aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMITSUNARI Shigeo <herumi@nifty.com>2018-04-25 13:46:46 +0800
committerMITSUNARI Shigeo <herumi@nifty.com>2018-04-25 13:46:46 +0800
commitede0f9b2072b33ef4b09992a85e4ac842e02ea9b (patch)
tree4284a3982e2da7bf72ec6ada161d7d029eea752a
parente53ae142e89cb18f54fa132f214978cbf0e48c4e (diff)
downloadtangerine-mcl-ede0f9b2072b33ef4b09992a85e4ac842e02ea9b.tar.gz
tangerine-mcl-ede0f9b2072b33ef4b09992a85e4ac842e02ea9b.tar.zst
tangerine-mcl-ede0f9b2072b33ef4b09992a85e4ac842e02ea9b.zip
refactor namespace
Diffstat
-rw-r--r--include/mcl/bn.hpp1717
-rw-r--r--test/bench.hpp27
-rw-r--r--test/bls12_test.cpp8
-rw-r--r--test/bn384_test.cpp2
-rw-r--r--test/bn512_test.cpp2
-rw-r--r--test/bn_test.cpp8
6 files changed, 850 insertions, 914 deletions
diff --git a/include/mcl/bn.hpp b/include/mcl/bn.hpp
index 99a99bf..b5de8cd 100644
--- a/include/mcl/bn.hpp
+++ b/include/mcl/bn.hpp
@@ -494,7 +494,7 @@ struct MapTo {
/*
Software implementation of Attribute-Based Encryption: Appendixes
- GLV for G1 on BN
+ GLV for G1 on BN/BLS12
*/
struct GLV1 {
Fp rw; // rw = 1 / w = (-1 - sqrt(-3)) / 2
@@ -643,7 +643,7 @@ struct GLV1 {
};
/*
- GLV method for G2 and GT on BN
+ GLV method for G2 and GT on BN/BLS12
*/
struct GLV2 {
size_t m;
@@ -956,872 +956,885 @@ struct Param {
} else {
mapTo.init(2 * p - r, z, true);
}
- glv2.init(r, z, isBLS12);
glv1.init(r, z, isBLS12);
+ glv2.init(r, z, isBLS12);
}
};
-} // mcl::bn::local
-
template<size_t dummyImpl = 0>
-struct BNT {
- typedef local::Compress Compress;
+struct StaticVar {
static local::Param param;
+};
- static void mulArrayGLV1(G1& z, const G1& x, const mcl::fp::Unit *y, size_t yn, bool isNegative, bool constTime)
- {
- mpz_class s;
- mcl::gmp::setArray(s, y, yn);
- if (isNegative) s = -s;
- param.glv1.mul(z, x, s, constTime);
- }
- static void mulArrayGLV2(G2& z, const G2& x, const mcl::fp::Unit *y, size_t yn, bool isNegative, bool constTime)
- {
- mpz_class s;
- mcl::gmp::setArray(s, y, yn);
- if (isNegative) s = -s;
- param.glv2.mul(z, x, s, constTime);
- }
- static void powArrayGLV2(Fp12& z, const Fp12& x, const mcl::fp::Unit *y, size_t yn, bool isNegative, bool constTime)
- {
- mpz_class s;
- mcl::gmp::setArray(s, y, yn);
- if (isNegative) s = -s;
- param.glv2.pow(z, x, s, constTime);
- }
- static void init(const mcl::CurveParam& cp = mcl::BN254, fp::Mode mode = fp::FP_AUTO)
- {
- param.init(cp, mode);
- G1::setMulArrayGLV(mulArrayGLV1);
- G2::setMulArrayGLV(mulArrayGLV2);
- Fp12::setPowArrayGLV(powArrayGLV2);
- }
+template<size_t dummyImpl>
+local::Param StaticVar<dummyImpl>::param;
- /*
- y = x^z if z > 0
- = unitaryInv(x^(-z)) if z < 0
- */
- static void pow_z(Fp12& y, const Fp12& x)
- {
+} // mcl::bn::local
+
+namespace BN {
+
+static const local::Param& param = local::StaticVar<>::param;
+
+} // mcl::bn::BN
+
+namespace local {
+
+inline void mulArrayGLV1(G1& z, const G1& x, const mcl::fp::Unit *y, size_t yn, bool isNegative, bool constTime)
+{
+ mpz_class s;
+ mcl::gmp::setArray(s, y, yn);
+ if (isNegative) s = -s;
+ BN::param.glv1.mul(z, x, s, constTime);
+}
+inline void mulArrayGLV2(G2& z, const G2& x, const mcl::fp::Unit *y, size_t yn, bool isNegative, bool constTime)
+{
+ mpz_class s;
+ mcl::gmp::setArray(s, y, yn);
+ if (isNegative) s = -s;
+ BN::param.glv2.mul(z, x, s, constTime);
+}
+inline void powArrayGLV2(Fp12& z, const Fp12& x, const mcl::fp::Unit *y, size_t yn, bool isNegative, bool constTime)
+{
+ mpz_class s;
+ mcl::gmp::setArray(s, y, yn);
+ if (isNegative) s = -s;
+ BN::param.glv2.pow(z, x, s, constTime);
+}
+
+/*
+ Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions
+ Robert Granger, Michael Scott
+*/
+inline void sqrFp4(Fp2& z0, Fp2& z1, const Fp2& x0, const Fp2& x1)
+{
#if 1
- if (param.cp.curveType == MCL_BN254) {
- Compress::fixed_power(y, x);
- } else {
- Fp12 orgX = x;
- y = x;
- Fp12 conj;
- conj.a = x.a;
- Fp6::neg(conj.b, x.b);
- for (size_t i = 1; i < param.zReplTbl.size(); i++) {
- fasterSqr(y, y);
- if (param.zReplTbl[i] > 0) {
- y *= orgX;
- } else if (param.zReplTbl[i] < 0) {
- y *= conj;
- }
- }
- }
+ Fp2Dbl T0, T1, T2;
+ Fp2Dbl::sqrPre(T0, x0);
+ Fp2Dbl::sqrPre(T1, x1);
+ Fp2Dbl::mul_xi(T2, T1);
+ Fp2Dbl::add(T2, T2, T0);
+ Fp2::add(z1, x0, x1);
+ Fp2Dbl::mod(z0, T2);
+ Fp2Dbl::sqrPre(T2, z1);
+ Fp2Dbl::sub(T2, T2, T0);
+ Fp2Dbl::sub(T2, T2, T1);
+ Fp2Dbl::mod(z1, T2);
#else
- Fp12::pow(y, x, param.abs_z);
+ Fp2 t0, t1, t2;
+ Fp2::sqr(t0, x0);
+ Fp2::sqr(t1, x1);
+ Fp2::mul_xi(z0, t1);
+ z0 += t0;
+ Fp2::add(z1, x0, x1);
+ Fp2::sqr(z1, z1);
+ z1 -= t0;
+ z1 -= t1;
#endif
- if (param.isNegative) {
- Fp12::unitaryInv(y, y);
- }
- }
- static void mul_b_div_xi(Fp2& y, const Fp2& x)
- {
- switch (param.twist_b_type) {
- case local::tb_1m1i:
- /*
- b / xi = 1 - 1i
- (a + bi)(1 - 1i) = (a + b) + (b - a)i
- */
- {
- Fp t;
- Fp::add(t, x.a, x.b);
- Fp::sub(y.b, x.b, x.a);
- y.a = t;
- }
- return;
- case local::tb_1m2i:
- /*
- b / xi = 1 - 2i
- (a + bi)(1 - 2i) = (a + 2b) + (b - 2a)i
- */
- {
- Fp t;
- Fp::sub(t, x.b, x.a);
- t -= x.a;
- Fp::add(y.a, x.a, x.b);
- y.a += x.b;
- y.b = t;
- }
- return;
- case local::tb_generic:
- Fp2::mul(y, x, param.twist_b);
- return;
- }
- }
+}
- static void dblLineWithoutP(Fp6& l, G2& Q)
- {
- Fp2 t0, t1, t2, t3, t4, t5;
- Fp2Dbl T0, T1;
- Fp2::sqr(t0, Q.z);
- Fp2::mul(t4, Q.x, Q.y);
- Fp2::sqr(t1, Q.y);
- Fp2::add(t3, t0, t0);
- Fp2::divBy2(t4, t4);
- Fp2::add(t5, t0, t1);
- t0 += t3;
- mul_b_div_xi(t2, t0);
- Fp2::sqr(t0, Q.x);
- Fp2::add(t3, t2, t2);
- t3 += t2;
- Fp2::sub(Q.x, t1, t3);
- t3 += t1;
- Q.x *= t4;
- Fp2::divBy2(t3, t3);
- Fp2Dbl::sqrPre(T0, t3);
- Fp2Dbl::sqrPre(T1, t2);
- Fp2Dbl::sub(T0, T0, T1);
- Fp2Dbl::add(T1, T1, T1);
- Fp2Dbl::sub(T0, T0, T1);
- Fp2::add(t3, Q.y, Q.z);
- Fp2Dbl::mod(Q.y, T0);
- Fp2::sqr(t3, t3);
- t3 -= t5;
- Fp2::mul(Q.z, t1, t3);
- Fp2::sub(l.a, t2, t1);
- l.c = t0;
- l.b = t3;
- }
- static void addLineWithoutP(Fp6& l, G2& R, const G2& Q)
- {
- Fp2 t1, t2, t3, t4;
- Fp2Dbl T1, T2;
- Fp2::mul(t1, R.z, Q.x);
- Fp2::mul(t2, R.z, Q.y);
- Fp2::sub(t1, R.x, t1);
- Fp2::sub(t2, R.y, t2);
- Fp2::sqr(t3, t1);
- Fp2::mul(R.x, t3, R.x);
- Fp2::sqr(t4, t2);
- t3 *= t1;
- t4 *= R.z;
- t4 += t3;
- t4 -= R.x;
- t4 -= R.x;
- R.x -= t4;
- Fp2Dbl::mulPre(T1, t2, R.x);
- Fp2Dbl::mulPre(T2, t3, R.y);
- Fp2Dbl::sub(T2, T1, T2);
- Fp2Dbl::mod(R.y, T2);
- Fp2::mul(R.x, t1, t4);
- Fp2::mul(R.z, t3, R.z);
- Fp2::neg(l.c, t2);
- Fp2Dbl::mulPre(T1, t2, Q.x);
- Fp2Dbl::mulPre(T2, t1, Q.y);
- Fp2Dbl::sub(T1, T1, T2);
- l.b = t1;
- Fp2Dbl::mod(l.a, T1);
- }
- static void dblLine(Fp6& l, G2& Q, const G1& P)
- {
- dblLineWithoutP(l, Q);
- local::updateLine(l, P);
- }
- static void addLine(Fp6& l, G2& R, const G2& Q, const G1& P)
- {
- addLineWithoutP(l, R, Q);
- local::updateLine(l, P);
- }
- static void mulFp6cb_by_G1xy(Fp6& y, const Fp6& x, const G1& P)
- {
- assert(P.isNormalized());
- if (&y != &x) y.a = x.a;
- Fp2::mulFp(y.c, x.c, P.x);
- Fp2::mulFp(y.b, x.b, P.y);
- }
+inline void fasterSqr(Fp12& y, const Fp12& x)
+{
+#if 0
+ Fp12::sqr(y, x);
+#else
+ const Fp2& x0(x.a.a);
+ const Fp2& x4(x.a.b);
+ const Fp2& x3(x.a.c);
+ const Fp2& x2(x.b.a);
+ const Fp2& x1(x.b.b);
+ const Fp2& x5(x.b.c);
+ Fp2& y0(y.a.a);
+ Fp2& y4(y.a.b);
+ Fp2& y3(y.a.c);
+ Fp2& y2(y.b.a);
+ Fp2& y1(y.b.b);
+ Fp2& y5(y.b.c);
+ Fp2 t0, t1;
+ sqrFp4(t0, t1, x0, x1);
+ Fp2::sub(y0, t0, x0);
+ y0 += y0;
+ y0 += t0;
+ Fp2::add(y1, t1, x1);
+ y1 += y1;
+ y1 += t1;
+ Fp2 t2, t3;
+ sqrFp4(t0, t1, x2, x3);
+ sqrFp4(t2, t3, x4, x5);
+ Fp2::sub(y4, t0, x4);
+ y4 += y4;
+ y4 += t0;
+ Fp2::add(y5, t1, x5);
+ y5 += y5;
+ y5 += t1;
+ Fp2::mul_xi(t0, t3);
+ Fp2::add(y2, t0, x2);
+ y2 += y2;
+ y2 += t0;
+ Fp2::sub(y3, t2, x3);
+ y3 += y3;
+ y3 += t2;
+#endif
+}
- /*
- x = a + bv + cv^2
- y = (y0, y4, y2) -> (y0, 0, y2, 0, y4, 0)
- z = xy = (a + bv + cv^2)(d + ev)
- = (ad + ce xi) + ((a + b)(d + e) - ad - be)v + (be + cd)v^2
- */
- static void Fp6mul_01(Fp6& z, const Fp6& x, const Fp2& d, const Fp2& e)
- {
- const Fp2& a = x.a;
- const Fp2& b = x.b;
- const Fp2& c = x.c;
- Fp2 t0, t1;
- Fp2Dbl AD, CE, BE, CD, T;
- Fp2Dbl::mulPre(AD, a, d);
- Fp2Dbl::mulPre(CE, c, e);
- Fp2Dbl::mulPre(BE, b, e);
- Fp2Dbl::mulPre(CD, c, d);
- Fp2::add(t0, a, b);
- Fp2::add(t1, d, e);
- Fp2Dbl::mulPre(T, t0, t1);
- T -= AD;
- T -= BE;
- Fp2Dbl::mod(z.b, T);
- Fp2Dbl::mul_xi(CE, CE);
- AD += CE;
- Fp2Dbl::mod(z.a, AD);
- BE += CD;
- Fp2Dbl::mod(z.c, BE);
- }
- /*
- input
- z = (z0 + z1v + z2v^2) + (z3 + z4v + z5v^2)w = Z0 + Z1w
- 0 3 4
- x = (a, b, c) -> (b, 0, 0, c, a, 0) = X0 + X1w
- X0 = b = (b, 0, 0)
- X1 = c + av = (c, a, 0)
- w^2 = v, v^3 = xi
- output
- z <- zx = (Z0X0 + Z1X1v) + ((Z0 + Z1)(X0 + X1) - Z0X0 - Z1X1)w
- Z0X0 = Z0 b
- Z1X1 = Z1 (c, a, 0)
- (Z0 + Z1)(X0 + X1) = (Z0 + Z1) (b + c, a, 0)
- */
- static void mul_403(Fp12& z, const Fp6& x)
- {
- const Fp2& a = x.a;
- const Fp2& b = x.b;
- const Fp2& c = x.c;
+/*
+ y = x^z if z > 0
+ = unitaryInv(x^(-z)) if z < 0
+*/
+inline void pow_z(Fp12& y, const Fp12& x)
+{
#if 1
- Fp6& z0 = z.a;
- Fp6& z1 = z.b;
- Fp6 z0x0, z1x1, t0;
- Fp2 t1;
- Fp2::add(t1, x.b, c);
- Fp6::add(t0, z0, z1);
- Fp2::mul(z0x0.a, z0.a, b);
- Fp2::mul(z0x0.b, z0.b, b);
- Fp2::mul(z0x0.c, z0.c, b);
- Fp6mul_01(z1x1, z1, c, a);
- Fp6mul_01(t0, t0, t1, a);
- Fp6::sub(z.b, t0, z0x0);
- z.b -= z1x1;
- // a + bv + cv^2 = cxi + av + bv^2
- Fp2::mul_xi(z1x1.c, z1x1.c);
- Fp2::add(z.a.a, z0x0.a, z1x1.c);
- Fp2::add(z.a.b, z0x0.b, z1x1.a);
- Fp2::add(z.a.c, z0x0.c, z1x1.b);
+ if (BN::param.cp.curveType == MCL_BN254) {
+ Compress::fixed_power(y, x);
+ } else {
+ Fp12 orgX = x;
+ y = x;
+ Fp12 conj;
+ conj.a = x.a;
+ Fp6::neg(conj.b, x.b);
+ for (size_t i = 1; i < BN::param.zReplTbl.size(); i++) {
+ fasterSqr(y, y);
+ if (BN::param.zReplTbl[i] > 0) {
+ y *= orgX;
+ } else if (BN::param.zReplTbl[i] < 0) {
+ y *= conj;
+ }
+ }
+ }
#else
- Fp2& z0 = z.a.a;
- Fp2& z1 = z.a.b;
- Fp2& z2 = z.a.c;
- Fp2& z3 = z.b.a;
- Fp2& z4 = z.b.b;
- Fp2& z5 = z.b.c;
- Fp2Dbl Z0B, Z1B, Z2B, Z3C, Z4C, Z5C;
- Fp2Dbl T0, T1, T2, T3, T4, T5;
- Fp2 bc, t;
- Fp2::addPre(bc, b, c);
- Fp2::addPre(t, z5, z2);
- Fp2Dbl::mulPre(T5, t, bc);
- Fp2Dbl::mulPre(Z5C, z5, c);
- Fp2Dbl::mulPre(Z2B, z2, b);
- Fp2Dbl::sub(T5, T5, Z5C);
- Fp2Dbl::sub(T5, T5, Z2B);
- Fp2Dbl::mulPre(T0, z1, a);
- T5 += T0;
-
- Fp2::addPre(t, z4, z1);
- Fp2Dbl::mulPre(T4, t, bc);
- Fp2Dbl::mulPre(Z4C, z4, c);
- Fp2Dbl::mulPre(Z1B, z1, b);
- Fp2Dbl::sub(T4, T4, Z4C);
- Fp2Dbl::sub(T4, T4, Z1B);
- Fp2Dbl::mulPre(T0, z0, a);
- T4 += T0;
-
- Fp2::addPre(t, z3, z0);
- Fp2Dbl::mulPre(T3, t, bc);
- Fp2Dbl::mulPre(Z3C, z3, c);
- Fp2Dbl::mulPre(Z0B, z0, b);
- Fp2Dbl::sub(T3, T3, Z3C);
- Fp2Dbl::sub(T3, T3, Z0B);
- Fp2::mul_xi(t, z2);
- Fp2Dbl::mulPre(T0, t, a);
- T3 += T0;
-
- Fp2Dbl::mulPre(T2, z3, a);
- T2 += Z2B;
- T2 += Z4C;
-
- Fp2::mul_xi(t, z5);
- Fp2Dbl::mulPre(T1, t, a);
- T1 += Z1B;
- T1 += Z3C;
-
- Fp2Dbl::mulPre(T0, z4, a);
- T0 += Z5C;
- Fp2Dbl::mul_xi(T0, T0);
- T0 += Z0B;
-
- Fp2Dbl::mod(z0, T0);
- Fp2Dbl::mod(z1, T1);
- Fp2Dbl::mod(z2, T2);
- Fp2Dbl::mod(z3, T3);
- Fp2Dbl::mod(z4, T4);
- Fp2Dbl::mod(z5, T5);
+ Fp12::pow(y, x, param.abs_z);
#endif
+ if (BN::param.isNegative) {
+ Fp12::unitaryInv(y, y);
}
- /*
- input
- z = (z0 + z1v + z2v^2) + (z3 + z4v + z5v^2)w = Z0 + Z1w
- 0 1 4
- x = (a, b, c) -> (a, c, 0, 0, b, 0) = X0 + X1w
- X0 = (a, c, 0)
- X1 = (0, b, 0)
- w^2 = v, v^3 = xi
- output
- z <- zx = (Z0X0 + Z1X1v) + ((Z0 + Z1)(X0 + X1) - Z0X0 - Z1X1)w
- Z0X0 = Z0 (a, c, 0)
- Z1X1 = Z1 (0, b, 0) = Z1 bv
- (Z0 + Z1)(X0 + X1) = (Z0 + Z1) (a, b + c, 0)
-
- (a + bv + cv^2)v = c xi + av + bv^2
- */
- static void mul_041(Fp12& z, const Fp6& x)
- {
- const Fp2& a = x.a;
- const Fp2& b = x.b;
- const Fp2& c = x.c;
- Fp6& z0 = z.a;
- Fp6& z1 = z.b;
- Fp6 z0x0, z1x1, t0;
- Fp2 t1;
- Fp2::mul(z1x1.a, z1.c, b);
- Fp2::mul_xi(z1x1.a, z1x1.a);
- Fp2::mul(z1x1.b, z1.a, b);
- Fp2::mul(z1x1.c, z1.b, b);
- Fp2::add(t1, x.b, c);
- Fp6::add(t0, z0, z1);
- Fp6mul_01(z0x0, z0, a, c);
- Fp6mul_01(t0, t0, a, t1);
- Fp6::sub(z.b, t0, z0x0);
- z.b -= z1x1;
- // a + bv + cv^2 = cxi + av + bv^2
- Fp2::mul_xi(z1x1.c, z1x1.c);
- Fp2::add(z.a.a, z0x0.a, z1x1.c);
- Fp2::add(z.a.b, z0x0.b, z1x1.a);
- Fp2::add(z.a.c, z0x0.c, z1x1.b);
- }
- static void mulSparse(Fp12& z, const Fp6& x)
- {
- if (param.cp.isMtype) {
- mul_041(z, x);
- } else {
- mul_403(z, x);
+}
+inline void mul_b_div_xi(Fp2& y, const Fp2& x)
+{
+ switch (BN::param.twist_b_type) {
+ case local::tb_1m1i:
+ /*
+ b / xi = 1 - 1i
+ (a + bi)(1 - 1i) = (a + b) + (b - a)i
+ */
+ {
+ Fp t;
+ Fp::add(t, x.a, x.b);
+ Fp::sub(y.b, x.b, x.a);
+ y.a = t;
}
- }
- static void convertFp6toFp12(Fp12& y, const Fp6& x)
- {
- y.clear();
- if (param.cp.isMtype) {
- // (a, b, c) -> (a, c, 0, 0, b, 0)
- y.a.a = x.a;
- y.b.b = x.b;
- y.a.b = x.c;
- } else {
- // (a, b, c) -> (b, 0, 0, c, a, 0)
- y.b.b = x.a;
- y.a.a = x.b;
- y.b.a = x.c;
+ return;
+ case local::tb_1m2i:
+ /*
+ b / xi = 1 - 2i
+ (a + bi)(1 - 2i) = (a + 2b) + (b - 2a)i
+ */
+ {
+ Fp t;
+ Fp::sub(t, x.b, x.a);
+ t -= x.a;
+ Fp::add(y.a, x.a, x.b);
+ y.a += x.b;
+ y.b = t;
}
+ return;
+ case local::tb_generic:
+ Fp2::mul(y, x, BN::param.twist_b);
+ return;
}
- static void mulSparse2(Fp12& z, const Fp6& x, const Fp6& y)
- {
- convertFp6toFp12(z, x);
- mulSparse(z, y);
- }
- /*
- Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions
- Robert Granger, Michael Scott
- */
- static void sqrFp4(Fp2& z0, Fp2& z1, const Fp2& x0, const Fp2& x1)
- {
+}
+
+inline void dblLineWithoutP(Fp6& l, G2& Q)
+{
+ Fp2 t0, t1, t2, t3, t4, t5;
+ Fp2Dbl T0, T1;
+ Fp2::sqr(t0, Q.z);
+ Fp2::mul(t4, Q.x, Q.y);
+ Fp2::sqr(t1, Q.y);
+ Fp2::add(t3, t0, t0);
+ Fp2::divBy2(t4, t4);
+ Fp2::add(t5, t0, t1);
+ t0 += t3;
+ mul_b_div_xi(t2, t0);
+ Fp2::sqr(t0, Q.x);
+ Fp2::add(t3, t2, t2);
+ t3 += t2;
+ Fp2::sub(Q.x, t1, t3);
+ t3 += t1;
+ Q.x *= t4;
+ Fp2::divBy2(t3, t3);
+ Fp2Dbl::sqrPre(T0, t3);
+ Fp2Dbl::sqrPre(T1, t2);
+ Fp2Dbl::sub(T0, T0, T1);
+ Fp2Dbl::add(T1, T1, T1);
+ Fp2Dbl::sub(T0, T0, T1);
+ Fp2::add(t3, Q.y, Q.z);
+ Fp2Dbl::mod(Q.y, T0);
+ Fp2::sqr(t3, t3);
+ t3 -= t5;
+ Fp2::mul(Q.z, t1, t3);
+ Fp2::sub(l.a, t2, t1);
+ l.c = t0;
+ l.b = t3;
+}
+inline void addLineWithoutP(Fp6& l, G2& R, const G2& Q)
+{
+ Fp2 t1, t2, t3, t4;
+ Fp2Dbl T1, T2;
+ Fp2::mul(t1, R.z, Q.x);
+ Fp2::mul(t2, R.z, Q.y);
+ Fp2::sub(t1, R.x, t1);
+ Fp2::sub(t2, R.y, t2);
+ Fp2::sqr(t3, t1);
+ Fp2::mul(R.x, t3, R.x);
+ Fp2::sqr(t4, t2);
+ t3 *= t1;
+ t4 *= R.z;
+ t4 += t3;
+ t4 -= R.x;
+ t4 -= R.x;
+ R.x -= t4;
+ Fp2Dbl::mulPre(T1, t2, R.x);
+ Fp2Dbl::mulPre(T2, t3, R.y);
+ Fp2Dbl::sub(T2, T1, T2);
+ Fp2Dbl::mod(R.y, T2);
+ Fp2::mul(R.x, t1, t4);
+ Fp2::mul(R.z, t3, R.z);
+ Fp2::neg(l.c, t2);
+ Fp2Dbl::mulPre(T1, t2, Q.x);
+ Fp2Dbl::mulPre(T2, t1, Q.y);
+ Fp2Dbl::sub(T1, T1, T2);
+ l.b = t1;
+ Fp2Dbl::mod(l.a, T1);
+}
+inline void dblLine(Fp6& l, G2& Q, const G1& P)
+{
+ dblLineWithoutP(l, Q);
+ local::updateLine(l, P);
+}
+inline void addLine(Fp6& l, G2& R, const G2& Q, const G1& P)
+{
+ addLineWithoutP(l, R, Q);
+ local::updateLine(l, P);
+}
+inline void mulFp6cb_by_G1xy(Fp6& y, const Fp6& x, const G1& P)
+{
+ assert(P.isNormalized());
+ if (&y != &x) y.a = x.a;
+ Fp2::mulFp(y.c, x.c, P.x);
+ Fp2::mulFp(y.b, x.b, P.y);
+}
+
+/*
+ x = a + bv + cv^2
+ y = (y0, y4, y2) -> (y0, 0, y2, 0, y4, 0)
+ z = xy = (a + bv + cv^2)(d + ev)
+ = (ad + ce xi) + ((a + b)(d + e) - ad - be)v + (be + cd)v^2
+*/
+inline void Fp6mul_01(Fp6& z, const Fp6& x, const Fp2& d, const Fp2& e)
+{
+ const Fp2& a = x.a;
+ const Fp2& b = x.b;
+ const Fp2& c = x.c;
+ Fp2 t0, t1;
+ Fp2Dbl AD, CE, BE, CD, T;
+ Fp2Dbl::mulPre(AD, a, d);
+ Fp2Dbl::mulPre(CE, c, e);
+ Fp2Dbl::mulPre(BE, b, e);
+ Fp2Dbl::mulPre(CD, c, d);
+ Fp2::add(t0, a, b);
+ Fp2::add(t1, d, e);
+ Fp2Dbl::mulPre(T, t0, t1);
+ T -= AD;
+ T -= BE;
+ Fp2Dbl::mod(z.b, T);
+ Fp2Dbl::mul_xi(CE, CE);
+ AD += CE;
+ Fp2Dbl::mod(z.a, AD);
+ BE += CD;
+ Fp2Dbl::mod(z.c, BE);
+}
+/*
+ input
+ z = (z0 + z1v + z2v^2) + (z3 + z4v + z5v^2)w = Z0 + Z1w
+ 0 3 4
+ x = (a, b, c) -> (b, 0, 0, c, a, 0) = X0 + X1w
+ X0 = b = (b, 0, 0)
+ X1 = c + av = (c, a, 0)
+ w^2 = v, v^3 = xi
+ output
+ z <- zx = (Z0X0 + Z1X1v) + ((Z0 + Z1)(X0 + X1) - Z0X0 - Z1X1)w
+ Z0X0 = Z0 b
+ Z1X1 = Z1 (c, a, 0)
+ (Z0 + Z1)(X0 + X1) = (Z0 + Z1) (b + c, a, 0)
+*/
+inline void mul_403(Fp12& z, const Fp6& x)
+{
+ const Fp2& a = x.a;
+ const Fp2& b = x.b;
+ const Fp2& c = x.c;
#if 1
- Fp2Dbl T0, T1, T2;
- Fp2Dbl::sqrPre(T0, x0);
- Fp2Dbl::sqrPre(T1, x1);
- Fp2Dbl::mul_xi(T2, T1);
- Fp2Dbl::add(T2, T2, T0);
- Fp2::add(z1, x0, x1);
- Fp2Dbl::mod(z0, T2);
- Fp2Dbl::sqrPre(T2, z1);
- Fp2Dbl::sub(T2, T2, T0);
- Fp2Dbl::sub(T2, T2, T1);
- Fp2Dbl::mod(z1, T2);
+ Fp6& z0 = z.a;
+ Fp6& z1 = z.b;
+ Fp6 z0x0, z1x1, t0;
+ Fp2 t1;
+ Fp2::add(t1, x.b, c);
+ Fp6::add(t0, z0, z1);
+ Fp2::mul(z0x0.a, z0.a, b);
+ Fp2::mul(z0x0.b, z0.b, b);
+ Fp2::mul(z0x0.c, z0.c, b);
+ Fp6mul_01(z1x1, z1, c, a);
+ Fp6mul_01(t0, t0, t1, a);
+ Fp6::sub(z.b, t0, z0x0);
+ z.b -= z1x1;
+ // a + bv + cv^2 = cxi + av + bv^2
+ Fp2::mul_xi(z1x1.c, z1x1.c);
+ Fp2::add(z.a.a, z0x0.a, z1x1.c);
+ Fp2::add(z.a.b, z0x0.b, z1x1.a);
+ Fp2::add(z.a.c, z0x0.c, z1x1.b);
#else
- Fp2 t0, t1, t2;
- Fp2::sqr(t0, x0);
- Fp2::sqr(t1, x1);
- Fp2::mul_xi(z0, t1);
- z0 += t0;
- Fp2::add(z1, x0, x1);
- Fp2::sqr(z1, z1);
- z1 -= t0;
- z1 -= t1;
+ Fp2& z0 = z.a.a;
+ Fp2& z1 = z.a.b;
+ Fp2& z2 = z.a.c;
+ Fp2& z3 = z.b.a;
+ Fp2& z4 = z.b.b;
+ Fp2& z5 = z.b.c;
+ Fp2Dbl Z0B, Z1B, Z2B, Z3C, Z4C, Z5C;
+ Fp2Dbl T0, T1, T2, T3, T4, T5;
+ Fp2 bc, t;
+ Fp2::addPre(bc, b, c);
+ Fp2::addPre(t, z5, z2);
+ Fp2Dbl::mulPre(T5, t, bc);
+ Fp2Dbl::mulPre(Z5C, z5, c);
+ Fp2Dbl::mulPre(Z2B, z2, b);
+ Fp2Dbl::sub(T5, T5, Z5C);
+ Fp2Dbl::sub(T5, T5, Z2B);
+ Fp2Dbl::mulPre(T0, z1, a);
+ T5 += T0;
+
+ Fp2::addPre(t, z4, z1);
+ Fp2Dbl::mulPre(T4, t, bc);
+ Fp2Dbl::mulPre(Z4C, z4, c);
+ Fp2Dbl::mulPre(Z1B, z1, b);
+ Fp2Dbl::sub(T4, T4, Z4C);
+ Fp2Dbl::sub(T4, T4, Z1B);
+ Fp2Dbl::mulPre(T0, z0, a);
+ T4 += T0;
+
+ Fp2::addPre(t, z3, z0);
+ Fp2Dbl::mulPre(T3, t, bc);
+ Fp2Dbl::mulPre(Z3C, z3, c);
+ Fp2Dbl::mulPre(Z0B, z0, b);
+ Fp2Dbl::sub(T3, T3, Z3C);
+ Fp2Dbl::sub(T3, T3, Z0B);
+ Fp2::mul_xi(t, z2);
+ Fp2Dbl::mulPre(T0, t, a);
+ T3 += T0;
+
+ Fp2Dbl::mulPre(T2, z3, a);
+ T2 += Z2B;
+ T2 += Z4C;
+
+ Fp2::mul_xi(t, z5);
+ Fp2Dbl::mulPre(T1, t, a);
+ T1 += Z1B;
+ T1 += Z3C;
+
+ Fp2Dbl::mulPre(T0, z4, a);
+ T0 += Z5C;
+ Fp2Dbl::mul_xi(T0, T0);
+ T0 += Z0B;
+
+ Fp2Dbl::mod(z0, T0);
+ Fp2Dbl::mod(z1, T1);
+ Fp2Dbl::mod(z2, T2);
+ Fp2Dbl::mod(z3, T3);
+ Fp2Dbl::mod(z4, T4);
+ Fp2Dbl::mod(z5, T5);
#endif
+}
+/*
+ input
+ z = (z0 + z1v + z2v^2) + (z3 + z4v + z5v^2)w = Z0 + Z1w
+ 0 1 4
+ x = (a, b, c) -> (a, c, 0, 0, b, 0) = X0 + X1w
+ X0 = (a, c, 0)
+ X1 = (0, b, 0)
+ w^2 = v, v^3 = xi
+ output
+ z <- zx = (Z0X0 + Z1X1v) + ((Z0 + Z1)(X0 + X1) - Z0X0 - Z1X1)w
+ Z0X0 = Z0 (a, c, 0)
+ Z1X1 = Z1 (0, b, 0) = Z1 bv
+ (Z0 + Z1)(X0 + X1) = (Z0 + Z1) (a, b + c, 0)
+
+ (a + bv + cv^2)v = c xi + av + bv^2
+*/
+inline void mul_041(Fp12& z, const Fp6& x)
+{
+ const Fp2& a = x.a;
+ const Fp2& b = x.b;
+ const Fp2& c = x.c;
+ Fp6& z0 = z.a;
+ Fp6& z1 = z.b;
+ Fp6 z0x0, z1x1, t0;
+ Fp2 t1;
+ Fp2::mul(z1x1.a, z1.c, b);
+ Fp2::mul_xi(z1x1.a, z1x1.a);
+ Fp2::mul(z1x1.b, z1.a, b);
+ Fp2::mul(z1x1.c, z1.b, b);
+ Fp2::add(t1, x.b, c);
+ Fp6::add(t0, z0, z1);
+ Fp6mul_01(z0x0, z0, a, c);
+ Fp6mul_01(t0, t0, a, t1);
+ Fp6::sub(z.b, t0, z0x0);
+ z.b -= z1x1;
+ // a + bv + cv^2 = cxi + av + bv^2
+ Fp2::mul_xi(z1x1.c, z1x1.c);
+ Fp2::add(z.a.a, z0x0.a, z1x1.c);
+ Fp2::add(z.a.b, z0x0.b, z1x1.a);
+ Fp2::add(z.a.c, z0x0.c, z1x1.b);
+}
+inline void mulSparse(Fp12& z, const Fp6& x)
+{
+ if (BN::param.cp.isMtype) {
+ mul_041(z, x);
+ } else {
+ mul_403(z, x);
}
- static void fasterSqr(Fp12& y, const Fp12& x)
- {
+}
+inline void convertFp6toFp12(Fp12& y, const Fp6& x)
+{
+ y.clear();
+ if (BN::param.cp.isMtype) {
+ // (a, b, c) -> (a, c, 0, 0, b, 0)
+ y.a.a = x.a;
+ y.b.b = x.b;
+ y.a.b = x.c;
+ } else {
+ // (a, b, c) -> (b, 0, 0, c, a, 0)
+ y.b.b = x.a;
+ y.a.a = x.b;
+ y.b.a = x.c;
+ }
+}
+inline void mulSparse2(Fp12& z, const Fp6& x, const Fp6& y)
+{
+ convertFp6toFp12(z, x);
+ mulSparse(z, y);
+}
+inline void mapToCyclotomic(Fp12& y, const Fp12& x)
+{
+ Fp12 z;
+ Fp12::Frobenius2(z, x); // z = x^(p^2)
+ z *= x; // x^(p^2 + 1)
+ Fp12::inv(y, z);
+ Fp6::neg(z.b, z.b); // z^(p^6) = conjugate of z
+ y *= z;
+}
+/*
+ Implementing Pairings at the 192-bit Security Level
+ D.F.Aranha, L.F.Castaneda, E.Knapp, A.Menezes, F.R.Henriquez
+ Section 4
+*/
+inline void expHardPartBLS12(Fp12& y, const Fp12& x)
+{
#if 0
- Fp12::sqr(y, x);
-#else
- const Fp2& x0(x.a.a);
- const Fp2& x4(x.a.b);
- const Fp2& x3(x.a.c);
- const Fp2& x2(x.b.a);
- const Fp2& x1(x.b.b);
- const Fp2& x5(x.b.c);
- Fp2& y0(y.a.a);
- Fp2& y4(y.a.b);
- Fp2& y3(y.a.c);
- Fp2& y2(y.b.a);
- Fp2& y1(y.b.b);
- Fp2& y5(y.b.c);
- Fp2 t0, t1;
- sqrFp4(t0, t1, x0, x1);
- Fp2::sub(y0, t0, x0);
- y0 += y0;
- y0 += t0;
- Fp2::add(y1, t1, x1);
- y1 += y1;
- y1 += t1;
- Fp2 t2, t3;
- sqrFp4(t0, t1, x2, x3);
- sqrFp4(t2, t3, x4, x5);
- Fp2::sub(y4, t0, x4);
- y4 += y4;
- y4 += t0;
- Fp2::add(y5, t1, x5);
- y5 += y5;
- y5 += t1;
- Fp2::mul_xi(t0, t3);
- Fp2::add(y2, t0, x2);
- y2 += y2;
- y2 += t0;
- Fp2::sub(y3, t2, x3);
- y3 += y3;
- y3 += t2;
+ const mpz_class& p = param.p;
+ mpz_class p2 = p * p;
+ mpz_class p4 = p2 * p2;
+ Fp12::pow(y, x, (p4 - p2 + 1) / param.r * 3);
+ return;
#endif
- }
- static void mapToCyclotomic(Fp12& y, const Fp12& x)
- {
- Fp12 z;
- Fp12::Frobenius2(z, x); // z = x^(p^2)
- z *= x; // x^(p^2 + 1)
- Fp12::inv(y, z);
- Fp6::neg(z.b, z.b); // z^(p^6) = conjugate of z
- y *= z;
- }
- /*
- y = x^((p^12 - 1) / r)
- (p^12 - 1) / r = (p^2 + 1) (p^6 - 1) (p^4 - p^2 + 1)/r
- (a + bw)^(p^6) = a - bw in Fp12
- (p^4 - p^2 + 1)/r = c0 + c1 p + c2 p^2 + p^3
- */
- static void finalExp(Fp12& y, const Fp12& x)
- {
#if 1
- mapToCyclotomic(y, x);
+ Fp12 a0, a1, a2, a3, a4, a5, a6, a7;
+ Fp12::unitaryInv(a0, x); // a0 = x^-1
+ fasterSqr(a1, a0); // x^-2
+ pow_z(a2, x); // x^z
+ fasterSqr(a3, a2); // x^2z
+ a1 *= a2; // a1 = x^(z-2)
+ pow_z(a7, a1); // a7 = x^(z^2-2z)
+ pow_z(a4, a7); // a4 = x^(z^3-2z^2)
+ pow_z(a5, a4); // a5 = x^(z^4-2z^3)
+ a3 *= a5; // a3 = x^(z^4-2z^3+2z)
+ pow_z(a6, a3); // a6 = x^(z^5-2z^4+2z^2)
+
+ Fp12::unitaryInv(a1, a1); // x^(2-z)
+ a1 *= a6; // x^(z^5-2z^4+2z^2-z+2)
+ a1 *= x; // x^(z^5-2z^4+2z^2-z+3) = x^c0
+ a3 *= a0; // x^(z^4-2z^3-1) = x^c1
+ Fp12::Frobenius(a3, a3); // x^(c1 p)
+ a1 *= a3; // x^(c0 + c1 p)
+ a4 *= a2; // x^(z^3-2z^2+z) = x^c2
+ Fp12::Frobenius2(a4, a4); // x^(c2 p^2)
+ a1 *= a4; // x^(c0 + c1 p + c2 p^2)
+ a7 *= x; // x^(z^2-2z+1) = x^c3
+ Fp12::Frobenius3(y, a7);
+ y *= a1;
#else
- const mpz_class& p = param.p;
- mpz_class p2 = p * p;
- mpz_class p4 = p2 * p2;
- Fp12::pow(y, x, p2 + 1);
- Fp12::pow(y, y, p4 * p2 - 1);
+ Fp12 t1, t2, t3;
+ Fp12::Frobenius(t1, x);
+ Fp12::Frobenius(t2, t1);
+ Fp12::Frobenius(t3, t2);
+ Fp12::pow(t1, t1, param.exp_c1);
+ Fp12::pow(t2, t2, param.exp_c2);
+ Fp12::pow(t3, t3, param.exp_c3);
+ Fp12::pow(y, x, param.exp_c0);
+ y *= t1;
+ y *= t2;
+ y *= t3;
#endif
- if (param.isBLS12) {
- expHardPartBLS12(y, y);
- } else {
- expHardPartBN(y, y);
- }
- }
- /*
- Faster Hashing to G2
- Laura Fuentes-Castaneda, Edward Knapp, Francisco Rodriguez-Henriquez
- section 4.1
- y = x^(d 2z(6z^2 + 3z + 1)) where
- p = p(z) = 36z^4 + 36z^3 + 24z^2 + 6z + 1
- r = r(z) = 36z^4 + 36z^3 + 18z^2 + 6z + 1
- d = (p^4 - p^2 + 1) / r
- d1 = d 2z(6z^2 + 3z + 1)
- = c0 + c1 p + c2 p^2 + c3 p^3
-
- c0 = 1 + 6z + 12z^2 + 12z^3
- c1 = 4z + 6z^2 + 12z^3
- c2 = 6z + 6z^2 + 12z^3
- c3 = -1 + 4z + 6z^2 + 12z^3
- x -> x^z -> x^2z -> x^4z -> x^6z -> x^(6z^2) -> x^(12z^2) -> x^(12z^3)
- a = x^(6z) x^(6z^2) x^(12z^3)
- b = a / (x^2z)
- x^d1 = (a x^(6z^2) x) b^p a^(p^2) (b / x)^(p^3)
- */
- static void expHardPartBN(Fp12& y, const Fp12& x)
- {
+}
+/*
+ Faster Hashing to G2
+ Laura Fuentes-Castaneda, Edward Knapp, Francisco Rodriguez-Henriquez
+ section 4.1
+ y = x^(d 2z(6z^2 + 3z + 1)) where
+ p = p(z) = 36z^4 + 36z^3 + 24z^2 + 6z + 1
+ r = r(z) = 36z^4 + 36z^3 + 18z^2 + 6z + 1
+ d = (p^4 - p^2 + 1) / r
+ d1 = d 2z(6z^2 + 3z + 1)
+ = c0 + c1 p + c2 p^2 + c3 p^3
+
+ c0 = 1 + 6z + 12z^2 + 12z^3
+ c1 = 4z + 6z^2 + 12z^3
+ c2 = 6z + 6z^2 + 12z^3
+ c3 = -1 + 4z + 6z^2 + 12z^3
+ x -> x^z -> x^2z -> x^4z -> x^6z -> x^(6z^2) -> x^(12z^2) -> x^(12z^3)
+ a = x^(6z) x^(6z^2) x^(12z^3)
+ b = a / (x^2z)
+ x^d1 = (a x^(6z^2) x) b^p a^(p^2) (b / x)^(p^3)
+*/
+inline void expHardPartBN(Fp12& y, const Fp12& x)
+{
#if 0
- const mpz_class& p = param.p;
- mpz_class p2 = p * p;
- mpz_class p4 = p2 * p2;
- Fp12::pow(y, x, (p4 - p2 + 1) / param.r);
- return;
+ const mpz_class& p = param.p;
+ mpz_class p2 = p * p;
+ mpz_class p4 = p2 * p2;
+ Fp12::pow(y, x, (p4 - p2 + 1) / param.r);
+ return;
#endif
#if 1
- Fp12 a, b;
- Fp12 a2, a3;
- pow_z(b, x); // x^z
- fasterSqr(b, b); // x^2z
- fasterSqr(a, b); // x^4z
- a *= b; // x^6z
- pow_z(a2, a); // x^(6z^2)
- a *= a2;
- fasterSqr(a3, a2); // x^(12z^2)
- pow_z(a3, a3); // x^(12z^3)
- a *= a3;
- Fp12::unitaryInv(b, b);
- b *= a;
- a2 *= a;
- Fp12::Frobenius2(a, a);
- a *= a2;
- a *= x;
- Fp12::unitaryInv(y, x);
- y *= b;
- Fp12::Frobenius(b, b);
- a *= b;
- Fp12::Frobenius3(y, y);
- y *= a;
+ Fp12 a, b;
+ Fp12 a2, a3;
+ pow_z(b, x); // x^z
+ fasterSqr(b, b); // x^2z
+ fasterSqr(a, b); // x^4z
+ a *= b; // x^6z
+ pow_z(a2, a); // x^(6z^2)
+ a *= a2;
+ fasterSqr(a3, a2); // x^(12z^2)
+ pow_z(a3, a3); // x^(12z^3)
+ a *= a3;
+ Fp12::unitaryInv(b, b);
+ b *= a;
+ a2 *= a;
+ Fp12::Frobenius2(a, a);
+ a *= a2;
+ a *= x;
+ Fp12::unitaryInv(y, x);
+ y *= b;
+ Fp12::Frobenius(b, b);
+ a *= b;
+ Fp12::Frobenius3(y, y);
+ y *= a;
#else
- Fp12 t1, t2, t3;
- Fp12::Frobenius(t1, x);
- Fp12::Frobenius(t2, t1);
- Fp12::Frobenius(t3, t2);
- Fp12::pow(t1, t1, param.exp_c1);
- Fp12::pow(t2, t2, param.exp_c2);
- Fp12::pow(y, x, param.exp_c0);
- y *= t1;
- y *= t2;
- y *= t3;
-#endif
- }
- /*
- Implementing Pairings at the 192-bit Security Level
- D.F.Aranha, L.F.Castaneda, E.Knapp, A.Menezes, F.R.Henriquez
- Section 4
- */
- static void expHardPartBLS12(Fp12& y, const Fp12& x)
- {
-#if 0
- const mpz_class& p = param.p;
- mpz_class p2 = p * p;
- mpz_class p4 = p2 * p2;
- Fp12::pow(y, x, (p4 - p2 + 1) / param.r * 3);
- return;
+ Fp12 t1, t2, t3;
+ Fp12::Frobenius(t1, x);
+ Fp12::Frobenius(t2, t1);
+ Fp12::Frobenius(t3, t2);
+ Fp12::pow(t1, t1, param.exp_c1);
+ Fp12::pow(t2, t2, param.exp_c2);
+ Fp12::pow(y, x, param.exp_c0);
+ y *= t1;
+ y *= t2;
+ y *= t3;
#endif
+}
+/*
+ remark : returned value is NOT on a curve
+*/
+inline G1 makeAdjP(const G1& P)
+{
+ G1 adjP;
+ Fp::add(adjP.x, P.x, P.x);
+ adjP.x += P.x;
+ Fp::neg(adjP.y, P.y);
+ adjP.z = 1;
+ return adjP;
+}
+
+inline void init(const mcl::CurveParam& cp = mcl::BN254, fp::Mode mode = fp::FP_AUTO)
+{
+ local::StaticVar<>::param.init(cp, mode);
+ G1::setMulArrayGLV(local::mulArrayGLV1);
+ G2::setMulArrayGLV(local::mulArrayGLV2);
+ Fp12::setPowArrayGLV(local::powArrayGLV2);
+}
+
+} // mcl::bn::local
+
+/*
+ y = x^((p^12 - 1) / r)
+ (p^12 - 1) / r = (p^2 + 1) (p^6 - 1) (p^4 - p^2 + 1)/r
+ (a + bw)^(p^6) = a - bw in Fp12
+ (p^4 - p^2 + 1)/r = c0 + c1 p + c2 p^2 + p^3
+*/
+inline void finalExp(Fp12& y, const Fp12& x)
+{
#if 1
- Fp12 a0, a1, a2, a3, a4, a5, a6, a7;
- Fp12::unitaryInv(a0, x); // a0 = x^-1
- fasterSqr(a1, a0); // x^-2
- pow_z(a2, x); // x^z
- fasterSqr(a3, a2); // x^2z
- a1 *= a2; // a1 = x^(z-2)
- pow_z(a7, a1); // a7 = x^(z^2-2z)
- pow_z(a4, a7); // a4 = x^(z^3-2z^2)
- pow_z(a5, a4); // a5 = x^(z^4-2z^3)
- a3 *= a5; // a3 = x^(z^4-2z^3+2z)
- pow_z(a6, a3); // a6 = x^(z^5-2z^4+2z^2)
-
- Fp12::unitaryInv(a1, a1); // x^(2-z)
- a1 *= a6; // x^(z^5-2z^4+2z^2-z+2)
- a1 *= x; // x^(z^5-2z^4+2z^2-z+3) = x^c0
- a3 *= a0; // x^(z^4-2z^3-1) = x^c1
- Fp12::Frobenius(a3, a3); // x^(c1 p)
- a1 *= a3; // x^(c0 + c1 p)
- a4 *= a2; // x^(z^3-2z^2+z) = x^c2
- Fp12::Frobenius2(a4, a4); // x^(c2 p^2)
- a1 *= a4; // x^(c0 + c1 p + c2 p^2)
- a7 *= x; // x^(z^2-2z+1) = x^c3
- Fp12::Frobenius3(y, a7);
- y *= a1;
+ mapToCyclotomic(y, x);
#else
- Fp12 t1, t2, t3;
- Fp12::Frobenius(t1, x);
- Fp12::Frobenius(t2, t1);
- Fp12::Frobenius(t3, t2);
- Fp12::pow(t1, t1, param.exp_c1);
- Fp12::pow(t2, t2, param.exp_c2);
- Fp12::pow(t3, t3, param.exp_c3);
- Fp12::pow(y, x, param.exp_c0);
- y *= t1;
- y *= t2;
- y *= t3;
+ const mpz_class& p = param.p;
+ mpz_class p2 = p * p;
+ mpz_class p4 = p2 * p2;
+ Fp12::pow(y, x, p2 + 1);
+ Fp12::pow(y, y, p4 * p2 - 1);
#endif
+ if (BN::param.isBLS12) {
+ expHardPartBLS12(y, y);
+ } else {
+ expHardPartBN(y, y);
}
- /*
- remark : returned value is NOT on a curve
- */
- static G1 makeAdjP(const G1& P)
- {
- G1 adjP;
- Fp::add(adjP.x, P.x, P.x);
- adjP.x += P.x;
- Fp::neg(adjP.y, P.y);
- adjP.z = 1;
- return adjP;
+}
+inline void millerLoop(Fp12& f, const G1& P_, const G2& Q_)
+{
+ G1 P(P_);
+ G2 Q(Q_);
+ P.normalize();
+ Q.normalize();
+ if (Q.isZero()) {
+ f = 1;
+ return;
}
- static void millerLoop(Fp12& f, const G1& P_, const G2& Q_)
- {
- G1 P(P_);
- G2 Q(Q_);
- P.normalize();
- Q.normalize();
- if (Q.isZero()) {
- f = 1;
- return;
- }
- assert(param.siTbl[1] == 1);
- G2 T = Q;
- G2 negQ;
- if (param.useNAF) {
- G2::neg(negQ, Q);
- }
- Fp6 d, e, l;
- d = e = l = 1;
- G1 adjP = makeAdjP(P);
- dblLine(d, T, adjP);
- addLine(l, T, Q, P);
- mulSparse2(f, d, l);
- for (size_t i = 2; i < param.siTbl.size(); i++) {
- dblLine(l, T, adjP);
- Fp12::sqr(f, f);
- mulSparse(f, l);
- if (param.siTbl[i]) {
- if (param.siTbl[i] > 0) {
- addLine(l, T, Q, P);
- } else {
- addLine(l, T, negQ, P);
- }
- mulSparse(f, l);
+ assert(BN::param.siTbl[1] == 1);
+ G2 T = Q;
+ G2 negQ;
+ if (BN::param.useNAF) {
+ G2::neg(negQ, Q);
+ }
+ Fp6 d, e, l;
+ d = e = l = 1;
+ G1 adjP = makeAdjP(P);
+ dblLine(d, T, adjP);
+ addLine(l, T, Q, P);
+ mulSparse2(f, d, l);
+ for (size_t i = 2; i < BN::param.siTbl.size(); i++) {
+ dblLine(l, T, adjP);
+ Fp12::sqr(f, f);
+ mulSparse(f, l);
+ if (BN::param.siTbl[i]) {
+ if (BN::param.siTbl[i] > 0) {
+ addLine(l, T, Q, P);
+ } else {
+ addLine(l, T, negQ, P);
}
+ mulSparse(f, l);
}
- if (param.z < 0) {
- G2::neg(T, T);
- Fp6::neg(f.b, f.b);
- }
- if (param.isBLS12) return;
- G2 Q1, Q2;
- Frobenius(Q1, Q);
- Frobenius(Q2, Q1);
- G2::neg(Q2, Q2);
- addLine(d, T, Q1, P);
- addLine(e, T, Q2, P);
- Fp12 ft;
- mulSparse2(ft, d, e);
- f *= ft;
}
- static void pairing(Fp12& f, const G1& P, const G2& Q)
- {
- millerLoop(f, P, Q);
- finalExp(f, f);
+ if (BN::param.z < 0) {
+ G2::neg(T, T);
+ Fp6::neg(f.b, f.b);
+ }
+ if (BN::param.isBLS12) return;
+ G2 Q1, Q2;
+ Frobenius(Q1, Q);
+ Frobenius(Q2, Q1);
+ G2::neg(Q2, Q2);
+ addLine(d, T, Q1, P);
+ addLine(e, T, Q2, P);
+ Fp12 ft;
+ mulSparse2(ft, d, e);
+ f *= ft;
+}
+inline void pairing(Fp12& f, const G1& P, const G2& Q)
+{
+ millerLoop(f, P, Q);
+ finalExp(f, f);
+}
+/*
+ allocate param.precomputedQcoeffSize elements of Fp6 for Qcoeff
+*/
+inline void precomputeG2(Fp6 *Qcoeff, const G2& Q_)
+{
+ size_t idx = 0;
+ G2 Q(Q_);
+ Q.normalize();
+ if (Q.isZero()) {
+ for (size_t i = 0; i < BN::param.precomputedQcoeffSize; i++) {
+ Qcoeff[i] = 1;
+ }
+ return;
}
- /*
- millerLoop(e, P, Q) is same as the following
- std::vector<Fp6> Qcoeff;
- precomputeG2(Qcoeff, Q);
- precomputedMillerLoop(e, P, Qcoeff);
- */
- static void precomputeG2(std::vector<Fp6>& Qcoeff, const G2& Q)
- {
- Qcoeff.resize(param.precomputedQcoeffSize);
- precomputeG2(Qcoeff.data(), Q);
+ G2 T = Q;
+ G2 negQ;
+ if (BN::param.useNAF) {
+ G2::neg(negQ, Q);
}
- /*
- allocate param.precomputedQcoeffSize elements of Fp6 for Qcoeff
- */
- static void precomputeG2(Fp6 *Qcoeff, const G2& Q_)
- {
- size_t idx = 0;
- G2 Q(Q_);
- Q.normalize();
- if (Q.isZero()) {
- for (size_t i = 0; i < param.precomputedQcoeffSize; i++) {
- Qcoeff[i] = 1;
- }
- return;
- }
- G2 T = Q;
- G2 negQ;
- if (param.useNAF) {
- G2::neg(negQ, Q);
- }
- assert(param.siTbl[1] == 1);
+ assert(BN::param.siTbl[1] == 1);
+ dblLineWithoutP(Qcoeff[idx++], T);
+ addLineWithoutP(Qcoeff[idx++], T, Q);
+ for (size_t i = 2; i < BN::param.siTbl.size(); i++) {
dblLineWithoutP(Qcoeff[idx++], T);
- addLineWithoutP(Qcoeff[idx++], T, Q);
- for (size_t i = 2; i < param.siTbl.size(); i++) {
- dblLineWithoutP(Qcoeff[idx++], T);
- if (param.siTbl[i]) {
- if (param.siTbl[i] > 0) {
- addLineWithoutP(Qcoeff[idx++], T, Q);
- } else {
- addLineWithoutP(Qcoeff[idx++], T, negQ);
- }
+ if (BN::param.siTbl[i]) {
+ if (BN::param.siTbl[i] > 0) {
+ addLineWithoutP(Qcoeff[idx++], T, Q);
+ } else {
+ addLineWithoutP(Qcoeff[idx++], T, negQ);
}
}
- if (param.z < 0) {
- G2::neg(T, T);
- }
- if (param.isBLS12) return;
- G2 Q1, Q2;
- Frobenius(Q1, Q);
- Frobenius(Q2, Q1);
- G2::neg(Q2, Q2);
- addLineWithoutP(Qcoeff[idx++], T, Q1);
- addLineWithoutP(Qcoeff[idx++], T, Q2);
- assert(idx == param.precomputedQcoeffSize);
}
- static void precomputedMillerLoop(Fp12& f, const G1& P, const std::vector<Fp6>& Qcoeff)
- {
- precomputedMillerLoop(f, P, Qcoeff.data());
- }
- static void precomputedMillerLoop(Fp12& f, const G1& P_, const Fp6* Qcoeff)
- {
- G1 P(P_);
- P.normalize();
- G1 adjP = makeAdjP(P);
- size_t idx = 0;
- Fp6 d, e, l;
- mulFp6cb_by_G1xy(d, Qcoeff[idx], adjP);
- idx++;
-
- mulFp6cb_by_G1xy(e, Qcoeff[idx], P);
+ if (BN::param.z < 0) {
+ G2::neg(T, T);
+ }
+ if (BN::param.isBLS12) return;
+ G2 Q1, Q2;
+ Frobenius(Q1, Q);
+ Frobenius(Q2, Q1);
+ G2::neg(Q2, Q2);
+ addLineWithoutP(Qcoeff[idx++], T, Q1);
+ addLineWithoutP(Qcoeff[idx++], T, Q2);
+ assert(idx == BN::param.precomputedQcoeffSize);
+}
+/*
+ millerLoop(e, P, Q) is same as the following
+ std::vector<Fp6> Qcoeff;
+ precomputeG2(Qcoeff, Q);
+ precomputedMillerLoop(e, P, Qcoeff);
+*/
+inline void precomputeG2(std::vector<Fp6>& Qcoeff, const G2& Q)
+{
+ Qcoeff.resize(BN::param.precomputedQcoeffSize);
+ precomputeG2(Qcoeff.data(), Q);
+}
+inline void precomputedMillerLoop(Fp12& f, const G1& P_, const Fp6* Qcoeff)
+{
+ G1 P(P_);
+ P.normalize();
+ G1 adjP = makeAdjP(P);
+ size_t idx = 0;
+ Fp6 d, e, l;
+ mulFp6cb_by_G1xy(d, Qcoeff[idx], adjP);
+ idx++;
+
+ mulFp6cb_by_G1xy(e, Qcoeff[idx], P);
+ idx++;
+ mulSparse2(f, d, e);
+ for (size_t i = 2; i < BN::param.siTbl.size(); i++) {
+ mulFp6cb_by_G1xy(l, Qcoeff[idx], adjP);
idx++;
- mulSparse2(f, d, e);
- for (size_t i = 2; i < param.siTbl.size(); i++) {
- mulFp6cb_by_G1xy(l, Qcoeff[idx], adjP);
+ Fp12::sqr(f, f);
+ mulSparse(f, l);
+ if (BN::param.siTbl[i]) {
+ mulFp6cb_by_G1xy(l, Qcoeff[idx], P);
idx++;
- Fp12::sqr(f, f);
mulSparse(f, l);
- if (param.siTbl[i]) {
- mulFp6cb_by_G1xy(l, Qcoeff[idx], P);
- idx++;
- mulSparse(f, l);
- }
- }
- if (param.z < 0) {
- Fp6::neg(f.b, f.b);
}
- if (param.isBLS12) return;
- mulFp6cb_by_G1xy(d, Qcoeff[idx], P);
- idx++;
- mulFp6cb_by_G1xy(e, Qcoeff[idx], P);
- idx++;
- Fp12 ft;
- mulSparse2(ft, d, e);
- f *= ft;
- }
- /*
- f = MillerLoop(P1, Q1) x MillerLoop(P2, Q2)
- */
- static void precomputedMillerLoop2(Fp12& f, const G1& P1, const std::vector<Fp6>& Q1coeff, const G1& P2, const std::vector<Fp6>& Q2coeff)
- {
- precomputedMillerLoop2(f, P1, Q1coeff.data(), P2, Q2coeff.data());
}
- static void precomputedMillerLoop2(Fp12& f, const G1& P1_, const Fp6* Q1coeff, const G1& P2_, const Fp6* Q2coeff)
- {
- G1 P1(P1_), P2(P2_);
- P1.normalize();
- P2.normalize();
- G1 adjP1 = makeAdjP(P1);
- G1 adjP2 = makeAdjP(P2);
- size_t idx = 0;
- Fp6 d1, d2, e1, e2, l1, l2;
- mulFp6cb_by_G1xy(d1, Q1coeff[idx], adjP1);
- mulFp6cb_by_G1xy(d2, Q2coeff[idx], adjP2);
- idx++;
-
- Fp12 f1, f2;
- mulFp6cb_by_G1xy(e1, Q1coeff[idx], P1);
- mulSparse2(f1, d1, e1);
-
- mulFp6cb_by_G1xy(e2, Q2coeff[idx], P2);
- mulSparse2(f2, d2, e2);
- Fp12::mul(f, f1, f2);
+ if (BN::param.z < 0) {
+ Fp6::neg(f.b, f.b);
+ }
+ if (BN::param.isBLS12) return;
+ mulFp6cb_by_G1xy(d, Qcoeff[idx], P);
+ idx++;
+ mulFp6cb_by_G1xy(e, Qcoeff[idx], P);
+ idx++;
+ Fp12 ft;
+ mulSparse2(ft, d, e);
+ f *= ft;
+}
+inline void precomputedMillerLoop(Fp12& f, const G1& P, const std::vector<Fp6>& Qcoeff)
+{
+ precomputedMillerLoop(f, P, Qcoeff.data());
+}
+/*
+ f = MillerLoop(P1, Q1) x MillerLoop(P2, Q2)
+*/
+inline void precomputedMillerLoop2(Fp12& f, const G1& P1_, const Fp6* Q1coeff, const G1& P2_, const Fp6* Q2coeff)
+{
+ G1 P1(P1_), P2(P2_);
+ P1.normalize();
+ P2.normalize();
+ G1 adjP1 = makeAdjP(P1);
+ G1 adjP2 = makeAdjP(P2);
+ size_t idx = 0;
+ Fp6 d1, d2, e1, e2, l1, l2;
+ mulFp6cb_by_G1xy(d1, Q1coeff[idx], adjP1);
+ mulFp6cb_by_G1xy(d2, Q2coeff[idx], adjP2);
+ idx++;
+
+ Fp12 f1, f2;
+ mulFp6cb_by_G1xy(e1, Q1coeff[idx], P1);
+ mulSparse2(f1, d1, e1);
+
+ mulFp6cb_by_G1xy(e2, Q2coeff[idx], P2);
+ mulSparse2(f2, d2, e2);
+ Fp12::mul(f, f1, f2);
+ idx++;
+ for (size_t i = 2; i < BN::param.siTbl.size(); i++) {
+ mulFp6cb_by_G1xy(l1, Q1coeff[idx], adjP1);
+ mulFp6cb_by_G1xy(l2, Q2coeff[idx], adjP2);
idx++;
- for (size_t i = 2; i < param.siTbl.size(); i++) {
- mulFp6cb_by_G1xy(l1, Q1coeff[idx], adjP1);
- mulFp6cb_by_G1xy(l2, Q2coeff[idx], adjP2);
+ Fp12::sqr(f, f);
+ mulSparse2(f1, l1, l2);
+ f *= f1;
+ if (BN::param.siTbl[i]) {
+ mulFp6cb_by_G1xy(l1, Q1coeff[idx], P1);
+ mulFp6cb_by_G1xy(l2, Q2coeff[idx], P2);
idx++;
- Fp12::sqr(f, f);
mulSparse2(f1, l1, l2);
f *= f1;
- if (param.siTbl[i]) {
- mulFp6cb_by_G1xy(l1, Q1coeff[idx], P1);
- mulFp6cb_by_G1xy(l2, Q2coeff[idx], P2);
- idx++;
- mulSparse2(f1, l1, l2);
- f *= f1;
- }
- }
- if (param.z < 0) {
- Fp6::neg(f.b, f.b);
- }
- if (param.isBLS12) return;
- mulFp6cb_by_G1xy(d1, Q1coeff[idx], P1);
- mulFp6cb_by_G1xy(d2, Q2coeff[idx], P2);
- idx++;
- mulFp6cb_by_G1xy(e1, Q1coeff[idx], P1);
- mulFp6cb_by_G1xy(e2, Q2coeff[idx], P2);
- idx++;
- mulSparse2(f1, d1, e1);
- mulSparse2(f2, d2, e2);
- f *= f1;
- f *= f2;
- }
- static void mapToG1(G1& P, const Fp& x) { param.mapTo.calcG1(P, x); }
- static void mapToG2(G2& P, const Fp2& x) { param.mapTo.calcG2(P, x); }
- static void hashAndMapToG1(G1& P, const void *buf, size_t bufSize)
- {
- Fp t;
- t.setHashOf(buf, bufSize);
- mapToG1(P, t);
- }
- static void hashAndMapToG2(G2& P, const void *buf, size_t bufSize)
- {
- Fp2 t;
- t.a.setHashOf(buf, bufSize);
- t.b.clear();
- mapToG2(P, t);
- }
- static void hashAndMapToG1(G1& P, const std::string& str)
- {
- hashAndMapToG1(P, str.c_str(), str.size());
- }
- static void hashAndMapToG2(G2& P, const std::string& str)
- {
- hashAndMapToG2(P, str.c_str(), str.size());
- }
- static void verifyOrderG1(bool doVerify)
- {
- if (param.isBLS12) {
- G1::setOrder(doVerify ? param.r : 0);
}
}
- static void verifyOrderG2(bool doVerify)
- {
- G2::setOrder(doVerify ? param.r : 0);
+ if (BN::param.z < 0) {
+ Fp6::neg(f.b, f.b);
+ }
+ if (BN::param.isBLS12) return;
+ mulFp6cb_by_G1xy(d1, Q1coeff[idx], P1);
+ mulFp6cb_by_G1xy(d2, Q2coeff[idx], P2);
+ idx++;
+ mulFp6cb_by_G1xy(e1, Q1coeff[idx], P1);
+ mulFp6cb_by_G1xy(e2, Q2coeff[idx], P2);
+ idx++;
+ mulSparse2(f1, d1, e1);
+ mulSparse2(f2, d2, e2);
+ f *= f1;
+ f *= f2;
+}
+inline void precomputedMillerLoop2(Fp12& f, const G1& P1, const std::vector<Fp6>& Q1coeff, const G1& P2, const std::vector<Fp6>& Q2coeff)
+{
+ precomputedMillerLoop2(f, P1, Q1coeff.data(), P2, Q2coeff.data());
+}
+inline void mapToG1(G1& P, const Fp& x) { BN::param.mapTo.calcG1(P, x); }
+inline void mapToG2(G2& P, const Fp2& x) { BN::param.mapTo.calcG2(P, x); }
+inline void hashAndMapToG1(G1& P, const void *buf, size_t bufSize)
+{
+ Fp t;
+ t.setHashOf(buf, bufSize);
+ mapToG1(P, t);
+}
+inline void hashAndMapToG2(G2& P, const void *buf, size_t bufSize)
+{
+ Fp2 t;
+ t.a.setHashOf(buf, bufSize);
+ t.b.clear();
+ mapToG2(P, t);
+}
+inline void hashAndMapToG1(G1& P, const std::string& str)
+{
+ hashAndMapToG1(P, str.c_str(), str.size());
+}
+inline void hashAndMapToG2(G2& P, const std::string& str)
+{
+ hashAndMapToG2(P, str.c_str(), str.size());
+}
+inline void verifyOrderG1(bool doVerify)
+{
+ if (BN::param.isBLS12) {
+ G1::setOrder(doVerify ? BN::param.r : 0);
}
-};
-
-template<size_t dummyImpl>
-local::Param BNT<dummyImpl>::param;
+}
+inline void verifyOrderG2(bool doVerify)
+{
+ G2::setOrder(doVerify ? BN::param.r : 0);
+}
// backward compatibility
using mcl::CurveParam;
@@ -1831,8 +1844,6 @@ static const CurveParam& CurveFp382_2 = BN381_2;
static const CurveParam& CurveFp462 = BN462;
static const CurveParam& CurveSNARK1 = BN_SNARK1;
-typedef mcl::bn::BNT<> BN;
-
/*
FrobeniusOnTwist for Dtype
p mod 6 = 1, w^6 = xi
@@ -1867,95 +1878,21 @@ inline void Frobenius3(G2& D, const G2& S)
inline void initPairing(const mcl::CurveParam& cp = mcl::BN254, fp::Mode mode = fp::FP_AUTO)
{
- BN::init(cp, mode);
+ local::init(cp, mode);
G1::setCompressedExpression();
G2::setCompressedExpression();
Fr::init(BN::param.r);
}
-inline void finalExp(Fp12& y, const Fp12& x)
-{
- BN::finalExp(y, x);
-}
-
-inline void hashAndMapToG1(G1& P, const void *buf, size_t bufSize)
-{
- BN::hashAndMapToG1(P, buf, bufSize);
-}
-
-inline void hashAndMapToG1(G1& P, const std::string& str)
-{
- BN::hashAndMapToG1(P, str);
-}
-
-inline void hashAndMapToG2(G2& P, const void *buf, size_t bufSize)
-{
- BN::hashAndMapToG2(P, buf, bufSize);
-}
-
-inline void hashAndMapToG2(G2& P, const std::string& str)
-{
- BN::hashAndMapToG2(P, str);
-}
-
-inline void mapToG1(G1& P, const Fp& x)
-{
- BN::mapToG1(P, x);
-}
+namespace BN {
-inline void mapToG2(G2& P, const Fp2& x)
+using namespace mcl::bn; // backward compatibility
+inline void init(const mcl::CurveParam& cp = mcl::BN254, fp::Mode mode = fp::FP_AUTO)
{
- BN::mapToG2(P, x);
+ local::init(cp, mode);
}
-inline void millerLoop(Fp12& f, const G1& P, const G2& Q)
-{
- BN::millerLoop(f, P, Q);
-}
-inline void pairing(Fp12& f, const G1& P, const G2& Q)
-{
- BN::pairing(f, P, Q);
-}
-
-inline void precomputeG2(std::vector<Fp6>& Qcoeff, const G2& Q)
-{
- BN::precomputeG2(Qcoeff, Q);
-}
-
-inline void precomputeG2(Fp6 *Qcoeff, const G2& Q)
-{
- BN::precomputeG2(Qcoeff, Q);
-}
-
-inline void precomputedMillerLoop(Fp12& f, const G1& P, const std::vector<Fp6>& Qcoeff)
-{
- BN::precomputedMillerLoop(f, P, Qcoeff);
-}
-
-inline void precomputedMillerLoop(Fp12& f, const G1& P, const Fp6* Qcoeff)
-{
- BN::precomputedMillerLoop(f, P, Qcoeff);
-}
-
-inline void precomputedMillerLoop2(Fp12& f, const G1& P1, const std::vector<Fp6>& Q1coeff, const G1& P2, const std::vector<Fp6>& Q2coeff)
-{
- BN::precomputedMillerLoop2(f, P1, Q1coeff, P2, Q2coeff);
-}
-
-inline void precomputedMillerLoop2(Fp12& f, const G1& P1, const Fp6* Q1coeff, const G1& P2, const Fp6* Q2coeff)
-{
- BN::precomputedMillerLoop2(f, P1, Q1coeff, P2, Q2coeff);
-}
-
-inline void verifyOrderG1(bool doVerify)
-{
- BN::verifyOrderG1(doVerify);
-}
-
-inline void verifyOrderG2(bool doVerify)
-{
- BN::verifyOrderG2(doVerify);
-}
+} // mcl::bn::BN
} } // mcl::bn
diff --git a/test/bench.hpp b/test/bench.hpp
index a937dbc..8506b5a 100644
--- a/test/bench.hpp
+++ b/test/bench.hpp
@@ -1,10 +1,9 @@
-template<class CT>
void testBench(const G1& P, const G2& Q)
{
G1 Pa;
G2 Qa;
Fp12 e1, e2;
- CT::pairing(e1, P, Q);
+ pairing(e1, P, Q);
Fp12::pow(e2, e1, 12345);
const int C = 500;
const int C2 = 1000;
@@ -26,22 +25,22 @@ void testBench(const G1& P, const G2& Q)
CYBOZU_BENCH_C("G2::add ", C, G2::add, Qa, Qa, Q);
CYBOZU_BENCH_C("G2::dbl ", C, G2::dbl, Qa, Qa);
CYBOZU_BENCH_C("GT::pow ", C, GT::pow, e1, e1, a);
-// CYBOZU_BENCH_C("GT::powGLV ", C, CT::param.glv2.pow, e1, e1, a);
+// CYBOZU_BENCH_C("GT::powGLV ", C, BN::param.glv2.pow, e1, e1, a);
G1 PP;
G2 QQ;
std::string s;
s = P.getStr();
CYBOZU_BENCH_C("G1::setStr chk", C, PP.setStr, s);
- CT::verifyOrderG1(false);
+ verifyOrderG1(false);
CYBOZU_BENCH_C("G1::setStr ", C, PP.setStr, s);
- CT::verifyOrderG1(true);
+ verifyOrderG1(true);
s = Q.getStr();
CYBOZU_BENCH_C("G2::setStr chk", C, QQ.setStr, s);
- CT::verifyOrderG2(false);
+ verifyOrderG2(false);
CYBOZU_BENCH_C("G2::setStr ", C, QQ.setStr, s);
- CT::verifyOrderG2(true);
- CYBOZU_BENCH_C("hashAndMapToG1", C, CT::hashAndMapToG1, PP, "abc", 3);
- CYBOZU_BENCH_C("hashAndMapToG2", C, CT::hashAndMapToG2, QQ, "abc", 3);
+ verifyOrderG2(true);
+ CYBOZU_BENCH_C("hashAndMapToG1", C, hashAndMapToG1, PP, "abc", 3);
+ CYBOZU_BENCH_C("hashAndMapToG2", C, hashAndMapToG2, QQ, "abc", 3);
CYBOZU_BENCH_C("Fp::add ", C2, Fp::add, x, x, y);
CYBOZU_BENCH_C("Fp::mul ", C2, Fp::mul, x, x, y);
CYBOZU_BENCH_C("Fp::sqr ", C2, Fp::sqr, x, x);
@@ -51,10 +50,10 @@ void testBench(const G1& P, const G2& Q)
CYBOZU_BENCH_C("GT::mul ", C2, GT::mul, e1, e1, e2);
CYBOZU_BENCH_C("GT::sqr ", C2, GT::sqr, e1, e1);
CYBOZU_BENCH_C("GT::inv ", C2, GT::inv, e1, e1);
- CYBOZU_BENCH_C("pairing ", C, CT::pairing, e1, P, Q);
- CYBOZU_BENCH_C("millerLoop ", C, CT::millerLoop, e1, P, Q);
- CYBOZU_BENCH_C("finalExp ", C, CT::finalExp, e1, e1);
+ CYBOZU_BENCH_C("pairing ", C, pairing, e1, P, Q);
+ CYBOZU_BENCH_C("millerLoop ", C, millerLoop, e1, P, Q);
+ CYBOZU_BENCH_C("finalExp ", C, finalExp, e1, e1);
std::vector<Fp6> Qcoeff;
- CT::precomputeG2(Qcoeff, Q);
- CYBOZU_BENCH_C("precomputedML ", C, CT::precomputedMillerLoop, e2, P, Qcoeff);
+ precomputeG2(Qcoeff, Q);
+ CYBOZU_BENCH_C("precomputedML ", C, precomputedMillerLoop, e2, P, Qcoeff);
}
diff --git a/test/bls12_test.cpp b/test/bls12_test.cpp
index 261d10c..4b6eb7a 100644
--- a/test/bls12_test.cpp
+++ b/test/bls12_test.cpp
@@ -320,7 +320,7 @@ CYBOZU_TEST_AUTO(naive)
testPairing(P, Q, ts.e);
testPrecomputed(P, Q);
testMillerLoop2(P, Q);
- testBench<BN>(P, Q);
+ testBench(P, Q);
}
int count = (int)clk.getCount();
if (count) {
@@ -430,7 +430,7 @@ const char *r1Str =
l.a.setStr(l0Str, mode);
l.b.setStr(l4Str, mode);
l.c.setStr(l1Str, mode);
- BN::addLine(l, R, Q, P);
+ local::addLine(l, R, Q, P);
m.a.setStr(m0Str, mode);
m.b.setStr(m4Str, mode);
m.c.setStr(m1Str, mode);
@@ -494,7 +494,7 @@ const char *q1Str =
l.a.setStr(l0Str, mode);
l.b.setStr(l4Str, mode);
l.c.setStr(l1Str, mode);
- BN::dblLine(l, Q, P);
+ local::dblLine(l, Q, P);
m.a.setStr(m0Str, mode);
m.b.setStr(m4Str, mode);
m.c.setStr(m1Str, mode);
@@ -551,7 +551,7 @@ const char *f2Str =
l.c.setStr(l1Str, 16);
f.setStr(fStr, 16);
f2.setStr(f2Str, 16);
- BN::mulSparse(f, l);
+ local::mulSparse(f, l);
CYBOZU_TEST_EQUAL(f, f2);
}
diff --git a/test/bn384_test.cpp b/test/bn384_test.cpp
index ab93c14..11f1690 100644
--- a/test/bn384_test.cpp
+++ b/test/bn384_test.cpp
@@ -33,7 +33,7 @@ void testCurve(const mcl::CurveParam& cp)
pairing(e2, aP, bQ);
GT::pow(e1, e1, a * b);
CYBOZU_TEST_EQUAL(e1, e2);
- testBench<BN>(P, Q);
+ testBench(P, Q);
}
CYBOZU_TEST_AUTO(pairing)
diff --git a/test/bn512_test.cpp b/test/bn512_test.cpp
index f3e6799..dde8950 100644
--- a/test/bn512_test.cpp
+++ b/test/bn512_test.cpp
@@ -33,7 +33,7 @@ void testCurve(const mcl::CurveParam& cp)
pairing(e2, aP, bQ);
GT::pow(e1, e1, a * b);
CYBOZU_TEST_EQUAL(e1, e2);
- testBench<BN>(P, Q);
+ testBench(P, Q);
}
CYBOZU_TEST_AUTO(pairing)
diff --git a/test/bn_test.cpp b/test/bn_test.cpp
index f7a1452..c33e1d9 100644
--- a/test/bn_test.cpp
+++ b/test/bn_test.cpp
@@ -11,7 +11,7 @@ cybozu::CpuClock clk;
#define MCL_AVOID_EXCEPTION_TEST
#endif
-typedef mcl::bn256::BN::Compress Compress;
+typedef mcl::bn::local::Compress Compress;
using namespace mcl::bn256;
mcl::fp::Mode g_mode;
@@ -152,7 +152,7 @@ void testCyclotomic()
for (int i = 0; i < 12; ++i) {
a.getFp0()[i] = i * i;
}
- BN::mapToCyclotomic(a, a);
+ local::mapToCyclotomic(a, a);
Fp12 d;
Compress b(d, a);
a *= a;
@@ -171,7 +171,7 @@ void testCompress(const G1& P, const G2& Q)
if (BN::param.cp.curveType != MCL_BN254) return;
Fp12 a;
pairing(a, P, Q);
- BN::mapToCyclotomic(a, a);
+ local::mapToCyclotomic(a, a);
Fp12 b;
Compress::fixed_power(b, a);
Fp12 c;
@@ -360,7 +360,7 @@ CYBOZU_TEST_AUTO(naive)
testPairing(P, Q, ts.e);
testPrecomputed(P, Q);
testMillerLoop2(P, Q);
- testBench<BN>(P, Q);
+ testBench(P, Q);
}
int count = (int)clk.getCount();
if (count) {
generated by cgit (git 2.34.1) at 2025-10-20 18:07:08 +0800