Merge pull request #465 from Consensys/refactor/bw6761-pairing

Refactor(BW6): use revisited Ate pairing instead of Tate
Consensys · Oct 23, 2023 · 538dff9 · 538dff9
2 parents 7e44877 + 0aaff18
commit 538dff9
Show file tree

Hide file tree

Showing 14 changed files with 362 additions and 551 deletions.
diff --git a/ecc/bw6-633/g1.go b/ecc/bw6-633/g1.go
diff --git a/ecc/bw6-756/g1.go b/ecc/bw6-756/g1.go
diff --git a/ecc/bw6-756/g2.go b/ecc/bw6-756/g2.go
diff --git a/ecc/bw6-756/internal/fptower/e3.go b/ecc/bw6-756/internal/fptower/e3.go
@@ -140,6 +140,34 @@ func (z *E3) MulByElement(x *E3, y *fp.Element) *E3 {
 	return z
 }
 
+// MulBy12 multiplication by sparse element (0,b1,b2)
+func (x *E3) MulBy12(b1, b2 *fp.Element) *E3 {
+	var t1, t2, c0, tmp, c1, c2 fp.Element
+	t1.Mul(&x.A1, b1)
+	t2.Mul(&x.A2, b2)
+	c0.Add(&x.A1, &x.A2)
+	tmp.Add(b1, b2)
+	c0.Mul(&c0, &tmp)
+	c0.Sub(&c0, &t1)
+	c0.Sub(&c0, &t2)
+	c0.MulByNonResidue(&c0)
+	c1.Add(&x.A0, &x.A1)
+	c1.Mul(&c1, b1)
+	c1.Sub(&c1, &t1)
+	tmp.MulByNonResidue(&t2)
+	c1.Add(&c1, &tmp)
+	tmp.Add(&x.A0, &x.A2)
+	c2.Mul(b2, &tmp)
+	c2.Sub(&c2, &t2)
+	c2.Add(&c2, &t1)
+
+	x.A0 = c0
+	x.A1 = c1
+	x.A2 = c2
+
+	return x
+}
+
 // MulBy01 multiplication by sparse element (c0,c1,0)
 func (z *E3) MulBy01(c0, c1 *fp.Element) *E3 {
 

diff --git a/ecc/bw6-756/internal/fptower/e6_pairing.go b/ecc/bw6-756/internal/fptower/e6_pairing.go
@@ -126,65 +126,68 @@ func (z *E6) ExptMinus1Div3(x *E6) *E6 {
 	return z
 }
 
-// MulBy034 multiplication by sparse element (c0,0,0,c3,c4,0)
-func (z *E6) MulBy034(c0, c3, c4 *fp.Element) *E6 {
+// MulBy014 multiplication by sparse element (c0,c1,0,0,c4,0)
+func (z *E6) MulBy014(c0, c1, c4 *fp.Element) *E6 {
 
-	var a, b, d E3
+	var a, b E3
+	var d fp.Element
 
-	a.MulByElement(&z.B0, c0)
+	a.Set(&z.B0)
+	a.MulBy01(c0, c1)
 
 	b.Set(&z.B1)
-	b.MulBy01(c3, c4)
+	b.MulBy1(c4)
+	d.Add(c1, c4)
 
-	c0.Add(c0, c3)
-	d.Add(&z.B0, &z.B1)
-	d.MulBy01(c0, c4)
-
-	z.B1.Add(&a, &b).Neg(&z.B1).Add(&z.B1, &d)
-	z.B0.MulByNonResidue(&b).Add(&z.B0, &a)
+	z.B1.Add(&z.B1, &z.B0)
+	z.B1.MulBy01(c0, &d)
+	z.B1.Sub(&z.B1, &a)
+	z.B1.Sub(&z.B1, &b)
+	z.B0.MulByNonResidue(&b)
+	z.B0.Add(&z.B0, &a)
 
 	return z
 }
 
-// Mul034By034 multiplication of sparse element (c0,0,0,c3,c4,0) by sparse element (d0,0,0,d3,d4,0)
-func Mul034By034(d0, d3, d4, c0, c3, c4 *fp.Element) [5]fp.Element {
-	var z00, tmp, x0, x3, x4, x04, x03, x34 fp.Element
+// Mul014By014 multiplication of sparse element (c0,c1,0,0,c4,0) by sparse element (d0,d1,0,0,d4,0)
+func Mul014By014(d0, d1, d4, c0, c1, c4 *fp.Element) [5]fp.Element {
+	var z00, tmp, x0, x1, x4, x04, x01, x14 fp.Element
 	x0.Mul(c0, d0)
-	x3.Mul(c3, d3)
+	x1.Mul(c1, d1)
 	x4.Mul(c4, d4)
 	tmp.Add(c0, c4)
 	x04.Add(d0, d4).
 		Mul(&x04, &tmp).
 		Sub(&x04, &x0).
 		Sub(&x04, &x4)
-	tmp.Add(c0, c3)
-	x03.Add(d0, d3).
-		Mul(&x03, &tmp).
-		Sub(&x03, &x0).
-		Sub(&x03, &x3)
-	tmp.Add(c3, c4)
-	x34.Add(d3, d4).
-		Mul(&x34, &tmp).
-		Sub(&x34, &x3).
-		Sub(&x34, &x4)
+	tmp.Add(c0, c1)
+	x01.Add(d0, d1).
+		Mul(&x01, &tmp).
+		Sub(&x01, &x0).
+		Sub(&x01, &x1)
+	tmp.Add(c1, c4)
+	x14.Add(d1, d4).
+		Mul(&x14, &tmp).
+		Sub(&x14, &x1).
+		Sub(&x14, &x4)
 
 	z00.MulByNonResidue(&x4).
 		Add(&z00, &x0)
 
-	return [5]fp.Element{z00, x3, x34, x03, x04}
+	return [5]fp.Element{z00, x01, x1, x04, x14}
 }
 
-// MulBy01234 multiplies z by an E12 sparse element of the form (x0, x1, x2, x3, x4, 0)
-func (z *E6) MulBy01234(x *[5]fp.Element) *E6 {
+// MulBy01245 multiplies z by an E12 sparse element of the form (x0, x1, x2, 0, x4, x5)
+func (z *E6) MulBy01245(x *[5]fp.Element) *E6 {
 	var c1, a, b, c, z0, z1 E3
 	c0 := &E3{A0: x[0], A1: x[1], A2: x[2]}
-	c1.A0 = x[3]
-	c1.A1 = x[4]
+	c1.A1 = x[3]
+	c1.A2 = x[4]
 	a.Add(&z.B0, &z.B1)
 	b.Add(c0, &c1)
 	a.Mul(&a, &b)
 	b.Mul(&z.B0, c0)
-	c.Set(&z.B1).MulBy01(&x[3], &x[4])
+	c.Set(&z.B1).MulBy12(&x[3], &x[4])
 	z1.Sub(&a, &b)
 	z1.Sub(&z1, &c)
 	z0.MulByNonResidue(&c)