src/curves/aff_pt_edwards.c

*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans *  Copyright (C) 2021 - This file is part of libecc project
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans *  Authors:
*f0865ec9SKyle Evans *      Ryad BENADJILA <ryadbenadjila@gmail.com>
*f0865ec9SKyle Evans *      Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr>
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans *  This software is licensed under a dual BSD and GPL v2 license.
*f0865ec9SKyle Evans *  See LICENSE file at the root folder of the project.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evans#include <libecc/curves/aff_pt.h>
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/* NOTE: Edwards here implies Twisted Edwards curves
*f0865ec9SKyle Evans * (these in fact include/extend basic form Edwards curves).
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans#define AFF_PT_EDWARDS_MAGIC ((word_t)(0x8390a9bc43d9ffabULL))
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/* Verify that an affine point has already been initialized
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_check_initialized(aff_pt_edwards_src_t in)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE(((in != NULL) && (in->magic == AFF_PT_EDWARDS_MAGIC)), ret, err);
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(in->crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Initialize pointed aff_pt_edwards structure to make it usable by library
*f0865ec9SKyle Evans * function on given curve.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_init(aff_pt_edwards_t in, ec_edwards_crv_src_t curve)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((in != NULL), ret, err);
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(curve); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&(in->x), curve->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&(in->y), curve->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	in->crv = curve;
*f0865ec9SKyle Evans	in->magic = AFF_PT_EDWARDS_MAGIC;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Initialize pointed aff_pt_edwards structure to make it usable by library
*f0865ec9SKyle Evans * function on given curve with explicit coordinates.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_init_from_coords(aff_pt_edwards_t in,
*f0865ec9SKyle Evans			     ec_edwards_crv_src_t curve,
*f0865ec9SKyle Evans			     fp_src_t xcoord, fp_src_t ycoord)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = aff_pt_edwards_init(in, curve); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&(in->x), xcoord); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&(in->y), ycoord);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Uninitialize pointed affine point to prevent further use (magic field
*f0865ec9SKyle Evans * in the structure is zeroized) and zeroize associated storage space.
*f0865ec9SKyle Evans * Note that the curve context pointed to by the point element (passed
*f0865ec9SKyle Evans * during init) is left untouched.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansvoid aff_pt_edwards_uninit(aff_pt_edwards_t in)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	if ((in != NULL) && (in->magic == AFF_PT_EDWARDS_MAGIC) && (in->crv != NULL)) {
*f0865ec9SKyle Evans		fp_uninit(&(in->x));
*f0865ec9SKyle Evans		fp_uninit(&(in->y));
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans		in->crv = NULL;
*f0865ec9SKyle Evans		in->magic = WORD(0);
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * 'on_curve' set to 1 if the point of coordinates (u,v) is on the curve, i.e. if it
*f0865ec9SKyle Evans * verifies curve equation a*x^2 + y^2 = 1 + d*x^2*y^2. It is set to 0 otherwise.
*f0865ec9SKyle Evans * 'on_curve' is not meaningful on error.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint is_on_edwards_curve(fp_src_t x, fp_src_t y,
*f0865ec9SKyle Evans			ec_edwards_crv_src_t curve,
*f0865ec9SKyle Evans			int *on_curve)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	fp x2, y2, tmp1, tmp2;
*f0865ec9SKyle Evans	int ret, cmp;
*f0865ec9SKyle Evans	x2.magic = y2.magic = tmp1.magic = tmp2.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((on_curve != NULL), ret, err);
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(curve); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_check_initialized(x); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_check_initialized(y); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((x->ctx == y->ctx), ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((x->ctx == curve->a.ctx), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&x2, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sqr(&x2, x); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&y2, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sqr(&y2, y); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&tmp1, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tmp2, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_mul(&tmp1, &x2, &y2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&tmp1, &tmp1, &(curve->d)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inc(&tmp1, &tmp1); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_mul(&tmp2, &x2, &(curve->a)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_add(&tmp2, &tmp2, &y2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_cmp(&tmp1, &tmp2, &cmp);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	if (!ret) {
*f0865ec9SKyle Evans		(*on_curve) = (!cmp);
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&x2);
*f0865ec9SKyle Evans	fp_uninit(&y2);
*f0865ec9SKyle Evans	fp_uninit(&tmp1);
*f0865ec9SKyle Evans	fp_uninit(&tmp2);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Checks if affine coordinates point is on an Edwards curve. 'on_curve' is set
*f0865ec9SKyle Evans * to 1 if yes, 0 if no. 'on_curve' is not meaningful in case of error.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_is_on_curve(aff_pt_edwards_src_t pt, int *on_curve)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = aff_pt_edwards_check_initialized(pt); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = is_on_edwards_curve(&(pt->x), &(pt->y), pt->crv, on_curve);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Copy an Edwards affine point in an output. The output is initialized properly.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint ec_edwards_aff_copy(aff_pt_edwards_t out, aff_pt_edwards_src_t in)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = aff_pt_edwards_check_initialized(in); EG(ret, err);
*f0865ec9SKyle Evans	ret = aff_pt_edwards_init(out, in->crv); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_copy(&(out->x), &(in->x)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&(out->y), &(in->y));
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Compares two given affine points on an Edwards curve, it returns 0 in input
*f0865ec9SKyle Evans * 'cmp' if they correspond or not 0 if not. 'cmp' is not meaningful on error.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint ec_edwards_aff_cmp(aff_pt_edwards_src_t in1, aff_pt_edwards_src_t in2,
*f0865ec9SKyle Evans		       int *cmp)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret, cmp1, cmp2;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((cmp != NULL), ret, err);
*f0865ec9SKyle Evans	ret = aff_pt_edwards_check_initialized(in1); EG(ret, err);
*f0865ec9SKyle Evans	ret = aff_pt_edwards_check_initialized(in2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((in1->crv == in2->crv), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_cmp(&(in1->x), &(in2->x), &cmp1); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_cmp(&(in1->y), &(in2->y), &cmp2);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	if (!ret) {
*f0865ec9SKyle Evans		(*cmp) = (cmp1 | cmp2);
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Import an Edwards affine point from a buffer with the following layout; the 2
*f0865ec9SKyle Evans * coordinates (elements of Fp) are each encoded on p_len bytes, where p_len
*f0865ec9SKyle Evans * is the size of p in bytes (e.g. 66 for a prime p of 521 bits). Each
*f0865ec9SKyle Evans * coordinate is encoded in big endian. Size of buffer must exactly match
*f0865ec9SKyle Evans * 2 * p_len.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_import_from_buf(aff_pt_edwards_t pt,
*f0865ec9SKyle Evans				   const u8 *pt_buf,
*f0865ec9SKyle Evans				   u16 pt_buf_len, ec_edwards_crv_src_t crv)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	fp_ctx_src_t ctx;
*f0865ec9SKyle Evans	u16 coord_len;
*f0865ec9SKyle Evans	int ret, on_curve;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(crv); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE(((pt_buf != NULL) && (pt != NULL)), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ctx = crv->a.ctx;
*f0865ec9SKyle Evans	coord_len = (u16)BYTECEIL(ctx->p_bitlen);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((pt_buf_len == (2 * coord_len)), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init_from_buf(&(pt->x), ctx, pt_buf, coord_len); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init_from_buf(&(pt->y), ctx, pt_buf + coord_len, coord_len); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Set the curve */
*f0865ec9SKyle Evans	pt->crv = crv;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Mark the point as initialized */
*f0865ec9SKyle Evans	pt->magic = AFF_PT_EDWARDS_MAGIC;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Check that the point is indeed on the provided curve, uninitialize it
*f0865ec9SKyle Evans	 * if this is not the case.
*f0865ec9SKyle Evans	 */
*f0865ec9SKyle Evans	ret = aff_pt_edwards_is_on_curve(pt, &on_curve); EG(ret, err);
*f0865ec9SKyle Evans	if (!on_curve) {
*f0865ec9SKyle Evans		aff_pt_edwards_uninit(pt);
*f0865ec9SKyle Evans		ret = -1;
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/* Export an Edwards affine point to a buffer with the following layout; the 2
*f0865ec9SKyle Evans * coordinates (elements of Fp) are each encoded on p_len bytes, where p_len
*f0865ec9SKyle Evans * is the size of p in bytes (e.g. 66 for a prime p of 521 bits). Each
*f0865ec9SKyle Evans * coordinate is encoded in big endian. Size of buffer must exactly match
*f0865ec9SKyle Evans * 2 * p_len.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_export_to_buf(aff_pt_edwards_src_t pt,
*f0865ec9SKyle Evans				 u8 *pt_buf, u32 pt_buf_len)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	fp_ctx_src_t ctx;
*f0865ec9SKyle Evans	u16 coord_len;
*f0865ec9SKyle Evans	int ret, on_curve;
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = aff_pt_edwards_check_initialized(pt); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((pt_buf != NULL), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* The point to be exported must be on the curve */
*f0865ec9SKyle Evans	ret = aff_pt_edwards_is_on_curve(pt, &on_curve); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE(on_curve, ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ctx = pt->crv->a.ctx;
*f0865ec9SKyle Evans	coord_len = (u16)BYTECEIL(ctx->p_bitlen);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	MUST_HAVE((pt_buf_len == (2 * coord_len)), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Export the three coordinates */
*f0865ec9SKyle Evans	ret = fp_export_to_buf(pt_buf, coord_len, &(pt->x)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_export_to_buf(pt_buf + coord_len, coord_len, &(pt->y));
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Mapping curves from twisted Edwards to Montgomery.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans *  E{a, d} is mapped to M{A, B} using the formula:
*f0865ec9SKyle Evans *    A = 2(a+d)/(a-d)
*f0865ec9SKyle Evans *    B = 4/((a-d) * alpha^2)
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint curve_edwards_to_montgomery(ec_edwards_crv_src_t edwards_crv,
*f0865ec9SKyle Evans				ec_montgomery_crv_t montgomery_crv,
*f0865ec9SKyle Evans				fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	fp tmp1, tmp2, A, B;
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans	tmp1.magic = tmp2.magic = A.magic = B.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(edwards_crv); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_check_initialized(alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((edwards_crv->a.ctx == alpha_edwards->ctx), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&tmp1, edwards_crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tmp2, edwards_crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&A, edwards_crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&B, edwards_crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Compute Z = (alpha ^ 2) et T = 2 / ((a-d) * Z)
*f0865ec9SKyle Evans	 * and then:
*f0865ec9SKyle Evans	 *   A = 2(a+d)/(a-d) = Z * (a + d) * T
*f0865ec9SKyle Evans	 *   B = 4/((a-d) * alpha^2) = 2 * T
*f0865ec9SKyle Evans	 */
*f0865ec9SKyle Evans	ret = fp_sqr(&tmp1, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(&tmp2, &(edwards_crv->a), &(edwards_crv->d)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&tmp2, &tmp2, &tmp1); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inv(&tmp2, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_set_word_value(&B, WORD(2)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&tmp2, &tmp2, &B); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_add(&A, &(edwards_crv->a), &(edwards_crv->d)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&A, &A, &tmp1); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&A, &A, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&B, &B, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Initialize our Montgomery curve */
*f0865ec9SKyle Evans	ret = ec_montgomery_crv_init(montgomery_crv, &A, &B, &(edwards_crv->order));
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&tmp1);
*f0865ec9SKyle Evans	fp_uninit(&tmp2);
*f0865ec9SKyle Evans	fp_uninit(&A);
*f0865ec9SKyle Evans	fp_uninit(&B);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Checks that an Edwards curve and Montgomery curve are compatible.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint curve_edwards_montgomery_check(ec_edwards_crv_src_t e_crv,
*f0865ec9SKyle Evans				   ec_montgomery_crv_src_t m_crv,
*f0865ec9SKyle Evans				   fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret, cmp;
*f0865ec9SKyle Evans	ec_montgomery_crv check;
*f0865ec9SKyle Evans	check.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = ec_montgomery_crv_check_initialized(m_crv); EG(ret, err);
*f0865ec9SKyle Evans	ret = curve_edwards_to_montgomery(e_crv, &check, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Check elements */
*f0865ec9SKyle Evans	MUST_HAVE((!fp_cmp(&(check.A), &(m_crv->A), &cmp)) && (!cmp), ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((!fp_cmp(&(check.B), &(m_crv->B), &cmp)) && (!cmp), ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((!nn_cmp(&(check.order), &(m_crv->order), &cmp)) && (!cmp), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	ec_montgomery_crv_uninit(&check);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Mapping curves from Montgomery to twisted Edwards.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans *  M{A, B} is mapped to E{a, d} using the formula:
*f0865ec9SKyle Evans *    a = (A+2)/(B * alpha^2)
*f0865ec9SKyle Evans *    d = (A-2)/(B * alpha^2)
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans *  Or the inverse (switch a and d roles).
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint curve_montgomery_to_edwards(ec_montgomery_crv_src_t m_crv,
*f0865ec9SKyle Evans				ec_edwards_crv_t e_crv,
*f0865ec9SKyle Evans				fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret, cmp;
*f0865ec9SKyle Evans	fp tmp, tmp2, a, d;
*f0865ec9SKyle Evans	tmp.magic = tmp2.magic = a.magic = d.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = ec_montgomery_crv_check_initialized(m_crv); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_check_initialized(alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((m_crv->A.ctx == alpha_edwards->ctx), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&tmp, m_crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tmp2, m_crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&a, m_crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&d, m_crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_set_word_value(&tmp, WORD(2)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&tmp2, &(m_crv->B), alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&tmp2, &tmp2, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inv(&tmp2, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* a = (A+2)/(B * alpha^2) */
*f0865ec9SKyle Evans	ret = fp_add(&a, &(m_crv->A), &tmp); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&a, &a, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* d = (A-2)/(B * alpha^2) */
*f0865ec9SKyle Evans	ret = fp_sub(&d, &(m_crv->A), &tmp); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&d, &d, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Initialize our Edwards curve */
*f0865ec9SKyle Evans	/* Check if we have to inverse a and d */
*f0865ec9SKyle Evans	ret = fp_one(&tmp); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_cmp(&d, &tmp, &cmp); EG(ret, err);
*f0865ec9SKyle Evans	if (cmp == 0) {
*f0865ec9SKyle Evans		ret = ec_edwards_crv_init(e_crv, &d, &a, &(m_crv->order));
*f0865ec9SKyle Evans	} else {
*f0865ec9SKyle Evans		ret = ec_edwards_crv_init(e_crv, &a, &d, &(m_crv->order));
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&tmp);
*f0865ec9SKyle Evans	fp_uninit(&tmp2);
*f0865ec9SKyle Evans	fp_uninit(&a);
*f0865ec9SKyle Evans	fp_uninit(&d);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Mapping curve from Edwards to short Weierstrass.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint curve_edwards_to_shortw(ec_edwards_crv_src_t edwards_crv,
*f0865ec9SKyle Evans			    ec_shortw_crv_t shortw_crv,
*f0865ec9SKyle Evans			    fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans	ec_montgomery_crv montgomery_crv;
*f0865ec9SKyle Evans	montgomery_crv.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_edwards_to_montgomery(edwards_crv, &montgomery_crv, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = curve_montgomery_to_shortw(&montgomery_crv, shortw_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	ec_montgomery_crv_uninit(&montgomery_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/* Checking if an Edwards curve and short Weierstrass curve are compliant (through Montgomery mapping).
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint curve_edwards_shortw_check(ec_edwards_crv_src_t edwards_crv,
*f0865ec9SKyle Evans			       ec_shortw_crv_src_t shortw_crv,
*f0865ec9SKyle Evans			       fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans	ec_montgomery_crv montgomery_crv;
*f0865ec9SKyle Evans	montgomery_crv.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_edwards_to_montgomery(edwards_crv, &montgomery_crv, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_montgomery_shortw_check(&montgomery_crv, shortw_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	ec_montgomery_crv_uninit(&montgomery_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Mapping curve from short Weierstrass to Edwards.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint curve_shortw_to_edwards(ec_shortw_crv_src_t shortw_crv,
*f0865ec9SKyle Evans			    ec_edwards_crv_t edwards_crv,
*f0865ec9SKyle Evans			    fp_src_t alpha_montgomery,
*f0865ec9SKyle Evans			    fp_src_t gamma_montgomery,
*f0865ec9SKyle Evans			    fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans	ec_montgomery_crv montgomery_crv;
*f0865ec9SKyle Evans	montgomery_crv.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_shortw_to_montgomery(shortw_crv, &montgomery_crv, alpha_montgomery, gamma_montgomery); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_montgomery_to_edwards(&montgomery_crv, edwards_crv, alpha_edwards);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	ec_montgomery_crv_uninit(&montgomery_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Mapping points from twisted Edwards to Montgomery.
*f0865ec9SKyle Evans *   Point E(x, y) is mapped to M(u, v) with the formula:
*f0865ec9SKyle Evans *       - (0, 1) mapped to the point at infinity (not possible in our affine coordinates)
*f0865ec9SKyle Evans *       - (0, -1) mapped to (0, 0)
*f0865ec9SKyle Evans *       - (u, v) mapped to ((1+y)/(1-y), alpha * (1+y)/((1-y)x))
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_to_montgomery(aff_pt_edwards_src_t in_edwards,
*f0865ec9SKyle Evans				 ec_montgomery_crv_src_t montgomery_crv,
*f0865ec9SKyle Evans				 aff_pt_montgomery_t out_montgomery,
*f0865ec9SKyle Evans				 fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	/* NOTE: we attempt to perform the (0, -1) -> (0, 0) mapping in constant time.
*f0865ec9SKyle Evans	 * Hence the weird table selection.
*f0865ec9SKyle Evans	 */
*f0865ec9SKyle Evans	int ret, iszero, on_curve, cmp;
*f0865ec9SKyle Evans	fp tmp, tmp2, x, y;
*f0865ec9SKyle Evans	fp tab_x[2];
*f0865ec9SKyle Evans	fp_src_t tab_x_t[2] = { &tab_x[0], &tab_x[1] };
*f0865ec9SKyle Evans	fp tab_y[2];
*f0865ec9SKyle Evans	fp_src_t tab_y_t[2] = { &tab_y[0], &tab_y[1] };
*f0865ec9SKyle Evans	u8 idx = 0;
*f0865ec9SKyle Evans	tmp.magic = tmp2.magic = x.magic = y.magic = WORD(0);
*f0865ec9SKyle Evans	tab_x[0].magic = tab_x[1].magic = WORD(0);
*f0865ec9SKyle Evans	tab_y[0].magic = tab_y[1].magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = ec_montgomery_crv_check_initialized(montgomery_crv); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Check input point is on its curve */
*f0865ec9SKyle Evans	ret = aff_pt_edwards_is_on_curve(in_edwards, &on_curve); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE(on_curve, ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_edwards_montgomery_check(in_edwards->crv, montgomery_crv, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&tmp, in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tmp2, in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&x, in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&y, in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_x[0], in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_x[1], in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_y[0], in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_y[1], in_edwards->crv->a.ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_one(&tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* We do not handle point at infinity in affine coordinates */
*f0865ec9SKyle Evans	ret = fp_iszero(&(in_edwards->x), &iszero); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_cmp(&(in_edwards->y), &tmp, &cmp); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE(!(iszero && (cmp == 0)), ret, err);
*f0865ec9SKyle Evans	/* Map (0, -1) to (0, 0) */
*f0865ec9SKyle Evans	ret = fp_zero(&tmp2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(&tmp2, &tmp2, &tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* Copy 1 as x as dummy value */
*f0865ec9SKyle Evans	ret = fp_one(&tab_x[0]); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&tab_x[1], &(in_edwards->x)); EG(ret, err);
*f0865ec9SKyle Evans	/* Copy -1 as y to produce (0, 0) */
*f0865ec9SKyle Evans	ret = fp_copy(&tab_y[0], &tmp2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&tab_y[1], &(in_edwards->y)); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_iszero(&(in_edwards->x), &iszero); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_cmp(&(in_edwards->y), &tmp2, &cmp); EG(ret, err);
*f0865ec9SKyle Evans	idx = !(iszero && cmp);
*f0865ec9SKyle Evans	ret = fp_tabselect(&x, idx, tab_x_t, 2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_tabselect(&y, idx, tab_y_t, 2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = aff_pt_montgomery_init(out_montgomery, montgomery_crv); EG(ret, err);
*f0865ec9SKyle Evans	/* Compute general case */
*f0865ec9SKyle Evans	ret = fp_copy(&tmp2, &tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* Put 1/(1-y) in tmp */
*f0865ec9SKyle Evans	ret = fp_sub(&tmp, &tmp, &y); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inv(&tmp, &tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* Put (1+y) in tmp2 */
*f0865ec9SKyle Evans	ret = fp_add(&tmp2, &tmp2, &y); EG(ret, err);
*f0865ec9SKyle Evans	/* u = (1+y) / (1-y) */
*f0865ec9SKyle Evans	ret = fp_mul(&(out_montgomery->u), &tmp, &tmp2); EG(ret, err);
*f0865ec9SKyle Evans	/* v = alpha_edwards * (1+y)/((1-y)x) */
*f0865ec9SKyle Evans	ret = fp_inv(&(out_montgomery->v), &x); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&(out_montgomery->v), &(out_montgomery->v), alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&(out_montgomery->v), &(out_montgomery->u), &(out_montgomery->v)); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Final check that the point is on the curve */
*f0865ec9SKyle Evans	ret = aff_pt_montgomery_is_on_curve(out_montgomery, &on_curve); EG(ret, err);
*f0865ec9SKyle Evans	if (!on_curve) {
*f0865ec9SKyle Evans		ret = -1;
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&tmp);
*f0865ec9SKyle Evans	fp_uninit(&tmp2);
*f0865ec9SKyle Evans	fp_uninit(&x);
*f0865ec9SKyle Evans	fp_uninit(&y);
*f0865ec9SKyle Evans	fp_uninit(&tab_x[0]);
*f0865ec9SKyle Evans	fp_uninit(&tab_x[1]);
*f0865ec9SKyle Evans	fp_uninit(&tab_y[0]);
*f0865ec9SKyle Evans	fp_uninit(&tab_y[1]);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Mapping points from Montgomery to twisted Edwards.
*f0865ec9SKyle Evans *   Point M(u, v) is mapped to E(x, y) with the formula:
*f0865ec9SKyle Evans *       - Point at infinity mapped to (0, 1) (not possible in our affine coordinates)
*f0865ec9SKyle Evans *       - (0, 0) mapped to (0, -1)
*f0865ec9SKyle Evans *       - (x, y) mapped to (alpha * (u/v), (u-1)/(u+1))
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_montgomery_to_edwards(aff_pt_montgomery_src_t in_montgomery,
*f0865ec9SKyle Evans				 ec_edwards_crv_src_t edwards_crv,
*f0865ec9SKyle Evans				 aff_pt_edwards_t out_edwards,
*f0865ec9SKyle Evans				 fp_src_t alpha)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	/* NOTE: we attempt to perform the (0, 0) -> (0, -1) mapping in constant time.
*f0865ec9SKyle Evans	 * Hence the weird table selection.
*f0865ec9SKyle Evans	 */
*f0865ec9SKyle Evans	int ret, iszero1, iszero2, on_curve;
*f0865ec9SKyle Evans	fp tmp, u, v;
*f0865ec9SKyle Evans	fp tab_u[2];
*f0865ec9SKyle Evans	fp_src_t tab_u_t[2] = { &tab_u[0], &tab_u[1] };
*f0865ec9SKyle Evans	fp tab_v[2];
*f0865ec9SKyle Evans	fp_src_t tab_v_t[2] = { &tab_v[0], &tab_v[1] };
*f0865ec9SKyle Evans	u8 idx = 0;
*f0865ec9SKyle Evans	tmp.magic = u.magic = v.magic  = 0;
*f0865ec9SKyle Evans	tab_u[0].magic = tab_u[1].magic = WORD(0);
*f0865ec9SKyle Evans	tab_v[0].magic = tab_v[1].magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(edwards_crv); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Check input point is on its curve */
*f0865ec9SKyle Evans	ret = aff_pt_montgomery_is_on_curve(in_montgomery, &on_curve); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE(on_curve, ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = curve_edwards_montgomery_check(edwards_crv, in_montgomery->crv, alpha); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(&tmp, in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&u, in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&v, in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_u[0], in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_u[1], in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_v[0], in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tab_v[1], in_montgomery->crv->A.ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_one(&tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* Map (0, 0) to (0, -1) */
*f0865ec9SKyle Evans	/* Copy 0 as u as dummy value */
*f0865ec9SKyle Evans	ret = fp_zero(&tab_u[0]); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&tab_u[1], &(in_montgomery->u)); EG(ret, err);
*f0865ec9SKyle Evans	/* Copy 1 as v dummy value to produce (0, -1) */
*f0865ec9SKyle Evans	ret = fp_copy(&tab_v[0], &tmp); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_copy(&tab_v[1], &(in_montgomery->v)); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_iszero(&(in_montgomery->u), &iszero1); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_iszero(&(in_montgomery->v), &iszero2); EG(ret, err);
*f0865ec9SKyle Evans	idx = (iszero1 && iszero2) ? 0 : 1;
*f0865ec9SKyle Evans	ret = fp_tabselect(&u, idx, tab_u_t, 2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_tabselect(&v, idx, tab_v_t, 2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = aff_pt_edwards_init(out_edwards, edwards_crv); EG(ret, err);
*f0865ec9SKyle Evans	/* x = alpha * (u / v) */
*f0865ec9SKyle Evans	ret = fp_inv(&(out_edwards->x), &v); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&(out_edwards->x), &(out_edwards->x), alpha); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&(out_edwards->x), &(out_edwards->x), &u); EG(ret, err);
*f0865ec9SKyle Evans	/* y = (u-1)/(u+1) */
*f0865ec9SKyle Evans	ret = fp_add(&(out_edwards->y), &u, &tmp); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inv(&(out_edwards->y), &(out_edwards->y)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(&tmp, &u, &tmp); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(&(out_edwards->y), &(out_edwards->y), &tmp); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Final check that the point is on the curve */
*f0865ec9SKyle Evans	ret = aff_pt_edwards_is_on_curve(out_edwards, &on_curve); EG(ret, err);
*f0865ec9SKyle Evans	if (!on_curve) {
*f0865ec9SKyle Evans		ret = -1;
*f0865ec9SKyle Evans	}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&tmp);
*f0865ec9SKyle Evans	fp_uninit(&u);
*f0865ec9SKyle Evans	fp_uninit(&v);
*f0865ec9SKyle Evans	fp_uninit(&tab_u[0]);
*f0865ec9SKyle Evans	fp_uninit(&tab_u[1]);
*f0865ec9SKyle Evans	fp_uninit(&tab_v[0]);
*f0865ec9SKyle Evans	fp_uninit(&tab_v[1]);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Map points from Edwards to short Weierstrass through Montgomery (composition mapping).
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_to_shortw(aff_pt_edwards_src_t in_edwards,
*f0865ec9SKyle Evans			     ec_shortw_crv_src_t shortw_crv,
*f0865ec9SKyle Evans			     aff_pt_t out_shortw, fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans	aff_pt_montgomery inter_montgomery;
*f0865ec9SKyle Evans	ec_montgomery_crv inter_montgomery_crv;
*f0865ec9SKyle Evans	inter_montgomery.magic = inter_montgomery_crv.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* First, map from Edwards to Montgomery */
*f0865ec9SKyle Evans	ret = aff_pt_edwards_check_initialized(in_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = curve_edwards_to_montgomery(in_edwards->crv, &inter_montgomery_crv, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = aff_pt_edwards_to_montgomery(in_edwards, &inter_montgomery_crv, &inter_montgomery, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Then map from Montgomery to short Weierstrass */
*f0865ec9SKyle Evans	ret = aff_pt_montgomery_to_shortw(&inter_montgomery, shortw_crv, out_shortw);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	aff_pt_montgomery_uninit(&inter_montgomery);
*f0865ec9SKyle Evans	ec_montgomery_crv_uninit(&inter_montgomery_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Map points from projective short Weierstrass to Edwards through Montgomery (composition mapping).
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * Returns 0 on success, -1 on error.
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_shortw_to_edwards(aff_pt_src_t in_shortw,
*f0865ec9SKyle Evans			     ec_edwards_crv_src_t edwards_crv,
*f0865ec9SKyle Evans			     aff_pt_edwards_t out_edwards,
*f0865ec9SKyle Evans			     fp_src_t alpha_edwards)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans	int ret;
*f0865ec9SKyle Evans	aff_pt_montgomery inter_montgomery;
*f0865ec9SKyle Evans	ec_montgomery_crv inter_montgomery_crv;
*f0865ec9SKyle Evans	inter_montgomery.magic = inter_montgomery_crv.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* First, map from short Weierstrass to Montgomery */
*f0865ec9SKyle Evans	ret = curve_edwards_to_montgomery(edwards_crv, &inter_montgomery_crv, alpha_edwards); EG(ret, err);
*f0865ec9SKyle Evans	ret = aff_pt_shortw_to_montgomery(in_shortw, &inter_montgomery_crv, &inter_montgomery); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Then map from Montgomery to Edwards */
*f0865ec9SKyle Evans	ret = aff_pt_montgomery_to_edwards(&inter_montgomery, edwards_crv, out_edwards, alpha_edwards);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	aff_pt_montgomery_uninit(&inter_montgomery);
*f0865ec9SKyle Evans	ec_montgomery_crv_uninit(&inter_montgomery_crv);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Recover the two possible y coordinates from one x on a given
*f0865ec9SKyle Evans * curve.
*f0865ec9SKyle Evans * The two outputs y1 and y2 are initialized in the function.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * The function returns -1 on error, 0 on success.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_y_from_x(fp_t y1, fp_t y2, fp_src_t x, ec_edwards_crv_src_t crv)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans        int ret;
*f0865ec9SKyle Evans	fp tmp;
*f0865ec9SKyle Evans	tmp.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Sanity checks */
*f0865ec9SKyle Evans	ret = fp_check_initialized(x); EG(ret, err);
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(crv); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((x->ctx == crv->a.ctx) && (x->ctx == crv->d.ctx), ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((y1 != NULL) && (y2 != NULL), ret, err);
*f0865ec9SKyle Evans	/* Aliasing is not supported */
*f0865ec9SKyle Evans	MUST_HAVE((y1 != y2) && (y1 != x), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(y1, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(y2, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tmp, x->ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* In order to find our two possible y, we have to find the square
*f0865ec9SKyle Evans	 * roots of (1 - a x**2) / (1 - d * x**2).
*f0865ec9SKyle Evans	 */
*f0865ec9SKyle Evans	ret = fp_one(&tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* (1 - a x**2) */
*f0865ec9SKyle Evans	ret = fp_mul(y1, x, &(crv->a)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(y1, y1, x); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(y1, &tmp, y1); EG(ret, err);
*f0865ec9SKyle Evans	/* 1 / (1 - d * x**2) */
*f0865ec9SKyle Evans	ret = fp_mul(y2, x, &(crv->d)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(y2, y2, x); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(y2, &tmp, y2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inv(y2, y2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_mul(&tmp, y1, y2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_sqrt(y1, y2, &tmp);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&tmp);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans/*
*f0865ec9SKyle Evans * Recover the two possible x coordinates from one y on a given
*f0865ec9SKyle Evans * curve.
*f0865ec9SKyle Evans * The two outputs x1 and x2 are initialized in the function.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans * The function returns -1 on error, 0 on success.
*f0865ec9SKyle Evans *
*f0865ec9SKyle Evans */
*f0865ec9SKyle Evansint aff_pt_edwards_x_from_y(fp_t x1, fp_t x2, fp_src_t y, ec_edwards_crv_src_t crv)
*f0865ec9SKyle Evans{
*f0865ec9SKyle Evans        int ret;
*f0865ec9SKyle Evans	fp tmp;
*f0865ec9SKyle Evans	tmp.magic = WORD(0);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* Sanity checks */
*f0865ec9SKyle Evans	ret = fp_check_initialized(y); EG(ret, err);
*f0865ec9SKyle Evans	ret = ec_edwards_crv_check_initialized(crv); EG(ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((y->ctx == crv->a.ctx) && (y->ctx == crv->d.ctx), ret, err);
*f0865ec9SKyle Evans	MUST_HAVE((x1 != NULL) && (x2 != NULL), ret, err);
*f0865ec9SKyle Evans	/* Aliasing is not supported */
*f0865ec9SKyle Evans	MUST_HAVE((x1 != x2) && (x1 != y), ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_init(x1, y->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(x2, y->ctx); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_init(&tmp, y->ctx); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	/* In order to find our two possible y, we have to find the square
*f0865ec9SKyle Evans	 * roots of (1 - y**2) / (a - d * y**2).
*f0865ec9SKyle Evans	 */
*f0865ec9SKyle Evans	ret = fp_one(&tmp); EG(ret, err);
*f0865ec9SKyle Evans	/* (1 - y**2) */
*f0865ec9SKyle Evans	ret = fp_mul(x1, y, y); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(x1, &tmp, x1); EG(ret, err);
*f0865ec9SKyle Evans	/* 1 / (a - d * x**2) */
*f0865ec9SKyle Evans	ret = fp_mul(x2, y, &(crv->d)); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_mul(x2, x2, y); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_sub(x2, &(crv->a), x2); EG(ret, err);
*f0865ec9SKyle Evans	ret = fp_inv(x2, x2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_mul(&tmp, x1, x2); EG(ret, err);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	ret = fp_sqrt(x1, x2, &tmp);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evanserr:
*f0865ec9SKyle Evans	fp_uninit(&tmp);
*f0865ec9SKyle Evans
*f0865ec9SKyle Evans	return ret;
*f0865ec9SKyle Evans}