549 files changed, 9186 insertions, 32 deletions
diff --git a/pyecsca/ec/__init__.py b/pyecsca/ec/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/pyecsca/ec/__init__.py
diff --git a/pyecsca/ec/coordinates.py b/pyecsca/ec/coordinates.py
new file mode 100644
index 0000000..d1b7870
--- /dev/null
+++ b/pyecsca/ec/coordinates.py
@@ -0,0 +1,71 @@
+from ast import parse, Expression
+from pkg_resources import resource_listdir, resource_isdir, resource_stream
+from typing import List, Any, MutableMapping
+
+from .formula import Formula, AdditionFormula, DoublingFormula, TriplingFormula, DifferentialAdditionFormula, LadderFormula, ScalingFormula
+
+class CoordinateModel(object):
+ name: str
+ full_name: str
+ curve_model: Any
+ variables: List[str]
+ satisfying: List[Expression]
+ parameters: List[str]
+ assumptions: List[Expression]
+ formulas: MutableMapping[str, Formula]
+
+ def __init__(self, dir_path: str, name: str, curve_model: Any):
+ self.name = name
+ self.curve_model = curve_model
+ self.variables = []
+ self.satisfying = []
+ self.parameters = []
+ self.assumptions = []
+ self.formulas = {}
+ for fname in resource_listdir(__name__, dir_path):
+ file_path = dir_path + "/" + fname
+ if resource_isdir(__name__, file_path):
+ self.__read_formula_dir(file_path, fname)
+ else:
+ self.__read_coordinates_file(file_path)
+
+ def __read_formula_dir(self, dir_path, formula_type):
+ for fname in resource_listdir(__name__, dir_path):
+ if fname.endswith(".op3"):
+ continue
+ if formula_type == "addition":
+ cls = AdditionFormula
+ elif formula_type == "doubling":
+ cls = DoublingFormula
+ elif formula_type == "tripling":
+ cls = TriplingFormula
+ elif formula_type == "diffadd":
+ cls = DifferentialAdditionFormula
+ elif formula_type == "ladder":
+ cls = LadderFormula
+ elif formula_type == "scaling":
+ cls = ScalingFormula
+ else:
+ cls = Formula
+ self.formulas[fname] = cls(dir_path + "/" + fname, fname, self)
+
+ def __read_coordinates_file(self, file_path):
+ with resource_stream(__name__, file_path) as f:
+ line = f.readline().decode("ascii")
+ while line:
+ line = line[:-1]
+ if line.startswith("name"):
+ self.full_name = line[5:]
+ elif line.startswith("variable"):
+ self.variables.append(line[9:])
+ elif line.startswith("satisfying"):
+ self.satisfying.append(parse(line[11:].replace("=",
"==").replace("^", "**"), mode="eval"))
+ elif line.startswith("parameter"):
+ self.parameters.append(line[10:])
+ elif line.startswith("assume"):
+ self.assumptions.append(
+ parse(line[7:].replace("=", "==").replace("^", "**"), mode="eval"))
+ line = f.readline().decode("ascii")
+
+ def __repr__(self):
+ return "CoordinateModel(\"{}\" on {})".format(self.name, self.curve_model.name)
diff --git a/pyecsca/ec/efd/edwards/coordinates b/pyecsca/ec/efd/edwards/coordinates
new file mode 100644
index 0000000..dc85a7a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/coordinates
@@ -0,0 +1,24 @@
+name Edwards curves
+parameter c
+parameter d
+coordinate x
+coordinate y
+satisfying x^2+y^2 == c^2*(1+d*x^2*y^2)
+addition x = (x1*y2+y1*x2)/(c(1+d*x1*x2*y1*y2))
+addition y = (y1*y2-x1*x2)/(c(1-d*x1*x2*y1*y2))
+doubling x = (x1*y1+y1*x1)/(c(1+d*x1*x1*y1*y1))
+doubling y = (y1*y1-x1*x1)/(c(1-d*x1*x1*y1*y1))
+negation x = -x1
+negation y = y1
+neutral x = 0
+neutral y = c
+toweierstrass u = (c+y)/(c-y)
+toweierstrass v = 2*c*(c+y)/(x(c-y))
+a0 = 1/(1-d*c^4)
+a1 = 0
+a2 = 4/(1-d*c^4)-2
+a3 = 0
+a4 = 1
+a6 = 0
+fromweierstrass x = 2*c*u/v
+fromweierstrass y = c(u-1)/(u+1)
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/add-2007-bl b/pyecsca/ec/efd/edwards/inverted/addition/add-2007-bl
new file mode 100644
index 0000000..f2a8b68
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/add-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+compute A = Z1 Z2
+compute B = d A^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = C D
+compute H = C-D
+compute I = (X1+Y1) (X2+Y2)-C-D
+compute X3 = c (E+B) H
+compute Y3 = c (E-B) I
+compute Z3 = A H I
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/add-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/addition/add-2007-bl.op3
new file mode 100644
index 0000000..062453a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/add-2007-bl.op3
@@ -0,0 +1,20 @@
+A = Z1*Z2
+t0 = A^2
+B = d*t0
+C = X1*X2
+D = Y1*Y2
+E = C*D
+H = C-D
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+I = t4-D
+t5 = E+B
+t6 = t5*H
+X3 = c*t6
+t7 = E-B
+t8 = t7*I
+Y3 = c*t8
+t9 = H*I
+Z3 = A*t9
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/add-20080225-hwcd b/pyecsca/ec/efd/edwards/inverted/addition/add-20080225-hwcd
new file mode 100644
index 0000000..fcd4f55
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/add-20080225-hwcd
@@ -0,0 +1,12 @@
+source 2008.02.25 Hisil--Wong--Carter--Dawson, page 8
+compute A = X1 Z2
+compute B = Y1 Z2
+compute C = Z1 X2
+compute D = Z1 Y2
+compute E = A B
+compute F = C D
+compute G = E+F
+compute H = E-F
+compute X3 = ((A+D)(B+C)-G)H
+compute Y3 = ((A-C)(B+D)-H)G
+compute Z3 = c G H
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/add-20080225-hwcd.op3 b/pyecsca/ec/efd/edwards/inverted/addition/add-20080225-hwcd.op3
new file mode 100644
index 0000000..18977cd
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/add-20080225-hwcd.op3
@@ -0,0 +1,20 @@
+A = X1*Z2
+B = Y1*Z2
+C = Z1*X2
+D = Z1*Y2
+E = A*B
+F = C*D
+G = E+F
+H = E-F
+t0 = A+D
+t1 = B+C
+t2 = t0*t1
+t3 = t2-G
+X3 = t3*H
+t4 = A-C
+t5 = B+D
+t6 = t4*t5
+t7 = t6-H
+Y3 = t7*G
+t8 = G*H
+Z3 = c*t8
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/madd-2007-bl b/pyecsca/ec/efd/edwards/inverted/addition/madd-2007-bl
new file mode 100644
index 0000000..d690f62
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/madd-2007-bl
@@ -0,0 +1,12 @@
+source 2007 Bernstein--Lange
+assume Z2 = 1
+compute A = Z1
+compute B = d A^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = C D
+compute H = C-D
+compute I = (X1+Y1) (X2+Y2)-C-D
+compute X3 = c (E+B) H
+compute Y3 = c (E-B) I
+compute Z3 = A H I
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/madd-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/addition/madd-2007-bl.op3
new file mode 100644
index 0000000..d23ab91
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/madd-2007-bl.op3
@@ -0,0 +1,20 @@
+A = Z1
+t0 = A^2
+B = d*t0
+C = X1*X2
+D = Y1*Y2
+E = C*D
+H = C-D
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+I = t4-D
+t5 = E+B
+t6 = t5*H
+X3 = c*t6
+t7 = E-B
+t8 = t7*I
+Y3 = c*t8
+t9 = H*I
+Z3 = A*t9
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/madd-20080225-hwcd b/pyecsca/ec/efd/edwards/inverted/addition/madd-20080225-hwcd
new file mode 100644
index 0000000..08bd765
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/madd-20080225-hwcd
@@ -0,0 +1,13 @@
+source 2008.02.25 Hisil--Wong--Carter--Dawson, page 8
+assume Z2 = 1
+compute A = X1
+compute B = Y1
+compute C = Z1 X2
+compute D = Z1 Y2
+compute E = A B
+compute F = C D
+compute G = E+F
+compute H = E-F
+compute X3 = ((A+D)(B+C)-G)H
+compute Y3 = ((A-C)(B+D)-H)G
+compute Z3 = c G H
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/madd-20080225-hwcd.op3 b/pyecsca/ec/efd/edwards/inverted/addition/madd-20080225-hwcd.op3
new file mode 100644
index 0000000..5713dc9
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/madd-20080225-hwcd.op3
@@ -0,0 +1,20 @@
+A = X1
+B = Y1
+C = Z1*X2
+D = Z1*Y2
+E = A*B
+F = C*D
+G = E+F
+H = E-F
+t0 = A+D
+t1 = B+C
+t2 = t0*t1
+t3 = t2-G
+X3 = t3*H
+t4 = A-C
+t5 = B+D
+t6 = t4*t5
+t7 = t6-H
+Y3 = t7*G
+t8 = G*H
+Z3 = c*t8
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/mmadd-2007-bl b/pyecsca/ec/efd/edwards/inverted/addition/mmadd-2007-bl
new file mode 100644
index 0000000..d333914
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/mmadd-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+assume Z1 = 1
+assume Z2 = 1
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = C D
+compute H = C-D
+compute I = (X1+Y1) (X2+Y2)-C-D
+compute X3 = c (E+d) H
+compute Y3 = c (E-d) I
+compute Z3 = H I
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/mmadd-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/addition/mmadd-2007-bl.op3
new file mode 100644
index 0000000..93c632d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/mmadd-2007-bl.op3
@@ -0,0 +1,16 @@
+C = X1*X2
+D = Y1*Y2
+E = C*D
+H = C-D
+t0 = X1+Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2-C
+I = t3-D
+t4 = E+d
+t5 = t4*H
+X3 = c*t5
+t6 = E-d
+t7 = t6*I
+Y3 = c*t7
+Z3 = H*I
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/xmadd-2007-bl b/pyecsca/ec/efd/edwards/inverted/addition/xmadd-2007-bl
new file mode 100644
index 0000000..392d01c
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/xmadd-2007-bl
@@ -0,0 +1,13 @@
+source 2007 Bernstein--Lange
+assume X2 = 1
+compute A = Z1 Z2
+compute B = d A^2
+compute D = Y1 Y2
+compute E = X1 D
+compute F = E-B
+compute G = E+B
+compute H = X1-D
+compute I = X1 Y2+Y1
+compute X3 = c G H
+compute Y3 = c F I
+compute Z3 = A H I
diff --git a/pyecsca/ec/efd/edwards/inverted/addition/xmadd-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/addition/xmadd-2007-bl.op3
new file mode 100644
index 0000000..9a3ad1d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/addition/xmadd-2007-bl.op3
@@ -0,0 +1,16 @@
+A = Z1*Z2
+t0 = A^2
+B = d*t0
+D = Y1*Y2
+E = X1*D
+F = E-B
+G = E+B
+H = X1-D
+t1 = X1*Y2
+I = t1+Y1
+t2 = G*H
+X3 = c*t2
+t3 = F*I
+Y3 = c*t3
+t4 = H*I
+Z3 = A*t4
diff --git a/pyecsca/ec/efd/edwards/inverted/doubling/dbl-2007-bl b/pyecsca/ec/efd/edwards/inverted/doubling/dbl-2007-bl
new file mode 100644
index 0000000..ccdfd40
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/doubling/dbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+parameter ccd2
+assume ccd2 = 2*c*c*d
+compute A = X1^2
+compute B = Y1^2
+compute C = A+B
+compute D = A-B
+compute E = (X1+Y1)^2-C
+compute Z3 = c D E
+compute X3 = C D
+compute Y3 = E (C-ccd2 Z1^2)
diff --git a/pyecsca/ec/efd/edwards/inverted/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..8286b07
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/doubling/dbl-2007-bl.op3
@@ -0,0 +1,14 @@
+A = X1^2
+B = Y1^2
+C = A+B
+D = A-B
+t0 = X1+Y1
+t1 = t0^2
+E = t1-C
+t2 = D*E
+Z3 = c*t2
+X3 = C*D
+t3 = Z1^2
+t4 = ccd2*t3
+t5 = C-t4
+Y3 = E*t5
diff --git a/pyecsca/ec/efd/edwards/inverted/doubling/mdbl-2007-bl b/pyecsca/ec/efd/edwards/inverted/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..ca2095d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/doubling/mdbl-2007-bl
@@ -0,0 +1,12 @@
+source 2007 Bernstein--Lange
+parameter ccd2
+assume ccd2 = 2*c*c*d
+assume Z1 = 1
+compute A = X1^2
+compute B = Y1^2
+compute C = A+B
+compute D = A-B
+compute E = (X1+Y1)^2-C
+compute Z3 = c D E
+compute X3 = C D
+compute Y3 = E (C-ccd2)
diff --git a/pyecsca/ec/efd/edwards/inverted/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..2ee195a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,12 @@
+A = X1^2
+B = Y1^2
+C = A+B
+D = A-B
+t0 = X1+Y1
+t1 = t0^2
+E = t1-C
+t2 = D*E
+Z3 = c*t2
+X3 = C*D
+t3 = C-ccd2
+Y3 = E*t3
diff --git a/pyecsca/ec/efd/edwards/inverted/scaling/z b/pyecsca/ec/efd/edwards/inverted/scaling/z
new file mode 100644
index 0000000..4c37771
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/scaling/z
@@ -0,0 +1,4 @@
+compute A = 1/Z1
+compute X3 = X1 A
+compute Y3 = Y1 A
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/inverted/scaling/z.op3 b/pyecsca/ec/efd/edwards/inverted/scaling/z.op3
new file mode 100644
index 0000000..8b51efc
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/scaling/z.op3
@@ -0,0 +1,4 @@
+A = 1/Z1
+X3 = X1*A
+Y3 = Y1*A
+Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl
new file mode 100644
index 0000000..842e976
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl
@@ -0,0 +1,13 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = (c Z1)^2
+compute D = XX+YY
+compute DD = D^2
+compute E = 4 (D-d ZZ)
+compute H = 2 D (YY-XX)
+compute P = DD-XX E
+compute Q = DD-YY E
+compute X3 = (H+Q) Q X1
+compute Y3 = (H-P) P Y1
+compute Z3 = P Q Z1
diff --git a/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl-2 b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl-2
new file mode 100644
index 0000000..c15bcb0
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl-2
@@ -0,0 +1,16 @@
+source 2007 Bernstein--Lange
+parameter ccd
+assume ccd = c*c*d
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute D = XX+YY
+compute DD = D^2
+compute E = 4 (D-ccd ZZ)
+compute H = 2 D (YY-XX)
+compute P = DD-XX E
+compute Q = DD-YY E
+compute QQ = Q^2
+compute X3 = (H+Q) ((Q+X1)^2-QQ-XX)
+compute Y3 = 2 (H-P) P Y1
+compute Z3 = P ((Q+Z1)^2-QQ-ZZ)
diff --git a/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl-2.op3 b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl-2.op3
new file mode 100644
index 0000000..e61b239
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl-2.op3
@@ -0,0 +1,31 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+D = XX+YY
+DD = D^2
+t0 = ccd*ZZ
+t1 = D-t0
+E = 4*t1
+t2 = YY-XX
+t3 = D*t2
+H = 2*t3
+t4 = XX*E
+P = DD-t4
+t5 = YY*E
+Q = DD-t5
+QQ = Q^2
+t6 = Q+X1
+t7 = t6^2
+t8 = H+Q
+t9 = t7-QQ
+t10 = t9-XX
+X3 = t8*t10
+t11 = H-P
+t12 = P*Y1
+t13 = t11*t12
+Y3 = 2*t13
+t14 = Q+Z1
+t15 = t14^2
+t16 = t15-QQ
+t17 = t16-ZZ
+Z3 = P*t17
diff --git a/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl.op3 b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl.op3
new file mode 100644
index 0000000..7684782
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/tripling/tpl-2007-bl.op3
@@ -0,0 +1,24 @@
+XX = X1^2
+YY = Y1^2
+t0 = c*Z1
+ZZ = t0^2
+D = XX+YY
+DD = D^2
+t1 = d*ZZ
+t2 = D-t1
+E = 4*t2
+t3 = YY-XX
+t4 = D*t3
+H = 2*t4
+t5 = XX*E
+P = DD-t5
+t6 = YY*E
+Q = DD-t6
+t7 = H+Q
+t8 = Q*X1
+X3 = t7*t8
+t9 = H-P
+t10 = P*Y1
+Y3 = t9*t10
+t11 = Q*Z1
+Z3 = P*t11
diff --git a/pyecsca/ec/efd/edwards/inverted/variables b/pyecsca/ec/efd/edwards/inverted/variables
new file mode 100644
index 0000000..97014ad
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/inverted/variables
@@ -0,0 +1,6 @@
+name inverted coordinates
+variable X
+variable Y
+variable Z
+satisfying x = Z/X
+satisfying y = Z/Y
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl
new file mode 100644
index 0000000..3cc1886
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+compute A = Z1 Z2
+compute B = A^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute F = B-E
+compute G = B+E
+compute X3 = A F((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = A G(D-C)
+compute Z3 = c F G
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-2 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-2
new file mode 100644
index 0000000..449fde4
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-2
@@ -0,0 +1,30 @@
+source 2007 Bernstein--Lange
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = X2
+compute R5 = Y2
+compute R6 = Z2
+compute R3 = R3 R6
+compute R7 = R1+R2
+compute R8 = R4+R5
+compute R1 = R1 R4
+compute R2 = R2 R5
+compute R7 = R7 R8
+compute R7 = R7-R1
+compute R7 = R7-R2
+compute R7 = R7 R3
+compute R8 = R1 R2
+compute R8 = d R8
+compute R2 = R2-R1
+compute R2 = R2 R3
+compute R3 = R3^2
+compute R1 = R3-R8
+compute R3 = R3+R8
+compute R2 = R2 R3
+compute R3 = R3 R1
+compute R1 = R1 R7
+compute R3 = c R3
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-2.op3 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-2.op3
new file mode 100644
index 0000000..37c2595
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-2.op3
@@ -0,0 +1,29 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = X2
+R5 = Y2
+R6 = Z2
+R3 = R3*R6
+R7 = R1+R2
+R8 = R4+R5
+R1 = R1*R4
+R2 = R2*R5
+R7 = R7*R8
+R7 = R7-R1
+R7 = R7-R2
+R7 = R7*R3
+R8 = R1*R2
+R8 = d*R8
+R2 = R2-R1
+R2 = R2*R3
+R3 = R3^2
+R1 = R3-R8
+R3 = R3+R8
+R2 = R2*R3
+R3 = R3*R1
+R1 = R1*R7
+R3 = c*R3
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-3 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-3
new file mode 100644
index 0000000..33e49ea
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-3
@@ -0,0 +1,15 @@
+source 2007 Bernstein--Lange
+parameter c2
+assume c2 = 2*c
+compute A = Z1 Z2
+compute B = A^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute BB = B^2
+compute EE = E^2
+compute H = (A+B)^2-BB
+compute I = (A+E)^2-EE
+compute X3 = (H-I)((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = (H+I-2 B)(D-C)
+compute Z3 = c2(BB-EE)
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-3.op3 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-3.op3
new file mode 100644
index 0000000..5c9f508
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-3.op3
@@ -0,0 +1,28 @@
+A = Z1*Z2
+B = A^2
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+BB = B^2
+EE = E^2
+t1 = A+B
+t2 = t1^2
+H = t2-BB
+t3 = A+E
+t4 = t3^2
+I = t4-EE
+t5 = X1+Y1
+t6 = X2+Y2
+t7 = t5*t6
+t8 = H-I
+t9 = t7-C
+t10 = t9-D
+X3 = t8*t10
+t11 = 2*B
+t12 = H+I
+t13 = t12-t11
+t14 = D-C
+Y3 = t13*t14
+t15 = BB-EE
+Z3 = c2*t15
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-4 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-4
new file mode 100644
index 0000000..ab868e1
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-4
@@ -0,0 +1,22 @@
+source 2007 Bernstein--Lange
+parameter i
+assume i^2 = -1
+compute iX2 = i X2
+compute C2 = Y2+iX2
+compute D2 = Y2-iX2
+compute iX1 = i X1
+compute C1 = Y1+iX1
+compute D1 = Y1-iX1
+compute A = Z1 Z2
+compute B = 2 A^2
+compute C = C1 C2
+compute D = D1 D2
+compute L = D+C
+compute M = Y1 Y2
+compute N = 2 M-L
+compute E = d M N
+compute F = B-E
+compute G = B+E
+compute X3 = i A F (D-C)
+compute Y3 = A G L
+compute Z3 = c G F
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-4.op3 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-4.op3
new file mode 100644
index 0000000..3886a57
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl-4.op3
@@ -0,0 +1,27 @@
+iX2 = i*X2
+C2 = Y2+iX2
+D2 = Y2-iX2
+iX1 = i*X1
+C1 = Y1+iX1
+D1 = Y1-iX1
+A = Z1*Z2
+t0 = A^2
+B = 2*t0
+C = C1*C2
+D = D1*D2
+L = D+C
+M = Y1*Y2
+t1 = 2*M
+N = t1-L
+t2 = M*N
+E = d*t2
+F = B-E
+G = B+E
+t3 = D-C
+t4 = F*t3
+t5 = A*t4
+X3 = i*t5
+t6 = G*L
+Y3 = A*t6
+t7 = G*F
+Z3 = c*t7
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl.op3 b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl.op3
new file mode 100644
index 0000000..6fdb17e
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-2007-bl.op3
@@ -0,0 +1,20 @@
+A = Z1*Z2
+B = A^2
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+F = B-E
+G = B+E
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+t5 = t4-D
+t6 = F*t5
+X3 = A*t6
+t7 = D-C
+t8 = G*t7
+Y3 = A*t8
+t9 = F*G
+Z3 = c*t9
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-20080225-hwcd b/pyecsca/ec/efd/edwards/projective/addition/add-20080225-hwcd
new file mode 100644
index 0000000..dc4e163
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-20080225-hwcd
@@ -0,0 +1,16 @@
+source 2008.02.25 Hisil--Wong--Carter--Dawson, page 8
+parameter k
+assume k*c = 1
+compute A = X1 Z2
+compute B = Y1 Z2
+compute C = Z1 X2
+compute D = Z1 Y2
+compute E = A B
+compute F = C D
+compute G = E+F
+compute H = E-F
+compute J = (A-C)(B+D)-H
+compute K = (A+D)(B+C)-G
+compute X3 = G J
+compute Y3 = H K
+compute Z3 = k J K
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-20080225-hwcd.op3 b/pyecsca/ec/efd/edwards/projective/addition/add-20080225-hwcd.op3
new file mode 100644
index 0000000..f91ca8d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-20080225-hwcd.op3
@@ -0,0 +1,20 @@
+A = X1*Z2
+B = Y1*Z2
+C = Z1*X2
+D = Z1*Y2
+E = A*B
+F = C*D
+G = E+F
+H = E-F
+t0 = A-C
+t1 = B+D
+t2 = t0*t1
+J = t2-H
+t3 = A+D
+t4 = B+C
+t5 = t3*t4
+K = t5-G
+X3 = G*J
+Y3 = H*K
+t6 = J*K
+Z3 = k*t6
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-20090311-hwcd b/pyecsca/ec/efd/edwards/projective/addition/add-20090311-hwcd
new file mode 100644
index 0000000..c3f6ac3
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-20090311-hwcd
@@ -0,0 +1,15 @@
+source 2009.03.11 Hisil--Wong--Carter--Dawson, after formula (17), plus denominator elimination
+parameter k
+assume k*c = 1
+compute R1 = X2 Y2
+compute R2 = Z2^2
+compute A = X1 Y1
+compute B = Z1^2
+compute C = R2 A
+compute D = R1 B
+compute E = (X1-X2)(Y1+Y2)-A+R1
+compute F = (X1+Y2)(Y1+X2)-A-R1
+compute G = (Z1+Z2)^2-B-R2
+compute X3 = 2 E(C+D)
+compute Y3 = 2 F(C-D)
+compute Z3 = k E F G
diff --git a/pyecsca/ec/efd/edwards/projective/addition/add-20090311-hwcd.op3 b/pyecsca/ec/efd/edwards/projective/addition/add-20090311-hwcd.op3
new file mode 100644
index 0000000..32dc1c5
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/add-20090311-hwcd.op3
@@ -0,0 +1,29 @@
+R1 = X2*Y2
+R2 = Z2^2
+A = X1*Y1
+B = Z1^2
+C = R2*A
+D = R1*B
+t0 = X1-X2
+t1 = Y1+Y2
+t2 = t0*t1
+t3 = t2-A
+E = t3+R1
+t4 = X1+Y2
+t5 = Y1+X2
+t6 = t4*t5
+t7 = t6-A
+F = t7-R1
+t8 = Z1+Z2
+t9 = t8^2
+t10 = t9-B
+G = t10-R2
+t11 = C+D
+t12 = E*t11
+X3 = 2*t12
+t13 = C-D
+t14 = F*t13
+Y3 = 2*t14
+t15 = F*G
+t16 = E*t15
+Z3 = k*t16
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl
new file mode 100644
index 0000000..00bc0f2
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+assume Z2 = 1
+compute B = Z1^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute F = B-E
+compute G = B+E
+compute X3 = Z1 F ((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = Z1 G (D-C)
+compute Z3 = c F G
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-2 b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-2
new file mode 100644
index 0000000..080b055
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-2
@@ -0,0 +1,29 @@
+source 2007 Bernstein--Lange
+assume Z2 = 1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = X2
+compute R5 = Y2
+compute R7 = R1+R2
+compute R6 = R4+R5
+compute R1 = R1 R4
+compute R2 = R2 R5
+compute R7 = R7 R6
+compute R7 = R7-R1
+compute R7 = R7-R2
+compute R7 = R7 R3
+compute R6 = R1 R2
+compute R6 = d R6
+compute R2 = R2-R1
+compute R2 = R2 R3
+compute R3 = R3^2
+compute R1 = R3-R6
+compute R3 = R3+R6
+compute R2 = R2 R3
+compute R3 = R3 R1
+compute R1 = R1 R7
+compute R3 = c R3
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-2.op3 b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-2.op3
new file mode 100644
index 0000000..4b605ad
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-2.op3
@@ -0,0 +1,27 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = X2
+R5 = Y2
+R7 = R1+R2
+R6 = R4+R5
+R1 = R1*R4
+R2 = R2*R5
+R7 = R7*R6
+R7 = R7-R1
+R7 = R7-R2
+R7 = R7*R3
+R6 = R1*R2
+R6 = d*R6
+R2 = R2-R1
+R2 = R2*R3
+R3 = R3^2
+R1 = R3-R6
+R3 = R3+R6
+R2 = R2*R3
+R3 = R3*R1
+R1 = R1*R7
+R3 = c*R3
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-3 b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-3
new file mode 100644
index 0000000..a67df7a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-3
@@ -0,0 +1,15 @@
+source 2007 Bernstein--Lange
+parameter c2
+assume c2 = 2*c
+assume Z2 = 1
+compute B = Z1^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute BB = B^2
+compute EE = E^2
+compute H = (Z1+B)^2-BB
+compute I = (Z1+E)^2-EE
+compute X3 = (H-I)((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = (H+I-2 B)(D-C)
+compute Z3 = c2(BB-EE)
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-3.op3 b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-3.op3
new file mode 100644
index 0000000..1aff593
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl-3.op3
@@ -0,0 +1,27 @@
+B = Z1^2
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+BB = B^2
+EE = E^2
+t1 = Z1+B
+t2 = t1^2
+H = t2-BB
+t3 = Z1+E
+t4 = t3^2
+I = t4-EE
+t5 = X1+Y1
+t6 = X2+Y2
+t7 = t5*t6
+t8 = H-I
+t9 = t7-C
+t10 = t9-D
+X3 = t8*t10
+t11 = 2*B
+t12 = H+I
+t13 = t12-t11
+t14 = D-C
+Y3 = t13*t14
+t15 = BB-EE
+Z3 = c2*t15
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl.op3 b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl.op3
new file mode 100644
index 0000000..4da6bf9
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-2007-bl.op3
@@ -0,0 +1,19 @@
+B = Z1^2
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+F = B-E
+G = B+E
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+t5 = t4-D
+t6 = F*t5
+X3 = Z1*t6
+t7 = D-C
+t8 = G*t7
+Y3 = Z1*t8
+t9 = F*G
+Z3 = c*t9
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-20080225-hwcd b/pyecsca/ec/efd/edwards/projective/addition/madd-20080225-hwcd
new file mode 100644
index 0000000..6d4da4b
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-20080225-hwcd
@@ -0,0 +1,17 @@
+source 2008.02.25 Hisil--Wong--Carter--Dawson, page 8
+parameter k
+assume k*c = 1
+assume Z2 = 1
+compute A = X1
+compute B = Y1
+compute C = Z1 X2
+compute D = Z1 Y2
+compute E = A B
+compute F = C D
+compute G = E+F
+compute H = E-F
+compute J = (A-C)(B+D)-H
+compute K = (A+D)(B+C)-G
+compute X3 = G J
+compute Y3 = H K
+compute Z3 = k J K
diff --git a/pyecsca/ec/efd/edwards/projective/addition/madd-20080225-hwcd.op3 b/pyecsca/ec/efd/edwards/projective/addition/madd-20080225-hwcd.op3
new file mode 100644
index 0000000..22ea53d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/madd-20080225-hwcd.op3
@@ -0,0 +1,20 @@
+A = X1
+B = Y1
+C = Z1*X2
+D = Z1*Y2
+E = A*B
+F = C*D
+G = E+F
+H = E-F
+t0 = A-C
+t1 = B+D
+t2 = t0*t1
+J = t2-H
+t3 = A+D
+t4 = B+C
+t5 = t3*t4
+K = t5-G
+X3 = G*J
+Y3 = H*K
+t6 = J*K
+Z3 = k*t6
diff --git a/pyecsca/ec/efd/edwards/projective/addition/mmadd-2007-bl b/pyecsca/ec/efd/edwards/projective/addition/mmadd-2007-bl
new file mode 100644
index 0000000..68a467d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/mmadd-2007-bl
@@ -0,0 +1,9 @@
+source 2007 Bernstein--Lange
+assume Z1 = 1
+assume Z2 = 1
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute X3 = (1-E)((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = (1+E)(D-C)
+compute Z3 = c(1-E^2)
diff --git a/pyecsca/ec/efd/edwards/projective/addition/mmadd-2007-bl.op3 b/pyecsca/ec/efd/edwards/projective/addition/mmadd-2007-bl.op3
new file mode 100644
index 0000000..1f64eff
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/mmadd-2007-bl.op3
@@ -0,0 +1,17 @@
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = 1-E
+t5 = t3-C
+t6 = t5-D
+X3 = t4*t6
+t7 = 1+E
+t8 = D-C
+Y3 = t7*t8
+t9 = E^2
+t10 = 1-t9
+Z3 = c*t10
diff --git a/pyecsca/ec/efd/edwards/projective/addition/xmadd-2007-hcd b/pyecsca/ec/efd/edwards/projective/addition/xmadd-2007-hcd
new file mode 100644
index 0000000..eb0ab17
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/xmadd-2007-hcd
@@ -0,0 +1,18 @@
+source 2007 Hisil--Carter--Dawson
+assume X2 = 1
+compute T0 = X1 Y2
+compute T0 = T0+Y1
+compute Y3 = Y1 Y2
+compute T1 = Y3 X1
+compute Y3 = Y3-X1
+compute Z3 = Z1 Z2
+compute X3 = T0 Z3
+compute Y3 = Y3 Z3
+compute T1 = d T1
+compute Z3 = Z3^2
+compute T0 = Z3-T1
+compute Z3 = Z3+T1
+compute X3 = X3 T0
+compute Y3 = Y3 Z3
+compute Z3 = Z3 T0
+compute Z3 = c Z3
diff --git a/pyecsca/ec/efd/edwards/projective/addition/xmadd-2007-hcd.op3 b/pyecsca/ec/efd/edwards/projective/addition/xmadd-2007-hcd.op3
new file mode 100644
index 0000000..f607aff
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/addition/xmadd-2007-hcd.op3
@@ -0,0 +1,16 @@
+T0 = X1*Y2
+T0 = T0+Y1
+Y3 = Y1*Y2
+T1 = Y3*X1
+Y3 = Y3-X1
+Z3 = Z1*Z2
+X3 = T0*Z3
+Y3 = Y3*Z3
+T1 = d*T1
+Z3 = Z3^2
+T0 = Z3-T1
+Z3 = Z3+T1
+X3 = X3*T0
+Y3 = Y3*Z3
+Z3 = Z3*T0
+Z3 = c*Z3
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl
new file mode 100644
index 0000000..ed45cd4
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl
@@ -0,0 +1,10 @@
+source 2007 Bernstein--Lange
+compute B = (X1+Y1)^2
+compute C = X1^2
+compute D = Y1^2
+compute E = C+D
+compute H = (c Z1)^2
+compute J = E-2 H
+compute X3 = c (B-E)J
+compute Y3 = c E(C-D)
+compute Z3 = E J
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-2 b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-2
new file mode 100644
index 0000000..d08fbb6
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-2
@@ -0,0 +1,23 @@
+source 2007 Bernstein--Lange; source comments that these formulas use two temporary registers
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = R1+R2
+compute R3 = c R3
+compute R1 = R1^2
+compute R2 = R2^2
+compute R3 = R3^2
+compute R4 = R4^2
+compute R3 = 2 R3
+compute R5 = R1+R2
+compute R2 = R1-R2
+compute R4 = R4-R5
+compute R3 = R5-R3
+compute R1 = R3 R4
+compute R3 = R3 R5
+compute R2 = R2 R5
+compute R1 = c R1
+compute R2 = c R2
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-2.op3 b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-2.op3
new file mode 100644
index 0000000..524de13
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-2.op3
@@ -0,0 +1,22 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = R1+R2
+R3 = c*R3
+R1 = R1^2
+R2 = R2^2
+R3 = R3^2
+R4 = R4^2
+R3 = 2*R3
+R5 = R1+R2
+R2 = R1-R2
+R4 = R4-R5
+R3 = R5-R3
+R1 = R3*R4
+R3 = R3*R5
+R2 = R2*R5
+R1 = c*R1
+R2 = c*R2
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-3 b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-3
new file mode 100644
index 0000000..ee6ce09
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-3
@@ -0,0 +1,24 @@
+source 2007 Bernstein--Lange; source comments that these formulas use one temporary register
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R3 = c R3
+compute R4 = R1^2
+compute R1 = R1+R2
+compute R1 = R1^2
+compute R2 = R2^2
+compute R3 = R3^2
+compute R3 = 2 R3
+compute R4 = R2+R4
+compute R2 = 2 R2
+compute R2 = R4-R2
+compute R1 = R1-R4
+compute R2 = R2 R4
+compute R3 = R4-R3
+compute R1 = R1 R3
+compute R3 = R3 R4
+compute R1 = c R1
+compute R2 = c R2
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-3.op3 b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-3.op3
new file mode 100644
index 0000000..ecb2ccf
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl-3.op3
@@ -0,0 +1,23 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R3 = c*R3
+R4 = R1^2
+R1 = R1+R2
+R1 = R1^2
+R2 = R2^2
+R3 = R3^2
+R3 = 2*R3
+R4 = R2+R4
+R2 = 2*R2
+R2 = R4-R2
+R1 = R1-R4
+R2 = R2*R4
+R3 = R4-R3
+R1 = R1*R3
+R3 = R3*R4
+R1 = c*R1
+R2 = c*R2
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..547f8ef
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/dbl-2007-bl.op3
@@ -0,0 +1,16 @@
+t0 = X1+Y1
+B = t0^2
+C = X1^2
+D = Y1^2
+E = C+D
+t1 = c*Z1
+H = t1^2
+t2 = 2*H
+J = E-t2
+t3 = B-E
+t4 = t3*J
+X3 = c*t4
+t5 = C-D
+t6 = E*t5
+Y3 = c*t6
+Z3 = E*J
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/mdbl-2007-bl b/pyecsca/ec/efd/edwards/projective/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..538099a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/mdbl-2007-bl
@@ -0,0 +1,12 @@
+source 2007 Bernstein--Lange
+parameter cc2
+assume cc2 = 2*c*c
+assume Z1 = 1
+compute B = (X1+Y1)^2
+compute C = X1^2
+compute D = Y1^2
+compute E = C+D
+compute J = E-cc2
+compute X3 = c(B-E)J
+compute Y3 = c E(C-D)
+compute Z3 = E J
diff --git a/pyecsca/ec/efd/edwards/projective/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/edwards/projective/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..7ad6acf
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,13 @@
+t0 = X1+Y1
+B = t0^2
+C = X1^2
+D = Y1^2
+E = C+D
+J = E-cc2
+t1 = B-E
+t2 = t1*J
+X3 = c*t2
+t3 = C-D
+t4 = E*t3
+Y3 = c*t4
+Z3 = E*J
diff --git a/pyecsca/ec/efd/edwards/projective/scaling/z b/pyecsca/ec/efd/edwards/projective/scaling/z
new file mode 100644
index 0000000..4c37771
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/scaling/z
@@ -0,0 +1,4 @@
+compute A = 1/Z1
+compute X3 = X1 A
+compute Y3 = Y1 A
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/projective/scaling/z.op3 b/pyecsca/ec/efd/edwards/projective/scaling/z.op3
new file mode 100644
index 0000000..8b51efc
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/scaling/z.op3
@@ -0,0 +1,4 @@
+A = 1/Z1
+X3 = X1*A
+Y3 = Y1*A
+Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp
new file mode 100644
index 0000000..80f9a6e
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp
@@ -0,0 +1,16 @@
+source 2007 Bernstein--Birkner--Lange--Peters
+parameter c2
+assume c2 = 2*c
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = (c2 Z1)^2
+compute D = XX+YY
+compute DD = D^2
+compute H = 2 D (XX-YY)
+compute P = DD-YY ZZ
+compute Q = DD-XX ZZ
+compute T = H+Q
+compute U = H-P
+compute X3 = P U X1
+compute Y3 = Q T Y1
+compute Z3 = T U Z1
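Review bot: The scaling formulas `A = 1/Z1` (scaling/z and z.op3) are the first operations in this batch that invert a coordinate, and they do so unconditionally, so a point with Z1 = 0 has no defined result here. Whatever executes these .op3 listings has to decide what a field inversion of zero does (raise, or return a sentinel), because for a side-channel tool the observable behaviour on such inputs is itself part of what is being modelled, and an unguarded `1/Z1` will otherwise surface as a generic division error deep inside a trace simulation. The formula files should probably not change, being vendored EFD data, but the executor's inversion path deserves an explicit zero check and a test with Z1 = 0; that code is not in this diff, so this is a note to confirm rather than a defect in the data.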
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-2 b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-2
new file mode 100644
index 0000000..f87553b
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-2
@@ -0,0 +1,17 @@
+source 2007 Bernstein--Birkner--Lange--Peters
+assume c = 1
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute ZZ4 = 4 ZZ
+compute D = XX+YY
+compute DD = D^2
+compute H = 2 D(XX-YY)
+compute P = DD-YY ZZ4
+compute Q = DD-XX ZZ4
+compute T = H+Q
+compute TT = T^2
+compute U = H-P
+compute X3 = 2 P U X1
+compute Y3 = Q((T+Y1)^2-TT-YY)
+compute Z3 = U((T+Z1)^2-TT-ZZ)
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-2.op3 b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-2.op3
new file mode 100644
index 0000000..db7d8b5
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-2.op3
@@ -0,0 +1,29 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+ZZ4 = 4*ZZ
+D = XX+YY
+DD = D^2
+t0 = XX-YY
+t1 = D*t0
+H = 2*t1
+t2 = YY*ZZ4
+P = DD-t2
+t3 = XX*ZZ4
+Q = DD-t3
+T = H+Q
+TT = T^2
+U = H-P
+t4 = U*X1
+t5 = P*t4
+X3 = 2*t5
+t6 = T+Y1
+t7 = t6^2
+t8 = t7-TT
+t9 = t8-YY
+Y3 = Q*t9
+t10 = T+Z1
+t11 = t10^2
+t12 = t11-TT
+t13 = t12-ZZ
+Z3 = U*t13
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-3 b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-3
new file mode 100644
index 0000000..4999e6f
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-3
@@ -0,0 +1,18 @@
+source 2007 Bernstein--Birkner--Lange--Peters
+parameter cc4
+assume cc4 = 4*c*c
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute ZZ4 = cc4 ZZ
+compute D = XX+YY
+compute DD = D^2
+compute H = 2 D(XX-YY)
+compute P = DD-YY ZZ4
+compute Q = DD-XX ZZ4
+compute T = H+Q
+compute TT = T^2
+compute U = H-P
+compute X3 = 2 P U X1
+compute Y3 = Q((T+Y1)^2-TT-YY)
+compute Z3 = U((T+Z1)^2-TT-ZZ)
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-3.op3 b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-3.op3
new file mode 100644
index 0000000..509ec50
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp-3.op3
@@ -0,0 +1,29 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+ZZ4 = cc4*ZZ
+D = XX+YY
+DD = D^2
+t0 = XX-YY
+t1 = D*t0
+H = 2*t1
+t2 = YY*ZZ4
+P = DD-t2
+t3 = XX*ZZ4
+Q = DD-t3
+T = H+Q
+TT = T^2
+U = H-P
+t4 = U*X1
+t5 = P*t4
+X3 = 2*t5
+t6 = T+Y1
+t7 = t6^2
+t8 = t7-TT
+t9 = t8-YY
+Y3 = Q*t9
+t10 = T+Z1
+t11 = t10^2
+t12 = t11-TT
+t13 = t12-ZZ
+Z3 = U*t13
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp.op3 b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp.op3
new file mode 100644
index 0000000..ff7b58f
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-bblp.op3
@@ -0,0 +1,21 @@
+XX = X1^2
+YY = Y1^2
+t0 = c2*Z1
+ZZ = t0^2
+D = XX+YY
+DD = D^2
+t1 = XX-YY
+t2 = D*t1
+H = 2*t2
+t3 = YY*ZZ
+P = DD-t3
+t4 = XX*ZZ
+Q = DD-t4
+T = H+Q
+U = H-P
+t5 = U*X1
+X3 = P*t5
+t6 = T*Y1
+Y3 = Q*t6
+t7 = U*Z1
+Z3 = T*t7
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-hcd b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-hcd
new file mode 100644
index 0000000..2b7153a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-hcd
@@ -0,0 +1,11 @@
+source 2007 Hisil--Carter--Dawson
+compute A = X1^2
+compute B = Y1^2
+compute C = (2 c Z1)^2
+compute D = (A+B)^2
+compute E = 2(A+B)(A-B)
+compute F = A C
+compute G = B C
+compute X3 = X1(E-(D-G))(D-G)
+compute Y3 = Y1(E+(D-F))(D-F)
+compute Z3 = Z1(E-(D-G))(E+(D-F))
diff --git a/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-hcd.op3 b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-hcd.op3
new file mode 100644
index 0000000..3873e6b
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/tripling/tpl-2007-hcd.op3
@@ -0,0 +1,29 @@
+A = X1^2
+B = Y1^2
+t0 = c*Z1
+t1 = 2*t0
+C = t1^2
+t2 = A+B
+D = t2^2
+t3 = A+B
+t4 = A-B
+t5 = t3*t4
+E = 2*t5
+F = A*C
+G = B*C
+t6 = D-G
+t7 = E-t6
+t8 = D-G
+t9 = t7*t8
+X3 = X1*t9
+t10 = D-F
+t11 = E+t10
+t12 = D-F
+t13 = t11*t12
+Y3 = Y1*t13
+t14 = D-G
+t15 = D-F
+t16 = E-t14
+t17 = E+t15
+t18 = t16*t17
+Z3 = Z1*t18
diff --git a/pyecsca/ec/efd/edwards/projective/variables b/pyecsca/ec/efd/edwards/projective/variables
new file mode 100644
index 0000000..9c6045b
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/projective/variables
@@ -0,0 +1,6 @@
+name projective coordinates
+variable X
+variable Y
+variable Z
+satisfying x = X/Z
+satisfying y = Y/Z
diff --git a/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g
new file mode 100644
index 0000000..0b5f17a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g
@@ -0,0 +1,7 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on page 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by r Z2^2/Y2^2 and r Z3^2/Y3^2 and r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z5/Y5
+parameter s
+assume s = (1+r)/(1-r)
+compute V = s(r Z2^2-Y2^2)(r Z3^2-Y3^2)
+compute W = (r Z2^2+Y2^2)(r Z3^2+Y3^2)
+compute Y5 = r Z1(W-V)
+compute Z5 = Y1(W+V)
diff --git a/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g-2 b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g-2
new file mode 100644
index 0000000..b611b34
--- /dev/null
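Review bot: tpl-2007-hcd.op3 re-evaluates the same subexpressions instead of reusing the register that already holds them: `A+B` is computed as both `t2` and `t3`, `D-G` as `t6`, `t8` and `t14`, `D-F` as `t10`, `t12` and `t15`, and through those `E-(D-G)` appears as `t7` and `t16` and `E+(D-F)` as `t11` and `t17`. The .op3 operation sequence is what any operation-count or simulated-leakage model built on these files will observe, so this formula will report more additions and subtractions than the source formula implies, and the same recomputation of the input squarings shows up in dadd-2006-g.op3, dbl-2006-g.op3 and ladd-2006-g.op3 further down this batch. If the intent is to keep the files byte-identical to the upstream database, a load-time common-subexpression pass, or at least a note in the loader that op3 counts are not minimal, would avoid the discrepancy being read as a property of the formula.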
+++ b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g-2
@@ -0,0 +1,11 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on page 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by r Z2^2/Y2^2 and r Z3^2/Y3^2 and r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z5/Y5; plus common-subexpression elimination
+parameter s
+assume s = (1+r)/(1-r)
+compute YY2 = Y2^2
+compute ZZ2 = r Z2^2
+compute YY3 = Y3^2
+compute ZZ3 = r Z3^2
+compute V = s(ZZ2-YY2)(ZZ3-YY3)
+compute W = (ZZ2+YY2)(ZZ3+YY3)
+compute Y5 = (r Z1)(W-V)
+compute Z5 = Y1(W+V)
diff --git a/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g-2.op3
new file mode 100644
index 0000000..3433bd8
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g-2.op3
@@ -0,0 +1,18 @@
+YY2 = Y2^2
+t0 = Z2^2
+ZZ2 = r*t0
+YY3 = Y3^2
+t1 = Z3^2
+ZZ3 = r*t1
+t2 = ZZ2-YY2
+t3 = ZZ3-YY3
+t4 = t2*t3
+V = s*t4
+t5 = ZZ2+YY2
+t6 = ZZ3+YY3
+W = t5*t6
+t7 = r*Z1
+t8 = W-V
+Y5 = t7*t8
+t9 = W+V
+Z5 = Y1*t9
diff --git a/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g.op3 b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g.op3
new file mode 100644
index 0000000..b7a2ed7
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/diffadd/dadd-2006-g.op3
@@ -0,0 +1,24 @@
+t0 = Z2^2
+t1 = Y2^2
+t2 = Z3^2
+t3 = Y3^2
+t4 = r*t2
+t5 = r*t0
+t6 = t5-t1
+t7 = t4-t3
+t8 = t6*t7
+V = s*t8
+t9 = Z2^2
+t10 = Y2^2
+t11 = Z3^2
+t12 = Y3^2
+t13 = r*t11
+t14 = r*t9
+t15 = t14+t10
+t16 = t13+t12
+W = t15*t16
+t17 = W-V
+t18 = Z1*t17
+Y5 = r*t18
+t19 = W+V
+Z5 = Y1*t19
diff --git a/pyecsca/ec/efd/edwards/yz/diffadd/mdadd-2006-g-2 b/pyecsca/ec/efd/edwards/yz/diffadd/mdadd-2006-g-2
new file mode 100644
index 0000000..53d3fd7
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/diffadd/mdadd-2006-g-2
@@ -0,0 +1,12 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on page 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by r Z2^2/Y2^2 and r Z3^2/Y3^2 and r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z5/Y5; plus common-subexpression elimination; plus assumption Z1=1
+parameter s
+assume s = (1+r)/(1-r)
+assume Z1 = 1
+compute YY2 = Y2^2
+compute ZZ2 = r Z2^2
+compute YY3 = Y3^2
+compute ZZ3 = r Z3^2
+compute V = s(ZZ2-YY2)(ZZ3-YY3)
+compute W = (ZZ2+YY2)(ZZ3+YY3)
+compute Y5 = r(W-V)
+compute Z5 = Y1(W+V)
diff --git a/pyecsca/ec/efd/edwards/yz/diffadd/mdadd-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yz/diffadd/mdadd-2006-g-2.op3
new file mode 100644
index 0000000..1a10347
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/diffadd/mdadd-2006-g-2.op3
@@ -0,0 +1,17 @@
+YY2 = Y2^2
+t0 = Z2^2
+ZZ2 = r*t0
+YY3 = Y3^2
+t1 = Z3^2
+ZZ3 = r*t1
+t2 = ZZ2-YY2
+t3 = ZZ3-YY3
+t4 = t2*t3
+V = s*t4
+t5 = ZZ2+YY2
+t6 = ZZ3+YY3
+W = t5*t6
+t7 = W-V
+Y5 = r*t7
+t8 = W+V
+Z5 = Y1*t8
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g
new file mode 100644
index 0000000..3cc3673
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g
@@ -0,0 +1,7 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 22/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on page 22/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 replaced by r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z3/Y3
+parameter s
+assume s = (1+r)/(1-r)
+compute V = s(r Z1^2-Y1^2)^2
+compute W = (r Z1^2+Y1^2)^2
+compute Y3 = W-V
+compute Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g-2 b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g-2
new file mode 100644
index 0000000..2f90481
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g-2
@@ -0,0 +1,9 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 22/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on page 22/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 replaced by r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z3/Y3; plus common-subexpression elimination
+parameter s
+assume s = (1+r)/(1-r)
+compute YY = Y1^2
+compute ZZ = r Z1^2
+compute V = s(ZZ-YY)^2
+compute W = (ZZ+YY)^2
+compute Y3 = W-V
+compute Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g-2.op3
new file mode 100644
index 0000000..4954f59
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g-2.op3
@@ -0,0 +1,10 @@
+YY = Y1^2
+t0 = Z1^2
+ZZ = r*t0
+t1 = ZZ-YY
+t2 = t1^2
+V = s*t2
+t3 = ZZ+YY
+W = t3^2
+Y3 = W-V
+Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g.op3 b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g.op3
new file mode 100644
index 0000000..be78d4c
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/dbl-2006-g.op3
@@ -0,0 +1,13 @@
+t0 = Z1^2
+t1 = Y1^2
+t2 = r*t0
+t3 = t2-t1
+t4 = t3^2
+V = s*t4
+t5 = Z1^2
+t6 = Y1^2
+t7 = r*t5
+t8 = t7+t6
+W = t8^2
+Y3 = W-V
+Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-2 b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-2
new file mode 100644
index 0000000..3a58e29
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-2
@@ -0,0 +1,13 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 22/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on page 22/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 replaced by r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z3/Y3; plus common-subexpression elimination; plus assumption Z1=1; plus standard simplification
+parameter s
+assume s = (1+r)/(1-r)
+parameter r2
+assume r2 = 2*r
+assume Z1 = 1
+compute YY = Y1^2
+compute A = r2 YY
+compute B = d + YY^2
+compute V = s(B-A)
+compute W = B+A
+compute Y3 = W-V
+compute Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-2.op3
new file mode 100644
index 0000000..29a9d69
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-2.op3
@@ -0,0 +1,9 @@
+YY = Y1^2
+A = r2*YY
+t0 = YY^2
+B = d+t0
+t1 = B-A
+V = s*t1
+W = B+A
+Y3 = W-V
+Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-3 b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-3
new file mode 100644
index 0000000..b7f7615
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-3
@@ -0,0 +1,10 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 22/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on page 22/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 replaced by r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z3/Y3; plus common-subexpression elimination; plus assumption Z1=1; plus standard simplification
+parameter s
+assume s = (1+r)/(1-r)
+assume Z1 = 1
+compute YY = Y1^2
+compute B = d + YY^2
+compute W = (r+YY)^2
+compute V = s(2 B-W)
+compute Y3 = W-V
+compute Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-3.op3 b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-3.op3
new file mode 100644
index 0000000..e82b83e
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/doubling/mdbl-2006-g-3.op3
@@ -0,0 +1,10 @@
+YY = Y1^2
+t0 = YY^2
+B = d+t0
+t1 = r+YY
+W = t1^2
+t2 = 2*B
+t3 = t2-W
+V = s*t3
+Y3 = W-V
+Z3 = W+V
diff --git a/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g
new file mode 100644
index 0000000..229acb7
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g
@@ -0,0 +1,11 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by r Z2^2/Y2^2 and r Z3^2/Y3^2 and r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z5/Y5
+parameter s
+assume s = (1+r)/(1-r)
+compute V2 = s(r Z2^2-Y2^2)^2
+compute W2 = (r Z2^2+Y2^2)^2
+compute Y4 = W2-V2
+compute Z4 = W2+V2
+compute V = s(r Z2^2-Y2^2)(r Z3^2-Y3^2)
+compute W = (r Z2^2+Y2^2)(r Z3^2+Y3^2)
+compute Y5 = r Z1(W-V)
+compute Z5 = Y1(W+V)
diff --git a/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g-2 b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g-2
new file mode 100644
index 0000000..014f607
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g-2
@@ -0,0 +1,17 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by r Z2^2/Y2^2 and r Z3^2/Y3^2 and r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z5/Y5; plus common-subexpression elimination
+parameter s
+assume s = (1+r)/(1-r)
+compute YY2 = Y2^2
+compute ZZ2 = r Z2^2
+compute A = ZZ2-YY2
+compute B = ZZ2+YY2
+compute YY3 = Y3^2
+compute ZZ3 = r Z3^2
+compute V2 = s A^2
+compute W2 = B^2
+compute Y4 = W2-V2
+compute Z4 = W2+V2
+compute V = s A(ZZ3-YY3)
+compute W = B(ZZ3+YY3)
+compute Y5 = (r Z1)(W-V)
+compute Z5 = Y1(W+V)
diff --git a/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g-2.op3
new file mode 100644
index 0000000..517f8b3
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g-2.op3
@@ -0,0 +1,23 @@
+YY2 = Y2^2
+t0 = Z2^2
+ZZ2 = r*t0
+A = ZZ2-YY2
+B = ZZ2+YY2
+YY3 = Y3^2
+t1 = Z3^2
+ZZ3 = r*t1
+t2 = A^2
+V2 = s*t2
+W2 = B^2
+Y4 = W2-V2
+Z4 = W2+V2
+t3 = ZZ3-YY3
+t4 = A*t3
+V = s*t4
+t5 = ZZ3+YY3
+W = B*t5
+t6 = r*Z1
+t7 = W-V
+Y5 = t6*t7
+t8 = W+V
+Z5 = Y1*t8
diff --git a/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g.op3 b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g.op3
new file mode 100644
index 0000000..f576bc2
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/ladder/ladd-2006-g.op3
@@ -0,0 +1,37 @@
+t0 = Z2^2
+t1 = Y2^2
+t2 = r*t0
+t3 = t2-t1
+t4 = t3^2
+V2 = s*t4
+t5 = Z2^2
+t6 = Y2^2
+t7 = r*t5
+t8 = t7+t6
+W2 = t8^2
+Y4 = W2-V2
+Z4 = W2+V2
+t9 = Z2^2
+t10 = Y2^2
+t11 = Z3^2
+t12 = Y3^2
+t13 = r*t11
+t14 = r*t9
+t15 = t14-t10
+t16 = t13-t12
+t17 = t15*t16
+V = s*t17
+t18 = Z2^2
+t19 = Y2^2
+t20 = Z3^2
+t21 = Y3^2
+t22 = r*t20
+t23 = r*t18
+t24 = t23+t19
+t25 = t22+t21
+W = t24*t25
+t26 = W-V
+t27 = Z1*t26
+Y5 = r*t27
+t28 = W+V
+Z5 = Y1*t28
diff --git a/pyecsca/ec/efd/edwards/yz/ladder/mladd-2006-g-2 b/pyecsca/ec/efd/edwards/yz/ladder/mladd-2006-g-2
new file mode 100644
index 0000000..bfc7677
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/ladder/mladd-2006-g-2
@@ -0,0 +1,18 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by r Z2^2/Y2^2 and r Z3^2/Y3^2 and r Z1^2/Y1^2, intermediate x'/y' replaced by W/V, output X/Y replaced by sqrt(r) Z5/Y5; plus common-subexpression elimination; plus assumption Z1=1
+parameter s
+assume s = (1+r)/(1-r)
+assume Z1 = 1
+compute YY2 = Y2^2
+compute ZZ2 = r Z2^2
+compute A = ZZ2-YY2
+compute B = ZZ2+YY2
+compute YY3 = Y3^2
+compute ZZ3 = r Z3^2
+compute V2 = s A^2
+compute W2 = B^2
+compute Y4 = W2-V2
+compute Z4 = W2+V2
+compute V = s A(ZZ3-YY3)
+compute W = B(ZZ3+YY3)
+compute Y5 = r(W-V)
+compute Z5 = Y1(W+V)
diff --git a/pyecsca/ec/efd/edwards/yz/ladder/mladd-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yz/ladder/mladd-2006-g-2.op3
new file mode 100644
index 0000000..1299de3
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/ladder/mladd-2006-g-2.op3
@@ -0,0 +1,22 @@
+YY2 = Y2^2
+t0 = Z2^2
+ZZ2 = r*t0
+A = ZZ2-YY2
+B = ZZ2+YY2
+YY3 = Y3^2
+t1 = Z3^2
+ZZ3 = r*t1
+t2 = A^2
+V2 = s*t2
+W2 = B^2
+Y4 = W2-V2
+Z4 = W2+V2
+t3 = ZZ3-YY3
+t4 = A*t3
+V = s*t4
+t5 = ZZ3+YY3
+W = B*t5
+t6 = W-V
+Y5 = r*t6
+t7 = W+V
+Z5 = Y1*t7
diff --git a/pyecsca/ec/efd/edwards/yz/scaling/scale b/pyecsca/ec/efd/edwards/yz/scaling/scale
new file mode 100644
index 0000000..8c5563b
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/scaling/scale
@@ -0,0 +1,2 @@
+compute Y3 = Y1 / Z1
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/yz/scaling/scale.op3 b/pyecsca/ec/efd/edwards/yz/scaling/scale.op3
new file mode 100644
index 0000000..b35c4ba
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/scaling/scale.op3
@@ -0,0 +1,3 @@
+t0 = 1/Z1
+Y3 = Y1*t0
+Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/yz/variables b/pyecsca/ec/efd/edwards/yz/variables
new file mode 100644
index 0000000..8481675
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yz/variables
@@ -0,0 +1,7 @@
+name YZ coordinates with square d
+parameter r
+assume c = 1
+assume d = r^2
+variable Y
+variable Z
+satisfying r*y = Y/Z
diff --git a/pyecsca/ec/efd/edwards/yzsquared/diffadd/dadd-2006-g b/pyecsca/ec/efd/edwards/yzsquared/diffadd/dadd-2006-g
new file mode 100644
index 0000000..1353955
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/diffadd/dadd-2006-g
@@ -0,0 +1,7 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on page 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by Z2/Y2 and Z3/Y3 and Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z5/Y5
+parameter s
+assume s = (1+r)/(1-r)
+compute V = s(Z2-Y2)(Z3-Y3)
+compute W = (Z2+Y2)(Z3+Y3)
+compute Y5 = Z1(W-V)^2
+compute Z5 = Y1(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/diffadd/dadd-2006-g.op3 b/pyecsca/ec/efd/edwards/yzsquared/diffadd/dadd-2006-g.op3
new file mode 100644
index 0000000..9194932
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/diffadd/dadd-2006-g.op3
@@ -0,0 +1,13 @@
+t0 = Z2-Y2
+t1 = Z3-Y3
+t2 = t0*t1
+V = s*t2
+t3 = Z2+Y2
+t4 = Z3+Y3
+W = t3*t4
+t5 = W-V
+t6 = t5^2
+Y5 = Z1*t6
+t7 = W+V
+t8 = t7^2
+Z5 = Y1*t8
diff --git a/pyecsca/ec/efd/edwards/yzsquared/diffadd/mdadd-2006-g b/pyecsca/ec/efd/edwards/yzsquared/diffadd/mdadd-2006-g
new file mode 100644
index 0000000..f6fc535
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/diffadd/mdadd-2006-g
@@ -0,0 +1,8 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on page 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by Z2/Y2 and Z3/Y3 and Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z5/Y5; plus assumption Z1=1
+assume Z1 = 1
+parameter s
+assume s = (1+r)/(1-r)
+compute V = s(Z2-Y2)(Z3-Y3)
+compute W = (Z2+Y2)(Z3+Y3)
+compute Y5 = (W-V)^2
+compute Z5 = Y1(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/diffadd/mdadd-2006-g.op3 b/pyecsca/ec/efd/edwards/yzsquared/diffadd/mdadd-2006-g.op3
new file mode 100644
index 0000000..530c50f
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/diffadd/mdadd-2006-g.op3
@@ -0,0 +1,12 @@
+t0 = Z2-Y2
+t1 = Z3-Y3
+t2 = t0*t1
+V = s*t2
+t3 = Z2+Y2
+t4 = Z3+Y3
+W = t3*t4
+t5 = W-V
+Y5 = t5^2
+t6 = W+V
+t7 = t6^2
+Z5 = Y1*t7
diff --git a/pyecsca/ec/efd/edwards/yzsquared/doubling/dbl-2006-g b/pyecsca/ec/efd/edwards/yzsquared/doubling/dbl-2006-g
new file mode 100644
index 0000000..6bf616e
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/doubling/dbl-2006-g
@@ -0,0 +1,7 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 22/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on page 22/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 replaced by Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z3/Y3
+parameter s
+assume s = (1+r)/(1-r)
+compute V = s(Z1-Y1)^2
+compute W = (Z1+Y1)^2
+compute Y3 = (W-V)^2
+compute Z3 = r(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/doubling/dbl-2006-g.op3 b/pyecsca/ec/efd/edwards/yzsquared/doubling/dbl-2006-g.op3
new file mode 100644
index 0000000..7360c87
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/doubling/dbl-2006-g.op3
@@ -0,0 +1,10 @@
+t0 = Z1-Y1
+t1 = t0^2
+V = s*t1
+t2 = Z1+Y1
+W = t2^2
+t3 = W-V
+Y3 = t3^2
+t4 = W+V
+t5 = t4^2
+Z3 = r*t5
diff --git a/pyecsca/ec/efd/edwards/yzsquared/doubling/mdbl-2006-g b/pyecsca/ec/efd/edwards/yzsquared/doubling/mdbl-2006-g
new file mode 100644
index 0000000..60af410
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/doubling/mdbl-2006-g
@@ -0,0 +1,8 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", page 22/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 and b/a on page 22/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 replaced by Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z3/Y3; plus assumption Z1=1; plus standard simplification
+assume Z1 = 1
+parameter s
+assume s = (1+r)/(1-r)
+compute W = (1+Y1)^2
+compute V = s(W-4 Y1)
+compute Y3 = (W-V)^2
+compute Z3 = r(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/doubling/mdbl-2006-g.op3 b/pyecsca/ec/efd/edwards/yzsquared/doubling/mdbl-2006-g.op3
new file mode 100644
index 0000000..512e52d
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/doubling/mdbl-2006-g.op3
@@ -0,0 +1,10 @@
+t0 = 1+Y1
+W = t0^2
+t1 = 4*Y1
+t2 = W-t1
+V = s*t2
+t3 = W-V
+Y3 = t3^2
+t4 = W+V
+t5 = t4^2
+Z3 = r*t5
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g
new file mode 100644
index 0000000..dc25d53
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g
@@ -0,0 +1,11 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by Z2/Y2 and Z3/Y3 and Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z5/Y5
+parameter s
+assume s = (1+r)/(1-r)
+compute V2 = s(Z2-Y2)^2
+compute W2 = (Z2+Y2)^2
+compute Y4 = (W2-V2)^2
+compute Z4 = r(W2+V2)^2
+compute V = s(Z2-Y2)(Z3-Y3)
+compute W = (Z2+Y2)(Z3+Y3)
+compute Y5 = Z1(W-V)^2
+compute Z5 = Y1(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g-2 b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g-2
new file mode 100644
index 0000000..0266100
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g-2
@@ -0,0 +1,13 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by Z2/Y2 and Z3/Y3 and Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z5/Y5; plus common-subexpression elimination
+parameter s
+assume s = (1+r)/(1-r)
+compute A = Z2-Y2
+compute B = Z2+Y2
+compute V2 = s A^2
+compute W2 = B^2
+compute Y4 = (W2-V2)^2
+compute Z4 = r(W2+V2)^2
+compute V = s A(Z3-Y3)
+compute W = B(Z3+Y3)
+compute Y5 = Z1(W-V)^2
+compute Z5 = Y1(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g-2.op3
new file mode 100644
index 0000000..0a98e01
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g-2.op3
@@ -0,0 +1,21 @@
+A = Z2-Y2
+B = Z2+Y2
+t0 = A^2
+V2 = s*t0
+W2 = B^2
+t1 = W2-V2
+Y4 = t1^2
+t2 = W2+V2
+t3 = t2^2
+Z4 = r*t3
+t4 = Z3-Y3
+t5 = A*t4
+V = s*t5
+t6 = Z3+Y3
+W = B*t6
+t7 = W-V
+t8 = t7^2
+Y5 = Z1*t8
+t9 = W+V
+t10 = t9^2
+Z5 = Y1*t10
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g.op3 b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g.op3
new file mode 100644
index 0000000..1247fba
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/ladd-2006-g.op3
@@ -0,0 +1,23 @@
+t0 = Z2-Y2
+t1 = t0^2
+V2 = s*t1
+t2 = Z2+Y2
+W2 = t2^2
+t3 = W2-V2
+Y4 = t3^2
+t4 = W2+V2
+t5 = t4^2
+Z4 = r*t5
+t6 = Z2-Y2
+t7 = Z3-Y3
+t8 = t6*t7
+V = s*t8
+t9 = Z2+Y2
+t10 = Z3+Y3
+W = t9*t10
+t11 = W-V
+t12 = t11^2
+Y5 = Z1*t12
+t13 = W+V
+t14 = t13^2
+Z5 = Y1*t14
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g
new file mode 100644
index 0000000..3f4f4b0
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g
@@ -0,0 +1,12 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by Z2/Y2 and Z3/Y3 and Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z5/Y5; plus assumption Z1=1
+assume Z1 = 1
+parameter s
+assume s = (1+r)/(1-r)
+compute V2 = s(Z2-Y2)^2
+compute W2 = (Z2+Y2)^2
+compute Y4 = (W2-V2)^2
+compute Z4 = r(W2+V2)^2
+compute V = s(Z2-Y2)(Z3-Y3)
+compute W = (Z2+Y2)(Z3+Y3)
+compute Y5 = (W-V)^2
+compute Z5 = Y1(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g-2 b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g-2
new file mode 100644
index 0000000..50930f8
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g-2
@@ -0,0 +1,14 @@
+source 2006 Gaudry "Variants of the Montgomery form based on Theta functions", pages 22/52 and 23/52, with A^2/B^2 = (a^2+b^2)/(a^2-b^2) as on page 20/52, replacing incorrect B^2/A^2 on pages 22/52 and 23/52 with correct A^2/B^2 and a/b; or 2009 Gaudry--Lubicz "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines", Section 6.2, replacing incorrect A'/B' = (a^2+b^2)/(a^2-b^2) with correct A'^2/B'^2 = (a^2+b^2)/(a^2-b^2), replacing A'^2/B'^2 with A^2/B^2, and replacing z... with y...; plus notation changes: a/b and A^2/B^2 defined as 1/sqrt(r) and (1+r)/(1-r), input x^2/y^2 etc. replaced by Z2/Y2 and Z3/Y3 and Z1/Y1, intermediate x'/y' replaced by W/V, output X^2/Y^2 replaced by Z5/Y5; plus common-subexpression elimination; plus assumption Z1=1
+assume Z1 = 1
+parameter s
+assume s = (1+r)/(1-r)
+compute A = Z2-Y2
+compute B = Z2+Y2
+compute V2 = s A^2
+compute W2 = B^2
+compute Y4 = (W2-V2)^2
+compute Z4 = r(W2+V2)^2
+compute V = s A(Z3-Y3)
+compute W = B(Z3+Y3)
+compute Y5 = (W-V)^2
+compute Z5 = Y1(W+V)^2
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g-2.op3 b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g-2.op3
new file mode 100644
index 0000000..b1acdc4
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g-2.op3
@@ -0,0 +1,20 @@
+A = Z2-Y2
+B = Z2+Y2
+t0 = A^2
+V2 = s*t0
+W2 = B^2
+t1 = W2-V2
+Y4 = t1^2
+t2 = W2+V2
+t3 = t2^2
+Z4 = r*t3
+t4 = Z3-Y3
+t5 = A*t4
+V = s*t5
+t6 = Z3+Y3
+W = B*t6
+t7 = W-V
+Y5 = t7^2
+t8 = W+V
+t9 = t8^2
+Z5 = Y1*t9
diff --git a/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g.op3 b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g.op3
new file mode 100644
index 0000000..1d8670a
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/ladder/mladd-2006-g.op3
@@ -0,0 +1,22 @@
+t0 = Z2-Y2
+t1 = t0^2
+V2 = s*t1
+t2 = Z2+Y2
+W2 = t2^2
+t3 = W2-V2
+Y4 = t3^2
+t4 = W2+V2
+t5 = t4^2
+Z4 = r*t5
+t6 = Z2-Y2
+t7 = Z3-Y3
+t8 = t6*t7
+V = s*t8
+t9 = Z2+Y2
+t10 = Z3+Y3
+W = t9*t10
+t11 = W-V
+Y5 = t11^2
+t12 = W+V
+t13 = t12^2
+Z5 = Y1*t13
diff --git a/pyecsca/ec/efd/edwards/yzsquared/scaling/scale b/pyecsca/ec/efd/edwards/yzsquared/scaling/scale
new file mode 100644
index 0000000..8c5563b
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/scaling/scale
@@ -0,0 +1,2 @@
+compute Y3 = Y1 / Z1
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/yzsquared/scaling/scale.op3 b/pyecsca/ec/efd/edwards/yzsquared/scaling/scale.op3
new file mode 100644
index 0000000..b35c4ba
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/scaling/scale.op3
@@ -0,0 +1,3 @@
+t0 = 1/Z1
+Y3 = Y1*t0
+Z3 = 1
diff --git a/pyecsca/ec/efd/edwards/yzsquared/variables b/pyecsca/ec/efd/edwards/yzsquared/variables
new file mode 100644
index 0000000..439f49f
--- /dev/null
+++ b/pyecsca/ec/efd/edwards/yzsquared/variables
@@ -0,0 +1,7 @@
+name squared YZ coordinates with square d
+parameter r
+assume c = 1
+assume d = r^2
+variable Y
+variable Z
+satisfying r*y^2 = Y/Z
diff --git a/pyecsca/ec/efd/montgom/coordinates b/pyecsca/ec/efd/montgom/coordinates
new file mode 100644
index 0000000..0821ec6
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/coordinates
@@ -0,0 +1,22 @@
+name Montgomery curves
+parameter a
+parameter b
+coordinate x
+coordinate y
+satisfying b*y^2 == x^3 + a*x^2 + x
+addition x = b*(y2-y1)^2/(x2-x1)^2-a-x1-x2
+addition y = (2*x1+x2+a)*(y2-y1)/(x2-x1)-b*(y2-y1)^3/(x2-x1)^3-y1
+doubling x = b*(3*x1^2+2*a*x1+1)^2/(2*b*y1)^2-a-x1-x1
+doubling y = (2*x1+x1+a)*(3*x1^2+2*a*x1+1)/(2*b*y1)-b*(3*x1^2+2*a*x1+1)^3/(2*b*y1)^3-y1
+negation x = x1
+negation y = -y1
+toweierstrass weierx = x
+toweierstrass weiery = y
+a0 = b
+a1 = 0
+a2 = a
+a3 = 0
+a4 = 1
+a6 = 0
+fromweierstrass x = weierx
+fromweierstrass y = weiery
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m
new file mode 100644
index 0000000..31f105a
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m
@@ -0,0 +1,3 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, third display
+compute X5 = Z1(X2 X3-Z2 Z3)^2
+compute Z5 = X1(X2 Z3-Z2 X3)^2
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-2 b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-2
new file mode 100644
index 0000000..814c28d
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-2
@@ -0,0 +1,3 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fifth display
+compute X5 = Z1((X3-Z3)(X2+Z2)+(X3+Z3)(X2-Z2))^2
+compute Z5 = X1((X3-Z3)(X2+Z2)-(X3+Z3)(X2-Z2))^2
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-2.op3 b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-2.op3
new file mode 100644
index 0000000..2d31113
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-2.op3
@@ -0,0 +1,18 @@
+t0 = X3-Z3
+t1 = X2+Z2
+t2 = X3+Z3
+t3 = X2-Z2
+t4 = t2*t3
+t5 = t0*t1
+t6 = t5+t4
+t7 = t6^2
+X5 = Z1*t7
+t8 = X3-Z3
+t9 = X2+Z2
+t10 = X3+Z3
+t11 = X2-Z2
+t12 = t10*t11
+t13 = t8*t9
+t14 = t13-t12
+t15 = t14^2
+Z5 = X1*t15
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-3 b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-3
new file mode 100644
index 0000000..757dff5
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-3
@@ -0,0 +1,9 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fifth display, plus common-subexpression elimination
+compute A = X2+Z2
+compute B = X2-Z2
+compute C = X3+Z3
+compute D = X3-Z3
+compute DA = D A
+compute CB = C B
+compute X5 = Z1(DA+CB)^2
+compute Z5 = X1(DA-CB)^2
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-3.op3 b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-3.op3
new file mode 100644
index 0000000..09bb8ef
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m-3.op3
@@ -0,0 +1,12 @@
+A = X2+Z2
+B = X2-Z2
+C = X3+Z3
+D = X3-Z3
+DA = D*A
+CB = C*B
+t0 = DA+CB
+t1 = t0^2
+X5 = Z1*t1
+t2 = DA-CB
+t3 = t2^2
+Z5 = X1*t3
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m.op3 b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m.op3
new file mode 100644
index 0000000..aa88ba8
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/dadd-1987-m.op3
@@ -0,0 +1,10 @@
+t0 = Z2*Z3
+t1 = X2*X3
+t2 = t1-t0
+t3 = t2^2
+X5 = Z1*t3
+t4 = Z2*X3
+t5 = X2*Z3
+t6 = t5-t4
+t7 = t6^2
+Z5 = X1*t7
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/mdadd-1987-m b/pyecsca/ec/efd/montgom/xz/diffadd/mdadd-1987-m
new file mode 100644
index 0000000..5323f23
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/mdadd-1987-m
@@ -0,0 +1,10 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fifth display, plus common-subexpression elimination, plus assumption Z1=1
+assume Z1 = 1
+compute A = X2+Z2
+compute B = X2-Z2
+compute C = X3+Z3
+compute D = X3-Z3
+compute DA = D A
+compute CB = C B
+compute X5 = (DA+CB)^2
+compute Z5 = X1(DA-CB)^2
diff --git a/pyecsca/ec/efd/montgom/xz/diffadd/mdadd-1987-m.op3 b/pyecsca/ec/efd/montgom/xz/diffadd/mdadd-1987-m.op3
new file mode 100644
index 0000000..c734dfa
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/diffadd/mdadd-1987-m.op3
@@ -0,0 +1,11 @@
+A = X2+Z2
+B = X2-Z2
+C = X3+Z3
+D = X3-Z3
+DA = D*A
+CB = C*B
+t0 = DA+CB
+X5 = t0^2
+t1 = DA-CB
+t2 = t1^2
+Z5 = X1*t2
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m
new file mode 100644
index 0000000..c12912a
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m
@@ -0,0 +1,3 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fourth display
+compute X3 = (X1^2-Z1^2)^2
+compute Z3 = 4 X1 Z1 (X1^2 + a X1 Z1 + Z1^2)
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-2 b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-2
new file mode 100644
index 0000000..bb52e95
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-2
@@ -0,0 +1,5 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, sixth display
+parameter a24
+assume 4*a24 = a+2
+compute X3 = (X1+Z1)^2 (X1-Z1)^2
+compute Z3 = (4 X1 Z1)((X1-Z1)^2 + a24(4 X1 Z1))
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-2.op3 b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-2.op3
new file mode 100644
index 0000000..329d655
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-2.op3
@@ -0,0 +1,14 @@
+t0 = X1+Z1
+t1 = X1-Z1
+t2 = t0^2
+t3 = t1^2
+X3 = t2*t3
+t4 = X1*Z1
+t5 = 4*t4
+t6 = X1-Z1
+t7 = t6^2
+t8 = a24*t5
+t9 = X1*Z1
+t10 = 4*t9
+t11 = t7+t8
+Z3 = t10*t11
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-3 b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-3
new file mode 100644
index 0000000..981f838
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-3
@@ -0,0 +1,10 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, sixth display, plus common-subexpression elimination
+parameter a24
+assume 4*a24 = a+2
+compute A = X1+Z1
+compute AA = A^2
+compute B = X1-Z1
+compute BB = B^2
+compute C = AA-BB
+compute X3 = AA BB
+compute Z3 = C(BB + a24 C)
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-3.op3 b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-3.op3
new file mode 100644
index 0000000..175d46b
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m-3.op3
@@ -0,0 +1,9 @@
+A = X1+Z1
+AA = A^2
+B = X1-Z1
+BB = B^2
+C = AA-BB
+X3 = AA*BB
+t0 = a24*C
+t1 = BB+t0
+Z3 = C*t1
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m.op3 b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m.op3
new file mode 100644
index 0000000..0993ef2
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/dbl-1987-m.op3
@@ -0,0 +1,13 @@
+t0 = X1^2
+t1 = Z1^2
+t2 = t0-t1
+X3 = t2^2
+t3 = X1^2
+t4 = Z1^2
+t5 = X1*Z1
+t6 = a*t5
+t7 = t3+t6
+t8 = t7+t4
+t9 = Z1*t8
+t10 = X1*t9
+Z3 = 4*t10
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/mdbl-1987-m b/pyecsca/ec/efd/montgom/xz/doubling/mdbl-1987-m
new file mode 100644
index 0000000..b6850bf
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/mdbl-1987-m
@@ -0,0 +1,5 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fourth display, plus assumption Z1=1, plus common-subexpression elimination
+assume Z1 = 1
+compute XX1 = X1^2
+compute X3 = (XX1-1)^2
+compute Z3 = 4 X1 (XX1 + a X1 + 1)
diff --git a/pyecsca/ec/efd/montgom/xz/doubling/mdbl-1987-m.op3 b/pyecsca/ec/efd/montgom/xz/doubling/mdbl-1987-m.op3
new file mode 100644
index 0000000..c94a9d0
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/doubling/mdbl-1987-m.op3
@@ -0,0 +1,8 @@
+XX1 = X1^2
+t0 = XX1-1
+X3 = t0^2
+t1 = a*X1
+t2 = XX1+t1
+t3 = t2+1
+t4 = X1*t3
+Z3 = 4*t4
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m
new file mode 100644
index 0000000..35ebff6
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m
@@ -0,0 +1,5 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, third and fourth displays
+compute X5 = Z1(X2 X3-Z2 Z3)^2
+compute Z5 = X1(X2 Z3-Z2 X3)^2
+compute X4 = (X2^2-Z2^2)^2
+compute Z4 = 4 X2 Z2 (X2^2 + a X2 Z2 + Z2^2)
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-2 b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-2
new file mode 100644
index 0000000..b9326b1
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-2
@@ -0,0 +1,7 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fifth and sixth displays
+parameter a24
+assume 4*a24 = a+2
+compute X5 = Z1((X3-Z3)(X2+Z2)+(X3+Z3)(X2-Z2))^2
+compute Z5 = X1((X3-Z3)(X2+Z2)-(X3+Z3)(X2-Z2))^2
+compute X4 = (X2+Z2)^2 (X2-Z2)^2
+compute Z4 = (4 X2 Z2)((X2-Z2)^2 + a24(4 X2 Z2))
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-2.op3 b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-2.op3
new file mode 100644
index 0000000..d3bd6af
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-2.op3
@@ -0,0 +1,32 @@
+t0 = X3-Z3
+t1 = X2+Z2
+t2 = X3+Z3
+t3 = X2-Z2
+t4 = t2*t3
+t5 = t0*t1
+t6 = t5+t4
+t7 = t6^2
+X5 = Z1*t7
+t8 = X3-Z3
+t9 = X2+Z2
+t10 = X3+Z3
+t11 = X2-Z2
+t12 = t10*t11
+t13 = t8*t9
+t14 = t13-t12
+t15 = t14^2
+Z5 = X1*t15
+t16 = X2+Z2
+t17 = X2-Z2
+t18 = t16^2
+t19 = t17^2
+X4 = t18*t19
+t20 = X2*Z2
+t21 = 4*t20
+t22 = X2-Z2
+t23 = t22^2
+t24 = a24*t21
+t25 = X2*Z2
+t26 = 4*t25
+t27 = t23+t24
+Z4 = t26*t27
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-3 b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-3
new file mode 100644
index 0000000..d8b9b94
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-3
@@ -0,0 +1,16 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fifth and sixth displays, plus common-subexpression elimination
+parameter a24
+assume 4*a24 = a+2
+compute A = X2+Z2
+compute AA = A^2
+compute B = X2-Z2
+compute BB = B^2
+compute E = AA-BB
+compute C = X3+Z3
+compute D = X3-Z3
+compute DA = D A
+compute CB = C B
+compute X5 = Z1(DA+CB)^2
+compute Z5 = X1(DA-CB)^2
+compute X4 = AA BB
+compute Z4 = E(BB + a24 E)
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-3.op3 b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-3.op3
new file mode 100644
index 0000000..4296bf4
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m-3.op3
@@ -0,0 +1,19 @@
+A = X2+Z2
+AA = A^2
+B = X2-Z2
+BB = B^2
+E = AA-BB
+C = X3+Z3
+D = X3-Z3
+DA = D*A
+CB = C*B
+t0 = DA+CB
+t1 = t0^2
+X5 = Z1*t1
+t2 = DA-CB
+t3 = t2^2
+Z5 = X1*t3
+X4 = AA*BB
+t4 = a24*E
+t5 = BB+t4
+Z4 = E*t5
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m.op3 b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m.op3
new file mode 100644
index 0000000..53ccfda
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/ladd-1987-m.op3
@@ -0,0 +1,23 @@
+t0 = Z2*Z3
+t1 = X2*X3
+t2 = t1-t0
+t3 = t2^2
+X5 = Z1*t3
+t4 = Z2*X3
+t5 = X2*Z3
+t6 = t5-t4
+t7 = t6^2
+Z5 = X1*t7
+t8 = X2^2
+t9 = Z2^2
+t10 = t8-t9
+X4 = t10^2
+t11 = X2^2
+t12 = Z2^2
+t13 = X2*Z2
+t14 = a*t13
+t15 = t11+t14
+t16 = t15+t12
+t17 = Z2*t16
+t18 = X2*t17
+Z4 = 4*t18
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/mladd-1987-m b/pyecsca/ec/efd/montgom/xz/ladder/mladd-1987-m
new file mode 100644
index 0000000..23a5588
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/mladd-1987-m
@@ -0,0 +1,17 @@
+source 1987 Montgomery "Speeding the Pollard and elliptic curve methods of factorization", page 261, fifth and sixth displays, plus common-subexpression elimination, plus assumption Z1=1
+assume Z1 = 1
+parameter a24
+assume 4*a24 = a+2
+compute A = X2+Z2
+compute AA = A^2
+compute B = X2-Z2
+compute BB = B^2
+compute E = AA-BB
+compute C = X3+Z3
+compute D = X3-Z3
+compute DA = D A
+compute CB = C B
+compute X5 = (DA+CB)^2
+compute Z5 = X1(DA-CB)^2
+compute X4 = AA BB
+compute Z4 = E(BB + a24 E)
diff --git a/pyecsca/ec/efd/montgom/xz/ladder/mladd-1987-m.op3 b/pyecsca/ec/efd/montgom/xz/ladder/mladd-1987-m.op3
new file mode 100644
index 0000000..745f888
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/ladder/mladd-1987-m.op3
@@ -0,0 +1,18 @@
+A = X2+Z2
+AA = A^2
+B = X2-Z2
+BB = B^2
+E = AA-BB
+C = X3+Z3
+D = X3-Z3
+DA = D*A
+CB = C*B
+t0 = DA+CB
+X5 = t0^2
+t1 = DA-CB
+t2 = t1^2
+Z5 = X1*t2
+X4 = AA*BB
+t3 = a24*E
+t4 = BB+t3
+Z4 = E*t4
diff --git a/pyecsca/ec/efd/montgom/xz/scaling/scale b/pyecsca/ec/efd/montgom/xz/scaling/scale
new file mode 100644
index 0000000..9309967
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/scaling/scale
@@ -0,0 +1,2 @@
+compute X3 = X1 / Z1
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/montgom/xz/scaling/scale.op3 b/pyecsca/ec/efd/montgom/xz/scaling/scale.op3
new file mode 100644
index 0000000..3a6b93c
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/scaling/scale.op3
@@ -0,0 +1,3 @@
+t0 = 1/Z1
+X3 = X1*t0
+Z3 = 1
diff --git a/pyecsca/ec/efd/montgom/xz/variables b/pyecsca/ec/efd/montgom/xz/variables
new file mode 100644
index 0000000..9863a08
--- /dev/null
+++ b/pyecsca/ec/efd/montgom/xz/variables
@@ -0,0 +1,4 @@
+name XZ coordinates
+variable X
+variable Z
+satisfying x = X/Z
diff --git a/pyecsca/ec/efd/shortw/coordinates b/pyecsca/ec/efd/shortw/coordinates
new file mode 100644
index 0000000..683d86d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/coordinates
@@ -0,0 +1,22 @@
+name short Weierstrass curves
+parameter a
+parameter b
+coordinate x
+coordinate y
+satisfying y^2 == x^3 + a*x + b
+addition x = (y2-y1)^2/(x2-x1)^2-x1-x2
+addition y = (2*x1+x2)*(y2-y1)/(x2-x1)-(y2-y1)^3/(x2-x1)^3-y1
+doubling x = (3*x1^2+a)^2/(2*y1)^2-x1-x1
+doubling y = (2*x1+x1)*(3*x1^2+a)/(2*y1)-(3*x1^2+a)^3/(2*y1)^3-y1
+negation x = x1
+negation y = -y1
+toweierstrass weierx = x
+toweierstrass weiery = y
+a0 = 1
+a1 = 0
+a2 = 0
+a3 = 0
+a4 = a
+a6 = b
+fromweierstrass x = weierx
+fromweierstrass y = weiery
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1986-cc b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1986-cc
new file mode 100644
index 0000000..af536a1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1986-cc
@@ -0,0 +1,10 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.3i)
+compute U1 = X1 Z2^2
+compute U2 = X2 Z1^2
+compute S1 = Y1 Z2^3
+compute S2 = Y2 Z1^3
+compute P = U2-U1
+compute R = S2-S1
+compute X3 = R^2-(U1+U2) P^2
+compute Y3 = R (U1 P^2-X3)-S1 P^3
+compute Z3 = Z1 Z2 P
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1986-cc.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1986-cc.op3
new file mode 100644
index 0000000..9774366
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1986-cc.op3
@@ -0,0 +1,24 @@
+t0 = Z2^2
+U1 = X1*t0
+t1 = Z1^2
+U2 = X2*t1
+t2 = Z2^3
+S1 = Y1*t2
+t3 = Z1^3
+S2 = Y2*t3
+P = U2-U1
+R = S2-S1
+t4 = U1+U2
+t5 = R^2
+t6 = P^2
+t7 = t4*t6
+X3 = t5-t7
+t8 = P^2
+t9 = U1*t8
+t10 = t9-X3
+t11 = P^3
+t12 = S1*t11
+t13 = R*t10
+Y3 = t13-t12
+t14 = Z2*P
+Z3 = Z1*t14
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo
new file mode 100644
index 0000000..b312a77
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (5)
+compute U1 = X1 Z2^2
+compute U2 = X2 Z1^2
+compute S1 = Y1 Z2^3
+compute S2 = Y2 Z1^3
+compute H = U2-U1
+compute r = S2-S1
+compute X3 = r^2-H^3-2 U1 H^2
+compute Y3 = r (U1 H^2-X3)-S1 H^3
+compute Z3 = Z1 Z2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo-2
new file mode 100644
index 0000000..acef19d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo-2
@@ -0,0 +1,15 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (5), plus common-subexpression elimination
+compute Z1Z1 = Z1^2
+compute Z2Z2 = Z2^2
+compute U1 = X1 Z2Z2
+compute U2 = X2 Z1Z1
+compute S1 = Y1 Z2 Z2Z2
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-U1
+compute HH = H^2
+compute HHH = H HH
+compute r = S2-S1
+compute V = U1 HH
+compute X3 = r^2-HHH-2 V
+compute Y3 = r (V-X3)-S1 HHH
+compute Z3 = Z1 Z2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..439ab62
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo-2.op3
@@ -0,0 +1,23 @@
+Z1Z1 = Z1^2
+Z2Z2 = Z2^2
+U1 = X1*Z2Z2
+U2 = X2*Z1Z1
+t0 = Z2*Z2Z2
+S1 = Y1*t0
+t1 = Z1*Z1Z1
+S2 = Y2*t1
+H = U2-U1
+HH = H^2
+HHH = H*HH
+r = S2-S1
+V = U1*HH
+t2 = r^2
+t3 = 2*V
+t4 = t2-HHH
+X3 = t4-t3
+t5 = V-X3
+t6 = S1*HHH
+t7 = r*t5
+Y3 = t7-t6
+t8 = Z2*H
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo.op3
new file mode 100644
index 0000000..2721e20
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-cmo.op3
@@ -0,0 +1,26 @@
+t0 = Z2^2
+U1 = X1*t0
+t1 = Z1^2
+U2 = X2*t1
+t2 = Z2^3
+S1 = Y1*t2
+t3 = Z1^3
+S2 = Y2*t3
+H = U2-U1
+r = S2-S1
+t4 = r^2
+t5 = H^3
+t6 = H^2
+t7 = U1*t6
+t8 = 2*t7
+t9 = t4-t5
+X3 = t9-t8
+t10 = H^2
+t11 = U1*t10
+t12 = t11-X3
+t13 = H^3
+t14 = S1*t13
+t15 = r*t12
+Y3 = t15-t14
+t16 = Z2*H
+Z3 = Z1*t16
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-hnm b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-hnm
new file mode 100644
index 0000000..ebace0d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-hnm
@@ -0,0 +1,39 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+parameter half
+assume half*2=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = X2
+compute R5 = Y2
+compute R6 = Z2
+compute R7 = R6^2
+compute R1 = R1 R7
+compute R7 = R6 R7
+compute R2 = R2 R7
+compute R7 = R3^2
+compute R8 = R4 R7
+compute R7 = R3 R7
+compute R7 = R5 R7
+compute R2 = R2-R7
+compute R7 = 2 R7
+compute R7 = R2+R7
+compute R1 = R1-R8
+compute R8 = 2 R8
+compute R8 = R1+R8
+compute R3 = R3 R6
+compute R3 = R3 R1
+compute R7 = R7 R1
+compute R1 = R1^2
+compute R8 = R8 R1
+compute R7 = R7 R1
+compute R1 = R2^2
+compute R1 = R1-R8
+compute R8 = R8-R1
+compute R8 = R8-R1
+compute R8 = R8 R2
+compute R2 = R8-R7
+compute R2 = half R2
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-hnm.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-hnm.op3
new file mode 100644
index 0000000..5817e98
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-1998-hnm.op3
@@ -0,0 +1,36 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = X2
+R5 = Y2
+R6 = Z2
+R7 = R6^2
+R1 = R1*R7
+R7 = R6*R7
+R2 = R2*R7
+R7 = R3^2
+R8 = R4*R7
+R7 = R3*R7
+R7 = R5*R7
+R2 = R2-R7
+R7 = 2*R7
+R7 = R2+R7
+R1 = R1-R8
+R8 = 2*R8
+R8 = R1+R8
+R3 = R3*R6
+R3 = R3*R1
+R7 = R7*R1
+R1 = R1^2
+R8 = R8*R1
+R7 = R7*R1
+R1 = R2^2
+R1 = R1-R8
+R8 = R8-R1
+R8 = R8-R1
+R8 = R8*R2
+R2 = R8-R7
+R2 = half*R2
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2001-b b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2001-b
new file mode 100644
index 0000000..b6a403d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2001-b
@@ -0,0 +1,18 @@
+source 2001 Bernstein http://cr.yp.to/nistp224.html opt-idea53.c ecadd
+compute ZZ1 = Z1^2
+compute ZZZ1 = Z1 ZZ1
+compute ZZ2 = Z2^2
+compute ZZZ2 = Z2 ZZ2
+compute A = X1 ZZ2
+compute B = X2 ZZ1 -A
+compute c = Y1 ZZZ2
+compute d = Y2 ZZZ1 -c
+compute e = B^2
+compute f = B e
+compute g = A e
+compute h = Z1 Z2
+compute f2g = 2 g+f
+compute X3 = d^2-f2g
+compute Z3 = B h
+compute gx = g-X3
+compute Y3 = d gx-c f
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2001-b.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2001-b.op3
new file mode 100644
index 0000000..6f362a2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2001-b.op3
@@ -0,0 +1,23 @@
+ZZ1 = Z1^2
+ZZZ1 = Z1*ZZ1
+ZZ2 = Z2^2
+ZZZ2 = Z2*ZZ2
+A = X1*ZZ2
+t0 = X2*ZZ1
+B = t0-A
+c = Y1*ZZZ2
+t1 = Y2*ZZZ1
+d = t1-c
+e = B^2
+f = B*e
+g = A*e
+h = Z1*Z2
+t2 = 2*g
+f2g = t2+f
+t3 = d^2
+X3 = t3-f2g
+Z3 = B*h
+gx = g-X3
+t4 = c*f
+t5 = d*gx
+Y3 = t5-t4
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2007-bl b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2007-bl
new file mode 100644
index 0000000..dc8af68
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2007-bl
@@ -0,0 +1,15 @@
+source 2007 Bernstein--Lange; note that the improvement from 12M+4S to 11M+5S was already mentioned in 2001 Bernstein http://cr.yp.to/talks.html#2001.10.29
+compute Z1Z1 = Z1^2
+compute Z2Z2 = Z2^2
+compute U1 = X1 Z2Z2
+compute U2 = X2 Z1Z1
+compute S1 = Y1 Z2 Z2Z2
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-U1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2 (S2-S1)
+compute V = U1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 S1 J
+compute Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2) H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2007-bl.op3
new file mode 100644
index 0000000..89085ff
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/add-2007-bl.op3
@@ -0,0 +1,29 @@
+Z1Z1 = Z1^2
+Z2Z2 = Z2^2
+U1 = X1*Z2Z2
+U2 = X2*Z1Z1
+t0 = Z2*Z2Z2
+S1 = Y1*t0
+t1 = Z1*Z1Z1
+S2 = Y2*t1
+H = U2-U1
+t2 = 2*H
+I = t2^2
+J = H*I
+t3 = S2-S1
+r = 2*t3
+V = U1*I
+t4 = r^2
+t5 = 2*V
+t6 = t4-J
+X3 = t6-t5
+t7 = V-X3
+t8 = S1*J
+t9 = 2*t8
+t10 = r*t7
+Y3 = t10-t9
+t11 = Z1+Z2
+t12 = t11^2
+t13 = t12-Z1Z1
+t14 = t13-Z2Z2
+Z3 = t14*H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd
new file mode 100644
index 0000000..c4ced5f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd
@@ -0,0 +1,12 @@
+assume Z2=1
+compute Z1Z1 = Z1^2
+compute U2 = X2 Z1Z1
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-X1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2 (S2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = 2 Z1 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2004-hmv b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2004-hmv
new file mode 100644
index 0000000..c6904b6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2004-hmv
@@ -0,0 +1,20 @@
+source 2004 Hankerson--Menezes--Vanstone, page 91
+assume Z2=1
+compute T1 = Z1^2
+compute T2 = T1 Z1
+compute T1 = T1 X2
+compute T2 = T2 Y2
+compute T1 = T1-X1
+compute T2 = T2-Y1
+compute Z3 = Z1 T1
+compute T3 = T1^2
+compute T4 = T3 T1
+compute T3 = T3 X1
+compute T1 = 2 T3
+compute X3 = T2^2
+compute X3 = X3-T1
+compute X3 = X3-T4
+compute T3 = T3-X3
+compute T3 = T3 T2
+compute T4 = T4 Y1
+compute Y3 = T3-T4
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2004-hmv.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2004-hmv.op3
new file mode 100644
index 0000000..70a991f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2004-hmv.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1*Z1
+T1 = T1*X2
+T2 = T2*Y2
+T1 = T1-X1
+T2 = T2-Y1
+Z3 = Z1*T1
+T3 = T1^2
+T4 = T3*T1
+T3 = T3*X1
+T1 = 2*T3
+X3 = T2^2
+X3 = X3-T1
+X3 = X3-T4
+T3 = T3-X3
+T3 = T3*T2
+T4 = T4*Y1
+Y3 = T3-T4
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2007-bl b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2007-bl
new file mode 100644
index 0000000..92a97af
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+assume Z2=1
+compute Z1Z1 = Z1^2
+compute U2 = X2 Z1Z1
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2 (S2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = (Z1+H)^2-Z1Z1-HH
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2007-bl.op3
new file mode 100644
index 0000000..958774f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2007-bl.op3
@@ -0,0 +1,24 @@
+Z1Z1 = Z1^2
+U2 = X2*Z1Z1
+t0 = Z1*Z1Z1
+S2 = Y2*t0
+H = U2-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t1 = S2-Y1
+r = 2*t1
+V = X1*I
+t2 = r^2
+t3 = 2*V
+t4 = t2-J
+X3 = t4-t3
+t5 = V-X3
+t6 = Y1*J
+t7 = 2*t6
+t8 = r*t5
+Y3 = t8-t7
+t9 = Z1+H
+t10 = t9^2
+t11 = t10-Z1Z1
+Z3 = t11-HH
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2008-g b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2008-g
new file mode 100644
index 0000000..7c5f660
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2008-g
@@ -0,0 +1,20 @@
+source 2008 Giessmann
+assume Z2=1
+compute T1 = Z1^2
+compute T2 = T1 Z1
+compute T1 = T1 X2
+compute T2 = T2 Y2
+compute T1 = X1-T1
+compute T2 = T2-Y1
+compute Z3 = Z1 T1
+compute T4 = T1^2
+compute T1 = T1 T4
+compute T4 = T4 X1
+compute X3 = T2^2
+compute X3 = X3+T1
+compute Y3 = T1 Y1
+compute T1 = 2 T4
+compute X3 = X3-T1
+compute T4 = X3-T4
+compute T4 = T4 T2
+compute Y3 = T4-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2008-g.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2008-g.op3
new file mode 100644
index 0000000..c0552ea
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd-2008-g.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1*Z1
+T1 = T1*X2
+T2 = T2*Y2
+T1 = X1-T1
+T2 = T2-Y1
+Z3 = Z1*T1
+T4 = T1^2
+T1 = T1*T4
+T4 = T4*X1
+X3 = T2^2
+X3 = X3+T1
+Y3 = T1*Y1
+T1 = 2*T4
+X3 = X3-T1
+T4 = X3-T4
+T4 = T4*T2
+Y3 = T4-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/madd.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd.op3
new file mode 100644
index 0000000..e33baa2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/madd.op3
@@ -0,0 +1,22 @@
+Z1Z1 = Z1^2
+U2 = X2*Z1Z1
+t0 = Z1*Z1Z1
+S2 = Y2*t0
+H = U2-X1
+t1 = 2*H
+I = t1^2
+J = H*I
+t2 = S2-Y1
+r = 2*t2
+V = X1*I
+t3 = r^2
+t4 = 2*V
+t5 = t3-J
+X3 = t5-t4
+t6 = V-X3
+t7 = Y1*J
+t8 = 2*t7
+t9 = r*t6
+Y3 = t9-t8
+t10 = Z1*H
+Z3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/mmadd-2007-bl b/pyecsca/ec/efd/shortw/jacobian-0/addition/mmadd-2007-bl
new file mode 100644
index 0000000..e11d9e4
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/mmadd-2007-bl
@@ -0,0 +1,12 @@
+source 2007 Bernstein--Lange
+assume Z1=1
+assume Z2=1
+compute H = X2-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2 (Y2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = 2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/mmadd-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/mmadd-2007-bl.op3
new file mode 100644
index 0000000..e91cc9f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/mmadd-2007-bl.op3
@@ -0,0 +1,17 @@
+H = X2-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t0 = Y2-Y1
+r = 2*t0
+V = X1*I
+t1 = r^2
+t2 = 2*V
+t3 = t1-J
+X3 = t3-t2
+t4 = V-X3
+t5 = Y1*J
+t6 = 2*t5
+t7 = r*t4
+Y3 = t7-t6
+Z3 = 2*H
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/zadd-2007-m b/pyecsca/ec/efd/shortw/jacobian-0/addition/zadd-2007-m
new file mode 100644
index 0000000..417ef26
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/zadd-2007-m
@@ -0,0 +1,9 @@
+source 2007 Meloni "New point addition formulae for ECC applications", page 192
+assume Z1 = Z2
+compute A = (X2-X1)^2
+compute B = X1 A
+compute C = X2 A
+compute D = (Y2-Y1)^2
+compute X3 = D-B-C
+compute Y3 = (Y2-Y1)(B-X3)-Y1(C-B)
+compute Z3 = Z1(X2-X1)
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/addition/zadd-2007-m.op3 b/pyecsca/ec/efd/shortw/jacobian-0/addition/zadd-2007-m.op3
new file mode 100644
index 0000000..afefe88
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/addition/zadd-2007-m.op3
@@ -0,0 +1,16 @@
+t0 = X2-X1
+A = t0^2
+B = X1*A
+C = X2*A
+t1 = Y2-Y1
+D = t1^2
+t2 = D-B
+X3 = t2-C
+t3 = Y2-Y1
+t4 = B-X3
+t5 = C-B
+t6 = Y1*t5
+t7 = t3*t4
+Y3 = t7-t6
+t8 = X2-X1
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1986-cc b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1986-cc
new file mode 100644
index 0000000..56fa583
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1986-cc
@@ -0,0 +1,7 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.2ii)
+compute S = 4 X1 Y1^2
+compute M = 3 X1^2+a Z1^4
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1986-cc.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1986-cc.op3
new file mode 100644
index 0000000..7d564ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1986-cc.op3
@@ -0,0 +1,19 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = X1^2
+t3 = Z1^4
+t4 = a*t3
+t5 = 3*t2
+M = t5+t4
+t6 = M^2
+t7 = 2*S
+T = t6-t7
+X3 = T
+t8 = S-T
+t9 = Y1^4
+t10 = 8*t9
+t11 = M*t8
+Y3 = t11-t10
+t12 = Y1*Z1
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo
new file mode 100644
index 0000000..448809a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo
@@ -0,0 +1,7 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (6)
+compute S = 4 X1 Y1^2
+compute M = 3 X1^2+a Z1^4
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..3757742
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo-2
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (6), plus common-subexpression elimination
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute S = 4 X1 YY
+compute M = 3 XX+a ZZ^2
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 YY^2
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..0e80d93
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,20 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+t0 = X1*YY
+S = 4*t0
+t1 = ZZ^2
+t2 = a*t1
+t3 = 3*XX
+M = t3+t2
+t4 = M^2
+t5 = 2*S
+T = t4-t5
+X3 = T
+t6 = S-T
+t7 = YY^2
+t8 = 8*t7
+t9 = M*t6
+Y3 = t9-t8
+t10 = Y1*Z1
+Z3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo.op3
new file mode 100644
index 0000000..7d564ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-cmo.op3
@@ -0,0 +1,19 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = X1^2
+t3 = Z1^4
+t4 = a*t3
+t5 = 3*t2
+M = t5+t4
+t6 = M^2
+t7 = 2*S
+T = t6-t7
+X3 = T
+t8 = S-T
+t9 = Y1^4
+t10 = 8*t9
+t11 = M*t8
+Y3 = t11-t10
+t12 = Y1*Z1
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-hnm b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-hnm
new file mode 100644
index 0000000..67375ba
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-hnm
@@ -0,0 +1,29 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+parameter half
+assume half*2=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = R3^2
+compute R3 = R2 R3
+compute R3 = 2 R3
+compute R4 = R4^2
+compute R4 = a R4
+compute R5 = R1^2
+compute R4 = R4+R5
+compute R5 = 2 R5
+compute R4 = R4+R5
+compute R2 = 2 R2
+compute R2 = R2^2
+compute R5 = R2^2
+compute R5 = half R5
+compute R2 = R2 R1
+compute R1 = R4^2
+compute R1 = R1-R2
+compute R1 = R1-R2
+compute R2 = R2-R1
+compute R2 = R2 R4
+compute R2 = R2-R5
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-hnm.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-hnm.op3
new file mode 100644
index 0000000..003affc
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-1998-hnm.op3
@@ -0,0 +1,26 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = R3^2
+R3 = R2*R3
+R3 = 2*R3
+R4 = R4^2
+R4 = a*R4
+R5 = R1^2
+R4 = R4+R5
+R5 = 2*R5
+R4 = R4+R5
+R2 = 2*R2
+R2 = R2^2
+R5 = R2^2
+R5 = half*R5
+R2 = R2*R1
+R1 = R4^2
+R1 = R1-R2
+R1 = R1-R2
+R2 = R2-R1
+R2 = R2*R4
+R2 = R2-R5
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2007-bl b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2007-bl
new file mode 100644
index 0000000..e6ae5c6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute YYYY = YY^2
+compute ZZ = Z1^2
+compute S = 2 ((X1+YY)^2-XX-YYYY)
+compute M = 3 XX+a ZZ^2
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 YYYY
+compute Z3 = (Y1+Z1)^2-YY-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..7f76b36
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2007-bl.op3
@@ -0,0 +1,25 @@
+XX = X1^2
+YY = Y1^2
+YYYY = YY^2
+ZZ = Z1^2
+t0 = X1+YY
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-YYYY
+S = 2*t3
+t4 = ZZ^2
+t5 = a*t4
+t6 = 3*XX
+M = t6+t5
+t7 = M^2
+t8 = 2*S
+T = t7-t8
+X3 = T
+t9 = S-T
+t10 = 8*YYYY
+t11 = M*t9
+Y3 = t11-t10
+t12 = Y1+Z1
+t13 = t12^2
+t14 = t13-YY
+Z3 = t14-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-alnr b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-alnr
new file mode 100644
index 0000000..c0d382c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-alnr
@@ -0,0 +1,12 @@
+source 2009.04.01 Arene--Lange--Naehrig--Ritzenthaler
+appliesto jacobian-0
+compute A = X1^2
+compute B = Y1^2
+compute ZZ = Z1^2
+compute C = B^2
+compute D = 2 ((X1 + B)^2 - A - C)
+compute E = 3 A
+compute F = E^2
+compute X3 = F - 2 D
+compute Y3 = E (D - X3) - 8 C
+compute Z3 = (Y1 + Z1)^2 - B - ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-alnr.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-alnr.op3
new file mode 100644
index 0000000..5a26209
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-alnr.op3
@@ -0,0 +1,21 @@
+A = X1^2
+B = Y1^2
+ZZ = Z1^2
+C = B^2
+t0 = X1+B
+t1 = t0^2
+t2 = t1-A
+t3 = t2-C
+D = 2*t3
+E = 3*A
+F = E^2
+t4 = 2*D
+X3 = F-t4
+t5 = D-X3
+t6 = 8*C
+t7 = E*t5
+Y3 = t7-t6
+t8 = Y1+Z1
+t9 = t8^2
+t10 = t9-B
+Z3 = t10-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-l b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-l
new file mode 100644
index 0000000..ef412c3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-l
@@ -0,0 +1,11 @@
+source 2009.04.01 Lange
+appliesto jacobian-0
+compute A = X1^2
+compute B = Y1^2
+compute C = B^2
+compute D = 2 ((X1 + B)^2 - A - C)
+compute E = 3 A
+compute F = E^2
+compute X3 = F - 2 D
+compute Y3 = E (D - X3) - 8 C
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-l.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-l.op3
new file mode 100644
index 0000000..260fab8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/dbl-2009-l.op3
@@ -0,0 +1,18 @@
+A = X1^2
+B = Y1^2
+C = B^2
+t0 = X1+B
+t1 = t0^2
+t2 = t1-A
+t3 = t2-C
+D = 2*t3
+E = 3*A
+F = E^2
+t4 = 2*D
+X3 = F-t4
+t5 = D-X3
+t6 = 8*C
+t7 = E*t5
+Y3 = t7-t6
+t8 = Y1*Z1
+Z3 = 2*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/mdbl-2007-bl b/pyecsca/ec/efd/shortw/jacobian-0/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..5e3e22e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/mdbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+assume Z1=1
+compute XX = X1^2
+compute YY = Y1^2
+compute YYYY = YY^2
+compute S = 2((X1+YY)^2-XX-YYYY)
+compute M = 3 XX+a
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 YYYY
+compute Z3 = 2 Y1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-0/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..df25bc2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,19 @@
+XX = X1^2
+YY = Y1^2
+YYYY = YY^2
+t0 = X1+YY
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-YYYY
+S = 2*t3
+t4 = 3*XX
+M = t4+a
+t5 = M^2
+t6 = 2*S
+T = t5-t6
+X3 = T
+t7 = S-T
+t8 = 8*YYYY
+t9 = M*t7
+Y3 = t9-t8
+Z3 = 2*Y1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/scaling/z b/pyecsca/ec/efd/shortw/jacobian-0/scaling/z
new file mode 100644
index 0000000..1e19284
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/scaling/z
@@ -0,0 +1,5 @@
+compute A = 1/Z1
+compute AA = A^2
+compute X3 = X1*AA
+compute Y3 = Y1*AA*A
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/scaling/z.op3 b/pyecsca/ec/efd/shortw/jacobian-0/scaling/z.op3
new file mode 100644
index 0000000..61856ec
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/scaling/z.op3
@@ -0,0 +1,6 @@
+A = 1/Z1
+AA = A^2
+X3 = X1*AA
+t0 = AA*A
+Y3 = Y1*t0
+Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim
new file mode 100644
index 0000000..a9c6d71
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim
@@ -0,0 +1,7 @@
+source 2005 Dimitrov--Imbert--Mishra
+compute M = 3 X1^2+a Z1^4
+compute E = 12 X1 Y1^2-M^2
+compute T = 8 Y1^4
+compute X3 = 8 Y1^2 (T-M E)+X1 E^2
+compute Y3 = Y1 (4 (M E-T) (2 T-M E)-E^3)
+compute Z3 = Z1 E
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim-2 b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim-2
new file mode 100644
index 0000000..9eb1356
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim-2
@@ -0,0 +1,13 @@
+source 2005 Dimitrov--Imbert--Mishra, plus common-subexpression elimination
+compute ZZ = Z1^2
+compute YY = Y1^2
+compute C = 2 YY
+compute M = 3 X1^2+a ZZ^2
+compute E = 6 X1 C-M^2
+compute EE = E^2
+compute T = 2 C^2
+compute U = M E-T
+compute U4 = 4 U
+compute X3 = X1 EE-C U4
+compute Y3 = Y1 (U4 (T-U)-E EE)
+compute Z3 = Z1 E
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim-2.op3 b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim-2.op3
new file mode 100644
index 0000000..3d3ae16
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim-2.op3
@@ -0,0 +1,27 @@
+ZZ = Z1^2
+YY = Y1^2
+C = 2*YY
+t0 = X1^2
+t1 = ZZ^2
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = M^2
+t5 = X1*C
+t6 = 6*t5
+E = t6-t4
+EE = E^2
+t7 = C^2
+T = 2*t7
+t8 = M*E
+U = t8-T
+U4 = 4*U
+t9 = C*U4
+t10 = X1*EE
+X3 = t10-t9
+t11 = T-U
+t12 = E*EE
+t13 = U4*t11
+t14 = t13-t12
+Y3 = Y1*t14
+Z3 = Z1*E
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim.op3 b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim.op3
new file mode 100644
index 0000000..a20c4fd
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2005-dim.op3
@@ -0,0 +1,31 @@
+t0 = X1^2
+t1 = Z1^4
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = Y1^2
+t5 = M^2
+t6 = X1*t4
+t7 = 12*t6
+E = t7-t5
+t8 = Y1^4
+T = 8*t8
+t9 = M*E
+t10 = T-t9
+t11 = Y1^2
+t12 = E^2
+t13 = X1*t12
+t14 = t11*t10
+t15 = 8*t14
+X3 = t15+t13
+t16 = M*E
+t17 = 2*T
+t18 = M*E
+t19 = t18-T
+t20 = t17-t16
+t21 = E^3
+t22 = t19*t20
+t23 = 4*t22
+t24 = t23-t21
+Y3 = Y1*t24
+Z3 = Z1*E
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2007-bl b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2007-bl
new file mode 100644
index 0000000..ad53ad1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute YYYY = YY^2
+compute M = 3 XX+a ZZ^2
+compute MM = M^2
+compute E = 6 ((X1+YY)^2-XX-YYYY)-MM
+compute EE = E^2
+compute T = 16 YYYY
+compute U = (M+E)^2-MM-EE-T
+compute X3 = 4 (X1 EE-4 YY U)
+compute Y3 = 8 Y1 (U (T-U)-E EE)
+compute Z3 = (Z1+E)^2-ZZ-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2007-bl.op3
new file mode 100644
index 0000000..5a1cda6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/tripling/tpl-2007-bl.op3
@@ -0,0 +1,37 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+YYYY = YY^2
+t0 = ZZ^2
+t1 = a*t0
+t2 = 3*XX
+M = t2+t1
+MM = M^2
+t3 = X1+YY
+t4 = t3^2
+t5 = t4-XX
+t6 = t5-YYYY
+t7 = 6*t6
+E = t7-MM
+EE = E^2
+T = 16*YYYY
+t8 = M+E
+t9 = t8^2
+t10 = t9-MM
+t11 = t10-EE
+U = t11-T
+t12 = YY*U
+t13 = 4*t12
+t14 = X1*EE
+t15 = t14-t13
+X3 = 4*t15
+t16 = T-U
+t17 = E*EE
+t18 = U*t16
+t19 = t18-t17
+t20 = Y1*t19
+Y3 = 8*t20
+t21 = Z1+E
+t22 = t21^2
+t23 = t22-ZZ
+Z3 = t23-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian-0/variables b/pyecsca/ec/efd/shortw/jacobian-0/variables
new file mode 100644
index 0000000..5e84b72
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-0/variables
@@ -0,0 +1,7 @@
+name Jacobian coordinates with a4=0
+assume a = 0
+variable X
+variable Y
+variable Z
+satisfying x = X/Z^2
+satisfying y = Y/Z^3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1986-cc b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1986-cc
new file mode 100644
index 0000000..af536a1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1986-cc
@@ -0,0 +1,10 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.3i)
+compute U1 = X1 Z2^2
+compute U2 = X2 Z1^2
+compute S1 = Y1 Z2^3
+compute S2 = Y2 Z1^3
+compute P = U2-U1
+compute R = S2-S1
+compute X3 = R^2-(U1+U2) P^2
+compute Y3 = R (U1 P^2-X3)-S1 P^3
+compute Z3 = Z1 Z2 P
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1986-cc.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1986-cc.op3
new file mode 100644
index 0000000..9774366
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1986-cc.op3
@@ -0,0 +1,24 @@
+t0 = Z2^2
+U1 = X1*t0
+t1 = Z1^2
+U2 = X2*t1
+t2 = Z2^3
+S1 = Y1*t2
+t3 = Z1^3
+S2 = Y2*t3
+P = U2-U1
+R = S2-S1
+t4 = U1+U2
+t5 = R^2
+t6 = P^2
+t7 = t4*t6
+X3 = t5-t7
+t8 = P^2
+t9 = U1*t8
+t10 = t9-X3
+t11 = P^3
+t12 = S1*t11
+t13 = R*t10
+Y3 = t13-t12
+t14 = Z2*P
+Z3 = Z1*t14
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo
new file mode 100644
index 0000000..b312a77
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (5)
+compute U1 = X1 Z2^2
+compute U2 = X2 Z1^2
+compute S1 = Y1 Z2^3
+compute S2 = Y2 Z1^3
+compute H = U2-U1
+compute r = S2-S1
+compute X3 = r^2-H^3-2 U1 H^2
+compute Y3 = r (U1 H^2-X3)-S1 H^3
+compute Z3 = Z1 Z2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo-2
new file mode 100644
index 0000000..acef19d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo-2
@@ -0,0 +1,15 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (5), plus common-subexpression elimination
+compute Z1Z1 = Z1^2
+compute Z2Z2 = Z2^2
+compute U1 = X1 Z2Z2
+compute U2 = X2 Z1Z1
+compute S1 = Y1 Z2 Z2Z2
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-U1
+compute HH = H^2
+compute HHH = H HH
+compute r = S2-S1
+compute V = U1 HH
+compute X3 = r^2-HHH-2 V
+compute Y3 = r (V-X3)-S1 HHH
+compute Z3 = Z1 Z2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..439ab62
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo-2.op3
@@ -0,0 +1,23 @@
+Z1Z1 = Z1^2
+Z2Z2 = Z2^2
+U1 = X1*Z2Z2
+U2 = X2*Z1Z1
+t0 = Z2*Z2Z2
+S1 = Y1*t0
+t1 = Z1*Z1Z1
+S2 = Y2*t1
+H = U2-U1
+HH = H^2
+HHH = H*HH
+r = S2-S1
+V = U1*HH
+t2 = r^2
+t3 = 2*V
+t4 = t2-HHH
+X3 = t4-t3
+t5 = V-X3
+t6 = S1*HHH
+t7 = r*t5
+Y3 = t7-t6
+t8 = Z2*H
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo.op3
new file mode 100644
index 0000000..2721e20
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-cmo.op3
@@ -0,0 +1,26 @@
+t0 = Z2^2
+U1 = X1*t0
+t1 = Z1^2
+U2 = X2*t1
+t2 = Z2^3
+S1 = Y1*t2
+t3 = Z1^3
+S2 = Y2*t3
+H = U2-U1
+r = S2-S1
+t4 = r^2
+t5 = H^3
+t6 = H^2
+t7 = U1*t6
+t8 = 2*t7
+t9 = t4-t5
+X3 = t9-t8
+t10 = H^2
+t11 = U1*t10
+t12 = t11-X3
+t13 = H^3
+t14 = S1*t13
+t15 = r*t12
+Y3 = t15-t14
+t16 = Z2*H
+Z3 = Z1*t16
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-hnm b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-hnm
new file mode 100644
index 0000000..ebace0d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-hnm
@@ -0,0 +1,39 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+parameter half
+assume half*2=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = X2
+compute R5 = Y2
+compute R6 = Z2
+compute R7 = R6^2
+compute R1 = R1 R7
+compute R7 = R6 R7
+compute R2 = R2 R7
+compute R7 = R3^2
+compute R8 = R4 R7
+compute R7 = R3 R7
+compute R7 = R5 R7
+compute R2 = R2-R7
+compute R7 = 2 R7
+compute R7 = R2+R7
+compute R1 = R1-R8
+compute R8 = 2 R8
+compute R8 = R1+R8
+compute R3 = R3 R6
+compute R3 = R3 R1
+compute R7 = R7 R1
+compute R1 = R1^2
+compute R8 = R8 R1
+compute R7 = R7 R1
+compute R1 = R2^2
+compute R1 = R1-R8
+compute R8 = R8-R1
+compute R8 = R8-R1
+compute R8 = R8 R2
+compute R2 = R8-R7
+compute R2 = half R2
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-hnm.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-hnm.op3
new file mode 100644
index 0000000..5817e98
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-1998-hnm.op3
@@ -0,0 +1,36 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = X2
+R5 = Y2
+R6 = Z2
+R7 = R6^2
+R1 = R1*R7
+R7 = R6*R7
+R2 = R2*R7
+R7 = R3^2
+R8 = R4*R7
+R7 = R3*R7
+R7 = R5*R7
+R2 = R2-R7
+R7 = 2*R7
+R7 = R2+R7
+R1 = R1-R8
+R8 = 2*R8
+R8 = R1+R8
+R3 = R3*R6
+R3 = R3*R1
+R7 = R7*R1
+R1 = R1^2
+R8 = R8*R1
+R7 = R7*R1
+R1 = R2^2
+R1 = R1-R8
+R8 = R8-R1
+R8 = R8-R1
+R8 = R8*R2
+R2 = R8-R7
+R2 = half*R2
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2001-b b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2001-b
new file mode 100644
index 0000000..b6a403d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2001-b
@@ -0,0 +1,18 @@
+source 2001 Bernstein http://cr.yp.to/nistp224.html opt-idea53.c ecadd
+compute ZZ1 = Z1^2
+compute ZZZ1 = Z1 ZZ1
+compute ZZ2 = Z2^2
+compute ZZZ2 = Z2 ZZ2
+compute A = X1 ZZ2
+compute B = X2 ZZ1 -A
+compute c = Y1 ZZZ2
+compute d = Y2 ZZZ1 -c
+compute e = B^2
+compute f = B e
+compute g = A e
+compute h = Z1 Z2
+compute f2g = 2 g+f
+compute X3 = d^2-f2g
+compute Z3 = B h
+compute gx = g-X3
+compute Y3 = d gx-c f
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2001-b.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2001-b.op3
new file mode 100644
index 0000000..6f362a2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2001-b.op3
@@ -0,0 +1,23 @@
+ZZ1 = Z1^2
+ZZZ1 = Z1*ZZ1
+ZZ2 = Z2^2
+ZZZ2 = Z2*ZZ2
+A = X1*ZZ2
+t0 = X2*ZZ1
+B = t0-A
+c = Y1*ZZZ2
+t1 = Y2*ZZZ1
+d = t1-c
+e = B^2
+f = B*e
+g = A*e
+h = Z1*Z2
+t2 = 2*g
+f2g = t2+f
+t3 = d^2
+X3 = t3-f2g
+Z3 = B*h
+gx = g-X3
+t4 = c*f
+t5 = d*gx
+Y3 = t5-t4
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2007-bl b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2007-bl
new file mode 100644
index 0000000..dc8af68
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2007-bl
@@ -0,0 +1,15 @@
+source 2007 Bernstein--Lange; note that the improvement from 12M+4S to 11M+5S was already mentioned in 2001 Bernstein http://cr.yp.to/talks.html#2001.10.29
+compute Z1Z1 = Z1^2
+compute Z2Z2 = Z2^2
+compute U1 = X1 Z2Z2
+compute U2 = X2 Z1Z1
+compute S1 = Y1 Z2 Z2Z2
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-U1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2 (S2-S1)
+compute V = U1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 S1 J
+compute Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2) H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2007-bl.op3
new file mode 100644
index 0000000..89085ff
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/add-2007-bl.op3
@@ -0,0 +1,29 @@
+Z1Z1 = Z1^2
+Z2Z2 = Z2^2
+U1 = X1*Z2Z2
+U2 = X2*Z1Z1
+t0 = Z2*Z2Z2
+S1 = Y1*t0
+t1 = Z1*Z1Z1
+S2 = Y2*t1
+H = U2-U1
+t2 = 2*H
+I = t2^2
+J = H*I
+t3 = S2-S1
+r = 2*t3
+V = U1*I
+t4 = r^2
+t5 = 2*V
+t6 = t4-J
+X3 = t6-t5
+t7 = V-X3
+t8 = S1*J
+t9 = 2*t8
+t10 = r*t7
+Y3 = t10-t9
+t11 = Z1+Z2
+t12 = t11^2
+t13 = t12-Z1Z1
+t14 = t13-Z2Z2
+Z3 = t14*H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd
new file mode 100644
index 0000000..c4ced5f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd
@@ -0,0 +1,12 @@
+assume Z2=1
+compute Z1Z1 = Z1^2
+compute U2 = X2 Z1Z1
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-X1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2 (S2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = 2 Z1 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2004-hmv b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2004-hmv
new file mode 100644
index 0000000..c6904b6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2004-hmv
@@ -0,0 +1,20 @@
+source 2004 Hankerson--Menezes--Vanstone, page 91
+assume Z2=1
+compute T1 = Z1^2
+compute T2 = T1 Z1
+compute T1 = T1 X2
+compute T2 = T2 Y2
+compute T1 = T1-X1
+compute T2 = T2-Y1
+compute Z3 = Z1 T1
+compute T3 = T1^2
+compute T4 = T3 T1
+compute T3 = T3 X1
+compute T1 = 2 T3
+compute X3 = T2^2
+compute X3 = X3-T1
+compute X3 = X3-T4
+compute T3 = T3-X3
+compute T3 = T3 T2
+compute T4 = T4 Y1
+compute Y3 = T3-T4
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2004-hmv.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2004-hmv.op3
new file mode 100644
index 0000000..70a991f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2004-hmv.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1*Z1
+T1 = T1*X2
+T2 = T2*Y2
+T1 = T1-X1
+T2 = T2-Y1
+Z3 = Z1*T1
+T3 = T1^2
+T4 = T3*T1
+T3 = T3*X1
+T1 = 2*T3
+X3 = T2^2
+X3 = X3-T1
+X3 = X3-T4
+T3 = T3-X3
+T3 = T3*T2
+T4 = T4*Y1
+Y3 = T3-T4
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2007-bl b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2007-bl
new file mode 100644
index 0000000..92a97af
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+assume Z2=1
+compute Z1Z1 = Z1^2
+compute U2 = X2 Z1Z1
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2 (S2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = (Z1+H)^2-Z1Z1-HH
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2007-bl.op3
new file mode 100644
index 0000000..958774f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2007-bl.op3
@@ -0,0 +1,24 @@
+Z1Z1 = Z1^2
+U2 = X2*Z1Z1
+t0 = Z1*Z1Z1
+S2 = Y2*t0
+H = U2-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t1 = S2-Y1
+r = 2*t1
+V = X1*I
+t2 = r^2
+t3 = 2*V
+t4 = t2-J
+X3 = t4-t3
+t5 = V-X3
+t6 = Y1*J
+t7 = 2*t6
+t8 = r*t5
+Y3 = t8-t7
+t9 = Z1+H
+t10 = t9^2
+t11 = t10-Z1Z1
+Z3 = t11-HH
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2008-g b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2008-g
new file mode 100644
index 0000000..7c5f660
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2008-g
@@ -0,0 +1,20 @@
+source 2008 Giessmann
+assume Z2=1
+compute T1 = Z1^2
+compute T2 = T1 Z1
+compute T1 = T1 X2
+compute T2 = T2 Y2
+compute T1 = X1-T1
+compute T2 = T2-Y1
+compute Z3 = Z1 T1
+compute T4 = T1^2
+compute T1 = T1 T4
+compute T4 = T4 X1
+compute X3 = T2^2
+compute X3 = X3+T1
+compute Y3 = T1 Y1
+compute T1 = 2 T4
+compute X3 = X3-T1
+compute T4 = X3-T4
+compute T4 = T4 T2
+compute Y3 = T4-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2008-g.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2008-g.op3
new file mode 100644
index 0000000..c0552ea
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd-2008-g.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1*Z1
+T1 = T1*X2
+T2 = T2*Y2
+T1 = X1-T1
+T2 = T2-Y1
+Z3 = Z1*T1
+T4 = T1^2
+T1 = T1*T4
+T4 = T4*X1
+X3 = T2^2
+X3 = X3+T1
+Y3 = T1*Y1
+T1 = 2*T4
+X3 = X3-T1
+T4 = X3-T4
+T4 = T4*T2
+Y3 = T4-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/madd.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd.op3
new file mode 100644
index 0000000..e33baa2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/madd.op3
@@ -0,0 +1,22 @@
+Z1Z1 = Z1^2
+U2 = X2*Z1Z1
+t0 = Z1*Z1Z1
+S2 = Y2*t0
+H = U2-X1
+t1 = 2*H
+I = t1^2
+J = H*I
+t2 = S2-Y1
+r = 2*t2
+V = X1*I
+t3 = r^2
+t4 = 2*V
+t5 = t3-J
+X3 = t5-t4
+t6 = V-X3
+t7 = Y1*J
+t8 = 2*t7
+t9 = r*t6
+Y3 = t9-t8
+t10 = Z1*H
+Z3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/mmadd-2007-bl b/pyecsca/ec/efd/shortw/jacobian-3/addition/mmadd-2007-bl
new file mode 100644
index 0000000..e11d9e4
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/mmadd-2007-bl
@@ -0,0 +1,12 @@
+source 2007 Bernstein--Lange
+assume Z1=1
+assume Z2=1
+compute H = X2-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2 (Y2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = 2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/mmadd-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/mmadd-2007-bl.op3
new file mode 100644
index 0000000..e91cc9f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/mmadd-2007-bl.op3
@@ -0,0 +1,17 @@
+H = X2-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t0 = Y2-Y1
+r = 2*t0
+V = X1*I
+t1 = r^2
+t2 = 2*V
+t3 = t1-J
+X3 = t3-t2
+t4 = V-X3
+t5 = Y1*J
+t6 = 2*t5
+t7 = r*t4
+Y3 = t7-t6
+Z3 = 2*H
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/zadd-2007-m b/pyecsca/ec/efd/shortw/jacobian-3/addition/zadd-2007-m
new file mode 100644
index 0000000..417ef26
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/zadd-2007-m
@@ -0,0 +1,9 @@
+source 2007 Meloni "New point addition formulae for ECC applications", page 192
+assume Z1 = Z2
+compute A = (X2-X1)^2
+compute B = X1 A
+compute C = X2 A
+compute D = (Y2-Y1)^2
+compute X3 = D-B-C
+compute Y3 = (Y2-Y1)(B-X3)-Y1(C-B)
+compute Z3 = Z1(X2-X1)
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/addition/zadd-2007-m.op3 b/pyecsca/ec/efd/shortw/jacobian-3/addition/zadd-2007-m.op3
new file mode 100644
index 0000000..afefe88
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/addition/zadd-2007-m.op3
@@ -0,0 +1,16 @@
+t0 = X2-X1
+A = t0^2
+B = X1*A
+C = X2*A
+t1 = Y2-Y1
+D = t1^2
+t2 = D-B
+X3 = t2-C
+t3 = Y2-Y1
+t4 = B-X3
+t5 = C-B
+t6 = Y1*t5
+t7 = t3*t4
+Y3 = t7-t6
+t8 = X2-X1
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc
new file mode 100644
index 0000000..56fa583
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc
@@ -0,0 +1,7 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.2ii)
+compute S = 4 X1 Y1^2
+compute M = 3 X1^2+a Z1^4
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc-2 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc-2
new file mode 100644
index 0000000..5a973d1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc-2
@@ -0,0 +1,8 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.2ii) modified as indicated after "It is even smarter ..."
+appliesto jacobian-3
+compute S = 4 X1 Y1^2
+compute M = 3(X1-Z1^2)(X1+Z1^2)
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc-2.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc-2.op3
new file mode 100644
index 0000000..97715bf
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc-2.op3
@@ -0,0 +1,20 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = Z1^2
+t3 = Z1^2
+t4 = X1-t2
+t5 = X1+t3
+t6 = t4*t5
+M = 3*t6
+t7 = M^2
+t8 = 2*S
+T = t7-t8
+X3 = T
+t9 = S-T
+t10 = Y1^4
+t11 = 8*t10
+t12 = M*t9
+Y3 = t12-t11
+t13 = Y1*Z1
+Z3 = 2*t13
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc.op3
new file mode 100644
index 0000000..7d564ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1986-cc.op3
@@ -0,0 +1,19 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = X1^2
+t3 = Z1^4
+t4 = a*t3
+t5 = 3*t2
+M = t5+t4
+t6 = M^2
+t7 = 2*S
+T = t6-t7
+X3 = T
+t8 = S-T
+t9 = Y1^4
+t10 = 8*t9
+t11 = M*t8
+Y3 = t11-t10
+t12 = Y1*Z1
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo
new file mode 100644
index 0000000..448809a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo
@@ -0,0 +1,7 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (6)
+compute S = 4 X1 Y1^2
+compute M = 3 X1^2+a Z1^4
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..3757742
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo-2
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (6), plus common-subexpression elimination
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute S = 4 X1 YY
+compute M = 3 XX+a ZZ^2
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 YY^2
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..0e80d93
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,20 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+t0 = X1*YY
+S = 4*t0
+t1 = ZZ^2
+t2 = a*t1
+t3 = 3*XX
+M = t3+t2
+t4 = M^2
+t5 = 2*S
+T = t4-t5
+X3 = T
+t6 = S-T
+t7 = YY^2
+t8 = 8*t7
+t9 = M*t6
+Y3 = t9-t8
+t10 = Y1*Z1
+Z3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo.op3
new file mode 100644
index 0000000..7d564ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-cmo.op3
@@ -0,0 +1,19 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = X1^2
+t3 = Z1^4
+t4 = a*t3
+t5 = 3*t2
+M = t5+t4
+t6 = M^2
+t7 = 2*S
+T = t6-t7
+X3 = T
+t8 = S-T
+t9 = Y1^4
+t10 = 8*t9
+t11 = M*t8
+Y3 = t11-t10
+t12 = Y1*Z1
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm
new file mode 100644
index 0000000..67375ba
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm
@@ -0,0 +1,29 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+parameter half
+assume half*2=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = R3^2
+compute R3 = R2 R3
+compute R3 = 2 R3
+compute R4 = R4^2
+compute R4 = a R4
+compute R5 = R1^2
+compute R4 = R4+R5
+compute R5 = 2 R5
+compute R4 = R4+R5
+compute R2 = 2 R2
+compute R2 = R2^2
+compute R5 = R2^2
+compute R5 = half R5
+compute R2 = R2 R1
+compute R1 = R4^2
+compute R1 = R1-R2
+compute R1 = R1-R2
+compute R2 = R2-R1
+compute R2 = R2 R4
+compute R2 = R2-R5
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm-2 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm-2
new file mode 100644
index 0000000..ead1425
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm-2
@@ -0,0 +1,29 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+appliesto jacobian-3
+parameter half
+assume 2*half=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = R3^2
+compute R3 = R2 R3
+compute R3 = 2 R3
+compute R5 = R1-R4
+compute R4 = R1+R4
+compute R5 = R4 R5
+compute R4 = 2 R5
+compute R4 = R4+R5
+compute R2 = 2 R2
+compute R2 = R2^2
+compute R5 = R2^2
+compute R5 = half R5
+compute R2 = R2 R1
+compute R1 = R4^2
+compute R1 = R1-R2
+compute R1 = R1-R2
+compute R2 = R2-R1
+compute R2 = R2 R4
+compute R2 = R2-R5
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm-2.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm-2.op3
new file mode 100644
index 0000000..260c5d5
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm-2.op3
@@ -0,0 +1,25 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = R3^2
+R3 = R2*R3
+R3 = 2*R3
+R5 = R1-R4
+R4 = R1+R4
+R5 = R4*R5
+R4 = 2*R5
+R4 = R4+R5
+R2 = 2*R2
+R2 = R2^2
+R5 = R2^2
+R5 = half*R5
+R2 = R2*R1
+R1 = R4^2
+R1 = R1-R2
+R1 = R1-R2
+R2 = R2-R1
+R2 = R2*R4
+R2 = R2-R5
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm.op3
new file mode 100644
index 0000000..003affc
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-1998-hnm.op3
@@ -0,0 +1,26 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = R3^2
+R3 = R2*R3
+R3 = 2*R3
+R4 = R4^2
+R4 = a*R4
+R5 = R1^2
+R4 = R4+R5
+R5 = 2*R5
+R4 = R4+R5
+R2 = 2*R2
+R2 = R2^2
+R5 = R2^2
+R5 = half*R5
+R2 = R2*R1
+R1 = R4^2
+R1 = R1-R2
+R1 = R1-R2
+R2 = R2-R1
+R2 = R2*R4
+R2 = R2-R5
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2001-b b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2001-b
new file mode 100644
index 0000000..a13f718
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2001-b
@@ -0,0 +1,9 @@
+source 2001 Bernstein "A software implementation of NIST P-224"
+appliesto jacobian-3
+compute delta = Z1^2
+compute gamma = Y1^2
+compute beta = X1 gamma
+compute alpha = 3 (X1-delta) (X1+delta)
+compute X3 = alpha^2-8 beta
+compute Z3 = (Y1+Z1)^2-gamma-delta
+compute Y3 = alpha (4 beta-X3)-8 gamma^2
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2001-b.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2001-b.op3
new file mode 100644
index 0000000..42e3a9a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2001-b.op3
@@ -0,0 +1,20 @@
+delta = Z1^2
+gamma = Y1^2
+beta = X1*gamma
+t0 = X1-delta
+t1 = X1+delta
+t2 = t0*t1
+alpha = 3*t2
+t3 = alpha^2
+t4 = 8*beta
+X3 = t3-t4
+t5 = Y1+Z1
+t6 = t5^2
+t7 = t6-gamma
+Z3 = t7-delta
+t8 = 4*beta
+t9 = t8-X3
+t10 = gamma^2
+t11 = 8*t10
+t12 = alpha*t9
+Y3 = t12-t11
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2004-hmv b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2004-hmv
new file mode 100644
index 0000000..f8902a4
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2004-hmv
@@ -0,0 +1,21 @@
+source 2004 Hankerson--Menezes--Vanstone, page 91
+appliesto jacobian-3
+parameter half
+assume 2*half = 1
+compute T1 = Z1^2
+compute T2 = X1-T1
+compute T1 = X1+T1
+compute T2 = T2 T1
+compute T2 = 3 T2
+compute Y3 = 2 Y1
+compute Z3 = Y3 Z1
+compute Y3 = Y3^2
+compute T3 = Y3 X1
+compute Y3 = Y3^2
+compute Y3 = half Y3
+compute X3 = T2^2
+compute T1 = 2 T3
+compute X3 = X3-T1
+compute T1 = T3-X3
+compute T1 = T1 T2
+compute Y3 = T1-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2004-hmv.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2004-hmv.op3
new file mode 100644
index 0000000..cb78707
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2004-hmv.op3
@@ -0,0 +1,17 @@
+T1 = Z1^2
+T2 = X1-T1
+T1 = X1+T1
+T2 = T2*T1
+T2 = 3*T2
+Y3 = 2*Y1
+Z3 = Y3*Z1
+Y3 = Y3^2
+T3 = Y3*X1
+Y3 = Y3^2
+Y3 = half*Y3
+X3 = T2^2
+T1 = 2*T3
+X3 = X3-T1
+T1 = T3-X3
+T1 = T1*T2
+Y3 = T1-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2007-bl b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2007-bl
new file mode 100644
index 0000000..e6ae5c6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute YYYY = YY^2
+compute ZZ = Z1^2
+compute S = 2 ((X1+YY)^2-XX-YYYY)
+compute M = 3 XX+a ZZ^2
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 YYYY
+compute Z3 = (Y1+Z1)^2-YY-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..7f76b36
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/dbl-2007-bl.op3
@@ -0,0 +1,25 @@
+XX = X1^2
+YY = Y1^2
+YYYY = YY^2
+ZZ = Z1^2
+t0 = X1+YY
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-YYYY
+S = 2*t3
+t4 = ZZ^2
+t5 = a*t4
+t6 = 3*XX
+M = t6+t5
+t7 = M^2
+t8 = 2*S
+T = t7-t8
+X3 = T
+t9 = S-T
+t10 = 8*YYYY
+t11 = M*t9
+Y3 = t11-t10
+t12 = Y1+Z1
+t13 = t12^2
+t14 = t13-YY
+Z3 = t14-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/mdbl-2007-bl b/pyecsca/ec/efd/shortw/jacobian-3/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..5e3e22e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/mdbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+assume Z1=1
+compute XX = X1^2
+compute YY = Y1^2
+compute YYYY = YY^2
+compute S = 2((X1+YY)^2-XX-YYYY)
+compute M = 3 XX+a
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 YYYY
+compute Z3 = 2 Y1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-3/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..df25bc2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,19 @@
+XX = X1^2
+YY = Y1^2
+YYYY = YY^2
+t0 = X1+YY
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-YYYY
+S = 2*t3
+t4 = 3*XX
+M = t4+a
+t5 = M^2
+t6 = 2*S
+T = t5-t6
+X3 = T
+t7 = S-T
+t8 = 8*YYYY
+t9 = M*t7
+Y3 = t9-t8
+Z3 = 2*Y1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/scaling/z b/pyecsca/ec/efd/shortw/jacobian-3/scaling/z
new file mode 100644
index 0000000..1e19284
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/scaling/z
@@ -0,0 +1,5 @@
+compute A = 1/Z1
+compute AA = A^2
+compute X3 = X1*AA
+compute Y3 = Y1*AA*A
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/scaling/z.op3 b/pyecsca/ec/efd/shortw/jacobian-3/scaling/z.op3
new file mode 100644
index 0000000..61856ec
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/scaling/z.op3
@@ -0,0 +1,6 @@
+A = 1/Z1
+AA = A^2
+X3 = X1*AA
+t0 = AA*A
+Y3 = Y1*t0
+Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim
new file mode 100644
index 0000000..a9c6d71
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim
@@ -0,0 +1,7 @@
+source 2005 Dimitrov--Imbert--Mishra
+compute M = 3 X1^2+a Z1^4
+compute E = 12 X1 Y1^2-M^2
+compute T = 8 Y1^4
+compute X3 = 8 Y1^2 (T-M E)+X1 E^2
+compute Y3 = Y1 (4 (M E-T) (2 T-M E)-E^3)
+compute Z3 = Z1 E
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim-2 b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim-2
new file mode 100644
index 0000000..9eb1356
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim-2
@@ -0,0 +1,13 @@
+source 2005 Dimitrov--Imbert--Mishra, plus common-subexpression elimination
+compute ZZ = Z1^2
+compute YY = Y1^2
+compute C = 2 YY
+compute M = 3 X1^2+a ZZ^2
+compute E = 6 X1 C-M^2
+compute EE = E^2
+compute T = 2 C^2
+compute U = M E-T
+compute U4 = 4 U
+compute X3 = X1 EE-C U4
+compute Y3 = Y1 (U4 (T-U)-E EE)
+compute Z3 = Z1 E
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim-2.op3 b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim-2.op3
new file mode 100644
index 0000000..3d3ae16
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim-2.op3
@@ -0,0 +1,27 @@
+ZZ = Z1^2
+YY = Y1^2
+C = 2*YY
+t0 = X1^2
+t1 = ZZ^2
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = M^2
+t5 = X1*C
+t6 = 6*t5
+E = t6-t4
+EE = E^2
+t7 = C^2
+T = 2*t7
+t8 = M*E
+U = t8-T
+U4 = 4*U
+t9 = C*U4
+t10 = X1*EE
+X3 = t10-t9
+t11 = T-U
+t12 = E*EE
+t13 = U4*t11
+t14 = t13-t12
+Y3 = Y1*t14
+Z3 = Z1*E
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim.op3 b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim.op3
new file mode 100644
index 0000000..a20c4fd
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2005-dim.op3
@@ -0,0 +1,31 @@
+t0 = X1^2
+t1 = Z1^4
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = Y1^2
+t5 = M^2
+t6 = X1*t4
+t7 = 12*t6
+E = t7-t5
+t8 = Y1^4
+T = 8*t8
+t9 = M*E
+t10 = T-t9
+t11 = Y1^2
+t12 = E^2
+t13 = X1*t12
+t14 = t11*t10
+t15 = 8*t14
+X3 = t15+t13
+t16 = M*E
+t17 = 2*T
+t18 = M*E
+t19 = t18-T
+t20 = t17-t16
+t21 = E^3
+t22 = t19*t20
+t23 = 4*t22
+t24 = t23-t21
+Y3 = Y1*t24
+Z3 = Z1*E
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl
new file mode 100644
index 0000000..ad53ad1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute YYYY = YY^2
+compute M = 3 XX+a ZZ^2
+compute MM = M^2
+compute E = 6 ((X1+YY)^2-XX-YYYY)-MM
+compute EE = E^2
+compute T = 16 YYYY
+compute U = (M+E)^2-MM-EE-T
+compute X3 = 4 (X1 EE-4 YY U)
+compute Y3 = 8 Y1 (U (T-U)-E EE)
+compute Z3 = (Z1+E)^2-ZZ-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl-2 b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl-2
new file mode 100644
index 0000000..b76f081
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl-2
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+appliesto jacobian-3
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute YYYY = YY^2
+compute M = 3 (X1-ZZ) (X1+ZZ)
+compute MM = M^2
+compute E = 12 X1 YY-MM
+compute EE = E^2
+compute T = 16 YYYY
+compute U = (M+E)^2-MM-EE-T
+compute X3 = 4 (X1 EE-4 YY U)
+compute Y3 = 8 Y1 (U (T-U)-E EE)
+compute Z3 = (Z1+E)^2-ZZ-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl-2.op3 b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl-2.op3
new file mode 100644
index 0000000..f10d8b4
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl-2.op3
@@ -0,0 +1,33 @@
+YY = Y1^2
+ZZ = Z1^2
+YYYY = YY^2
+t0 = X1-ZZ
+t1 = X1+ZZ
+t2 = t0*t1
+M = 3*t2
+MM = M^2
+t3 = X1*YY
+t4 = 12*t3
+E = t4-MM
+EE = E^2
+T = 16*YYYY
+t5 = M+E
+t6 = t5^2
+t7 = t6-MM
+t8 = t7-EE
+U = t8-T
+t9 = YY*U
+t10 = 4*t9
+t11 = X1*EE
+t12 = t11-t10
+X3 = 4*t12
+t13 = T-U
+t14 = E*EE
+t15 = U*t13
+t16 = t15-t14
+t17 = Y1*t16
+Y3 = 8*t17
+t18 = Z1+E
+t19 = t18^2
+t20 = t19-ZZ
+Z3 = t20-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl.op3
new file mode 100644
index 0000000..5a1cda6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/tripling/tpl-2007-bl.op3
@@ -0,0 +1,37 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+YYYY = YY^2
+t0 = ZZ^2
+t1 = a*t0
+t2 = 3*XX
+M = t2+t1
+MM = M^2
+t3 = X1+YY
+t4 = t3^2
+t5 = t4-XX
+t6 = t5-YYYY
+t7 = 6*t6
+E = t7-MM
+EE = E^2
+T = 16*YYYY
+t8 = M+E
+t9 = t8^2
+t10 = t9-MM
+t11 = t10-EE
+U = t11-T
+t12 = YY*U
+t13 = 4*t12
+t14 = X1*EE
+t15 = t14-t13
+X3 = 4*t15
+t16 = T-U
+t17 = E*EE
+t18 = U*t16
+t19 = t18-t17
+t20 = Y1*t19
+Y3 = 8*t20
+t21 = Z1+E
+t22 = t21^2
+t23 = t22-ZZ
+Z3 = t23-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian-3/variables b/pyecsca/ec/efd/shortw/jacobian-3/variables
new file mode 100644
index 0000000..cddb049
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian-3/variables
@@ -0,0 +1,7 @@
+name Jacobian coordinates with a4=-3
+assume a = -3
+variable X
+variable Y
+variable Z
+satisfying x = X/Z^2
+satisfying y = Y/Z^3
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1986-cc b/pyecsca/ec/efd/shortw/jacobian/addition/add-1986-cc
new file mode 100644
index 0000000..af536a1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1986-cc
@@ -0,0 +1,10 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.3i)
+compute U1 = X1 Z2^2
+compute U2 = X2 Z1^2
+compute S1 = Y1 Z2^3
+compute S2 = Y2 Z1^3
+compute P = U2-U1
+compute R = S2-S1
+compute X3 = R^2-(U1+U2) P^2
+compute Y3 = R (U1 P^2-X3)-S1 P^3
+compute Z3 = Z1 Z2 P
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1986-cc.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/add-1986-cc.op3
new file mode 100644
index 0000000..9774366
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1986-cc.op3
@@ -0,0 +1,24 @@
+t0 = Z2^2
+U1 = X1*t0
+t1 = Z1^2
+U2 = X2*t1
+t2 = Z2^3
+S1 = Y1*t2
+t3 = Z1^3
+S2 = Y2*t3
+P = U2-U1
+R = S2-S1
+t4 = U1+U2
+t5 = R^2
+t6 = P^2
+t7 = t4*t6
+X3 = t5-t7
+t8 = P^2
+t9 = U1*t8
+t10 = t9-X3
+t11 = P^3
+t12 = S1*t11
+t13 = R*t10
+Y3 = t13-t12
+t14 = Z2*P
+Z3 = Z1*t14
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo
new file mode 100644
index 0000000..b312a77
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (5)
+compute U1 = X1 Z2^2
+compute U2 = X2 Z1^2
+compute S1 = Y1 Z2^3
+compute S2 = Y2 Z1^3
+compute H = U2-U1
+compute r = S2-S1
+compute X3 = r^2-H^3-2 U1 H^2
+compute Y3 = r (U1 H^2-X3)-S1 H^3
+compute Z3 = Z1 Z2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo-2
new file mode 100644
index 0000000..acef19d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo-2
@@ -0,0 +1,15 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (5), plus common-subexpression elimination
+compute Z1Z1 = Z1^2
+compute Z2Z2 = Z2^2
+compute U1 = X1 Z2Z2
+compute U2 = X2 Z1Z1
+compute S1 = Y1 Z2 Z2Z2
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-U1
+compute HH = H^2
+compute HHH = H HH
+compute r = S2-S1
+compute V = U1 HH
+compute X3 = r^2-HHH-2 V
+compute Y3 = r (V-X3)-S1 HHH
+compute Z3 = Z1 Z2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..439ab62
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo-2.op3
@@ -0,0 +1,23 @@
+Z1Z1 = Z1^2
+Z2Z2 = Z2^2
+U1 = X1*Z2Z2
+U2 = X2*Z1Z1
+t0 = Z2*Z2Z2
+S1 = Y1*t0
+t1 = Z1*Z1Z1
+S2 = Y2*t1
+H = U2-U1
+HH = H^2
+HHH = H*HH
+r = S2-S1
+V = U1*HH
+t2 = r^2
+t3 = 2*V
+t4 = t2-HHH
+X3 = t4-t3
+t5 = V-X3
+t6 = S1*HHH
+t7 = r*t5
+Y3 = t7-t6
+t8 = Z2*H
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo.op3
new file mode 100644
index 0000000..2721e20
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-cmo.op3
@@ -0,0 +1,26 @@
+t0 = Z2^2
+U1 = X1*t0
+t1 = Z1^2
+U2 = X2*t1
+t2 = Z2^3
+S1 = Y1*t2
+t3 = Z1^3
+S2 = Y2*t3
+H = U2-U1
+r = S2-S1
+t4 = r^2
+t5 = H^3
+t6 = H^2
+t7 = U1*t6
+t8 = 2*t7
+t9 = t4-t5
+X3 = t9-t8
+t10 = H^2
+t11 = U1*t10
+t12 = t11-X3
+t13 = H^3
+t14 = S1*t13
+t15 = r*t12
+Y3 = t15-t14
+t16 = Z2*H
+Z3 = Z1*t16
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-hnm b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-hnm
new file mode 100644
index 0000000..ebace0d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-hnm
@@ -0,0 +1,39 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+parameter half
+assume half*2=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = X2
+compute R5 = Y2
+compute R6 = Z2
+compute R7 = R6^2
+compute R1 = R1 R7
+compute R7 = R6 R7
+compute R2 = R2 R7
+compute R7 = R3^2
+compute R8 = R4 R7
+compute R7 = R3 R7
+compute R7 = R5 R7
+compute R2 = R2-R7
+compute R7 = 2 R7
+compute R7 = R2+R7
+compute R1 = R1-R8
+compute R8 = 2 R8
+compute R8 = R1+R8
+compute R3 = R3 R6
+compute R3 = R3 R1
+compute R7 = R7 R1
+compute R1 = R1^2
+compute R8 = R8 R1
+compute R7 = R7 R1
+compute R1 = R2^2
+compute R1 = R1-R8
+compute R8 = R8-R1
+compute R8 = R8-R1
+compute R8 = R8 R2
+compute R2 = R8-R7
+compute R2 = half R2
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-hnm.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-hnm.op3
new file mode 100644
index 0000000..5817e98
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-1998-hnm.op3
@@ -0,0 +1,36 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = X2
+R5 = Y2
+R6 = Z2
+R7 = R6^2
+R1 = R1*R7
+R7 = R6*R7
+R2 = R2*R7
+R7 = R3^2
+R8 = R4*R7
+R7 = R3*R7
+R7 = R5*R7
+R2 = R2-R7
+R7 = 2*R7
+R7 = R2+R7
+R1 = R1-R8
+R8 = 2*R8
+R8 = R1+R8
+R3 = R3*R6
+R3 = R3*R1
+R7 = R7*R1
+R1 = R1^2
+R8 = R8*R1
+R7 = R7*R1
+R1 = R2^2
+R1 = R1-R8
+R8 = R8-R1
+R8 = R8-R1
+R8 = R8*R2
+R2 = R8-R7
+R2 = half*R2
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-2001-b b/pyecsca/ec/efd/shortw/jacobian/addition/add-2001-b
new file mode 100644
index 0000000..b6a403d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-2001-b
@@ -0,0 +1,18 @@
+source 2001 Bernstein http://cr.yp.to/nistp224.html opt-idea53.c ecadd
+compute ZZ1 = Z1^2
+compute ZZZ1 = Z1 ZZ1
+compute ZZ2 = Z2^2
+compute ZZZ2 = Z2 ZZ2
+compute A = X1 ZZ2
+compute B = X2 ZZ1 -A
+compute c = Y1 ZZZ2
+compute d = Y2 ZZZ1 -c
+compute e = B^2
+compute f = B e
+compute g = A e
+compute h = Z1 Z2
+compute f2g = 2 g+f
+compute X3 = d^2-f2g
+compute Z3 = B h
+compute gx = g-X3
+compute Y3 = d gx-c f
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-2001-b.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/add-2001-b.op3
new file mode 100644
index 0000000..6f362a2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-2001-b.op3
@@ -0,0 +1,23 @@
+ZZ1 = Z1^2
+ZZZ1 = Z1*ZZ1
+ZZ2 = Z2^2
+ZZZ2 = Z2*ZZ2
+A = X1*ZZ2
+t0 = X2*ZZ1
+B = t0-A
+c = Y1*ZZZ2
+t1 = Y2*ZZZ1
+d = t1-c
+e = B^2
+f = B*e
+g = A*e
+h = Z1*Z2
+t2 = 2*g
+f2g = t2+f
+t3 = d^2
+X3 = t3-f2g
+Z3 = B*h
+gx = g-X3
+t4 = c*f
+t5 = d*gx
+Y3 = t5-t4
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-2007-bl b/pyecsca/ec/efd/shortw/jacobian/addition/add-2007-bl
new file mode 100644
index 0000000..dc8af68
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-2007-bl
@@ -0,0 +1,15 @@
+source 2007 Bernstein--Lange; note that the improvement from 12M+4S to 11M+5S was already mentioned in 2001 Bernstein http://cr.yp.to/talks.html#2001.10.29
+compute Z1Z1 = Z1^2
+compute Z2Z2 = Z2^2
+compute U1 = X1 Z2Z2
+compute U2 = X2 Z1Z1
+compute S1 = Y1 Z2 Z2Z2
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-U1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2 (S2-S1)
+compute V = U1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 S1 J
+compute Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2) H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/add-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/add-2007-bl.op3
new file mode 100644
index 0000000..89085ff
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/add-2007-bl.op3
@@ -0,0 +1,29 @@
+Z1Z1 = Z1^2
+Z2Z2 = Z2^2
+U1 = X1*Z2Z2
+U2 = X2*Z1Z1
+t0 = Z2*Z2Z2
+S1 = Y1*t0
+t1 = Z1*Z1Z1
+S2 = Y2*t1
+H = U2-U1
+t2 = 2*H
+I = t2^2
+J = H*I
+t3 = S2-S1
+r = 2*t3
+V = U1*I
+t4 = r^2
+t5 = 2*V
+t6 = t4-J
+X3 = t6-t5
+t7 = V-X3
+t8 = S1*J
+t9 = 2*t8
+t10 = r*t7
+Y3 = t10-t9
+t11 = Z1+Z2
+t12 = t11^2
+t13 = t12-Z1Z1
+t14 = t13-Z2Z2
+Z3 = t14*H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd b/pyecsca/ec/efd/shortw/jacobian/addition/madd
new file mode 100644
index 0000000..c4ced5f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd
@@ -0,0 +1,12 @@
+assume Z2=1
+compute Z1Z1 = Z1^2
+compute U2 = X2 Z1Z1
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-X1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2 (S2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = 2 Z1 H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd-2004-hmv b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2004-hmv
new file mode 100644
index 0000000..c6904b6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2004-hmv
@@ -0,0 +1,20 @@
+source 2004 Hankerson--Menezes--Vanstone, page 91
+assume Z2=1
+compute T1 = Z1^2
+compute T2 = T1 Z1
+compute T1 = T1 X2
+compute T2 = T2 Y2
+compute T1 = T1-X1
+compute T2 = T2-Y1
+compute Z3 = Z1 T1
+compute T3 = T1^2
+compute T4 = T3 T1
+compute T3 = T3 X1
+compute T1 = 2 T3
+compute X3 = T2^2
+compute X3 = X3-T1
+compute X3 = X3-T4
+compute T3 = T3-X3
+compute T3 = T3 T2
+compute T4 = T4 Y1
+compute Y3 = T3-T4
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd-2004-hmv.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2004-hmv.op3
new file mode 100644
index 0000000..70a991f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2004-hmv.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1*Z1
+T1 = T1*X2
+T2 = T2*Y2
+T1 = T1-X1
+T2 = T2-Y1
+Z3 = Z1*T1
+T3 = T1^2
+T4 = T3*T1
+T3 = T3*X1
+T1 = 2*T3
+X3 = T2^2
+X3 = X3-T1
+X3 = X3-T4
+T3 = T3-X3
+T3 = T3*T2
+T4 = T4*Y1
+Y3 = T3-T4
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd-2007-bl b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2007-bl
new file mode 100644
index 0000000..92a97af
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+assume Z2=1
+compute Z1Z1 = Z1^2
+compute U2 = X2 Z1Z1
+compute S2 = Y2 Z1 Z1Z1
+compute H = U2-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2 (S2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = (Z1+H)^2-Z1Z1-HH
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2007-bl.op3
new file mode 100644
index 0000000..958774f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2007-bl.op3
@@ -0,0 +1,24 @@
+Z1Z1 = Z1^2
+U2 = X2*Z1Z1
+t0 = Z1*Z1Z1
+S2 = Y2*t0
+H = U2-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t1 = S2-Y1
+r = 2*t1
+V = X1*I
+t2 = r^2
+t3 = 2*V
+t4 = t2-J
+X3 = t4-t3
+t5 = V-X3
+t6 = Y1*J
+t7 = 2*t6
+t8 = r*t5
+Y3 = t8-t7
+t9 = Z1+H
+t10 = t9^2
+t11 = t10-Z1Z1
+Z3 = t11-HH
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd-2008-g b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2008-g
new file mode 100644
index 0000000..7c5f660
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2008-g
@@ -0,0 +1,20 @@
+source 2008 Giessmann
+assume Z2=1
+compute T1 = Z1^2
+compute T2 = T1 Z1
+compute T1 = T1 X2
+compute T2 = T2 Y2
+compute T1 = X1-T1
+compute T2 = T2-Y1
+compute Z3 = Z1 T1
+compute T4 = T1^2
+compute T1 = T1 T4
+compute T4 = T4 X1
+compute X3 = T2^2
+compute X3 = X3+T1
+compute Y3 = T1 Y1
+compute T1 = 2 T4
+compute X3 = X3-T1
+compute T4 = X3-T4
+compute T4 = T4 T2
+compute Y3 = T4-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd-2008-g.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2008-g.op3
new file mode 100644
index 0000000..c0552ea
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd-2008-g.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1*Z1
+T1 = T1*X2
+T2 = T2*Y2
+T1 = X1-T1
+T2 = T2-Y1
+Z3 = Z1*T1
+T4 = T1^2
+T1 = T1*T4
+T4 = T4*X1
+X3 = T2^2
+X3 = X3+T1
+Y3 = T1*Y1
+T1 = 2*T4
+X3 = X3-T1
+T4 = X3-T4
+T4 = T4*T2
+Y3 = T4-Y3
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/madd.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/madd.op3
new file mode 100644
index 0000000..e33baa2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/madd.op3
@@ -0,0 +1,22 @@
+Z1Z1 = Z1^2
+U2 = X2*Z1Z1
+t0 = Z1*Z1Z1
+S2 = Y2*t0
+H = U2-X1
+t1 = 2*H
+I = t1^2
+J = H*I
+t2 = S2-Y1
+r = 2*t2
+V = X1*I
+t3 = r^2
+t4 = 2*V
+t5 = t3-J
+X3 = t5-t4
+t6 = V-X3
+t7 = Y1*J
+t8 = 2*t7
+t9 = r*t6
+Y3 = t9-t8
+t10 = Z1*H
+Z3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/mmadd-2007-bl b/pyecsca/ec/efd/shortw/jacobian/addition/mmadd-2007-bl
new file mode 100644
index 0000000..e11d9e4
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/mmadd-2007-bl
@@ -0,0 +1,12 @@
+source 2007 Bernstein--Lange
+assume Z1=1
+assume Z2=1
+compute H = X2-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2 (Y2-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r (V-X3)-2 Y1 J
+compute Z3 = 2 H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/mmadd-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/mmadd-2007-bl.op3
new file mode 100644
index 0000000..e91cc9f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/mmadd-2007-bl.op3
@@ -0,0 +1,17 @@
+H = X2-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t0 = Y2-Y1
+r = 2*t0
+V = X1*I
+t1 = r^2
+t2 = 2*V
+t3 = t1-J
+X3 = t3-t2
+t4 = V-X3
+t5 = Y1*J
+t6 = 2*t5
+t7 = r*t4
+Y3 = t7-t6
+Z3 = 2*H
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/zadd-2007-m b/pyecsca/ec/efd/shortw/jacobian/addition/zadd-2007-m
new file mode 100644
index 0000000..417ef26
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/zadd-2007-m
@@ -0,0 +1,9 @@
+source 2007 Meloni "New point addition formulae for ECC applications", page 192
+assume Z1 = Z2
+compute A = (X2-X1)^2
+compute B = X1 A
+compute C = X2 A
+compute D = (Y2-Y1)^2
+compute X3 = D-B-C
+compute Y3 = (Y2-Y1)(B-X3)-Y1(C-B)
+compute Z3 = Z1(X2-X1)
diff --git a/pyecsca/ec/efd/shortw/jacobian/addition/zadd-2007-m.op3 b/pyecsca/ec/efd/shortw/jacobian/addition/zadd-2007-m.op3
new file mode 100644
index 0000000..afefe88
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/addition/zadd-2007-m.op3
@@ -0,0 +1,16 @@
+t0 = X2-X1
+A = t0^2
+B = X1*A
+C = X2*A
+t1 = Y2-Y1
+D = t1^2
+t2 = D-B
+X3 = t2-C
+t3 = Y2-Y1
+t4 = B-X3
+t5 = C-B
+t6 = Y1*t5
+t7 = t3*t4
+Y3 = t7-t6
+t8 = X2-X1
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1986-cc b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1986-cc
new file mode 100644
index 0000000..56fa583
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1986-cc
@@ -0,0 +1,7 @@
+source 1986 Chudnovsky--Chudnovsky "Sequences of numbers generated by addition in formal groups and new primality and factorization tests", page 414, formula (4.2ii)
+compute S = 4 X1 Y1^2
+compute M = 3 X1^2+a Z1^4
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1986-cc.op3 b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1986-cc.op3
new file mode 100644
index 0000000..7d564ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1986-cc.op3
@@ -0,0 +1,19 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = X1^2
+t3 = Z1^4
+t4 = a*t3
+t5 = 3*t2
+M = t5+t4
+t6 = M^2
+t7 = 2*S
+T = t6-t7
+X3 = T
+t8 = S-T
+t9 = Y1^4
+t10 = 8*t9
+t11 = M*t8
+Y3 = t11-t10
+t12 = Y1*Z1
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo
new file mode 100644
index 0000000..448809a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo
@@ -0,0 +1,7 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (6)
+compute S = 4 X1 Y1^2
+compute M = 3 X1^2+a Z1^4
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 Y1^4
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..3757742
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo-2
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (6), plus common-subexpression elimination
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute S = 4 X1 YY
+compute M = 3 XX+a ZZ^2
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 YY^2
+compute Z3 = 2 Y1 Z1
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..0e80d93
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,20 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+t0 = X1*YY
+S = 4*t0
+t1 = ZZ^2
+t2 = a*t1
+t3 = 3*XX
+M = t3+t2
+t4 = M^2
+t5 = 2*S
+T = t4-t5
+X3 = T
+t6 = S-T
+t7 = YY^2
+t8 = 8*t7
+t9 = M*t6
+Y3 = t9-t8
+t10 = Y1*Z1
+Z3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo.op3 b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo.op3
new file mode 100644
index 0000000..7d564ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-cmo.op3
@@ -0,0 +1,19 @@
+t0 = Y1^2
+t1 = X1*t0
+S = 4*t1
+t2 = X1^2
+t3 = Z1^4
+t4 = a*t3
+t5 = 3*t2
+M = t5+t4
+t6 = M^2
+t7 = 2*S
+T = t6-t7
+X3 = T
+t8 = S-T
+t9 = Y1^4
+t10 = 8*t9
+t11 = M*t8
+Y3 = t11-t10
+t12 = Y1*Z1
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-hnm b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-hnm
new file mode 100644
index 0000000..67375ba
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-hnm
@@ -0,0 +1,29 @@
+source 1998 Hasegawa--Nakajima--Matsui, page 188
+parameter half
+assume half*2=1
+compute R1 = X1
+compute R2 = Y1
+compute R3 = Z1
+compute R4 = R3^2
+compute R3 = R2 R3
+compute R3 = 2 R3
+compute R4 = R4^2
+compute R4 = a R4
+compute R5 = R1^2
+compute R4 = R4+R5
+compute R5 = 2 R5
+compute R4 = R4+R5
+compute R2 = 2 R2
+compute R2 = R2^2
+compute R5 = R2^2
+compute R5 = half R5
+compute R2 = R2 R1
+compute R1 = R4^2
+compute R1 = R1-R2
+compute R1 = R1-R2
+compute R2 = R2-R1
+compute R2 = R2 R4
+compute R2 = R2-R5
+compute X3 = R1
+compute Y3 = R2
+compute Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-hnm.op3 b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-hnm.op3
new file mode 100644
index 0000000..003affc
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-1998-hnm.op3
@@ -0,0 +1,26 @@
+R1 = X1
+R2 = Y1
+R3 = Z1
+R4 = R3^2
+R3 = R2*R3
+R3 = 2*R3
+R4 = R4^2
+R4 = a*R4
+R5 = R1^2
+R4 = R4+R5
+R5 = 2*R5
+R4 = R4+R5
+R2 = 2*R2
+R2 = R2^2
+R5 = R2^2
+R5 = half*R5
+R2 = R2*R1
+R1 = R4^2
+R1 = R1-R2
+R1 = R1-R2
+R2 = R2-R1
+R2 = R2*R4
+R2 = R2-R5
+X3 = R1
+Y3 = R2
+Z3 = R3
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-2007-bl b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-2007-bl
new file mode 100644
index 0000000..e6ae5c6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute YYYY = YY^2
+compute ZZ = Z1^2
+compute S = 2 ((X1+YY)^2-XX-YYYY)
+compute M = 3 XX+a ZZ^2
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M (S-T)-8 YYYY
+compute Z3 = (Y1+Z1)^2-YY-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..7f76b36
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/dbl-2007-bl.op3
@@ -0,0 +1,25 @@
+XX = X1^2
+YY = Y1^2
+YYYY = YY^2
+ZZ = Z1^2
+t0 = X1+YY
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-YYYY
+S = 2*t3
+t4 = ZZ^2
+t5 = a*t4
+t6 = 3*XX
+M = t6+t5
+t7 = M^2
+t8 = 2*S
+T = t7-t8
+X3 = T
+t9 = S-T
+t10 = 8*YYYY
+t11 = M*t9
+Y3 = t11-t10
+t12 = Y1+Z1
+t13 = t12^2
+t14 = t13-YY
+Z3 = t14-ZZ
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/mdbl-2007-bl b/pyecsca/ec/efd/shortw/jacobian/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..5e3e22e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/mdbl-2007-bl
@@ -0,0 +1,11 @@
+source 2007 Bernstein--Lange
+assume Z1=1
+compute XX = X1^2
+compute YY = Y1^2
+compute YYYY = YY^2
+compute S = 2((X1+YY)^2-XX-YYYY)
+compute M = 3 XX+a
+compute T = M^2-2 S
+compute X3 = T
+compute Y3 = M(S-T)-8 YYYY
+compute Z3 = 2 Y1
diff --git a/pyecsca/ec/efd/shortw/jacobian/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..df25bc2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,19 @@
+XX = X1^2
+YY = Y1^2
+YYYY = YY^2
+t0 = X1+YY
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-YYYY
+S = 2*t3
+t4 = 3*XX
+M = t4+a
+t5 = M^2
+t6 = 2*S
+T = t5-t6
+X3 = T
+t7 = S-T
+t8 = 8*YYYY
+t9 = M*t7
+Y3 = t9-t8
+Z3 = 2*Y1
diff --git a/pyecsca/ec/efd/shortw/jacobian/scaling/z b/pyecsca/ec/efd/shortw/jacobian/scaling/z
new file mode 100644
index 0000000..1e19284
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/scaling/z
@@ -0,0 +1,5 @@
+compute A = 1/Z1
+compute AA = A^2
+compute X3 = X1*AA
+compute Y3 = Y1*AA*A
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/jacobian/scaling/z.op3 b/pyecsca/ec/efd/shortw/jacobian/scaling/z.op3
new file mode 100644
index 0000000..61856ec
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/scaling/z.op3
@@ -0,0 +1,6 @@
+A = 1/Z1
+AA = A^2
+X3 = X1*AA
+t0 = AA*A
+Y3 = Y1*t0
+Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim
new file mode 100644
index 0000000..a9c6d71
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim
@@ -0,0 +1,7 @@
+source 2005 Dimitrov--Imbert--Mishra
+compute M = 3 X1^2+a Z1^4
+compute E = 12 X1 Y1^2-M^2
+compute T = 8 Y1^4
+compute X3 = 8 Y1^2 (T-M E)+X1 E^2
+compute Y3 = Y1 (4 (M E-T) (2 T-M E)-E^3)
+compute Z3 = Z1 E
diff --git a/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim-2 b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim-2
new file mode 100644
index 0000000..9eb1356
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim-2
@@ -0,0 +1,13 @@
+source 2005 Dimitrov--Imbert--Mishra, plus common-subexpression elimination
+compute ZZ = Z1^2
+compute YY = Y1^2
+compute C = 2 YY
+compute M = 3 X1^2+a ZZ^2
+compute E = 6 X1 C-M^2
+compute EE = E^2
+compute T = 2 C^2
+compute U = M E-T
+compute U4 = 4 U
+compute X3 = X1 EE-C U4
+compute Y3 = Y1 (U4 (T-U)-E EE)
+compute Z3 = Z1 E
diff --git a/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim-2.op3 b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim-2.op3
new file mode 100644
index 0000000..3d3ae16
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim-2.op3
@@ -0,0 +1,27 @@
+ZZ = Z1^2
+YY = Y1^2
+C = 2*YY
+t0 = X1^2
+t1 = ZZ^2
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = M^2
+t5 = X1*C
+t6 = 6*t5
+E = t6-t4
+EE = E^2
+t7 = C^2
+T = 2*t7
+t8 = M*E
+U = t8-T
+U4 = 4*U
+t9 = C*U4
+t10 = X1*EE
+X3 = t10-t9
+t11 = T-U
+t12 = E*EE
+t13 = U4*t11
+t14 = t13-t12
+Y3 = Y1*t14
+Z3 = Z1*E
diff --git a/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim.op3 b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim.op3
new file mode 100644
index 0000000..a20c4fd
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2005-dim.op3
@@ -0,0 +1,31 @@
+t0 = X1^2
+t1 = Z1^4
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = Y1^2
+t5 = M^2
+t6 = X1*t4
+t7 = 12*t6
+E = t7-t5
+t8 = Y1^4
+T = 8*t8
+t9 = M*E
+t10 = T-t9
+t11 = Y1^2
+t12 = E^2
+t13 = X1*t12
+t14 = t11*t10
+t15 = 8*t14
+X3 = t15+t13
+t16 = M*E
+t17 = 2*T
+t18 = M*E
+t19 = t18-T
+t20 = t17-t16
+t21 = E^3
+t22 = t19*t20
+t23 = 4*t22
+t24 = t23-t21
+Y3 = Y1*t24
+Z3 = Z1*E
diff --git a/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2007-bl b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2007-bl
new file mode 100644
index 0000000..ad53ad1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute YY = Y1^2
+compute ZZ = Z1^2
+compute YYYY = YY^2
+compute M = 3 XX+a ZZ^2
+compute MM = M^2
+compute E = 6 ((X1+YY)^2-XX-YYYY)-MM
+compute EE = E^2
+compute T = 16 YYYY
+compute U = (M+E)^2-MM-EE-T
+compute X3 = 4 (X1 EE-4 YY U)
+compute Y3 = 8 Y1 (U (T-U)-E EE)
+compute Z3 = (Z1+E)^2-ZZ-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2007-bl.op3 b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2007-bl.op3
new file mode 100644
index 0000000..5a1cda6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/tripling/tpl-2007-bl.op3
@@ -0,0 +1,37 @@
+XX = X1^2
+YY = Y1^2
+ZZ = Z1^2
+YYYY = YY^2
+t0 = ZZ^2
+t1 = a*t0
+t2 = 3*XX
+M = t2+t1
+MM = M^2
+t3 = X1+YY
+t4 = t3^2
+t5 = t4-XX
+t6 = t5-YYYY
+t7 = 6*t6
+E = t7-MM
+EE = E^2
+T = 16*YYYY
+t8 = M+E
+t9 = t8^2
+t10 = t9-MM
+t11 = t10-EE
+U = t11-T
+t12 = YY*U
+t13 = 4*t12
+t14 = X1*EE
+t15 = t14-t13
+X3 = 4*t15
+t16 = T-U
+t17 = E*EE
+t18 = U*t16
+t19 = t18-t17
+t20 = Y1*t19
+Y3 = 8*t20
+t21 = Z1+E
+t22 = t21^2
+t23 = t22-ZZ
+Z3 = t23-EE
diff --git a/pyecsca/ec/efd/shortw/jacobian/variables b/pyecsca/ec/efd/shortw/jacobian/variables
new file mode 100644
index 0000000..7258c13
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/jacobian/variables
@@ -0,0 +1,6 @@
+name Jacobian coordinates
+variable X
+variable Y
+variable Z
+satisfying x = X/Z^2
+satisfying y = Y/Z^3
diff --git a/pyecsca/ec/efd/shortw/modified/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/modified/addition/add-1998-cmo-2
new file mode 100644
index 0000000..9801907
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/add-1998-cmo-2
@@ -0,0 +1,17 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (9), plus common-subexpression elimination
+compute ZZ1 = Z1^2
+compute ZZ2 = Z2^2
+compute U1 = X1 ZZ2
+compute U2 = X2 ZZ1
+compute S1 = Y1 Z2 ZZ2
+compute S2 = Y2 Z1 ZZ1
+compute H = U2-U1
+compute HH = H^2
+compute HHH = H HH
+compute r = S2-S1
+compute V = U1 HH
+compute X3 = r^2-HHH-2 V
+compute Y3 = r(V-X3)-S1 HHH
+compute Z3 = Z1 Z2 H
+compute ZZ3 = Z3^2
+compute T3 = a ZZ3^2
diff --git a/pyecsca/ec/efd/shortw/modified/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/modified/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..4a5447e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/add-1998-cmo-2.op3
@@ -0,0 +1,26 @@
+ZZ1 = Z1^2
+ZZ2 = Z2^2
+U1 = X1*ZZ2
+U2 = X2*ZZ1
+t0 = Z2*ZZ2
+S1 = Y1*t0
+t1 = Z1*ZZ1
+S2 = Y2*t1
+H = U2-U1
+HH = H^2
+HHH = H*HH
+r = S2-S1
+V = U1*HH
+t2 = r^2
+t3 = 2*V
+t4 = t2-HHH
+X3 = t4-t3
+t5 = V-X3
+t6 = S1*HHH
+t7 = r*t5
+Y3 = t7-t6
+t8 = Z2*H
+Z3 = Z1*t8
+ZZ3 = Z3^2
+t9 = ZZ3^2
+T3 = a*t9
diff --git a/pyecsca/ec/efd/shortw/modified/addition/add-2009-bl b/pyecsca/ec/efd/shortw/modified/addition/add-2009-bl
new file mode 100644
index 0000000..34f85a3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/add-2009-bl
@@ -0,0 +1,17 @@
+source 2009.04.01 Bernstein--Lange
+compute ZZ1 = Z1^2
+compute ZZ2 = Z2^2
+compute U1 = X1 ZZ2
+compute U2 = X2 ZZ1
+compute S1 = Y1 Z2 ZZ2
+compute S2 = Y2 Z1 ZZ1
+compute H = U2-U1
+compute I = (2 H)^2
+compute J = H I
+compute r = 2(S2-S1)
+compute V = U1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r(V-X3)-2 S1 J
+compute Z3 = ((Z1+Z2)^2-ZZ1-ZZ2) H
+compute ZZ3 = Z3^2
+compute T3 = a ZZ3^2
diff --git a/pyecsca/ec/efd/shortw/modified/addition/add-2009-bl.op3 b/pyecsca/ec/efd/shortw/modified/addition/add-2009-bl.op3
new file mode 100644
index 0000000..01e4981
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/add-2009-bl.op3
@@ -0,0 +1,32 @@
+ZZ1 = Z1^2
+ZZ2 = Z2^2
+U1 = X1*ZZ2
+U2 = X2*ZZ1
+t0 = Z2*ZZ2
+S1 = Y1*t0
+t1 = Z1*ZZ1
+S2 = Y2*t1
+H = U2-U1
+t2 = 2*H
+I = t2^2
+J = H*I
+t3 = S2-S1
+r = 2*t3
+V = U1*I
+t4 = r^2
+t5 = 2*V
+t6 = t4-J
+X3 = t6-t5
+t7 = V-X3
+t8 = S1*J
+t9 = 2*t8
+t10 = r*t7
+Y3 = t10-t9
+t11 = Z1+Z2
+t12 = t11^2
+t13 = t12-ZZ1
+t14 = t13-ZZ2
+Z3 = t14*H
+ZZ3 = Z3^2
+t15 = ZZ3^2
+T3 = a*t15
diff --git a/pyecsca/ec/efd/shortw/modified/addition/madd-2009-bl b/pyecsca/ec/efd/shortw/modified/addition/madd-2009-bl
new file mode 100644
index 0000000..24784b0
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/madd-2009-bl
@@ -0,0 +1,14 @@
+source 2009.04.27 Bernstein--Lange
+assume Z2 = 1
+compute ZZ1 = Z1^2
+compute H = X2 ZZ1-X1
+compute HH = H^2
+compute I = 4 HH
+compute J = H I
+compute r = 2(Y2 Z1 ZZ1-Y1)
+compute V = X1 I
+compute X3 = r^2-J-2 V
+compute Y3 = r(V-X3)-2 Y1 J
+compute Z3 = (Z1+H)^2 - ZZ1 - HH
+compute ZZ3 = Z3^2
+compute T3 = a ZZ3^2
diff --git a/pyecsca/ec/efd/shortw/modified/addition/madd-2009-bl.op3 b/pyecsca/ec/efd/shortw/modified/addition/madd-2009-bl.op3
new file mode 100644
index 0000000..0df3bad
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/madd-2009-bl.op3
@@ -0,0 +1,27 @@
+ZZ1 = Z1^2
+t0 = X2*ZZ1
+H = t0-X1
+HH = H^2
+I = 4*HH
+J = H*I
+t1 = Z1*ZZ1
+t2 = Y2*t1
+t3 = t2-Y1
+r = 2*t3
+V = X1*I
+t4 = r^2
+t5 = 2*V
+t6 = t4-J
+X3 = t6-t5
+t7 = V-X3
+t8 = Y1*J
+t9 = 2*t8
+t10 = r*t7
+Y3 = t10-t9
+t11 = Z1+H
+t12 = t11^2
+t13 = t12-ZZ1
+Z3 = t13-HH
+ZZ3 = Z3^2
+t14 = ZZ3^2
+T3 = a*t14
diff --git a/pyecsca/ec/efd/shortw/modified/addition/mmadd-2009-bl b/pyecsca/ec/efd/shortw/modified/addition/mmadd-2009-bl
new file mode 100644
index 0000000..914cc1a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/mmadd-2009-bl
@@ -0,0 +1,14 @@
+source 2009.04.27 Bernstein--Lange
+assume Z1 = 1
+assume Z2 = 1
+compute H = X2-X1
+compute HH = H^2
+compute HHHH = HH^2
+compute Z3 = 2 H
+compute ZZ3 = 4 HH
+compute J = 2 ((H+HH)^2-HH-HHHH)
+compute r = 2(Y2-Y1)
+compute V = X1 ZZ3
+compute X3 = r^2-J-2 V
+compute Y3 = r(V-X3)-2 Y1 J
+compute T3 = 16 a HHHH
diff --git a/pyecsca/ec/efd/shortw/modified/addition/mmadd-2009-bl.op3 b/pyecsca/ec/efd/shortw/modified/addition/mmadd-2009-bl.op3
new file mode 100644
index 0000000..c02e86d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/addition/mmadd-2009-bl.op3
@@ -0,0 +1,24 @@
+H = X2-X1
+HH = H^2
+HHHH = HH^2
+Z3 = 2*H
+ZZ3 = 4*HH
+t0 = H+HH
+t1 = t0^2
+t2 = t1-HH
+t3 = t2-HHHH
+J = 2*t3
+t4 = Y2-Y1
+r = 2*t4
+V = X1*ZZ3
+t5 = r^2
+t6 = 2*V
+t7 = t5-J
+X3 = t7-t6
+t8 = V-X3
+t9 = Y1*J
+t10 = 2*t9
+t11 = r*t8
+Y3 = t11-t10
+t12 = a*HHHH
+T3 = 16*t12
diff --git a/pyecsca/ec/efd/shortw/modified/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/modified/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..98649fa
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/doubling/dbl-1998-cmo-2
@@ -0,0 +1,10 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (10), plus common-subexpression elimination
+compute XX = X1^2
+compute YY = Y1^2
+compute U = 8 YY^2
+compute S = 4 X1 YY
+compute M = 3 XX + T1
+compute X3 = M^2 - 2 S
+compute Y3 = M(S-X3)-U
+compute Z3 = 2 Y1 Z1
+compute T3 = 2 U T1
diff --git a/pyecsca/ec/efd/shortw/modified/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/modified/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..4dd1108
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,18 @@
+XX = X1^2
+YY = Y1^2
+t0 = YY^2
+U = 8*t0
+t1 = X1*YY
+S = 4*t1
+t2 = 3*XX
+M = t2+T1
+t3 = M^2
+t4 = 2*S
+X3 = t3-t4
+t5 = S-X3
+t6 = M*t5
+Y3 = t6-U
+t7 = Y1*Z1
+Z3 = 2*t7
+t8 = U*T1
+T3 = 2*t8
diff --git a/pyecsca/ec/efd/shortw/modified/doubling/dbl-2009-bl b/pyecsca/ec/efd/shortw/modified/doubling/dbl-2009-bl
new file mode 100644
index 0000000..37d2d62
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/doubling/dbl-2009-bl
@@ -0,0 +1,11 @@
+source 2009.04.01 Bernstein--Lange
+compute XX = X1^2
+compute A = 2 Y1^2
+compute AA = A^2
+compute U = 2 AA
+compute S = (X1+A)^2-XX-AA
+compute M = 3 XX + T1
+compute X3 = M^2 - 2 S
+compute Y3 = M(S-X3)-U
+compute Z3 = 2 Y1 Z1
+compute T3 = 2 U T1
diff --git a/pyecsca/ec/efd/shortw/modified/doubling/dbl-2009-bl.op3 b/pyecsca/ec/efd/shortw/modified/doubling/dbl-2009-bl.op3
new file mode 100644
index 0000000..76e93f3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/doubling/dbl-2009-bl.op3
@@ -0,0 +1,21 @@
+XX = X1^2
+t0 = Y1^2
+A = 2*t0
+AA = A^2
+U = 2*AA
+t1 = X1+A
+t2 = t1^2
+t3 = t2-XX
+S = t3-AA
+t4 = 3*XX
+M = t4+T1
+t5 = M^2
+t6 = 2*S
+X3 = t5-t6
+t7 = S-X3
+t8 = M*t7
+Y3 = t8-U
+t9 = Y1*Z1
+Z3 = 2*t9
+t10 = U*T1
+T3 = 2*t10
diff --git a/pyecsca/ec/efd/shortw/modified/doubling/mdbl-2009-bl b/pyecsca/ec/efd/shortw/modified/doubling/mdbl-2009-bl
new file mode 100644
index 0000000..5bab0c6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/doubling/mdbl-2009-bl
@@ -0,0 +1,12 @@
+source 2009.04.27 Bernstein--Lange
+assume Z1 = 1
+compute XX = X1^2
+compute A = 2 Y1^2
+compute AA = A^2
+compute U = 2 AA
+compute S = (X1+A)^2-XX-AA
+compute M = 3 XX + T1
+compute X3 = M^2 - 2 S
+compute Y3 = M(S-X3)-U
+compute Z3 = 2 Y1
+compute T3 = 2 U T1
diff --git a/pyecsca/ec/efd/shortw/modified/doubling/mdbl-2009-bl.op3 b/pyecsca/ec/efd/shortw/modified/doubling/mdbl-2009-bl.op3
new file mode 100644
index 0000000..315b4e9
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/doubling/mdbl-2009-bl.op3
@@ -0,0 +1,20 @@
+XX = X1^2
+t0 = Y1^2
+A = 2*t0
+AA = A^2
+U = 2*AA
+t1 = X1+A
+t2 = t1^2
+t3 = t2-XX
+S = t3-AA
+t4 = 3*XX
+M = t4+T1
+t5 = M^2
+t6 = 2*S
+X3 = t5-t6
+t7 = S-X3
+t8 = M*t7
+Y3 = t8-U
+Z3 = 2*Y1
+t9 = U*T1
+T3 = 2*t9
diff --git a/pyecsca/ec/efd/shortw/modified/variables b/pyecsca/ec/efd/shortw/modified/variables
new file mode 100644
index 0000000..438494c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/modified/variables
@@ -0,0 +1,8 @@
+name modified Jacobian coordinates
+variable X
+variable Y
+variable Z
+variable T
+satisfying x = X/Z^2
+satisfying y = Y/Z^3
+satisfying T = a*Z^4
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo
new file mode 100644
index 0000000..90ac7d9
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo
@@ -0,0 +1,7 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3)
+compute u = Y2 Z1-Y1 Z2
+compute v = X2 Z1-X1 Z2
+compute A = u^2 Z1 Z2-v^3-2 v^2 X1 Z2
+compute X3 = v A
+compute Y3 = u(v^2 X1 Z2-A)-v^3 Y1 Z2
+compute Z3 = v^3 Z1 Z2
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo-2
new file mode 100644
index 0000000..8aabe7d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo-2
@@ -0,0 +1,14 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3), plus common-subexpression elimination
+compute Y1Z2 = Y1 Z2
+compute X1Z2 = X1 Z2
+compute Z1Z2 = Z1 Z2
+compute u = Y2 Z1-Y1Z2
+compute uu = u^2
+compute v = X2 Z1-X1Z2
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1Z2
+compute A = uu Z1Z2-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1Z2
+compute Z3 = vvv Z1Z2
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..8bce53b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo-2.op3
@@ -0,0 +1,21 @@
+Y1Z2 = Y1*Z2
+X1Z2 = X1*Z2
+Z1Z2 = Z1*Z2
+t0 = Y2*Z1
+u = t0-Y1Z2
+uu = u^2
+t1 = X2*Z1
+v = t1-X1Z2
+vv = v^2
+vvv = v*vv
+R = vv*X1Z2
+t2 = 2*R
+t3 = uu*Z1Z2
+t4 = t3-vvv
+A = t4-t2
+X3 = v*A
+t5 = R-A
+t6 = vvv*Y1Z2
+t7 = u*t5
+Y3 = t7-t6
+Z3 = vvv*Z1Z2
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo.op3
new file mode 100644
index 0000000..636efb8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-1998-cmo.op3
@@ -0,0 +1,29 @@
+t0 = Y1*Z2
+t1 = Y2*Z1
+u = t1-t0
+t2 = X1*Z2
+t3 = X2*Z1
+v = t3-t2
+t4 = u^2
+t5 = v^3
+t6 = v^2
+t7 = X1*Z2
+t8 = t6*t7
+t9 = 2*t8
+t10 = Z1*Z2
+t11 = t4*t10
+t12 = t11-t5
+A = t12-t9
+X3 = v*A
+t13 = v^2
+t14 = X1*Z2
+t15 = t13*t14
+t16 = t15-A
+t17 = v^3
+t18 = Y1*Z2
+t19 = t17*t18
+t20 = u*t16
+Y3 = t20-t19
+t21 = v^3
+t22 = Z1*Z2
+Z3 = t21*t22
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj
new file mode 100644
index 0000000..5ee1386
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj
@@ -0,0 +1,16 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", page 339
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute M = S1+S2
+compute R = T^2-U1 U2+a ZZ^2
+compute F = ZZ M
+compute L = M F
+compute G = T L
+compute W = R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-L^2
+compute Z3 = 2 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj-2 b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj-2
new file mode 100644
index 0000000..f66570c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj-2
@@ -0,0 +1,17 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", page 340
+appliesto projective-1
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute M = S1+S2
+compute R = (T-ZZ)(T+ZZ)-U1 U2
+compute F = ZZ M
+compute L = M F
+compute G = T L
+compute W = R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-L^2
+compute Z3 = 2 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj-2.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj-2.op3
new file mode 100644
index 0000000..d7c6b7f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj-2.op3
@@ -0,0 +1,27 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+M = S1+S2
+t0 = T-ZZ
+t1 = T+ZZ
+t2 = U1*U2
+t3 = t0*t1
+R = t3-t2
+F = ZZ*M
+L = M*F
+G = T*L
+t4 = R^2
+W = t4-G
+t5 = F*W
+X3 = 2*t5
+t6 = 2*W
+t7 = G-t6
+t8 = L^2
+t9 = R*t7
+Y3 = t9-t8
+t10 = F^2
+t11 = F*t10
+Z3 = 2*t11
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj.op3
new file mode 100644
index 0000000..106050d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-2002-bj.op3
@@ -0,0 +1,28 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+M = S1+S2
+t0 = T^2
+t1 = ZZ^2
+t2 = a*t1
+t3 = U1*U2
+t4 = t0-t3
+R = t4+t2
+F = ZZ*M
+L = M*F
+G = T*L
+t5 = R^2
+W = t5-G
+t6 = F*W
+X3 = 2*t6
+t7 = 2*W
+t8 = G-t7
+t9 = L^2
+t10 = R*t8
+Y3 = t10-t9
+t11 = F^2
+t12 = F*t11
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-2007-bl b/pyecsca/ec/efd/shortw/projective-1/addition/add-2007-bl
new file mode 100644
index 0000000..59bb96e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-2007-bl
@@ -0,0 +1,18 @@
+source 2007 Bernstein--Lange
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute TT = T^2
+compute M = S1+S2
+compute R = TT-U1 U2+a ZZ^2
+compute F = ZZ M
+compute L = M F
+compute LL = L^2
+compute G = (T+L)^2-TT-LL
+compute W = 2 R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-2 LL
+compute Z3 = 4 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/add-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/add-2007-bl.op3
new file mode 100644
index 0000000..c0ef8ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/add-2007-bl.op3
@@ -0,0 +1,33 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+TT = T^2
+M = S1+S2
+t0 = ZZ^2
+t1 = a*t0
+t2 = U1*U2
+t3 = TT-t2
+R = t3+t1
+F = ZZ*M
+L = M*F
+LL = L^2
+t4 = T+L
+t5 = t4^2
+t6 = t5-TT
+G = t6-LL
+t7 = R^2
+t8 = 2*t7
+W = t8-G
+t9 = F*W
+X3 = 2*t9
+t10 = 2*W
+t11 = G-t10
+t12 = 2*LL
+t13 = R*t11
+Y3 = t13-t12
+t14 = F^2
+t15 = F*t14
+Z3 = 4*t15
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/madd-1998-cmo b/pyecsca/ec/efd/shortw/projective-1/addition/madd-1998-cmo
new file mode 100644
index 0000000..b2e8a01
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/madd-1998-cmo
@@ -0,0 +1,12 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3), plus common-subexpression elimination, plus Z2=1
+assume Z2 = 1
+compute u = Y2 Z1-Y1
+compute uu = u^2
+compute v = X2 Z1-X1
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1
+compute A = uu Z1-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1
+compute Z3 = vvv Z1
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/madd-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/madd-1998-cmo.op3
new file mode 100644
index 0000000..01c5120
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/madd-1998-cmo.op3
@@ -0,0 +1,18 @@
+t0 = Y2*Z1
+u = t0-Y1
+uu = u^2
+t1 = X2*Z1
+v = t1-X1
+vv = v^2
+vvv = v*vv
+R = vv*X1
+t2 = 2*R
+t3 = uu*Z1
+t4 = t3-vvv
+A = t4-t2
+X3 = v*A
+t5 = R-A
+t6 = vvv*Y1
+t7 = u*t5
+Y3 = t7-t6
+Z3 = vvv*Z1
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/mmadd-1998-cmo b/pyecsca/ec/efd/shortw/projective-1/addition/mmadd-1998-cmo
new file mode 100644
index 0000000..b2ed720
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/mmadd-1998-cmo
@@ -0,0 +1,13 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", plus Z1=1, plus Z2=1, plus common-subexpression elimination
+assume Z1 = 1
+assume Z2 = 1
+compute u = Y2-Y1
+compute uu = u^2
+compute v = X2-X1
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1
+compute A = uu-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1
+compute Z3 = vvv
diff --git a/pyecsca/ec/efd/shortw/projective-1/addition/mmadd-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-1/addition/mmadd-1998-cmo.op3
new file mode 100644
index 0000000..81c18df
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/addition/mmadd-1998-cmo.op3
@@ -0,0 +1,15 @@
+u = Y2-Y1
+uu = u^2
+v = X2-X1
+vv = v^2
+vvv = v*vv
+R = vv*X1
+t0 = 2*R
+t1 = uu-vvv
+A = t1-t0
+X3 = v*A
+t2 = R-A
+t3 = vvv*Y1
+t4 = u*t2
+Y3 = t4-t3
+Z3 = vvv
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo
new file mode 100644
index 0000000..3e4fa95
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo
@@ -0,0 +1,8 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (4)
+compute w = a Z1^2+3 X1^2
+compute s = Y1 Z1
+compute B = X1 Y1 s
+compute h = w^2-8 B
+compute X3 = 2 h s
+compute Y3 = w(4 B-h)-8 Y1^2 s^2
+compute Z3 = 8 s^3
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..8434d52
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo-2
@@ -0,0 +1,11 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (4), plus common-subexpression elimination
+compute w = a Z1^2+3 X1^2
+compute s = Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute B = X1 R
+compute h = w^2-8 B
+compute X3 = 2 h s
+compute Y3 = w(4 B-h)-8 R^2
+compute Z3 = 8 sss
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..efd0f9d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,22 @@
+t0 = Z1^2
+t1 = X1^2
+t2 = 3*t1
+t3 = a*t0
+w = t3+t2
+s = Y1*Z1
+ss = s^2
+sss = s*ss
+R = Y1*s
+B = X1*R
+t4 = w^2
+t5 = 8*B
+h = t4-t5
+t6 = h*s
+X3 = 2*t6
+t7 = 4*B
+t8 = t7-h
+t9 = R^2
+t10 = 8*t9
+t11 = w*t8
+Y3 = t11-t10
+Z3 = 8*sss
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo.op3
new file mode 100644
index 0000000..ab986d6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-1998-cmo.op3
@@ -0,0 +1,23 @@
+t0 = Z1^2
+t1 = X1^2
+t2 = 3*t1
+t3 = a*t0
+w = t3+t2
+s = Y1*Z1
+t4 = Y1*s
+B = X1*t4
+t5 = w^2
+t6 = 8*B
+h = t5-t6
+t7 = h*s
+X3 = 2*t7
+t8 = 4*B
+t9 = t8-h
+t10 = Y1^2
+t11 = s^2
+t12 = t10*t11
+t13 = 8*t12
+t14 = w*t9
+Y3 = t14-t13
+t15 = s^3
+Z3 = 8*t15
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-2007-bl b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-2007-bl
new file mode 100644
index 0000000..e962f44
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute ZZ = Z1^2
+compute w = a ZZ+3 XX
+compute s = 2 Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute RR = R^2
+compute B = (X1+R)^2-XX-RR
+compute h = w^2-2 B
+compute X3 = h s
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..76c96f6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/dbl-2007-bl.op3
@@ -0,0 +1,24 @@
+XX = X1^2
+ZZ = Z1^2
+t0 = 3*XX
+t1 = a*ZZ
+w = t1+t0
+t2 = Y1*Z1
+s = 2*t2
+ss = s^2
+sss = s*ss
+R = Y1*s
+RR = R^2
+t3 = X1+R
+t4 = t3^2
+t5 = t4-XX
+B = t5-RR
+t6 = w^2
+t7 = 2*B
+h = t6-t7
+X3 = h*s
+t8 = B-h
+t9 = 2*RR
+t10 = w*t8
+Y3 = t10-t9
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/mdbl-2007-bl b/pyecsca/ec/efd/shortw/projective-1/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..2f5508a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/mdbl-2007-bl
@@ -0,0 +1,13 @@
+source 2007 Bernstein--Lange
+assume Z1 = 1
+compute XX = X1^2
+compute w = a+3 XX
+compute Y1Y1 = Y1^2
+compute R = 2 Y1Y1
+compute sss = 4 Y1 R
+compute RR = R^2
+compute B = (X1+R)^2-XX-RR
+compute h = w^2-2 B
+compute X3 = 2 h Y1
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-1/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective-1/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..193dc77
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,22 @@
+XX = X1^2
+t0 = 3*XX
+w = a+t0
+Y1Y1 = Y1^2
+R = 2*Y1Y1
+t1 = Y1*R
+sss = 4*t1
+RR = R^2
+t2 = X1+R
+t3 = t2^2
+t4 = t3-XX
+B = t4-RR
+t5 = w^2
+t6 = 2*B
+h = t5-t6
+t7 = h*Y1
+X3 = 2*t7
+t8 = B-h
+t9 = 2*RR
+t10 = w*t8
+Y3 = t10-t9
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-1/scaling/z b/pyecsca/ec/efd/shortw/projective-1/scaling/z
new file mode 100644
index 0000000..668bd3b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/scaling/z
@@ -0,0 +1,4 @@
+compute A = 1/Z1
+compute X3 = A X1
+compute Y3 = A Y1
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/projective-1/scaling/z.op3 b/pyecsca/ec/efd/shortw/projective-1/scaling/z.op3
new file mode 100644
index 0000000..c6e9140
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/scaling/z.op3
@@ -0,0 +1,4 @@
+A = 1/Z1
+X3 = A*X1
+Y3 = A*Y1
+Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/projective-1/variables b/pyecsca/ec/efd/shortw/projective-1/variables
new file mode 100644
index 0000000..49b8f7a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-1/variables
@@ -0,0 +1,7 @@
+name projective coordinates with a4=-1
+assume a = -1
+variable X
+variable Y
+variable Z
+satisfying x = X/Z
+satisfying y = Y/Z
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo
new file mode 100644
index 0000000..90ac7d9
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo
@@ -0,0 +1,7 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3)
+compute u = Y2 Z1-Y1 Z2
+compute v = X2 Z1-X1 Z2
+compute A = u^2 Z1 Z2-v^3-2 v^2 X1 Z2
+compute X3 = v A
+compute Y3 = u(v^2 X1 Z2-A)-v^3 Y1 Z2
+compute Z3 = v^3 Z1 Z2
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo-2
new file mode 100644
index 0000000..8aabe7d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo-2
@@ -0,0 +1,14 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3), plus common-subexpression elimination
+compute Y1Z2 = Y1 Z2
+compute X1Z2 = X1 Z2
+compute Z1Z2 = Z1 Z2
+compute u = Y2 Z1-Y1Z2
+compute uu = u^2
+compute v = X2 Z1-X1Z2
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1Z2
+compute A = uu Z1Z2-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1Z2
+compute Z3 = vvv Z1Z2
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..8bce53b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo-2.op3
@@ -0,0 +1,21 @@
+Y1Z2 = Y1*Z2
+X1Z2 = X1*Z2
+Z1Z2 = Z1*Z2
+t0 = Y2*Z1
+u = t0-Y1Z2
+uu = u^2
+t1 = X2*Z1
+v = t1-X1Z2
+vv = v^2
+vvv = v*vv
+R = vv*X1Z2
+t2 = 2*R
+t3 = uu*Z1Z2
+t4 = t3-vvv
+A = t4-t2
+X3 = v*A
+t5 = R-A
+t6 = vvv*Y1Z2
+t7 = u*t5
+Y3 = t7-t6
+Z3 = vvv*Z1Z2
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo.op3
new file mode 100644
index 0000000..636efb8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-1998-cmo.op3
@@ -0,0 +1,29 @@
+t0 = Y1*Z2
+t1 = Y2*Z1
+u = t1-t0
+t2 = X1*Z2
+t3 = X2*Z1
+v = t3-t2
+t4 = u^2
+t5 = v^3
+t6 = v^2
+t7 = X1*Z2
+t8 = t6*t7
+t9 = 2*t8
+t10 = Z1*Z2
+t11 = t4*t10
+t12 = t11-t5
+A = t12-t9
+X3 = v*A
+t13 = v^2
+t14 = X1*Z2
+t15 = t13*t14
+t16 = t15-A
+t17 = v^3
+t18 = Y1*Z2
+t19 = t17*t18
+t20 = u*t16
+Y3 = t20-t19
+t21 = v^3
+t22 = Z1*Z2
+Z3 = t21*t22
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-2002-bj b/pyecsca/ec/efd/shortw/projective-3/addition/add-2002-bj
new file mode 100644
index 0000000..5ee1386
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-2002-bj
@@ -0,0 +1,16 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", page 339
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute M = S1+S2
+compute R = T^2-U1 U2+a ZZ^2
+compute F = ZZ M
+compute L = M F
+compute G = T L
+compute W = R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-L^2
+compute Z3 = 2 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-2002-bj.op3 b/pyecsca/ec/efd/shortw/projective-3/addition/add-2002-bj.op3
new file mode 100644
index 0000000..106050d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-2002-bj.op3
@@ -0,0 +1,28 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+M = S1+S2
+t0 = T^2
+t1 = ZZ^2
+t2 = a*t1
+t3 = U1*U2
+t4 = t0-t3
+R = t4+t2
+F = ZZ*M
+L = M*F
+G = T*L
+t5 = R^2
+W = t5-G
+t6 = F*W
+X3 = 2*t6
+t7 = 2*W
+t8 = G-t7
+t9 = L^2
+t10 = R*t8
+Y3 = t10-t9
+t11 = F^2
+t12 = F*t11
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-2007-bl b/pyecsca/ec/efd/shortw/projective-3/addition/add-2007-bl
new file mode 100644
index 0000000..59bb96e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-2007-bl
@@ -0,0 +1,18 @@
+source 2007 Bernstein--Lange
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute TT = T^2
+compute M = S1+S2
+compute R = TT-U1 U2+a ZZ^2
+compute F = ZZ M
+compute L = M F
+compute LL = L^2
+compute G = (T+L)^2-TT-LL
+compute W = 2 R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-2 LL
+compute Z3 = 4 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/add-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective-3/addition/add-2007-bl.op3
new file mode 100644
index 0000000..c0ef8ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/add-2007-bl.op3
@@ -0,0 +1,33 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+TT = T^2
+M = S1+S2
+t0 = ZZ^2
+t1 = a*t0
+t2 = U1*U2
+t3 = TT-t2
+R = t3+t1
+F = ZZ*M
+L = M*F
+LL = L^2
+t4 = T+L
+t5 = t4^2
+t6 = t5-TT
+G = t6-LL
+t7 = R^2
+t8 = 2*t7
+W = t8-G
+t9 = F*W
+X3 = 2*t9
+t10 = 2*W
+t11 = G-t10
+t12 = 2*LL
+t13 = R*t11
+Y3 = t13-t12
+t14 = F^2
+t15 = F*t14
+Z3 = 4*t15
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/madd-1998-cmo b/pyecsca/ec/efd/shortw/projective-3/addition/madd-1998-cmo
new file mode 100644
index 0000000..b2e8a01
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/madd-1998-cmo
@@ -0,0 +1,12 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3), plus common-subexpression elimination, plus Z2=1
+assume Z2 = 1
+compute u = Y2 Z1-Y1
+compute uu = u^2
+compute v = X2 Z1-X1
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1
+compute A = uu Z1-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1
+compute Z3 = vvv Z1
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/madd-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-3/addition/madd-1998-cmo.op3
new file mode 100644
index 0000000..01c5120
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/madd-1998-cmo.op3
@@ -0,0 +1,18 @@
+t0 = Y2*Z1
+u = t0-Y1
+uu = u^2
+t1 = X2*Z1
+v = t1-X1
+vv = v^2
+vvv = v*vv
+R = vv*X1
+t2 = 2*R
+t3 = uu*Z1
+t4 = t3-vvv
+A = t4-t2
+X3 = v*A
+t5 = R-A
+t6 = vvv*Y1
+t7 = u*t5
+Y3 = t7-t6
+Z3 = vvv*Z1
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/mmadd-1998-cmo b/pyecsca/ec/efd/shortw/projective-3/addition/mmadd-1998-cmo
new file mode 100644
index 0000000..b2ed720
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/mmadd-1998-cmo
@@ -0,0 +1,13 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", plus Z1=1, plus Z2=1, plus common-subexpression elimination
+assume Z1 = 1
+assume Z2 = 1
+compute u = Y2-Y1
+compute uu = u^2
+compute v = X2-X1
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1
+compute A = uu-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1
+compute Z3 = vvv
diff --git a/pyecsca/ec/efd/shortw/projective-3/addition/mmadd-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-3/addition/mmadd-1998-cmo.op3
new file mode 100644
index 0000000..81c18df
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/addition/mmadd-1998-cmo.op3
@@ -0,0 +1,15 @@
+u = Y2-Y1
+uu = u^2
+v = X2-X1
+vv = v^2
+vvv = v*vv
+R = vv*X1
+t0 = 2*R
+t1 = uu-vvv
+A = t1-t0
+X3 = v*A
+t2 = R-A
+t3 = vvv*Y1
+t4 = u*t2
+Y3 = t4-t3
+Z3 = vvv
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo
new file mode 100644
index 0000000..3e4fa95
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo
@@ -0,0 +1,8 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (4)
+compute w = a Z1^2+3 X1^2
+compute s = Y1 Z1
+compute B = X1 Y1 s
+compute h = w^2-8 B
+compute X3 = 2 h s
+compute Y3 = w(4 B-h)-8 Y1^2 s^2
+compute Z3 = 8 s^3
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..8434d52
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo-2
@@ -0,0 +1,11 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (4), plus common-subexpression elimination
+compute w = a Z1^2+3 X1^2
+compute s = Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute B = X1 R
+compute h = w^2-8 B
+compute X3 = 2 h s
+compute Y3 = w(4 B-h)-8 R^2
+compute Z3 = 8 sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..efd0f9d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,22 @@
+t0 = Z1^2
+t1 = X1^2
+t2 = 3*t1
+t3 = a*t0
+w = t3+t2
+s = Y1*Z1
+ss = s^2
+sss = s*ss
+R = Y1*s
+B = X1*R
+t4 = w^2
+t5 = 8*B
+h = t4-t5
+t6 = h*s
+X3 = 2*t6
+t7 = 4*B
+t8 = t7-h
+t9 = R^2
+t10 = 8*t9
+t11 = w*t8
+Y3 = t11-t10
+Z3 = 8*sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo.op3
new file mode 100644
index 0000000..ab986d6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-1998-cmo.op3
@@ -0,0 +1,23 @@
+t0 = Z1^2
+t1 = X1^2
+t2 = 3*t1
+t3 = a*t0
+w = t3+t2
+s = Y1*Z1
+t4 = Y1*s
+B = X1*t4
+t5 = w^2
+t6 = 8*B
+h = t5-t6
+t7 = h*s
+X3 = 2*t7
+t8 = 4*B
+t9 = t8-h
+t10 = Y1^2
+t11 = s^2
+t12 = t10*t11
+t13 = 8*t12
+t14 = w*t9
+Y3 = t14-t13
+t15 = s^3
+Z3 = 8*t15
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl
new file mode 100644
index 0000000..e962f44
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute ZZ = Z1^2
+compute w = a ZZ+3 XX
+compute s = 2 Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute RR = R^2
+compute B = (X1+R)^2-XX-RR
+compute h = w^2-2 B
+compute X3 = h s
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl-2 b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl-2
new file mode 100644
index 0000000..d84e116
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl-2
@@ -0,0 +1,13 @@
+source 2007 Bernstein--Lange
+appliesto projective-3
+compute w = 3(X1-Z1)(X1+Z1)
+compute s = 2 Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute RR = R^2
+compute B = 2 X1 R
+compute h = w^2-2 B
+compute X3 = h s
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl-2.op3 b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl-2.op3
new file mode 100644
index 0000000..8e2f540
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl-2.op3
@@ -0,0 +1,21 @@
+t0 = X1-Z1
+t1 = X1+Z1
+t2 = t0*t1
+w = 3*t2
+t3 = Y1*Z1
+s = 2*t3
+ss = s^2
+sss = s*ss
+R = Y1*s
+RR = R^2
+t4 = X1*R
+B = 2*t4
+t5 = w^2
+t6 = 2*B
+h = t5-t6
+X3 = h*s
+t7 = B-h
+t8 = 2*RR
+t9 = w*t7
+Y3 = t9-t8
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..76c96f6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/dbl-2007-bl.op3
@@ -0,0 +1,24 @@
+XX = X1^2
+ZZ = Z1^2
+t0 = 3*XX
+t1 = a*ZZ
+w = t1+t0
+t2 = Y1*Z1
+s = 2*t2
+ss = s^2
+sss = s*ss
+R = Y1*s
+RR = R^2
+t3 = X1+R
+t4 = t3^2
+t5 = t4-XX
+B = t5-RR
+t6 = w^2
+t7 = 2*B
+h = t6-t7
+X3 = h*s
+t8 = B-h
+t9 = 2*RR
+t10 = w*t8
+Y3 = t10-t9
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/mdbl-2007-bl b/pyecsca/ec/efd/shortw/projective-3/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..2f5508a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/mdbl-2007-bl
@@ -0,0 +1,13 @@
+source 2007 Bernstein--Lange
+assume Z1 = 1
+compute XX = X1^2
+compute w = a+3 XX
+compute Y1Y1 = Y1^2
+compute R = 2 Y1Y1
+compute sss = 4 Y1 R
+compute RR = R^2
+compute B = (X1+R)^2-XX-RR
+compute h = w^2-2 B
+compute X3 = 2 h Y1
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective-3/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..193dc77
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,22 @@
+XX = X1^2
+t0 = 3*XX
+w = a+t0
+Y1Y1 = Y1^2
+R = 2*Y1Y1
+t1 = Y1*R
+sss = 4*t1
+RR = R^2
+t2 = X1+R
+t3 = t2^2
+t4 = t3-XX
+B = t4-RR
+t5 = w^2
+t6 = 2*B
+h = t5-t6
+t7 = h*Y1
+X3 = 2*t7
+t8 = B-h
+t9 = 2*RR
+t10 = w*t8
+Y3 = t10-t9
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective-3/scaling/z b/pyecsca/ec/efd/shortw/projective-3/scaling/z
new file mode 100644
index 0000000..668bd3b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/scaling/z
@@ -0,0 +1,4 @@
+compute A = 1/Z1
+compute X3 = A X1
+compute Y3 = A Y1
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/projective-3/scaling/z.op3 b/pyecsca/ec/efd/shortw/projective-3/scaling/z.op3
new file mode 100644
index 0000000..c6e9140
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/scaling/z.op3
@@ -0,0 +1,4 @@
+A = 1/Z1
+X3 = A*X1
+Y3 = A*Y1
+Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/projective-3/variables b/pyecsca/ec/efd/shortw/projective-3/variables
new file mode 100644
index 0000000..1de70b5
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective-3/variables
@@ -0,0 +1,7 @@
+name projective coordinates with a4=-3
+assume a = -3
+variable X
+variable Y
+variable Z
+satisfying x = X/Z
+satisfying y = Y/Z
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo
new file mode 100644
index 0000000..90ac7d9
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo
@@ -0,0 +1,7 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3)
+compute u = Y2 Z1-Y1 Z2
+compute v = X2 Z1-X1 Z2
+compute A = u^2 Z1 Z2-v^3-2 v^2 X1 Z2
+compute X3 = v A
+compute Y3 = u(v^2 X1 Z2-A)-v^3 Y1 Z2
+compute Z3 = v^3 Z1 Z2
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo-2 b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo-2
new file mode 100644
index 0000000..8aabe7d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo-2
@@ -0,0 +1,14 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3), plus common-subexpression elimination
+compute Y1Z2 = Y1 Z2
+compute X1Z2 = X1 Z2
+compute Z1Z2 = Z1 Z2
+compute u = Y2 Z1-Y1Z2
+compute uu = u^2
+compute v = X2 Z1-X1Z2
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1Z2
+compute A = uu Z1Z2-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1Z2
+compute Z3 = vvv Z1Z2
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo-2.op3
new file mode 100644
index 0000000..8bce53b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo-2.op3
@@ -0,0 +1,21 @@
+Y1Z2 = Y1*Z2
+X1Z2 = X1*Z2
+Z1Z2 = Z1*Z2
+t0 = Y2*Z1
+u = t0-Y1Z2
+uu = u^2
+t1 = X2*Z1
+v = t1-X1Z2
+vv = v^2
+vvv = v*vv
+R = vv*X1Z2
+t2 = 2*R
+t3 = uu*Z1Z2
+t4 = t3-vvv
+A = t4-t2
+X3 = v*A
+t5 = R-A
+t6 = vvv*Y1Z2
+t7 = u*t5
+Y3 = t7-t6
+Z3 = vvv*Z1Z2
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo.op3
new file mode 100644
index 0000000..636efb8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-1998-cmo.op3
@@ -0,0 +1,29 @@
+t0 = Y1*Z2
+t1 = Y2*Z1
+u = t1-t0
+t2 = X1*Z2
+t3 = X2*Z1
+v = t3-t2
+t4 = u^2
+t5 = v^3
+t6 = v^2
+t7 = X1*Z2
+t8 = t6*t7
+t9 = 2*t8
+t10 = Z1*Z2
+t11 = t4*t10
+t12 = t11-t5
+A = t12-t9
+X3 = v*A
+t13 = v^2
+t14 = X1*Z2
+t15 = t13*t14
+t16 = t15-A
+t17 = v^3
+t18 = Y1*Z2
+t19 = t17*t18
+t20 = u*t16
+Y3 = t20-t19
+t21 = v^3
+t22 = Z1*Z2
+Z3 = t21*t22
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-2002-bj b/pyecsca/ec/efd/shortw/projective/addition/add-2002-bj
new file mode 100644
index 0000000..5ee1386
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-2002-bj
@@ -0,0 +1,16 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", page 339
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute M = S1+S2
+compute R = T^2-U1 U2+a ZZ^2
+compute F = ZZ M
+compute L = M F
+compute G = T L
+compute W = R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-L^2
+compute Z3 = 2 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-2002-bj.op3 b/pyecsca/ec/efd/shortw/projective/addition/add-2002-bj.op3
new file mode 100644
index 0000000..106050d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-2002-bj.op3
@@ -0,0 +1,28 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+M = S1+S2
+t0 = T^2
+t1 = ZZ^2
+t2 = a*t1
+t3 = U1*U2
+t4 = t0-t3
+R = t4+t2
+F = ZZ*M
+L = M*F
+G = T*L
+t5 = R^2
+W = t5-G
+t6 = F*W
+X3 = 2*t6
+t7 = 2*W
+t8 = G-t7
+t9 = L^2
+t10 = R*t8
+Y3 = t10-t9
+t11 = F^2
+t12 = F*t11
+Z3 = 2*t12
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-2007-bl b/pyecsca/ec/efd/shortw/projective/addition/add-2007-bl
new file mode 100644
index 0000000..59bb96e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-2007-bl
@@ -0,0 +1,18 @@
+source 2007 Bernstein--Lange
+compute U1 = X1 Z2
+compute U2 = X2 Z1
+compute S1 = Y1 Z2
+compute S2 = Y2 Z1
+compute ZZ = Z1 Z2
+compute T = U1+U2
+compute TT = T^2
+compute M = S1+S2
+compute R = TT-U1 U2+a ZZ^2
+compute F = ZZ M
+compute L = M F
+compute LL = L^2
+compute G = (T+L)^2-TT-LL
+compute W = 2 R^2-G
+compute X3 = 2 F W
+compute Y3 = R(G-2 W)-2 LL
+compute Z3 = 4 F F^2
diff --git a/pyecsca/ec/efd/shortw/projective/addition/add-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective/addition/add-2007-bl.op3
new file mode 100644
index 0000000..c0ef8ae
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/add-2007-bl.op3
@@ -0,0 +1,33 @@
+U1 = X1*Z2
+U2 = X2*Z1
+S1 = Y1*Z2
+S2 = Y2*Z1
+ZZ = Z1*Z2
+T = U1+U2
+TT = T^2
+M = S1+S2
+t0 = ZZ^2
+t1 = a*t0
+t2 = U1*U2
+t3 = TT-t2
+R = t3+t1
+F = ZZ*M
+L = M*F
+LL = L^2
+t4 = T+L
+t5 = t4^2
+t6 = t5-TT
+G = t6-LL
+t7 = R^2
+t8 = 2*t7
+W = t8-G
+t9 = F*W
+X3 = 2*t9
+t10 = 2*W
+t11 = G-t10
+t12 = 2*LL
+t13 = R*t11
+Y3 = t13-t12
+t14 = F^2
+t15 = F*t14
+Z3 = 4*t15
diff --git a/pyecsca/ec/efd/shortw/projective/addition/madd-1998-cmo b/pyecsca/ec/efd/shortw/projective/addition/madd-1998-cmo
new file mode 100644
index 0000000..b2e8a01
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/madd-1998-cmo
@@ -0,0 +1,12 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (3), plus common-subexpression elimination, plus Z2=1
+assume Z2 = 1
+compute u = Y2 Z1-Y1
+compute uu = u^2
+compute v = X2 Z1-X1
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1
+compute A = uu Z1-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1
+compute Z3 = vvv Z1
diff --git a/pyecsca/ec/efd/shortw/projective/addition/madd-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective/addition/madd-1998-cmo.op3
new file mode 100644
index 0000000..01c5120
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/madd-1998-cmo.op3
@@ -0,0 +1,18 @@
+t0 = Y2*Z1
+u = t0-Y1
+uu = u^2
+t1 = X2*Z1
+v = t1-X1
+vv = v^2
+vvv = v*vv
+R = vv*X1
+t2 = 2*R
+t3 = uu*Z1
+t4 = t3-vvv
+A = t4-t2
+X3 = v*A
+t5 = R-A
+t6 = vvv*Y1
+t7 = u*t5
+Y3 = t7-t6
+Z3 = vvv*Z1
diff --git a/pyecsca/ec/efd/shortw/projective/addition/mmadd-1998-cmo b/pyecsca/ec/efd/shortw/projective/addition/mmadd-1998-cmo
new file mode 100644
index 0000000..b2ed720
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/mmadd-1998-cmo
@@ -0,0 +1,13 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", plus Z1=1, plus Z2=1, plus common-subexpression elimination
+assume Z1 = 1
+assume Z2 = 1
+compute u = Y2-Y1
+compute uu = u^2
+compute v = X2-X1
+compute vv = v^2
+compute vvv = v vv
+compute R = vv X1
+compute A = uu-vvv-2 R
+compute X3 = v A
+compute Y3 = u(R-A)-vvv Y1
+compute Z3 = vvv
diff --git a/pyecsca/ec/efd/shortw/projective/addition/mmadd-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective/addition/mmadd-1998-cmo.op3
new file mode 100644
index 0000000..81c18df
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/addition/mmadd-1998-cmo.op3
@@ -0,0 +1,15 @@
+u = Y2-Y1
+uu = u^2
+v = X2-X1
+vv = v^2
+vvv = v*vv
+R = vv*X1
+t0 = 2*R
+t1 = uu-vvv
+A = t1-t0
+X3 = v*A
+t2 = R-A
+t3 = vvv*Y1
+t4 = u*t2
+Y3 = t4-t3
+Z3 = vvv
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo
new file mode 100644
index 0000000..3e4fa95
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo
@@ -0,0 +1,8 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (4)
+compute w = a Z1^2+3 X1^2
+compute s = Y1 Z1
+compute B = X1 Y1 s
+compute h = w^2-8 B
+compute X3 = 2 h s
+compute Y3 = w(4 B-h)-8 Y1^2 s^2
+compute Z3 = 8 s^3
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo-2 b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo-2
new file mode 100644
index 0000000..8434d52
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo-2
@@ -0,0 +1,11 @@
+source 1998 Cohen--Miyaji--Ono "Efficient elliptic curve exponentiation using mixed coordinates", formula (4), plus common-subexpression elimination
+compute w = a Z1^2+3 X1^2
+compute s = Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute B = X1 R
+compute h = w^2-8 B
+compute X3 = 2 h s
+compute Y3 = w(4 B-h)-8 R^2
+compute Z3 = 8 sss
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo-2.op3 b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo-2.op3
new file mode 100644
index 0000000..efd0f9d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo-2.op3
@@ -0,0 +1,22 @@
+t0 = Z1^2
+t1 = X1^2
+t2 = 3*t1
+t3 = a*t0
+w = t3+t2
+s = Y1*Z1
+ss = s^2
+sss = s*ss
+R = Y1*s
+B = X1*R
+t4 = w^2
+t5 = 8*B
+h = t4-t5
+t6 = h*s
+X3 = 2*t6
+t7 = 4*B
+t8 = t7-h
+t9 = R^2
+t10 = 8*t9
+t11 = w*t8
+Y3 = t11-t10
+Z3 = 8*sss
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo.op3 b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo.op3
new file mode 100644
index 0000000..ab986d6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/dbl-1998-cmo.op3
@@ -0,0 +1,23 @@
+t0 = Z1^2
+t1 = X1^2
+t2 = 3*t1
+t3 = a*t0
+w = t3+t2
+s = Y1*Z1
+t4 = Y1*s
+B = X1*t4
+t5 = w^2
+t6 = 8*B
+h = t5-t6
+t7 = h*s
+X3 = 2*t7
+t8 = 4*B
+t9 = t8-h
+t10 = Y1^2
+t11 = s^2
+t12 = t10*t11
+t13 = 8*t12
+t14 = w*t9
+Y3 = t14-t13
+t15 = s^3
+Z3 = 8*t15
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/dbl-2007-bl b/pyecsca/ec/efd/shortw/projective/doubling/dbl-2007-bl
new file mode 100644
index 0000000..e962f44
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/dbl-2007-bl
@@ -0,0 +1,14 @@
+source 2007 Bernstein--Lange
+compute XX = X1^2
+compute ZZ = Z1^2
+compute w = a ZZ+3 XX
+compute s = 2 Y1 Z1
+compute ss = s^2
+compute sss = s ss
+compute R = Y1 s
+compute RR = R^2
+compute B = (X1+R)^2-XX-RR
+compute h = w^2-2 B
+compute X3 = h s
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/dbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective/doubling/dbl-2007-bl.op3
new file mode 100644
index 0000000..76c96f6
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/dbl-2007-bl.op3
@@ -0,0 +1,24 @@
+XX = X1^2
+ZZ = Z1^2
+t0 = 3*XX
+t1 = a*ZZ
+w = t1+t0
+t2 = Y1*Z1
+s = 2*t2
+ss = s^2
+sss = s*ss
+R = Y1*s
+RR = R^2
+t3 = X1+R
+t4 = t3^2
+t5 = t4-XX
+B = t5-RR
+t6 = w^2
+t7 = 2*B
+h = t6-t7
+X3 = h*s
+t8 = B-h
+t9 = 2*RR
+t10 = w*t8
+Y3 = t10-t9
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/mdbl-2007-bl b/pyecsca/ec/efd/shortw/projective/doubling/mdbl-2007-bl
new file mode 100644
index 0000000..2f5508a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/mdbl-2007-bl
@@ -0,0 +1,13 @@
+source 2007 Bernstein--Lange
+assume Z1 = 1
+compute XX = X1^2
+compute w = a+3 XX
+compute Y1Y1 = Y1^2
+compute R = 2 Y1Y1
+compute sss = 4 Y1 R
+compute RR = R^2
+compute B = (X1+R)^2-XX-RR
+compute h = w^2-2 B
+compute X3 = 2 h Y1
+compute Y3 = w(B-h)-2 RR
+compute Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective/doubling/mdbl-2007-bl.op3 b/pyecsca/ec/efd/shortw/projective/doubling/mdbl-2007-bl.op3
new file mode 100644
index 0000000..193dc77
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/doubling/mdbl-2007-bl.op3
@@ -0,0 +1,22 @@
+XX = X1^2
+t0 = 3*XX
+w = a+t0
+Y1Y1 = Y1^2
+R = 2*Y1Y1
+t1 = Y1*R
+sss = 4*t1
+RR = R^2
+t2 = X1+R
+t3 = t2^2
+t4 = t3-XX
+B = t4-RR
+t5 = w^2
+t6 = 2*B
+h = t5-t6
+t7 = h*Y1
+X3 = 2*t7
+t8 = B-h
+t9 = 2*RR
+t10 = w*t8
+Y3 = t10-t9
+Z3 = sss
diff --git a/pyecsca/ec/efd/shortw/projective/scaling/z b/pyecsca/ec/efd/shortw/projective/scaling/z
new file mode 100644
index 0000000..668bd3b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/scaling/z
@@ -0,0 +1,4 @@
+compute A = 1/Z1
+compute X3 = A X1
+compute Y3 = A Y1
+compute Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/projective/scaling/z.op3 b/pyecsca/ec/efd/shortw/projective/scaling/z.op3
new file mode 100644
index 0000000..c6e9140
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/scaling/z.op3
@@ -0,0 +1,4 @@
+A = 1/Z1
+X3 = A*X1
+Y3 = A*Y1
+Z3 = 1
diff --git a/pyecsca/ec/efd/shortw/projective/variables b/pyecsca/ec/efd/shortw/projective/variables
new file mode 100644
index 0000000..9c6045b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/projective/variables
@@ -0,0 +1,6 @@
+name projective coordinates
+variable X
+variable Y
+variable Z
+satisfying x = X/Z
+satisfying y = Y/Z
diff --git a/pyecsca/ec/efd/shortw/w12-0/addition/add-2010-cln b/pyecsca/ec/efd/shortw/w12-0/addition/add-2010-cln
new file mode 100644
index 0000000..b89edf1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/addition/add-2010-cln
@@ -0,0 +1,17 @@
+source 2010 Costello--Lange--Naehrig
+compute A = Z1^2
+compute B = Z2^2
+compute C = (Z1 + Z2)^2-A-B
+compute D = X1 Z2
+compute E = X2 Z1
+compute F = Y1 B
+compute G = Y2 A
+compute H = D - E
+compute I = 2 (F - G)
+compute II = I^2
+compute J = C H
+compute K = 4 J H
+compute X3 = 2 II - (D + E) K
+compute JJ = J^2
+compute Y3 = ((J + I)^2 - JJ - II) (D K - X3) - F K^2
+compute Z3 = 2 JJ
diff --git a/pyecsca/ec/efd/shortw/w12-0/addition/add-2010-cln.op3 b/pyecsca/ec/efd/shortw/w12-0/addition/add-2010-cln.op3
new file mode 100644
index 0000000..63ebd7c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/addition/add-2010-cln.op3
@@ -0,0 +1,33 @@
+A = Z1^2
+B = Z2^2
+t0 = Z1+Z2
+t1 = t0^2
+t2 = t1-A
+C = t2-B
+D = X1*Z2
+E = X2*Z1
+F = Y1*B
+G = Y2*A
+H = D-E
+t3 = F-G
+I = 2*t3
+II = I^2
+J = C*H
+t4 = J*H
+K = 4*t4
+t5 = D+E
+t6 = t5*K
+t7 = 2*II
+X3 = t7-t6
+JJ = J^2
+t8 = J+I
+t9 = t8^2
+t10 = D*K
+t11 = t9-JJ
+t12 = t11-II
+t13 = t10-X3
+t14 = K^2
+t15 = F*t14
+t16 = t12*t13
+Y3 = t16-t15
+Z3 = 2*JJ
diff --git a/pyecsca/ec/efd/shortw/w12-0/addition/madd-2010-cln b/pyecsca/ec/efd/shortw/w12-0/addition/madd-2010-cln
new file mode 100644
index 0000000..741f21c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/addition/madd-2010-cln
@@ -0,0 +1,14 @@
+source 2010 Costello--Lange--Naehrig
+assume Z2 = 1
+compute A = Z1^2
+compute E = X2 Z1
+compute G = Y2 A
+compute H = (X1 - E)
+compute I = (Y1 - G)
+compute II = I^2
+compute J = Z1 H
+compute K = 2 J H
+compute X3 = 2 II - (X1 + E) K
+compute JJ = J^2
+compute Y3 = ((J+ I)^2 - JJ - II) (X1 K - X3) - Y1 K^2
+compute Z3 = 2 JJ
diff --git a/pyecsca/ec/efd/shortw/w12-0/addition/madd-2010-cln.op3 b/pyecsca/ec/efd/shortw/w12-0/addition/madd-2010-cln.op3
new file mode 100644
index 0000000..ecc98f1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/addition/madd-2010-cln.op3
@@ -0,0 +1,25 @@
+A = Z1^2
+E = X2*Z1
+G = Y2*A
+H = X1-E
+I = Y1-G
+II = I^2
+J = Z1*H
+t0 = J*H
+K = 2*t0
+t1 = X1+E
+t2 = t1*K
+t3 = 2*II
+X3 = t3-t2
+JJ = J^2
+t4 = J+I
+t5 = t4^2
+t6 = X1*K
+t7 = t5-JJ
+t8 = t7-II
+t9 = t6-X3
+t10 = K^2
+t11 = Y1*t10
+t12 = t8*t9
+Y3 = t12-t11
+Z3 = 2*JJ
diff --git a/pyecsca/ec/efd/shortw/w12-0/doubling/dbl-2010-cln b/pyecsca/ec/efd/shortw/w12-0/doubling/dbl-2010-cln
new file mode 100644
index 0000000..1113227
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/doubling/dbl-2010-cln
@@ -0,0 +1,10 @@
+source 2010 Costello--Lange--Naehrig
+compute A = X1^2
+compute B = Y1^2
+compute C = Z1^2
+compute D = a C
+compute X3 = (A-D)^2
+compute E = 2 (A+D)^2-X3
+compute F = ((A-D+Y1)^2-B-X3)
+compute Y3 = E F
+compute Z3 = 4 B
diff --git a/pyecsca/ec/efd/shortw/w12-0/doubling/dbl-2010-cln.op3 b/pyecsca/ec/efd/shortw/w12-0/doubling/dbl-2010-cln.op3
new file mode 100644
index 0000000..07b4f92
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/doubling/dbl-2010-cln.op3
@@ -0,0 +1,17 @@
+A = X1^2
+B = Y1^2
+C = Z1^2
+D = a*C
+t0 = A-D
+X3 = t0^2
+t1 = A+D
+t2 = t1^2
+t3 = 2*t2
+E = t3-X3
+t4 = A-D
+t5 = t4+Y1
+t6 = t5^2
+t7 = t6-B
+F = t7-X3
+Y3 = E*F
+Z3 = 4*B
diff --git a/pyecsca/ec/efd/shortw/w12-0/variables b/pyecsca/ec/efd/shortw/w12-0/variables
new file mode 100644
index 0000000..5d8326e
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/w12-0/variables
@@ -0,0 +1,7 @@
+name W12 coordinates with a6=0
+assume b = 0
+variable X
+variable Y
+variable Z
+satisfying x = X/Z
+satisfying y = Y/Z^2
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/addition/add-2008-s b/pyecsca/ec/efd/shortw/xyzz-3/addition/add-2008-s
new file mode 100644
index 0000000..a28b0ab
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/addition/add-2008-s
@@ -0,0 +1,14 @@
+source 2008 Sutherland
+compute U1 = X1 ZZ2
+compute U2 = X2 ZZ1
+compute S1 = Y1 ZZZ2
+compute S2 = Y2 ZZZ1
+compute P = U2-U1
+compute R = S2-S1
+compute PP = P^2
+compute PPP = P PP
+compute Q = U1 PP
+compute X3 = R^2-PPP-2 Q
+compute Y3 = R (Q-X3)-S1 PPP
+compute ZZ3 = ZZ1 ZZ2 PP
+compute ZZZ3 = ZZZ1 ZZZ2 PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/addition/add-2008-s.op3 b/pyecsca/ec/efd/shortw/xyzz-3/addition/add-2008-s.op3
new file mode 100644
index 0000000..88540c8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/addition/add-2008-s.op3
@@ -0,0 +1,21 @@
+U1 = X1*ZZ2
+U2 = X2*ZZ1
+S1 = Y1*ZZZ2
+S2 = Y2*ZZZ1
+P = U2-U1
+R = S2-S1
+PP = P^2
+PPP = P*PP
+Q = U1*PP
+t0 = R^2
+t1 = 2*Q
+t2 = t0-PPP
+X3 = t2-t1
+t3 = Q-X3
+t4 = S1*PPP
+t5 = R*t3
+Y3 = t5-t4
+t6 = ZZ2*PP
+ZZ3 = ZZ1*t6
+t7 = ZZZ2*PPP
+ZZZ3 = ZZZ1*t7
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/addition/madd-2008-s b/pyecsca/ec/efd/shortw/xyzz-3/addition/madd-2008-s
new file mode 100644
index 0000000..1830258
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/addition/madd-2008-s
@@ -0,0 +1,14 @@
+source 2008 Sutherland
+assume ZZ2 = 1
+assume ZZZ2 = 1
+compute U2 = X2 ZZ1
+compute S2 = Y2 ZZZ1
+compute P = U2-X1
+compute R = S2-Y1
+compute PP = P^2
+compute PPP = P PP
+compute Q = X1 PP
+compute X3 = R^2-PPP-2 Q
+compute Y3 = R (Q-X3)-Y1 PPP
+compute ZZ3 = ZZ1 PP
+compute ZZZ3 = ZZZ1 PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/addition/madd-2008-s.op3 b/pyecsca/ec/efd/shortw/xyzz-3/addition/madd-2008-s.op3
new file mode 100644
index 0000000..a1bc5ed
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/addition/madd-2008-s.op3
@@ -0,0 +1,17 @@
+U2 = X2*ZZ1
+S2 = Y2*ZZZ1
+P = U2-X1
+R = S2-Y1
+PP = P^2
+PPP = P*PP
+Q = X1*PP
+t0 = R^2
+t1 = 2*Q
+t2 = t0-PPP
+X3 = t2-t1
+t3 = Q-X3
+t4 = Y1*PPP
+t5 = R*t3
+Y3 = t5-t4
+ZZ3 = ZZ1*PP
+ZZZ3 = ZZZ1*PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/addition/mmadd-2008-s b/pyecsca/ec/efd/shortw/xyzz-3/addition/mmadd-2008-s
new file mode 100644
index 0000000..5953e20
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/addition/mmadd-2008-s
@@ -0,0 +1,14 @@
+source 2008 Sutherland
+assume ZZ1 = 1
+assume ZZZ1 = 1
+assume ZZ2 = 1
+assume ZZZ2 = 1
+compute P = X2-X1
+compute R = Y2-Y1
+compute PP = P^2
+compute PPP = P PP
+compute Q = X1 PP
+compute X3 = R^2-PPP-2 Q
+compute Y3 = R (Q-X3)-Y1 PPP
+compute ZZ3 = PP
+compute ZZZ3 = PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/addition/mmadd-2008-s.op3 b/pyecsca/ec/efd/shortw/xyzz-3/addition/mmadd-2008-s.op3
new file mode 100644
index 0000000..34d8e9b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/addition/mmadd-2008-s.op3
@@ -0,0 +1,15 @@
+P = X2-X1
+R = Y2-Y1
+PP = P^2
+PPP = P*PP
+Q = X1*PP
+t0 = R^2
+t1 = 2*Q
+t2 = t0-PPP
+X3 = t2-t1
+t3 = Q-X3
+t4 = Y1*PPP
+t5 = R*t3
+Y3 = t5-t4
+ZZ3 = PP
+ZZZ3 = PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-1 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-1
new file mode 100644
index 0000000..55cc4be
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-1
@@ -0,0 +1,10 @@
+source 2008 Sutherland
+compute U = 2 Y1
+compute V = U^2
+compute W = U V
+compute S = X1 V
+compute M = 3 X1^2+a ZZ1^2
+compute X3 = M^2-2 S
+compute Y3 = M (S-X3)-W Y1
+compute ZZ3 = V ZZ1
+compute ZZZ3 = W ZZZ1
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-1.op3 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-1.op3
new file mode 100644
index 0000000..99993c5
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-1.op3
@@ -0,0 +1,18 @@
+U = 2*Y1
+V = U^2
+W = U*V
+S = X1*V
+t0 = X1^2
+t1 = ZZ1^2
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = M^2
+t5 = 2*S
+X3 = t4-t5
+t6 = S-X3
+t7 = W*Y1
+t8 = M*t6
+Y3 = t8-t7
+ZZ3 = V*ZZ1
+ZZZ3 = W*ZZZ1
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-2 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-2
new file mode 100644
index 0000000..78e9f03
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-2
@@ -0,0 +1,11 @@
+source 2008 Sutherland
+appliesto xyzz-3
+compute U = 2 Y1
+compute V = U^2
+compute W = U V
+compute S = X1 V
+compute M = 3 (X1-ZZ1) (X1+ZZ1)
+compute X3 = M^2-2 S
+compute Y3 = M (S-X3)-W Y1
+compute ZZ3 = V ZZ1
+compute ZZZ3 = W ZZZ1
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-2.op3 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-2.op3
new file mode 100644
index 0000000..f8fe113
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/dbl-2008-s-2.op3
@@ -0,0 +1,17 @@
+U = 2*Y1
+V = U^2
+W = U*V
+S = X1*V
+t0 = X1-ZZ1
+t1 = X1+ZZ1
+t2 = t0*t1
+M = 3*t2
+t3 = M^2
+t4 = 2*S
+X3 = t3-t4
+t5 = S-X3
+t6 = W*Y1
+t7 = M*t5
+Y3 = t7-t6
+ZZ3 = V*ZZ1
+ZZZ3 = W*ZZZ1
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-1 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-1
new file mode 100644
index 0000000..2047d86
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-1
@@ -0,0 +1,12 @@
+source 2008 Sutherland
+assume ZZ1 = 1
+assume ZZZ1 = 1
+compute U = 2 Y1
+compute V = U^2
+compute W = U V
+compute S = X1 V
+compute M = 3 X1^2+a
+compute X3 = M^2-2 S
+compute Y3 = M (S-X3)-W Y1
+compute ZZ3 = V
+compute ZZZ3 = W
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-1.op3 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-1.op3
new file mode 100644
index 0000000..c6d2c3b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-1.op3
@@ -0,0 +1,16 @@
+U = 2*Y1
+V = U^2
+W = U*V
+S = X1*V
+t0 = X1^2
+t1 = 3*t0
+M = t1+a
+t2 = M^2
+t3 = 2*S
+X3 = t2-t3
+t4 = S-X3
+t5 = W*Y1
+t6 = M*t4
+Y3 = t6-t5
+ZZ3 = V
+ZZZ3 = W
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-2 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-2
new file mode 100644
index 0000000..af8e81c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-2
@@ -0,0 +1,13 @@
+source 2008 Sutherland
+appliesto xyzz-3
+assume ZZ1 = 1
+assume ZZZ1 = 1
+compute U = 2 Y1
+compute V = U^2
+compute W = U V
+compute S = X1 V
+compute M = 3 (X1^2-1)
+compute X3 = M^2-2 S
+compute Y3 = M (S-X3)-W Y1
+compute ZZ3 = V
+compute ZZZ3 = W
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-2.op3 b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-2.op3
new file mode 100644
index 0000000..b762b4b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/doubling/mdbl-2008-s-2.op3
@@ -0,0 +1,16 @@
+U = 2*Y1
+V = U^2
+W = U*V
+S = X1*V
+t0 = X1^2
+t1 = t0-1
+M = 3*t1
+t2 = M^2
+t3 = 2*S
+X3 = t2-t3
+t4 = S-X3
+t5 = W*Y1
+t6 = M*t4
+Y3 = t6-t5
+ZZ3 = V
+ZZZ3 = W
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/scaling/z b/pyecsca/ec/efd/shortw/xyzz-3/scaling/z
new file mode 100644
index 0000000..ae4c2e1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/scaling/z
@@ -0,0 +1,6 @@
+compute A = 1/ZZZ1
+compute B = (ZZ1 A)^2
+compute X3 = X1 B
+compute Y3 = Y1 A
+compute ZZ3 = 1
+compute ZZZ3 = 1
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/scaling/z.op3 b/pyecsca/ec/efd/shortw/xyzz-3/scaling/z.op3
new file mode 100644
index 0000000..1e076c3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/scaling/z.op3
@@ -0,0 +1,7 @@
+A = 1/ZZZ1
+t0 = ZZ1*A
+B = t0^2
+X3 = X1*B
+Y3 = Y1*A
+ZZ3 = 1
+ZZZ3 = 1
diff --git a/pyecsca/ec/efd/shortw/xyzz-3/variables b/pyecsca/ec/efd/shortw/xyzz-3/variables
new file mode 100644
index 0000000..1b1c2d7
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz-3/variables
@@ -0,0 +1,9 @@
+name XYZZ coordinates with a4=-3
+assume a = -3
+variable X
+variable Y
+variable ZZ
+variable ZZZ
+satisfying x = X/ZZ
+satisfying y = Y/ZZZ
+satisfying ZZ^3 = ZZZ^2
diff --git a/pyecsca/ec/efd/shortw/xyzz/addition/add-2008-s b/pyecsca/ec/efd/shortw/xyzz/addition/add-2008-s
new file mode 100644
index 0000000..a28b0ab
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/addition/add-2008-s
@@ -0,0 +1,14 @@
+source 2008 Sutherland
+compute U1 = X1 ZZ2
+compute U2 = X2 ZZ1
+compute S1 = Y1 ZZZ2
+compute S2 = Y2 ZZZ1
+compute P = U2-U1
+compute R = S2-S1
+compute PP = P^2
+compute PPP = P PP
+compute Q = U1 PP
+compute X3 = R^2-PPP-2 Q
+compute Y3 = R (Q-X3)-S1 PPP
+compute ZZ3 = ZZ1 ZZ2 PP
+compute ZZZ3 = ZZZ1 ZZZ2 PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz/addition/add-2008-s.op3 b/pyecsca/ec/efd/shortw/xyzz/addition/add-2008-s.op3
new file mode 100644
index 0000000..88540c8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/addition/add-2008-s.op3
@@ -0,0 +1,21 @@
+U1 = X1*ZZ2
+U2 = X2*ZZ1
+S1 = Y1*ZZZ2
+S2 = Y2*ZZZ1
+P = U2-U1
+R = S2-S1
+PP = P^2
+PPP = P*PP
+Q = U1*PP
+t0 = R^2
+t1 = 2*Q
+t2 = t0-PPP
+X3 = t2-t1
+t3 = Q-X3
+t4 = S1*PPP
+t5 = R*t3
+Y3 = t5-t4
+t6 = ZZ2*PP
+ZZ3 = ZZ1*t6
+t7 = ZZZ2*PPP
+ZZZ3 = ZZZ1*t7
diff --git a/pyecsca/ec/efd/shortw/xyzz/addition/madd-2008-s b/pyecsca/ec/efd/shortw/xyzz/addition/madd-2008-s
new file mode 100644
index 0000000..1830258
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/addition/madd-2008-s
@@ -0,0 +1,14 @@
+source 2008 Sutherland
+assume ZZ2 = 1
+assume ZZZ2 = 1
+compute U2 = X2 ZZ1
+compute S2 = Y2 ZZZ1
+compute P = U2-X1
+compute R = S2-Y1
+compute PP = P^2
+compute PPP = P PP
+compute Q = X1 PP
+compute X3 = R^2-PPP-2 Q
+compute Y3 = R (Q-X3)-Y1 PPP
+compute ZZ3 = ZZ1 PP
+compute ZZZ3 = ZZZ1 PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz/addition/madd-2008-s.op3 b/pyecsca/ec/efd/shortw/xyzz/addition/madd-2008-s.op3
new file mode 100644
index 0000000..a1bc5ed
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/addition/madd-2008-s.op3
@@ -0,0 +1,17 @@
+U2 = X2*ZZ1
+S2 = Y2*ZZZ1
+P = U2-X1
+R = S2-Y1
+PP = P^2
+PPP = P*PP
+Q = X1*PP
+t0 = R^2
+t1 = 2*Q
+t2 = t0-PPP
+X3 = t2-t1
+t3 = Q-X3
+t4 = Y1*PPP
+t5 = R*t3
+Y3 = t5-t4
+ZZ3 = ZZ1*PP
+ZZZ3 = ZZZ1*PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz/addition/mmadd-2008-s b/pyecsca/ec/efd/shortw/xyzz/addition/mmadd-2008-s
new file mode 100644
index 0000000..5953e20
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/addition/mmadd-2008-s
@@ -0,0 +1,14 @@
+source 2008 Sutherland
+assume ZZ1 = 1
+assume ZZZ1 = 1
+assume ZZ2 = 1
+assume ZZZ2 = 1
+compute P = X2-X1
+compute R = Y2-Y1
+compute PP = P^2
+compute PPP = P PP
+compute Q = X1 PP
+compute X3 = R^2-PPP-2 Q
+compute Y3 = R (Q-X3)-Y1 PPP
+compute ZZ3 = PP
+compute ZZZ3 = PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz/addition/mmadd-2008-s.op3 b/pyecsca/ec/efd/shortw/xyzz/addition/mmadd-2008-s.op3
new file mode 100644
index 0000000..34d8e9b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/addition/mmadd-2008-s.op3
@@ -0,0 +1,15 @@
+P = X2-X1
+R = Y2-Y1
+PP = P^2
+PPP = P*PP
+Q = X1*PP
+t0 = R^2
+t1 = 2*Q
+t2 = t0-PPP
+X3 = t2-t1
+t3 = Q-X3
+t4 = Y1*PPP
+t5 = R*t3
+Y3 = t5-t4
+ZZ3 = PP
+ZZZ3 = PPP
diff --git a/pyecsca/ec/efd/shortw/xyzz/doubling/dbl-2008-s-1 b/pyecsca/ec/efd/shortw/xyzz/doubling/dbl-2008-s-1
new file mode 100644
index 0000000..55cc4be
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/doubling/dbl-2008-s-1
@@ -0,0 +1,10 @@
+source 2008 Sutherland
+compute U = 2 Y1
+compute V = U^2
+compute W = U V
+compute S = X1 V
+compute M = 3 X1^2+a ZZ1^2
+compute X3 = M^2-2 S
+compute Y3 = M (S-X3)-W Y1
+compute ZZ3 = V ZZ1
+compute ZZZ3 = W ZZZ1
diff --git a/pyecsca/ec/efd/shortw/xyzz/doubling/dbl-2008-s-1.op3 b/pyecsca/ec/efd/shortw/xyzz/doubling/dbl-2008-s-1.op3
new file mode 100644
index 0000000..99993c5
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/doubling/dbl-2008-s-1.op3
@@ -0,0 +1,18 @@
+U = 2*Y1
+V = U^2
+W = U*V
+S = X1*V
+t0 = X1^2
+t1 = ZZ1^2
+t2 = a*t1
+t3 = 3*t0
+M = t3+t2
+t4 = M^2
+t5 = 2*S
+X3 = t4-t5
+t6 = S-X3
+t7 = W*Y1
+t8 = M*t6
+Y3 = t8-t7
+ZZ3 = V*ZZ1
+ZZZ3 = W*ZZZ1
diff --git a/pyecsca/ec/efd/shortw/xyzz/doubling/mdbl-2008-s-1 b/pyecsca/ec/efd/shortw/xyzz/doubling/mdbl-2008-s-1
new file mode 100644
index 0000000..2047d86
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/doubling/mdbl-2008-s-1
@@ -0,0 +1,12 @@
+source 2008 Sutherland
+assume ZZ1 = 1
+assume ZZZ1 = 1
+compute U = 2 Y1
+compute V = U^2
+compute W = U V
+compute S = X1 V
+compute M = 3 X1^2+a
+compute X3 = M^2-2 S
+compute Y3 = M (S-X3)-W Y1
+compute ZZ3 = V
+compute ZZZ3 = W
diff --git a/pyecsca/ec/efd/shortw/xyzz/doubling/mdbl-2008-s-1.op3 b/pyecsca/ec/efd/shortw/xyzz/doubling/mdbl-2008-s-1.op3
new file mode 100644
index 0000000..c6d2c3b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/doubling/mdbl-2008-s-1.op3
@@ -0,0 +1,16 @@
+U = 2*Y1
+V = U^2
+W = U*V
+S = X1*V
+t0 = X1^2
+t1 = 3*t0
+M = t1+a
+t2 = M^2
+t3 = 2*S
+X3 = t2-t3
+t4 = S-X3
+t5 = W*Y1
+t6 = M*t4
+Y3 = t6-t5
+ZZ3 = V
+ZZZ3 = W
diff --git a/pyecsca/ec/efd/shortw/xyzz/scaling/z b/pyecsca/ec/efd/shortw/xyzz/scaling/z
new file mode 100644
index 0000000..ae4c2e1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/scaling/z
@@ -0,0 +1,6 @@
+compute A = 1/ZZZ1
+compute B = (ZZ1 A)^2
+compute X3 = X1 B
+compute Y3 = Y1 A
+compute ZZ3 = 1
+compute ZZZ3 = 1
diff --git a/pyecsca/ec/efd/shortw/xyzz/scaling/z.op3 b/pyecsca/ec/efd/shortw/xyzz/scaling/z.op3
new file mode 100644
index 0000000..1e076c3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/scaling/z.op3
@@ -0,0 +1,7 @@
+A = 1/ZZZ1
+t0 = ZZ1*A
+B = t0^2
+X3 = X1*B
+Y3 = Y1*A
+ZZ3 = 1
+ZZZ3 = 1
diff --git a/pyecsca/ec/efd/shortw/xyzz/variables b/pyecsca/ec/efd/shortw/xyzz/variables
new file mode 100644
index 0000000..526f36c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xyzz/variables
@@ -0,0 +1,8 @@
+name XYZZ coordinates
+variable X
+variable Y
+variable ZZ
+variable ZZZ
+satisfying x = X/ZZ
+satisfying y = Y/ZZZ
+satisfying ZZ^3 = ZZZ^2
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it
new file mode 100644
index 0000000..3a54cef
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it
@@ -0,0 +1,3 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formula (8)
+compute X5 = Z1 ((X2 X3 - a Z2 Z3)^2 - 4 b Z2 Z3(X2 Z3 + X3 Z2))
+compute Z5 = X1 (X2 Z3 - X3 Z2)^2
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-2 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-2
new file mode 100644
index 0000000..2280ca2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-2
@@ -0,0 +1,5 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formula (9)
+compute R = 2(X2 Z3 + X3 Z2)(X2 X3 + a Z2 Z3) + 4 b Z2^2 Z3^2
+compute S = (X2 Z3 - X3 Z2)^2
+compute X5 = R Z1 - S X1
+compute Z5 = S Z1
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-2.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-2.op3
new file mode 100644
index 0000000..f30ee85
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-2.op3
@@ -0,0 +1,23 @@
+t0 = Z2*Z3
+t1 = a*t0
+t2 = X2*X3
+t3 = X3*Z2
+t4 = X2*Z3
+t5 = t4+t3
+t6 = t2+t1
+t7 = Z2^2
+t8 = Z3^2
+t9 = t7*t8
+t10 = b*t9
+t11 = 4*t10
+t12 = t5*t6
+t13 = 2*t12
+R = t13+t11
+t14 = X3*Z2
+t15 = X2*Z3
+t16 = t15-t14
+S = t16^2
+t17 = S*X1
+t18 = R*Z1
+X5 = t18-t17
+Z5 = S*Z1
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-3 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-3
new file mode 100644
index 0000000..60a5382
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-3
@@ -0,0 +1,17 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", page 295, Formula 1
+compute T1 = X2 X3
+compute T2 = Z2 Z3
+compute T3 = X2 Z3
+compute T4 = Z2 X3
+compute T5 = a T2
+compute T6 = T1 - T5
+compute T7 = T6^2
+compute T8 = b T2
+compute T9 = 4 T8
+compute T10 = T3 + T4
+compute T11 = T9 T10
+compute T12 = T7 - T11
+compute X5 = Z1 T12
+compute T13 = T3 - T4
+compute T14 = T13^2
+compute Z5 = X1 T14
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-3.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-3.op3
new file mode 100644
index 0000000..cbfa800
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-3.op3
@@ -0,0 +1,16 @@
+T1 = X2*X3
+T2 = Z2*Z3
+T3 = X2*Z3
+T4 = Z2*X3
+T5 = a*T2
+T6 = T1-T5
+T7 = T6^2
+T8 = b*T2
+T9 = 4*T8
+T10 = T3+T4
+T11 = T9*T10
+T12 = T7-T11
+X5 = Z1*T12
+T13 = T3-T4
+T14 = T13^2
+Z5 = X1*T14
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-4 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-4
new file mode 100644
index 0000000..978e636
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-4
@@ -0,0 +1,20 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", page 296, Formula 2
+compute T1 = X2 X3
+compute T2 = Z2 Z3
+compute T3 = X2 Z3
+compute T4 = X3 Z2
+compute T5 = T3 + T4
+compute T6 = a T2
+compute T7 = T1 + T6
+compute T8 = T5 T7
+compute T9 = 2 T8
+compute T10 = T2^2
+compute T11 = b T10
+compute T12 = 4 T11
+compute T13 = T9 + T12
+compute T14 = T3 - T4
+compute T15 = T14^2
+compute T16 = Z1 T13
+compute T17 = X1 T15
+compute X5 = T16 - T17
+compute Z5 = Z1 T15
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-4.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-4.op3
new file mode 100644
index 0000000..33dda8c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it-4.op3
@@ -0,0 +1,19 @@
+T1 = X2*X3
+T2 = Z2*Z3
+T3 = X2*Z3
+T4 = X3*Z2
+T5 = T3+T4
+T6 = a*T2
+T7 = T1+T6
+T8 = T5*T7
+T9 = 2*T8
+T10 = T2^2
+T11 = b*T10
+T12 = 4*T11
+T13 = T9+T12
+T14 = T3-T4
+T15 = T14^2
+T16 = Z1*T13
+T17 = X1*T15
+X5 = T16-T17
+Z5 = Z1*T15
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it.op3
new file mode 100644
index 0000000..24f68c8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/dadd-2002-it.op3
@@ -0,0 +1,19 @@
+t0 = X3*Z2
+t1 = X2*Z3
+t2 = Z2*Z3
+t3 = a*t2
+t4 = X2*X3
+t5 = t4-t3
+t6 = t1+t0
+t7 = t5^2
+t8 = Z3*t6
+t9 = Z2*t8
+t10 = b*t9
+t11 = 4*t10
+t12 = t7-t11
+X5 = Z1*t12
+t13 = X3*Z2
+t14 = X2*Z3
+t15 = t14-t13
+t16 = t15^2
+Z5 = X1*t16
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj
new file mode 100644
index 0000000..6b19191
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj
@@ -0,0 +1,4 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formula (9) accompanied by note "7 multiplications plus 3 multiplications by a constant"
+assume Z1 = 1
+compute X5 = (X2 X3 - a Z2 Z3)^2 - 4 b Z2 Z3 (X2 Z3 + X3 Z2)
+compute Z5 = X1 (X2 Z3 - X3 Z2)^2
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj-2 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj-2
new file mode 100644
index 0000000..fd943e2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj-2
@@ -0,0 +1,10 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formula (9) accompanied by note "7 multiplications plus 3 multiplications by a constant", plus common-subexpression elimination
+assume Z1 = 1
+parameter b4
+assume b4 = 4*b
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = Z2 X3
+compute X5 = (A - a B)^2 - b4 B (C + D)
+compute Z5 = X1 (C - D)^2
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj-2.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj-2.op3
new file mode 100644
index 0000000..10ec0ff
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj-2.op3
@@ -0,0 +1,14 @@
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = Z2*X3
+t0 = a*B
+t1 = A-t0
+t2 = C+D
+t3 = t1^2
+t4 = B*t2
+t5 = b4*t4
+X5 = t3-t5
+t6 = C-D
+t7 = t6^2
+Z5 = X1*t7
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj.op3
new file mode 100644
index 0000000..c8e410d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-bj.op3
@@ -0,0 +1,18 @@
+t0 = X3*Z2
+t1 = X2*Z3
+t2 = Z2*Z3
+t3 = a*t2
+t4 = X2*X3
+t5 = t4-t3
+t6 = t1+t0
+t7 = t5^2
+t8 = Z3*t6
+t9 = Z2*t8
+t10 = b*t9
+t11 = 4*t10
+X5 = t7-t11
+t12 = X3*Z2
+t13 = X2*Z3
+t14 = t13-t12
+t15 = t14^2
+Z5 = X1*t15
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it
new file mode 100644
index 0000000..fe58ab2
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it
@@ -0,0 +1,4 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formula (8), plus assumption Z1 = 1
+assume Z1 = 1
+compute X5 = (X2 X3 - a Z2 Z3)^2 - 4 b Z2 Z3(X2 Z3 + X3 Z2)
+compute Z5 = X1 (X2 Z3 - X3 Z2)^2
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-2 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-2
new file mode 100644
index 0000000..a4ca509
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-2
@@ -0,0 +1,6 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formula (9), plus assumption Z1 = 1
+assume Z1 = 1
+compute R = 2(X2 Z3 + X3 Z2)(X2 X3 + a Z2 Z3) + 4 b Z2^2 Z3^2
+compute S = (X2 Z3 - X3 Z2)^2
+compute X5 = R - S X1
+compute Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-2.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-2.op3
new file mode 100644
index 0000000..8f2d95c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-2.op3
@@ -0,0 +1,22 @@
+t0 = Z2*Z3
+t1 = a*t0
+t2 = X2*X3
+t3 = X3*Z2
+t4 = X2*Z3
+t5 = t4+t3
+t6 = t2+t1
+t7 = Z2^2
+t8 = Z3^2
+t9 = t7*t8
+t10 = b*t9
+t11 = 4*t10
+t12 = t5*t6
+t13 = 2*t12
+R = t13+t11
+t14 = X3*Z2
+t15 = X2*Z3
+t16 = t15-t14
+S = t16^2
+t17 = S*X1
+X5 = R-t17
+Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-3
new file mode 100644
index 0000000..21daab3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-3
@@ -0,0 +1,18 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", page 295, Formula 1, plus assumption Z1 = 1
+assume Z1 = 1
+compute T1 = X2 X3
+compute T2 = Z2 Z3
+compute T3 = X2 Z3
+compute T4 = Z2 X3
+compute T5 = a T2
+compute T6 = T1 - T5
+compute T7 = T6^2
+compute T8 = b T2
+compute T9 = 4 T8
+compute T10 = T3 + T4
+compute T11 = T9 T10
+compute T12 = T7 - T11
+compute X5 = T12
+compute T13 = T3 - T4
+compute T14 = T13^2
+compute Z5 = X1 T14
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-3.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-3.op3
new file mode 100644
index 0000000..01cffd0
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-3.op3
@@ -0,0 +1,16 @@
+T1 = X2*X3
+T2 = Z2*Z3
+T3 = X2*Z3
+T4 = Z2*X3
+T5 = a*T2
+T6 = T1-T5
+T7 = T6^2
+T8 = b*T2
+T9 = 4*T8
+T10 = T3+T4
+T11 = T9*T10
+T12 = T7-T11
+X5 = T12
+T13 = T3-T4
+T14 = T13^2
+Z5 = X1*T14
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-4 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-4
new file mode 100644
index 0000000..839c746
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-4
@@ -0,0 +1,21 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", page 296, Formula 2, plus assumption Z1 = 1
+assume Z1 = 1
+compute T1 = X2 X3
+compute T2 = Z2 Z3
+compute T3 = X2 Z3
+compute T4 = X3 Z2
+compute T5 = T3 + T4
+compute T6 = a T2
+compute T7 = T1 + T6
+compute T8 = T5 T7
+compute T9 = 2 T8
+compute T10 = T2^2
+compute T11 = b T10
+compute T12 = 4 T11
+compute T13 = T9 + T12
+compute T14 = T3 - T4
+compute T15 = T14^2
+compute T16 = T13
+compute T17 = X1 T15
+compute X5 = T16 - T17
+compute Z5 = T15
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-4.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-4.op3
new file mode 100644
index 0000000..5363020
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it-4.op3
@@ -0,0 +1,19 @@
+T1 = X2*X3
+T2 = Z2*Z3
+T3 = X2*Z3
+T4 = X3*Z2
+T5 = T3+T4
+T6 = a*T2
+T7 = T1+T6
+T8 = T5*T7
+T9 = 2*T8
+T10 = T2^2
+T11 = b*T10
+T12 = 4*T11
+T13 = T9+T12
+T14 = T3-T4
+T15 = T14^2
+T16 = T13
+T17 = X1*T15
+X5 = T16-T17
+Z5 = T15
diff --git a/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it.op3 b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it.op3
new file mode 100644
index 0000000..c8e410d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/diffadd/mdadd-2002-it.op3
@@ -0,0 +1,18 @@
+t0 = X3*Z2
+t1 = X2*Z3
+t2 = Z2*Z3
+t3 = a*t2
+t4 = X2*X3
+t5 = t4-t3
+t6 = t1+t0
+t7 = t5^2
+t8 = Z3*t6
+t9 = Z2*t8
+t10 = b*t9
+t11 = 4*t10
+X5 = t7-t11
+t12 = X3*Z2
+t13 = X2*Z3
+t14 = t13-t12
+t15 = t14^2
+Z5 = X1*t15
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj
new file mode 100644
index 0000000..8da1b32
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj
@@ -0,0 +1,3 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formula (10) accompanied by note "7 multiplications plus 2 multiplications by a constant"
+compute X3 = (X1^2 - a Z1^2)^2 - 8 b X1 Z1^3
+compute Z3 = 4 Z1 (X1^3 + a X1 Z1^2 + b Z1^3)
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-2 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-2
new file mode 100644
index 0000000..be39e63
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-2
@@ -0,0 +1,10 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formula (10) accompanied by note "7 multiplications plus 2 multiplications by a constant", plus common-subexpression elimination
+parameter b2
+assume b2 = 2*b
+compute XX = X1^2
+compute ZZ = Z1^2
+compute A = 2((X1 + Z1)^2 - XX - ZZ)
+compute aZZ = a ZZ
+compute b2ZZ = b2 ZZ
+compute X3 = (XX - aZZ)^2 - A b2ZZ
+compute Z3 = A (XX + aZZ) + 2 b2ZZ ZZ
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-2.op3 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-2.op3
new file mode 100644
index 0000000..d7a6d24
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-2.op3
@@ -0,0 +1,18 @@
+XX = X1^2
+ZZ = Z1^2
+t0 = X1+Z1
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-ZZ
+A = 2*t3
+aZZ = a*ZZ
+b2ZZ = b2*ZZ
+t4 = XX-aZZ
+t5 = t4^2
+t6 = A*b2ZZ
+X3 = t5-t6
+t7 = XX+aZZ
+t8 = b2ZZ*ZZ
+t9 = 2*t8
+t10 = A*t7
+Z3 = t10+t9
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-3 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-3
new file mode 100644
index 0000000..92df1c3
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-3
@@ -0,0 +1,11 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formula (10) accompanied by note "7 multiplications plus 2 multiplications by a constant", plus common-subexpression elimination emphasizing squaring
+parameter b2
+assume b2 = 2*b
+parameter b4
+assume b4 = 4*b
+compute XX = X1^2
+compute ZZ = Z1^2
+compute A = 2((X1 + Z1)^2 - XX - ZZ)
+compute aZZ = a ZZ
+compute X3 = (XX - aZZ)^2 - b2 A ZZ
+compute Z3 = A (XX + aZZ) + b4 ZZ^2
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-3.op3 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-3.op3
new file mode 100644
index 0000000..1e1c6d5
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj-3.op3
@@ -0,0 +1,18 @@
+XX = X1^2
+ZZ = Z1^2
+t0 = X1+Z1
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-ZZ
+A = 2*t3
+aZZ = a*ZZ
+t4 = XX-aZZ
+t5 = t4^2
+t6 = A*ZZ
+t7 = b2*t6
+X3 = t5-t7
+t8 = XX+aZZ
+t9 = ZZ^2
+t10 = b4*t9
+t11 = A*t8
+Z3 = t11+t10
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj.op3 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj.op3
new file mode 100644
index 0000000..7f00d4b
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-bj.op3
@@ -0,0 +1,20 @@
+t0 = X1^2
+t1 = Z1^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z1^3
+t6 = X1*t5
+t7 = b*t6
+t8 = 8*t7
+X3 = t4-t8
+t9 = X1^3
+t10 = Z1^2
+t11 = Z1^3
+t12 = b*t11
+t13 = X1*t10
+t14 = a*t13
+t15 = t9+t14
+t16 = t15+t12
+t17 = Z1*t16
+Z3 = 4*t17
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it
new file mode 100644
index 0000000..710ad0f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it
@@ -0,0 +1,3 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formula (10)
+compute X3 = (X1^2 - a Z1^2)^2 - 8 b X1 Z1^3
+compute Z3 = 4(X1 Z1(X1^2 + a Z1^2) + b Z1^4)
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it-2 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it-2
new file mode 100644
index 0000000..a47af40
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it-2
@@ -0,0 +1,16 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", page 296, Formula 3
+compute T1 = X1^2
+compute T2 = Z1^2
+compute T3 = a T2
+compute T4 = T1 - T3
+compute T5 = T4^2
+compute T6 = b T2
+compute T7 = X1 Z1
+compute T8 = T6 T7
+compute T9 = 8 T8
+compute X3 = T5 - T9
+compute T10 = T1 + T3
+compute T11 = T7 T10
+compute T12 = T6 T2
+compute T13 = T11 + T12
+compute Z3 = 4 T13
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it-2.op3 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it-2.op3
new file mode 100644
index 0000000..78a9b84
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it-2.op3
@@ -0,0 +1,15 @@
+T1 = X1^2
+T2 = Z1^2
+T3 = a*T2
+T4 = T1-T3
+T5 = T4^2
+T6 = b*T2
+T7 = X1*Z1
+T8 = T6*T7
+T9 = 8*T8
+X3 = T5-T9
+T10 = T1+T3
+T11 = T7*T10
+T12 = T6*T2
+T13 = T11+T12
+Z3 = 4*T13
diff --git a/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it.op3 b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it.op3
new file mode 100644
index 0000000..d0dd925
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/doubling/dbl-2002-it.op3
@@ -0,0 +1,20 @@
+t0 = X1^2
+t1 = Z1^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z1^3
+t6 = X1*t5
+t7 = b*t6
+t8 = 8*t7
+X3 = t4-t8
+t9 = X1^2
+t10 = Z1^2
+t11 = a*t10
+t12 = t9+t11
+t13 = Z1^4
+t14 = b*t13
+t15 = Z1*t12
+t16 = X1*t15
+t17 = t16+t14
+Z3 = 4*t17
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it
new file mode 100644
index 0000000..8706cdc
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it
@@ -0,0 +1,5 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (8) and (10)
+compute X4 = (X2^2 - a Z2^2)^2 - 8 b X2 Z2^3
+compute Z4 = 4(X2 Z2(X2^2 + a Z2^2) + b Z2^4)
+compute X5 = Z1 ((X2 X3 - a Z2 Z3)^2 - 4 b Z2 Z3(X2 Z3 + X3 Z2))
+compute Z5 = X1 (X2 Z3 - X3 Z2)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-2 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-2
new file mode 100644
index 0000000..801b39d
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-2
@@ -0,0 +1,7 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (9) and (10)
+compute X4 = (X2^2 - a Z2^2)^2 - 8 b X2 Z2^3
+compute Z4 = 4(X2 Z2(X2^2 + a Z2^2) + b Z2^4)
+compute R = 2(X2 Z3 + X3 Z2)(X2 X3 + a Z2 Z3) + 4 b Z2^2 Z3^2
+compute S = (X2 Z3 - X3 Z2)^2
+compute X5 = R Z1 - S X1
+compute Z5 = S Z1
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-2.op3 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-2.op3
new file mode 100644
index 0000000..24b1621
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-2.op3
@@ -0,0 +1,43 @@
+t0 = X2^2
+t1 = Z2^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z2^3
+t6 = X2*t5
+t7 = b*t6
+t8 = 8*t7
+X4 = t4-t8
+t9 = X2^2
+t10 = Z2^2
+t11 = a*t10
+t12 = t9+t11
+t13 = Z2^4
+t14 = b*t13
+t15 = Z2*t12
+t16 = X2*t15
+t17 = t16+t14
+Z4 = 4*t17
+t18 = Z2*Z3
+t19 = a*t18
+t20 = X2*X3
+t21 = X3*Z2
+t22 = X2*Z3
+t23 = t22+t21
+t24 = t20+t19
+t25 = Z2^2
+t26 = Z3^2
+t27 = t25*t26
+t28 = b*t27
+t29 = 4*t28
+t30 = t23*t24
+t31 = 2*t30
+R = t31+t29
+t32 = X3*Z2
+t33 = X2*Z3
+t34 = t33-t32
+S = t34^2
+t35 = S*X1
+t36 = R*Z1
+X5 = t36-t35
+Z5 = S*Z1
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-3 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-3
new file mode 100644
index 0000000..666fbde
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-3
@@ -0,0 +1,15 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (8) and (10), plus common-subexpression elimination
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute aZZ = a ZZ
+compute E = (X2 + Z2)^2 - XX - ZZ
+compute X4 = (XX - aZZ)^2 - b4 E ZZ
+compute Z4 = 2 E(XX + aZZ) + b4 ZZ^2
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = X3 Z2
+compute X5 = Z1 ((A - a B)^2 - b4 B(C + D))
+compute Z5 = X1 (C - D)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-3.op3 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-3.op3
new file mode 100644
index 0000000..edb336f
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-3.op3
@@ -0,0 +1,33 @@
+XX = X2^2
+ZZ = Z2^2
+aZZ = a*ZZ
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+E = t2-ZZ
+t3 = XX-aZZ
+t4 = t3^2
+t5 = E*ZZ
+t6 = b4*t5
+X4 = t4-t6
+t7 = XX+aZZ
+t8 = ZZ^2
+t9 = b4*t8
+t10 = E*t7
+t11 = 2*t10
+Z4 = t11+t9
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = X3*Z2
+t12 = a*B
+t13 = A-t12
+t14 = C+D
+t15 = t13^2
+t16 = B*t14
+t17 = b4*t16
+t18 = t15-t17
+X5 = Z1*t18
+t19 = C-D
+t20 = t19^2
+Z5 = X1*t20
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-4 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-4
new file mode 100644
index 0000000..1eeadc1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-4
@@ -0,0 +1,17 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (9) and (10), plus common-subexpression elimination
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute aZZ = a ZZ
+compute E = (X2 + Z2)^2 - XX - ZZ
+compute X4 = (XX - aZZ)^2 - b4 E ZZ
+compute Z4 = 2 E(XX + aZZ) + b4 ZZ^2
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = X3 Z2
+compute R = 2(C + D)(A + a B) + b4 B^2
+compute S = (C - D)^2
+compute X5 = R Z1 - S X1
+compute Z5 = S Z1
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-4.op3 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-4.op3
new file mode 100644
index 0000000..a6f7646
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it-4.op3
@@ -0,0 +1,36 @@
+XX = X2^2
+ZZ = Z2^2
+aZZ = a*ZZ
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+E = t2-ZZ
+t3 = XX-aZZ
+t4 = t3^2
+t5 = E*ZZ
+t6 = b4*t5
+X4 = t4-t6
+t7 = XX+aZZ
+t8 = ZZ^2
+t9 = b4*t8
+t10 = E*t7
+t11 = 2*t10
+Z4 = t11+t9
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = X3*Z2
+t12 = a*B
+t13 = C+D
+t14 = A+t12
+t15 = B^2
+t16 = b4*t15
+t17 = t13*t14
+t18 = 2*t17
+R = t18+t16
+t19 = C-D
+S = t19^2
+t20 = S*X1
+t21 = R*Z1
+X5 = t21-t20
+Z5 = S*Z1
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it.op3 b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it.op3
new file mode 100644
index 0000000..35167e1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/ladd-2002-it.op3
@@ -0,0 +1,39 @@
+t0 = X2^2
+t1 = Z2^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z2^3
+t6 = X2*t5
+t7 = b*t6
+t8 = 8*t7
+X4 = t4-t8
+t9 = X2^2
+t10 = Z2^2
+t11 = a*t10
+t12 = t9+t11
+t13 = Z2^4
+t14 = b*t13
+t15 = Z2*t12
+t16 = X2*t15
+t17 = t16+t14
+Z4 = 4*t17
+t18 = X3*Z2
+t19 = X2*Z3
+t20 = Z2*Z3
+t21 = a*t20
+t22 = X2*X3
+t23 = t22-t21
+t24 = t19+t18
+t25 = t23^2
+t26 = Z3*t24
+t27 = Z2*t26
+t28 = b*t27
+t29 = 4*t28
+t30 = t25-t29
+X5 = Z1*t30
+t31 = X3*Z2
+t32 = X2*Z3
+t33 = t32-t31
+t34 = t33^2
+Z5 = X1*t34
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj
new file mode 100644
index 0000000..2a79093
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj
@@ -0,0 +1,6 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formulas (9) and (10)
+assume Z1 = 1
+compute X4 = (X2^2 - a Z2^2)^2 - 8 b X2 Z2^3
+compute Z4 = 4 Z2 (X2^3 + a X2 Z2^2 + b Z2^3)
+compute X5 = (X2 X3 - a Z2 Z3)^2 - 4 b Z2 Z3 (X2 Z3 + X3 Z2)
+compute Z5 = X1 (X2 Z3 - X3 Z2)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-2 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-2
new file mode 100644
index 0000000..1f40019
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-2
@@ -0,0 +1,19 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formulas (9) and (10), plus common-subexpression elimination
+assume Z1 = 1
+parameter b2
+assume b2 = 2*b
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute E = 2((X2 + Z2)^2 - XX - ZZ)
+compute aZZ = a ZZ
+compute b2ZZ = b2 ZZ
+compute X4 = (XX - aZZ)^2 - E b2ZZ
+compute Z4 = E (XX + aZZ) + 2 b2ZZ ZZ
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = Z2 X3
+compute X5 = (A - a B)^2 - b4 B (C + D)
+compute Z5 = X1 (C - D)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-2.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-2.op3
new file mode 100644
index 0000000..ae68dbf
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-2.op3
@@ -0,0 +1,32 @@
+XX = X2^2
+ZZ = Z2^2
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-ZZ
+E = 2*t3
+aZZ = a*ZZ
+b2ZZ = b2*ZZ
+t4 = XX-aZZ
+t5 = t4^2
+t6 = E*b2ZZ
+X4 = t5-t6
+t7 = XX+aZZ
+t8 = b2ZZ*ZZ
+t9 = 2*t8
+t10 = E*t7
+Z4 = t10+t9
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = Z2*X3
+t11 = a*B
+t12 = A-t11
+t13 = C+D
+t14 = t12^2
+t15 = B*t13
+t16 = b4*t15
+X5 = t14-t16
+t17 = C-D
+t18 = t17^2
+Z5 = X1*t18
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-3
new file mode 100644
index 0000000..29838e8
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-3
@@ -0,0 +1,18 @@
+source 2002 Brier--Joye "Weierstrass elliptic curves and side-channel attacks", formulas (9) and (10), plus common-subexpression elimination emphasizing squarings
+assume Z1 = 1
+parameter b2
+assume b2 = 2*b
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute E = 2((X2 + Z2)^2 - XX - ZZ)
+compute aZZ = a ZZ
+compute X4 = (XX - aZZ)^2 - b2 E ZZ
+compute Z4 = E (XX + aZZ) + b4 ZZ^2
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = Z2 X3
+compute X5 = (A - a B)^2 - b4 B (C + D)
+compute Z5 = X1 (C - D)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-3.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-3.op3
new file mode 100644
index 0000000..05c5847
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj-3.op3
@@ -0,0 +1,32 @@
+XX = X2^2
+ZZ = Z2^2
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+t3 = t2-ZZ
+E = 2*t3
+aZZ = a*ZZ
+t4 = XX-aZZ
+t5 = t4^2
+t6 = E*ZZ
+t7 = b2*t6
+X4 = t5-t7
+t8 = XX+aZZ
+t9 = ZZ^2
+t10 = b4*t9
+t11 = E*t8
+Z4 = t11+t10
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = Z2*X3
+t12 = a*B
+t13 = A-t12
+t14 = C+D
+t15 = t13^2
+t16 = B*t14
+t17 = b4*t16
+X5 = t15-t17
+t18 = C-D
+t19 = t18^2
+Z5 = X1*t19
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj.op3
new file mode 100644
index 0000000..676a9d1
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-bj.op3
@@ -0,0 +1,38 @@
+t0 = X2^2
+t1 = Z2^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z2^3
+t6 = X2*t5
+t7 = b*t6
+t8 = 8*t7
+X4 = t4-t8
+t9 = X2^3
+t10 = Z2^2
+t11 = Z2^3
+t12 = b*t11
+t13 = X2*t10
+t14 = a*t13
+t15 = t9+t14
+t16 = t15+t12
+t17 = Z2*t16
+Z4 = 4*t17
+t18 = X3*Z2
+t19 = X2*Z3
+t20 = Z2*Z3
+t21 = a*t20
+t22 = X2*X3
+t23 = t22-t21
+t24 = t19+t18
+t25 = t23^2
+t26 = Z3*t24
+t27 = Z2*t26
+t28 = b*t27
+t29 = 4*t28
+X5 = t25-t29
+t30 = X3*Z2
+t31 = X2*Z3
+t32 = t31-t30
+t33 = t32^2
+Z5 = X1*t33
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it
new file mode 100644
index 0000000..d42d303
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it
@@ -0,0 +1,6 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (8) and (10), plus assumption Z1 = 1
+assume Z1 = 1
+compute X4 = (X2^2 - a Z2^2)^2 - 8 b X2 Z2^3
+compute Z4 = 4(X2 Z2(X2^2 + a Z2^2) + b Z2^4)
+compute X5 = ((X2 X3 - a Z2 Z3)^2 - 4 b Z2 Z3(X2 Z3 + X3 Z2))
+compute Z5 = X1 (X2 Z3 - X3 Z2)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-2 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-2
new file mode 100644
index 0000000..be1e142
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-2
@@ -0,0 +1,8 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (9) and (10), plus assumption Z1 = 1
+assume Z1 = 1
+compute X4 = (X2^2 - a Z2^2)^2 - 8 b X2 Z2^3
+compute Z4 = 4(X2 Z2(X2^2 + a Z2^2) + b Z2^4)
+compute R = 2(X2 Z3 + X3 Z2)(X2 X3 + a Z2 Z3) + 4 b Z2^2 Z3^2
+compute S = (X2 Z3 - X3 Z2)^2
+compute X5 = R - S X1
+compute Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-2.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-2.op3
new file mode 100644
index 0000000..d17f4fe
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-2.op3
@@ -0,0 +1,42 @@
+t0 = X2^2
+t1 = Z2^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z2^3
+t6 = X2*t5
+t7 = b*t6
+t8 = 8*t7
+X4 = t4-t8
+t9 = X2^2
+t10 = Z2^2
+t11 = a*t10
+t12 = t9+t11
+t13 = Z2^4
+t14 = b*t13
+t15 = Z2*t12
+t16 = X2*t15
+t17 = t16+t14
+Z4 = 4*t17
+t18 = Z2*Z3
+t19 = a*t18
+t20 = X2*X3
+t21 = X3*Z2
+t22 = X2*Z3
+t23 = t22+t21
+t24 = t20+t19
+t25 = Z2^2
+t26 = Z3^2
+t27 = t25*t26
+t28 = b*t27
+t29 = 4*t28
+t30 = t23*t24
+t31 = 2*t30
+R = t31+t29
+t32 = X3*Z2
+t33 = X2*Z3
+t34 = t33-t32
+S = t34^2
+t35 = S*X1
+X5 = R-t35
+Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-3
new file mode 100644
index 0000000..71a49ee
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-3
@@ -0,0 +1,16 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (8) and (10), plus common-subexpression elimination, plus assumption Z1=1
+assume Z1 = 1
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute aZZ = a ZZ
+compute E = (X2 + Z2)^2 - XX - ZZ
+compute X4 = (XX - aZZ)^2 - b4 E ZZ
+compute Z4 = 2 E(XX + aZZ) + b4 ZZ^2
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = X3 Z2
+compute X5 = (A - a B)^2 - b4 B(C + D)
+compute Z5 = X1 (C - D)^2
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-3.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-3.op3
new file mode 100644
index 0000000..d15c7ce
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-3.op3
@@ -0,0 +1,32 @@
+XX = X2^2
+ZZ = Z2^2
+aZZ = a*ZZ
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+E = t2-ZZ
+t3 = XX-aZZ
+t4 = t3^2
+t5 = E*ZZ
+t6 = b4*t5
+X4 = t4-t6
+t7 = XX+aZZ
+t8 = ZZ^2
+t9 = b4*t8
+t10 = E*t7
+t11 = 2*t10
+Z4 = t11+t9
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = X3*Z2
+t12 = a*B
+t13 = A-t12
+t14 = C+D
+t15 = t13^2
+t16 = B*t14
+t17 = b4*t16
+X5 = t15-t17
+t18 = C-D
+t19 = t18^2
+Z5 = X1*t19
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-4 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-4
new file mode 100644
index 0000000..96b421c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-4
@@ -0,0 +1,18 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (9) and (10), plus common-subexpression elimination, plus assumption Z1=1
+assume Z1 = 1
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute aZZ = a ZZ
+compute E = (X2 + Z2)^2 - XX - ZZ
+compute X4 = (XX - aZZ)^2 - b4 E ZZ
+compute Z4 = 2 E(XX + aZZ) + b4 ZZ^2
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = X3 Z2
+compute R = 2(C + D)(A + a B) + b4 B^2
+compute S = (C - D)^2
+compute X5 = R - S X1
+compute Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-4.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-4.op3
new file mode 100644
index 0000000..ec7381a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-4.op3
@@ -0,0 +1,35 @@
+XX = X2^2
+ZZ = Z2^2
+aZZ = a*ZZ
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+E = t2-ZZ
+t3 = XX-aZZ
+t4 = t3^2
+t5 = E*ZZ
+t6 = b4*t5
+X4 = t4-t6
+t7 = XX+aZZ
+t8 = ZZ^2
+t9 = b4*t8
+t10 = E*t7
+t11 = 2*t10
+Z4 = t11+t9
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = X3*Z2
+t12 = a*B
+t13 = C+D
+t14 = A+t12
+t15 = B^2
+t16 = b4*t15
+t17 = t13*t14
+t18 = 2*t17
+R = t18+t16
+t19 = C-D
+S = t19^2
+t20 = S*X1
+X5 = R-t20
+Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-5 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-5
new file mode 100644
index 0000000..96b421c
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-5
@@ -0,0 +1,18 @@
+source 2002 Izu--Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", formulas (9) and (10), plus common-subexpression elimination, plus assumption Z1=1
+assume Z1 = 1
+parameter b4
+assume b4 = 4*b
+compute XX = X2^2
+compute ZZ = Z2^2
+compute aZZ = a ZZ
+compute E = (X2 + Z2)^2 - XX - ZZ
+compute X4 = (XX - aZZ)^2 - b4 E ZZ
+compute Z4 = 2 E(XX + aZZ) + b4 ZZ^2
+compute A = X2 X3
+compute B = Z2 Z3
+compute C = X2 Z3
+compute D = X3 Z2
+compute R = 2(C + D)(A + a B) + b4 B^2
+compute S = (C - D)^2
+compute X5 = R - S X1
+compute Z5 = S
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-5.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-5.op3
new file mode 100644
index 0000000..ec7381a
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it-5.op3
@@ -0,0 +1,35 @@
+XX = X2^2
+ZZ = Z2^2
+aZZ = a*ZZ
+t0 = X2+Z2
+t1 = t0^2
+t2 = t1-XX
+E = t2-ZZ
+t3 = XX-aZZ
+t4 = t3^2
+t5 = E*ZZ
+t6 = b4*t5
+X4 = t4-t6
+t7 = XX+aZZ
+t8 = ZZ^2
+t9 = b4*t8
+t10 = E*t7
+t11 = 2*t10
+Z4 = t11+t9
+A = X2*X3
+B = Z2*Z3
+C = X2*Z3
+D = X3*Z2
+t12 = a*B
+t13 = C+D
+t14 = A+t12
+t15 = B^2
+t16 = b4*t15
+t17 = t13*t14
+t18 = 2*t17
+R = t18+t16
+t19 = C-D
+S = t19^2
+t20 = S*X1
+X5 = R-t20
+Z5 = S
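Review bot: The mladd-2002-it-5 and mladd-2002-it-5.op3 hunks on this line are byte-identical to mladd-2002-it-4 and its .op3 — the index lines carry the same blob ids (96b421c and ec7381a) for both pairs, and the formula lines match one for one, so the ladder directory now holds two entries that differ only by file name. If the upstream formula database really ships both names, a note in the `source` line of the -5 pair such as `plus common-subexpression elimination, plus assumption Z1=1 (identical to mladd-2002-it-4)` would save readers from hunting for a difference; otherwise the -5 pair should be dropped so that the set of loaded ladder formulas does not contain a duplicate. I cannot tell from this chunk whether the loader dedups by content, so this is worth confirming against the code that walks the formula directories.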
diff --git a/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it.op3 b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it.op3
new file mode 100644
index 0000000..57b3f80
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/ladder/mladd-2002-it.op3
@@ -0,0 +1,38 @@
+t0 = X2^2
+t1 = Z2^2
+t2 = a*t1
+t3 = t0-t2
+t4 = t3^2
+t5 = Z2^3
+t6 = X2*t5
+t7 = b*t6
+t8 = 8*t7
+X4 = t4-t8
+t9 = X2^2
+t10 = Z2^2
+t11 = a*t10
+t12 = t9+t11
+t13 = Z2^4
+t14 = b*t13
+t15 = Z2*t12
+t16 = X2*t15
+t17 = t16+t14
+Z4 = 4*t17
+t18 = X3*Z2
+t19 = X2*Z3
+t20 = Z2*Z3
+t21 = a*t20
+t22 = X2*X3
+t23 = t22-t21
+t24 = t19+t18
+t25 = t23^2
+t26 = Z3*t24
+t27 = Z2*t26
+t28 = b*t27
+t29 = 4*t28
+X5 = t25-t29
+t30 = X3*Z2
+t31 = X2*Z3
+t32 = t31-t30
+t33 = t32^2
+Z5 = X1*t33
diff --git a/pyecsca/ec/efd/shortw/xz/variables b/pyecsca/ec/efd/shortw/xz/variables
new file mode 100644
index 0000000..9863a08
--- /dev/null
+++ b/pyecsca/ec/efd/shortw/xz/variables
@@ -0,0 +1,4 @@
+name XZ coordinates
+variable X
+variable Z
+satisfying x = X/Z
diff --git a/pyecsca/ec/efd/twisted/coordinates b/pyecsca/ec/efd/twisted/coordinates
new file mode 100644
index 0000000..1a0d32d
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/coordinates
@@ -0,0 +1,24 @@
+name twisted Edwards curves
+parameter a
+parameter d
+coordinate x
+coordinate y
+satisfying a*x^2+y^2 == 1+d*x^2*y^2
+addition x = (x1*y2+y1*x2)/(1+d*x1*x2*y1*y2)
+addition y = (y1*y2-a*x1*x2)/(1-d*x1*x2*y1*y2)
+doubling x = (x1*y1+y1*x1)/(1+d*x1*x1*y1*y1)
+doubling y = (y1*y1-a*x1*x1)/(1-d*x1*x1*y1*y1)
+negation x = -x1
+negation y = y1
+neutral x = 0
+neutral y = 1
+toweierstrass u = (1+y)/(1-y)
+toweierstrass v = 2*(1+y)/(x(1-y))
+a0 = 1/(a-d)
+a1 = 0
+a2 = 4*a/(a-d)-2
+a3 = 0
+a4 = 1
+a6 = 0
+fromweierstrass x = 2*u/v
+fromweierstrass y = (u-1)/(u+1)
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd
new file mode 100644
index 0000000..78b82c3
--- /dev/null
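Review bot: In the twisted/coordinates hunk, `toweierstrass v = 2*(1+y)/(x(1-y))` writes a product by juxtaposition while every other expression in that file spells multiplication out with `*` (`a*x^2`, `d*x1*x2*y1*y2`, `4*a/(a-d)`). If these lines go through the same Python-expression parser that the `satisfying` lines appear to use, `x(1-y)` would be read as a call of `x` rather than a product; I cannot see the map-handling code in this chunk, so that is an inference to confirm. Either way the line is clearer as `toweierstrass v = 2*(1+y)/(x*(1-y))`.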
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd
@@ -0,0 +1,13 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T1 d T2
+compute D = Z1 Z2
+compute E = (X1+Y1)(X2+Y2)-A-B
+compute F = D - C
+compute G = D + C
+compute H = B - a A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-2 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-2
new file mode 100644
index 0000000..0b2c88d
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-2
@@ -0,0 +1,13 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = Z1 T2
+compute D = T1 Z2
+compute E = D + C
+compute F = (X1-Y1)(X2+Y2)+B-A
+compute G = B + a A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-2.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-2.op3
new file mode 100644
index 0000000..41269cf
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-2.op3
@@ -0,0 +1,17 @@
+A = X1*X2
+B = Y1*Y2
+C = Z1*T2
+D = T1*Z2
+E = D+C
+t0 = X1-Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2+B
+F = t3-A
+t4 = a*A
+G = B+t4
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-3 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-3
new file mode 100644
index 0000000..5f7892e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-3
@@ -0,0 +1,16 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1
+appliesto extended-1
+parameter k
+assume k = 2*d
+compute A = (Y1-X1)(Y2-X2)
+compute B = (Y1+X1)(Y2+X2)
+compute C = T1 k T2
+compute D = Z1 2 Z2
+compute E = B - A
+compute F = D - C
+compute G = D + C
+compute H = B + A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-3.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-3.op3
new file mode 100644
index 0000000..497c151
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-3.op3
@@ -0,0 +1,18 @@
+t0 = Y1-X1
+t1 = Y2-X2
+A = t0*t1
+t2 = Y1+X1
+t3 = Y2+X2
+B = t2*t3
+t4 = k*T2
+C = T1*t4
+t5 = 2*Z2
+D = Z1*t5
+E = B-A
+F = D-C
+G = D+C
+H = B+A
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-4 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-4
new file mode 100644
index 0000000..09c7447
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-4
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2
+appliesto extended-1
+compute A = (Y1-X1)(Y2+X2)
+compute B = (Y1+X1)(Y2-X2)
+compute C = Z1 2 T2
+compute D = T1 2 Z2
+compute E = D + C
+compute F = B - A
+compute G = B + A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-4.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-4.op3
new file mode 100644
index 0000000..af4280c
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd-4.op3
@@ -0,0 +1,18 @@
+t0 = Y1-X1
+t1 = Y2+X2
+A = t0*t1
+t2 = Y1+X1
+t3 = Y2-X2
+B = t2*t3
+t4 = 2*T2
+C = Z1*t4
+t5 = 2*Z2
+D = T1*t5
+E = D+C
+F = B-A
+G = B+A
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd.op3
new file mode 100644
index 0000000..9374a58
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/add-2008-hwcd.op3
@@ -0,0 +1,18 @@
+A = X1*X2
+B = Y1*Y2
+t0 = d*T2
+C = T1*t0
+D = Z1*Z2
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-A
+E = t4-B
+F = D-C
+G = D+C
+t5 = a*A
+H = B-t5
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd
new file mode 100644
index 0000000..92cb21e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T1 d T2
+compute D = Z1
+compute E = (X1+Y1)(X2+Y2)-A-B
+compute F = D - C
+compute G = D + C
+compute H = B - a A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-2 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-2
new file mode 100644
index 0000000..546063e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-2
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = Z1 T2
+compute D = T1
+compute E = D + C
+compute F = (X1-Y1)(X2+Y2)+B-A
+compute G = B + a A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-2.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-2.op3
new file mode 100644
index 0000000..bff3029
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-2.op3
@@ -0,0 +1,17 @@
+A = X1*X2
+B = Y1*Y2
+C = Z1*T2
+D = T1
+E = D+C
+t0 = X1-Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2+B
+F = t3-A
+t4 = a*A
+G = B+t4
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-3 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-3
new file mode 100644
index 0000000..7474626
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-3
@@ -0,0 +1,17 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1
+appliesto extended-1
+assume Z2 = 1
+parameter k
+assume k = 2*d
+compute A = (Y1-X1)(Y2-X2)
+compute B = (Y1+X1)(Y2+X2)
+compute C = T1 k T2
+compute D = 2 Z1
+compute E = B - A
+compute F = D - C
+compute G = D + C
+compute H = B + A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-3.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-3.op3
new file mode 100644
index 0000000..3ac949e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-3.op3
@@ -0,0 +1,17 @@
+t0 = Y1-X1
+t1 = Y2-X2
+A = t0*t1
+t2 = Y1+X1
+t3 = Y2+X2
+B = t2*t3
+t4 = k*T2
+C = T1*t4
+D = 2*Z1
+E = B-A
+F = D-C
+G = D+C
+H = B+A
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-4 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-4
new file mode 100644
index 0000000..89b52ed
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-4
@@ -0,0 +1,15 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2
+appliesto extended-1
+assume Z2 = 1
+compute A = (Y1-X1)(Y2+X2)
+compute B = (Y1+X1)(Y2-X2)
+compute C = Z1 2 T2
+compute D = 2 T1
+compute E = D + C
+compute F = B - A
+compute G = B + A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-4.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-4.op3
new file mode 100644
index 0000000..b321c5c
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd-4.op3
@@ -0,0 +1,17 @@
+t0 = Y1-X1
+t1 = Y2+X2
+A = t0*t1
+t2 = Y1+X1
+t3 = Y2-X2
+B = t2*t3
+t4 = 2*T2
+C = Z1*t4
+D = 2*T1
+E = D+C
+F = B-A
+G = B+A
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd.op3
new file mode 100644
index 0000000..9c4b5fd
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/madd-2008-hwcd.op3
@@ -0,0 +1,18 @@
+A = X1*X2
+B = Y1*Y2
+t0 = d*T2
+C = T1*t0
+D = Z1
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-A
+E = t4-B
+F = D-C
+G = D+C
+t5 = a*A
+H = B-t5
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd
new file mode 100644
index 0000000..cdda363
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1, plus assumption Z1=1, plus standard simplification
+assume Z1 = 1
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T1 d T2
+compute E = (X1+Y1)(X2+Y2)-A-B
+compute F = 1 - C
+compute G = 1 + C
+compute H = B - a A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = 1 - C^2
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-2 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-2
new file mode 100644
index 0000000..6f296d5
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-2
@@ -0,0 +1,15 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2, plus assumption Z1=1
+assume Z1 = 1
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T2
+compute D = T1
+compute E = D + C
+compute F = (X1-Y1)(X2+Y2)+B-A
+compute G = B + a A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-2.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-2.op3
new file mode 100644
index 0000000..66fa350
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-2.op3
@@ -0,0 +1,17 @@
+A = X1*X2
+B = Y1*Y2
+C = T2
+D = T1
+E = D+C
+t0 = X1-Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2+B
+F = t3-A
+t4 = a*A
+G = B+t4
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-3 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-3
new file mode 100644
index 0000000..9c53737
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-3
@@ -0,0 +1,17 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1, plus assumption Z1=1, plus standard simplification
+appliesto extended-1
+assume Z1 = 1
+assume Z2 = 1
+parameter k
+assume k = 2*d
+compute A = (Y1-X1)(Y2-X2)
+compute B = (Y1+X1)(Y2+X2)
+compute C = T1 k T2
+compute E = B - A
+compute F = 2 - C
+compute G = 2 + C
+compute H = B + A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = 4 - C^2
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-3.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-3.op3
new file mode 100644
index 0000000..9818971
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-3.op3
@@ -0,0 +1,17 @@
+t0 = Y1-X1
+t1 = Y2-X2
+A = t0*t1
+t2 = Y1+X1
+t3 = Y2+X2
+B = t2*t3
+t4 = k*T2
+C = T1*t4
+E = B-A
+F = 2-C
+G = 2+C
+H = B+A
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+t5 = C^2
+Z3 = 4-t5
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-4 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-4
new file mode 100644
index 0000000..6cc599c
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-4
@@ -0,0 +1,16 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2, plus assumption Z1=1
+appliesto extended-1
+assume Z1 = 1
+assume Z2 = 1
+compute A = (Y1-X1)(Y2+X2)
+compute B = (Y1+X1)(Y2-X2)
+compute C = 2 T2
+compute D = 2 T1
+compute E = D + C
+compute F = B - A
+compute G = B + A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-4.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-4.op3
new file mode 100644
index 0000000..9b5e383
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd-4.op3
@@ -0,0 +1,16 @@
+t0 = Y1-X1
+t1 = Y2+X2
+A = t0*t1
+t2 = Y1+X1
+t3 = Y2-X2
+B = t2*t3
+C = 2*T2
+D = 2*T1
+E = D+C
+F = B-A
+G = B+A
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd.op3
new file mode 100644
index 0000000..f4bc7f6
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/addition/mmadd-2008-hwcd.op3
@@ -0,0 +1,18 @@
+A = X1*X2
+B = Y1*Y2
+t0 = d*T2
+C = T1*t0
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-A
+E = t4-B
+F = 1-C
+G = 1+C
+t5 = a*A
+H = B-t5
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+t6 = C^2
+Z3 = 1-t6
diff --git a/pyecsca/ec/efd/twisted/extended-1/doubling/dbl-2008-hwcd b/pyecsca/ec/efd/twisted/extended-1/doubling/dbl-2008-hwcd
new file mode 100644
index 0000000..1c37c7f
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/doubling/dbl-2008-hwcd
@@ -0,0 +1,13 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.3
+compute A = X1^2
+compute B = Y1^2
+compute C = 2 Z1^2
+compute D = a A
+compute E = (X1+Y1)^2-A-B
+compute G = D + B
+compute F = G - C
+compute H = D - B
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended-1/doubling/dbl-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended-1/doubling/dbl-2008-hwcd.op3
new file mode 100644
index 0000000..dc3d945
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/doubling/dbl-2008-hwcd.op3
@@ -0,0 +1,16 @@
+A = X1^2
+B = Y1^2
+t0 = Z1^2
+C = 2*t0
+D = a*A
+t1 = X1+Y1
+t2 = t1^2
+t3 = t2-A
+E = t3-B
+G = D+B
+F = G-C
+H = D-B
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended-1/doubling/mdbl-2008-hwcd b/pyecsca/ec/efd/twisted/extended-1/doubling/mdbl-2008-hwcd
new file mode 100644
index 0000000..faf5c42
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/doubling/mdbl-2008-hwcd
@@ -0,0 +1,12 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.3, plus assumption Z1=1, plus standard simplification
+assume Z1 = 1
+compute A = X1^2
+compute B = Y1^2
+compute D = a A
+compute E = (X1+Y1)^2-A-B
+compute G = D + B
+compute H = D - B
+compute X3 = E (G - 2)
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = G^2 - 2 G
diff --git a/pyecsca/ec/efd/twisted/extended-1/doubling/mdbl-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended-1/doubling/mdbl-2008-hwcd.op3
new file mode 100644
index 0000000..c36ded1
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/doubling/mdbl-2008-hwcd.op3
@@ -0,0 +1,16 @@
+A = X1^2
+B = Y1^2
+D = a*A
+t0 = X1+Y1
+t1 = t0^2
+t2 = t1-A
+E = t2-B
+G = D+B
+H = D-B
+t3 = G-2
+X3 = E*t3
+Y3 = G*H
+T3 = E*H
+t4 = G^2
+t5 = 2*G
+Z3 = t4-t5
diff --git a/pyecsca/ec/efd/twisted/extended-1/tripling/tpl-2015-c b/pyecsca/ec/efd/twisted/extended-1/tripling/tpl-2015-c
new file mode 100644
index 0000000..7de3ef9
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/tripling/tpl-2015-c
@@ -0,0 +1,18 @@
+source 2015 Chuengsatiansup
+compute YY = Y1^2
+compute aXX = a X1^2
+compute Ap = YY + aXX
+compute B = 2(2 Z1^2 - Ap)
+compute xB = aXX B
+compute yB = YY B
+compute AA = Ap (YY - aXX)
+compute F = AA - yB
+compute G = AA + xB
+compute xE = X1 (yB + AA)
+compute yH = Y1 (xB - AA)
+compute zF = Z1 F
+compute zG = Z1 G
+compute X3 = xE zF
+compute Y3 = yH zG
+compute Z3 = zF zG
+compute T3 = xE yH
diff --git a/pyecsca/ec/efd/twisted/extended-1/tripling/tpl-2015-c.op3 b/pyecsca/ec/efd/twisted/extended-1/tripling/tpl-2015-c.op3
new file mode 100644
index 0000000..858abf2
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/tripling/tpl-2015-c.op3
@@ -0,0 +1,24 @@
+YY = Y1^2
+t0 = X1^2
+aXX = a*t0
+Ap = YY+aXX
+t1 = Z1^2
+t2 = 2*t1
+t3 = t2-Ap
+B = 2*t3
+xB = aXX*B
+yB = YY*B
+t4 = YY-aXX
+AA = Ap*t4
+F = AA-yB
+G = AA+xB
+t5 = yB+AA
+xE = X1*t5
+t6 = xB-AA
+yH = Y1*t6
+zF = Z1*F
+zG = Z1*G
+X3 = xE*zF
+Y3 = yH*zG
+Z3 = zF*zG
+T3 = xE*yH
diff --git a/pyecsca/ec/efd/twisted/extended-1/variables b/pyecsca/ec/efd/twisted/extended-1/variables
new file mode 100644
index 0000000..ba9fb1f
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended-1/variables
@@ -0,0 +1,9 @@
+name extended coordinates with a=-1
+assume a = -1
+variable X
+variable Y
+variable Z
+variable T
+satisfying x = X/Z
+satisfying y = Y/Z
+satisfying x*y = T/Z
diff --git a/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd
new file mode 100644
index 0000000..78b82c3
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd
@@ -0,0 +1,13 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T1 d T2
+compute D = Z1 Z2
+compute E = (X1+Y1)(X2+Y2)-A-B
+compute F = D - C
+compute G = D + C
+compute H = B - a A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd-2 b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd-2
new file mode 100644
index 0000000..0b2c88d
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd-2
@@ -0,0 +1,13 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = Z1 T2
+compute D = T1 Z2
+compute E = D + C
+compute F = (X1-Y1)(X2+Y2)+B-A
+compute G = B + a A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd-2.op3 b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd-2.op3
new file mode 100644
index 0000000..41269cf
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd-2.op3
@@ -0,0 +1,17 @@
+A = X1*X2
+B = Y1*Y2
+C = Z1*T2
+D = T1*Z2
+E = D+C
+t0 = X1-Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2+B
+F = t3-A
+t4 = a*A
+G = B+t4
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd.op3
new file mode 100644
index 0000000..9374a58
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/add-2008-hwcd.op3
@@ -0,0 +1,18 @@
+A = X1*X2
+B = Y1*Y2
+t0 = d*T2
+C = T1*t0
+D = Z1*Z2
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-A
+E = t4-B
+F = D-C
+G = D+C
+t5 = a*A
+H = B-t5
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd
new file mode 100644
index 0000000..92cb21e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T1 d T2
+compute D = Z1
+compute E = (X1+Y1)(X2+Y2)-A-B
+compute F = D - C
+compute G = D + C
+compute H = B - a A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd-2 b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd-2
new file mode 100644
index 0000000..546063e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd-2
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = Z1 T2
+compute D = T1
+compute E = D + C
+compute F = (X1-Y1)(X2+Y2)+B-A
+compute G = B + a A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd-2.op3 b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd-2.op3
new file mode 100644
index 0000000..bff3029
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd-2.op3
@@ -0,0 +1,17 @@
+A = X1*X2
+B = Y1*Y2
+C = Z1*T2
+D = T1
+E = D+C
+t0 = X1-Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2+B
+F = t3-A
+t4 = a*A
+G = B+t4
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd.op3
new file mode 100644
index 0000000..9c4b5fd
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/madd-2008-hwcd.op3
@@ -0,0 +1,18 @@
+A = X1*X2
+B = Y1*Y2
+t0 = d*T2
+C = T1*t0
+D = Z1
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-A
+E = t4-B
+F = D-C
+G = D+C
+t5 = a*A
+H = B-t5
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd
new file mode 100644
index 0000000..cdda363
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd
@@ -0,0 +1,14 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.1, plus assumption Z1=1, plus standard simplification
+assume Z1 = 1
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T1 d T2
+compute E = (X1+Y1)(X2+Y2)-A-B
+compute F = 1 - C
+compute G = 1 + C
+compute H = B - a A
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = 1 - C^2
diff --git a/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd-2 b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd-2
new file mode 100644
index 0000000..6f296d5
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd-2
@@ -0,0 +1,15 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.2, plus assumption Z1=1
+assume Z1 = 1
+assume Z2 = 1
+compute A = X1 X2
+compute B = Y1 Y2
+compute C = T2
+compute D = T1
+compute E = D + C
+compute F = (X1-Y1)(X2+Y2)+B-A
+compute G = B + a A
+compute H = D - C
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd-2.op3 b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd-2.op3
new file mode 100644
index 0000000..66fa350
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd-2.op3
@@ -0,0 +1,17 @@
+A = X1*X2
+B = Y1*Y2
+C = T2
+D = T1
+E = D+C
+t0 = X1-Y1
+t1 = X2+Y2
+t2 = t0*t1
+t3 = t2+B
+F = t3-A
+t4 = a*A
+G = B+t4
+H = D-C
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd.op3
new file mode 100644
index 0000000..f4bc7f6
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/addition/mmadd-2008-hwcd.op3
@@ -0,0 +1,18 @@
+A = X1*X2
+B = Y1*Y2
+t0 = d*T2
+C = T1*t0
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-A
+E = t4-B
+F = 1-C
+G = 1+C
+t5 = a*A
+H = B-t5
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+t6 = C^2
+Z3 = 1-t6
diff --git a/pyecsca/ec/efd/twisted/extended/doubling/dbl-2008-hwcd b/pyecsca/ec/efd/twisted/extended/doubling/dbl-2008-hwcd
new file mode 100644
index 0000000..1c37c7f
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/doubling/dbl-2008-hwcd
@@ -0,0 +1,13 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.3
+compute A = X1^2
+compute B = Y1^2
+compute C = 2 Z1^2
+compute D = a A
+compute E = (X1+Y1)^2-A-B
+compute G = D + B
+compute F = G - C
+compute H = D - B
+compute X3 = E F
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/extended/doubling/dbl-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended/doubling/dbl-2008-hwcd.op3
new file mode 100644
index 0000000..dc3d945
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/doubling/dbl-2008-hwcd.op3
@@ -0,0 +1,16 @@
+A = X1^2
+B = Y1^2
+t0 = Z1^2
+C = 2*t0
+D = a*A
+t1 = X1+Y1
+t2 = t1^2
+t3 = t2-A
+E = t3-B
+G = D+B
+F = G-C
+H = D-B
+X3 = E*F
+Y3 = G*H
+T3 = E*H
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/extended/doubling/mdbl-2008-hwcd b/pyecsca/ec/efd/twisted/extended/doubling/mdbl-2008-hwcd
new file mode 100644
index 0000000..faf5c42
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/doubling/mdbl-2008-hwcd
@@ -0,0 +1,12 @@
+source 2008 Hisil--Wong--Carter--Dawson, http://eprint.iacr.org/2008/522, Section 3.3, plus assumption Z1=1, plus standard simplification
+assume Z1 = 1
+compute A = X1^2
+compute B = Y1^2
+compute D = a A
+compute E = (X1+Y1)^2-A-B
+compute G = D + B
+compute H = D - B
+compute X3 = E (G - 2)
+compute Y3 = G H
+compute T3 = E H
+compute Z3 = G^2 - 2 G
diff --git a/pyecsca/ec/efd/twisted/extended/doubling/mdbl-2008-hwcd.op3 b/pyecsca/ec/efd/twisted/extended/doubling/mdbl-2008-hwcd.op3
new file mode 100644
index 0000000..c36ded1
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/doubling/mdbl-2008-hwcd.op3
@@ -0,0 +1,16 @@
+A = X1^2
+B = Y1^2
+D = a*A
+t0 = X1+Y1
+t1 = t0^2
+t2 = t1-A
+E = t2-B
+G = D+B
+H = D-B
+t3 = G-2
+X3 = E*t3
+Y3 = G*H
+T3 = E*H
+t4 = G^2
+t5 = 2*G
+Z3 = t4-t5
diff --git a/pyecsca/ec/efd/twisted/extended/tripling/tpl-2015-c b/pyecsca/ec/efd/twisted/extended/tripling/tpl-2015-c
new file mode 100644
index 0000000..7de3ef9
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/tripling/tpl-2015-c
@@ -0,0 +1,18 @@
+source 2015 Chuengsatiansup
+compute YY = Y1^2
+compute aXX = a X1^2
+compute Ap = YY + aXX
+compute B = 2(2 Z1^2 - Ap)
+compute xB = aXX B
+compute yB = YY B
+compute AA = Ap (YY - aXX)
+compute F = AA - yB
+compute G = AA + xB
+compute xE = X1 (yB + AA)
+compute yH = Y1 (xB - AA)
+compute zF = Z1 F
+compute zG = Z1 G
+compute X3 = xE zF
+compute Y3 = yH zG
+compute Z3 = zF zG
+compute T3 = xE yH
diff --git a/pyecsca/ec/efd/twisted/extended/tripling/tpl-2015-c.op3 b/pyecsca/ec/efd/twisted/extended/tripling/tpl-2015-c.op3
new file mode 100644
index 0000000..858abf2
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/tripling/tpl-2015-c.op3
@@ -0,0 +1,24 @@
+YY = Y1^2
+t0 = X1^2
+aXX = a*t0
+Ap = YY+aXX
+t1 = Z1^2
+t2 = 2*t1
+t3 = t2-Ap
+B = 2*t3
+xB = aXX*B
+yB = YY*B
+t4 = YY-aXX
+AA = Ap*t4
+F = AA-yB
+G = AA+xB
+t5 = yB+AA
+xE = X1*t5
+t6 = xB-AA
+yH = Y1*t6
+zF = Z1*F
+zG = Z1*G
+X3 = xE*zF
+Y3 = yH*zG
+Z3 = zF*zG
+T3 = xE*yH
diff --git a/pyecsca/ec/efd/twisted/extended/variables b/pyecsca/ec/efd/twisted/extended/variables
new file mode 100644
index 0000000..44e4865
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/extended/variables
@@ -0,0 +1,8 @@
+name extended coordinates
+variable X
+variable Y
+variable Z
+variable T
+satisfying x = X/Z
+satisfying y = Y/Z
+satisfying x*y = T/Z
diff --git a/pyecsca/ec/efd/twisted/inverted/addition/add-2008-bbjlp b/pyecsca/ec/efd/twisted/inverted/addition/add-2008-bbjlp
new file mode 100644
index 0000000..4997a3e
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/addition/add-2008-bbjlp
@@ -0,0 +1,11 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013, Section 6
+compute A = Z1 Z2
+compute B = d A^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = C D
+compute H = C - a D
+compute I = (X1 + Y1)(X2 + Y2) - C - D
+compute X3 = (E + B) H
+compute Y3 = (E - B) I
+compute Z3 = A H I
diff --git a/pyecsca/ec/efd/twisted/inverted/addition/add-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/inverted/addition/add-2008-bbjlp.op3
new file mode 100644
index 0000000..236478a
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/addition/add-2008-bbjlp.op3
@@ -0,0 +1,19 @@
+A = Z1*Z2
+t0 = A^2
+B = d*t0
+C = X1*X2
+D = Y1*Y2
+E = C*D
+t1 = a*D
+H = C-t1
+t2 = X1+Y1
+t3 = X2+Y2
+t4 = t2*t3
+t5 = t4-C
+I = t5-D
+t6 = E+B
+X3 = t6*H
+t7 = E-B
+Y3 = t7*I
+t8 = H*I
+Z3 = A*t8
diff --git a/pyecsca/ec/efd/twisted/inverted/addition/madd-2008-bbjlp b/pyecsca/ec/efd/twisted/inverted/addition/madd-2008-bbjlp
new file mode 100644
index 0000000..83267c8
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/addition/madd-2008-bbjlp
@@ -0,0 +1,11 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013, Section 6, plus Z2=1, plus common-subexpression elimination
+assume Z2 = 1
+compute B = d Z1^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = C D
+compute H = C - a D
+compute I = (X1 + Y1)(X2 + Y2) - C - D
+compute X3 = (E + B) H
+compute Y3 = (E - B) I
+compute Z3 = Z1 H I
diff --git a/pyecsca/ec/efd/twisted/inverted/addition/madd-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/inverted/addition/madd-2008-bbjlp.op3
new file mode 100644
index 0000000..05075c2
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/addition/madd-2008-bbjlp.op3
@@ -0,0 +1,18 @@
+t0 = Z1^2
+B = d*t0
+C = X1*X2
+D = Y1*Y2
+E = C*D
+t1 = a*D
+H = C-t1
+t2 = X1+Y1
+t3 = X2+Y2
+t4 = t2*t3
+t5 = t4-C
+I = t5-D
+t6 = E+B
+X3 = t6*H
+t7 = E-B
+Y3 = t7*I
+t8 = H*I
+Z3 = Z1*t8
diff --git a/pyecsca/ec/efd/twisted/inverted/addition/mmadd-2008-bbjlp b/pyecsca/ec/efd/twisted/inverted/addition/mmadd-2008-bbjlp
new file mode 100644
index 0000000..e47a3c9
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/addition/mmadd-2008-bbjlp
@@ -0,0 +1,11 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013, Section 6, plus Z2=1, plus Z1=1, plus common-subexpression elimination
+assume Z1 = 1
+assume Z2 = 1
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = C D
+compute H = C - a D
+compute I = (X1 + Y1)(X2 + Y2) - C - D
+compute X3 = (E + d) H
+compute Y3 = (E - d) I
+compute Z3 = H I
diff --git a/pyecsca/ec/efd/twisted/inverted/addition/mmadd-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/inverted/addition/mmadd-2008-bbjlp.op3
new file mode 100644
index 0000000..fe012af
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/addition/mmadd-2008-bbjlp.op3
@@ -0,0 +1,15 @@
+C = X1*X2
+D = Y1*Y2
+E = C*D
+t0 = a*D
+H = C-t0
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+I = t4-D
+t5 = E+d
+X3 = t5*H
+t6 = E-d
+Y3 = t6*I
+Z3 = H*I
diff --git a/pyecsca/ec/efd/twisted/inverted/doubling/dbl-2008-bbjlp b/pyecsca/ec/efd/twisted/inverted/doubling/dbl-2008-bbjlp
new file mode 100644
index 0000000..ca82407
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/doubling/dbl-2008-bbjlp
@@ -0,0 +1,12 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013, Section 6
+parameter d2
+assume d2 = 2*d
+compute A = X1^2
+compute B = Y1^2
+compute U = a B
+compute C = A + U
+compute D = A - U
+compute E = (X1 + Y1)^2 - A - B
+compute X3 = C D
+compute Y3 = E (C - d2 Z1^2)
+compute Z3 = D E
diff --git a/pyecsca/ec/efd/twisted/inverted/doubling/dbl-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/inverted/doubling/dbl-2008-bbjlp.op3
new file mode 100644
index 0000000..0a19ffe
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/doubling/dbl-2008-bbjlp.op3
@@ -0,0 +1,15 @@
+A = X1^2
+B = Y1^2
+U = a*B
+C = A+U
+D = A-U
+t0 = X1+Y1
+t1 = t0^2
+t2 = t1-A
+E = t2-B
+X3 = C*D
+t3 = Z1^2
+t4 = d2*t3
+t5 = C-t4
+Y3 = E*t5
+Z3 = D*E
diff --git a/pyecsca/ec/efd/twisted/inverted/doubling/mdbl-2008-bbjlp b/pyecsca/ec/efd/twisted/inverted/doubling/mdbl-2008-bbjlp
new file mode 100644
index 0000000..b3fbf0b
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/doubling/mdbl-2008-bbjlp
@@ -0,0 +1,13 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013, Section 6, plus Z1=1
+assume Z1 = 1
+parameter d2
+assume d2 = 2*d
+compute A = X1^2
+compute B = Y1^2
+compute U = a B
+compute C = A + U
+compute D = A - U
+compute E = (X1 + Y1)^2 - A - B
+compute X3 = C D
+compute Y3 = E (C - d2)
+compute Z3 = D E
diff --git a/pyecsca/ec/efd/twisted/inverted/doubling/mdbl-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/inverted/doubling/mdbl-2008-bbjlp.op3
new file mode 100644
index 0000000..659aaf4
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/doubling/mdbl-2008-bbjlp.op3
@@ -0,0 +1,13 @@
+A = X1^2
+B = Y1^2
+U = a*B
+C = A+U
+D = A-U
+t0 = X1+Y1
+t1 = t0^2
+t2 = t1-A
+E = t2-B
+X3 = C*D
+t3 = C-d2
+Y3 = E*t3
+Z3 = D*E
diff --git a/pyecsca/ec/efd/twisted/inverted/variables b/pyecsca/ec/efd/twisted/inverted/variables
new file mode 100644
index 0000000..97014ad
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/inverted/variables
@@ -0,0 +1,6 @@
+name inverted coordinates
+variable X
+variable Y
+variable Z
+satisfying x = Z/X
+satisfying y = Z/Y
diff --git a/pyecsca/ec/efd/twisted/projective/addition/add-2008-bbjlp b/pyecsca/ec/efd/twisted/projective/addition/add-2008-bbjlp
new file mode 100644
index 0000000..42d7bf3
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/addition/add-2008-bbjlp
@@ -0,0 +1,11 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013 Section 6
+compute A = Z1 Z2
+compute B = A^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute F = B-E
+compute G = B+E
+compute X3 = A F ((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = A G (D-a C)
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/projective/addition/add-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/projective/addition/add-2008-bbjlp.op3
new file mode 100644
index 0000000..6ea2404
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/addition/add-2008-bbjlp.op3
@@ -0,0 +1,20 @@
+A = Z1*Z2
+B = A^2
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+F = B-E
+G = B+E
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+t5 = t4-D
+t6 = F*t5
+X3 = A*t6
+t7 = a*C
+t8 = D-t7
+t9 = G*t8
+Y3 = A*t9
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/projective/addition/madd-2008-bbjlp b/pyecsca/ec/efd/twisted/projective/addition/madd-2008-bbjlp
new file mode 100644
index 0000000..9e65591
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/addition/madd-2008-bbjlp
@@ -0,0 +1,11 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013 Section 6, plus Z2=1, plus common-subexpression elimination
+assume Z2 = 1
+compute B = Z1^2
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute F = B-E
+compute G = B+E
+compute X3 = Z1 F ((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = Z1 G (D-a C)
+compute Z3 = F G
diff --git a/pyecsca/ec/efd/twisted/projective/addition/madd-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/projective/addition/madd-2008-bbjlp.op3
new file mode 100644
index 0000000..68e4356
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/addition/madd-2008-bbjlp.op3
@@ -0,0 +1,19 @@
+B = Z1^2
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+F = B-E
+G = B+E
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = t3-C
+t5 = t4-D
+t6 = F*t5
+X3 = Z1*t6
+t7 = a*C
+t8 = D-t7
+t9 = G*t8
+Y3 = Z1*t9
+Z3 = F*G
diff --git a/pyecsca/ec/efd/twisted/projective/addition/mmadd-2008-bbjlp b/pyecsca/ec/efd/twisted/projective/addition/mmadd-2008-bbjlp
new file mode 100644
index 0000000..51d5db1
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/addition/mmadd-2008-bbjlp
@@ -0,0 +1,9 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013 Section 6, plus Z2=1, plus Z1=1, plus standard simplification
+assume Z1 = 1
+assume Z2 = 1
+compute C = X1 X2
+compute D = Y1 Y2
+compute E = d C D
+compute X3 = (1-E) ((X1+Y1)(X2+Y2)-C-D)
+compute Y3 = (1+E) (D-a C)
+compute Z3 = 1-E^2
diff --git a/pyecsca/ec/efd/twisted/projective/addition/mmadd-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/projective/addition/mmadd-2008-bbjlp.op3
new file mode 100644
index 0000000..dc0a2a1
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/addition/mmadd-2008-bbjlp.op3
@@ -0,0 +1,17 @@
+C = X1*X2
+D = Y1*Y2
+t0 = C*D
+E = d*t0
+t1 = X1+Y1
+t2 = X2+Y2
+t3 = t1*t2
+t4 = 1-E
+t5 = t3-C
+t6 = t5-D
+X3 = t4*t6
+t7 = a*C
+t8 = 1+E
+t9 = D-t7
+Y3 = t8*t9
+t10 = E^2
+Z3 = 1-t10
diff --git a/pyecsca/ec/efd/twisted/projective/doubling/dbl-2008-bbjlp b/pyecsca/ec/efd/twisted/projective/doubling/dbl-2008-bbjlp
new file mode 100644
index 0000000..1177262
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/doubling/dbl-2008-bbjlp
@@ -0,0 +1,11 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013
+compute B = (X1+Y1)^2
+compute C = X1^2
+compute D = Y1^2
+compute E = a C
+compute F = E + D
+compute H = Z1^2
+compute J = F - 2 H
+compute X3 = (B-C-D)J
+compute Y3 = F(E-D)
+compute Z3 = F J
diff --git a/pyecsca/ec/efd/twisted/projective/doubling/dbl-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/projective/doubling/dbl-2008-bbjlp.op3
new file mode 100644
index 0000000..ac265b5
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/doubling/dbl-2008-bbjlp.op3
@@ -0,0 +1,15 @@
+t0 = X1+Y1
+B = t0^2
+C = X1^2
+D = Y1^2
+E = a*C
+F = E+D
+H = Z1^2
+t1 = 2*H
+J = F-t1
+t2 = B-C
+t3 = t2-D
+X3 = t3*J
+t4 = E-D
+Y3 = F*t4
+Z3 = F*J
diff --git a/pyecsca/ec/efd/twisted/projective/doubling/mdbl-2008-bbjlp b/pyecsca/ec/efd/twisted/projective/doubling/mdbl-2008-bbjlp
new file mode 100644
index 0000000..a057621
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/doubling/mdbl-2008-bbjlp
@@ -0,0 +1,10 @@
+source 2008 Bernstein--Birkner--Joye--Lange--Peters http://eprint.iacr.org/2008/013, plus Z1=1, plus standard simplification
+assume Z1 = 1
+compute B = (X1+Y1)^2
+compute C = X1^2
+compute D = Y1^2
+compute E = a C
+compute F = E + D
+compute X3 = (B-C-D)(F-2)
+compute Y3 = F(E-D)
+compute Z3 = F^2-2 F
diff --git a/pyecsca/ec/efd/twisted/projective/doubling/mdbl-2008-bbjlp.op3 b/pyecsca/ec/efd/twisted/projective/doubling/mdbl-2008-bbjlp.op3
new file mode 100644
index 0000000..dff3391
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/doubling/mdbl-2008-bbjlp.op3
@@ -0,0 +1,15 @@
+t0 = X1+Y1
+B = t0^2
+C = X1^2
+D = Y1^2
+E = a*C
+F = E+D
+t1 = B-C
+t2 = t1-D
+t3 = F-2
+X3 = t2*t3
+t4 = E-D
+Y3 = F*t4
+t5 = F^2
+t6 = 2*F
+Z3 = t5-t6
diff --git a/pyecsca/ec/efd/twisted/projective/tripling/tpl-2015-c b/pyecsca/ec/efd/twisted/projective/tripling/tpl-2015-c
new file mode 100644
index 0000000..c3870d2
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/tripling/tpl-2015-c
@@ -0,0 +1,13 @@
+source 2015 Chuengsatiansup
+compute YY = Y1^2
+compute aXX = a X1^2
+compute Ap = YY + aXX
+compute B = 2(2 Z1^2 - Ap)
+compute xB = aXX B
+compute yB = YY B
+compute AA = Ap (YY - aXX)
+compute F = AA - yB
+compute G = AA + xB
+compute X3 = X1 (yB + AA) F
+compute Y3 = Y1 (xB - AA) G
+compute Z3 = Z1 F G
diff --git a/pyecsca/ec/efd/twisted/projective/tripling/tpl-2015-c.op3 b/pyecsca/ec/efd/twisted/projective/tripling/tpl-2015-c.op3
new file mode 100644
index 0000000..fadf02f
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/tripling/tpl-2015-c.op3
@@ -0,0 +1,22 @@
+YY = Y1^2
+t0 = X1^2
+aXX = a*t0
+Ap = YY+aXX
+t1 = Z1^2
+t2 = 2*t1
+t3 = t2-Ap
+B = 2*t3
+xB = aXX*B
+yB = YY*B
+t4 = YY-aXX
+AA = Ap*t4
+F = AA-yB
+G = AA+xB
+t5 = yB+AA
+t6 = t5*F
+X3 = X1*t6
+t7 = xB-AA
+t8 = t7*G
+Y3 = Y1*t8
+t9 = F*G
+Z3 = Z1*t9
diff --git a/pyecsca/ec/efd/twisted/projective/variables b/pyecsca/ec/efd/twisted/projective/variables
new file mode 100644
index 0000000..9c6045b
--- /dev/null
+++ b/pyecsca/ec/efd/twisted/projective/variables
@@ -0,0 +1,6 @@
+name projective coordinates
+variable X
+variable Y
+variable Z
+satisfying x = X/Z
+satisfying y = Y/Z
diff --git a/pyecsca/ec/formula.py b/pyecsca/ec/formula.py
new file mode 100644
index 0000000..42f73a7
--- /dev/null
+++ b/pyecsca/ec/formula.py
@@ -0,0 +1,65 @@ +from ast import parse, Expression, Module +from pkg_resources import resource_stream +from typing import List, Any + + +class Formula(object): + name: str + coordinate_model: Any + source: str + parameters: List[str] + assumptions: List[Expression] + code: Module + + def __init__(self, path: str, name: str, coordinate_model: Any): + self.name = name + self.coordinate_model = coordinate_model + self.parameters = [] + self.assumptions = [] + self.__read_meta_file(path) + self.__read_op3_file(path + ".op3") + + def __read_meta_file(self, path): + with resource_stream(__name__, path) as f: + line = f.readline().decode("ascii") + while line: + line = line[:-1] + if line.startswith("source"): + self.source = line[7:] + elif line.startswith("parameter"): + self.parameters.append(line[10:]) + elif line.startswith("assume"): + self.assumptions.append( + parse(line[7:].replace("=", "==").replace("^", "**"), mode="eval")) + line = f.readline().decode("ascii") + + def __read_op3_file(self, path): + with resource_stream(__name__, path) as f: + self.code = parse(f.read(), path, mode="exec") + + def __repr__(self): + return self.__class__.__name__ + "({} for {})".format(self.name, self.coordinate_model) + + +class AdditionFormula(Formula): + pass + + +class DoublingFormula(Formula): + pass + + +class TriplingFormula(Formula): + pass + + +class ScalingFormula(Formula): + pass + + +class DifferentialAdditionFormula(Formula): + pass + + +class LadderFormula(Formula): + pass diff --git a/pyecsca/ec/model.py b/pyecsca/ec/model.py new file mode 100644 index 0000000..285f1d2 --- /dev/null +++ b/pyecsca/ec/model.py 
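Review bot: `__read_op3_file` parses the `.op3` text verbatim, while `__read_meta_file` rewrites `^` to `**` before parsing; the added `.op3` files write squaring as `Z1^2`, so `code` will contain `BitXor` nodes rather than `Pow` unless whatever later executes the Module special-cases that, and it would be safer to translate here as well, e.g. `self.code = parse(f.read().replace(b"^", b"**"), path, mode="exec")`. In `__read_meta_file`, `line = line[:-1]` strips the last character unconditionally, so a final line without a trailing newline loses a character and a CRLF file keeps a stray `\r`; `line = line.rstrip("\r\n")` handles both. `self.source` is only assigned when a `source` line is present, so a formula file without one leaves the attribute unset and `repr`/consumers will hit an AttributeError — initialise it in `__init__` (`self.source = ""`).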
@@ -0,0 +1,99 @@ +from ast import parse, Expression, Module +from pkg_resources import resource_listdir, resource_isdir, resource_stream +from public import public +from typing import List, MutableMapping + +from .coordinates import CoordinateModel + + +class CurveModel(object): + _efd_name: str + name: str + coordinates: MutableMapping[str, CoordinateModel] + parameter_names: List[str] + coordinate_names: List[str] + equation: Expression + base_addition: List[Module] + base_doubling: List[Module] + base_negation: List[Module] + base_neutral: List[Module] + full_weierstrass: List[Module] + to_weierstrass: List[Module] + from_weierstrass: List[Module] + + def __init_subclass__(cls, efd_name: str = None, **kwargs): + cls._efd_name = efd_name + files = resource_listdir(__name__, "efd/" + efd_name) + cls.coordinates = {} + cls.parameter_names = [] + cls.coordinate_names = [] + cls.base_addition = [] + cls.base_doubling = [] + cls.base_negation = [] + cls.base_neutral = [] + cls.full_weierstrass = [] + cls.to_weierstrass = [] + cls.from_weierstrass = [] + for fname in files: + file_path = "efd/" + efd_name + "/" + fname + if resource_isdir(__name__, file_path): + cls.__read_coordinate_dir(file_path, fname) + else: + cls.__read_curve_file(file_path) + + @classmethod + def __read_curve_file(cls, file_path): + def format_eq(line, mode="exec"): + return parse(line.replace("^", "**"), mode=mode) + + with resource_stream(__name__, file_path) as f: + line = f.readline() + while line: + line = line.decode("ascii")[:-1] + if line.startswith("name"): + cls.name = line[5:] + elif line.startswith("parameter"): + cls.parameter_names.append(line[10:]) + elif line.startswith("coordinate"): + cls.coordinate_names.append(line[11:]) + elif line.startswith("satisfying"): + cls.equation = format_eq(line[11:], mode="eval") + elif line.startswith("addition"): + cls.base_addition.append(format_eq(line[9:])) + elif line.startswith("doubling"): + cls.base_doubling.append(format_eq(line[9:])) + 
elif line.startswith("negation"): + cls.base_negation.append(format_eq(line[9:])) + elif line.startswith("neutral"): + cls.base_neutral.append(format_eq(line[8:])) + elif line.startswith("toweierstrass"): + cls.to_weierstrass.append(format_eq(line[14:])) + elif line.startswith("fromweierstrass"): + cls.to_weierstrass.append(format_eq(line[16:])) + else: + cls.full_weierstrass.append(format_eq(line)) + line = f.readline() + + @classmethod + def __read_coordinate_dir(cls, dir_path, name): + cls.coordinates[name] = CoordinateModel(dir_path, name, cls) + + +@public +class ShortWeierstrassModel(CurveModel, efd_name="shortw"): + pass + + +@public +class MontgomeryModel(CurveModel, efd_name="montgom"): + pass + + +@public +class EdwardsModel(CurveModel, efd_name="edwards"): + pass + + +@public +class TwistedEdwardsModel(CurveModel, efd_name="twisted"): + pass diff --git a/pyecsca/sca/trace_set/chipwhisperer.py b/pyecsca/sca/trace_set/chipwhisperer.py index 31e2479..21369d2 100644 --- a/pyecsca/sca/trace_set/chipwhisperer.py +++ b/pyecsca/sca/trace_set/chipwhisperer.py @@ -15,14 +15,14 @@ class ChipWhispererTraceSet(TraceSet): if path is None and name is None: super().__init__() else: - data = self._read_data(path, name) + data = self.__read_data(path, name) trace_data = data["traces"] traces = [Trace(None, None, trace_samples, trace_set=self) for trace_samples in trace_data] del data["traces"] - config = self._read_config(path, name) + config = self.__read_config(path, name) super().__init__(*traces, **data, **config) - def _read_data(self, path, name): + def __read_data(self, path, name): types = {"keylist": None, "knownkey": None, "textin": None, "textout": None, "traces": None} for type in types.keys(): type_path = join(path, name + "_" + type + ".npy") 
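Review bot: The `fromweierstrass` branch of `__read_curve_file` appends to `cls.to_weierstrass` instead of `cls.from_weierstrass`, so `from_weierstrass` is never filled and `to_weierstrass` receives both directions; the line should be `cls.from_weierstrass.append(format_eq(line[16:]))`. `__init_subclass__` declares `efd_name: str = None` but immediately concatenates it in `"efd/" + efd_name`, so a subclass defined without the keyword dies with a TypeError instead of a clear message — either drop the default or raise `ValueError("efd_name is required")` up front. The final `else` also parses every unrecognised line, blank lines included, as a `full_weierstrass` equation, which looks unintended; skipping empty lines (`if not line: continue` after the strip) would avoid accumulating empty Modules.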
@@ -30,7 +30,7 @@ class ChipWhispererTraceSet(TraceSet): types[type] = np.load(type_path) return types - def _read_config(self, path, name): + def __read_config(self, path, name): config_path = join(path, "config_" + name + "_.cfg") if exists(config_path) and isfile(config_path): config = ConfigParser() diff --git a/pyecsca/sca/trace_set/inspector.py b/pyecsca/sca/trace_set/inspector.py index dcb7918..bcffb94 100644 --- a/pyecsca/sca/trace_set/inspector.py +++ b/pyecsca/sca/trace_set/inspector.py @@ -149,17 +149,17 @@ class InspectorTraceSet(TraceSet): traces = None if isinstance(input, bytes): with BytesIO(input) as f: - traces = self._read(f) + traces = self.__read(f) elif isinstance(input, (Path, str)): with open(input, "rb") as f: - traces = self._read(f) + traces = self.__read(f) elif isinstance(input, (RawIOBase, BufferedIOBase)): - traces = self._read(input) + traces = self.__read(input) elif input is not None: raise ValueError( "Cannot parse data, unknown input: {}".format(input)) if traces is not None: - super().__init__(*self._scale(traces)) + super().__init__(*self.__scale(traces)) else: super().__init__() if keep_raw_traces: @@ -167,7 +167,7 @@ class InspectorTraceSet(TraceSet): else: del traces - def _read(self, file): + def __read(self, file): self._set_tags = set() while True: tag = ord(file.read(1)) @@ -200,7 +200,7 @@ class InspectorTraceSet(TraceSet): result.append(Trace(title, data, samples, trace_set=self)) return result - def _write(self, file): + def __write(self, file): for set_tag in self._set_tags: tag_name, tag_len, _, tag_writer = InspectorTraceSet._tag_parsers[ set_tag] @@ -228,7 +228,7 @@ class InspectorTraceSet(TraceSet): except UnsupportedOperation: file.write(trace.samples.tobytes()) - def _scale(self, traces): + def __scale(self, traces): return list(map(lambda trace: Trace(trace.title, trace.data, trace.samples.astype("f4") * self.y_scale, trace_set=self), 
@@ -242,9 +242,9 @@ class InspectorTraceSet(TraceSet): """ if isinstance(output, (Path, str)): with open(output, "wb") as f: - self._write(f) + self.__write(f) elif isinstance(output, (RawIOBase, BufferedIOBase)): - self._write(output) + self.__write(output) else: raise ValueError("Cannot save data, unknown output: {}".format(output)) @@ -2,23 +2,35 @@ from setuptools import setup setup( - name='pyecsca', - author='Jan Jancar', - author_email='johny@neuromancer.sk', - version='0.1.0', - packages=['pyecsca'], - license="MIT license", - description="Python Elliptic Curve cryptography Side Channel Analysis toolkit.", - long_description=open("README.md").read(), - install_requires=[ - "numpy", - "scipy", - "atpublic", - "matplotlib", - "fastdtw" - ], - tests_require=[ - "nose2", - "green" - ] + name='pyecsca', + author='Jan Jancar', + author_email='johny@neuromancer.sk', + version='0.1.0', + packages=['pyecsca'], + license="MIT", + description="Python Elliptic Curve cryptography Side Channel Analysis toolkit.", + long_description=open("README.md").read(), + long_description_content_type="text/markdown", + classifiers=[ + "Development Status :: 3 - Alpha", + "License :: OSI Approved :: MIT License", + "Topic :: Security", + "Topic :: Security :: Cryptography", + "Programming Language :: Python :: 3", + "Intended Audience :: Developers", + "Intended Audience :: Science/Research" + ], + install_package_data=True, + python_requires='>=3', + install_requires=[ + "numpy", + "scipy", + "atpublic", + "matplotlib", + "fastdtw" + ], + tests_require=[ + "nose2", + "green" + ] ) |
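Review bot: `install_package_data=True` is not a setuptools keyword — the option is `include_package_data=True` — so setuptools will only warn about an unknown distribution option and the `efd/` data files this commit adds, which `CurveModel.__init_subclass__` reads through `pkg_resources` at import time, will be absent from built sdists and wheels. `include_package_data` only picks up files covered by `MANIFEST.in` (or a `package_data` mapping), so one of those is needed alongside it. `packages=['pyecsca']` also lists only the top-level package, so the new `pyecsca.ec` subpackage would not be installed; `packages=find_packages()` covers it.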
