github.com/consensys/gnark-crypto@v0.14.0/ecc/bls12-381/fp/element_ops_amd64.go (about) 1 //go:build !purego 2 // +build !purego 3 4 // Copyright 2020 ConsenSys Software Inc. 5 // 6 // Licensed under the Apache License, Version 2.0 (the "License"); 7 // you may not use this file except in compliance with the License. 8 // You may obtain a copy of the License at 9 // 10 // http://www.apache.org/licenses/LICENSE-2.0 11 // 12 // Unless required by applicable law or agreed to in writing, software 13 // distributed under the License is distributed on an "AS IS" BASIS, 14 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 // See the License for the specific language governing permissions and 16 // limitations under the License. 17 18 // Code generated by consensys/gnark-crypto DO NOT EDIT 19 20 package fp 21 22 //go:noescape 23 func MulBy3(x *Element) 24 25 //go:noescape 26 func MulBy5(x *Element) 27 28 //go:noescape 29 func MulBy13(x *Element) 30 31 //go:noescape 32 func mul(res, x, y *Element) 33 34 //go:noescape 35 func fromMont(res *Element) 36 37 //go:noescape 38 func reduce(res *Element) 39 40 // Butterfly sets 41 // 42 // a = a + b (mod q) 43 // b = a - b (mod q) 44 // 45 //go:noescape 46 func Butterfly(a, b *Element) 47 48 // Mul z = x * y (mod q) 49 // 50 // x and y must be less than q 51 func (z *Element) Mul(x, y *Element) *Element { 52 53 // Implements CIOS multiplication -- section 2.3.2 of Tolga Acar's thesis 54 // https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf 55 // 56 // The algorithm: 57 // 58 // for i=0 to N-1 59 // C := 0 60 // for j=0 to N-1 61 // (C,t[j]) := t[j] + x[j]*y[i] + C 62 // (t[N+1],t[N]) := t[N] + C 63 // 64 // C := 0 65 // m := t[0]*q'[0] mod D 66 // (C,_) := t[0] + m*q[0] 67 // for j=1 to N-1 68 // (C,t[j-1]) := t[j] + m*q[j] + C 69 // 70 // (C,t[N-1]) := t[N] + C 71 // t[N] := t[N+1] + C 72 // 73 // → N is the number of machine words needed to store the modulus q 74 // → D is the word size. For example, on a 64-bit architecture D is 2 64 75 // → x[i], y[i], q[i] is the ith word of the numbers x,y,q 76 // → q'[0] is the lowest word of the number -q⁻¹ mod r. This quantity is pre-computed, as it does not depend on the inputs. 77 // → t is a temporary array of size N+2 78 // → C, S are machine words. A pair (C,S) refers to (hi-bits, lo-bits) of a two-word number 79 // 80 // As described here https://hackmd.io/@gnark/modular_multiplication we can get rid of one carry chain and simplify: 81 // (also described in https://eprint.iacr.org/2022/1400.pdf annex) 82 // 83 // for i=0 to N-1 84 // (A,t[0]) := t[0] + x[0]*y[i] 85 // m := t[0]*q'[0] mod W 86 // C,_ := t[0] + m*q[0] 87 // for j=1 to N-1 88 // (A,t[j]) := t[j] + x[j]*y[i] + A 89 // (C,t[j-1]) := t[j] + m*q[j] + C 90 // 91 // t[N-1] = C + A 92 // 93 // This optimization saves 5N + 2 additions in the algorithm, and can be used whenever the highest bit 94 // of the modulus is zero (and not all of the remaining bits are set). 95 96 mul(z, x, y) 97 return z 98 } 99 100 // Square z = x * x (mod q) 101 // 102 // x must be less than q 103 func (z *Element) Square(x *Element) *Element { 104 // see Mul for doc. 105 mul(z, x, x) 106 return z 107 }