Clearmatics Libff  0.1
C++ library for Finite Fields and Elliptic Curves
bls12_377_init.cpp
Go to the documentation of this file.
1 #include <libff/algebra/curves/bls12_377/bls12_377_g1.hpp>
2 #include <libff/algebra/curves/bls12_377/bls12_377_g2.hpp>
3 #include <libff/algebra/curves/bls12_377/bls12_377_init.hpp>
4 
5 // Note: These parameters match the RUST implementation of the BLS12-377 curve:
6 // https://github.com/scipr-lab/zexe/tree/6bfe574f7adea14b97ff554bbb594988635b1908/algebra/src/bls12_377
7 
8 namespace libff
9 {
10 
11 bigint<bls12_377_r_limbs> bls12_377_modulus_r;
12 // bls12_377_modulus_q is a macro referring to bw6_761_modulus_r. See
13 // bls12_377_init.hpp.
14 // bigint<bls12_377_q_limbs> bls12_377_modulus_q;
15 
16 bls12_377_Fq bls12_377_coeff_b;
17 bigint<bls12_377_r_limbs> bls12_377_trace_of_frobenius;
18 bls12_377_Fq2 bls12_377_twist;
19 bls12_377_Fq2 bls12_377_twist_coeff_b;
20 bls12_377_Fq bls12_377_twist_mul_by_b_c0;
21 bls12_377_Fq bls12_377_twist_mul_by_b_c1;
22 bls12_377_Fq2 bls12_377_twist_mul_by_q_X;
23 bls12_377_Fq2 bls12_377_twist_mul_by_q_Y;
24 
25 // See bls12_377_G1::is_in_safe_subgroup
26 bls12_377_Fq bls12_377_g1_endomorphism_beta;
27 bigint<bls12_377_r_limbs> bls12_377_g1_safe_subgroup_check_c1;
28 bigint<bls12_377_r_limbs> bls12_377_g1_proof_of_safe_subgroup_w;
29 bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_x;
30 bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_y;
31 
32 // Coefficients for G2 untwist-frobenius-twist
33 bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w;
34 bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v;
35 bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3;
36 bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v_inverse;
37 bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3_inverse;
38 
39 // Coefficients used in bls12_377_G2::mul_by_cofactor
40 bigint<bls12_377_r_limbs> bls12_377_g2_mul_by_cofactor_h2_0;
41 bigint<bls12_377_r_limbs> bls12_377_g2_mul_by_cofactor_h2_1;
42 
43 bigint<bls12_377_q_limbs> bls12_377_ate_loop_count;
44 bool bls12_377_ate_is_loop_count_neg;
45 // k (embedding degree) = 12
46 bigint<12 * bls12_377_q_limbs> bls12_377_final_exponent;
47 bigint<bls12_377_q_limbs> bls12_377_final_exponent_z;
48 bool bls12_377_final_exponent_is_z_neg;
49 
50 void init_bls12_377_params()
51 {
52  typedef bigint<bls12_377_r_limbs> bigint_r;
53  typedef bigint<bls12_377_q_limbs> bigint_q;
54 
55  // Montgomery assumes this
56  assert(sizeof(mp_limb_t) == 8 || sizeof(mp_limb_t) == 4);
57 
58  // Parameters for scalar field Fr
59  // r = 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001
60  bls12_377_modulus_r = bigint_r("8444461749428370424248824938781546531375899"
61  "335154063827935233455917409239041");
62  assert(bls12_377_Fr::modulus_is_valid());
63  // 64-bit architecture
64  if (sizeof(mp_limb_t) == 8) {
65  bls12_377_Fr::Rsquared =
66  bigint_r("508595941311779472113692600146818027278633330499214071737"
67  "745792929336755579");
68  bls12_377_Fr::Rcubed =
69  bigint_r("271718748542331355632020787121653842635320109739890963908"
70  "6937135091399607628");
71  bls12_377_Fr::inv = 0xa117fffffffffff;
72  }
73  // 32-bit architecture
74  if (sizeof(mp_limb_t) == 4) {
75  bls12_377_Fr::Rsquared =
76  bigint_r("508595941311779472113692600146818027278633330499214071737"
77  "745792929336755579");
78  bls12_377_Fr::Rcubed =
79  bigint_r("271718748542331355632020787121653842635320109739890963908"
80  "6937135091399607628");
81  bls12_377_Fr::inv = 0xffffffff;
82  }
83  bls12_377_Fr::num_bits = 253;
84  bls12_377_Fr::euler = bigint_r("4222230874714185212124412469390773265687949"
85  "667577031913967616727958704619520");
86  bls12_377_Fr::s = 47;
87  bls12_377_Fr::t = bigint_r(
88  "60001509534603559531609739528203892656505753216962260608619555");
89  bls12_377_Fr::t_minus_1_over_2 = bigint_r(
90  "30000754767301779765804869764101946328252876608481130304309777");
91  bls12_377_Fr::multiplicative_generator = bls12_377_Fr("22");
92  bls12_377_Fr::root_of_unity =
93  bls12_377_Fr("806515965671681287737496751840327346652143269366181061997"
94  "9959746626482506078");
95  bls12_377_Fr::nqr = bls12_377_Fr("11");
96  bls12_377_Fr::nqr_to_t =
97  bls12_377_Fr("692488678884788206012306650822351907723216075069845241107"
98  "1850219367055984476");
99  bls12_377_Fr::static_init();
100 
101  // Parameters for base field Fq
102  // q =
103  // 0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
104  // sage:
105  // mod(0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001,
106  // 6) # = 1
107  bls12_377_modulus_q =
108  bigint_q("2586644260129690940106527336948935335363935127549146605398842"
109  "62666720468348340822774968888139573360124440321458177");
110  assert(bls12_377_Fq::modulus_is_valid());
111  if (sizeof(mp_limb_t) == 8) {
112  bls12_377_Fq::Rsquared = bigint_q(
113  "661274283768726978163325701168662324052305289846649183196063154202"
114  "33909940404532140033099444330447428417853902114");
115  bls12_377_Fq::Rcubed = bigint_q(
116  "157734475176213061358192738313701451942220138363611391489992831740"
117  "412033225490229541667992423878570205050777755168");
118  bls12_377_Fq::inv = 0x8508bfffffffffff;
119  }
120  if (sizeof(mp_limb_t) == 4) {
121  bls12_377_Fq::Rsquared = bigint_q(
122  "661274283768726978163325701168662324052305289846649183196063154202"
123  "33909940404532140033099444330447428417853902114");
124  bls12_377_Fq::Rcubed = bigint_q(
125  "157734475176213061358192738313701451942220138363611391489992831740"
126  "412033225490229541667992423878570205050777755168");
127  bls12_377_Fq::inv = 0xffffffff;
128  }
129 
130  bls12_377_Fq::num_bits = 377;
131  bls12_377_Fq::euler =
132  bigint_q("1293322130064845470053263668474467667681967563774573302699421"
133  "31333360234174170411387484444069786680062220160729088");
134  bls12_377_Fq::s = 46;
135  bls12_377_Fq::t =
136  bigint_q("3675842578061421676390135839012792950148785745837396071634149"
137  "488243117337281387659330802195819009059");
138  bls12_377_Fq::t_minus_1_over_2 =
139  bigint_q("1837921289030710838195067919506396475074392872918698035817074"
140  "744121558668640693829665401097909504529");
141  bls12_377_Fq::multiplicative_generator = bls12_377_Fq("15");
142  bls12_377_Fq::root_of_unity = bls12_377_Fq(
143  "3286357854725450502960126193986832566977050893937512246290474576635225"
144  "6812585773382134936404344547323199885654433");
145  // We need to find a qnr (small preferably) in order to compute square roots
146  // in the field
147  bls12_377_Fq::nqr = bls12_377_Fq("5");
148  bls12_377_Fq::nqr_to_t = bls12_377_Fq(
149  "3377495600822765621977587665628813354707861049382861377725882934574055"
150  "6592044969439504850374928261397247202212840");
151  bls12_377_Fq::static_init();
152 
153  // Parameters for twist field Fq2
154  bls12_377_Fq2::euler = bigint<2 * bls12_377_q_limbs>(
155  "3345364264230938125808962594624906928800576001088647925307095745329795"
156  "7116339370141113413635838485065209570299254148838549585056123015878375"
157  "0227249980418287852270900634666582330594333230337725133219903165601670"
158  "27213559780081664");
159  bls12_377_Fq2::s = 47;
160  bls12_377_Fq2::t = bigint<2 * bls12_377_q_limbs>(
161  "4754048552841450893153254632217264839938161459668674418291936583116517"
162  "6127142572882339399080590404004751647874022280630227875599477749628896"
163  "1383541476974255391881599499962735436887347234371823579436839914935817"
164  "251");
165  bls12_377_Fq2::t_minus_1_over_2 = bigint<2 * bls12_377_q_limbs>(
166  "2377024276420725446576627316108632419969080729834337209145968291558258"
167  "8063571286441169699540295202002375823937011140315113937799738874814448"
168  "0691770738487127695940799749981367718443673617185911789718419957467908"
169  "625");
170  // https://github.com/scipr-lab/zexe/blob/6bfe574f7adea14b97ff554bbb594988635b1908/algebra/src/bls12_377/fields/fq2.rs#L11
171  // Additive inverse of 5 in GF(q)
172  // sage: GF(q)(-5)
173  // Fp2 = Fp[X] / (X^2 - (-5)))
174  bls12_377_Fq2::non_residue = bls12_377_Fq(
175  "2586644260129690940106527336948935335363935127549146605398842626667204"
176  "68348340822774968888139573360124440321458172");
177  bls12_377_Fq2::nqr = bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
178  bls12_377_Fq2::nqr_to_t = bls12_377_Fq2(
179  bls12_377_Fq("0"),
180  bls12_377_Fq(
181  "257286236321774568987262729980034669694531728092793737444525294935"
182  "421142460394028155736019924956637466133519652786"));
183  bls12_377_Fq2::Frobenius_coeffs_c1[0] = bls12_377_Fq("1");
184  bls12_377_Fq2::Frobenius_coeffs_c1[1] = bls12_377_Fq(
185  "2586644260129690940106527336948935335363935127549146605398842626667204"
186  "68348340822774968888139573360124440321458176");
187  bls12_377_Fq2::static_init();
188 
189  // Parameters for Fq6 = (Fq2)^3
190  bls12_377_Fq6::non_residue =
191  bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
192  bls12_377_Fq6::Frobenius_coeffs_c1[0] =
193  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
194  bls12_377_Fq6::Frobenius_coeffs_c1[1] = bls12_377_Fq2(
195  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
196  "37287262712535938301461879813459410946"),
197  bls12_377_Fq("0"));
198  bls12_377_Fq6::Frobenius_coeffs_c1[2] = bls12_377_Fq2(
199  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
200  "37287262712535938301461879813459410945"),
201  bls12_377_Fq("0"));
202  bls12_377_Fq6::Frobenius_coeffs_c1[3] = bls12_377_Fq2(
203  bls12_377_Fq(
204  "258664426012969094010652733694893533536393512754914660539884262666"
205  "720468348340822774968888139573360124440321458176"),
206  bls12_377_Fq("0"));
207  bls12_377_Fq6::Frobenius_coeffs_c1[4] = bls12_377_Fq2(
208  bls12_377_Fq(
209  "258664426012969093929703085429980814127835149614277183275038967946"
210  "009968870203535512256352201271898244626862047231"),
211  bls12_377_Fq("0"));
212  bls12_377_Fq6::Frobenius_coeffs_c1[5] = bls12_377_Fq2(
213  bls12_377_Fq(
214  "258664426012969093929703085429980814127835149614277183275038967946"
215  "009968870203535512256352201271898244626862047232"),
216  bls12_377_Fq("0"));
217  bls12_377_Fq6::Frobenius_coeffs_c2[0] =
218  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
219  bls12_377_Fq6::Frobenius_coeffs_c2[1] = bls12_377_Fq2(
220  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
221  "37287262712535938301461879813459410945"),
222  bls12_377_Fq("0"));
223  bls12_377_Fq6::Frobenius_coeffs_c2[2] = bls12_377_Fq2(
224  bls12_377_Fq(
225  "258664426012969093929703085429980814127835149614277183275038967946"
226  "009968870203535512256352201271898244626862047231"),
227  bls12_377_Fq("0"));
228  bls12_377_Fq6::Frobenius_coeffs_c2[3] =
229  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
230  bls12_377_Fq6::Frobenius_coeffs_c2[4] = bls12_377_Fq2(
231  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
232  "37287262712535938301461879813459410945"),
233  bls12_377_Fq("0"));
234  bls12_377_Fq6::Frobenius_coeffs_c2[5] = bls12_377_Fq2(
235  bls12_377_Fq(
236  "258664426012969093929703085429980814127835149614277183275038967946"
237  "009968870203535512256352201271898244626862047231"),
238  bls12_377_Fq("0"));
239 
240  // Parameters for Fq12 = ((Fq2)^3)^2
241  bls12_377_Fq12::non_residue =
242  bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
243  bls12_377_Fq12::Frobenius_coeffs_c1[0] =
244  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
245  bls12_377_Fq12::Frobenius_coeffs_c1[1] = bls12_377_Fq2(
246  bls12_377_Fq(
247  "929493452202778647586249605064731826779530489092832489809601043817"
248  "95901929519566951595905490535835115111760994353"),
249  bls12_377_Fq("0"));
250  bls12_377_Fq12::Frobenius_coeffs_c1[2] = bls12_377_Fq2(
251  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
252  "37287262712535938301461879813459410946"),
253  bls12_377_Fq("0"));
254  bls12_377_Fq12::Frobenius_coeffs_c1[3] = bls12_377_Fq2(
255  bls12_377_Fq(
256  "216465761340224619389371505802605247630151569547285782856803747159"
257  "100223055385581585702401816380679166954762214499"),
258  bls12_377_Fq("0"));
259  bls12_377_Fq12::Frobenius_coeffs_c1[4] = bls12_377_Fq2(
260  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
261  "37287262712535938301461879813459410945"),
262  bls12_377_Fq("0"));
263  bls12_377_Fq12::Frobenius_coeffs_c1[5] = bls12_377_Fq2(
264  bls12_377_Fq(
265  "123516416119946754630746545296132064952198520638002533875843642777"
266  "304321125866014634106496325844844051843001220146"),
267  bls12_377_Fq("0"));
268  bls12_377_Fq12::Frobenius_coeffs_c1[6] = bls12_377_Fq2(
269  bls12_377_Fq(
270  "258664426012969094010652733694893533536393512754914660539884262666"
271  "720468348340822774968888139573360124440321458176"),
272  bls12_377_Fq("0"));
273  bls12_377_Fq12::Frobenius_coeffs_c1[7] = bls12_377_Fq2(
274  bls12_377_Fq(
275  "165715080792691229252027773188420350858440463845631411558924158284"
276  "924566418821255823372982649037525009328560463824"),
277  bls12_377_Fq("0"));
278  bls12_377_Fq12::Frobenius_coeffs_c1[8] = bls12_377_Fq2(
279  bls12_377_Fq(
280  "258664426012969093929703085429980814127835149614277183275038967946"
281  "009968870203535512256352201271898244626862047231"),
282  bls12_377_Fq("0"));
283  bls12_377_Fq12::Frobenius_coeffs_c1[9] = bls12_377_Fq2(
284  bls12_377_Fq(
285  "421986646727444746212812278922882859062419432076288776830805155076"
286  "20245292955241189266486323192680957485559243678"),
287  bls12_377_Fq("0"));
288  bls12_377_Fq12::Frobenius_coeffs_c1[10] = bls12_377_Fq2(
289  bls12_377_Fq(
290  "258664426012969093929703085429980814127835149614277183275038967946"
291  "009968870203535512256352201271898244626862047232"),
292  bls12_377_Fq("0"));
293  bls12_377_Fq12::Frobenius_coeffs_c1[11] = bls12_377_Fq2(
294  bls12_377_Fq(
295  "135148009893022339379906188398761468584194992116912126664040619889"
296  "416147222474808140862391813728516072597320238031"),
297  bls12_377_Fq("0"));
298 
299  // Choice of short Weierstrass curve and its twist
300  // E(Fq): y^2 = x^3 + 1
301  bls12_377_coeff_b = bls12_377_Fq("1");
302  // We use a type-D twist here, E'(Fq2): y^2 = x^3 + 1/u
303  bls12_377_twist = bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
304  bls12_377_twist_coeff_b = bls12_377_coeff_b * bls12_377_twist.inverse();
305 
306  bls12_377_twist_mul_by_b_c0 =
307  bls12_377_coeff_b * bls12_377_Fq2::non_residue;
308  bls12_377_twist_mul_by_b_c1 =
309  bls12_377_coeff_b * bls12_377_Fq2::non_residue;
310  bls12_377_twist_mul_by_q_X = bls12_377_Fq2(
311  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
312  "37287262712535938301461879813459410946"),
313  bls12_377_Fq("0"));
314  bls12_377_twist_mul_by_q_Y = bls12_377_Fq2(
315  bls12_377_Fq(
316  "216465761340224619389371505802605247630151569547285782856803747159"
317  "100223055385581585702401816380679166954762214499"),
318  bls12_377_Fq("0"));
319 
320  // Choice of group G1
321  // Identities
322  bls12_377_G1::G1_zero = bls12_377_G1(
323  bls12_377_Fq::zero(), bls12_377_Fq::one(), bls12_377_Fq::zero());
324  bls12_377_G1::G1_one = bls12_377_G1(
325  bls12_377_Fq(
326  "819379993731509642399382555734659482399886715026479765942196956448"
327  "55304257327692006745978603320413799295628339695"),
328  bls12_377_Fq(
329  "241266749859715473739788878240585681733927191168601896383759122102"
330  "112907357779751001206799952863815012735208165030"),
331  bls12_377_Fq::one());
332 
333  // Curve coeffs
334  bls12_377_G1::coeff_a = bls12_377_Fq::zero();
335  bls12_377_G1::coeff_b = bls12_377_coeff_b;
336 
337  // Trace of Frobenius
338  bls12_377_trace_of_frobenius = bigint_r("9586122913090633730");
339 
340  // Cofactor
341  bls12_377_G1::h =
342  bigint<bls12_377_G1::h_limbs>("30631250834960419227450344600217059328");
343 
344  // G1 fast subgroup check: 0 == [c0]P + [c1]sigma(P)
345  bls12_377_g1_endomorphism_beta =
346  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
347  "37287262712535938301461879813459410945");
348  bls12_377_g1_safe_subgroup_check_c1 =
349  bigint_r("91893752504881257701523279626832445441");
350 
351  // G1 proof of subgroup: values used to generate x' s.t. [r]x' = x.
352  bls12_377_g1_proof_of_safe_subgroup_w =
353  bigint_r("5285428838741532253824584287042945485047145357130994810877");
354  bls12_377_g1_proof_of_safe_subgroup_non_member_x = bls12_377_Fq(
355  "5579135224678387240478846790990709250936401022990388020368969649878761"
356  "5734938123558571181995209025075818229621722");
357  bls12_377_g1_proof_of_safe_subgroup_non_member_y = bls12_377_Fq(
358  "1743638558335201382296667234848353486892365850134605544446097301206037"
359  "41818916846216286948728983932214174344518655");
360 
361  // WNAF
362  //
363  // Note to self (AntoineR): Careful with wNAF as it can lead to SCAs:
364  // https://eprint.iacr.org/2019/861.pdf Note to self (AntoineR): The GLV
365  // patent (https://patents.google.com/patent/US7110538B2/en) expires in
366  // 09/2020. As such, efficient techniques for scalar mult. described in
367  // https://cryptosith.org/papers/exppair-20130904.pdf can become of interest
368  // then.
369  //
370  // Below we use the same `wnaf_window_table` as used for other curves
371  // TODO: Adjust the `wnaf_window_table` and `fixed_base_exp_window_table`
372  bls12_377_G1::wnaf_window_table.resize(0);
373  bls12_377_G1::wnaf_window_table.push_back(11);
374  bls12_377_G1::wnaf_window_table.push_back(24);
375  bls12_377_G1::wnaf_window_table.push_back(60);
376  bls12_377_G1::wnaf_window_table.push_back(127);
377 
378  // Below we use the same `fixed_base_exp_window_table` as used for other
379  // curves
380  bls12_377_G1::fixed_base_exp_window_table.resize(0);
381  // window 1 is unbeaten in [-inf, 4.99]
382  bls12_377_G1::fixed_base_exp_window_table.push_back(1);
383  // window 2 is unbeaten in [4.99, 10.99]
384  bls12_377_G1::fixed_base_exp_window_table.push_back(5);
385  // window 3 is unbeaten in [10.99, 32.29]
386  bls12_377_G1::fixed_base_exp_window_table.push_back(11);
387  // window 4 is unbeaten in [32.29, 55.23]
388  bls12_377_G1::fixed_base_exp_window_table.push_back(32);
389  // window 5 is unbeaten in [55.23, 162.03]
390  bls12_377_G1::fixed_base_exp_window_table.push_back(55);
391  // window 6 is unbeaten in [162.03, 360.15]
392  bls12_377_G1::fixed_base_exp_window_table.push_back(162);
393  // window 7 is unbeaten in [360.15, 815.44]
394  bls12_377_G1::fixed_base_exp_window_table.push_back(360);
395  // window 8 is unbeaten in [815.44, 2373.07]
396  bls12_377_G1::fixed_base_exp_window_table.push_back(815);
397  // window 9 is unbeaten in [2373.07, 6977.75]
398  bls12_377_G1::fixed_base_exp_window_table.push_back(2373);
399  // window 10 is unbeaten in [6977.75, 7122.23]
400  bls12_377_G1::fixed_base_exp_window_table.push_back(6978);
401  // window 11 is unbeaten in [7122.23, 57818.46]
402  bls12_377_G1::fixed_base_exp_window_table.push_back(7122);
403  // window 12 is never the best
404  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
405  // window 13 is unbeaten in [57818.46, 169679.14]
406  bls12_377_G1::fixed_base_exp_window_table.push_back(57818);
407  // window 14 is never the best
408  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
409  // window 15 is unbeaten in [169679.14, 439758.91]
410  bls12_377_G1::fixed_base_exp_window_table.push_back(169679);
411  // window 16 is unbeaten in [439758.91, 936073.41]
412  bls12_377_G1::fixed_base_exp_window_table.push_back(439759);
413  // window 17 is unbeaten in [936073.41, 4666554.74]
414  bls12_377_G1::fixed_base_exp_window_table.push_back(936073);
415  // window 18 is never the best
416  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
417  // window 19 is unbeaten in [4666554.74, 7580404.42]
418  bls12_377_G1::fixed_base_exp_window_table.push_back(4666555);
419  // window 20 is unbeaten in [7580404.42, 34552892.20]
420  bls12_377_G1::fixed_base_exp_window_table.push_back(7580404);
421  // window 21 is never the best
422  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
423  // window 22 is unbeaten in [34552892.20, inf]
424  bls12_377_G1::fixed_base_exp_window_table.push_back(34552892);
425 
426  // Choice of group G2
427  // Identities
428  bls12_377_G2::G2_zero = bls12_377_G2(
429  bls12_377_Fq2::zero(), bls12_377_Fq2::one(), bls12_377_Fq2::zero());
430  bls12_377_G2::G2_one = bls12_377_G2(
431  bls12_377_Fq2(
432  bls12_377_Fq(
433  "11158394577469511644391122625782382343446874024988304283774515"
434  "1039122196680777376765707574547389190084887628324746"),
435  bls12_377_Fq(
436  "12906698065670308551815730115433521588608211252437868655587316"
437  "1080604845924984124025594590925548060469686767592854")),
438  bls12_377_Fq2(
439  bls12_377_Fq(
440  "16886329972466897718302994134759646260897838050396510334100391"
441  "8678547611204475537878680436662916294540335494194722"),
442  bls12_377_Fq(
443  "23389249728747576225133535189361842960367292146986439276751455"
444  "2093535653615809913098097380147379993375817193725968")),
445  bls12_377_Fq2::one());
446 
447  // Curve twist coeffs
448  bls12_377_G2::coeff_a = bls12_377_Fq2::zero();
449  bls12_377_G2::coeff_b = bls12_377_twist_coeff_b;
450 
451  // Cofactor
452  bls12_377_G2::h = bigint<bls12_377_G2::h_limbs>(
453  "7923214915284317143930293550643874566881017850177945424769256759165301"
454  "4366169332282092779667740924864672894786184047614126306918357646745593"
455  "76407658497");
456 
457  // Untwist-Frobenius-Twist coefficients
458  bls12_377_Fq12 untwist_frobenius_twist_w =
459  bls12_377_Fq12(bls12_377_Fq6::zero(), bls12_377_Fq6::one());
460  bls12_377_g2_untwist_frobenius_twist_v =
461  untwist_frobenius_twist_w * untwist_frobenius_twist_w;
462  bls12_377_g2_untwist_frobenius_twist_w_3 =
463  untwist_frobenius_twist_w * bls12_377_g2_untwist_frobenius_twist_v;
464  bls12_377_g2_untwist_frobenius_twist_v_inverse =
465  bls12_377_g2_untwist_frobenius_twist_v.inverse();
466  bls12_377_g2_untwist_frobenius_twist_w_3_inverse =
467  bls12_377_g2_untwist_frobenius_twist_w_3.inverse();
468 
469  // Fast cofactor multiplication coefficients
470  bls12_377_g2_mul_by_cofactor_h2_0 =
471  bigint_r("293634935485640680722085584138834120318524213360527933441");
472  bls12_377_g2_mul_by_cofactor_h2_1 =
473  bigint_r("30631250834960419227450344600217059328");
474 
475  // G2 wNAF window table
476  bls12_377_G2::wnaf_window_table.resize(0);
477  bls12_377_G2::wnaf_window_table.push_back(5);
478  bls12_377_G2::wnaf_window_table.push_back(15);
479  bls12_377_G2::wnaf_window_table.push_back(39);
480  bls12_377_G2::wnaf_window_table.push_back(109);
481 
482  // G2 fixed-base exponentiation table
483  bls12_377_G2::fixed_base_exp_window_table.resize(0);
484  // window 1 is unbeaten in [-inf, 5.10]
485  bls12_377_G2::fixed_base_exp_window_table.push_back(1);
486  // window 2 is unbeaten in [5.10, 10.43]
487  bls12_377_G2::fixed_base_exp_window_table.push_back(5);
488  // window 3 is unbeaten in [10.43, 25.28]
489  bls12_377_G2::fixed_base_exp_window_table.push_back(10);
490  // window 4 is unbeaten in [25.28, 59.00]
491  bls12_377_G2::fixed_base_exp_window_table.push_back(25);
492  // window 5 is unbeaten in [59.00, 154.03]
493  bls12_377_G2::fixed_base_exp_window_table.push_back(59);
494  // window 6 is unbeaten in [154.03, 334.25]
495  bls12_377_G2::fixed_base_exp_window_table.push_back(154);
496  // window 7 is unbeaten in [334.25, 742.58]
497  bls12_377_G2::fixed_base_exp_window_table.push_back(334);
498  // window 8 is unbeaten in [742.58, 2034.40]
499  bls12_377_G2::fixed_base_exp_window_table.push_back(743);
500  // window 9 is unbeaten in [2034.40, 4987.56]
501  bls12_377_G2::fixed_base_exp_window_table.push_back(2034);
502  // window 10 is unbeaten in [4987.56, 8888.27]
503  bls12_377_G2::fixed_base_exp_window_table.push_back(4988);
504  // window 11 is unbeaten in [8888.27, 26271.13]
505  bls12_377_G2::fixed_base_exp_window_table.push_back(8888);
506  // window 12 is unbeaten in [26271.13, 39768.20]
507  bls12_377_G2::fixed_base_exp_window_table.push_back(26271);
508  // window 13 is unbeaten in [39768.20, 106275.75]
509  bls12_377_G2::fixed_base_exp_window_table.push_back(39768);
510  // window 14 is unbeaten in [106275.75, 141703.40]
511  bls12_377_G2::fixed_base_exp_window_table.push_back(106276);
512  // window 15 is unbeaten in [141703.40, 462422.97]
513  bls12_377_G2::fixed_base_exp_window_table.push_back(141703);
514  // window 16 is unbeaten in [462422.97, 926871.84]
515  bls12_377_G2::fixed_base_exp_window_table.push_back(462423);
516  // window 17 is unbeaten in [926871.84, 4873049.17]
517  bls12_377_G2::fixed_base_exp_window_table.push_back(926872);
518  // window 18 is never the best
519  bls12_377_G2::fixed_base_exp_window_table.push_back(0);
520  // window 19 is unbeaten in [4873049.17, 5706707.88]
521  bls12_377_G2::fixed_base_exp_window_table.push_back(4873049);
522  // window 20 is unbeaten in [5706707.88, 31673814.95]
523  bls12_377_G2::fixed_base_exp_window_table.push_back(5706708);
524  // window 21 is never the best
525  bls12_377_G2::fixed_base_exp_window_table.push_back(0);
526  // window 22 is unbeaten in [31673814.95, inf]
527  bls12_377_G2::fixed_base_exp_window_table.push_back(31673815);
528 
529  // Pairing parameters
530  // sage: u = 9586122913090633729
531  // sage: ceil(log(u, 2)) # = 64
532  // sage: bin(u) # =
533  // '0b1000010100001000110000000000000000000000000000000000000000000001'
534  // The Hamming weight of u is: HW(u) = 7, where
535  // u = 2**63 + 2**58 + 2**56 + 2**51 + 2**47 + 2**46 + 1
536  // Based on the power-2 decomposition of u, we should have 63 doubling
537  // steps and 7 addition steps in the Miller Loop.
538  bls12_377_ate_loop_count = bigint_q("9586122913090633729");
539  bls12_377_ate_is_loop_count_neg = false;
540  // k (embedding degree) = 12
541  // bls12_377_final_exponent = (q^12 - 1) / r
542  bls12_377_final_exponent = bigint<12 * bls12_377_q_limbs>(
543  "1062352101801986048825403166370756842879803290512381119957121396507912"
544  "9114663661236359849629341526275899063345613340067081670062620727617884"
545  "1374877547391501474912045595142051864923855902722089344674614449446527"
546  "1100516937116825006879082077612477209563023710218982773301998983506333"
547  "4551453893534663070786533932633573962932272563471643288531959637300817"
548  "0702655374295064848809909810690412694053835028896773570820128072985299"
549  "3111812442856905982234628974507740157013415744497327152098177404714691"
550  "8354408632568723153146248333028827919406785654402107153546667815607201"
551  "4885908324782254034441364093498774812681548179045413406141732619497724"
552  "0306092432436686172324518261985938925498500823600746581427336149713413"
553  "8868945580557938161335670207544906643574043606819537336472235809927599"
554  "6281232753142880061708040445602386764639316393397119131110809745825932"
555  "2813870415432059977568309560404130900019702541996812571801831180595931"
556  "5220036948621879242495199408833915486421612374480018459896018440926235"
557  "2618246549569323848592604793727760229797367342216290972978901546921944"
558  "4152846277021881179562447110897237757369083391323126054783555085125681"
559  "7740247389770320334698430697237343583761719223414894063451411431859122"
560  "7384883115800054127650702518101599918971109363249432325268702807248769"
561  "46523218213525646968094720");
562  bls12_377_final_exponent_z = bigint_q("9586122913090633729");
563  bls12_377_final_exponent_is_z_neg = false;
564 }
565 
566 } // namespace libff
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::euler
static bigint< 2 *n > euler
(modulus^2-1)/2
Definition: fp2.hpp:46
libff::bls12_377_g2_untwist_frobenius_twist_v_inverse
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v_inverse
Definition: bls12_377_init.cpp:36
libff::bls12_377_G2::G2_one
static bls12_377_G2 G2_one
Definition: bls12_377_g2.hpp:31
libff::bls12_377_G1::coeff_b
static bls12_377_Fq coeff_b
Definition: bls12_377_g1.hpp:33
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::nqr_to_t
static Fp2_model< n, modulus > nqr_to_t
nqr^t
Definition: fp2.hpp:59
libff::bls12_377_G1::G1_zero
static bls12_377_G1 G1_zero
Definition: bls12_377_g1.hpp:30
bls12_377_init.hpp
libff::bls12_377_g2_untwist_frobenius_twist_v
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v
Definition: bls12_377_init.cpp:34
libff::bls12_377_G2
Definition: bls12_377_g2.hpp:21
libff::Fp6_3over2_model::one
static Fp6_3over2_model< n, modulus > one()
libff::Fp6_3over2_model::zero
static Fp6_3over2_model< n, modulus > zero()
libff::bls12_377_final_exponent_is_z_neg
bool bls12_377_final_exponent_is_z_neg
Definition: bls12_377_init.cpp:48
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::t_minus_1_over_2
static bigint< 2 *n > t_minus_1_over_2
(t-1)/2
Definition: fp2.hpp:52
libff
Definition: ffi.cpp:8
libff::bls12_377_modulus_r
bigint< bls12_377_r_limbs > bls12_377_modulus_r
Definition: bls12_377_init.cpp:11
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::one
static const Fp2_model< n, modulus > & one()
libff::bls12_377_ate_loop_count
bigint< bls12_377_q_limbs > bls12_377_ate_loop_count
Definition: bls12_377_init.cpp:43
libff::bls12_377_final_exponent_z
bigint< bls12_377_q_limbs > bls12_377_final_exponent_z
Definition: bls12_377_init.cpp:47
libff::Fp_model::nqr
static Fp_model< n, modulus > nqr
a quadratic nonresidue
Definition: fp.hpp:70
libff::Fp_model< bls12_377_q_limbs, bls12_377_modulus_q >::zero
static const Fp_model< n, modulus > & zero()
libff::bls12_377_Fr
Fp_model< bls12_377_r_limbs, bls12_377_modulus_r > bls12_377_Fr
Definition: bls12_377_init.hpp:47
libff::Fp12_2over3over2_model::non_residue
static Fp2_model< n, modulus > non_residue
Definition: fp12_2over3over2.hpp:56
libff::Fp12_2over3over2_model::Frobenius_coeffs_c1
static Fp2_model< n, modulus > Frobenius_coeffs_c1[12]
non_residue^((modulus^i-1)/6) for i=0,...,11
Definition: fp12_2over3over2.hpp:58
libff::bls12_377_final_exponent
bigint< 12 *bls12_377_q_limbs > bls12_377_final_exponent
Definition: bls12_377_init.cpp:46
libff::Fp_model::t
static bigint< n > t
with t odd
Definition: fp.hpp:66
libff::Fp_model::s
static size_t s
modulus = 2^s * t + 1
Definition: fp.hpp:64
libff::bls12_377_Fq12
Fp12_2over3over2_model< bls12_377_q_limbs, bls12_377_modulus_q > bls12_377_Fq12
Definition: bls12_377_init.hpp:52
libff::bls12_377_G1::coeff_a
static bls12_377_Fq coeff_a
Definition: bls12_377_g1.hpp:32
libff::bls12_377_coeff_b
bls12_377_Fq bls12_377_coeff_b
Definition: bls12_377_init.cpp:16
libff::bls12_377_Fq
Fp_model< bls12_377_q_limbs, bls12_377_modulus_q > bls12_377_Fq
Definition: bls12_377_init.hpp:48
libff::bls12_377_G2::h
static bigint< h_limbs > h
Definition: bls12_377_g2.hpp:43
libff::bls12_377_twist_coeff_b
bls12_377_Fq2 bls12_377_twist_coeff_b
Definition: bls12_377_init.cpp:19
libff::bls12_377_g2_untwist_frobenius_twist_w_3
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3
Definition: bls12_377_init.cpp:35
bls12_377_g2.hpp
libff::bls12_377_twist_mul_by_q_X
bls12_377_Fq2 bls12_377_twist_mul_by_q_X
Definition: bls12_377_init.cpp:22
libff::bls12_377_G1
Definition: bls12_377_g1.hpp:21
libff::Fp_model::euler
static bigint< n > euler
(modulus-1)/2
Definition: fp.hpp:62
libff::Fp6_3over2_model::Frobenius_coeffs_c1
static my_Fp2 Frobenius_coeffs_c1[6]
non_residue^((modulus^i-1)/3) for i=0,1,2,3,4,5
Definition: fp6_3over2.hpp:54
libff::Fp_model::modulus_is_valid
static bool modulus_is_valid()
Definition: fp.hpp:84
libff::bls12_377_g1_safe_subgroup_check_c1
bigint< bls12_377_r_limbs > bls12_377_g1_safe_subgroup_check_c1
Definition: bls12_377_init.cpp:27
libff::Fp2_model::inverse
Fp2_model inverse() const
libff::Fp_model< bls12_377_q_limbs, bls12_377_modulus_q >::one
static const Fp_model< n, modulus > & one()
libff::bls12_377_g1_proof_of_safe_subgroup_non_member_y
bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_y
Definition: bls12_377_init.cpp:30
libff::bls12_377_G2::fixed_base_exp_window_table
static std::vector< size_t > fixed_base_exp_window_table
Definition: bls12_377_g2.hpp:29
libff::Fp6_3over2_model::Frobenius_coeffs_c2
static my_Fp2 Frobenius_coeffs_c2[6]
non_residue^((2*modulus^i-2)/3) for i=0,1,2,3,4,5
Definition: fp6_3over2.hpp:56
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::Frobenius_coeffs_c1
static my_Fp Frobenius_coeffs_c1[2]
non_residue^((modulus^i-1)/2) for i=0,1
Definition: fp2.hpp:61
libff::bls12_377_G1::wnaf_window_table
static std::vector< size_t > wnaf_window_table
Definition: bls12_377_g1.hpp:28
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::nqr
static Fp2_model< n, modulus > nqr
a quadratic nonresidue in Fp2
Definition: fp2.hpp:57
libff::bls12_377_twist_mul_by_q_Y
bls12_377_Fq2 bls12_377_twist_mul_by_q_Y
Definition: bls12_377_init.cpp:23
libff::Fp12_2over3over2_model::inverse
Fp12_2over3over2_model inverse() const
libff::bls12_377_g1_proof_of_safe_subgroup_non_member_x
bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_x
Definition: bls12_377_init.cpp:29
libff::bls12_377_g2_mul_by_cofactor_h2_1
bigint< bls12_377_r_limbs > bls12_377_g2_mul_by_cofactor_h2_1
Definition: bls12_377_init.cpp:41
libff::bls12_377_Fq2
Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q > bls12_377_Fq2
Definition: bls12_377_init.hpp:49
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::static_init
static void static_init()
libff::Fp_model::t_minus_1_over_2
static bigint< n > t_minus_1_over_2
(t-1)/2
Definition: fp.hpp:68
libff::bls12_377_g1_proof_of_safe_subgroup_w
bigint< bls12_377_r_limbs > bls12_377_g1_proof_of_safe_subgroup_w
Definition: bls12_377_init.cpp:28
libff::bls12_377_twist_mul_by_b_c1
bls12_377_Fq bls12_377_twist_mul_by_b_c1
Definition: bls12_377_init.cpp:21
bls12_377_g1.hpp
libff::bigint
Definition: bigint.hpp:20
libff::Fp_model::static_init
static void static_init()
libff::Fp_model::root_of_unity
static Fp_model< n, modulus > root_of_unity
generator^((modulus-1)/2^s)
Definition: fp.hpp:76
libff::Fp12_2over3over2_model
Definition: fp12_2over3over2.hpp:20
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::non_residue
static my_Fp non_residue
Definition: fp2.hpp:55
libff::bls12_377_trace_of_frobenius
bigint< bls12_377_r_limbs > bls12_377_trace_of_frobenius
Definition: bls12_377_init.cpp:17
bls12_377_modulus_q
#define bls12_377_modulus_q
Definition: bls12_377_init.hpp:45
libff::bls12_377_twist
bls12_377_Fq2 bls12_377_twist
Definition: bls12_377_init.cpp:18
libff::bls12_377_G2::G2_zero
static bls12_377_G2 G2_zero
Definition: bls12_377_g2.hpp:30
libff::Fp_model< bls12_377_q_limbs, bls12_377_modulus_q >
libff::bls12_377_g2_untwist_frobenius_twist_w_3_inverse
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3_inverse
Definition: bls12_377_init.cpp:37
libff::Fp_model::nqr_to_t
static Fp_model< n, modulus > nqr_to_t
nqr^t
Definition: fp.hpp:72
libff::Fp_model::multiplicative_generator
static Fp_model< n, modulus > multiplicative_generator
generator of Fp^*
Definition: fp.hpp:74
libff::Fp_model::num_bits
static size_t num_bits
Definition: fp.hpp:60
libff::bls12_377_G1::G1_one
static bls12_377_G1 G1_one
Definition: bls12_377_g1.hpp:31
libff::Fp2_model
Definition: fp2.hpp:18
libff::bls12_377_G2::coeff_b
static bls12_377_Fq2 coeff_b
Definition: bls12_377_g2.hpp:33
libff::Fp_model::inv
static mp_limb_t inv
-modulus^(-1) mod W, where W = 2^(word size)
Definition: fp.hpp:78
libff::bls12_377_ate_is_loop_count_neg
bool bls12_377_ate_is_loop_count_neg
Definition: bls12_377_init.cpp:44
libff::init_bls12_377_params
void init_bls12_377_params()
Definition: bls12_377_init.cpp:50
libff::Fp6_3over2_model::non_residue
static my_Fp2 non_residue
Definition: fp6_3over2.hpp:52
libff::bls12_377_G2::coeff_a
static bls12_377_Fq2 coeff_a
Definition: bls12_377_g2.hpp:32
libff::bls12_377_G1::fixed_base_exp_window_table
static std::vector< size_t > fixed_base_exp_window_table
Definition: bls12_377_g1.hpp:29
libff::bls12_377_g2_mul_by_cofactor_h2_0
bigint< bls12_377_r_limbs > bls12_377_g2_mul_by_cofactor_h2_0
Definition: bls12_377_init.cpp:40
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::zero
static const Fp2_model< n, modulus > & zero()
libff::Fp_model::Rsquared
static bigint< n > Rsquared
R^2, where R = W^k, where k = ??
Definition: fp.hpp:80
libff::bls12_377_G2::wnaf_window_table
static std::vector< size_t > wnaf_window_table
Definition: bls12_377_g2.hpp:28
libff::bls12_377_G1::h
static bigint< h_limbs > h
Definition: bls12_377_g1.hpp:42
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::t
static bigint< 2 *n > t
with t odd
Definition: fp2.hpp:50
libff::bls12_377_twist_mul_by_b_c0
bls12_377_Fq bls12_377_twist_mul_by_b_c0
Definition: bls12_377_init.cpp:20
libff::Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q >::s
static size_t s
modulus^2 = 2^s * t + 1
Definition: fp2.hpp:48
libff::Fp_model::Rcubed
static bigint< n > Rcubed
R^3.
Definition: fp.hpp:82
libff::bls12_377_g2_untwist_frobenius_twist_w
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w
Definition: bls12_377_init.cpp:33
libff::bls12_377_g1_endomorphism_beta
bls12_377_Fq bls12_377_g1_endomorphism_beta
Definition: bls12_377_init.cpp:26
Generated on Thu Aug 18 2022 12:42:18 for Clearmatics Libff by   doxygen 1.8.17