From ce0b22d6f108b0bf1d4312377f5cd831e2690307 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 30 Aug 2023 18:59:04 -0300 Subject: [PATCH 01/31] Add function utils to check elements in curve and twisted curve --- scripts/pairing_utils.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/scripts/pairing_utils.py b/scripts/pairing_utils.py index 26aa7632..7635461d 100644 --- a/scripts/pairing_utils.py +++ b/scripts/pairing_utils.py @@ -1,5 +1,25 @@ +import montgomery as monty +import fp2 + # r = 36x**4 + 36x**3 + 18x**2 + 6x + 1 # t = 6x**2 + 1 # x = 4965661367192848881 # s = 6x + 2 -> s = 29793968203157093288 S_NAF = [1, 0, -1, 0, 1, 0, 0, 0, -1, 0, -1, 0, 0, 0, -1, 0, 1, 0, -1, 0, 0, -1, 0, 0, 0, 0, 0, 1, 0, 0, -1, 0, 1, 0, 0, -1, 0, 0, 0, 0, -1, 0, 1, 0, 0, 0, -1, 0, -1, 0, 0, 1, 0, 0, 0, -1, 0, 0, -1, 0, 1, 0, 1, 0, 0, 0] + +def is_in_curve(x, y): + x = monty.out_of(x) + y = monty.out_of(y) + + N = 21888242871839275222246405745257275088696311157297823662689037894645226208583 + a = y ** 2 % N + b = x ** 3 % N + b = (b + 3) % N + return a == b + +def is_in_twisted_curve(x0, x1, y0, y1): + a = (monty.into(19485874751759354771024239261021720505790618469301721065564631296452457478373), monty.into(266929791119991161246907387137283842545076965332900288569378510910307636690)) + b = fp2.exp(x0, x1, 3) + b = fp2.add(*b, *a) + c = fp2.exp(y0, y1, 2) + return b == c From 29a19279665dd52c617b9e35533e4bc319f0251b Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 30 Aug 2023 18:59:38 -0300 Subject: [PATCH 02/31] Add conditional for g2 from affine --- scripts/g2.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/g2.py b/scripts/g2.py index ee6948e2..5fd06c1f 100644 --- a/scripts/g2.py +++ b/scripts/g2.py 
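Review bot: `is_in_twisted_curve` only checks the twist equation, so a point that passes it is not thereby a member of the order-r group G2: the twist E'(Fp2) of this curve has a non-trivial cofactor, and a caller that treats this return value as permission to run the pairing still needs a subgroup-membership check (for example that `r·Q` is the identity) before the input can be trusted. The two validators also disagree with the G2 infinity convention introduced in the next patch: `from_affine` treats all-zero coordinates as the point at infinity, but `is_in_curve(0, 0)` and `is_in_twisted_curve(0, 0, 0, 0)` both evaluate the equation and return False, so the identity is rejected here. `is_in_curve` hardcodes the modulus as a local `N` and `is_in_twisted_curve` rebuilds the coefficient tuple `a` on every call; both are module-level constants and deserve a name plus a one-line comment such as `# twist coefficient b' = 3/(9+i), in Montgomery form`.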
@@ -6,6 +6,9 @@ def neg(x0,x1, y0, y1, z0, z1): return (x0,x1,y0,y1,z0,z1) def from_affine(x0,x1,y0,y1): + if x0 == 0 and x1 == 0 and y0 == 0 and y1 == 0: + return (monty.ONE, 0, monty.ONE, 0, 0, 0) + z0 = monty.ONE z1 = 0 return (x0,x1,y0,y1,z0,z1) From 10e6d3b2d6feaad68d98e1adbe7adb2ef1fd3e14 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 30 Aug 2023 19:00:08 -0300 Subject: [PATCH 03/31] Add tests for conjugate in fp12 and fp2 --- scripts/fp12.py | 8 +++++--- scripts/fp2.py | 9 +++++++++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/scripts/fp12.py b/scripts/fp12.py index 7c050d87..1050080c 100644 --- a/scripts/fp12.py +++ b/scripts/fp12.py @@ -173,7 +173,7 @@ def main(): fp12_two = tuple([monty.TWO] + [0 for _ in range(11)]) fp12_all_one = tuple([monty.ONE for _ in range(12)]) fp12_all_two = tuple([monty.TWO for _ in range(12)]) - ffp12_random = (monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO) + fp12_random = (monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO) # ADDITION assert(add(*fp12_zero, *fp12_zero) == fp12_zero) @@ -216,10 +216,12 @@ def main(): assert(mul(*fp12_all_one,*fp12_all_one_inverse) == fp12_one) assert(mul(*fp12_all_two_inverse, *fp12_all_two) == fp12_one) + # CONJUGATE + assert(conjugate(*conjugate(*fp12_random)) == fp12_random) # CYCLOTOMIC SQUARE - b = conjugate(*ffp12_random) - a = inv(*ffp12_random) + b = conjugate(*fp12_random) + a = inv(*fp12_random) b = mul(*b, *a) a = frb.frobenius_square(*b) a = mul(*a, *b) diff --git a/scripts/fp2.py b/scripts/fp2.py index 9600b4bc..27b91cda 100644 --- a/scripts/fp2.py +++ b/scripts/fp2.py 
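Review bot: The early return `(monty.ONE, 0, monty.ONE, 0, 0, 0)` encodes the point at infinity, but nothing in `from_affine` says so; a reader has to decode the six values as X = (1, 0), Y = (1, 0), Z = (0, 0) in the `(x0, x1, y0, y1, z0, z1)` layout the function otherwise returns. Add `# all-zero affine coordinates encode the identity; return it with Z = 0 (X = Y = 1 are arbitrary non-zero choices)` above the `if`. The branch is also the only place this convention is recognised, so any caller that assembles a projective point by hand instead of calling `from_affine` bypasses it.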
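Review bot: The new `# CONJUGATE` assertion `conjugate(*conjugate(*fp12_random)) == fp12_random` is satisfied by the identity function as well as by a correct conjugate, so it cannot detect an implementation that forgets to negate anything. Pair it with a discriminating check, at least `assert(conjugate(*fp12_random) != fp12_random)` and preferably the exact expected tuple, in the same style as the `(monty.TWO, 0)` check the fp2 test in this commit uses. The renamed `fp12_random` is not random either — it is the fixed alternating ONE/TWO pattern — so a name such as `fp12_alternating` would describe the value.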
@@ -94,6 +94,15 @@ def main(): # (1 + 2i) * 3 = 3 + 6i fp2_three = scalar_mul(*fp2_a, monty.THREE) assert(fp2_three == (monty.THREE, monty.SIX)) + + # (1 + 2i) + (1 - 2i) = 2 + 0i + conjugated_fp2_a = conjugate(*fp2_a) + result = add(*fp2_a, *conjugated_fp2_a) + assert(result == (monty.TWO, 0)) + + # conj(conj((1 + 2i))) = 1 + 2i + fp2_a_aux = conjugate(*conjugated_fp2_a) + assert(fp2_a_aux == (monty.ONE, monty.TWO)) if __name__ == '__main__': main() From d5afe279b53d5156050f3c4f31de83b1a68da77d Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 30 Aug 2023 19:01:09 -0300 Subject: [PATCH 04/31] Fix miller loop errors --- scripts/alt_bn128_pairing.py | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index f32af322..ee3e5d15 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py @@ -49,8 +49,8 @@ def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): t0 = fp2.mul(*Zt,*Zq_squared) t0 = fp2.add(*t0,*t0) t0 = fp2.scalar_mul(*t0,yp) - T = Xt, Yt, Zt - l = (*t3,0,0,0,0,*t3,*t6,0,0) + T = Xt + Yt + Zt + l = (*t0,0,0,0,0,*t3,*t6,0,0) return l, T # Algorithm 27 from https://eprint.iacr.org/2010/354.pdf @@ -118,7 +118,7 @@ def point_addition_and_line_evaluation(xq0, xq1, yq0, yq1, _zq0, _zq1, xr0, xr1, l1 = t1[0], t1[1], t9[0], t9[1], 0, 0 l = l0 + l1 - T = X_T, Y_T, Z_T + T = X_T + Y_T + Z_T return l, T # Algorithm 31 from https://eprint.iacr.org/2010/354.pdf 
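Review bot: `T = Xt + Yt + Zt` in `point_doubling_and_line_evaluation` is tuple concatenation that produces the flat six-element point `miller_loop` later splats with `*T`, but in a file where every other `+` on field elements is an Fp2 addition it reads as arithmetic; the same construct appears as `T = X_T + Y_T + Z_T` in the second hunk of this patch. Writing it as `T = (*Xt, *Yt, *Zt)`, or adding `# concatenate the three Fp2 pairs into the flat (X0,X1,Y0,Y1,Z0,Z1) point layout` on both lines, removes the ambiguity. The enclosing functions start and end outside these hunks.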
@@ -176,19 +176,19 @@ def final_exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, return f -def miller_loop(xp, yp, Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): - T = (Xq0, Xq1, Yq0, Yq1, Zq0, Zq1) +def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): + T = Xq0, Xq1, Yq0, Yq1, Zq0, Zq1 f = fp12.ONE - + for i in range(64, -1, -1): - double_step = point_doubling_and_line_evaluation(xp,yp,*T) + double_step = point_doubling_and_line_evaluation(*T, xp, yp) f = fp12.square(*f) f = fp12.mul(*f,*double_step[0]) T = double_step[1] if pairing_utils.S_NAF[i] == -1: minus_Q = g2.neg(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1) - add_step = point_addition_and_line_evaluation(*minus_Q,*T,xp,yp) + add_step = point_addition_and_line_evaluation(*minus_Q, *T, xp,yp) f = fp12.mul(*f,*add_step[0]) T = add_step[1] @@ -198,17 +198,17 @@ def miller_loop(xp, yp, Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): T = add_step[1] # Q1 <- pi_p(Q) - Xq1 = fp2.conj(Xq0, Xq1) - Yq1 = fp2.conj(Yq0, Yq1) - Xq1 = frb.mul_by_gamma_1_2(*Xq1) - Yq1 = frb.mul_by_gamma_1_3(*Xq1) - Q1 = g2.from_affine(*Xq1, *Yq1) + X_q0, X_q1 = fp2.conjugate(Xq0, Xq1) + Y_q0, Y_q1 = fp2.conjugate(Yq0, Yq1) + X_q0, X_q1 = frb.mul_by_gamma_1_2(X_q0, X_q1) + Y_q0, Y_q1 = frb.mul_by_gamma_1_3(Y_q0, Y_q1) + Q1 = g2.from_affine(X_q0, X_q1, Y_q0, Y_q1) # Q2 <- pi_p_square(Q) - Xq2 = frb.mul_by_gamma_2_2(Xq0, Xq1) - Yq2 = frb.mul_by_gamma_2_3(Yq0, Yq1) - Q2 = g2.from_affine(*Xq2, *Yq2) - Q2 = g2.neg(Q2) + X_q20, X_q21 = frb.mul_by_gamma_2_2(Xq0, Xq1) + Y_q20, Y_q21 = frb.mul_by_gamma_2_3(Yq0, Yq1) + Q2 = g2.from_affine(X_q20, X_q21, Y_q20, Y_q21) + Q2 = g2.neg(*Q2) add_step = point_addition_and_line_evaluation(*Q1,*T,xp,yp) f = fp12.mul(*f,*add_step[0]) From 4a51691d9fd6f3b95c59cb3eeae4cb6e28a8b8b6 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 30 Aug 2023 19:01:36 -0300 Subject: [PATCH 05/31] Add pair function --- scripts/alt_bn128_pairing.py | 5 +++++ 1 file changed, 5 insertions(+) 
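Review bot: `minus_Q = g2.neg(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1)` inside the `== -1` branch of `miller_loop` depends only on the loop-invariant Q, so it is recomputed on every negative digit; compute it once next to `f = fp12.ONE` and reuse it in the loop. The parameter order of `miller_loop` changes here (`xp, yp` move to the end), which silently breaks any caller still passing `(xp, yp, *Q)`; a one-line docstring such as `"""Miller loop. Q is given as (Xq0, Xq1, Yq0, Yq1, Zq0, Zq1), P as affine (xp, yp)."""` would make the new contract explicit at the definition.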
diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index ee3e5d15..1902c32f 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py @@ -219,6 +219,11 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): return f +def pair(xp, yp, Xq0, Xq1, Yq0, Yq1): + f = miller_loop(Xq0, Xq1, Yq0, Yq1, monty.ONE, 0, xp, yp) + f = final_exponentiation(*f) + return f + def main(): # Test 1 fp12_a = (monty.ONE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) From c06240e43520f2d0b0c5c569d3216cbf6c958e88 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 30 Aug 2023 19:02:27 -0300 Subject: [PATCH 06/31] Add pairing test from eth tests --- scripts/alt_bn128_pairing.py | 59 ++++++++++++++++++++++++++++++++---- 1 file changed, 53 insertions(+), 6 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 1902c32f..7ff76412 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
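Review bot: `pair` is the public entry point but performs no input validation: it calls neither `pairing_utils.is_in_curve` / `is_in_twisted_curve` from PATCH 01 nor any subgroup check on Q, so an off-curve point or one outside the order-r group flows straight into `miller_loop` and yields an Fp12 value that looks like a pairing result. It also assembles Q as `(Xq0, Xq1, Yq0, Yq1, monty.ONE, 0)` inline instead of through `g2.from_affine`, which is the only place the all-zero infinity encoding from PATCH 02 is recognised, so an identity Q gets Z = 1 here. Either build Q with `g2.from_affine(Xq0, Xq1, Yq0, Yq1)` and assert the curve and subgroup checks at the top of `pair`, or state in a docstring that callers must validate P and Q first. If this script is meant as a reference for a precompile, that validation is part of the specified behaviour (EIP-197 rejects such inputs) and the reference should exhibit it.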
@@ -230,12 +230,59 @@ def main(): result = final_exponentiation(*fp12_a) assert(result == fp12_a) - # Test 2 - # This test won't pass - # fp12_b = (monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO, monty.ONE, monty.TWO) - # result = final_exponentiation(*fp12_b) - # assert(not fp12.is_in_subgroup(*fp12_b)) - # assert(fp12.is_in_subgroup(*result)) + # Pairing Test + + # 1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f59 -> Xp1 + # 3034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41 -> Yp1 + + # 209dd15ebff5d46c4bd888e51a93cf99a7329636c63514396b4a452003a35bf7 -> Xq11 + # 04bf11ca01483bfa8b34b43561848d28905960114c8ac04049af4b6315a41678 -> Xq10 + # 2bb8324af6cfc93537a2ad1a445cfd0ca2a71acd7ac41fadbf933c2a51be344d -> Yq11 + # 120a2a4cf30c1bf9845f20c6fe39e07ea2cce61f0c9bb048165fe5e4de877550 -> Yq10 + + # 111e129f1cf1097710d41c4ac70fcdfa5ba2023c6ff1cbeac322de49d1b6df7c -> Xp2 + # 2032c61a830e3c17286de9462bf242fca2883585b93870a73853face6a6bf411 -> Yp2 + + # 198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2 -> Xq21 + # 1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed -> Xq20 + # 090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b -> Yq21 + # 12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa -> Yq20 + + xp = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) + yp = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) + Xq0 = monty.into(2146841959437886920191033516947821737903543682424168472444605468016078231160) + Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) + Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) + Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) + + a = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) + + xp = 
monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) + yp = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) + Xq0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) + Xq1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) + Yq0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) + Yq1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) + + b = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) + + # Should be 1 + result = fp12.mul(*a, *b) + print(result) + assert(result == fp12.ONE) + + # 1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f59 + # 3034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41 + # 209dd15ebff5d46c4bd888e51a93cf99a7329636c63514396b4a452003a35bf7 + # 04bf11ca01483bfa8b34b43561848d28905960114c8ac04049af4b6315a41678 + # 2bb8324af6cfc93537a2ad1a445cfd0ca2a71acd7ac41fadbf933c2a51be344d + # 120a2a4cf30c1bf9845f20c6fe39e07ea2cce61f0c9bb048165fe5e4de877550 + # 111e129f1cf1097710d41c4ac70fcdfa5ba2023c6ff1cbeac322de49d1b6df7c + # 2032c61a830e3c17286de9462bf242fca2883585b93870a73853face6a6bf411 + # 198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2 + # 1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed + # 090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b + # 12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa if __name__ == '__main__': main() From 8408dafd081e51a1f009876c2dbbbac00f3e940a Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 31 Aug 2023 18:33:48 -0300 Subject: [PATCH 07/31] Correct NAF representation --- scripts/pairing_utils.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/pairing_utils.py b/scripts/pairing_utils.py index 7635461d..c2975e52 100644 --- a/scripts/pairing_utils.py +++ b/scripts/pairing_utils.py 
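Review bot: `print(result)` in `main()` is debugging output left in front of `assert(result == fp12.ONE)`; a dump of a 12-tuple of Montgomery integers is not readable on failure, so either drop it or move the value into the assertion message. The twelve bare hex lines at the end of the hunk repeat the annotated block at its top (`… -> Xp1`, `… -> Yp1`, …) without the labels, so one copy can go. The annotated copy would be more useful with a note that the Fp2 coordinates are listed imaginary part first (`Xq11` before `Xq10`, as the labels show), which is the reverse of the `Xq0, Xq1` argument order used in the code below them.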
@@ -5,7 +5,10 @@ # t = 6x**2 + 1 # x = 4965661367192848881 # s = 6x + 2 -> s = 29793968203157093288 -S_NAF = [1, 0, -1, 0, 1, 0, 0, 0, -1, 0, -1, 0, 0, 0, -1, 0, 1, 0, -1, 0, 0, -1, 0, 0, 0, 0, 0, 1, 0, 0, -1, 0, 1, 0, 0, -1, 0, 0, 0, 0, -1, 0, 1, 0, 0, 0, -1, 0, -1, 0, 0, 1, 0, 0, 0, -1, 0, 0, -1, 0, 1, 0, 1, 0, 0, 0] +S_NAF = [0, 0, 0, 1, 0, 1, 0, -1, 0, 0, 1, -1, 0, 0, 1, 0, + 0, 1, 1, 0, -1, 0, 0, 1, 0, -1, 0, 0, 0, 0, 1, 1, + 1, 0, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, 1, + 1, 0, 0, -1, 0, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, 1, 1] def is_in_curve(x, y): x = monty.out_of(x) From abe9d5e59e2b477171c9c39c2fff7a501f28d682 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 31 Aug 2023 18:34:36 -0300 Subject: [PATCH 08/31] Change exponentiation impl to be able to test it correctly --- scripts/fp12.py | 53 +++++++++++-------------------------------------- 1 file changed, 12 insertions(+), 41 deletions(-) diff --git a/scripts/fp12.py b/scripts/fp12.py index 1050080c..680c31f2 100644 --- a/scripts/fp12.py +++ b/scripts/fp12.py 
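Review bot: The new digit list is not a non-adjacent form despite the `S_NAF` name: it contains adjacent non-zero digits, e.g. `0, 1, 1, 0` at the start of the second row and the run `1, 1, 1` spanning the end of the second row and the start of the third, which a NAF never has. Folding the digits least-significant-first does appear to reproduce `s`, so the representation is usable, but the comment above it should say `# signed-binary digits of s, index 0 = least significant` rather than imply NAF, and the invariant the Miller loop depends on should be pinned next to the definition with `assert sum(d << i for i, d in enumerate(S_NAF)) == 29793968203157093288`. Without such a check an edit to the list (this commit replaces the whole thing) changes the computed pairing with no local failure.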
@@ -124,50 +124,20 @@ def n_square(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_11 return out -# def is_in_subgroup(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): -# a = frb.frobenius(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) -# b = exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) -# b = exponentiation(*b) -# b = cyclotomic_square(*b) -# b2 = cyclotomic_square(*b) -# b = mul(*b, *b2) -# return a == b - -def exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): - t3 = cyclotomic_square(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) - t5 = cyclotomic_square(*t3) - result = cyclotomic_square(*t5) - t0 = cyclotomic_square(*result) - t2 = mul(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, *t0) - t0 = mul(*t2, *t3) - t1 = mul(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, *t0) - t4 = mul(*result, *t2) - t6 = cyclotomic_square(*t2) - t1 = mul(*t1, *t0) - t0 = mul(*t1, *t3) - t6 = n_square(*t6, 6) - t5 = mul(*t5, *t6) - t5 = mul(*t4, *t5) - t5 = n_square(*t5, 7) - t4 = mul(*t4, *t5) - t4 = n_square(*t4, 8) - t4 = mul(*t4, *t0) - t3 = mul(*t3, *t4) - t3 = n_square(*t3, 6) - t2 = mul(*t2, *t3) - t2 = n_square(*t2, 8) - t2 = mul(*t0, *t2) - t2 = n_square(*t2, 6) - t2 = mul(*t0, *t2) - t2 = n_square(*t2, 10) - t1 = mul(*t1, *t2) - t1 = n_square(*t1, 6) - t0 = mul(*t0, *t1) - result = mul(*result, *t0) +def exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, exp): + a = a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121 + result = ONE + bits_exp = bin(exp)[2:] + for i in bits_exp: + aux = mul(*result, *result) + if i != '0': + result = mul(*a, *aux) + else: + result = aux + return result def main(): 
- fp12_zero = tuple([0 for _ in range(12)]) fp12_one = tuple([monty.ONE] + [0 for _ in range(11)]) fp12_two = tuple([monty.TWO] + [0 for _ in range(11)]) @@ -228,5 +198,6 @@ def main(): c = square(*a) d = cyclotomic_square(*a) assert(c == d) + if __name__ == '__main__': main() From 54bf3fd3004176d39899046c7146d3171d84a051 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 31 Aug 2023 18:36:16 -0300 Subject: [PATCH 09/31] Correct point doubling and miller loop --- scripts/alt_bn128_pairing.py | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 7ff76412..a4675b38 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py @@ -4,6 +4,7 @@ import fp12 import frobenius as frb import g2 +import pairing_utils as utils # Algorithm 26. https://eprint.iacr.org/2010/354.pdf # P belongs to curve E over Fp in affine coordinates: P = (xp, yp) @@ -23,7 +24,7 @@ def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): t4 = fp2.scalar_mul(*t0,monty.THREE) t6 = fp2.add(Xq0,Xq1,*t4) t5 = fp2.mul(*t4,*t4) - Xt = fp2.scalar_mul(*t3,2) + Xt = fp2.scalar_mul(*t3, monty.TWO) Xt = fp2.sub(*t5,*Xt) Zq_squared = fp2.mul(Zq0,Zq1,Zq0,Zq1) # TODO: This could be an optimization in the future, make sure to test it @@ -40,7 +41,7 @@ def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): t3 = fp2.mul(*Zq_squared,*t4) t3 = fp2.add(*t3,*t3) t3 = fp2.sub(0,0,*t3) # multiply by -1 - t3 = fp2.scalar_mul(*t3,xp) + t3 = fp2.scalar_mul(*t3, xp) t1_times_4 = fp2.scalar_mul(*t1,monty.FOUR) t6 = fp2.mul(*t6,*t6) t6 = fp2.sub(*t6,*t0) 
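Review bot: In the new `exponentiation`, `bin(exp)[2:]` is only correct for `exp >= 0`: a negative exponent yields `'b101'`-style text whose `b` is treated as a set bit, so the function silently computes a wrong power; add `if exp < 0: raise ValueError("exp must be non-negative")` before the loop (a negative exponent would need `inv`). `aux = mul(*result, *result)` can use the module's own `square` (it is called as `square(*a)` in `main`), and the first iteration squares `ONE` needlessly, which is harmless but could be skipped by starting from the leading bit. This loop is plain square-and-multiply that branches on the exponent bits; that is fine for the public exponents used here (Frobenius powers, final exponent), and a comment saying so would keep it from being lifted into code that handles secret exponents.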
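Review bot: The fix `Xt = fp2.scalar_mul(*t3, monty.TWO)` shows the underlying hazard: `fp2.scalar_mul` accepts any int, so a plain literal such as the old `2` is silently used as if it were a Montgomery-form field element and no error is raised. A comment at the top of the file — `# every scalar passed to fp2/fp12 helpers must already be in Montgomery form: use monty.into(k) or the monty.ONE/TWO/... constants` — documents the convention, and a one-off search for `scalar_mul(` calls with a bare numeric literal would confirm no other instance remains. The enclosing function starts and ends outside this hunk.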
@@ -180,22 +181,22 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): T = Xq0, Xq1, Yq0, Yq1, Zq0, Zq1 f = fp12.ONE - for i in range(64, -1, -1): - double_step = point_doubling_and_line_evaluation(*T, xp, yp) + for i in range(len(utils.S_NAF) - 1, -1, -1): + line_eval, double_step = point_doubling_and_line_evaluation(*T, xp, yp) f = fp12.square(*f) - f = fp12.mul(*f,*double_step[0]) - T = double_step[1] + f = fp12.mul(*f,*line_eval) + T = double_step - if pairing_utils.S_NAF[i] == -1: + if pairing_utils.S_NAF[i] == -1: minus_Q = g2.neg(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1) - add_step = point_addition_and_line_evaluation(*minus_Q, *T, xp,yp) - f = fp12.mul(*f,*add_step[0]) - T = add_step[1] + line_eval, add_step = point_addition_and_line_evaluation(*minus_Q, *T, xp,yp) + f = fp12.mul(*f, *line_eval) + T = add_step elif pairing_utils.S_NAF[i] == 1: - add_step = point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1,*T,xp,yp) - f = fp12.mul(*f,*add_step[0]) - T = add_step[1] + line_eval, add_step = point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1,*T,xp,yp) + f = fp12.mul(*f,*line_eval) + T = add_step # Q1 <- pi_p(Q) X_q0, X_q1 = fp2.conjugate(Xq0, Xq1) From 4cb2e488cea8c2f2be38952b452da19d46e89ce1 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 31 Aug 2023 18:36:34 -0300 Subject: [PATCH 10/31] Add test for point doubling and line evaluation --- scripts/alt_bn128_pairing.py | 90 ++++++++++++++++++++++++++---------- 1 file changed, 66 insertions(+), 24 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index a4675b38..c22b7e7e 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
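Review bot: The loop now runs `for i in range(len(utils.S_NAF) - 1, -1, -1)` with `T` already initialised to Q, so the first iteration doubles T and then, because the last entry of the PATCH 07 list is `1` (65 digits for the 65-bit `s = 29793968203157093288`, index 0 apparently the least significant), adds Q again, leaving T = 3Q once the leading digit has been consumed; Algorithm 1 of the cited paper starts at the second-most-significant digit precisely because `T ← Q` already accounts for the top one. If the digit list is indeed least-significant-first, the bound should be `range(len(utils.S_NAF) - 2, -1, -1)` — confirm against the end-to-end pairing test before changing. Separately, the same loop mixes the alias added in this patch (`utils.S_NAF`) with the bare module name (`pairing_utils.S_NAF[i]`) on the `if`/`elif` lines; pick one. `line_eval, double_step = ...` is clearer than the old index access, but `double_step` now holds only the point, so assigning it straight to `T` (or naming it `T_next`) would say so.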
@@ -222,16 +222,11 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): def pair(xp, yp, Xq0, Xq1, Yq0, Yq1): f = miller_loop(Xq0, Xq1, Yq0, Yq1, monty.ONE, 0, xp, yp) - f = final_exponentiation(*f) + # This should be final exponentiation + f = fp12.exponentiation(*f, 552484233613224096312617126783173147097382103762957654188882734314196910839907541213974502761540629817009608548654680343627701153829446747810907373256841551006201639677726139946029199968412598804882391702273019083653272047566316584365559776493027495458238373902875937659943504873220554161550525926302303331747463515644711876653177129578303191095900909191624817826566688241804408081892785725967931714097716709526092261278071952560171111444072049229123565057483750161460024353346284167282452756217662335528813519139808291170539072125381230815729071544861602750936964829313608137325426383735122175229541155376346436093930287402089517426973178917569713384748081827255472576937471496195752727188261435633271238710131736096299798168852925540549342330775279877006784354801422249722573783561685179618816480037695005515426162362431072245638324744480) return f def main(): - # Test 1 - fp12_a = (monty.ONE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) - result = final_exponentiation(*fp12_a) - assert(result == fp12_a) - - # Pairing Test # 1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f59 -> Xp1 # 3034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41 -> Yp1 
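Review bot: The exponent passed to `fp12.exponentiation` in `pair` is a very long integer literal with no name and only `# This should be final exponentiation` beside it, so a reader cannot tell what it is or verify it. Hoist it to a module constant and pin its derivation in `main`, e.g. `FINAL_EXP = …` with a comment stating the intended formula and `assert FINAL_EXP == (p**12 - 1) // r` with `p` and `r` written out (the `r = 36x**4 + …` relation is already documented in pairing_utils). If the literal is something else — say the "hard part" only, or already divided by a cofactor — the comment should say which, because `final_exponentiation` remains in the file and the two must agree for `pair` to be a pairing. Plain square-and-multiply on an exponent this size is slow but acceptable for a test oracle; a comment should say it is deliberately the naive reference.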
@@ -267,23 +262,70 @@ def main(): b = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) - # Should be 1 - result = fp12.mul(*a, *b) - print(result) - assert(result == fp12.ONE) - - # 1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f59 - # 3034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41 - # 209dd15ebff5d46c4bd888e51a93cf99a7329636c63514396b4a452003a35bf7 - # 04bf11ca01483bfa8b34b43561848d28905960114c8ac04049af4b6315a41678 - # 2bb8324af6cfc93537a2ad1a445cfd0ca2a71acd7ac41fadbf933c2a51be344d - # 120a2a4cf30c1bf9845f20c6fe39e07ea2cce61f0c9bb048165fe5e4de877550 - # 111e129f1cf1097710d41c4ac70fcdfa5ba2023c6ff1cbeac322de49d1b6df7c - # 2032c61a830e3c17286de9462bf242fca2883585b93870a73853face6a6bf411 - # 198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2 - # 1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed - # 090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b - # 12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa + # Point doubling and line evaluation + Zq0 = monty.ONE + Zq1 = 0 + line_evaluation, double = point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp) + + # Xr = 9 Xt ** 4 - 8 Xt Yt **2 + Xr_a = fp2.exp(Xq0,Xq1,4) + Xr_a = fp2.scalar_mul(*Xr_a,monty.NINE) + Xr_b = fp2.exp(Yq0,Yq1,2) + Xr_b = fp2.mul(Xq0,Xq1, *Xr_b) + Xr_b = fp2.scalar_mul(*Xr_b,monty.EIGHT) + Xr = fp2.sub(*Xr_a,*Xr_b) + assert((double[0], double[1]) == Xr) + + # Yr = 3 * (Xt ** 2) * (4 * (Xt ** 2) * (Yt ** 2) - Xr) - 8 * (Yt ** 4) + Xq_squared = fp2.mul(Xq0,Xq1,Xq0,Xq1) + Yq_squared = fp2.mul(Yq0,Yq1,Yq0,Yq1) + Yr_a = fp2.scalar_mul(*Xq_squared, monty.THREE) + Yr_b = fp2.scalar_mul(Xq0,Xq1, monty.FOUR) + Yr_b = fp2.mul(*Yr_b, *Yq_squared) + Yr_b = fp2.sub(*Yr_b,*Xr) + Yr_c = fp2.mul(*Yq_squared,*Yq_squared) + Yr_c = fp2.scalar_mul(*Yr_c, monty.EIGHT) + Yr = fp2.mul(*Yr_a, *Yr_b) + Yr = fp2.sub(*Yr, *Yr_c) + assert((double[2], double[3]) == Yr) + + # Zr = 2 * Yt * Zt + Zr = fp2.mul(Yq0,Yq1,Zq0,Zq1) + Zr = 
fp2.scalar_mul(*Zr,monty.TWO) + assert((double[4], double[5]) == Zr) + + # l_tt_x = 2 * Zr * Zt^2 * yp + l_tt_x = fp2.mul(Zq0, Zq1, Zq0, Zq1) + l_tt_x = fp2.mul(*l_tt_x, *Zr) + l_tt_x = fp2.scalar_mul(*l_tt_x, yp) + l_tt_x = fp2.scalar_mul(*l_tt_x, monty.TWO) + assert((line_evaluation[0], line_evaluation[1]) == l_tt_x) + + # l_tt_y = 6 * Xt^2 * Zt^2 * xp + l_tt_y = fp2.mul(Xq0, Xq1, Xq0, Xq1) + t0 = fp2.mul(Zq0, Zq1, Zq0, Zq1) + l_tt_y = fp2.mul(*l_tt_y, *t0) + l_tt_y = fp2.scalar_mul(*l_tt_y, xp) + l_tt_y = fp2.scalar_mul(*l_tt_y, monty.SIX) + l_tt_y = fp2.neg(*l_tt_y) + # We ignore the 0 between the fp2 in line evaluation like the paper does + assert((line_evaluation[6], line_evaluation[7]) == l_tt_y) + + # l_tt_z = 6 * Xt^3 - 4 * Yt^2 + l_tt_z = fp2.mul(Xq0, Xq1, Xq0, Xq1) + l_tt_z = fp2.mul(*l_tt_z, Xq0, Xq1) + l_tt_z = fp2.scalar_mul(*l_tt_z, monty.SIX) + t0 = fp2.mul(Yq0, Yq1, Yq0, Yq1) + t0 = fp2.scalar_mul(*t0, monty.FOUR) + l_tt_z = fp2.sub(*l_tt_z, *t0) + # We ignore the 0 between the fp2 in line evaluation like the paper does + assert((line_evaluation[8], line_evaluation[9]) == l_tt_z) + + # Pairing Test + # # Should be 1 + # result = fp12.mul(*a, *b) + # print(result) + # assert(result == fp12.ONE) if __name__ == '__main__': main() From 5e34f22d14cf5f9a32ccfc57acd8e2f5f2dc08eb Mon Sep 17 00:00:00 2001 From: Joaquin Carletti Date: Thu, 31 Aug 2023 18:53:55 -0300 Subject: [PATCH 11/31] add addition tests --- scripts/alt_bn128_pairing.py | 63 ++++++++++++++++++++++++++++++++---- 1 file changed, 56 insertions(+), 7 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index c22b7e7e..484aa13e 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
@@ -250,21 +250,24 @@ def main(): Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) + Zq0 = monty.ONE + Zq1 = 0 a = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) xp = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) yp = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) - Xq0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) - Xq1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) - Yq0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) - Yq1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) + Xr0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) + Xr1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) + Yr0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) + Yr1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) + Zr0 = monty.ONE + Zr1 = 0 - b = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) + b = pair(xp, yp, Xr0, Xr1, Yr0, Yr1) # Point doubling and line evaluation - Zq0 = monty.ONE - Zq1 = 0 + line_evaluation, double = point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp) # Xr = 9 Xt ** 4 - 8 Xt Yt **2 
@@ -321,6 +324,52 @@ def main(): # We ignore the 0 between the fp2 in line evaluation like the paper does assert((line_evaluation[8], line_evaluation[9]) == l_tt_z) + # # Point addition and line evaluation + + Xq = Xq0, Xq1 + Yq = Yq0, Yq1 + Zq = Zq0, Zq1 + Xt = Xr0, Xr1 + Yt = Yr0, Yr1 + Zt = Zr0, Zr1 + + line_evaluation, addition = point_addition_and_line_evaluation(*Xq, *Yq, *Zq, *Xt, *Yt, *Zt, xp, yp) + + # Xr + Zt_squared = fp2.mul(*Zt,*Zt) + Xr_a = fp2.mul(*Zt_squared,*Zt) + Xr_a = fp2.mul(*Xr_a,*Yq) + Xr_a = fp2.scalar_mul(*Xr_a, monty.TWO) + Xr_a2 = fp2.scalar_mul(*Yt, monty.TWO) + Xr_a = fp2.sub(*Xr_a,*Xr_a2) + Xr_af = fp2.mul(*Xr_a,*Xr_a) + Xr_b = fp2.mul(*Xq,*Zt_squared) + Xr_b = fp2.sub(*Xr_b,*Xt) + Xr_bf = fp2.exp(*Xr_b, 3) + Xr_bf = fp2.scalar_mul(*Xr_bf, monty.FOUR) + Xr_c = fp2.mul(*Xr_b,*Xr_b) + Xr_c = fp2.mul(*Xr_c,*Xt) + Xr_c = fp2.scalar_mul(*Xr_c, monty.FOUR) + Xr_cf = fp2.scalar_mul(*Xr_c, monty.TWO) + Xr = fp2.sub(*Xr_af,*Xr_bf) + Xr = fp2.sub(*Xr,*Xr_cf) + assert((addition[0],addition[1]) == Xr) + + # Yr + Yr_a = fp2.sub(*Xr_c,*Xr) + Yr_a = fp2.mul(*Xr_a,*Yr_a) + Yr_b = fp2.scalar_mul(*Xr_bf, monty.TWO) + Yr_b = fp2.mul(*Yr_b,*Yt) + Yr = fp2.sub(*Yr_a, *Yr_b) + assert((addition[2],addition[3]) == Yr) + + # Zr + Zr = fp2.mul(*Xq,*Zt_squared) + Zr = fp2.sub(*Zr,*Xt) + Zr = fp2.mul(*Zr,*Zt) + Zr = fp2.scalar_mul(*Zr, monty.TWO) + assert((addition[4],addition[5]) == Zr) + # Pairing Test # # Should be 1 # result = fp12.mul(*a, *b) From cb69bea3d44633f15896ce072863ff33c501d8f6 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Mon, 4 Sep 2023 18:37:01 -0300 Subject: [PATCH 12/31] Add tests for frobenius --- scripts/frobenius.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/scripts/frobenius.py b/scripts/frobenius.py index bd639480..46db0700 100644 --- a/scripts/frobenius.py +++ b/scripts/frobenius.py 
@@ -1,5 +1,6 @@ import fp2 import montgomery as monty +import fp12 def frobenius(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): t1 = fp2.conjugate(a_000, a_001) @@ -196,6 +197,20 @@ def main(): assert(result[9] == fp12_a[9]) assert(result[10] == fp12_a[10]) assert(result[11] == fp12_a[11]) + + p = 21888242871839275222246405745257275088696311157297823662689037894645226208583 + a = frobenius(*fp12_a) + b = fp12.exponentiation(*fp12_a, p) + assert(a == b) + + a = frobenius_square(*fp12_a) + b = fp12.exponentiation(*fp12_a, p ** 2) + assert(a == b) + + a = frobenius_cube(*fp12_a) + b = fp12.exponentiation(*fp12_a, p ** 3) + assert(a == b) + if __name__ == '__main__': main() From 141f6473f4243b3cf8e95864fd730270a904744a Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Mon, 4 Sep 2023 18:37:35 -0300 Subject: [PATCH 13/31] Add line evaluation test after point addition --- scripts/alt_bn128_pairing.py | 76 +++++++++++++++++++++++++----------- 1 file changed, 53 insertions(+), 23 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 484aa13e..344a9a23 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py @@ -211,12 +211,12 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): Q2 = g2.from_affine(X_q20, X_q21, Y_q20, Y_q21) Q2 = g2.neg(*Q2) - add_step = point_addition_and_line_evaluation(*Q1,*T,xp,yp) - f = fp12.mul(*f,*add_step[0]) - T = add_step[1] + line_eval, add_step = point_addition_and_line_evaluation(*Q1,*T,xp,yp) + f = fp12.mul(*f,*line_eval) + T = add_step - add_step = point_addition_and_line_evaluation(*Q2,*T,xp,yp) - f = fp12.mul(*f,*add_step[0]) + line_eval, add_step = point_addition_and_line_evaluation(*Q2,*T,xp,yp) + f = fp12.mul(*f,*line_eval) return f 
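Review bot: Adding `import fp12` at the top of frobenius.py creates an import cycle, because fp12.py evidently imports this module already (its `main` calls `frb.frobenius_square`, visible in the PATCH 03 hunk). Both files use plain `import x` and dereference attributes only inside functions, so CPython resolves it at call time today, but any move to `from fp12 import exponentiation` or a module-level use would fail on a partially initialised module. Since the dependency exists only for the tests in `main()`, make it a function-scope import (`import fp12` as the first line of `main`) or place the Frobenius-versus-exponentiation comparison in fp12's own tests. The literal `p = 21888…583` duplicates the modulus hardcoded as `N` in `pairing_utils.is_in_curve`; exporting it once (for example from `montgomery`) keeps the copies from drifting.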
@@ -228,6 +228,7 @@ def pair(xp, yp, Xq0, Xq1, Yq0, Yq1): def main(): + # From Ethereum tests # 1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f59 -> Xp1 # 3034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41 -> Yp1 @@ -253,21 +254,22 @@ def main(): Zq0 = monty.ONE Zq1 = 0 - a = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) + assert(utils.is_in_curve(xp, yp)) + assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) xp = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) yp = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) - Xr0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) - Xr1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) - Yr0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) - Yr1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) - Zr0 = monty.ONE - Zr1 = 0 + Xt0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) + Xt1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) + Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) + Yt1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) + Zt0 = monty.ONE + Zt1 = 0 - b = pair(xp, yp, Xr0, Xr1, Yr0, Yr1) + assert(utils.is_in_curve(xp, yp)) + assert(utils.is_in_twisted_curve(Xt0, Xt1, Yt0, Yt1)) # Point doubling and line evaluation - line_evaluation, double = point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp) # Xr = 9 Xt ** 4 - 8 Xt Yt **2 
@@ -324,14 +326,13 @@ def main(): # We ignore the 0 between the fp2 in line evaluation like the paper does assert((line_evaluation[8], line_evaluation[9]) == l_tt_z) - # # Point addition and line evaluation - + # Point addition and line evaluation Xq = Xq0, Xq1 Yq = Yq0, Yq1 Zq = Zq0, Zq1 - Xt = Xr0, Xr1 - Yt = Yr0, Yr1 - Zt = Zr0, Zr1 + Xt = Xt0, Xt1 + Yt = Yt0, Yt1 + Zt = Zt0, Zt1 line_evaluation, addition = point_addition_and_line_evaluation(*Xq, *Yq, *Zq, *Xt, *Yt, *Zt, xp, yp) @@ -370,11 +371,40 @@ def main(): Zr = fp2.scalar_mul(*Zr, monty.TWO) assert((addition[4],addition[5]) == Zr) + # l_tq_x = 2 * Zr * yp + l_tq_x = fp2.add(*Zr,*Zr) + l_tq_x = fp2.scalar_mul(*l_tq_x, yp) + assert((line_evaluation[0],line_evaluation[1]) == l_tq_x) + + # l_tq_y = - (4 * xp * (Yq * Zt^3 - Yt)) + # Change respect to the paper, the algorithm use sub and not add + Zt_cubed = fp2.mul(*Zt_squared, *Zt) + l_tq_y = fp2.mul(*Yq, *Zt_cubed) + # l_tq_y = fp2.add(*l_tq_y, *Yt) + l_tq_y = fp2.sub(*l_tq_y, *Yt) + l_tq_y = fp2.scalar_mul(*l_tq_y, monty.FOUR) + l_tq_y = fp2.scalar_mul(*l_tq_y, xp) + l_tq_y = fp2.neg(*l_tq_y) + assert((line_evaluation[6],line_evaluation[7]) == l_tq_y) + + # l_tq_z = 4 * Xq * (Yq * Zt^3 − Yt ) − 2 * Yq * Zr + # Change respect to the paper, the algorithm does not multiply by Xq + l_tq_z = fp2.mul(*Yq, *Zt_cubed) + #l_tq_z = fp2.mul(*l_tq_z, *Xq) + l_tq_z = fp2.sub(*l_tq_z, *Yt) + l_tq_z = fp2.scalar_mul(*l_tq_z, monty.FOUR) + l_tq_z = fp2.mul(*l_tq_z, *Xq) + t0 = fp2.scalar_mul(*Yq, monty.TWO) + t0 = fp2.mul(*t0,*Zr) + l_tq_z = fp2.sub(*l_tq_z, *t0) + assert((line_evaluation[8],line_evaluation[9]) == l_tq_z) + # Pairing Test - # # Should be 1 - # result = fp12.mul(*a, *b) - # print(result) - # assert(result == fp12.ONE) + # Should be 1 + a = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) + b = pair(xp, yp, Xt0, Xt1, Yt0, Yt1) + result = fp12.mul(*a, *b) + assert(result == fp12.ONE) if __name__ == '__main__': main() 
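Review bot: The comment above `l_tq_z` says "the algorithm does not multiply by Xq", but the code two lines later does exactly that (`l_tq_z = fp2.mul(*l_tq_z, *Xq)`), with the earlier attempt left behind as commented-out code (`#l_tq_z = fp2.mul(*l_tq_z, *Xq)`); the `l_tq_y` block has the same leftover (`# l_tq_y = fp2.add(*l_tq_y, *Yt)`). Delete the dead lines and keep only a note that matches the code, e.g. `# Differs from the paper: the Yt term is subtracted, not added`. The surrounding main() starts outside this hunk.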
From 29840f12694208d630a9d9e41124d282165b3b5f Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 6 Sep 2023 10:49:57 -0300 Subject: [PATCH 14/31] Add point doubling and adding functions for projective coordinates --- scripts/alt_bn128_pairing.py | 186 ++++++++++++++--------------------- 1 file changed, 73 insertions(+), 113 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 344a9a23..b898b4dc 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
@@ -6,120 +6,80 @@ import g2 import pairing_utils as utils -# Algorithm 26. https://eprint.iacr.org/2010/354.pdf -# P belongs to curve E over Fp in affine coordinates: P = (xp, yp) -# Q belongs to curve E' over Fp2 in Jacobian coordinates: Q = (Xq, Yq, Zq) -def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): - t0 = fp2.mul(Xq0,Xq1,Xq0,Xq1) - t1 = fp2.mul(Yq0,Yq1,Yq0,Yq1) - t2 = fp2.mul(*t1,*t1) - # TODO: This could be an optimization in the future, make sure to test it - # t3 = fp2.mul(*t1,Xq0,Xq1) - # t3 = fp2.add(*t3, *t3) - t3 = fp2.add(*t1,Xq0,Xq1) - t3 = fp2.mul(*t3,*t3) - t3 = fp2.sub(*t3,*t0) - t3 = fp2.sub(*t3,*t2) - t3 = fp2.add(*t3,*t3) - t4 = fp2.scalar_mul(*t0,monty.THREE) - t6 = fp2.add(Xq0,Xq1,*t4) - t5 = fp2.mul(*t4,*t4) - Xt = fp2.scalar_mul(*t3, monty.TWO) - Xt = fp2.sub(*t5,*Xt) - Zq_squared = fp2.mul(Zq0,Zq1,Zq0,Zq1) - # TODO: This could be an optimization in the future, make sure to test it - # Zt = fp2.mul(Yq0,Yq1,Zq0,Zq1 ) - # Zt = fp2.add(*Zt, *Zt) - Zt = fp2.add(Yq0,Yq1,Zq0,Zq1) - Zt = fp2.mul(*Zt,*Zt) - Zt = fp2.sub(*Zt,*t1) - Zt = fp2.sub(*Zt, *Zq_squared) - t2_times_eight = fp2.scalar_mul(*t2,monty.EIGHT) - Yt = fp2.sub(*t3,*Xt) - Yt = fp2.mul(*Yt,*t4) - Yt = fp2.sub(*Yt,*t2_times_eight) - t3 = fp2.mul(*Zq_squared,*t4) - t3 = fp2.add(*t3,*t3) - t3 = fp2.sub(0,0,*t3) # multiply by -1 - t3 = fp2.scalar_mul(*t3, xp) - t1_times_4 = fp2.scalar_mul(*t1,monty.FOUR) - t6 = fp2.mul(*t6,*t6) - t6 = fp2.sub(*t6,*t0) - t6 = fp2.sub(*t6,*t5) - t6 = fp2.sub(*t6,*t1_times_4) - t0 = fp2.mul(*Zt,*Zq_squared) - t0 = fp2.add(*t0,*t0) - t0 = fp2.scalar_mul(*t0,yp) - T = Xt + Yt + Zt - l = (*t0,0,0,0,0,*t3,*t6,0,0) - return l, T - -# Algorithm 27 from https://eprint.iacr.org/2010/354.pdf -# P belongs to curve E over Fp in affine coordinates: P = (xp, yp) -# Q belongs to curve E' over Fp2 in Jacobian coordinates: Q = (Xq, Yq, Zq) -# R belongs to curve E' over Fp2 in Jacobian coordinates: R = (Xr, Yr, Zr) -def 
point_addition_and_line_evaluation(xq0, xq1, yq0, yq1, _zq0, _zq1, xr0, xr1, yr0, yr1, zr0, zr1, xp, yp): - zr_squared = fp2.mul(zr0, zr1, zr0, zr1) - yq_squared = fp2.mul(yq0, yq1, yq0, yq1) - yr_doubled = fp2.add(yr0, yr1, yr0, yr1) - t0 = fp2.mul(xq0, xq1, *zr_squared) - - # TODO: This could be an optimization in the future, make sure to test it - # t1 = fp2.mul(yq0, yq1, zr0, zr1) - # t1 = fp2.add(*t1, *t1) - t1 = fp2.add(yq0, yq1, zr0, zr1) - t1 = fp2.mul(*t1, *t1) - t1 = fp2.sub(*t1, *yq_squared) - t1 = fp2.sub(*t1, *zr_squared) - t1 = fp2.mul(*t1, *zr_squared) +def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): + two_inv = monty.inv(monty.TWO) + t0 = fp2.mul(Xq0,Xq1,Yq0,Yq1) + A = fp2.scalar_mul(*t0, two_inv) + B = fp2.mul(Yq0, Yq1, Yq0, Yq1) + C = fp2.mul(Zq0, Zq1, Zq0, Zq1) + D = fp2.add(*C, *C) + D = fp2.add(*D, *C) + E = fp2.mul(*D, *utils.TWISTED_CURVE_COEFFS) + F = fp2.add(*E, *E) + F = fp2.add(*F, *E) + G = fp2.add(*B, *F) + G = fp2.scalar_mul(*G, two_inv) + H = fp2.add(Yq0, Yq1, Zq0, Zq1) + H = fp2.mul(*H, *H) + t1 = fp2.add(*B, *C) + H = fp2.sub(*H, *t1) + I = fp2.sub(*E, *B) + J = fp2.mul(Xq0, Xq1, Xq0, Xq1) + EE = fp2.mul(*E, *E) + K = fp2.add(*EE,*EE) + K = fp2.add(*K,*EE) + + Tx = fp2.sub(*B, *F) + Tx = fp2.mul(*Tx, *A) + + Ty = fp2.mul(*G, *G) + Ty = fp2.sub(*Ty, *K) + + Tz = fp2.mul(*B, *H) + + l0 = fp2.neg(*H) + l1 = fp2.add(*J, *J) + l1 = fp2.add(*l1, *J) + l2 = I + + l = (*l0,0,0,0,0,*l1,*l2,0,0) + T = Tx + Ty + Tz + return l,T + +def point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Zt0, Zt1): + temp = fp2.mul(Yq0,Yq1,Zt0,Zt1) # Y2Z1.Mul(&a.Y, &p.z) + O = fp2.sub(Yt0,Yt1,*temp) # O.Sub(&p.y, &Y2Z1) + temp = fp2.mul(Xq0,Xq1,Zt0,Zt1) # X2Z1.Mul(&a.X, &p.z) + L = fp2.sub(Xt0,Xt1,*temp) # L.Sub(&p.x, &X2Z1) + C = fp2.mul(*O,*O) # C.Square(&O) + D = fp2.mul(*L,*L) # D.Square(&L) + E = fp2.mul(*L,*D) # E.Mul(&L, &D) + F = fp2.mul(Zt0,Zt1,*C) # F.Mul(&p.z, &C) + G = fp2.mul(Xt0,Xt1,*D) # G.Mul(&p.x, &D) 
+ temp = fp2.add(*G,*G) # t0.Double(&G) + H = fp2.add(*E,*F) + H = fp2.sub(*H,*temp) # H.Add(&E, &F).Sub(&H, &t0) + temp = fp2.mul(Yt0, Yt1, *E) # t1.Mul(&p.y, &E) + + # X, Y, Z + Tx0, Tx1 = fp2.mul(*L,*H) # p.x.Mul(&L, &H) + Ty0, Ty1 = fp2.sub(*G,*H) + Ty0, Ty1 = fp2.mul(Ty0,Ty1,*O) + Ty0, Ty1 = fp2.sub(Ty0,Ty1,*temp) # p.y.Sub(&G, &H).Mul(&p.y, &O).Sub(&p.y, &t1) + Tz0, Tz1 = fp2.mul(*E, Zt0, Zt1) # p.z.Mul(&E, &p.z) + + temp = fp2.mul(*L,Yq0,Yq1) # t2.Mul(&L, &a.Y) + J = fp2.mul(Xq0,Xq1,*O) + J = fp2.sub(*J, *temp) # J.Mul(&a.X, &O).Sub(&J, &t2) - t2 = fp2.sub(*t0, xr0, xr1) - t3 = fp2.mul(*t2, *t2) - t4 = fp2.add(*t3, *t3) - t4 = fp2.add(*t4, *t4) - t5 = fp2.mul(*t4, *t2) - t6 = fp2.sub(*t1, *yr_doubled) - t9 = fp2.mul(*t6, xq0, xq1) - t7 = fp2.mul(xr0, xr1, *t4) - X_T = fp2.mul(*t6, *t6) - X_T = fp2.sub(*X_T, *t5) - X_T = fp2.sub(*X_T, *fp2.add(*t7, *t7)) - - # TODO: This could be an optimization in the future, make sure to test it - # Z_T = fp2.mul(zr0, zr1, *t2) - # Z_T = fp2.add(*Z_T, *Z_T) - Z_T = fp2.add(zr0, zr1, *t2) - Z_T = fp2.mul(*Z_T, *Z_T) - Z_T = fp2.sub(*Z_T, *zr_squared) - Z_T = fp2.sub(*Z_T, *t3) - - t10 = fp2.add(yq0, yq1, *Z_T) - t8 = fp2.sub(*t7, *X_T) - t8 = fp2.mul(*t8, *t6) - t0 = fp2.mul(yr0, yr1, *t5) - t0 = fp2.add(*t0, *t0) - Y_T = fp2.sub(*t8, *t0) - - # TODO: This could be an optimization in the future, make sure to test it - # t10 = fp2.mul(yq0, yq1, *Z_T) - # t10 = fp2.add(*t10, *t10) - t10 = fp2.mul(*t10, *t10) - t10 = fp2.sub(*t10, *yq_squared) - t10 = fp2.sub(*t10, *fp2.mul(*Z_T, *Z_T)) - - t9 = fp2.add(*t9, *t9) - t9 = fp2.sub(*t9, *t10) - t10 = fp2.scalar_mul(*Z_T, yp) - t10 = fp2.add(*t10, *t10) - t6 = fp2.neg(*t6) - t1 = fp2.scalar_mul(*t6, xp) - t1 = fp2.add(*t1, *t1) - - l0 = t10[0], t10[1], 0, 0, 0, 0 - l1 = t1[0], t1[1], t9[0], t9[1], 0, 0 - l = l0 + l1 - - T = X_T + Y_T + Z_T + # Line evaluation + l0 = L # evaluations.r0.Set(&L) + l1 = fp2.neg(*O) # evaluations.r1.Neg(&O) + l2 = J # evaluations.r2.Set(&J) + + l = 
(*l0,0,0,0,0,*l1,*l2,0,0) + T = Tx0, Tx1, Ty0, Ty1, Tz0, Tz1 + return l, T # Algorithm 31 from https://eprint.iacr.org/2010/354.pdf From adf7a8649912d201975379588a5a34fc1ff9350b Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 6 Sep 2023 10:50:41 -0300 Subject: [PATCH 15/31] Fix in miller loop function --- scripts/alt_bn128_pairing.py | 50 ++++++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index b898b4dc..23f91dd7 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
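Review bot: Both rewritten functions change their signatures (the `xp, yp` parameters and Q's Z coordinate are gone) but no caller is updated in this commit — miller_loop and the checks in main() still pass the old argument lists until patches 15 and 16 — so the tree does not run at this commit; `utils.TWISTED_CURVE_COEFFS` is likewise referenced here but, as far as the series shows, only defined in patch 19. The new code also drops the only documentation of the coordinate system: the removed header said Jacobian, while the Go-style comments (`p.z.Mul(&E, &p.z)`) suggest homogeneous projective coordinates with Q supplied in affine form, so a header such as `# Q = (Xq, Yq) affine over Fp2, T = (Xt, Yt, Zt) homogeneous projective; the returned line l still has to be scaled by yp (l0) and xp (l1) by the caller` would pin that down. `two_inv = monty.inv(monty.TWO)` is recomputed on every doubling and can be a module constant, and the locals `I` and `l` are easy to misread as `1`.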
@@ -137,24 +137,39 @@ def final_exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, return f -def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): - T = Xq0, Xq1, Yq0, Yq1, Zq0, Zq1 +def miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp): + + Q = Xq0, Xq1, Yq0, Yq1 + T = g2.from_affine(Xq0, Xq1, Yq0, Yq1) f = fp12.ONE - for i in range(len(utils.S_NAF) - 1, -1, -1): - line_eval, double_step = point_doubling_and_line_evaluation(*T, xp, yp) + for i in range(len(utils.S_NAF) - 2, -1, -1): f = fp12.square(*f) + + line_eval, double_step = point_doubling_and_line_evaluation(*T) + aux = list(line_eval) + aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) + aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) + line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) T = double_step if pairing_utils.S_NAF[i] == -1: - minus_Q = g2.neg(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1) - line_eval, add_step = point_addition_and_line_evaluation(*minus_Q, *T, xp,yp) + minus_Q = g2.neg(*Q) + line_eval, add_step = point_addition_and_line_evaluation(*minus_Q, *T) + aux = list(line_eval) + aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) + aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) + line_eval = tuple(aux) f = fp12.mul(*f, *line_eval) T = add_step elif pairing_utils.S_NAF[i] == 1: - line_eval, add_step = point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1,*T,xp,yp) + line_eval, add_step = point_addition_and_line_evaluation(*Q,*T) + aux = list(line_eval) + aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) + aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) + line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) T = add_step 
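Review bot: The four-line block that scales `line_eval` by `yp` and `xp` is copied verbatim five times across this hunk and the next one (the Q1/Q2 additions); one helper would remove the duplication and give the reason for the scaling a single home. The unchanged branch conditions still read `pairing_utils.S_NAF` while the new loop header uses `utils.S_NAF`; the file's visible import is `import pairing_utils as utils`, so unless a plain `import pairing_utils` exists above, the `-1`/`1` branches raise NameError — worth normalising to `utils.S_NAF` while here. miller_loop's body continues in the next hunk.
```python
def scale_line_evaluation(line_eval, xp, yp):
    # The line functions are computed without P; fold P's affine coordinates
    # in here (l0 *= yp, l1 *= xp) before multiplying the line into f.
    aux = list(line_eval)
    aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp)
    aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp)
    return tuple(aux)

# … unchanged: miller_loop header, f = fp12.square(*f) …
        line_eval, double_step = point_doubling_and_line_evaluation(*T)
        f = fp12.mul(*f, *scale_line_evaluation(line_eval, xp, yp))
        T = double_step
# … unchanged: the -1 / 1 branches, each using the same helper …
```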
@@ -163,25 +178,34 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp): Y_q0, Y_q1 = fp2.conjugate(Yq0, Yq1) X_q0, X_q1 = frb.mul_by_gamma_1_2(X_q0, X_q1) Y_q0, Y_q1 = frb.mul_by_gamma_1_3(Y_q0, Y_q1) - Q1 = g2.from_affine(X_q0, X_q1, Y_q0, Y_q1) + Q1 = X_q0, X_q1, Y_q0, Y_q1 # Q2 <- pi_p_square(Q) X_q20, X_q21 = frb.mul_by_gamma_2_2(Xq0, Xq1) Y_q20, Y_q21 = frb.mul_by_gamma_2_3(Yq0, Yq1) - Q2 = g2.from_affine(X_q20, X_q21, Y_q20, Y_q21) - Q2 = g2.neg(*Q2) + Y_q20, Y_q21 = fp2.neg(Y_q20, Y_q21) + Q2 = X_q20, X_q21, Y_q20, Y_q21 - line_eval, add_step = point_addition_and_line_evaluation(*Q1,*T,xp,yp) + line_eval, add_step = point_addition_and_line_evaluation(*Q1,*T) + aux = list(line_eval) + aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) + aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) + line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) T = add_step - line_eval, add_step = point_addition_and_line_evaluation(*Q2,*T,xp,yp) + line_eval, add_step = point_addition_and_line_evaluation(*Q2,*T) + aux = list(line_eval) + aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) + aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) + line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) + T = add_step return f def pair(xp, yp, Xq0, Xq1, Yq0, Yq1): - f = miller_loop(Xq0, Xq1, Yq0, Yq1, monty.ONE, 0, xp, yp) + f = miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp) # This should be final exponentiation f = fp12.exponentiation(*f, 
552484233613224096312617126783173147097382103762957654188882734314196910839907541213974502761540629817009608548654680343627701153829446747810907373256841551006201639677726139946029199968412598804882391702273019083653272047566316584365559776493027495458238373902875937659943504873220554161550525926302303331747463515644711876653177129578303191095900909191624817826566688241804408081892785725967931714097716709526092261278071952560171111444072049229123565057483750161460024353346284167282452756217662335528813519139808291170539072125381230815729071544861602750936964829313608137325426383735122175229541155376346436093930287402089517426973178917569713384748081827255472576937471496195752727188261435633271238710131736096299798168852925540549342330775279877006784354801422249722573783561685179618816480037695005515426162362431072245638324744480) return f From 4cdcc8cda3d95733405d0602ca1c96c610b7064a Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 6 Sep 2023 10:51:18 -0300 Subject: [PATCH 16/31] Add test refactors with new functions --- scripts/alt_bn128_pairing.py | 145 ++--------------------------------- 1 file changed, 8 insertions(+), 137 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 23f91dd7..6c85349d 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
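Review bot: `pair` raises the Miller-loop output to a ~700-digit inline literal under the comment `# This should be final exponentiation`, while a `final_exponentiation` function already exists in this file (its signature heads the previous hunk). Either call it, or bind the literal to a named module constant with a comment giving its derivation (presumably (p^12 - 1)/r — please confirm) so a reviewer can recompute it; inline, a single wrong digit is undetectable. The added `T = add_step` after the last addition is dead, since T is not read again before `return f`.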
@@ -229,8 +229,8 @@ def main(): # 090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b -> Yq21 # 12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa -> Yq20 - xp = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) - yp = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) + xp0 = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) + yp0 = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) Xq0 = monty.into(2146841959437886920191033516947821737903543682424168472444605468016078231160) Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) @@ -238,11 +238,11 @@ def main(): Zq0 = monty.ONE Zq1 = 0 - assert(utils.is_in_curve(xp, yp)) + assert(utils.is_in_curve(xp0, yp0)) assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) - xp = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) - yp = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) + xp1 = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) + yp1 = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) Xt0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) Xt1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) 
@@ -250,143 +250,14 @@ def main(): Zt0 = monty.ONE Zt1 = 0 - assert(utils.is_in_curve(xp, yp)) + assert(utils.is_in_curve(xp1, yp1)) assert(utils.is_in_twisted_curve(Xt0, Xt1, Yt0, Yt1)) - # Point doubling and line evaluation - line_evaluation, double = point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1, xp, yp) - - # Xr = 9 Xt ** 4 - 8 Xt Yt **2 - Xr_a = fp2.exp(Xq0,Xq1,4) - Xr_a = fp2.scalar_mul(*Xr_a,monty.NINE) - Xr_b = fp2.exp(Yq0,Yq1,2) - Xr_b = fp2.mul(Xq0,Xq1, *Xr_b) - Xr_b = fp2.scalar_mul(*Xr_b,monty.EIGHT) - Xr = fp2.sub(*Xr_a,*Xr_b) - assert((double[0], double[1]) == Xr) - - # Yr = 3 * (Xt ** 2) * (4 * (Xt ** 2) * (Yt ** 2) - Xr) - 8 * (Yt ** 4) - Xq_squared = fp2.mul(Xq0,Xq1,Xq0,Xq1) - Yq_squared = fp2.mul(Yq0,Yq1,Yq0,Yq1) - Yr_a = fp2.scalar_mul(*Xq_squared, monty.THREE) - Yr_b = fp2.scalar_mul(Xq0,Xq1, monty.FOUR) - Yr_b = fp2.mul(*Yr_b, *Yq_squared) - Yr_b = fp2.sub(*Yr_b,*Xr) - Yr_c = fp2.mul(*Yq_squared,*Yq_squared) - Yr_c = fp2.scalar_mul(*Yr_c, monty.EIGHT) - Yr = fp2.mul(*Yr_a, *Yr_b) - Yr = fp2.sub(*Yr, *Yr_c) - assert((double[2], double[3]) == Yr) - - # Zr = 2 * Yt * Zt - Zr = fp2.mul(Yq0,Yq1,Zq0,Zq1) - Zr = fp2.scalar_mul(*Zr,monty.TWO) - assert((double[4], double[5]) == Zr) - - # l_tt_x = 2 * Zr * Zt^2 * yp - l_tt_x = fp2.mul(Zq0, Zq1, Zq0, Zq1) - l_tt_x = fp2.mul(*l_tt_x, *Zr) - l_tt_x = fp2.scalar_mul(*l_tt_x, yp) - l_tt_x = fp2.scalar_mul(*l_tt_x, monty.TWO) - assert((line_evaluation[0], line_evaluation[1]) == l_tt_x) - - # l_tt_y = 6 * Xt^2 * Zt^2 * xp - l_tt_y = fp2.mul(Xq0, Xq1, Xq0, Xq1) - t0 = fp2.mul(Zq0, Zq1, Zq0, Zq1) - l_tt_y = fp2.mul(*l_tt_y, *t0) - l_tt_y = fp2.scalar_mul(*l_tt_y, xp) - l_tt_y = fp2.scalar_mul(*l_tt_y, monty.SIX) - l_tt_y = fp2.neg(*l_tt_y) - # We ignore the 0 between the fp2 in line evaluation like the paper does - assert((line_evaluation[6], line_evaluation[7]) == l_tt_y) - - # l_tt_z = 6 * Xt^3 - 4 * Yt^2 - l_tt_z = fp2.mul(Xq0, Xq1, Xq0, Xq1) - l_tt_z = fp2.mul(*l_tt_z, Xq0, Xq1) - l_tt_z = 
fp2.scalar_mul(*l_tt_z, monty.SIX) - t0 = fp2.mul(Yq0, Yq1, Yq0, Yq1) - t0 = fp2.scalar_mul(*t0, monty.FOUR) - l_tt_z = fp2.sub(*l_tt_z, *t0) - # We ignore the 0 between the fp2 in line evaluation like the paper does - assert((line_evaluation[8], line_evaluation[9]) == l_tt_z) - - # Point addition and line evaluation - Xq = Xq0, Xq1 - Yq = Yq0, Yq1 - Zq = Zq0, Zq1 - Xt = Xt0, Xt1 - Yt = Yt0, Yt1 - Zt = Zt0, Zt1 - - line_evaluation, addition = point_addition_and_line_evaluation(*Xq, *Yq, *Zq, *Xt, *Yt, *Zt, xp, yp) - - # Xr - Zt_squared = fp2.mul(*Zt,*Zt) - Xr_a = fp2.mul(*Zt_squared,*Zt) - Xr_a = fp2.mul(*Xr_a,*Yq) - Xr_a = fp2.scalar_mul(*Xr_a, monty.TWO) - Xr_a2 = fp2.scalar_mul(*Yt, monty.TWO) - Xr_a = fp2.sub(*Xr_a,*Xr_a2) - Xr_af = fp2.mul(*Xr_a,*Xr_a) - Xr_b = fp2.mul(*Xq,*Zt_squared) - Xr_b = fp2.sub(*Xr_b,*Xt) - Xr_bf = fp2.exp(*Xr_b, 3) - Xr_bf = fp2.scalar_mul(*Xr_bf, monty.FOUR) - Xr_c = fp2.mul(*Xr_b,*Xr_b) - Xr_c = fp2.mul(*Xr_c,*Xt) - Xr_c = fp2.scalar_mul(*Xr_c, monty.FOUR) - Xr_cf = fp2.scalar_mul(*Xr_c, monty.TWO) - Xr = fp2.sub(*Xr_af,*Xr_bf) - Xr = fp2.sub(*Xr,*Xr_cf) - assert((addition[0],addition[1]) == Xr) - - # Yr - Yr_a = fp2.sub(*Xr_c,*Xr) - Yr_a = fp2.mul(*Xr_a,*Yr_a) - Yr_b = fp2.scalar_mul(*Xr_bf, monty.TWO) - Yr_b = fp2.mul(*Yr_b,*Yt) - Yr = fp2.sub(*Yr_a, *Yr_b) - assert((addition[2],addition[3]) == Yr) - - # Zr - Zr = fp2.mul(*Xq,*Zt_squared) - Zr = fp2.sub(*Zr,*Xt) - Zr = fp2.mul(*Zr,*Zt) - Zr = fp2.scalar_mul(*Zr, monty.TWO) - assert((addition[4],addition[5]) == Zr) - - # l_tq_x = 2 * Zr * yp - l_tq_x = fp2.add(*Zr,*Zr) - l_tq_x = fp2.scalar_mul(*l_tq_x, yp) - assert((line_evaluation[0],line_evaluation[1]) == l_tq_x) - - # l_tq_y = - (4 * xp * (Yq * Zt^3 - Yt)) - # Change respect to the paper, the algorithm use sub and not add - Zt_cubed = fp2.mul(*Zt_squared, *Zt) - l_tq_y = fp2.mul(*Yq, *Zt_cubed) - # l_tq_y = fp2.add(*l_tq_y, *Yt) - l_tq_y = fp2.sub(*l_tq_y, *Yt) - l_tq_y = fp2.scalar_mul(*l_tq_y, monty.FOUR) - l_tq_y = 
fp2.scalar_mul(*l_tq_y, xp) - l_tq_y = fp2.neg(*l_tq_y) - assert((line_evaluation[6],line_evaluation[7]) == l_tq_y) - - # l_tq_z = 4 * Xq * (Yq * Zt^3 − Yt ) − 2 * Yq * Zr - # Change respect to the paper, the algorithm does not multiply by Xq - l_tq_z = fp2.mul(*Yq, *Zt_cubed) - #l_tq_z = fp2.mul(*l_tq_z, *Xq) - l_tq_z = fp2.sub(*l_tq_z, *Yt) - l_tq_z = fp2.scalar_mul(*l_tq_z, monty.FOUR) - l_tq_z = fp2.mul(*l_tq_z, *Xq) - t0 = fp2.scalar_mul(*Yq, monty.TWO) - t0 = fp2.mul(*t0,*Zr) - l_tq_z = fp2.sub(*l_tq_z, *t0) - assert((line_evaluation[8],line_evaluation[9]) == l_tq_z) # Pairing Test # Should be 1 - a = pair(xp, yp, Xq0, Xq1, Yq0, Yq1) - b = pair(xp, yp, Xt0, Xt1, Yt0, Yt1) + a = pair(xp0, yp0, Xq0, Xq1, Yq0, Yq1) + b = pair(xp1, yp1, Xt0, Xt1, Yt0, Yt1) result = fp12.mul(*a, *b) assert(result == fp12.ONE) From fda67c5067f5cfdf611b625898b1db457591d563 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 6 Sep 2023 10:51:32 -0300 Subject: [PATCH 17/31] Fix constant for fp12 --- scripts/fp12.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/fp12.py b/scripts/fp12.py index 680c31f2..9201ac85 100644 --- a/scripts/fp12.py +++ b/scripts/fp12.py @@ -4,7 +4,7 @@ import frobenius as frb ZERO = (0,0,0,0,0,0,0,0,0,0,0,0) -ONE = [monty.ONE] + [0 for _ in range(11)] +ONE = tuple([monty.ONE] + [0 for _ in range(11)]) # Algorithm 18 from https://eprint.iacr.org/2010/354.pdf def add(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, b_000, b_001, b_010, b_011, b_020, b_021, b_100, b_101, b_110, b_111, b_120, b_121): From ccb20e3d2781d4b4bc51575ab38f8fa6e6621074 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 6 Sep 2023 10:51:49 -0300 Subject: [PATCH 18/31] Add functions for g2 in projective and affine --- scripts/g2.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/scripts/g2.py b/scripts/g2.py index 5fd06c1f..b3b7265e 100644 --- a/scripts/g2.py +++ b/scripts/g2.py 
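Review bot: Every formula-level assertion for point doubling and addition (Xr/Yr/Zr and the l_tt/l_tq coefficients) is deleted and only the end-to-end `result == fp12.ONE` check remains, so a regression in point_doubling_and_line_evaluation or point_addition_and_line_evaluation now shows up only as a failed pairing product with no indication of which step broke. The patch-14 functions use different formulas, so the old expectations could not be kept as-is, but a replacement check of the doubled and added points (for instance converting both sides with `g2.into_affine` and comparing against an affine-formula reference) would restore that localisation. main() starts outside the hunk.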
@@ -1,10 +1,12 @@ import fp2 import montgomery as monty -def neg(x0,x1, y0, y1, z0, z1): +# Neg function for G2 in affine coordinates +def neg(x0,x1, y0, y1): y0,y1= fp2.neg(y0,y1) - return (x0,x1,y0,y1,z0,z1) + return (x0,x1,y0,y1) +# G2 function to go back and forth between affine and projective coordinates def from_affine(x0,x1,y0,y1): if x0 == 0 and x1 == 0 and y0 == 0 and y1 == 0: return (monty.ONE, 0, monty.ONE, 0, 0, 0) @@ -12,3 +14,11 @@ def from_affine(x0,x1,y0,y1): z0 = monty.ONE z1 = 0 return (x0,x1,y0,y1,z0,z1) + +def into_affine(x0,x1,y0,y1,z0,z1): + + z0, z1 = fp2.inv(z0,z1) + x0, x1 = fp2.mul(x0,x1,z0,z1) + y0, y1 = fp2.mul(y0,y1,z0,z1) + + return (x0,x1,y0,y1) From 94d199ba993746a708f0e0178faaba03a904e9c4 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Wed, 6 Sep 2023 10:52:12 -0300 Subject: [PATCH 19/31] Fix NAF representation --- scripts/pairing_utils.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/scripts/pairing_utils.py b/scripts/pairing_utils.py index c2975e52..ed964de2 100644 --- a/scripts/pairing_utils.py +++ b/scripts/pairing_utils.py @@ -5,10 +5,10 @@ # t = 6x**2 + 1 # x = 4965661367192848881 # s = 6x + 2 -> s = 29793968203157093288 -S_NAF = [0, 0, 0, 1, 0, 1, 0, -1, 0, 0, 1, -1, 0, 0, 1, 0, - 0, 1, 1, 0, -1, 0, 0, 1, 0, -1, 0, 0, 0, 0, 1, 1, - 1, 0, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, 1, - 1, 0, 0, -1, 0, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, 1, 1] +S_NAF = [0, 0, 0, 1, 0, 1, 0, -1, 0, 0, -1, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, + 0, 0, 1, 0, -1, 0, 0, 0, 0, -1, 0, 0, 1, 0, -1, 0, 0, 1, 0, 0, 0, 0, + 0, -1, 0, 0, -1, 0, 1, 0, -1, 0, 0, 0, -1, 0, -1, 0, 0, 0, 1, 0, -1, 0, 1] +TWISTED_CURVE_COEFFS = (monty.into(19485874751759354771024239261021720505790618469301721065564631296452457478373), monty.into(266929791119991161246907387137283842545076965332900288569378510910307636690)) def is_in_curve(x, y): x = monty.out_of(x) 
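Review bot: `into_affine` inverts Z unconditionally; for the point at infinity, which `from_affine` above encodes with Z = (0, 0), this calls `fp2.inv(0, 0)`, whose behaviour is not visible here — if it returns 0 silently the caller gets a bogus finite point. Either guard it, `if z0 == 0 and z1 == 0: return (0, 0, 0, 0)` (the encoding from_affine already treats as infinity), or document the precondition. The coordinate convention should be stated as well: the pairing comments removed in patch 14 called Q Jacobian, whereas `x * Z^-1`, `y * Z^-1` here is homogeneous projective, so a one-liner on into_affine such as `# Projective (X:Y:Z) -> affine (X/Z, Y/Z); requires Z != 0` would settle it (the "go back and forth" comment currently sits above from_affine only).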
@@ -21,8 +21,7 @@ def is_in_curve(x, y): return a == b def is_in_twisted_curve(x0, x1, y0, y1): - a = (monty.into(19485874751759354771024239261021720505790618469301721065564631296452457478373), monty.into(266929791119991161246907387137283842545076965332900288569378510910307636690)) b = fp2.exp(x0, x1, 3) - b = fp2.add(*b, *a) + b = fp2.add(*b, *TWISTED_CURVE_COEFFS) c = fp2.exp(y0, y1, 2) return b == c From 70aca4ffdc1081fd6ba2021b93354d8f3231ab5b Mon Sep 17 00:00:00 2001 From: Joaquin Carletti Date: Wed, 6 Sep 2023 13:36:49 -0300 Subject: [PATCH 20/31] add eth tests --- scripts/pairing_eth_test.json | 100 ++++++++++++++++++++++++++++++++++ scripts/pairing_test.py | 48 ++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 scripts/pairing_eth_test.json create mode 100644 scripts/pairing_test.py diff --git a/scripts/pairing_eth_test.json b/scripts/pairing_eth_test.json new file mode 100644 index 00000000..f7434df2 --- /dev/null +++ b/scripts/pairing_eth_test.json 
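Review bot: `is_in_twisted_curve` verifies only the curve equation y^2 = x^3 + b'; it does not check that the point lies in the order-r subgroup, and on the BN254 twist E'(Fp2) that is a proper subgroup, so a point can pass this test and still be outside G2. If these helpers are meant to validate pairing inputs (the EVM bn128 pairing precompile rejects such G2 points), add a subgroup check — scalar-multiply by r and compare with the identity — or rename/document the function so callers know they must do that themselves, e.g. `# Curve-equation check only; does NOT verify r-torsion (G2 subgroup) membership`.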
@@ -0,0 +1,100 @@ +[ + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "jeff1", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "jeff2", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "jeff3", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "jeff4", + "Gas": 147000, + "NoBenchmark": false + }, + { + "Input": "20a754d2071d4d53903e3b31a7e98ad6882d58aec240ef981fdf0a9d22c5926a29c853fcea789887315916bbeb89ca37edb355b4f980c9a12a94f30deeed30211213d2149b006137fcfb23036606f848d638d576a120ca981b5b1a5f9300b3ee2276cf730cf493cd95d64677bbb75fc42db72513a4c1e387b476d056f80aa75f21ee6226d31426322afcda621464d0611d226783262e21bb3bc86b537e986237096df1f82dff337dd5972e32a8ad43e28a78a96a823ef1cd4debe12b6552ea5f1abb4a25eb9379ae96c84fff9f0540abcfc0a0d11aeda02d4f37e4baf74cb0c11073b3ff2cdbb38755f8691ea59e9606696b3ff278acfc098fa8226470d03869217cee0a9ad79a4493b5253e2e4e3a39fc2df38419f230d341f60cb064a0ac290a3d76f140db8418ba512272381446eb73958670f00cf46f1d9e64cba057b53c26f64a8ec70387a13e41430ed3ee4a7db2059cc5fc13c067194bcc0cb49a98552fd72bd9edb657346127da132e5b82ab908f5816c826acb499e22f2412d1a2d70f25929bcb43d5a57391564615c9e70a992b10eafa4db109709649cf48c50dd2198a1f162a73261f112401aa2db79c7dab1533c9935c77290a6ce3b191f2318d198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c
85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "jeff5", + "Gas": 147000, + "NoBenchmark": false + }, + { + "Input": "1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f593034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41209dd15ebff5d46c4bd888e51a93cf99a7329636c63514396b4a452003a35bf704bf11ca01483bfa8b34b43561848d28905960114c8ac04049af4b6315a416782bb8324af6cfc93537a2ad1a445cfd0ca2a71acd7ac41fadbf933c2a51be344d120a2a4cf30c1bf9845f20c6fe39e07ea2cce61f0c9bb048165fe5e4de877550111e129f1cf1097710d41c4ac70fcdfa5ba2023c6ff1cbeac322de49d1b6df7c103188585e2364128fe25c70558f1560f4f9350baf3959e603cc91486e110936198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa", + "Expected": "0000000000000000000000000000000000000000000000000000000000000000", + "Name": "jeff6", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": "", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "empty_data", + "Gas": 45000, + "NoBenchmark": false + }, + { + "Input": "00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa", + "Expected": "0000000000000000000000000000000000000000000000000000000000000000", + "Name": "one_point", + "Gas": 79000, + "NoBenchmark": false + }, + { + "Input": 
"00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed275dc4a288d1afb3cbb1ac09187524c7db36395df7be3b99e673b13a075a65ec1d9befcd05a5323e6da4d435f3b617cdb3af83285c2df711ef39c01571827f9d", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "two_point_match_2", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": "00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002203e205db4f19b37b60121b83a7333706db86431c6d835849957ed8c3928ad7927dc7234fd11d3e8c36c59277c3e6f149d5cd3cfa9a62aee49f8130962b4b3b9195e8aa5b7827463722b8c153931579d3505566b4edf48d498e185f0509de15204bb53b8977e5f92a0bc372742c4830944a59b4fe6b1c0466e2a6dad122b5d2e030644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd31a76dae6d3272396d0cbe61fced2bc532edac647851e3ac53ce1cc9c7e645a83198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "two_point_match_3", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": 
"105456a333e6d636854f987ea7bb713dfd0ae8371a72aea313ae0c32c0bf10160cf031d41b41557f3e7e3ba0c51bebe5da8e6ecd855ec50fc87efcdeac168bcc0476be093a6d2b4bbf907172049874af11e1b6267606e00804d3ff0037ec57fd3010c68cb50161b7d1d96bb71edfec9880171954e56871abf3d93cc94d745fa114c059d74e5b6c4ec14ae5864ebe23a71781d86c29fb8fb6cce94f70d3de7a2101b33461f39d9e887dbb100f170a2345dde3c07e256d1dfa2b657ba5cd030427000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000021a2c3013d2ea92e13c800cde68ef56a294b883f6ac35d25f587c09b1b3c635f7290158a80cd3d66530f74dc94c94adb88f5cdb481acca997b6e60071f08a115f2f997f3dbd66a7afe07fe7862ce239edba9e05c5afff7f8a1259c9733b2dfbb929d1691530ca701b4a106054688728c9972c8512e9789e9567aae23e302ccd75", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "two_point_match_4", + "Gas": 113000, + "NoBenchmark": false + }, + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "ten_point_match_1", + "Gas": 385000, + "NoBenchmark": false + }, + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "ten_point_match_2", + "Gas": 385000, + "NoBenchmark": false + }, + { + "Input": "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", + "Expected": "0000000000000000000000000000000000000000000000000000000000000001", + "Name": "ten_point_match_3", + "Gas": 113000, + "NoBenchmark": false + } + ] diff --git a/scripts/pairing_test.py b/scripts/pairing_test.py new file mode 100644 index 00000000..8302ec8b --- /dev/null +++ b/scripts/pairing_test.py 
@@ -0,0 +1,48 @@ +import json +from functools import reduce +import montgomery as monty +import alt_bn128_pairing as pairing +import fp12 + +json_file_path = "pairing_eth_test.json" + +tests = [] + +with open(json_file_path, "r") as json_file: + data = json.load(json_file) + tests = [] + for element in data: + input_data = element["Input"] + expected_data = element["Expected"] + + chunks = [monty.into(int(input_data[i:i+64], 16)) for i in range(0, len(input_data), 64)] + sublistas = [chunks[i:i+6] for i in range(0, len(chunks), 6)] + + for sublista in sublistas: + temp = sublista[2] + sublista[2] = sublista[3] + sublista[3] = temp + + temp = sublista[4] + sublista[4] = sublista[5] + sublista[5] = temp + + tests.append({ + "Input": sublistas, + "Expected": int(element["Expected"], 16) + }) + +for test in tests: + result = [] + for i in test["Input"]: + result.append(pairing.pair(*i)) + try: + resultado = reduce(lambda x, y: fp12.mul(*x,*y), result) + if resultado == fp12.ONE: + resultado = 1 + else: + resultado = 0 + + print(resultado == test["Expected"]) + except: + print("Error") From f8283a19be383c43c28403f440c0c06a15788eac Mon Sep 17 00:00:00 2001 From: Joaquin Carletti Date: Wed, 6 Sep 2023 14:15:57 -0300 Subject: [PATCH 21/31] add tests names --- scripts/pairing_test.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/pairing_test.py b/scripts/pairing_test.py index 8302ec8b..cfe2e3ba 100644 --- a/scripts/pairing_test.py +++ b/scripts/pairing_test.py @@ -14,6 +14,7 @@ for element in data: input_data = element["Input"] expected_data = element["Expected"] + name = element["Name"] chunks = [monty.into(int(input_data[i:i+64], 16)) for i in range(0, len(input_data), 64)] sublistas = [chunks[i:i+6] for i in range(0, len(chunks), 6)] 
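Review bot: The `empty_data` vector (Input "") yields an empty `result`, so `reduce(...)` with no initializer raises TypeError, which the bare `except:` turns into a printed "Error" instead of the expected 1; pass the identity as the initial value, `resultado = reduce(lambda x, y: fp12.mul(*x, *y), result, fp12.ONE)`, and narrow the handler to `except Exception as exc:` so a genuine failure is reported with its message rather than hidden. The script also only prints True/False and never exits non-zero, so a CI run cannot fail on a wrong pairing — collect mismatches and `raise SystemExit(1)` (or `assert`) at the end. The 2↔3 / 4↔5 swaps deserve a one-line comment saying why, presumably that the EVM encodes each G2 coordinate as (imaginary, real) while fp2 here takes (real, imaginary) — please confirm.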
@@ -29,11 +30,13 @@ tests.append({ "Input": sublistas, - "Expected": int(element["Expected"], 16) + "Expected": int(element["Expected"], 16), + "Name": name }) for test in tests: result = [] + print("Test: ", test["Name"]) for i in test["Input"]: result.append(pairing.pair(*i)) try: @@ -42,7 +45,7 @@ resultado = 1 else: resultado = 0 - - print(resultado == test["Expected"]) + print("-> ", resultado == test["Expected"]) except: print("Error") + print("___________") From f65e4f88b6ecce7286715127c56163dc7e9e8337 Mon Sep 17 00:00:00 2001 From: Joaquin Carletti Date: Thu, 7 Sep 2023 13:08:11 -0300 Subject: [PATCH 22/31] add expt --- scripts/fp12.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/scripts/fp12.py b/scripts/fp12.py index 9201ac85..67ffaef1 100644 --- a/scripts/fp12.py +++ b/scripts/fp12.py 
@@ -137,6 +137,40 @@ def exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110 return result +# u = 4965661367192848881 +def expt(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): + t3 = cyclotomic_square(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) + t5 = cyclotomic_square(*t3) + result = cyclotomic_square(*t5) + t0 = cyclotomic_square(*result) + t2 = mul(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, *t0) + t0 = mul(*t2, *t3) + t1 = mul(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, *t0) + t4 = mul(*result, *t2) + t6 = cyclotomic_square(*t2) + t1 = mul(*t1, *t0) + t0 = mul(*t1, *t3) + t6 = n_square(*t6, 6) + t5 = mul(*t5, *t6) + t5 = mul(*t4, *t5) + t5 = n_square(*t5, 7) + t4 = mul(*t4, *t5) + t4 = n_square(*t4, 8) + t4 = mul(*t4, *t0) + t3 = mul(*t3, *t4) + t3 = n_square(*t3, 6) + t2 = mul(*t2, *t3) + t2 = n_square(*t2, 8) + t2 = mul(*t0, *t2) + t2 = n_square(*t2, 6) + t2 = mul(*t0, *t2) + t2 = n_square(*t2, 10) + t1 = mul(*t1, *t2) + t1 = n_square(*t1, 6) + t0 = mul(*t0, *t1) + result = mul(*result, *t0) + return result + def main(): fp12_zero = tuple([0 for _ in range(12)]) fp12_one = tuple([monty.ONE] + [0 for _ in range(11)]) 
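Review bot: `expt` is an unrolled addition chain for one fixed exponent, but the only hint of that is the `# u = 4965661367192848881` comment above it and the exponent appears nowhere in the body, so a reader cannot check the chain or notice if `u` changes. Give it a docstring stating that it raises its argument to the seed u = 4965661367192848881 through a fixed addition chain (the `n_square` runs of 6, 7, 8, 6, 8, 6, 10, 6 are its doubling steps) and that it is valid only for inputs in the cyclotomic subgroup, since every squaring in it is `cyclotomic_square`. The docstring should also state that for such inputs `expt(*x)` equals `exponentiation(*x, 4965661367192848881)`, which is the property a test should pin.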
@@ -199,5 +233,24 @@ def main(): d = cyclotomic_square(*a) assert(c == d) + a = monty.into(19827568283656725110692125913997829449742114644971661319388242922918416973148) + b = monty.into(9732999610386208770202207078338067809442208175202866744722770421649221072959) + c = monty.into(20727574841732554863292016530689298917088494351528827122664593932739308306871) + d = monty.into(3874564711458012378314531860069575778169810677257551585602923961104676288406) + e = monty.into(17935684740199818762028639022893627301715986407063418165523758955792561981414) + f = monty.into(8477107368724046874298374695965950213457400565707569119844627494731679280724) + g = monty.into(8912696930561146201022263645939453588081385625233747724443687991590113109735) + h = monty.into(628165832162375762915573557640725085470303025585612898242872490717337051282) + i = monty.into(1777633336557734562438287626165944169907122686274029270455278654706759272728) + j = monty.into(377476157103636884886539826205985119579850123657565215557418605056063929807) + k = monty.into(3564650365049544497504264806008011348687628776990506738674777591518974019008) + l = monty.into(2847850797826906352579336459817708483258925268188678907210088234083286774036) + + result = exponentiation(a,b,c,d,e,f,g,h,i,j,k,l, 4965661367192848881) + # result = expt(a,b,c,d,e,f,g,h,i,j,k,l) + + for i in result: + print(monty.out_of(i)) + if __name__ == '__main__': main() From 12c9285909af92806d0fff7da4fde94dbaac2cf7 Mon Sep 17 00:00:00 2001 From: Joaquin Carletti Date: Thu, 7 Sep 2023 13:08:59 -0300 Subject: [PATCH 23/31] change final_exp --- scripts/alt_bn128_pairing.py | 144 ++++++++++++++++++----------------- 1 file changed, 74 insertions(+), 70 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 6c85349d..29dd9691 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
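Review bot: The new block in `main` prints the twelve coordinates of `exponentiation(a,...,l, 4965661367192848881)` and leaves the `expt` call commented out, so the commit adds `expt` without any check that its addition chain matches the generic square-and-multiply; replace the print loop with `assert(expt(a,b,c,d,e,f,g,h,i,j,k,l) == exponentiation(a,b,c,d,e,f,g,h,i,j,k,l, 4965661367192848881))`. `for i in result:` rebinds `i`, which a few lines above is one of the twelve operand coordinates, harmless now but a trap once an assertion follows the loop. Record where these twelve values come from in a comment: `expt` squares with `cyclotomic_square`, so the comparison is only meaningful if the operand lies in the cyclotomic subgroup. `main` begins before this hunk.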
@@ -89,53 +89,36 @@ def final_exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, # First part f1 = fp12.conjugate(*f) f2 = fp12.inv(*f) - f = fp12.mul(*f1, *f2) - f_aux = frb.frobenius_square(*f) - f = fp12.mul(*f_aux, *f) + f1 = fp12.mul(*f1, *f2) + f_aux = frb.frobenius_square(*f1) + f = fp12.mul(*f_aux, *f1) # Second part - ft_1 = fp12.exponentiation(*f) - ft_2 = fp12.square(*ft_1) - ft_3 = fp12.mul(*ft_2, *ft_1) - - fp_1 = frb.frobenius(*f) - fp_2 = frb.frobenius_square(*f) - fp_3 = frb.frobenius_cube(*f) - - y0 = fp12.mul(*fp_1, *fp_2) - y0 = fp12.mul(*y0, *fp_3) - - y1 = f1 - y2 = frb.frobenius_square(*ft_2) - y3 = frb.frobenius(*ft_1) - y3 = fp12.conjugate(*y3) - y4 = frb.frobenius(*ft_2) - y4 = fp12.mul(*y4, *ft_1) - y4 = fp12.conjugate(*y4) - y5 = fp12.conjugate(*ft_2) - y6 = frb.frobenius(*ft_3) - y6 = fp12.mul(*y6, *ft_3) - y6 = fp12.conjugate(*y6) - - t0 = fp12.square(*y6) - t0 = fp12.mul(*t0, *y4) - t0 = fp12.mul(*t0, *y5) - - t1 = fp12.mul(*y3, *y5) - t1 = fp12.mul(*t1, *t0) - - t0 = fp12.mul(*t0, *y2) - - t1 = fp12.square(*t1) - t1 = fp12.mul(*t1, *t0) - t1 = fp12.square(*t1) - - t0 = fp12.mul(*t1, *y1) - t1 = fp12.mul(*t1, *y0) - t0 = fp12.square(*t0) - f = fp12.mul(*t0, *t1) - - return f + t0 = fp12.expt(*f) + t0 = fp12.conjugate(*t0) + t0 = fp12.cyclotomic_square(*t0) + t1 = fp12.cyclotomic_square(*t0) + t1 = fp12.mul(*t0,*t1) + t2 = fp12.expt(*t1) + t2 = fp12.conjugate(*t2) + t3 = fp12.conjugate(*t1) + t1 = fp12.mul(*t2,*t3) + t3 = fp12.cyclotomic_square(*t2) + t4 = fp12.expt(*t3) + t4 = fp12.mul(*t4,*t1) + t3 = fp12.mul(*t4,*t0) + t0 = fp12.mul(*t2,*t4) + t0 = fp12.mul(*t0,*f) + t2 = frb.frobenius(*t3) + t0 = fp12.mul(*t2,*t0) + t2 = frb.frobenius_square(*t4) + t0 = fp12.mul(*t2,*t0) + t2 = fp12.conjugate(*f) + t2 = fp12.mul(*t2,*t3) + t2 = frb.frobenius_cube(*t2) + t0 = fp12.mul(*t2,*t0) + + return t0 def miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp): 
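Review bot: The hard part is now 24 lines of `t0`–`t4` shuffling with no comment on which exponent they compute or where the sequence comes from, and the function's header comment (outside this hunk) still cites Algorithm 31 of eprint 2010/354, which this body no longer follows. Add a comment above `t0 = fp12.expt(*f)` such as `# Hard part: f^((p^4 - p^2 + 1)/r) as a fixed chain of expt/cyclotomic_square/frobenius; valid because f is in the cyclotomic subgroup after the easy part`, naming the source of the chain. The new lines also drop the space after the comma (`fp12.mul(*t0,*t1)`) that the surrounding lines use; keep one style. The signature and header of `final_exponentiation` are outside the hunk.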
@@ -211,7 +194,6 @@ def pair(xp, yp, Xq0, Xq1, Yq0, Yq1): return f def main(): - # From Ethereum tests # 1c76476f4def4bb94541d57ebba1193381ffa7aa76ada664dd31c16024c43f59 -> Xp1 # 3034dd2920f673e204fee2811c678745fc819b55d3e9d294e45c9b03a76aef41 -> Yp1 
@@ -229,37 +211,59 @@ def main(): # 090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b -> Yq21 # 12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa -> Yq20 - xp0 = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) - yp0 = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) - Xq0 = monty.into(2146841959437886920191033516947821737903543682424168472444605468016078231160) - Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) - Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) - Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) - Zq0 = monty.ONE - Zq1 = 0 + # xp0 = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) + # yp0 = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) + # Xq0 = monty.into(2146841959437886920191033516947821737903543682424168472444605468016078231160) + # Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) + # Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) + # Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) + # Zq0 = monty.ONE + # Zq1 = 0 - assert(utils.is_in_curve(xp0, yp0)) - assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) + # assert(utils.is_in_curve(xp0, yp0)) + # assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) - xp1 = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) - yp1 = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) - Xt0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) - Xt1 = 
monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) - Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) - Yt1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) - Zt0 = monty.ONE - Zt1 = 0 + # xp1 = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) + # yp1 = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) + # Xt0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) + # Xt1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) + # Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) + # Yt1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) + # Zt0 = monty.ONE + # Zt1 = 0 6170940445994484564222204938066213705353407449799250191249554538140978927342]] - assert(utils.is_in_curve(xp1, yp1)) - assert(utils.is_in_twisted_curve(Xt0, Xt1, Yt0, Yt1)) + # assert(utils.is_in_curve(xp1, yp1)) + # assert(utils.is_in_twisted_curve(Xt0, Xt1, Yt0, Yt1)) # Pairing Test # Should be 1 - a = pair(xp0, yp0, Xq0, Xq1, Yq0, Yq1) - b = pair(xp1, yp1, Xt0, Xt1, Yt0, Yt1) - result = fp12.mul(*a, *b) - assert(result == fp12.ONE) + # a = pair(xp0, yp0, Xq0, Xq1, Yq0, Yq1) + # b = pair(xp1, yp1, Xt0, Xt1, Yt0, Yt1) + # result = fp12.mul(*a, *b) + # assert(result == fp12.ONE) + + a = monty.into(3922593631399090336339528803071099262141491405814296578274910684567510133683) + b = monty.into(16607425434230717262598164099514226944704153586804512012669443765848923952587) + c = monty.into(9134624062062024544725118676983342763083809929283420855003342259123398267824) + d = monty.into(4747675694213486057781601493127302819928133227424941866807419448726288902331) + e = 
monty.into(12254130592639987674566884737263569694989769400135483873338560119829064429975) + f = monty.into(6817926745858586453044832726703878642742495583716430686695253273962611100917) + g = monty.into(3546770739232558455041072017463377499292010810574652563603192703045638520109) + h = monty.into(14485480599716560126382393453180785246519066840333497703155017255223828628050) + i = monty.into(5076694896118152593877527434403782571381270076125031503051673857214224430642) + j = monty.into(4501790336157244275373122933475790238516145575110209506770563097616230186766) + k = monty.into(13232564460920072077570298894558682173110553862802663387322499368710843941714) + l = monty.into(13841506871711215674135020209000121175289355894296329127286968736958874517509) + + result = final_exponentiation(a,b,c,d,e,f,g,h,i,j,k,l) + + for i in result: + print(monty.out_of(i)) + + +# 3822727207351583292659994476990979135296112687596022631066558166493962670954+18922438517993961740682373793314673484281848981403947479389694874723665136519*u+(20857842099718567038881393327610339354071421691202877997782879588118221882136+20278284586561365113598722399016041871639817074728536135304063726790369425304*u)*v+(8912796180398104664142502639430370772493632980988097870838198815314533561370+6556208713406856861573597140639034753520173545126495321160154521292560496336*u)*v**2+(11691535323598952442780893535668124178259917244638368887121604852899565982563+14799213146982097028129994500065670358891587410514448097612740959915242877009*u+(8141033198733626940952022108226604502106143384492257860277471794395805824007+20593530128908133796390504110370159038301562635416783211842882198440455602073*u)*v+(14026693345682021594284240288075348335187515823342831384704383835559863778698+14624411140598065265555111540503171403538185164337398477030607424463066412392*u)*v**2)*w + pass if __name__ == '__main__': main() From 8d198f5498403c2d59fb79e5ea118f95574b8718 Mon Sep 17 00:00:00 2001 
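Review bot: This hunk replaces the only end-to-end check in `main` (`assert(result == fp12.ONE)` on the product of two pairings) with a loop that prints the twelve coordinates of `final_exponentiation` on hard-coded input and keeps the expected answer as a comment, so `main` now verifies nothing, and the commented-out test is exactly the one that would catch a wrong hard part. Keep the assertion, and if the expected value is worth keeping turn the comment into a tuple of twelve `monty.into(...)` values in the function's coordinate order and `assert(result == expected)`. `for i in result:` also rebinds the `i` coordinate assigned a few lines earlier, and the trailing `pass` is dead. `main` starts before this hunk.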
From: Joaquin Carletti Date: Thu, 7 Sep 2023 15:53:06 -0300 Subject: [PATCH 24/31] fix fp6 square --- scripts/alt_bn128_pairing.py | 67 +++++++++++++----------------------- scripts/fp6.py | 18 +++++----- 2 files changed, 33 insertions(+), 52 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 29dd9691..8ac88747 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py @@ -86,12 +86,13 @@ def point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Z def final_exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): f = (a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) + # First part - f1 = fp12.conjugate(*f) - f2 = fp12.inv(*f) - f1 = fp12.mul(*f1, *f2) - f_aux = frb.frobenius_square(*f1) - f = fp12.mul(*f_aux, *f1) + t0 = fp12.conjugate(*f) + f= fp12.inv(*f) + t0 = fp12.mul(*t0, *f) + f_aux = frb.frobenius_square(*t0) + f = fp12.mul(*f_aux, *t0) # Second part t0 = fp12.expt(*f) 
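Review bot: In the rewritten easy part `f` is reassigned to its own inverse (`f= fp12.inv(*f)`) and then to the result, so `f` means three different things within five lines, and the missing space after `f` breaks the surrounding style; `f_inv = fp12.inv(*f)` followed by `t0 = fp12.mul(*t0, *f_inv)` keeps the original operand readable. A comment over the block would help too, e.g. `# Easy part: f^((p^6 - 1)(p^2 + 1)); conjugation is the p^6-Frobenius on this tower, so conjugate(f) * inv(f) = f^(p^6 - 1)`. The function continues past the hunk.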
@@ -190,7 +191,8 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp):
 def pair(xp, yp, Xq0, Xq1, Yq0, Yq1):
 f = miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp)
 # This should be final exponentiation
- f = fp12.exponentiation(*f, 552484233613224096312617126783173147097382103762957654188882734314196910839907541213974502761540629817009608548654680343627701153829446747810907373256841551006201639677726139946029199968412598804882391702273019083653272047566316584365559776493027495458238373902875937659943504873220554161550525926302303331747463515644711876653177129578303191095900909191624817826566688241804408081892785725967931714097716709526092261278071952560171111444072049229123565057483750161460024353346284167282452756217662335528813519139808291170539072125381230815729071544861602750936964829313608137325426383735122175229541155376346436093930287402089517426973178917569713384748081827255472576937471496195752727188261435633271238710131736096299798168852925540549342330775279877006784354801422249722573783561685179618816480037695005515426162362431072245638324744480)
+ # f = fp12.exponentiation(*f, 552484233613224096312617126783173147097382103762957654188882734314196910839907541213974502761540629817009608548654680343627701153829446747810907373256841551006201639677726139946029199968412598804882391702273019083653272047566316584365559776493027495458238373902875937659943504873220554161550525926302303331747463515644711876653177129578303191095900909191624817826566688241804408081892785725967931714097716709526092261278071952560171111444072049229123565057483750161460024353346284167282452756217662335528813519139808291170539072125381230815729071544861602750936964829313608137325426383735122175229541155376346436093930287402089517426973178917569713384748081827255472576937471496195752727188261435633271238710131736096299798168852925540549342330775279877006784354801422249722573783561685179618816480037695005515426162362431072245638324744480)
+ f = final_exponentiation(*f)
 return f

 def main():
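Review bot: `pair` now computes a full pairing from raw coordinates, but neither it nor `miller_loop` checks that (xp, yp) is on the curve or that the G2 point is on the twist and in the r-torsion subgroup; the `utils.is_in_curve` / `utils.is_in_twisted_curve` checks live only in `main`. In a precompile model invalid points must be rejected rather than fed to the Miller loop, so either validate inside `pair` or document the precondition: `"""Pairing e(P, Q) for P = (xp, yp) and Q = (Xq0 + Xq1*u, Yq0 + Yq1*u) in Montgomery form; callers must validate G1/G2 membership first."""`. Because the twist's cofactor is not 1, a curve-equation check alone does not establish G2 membership. The commented-out `fp12.exponentiation` line with its very long literal should be deleted rather than kept as a comment.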
@@ -211,24 +213,24 @@ def main(): # 090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b -> Yq21 # 12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa -> Yq20 - # xp0 = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) - # yp0 = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) - # Xq0 = monty.into(2146841959437886920191033516947821737903543682424168472444605468016078231160) - # Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) - # Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) - # Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) + xp0 = monty.into(12873740738727497448187997291915224677121726020054032516825496230827252793177) + yp0 = monty.into(21804419174137094775122804775419507726154084057848719988004616848382402162497) + Xq0 = monty.into(2146841959437886920191033516947821737903543682424168472444605468016078231160) + Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) + Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) + Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) # Zq0 = monty.ONE # Zq1 = 0 # assert(utils.is_in_curve(xp0, yp0)) # assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) - # xp1 = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) - # yp1 = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) - # Xt0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) - # Xt1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) - # Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) - # Yt1 = 
monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) + xp1 = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) + yp1 = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) + Xt0 = monty.into(10857046999023057135944570762232829481370756359578518086990519993285655852781) + Xt1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) + Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) + Yt1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) # Zt0 = monty.ONE # Zt1 = 0 6170940445994484564222204938066213705353407449799250191249554538140978927342]] 
@@ -238,31 +240,10 @@ def main(): # Pairing Test # Should be 1 - # a = pair(xp0, yp0, Xq0, Xq1, Yq0, Yq1) - # b = pair(xp1, yp1, Xt0, Xt1, Yt0, Yt1) - # result = fp12.mul(*a, *b) - # assert(result == fp12.ONE) - - a = monty.into(3922593631399090336339528803071099262141491405814296578274910684567510133683) - b = monty.into(16607425434230717262598164099514226944704153586804512012669443765848923952587) - c = monty.into(9134624062062024544725118676983342763083809929283420855003342259123398267824) - d = monty.into(4747675694213486057781601493127302819928133227424941866807419448726288902331) - e = monty.into(12254130592639987674566884737263569694989769400135483873338560119829064429975) - f = monty.into(6817926745858586453044832726703878642742495583716430686695253273962611100917) - g = monty.into(3546770739232558455041072017463377499292010810574652563603192703045638520109) - h = monty.into(14485480599716560126382393453180785246519066840333497703155017255223828628050) - i = monty.into(5076694896118152593877527434403782571381270076125031503051673857214224430642) - j = monty.into(4501790336157244275373122933475790238516145575110209506770563097616230186766) - k = monty.into(13232564460920072077570298894558682173110553862802663387322499368710843941714) - l = monty.into(13841506871711215674135020209000121175289355894296329127286968736958874517509) - - result = final_exponentiation(a,b,c,d,e,f,g,h,i,j,k,l) - - for i in result: - print(monty.out_of(i)) - - -# 
3822727207351583292659994476990979135296112687596022631066558166493962670954+18922438517993961740682373793314673484281848981403947479389694874723665136519*u+(20857842099718567038881393327610339354071421691202877997782879588118221882136+20278284586561365113598722399016041871639817074728536135304063726790369425304*u)*v+(8912796180398104664142502639430370772493632980988097870838198815314533561370+6556208713406856861573597140639034753520173545126495321160154521292560496336*u)*v**2+(11691535323598952442780893535668124178259917244638368887121604852899565982563+14799213146982097028129994500065670358891587410514448097612740959915242877009*u+(8141033198733626940952022108226604502106143384492257860277471794395805824007+20593530128908133796390504110370159038301562635416783211842882198440455602073*u)*v+(14026693345682021594284240288075348335187515823342831384704383835559863778698+14624411140598065265555111540503171403538185164337398477030607424463066412392*u)*v**2)*w + a = pair(xp0, yp0, Xq0, Xq1, Yq0, Yq1) + b = pair(xp1, yp1, Xt0, Xt1, Yt0, Yt1) + result = fp12.mul(*a, *b) + assert(result == fp12.ONE) pass if __name__ == '__main__': diff --git a/scripts/fp6.py b/scripts/fp6.py index 65fd63c4..bcd0870e 100644 --- a/scripts/fp6.py +++ b/scripts/fp6.py @@ -36,7 +36,7 @@ def square(a_00, a_01, a_10, a_11, a_20, a_21): c2 = fp2.sub(*c4, *c5) c3 = fp2.exp(a_00, a_01, 2) c4 = fp2.add(*fp2.sub(a_00, a_01, a_10, a_11), a_20, a_21) - c5 = fp2.scalar_mul(*fp2.mul(a_00, a_01, a_20, a_21), monty.TWO) + c5 = fp2.scalar_mul(*fp2.mul(a_10, a_11, a_20, a_21), monty.TWO) c4 = fp2.exp(*c4, 2) c0 = fp2.add(*fp2.mul_by_xi(*c5), *c3) c2 = fp2.sub(*fp2.add(*fp2.add(*c2, *c4), *c5), *c3) 
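Review bot: The `a_00` → `a_10` fix in `square` lands without a regression test: the `main` hunk in `fp6.py` only renames `fp6_zero` to `fp6_one` in the inverse check, so a recurrence of this typo would again go unnoticed until a pairing fails end to end. Add `assert(square(*fp2_a_0, *fp2_a_1, *fp2_a_2) == mul(*fp2_a_0, *fp2_a_1, *fp2_a_2, *fp2_a_0, *fp2_a_1, *fp2_a_2))` next to the inverse test, and a short comment on the corrected line, `# c5 = 2 * a1 * a2`, so the operand pairing is visible. The body of `square` starts before the hunk.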
@@ -125,14 +125,14 @@ def main(): # INVERSE fp6_inversed = inv(*fp2_a_0, *fp2_a_1, *fp2_a_2) - fp6_zero = mul(*fp2_a_0, *fp2_a_1, *fp2_a_2, *fp6_inversed) - - assert(fp6_zero[0] == monty.ONE) - assert(fp6_zero[1] == 0) - assert(fp6_zero[2] == 0) - assert(fp6_zero[3] == 0) - assert(fp6_zero[4] == 0) - assert(fp6_zero[5] == 0) + fp6_one = mul(*fp2_a_0, *fp2_a_1, *fp2_a_2, *fp6_inversed) + + assert(fp6_one[0] == monty.ONE) + assert(fp6_one[1] == 0) + assert(fp6_one[2] == 0) + assert(fp6_one[3] == 0) + assert(fp6_one[4] == 0) + assert(fp6_one[5] == 0) if __name__ == '__main__': main() From 591cef7e4e77c695e604e51ee80a661259a297c4 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 7 Sep 2023 16:37:28 -0300 Subject: [PATCH 25/31] Delete test generator for pairing in python --- scripts/pairing_eth_test.json | 100 ---------------------------------- scripts/pairing_test.py | 51 ----------------- 2 files changed, 151 deletions(-) delete mode 100644 scripts/pairing_eth_test.json delete mode 100644 scripts/pairing_test.py diff --git a/scripts/pairing_eth_test.json b/scripts/pairing_eth_test.json deleted file mode 100644 index f7434df2..00000000 --- a/scripts/pairing_eth_test.json +++ /dev/null 
@@ -1,100 +0,0 @@ -[ - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "jeff1", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "jeff2", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "jeff3", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "jeff4", - "Gas": 147000, - "NoBenchmark": false - }, - { - "Input": "20a754d2071d4d53903e3b31a7e98ad6882d58aec240ef981fdf0a9d22c5926a29c853fcea789887315916bbeb89ca37edb355b4f980c9a12a94f30deeed30211213d2149b006137fcfb23036606f848d638d576a120ca981b5b1a5f9300b3ee2276cf730cf493cd95d64677bbb75fc42db72513a4c1e387b476d056f80aa75f21ee6226d31426322afcda621464d0611d226783262e21bb3bc86b537e986237096df1f82dff337dd5972e32a8ad43e28a78a96a823ef1cd4debe12b6552ea5f1abb4a25eb9379ae96c84fff9f0540abcfc0a0d11aeda02d4f37e4baf74cb0c11073b3ff2cdbb38755f8691ea59e9606696b3ff278acfc098fa8226470d03869217cee0a9ad79a4493b5253e2e4e3a39fc2df38419f230d341f60cb064a0ac290a3d76f140db8418ba512272381446eb73958670f00cf46f1d9e64cba057b53c26f64a8ec70387a13e41430ed3ee4a7db2059cc5fc13c067194bcc0cb49a98552fd72bd9edb657346127da132e5b82ab908f5816c826acb499e22f2412d1a2d70f25929bcb43d5a57391564615c9e70a992b10eafa4db109709649cf48c50dd2198a1f162a73261f112401aa2db79c7dab1533c9935c77290a6ce3b191f2318d198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c
85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "jeff5", - "Gas": 147000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000000", - "Name": "jeff6", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "empty_data", - "Gas": 45000, - "NoBenchmark": false - }, - { - "Input": "00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa", - "Expected": "0000000000000000000000000000000000000000000000000000000000000000", - "Name": "one_point", - "Gas": 79000, - "NoBenchmark": false - }, - { - "Input": "00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c21800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed275dc4a288d1afb3cbb1ac09187524c7db36395df7be3b99e673b13a075a65ec1d9befcd05a5323e6da4d435f3b617cdb3af83285c2df711ef39c01571827f9d", - "Expected": 
"0000000000000000000000000000000000000000000000000000000000000001", - "Name": "two_point_match_2", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "two_point_match_3", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "two_point_match_4", - "Gas": 113000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "ten_point_match_1", - "Gas": 385000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "ten_point_match_2", - "Gas": 385000, - "NoBenchmark": false - }, - { - "Input": "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", - "Expected": "0000000000000000000000000000000000000000000000000000000000000001", - "Name": "ten_point_match_3", - "Gas": 113000, - "NoBenchmark": false - } - ] diff --git a/scripts/pairing_test.py b/scripts/pairing_test.py deleted file mode 100644 index cfe2e3ba..00000000 --- a/scripts/pairing_test.py +++ /dev/null 
@@ -1,51 +0,0 @@ -import json -from functools import reduce -import montgomery as monty -import alt_bn128_pairing as pairing -import fp12 - -json_file_path = "pairing_eth_test.json" - -tests = [] - -with open(json_file_path, "r") as json_file: - data = json.load(json_file) - tests = [] - for element in data: - input_data = element["Input"] - expected_data = element["Expected"] - name = element["Name"] - - chunks = [monty.into(int(input_data[i:i+64], 16)) for i in range(0, len(input_data), 64)] - sublistas = [chunks[i:i+6] for i in range(0, len(chunks), 6)] - - for sublista in sublistas: - temp = sublista[2] - sublista[2] = sublista[3] - sublista[3] = temp - - temp = sublista[4] - sublista[4] = sublista[5] - sublista[5] = temp - - tests.append({ - "Input": sublistas, - "Expected": int(element["Expected"], 16), - "Name": name - }) - -for test in tests: - result = [] - print("Test: ", test["Name"]) - for i in test["Input"]: - result.append(pairing.pair(*i)) - try: - resultado = reduce(lambda x, y: fp12.mul(*x,*y), result) - if resultado == fp12.ONE: - resultado = 1 - else: - resultado = 0 - print("-> ", resultado == test["Expected"]) - except: - print("Error") - print("___________") From 7c71f00b752a782dd1ba325aeb18eb1351638a35 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 7 Sep 2023 16:37:40 -0300 Subject: [PATCH 26/31] Delete unnecesary comments --- scripts/alt_bn128_pairing.py | 58 ++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 33 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 8ac88747..3635a300 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
@@ -47,44 +47,43 @@ def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): return l,T def point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Zt0, Zt1): - temp = fp2.mul(Yq0,Yq1,Zt0,Zt1) # Y2Z1.Mul(&a.Y, &p.z) - O = fp2.sub(Yt0,Yt1,*temp) # O.Sub(&p.y, &Y2Z1) - temp = fp2.mul(Xq0,Xq1,Zt0,Zt1) # X2Z1.Mul(&a.X, &p.z) - L = fp2.sub(Xt0,Xt1,*temp) # L.Sub(&p.x, &X2Z1) - C = fp2.mul(*O,*O) # C.Square(&O) - D = fp2.mul(*L,*L) # D.Square(&L) - E = fp2.mul(*L,*D) # E.Mul(&L, &D) - F = fp2.mul(Zt0,Zt1,*C) # F.Mul(&p.z, &C) - G = fp2.mul(Xt0,Xt1,*D) # G.Mul(&p.x, &D) - temp = fp2.add(*G,*G) # t0.Double(&G) + temp = fp2.mul(Yq0,Yq1,Zt0,Zt1) + O = fp2.sub(Yt0,Yt1,*temp) + temp = fp2.mul(Xq0,Xq1,Zt0,Zt1) + L = fp2.sub(Xt0,Xt1,*temp) + C = fp2.mul(*O,*O) + D = fp2.mul(*L,*L) + E = fp2.mul(*L,*D) + F = fp2.mul(Zt0,Zt1,*C) + G = fp2.mul(Xt0,Xt1,*D) + temp = fp2.add(*G,*G) H = fp2.add(*E,*F) - H = fp2.sub(*H,*temp) # H.Add(&E, &F).Sub(&H, &t0) - temp = fp2.mul(Yt0, Yt1, *E) # t1.Mul(&p.y, &E) + H = fp2.sub(*H,*temp) + temp = fp2.mul(Yt0, Yt1, *E) # X, Y, Z - Tx0, Tx1 = fp2.mul(*L,*H) # p.x.Mul(&L, &H) + Tx0, Tx1 = fp2.mul(*L,*H) Ty0, Ty1 = fp2.sub(*G,*H) Ty0, Ty1 = fp2.mul(Ty0,Ty1,*O) - Ty0, Ty1 = fp2.sub(Ty0,Ty1,*temp) # p.y.Sub(&G, &H).Mul(&p.y, &O).Sub(&p.y, &t1) - Tz0, Tz1 = fp2.mul(*E, Zt0, Zt1) # p.z.Mul(&E, &p.z) + Ty0, Ty1 = fp2.sub(Ty0,Ty1,*temp) + Tz0, Tz1 = fp2.mul(*E, Zt0, Zt1) - temp = fp2.mul(*L,Yq0,Yq1) # t2.Mul(&L, &a.Y) + temp = fp2.mul(*L,Yq0,Yq1) J = fp2.mul(Xq0,Xq1,*O) - J = fp2.sub(*J, *temp) # J.Mul(&a.X, &O).Sub(&J, &t2) + J = fp2.sub(*J, *temp) # Line evaluation - l0 = L # evaluations.r0.Set(&L) - l1 = fp2.neg(*O) # evaluations.r1.Neg(&O) - l2 = J # evaluations.r2.Set(&J) + l0 = L + l1 = fp2.neg(*O) + l2 = J l = (*l0,0,0,0,0,*l1,*l2,0,0) T = Tx0, Tx1, Ty0, Ty1, Tz0, Tz1 return l, T -# Algorithm 31 from https://eprint.iacr.org/2010/354.pdf +# Algorithm 6 from https://eprint.iacr.org/2015/192.pdf def 
final_exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): - f = (a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) # First part @@ -190,8 +189,6 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp): def pair(xp, yp, Xq0, Xq1, Yq0, Yq1): f = miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp) - # This should be final exponentiation - # f = fp12.exponentiation(*f, 552484233613224096312617126783173147097382103762957654188882734314196910839907541213974502761540629817009608548654680343627701153829446747810907373256841551006201639677726139946029199968412598804882391702273019083653272047566316584365559776493027495458238373902875937659943504873220554161550525926302303331747463515644711876653177129578303191095900909191624817826566688241804408081892785725967931714097716709526092261278071952560171111444072049229123565057483750161460024353346284167282452756217662335528813519139808291170539072125381230815729071544861602750936964829313608137325426383735122175229541155376346436093930287402089517426973178917569713384748081827255472576937471496195752727188261435633271238710131736096299798168852925540549342330775279877006784354801422249722573783561685179618816480037695005515426162362431072245638324744480) f = final_exponentiation(*f) return f 
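Review bot: This hunk deletes `f = (a_000, a_001, ..., a_121)` at the top of `final_exponentiation`, but the easy part that follows (outside the hunk, as the preceding "fix fp6 square" patch shows) still begins with `t0 = fp12.conjugate(*f)` and `f= fp12.inv(*f)`, so `f` becomes an unbound local and `pair` raises `NameError` on first use unless a later patch restores it. Keep the tuple line, or have the body refer to the parameters directly. Stripping the `# Y2Z1.Mul(&a.Y, &p.z)` style comments from `point_addition_and_line_evaluation` also removes the only trace of the reference implementation each line was ported from; one comment at the top of that function naming the source would preserve it. `final_exponentiation` continues past the hunk.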
@@ -219,11 +216,9 @@ def main(): Xq1 = monty.into(14752851163271972921165116810778899752274893127848647655434033030151679466487) Yq0 = monty.into(8159591693044959083845993640644415462154314071906244874217244895511876957520) Yq1 = monty.into(19774899457345372253936887903062884289284519982717033379297427576421785416781) - # Zq0 = monty.ONE - # Zq1 = 0 - # assert(utils.is_in_curve(xp0, yp0)) - # assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) + assert(utils.is_in_curve(xp0, yp0)) + assert(utils.is_in_twisted_curve(Xq0, Xq1, Yq0, Yq1)) xp1 = monty.into(7742452358972543465462254569134860944739929848367563713587808717088650354556) yp1 = monty.into(14563720768440487558151020426243236708567496944263114635856508834497000371217) @@ -231,15 +226,12 @@ def main(): Xt1 = monty.into(11559732032986387107991004021392285783925812861821192530917403151452391805634) Yt0 = monty.into(8495653923123431417604973247489272438418190587263600148770280649306958101930) Yt1 = monty.into(4082367875863433681332203403145435568316851327593401208105741076214120093531) - # Zt0 = monty.ONE - # Zt1 = 0 6170940445994484564222204938066213705353407449799250191249554538140978927342]] - # assert(utils.is_in_curve(xp1, yp1)) - # assert(utils.is_in_twisted_curve(Xt0, Xt1, Yt0, Yt1)) + assert(utils.is_in_curve(xp1, yp1)) + assert(utils.is_in_twisted_curve(Xt0, Xt1, Yt0, Yt1)) # Pairing Test - # Should be 1 a = pair(xp0, yp0, Xq0, Xq1, Yq0, Yq1) b = pair(xp1, yp1, Xt0, Xt1, Yt0, Yt1) result = fp12.mul(*a, *b) From ff1cbdf317376f1bcccd75ea5a24e900a124f9b4 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 7 Sep 2023 16:41:37 -0300 Subject: [PATCH 27/31] Delete unused exponentiation function --- scripts/fp12.py | 35 +---------------------------------- scripts/frobenius.py | 14 -------------- 2 files changed, 1 insertion(+), 48 deletions(-) diff --git a/scripts/fp12.py b/scripts/fp12.py index 67ffaef1..f56349b6 100644 --- a/scripts/fp12.py +++ b/scripts/fp12.py 
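Review bot: The re-enabled asserts in both hunks of main() (`utils.is_in_curve` / `utils.is_in_twisted_curve`) only confirm that the fixed test points satisfy the curve equations; they do not establish that the G2 inputs lie in the order-r subgroup of the twist, and a point on the twisted curve is not necessarily in that subgroup, which is the membership check a pairing input path has to perform. That is acceptable for hard-coded test vectors, but a reader could mistake it for the precompile's input validation, so I would add `# curve-equation sanity check only; subgroup membership of Q is not verified here` above the first pair of asserts. Note also that `assert` is skipped under `python -O`, so these are smoke checks rather than guarantees.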
@@ -119,25 +119,11 @@ def cyclotomic_square(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_ def n_square(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, n): out = a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121 - for i in range(0, n): + for _ in range(0, n): out = cyclotomic_square(*out) return out -def exponentiation(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121, exp): - a = a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121 - result = ONE - bits_exp = bin(exp)[2:] - for i in bits_exp: - aux = mul(*result, *result) - if i != '0': - result = mul(*a, *aux) - else: - result = aux - - return result - -# u = 4965661367192848881 def expt(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): t3 = cyclotomic_square(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121) t5 = cyclotomic_square(*t3) 
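Review bot: Deleting `exponentiation` also deletes `# u = 4965661367192848881`, the comment directly above `def expt` and the only statement of which exponent the hard-coded chain in expt computes; keep it on the new side as `# expt(a) = a**u for u = 4965661367192848881, built from cyclotomic squarings and multiplications` (confirm the value against the addition chain, since it now survives only in the removed line). The generic square-and-multiply that goes away was also the reference the frobenius.py tests (deleted in the hunk below) compared `frobenius`, `frobenius_square` and `frobenius_cube` against, so after this series nothing independent checks either the expt chain or the precomputed Frobenius constants; I would keep one slow reference implementation under a test-only name rather than remove it. Minor: `range(0, n)` is just `range(n)`.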
@@ -233,24 +219,5 @@ def main(): d = cyclotomic_square(*a) assert(c == d) - a = monty.into(19827568283656725110692125913997829449742114644971661319388242922918416973148) - b = monty.into(9732999610386208770202207078338067809442208175202866744722770421649221072959) - c = monty.into(20727574841732554863292016530689298917088494351528827122664593932739308306871) - d = monty.into(3874564711458012378314531860069575778169810677257551585602923961104676288406) - e = monty.into(17935684740199818762028639022893627301715986407063418165523758955792561981414) - f = monty.into(8477107368724046874298374695965950213457400565707569119844627494731679280724) - g = monty.into(8912696930561146201022263645939453588081385625233747724443687991590113109735) - h = monty.into(628165832162375762915573557640725085470303025585612898242872490717337051282) - i = monty.into(1777633336557734562438287626165944169907122686274029270455278654706759272728) - j = monty.into(377476157103636884886539826205985119579850123657565215557418605056063929807) - k = monty.into(3564650365049544497504264806008011348687628776990506738674777591518974019008) - l = monty.into(2847850797826906352579336459817708483258925268188678907210088234083286774036) - - result = exponentiation(a,b,c,d,e,f,g,h,i,j,k,l, 4965661367192848881) - # result = expt(a,b,c,d,e,f,g,h,i,j,k,l) - - for i in result: - print(monty.out_of(i)) - if __name__ == '__main__': main() diff --git a/scripts/frobenius.py b/scripts/frobenius.py index 46db0700..930f39b7 100644 --- a/scripts/frobenius.py +++ b/scripts/frobenius.py 
@@ -198,19 +198,5 @@ def main(): assert(result[10] == fp12_a[10]) assert(result[11] == fp12_a[11]) - p = 21888242871839275222246405745257275088696311157297823662689037894645226208583 - a = frobenius(*fp12_a) - b = fp12.exponentiation(*fp12_a, p) - assert(a == b) - - a = frobenius_square(*fp12_a) - b = fp12.exponentiation(*fp12_a, p ** 2) - assert(a == b) - - a = frobenius_cube(*fp12_a) - b = fp12.exponentiation(*fp12_a, p ** 3) - assert(a == b) - - if __name__ == '__main__': main() From 82930d13b519ee6ae59d98e71c76cad2ee041a6c Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 7 Sep 2023 16:50:15 -0300 Subject: [PATCH 28/31] Delete unused import and old todo --- scripts/frobenius.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/frobenius.py b/scripts/frobenius.py index 930f39b7..2459c080 100644 --- a/scripts/frobenius.py +++ b/scripts/frobenius.py @@ -1,6 +1,5 @@ import fp2 import montgomery as monty -import fp12 def frobenius(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110, a_111, a_120, a_121): t1 = fp2.conjugate(a_000, a_001) @@ -54,7 +53,6 @@ def frobenius_cube(a_000, a_001, a_010, a_011, a_020, a_021, a_100, a_101, a_110 return c0 + c1 # Implement the precomputed constant multiplications for utilizing the Frobenius Operator. -# TODO: Verify the precomputed numbers. # GAMMA_1_i From 10a1fb684ef77f97590e7ef6e44eef8093f06c42 Mon Sep 17 00:00:00 2001 From: IAvecilla Date: Thu, 7 Sep 2023 17:04:15 -0300 Subject: [PATCH 29/31] Improve naming of doubling and addition steps in miller loop --- scripts/alt_bn128_pairing.py | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/scripts/alt_bn128_pairing.py b/scripts/alt_bn128_pairing.py index 3635a300..05ea9cba 100644 --- a/scripts/alt_bn128_pairing.py +++ b/scripts/alt_bn128_pairing.py 
@@ -6,7 +6,7 @@ import g2 import pairing_utils as utils -def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): +def double_step(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): two_inv = monty.inv(monty.TWO) t0 = fp2.mul(Xq0,Xq1,Yq0,Yq1) A = fp2.scalar_mul(*t0, two_inv) @@ -46,7 +46,7 @@ def point_doubling_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Zq0, Zq1): T = Tx + Ty + Tz return l,T -def point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Zt0, Zt1): +def mixed_addition_step(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Zt0, Zt1): temp = fp2.mul(Yq0,Yq1,Zt0,Zt1) O = fp2.sub(Yt0,Yt1,*temp) temp = fp2.mul(Xq0,Xq1,Zt0,Zt1) @@ -61,7 +61,6 @@ def point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Z H = fp2.sub(*H,*temp) temp = fp2.mul(Yt0, Yt1, *E) - # X, Y, Z Tx0, Tx1 = fp2.mul(*L,*H) Ty0, Ty1 = fp2.sub(*G,*H) Ty0, Ty1 = fp2.mul(Ty0,Ty1,*O) @@ -72,7 +71,6 @@ def point_addition_and_line_evaluation(Xq0, Xq1, Yq0, Yq1, Xt0, Xt1, Yt0, Yt1, Z J = fp2.mul(Xq0,Xq1,*O) J = fp2.sub(*J, *temp) - # Line evaluation l0 = L l1 = fp2.neg(*O) l2 = J 
@@ -129,32 +127,32 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp): for i in range(len(utils.S_NAF) - 2, -1, -1): f = fp12.square(*f) - line_eval, double_step = point_doubling_and_line_evaluation(*T) + line_eval, point_double = double_step(*T) aux = list(line_eval) aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) - T = double_step + T = point_double if pairing_utils.S_NAF[i] == -1: minus_Q = g2.neg(*Q) - line_eval, add_step = point_addition_and_line_evaluation(*minus_Q, *T) + line_eval, point_adding = mixed_addition_step(*minus_Q, *T) aux = list(line_eval) aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) line_eval = tuple(aux) f = fp12.mul(*f, *line_eval) - T = add_step + T = point_adding elif pairing_utils.S_NAF[i] == 1: - line_eval, add_step = point_addition_and_line_evaluation(*Q,*T) + line_eval, point_adding = mixed_addition_step(*Q,*T) aux = list(line_eval) aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) - T = add_step + T = point_adding # Q1 <- pi_p(Q) X_q0, X_q1 = fp2.conjugate(Xq0, Xq1) 
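Review bot: The loop header indexes `utils.S_NAF` while both branch conditions read `pairing_utils.S_NAF[i]`; the only import of that module visible in this file's earlier hunk is `import pairing_utils as utils`, so unless `pairing_utils` is also imported by its full name the `-1`/`1` branches raise NameError the first time they run — this rename hunk is the natural place to unify on `utils.S_NAF`. The six-line sequence from `aux = list(line_eval)` to `f = fp12.mul(*f, *line_eval)` is repeated three times here and twice more in the following hunk; extracting it into a helper that performs the two `fp2.scalar_mul` calls and the `fp12.mul` removes the duplication and lets the new `point_double`/`point_adding` names carry the structure. miller_loop begins before and ends after this hunk, so an additional import elsewhere cannot be ruled out; treat the first point as something to verify.

```python
def _accumulate_line(f, line_eval, xp, yp):
    # Scale the sparse line by the G1 coordinates, then fold it into f.
    aux = list(line_eval)
    aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp)
    aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp)
    return fp12.mul(*f, *aux)

# … unchanged: miller_loop signature and setup of f, T and Q …
    for i in range(len(utils.S_NAF) - 2, -1, -1):
        f = fp12.square(*f)
        line_eval, point_double = double_step(*T)
        f = _accumulate_line(f, line_eval, xp, yp)
        T = point_double

        if utils.S_NAF[i] == -1:
            minus_Q = g2.neg(*Q)
            line_eval, point_adding = mixed_addition_step(*minus_Q, *T)
            f = _accumulate_line(f, line_eval, xp, yp)
            T = point_adding
        elif utils.S_NAF[i] == 1:
            line_eval, point_adding = mixed_addition_step(*Q, *T)
            f = _accumulate_line(f, line_eval, xp, yp)
            T = point_adding
# … unchanged: Q1/Q2 Frobenius steps and the two final additions …
```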
@@ -169,21 +167,21 @@ def miller_loop(Xq0, Xq1, Yq0, Yq1, xp, yp): Y_q20, Y_q21 = fp2.neg(Y_q20, Y_q21) Q2 = X_q20, X_q21, Y_q20, Y_q21 - line_eval, add_step = point_addition_and_line_evaluation(*Q1,*T) + line_eval, point_adding = mixed_addition_step(*Q1,*T) aux = list(line_eval) aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) - T = add_step + T = point_adding - line_eval, add_step = point_addition_and_line_evaluation(*Q2,*T) + line_eval, point_adding = mixed_addition_step(*Q2,*T) aux = list(line_eval) aux[0], aux[1] = fp2.scalar_mul(aux[0], aux[1], yp) aux[6], aux[7] = fp2.scalar_mul(aux[6], aux[7], xp) line_eval = tuple(aux) f = fp12.mul(*f,*line_eval) - T = add_step + T = point_adding return f From b8bafb881a180ea3e5463ca927c7e4e2d35be29d Mon Sep 17 00:00:00 2001 From: Joaquin Carletti Date: Fri, 8 Sep 2023 12:24:20 -0300 Subject: [PATCH 30/31] add final exponentiation --- precompiles/Playground.yul | 45 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/precompiles/Playground.yul b/precompiles/Playground.yul index 6d4f9482..d81b048b 100644 --- a/precompiles/Playground.yul +++ b/precompiles/Playground.yul 
@@ -623,6 +623,51 @@ object "Playground" { c100, c101, c110, c111, c120, c121 := fp6Sub(z00, z01, z10, z11, z20, z21, c100, c101, c110, c111, c120, c121) } + function finalExponentiation(a000, a001, a010, a011, a020, a021, a100, a101, a110, a111, a120, a121) -> f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121 { + f000 := a000 + f001 := a001 + f010 := a010 + f011 := a011 + f020 := a020 + f021 := a021 + f100 := a100 + f101 := a101 + f110 := a110 + f111 := a111 + f120 := a120 + f121 := a121 + + let t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Conjugate(f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121) + f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121 := fp12Inv(f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Mul(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121, f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121) + let t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121 := frobeniusSquare(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121 := fp12Mul(t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121, t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp2Expt(f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Conjugate(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := 
cyloctimicSquare(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121 := cyloctimicSquare(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121 := fp12Mul(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121, t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121) + let t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := fp12Expt(t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121) + t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := fp12Conjugate(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121) + let t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121 := fp12Conjugate(t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121) + t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, t1111, t1120, t1121 := fp12Mul(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121) + t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121 := cyloctimicSquare(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121) + let t4000, t4001, t4010, t4011, t4020, t4021, t4100, t4101, t4110, t4111, t4120, t4121 := fp12Expt(t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121) + t4000, t4001, t4010, t4011, t4020, t4021, t4100, t4101, t4110, t4111, t4120, t4121 := fp12Mul(t4000, t4001, t4010, t4011, t4020, t4021, t4100, t4101, t4110, t4111, t4120, t4121, t1000, t1001, t1010, t1011, t1020, t1021, t1100, t1101, t1110, 
t1111, t1120, t1121) + t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121 := fp12Mul(t4000, t4001, t4010, t4011, t4020, t4021, t4100, t4101, t4110, t4111, t4120, t4121, t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Mul(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t4000, t4001, t4010, t4011, t4020, t4021, t4100, t4101, t4110, t4111, t4120, t4121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Mul(t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121, f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121) + t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := frobenius(t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Mul(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := frobeniusSquare(t4000, t4001, t4010, t4011, t4020, t4021, t4100, t4101, t4110, t4111, t4120, t4121) + t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121 := fp12Mul(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := fp12Conjugate(f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121) + t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := fp2Mul(t2000, t2001, t2010, t2011, 
t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t3000, t3001, t3010, t3011, t3020, t3021, t3100, t3101, t3110, t3111, t3120, t3121) + t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121 := frobeniusCube(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121) + f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121 := fp12Mul(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) + } + //////////////////////////////////////////////////////////////// // FALLBACK //////////////////////////////////////////////////////////////// From 6e53ac0bf31399bdf249ab36a599f6757632f475 Mon Sep 17 00:00:00 2001 From: Joaquin Carletti <56092489+ColoCarletti@users.noreply.github.com> Date: Fri, 8 Sep 2023 14:52:39 -0300 Subject: [PATCH 31/31] Update precompiles/Playground.yul Co-authored-by: Ivan Litteri <67517699+ilitteri@users.noreply.github.com> --- precompiles/Playground.yul | 2 -- 1 file changed, 2 deletions(-) diff --git a/precompiles/Playground.yul b/precompiles/Playground.yul index 83f2e70d..7c9a1ca9 100644 --- a/precompiles/Playground.yul +++ b/precompiles/Playground.yul @@ -847,8 +847,6 @@ object "Playground" { f000, f001, f010, f011, f020, f021, f100, f101, f110, f111, f120, f121 := fp12Mul(t2000, t2001, t2010, t2011, t2020, t2021, t2100, t2101, t2110, t2111, t2120, t2121, t0000, t0001, t0010, t0011, t0020, t0021, t0100, t0101, t0110, t0111, t0120, t0121) } - - //////////////////////////////////////////////////////////////// // FALLBACK ////////////////////////////////////////////////////////////////
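Review bot: In the new `finalExponentiation`, the first exponentiation after the easy part is written `fp2Expt(f000, …, f121)` while every later one in the same function is `fp12Expt(…)`, and near the end `fp2Mul(t2000, …, t2121, t3000, …, t3121)` receives 24 arguments where the surrounding code uses `fp12Mul`; both look like copy-paste slips — an Fp2 routine cannot take twelve or twenty-four coordinates — and the compiler should reject them as undeclared identifiers or arity mismatches, so change `fp2Expt(` to `fp12Expt(` and that single `fp2Mul(` to `fp12Mul(`. `cyloctimicSquare` is spelled identically at all three call sites, so it may well match its definition, but the spelling is worth checking since it is presumably meant to read "cyclotomic". The function has no comment on what it computes or which algorithm it follows; the Python version on the same branch cites `Algorithm 6 from https://eprint.iacr.org/2015/192.pdf`, and a header such as `// Final exponentiation of the pairing; port of final_exponentiation in scripts/alt_bn128_pairing.py (Algorithm 6, eprint 2015/192).` would let an auditor line the two up. The later hunk from the follow-up commit only removes blank lines.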