diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_power.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_power.asm
index a38c8a65..6d27ed93 100644
--- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_power.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_power.asm
@@ -1,3 +1,8 @@
+/// To make the Tate pairing an invariant, the final step is to exponentiate by
+/// (p^12 - 1)/N = (p^6 - 1)(p^2 + 1)(p^4 - p^2 + 1)/N
+/// The function in this module enacts the final exponentiation, by
+/// (p^4 - p^2 + 1)/N = p^3 + (a2)p^2 - (a1)p - a0
+///
 /// def final_exp(y):
 /// y4, y2, y0 = 1, 1, 1
 /// power_loop_4()
@@ -15,7 +20,7 @@
 /// y = y.frob(3)
 /// y2 = y2.frob(2)
 /// y1 = y1.frob(1)
-/// return y * y2 * y4 * y0
+/// return y * y2 * y1 * y0
 
 global final_exp:
 // stack: val, retdest
diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/fp12_mul.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/fp12_mul.asm
index 3069107f..ef0d1c96 100644
--- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/fp12_mul.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/fp12_mul.asm
@@ -360,7 +360,7 @@ square_fp12_1:
 %jump(square_fp6)
 square_fp12_2:
 // stack: f'f', inp, f, square_fp12_3, out
-%sh
+%sh_fp254_6
 // stack: sh(f'f'), inp, f, square_fp12_3, out
 %swap_fp6_hole
 // stack: f, inp, sh(f'f'), square_fp12_3, out
diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm
index 9097c72b..092d38aa 100644
--- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm
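Review bot: The added header uses a0, a1, a2 in `(p^4 - p^2 + 1)/N = p^3 + (a2)p^2 - (a1)p - a0` without defining them or relating them to the y0/y1/y2/y4 accumulators of the pseudocode that follows, so a reader has to reverse-engineer the elided loops to connect the formula to the code. A line such as `/// a0, a1, a2 are the base-p coefficients of (p^4 - p^2 + 1)/N; the power loops below raise y to each of them` would close that gap, assuming that is what power_loop_4 and its siblings do (their bodies lie between the two hunks). The same hunk still initialises `y4, y2, y0 = 1, 1, 1` while the second hunk changes the return to `y * y2 * y1 * y0`; unless y1 is derived from y4 in the lines not shown, that initialiser is the remaining stale name and should read y1 as well. Separately, "an invariant" in the first line is imprecise: the exponentiation makes the pairing output well defined, independent of the representative chosen, so `/// To make the Tate pairing well defined, the final step is to exponentiate by` reads better. The minus signs in the exponent imply inversions that the visible pseudocode never shows; a short remark on where they are applied belongs in this header too.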
@@ -490,7 +490,9 @@
 // stack: g0, g1, g2, g3, g4, g5, X, f0, f1, f2, f3, f4, f5
 %endmacro
 
-%macro sh
+/// multiply (a + bt + ct^2) by t:
+/// t(a + bt + ct^2) = at + bt^2 + ct^3 = (9+i)c + at + bt^2
+%macro sh_fp254_6
 // stack: f0 , f0_, f1, f1_, f2 , f2_
 SWAP2
 // stack: f1 , f0_, g0 , f1_, f2 , f2_
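Review bot: The new comment on `%macro sh_fp254_6` gives the algebra but not what the name or the stack layout mean, which is exactly what the body obscures: the input is annotated `f0 , f0_, f1, f1_, f2 , f2_` and after SWAP2 the first slot is suddenly called `g0`, so the reader has to guess both the pairing convention and why a coefficient changed letter. I would extend the comment with `/// i.e. a cyclic shift of the three Fp2 coefficients (presumably the "sh"), with the wrapped-around c scaled by t^3 = 9+i` and `/// stack in: f0, f0_, f1, f1_, f2, f2_ (each Fp2 element as a pair)`, after confirming the pair order against the other fp6 helpers in this file. The macro body runs past the end of the hunk, so the output layout is not visible here; documenting it on the same comment would let the caller at `square_fp12_2` in fp12_mul.asm, whose stack note still says `sh(f'f')`, be checked against it. On naming, the other fp6 helpers visible in this diff use the `fp6` suffix (`%swap_fp6_hole`, `square_fp6`), so `sh_fp6` would match them unless `fp254_6` is the established convention in util.asm.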