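// Copyright 2020 ConsenSys AG
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package fptower

import "github.com/consensys/gnark-crypto/ecc/bls12-381/fp"

// Frobenius sets z to Frobenius(x), the p-power Frobenius of x, and returns z.
//
// z may alias x: every coordinate of x is copied into the scratch array t
// before z is written.
func (z *E12) Frobenius(x *E12) *E12 {
	// Algorithm 28 from https://eprint.iacr.org/2010/354.pdf (beware typos!)
	var t [6]E2

	// Frobenius acts on fp2 by conjugation
	t[0].Conjugate(&x.C0.B0)
	t[1].Conjugate(&x.C0.B1)
	t[2].Conjugate(&x.C0.B2)
	t[3].Conjugate(&x.C1.B0)
	t[4].Conjugate(&x.C1.B1)
	t[5].Conjugate(&x.C1.B2)

	// Each conjugated coordinate is then scaled by (1,1)^(i*(p-1)/6); the
	// exponent i depends on the coordinate's position in the tower, which is
	// why the powers appear in the order 2, 4, 1, 3, 5 (C0.B0 needs none).
	t[1].MulByNonResidue1Power2(&t[1])
	t[2].MulByNonResidue1Power4(&t[2])
	t[3].MulByNonResidue1Power1(&t[3])
	t[4].MulByNonResidue1Power3(&t[4])
	t[5].MulByNonResidue1Power5(&t[5])

	z.C0.B0 = t[0]
	z.C0.B1 = t[1]
	z.C0.B2 = t[2]
	z.C1.B0 = t[3]
	z.C1.B1 = t[4]
	z.C1.B2 = t[5]

	return z
}

// FrobeniusSquare sets z to Frobenius^2(x) and returns z.
//
// No scratch space is needed here: every output coordinate depends only on
// the input coordinate at the same position, so z may alias x.
func (z *E12) FrobeniusSquare(x *E12) *E12 {
	// Algorithm 29 from https://eprint.iacr.org/2010/354.pdf (beware typos!)

	z.C0.B0 = x.C0.B0
	z.C0.B1.MulByNonResidue2Power2(&x.C0.B1)
	z.C0.B2.MulByNonResidue2Power4(&x.C0.B2)
	z.C1.B0.MulByNonResidue2Power1(&x.C1.B0)
	z.C1.B1.MulByNonResidue2Power3(&x.C1.B1)
	z.C1.B2.MulByNonResidue2Power5(&x.C1.B2)

	return z
}

// The Frobenius constants below are package-level vars because Go has no
// constant composite literals. They are read-only by contract and must never
// be written to; an accidental write would silently corrupt every Frobenius
// computation in the package. The decimal value of each constant is given in
// the comment above it; the limbs are the value's internal fp.Element
// representation.

// nonResidue1Power1 = (1,1)^(1*(p^1-1)/6)
// (3850754370037169011952147076051364057158807420970682438676050522613628423219637725072182697113062777891589506424760,151655185184498381465642749684540099398075398968325446656007613510403227271200139370504932015952886146304766135027)
var nonResidue1Power1 = E2{
	A0: fp.Element{
		506819140503852133,
		14297063575771579155,
		10946065744702939791,
		11771194236670323182,
		2081670087578406477,
		644615147456521963,
	},
	A1: fp.Element{
		12895611875574011462,
		6359822009455181036,
		14936352902570693524,
		13914887797453940944,
		3330433690892295817,
		1229183470191017903,
	},
}

// MulByNonResidue1Power1 sets z=x*(1,1)^(1*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power1(x *E2) *E2 {
	z.Mul(x, &nonResidue1Power1)
	return z
}

// nonResidue1Power2 = (1,1)^(2*(p^1-1)/6)
// (0,4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436)
//
// A0 is zero, so only A1 is set; the zero-value fp.Element is the field zero.
// A1 has the same limbs as nonResidue2Power4.
var nonResidue1Power2 = E2{
	A1: fp.Element{
		14772873186050699377,
		6749526151121446354,
		6372666795664677781,
		10283423008382700446,
		286397964926079186,
		1796971870900422465,
	},
}

// MulByNonResidue1Power2 sets z=x*(1,1)^(2*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power2(x *E2) *E2 {
	z.Mul(x, &nonResidue1Power2)
	return z
}

// nonResidue1Power3 = (1,1)^(3*(p^1-1)/6)
// (1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257,1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257)
//
// Both coordinates are equal.
var nonResidue1Power3 = E2{
	A0: fp.Element{
		8921533702591418330,
		15859389534032789116,
		3389114680249073393,
		15116930867080254631,
		3288288975085550621,
		1021049300055853010,
	},
	A1: fp.Element{
		8921533702591418330,
		15859389534032789116,
		3389114680249073393,
		15116930867080254631,
		3288288975085550621,
		1021049300055853010,
	},
}

// MulByNonResidue1Power3 sets z=x*(1,1)^(3*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power3(x *E2) *E2 {
	z.Mul(x, &nonResidue1Power3)
	return z
}

// nonResidue1Power4 = (1,1)^(4*(p^1-1)/6), which lies in fp:
// 4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437
//
// Same limbs as nonResidue2Power5.
var nonResidue1Power4 = fp.Element{
	9875771541238924739,
	3094855109658912213,
	5802897354862067244,
	11677019699073781796,
	1505592401347711080,
	1505729768134575418,
}

// MulByNonResidue1Power4 sets z=x*(1,1)^(4*(p^1-1)/6) and returns z.
//
// The constant is an fp element, so each coordinate is scaled directly
// instead of going through a full E2 multiplication.
func (z *E2) MulByNonResidue1Power4(x *E2) *E2 {
	z.A0.Mul(&x.A0, &nonResidue1Power4)
	z.A1.Mul(&x.A1, &nonResidue1Power4)
	return z
}

// nonResidue1Power5 = (1,1)^(5*(p^1-1)/6)
// (877076961050607968509681729531255177986764537961432449499635504522207616027455086505066378536590128544573588734230,3125332594171059424908108096204648978570118281977575435832422631601824034463382777937621250592425535493320683825557)
var nonResidue1Power5 = E2{
	A0: fp.Element{
		9428352843095270463,
		11709709036094816655,
		14335180424952013185,
		8441381030041026197,
		5369959062663957099,
		1665664447512374973,
	},
	A1: fp.Element{
		3974078172982593132,
		8947176549131943536,
		11547238222321620130,
		17244701004083237929,
		42144715806745195,
		208134170135164893,
	},
}

// MulByNonResidue1Power5 sets z=x*(1,1)^(5*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power5(x *E2) *E2 {
	z.Mul(x, &nonResidue1Power5)
	return z
}

// nonResidue2Power1 = (1,1)^(1*(p^2-1)/6), which lies in fp:
// 793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620351
var nonResidue2Power1 = fp.Element{
	17076301903736715834,
	13907359434105313836,
	1063007777899403918,
	15402659025741563681,
	5125705813544623108,
	76826746747117401,
}

// MulByNonResidue2Power1 sets z=x*(1,1)^(1*(p^2-1)/6) and returns z.
func (z *E2) MulByNonResidue2Power1(x *E2) *E2 {
	z.A0.Mul(&x.A0, &nonResidue2Power1)
	z.A1.Mul(&x.A1, &nonResidue2Power1)
	return z
}

// nonResidue2Power2 = (1,1)^(2*(p^2-1)/6), which lies in fp:
// 793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350
var nonResidue2Power2 = fp.Element{
	3526659474838938856,
	17562030475567847978,
	1632777218702014455,
	14009062335050482331,
	3906511377122991214,
	368068849512964448,
}

// MulByNonResidue2Power2 sets z=x*(1,1)^(2*(p^2-1)/6) and returns z.
func (z *E2) MulByNonResidue2Power2(x *E2) *E2 {
	z.A0.Mul(&x.A0, &nonResidue2Power2)
	z.A1.Mul(&x.A1, &nonResidue2Power2)
	return z
}

// nonResidue2Power3 = (1,1)^(3*(p^2-1)/6), which lies in fp:
// 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559786
var nonResidue2Power3 = fp.Element{
	4897101644811774638,
	3654671041462534141,
	569769440802610537,
	17053147383018470266,
	17227549637287919721,
	291242102765847046,
}

// MulByNonResidue2Power3 sets z=x*(1,1)^(3*(p^2-1)/6) and returns z.
func (z *E2) MulByNonResidue2Power3(x *E2) *E2 {
	z.A0.Mul(&x.A0, &nonResidue2Power3)
	z.A1.Mul(&x.A1, &nonResidue2Power3)
	return z
}

// nonResidue2Power4 = (1,1)^(4*(p^2-1)/6), which lies in fp:
// 4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436
var nonResidue2Power4 = fp.Element{
	14772873186050699377,
	6749526151121446354,
	6372666795664677781,
	10283423008382700446,
	286397964926079186,
	1796971870900422465,
}

// MulByNonResidue2Power4 sets z=x*(1,1)^(4*(p^2-1)/6) and returns z.
func (z *E2) MulByNonResidue2Power4(x *E2) *E2 {
	z.A0.Mul(&x.A0, &nonResidue2Power4)
	z.A1.Mul(&x.A1, &nonResidue2Power4)
	return z
}

// nonResidue2Power5 = (1,1)^(5*(p^2-1)/6), which lies in fp:
// 4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437
var nonResidue2Power5 = fp.Element{
	9875771541238924739,
	3094855109658912213,
	5802897354862067244,
	11677019699073781796,
	1505592401347711080,
	1505729768134575418,
}

// MulByNonResidue2Power5 sets z=x*(1,1)^(5*(p^2-1)/6) and returns z.
func (z *E2) MulByNonResidue2Power5(x *E2) *E2 {
	z.A0.Mul(&x.A0, &nonResidue2Power5)
	z.A1.Mul(&x.A1, &nonResidue2Power5)
	return z
}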