github.com/klaytn/klaytn@v1.12.1/crypto/bls12381/fp_test.go (about)

     1  package bls12381
     2  
     3  import (
     4  	"bytes"
     5  	"crypto/rand"
     6  	"math/big"
     7  	"testing"
     8  )
     9  
    10  func TestFpSerialization(t *testing.T) {
    11  	t.Run("zero", func(t *testing.T) {
    12  		in := make([]byte, 48)
    13  		fe, err := fromBytes(in)
    14  		if err != nil {
    15  			t.Fatal(err)
    16  		}
    17  		if !fe.isZero() {
    18  			t.Fatal("bad serialization")
    19  		}
    20  		if !bytes.Equal(in, toBytes(fe)) {
    21  			t.Fatal("bad serialization")
    22  		}
    23  	})
    24  	t.Run("bytes", func(t *testing.T) {
    25  		for i := 0; i < fuz; i++ {
    26  			a, _ := new(fe).rand(rand.Reader)
    27  			b, err := fromBytes(toBytes(a))
    28  			if err != nil {
    29  				t.Fatal(err)
    30  			}
    31  			if !a.equal(b) {
    32  				t.Fatal("bad serialization")
    33  			}
    34  		}
    35  	})
    36  	t.Run("string", func(t *testing.T) {
    37  		for i := 0; i < fuz; i++ {
    38  			a, _ := new(fe).rand(rand.Reader)
    39  			b, err := fromString(toString(a))
    40  			if err != nil {
    41  				t.Fatal(err)
    42  			}
    43  			if !a.equal(b) {
    44  				t.Fatal("bad encoding or decoding")
    45  			}
    46  		}
    47  	})
    48  	t.Run("big", func(t *testing.T) {
    49  		for i := 0; i < fuz; i++ {
    50  			a, _ := new(fe).rand(rand.Reader)
    51  			b, err := fromBig(toBig(a))
    52  			if err != nil {
    53  				t.Fatal(err)
    54  			}
    55  			if !a.equal(b) {
    56  				t.Fatal("bad encoding or decoding")
    57  			}
    58  		}
    59  	})
    60  }
    61  
    62  func TestFpAdditionCrossAgainstBigInt(t *testing.T) {
    63  	for i := 0; i < fuz; i++ {
    64  		a, _ := new(fe).rand(rand.Reader)
    65  		b, _ := new(fe).rand(rand.Reader)
    66  		c := new(fe)
    67  		big_a := toBig(a)
    68  		big_b := toBig(b)
    69  		big_c := new(big.Int)
    70  		add(c, a, b)
    71  		out_1 := toBytes(c)
    72  		out_2 := padBytes(big_c.Add(big_a, big_b).Mod(big_c, modulus.big()).Bytes(), 48)
    73  		if !bytes.Equal(out_1, out_2) {
    74  			t.Fatal("cross test against big.Int is not satisfied A")
    75  		}
    76  		double(c, a)
    77  		out_1 = toBytes(c)
    78  		out_2 = padBytes(big_c.Add(big_a, big_a).Mod(big_c, modulus.big()).Bytes(), 48)
    79  		if !bytes.Equal(out_1, out_2) {
    80  			t.Fatal("cross test against big.Int is not satisfied B")
    81  		}
    82  		sub(c, a, b)
    83  		out_1 = toBytes(c)
    84  		out_2 = padBytes(big_c.Sub(big_a, big_b).Mod(big_c, modulus.big()).Bytes(), 48)
    85  		if !bytes.Equal(out_1, out_2) {
    86  			t.Fatal("cross test against big.Int is not satisfied C")
    87  		}
    88  		neg(c, a)
    89  		out_1 = toBytes(c)
    90  		out_2 = padBytes(big_c.Neg(big_a).Mod(big_c, modulus.big()).Bytes(), 48)
    91  		if !bytes.Equal(out_1, out_2) {
    92  			t.Fatal("cross test against big.Int is not satisfied D")
    93  		}
    94  	}
    95  }
    96  
    97  func TestFpAdditionCrossAgainstBigIntAssigned(t *testing.T) {
    98  	for i := 0; i < fuz; i++ {
    99  		a, _ := new(fe).rand(rand.Reader)
   100  		b, _ := new(fe).rand(rand.Reader)
   101  		big_a, big_b := toBig(a), toBig(b)
   102  		addAssign(a, b)
   103  		out_1 := toBytes(a)
   104  		out_2 := padBytes(big_a.Add(big_a, big_b).Mod(big_a, modulus.big()).Bytes(), 48)
   105  		if !bytes.Equal(out_1, out_2) {
   106  			t.Fatal("cross test against big.Int is not satisfied A")
   107  		}
   108  		a, _ = new(fe).rand(rand.Reader)
   109  		big_a = toBig(a)
   110  		doubleAssign(a)
   111  		out_1 = toBytes(a)
   112  		out_2 = padBytes(big_a.Add(big_a, big_a).Mod(big_a, modulus.big()).Bytes(), 48)
   113  		if !bytes.Equal(out_1, out_2) {
   114  			t.Fatal("cross test against big.Int is not satisfied B")
   115  		}
   116  		a, _ = new(fe).rand(rand.Reader)
   117  		b, _ = new(fe).rand(rand.Reader)
   118  		big_a, big_b = toBig(a), toBig(b)
   119  		subAssign(a, b)
   120  		out_1 = toBytes(a)
   121  		out_2 = padBytes(big_a.Sub(big_a, big_b).Mod(big_a, modulus.big()).Bytes(), 48)
   122  		if !bytes.Equal(out_1, out_2) {
   123  			t.Fatal("cross test against big.Int is not satisfied A")
   124  		}
   125  	}
   126  }
   127  
   128  func TestFpAdditionProperties(t *testing.T) {
   129  	for i := 0; i < fuz; i++ {
   130  		zero := new(fe).zero()
   131  		a, _ := new(fe).rand(rand.Reader)
   132  		b, _ := new(fe).rand(rand.Reader)
   133  		c_1, c_2 := new(fe), new(fe)
   134  		add(c_1, a, zero)
   135  		if !c_1.equal(a) {
   136  			t.Fatal("a + 0 == a")
   137  		}
   138  		sub(c_1, a, zero)
   139  		if !c_1.equal(a) {
   140  			t.Fatal("a - 0 == a")
   141  		}
   142  		double(c_1, zero)
   143  		if !c_1.equal(zero) {
   144  			t.Fatal("2 * 0 == 0")
   145  		}
   146  		neg(c_1, zero)
   147  		if !c_1.equal(zero) {
   148  			t.Fatal("-0 == 0")
   149  		}
   150  		sub(c_1, zero, a)
   151  		neg(c_2, a)
   152  		if !c_1.equal(c_2) {
   153  			t.Fatal("0-a == -a")
   154  		}
   155  		double(c_1, a)
   156  		add(c_2, a, a)
   157  		if !c_1.equal(c_2) {
   158  			t.Fatal("2 * a == a + a")
   159  		}
   160  		add(c_1, a, b)
   161  		add(c_2, b, a)
   162  		if !c_1.equal(c_2) {
   163  			t.Fatal("a + b = b + a")
   164  		}
   165  		sub(c_1, a, b)
   166  		sub(c_2, b, a)
   167  		neg(c_2, c_2)
   168  		if !c_1.equal(c_2) {
   169  			t.Fatal("a - b = - ( b - a )")
   170  		}
   171  		c_x, _ := new(fe).rand(rand.Reader)
   172  		add(c_1, a, b)
   173  		add(c_1, c_1, c_x)
   174  		add(c_2, a, c_x)
   175  		add(c_2, c_2, b)
   176  		if !c_1.equal(c_2) {
   177  			t.Fatal("(a + b) + c == (a + c ) + b")
   178  		}
   179  		sub(c_1, a, b)
   180  		sub(c_1, c_1, c_x)
   181  		sub(c_2, a, c_x)
   182  		sub(c_2, c_2, b)
   183  		if !c_1.equal(c_2) {
   184  			t.Fatal("(a - b) - c == (a - c ) -b")
   185  		}
   186  	}
   187  }
   188  
   189  func TestFpAdditionPropertiesAssigned(t *testing.T) {
   190  	for i := 0; i < fuz; i++ {
   191  		zero := new(fe).zero()
   192  		a, b := new(fe), new(fe)
   193  		_, _ = a.rand(rand.Reader)
   194  		b.set(a)
   195  		addAssign(a, zero)
   196  		if !a.equal(b) {
   197  			t.Fatal("a + 0 == a")
   198  		}
   199  		subAssign(a, zero)
   200  		if !a.equal(b) {
   201  			t.Fatal("a - 0 == a")
   202  		}
   203  		a.set(zero)
   204  		doubleAssign(a)
   205  		if !a.equal(zero) {
   206  			t.Fatal("2 * 0 == 0")
   207  		}
   208  		a.set(zero)
   209  		subAssign(a, b)
   210  		neg(b, b)
   211  		if !a.equal(b) {
   212  			t.Fatal("0-a == -a")
   213  		}
   214  		_, _ = a.rand(rand.Reader)
   215  		b.set(a)
   216  		doubleAssign(a)
   217  		addAssign(b, b)
   218  		if !a.equal(b) {
   219  			t.Fatal("2 * a == a + a")
   220  		}
   221  		_, _ = a.rand(rand.Reader)
   222  		_, _ = b.rand(rand.Reader)
   223  		c_1, c_2 := new(fe).set(a), new(fe).set(b)
   224  		addAssign(c_1, b)
   225  		addAssign(c_2, a)
   226  		if !c_1.equal(c_2) {
   227  			t.Fatal("a + b = b + a")
   228  		}
   229  		_, _ = a.rand(rand.Reader)
   230  		_, _ = b.rand(rand.Reader)
   231  		c_1.set(a)
   232  		c_2.set(b)
   233  		subAssign(c_1, b)
   234  		subAssign(c_2, a)
   235  		neg(c_2, c_2)
   236  		if !c_1.equal(c_2) {
   237  			t.Fatal("a - b = - ( b - a )")
   238  		}
   239  		_, _ = a.rand(rand.Reader)
   240  		_, _ = b.rand(rand.Reader)
   241  		c, _ := new(fe).rand(rand.Reader)
   242  		a0 := new(fe).set(a)
   243  		addAssign(a, b)
   244  		addAssign(a, c)
   245  		addAssign(b, c)
   246  		addAssign(b, a0)
   247  		if !a.equal(b) {
   248  			t.Fatal("(a + b) + c == (b + c) + a")
   249  		}
   250  		_, _ = a.rand(rand.Reader)
   251  		_, _ = b.rand(rand.Reader)
   252  		_, _ = c.rand(rand.Reader)
   253  		a0.set(a)
   254  		subAssign(a, b)
   255  		subAssign(a, c)
   256  		subAssign(a0, c)
   257  		subAssign(a0, b)
   258  		if !a.equal(a0) {
   259  			t.Fatal("(a - b) - c == (a - c) -b")
   260  		}
   261  	}
   262  }
   263  
   264  func TestFpLazyOperations(t *testing.T) {
   265  	for i := 0; i < fuz; i++ {
   266  		a, _ := new(fe).rand(rand.Reader)
   267  		b, _ := new(fe).rand(rand.Reader)
   268  		c, _ := new(fe).rand(rand.Reader)
   269  		c0 := new(fe)
   270  		c1 := new(fe)
   271  		ladd(c0, a, b)
   272  		add(c1, a, b)
   273  		mul(c0, c0, c)
   274  		mul(c1, c1, c)
   275  		if !c0.equal(c1) {
   276  			// l+ operator stands for lazy addition
   277  			t.Fatal("(a + b) * c == (a l+ b) * c")
   278  		}
   279  		_, _ = a.rand(rand.Reader)
   280  		b.set(a)
   281  		ldouble(a, a)
   282  		ladd(b, b, b)
   283  		if !a.equal(b) {
   284  			t.Fatal("2 l* a = a l+ a")
   285  		}
   286  		_, _ = a.rand(rand.Reader)
   287  		_, _ = b.rand(rand.Reader)
   288  		_, _ = c.rand(rand.Reader)
   289  		a0 := new(fe).set(a)
   290  		lsubAssign(a, b)
   291  		laddAssign(a, &modulus)
   292  		mul(a, a, c)
   293  		subAssign(a0, b)
   294  		mul(a0, a0, c)
   295  		if !a.equal(a0) {
   296  			t.Fatal("((a l- b) + p) * c = (a-b) * c")
   297  		}
   298  	}
   299  }
   300  
   301  func TestFpMultiplicationCrossAgainstBigInt(t *testing.T) {
   302  	for i := 0; i < fuz; i++ {
   303  		a, _ := new(fe).rand(rand.Reader)
   304  		b, _ := new(fe).rand(rand.Reader)
   305  		c := new(fe)
   306  		big_a := toBig(a)
   307  		big_b := toBig(b)
   308  		big_c := new(big.Int)
   309  		mul(c, a, b)
   310  		out_1 := toBytes(c)
   311  		out_2 := padBytes(big_c.Mul(big_a, big_b).Mod(big_c, modulus.big()).Bytes(), 48)
   312  		if !bytes.Equal(out_1, out_2) {
   313  			t.Fatal("cross test against big.Int is not satisfied")
   314  		}
   315  	}
   316  }
   317  
   318  func TestFpMultiplicationProperties(t *testing.T) {
   319  	for i := 0; i < fuz; i++ {
   320  		a, _ := new(fe).rand(rand.Reader)
   321  		b, _ := new(fe).rand(rand.Reader)
   322  		zero, one := new(fe).zero(), new(fe).one()
   323  		c_1, c_2 := new(fe), new(fe)
   324  		mul(c_1, a, zero)
   325  		if !c_1.equal(zero) {
   326  			t.Fatal("a * 0 == 0")
   327  		}
   328  		mul(c_1, a, one)
   329  		if !c_1.equal(a) {
   330  			t.Fatal("a * 1 == a")
   331  		}
   332  		mul(c_1, a, b)
   333  		mul(c_2, b, a)
   334  		if !c_1.equal(c_2) {
   335  			t.Fatal("a * b == b * a")
   336  		}
   337  		c_x, _ := new(fe).rand(rand.Reader)
   338  		mul(c_1, a, b)
   339  		mul(c_1, c_1, c_x)
   340  		mul(c_2, c_x, b)
   341  		mul(c_2, c_2, a)
   342  		if !c_1.equal(c_2) {
   343  			t.Fatal("(a * b) * c == (a * c) * b")
   344  		}
   345  		square(a, zero)
   346  		if !a.equal(zero) {
   347  			t.Fatal("0^2 == 0")
   348  		}
   349  		square(a, one)
   350  		if !a.equal(one) {
   351  			t.Fatal("1^2 == 1")
   352  		}
   353  		_, _ = a.rand(rand.Reader)
   354  		square(c_1, a)
   355  		mul(c_2, a, a)
   356  		if !c_1.equal(c_1) {
   357  			t.Fatal("a^2 == a*a")
   358  		}
   359  	}
   360  }
   361  
   362  func TestFpExponentiation(t *testing.T) {
   363  	for i := 0; i < fuz; i++ {
   364  		a, _ := new(fe).rand(rand.Reader)
   365  		u := new(fe)
   366  		exp(u, a, big.NewInt(0))
   367  		if !u.isOne() {
   368  			t.Fatal("a^0 == 1")
   369  		}
   370  		exp(u, a, big.NewInt(1))
   371  		if !u.equal(a) {
   372  			t.Fatal("a^1 == a")
   373  		}
   374  		v := new(fe)
   375  		mul(u, a, a)
   376  		mul(u, u, u)
   377  		mul(u, u, u)
   378  		exp(v, a, big.NewInt(8))
   379  		if !u.equal(v) {
   380  			t.Fatal("((a^2)^2)^2 == a^8")
   381  		}
   382  		p := modulus.big()
   383  		exp(u, a, p)
   384  		if !u.equal(a) {
   385  			t.Fatal("a^p == a")
   386  		}
   387  		exp(u, a, p.Sub(p, big.NewInt(1)))
   388  		if !u.isOne() {
   389  			t.Fatal("a^(p-1) == 1")
   390  		}
   391  	}
   392  }
   393  
   394  func TestFpInversion(t *testing.T) {
   395  	for i := 0; i < fuz; i++ {
   396  		u := new(fe)
   397  		zero, one := new(fe).zero(), new(fe).one()
   398  		inverse(u, zero)
   399  		if !u.equal(zero) {
   400  			t.Fatal("(0^-1) == 0)")
   401  		}
   402  		inverse(u, one)
   403  		if !u.equal(one) {
   404  			t.Fatal("(1^-1) == 1)")
   405  		}
   406  		a, _ := new(fe).rand(rand.Reader)
   407  		inverse(u, a)
   408  		mul(u, u, a)
   409  		if !u.equal(one) {
   410  			t.Fatal("(r*a) * r*(a^-1) == r)")
   411  		}
   412  		v := new(fe)
   413  		p := modulus.big()
   414  		exp(u, a, p.Sub(p, big.NewInt(2)))
   415  		inverse(v, a)
   416  		if !v.equal(u) {
   417  			t.Fatal("a^(p-2) == a^-1")
   418  		}
   419  	}
   420  }
   421  
   422  func TestFpSquareRoot(t *testing.T) {
   423  	r := new(fe)
   424  	if sqrt(r, nonResidue1) {
   425  		t.Fatal("non residue cannot have a sqrt")
   426  	}
   427  	for i := 0; i < fuz; i++ {
   428  		a, _ := new(fe).rand(rand.Reader)
   429  		aa, rr, r := &fe{}, &fe{}, &fe{}
   430  		square(aa, a)
   431  		if !sqrt(r, aa) {
   432  			t.Fatal("bad sqrt 1")
   433  		}
   434  		square(rr, r)
   435  		if !rr.equal(aa) {
   436  			t.Fatal("bad sqrt 2")
   437  		}
   438  	}
   439  }
   440  
   441  func TestFpNonResidue(t *testing.T) {
   442  	if !isQuadraticNonResidue(nonResidue1) {
   443  		t.Fatal("element is quadratic non residue, 1")
   444  	}
   445  	if isQuadraticNonResidue(new(fe).one()) {
   446  		t.Fatal("one is not quadratic non residue")
   447  	}
   448  	if !isQuadraticNonResidue(new(fe).zero()) {
   449  		t.Fatal("should accept zero as quadratic non residue")
   450  	}
   451  	for i := 0; i < fuz; i++ {
   452  		a, _ := new(fe).rand(rand.Reader)
   453  		square(a, a)
   454  		if isQuadraticNonResidue(new(fe).one()) {
   455  			t.Fatal("element is not quadratic non residue")
   456  		}
   457  	}
   458  	for i := 0; i < fuz; i++ {
   459  		a, _ := new(fe).rand(rand.Reader)
   460  		if !sqrt(new(fe), a) {
   461  			if !isQuadraticNonResidue(a) {
   462  				t.Fatal("element is quadratic non residue, 2", i)
   463  			}
   464  		} else {
   465  			i -= 1
   466  		}
   467  	}
   468  }
   469  
   470  func TestFp2Serialization(t *testing.T) {
   471  	field := newFp2()
   472  	for i := 0; i < fuz; i++ {
   473  		a, _ := new(fe2).rand(rand.Reader)
   474  		b, err := field.fromBytes(field.toBytes(a))
   475  		if err != nil {
   476  			t.Fatal(err)
   477  		}
   478  		if !a.equal(b) {
   479  			t.Fatal("bad serialization")
   480  		}
   481  	}
   482  }
   483  
   484  func TestFp2AdditionProperties(t *testing.T) {
   485  	field := newFp2()
   486  	for i := 0; i < fuz; i++ {
   487  		zero := field.zero()
   488  		a, _ := new(fe2).rand(rand.Reader)
   489  		b, _ := new(fe2).rand(rand.Reader)
   490  		c_1 := field.new()
   491  		c_2 := field.new()
   492  		field.add(c_1, a, zero)
   493  		if !c_1.equal(a) {
   494  			t.Fatal("a + 0 == a")
   495  		}
   496  		field.sub(c_1, a, zero)
   497  		if !c_1.equal(a) {
   498  			t.Fatal("a - 0 == a")
   499  		}
   500  		field.double(c_1, zero)
   501  		if !c_1.equal(zero) {
   502  			t.Fatal("2 * 0 == 0")
   503  		}
   504  		field.neg(c_1, zero)
   505  		if !c_1.equal(zero) {
   506  			t.Fatal("-0 == 0")
   507  		}
   508  		field.sub(c_1, zero, a)
   509  		field.neg(c_2, a)
   510  		if !c_1.equal(c_2) {
   511  			t.Fatal("0-a == -a")
   512  		}
   513  		field.double(c_1, a)
   514  		field.add(c_2, a, a)
   515  		if !c_1.equal(c_2) {
   516  			t.Fatal("2 * a == a + a")
   517  		}
   518  		field.add(c_1, a, b)
   519  		field.add(c_2, b, a)
   520  		if !c_1.equal(c_2) {
   521  			t.Fatal("a + b = b + a")
   522  		}
   523  		field.sub(c_1, a, b)
   524  		field.sub(c_2, b, a)
   525  		field.neg(c_2, c_2)
   526  		if !c_1.equal(c_2) {
   527  			t.Fatal("a - b = - ( b - a )")
   528  		}
   529  		c_x, _ := new(fe2).rand(rand.Reader)
   530  		field.add(c_1, a, b)
   531  		field.add(c_1, c_1, c_x)
   532  		field.add(c_2, a, c_x)
   533  		field.add(c_2, c_2, b)
   534  		if !c_1.equal(c_2) {
   535  			t.Fatal("(a + b) + c == (a + c ) + b")
   536  		}
   537  		field.sub(c_1, a, b)
   538  		field.sub(c_1, c_1, c_x)
   539  		field.sub(c_2, a, c_x)
   540  		field.sub(c_2, c_2, b)
   541  		if !c_1.equal(c_2) {
   542  			t.Fatal("(a - b) - c == (a - c ) -b")
   543  		}
   544  	}
   545  }
   546  
   547  func TestFp2AdditionPropertiesAssigned(t *testing.T) {
   548  	field := newFp2()
   549  	for i := 0; i < fuz; i++ {
   550  		zero := new(fe2).zero()
   551  		a, b := new(fe2), new(fe2)
   552  		_, _ = a.rand(rand.Reader)
   553  		b.set(a)
   554  		field.addAssign(a, zero)
   555  		if !a.equal(b) {
   556  			t.Fatal("a + 0 == a")
   557  		}
   558  		field.subAssign(a, zero)
   559  		if !a.equal(b) {
   560  			t.Fatal("a - 0 == a")
   561  		}
   562  		a.set(zero)
   563  		field.doubleAssign(a)
   564  		if !a.equal(zero) {
   565  			t.Fatal("2 * 0 == 0")
   566  		}
   567  		a.set(zero)
   568  		field.subAssign(a, b)
   569  		field.neg(b, b)
   570  		if !a.equal(b) {
   571  			t.Fatal("0-a == -a")
   572  		}
   573  		_, _ = a.rand(rand.Reader)
   574  		b.set(a)
   575  		field.doubleAssign(a)
   576  		field.addAssign(b, b)
   577  		if !a.equal(b) {
   578  			t.Fatal("2 * a == a + a")
   579  		}
   580  		_, _ = a.rand(rand.Reader)
   581  		_, _ = b.rand(rand.Reader)
   582  		c_1, c_2 := new(fe2).set(a), new(fe2).set(b)
   583  		field.addAssign(c_1, b)
   584  		field.addAssign(c_2, a)
   585  		if !c_1.equal(c_2) {
   586  			t.Fatal("a + b = b + a")
   587  		}
   588  		_, _ = a.rand(rand.Reader)
   589  		_, _ = b.rand(rand.Reader)
   590  		c_1.set(a)
   591  		c_2.set(b)
   592  		field.subAssign(c_1, b)
   593  		field.subAssign(c_2, a)
   594  		field.neg(c_2, c_2)
   595  		if !c_1.equal(c_2) {
   596  			t.Fatal("a - b = - ( b - a )")
   597  		}
   598  		_, _ = a.rand(rand.Reader)
   599  		_, _ = b.rand(rand.Reader)
   600  		c, _ := new(fe2).rand(rand.Reader)
   601  		a0 := new(fe2).set(a)
   602  		field.addAssign(a, b)
   603  		field.addAssign(a, c)
   604  		field.addAssign(b, c)
   605  		field.addAssign(b, a0)
   606  		if !a.equal(b) {
   607  			t.Fatal("(a + b) + c == (b + c) + a")
   608  		}
   609  		_, _ = a.rand(rand.Reader)
   610  		_, _ = b.rand(rand.Reader)
   611  		_, _ = c.rand(rand.Reader)
   612  		a0.set(a)
   613  		field.subAssign(a, b)
   614  		field.subAssign(a, c)
   615  		field.subAssign(a0, c)
   616  		field.subAssign(a0, b)
   617  		if !a.equal(a0) {
   618  			t.Fatal("(a - b) - c == (a - c) -b")
   619  		}
   620  	}
   621  }
   622  
   623  func TestFp2LazyOperations(t *testing.T) {
   624  	field := newFp2()
   625  	for i := 0; i < fuz; i++ {
   626  		a, _ := new(fe2).rand(rand.Reader)
   627  		b, _ := new(fe2).rand(rand.Reader)
   628  		c, _ := new(fe2).rand(rand.Reader)
   629  		c0 := new(fe2)
   630  		c1 := new(fe2)
   631  		field.ladd(c0, a, b)
   632  		field.add(c1, a, b)
   633  		field.mulAssign(c0, c)
   634  		field.mulAssign(c1, c)
   635  		if !c0.equal(c1) {
   636  			// l+ operator stands for lazy addition
   637  			t.Fatal("(a + b) * c == (a l+ b) * c")
   638  		}
   639  		_, _ = a.rand(rand.Reader)
   640  		b.set(a)
   641  		field.ldouble(a, a)
   642  		field.ladd(b, b, b)
   643  		if !a.equal(b) {
   644  			t.Fatal("2 l* a = a l+ a")
   645  		}
   646  	}
   647  }
   648  
   649  func TestFp2MultiplicationProperties(t *testing.T) {
   650  	field := newFp2()
   651  	for i := 0; i < fuz; i++ {
   652  		a, _ := new(fe2).rand(rand.Reader)
   653  		b, _ := new(fe2).rand(rand.Reader)
   654  		zero := field.zero()
   655  		one := field.one()
   656  		c_1, c_2 := field.new(), field.new()
   657  		field.mul(c_1, a, zero)
   658  		if !c_1.equal(zero) {
   659  			t.Fatal("a * 0 == 0")
   660  		}
   661  		field.mul(c_1, a, one)
   662  		if !c_1.equal(a) {
   663  			t.Fatal("a * 1 == a")
   664  		}
   665  		field.mul(c_1, a, b)
   666  		field.mul(c_2, b, a)
   667  		if !c_1.equal(c_2) {
   668  			t.Fatal("a * b == b * a")
   669  		}
   670  		c_x, _ := new(fe2).rand(rand.Reader)
   671  		field.mul(c_1, a, b)
   672  		field.mul(c_1, c_1, c_x)
   673  		field.mul(c_2, c_x, b)
   674  		field.mul(c_2, c_2, a)
   675  		if !c_1.equal(c_2) {
   676  			t.Fatal("(a * b) * c == (a * c) * b")
   677  		}
   678  		field.square(a, zero)
   679  		if !a.equal(zero) {
   680  			t.Fatal("0^2 == 0")
   681  		}
   682  		field.square(a, one)
   683  		if !a.equal(one) {
   684  			t.Fatal("1^2 == 1")
   685  		}
   686  		_, _ = a.rand(rand.Reader)
   687  		field.square(c_1, a)
   688  		field.mul(c_2, a, a)
   689  		if !c_2.equal(c_1) {
   690  			t.Fatal("a^2 == a*a")
   691  		}
   692  	}
   693  }
   694  
   695  func TestFp2MultiplicationPropertiesAssigned(t *testing.T) {
   696  	field := newFp2()
   697  	for i := 0; i < fuz; i++ {
   698  		a, _ := new(fe2).rand(rand.Reader)
   699  		zero, one := new(fe2).zero(), new(fe2).one()
   700  		field.mulAssign(a, zero)
   701  		if !a.equal(zero) {
   702  			t.Fatal("a * 0 == 0")
   703  		}
   704  		_, _ = a.rand(rand.Reader)
   705  		a0 := new(fe2).set(a)
   706  		field.mulAssign(a, one)
   707  		if !a.equal(a0) {
   708  			t.Fatal("a * 1 == a")
   709  		}
   710  		_, _ = a.rand(rand.Reader)
   711  		b, _ := new(fe2).rand(rand.Reader)
   712  		a0.set(a)
   713  		field.mulAssign(a, b)
   714  		field.mulAssign(b, a0)
   715  		if !a.equal(b) {
   716  			t.Fatal("a * b == b * a")
   717  		}
   718  		c, _ := new(fe2).rand(rand.Reader)
   719  		a0.set(a)
   720  		field.mulAssign(a, b)
   721  		field.mulAssign(a, c)
   722  		field.mulAssign(a0, c)
   723  		field.mulAssign(a0, b)
   724  		if !a.equal(a0) {
   725  			t.Fatal("(a * b) * c == (a * c) * b")
   726  		}
   727  		a0.set(a)
   728  		field.squareAssign(a)
   729  		field.mulAssign(a0, a0)
   730  		if !a.equal(a0) {
   731  			t.Fatal("a^2 == a*a")
   732  		}
   733  	}
   734  }
   735  
   736  func TestFp2Exponentiation(t *testing.T) {
   737  	field := newFp2()
   738  	for i := 0; i < fuz; i++ {
   739  		a, _ := new(fe2).rand(rand.Reader)
   740  		u := field.new()
   741  		field.exp(u, a, big.NewInt(0))
   742  		if !u.equal(field.one()) {
   743  			t.Fatal("a^0 == 1")
   744  		}
   745  		field.exp(u, a, big.NewInt(1))
   746  		if !u.equal(a) {
   747  			t.Fatal("a^1 == a")
   748  		}
   749  		v := field.new()
   750  		field.mul(u, a, a)
   751  		field.mul(u, u, u)
   752  		field.mul(u, u, u)
   753  		field.exp(v, a, big.NewInt(8))
   754  		if !u.equal(v) {
   755  			t.Fatal("((a^2)^2)^2 == a^8")
   756  		}
   757  	}
   758  }
   759  
   760  func TestFp2Inversion(t *testing.T) {
   761  	field := newFp2()
   762  	u := field.new()
   763  	zero := field.zero()
   764  	one := field.one()
   765  	field.inverse(u, zero)
   766  	if !u.equal(zero) {
   767  		t.Fatal("(0 ^ -1) == 0)")
   768  	}
   769  	field.inverse(u, one)
   770  	if !u.equal(one) {
   771  		t.Fatal("(1 ^ -1) == 1)")
   772  	}
   773  	for i := 0; i < fuz; i++ {
   774  		a, _ := new(fe2).rand(rand.Reader)
   775  		field.inverse(u, a)
   776  		field.mul(u, u, a)
   777  		if !u.equal(one) {
   778  			t.Fatal("(r * a) * r * (a ^ -1) == r)")
   779  		}
   780  	}
   781  }
   782  
   783  func TestFp2SquareRoot(t *testing.T) {
   784  	field := newFp2()
   785  	for z := 0; z < 1000; z++ {
   786  		zi := new(fe)
   787  		sub(zi, &modulus, &fe{uint64(z * z)})
   788  		// r = (-z*z, 0)
   789  		r := &fe2{*zi, fe{0}}
   790  		toMont(&r[0], &r[0])
   791  		toMont(&r[1], &r[1])
   792  		c := field.new()
   793  		// sqrt((-z*z, 0)) = (0, z)
   794  		if !field.sqrt(c, r) {
   795  			t.Fatal("z*z does have a square root")
   796  		}
   797  		e := &fe2{fe{uint64(0)}, fe{uint64(z)}}
   798  		toMont(&e[0], &e[0])
   799  		toMont(&e[1], &e[1])
   800  		field.square(e, e)
   801  		field.square(c, c)
   802  		if !e.equal(c) {
   803  			t.Fatal("square root failed")
   804  		}
   805  	}
   806  	if field.sqrt(field.new(), nonResidue2) {
   807  		t.Fatal("non residue cannot have a sqrt")
   808  	}
   809  	for i := 0; i < fuz; i++ {
   810  		a, _ := new(fe2).rand(rand.Reader)
   811  		aa, rr, r := field.new(), field.new(), field.new()
   812  		field.square(aa, a)
   813  		if !field.sqrt(r, aa) {
   814  			t.Fatal("bad sqrt 1")
   815  		}
   816  		field.square(rr, r)
   817  		if !rr.equal(aa) {
   818  			t.Fatal("bad sqrt 2")
   819  		}
   820  	}
   821  }
   822  
   823  func TestFp2NonResidue(t *testing.T) {
   824  	field := newFp2()
   825  	if !field.isQuadraticNonResidue(nonResidue2) {
   826  		t.Fatal("element is quadratic non residue, 1")
   827  	}
   828  	if field.isQuadraticNonResidue(new(fe2).one()) {
   829  		t.Fatal("one is not quadratic non residue")
   830  	}
   831  	if !field.isQuadraticNonResidue(new(fe2).zero()) {
   832  		t.Fatal("should accept zero as quadratic non residue")
   833  	}
   834  	for i := 0; i < fuz; i++ {
   835  		a, _ := new(fe2).rand(rand.Reader)
   836  		field.squareAssign(a)
   837  		if field.isQuadraticNonResidue(new(fe2).one()) {
   838  			t.Fatal("element is not quadratic non residue")
   839  		}
   840  	}
   841  	for i := 0; i < fuz; i++ {
   842  		a, _ := new(fe2).rand(rand.Reader)
   843  		if !field.sqrt(new(fe2), a) {
   844  			if !field.isQuadraticNonResidue(a) {
   845  				t.Fatal("element is quadratic non residue, 2", i)
   846  			}
   847  		} else {
   848  			i -= 1
   849  		}
   850  	}
   851  }
   852  
   853  func TestFp6Serialization(t *testing.T) {
   854  	field := newFp6(nil)
   855  	for i := 0; i < fuz; i++ {
   856  		a, _ := new(fe6).rand(rand.Reader)
   857  		b, err := field.fromBytes(field.toBytes(a))
   858  		if err != nil {
   859  			t.Fatal(err)
   860  		}
   861  		if !a.equal(b) {
   862  			t.Fatal("bad serialization")
   863  		}
   864  	}
   865  }
   866  
   867  func TestFp6AdditionProperties(t *testing.T) {
   868  	field := newFp6(nil)
   869  	for i := 0; i < fuz; i++ {
   870  		zero := field.zero()
   871  		a, _ := new(fe6).rand(rand.Reader)
   872  		b, _ := new(fe6).rand(rand.Reader)
   873  		c_1 := field.new()
   874  		c_2 := field.new()
   875  		field.add(c_1, a, zero)
   876  		if !c_1.equal(a) {
   877  			t.Fatal("a + 0 == a")
   878  		}
   879  		field.sub(c_1, a, zero)
   880  		if !c_1.equal(a) {
   881  			t.Fatal("a - 0 == a")
   882  		}
   883  		field.double(c_1, zero)
   884  		if !c_1.equal(zero) {
   885  			t.Fatal("2 * 0 == 0")
   886  		}
   887  		field.neg(c_1, zero)
   888  		if !c_1.equal(zero) {
   889  			t.Fatal("-0 == 0")
   890  		}
   891  		field.sub(c_1, zero, a)
   892  		field.neg(c_2, a)
   893  		if !c_1.equal(c_2) {
   894  			t.Fatal("0-a == -a")
   895  		}
   896  		field.double(c_1, a)
   897  		field.add(c_2, a, a)
   898  		if !c_1.equal(c_2) {
   899  			t.Fatal("2 * a == a + a")
   900  		}
   901  		field.add(c_1, a, b)
   902  		field.add(c_2, b, a)
   903  		if !c_1.equal(c_2) {
   904  			t.Fatal("a + b = b + a")
   905  		}
   906  		field.sub(c_1, a, b)
   907  		field.sub(c_2, b, a)
   908  		field.neg(c_2, c_2)
   909  		if !c_1.equal(c_2) {
   910  			t.Fatal("a - b = - ( b - a )")
   911  		}
   912  		c_x, _ := new(fe6).rand(rand.Reader)
   913  		field.add(c_1, a, b)
   914  		field.add(c_1, c_1, c_x)
   915  		field.add(c_2, a, c_x)
   916  		field.add(c_2, c_2, b)
   917  		if !c_1.equal(c_2) {
   918  			t.Fatal("(a + b) + c == (a + c ) + b")
   919  		}
   920  		field.sub(c_1, a, b)
   921  		field.sub(c_1, c_1, c_x)
   922  		field.sub(c_2, a, c_x)
   923  		field.sub(c_2, c_2, b)
   924  		if !c_1.equal(c_2) {
   925  			t.Fatal("(a - b) - c == (a - c ) -b")
   926  		}
   927  	}
   928  }
   929  
   930  func TestFp6AdditionPropertiesAssigned(t *testing.T) {
   931  	field := newFp6(nil)
   932  	for i := 0; i < fuz; i++ {
   933  		zero := new(fe6).zero()
   934  		a, b := new(fe6), new(fe6)
   935  		_, _ = a.rand(rand.Reader)
   936  		b.set(a)
   937  		field.addAssign(a, zero)
   938  		if !a.equal(b) {
   939  			t.Fatal("a + 0 == a")
   940  		}
   941  		field.subAssign(a, zero)
   942  		if !a.equal(b) {
   943  			t.Fatal("a - 0 == a")
   944  		}
   945  		a.set(zero)
   946  		field.doubleAssign(a)
   947  		if !a.equal(zero) {
   948  			t.Fatal("2 * 0 == 0")
   949  		}
   950  		a.set(zero)
   951  		field.subAssign(a, b)
   952  		field.neg(b, b)
   953  		if !a.equal(b) {
   954  			t.Fatal("0-a == -a")
   955  		}
   956  		_, _ = a.rand(rand.Reader)
   957  		b.set(a)
   958  		field.doubleAssign(a)
   959  		field.addAssign(b, b)
   960  		if !a.equal(b) {
   961  			t.Fatal("2 * a == a + a")
   962  		}
   963  		_, _ = a.rand(rand.Reader)
   964  		_, _ = b.rand(rand.Reader)
   965  		c_1, c_2 := new(fe6).set(a), new(fe6).set(b)
   966  		field.addAssign(c_1, b)
   967  		field.addAssign(c_2, a)
   968  		if !c_1.equal(c_2) {
   969  			t.Fatal("a + b = b + a")
   970  		}
   971  		_, _ = a.rand(rand.Reader)
   972  		_, _ = b.rand(rand.Reader)
   973  		c_1.set(a)
   974  		c_2.set(b)
   975  		field.subAssign(c_1, b)
   976  		field.subAssign(c_2, a)
   977  		field.neg(c_2, c_2)
   978  		if !c_1.equal(c_2) {
   979  			t.Fatal("a - b = - ( b - a )")
   980  		}
   981  		_, _ = a.rand(rand.Reader)
   982  		_, _ = b.rand(rand.Reader)
   983  		c, _ := new(fe6).rand(rand.Reader)
   984  		a0 := new(fe6).set(a)
   985  		field.addAssign(a, b)
   986  		field.addAssign(a, c)
   987  		field.addAssign(b, c)
   988  		field.addAssign(b, a0)
   989  		if !a.equal(b) {
   990  			t.Fatal("(a + b) + c == (b + c) + a")
   991  		}
   992  		_, _ = a.rand(rand.Reader)
   993  		_, _ = b.rand(rand.Reader)
   994  		_, _ = c.rand(rand.Reader)
   995  		a0.set(a)
   996  		field.subAssign(a, b)
   997  		field.subAssign(a, c)
   998  		field.subAssign(a0, c)
   999  		field.subAssign(a0, b)
  1000  		if !a.equal(a0) {
  1001  			t.Fatal("(a - b) - c == (a - c) -b")
  1002  		}
  1003  	}
  1004  }
  1005  
  1006  func TestFp6SparseMultiplication(t *testing.T) {
  1007  	fp6 := newFp6(nil)
  1008  	var a, b, u *fe6
  1009  	for j := 0; j < fuz; j++ {
  1010  		a, _ = new(fe6).rand(rand.Reader)
  1011  		b, _ = new(fe6).rand(rand.Reader)
  1012  		u, _ = new(fe6).rand(rand.Reader)
  1013  		b[2].zero()
  1014  		fp6.mul(u, a, b)
  1015  		fp6.mulBy01(a, a, &b[0], &b[1])
  1016  		if !a.equal(u) {
  1017  			t.Fatal("bad mul by 01")
  1018  		}
  1019  	}
  1020  	for j := 0; j < fuz; j++ {
  1021  		a, _ = new(fe6).rand(rand.Reader)
  1022  		b, _ = new(fe6).rand(rand.Reader)
  1023  		u, _ = new(fe6).rand(rand.Reader)
  1024  		b[2].zero()
  1025  		b[0].zero()
  1026  		fp6.mul(u, a, b)
  1027  		fp6.mulBy1(a, a, &b[1])
  1028  		if !a.equal(u) {
  1029  			t.Fatal("bad mul by 1")
  1030  		}
  1031  	}
  1032  }
  1033  
  1034  func TestFp6MultiplicationProperties(t *testing.T) {
  1035  	field := newFp6(nil)
  1036  	for i := 0; i < fuz; i++ {
  1037  		a, _ := new(fe6).rand(rand.Reader)
  1038  		b, _ := new(fe6).rand(rand.Reader)
  1039  		zero := field.zero()
  1040  		one := field.one()
  1041  		c_1, c_2 := field.new(), field.new()
  1042  		field.mul(c_1, a, zero)
  1043  		if !c_1.equal(zero) {
  1044  			t.Fatal("a * 0 == 0")
  1045  		}
  1046  		field.mul(c_1, a, one)
  1047  		if !c_1.equal(a) {
  1048  			t.Fatal("a * 1 == a")
  1049  		}
  1050  		field.mul(c_1, a, b)
  1051  		field.mul(c_2, b, a)
  1052  		if !c_1.equal(c_2) {
  1053  			t.Fatal("a * b == b * a")
  1054  		}
  1055  		c_x, _ := new(fe6).rand(rand.Reader)
  1056  		field.mul(c_1, a, b)
  1057  		field.mul(c_1, c_1, c_x)
  1058  		field.mul(c_2, c_x, b)
  1059  		field.mul(c_2, c_2, a)
  1060  		if !c_1.equal(c_2) {
  1061  			t.Fatal("(a * b) * c == (a * c) * b")
  1062  		}
  1063  		field.square(a, zero)
  1064  		if !a.equal(zero) {
  1065  			t.Fatal("0^2 == 0")
  1066  		}
  1067  		field.square(a, one)
  1068  		if !a.equal(one) {
  1069  			t.Fatal("1^2 == 1")
  1070  		}
  1071  		_, _ = a.rand(rand.Reader)
  1072  		field.square(c_1, a)
  1073  		field.mul(c_2, a, a)
  1074  		if !c_2.equal(c_1) {
  1075  			t.Fatal("a^2 == a*a")
  1076  		}
  1077  	}
  1078  }
  1079  
  1080  func TestFp6MultiplicationPropertiesAssigned(t *testing.T) {
  1081  	field := newFp6(nil)
  1082  	for i := 0; i < fuz; i++ {
  1083  		a, _ := new(fe6).rand(rand.Reader)
  1084  		zero, one := new(fe6).zero(), new(fe6).one()
  1085  		field.mulAssign(a, zero)
  1086  		if !a.equal(zero) {
  1087  			t.Fatal("a * 0 == 0")
  1088  		}
  1089  		_, _ = a.rand(rand.Reader)
  1090  		a0 := new(fe6).set(a)
  1091  		field.mulAssign(a, one)
  1092  		if !a.equal(a0) {
  1093  			t.Fatal("a * 1 == a")
  1094  		}
  1095  		_, _ = a.rand(rand.Reader)
  1096  		b, _ := new(fe6).rand(rand.Reader)
  1097  		a0.set(a)
  1098  		field.mulAssign(a, b)
  1099  		field.mulAssign(b, a0)
  1100  		if !a.equal(b) {
  1101  			t.Fatal("a * b == b * a")
  1102  		}
  1103  		c, _ := new(fe6).rand(rand.Reader)
  1104  		a0.set(a)
  1105  		field.mulAssign(a, b)
  1106  		field.mulAssign(a, c)
  1107  		field.mulAssign(a0, c)
  1108  		field.mulAssign(a0, b)
  1109  		if !a.equal(a0) {
  1110  			t.Fatal("(a * b) * c == (a * c) * b")
  1111  		}
  1112  	}
  1113  }
  1114  
  1115  func TestFp6Exponentiation(t *testing.T) {
  1116  	field := newFp6(nil)
  1117  	for i := 0; i < fuz; i++ {
  1118  		a, _ := new(fe6).rand(rand.Reader)
  1119  		u := field.new()
  1120  		field.exp(u, a, big.NewInt(0))
  1121  		if !u.equal(field.one()) {
  1122  			t.Fatal("a^0 == 1")
  1123  		}
  1124  		field.exp(u, a, big.NewInt(1))
  1125  		if !u.equal(a) {
  1126  			t.Fatal("a^1 == a")
  1127  		}
  1128  		v := field.new()
  1129  		field.mul(u, a, a)
  1130  		field.mul(u, u, u)
  1131  		field.mul(u, u, u)
  1132  		field.exp(v, a, big.NewInt(8))
  1133  		if !u.equal(v) {
  1134  			t.Fatal("((a^2)^2)^2 == a^8")
  1135  		}
  1136  	}
  1137  }
  1138  
  1139  func TestFp6Inversion(t *testing.T) {
  1140  	field := newFp6(nil)
  1141  	for i := 0; i < fuz; i++ {
  1142  		u := field.new()
  1143  		zero := field.zero()
  1144  		one := field.one()
  1145  		field.inverse(u, zero)
  1146  		if !u.equal(zero) {
  1147  			t.Fatal("(0^-1) == 0)")
  1148  		}
  1149  		field.inverse(u, one)
  1150  		if !u.equal(one) {
  1151  			t.Fatal("(1^-1) == 1)")
  1152  		}
  1153  		a, _ := new(fe6).rand(rand.Reader)
  1154  		field.inverse(u, a)
  1155  		field.mul(u, u, a)
  1156  		if !u.equal(one) {
  1157  			t.Fatal("(r*a) * r*(a^-1) == r)")
  1158  		}
  1159  	}
  1160  }
  1161  
  1162  func TestFp12Serialization(t *testing.T) {
  1163  	field := newFp12(nil)
  1164  	for i := 0; i < fuz; i++ {
  1165  		a, _ := new(fe12).rand(rand.Reader)
  1166  		b, err := field.fromBytes(field.toBytes(a))
  1167  		if err != nil {
  1168  			t.Fatal(err)
  1169  		}
  1170  		if !a.equal(b) {
  1171  			t.Fatal("bad serialization")
  1172  		}
  1173  	}
  1174  }
  1175  
  1176  func TestFp12AdditionProperties(t *testing.T) {
  1177  	field := newFp12(nil)
  1178  	for i := 0; i < fuz; i++ {
  1179  		zero := field.zero()
  1180  		a, _ := new(fe12).rand(rand.Reader)
  1181  		b, _ := new(fe12).rand(rand.Reader)
  1182  		c_1 := field.new()
  1183  		c_2 := field.new()
  1184  		field.add(c_1, a, zero)
  1185  		if !c_1.equal(a) {
  1186  			t.Fatal("a + 0 == a")
  1187  		}
  1188  		field.sub(c_1, a, zero)
  1189  		if !c_1.equal(a) {
  1190  			t.Fatal("a - 0 == a")
  1191  		}
  1192  		field.double(c_1, zero)
  1193  		if !c_1.equal(zero) {
  1194  			t.Fatal("2 * 0 == 0")
  1195  		}
  1196  		field.neg(c_1, zero)
  1197  		if !c_1.equal(zero) {
  1198  			t.Fatal("-0 == 0")
  1199  		}
  1200  		field.sub(c_1, zero, a)
  1201  		field.neg(c_2, a)
  1202  		if !c_1.equal(c_2) {
  1203  			t.Fatal("0-a == -a")
  1204  		}
  1205  		field.double(c_1, a)
  1206  		field.add(c_2, a, a)
  1207  		if !c_1.equal(c_2) {
  1208  			t.Fatal("2 * a == a + a")
  1209  		}
  1210  		field.add(c_1, a, b)
  1211  		field.add(c_2, b, a)
  1212  		if !c_1.equal(c_2) {
  1213  			t.Fatal("a + b = b + a")
  1214  		}
  1215  		field.sub(c_1, a, b)
  1216  		field.sub(c_2, b, a)
  1217  		field.neg(c_2, c_2)
  1218  		if !c_1.equal(c_2) {
  1219  			t.Fatal("a - b = - ( b - a )")
  1220  		}
  1221  		c_x, _ := new(fe12).rand(rand.Reader)
  1222  		field.add(c_1, a, b)
  1223  		field.add(c_1, c_1, c_x)
  1224  		field.add(c_2, a, c_x)
  1225  		field.add(c_2, c_2, b)
  1226  		if !c_1.equal(c_2) {
  1227  			t.Fatal("(a + b) + c == (a + c ) + b")
  1228  		}
  1229  		field.sub(c_1, a, b)
  1230  		field.sub(c_1, c_1, c_x)
  1231  		field.sub(c_2, a, c_x)
  1232  		field.sub(c_2, c_2, b)
  1233  		if !c_1.equal(c_2) {
  1234  			t.Fatal("(a - b) - c == (a - c ) -b")
  1235  		}
  1236  	}
  1237  }
  1238  
  1239  func TestFp12MultiplicationProperties(t *testing.T) {
  1240  	field := newFp12(nil)
  1241  	for i := 0; i < fuz; i++ {
  1242  		a, _ := new(fe12).rand(rand.Reader)
  1243  		b, _ := new(fe12).rand(rand.Reader)
  1244  		zero := field.zero()
  1245  		one := field.one()
  1246  		c_1, c_2 := field.new(), field.new()
  1247  		field.mul(c_1, a, zero)
  1248  		if !c_1.equal(zero) {
  1249  			t.Fatal("a * 0 == 0")
  1250  		}
  1251  		field.mul(c_1, a, one)
  1252  		if !c_1.equal(a) {
  1253  			t.Fatal("a * 1 == a")
  1254  		}
  1255  		field.mul(c_1, a, b)
  1256  		field.mul(c_2, b, a)
  1257  		if !c_1.equal(c_2) {
  1258  			t.Fatal("a * b == b * a")
  1259  		}
  1260  		c_x, _ := new(fe12).rand(rand.Reader)
  1261  		field.mul(c_1, a, b)
  1262  		field.mul(c_1, c_1, c_x)
  1263  		field.mul(c_2, c_x, b)
  1264  		field.mul(c_2, c_2, a)
  1265  		if !c_1.equal(c_2) {
  1266  			t.Fatal("(a * b) * c == (a * c) * b")
  1267  		}
  1268  		field.square(a, zero)
  1269  		if !a.equal(zero) {
  1270  			t.Fatal("0^2 == 0")
  1271  		}
  1272  		field.square(a, one)
  1273  		if !a.equal(one) {
  1274  			t.Fatal("1^2 == 1")
  1275  		}
  1276  		_, _ = a.rand(rand.Reader)
  1277  		field.square(c_1, a)
  1278  		field.mul(c_2, a, a)
  1279  		if !c_2.equal(c_1) {
  1280  			t.Fatal("a^2 == a*a")
  1281  		}
  1282  	}
  1283  }
  1284  
  1285  func TestFp12MultiplicationPropertiesAssigned(t *testing.T) {
  1286  	field := newFp12(nil)
  1287  	for i := 0; i < fuz; i++ {
  1288  		a, _ := new(fe12).rand(rand.Reader)
  1289  		zero, one := new(fe12).zero(), new(fe12).one()
  1290  		field.mulAssign(a, zero)
  1291  		if !a.equal(zero) {
  1292  			t.Fatal("a * 0 == 0")
  1293  		}
  1294  		_, _ = a.rand(rand.Reader)
  1295  		a0 := new(fe12).set(a)
  1296  		field.mulAssign(a, one)
  1297  		if !a.equal(a0) {
  1298  			t.Fatal("a * 1 == a")
  1299  		}
  1300  		_, _ = a.rand(rand.Reader)
  1301  		b, _ := new(fe12).rand(rand.Reader)
  1302  		a0.set(a)
  1303  		field.mulAssign(a, b)
  1304  		field.mulAssign(b, a0)
  1305  		if !a.equal(b) {
  1306  			t.Fatal("a * b == b * a")
  1307  		}
  1308  		c, _ := new(fe12).rand(rand.Reader)
  1309  		a0.set(a)
  1310  		field.mulAssign(a, b)
  1311  		field.mulAssign(a, c)
  1312  		field.mulAssign(a0, c)
  1313  		field.mulAssign(a0, b)
  1314  		if !a.equal(a0) {
  1315  			t.Fatal("(a * b) * c == (a * c) * b")
  1316  		}
  1317  	}
  1318  }
  1319  
  1320  func TestFp12SparseMultiplication(t *testing.T) {
  1321  	fp12 := newFp12(nil)
  1322  	var a, b, u *fe12
  1323  	for j := 0; j < fuz; j++ {
  1324  		a, _ = new(fe12).rand(rand.Reader)
  1325  		b, _ = new(fe12).rand(rand.Reader)
  1326  		u, _ = new(fe12).rand(rand.Reader)
  1327  		b[0][2].zero()
  1328  		b[1][0].zero()
  1329  		b[1][2].zero()
  1330  		fp12.mul(u, a, b)
  1331  		fp12.mulBy014Assign(a, &b[0][0], &b[0][1], &b[1][1])
  1332  		if !a.equal(u) {
  1333  			t.Fatal("bad mul by 01")
  1334  		}
  1335  	}
  1336  }
  1337  
  1338  func TestFp12Exponentiation(t *testing.T) {
  1339  	field := newFp12(nil)
  1340  	for i := 0; i < fuz; i++ {
  1341  		a, _ := new(fe12).rand(rand.Reader)
  1342  		u := field.new()
  1343  		field.exp(u, a, big.NewInt(0))
  1344  		if !u.equal(field.one()) {
  1345  			t.Fatal("a^0 == 1")
  1346  		}
  1347  		field.exp(u, a, big.NewInt(1))
  1348  		if !u.equal(a) {
  1349  			t.Fatal("a^1 == a")
  1350  		}
  1351  		v := field.new()
  1352  		field.mul(u, a, a)
  1353  		field.mul(u, u, u)
  1354  		field.mul(u, u, u)
  1355  		field.exp(v, a, big.NewInt(8))
  1356  		if !u.equal(v) {
  1357  			t.Fatal("((a^2)^2)^2 == a^8")
  1358  		}
  1359  	}
  1360  }
  1361  
  1362  func TestFp12Inversion(t *testing.T) {
  1363  	field := newFp12(nil)
  1364  	for i := 0; i < fuz; i++ {
  1365  		u := field.new()
  1366  		zero := field.zero()
  1367  		one := field.one()
  1368  		field.inverse(u, zero)
  1369  		if !u.equal(zero) {
  1370  			t.Fatal("(0^-1) == 0)")
  1371  		}
  1372  		field.inverse(u, one)
  1373  		if !u.equal(one) {
  1374  			t.Fatal("(1^-1) == 1)")
  1375  		}
  1376  		a, _ := new(fe12).rand(rand.Reader)
  1377  		field.inverse(u, a)
  1378  		field.mul(u, u, a)
  1379  		if !u.equal(one) {
  1380  			t.Fatal("(r*a) * r*(a^-1) == r)")
  1381  		}
  1382  	}
  1383  }
  1384  
  1385  func BenchmarkMultiplication(t *testing.B) {
  1386  	a, _ := new(fe).rand(rand.Reader)
  1387  	b, _ := new(fe).rand(rand.Reader)
  1388  	c, _ := new(fe).rand(rand.Reader)
  1389  	t.ResetTimer()
  1390  	for i := 0; i < t.N; i++ {
  1391  		mul(c, a, b)
  1392  	}
  1393  }
  1394  
  1395  func BenchmarkInverse(t *testing.B) {
  1396  	a, _ := new(fe).rand(rand.Reader)
  1397  	b, _ := new(fe).rand(rand.Reader)
  1398  	t.ResetTimer()
  1399  	for i := 0; i < t.N; i++ {
  1400  		inverse(a, b)
  1401  	}
  1402  }
  1403  
  1404  func padBytes(in []byte, size int) []byte {
  1405  	out := make([]byte, size)
  1406  	if len(in) > size {
  1407  		panic("bad input for padding")
  1408  	}
  1409  	copy(out[size-len(in):], in)
  1410  	return out
  1411  }