package Crypt::Perl::ECDSA::EC::Point;

use strict;
use warnings;

#----------------------------------------------------------------------
# NOTE TO SELF: This module’s internal coordinates are
# homogeneous/projective coordinates, not Cartesian.
#----------------------------------------------------------------------

use Crypt::Perl::BigInt ();

my ($bi1, $bi2, $bi3);

END {
    undef $bi1, $bi2, $bi3;
}

sub new_infinity {
    my ($class) = @_;

    return $class->new( undef, undef );
}

#$curve is ECCurve
#$x and $y are “ECFieldElement”
#$z isa bigint (?)
sub new {
    my ($class, $curve, $x, $y, $z) = @_;

    $bi1 ||= Crypt::Perl::BigInt->new(1);
    $bi2 ||= Crypt::Perl::BigInt->new(2);
    $bi3 ||= Crypt::Perl::BigInt->new(3);

    my $self = {
        curve => $curve,
        x => $x,
        y => $y,

        # Generally z won’t be given since we expect
        # Cartesian coordinates as input. But accepting
        # z allows this constructor to receive Jacobi
        # coordinates as well.
        z => $z || $bi1->copy(),

        zinv => undef,
    };

    return bless $self, $class;
}

sub is_infinity {
    my ($self) = @_;

    return 1 if !defined $self->{'x'} && !defined $self->{'y'};

    return( ($self->{'z'}->is_zero() && !$self->{'y'}->to_bigint()->is_zero()) || 0 );
}

#returns ECFieldElement (Cartesian)
sub get_x {
    my ($self) = @_;

    return $self->_get_x_or_y('x');
}

#returns ECFieldElement (Cartesian)
#Used in key generation (not signing … ?)
sub get_y {
    my ($self) = @_;

    return $self->_get_x_or_y('y');
}

sub _get_x_or_y {
    my ($self, $to_get) = @_;

    if (!defined $self->{'zinv'}) {
        $self->{'zinv'} = $self->{'z'}->copy()->bmodinv($self->{'curve'}{'q'});
    }

    return $self->{'curve'}->from_bigint(
        $self->{$to_get}->to_bigint()->copy()->bmul($self->{'zinv'})->bmod($self->{'curve'}{'q'})
    );
}

sub negate {
    my ($self) = @_;

    my @args = @{$self}{qw( curve x y z )};
    $args[2] = $args[2]->negate();

    return (ref $self)->new(@args);
}

sub twice {
    my ($self) = @_;

    return $self if $self->is_infinity();

    #if ($self->{'y'}->to_bigint()->signum() == 0) {
    #    return $self->{'curve'}->get_infinity();
    #}

    my $x1 = $self->{'x'}->to_bigint();
    my $y1 = $self->{'y'}->to_bigint();

    my $y1z1 = $y1->copy()->bmul($self->{'z'});

    my $y1sqz1 = $y1z1->copy()->bmul($y1)->bmod($self->{'curve'}{'q'});

    my $a = $self->{'curve'}{'a'};

    # w = 3 * x1^2 + a * z1^2
    #var w = x1.square().multiply(THREE);
    my $w = $x1->copy()->bpow($bi2)->bmul($bi3);

    if (!$a->is_zero()) {
        #$w += ($self->{'z'} ** 2) * $a;
        $w->badd( $a->copy()->bmul( $self->{'z'} )->bmul($self->{'z'}) );
    }

    $w->bmod($self->{'curve'}{'q'});

    # x3 = 2 * y1 * z1 * (w^2 - 8 * x1 * y1^2 * z1)
    #var x3 = w.square().subtract(x1.shiftLeft(3).multiply(y1sqz1)).shiftLeft(1).multiply(y1z1).mod(this.curve.q);

    my $x3 = $w->copy()->bmuladd( $w, $y1sqz1->copy()->bmul($x1)->blsft($bi3)->bneg() )->bmul($bi2)->bmul($y1z1);
    #my $x3 = 2 * $y1z1 * (($w ** 2) - ($x1 << 3) * $y1sqz1);
    #my $x3 = ($w ** 2) - (($x1 << 3) * $y1sqz1);
    #$x3 = $x3 << 1;
    #$x3 *= $y1z1;

    # y3 = 4 * y1^2 * z1 * (3 * w * x1 - 2 * y1^2 * z1) - w^3
    #var y3 = w.multiply(THREE).multiply(x1).subtract(y1sqz1.shiftLeft(1)).shiftLeft(2).multiply(y1sqz1).subtract(w.square().multiply(w)).mod(this.curve.q);
    #my $y3 = 4 * $y1sqz1 * (3 * $w * $x1 - 2 * $y1sqz1) - ($w ** 3);

    my $y3 = $y1sqz1->copy()->blsft($bi2);

    $y3->bmuladd(

        #We don’t need y1sqz1 anymore
        $w->copy()->bmul($bi3)->bmuladd($x1, $y1sqz1->blsft($bi1)->bneg()),

        #Don’t need $w anymore
        $w->bpow($bi3)->bneg(),
    );

    #// z3 = 8 * (y1 * z1)^3
    #var z3 = y1z1.square().multiply(y1z1).shiftLeft(3).mod(this.curve.q);
    #my $z3 = ($y1z1 ** 3) << 3;
    my $z3 = $y1z1->bpow($bi3)->blsft($bi3);  #don’t need y1z1 anymore

    #In original JS logic
    $_->bmod($self->{'curve'}{'q'}) for ($x3, $y3, $z3);

    #return new ECPointFp(this.curve, this.curve.fromBigInteger(x3), this.curve.fromBigInteger(y3), z3);
    return (ref $self)->new(
        $self->{'curve'},
        $self->{'curve'}->from_bigint($x3),
        $self->{'curve'}->from_bigint($y3),
        $z3,
    );
}

#XXX clear
sub dump {
    my ($self, $label) = @_;

    $label = q<> if !defined $label;

    printf "$label.x: %s\n", $self->{'x'}->to_bigint()->as_hex();
    printf "$label.y: %s\n", $self->{'y'}->to_bigint()->as_hex();
    printf "$label.z: %s\n", $self->{'z'}->as_hex();
}

sub multiply {
    my ($self, $k) = @_;

    if ($self->is_infinity()) {
        return $self;
    }

    # “Montgomery ladder” algorithm taken from Wikipedia:
    #
    # R0 ← 0
    # R1 ← P
    # for i from m downto 0 do
    #     if di = 0 then
    #         R1 ← point_add(R0, R1)
    #         R0 ← point_double(R0)
    #     else
    #         R0 ← point_add(R0, R1)
    #         R1 ← point_double(R1)
    # return R0
    #
    # This thwarts the timing attacks that can recover private keys
    # by running the standard “double-and-add” algorithm over and over
    # and analyzing response times.

    my $r0 = ref($self)->new_infinity();
    my $r1 = $self;

    for my $i ( reverse( 0 .. ($k->bit_length() - 1) ) ) {
        if ($k->test_bit($i)) {
            $r0 = $r0->add($r1);
            $r1 = $r1->twice();
        }
        else {
            $r1 = $r0->add($r1);
            $r0 = $r0->twice();
        }
    }

    return $r0;
}

#$b isa ECPoint
sub add {
    my ($self, $b) = @_;
#$b->dump('$b');

    #if(this.isInfinity()) return b;
    #if(b.isInfinity()) return this;

    return $b if $self->is_infinity();
    return $self if $b->is_infinity();

    #// u = Y2 * Z1 - Y1 * Z2
    #var u = b.y.toBigInteger().multiply(this.z).subtract(this.y.toBigInteger().multiply(b.z)).mod(this.curve.q);
    my $u = $b->{'y'}->to_bigint()->copy()->bmuladd(
        $self->{'z'},
        $self->{'y'}->to_bigint()->copy()->bneg()->bmul($b->{'z'}),
    );
# $b->{'z'};

    #// v = X2 * Z1 - X1 * Z2
    #var v = b.x.toBigInteger().multiply(this.z).subtract(this.x.toBigInteger().multiply(b.z)).mod(this.curve.q);
    my $v = $b->{'x'}->to_bigint()->copy()->bmuladd(
        $self->{'z'},
        $self->{'x'}->to_bigint()->copy()->bneg()->bmul($b->{'z'}),
    );


    $_->bmod($self->{'curve'}{'q'}) for ($u, $v);
#print "u: " . $u->as_hex() . $/;
#print "v: " . $v->as_hex() . $/;
    #if(BigInteger.ZERO.equals(v)) {
    #    if(BigInteger.ZERO.equals(u)) {
    #        return this.twice(); // this == b, so double
    #    }
	#return this.curve.getInfinity(); // this = -b, so infinity
    #}
    if ($v->is_zero()) {
        if ($u->is_zero()) {
            return $self->twice();
        }

        return $self->{'curve'}->get_infinity();
    }

    #var THREE = new BigInteger("3");
    #var x1 = this.x.toBigInteger();
    #var y1 = this.y.toBigInteger();
    #var x2 = b.x.toBigInteger();
    #var y2 = b.y.toBigInteger();
    my ($x1, $y1, $z1) = @{$self}{ qw( x y z ) };
    my ($x2, $y2, $z2) = @{$b}{ qw( x y z ) };

    $_ = $_->to_bigint() for ($x1, $y1, $x2, $y2);

    #var v2 = v.square();
    #var v3 = v2.multiply(v);
    #var x1v2 = x1.multiply(v2);
    #var zu2 = u.square().multiply(this.z);

    my $v2 = $v->copy()->bmul($v);
    my $v3 = $v->copy()->bmul($v2);

    my $x1v2 = $x1->copy()->bmul($v2);
    my $zu2 = $u->copy()->bmul($u)->bmul($self->{'z'});
#use Data::Dumper;
#print Dumper( map { $_->as_hex() } $u, $v, $x1, $y1, $z1, $x2, $y2, $z2, $v2, $v3, $x1v2, $zu2 );

    #// x3 = v * (z2 * (z1 * u^2 - 2 * x1 * v^2) - v^3)
    #var x3 = zu2.subtract(x1v2.shiftLeft(1)).multiply(b.z).subtract(v3).multiply(v).mod(this.curve.q);
    #my $x3 = $v * ($z2 * ($z1 * ($u ** 2) - 2 * $x1 * ($v ** 2)) - ($v ** 3));
    my $x3 = $u->copy()->bmul($u);
    $x3->bmuladd( $z1, $x1->copy()->blsft($bi1)->bneg()->bmul($v)->bmul($v) );
    $x3->bmuladd( $z2, $v->copy()->bpow($bi3)->bneg() );
    $x3->bmul($v);

    #// y3 = z2 * (3 * x1 * u * v^2 - y1 * v^3 - z1 * u^3) + u * v^3
    #var y3 = x1v2.multiply(THREE).multiply(u).subtract(y1.multiply(v3)).subtract(zu2.multiply(u)).multiply(b.z).add(u.multiply(v3)).mod(this.curve.q);
    #my $y3 = $z2 * (3 * $x1 * $u * $v2 - $y1 * $v3 - $z1 * ($u ** 3)) + $u * $v3;
    my $y3 = $u->copy()->bmul($bi3)->bmul($x1);
    $y3->bmuladd($v2, $y1->copy()->bmul($v3)->bneg());      #no more y1 after this
    $y3->bsub( $u->copy()->bpow($bi3)->bmul($z1) );

    $y3->bmuladd( $z2, $u->bmul($v3) );             #we don’t need $u anymore

    #// z3 = v^3 * z1 * z2
    #var z3 = v3.multiply(this.z).multiply(b.z).mod(this.curve.q);
    my $z3 = $v3->bmul($z1)->bmul($z2);

    $_->bmod($self->{'curve'}{'q'}) for ($x3, $y3, $z3);

    return (ref $self)->new(
        $self->{'curve'},
        $self->{'curve'}->from_bigint($x3),
        $self->{'curve'}->from_bigint($y3),
        $z3,
    );
}

1;