Mamy Ratsimbazafy 53c4db7ead
Fast modular inversion (#172)
* split modular inversion in its own file

* Stash fast GCD inversion https://eprint.iacr.org/2020/972.pdf

* Stash Pornin's bingcd -> issue with inner modular reduction

* Implement Bernstein-Yang inversion

* Avoid Nim checks on signed integers (32-bit runtime issue)

* cleanup: remove old inversion impls

* cleanup: static moduli, move div2

* small comments (skip ci)

* comment cleanup (skip ci)

* fix total iterations on 32-bit

* Add batch conversion to affine coordinates using simultaneous inversion trick

* fix conditional setZero and batchAffine conversion

* cleanup unneeded branches following affine conversion unification

* Fix batchAffine with zero inputs and add fuzz failure to test suite
2022-02-10 14:05:07 +01:00

72 lines
1.6 KiB
Nim

import
../../constantine/config/curves,
../../constantine/[arithmetic, primitives, towers],
../../constantine/elliptic/[
ec_scalar_mul,
ec_shortweierstrass_affine,
ec_shortweierstrass_projective,
],
../../constantine/io/[io_fields, io_ec],
../../constantine/pairing/[
pairing_bls12,
miller_loops,
cyclotomic_fp12
]
type
G1 = ECP_ShortW_Prj[Fp[BLS12_381], G1]
G2 = ECP_ShortW_Prj[Fp2[BLS12_381], G2]
G1aff = ECP_ShortW_Aff[Fp[BLS12_381], G1]
G2aff = ECP_ShortW_Aff[Fp2[BLS12_381], G2]
GT = Fp12[BLS12_381]
func linear_combination*(
r: var G1,
points: openarray[G1],
coefs: openarray[Fr[BLS12_381]]
) =
## Polynomial evaluation
## TODO: multi scalar mul
doAssert points.len == coefs.len
r.setInf()
for i in 0 ..< points.len:
var tmp = points[i]
tmp.scalarMul(coefs[i].toBig())
r += tmp
func pair_verify*(
P1: G1,
Q1: G2,
P2: G1,
Q2: G2,
): bool =
## TODO, multi-pairings.
## Affine
var P1a, P2a: G1aff
var Q1a, Q2a: G2aff
P1a.affine(P1)
Q1a.affine(Q1)
P2a.affine(P2)
Q2a.affine(Q2)
# To verify if e(P1, Q1) == e(P2, Q2)
# we can do e(P1, Q1) / e(P2, Q2) == 1
# <=> e(P1, Q1) . e(P2, Q2)^-1
# <=> e(P1, Q1) . e(-P2, Q2) due to pairings bilinearity
# we can negate any of the points but it's cheaper to use a G1
P1a.neg()
# Merge 2 miller loops.
var gt1, gt2: GT
gt1.millerLoopAddchain(Q1a, P1a)
gt2.millerLoopAddchain(Q2a, P2a)
gt1 *= gt2
gt1.finalExpEasy()
gt1.finalExpHard_BLS12()
return gt1.isOne().bool()