e12_pairing.go
package fptower
// nSquare replaces z with the result of applying CyclotomicSquare to it n
// times in place. A non-positive n leaves z unchanged.
//
// NOTE(review): cyclotomic squaring is presumably only valid when z lies in
// the cyclotomic subgroup; confirm that every caller guarantees this.
func (z *E12) nSquare(n int) {
	for remaining := n; remaining > 0; remaining-- {
		z.CyclotomicSquare(z)
	}
}
// nSquareCompressed applies CyclotomicSquareCompressed to z in place n times.
// A non-positive n leaves z unchanged.
//
// The value left in z is in the compressed representation; Expt calls
// DecompressKarabina on it before using it in a regular multiplication.
func (z *E12) nSquareCompressed(n int) {
	for remaining := n; remaining > 0; remaining-- {
		z.CyclotomicSquareCompressed(z)
	}
}
// Expt sets z to x^t in E12 and returns z, where t is the fixed exponent
// tAbsVal documented below.
//
// The exponent is a hard-coded constant, so the sequence of squarings and
// multiplications is the same for every input. The work is done in a local
// accumulator and copied to z at the end, so z may alias x.
//
// NOTE(review): the cyclotomic and compressed squarings used here are
// presumably only correct for x in the cyclotomic subgroup; confirm callers
// only pass such elements. Also confirm how DecompressKarabina behaves on
// degenerate compressed inputs.
func (z *E12) Expt(x *E12) *E12 {
	// const tAbsVal uint64 = 9586122913090633729
	// tAbsVal in binary: 1000010100001000110000000000000000000000000000000000000000000001
	// The top 18 bits are 100001010000100011 = 136227; the low 46 bits are all
	// 0 except the least significant one.
	// Shortest addition chains can be found at https://wwwhomes.uni-bielefeld.de/achim/addition_chain.html

	var acc, x33 E12

	// A shortest addition chain for 136227.
	// acc = x^32
	acc.Set(x)
	acc.nSquare(5)
	// acc = x^33, kept aside for reuse
	acc.Mul(&acc, x)
	x33.Set(&acc)
	// acc = x^(33*128 + 33) = x^4257
	acc.nSquare(7)
	acc.Mul(&acc, &x33)
	// acc = x^(4257*16 + 1) = x^68113
	acc.nSquare(4)
	acc.Mul(&acc, x)
	// acc = x^(68113*2 + 1) = x^136227
	acc.CyclotomicSquare(&acc)
	acc.Mul(&acc, x)

	// The remaining 46 bits: 46 squarings in compressed form, one
	// decompression, then a final multiplication for the trailing 1 bit.
	acc.nSquareCompressed(46)
	acc.DecompressKarabina(&acc)
	acc.Mul(&acc, x)

	z.Set(&acc)

	return z
}
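// MulBy034 multiplies z in place by the sparse element (c0,0,0,c3,c4,0) and
// returns z.
//
// The product is computed Karatsuba-style from three E6 multiplications:
//
//	a = z.C0 * c0
//	b = z.C1 * (c3, c4)            (via MulBy01)
//	d = (z.C0 + z.C1) * (c0+c3, c4) (via MulBy01)
//
// then z.C1 = d - a - b and z.C0 = MulByNonResidue(b) + a.
//
// c0, c3 and c4 are only read. The sum c0+c3 is formed in a local temporary
// rather than written back through the c0 pointer, so a caller that reuses
// the same coefficients for another multiplication does not silently get a
// corrupted c0 (and therefore a wrong product) on the next call.
func (z *E12) MulBy034(c0, c3, c4 *E2) *E12 {
	var a, b, d E6
	var c0PlusC3 E2

	a.MulByE2(&z.C0, c0)

	b.Set(&z.C1)
	b.MulBy01(c3, c4)

	// Keep the caller's c0 intact: accumulate c0+c3 in a scratch value.
	c0PlusC3.Add(c0, c3)
	d.Add(&z.C0, &z.C1)
	d.MulBy01(&c0PlusC3, c4)

	// z.C1 = -(a+b) + d, i.e. the cross term of the Karatsuba product.
	z.C1.Add(&a, &b).Neg(&z.C1).Add(&z.C1, &d)
	z.C0.MulByNonResidue(&b).Add(&z.C0, &a)

	return z
}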