Let us walk on the 3-isogeny graph
Loading...
Searching...
No Matches
isogeny_walks.h File Reference
#include "fp2.h"
Include dependency graph for isogeny_walks.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions

void fp2_mul_by_1488 (fp2_t *output, fp2_t input)
void fp2_mul_by_2976 (fp2_t *output, fp2_t input)
void fp2_mul_by_162000 (fp2_t *output, fp2_t input)
void fp2_mul_by_324000 (fp2_t *output, fp2_t input)
void fp2_mul_by_2532192 (fp2_t *output, fp2_t input)
void fp2_mul_by_645205500 (fp2_t *output, fp2_t input)
void fp2_mul_by_8748000000 (fp2_t *output, fp2_t input)
void isogeny_walks_2 (fp2_t *output, fp2_t input_prev, fp2_t input, const uint8_t *input_path, size_t input_length)
void isogeny_walks_from_montgomery_model_2 (fp2_t *output_j, fp2_t input_A)
void isogeny_walks_get_previous_step_2 (fp2_t *output_j, fp2_t input_A)
void isogeny_walks_sample_bit_string (uint8_t *output)
void isogeny_walks_2_slow (fp2_t *j0, fp2_t *j1, fp2_t input_prev, fp2_t input, const uint8_t *input_path, size_t input_length)
void isogeny_walks_3 (fp2_t *output_a1, fp2_t *output_a3, fp2_t input_a1, fp2_t input_a3, const uint8_t *input_path, size_t input_length)
void isogeny_walks_get_points_3 (fp2_t *output, fp2_t input_A)
void isogeny_walks_from_montgomery_model_3 (fp2_t *output_a1, fp2_t *output_a3, fp2_t input_A, fp2_t input_xP)
void isogeny_walks_switch_from_model_3 (fp2_t *output_j, fp2_t input_a1, fp2_t input_a3)
void isogeny_walks_sample_trit_string (uint8_t *output)
void isogeny_walks_get_points_3_fp (fp_t *output, const fp_t *input_A)
void isogeny_walks_to_montgomery_model_3_fp (fp_t *output_A, const fp_t *input_t)
void isogeny_walks_3_fp (fp_t output_A, const fp_t input_A, int input_length)

Function Documentation

◆ fp2_mul_by_1488()

void fp2_mul_by_1488 ( fp2_t * output,
fp2_t input )

Definition at line 11 of file isogeny_walks_2.c.

11 {
12 fp2_t r, s, t;
13
14 fp2_add(&r, input, input); // 2 × input
15 fp2_add(&s, r, input); // 3 × input
16 fp2_add(&t, r, s); // 5 × input
17 fp2_add(&t, t, t); // 10 × input
18
19 fp2_add(&t, t, t); // 20 × input
20 fp2_add(&t, t, s); // 23 × input
21 fp2_add(&t, t, t); // 46 × input
22 fp2_add(&t, t, t); // 92 × input
23
24 fp2_add(&t, t, input); // 93 × input
25 fp2_add(&t, t, t); // 186 × input
26 fp2_add(&t, t, t); // 372 × input
27 fp2_add(&t, t, t); // 744 × input
28
29 fp2_add(output, t, t); // 1488 × input
30}
fp2_t
Definition fp2.h:10

References fp2_add.

Referenced by fp2_mul_by_2976().

Here is the caller graph for this function:

◆ fp2_mul_by_162000()

void fp2_mul_by_162000 ( fp2_t * output,
fp2_t input )

Definition at line 37 of file isogeny_walks_2.c.

37 {
38 fp2_t r, s, t;
39 fp2_add(&r, input, input); // 2 × input
40 fp2_add(&r, r, r); // 4 × input
41 fp2_add(&r, r, r); // 8 × input
42 fp2_add(&r, r, input); // 9 × input
43
44 fp2_add(&s, r, r); // 18 × input
45 fp2_add(&s, s, s); // 36 × input
46 fp2_add(&s, s, s); // 72 × input
47 fp2_add(&t, s, r); // 81 × input
48
49 fp2_add(&s, t, s); // 153 × input
50 fp2_add(&s, s, s); // 306 × input
51 fp2_add(&s, s, s); // 612 × input
52 fp2_add(&s, s, s); // 1224 × input
53
54 fp2_add(&s, s, s); // 2448 × input
55 fp2_add(&t, s, t); // 2529 × input
56 fp2_add(&t, t, t); // 5058 × input
57 fp2_add(&t, t, t); // 10116 × input
58
59 fp2_add(&t, t, r); // 10125 × input
60 fp2_add(&t, t, t); // 20250 × input
61 fp2_add(&t, t, t); // 40500 × input
62 fp2_add(&t, t, t); // 81000 × input
63
64 fp2_add(output, t, t); // 162000 × input
65}

References fp2_add.

Referenced by fp2_mul_by_324000(), isogeny_walks_2(), and isogeny_walks_2_slow().

Here is the caller graph for this function:

◆ fp2_mul_by_2532192()

void fp2_mul_by_2532192 ( fp2_t * output,
fp2_t input )

Definition at line 72 of file isogeny_walks_2.c.

72 {
73 fp2_t r, s, t, u, v;
74
75 fp2_add(&r, input, input); // 2 × input
76 fp2_add(&s, r, input); // 3 × input
77 fp2_add(&t, s, s); // 6 × input
78 fp2_add(&t, t, t); // 12 × input
79
80 fp2_add(&t, t, t); // 24 × input
81 fp2_add(&u, t, s); // 27 × input
82 fp2_add(&v, u, t); // 51 × input
83 fp2_add(&t, v, v); // 102 × input
84
85 fp2_add(&t, t, v); // 153 × input
86 fp2_add(&t, t, t); // 306 × input
87 fp2_add(&t, t, s); // 309 × input
88 fp2_add(&t, t, t); // 618 × input
89
90 fp2_add(&t, t, t); // 1236 × input
91 fp2_add(&t, t, t); // 2472 × input
92 fp2_add(&t, t, t); // 4944 × input
93 fp2_add(&t, t, t); // 9888 × input
94
95 fp2_add(&t, t, t); // 19776 × input
96 fp2_add(&t, t, t); // 39552 × input
97 fp2_add(&t, t, t); // 79104 × input
98 fp2_add(&t, t, u); // 79131 × input
99
100 fp2_add(&t, t, t); // 158262 × input
101 fp2_add(&t, t, t); // 316524 × input
102 fp2_add(&t, t, t); // 633048 × input
103 fp2_add(&t, t, t); // 1266096 × input
104
105 fp2_add(output, t, t); // 2532192 × input
106}

References fp2_add.

Referenced by isogeny_walks_2(), and isogeny_walks_2_slow().

Here is the caller graph for this function:

◆ fp2_mul_by_2976()

void fp2_mul_by_2976 ( fp2_t * output,
fp2_t input )

Definition at line 32 of file isogeny_walks_2.c.

32 {
33 fp2_mul_by_1488(output, input); // 1488 × input
34 fp2_add(output, *output, *output); // 2976 × input
35}
fp2_mul_by_1488
void fp2_mul_by_1488(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:11

References fp2_add, and fp2_mul_by_1488().

Referenced by isogeny_walks_2(), and isogeny_walks_2_slow().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ fp2_mul_by_324000()

void fp2_mul_by_324000 ( fp2_t * output,
fp2_t input )

Definition at line 67 of file isogeny_walks_2.c.

67 {
68 fp2_mul_by_162000(output, input); // 162000 × input
69 fp2_add(output, *output, *output); // 324000 × input
70}
fp2_mul_by_162000
void fp2_mul_by_162000(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:37

References fp2_add, and fp2_mul_by_162000().

Referenced by isogeny_walks_2(), and isogeny_walks_2_slow().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ fp2_mul_by_645205500()

void fp2_mul_by_645205500 ( fp2_t * output,
fp2_t input )

Definition at line 108 of file isogeny_walks_2.c.

108 {
109
110 fp2_t r, s, t, u, v;
111 fp2_add(&r, input, input); // 2 × input
112 fp2_add(&r, r, r); // 4 × input
113 fp2_add(&s, r, input); // 5 × input
114 fp2_add(&t, s, s); // 10 × input
115
116 fp2_add(&t, t, t); // 20 × input
117 fp2_add(&r, t, t); // 40 × input
118 fp2_add(&t, r, r); // 80 × input
119 fp2_add(&u, t, s); // 85 × input
120
121 fp2_add(&v, t, u); // 165 × input
122 fp2_add(&v, v, r); // 205 × input
123 fp2_add(&t, v, v); // 410 × input
124 fp2_add(&t, t, t); // 820 × input
125
126 fp2_add(&t, t, t); // 1640 × input
127 fp2_add(&t, t, t); // 3280 × input
128 fp2_add(&t, t, t); // 6560 × input
129 fp2_add(&t, t, t); // 13120 × input
130
131 fp2_add(&t, t, t); // 26240 × input
132 fp2_add(&t, t, t); // 52480 × input
133 fp2_add(&t, t, t); // 104960 × input
134 fp2_add(&t, t, t); // 209920 × input
135
136 fp2_add(&t, t, t); // 419840 × input
137 fp2_add(&t, t, v); // 420045 × input
138 fp2_add(&t, t, t); // 840090 × input
139 fp2_add(&t, t, t); // 1680180 × input
140
141 fp2_add(&t, t, t); // 3360360 × input
142 fp2_add(&t, t, u); // 3360445 × input
143 fp2_add(&t, t, t); // 6720890 × input
144 fp2_add(&t, t, t); // 13441780 × input
145
146 fp2_add(&t, t, t); // 26883560 × input
147 fp2_add(&t, t, t); // 53767120 × input
148 fp2_add(&t, t, s); // 53767125 × input
149 fp2_add(&u, t, t); // 107534250 × input
150
151 fp2_add(&t, t, u); // 161301375 × input
152 fp2_add(&t, t, t); // 322602750 × input
153 fp2_add(output, t, t); // 645205500 × input
154}

References fp2_add.

Referenced by isogeny_walks_2(), and isogeny_walks_2_slow().

Here is the caller graph for this function:

◆ fp2_mul_by_8748000000()

void fp2_mul_by_8748000000 ( fp2_t * output,
fp2_t input )

Definition at line 156 of file isogeny_walks_2.c.

156 {
157 fp2_t r, s, t, u, v;
158 fp2_add(&r, input, input); // 2 × input
159 fp2_add(&r, r, r); // 4 × input
160 fp2_add(&r, r, r); // 8 × input
161 fp2_add(&r, r, r); // 16 × input
162
163 fp2_add(&r, r, r); // 32 × input
164 fp2_add(&r, r, r); // 64 × input
165 fp2_add(&r, r, r); // 128 × input
166 fp2_add(&s, r, input); // 129 × input
167
168 fp2_add(&r, s, r); // 257 × input
169 fp2_add(&r, r, r); // 514 × input
170 fp2_add(&r, r, r); // 1028 × input
171 fp2_add(&t, r, r); // 2056 × input
172
173 fp2_add(&t, t, t); // 4112 × input
174 fp2_add(&t, t, t); // 8224 × input
175 fp2_add(&u, t, s); // 8353 × input
176 fp2_add(&v, t, r); // 9252 × input
177
178 fp2_add(&t, u, v); // 17605 × input
179 fp2_add(&t, t, t); // 35210 × input
180 fp2_add(&t, t, v); // 44462 × input
181 fp2_add(&t, t, t); // 88924 × input
182
183 fp2_add(&t, t, t); // 177848 × input
184 fp2_add(&t, t, t); // 355696 × input
185 fp2_add(&t, t, t); // 711392 × input
186 fp2_add(&t, t, t); // 1422784 × input
187
188 fp2_add(&t, t, t); // 2845568 × input
189 fp2_add(&t, t, t); // 5691136 × input
190 fp2_add(&t, t, t); // 11382272 × input
191 fp2_add(&t, t, u); // 11390625 × input
192
193 fp2_add(&u, t, t); // 22781250 × input
194 fp2_add(&t, t, u); // 34171875 × input
195 fp2_add(&t, t, t); // 68343750 × input
196 fp2_add(&t, t, t); // 136687500 × input
197
198 fp2_add(&t, t, t); // 273375000 × input
199 fp2_add(&t, t, t); // 546750000 × input
200 fp2_add(&t, t, t); // 1093500000 × input
201 fp2_add(&t, t, t); // 2187000000 × input
202
203 fp2_add(&t, t, t); // 4374000000 × input
204 fp2_add(output, t, t); // 8748000000 × input
205}

References fp2_add.

Referenced by isogeny_walks_2(), and isogeny_walks_2_slow().

Here is the caller graph for this function:

◆ isogeny_walks_2()

void isogeny_walks_2 ( fp2_t * output,
fp2_t input_prev,
fp2_t input,
const uint8_t * input_path,
size_t input_length )

Definition at line 208 of file isogeny_walks_2.c.

208 {
209 size_t i, j;
210 fp2_t t4, t3, t2, t1, t0, jk_next, jk, jk_prev, Dk, Dk_sqrt[2];
211 fp2_t constant_162000, constant_2532192, constant_645205500, constant_8748000000;
212 fp2_t jk_times_2976, jk_prev_times_2976, jk_prev_times_324000, jk_squared, jk_prev_squared;
213
214 fp2_set_to_one(&constant_162000);
215 fp2_set_to_one(&constant_2532192);
216 fp2_set_to_one(&constant_645205500);
217 fp2_set_to_one(&constant_8748000000);
218
219 fp2_mul_by_162000(&constant_162000, constant_162000);
220 fp2_mul_by_2532192(&constant_2532192, constant_2532192);
221 fp2_mul_by_645205500(&constant_645205500, constant_645205500);
222 fp2_mul_by_8748000000(&constant_8748000000, constant_8748000000);
223
224 fp2_copy(&jk, input);
225 fp2_copy(&jk_prev, input_prev);
226
227 for (i = 0; i < input_length; i++) {
228 uint8_t mask = 0x1;
229 for (j = 0; j < 8; j++) {
230 // jk⁴
231 fp2_sqr(&jk_squared, jk);
232 fp2_sqr(&t4, jk_squared);
233 // - 2976 × (jk³) [= - (2976 × jk) × (jk²) ]
234 fp2_mul_by_2976(&jk_times_2976, jk);
235 fp2_mul(&t3, jk_times_2976, jk_squared);
236 // + 2 × (jk²) × jk_prev + 2532192 × (jk²) [= + [2 × jk_prev + 2532192] × (jk²)]
237 fp2_add(&t2, jk_prev, jk_prev);
238 fp2_add(&t2, t2, constant_2532192);
239 fp2_mul(&t2, t2, jk_squared);
240 // - 2976 × jk × jk_prev - 645205500 × jk [= -(2976 × jk_prev + 645205500) × jk ]
241 fp2_mul_by_2976(&jk_prev_times_2976, jk_prev);
242 fp2_add(&t1, jk_prev_times_2976, constant_645205500);
243 fp2_mul(&t1, t1, jk);
244 // - 3 × (jk_prev²) + 324000 × jk_prev [= (-3 × jk_prev + 324000) × jk_prev]
245 fp2_mul_by_324000(&jk_prev_times_324000, jk_prev);
246 fp2_sqr(&jk_prev_squared, jk_prev);
247 fp2_add(&t0, jk_prev_squared, jk_prev_squared);
248 fp2_add(&t0, t0, jk_prev_squared);
249 fp2_sub(&t0, jk_prev_times_324000, t0);
250 // - 8748000000
251
252 // Dk = jk⁴ - 2976 × (jk³) + 2 × (jk²) × jk_prev + 2532192 × (jk²) - 2976 × jk × jk_prev - 645205500 × jk - 3 × (jk_prev²) + 324000 × jk_prev - 8748000000
253 fp2_sub(&Dk, t4, t3);
254 fp2_add(&Dk, Dk, t2);
255 fp2_sub(&Dk, Dk, t1);
256 fp2_add(&Dk, Dk, t0);
257 fp2_sub(&Dk, Dk, constant_8748000000);
258
259 fp2_sqrt_fast(&Dk_sqrt[0], Dk); // 1st square-root (deterministic)
260 fp2_neg(&Dk_sqrt[1], Dk_sqrt[0]); // 2nd square-root (negative)
261 fp2_linear_pass_in(&Dk, Dk_sqrt , 2, (input_path[i] & mask) >> j);
262
263 // jk_next = (jk² - 1488 × jk - jk_prev + 162000 + Dk_sqrt[path[k]]) / 2
264 fp2_half(&t0, jk_times_2976); // 2976 = 2 × 1488
265 fp2_sub(&t1, jk_squared, t0);
266 fp2_sub(&t1, t1, jk_prev);
267 fp2_add(&t1, t1, constant_162000);
268 fp2_add(&t1, t1, Dk);
269 fp2_half(&jk_next, t1);
270
271 fp2_copy(&jk_prev, jk);
272 fp2_copy(&jk, jk_next);
273
274 mask <<= 1;
275 }
276 }
277 fp2_copy(output, jk);
278}
fp2_linear_pass_in
void fp2_linear_pass_in(fp2_t *output, const fp2_t *input, uint8_t input_length, uint8_t input_index)
Definition fp2.c:159
fp2_sqrt_fast
void fp2_sqrt_fast(fp2_t *output, fp2_t input)
Definition fp2.c:333
fp2_half
void fp2_half(fp2_t *output, fp2_t input)
Definition fp2.c:107
fp2_set_to_one
void fp2_set_to_one(fp2_t *output)
Definition fp2.c:49
fp2_mul_by_2532192
void fp2_mul_by_2532192(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:72
fp2_mul_by_645205500
void fp2_mul_by_645205500(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:108
fp2_mul_by_8748000000
void fp2_mul_by_8748000000(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:156
fp2_mul_by_324000
void fp2_mul_by_324000(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:67
fp2_mul_by_2976
void fp2_mul_by_2976(fp2_t *output, fp2_t input)
Definition isogeny_walks_2.c:32
i
for i
Definition prime_search.m:10
j
for j
Definition prime_search.m:12

References fp2_add, fp2_copy, fp2_half(), fp2_linear_pass_in(), fp2_mul, fp2_mul_by_162000(), fp2_mul_by_2532192(), fp2_mul_by_2976(), fp2_mul_by_324000(), fp2_mul_by_645205500(), fp2_mul_by_8748000000(), fp2_neg, fp2_set_to_one(), fp2_sqr, fp2_sqrt_fast(), fp2_sub, i, and j.

Referenced by cgl_hash_digest_2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_2_slow()

void isogeny_walks_2_slow ( fp2_t * j0,
fp2_t * j1,
fp2_t input_prev,
fp2_t input,
const uint8_t * input_path,
size_t input_length )

Definition at line 333 of file isogeny_walks_2.c.

333 {
334 size_t i, j;
335 fp2_t t4, t3, t2, t1, t0, jk_next, jk, jk_prev, Dk, Dk_sqrt[2];
336 fp2_t constant_162000, constant_2532192, constant_645205500, constant_8748000000;
337 fp2_t jk_times_2976, jk_prev_times_2976, jk_prev_times_324000, jk_squared, jk_prev_squared;
338
339 fp2_set_to_one(&constant_162000);
340 fp2_set_to_one(&constant_2532192);
341 fp2_set_to_one(&constant_645205500);
342 fp2_set_to_one(&constant_8748000000);
343
344 fp2_mul_by_162000(&constant_162000, constant_162000);
345 fp2_mul_by_2532192(&constant_2532192, constant_2532192);
346 fp2_mul_by_645205500(&constant_645205500, constant_645205500);
347 fp2_mul_by_8748000000(&constant_8748000000, constant_8748000000);
348
349 fp2_copy(&jk, input);
350 fp2_copy(&jk_prev, input_prev);
351
352 for (i = 0; i < input_length; i++) {
353 uint8_t mask = 0x1;
354 for (j = 0; j < 8; j++) {
355 // jk⁴
356 fp2_sqr(&jk_squared, jk);
357 fp2_sqr(&t4, jk_squared);
358 // - 2976 × (jk³) [= - (2976 × jk) × (jk²) ]
359 fp2_mul_by_2976(&jk_times_2976, jk);
360 fp2_mul(&t3, jk_times_2976, jk_squared);
361 // + 2 × (jk²) × jk_prev + 2532192 × (jk²) [= + [2 × jk_prev + 2532192] × (jk²)]
362 fp2_add(&t2, jk_prev, jk_prev);
363 fp2_add(&t2, t2, constant_2532192);
364 fp2_mul(&t2, t2, jk_squared);
365 // - 2976 × jk × jk_prev - 645205500 × jk [= -(2976 × jk_prev + 645205500) × jk ]
366 fp2_mul_by_2976(&jk_prev_times_2976, jk_prev);
367 fp2_add(&t1, jk_prev_times_2976, constant_645205500);
368 fp2_mul(&t1, t1, jk);
369 // - 3 × (jk_prev²) + 324000 × jk_prev [= (-3 × jk_prev + 324000) × jk_prev]
370 fp2_mul_by_324000(&jk_prev_times_324000, jk_prev);
371 fp2_sqr(&jk_prev_squared, jk_prev);
372 fp2_add(&t0, jk_prev_squared, jk_prev_squared);
373 fp2_add(&t0, t0, jk_prev_squared);
374 fp2_sub(&t0, jk_prev_times_324000, t0);
375 // - 8748000000
376
377 // Dk = jk⁴ - 2976 × (jk³) + 2 × (jk²) × jk_prev + 2532192 × (jk²) - 2976 × jk × jk_prev - 645205500 × jk - 3 × (jk_prev²) + 324000 × jk_prev - 8748000000
378 fp2_sub(&Dk, t4, t3);
379 fp2_add(&Dk, Dk, t2);
380 fp2_sub(&Dk, Dk, t1);
381 fp2_add(&Dk, Dk, t0);
382 fp2_sub(&Dk, Dk, constant_8748000000);
383
384 fp2_sqrt_slow(&Dk_sqrt[0], Dk); // 1st square-root (deterministic)
385 fp2_neg(&Dk_sqrt[1], Dk_sqrt[0]); // 2nd square-root (negative)
386 fp2_linear_pass_in(&Dk, Dk_sqrt , 2, (input_path[i] & mask) >> j);
387
388 // jk_next = (jk² - 1488 × jk - jk_prev + 162000 + Dk_sqrt[path[k]]) / 2
389 fp2_half(&t0, jk_times_2976); // 2976 = 2 × 1488
390 fp2_sub(&t1, jk_squared, t0);
391 fp2_sub(&t1, t1, jk_prev);
392 fp2_add(&t1, t1, constant_162000);
393 fp2_add(&t1, t1, Dk);
394 fp2_half(&jk_next, t1);
395
396 fp2_copy(&jk_prev, jk);
397 fp2_copy(&jk, jk_next);
398
399 mask <<= 1;
400 }
401 }
402 fp2_copy(j0, jk_prev);
403 fp2_copy(j1, jk);
404}
fp2_sqrt_slow
void fp2_sqrt_slow(fp2_t *output, fp2_t input)
Definition fp2.c:283

References fp2_add, fp2_copy, fp2_half(), fp2_linear_pass_in(), fp2_mul, fp2_mul_by_162000(), fp2_mul_by_2532192(), fp2_mul_by_2976(), fp2_mul_by_324000(), fp2_mul_by_645205500(), fp2_mul_by_8748000000(), fp2_neg, fp2_set_to_one(), fp2_sqr, fp2_sqrt_slow(), fp2_sub, i, and j.

Here is the call graph for this function:

◆ isogeny_walks_3()

void isogeny_walks_3 ( fp2_t * output_a1,
fp2_t * output_a3,
fp2_t input_a1,
fp2_t input_a3,
const uint8_t * input_path,
size_t input_length )

Definition at line 10 of file isogeny_walks_3.c.

10 {
11 // This function assumes the input and output determines elliptic
12 // curves of form y² + a₁xy + a₃y = x³ − 5a₁a₃x − (a₁³)a₃ − 7(a₃)²
13 size_t i, j;
14 fp2_t a, a1, a3, cube_roots_of_unity[3], r, s, t;
15
16 fp2_set_to_one(&cube_roots_of_unity[0]);
17 fp2_copy(&cube_roots_of_unity[1], *((fp2_t *)&CUBE_ROOT_OF_UNITY));
18 fp2_sqr(&cube_roots_of_unity[2], cube_roots_of_unity[1]);
19
20 fp2_copy(&a1, input_a1);
21 fp2_copy(&a3, input_a3);
22
23 uint32_t trit_string[input_length];
24 to_trit_string(trit_string, input_path, input_length);
25
26 for (i = 0; i < input_length; i++) {
27 uint32_t mask = 0x0000000F;
28 for (j = 0; j < 5; j++) {
29 fp2_neg(&a, a3);
30 fp2_curt(&a, a);
31 fp2_linear_pass_in(&t, cube_roots_of_unity, 3, (trit_string[i] & mask) >> (4*j));
32 fp2_mul(&a, a, t);
33
34 // radical 3-isogeny
35 fp2_add(&t, a, a); // 2α
36 fp2_add(&t, t, a); // 3α
37 fp2_add(&t, t, t); // 6α
38
39 fp2_add(&r, a1, a1); // 2a₁
40 fp2_add(&r, r, a1); // 3a₁
41 fp2_sqr(&s, a1); // a₁²
42
43 fp2_sub(&a1, a1, t); // a₁ <- a₁ - 6α
44
45 fp2_sqr(&t, a); // α²
46 fp2_mul(&r, r, t); // 3a₁ · α²
47 fp2_mul(&s, s, a); // a₁² · α
48 fp2_add(&t, a3, a3); // 2a₃
49 fp2_add(&t, t, a3); // 3a₃
50 fp2_add(&a, t, t); // 6a₃
51 fp2_add(&t, a, t); // 9a₃
52 fp2_sub(&a3, r, s); // a₃ <- 3a₁ · α² - a₁² · α
53 fp2_add(&a3, a3, t); // a₃ <- 3a₁ · α² - a₁² · α + 9a₃
54
55 mask <<= 4;
56 }
57 }
58 fp2_copy(output_a1, a1);
59 fp2_copy(output_a3, a3);
60}
fp2_curt
void fp2_curt(fp2_t *output, fp2_t input)
Definition fp2.c:399
a3
den a3
Definition j-invariants.m:29
a1
g a1
Definition to_model.m:15
a
f a
Definition to_model.m:12

References a, a1, a3, fp2_add, fp2_copy, fp2_curt(), fp2_linear_pass_in(), fp2_mul, fp2_neg, fp2_set_to_one(), fp2_sqr, fp2_sub, i, and j.

Referenced by cgl_hash_digest_3().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_3_fp()

void isogeny_walks_3_fp ( fp_t output_A,
const fp_t input_A,
int input_length )

Definition at line 217 of file isogeny_walks_3_fp.c.

217 {
218 fp_t aux[2], num_den[3];
219
220 fp_copy(aux[0], input_A);
221 fp_set_to_one(aux[1]);
222
223 isogeny_walks_get_points_3_fp(num_den, aux);
224
225 uint64_t sign = (input_length >> TOP_BIT) & 1;
226 fp_cset(aux[0], num_den[0], -sign);
227 fp_cset(aux[0], num_den[1], sign-1);
228 fp_copy(aux[1], num_den[2]);
229
230 int input_length_abs = absolute_value(input_length);
231 for(int i = 0; i < input_length_abs; i++){
232 fp_t t[2] = {0};
233 uint64_t d = constant_time_is_lessthan_u64(i, input_length_abs);
234 isogeny_walks_to_montgomery_model_3_fp(t, aux);
235 fp_cset(aux[0], t[0], -d);
236 fp_cset(aux[1], t[1], -d);
237 }
238 isogeny_to_montgomery(output_A, aux);
239}
isogeny_walks_get_points_3_fp
void isogeny_walks_get_points_3_fp(fp_t *output, const fp_t *input_A)
Definition isogeny_walks_3_fp.c:18
TOP_BIT
#define TOP_BIT
Definition isogeny_walks_3_fp.c:210
isogeny_to_montgomery
void isogeny_to_montgomery(fp_t output_A, const fp_t *input_t)
Definition isogeny_walks_3_fp.c:183
isogeny_walks_to_montgomery_model_3_fp
void isogeny_walks_to_montgomery_model_3_fp(fp_t *output_A, const fp_t *input_t)
Definition isogeny_walks_3_fp.c:144
fp_copy
#define fp_copy
Definition fp-gmp.h:79
fp_cset
void fp_cset(fp_t output, const fp_t input, uint64_t input_mask)
Definition fp.c:28
fp_set_to_one
void fp_set_to_one(fp_t input_output)
Definition fp.c:14
fp_t
uint64_t fp_t[FIELD_64BITS_WORDS]
Definition fp.h:12
constant_time_is_lessthan_u64
uint64_t constant_time_is_lessthan_u64(uint64_t x, uint64_t y)
Definition utilities.c:58

References constant_time_is_lessthan_u64(), fp_copy, fp_cset(), fp_set_to_one(), i, isogeny_to_montgomery(), isogeny_walks_get_points_3_fp(), isogeny_walks_to_montgomery_model_3_fp(), and TOP_BIT.

Referenced by action().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_from_montgomery_model_2()

void isogeny_walks_from_montgomery_model_2 ( fp2_t * output_j,
fp2_t input_A )

Definition at line 280 of file isogeny_walks_2.c.

280 {
281 // Computes the j-invariant of a Montgomery curve E : y² = x³ + Ax² + x
282 fp2_t r, s, t;
283
284 fp2_set_to_one(&t);
285
286 fp2_add(&r, t, t); // 2
287 fp2_add(&r, r, t); // 3
288 fp2_sqr(&s, input_A); // A²
289
290 fp2_sub(&s, s, r); // A² - 3
291 fp2_sub(&r, s, t); // A² - 4
292 fp2_add(&s, s, s); // 2(A² - 3)
293 fp2_add(&s, s, s); // 4(A² - 3)
294
295 fp2_sqr(&t, s); // 16(A² - 3)²
296 fp2_mul(&s, s, t); // 64(A² - 3)³
297 fp2_add(&s, s, s); // 128(A² - 3)³
298 fp2_add(&s, s, s); // 256(A² - 3)³
299 fp2_inv(&t, r); // 1 / (A² - 4)
300 fp2_mul(output_j, s, t);
301}

References fp2_add, fp2_inv, fp2_mul, fp2_set_to_one(), fp2_sqr, and fp2_sub.

Referenced by cgl_hash_init_2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_from_montgomery_model_3()

void isogeny_walks_from_montgomery_model_3 ( fp2_t * output_a1,
fp2_t * output_a3,
fp2_t input_A,
fp2_t input_xP )

Definition at line 62 of file isogeny_walks_3.c.

62 {
63 // inputs: x-coordinate of an order-3 point P on E: y² = x³ + Ax² + x, and A
64 // output: isomorphic curve of form F: y² + a₁xy + a₃y = x³
65 // Cost: 2M + 2S + 7A
66 fp2_t r, s, xP_squared, A_times_xP;
67
68 fp2_sqr(&xP_squared, input_xP);
69 fp2_add(&r, xP_squared, xP_squared);
70 fp2_add(&r, xP_squared, r);
71
72 fp2_mul(&A_times_xP, input_A, input_xP);
73 fp2_add(&s, A_times_xP, A_times_xP);
74 fp2_add(&r, r, s);
75
76 fp2_set_to_one(&s);
77 fp2_add(output_a1, r, s); // (3xₚ² + 2Axₚ + 1)
78
79 fp2_add(output_a3, xP_squared, A_times_xP);
80 fp2_add(output_a3, *output_a3, s);
81 fp2_mul(output_a3, *output_a3, input_xP);
82 fp2_sqr(output_a3, *output_a3);
83 fp2_add(output_a3, *output_a3, *output_a3); // 2 yₚ⁴ = 2 (xₚ³ + Axₚ² + xₚ)²
84}

References fp2_add, fp2_mul, fp2_set_to_one(), and fp2_sqr.

Referenced by cgl_hash_init_3().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_get_points_3()

void isogeny_walks_get_points_3 ( fp2_t * output,
fp2_t input_A )

Definition at line 124 of file isogeny_walks_3.c.

124 {
125 fp2_t A_times_one_third, A_squared, r, s, t, u, v, y, s0, i0, s1, s2;
126 fp_t THREE, EIGHT;
127
128 fp_set_to_one(THREE); // 1
129
130 fp_add(EIGHT, THREE, THREE); // 2
131 fp_add(THREE, THREE, EIGHT); // 3
132 fp_add(EIGHT, EIGHT, EIGHT); // 4
133 fp_add(EIGHT, EIGHT, EIGHT); // 8
134
135 fp_mul(A_times_one_third.re, input_A.re, ONE_THIRD);
136 fp_mul(A_times_one_third.im, input_A.im, ONE_THIRD);
137 fp2_sqr(&A_squared, input_A);
138
139 // t takes the value of ⅑(3 - A²)
140 fp_sub(t.re, THREE, A_squared.re);
141 fp_neg(t.im, A_squared.im);
142 fp_mul(t.re, t.re, ONE_NINTH);
143 fp_mul(t.im, t.im, ONE_NINTH);
144
145 // r takes the value of (⁸⁄₂₇)A³
146 fp2_mul(&r, A_squared, input_A);
147 fp_mul(r.re, r.re, ONE_BY_27);
148 fp_mul(r.im, r.im, ONE_BY_27);
149 fp2_add(&r, r, r); // 2r
150 fp2_add(&r, r, r); // 4r
151 fp2_add(&r, r, r); // 8r
152 fp2_add(&r, r, r); // 16r
153
154 // s takes the calue of (⁸⁄₃)A
155 fp2_copy(&s, A_times_one_third);
156 fp2_add(&s, s, s); // 2s
157 fp2_add(&s, s, s); // 4s
158 fp2_add(&s, s, s); // 8s
159 fp2_sub(&u, r, s); // r - s
160
161 // v takes the value of -2A² + 8
162 fp2_add(&v, A_squared, A_squared);
163 fp_sub(v.re, EIGHT, v.re);
164 fp_neg(v.im, v.im);
165 fp2_curt(&y, v); // cube-root of v
166
167 // y takes the value of t + (¹⁄₃)∛v
168 fp_mul(y.re, y.re, ONE_THIRD);
169 fp_mul(y.im, y.im, ONE_THIRD);
170 fp2_add(&y, t, y);
171 fp2_add(&r, y, y); // 2y
172
173 fp2_add(&s, t, t); // 2t
174 fp2_add(&s, t, s); // 3t
175 fp2_add(&s, s, s); // 6t
176 fp2_sub(&t, r, s); // r - s
177
178 // s₀ takes the value of √(r - s)
179 fp2_sqrt_slow(&s0, t);
180 fp2_inv(&i0, s0); // 1 / s₀
181
182 fp2_add(&v, r, s); // r + s
183 fp2_neg(&v, v); // -(r + s)
184 fp2_mul(&t, u, i0); // u / s₀
185
186 // s₁ takes the value of √[v + (u / s₀)]
187 fp2_add(&s, v, t); // v + (u / s₀)
188 fp2_sqrt_slow(&s1, s);
189 // s₂ takes the value of √[v - (u / s₀)]
190 fp2_sub(&s, v, t); // v - (u / s₀)
191 fp2_sqrt_slow(&s2, s);
192
193 fp2_sub(&r, s1, s0); // -s₀ + s₁
194 fp2_add(&s, s1, s0); // s₀ + s₁
195 fp2_add(&t, s0, s2); // s₀ + s₂
196 fp2_sub(&u, s0, s2); // s₀ - s₂
197
198 fp2_neg(&s, s); // -(s₀ + s₁)
199
200 fp2_half(&r, r); // (¹⁄₂)(-s₀ + s₁)
201 fp2_half(&s, s); // (¹⁄₂)(-s₀ - s₁)
202 fp2_half(&t, t); // (¹⁄₂)( s₀ + s₂)
203 fp2_half(&u, u); // (¹⁄₂)( s₀ - s₂)
204
205 fp2_sub(&output[3], u, A_times_one_third); // r - (¹⁄₃)A
206 fp2_sub(&output[2], t, A_times_one_third); // s - (¹⁄₃)A
207 fp2_sub(&output[1], s, A_times_one_third); // t - (¹⁄₃)A
208 fp2_sub(&output[0], r, A_times_one_third); // u - (¹⁄₃)A
209}
fp_sub
#define fp_sub
Definition fp-gmp.h:67
fp_mul
#define fp_mul
Definition fp-gmp.h:70
fp_add
#define fp_add
Definition fp-gmp.h:64
fp_neg
void fp_neg(fp_t output, const fp_t input)
Definition fp.c:9
fp2_t::re
fp_t re
Definition fp2.h:11
fp2_t::im
fp_t im
Definition fp2.h:12

References fp2_add, fp2_copy, fp2_curt(), fp2_half(), fp2_inv, fp2_mul, fp2_neg, fp2_sqr, fp2_sqrt_slow(), fp2_sub, fp_add, fp_mul, fp_neg(), fp_set_to_one(), fp_sub, fp2_t::im, and fp2_t::re.

Referenced by cgl_hash_init_3().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_get_points_3_fp()

void isogeny_walks_get_points_3_fp ( fp_t * output,
const fp_t * input_A )

Definition at line 18 of file isogeny_walks_3_fp.c.

18 {
19 fp_t A_times_one_third, A_squared, C_squared;
20 fp_t t, r, s, u, aux, tmp, y;
21 fp_t s0, s1, s2, s0_squared, v;
22
23 // input_A[0] is A
24 // input_A[1] is C
25 // A_times_one_third = A * one_third # M𝒸
26 fp_mul(A_times_one_third, ONE_THIRD, input_A[0]);
27 // A_squared = A**2 # S
28 fp_sqr(A_squared, input_A[0]);
29 // C_squared = C**2 # S
30 fp_sqr(C_squared, input_A[1]);
31
32 // t = (3 * C_squared - A_squared) * one_ninth # M𝒸 + 3A
33 fp_add(t, C_squared, C_squared);
34 fp_add(t, t, C_squared);
35 fp_sub(t, t, A_squared);
36 fp_mul(t, ONE_NINTH, t);
37
38 // r = 16 * (A_squared * A) * one_by_27 # M + M𝒸 + 4A
39 fp_mul(r, A_squared, input_A[0]);
40 fp_mul(r, ONE_BY_27, r);
41 fp_add(r, r, r);
42 fp_add(r, r, r);
43 fp_add(r, r, r);
44 fp_add(r, r, r);
45
46 // s = 8 * A_times_one_third # 3A
47 fp_add(s, A_times_one_third, A_times_one_third);
48 fp_add(s, s, s);
49 fp_add(s, s, s);
50
51 // u = r - s * C_squared # M + A
52 fp_mul(u, s, C_squared);
53 fp_sub(u, r, u);
54
55 // aux = 2*C_squared**2 # S + A
56 fp_sqr(aux, C_squared);
57 fp_add(aux, aux, aux);
58 // y = 4 * C_squared # 2A
59 fp_add(y, C_squared, C_squared);
60 fp_add(y, y, y);
61 // y = y - A_squared # A
62 fp_sub(y, y, A_squared);
63 // y = aux * y # M
64 fp_mul(y, aux, y);
65
66 // y = t + one_third * setup['curt'](y) # M𝒸 + A + E (TOTAL = S + M + Mc + 5A + E)
67 fp_curt(y, y);
68 fp_mul(y, y, ONE_THIRD);
69 fp_add(y, y, t);
70
71 // r = 2 * y # A
72 fp_add(r, y, y);
73 // s = 6 * t # 3A
74 fp_add(s, t, t);
75 fp_add(t, s, s);
76 fp_add(s, s, t);
77
78 // s0 = setup['sqrt'](r - s) # A + E
79 fp_sub(s0, r, s);
80 fp_sqrt(s0, s0);
81
82 // s0_squared = s0**2 # S
83 fp_sqr(s0_squared, s0);
84 // v = -(r + s) # 2A
85 fp_add(v, r, s);
86 fp_neg(v, v);
87
88 fp_mul(tmp, v, s0_squared); // # M
89 fp_mul(u, u, s0); // # M
90 // s1 = setup['sqrt'](tmp + u) # A + E
91 fp_add(t, tmp, u);
92 fp_sqrt(s1, t);
93 // s2 = setup['sqrt'](tmp - u) # A + E
94 fp_sub(s, tmp, u);
95 fp_sqrt(s2, s);
96
97 // Test to know if s1 and s2 are square roots # 2S
98 fp_sqr(tmp, s1);
99 fp_sqr(aux, s2);
100 uint8_t test_s1 = fp_is_equal(tmp, t);
101 uint8_t test_s2 = fp_is_equal(aux, s);
102
103 // Compute z # 4Mc + 5A
104 fp_sub(t, s1, s0_squared);
105 fp_mul(t, t, ONE_HALF);
106 fp_neg(s1, s1);
107 fp_sub(r, s1, s0_squared);
108 fp_mul(r, r, ONE_HALF);
109
110 fp_add(s, s2, s0_squared);
111 fp_mul(s, s, ONE_HALF);
112 fp_sub(u, s0_squared, s2);
113 fp_mul(u, u, ONE_HALF);
114
115 // Select z in constant time
116 fp_cset(output[0], t, -test_s1);
117 fp_cset(output[1], r, -test_s1);
118 fp_cset(output[0], s, -test_s2);
119 fp_cset(output[1], u, -test_s2);
120
121 // Compute num and den # 2M + 2A
122 fp_mul(output[2], s0, input_A[1]);
123 fp_mul(aux, s0, A_times_one_third);
124 fp_sub(output[0], output[0], aux);
125 fp_sub(output[1], output[1], aux);
126
127 // # 2S + 7M + 2A
128 fp_sqr(r, output[0]); // x**2
129 fp_sqr(s, output[2]); // den**2
130 fp_mul(v, input_A[1], output[0]); // C*x
131 fp_mul(t, output[2], input_A[0]); // A*den
132 fp_mul(u, v, s); // C*x*den**2
133 fp_mul(aux, s, output[2]); // den**3
134 fp_mul(aux, aux, input_A[1]); // C*den**3
135 fp_add(t, t, v); // C*x + A*den
136 fp_mul(t, t, r); // x**2 * (C*x + A*den)
137 fp_add(t, t, u); // (x**2 * (C*x + A*den)) + C*x * den**2
138 fp_mul(t, t, aux);
139
140 uint64_t test_sqr = (uint64_t)!fp_is_square(t);// # E
141 fp_cswap(output[0], output[1], -test_sqr);
142}
fp_sqr
#define fp_sqr
Definition fp-gmp.h:73
fp_cswap
#define fp_cswap
Definition fp-gmp.h:82
fp_curt
void fp_curt(fp_t output, const fp_t input)
Definition fp.c:189
fp_is_equal
uint8_t fp_is_equal(const fp_t input_a, const fp_t input_b)
Definition fp.c:122
fp_sqrt
void fp_sqrt(fp_t output, const fp_t input)
Definition fp.c:168
fp_is_square
uint8_t fp_is_square(const fp_t input)
Definition fp.c:148

References fp_add, fp_cset(), fp_cswap, fp_curt(), fp_is_equal(), fp_is_square(), fp_mul, fp_neg(), fp_sqr, fp_sqrt(), and fp_sub.

Referenced by isogeny_walks_3_fp(), and isogeny_walks_3_fp().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_get_previous_step_2()

void isogeny_walks_get_previous_step_2 ( fp2_t * output_j,
fp2_t input_A )

Definition at line 303 of file isogeny_walks_2.c.

303 {
304 // Computes the j-invariant of a Montgomery curve E : y² = x³ + (A + 6)x² + (4[2 + A])x
305 fp2_t r, s, t;
306
307 fp2_set_to_one(&t);
308
309 fp2_add(&r, t, t); // 2
310 fp2_add(&t, r, r); // 4
311 fp2_add(&r, t, t); // 8
312 fp2_add(&r, t, r); // 12
313
314 fp2_sqr(&s, input_A); // A²
315 fp2_add(&s, s, r); // A² + 12
316 fp2_sub(&r, s, t); // A² - 4
317 fp2_add(&s, s, s); // 2(A² + 12)
318
319 fp2_sqr(&r, r); // (A² - 4)²
320 fp2_sqr(&t, s); // 4(A² + 12)²
321 fp2_mul(&s, s, t); // 8(A² + 12)³
322 fp2_add(&s, s, s); // 16(A² + 12)³
323
324 fp2_inv(&t, r); // 1 / (A² - 4)²
325 fp2_mul(output_j, s, t);
326}

References fp2_add, fp2_inv, fp2_mul, fp2_set_to_one(), fp2_sqr, and fp2_sub.

Referenced by cgl_hash_init_2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_sample_bit_string()

void isogeny_walks_sample_bit_string ( uint8_t * output)

Definition at line 329 of file isogeny_walks_2.c.

329 {
330 randombytes(output, BIT_LENGTH_PATH / 8);
331}
randombytes
void randombytes(void *x, size_t l)
Definition rng.c:8
BIT_LENGTH_PATH
#define BIT_LENGTH_PATH
Definition p254.h:14

References BIT_LENGTH_PATH, and randombytes().

Referenced by main().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_sample_trit_string()

void isogeny_walks_sample_trit_string ( uint8_t * output)

Definition at line 212 of file isogeny_walks_3.c.

212 {
213 uint8_t bound = 0xF3;
214 for(int i = 0; i < (TRITLENGTH_PATH / 5); i++) {
215 output[i] = 0x00;
216 randombytes(&output[i], 1);
217 while (issmaller((int32_t)bound, (int32_t)(output[i]))) {
218 randombytes(&output[i], 1);
219 }
220 }
221}
analyze_bench.output
str output
Definition analyze_bench.py:80
TRITLENGTH_PATH
#define TRITLENGTH_PATH
Definition p254.h:15

References i, randombytes(), and TRITLENGTH_PATH.

Referenced by main().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ isogeny_walks_switch_from_model_3()

void isogeny_walks_switch_from_model_3 ( fp2_t * output_j,
fp2_t input_a1,
fp2_t input_a3 )

Definition at line 87 of file isogeny_walks_3.c.

87 {
88 // Computes the j-invariant of an elliptic curve E : y² + a₁xy + a₃y = x³ − 5a₁a₃x − (a₁³)a₃ − 7(a₃)²
89 fp2_t aux, tmp, num, den, a1_cube, a3_cube;
90
91 fp2_sqr(&a1_cube, input_a1);
92 fp2_sqr(&a3_cube, input_a3);
93 fp2_mul(&a1_cube, a1_cube, input_a1);
94 fp2_mul(&a3_cube, a3_cube, input_a3);
95
96 fp2_add(&tmp, input_a3, input_a3); // 2 × a₃
97 fp2_add(&tmp, tmp, input_a3); // 3 × a₃
98 fp2_add(&aux, tmp, tmp); // 6 × a₃
99 fp2_add(&aux, aux, aux); // 12 × a₃
100
101 fp2_add(&aux, aux, aux); // 24 × a₃
102 fp2_add(&aux, aux, tmp); // 27 × a₃
103 fp2_add(&tmp, aux, aux); // 54 × a₃
104 fp2_add(&tmp, tmp, tmp); // 108 × a₃
105
106 fp2_add(&tmp, tmp, tmp); // 216 × a₃
107 fp2_add(&num, a1_cube, tmp); // a₁³ + 216 × a₃
108 fp2_sub(&den, a1_cube, aux); // a₁³ - 27 × a₃
109
110 fp2_sqr(&tmp, num);
111 fp2_sqr(&aux, den);
112
113 fp2_mul(&num, num, tmp); // (a₁³ + 216 × a₃)³
114 fp2_mul(&den, den, aux); // (a₁³ - 27 × a₃)³
115 fp2_mul(&num, a1_cube, num); // (a₁³ + 216 × a₃)³ × a₁³
116 fp2_mul(&den, input_a3, den); // (a₁³ - 27 × a₃)³ × a₃
117
118 fp2_inv(&den, den);
119 fp2_mul(output_j, num, den);
120
121}
num
num
Definition j-invariants.m:29

References fp2_add, fp2_inv, fp2_mul, fp2_sqr, fp2_sub, and num.

Referenced by cgl_hash_digest_3().

Here is the caller graph for this function:

◆ isogeny_walks_to_montgomery_model_3_fp()

void isogeny_walks_to_montgomery_model_3_fp ( fp_t * output_A,
const fp_t * input_t )

Definition at line 144 of file isogeny_walks_3_fp.c.

144 {
145 fp_t r_squared, s_squared, r_cubed;
146 fp_t aux, alpha_cubed, alpha, rd;
147
148 // input_t[0] is r
149 // input_t[1] is s
150 // r_squared = r**2
151 fp_sqr(r_squared, input_t[0]);
152 // s_squared = s**2
153 fp_sqr(s_squared, input_t[1]);
154 // r_cubed = r_squared * r
155 fp_mul(r_cubed, r_squared, input_t[0]);
156 // s_cubed = s_squared * s
157 fp_mul(output_A[1], s_squared, input_t[1]);
158 // aux = r * s_squared
159 fp_mul(aux, s_squared, input_t[0]);
160
161 // alpha_cubed = r * (r_squared - s_squared)
162 fp_sub(alpha_cubed, r_squared, s_squared);
163 fp_mul(alpha_cubed, alpha_cubed, input_t[0]);
164 // alpha = setup['curt'](alpha_cubed)
165 fp_curt(alpha, alpha_cubed);
166
167 // Goal rd = 3 * (r * alpha**2 + r_squared * alpha + r_cubed) - s_sqr * alpha - 2 * aux
168 //rd = (r * alpha**2 + r_squared * alpha + r_cubed)
169 fp_mul(rd, input_t[0], alpha);
170 fp_add(rd, rd, r_squared);
171 fp_mul(rd, rd, alpha);
172 fp_add(rd, rd, r_cubed);
173 // rd = 3 * (r * alpha**2 + r_squared * alpha + r_cubed)
174 fp_add(r_squared, rd, rd);
175 fp_add(rd, rd, r_squared);
176 // rd = 3 * (r * alpha**2 + r_squared * alpha + r_cubed) - s_sqr * alpha - 2 * aux
177 fp_sub(rd, rd, aux);
178 fp_sub(rd, rd, aux);
179 fp_mul(r_squared, s_squared, alpha);
180 fp_sub(output_A[0], rd, r_squared);
181}

References fp_add, fp_curt(), fp_mul, fp_sqr, and fp_sub.

Referenced by isogeny_walks_3_fp(), and isogeny_walks_3_fp().

Here is the call graph for this function:
Here is the caller graph for this function: