Wire Sysio Wire Sysion 1.0.0
Loading...
Searching...
No Matches
mnt6_g1.cpp
Go to the documentation of this file.
1
14#include <libff/algebra/curves/mnt/mnt6/mnt6_g1.hpp>
15
16namespace libff {
17
18#ifdef PROFILE_OP_COUNTS
19long long mnt6_G1::add_cnt = 0;
20long long mnt6_G1::dbl_cnt = 0;
21#endif
22
23std::vector<size_t> mnt6_G1::wnaf_window_table;
24std::vector<size_t> mnt6_G1::fixed_base_exp_window_table;
25mnt6_G1 mnt6_G1::G1_zero = {};
26mnt6_G1 mnt6_G1::G1_one = {};
27bool mnt6_G1::initialized = false;
28mnt6_Fq mnt6_G1::coeff_a;
29mnt6_Fq mnt6_G1::coeff_b;
30
31mnt6_G1::mnt6_G1()
32{
33 if (mnt6_G1::initialized)
34 {
35 this->X = G1_zero.X;
36 this->Y = G1_zero.Y;
37 this->Z = G1_zero.Z;
38 }
39}
40
41void mnt6_G1::print() const
42{
43 if (this->is_zero())
44 {
45 printf("O\n");
46 }
47 else
48 {
49 mnt6_G1 copy(*this);
50 copy.to_affine_coordinates();
51 gmp_printf("(%Nd , %Nd)\n",
52 copy.X.as_bigint().data, mnt6_Fq::num_limbs,
53 copy.Y.as_bigint().data, mnt6_Fq::num_limbs);
54 }
55}
56
57void mnt6_G1::print_coordinates() const
58{
59 if (this->is_zero())
60 {
61 printf("O\n");
62 }
63 else
64 {
65 gmp_printf("(%Nd : %Nd : %Nd)\n",
66 this->X.as_bigint().data, mnt6_Fq::num_limbs,
67 this->Y.as_bigint().data, mnt6_Fq::num_limbs,
68 this->Z.as_bigint().data, mnt6_Fq::num_limbs);
69 }
70}
71
72void mnt6_G1::to_affine_coordinates()
73{
74 if (this->is_zero())
75 {
76 this->X = mnt6_Fq::zero();
77 this->Y = mnt6_Fq::one();
78 this->Z = mnt6_Fq::zero();
79 }
80 else
81 {
82 const mnt6_Fq Z_inv = Z.inverse();
83 this->X = this->X * Z_inv;
84 this->Y = this->Y * Z_inv;
85 this->Z = mnt6_Fq::one();
86 }
87}
88
89void mnt6_G1::to_special()
90{
91 this->to_affine_coordinates();
92}
93
94bool mnt6_G1::is_special() const
95{
96 return (this->is_zero() || this->Z == mnt6_Fq::one());
97}
98
99bool mnt6_G1::is_zero() const
100{
101 return (this->X.is_zero() && this->Z.is_zero());
102}
103
104bool mnt6_G1::operator==(const mnt6_G1 &other) const
105{
106 if (this->is_zero())
107 {
108 return other.is_zero();
109 }
110
111 if (other.is_zero())
112 {
113 return false;
114 }
115
116 /* now neither is O */
117
118 // X1/Z1 = X2/Z2 <=> X1*Z2 = X2*Z1
119 if ((this->X * other.Z) != (other.X * this->Z))
120 {
121 return false;
122 }
123
124 // Y1/Z1 = Y2/Z2 <=> Y1*Z2 = Y2*Z1
125 if ((this->Y * other.Z) != (other.Y * this->Z))
126 {
127 return false;
128 }
129
130 return true;
131}
132
133bool mnt6_G1::operator!=(const mnt6_G1& other) const
134{
135 return !(operator==(other));
136}
137
138mnt6_G1 mnt6_G1::operator+(const mnt6_G1 &other) const
139{
140 // handle special cases having to do with O
141 if (this->is_zero())
142 {
143 return other;
144 }
145
146 if (other.is_zero())
147 {
148 return *this;
149 }
150
151 // no need to handle points of order 2,4
152 // (they cannot exist in a prime-order subgroup)
153
154 // handle double case, and then all the rest
155 /*
156 The code below is equivalent to (but faster than) the snippet below:
157
158 if (this->operator==(other))
159 {
160 return this->dbl();
161 }
162 else
163 {
164 return this->add(other);
165 }
166 */
167
168 const mnt6_Fq X1Z2 = (this->X) * (other.Z); // X1Z2 = X1*Z2
169 const mnt6_Fq X2Z1 = (this->Z) * (other.X); // X2Z1 = X2*Z1
170
171 // (used both in add and double checks)
172
173 const mnt6_Fq Y1Z2 = (this->Y) * (other.Z); // Y1Z2 = Y1*Z2
174 const mnt6_Fq Y2Z1 = (this->Z) * (other.Y); // Y2Z1 = Y2*Z1
175
176 if (X1Z2 == X2Z1 && Y1Z2 == Y2Z1)
177 {
178 // perform dbl case
179 const mnt6_Fq XX = (this->X).squared(); // XX = X1^2
180 const mnt6_Fq ZZ = (this->Z).squared(); // ZZ = Z1^2
181 const mnt6_Fq w = mnt6_G1::coeff_a * ZZ + (XX + XX + XX); // w = a*ZZ + 3*XX
182 const mnt6_Fq Y1Z1 = (this->Y) * (this->Z);
183 const mnt6_Fq s = Y1Z1 + Y1Z1; // s = 2*Y1*Z1
184 const mnt6_Fq ss = s.squared(); // ss = s^2
185 const mnt6_Fq sss = s * ss; // sss = s*ss
186 const mnt6_Fq R = (this->Y) * s; // R = Y1*s
187 const mnt6_Fq RR = R.squared(); // RR = R^2
188 const mnt6_Fq B = ((this->X)+R).squared()-XX-RR; // B = (X1+R)^2 - XX - RR
189 const mnt6_Fq h = w.squared() - (B+B); // h = w^2 - 2*B
190 const mnt6_Fq X3 = h * s; // X3 = h*s
191 const mnt6_Fq Y3 = w * (B-h)-(RR+RR); // Y3 = w*(B-h) - 2*RR
192 const mnt6_Fq Z3 = sss; // Z3 = sss
193
194 return mnt6_G1(X3, Y3, Z3);
195 }
196
197 // if we have arrived here we are in the add case
198 const mnt6_Fq Z1Z2 = (this->Z) * (other.Z); // Z1Z2 = Z1*Z2
199 const mnt6_Fq u = Y2Z1 - Y1Z2; // u = Y2*Z1-Y1Z2
200 const mnt6_Fq uu = u.squared(); // uu = u^2
201 const mnt6_Fq v = X2Z1 - X1Z2; // v = X2*Z1-X1Z2
202 const mnt6_Fq vv = v.squared(); // vv = v^2
203 const mnt6_Fq vvv = v * vv; // vvv = v*vv
204 const mnt6_Fq R = vv * X1Z2; // R = vv*X1Z2
205 const mnt6_Fq A = uu * Z1Z2 - (vvv + R + R); // A = uu*Z1Z2 - vvv - 2*R
206 const mnt6_Fq X3 = v * A; // X3 = v*A
207 const mnt6_Fq Y3 = u * (R-A) - vvv * Y1Z2; // Y3 = u*(R-A) - vvv*Y1Z2
208 const mnt6_Fq Z3 = vvv * Z1Z2; // Z3 = vvv*Z1Z2
209
210 return mnt6_G1(X3, Y3, Z3);
211}
212
213mnt6_G1 mnt6_G1::operator-() const
214{
215 return mnt6_G1(this->X, -(this->Y), this->Z);
216}
217
218
219mnt6_G1 mnt6_G1::operator-(const mnt6_G1 &other) const
220{
221 return (*this) + (-other);
222}
223
224mnt6_G1 mnt6_G1::add(const mnt6_G1 &other) const
225{
226 // handle special cases having to do with O
227 if (this->is_zero())
228 {
229 return other;
230 }
231
232 if (other.is_zero())
233 {
234 return (*this);
235 }
236
237 // no need to handle points of order 2,4
238 // (they cannot exist in a prime-order subgroup)
239
240 // handle double case
241 if (this->operator==(other))
242 {
243 return this->dbl();
244 }
245
246#ifdef PROFILE_OP_COUNTS
247 this->add_cnt++;
248#endif
249 // NOTE: does not handle O and pts of order 2,4
250 // http://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective.html#addition-add-1998-cmo-2
251
252 const mnt6_Fq Y1Z2 = (this->Y) * (other.Z); // Y1Z2 = Y1*Z2
253 const mnt6_Fq X1Z2 = (this->X) * (other.Z); // X1Z2 = X1*Z2
254 const mnt6_Fq Z1Z2 = (this->Z) * (other.Z); // Z1Z2 = Z1*Z2
255 const mnt6_Fq u = (other.Y) * (this->Z) - Y1Z2; // u = Y2*Z1-Y1Z2
256 const mnt6_Fq uu = u.squared(); // uu = u^2
257 const mnt6_Fq v = (other.X) * (this->Z) - X1Z2; // v = X2*Z1-X1Z2
258 const mnt6_Fq vv = v.squared(); // vv = v^2
259 const mnt6_Fq vvv = v * vv; // vvv = v*vv
260 const mnt6_Fq R = vv * X1Z2; // R = vv*X1Z2
261 const mnt6_Fq A = uu * Z1Z2 - (vvv + R + R); // A = uu*Z1Z2 - vvv - 2*R
262 const mnt6_Fq X3 = v * A; // X3 = v*A
263 const mnt6_Fq Y3 = u * (R-A) - vvv * Y1Z2; // Y3 = u*(R-A) - vvv*Y1Z2
264 const mnt6_Fq Z3 = vvv * Z1Z2; // Z3 = vvv*Z1Z2
265
266 return mnt6_G1(X3, Y3, Z3);
267}
268
269mnt6_G1 mnt6_G1::mixed_add(const mnt6_G1 &other) const
270{
271#ifdef PROFILE_OP_COUNTS
272 this->add_cnt++;
273#endif
274 // NOTE: does not handle O and pts of order 2,4
275 // http://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective.html#addition-add-1998-cmo-2
276 //assert(other.Z == mnt6_Fq::one());
277
278 if (this->is_zero())
279 {
280 return other;
281 }
282
283 if (other.is_zero())
284 {
285 return (*this);
286 }
287
288#ifdef DEBUG
289 assert(other.is_special());
290#endif
291
292 const mnt6_Fq &X1Z2 = (this->X); // X1Z2 = X1*Z2 (but other is special and not zero)
293 const mnt6_Fq X2Z1 = (this->Z) * (other.X); // X2Z1 = X2*Z1
294
295 // (used both in add and double checks)
296
297 const mnt6_Fq &Y1Z2 = (this->Y); // Y1Z2 = Y1*Z2 (but other is special and not zero)
298 const mnt6_Fq Y2Z1 = (this->Z) * (other.Y); // Y2Z1 = Y2*Z1
299
300 if (X1Z2 == X2Z1 && Y1Z2 == Y2Z1)
301 {
302 return this->dbl();
303 }
304
305 mnt6_Fq u = Y2Z1 - this->Y; // u = Y2*Z1-Y1
306 mnt6_Fq uu = u.squared(); // uu = u2
307 mnt6_Fq v = X2Z1 - this->X; // v = X2*Z1-X1
308 mnt6_Fq vv = v.squared(); // vv = v2
309 mnt6_Fq vvv = v*vv; // vvv = v*vv
310 mnt6_Fq R = vv * this->X; // R = vv*X1
311 mnt6_Fq A = uu * this->Z - vvv - R - R; // A = uu*Z1-vvv-2*R
312 mnt6_Fq X3 = v * A; // X3 = v*A
313 mnt6_Fq Y3 = u*(R-A) - vvv * this->Y; // Y3 = u*(R-A)-vvv*Y1
314 mnt6_Fq Z3 = vvv * this->Z; // Z3 = vvv*Z1
315
316 return mnt6_G1(X3, Y3, Z3);
317}
318
319mnt6_G1 mnt6_G1::dbl() const
320{
321#ifdef PROFILE_OP_COUNTS
322 this->dbl_cnt++;
323#endif
324 if (this->is_zero())
325 {
326 return (*this);
327 }
328 else
329 {
330 // NOTE: does not handle O and pts of order 2,4
331 // http://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective.html#doubling-dbl-2007-bl
332
333 const mnt6_Fq XX = (this->X).squared(); // XX = X1^2
334 const mnt6_Fq ZZ = (this->Z).squared(); // ZZ = Z1^2
335 const mnt6_Fq w = mnt6_G1::coeff_a * ZZ + (XX + XX + XX); // w = a*ZZ + 3*XX
336 const mnt6_Fq Y1Z1 = (this->Y) * (this->Z);
337 const mnt6_Fq s = Y1Z1 + Y1Z1; // s = 2*Y1*Z1
338 const mnt6_Fq ss = s.squared(); // ss = s^2
339 const mnt6_Fq sss = s * ss; // sss = s*ss
340 const mnt6_Fq R = (this->Y) * s; // R = Y1*s
341 const mnt6_Fq RR = R.squared(); // RR = R^2
342 const mnt6_Fq B = ((this->X)+R).squared()-XX-RR; // B = (X1+R)^2 - XX - RR
343 const mnt6_Fq h = w.squared() - (B+B); // h = w^2 - 2*B
344 const mnt6_Fq X3 = h * s; // X3 = h*s
345 const mnt6_Fq Y3 = w * (B-h)-(RR+RR); // Y3 = w*(B-h) - 2*RR
346 const mnt6_Fq Z3 = sss; // Z3 = sss
347
348 return mnt6_G1(X3, Y3, Z3);
349 }
350}
351
352bool mnt6_G1::is_well_formed() const
353{
354 if (this->is_zero())
355 {
356 return true;
357 }
358 else
359 {
360 /*
361 y^2 = x^3 + ax + b
362
363 We are using projective, so equation we need to check is actually
364
365 (y/z)^2 = (x/z)^3 + a (x/z) + b
366 z y^2 = x^3 + a z^2 x + b z^3
367
368 z (y^2 - b z^2) = x ( x^2 + a z^2)
369 */
370 const mnt6_Fq X2 = this->X.squared();
371 const mnt6_Fq Y2 = this->Y.squared();
372 const mnt6_Fq Z2 = this->Z.squared();
373
374 return (this->Z * (Y2 - mnt6_G1::coeff_b * Z2) == this->X * (X2 + mnt6_G1::coeff_a * Z2));
375 }
376}
377
378mnt6_G1 mnt6_G1::zero()
379{
380 return G1_zero;
381}
382
383mnt6_G1 mnt6_G1::one()
384{
385 return G1_one;
386}
387
388mnt6_G1 mnt6_G1::random_element()
389{
390 return (scalar_field::random_element().as_bigint()) * G1_one;
391}
392
393std::ostream& operator<<(std::ostream &out, const mnt6_G1 &g)
394{
395 mnt6_G1 copy(g);
396 copy.to_affine_coordinates();
397
398 out << (copy.is_zero() ? 1 : 0) << OUTPUT_SEPARATOR;
399#ifdef NO_PT_COMPRESSION
400 out << copy.X << OUTPUT_SEPARATOR << copy.Y;
401#else
402 /* storing LSB of Y */
403 out << copy.X << OUTPUT_SEPARATOR << (copy.Y.as_bigint().data[0] & 1);
404#endif
405
406 return out;
407}
408
409std::istream& operator>>(std::istream &in, mnt6_G1 &g)
410{
411 char is_zero;
412 mnt6_Fq tX, tY;
413
414#ifdef NO_PT_COMPRESSION
415 in >> is_zero >> tX >> tY;
416 is_zero -= '0';
417#else
418 in.read((char*)&is_zero, 1); // this reads is_zero;
419 is_zero -= '0';
420 consume_OUTPUT_SEPARATOR(in);
421
422 unsigned char Y_lsb;
423 in >> tX;
424 consume_OUTPUT_SEPARATOR(in);
425 in.read((char*)&Y_lsb, 1);
426 Y_lsb -= '0';
427
428 // y = +/- sqrt(x^3 + a*x + b)
429 if (!is_zero)
430 {
431 mnt6_Fq tX2 = tX.squared();
432 mnt6_Fq tY2 = (tX2 + mnt6_G1::coeff_a) * tX + mnt6_G1::coeff_b;
433 tY = tY2.sqrt();
434
435 if ((tY.as_bigint().data[0] & 1) != Y_lsb)
436 {
437 tY = -tY;
438 }
439 }
440#endif
441 // using projective coordinates
442 if (!is_zero)
443 {
444 g.X = tX;
445 g.Y = tY;
446 g.Z = mnt6_Fq::one();
447 }
448 else
449 {
450 g = mnt6_G1::zero();
451 }
452
453 return in;
454}
455
456std::ostream& operator<<(std::ostream& out, const std::vector<mnt6_G1> &v)
457{
458 out << v.size() << "\n";
459 for (const mnt6_G1& t : v)
460 {
461 out << t << OUTPUT_NEWLINE;
462 }
463
464 return out;
465}
466
467std::istream& operator>>(std::istream& in, std::vector<mnt6_G1> &v)
468{
469 v.clear();
470
471 size_t s;
472 in >> s;
473 consume_newline(in);
474
475 v.reserve(s);
476
477 for (size_t i = 0; i < s; ++i)
478 {
479 mnt6_G1 g;
480 in >> g;
481 consume_OUTPUT_NEWLINE(in);
482 v.emplace_back(g);
483 }
484
485 return in;
486}
487
488void mnt6_G1::batch_to_special_all_non_zeros(std::vector<mnt6_G1> &vec)
489{
490 std::vector<mnt6_Fq> Z_vec;
491 Z_vec.reserve(vec.size());
492
493 for (auto &el: vec)
494 {
495 Z_vec.emplace_back(el.Z);
496 }
497 batch_invert<mnt6_Fq>(Z_vec);
498
499 const mnt6_Fq one = mnt6_Fq::one();
500
501 for (size_t i = 0; i < vec.size(); ++i)
502 {
503 vec[i] = mnt6_G1(vec[i].X * Z_vec[i], vec[i].Y * Z_vec[i], one);
504 }
505}
506
507} // libff
libff::Fp_model< mnt6_q_limbs, mnt6_modulus_q >
libff::Fp_model< mnt6_q_limbs, mnt6_modulus_q >::zero
static Fp_model< n, modulus > zero()
libff::Fp_model< mnt6_q_limbs, mnt6_modulus_q >::one
static Fp_model< n, modulus > one()
libff::Fp_model::sqrt
Fp_model sqrt() const
libff::Fp_model< mnt6_q_limbs, mnt6_modulus_q >::num_limbs
static const mp_size_t num_limbs
Definition fp.hpp:44
libff::Fp_model::squared
Fp_model squared() const
libff::Fp_model::inverse
Fp_model inverse() const
libff::Fp_model::as_bigint
bigint< n > as_bigint() const
libff::Fp_model::random_element
static Fp_model< n, modulus > random_element()
libff::mnt6_G1
Definition mnt6_g1.hpp:26
libff::mnt6_G1::print
void print() const
Definition mnt6_g1.cpp:41
libff::mnt6_G1::Z
mnt6_Fq Z
Definition mnt6_g1.hpp:43
libff::mnt6_G1::fixed_base_exp_window_table
static std::vector< size_t > fixed_base_exp_window_table
Definition mnt6_g1.hpp:33
libff::mnt6_G1::coeff_a
static mnt6_Fq coeff_a
Definition mnt6_g1.hpp:37
libff::mnt6_G1::random_element
static mnt6_G1 random_element()
Definition mnt6_g1.cpp:388
libff::mnt6_G1::is_special
bool is_special() const
Definition mnt6_g1.cpp:94
libff::mnt6_G1::add
mnt6_G1 add(const mnt6_G1 &other) const
Definition mnt6_g1.cpp:224
libff::mnt6_G1::operator+
mnt6_G1 operator+(const mnt6_G1 &other) const
Definition mnt6_g1.cpp:138
libff::mnt6_G1::dbl
mnt6_G1 dbl() const
Definition mnt6_g1.cpp:319
libff::mnt6_G1::is_well_formed
bool is_well_formed() const
Definition mnt6_g1.cpp:352
libff::mnt6_G1::coeff_b
static mnt6_Fq coeff_b
Definition mnt6_g1.hpp:38
libff::mnt6_G1::initialized
static bool initialized
Definition mnt6_g1.hpp:36
libff::mnt6_G1::is_zero
bool is_zero() const
Definition mnt6_g1.cpp:99
libff::mnt6_G1::G1_zero
static mnt6_G1 G1_zero
Definition mnt6_g1.hpp:34
libff::mnt6_G1::X
mnt6_Fq X
Definition mnt6_g1.hpp:43
libff::mnt6_G1::operator==
bool operator==(const mnt6_G1 &other) const
Definition mnt6_g1.cpp:104
libff::mnt6_G1::operator!=
bool operator!=(const mnt6_G1 &other) const
Definition mnt6_g1.cpp:133
libff::mnt6_G1::one
static mnt6_G1 one()
Definition mnt6_g1.cpp:383
libff::mnt6_G1::to_affine_coordinates
void to_affine_coordinates()
Definition mnt6_g1.cpp:72
libff::mnt6_G1::mnt6_G1
mnt6_G1()
Definition mnt6_g1.cpp:31
libff::mnt6_G1::G1_one
static mnt6_G1 G1_one
Definition mnt6_g1.hpp:35
libff::mnt6_G1::print_coordinates
void print_coordinates() const
Definition mnt6_g1.cpp:57
libff::mnt6_G1::operator-
mnt6_G1 operator-() const
Definition mnt6_g1.cpp:213
libff::mnt6_G1::mixed_add
mnt6_G1 mixed_add(const mnt6_G1 &other) const
Definition mnt6_g1.cpp:269
libff::mnt6_G1::zero
static mnt6_G1 zero()
Definition mnt6_g1.cpp:378
libff::mnt6_G1::batch_to_special_all_non_zeros
static void batch_to_special_all_non_zeros(std::vector< mnt6_G1 > &vec)
Definition mnt6_g1.cpp:488
libff::mnt6_G1::Y
mnt6_Fq Y
Definition mnt6_g1.hpp:43
libff::mnt6_G1::wnaf_window_table
static std::vector< size_t > wnaf_window_table
Definition mnt6_g1.hpp:32
libff::mnt6_G1::to_special
void to_special()
Definition mnt6_g1.cpp:89
OUTPUT_NEWLINE
#define OUTPUT_NEWLINE
Definition serialization.hpp:67
OUTPUT_SEPARATOR
#define OUTPUT_SEPARATOR
Definition serialization.hpp:68
mnt6_g1.hpp
libff::consume_OUTPUT_NEWLINE
void consume_OUTPUT_NEWLINE(std::istream &in)
libff::operator>>
std::istream & operator>>(std::istream &in, alt_bn128_G1 &g)
Definition alt_bn128_g1.cpp:424
libff::consume_OUTPUT_SEPARATOR
void consume_OUTPUT_SEPARATOR(std::istream &in)
libff::operator<<
std::ostream & operator<<(std::ostream &out, const alt_bn128_G1 &g)
Definition alt_bn128_g1.cpp:408
libff::mnt6_Fq
Fp_model< mnt6_q_limbs, mnt6_modulus_q > mnt6_Fq
Definition mnt6_init.hpp:36
libff::consume_newline
void consume_newline(std::istream &in)
libff::batch_invert
void batch_invert(std::vector< FieldT > &vec)
XT
Definition lib.h:43
R
#define R
A
#define A
s
char * s
Definition yubihsm_pkcs11.c:524