// ecp.cpp - originally written and placed in the public domain by Wei Dai
#include "pch.h"
#ifndef CRYPTOPP_IMPORTS
#include "ecp.h"
#include "asn.h"
#include "integer.h"
#include "nbtheory.h"
#include "modarith.h"
#include "filters.h"
#include "algebra.cpp"
ANONYMOUS_NAMESPACE_BEGIN
using CryptoPP::ECP;
using CryptoPP::Integer;
using CryptoPP::ModularArithmetic;
#if defined(HAVE_GCC_INIT_PRIORITY)
#define INIT_ATTRIBUTE __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 50)))
const ECP::Point g_identity INIT_ATTRIBUTE = ECP::Point();
#elif defined(HAVE_MSC_INIT_PRIORITY)
#pragma warning(disable: 4075)
#pragma init_seg(".CRT$XCU")
const ECP::Point g_identity;
#pragma warning(default: 4075)
#elif defined(HAVE_XLC_INIT_PRIORITY)
#pragma priority(290)
const ECP::Point g_identity;
#endif
inline ECP::Point ToMontgomery(const ModularArithmetic &mr, const ECP::Point &P)
{
return P.identity ? P : ECP::Point(mr.ConvertIn(P.x), mr.ConvertIn(P.y));
}
inline ECP::Point FromMontgomery(const ModularArithmetic &mr, const ECP::Point &P)
{
return P.identity ? P : ECP::Point(mr.ConvertOut(P.x), mr.ConvertOut(P.y));
}
inline Integer IdentityToInteger(bool val)
{
return val ? Integer::One() : Integer::Zero();
}
ANONYMOUS_NAMESPACE_END
NAMESPACE_BEGIN(CryptoPP)
ECP::ECP(const ECP &ecp, bool convertToMontgomeryRepresentation)
{
if (convertToMontgomeryRepresentation && !ecp.GetField().IsMontgomeryRepresentation())
{
m_fieldPtr.reset(new MontgomeryRepresentation(ecp.GetField().GetModulus()));
m_a = GetField().ConvertIn(ecp.m_a);
m_b = GetField().ConvertIn(ecp.m_b);
}
else
operator=(ecp);
}
ECP::ECP(BufferedTransformation &bt)
: m_fieldPtr(new Field(bt))
{
BERSequenceDecoder seq(bt);
GetField().BERDecodeElement(seq, m_a);
GetField().BERDecodeElement(seq, m_b);
// skip optional seed
if (!seq.EndReached())
{
SecByteBlock seed;
unsigned int unused;
BERDecodeBitString(seq, seed, unused);
}
seq.MessageEnd();
}
void ECP::DEREncode(BufferedTransformation &bt) const
{
GetField().DEREncode(bt);
DERSequenceEncoder seq(bt);
GetField().DEREncodeElement(seq, m_a);
GetField().DEREncodeElement(seq, m_b);
seq.MessageEnd();
}
bool ECP::DecodePoint(ECP::Point &P, const byte *encodedPoint, size_t encodedPointLen) const
{
StringStore store(encodedPoint, encodedPointLen);
return DecodePoint(P, store, encodedPointLen);
}
bool ECP::DecodePoint(ECP::Point &P, BufferedTransformation &bt, size_t encodedPointLen) const
{
byte type;
if (encodedPointLen < 1 || !bt.Get(type))
return false;
switch (type)
{
case 0:
P.identity = true;
return true;
case 2:
case 3:
{
if (encodedPointLen != EncodedPointSize(true))
return false;
Integer p = FieldSize();
P.identity = false;
P.x.Decode(bt, GetField().MaxElementByteLength());
P.y = ((P.x*P.x+m_a)*P.x+m_b) % p;
if (Jacobi(P.y, p) !=1)
return false;
P.y = ModularSquareRoot(P.y, p);
if ((type & 1) != P.y.GetBit(0))
P.y = p-P.y;
return true;
}
case 4:
{
if (encodedPointLen != EncodedPointSize(false))
return false;
unsigned int len = GetField().MaxElementByteLength();
P.identity = false;
P.x.Decode(bt, len);
P.y.Decode(bt, len);
return true;
}
default:
return false;
}
}
void ECP::EncodePoint(BufferedTransformation &bt, const Point &P, bool compressed) const
{
if (P.identity)
NullStore().TransferTo(bt, EncodedPointSize(compressed));
else if (compressed)
{
bt.Put((byte)(2U + P.y.GetBit(0)));
P.x.Encode(bt, GetField().MaxElementByteLength());
}
else
{
unsigned int len = GetField().MaxElementByteLength();
bt.Put(4U); // uncompressed
P.x.Encode(bt, len);
P.y.Encode(bt, len);
}
}
void ECP::EncodePoint(byte *encodedPoint, const Point &P, bool compressed) const
{
ArraySink sink(encodedPoint, EncodedPointSize(compressed));
EncodePoint(sink, P, compressed);
CRYPTOPP_ASSERT(sink.TotalPutLength() == EncodedPointSize(compressed));
}
ECP::Point ECP::BERDecodePoint(BufferedTransformation &bt) const
{
SecByteBlock str;
BERDecodeOctetString(bt, str);
Point P;
if (!DecodePoint(P, str, str.size()))
BERDecodeError();
return P;
}
void ECP::DEREncodePoint(BufferedTransformation &bt, const Point &P, bool compressed) const
{
SecByteBlock str(EncodedPointSize(compressed));
EncodePoint(str, P, compressed);
DEREncodeOctetString(bt, str);
}
bool ECP::ValidateParameters(RandomNumberGenerator &rng, unsigned int level) const
{
Integer p = FieldSize();
bool pass = p.IsOdd();
pass = pass && !m_a.IsNegative() && m_a= 1)
pass = pass && ((4*m_a*m_a*m_a+27*m_b*m_b)%p).IsPositive();
if (level >= 2)
pass = pass && VerifyPrime(rng, p);
return pass;
}
bool ECP::VerifyPoint(const Point &P) const
{
const FieldElement &x = P.x, &y = P.y;
Integer p = FieldSize();
return P.identity ||
(!x.IsNegative() && x
().Ref();
#endif
}
const ECP::Point& ECP::Inverse(const Point &P) const
{
if (P.identity)
return P;
else
{
m_R.identity = false;
m_R.x = P.x;
m_R.y = GetField().Inverse(P.y);
return m_R;
}
}
const ECP::Point& ECP::Add(const Point &P, const Point &Q) const
{
AdditionFunction add(*this);
return (m_R = add(P, Q));
}
const ECP::Point& ECP::Double(const Point &P) const
{
AdditionFunction add(*this);
return (m_R = add(P));
}
template void ParallelInvert(const AbstractRing &ring, Iterator begin, Iterator end)
{
size_t n = end-begin;
if (n == 1)
*begin = ring.MultiplicativeInverse(*begin);
else if (n > 1)
{
std::vector vec((n+1)/2);
unsigned int i;
Iterator it;
for (i=0, it=begin; i::iterator it) : it(it) {}
Integer& operator*() {return it->z;}
int operator-(ZIterator it2) {return int(it-it2.it);}
ZIterator operator+(int i) {return ZIterator(it+i);}
ZIterator& operator+=(int i) {it+=i; return *this;}
std::vector::iterator it;
};
ECP::Point ECP::ScalarMultiply(const Point &P, const Integer &k) const
{
Element result;
if (k.BitCount() <= 5)
AbstractGroup::SimultaneousMultiply(&result, P, &k, 1);
else
ECP::SimultaneousMultiply(&result, P, &k, 1);
return result;
}
void ECP::SimultaneousMultiply(ECP::Point *results, const ECP::Point &P, const Integer *expBegin, unsigned int expCount) const
{
if (!GetField().IsMontgomeryRepresentation())
{
ECP ecpmr(*this, true);
const ModularArithmetic &mr = ecpmr.GetField();
ecpmr.SimultaneousMultiply(results, ToMontgomery(mr, P), expBegin, expCount);
for (unsigned int i=0; i bases;
std::vector exponents;
exponents.reserve(expCount);
std::vector > baseIndices(expCount);
std::vector > negateBase(expCount);
std::vector > exponentWindows(expCount);
unsigned int i;
for (i=0; iNotNegative());
exponents.push_back(WindowSlider(*expBegin++, InversionIsFast(), 5));
exponents[i].FindNextWindow();
}
unsigned int expBitPosition = 0;
bool notDone = true;
while (notDone)
{
notDone = false;
bool baseAdded = false;
for (i=0; i > finalCascade;
for (i=0; i::CascadeScalarMultiply(P, k1, Q, k2);
}
#define X p.x
#define Y p.y
#define Z p.z
#define X1 p.x
#define Y1 p.y
#define Z1 p.z
#define X2 q.x
#define Y2 q.y
#define Z2 q.z
#define X3 r.x
#define Y3 r.y
#define Z3 r.z
ECP::AdditionFunction::AdditionFunction(const ECP& ecp)
: m_ecp(ecp), m_alpha(static_cast(0))
{
if (m_ecp.GetField().IsMontgomeryRepresentation())
{
m_alpha = A_Montgomery;
}
else
{
if (m_ecp.m_a == 0)
{
m_alpha = A_0;
}
else if (m_ecp.m_a == -3 || (m_ecp.m_a - m_ecp.GetField().GetModulus()) == -3)
{
m_alpha = A_3;
}
else
{
m_alpha = A_Star;
}
}
}
ECP::Point ECP::AdditionFunction::operator()(const Point& P) const
{
if (m_alpha == A_3)
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement& b = m_ecp.m_b;
ECP::Point& R = m_ecp.m_R;
// Gyrations attempt to maintain constant-timeness
// We need either (P.x, P.y, 1) or (0, 1, 0).
const Integer x = P.x * IdentityToInteger(!P.identity);
const Integer y = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
const Integer z = 1 * IdentityToInteger(!P.identity);
ProjectivePoint p(x, y, z), r;
FieldElement t0 = field.Square(X);
FieldElement t1 = field.Square(Y);
FieldElement t2 = field.Square(Z);
FieldElement t3 = field.Multiply(X,Y);
t3 = field.Add(t3,t3);
Z3 = field.Multiply(X,Z);
Z3 = field.Add(Z3,Z3);
Y3 = field.Multiply(b,t2);
Y3 = field.Subtract(Y3,Z3);
X3 = field.Add(Y3,Y3);
Y3 = field.Add(X3,Y3);
X3 = field.Subtract(t1,Y3);
Y3 = field.Add(t1,Y3);
Y3 = field.Multiply(X3,Y3);
X3 = field.Multiply(X3,t3);
t3 = field.Add(t2,t2);
t2 = field.Add(t2,t3);
Z3 = field.Multiply(b,Z3);
Z3 = field.Subtract(Z3,t2);
Z3 = field.Subtract(Z3,t0);
t3 = field.Add(Z3,Z3);
Z3 = field.Add(Z3,t3);
t3 = field.Add(t0,t0);
t0 = field.Add(t3,t0);
t0 = field.Subtract(t0,t2);
t0 = field.Multiply(t0,Z3);
Y3 = field.Add(Y3,t0);
t0 = field.Multiply(Y,Z);
t0 = field.Add(t0,t0);
Z3 = field.Multiply(t0,Z3);
X3 = field.Subtract(X3,Z3);
Z3 = field.Multiply(t0,t1);
Z3 = field.Add(Z3,Z3);
Z3 = field.Add(Z3,Z3);
const FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
// More gyrations
R.x = X3*Z3.NotZero();
R.y = Y3*Z3.NotZero();
R.identity = Z3.IsZero();
return R;
}
else if (m_alpha == A_0)
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement b3 = field.Multiply(m_ecp.m_b, 3);
ECP::Point& R = m_ecp.m_R;
// Gyrations attempt to maintain constant-timeness
// We need either (P.x, P.y, 1) or (0, 1, 0).
const Integer x = P.x * IdentityToInteger(!P.identity);
const Integer y = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
const Integer z = 1 * IdentityToInteger(!P.identity);
ProjectivePoint p(x, y, z), r;
FieldElement t0 = field.Square(Y);
Z3 = field.Add(t0,t0);
Z3 = field.Add(Z3,Z3);
Z3 = field.Add(Z3,Z3);
FieldElement t1 = field.Add(Y,Z);
FieldElement t2 = field.Square(Z);
t2 = field.Multiply(b3,t2);
X3 = field.Multiply(t2,Z3);
Y3 = field.Add(t0,t2);
Z3 = field.Multiply(t1,Z3);
t1 = field.Add(t2,t2);
t2 = field.Add(t1,t2);
t0 = field.Subtract(t0,t2);
Y3 = field.Multiply(t0,Y3);
Y3 = field.Add(X3,Y3);
t1 = field.Multiply(X,Y);
X3 = field.Multiply(t0,t1);
X3 = field.Add(X3,X3);
const FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
// More gyrations
R.x = X3*Z3.NotZero();
R.y = Y3*Z3.NotZero();
R.identity = Z3.IsZero();
return R;
}
else if (m_alpha == A_Star)
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement b3 = field.Multiply(m_ecp.m_b, 3);
ECP::Point& R = m_ecp.m_R;
// Gyrations attempt to maintain constant-timeness
// We need either (P.x, P.y, 1) or (0, 1, 0).
const Integer x = P.x * IdentityToInteger(!P.identity);
const Integer y = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
const Integer z = 1 * IdentityToInteger(!P.identity);
ProjectivePoint p(x, y, z), r;
FieldElement t0 = field.Square(Y);
Z3 = field.Add(t0,t0);
Z3 = field.Add(Z3,Z3);
Z3 = field.Add(Z3,Z3);
FieldElement t1 = field.Add(Y,Z);
FieldElement t2 = field.Square(Z);
t2 = field.Multiply(b3,t2);
X3 = field.Multiply(t2,Z3);
Y3 = field.Add(t0,t2);
Z3 = field.Multiply(t1,Z3);
t1 = field.Add(t2,t2);
t2 = field.Add(t1,t2);
t0 = field.Subtract(t0,t2);
Y3 = field.Multiply(t0,Y3);
Y3 = field.Add(X3,Y3);
t1 = field.Multiply(X,Y);
X3 = field.Multiply(t0,t1);
X3 = field.Add(X3,X3);
const FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
// More gyrations
R.x = X3*Z3.NotZero();
R.y = Y3*Z3.NotZero();
R.identity = Z3.IsZero();
return R;
}
else // A_Montgomery
{
ECP::Point& R = m_ecp.m_R;
const ECP::Field& field = m_ecp.GetField();
const FieldElement& a = m_ecp.m_a;
// More gyrations
bool identity = (P.identity | (P.y==field.Identity()));
FieldElement t = field.Square(P.x);
t = field.Add(field.Add(field.Double(t), t), a);
t = field.Divide(t, field.Double(P.y));
FieldElement x = field.Subtract(field.Subtract(field.Square(t), P.x), P.x);
R.y = field.Subtract(field.Multiply(t, field.Subtract(P.x, x)), P.y);
R.x.swap(x);
// More gyrations
R.x *= IdentityToInteger(!identity);
R.y *= IdentityToInteger(!identity);
R.identity = identity;
return R;
}
}
ECP::Point ECP::AdditionFunction::operator()(const Point& P, const Point& Q) const
{
if (m_alpha == A_3)
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement& b = m_ecp.m_b;
ECP::Point& R = m_ecp.m_R;
// Gyrations attempt to maintain constant-timeness
// We need either (P.x, P.y, 1) or (0, 1, 0).
const Integer x1 = P.x * IdentityToInteger(!P.identity);
const Integer y1 = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
const Integer z1 = 1 * IdentityToInteger(!P.identity);
const Integer x2 = Q.x * IdentityToInteger(!Q.identity);
const Integer y2 = Q.y * IdentityToInteger(!Q.identity) + 1 * IdentityToInteger(Q.identity);
const Integer z2 = 1 * IdentityToInteger(!Q.identity);
ProjectivePoint p(x1, y1, z1), q(x2, y2, z2), r;
FieldElement t0 = field.Multiply(X1,X2);
FieldElement t1 = field.Multiply(Y1,Y2);
FieldElement t2 = field.Multiply(Z1,Z2);
FieldElement t3 = field.Add(X1,Y1);
FieldElement t4 = field.Add(X2,Y2);
t3 = field.Multiply(t3,t4);
t4 = field.Add(t0,t1);
t3 = field.Subtract(t3,t4);
t4 = field.Add(Y1,Z1);
X3 = field.Add(Y2,Z2);
t4 = field.Multiply(t4,X3);
X3 = field.Add(t1,t2);
t4 = field.Subtract(t4,X3);
X3 = field.Add(X1,Z1);
Y3 = field.Add(X2,Z2);
X3 = field.Multiply(X3,Y3);
Y3 = field.Add(t0,t2);
Y3 = field.Subtract(X3,Y3);
Z3 = field.Multiply(b,t2);
X3 = field.Subtract(Y3,Z3);
Z3 = field.Add(X3,X3);
X3 = field.Add(X3,Z3);
Z3 = field.Subtract(t1,X3);
X3 = field.Add(t1,X3);
Y3 = field.Multiply(b,Y3);
t1 = field.Add(t2,t2);
t2 = field.Add(t1,t2);
Y3 = field.Subtract(Y3,t2);
Y3 = field.Subtract(Y3,t0);
t1 = field.Add(Y3,Y3);
Y3 = field.Add(t1,Y3);
t1 = field.Add(t0,t0);
t0 = field.Add(t1,t0);
t0 = field.Subtract(t0,t2);
t1 = field.Multiply(t4,Y3);
t2 = field.Multiply(t0,Y3);
Y3 = field.Multiply(X3,Z3);
Y3 = field.Add(Y3,t2);
X3 = field.Multiply(t3,X3);
X3 = field.Subtract(X3,t1);
Z3 = field.Multiply(t4,Z3);
t1 = field.Multiply(t3,t0);
Z3 = field.Add(Z3,t1);
const FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
// More gyrations
R.x = X3*Z3.NotZero();
R.y = Y3*Z3.NotZero();
R.identity = Z3.IsZero();
return R;
}
else if (m_alpha == A_0)
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement b3 = field.Multiply(m_ecp.m_b, 3);
ECP::Point& R = m_ecp.m_R;
// Gyrations attempt to maintain constant-timeness
// We need either (P.x, P.y, 1) or (0, 1, 0).
const Integer x1 = P.x * IdentityToInteger(!P.identity);
const Integer y1 = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
const Integer z1 = 1 * IdentityToInteger(!P.identity);
const Integer x2 = Q.x * IdentityToInteger(!Q.identity);
const Integer y2 = Q.y * IdentityToInteger(!Q.identity) + 1 * IdentityToInteger(Q.identity);
const Integer z2 = 1 * IdentityToInteger(!Q.identity);
ProjectivePoint p(x1, y1, z1), q(x2, y2, z2), r;
FieldElement t0 = field.Square(Y);
Z3 = field.Add(t0,t0);
Z3 = field.Add(Z3,Z3);
Z3 = field.Add(Z3,Z3);
FieldElement t1 = field.Add(Y,Z);
FieldElement t2 = field.Square(Z);
t2 = field.Multiply(b3,t2);
X3 = field.Multiply(t2,Z3);
Y3 = field.Add(t0,t2);
Z3 = field.Multiply(t1,Z3);
t1 = field.Add(t2,t2);
t2 = field.Add(t1,t2);
t0 = field.Subtract(t0,t2);
Y3 = field.Multiply(t0,Y3);
Y3 = field.Add(X3,Y3);
t1 = field.Multiply(X,Y);
X3 = field.Multiply(t0,t1);
X3 = field.Add(X3,X3);
const FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
// More gyrations
R.x = X3*Z3.NotZero();
R.y = Y3*Z3.NotZero();
R.identity = Z3.IsZero();
return R;
}
else if (m_alpha == A_Star)
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement &a = m_ecp.m_a;
const FieldElement b3 = field.Multiply(m_ecp.m_b, 3);
ECP::Point& R = m_ecp.m_R;
// Gyrations attempt to maintain constant-timeness
// We need either (P.x, P.y, 1) or (0, 1, 0).
const Integer x1 = P.x * IdentityToInteger(!P.identity);
const Integer y1 = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
const Integer z1 = 1 * IdentityToInteger(!P.identity);
const Integer x2 = Q.x * IdentityToInteger(!Q.identity);
const Integer y2 = Q.y * IdentityToInteger(!Q.identity) + 1 * IdentityToInteger(Q.identity);
const Integer z2 = 1 * IdentityToInteger(!Q.identity);
ProjectivePoint p(x1, y1, z1), q(x2, y2, z2), r;
FieldElement t0 = field.Multiply(X1,X2);
FieldElement t1 = field.Multiply(Y1,Y2);
FieldElement t2 = field.Multiply(Z1,Z2);
FieldElement t3 = field.Add(X1,Y1);
FieldElement t4 = field.Add(X2,Y2);
t3 = field.Multiply(t3,t4);
t4 = field.Add(t0,t1);
t3 = field.Subtract(t3,t4);
t4 = field.Add(X1,Z1);
FieldElement t5 = field.Add(X2,Z2);
t4 = field.Multiply(t4,t5);
t5 = field.Add(t0,t2);
t4 = field.Subtract(t4,t5);
t5 = field.Add(Y1,Z1);
X3 = field.Add(Y2,Z2);
t5 = field.Multiply(t5,X3);
X3 = field.Add(t1,t2);
t5 = field.Subtract(t5,X3);
Z3 = field.Multiply(a,t4);
X3 = field.Multiply(b3,t2);
Z3 = field.Add(X3,Z3);
X3 = field.Subtract(t1,Z3);
Z3 = field.Add(t1,Z3);
Y3 = field.Multiply(X3,Z3);
t1 = field.Add(t0,t0);
t1 = field.Add(t1,t0);
t2 = field.Multiply(a,t2);
t4 = field.Multiply(b3,t4);
t1 = field.Add(t1,t2);
t2 = field.Subtract(t0,t2);
t2 = field.Multiply(a,t2);
t4 = field.Add(t4,t2);
t0 = field.Multiply(t1,t4);
Y3 = field.Add(Y3,t0);
t0 = field.Multiply(t5,t4);
X3 = field.Multiply(t3,X3);
X3 = field.Subtract(X3,t0);
t0 = field.Multiply(t3,t1);
Z3 = field.Multiply(t5,Z3);
Z3 = field.Add(Z3,t0);
const FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
// More gyrations
R.x = X3*Z3.NotZero();
R.y = Y3*Z3.NotZero();
R.identity = Z3.IsZero();
return R;
}
else // A_Montgomery
{
const ECP::Field& field = m_ecp.GetField();
const FieldElement& a = m_ecp.m_a;
ECP::Point& R = m_ecp.m_R, S = m_ecp.m_R;
// More gyrations
bool return_Q = P.identity;
bool return_P = Q.identity;
bool double_P = field.Equal(P.x, Q.x) && field.Equal(P.y, Q.y);
bool identity = field.Equal(P.x, Q.x) && !field.Equal(P.y, Q.y);
// This code taken from Double(P)
identity |= (double_P * (P.identity | (P.y==field.Identity())));
if (double_P)
{
// This code taken from Double(P)
FieldElement t = field.Square(P.x);
t = field.Add(field.Add(field.Double(t), t), a);
t = field.Divide(t, field.Double(P.y));
FieldElement x = field.Subtract(field.Subtract(field.Square(t), P.x), P.x);
R.y = field.Subtract(field.Multiply(t, field.Subtract(P.x, x)), P.y);
R.x.swap(x);
}
else
{
// Original Double (P,Q) code
FieldElement t = field.Subtract(Q.y, P.y);
t = field.Divide(t, field.Subtract(Q.x, P.x));
FieldElement x = field.Subtract(field.Subtract(field.Square(t), P.x), Q.x);
R.y = field.Subtract(field.Multiply(t, field.Subtract(P.x, x)), P.y);
R.x.swap(x);
}
// More gyrations
R.x = R.x * IdentityToInteger(!identity);
R.y = R.y * IdentityToInteger(!identity);
R.identity = identity;
if (return_Q)
return (R = S), Q;
else if (return_P)
return (R = S), P;
else
return (S = R), R;
}
}
#undef X
#undef Y
#undef Z
#undef X1
#undef Y1
#undef Z1
#undef X2
#undef Y2
#undef Z2
#undef X3
#undef Y3
#undef Z3
NAMESPACE_END
#endif