github.com/consensys/gnark-crypto@v0.14.0/ecc/bls12-378/internal/fptower/frobenius.go (about) 1 // Copyright 2020 ConsenSys AG 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package fptower 16 17 import "github.com/consensys/gnark-crypto/ecc/bls12-378/fp" 18 19 // Frobenius set z to Frobenius(x), return z 20 func (z *E12) Frobenius(x *E12) *E12 { 21 // Algorithm 28 from https://eprint.iacr.org/2010/354.pdf (beware typos!) 22 var t [6]E2 23 24 // Frobenius acts on fp2 by conjugation 25 t[0].Conjugate(&x.C0.B0) 26 t[1].Conjugate(&x.C0.B1) 27 t[2].Conjugate(&x.C0.B2) 28 t[3].Conjugate(&x.C1.B0) 29 t[4].Conjugate(&x.C1.B1) 30 t[5].Conjugate(&x.C1.B2) 31 32 t[1].MulByNonResidue1Power2(&t[1]) 33 t[2].MulByNonResidue1Power4(&t[2]) 34 t[3].MulByNonResidue1Power1(&t[3]) 35 t[4].MulByNonResidue1Power3(&t[4]) 36 t[5].MulByNonResidue1Power5(&t[5]) 37 38 z.C0.B0 = t[0] 39 z.C0.B1 = t[1] 40 z.C0.B2 = t[2] 41 z.C1.B0 = t[3] 42 z.C1.B1 = t[4] 43 z.C1.B2 = t[5] 44 45 return z 46 } 47 48 // FrobeniusSquare set z to Frobenius^2(x), and return z 49 func (z *E12) FrobeniusSquare(x *E12) *E12 { 50 // Algorithm 29 from https://eprint.iacr.org/2010/354.pdf (beware typos!) 51 var t [6]E2 52 53 t[1].MulByNonResidue2Power2(&x.C0.B1) 54 t[2].MulByNonResidue2Power4(&x.C0.B2) 55 t[3].MulByNonResidue2Power1(&x.C1.B0) 56 t[4].MulByNonResidue2Power3(&x.C1.B1) 57 t[5].MulByNonResidue2Power5(&x.C1.B2) 58 59 z.C0.B0 = x.C0.B0 60 z.C0.B1 = t[1] 61 z.C0.B2 = t[2] 62 z.C1.B0 = t[3] 63 z.C1.B1 = t[4] 64 z.C1.B2 = t[5] 65 66 return z 67 } 68 69 // MulByNonResidue1Power1 set z=x*(0,1)^(1*(p^1-1)/6) and return z 70 func (z *E2) MulByNonResidue1Power1(x *E2) *E2 { 71 b := fp.Element{ 72 9424304261440581301, 73 15622662318784019360, 74 5704744713545767383, 75 7376930514650170538, 76 2328236726423359970, 77 256435709676028998, 78 } 79 z.A0.Mul(&x.A0, &b) 80 z.A1.Mul(&x.A1, &b) 81 return z 82 } 83 84 // MulByNonResidue1Power2 set z=x*(0,1)^(2*(p^1-1)/6) and return z 85 func (z *E2) MulByNonResidue1Power2(x *E2) *E2 { 86 b := fp.Element{ 87 1263886799460835702, 88 3481310115429540252, 89 1430516082310201521, 90 10760454131030452261, 91 15881431079209118478, 92 56234068425139279, 93 } 94 z.A0.Mul(&x.A0, &b) 95 z.A1.Mul(&x.A1, &b) 96 return z 97 } 98 99 // MulByNonResidue1Power3 set z=x*(0,1)^(3*(p^1-1)/6) and return z 100 func (z *E2) MulByNonResidue1Power3(x *E2) *E2 { 101 b := fp.Element{ 102 6315024805150803022, 103 16048962212196301574, 104 10554832649293981783, 105 14109148363171599309, 106 4153042273623539198, 107 250647462785784749, 108 } 109 z.A0.Mul(&x.A0, &b) 110 z.A1.Mul(&x.A1, &b) 111 return z 112 } 113 114 // MulByNonResidue1Power4 set z=x*(0,1)^(4*(p^1-1)/6) and return z 115 func (z *E2) MulByNonResidue1Power4(x *E2) *E2 { 116 b := fp.Element{ 117 18229265454137549239, 118 11882161740266529218, 119 12635080069402934820, 120 1928134709134316785, 121 2524500224088382290, 122 27735392882694645, 123 } 124 z.A0.Mul(&x.A0, &b) 125 z.A1.Mul(&x.A1, &b) 126 return z 127 } 128 129 // MulByNonResidue1Power5 set z=x*(0,1)^(5*(p^1-1)/6) and return z 130 func (z *E2) MulByNonResidue1Power5(x *E2) *E2 { 131 b := fp.Element{ 132 7935976750720062874, 133 15312939023531261798, 134 15806716224795225087, 135 16245402142124945993, 136 7862827682069246910, 137 277569374620018935, 138 } 139 z.A0.Mul(&x.A0, &b) 140 z.A1.Mul(&x.A1, &b) 141 return z 142 } 143 144 // MulByNonResidue2Power1 set z=x*(0,1)^(1*(p^2-1)/6) and return z 145 func (z *E2) MulByNonResidue2Power1(x *E2) *E2 { 146 b := fp.Element{ 147 1263886799460835702, 148 3481310115429540252, 149 1430516082310201521, 150 10760454131030452261, 151 15881431079209118478, 152 56234068425139279, 153 } 154 z.A0.Mul(&x.A0, &b) 155 z.A1.Mul(&x.A1, &b) 156 return z 157 } 158 159 // MulByNonResidue2Power2 set z=x*(0,1)^(2*(p^2-1)/6) and return z 160 func (z *E2) MulByNonResidue2Power2(x *E2) *E2 { 161 b := fp.Element{ 162 18229265454137549239, 163 11882161740266529218, 164 12635080069402934820, 165 1928134709134316785, 166 2524500224088382290, 167 27735392882694645, 168 } 169 z.A0.Mul(&x.A0, &b) 170 z.A1.Mul(&x.A1, &b) 171 return z 172 } 173 174 // MulByNonResidue2Power3 set z=x*(0,1)^(3*(p^2-1)/6) and return z 175 func (z *E2) MulByNonResidue2Power3(x *E2) *E2 { 176 b := fp.Element{ 177 9563890787977003074, 178 4840746681246416935, 179 3714448202430192371, 180 680864871707381747, 181 11127835353457883110, 182 254858945967818549, 183 } 184 z.A0.Mul(&x.A0, &b) 185 z.A1.Mul(&x.A1, &b) 186 return z 187 } 188 189 // MulByNonResidue2Power4 set z=x*(0,1)^(4*(p^2-1)/6) and return z 190 func (z *E2) MulByNonResidue2Power4(x *E2) *E2 { 191 b := fp.Element{ 192 9781369407549005451, 193 11405329014689439332, 194 9526112206736809166, 195 17199474236282616577, 196 8603335129369500819, 197 227123553085123904, 198 } 199 z.A0.Mul(&x.A0, &b) 200 z.A1.Mul(&x.A1, &b) 201 return z 202 } 203 204 // MulByNonResidue2Power5 set z=x*(0,1)^(5*(p^2-1)/6) and return z 205 func (z *E2) MulByNonResidue2Power5(x *E2) *E2 { 206 b := fp.Element{ 207 11262734826581843530, 208 3004477389852450365, 209 16768292293353627483, 210 7585049584469200436, 211 3513521910780685392, 212 255622228627568539, 213 } 214 z.A0.Mul(&x.A0, &b) 215 z.A1.Mul(&x.A1, &b) 216 return z 217 }