private static Precomputed FlippedMillerLoopDoubling(BN128G2 g2)
{
Fp2 x = g2.x, y = g2.y, z = g2.z;
Fp2 a = Fp._2_INV.Mul(x.Mul(y)); // a = x * y / 2
Fp2 b = y.Squared(); // b = y^2
Fp2 c = z.Squared(); // c = z^2
Fp2 d = c.Add(c).Add(c); // d = 3 * c
Fp2 e = Parameters.B_Fp2.Mul(d); // e = twist_b * d
Fp2 f = e.Add(e).Add(e); // f = 3 * e
Fp2 g = Fp._2_INV.Mul(b.Add(f)); // g = (b + f) / 2
Fp2 h = y.Add(z).Squared().Sub(b.Add(c)); // h = (y + z)^2 - (b + c)
Fp2 i = e.Sub(b); // i = e - b
Fp2 j = x.Squared(); // j = x^2
Fp2 e2 = e.Squared(); // e2 = e^2
Fp2 rx = a.Mul(b.Sub(f)); // rx = a * (b - f)
Fp2 ry = g.Squared().Sub(e2.Add(e2).Add(e2)); // ry = g^2 - 3 * e^2
Fp2 rz = b.Mul(h); // rz = b * h
Fp2 ell0 = Parameters.TWIST.Mul(i); // ell_0 = twist * i
Fp2 ellVW = h.Negate(); // ell_VW = -h
Fp2 ellVV = j.Add(j).Add(j); // ell_VV = 3 * j
return(Precomputed.Of(
new BN128G2(rx, ry, rz),
new EllCoeffs(ell0, ellVW, ellVV)
));
}
private static Precomputed FlippedMillerLoopMixedAddition(BN128G2 base_val, BN128G2 addend)
{
Fp2 x1 = addend.x, y1 = addend.y, z1 = addend.z;
Fp2 x2 = base_val.x, y2 = base_val.y;
Fp2 d = x1.Sub(x2.Mul(z1)); // d = x1 - x2 * z1
Fp2 e = y1.Sub(y2.Mul(z1)); // e = y1 - y2 * z1
Fp2 f = d.Squared(); // f = d^2
Fp2 g = e.Squared(); // g = e^2
Fp2 h = d.Mul(f); // h = d * f
Fp2 i = x1.Mul(f); // i = x1 * f
Fp2 j = h.Add(z1.Mul(g)).Sub(i.Dbl()); // j = h + z1 * g - 2 * i
Fp2 x3 = d.Mul(j); // x3 = d * j
Fp2 y3 = e.Mul(i.Sub(j)).Sub(h.Mul(y1)); // y3 = e * (i - j) - h * y1)
Fp2 z3 = z1.Mul(h); // z3 = Z1*H
Fp2 ell0 = Parameters.TWIST.Mul(e.Mul(x2).Sub(d.Mul(y2))); // ell_0 = TWIST * (e * x2 - d * y2)
Fp2 ellVV = e.Negate(); // ell_VV = -e
Fp2 ellVW = d; // ell_VW = d
return(Precomputed.Of(
new BN128G2(x3, y3, z3),
new EllCoeffs(ell0, ellVW, ellVV)
));
}
public Fp6 Squared()
{
Fp2 s0 = a.Squared();
Fp2 ab = a.Mul(b);
Fp2 s1 = ab.Dbl();
Fp2 s2 = a.Sub(b).Add(c).Squared();
Fp2 bc = b.Mul(c);
Fp2 s3 = bc.Dbl();
Fp2 s4 = c.Squared();
Fp2 ra = s0.Add(s3.MulByNonResidue());
Fp2 rb = s1.Add(s4.MulByNonResidue());
Fp2 rc = s1.Add(s2).Add(s3).Sub(s0).Sub(s4);
return(new Fp6(ra, rb, rc));
}
public Fp6 Sub(Fp6 o)
{
Fp2 ra = a.Sub(o.a);
Fp2 rb = b.Sub(o.b);
Fp2 rc = c.Sub(o.c);
return(new Fp6(ra, rb, rc));
}
public Fp6 Inverse()
{
/* From "High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves"; Algorithm 17 */
Fp2 t0 = a.Squared();
Fp2 t1 = b.Squared();
Fp2 t2 = c.Squared();
Fp2 t3 = a.Mul(b);
Fp2 t4 = a.Mul(c);
Fp2 t5 = b.Mul(c);
Fp2 c0 = t0.Sub(t5.MulByNonResidue());
Fp2 c1 = t2.MulByNonResidue().Sub(t3);
Fp2 c2 = t1.Sub(t4); // typo in paper referenced above. should be "-" as per Scott, but is "*"
Fp2 t6 = a.Mul(c0).Add((c.Mul(c1).Add(b.Mul(c2))).MulByNonResidue()).Inverse();
Fp2 ra = t6.Mul(c0);
Fp2 rb = t6.Mul(c1);
Fp2 rc = t6.Mul(c2);
return(new Fp6(ra, rb, rc));
}