moreupdate

crypto/sm9/sm9_lcl.h

@@ -151,7 +151,11 @@ const BIGNUM *SM9_get0_order(void);
 const BIGNUM *SM9_get0_order_minus_one(void);
 const BIGNUM *SM9_get0_loop_count(void);
 const BIGNUM *SM9_get0_final_exponent(void);
-const BIGNUM *SM9_get0_fast_final_exponent(void);
+const BIGNUM *SM9_get0_fast_final_exponent_p20(void);
+const BIGNUM *SM9_get0_fast_final_exponent_p21(void);
+const BIGNUM *SM9_get0_fast_final_exponent_p22(void);
+const BIGNUM *SM9_get0_fast_final_exponent_p23(void);
+const BIGNUM *SM9_get0_fast_final_exponent_p3(void);
 const BIGNUM *SM9_get0_generator2_x0(void);
 const BIGNUM *SM9_get0_generator2_x1(void);
 const BIGNUM *SM9_get0_generator2_y0(void);

crypto/sm9/sm9_params.c

@@ -62,6 +62,7 @@
 #define BN_SM9_BN256_TOP (256+BN_BITS2-1)/BN_BITS2
 #define BN_SM9_LOOP_TOP (66+BN_BITS2-1)/BN_BITS2
 #define BN_SM9_FINAL_EXPO_TOP (2816+BN_BITS2-1)/BN_BITS2
+#define BN_SM9_FAST_FINAL_EXPO_P2_TOP (256+BN_BITS2-1)/BN_BITS2
 #define BN_SM9_FAST_FINAL_EXPO_P3_TOP (768+BN_BITS2-1)/BN_BITS2
 
 #if BN_BITS2 == 64
@@ -123,6 +124,17 @@ static const BN_ULONG _sm9bn256v1_final_expo[BN_SM9_FINAL_EXPO_TOP] = {
 	0x1A09A6AE43ADE454ULL, 0x061835E8B1259499ULL,
 };
 
+static const BN_ULONG _sm9bn256v1_fast_final_expo_p2[][BN_SM9_FAST_FINAL_EXPO_P2_TOP] = {
+	{0xD5FC11967BE65334ULL, 0x780272354F8B78F4ULL,
+	 0xF300000002A3A6F2ULL},
+	{0x0F738991676AF249ULL, 0xA9F02115CAEF75E7ULL,
+	 0xE303AB4FF2EB2052ULL, 0xB640000002A3A6F0ULL},
+	{0xD5FC11967BE65333ULL, 0x780272354F8B78F4ULL,
+	 0xF300000002A3A6F2ULL},
+	{0x0F738991676AF24AULL, 0xA9F02115CAEF75E7ULL,
+	 0xE303AB4FF2EB2052ULL, 0xB640000002A3A6F0ULL}
+};
+
 static const BN_ULONG _sm9bn256v1_fast_final_expo_p3[BN_SM9_FAST_FINAL_EXPO_P3_TOP] = {
 	0xA9B2ADA593152855ULL, 0x44BF9D0FA74DDFB7ULL,
 	0x83687EE0C6D9188CULL, 0xE0D49DE3AA8A4748ULL,
@@ -191,6 +203,17 @@ static const BN_ULONG _sm9bn256v1_final_expo[BN_SM9_FINAL_EXPO_TOP] = {
 	0x43ADE454, 0x1A09A6AE, 0xB1259499, 0x061835E8,
 };
 
+static const BN_ULONG _sm9bn256v1_fast_final_expo_p2[][BN_SM9_FAST_FINAL_EXPO_P2_TOP] = {
+	{0x7BE65334, 0xD5FC1196, 0x4F8B78F4, 0x78027235,
+	 0x02A3A6F2, 0xF3000000},
+	{0x676AF249, 0x0F738991, 0xCAEF75E7, 0xA9F02115,
+	 0xF2EB2052, 0xE303AB4F, 0x02A3A6F0, 0xB6400000},
+	{0x7BE65333, 0xD5FC1196, 0x4F8B78F4, 0x78027235,
+	 0x02A3A6F2, 0xF3000000},
+	{0x676AF24A, 0x0F738991, 0xCAEF75E7, 0xA9F02115,
+	 0xF2EB2052, 0xE303AB4F, 0x02A3A6F0, 0xB6400000}
+};
+
 static const BN_ULONG _sm9bn256v1_fast_final_expo_p3[BN_SM9_FAST_FINAL_EXPO_P3_TOP] = {
 	0x93152855, 0xA9B2ADA5, 0xA74DDFB7, 0x44BF9D0F,
 	0xC6D9188C, 0x83687EE0, 0xAA8A4748, 0xE0D49DE3,
@@ -244,6 +267,38 @@ static const BIGNUM _bignum_sm9bn256v1_final_expo = {
 	BN_FLG_STATIC_DATA
 };
 
+static const BIGNUM _bignum_sm9bn256v1_fast_final_expo_p20 = {
+	(BN_ULONG *)_sm9bn256v1_fast_final_expo_p2[0],
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	0,
+	BN_FLG_STATIC_DATA
+};
+
+static const BIGNUM _bignum_sm9bn256v1_fast_final_expo_p21 = {
+	(BN_ULONG *)_sm9bn256v1_fast_final_expo_p2[1],
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	0,
+	BN_FLG_STATIC_DATA
+};
+
+static const BIGNUM _bignum_sm9bn256v1_fast_final_expo_p22 = {
+	(BN_ULONG *)_sm9bn256v1_fast_final_expo_p2[2],
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	0,
+	BN_FLG_STATIC_DATA
+};
+
+static const BIGNUM _bignum_sm9bn256v1_fast_final_expo_p23 = {
+	(BN_ULONG *)_sm9bn256v1_fast_final_expo_p2[3],
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	BN_SM9_FAST_FINAL_EXPO_P2_TOP,
+	0,
+	BN_FLG_STATIC_DATA
+};
+
 static const BIGNUM _bignum_sm9bn256v1_fast_final_expo_p3 = {
 	(BN_ULONG *)_sm9bn256v1_fast_final_expo_p3,
 	BN_SM9_FAST_FINAL_EXPO_P3_TOP,
@@ -329,7 +384,27 @@ const BIGNUM *SM9_get0_final_exponent(void)
 	return &_bignum_sm9bn256v1_final_expo;
 }
 
-const BIGNUM *SM9_get0_fast_final_exponent(void)
+const BIGNUM *SM9_get0_fast_final_exponent_p20(void)
+{
+	return &_bignum_sm9bn256v1_fast_final_expo_p20;
+}
+
+const BIGNUM *SM9_get0_fast_final_exponent_p21(void)
+{
+	return &_bignum_sm9bn256v1_fast_final_expo_p21;
+}
+
+const BIGNUM *SM9_get0_fast_final_exponent_p22(void)
+{
+	return &_bignum_sm9bn256v1_fast_final_expo_p22;
+}
+
+const BIGNUM *SM9_get0_fast_final_exponent_p23(void)
+{
+	return &_bignum_sm9bn256v1_fast_final_expo_p23;
+}
+
+const BIGNUM *SM9_get0_fast_final_exponent_p3(void)
 {
 	return &_bignum_sm9bn256v1_fast_final_expo_p3;
 }

crypto/sm9/sm9_rate.c

@@ -293,6 +293,27 @@ static int fp2_mul_u(fp2_t r, const fp2_t a, const fp2_t b, const BIGNUM *p, BN_
 	return 1;
 }
 
+static int fp2_mul_num(fp2_t r, const fp2_t a, const BIGNUM *n, const BIGNUM *p, BN_CTX *ctx)
+{
+	BIGNUM *r0 = NULL;
+	BIGNUM *r1 = NULL;
+	if (!(r0 = BN_CTX_get(ctx))
+		|| !(r1 = BN_CTX_get(ctx))
+		
+		|| !BN_mod_mul(r0, a[0], n, p, ctx)
+		|| !BN_mod_mul(r1, a[1], n, p, ctx)
+
+		|| !BN_copy(r[0], r0)
+		|| !BN_copy(r[1], r1)) {
+		BN_free(r0);
+		BN_free(r1);
+		return 0;
+	}
+	BN_free(r0);
+	BN_free(r1);
+	return 1;
+}
+
 static int fp2_sqr(fp2_t r, const fp2_t a, const BIGNUM *p, BN_CTX *ctx)
 {
 	BIGNUM *r0 = NULL;
@@ -1425,6 +1446,39 @@ int fp12_pow(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGNUM *p, BN_CTX
 	return 1;
 }
 
+static int fp12_fast_expo_p1(fp12_t r, const fp12_t a, const BIGNUM *p, BN_CTX *ctx)
+{
+	return fp2_copy(r[0][0], a[0][0])
+		&& fp2_neg (r[0][1], a[0][1], p, ctx)
+		&& fp2_neg (r[1][0], a[1][0], p, ctx)
+		&& fp2_copy(r[1][1], a[1][1])
+		&& fp2_copy(r[2][0], a[2][0])
+		&& fp2_neg (r[2][1], a[2][1], p, ctx);
+}
+
+static int fp12_fast_expo_p2(fp12_t r, const fp12_t a, const BIGNUM *p, BN_CTX *ctx)
+{
+	const BIGNUM *pw20;
+	const BIGNUM *pw21;
+	const BIGNUM *pw22;
+	const BIGNUM *pw23;
+	pw20 = SM9_get0_fast_final_exponent_p20();
+	pw21 = SM9_get0_fast_final_exponent_p21();
+	pw22 = SM9_get0_fast_final_exponent_p22();
+	pw23 = SM9_get0_fast_final_exponent_p23();
+	
+	if(!fp2_copy(r[0][0], a[0][0])
+		|| !fp2_neg (r[0][1], a[0][1], p, ctx)
+		|| !fp2_mul_num(r[1][0], a[1][0], pw20, p, ctx)
+		|| !fp2_mul_num(r[1][1], a[1][1], pw21, p, ctx)
+		|| !fp2_mul_num(r[2][0], a[2][0], pw22, p, ctx)
+		|| !fp2_mul_num(r[2][1], a[2][1], pw23, p, ctx)) {
+			
+		return 0;
+	}
+	return 1;
+}
+
 static int fp12_test(const BIGNUM *p, BN_CTX *ctx)
 {
 	const char *_a[] = {
@@ -2397,7 +2451,6 @@ static int final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGNUM *p
 
 static int fast_final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGNUM *p, BN_CTX *ctx)
 {
-	// (p^4-p^2+1)/n is k
 	int i, n;
 	fp12_t t;
 	fp12_t t0;
@@ -2412,57 +2465,27 @@ static int fast_final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGN
 		return 0;
 	}
 
-	// first step: a1 = a ^ (p^6-1)
-	if (!fp12_inv(t0, t, p, ctx)) { // t0 = a ^ (-1)
+	if (!fp12_inv(t0, t, p, ctx)) {
 		return 0;
 	}
-	if (!BN_sub(t[0][1][0], p, t[0][1][0])
-		|| !BN_sub(t[0][1][1], p, t[0][1][1])
-		|| !BN_sub(t[1][0][0], p, t[1][0][0])
-		|| !BN_sub(t[1][0][1], p, t[1][0][1])
-		|| !BN_sub(t[2][1][0], p, t[2][1][0])
-		|| !BN_sub(t[2][1][1], p, t[2][1][1])) { // t = a ^ (p^6)
+	if (!fp12_fast_expo_p1(t, t, p, ctx)) {
 		return 0;
 	}
-	if (!fp12_mul(t, t0, t, p, ctx)) { // t = t0 * t = a ^ (p^6-1) = a1
+	if (!fp12_mul(t, t0, t, p, ctx)) {
 		return 0;
 	}
 
-	// second step: a = a ^ (p^2+1)
-	if (!fp12_copy(t0, t)) { // t0 = t = a1
+	if (!fp12_copy(t0, t)) {
 		return 0;
 	}
-	const char *power_p2[] = {
-		"5958342662901643427453578939755302545063035311436308304692", 
-        "82434016654578246438872420442344325702149582327179867092849556861979152020041", 
-        "5958342662901643427453578939755302545063035311436308304691", 
-        "82434016654578246438872420442344325702149582327179867092849556861979152020042"};
-    BIGNUM *par[4];
-	for(i=0;i<4;++i) {
-		par[i] = BN_new();
-		BN_init(par[i]);
-		if(!BN_dec2bn(&par[i], power_p2[i])){
-			return 0;
-		}
+		
+	if(!fp12_fast_expo_p2(t, t, p, ctx)){
+		return 0;
 	}
 	
-	if (!BN_sub(t[0][1][0], p, t[0][1][0])
-		|| !BN_sub(t[0][1][1], p, t[0][1][1])
-		|| !BN_mod_mul(t[1][0][0], t[1][0][0], par[0], p, ctx)
-		|| !BN_mod_mul(t[1][0][1], t[1][0][1], par[0], p, ctx)
-		|| !BN_mod_mul(t[1][1][0], t[1][1][0], par[1], p, ctx)
-		|| !BN_mod_mul(t[1][1][1], t[1][1][1], par[1], p, ctx)
-		|| !BN_mod_mul(t[2][0][0], t[2][0][0], par[2], p, ctx)
-		|| !BN_mod_mul(t[2][0][1], t[2][0][1], par[2], p, ctx)
-		|| !BN_mod_mul(t[2][1][0], t[2][1][0], par[3], p, ctx)
-		|| !BN_mod_mul(t[2][1][1], t[2][1][1], par[3], p, ctx)) { // t = a1 ^ (p^2)
+	if (!fp12_mul(t, t0, t, p, ctx)) {
 		return 0;
 	}
-	if (!fp12_mul(t, t0, t, p, ctx)) { // t = t0 * t = a ^ (p^2+1) = a2
-		return 0;
-	}
-
-	// third step: a = a ^ [(p^4-p^2+1)/n]
 
 	if (!fp12_copy(t0, t)) {
 		return 0;
@@ -2562,11 +2585,12 @@ static int rate(fp12_t f, const point_t *Q, const BIGNUM *xP, const BIGNUM *yP,
 	/* T = T - Q2 */	
 	point_add(&T, &T, &Q2, p, ctx);
 
-	/* f = f^((p^12 - 1)/n) */
 #ifdef NOSM9_FAST
+	/* f = f^((p^12 - 1)/n) */
 	final_expo(f, f, k, p, ctx);
 #else
-	fast_final_expo(f, f, k, p, ctx); // (p^6-1) * (p^2+1) * [(p^4-p^2+1)/n]
+	/* f = ((f ^ (p^6-1)) ^ (p^2+1)) ^ [(p^4-p^2+1)/n] */
+	fast_final_expo(f, f, k, p, ctx);
 #endif
 
 	point_cleanup(&T);
@@ -2605,7 +2629,7 @@ int rate_pairing(fp12_t r, const point_t *Q, const EC_POINT *P, BN_CTX *ctx)
 #ifdef NOSM9_FAST
 	k = SM9_get0_final_exponent();
 #else
-	k = SM9_get0_fast_final_exponent();
+	k = SM9_get0_fast_final_exponent_p3();
 #endif
 	xP = BN_CTX_get(ctx);
 	yP = BN_CTX_get(ctx);