github.com/theQRL/go-zond@v0.1.1/crypto/bls12381/fp12.go (about) 1 // Copyright 2020 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package bls12381 18 19 import ( 20 "errors" 21 "math/big" 22 ) 23 24 type fp12 struct { 25 fp12temp 26 fp6 *fp6 27 } 28 29 type fp12temp struct { 30 t2 [9]*fe2 31 t6 [5]*fe6 32 t12 *fe12 33 } 34 35 func newFp12Temp() fp12temp { 36 t2 := [9]*fe2{} 37 t6 := [5]*fe6{} 38 for i := 0; i < len(t2); i++ { 39 t2[i] = &fe2{} 40 } 41 for i := 0; i < len(t6); i++ { 42 t6[i] = &fe6{} 43 } 44 return fp12temp{t2, t6, &fe12{}} 45 } 46 47 func newFp12(fp6 *fp6) *fp12 { 48 t := newFp12Temp() 49 if fp6 == nil { 50 return &fp12{t, newFp6(nil)} 51 } 52 return &fp12{t, fp6} 53 } 54 55 func (e *fp12) fp2() *fp2 { 56 return e.fp6.fp2 57 } 58 59 func (e *fp12) fromBytes(in []byte) (*fe12, error) { 60 if len(in) != 576 { 61 return nil, errors.New("input string should be larger than 96 bytes") 62 } 63 fp6 := e.fp6 64 c1, err := fp6.fromBytes(in[:288]) 65 if err != nil { 66 return nil, err 67 } 68 c0, err := fp6.fromBytes(in[288:]) 69 if err != nil { 70 return nil, err 71 } 72 return &fe12{*c0, *c1}, nil 73 } 74 75 func (e *fp12) toBytes(a *fe12) []byte { 76 fp6 := e.fp6 77 out := make([]byte, 576) 78 copy(out[:288], fp6.toBytes(&a[1])) 79 copy(out[288:], fp6.toBytes(&a[0])) 80 return out 81 } 82 83 func (e *fp12) new() *fe12 { 84 return new(fe12) 85 } 86 87 func (e *fp12) zero() *fe12 { 88 return new(fe12) 89 } 90 91 func (e *fp12) one() *fe12 { 92 return new(fe12).one() 93 } 94 95 func (e *fp12) add(c, a, b *fe12) { 96 fp6 := e.fp6 97 fp6.add(&c[0], &a[0], &b[0]) 98 fp6.add(&c[1], &a[1], &b[1]) 99 } 100 101 func (e *fp12) double(c, a *fe12) { 102 fp6 := e.fp6 103 fp6.double(&c[0], &a[0]) 104 fp6.double(&c[1], &a[1]) 105 } 106 107 func (e *fp12) sub(c, a, b *fe12) { 108 fp6 := e.fp6 109 fp6.sub(&c[0], &a[0], &b[0]) 110 fp6.sub(&c[1], &a[1], &b[1]) 111 } 112 113 func (e *fp12) neg(c, a *fe12) { 114 fp6 := e.fp6 115 fp6.neg(&c[0], &a[0]) 116 fp6.neg(&c[1], &a[1]) 117 } 118 119 func (e *fp12) conjugate(c, a *fe12) { 120 fp6 := e.fp6 121 c[0].set(&a[0]) 122 fp6.neg(&c[1], &a[1]) 123 } 124 125 func (e *fp12) square(c, a *fe12) { 126 fp6, t := e.fp6, e.t6 127 fp6.add(t[0], &a[0], &a[1]) 128 fp6.mul(t[2], &a[0], &a[1]) 129 fp6.mulByNonResidue(t[1], &a[1]) 130 fp6.addAssign(t[1], &a[0]) 131 fp6.mulByNonResidue(t[3], t[2]) 132 fp6.mulAssign(t[0], t[1]) 133 fp6.subAssign(t[0], t[2]) 134 fp6.sub(&c[0], t[0], t[3]) 135 fp6.double(&c[1], t[2]) 136 } 137 138 func (e *fp12) cyclotomicSquare(c, a *fe12) { 139 t, fp2 := e.t2, e.fp2() 140 e.fp4Square(t[3], t[4], &a[0][0], &a[1][1]) 141 fp2.sub(t[2], t[3], &a[0][0]) 142 fp2.doubleAssign(t[2]) 143 fp2.add(&c[0][0], t[2], t[3]) 144 fp2.add(t[2], t[4], &a[1][1]) 145 fp2.doubleAssign(t[2]) 146 fp2.add(&c[1][1], t[2], t[4]) 147 e.fp4Square(t[3], t[4], &a[1][0], &a[0][2]) 148 e.fp4Square(t[5], t[6], &a[0][1], &a[1][2]) 149 fp2.sub(t[2], t[3], &a[0][1]) 150 fp2.doubleAssign(t[2]) 151 fp2.add(&c[0][1], t[2], t[3]) 152 fp2.add(t[2], t[4], &a[1][2]) 153 fp2.doubleAssign(t[2]) 154 fp2.add(&c[1][2], t[2], t[4]) 155 fp2.mulByNonResidue(t[3], t[6]) 156 fp2.add(t[2], t[3], &a[1][0]) 157 fp2.doubleAssign(t[2]) 158 fp2.add(&c[1][0], t[2], t[3]) 159 fp2.sub(t[2], t[5], &a[0][2]) 160 fp2.doubleAssign(t[2]) 161 fp2.add(&c[0][2], t[2], t[5]) 162 } 163 164 func (e *fp12) mul(c, a, b *fe12) { 165 t, fp6 := e.t6, e.fp6 166 fp6.mul(t[1], &a[0], &b[0]) 167 fp6.mul(t[2], &a[1], &b[1]) 168 fp6.add(t[0], t[1], t[2]) 169 fp6.mulByNonResidue(t[2], t[2]) 170 fp6.add(t[3], t[1], t[2]) 171 fp6.add(t[1], &a[0], &a[1]) 172 fp6.add(t[2], &b[0], &b[1]) 173 fp6.mulAssign(t[1], t[2]) 174 c[0].set(t[3]) 175 fp6.sub(&c[1], t[1], t[0]) 176 } 177 178 func (e *fp12) mulAssign(a, b *fe12) { 179 t, fp6 := e.t6, e.fp6 180 fp6.mul(t[1], &a[0], &b[0]) 181 fp6.mul(t[2], &a[1], &b[1]) 182 fp6.add(t[0], t[1], t[2]) 183 fp6.mulByNonResidue(t[2], t[2]) 184 fp6.add(t[3], t[1], t[2]) 185 fp6.add(t[1], &a[0], &a[1]) 186 fp6.add(t[2], &b[0], &b[1]) 187 fp6.mulAssign(t[1], t[2]) 188 a[0].set(t[3]) 189 fp6.sub(&a[1], t[1], t[0]) 190 } 191 192 func (e *fp12) fp4Square(c0, c1, a0, a1 *fe2) { 193 t, fp2 := e.t2, e.fp2() 194 fp2.square(t[0], a0) 195 fp2.square(t[1], a1) 196 fp2.mulByNonResidue(t[2], t[1]) 197 fp2.add(c0, t[2], t[0]) 198 fp2.add(t[2], a0, a1) 199 fp2.squareAssign(t[2]) 200 fp2.subAssign(t[2], t[0]) 201 fp2.sub(c1, t[2], t[1]) 202 } 203 204 func (e *fp12) inverse(c, a *fe12) { 205 fp6, t := e.fp6, e.t6 206 fp6.square(t[0], &a[0]) 207 fp6.square(t[1], &a[1]) 208 fp6.mulByNonResidue(t[1], t[1]) 209 fp6.sub(t[1], t[0], t[1]) 210 fp6.inverse(t[0], t[1]) 211 fp6.mul(&c[0], &a[0], t[0]) 212 fp6.mulAssign(t[0], &a[1]) 213 fp6.neg(&c[1], t[0]) 214 } 215 216 func (e *fp12) mulBy014Assign(a *fe12, c0, c1, c4 *fe2) { 217 fp2, fp6, t, t2 := e.fp2(), e.fp6, e.t6, e.t2[0] 218 fp6.mulBy01(t[0], &a[0], c0, c1) 219 fp6.mulBy1(t[1], &a[1], c4) 220 fp2.add(t2, c1, c4) 221 fp6.add(t[2], &a[1], &a[0]) 222 fp6.mulBy01Assign(t[2], c0, t2) 223 fp6.subAssign(t[2], t[0]) 224 fp6.sub(&a[1], t[2], t[1]) 225 fp6.mulByNonResidue(t[1], t[1]) 226 fp6.add(&a[0], t[1], t[0]) 227 } 228 229 func (e *fp12) exp(c, a *fe12, s *big.Int) { 230 z := e.one() 231 for i := s.BitLen() - 1; i >= 0; i-- { 232 e.square(z, z) 233 if s.Bit(i) == 1 { 234 e.mul(z, z, a) 235 } 236 } 237 c.set(z) 238 } 239 240 func (e *fp12) cyclotomicExp(c, a *fe12, s *big.Int) { 241 z := e.one() 242 for i := s.BitLen() - 1; i >= 0; i-- { 243 e.cyclotomicSquare(z, z) 244 if s.Bit(i) == 1 { 245 e.mul(z, z, a) 246 } 247 } 248 c.set(z) 249 } 250 251 func (e *fp12) frobeniusMap(c, a *fe12, power uint) { 252 fp6 := e.fp6 253 fp6.frobeniusMap(&c[0], &a[0], power) 254 fp6.frobeniusMap(&c[1], &a[1], power) 255 switch power { 256 case 0: 257 return 258 case 6: 259 fp6.neg(&c[1], &c[1]) 260 default: 261 fp6.mulByBaseField(&c[1], &c[1], &frobeniusCoeffs12[power]) 262 } 263 } 264 265 func (e *fp12) frobeniusMapAssign(a *fe12, power uint) { 266 fp6 := e.fp6 267 fp6.frobeniusMapAssign(&a[0], power) 268 fp6.frobeniusMapAssign(&a[1], power) 269 switch power { 270 case 0: 271 return 272 case 6: 273 fp6.neg(&a[1], &a[1]) 274 default: 275 fp6.mulByBaseField(&a[1], &a[1], &frobeniusCoeffs12[power]) 276 } 277 }