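// Copyright 2020 ConsenSys AG
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package fptower

import "github.com/consensys/gnark-crypto/ecc/bn254/fp"

// Frobenius sets z to Frobenius(x), the p-power Frobenius endomorphism applied
// to x, and returns z.
//
// The result is assembled in a local temporary before being written to z, so z
// may alias x.
func (z *E12) Frobenius(x *E12) *E12 {
	// Algorithm 28 from https://eprint.iacr.org/2010/354.pdf
	var t [6]E2

	// Frobenius acts on fp2 by conjugation
	t[0].Conjugate(&x.C0.B0)
	t[1].Conjugate(&x.C0.B1)
	t[2].Conjugate(&x.C0.B2)
	t[3].Conjugate(&x.C1.B0)
	t[4].Conjugate(&x.C1.B1)
	t[5].Conjugate(&x.C1.B2)

	// each conjugated coefficient is then scaled by the matching power of the
	// non-residue; the exponents follow the tower layout (C0.B0 needs none)
	t[1].MulByNonResidue1Power2(&t[1])
	t[2].MulByNonResidue1Power4(&t[2])
	t[3].MulByNonResidue1Power1(&t[3])
	t[4].MulByNonResidue1Power3(&t[4])
	t[5].MulByNonResidue1Power5(&t[5])

	z.C0.B0 = t[0]
	z.C0.B1 = t[1]
	z.C0.B2 = t[2]
	z.C1.B0 = t[3]
	z.C1.B1 = t[4]
	z.C1.B2 = t[5]

	return z
}

// FrobeniusSquare sets z to Frobenius^2(x) and returns z.
//
// Frobenius^2 acts trivially on fp2 (no conjugation is needed), so each
// coefficient of x is only scaled by a power of the non-residue. Every field of
// x is read exactly once, immediately before the corresponding field of z is
// written, so z may alias x as long as fp.Element.Mul tolerates aliasing of its
// receiver and first argument (assumed, as in the rest of this package; verify
// against fp).
func (z *E12) FrobeniusSquare(x *E12) *E12 {
	// Algorithm 29 from https://eprint.iacr.org/2010/354.pdf
	z.C0.B0 = x.C0.B0
	z.C0.B1.MulByNonResidue2Power2(&x.C0.B1)
	z.C0.B2.MulByNonResidue2Power4(&x.C0.B2)
	z.C1.B0.MulByNonResidue2Power1(&x.C1.B0)
	z.C1.B1.MulByNonResidue2Power3(&x.C1.B1)
	z.C1.B2.MulByNonResidue2Power5(&x.C1.B2)

	return z
}

// FrobeniusCube sets z to Frobenius^3(x) and returns z.
//
// The result is assembled in a local temporary before being written to z, so z
// may alias x.
func (z *E12) FrobeniusCube(x *E12) *E12 {
	// Algorithm 30 from https://eprint.iacr.org/2010/354.pdf
	var t [6]E2

	// Frobenius^3 acts on fp2 by conjugation
	t[0].Conjugate(&x.C0.B0)
	t[1].Conjugate(&x.C0.B1)
	t[2].Conjugate(&x.C0.B2)
	t[3].Conjugate(&x.C1.B0)
	t[4].Conjugate(&x.C1.B1)
	t[5].Conjugate(&x.C1.B2)

	// same exponent layout as Frobenius, with the p^3 coefficients
	t[1].MulByNonResidue3Power2(&t[1])
	t[2].MulByNonResidue3Power4(&t[2])
	t[3].MulByNonResidue3Power1(&t[3])
	t[4].MulByNonResidue3Power3(&t[4])
	t[5].MulByNonResidue3Power5(&t[5])

	z.C0.B0 = t[0]
	z.C0.B1 = t[1]
	z.C0.B2 = t[2]
	z.C1.B0 = t[3]
	z.C1.B1 = t[4]
	z.C1.B2 = t[5]

	return z
}

// Precomputed Frobenius coefficients (9,1)^(k*(p^i-1)/6) for i = 1, 2, 3 and
// k = 1..5. Declaring them here instead of in the functions allows the
// MulByNonResidue*Power* calls to be inlined.
//
// The p^2 coefficients lie in fp (their second coordinate is zero), so they are
// stored as plain fp.Element values and applied coordinate-wise.
//
// Each value is given as fp.Element limbs; the decimal value it encodes is in
// the comment immediately above it in init. Any edit to a limb must be checked
// against that decimal value and against the Frobenius tests of this package:
// a wrong coefficient silently breaks pairing computations that rely on it.
var (
	nonRes1Pow1to5 [5]E2
	nonRes2Pow1To5 [5]fp.Element
	nonRes3Pow1To5 [5]E2
)

func init() {
	// (11697423496358154304825782922584725312912383441159505038794027105778954184319,303847389135065887422783454877609941456349188919719272345083954437860409601)
	nonRes3Pow1To5[0] = E2{
		A0: fp.Element{
			3914496794763385213,
			790120733010914719,
			7322192392869644725,
			581366264293887267,
		},
		A1: fp.Element{
			12817045492518885689,
			4440270538777280383,
			11178533038884588256,
			2767537931541304486,
		},
	}

	// (3772000881919853776433695186713858239009073593817195771773381919316419345261,2236595495967245188281701248203181795121068902605861227855261137820944008926)
	nonRes3Pow1To5[1] = E2{
		A0: fp.Element{
			14532872967180610477,
			12903226530429559474,
			1868623743233345524,
			2316889217940299650,
		},
		A1: fp.Element{
			12447993766991532972,
			4121872836076202828,
			7630813605053367399,
			740282956577754197,
		},
	}

	// (19066677689644738377698246183563772429336693972053703295610958340458742082029,18382399103927718843559375435273026243156067647398564021675359801612095278180)
	nonRes3Pow1To5[2] = E2{
		A0: fp.Element{
			6297350639395948318,
			15875321927225446337,
			9702569988553770230,
			805825149519570764,
		},
		A1: fp.Element{
			11117433864585119104,
			10363184613815941297,
			5420513773305887730,
			278429812070195549,
		},
	}

	// (5324479202449903542726783395506214481928257762400643279780343368557297135718,16208900380737693084919495127334387981393726419856888799917914180988844123039)
	nonRes3Pow1To5[3] = E2{
		A0: fp.Element{
			4938922280314430175,
			13823286637238282975,
			15589480384090068090,
			481952561930628184,
		},
		A1: fp.Element{
			3105754162722846417,
			11647802298615474591,
			13057042392041828081,
			1660844386505564338,
		},
	}

	// (8941241848238582420466759817324047081148088512956452953208002715982955420483,10338197737521362862238855242243140895517409139741313354160881284257516364953)
	nonRes3Pow1To5[4] = E2{
		A0: fp.Element{
			16193900971494954399,
			13995139551301264911,
			9239559758168096094,
			1571199014989505406,
		},
		A1: fp.Element{
			3254114329011132839,
			11171599147282597747,
			10965492220518093659,
			2657556514797346915,
		},
	}

	// (8376118865763821496583973867626364092589906065868298776909617916018768340080,16469823323077808223889137241176536799009286646108169935659301613961712198316)
	nonRes1Pow1to5[0] = E2{
		A0: fp.Element{
			12653890742059813127,
			14585784200204367754,
			1278438861261381767,
			212598772761311868,
		},
		A1: fp.Element{
			11683091849979440498,
			14992204589386555739,
			15866167890766973222,
			1200023580730561873,
		},
	}

	// (21575463638280843010398324269430826099269044274347216827212613867836435027261,10307601595873709700152284273816112264069230130616436755625194854815875713954)
	nonRes1Pow1to5[1] = E2{
		A0: fp.Element{
			13075984984163199792,
			3782902503040509012,
			8791150885551868305,
			1825854335138010348,
		},
		A1: fp.Element{
			7963664994991228759,
			12257807996192067905,
			13179524609921305146,
			2767831111890561987,
		},
	}

	// (2821565182194536844548159561693502659359617185244120367078079554186484126554,3505843767911556378687030309984248845540243509899259641013678093033130930403)
	nonRes1Pow1to5[2] = E2{
		A0: fp.Element{
			16482010305593259561,
			13488546290961988299,
			3578621962720924518,
			2681173117283399901,
		},
		A1: fp.Element{
			11661927080404088775,
			553939530661941723,
			7860678177968807019,
			3208568454732775116,
		},
	}

	// (2581911344467009335267311115468803099551665605076196740867805258568234346338,19937756971775647987995932169929341994314640652964949448313374472400716661030)
	nonRes1Pow1to5[3] = E2{
		A0: fp.Element{
			8314163329781907090,
			11942187022798819835,
			11282677263046157209,
			1576150870752482284,
		},
		A1: fp.Element{
			6763840483288992073,
			7118829427391486816,
			4016233444936635065,
			2630958277570195709,
		},
	}

	// (685108087231508774477564247770172212460312782337200605669322048753928464687,8447204650696766136447902020341177575205426561248465145919723016860428151883)
	nonRes1Pow1to5[4] = E2{
		A0: fp.Element{
			14515217250696892391,
			16303087968080972555,
			3656613296917993960,
			1345095164996126785,
		},
		A1: fp.Element{
			957117326806663081,
			367382125163301975,
			15253872307375509749,
			3396254757538665050,
		},
	}

	// 21888242871839275220042445260109153167277707414472061641714758635765020556617
	nonRes2Pow1To5[0] = fp.Element{
		14595462726357228530,
		17349508522658994025,
		1017833795229664280,
		299787779797702374,
	}

	// 21888242871839275220042445260109153167277707414472061641714758635765020556616
	nonRes2Pow1To5[1] = fp.Element{
		3697675806616062876,
		9065277094688085689,
		6918009208039626314,
		2775033306905974752,
	}

	// 21888242871839275222246405745257275088696311157297823662689037894645226208582
	nonRes2Pow1To5[2] = fp.Element{
		7548957153968385962,
		10162512645738643279,
		5900175412809962033,
		2475245527108272378,
	}

	// 2203960485148121921418603742825762020974279258880205651966
	nonRes2Pow1To5[3] = fp.Element{
		8183898218631979349,
		12014359695528440611,
		12263358156045030468,
		3187210487005268291,
	}

	// 2203960485148121921418603742825762020974279258880205651967
	nonRes2Pow1To5[4] = fp.Element{
		634941064663593387,
		1851847049789797332,
		6363182743235068435,
		711964959896995913,
	}
}

// MulByNonResidue1Power1 sets z=x*(9,1)^(1*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power1(x *E2) *E2 {
	// (8376118865763821496583973867626364092589906065868298776909617916018768340080,16469823323077808223889137241176536799009286646108169935659301613961712198316)
	z.Mul(x, &nonRes1Pow1to5[0])
	return z
}

// MulByNonResidue1Power2 sets z=x*(9,1)^(2*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power2(x *E2) *E2 {
	// (21575463638280843010398324269430826099269044274347216827212613867836435027261,10307601595873709700152284273816112264069230130616436755625194854815875713954)
	z.Mul(x, &nonRes1Pow1to5[1])
	return z
}

// MulByNonResidue1Power3 sets z=x*(9,1)^(3*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power3(x *E2) *E2 {
	// (2821565182194536844548159561693502659359617185244120367078079554186484126554,3505843767911556378687030309984248845540243509899259641013678093033130930403)
	z.Mul(x, &nonRes1Pow1to5[2])
	return z
}

// MulByNonResidue1Power4 sets z=x*(9,1)^(4*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power4(x *E2) *E2 {
	// (2581911344467009335267311115468803099551665605076196740867805258568234346338,19937756971775647987995932169929341994314640652964949448313374472400716661030)
	z.Mul(x, &nonRes1Pow1to5[3])
	return z
}

// MulByNonResidue1Power5 sets z=x*(9,1)^(5*(p^1-1)/6) and returns z.
func (z *E2) MulByNonResidue1Power5(x *E2) *E2 {
	// (685108087231508774477564247770172212460312782337200605669322048753928464687,8447204650696766136447902020341177575205426561248465145919723016860428151883)
	z.Mul(x, &nonRes1Pow1to5[4])
	return z
}

// MulByNonResidue2Power1 sets z=x*(9,1)^(1*(p^2-1)/6) and returns z.
//
// The coefficient lies in fp, so the product is a coordinate-wise scaling of x.
func (z *E2) MulByNonResidue2Power1(x *E2) *E2 {
	// 21888242871839275220042445260109153167277707414472061641714758635765020556617
	z.A0.Mul(&x.A0, &nonRes2Pow1To5[0])
	z.A1.Mul(&x.A1, &nonRes2Pow1To5[0])
	return z
}

// MulByNonResidue2Power2 sets z=x*(9,1)^(2*(p^2-1)/6) and returns z.
//
// The coefficient lies in fp, so the product is a coordinate-wise scaling of x.
func (z *E2) MulByNonResidue2Power2(x *E2) *E2 {
	// 21888242871839275220042445260109153167277707414472061641714758635765020556616
	z.A0.Mul(&x.A0, &nonRes2Pow1To5[1])
	z.A1.Mul(&x.A1, &nonRes2Pow1To5[1])
	return z
}

// MulByNonResidue2Power3 sets z=x*(9,1)^(3*(p^2-1)/6) and returns z.
//
// The coefficient lies in fp, so the product is a coordinate-wise scaling of x.
func (z *E2) MulByNonResidue2Power3(x *E2) *E2 {
	// 21888242871839275222246405745257275088696311157297823662689037894645226208582
	z.A0.Mul(&x.A0, &nonRes2Pow1To5[2])
	z.A1.Mul(&x.A1, &nonRes2Pow1To5[2])
	return z
}

// MulByNonResidue2Power4 sets z=x*(9,1)^(4*(p^2-1)/6) and returns z.
//
// The coefficient lies in fp, so the product is a coordinate-wise scaling of x.
func (z *E2) MulByNonResidue2Power4(x *E2) *E2 {
	// 2203960485148121921418603742825762020974279258880205651966
	z.A0.Mul(&x.A0, &nonRes2Pow1To5[3])
	z.A1.Mul(&x.A1, &nonRes2Pow1To5[3])
	return z
}

// MulByNonResidue2Power5 sets z=x*(9,1)^(5*(p^2-1)/6) and returns z.
//
// The coefficient lies in fp, so the product is a coordinate-wise scaling of x.
func (z *E2) MulByNonResidue2Power5(x *E2) *E2 {
	// 2203960485148121921418603742825762020974279258880205651967
	z.A0.Mul(&x.A0, &nonRes2Pow1To5[4])
	z.A1.Mul(&x.A1, &nonRes2Pow1To5[4])
	return z
}

// MulByNonResidue3Power1 sets z=x*(9,1)^(1*(p^3-1)/6) and returns z.
func (z *E2) MulByNonResidue3Power1(x *E2) *E2 {
	// (11697423496358154304825782922584725312912383441159505038794027105778954184319,303847389135065887422783454877609941456349188919719272345083954437860409601)
	z.Mul(x, &nonRes3Pow1To5[0])
	return z
}

// MulByNonResidue3Power2 sets z=x*(9,1)^(2*(p^3-1)/6) and returns z.
func (z *E2) MulByNonResidue3Power2(x *E2) *E2 {
	// (3772000881919853776433695186713858239009073593817195771773381919316419345261,2236595495967245188281701248203181795121068902605861227855261137820944008926)
	z.Mul(x, &nonRes3Pow1To5[1])
	return z
}

// MulByNonResidue3Power3 sets z=x*(9,1)^(3*(p^3-1)/6) and returns z.
func (z *E2) MulByNonResidue3Power3(x *E2) *E2 {
	// (19066677689644738377698246183563772429336693972053703295610958340458742082029,18382399103927718843559375435273026243156067647398564021675359801612095278180)
	z.Mul(x, &nonRes3Pow1To5[2])
	return z
}

// MulByNonResidue3Power4 sets z=x*(9,1)^(4*(p^3-1)/6) and returns z.
func (z *E2) MulByNonResidue3Power4(x *E2) *E2 {
	// (5324479202449903542726783395506214481928257762400643279780343368557297135718,16208900380737693084919495127334387981393726419856888799917914180988844123039)
	z.Mul(x, &nonRes3Pow1To5[3])
	return z
}

// MulByNonResidue3Power5 sets z=x*(9,1)^(5*(p^3-1)/6) and returns z.
func (z *E2) MulByNonResidue3Power5(x *E2) *E2 {
	// (8941241848238582420466759817324047081148088512956452953208002715982955420483,10338197737521362862238855242243140895517409139741313354160881284257516364953)
	z.Mul(x, &nonRes3Pow1To5[4])
	return z
}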