diff --git a/constantine/curves/bw6_761_pairing.nim b/constantine/curves/bw6_761_pairing.nim index 1516ae8..a3d0cf5 100644 --- a/constantine/curves/bw6_761_pairing.nim +++ b/constantine/curves/bw6_761_pairing.nim @@ -41,7 +41,7 @@ const BW6_761_pairing_ate_param_1_opt_isNeg* = false # 2nd part: f_{u²-u-1,Q}(P) followed by Frobenius application -const BW6_761_pairing_ate_param_opt_2* = block: +const BW6_761_pairing_ate_param_2_opt* = block: # BW6 Miller loop second part is parametrized by u²-u-1 # +1 to bitlength so that we can mul by 3 for NAF encoding BigInt[127+1].fromHex"0x452217cc900000008508bfffffffffff" @@ -50,8 +50,8 @@ const BW6_761_pairing_ate_param_2_opt_isNeg* = false const BW6_761_pairing_finalexponent* = block: - # (p^6 - 1) / r * 3 - BigInt[4186].fromHex"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" + # (p^6 - 1) / r * 3*(u^3-u^2+1) + BigInt[4376].fromHex"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" # Addition chain # ------------------------------------------------------------ \ No newline at end of file diff --git a/sage/derive_pairing.sage b/sage/derive_pairing.sage index adf9c3d..7df2ad1 100644 --- a/sage/derive_pairing.sage +++ b/sage/derive_pairing.sage @@ -166,7 +166,7 @@ def genAteParam_BW6_opt(curve_name, curve_config): buf += '\n\n\n' buf += '# 2nd part: f_{u²-u-1,Q}(P) followed by Frobenius application\n' - buf += f'const {curve_name}_pairing_ate_param_opt_2* = block:\n' + buf += f'const {curve_name}_pairing_ate_param_2_opt* = block:\n' buf += ate_comment_2 ate_2_bits = int(ate_param_2).bit_length() 
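Review bot: The updated comment on `BW6_761_pairing_finalexponent` records the new factor but not what it means for callers. With the exponent changed from `(p^6 - 1) / r * 3` to `(p^6 - 1) / r * 3*(u^3-u^2+1)`, the final exponentiation returns the reduced pairing raised to an extra power. GT values therefore no longer match ones produced under the previous scaling, such as stored test vectors or cross-library comparisons. I would add a line such as `# NOTE: result is the reduced pairing raised to 3*(u^3-u^2+1); compare GT values only under the same convention`. If this file is emitted by sage/derive_pairing.sage, as the matching change there suggests, the wording belongs in the generator so it survives regeneration.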
@@ -188,14 +188,21 @@ def genFinalExp(curve_name, curve_config): # For BLS12 and BW6, 3*hard part has a better expression # in the q basis with LLL algorithm - fexpMul3 = family == 'BLS12' or family == 'BW6' + scale = 1 + scaleDesc = '' + if family == 'BLS12': + scale = 3 + scaleDesc = ' * 3' + if family == 'BW6': + u = curve_config[curve_name]['field']['param'] + scale = 3*(u^3-u^2+1) + scaleDesc = ' * 3*(u^3-u^2+1)' fexp = (p^k - 1)//r - if fexpMul3: - fexp *= 3 + fexp *= scale buf = f'const {curve_name}_pairing_finalexponent* = block:\n' - buf += f' # (p^{k} - 1) / r' + (' * 3' if fexpMul3 else '') + buf += f' # (p^{k} - 1) / r' + scaleDesc buf += '\n' buf += f' BigInt[{int(fexp).bit_length()}].fromHex"0x{Integer(fexp).hex()}"'
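Review bot: Nothing in genFinalExp checks that the new multiplier is safe to fold into the exponent. In the `family == 'BW6'` branch, `scale = 3*(u^3-u^2+1)` is multiplied into `fexp` with no test that it is coprime to `r`; if `r` divided `scale`, every pairing would evaluate to 1. I would add `assert gcd(scale, r) == 1` after the two `if family` branches, and `assert (p^k - 1) % r == 0` before the floor division, so that a wrong `curve_config` entry fails in the generator instead of emitting a silently truncated constant. The emitted comment `(p^6 - 1) / r * 3*(u^3-u^2+1)` can also be read as a division by the whole product; writing it as `((p^6 - 1) / r) * 3*(u^3-u^2+1)` removes the ambiguity. genFinalExp starts and ends outside the hunk, so the types of `u` and `r` are assumed from how they are used here.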