From 5828ed16b94555ca31926a00e96ac4ac9ae06b6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sun, 15 Dec 2019 13:39:17 +0100
Subject: [PATCH] Comment fixes and notation for ecc_dup_eh

---
 ecc-dup-eh.c | 102 ++++++++++++++++++++++++++-------------------------
 1 file changed, 53 insertions(+), 49 deletions(-)

diff --git a/ecc-dup-eh.c b/ecc-dup-eh.c
index 1b9a3f69..a850346c 100644
--- a/ecc-dup-eh.c
+++ b/ecc-dup-eh.c
@@ -43,65 +43,69 @@ ecc_dup_eh (const struct ecc_curve *ecc,
 	    mp_limb_t *scratch)
 {
   /* Formulas (from djb,
-     http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl):
+     http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#doubling-dbl-2008-bbjlp):
+
+     B = (X1+Y1)^2
+     C = X1^2
+     D = Y1^2
+     (E = a*C = -C)
+     F = E+D
+     H = Z1^2
+     J = F-2*H
+     X3 = (B-C-D)*J
+     Y3 = F*(E-D)
+     Z3 = F*J         (-C+D)*(-C+D - 2Z1^2)
+
+     In the formula for Y3, we have E - D = -(C+D). To avoid explicit
+     negation, negate all of X3, Y3, Z3, and use
 
      Computation	Operation	Live variables
-     
-     b = (x+y)^2	sqr		b
-     c = x^2		sqr		b, c
-     d = y^2		sqr		b, c, d
-     e = c+d				b, c, d, e
-     h = z^2		sqr		b, c, d, e, h
-     j = e-2*h				b, c, d, e, j
-     x' = (b-e)*j	mul		c, d, e, j
-     y' = e*(c-d)	mul		e, j
-     z' = e*j		mul
-
-     But for the twisted curve, we need some sign changes.
 
-     b = (x+y)^2	sqr		b
-     c = x^2		sqr		b, c
-     d = y^2		sqr		b, c, d
-   ! e = -c+d				b, c, d, e
-     h = z^2		sqr		b, c, d, e, h
-   ! j = -e+2*h				b, c, d, e, j
-   ! x' = (b-c-d)*j	mul		c, d, e, j
-   ! y' = e*(c+d)	mul		e, j
-     z' = e*j		mul
+     B = (X1+Y1)^2	sqr		B
+     C = X1^2		sqr		B, C
+     D = Y1^2		sqr		B, C, D
+     F = -C+D				B, C, D, F
+     H = Z1^2		sqr		B, C, D, F, H
+     J = 2*H - F			B, C, D, F, J
+     X3 = (B-C-D)*J	mul		C, D, F, J
+     Y3 = F*(C+D)	mul		F, J
+     Z3 = F*J		mul
+
+     3M+4S
   */
-#define b scratch 
-#define c (scratch  + ecc->p.size)
-#define d (scratch  + 2*ecc->p.size)
-#define e (scratch  + 3*ecc->p.size)
-#define j (scratch  + 4*ecc->p.size)
-
-  /* b */
-  ecc_modp_add (ecc, e, p, p + ecc->p.size);
-  ecc_modp_sqr (ecc, b, e);
-
-  /* c */
-  ecc_modp_sqr (ecc, c, p);
-  /* d */
-  ecc_modp_sqr (ecc, d, p + ecc->p.size);
-  /* h, can use r as scratch, even for in-place operation. */
+#define B scratch
+#define C (scratch  + ecc->p.size)
+#define D (scratch  + 2*ecc->p.size)
+#define F (scratch  + 3*ecc->p.size)
+#define J (scratch  + 4*ecc->p.size)
+
+  /* B */
+  ecc_modp_add (ecc, F, p, p + ecc->p.size);
+  ecc_modp_sqr (ecc, B, F);
+
+  /* C */
+  ecc_modp_sqr (ecc, C, p);
+  /* D */
+  ecc_modp_sqr (ecc, D, p + ecc->p.size);
+  /* Can use r as scratch, even for in-place operation. */
   ecc_modp_sqr (ecc, r, p + 2*ecc->p.size);
-  /* e, */
-  ecc_modp_sub (ecc, e, d, c);
-  /* b - c - d */
-  ecc_modp_sub (ecc, b, b, c);
-  ecc_modp_sub (ecc, b, b, d);
-  /* j */
+  /* F, */
+  ecc_modp_sub (ecc, F, D, C);
+  /* B - C - D */
+  ecc_modp_sub (ecc, B, B, C);
+  ecc_modp_sub (ecc, B, B, D);
+  /* J */
   ecc_modp_add (ecc, r, r, r);
-  ecc_modp_sub (ecc, j, r, e);
+  ecc_modp_sub (ecc, J, r, F);
 
   /* x' */
-  ecc_modp_mul (ecc, r, b, j);
+  ecc_modp_mul (ecc, r, B, J);
   /* y' */
-  ecc_modp_add (ecc, c, c, d); /* Redundant */
-  ecc_modp_mul (ecc, r + ecc->p.size, e, c);
+  ecc_modp_add (ecc, C, C, D); /* Redundant */
+  ecc_modp_mul (ecc, r + ecc->p.size, F, C);
   /* z' */
-  ecc_modp_mul (ecc, b, e, j);
-  mpn_copyi (r + 2*ecc->p.size, b, ecc->p.size);
+  ecc_modp_mul (ecc, B, F, J);
+  mpn_copyi (r + 2*ecc->p.size, B, ecc->p.size);
 }
 
 void
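Review bot: The step comments at the three multiplications, `/* x' */`, `/* y' */` and `/* z' */`, still use the old primed lower-case notation while the rewritten table above now names the results X3, Y3, Z3; since the commit is specifically a notation cleanup, those three context lines should follow suit as `/* X3 */`, `/* Y3 */`, `/* Z3 */`, and the stray comma in `/* F, */` (carried over from `/* e, */`) can go at the same time. The line `Z3 = F*J         (-C+D)*(-C+D - 2Z1^2)` in the formula list leaves an unlabelled expansion trailing the formula; writing it as `Z3 = F*J = (-C+D)*(-C+D - 2*Z1^2)` or dropping it would make the list read consistently with the other entries. The renamed scratch macros `B`, `C`, `D`, `F`, `J` are single upper-case letters defined inside the function body, and no `#undef` is visible in the hunk; if none follows, they remain defined for the rest of the translation unit (a further function begins right after the closing brace), where a short upper-case identifier is more likely to clash than the lower-case names they replace. The signature of ecc_dup_eh begins before this hunk.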
-- 
GitLab