// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package nistec

import (
	
	
	
)

var p384B, _ = new(fiat.P384Element).SetBytes([]byte{
	0xb3, 0x31, 0x2f, 0xa7, 0xe2, 0x3e, 0xe7, 0xe4, 0x98, 0x8e, 0x05, 0x6b,
	0xe3, 0xf8, 0x2d, 0x19, 0x18, 0x1d, 0x9c, 0x6e, 0xfe, 0x81, 0x41, 0x12,
	0x03, 0x14, 0x08, 0x8f, 0x50, 0x13, 0x87, 0x5a, 0xc6, 0x56, 0x39, 0x8d,
	0x8a, 0x2e, 0xd1, 0x9d, 0x2a, 0x85, 0xc8, 0xed, 0xd3, 0xec, 0x2a, 0xef})

var p384G, _ = NewP384Point().SetBytes([]byte{0x4,
	0xaa, 0x87, 0xca, 0x22, 0xbe, 0x8b, 0x05, 0x37, 0x8e, 0xb1, 0xc7, 0x1e,
	0xf3, 0x20, 0xad, 0x74, 0x6e, 0x1d, 0x3b, 0x62, 0x8b, 0xa7, 0x9b, 0x98,
	0x59, 0xf7, 0x41, 0xe0, 0x82, 0x54, 0x2a, 0x38, 0x55, 0x02, 0xf2, 0x5d,
	0xbf, 0x55, 0x29, 0x6c, 0x3a, 0x54, 0x5e, 0x38, 0x72, 0x76, 0x0a, 0xb7,
	0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
	0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
	0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
	0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f})

const p384ElementLength = 48

// P384Point is a P-384 point. The zero value is NOT valid.
type P384Point struct {
	// The point is represented in projective coordinates (X:Y:Z),
	// where x = X/Z and y = Y/Z.
	x, y, z *fiat.P384Element
}

// NewP384Point returns a new P384Point representing the point at infinity point.
func () *P384Point {
	return &P384Point{
		x: new(fiat.P384Element),
		y: new(fiat.P384Element).One(),
		z: new(fiat.P384Element),
	}
}

// NewP384Generator returns a new P384Point set to the canonical generator.
func () *P384Point {
	return (&P384Point{
		x: new(fiat.P384Element),
		y: new(fiat.P384Element),
		z: new(fiat.P384Element),
	}).Set(p384G)
}

// Set sets p = q and returns p.
func ( *P384Point) ( *P384Point) *P384Point {
	.x.Set(.x)
	.y.Set(.y)
	.z.Set(.z)
	return 
}

// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in
// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on
// the curve, it returns nil and an error, and the receiver is unchanged.
// Otherwise, it returns p.
func ( *P384Point) ( []byte) (*P384Point, error) {
	switch {
	// Point at infinity.
	case len() == 1 && [0] == 0:
		return .Set(NewP384Point()), nil

	// Uncompressed form.
	case len() == 1+2*p384ElementLength && [0] == 4:
		,  := new(fiat.P384Element).SetBytes([1 : 1+p384ElementLength])
		if  != nil {
			return nil, 
		}
		,  := new(fiat.P384Element).SetBytes([1+p384ElementLength:])
		if  != nil {
			return nil, 
		}
		if  := p384CheckOnCurve(, );  != nil {
			return nil, 
		}
		.x.Set()
		.y.Set()
		.z.One()
		return , nil

	// Compressed form
	case len() == 1+p384ElementLength && [0] == 0:
		return nil, errors.New("unimplemented") // TODO(filippo)

	default:
		return nil, errors.New("invalid P384 point encoding")
	}
}

func (,  *fiat.P384Element) error {
	// x³ - 3x + b.
	 := new(fiat.P384Element).Square()
	.Mul(, )

	 := new(fiat.P384Element).Add(, )
	.Add(, )

	.Sub(, )
	.Add(, p384B)

	// y² = x³ - 3x + b
	 := new(fiat.P384Element).Square()

	if .Equal() != 1 {
		return errors.New("P384 point not on curve")
	}
	return nil
}

// Bytes returns the uncompressed or infinity encoding of p, as specified in
// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at
// infinity is shorter than all other encodings.
func ( *P384Point) () []byte {
	// This function is outlined to make the allocations inline in the caller
	// rather than happen on the heap.
	var  [133]byte
	return .bytes(&)
}

func ( *P384Point) ( *[133]byte) []byte {
	if .z.IsZero() == 1 {
		return append([:0], 0)
	}

	 := new(fiat.P384Element).Invert(.z)
	 := new(fiat.P384Element).Mul(.x, )
	 := new(fiat.P384Element).Mul(.y, )

	 := append([:0], 4)
	 = append(, .Bytes()...)
	 = append(, .Bytes()...)
	return 
}

// Add sets q = p1 + p2, and returns q. The points may overlap.
func ( *P384Point) (,  *P384Point) *P384Point {
	// Complete addition formula for a = -3 from "Complete addition formulas for
	// prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2.

	 := new(fiat.P384Element).Mul(.x, .x) // t0 := X1 * X2
	 := new(fiat.P384Element).Mul(.y, .y) // t1 := Y1 * Y2
	 := new(fiat.P384Element).Mul(.z, .z) // t2 := Z1 * Z2
	 := new(fiat.P384Element).Add(.x, .y) // t3 := X1 + Y1
	 := new(fiat.P384Element).Add(.x, .y) // t4 := X2 + Y2
	.Mul(, )                              // t3 := t3 * t4
	.Add(, )                              // t4 := t0 + t1
	.Sub(, )                              // t3 := t3 - t4
	.Add(.y, .z)                          // t4 := Y1 + Z1
	 := new(fiat.P384Element).Add(.y, .z) // X3 := Y2 + Z2
	.Mul(, )                              // t4 := t4 * X3
	.Add(, )                              // X3 := t1 + t2
	.Sub(, )                              // t4 := t4 - X3
	.Add(.x, .z)                          // X3 := X1 + Z1
	 := new(fiat.P384Element).Add(.x, .z) // Y3 := X2 + Z2
	.Mul(, )                              // X3 := X3 * Y3
	.Add(, )                              // Y3 := t0 + t2
	.Sub(, )                              // Y3 := X3 - Y3
	 := new(fiat.P384Element).Mul(p384B, )  // Z3 := b * t2
	.Sub(, )                              // X3 := Y3 - Z3
	.Add(, )                              // Z3 := X3 + X3
	.Add(, )                              // X3 := X3 + Z3
	.Sub(, )                              // Z3 := t1 - X3
	.Add(, )                              // X3 := t1 + X3
	.Mul(p384B, )                           // Y3 := b * Y3
	.Add(, )                              // t1 := t2 + t2
	.Add(, )                              // t2 := t1 + t2
	.Sub(, )                              // Y3 := Y3 - t2
	.Sub(, )                              // Y3 := Y3 - t0
	.Add(, )                              // t1 := Y3 + Y3
	.Add(, )                              // Y3 := t1 + Y3
	.Add(, )                              // t1 := t0 + t0
	.Add(, )                              // t0 := t1 + t0
	.Sub(, )                              // t0 := t0 - t2
	.Mul(, )                              // t1 := t4 * Y3
	.Mul(, )                              // t2 := t0 * Y3
	.Mul(, )                              // Y3 := X3 * Z3
	.Add(, )                              // Y3 := Y3 + t2
	.Mul(, )                              // X3 := t3 * X3
	.Sub(, )                              // X3 := X3 - t1
	.Mul(, )                              // Z3 := t4 * Z3
	.Mul(, )                              // t1 := t3 * t0
	.Add(, )                              // Z3 := Z3 + t1

	.x.Set()
	.y.Set()
	.z.Set()
	return 
}

// Double sets q = p + p, and returns q. The points may overlap.
func ( *P384Point) ( *P384Point) *P384Point {
	// Complete addition formula for a = -3 from "Complete addition formulas for
	// prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2.

	 := new(fiat.P384Element).Square(.x)    // t0 := X ^ 2
	 := new(fiat.P384Element).Square(.y)    // t1 := Y ^ 2
	 := new(fiat.P384Element).Square(.z)    // t2 := Z ^ 2
	 := new(fiat.P384Element).Mul(.x, .y)  // t3 := X * Y
	.Add(, )                             // t3 := t3 + t3
	 := new(fiat.P384Element).Mul(.x, .z)  // Z3 := X * Z
	.Add(, )                             // Z3 := Z3 + Z3
	 := new(fiat.P384Element).Mul(p384B, ) // Y3 := b * t2
	.Sub(, )                             // Y3 := Y3 - Z3
	 := new(fiat.P384Element).Add(, )    // X3 := Y3 + Y3
	.Add(, )                             // Y3 := X3 + Y3
	.Sub(, )                             // X3 := t1 - Y3
	.Add(, )                             // Y3 := t1 + Y3
	.Mul(, )                             // Y3 := X3 * Y3
	.Mul(, )                             // X3 := X3 * t3
	.Add(, )                             // t3 := t2 + t2
	.Add(, )                             // t2 := t2 + t3
	.Mul(p384B, )                          // Z3 := b * Z3
	.Sub(, )                             // Z3 := Z3 - t2
	.Sub(, )                             // Z3 := Z3 - t0
	.Add(, )                             // t3 := Z3 + Z3
	.Add(, )                             // Z3 := Z3 + t3
	.Add(, )                             // t3 := t0 + t0
	.Add(, )                             // t0 := t3 + t0
	.Sub(, )                             // t0 := t0 - t2
	.Mul(, )                             // t0 := t0 * Z3
	.Add(, )                             // Y3 := Y3 + t0
	.Mul(.y, .z)                           // t0 := Y * Z
	.Add(, )                             // t0 := t0 + t0
	.Mul(, )                             // Z3 := t0 * Z3
	.Sub(, )                             // X3 := X3 - Z3
	.Mul(, )                             // Z3 := t0 * t1
	.Add(, )                             // Z3 := Z3 + Z3
	.Add(, )                             // Z3 := Z3 + Z3

	.x.Set()
	.y.Set()
	.z.Set()
	return 
}

// Select sets q to p1 if cond == 1, and to p2 if cond == 0.
func ( *P384Point) (,  *P384Point,  int) *P384Point {
	.x.Select(.x, .x, )
	.y.Select(.y, .y, )
	.z.Select(.z, .z, )
	return 
}

// ScalarMult sets p = scalar * q, and returns p.
func ( *P384Point) ( *P384Point,  []byte) *P384Point {
	// table holds the first 16 multiples of q. The explicit newP384Point calls
	// get inlined, letting the allocations live on the stack.
	var  = [16]*P384Point{
		NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point(),
		NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point(),
		NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point(),
		NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point(),
	}
	for  := 1;  < 16; ++ {
		[].Add([-1], )
	}

	// Instead of doing the classic double-and-add chain, we do it with a
	// four-bit window: we double four times, and then add [0-15]P.
	 := NewP384Point()
	.Set(NewP384Point())
	for ,  := range  {
		.Double()
		.Double()
		.Double()
		.Double()

		for  := uint8(0);  < 16; ++ {
			 := subtle.ConstantTimeByteEq(>>4, )
			.Select([], , )
		}
		.Add(, )

		.Double()
		.Double()
		.Double()
		.Double()

		for  := uint8(0);  < 16; ++ {
			 := subtle.ConstantTimeByteEq(&0b1111, )
			.Select([], , )
		}
		.Add(, )
	}

	return 
}