From b9bbf94b4766dff6d0c0f4f41373e0a8f6559f13 Mon Sep 17 00:00:00 2001 From: Sun Yimin Date: Tue, 18 Jul 2023 17:29:10 +0800 Subject: [PATCH] sm9/bn256: rename special square function name --- sm9/bn256/bn_pair.go | 13 ++++++------- sm9/bn256/bn_pair_b6.go | 13 ++++++------- sm9/bn256/curve.go | 2 +- sm9/bn256/gfp12.go | 22 ++++++++++++++-------- sm9/bn256/gfp12_b6.go | 22 ++++++++++++++-------- sm9/bn256/gfp12_b6_test.go | 2 +- sm9/bn256/gfp12_exp_u.go | 18 +++++++++--------- sm9/bn256/gfp12_test.go | 34 ++++++++++++++++++++++++++-------- sm9/bn256/gfp12b6_exp_u.go | 18 +++++++++--------- 9 files changed, 86 insertions(+), 58 deletions(-) diff --git a/sm9/bn256/bn_pair.go b/sm9/bn256/bn_pair.go index ff9fd81..10e8daf 100644 --- a/sm9/bn256/bn_pair.go +++ b/sm9/bn256/bn_pair.go @@ -218,10 +218,9 @@ func finalExponentiation(in *gfP12) *gfP12 { y0.MulNC(fp, fp2).Mul(y0, fp3) // y0 = (t1^p) * (t1^(p^2)) * (t1^(p^3)) // reuse fp, fp2, fp3 local variables - // [gfP12ExpU] is most time consuming operation - fu := fp.gfP12ExpU(t1) - fu2 := fp2.gfP12ExpU(fu) - fu3 := fp3.gfP12ExpU(fu2) + fu := fp.Cyclo6PowToU(t1) + fu2 := fp2.Cyclo6PowToU(fu) + fu3 := fp3.Cyclo6PowToU(fu2) fu2p := (&gfP12{}).Frobenius(fu2) fu3p := (&gfP12{}).Frobenius(fu3) @@ -237,14 +236,14 @@ func finalExponentiation(in *gfP12) *gfP12 { y6.Conjugate(y6) // y6 = 1 / (t1^(u^3) * (t1^(u^3))^p) // https://eprint.iacr.org/2008/490.pdf - t0 := (&gfP12{}).SpecialSquareNC(y6) + t0 := (&gfP12{}).Cyclo6SquareNC(y6) t0.Mul(t0, y4).Mul(t0, y5) t1.Mul(y3, y5).Mul(t1, t0) t0.Mul(t0, y2) - t1.SpecialSquare(t1).Mul(t1, t0).SpecialSquare(t1) + t1.Cyclo6Square(t1).Mul(t1, t0).Cyclo6Square(t1) t0.Mul(t1, y1) t1.Mul(t1, y0) - t0.SpecialSquare(t0).Mul(t0, t1) + t0.Cyclo6Square(t0).Mul(t0, t1) return t0 } diff --git a/sm9/bn256/bn_pair_b6.go b/sm9/bn256/bn_pair_b6.go index c65682e..6435beb 100644 --- a/sm9/bn256/bn_pair_b6.go +++ b/sm9/bn256/bn_pair_b6.go @@ -155,10 +155,9 @@ func finalExponentiationB6(in *gfP12b6) *gfP12b6 { y0.MulNC(fp, fp2).Mul(y0, fp3) // reuse fp, fp2, fp3 local variables - // [gfP12ExpU] is most time consuming operation - fu := fp.gfP12ExpU(t1) - fu2 := fp2.gfP12ExpU(fu) - fu3 := fp3.gfP12ExpU(fu2) + fu := fp.Cyclo6PowToU(t1) + fu2 := fp2.Cyclo6PowToU(fu) + fu3 := fp3.Cyclo6PowToU(fu2) y3 := (&gfP12b6{}).Frobenius(fu) fu2p := (&gfP12b6{}).Frobenius(fu2) @@ -174,14 +173,14 @@ func finalExponentiationB6(in *gfP12b6) *gfP12b6 { y6 := (&gfP12b6{}).MulNC(fu3, fu3p) y6.Conjugate(y6) - t0 := (&gfP12b6{}).SpecialSquareNC(y6) + t0 := (&gfP12b6{}).Cyclo6SquareNC(y6) t0.Mul(t0, y4).Mul(t0, y5) t1.Mul(y3, y5).Mul(t1, t0) t0.Mul(t0, y2) - t1.SpecialSquare(t1).Mul(t1, t0).SpecialSquare(t1) + t1.Cyclo6Square(t1).Mul(t1, t0).Cyclo6Square(t1) t0.Mul(t1, y1) t1.Mul(t1, y0) - t0.SpecialSquare(t0).Mul(t0, t1) + t0.Cyclo6Square(t0).Mul(t0, t1) return t0 } diff --git a/sm9/bn256/curve.go b/sm9/bn256/curve.go index a2d2328..122920f 100644 --- a/sm9/bn256/curve.go +++ b/sm9/bn256/curve.go @@ -182,7 +182,7 @@ func (c *curvePoint) Double(a *curvePoint) { gfpSub(t2, t, C) d, e, f := &gfP{}, &gfP{}, &gfP{} - gfpAdd(d, t2, t2) + gfpDouble(d, t2) gfpDouble(t, A) gfpAdd(e, t, A) gfpSqr(f, e, 1) diff --git a/sm9/bn256/gfp12.go b/sm9/bn256/gfp12.go index cd51aa6..4f9bc27 100644 --- a/sm9/bn256/gfp12.go +++ b/sm9/bn256/gfp12.go @@ -226,13 +226,19 @@ func (e *gfP12) SquareNC(a *gfP12) *gfP12 { return e } -// Special squaring for use on elements in T_6(fp2) (after the -// easy part of the final exponentiation. Used in the hard part -// of the final exponentiation. Function uses formulas in -// Granger/Scott (PKC2010). -func (e *gfP12) SpecialSquare(a *gfP12) *gfP12 { +// Cyclo6Square is used in final exponentiation after easy part(a ^ ((p^2 + 1)(p^6-1))). +// Note that after the easy part of the final exponentiation, +// the resulting element lies in cyclotomic subgroup. +// "New software speed records for cryptographic pairings" +// Section 3.3, Final exponentiation +// https://cryptojedi.org/papers/dclxvi-20100714.pdf +// The fomula reference: +// Granger/Scott (PKC2010). +// Section 3.2 +// https://eprint.iacr.org/2009/565.pdf +func (e *gfP12) Cyclo6Square(a *gfP12) *gfP12 { tmp := &gfP12{} - tmp.SpecialSquareNC(a) + tmp.Cyclo6SquareNC(a) gfp12Copy(e, tmp) return e } @@ -241,7 +247,7 @@ func (e *gfP12) SpecialSquare(a *gfP12) *gfP12 { // easy part of the final exponentiation. Used in the hard part // of the final exponentiation. Function uses formulas in // Granger/Scott (PKC2010). -func (e *gfP12) SpecialSquares(a *gfP12, n int) *gfP12 { +func (e *gfP12) Cyclo6Squares(a *gfP12, n int) *gfP12 { // Square first round in := &gfP12{} tx, ty, tz := &gfP4{}, &gfP4{}, &gfP4{} @@ -306,7 +312,7 @@ func (e *gfP12) SpecialSquares(a *gfP12, n int) *gfP12 { } // Special Square without value copy, will use e directly, so e can't be same as a. -func (e *gfP12) SpecialSquareNC(a *gfP12) *gfP12 { +func (e *gfP12) Cyclo6SquareNC(a *gfP12) *gfP12 { tx, ty, tz := &gfP4{}, &gfP4{}, &gfP4{} v0 := &e.x diff --git a/sm9/bn256/gfp12_b6.go b/sm9/bn256/gfp12_b6.go index 3661796..2a27fc1 100644 --- a/sm9/bn256/gfp12_b6.go +++ b/sm9/bn256/gfp12_b6.go @@ -201,20 +201,26 @@ func (e *gfP12b6) SquareNC(a *gfP12b6) *gfP12b6 { return e } -// Special squaring for use on elements in T_6(fp2) (after the -// easy part of the final exponentiation. Used in the hard part -// of the final exponentiation. Function uses formulas in -// Granger/Scott (PKC2010). -func (e *gfP12b6) SpecialSquare(a *gfP12b6) *gfP12b6 { +// Cyclo6Square is used in final exponentiation after easy part(a ^ ((p^2 + 1)(p^6-1))). +// Note that after the easy part of the final exponentiation, +// the resulting element lies in cyclotomic subgroup. +// "New software speed records for cryptographic pairings" +// Section 3.3, Final exponentiation +// https://cryptojedi.org/papers/dclxvi-20100714.pdf +// The fomula reference: +// Granger/Scott (PKC2010). +// Section 3.2 +// https://eprint.iacr.org/2009/565.pdf +func (e *gfP12b6) Cyclo6Square(a *gfP12b6) *gfP12b6 { tmp := &gfP12b6{} - tmp.SpecialSquareNC(a) + tmp.Cyclo6SquareNC(a) e.x.Set(&tmp.x) e.y.Set(&tmp.y) return e } // Special Square without value copy, will use e directly, so e can't be same as a. -func (e *gfP12b6) SpecialSquareNC(a *gfP12b6) *gfP12b6 { +func (e *gfP12b6) Cyclo6SquareNC(a *gfP12b6) *gfP12b6 { f02 := &e.y.x f01 := &e.y.y f00 := &e.y.z @@ -265,7 +271,7 @@ func (e *gfP12b6) SpecialSquareNC(a *gfP12b6) *gfP12b6 { return e } -func (e *gfP12b6) SpecialSquares(a *gfP12b6, n int) *gfP12b6 { +func (e *gfP12b6) Cyclo6Squares(a *gfP12b6, n int) *gfP12b6 { // Square first round in := &gfP12b6{} f02 := &in.y.x diff --git a/sm9/bn256/gfp12_b6_test.go b/sm9/bn256/gfp12_b6_test.go index 2bca692..975a157 100644 --- a/sm9/bn256/gfp12_b6_test.go +++ b/sm9/bn256/gfp12_b6_test.go @@ -330,7 +330,7 @@ func TestGfP12b6SpecialSquare(t *testing.T) { got := &gfP12b6{} expected := &gfP12b6{} - got.SpecialSquare(t1) + got.Cyclo6Square(t1) expected.Square(t1) if *got != *expected { t.Errorf("not same got=%v, expected=%v", got, expected) diff --git a/sm9/bn256/gfp12_exp_u.go b/sm9/bn256/gfp12_exp_u.go index 198be7d..c380eba 100644 --- a/sm9/bn256/gfp12_exp_u.go +++ b/sm9/bn256/gfp12_exp_u.go @@ -1,7 +1,7 @@ package bn256 // Use special square -func (e *gfP12) gfP12ExpU(x *gfP12) *gfP12 { +func (e *gfP12) Cyclo6PowToU(x *gfP12) *gfP12 { // The sequence of 10 multiplications and 61 squarings is derived from the // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. // @@ -21,23 +21,23 @@ func (e *gfP12) gfP12ExpU(x *gfP12) *gfP12 { var t2 = new(gfP12) var t3 = new(gfP12) - t2.SpecialSquareNC(x) - t1.SpecialSquareNC(t2) + t2.Cyclo6SquareNC(x) + t1.Cyclo6SquareNC(t2) z.MulNC(x, t1) t0.MulNC(t1, z) t2.Mul(t2, t0) t3.MulNC(x, t2) - t3.SpecialSquares(t3, 40) + t3.Cyclo6Squares(t3, 40) t3.Mul(t2, t3) - t3.SpecialSquares(t3, 7) + t3.Cyclo6Squares(t3, 7) t2.Mul(t2, t3) t1.Mul(t1, t2) - t1.SpecialSquares(t1, 4) + t1.Cyclo6Squares(t1, 4) t0.Mul(t0, t1) - t0.SpecialSquare(t0) + t0.Cyclo6Square(t0) t0.Mul(x, t0) - t0.SpecialSquares(t0, 6) + t0.Cyclo6Squares(t0, 6) z.Mul(z, t0) - z.SpecialSquare(z) + z.Cyclo6Square(z) return e } diff --git a/sm9/bn256/gfp12_test.go b/sm9/bn256/gfp12_test.go index 4d08177..fd78c05 100644 --- a/sm9/bn256/gfp12_test.go +++ b/sm9/bn256/gfp12_test.go @@ -35,7 +35,7 @@ func Test_gfP12Square(t *testing.T) { } } -func TestSpecialSquare(t *testing.T) { +func TestCyclo6Square(t *testing.T) { in := &gfP12{ testdataP4, testdataP4, @@ -51,9 +51,18 @@ func TestSpecialSquare(t *testing.T) { t2 := inv.FrobeniusP2(t1) // reuse inv t1.Mul(t1, t2) // t1 = in ^ ((p^6 - 1) * (p^2 + 1)), the first two parts of the exponentiation + one := (&gfP12{}).SetOne() + t3 := (&gfP12{}).FrobeniusP2(t1) + t4 := (&gfP12{}).FrobeniusP2(t3) + t5 := (&gfP12{}).Invert(t3) + t5.Mul(t4, t5).Mul(t1, t5) + if *t5 != *one { + t.Errorf("t1 should be in Cyclotomic Subgroup") + } + got := &gfP12{} expected := &gfP12{} - got.SpecialSquare(t1) + got.Cyclo6Square(t1) expected.Square(t1) if *got != *expected { t.Errorf("not same got=%v, expected=%v", got, expected) @@ -74,7 +83,7 @@ func BenchmarkGfP12Square(b *testing.B) { } } -func BenchmarkGfP12SpecialSquare(b *testing.B) { +func BenchmarkGfP12Cyclo6Square(b *testing.B) { in := &gfP12{ testdataP4, testdataP4, @@ -93,7 +102,7 @@ func BenchmarkGfP12SpecialSquare(b *testing.B) { b.ReportAllocs() b.ResetTimer() for i := 0; i < b.N; i++ { - x2.SpecialSquare(t1) + x2.Cyclo6Square(t1) } } @@ -116,7 +125,7 @@ func BenchmarkGfP12SpecialSqures(b *testing.B) { b.ReportAllocs() b.ResetTimer() for i := 0; i < b.N; i++ { - got.SpecialSquares(in, 61) + got.Cyclo6Squares(in, 61) } } @@ -433,13 +442,22 @@ func BenchmarkGfP12ExpU(b *testing.B) { testdataP4, testdataP4, } + // This is the p^6-Frobenius + t1 := (&gfP12{}).FrobeniusP6(x) + + inv := (&gfP12{}).Invert(x) + t1.Mul(t1, inv) + + t2 := inv.FrobeniusP2(t1) // reuse inv + t1.Mul(t1, t2) // t1 = in ^ ((p^6 - 1) * (p^2 + 1)), the first two parts of the exponentiation + got := &gfP12{} b.ReportAllocs() b.ResetTimer() for i := 0; i < b.N; i++ { - got.gfP12ExpU(x) - got.gfP12ExpU(x) - got.gfP12ExpU(x) + got.Cyclo6PowToU(t1) + got.Cyclo6PowToU(t1) + got.Cyclo6PowToU(t1) } } diff --git a/sm9/bn256/gfp12b6_exp_u.go b/sm9/bn256/gfp12b6_exp_u.go index 9fd09f3..dc2900f 100644 --- a/sm9/bn256/gfp12b6_exp_u.go +++ b/sm9/bn256/gfp12b6_exp_u.go @@ -1,7 +1,7 @@ package bn256 // Use special square -func (e *gfP12b6) gfP12ExpU(x *gfP12b6) *gfP12b6 { +func (e *gfP12b6) Cyclo6PowToU(x *gfP12b6) *gfP12b6 { // The sequence of 10 multiplications and 61 squarings is derived from the // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. // @@ -21,23 +21,23 @@ func (e *gfP12b6) gfP12ExpU(x *gfP12b6) *gfP12b6 { var t2 = new(gfP12b6) var t3 = new(gfP12b6) - t2.SpecialSquareNC(x) - t1.SpecialSquareNC(t2) + t2.Cyclo6SquareNC(x) + t1.Cyclo6SquareNC(t2) z.MulNC(x, t1) t0.MulNC(t1, z) t2.Mul(t2, t0) t3.MulNC(x, t2) - t3.SpecialSquares(t3, 40) + t3.Cyclo6Squares(t3, 40) t3.Mul(t2, t3) - t3.SpecialSquares(t3, 7) + t3.Cyclo6Squares(t3, 7) t2.Mul(t2, t3) t1.Mul(t1, t2) - t1.SpecialSquares(t1, 4) + t1.Cyclo6Squares(t1, 4) t0.Mul(t0, t1) - t0.SpecialSquare(t0) + t0.Cyclo6Square(t0) t0.Mul(x, t0) - t0.SpecialSquares(t0, 6) + t0.Cyclo6Squares(t0, 6) z.Mul(z, t0) - z.SpecialSquare(z) + z.Cyclo6Square(z) return e }