simplify splitting code

Author: GiacomoPope

src/elliptic/projective_point.rs

@@ -51,7 +51,7 @@ impl<Fq: FqTrait> Point<Fq> {
     }
 
     /// Returns the X and Z coordinates of the projective point
-    pub fn to_point_x(self) -> PointX<Fq> {
+    pub fn to_pointx(self) -> PointX<Fq> {
         PointX::new(&self.X, &self.Z)
     }
 

src/elliptic/torsion_basis.rs

@@ -5,7 +5,7 @@ use super::point::PointX;
 use fp2::fq::Fq as FqTrait;
 
 impl<Fq: FqTrait> Curve<Fq> {
-    /// TODO:
+    /// Given xP and xQ as (X : Z) points, compute the point x(P ± Q) (sign is unknown).
     fn projective_difference(self, P: &PointX<Fq>, Q: &PointX<Fq>) -> PointX<Fq> {
         let mut t0 = P.X * Q.X;
         let mut t1 = P.Z * Q.Z;
@@ -24,12 +24,10 @@ impl<Fq: FqTrait> Curve<Fq> {
         bxz += t0; // bzz = (PX * QX + PZ * QZ) * (PX * QZ + PZ * QX) + 2 * A * PX * QZ * PZ * QX
 
         // We now normalise the result by \bar{(PZ * QZ)}^2
-        // TODO: I can remove a square here, right?
         t0 = P.Z.conjugate();
-        t0.set_square();
         t1 = Q.Z.conjugate();
-        t1.set_square();
         t0 *= t1;
+        t0.set_square();
         bxx *= t0;
         bxz *= t0;
         bzz *= t0;
@@ -148,8 +146,8 @@ impl<Fq: FqTrait> Curve<Fq> {
         xPQ = self.xmul(&xPQ, cofactor, cofactor_bitsize);
 
         // We clear the 2^(f - e) order with repeated doubling.
-        xP = self.xmul_2e(&xP, e_diff);
-        xPQ = self.xmul_2e(&xPQ, e_diff);
+        xP = self.xdouble_iter(&xP, e_diff);
+        xPQ = self.xdouble_iter(&xPQ, e_diff);
 
         // Compute the difference point to get the basis x(P), x(Q) and x(P-Q)
         let xQ = self.projective_difference(&xP, &xPQ);
@@ -211,8 +209,8 @@ impl<Fq: FqTrait> Curve<Fq> {
         xPQ = self.xmul(&xPQ, cofactor, cofactor_bitsize);
 
         // We clear the 2^(f - e) order with repeated doubling.
-        xP = self.xmul_2e(&xP, e_diff);
-        xPQ = self.xmul_2e(&xPQ, e_diff);
+        xP = self.xdouble_iter(&xP, e_diff);
+        xPQ = self.xdouble_iter(&xPQ, e_diff);
 
         // Compute the difference point to get the basis x(P), x(Q) and x(P-Q)
         let xQ = self.projective_difference(&xP, &xPQ);

src/elliptic/x_only_arithmetic.rs

@@ -34,30 +34,6 @@ impl<Fq: FqTrait> Curve<Fq> {
         *Z *= V1;
     }
 
-    /// x-only doubling, set `R` to the value of \[2\]P
-    #[inline]
-    fn set_xdouble(self, xR: &mut PointX<Fq>) {
-        self.xdbl(&mut xR.X, &mut xR.Z);
-    }
-
-    /// Return the value [2]P
-    #[inline]
-    fn xdouble(self, xP: &PointX<Fq>) -> PointX<Fq> {
-        let mut xR = *xP;
-        self.set_xdouble(&mut xR);
-        xR
-    }
-
-    /// Return the value [2^n]P
-    #[inline]
-    fn xdouble_iter(self, xP: &PointX<Fq>, n: usize) -> PointX<Fq> {
-        let mut xR = *xP;
-        for _ in 0..n {
-            self.set_xdouble(&mut xR);
-        }
-        xR
-    }
-
     /// x-only differential formula Note: order of arguments:
     /// (XPQ : ZPQ), (XP : ZP), (XQ : ZQ) For PQ = P - Q
     /// Sets Q  = P + Q in place
@@ -97,7 +73,7 @@ impl<Fq: FqTrait> Curve<Fq> {
         *ZQ = *XPQ * (V1 - V2).square();
     }
 
-    /// P3 <- n*P, X-only variant.
+    /// P3 <- n*P, x-only variant.
     /// Integer n is encoded as unsigned little-endian, with length
     /// nbitlen bits. Bits beyond that length are ignored.
     pub fn xmul_into(self, P3: &mut PointX<Fq>, P: &PointX<Fq>, n: &[u8], nbitlen: usize) {
@@ -153,7 +129,7 @@ impl<Fq: FqTrait> Curve<Fq> {
         P3.Z.set_cond(&Fq::ONE, spec);
     }
 
-    /// Return n*P as a new point (X-only variant).
+    /// Return n*P as a new point (x-only variant).
     /// Integer n is encoded as unsigned little-endian, with length
     /// nbitlen bits. Bits beyond that length are ignored.
     pub fn xmul(self, P: &PointX<Fq>, n: &[u8], nbitlen: usize) -> PointX<Fq> {
@@ -162,8 +138,27 @@ impl<Fq: FqTrait> Curve<Fq> {
         P3
     }
 
-    /// P3 <- (2^e)*P (X-only variant)
-    fn xmul_2e_into(self, P3: &mut PointX<Fq>, P: &PointX<Fq>, e: usize) {
+    /// P3 <- [2]*P (x-only variant)
+    fn xdouble_into(self, P3: &mut PointX<Fq>, P: &PointX<Fq>) {
+        let mut V1 = (P.X + P.Z).square();
+        let V2 = (P.X - P.Z).square();
+        P3.X = V1 * V2;
+        V1 -= V2;
+        P3.Z = V1;
+        P3.Z *= self.A24;
+        P3.Z += V2;
+        P3.Z *= V1;
+    }
+
+    /// Return [2]*P (x-only variant).
+    pub fn xdouble(self, P: &PointX<Fq>) -> PointX<Fq> {
+        let mut Q = PointX::INFINITY;
+        self.xdouble_into(&mut Q, P);
+        Q
+    }
+
+    /// P3 <- (2^e)*P (x-only variant)
+    fn xdouble_iter_into(self, P3: &mut PointX<Fq>, P: &PointX<Fq>, e: usize) {
         let mut X = P.X;
         let mut Z = P.Z;
         for _ in 0..e {
@@ -181,17 +176,17 @@ impl<Fq: FqTrait> Curve<Fq> {
     }
 
     /// Return (2^e)*P (x-only variant).
-    pub fn xmul_2e(self, P: &PointX<Fq>, e: usize) -> PointX<Fq> {
+    pub fn xdouble_iter(self, P: &PointX<Fq>, e: usize) -> PointX<Fq> {
         let mut Q = PointX::INFINITY;
-        self.xmul_2e_into(&mut Q, P, e);
+        self.xdouble_iter_into(&mut Q, P, e);
         Q
     }
 
     /// Return (2^e)*R for R in [P, Q, P - Q] (x-only variant).
-    pub fn basis_xmul_2e(self, B: &BasisX<Fq>, e: usize) -> BasisX<Fq> {
-        let P = self.xmul_2e(&B.P, e);
-        let Q = self.xmul_2e(&B.Q, e);
-        let PQ = self.xmul_2e(&B.PQ, e);
+    pub fn basis_double_iter(self, B: &BasisX<Fq>, e: usize) -> BasisX<Fq> {
+        let P = self.xdouble_iter(&B.P, e);
+        let Q = self.xdouble_iter(&B.Q, e);
+        let PQ = self.xdouble_iter(&B.PQ, e);
         BasisX::from_points(&P, &Q, &PQ)
     }
 
@@ -230,7 +225,7 @@ impl<Fq: FqTrait> Curve<Fq> {
         *ZQ = ZPQ;
     }
 
-    /// Return P + n*Q, X-only variant given the x-only basis x(P), x(Q) and x(P - Q).
+    /// Return P + n*Q, x-only variant given the x-only basis x(P), x(Q) and x(P - Q).
     /// Integer `n` is encoded as unsigned little-endian, with length `nbitlen` bits.
     /// Bits beyond that length are ignored.
     pub fn three_point_ladder(self, B: &BasisX<Fq>, n: &[u8], nbitlen: usize) -> PointX<Fq> {
@@ -308,7 +303,7 @@ impl<Fq: FqTrait> Curve<Fq> {
         ((s0 & 1) as usize, (s1 & 1) as usize, r)
     }
 
-    /// Return [a]P + [b]*Q, X-only variant given the x-only basis x(P), x(Q) and x(P - Q).
+    /// Return [a]P + [b]*Q, x-only variant given the x-only basis x(P), x(Q) and x(P - Q).
     /// The integers `a` and `b` are encoded as unsigned little-endian.
     pub fn ladder_biscalar(
         self,

src/protocols/sqisign.rs

@@ -227,7 +227,7 @@ impl<Fq: FqTrait> Sqisign<Fq> {
         let mut chl_kernel =
             pk.curve
                 .three_point_ladder(&pk_basis, sig.chl_scalar, self.security_bits);
-        chl_kernel = pk.curve.xmul_2e(&chl_kernel, sig.backtracking);
+        chl_kernel = pk.curve.xdouble_iter(&chl_kernel, sig.backtracking);
 
         // Compute the isogeny chain, a failure u32 is returned for the case of
         // bad input.
@@ -333,8 +333,9 @@ impl<Fq: FqTrait> Sqisign<Fq> {
         // Double the bases to get points of the correct even order.
         aux_basis = sig
             .aux_curve
-            .basis_xmul_2e(&aux_basis, self.f - e_rsp_prime - 2);
-        chl_basis = E_chl.basis_xmul_2e(&chl_basis, self.f - e_rsp_prime - sig.two_resp_length - 2);
+            .basis_double_iter(&aux_basis, self.f - e_rsp_prime - 2);
+        chl_basis =
+            E_chl.basis_double_iter(&chl_basis, self.f - e_rsp_prime - sig.two_resp_length - 2);
 
         // Apply the change of basis dictated by the matrix aij contained in the signature.
         chl_basis = Self::apply_change_of_basis(&E_chl, &chl_basis, &sig.aij, chl_order);
@@ -355,9 +356,9 @@ impl<Fq: FqTrait> Sqisign<Fq> {
         // depending on aij values
         let mut basis_img = B.to_array();
         let kernel = if sig.aij[0][0] & 1 == 0 && sig.aij[2][0] & 1 == 0 {
-            E.xmul_2e(&B.Q, e_rsp_prime + 2)
+            E.xdouble_iter(&B.Q, e_rsp_prime + 2)
         } else {
-            E.xmul_2e(&B.P, e_rsp_prime + 2)
+            E.xdouble_iter(&B.P, e_rsp_prime + 2)
         };
 
         // Compute the two isogeny and push the challenge basis through

src/theta/theta_chain.rs

@@ -1,7 +1,6 @@
 use fp2::fq::Fq as FqTrait;
 
 use super::elliptic_product::{EllipticProduct, ProductPoint};
-use super::theta_gluing::gluing_isogeny;
 use super::theta_isogeny::{two_isogeny, two_isogeny_to_product};
 use super::theta_point::ThetaPoint;
 use super::theta_splitting::{split_to_product, splitting_isomorphism};
@@ -47,7 +46,7 @@ impl<Fq: FqTrait> EllipticProduct<Fq> {
 
         // Compute Gluing isogeny
         let (mut domain, mut kernel_pts) =
-            gluing_isogeny(&self, &P1P2_8, &Q1Q2_8, &kernel_couple_pts);
+            self.gluing_isogeny(&P1P2_8, &Q1Q2_8, &kernel_couple_pts);
 
         // Do all remaining steps
         let mut Tp1: ThetaPoint<Fq>;
@@ -146,8 +145,7 @@ impl<Fq: FqTrait> EllipticProduct<Fq> {
 
         // Compute the Gluing isogeny and push through stategy_points to get a new
         // vector of ThetaPoints of the same length.
-        let (mut domain, mut strategy_pts) = gluing_isogeny(
-            &self,
+        let (mut domain, mut strategy_pts) = self.gluing_isogeny(
             &product_strategy_pts[2 * k],
             &product_strategy_pts[2 * k + 1],
             &product_strategy_pts,