Merge pull request #466 from Consensys/kzg/srs

Perf: KZG with fixed-argument pairing in affine coordinates
Consensys · Nov 15, 2023 · 0d49504 · 0d49504
2 parents ef56c84 + 3abc810
commit 0d49504
Show file tree

Hide file tree

Showing 89 changed files with 20,539 additions and 499 deletions.
diff --git a/ecc/bls12-377/bls12-377.go b/ecc/bls12-377/bls12-377.go
@@ -62,7 +62,7 @@ var g1Infinity G1Jac
 var g2Infinity G2Jac
 
 // optimal Ate loop counter
-var loopCounter [64]int8
+var LoopCounter [64]int8
 
 // Parameters useful for the GLV scalar multiplication. The third roots define the
 // endomorphisms ϕ₁ and ϕ₂ for <G1Affine> and <G2Affine>. lambda is such that <r, ϕ-λ> lies above
@@ -134,7 +134,7 @@ func init() {
 	endo.v.A0.SetString("216465761340224619389371505802605247630151569547285782856803747159100223055385581585702401816380679166954762214499")
 
 	// binary decomposition of x₀ little endian
-	loopCounter = [64]int8{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1}
+	LoopCounter = [64]int8{1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1}
 
 	// x₀
 	xGen.SetString("9586122913090633729", 10)

diff --git a/ecc/bls12-377/g1.go b/ecc/bls12-377/g1.go
diff --git a/ecc/bls12-377/g2.go b/ecc/bls12-377/g2.go
diff --git a/ecc/bls12-377/internal/fptower/e12_pairing.go b/ecc/bls12-377/internal/fptower/e12_pairing.go
@@ -52,9 +52,31 @@ func (z *E12) MulBy034(c0, c3, c4 *E2) *E12 {
 	b.Set(&z.C1)
 	b.MulBy01(c3, c4)
 
-	c0.Add(c0, c3)
+	var d0 E2
+	d0.Add(c0, c3)
 	d.Add(&z.C0, &z.C1)
-	d.MulBy01(c0, c4)
+	d.MulBy01(&d0, c4)
+
+	z.C1.Add(&a, &b).Neg(&z.C1).Add(&z.C1, &d)
+	z.C0.MulByNonResidue(&b).Add(&z.C0, &a)
+
+	return z
+}
+
+// MulBy34 multiplication by sparse element (1,0,0,c3,c4,0)
+func (z *E12) MulBy34(c3, c4 *E2) *E12 {
+
+	var a, b, d E6
+
+	a.Set(&z.C0)
+
+	b.Set(&z.C1)
+	b.MulBy01(c3, c4)
+
+	var d0 E2
+	d0.SetOne().Add(&d0, c3)
+	d.Add(&z.C0, &z.C1)
+	d.MulBy01(&d0, c4)
 
 	z.C1.Add(&a, &b).Neg(&z.C1).Add(&z.C1, &d)
 	z.C0.MulByNonResidue(&b).Add(&z.C0, &a)
@@ -90,6 +112,26 @@ func Mul034By034(d0, d3, d4, c0, c3, c4 *E2) [5]E2 {
 	return [5]E2{z00, x3, x34, x03, x04}
 }
 
+// Mul34By34 multiplication of sparse element (1,0,0,c3,c4,0) by sparse element (1,0,0,d3,d4,0)
+func Mul34By34(d3, d4, c3, c4 *E2) [5]E2 {
+	var z00, tmp, x0, x3, x4, x04, x03, x34 E2
+	x3.Mul(c3, d3)
+	x4.Mul(c4, d4)
+	x04.Add(c4, d4)
+	x03.Add(c3, d3)
+	tmp.Add(c3, c4)
+	x34.Add(d3, d4).
+		Mul(&x34, &tmp).
+		Sub(&x34, &x3).
+		Sub(&x34, &x4)
+
+	x0.SetOne()
+	z00.MulByNonResidue(&x4).
+		Add(&z00, &x0)
+
+	return [5]E2{z00, x3, x34, x03, x04}
+}
+
 // MulBy01234 multiplies z by an E12 sparse element of the form (x0, x1, x2, x3, x4, 0)
 func (z *E12) MulBy01234(x *[5]E2) *E12 {
 	var c1, a, b, c, z0, z1 E6

diff --git a/ecc/bls12-377/kzg/kzg.go b/ecc/bls12-377/kzg/kzg.go
diff --git a/ecc/bls12-377/kzg/kzg_test.go b/ecc/bls12-377/kzg/kzg_test.go