path: root/src/Curves/Weierstrass/Projective.v
blob: 3c1fd204daeaff90605880530141a1afc247ae25 (plain)
Require Import Crypto.Spec.WeierstrassCurve.
Require Import Crypto.Util.Decidable Crypto.Algebra.Field.
Require Import Crypto.Util.Tactics.BreakMatch.
Require Import Crypto.Util.Tactics.DestructHead.
Require Import Crypto.Util.Tactics.SpecializeBy.
Require Import Crypto.Util.Tactics.SetoidSubst.
Require Import Crypto.Util.Notations Crypto.Util.FixCoqMistakes.
Require Import Crypto.Util.Sum Crypto.Util.Prod Crypto.Util.Sigma.

Module Projective.
  Section Projective.
    (* Homogeneous projective coordinates (X:Y:Z) for points on the short
       Weierstrass curve y^2 = x^3 + a*x + b over an abstract field F, together
       with the complete addition law of Renes, Costello and Batina.  The
       definitions below are a specification: they are stated over the
       abstract field operations and proven correct against the affine model
       in [Crypto.Spec.WeierstrassCurve] ([to_affine_add]). *)
    Context {F Feq Fzero Fone Fopp Fadd Fsub Fmul Finv Fdiv} {a b:F}
            {field:@Algebra.Hierarchy.field F Feq Fzero Fone Fopp Fadd Fsub Fmul Finv Fdiv}
            (* [char_ge_3]: the characteristic of F is at least 3, i.e. the
               characteristic-2 case is excluded. *)
            {char_ge_3:@Ring.char_ge F Feq Fzero Fone Fopp Fadd Fsub Fmul (BinNat.N.succ_pos (BinNat.N.two))}
            (* Decidable field equality; needed only for the [dec (Z = 0)]
               test in [to_affine]. *)
            {Feq_dec:DecidableRel Feq}.
    Local Infix "=" := Feq : type_scope. Local Notation "a <> b" := (not (a = b)) : type_scope.
    Local Notation "0" := Fzero.  Local Notation "1" := Fone.
    Local Infix "+" := Fadd. Local Infix "-" := Fsub.
    Local Infix "*" := Fmul. Local Infix "/" := Fdiv.
    (* Powers are notation for repeated multiplication, not a field operation. *)
    Local Notation "x ^ 2" := (x*x). Local Notation "x ^ 3" := (x*x^2).
    Local Notation Wpoint := (@W.point F Feq Fadd Fmul a b).

    (* Originally from
    <http://www.mat.uniroma3.it/users/pappa/CORSI/CR510_13_14/BosmaLenstra.pdf>
    "Complete Systems of Addition Laws" by Bosma and Lenstra;
    optimized in <https://eprint.iacr.org/2015/1060.pdf> "Complete
    addition formulas for prime order elliptic curves" Algorithm 1
    "Complete, projective point addition for arbitrary prime order
    short Weierstrass curves" by Joost Renes, Craig Costello, and
    Lejla Batina. *)

    (* Generic case-analysis tactic used by every proof in this section:
       destructs affine points, sums, pairs, [unit] and conjunctions, unfolds
       the affine [W.eq]/[W.add]/[W.coordinates] and [proj1_sig], breaks
       [match]es in goal and hypotheses, and splits conjunctions.  It does not
       do any field reasoning; the remaining algebraic goals are left to
       [fsatz]/[nsatz] at each call site. *)
    Ltac t :=
      repeat match goal with
             | _ => solve [ contradiction | trivial ]
             | _ => progress cbv zeta
             | _ => progress intros
             | _ => progress destruct_head' @W.point
             | _ => progress destruct_head' sum
             | _ => progress destruct_head' prod
             | _ => progress destruct_head' unit
             | _ => progress destruct_head' and
             | _ => progress specialize_by assumption
             | _ => progress cbv [W.eq W.add W.coordinates proj1_sig] in *
             | _ => progress break_match_hyps
             | _ => progress break_match
             | |- _ /\ _ => split
             end.

    (* A projective point is a triple (X,Y,Z) satisfying the homogenised curve
       equation Y^2*Z = X^3 + a*X*Z^2 + b*Z^3, with the extra invariant that
       the point at infinity (Z = 0) has Y <> 0.  The second conjunct is what
       lets [to_affine] map every Z = 0 representative to the affine identity
       and rules out the degenerate triple (0,0,0). *)
    Definition point : Type := { P : F*F*F | let '(X,Y,Z) := P in Y^2*Z = X^3 + a*X*Z^2 + b*Z^3 /\ (Z = 0 -> Y <> 0) }.

    (* Projective -> affine: Z = 0 is the identity ([inr tt]), otherwise
       (X/Z, Y/Z).  This is the only definition in the section that branches
       on a coordinate value; the obligation shows the result lies on the
       affine curve. *)
    Program Definition to_affine (P:point) : Wpoint :=
      match proj1_sig P return F*F+_ with
      | (X, Y, Z) =>
        if dec (Z = 0) then inr tt
        else inl (X/Z, Y/Z)
      end.
    Next Obligation. Proof. t. fsatz. Qed.

    (* Affine -> projective: (x,y) becomes (x,y,1); the identity becomes
       (0,1,0), the canonical representative of the point at infinity. *)
    Program Definition of_affine (P:Wpoint) : point :=
      match W.coordinates P return F*F*F with
      | inl (x, y) => (x, y, 1)
      | inr _ => (0, 1, 0)
      end.
    Next Obligation. Proof. t; fsatz. Qed.

    (* Negation: (X,Y,Z) -> (X,-Y,Z).  Consequently a point with Y = 0 is its
       own negative, which is what makes the side condition on [add] below
       necessary. *)
    Program Definition opp (P:point) : point :=
      match proj1_sig P return F*F*F with
      | (X, Y, Z) => (X, Fopp Y, Z)
      end.
    Next Obligation. Proof. t; fsatz. Qed.

    (* [three_b] is the precomputed constant 3*b used by the addition formula;
       its relation to [b] is a hypothesis, so an implementation may supply
       any value it can prove equal to b+b+b. *)
    Context (three_b:F) (three_b_correct: three_b = b+b+b).
    Local Notation "4" := (1+1+1+1). Local Notation "27" := (4*4 + 4+4 +1+1+1).
    (* Non-singularity of the curve: 4*a^3 + 27*b^2 <> 0.  It is wrapped in
       [id], and [add]'s obligation proof unfolds it explicitly before the
       final [fsatz]; presumably this keeps it out of [fsatz]'s hypothesis
       set in the earlier cases -- confirm before changing. *)
    Context {discriminant_nonzero: id(4*a*a*a + 27*b*b <> 0)}.

    (* Complete projective addition (Algorithm 1 of Renes-Costello-Batina).
       The body is a straight-line sequence of field additions, subtractions
       and multiplications by the inputs and the constants [a] and [three_b];
       unlike [to_affine] it does not branch on any coordinate, so the same
       formula handles doubling, addition with the identity and P + (-P).

       [y_PmQ_nz] is the one case the formula does not cover: it requires
       that P - Q (computed in the affine model as P + opp Q) is either the
       identity or has affine y-coordinate <> 0.  Since [opp] negates Y, an
       affine point with y = 0 equals its own negative and so has order 2;
       on a curve of odd prime order no such point exists and the hypothesis
       is trivially dischargeable, which is the "prime order" restriction in
       the paper's title.  Anyone instantiating this on a curve whose group
       (or accepted input set) contains points of order 2 must discharge the
       hypothesis themselves; [to_affine_add] proves correctness only under
       it. *)
    Program Definition add (P Q:point)
            (y_PmQ_nz: match W.coordinates (W.add (to_affine P) (to_affine (opp Q))) return Prop with
                       | inr _ => True
                       | inl (_, y) => y <> 0
                       end) : point :=
      match proj1_sig P, proj1_sig Q return F*F*F with (X1, Y1, Z1), (X2, Y2, Z2) =>
        let t0 := X1*X2 in
        let t1 := Y1*Y2 in
        let t2 := Z1*Z2 in
        let t3 := X1+Y1 in
        let t4 := X2+Y2 in
        let t3 := t3*t4 in
        let t4 := t0+t1 in
        let t3 := t3-t4 in
        let t4 := X1+Z1 in
        let t5 := X2+Z2 in
        let t4 := t4*t5 in
        let t5 := t0+t2 in
        let t4 := t4-t5 in
        let t5 := Y1+Z1 in
        let X3 := Y2+Z2 in
        let t5 := t5*X3 in
        let X3 := t1+t2 in
        let t5 := t5-X3 in
        let Z3 := a*t4 in
        let X3 := three_b*t2 in
        let Z3 := X3+Z3 in
        let X3 := t1-Z3 in
        let Z3 := t1+Z3 in
        let Y3 := X3*Z3 in
        let t1 := t0+t0 in
        let t1 := t1+t0 in
        let t2 := a*t2 in
        let t4 := three_b*t4 in
        let t1 := t1+t2 in
        let t2 := t0-t2 in
        let t2 := a*t2 in
        let t4 := t4+t2 in
        let t0 := t1*t4 in
        let Y3 := Y3+t0 in
        let t0 := t5*t4 in
        let X3 := t3*X3 in
        let X3 := X3-t0 in
        let t0 := t3*t1 in
        let Z3 := t5*Z3 in
        let Z3 := Z3+t0 in
        (X3, Y3, Z3)
      end.
    (* Obligation: the output triple satisfies the [point] invariant.  All but
       one case is closed by [fsatz]; the remaining case is the one excluded
       by [y_PmQ_nz], which is turned into the affine fact
       Y2/Z2 = -(Y1/Z1) before the final field step. *)
    Next Obligation.
    Proof.
      match goal with
      | [ |- match (let (_, _) := proj1_sig ?P in let (_, _) := _ in let (_, _) := proj1_sig ?Q in _) with _ => _ end ]
        => destruct P as [p ?]; destruct p as [p Z1]; destruct p as [X1 Y1];
             destruct Q as [q ?]; destruct q as [q Z2]; destruct q as [X2 Y2]
      end.
      t.
      all: try abstract fsatz.
      (* FIXME: the final fsatz starts requiring 56 <> 0 if
           - the next assert block is removed
           - the assertion is changed to [Y2 = Fopp Y1] *)
      assert (Y2 / Z2 = Fopp (Y1 / Z1)) by (
        assert (forall pfP pfQ, match W.coordinates (W.add (to_affine (exist _ (X1,Y1,Z1) pfP)) (to_affine (exist _ (X2,Y2,Z2) pfQ))) with inl _ => False | _ => True end) by (cbv [to_affine]; t; fsatz); cbv [to_affine] in *; t; specialize_by (t;fsatz); t; fsatz).
      unfold id in discriminant_nonzero; fsatz.
    Qed.

    (* Correctness of [add] against the affine specification: mapping the
       projective sum to affine gives the affine sum of the images, for every
       pair of points and every proof [H] of the side condition.  The generic
       cases are closed by [fsatz]; the four goals left over are the identity
       cases, in which the Z = 0 invariant forces the affine X of the identity
       representative to be 0. *)
    Lemma to_affine_add P Q H :
      W.eq
        (to_affine (add P Q H))
        (WeierstrassCurve.W.add (to_affine P) (to_affine Q)).
    Proof using Type.
      destruct P as [p ?]; destruct p as [p Z1]; destruct p as [X1 Y1].
      destruct Q as [q ?]; destruct q as [q Z2]; destruct q as [X2 Y2].
      cbv [add opp to_affine] in *; t.
      all: try abstract fsatz.

      (* zero + P = P   -- cases for x and y *)
      assert (X1 = 0) by (setoid_subst_rel Feq; Nsatz.nsatz_power 3%nat); t; fsatz.
      assert (X1 = 0) by (setoid_subst_rel Feq; Nsatz.nsatz_power 3%nat); t; fsatz.

      (* P  + zero = P   -- cases for x and y *)
      assert (X2 = 0) by (setoid_subst_rel Feq; Nsatz.nsatz_power 3%nat); t; fsatz.
      assert (X2 = 0) by (setoid_subst_rel Feq; Nsatz.nsatz_power 3%nat); t; fsatz.
    Qed.
  End Projective.
End Projective.