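// Package bw6633 efficient elliptic curve, pairing and hash to curve implementation for bw6-633.
//
// bw6-633: A Brezing--Weng curve (2-chain with bls24-315)
//
//	embedding degree k=6
//	seed x₀=-3218079743
//	𝔽p: p=20494478644167774678813387386538961497669590920908778075528754551012016751717791778743535050360001387419576570244406805463255765034468441182772056330021723098661967429339971741066259394985997
//	𝔽r: r=39705142709513438335025689890408969744933502416914749335064285505637884093126342347073617133569
//	(E/𝔽p): Y²=X³+4
//	(Eₜ/𝔽p): Y² = X³+8 (M-type twist)
//	r ∣ #E(Fp) and r ∣ #Eₜ(𝔽p)
//
// Extension fields tower:
//
//	𝔽p³[u] = 𝔽p/u³-2
//	𝔽p⁶[v] = 𝔽p³/v²-u
//
// case t % r % u = 0
//
// optimal Ate loops:
//
//	x₀+1, x₀^5-x₀^4-x₀
//
// Security: estimated 124-bit level following [https://eprint.iacr.org/2019/885.pdf]
// (r is 315 bits and p⁶ is 3798 bits)
//
// # Warning
//
// This code has not been audited and is provided as-is. In particular, there are no security guarantees such as constant time implementation or side-channel attack resistance.
package bw6633

import (
	"math/big"

	"github.com/consensys/gnark-crypto/ecc"
	"github.com/consensys/gnark-crypto/ecc/bw6-633/fp"
	"github.com/consensys/gnark-crypto/ecc/bw6-633/fr"
)

// ID is the curve identifier of bw6-633 (ecc.BW6_633).
const ID = ecc.BW6_633

// aCurveCoeff and bCurveCoeff are the a and b coefficients of the curve
// equation Y²=X³+ax+b over 𝔽p; they are set in init.
var (
	aCurveCoeff fp.Element
	bCurveCoeff fp.Element
)

// bTwistCurveCoeff is the b coefficient of the twist curve (defined over 𝔽p).
var bTwistCurveCoeff fp.Element

// Generators of the r-torsion group, resp. in ker(pi-id), ker(Tr),
// in Jacobian coordinates; set in init.
var (
	g1Gen G1Jac
	g2Gen G2Jac
)

// The same generators in affine coordinates, derived from g1Gen/g2Gen in init.
var (
	g1GenAff G1Affine
	g2GenAff G2Affine
)

// Points at infinity, represented as (X,Y,Z) = (1,1,0); set in init.
var (
	g1Infinity G1Jac
	g2Infinity G2Jac
)

// LoopCounter is the binary decomposition of the first optimal Ate loop
// length x₀+1 (taken in absolute value, the seed being negative).
var LoopCounter [159]int8

// LoopCounter1 is the NAF decomposition of the second optimal Ate loop
// length x₀⁵-x₀⁴-x₀ (taken in absolute value).
var LoopCounter1 [159]int8

// Parameters useful for the GLV scalar multiplication. The third roots define the
// endomorphisms ϕ₁ and ϕ₂ for <G1Affine> and <G2Affine>. lambda is such that <r, ϕ-λ> lies above
// <r> in the ring Z[ϕ]. More concretely it's the associated eigenvalue
// of ϕ₁ (resp ϕ₂) restricted to <G1Affine> (resp <G2Affine>)
// see https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/GLV.pdf
var (
	thirdRootOneG1 fp.Element
	thirdRootOneG2 fp.Element
	lambdaGLV      big.Int
)

// glvBasis stores R-linearly independent vectors (a,b), (c,d)
// in ker((u,v) → u+vλ[r]), and their determinant
var glvBasis ecc.Lattice

// xGen is the absolute value -x₀ of the (negative) curve seed.
var xGen big.Int

// init populates every package-level curve parameter from its hard-coded
// decimal representation.
//
// The big.Int constants are parsed through mustSetInt, which panics on a
// malformed literal instead of silently discarding the parse result: the
// values feed the Miller loop (LoopCounter1) and the GLV decomposition
// (lambdaGLV, glvBasis), and a constant left at its zero value would make
// pairings and scalar multiplications in this package wrong without any
// error being reported. Panicking during package initialisation is the
// conventional way to surface such an invariant violation.
func init() {
	// mustSetInt parses the decimal literal s into z, aborting package
	// initialisation if the literal is not a valid base-10 integer.
	mustSetInt := func(z *big.Int, s string) *big.Int {
		if _, ok := z.SetString(s, 10); !ok {
			panic("bw6633: malformed decimal constant " + s)
		}
		return z
	}

	aCurveCoeff.SetUint64(0)
	bCurveCoeff.SetUint64(4)
	bTwistCurveCoeff.SetUint64(8) // M-twist

	// E1(2,y)*cofactor
	g1Gen.X.SetString("14087405796052437206213362229855313116771222912153372774869400386285407949123477431442535997951698710614498307938219633856996133201713506830167161540335446217605918678317160130862890417553415")
	g1Gen.Y.SetString("5208886161111258314476333487866604447704068601830026647530443033297117148121067806438008469463787158470000157308702133756065259580313172904438248825389121766442385979570644351664733475122746")
	g1Gen.Z.SetOne()

	// E2(2,y)*cofactor
	g2Gen.X.SetString("13658793733252505713431834233072715040674666715141692574468286839081203251180283741830175712695426047062165811313478642863696265647598838732554425602399576125615559121457137320131899043374497")
	g2Gen.Y.SetString("599560264833409786573595720823495699033661029721475252751314180543773745554433461106678360045466656230822473390866244089461950086268801746497554519984580043036179195728559548424763890207250")
	g2Gen.Z.SetOne()

	g1GenAff.FromJacobian(&g1Gen)
	g2GenAff.FromJacobian(&g2Gen)

	// Binary decomposition of x₀+1 (negative), least significant digit
	// first. Only the non-zero digits are listed; every other entry of
	// the array is zero. The digits encode
	// |x₀+1| = 2³² - 2³⁰ - 2²² + 2²⁰ - 2¹ = 3218079742.
	LoopCounter = [159]int8{1: -1, 20: 1, 22: -1, 30: -1, 32: 1}

	// x₀⁵-x₀⁴-x₀ (negative), NAF-decomposed into LoopCounter1.
	loop1 := mustSetInt(new(big.Int), "345131030376204096837580131803633448876874137601")
	ecc.NafDecomposition(loop1, LoopCounter1[:])

	// (X,Y,Z) = (1,1,0)
	g1Infinity.X.SetOne()
	g1Infinity.Y.SetOne()
	g2Infinity.X.SetOne()
	g2Infinity.Y.SetOne()

	thirdRootOneG1.SetString("4098895725012429242072311240482566844345873033931481129362557724405008256668293241245050359832461015092695507587185678086043587575438449040313411246717257958467499181450742260777082884928318") // (45-10*x+151*x²-187*x³+171*x⁴-49*x⁵-110*x⁶+430*x⁷-696*x⁸+702*x⁹-528*x¹⁰+201*x¹¹+144*x¹²-274*x¹³+181*x¹⁴-34*x¹⁵-63*x¹⁶+92*x¹⁷-56*x¹⁸+13*x¹⁹)/15
	// The G2 root is the square of the G1 root.
	thirdRootOneG2.Square(&thirdRootOneG1)
	mustSetInt(&lambdaGLV, "39705142672498995661671850106945620852186608752525090699191017895721506694646055668218723303426") // 1-x+2*x²-2*x³+3*x⁵-4*x⁶+4*x⁷-3*x⁸+x⁹
	rMod := fr.Modulus()
	ecc.PrecomputeLattice(rMod, &lambdaGLV, &glvBasis)

	// -x₀ (the seed itself is negative)
	mustSetInt(&xGen, "3218079743")
}

// Generators returns the generators of the r-torsion group, resp.
// in ker(pi-id), ker(Tr), in Jacobian and then affine coordinates.
// The returned values are copies of the package-level generators.
func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine) {
	return g1Gen, g2Gen, g1GenAff, g2GenAff
}

// CurveCoefficients returns the a, b coefficients of the curve equation Y²=X³+ax+b.
func CurveCoefficients() (a, b fp.Element) {
	return aCurveCoeff, bCurveCoeff
}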