gmsm/sm9/bn256/gfp6.go

package bn256

import "math/big"

// For details of the algorithms used, see "Multiplication and Squaring on
// Pairing-Friendly Fields, Devegili et al.
// http://eprint.iacr.org/2006/471.pdf.
//

// gfP6 implements the field of size p^6 as a cubic extension of gfP2
// where s³=ξ and ξ=u
type gfP6 struct {
	x, y, z gfP2 // value is xs² + ys + z
}

func gfP6Decode(in *gfP6) *gfP6 {
	out := &gfP6{}
	out.x = *gfP2Decode(&in.x)
	out.y = *gfP2Decode(&in.y)
	out.z = *gfP2Decode(&in.z)
	return out
}

func (e *gfP6) String() string {
	return "(" + e.x.String() + ", " + e.y.String() + ", " + e.z.String() + ")"
}

func (e *gfP6) Set(a *gfP6) *gfP6 {
	gfp6Copy(e, a)
	return e
}

func (e *gfP6) SetZero() *gfP6 {
	e.x.SetZero()
	e.y.SetZero()
	e.z.SetZero()
	return e
}

func (e *gfP6) SetOne() *gfP6 {
	e.x.SetZero()
	e.y.SetZero()
	e.z.SetOne()
	return e
}

func (e *gfP6) SetS() *gfP6 {
	e.x.SetZero()
	e.y.SetOne()
	e.z.SetZero()
	return e
}

func (e *gfP6) SetS2() *gfP6 {
	e.x.SetOne()
	e.y.SetZero()
	e.z.SetZero()
	return e
}

func (e *gfP6) IsZero() bool {
	return e.x.IsZero() && e.y.IsZero() && e.z.IsZero()
}

func (e *gfP6) IsOne() bool {
	return e.x.IsZero() && e.y.IsZero() && e.z.IsOne()
}

func (e *gfP6) Neg(a *gfP6) *gfP6 {
	e.x.Neg(&a.x)
	e.y.Neg(&a.y)
	e.z.Neg(&a.z)
	return e
}

func (e *gfP6) Add(a, b *gfP6) *gfP6 {
	e.x.Add(&a.x, &b.x)
	e.y.Add(&a.y, &b.y)
	e.z.Add(&a.z, &b.z)
	return e
}

func (e *gfP6) Sub(a, b *gfP6) *gfP6 {
	e.x.Sub(&a.x, &b.x)
	e.y.Sub(&a.y, &b.y)
	e.z.Sub(&a.z, &b.z)
	return e
}

func (e *gfP6) MulScalar(a *gfP6, b *gfP2) *gfP6 {
	e.x.Mul(&a.x, b)
	e.y.Mul(&a.y, b)
	e.z.Mul(&a.z, b)
	return e
}

func (e *gfP6) MulGfP(a *gfP6, b *gfP) *gfP6 {
	e.x.MulScalar(&a.x, b)
	e.y.MulScalar(&a.y, b)
	e.z.MulScalar(&a.z, b)
	return e
}

func (e *gfP6) Mul(a, b *gfP6) *gfP6 {
	tmp := &gfP6{}
	tmp.MulNC(a, b)
	gfp6Copy(e, tmp)
	return e
}

// Mul without value copy, will use e directly, so e can't be same as a and b.
func (e *gfP6) MulNC(a, b *gfP6) *gfP6 {
	// (z0 + y0*s + x0*s²)* (z1 + y1*s + x1*s²)
	//  z0*z1 + z0*y1*s + z0*x1*s²
	// +y0*z1*s + y0*y1*s² + y0*x1*u
	// +x0*z1*s² + x0*y1*u + x0*x1*s*u
	//=(z0*z1+y0*x1*u+x0*y1*u) + (z0*y1+y0*z1+x0*x1*u)s + (z0*x1 + y0*y1 + x0*z1)*s²
	tx := &e.x
	ty := &e.y
	tz := &e.z
	t, v0, v1, v2 := &gfP2{}, &gfP2{}, &gfP2{}, &gfP2{}
	v0.Mul(&a.z, &b.z)
	v1.Mul(&a.y, &b.y)
	v2.Mul(&a.x, &b.x)

	t.Add(&a.y, &a.x)
	tz.Add(&b.y, &b.x)
	t.Mul(t, tz)
	t.Sub(t, v1)
	t.Sub(t, v2)
	t.MulU1(t)
	tz.Add(t, v0)

	t.Add(&a.z, &a.y)
	ty.Add(&b.z, &b.y)
	ty.Mul(t, ty)
	ty.Sub(ty, v0)
	ty.Sub(ty, v1)
	t.MulU1(v2)
	ty.Add(ty, t)

	t.Add(&a.z, &a.x)
	tx.Add(&b.z, &b.x)
	tx.Mul(tx, t)
	tx.Sub(tx, v0)
	tx.Add(tx, v1)
	tx.Sub(tx, v2)

	return e
}

// MulS returns (z + y*s + x*s²)*s
// = ys² + zs + xu
func (e *gfP6) MulS(a *gfP6) *gfP6 {
	ty := (&gfP2{}).Set(&a.y)
	tz := &gfP2{}

	tz.x.Set(&a.x.y)
	gfpDouble(&tz.y, &a.x.x)
	gfpNeg(&tz.y, &tz.y)

	e.y.Set(&a.z)
	e.x.Set(ty)
	e.z.Set(tz)

	return e
}

func (e *gfP6) Square(a *gfP6) *gfP6 {
	tmp := &gfP6{}
	tmp.SquareNC(a)
	gfp6Copy(e, tmp)
	return e
}

// Square without value copy, will use e directly, so e can't be same as a.
func (e *gfP6) SquareNC(a *gfP6) *gfP6 {
	// (z + y*s + x*s²)* (z + y*s + x*s²)
	// z^2 + z*y*s + z*x*s² + y*z*s + y^2*s² + y*x*u + x*z*s² + x*y*u + x^2 *u *s
	// (z^2 + y*x*s + x*y*u) + (z*y + y*z + u * x^2)s + (z*x + y^2 + x*z)*s²
	// (z^2 + 2*x*y*u) + (u*x^2 + 2*y*z) * s + (y^2 + 2*x*z) * s²
	// Karatsuba method
	tx := &e.x
	ty := &e.y
	tz := &e.z
	t, v0, v1, v2 := &gfP2{}, &gfP2{}, &gfP2{}, &gfP2{}

	v0.Square(&a.z)
	v1.Square(&a.y)
	v2.Square(&a.x)

	t.Add(&a.y, &a.x)
	tz.Square(t)
	tz.Sub(tz, v1)
	tz.Sub(tz, v2)
	tz.MulU1(tz)
	tz.Add(tz, v0)

	t.Add(&a.z, &a.y)
	ty.Square(t)
	ty.Sub(ty, v0)
	ty.Sub(ty, v1)
	t.MulU1(v2)
	ty.Add(ty, t)

	t.Add(&a.z, &a.x)
	tx.Square(t)
	tx.Sub(tx, v0)
	tx.Add(tx, v1)
	tx.Sub(tx, v2)

	return e
}

func (e *gfP6) Exp(f *gfP6, power *big.Int) *gfP6 {
	sum := (&gfP6{}).SetOne()
	t := &gfP6{}

	for i := power.BitLen() - 1; i >= 0; i-- {
		t.Square(sum)
		if power.Bit(i) != 0 {
			sum.Mul(t, f)
		} else {
			sum.Set(t)
		}
	}

	e.Set(sum)
	return e
}

func (e *gfP6) Invert(a *gfP6) *gfP6 {
	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
	// ftp://136.206.11.249/pub/crypto/pairings.pdf

	t1 := (&gfP2{}).MulU(&a.x, &a.y)
	A := (&gfP2{}).Square(&a.z)
	A.Sub(A, t1)

	B := (&gfP2{}).SquareU(&a.x)
	t1.Mul(&a.y, &a.z)
	B.Sub(B, t1)

	C := (&gfP2{}).Square(&a.y)
	t1.Mul(&a.x, &a.z)
	C.Sub(C, t1)

	F := (&gfP2{}).MulU(C, &a.y)
	t1.Mul(A, &a.z)
	F.Add(F, t1)
	t1.MulU(B, &a.x)
	F.Add(F, t1)

	F.Invert(F)

	e.x.Mul(C, F)
	e.y.Mul(B, F)
	e.z.Mul(A, F)
	return e
}

// (z + y*s + x*s²)^p
//= z^p + y^p*s*s^(p-1)+x^p*s²*(s²)^(p-1)
//= z^p + (s^(p-1)*y^p)*s+((s²)^(p-1)*x^p)*s²
//= f(z) + (s^(p-1)*f(y))*s+((s²)^(p-1)*f(x))*s²
// sToPMinus1^3 = p - 1
// sTo2PMinus2 = sToPMinus1 ^ 2
func (e *gfP6) Frobenius(a *gfP6) *gfP6 {
	e.z.Conjugate(&a.z)
	e.y.Conjugate(&a.y)
	e.x.Conjugate(&a.x)
	e.y.MulScalar(&e.y, sToPMinus1)
	e.x.MulScalar(&e.x, sTo2PMinus2)

	return e
}

// FrobeniusP2 computes (xs²+ys+z)^(p²)
// = z^p² + y^p²*s^p² + x^p²*s²^p²
// = z + y*s^p² + x * s^(2p²)
// = z + y*s*s^(p²-1) + x * s² * s^(2p² - 2)
// = z + y*s*u^((p²-1)/3) + x * s² * u^((2p² - 2)/3)
// uToPSquaredMinus1Over3 = sToPSquaredMinus1
// s^(p²-1) = s^((p-1)(p+1)) = (s^(p-1))^(p+1) = sTo2PMinus2
//
// uToPSquaredMinus1Over3 = sTo2PSquaredMinus2
// = sTo2PMinus2^2
func (e *gfP6) FrobeniusP2(a *gfP6) *gfP6 {
	e.x.MulScalar(&a.x, sTo2PSquaredMinus2)
	e.y.MulScalar(&a.y, sToPSquaredMinus1)
	e.z.Set(&a.z)
	return e
}

// FrobeniusP4 computes (xs²+ys+z)^(p^4)
func (e *gfP6) FrobeniusP4(a *gfP6) *gfP6 {
	e.x.MulScalar(&a.x, sToPSquaredMinus1)
	e.y.MulScalar(&a.y, sTo2PSquaredMinus2)
	e.z.Set(&a.z)
	return e
}

// Select sets q to p1 if cond == 1, and to p2 if cond == 0.
func (q *gfP6) Select(p1, p2 *gfP6, cond int) *gfP6 {
	q.x.Select(&p1.x, &p2.x, cond)
	q.y.Select(&p1.y, &p2.y, cond)
	q.z.Select(&p1.z, &p2.z, cond)
	return q
}