Skip to content

Commit

Permalink
Merge branch 'master' into releases
Browse files Browse the repository at this point in the history
  • Loading branch information
mmagician committed Jan 16, 2023
2 parents 667ec3e + 24496c9 commit c29a9aa
Show file tree
Hide file tree
Showing 30 changed files with 258 additions and 190 deletions.
2 changes: 1 addition & 1 deletion .github/release-pr-template.ejs
Original file line number Diff line number Diff line change
Expand Up @@ -9,5 +9,5 @@ This is a release PR for version **<%= version.actual %>**<%
You will still need to manually publish the cargo crate:

```
$ make VERSION=<latest version> release
$ make VERSION=<%= version.actual %> release
```
2 changes: 1 addition & 1 deletion ec/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ pub trait AffineRepr:
/// `Self::ScalarField`.
#[must_use]
fn mul_by_cofactor_inv(&self) -> Self {
self.mul_bigint(&Self::Config::COFACTOR_INV.into_bigint())
self.mul_bigint(Self::Config::COFACTOR_INV.into_bigint())
.into()
}
}
Expand Down
155 changes: 83 additions & 72 deletions ec/src/models/bn/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ pub enum TwistType {
D,
}

pub trait BnConfig: 'static {
pub trait BnConfig: 'static + Sized {
/// The absolute value of the BN curve parameter `X`
/// (as in `q = 36 X^4 + 36 X^3 + 24 X^2 + 6 X + 1`).
const X: &'static [u64];
Expand All @@ -46,65 +46,11 @@ pub trait BnConfig: 'static {
BaseField = Fp2<Self::Fp2Config>,
ScalarField = <Self::G1Config as CurveConfig>::ScalarField,
>;
}

pub mod g1;
pub mod g2;

pub use self::{
g1::{G1Affine, G1Prepared, G1Projective},
g2::{G2Affine, G2Prepared, G2Projective},
};

#[derive(Derivative)]
#[derivative(Copy, Clone, PartialEq, Eq, Debug, Hash)]
pub struct Bn<P: BnConfig>(PhantomData<fn() -> P>);

impl<P: BnConfig> Bn<P> {
/// Evaluates the line function at point p.
fn ell(f: &mut Fp12<P::Fp12Config>, coeffs: &g2::EllCoeff<P>, p: &G1Affine<P>) {
let mut c0 = coeffs.0;
let mut c1 = coeffs.1;
let mut c2 = coeffs.2;

match P::TWIST_TYPE {
TwistType::M => {
c2.mul_assign_by_fp(&p.y);
c1.mul_assign_by_fp(&p.x);
f.mul_by_014(&c0, &c1, &c2);
},
TwistType::D => {
c0.mul_assign_by_fp(&p.y);
c1.mul_assign_by_fp(&p.x);
f.mul_by_034(&c0, &c1, &c2);
},
}
}

fn exp_by_neg_x(mut f: Fp12<P::Fp12Config>) -> Fp12<P::Fp12Config> {
f = f.cyclotomic_exp(&P::X);
if !P::X_IS_NEGATIVE {
f.cyclotomic_inverse_in_place();
}
f
}
}

impl<P: BnConfig> Pairing for Bn<P> {
type BaseField = <P::G1Config as CurveConfig>::BaseField;
type ScalarField = <P::G1Config as CurveConfig>::ScalarField;
type G1 = G1Projective<P>;
type G1Affine = G1Affine<P>;
type G1Prepared = G1Prepared<P>;
type G2 = G2Projective<P>;
type G2Affine = G2Affine<P>;
type G2Prepared = G2Prepared<P>;
type TargetField = Fp12<P::Fp12Config>;

fn multi_miller_loop(
a: impl IntoIterator<Item = impl Into<Self::G1Prepared>>,
b: impl IntoIterator<Item = impl Into<Self::G2Prepared>>,
) -> MillerLoopOutput<Self> {
a: impl IntoIterator<Item = impl Into<G1Prepared<Self>>>,
b: impl IntoIterator<Item = impl Into<G2Prepared<Self>>>,
) -> MillerLoopOutput<Bn<Self>> {
let mut pairs = a
.into_iter()
.zip_eq(b)
Expand All @@ -119,44 +65,44 @@ impl<P: BnConfig> Pairing for Bn<P> {

let mut f = cfg_chunks_mut!(pairs, 4)
.map(|pairs| {
let mut f = Self::TargetField::one();
for i in (1..P::ATE_LOOP_COUNT.len()).rev() {
if i != P::ATE_LOOP_COUNT.len() - 1 {
let mut f = <Bn<Self> as Pairing>::TargetField::one();
for i in (1..Self::ATE_LOOP_COUNT.len()).rev() {
if i != Self::ATE_LOOP_COUNT.len() - 1 {
f.square_in_place();
}

for (p, coeffs) in pairs.iter_mut() {
Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
}

let bit = P::ATE_LOOP_COUNT[i - 1];
let bit = Self::ATE_LOOP_COUNT[i - 1];
if bit == 1 || bit == -1 {
for (p, coeffs) in pairs.iter_mut() {
Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
}
}
}
f
})
.product::<Self::TargetField>();
.product::<<Bn<Self> as Pairing>::TargetField>();

if P::X_IS_NEGATIVE {
if Self::X_IS_NEGATIVE {
f.cyclotomic_inverse_in_place();
}

for (p, coeffs) in &mut pairs {
Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
}

for (p, coeffs) in &mut pairs {
Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
}

MillerLoopOutput(f)
}

#[allow(clippy::let_and_return)]
fn final_exponentiation(f: MillerLoopOutput<Self>) -> Option<PairingOutput<Self>> {
fn final_exponentiation(f: MillerLoopOutput<Bn<Self>>) -> Option<PairingOutput<Bn<Self>>> {
// Easy part: result = elt^((q^6-1)*(q^2+1)).
// Follows, e.g., Beuchat et al page 9, by computing result as follows:
// elt^((q^6-1)*(q^2+1)) = (conj(elt) * elt^(-1))^(q^2+1)
Expand Down Expand Up @@ -191,13 +137,13 @@ impl<P: BnConfig> Pairing for Bn<P> {
//
// result = elt^( 2z * ( 6z^2 + 3z + 1 ) * (q^4 - q^2 + 1)/r ).

let y0 = Self::exp_by_neg_x(r);
let y0 = Bn::<Self>::exp_by_neg_x(r);
let y1 = y0.cyclotomic_square();
let y2 = y1.cyclotomic_square();
let mut y3 = y2 * &y1;
let y4 = Self::exp_by_neg_x(y3);
let y4 = Bn::<Self>::exp_by_neg_x(y3);
let y5 = y4.cyclotomic_square();
let mut y6 = Self::exp_by_neg_x(y5);
let mut y6 = Bn::<Self>::exp_by_neg_x(y5);
y3.cyclotomic_inverse_in_place();
y6.cyclotomic_inverse_in_place();
let y7 = y6 * &y4;
Expand All @@ -219,3 +165,68 @@ impl<P: BnConfig> Pairing for Bn<P> {
})
}
}

pub mod g1;
pub mod g2;

pub use self::{
g1::{G1Affine, G1Prepared, G1Projective},
g2::{G2Affine, G2Prepared, G2Projective},
};

#[derive(Derivative)]
#[derivative(Copy, Clone, PartialEq, Eq, Debug, Hash)]
pub struct Bn<P: BnConfig>(PhantomData<fn() -> P>);

impl<P: BnConfig> Bn<P> {
/// Evaluates the line function at point p.
fn ell(f: &mut Fp12<P::Fp12Config>, coeffs: &g2::EllCoeff<P>, p: &G1Affine<P>) {
let mut c0 = coeffs.0;
let mut c1 = coeffs.1;
let mut c2 = coeffs.2;

match P::TWIST_TYPE {
TwistType::M => {
c2.mul_assign_by_fp(&p.y);
c1.mul_assign_by_fp(&p.x);
f.mul_by_014(&c0, &c1, &c2);
},
TwistType::D => {
c0.mul_assign_by_fp(&p.y);
c1.mul_assign_by_fp(&p.x);
f.mul_by_034(&c0, &c1, &c2);
},
}
}

fn exp_by_neg_x(mut f: Fp12<P::Fp12Config>) -> Fp12<P::Fp12Config> {
f = f.cyclotomic_exp(P::X);
if !P::X_IS_NEGATIVE {
f.cyclotomic_inverse_in_place();
}
f
}
}

impl<P: BnConfig> Pairing for Bn<P> {
type BaseField = <P::G1Config as CurveConfig>::BaseField;
type ScalarField = <P::G1Config as CurveConfig>::ScalarField;
type G1 = G1Projective<P>;
type G1Affine = G1Affine<P>;
type G1Prepared = G1Prepared<P>;
type G2 = G2Projective<P>;
type G2Affine = G2Affine<P>;
type G2Prepared = G2Prepared<P>;
type TargetField = Fp12<P::Fp12Config>;

fn multi_miller_loop(
a: impl IntoIterator<Item = impl Into<Self::G1Prepared>>,
b: impl IntoIterator<Item = impl Into<Self::G2Prepared>>,
) -> MillerLoopOutput<Self> {
P::multi_miller_loop(a, b)
}

fn final_exponentiation(f: MillerLoopOutput<Self>) -> Option<PairingOutput<Self>> {
P::final_exponentiation(f)
}
}
2 changes: 1 addition & 1 deletion ec/src/models/bw6/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -160,7 +160,7 @@ impl<P: BW6Config> BW6<P> {
}

fn exp_by_x(mut f: Fp6<P::Fp6Config>) -> Fp6<P::Fp6Config> {
f = f.cyclotomic_exp(&P::X);
f = f.cyclotomic_exp(P::X);
if P::X_IS_NEGATIVE {
f.cyclotomic_inverse_in_place();
}
Expand Down
54 changes: 34 additions & 20 deletions ec/src/models/mnt4/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ pub use self::{

pub type GT<P> = Fp4<P>;

pub trait MNT4Config: 'static {
pub trait MNT4Config: 'static + Sized {
const TWIST: Fp2<Self::Fp2Config>;
const TWIST_COEFF_A: Fp2<Self::Fp2Config>;
const ATE_LOOP_COUNT: &'static [i8];
Expand All @@ -43,6 +43,34 @@ pub trait MNT4Config: 'static {
BaseField = Fp2<Self::Fp2Config>,
ScalarField = <Self::G1Config as CurveConfig>::ScalarField,
>;
fn multi_miller_loop(
a: impl IntoIterator<Item = impl Into<G1Prepared<Self>>>,
b: impl IntoIterator<Item = impl Into<G2Prepared<Self>>>,
) -> MillerLoopOutput<MNT4<Self>> {
let pairs = a
.into_iter()
.zip_eq(b)
.map(|(a, b)| (a.into(), b.into()))
.collect::<Vec<_>>();
let result = cfg_into_iter!(pairs)
.map(|(a, b)| MNT4::<Self>::ate_miller_loop(&a, &b))
.product();
MillerLoopOutput(result)
}

fn final_exponentiation(f: MillerLoopOutput<MNT4<Self>>) -> Option<PairingOutput<MNT4<Self>>> {
let value = f.0;
let value_inv = value.inverse().unwrap();
let value_to_first_chunk =
MNT4::<Self>::final_exponentiation_first_chunk(&value, &value_inv);
let value_inv_to_first_chunk =
MNT4::<Self>::final_exponentiation_first_chunk(&value_inv, &value);
let result = MNT4::<Self>::final_exponentiation_last_chunk(
&value_to_first_chunk,
&value_inv_to_first_chunk,
);
Some(PairingOutput(result))
}
}

#[derive(Derivative)]
Expand Down Expand Up @@ -185,11 +213,11 @@ impl<P: MNT4Config> MNT4<P> {
let mut elt_q = *elt;
elt_q.frobenius_map_in_place(1);

let w1_part = elt_q.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_1);
let w1_part = elt_q.cyclotomic_exp(P::FINAL_EXPONENT_LAST_CHUNK_1);
let w0_part = if P::FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG {
elt_inv_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
elt_inv_clone.cyclotomic_exp(P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
} else {
elt_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
elt_clone.cyclotomic_exp(P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
};

w1_part * &w0_part
Expand All @@ -211,24 +239,10 @@ impl<P: MNT4Config> Pairing for MNT4<P> {
a: impl IntoIterator<Item = impl Into<Self::G1Prepared>>,
b: impl IntoIterator<Item = impl Into<Self::G2Prepared>>,
) -> MillerLoopOutput<Self> {
let pairs = a
.into_iter()
.zip_eq(b)
.map(|(a, b)| (a.into(), b.into()))
.collect::<Vec<_>>();
let result = cfg_into_iter!(pairs)
.map(|(a, b)| Self::ate_miller_loop(&a, &b))
.product();
MillerLoopOutput(result)
P::multi_miller_loop(a, b)
}

fn final_exponentiation(f: MillerLoopOutput<Self>) -> Option<PairingOutput<Self>> {
let value = f.0;
let value_inv = value.inverse().unwrap();
let value_to_first_chunk = Self::final_exponentiation_first_chunk(&value, &value_inv);
let value_inv_to_first_chunk = Self::final_exponentiation_first_chunk(&value_inv, &value);
let result =
Self::final_exponentiation_last_chunk(&value_to_first_chunk, &value_inv_to_first_chunk);
Some(PairingOutput(result))
P::final_exponentiation(f)
}
}
Loading

0 comments on commit c29a9aa

Please sign in to comment.