147 fix alt bn128 254 pairing

include/nil/crypto3/algebra/curves/alt_bn128.hpp

@@ -28,6 +28,7 @@
 #define CRYPTO3_ALGEBRA_CURVES_ALT_BN128_HPP
 
 #include <nil/crypto3/algebra/curves/detail/alt_bn128/types.hpp>
+
 #include <nil/crypto3/algebra/curves/detail/alt_bn128/g1.hpp>
 #include <nil/crypto3/algebra/curves/detail/alt_bn128/g2.hpp>
 

include/nil/crypto3/algebra/curves/detail/alt_bn128/types.hpp

@@ -26,6 +26,8 @@
 #ifndef CRYPTO3_ALGEBRA_CURVES_ALT_BN128_TYPES_HPP
 #define CRYPTO3_ALGEBRA_CURVES_ALT_BN128_TYPES_HPP
 
+#include <cstddef>
+
 #include <nil/crypto3/algebra/fields/alt_bn128/base_field.hpp>
 #include <nil/crypto3/algebra/fields/alt_bn128/scalar_field.hpp>
 
@@ -81,4 +83,4 @@ namespace nil {
     }                // namespace crypto3
 }    // namespace nil
 
-#endif    // CRYPTO3_ALGEBRA_CURVES_ALT_BN128_TYPES_HPP
+#endif    // CRYPTO3_ALGEBRA_CURVES_ALT_BN128_TYPES_HPP

include/nil/crypto3/algebra/fields/alt_bn128/base_field.hpp

@@ -56,10 +56,13 @@ namespace nil {
 
                     constexpr static const integral_type modulus =
                         0x30644E72E131A029B85045B68181585D97816A916871CA8D3C208C16D87CFD47_cppui254;
-
+
+//                    constexpr static const integral_type group_order_minus_one_half =
+//                        (modulus - 1) / 2;
+/*
                     constexpr static const integral_type group_order_minus_one_half =
                         0x183227397098D014DC2822DB40C0AC2ECBC0B548B438E5469E10460B6C3E7EA3_cppui254;
-
+*/
                     typedef typename policy_type::modular_backend modular_backend;
                     constexpr static const modular_params_type modulus_params = modulus;
                     typedef nil::crypto3::multiprecision::number<
@@ -84,7 +87,7 @@ namespace nil {
 
                 constexpr typename alt_bn128_base_field<254>::integral_type const alt_bn128_base_field<254>::modulus;
 
-                constexpr typename alt_bn128_base_field<254>::integral_type const alt_bn128_base_field<254>::group_order_minus_one_half;
+//                constexpr typename alt_bn128_base_field<254>::integral_type const alt_bn128_base_field<254>::group_order_minus_one_half;
 
                 constexpr typename alt_bn128_base_field<254>::modular_params_type const
                     alt_bn128_base_field<254>::modulus_params;

include/nil/crypto3/algebra/fields/detail/element/fp12_2over3over2.hpp

@@ -282,6 +282,49 @@ namespace nil {
                             // return *this;
                         }
 
+                        /** @brief multiply by [ [c0, 0, 0], [c3, c4, 0] ] */
+                        element_fp12_2over3over2
+                            mul_by_034(const typename underlying_type::underlying_type &c0,
+                                       const typename underlying_type::underlying_type &c3,
+                                       const typename underlying_type::underlying_type &c4) const
+                        {
+                            auto a0 = this->data[0].data[0] * c0;
+                            auto a1 = this->data[0].data[1] * c0;
+                            auto a2 = this->data[0].data[2] * c0;
+
+                            auto a = underlying_type(a0,a1,a2);
+                            auto b = this->data[1].mul_by_01(c3, c4);
+
+                            auto _c0 = c0 + c3;
+                            auto e = (this->data[0]+this->data[1]).mul_by_01(_c0, c4);
+                            auto rc1 = e - (a+b);
+                            auto rc0 = mul_by_non_residue(b);
+                            rc0 += a;
+
+                            return element_fp12_2over3over2(rc0, rc1);
+                        }
+
+                        /** @brief multiply by [ [c0, c1, 0], [c3, 0, 0] ] */
+                        element_fp12_2over3over2
+                            mul_by_014(const typename underlying_type::underlying_type &c0,
+                                       const typename underlying_type::underlying_type &c1,
+                                       const typename underlying_type::underlying_type &c4) const
+                        {
+                            auto aa = this->data[0].mul_by_01(c0, c1);
+                            auto bb = this->data[1].mul_by_1(c4);
+                            auto o = c1+c4;
+
+                            auto rc1 = this->data[0]+this->data[1];
+                            rc1 = rc1.mul_by_01(c0, o);
+                            rc1 -= aa;
+                            rc1 -= bb;
+                            auto rc0 = mul_by_non_residue(bb);
+                            rc0 += aa;
+
+                            return element_fp12_2over3over2(rc0, rc1);
+                        }
+
+
                         element_fp12_2over3over2
                             mul_by_045(const typename underlying_type::underlying_type &ell_0,
                                        const typename underlying_type::underlying_type &ell_VW,

include/nil/crypto3/algebra/fields/detail/element/fp6_2over3.hpp

@@ -270,6 +270,11 @@ namespace nil {
                             return underlying_type(non_residue * A.data[2], A.data[0], A.data[1]);
                         }
 
+                        /** @brief Multiply by other, assuming form:
+                         * [ [0,0,a], [b,c,d] ]
+                         * other[0] == 0
+                         * other[1] == 0
+                         */
                         element_fp6_2over3 mul_by_2345(const element_fp6_2over3 &other) const {
                             /* Devegili OhEig Scott Dahab --- Multiplication and Squaring on Pairing-Friendly
                              * Fields.pdf; Section 3 (Karatsuba) */

include/nil/crypto3/algebra/fields/detail/element/fp6_3over2.hpp

@@ -143,18 +143,73 @@ namespace nil {
                             // compute squared root with Tonelli--Shanks
                         }
 
+                        // xz: nu
                         element_fp6_3over2 mul_Fp_b(const element_fp<FieldParams> &B) {
                             return element_fp6_3over2(data[0], data[1].mul_Fp_0(B), data[2]);
                         }
 
+                        // xz: nu
                         element_fp6_3over2 mul_Fp_c(const element_fp<FieldParams> &B) {
                             return element_fp6_3over2(data[0], data[1], data[2].mul_Fp_0(B));
                         }
 
+                        // xz: nu
                         element_fp6_3over2 mulFp6_24_Fp_01(const element_fp<FieldParams> *B) {
                             return element_fp6_3over2(data[0], data[1].mul_Fp_0(B[1]), data[2].mul_Fp_0(B[0]));
                         }
 
+                        /** @brief Assume B in form [ c0:[a,b], c1:[c,d], c2:[0,0] ], i.e. c2 == 0
+                         *  Apply formulae from Devegili et al
+                         *  https://eprint.iacr.org/2006/471.pdf,  section 4
+                         * */
+                        element_fp6_3over2 mul_by_01(underlying_type const& c0, underlying_type const& c1) const
+                        {
+                            auto a_a = this->data[0] * c0;
+                            auto b_b = this->data[1] * c1;
+
+                            auto t1 = c1;
+                            auto tmp = this->data[1] + this->data[2];
+                            t1 *= tmp;
+                            t1 -= b_b;
+                            t1 = mul_by_non_residue(t1) + a_a;
+
+                            auto t3 = c0;
+                            tmp = this->data[0] + this->data[2];
+                            t3 *= tmp;
+                            t3 -= a_a;
+                            t3 += b_b;
+
+                            auto t2 = c0 + c1;
+                            tmp = this->data[0] + this->data[1];
+                            t2 *= tmp;
+                            t2 -= a_a;
+                            t2 -= b_b;
+
+                            return element_fp6_3over2(t1, t2, t3);
+                        }
+
+                        /** @brief Assume B in form [ c0:[0,0], c1:[c,d], c2:[0,0] ], i.e. B.data[0] == B.data[2] == 0
+                         *  Apply formulae from Devegili et al
+                         *  https://eprint.iacr.org/2006/471.pdf,  section 4
+                         * */
+                        element_fp6_3over2 mul_by_1(underlying_type const& c1) const {
+                            auto b_b = this->data[1].squared();
+
+                            auto t1 = c1;
+                            auto tmp = this->data[1] + this->data[2];
+                            t1 *= tmp;
+                            t1 -= b_b;
+                            t1 = mul_by_non_residue(t1);
+
+                            auto t2 = c1;
+                            tmp = this->data[0] + this->data[1];
+                            t2 *= tmp;
+                            t2 -= b_b;
+
+                            return element_fp6_3over2(t1, t2, b_b);
+                        }
+
+
                         constexpr element_fp6_3over2 squared() const {
                             return (*this) * (*this);    // maybe can be done more effective
                         }

include/nil/crypto3/algebra/pairing/alt_bn128.hpp

@@ -29,11 +29,11 @@
 #include <nil/crypto3/algebra/curves/babyjubjub.hpp>
 #include <nil/crypto3/algebra/curves/alt_bn128.hpp>
 #include <nil/crypto3/algebra/pairing/detail/alt_bn128/params.hpp>
-#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_double_miller_loop.hpp>
-#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_miller_loop.hpp>
-#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_precompute_g1.hpp>
-#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_precompute_g2.hpp>
-#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/final_exponentiation.hpp>
+#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0_sbit/ate_double_miller_loop.hpp>
+#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0_sbit/ate_miller_loop.hpp>
+#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0_sbit/ate_precompute_g1.hpp>
+#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0_sbit/ate_precompute_g2.hpp>
+#include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0_sbit/final_exponentiation.hpp>
 #include <nil/crypto3/algebra/pairing/pairing_policy.hpp>
 
 namespace nil {
@@ -47,16 +47,17 @@ namespace nil {
 
                     using chained_curve_type = curves::babyjubjub;
 
-                    using precompute_g1 = pairing::short_weierstrass_jacobian_with_a4_0_ate_precompute_g1<curve_type>;
-                    using precompute_g2 = pairing::short_weierstrass_jacobian_with_a4_0_ate_precompute_g2<curve_type>;
-                    using miller_loop = pairing::short_weierstrass_jacobian_with_a4_0_ate_miller_loop<curve_type>;
+                    using precompute_g1 = pairing::short_weierstrass_jacobian_with_a4_0_sbit_ate_precompute_g1<curve_type>;
+                    using precompute_g2 = pairing::short_weierstrass_jacobian_with_a4_0_sbit_ate_precompute_g2<curve_type>;
+                    using miller_loop = pairing::short_weierstrass_jacobian_with_a4_0_sbit_ate_miller_loop<curve_type>;
                     using double_miller_loop =
-                        pairing::short_weierstrass_jacobian_with_a4_0_ate_double_miller_loop<curve_type>;
+                        pairing::short_weierstrass_jacobian_with_a4_0_sbit_ate_double_miller_loop<curve_type>;
                     using final_exponentiation =
-                        pairing::short_weierstrass_jacobian_with_a4_0_final_exponentiation<curve_type>;
+                        pairing::short_weierstrass_jacobian_with_a4_0_sbit_final_exponentiation<curve_type>;
 
                     using g1_precomputed_type = typename precompute_g1::g1_precomputed_type;
                     using g2_precomputed_type = typename precompute_g2::g2_precomputed_type;
+
                 };
 
             }    // namespace pairing

include/nil/crypto3/algebra/pairing/bls12.hpp

@@ -29,6 +29,7 @@
 #include <nil/crypto3/algebra/curves/jubjub.hpp>
 #include <nil/crypto3/algebra/curves/bls12.hpp>
 #include <nil/crypto3/algebra/pairing/detail/bls12/381/params.hpp>
+#include <nil/crypto3/algebra/pairing/detail/bls12/377/params.hpp>
 #include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_double_miller_loop.hpp>
 #include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_miller_loop.hpp>
 #include <nil/crypto3/algebra/pairing/forms/short_weierstrass/jacobian_with_a4_0/ate_precompute_g1.hpp>
@@ -59,6 +60,24 @@ namespace nil {
                     using g2_precomputed_type = typename precompute_g2::g2_precomputed_type;
                 };
 
+                template<>
+                struct pairing_policy<curves::bls12<377>> {
+                    using curve_type = curves::bls12<377>;
+
+                    using chained_curve_type = curves::jubjub;
+
+                    using precompute_g1 = pairing::short_weierstrass_jacobian_with_a4_0_ate_precompute_g1<curve_type>;
+                    using precompute_g2 = pairing::short_weierstrass_jacobian_with_a4_0_ate_precompute_g2<curve_type>;
+                    using miller_loop = pairing::short_weierstrass_jacobian_with_a4_0_ate_miller_loop<curve_type>;
+                    using double_miller_loop =
+                        pairing::short_weierstrass_jacobian_with_a4_0_ate_double_miller_loop<curve_type>;
+                    using final_exponentiation =
+                        pairing::short_weierstrass_jacobian_with_a4_0_final_exponentiation<curve_type>;
+
+                    using g1_precomputed_type = typename precompute_g1::g1_precomputed_type;
+                    using g2_precomputed_type = typename precompute_g2::g2_precomputed_type;
+                };
+
             }    // namespace pairing
         }        // namespace algebra
     }            // namespace crypto3