Fix cofactor in BW6-761 naive final exp (but still buggy - see #152)
This commit is contained in:
parent
258e7e516f
commit
ffc77cd087
|
@ -41,7 +41,7 @@ const BW6_761_pairing_ate_param_1_opt_isNeg* = false
|
||||||
|
|
||||||
|
|
||||||
# 2nd part: f_{u²-u-1,Q}(P) followed by Frobenius application
|
# 2nd part: f_{u²-u-1,Q}(P) followed by Frobenius application
|
||||||
const BW6_761_pairing_ate_param_opt_2* = block:
|
const BW6_761_pairing_ate_param_2_opt* = block:
|
||||||
# BW6 Miller loop second part is parametrized by u²-u-1
|
# BW6 Miller loop second part is parametrized by u²-u-1
|
||||||
# +1 to bitlength so that we can mul by 3 for NAF encoding
|
# +1 to bitlength so that we can mul by 3 for NAF encoding
|
||||||
BigInt[127+1].fromHex"0x452217cc900000008508bfffffffffff"
|
BigInt[127+1].fromHex"0x452217cc900000008508bfffffffffff"
|
||||||
|
@ -50,8 +50,8 @@ const BW6_761_pairing_ate_param_2_opt_isNeg* = false
|
||||||
|
|
||||||
|
|
||||||
const BW6_761_pairing_finalexponent* = block:
|
const BW6_761_pairing_finalexponent* = block:
|
||||||
# (p^6 - 1) / r * 3
|
# (p^6 - 1) / r * 3*(u^3-u^2+1)
|
||||||
BigInt[4186].fromHex"0x3d7fafd4d00189a67bdf3e3e099095571b3671b450e1430228baeca99efec770d2499a6732e8891ede83d26c08c7afdcb004a074ccea612933db92ba5b26a6683f2b782d91befd4170c3203b47ecb246847cd292b51591c00f608b6bd51942243a3042325356d537c26dc5cbe2c64656bf2aed4b94c66bf8629eb027698ebde2b14cbeda063db5d74b44c16ffd421206094832fe5b7ec54d68e312f5bfa26f87ea2c85578de4a05d1283d040a9a13ee0c9b4dfaf4116599b14ffbde13fb06415e28945def8dc5ada9692d40c49b675718ca8865551b0cca4c87bbb2becd0a90db08638c5bd777015ae4f34d19c66bb5de3e9929deb7de11789fb4100a0d1bbd75cabb2d52979693cd2f2c7bbb77016161f43722b3b1a32f3cf150df07f282193c7bd573c046e3b17775c3f007b2ba146b8fd2434604c0f29fb56edf981d37ad4c312c3daa27314b14db0d0c4d030a5dd7641899e685efcb9d41791a84ed44ef6b8f6f86522ef26e63f53693df95706fc1264a062f93d499cfdc033465a582b86fe0329b011a4536505fcd30aa0e09dfc3c57fc4a9e95246d4d4519160cb6088828f5082ebc1775012c6868441ee831d897fabe8de92fde56533968e8bd25fd04cccb2d932f768350e8b0eaebbcab3649380640e01daba898ae6c5085a149cf14bb0b2f465391d8393298b2c3caf1c30a8496035a5c00c8327c30f7d1d5c24f02a65f7d3d0b413ade8564b78"
|
BigInt[4376].fromHex"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"
|
||||||
|
|
||||||
# Addition chain
|
# Addition chain
|
||||||
# ------------------------------------------------------------
|
# ------------------------------------------------------------
|
|
@ -166,7 +166,7 @@ def genAteParam_BW6_opt(curve_name, curve_config):
|
||||||
|
|
||||||
buf += '\n\n\n'
|
buf += '\n\n\n'
|
||||||
buf += '# 2nd part: f_{u²-u-1,Q}(P) followed by Frobenius application\n'
|
buf += '# 2nd part: f_{u²-u-1,Q}(P) followed by Frobenius application\n'
|
||||||
buf += f'const {curve_name}_pairing_ate_param_opt_2* = block:\n'
|
buf += f'const {curve_name}_pairing_ate_param_2_opt* = block:\n'
|
||||||
buf += ate_comment_2
|
buf += ate_comment_2
|
||||||
|
|
||||||
ate_2_bits = int(ate_param_2).bit_length()
|
ate_2_bits = int(ate_param_2).bit_length()
|
||||||
|
@ -188,14 +188,21 @@ def genFinalExp(curve_name, curve_config):
|
||||||
|
|
||||||
# For BLS12 and BW6, 3*hard part has a better expression
|
# For BLS12 and BW6, 3*hard part has a better expression
|
||||||
# in the q basis with LLL algorithm
|
# in the q basis with LLL algorithm
|
||||||
fexpMul3 = family == 'BLS12' or family == 'BW6'
|
scale = 1
|
||||||
|
scaleDesc = ''
|
||||||
|
if family == 'BLS12':
|
||||||
|
scale = 3
|
||||||
|
scaleDesc = ' * 3'
|
||||||
|
if family == 'BW6':
|
||||||
|
u = curve_config[curve_name]['field']['param']
|
||||||
|
scale = 3*(u^3-u^2+1)
|
||||||
|
scaleDesc = ' * 3*(u^3-u^2+1)'
|
||||||
|
|
||||||
fexp = (p^k - 1)//r
|
fexp = (p^k - 1)//r
|
||||||
if fexpMul3:
|
fexp *= scale
|
||||||
fexp *= 3
|
|
||||||
|
|
||||||
buf = f'const {curve_name}_pairing_finalexponent* = block:\n'
|
buf = f'const {curve_name}_pairing_finalexponent* = block:\n'
|
||||||
buf += f' # (p^{k} - 1) / r' + (' * 3' if fexpMul3 else '')
|
buf += f' # (p^{k} - 1) / r' + scaleDesc
|
||||||
buf += '\n'
|
buf += '\n'
|
||||||
buf += f' BigInt[{int(fexp).bit_length()}].fromHex"0x{Integer(fexp).hex()}"'
|
buf += f' BigInt[{int(fexp).bit_length()}].fromHex"0x{Integer(fexp).hex()}"'
|
||||||
|
|
||||||
|
|
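Review bot: The BW6 branch scales the final exponent by `3*(u^3-u^2+1)` but never checks that this cofactor is coprime to `r`; a scaled exponent only keeps the pairing non-degenerate when gcd(scale, r) == 1, so add `assert gcd(scale, r) == 1, 'final exponent cofactor must be coprime to r'` directly after the two `scale = ...` assignments (`r`, `p`, `k` and `family` are only used by name in this hunk, their definitions lie before it). The comment `# For BLS12 and BW6, 3*hard part has a better expression` now describes only the BLS12 case, since BW6 uses the larger cofactor; rewrite it as `# For BLS12 the hard part is scaled by 3, for BW6 by 3*(u^3-u^2+1) (see #152)`. The `scaleDesc` strings duplicate the cofactor expressions by hand, so `scale` and the generated comment can silently drift apart; deriving the description from `scale` (e.g. `scaleDesc = f' * {scale}'`) would keep them in sync, though the human-readable factorization would then be lost from the generated file. genFinalExp's body appears to continue past the end of the hunk.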