sm9/bn256: rename special square function name

sm9/bn256/bn_pair.go

@@ -218,10 +218,9 @@ func finalExponentiation(in *gfP12) *gfP12 {
 	y0.MulNC(fp, fp2).Mul(y0, fp3) // y0 = (t1^p) * (t1^(p^2)) * (t1^(p^3))
 
 	// reuse fp, fp2, fp3 local variables
-	// [gfP12ExpU] is most time consuming operation
-	fu := fp.gfP12ExpU(t1)
-	fu2 := fp2.gfP12ExpU(fu)
-	fu3 := fp3.gfP12ExpU(fu2)
+	fu := fp.Cyclo6PowToU(t1)
+	fu2 := fp2.Cyclo6PowToU(fu)
+	fu3 := fp3.Cyclo6PowToU(fu2)
 
 	fu2p := (&gfP12{}).Frobenius(fu2)
 	fu3p := (&gfP12{}).Frobenius(fu3)
@@ -237,14 +236,14 @@ func finalExponentiation(in *gfP12) *gfP12 {
 	y6.Conjugate(y6)                  // y6 = 1 / (t1^(u^3) * (t1^(u^3))^p)
 
 	// https://eprint.iacr.org/2008/490.pdf
-	t0 := (&gfP12{}).SpecialSquareNC(y6)
+	t0 := (&gfP12{}).Cyclo6SquareNC(y6)
 	t0.Mul(t0, y4).Mul(t0, y5)
 	t1.Mul(y3, y5).Mul(t1, t0)
 	t0.Mul(t0, y2)
-	t1.SpecialSquare(t1).Mul(t1, t0).SpecialSquare(t1)
+	t1.Cyclo6Square(t1).Mul(t1, t0).Cyclo6Square(t1)
 	t0.Mul(t1, y1)
 	t1.Mul(t1, y0)
-	t0.SpecialSquare(t0).Mul(t0, t1)
+	t0.Cyclo6Square(t0).Mul(t0, t1)
 
 	return t0
 }

sm9/bn256/bn_pair_b6.go

@@ -155,10 +155,9 @@ func finalExponentiationB6(in *gfP12b6) *gfP12b6 {
 	y0.MulNC(fp, fp2).Mul(y0, fp3)
 
 	// reuse fp, fp2, fp3 local variables
-	// [gfP12ExpU] is most time consuming operation
-	fu := fp.gfP12ExpU(t1)
-	fu2 := fp2.gfP12ExpU(fu)
-	fu3 := fp3.gfP12ExpU(fu2)
+	fu := fp.Cyclo6PowToU(t1)
+	fu2 := fp2.Cyclo6PowToU(fu)
+	fu3 := fp3.Cyclo6PowToU(fu2)
 
 	y3 := (&gfP12b6{}).Frobenius(fu)
 	fu2p := (&gfP12b6{}).Frobenius(fu2)
@@ -174,14 +173,14 @@ func finalExponentiationB6(in *gfP12b6) *gfP12b6 {
 	y6 := (&gfP12b6{}).MulNC(fu3, fu3p)
 	y6.Conjugate(y6)
 
-	t0 := (&gfP12b6{}).SpecialSquareNC(y6)
+	t0 := (&gfP12b6{}).Cyclo6SquareNC(y6)
 	t0.Mul(t0, y4).Mul(t0, y5)
 	t1.Mul(y3, y5).Mul(t1, t0)
 	t0.Mul(t0, y2)
-	t1.SpecialSquare(t1).Mul(t1, t0).SpecialSquare(t1)
+	t1.Cyclo6Square(t1).Mul(t1, t0).Cyclo6Square(t1)
 	t0.Mul(t1, y1)
 	t1.Mul(t1, y0)
-	t0.SpecialSquare(t0).Mul(t0, t1)
+	t0.Cyclo6Square(t0).Mul(t0, t1)
 
 	return t0
 }

sm9/bn256/curve.go

@@ -182,7 +182,7 @@ func (c *curvePoint) Double(a *curvePoint) {
 	gfpSub(t2, t, C)
 
 	d, e, f := &gfP{}, &gfP{}, &gfP{}
-	gfpAdd(d, t2, t2)
+	gfpDouble(d, t2)
 	gfpDouble(t, A)
 	gfpAdd(e, t, A)
 	gfpSqr(f, e, 1)

sm9/bn256/gfp12.go

@@ -226,13 +226,19 @@ func (e *gfP12) SquareNC(a *gfP12) *gfP12 {
 	return e
 }
 
-// Special squaring for use on elements in T_6(fp2) (after the
-// easy part of the final exponentiation. Used in the hard part
-// of the final exponentiation. Function uses formulas in
+// Cyclo6Square is used in final exponentiation after easy part(a ^ ((p^2 + 1)(p^6-1))).
+// Note that after the easy part of the final exponentiation, 
+// the resulting element lies in cyclotomic subgroup. 
+// "New software speed records for cryptographic pairings"
+// Section 3.3, Final exponentiation
+// https://cryptojedi.org/papers/dclxvi-20100714.pdf
+// The fomula reference:
 // Granger/Scott (PKC2010). 
-func (e *gfP12) SpecialSquare(a *gfP12) *gfP12 {
+// Section 3.2
+// https://eprint.iacr.org/2009/565.pdf
+func (e *gfP12) Cyclo6Square(a *gfP12) *gfP12 {
 	tmp := &gfP12{}
-	tmp.SpecialSquareNC(a)
+	tmp.Cyclo6SquareNC(a)
 	gfp12Copy(e, tmp)
 	return e
 }
@@ -241,7 +247,7 @@ func (e *gfP12) SpecialSquare(a *gfP12) *gfP12 {
 // easy part of the final exponentiation. Used in the hard part
 // of the final exponentiation. Function uses formulas in
 // Granger/Scott (PKC2010).
-func (e *gfP12) SpecialSquares(a *gfP12, n int) *gfP12 {
+func (e *gfP12) Cyclo6Squares(a *gfP12, n int) *gfP12 {
 	// Square first round
 	in := &gfP12{}
 	tx, ty, tz := &gfP4{}, &gfP4{}, &gfP4{}
@@ -306,7 +312,7 @@ func (e *gfP12) SpecialSquares(a *gfP12, n int) *gfP12 {
 }
 
 // Special Square without value copy, will use e directly, so e can't be same as a.
-func (e *gfP12) SpecialSquareNC(a *gfP12) *gfP12 {
+func (e *gfP12) Cyclo6SquareNC(a *gfP12) *gfP12 {
 	tx, ty, tz := &gfP4{}, &gfP4{}, &gfP4{}
 
 	v0 := &e.x

sm9/bn256/gfp12_b6.go

@@ -201,20 +201,26 @@ func (e *gfP12b6) SquareNC(a *gfP12b6) *gfP12b6 {
 	return e
 }
 
-// Special squaring for use on elements in T_6(fp2) (after the
-// easy part of the final exponentiation. Used in the hard part
-// of the final exponentiation. Function uses formulas in
+// Cyclo6Square is used in final exponentiation after easy part(a ^ ((p^2 + 1)(p^6-1))).
+// Note that after the easy part of the final exponentiation, 
+// the resulting element lies in cyclotomic subgroup. 
+// "New software speed records for cryptographic pairings"
+// Section 3.3, Final exponentiation
+// https://cryptojedi.org/papers/dclxvi-20100714.pdf
+// The fomula reference:
 // Granger/Scott (PKC2010). 
-func (e *gfP12b6) SpecialSquare(a *gfP12b6) *gfP12b6 {
+// Section 3.2
+// https://eprint.iacr.org/2009/565.pdf
+func (e *gfP12b6) Cyclo6Square(a *gfP12b6) *gfP12b6 {
 	tmp := &gfP12b6{}
-	tmp.SpecialSquareNC(a)
+	tmp.Cyclo6SquareNC(a)
 	e.x.Set(&tmp.x)
 	e.y.Set(&tmp.y)
 	return e
 }
 
 // Special Square without value copy, will use e directly, so e can't be same as a.
-func (e *gfP12b6) SpecialSquareNC(a *gfP12b6) *gfP12b6 {
+func (e *gfP12b6) Cyclo6SquareNC(a *gfP12b6) *gfP12b6 {
 	f02 := &e.y.x
 	f01 := &e.y.y
 	f00 := &e.y.z
@@ -265,7 +271,7 @@ func (e *gfP12b6) SpecialSquareNC(a *gfP12b6) *gfP12b6 {
 	return e
 }
 
-func (e *gfP12b6) SpecialSquares(a *gfP12b6, n int) *gfP12b6 {
+func (e *gfP12b6) Cyclo6Squares(a *gfP12b6, n int) *gfP12b6 {
 	// Square first round
 	in := &gfP12b6{}
 	f02 := &in.y.x

sm9/bn256/gfp12_b6_test.go

@@ -330,7 +330,7 @@ func TestGfP12b6SpecialSquare(t *testing.T) {
 
 	got := &gfP12b6{}
 	expected := &gfP12b6{}
-	got.SpecialSquare(t1)
+	got.Cyclo6Square(t1)
 	expected.Square(t1)
 	if *got != *expected {
 		t.Errorf("not same got=%v, expected=%v", got, expected)

sm9/bn256/gfp12_exp_u.go

@@ -1,7 +1,7 @@
 package bn256
 
 // Use special square
-func (e *gfP12) gfP12ExpU(x *gfP12) *gfP12 {
+func (e *gfP12) Cyclo6PowToU(x *gfP12) *gfP12 {
 	// The sequence of 10 multiplications and 61 squarings is derived from the
 	// following addition chain generated with github.com/mmcloughlin/addchain v0.4.0.
 	//
@@ -21,23 +21,23 @@ func (e *gfP12) gfP12ExpU(x *gfP12) *gfP12 {
 	var t2 = new(gfP12)
 	var t3 = new(gfP12)
 
-	t2.SpecialSquareNC(x)
-	t1.SpecialSquareNC(t2)
+	t2.Cyclo6SquareNC(x)
+	t1.Cyclo6SquareNC(t2)
 	z.MulNC(x, t1)
 	t0.MulNC(t1, z)
 	t2.Mul(t2, t0)
 	t3.MulNC(x, t2)
-	t3.SpecialSquares(t3, 40)
+	t3.Cyclo6Squares(t3, 40)
 	t3.Mul(t2, t3)
-	t3.SpecialSquares(t3, 7)
+	t3.Cyclo6Squares(t3, 7)
 	t2.Mul(t2, t3)
 	t1.Mul(t1, t2)
-	t1.SpecialSquares(t1, 4)
+	t1.Cyclo6Squares(t1, 4)
 	t0.Mul(t0, t1)
-	t0.SpecialSquare(t0)
+	t0.Cyclo6Square(t0)
 	t0.Mul(x, t0)
-	t0.SpecialSquares(t0, 6)
+	t0.Cyclo6Squares(t0, 6)
 	z.Mul(z, t0)
-	z.SpecialSquare(z)
+	z.Cyclo6Square(z)
 	return e
 }

sm9/bn256/gfp12_test.go

@@ -35,7 +35,7 @@ func Test_gfP12Square(t *testing.T) {
 	}
 }
 
-func TestSpecialSquare(t *testing.T) {
+func TestCyclo6Square(t *testing.T) {
 	in := &gfP12{
 		testdataP4,
 		testdataP4,
@@ -51,9 +51,18 @@ func TestSpecialSquare(t *testing.T) {
 	t2 := inv.FrobeniusP2(t1) // reuse inv
 	t1.Mul(t1, t2)            // t1 = in ^ ((p^6 - 1) * (p^2 + 1)), the first two parts of the exponentiation
 
+	one := (&gfP12{}).SetOne()
+	t3 := (&gfP12{}).FrobeniusP2(t1)
+	t4 := (&gfP12{}).FrobeniusP2(t3)
+	t5 := (&gfP12{}).Invert(t3)
+	t5.Mul(t4, t5).Mul(t1, t5)
+	if *t5 != *one {
+		t.Errorf("t1 should be in Cyclotomic Subgroup")
+	}
+
 	got := &gfP12{}
 	expected := &gfP12{}
-	got.SpecialSquare(t1)
+	got.Cyclo6Square(t1)
 	expected.Square(t1)
 	if *got != *expected {
 		t.Errorf("not same got=%v, expected=%v", got, expected)
@@ -74,7 +83,7 @@ func BenchmarkGfP12Square(b *testing.B) {
 	}
 }
 
-func BenchmarkGfP12SpecialSquare(b *testing.B) {
+func BenchmarkGfP12Cyclo6Square(b *testing.B) {
 	in := &gfP12{
 		testdataP4,
 		testdataP4,
@@ -93,7 +102,7 @@ func BenchmarkGfP12SpecialSquare(b *testing.B) {
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		x2.SpecialSquare(t1)
+		x2.Cyclo6Square(t1)
 	}
 }
 
@@ -116,7 +125,7 @@ func BenchmarkGfP12SpecialSqures(b *testing.B) {
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		got.SpecialSquares(in, 61)
+		got.Cyclo6Squares(in, 61)
 	}
 }
 
@@ -433,13 +442,22 @@ func BenchmarkGfP12ExpU(b *testing.B) {
 		testdataP4,
 		testdataP4,
 	}
+	// This is the p^6-Frobenius
+	t1 := (&gfP12{}).FrobeniusP6(x)
+
+	inv := (&gfP12{}).Invert(x)
+	t1.Mul(t1, inv)
+
+	t2 := inv.FrobeniusP2(t1) // reuse inv
+	t1.Mul(t1, t2)            // t1 = in ^ ((p^6 - 1) * (p^2 + 1)), the first two parts of the exponentiation
+
 	got := &gfP12{}
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		got.gfP12ExpU(x)
-		got.gfP12ExpU(x)
-		got.gfP12ExpU(x)
+		got.Cyclo6PowToU(t1)
+		got.Cyclo6PowToU(t1)
+		got.Cyclo6PowToU(t1)
 	}
 }
 

sm9/bn256/gfp12b6_exp_u.go

@@ -1,7 +1,7 @@
 package bn256
 
 // Use special square
-func (e *gfP12b6) gfP12ExpU(x *gfP12b6) *gfP12b6 {
+func (e *gfP12b6) Cyclo6PowToU(x *gfP12b6) *gfP12b6 {
 	// The sequence of 10 multiplications and 61 squarings is derived from the
 	// following addition chain generated with github.com/mmcloughlin/addchain v0.4.0.
 	//
@@ -21,23 +21,23 @@ func (e *gfP12b6) gfP12ExpU(x *gfP12b6) *gfP12b6 {
 	var t2 = new(gfP12b6)
 	var t3 = new(gfP12b6)
 
-	t2.SpecialSquareNC(x)
-	t1.SpecialSquareNC(t2)
+	t2.Cyclo6SquareNC(x)
+	t1.Cyclo6SquareNC(t2)
 	z.MulNC(x, t1)
 	t0.MulNC(t1, z)
 	t2.Mul(t2, t0)
 	t3.MulNC(x, t2)
-	t3.SpecialSquares(t3, 40)
+	t3.Cyclo6Squares(t3, 40)
 	t3.Mul(t2, t3)
-	t3.SpecialSquares(t3, 7)
+	t3.Cyclo6Squares(t3, 7)
 	t2.Mul(t2, t3)
 	t1.Mul(t1, t2)
-	t1.SpecialSquares(t1, 4)
+	t1.Cyclo6Squares(t1, 4)
 	t0.Mul(t0, t1)
-	t0.SpecialSquare(t0)
+	t0.Cyclo6Square(t0)
 	t0.Mul(x, t0)
-	t0.SpecialSquares(t0, 6)
+	t0.Cyclo6Squares(t0, 6)
 	z.Mul(z, t0)
-	z.SpecialSquare(z)
+	z.Cyclo6Square(z)
 	return e
 }