constantine/constantine/arithmetic/finite_fields_inversion.nim

# Constantine
# Copyright (c) 2018-2019    Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.

import
  ../config/[curves, type_ff],
  ./bigints,
  ../curves/zoo_inversions

export zoo_inversions

# ############################################################
#
#                 Finite field inversion
#
# ############################################################

# No exceptions allowed
{.push raises: [].}
{.push inline.}

func inv_euclid*(r: var FF, a: FF) =
  ## Inversion modulo p via
  ## Niels Moller constant-time version of
  ## Stein's GCD derived from extended binary Euclid algorithm
  r.mres.steinsGCD(a.mres, FF.getR2modP(), FF.fieldMod(), FF.getPrimePlus1div2())

func inv*(r: var FF, a: FF) =
  ## Inversion modulo p
  ##
  ## The inverse of 0 is 0.
  ## Incidentally this avoids extra check
  ## to convert Jacobian and Projective coordinates
  ## to affine for elliptic curve
  # For now we don't activate the addition chains
  # Performance is slower than Euclid-based inversion on newer CPUs
  #
  # - Montgomery multiplication/squaring can skip the final substraction
  # - For generalized Mersenne Prime curves, modular reduction can be made extremely cheap.
  # - For BW6-761 the addition chain is over 2x slower than Euclid-based inversion
  #   due to multiplication being so costly with 12 limbs (grows quadratically)
  #   while Euclid costs grows linearly.
  when false and
       FF is Fp and FF.C.hasInversionAddchain() and
       FF.C notin {BW6_761}:
    r.inv_addchain(a)
  else:
    r.inv_euclid(a)

func inv*(a: var FF) =
  ## Inversion modulo p
  ##
  ## The inverse of 0 is 0.
  ## Incidentally this avoids extra check
  ## to convert Jacobian and Projective coordinates
  ## to affine for elliptic curve
  a.inv(a)

{.pop.} # inline
{.pop.} # raises no exceptions
30% faster constant-time inversion 2020-03-20 23:03:52 +01:00			`# Constantine`
			`# Copyright (c) 2018-2019 Status Research & Development GmbH`
			`# Copyright (c) 2020-Present Mamy André-Ratsimbazafy`
			`# Licensed and distributed under either of`
			`# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).`
			`# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).`
			`# at your option. This file may not be copied, modified, or distributed except according to those terms.`

			`import`
Fr: Finite Field parametrized by the curve order (#115) * Introduce Fr type: finite field over curve order. Need workaround for https://github.com/nim-lang/Nim/issues/16774 * Split curve properties into core and derived * Attach field properties to an instantiated field instead of the curve enum * Workaround https://github.com/nim-lang/Nim/issues/14021, yet another "working with types in macros" is difficult https://github.com/nim-lang/RFCs/issues/44 * Implement finite field over prime order of a curve subgroup * skip OpenSSL tests on windows 2021-01-22 00:09:52 +01:00			`../config/[curves, type_ff],`
Benchmark template for 𝔽p, 𝔽p2, 𝔽p6 2020-03-21 02:31:31 +01:00			`./bigints,`
Move pairings 2020-09-27 21:00:35 +02:00			`../curves/zoo_inversions`
30% faster constant-time inversion 2020-03-20 23:03:52 +01:00
Move pairings 2020-09-27 21:00:35 +02:00			`export zoo_inversions`
Faster inversion with addition chains (#80) 2020-09-04 19:04:32 +02:00
30% faster constant-time inversion 2020-03-20 23:03:52 +01:00			`# ############################################################`
			`#`
Move inversions curve-specific routines to the curve folder 2020-09-27 17:37:02 +02:00			`# Finite field inversion`
30% faster constant-time inversion 2020-03-20 23:03:52 +01:00			`#`
			`# ############################################################`

Rework towering (#148) * naive removal of out-of-place mul by non residue * Use {.inline.} in a consistent manner across the codebase * Handle aliasing for quadratic multiplication * reorg optimization * Handle aliasing for quadratic squaring * handle aliasing in mul_sparse_complex_by_0y * Rework multiplication by nonresidue, assume tower and twist use same non-residue * continue rework * continue on non-residues * Remove "NonResidue " calls handle aliasing in Chung-Hasan SQR2 * Handla aliasing in Chung-Hasan SQR3 * Use one less temporary in Chung Hasan sqr2 * handle aliasing in cubic extensions * merge extension tower in the same file to reduce duplicate proc and allow better inlining * handle aliasing in cubic inversion * drop out-of-place proc from BigInt and finite fields as well * less copies in line_projective * remove a copy in fp12 by lines 2021-02-06 16:28:38 +01:00			`# No exceptions allowed`
			`{.push raises: [].}`
			`{.push inline.}`

[Research] KZG polynomial commitment - part 1 FFT (#151) * FFT compiles, now on to debugging ... [skip CI] * Fix FFT and add bench [skip ci] * rename + add KZG resources * rename fft_fr * Implement FFT on elliptic curves =) * FFT G1 bench 2021-02-06 22:11:17 +01:00			`func inv_euclid*(r: var FF, a: FF) =`
Faster inversion with addition chains (#80) 2020-09-04 19:04:32 +02:00			`## Inversion modulo p via`
			`## Niels Moller constant-time version of`
			`## Stein's GCD derived from extended binary Euclid algorithm`
[Research] KZG polynomial commitment - part 1 FFT (#151) * FFT compiles, now on to debugging ... [skip CI] * Fix FFT and add bench [skip ci] * rename + add KZG resources * rename fft_fr * Implement FFT on elliptic curves =) * FFT G1 bench 2021-02-06 22:11:17 +01:00			`r.mres.steinsGCD(a.mres, FF.getR2modP(), FF.fieldMod(), FF.getPrimePlus1div2())`
Faster inversion with addition chains (#80) 2020-09-04 19:04:32 +02:00
[Research] KZG polynomial commitment - part 1 FFT (#151) * FFT compiles, now on to debugging ... [skip CI] * Fix FFT and add bench [skip ci] * rename + add KZG resources * rename fft_fr * Implement FFT on elliptic curves =) * FFT G1 bench 2021-02-06 22:11:17 +01:00			`func inv*(r: var FF, a: FF) =`
30% faster constant-time inversion 2020-03-20 23:03:52 +01:00			`## Inversion modulo p`
Refactor: Higher-Kinded Tower of Extension Fields (#25) * Mention that the inverse of 0 is 0 (TODO tests) * Introduce "Higher-Kinded tower extensions" * rename isCOmplexExtension -> fromComplexExtension * update benchmarks with the new tower scheme * Try to recover some speed on mul/squaring for an optimal tower (but this was not it) 2020-04-14 02:05:42 +02:00			`##`
			`## The inverse of 0 is 0.`
			`## Incidentally this avoids extra check`
			`## to convert Jacobian and Projective coordinates`
			`## to affine for elliptic curve`
Improve bn curve family support (#23) * Allow tagging BarretoNaehrig family * Refactor the constant generation and fix XDeclaredButNotUsed * BN field inversion via addition chain (but slower than generic :/ so deactivated) 2020-04-12 16:09:38 +02:00			`# For now we don't activate the addition chains`
Field sqrt optimization (#168) * add more Fp tests for Twisted Edwards curves * add fused sqrt+division bench * Significant fused sqrt+division improvement for any prime field over algorithm described in "High-Speed High-Security Signature", Bernstein et al, p15 "Fast decompression", https://ed25519.cr.yp.to/ed25519-20110705.pdf * Activate secp256k1 field benches + spring renaming of field multiplication * addition chains for inversion and sqrt of Curve25519 * Make isSquare use addition chains * add double-prec mul/square bench for <256-bit prime fields. 2022-01-01 16:19:35 +01:00			`# Performance is slower than Euclid-based inversion on newer CPUs`
			`#`
			`# - Montgomery multiplication/squaring can skip the final substraction`
			`# - For generalized Mersenne Prime curves, modular reduction can be made extremely cheap.`
			`# - For BW6-761 the addition chain is over 2x slower than Euclid-based inversion`
			`# due to multiplication being so costly with 12 limbs (grows quadratically)`
			`# while Euclid costs grows linearly.`
			`when false and`
			`FF is Fp and FF.C.hasInversionAddchain() and`
			`FF.C notin {BW6_761}:`
Faster inversion with addition chains (#80) 2020-09-04 19:04:32 +02:00			`r.inv_addchain(a)`
Bash ~_~ .... Azure 32-bit (+ fix BN inversion alternative path) 2020-09-01 13:40:39 +02:00			`else:`
Faster inversion with addition chains (#80) 2020-09-04 19:04:32 +02:00			`r.inv_euclid(a)`
G2 / Operations on the twisted curve E'(Fp2) (#51) * Split elliptic curve tests to better use parallel testing * Add support for printing points on G2 * Implement multiplication and division by optimal sextic non-residue (BLS12-381) * Implement modular square root in 𝔽p2 * Support EC add and EC double on G2 (for BLS12-381) * Support G2 divisive twists with non-unit sextic-non-residue like BN254 snarks * Add EC G2 bench * cleanup some unused warnings * Reorg the tests for parallelization and to avoid instantiating huge files 2020-06-15 22:58:56 +02:00
[Research] KZG polynomial commitment - part 1 FFT (#151) * FFT compiles, now on to debugging ... [skip CI] * Fix FFT and add bench [skip ci] * rename + add KZG resources * rename fft_fr * Implement FFT on elliptic curves =) * FFT G1 bench 2021-02-06 22:11:17 +01:00			`func inv*(a: var FF) =`
G2 / Operations on the twisted curve E'(Fp2) (#51) * Split elliptic curve tests to better use parallel testing * Add support for printing points on G2 * Implement multiplication and division by optimal sextic non-residue (BLS12-381) * Implement modular square root in 𝔽p2 * Support EC add and EC double on G2 (for BLS12-381) * Support G2 divisive twists with non-unit sextic-non-residue like BN254 snarks * Add EC G2 bench * cleanup some unused warnings * Reorg the tests for parallelization and to avoid instantiating huge files 2020-06-15 22:58:56 +02:00			`## Inversion modulo p`
			`##`
			`## The inverse of 0 is 0.`
			`## Incidentally this avoids extra check`
			`## to convert Jacobian and Projective coordinates`
			`## to affine for elliptic curve`
[Research] KZG polynomial commitment - part 1 FFT (#151) * FFT compiles, now on to debugging ... [skip CI] * Fix FFT and add bench [skip ci] * rename + add KZG resources * rename fft_fr * Implement FFT on elliptic curves =) * FFT G1 bench 2021-02-06 22:11:17 +01:00			`a.inv(a)`
Rework towering (#148) * naive removal of out-of-place mul by non residue * Use {.inline.} in a consistent manner across the codebase * Handle aliasing for quadratic multiplication * reorg optimization * Handle aliasing for quadratic squaring * handle aliasing in mul_sparse_complex_by_0y * Rework multiplication by nonresidue, assume tower and twist use same non-residue * continue rework * continue on non-residues * Remove "NonResidue " calls handle aliasing in Chung-Hasan SQR2 * Handla aliasing in Chung-Hasan SQR3 * Use one less temporary in Chung Hasan sqr2 * handle aliasing in cubic extensions * merge extension tower in the same file to reduce duplicate proc and allow better inlining * handle aliasing in cubic inversion * drop out-of-place proc from BigInt and finite fields as well * less copies in line_projective * remove a copy in fp12 by lines 2021-02-06 16:28:38 +01:00
			`{.pop.} # inline`
			`{.pop.} # raises no exceptions`