private static Precomputed FlippedMillerLoopMixedAddition(Bn128Fp2 baseElement, Bn128Fp2 addend)
{
Fp2 x1 = addend.X, y1 = addend.Y, z1 = addend.Z;
Fp2 x2 = baseElement.X, y2 = baseElement.Y;
Fp2 d = x1.Sub(x2.Mul(z1)); // d = x1 - x2 * z1
Fp2 e = y1.Sub(y2.Mul(z1)); // e = y1 - y2 * z1
Fp2 f = d.Squared(); // f = d^2
Fp2 g = e.Squared(); // g = e^2
Fp2 h = d.Mul(f); // h = d * f
Fp2 i = x1.Mul(f); // i = x1 * f
Fp2 j = h.Add(z1.Mul(g)).Sub(i.Double()); // j = h + z1 * g - 2 * i
Fp2 x3 = d.Mul(j); // x3 = d * j
Fp2 y3 = e.Mul(i.Sub(j)).Sub(h.Mul(y1)); // y3 = e * (i - j) - h * y1)
Fp2 z3 = z1.Mul(h); // z3 = Z1*H
Fp2 ell0 = Parameters.Twist.Mul(e.Mul(x2).Sub(d.Mul(y2))); // ell_0 = TWIST * (e * x2 - d * y2)
Fp2 ellVv = e.Negate(); // ell_VV = -e
Fp2 ellVw = d; // ell_VW = d
return(new Precomputed(
new Bn128Fp2(x3, y3, z3),
new EllCoeffs(ell0, ellVw, ellVv)
));
}
private static Precomputed FlippedMillerLoopDoubling(Bn128Fp2 g2)
{
Fp2 x = g2.X, y = g2.Y, z = g2.Z;
Fp2 a = Fp.InverseOf2.Mul(x.Mul(y)); // a = x * y / 2
Fp2 b = y.Squared(); // b = y^2
Fp2 c = z.Squared(); // c = z^2
Fp2 d = c.Add(c).Add(c); // d = 3 * c
Fp2 e = Parameters.Fp2B.Mul(d); // e = twist_b * d
Fp2 f = e.Add(e).Add(e); // f = 3 * e
Fp2 g = Fp.InverseOf2.Mul(b.Add(f)); // g = (b + f) / 2
Fp2 h = y.Add(z).Squared().Sub(b.Add(c)); // h = (y + z)^2 - (b + c)
Fp2 i = e.Sub(b); // i = e - b
Fp2 j = x.Squared(); // j = x^2
Fp2 e2 = e.Squared(); // e2 = e^2
Fp2 rx = a.Mul(b.Sub(f)); // rx = a * (b - f)
Fp2 ry = g.Squared().Sub(e2.Add(e2).Add(e2)); // ry = g^2 - 3 * e^2
Fp2 rz = b.Mul(h); // rz = b * h
Fp2 ell0 = Parameters.Twist.Mul(i); // ell_0 = twist * i
Fp2 ellVw = h.Negate(); // ell_VW = -h
Fp2 ellVv = j.Add(j).Add(j); // ell_VV = 3 * j
return(new Precomputed(
new Bn128Fp2(rx, ry, rz),
new EllCoeffs(ell0, ellVw, ellVv)
));
}
/// <summary>
/// https://eprint.iacr.org/2010/354.pdf
/// Algorithm 17
/// </summary>
/// <returns></returns>
public Fp6 Inverse()
{
Fp2 a0 = A;
Fp2 a1 = B;
Fp2 a2 = C;
Fp2 t0 = a0.Squared();
Fp2 t1 = a1.Squared();
Fp2 t2 = a2.Squared();
Fp2 t3 = a0 * a1;
Fp2 t4 = a0 * a2;
Fp2 t5 = a1 * a2; // typo (a2 * a3 in paper)?
Fp2 c0 = t0 - t5.MulByNonResidue();
Fp2 c1 = t2.MulByNonResidue() - t3;
Fp2 c2 = t1 - t4; // typo in paper referenced above. should be "-" as per Scott, but is "*"
Fp2 t6 = a0 * c0;
t6 = t6 + a2.MulByNonResidue() * c1;
t6 = t6 + a1.MulByNonResidue() * c2;
t6 = t6.Inverse();
c0 = c0 * t6;
c1 = c1 * t6;
c2 = c2 * t6;
return(new Fp6(c0, c1, c2));
}
public Fp6 FrobeniusMap(int power)
{
Fp2 ra = A.FrobeniusMap(power);
Fp2 rb = FrobeniusCoefficientsB[power % 6].Mul(B.FrobeniusMap(power));
Fp2 rc = FrobeniusCoefficientsC[power % 6].Mul(C.FrobeniusMap(power));
return(new Fp6(ra, rb, rc));
}
/// <summary>
/// https://eprint.iacr.org/2010/354.pdf
/// Algorithm 14
/// </summary>
/// <param name="b0"></param>
/// <returns></returns>
public Fp6 Mul(Fp2 b0)
{
Fp2 a0 = A;
Fp2 a1 = B;
Fp2 a2 = C;
return(new Fp6(
a0 * b0,
a1 * b0,
a2 * b0));
}
/// <summary>
/// https://eprint.iacr.org/2010/354.pdf
/// Algorithm 10
/// </summary>
/// <param name="o"></param>
/// <returns></returns>
public Fp6 Add(Fp6 o)
{
Fp2 a0 = A;
Fp2 a1 = B;
Fp2 a2 = C;
Fp2 b0 = o.A;
Fp2 b1 = o.B;
Fp2 b2 = o.C;
Fp2 c0 = a0 + b0;
Fp2 c1 = a1 + b1;
Fp2 c2 = a2 + b2;
return(new Fp6(c0, c1, c2));
}
/// <summary>
/// https://eprint.iacr.org/2010/354.pdf
/// Algorithm 11
/// </summary>
/// <param name="o"></param>
/// <returns></returns>
public Fp6 Sub(Fp6 o)
{
Fp2 a0 = A;
Fp2 a1 = B;
Fp2 a2 = C;
Fp2 b0 = o.A;
Fp2 b1 = o.B;
Fp2 b2 = o.C;
Fp2 c0 = a0 - b0;
Fp2 c1 = a1 - b1;
Fp2 c2 = a2 - b2;
return(new Fp6(c0, c1, c2));
}
/// <summary>
/// https://eprint.iacr.org/2010/354.pdf
/// Algorithm 13
/// </summary>
/// <param name="o"></param>
/// <returns></returns>
public Fp6 Mul(Fp6 o)
{
Fp2 a0 = A;
Fp2 a1 = B;
Fp2 a2 = C;
Fp2 b0 = o.A;
Fp2 b1 = o.B;
Fp2 b2 = o.C;
Fp2 v0 = a0 * b0;
Fp2 v1 = a1 * b1;
Fp2 v2 = a2 * b2;
Fp2 c0 = v0 + ((a1 + a2) * (b1 + b2) - v1 - v2).MulByNonResidue();
Fp2 c1 = (a0 + a1) * (b0 + b1) - v0 - v1 + v2.MulByNonResidue();
Fp2 c2 = (a0 + a2) * (b0 + b2) - v0 + v1 - v2;
return(new Fp6(c0, c1, c2));
}
/// <summary>
/// https://eprint.iacr.org/2010/354.pdf
/// Algorithm 16
/// </summary>
/// <returns></returns>
public Fp6 Squared()
{
Fp2 a0 = A;
Fp2 a1 = B;
Fp2 a2 = C;
Fp2 c4 = (a0 * a1).Double();
Fp2 c5 = a2.Squared();
Fp2 c1 = c5.MulByNonResidue() + c4;
Fp2 c2 = c4 - c5;
Fp2 c3 = a0.Squared();
c4 = a0 - a1 + a2;
c5 = (a1 * a2).Double();
c4 = c4.Squared();
Fp2 c0 = c5.MulByNonResidue() + c3;
c2 = c2 + c4 + c5 - c3;
return(new Fp6(c0, c1, c2));
}
public EllCoeffs(Fp2 ell0, Fp2 ellVw, Fp2 ellVv)
{
Ell0 = ell0;
EllVw = ellVw;
EllVv = ellVv;
}
public Fp2 Mul(Fp2 fp2)
{
return(new Fp2(fp2.A.Mul(this), fp2.B.Mul(this)));
}
public Fp12 MulBy024(Fp2 ell0, Fp2 ellVw, Fp2 ellVv)
{
Fp2 z0 = A.A;
Fp2 z1 = A.B;
Fp2 z2 = A.C;
Fp2 z3 = B.A;
Fp2 z4 = B.B;
Fp2 z5 = B.C;
Fp2 x0 = ell0;
Fp2 x2 = ellVv;
Fp2 x4 = ellVw;
Fp2 d0 = z0.Mul(x0);
Fp2 d2 = z2.Mul(x2);
Fp2 d4 = z4.Mul(x4);
Fp2 t2 = z0.Add(z4);
Fp2 t1 = z0.Add(z2);
Fp2 s0 = z1.Add(z3).Add(z5);
// For z.a_.a_ = z0.
Fp2 s1 = z1.Mul(x2);
Fp2 t3 = s1.Add(d4);
Fp2 t4 = Fp6.NonResidue.Mul(t3).Add(d0);
z0 = t4;
// For z.a_.b_ = z1
t3 = z5.Mul(x4);
s1 = s1.Add(t3);
t3 = t3.Add(d2);
t4 = Fp6.NonResidue.Mul(t3);
t3 = z1.Mul(x0);
s1 = s1.Add(t3);
t4 = t4.Add(t3);
z1 = t4;
// For z.a_.c_ = z2
Fp2 t0 = x0.Add(x2);
t3 = t1.Mul(t0).Sub(d0).Sub(d2);
t4 = z3.Mul(x4);
s1 = s1.Add(t4);
t3 = t3.Add(t4);
// For z.b_.a_ = z3 (z3 needs z2)
t0 = z2.Add(z4);
z2 = t3;
t1 = x2.Add(x4);
t3 = t0.Mul(t1).Sub(d2).Sub(d4);
t4 = Fp6.NonResidue.Mul(t3);
t3 = z3.Mul(x0);
s1 = s1.Add(t3);
t4 = t4.Add(t3);
z3 = t4;
// For z.b_.b_ = z4
t3 = z5.Mul(x2);
s1 = s1.Add(t3);
t4 = Fp6.NonResidue.Mul(t3);
t0 = x0.Add(x4);
t3 = t2.Mul(t0).Sub(d0).Sub(d4);
t4 = t4.Add(t3);
z4 = t4;
// For z.b_.c_ = z5.
t0 = x0.Add(x2).Add(x4);
t3 = s0.Mul(t0).Sub(s1);
z5 = t3;
return(new Fp12(new Fp6(z0, z1, z2), new Fp6(z3, z4, z5)));
}
public Fp12 CyclotomicSquare()
{
Fp2 z0 = A.A;
Fp2 z4 = A.B;
Fp2 z3 = A.C;
Fp2 z2 = B.A;
Fp2 z1 = B.B;
Fp2 z5 = B.C;
// t0 + t1*y = (z0 + z1*y)^2 = a^2
Fp2 tmp = z0.Mul(z1);
Fp2 t0 = z0.Add(z1).Mul(z0.Add(Fp6.NonResidue.Mul(z1))).Sub(tmp).Sub(Fp6.NonResidue.Mul(tmp));
Fp2 t1 = tmp.Add(tmp);
// t2 + t3*y = (z2 + z3*y)^2 = b^2
tmp = z2.Mul(z3);
Fp2 t2 = z2.Add(z3).Mul(z2.Add(Fp6.NonResidue.Mul(z3))).Sub(tmp).Sub(Fp6.NonResidue.Mul(tmp));
Fp2 t3 = tmp.Add(tmp);
// t4 + t5*y = (z4 + z5*y)^2 = c^2
tmp = z4.Mul(z5);
Fp2 t4 = z4.Add(z5).Mul(z4.Add(Fp6.NonResidue.Mul(z5))).Sub(tmp).Sub(Fp6.NonResidue.Mul(tmp));
Fp2 t5 = tmp.Add(tmp);
// for A
// z0 = 3 * t0 - 2 * z0
z0 = t0.Sub(z0);
z0 = z0.Add(z0);
z0 = z0.Add(t0);
// z1 = 3 * t1 + 2 * z1
z1 = t1.Add(z1);
z1 = z1.Add(z1);
z1 = z1.Add(t1);
// for B
// z2 = 3 * (xi * t5) + 2 * z2
tmp = Fp6.NonResidue.Mul(t5);
z2 = tmp.Add(z2);
z2 = z2.Add(z2);
z2 = z2.Add(tmp);
// z3 = 3 * t4 - 2 * z3
z3 = t4.Sub(z3);
z3 = z3.Add(z3);
z3 = z3.Add(t4);
// for C
// z4 = 3 * t2 - 2 * z4
z4 = t2.Sub(z4);
z4 = z4.Add(z4);
z4 = z4.Add(t2);
// z5 = 3 * t3 + 2 * z5
z5 = t3.Add(z5);
z5 = z5.Add(z5);
z5 = z5.Add(t3);
return(new Fp12(new Fp6(z0, z4, z3), new Fp6(z2, z1, z5)));
}
public Fp6(Fp2 a, Fp2 b, Fp2 c)
{
A = a;
B = b;
C = c;
}
