Merge pull request #693 from Gorachya/master

Tests passed

crypto/sm9/sm9_lcl.h

@@ -151,6 +151,7 @@ const BIGNUM *SM9_get0_order(void);
 const BIGNUM *SM9_get0_order_minus_one(void);
 const BIGNUM *SM9_get0_loop_count(void);
 const BIGNUM *SM9_get0_final_exponent(void);
+const BIGNUM *SM9_get0_fast_final_exponent(void);
 const BIGNUM *SM9_get0_generator2_x0(void);
 const BIGNUM *SM9_get0_generator2_x1(void);
 const BIGNUM *SM9_get0_generator2_y0(void);

crypto/sm9/sm9_params.c

@@ -62,6 +62,7 @@
 #define BN_SM9_BN256_TOP (256+BN_BITS2-1)/BN_BITS2
 #define BN_SM9_LOOP_TOP (66+BN_BITS2-1)/BN_BITS2
 #define BN_SM9_FINAL_EXPO_TOP (2816+BN_BITS2-1)/BN_BITS2
+#define BN_SM9_FAST_FINAL_EXPO_P3_TOP (768+BN_BITS2-1)/BN_BITS2
 
 #if BN_BITS2 == 64
 static const BN_ULONG _sm9bn256v1_prime[BN_SM9_BN256_TOP] = {
@@ -122,6 +123,15 @@ static const BN_ULONG _sm9bn256v1_final_expo[BN_SM9_FINAL_EXPO_TOP] = {
 	0x1A09A6AE43ADE454ULL, 0x061835E8B1259499ULL,
 };
 
+static const BN_ULONG _sm9bn256v1_fast_final_expo_p3[BN_SM9_FAST_FINAL_EXPO_P3_TOP] = {
+	0xA9B2ADA593152855ULL, 0x44BF9D0FA74DDFB7ULL,
+	0x83687EE0C6D9188CULL, 0xE0D49DE3AA8A4748ULL,
+	0x0DA3D71BCDB13FE5ULL, 0xA5782C82FDB6B0A1ULL,
+	0x7C0CA02D9B0D8649ULL, 0xBA4CADE09029E471ULL,
+	0xDC53E586930846F1ULL, 0xD62CD8FB7B497A0AULL,
+	0xF12FCAD3B31FE2B0ULL, 0x5C5E452404034E2AULL,
+};
+
 #elif BN_BITS2 == 32
 static const BN_ULONG _sm9bn256v1_prime[BN_SM9_BN256_TOP] = {
 	0xE351457D, 0xE56F9B27, 0x1A7AEEDB, 0x21F2934B,
@@ -181,6 +191,15 @@ static const BN_ULONG _sm9bn256v1_final_expo[BN_SM9_FINAL_EXPO_TOP] = {
 	0x43ADE454, 0x1A09A6AE, 0xB1259499, 0x061835E8,
 };
 
+static const BN_ULONG _sm9bn256v1_fast_final_expo_p3[BN_SM9_FAST_FINAL_EXPO_P3_TOP] = {
+	0x93152855, 0xA9B2ADA5, 0xA74DDFB7, 0x44BF9D0F,
+	0xC6D9188C, 0x83687EE0, 0xAA8A4748, 0xE0D49DE3,
+	0xCDB13FE5, 0x0DA3D71B, 0xFDB6B0A1, 0xA5782C82,
+	0x9B0D8649, 0x7C0CA02D, 0x9029E471, 0xBA4CADE0,
+	0x930846F1, 0xDC53E586, 0x7B497A0A, 0xD62CD8FB,
+	0xB31FE2B0, 0xF12FCAD3, 0x04034E2A, 0x5C5E4524,
+};
+
 #else
 # error "unsupported BN_BITS2"
 #endif
@@ -225,6 +244,14 @@ static const BIGNUM _bignum_sm9bn256v1_final_expo = {
 	BN_FLG_STATIC_DATA
 };
 
+static const BIGNUM _bignum_sm9bn256v1_fast_final_expo_p3 = {
+	(BN_ULONG *)_sm9bn256v1_fast_final_expo_p3,
+	BN_SM9_FAST_FINAL_EXPO_P3_TOP,
+	BN_SM9_FAST_FINAL_EXPO_P3_TOP,
+	0,
+	BN_FLG_STATIC_DATA
+};
+
 static const BIGNUM _bignum_sm9bn256v1_x20 = {
 	(BN_ULONG *)_sm9bn256v1_x2[0],
 	BN_SM9_BN256_TOP,
@@ -301,3 +328,8 @@ const BIGNUM *SM9_get0_final_exponent(void)
 {
 	return &_bignum_sm9bn256v1_final_expo;
 }
+
+const BIGNUM *SM9_get0_fast_final_exponent(void)
+{
+	return &_bignum_sm9bn256v1_fast_final_expo_p3;
+}

crypto/sm9/sm9_rate.c

@@ -2397,7 +2397,7 @@ static int final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGNUM *p
 
 static int fast_final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGNUM *p, BN_CTX *ctx)
 {
-	// (p^4-p^2+1)/n will be directly used to finish the 3rd step with k unused here.
+	// (p^4-p^2+1)/n is k
 	int i, n;
 	fp12_t t;
 	fp12_t t0;
@@ -2427,7 +2427,7 @@ static int fast_final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGN
 	if (!fp12_mul(t, t0, t, p, ctx)) { // t = t0 * t = a ^ (p^6-1) = a1
 		return 0;
 	}
-	
+
 	// second step: a = a ^ (p^2+1)
 	if (!fp12_copy(t0, t)) { // t0 = t = a1
 		return 0;
@@ -2461,32 +2461,24 @@ static int fast_final_expo(fp12_t r, const fp12_t a, const BIGNUM *k, const BIGN
 	if (!fp12_mul(t, t0, t, p, ctx)) { // t = t0 * t = a ^ (p^2+1) = a2
 		return 0;
 	}
-	
+
 	// third step: a = a ^ [(p^4-p^2+1)/n]
-	BIGNUM *x = BN_new();
-	BN_init(x);
-	
-	// this is (p^4-p^2+1)/n
-	const char *power_p3 = 	"56016940484435473570363458812714626596371"
-							"56263396225483794771796879929232299116963"
-							"85989797265808925975765890463898744492959"
-							"90589989684454491684765426953541105430217"
-							"12895268418170653274635803649243300415902"
-							"97941432449745271567755349";
-	if (!BN_dec2bn(&x, power_p3)){
+
+	if (!fp12_copy(t0, t)) {
 		return 0;
 	}
-	n = BN_num_bits(x);
+
+	n = BN_num_bits(k);
 	for (i = n - 2; i >= 0; i--) {
 		if (!fp12_sqr(t, t, p, ctx)) {
 			return 0;
 		}
-		if (BN_is_bit_set(x, i)) {
-			if (!fp12_mul(t, t, a, p, ctx)) {
+		if (BN_is_bit_set(k, i)) {
+			if (!fp12_mul(t, t, t0, p, ctx)) {
 				return 0;
 			}
 		}
-	}	
+	}
 	fp12_copy(r, t);
 	return 1;
 }
@@ -2571,7 +2563,7 @@ static int rate(fp12_t f, const point_t *Q, const BIGNUM *xP, const BIGNUM *yP,
 	point_add(&T, &T, &Q2, p, ctx);
 
 	/* f = f^((p^12 - 1)/n) */
-#ifndef SM9_FAST
+#ifdef NOSM9_FAST
 	final_expo(f, f, k, p, ctx);
 #else
 	fast_final_expo(f, f, k, p, ctx); // (p^6-1) * (p^2+1) * [(p^4-p^2+1)/n]
@@ -2610,8 +2602,11 @@ int rate_pairing(fp12_t r, const point_t *Q, const EC_POINT *P, BN_CTX *ctx)
 	group = EC_GROUP_new_by_curve_name(NID_sm9bn256v1);
 	p = SM9_get0_prime();
 	a = SM9_get0_loop_count();
+#ifdef NOSM9_FAST
 	k = SM9_get0_final_exponent();
-
+#else
+	k = SM9_get0_fast_final_exponent();
+#endif
 	xP = BN_CTX_get(ctx);
 	yP = BN_CTX_get(ctx);