tate

2026-01-12 02:33:06 +00:00 · 2022-11-28 14:56:36 -08:00 · 2022-11-28 14:56:36 -08:00 · c3dcdfd540
commit c3dcdfd540
parent 6b34f4ff0a
4 changed files with 94 additions and 33 deletions
--- a/evm/src/cpu/kernel/aggregator.rs
+++ b/evm/src/cpu/kernel/aggregator.rs
@ -30,6 +30,7 @@ pub(crate) fn combined_kernel() -> Kernel {
        include_str!("asm/curve/bn254/field_arithmetic/field_macros.asm"),
        include_str!("asm/curve/bn254/field_arithmetic/fp6_mul.asm"),
        include_str!("asm/curve/bn254/field_arithmetic/fp12_mul.asm"),
+        include_str!("asm/curve/bn254/field_arithmetic/frobenius.asm"),
        include_str!("asm/curve/common.asm"),
        include_str!("asm/curve/secp256k1/curve_mul.asm"),
        include_str!("asm/curve/secp256k1/curve_add.asm"),
--- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/lines.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/lines.asm
@ -1,16 +0,0 @@
-/// p1, p2 : [Fp; 2], q : [Fp2; 2]
-
-/// def cord(p1x, p1y, p2x, p2y, qx, qy):
-///     return sparse_embed(
-///         p1y*p2x - p2y*p1x, 
-///         (p2y - p1y) * qx, 
-///         (p1x - p2x) * qy,
-///     )
-    
-/// def tangent(px, py, qx, qy):
-///     return sparse_embed(
-///         -9 + py**2, 
-///         (-3*px**2) * qx, 
-///         (2*py)     * qy,
-///     )
-
--- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/tate_pairing.asm
+++ b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/tate_pairing.asm
@ -24,7 +24,7 @@ global tate:
    // stack:                     out, ptr,            tate_mul1, tate_mul2, tate_mul3, retdest
    PUSH post_mllr   SWAP2 
    // stack:                     ptr, out, post_mllr, tate_mul1, tate_mul2, tate_mul3, retdest
-    %jump(miller_loop)
+    %jump(miller_init)
 post_mllr:
    // stack:                          out,            tate_mul1, tate_mul2, tate_mul3, retdest
    PUSH 100 
@ -70,25 +70,101 @@ tate_mul3:
    SWAP1  JUMP


-/// def miller_loop(P, Q):
+/// def miller(P, Q):
+///     miller_init()
+///     miller_loop()
+///
+/// def miller_init():
 ///     out = 1
 ///     O = P
-///     for i in EXP:
-///         out = square_fp12(out)
-///         line = tangent(O, Q)
-///         out = mul_fp12_sparse(out, line)
-///         O += O
-///         if i:
-///             line = cord(P, O, Q)
-///             out = mul_fp12_sparse(out, line)
-///             O += P
+///     times = 62
+///
+/// def miller_loop():
+///     while times:
+///         n_m = fetch_times()
+///         while n_m > 10:
+///             mul_tangent()
+///             mul_cord()
+///             n_m - 10
+///         while n_n:
+///             mul_tangent()
+///             n_m - 1
+///         times -= 1
+             
+/// Note: miller_data is formed by
+/// (1) taking the binary expansion of the BN254 prime p
+/// (2) popping the head and appending a 0:
+///     exp = bin(p)[1:-1] + [0]
+/// (3) counting the lengths of 1s and 0s in exp, e.g.
+///     exp = 1100010011110 => EXP = [(2,3), (1,2), (4,1)]
+/// (4) encoding each pair (n,m) as 10*n+m:
+///     miller_data = [10*n + m for (n,m) in EXP]
+
+miller_init:
+    // stack:         ptr, out, retdest
+    PUSH 1
+    // stack:      1, ptr, out, retdest
+    DUP3
+    // stack: out, 1, ptr, out, retdest
+    %mstore_kernel_general
+    // stack:         ptr, out, retdest
+    %load_fp6
+    // stack:        P, Q, out, retdest
+    DUP1  DUP1
+    // stack:     O, P, Q, out, retdest
+    PUSH 62
+    // stack: 62, O, P, Q, out, retdest
+    %jump(miller_loop)
+
+miller_loop:
+    // stack:        times, O, P, Q, out, retdest
+    DUP1
+    // stack: times, times, O, P, Q, out, retdest
+    mload_kernel_code(exp_runs)
+    // stack:    nm, times, O, P, Q, out, retdest
+    %jump(miller_step)
+
+miller_step:
+    
+
+miller_decr:
+    // stack:     times  , O, P, Q, out, retdest
+    %sub_const(1)
+    // stack:     times-1, O, P, Q, out, retdest
+    DUP1  %jumpi(miller_loop)
+    // stack:           0, O, P, Q, out, retdest
+    %pop3  %pop3  %pop3
+    // stack:                       out, retdest
+    %jump(post_mllr)
+
+
+/// def mul_tangent()
 ///     out = square_fp12(out)
 ///     line = tangent(O, Q)
-///     return mul_fp12_sparse(out, line)
+///     out = mul_fp12_sparse(out, line)
+///     O += O
 ///
-/// EXP is the binary expansion of the BN254 prime
+/// def mul_cord()
+///     line = cord(O, P, Q)
+///     out = mul_fp12_sparse(out, line)
+///     O += P

-global miller_loop:
-    // stack: ptr, out, retdest
+mul_tangent:

-    // stack:      out
+
+
+/// p1, p2 : [Fp; 2], q : [Fp2; 2]
+
+/// def cord(p1x, p1y, p2x, p2y, qx, qy):
+///     return sparse_embed(
+///         p1y*p2x - p2y*p1x, 
+///         (p2y - p1y) * qx, 
+///         (p1x - p2x) * qy,
+///     )
+    
+/// def tangent(px, py, qx, qy):
+///     return sparse_embed(
+///         -9 + py**2, 
+///         (-3*px**2) * qx, 
+///         (2*py)     * qy,
+///     )
--- a/evm/src/cpu/kernel/asm/ripemd/box.asm
+++ b/evm/src/cpu/kernel/asm/ripemd/box.asm
@ -72,7 +72,7 @@ post_rol:


 %macro get_round
-    // stack: sides, rounds
+    // stack:        sides , rounds
    %mul_const(5)  
    PUSH 10  
    SUB