diff --git a/constantine/arithmetic/finite_fields_inversion.nim b/constantine/arithmetic/finite_fields_inversion.nim
index e64373d..51c8725 100644
--- a/constantine/arithmetic/finite_fields_inversion.nim
+++ b/constantine/arithmetic/finite_fields_inversion.nim
@@ -310,48 +310,6 @@ func inv_addchain*(r: var Fp[BLS12_381], a: Fp[BLS12_381]) =
 # BN Curves
 # ------------------------------------------------------------
-# Efficient Pairings and ECC for Embedded Systems
-# Thomas Unterluggauer and Erich Wenger
-# https://eprint.iacr.org/2014/800.pdf
-#
-# BN curve field modulus are of the form:
-# p = 36u^4 + 36u^3 + 24u^2 + 6u + 1
-#
-# We construct the following multiplication-squaring chain
-# a^-1 mod p = a^(p-2) mod p (Little Fermat Theorem)
-# = a^(36 u^4 + 36 u^3 + 24 u^2 + 6u + 1 - 2) mod p
-# = a^(36 u^4) . a^(36 u^3) . a^(24 u^2) . a^(6u-1) mod p
-#
-# Note: it only works for u positive, in particular BN254_Nogami doesn't work :/
-# Is there a way to only use a^-u or even powers?
-
-func inv_addchain_bn[C](r: var Fp[C], a: Fp[C]) {.used.}=
- ## Inversion on BN prime fields with positive base parameter `u`
- ## via Little Fermat theorem and leveraging the prime low Hamming weight
- ##
- ## Requires a `bn` curve with a positive parameter `u`
- # TODO: debug for input "0x0d2007d8aaface1b8501bfbe792974166e8f9ad6106e5b563604f0aea9ab06f6"
- # on BN254_Snarks see test suite (but works in Sage so aliasing issue?)
- #
- # For BN254_Snarks `u` and `6u-1` exponentiation are not fast enough
- # (even with dedicated addchains)
- # compared to an addchain on the full prime modulus
- static: doAssert C.canUse_BN_AddchainInversion()
-
- var v0 {.noInit.}, v1 {.noInit.}: Fp[C]
-
- v0 = a
- v0.powUnsafeExponent(C.getBN_param_6u_minus_1_BE()) # v0 <- a^(6u-1)
- v1.prod(v0, a) # v1 <- a^(6u)
- v1.powUnsafeExponent(C.getBN_param_u_BE()) # v1 <- a^(6u²)
- r.square(v1) # r <- a^(12u²)
- v1.square(r) # v1 <- a^(24u²)
- v0 *= v1 # v0 <- a^(24u²) a^(6u-1)
- v1 *= r # v1 <- a^(24u²) a^(12u²) = a^(36u²)
- v1.powUnsafeExponent(C.getBN_param_u_BE()) # v1 <- a^(36u³)
- r.prod(v0, v1) # r <- a^(36u³) a^(24u²) a^(6u-1)
- v1.powUnsafeExponent(C.getBN_param_u_BE()) # v1 <- a^(36u⁴)
- r *= v1 # r <- a^(36u⁴) a^(36u³) a^(24u²) a^(6u-1) = a^(p-2) = a^(-1)
 func inv_addchain*(r: var Fp[BN254_Snarks], a: Fp[BN254_Snarks]) =
 var
diff --git a/constantine/config/curves_declaration.nim b/constantine/config/curves_declaration.nim
index 68c1a71..157ed88 100644
--- a/constantine/config/curves_declaration.nim
+++ b/constantine/config/curves_declaration.nim
@@ -38,15 +38,6 @@ export CurveFamily
 # which returns the field modulus of the curve
 # - proc Family*(curve: static Curve): CurveFamily
 # which returns the curve family
-# - proc get_BN_param_u_BE*(curve: static Curve): array[N, byte]
-# which returns the "u" parameter of a BN curve
-# as a big-endian canonical integer representation
-# if it's a BN curve and u is positive
-# - proc get_BN_param_6u_minus1_BE*(curve: static Curve): array[N, byte]
-# which returns the "6u-1" parameter of a BN curve
-# as a big-endian canonical integer representation
-# if it's a BN curve and u is positive.
-# This is used for optimized field inversion for BN curves
 declareCurves:
 # -----------------------------------------------------------------------------
@@ -102,8 +93,6 @@ declareCurves:
 bitwidth: 254
 modulus: "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"
 family: BarretoNaehrig
- bn_u_bitwidth: 63
- bn_u: "0x44e992b44a6909f1" # u: 4965661367192848881
 # G1 Equation: Y^2 = X^3 + 3
 # G2 Equation: Y^2 = X^3 + 3/(9+𝑖)
diff --git a/constantine/config/curves_parser.nim b/constantine/config/curves_parser.nim
index 674383e..7baaf54 100644
--- a/constantine/config/curves_parser.nim
+++ b/constantine/config/curves_parser.nim
@@ -110,10 +110,6 @@ type
 sexticNonResidue_fp2: NimNode # nnkPar(nnkIntLit, nnkIntLit)
 family: CurveFamily
- # BN family
- # ------------------------
- bn_u_bitwidth: NimNode # nnkIntLit
- bn_u: NimNode # nnkStrLit (hex)
 var curvesDefinitions {.compileTime.}: seq[CurveParams]
@@ -178,10 +174,6 @@ proc parseCurveDecls(defs: var seq[CurveParams], curves: NimNode) =
 params.modulus = sectionVal
 elif sectionId.eqIdent"family":
 params.family = parseEnum[CurveFamily]($sectionVal)
- elif sectionId.eqIdent"bn_u_bitwidth":
- params.bn_u_bitwidth = sectionVal
- elif sectionId.eqIdent"bn_u":
- params.bn_u = sectionVal
 elif sectionId.eqIdent"eq_form":
 params.eq_form = parseEnum[CurveEquationForm]($sectionVal)
 elif sectionId.eqIdent"coef_a":
@@ -315,29 +307,6 @@ proc genMainConstants(defs: var seq[CurveParams]): NimNode =
 curveDef.sexticNonResidue_fp2
 )
- # BN curves
- # -----------------------------------------------
- if family == BarretoNaehrig:
- if not curveDef.bn_u_bitwidth.isNil and
- not curveDef.bn_u.isNil and
- ($curveDef.bn_u)[0] != '-': # The parameter must be positive
- curveExtraStmts.add newConstStmt(
- exported($curve & "_BN_can_use_addchain_inversion"),
- newLit true
- )
- curveExtraStmts.add newConstStmt(
- exported($curve & "_BN_param_u"),
- newCall(
- bindSym"fromHex",
- nnkBracketExpr.newTree(bindSym"BigInt", curveDef.bn_u_bitwidth),
- curveDef.bn_u
- )
- )
- else:
- curveExtraStmts.add newConstStmt(
- exported($curve & "_BN_can_use_addchain_inversion"),
- newLit false
- )
 # end for ---------------------------------------------------
 result = newStmtList()
diff --git a/constantine/io/io_towers.nim b/constantine/io/io_towers.nim
index 41ab40c..f712e31 100644
--- a/constantine/io/io_towers.nim
+++ b/constantine/io/io_towers.nim
@@ -12,8 +12,6 @@ import std/typetraits,
 # Internal
 ./io_bigints, ./io_fields,
- ../config/curves,
- ../arithmetic/finite_fields,
 ../towers
 # No exceptions allowed