elliptic_curve/
weierstrass.rs

Help
1//! Complete projective formulas for prime order elliptic curves as described
2//! in [Renes-Costello-Batina 2015].
3//!
4//! [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
5
6#![allow(clippy::op_ref)]
7
8use ff::Field;
9
10/// Affine point whose coordinates are represented by the given field element.
11pub type AffinePoint<Fe> = (Fe, Fe);
12
13/// Projective point whose coordinates are represented by the given field element.
14pub type ProjectivePoint<Fe> = (Fe, Fe, Fe);
15
16/// Implements the complete addition formula from [Renes-Costello-Batina 2015]
17/// (Algorithm 4).
18///
19/// [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
20#[inline(always)]
21pub fn add<Fe>(
22    (ax, ay, az): ProjectivePoint<Fe>,
23    (bx, by, bz): ProjectivePoint<Fe>,
24    curve_equation_b: Fe,
25) -> ProjectivePoint<Fe>
26where
27    Fe: Field,
28{
29    // The comments after each line indicate which algorithm steps are being
30    // performed.
31    let xx = ax * bx; // 1
32    let yy = ay * by; // 2
33    let zz = az * bz; // 3
34    let xy_pairs = ((ax + ay) * &(bx + by)) - &(xx + &yy); // 4, 5, 6, 7, 8
35    let yz_pairs = ((ay + az) * &(by + bz)) - &(yy + &zz); // 9, 10, 11, 12, 13
36    let xz_pairs = ((ax + az) * &(bx + bz)) - &(xx + &zz); // 14, 15, 16, 17, 18
37
38    let bzz_part = xz_pairs - &(curve_equation_b * &zz); // 19, 20
39    let bzz3_part = bzz_part.double() + &bzz_part; // 21, 22
40    let yy_m_bzz3 = yy - &bzz3_part; // 23
41    let yy_p_bzz3 = yy + &bzz3_part; // 24
42
43    let zz3 = zz.double() + &zz; // 26, 27
44    let bxz_part = (curve_equation_b * &xz_pairs) - &(zz3 + &xx); // 25, 28, 29
45    let bxz3_part = bxz_part.double() + &bxz_part; // 30, 31
46    let xx3_m_zz3 = xx.double() + &xx - &zz3; // 32, 33, 34
47
48    (
49        (yy_p_bzz3 * &xy_pairs) - &(yz_pairs * &bxz3_part), // 35, 39, 40
50        (yy_p_bzz3 * &yy_m_bzz3) + &(xx3_m_zz3 * &bxz3_part), // 36, 37, 38
51        (yy_m_bzz3 * &yz_pairs) + &(xy_pairs * &xx3_m_zz3), // 41, 42, 43
52    )
53}
54
55/// Implements the complete mixed addition formula from
56/// [Renes-Costello-Batina 2015] (Algorithm 5).
57///
58/// [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
59#[inline(always)]
60pub fn add_mixed<Fe>(
61    (ax, ay, az): ProjectivePoint<Fe>,
62    (bx, by): AffinePoint<Fe>,
63    curve_equation_b: Fe,
64) -> ProjectivePoint<Fe>
65where
66    Fe: Field,
67{
68    // The comments after each line indicate which algorithm steps are being
69    // performed.
70    let xx = ax * &bx; // 1
71    let yy = ay * &by; // 2
72    let xy_pairs = ((ax + &ay) * &(bx + &by)) - &(xx + &yy); // 3, 4, 5, 6, 7
73    let yz_pairs = (by * &az) + &ay; // 8, 9 (t4)
74    let xz_pairs = (bx * &az) + &ax; // 10, 11 (y3)
75
76    let bz_part = xz_pairs - &(curve_equation_b * &az); // 12, 13
77    let bz3_part = bz_part.double() + &bz_part; // 14, 15
78    let yy_m_bzz3 = yy - &bz3_part; // 16
79    let yy_p_bzz3 = yy + &bz3_part; // 17
80
81    let z3 = az.double() + &az; // 19, 20
82    let bxz_part = (curve_equation_b * &xz_pairs) - &(z3 + &xx); // 18, 21, 22
83    let bxz3_part = bxz_part.double() + &bxz_part; // 23, 24
84    let xx3_m_zz3 = xx.double() + &xx - &z3; // 25, 26, 27
85
86    (
87        (yy_p_bzz3 * &xy_pairs) - &(yz_pairs * &bxz3_part), // 28, 32, 33
88        (yy_p_bzz3 * &yy_m_bzz3) + &(xx3_m_zz3 * &bxz3_part), // 29, 30, 31
89        (yy_m_bzz3 * &yz_pairs) + &(xy_pairs * &xx3_m_zz3), // 34, 35, 36
90    )
91}
92
93/// Implements the exception-free point doubling formula from
94/// [Renes-Costello-Batina 2015] (Algorithm 6).
95///
96/// [Renes-Costello-Batina 2015]: https://eprint.iacr.org/2015/1060
97#[inline(always)]
98pub fn double<Fe>((x, y, z): ProjectivePoint<Fe>, curve_equation_b: Fe) -> ProjectivePoint<Fe>
99where
100    Fe: Field,
101{
102    // The comments after each line indicate which algorithm steps are being
103    // performed.
104    let xx = x.square(); // 1
105    let yy = y.square(); // 2
106    let zz = z.square(); // 3
107    let xy2 = (x * &y).double(); // 4, 5
108    let xz2 = (x * &z).double(); // 6, 7
109
110    let bzz_part = (curve_equation_b * &zz) - &xz2; // 8, 9
111    let bzz3_part = bzz_part.double() + &bzz_part; // 10, 11
112    let yy_m_bzz3 = yy - &bzz3_part; // 12
113    let yy_p_bzz3 = yy + &bzz3_part; // 13
114    let y_frag = yy_p_bzz3 * &yy_m_bzz3; // 14
115    let x_frag = yy_m_bzz3 * &xy2; // 15
116
117    let zz3 = zz.double() + &zz; // 16, 17
118    let bxz2_part = (curve_equation_b * &xz2) - &(zz3 + &xx); // 18, 19, 20
119    let bxz6_part = bxz2_part.double() + &bxz2_part; // 21, 22
120    let xx3_m_zz3 = xx.double() + &xx - &zz3; // 23, 24, 25
121
122    let dy = y_frag + &(xx3_m_zz3 * &bxz6_part); // 26, 27
123    let yz2 = (y * &z).double(); // 28, 29
124    let dx = x_frag - &(bxz6_part * &yz2); // 30, 31
125    let dz = (yz2 * &yy).double().double(); // 32, 33, 34
126
127    (dx, dy, dz)
128}
elliptic_curve/weierstrass.rs

elliptic_curve/
weierstrass.rs
