
     1  // Copyright 2020 ConsenSys AG
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package fptower
    16  
    17  import "github.com/consensys/gnark-crypto/ecc/bls12-377/fp"
    18  
// Frobenius set z to Frobenius(x), return z
func (z *E12) Frobenius(x *E12) *E12 {
	// Algorithm 28 from https://eprint.iacr.org/2010/354.pdf (beware typos!)
	//
	// All six E2 coefficients of x are read into a scratch array before
	// anything is written to z, so z may alias x.
	coeffs := [6]*E2{&x.C0.B0, &x.C0.B1, &x.C0.B2, &x.C1.B0, &x.C1.B1, &x.C1.B2}
	var u [6]E2
	for i, c := range coeffs {
		// Frobenius acts on fp2 by conjugation
		u[i].Conjugate(c)
	}

	// Every coefficient except the constant term is then scaled by the
	// gamma_{1,i} constant matching its position in the tower
	// (C0.B1 -> power 2, C0.B2 -> 4, C1.B0 -> 1, C1.B1 -> 3, C1.B2 -> 5).
	u[1].MulByNonResidue1Power2(&u[1])
	u[2].MulByNonResidue1Power4(&u[2])
	u[3].MulByNonResidue1Power1(&u[3])
	u[4].MulByNonResidue1Power3(&u[4])
	u[5].MulByNonResidue1Power5(&u[5])

	z.C0.B0, z.C0.B1, z.C0.B2 = u[0], u[1], u[2]
	z.C1.B0, z.C1.B1, z.C1.B2 = u[3], u[4], u[5]
	return z
}
    47  
// FrobeniusSquare set z to Frobenius^2(x), and return z
func (z *E12) FrobeniusSquare(x *E12) *E12 {
	// Algorithm 29 from https://eprint.iacr.org/2010/354.pdf (beware typos!)
	//
	// Unlike Frobenius, there is no conjugation step here: the constant term
	// C0.B0 passes through unchanged and the other five coefficients are only
	// scaled by their gamma_{2,i} constant. The scaled values are computed
	// into locals before z is written, so z may alias x.
	var b1, b2, b3, b4, b5 E2
	b1.MulByNonResidue2Power2(&x.C0.B1)
	b2.MulByNonResidue2Power4(&x.C0.B2)
	b3.MulByNonResidue2Power1(&x.C1.B0)
	b4.MulByNonResidue2Power3(&x.C1.B1)
	b5.MulByNonResidue2Power5(&x.C1.B2)

	z.C0.B0 = x.C0.B0
	z.C0.B1, z.C0.B2 = b1, b2
	z.C1.B0, z.C1.B1, z.C1.B2 = b3, b4, b5
	return z
}
    68  
// MulByNonResidue1Power1 set z=x*(0,1)^(1*(p^1-1)/6) and return z
func (z *E2) MulByNonResidue1Power1(x *E2) *E2 {
	// Decimal value of the constant:
	// 92949345220277864758624960506473182677953048909283248980960104381795901929519566951595905490535835115111760994353
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		7981638599956744862,
		11830407261614897732,
		6308788297503259939,
		10596665404780565693,
		11693741422477421038,
		61545186993886319,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
    84  
// MulByNonResidue1Power2 set z=x*(0,1)^(2*(p^1-1)/6) and return z
func (z *E2) MulByNonResidue1Power2(x *E2) *E2 {
	// Decimal value of the constant (same limbs as MulByNonResidue2Power1 in this file):
	// 80949648264912719408558363140637477264845294720710499478137287262712535938301461879813459410946
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		6382252053795993818,
		1383562296554596171,
		11197251941974877903,
		6684509567199238270,
		6699184357838251020,
		19987743694136192,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   100  
// MulByNonResidue1Power3 set z=x*(0,1)^(3*(p^1-1)/6) and return z
func (z *E2) MulByNonResidue1Power3(x *E2) *E2 {
	// Decimal value of the constant:
	// 216465761340224619389371505802605247630151569547285782856803747159100223055385581585702401816380679166954762214499
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		10965161018967488287,
		18251363109856037426,
		7036083669251591763,
		16109345360066746489,
		4679973768683352764,
		96952949334633821,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   116  
// MulByNonResidue1Power4 set z=x*(0,1)^(4*(p^1-1)/6) and return z
func (z *E2) MulByNonResidue1Power4(x *E2) *E2 {
	// Decimal value of the constant (same limbs as MulByNonResidue2Power2 in this file):
	// 80949648264912719408558363140637477264845294720710499478137287262712535938301461879813459410945
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		15766275933608376691,
		15635974902606112666,
		1934946774703877852,
		18129354943882397960,
		15437979634065614942,
		101285514078273488,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   132  
// MulByNonResidue1Power5 set z=x*(0,1)^(5*(p^1-1)/6) and return z
func (z *E2) MulByNonResidue1Power5(x *E2) *E2 {
	// Decimal value of the constant:
	// 123516416119946754630746545296132064952198520638002533875843642777304321125866014634106496325844844051843001220146
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		2983522419010743425,
		6420955848241139694,
		727295371748331824,
		5512679955286180796,
		11432976419915483342,
		35407762340747501,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   148  
// MulByNonResidue2Power1 set z=x*(0,1)^(1*(p^2-1)/6) and return z
func (z *E2) MulByNonResidue2Power1(x *E2) *E2 {
	// Decimal value of the constant (same limbs as MulByNonResidue1Power2 in this file):
	// 80949648264912719408558363140637477264845294720710499478137287262712535938301461879813459410946
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		6382252053795993818,
		1383562296554596171,
		11197251941974877903,
		6684509567199238270,
		6699184357838251020,
		19987743694136192,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   164  
// MulByNonResidue2Power2 set z=x*(0,1)^(2*(p^2-1)/6) and return z
func (z *E2) MulByNonResidue2Power2(x *E2) *E2 {
	// Decimal value of the constant (same limbs as MulByNonResidue1Power4 in this file):
	// 80949648264912719408558363140637477264845294720710499478137287262712535938301461879813459410945
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		15766275933608376691,
		15635974902606112666,
		1934946774703877852,
		18129354943882397960,
		15437979634065614942,
		101285514078273488,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   180  
// MulByNonResidue2Power3 set z=x*(0,1)^(3*(p^2-1)/6) and return z
func (z *E2) MulByNonResidue2Power3(x *E2) *E2 {
	// Decimal value of the constant:
	// 258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458176
	//
	// NOTE(review): this decimal looks like p-1, i.e. -1 in Fp, which would
	// make this a negation — confirm against fp's modulus. The limbs below
	// are presumably the Montgomery-form encoding of the decimal (not the
	// decimal itself) — confirm against fp.Element before editing either.
	// A wrong limb yields a wrong result with no runtime error. The literal
	// is kept function-local so it cannot be mutated by other code.
	gamma := &fp.Element{
		9384023879812382873,
		14252412606051516495,
		9184438906438551565,
		11444845376683159689,
		8738795276227363922,
		81297770384137296,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   196  
// MulByNonResidue2Power4 set z=x*(0,1)^(4*(p^2-1)/6) and return z
func (z *E2) MulByNonResidue2Power4(x *E2) *E2 {
	// Decimal value of the constant:
	// 258664426012969093929703085429980814127835149614277183275038967946009968870203535512256352201271898244626862047231
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		3203870859294639911,
		276961138506029237,
		9479726329337356593,
		13645541738420943632,
		7584832609311778094,
		101110569012358506,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}
   212  
// MulByNonResidue2Power5 set z=x*(0,1)^(5*(p^2-1)/6) and return z
func (z *E2) MulByNonResidue2Power5(x *E2) *E2 {
	// Decimal value of the constant (one more than MulByNonResidue2Power4's):
	// 258664426012969093929703085429980814127835149614277183275038967946009968870203535512256352201271898244626862047232
	//
	// NOTE(review): the limbs below are presumably the Montgomery-form encoding
	// of that decimal (not the decimal itself) — confirm against fp.Element
	// before editing either. A wrong limb yields a wrong result with no
	// runtime error. The literal is kept function-local so it cannot be
	// mutated by other code.
	gamma := &fp.Element{
		12266591053191808654,
		4471292606164064357,
		295287422898805027,
		2200696361737783943,
		17292781406793965788,
		19812798628221209,
	}
	// gamma lies in Fp, so both coordinates of x are scaled by the same factor.
	z.A0.Mul(&x.A0, gamma)
	z.A1.Mul(&x.A1, gamma)
	return z
}