From 0c18f4436cf392f58574acf05c153b55439f947c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mamy=20Andr=C3=A9-Ratsimbazafy?= Date: Wed, 23 Sep 2020 01:21:35 +0200 Subject: [PATCH] Frobenius map over fp12 (works for power 1 and 3 but not 2) --- constantine/isogeny/frobenius.nim | 21 +++++++++++++--- constantine/pairing/README.md | 13 ++++++++++ tests/t_fp12_frobenius.nim | 33 +++++++++++++++++++++++++ tests/t_fp_tower_frobenius_template.nim | 8 +----- 4 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 tests/t_fp12_frobenius.nim diff --git a/constantine/isogeny/frobenius.nim b/constantine/isogeny/frobenius.nim index 69e2335..9036273 100644 --- a/constantine/isogeny/frobenius.nim +++ b/constantine/isogeny/frobenius.nim @@ -47,13 +47,13 @@ template mulCheckSparse[Fp2](a: var Fp2, b: Fp2) = when b.c0.isOne().bool and b.c1.isZero().bool: discard elif b.c0.isZero().bool and b.c1.isOne().bool: - var t {.noInit.}: type(b.c0) - when fromComplexExtension(b.c0): + var t {.noInit.}: type(a.c0) + when fromComplexExtension(b): t.neg(a.c1) a.c1 = a.c0 a.c0 = t else: - t = a.c1 * NonResidue + t = NonResidue * a.c1 a.c1 = a.c0 a.c0 = t elif b.c0.isZero().bool: 
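Review bot: The `when` branches in this template pick the sparse-multiply code at compile time from `b`, which is what keeps the operation free of any branch on the (possibly secret) operand `a`, but neither the signature `b: Fp2` nor a comment says that `b` has to be a compile-time constant; a caller passing a runtime value would presumably only find out from an opaque `when` evaluation error. I would add above the first `when`: `# b must be a compile-time constant: the sparsity pattern is selected with when, so no branch depends on the value of a.` Typing `t` as `type(a.c0)` instead of `type(b.c0)` reads as the right choice here, since `t` only ever holds values derived from `a`. The template continues past the hunk (the `elif b.c0.isZero().bool` case is cut off), so the remaining branches were not reviewed.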
@@ -153,6 +153,21 @@ func frobenius_map*(r: var Fp4, a: Fp4, k: static int = 1) {.inline.} = r.c1.frobenius_map(a.c1, k) r.c1.mulCheckSparse FrobMapConst_BLS12_381[k-1][4-1] +func frobenius_map*(r: var Fp12, a: Fp12, k: static int = 1) {.inline.} = + ## Computes a^(p^k) + ## The p-power frobenius automorphism on 𝔽p4 + static: doAssert r.c0 is Fp4 + for r_fp4, a_fp4 in fields(r, a): + for r_fp2, a_fp2 in fields(r_fp4, a_fp4): + r_fp2.frobenius_map(a_fp2) + + r.c0.c0.mulCheckSparse FrobMapConst_BLS12_381[k-1][0] + r.c0.c1.mulCheckSparse FrobMapConst_BLS12_381[k-1][3] + r.c1.c0.mulCheckSparse FrobMapConst_BLS12_381[k-1][1] + r.c1.c1.mulCheckSparse FrobMapConst_BLS12_381[k-1][4] + r.c2.c0.mulCheckSparse FrobMapConst_BLS12_381[k-1][2] + r.c2.c1.mulCheckSparse FrobMapConst_BLS12_381[k-1][5] + # ψ (Psi) - Untwist-Frobenius-Twist Endomorphisms on twisted curves # ----------------------------------------------------------------- # TODO: generate those constants via Sage in a Json file diff --git a/constantine/pairing/README.md b/constantine/pairing/README.md index be35783..23e34a3 100644 --- a/constantine/pairing/README.md +++ b/constantine/pairing/README.md @@ -10,11 +10,24 @@ ### Research +- Compressed Pairings\ + Scott, Barreto, 2004\ + https://eprint.iacr.org/2004/032.pdf + - On the Implementation of Pairing-based Cryptosystems\ PhD Thesis\ Ben Lynn, 2007\ https://crypto.stanford.edu/pbc/thesis.pdf +- On the final exponentiation for calculating\ + pairings on ordinary elliptic curves\ + Scott, Benger, Charlemagne, Perez, Kachisa, 2008\ + https://eprint.iacr.org/2008/490.pdf + +- Faster Squaring in the Cyclotomic Subgroup ofSixth Degree Extensions\ + Granger, Scott, 2009\ + https://eprint.iacr.org/2009/565.pdf + - Faster Pairing Computations on Curves with High-Degree Twists Craig Costello, Tanja Lange, and Michael Naehrig, 2009 https://eprint.iacr.org/2009/615.pdf 
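Review bot: The inner call `r_fp2.frobenius_map(a_fp2)` does not pass `k`, so every 𝔽p2 coefficient is always raised to p^1 (the default) while the sparse constants are selected with `FrobMapConst_BLS12_381[k-1]`; since the p-power map on 𝔽p2 is conjugation, odd powers coincide with it and only p^2 (the identity) differs, which is consistent with the "not 2" in the commit title. The 𝔽p4 version in the context lines forwards the power, and the 𝔽p12 loop should do the same: `r_fp2.frobenius_map(a_fp2, k)`. The doc comment appears copied from that 𝔽p4 version; `## The p-power frobenius automorphism on 𝔽p12` is what this function implements. Finally, the signature accepts any `Fp12` but the constant table is BLS12-381 only, so a `static: doAssert` tying the field's curve to BLS12_381 (next to the existing `static: doAssert r.c0 is Fp4` that already pins the tower shape) would turn a silently wrong result on another curve into a compile error — the 𝔽p4 version above has the same gap.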
diff --git a/tests/t_fp12_frobenius.nim b/tests/t_fp12_frobenius.nim new file mode 100644 index 0000000..61e178f --- /dev/null +++ b/tests/t_fp12_frobenius.nim @@ -0,0 +1,33 @@ +# Constantine +# Copyright (c) 2018-2019 Status Research & Development GmbH +# Copyright (c) 2020-Present Mamy André-Ratsimbazafy +# Licensed and distributed under either of +# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT). +# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0). +# at your option. This file may not be copied, modified, or distributed except according to those terms. + +import + # Internals + ../constantine/towers, + ../constantine/config/curves, + # Test utilities + ./t_fp_tower_frobenius_template + +const TestCurves = [ + # BN254_Nogami + # BN254_Snarks, + # BLS12_377, + BLS12_381, + # BN446 + # FKM12_447 + # BLS12_461 + # BN462 + ] + +runFrobeniusTowerTests( + ExtDegree = 12, + Iters = 8, + TestCurves = TestCurves, + moduleName = "test_fp12_frobenius", + testSuiteDesc = "𝔽p12 Frobenius map: Frobenius(a, k) = a^(p^k) (mod p^12)" +) diff --git a/tests/t_fp_tower_frobenius_template.nim b/tests/t_fp_tower_frobenius_template.nim index 8e9864d..ec08121 100644 --- a/tests/t_fp_tower_frobenius_template.nim +++ b/tests/t_fp_tower_frobenius_template.nim @@ -83,22 +83,16 @@ proc runFrobeniusTowerTests*[N]( test "Frobenius(a, 2) = a^(p^2) (mod p^" & $ExtDegree & ")": proc test(Field: typedesc, Iters: static int, gen: RandomGen) = - for _ in 0 ..< 1: + for _ in 0 ..< Iters: var a = rng.random_elem(Field, gen) var fa {.noInit.}: typeof(a) fa.frobenius_map(a, k = 2) - var fa2 {.noInit.}: typeof(a) - fa2.frobenius_map(a, k = 1) - fa2.frobenius_map(fa2, k = 1) - a.powUnsafeExponent(Field.C.Mod, window = 3) a.powUnsafeExponent(Field.C.Mod, window = 3) check: bool(a == fa) - bool(a == fa2) - bool(fa == fa2) staticFor(curve, TestCurves): test(ExtField(ExtDegree, curve), Iters, gen = Uniform)
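Review bot: This file is added while the commit title states that power 2 does not work, and the shared template runs a "Frobenius(a, 2)" test, so if that is still the state of the code the new suite is red from the moment it lands; I would either gate the k = 2 case or at least record the known failure in the file, e.g. `# TODO: the Frobenius(a, 2) test on 𝔽p12 is known to fail (see commit message)`. The reason only BLS12_381 is enabled in `TestCurves` is also worth one line, since the 𝔽p12 Frobenius uses BLS12-381-specific constants: `# Only BLS12_381 for now: the 𝔽p12 Frobenius constants are BLS12-381-specific`. Without that, a later reader may uncomment the other curves and get failures that look like regressions rather than a missing table.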
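Review bot: The removed `fa2` lines dropped the only check that Frobenius(a, 2) agrees with applying Frobenius(·, 1) twice, leaving the `powUnsafeExponent` reference as the sole oracle; that composition check is cheap and is an independent witness for exactly the power-2 case the title says is broken, so I would keep it alongside the loop fix by restoring `fa2.frobenius_map(a, k = 1)` and `fa2.frobenius_map(fa2, k = 1)` and adding `bool(fa == fa2)` back to the `check:` block. The `for _ in 0 ..< Iters:` change itself is correct: the old loop ran a single iteration regardless of `Iters`. The enclosing `runFrobeniusTowerTests` proc starts before the hunk and its other tests were not reviewed.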