
     1  //go:build !purego
     2  // +build !purego
     3  
     4  // Copyright 2020 ConsenSys Software Inc.
     5  //
     6  // Licensed under the Apache License, Version 2.0 (the "License");
     7  // you may not use this file except in compliance with the License.
     8  // You may obtain a copy of the License at
     9  //
    10  //     http://www.apache.org/licenses/LICENSE-2.0
    11  //
    12  // Unless required by applicable law or agreed to in writing, software
    13  // distributed under the License is distributed on an "AS IS" BASIS,
    14  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15  // See the License for the specific language governing permissions and
    16  // limitations under the License.
    17  
    18  // Code generated by consensys/gnark-crypto DO NOT EDIT
    19  
    20  package fr
    21  
// MulBy3 is implemented in assembly for this architecture (this file is built
// only without the purego tag). From its name it presumably replaces x with
// 3*x (mod q) in place -- confirm against the assembly source. Nothing on the
// Go side validates that x is reduced before the call.
//
//go:noescape
func MulBy3(x *Element)
    24  
// MulBy5 is implemented in assembly for this architecture. From its name it
// presumably replaces x with 5*x (mod q) in place -- confirm against the
// assembly source. Nothing on the Go side validates that x is reduced.
//
//go:noescape
func MulBy5(x *Element)
    27  
// MulBy13 is implemented in assembly for this architecture. From its name it
// presumably replaces x with 13*x (mod q) in place -- confirm against the
// assembly source. Nothing on the Go side validates that x is reduced.
//
//go:noescape
func MulBy13(x *Element)
    30  
// mul stores x * y (mod q) into res. It is the assembly routine behind Mul and
// Square; Square passes x for both operands, so x and y may alias each other.
// Both inputs are expected to be less than q (see Mul's doc comment); the
// routine does not check this. The multiplication algorithm is described in
// the comment inside Mul.
//
//go:noescape
func mul(res, x, y *Element)
    33  
// fromMont is implemented in assembly for this architecture. From its name it
// presumably converts res out of Montgomery representation in place -- confirm
// against the assembly source.
//
//go:noescape
func fromMont(res *Element)
    36  
// reduce is implemented in assembly for this architecture. From its name it
// presumably reduces res modulo q in place -- confirm against the assembly
// source.
//
//go:noescape
func reduce(res *Element)
    39  
// Butterfly sets
//
//	a = a + b (mod q)
//	b = a - b (mod q)
//
// where both right-hand sides presumably use the input values of a and b
// -- confirm against the assembly source. Implemented in assembly for this
// architecture. NOTE(review): the reduced-input precondition documented for
// Mul likely applies here as well and is not checked on the Go side; confirm.
//
//go:noescape
func Butterfly(a, b *Element)
    47  
// Mul z = x * y (mod q)
//
// x and y must be less than q
//
// The assembly routine mul does the work; it does not validate the
// precondition, so the result is only guaranteed correct for fully reduced
// inputs. z is returned so calls can be chained.
func (z *Element) Mul(x, y *Element) *Element {

	// The assembly implements CIOS Montgomery multiplication -- section 2.3.2
	// of Tolga Acar's thesis
	// https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf
	//
	// Reference algorithm:
	//
	// for i=0 to N-1
	// 		C := 0
	// 		for j=0 to N-1
	// 			(C,t[j]) := t[j] + x[j]*y[i] + C
	// 		(t[N+1],t[N]) := t[N] + C
	//
	// 		C := 0
	// 		m := t[0]*q'[0] mod D
	// 		(C,_) := t[0] + m*q[0]
	// 		for j=1 to N-1
	// 			(C,t[j-1]) := t[j] + m*q[j] + C
	//
	// 		(C,t[N-1]) := t[N] + C
	// 		t[N] := t[N+1] + C
	//
	// Notation:
	// → N is the number of machine words needed to store the modulus q
	// → D is the word size; on a 64-bit architecture D is 2⁶⁴
	// → x[i], y[i], q[i] is the ith word of the numbers x,y,q
	// → q'[0] is the lowest word of the number -q⁻¹ mod r. This quantity is pre-computed, as it does not depend on the inputs.
	// → t is a temporary array of size N+2
	// → C, S are machine words. A pair (C,S) refers to (hi-bits, lo-bits) of a two-word number
	//
	// One carry chain can be dropped, as described at
	// https://hackmd.io/@gnark/modular_multiplication
	// (also in the annex of https://eprint.iacr.org/2022/1400.pdf):
	//
	// for i=0 to N-1
	// 		(A,t[0]) := t[0] + x[0]*y[i]
	// 		m := t[0]*q'[0] mod W
	// 		C,_ := t[0] + m*q[0]
	// 		for j=1 to N-1
	// 			(A,t[j])  := t[j] + x[j]*y[i] + A
	// 			(C,t[j-1]) := t[j] + m*q[j] + C
	//
	// 		t[N-1] = C + A
	//
	// This saves 5N + 2 additions and applies whenever the highest bit of the
	// modulus is zero (and not all of the remaining bits are set).

	res := z
	mul(res, x, y)
	return res
}
    99  
// Square z = x * x (mod q)
//
// x must be less than q
//
// Squaring reuses the assembly multiplier with both operands pointing at x;
// see Mul for the algorithm notes and the reduced-input precondition, which
// is not checked here either. z is returned so calls can be chained.
func (z *Element) Square(x *Element) *Element {
	res := z
	mul(res, x, x)
	return res
}