comments

2026-01-09 09:13:09 +00:00 · 2023-02-01 19:30:04 -08:00 · 2023-02-01 19:30:04 -08:00 · c107c5055e
commit c107c5055e
parent e1dca8703c
3 changed files with 10 additions and 3 deletions
--- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_power.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_power.asm
@ -1,3 +1,8 @@
+/// To make the Tate pairing an invariant, the final step is to exponentiate by
+///     (p^12 - 1)/N = (p^6 - 1)(p^2 + 1)(p^4 - p^2 + 1)/N
+/// The function in this module enacts the final exponentiation, by
+///     (p^4 - p^2 + 1)/N = p^3 + (a2)p^2 - (a1)p - a0
+///
 /// def final_exp(y):
 ///     y4, y2, y0 = 1, 1, 1
 ///     power_loop_4()
@ -15,7 +20,7 @@
 ///     y  = y.frob(3)
 ///     y2 = y2.frob(2)
 ///     y1 = y1.frob(1)
-///     return y * y2 * y4 * y0
+///     return y * y2 * y1 * y0

 global final_exp:
    // stack:                  val, retdest
--- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/fp12_mul.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/fp12_mul.asm
@ -360,7 +360,7 @@ square_fp12_1:
    %jump(square_fp6)
 square_fp12_2:
    // stack:                                           f'f', inp, f, square_fp12_3, out
-    %sh
+    %sh_fp254_6
    // stack:                                       sh(f'f'), inp, f, square_fp12_3, out
    %swap_fp6_hole
    // stack:                                       f, inp, sh(f'f'), square_fp12_3, out
--- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm
@ -490,7 +490,9 @@
    // stack: g0, g1, g2, g3, g4, g5, X, f0, f1, f2, f3, f4, f5
 %endmacro

-%macro sh
+/// multiply (a + bt + ct^2) by t:
+///     t(a + bt + ct^2) = at + bt^2 + ct^3 = (9+i)c + at + bt^2
+%macro sh_fp254_6
    // stack: f0 , f0_, f1,  f1_, f2 , f2_
    SWAP2
    // stack: f1 , f0_, g0 , f1_, f2 , f2_