Clearmatics Libff  0.1
C++ library for Finite Fields and Elliptic Curves
alt_bn128_pairing.cpp
Go to the documentation of this file.
1 
8 #include <cassert>
9 #include <libff/algebra/curves/alt_bn128/alt_bn128_g1.hpp>
10 #include <libff/algebra/curves/alt_bn128/alt_bn128_g2.hpp>
11 #include <libff/algebra/curves/alt_bn128/alt_bn128_init.hpp>
12 #include <libff/algebra/curves/alt_bn128/alt_bn128_pairing.hpp>
13 #include <libff/common/profiling.hpp>
14 
15 namespace libff
16 {
17 
18 bool alt_bn128_ate_G1_precomp::operator==(
19  const alt_bn128_ate_G1_precomp &other) const
20 {
21  return (this->PX == other.PX && this->PY == other.PY);
22 }
23 
24 std::ostream &operator<<(
25  std::ostream &out, const alt_bn128_ate_G1_precomp &prec_P)
26 {
27  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY;
28 
29  return out;
30 }
31 
32 std::istream &operator>>(std::istream &in, alt_bn128_ate_G1_precomp &prec_P)
33 {
34  in >> prec_P.PX;
35  consume_OUTPUT_SEPARATOR(in);
36  in >> prec_P.PY;
37 
38  return in;
39 }
40 
41 bool alt_bn128_ate_ell_coeffs::operator==(
42  const alt_bn128_ate_ell_coeffs &other) const
43 {
44  return (
45  this->ell_0 == other.ell_0 && this->ell_VW == other.ell_VW &&
46  this->ell_VV == other.ell_VV);
47 }
48 
49 std::ostream &operator<<(std::ostream &out, const alt_bn128_ate_ell_coeffs &c)
50 {
51  out << c.ell_0 << OUTPUT_SEPARATOR << c.ell_VW << OUTPUT_SEPARATOR
52  << c.ell_VV;
53  return out;
54 }
55 
56 std::istream &operator>>(std::istream &in, alt_bn128_ate_ell_coeffs &c)
57 {
58  in >> c.ell_0;
59  consume_OUTPUT_SEPARATOR(in);
60  in >> c.ell_VW;
61  consume_OUTPUT_SEPARATOR(in);
62  in >> c.ell_VV;
63 
64  return in;
65 }
66 
67 bool alt_bn128_ate_G2_precomp::operator==(
68  const alt_bn128_ate_G2_precomp &other) const
69 {
70  return (
71  this->QX == other.QX && this->QY == other.QY &&
72  this->coeffs == other.coeffs);
73 }
74 
75 std::ostream &operator<<(
76  std::ostream &out, const alt_bn128_ate_G2_precomp &prec_Q)
77 {
78  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << "\n";
79  out << prec_Q.coeffs.size() << "\n";
80  for (const alt_bn128_ate_ell_coeffs &c : prec_Q.coeffs) {
81  out << c << OUTPUT_NEWLINE;
82  }
83  return out;
84 }
85 
86 std::istream &operator>>(std::istream &in, alt_bn128_ate_G2_precomp &prec_Q)
87 {
88  in >> prec_Q.QX;
89  consume_OUTPUT_SEPARATOR(in);
90  in >> prec_Q.QY;
91  consume_newline(in);
92 
93  prec_Q.coeffs.clear();
94  size_t s;
95  in >> s;
96 
97  consume_newline(in);
98 
99  prec_Q.coeffs.reserve(s);
100 
101  for (size_t i = 0; i < s; ++i) {
102  alt_bn128_ate_ell_coeffs c;
103  in >> c;
104  consume_OUTPUT_NEWLINE(in);
105  prec_Q.coeffs.emplace_back(c);
106  }
107 
108  return in;
109 }
110 
111 /* final exponentiations */
112 
113 alt_bn128_Fq12 alt_bn128_final_exponentiation_first_chunk(
114  const alt_bn128_Fq12 &elt)
115 {
116  enter_block("Call to alt_bn128_final_exponentiation_first_chunk");
117 
118  /*
119  Computes result = elt^((q^6-1)*(q^2+1)).
120  Follows, e.g., Beuchat et al page 9, by computing result as follows:
121  elt^((q^6-1)*(q^2+1)) = (conj(elt) * elt^(-1))^(q^2+1)
122  More precisely:
123  A = conj(elt)
124  B = elt.inverse()
125  C = A * B
126  D = C.Frobenius_map(2)
127  result = D * C
128  */
129 
130  const alt_bn128_Fq12 A = alt_bn128_Fq12(elt.coeffs[0], -elt.coeffs[1]);
131  const alt_bn128_Fq12 B = elt.inverse();
132  const alt_bn128_Fq12 C = A * B;
133  const alt_bn128_Fq12 D = C.Frobenius_map(2);
134  const alt_bn128_Fq12 result = D * C;
135 
136  leave_block("Call to alt_bn128_final_exponentiation_first_chunk");
137 
138  return result;
139 }
140 
141 alt_bn128_Fq12 alt_bn128_exp_by_neg_z(const alt_bn128_Fq12 &elt)
142 {
143  enter_block("Call to alt_bn128_exp_by_neg_z");
144 
145  alt_bn128_Fq12 result = elt.cyclotomic_exp(alt_bn128_final_exponent_z);
146  if (!alt_bn128_final_exponent_is_z_neg) {
147  result = result.unitary_inverse();
148  }
149 
150  leave_block("Call to alt_bn128_exp_by_neg_z");
151 
152  return result;
153 }
154 
155 alt_bn128_Fq12 alt_bn128_final_exponentiation_last_chunk(
156  const alt_bn128_Fq12 &elt)
157 {
158  enter_block("Call to alt_bn128_final_exponentiation_last_chunk");
159 
160  // clang-format off
161  /*
162  Follows Laura Fuentes-Castaneda et al. "Faster hashing to G2"
163  by computing:
164 
165  result = elt^(q^3 * (12*z^3 + 6z^2 + 4z - 1) +
166  q^2 * (12*z^3 + 6z^2 + 6z) +
167  q * (12*z^3 + 6z^2 + 4z) +
168  1 * (12*z^3 + 12z^2 + 6z + 1))
169  which equals
170 
171  result = elt^( 2z * ( 6z^2 + 3z + 1 ) * (q^4 - q^2 + 1)/r ).
172 
173  Using the following addition chain:
174 
175  A = exp_by_neg_z(elt) // = elt^(-z)
176  B = A^2 // = elt^(-2*z)
177  C = B^2 // = elt^(-4*z)
178  D = C * B // = elt^(-6*z)
179  E = exp_by_neg_z(D) // = elt^(6*z^2)
180  F = E^2 // = elt^(12*z^2)
181  G = epx_by_neg_z(F) // = elt^(-12*z^3)
182  H = conj(D) // = elt^(6*z)
183  I = conj(G) // = elt^(12*z^3)
184  J = I * E // = elt^(12*z^3 + 6*z^2)
185  K = J * H // = elt^(12*z^3 + 6*z^2 + 6*z)
186  L = K * B // = elt^(12*z^3 + 6*z^2 + 4*z)
187  M = K * E // = elt^(12*z^3 + 12*z^2 + 6*z)
188  N = M * elt // = elt^(12*z^3 + 12*z^2 + 6*z + 1)
189  O = L.Frobenius_map(1) // = elt^(q*(12*z^3 + 6*z^2 + 4*z))
190  P = O * N // = elt^(q*(12*z^3 + 6*z^2 + 4*z) * (12*z^3 + 12*z^2 + 6*z + 1))
191  Q = K.Frobenius_map(2) // = elt^(q^2 * (12*z^3 + 6*z^2 + 6*z))
192  R = Q * P // = elt^(q^2 * (12*z^3 + 6*z^2 + 6*z) + q*(12*z^3 + 6*z^2 + 4*z) * (12*z^3 + 12*z^2 + 6*z + 1))
193  S = conj(elt) // = elt^(-1)
194  T = S * L // = elt^(12*z^3 + 6*z^2 + 4*z - 1)
195  U = T.Frobenius_map(3) // = elt^(q^3(12*z^3 + 6*z^2 + 4*z - 1))
196  V = U * R // = elt^(q^3(12*z^3 + 6*z^2 + 4*z - 1) + q^2 * (12*z^3 + 6*z^2 + 6*z) + q*(12*z^3 + 6*z^2 + 4*z) * (12*z^3 + 12*z^2 + 6*z + 1))
197  result = V
198  */
199  // clang-format on
200 
201  const alt_bn128_Fq12 A = alt_bn128_exp_by_neg_z(elt);
202  const alt_bn128_Fq12 B = A.cyclotomic_squared();
203  const alt_bn128_Fq12 C = B.cyclotomic_squared();
204  const alt_bn128_Fq12 D = C * B;
205  const alt_bn128_Fq12 E = alt_bn128_exp_by_neg_z(D);
206  const alt_bn128_Fq12 F = E.cyclotomic_squared();
207  const alt_bn128_Fq12 G = alt_bn128_exp_by_neg_z(F);
208  const alt_bn128_Fq12 H = D.unitary_inverse();
209  const alt_bn128_Fq12 I = G.unitary_inverse();
210  const alt_bn128_Fq12 J = I * E;
211  const alt_bn128_Fq12 K = J * H;
212  const alt_bn128_Fq12 L = K * B;
213  const alt_bn128_Fq12 M = K * E;
214  const alt_bn128_Fq12 N = M * elt;
215  const alt_bn128_Fq12 O = L.Frobenius_map(1);
216  const alt_bn128_Fq12 P = O * N;
217  const alt_bn128_Fq12 Q = K.Frobenius_map(2);
218  const alt_bn128_Fq12 R = Q * P;
219  const alt_bn128_Fq12 S = elt.unitary_inverse();
220  const alt_bn128_Fq12 T = S * L;
221  const alt_bn128_Fq12 U = T.Frobenius_map(3);
222  const alt_bn128_Fq12 V = U * R;
223 
224  const alt_bn128_Fq12 result = V;
225 
226  leave_block("Call to alt_bn128_final_exponentiation_last_chunk");
227 
228  return result;
229 }
230 
231 alt_bn128_GT alt_bn128_final_exponentiation(const alt_bn128_Fq12 &elt)
232 {
233  enter_block("Call to alt_bn128_final_exponentiation");
234  /* OLD naive version:
235  alt_bn128_GT result = elt^alt_bn128_final_exponent;
236  */
237  alt_bn128_Fq12 A = alt_bn128_final_exponentiation_first_chunk(elt);
238  alt_bn128_GT result = alt_bn128_final_exponentiation_last_chunk(A);
239 
240  leave_block("Call to alt_bn128_final_exponentiation");
241  return result;
242 }
243 
244 /* ate pairing */
245 
246 void doubling_step_for_flipped_miller_loop(
247  const alt_bn128_Fq two_inv,
248  alt_bn128_G2 &current,
249  alt_bn128_ate_ell_coeffs &c)
250 {
251  const alt_bn128_Fq2 X = current.X, Y = current.Y, Z = current.Z;
252 
253  // A = X1 * Y1 / 2
254  const alt_bn128_Fq2 A = two_inv * (X * Y);
255  // B = Y1^2
256  const alt_bn128_Fq2 B = Y.squared();
257  // C = Z1^2
258  const alt_bn128_Fq2 C = Z.squared();
259  // D = 3 * C
260  const alt_bn128_Fq2 D = C + C + C;
261  // E = twist_b * D
262  const alt_bn128_Fq2 E = alt_bn128_twist_coeff_b * D;
263  // F = 3 * E
264  const alt_bn128_Fq2 F = E + E + E;
265  // G = (B+F)/2
266  const alt_bn128_Fq2 G = two_inv * (B + F);
267  // H = (Y1+Z1)^2-(B+C)
268  const alt_bn128_Fq2 H = (Y + Z).squared() - (B + C);
269  // I = E-B
270  const alt_bn128_Fq2 I = E - B;
271  // J = X1^2
272  const alt_bn128_Fq2 J = X.squared();
273  // E_squared = E^2
274  const alt_bn128_Fq2 E_squared = E.squared();
275 
276  // X3 = A * (B-F)
277  current.X = A * (B - F);
278  // Y3 = G^2 - 3*E^2
279  current.Y = G.squared() - (E_squared + E_squared + E_squared);
280  // Z3 = B * H
281  current.Z = B * H;
282  // ell_0 = xi * I
283  c.ell_0 = alt_bn128_twist * I;
284  // ell_VW = - H (later: * yP)
285  c.ell_VW = -H;
286  // ell_VV = 3*J (later: * xP)
287  c.ell_VV = J + J + J;
288 }
289 
290 void mixed_addition_step_for_flipped_miller_loop(
291  const alt_bn128_G2 base, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
292 {
293  const alt_bn128_Fq2 X1 = current.X, Y1 = current.Y, Z1 = current.Z;
294  const alt_bn128_Fq2 &x2 = base.X, &y2 = base.Y;
295 
296  // D = X1 - X2*Z1
297  const alt_bn128_Fq2 D = X1 - x2 * Z1;
298  // E = Y1 - Y2*Z1
299  const alt_bn128_Fq2 E = Y1 - y2 * Z1;
300  // F = D^2
301  const alt_bn128_Fq2 F = D.squared();
302  // G = E^2
303  const alt_bn128_Fq2 G = E.squared();
304  // H = D*F
305  const alt_bn128_Fq2 H = D * F;
306  // I = X1 * F
307  const alt_bn128_Fq2 I = X1 * F;
308  // J = H + Z1*G - (I+I)
309  const alt_bn128_Fq2 J = H + Z1 * G - (I + I);
310 
311  // X3 = D*J
312  current.X = D * J;
313  // Y3 = E*(I-J)-(H*Y1)
314  current.Y = E * (I - J) - (H * Y1);
315  // Z3 = Z1*H
316  current.Z = Z1 * H;
317  // ell_0 = xi * (E * X2 - D * Y2)
318  c.ell_0 = alt_bn128_twist * (E * x2 - D * y2);
319  // ell_VV = - E (later: * xP)
320  c.ell_VV = -E;
321  // ell_VW = D (later: * yP)
322  c.ell_VW = D;
323 }
324 
325 alt_bn128_ate_G1_precomp alt_bn128_ate_precompute_G1(const alt_bn128_G1 &P)
326 {
327  enter_block("Call to alt_bn128_ate_precompute_G1");
328 
329  alt_bn128_G1 Pcopy = P;
330  Pcopy.to_affine_coordinates();
331 
332  alt_bn128_ate_G1_precomp result;
333  result.PX = Pcopy.X;
334  result.PY = Pcopy.Y;
335 
336  leave_block("Call to alt_bn128_ate_precompute_G1");
337  return result;
338 }
339 
340 alt_bn128_ate_G2_precomp alt_bn128_ate_precompute_G2(const alt_bn128_G2 &Q)
341 {
342  enter_block("Call to alt_bn128_ate_precompute_G2");
343 
344  alt_bn128_G2 Qcopy(Q);
345  Qcopy.to_affine_coordinates();
346 
347  // could add to global params if needed
348  alt_bn128_Fq two_inv = (alt_bn128_Fq("2").inverse());
349 
350  alt_bn128_ate_G2_precomp result;
351  result.QX = Qcopy.X;
352  result.QY = Qcopy.Y;
353 
354  alt_bn128_G2 R;
355  R.X = Qcopy.X;
356  R.Y = Qcopy.Y;
357  R.Z = alt_bn128_Fq2::one();
358 
359  const bigint<alt_bn128_Fr::num_limbs> &loop_count =
360  alt_bn128_ate_loop_count;
361  bool found_one = false;
362  alt_bn128_ate_ell_coeffs c;
363 
364  for (long i = loop_count.max_bits(); i >= 0; --i) {
365  const bool bit = loop_count.test_bit(i);
366  if (!found_one) {
367  /* this skips the MSB itself */
368  found_one |= bit;
369  continue;
370  }
371 
372  doubling_step_for_flipped_miller_loop(two_inv, R, c);
373  result.coeffs.push_back(c);
374 
375  if (bit) {
376  mixed_addition_step_for_flipped_miller_loop(Qcopy, R, c);
377  result.coeffs.push_back(c);
378  }
379  }
380 
381  alt_bn128_G2 Q1 = Qcopy.mul_by_q();
382  assert(Q1.Z == alt_bn128_Fq2::one());
383  alt_bn128_G2 Q2 = Q1.mul_by_q();
384  assert(Q2.Z == alt_bn128_Fq2::one());
385 
386  if (alt_bn128_ate_is_loop_count_neg) {
387  R.Y = -R.Y;
388  }
389  Q2.Y = -Q2.Y;
390 
391  mixed_addition_step_for_flipped_miller_loop(Q1, R, c);
392  result.coeffs.push_back(c);
393 
394  mixed_addition_step_for_flipped_miller_loop(Q2, R, c);
395  result.coeffs.push_back(c);
396 
397  leave_block("Call to alt_bn128_ate_precompute_G2");
398  return result;
399 }
400 
401 alt_bn128_Fq12 alt_bn128_ate_miller_loop(
402  const alt_bn128_ate_G1_precomp &prec_P,
403  const alt_bn128_ate_G2_precomp &prec_Q)
404 {
405  enter_block("Call to alt_bn128_ate_miller_loop");
406 
407  alt_bn128_Fq12 f = alt_bn128_Fq12::one();
408 
409  bool found_one = false;
410  size_t idx = 0;
411 
412  const bigint<alt_bn128_Fr::num_limbs> &loop_count =
413  alt_bn128_ate_loop_count;
414  alt_bn128_ate_ell_coeffs c;
415 
416  for (long i = loop_count.max_bits(); i >= 0; --i) {
417  const bool bit = loop_count.test_bit(i);
418  if (!found_one) {
419  /* this skips the MSB itself */
420  found_one |= bit;
421  continue;
422  }
423 
424  /* code below gets executed for all bits (EXCEPT the MSB itself) of
425  alt_bn128_param_p (skipping leading zeros) in MSB to LSB
426  order */
427 
428  c = prec_Q.coeffs[idx++];
429  f = f.squared();
430  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
431 
432  if (bit) {
433  c = prec_Q.coeffs[idx++];
434  f = f.mul_by_024(
435  c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
436  }
437  }
438 
439  if (alt_bn128_ate_is_loop_count_neg) {
440  f = f.inverse();
441  }
442 
443  c = prec_Q.coeffs[idx++];
444  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
445 
446  c = prec_Q.coeffs[idx++];
447  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
448 
449  leave_block("Call to alt_bn128_ate_miller_loop");
450  return f;
451 }
452 
453 alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(
454  const alt_bn128_ate_G1_precomp &prec_P1,
455  const alt_bn128_ate_G2_precomp &prec_Q1,
456  const alt_bn128_ate_G1_precomp &prec_P2,
457  const alt_bn128_ate_G2_precomp &prec_Q2)
458 {
459  enter_block("Call to alt_bn128_ate_double_miller_loop");
460 
461  alt_bn128_Fq12 f = alt_bn128_Fq12::one();
462 
463  bool found_one = false;
464  size_t idx = 0;
465 
466  const bigint<alt_bn128_Fr::num_limbs> &loop_count =
467  alt_bn128_ate_loop_count;
468  for (long i = loop_count.max_bits(); i >= 0; --i) {
469  const bool bit = loop_count.test_bit(i);
470  if (!found_one) {
471  /* this skips the MSB itself */
472  found_one |= bit;
473  continue;
474  }
475 
476  /* code below gets executed for all bits (EXCEPT the MSB itself) of
477  alt_bn128_param_p (skipping leading zeros) in MSB to LSB
478  order */
479 
480  alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
481  alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
482  ++idx;
483 
484  f = f.squared();
485 
486  f = f.mul_by_024(
487  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
488  f = f.mul_by_024(
489  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
490 
491  if (bit) {
492  alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
493  alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
494  ++idx;
495 
496  f = f.mul_by_024(
497  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
498  f = f.mul_by_024(
499  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
500  }
501  }
502 
503  if (alt_bn128_ate_is_loop_count_neg) {
504  f = f.inverse();
505  }
506 
507  alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
508  alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
509  ++idx;
510  f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
511  f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
512 
513  c1 = prec_Q1.coeffs[idx];
514  c2 = prec_Q2.coeffs[idx];
515  ++idx;
516  f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
517  f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
518 
519  leave_block("Call to alt_bn128_ate_double_miller_loop");
520 
521  return f;
522 }
523 
524 alt_bn128_Fq12 alt_bn128_ate_pairing(
525  const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
526 {
527  enter_block("Call to alt_bn128_ate_pairing");
528  alt_bn128_ate_G1_precomp prec_P = alt_bn128_ate_precompute_G1(P);
529  alt_bn128_ate_G2_precomp prec_Q = alt_bn128_ate_precompute_G2(Q);
530  alt_bn128_Fq12 result = alt_bn128_ate_miller_loop(prec_P, prec_Q);
531  leave_block("Call to alt_bn128_ate_pairing");
532  return result;
533 }
534 
535 alt_bn128_GT alt_bn128_ate_reduced_pairing(
536  const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
537 {
538  enter_block("Call to alt_bn128_ate_reduced_pairing");
539  const alt_bn128_Fq12 f = alt_bn128_ate_pairing(P, Q);
540  const alt_bn128_GT result = alt_bn128_final_exponentiation(f);
541  leave_block("Call to alt_bn128_ate_reduced_pairing");
542  return result;
543 }
544 
545 /* choice of pairing */
546 
547 alt_bn128_G1_precomp alt_bn128_precompute_G1(const alt_bn128_G1 &P)
548 {
549  return alt_bn128_ate_precompute_G1(P);
550 }
551 
552 alt_bn128_G2_precomp alt_bn128_precompute_G2(const alt_bn128_G2 &Q)
553 {
554  return alt_bn128_ate_precompute_G2(Q);
555 }
556 
557 alt_bn128_Fq12 alt_bn128_miller_loop(
558  const alt_bn128_G1_precomp &prec_P, const alt_bn128_G2_precomp &prec_Q)
559 {
560  return alt_bn128_ate_miller_loop(prec_P, prec_Q);
561 }
562 
563 alt_bn128_Fq12 alt_bn128_double_miller_loop(
564  const alt_bn128_G1_precomp &prec_P1,
565  const alt_bn128_G2_precomp &prec_Q1,
566  const alt_bn128_G1_precomp &prec_P2,
567  const alt_bn128_G2_precomp &prec_Q2)
568 {
569  return alt_bn128_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
570 }
571 
572 alt_bn128_Fq12 alt_bn128_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
573 {
574  return alt_bn128_ate_pairing(P, Q);
575 }
576 
577 alt_bn128_GT alt_bn128_reduced_pairing(
578  const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
579 {
580  return alt_bn128_ate_reduced_pairing(P, Q);
581 }
582 } // namespace libff
libff::Fp2_model::coeffs
my_Fp coeffs[2]
Definition: fp2.hpp:63
libff::alt_bn128_ate_G1_precomp::PX
alt_bn128_Fq PX
Definition: alt_bn128_pairing.hpp:23
libff::enter_block
void enter_block(const std::string &msg, const bool indent)
Definition: profiling.cpp:271
libff::alt_bn128_G1::to_affine_coordinates
void to_affine_coordinates()
Definition: alt_bn128_g1.cpp:68
libff::alt_bn128_exp_by_neg_z
alt_bn128_Fq12 alt_bn128_exp_by_neg_z(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:141
libff
Definition: ffi.cpp:8
libff::Fp2_model< alt_bn128_q_limbs, alt_bn128_modulus_q >::one
static const Fp2_model< n, modulus > & one()
libff::alt_bn128_ate_ell_coeffs
Definition: alt_bn128_pairing.hpp:33
libff::doubling_step_for_flipped_miller_loop
void doubling_step_for_flipped_miller_loop(const alt_bn128_Fq two_inv, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
Definition: alt_bn128_pairing.cpp:246
libff::alt_bn128_G1::X
alt_bn128_Fq X
Definition: alt_bn128_g1.hpp:44
libff::alt_bn128_ate_ell_coeffs::ell_VW
alt_bn128_Fq2 ell_VW
Definition: alt_bn128_pairing.hpp:35
libff::alt_bn128_double_miller_loop
alt_bn128_Fq12 alt_bn128_double_miller_loop(const alt_bn128_G1_precomp &prec_P1, const alt_bn128_G2_precomp &prec_Q1, const alt_bn128_G1_precomp &prec_P2, const alt_bn128_G2_precomp &prec_Q2)
Definition: alt_bn128_pairing.cpp:563
libff::alt_bn128_final_exponentiation_first_chunk
alt_bn128_Fq12 alt_bn128_final_exponentiation_first_chunk(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:113
libff::Fp12_2over3over2_model::one
static Fp12_2over3over2_model< n, modulus > one()
libff::operator>>
std::istream & operator>>(std::istream &in, alt_bn128_G1 &g)
Definition: alt_bn128_g1.cpp:446
libff::alt_bn128_ate_G1_precomp::PY
alt_bn128_Fq PY
Definition: alt_bn128_pairing.hpp:24
libff::alt_bn128_pairing
alt_bn128_Fq12 alt_bn128_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:572
libff::alt_bn128_ate_G2_precomp::operator==
bool operator==(const alt_bn128_ate_G2_precomp &other) const
Definition: alt_bn128_pairing.cpp:67
libff::alt_bn128_G2::Y
alt_bn128_Fq2 Y
Definition: alt_bn128_g2.hpp:45
libff::alt_bn128_G2::mul_by_q
alt_bn128_G2 mul_by_q() const
Definition: alt_bn128_g2.cpp:351
libff::mixed_addition_step_for_flipped_miller_loop
void mixed_addition_step_for_flipped_miller_loop(const alt_bn128_G2 base, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
Definition: alt_bn128_pairing.cpp:290
libff::Fp_model::inverse
Fp_model inverse() const
libff::Fp12_2over3over2_model::squared
Fp12_2over3over2_model squared() const
default is squared_complex
libff::alt_bn128_G1::Y
alt_bn128_Fq Y
Definition: alt_bn128_g1.hpp:44
libff::alt_bn128_twist_coeff_b
alt_bn128_Fq2 alt_bn128_twist_coeff_b
Definition: alt_bn128_init.cpp:20
libff::alt_bn128_G2::Z
alt_bn128_Fq2 Z
Definition: alt_bn128_g2.hpp:45
libff::alt_bn128_ate_G2_precomp::QY
alt_bn128_Fq2 QY
Definition: alt_bn128_pairing.hpp:47
libff::alt_bn128_G2::X
alt_bn128_Fq2 X
Definition: alt_bn128_g2.hpp:45
libff::alt_bn128_ate_ell_coeffs::ell_0
alt_bn128_Fq2 ell_0
Definition: alt_bn128_pairing.hpp:34
libff::alt_bn128_precompute_G1
alt_bn128_G1_precomp alt_bn128_precompute_G1(const alt_bn128_G1 &P)
Definition: alt_bn128_pairing.cpp:547
OUTPUT_SEPARATOR
#define OUTPUT_SEPARATOR
Definition: serialization.hpp:69
libff::Fp12_2over3over2_model::Frobenius_map
Fp12_2over3over2_model Frobenius_map(unsigned long power) const
libff::bigint::max_bits
static constexpr size_t max_bits()
The number of bits representable by this bigint type.
Definition: bigint.hpp:51
libff::alt_bn128_ate_G2_precomp::QX
alt_bn128_Fq2 QX
Definition: alt_bn128_pairing.hpp:46
libff::alt_bn128_final_exponent_z
bigint< alt_bn128_q_limbs > alt_bn128_final_exponent_z
Definition: alt_bn128_init.cpp:29
libff::alt_bn128_ate_double_miller_loop
alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(const alt_bn128_ate_G1_precomp &prec_P1, const alt_bn128_ate_G2_precomp &prec_Q1, const alt_bn128_ate_G1_precomp &prec_P2, const alt_bn128_ate_G2_precomp &prec_Q2)
Definition: alt_bn128_pairing.cpp:453
libff::Fp12_2over3over2_model::inverse
Fp12_2over3over2_model inverse() const
alt_bn128_pairing.hpp
alt_bn128_init.hpp
libff::Fp12_2over3over2_model::mul_by_024
Fp12_2over3over2_model mul_by_024(const my_Fp2 &ell_0, const my_Fp2 &ell_VW, const my_Fp2 &ell_VV) const
libff::alt_bn128_precompute_G2
alt_bn128_G2_precomp alt_bn128_precompute_G2(const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:552
libff::alt_bn128_final_exponent_is_z_neg
bool alt_bn128_final_exponent_is_z_neg
Definition: alt_bn128_init.cpp:30
libff::alt_bn128_ate_is_loop_count_neg
bool alt_bn128_ate_is_loop_count_neg
Definition: alt_bn128_init.cpp:27
libff::consume_OUTPUT_SEPARATOR
void consume_OUTPUT_SEPARATOR(std::istream &in)
libff::alt_bn128_reduced_pairing
alt_bn128_GT alt_bn128_reduced_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:577
libff::bigint
Definition: bigint.hpp:20
libff::alt_bn128_G2
Definition: alt_bn128_g2.hpp:21
libff::Fp12_2over3over2_model::unitary_inverse
Fp12_2over3over2_model unitary_inverse() const
libff::Fp12_2over3over2_model
Definition: fp12_2over3over2.hpp:20
libff::alt_bn128_Fq
Fp_model< alt_bn128_q_limbs, alt_bn128_modulus_q > alt_bn128_Fq
Definition: alt_bn128_init.hpp:31
libff::Fp12_2over3over2_model::cyclotomic_exp
Fp12_2over3over2_model cyclotomic_exp(const bigint< m > &exponent) const
alt_bn128_g1.hpp
libff::Fp_model< alt_bn128_q_limbs, alt_bn128_modulus_q >
libff::alt_bn128_ate_reduced_pairing
alt_bn128_GT alt_bn128_ate_reduced_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:535
libff::alt_bn128_final_exponentiation_last_chunk
alt_bn128_Fq12 alt_bn128_final_exponentiation_last_chunk(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:155
libff::alt_bn128_ate_precompute_G2
alt_bn128_ate_G2_precomp alt_bn128_ate_precompute_G2(const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:340
libff::operator<<
std::ostream & operator<<(std::ostream &out, const alt_bn128_G1 &g)
Definition: alt_bn128_g1.cpp:436
libff::alt_bn128_G2::to_affine_coordinates
void to_affine_coordinates()
Definition: alt_bn128_g2.cpp:85
libff::consume_OUTPUT_NEWLINE
void consume_OUTPUT_NEWLINE(std::istream &in)
libff::alt_bn128_ate_miller_loop
alt_bn128_Fq12 alt_bn128_ate_miller_loop(const alt_bn128_ate_G1_precomp &prec_P, const alt_bn128_ate_G2_precomp &prec_Q)
Definition: alt_bn128_pairing.cpp:401
libff::alt_bn128_ate_G1_precomp
Definition: alt_bn128_pairing.hpp:22
libff::alt_bn128_ate_ell_coeffs::ell_VV
alt_bn128_Fq2 ell_VV
Definition: alt_bn128_pairing.hpp:36
libff::alt_bn128_ate_G2_precomp::coeffs
std::vector< alt_bn128_ate_ell_coeffs > coeffs
Definition: alt_bn128_pairing.hpp:48
libff::Fp2_model::squared
Fp2_model squared() const
default is squared_complex
libff::Fp2_model
Definition: fp2.hpp:18
profiling.hpp
libff::alt_bn128_G1
Definition: alt_bn128_g1.hpp:21
libff::leave_block
void leave_block(const std::string &msg, const bool indent)
Definition: profiling.cpp:305
libff::alt_bn128_ate_pairing
alt_bn128_Fq12 alt_bn128_ate_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:524
libff::Fp12_2over3over2_model::cyclotomic_squared
Fp12_2over3over2_model cyclotomic_squared() const
libff::alt_bn128_Fq12
Fp12_2over3over2_model< alt_bn128_q_limbs, alt_bn128_modulus_q > alt_bn128_Fq12
Definition: alt_bn128_init.hpp:35
libff::alt_bn128_ate_G1_precomp::operator==
bool operator==(const alt_bn128_ate_G1_precomp &other) const
Definition: alt_bn128_pairing.cpp:18
libff::alt_bn128_ate_G2_precomp
Definition: alt_bn128_pairing.hpp:45
OUTPUT_NEWLINE
#define OUTPUT_NEWLINE
Definition: serialization.hpp:68
libff::alt_bn128_ate_precompute_G1
alt_bn128_ate_G1_precomp alt_bn128_ate_precompute_G1(const alt_bn128_G1 &P)
Definition: alt_bn128_pairing.cpp:325
libff::bigint::test_bit
bool test_bit(const std::size_t bitno) const
libff::alt_bn128_miller_loop
alt_bn128_Fq12 alt_bn128_miller_loop(const alt_bn128_G1_precomp &prec_P, const alt_bn128_G2_precomp &prec_Q)
Definition: alt_bn128_pairing.cpp:557
libff::Fp12_2over3over2_model::coeffs
my_Fp6 coeffs[2]
Definition: fp12_2over3over2.hpp:62
libff::consume_newline
void consume_newline(std::istream &in)
libff::alt_bn128_final_exponentiation
alt_bn128_GT alt_bn128_final_exponentiation(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:231
libff::alt_bn128_ate_loop_count
bigint< alt_bn128_q_limbs > alt_bn128_ate_loop_count
Definition: alt_bn128_init.cpp:26
alt_bn128_g2.hpp
libff::alt_bn128_ate_ell_coeffs::operator==
bool operator==(const alt_bn128_ate_ell_coeffs &other) const
Definition: alt_bn128_pairing.cpp:41
libff::alt_bn128_twist
alt_bn128_Fq2 alt_bn128_twist
Definition: alt_bn128_init.cpp:19
Generated on Thu Aug 18 2022 12:42:18 for Clearmatics Libff by   doxygen 1.8.17