from bn128_curve import double, add, multiply, is_on_curve, neg, twist, b, b2, b12, curve_order, G1, G2, G12
from bn128_field_elements import field_modulus, FQ
from optimized_field_elements import FQ2, FQ12
# Ate pairing loop parameter for this curve: 6*u + 2, where the BN curve
# parameter is u = 4965661367192848881. This is a public constant, so the
# bit tests on it in miller_loop do not depend on caller-supplied data.
ate_loop_count = 29793968203157093288
# Index of the bit just below the most significant set bit of ate_loop_count
# (the value is 63). miller_loop starts from R = Q, which stands in for the
# top bit, and then walks the remaining bits from this index down to bit 0.
log_ate_loop_count = ate_loop_count.bit_length() - 2
# Create a function representing the line between P1 and P2,
# and evaluate it at T
def linefunc(P1, P2, T):
    """Evaluate at T the line through P1 and P2.

    Each argument is an (x, y) pair whose coordinates support the
    arithmetic used below. Three cases are handled:

    * x1 != x2: the chord through P1 and P2;
    * same x and same y: the tangent at P1;
    * same x, different y: the vertical line x = x1.

    The result is zero when T lies on that line.
    """
    # The point at infinity is represented as None elsewhere in this file and
    # is not supported here. This assert is removed under ``python -O``; a
    # None argument then fails at the unpacking below with a TypeError.
    assert P1 and P2 and T  # No points-at-infinity allowed, sorry
    (x1, y1), (x2, y2), (xt, yt) = P1, P2, T
    if x1 != x2:
        slope = (y2 - y1) / (x2 - x1)
    elif y1 == y2:
        # NOTE(review): this divides by 2*y1; a point with y1 == 0 is not
        # special-cased here -- confirm callers never pass one.
        slope = 3 * x1**2 / (2 * y1)
    else:
        # Vertical line: only the x-offset of T matters.
        return xt - x1
    return slope * (xt - x1) - (yt - y1)
def cast_point_to_fq12(pt):
    """Lift a point's coordinates into FQ12.

    Returns None unchanged (None is passed through as-is). Otherwise ``pt``
    must be an (x, y) pair whose coordinates expose an ``n`` attribute; each
    coordinate becomes an FQ12 element with ``n`` as the first coefficient
    and the remaining eleven coefficients set to zero.
    """
    if pt is None:
        return None

    def embed(coord):
        # presumably coord.n is the integer value of the field element;
        # verify against the FQ class.
        return FQ12([coord.n] + [0] * 11)

    x, y = pt
    return (embed(x), embed(y))
# Check consistency of the "line function"
# Import-time self-test of linefunc on small multiples of the generator.
# These are plain asserts, so they do not run under ``python -O``.
one = G1
two = double(G1)
three = multiply(G1, 3)
# (curve_order - k) * G1, which the names below treat as -k * G1.
negone = multiply(G1, curve_order - 1)
negtwo = multiply(G1, curve_order - 2)
negthree = multiply(G1, curve_order - 3)

# Chord through `one` and `two`: vanishes at both points and at `negthree`,
# but not at `three`.
assert linefunc(one, two, one) == FQ(0)
assert linefunc(one, two, two) == FQ(0)
assert linefunc(one, two, three) != FQ(0)
assert linefunc(one, two, negthree) == FQ(0)
# Line through `one` and `negone` (the vertical-line branch when the two
# points share an x coordinate): vanishes at both, not at `two`.
assert linefunc(one, negone, one) == FQ(0)
assert linefunc(one, negone, negone) == FQ(0)
assert linefunc(one, negone, two) != FQ(0)
# Tangent at `one`: vanishes at `one` and at `negtwo`, not at `two`.
assert linefunc(one, one, one) == FQ(0)
assert linefunc(one, one, two) != FQ(0)
assert linefunc(one, one, negtwo) == FQ(0)
# Main miller loop
def miller_loop(Q, P):
    """Run the Miller loop for (Q, P) and apply the final exponentiation.

    Q and P are coordinate pairs or None; ``pairing`` in this file calls this
    with ``twist(Q)`` and ``cast_point_to_fq12(P)``. If either argument is
    None the result is ``FQ12.one()``.

    No on-curve validation happens here; ``pairing`` performs those checks
    before calling this function.

    NOTE(review): linefunc branches on point coordinates and the arithmetic
    is ordinary Python object arithmetic, so do not assume constant-time
    behaviour if an input is ever secret.
    """
    if Q is None or P is None:
        return FQ12.one()

    acc = FQ12.one()
    R = Q
    # Double-and-add over the bits of ate_loop_count, from index
    # log_ate_loop_count down to 0.
    for bit in reversed(range(log_ate_loop_count + 1)):
        tangent = linefunc(R, R, P)
        acc = acc * acc * tangent
        R = double(R)
        if (ate_loop_count >> bit) & 1:
            acc = acc * linefunc(R, Q, P)
            R = add(R, Q)
    # Unchecked invariant at this point: R == multiply(Q, ate_loop_count)

    # Two extra line evaluations using coordinates of Q raised to the power
    # field_modulus (once for Q1, twice for nQ2, whose y is also negated).
    # Unchecked invariants: is_on_curve(Q1, b12) and is_on_curve(nQ2, b12).
    exponent = field_modulus
    Q1 = (Q[0] ** exponent, Q[1] ** exponent)
    nQ2 = (Q1[0] ** exponent, -Q1[1] ** exponent)
    acc = acc * linefunc(R, Q1, P)
    R = add(R, Q1)
    acc = acc * linefunc(R, nQ2, P)
    # Many specifications also do R = add(R, nQ2) here; it is omitted because
    # R is not used again, so it technically does nothing.

    # Final exponentiation.
    final_exponent = (field_modulus ** 12 - 1) // curve_order
    return acc ** final_exponent
# Pairing computation
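def pairing(Q, P):
    """Compute the pairing of Q (checked against b2) and P (checked against b).

    Both points are validated with ``is_on_curve`` before any pairing
    arithmetic runs; Q is then passed through ``twist`` and P through
    ``cast_point_to_fq12`` before being handed to ``miller_loop``.

    Raises:
        AssertionError: if either point fails its on-curve check.

    NOTE(review): an on-curve check alone does not establish that Q lies in
    the subgroup of order curve_order on the twist curve. If Q can come from
    an untrusted source, confirm that a subgroup check is done by the caller.
    """
    # Input validation must not rely on the ``assert`` statement: it is
    # removed under ``python -O``, which would let off-curve points reach the
    # Miller loop. AssertionError is kept as the exception type so existing
    # callers that catch it keep working.
    if not is_on_curve(Q, b2):
        raise AssertionError("pairing: Q failed the on-curve check for b2")
    if not is_on_curve(P, b):
        raise AssertionError("pairing: P failed the on-curve check for b")
    return miller_loop(twist(Q), cast_point_to_fq12(P))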