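/* Tail of the preceding function: its signature and the loop these braces
 * close start above this view, so the statements are reproduced unchanged. */
      element_mul(e0, t0, sm2);
      element_mul(e1, tm2, s0);
      element_sub(cm2, e0, e1);
      element_mul(cm2, cm2, C);
      element_mul(e0, t0, sm1);
      element_mul(e1, tm1, s0);
      element_sub(cm1, e0, e1);
      element_mul(e0, t1, sm1);
      element_mul(e1, tm1, s1);
      element_sub(c0, e0, e1);
      element_mul(c0, c0, C);
      element_mul(e0, t1, s0);
      element_mul(e1, t0, s1);
      element_sub(c1, e0, e1);
      element_mul(e0, t2, s0);
      element_mul(e1, t0, s2);
      element_sub(c2, e0, e1);
      element_mul(c2, c2, C);
      element_mul(e0, t2, s1);
      element_mul(e1, t1, s2);
      element_sub(c3, e0, e1);
      element_mul(e0, t3, s1);
      element_mul(e1, t1, s3);
      element_sub(c4, e0, e1);
      element_mul(c4, c4, C);
    }
    m--;
  }
  element_clear(cm3);
  element_clear(cm2);
  element_clear(cm1);
  element_clear(c0);
  element_clear(c1);
  element_clear(c2);
  element_clear(c3);
  element_clear(c4);
  element_clear(sm2);
  element_clear(s3);
  element_clear(tm2);
  element_clear(t3);
  element_clear(e0);
  element_clear(e1);
  element_clear(C);
}

/* Release the Shipsey-Stange ("ellnet") precomputation hanging off p->data.
 *
 * The sequence table holds one entry per bit of the group order r (the same
 * count that a_pairing_ellnet_pp_apply walks); each entry owns eight field
 * elements, and the table itself plus the cached point (x, y) are freed last.
 * The entries are presumably allocated by a_pairing_ellnet_pp_init, which is
 * outside this view. */
static void a_pairing_ellnet_pp_clear(pairing_pp_t p)
{
  ellnet_pp_ptr pp = p->data;
  int i, rbits = mpz_sizeinbase(p->pairing->r, 2);
  for (i=0; i<rbits; i++) {
    ellnet_pp_st_ptr seq = pp->seq[i];
    element_clear(seq->sm1);
    element_clear(seq->s0);
    element_clear(seq->s1);
    element_clear(seq->s2);
    element_clear(seq->tm1);
    element_clear(seq->t0);
    element_clear(seq->t1);
    element_clear(seq->t2);
  }
  element_clear(pp->x);
  element_clear(pp->y);
  pbc_free(pp->seq);
  pbc_free(p->data);  /* pp aliases p->data; nothing dereferences it afterwards */
}

/* Evaluate the pairing e(P, in2) using the precomputed sequence for P stored
 * in p->data (Shipsey-Stange method).
 *
 * out : receives the result (an element of the same field as the d-values,
 *       i.e. the one out was initialised in by the caller).
 * in2 : the second curve point; only its affine coordinates are read.
 * p   : preprocessed pairing state; p->pairing->r and p->pairing->phikonr
 *       are read, p->data is the ellnet table.
 *
 * The main loop runs exactly rbits-1 iterations and branches only on the bits
 * of p->pairing->r (a pairing parameter), never on the input point, consuming
 * pp->seq[0 .. rbits-2] in order. The d-values are elements with fi_re/fi_im
 * parts; most steps multiply each part separately by a base-field scalar. */
static void a_pairing_ellnet_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p)
{
  element_ptr x2 = curve_x_coord(in2);
  element_ptr y2 = curve_y_coord(in2);
  ellnet_pp_ptr pp = p->data;
  int rbits = mpz_sizeinbase(p->pairing->r, 2);
  int k = 0;              /* index into pp->seq, advanced once per iteration */
  int m = rbits - 2;      /* bit of r examined this iteration, counting down */
  element_t A, B;         /* A: inverted x-sum, B: inverted quadratic term */
  element_t e0, e1;       /* base-field scratch */
  element_t dm1, d0, d1;  /* sliding window of the elliptic net sequence */
  element_t u, v;         /* u = d0^2, v = dm1*d1, recomputed each step */
  element_init_same_as(A, x2);
  element_init_same_as(B, out);
  element_init_same_as(e0, x2);
  element_init_same_as(e1, x2);
  element_init_same_as(dm1, out);
  element_init_same_as(d0, out);
  element_init_same_as(d1, out);
  element_init_same_as(u, out);
  element_init_same_as(v, out);

  /* A = 1/(x1 + x2), e0 = 2 x1 - x2, e1 = (2 x1 - x2)(x1 + x2)^2 */
  element_add(A, pp->x, x2);
  element_double(e0, pp->x);
  element_sub(e0, e0, x2);
  element_square(e1, A);
  element_mul(e1, e0, e1);
  /* B = -1 / ((y1 + i y2)^2 - e1), built in d1 as scratch */
  element_set(fi_re(d1), pp->y);
  element_set(fi_im(d1), y2);
  element_square(d1, d1);
  element_sub(fi_re(d1), fi_re(d1), e1);
  element_neg(B, d1);
  element_invert(B, B);
  element_invert(A, A);
  /* initial d1 = e0 - ((-y1 + i y2) A)^2, conjugated in the imaginary part */
  element_mul(fi_re(d1), pp->y, A);
  element_neg(fi_re(d1), fi_re(d1));
  element_mul(fi_im(d1), y2, A);
  element_square(d1, d1);
  element_sub(fi_re(d1), e0, fi_re(d1));
  element_neg(fi_im(d1), fi_im(d1));
  element_set1(dm1);
  element_set1(d0);

  for (;;) {
    element_ptr sm1, s0, s1, s2;
    element_ptr tm1, t0, t1, t2;
    ellnet_pp_st_ptr seq = pp->seq[k];
    sm1 = seq->sm1; s0 = seq->s0; s1 = seq->s1; s2 = seq->s2;
    tm1 = seq->tm1; t0 = seq->t0; t1 = seq->t1; t2 = seq->t2;
    k++;
    element_square(u, d0);
    element_mul(v, dm1, d1);
    if (mpz_tstbit(p->pairing->r, m)) {
      /* double-and-add: out is used as scratch for the u*t products */
      element_mul(fi_re(out), fi_re(u), t0);
      element_mul(fi_im(out), fi_im(u), t0);
      element_mul(fi_re(dm1), fi_re(v), s0);
      element_mul(fi_im(dm1), fi_im(v), s0);
      element_sub(dm1, dm1, out);
      element_mul(fi_re(out), fi_re(u), t1);
      element_mul(fi_im(out), fi_im(u), t1);
      element_mul(fi_re(d0), fi_re(v), s1);
      element_mul(fi_im(d0), fi_im(v), s1);
      element_sub(d0, d0, out);
      element_mul(fi_re(d0), fi_re(d0), A);
      element_mul(fi_im(d0), fi_im(d0), A);
      element_mul(fi_re(out), fi_re(u), t2);
      element_mul(fi_im(out), fi_im(u), t2);
      element_mul(fi_re(d1), fi_re(v), s2);
      element_mul(fi_im(d1), fi_im(v), s2);
      element_sub(d1, d1, out);
      element_mul(d1, d1, B);
    } else {
      /* double: same shape, shifted one sequence index down */
      element_mul(fi_re(out), fi_re(u), tm1);
      element_mul(fi_im(out), fi_im(u), tm1);
      element_mul(fi_re(dm1), fi_re(v), sm1);
      element_mul(fi_im(dm1), fi_im(v), sm1);
      element_sub(dm1, dm1, out);
      element_mul(fi_re(out), fi_re(u), t0);
      element_mul(fi_im(out), fi_im(u), t0);
      element_mul(fi_re(d0), fi_re(v), s0);
      element_mul(fi_im(d0), fi_im(v), s0);
      element_sub(d0, d0, out);
      element_mul(fi_re(out), fi_re(u), t1);
      element_mul(fi_im(out), fi_im(u), t1);
      element_mul(fi_re(d1), fi_re(v), s1);
      element_mul(fi_im(d1), fi_im(v), s1);
      element_sub(d1, d1, out);
      element_mul(fi_re(d1), fi_re(d1), A);
      element_mul(fi_im(d1), fi_im(d1), A);
    }
    if (!m) break;
    m--;
  }
  /* final exponentiation; d0 is passed as scratch (a_tateexp is defined elsewhere) */
  a_tateexp(out, d1, d0, p->pairing->phikonr);
  element_clear(A);
  element_clear(B);
  element_clear(e0);
  element_clear(e1);
  element_clear(dm1);
  element_clear(d0);
  element_clear(d1);
  element_clear(u);
  element_clear(v);
}

/* Miller's algorithm for the type-A pairing using Jacobian projective
 * coordinates for the running point V.
 *
 * in1, in2 are from E(F_q), out from F_q^2.
 *
 * The loop structure is: p->exp1 doublings, snapshot V1 = +-V and f1 = f^(+-1)
 * according to p->sign1, continue to p->exp2 doublings, then multiply by f1
 * and by the line through V and V1 before a_tateexp finishes the result.
 * The helpers below are GCC nested functions closing over the locals above
 * them; they read and write V, z, z2, f and the scratch elements directly. */
static void a_pairing_proj(element_ptr out, element_ptr in1, element_ptr in2, pairing_t pairing)
{
  a_pairing_data_ptr p = pairing->data;
  element_t V, V1;
  element_t z, z2;          /* Z coordinate of V and its square */
  element_t f, f0, f1;      /* f: Miller accumulator, f0: line value, f1: snapshot */
  element_t a, b, c;        /* line coefficients, also reused as scratch */
  element_t e0;
  const element_ptr e1 = a, e2 = b, e3 = c;  /* proj_double scratch aliases a, b, c */
  int i, n;
  element_ptr Vx, Vy;
  element_ptr V1x, V1y;
  element_ptr Qx = curve_x_coord(in2);
  element_ptr Qy = curve_y_coord(in2);

  //could save a couple of inversions by avoiding
  //this function and rewriting do_line() to handle projective coords

  //convert V from weighted projective (Jacobian) to affine
  //i.e. (X, Y, Z) --> (X/Z^2, Y/Z^3)
  //also sets z to 1
  void point_to_affine(void) {
    element_invert(z, z);
    element_square(e0, z);
    element_mul(Vx, Vx, e0);
    element_mul(e0, e0, z);
    element_mul(Vy, Vy, e0);
    element_set1(z);
    element_set1(z2);
  }

  //Jacobian doubling of V in place; small constant factors are built from
  //element_double/element_add rather than a scalar multiply.
  void proj_double(void) {
    //e0 = 3x^2 + (cc->a) z^4
    //for this case a = 1
    element_square(e0, Vx);
    element_double(e1, e0);
    element_add(e0, e1, e0);
    element_square(e1, z2);
    element_add(e0, e0, e1);

    //z_out = 2 y z
    element_mul(z, Vy, z);
    element_double(z, z);
    element_square(z2, z);

    //e1 = 4 x y^2
    element_square(e2, Vy);
    element_mul(e1, Vx, e2);
    element_double(e1, e1);
    element_double(e1, e1);

    //x_out = e0^2 - 2 e1
    element_double(e3, e1);
    element_square(Vx, e0);
    element_sub(Vx, Vx, e3);

    //e2 = 8y^4
    element_square(e2, e2);
    element_double(e2, e2);
    element_double(e2, e2);
    element_double(e2, e2);

    //y_out = e0(e1 - x_out) - e2
    element_sub(e1, e1, Vx);
    element_mul(e0, e0, e1);
    element_sub(Vy, e0, e2);
  }

  //f *= tangent line at V, evaluated at Q
  void do_tangent(void) {
    compute_abc_tangent_proj(a, b, c, Vx, Vy, z, z2, e0);
    a_miller_evalfn(f0, a, b, c, Qx, Qy);
    element_mul(f, f, f0);
  }

  //f *= line through V and V1, evaluated at Q (expects V in affine form)
  void do_line(void) {
    compute_abc_line(a, b, c, Vx, Vy, V1x, V1y, e0);
    a_miller_evalfn(f0, a, b, c, Qx, Qy);
    element_mul(f, f, f0);
  }

  element_init(V, p->Eq);
  element_init(V1, p->Eq);
  element_set(V, in1);
  Vx = curve_x_coord(V);
  Vy = curve_y_coord(V);
  V1x = curve_x_coord(V1);
  V1y = curve_y_coord(V1);

  element_init(f, p->Fq2);
  element_init(f0, p->Fq2);
  element_init(f1, p->Fq2);
  element_set1(f);
  element_init(a, p->Fq);
  element_init(b, p->Fq);
  element_init(c, p->Fq);
  element_init(e0, p->Fq);
  element_init(z, p->Fq);
  element_init(z2, p->Fq);
  element_set1(z);
  element_set1(z2);

  n = p->exp1;
  for (i=0; i<n; i++) {
    //f = f^2 g_V,V(Q)
    //where g_V,V = tangent at V
    element_square(f, f);
    do_tangent();
    proj_double();
  }
  point_to_affine();
  if (p->sign1 < 0) {
    element_neg(V1, V);
    element_invert(f1, f);
  } else {
    element_set(V1, V);
    element_set(f1, f);
  }
  n = p->exp2;
  for (; i<n; i++) {
    element_square(f, f);
    do_tangent();
    proj_double();
  }

  element_mul(f, f, f1);
  point_to_affine();
  do_line();

  a_tateexp(out, f, f0, pairing->phikonr);

  element_clear(f);
  element_clear(f0);
  element_clear(f1);
  element_clear(z);
  element_clear(z2);
  element_clear(V);
  element_clear(V1);
  element_clear(a);
  element_clear(b);
  element_clear(c);
  element_clear(e0);
}

/* Miller's algorithm for the type-A pairing using affine coordinates for V
 * (element_double on the curve group does the point doubling).
 *
 * in1, in2 are from E(F_q), out from F_q^2.
 *
 * Same loop structure as a_pairing_proj: p->exp1 doublings, snapshot
 * V1 = +-V and f1 = f^(+-1) per p->sign1, continue to p->exp2 doublings,
 * multiply by f1 and the V-V1 line, then a_tateexp.
 * Fixes versus the previous revision: V1x/V1y were never assigned before
 * do_line() read them, and an unused element z was initialised but never
 * cleared. */
static void a_pairing_affine(element_ptr out, element_ptr in1, element_ptr in2, pairing_t pairing)
{
  a_pairing_data_ptr p = pairing->data;
  element_t V, V1;
  element_t f, f0, f1;      /* f: Miller accumulator, f0: line value, f1: snapshot */
  element_t a, b, c;        /* line coefficients */
  element_t e0;             /* scratch for the abc helpers */
  int i, n;
  element_ptr Qx = curve_x_coord(in2);
  element_ptr Qy = curve_y_coord(in2);
  element_ptr Vx, Vy;
  element_ptr V1x, V1y;

  //f *= tangent line at V, evaluated at Q
  void do_tangent(void) {
    compute_abc_tangent(a, b, c, Vx, Vy, e0);
    a_miller_evalfn(f0, a, b, c, Qx, Qy);
    element_mul(f, f, f0);
  }

  //f *= line through V and V1, evaluated at Q
  void do_line(void) {
    compute_abc_line(a, b, c, Vx, Vy, V1x, V1y, e0);
    a_miller_evalfn(f0, a, b, c, Qx, Qy);
    element_mul(f, f, f0);
  }

  element_init(V, p->Eq);
  element_init(V1, p->Eq);
  element_set(V, in1);
  Vx = curve_x_coord(V);
  Vy = curve_y_coord(V);
  /* V1's coordinate pointers must be bound before do_line() dereferences them */
  V1x = curve_x_coord(V1);
  V1y = curve_y_coord(V1);

  element_init(f, p->Fq2);
  element_init(f0, p->Fq2);
  element_init(f1, p->Fq2);
  element_set1(f);
  element_init(a, p->Fq);
  element_init(b, p->Fq);
  element_init(c, p->Fq);
  element_init(e0, p->Fq);

  n = p->exp1;
  for (i=0; i<n; i++) {
    //f = f^2 g_V,V(Q)
    //where g_V,V = tangent at V
    element_square(f, f);
    do_tangent();
    element_double(V, V);
  }
  if (p->sign1 < 0) {
    element_neg(V1, V);
    element_invert(f1, f);
  } else {
    element_set(V1, V);
    element_set(f1, f);
  }
  n = p->exp2;
  for (; i<n; i++) {
    element_square(f, f);
    do_tangent();
    element_double(V, V);
  }

  element_mul(f, f, f1);
  do_line();

  a_tateexp(out, f, f0, pairing->phikonr);

  element_clear(f);
  element_clear(f0);
  element_clear(f1);
  element_clear(V);
  element_clear(V1);
  element_clear(a);
  element_clear(b);
  element_clear(c);
  element_clear(e0);
}

/* Tear down everything pairing_init_a_param allocated on the pairing:
 * the three fields and the data block, then r, phikonr and Zr. */
static void a_pairing_clear(pairing_t pairing)
{
  a_pairing_data_ptr p = pairing->data;
  field_clear(p->Eq);
  field_clear(p->Fq);
  field_clear(p->Fq2);
  pbc_free(p);
  mpz_clear(pairing->r);
  mpz_clear(pairing->phikonr);
  field_clear(pairing->Zr);
}

/* Select the pairing implementation by the "method" option.
 *
 * key/value are matched with strcmp, so both must be NUL-terminated strings
 * (a NULL key or value is not handled here; presumably the caller guarantees
 * non-NULL). Recognised values: "miller" (projective Miller loop),
 * "miller-affine" (affine Miller loop) and "shipsey-stange" (elliptic nets).
 * Any other key or value is silently ignored and leaves the currently
 * installed map/pp_* function pointers untouched, so a typo in a
 * configuration string does not fail loudly. */
static void a_pairing_option_set(pairing_t pairing, char *key, char *value)
{
  if (!strcmp(key, "method")) {
    if (!strcmp(value, "miller")) {
      pairing->map = a_pairing_proj;
      pairing->pp_init = a_pairing_pp_init;
      pairing->pp_clear = a_pairing_pp_clear;
      pairing->pp_apply = a_pairing_pp_apply;
    } else if (!strcmp(value, "miller-affine")) {
      pairing->map = a_pairing_affine;
      pairing->pp_init = a_pairing_pp_init;
      pairing->pp_clear = a_pairing_pp_clear;
      pairing->pp_apply = a_pairing_pp_apply;
    } else if (!strcmp(value, "shipsey-stange")) {
      pairing->map = a_pairing_ellnet;
      pairing->pp_init = a_pairing_ellnet_pp_init;
      pairing->pp_clear = a_pairing_ellnet_pp_clear;
      pairing->pp_apply = a_pairing_ellnet_pp_apply;
    }
    /* unknown method values fall through unchanged on purpose (see above) */
  }
}

/* Head of pairing_init_a_param; the rest of its body continues below this
 * view and is reproduced here unchanged up to the cut. */
void pairing_init_a_param(pairing_t pairing, a_param_t param)
{
  element_t a, b;
  a_pairing_data_ptr p;

  p = pairing->data = pbc_malloc(sizeof(a_pairing_data_t));
  p->exp2 = param->exp2;
  p->exp1 = param->exp1;
  p->sign1 = param->sign1;
  mpz_init(pairing->r);
  mpz_set(pairing->r, param->r);
  field_init_fp(pairing->Zr, pairing->r);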