diff --git a/crypto/src/math/ec/custom/gm/SM2P256V1Curve.cs b/crypto/src/math/ec/custom/gm/SM2P256V1Curve.cs
new file mode 100644
index 000000000..70b1190c9
--- /dev/null
+++ b/crypto/src/math/ec/custom/gm/SM2P256V1Curve.cs
@@ -0,0 +1,77 @@
+using System;
+
+using Org.BouncyCastle.Utilities.Encoders;
+
+namespace Org.BouncyCastle.Math.EC.Custom.GM
+{
+ internal class SM2P256V1Curve
+ : AbstractFpCurve
+ {
+ public static readonly BigInteger q = new BigInteger(1,
+ Hex.Decode("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF"));
+
+ private const int SM2P256V1_DEFAULT_COORDS = COORD_JACOBIAN;
+
+ protected readonly SM2P256V1Point m_infinity;
+
+ public SM2P256V1Curve()
+ : base(q)
+ {
+ this.m_infinity = new SM2P256V1Point(this, null, null);
+
+ this.m_a = FromBigInteger(new BigInteger(1,
+ Hex.Decode("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC")));
+ this.m_b = FromBigInteger(new BigInteger(1,
+ Hex.Decode("28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93")));
+ this.m_order = new BigInteger(1, Hex.Decode("FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"));
+ this.m_cofactor = BigInteger.One;
+ this.m_coord = SM2P256V1_DEFAULT_COORDS;
+ }
+
+ protected override ECCurve CloneCurve()
+ {
+ return new SM2P256V1Curve();
+ }
+
+ public override bool SupportsCoordinateSystem(int coord)
+ {
+ switch (coord)
+ {
+ case COORD_JACOBIAN:
+ return true;
+ default:
+ return false;
+ }
+ }
+
+ public virtual BigInteger Q
+ {
+ get { return q; }
+ }
+
+ public override ECPoint Infinity
+ {
+ get { return m_infinity; }
+ }
+
+ public override int FieldSize
+ {
+ get { return q.BitLength; }
+ }
+
+ public override ECFieldElement FromBigInteger(BigInteger x)
+ {
+ return new SM2P256V1FieldElement(x);
+ }
+
+ protected internal override ECPoint CreateRawPoint(ECFieldElement x, ECFieldElement y, bool withCompression)
+ {
+ return new SM2P256V1Point(this, x, y, withCompression);
+ }
+
+ protected internal override ECPoint CreateRawPoint(ECFieldElement x, ECFieldElement y, ECFieldElement[] zs, bool withCompression)
+ {
+ return new SM2P256V1Point(this, x, y, zs, withCompression);
+ }
+ }
+}
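Review bot: The hex constants for `q`, `m_a`, `m_b` and `m_order` carry no comment saying which parameter set they were transcribed from, so they cannot be audited against a reference from this file alone. A one-line comment above `q` such as `// SM2 recommended 256-bit prime curve; parameters from <standard and section>` would fix that. The same prime is encoded a second time as the word array `P` in SM2P256V1Field.cs, and nothing visible in this diff checks that the two agree. A unit test comparing `Nat256.ToBigInteger(SM2P256V1Field.P)` with `SM2P256V1Curve.q` would catch a transcription slip in either one.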
diff --git a/crypto/src/math/ec/custom/gm/SM2P256V1Field.cs b/crypto/src/math/ec/custom/gm/SM2P256V1Field.cs
new file mode 100644
index 000000000..b1d232347
--- /dev/null
+++ b/crypto/src/math/ec/custom/gm/SM2P256V1Field.cs
@@ -0,0 +1,307 @@
+using System;
+using System.Diagnostics;
+
+using Org.BouncyCastle.Math.Raw;
+
+namespace Org.BouncyCastle.Math.EC.Custom.GM
+{
+ internal class SM2P256V1Field
+ {
+ // 2^256 - 2^224 - 2^96 + 2^64 - 1
+ internal static readonly uint[] P = new uint[]{ 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
+ 0xFFFFFFFF, 0xFFFFFFFE };
+ internal static readonly uint[] PExt = new uint[]{ 00000001, 0x00000000, 0xFFFFFFFE, 0x00000001, 0x00000001,
+ 0xFFFFFFFE, 0x00000000, 0x00000002, 0xFFFFFFFE, 0xFFFFFFFD, 0x00000003, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF,
+ 0x00000000, 0xFFFFFFFE };
+ internal const uint P7 = 0xFFFFFFFE;
+ internal const uint PExt15 = 0xFFFFFFFE;
+
+ public static void Add(uint[] x, uint[] y, uint[] z)
+ {
+ uint c = Nat256.Add(x, y, z);
+ if (c != 0 || (z[7] >= P7 && Nat256.Gte(z, P)))
+ {
+ AddPInvTo(z);
+ }
+ }
+
+ public static void AddExt(uint[] xx, uint[] yy, uint[] zz)
+ {
+ uint c = Nat.Add(16, xx, yy, zz);
+ if (c != 0 || (zz[15] >= PExt15 && Nat.Gte(16, zz, PExt)))
+ {
+ Nat.SubFrom(16, PExt, zz);
+ }
+ }
+
+ public static void AddOne(uint[] x, uint[] z)
+ {
+ uint c = Nat.Inc(8, x, z);
+ if (c != 0 || (z[7] >= P7 && Nat256.Gte(z, P)))
+ {
+ AddPInvTo(z);
+ }
+ }
+
+ public static uint[] FromBigInteger(BigInteger x)
+ {
+ uint[] z = Nat256.FromBigInteger(x);
+ if (z[7] >= P7 && Nat256.Gte(z, P))
+ {
+ Nat256.SubFrom(P, z);
+ }
+ return z;
+ }
+
+ public static void Half(uint[] x, uint[] z)
+ {
+ if ((x[0] & 1) == 0)
+ {
+ Nat.ShiftDownBit(8, x, 0, z);
+ }
+ else
+ {
+ uint c = Nat256.Add(x, P, z);
+ Nat.ShiftDownBit(8, z, c);
+ }
+ }
+
+ public static void Multiply(uint[] x, uint[] y, uint[] z)
+ {
+ uint[] tt = Nat256.CreateExt();
+ Nat256.Mul(x, y, tt);
+ Reduce(tt, z);
+ }
+
+ public static void MultiplyAddToExt(uint[] x, uint[] y, uint[] zz)
+ {
+ uint c = Nat256.MulAddTo(x, y, zz);
+ if (c != 0 || (zz[15] >= PExt15 && Nat.Gte(16, zz, PExt)))
+ {
+ Nat.SubFrom(16, PExt, zz);
+ }
+ }
+
+ public static void Negate(uint[] x, uint[] z)
+ {
+ if (Nat256.IsZero(x))
+ {
+ Nat256.Zero(z);
+ }
+ else
+ {
+ Nat256.Sub(P, x, z);
+ }
+ }
+
+ public static void Reduce(uint[] xx, uint[] z)
+ {
+ long xx08 = xx[8], xx09 = xx[9], xx10 = xx[10], xx11 = xx[11];
+ long xx12 = xx[12], xx13 = xx[13], xx14 = xx[14], xx15 = xx[15];
+
+ long t0 = xx08 + xx09;
+ long t1 = xx10 + xx11;
+ long t2 = xx12 + xx15;
+ long t3 = xx13 + xx14;
+ long t4 = t3 + (xx15 << 1);
+
+ long ts = t0 + t3;
+ long tt = t1 + t2 + ts;
+
+ long cc = 0;
+ cc += (long)xx[0] + tt + xx13 + xx14 + xx15;
+ z[0] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[1] + tt - xx08 + xx14 + xx15;
+ z[1] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[2] - ts;
+ z[2] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[3] + tt - xx09 - xx10 + xx13;
+ z[3] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[4] + tt - t1 - xx08 + xx14;
+ z[4] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[5] + t4 + xx10;
+ z[5] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[6] + xx11 + xx14 + xx15;
+ z[6] = (uint)cc;
+ cc >>= 32;
+ cc += (long)xx[7] + tt + t4 + xx12;
+ z[7] = (uint)cc;
+ cc >>= 32;
+
+ Debug.Assert(cc >= 0);
+
+ Reduce32((uint)cc, z);
+ }
+
+ public static void Reduce32(uint x, uint[] z)
+ {
+ long cc = 0;
+
+ if (x != 0)
+ {
+ long xx08 = x;
+
+ cc += (long)z[0] + xx08;
+ z[0] = (uint)cc;
+ cc >>= 32;
+ if (cc != 0)
+ {
+ cc += (long)z[1];
+ z[1] = (uint)cc;
+ cc >>= 32;
+ }
+ cc += (long)z[2] - xx08;
+ z[2] = (uint)cc;
+ cc >>= 32;
+ cc += (long)z[3] + xx08;
+ z[3] = (uint)cc;
+ cc >>= 32;
+ if (cc != 0)
+ {
+ cc += (long)z[4];
+ z[4] = (uint)cc;
+ cc >>= 32;
+ cc += (long)z[5];
+ z[5] = (uint)cc;
+ cc >>= 32;
+ cc += (long)z[6];
+ z[6] = (uint)cc;
+ cc >>= 32;
+ }
+ cc += (long)z[7] + xx08;
+ z[7] = (uint)cc;
+ cc >>= 32;
+
+ Debug.Assert(cc == 0 || cc == 1);
+ }
+
+ if (cc != 0 || (z[7] >= P7 && Nat256.Gte(z, P)))
+ {
+ AddPInvTo(z);
+ }
+ }
+
+ public static void Square(uint[] x, uint[] z)
+ {
+ uint[] tt = Nat256.CreateExt();
+ Nat256.Square(x, tt);
+ Reduce(tt, z);
+ }
+
+ public static void SquareN(uint[] x, int n, uint[] z)
+ {
+ Debug.Assert(n > 0);
+
+ uint[] tt = Nat256.CreateExt();
+ Nat256.Square(x, tt);
+ Reduce(tt, z);
+
+ while (--n > 0)
+ {
+ Nat256.Square(z, tt);
+ Reduce(tt, z);
+ }
+ }
+
+ public static void Subtract(uint[] x, uint[] y, uint[] z)
+ {
+ int c = Nat256.Sub(x, y, z);
+ if (c != 0)
+ {
+ SubPInvFrom(z);
+ }
+ }
+
+ public static void SubtractExt(uint[] xx, uint[] yy, uint[] zz)
+ {
+ int c = Nat.Sub(16, xx, yy, zz);
+ if (c != 0)
+ {
+ Nat.AddTo(16, PExt, zz);
+ }
+ }
+
+ public static void Twice(uint[] x, uint[] z)
+ {
+ uint c = Nat.ShiftUpBit(8, x, 0, z);
+ if (c != 0 || (z[7] >= P7 && Nat256.Gte(z, P)))
+ {
+ AddPInvTo(z);
+ }
+ }
+
+ private static void AddPInvTo(uint[] z)
+ {
+ long c = (long)z[0] + 1;
+ z[0] = (uint)c;
+ c >>= 32;
+ if (c != 0)
+ {
+ c += (long)z[1];
+ z[1] = (uint)c;
+ c >>= 32;
+ }
+ c += (long)z[2] - 1;
+ z[2] = (uint)c;
+ c >>= 32;
+ c += (long)z[3] + 1;
+ z[3] = (uint)c;
+ c >>= 32;
+ if (c != 0)
+ {
+ c += (long)z[4];
+ z[4] = (uint)c;
+ c >>= 32;
+ c += (long)z[5];
+ z[5] = (uint)c;
+ c >>= 32;
+ c += (long)z[6];
+ z[6] = (uint)c;
+ c >>= 32;
+ }
+ c += (long)z[7] + 1;
+ z[7] = (uint)c;
+ //c >>= 32;
+ }
+
+ private static void SubPInvFrom(uint[] z)
+ {
+ long c = (long)z[0] - 1;
+ z[0] = (uint)c;
+ c >>= 32;
+ if (c != 0)
+ {
+ c += (long)z[1];
+ z[1] = (uint)c;
+ c >>= 32;
+ }
+ c += (long)z[2] + 1;
+ z[2] = (uint)c;
+ c >>= 32;
+ c += (long)z[3] - 1;
+ z[3] = (uint)c;
+ c >>= 32;
+ if (c != 0)
+ {
+ c += (long)z[4];
+ z[4] = (uint)c;
+ c >>= 32;
+ c += (long)z[5];
+ z[5] = (uint)c;
+ c >>= 32;
+ c += (long)z[6];
+ z[6] = (uint)c;
+ c >>= 32;
+ }
+ c += (long)z[7] - 1;
+ z[7] = (uint)c;
+ //c >>= 32;
+ }
+ }
+}
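Review bot: The first element of `PExt` is written `00000001` without the `0x` prefix that every other element has; C# reads it as decimal 1, so the value is still right, but it should be `0x00000001` for consistency and so a later edit of the digits cannot silently change the value. Separately, `Add`, `AddOne`, `Twice`, `Negate`, `Reduce32` and `AddPInvTo` all branch on operand or carry values (`if (c != 0 || ...)`, `if (cc != 0)`, `if (Nat256.IsZero(x))`), so their running time depends on the data. Whether they are reached with values derived from private scalars depends on callers outside this file, but if so it is worth a class comment, e.g. `// NOTE: reductions use value-dependent branches; not constant-time`. `Reduce` also relies on `Debug.Assert(cc >= 0)` before the `(uint)cc` cast, and that check is compiled out of release builds.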
diff --git a/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs b/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs
new file mode 100644
index 000000000..669c73bd2
--- /dev/null
+++ b/crypto/src/math/ec/custom/gm/SM2P256V1FieldElement.cs
@@ -0,0 +1,213 @@
+using System;
+
+using Org.BouncyCastle.Math.Raw;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Math.EC.Custom.GM
+{
+ internal class SM2P256V1FieldElement
+ : ECFieldElement
+ {
+ public static readonly BigInteger Q = SM2P256V1Curve.q;
+
+ protected internal readonly uint[] x;
+
+ public SM2P256V1FieldElement(BigInteger x)
+ {
+ if (x == null || x.SignValue < 0 || x.CompareTo(Q) >= 0)
+ throw new ArgumentException("value invalid for SM2P256V1FieldElement", "x");
+
+ this.x = SM2P256V1Field.FromBigInteger(x);
+ }
+
+ public SM2P256V1FieldElement()
+ {
+ this.x = Nat256.Create();
+ }
+
+ protected internal SM2P256V1FieldElement(uint[] x)
+ {
+ this.x = x;
+ }
+
+ public override bool IsZero
+ {
+ get { return Nat256.IsZero(x); }
+ }
+
+ public override bool IsOne
+ {
+ get { return Nat256.IsOne(x); }
+ }
+
+ public override bool TestBitZero()
+ {
+ return Nat256.GetBit(x, 0) == 1;
+ }
+
+ public override BigInteger ToBigInteger()
+ {
+ return Nat256.ToBigInteger(x);
+ }
+
+ public override string FieldName
+ {
+ get { return "SM2P256V1Field"; }
+ }
+
+ public override int FieldSize
+ {
+ get { return Q.BitLength; }
+ }
+
+ public override ECFieldElement Add(ECFieldElement b)
+ {
+ uint[] z = Nat256.Create();
+ SM2P256V1Field.Add(x, ((SM2P256V1FieldElement)b).x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement AddOne()
+ {
+ uint[] z = Nat256.Create();
+ SM2P256V1Field.AddOne(x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement Subtract(ECFieldElement b)
+ {
+ uint[] z = Nat256.Create();
+ SM2P256V1Field.Subtract(x, ((SM2P256V1FieldElement)b).x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement Multiply(ECFieldElement b)
+ {
+ uint[] z = Nat256.Create();
+ SM2P256V1Field.Multiply(x, ((SM2P256V1FieldElement)b).x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement Divide(ECFieldElement b)
+ {
+ //return Multiply(b.Invert());
+ uint[] z = Nat256.Create();
+ Mod.Invert(SM2P256V1Field.P, ((SM2P256V1FieldElement)b).x, z);
+ SM2P256V1Field.Multiply(z, x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement Negate()
+ {
+ uint[] z = Nat256.Create();
+ SM2P256V1Field.Negate(x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement Square()
+ {
+ uint[] z = Nat256.Create();
+ SM2P256V1Field.Square(x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ public override ECFieldElement Invert()
+ {
+ //return new SM2P256V1FieldElement(ToBigInteger().ModInverse(Q));
+ uint[] z = Nat256.Create();
+ Mod.Invert(SM2P256V1Field.P, x, z);
+ return new SM2P256V1FieldElement(z);
+ }
+
+ /**
+ * return a sqrt root - the routine verifies that the calculation returns the right value - if
+ * none exists it returns null.
+ */
+ public override ECFieldElement Sqrt()
+ {
+ /*
+ * Raise this element to the exponent 2^254 - 2^222 - 2^94 + 2^62
+ *
+ * Breaking up the exponent's binary representation into "repunits", we get:
+ * { 31 1s } { 1 0s } { 128 1s } { 31 0s } { 1 1s } { 62 0s}
+ *
+ * We use an addition chain for the beginning: [1], 2, 3, 6, 12, [24], 30, [31]
+ */
+
+ uint[] x1 = this.x;
+ if (Nat256.IsZero(x1) || Nat256.IsOne(x1))
+ {
+ return this;
+ }
+
+ uint[] x2 = Nat256.Create();
+ SM2P256V1Field.Square(x1, x2);
+ SM2P256V1Field.Multiply(x2, x1, x2);
+ uint[] x3 = x2;
+ SM2P256V1Field.Square(x2, x3);
+ SM2P256V1Field.Multiply(x3, x1, x3);
+ uint[] x6 = Nat256.Create();
+ SM2P256V1Field.SquareN(x3, 3, x6);
+ SM2P256V1Field.Multiply(x6, x3, x6);
+ uint[] x12 = x3;
+ SM2P256V1Field.SquareN(x6, 6, x12);
+ SM2P256V1Field.Multiply(x12, x6, x12);
+ uint[] x24 = Nat256.Create();
+ SM2P256V1Field.SquareN(x12, 12, x24);
+ SM2P256V1Field.Multiply(x24, x12, x24);
+ uint[] x30 = x12;
+ SM2P256V1Field.SquareN(x24, 6, x30);
+ SM2P256V1Field.Multiply(x30, x6, x30);
+ uint[] x31 = x6;
+ SM2P256V1Field.Square(x30, x31);
+ SM2P256V1Field.Multiply(x31, x1, x31);
+
+ uint[] t1 = x31;
+ SM2P256V1Field.Square(x31, t1);
+
+ uint[] x32 = x12;
+ SM2P256V1Field.Multiply(t1, x1, x32);
+
+ SM2P256V1Field.SquareN(t1, 32, t1);
+ SM2P256V1Field.Multiply(t1, x32, t1);
+
+ uint[] t2 = x24;
+ SM2P256V1Field.SquareN(t1, 32, t2);
+ SM2P256V1Field.Multiply(t2, x1, t2);
+ SM2P256V1Field.SquareN(t2, 32, t2);
+ SM2P256V1Field.Multiply(t2, t1, t2);
+ SM2P256V1Field.SquareN(t2, 32, t2);
+ SM2P256V1Field.Multiply(t2, x32, t2);
+ SM2P256V1Field.SquareN(t2, 32, t2);
+ SM2P256V1Field.Multiply(t2, x1, t2);
+ SM2P256V1Field.SquareN(t2, 62, t1);
+ SM2P256V1Field.Square(t1, t2);
+
+ return Nat256.Eq(x1, t2) ? new SM2P256V1FieldElement(t1) : null;
+ }
+
+ public override bool Equals(object obj)
+ {
+ return Equals(obj as SM2P256V1FieldElement);
+ }
+
+ public override bool Equals(ECFieldElement other)
+ {
+ return Equals(other as SM2P256V1FieldElement);
+ }
+
+ public virtual bool Equals(SM2P256V1FieldElement other)
+ {
+ if (this == other)
+ return true;
+ if (null == other)
+ return false;
+ return Nat256.Eq(x, other.x);
+ }
+
+ public override int GetHashCode()
+ {
+ return Q.GetHashCode() ^ Arrays.GetHashCode(x, 0, 8);
+ }
+ }
+}
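Review bot: The `uint[]` constructor stores the caller's array as-is (`this.x = x`), with none of the range checking the `BigInteger` constructor does, and nothing documents what it expects. `Equals`, `IsZero` and `GetHashCode` work on the raw words, so they appear to assume the array holds exactly eight words already reduced below P. A comment on that constructor such as `// Takes ownership of x (no copy, no range check); x must be 8 words and fully reduced mod P` would make the contract explicit. `Divide` and `Invert` hand `x` to `Mod.Invert` without a zero check in this file, so the behaviour for a zero element depends on `Mod.Invert`, which is outside this diff, and deserves a sentence in their comments too.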
diff --git a/crypto/src/math/ec/custom/gm/SM2P256V1Point.cs b/crypto/src/math/ec/custom/gm/SM2P256V1Point.cs
new file mode 100644
index 000000000..916c90633
--- /dev/null
+++ b/crypto/src/math/ec/custom/gm/SM2P256V1Point.cs
@@ -0,0 +1,279 @@
+using System;
+
+using Org.BouncyCastle.Math.Raw;
+
+namespace Org.BouncyCastle.Math.EC.Custom.GM
+{
+ internal class SM2P256V1Point
+ : AbstractFpPoint
+ {
+ /**
+ * Create a point which encodes with point compression.
+ *
+ * @param curve
+ * the curve to use
+ * @param x
+ * affine x co-ordinate
+ * @param y
+ * affine y co-ordinate
+ *
+ * @deprecated Use ECCurve.createPoint to construct points
+ */
+ public SM2P256V1Point(ECCurve curve, ECFieldElement x, ECFieldElement y)
+ : this(curve, x, y, false)
+ {
+ }
+
+ /**
+ * Create a point that encodes with or without point compresion.
+ *
+ * @param curve
+ * the curve to use
+ * @param x
+ * affine x co-ordinate
+ * @param y
+ * affine y co-ordinate
+ * @param withCompression
+ * if true encode with point compression
+ *
+ * @deprecated per-point compression property will be removed, refer
+ * {@link #getEncoded(bool)}
+ */
+ public SM2P256V1Point(ECCurve curve, ECFieldElement x, ECFieldElement y, bool withCompression)
+ : base(curve, x, y, withCompression)
+ {
+ if ((x == null) != (y == null))
+ throw new ArgumentException("Exactly one of the field elements is null");
+ }
+
+ internal SM2P256V1Point(ECCurve curve, ECFieldElement x, ECFieldElement y, ECFieldElement[] zs, bool withCompression)
+ : base(curve, x, y, zs, withCompression)
+ {
+ }
+
+ protected override ECPoint Detach()
+ {
+ return new SM2P256V1Point(null, AffineXCoord, AffineYCoord);
+ }
+
+ public override ECPoint Add(ECPoint b)
+ {
+ if (this.IsInfinity)
+ return b;
+ if (b.IsInfinity)
+ return this;
+ if (this == b)
+ return Twice();
+
+ ECCurve curve = this.Curve;
+
+ SM2P256V1FieldElement X1 = (SM2P256V1FieldElement)this.RawXCoord, Y1 = (SM2P256V1FieldElement)this.RawYCoord;
+ SM2P256V1FieldElement X2 = (SM2P256V1FieldElement)b.RawXCoord, Y2 = (SM2P256V1FieldElement)b.RawYCoord;
+
+ SM2P256V1FieldElement Z1 = (SM2P256V1FieldElement)this.RawZCoords[0];
+ SM2P256V1FieldElement Z2 = (SM2P256V1FieldElement)b.RawZCoords[0];
+
+ uint c;
+ uint[] tt1 = Nat256.CreateExt();
+ uint[] t2 = Nat256.Create();
+ uint[] t3 = Nat256.Create();
+ uint[] t4 = Nat256.Create();
+
+ bool Z1IsOne = Z1.IsOne;
+ uint[] U2, S2;
+ if (Z1IsOne)
+ {
+ U2 = X2.x;
+ S2 = Y2.x;
+ }
+ else
+ {
+ S2 = t3;
+ SM2P256V1Field.Square(Z1.x, S2);
+
+ U2 = t2;
+ SM2P256V1Field.Multiply(S2, X2.x, U2);
+
+ SM2P256V1Field.Multiply(S2, Z1.x, S2);
+ SM2P256V1Field.Multiply(S2, Y2.x, S2);
+ }
+
+ bool Z2IsOne = Z2.IsOne;
+ uint[] U1, S1;
+ if (Z2IsOne)
+ {
+ U1 = X1.x;
+ S1 = Y1.x;
+ }
+ else
+ {
+ S1 = t4;
+ SM2P256V1Field.Square(Z2.x, S1);
+
+ U1 = tt1;
+ SM2P256V1Field.Multiply(S1, X1.x, U1);
+
+ SM2P256V1Field.Multiply(S1, Z2.x, S1);
+ SM2P256V1Field.Multiply(S1, Y1.x, S1);
+ }
+
+ uint[] H = Nat256.Create();
+ SM2P256V1Field.Subtract(U1, U2, H);
+
+ uint[] R = t2;
+ SM2P256V1Field.Subtract(S1, S2, R);
+
+ // Check if b == this or b == -this
+ if (Nat256.IsZero(H))
+ {
+ if (Nat256.IsZero(R))
+ {
+ // this == b, i.e. this must be doubled
+ return this.Twice();
+ }
+
+ // this == -b, i.e. the result is the point at infinity
+ return curve.Infinity;
+ }
+
+ uint[] HSquared = t3;
+ SM2P256V1Field.Square(H, HSquared);
+
+ uint[] G = Nat256.Create();
+ SM2P256V1Field.Multiply(HSquared, H, G);
+
+ uint[] V = t3;
+ SM2P256V1Field.Multiply(HSquared, U1, V);
+
+ SM2P256V1Field.Negate(G, G);
+ Nat256.Mul(S1, G, tt1);
+
+ c = Nat256.AddBothTo(V, V, G);
+ SM2P256V1Field.Reduce32(c, G);
+
+ SM2P256V1FieldElement X3 = new SM2P256V1FieldElement(t4);
+ SM2P256V1Field.Square(R, X3.x);
+ SM2P256V1Field.Subtract(X3.x, G, X3.x);
+
+ SM2P256V1FieldElement Y3 = new SM2P256V1FieldElement(G);
+ SM2P256V1Field.Subtract(V, X3.x, Y3.x);
+ SM2P256V1Field.MultiplyAddToExt(Y3.x, R, tt1);
+ SM2P256V1Field.Reduce(tt1, Y3.x);
+
+ SM2P256V1FieldElement Z3 = new SM2P256V1FieldElement(H);
+ if (!Z1IsOne)
+ {
+ SM2P256V1Field.Multiply(Z3.x, Z1.x, Z3.x);
+ }
+ if (!Z2IsOne)
+ {
+ SM2P256V1Field.Multiply(Z3.x, Z2.x, Z3.x);
+ }
+
+ ECFieldElement[] zs = new ECFieldElement[]{ Z3 };
+
+ return new SM2P256V1Point(curve, X3, Y3, zs, IsCompressed);
+ }
+
+ public override ECPoint Twice()
+ {
+ if (this.IsInfinity)
+ return this;
+
+ ECCurve curve = this.Curve;
+
+ SM2P256V1FieldElement Y1 = (SM2P256V1FieldElement)this.RawYCoord;
+ if (Y1.IsZero)
+ return curve.Infinity;
+
+ SM2P256V1FieldElement X1 = (SM2P256V1FieldElement)this.RawXCoord, Z1 = (SM2P256V1FieldElement)this.RawZCoords[0];
+
+ uint c;
+ uint[] t1 = Nat256.Create();
+ uint[] t2 = Nat256.Create();
+
+ uint[] Y1Squared = Nat256.Create();
+ SM2P256V1Field.Square(Y1.x, Y1Squared);
+
+ uint[] T = Nat256.Create();
+ SM2P256V1Field.Square(Y1Squared, T);
+
+ bool Z1IsOne = Z1.IsOne;
+
+ uint[] Z1Squared = Z1.x;
+ if (!Z1IsOne)
+ {
+ Z1Squared = t2;
+ SM2P256V1Field.Square(Z1.x, Z1Squared);
+ }
+
+ SM2P256V1Field.Subtract(X1.x, Z1Squared, t1);
+
+ uint[] M = t2;
+ SM2P256V1Field.Add(X1.x, Z1Squared, M);
+ SM2P256V1Field.Multiply(M, t1, M);
+ c = Nat256.AddBothTo(M, M, M);
+ SM2P256V1Field.Reduce32(c, M);
+
+ uint[] S = Y1Squared;
+ SM2P256V1Field.Multiply(Y1Squared, X1.x, S);
+ c = Nat.ShiftUpBits(8, S, 2, 0);
+ SM2P256V1Field.Reduce32(c, S);
+
+ c = Nat.ShiftUpBits(8, T, 3, 0, t1);
+ SM2P256V1Field.Reduce32(c, t1);
+
+ SM2P256V1FieldElement X3 = new SM2P256V1FieldElement(T);
+ SM2P256V1Field.Square(M, X3.x);
+ SM2P256V1Field.Subtract(X3.x, S, X3.x);
+ SM2P256V1Field.Subtract(X3.x, S, X3.x);
+
+ SM2P256V1FieldElement Y3 = new SM2P256V1FieldElement(S);
+ SM2P256V1Field.Subtract(S, X3.x, Y3.x);
+ SM2P256V1Field.Multiply(Y3.x, M, Y3.x);
+ SM2P256V1Field.Subtract(Y3.x, t1, Y3.x);
+
+ SM2P256V1FieldElement Z3 = new SM2P256V1FieldElement(M);
+ SM2P256V1Field.Twice(Y1.x, Z3.x);
+ if (!Z1IsOne)
+ {
+ SM2P256V1Field.Multiply(Z3.x, Z1.x, Z3.x);
+ }
+
+ return new SM2P256V1Point(curve, X3, Y3, new ECFieldElement[]{ Z3 }, IsCompressed);
+ }
+
+ public override ECPoint TwicePlus(ECPoint b)
+ {
+ if (this == b)
+ return ThreeTimes();
+ if (this.IsInfinity)
+ return b;
+ if (b.IsInfinity)
+ return Twice();
+
+ ECFieldElement Y1 = this.RawYCoord;
+ if (Y1.IsZero)
+ return b;
+
+ return Twice().Add(b);
+ }
+
+ public override ECPoint ThreeTimes()
+ {
+ if (this.IsInfinity || this.RawYCoord.IsZero)
+ return this;
+
+ // NOTE: Be careful about recursions between TwicePlus and ThreeTimes
+ return Twice().Add(this);
+ }
+
+ public override ECPoint Negate()
+ {
+ if (IsInfinity)
+ return this;
+
+ return new SM2P256V1Point(Curve, RawXCoord, RawYCoord.Negate(), RawZCoords, IsCompressed);
+ }
+ }
+}
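Review bot: The comment on the three-argument constructor says it creates a point "which encodes with point compression", but the constructor chains to `this(curve, x, y, false)`, i.e. compression off; the summary should read `Create a point that encodes without point compression.` Both constructor comments also use Javadoc tags (`@param`, `@deprecated`, `{@link #getEncoded(bool)}`) that C# tooling does not interpret, so the deprecation is invisible to callers unless it is expressed as an `[Obsolete]` attribute or rewritten as `///` XML documentation. In `Add`, `b`'s coordinates are downcast to `SM2P256V1FieldElement` with no check that `b` belongs to this curve, so a point from another curve would fail with an `InvalidCastException`. Whether callers guarantee matching curves is not visible here, and a short comment stating that precondition would help.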