Skip to content

Commit ccdae97

Browse files
tarcieritarcieri
authored
elliptic-curve: generic impl of complete prime order formulas (#1022)
Adds a generic implementation of the complete addition formulas from Renes-Costello-Batina 2015[1] adapted from @str4d's original implementation for the `p256` crate: RustCrypto/elliptic-curves#15 This implementation has been copied-and-pasted into the `p384` crate, hence the motivation to make it generic and extract it somewhere that it can be reused. The API exposed is fairly low-level, however it's difficult to better encapsulate it without making breaking changes to the `elliptic-curve` crate. Thus this PR opts to provide an initial low-level generic implementation with the goal of exploring removing more duplication with a higher-level API as followup work to be done at a time when breaking changes are permitted. [1]: https://eprint.iacr.org/2015/1060
1 parent 6937f5d commit ccdae97

File tree

2 files changed

+147
-14
lines changed

2 files changed

+147
-14
lines changed

elliptic-curve/src/lib.rs

Lines changed: 19 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -66,13 +66,30 @@ extern crate std;
6666
#[cfg_attr(docsrs, doc(cfg(feature = "rand_core")))]
6767
pub use rand_core;
6868

69+
#[macro_use]
70+
mod macros;
71+
6972
pub mod ops;
7073

74+
#[cfg(feature = "dev")]
75+
#[cfg_attr(docsrs, doc(cfg(feature = "dev")))]
76+
pub mod dev;
77+
78+
#[cfg(feature = "ecdh")]
79+
#[cfg_attr(docsrs, doc(cfg(feature = "ecdh")))]
80+
pub mod ecdh;
81+
82+
#[cfg(feature = "hash2curve")]
83+
#[cfg_attr(docsrs, doc(cfg(feature = "hash2curve")))]
84+
pub mod hash2curve;
85+
7186
#[cfg(feature = "sec1")]
87+
#[cfg_attr(docsrs, doc(cfg(feature = "sec1")))]
7288
pub mod sec1;
7389

74-
#[macro_use]
75-
mod macros;
90+
#[cfg(feature = "arithmetic")]
91+
#[cfg_attr(docsrs, doc(cfg(feature = "arithmetic")))]
92+
pub mod weierstrass;
7693

7794
mod error;
7895
mod point;
@@ -84,21 +101,9 @@ mod arithmetic;
84101
#[cfg(feature = "arithmetic")]
85102
mod public_key;
86103

87-
#[cfg(feature = "dev")]
88-
#[cfg_attr(docsrs, doc(cfg(feature = "dev")))]
89-
pub mod dev;
90-
91-
#[cfg(feature = "ecdh")]
92-
#[cfg_attr(docsrs, doc(cfg(feature = "ecdh")))]
93-
pub mod ecdh;
94-
95104
#[cfg(feature = "jwk")]
96105
mod jwk;
97106

98-
#[cfg(feature = "hash2curve")]
99-
#[cfg_attr(docsrs, doc(cfg(feature = "hash2curve")))]
100-
pub mod hash2curve;
101-
102107
pub use crate::{
103108
error::{Error, Result},
104109
point::{

elliptic-curve/src/weierstrass.rs

Lines changed: 128 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,128 @@
1+
//! Complete projective formulas for prime order elliptic curves as described
2+
//! in [Renes-Costello-Batina 2015].
3+
//!
4+
//! [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
5+
6+
#![allow(clippy::op_ref)]
7+
8+
use ff::Field;
9+
10+
/// Affine point whose coordinates are represented by the given field element.
11+
pub type AffinePoint<Fe> = (Fe, Fe);
12+
13+
/// Projective point whose coordinates are represented by the given field element.
14+
pub type ProjectivePoint<Fe> = (Fe, Fe, Fe);
15+
16+
/// Implements the complete addition formula from [Renes-Costello-Batina 2015]
17+
/// (Algorithm 4).
18+
///
19+
/// [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
20+
#[inline(always)]
21+
pub fn add<Fe>(
22+
(ax, ay, az): ProjectivePoint<Fe>,
23+
(bx, by, bz): ProjectivePoint<Fe>,
24+
curve_equation_b: Fe,
25+
) -> ProjectivePoint<Fe>
26+
where
27+
Fe: Field,
28+
{
29+
// The comments after each line indicate which algorithm steps are being
30+
// performed.
31+
let xx = ax * bx; // 1
32+
let yy = ay * by; // 2
33+
let zz = az * bz; // 3
34+
let xy_pairs = ((ax + ay) * &(bx + by)) - &(xx + &yy); // 4, 5, 6, 7, 8
35+
let yz_pairs = ((ay + az) * &(by + bz)) - &(yy + &zz); // 9, 10, 11, 12, 13
36+
let xz_pairs = ((ax + az) * &(bx + bz)) - &(xx + &zz); // 14, 15, 16, 17, 18
37+
38+
let bzz_part = xz_pairs - &(curve_equation_b * &zz); // 19, 20
39+
let bzz3_part = bzz_part.double() + &bzz_part; // 21, 22
40+
let yy_m_bzz3 = yy - &bzz3_part; // 23
41+
let yy_p_bzz3 = yy + &bzz3_part; // 24
42+
43+
let zz3 = zz.double() + &zz; // 26, 27
44+
let bxz_part = (curve_equation_b * &xz_pairs) - &(zz3 + &xx); // 25, 28, 29
45+
let bxz3_part = bxz_part.double() + &bxz_part; // 30, 31
46+
let xx3_m_zz3 = xx.double() + &xx - &zz3; // 32, 33, 34
47+
48+
(
49+
(yy_p_bzz3 * &xy_pairs) - &(yz_pairs * &bxz3_part), // 35, 39, 40
50+
(yy_p_bzz3 * &yy_m_bzz3) + &(xx3_m_zz3 * &bxz3_part), // 36, 37, 38
51+
(yy_m_bzz3 * &yz_pairs) + &(xy_pairs * &xx3_m_zz3), // 41, 42, 43
52+
)
53+
}
54+
55+
/// Implements the complete mixed addition formula from
56+
/// [Renes-Costello-Batina 2015] (Algorithm 5).
57+
///
58+
/// [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
59+
#[inline(always)]
60+
pub fn add_mixed<Fe>(
61+
(ax, ay, az): ProjectivePoint<Fe>,
62+
(bx, by): AffinePoint<Fe>,
63+
curve_equation_b: Fe,
64+
) -> ProjectivePoint<Fe>
65+
where
66+
Fe: Field,
67+
{
68+
// The comments after each line indicate which algorithm steps are being
69+
// performed.
70+
let xx = ax * &bx; // 1
71+
let yy = ay * &by; // 2
72+
let xy_pairs = ((ax + &ay) * &(bx + &by)) - &(xx + &yy); // 3, 4, 5, 6, 7
73+
let yz_pairs = (by * &az) + &ay; // 8, 9 (t4)
74+
let xz_pairs = (bx * &az) + &ax; // 10, 11 (y3)
75+
76+
let bz_part = xz_pairs - &(curve_equation_b * &az); // 12, 13
77+
let bz3_part = bz_part.double() + &bz_part; // 14, 15
78+
let yy_m_bzz3 = yy - &bz3_part; // 16
79+
let yy_p_bzz3 = yy + &bz3_part; // 17
80+
81+
let z3 = az.double() + &az; // 19, 20
82+
let bxz_part = (curve_equation_b * &xz_pairs) - &(z3 + &xx); // 18, 21, 22
83+
let bxz3_part = bxz_part.double() + &bxz_part; // 23, 24
84+
let xx3_m_zz3 = xx.double() + &xx - &z3; // 25, 26, 27
85+
86+
(
87+
(yy_p_bzz3 * &xy_pairs) - &(yz_pairs * &bxz3_part), // 28, 32, 33
88+
(yy_p_bzz3 * &yy_m_bzz3) + &(xx3_m_zz3 * &bxz3_part), // 29, 30, 31
89+
(yy_m_bzz3 * &yz_pairs) + &(xy_pairs * &xx3_m_zz3), // 34, 35, 36
90+
)
91+
}
92+
93+
/// Implements the exception-free point doubling formula from
94+
/// [Renes-Costello-Batina 2015] (Algorithm 6).
95+
///
96+
/// [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
97+
#[inline(always)]
98+
pub fn double<Fe>((x, y, z): ProjectivePoint<Fe>, curve_equation_b: Fe) -> ProjectivePoint<Fe>
99+
where
100+
Fe: Field,
101+
{
102+
// The comments after each line indicate which algorithm steps are being
103+
// performed.
104+
let xx = x.square(); // 1
105+
let yy = y.square(); // 2
106+
let zz = z.square(); // 3
107+
let xy2 = (x * &y).double(); // 4, 5
108+
let xz2 = (x * &z).double(); // 6, 7
109+
110+
let bzz_part = (curve_equation_b * &zz) - &xz2; // 8, 9
111+
let bzz3_part = bzz_part.double() + &bzz_part; // 10, 11
112+
let yy_m_bzz3 = yy - &bzz3_part; // 12
113+
let yy_p_bzz3 = yy + &bzz3_part; // 13
114+
let y_frag = yy_p_bzz3 * &yy_m_bzz3; // 14
115+
let x_frag = yy_m_bzz3 * &xy2; // 15
116+
117+
let zz3 = zz.double() + &zz; // 16, 17
118+
let bxz2_part = (curve_equation_b * &xz2) - &(zz3 + &xx); // 18, 19, 20
119+
let bxz6_part = bxz2_part.double() + &bxz2_part; // 21, 22
120+
let xx3_m_zz3 = xx.double() + &xx - &zz3; // 23, 24, 25
121+
122+
let dy = y_frag + &(xx3_m_zz3 * &bxz6_part); // 26, 27
123+
let yz2 = (y * &z).double(); // 28, 29
124+
let dx = x_frag - &(bxz6_part * &yz2); // 30, 31
125+
let dz = (yz2 * &yy).double().double(); // 32, 33, 34
126+
127+
(dx, dy, dz)
128+
}

0 commit comments

Comments
 (0)