From 3929d198d1ec2ecbd28d371897437d5b4093644e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mamy=20Andr=C3=A9-Ratsimbazafy?=
Date: Mon, 8 Feb 2021 00:29:22 +0100
Subject: [PATCH] Address https://github.com/mratsim/constantine/issues/154 partly
---
 .../tower_instantiation.nim | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/constantine/tower_field_extensions/tower_instantiation.nim b/constantine/tower_field_extensions/tower_instantiation.nim
index cdcbc1a71..bb337d1db 100644
--- a/constantine/tower_field_extensions/tower_instantiation.nim
+++ b/constantine/tower_field_extensions/tower_instantiation.nim
@@ -116,17 +116,24 @@ func prod*(r: var Fp2, a: Fp2, _: type NonResidue) {.inline.} =
 # BLS12_377 and BW6_761, use small addition chain
 r.mul_sparse_by_0y(a, v)
 else:
- # BN254_Snarks, u = 9
- # Full 𝔽p2 multiplication is cheaper than addition chains
- # for u*c0 and u*c1
- static:
- doAssert u >= 0 and uint64(u) <= uint64(high(BaseType))
- doAssert v >= 0 and uint64(v) <= uint64(high(BaseType))
- # TODO: compile-time
- var NR {.noInit.}: Fp2
- NR.c0.fromUint(uint u)
- NR.c1.fromUint(uint v)
- r.prod(a, NR)
+ # BN254_Snarks, u = 9, v = 1, β = -1
+ # Even with u = 9, the 2x9 addition chains (8 additions total)
+ # are cheaper than full Fp2 multiplication
+ var t {.noInit.}: typeof(a.c0)
+
+ t.prod(a.c0, u)
+ when v == 1 and Beta == -1: # Case BN254_Snarks
+ t -= a.c1 # r0 = u c0 + β v c1
+ else:
+ {.error: "Unimplemented".}
+
+ r.c1.prod(a.c1, u)
+ when v == 1: # r1 = v c0 + u c1
+ r.c1 += a.c0
+ # aliasing: a.c0 is unused
+ r.c0 = t
+ else:
+ {.error: "Unimplemented".}

 func `*=`*(a: var Fp2, _: type NonResidue) {.inline.} =
 ## Multiply an element of 𝔽p2 by the non-residue
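Review bot: The in-place case (`r` and `a` being the same object, which the `*=` overload just below presumably relies on) is covered only by the terse `# aliasing: a.c0 is unused` comment in the new `else` branch, and it also depends on `r.c1.prod(a.c1, u)` being correct when output and input alias, which is not visible in this hunk. I would spell the invariant out, e.g. `# aliasing: r may be a; a.c1 is consumed into t before r.c1 is written, and a.c0 is last read before r.c0 = t`, and check `a *= NonResidue` against the out-of-place result in a test. The `static: doAssert` range checks on `u` and `v` were removed together with the old path, so a negative or oversized `u` now depends entirely on what the 𝔽p `prod` with a static integer accepts; that is worth confirming. The compile-time errors would be easier to act on if they named the case, e.g. `{.error: "prod by NonResidue: only v == 1 and Beta == -1 are implemented".}`. The body of `prod` starts above the hunk.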