diff options
| author | MITSUNARI Shigeo <herumi@nifty.com> | 2018-04-01 21:50:34 +0800 |
|---|---|---|
| committer | MITSUNARI Shigeo <herumi@nifty.com> | 2018-04-01 21:50:34 +0800 |
| commit | 2d36f00388b25a06b4ffebb526fd1ec22e81e1f1 (patch) | |
| tree | ede261da7043be1c9bf6e9a45eab4a516bc2ea8e | |
| parent | abdbc00f232f1ae7c4c688936ca9d546ec0e4977 (diff) | |
| download | tangerine-mcl-2d36f00388b25a06b4ffebb526fd1ec22e81e1f1.tar.gz tangerine-mcl-2d36f00388b25a06b4ffebb526fd1ec22e81e1f1.tar.zst tangerine-mcl-2d36f00388b25a06b4ffebb526fd1ec22e81e1f1.zip | |
remove macro for bls12
| -rw-r--r-- | include/mcl/bls12.hpp | 59 | ||||
| -rw-r--r-- | include/mcl/bn.hpp | 70 | ||||
| -rw-r--r-- | include/mcl/pairing_util.hpp | 159 | ||||
| -rw-r--r-- | test/bn384_test.cpp | 2 | ||||
| -rw-r--r-- | test/bn512_test.cpp | 35 |
5 files changed, 140 insertions, 185 deletions
diff --git a/include/mcl/bls12.hpp b/include/mcl/bls12.hpp index 8811d6a..f97c2f7 100644 --- a/include/mcl/bls12.hpp +++ b/include/mcl/bls12.hpp @@ -6,8 +6,6 @@ @license modified new BSD license http://opensource.org/licenses/BSD-3-Clause */ -#define MCL_MTYPE -#define MCL_USE_BLS12 #include <mcl/pairing_util.hpp> namespace mcl { namespace bls12 { @@ -98,9 +96,9 @@ struct ParamT : public util::CommonParamT<Fp> { }; template<class Fp> -struct BLS12T : mcl::util::BasePairingT<Fp, ParamT<Fp> > { +struct BLS12T : mcl::util::BasePairingT<BLS12T<Fp>, Fp, ParamT<Fp> > { typedef ParamT<Fp> Param; - typedef typename mcl::util::BasePairingT<Fp, Param> Base; + typedef typename mcl::util::BasePairingT<BLS12T<Fp>, Fp, Param> Base; typedef mcl::Fp2T<Fp> Fp2; typedef mcl::Fp6T<Fp> Fp6; typedef mcl::Fp12T<Fp> Fp12; @@ -114,6 +112,59 @@ struct BLS12T : mcl::util::BasePairingT<Fp, ParamT<Fp> > { Base::param.init(cp, mode); G2withF::init(cp.isMtype); } + /* + Implementing Pairings at the 192-bit Security Level + D.F.Aranha, L.F.Castaneda, E.Knapp, A.Menezes, F.R.Henriquez + Section 4 + */ + static void expHardPart(Fp12& y, const Fp12& x) + { +#if 0 + const mpz_class& p = param.p; + mpz_class p2 = p * p; + mpz_class p4 = p2 * p2; + Fp12::pow(y, x, (p4 - p2 + 1) / param.r * 3); + return; +#endif +#if 1 + Fp12 a0, a1, a2, a3, a4, a5, a6, a7; + Fp12::unitaryInv(a0, x); // a0 = x^-1 + Base::fasterSqr(a1, a0); // x^-2 + Base::pow_z(a2, x); // x^z + Base::fasterSqr(a3, a2); // x^2z + a1 *= a2; // a1 = x^(z-2) + Base::pow_z(a7, a1); // a7 = x^(z^2-2z) + Base::pow_z(a4, a7); // a4 = x^(z^3-2z^2) + Base::pow_z(a5, a4); // a5 = x^(z^4-2z^3) + a3 *= a5; // a3 = x^(z^4-2z^3+2z) + Base::pow_z(a6, a3); // a6 = x^(z^5-2z^4+2z^2) + + Fp12::unitaryInv(a1, a1); // x^(2-z) + a1 *= a6; // x^(z^5-2z^4+2z^2-z+2) + a1 *= x; // x^(z^5-2z^4+2z^2-z+3) = x^c0 + a3 *= a0; // x^(z^4-2z^3-1) = x^c1 + Fp12::Frobenius(a3, a3); // x^(c1 p) + a1 *= a3; // x^(c0 + c1 p) + a4 *= a2; // x^(z^3-2z^2+z) = x^c2 + Fp12::Frobenius2(a4, a4); // x^(c2 p^2) + a1 *= a4; // x^(c0 + c1 p + c2 p^2) + a7 *= x; // x^(z^2-2z+1) = x^c3 + Fp12::Frobenius3(y, a7); + y *= a1; +#else + Fp12 t1, t2, t3; + Fp12::Frobenius(t1, x); + Fp12::Frobenius(t2, t1); + Fp12::Frobenius(t3, t2); + Fp12::pow(t1, t1, param.exp_c1); + Fp12::pow(t2, t2, param.exp_c2); + Fp12::pow(t3, t3, param.exp_c3); + Fp12::pow(y, x, param.exp_c0); + y *= t1; + y *= t2; + y *= t3; +#endif + } }; } } // mcl::bls12 diff --git a/include/mcl/bn.hpp b/include/mcl/bn.hpp index e03811c..a1b4878 100644 --- a/include/mcl/bn.hpp +++ b/include/mcl/bn.hpp @@ -476,9 +476,9 @@ struct ParamT : public util::CommonParamT<Fp> { }; template<class Fp> -struct BNT : mcl::util::BasePairingT<Fp, ParamT<Fp> > { +struct BNT : mcl::util::BasePairingT<BNT<Fp>, Fp, ParamT<Fp> > { typedef ParamT<Fp> Param; - typedef typename mcl::util::BasePairingT<Fp, Param> Base; + typedef typename mcl::util::BasePairingT<BNT<Fp>, Fp, Param> Base; typedef mcl::Fp2T<Fp> Fp2; typedef mcl::Fp6T<Fp> Fp6; typedef mcl::Fp12T<Fp> Fp12; @@ -516,6 +516,72 @@ struct BNT : mcl::util::BasePairingT<Fp, ParamT<Fp> > { G2::setMulArrayGLV(mulArrayGLV2); Fp12::setPowArrayGLV(powArrayGLV2); } + /* + Faster Hashing to G2 + Laura Fuentes-Castaneda, Edward Knapp, Francisco Rodriguez-Henriquez + section 4.1 + y = x^(d 2z(6z^2 + 3z + 1)) where + p = p(z) = 36z^4 + 36z^3 + 24z^2 + 6z + 1 + r = r(z) = 36z^4 + 36z^3 + 18z^2 + 6z + 1 + d = (p^4 - p^2 + 1) / r + d1 = d 2z(6z^2 + 3z + 1) + = c0 + c1 p + c2 p^2 + c3 p^3 + + c0 = 1 + 6z + 12z^2 + 12z^3 + c1 = 4z + 6z^2 + 12z^3 + c2 = 6z + 6z^2 + 12z^3 + c3 = -1 + 4z + 6z^2 + 12z^3 + x -> x^z -> x^2z -> x^4z -> x^6z -> x^(6z^2) -> x^(12z^2) -> x^(12z^3) + a = x^(6z) x^(6z^2) x^(12z^3) + b = a / (x^2z) + x^d1 = (a x^(6z^2) x) b^p a^(p^2) (b / x)^(p^3) + */ + static void expHardPart(Fp12& y, const Fp12& x) + { +#if 0 + const mpz_class& p = param.p; + mpz_class p2 = p * p; + mpz_class p4 = p2 * p2; + Fp12::pow(y, x, (p4 - p2 + 1) / param.r); + return; +#endif +#if 1 + Fp12 a, b; + Fp12 a2, a3; + Base::pow_z(b, x); // x^z + Base::fasterSqr(b, b); // x^2z + Base::fasterSqr(a, b); // x^4z + a *= b; // x^6z + Base::pow_z(a2, a); // x^(6z^2) + a *= a2; + Base::fasterSqr(a3, a2); // x^(12z^2) + Base::pow_z(a3, a3); // x^(12z^3) + a *= a3; + Fp12::unitaryInv(b, b); + b *= a; + a2 *= a; + Fp12::Frobenius2(a, a); + a *= a2; + a *= x; + Fp12::unitaryInv(y, x); + y *= b; + Fp12::Frobenius(b, b); + a *= b; + Fp12::Frobenius3(y, y); + y *= a; +#else + Fp12 t1, t2, t3; + Fp12::Frobenius(t1, x); + Fp12::Frobenius(t2, t1); + Fp12::Frobenius(t3, t2); + Fp12::pow(t1, t1, param.exp_c1); + Fp12::pow(t2, t2, param.exp_c2); + Fp12::pow(y, x, param.exp_c0); + y *= t1; + y *= t2; + y *= t3; +#endif + } }; } } // mcl::bn diff --git a/include/mcl/pairing_util.hpp b/include/mcl/pairing_util.hpp index b9a4d2c..4214637 100644 --- a/include/mcl/pairing_util.hpp +++ b/include/mcl/pairing_util.hpp @@ -108,6 +108,7 @@ struct CommonParamT { mpz_class z; mpz_class abs_z; bool isNegative; + bool isBLS12; mpz_class p; mpz_class r; /* @@ -133,8 +134,8 @@ struct CommonParamT { void initCommonParam(const CurveParam& cp, fp::Mode mode) { - const bool isBLS12 = cp.curveType == mclBls12_CurveFp381; this->cp = cp; + isBLS12 = cp.curveType == mclBls12_CurveFp381; z = mpz_class(cp.z); isNegative = z < 0; if (isNegative) { @@ -269,7 +270,7 @@ typename G2::Fp HaveFrobenius<G2>::g2; template<class G2> typename G2::Fp HaveFrobenius<G2>::g3; -template<class Fp, class Param> +template<class CT, class Fp, class Param> struct BasePairingT { typedef mcl::Fp2T<Fp> Fp2; typedef mcl::Fp6T<Fp> Fp6; @@ -774,11 +775,11 @@ struct BasePairingT { */ static void mulSparse(Fp12& z, const Fp6& x) { -#ifdef MCL_USE_BLS12 - mul_041(z, x); - return; -#endif - mul_403(z, x); + if (param.cp.isMtype) { + mul_041(z, x); + } else { + mul_403(z, x); + } } static void convertFp6toFp12(Fp12& y, const Fp6& x) { @@ -800,32 +801,6 @@ struct BasePairingT { convertFp6toFp12(z, x); mulSparse(z, y); } -#if 0 - /* - y = x^d - d = (p^4 - p^2 + 1)/r = c0 + c1 p + c2 p^2 + p^3 - */ - static void exp_d(Fp12& y, const Fp12& x) - { -#if 1 - Fp12 t1, t2, t3; - Fp12::Frobenius(t1, x); - Fp12::Frobenius(t2, t1); - Fp12::Frobenius(t3, t2); - Fp12::pow(t1, t1, param.exp_c1); - Fp12::pow(t2, t2, param.exp_c2); - Fp12::pow(y, x, param.exp_c0); - y *= t1; - y *= t2; - y *= t3; -#else - const mpz_class& p = param.p; - mpz_class p2 = p * p; - mpz_class p4 = p2 * p2; - Fp12::pow(y, x, (p4 - p2 + 1) / param.r); -#endif - } -#endif /* Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions Robert Granger, Michael Scott @@ -899,52 +874,6 @@ struct BasePairingT { y3 += t2; #endif } - /* - Faster Hashing to G2 - Laura Fuentes-Castaneda, Edward Knapp, Francisco Rodriguez-Henriquez - section 4.1 - y = x^(d 2z(6z^2 + 3z + 1)) where - p = p(z) = 36z^4 + 36z^3 + 24z^2 + 6z + 1 - r = r(z) = 36z^4 + 36z^3 + 18z^2 + 6z + 1 - d = (p^4 - p^2 + 1) / r - d1 = d 2z(6z^2 + 3z + 1) - = c0 + c1 p + c2 p^2 + c3 p^3 - - c0 = 1 + 6z + 12z^2 + 12z^3 - c1 = 4z + 6z^2 + 12z^3 - c2 = 6z + 6z^2 + 12z^3 - c3 = -1 + 4z + 6z^2 + 12z^3 - x -> x^z -> x^2z -> x^4z -> x^6z -> x^(6z^2) -> x^(12z^2) -> x^(12z^3) - a = x^(6z) x^(6z^2) x^(12z^3) - b = a / (x^2z) - x^d1 = (a x^(6z^2) x) b^p a^(p^2) (b / x)^(p^3) - */ - static void exp_d1(Fp12& y, const Fp12& x) - { - Fp12 a, b; - Fp12 a2, a3; - pow_z(b, x); // x^z - fasterSqr(b, b); // x^2z - fasterSqr(a, b); // x^4z - a *= b; // x^6z - pow_z(a2, a); // x^(6z^2) - a *= a2; - fasterSqr(a3, a2); // x^(12z^2) - pow_z(a3, a3); // x^(12z^3) - a *= a3; - Fp12::unitaryInv(b, b); - b *= a; - a2 *= a; - Fp12::Frobenius2(a, a); - a *= a2; - a *= x; - Fp12::unitaryInv(y, x); - y *= b; - Fp12::Frobenius(b, b); - a *= b; - Fp12::Frobenius3(y, y); - y *= a; - } static void mapToCyclotomic(Fp12& y, const Fp12& x) { Fp12 z; @@ -954,56 +883,6 @@ struct BasePairingT { Fp6::neg(z.b, z.b); // z^(p^6) = conjugate of z y *= z; } -#ifdef MCL_USE_BLS12 - static void exp_d(Fp12& y, const Fp12& x) - { -#if 0 - const mpz_class& p = param.p; - mpz_class p2 = p * p; - mpz_class p4 = p2 * p2; - Fp12::pow(y, x, (p4 - p2 + 1) / param.r * 3); - return; -#endif -#if 1 - Fp12 a0, a1, a2, a3, a4, a5, a6, a7; - Fp12::unitaryInv(a0, x); // a0 = x^-1 - fasterSqr(a1, a0); // x^-2 - pow_z(a2, x); // x^z - fasterSqr(a3, a2); // x^2z - a1 *= a2; // a1 = x^(z-2) - pow_z(a7, a1); // a7 = x^(z^2-2z) - pow_z(a4, a7); // a4 = x^(z^3-2z^2) - pow_z(a5, a4); // a5 = x^(z^4-2z^3) - a3 *= a5; // a3 = x^(z^4-2z^3+2z) - pow_z(a6, a3); // a6 = x^(z^5-2z^4+2z^2) - - Fp12::unitaryInv(a1, a1); // x^(2-z) - a1 *= a6; // x^(z^5-2z^4+2z^2-z+2) - a1 *= x; // x^(z^5-2z^4+2z^2-z+3) = x^c0 - a3 *= a0; // x^(z^4-2z^3-1) = x^c1 - Fp12::Frobenius(a3, a3); // x^(c1 p) - a1 *= a3; // x^(c0 + c1 p) - a4 *= a2; // x^(z^3-2z^2+z) = x^c2 - Fp12::Frobenius2(a4, a4); // x^(c2 p^2) - a1 *= a4; // x^(c0 + c1 p + c2 p^2) - a7 *= x; // x^(z^2-2z+1) = x^c3 - Fp12::Frobenius3(y, a7); - y *= a1; -#else - Fp12 t1, t2, t3; - Fp12::Frobenius(t1, x); - Fp12::Frobenius(t2, t1); - Fp12::Frobenius(t3, t2); - Fp12::pow(t1, t1, param.exp_c1); - Fp12::pow(t2, t2, param.exp_c2); - Fp12::pow(t3, t3, param.exp_c3); - Fp12::pow(y, x, param.exp_c0); - y *= t1; - y *= t2; - y *= t3; -#endif - } -#endif /* y = x^((p^12 - 1) / r) (p^12 - 1) / r = (p^2 + 1) (p^6 - 1) (p^4 - p^2 + 1)/r @@ -1021,11 +900,7 @@ struct BasePairingT { Fp12::pow(y, x, p2 + 1); Fp12::pow(y, y, p4 * p2 - 1); #endif -#ifdef MCL_USE_BLS12 - exp_d(y, y); -#else - exp_d1(y, y); -#endif + CT::expHardPart(y, y); } /* remark : returned value is NOT on a curve @@ -1078,7 +953,7 @@ struct BasePairingT { G2::neg(T, T); Fp6::neg(f.b, f.b); } -#ifndef MCL_USE_BLS12 + if (param.isBLS12) return; G2 Q1, Q2; G2withF::Frobenius(Q1, Q); G2withF::Frobenius(Q2, Q1); @@ -1088,7 +963,6 @@ struct BasePairingT { Fp12 ft; mulSparse2(ft, d, e); f *= ft; -#endif } static void pairing(Fp12& f, const G1& P, const G2& Q) { @@ -1141,7 +1015,7 @@ struct BasePairingT { if (param.z < 0) { G2::neg(T, T); } -#ifndef MCL_USE_BLS12 + if (param.isBLS12) return; G2 Q1, Q2; G2withF::Frobenius(Q1, Q); G2withF::Frobenius(Q2, Q1); @@ -1149,7 +1023,6 @@ struct BasePairingT { addLineWithoutP(Qcoeff[idx++], T, Q1); addLineWithoutP(Qcoeff[idx++], T, Q2); assert(idx == param.precomputedQcoeffSize); -#endif } static void precomputedMillerLoop(Fp12& f, const G1& P, const std::vector<Fp6>& Qcoeff) { @@ -1182,7 +1055,7 @@ struct BasePairingT { if (param.z < 0) { Fp6::neg(f.b, f.b); } -#ifndef MCL_USE_BLS12 + if (param.isBLS12) return; mulFp6cb_by_G1xy(d, Qcoeff[idx], P); idx++; mulFp6cb_by_G1xy(e, Qcoeff[idx], P); @@ -1190,7 +1063,6 @@ struct BasePairingT { Fp12 ft; mulSparse2(ft, d, e); f *= ft; -#endif } /* f = MillerLoop(P1, Q1) x MillerLoop(P2, Q2) @@ -1238,7 +1110,7 @@ struct BasePairingT { if (param.z < 0) { Fp6::neg(f.b, f.b); } -#ifndef MCL_USE_BLS12 + if (param.isBLS12) return; mulFp6cb_by_G1xy(d1, Q1coeff[idx], P1); mulFp6cb_by_G1xy(d2, Q2coeff[idx], P2); idx++; @@ -1249,7 +1121,6 @@ struct BasePairingT { mulSparse2(f2, d2, e2); f *= f1; f *= f2; -#endif } static void mapToG1(G1& P, const Fp& x) { param.mapTo.calcG1(P, x); } static void mapToG2(G2& P, const Fp2& x) { param.mapTo.calcG2(P, x); } @@ -1276,8 +1147,8 @@ struct BasePairingT { } }; -template<class Fp, class Param> -Param BasePairingT<Fp, Param>::param; +template<class CT, class Fp, class Param> +Param BasePairingT<CT, Fp, Param>::param; } // mcl::util diff --git a/test/bn384_test.cpp b/test/bn384_test.cpp index af44bee..ea36284 100644 --- a/test/bn384_test.cpp +++ b/test/bn384_test.cpp @@ -33,7 +33,7 @@ void testCurve(const mcl::bn::CurveParam& cp) BN::pairing(e2, aP, bQ); GT::pow(e1, e1, a * b); CYBOZU_TEST_EQUAL(e1, e2); - testBench(P, Q); + testBench<BN>(P, Q); } CYBOZU_TEST_AUTO(pairing) diff --git a/test/bn512_test.cpp b/test/bn512_test.cpp index 2b59023..a5bc660 100644 --- a/test/bn512_test.cpp +++ b/test/bn512_test.cpp @@ -12,38 +12,6 @@ mcl::fp::Mode g_mode; #include "bench.hpp" -void testHashAndMapto(const mcl::bn::CurveParam& cp) -{ - G1 P; - G2 Q; - BN::hashAndMapToG1(P, "test", 4); - BN::hashAndMapToG2(Q, "test", 4); - const char *p = 0; - const char *q = 0; - if (cp == mcl::bn::CurveFp462) { - p = "1 10953c12172901fcbdada97c50a248ee33f57ecad739b5e16d5dee3abf43e4ef282c76eb6dec6e639b5df4a3bde3000d8e850db82b7b0465a979 1326c1cba10792ce942bf7064795c8f6222242a2ece48cf92a227e481588ce8bbdc0e661bfbefd421c440fb9859f95ce0e0a43e81522b1ded5"; - q = "1 118143ce614efdcddd2a56a78615a5a37eb544e0e2456a18e378de01e967d2c28a8e3175211b140e764255e04dbadc3cac95dd8fc78829169513 1603d1906a39839ded9154f199039ace8c564bd205f14b96fd43180f71400df02f9d117bf68b008a845ea952699d163d4ce8c274d092faa42c90 1c81acea0fba05de766733651fc9fe0aa05c490d27ff54236212b0e5c3ed9efc6d91d505d88ce0ef3ac30eb4ae1eb49a7fabeaac3625f21d279b 1d51b2613d65f1f93462163e37415bf75bdfda6eaefba4034a1375590edd340f295f5cbca7f8afe9d1bdf4fbe85a279a5ebe19f403dcf4f35263"; - } else if (cp == mcl::bn::CurveFp382_1) { - p = "1 21e43f3aecae284f008bcf780ef3064c92951c40357de8d6653fecdcaaaa4e539847e3d74becab9a6edcce475cb56374 1668854173ac1d40921a325ed482cf39aad24570eb5ba04b71d96f8f9b5385652a48167365039974c3e215c79305d4f8"; - q = "1 141ed1e349e553088bdd1e118b5cdf10ae382f7305100c7afc8f30c685c659ff3428261f2dc52079fb0ec6158e08689b 1cf6f471ef1a959ae0170a8ee5e9637defeb41b1f85f953223b20349de894741e0f5882dcacbfb7efbb301ec1ba0807c 16a2ce4c680918b0e80596d51d2add3fcc51a9ec986d9eff0be328ebe75cee039047055317871d8b2101b687bda58739 10fed1bc206bd46f48e58b371f70c4df8da5477c5de15c0014967cd81664b131917709216618ee6795ec81a6cad6cc3"; - } else if (cp == mcl::bn::CurveFp382_2) { - p = "1 16e20771f6138ac9254a2b2d03af648192230c1d54a74490ba1c8ea9d4f4962fef22fda740ec8c3600faa49cca4b265f c62cd3384224dacee20b34926e7deb45887959f3db948dc358fe00917fa9723dad5e5146822c513a22888f74156bff3"; - q = "1 5c4a9258661680ffa4bb27db209ad3fb7d1778826fc4c701d0f6b47fc1b0c366ec0b1fcd4873d14a9a4e024e03bbdd5 c0f34a7ad7d698f8aa0821a9c3693d2b396803ec96ebcdfca2cf02b164955c04b582b9f49e6cea2bcd8087546199252 1760d4d6f5b96f18a215fc03756c81ae40582bd2d5c403f0cef4eba774e250db37bcc5cf99fff863b4e3a60a57c4753e 6d432706c8dcc0213cd7f316058a6d97b8e785d6a82158dbd93f0be041acb0c1a732da3e2abff331450fbef5ae42401"; - } else if (cp == mcl::bn::CurveFp254BNb) { - p = "1 eec3cf4d6081a968f03332701b07163bf6b69fdef0b995f067857f018cb7761 1a47fcc17416ae55d2a8c32be5662ff2446e044252d77eb66299e13b38a71452"; - q = "1 1890d3fee3f3cbed840f62846b54cb7386b776da11ae16b2d1b72d1d2467f6ad 1aec28931fbac01fb567b297a5d70252521a965a2a8c890c5ce700d2801742f5 113fd22d2c5264d7ef1a98344777407ed3a622bb8ce9e5efeec15f2c03dc9698 b0ac220896b9efca039babada9536e04cf392cb482508eafab2ad7362509b4a"; - } else { - CYBOZU_TEST_ASSERT(0); - } - G1 P2; - G2 Q2; - P2.setStr(p, 16); - Q2.setStr(q, 16); - CYBOZU_TEST_EQUAL(P, P2); - CYBOZU_TEST_EQUAL(Q, Q2); -} - - void testCurve(const mcl::bn::CurveParam& cp) { initPairing(cp, g_mode); @@ -65,8 +33,7 @@ void testCurve(const mcl::bn::CurveParam& cp) BN::pairing(e2, aP, bQ); GT::pow(e1, e1, a * b); CYBOZU_TEST_EQUAL(e1, e2); - testHashAndMapto(cp); - testBench(P, Q); + testBench<BN>(P, Q); } CYBOZU_TEST_AUTO(pairing) |