github.com/consensys/gnark-crypto@v0.14.0/ecc/bw6-756/internal/fptower/e6_pairing.go (about) 1 package fptower 2 3 import "github.com/consensys/gnark-crypto/ecc/bw6-756/fp" 4 5 func (z *E6) nSquare(n int) { 6 for i := 0; i < n; i++ { 7 z.CyclotomicSquare(z) 8 } 9 } 10 11 func (z *E6) nSquareCompressed(n int) { 12 for i := 0; i < n; i++ { 13 z.CyclotomicSquareCompressed(z) 14 } 15 } 16 17 // ExptMinus1 set z to x^t in E6 and return z 18 // t-1 = 11045256207009841152 19 func (z *E6) ExptMinus1(x *E6) *E6 { 20 21 var result, t0, t1 E6 22 23 result.CyclotomicSquare(x) 24 result.nSquare(2) 25 t0.Mul(x, &result) 26 t1.CyclotomicSquare(&t0) 27 t1.nSquare(2) 28 result.Mul(&t0, &t1) 29 t1.Mul(&t1, &result) 30 t1.nSquare(5) 31 t0.Mul(&t0, &t1) 32 t0.nSquare(10) 33 result.Mul(&result, &t0) 34 result.nSquareCompressed(41) 35 result.DecompressKarabina(&result) 36 z.Set(&result) 37 38 return z 39 } 40 41 // ExptMinus1Square set z to x^t in E6 and return z 42 // (t-1)^2 = 121997684678489422939424157776272687104 43 func (z *E6) ExptMinus1Square(x *E6) *E6 { 44 var result, t0, t1, t2, t3 E6 45 result.CyclotomicSquare(x) 46 t0.Mul(x, &result) 47 result.CyclotomicSquare(&t0) 48 t0.Mul(&t0, &result) 49 result.Mul(&result, &t0) 50 t1.CyclotomicSquare(&result) 51 t1.nSquare(2) 52 t0.Mul(&t0, &t1) 53 result.Mul(&result, &t0) 54 t0.Mul(&t0, &result) 55 result.Mul(&result, &t0) 56 t1.CyclotomicSquare(&result) 57 t1.Mul(&result, &t1) 58 t1.CyclotomicSquare(&t1) 59 t2.CyclotomicSquare(&t1) 60 t1.Mul(&t1, &t2) 61 t2.Mul(&t2, &t1) 62 t1.Mul(&t1, &t2) 63 t3.CyclotomicSquare(&t1) 64 t2.Mul(&t2, &t3) 65 t1.Mul(&t1, &t2) 66 t3.CyclotomicSquare(&t1) 67 t3.CyclotomicSquare(&t3) 68 t3.Mul(&t1, &t3) 69 t3.nSquare(2) 70 t2.Mul(&t2, &t3) 71 t2.nSquare(11) 72 t1.Mul(&t1, &t2) 73 t0.Mul(&t0, &t1) 74 t0.nSquare(13) 75 result.Mul(&result, &t0) 76 result.nSquareCompressed(82) 77 result.DecompressKarabina(&result) 78 z.Set(&result) 79 80 return z 81 } 82 83 // Expt set z to x^t in E6 and return z 84 // t = 11045256207009841153 85 func (z *E6) Expt(x *E6) *E6 { 86 var result E6 87 88 result.ExptMinus1(x) 89 result.Mul(&result, x) 90 z.Set(&result) 91 92 return z 93 } 94 95 // ExptPlus1 set z to x^(t+1) in E6 and return z 96 // t+1 = 11045256207009841154 97 func (z *E6) ExptPlus1(x *E6) *E6 { 98 var result, t E6 99 100 result.ExptMinus1(x) 101 t.CyclotomicSquare(x) 102 result.Mul(&result, &t) 103 z.Set(&result) 104 105 return z 106 } 107 108 // ExptMinus1Div3 set z to x^(t-1)/3 in E6 and return z 109 // (t-1)/3 = 3681752069003280384 110 func (z *E6) ExptMinus1Div3(x *E6) *E6 { 111 var result, t0, t1 E6 112 result.CyclotomicSquare(x) 113 t0.Mul(x, &result) 114 t1.CyclotomicSquare(&t0) 115 t1.nSquare(2) 116 result.Mul(&t0, &t1) 117 t1.Mul(&t1, &result) 118 t1.nSquare(5) 119 t0.Mul(&t0, &t1) 120 t0.nSquare(10) 121 result.Mul(&result, &t0) 122 result.nSquareCompressed(41) 123 result.DecompressKarabina(&result) 124 z.Set(&result) 125 126 return z 127 } 128 129 // MulBy014 multiplication by sparse element (c0,c1,0,0,c4,0) 130 func (z *E6) MulBy014(c0, c1, c4 *fp.Element) *E6 { 131 132 var a, b E3 133 var d fp.Element 134 135 a.Set(&z.B0) 136 a.MulBy01(c0, c1) 137 138 b.Set(&z.B1) 139 b.MulBy1(c4) 140 d.Add(c1, c4) 141 142 z.B1.Add(&z.B1, &z.B0) 143 z.B1.MulBy01(c0, &d) 144 z.B1.Sub(&z.B1, &a) 145 z.B1.Sub(&z.B1, &b) 146 z.B0.MulByNonResidue(&b) 147 z.B0.Add(&z.B0, &a) 148 149 return z 150 } 151 152 // MulBy01 multiplication by sparse element (c0, c1, 0, 0, 1) 153 func (z *E6) MulBy01(c0, c1 *fp.Element) *E6 { 154 155 var a, b E3 156 var d fp.Element 157 158 a.Set(&z.B0) 159 a.MulBy01(c0, c1) 160 161 b.MulByNonResidue(&z.B1) 162 d.SetOne().Add(c1, &d) 163 164 z.B1.Add(&z.B1, &z.B0) 165 z.B1.MulBy01(c0, &d) 166 z.B1.Sub(&z.B1, &a) 167 z.B1.Sub(&z.B1, &b) 168 z.B0.MulByNonResidue(&b) 169 z.B0.Add(&z.B0, &a) 170 171 return z 172 } 173 174 // Mul014By014 multiplication of sparse element (c0,c1,0,0,c4,0) by sparse element (d0,d1,0,0,d4,0) 175 func Mul014By014(d0, d1, d4, c0, c1, c4 *fp.Element) [5]fp.Element { 176 var z00, tmp, x0, x1, x4, x04, x01, x14 fp.Element 177 x0.Mul(c0, d0) 178 x1.Mul(c1, d1) 179 x4.Mul(c4, d4) 180 tmp.Add(c0, c4) 181 x04.Add(d0, d4). 182 Mul(&x04, &tmp). 183 Sub(&x04, &x0). 184 Sub(&x04, &x4) 185 tmp.Add(c0, c1) 186 x01.Add(d0, d1). 187 Mul(&x01, &tmp). 188 Sub(&x01, &x0). 189 Sub(&x01, &x1) 190 tmp.Add(c1, c4) 191 x14.Add(d1, d4). 192 Mul(&x14, &tmp). 193 Sub(&x14, &x1). 194 Sub(&x14, &x4) 195 196 z00.MulByNonResidue(&x4). 197 Add(&z00, &x0) 198 199 return [5]fp.Element{z00, x01, x1, x04, x14} 200 } 201 202 // Mul01By01 multiplication of sparse element (c0,c1,0,0,1,0) by sparse element (d0,d1,0,0,1,0) 203 func Mul01By01(d0, d1, c0, c1 *fp.Element) [5]fp.Element { 204 var z00, tmp, x0, x1, x4, x04, x01, x14 fp.Element 205 x0.Mul(c0, d0) 206 x1.Mul(c1, d1) 207 x4.SetOne() 208 x04.Add(d0, c0) 209 tmp.Add(c0, c1) 210 x01.Add(d0, d1). 211 Mul(&x01, &tmp). 212 Sub(&x01, &x0). 213 Sub(&x01, &x1) 214 x14.Add(d1, c1) 215 216 z00.MulByNonResidue(&x4). 217 Add(&z00, &x0) 218 219 return [5]fp.Element{z00, x01, x1, x04, x14} 220 } 221 222 // MulBy01245 multiplies z by an E12 sparse element of the form (x0, x1, x2, 0, x4, x5) 223 func (z *E6) MulBy01245(x *[5]fp.Element) *E6 { 224 var c1, a, b, c, z0, z1 E3 225 c0 := &E3{A0: x[0], A1: x[1], A2: x[2]} 226 c1.A1 = x[3] 227 c1.A2 = x[4] 228 a.Add(&z.B0, &z.B1) 229 b.Add(c0, &c1) 230 a.Mul(&a, &b) 231 b.Mul(&z.B0, c0) 232 c.Set(&z.B1).MulBy12(&x[3], &x[4]) 233 z1.Sub(&a, &b) 234 z1.Sub(&z1, &c) 235 z0.MulByNonResidue(&c) 236 z0.Add(&z0, &b) 237 238 z.B0 = z0 239 z.B1 = z1 240 241 return z 242 }