BW6-761 part 1 (#100)

* Add Fp, Fp2, Fp6 support for BW6-761

* Add G1 for BW6-761

* Prepare to support G2 twists on the same field as G1

* Remove a useless dependent type for lines

* Implement G2 for BW6-761

* Fix Line leftover
Mamy Ratsimbazafy 2020-10-09 07:51:47 +02:00 committed by GitHub
parent 49164b66d8
commit 71bb4c799a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
88 changed files with 1150 additions and 600 deletions

View File

@ -1,4 +1,4 @@
# Constantine - Constant Time Elliptic Curve Cryptography
# Constantine - Constant Time Pairing-Based & Elliptic Curve Cryptography
[![License: Apache](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
@ -7,9 +7,10 @@
[![Build Status: Travis](https://img.shields.io/travis/com/mratsim/constantine/master?label=Travis%20%28Linux%20x86_64%2FARM64%2FPowerPC64,%20MacOS%20x86_64%29)](https://travis-ci.com/mratsim/constantine)\
[![Build Status: Azure](https://img.shields.io/azure-devops/build/numforge/07a2a7a5-995a-45d3-acd5-f5456fe7b04d/4?label=Azure%20%28Linux%2032%2F64-bit%2C%20Windows%2032%2F64-bit%2C%20MacOS%2064-bit%29)](https://dev.azure.com/numforge/Constantine/_build?definitionId=4&branchName=master)
This library provides constant-time implementation of elliptic curve cryptography.
This library provides [constant-time](https://en.wikipedia.org/wiki/Side-channel_attack) implementation of elliptic curve cryptography
with a particular focus on pairing-based cryptography.
The implementation is accompanied with SAGE code used as reference implementation and test vectors generators before high speed implementation.
The implementations are accompanied with SAGE code used as reference implementation and test vectors generators before writing highly optimized routines implemented in the [Nim language](https://nim-lang.org/)
> The library is in development state and high-level wrappers or example protocols are not available yet.
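Review bot: two grammar nits in the reworded intro sentence: "accompanied with SAGE code" should be "accompanied by SAGE code", and "test vectors generators" reads better as "test-vector generators". The rest of the rewording (constant-time link, pairing focus, Nim link) is fine.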
@ -43,6 +44,23 @@ This can be deactivated with `"-d:ConstantineASM=false"`:
- at misssed opportunity on recent CPUs that support MULX/ADCX/ADOX instructions (~60% faster than Clang).
- There is a 2.4x perf ratio between using plain GCC vs GCC with inline assembly.
## Why Nim
The Nim language offers the following benefits for cryptography:
- Compilation to machine code via C or C++ or alternatively compilation to Javascript. Easy FFI to those languages.
- Obscure embedded devices with proprietary C compilers can be targeted.
- WASM can be targeted.
- Performance reachable in C is reachable in Nim, easily.
- Rich type system: generics, dependent types, mutability-tracking and side-effect analysis, borrow-checking, distinct types (Miles != Meters, SecretBool != bool SecretWord != uint64).
- Compile-time evaluation, including parsing hex string, converting them to BigInt or Finite Field elements and doing bigint operations.
- Assembly support either inline or ``__attribute__((naked))`` or a simple `{.compile: "myasm.S".}` away
- No GC if no GC-ed types are used (automatic memory management is set at the type level and optimized for latency/soft-realtime by default and can be totally deactivated).
- Procedural macros working directly on AST to
- create generic curve configuration,
- derive constants
- write a size-independent inline assembly code generator
- Upcoming proof system for formal verification via Z3 ([DrNim](https://nim-lang.org/docs/drnim.html), [Correct-by-Construction RFC](https://github.com/nim-lang/RFCs/issues/222))
## Curves supported
At the moment the following curves are supported, adding a new curve only requires adding the prime modulus
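Review bot: the distinct-types example in the new "Why Nim" list is missing a separator, so `SecretBool != bool SecretWord != uint64` reads as a single comparison; put a comma between `bool` and `SecretWord`. While in this hunk, the unchanged context line above the section still says "misssed opportunity" (three s), worth fixing in the same commit.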
@ -50,14 +68,6 @@ and its bitsize in [constantine/config/curves.nim](constantine/config/curves_dec
The following curves are configured:
### ECDH / ECDSA / EdDSA curves
WIP:
- NIST P-224
- Curve25519
- NIST P-256 / Secp256r1
- Secp256k1 (Bitcoin, Ethereum 1)
### Pairing-Friendly curves
Supports:
@ -76,6 +86,7 @@ Curves:
- BN254_Snarks (Zero-Knowledge Proofs, Snarks, Starks, Zcash, Ethereum 1)
- BLS12-377 (Zexe)
- BLS12-381 (Algorand, Chia Networks, Dfinity, Ethereum 2, Filecoin, Zcash Sapling)
- BW6-671 (Celo, EY Blockchain) (Pairings are WIP)
## Security
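Review bot: the curve name in the new list entry is wrong: `BW6-671 (Celo, EY Blockchain)` should be `BW6-761`, matching the `curve BW6_761:` declaration and the `t_fp6_bw6_761.nim` / `*_bw6_761.nim` tests added in this commit (761 is the bit size of the field modulus, which is also `bitwidth: 761` in the declaration).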
@ -97,7 +108,7 @@ This is would be incomplete without mentioning that the hardware, OS and compile
actively hinder you by:
- Hardware: sometimes not implementing multiplication in constant-time.
- OS: not providing a way to prevent memory paging to disk, core dumps, a debugger attaching to your process or a context switch (coroutines) leaking register data.
- Compiler: optimizing away your carefully crafted branchless code and leaking server secrets or optimizing away your secure erasure routine which is "useless" because at the end of the function the data is not used anymore.
- Compiler: optimizing away your carefully crafted branchless code and leaking server secrets or optimizing away your secure erasure routine which is deemed "useless" because at the end of the function the data is not used anymore.
A growing number of attack vectors is being collected for your viewing pleasure
at https://github.com/mratsim/constantine/wiki/Constant-time-arithmetics
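Review bot: the unchanged context line opening this hunk reads "This is would be incomplete", a leftover from an earlier edit; drop "is". The change to `deemed "useless"` is fine.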
@ -167,40 +178,51 @@ nimble bench_pairing_bls12_381
As mentioned in the [Compiler caveats](#compiler-caveats) section, GCC is up to 2x slower than Clang due to mishandling of carries and register usage.
On my machine i9-9980XE, for selected benchmarks with Clang + Assembly
On my machine i9-9980XE, for selected benchmarks with Clang + Assembly, all being constant-time (or tagged unsafe).
```
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Line double BLS12_381 649350.649 ops/s 1540 ns/op 4617 CPU cycles (approx)
Line add BLS12_381 482858.522 ops/s 2071 ns/op 6211 CPU cycles (approx)
Mul 𝔽p12 by line xy000z BLS12_381 543478.261 ops/s 1840 ns/op 5518 CPU cycles (approx)
Line double BLS12_381 872600.349 ops/s 1146 ns/op 3434 CPU cycles (approx)
Line add BLS12_381 616522.811 ops/s 1622 ns/op 4864 CPU cycles (approx)
Mul 𝔽p12 by line xy000z BLS12_381 535905.681 ops/s 1866 ns/op 5597 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Final Exponentiation Easy BLS12_381 39411.973 ops/s 25373 ns/op 76119 CPU cycles (approx)
Final Exponentiation Hard BLS12 BLS12_381 2141.603 ops/s 466940 ns/op 1400833 CPU cycles (approx)
Final Exponentiation Easy BLS12_381 39443.064 ops/s 25353 ns/op 76058 CPU cycles (approx)
Final Exponentiation Hard BLS12 BLS12_381 2139.367 ops/s 467428 ns/op 1402299 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Miller Loop BLS12 BLS12_381 2731.576 ops/s 366089 ns/op 1098278 CPU cycles (approx)
Final Exponentiation BLS12 BLS12_381 2033.045 ops/s 491873 ns/op 1475634 CPU cycles (approx)
Miller Loop BLS12 BLS12_381 2971.512 ops/s 336529 ns/op 1009596 CPU cycles (approx)
Final Exponentiation BLS12 BLS12_381 2029.365 ops/s 492765 ns/op 1478310 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Pairing BLS12 BLS12_381 1131.391 ops/s 883868 ns/op 2651631 CPU cycles (approx)
Pairing BLS12 BLS12_381 1164.051 ops/s 859069 ns/op 2577234 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
```
```
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EC Add G1 ECP_ShortW_Proj[Fp[BLS12_381]] 2118644.068 ops/s 472 ns/op 1416 CPU cycles (approx)
EC Add G1 ECP_ShortW_Jac[Fp[BLS12_381]] 1818181.818 ops/s 550 ns/op 1652 CPU cycles (approx)
EC Mixed Addition G1 ECP_ShortW_Proj[Fp[BLS12_381]] 2427184.466 ops/s 412 ns/op 1236 CPU cycles (approx)
EC Double G1 ECP_ShortW_Proj[Fp[BLS12_381]] 3460207.612 ops/s 289 ns/op 867 CPU cycles (approx)
EC Double G1 ECP_ShortW_Jac[Fp[BLS12_381]] 3717472.119 ops/s 269 ns/op 809 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EC Add G1 ECP_ShortW_Proj[Fp[BLS12_381]] 2118644.068 ops/s 472 ns/op 1416 CPU cycles (approx)
EC Mixed Addition G1 ECP_ShortW_Proj[Fp[BLS12_381]] 2439024.390 ops/s 410 ns/op 1232 CPU cycles (approx)
EC Double G1 ECP_ShortW_Proj[Fp[BLS12_381]] 3448275.862 ops/s 290 ns/op 871 CPU cycles (approx)
EC Projective to Affine G1 ECP_ShortW_Proj[Fp[BLS12_381]] 72020.166 ops/s 13885 ns/op 41656 CPU cycles (approx)
EC Jacobian to Affine G1 ECP_ShortW_Jac[Fp[BLS12_381]] 71989.058 ops/s 13891 ns/op 41673 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EC ScalarMul G1 (unsafe reference DoubleAdd) ECP_ShortW_Proj[Fp[BLS12_381]] 7147.094 ops/s 139917 ns/op 419756 CPU cycles (approx)
EC ScalarMul G1 (unsafe reference DoubleAdd) ECP_ShortW_Proj[Fp[BLS12_381]] 7260.266 ops/s 137736 ns/op 413213 CPU cycles (approx)
EC ScalarMul G1 (unsafe reference DoubleAdd) ECP_ShortW_Jac[Fp[BLS12_381]] 7140.970 ops/s 140037 ns/op 420115 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EC ScalarMul Generic G1 (window = 2, scratchsize = 4) ECP_ShortW_Proj[Fp[BLS12_381]] 5048.975 ops/s 198060 ns/op 594188 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 3, scratchsize = 8) ECP_ShortW_Proj[Fp[BLS12_381]] 7148.269 ops/s 139894 ns/op 419685 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 4, scratchsize = 16) ECP_ShortW_Proj[Fp[BLS12_381]] 8112.735 ops/s 123263 ns/op 369791 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 5, scratchsize = 32) ECP_ShortW_Proj[Fp[BLS12_381]] 8464.534 ops/s 118140 ns/op 354424 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 2, scratchsize = 4) ECP_ShortW_Proj[Fp[BLS12_381]] 5036.946 ops/s 198533 ns/op 595606 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 3, scratchsize = 8) ECP_ShortW_Proj[Fp[BLS12_381]] 7080.799 ops/s 141227 ns/op 423684 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 4, scratchsize = 16) ECP_ShortW_Proj[Fp[BLS12_381]] 8062.631 ops/s 124029 ns/op 372091 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 5, scratchsize = 32) ECP_ShortW_Proj[Fp[BLS12_381]] 8377.244 ops/s 119371 ns/op 358116 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 2, scratchsize = 4) ECP_ShortW_Jac[Fp[BLS12_381]] 4703.359 ops/s 212614 ns/op 637847 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 3, scratchsize = 8) ECP_ShortW_Jac[Fp[BLS12_381]] 6901.407 ops/s 144898 ns/op 434697 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 4, scratchsize = 16) ECP_ShortW_Jac[Fp[BLS12_381]] 8022.720 ops/s 124646 ns/op 373940 CPU cycles (approx)
EC ScalarMul Generic G1 (window = 5, scratchsize = 32) ECP_ShortW_Jac[Fp[BLS12_381]] 8433.552 ops/s 118574 ns/op 355725 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EC ScalarMul G1 (endomorphism accelerated) ECP_ShortW_Proj[Fp[BLS12_381]] 9679.418 ops/s 103312 ns/op 309939 CPU cycles (approx)
EC ScalarMul Window-2 G1 (endomorphism accelerated) ECP_ShortW_Proj[Fp[BLS12_381]] 13089.348 ops/s 76398 ns/op 229195 CPU cycles (approx)
EC ScalarMul G1 (endomorphism accelerated) ECP_ShortW_Proj[Fp[BLS12_381]] 9703.933 ops/s 103051 ns/op 309155 CPU cycles (approx)
EC ScalarMul Window-2 G1 (endomorphism accelerated) ECP_ShortW_Proj[Fp[BLS12_381]] 13160.839 ops/s 75983 ns/op 227950 CPU cycles (approx)
EC ScalarMul G1 (endomorphism accelerated) ECP_ShortW_Jac[Fp[BLS12_381]] 9064.868 ops/s 110316 ns/op 330951 CPU cycles (approx)
EC ScalarMul Window-2 G1 (endomorphism accelerated) ECP_ShortW_Jac[Fp[BLS12_381]] 12722.484 ops/s 78601 ns/op 235806 CPU cycles (approx)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
```
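Review bot: the benchmark block now states that every routine is constant-time "or tagged unsafe", but neither the old nor the new table records the Nim version, Clang version or commit hash it was measured with, so the numbers cannot be reproduced or compared with the previous table later; add a one-line header above the fence with compiler, Nim version and commit. Also, with both the old and the new rows shown here, several rows are identical (for example `EC Add G1 ECP_ShortW_Proj[Fp[BLS12_381]] 2118644.068 ops/s 472 ns/op`), so only the added Jacobian rows and the slightly changed pairing numbers are new information.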

View File

@ -45,31 +45,31 @@ proc main() =
separator()
staticFor i, 0, AvailableCurves.len:
const curve = AvailableCurves[i]
addBench(ECP_ShortW_Proj[Fp[curve]], Iters)
addBench(ECP_ShortW_Jac[Fp[curve]], Iters)
mixedAddBench(ECP_ShortW_Proj[Fp[curve]], Iters)
doublingBench(ECP_ShortW_Proj[Fp[curve]], Iters)
doublingBench(ECP_ShortW_Jac[Fp[curve]], Iters)
addBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], Iters)
addBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], Iters)
mixedAddBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], Iters)
doublingBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], Iters)
doublingBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], Iters)
separator()
affFromProjBench(ECP_ShortW_Proj[Fp[curve]], MulIters)
affFromJacBench(ECP_ShortW_Jac[Fp[curve]], MulIters)
affFromProjBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
affFromJacBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
separator()
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp[curve]], MulIters)
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp[curve]], MulIters)
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
separator()
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 5, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 5, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 5, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 5, MulIters)
separator()
scalarMulEndo(ECP_ShortW_Proj[Fp[curve]], MulIters)
scalarMulEndoWindow(ECP_ShortW_Proj[Fp[curve]], MulIters)
scalarMulEndo(ECP_ShortW_Jac[Fp[curve]], MulIters)
scalarMulEndoWindow(ECP_ShortW_Jac[Fp[curve]], MulIters)
scalarMulEndo(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
scalarMulEndoWindow(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
scalarMulEndo(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
scalarMulEndoWindow(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
separator()
separator()
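Review bot: every call in this hunk now repeats `ECP_ShortW_Proj[Fp[curve], NotOnTwist]` or `ECP_ShortW_Jac[Fp[curve], NotOnTwist]`; since `curve` is a `const`, a local alias right after it, e.g. `type G1Prj = ECP_ShortW_Proj[Fp[curve], NotOnTwist]` and `G1Jac = ECP_ShortW_Jac[Fp[curve], NotOnTwist]`, would keep the list readable and make the next change to the twist parameter a one-line edit.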

View File

@ -46,29 +46,29 @@ proc main() =
separator()
staticFor i, 0, AvailableCurves.len:
const curve = AvailableCurves[i]
addBench(ECP_ShortW_Proj[Fp2[curve]], Iters)
addBench(ECP_ShortW_Jac[Fp2[curve]], Iters)
mixedAddBench(ECP_ShortW_Proj[Fp2[curve]], Iters)
doublingBench(ECP_ShortW_Proj[Fp2[curve]], Iters)
doublingBench(ECP_ShortW_Jac[Fp2[curve]], Iters)
addBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], Iters)
addBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], Iters)
mixedAddBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], Iters)
doublingBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], Iters)
doublingBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], Iters)
separator()
affFromProjBench(ECP_ShortW_Proj[Fp2[curve]], MulIters)
affFromJacBench(ECP_ShortW_Jac[Fp2[curve]], MulIters)
affFromProjBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], MulIters)
affFromJacBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], MulIters)
separator()
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp2[curve]], MulIters)
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp2[curve]], MulIters)
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], MulIters)
scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], MulIters)
separator()
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 5, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 5, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 5, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 2, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 3, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 4, MulIters)
scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 5, MulIters)
separator()
scalarMulEndo(ECP_ShortW_Proj[Fp2[curve]], MulIters)
scalarMulEndo(ECP_ShortW_Jac[Fp2[curve]], MulIters)
scalarMulEndo(ECP_ShortW_Proj[Fp2[curve], OnTwist], MulIters)
scalarMulEndo(ECP_ShortW_Jac[Fp2[curve], OnTwist], MulIters)
separator()
separator()
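Review bot: the G2 benchmark still has no `scalarMulEndoWindow` row while the G1 benchmark in this commit runs both `scalarMulEndo` and `scalarMulEndoWindow`; if the windowed endomorphism path is not implemented for G2, say so in a comment next to the `scalarMulEndo` calls, otherwise add the call so the two tables stay comparable.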

View File

@ -140,7 +140,7 @@ proc mixedAddBench*(T: typedesc, iters: int) =
var r {.noInit.}: T
let P = rng.random_unsafe(T)
let Q = rng.random_unsafe(T)
var Qaff: ECP_ShortW_Aff[T.F]
var Qaff: ECP_ShortW_Aff[T.F, T.Tw]
Qaff.affineFromProjective(Q)
bench("EC Mixed Addition " & G1_or_G2, T, iters):
r.madd(P, Qaff)
@ -154,14 +154,14 @@ proc doublingBench*(T: typedesc, iters: int) =
proc affFromProjBench*(T: typedesc, iters: int) =
const G1_or_G2 = when T.F is Fp: "G1" else: "G2"
var r {.noInit.}: ECP_ShortW_Aff[T.F]
var r {.noInit.}: ECP_ShortW_Aff[T.F, T.Tw]
let P = rng.random_unsafe(T)
bench("EC Projective to Affine " & G1_or_G2, T, iters):
r.affineFromProjective(P)
proc affFromJacBench*(T: typedesc, iters: int) =
const G1_or_G2 = when T.F is Fp: "G1" else: "G2"
var r {.noInit.}: ECP_ShortW_Aff[T.F]
var r {.noInit.}: ECP_ShortW_Aff[T.F, T.Tw]
let P = rng.random_unsafe(T)
bench("EC Jacobian to Affine " & G1_or_G2, T, iters):
r.affineFromJacobian(P)
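Review bot: the `G1_or_G2` label in `affFromProjBench` and `affFromJacBench` is derived from `when T.F is Fp: "G1" else: "G2"`, which breaks for exactly the case this commit prepares for: BW6-761's G2 lives over `Fp`, so its benchmark rows would be printed as "G1". Now that the type carries `T.Tw`, use `when T.Tw == OnTwist: "G2" else: "G1"` for the label (and in `mixedAddBench`, which uses the same `G1_or_G2` string).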

View File

@ -129,33 +129,33 @@ func random_point*(rng: var RngState, EC: typedesc): EC {.noInit.} =
result.clearCofactorReference()
proc lineDoubleBench*(C: static Curve, iters: int) =
var line: Line[Fp2[C], C.getSexticTwist()]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
let P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
var Paff: ECP_ShortW_Aff[Fp[C]]
var line: Line[Fp2[C]]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
var Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
Paff.affineFromProjective(P)
bench("Line double", C, iters):
line.line_double(T, Paff)
proc lineAddBench*(C: static Curve, iters: int) =
var line: Line[Fp2[C], C.getSexticTwist()]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
var line: Line[Fp2[C]]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
let
P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
var
Paff: ECP_ShortW_Aff[Fp[C]]
Qaff: ECP_ShortW_Aff[Fp2[C]]
Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
Qaff: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
bench("Line add", C, iters):
line.line_add(T, Qaff, Paff)
proc mulFp12byLine_xyz000_Bench*(C: static Curve, iters: int) =
var line: Line[Fp2[C], C.getSexticTwist()]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
let P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
var Paff: ECP_ShortW_Aff[Fp[C]]
var line: Line[Fp2[C]]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
var Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
Paff.affineFromProjective(P)
line.line_double(T, Paff)
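Review bot: `Line[Fp2[C]]` and `ECP_ShortW_Proj[Fp2[C], OnTwist]` are now hard-wired to `Fp2` in the pairing benches; that is correct for the BN and BLS12 curves these benches run on, but the twist this commit introduces for BW6-761 is over `Fp` (see `G2 Equation: y² = x³ + 4` in the curve declaration), so these templates will not instantiate for it once its pairing lands. Consider parameterising the template on the twist field of `C` rather than on `Fp2` directly, so the `OnTwist` point and the line coefficients share one field type.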
@ -165,10 +165,10 @@ proc mulFp12byLine_xyz000_Bench*(C: static Curve, iters: int) =
f.mul_sparse_by_line_xyz000(line)
proc mulFp12byLine_xy000z_Bench*(C: static Curve, iters: int) =
var line: Line[Fp2[C], C.getSexticTwist()]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
let P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
var Paff: ECP_ShortW_Aff[Fp[C]]
var line: Line[Fp2[C]]
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
var Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
Paff.affineFromProjective(P)
line.line_double(T, Paff)
@ -179,11 +179,11 @@ proc mulFp12byLine_xy000z_Bench*(C: static Curve, iters: int) =
proc millerLoopBLS12Bench*(C: static Curve, iters: int) =
let
P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
var
Paff: ECP_ShortW_Aff[Fp[C]]
Qaff: ECP_ShortW_Aff[Fp2[C]]
Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
Qaff: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
@ -194,11 +194,11 @@ proc millerLoopBLS12Bench*(C: static Curve, iters: int) =
proc millerLoopBNBench*(C: static Curve, iters: int) =
let
P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
var
Paff: ECP_ShortW_Aff[Fp[C]]
Qaff: ECP_ShortW_Aff[Fp2[C]]
Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
Qaff: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
@ -238,8 +238,8 @@ proc finalExpBNBench*(C: static Curve, iters: int) =
proc pairingBLS12Bench*(C: static Curve, iters: int) =
let
P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
var f: Fp12[C]
@ -248,8 +248,8 @@ proc pairingBLS12Bench*(C: static Curve, iters: int) =
proc pairingBNBench*(C: static Curve, iters: int) =
let
P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
var f: Fp12[C]

View File

@ -43,6 +43,7 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
("tests/t_fp6_bn254_snarks.nim", false),
("tests/t_fp6_bls12_377.nim", false),
("tests/t_fp6_bls12_381.nim", false),
("tests/t_fp6_bw6_761.nim", false),
("tests/t_fp12_bn254_snarks.nim", false),
("tests/t_fp12_bls12_377.nim", false),
("tests/t_fp12_bls12_381.nim", false),
@ -60,36 +61,57 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
("tests/t_ec_shortw_jac_g1_mul_sanity.nim", false),
("tests/t_ec_shortw_jac_g1_mul_distri.nim", false),
("tests/t_ec_shortw_jac_g1_mul_vs_ref.nim", false),
# mixed_add
# Elliptic curve arithmetic G2
("tests/t_ec_shortw_prj_g2_add_double_bn254_snarks.nim", false),
("tests/t_ec_shortw_prj_g2_mul_sanity_bn254_snarks.nim", false),
("tests/t_ec_shortw_prj_g2_mul_distri_bn254_snarks.nim", false),
("tests/t_ec_shortw_prj_g2_mul_vs_ref_bn254_snarks.nim", false),
("tests/t_ec_shortw_prj_g2_mixed_add_bn254_snarks.nim", false),
("tests/t_ec_shortw_prj_g2_add_double_bls12_381.nim", false),
("tests/t_ec_shortw_prj_g2_mul_sanity_bls12_381.nim", false),
("tests/t_ec_shortw_prj_g2_mul_distri_bls12_381.nim", false),
("tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_381.nim", false),
("tests/t_ec_shortw_prj_g2_mixed_add_bls12_381.nim", false),
("tests/t_ec_shortw_prj_g2_add_double_bls12_377.nim", false),
("tests/t_ec_shortw_prj_g2_mul_sanity_bls12_377.nim", false),
("tests/t_ec_shortw_prj_g2_mul_distri_bls12_377.nim", false),
("tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_377.nim", false),
("tests/t_ec_shortw_prj_g2_mixed_add_bls12_377.nim", false),
("tests/t_ec_shortw_prj_g2_add_double_bw6_761.nim", false),
("tests/t_ec_shortw_prj_g2_mul_sanity_bw6_761.nim", false),
("tests/t_ec_shortw_prj_g2_mul_distri_bw6_761.nim", false),
("tests/t_ec_shortw_prj_g2_mul_vs_ref_bw6_761.nim", false),
("tests/t_ec_shortw_prj_g2_mixed_add_bw6_761.nim", false),
("tests/t_ec_shortw_jac_g2_add_double_bn254_snarks.nim", false),
("tests/t_ec_shortw_jac_g2_mul_sanity_bn254_snarks.nim", false),
("tests/t_ec_shortw_jac_g2_mul_distri_bn254_snarks.nim", false),
("tests/t_ec_shortw_jac_g2_mul_vs_ref_bn254_snarks.nim", false),
# mixed_add
("tests/t_ec_shortw_jac_g2_add_double_bls12_381.nim", false),
("tests/t_ec_shortw_jac_g2_mul_sanity_bls12_381.nim", false),
("tests/t_ec_shortw_jac_g2_mul_distri_bls12_381.nim", false),
("tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_381.nim", false),
# mixed_add
("tests/t_ec_shortw_jac_g2_add_double_bls12_377.nim", false),
("tests/t_ec_shortw_jac_g2_mul_sanity_bls12_377.nim", false),
("tests/t_ec_shortw_jac_g2_mul_distri_bls12_377.nim", false),
("tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_377.nim", false),
# mixed_add
("tests/t_ec_shortw_jac_g2_add_double_bw6_761.nim", false),
("tests/t_ec_shortw_jac_g2_mul_sanity_bw6_761.nim", false),
("tests/t_ec_shortw_jac_g2_mul_distri_bw6_761.nim", false),
("tests/t_ec_shortw_jac_g2_mul_vs_ref_bw6_761.nim", false),
# mixed_add
# Elliptic curve arithmetic vs Sagemath
("tests/t_ec_frobenius.nim", false),
("tests/t_ec_sage_bn254.nim", false),
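Review bot: the four `# mixed_add` placeholders after the Jacobian G2 blocks (including the new `bw6_761` block) mark tests that exist for the projective variants (`t_ec_shortw_prj_g2_mixed_add_*.nim`) but not for Jacobian; either add the Jacobian mixed-add tests or turn the placeholders into a TODO with an issue reference so the coverage gap is tracked instead of being copied forward with each new curve.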
@ -217,6 +239,10 @@ task test_no_gmp, "Run tests that don't require GMP":
runBench("bench_fp12")
runBench("bench_ec_g1")
runBench("bench_ec_g2")
runBench("bench_pairing_bls12_377")
runBench("bench_pairing_bls12_381")
runBench("bench_pairing_bn254_nogami")
runBench("bench_pairing_bn254_snarks")
task test_parallel, "Run all tests in parallel (via GNU parallel)":
# -d:testingCurves is configured in a *.nim.cfg for convenience
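Review bot: the same four `runBench("bench_pairing_*")` lines are pasted into five task bodies in this file (`test_no_gmp`, `test_parallel`, `test_parallel_no_assembler`, `test_parallel_no_gmp`, `test_parallel_no_gmp_no_assembler`); a shared `proc` that runs the benchmark list would stop the copies drifting apart. No `bench_pairing_bw6_761` is added, which is consistent with the README marking BW6-761 pairings as WIP.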
@ -256,6 +282,10 @@ task test_parallel, "Run all tests in parallel (via GNU parallel)":
runBench("bench_fp12")
runBench("bench_ec_g1")
runBench("bench_ec_g2")
runBench("bench_pairing_bls12_377")
runBench("bench_pairing_bls12_381")
runBench("bench_pairing_bn254_nogami")
runBench("bench_pairing_bn254_snarks")
task test_parallel_no_assembler, "Run all tests (without macro assembler) in parallel (via GNU parallel)":
# -d:testingCurves is configured in a *.nim.cfg for convenience
@ -295,6 +325,10 @@ task test_parallel_no_assembler, "Run all tests (without macro assembler) in par
runBench("bench_fp12")
runBench("bench_ec_g1")
runBench("bench_ec_g2")
runBench("bench_pairing_bls12_377")
runBench("bench_pairing_bls12_381")
runBench("bench_pairing_bn254_nogami")
runBench("bench_pairing_bn254_snarks")
task test_parallel_no_gmp, "Run all tests in parallel (via GNU parallel)":
# -d:testingCurves is configured in a *.nim.cfg for convenience
@ -336,6 +370,10 @@ task test_parallel_no_gmp, "Run all tests in parallel (via GNU parallel)":
runBench("bench_fp12")
runBench("bench_ec_g1")
runBench("bench_ec_g2")
runBench("bench_pairing_bls12_377")
runBench("bench_pairing_bls12_381")
runBench("bench_pairing_bn254_nogami")
runBench("bench_pairing_bn254_snarks")
task test_parallel_no_gmp_no_assembler, "Run all tests in parallel (via GNU parallel)":
# -d:testingCurves is configured in a *.nim.cfg for convenience
@ -377,6 +415,10 @@ task test_parallel_no_gmp_no_assembler, "Run all tests in parallel (via GNU para
runBench("bench_fp12")
runBench("bench_ec_g1")
runBench("bench_ec_g2")
runBench("bench_pairing_bls12_377")
runBench("bench_pairing_bls12_381")
runBench("bench_pairing_bn254_nogami")
runBench("bench_pairing_bn254_snarks")
task bench_fp, "Run benchmark 𝔽p with your default compiler":
runBench("bench_fp")

View File

@ -128,7 +128,7 @@ declareCurves:
# u: 0x8508c00000000001
# G1 Equation: y² = x³ + 1
# G2 Equation: y² = x³ + 1/ with 𝑗 = √-5
# G2 Equation: y² = x³ + 1/𝑗 with 𝑗 = √-5
order: "0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001"
orderBitwidth: 253
eq_form: ShortWeierstrass
@ -159,3 +159,27 @@ declareCurves:
sexticTwist: M_Twist
sexticNonResidue_fp2: (1, 1) # 1+𝑖
curve BW6_761:
bitwidth: 761
modulus: "0x122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b423048689c8ed12f9fd9071dcd3dc73ebff2e98a116c25667a8f8160cf8aeeaf0a437e6913e6870000082f49d00000000008b"
family: BrezingWeng
# Curve that embeds BLS12-377, see https://eprint.iacr.org/2020/351.pdf
# u: 3 * 2^46 * (7 * 13 * 499) + 1
# u: 0x8508c00000000001
# r = p_BLS12-377 = (x⁶2x⁵+2x³+x+1)/3
# p = 103x¹²379x¹¹+250x¹⁰+691x⁹911x⁸79x⁷+623x⁶640x⁵+274x⁴+763x³+73x²+254x+229)/9
# G1 Equation: y² = x³ - 1
# G6 Equation: y² = x³ + 4 (M-Twist)
order: "0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001"
orderBitwidth: 377
coef_a: 0
coef_b: -1
# TODO: rework the quad/cube/sextic non residue declaration
nonresidue_quad_fp: -4 # -4 is not a square in 𝔽p
nonresidue_cube_fp2: (0, 1) # -4 is not a cube in 𝔽
sexticTwist: M_Twist
sexticNonResidue_fp2: (0, 1) # -4
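Review bot: several comment/declaration mismatches in the new `BW6_761` block. `# G6 Equation` should read `# G2 Equation`. The comments on `nonresidue_cube_fp2: (0, 1)` and `sexticNonResidue_fp2: (0, 1)` both say `-4`, but `(0, 1)` denotes the 𝔽p2 element `0 + 1·i` with `i² = -4` (the quadratic non-residue declared just above), so the comments should say `i`, a square root of -4, and the cube comment should name the field (`𝔽p2`, not `𝔽`). As displayed here the polynomial comments for `r` and `p` have lost their minus signs and `p` lacks its opening parenthesis (`# p = 103x¹²379x¹¹+...)/9`); check them against the Brezing-Weng formulas in the referenced ePrint 2020/351 before merging. `orderBitwidth: 377` is consistent with the 96-hex-digit order starting `0x01ae…`, and `coef_b: -1` with `sexticTwist: M_Twist` and non-residue `-4` gives the stated twist `y² = x³ + 4`.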

View File

@ -29,6 +29,7 @@ type
NoFamily
BarretoNaehrig # BN curve
BarretoLynnScott # BLS curve
BrezingWeng # BW curve
CurveCoefKind* = enum
## Small coefficients fit in an int64
@ -184,6 +185,10 @@ proc parseCurveDecls(defs: var seq[CurveParams], curves: NimNode) =
elif sectionId.eqIdent"coef_b":
if sectionVal.kind == nnkIntLit:
params.coef_B = CurveCoef(kind: Small, coef: sectionVal.intVal.int)
elif sectionVal.kind == nnkPrefix: # Got -1
sectionVal[0].expectIdent"-"
sectionVal[1].expectKind(nnkIntLit)
params.coef_B = CurveCoef(kind: Small, coef: -sectionVal[1].intVal.int)
else:
params.coef_B = CurveCoef(kind: Large, coefHex: sectionVal.strVal)
elif sectionId.eqIdent"order":
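Review bot: the negative-literal handling is added only to the `coef_b` branch; if the `coef_a` branch just above this hunk (not shown) has the same `nnkIntLit`/`strVal` shape, a declaration such as `coef_a: -3` would reach the `strVal` fallthrough with an `nnkPrefix` node and fail with an unhelpful error. Factor the four new lines into a small `parseSmallCoef(node): CurveCoef` helper used by both coefficients. Also `sectionVal[0].expectIdent"-"` accepts only unary minus, so a `+1` literal would also fall into the hex-string branch; either accept it or document that coefficients are plain integer literals or hex strings.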

View File

@ -65,18 +65,20 @@ func decomposeEndo*[M, scalBits, L: static int](
static: doAssert L >= (scalBits + M - 1) div M + 1
const w = F.C.getCurveOrderBitwidth().wordsRequired()
when F is Fp:
when M == 2:
var alphas{.noInit.}: (
BigInt[scalBits + babai(F)[0][0].bits],
BigInt[scalBits + babai(F)[1][0].bits]
)
else:
elif M == 4:
var alphas{.noInit.}: (
BigInt[scalBits + babai(F)[0][0].bits],
BigInt[scalBits + babai(F)[1][0].bits],
BigInt[scalBits + babai(F)[2][0].bits],
BigInt[scalBits + babai(F)[3][0].bits]
)
else:
{.error: "The decomposition degree " & $M & " is not configured".}
staticFor i, 0, M:
when bool babai(F)[i][0].isZero():
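Review bot: `babai(F)` in the new `M == 4` branch is looked up by field type alone, as in the `M == 2` branch, and the whole dispatch sits under `when F is Fp`; with this commit preparing G2 twists over the same field as G1 (BW6-761), a G1 point and a G2 point can share `F = Fp[BW6_761]` while needing different decomposition lattices, so keying the lattice on the field only will become ambiguous. Consider keying `babai` on the curve and the `Twisted` parameter introduced in `ec_shortweierstrass_affine.nim` in this commit rather than on `F`. The explicit `{.error.}` for an unconfigured `M` is a good addition.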

View File

@ -11,7 +11,7 @@ import
../config/[common, curves],
../arithmetic,
../towers,
../io/io_bigints
../io/[io_fields, io_towers]
# ############################################################
#
@ -20,14 +20,19 @@ import
#
# ############################################################
type ECP_ShortW_Aff*[F] = object
## Elliptic curve point for a curve in Short Weierstrass form
## y² = x³ + a x + b
##
## over a field F
x*, y*: F
type
Twisted* = enum
NotOnTwist
OnTwist
func curve_eq_rhs*[F](y2: var F, x: F) =
ECP_ShortW_Aff*[F; Tw: static Twisted] = object
## Elliptic curve point for a curve in Short Weierstrass form
## y² = x³ + a x + b
##
## over a field F
x*, y*: F
func curve_eq_rhs*[F](y2: var F, x: F, Tw: static Twisted) =
## Compute the curve equation right-hand-side from field element `x`
## i.e. `y²` in `y² = x³ + a x + b`
## or on sextic twists for pairing curves `y² = x³ + b/µ` or `y² = x³ + µ b`
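Review bot: the new `Twisted` enum has no doc comment. Since `OnTwist` changes the equation a point is validated against (`y² = x³ + b/µ` or `y² = x³ + µ b` per the `curve_eq_rhs` docstring) and is now part of the point type, a one-line comment on `NotOnTwist`/`OnTwist` and a mention of `Tw` in the `ECP_ShortW_Aff` docstring would help readers who previously inferred the twist from `F is Fp2`.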
@ -54,33 +59,47 @@ func curve_eq_rhs*[F](y2: var F, x: F) =
# TODO: precomputation needed when deserializing points
# to check if a point is on-curve and prevent denial-of-service
# using slow inversion.
y2.fromBig F.C.matchingBigInt().fromUint F.C.getCoefB()
when F is Fp2:
when F.C.getSexticTwist() == D_Twist:
y2 /= SexticNonResidue
elif F.C.getSexticTwist() == M_Twist:
y2 *= SexticNonResidue
else:
{.error: "Only twisted curves are supported on extension field 𝔽".}
when F.C.getCoefB() >= 0:
y2.fromInt F.C.getCoefB()
when Tw == OnTwist:
when F.C.getSexticTwist() == D_Twist:
y2 /= SexticNonResidue
elif F.C.getSexticTwist() == M_Twist:
y2 *= SexticNonResidue
else:
{.error: "Only twisted curves are supported on extension field 𝔽".}
y2 += t
y2 += t
else:
y2.fromInt -F.C.getCoefB()
when Tw == OnTwist:
when F.C.getSexticTwist() == D_Twist:
y2 /= SexticNonResidue
elif F.C.getSexticTwist() == M_Twist:
y2 *= SexticNonResidue
else:
{.error: "Only twisted curves are supported on extension field 𝔽".}
y2.diffAlias(t, y2)
when F.C.getCoefA() != 0:
t = x
t *= F.C.getCoefA()
y2 += t
func isOnCurve*[F](x, y: F): SecretBool =
func isOnCurve*[F](x, y: F, Tw: static Twisted): SecretBool =
## Returns true if the (x, y) coordinates
## represents a point of the elliptic curve
var y2, rhs {.noInit.}: F
y2.square(y)
rhs.curve_eq_rhs(x)
rhs.curve_eq_rhs(x, Tw)
return y2 == rhs
func trySetFromCoordX*[F](P: var ECP_ShortW_Aff[F], x: F): SecretBool =
func trySetFromCoordX*[F, Tw](
P: var ECP_ShortW_Aff[F, Tw],
x: F): SecretBool =
## Try to create a point the elliptic curve
## y² = x³ + a x + b (affine coordinate)
##
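Review bot: the twist adjustment (`y2 /= SexticNonResidue`, `y2 *= SexticNonResidue` and the `{.error.}` fallback) is duplicated verbatim in the `getCoefB() >= 0` and negative branches; moving it into a template applied to `y2` right after `fromInt` leaves one copy and one place to review. Keep the sign split itself, since it only ever hands `fromInt` a non-negative value. Also, the D-twist path's `y2 /= SexticNonResidue` sits directly under the TODO about slow inversion during deserialization: if `/=` by the non-residue is a real inversion rather than a multiply by a precomputed inverse, every on-curve check of a D-twisted point pays for it, which is exactly the denial-of-service concern that comment describes.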
@ -91,7 +110,7 @@ func trySetFromCoordX*[F](P: var ECP_ShortW_Aff[F], x: F): SecretBool =
##
## Note: Dedicated robust procedures for hashing-to-curve
## will be provided, this is intended for testing purposes.
P.y.curve_eq_rhs(x)
P.y.curve_eq_rhs(x, Tw)
# TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
result = sqrt_if_square(P.y)

@ -13,6 +13,8 @@ import
../towers,
./ec_shortweierstrass_affine
export Twisted
# ############################################################
#
# Elliptic Curve in Short Weierstrass form
@ -20,7 +22,7 @@ import
#
# ############################################################
type ECP_ShortW_Jac*[F] = object
type ECP_ShortW_Jac*[F; Tw: static Twisted] = object
## Elliptic curve point for a curve in Short Weierstrass form
## y² = x³ + a x + b
##
@ -32,10 +34,11 @@ type ECP_ShortW_Jac*[F] = object
## Note that jacobian coordinates are not unique
x*, y*, z*: F
func `==`*[F](P, Q: ECP_ShortW_Jac[F]): SecretBool =
func `==`*(P, Q: ECP_ShortW_Jac): SecretBool =
## Constant-time equality check
## This is a costly operation
# Reminder: the representation is not unique
type F = ECP_ShortW_Jac.F
var z1z1 {.noInit.}, z2z2 {.noInit.}: F
var a{.noInit.}, b{.noInit.}: F
@ -77,7 +80,9 @@ func ccopy*(P: var ECP_ShortW_Jac, Q: ECP_ShortW_Jac, ctl: SecretBool) =
for fP, fQ in fields(P, Q):
ccopy(fP, fQ, ctl)
func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Jac[F], x, z: F): SecretBool =
func trySetFromCoordsXandZ*[F; Tw](
P: var ECP_ShortW_Jac[F, Tw],
x, z: F): SecretBool =
## Try to create a point the elliptic curve
## Y² = X³ + aXZ⁴ + bZ⁶ (Jacobian coordinates)
## y² = x³ + a x + b (affine coordinate)
@ -86,7 +91,7 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Jac[F], x, z: F): SecretBool =
##
## Note: Dedicated robust procedures for hashing-to-curve
## will be provided, this is intended for testing purposes.
P.y.curve_eq_rhs(x)
P.y.curve_eq_rhs(x, Tw)
# TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
result = sqrt_if_square(P.y)
@ -97,7 +102,9 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Jac[F], x, z: F): SecretBool =
P.y *= z
P.z = z
func trySetFromCoordX*[F](P: var ECP_ShortW_Jac[F], x: F): SecretBool =
func trySetFromCoordX*[F; Tw](
P: var ECP_ShortW_Jac[F, Tw],
x: F): SecretBool =
## Try to create a point the elliptic curve
## y² = x³ + a x + b (affine coordinate)
##
@ -108,7 +115,7 @@ func trySetFromCoordX*[F](P: var ECP_ShortW_Jac[F], x: F): SecretBool =
##
## Note: Dedicated robust procedures for hashing-to-curve
## will be provided, this is intended for testing purposes.
P.y.curve_eq_rhs(x)
P.y.curve_eq_rhs(x, Tw)
# TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
result = sqrt_if_square(P.y)
P.x = x
@ -129,9 +136,9 @@ func cneg*(P: var ECP_ShortW_Jac, ctl: CTBool) =
## Negate if ``ctl`` is true
P.y.cneg(ctl)
func sum*[F](
r: var ECP_ShortW_Jac[F],
P, Q: ECP_ShortW_Jac[F]
func sum*[F; Tw: static Twisted](
r: var ECP_ShortW_Jac[F, Tw],
P, Q: ECP_ShortW_Jac[F, Tw]
) =
## Elliptic curve point addition for Short Weierstrass curves in Jacobian coordinates
##
@ -286,9 +293,9 @@ func sum*[F](
r.ccopy(Q, P.isInf())
r.ccopy(P, Q.isInf())
func double*[F](
r: var ECP_ShortW_Jac[F],
P: ECP_ShortW_Jac[F]
func double*[F; Tw: static Twisted](
r: var ECP_ShortW_Jac[F, Tw],
P: ECP_ShortW_Jac[F, Tw]
) =
## Elliptic curve point doubling for Short Weierstrass curves in projective coordinate
##
@ -365,7 +372,9 @@ func diff*(r: var ECP_ShortW_Jac,
nQ.neg()
r.sum(P, nQ)
func affineFromJacobian*[F](aff: var ECP_ShortW_Aff[F], jac: ECP_ShortW_Jac) =
func affineFromJacobian*[F; Tw](
aff: var ECP_ShortW_Aff[F, Tw],
jac: ECP_ShortW_Jac[F, Tw]) =
var invZ {.noInit.}, invZ2: F
invZ.inv(jac.z)
invZ2.square(invZ)
@ -374,7 +383,9 @@ func affineFromJacobian*[F](aff: var ECP_ShortW_Aff[F], jac: ECP_ShortW_Jac) =
aff.y.prod(jac.y, invZ)
aff.y.prod(jac.y, invZ2)
func projectiveFromJacobian*[F](jac: var ECP_ShortW_Jac, aff: ECP_ShortW_Aff[F]) {.inline.} =
func projectiveFromJacobian*[F; Tw](
jac: var ECP_ShortW_Jac[F, Tw],
aff: ECP_ShortW_Aff[F, Tw]) {.inline.} =
jac.x = aff.x
jac.y = aff.y
jac.z.setOne()
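Review bot: in the unchanged context at the top of this hunk, `aff.y.prod(jac.y, invZ)` is immediately overwritten by `aff.y.prod(jac.y, invZ2)`, so the affine y comes out as Y/Z² instead of Y/Z³; the second line should be `aff.y *= invZ2`. Separately, `projectiveFromJacobian` takes an affine point and writes a Jacobian one, so it should be named `jacobianFromAffine` to match `affineFromJacobian` above and `projectiveFromAffine` in the projective module.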

@ -13,6 +13,8 @@ import
../towers,
./ec_shortweierstrass_affine
export Twisted
# ############################################################
#
# Elliptic Curve in Short Weierstrass form
@ -20,7 +22,7 @@ import
#
# ############################################################
type ECP_ShortW_Proj*[F] = object
type ECP_ShortW_Proj*[F; Tw: static Twisted] = object
## Elliptic curve point for a curve in Short Weierstrass form
## y² = x³ + a x + b
##
@ -32,10 +34,11 @@ type ECP_ShortW_Proj*[F] = object
## Note that projective coordinates are not unique
x*, y*, z*: F
func `==`*[F](P, Q: ECP_ShortW_Proj[F]): SecretBool =
func `==`*(P, Q: ECP_ShortW_Proj): SecretBool =
## Constant-time equality check
## This is a costly operation
# Reminder: the representation is not unique
type F = ECP_ShortW_Proj.F
var a{.noInit.}, b{.noInit.}: F
@ -71,7 +74,9 @@ func ccopy*(P: var ECP_ShortW_Proj, Q: ECP_ShortW_Proj, ctl: SecretBool) =
for fP, fQ in fields(P, Q):
ccopy(fP, fQ, ctl)
func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Proj[F], x, z: F): SecretBool =
func trySetFromCoordsXandZ*[F; Tw](
P: var ECP_ShortW_Proj[F, Tw],
x, z: F): SecretBool =
## Try to create a point the elliptic curve
## Y²Z = X³ + aXZ² + bZ³ (projective coordinates)
## y² = x³ + a x + b (affine coordinate)
@ -80,7 +85,7 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Proj[F], x, z: F): SecretBool =
##
## Note: Dedicated robust procedures for hashing-to-curve
## will be provided, this is intended for testing purposes.
P.y.curve_eq_rhs(x)
P.y.curve_eq_rhs(x, Tw)
# TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
result = sqrt_if_square(P.y)
@ -88,7 +93,9 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Proj[F], x, z: F): SecretBool =
P.y *= z
P.z = z
func trySetFromCoordX*[F](P: var ECP_ShortW_Proj[F], x: F): SecretBool =
func trySetFromCoordX*[F; Tw](
P: var ECP_ShortW_Proj[F, Tw],
x: F): SecretBool =
## Try to create a point the elliptic curve
## y² = x³ + a x + b (affine coordinate)
##
@ -99,7 +106,7 @@ func trySetFromCoordX*[F](P: var ECP_ShortW_Proj[F], x: F): SecretBool =
##
## Note: Dedicated robust procedures for hashing-to-curve
## will be provided, this is intended for testing purposes.
P.y.curve_eq_rhs(x)
P.y.curve_eq_rhs(x, Tw)
# TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
result = sqrt_if_square(P.y)
P.x = x
@ -120,9 +127,9 @@ func cneg*(P: var ECP_ShortW_Proj, ctl: CTBool) =
## Negate if ``ctl`` is true
P.y.cneg(ctl)
func sum*[F](
r: var ECP_ShortW_Proj[F],
P, Q: ECP_ShortW_Proj[F]
func sum*[F; Tw: static Twisted](
r: var ECP_ShortW_Proj[F, Tw],
P, Q: ECP_ShortW_Proj[F, Tw]
) =
## Elliptic curve point addition for Short Weierstrass curves in projective coordinates
##
@ -180,32 +187,32 @@ func sum*[F](
t3 *= t4 # 6. t₃ <- t₃ * t₄
t4.sum(t0, t1) # 7. t₄ <- t₀ + t₁
t3 -= t4 # 8. t₃ <- t₃ - t₄ t₃ = (X₁ + Y₁)(X₂ + Y₂) - (X₁X₂ + Y₁Y₂) = X₁Y₂ + X₂Y₁
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
t3 *= SexticNonResidue
t4.sum(P.y, P.z) # 9. t₄ <- Y₁ + Z₁
r.x.sum(Q.y, Q.z) # 10. X₃ <- Y₂ + Z₂
t4 *= r.x # 11. t₄ <- t₄ X₃
r.x.sum(t1, t2) # 12. X₃ <- t₁ + t₂ X₃ = Y₁Y₂ + Z₁Z₂
t4 -= r.x # 13. t₄ <- t₄ - X₃ t₄ = (Y₁ + Z₁)(Y₂ + Z₂) - (Y₁Y₂ + Z₁Z₂) = Y₁Z₂ + Y₂Z₁
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
t4 *= SexticNonResidue
r.x.sum(P.x, P.z) # 14. X₃ <- X₁ + Z₁
r.y.sum(Q.x, Q.z) # 15. Y₃ <- X₂ + Z₂
r.x *= r.y # 16. X₃ <- X₃ Y₃ X₃ = (X₁Z₁)(X₂Z₂)
r.y.sum(t0, t2) # 17. Y₃ <- t₀ + t₂ Y₃ = X₁ X₂ + Z₁ Z₂
r.y.diffAlias(r.x, r.y) # 18. Y₃ <- X₃ - Y₃ Y₃ = (X₁ + Z₁)(X₂ + Z₂) - (X₁ X₂ + Z₁ Z₂) = X₁Z₂ + X₂Z₁
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
t0 *= SexticNonResidue
t1 *= SexticNonResidue
r.x.double(t0) # 19. X₃ <- t₀ + t₀ X₃ = 2 X₁X₂
t0 += r.x # 20. t₀ <- X₃ + t₀ t₀ = 3 X₁X₂
t2 *= b3 # 21. t₂ <- 3b t₂ t₂ = 3bZ₁Z₂
when F is Fp2 and F.C.getSexticTwist() == M_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
t2 *= SexticNonResidue
r.z.sum(t1, t2) # 22. Z₃ <- t₁ + t₂ Z₃ = Y₁Y₂ + 3bZ₁Z₂
t1 -= t2 # 23. t₁ <- t₁ - t₂ t₁ = Y₁Y₂ - 3bZ₁Z₂
r.y *= b3 # 24. Y₃ <- 3b Y₃ Y₃ = 3b(X₁Z₂ + X₂Z₁)
when F is Fp2 and F.C.getSexticTwist() == M_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
r.y *= SexticNonResidue
r.x.prod(t4, r.y) # 25. X₃ <- t₄ Y₃ X₃ = 3b(Y₁Z₂ + Y₂Z₁)(X₁Z₂ + X₂Z₁)
t2.prod(t3, t1) # 26. t₂ <- t₃ t₁ t₂ = (X₁Y₂ + X₂Y₁) (Y₁Y₂ - 3bZ₁Z₂)
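Review bot: with the twist condition now `Tw == OnTwist` instead of `F is Fp2`, the `*= SexticNonResidue` lines in this hunk get instantiated for points over 𝔽p (BW6-761 G2), so `SexticNonResidue` must resolve to an 𝔽p constant for such curves; the BW6-761 declaration in this commit only supplies `sexticNonResidue_fp2`. A `static: doAssert` at the top of `sum` that the non-residue is defined for `F` would give a clear compile-time message instead of an overload-resolution error deep in the formula.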
@ -219,9 +226,10 @@ func sum*[F](
else:
{.error: "Not implemented.".}
func madd*[F](
r: var ECP_ShortW_Proj[F],
P: ECP_ShortW_Proj[F], Q: ECP_ShortW_Aff[F]
func madd*[F; Tw: static Twisted](
r: var ECP_ShortW_Proj[F, Tw],
P: ECP_ShortW_Proj[F, Tw],
Q: ECP_ShortW_Aff[F, Tw]
) =
## Elliptic curve mixed addition for Short Weierstrass curves
## with p in Projective coordinates and Q in affine coordinates
@ -247,27 +255,27 @@ func madd*[F](
t3 *= t4 # 5. t₃ <- t₃ * t₄
t4.sum(t0, t1) # 6. t₄ <- t₀ + t₁
t3 -= t4 # 7. t₃ <- t₃ - t₄, t₃ = (X₁ + Y₁)(X₂ + Y₂) - (X₁ X₂ + Y₁ Y₂) = X₁Y₂ + X₂Y₁
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
t3 *= SexticNonResidue
t4.prod(Q.y, P.z) # 8. t₄ <- Y₂ Z₁
t4 += P.y # 9. t₄ <- t₄ + Y₁, t₄ = Y₁+Y₂Z₁
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
t4 *= SexticNonResidue
r.y.prod(Q.x, P.z) # 10. Y₃ <- X₂ Z₁
r.y += P.x # 11. Y₃ <- Y₃ + X₁, Y₃ = X₁ + X₂Z₁
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
t0 *= SexticNonResidue
t1 *= SexticNonResidue
r.x.double(t0) # 12. X₃ <- t₀ + t₀
t0 += r.x # 13. t₀ <- X₃ + t₀, t₀ = 3X₁X₂
t2 = P.z
t2 *= b3 # 14. t₂ <- 3bZ₁
when F is Fp2 and F.C.getSexticTwist() == M_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
t2 *= SexticNonResidue
r.z.sum(t1, t2) # 15. Z₃ <- t₁ + t₂, Z₃ = Y₁Y₂ + 3bZ₁
t1 -= t2 # 16. t₁ <- t₁ - t₂, t₁ = Y₁Y₂ - 3bZ₁
r.y *= b3 # 17. Y₃ <- 3bY₃, Y₃ = 3b(X₁ + X₂Z₁)
when F is Fp2 and F.C.getSexticTwist() == M_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
r.y *= SexticNonResidue
r.x.prod(t4, r.y) # 18. X₃ <- t₄ Y₃, X₃ = (Y₁ + Y₂Z₁) 3b(X₁ + X₂Z₁)
t2.prod(t3, t1) # 19. t₂ <- t₃ t₁, t₂ = (X₁Y₂ + X₂Y₁)(Y₁Y₂ - 3bZ₁)
@ -281,9 +289,9 @@ func madd*[F](
else:
{.error: "Not implemented.".}
func double*[F](
r: var ECP_ShortW_Proj[F],
P: ECP_ShortW_Proj[F]
func double*[F; Tw: static Twisted](
r: var ECP_ShortW_Proj[F, Tw],
P: ECP_ShortW_Proj[F, Tw]
) =
## Elliptic curve point doubling for Short Weierstrass curves in projective coordinate
##
@ -327,7 +335,7 @@ func double*[F](
# Y₃ = (Y² - 9bZ²)(Y² + 3bZ²) + 24bY²Z²
# Z₃ = 8Y³Z
snrY = P.y
when F is Fp2 and F.C.getSexticTwist() == D_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
snrY *= SexticNonResidue
t0.square(P.y)
t0 *= SexticNonResidue
@ -339,7 +347,7 @@ func double*[F](
t1.prod(snrY, P.z) # 5. t₁ <- Y Z
t2.square(P.z) # 6. t₂ <- Z Z
t2 *= b3 # 7. t₂ <- 3b t₂
when F is Fp2 and F.C.getSexticTwist() == M_Twist:
when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
t2 *= SexticNonResidue
r.x.prod(t2, r.z) # 8. X₃ <- t₂ Z₃
r.y.sum(t0, t2) # 9. Y₃ <- t₀ + t₂
@ -355,25 +363,25 @@ func double*[F](
else:
{.error: "Not implemented.".}
func `+=`*[F](P: var ECP_ShortW_Proj[F], Q: ECP_ShortW_Proj[F]) =
func `+=`*(P: var ECP_ShortW_Proj, Q: ECP_ShortW_Proj) =
## In-place point addition
# TODO test for aliasing support
var tmp {.noInit.}: ECP_ShortW_Proj[F]
var tmp {.noInit.}: ECP_ShortW_Proj
tmp.sum(P, Q)
P = tmp
func `+=`*[F](P: var ECP_ShortW_Proj[F], Q: ECP_ShortW_Aff[F]) =
func `+=`*(P: var ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
## In-place mixed point addition
# used in line_addition
P.madd(P, Q)
func double*[F](P: var ECP_ShortW_Proj[F]) =
var tmp {.noInit.}: ECP_ShortW_Proj[F]
func double*(P: var ECP_ShortW_Proj) =
var tmp {.noInit.}: ECP_ShortW_Proj
tmp.double(P)
P = tmp
func diff*[F](r: var ECP_ShortW_Proj[F],
P, Q: ECP_ShortW_Proj[F]
func diff*(r: var ECP_ShortW_Proj,
P, Q: ECP_ShortW_Proj
) =
## r = P - Q
## Can handle r and Q aliasing
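Review bot: `var tmp {.noInit.}: ECP_ShortW_Proj` in `+=` and `double` relies on Nim's bind-once rule for implicit generics to pick up the instantiation of `P`; `var tmp {.noInit.}: typeof(P)` states the intent explicitly and keeps working if the parameter types ever diverge. The `# TODO test for aliasing support` still applies: `tmp.sum(P, Q)` followed by `P = tmp` is alias-safe, but the mixed `+=` calls `P.madd(P, Q)` with `r` and `P` being the same object, so it depends on `madd` being alias-safe, which deserves an explicit test.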
@ -381,14 +389,18 @@ func diff*[F](r: var ECP_ShortW_Proj[F],
nQ.neg()
r.sum(P, nQ)
func affineFromProjective*[F](aff: var ECP_ShortW_Aff[F], proj: ECP_ShortW_Proj) =
func affineFromProjective*[F, Tw](
aff: var ECP_ShortW_Aff[F, Tw],
proj: ECP_ShortW_Proj[F, Tw]) =
var invZ {.noInit.}: F
invZ.inv(proj.z)
aff.x.prod(proj.x, invZ)
aff.y.prod(proj.y, invZ)
func projectiveFromAffine*[F](proj: var ECP_ShortW_Proj, aff: ECP_ShortW_Aff[F]) {.inline.} =
func projectiveFromAffine*[F, Tw](
proj: var ECP_ShortW_Proj[F, Tw],
aff: ECP_ShortW_Aff[F, Tw]) {.inline.} =
proj.x = aff.x
proj.y = aff.y
proj.z.setOne()

@ -42,40 +42,40 @@ const Cofactor_Eff_BLS12_381_G1 = BigInt[64].fromHex"0xd201000000010001"
const Cofactor_Eff_BLS12_381_G2 = BigInt[636].fromHex"0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551"
## P -> (x^2 - x - 1) P + (x - 1) psi(P) + psi(psi(2P))
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Nogami]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Nogami], NotOnTwist]) {.inline.} =
## Clear the cofactor of BN254_Nogami G1
## BN curve have a G1 cofactor of 1 so this is a no-op
discard
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Nogami]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist]) {.inline.} =
## Clear the cofactor of BN254_Snarks G2
# Endomorphism acceleration cannot be used if cofactor is not cleared
P.scalarMulGeneric(Cofactor_Eff_BN254_Nogami_G2)
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Snarks]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist]) {.inline.} =
## Clear the cofactor of BN254_Snarks G1
## BN curve have a G1 cofactor of 1 so this is a no-op
discard
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Snarks]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist]) {.inline.} =
## Clear the cofactor of BN254_Snarks G2
# Endomorphism acceleration cannot be used if cofactor is not cleared
P.scalarMulGeneric(Cofactor_Eff_BN254_Snarks_G2)
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_377]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist]) {.inline.} =
## Clear the cofactor of BLS12_377 G1
P.scalarMulGeneric(Cofactor_Eff_BLS12_377_G1)
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_377]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist]) {.inline.} =
## Clear the cofactor of BLS12_377 G2
# Endomorphism acceleration cannot be used if cofactor is not cleared
P.scalarMulGeneric(Cofactor_Eff_BLS12_377_G2)
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_381]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist]) {.inline.} =
## Clear the cofactor of BLS12_381 G1
P.scalarMulGeneric(Cofactor_Eff_BLS12_381_G1)
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_381]]) {.inline.} =
func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]) {.inline.} =
## Clear the cofactor of BLS12_381 G2
# Endomorphism acceleration cannot be used if cofactor is not cleared
P.scalarMulGeneric(Cofactor_Eff_BLS12_381_G2)
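Review bot: the docstring on the `ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist]` overload says `## Clear the cofactor of BN254_Snarks G2`; it should say BN254_Nogami. No `clearCofactorReference` overload is added for BW6-761 although this commit adds its G1 and G2; because the `OnTwist` group of BW6-761 is over `Fp` rather than `Fp2`, the existing `Fp[...]`/`Fp2[...]` pairing of overloads will not carry over, so a comment stating that BW6-761 cofactor clearing is deferred would save the next reader a search.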

@ -41,7 +41,7 @@ func toHex*[EC](P: EC): string =
##
## This proc output may change format in the future
var aff {.noInit.}: ECP_ShortW_Aff[EC.F]
var aff {.noInit.}: ECP_ShortW_Aff[EC.F, EC.Tw]
when EC is ECP_ShortW_Proj:
aff.affineFromProjective(P)
elif EC is ECP_ShortW_Jac:
@ -64,7 +64,7 @@ func fromHex*(dst: var (ECP_ShortW_Proj or ECP_ShortW_Jac), x, y: string): bool
dst.x.fromHex(x)
dst.y.fromHex(y)
dst.z.setOne()
return bool(isOnCurve(dst.x, dst.y))
return bool(isOnCurve(dst.x, dst.y, dst.Tw))
func fromHex*(dst: var (ECP_ShortW_Proj or ECP_ShortW_Jac), x0, x1, y0, y1: string): bool {.raises: [ValueError].}=
## Convert hex strings to a G2 curve point
@ -75,7 +75,7 @@ func fromHex*(dst: var (ECP_ShortW_Proj or ECP_ShortW_Jac), x0, x1, y0, y1: stri
dst.x.fromHex(x0, x1)
dst.y.fromHex(y0, y1)
dst.z.setOne()
return bool(isOnCurve(dst.x, dst.y))
return bool(isOnCurve(dst.x, dst.y, dst.Tw))
func fromHex*(dst: var ECP_ShortW_Aff, x, y: string): bool {.raises: [ValueError].}=
## Convert hex strings to a G1 curve point
@ -85,7 +85,7 @@ func fromHex*(dst: var ECP_ShortW_Aff, x, y: string): bool {.raises: [ValueError
static: doAssert dst.F is Fp, "dst must be on G1, an elliptic curve over 𝔽p"
dst.x.fromHex(x)
dst.y.fromHex(y)
return bool(isOnCurve(dst.x, dst.y))
return bool(isOnCurve(dst.x, dst.y, dst.Tw))
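Review bot: `static: doAssert dst.F is Fp, "dst must be on G1, an elliptic curve over 𝔽p"` and the `## Convert hex strings to a G1 curve point` docstring equate two coordinates with G1, and the four-coordinate overload below equates 𝔽p2 with G2; with BW6-761 both G1 and G2 are over 𝔽p, so a G2 point of that curve goes through this overload and the message is misleading. Phrase the assertions and docstrings in terms of the coordinate field (`𝔽p` vs `𝔽p2`) now that `dst.Tw` carries the twist information separately.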
func fromHex*(dst: var ECP_ShortW_Aff, x0, x1, y0, y1: string): bool {.raises: [ValueError].}=
## Convert hex strings to a G2 curve point
@ -95,4 +95,4 @@ func fromHex*(dst: var ECP_ShortW_Aff, x0, x1, y0, y1: string): bool {.raises: [
static: doAssert dst.F is Fp2, "dst must be on G2, an elliptic curve over 𝔽p2"
dst.x.fromHex(x0, x1)
dst.y.fromHex(y0, y1)
return bool(isOnCurve(dst.x, dst.y))
return bool(isOnCurve(dst.x, dst.y, dst.Tw))

@ -8,7 +8,9 @@
import
./io_bigints,
../arithmetic/finite_fields
../config/common,
../arithmetic/finite_fields,
../primitives
# No exceptions allowed
{.push raises: [].}
@ -23,10 +25,25 @@ import
func fromUint*(dst: var Fp,
src: SomeUnsignedInt) =
## Parse a regular unsigned integer
## and store it into a BigInt of size `bits`
## and store it into a Fp
let raw {.noinit.} = (type dst.mres).fromRawUint(cast[array[sizeof(src), byte]](src), cpuEndian)
dst.fromBig(raw)
func fromInt*(dst: var Fp,
src: SomeInteger) =
## Parse a regular signed integer
## and store it into a Fp
## A negative integer will be instantiated as a negated number (mod p)
when src is SomeUnsignedInt:
dst.fromUint(src)
else:
const msb_pos = src.sizeof * 8 - 1
let isNeg = SecretBool((src shr msb_pos) and 1)
let src = isNeg.mux(SecretWord -src, SecretWord src)
let raw {.noinit.} = (type dst.mres).fromRawUint(cast[array[sizeof(src), byte]](src), cpuEndian)
dst.fromBig(raw)
func exportRawUint*(dst: var openarray[byte],
src: Fp,
dstEndianness: static Endianness) =
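Review bot: `fromInt` computes `|src|` via `isNeg.mux(SecretWord -src, SecretWord src)` and loads it with `dst.fromBig(raw)`, but never applies the sign, so a negative input yields `|src| mod p` rather than the `-|src| mod p` the docstring promises; add `dst.cneg(isNeg)` after `dst.fromBig(raw)`. The callers in this commit only pass non-negative values (`curve_eq_rhs` splits on the sign of `coef_b` itself), which is why no test catches it. Separately, `-src` overflows for `low(typeof src)`; harmless for the curve constants involved, but a `doAssert` or a comment would record the limit.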

@ -12,6 +12,7 @@ import
std/typetraits,
# Internal
./io_bigints, ./io_fields,
../arithmetic/finite_fields,
../towers
# No exceptions allowed
@ -103,3 +104,21 @@ func fromHex*(T: typedesc[Fp12],
c8, c9, c10, c11: string): T {.raises: [ValueError].}=
## Convert 12 coordinates to an element of 𝔽p12
result.fromHex(c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11)
func fromUint*(a: var ExtensionField, src: SomeUnsignedInt) =
## Set ``a`` to the bigint value int eh extension field
for fieldName, fA in fieldPairs(a):
when fieldName == "c0":
fA.fromUint(src)
else:
fA.setZero()
func fromInt*(a: var ExtensionField, src: SomeInteger) =
## Parse a regular signed integer
## and store it into a Fp^n
## A negative integer will be instantiated as a negated number (mod p^n)
for fieldName, fA in fieldPairs(a):
when fieldName == "c0":
fA.fromInt(src)
else:
fA.setZero()
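Review bot: the docstring `## Set ``a`` to the bigint value int eh extension field` has a typo (`int eh` should be `in the`), and the value is an unsigned integer, not a bigint. Both `fromUint` and `fromInt` iterate `fieldPairs(a)` and zero every coordinate except `c0`, which is correct only if `c0` is the constant term at every tower level; a `static: doAssert` that `a` has a `c0` field, or a comment stating that invariant, would make the assumption explicit. `fromInt` for a negative `src` also inherits whatever `Fp.fromInt` does with the sign.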

@ -40,11 +40,11 @@ func finalExpEasy*[C: static Curve](f: var Fp12[C]) =
## an unique Gₜ representation
## (reminder, Gₜ is a multiplicative group hence we exponentiate by the cofactor)
##
## i.e. Fp^12 --> (fexp easy) --> Gϕ₁₂ --> (fexp hard) --> Gₜ
## i.e. Fp¹² --> (fexp easy) --> Gϕ₁₂ --> (fexp hard) --> Gₜ
##
## The final exponentiation is fexp = f^((p^12 - 1) / r)
## The final exponentiation is fexp = f^((p¹² - 1) / r)
## It is separated into:
## f^((p^12 - 1) / r) = (p^12 - 1) / ϕ₁₂(p) * ϕ₁₂(p) / r
## f^((p¹² - 1) / r) = (p¹² - 1) / ϕ₁₂(p) * ϕ₁₂(p) / r
##
## with the cyclotomic polynomial ϕ₁₂(p) = (p⁴-p²+1)
##
@ -53,10 +53,10 @@ func finalExpEasy*[C: static Curve](f: var Fp12[C]) =
## f^(p⁶1)(p²+1)
##
## And properties are
## 0. f^(p⁶) ≡ conj(f) (mod p^12) for all f in Fp12
## 0. f^(p⁶) ≡ conj(f) (mod p¹²) for all f in Fp12
##
## After g = f^(p⁶1) the result g is on the cyclotomic subgroup
## 1. g^(-1) ≡ g^(p⁶) (mod p^12)
## 1. g^(-1) ≡ g^(p⁶) (mod p¹²)
## 2. Inversion can be done with conjugate
## 3. g is unitary, its norm |g| (the product of conjugates) is 1
## 4. Squaring has a fast compressed variant.
@ -66,43 +66,43 @@ func finalExpEasy*[C: static Curve](f: var Fp12[C]) =
# Fp12 can be defined as a quadratic extension over Fp⁶
# with g = g₀ + x g₁ with x a quadratic non-residue
#
# with q = p⁶
# with q = p⁶, q² = p¹²
# The frobenius map f^q ≡ (f₀ + x f₁)^q (mod q²)
# ≡ f₀^q + x^q f₁^q (mod q²)
# ≡ f₀ + x^q f₁ (mod q²)
# ≡ f₀ - x f₁ (mod q²)
# hence
# f^p⁶ ≡ conj(f) (mod p^12)
# f^p⁶ ≡ conj(f) (mod p¹²)
# Q.E.D. of (0)
#
# ----------------
#
# p^12 - 1 = (p⁶1)(p⁶+1) = (p⁶1)(p²+1)(p⁴-p²+1)
# p¹² - 1 = (p⁶1)(p⁶+1) = (p⁶1)(p²+1)(p⁴-p²+1)
# by Fermat's little theorem we have
# f^(p^12 - 1) ≡ 1 (mod p^12)
# f^(p¹² - 1) ≡ 1 (mod p¹²)
#
# Hence f^(p⁶1)(p⁶+1) ≡ 1 (mod p^12)
# Hence f^(p⁶1)(p⁶+1) ≡ 1 (mod p¹²)
#
# We call g = f^(p⁶1) we have
# g^(p⁶+1) ≡ 1 (mod p^12) <=> g^(p⁶) * g ≡ 1 (mod p^12)
# hence g^(-1) ≡ g^(p⁶) (mod p^12)
# g^(p⁶+1) ≡ 1 (mod p¹²) <=> g^(p⁶) * g ≡ 1 (mod p¹²)
# hence g^(-1) ≡ g^(p⁶) (mod p¹²)
# Q.E.D. of (1)
#
# --
#
# From (1) g^(-1) ≡ g^(p⁶) (mod p^12) for g = f^(p⁶1)
# and (0) f^p⁶ ≡ conj(f) (mod p^12) for all f in fp12
# From (1) g^(-1) ≡ g^(p⁶) (mod p¹²) for g = f^(p⁶1)
# and (0) f^p⁶ ≡ conj(f) (mod p¹²) for all f in fp12
#
# so g^(-1) ≡ conj(g) (mod p^12) for g = f^(p⁶1)
# so g^(-1) ≡ conj(g) (mod p¹²) for g = f^(p⁶1)
# Q.E.D. of (2)
#
# --
#
# f^(p^12 - 1) ≡ 1 (mod p^12) by Fermat's Little Theorem
# f^(p⁶1)(p⁶+1) ≡ 1 (mod p^12)
# g^(p⁶+1) ≡ 1 (mod p^12)
# g * g^p⁶ ≡ 1 (mod p^12)
# g * conj(g) ≡ 1 (mod p^12)
# f^(p¹² - 1) ≡ 1 (mod p¹²) by Fermat's Little Theorem
# f^(p⁶1)(p⁶+1) ≡ 1 (mod p¹²)
# g^(p⁶+1) ≡ 1 (mod p¹²)
# g * g^p⁶ ≡ 1 (mod p¹²)
# g * conj(g) ≡ 1 (mod p¹²)
# Q.E.D. of (3)
var g {.noinit.}: typeof(f)
g.inv(f) # g = f^-1

@ -16,7 +16,7 @@ import
../io/io_towers
type
Line*[F; twist: static SexticTwist] = object
Line*[F] = object
## Packed line representation over a E'(Fp^k/d)
## with k the embedding degree and d the twist degree
## i.e. for a curve with embedding degree 12 and sextic twist
@ -47,9 +47,10 @@ func toHex*(line: Line, order: static Endianness = bigEndian): string =
# Line evaluation
# --------------------------------------------------
func line_update*(line: var Line, P: ECP_ShortW_Aff) =
func line_update*[F1, F2](line: var Line[F2], P: ECP_ShortW_Aff[F1, NotOnTwist]) =
## Update the line evaluation with P
## after addition or doubling
## P in G1
static: doAssert F1.C == F2.C
line.x *= P.y
line.z *= P.x

@ -44,7 +44,9 @@ export lines_common
# Line evaluation only
# -----------------------------------------------------------------------------
func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
func line_eval_double[F](
line: var Line[F],
T: ECP_ShortW_Proj[F, OnTwist]) =
## Evaluate the line function for doubling
## i.e. the tangent at T
##
@ -83,8 +85,8 @@ func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
## A constant factor on twisted coordinates pᵏᐟᵈ
## is a constant factor on pᵏ with d the twisting degree
## and so will be elminated. QED.
var v {.noInit.}: Line.F
const b3 = 3 * ECP_ShortW_Proj.F.C.getCoefB()
var v {.noInit.}: F
const b3 = 3 * F.C.getCoefB()
template A: untyped = line.x
template B: untyped = line.y
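Review bot: `const b3 = 3 * F.C.getCoefB()` is `-3` for BW6-761 (`coef_b: -1` in the new curve declaration), so `B *= b3` in the next hunk multiplies by a negative compile-time int; confirm the `*=`(F, int) overload accepts negative multipliers, since the same constant feeds `t2 *= b3` and `r.y *= b3` in the projective `sum`, `madd` and `double` formulas. If it only supports small positive ints, materialize `b3` once as a field element via `fromInt`, which also keeps the multiplication constant-time regardless of sign.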
@ -106,9 +108,9 @@ func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
B *= b3 # B = 3b Z²
C *= 3 # C = 3X²
when ECP_ShortW_Proj.F.C.getSexticTwist() == M_Twist:
when F.C.getSexticTwist() == M_Twist:
B *= SexticNonResidue # B = 3b' Z² = 3bξ Z²
elif ECP_ShortW_Proj.F.C.getSexticTwist() == D_Twist:
elif F.C.getSexticTwist() == D_Twist:
v *= SexticNonResidue # v = ξ Y²
C *= SexticNonResidue # C = 3ξ X²
else:
@ -117,7 +119,10 @@ func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
B -= v # B = 3bξ Z² - Y² (M-twist)
# B = 3b Z² - ξ Y² (D-twist)
func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
func line_eval_add[F](
line: var Line[F],
T: ECP_ShortW_Proj[F, OnTwist],
Q: ECP_ShortW_Aff[F, OnTwist]) =
## Evaluate the line function for addition
## i.e. the line between T and Q
##
@ -137,7 +142,7 @@ func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
## Note: There is no need for complete formula as
## we have T ∉ [Q, -Q] in the Miller loop doubling-and-add
## i.e. the line cannot be vertical
var v {.noInit.}: Line.F
var v {.noInit.}: F
template A: untyped = line.x
template B: untyped = line.y
@ -155,7 +160,7 @@ func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
C -= v # C = Y₁-Z₁Y₂
v = A # v = X₁-Z₁X₂
when ECP_ShortW_Proj.F.C.getSexticTwist() == M_Twist:
when F.C.getSexticTwist() == M_Twist:
A *= SexticNonResidue # A = ξ (X₁ - Z₁X₂)
v *= Q.y # v = (X₁-Z₁X₂) Y₂
@ -165,16 +170,18 @@ func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
C.neg() # C = -(Y₁-Z₁Y₂)
func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
func line_eval_fused_double[F](
line: var Line[F],
T: var ECP_ShortW_Proj[F, OnTwist]) =
## Fused line evaluation and elliptic point doubling
# Grewal et al, 2012 adapted to Scott 2019 line notation
var A {.noInit.}, B {.noInit.}, C {.noInit.}: Line.F
var E {.noInit.}, F {.noInit.}, G {.noInit.}: Line.F
var A {.noInit.}, B {.noInit.}, C {.noInit.}: F
var E {.noInit.}, F {.noInit.}, G {.noInit.}: F
template H: untyped = line.x
const b3 = 3*Line.F.C.getCoefB()
const b3 = 3*F.C.getCoefB()
var snrY = T.y
when Line.F.C.getSexticTwist() == D_Twist:
when F.C.getSexticTwist() == D_Twist:
snrY *= SexticNonResidue
A.prod(T.x, snrY)
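Review bot: `var E {.noInit.}, F {.noInit.}, G {.noInit.}: F` declares a local named `F` of type `F`, shadowing the generic parameter, so the following `F.C.getCoefB()` and `F.C.getSexticTwist()` resolve through the variable's generic-parameter access rather than the type; it compiles, but it is fragile and misleading. Rename either the temporaries (for instance `tA`..`tI` for the Grewal et al. letters) or the type parameter; `line_eval_fused_add` further down has the same `F {.noInit.}: F` pattern.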
@ -183,12 +190,12 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
C.square(T.z) # C = Z²
var snrB = B
when Line.F.C.getSexticTwist() == D_Twist:
when F.C.getSexticTwist() == D_Twist:
snrB *= SexticNonResidue
E = C
E *= b3
when Line.F.C.getSexticTwist() == M_Twist:
when F.C.getSexticTwist() == M_Twist:
E *= SexticNonResidue # E = 3b'Z² = 3bξ Z²
F = E
@ -202,7 +209,7 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
line.z.square(T.x)
line.z *= 3 # lz = 3X²
when Line.F.C.getSexticTwist() == D_Twist:
when F.C.getSexticTwist() == D_Twist:
line.z *= SexticNonResidue
line.y.diff(E, snrB) # ly = E-B = 3b'Z² - Y²
@ -220,7 +227,7 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
# M-twist: (Y²+9bξZ²)²/4 - 3*(3bξZ²)²
# D-Twist: (ξY²+9bZ²)²/4 - 3*(3bZ²)²
when Line.F.C.getSexticTwist() == D_Twist:
when F.C.getSexticTwist() == D_Twist:
H *= SexticNonResidue
T.z.prod(snrB, H) # Z₃ = BH = Y²((Y+Z)² - (Y²+Z²)) = 2Y³Z
# M-twist: 2Y³Z
@ -228,23 +235,26 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
# Correction for Fp4 towering
H.neg() # lx = -H
when Line.F.C.getSexticTwist() == M_Twist:
when F.C.getSexticTwist() == M_Twist:
H *= SexticNonResidue
# else: the SNR is already integrated in H
func line_eval_fused_add(line: var Line, T: var ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
func line_eval_fused_add[F](
line: var Line[F],
T: var ECP_ShortW_Proj[F, OnTwist],
Q: ECP_ShortW_Aff[F, OnTwist]) =
## Fused line evaluation and elliptic point addition
# Grewal et al, 2012 adapted to Scott 2019 line notation
var
A {.noInit.}: Line.F
B {.noInit.}: Line.F
C {.noInit.}: Line.F
D {.noInit.}: Line.F
E {.noInit.}: Line.F
F {.noInit.}: Line.F
G {.noInit.}: Line.F
H {.noInit.}: Line.F
I {.noInit.}: Line.F
A {.noInit.}: F
B {.noInit.}: F
C {.noInit.}: F
D {.noInit.}: F
E {.noInit.}: F
F {.noInit.}: F
G {.noInit.}: F
H {.noInit.}: F
I {.noInit.}: F
template lambda: untyped = line.x
template theta: untyped = line.z
@ -279,17 +289,21 @@ func line_eval_fused_add(line: var Line, T: var ECP_ShortW_Proj, Q: ECP_ShortW_A
# Line evaluation
theta.neg()
when ECP_ShortW_Proj.F.C.getSexticTwist() == M_Twist:
when F.C.getSexticTwist() == M_Twist:
lambda *= SexticNonResidue # A = ξ (X₁ - Z₁X₂)
# Public proc
# -----------------------------------------------------------------------------
func line_double*(line: var Line, T: var ECP_ShortW_Proj, P: ECP_ShortW_Aff) =
func line_double*[F1, F2](
line: var Line[F2],
T: var ECP_ShortW_Proj[F2, OnTwist],
P: ECP_ShortW_Aff[F1, NotOnTwist]) =
## Doubling step of the Miller loop
## T in G2, P in G1
##
## Compute lt,t(P)
static: doAssert F1.C == F2.C
when true:
line_eval_fused_double(line, T)
line.line_update(P)
@ -298,14 +312,16 @@ func line_double*(line: var Line, T: var ECP_ShortW_Proj, P: ECP_ShortW_Aff) =
line.line_update(P)
T.double()
func line_add*[C](
line: var Line,
T: var ECP_ShortW_Proj[Fp2[C]],
Q: ECP_ShortW_Aff[Fp2[C]], P: ECP_ShortW_Aff[Fp[C]]) =
func line_add*[F1, F2](
line: var Line[F2],
T: var ECP_ShortW_Proj[F2, OnTwist],
Q: ECP_ShortW_Aff[F2, OnTwist],
P: ECP_ShortW_Aff[F1, NotOnTwist]) =
## Addition step of the Miller loop
## T and Q in G2, P in G1
##
## Compute lt,q(P)
static: doAssert F1.C == F2.C
when true:
line_eval_fused_add(line, T, Q)
line.line_update(P)

@ -41,10 +41,10 @@ import
# 𝔽p12 by line - Sparse functions
# ----------------------------------------------------------------
func mul_by_line_xy0*[C: static Curve, twist: static SexticTwist](
func mul_by_line_xy0*[C: static Curve](
r: var Fp6[C],
a: Fp6[C],
b: Line[Fp2[C], twist]) =
b: Line[Fp2[C]]) =
## Sparse multiplication of an 𝔽p6
## with coordinates (a₀, a₁, a₂) by a line (x, y, 0)
## The z coordinates in the line will be ignored.
@ -68,19 +68,21 @@ func mul_by_line_xy0*[C: static Curve, twist: static SexticTwist](
r.c2.prod(a.c2, b.x)
r.c2 += v1
func mul_sparse_by_line_xy00z0*[C: static Curve, Tw: static SexticTwist](
f: var Fp12[C], l: Line[Fp2[C], Tw]) =
func mul_sparse_by_line_xy00z0*[C: static Curve](
f: var Fp12[C], l: Line[Fp2[C]]) =
## Sparse multiplication of an 𝔽p12 element
## by a sparse 𝔽p12 element coming from an D-Twist line function.
## The sparse element is represented by a packed Line type
## with coordinate (x,y,z) matching 𝔽p12 coordinates xy00z0 (TODO: verify this)
static: doAssert f.c0.typeof is Fp6, "This assumes 𝔽p12 as a quadratic extension of 𝔽p6"
static:
doAssert C.getSexticTwist() == D_Twist
doAssert f.c0.typeof is Fp6, "This assumes 𝔽p12 as a quadratic extension of 𝔽p6"
var
v0 {.noInit.}: Fp6[C]
v1 {.noInit.}: Fp6[C]
v2 {.noInit.}: Line[Fp2[C], Tw]
v2 {.noInit.}: Line[Fp2[C]]
v3 {.noInit.}: Fp6[C]
v0.mul_by_line_xy0(f.c0, l)
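Review bot: the doc comment of `mul_sparse_by_line_xy00z0` still says `(TODO: verify this)` about the `xy00z0` coordinate mapping, and this hunk only adds `doAssert C.getSexticTwist() == D_Twist` on top of it; a static twist check does not validate the layout claim. Resolve the TODO with a test that compares this routine against the dense 𝔽p12 multiplication by the line embedded at those coordinates, or remove the routine if nothing dispatches to it. While here, `coming from an D-Twist line function` should read `a D-Twist`.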
@ -100,14 +102,16 @@ func mul_sparse_by_line_xy00z0*[C: static Curve, Tw: static SexticTwist](
v3.c2.sum(v0.c2, v1.c1)
f.c0 = v3
func mul_sparse_by_line_xyz000*[C: static Curve, Tw: static SexticTwist](
f: var Fp12[C], l: Line[Fp2[C], Tw]) =
func mul_sparse_by_line_xyz000*[C: static Curve](
f: var Fp12[C], l: Line[Fp2[C]]) =
## Sparse multiplication of an 𝔽p12 element
## by a sparse 𝔽p12 element coming from an D-Twist line function.
## The sparse element is represented by a packed Line type
## with coordinates (x,y,z) matching 𝔽p12 coordinates xyz000
static: doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
static:
doAssert C.getSexticTwist() == D_Twist
doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
# In the following equations (taken from cubic extension implementation)
# a = f
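Review bot: the new static block in `mul_sparse_by_line_xyz000` pins both the twist kind and the 𝔽p4-cubic tower, which fixes the layout contract at compile time, but the same contract should be exercised at run time too: a single test multiplying a random 𝔽p12 element by a random line with the generic `Fp12` product, with the line's `(x, y, z)` placed at the `xyz000` positions, would catch an index slip that the asserts cannot. The doc comment also has the same `an D-Twist` typo as the routine above.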
@ -153,10 +157,12 @@ func mul_sparse_by_line_xyz000*[C: static Curve, Tw: static SexticTwist](
f.c2 *= b0
f.c2 += v1
func mul_sparse_by_line_xy000z*[C: static Curve, Tw: static SexticTwist](
f: var Fp12[C], l: Line[Fp2[C], Tw]) =
func mul_sparse_by_line_xy000z*[C: static Curve](
f: var Fp12[C], l: Line[Fp2[C]]) =
static: doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
static:
doAssert C.getSexticTwist() == M_Twist
doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
# In the following equations (taken from cubic extension implementation)
# a = f
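Review bot: `mul_sparse_by_line_xy000z` is the only one of the four sparse routines in this file without a doc comment; the static block now sits directly under the signature. Add the same header the others have, adapted to the M-twist case, e.g. `## Sparse multiplication of an 𝔽p12 element` / `## by a sparse 𝔽p12 element coming from a M-Twist line function` / `## with coordinates (x,y,z) matching 𝔽p12 coordinates xy000z`.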
@ -202,3 +208,11 @@ func mul_sparse_by_line_xy000z*[C: static Curve, Tw: static SexticTwist](
f.c1 *= b0
v2 *= NonResidue
f.c1 += v2
func mul*[C](f: var Fp12[C], line: Line[Fp2[C]]) {.inline.} =
when C.getSexticTwist() == D_Twist:
f.mul_sparse_by_line_xyz000(line)
elif C.getSexticTwist() == M_Twist:
f.mul_sparse_by_line_xy000z(line)
else:
{.error: "A line function assumes that the curve has a twist".}
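Review bot: the new `mul` dispatcher only ever selects `mul_sparse_by_line_xyz000` or `mul_sparse_by_line_xy000z`, so `mul_sparse_by_line_xy00z0` (the 𝔽p6-quadratic tower variant given a D-twist assert a few hunks up) has no caller in this file; either document that it is kept for the alternative tower or drop it. The `else: {.error: ...}` branch is the right choice: the per-file templates this replaces fell through to the M-twist routine for any twist other than `D_Twist`, which would have silently produced a wrong product for a curve without a sextic twist.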

View File

@ -47,8 +47,8 @@ import
func millerLoopGenericBLS12*[C](
f: var Fp12[C],
P: ECP_ShortW_Aff[Fp[C]],
Q: ECP_ShortW_Aff[Fp2[C]]
P: ECP_ShortW_Aff[Fp[C], NotOnTwist],
Q: ECP_ShortW_Aff[Fp2[C], OnTwist]
) =
## Generic Miller Loop for BLS12 curve
## Computes f{u,Q}(P) with u the BLS curve parameter
@ -81,20 +81,14 @@ func millerLoopGenericBLS12*[C](
# or we ensure the loop is done for a number of iterations strictly less
# than the curve order which is the case for BLS12 curves
var
T {.noInit.}: ECP_ShortW_Proj[Fp2[C]]
line {.noInit.}: Line[Fp2[C], C.getSexticTwist()]
T {.noInit.}: ECP_ShortW_Proj[Fp2[C], OnTwist]
line {.noInit.}: Line[Fp2[C]]
nQ{.noInit.}: typeof(Q)
T.projectiveFromAffine(Q)
nQ.neg(Q)
f.setOne()
template mul(f, line): untyped =
when C.getSexticTwist() == D_Twist:
f.mul_sparse_by_line_xyz000(line)
else:
f.mul_sparse_by_line_xy000z(line)
template u: untyped = C.pairing(ate_param)
let u3 = 3*C.pairing(ate_param)
for i in countdown(u3.bits - 2, 1):
@ -121,14 +115,17 @@ func finalExpGeneric[C: static Curve](f: var Fp12[C]) =
## for sanity checks purposes.
f.powUnsafeExponent(C.pairing(finalexponent), window = 3)
func pairing_bls12_reference*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
func pairing_bls12_reference*[C](
gt: var Fp12[C],
P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
## Compute the optimal Ate Pairing for BLS12 curves
## Input: P ∈ G1, Q ∈ G2
## Output: e(P, Q) ∈ Gt
##
## Reference implementation
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
gt.millerLoopGenericBLS12(Paff, Qaff)
@ -195,12 +192,15 @@ func finalExpHard_BLS12*[C](f: var Fp12[C]) =
# (x1)².(x+p).(x²+p²1) + 3
f *= v0
func pairing_bls12*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
func pairing_bls12*[C](
gt: var Fp12[C],
P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
## Compute the optimal Ate Pairing for BLS12 curves
## Input: P ∈ G1, Q ∈ G2
## Output: e(P, Q) ∈ Gt
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
gt.millerLoopGenericBLS12(Paff, Qaff)

View File

@ -44,8 +44,8 @@ import
func millerLoopGenericBN*[C](
f: var Fp12[C],
P: ECP_ShortW_Aff[Fp[C]],
Q: ECP_ShortW_Aff[Fp2[C]]
P: ECP_ShortW_Aff[Fp[C], NotOnTwist],
Q: ECP_ShortW_Aff[Fp2[C], OnTwist]
) =
## Generic Miller Loop for BN curves
## Computes f{6u+2,Q}(P) with u the BN curve parameter
@ -79,20 +79,14 @@ func millerLoopGenericBN*[C](
# than the curve order which is the case for BN curves
var
T {.noInit.}: ECP_ShortW_Proj[Fp2[C]]
line {.noInit.}: Line[Fp2[C], C.getSexticTwist()]
T {.noInit.}: ECP_ShortW_Proj[Fp2[C], OnTwist]
line {.noInit.}: Line[Fp2[C]]
nQ{.noInit.}: typeof(Q)
T.projectiveFromAffine(Q)
nQ.neg(Q)
f.setOne()
template mul(f, line): untyped =
when C.getSexticTwist() == D_Twist:
f.mul_sparse_by_line_xyz000(line)
else:
f.mul_sparse_by_line_xy000z(line)
template u: untyped = C.pairing(ate_param)
let u3 = 3*C.pairing(ate_param)
for i in countdown(u3.bits - 2, 1):
@ -120,26 +114,29 @@ func millerLoopGenericBN*[C](
V.frobenius_psi(Q)
line.line_add(T, V, P)
f.mul_sparse_by_line_xyz000(line)
f.mul(line)
V.frobenius_psi2(Q)
V.neg()
line.line_add(T, V, P)
f.mul_sparse_by_line_xyz000(line)
f.mul(line)
func finalExpGeneric[C: static Curve](f: var Fp12[C]) =
## A generic and slow implementation of final exponentiation
## for sanity checks purposes.
f.powUnsafeExponent(C.pairing(finalexponent), window = 3)
func pairing_bn_reference*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
func pairing_bn_reference*[C](
gt: var Fp12[C],
P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
## Compute the optimal Ate Pairing for BN curves
## Input: P ∈ G1, Q ∈ G2
## Output: e(P, Q) ∈ Gt
##
## Reference implementation
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
gt.millerLoopGenericBN(Paff, Qaff)
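Review bot: replacing the two hard-coded `f.mul_sparse_by_line_xyz000(line)` calls after the BN loop with `f.mul(line)` is a behaviour change, not only a refactor: the old calls assumed a D-twist regardless of `C.getSexticTwist()`, while the loop body already dispatched on the twist through the local template, so on an M-twist BN curve the two Frobenius line additions were multiplied with the wrong sparse layout. Say so in the commit message and add a pairing check (bilinearity, or a comparison with `pairing_bn_reference`) on an M-twist BN curve so the fix stays pinned.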
@ -200,12 +197,15 @@ func finalExpHard_BN*[C: static Curve](f: var Fp12[C]) =
f.frobenius_map(t2, 3) # r = f^λ₃p³
f *= t0 # r = f^(λ₀ + λ₁p + λ₂p² + λ₃p³) = f^((p⁴-p²+1)/r)
func pairing_bn*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
func pairing_bn*[C](
gt: var Fp12[C],
P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
## Compute the optimal Ate Pairing for BLS12 curves
## Input: P ∈ G1, Q ∈ G2
## Output: e(P, Q) ∈ Gt
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
Paff.affineFromProjective(P)
Qaff.affineFromProjective(Q)
gt.millerLoopGenericBN(Paff, Qaff)
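Review bot: the doc comment of `pairing_bn` still reads `Compute the optimal Ate Pairing for BLS12 curves`; this is the BN entry point and should say `for BN curves`, as `pairing_bn_reference` above already does.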

View File

@ -57,7 +57,7 @@ func setOne*(a: var ExtensionField) =
fA.setZero()
func fromBig*(a: var ExtensionField, src: BigInt) =
## Set ``a`` to the bigint value int eh extension field
## Set ``a`` to the bigint value in the extension field
for fieldName, fA in fieldPairs(a):
when fieldName == "c0":
fA.fromBig(src)

View File

@ -27,6 +27,9 @@ type
c0*, c1*: Fp[C]
β = NonResidue
# Quadratic or Cubic non-residue
SexticNonResidue* = object
template fromComplexExtension*[F](elem: F): static bool =
## Returns true if the input is a complex extension
@ -50,8 +53,18 @@ func `*`*(_: typedesc[β], a: Fp): Fp {.inline, noInit.} =
result = a
result *= β
type
SexticNonResidue* = object
# TODO: rework the quad/cube/sextic non residue declaration
func `*=`*(a: var Fp, _: typedesc[SexticNonResidue]) {.inline.} =
## Multiply an element of 𝔽p by the sextic non-residue
## chosen to construct 𝔽p6
a *= Fp.C.get_QNR_Fp()
func `*`*(_: typedesc[SexticNonResidue], a: Fp): Fp {.inline, noInit.} =
## Multiply an element of 𝔽p by the sextic non-residue
## chosen to construct 𝔽p6
result = a
result *= SexticNonResidue
func `*=`*(a: var Fp2, _: typedesc[SexticNonResidue]) {.inline.} =
## Multiply an element of 𝔽p2 by the sextic non-residue
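Review bot: the new `*=` and `*` overloads for `Fp` are documented as multiplying by `the sextic non-residue chosen to construct 𝔽p6`, but the body multiplies by `Fp.C.get_QNR_Fp()`, the quadratic non-residue used for 𝔽p2; the two coincide only when the chosen QNR is also a cubic non-residue, and nothing in this hunk checks that. Add a dedicated accessor (a `get_SNR_Fp`, name to be chosen) populated per curve, or at least a `static: doAssert` on the property in the curve declaration, so that a curve whose QNR is a cube fails to compile instead of silently yielding a wrong 𝔽p6. The `# TODO: rework the quad/cube/sextic non residue declaration` comment acknowledges the problem, but the TODO should not ship unchecked on the arithmetic path.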

View File

@ -229,85 +229,85 @@ func random_long01Seq[T](rng: var RngState, a: var T, C: static Curve) =
# Elliptic curves
# ------------------------------------------------------------
func random_unsafe[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Aff[F] or ECP_ShortW_Jac[F])) =
func random_unsafe(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Aff or ECP_ShortW_Jac)) =
## Initialize a random curve point with Z coordinate == 1
## Unsafe: for testing and benchmarking purposes only
var fieldElem {.noInit.}: F
var fieldElem {.noInit.}: a.F
var success = CtFalse
while not bool(success):
# Euler's criterion: there are (p-1)/2 squares in a field with modulus `p`
# so we have a probability of ~0.5 to get a good point
rng.random_unsafe(fieldElem, F.C)
rng.random_unsafe(fieldElem, a.F.C)
success = trySetFromCoordX(a, fieldElem)
func random_unsafe_with_randZ[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Jac[F])) =
func random_unsafe_with_randZ(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Jac)) =
## Initialize a random curve point with Z coordinate being random
## Unsafe: for testing and benchmarking purposes only
var Z{.noInit.}: F
rng.random_unsafe(Z, F.C) # If Z is zero, X will be zero and that will be an infinity point
var Z{.noInit.}: a.F
rng.random_unsafe(Z, a.F.C) # If Z is zero, X will be zero and that will be an infinity point
var fieldElem {.noInit.}: F
var fieldElem {.noInit.}: a.F
var success = CtFalse
while not bool(success):
rng.random_unsafe(fieldElem, F.C)
rng.random_unsafe(fieldElem, a.F.C)
success = trySetFromCoordsXandZ(a, fieldElem, Z)
func random_highHammingWeight[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Aff[F] or ECP_ShortW_Jac[F])) =
func random_highHammingWeight(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Aff or ECP_ShortW_Jac)) =
## Initialize a random curve point with Z coordinate == 1
## This will be generated with a biaised RNG with high Hamming Weight
## to trigger carry bugs
var fieldElem {.noInit.}: F
var fieldElem {.noInit.}: a.F
var success = CtFalse
while not bool(success):
# Euler's criterion: there are (p-1)/2 squares in a field with modulus `p`
# so we have a probability of ~0.5 to get a good point
rng.random_highHammingWeight(fieldElem, F.C)
rng.random_highHammingWeight(fieldElem, a.F.C)
success = trySetFromCoordX(a, fieldElem)
func random_highHammingWeight_with_randZ[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Jac[F])) =
func random_highHammingWeight_with_randZ(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Jac)) =
## Initialize a random curve point with Z coordinate == 1
## This will be generated with a biaised RNG with high Hamming Weight
## to trigger carry bugs
var Z{.noInit.}: F
rng.random_highHammingWeight(Z, F.C) # If Z is zero, X will be zero and that will be an infinity point
var Z{.noInit.}: a.F
rng.random_highHammingWeight(Z, a.F.C) # If Z is zero, X will be zero and that will be an infinity point
var fieldElem {.noInit.}: F
var fieldElem {.noInit.}: a.F
var success = CtFalse
while not bool(success):
rng.random_highHammingWeight(fieldElem, F.C)
rng.random_highHammingWeight(fieldElem, a.F.C)
success = trySetFromCoordsXandZ(a, fieldElem, Z)
func random_long01Seq[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Aff[F] or ECP_ShortW_Jac[F])) =
func random_long01Seq(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Aff or ECP_ShortW_Jac)) =
## Initialize a random curve point with Z coordinate == 1
## This will be generated with a biaised RNG
## that produces long bitstrings of 0 and 1
## to trigger edge cases
var fieldElem {.noInit.}: F
var fieldElem {.noInit.}: a.F
var success = CtFalse
while not bool(success):
# Euler's criterion: there are (p-1)/2 squares in a field with modulus `p`
# so we have a probability of ~0.5 to get a good point
rng.random_long01Seq(fieldElem, F.C)
rng.random_long01Seq(fieldElem, a.F.C)
success = trySetFromCoordX(a, fieldElem)
func random_long01Seq_with_randZ[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Jac[F])) =
func random_long01Seq_with_randZ(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Jac)) =
## Initialize a random curve point with Z coordinate == 1
## This will be generated with a biaised RNG
## that produces long bitstrings of 0 and 1
## to trigger edge cases
var Z{.noInit.}: F
rng.random_long01Seq(Z, F.C) # If Z is zero, X will be zero and that will be an infinity point
var Z{.noInit.}: a.F
rng.random_long01Seq(Z, a.F.C) # If Z is zero, X will be zero and that will be an infinity point
var fieldElem {.noInit.}: F
var fieldElem {.noInit.}: a.F
var success = CtFalse
while not bool(success):
rng.random_long01Seq(fieldElem, F.C)
rng.random_long01Seq(fieldElem, a.F.C)
success = trySetFromCoordsXandZ(a, fieldElem, Z)
# Generic over any Constantine type
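Review bot: the doc comments of `random_highHammingWeight_with_randZ` and `random_long01Seq_with_randZ` say `Initialize a random curve point with Z coordinate == 1`, copied from the non-`randZ` variants, while their bodies draw `Z` at random (`rng.random_highHammingWeight(Z, a.F.C)`, `rng.random_long01Seq(Z, a.F.C)`); only `random_unsafe_with_randZ` has the correct `Z coordinate being random`. Fix the two comments while these lines are being touched, and replace `biaised` with `biased` in the four doc comments that carry it. The `a.F` / `a.F.C` rewrite itself is the right move: dropping the explicit `[F]` parameter is what lets one generator serve both `ECP_ShortW_*[F, OnTwist]` and `ECP_ShortW_*[F, NotOnTwist]` without a second overload.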

View File

@ -55,7 +55,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
# - sage sage/frobenius_bls12_381.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "598e4c8c14c24c90834f2debedee4db3d31fed98a5134177704bfec14f46cb5",
Px1 = "c6fffa61daeb7caaf96983e70f164931d958c6820b205cdde19f2fa1eaaa7b1",
Py0 = "2f5fa252a27df56f5ca2e9c3382c17e531d317d50396f3fe952704304946a5a",
@ -68,7 +68,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 1,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "21014830dd88a0e7961e704cea531200866c5df46cb25aa3e2aac8d4fec64c6e",
Px1 = "1db17d8364def10443beab6e4a055c210d3e49c7c3af31e9cfb66d829938dca7",
Py0 = "1394ab8c346ad3eba14fa14789d3bbfc2deed5a7a510da8e9418580515d27bda",
@ -81,7 +81,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 2,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "46f2a2be9a3e19c1bb484fc37703ff64c3d7379de22249ccf0881037948beec",
Px1 = "10a5aaae14cb028f4ff4b81d41b712038b9f620a99e208c23504887e56831806",
Py0 = "2e6c3ebe0f3dada0063dc59f85fe2264dc3502bf65206336106a8d39d838a7b2",
@ -94,7 +94,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 3,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "1cf3af1d41e89d8df378aa81463a978c021f27f4a48387e74655ce2cf5c1f298",
Px1 = "36553e80e5c7c7360c7a2ae6bf1b8f68eb48804fc7eba7d2f56f09e87bbb0b1",
Py0 = "25f03e551d74b6be3268bf001905dfbe0bcbe43a2d1aac645a3ca8650b52e551",
@ -109,7 +109,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 0,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "112de13b7cd42bccdb005f2d4dc2726f360243103335ef6cf5e217e777554ae7c1deff5ddb5bcbb581fc9f13728a439",
Px1 = "10d1a8963e5c6854d5e610ece9914f9b5619c27652be1e9ec3e87687d63ed5d45b449bf59c2481e18ac6159f75966ac",
Py0 = "8aaf3a8660cf0edd6e97a2cd7837af1c63ec89e18f9bf4c64638662a661636b928a4f8097e6a2e8dfa11e13c51b075",
@ -122,7 +122,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 1,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "2f9318360b53c2d706061f527571e91679e6086a72ce8203ba1a04850f83bb192b29307e9b2d63feb1d23979e3f632",
Px1 = "3cbab0789968a3a35fa5d2e2326baa40c34d11a4af05a4109350944300ce32eef74dc5e47ba46717bd8bf87604696d",
Py0 = "14ea84922f76f2681fec869dce26141392975dcdb4f21d5fa8aec06b37bf71ba6249c219ecbaef4a266196dafb4ad19",
@ -135,7 +135,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 2,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "833ca23630be463c388ea6cfcff5b0e3b055065702a84310d2c726aee14d9e140cba05be79b5cb0441816d9e8c8370",
Px1 = "264a9755524baac8d9e53b0a45789e9dafcb6b453e965061fcfa20bb12a27d9b9417d5277ae2a499b1cfe567d75e2d",
Py0 = "5b670b9789825e2b48101b5b6e660cf9117e29c521dad54640cb356b674b3946c98cb43909c3495fb6d6d231891b7e",
@ -148,7 +148,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 3,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "14cd89e2e2755ddc086f63fd62e1f9904c3c1497243455c578a963e81b389f04e95ceafc4f47dc777579cdc82eca79b",
Px1 = "ba8801beba0654f20ccb78783efa7a911d182ec0eb99abe10f9a3d26b46fb7f90552e4ff6beb4df4611a9072be648b",
Py0 = "12e23bc97d891f2a047bac9c90e728cb89760c812156f96c95e36c40f1c830cf6ecbb5d407b189070d48a92eb461ea6",
@ -163,7 +163,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 0,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "d6904be428a0310dbd6e15a744a774bcf9800abe27536267a5383f1ddbd7783e1dc20098a8e045e3cca66b83f6d7f0f",
Px1 = "12107f6ef71d0d1e3bcba9e00a0675d3080519dd1b6c086bd660eb2d2bca8f276e283a891b5c0615064d7886af625cf2",
Py0 = "c592a3546d2d61d671070909e97860822db0a389e351c1744bdbb2c472cf52f3ca3e94068b0b6f3b0121923659131f5",
@ -176,7 +176,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 1,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "112de130b7cd42bccdb005f2d4dc2726f360243103335ef6cf5e217e777554ae7c1deff5ddb5bcbb581fc9f13728a439",
Px1 = "10d1a89a63e5c6854d5e610ece9914f9b5619c27652be1e9ec3e87687d63ed5d45b449bf59c2481e18ac6159f75966ac",
Py0 = "11261c8fcb0f4f560479547fe6b2a1c1e8b648d87e54c39f299eba8729294e99b415851d134ca31e8bb861c42e6f1022",
@ -189,7 +189,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 2,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "2f93183360b53c2d706061f527571e91679e6086a72ce8203ba1a04850f83bb192b29307e9b2d63feb1d23979e3f632",
Px1 = "3cbab0c789968a3a35fa5d2e2326baa40c34d11a4af05a4109350944300ce32eef74dc5e47ba46717bd8bf87604696d",
Py0 = "2b8d995b0f2114442b7bbdbe5732fbf94430d6d413e1f388031f3abb956e598cb6764275a75832c1670868c458378b6",
@ -202,7 +202,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
test(
id = 3,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "d7d1c55ddf8bd03b7a15c3ea4f8f69aee37bf282d4aac82b7bd1fd47139250b9c708997a7ff8f603e48f0471c2cfe03",
Px1 = "d145a91934a6ad865d24ab556ae1e6c42decdd05d676b80e53365a6ff7536332859c9682e7200e40515f675415d71a3",
Py0 = "6de67fa12af93813a42612b1e9449c7b1f160c5de004ec26ea61010e48ba38dcf158d2692f347fdc6c6332bbec7106f",
@ -240,9 +240,10 @@ suite "ψ - psi(psi(P)) == psi2(P) - (Untwist-Frobenius-Twist Endomorphism)" & "
test(EC, randZ = false, gen = Long01Sequence)
test(EC, randZ = true, gen = Long01Sequence)
testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks]])
# testAll(ECP_ShortW_Proj[Fp2[BLS12_377]])
testAll(ECP_ShortW_Proj[Fp2[BLS12_381]])
testAll(ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist])
suite "ψ²(P) - [t]ψ(P) + [p]P = Inf" & " [" & $WordBitwidth & "-bit mode]":
const Iters = 10
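Review bot: re-enabling `testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])`, which was commented out, and adding `BN254_Nogami` widens the ψ coverage, but the same four `testAll` lines are now repeated verbatim in three suites of this file. Hoist the list into a template (say `template testAllCurves(testAll: untyped)`) so that the next curve is added in one place.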
@ -252,6 +253,15 @@ suite "ψ²(P) - [t]ψ(P) + [p]P = Inf" & " [" & $WordBitwidth & "-bit mode]":
# x = "0x44E992B44A6909F1"
# t = 6x²+1
return (BigInt[127].fromHex"0x6f4d8248eeb859fbf83e9682e87cfd47", false)
elif C == BN254_Nogami:
# x = "-0x4080000000000001"
# t = 6x²+1
return (BigInt[127].fromHex"0x61818000000000030600000000000007", false)
elif C == BLS12_377:
# x = 3 * 2^46 * (7 * 13 * 499) + 1
# x = 0x8508c00000000001
# t = x+1
return (BigInt[64].fromHex"8508c00000000002", false)
elif C == BLS12_381:
# x = "-(2^63 + 2^62 + 2^60 + 2^57 + 2^48 + 2^16)"
# t = x+1
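Review bot: the new trace constants check out. For BN254_Nogami, x = -0x4080000000000001 = -(2^62 + 2^55 + 1), so x² = 2^124 + 2^118 + 2^110 + 2^63 + 2^56 + 1 and 6x²+1 = 2^126 + 2^125 + 2^120 + 2^119 + 2^112 + 2^111 + 2^65 + 2^64 + 2^58 + 2^57 + 7 = 0x61818000000000030600000000000007, which fits `BigInt[127]`; for BLS12_377, 3 · 2^46 · (7 · 13 · 499) + 1 = 0x8508c00000000001 and t = x+1 = 0x8508c00000000002. The `false` sign flag is correct for both, since t is positive even though x is negative for Nogami. Consider pointing at the sage script that produced these, as the ψ vectors above do with `sage sage/frobenius_bls12_381.sage`, so the values can be regenerated.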
@ -290,9 +300,10 @@ suite "ψ²(P) - [t]ψ(P) + [p]P = Inf" & " [" & $WordBitwidth & "-bit mode]":
test(EC, randZ = false, gen = Long01Sequence)
test(EC, randZ = true, gen = Long01Sequence)
testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks]])
# testAll(ECP_ShortW_Proj[Fp2[BLS12_377]])
testAll(ECP_ShortW_Proj[Fp2[BLS12_381]])
testAll(ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist])
suite "ψ⁴(P) - ψ²(P) + P = Inf (k-th cyclotomic polynomial with embedding degree k=12)" & " [" & $WordBitwidth & "-bit mode]":
const Iters = 10
@ -319,6 +330,7 @@ suite "ψ⁴(P) - ψ²(P) + P = Inf (k-th cyclotomic polynomial with embedding d
test(EC, randZ = false, gen = Long01Sequence)
test(EC, randZ = true, gen = Long01Sequence)
testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks]])
# testAll(ECP_ShortW_Proj[Fp2[BLS12_377]])
testAll(ECP_ShortW_Proj[Fp2[BLS12_381]])
testAll(ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])
testAll(ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist])

View File

@ -61,7 +61,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
# Generated via sage sage/testgen_bls12_377.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "4e7e6dfa01ed0ceb6e66708b07cb5c6cd30a42eeb13d7b76f8d103a0a4d491450be6f526fc12f15209b792220c041e",
Py = "c782515159b7e7b9371e0e0caa387951317e993b1625d91869d4346621058a0960ef1b8b6eabb33cd5719694908a05",
scalar = "cf815cb4d44d3d691b7c82a40b4b70caa9b0e8fe9586648abf3f1e2e639ca1b",
@ -71,7 +71,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 1,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "13d735b28405253dcc0bc60bcdc13633475ffc187d38a9b97655b0d0fa1d56c4548f11ea0a795391ee85c953aaf9b83",
Py = "1693101123fd13a20f9c0569c52c29507ba1c8b6dd412660bc82e7974022f1a10f9137b4ba59d3f0aab67027cefec19",
scalar = "913aa7b9fa2f940b70b6dcf538cc08da1a369809ab86a8ee49cead0ed6bfef6",
@ -81,7 +81,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 2,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "6dd2211113cada09d3b96848cbf21ed14f6fc238b581c0afd49aa776980101e4ee279a256ce8f1428d3ed3f70afd85",
Py = "3b406b4433a3f44f8e196012f50c520e876412fbcae2651916f133c1fd3899c79f676e1abba01d84bab7ad100c9295",
scalar = "4cf47669aeb0f30b6c6c5aa02808a87dc787fba22da32875e614a54a50b6a0c",
@ -91,7 +91,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 3,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "18648abbe3261f93cbf679777eac66e419035041a967d1e6a0f0afdb92810d7122e0984f1d6efc8fe518500464ee803",
Py = "7b6f518d4d06309aad4d60d29118310b6c8b17c7bf5db2251f4701b13b89a8c0f04bb5d0386785e55ffbbd7ecc445e",
scalar = "69498486a06c18f836a8e9ed507bbb563d6d03545e03e08f628e8fbd2e5d098",
@ -101,7 +101,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 4,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "745e9944549522486f3446676cc62fb666682e10c661a13b8110b42cb9a37676b6f33a46f9495f4fafb342d5809db5",
Py = "bc595854bc42ccec60dd9ec573608d736aa59996cef1c2e8f6c5d424f525a6f3e3d4beeedfac6b959dbd71ced95b13",
scalar = "6e08d8714102a5aa3e9f46e33c70a759c27253c7b0196c3e46c7cb42671197e",
@ -111,7 +111,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 5,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "f7b56cf212a8906ed77a758164c0bd05ce1fbd3ee3c4357e7a09b3aedc748a29ace254f1f6df35b8cb74361060337f",
Py = "2640ef641d20fea19b28947833e53faceeafa57a8761b807049f3d707d70c01f1c69a57edd993d301a64517bf47f77",
scalar = "a5c46d7a52938fed7f3093d5867f65361dc8b48c83bd7db490c26736196e20e",
@ -121,7 +121,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 6,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "43b387c12e4cc91fb1a5593b7671356dceb0fe6e6ac666d5bac94f2a44c8db54976b649a678aae038b21144de04e23",
Py = "1a6366a50f1f9ba64eef73d82bec86177bf184be048a9d66326ccb0122203569ddcb8cf74445cadaff7f47a66d1b1a2",
scalar = "bddd07231bc7fe89ee4a859a00ea1f9d236be9e7fd561303d566904c1b0a07c",
@ -131,7 +131,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 7,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "6984c9385a67081f97b3d33444077466cca1d0442a4da8c083a0957578e0b21011435b126a5ab143da9da1cf5b216f",
Py = "18a87c7f5f6c5a8101773e63956b9addd4becf5177acc560d548e5331638121934842fdc9f654b3f456a7df5a2e471a",
scalar = "b72c41a6ffaff0aacb5d62e3dcb16acfec66b6a9639e19d3128fd43c18e7dbe",
@ -141,7 +141,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 8,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "efc34595823e7333616f7768bc82f407268df6f029bf4c94d15f1785dc7ccc08f22e7301dfc48dadc0ea383c8bb3e",
Py = "2459bd9f71977ef122d2102e8bfd07a5737066075058cfa8bcaa9f9690ed065919c844363ceaea6f9bb650906a535f",
scalar = "8f90f6ab0ffa6e4acc601b44c062745f2935b3dc153d0da07977470080d5c18",
@ -151,7 +151,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 9,
EC = ECP_ShortW_Proj[Fp[BLS12_377]],
EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Px = "3eec93c2a9c5fd03f0de5ede2fdac9e361090fbaea38e4a0f1828745f1d14a057d9fd7c46b9168bd95a45a182a3a62",
Py = "e912dc7e95f90d91e3274ec5639edacb88be1b092c47c13d31a29ecd579885cc09f197f8207d23b2260ab10c94d5f5",
scalar = "203300e949aff816d084a388f07c74b9152bb11b523543afd65c805a389980",
@ -163,7 +163,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 0,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "4e7e6dfa01ed0ceb6e66708b07cb5c6cd30a42eeb13d7b76f8d103a0a4d491450be6f526fc12f15209b792220c041e",
Py = "c782515159b7e7b9371e0e0caa387951317e993b1625d91869d4346621058a0960ef1b8b6eabb33cd5719694908a05",
scalar = "cf815cb4d44d3d691b7c82a40b4b70caa9b0e8fe9586648abf3f1e2e639ca1b",
@ -173,7 +173,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 1,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "13d735b28405253dcc0bc60bcdc13633475ffc187d38a9b97655b0d0fa1d56c4548f11ea0a795391ee85c953aaf9b83",
Py = "1693101123fd13a20f9c0569c52c29507ba1c8b6dd412660bc82e7974022f1a10f9137b4ba59d3f0aab67027cefec19",
scalar = "913aa7b9fa2f940b70b6dcf538cc08da1a369809ab86a8ee49cead0ed6bfef6",
@ -183,7 +183,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 2,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "6dd2211113cada09d3b96848cbf21ed14f6fc238b581c0afd49aa776980101e4ee279a256ce8f1428d3ed3f70afd85",
Py = "3b406b4433a3f44f8e196012f50c520e876412fbcae2651916f133c1fd3899c79f676e1abba01d84bab7ad100c9295",
scalar = "4cf47669aeb0f30b6c6c5aa02808a87dc787fba22da32875e614a54a50b6a0c",
@ -193,7 +193,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 3,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "18648abbe3261f93cbf679777eac66e419035041a967d1e6a0f0afdb92810d7122e0984f1d6efc8fe518500464ee803",
Py = "7b6f518d4d06309aad4d60d29118310b6c8b17c7bf5db2251f4701b13b89a8c0f04bb5d0386785e55ffbbd7ecc445e",
scalar = "69498486a06c18f836a8e9ed507bbb563d6d03545e03e08f628e8fbd2e5d098",
@ -203,7 +203,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 4,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "745e9944549522486f3446676cc62fb666682e10c661a13b8110b42cb9a37676b6f33a46f9495f4fafb342d5809db5",
Py = "bc595854bc42ccec60dd9ec573608d736aa59996cef1c2e8f6c5d424f525a6f3e3d4beeedfac6b959dbd71ced95b13",
scalar = "6e08d8714102a5aa3e9f46e33c70a759c27253c7b0196c3e46c7cb42671197e",
@ -213,7 +213,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 5,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "f7b56cf212a8906ed77a758164c0bd05ce1fbd3ee3c4357e7a09b3aedc748a29ace254f1f6df35b8cb74361060337f",
Py = "2640ef641d20fea19b28947833e53faceeafa57a8761b807049f3d707d70c01f1c69a57edd993d301a64517bf47f77",
scalar = "a5c46d7a52938fed7f3093d5867f65361dc8b48c83bd7db490c26736196e20e",
@ -223,7 +223,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 6,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "43b387c12e4cc91fb1a5593b7671356dceb0fe6e6ac666d5bac94f2a44c8db54976b649a678aae038b21144de04e23",
Py = "1a6366a50f1f9ba64eef73d82bec86177bf184be048a9d66326ccb0122203569ddcb8cf74445cadaff7f47a66d1b1a2",
scalar = "bddd07231bc7fe89ee4a859a00ea1f9d236be9e7fd561303d566904c1b0a07c",
@ -233,7 +233,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 7,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "6984c9385a67081f97b3d33444077466cca1d0442a4da8c083a0957578e0b21011435b126a5ab143da9da1cf5b216f",
Py = "18a87c7f5f6c5a8101773e63956b9addd4becf5177acc560d548e5331638121934842fdc9f654b3f456a7df5a2e471a",
scalar = "b72c41a6ffaff0aacb5d62e3dcb16acfec66b6a9639e19d3128fd43c18e7dbe",
@ -243,7 +243,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 8,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "efc34595823e7333616f7768bc82f407268df6f029bf4c94d15f1785dc7ccc08f22e7301dfc48dadc0ea383c8bb3e",
Py = "2459bd9f71977ef122d2102e8bfd07a5737066075058cfa8bcaa9f9690ed065919c844363ceaea6f9bb650906a535f",
scalar = "8f90f6ab0ffa6e4acc601b44c062745f2935b3dc153d0da07977470080d5c18",
@ -253,7 +253,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
test(
id = 9,
EC = ECP_ShortW_Jac[Fp[BLS12_377]],
EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Px = "3eec93c2a9c5fd03f0de5ede2fdac9e361090fbaea38e4a0f1828745f1d14a057d9fd7c46b9168bd95a45a182a3a62",
Py = "e912dc7e95f90d91e3274ec5639edacb88be1b092c47c13d31a29ecd579885cc09f197f8207d23b2260ab10c94d5f5",
scalar = "203300e949aff816d084a388f07c74b9152bb11b523543afd65c805a389980",
@ -297,7 +297,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
# Generated via sage sage/testgen_bls12_377.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "267401f3ef554fe74ae131d56a10edf14ae40192654901b4618d2bf7af22e77c2a9b79e407348dbd4aad13ca73b33a",
Px1 = "12dcca838f46a3e0418e5dd8b978362757a16bfd78f0b77f4a1916ace353938389ae3ea228d0eb5020a0aaa58884aec",
Py0 = "11799118d2e054aabd9f74c0843fecbdc1c0d56f61c61c5854c2507ae2416e48a6b2cd3bc8bf7495a4d3d8270eafe2b",
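Review bot: The suite label in this hunk's context is wrong for this file: it reads `suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath"` while the comment says `# Generated via sage sage/testgen_bls12_377.sage` and the type is `ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist]`. Since the patch is already touching every `test(` block in this suite, rename the label to "BLS12-377" here and in the `ECP_ShortW_Jac` section below, otherwise a failing BLS12-377 G2 vector is reported under the BLS12-381 name.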
@ -311,7 +311,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 1,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "3a3055d6a46901c1b2227a0e334ffa9f654e62a6d3608f3a672e5816f9e9b04c0e668c3e9f8c807b269422afdc7de9",
Px1 = "25803bd55f37b254865d5fc7ac9843fb306c2eb09d34ee0c4ecb705b5e10f6911f07fd707a2e28681a421f45b1a4d",
Py0 = "15a0594a3c9dddc535472c4827aa443774a06f77bec2d20837c6574aa5fac35a279bac756531fa75f979a7a97f297d6",
@ -325,7 +325,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 2,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "18ebf549cd24a64badff4ec177205be121757b68589020434aba816756d2e6fa95fdb389c8639d4bf77575122e1c04e",
Px1 = "11cd0f0976658a6f2ec113034428ef1605befdaa5642944f5c4e571b24fc166c368c30473e25ab148209be4c0b4e37",
Py0 = "1190d818317495201732feb2cfc8f507adac6273debff46bb6aea4a3f3e3fe7d28d893c90b21a6f28d2fbc72d9fc528",
@ -339,7 +339,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 3,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "52b54c30c1dcadbcb698d0cb7fd65de1eb8f7590c7afe46e019bdc9e0ef8bc4c060339220d3615e4b1f2b12ffa6d83",
Px1 = "dd53b483c2ab1aaa7ed22ef619b5e979237ae95476436f2c51c8b70da39a4e54a989f10f6d12ee098154911aa052f6",
Py0 = "2a8c96662a7c76cb7d8ca6571a5b99abfd2d7343dd668425e5fa4a8c880b313b70f09a15a825fac63ae7065c0c51d",
@ -353,7 +353,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 4,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "fb6dd822e327a60c9e55d760c4f5d26783617a06f868835c2f46e902108eaca5d60fd64c0a0c8a6dc12f9352dfef33",
Px1 = "85e97eef3b4e42a93b8421644e9334f4543a25a36ccd41d448c385146baf3b1efbaeac49c202b04cdbf8b50f3fd962",
Py0 = "8db78b315a524f17ac3d69333604e6bc8aa0b2f138f9adf7edb19f49c847eda6b64df9fe2576b7687e7b55cb5f0bd0",
@ -367,7 +367,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 5,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "b56e23f2558c3c124f024952e1858067223541f51a8885d161133beb7bf8d64f22163769e604afbf7fbfb02e1fcb43",
Px1 = "e10c4366d667b40488a9ae32daf3e2a5cc8ddf25ed407afe1a38b855f3ac4f7ea20455924e71369eed07114613b633",
Py0 = "f42d3ab4716d10384bcdfec38cba997c2bafb8d8de32a47225a3e2d2835be1ad02a63323d3dd4145db21e3cbf5cc7a",
@ -381,7 +381,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 6,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "137001541ab8a479362ee39f818fc38788231e5288ceea5ebe0c08d0bbca3be9519aa415bde98428df26d361b7311ea",
Px1 = "411b1a4f0abb9fd255a7ae26ac39c1f2c88a48f82c7623b6f225aec9755206e27084b23cbc98f31399405a6599dc54",
Py0 = "833ef097986116cab669c4fddff9b831535d100644f732fb0da0a2dce17d69beaeed67230dd66392e840679afbae1e",
@ -395,7 +395,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 7,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "1580ffccc21b057dfe4831f950cbb8f1436f999df657404ecec20225a929a5d56920e8662abc426de23402643087308",
Px1 = "8bf8ff20713a9054aa1cce9635eb3d6ac8371fc052b747a8414595708ff9462d64a0a11ff2c1c5121f4ecc5f22df5e",
Py0 = "e7a5f7df0cec03de25da415fdda485ecc1443b95352e47b23e5506b820c9bc9ea9c2d9e99dd48e1f74e1befe58ce80",
@ -409,7 +409,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 8,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "10898a074b6931cc4ada152b64dd1c6b2bb47912e6502b9e88f638e489c144f8aa9b9f915bb428e082ec84676607f40",
Px1 = "18484823648fe1699468e2d265cd2f2e381a0e67f35f8d192259e2a14573692b4e1fbdeed639e9b6eb0731be820b166",
Py0 = "1840bc6fcb224efe00e32f827fa4f9694cd4186493089c66a936e912b50346b75542b6edbe51ba95c88d3b0fcac34ed",
@ -423,7 +423,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 9,
EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Px0 = "13c3a392307124afb5f219ba0f8062fa9b75654d3fff12bc924592d284af550f039b6ac58880d2c6fea146b3982f03c",
Px1 = "188169bc937fcc20cc9c289adef30580188f64ecb126faadb5b888f31b813727ff7046d1a19b81abeea6609b8b208c6",
Py0 = "2f9bde8fdd43c5f4de30f335a480dca3bf0858464d8368984406f10ddc1ecabb15fcfd11cebd4fef426e7ca9411221",
@ -439,7 +439,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 0,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "267401f3ef554fe74ae131d56a10edf14ae40192654901b4618d2bf7af22e77c2a9b79e407348dbd4aad13ca73b33a",
Px1 = "12dcca838f46a3e0418e5dd8b978362757a16bfd78f0b77f4a1916ace353938389ae3ea228d0eb5020a0aaa58884aec",
Py0 = "11799118d2e054aabd9f74c0843fecbdc1c0d56f61c61c5854c2507ae2416e48a6b2cd3bc8bf7495a4d3d8270eafe2b",
@ -453,7 +453,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 1,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "3a3055d6a46901c1b2227a0e334ffa9f654e62a6d3608f3a672e5816f9e9b04c0e668c3e9f8c807b269422afdc7de9",
Px1 = "25803bd55f37b254865d5fc7ac9843fb306c2eb09d34ee0c4ecb705b5e10f6911f07fd707a2e28681a421f45b1a4d",
Py0 = "15a0594a3c9dddc535472c4827aa443774a06f77bec2d20837c6574aa5fac35a279bac756531fa75f979a7a97f297d6",
@ -467,7 +467,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 2,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "18ebf549cd24a64badff4ec177205be121757b68589020434aba816756d2e6fa95fdb389c8639d4bf77575122e1c04e",
Px1 = "11cd0f0976658a6f2ec113034428ef1605befdaa5642944f5c4e571b24fc166c368c30473e25ab148209be4c0b4e37",
Py0 = "1190d818317495201732feb2cfc8f507adac6273debff46bb6aea4a3f3e3fe7d28d893c90b21a6f28d2fbc72d9fc528",
@ -481,7 +481,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 3,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "52b54c30c1dcadbcb698d0cb7fd65de1eb8f7590c7afe46e019bdc9e0ef8bc4c060339220d3615e4b1f2b12ffa6d83",
Px1 = "dd53b483c2ab1aaa7ed22ef619b5e979237ae95476436f2c51c8b70da39a4e54a989f10f6d12ee098154911aa052f6",
Py0 = "2a8c96662a7c76cb7d8ca6571a5b99abfd2d7343dd668425e5fa4a8c880b313b70f09a15a825fac63ae7065c0c51d",
@ -495,7 +495,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 4,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "fb6dd822e327a60c9e55d760c4f5d26783617a06f868835c2f46e902108eaca5d60fd64c0a0c8a6dc12f9352dfef33",
Px1 = "85e97eef3b4e42a93b8421644e9334f4543a25a36ccd41d448c385146baf3b1efbaeac49c202b04cdbf8b50f3fd962",
Py0 = "8db78b315a524f17ac3d69333604e6bc8aa0b2f138f9adf7edb19f49c847eda6b64df9fe2576b7687e7b55cb5f0bd0",
@ -509,7 +509,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 5,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "b56e23f2558c3c124f024952e1858067223541f51a8885d161133beb7bf8d64f22163769e604afbf7fbfb02e1fcb43",
Px1 = "e10c4366d667b40488a9ae32daf3e2a5cc8ddf25ed407afe1a38b855f3ac4f7ea20455924e71369eed07114613b633",
Py0 = "f42d3ab4716d10384bcdfec38cba997c2bafb8d8de32a47225a3e2d2835be1ad02a63323d3dd4145db21e3cbf5cc7a",
@ -523,7 +523,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 6,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "137001541ab8a479362ee39f818fc38788231e5288ceea5ebe0c08d0bbca3be9519aa415bde98428df26d361b7311ea",
Px1 = "411b1a4f0abb9fd255a7ae26ac39c1f2c88a48f82c7623b6f225aec9755206e27084b23cbc98f31399405a6599dc54",
Py0 = "833ef097986116cab669c4fddff9b831535d100644f732fb0da0a2dce17d69beaeed67230dd66392e840679afbae1e",
@ -537,7 +537,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 7,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "1580ffccc21b057dfe4831f950cbb8f1436f999df657404ecec20225a929a5d56920e8662abc426de23402643087308",
Px1 = "8bf8ff20713a9054aa1cce9635eb3d6ac8371fc052b747a8414595708ff9462d64a0a11ff2c1c5121f4ecc5f22df5e",
Py0 = "e7a5f7df0cec03de25da415fdda485ecc1443b95352e47b23e5506b820c9bc9ea9c2d9e99dd48e1f74e1befe58ce80",
@ -551,7 +551,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 8,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "10898a074b6931cc4ada152b64dd1c6b2bb47912e6502b9e88f638e489c144f8aa9b9f915bb428e082ec84676607f40",
Px1 = "18484823648fe1699468e2d265cd2f2e381a0e67f35f8d192259e2a14573692b4e1fbdeed639e9b6eb0731be820b166",
Py0 = "1840bc6fcb224efe00e32f827fa4f9694cd4186493089c66a936e912b50346b75542b6edbe51ba95c88d3b0fcac34ed",
@ -565,7 +565,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 9,
EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Px0 = "13c3a392307124afb5f219ba0f8062fa9b75654d3fff12bc924592d284af550f039b6ac58880d2c6fea146b3982f03c",
Px1 = "188169bc937fcc20cc9c289adef30580188f64ecb126faadb5b888f31b813727ff7046d1a19b81abeea6609b8b208c6",
Py0 = "2f9bde8fdd43c5f4de30f335a480dca3bf0858464d8368984406f10ddc1ecabb15fcfd11cebd4fef426e7ca9411221",

View File

@ -62,7 +62,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
# Generated via sage sage/testgen_bls12_381.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "f9679bb02ee7f352fff6a6467a5e563ec8dd38c86a48abd9e8f7f241f1cdd29d54bc3ddea3a33b62e0d7ce22f3d244a",
Py = "50189b992cf856846b30e52205ff9ef72dc081e9680726586231cbc29a81a162120082585f401e00382d5c86fb1083f",
scalar = "f7e60a832eb77ac47374bc93251360d6c81c21add62767ff816caf11a20d8db",
@ -72,7 +72,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 1,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "17d71835ff84f150fabf5c77ac90bf7f6249143abd1f5d8a46a76f243d424d82e1e258fc7983ba8af97a2462adebe090",
Py = "d3e108ee1332067cbe4f4193eae10381acb69f493b40e53d9dee59506b49c6564c9056494a7f987982eb4069512c1c6",
scalar = "5f10367bdae7aa872d90b5ac209321ce5a15181ce22848d032a8d452055cbfd0",
@ -82,7 +82,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 2,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "f92c9572692e8f3d450483a7a9bb4694e3b54c9cd09441a4dd7f579b0a6984e47f8090c31c172b33d87f3de186d6b58",
Py = "286ede4cb2ae19ead4932d5550c5d3ec8ce3a3ada5e1ed6d202e93dd1b16d3513f0f9b62adc6323f18e272a426ee955",
scalar = "4c321d72220c098fc0fd52306de98f8be9446bf854cf1e4d8dbae62375d18faf",
@ -92,7 +92,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 3,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "ec23ff3435b8ebd5e8e0a879d432e11eb974161664b1341fd28f1ffc4c228bf6ada2ae4a565f18c9b66f67a7573502d",
Py = "10c4b647be08db0b49b75320ae891f9f9c5d7bb7c798947e800d681d205d1b24b12e4dfa993d1bd16851b00356627cc1",
scalar = "1738857afb76c55f615c2a20b44ca90dcb3267d804ec23fddea431dbee4eb37f",
@ -102,7 +102,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 4,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "df127083c2a5ef2388b02af913c0e4002a52a82db9e5ecbf23ee4f557d3b61c91ebcfe9d4973070b46bc5ea6897bca1",
Py = "318960aeea262ec23ffdd42ec1ba72ae6fa2186a1e2a0fc2659073fb7b5adfb50d581a4d998a94d1accf78b1b3a0163",
scalar = "19c47811813444020c999a2b263940b5054cf45bb8ad8e086ff126bfcd5507e1",
@ -112,7 +112,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 5,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "101123de23c0f240c583c2368c4118dc942db219c55f58cf54acd500c1fcfa06f651ad75319ebf840cbdb6bddea7fde4",
Py = "5268587d4b844b0708e0336d1bbf48da185aaf5b948eccc3b565d00a856dd55882b9bb31c52af0e275b168cb35eb7b0",
scalar = "43ffcda71e45a3e90b7502d92b30a0b06c54c95a91aa21e0438677b1c2714ecb",
@ -122,7 +122,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 6,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "1457ba1bae6eb3afae3261941c65c93e3ae7d784907d15b8d559100da5e13fd29e4a4d6e3103b781a95237b7b2d80a8e",
Py = "6a869a47cb48d01e7d29660932afd7617720262b55de5f430b8aa3d74f9fd2b9d3a07ce192425da58014764fc9532cd",
scalar = "64ad0d6c36dba5368e71f0010aebf860288f54611e5aaf18082bae7a404ebfd8",
@ -132,7 +132,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 7,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "2615f843e8fe68d4c337bcf83b2cf13cbae638edd0740f1eac520dc2146afa3b8d36c540878c1d207ef913634b1e593",
Py = "1787d6eeeceb6e7793073f0bbe7bae522529c126b650c43d5d41e732c581a57df1bfb818061b7b4e6c9145da5df2c43e",
scalar = "b0ac3d0e685583075aa46c03a00859dfbec24ccb36e2cae3806d82275adcc03",
@ -142,7 +142,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 8,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "10bc0c4e1ed87246a9d4d7d38546369f275a245f6e1d3b882e8c9a7f05bc6ee8ff97a96a54084c2bef15ed8bfefb1465",
Py = "1782377e5f588576b5ab42fea224e88873dda957202f0c6d72ce8728c2d58dc654be77226fbda385d5f269354e4a176a",
scalar = "23941bb3c3659423d6fdafb7cff52e0e02de0ac91e64c537c6203d64905b63d0",
@ -152,7 +152,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 9,
EC = ECP_ShortW_Proj[Fp[BLS12_381]],
EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Px = "be4f9f721d98a761a5562bd80ea06f369e9cbb7d33bbb2f0191d4b77d0fd2a10c4083b54157b525f36c522ca3a6ca09",
Py = "166c315ecdd20acb3c5efcc7e038b17d0b37a06ffbf77873f15fc0cd091a1e4102a8b8bf5507919453759e744391b04d",
scalar = "4203156dcf70582ea8cbd0388104f47fd5a18ae336b2fed8458e1e4e74d7baf5",
@ -164,7 +164,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 0,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "f9679bb02ee7f352fff6a6467a5e563ec8dd38c86a48abd9e8f7f241f1cdd29d54bc3ddea3a33b62e0d7ce22f3d244a",
Py = "50189b992cf856846b30e52205ff9ef72dc081e9680726586231cbc29a81a162120082585f401e00382d5c86fb1083f",
scalar = "f7e60a832eb77ac47374bc93251360d6c81c21add62767ff816caf11a20d8db",
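Review bot: Style point on this `ECP_ShortW_Jac` hunk and its siblings: the `Px`, `Py` and `scalar` values are byte-for-byte the ones already listed for `ECP_ShortW_Proj` with the same `id` higher up in the file, so every vector is maintained twice and this patch has to edit each copy separately. Consider holding the vectors once and instantiating the `test` template for both coordinate systems (e.g. a loop over `ECP_ShortW_Proj` and `ECP_ShortW_Jac`), so that a future change to the `NotOnTwist` parameter, or a regenerated vector, is a single edit and the two sections cannot drift apart.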
@ -174,7 +174,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 1,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "17d71835ff84f150fabf5c77ac90bf7f6249143abd1f5d8a46a76f243d424d82e1e258fc7983ba8af97a2462adebe090",
Py = "d3e108ee1332067cbe4f4193eae10381acb69f493b40e53d9dee59506b49c6564c9056494a7f987982eb4069512c1c6",
scalar = "5f10367bdae7aa872d90b5ac209321ce5a15181ce22848d032a8d452055cbfd0",
@ -184,7 +184,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 2,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "f92c9572692e8f3d450483a7a9bb4694e3b54c9cd09441a4dd7f579b0a6984e47f8090c31c172b33d87f3de186d6b58",
Py = "286ede4cb2ae19ead4932d5550c5d3ec8ce3a3ada5e1ed6d202e93dd1b16d3513f0f9b62adc6323f18e272a426ee955",
scalar = "4c321d72220c098fc0fd52306de98f8be9446bf854cf1e4d8dbae62375d18faf",
@ -194,7 +194,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 3,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "ec23ff3435b8ebd5e8e0a879d432e11eb974161664b1341fd28f1ffc4c228bf6ada2ae4a565f18c9b66f67a7573502d",
Py = "10c4b647be08db0b49b75320ae891f9f9c5d7bb7c798947e800d681d205d1b24b12e4dfa993d1bd16851b00356627cc1",
scalar = "1738857afb76c55f615c2a20b44ca90dcb3267d804ec23fddea431dbee4eb37f",
@ -204,7 +204,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 4,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "df127083c2a5ef2388b02af913c0e4002a52a82db9e5ecbf23ee4f557d3b61c91ebcfe9d4973070b46bc5ea6897bca1",
Py = "318960aeea262ec23ffdd42ec1ba72ae6fa2186a1e2a0fc2659073fb7b5adfb50d581a4d998a94d1accf78b1b3a0163",
scalar = "19c47811813444020c999a2b263940b5054cf45bb8ad8e086ff126bfcd5507e1",
@ -214,7 +214,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 5,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "101123de23c0f240c583c2368c4118dc942db219c55f58cf54acd500c1fcfa06f651ad75319ebf840cbdb6bddea7fde4",
Py = "5268587d4b844b0708e0336d1bbf48da185aaf5b948eccc3b565d00a856dd55882b9bb31c52af0e275b168cb35eb7b0",
scalar = "43ffcda71e45a3e90b7502d92b30a0b06c54c95a91aa21e0438677b1c2714ecb",
@ -224,7 +224,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 6,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "1457ba1bae6eb3afae3261941c65c93e3ae7d784907d15b8d559100da5e13fd29e4a4d6e3103b781a95237b7b2d80a8e",
Py = "6a869a47cb48d01e7d29660932afd7617720262b55de5f430b8aa3d74f9fd2b9d3a07ce192425da58014764fc9532cd",
scalar = "64ad0d6c36dba5368e71f0010aebf860288f54611e5aaf18082bae7a404ebfd8",
@ -234,7 +234,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 7,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "2615f843e8fe68d4c337bcf83b2cf13cbae638edd0740f1eac520dc2146afa3b8d36c540878c1d207ef913634b1e593",
Py = "1787d6eeeceb6e7793073f0bbe7bae522529c126b650c43d5d41e732c581a57df1bfb818061b7b4e6c9145da5df2c43e",
scalar = "b0ac3d0e685583075aa46c03a00859dfbec24ccb36e2cae3806d82275adcc03",
@ -244,7 +244,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 8,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "10bc0c4e1ed87246a9d4d7d38546369f275a245f6e1d3b882e8c9a7f05bc6ee8ff97a96a54084c2bef15ed8bfefb1465",
Py = "1782377e5f588576b5ab42fea224e88873dda957202f0c6d72ce8728c2d58dc654be77226fbda385d5f269354e4a176a",
scalar = "23941bb3c3659423d6fdafb7cff52e0e02de0ac91e64c537c6203d64905b63d0",
@ -254,7 +254,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
test(
id = 9,
EC = ECP_ShortW_Jac[Fp[BLS12_381]],
EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Px = "be4f9f721d98a761a5562bd80ea06f369e9cbb7d33bbb2f0191d4b77d0fd2a10c4083b54157b525f36c522ca3a6ca09",
Py = "166c315ecdd20acb3c5efcc7e038b17d0b37a06ffbf77873f15fc0cd091a1e4102a8b8bf5507919453759e744391b04d",
scalar = "4203156dcf70582ea8cbd0388104f47fd5a18ae336b2fed8458e1e4e74d7baf5",
@ -298,7 +298,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
# Generated via sage sage/testgen_bls12_381.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "10fbddd49246ac4b0faa489e3474507ebc96a5da194b2f7a706fad6bf8435021e1598700088abfe0ae7343296c1b7f52",
Px1 = "324102fa5bd71d9048c3c6a6c62d1f35195d7067bf00dc5eaedd14eecc688383446aba4e8fda059d3f619f00be7890",
Py0 = "f3e974aafa7a3fb3a1209f3af4492c9d9c52f1ae738e1e08309dd0f438f131f8ddd8b934eb8ff2cb078b8c524c11fab",
@ -312,7 +312,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 1,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "4b472ab5d0995a22c95f0805eb459b147d2033b8c13c1c07c857a97e66952d4df3e3b5f346997cc7bd19886492fae83",
Px1 = "12228345592511c7327176258097c70dffad1ff53b37163cbd4747d0085ed0bcfe90b9150d2f7e49580a42110b1d9c6b",
Py0 = "19220ed4e423d3274a8e9a58624b8762d7831d6f65fcaf6718b933bf77a0c41d3bb713a2224dbc448cfc735101a5bb1e",
@ -326,7 +326,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 2,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "11c9f03cd130f7b4d6675b902d9b4dddfa41577b7673c31a508760675ca083abedfe3f6c1c69eb46737d4877adb527c6",
Px1 = "c64be8d22d478378784c4f38e386635a8ab606d2b35101ebecfe97b3bb5132d26e9a7ea9690d07a78a22f458045a8c5",
Py0 = "6253c05b48fde95024644efd87cdf0cf15414c36c35625e383ea7b5ab839eaa783563918cd9e5e391ef1512a6ac28e0",
@ -340,7 +340,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 3,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "5adc112fb04bf4ca642d5a7d7343ccd6b93546442d2fff5b9d32c15e456d54884cba49dd7f94ce4ddaad4018e55d0f2",
Px1 = "5d1c5bbf5d7a833dc76ba206bfa99c281fc37941be050e18f8c6d267b2376b3634d8ad6eb951e52a6d096315abd17d6",
Py0 = "15a959e54981fab9ac3c6f5bfd6fb60a50a916bd43d96a09922a54309b84812736581bfa728670cba864b08b9e391bb9",
@ -354,7 +354,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 4,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "99f8b62e82892d323847f64ab2b422478d207b780fbb097cdca6a1a89e70ff09213dee8534eaf63dac9f7f7feff2548",
Px1 = "12e7b53d802fa9cd897b5470614d57b1620bfe53f36158466f83e7cc6a6cccb1ac7557a8d5a2208c7c1366835c2cba59",
Py0 = "115d6b7a8bc5628690ec750207b3252d4121c20c2106d0277cd41dee7b1d4ed1ff856883719bccb545054b9a745a53e2",
@ -368,7 +368,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 5,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "7f56aa6111f341d6381090f058835b3d60200032b382108194188c40afe4225eb6fecaba734084283771923e004b5ca",
Px1 = "18abca4d9eca6d3ef3c720ca6b27f824fdd12dcac72c167f0212f707fa22752f291c9c20a4b92417d05c64207b8e6da6",
Py0 = "10e08fc323d2ef92c5fd9a0ba38e32e16068ac5a4a0f95b0390c2e8ad6caa446adebe16bbf628a0c2de007bfa1218317",
@ -382,7 +382,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 6,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "a8c5649d2df1bae84fd9e8bfcde5113937b3acea22d67ddfedaf1fb8de8c1ef4c70591cf505c24c31e54020c2c510c3",
Px1 = "a0553f98229a6a067489c3ee204161c11e96f421b3e9c145dc3865b03e9d4ff6cab14c5b5308ecd31173f954463690c",
Py0 = "b29d8dfe18dc41b4826c3a102c1bf8f306cb42433cc36ee38080f47a324c02a678f9daed0a2bc577c18b9865de029f0",
@ -396,7 +396,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 7,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "eb79d9e425feb105ec09ce60949721b12dac5e6721c8a6b505aa2d83270d2a3e6c6bcce16a1b510f6822504c5e86416",
Px1 = "9f5d2dc403a2e96c3f59c7bb98a36cc8be68500510fd88b09f55938efd192d9653f4bcfd1451518c535e9d1996a924",
Py0 = "114825899129828ee0b946811ff98a79af1b53c4511bc45a8e41a07a7d9600c824ed7c5cd608781d0a98a13e69b0c002",
@ -410,7 +410,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 8,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "17ce8a849a475599245ad6b84cf5284cd15d6346ae52a833954ec50d5cf7f0be1cd8473fdc9dfd500d7f1d80bf6fa6ca",
Px1 = "15d8128bc60c8e83846bf6748982a7188df6393a9379b2959fa7e1cb72f1c1da066fe3a6d927f97ecec3725fac65eb10",
Py0 = "a05421595b36750e134b91500962201e9f57ac068732b9fb34ec50ff22f274d395d34d133e131e6dc7bc42d66149767",
@ -424,7 +424,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 9,
EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Px0 = "13eb9e9906446be49345c08de406cd104d6bb9901ee12af0b80a8351027152d6f6d158d5a906e4a58c5602e97347cfd5",
Px1 = "1218df3f2a9cd7685325a4a7bb6a3636a458a52ea7f1e1d73c2429acb74a2a9beb838c109541120b095118c90868eb0f",
Py0 = "3ac16edac6898f11ff8ddb48fad6f59f4842cd427d72fa964171801be172b8ecd2fdffb4882d4aa6f1e730f6e53f8c5",
@ -440,7 +440,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 0,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "10fbddd49246ac4b0faa489e3474507ebc96a5da194b2f7a706fad6bf8435021e1598700088abfe0ae7343296c1b7f52",
Px1 = "324102fa5bd71d9048c3c6a6c62d1f35195d7067bf00dc5eaedd14eecc688383446aba4e8fda059d3f619f00be7890",
Py0 = "f3e974aafa7a3fb3a1209f3af4492c9d9c52f1ae738e1e08309dd0f438f131f8ddd8b934eb8ff2cb078b8c524c11fab",
@ -454,7 +454,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 1,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "4b472ab5d0995a22c95f0805eb459b147d2033b8c13c1c07c857a97e66952d4df3e3b5f346997cc7bd19886492fae83",
Px1 = "12228345592511c7327176258097c70dffad1ff53b37163cbd4747d0085ed0bcfe90b9150d2f7e49580a42110b1d9c6b",
Py0 = "19220ed4e423d3274a8e9a58624b8762d7831d6f65fcaf6718b933bf77a0c41d3bb713a2224dbc448cfc735101a5bb1e",
@ -468,7 +468,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 2,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "11c9f03cd130f7b4d6675b902d9b4dddfa41577b7673c31a508760675ca083abedfe3f6c1c69eb46737d4877adb527c6",
Px1 = "c64be8d22d478378784c4f38e386635a8ab606d2b35101ebecfe97b3bb5132d26e9a7ea9690d07a78a22f458045a8c5",
Py0 = "6253c05b48fde95024644efd87cdf0cf15414c36c35625e383ea7b5ab839eaa783563918cd9e5e391ef1512a6ac28e0",
@ -482,7 +482,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 3,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "5adc112fb04bf4ca642d5a7d7343ccd6b93546442d2fff5b9d32c15e456d54884cba49dd7f94ce4ddaad4018e55d0f2",
Px1 = "5d1c5bbf5d7a833dc76ba206bfa99c281fc37941be050e18f8c6d267b2376b3634d8ad6eb951e52a6d096315abd17d6",
Py0 = "15a959e54981fab9ac3c6f5bfd6fb60a50a916bd43d96a09922a54309b84812736581bfa728670cba864b08b9e391bb9",
@ -496,7 +496,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 4,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "99f8b62e82892d323847f64ab2b422478d207b780fbb097cdca6a1a89e70ff09213dee8534eaf63dac9f7f7feff2548",
Px1 = "12e7b53d802fa9cd897b5470614d57b1620bfe53f36158466f83e7cc6a6cccb1ac7557a8d5a2208c7c1366835c2cba59",
Py0 = "115d6b7a8bc5628690ec750207b3252d4121c20c2106d0277cd41dee7b1d4ed1ff856883719bccb545054b9a745a53e2",
@ -510,7 +510,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 5,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "7f56aa6111f341d6381090f058835b3d60200032b382108194188c40afe4225eb6fecaba734084283771923e004b5ca",
Px1 = "18abca4d9eca6d3ef3c720ca6b27f824fdd12dcac72c167f0212f707fa22752f291c9c20a4b92417d05c64207b8e6da6",
Py0 = "10e08fc323d2ef92c5fd9a0ba38e32e16068ac5a4a0f95b0390c2e8ad6caa446adebe16bbf628a0c2de007bfa1218317",
@ -524,7 +524,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 6,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "a8c5649d2df1bae84fd9e8bfcde5113937b3acea22d67ddfedaf1fb8de8c1ef4c70591cf505c24c31e54020c2c510c3",
Px1 = "a0553f98229a6a067489c3ee204161c11e96f421b3e9c145dc3865b03e9d4ff6cab14c5b5308ecd31173f954463690c",
Py0 = "b29d8dfe18dc41b4826c3a102c1bf8f306cb42433cc36ee38080f47a324c02a678f9daed0a2bc577c18b9865de029f0",
@ -538,7 +538,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 7,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "eb79d9e425feb105ec09ce60949721b12dac5e6721c8a6b505aa2d83270d2a3e6c6bcce16a1b510f6822504c5e86416",
Px1 = "9f5d2dc403a2e96c3f59c7bb98a36cc8be68500510fd88b09f55938efd192d9653f4bcfd1451518c535e9d1996a924",
Py0 = "114825899129828ee0b946811ff98a79af1b53c4511bc45a8e41a07a7d9600c824ed7c5cd608781d0a98a13e69b0c002",
@ -552,7 +552,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 8,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "17ce8a849a475599245ad6b84cf5284cd15d6346ae52a833954ec50d5cf7f0be1cd8473fdc9dfd500d7f1d80bf6fa6ca",
Px1 = "15d8128bc60c8e83846bf6748982a7188df6393a9379b2959fa7e1cb72f1c1da066fe3a6d927f97ecec3725fac65eb10",
Py0 = "a05421595b36750e134b91500962201e9f57ac068732b9fb34ec50ff22f274d395d34d133e131e6dc7bc42d66149767",
@ -566,7 +566,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
test(
id = 9,
EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Px0 = "13eb9e9906446be49345c08de406cd104d6bb9901ee12af0b80a8351027152d6f6d158d5a906e4a58c5602e97347cfd5",
Px1 = "1218df3f2a9cd7685325a4a7bb6a3636a458a52ea7f1e1d73c2429acb74a2a9beb838c109541120b095118c90868eb0f",
Py0 = "3ac16edac6898f11ff8ddb48fad6f59f4842cd427d72fa964171801be172b8ecd2fdffb4882d4aa6f1e730f6e53f8c5",

View File

@ -62,7 +62,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
# Generated via sage sage/testgen_bn254_snarks.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "22d3af0f3ee310df7fc1a2a204369ac13eb4a48d969a27fcd2861506b2dc0cd7",
Py = "1c994169687886ccd28dd587c29c307fb3cab55d796d73a5be0bbf9aab69912e",
scalar = "e08a292f940cfb361cc82bc24ca564f51453708c9745a9cf8707b11c84bc448",
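Review bot: Suite naming is inconsistent across the files touched by this patch: this hunk sits under `suite "Scalar Multiplication G1: BN254 implementation vs SageMath"`, whereas the BLS12 files label the same kind of G1 test `"Scalar Multiplication (cofactor cleared): ..."`. The difference is defensible (BN254 G1 is prime order, so there is no cofactor to clear), but a short comment saying so next to the suite line would stop it from looking like a copy-paste divergence, and would keep test output grouping predictable across curves.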
@ -72,7 +72,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 1,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "2724750abe620fce759b6f18729e40f891a514160d477811a44b222372cc4ea3",
Py = "105cdcbe363921790a56bf2696e73642447c60b814827ca4dba86c814912c98a",
scalar = "2f5c2960850eabadab1e5595ff0bf841206885653e7f2024248b281a86744790",
@ -82,7 +82,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 2,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "39bc19c41835082f86ca046b71875b051575072e4d6a4aeedac31eee34b07df",
Py = "1fdbf42fc20421e1e775fd93ed1888d614f7e39067e7443f21b6a4817481c346",
scalar = "29e140c33f706c0111443699b0b8396d8ead339a3d6f3c212b08749cf2a16f6b",
@ -92,7 +92,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 3,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "157a3e1ff9dabccced9746e19855a9438098be6d734f07d1c069aa1bd05b8d87",
Py = "1c96bf3e48bc1a6635d93d4f1302a0eba39bd907c5d861f2a9d0c714ee60f04d",
scalar = "29b05bd55963e262e0fa458c76297fb5be3ec1421fdb1354789f68fdce81dc2c",
@ -102,7 +102,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 4,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "2f260967d4cd5d15f98c0a0a9d5abaae0c70d3b8d83e1e884586cd6ece395fe7",
Py = "2a102c7aebdfaa999d5a99984148ada142f72f5d4158c10368a2e13dded886f6",
scalar = "1796de74c1edac90d102e7c33f3fad94304eaff4a67a018cae678774d377f6cd",
@ -112,7 +112,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 5,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "1b4ccef57f4411360a02b8228e4251896c9492ff93a69ba3720da0cd46a04e83",
Py = "1fabcb215bd7c06ead2e6b0167497efc2cdd3dbacf69bcb0244142fd63c1e405",
scalar = "116741cd19dac61c5e77877fc6fef40f363b164b501dfbdbc09e17ea51d6beb0",
@ -122,7 +122,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 6,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "2807c88d6759280d6bd83a54d349a533d1a66dc32f72cab8114ab707f10e829b",
Py = "dbf0d486aeed3d303880f324faa2605aa0219e35661bc88150470c7df1c0b61",
scalar = "2a5976268563870739ced3e6efd8cf53887e8e4426803377095708509dd156ca",
@ -132,7 +132,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 7,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "2754a174a33a55f2a31573767e9bf5381b47dca1cbebc8b68dd4df58b3f1cc2",
Py = "f222f59c8893ad87c581dacb3f8b6e7c20e7a13bc5fb6e24262a3436d663b1",
scalar = "25d596bf6caf4565fbfd22d81f9cef40c8f89b1e5939f20caa1b28056e0e4f58",
@ -142,7 +142,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 8,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "273bf6c679d8e880034590d16c007bbabc6c65ed870a263b5d1ce7375c18fd7",
Py = "2904086cb9e33657999229b082558a74c19b2b619a0499afb2e21d804d8598ee",
scalar = "67a499a389129f3902ba6140660c431a56811b53de01d043e924711bd341e53",
@ -152,7 +152,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 9,
EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Px = "ec892c09a5f1c68c1bfec7780a1ebd279739383f2698eeefbba745b3e717fd5",
Py = "23d273a1b9750fe1d4ebd4b7c25f4a8d7d94f6662c436305cca8ff2cdbd3f736",
scalar = "d2f09ceaa2638b7ac3d7d4aa9eff7a12e93dc85db0f9676e5f19fb86d6273e9",
@ -164,7 +164,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 0,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "22d3af0f3ee310df7fc1a2a204369ac13eb4a48d969a27fcd2861506b2dc0cd7",
Py = "1c994169687886ccd28dd587c29c307fb3cab55d796d73a5be0bbf9aab69912e",
scalar = "e08a292f940cfb361cc82bc24ca564f51453708c9745a9cf8707b11c84bc448",
@ -174,7 +174,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 1,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "2724750abe620fce759b6f18729e40f891a514160d477811a44b222372cc4ea3",
Py = "105cdcbe363921790a56bf2696e73642447c60b814827ca4dba86c814912c98a",
scalar = "2f5c2960850eabadab1e5595ff0bf841206885653e7f2024248b281a86744790",
@ -184,7 +184,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 2,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "39bc19c41835082f86ca046b71875b051575072e4d6a4aeedac31eee34b07df",
Py = "1fdbf42fc20421e1e775fd93ed1888d614f7e39067e7443f21b6a4817481c346",
scalar = "29e140c33f706c0111443699b0b8396d8ead339a3d6f3c212b08749cf2a16f6b",
@ -194,7 +194,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 3,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "157a3e1ff9dabccced9746e19855a9438098be6d734f07d1c069aa1bd05b8d87",
Py = "1c96bf3e48bc1a6635d93d4f1302a0eba39bd907c5d861f2a9d0c714ee60f04d",
scalar = "29b05bd55963e262e0fa458c76297fb5be3ec1421fdb1354789f68fdce81dc2c",
@ -204,7 +204,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 4,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "2f260967d4cd5d15f98c0a0a9d5abaae0c70d3b8d83e1e884586cd6ece395fe7",
Py = "2a102c7aebdfaa999d5a99984148ada142f72f5d4158c10368a2e13dded886f6",
scalar = "1796de74c1edac90d102e7c33f3fad94304eaff4a67a018cae678774d377f6cd",
@ -214,7 +214,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 5,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "1b4ccef57f4411360a02b8228e4251896c9492ff93a69ba3720da0cd46a04e83",
Py = "1fabcb215bd7c06ead2e6b0167497efc2cdd3dbacf69bcb0244142fd63c1e405",
scalar = "116741cd19dac61c5e77877fc6fef40f363b164b501dfbdbc09e17ea51d6beb0",
@ -224,7 +224,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 6,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "2807c88d6759280d6bd83a54d349a533d1a66dc32f72cab8114ab707f10e829b",
Py = "dbf0d486aeed3d303880f324faa2605aa0219e35661bc88150470c7df1c0b61",
scalar = "2a5976268563870739ced3e6efd8cf53887e8e4426803377095708509dd156ca",
@ -234,7 +234,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 7,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "2754a174a33a55f2a31573767e9bf5381b47dca1cbebc8b68dd4df58b3f1cc2",
Py = "f222f59c8893ad87c581dacb3f8b6e7c20e7a13bc5fb6e24262a3436d663b1",
scalar = "25d596bf6caf4565fbfd22d81f9cef40c8f89b1e5939f20caa1b28056e0e4f58",
@ -244,7 +244,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 8,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "273bf6c679d8e880034590d16c007bbabc6c65ed870a263b5d1ce7375c18fd7",
Py = "2904086cb9e33657999229b082558a74c19b2b619a0499afb2e21d804d8598ee",
scalar = "67a499a389129f3902ba6140660c431a56811b53de01d043e924711bd341e53",
@ -254,7 +254,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 9,
EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Px = "ec892c09a5f1c68c1bfec7780a1ebd279739383f2698eeefbba745b3e717fd5",
Py = "23d273a1b9750fe1d4ebd4b7c25f4a8d7d94f6662c436305cca8ff2cdbd3f736",
scalar = "d2f09ceaa2638b7ac3d7d4aa9eff7a12e93dc85db0f9676e5f19fb86d6273e9",
@ -298,7 +298,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
# Generated via sage sage/testgen_bn254_snarks.sage
test(
id = 0,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "1dcee2242ae85da43d02d38032b85836660f9a0a8777ab66c84ffbbde3ac3b25",
Px1 = "1e2eb4c305e3b6c36a4081888b7a953eb44804b8b5120306331f8c89a3bb950",
Py0 = "1db75f495edd522cae161ceeb86ca466ca2efd80ef979028d7aa39679de675fd",
@ -312,7 +312,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 1,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "5ed8c937273562944e0f1ebfb40e6511202188c1cabf588ed38735016d37b32",
Px1 = "23f75e8322c4b540cd5b8fd144a89ab5206a040f498b7b59385770bc841cf012",
Py0 = "2150beef17f5c22a65a4129390f47eece8f0c7d0c516790ea2632e7fd594ed8",
@ -326,7 +326,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 2,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "2ac4b3d0a70d6686c63d9d63cce1370eafd4dc67f616c13582c6c64f6670513e",
Px1 = "f1daeb6a2581ba6c8027a645ab5c10e303db4aee85c70c8fe11f4c1adcc7029",
Py0 = "25807ff21967759cab64844741d006e2aa0221d9836613b1239da1a167d15131",
@ -340,7 +340,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 3,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "2a028c1328bb0abf252edfbf7133b84eef2a5f20163fe61685b4b54229ca585d",
Px1 = "8f80ad79e8e7e79bbdc645d9f5b339c52dd99a901b90de2494492656f11a9d5",
Py0 = "1f04320578e31ffa2e2b59ad8fcb1aba622b5f307ac540cf2ccdab07dec56503",
@ -354,7 +354,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 4,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "1132e63c444e1abce6fc4c39bdf5be5caad586837cbf5ca9d3891482bdefe77",
Px1 = "22b71f598dab789f055fc9669ddf66f0d75f581af0e9e8863d7f95a51ef34862",
Py0 = "58e39050f64c9948d7238b99ecaee947cb934688a6e9f483c5c36b6e07aa31b",
@ -368,7 +368,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 5,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "6a20c456e80e2bfe37d8631d41ffed31cba5d1c411e816d64014d0088d16554",
Px1 = "9d1555c77222abd79e17e2806386c53aba9609375276e817f52f03dc3f75676",
Py0 = "127e76f384726e56dfaa46e6fde6dc644f5fd494d056191059e2bebc525ce835",
@ -382,7 +382,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 6,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "4c591d080257375d6189340185c6fe4c1fa796722d07e1bec0b17080b6b1154",
Px1 = "241e2f2eb2a58afc2b5410d4ccbf75b53744ca1ac0bb28d7c60449f8d06204a4",
Py0 = "eaddea52f2e884a5e2635965ca4146b12127fe8a8883e07def8e8720f410781",
@ -396,7 +396,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 7,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "115e772198e3f0003e31c0a1c48b6ac870d96020a4d634b7f14c15422d001cfe",
Px1 = "1913447ff41836e0b6a3b01be670a2457e6119e02ae35903fb71be4369e269f7",
Py0 = "14cb779c640aad2731b93b07c623c621a5585d0374f0394e5332f20ac28ca49d",
@ -410,7 +410,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 8,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "13faa1f28e6bfe89765c284e67face6ce0a29006ebc1551d4243e754c59f88ad",
Px1 = "640cebb80938dfcb998d84a8e5aafd47ffbcba0aa2f8c9b1c585baf119a8942",
Py0 = "1de793a9ef8f4dea5dad12fb09ddefa07ce197d4d7389a29ad3d8c6484582afe",
@ -424,7 +424,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 9,
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Px0 = "2fc3da947b78ac524a57670cef36ca89f1dad71b337bc3c18305c582a59648ad",
Px1 = "2f7cc845d8c1ef0613f919d8c47f3c62f83608a45b1e186748ac5dcccd4c6baf",
Py0 = "18ddc4718a4161f72f8d188fc61a609a3d592e186a65f4158483b719ffb05b8f",
@ -440,7 +440,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 0,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "1dcee2242ae85da43d02d38032b85836660f9a0a8777ab66c84ffbbde3ac3b25",
Px1 = "1e2eb4c305e3b6c36a4081888b7a953eb44804b8b5120306331f8c89a3bb950",
Py0 = "1db75f495edd522cae161ceeb86ca466ca2efd80ef979028d7aa39679de675fd",
@ -454,7 +454,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 1,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "5ed8c937273562944e0f1ebfb40e6511202188c1cabf588ed38735016d37b32",
Px1 = "23f75e8322c4b540cd5b8fd144a89ab5206a040f498b7b59385770bc841cf012",
Py0 = "2150beef17f5c22a65a4129390f47eece8f0c7d0c516790ea2632e7fd594ed8",
@ -468,7 +468,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 2,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "2ac4b3d0a70d6686c63d9d63cce1370eafd4dc67f616c13582c6c64f6670513e",
Px1 = "f1daeb6a2581ba6c8027a645ab5c10e303db4aee85c70c8fe11f4c1adcc7029",
Py0 = "25807ff21967759cab64844741d006e2aa0221d9836613b1239da1a167d15131",
@ -482,7 +482,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 3,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "2a028c1328bb0abf252edfbf7133b84eef2a5f20163fe61685b4b54229ca585d",
Px1 = "8f80ad79e8e7e79bbdc645d9f5b339c52dd99a901b90de2494492656f11a9d5",
Py0 = "1f04320578e31ffa2e2b59ad8fcb1aba622b5f307ac540cf2ccdab07dec56503",
@ -496,7 +496,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 4,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "1132e63c444e1abce6fc4c39bdf5be5caad586837cbf5ca9d3891482bdefe77",
Px1 = "22b71f598dab789f055fc9669ddf66f0d75f581af0e9e8863d7f95a51ef34862",
Py0 = "58e39050f64c9948d7238b99ecaee947cb934688a6e9f483c5c36b6e07aa31b",
@ -510,7 +510,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 5,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "6a20c456e80e2bfe37d8631d41ffed31cba5d1c411e816d64014d0088d16554",
Px1 = "9d1555c77222abd79e17e2806386c53aba9609375276e817f52f03dc3f75676",
Py0 = "127e76f384726e56dfaa46e6fde6dc644f5fd494d056191059e2bebc525ce835",
@ -524,7 +524,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 6,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "4c591d080257375d6189340185c6fe4c1fa796722d07e1bec0b17080b6b1154",
Px1 = "241e2f2eb2a58afc2b5410d4ccbf75b53744ca1ac0bb28d7c60449f8d06204a4",
Py0 = "eaddea52f2e884a5e2635965ca4146b12127fe8a8883e07def8e8720f410781",
@ -538,7 +538,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 7,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "115e772198e3f0003e31c0a1c48b6ac870d96020a4d634b7f14c15422d001cfe",
Px1 = "1913447ff41836e0b6a3b01be670a2457e6119e02ae35903fb71be4369e269f7",
Py0 = "14cb779c640aad2731b93b07c623c621a5585d0374f0394e5332f20ac28ca49d",
@ -552,7 +552,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 8,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "13faa1f28e6bfe89765c284e67face6ce0a29006ebc1551d4243e754c59f88ad",
Px1 = "640cebb80938dfcb998d84a8e5aafd47ffbcba0aa2f8c9b1c585baf119a8942",
Py0 = "1de793a9ef8f4dea5dad12fb09ddefa07ce197d4d7389a29ad3d8c6484582afe",
@ -566,7 +566,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
test(
id = 9,
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Px0 = "2fc3da947b78ac524a57670cef36ca89f1dad71b337bc3c18305c582a59648ad",
Px1 = "2f7cc845d8c1ef0613f919d8c47f3c62f83608a45b1e186748ac5dcccd4c6baf",
Py0 = "18ddc4718a4161f72f8d188fc61a609a3d592e186a65f4158483b719ffb05b8f",

View File

@ -17,19 +17,25 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BN254_Snarks
)
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp[BLS12_381]],
ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BLS12_381
)
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp[BLS12_377]],
ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BLS12_377
)
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BLS12_377
)
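Review bot: the new BW6_761 block's `moduleName` still ends in `& $BLS12_377`, so its suite is reported under the BLS12-377 name and collides with the real BLS12-377 run a few lines above in the same file. Change it to `moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BW6_761`.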

View File

@ -18,19 +18,25 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BN254_Snarks
)
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp[BLS12_381]],
ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BLS12_381
)
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp[BLS12_377]],
ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BLS12_377
)
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BLS12_377
)
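Review bot: same copy-paste slip as in the add_double file: the BW6_761 `run_EC_mul_distributive_tests` block names its module with `& $BLS12_377`, so BW6-761 results are misattributed to BLS12-377 and the two suites share a name. Use `moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BW6_761`.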

View File

@ -24,7 +24,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BN254_Snarks
)
@ -56,8 +56,8 @@ suite "Order checks on BN254_Snarks":
bool(impl.isInf())
bool(reference.isInf())
test(ECP_ShortW_Jac[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
test(ECP_ShortW_Jac[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
test(ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
test(ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
# TODO: BLS12 is using a subgroup of order "r" such as r*h = CurveOrder
# with h the curve cofactor
# instead of the full group
@ -67,20 +67,20 @@ suite "Order checks on BN254_Snarks":
test "Not a point on the curve / not a square - #67":
var ax, ay: Fp[BN254_Snarks]
ax.fromHex"0x2a74c9ca553cd5f3437b41e77ca0c8cc77567a7eca5e7debc55b146b0bee324b"
ay.curve_eq_rhs(ax)
ay.curve_eq_rhs(ax, NotOnTwist)
check:
bool not ay.isSquare()
bool not ay.sqrt_if_square()
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp[BLS12_381]],
ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BLS12_381
)
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp[BLS12_377]],
ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BLS12_377
)
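Review bot: this hunk only converts the existing BLS12_381 and BLS12_377 calls to the `NotOnTwist` form and adds no `run_EC_mul_sanity_tests` block for `ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist]`, so the new curve gets no Jacobian mul-sanity coverage even though the add_double, mul_distributive and mul_vs_ref Jacobian files (and the projective mul_sanity file) in this commit all add one. Add the block with `moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BW6_761`.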

View File

@ -18,19 +18,25 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BN254_Snarks
)
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp[BLS12_381]],
ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_381
)
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp[BLS12_377]],
ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_377
)
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_377
)
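Review bot: the BW6_761 `run_EC_mul_vs_ref_impl` block also carries `& $BLS12_377` in its `moduleName`, the third occurrence of this slip in the Jacobian G1 files; it should read `moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_377` only for the BLS12-377 block above and `& $BW6_761` here.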

View File

@ -18,7 +18,7 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BLS12_377
)

View File

@ -18,7 +18,7 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BLS12_381
)

View File

@ -18,7 +18,7 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BN254_Snarks
)

View File

@ -0,0 +1,23 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_jacobian,
# Test utilities
./t_ec_template
const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BW6_761
)

View File

@ -18,7 +18,7 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BLS12_377
)

View File

@ -18,7 +18,7 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BLS12_381
)

View File

@ -18,7 +18,7 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BN254_Snarks
)

View File

@ -0,0 +1,23 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_jacobian,
# Test utilities
./t_ec_template
const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BW6_761
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BLS12_377
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BLS12_381
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BN254_Snarks
)

View File

@ -0,0 +1,24 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_jacobian,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BW6_761
)

View File

@ -13,13 +13,13 @@ import
../constantine/towers,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BLS12_377
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BLS12_381
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BN254_Snarks
)

View File

@ -0,0 +1,24 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_jacobian,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BW6_761
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BLS12_377
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BLS12_381
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BN254_Snarks
)

View File

@ -0,0 +1,24 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_jacobian,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BW6_761
)

View File

@ -26,7 +26,7 @@ import
./support/ec_reference_scalar_mult
func testAddAssociativity[EC](a, b, c: EC) =
var tmp1{.noInit.}, tmp2{.noInit.}: ECP_ShortW_Proj[Fp2[BLS12_381]]
var tmp1{.noInit.}, tmp2{.noInit.}: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
# r0 = (a + b) + c
tmp1.sum(a, b)
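Review bot: `testAddAssociativity[EC]` is generic over `EC`, yet its temporaries are still declared with the concrete type `ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]`, so the helper only type-checks for that one instantiation and `tmp1.sum(a, b)` will not compile for any other `EC`. Since the line is being touched anyway, declare them as `var tmp1{.noInit.}, tmp2{.noInit.}: EC`.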
@ -63,7 +63,7 @@ func testAddAssociativity[EC](a, b, c: EC) =
suite "Short Weierstrass Elliptic Curve - Edge cases [" & $WordBitwidth & "-bit mode]":
test "EC Add G2 is associative - #60":
var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381]]
var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
var ax, az, bx, bz, cx, cz: Fp2[BLS12_381]
ax.fromHex(
@ -101,7 +101,7 @@ suite "Short Weierstrass Elliptic Curve - Edge cases [" & $WordBitwidth & "-bit
test "EC Add G2 is associative - #65-1":
var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381]]
var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
var ax, az, bx, bz, cx, cz: Fp2[BLS12_381]
ax.fromHex(
@ -139,7 +139,7 @@ suite "Short Weierstrass Elliptic Curve - Edge cases [" & $WordBitwidth & "-bit
test "EC Add G2 is associative - #65-2":
var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381]]
var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
var ax, az, bx, bz, cx, cz: Fp2[BLS12_381]
ax.fromHex(

View File

@ -14,22 +14,28 @@ import
./t_ec_template
const
Iters = 8
Iters = 1
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BN254_Snarks
)
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp[BLS12_381]],
ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BLS12_381
)
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp[BLS12_377]],
ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BLS12_377
)
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BW6_761
)
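Review bot: `Iters` is lowered from 8 to 1 in this file, which cuts the randomized addition/doubling checks to a single sample per curve; this reads like a debugging leftover rather than part of the BW6-761 work (the Jacobian G1 add_double file in the same commit keeps `Iters = 8`). Restore `Iters = 8`, or state in the commit message why one iteration is sufficient here.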

View File

@ -18,19 +18,25 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BN254_Snarks
)
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp[BLS12_381]],
ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_381
)
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp[BLS12_377]],
ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_377
)
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BW6_761
)

View File

@ -18,19 +18,25 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BN254_Snarks
)
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp[BLS12_381]],
ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BLS12_381
)
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp[BLS12_377]],
ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BLS12_377
)
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BW6_761
)

View File

@ -24,7 +24,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BN254_Snarks
)
@ -56,31 +56,37 @@ suite "Order checks on BN254_Snarks":
bool(impl.isInf())
bool(reference.isInf())
test(ECP_ShortW_Proj[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
test(ECP_ShortW_Proj[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
test(ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
test(ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
# TODO: BLS12 is using a subgroup of order "r" such as r*h = CurveOrder
# with h the curve cofactor
# instead of the full group
# test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = false)
# test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = NotOnTwist)
# test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = true)
test "Not a point on the curve / not a square - #67":
var ax, ay: Fp[BN254_Snarks]
ax.fromHex"0x2a74c9ca553cd5f3437b41e77ca0c8cc77567a7eca5e7debc55b146b0bee324b"
ay.curve_eq_rhs(ax)
ay.curve_eq_rhs(ax, NotOnTwist)
check:
bool not ay.isSquare()
bool not ay.sqrt_if_square()
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp[BLS12_381]],
ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BLS12_381
)
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp[BLS12_377]],
ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BLS12_377
)
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BW6_761
)
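Review bot: the commented-out order check `# test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = NotOnTwist)` looks like a stray search-and-replace: `randZ` is a bool and `NotOnTwist` belongs in the point type, so whoever uncomments this TODO block will hit a type error. Suggest rewriting it as `# test(ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist], bits = BLS12_381.getCurveOrderBitwidth(), randZ = false)` and dropping the now-duplicate `randZ = false` line next to it. The TODO comment above should also say that BLS12_377 and BW6_761, which this file now runs, are skipped by the order check as well (presumably for the same subgroup/cofactor reason), since only BN254_Snarks is exercised by `test(...)`.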

View File

@ -18,19 +18,25 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BN254_Snarks
)
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp[BLS12_381]],
ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BLS12_381
)
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp[BLS12_377]],
ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BLS12_377
)
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BW6_761
)

View File

@ -18,7 +18,7 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BLS12_377
)

View File

@ -18,7 +18,7 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BLS12_381
)

View File

@ -18,7 +18,7 @@ const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BN254_Snarks
)

View File

@ -0,0 +1,23 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_projective,
# Test utilities
./t_ec_template
const
Iters = 8
run_EC_addition_tests(
ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BW6_761
)
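Review bot: this new file instantiates G2 as `ECP_ShortW_Proj[Fp[BW6_761], OnTwist]`, over `Fp` rather than the `Fp2` used by every sibling `g2_*` test, and nothing in the file says why. Add a one-line comment (here and in the other new `*_bw6_761` G2 test files in this commit) noting that BW6-761's G2 twist is defined over the same base field as G1, so the `Fp` is deliberate; otherwise the next reader will take it for a copy-paste slip from the G1 file, since the only things distinguishing the two modules are the `OnTwist` parameter and the `g2` in the module name.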

View File

@ -18,7 +18,7 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_377
)

View File

@ -18,7 +18,7 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_381
)

View File

@ -18,7 +18,7 @@ const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BN254_Snarks
)

View File

@ -0,0 +1,23 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_projective,
# Test utilities
./t_ec_template
const
Iters = 12
run_EC_mixed_add_impl(
ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
Iters = Iters,
moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BW6_761
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BLS12_377
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BLS12_381
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BN254_Snarks
)

View File

@ -0,0 +1,24 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_projective,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_distributive_tests(
ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BW6_761
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BLS12_377
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BLS12_381
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BN254_Snarks
)

View File

@ -0,0 +1,24 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_projective,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_sanity_tests(
ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BW6_761
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BLS12_377
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BLS12_381
)

View File

@ -19,7 +19,7 @@ const
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BN254_Snarks
)

View File

@ -0,0 +1,24 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/config/[type_fp, curves],
../constantine/elliptic/ec_shortweierstrass_projective,
# Test utilities
./t_ec_template
const
Iters = 12
ItersMul = Iters div 4
run_EC_mul_vs_ref_impl(
ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
ItersMul = ItersMul,
moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BW6_761
)

View File

@ -64,7 +64,7 @@ proc run_EC_addition_tests*(
echo "\n------------------------------------------------------\n"
echo moduleName, " xoshiro512** seed: ", seed
when ec.F is Fp:
when ec.Tw == NotOnTwist:
const G1_or_G2 = "G1"
else:
const G1_or_G2 = "G2"
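Review bot: the `when ec.Tw == NotOnTwist: const G1_or_G2 = "G1" else: const G1_or_G2 = "G2"` block is now copy-pasted into all five procs in this file (`run_EC_addition_tests`, `run_EC_mul_sanity_tests`, `run_EC_mul_distributive_tests`, `run_EC_mul_vs_ref_impl`, `run_EC_mixed_add_impl`); factor it into one helper, e.g. `template G1_or_G2(EC: typedesc): string = (when EC.Tw == NotOnTwist: "G1" else: "G2")`, so the next curve-specific tweak lands in one place. Switching the discriminator from `ec.F is Fp` to `ec.Tw` is the right call: with BW6-761's G2 living over `Fp`, the old field-based check would have labelled those runs as G1.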
@ -215,7 +215,7 @@ proc run_EC_mul_sanity_tests*(
echo "\n------------------------------------------------------\n"
echo moduleName, " xoshiro512** seed: ", seed
when ec.F is Fp:
when ec.Tw == NotOnTwist:
const G1_or_G2 = "G1"
else:
const G1_or_G2 = "G2"
@ -313,7 +313,7 @@ proc run_EC_mul_distributive_tests*(
echo "\n------------------------------------------------------\n"
echo moduleName, " xoshiro512** seed: ", seed
when ec.F is Fp:
when ec.Tw == NotOnTwist:
const G1_or_G2 = "G1"
else:
const G1_or_G2 = "G2"
@ -383,7 +383,7 @@ proc run_EC_mul_vs_ref_impl*(
echo "\n------------------------------------------------------\n"
echo moduleName, " xoshiro512** seed: ", seed
when ec.F is Fp:
when ec.Tw == NotOnTwist:
const G1_or_G2 = "G1"
else:
const G1_or_G2 = "G2"
@ -427,7 +427,7 @@ proc run_EC_mixed_add_impl*(
echo "\n------------------------------------------------------\n"
echo moduleName, " xoshiro512** seed: ", seed
when ec.F is Fp:
when ec.Tw == NotOnTwist:
const G1_or_G2 = "G1"
else:
const G1_or_G2 = "G2"
@ -440,7 +440,7 @@ proc run_EC_mixed_add_impl*(
for _ in 0 ..< Iters:
let a = rng.random_point(EC, randZ, gen)
let b = rng.random_point(EC, randZ, gen)
var bAff: ECP_ShortW_Aff[EC.F]
var bAff: ECP_ShortW_Aff[EC.F, EC.Tw]
bAff.affineFromProjective(b)
var r_generic, r_mixed: EC

View File

@ -119,8 +119,8 @@ proc randomSqrtCheck(C: static Curve) =
proc main() =
suite "Modular square root" & " [" & $WordBitwidth & "-bit mode]":
exhaustiveCheck Fake103, 103
exhaustiveCheck Fake10007, 10007
exhaustiveCheck Fake65519, 65519
# exhaustiveCheck Fake10007, 10007
# exhaustiveCheck Fake65519, 65519
randomSqrtCheck BN254_Nogami
randomSqrtCheck BN254_Snarks
randomSqrtCheck BLS12_377 # p ≢ 3 (mod 4)
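Review bot: `# exhaustiveCheck Fake10007, 10007` and `# exhaustiveCheck Fake65519, 65519` are disabled with no explanation, which drops the only exhaustive square-root coverage beyond the 103-element field. If this is about test runtime, say so in a comment and keep them reachable behind a define (e.g. `when defined(slowTests)`); if the Fake curves were removed or changed in this commit, delete the lines rather than leaving dead code that will silently rot.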

View File

@ -25,7 +25,7 @@ const AvailableCurves = [
P224,
BN254_Nogami, BN254_Snarks,
P256, Secp256k1,
BLS12_381
BLS12_377, BLS12_381, BW6_761
]
const # https://gmplib.org/manual/Integer-Import-and-Export.html
@ -133,7 +133,7 @@ proc addTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
r2Test += bTest
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Addition (with result)")
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Addition (in-place)")
binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Addition (in-place)")
proc subTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curve) =
# echo "Testing: random modular substraction on ", $C
@ -155,8 +155,12 @@ proc subTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
var r2Test = aTest
r2Test -= bTest
var r3Test = bTest
r3Test.diffAlias(aTest, r3Test)
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Substraction (with result)")
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Substraction (in-place)")
binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Substraction (in-place)")
binary_epilogue(r, a, b, r3Test, aBuf, bBuf, "Substraction (result aliasing)")
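Review bot: the new aliasing case `r3Test.diffAlias(aTest, r3Test)` only covers the output aliasing the subtrahend; the output aliasing the minuend (`var r4Test = aTest; r4Test.diffAlias(r4Test, bTest)`) is a different read/write interleaving inside an in-place subtraction and deserves its own `binary_epilogue(..., "Substraction (result aliasing a)")` alongside this one. While touching these labels, `Substraction` is misspelled (`Subtraction`) in all four epilogue messages.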
proc mulTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curve) =
# echo "Testing: random modular multiplication on ", $C
@ -175,7 +179,11 @@ proc mulTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
var rTest {.noInit.}: Fp[C]
rTest.prod(aTest, bTest)
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Multiplication")
var r2Test = aTest
r2Test *= bTest
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Multiplication (with result)")
binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Multiplication (in-place)")
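Review bot: mulTests gains an in-place `*=` check but, unlike subTests, no result-aliasing check for the three-operand form; if `prod` is meant to accept `r` aliasing an operand, add `var r3Test = aTest; r3Test.prod(r3Test, bTest)` (and the `bTest` counterpart) with their own epilogue labels, otherwise document on `prod` that aliasing is not supported so callers do not rely on it.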
proc invTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curve) =
# We use the binary prologue epilogue but the "b" parameter is actual unused

View File

@ -18,6 +18,7 @@ const TestCurves = [
BN254_Snarks,
BLS12_377,
BLS12_381,
BW6_761
]
runTowerTests(

tests/t_fp6_bw6_761.nim Normal file
View File

@ -0,0 +1,26 @@
# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Internals
../constantine/towers,
../constantine/config/curves,
# Test utilities
./t_fp_tower_template
const TestCurves = [
BW6_761,
]
runTowerTests(
ExtDegree = 6,
Iters = 12,
TestCurves = TestCurves,
moduleName = "test_fp6_" & $BW6_761,
testSuiteDesc = "𝔽p6 = 𝔽p2[v] " & $BW6_761
)

View File

@ -69,10 +69,10 @@ suite "Pairing - Line Functions on BLS12-377" & " [" & $WordBitwidth & "-bit mod
test "Line double - lt,t(P)":
proc test_line_double(C: static Curve, randZ: bool, gen: RandomGen) =
for _ in 0 ..< Iters:
let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
var l: Line[Fp2[C], C.getSexticTwist()]
let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var l: Line[Fp2[C]]
var T2: typeof(Q)
T2.double(T)
@ -91,15 +91,15 @@ suite "Pairing - Line Functions on BLS12-377" & " [" & $WordBitwidth & "-bit mod
test "Line add - lt,q(P)":
proc test_line_add(C: static Curve, randZ: bool, gen: RandomGen) =
for _ in 0 ..< Iters:
let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
var l: Line[Fp2[C], C.getSexticTwist()]
let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var l: Line[Fp2[C]]
var TQ{.noInit.}: typeof(T)
TQ.sum(T, Q)
var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C]]
var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
Qaff.affineFromProjective(Q)
l.line_add(T, Qaff, P)

View File

@ -69,10 +69,10 @@ suite "Pairing - Line Functions on BLS12-381" & " [" & $WordBitwidth & "-bit mod
test "Line double - lt,t(P)":
proc test_line_double(C: static Curve, randZ: bool, gen: RandomGen) =
for _ in 0 ..< Iters:
let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
var l: Line[Fp2[C], C.getSexticTwist()]
let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var l: Line[Fp2[C]]
var T2: typeof(Q)
T2.double(T)
@ -91,15 +91,15 @@ suite "Pairing - Line Functions on BLS12-381" & " [" & $WordBitwidth & "-bit mod
test "Line add - lt,q(P)":
proc test_line_add(C: static Curve, randZ: bool, gen: RandomGen) =
for _ in 0 ..< Iters:
let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
var l: Line[Fp2[C], C.getSexticTwist()]
let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var l: Line[Fp2[C]]
var TQ{.noInit.}: typeof(T)
TQ.sum(T, Q)
var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C]]
var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
Qaff.affineFromProjective(Q)
l.line_add(T, Qaff, P)

View File

@ -97,7 +97,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
let x = rng.random_elem(Fp2[C], gen)
let y = rng.random_elem(Fp2[C], gen)
let b = Fp6[C](c0: x, c1: y)
let line = Line[Fp2[C], M_twist](x: x, y: y)
let line = Line[Fp2[C]](x: x, y: y)
var r {.noInit.}, r2 {.noInit.}: Fp6[C]
@ -122,7 +122,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
var y = rng.random_elem(Fp2[C], gen)
var z = rng.random_elem(Fp2[C], gen)
let line = Line[Fp2[C], Mtwist](x: x, y: y, z: z)
let line = Line[Fp2[C]](x: x, y: y, z: z)
let b = Fp12[C](
c0: Fp6[C](c0: x, c1: y),
c1: Fp6[C](c1: z)
@ -148,7 +148,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
var y = rng.random_elem(Fp2[C], gen)
var z = rng.random_elem(Fp2[C], gen)
let line = Line[Fp2[C], Mtwist](x: x, y: y, z: z)
let line = Line[Fp2[C]](x: x, y: y, z: z)
let b = Fp12[C](
c0: Fp6[C](c0: x, c1: y, c2: z)
)
@ -165,54 +165,56 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
else:
static: doAssert Fp12[BN254_Snarks]().c0.typeof is Fp4
test "Sparse 𝔽p12/𝔽p4 resulting from xy000z line function":
test "Sparse 𝔽p12/𝔽p4 resulting from xy000z line function (M-twist only)":
proc test_fp12_xy000z(C: static Curve, gen: static RandomGen) =
for _ in 0 ..< Iters:
var a = rng.random_elem(Fp12[C], gen)
var a2 = a
when C.getSexticTwist() == M_Twist:
for _ in 0 ..< Iters:
var a = rng.random_elem(Fp12[C], gen)
var a2 = a
var x = rng.random_elem(Fp2[C], gen)
var y = rng.random_elem(Fp2[C], gen)
var z = rng.random_elem(Fp2[C], gen)
var x = rng.random_elem(Fp2[C], gen)
var y = rng.random_elem(Fp2[C], gen)
var z = rng.random_elem(Fp2[C], gen)
let line = Line[Fp2[C], Mtwist](x: x, y: y, z: z)
let b = Fp12[C](
c0: Fp4[C](c0: x, c1: y),
# c1
c2: Fp4[C]( c1: z),
)
let line = Line[Fp2[C]](x: x, y: y, z: z)
let b = Fp12[C](
c0: Fp4[C](c0: x, c1: y),
# c1
c2: Fp4[C]( c1: z),
)
a *= b
a2.mul_sparse_by_line_xy000z(line)
a *= b
a2.mul_sparse_by_line_xy000z(line)
check: bool(a == a2)
check: bool(a == a2)
staticFor(curve, TestCurves):
test_fp12_xy000z(curve, gen = Uniform)
test_fp12_xy000z(curve, gen = HighHammingWeight)
test_fp12_xy000z(curve, gen = Long01Sequence)
test "Sparse 𝔽p12/𝔽p4 resulting from xyz000 line function":
test "Sparse 𝔽p12/𝔽p4 resulting from xyz000 line function (D-twist only)":
proc test_fp12_xy000z(C: static Curve, gen: static RandomGen) =
for _ in 0 ..< Iters:
var a = rng.random_elem(Fp12[C], gen)
var a2 = a
when C.getSexticTwist() == D_Twist:
for _ in 0 ..< Iters:
var a = rng.random_elem(Fp12[C], gen)
var a2 = a
var x = rng.random_elem(Fp2[C], gen)
var y = rng.random_elem(Fp2[C], gen)
var z = rng.random_elem(Fp2[C], gen)
var x = rng.random_elem(Fp2[C], gen)
var y = rng.random_elem(Fp2[C], gen)
var z = rng.random_elem(Fp2[C], gen)
let line = Line[Fp2[C], Dtwist](x: x, y: y, z: z)
let b = Fp12[C](
c0: Fp4[C](c0: x, c1: y),
c1: Fp4[C](c0: z ),
# c2:
)
let line = Line[Fp2[C]](x: x, y: y, z: z)
let b = Fp12[C](
c0: Fp4[C](c0: x, c1: y),
c1: Fp4[C](c0: z ),
# c2:
)
a *= b
a2.mul_sparse_by_line_xyz000(line)
a *= b
a2.mul_sparse_by_line_xyz000(line)
check: bool(a == a2)
check: bool(a == a2)
staticFor(curve, TestCurves):
test_fp12_xy000z(curve, gen = Uniform)
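Review bot: the proc name `test_fp12_xy000z` is reused for the xyz000 test (`proc test_fp12_xy000z(C: static Curve, gen: static RandomGen) =` directly under the `"... xyz000 line function (D-twist only)"` test), a copy-paste leftover that should become `test_fp12_xyz000`; it only compiles because each `proc` is scoped to its own `test` block. Separately, the new `when C.getSexticTwist() == M_Twist:` and `== D_Twist:` guards make the test body vanish entirely for curves of the other twist, so the test reports green with zero iterations for them; add an `else:` branch that echoes a skip message so the output records that the curve was not applicable rather than exercised.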

View File

@ -61,8 +61,8 @@ template runPairingTests*(Iters: static int, C: static Curve, pairing_fn: untype
proc test_bilinearity_double_impl(randZ: bool, gen: RandomGen) =
for _ in 0 ..< Iters:
let P = rng.random_point(ECP_ShortW_Proj[Fp[C]], randZ, gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist], randZ, gen)
let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
var P2: typeof(P)
var Q2: typeof(Q)