Clearmatics Libff  0.1
C++ library for Finite Fields and Elliptic Curves
Namespaces | Classes | Typedefs | Enumerations | Functions | Variables
libff Namespace Reference

Namespaces

 ffi
 

Classes

struct  alt_bn128_ate_ell_coeffs
 
struct  alt_bn128_ate_G1_precomp
 
struct  alt_bn128_ate_G2_precomp
 
class  alt_bn128_G1
 
class  alt_bn128_G2
 
class  alt_bn128_pp
 
class  bigint
 
struct  bls12_377_ate_ell_coeffs
 
struct  bls12_377_ate_G1_precomp
 
struct  bls12_377_ate_G2_precomp
 
class  bls12_377_G1
 
class  bls12_377_G2
 
class  bls12_377_pp
 
struct  bls12_381_ate_ell_coeffs
 
struct  bls12_381_ate_G1_precomp
 
struct  bls12_381_ate_G2_precomp
 
class  bls12_381_G1
 
class  bls12_381_G2
 
class  bls12_381_pp
 
struct  bn128_ate_G1_precomp
 
struct  bn128_ate_G2_precomp
 
class  bn128_G1
 
class  bn128_G2
 
class  bn128_GT
 
class  bn128_pp
 
struct  bw6_761_ate_ell_coeffs
 
struct  bw6_761_ate_G1_precomp
 
struct  bw6_761_ate_G2_precomp
 
struct  bw6_761_ate_G2_precomp_iteration
 
class  bw6_761_G1
 
class  bw6_761_G2
 
class  bw6_761_pp
 
class  concurrent_buffer_fifo_spsc
 
class  concurrent_fifo_spsc
 
class  Double
 
struct  edwards_ate_G1_precomp
 
struct  edwards_Fq3_conic_coefficients
 
struct  edwards_Fq_conic_coefficients
 
class  edwards_G1
 
class  edwards_G2
 
class  edwards_pp
 
struct  edwards_tate_G2_precomp
 
struct  extended_edwards_G1_projective
 
struct  extended_edwards_G2_projective
 
struct  extended_mnt4_G2_projective
 
struct  extended_mnt6_G2_projective
 
class  Fp12_2over3over2_model
 
class  Fp2_model
 
class  Fp3_model
 
class  Fp4_model
 
class  Fp6_2over3_model
 
class  Fp6_3over2_model
 
class  Fp_model
 
struct  mnt4_affine_ate_coeffs
 
struct  mnt4_affine_ate_G1_precomputation
 
struct  mnt4_affine_ate_G2_precomputation
 
struct  mnt4_ate_add_coeffs
 
struct  mnt4_ate_dbl_coeffs
 
struct  mnt4_ate_G1_precomp
 
struct  mnt4_ate_G2_precomp
 
class  mnt4_G1
 
class  mnt4_G2
 
class  mnt4_pp
 
struct  mnt6_affine_ate_coeffs
 
struct  mnt6_affine_ate_G1_precomputation
 
struct  mnt6_affine_ate_G2_precomputation
 
struct  mnt6_ate_add_coeffs
 
struct  mnt6_ate_dbl_coeffs
 
struct  mnt6_ate_G1_precomp
 
struct  mnt6_ate_G2_precomp
 
class  mnt6_G1
 
class  mnt6_G2
 
class  mnt6_pp
 
struct  void_type
 

Typedefs

typedef Fp_model< alt_bn128_r_limbs, alt_bn128_modulus_ralt_bn128_Fr
 
typedef Fp_model< alt_bn128_q_limbs, alt_bn128_modulus_qalt_bn128_Fq
 
typedef Fp2_model< alt_bn128_q_limbs, alt_bn128_modulus_qalt_bn128_Fq2
 
typedef Fp6_3over2_model< alt_bn128_q_limbs, alt_bn128_modulus_qalt_bn128_Fq6
 
typedef Fp12_2over3over2_model< alt_bn128_q_limbs, alt_bn128_modulus_qalt_bn128_Fq12
 
typedef alt_bn128_Fq12 alt_bn128_GT
 
typedef alt_bn128_ate_G1_precomp alt_bn128_G1_precomp
 
typedef alt_bn128_ate_G2_precomp alt_bn128_G2_precomp
 
typedef Fp_model< bls12_377_r_limbs, bls12_377_modulus_rbls12_377_Fr
 
typedef Fp_model< bls12_377_q_limbs, bls12_377_modulus_qbls12_377_Fq
 
typedef Fp2_model< bls12_377_q_limbs, bls12_377_modulus_qbls12_377_Fq2
 
typedef Fp6_3over2_model< bls12_377_q_limbs, bls12_377_modulus_qbls12_377_Fq6
 
typedef Fp12_2over3over2_model< bls12_377_q_limbs, bls12_377_modulus_qbls12_377_Fq12
 
typedef bls12_377_Fq12 bls12_377_GT
 
typedef bls12_377_ate_G1_precomp bls12_377_G1_precomp
 
typedef bls12_377_ate_G2_precomp bls12_377_G2_precomp
 
typedef Fp_model< bls12_381_r_limbs, bls12_381_modulus_rbls12_381_Fr
 
typedef Fp_model< bls12_381_q_limbs, bls12_381_modulus_qbls12_381_Fq
 
typedef Fp2_model< bls12_381_q_limbs, bls12_381_modulus_qbls12_381_Fq2
 
typedef Fp6_3over2_model< bls12_381_q_limbs, bls12_381_modulus_qbls12_381_Fq6
 
typedef Fp12_2over3over2_model< bls12_381_q_limbs, bls12_381_modulus_qbls12_381_Fq12
 
typedef bls12_381_Fq12 bls12_381_GT
 
typedef bls12_381_ate_G1_precomp bls12_381_G1_precomp
 
typedef bls12_381_ate_G2_precomp bls12_381_G2_precomp
 
typedef Fp_model< bn128_r_limbs, bn128_modulus_rbn128_Fr
 
typedef Fp_model< bn128_q_limbs, bn128_modulus_qbn128_Fq
 
typedef bn128_GT bn128_Fq12
 
typedef bn::Fp6 bn128_ate_ell_coeffs
 
typedef Fp_model< bw6_761_r_limbs, bw6_761_modulus_rbw6_761_Fr
 
typedef Fp_model< bw6_761_q_limbs, bw6_761_modulus_qbw6_761_Fq
 
typedef Fp3_model< bw6_761_q_limbs, bw6_761_modulus_qbw6_761_Fq3
 
typedef Fp6_2over3_model< bw6_761_q_limbs, bw6_761_modulus_qbw6_761_Fq6
 
typedef bw6_761_Fq6 bw6_761_GT
 
typedef bw6_761_ate_G1_precomp bw6_761_G1_precomp
 
typedef bw6_761_ate_G2_precomp bw6_761_G2_precomp
 
typedef Fp_model< edwards_r_limbs, edwards_modulus_redwards_Fr
 
typedef Fp_model< edwards_q_limbs, edwards_modulus_qedwards_Fq
 
typedef Fp3_model< edwards_q_limbs, edwards_modulus_qedwards_Fq3
 
typedef Fp6_2over3_model< edwards_q_limbs, edwards_modulus_qedwards_Fq6
 
typedef edwards_Fq6 edwards_GT
 
typedef std::vector< edwards_Fq_conic_coefficientsedwards_tate_G1_precomp
 
typedef std::vector< edwards_Fq3_conic_coefficientsedwards_ate_G2_precomp
 
typedef edwards_ate_G1_precomp edwards_G1_precomp
 
typedef edwards_ate_G2_precomp edwards_G2_precomp
 
typedef Fp_model< mnt4_r_limbs, mnt4_modulus_rmnt4_Fr
 
typedef Fp_model< mnt4_q_limbs, mnt4_modulus_qmnt4_Fq
 
typedef Fp2_model< mnt4_q_limbs, mnt4_modulus_qmnt4_Fq2
 
typedef Fp4_model< mnt4_q_limbs, mnt4_modulus_qmnt4_Fq4
 
typedef mnt4_Fq4 mnt4_GT
 
typedef mnt4_ate_G1_precomp mnt4_G1_precomp
 
typedef mnt4_ate_G2_precomp mnt4_G2_precomp
 
typedef Fp_model< mnt6_r_limbs, mnt6_modulus_rmnt6_Fr
 
typedef Fp_model< mnt6_q_limbs, mnt6_modulus_qmnt6_Fq
 
typedef Fp3_model< mnt6_q_limbs, mnt6_modulus_qmnt6_Fq3
 
typedef Fp6_2over3_model< mnt6_q_limbs, mnt6_modulus_qmnt6_Fq6
 
typedef mnt6_Fq6 mnt6_GT
 
typedef mnt6_ate_G1_precomp mnt6_G1_precomp
 
typedef mnt6_ate_G2_precomp mnt6_G2_precomp
 
template<typename EC_ppT >
using Fr = typename EC_ppT::Fp_type
 
template<typename EC_ppT >
using G1 = typename EC_ppT::G1_type
 
template<typename EC_ppT >
using G2 = typename EC_ppT::G2_type
 
template<typename EC_ppT >
using G1_precomp = typename EC_ppT::G1_precomp_type
 
template<typename EC_ppT >
using G2_precomp = typename EC_ppT::G2_precomp_type
 
template<typename EC_ppT >
using affine_ate_G1_precomp = typename EC_ppT::affine_ate_G1_precomp_type
 
template<typename EC_ppT >
using affine_ate_G2_precomp = typename EC_ppT::affine_ate_G2_precomp_type
 
template<typename EC_ppT >
using Fq = typename EC_ppT::Fq_type
 
template<typename EC_ppT >
using Fqe = typename EC_ppT::Fqe_type
 
template<typename EC_ppT >
using Fqk = typename EC_ppT::Fqk_type
 
template<typename EC_ppT >
using GT = typename EC_ppT::GT_type
 
template<typename EC_ppT >
using Fr_vector = std::vector< Fr< EC_ppT > >
 
template<typename EC_ppT >
using G1_vector = std::vector< G1< EC_ppT > >
 
template<typename EC_ppT >
using G2_vector = std::vector< G2< EC_ppT > >
 
template<typename T >
using window_table = std::vector< std::vector< T > >
 
typedef std::vector< bool > bit_vector
 

Enumerations

enum  multi_exp_method {
  multi_exp_method_naive, multi_exp_method_naive_plain, multi_exp_method_bos_coster, multi_exp_method_BDLO12,
  multi_exp_method_BDLO12_signed
}
 
enum  multi_exp_base_form { multi_exp_base_form_normal, multi_exp_base_form_special }
 Form of base elements passed to multi_exp routines. More...
 
enum  encoding_t : uint8_t { encoding_binary = 0, encoding_json = 1 }
 Encodings for (de)serialization. More...
 
enum  form_t : uint8_t { form_plain = 0, form_montgomery = 1 }
 Encodings for (de)serialization. More...
 
enum  compression_t : uint8_t { compression_off = 0, compression_on = 1 }
 Enable / disable compression in (de)serialization. More...
 

Functions

std::ostream & operator<< (std::ostream &out, const alt_bn128_G1 &g)
 
std::istream & operator>> (std::istream &in, alt_bn128_G1 &g)
 
template<mp_size_t m>
alt_bn128_G1 operator* (const bigint< m > &lhs, const alt_bn128_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
alt_bn128_G1 operator* (const Fp_model< m, modulus_p > &lhs, const alt_bn128_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const alt_bn128_G2 &g)
 
std::istream & operator>> (std::istream &in, alt_bn128_G2 &g)
 
template<mp_size_t m>
alt_bn128_G2 operator* (const bigint< m > &lhs, const alt_bn128_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
alt_bn128_G2 operator* (const Fp_model< m, modulus_p > &lhs, const alt_bn128_G2 &rhs)
 
void init_alt_bn128_params ()
 
std::ostream & operator<< (std::ostream &out, const alt_bn128_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, alt_bn128_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const alt_bn128_ate_ell_coeffs &c)
 
std::istream & operator>> (std::istream &in, alt_bn128_ate_ell_coeffs &c)
 
std::ostream & operator<< (std::ostream &out, const alt_bn128_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, alt_bn128_ate_G2_precomp &prec_Q)
 
alt_bn128_Fq12 alt_bn128_final_exponentiation_first_chunk (const alt_bn128_Fq12 &elt)
 
alt_bn128_Fq12 alt_bn128_exp_by_neg_z (const alt_bn128_Fq12 &elt)
 
alt_bn128_Fq12 alt_bn128_final_exponentiation_last_chunk (const alt_bn128_Fq12 &elt)
 
alt_bn128_GT alt_bn128_final_exponentiation (const alt_bn128_Fq12 &elt)
 
void doubling_step_for_flipped_miller_loop (const alt_bn128_Fq two_inv, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
 
void mixed_addition_step_for_flipped_miller_loop (const alt_bn128_G2 base, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
 
alt_bn128_ate_G1_precomp alt_bn128_ate_precompute_G1 (const alt_bn128_G1 &P)
 
alt_bn128_ate_G2_precomp alt_bn128_ate_precompute_G2 (const alt_bn128_G2 &Q)
 
alt_bn128_Fq12 alt_bn128_ate_miller_loop (const alt_bn128_ate_G1_precomp &prec_P, const alt_bn128_ate_G2_precomp &prec_Q)
 
alt_bn128_Fq12 alt_bn128_ate_double_miller_loop (const alt_bn128_ate_G1_precomp &prec_P1, const alt_bn128_ate_G2_precomp &prec_Q1, const alt_bn128_ate_G1_precomp &prec_P2, const alt_bn128_ate_G2_precomp &prec_Q2)
 
alt_bn128_Fq12 alt_bn128_ate_pairing (const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
 
alt_bn128_GT alt_bn128_ate_reduced_pairing (const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
 
alt_bn128_G1_precomp alt_bn128_precompute_G1 (const alt_bn128_G1 &P)
 
alt_bn128_G2_precomp alt_bn128_precompute_G2 (const alt_bn128_G2 &Q)
 
alt_bn128_Fq12 alt_bn128_miller_loop (const alt_bn128_G1_precomp &prec_P, const alt_bn128_G2_precomp &prec_Q)
 
alt_bn128_Fq12 alt_bn128_double_miller_loop (const alt_bn128_G1_precomp &prec_P1, const alt_bn128_G2_precomp &prec_Q1, const alt_bn128_G1_precomp &prec_P2, const alt_bn128_G2_precomp &prec_Q2)
 
alt_bn128_Fq12 alt_bn128_pairing (const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
 
alt_bn128_GT alt_bn128_reduced_pairing (const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
 
alt_bn128_GT alt_bn128_affine_reduced_pairing (const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
 
std::ostream & operator<< (std::ostream &out, const bls12_377_G1 &g)
 
std::istream & operator>> (std::istream &in, bls12_377_G1 &g)
 
template<mp_size_t m>
bls12_377_G1 operator* (const bigint< m > &lhs, const bls12_377_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bls12_377_G1 operator* (const Fp_model< m, modulus_p > &lhs, const bls12_377_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const bls12_377_G2 &g)
 
std::istream & operator>> (std::istream &in, bls12_377_G2 &g)
 
template<mp_size_t m>
bls12_377_G2 operator* (const bigint< m > &lhs, const bls12_377_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bls12_377_G2 operator* (const Fp_model< m, modulus_p > &lhs, const bls12_377_G2 &rhs)
 
void init_bls12_377_params ()
 
std::ostream & operator<< (std::ostream &out, const bls12_377_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, bls12_377_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const bls12_377_ate_ell_coeffs &c)
 
std::istream & operator>> (std::istream &in, bls12_377_ate_ell_coeffs &c)
 
std::ostream & operator<< (std::ostream &out, const bls12_377_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, bls12_377_ate_G2_precomp &prec_Q)
 
bls12_377_Fq12 bls12_377_final_exponentiation_first_chunk (const bls12_377_Fq12 &elt)
 
bls12_377_Fq12 bls12_377_exp_by_z (const bls12_377_Fq12 &elt)
 
bls12_377_Fq12 bls12_377_final_exponentiation_last_chunk (const bls12_377_Fq12 &elt)
 
bls12_377_GT bls12_377_final_exponentiation (const bls12_377_Fq12 &elt)
 
void bls12_377_doubling_step_for_miller_loop (const bls12_377_Fq two_inv, bls12_377_G2 &current, bls12_377_ate_ell_coeffs &c)
 
void bls12_377_mixed_addition_step_for_miller_loop (const bls12_377_G2 &base, bls12_377_G2 &current, bls12_377_ate_ell_coeffs &c)
 
bls12_377_ate_G1_precomp bls12_377_ate_precompute_G1 (const bls12_377_G1 &P)
 
bls12_377_ate_G2_precomp bls12_377_ate_precompute_G2 (const bls12_377_G2 &Q)
 
bls12_377_Fq12 bls12_377_ate_miller_loop (const bls12_377_ate_G1_precomp &prec_P, const bls12_377_ate_G2_precomp &prec_Q)
 
bls12_377_Fq12 bls12_377_ate_double_miller_loop (const bls12_377_ate_G1_precomp &prec_P1, const bls12_377_ate_G2_precomp &prec_Q1, const bls12_377_ate_G1_precomp &prec_P2, const bls12_377_ate_G2_precomp &prec_Q2)
 
bls12_377_Fq12 bls12_377_ate_pairing (const bls12_377_G1 &P, const bls12_377_G2 &Q)
 
bls12_377_GT bls12_377_ate_reduced_pairing (const bls12_377_G1 &P, const bls12_377_G2 &Q)
 
bls12_377_G1_precomp bls12_377_precompute_G1 (const bls12_377_G1 &P)
 
bls12_377_G2_precomp bls12_377_precompute_G2 (const bls12_377_G2 &Q)
 
bls12_377_Fq12 bls12_377_miller_loop (const bls12_377_G1_precomp &prec_P, const bls12_377_G2_precomp &prec_Q)
 
bls12_377_Fq12 bls12_377_double_miller_loop (const bls12_377_G1_precomp &prec_P1, const bls12_377_G2_precomp &prec_Q1, const bls12_377_G1_precomp &prec_P2, const bls12_377_G2_precomp &prec_Q2)
 
bls12_377_Fq12 bls12_377_pairing (const bls12_377_G1 &P, const bls12_377_G2 &Q)
 
bls12_377_GT bls12_377_reduced_pairing (const bls12_377_G1 &P, const bls12_377_G2 &Q)
 
bls12_377_GT bls12_377_affine_reduced_pairing (const bls12_377_G1 &P, const bls12_377_G2 &Q)
 
std::ostream & operator<< (std::ostream &out, const bls12_381_G1 &g)
 
std::istream & operator>> (std::istream &in, bls12_381_G1 &g)
 
template<mp_size_t m>
bls12_381_G1 operator* (const bigint< m > &lhs, const bls12_381_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bls12_381_G1 operator* (const Fp_model< m, modulus_p > &lhs, const bls12_381_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const bls12_381_G2 &g)
 
std::istream & operator>> (std::istream &in, bls12_381_G2 &g)
 
template<mp_size_t m>
bls12_381_G2 operator* (const bigint< m > &lhs, const bls12_381_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bls12_381_G2 operator* (const Fp_model< m, modulus_p > &lhs, const bls12_381_G2 &rhs)
 
void init_bls12_381_params ()
 
std::ostream & operator<< (std::ostream &out, const bls12_381_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, bls12_381_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const bls12_381_ate_ell_coeffs &c)
 
std::istream & operator>> (std::istream &in, bls12_381_ate_ell_coeffs &c)
 
std::ostream & operator<< (std::ostream &out, const bls12_381_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, bls12_381_ate_G2_precomp &prec_Q)
 
bls12_381_Fq12 bls12_381_final_exponentiation_first_chunk (const bls12_381_Fq12 &elt)
 
bls12_381_Fq12 bls12_381_exp_by_z (const bls12_381_Fq12 &elt)
 
bls12_381_Fq12 bls12_381_final_exponentiation_last_chunk (const bls12_381_Fq12 &elt)
 
bls12_381_GT bls12_381_final_exponentiation (const bls12_381_Fq12 &elt)
 
void bls12_381_doubling_step_for_miller_loop (const bls12_381_Fq two_inv, bls12_381_G2 &current, bls12_381_ate_ell_coeffs &c)
 
void bls12_381_mixed_addition_step_for_miller_loop (const bls12_381_G2 base, bls12_381_G2 &current, bls12_381_ate_ell_coeffs &c)
 
bls12_381_ate_G1_precomp bls12_381_ate_precompute_G1 (const bls12_381_G1 &P)
 
bls12_381_ate_G2_precomp bls12_381_ate_precompute_G2 (const bls12_381_G2 &Q)
 
bls12_381_Fq12 bls12_381_ate_miller_loop (const bls12_381_ate_G1_precomp &prec_P, const bls12_381_ate_G2_precomp &prec_Q)
 
bls12_381_Fq12 bls12_381_ate_double_miller_loop (const bls12_381_ate_G1_precomp &prec_P1, const bls12_381_ate_G2_precomp &prec_Q1, const bls12_381_ate_G1_precomp &prec_P2, const bls12_381_ate_G2_precomp &prec_Q2)
 
bls12_381_Fq12 bls12_381_ate_pairing (const bls12_381_G1 &P, const bls12_381_G2 &Q)
 
bls12_381_GT bls12_381_ate_reduced_pairing (const bls12_381_G1 &P, const bls12_381_G2 &Q)
 
bls12_381_G1_precomp bls12_381_precompute_G1 (const bls12_381_G1 &P)
 
bls12_381_G2_precomp bls12_381_precompute_G2 (const bls12_381_G2 &Q)
 
bls12_381_Fq12 bls12_381_miller_loop (const bls12_381_G1_precomp &prec_P, const bls12_381_G2_precomp &prec_Q)
 
bls12_381_Fq12 bls12_381_double_miller_loop (const bls12_381_G1_precomp &prec_P1, const bls12_381_G2_precomp &prec_Q1, const bls12_381_G1_precomp &prec_P2, const bls12_381_G2_precomp &prec_Q2)
 
bls12_381_Fq12 bls12_381_pairing (const bls12_381_G1 &P, const bls12_381_G2 &Q)
 
bls12_381_GT bls12_381_reduced_pairing (const bls12_381_G1 &P, const bls12_381_G2 &Q)
 
bls12_381_GT bls12_381_affine_reduced_pairing (const bls12_381_G1 &P, const bls12_381_G2 &Q)
 
std::ostream & operator<< (std::ostream &out, const bn128_G1 &g)
 
std::istream & operator>> (std::istream &in, bn128_G1 &g)
 
template<mp_size_t m>
bn128_G1 operator* (const bigint< m > &lhs, const bn128_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bn128_G1 operator* (const Fp_model< m, modulus_p > &lhs, const bn128_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const bn128_G2 &g)
 
std::istream & operator>> (std::istream &in, bn128_G2 &g)
 
template<mp_size_t m>
bn128_G2 operator* (const bigint< m > &lhs, const bn128_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bn128_G2 operator* (const Fp_model< m, modulus_p > &lhs, const bn128_G2 &rhs)
 
std::ostream & operator<< (std::ostream &out, const bn128_GT &g)
 
std::istream & operator>> (std::istream &in, bn128_GT &g)
 
template<mp_size_t m>
bn128_GT operator^ (const bn128_GT &rhs, const bigint< m > &lhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bn128_GT operator^ (const bn128_GT &rhs, const Fp_model< m, modulus_p > &lhs)
 
void init_bn128_params ()
 
std::ostream & operator<< (std::ostream &out, const bn128_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, bn128_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const bn128_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, bn128_ate_G2_precomp &prec_Q)
 
bn128_ate_G1_precomp bn128_ate_precompute_G1 (const bn128_G1 &P)
 
bn128_ate_G2_precomp bn128_ate_precompute_G2 (const bn128_G2 &Q)
 
bn128_Fq12 bn128_ate_miller_loop (const bn128_ate_G1_precomp &prec_P, const bn128_ate_G2_precomp &prec_Q)
 
bn128_Fq12 bn128_double_ate_miller_loop (const bn128_ate_G1_precomp &prec_P1, const bn128_ate_G2_precomp &prec_Q1, const bn128_ate_G1_precomp &prec_P2, const bn128_ate_G2_precomp &prec_Q2)
 
bn128_GT bn128_final_exponentiation (const bn128_Fq12 &elt)
 
template<typename FieldT >
void bn_batch_invert (std::vector< FieldT > &vec)
 
std::ostream & operator<< (std::ostream &out, const bw6_761_G1 &g)
 
std::istream & operator>> (std::istream &in, bw6_761_G1 &g)
 
template<mp_size_t m>
bw6_761_G1 operator* (const bigint< m > &lhs, const bw6_761_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bw6_761_G1 operator* (const Fp_model< m, modulus_p > &lhs, const bw6_761_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const bw6_761_G2 &g)
 
std::istream & operator>> (std::istream &in, bw6_761_G2 &g)
 
template<mp_size_t m>
bw6_761_G2 operator* (const bigint< m > &lhs, const bw6_761_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
bw6_761_G2 operator* (const Fp_model< m, modulus_p > &lhs, const bw6_761_G2 &rhs)
 
void init_bw6_761_params ()
 
std::ostream & operator<< (std::ostream &out, const bw6_761_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, bw6_761_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const bw6_761_ate_ell_coeffs &c)
 
std::istream & operator>> (std::istream &in, bw6_761_ate_ell_coeffs &c)
 
std::ostream & operator<< (std::ostream &out, const bw6_761_ate_G2_precomp_iteration &prec_Q)
 
std::istream & operator>> (std::istream &in, bw6_761_ate_G2_precomp_iteration &prec_Q)
 
std::ostream & operator<< (std::ostream &out, const bw6_761_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, bw6_761_ate_G2_precomp &prec_Q)
 
bw6_761_Fq6 bw6_761_final_exponentiation_first_chunk (const bw6_761_Fq6 &elt)
 
bw6_761_Fq6 bw6_761_exp_by_z (const bw6_761_Fq6 &elt)
 
bw6_761_Fq6 bw6_761_final_exponentiation_last_chunk (const bw6_761_Fq6 &elt)
 
bw6_761_GT bw6_761_final_exponentiation (const bw6_761_Fq6 &elt)
 
void doubling_step_for_miller_loop (bw6_761_G2 &current, bw6_761_ate_ell_coeffs &c)
 
void mixed_addition_step_for_miller_loop (const bw6_761_G2 base, bw6_761_G2 &current, bw6_761_ate_ell_coeffs &c)
 
bw6_761_ate_G1_precomp bw6_761_ate_precompute_G1 (const bw6_761_G1 &P)
 
bw6_761_ate_G2_precomp bw6_761_ate_precompute_G2 (const bw6_761_G2 &Q)
 
bw6_761_Fq6 bw6_761_ate_miller_loop (const bw6_761_ate_G1_precomp &prec_P, const bw6_761_ate_G2_precomp &prec_Q)
 
bw6_761_Fq6 bw6_761_ate_double_miller_loop (const bw6_761_ate_G1_precomp &prec_P1, const bw6_761_ate_G2_precomp &prec_Q1, const bw6_761_ate_G1_precomp &prec_P2, const bw6_761_ate_G2_precomp &prec_Q2)
 
bw6_761_Fq6 bw6_761_ate_pairing (const bw6_761_G1 &P, const bw6_761_G2 &Q)
 
bw6_761_GT bw6_761_ate_reduced_pairing (const bw6_761_G1 &P, const bw6_761_G2 &Q)
 
bw6_761_G1_precomp bw6_761_precompute_G1 (const bw6_761_G1 &P)
 
bw6_761_G2_precomp bw6_761_precompute_G2 (const bw6_761_G2 &Q)
 
bw6_761_Fq6 bw6_761_miller_loop (const bw6_761_G1_precomp &prec_P, const bw6_761_G2_precomp &prec_Q)
 
bw6_761_Fq6 bw6_761_double_miller_loop (const bw6_761_ate_G1_precomp &prec_P1, const bw6_761_ate_G2_precomp &prec_Q1, const bw6_761_ate_G1_precomp &prec_P2, const bw6_761_ate_G2_precomp &prec_Q2)
 
bw6_761_Fq6 bw6_761_pairing (const bw6_761_G1 &P, const bw6_761_G2 &Q)
 
bw6_761_GT bw6_761_reduced_pairing (const bw6_761_G1 &P, const bw6_761_G2 &Q)
 
template<encoding_t Enc, form_t Form, compression_t Comp, typename GroupT >
void group_read (GroupT &v, std::istream &in_s)
 
template<encoding_t Enc, form_t Form, compression_t Comp, typename GroupT >
void group_write (const GroupT &v, std::ostream &out_s)
 
template<typename GroupT , mp_size_t m>
GroupT scalar_mul (const GroupT &base, const bigint< m > &scalar)
 
template<typename GroupT >
GroupT g1_curve_point_at_x (const typename GroupT::base_field &x)
 
template<typename GroupT >
GroupT g2_curve_point_at_x (const typename GroupT::twist_field &x)
 
std::ostream & operator<< (std::ostream &out, const edwards_G1 &g)
 
std::istream & operator>> (std::istream &in, edwards_G1 &g)
 
template<mp_size_t m>
edwards_G1 operator* (const bigint< m > &lhs, const edwards_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
edwards_G1 operator* (const Fp_model< m, modulus_p > &lhs, const edwards_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const edwards_G2 &g)
 
std::istream & operator>> (std::istream &in, edwards_G2 &g)
 
template<mp_size_t m>
edwards_G2 operator* (const bigint< m > &lhs, const edwards_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
edwards_G2 operator* (const Fp_model< m, modulus_p > &lhs, const edwards_G2 &rhs)
 
void init_edwards_params ()
 
std::ostream & operator<< (std::ostream &out, const edwards_Fq_conic_coefficients &cc)
 
std::istream & operator>> (std::istream &in, edwards_Fq_conic_coefficients &cc)
 
std::ostream & operator<< (std::ostream &out, const edwards_tate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, edwards_tate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const edwards_tate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, edwards_tate_G2_precomp &prec_Q)
 
std::ostream & operator<< (std::ostream &out, const edwards_Fq3_conic_coefficients &cc)
 
std::istream & operator>> (std::istream &in, edwards_Fq3_conic_coefficients &cc)
 
std::ostream & operator<< (std::ostream &out, const edwards_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, edwards_ate_G2_precomp &prec_Q)
 
std::ostream & operator<< (std::ostream &out, const edwards_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, edwards_ate_G1_precomp &prec_P)
 
edwards_Fq6 edwards_final_exponentiation_last_chunk (const edwards_Fq6 &elt, const edwards_Fq6 &elt_inv)
 
edwards_Fq6 edwards_final_exponentiation_first_chunk (const edwards_Fq6 &elt, const edwards_Fq6 &elt_inv)
 
edwards_GT edwards_final_exponentiation (const edwards_Fq6 &elt)
 
edwards_tate_G2_precomp edwards_tate_precompute_G2 (const edwards_G2 &Q)
 
void doubling_step_for_miller_loop (extended_edwards_G1_projective &current, edwards_Fq_conic_coefficients &cc)
 
void full_addition_step_for_miller_loop (const extended_edwards_G1_projective &base, extended_edwards_G1_projective &current, edwards_Fq_conic_coefficients &cc)
 
void mixed_addition_step_for_miller_loop (const extended_edwards_G1_projective &base, extended_edwards_G1_projective &current, edwards_Fq_conic_coefficients &cc)
 
edwards_tate_G1_precomp edwards_tate_precompute_G1 (const edwards_G1 &P)
 
edwards_Fq6 edwards_tate_miller_loop (const edwards_tate_G1_precomp &prec_P, const edwards_tate_G2_precomp &prec_Q)
 
edwards_Fq6 edwards_tate_pairing (const edwards_G1 &P, const edwards_G2 &Q)
 
edwards_GT edwards_tate_reduced_pairing (const edwards_G1 &P, const edwards_G2 &Q)
 
void doubling_step_for_flipped_miller_loop (extended_edwards_G2_projective &current, edwards_Fq3_conic_coefficients &cc)
 
void full_addition_step_for_flipped_miller_loop (const extended_edwards_G2_projective &base, extended_edwards_G2_projective &current, edwards_Fq3_conic_coefficients &cc)
 
void mixed_addition_step_for_flipped_miller_loop (const extended_edwards_G2_projective &base, extended_edwards_G2_projective &current, edwards_Fq3_conic_coefficients &cc)
 
edwards_ate_G1_precomp edwards_ate_precompute_G1 (const edwards_G1 &P)
 
edwards_ate_G2_precomp edwards_ate_precompute_G2 (const edwards_G2 &Q)
 
edwards_Fq6 edwards_ate_miller_loop (const edwards_ate_G1_precomp &prec_P, const edwards_ate_G2_precomp &prec_Q)
 
edwards_Fq6 edwards_ate_double_miller_loop (const edwards_ate_G1_precomp &prec_P1, const edwards_ate_G2_precomp &prec_Q1, const edwards_ate_G1_precomp &prec_P2, const edwards_ate_G2_precomp &prec_Q2)
 
edwards_Fq6 edwards_ate_pairing (const edwards_G1 &P, const edwards_G2 &Q)
 
edwards_GT edwards_ate_reduced_pairing (const edwards_G1 &P, const edwards_G2 &Q)
 
edwards_G1_precomp edwards_precompute_G1 (const edwards_G1 &P)
 
edwards_G2_precomp edwards_precompute_G2 (const edwards_G2 &Q)
 
edwards_Fq6 edwards_miller_loop (const edwards_G1_precomp &prec_P, const edwards_G2_precomp &prec_Q)
 
edwards_Fq6 edwards_double_miller_loop (const edwards_G1_precomp &prec_P1, const edwards_G2_precomp &prec_Q1, const edwards_G1_precomp &prec_P2, const edwards_G2_precomp &prec_Q2)
 
edwards_Fq6 edwards_pairing (const edwards_G1 &P, const edwards_G2 &Q)
 
edwards_GT edwards_reduced_pairing (const edwards_G1 &P, const edwards_G2 &Q)
 
std::ostream & operator<< (std::ostream &out, const mnt4_G1 &g)
 
std::istream & operator>> (std::istream &in, mnt4_G1 &g)
 
template<mp_size_t m>
mnt4_G1 operator* (const bigint< m > &lhs, const mnt4_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
mnt4_G1 operator* (const Fp_model< m, modulus_p > &lhs, const mnt4_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const mnt4_G2 &g)
 
std::istream & operator>> (std::istream &in, mnt4_G2 &g)
 
template<mp_size_t m>
mnt4_G2 operator* (const bigint< m > &lhs, const mnt4_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
mnt4_G2 operator* (const Fp_model< m, modulus_p > &lhs, const mnt4_G2 &rhs)
 
void init_mnt4_params ()
 
std::ostream & operator<< (std::ostream &out, const mnt4_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, mnt4_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const mnt4_ate_dbl_coeffs &dc)
 
std::istream & operator>> (std::istream &in, mnt4_ate_dbl_coeffs &dc)
 
std::ostream & operator<< (std::ostream &out, const mnt4_ate_add_coeffs &ac)
 
std::istream & operator>> (std::istream &in, mnt4_ate_add_coeffs &ac)
 
std::ostream & operator<< (std::ostream &out, const mnt4_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, mnt4_ate_G2_precomp &prec_Q)
 
mnt4_Fq4 mnt4_final_exponentiation_last_chunk (const mnt4_Fq4 &elt, const mnt4_Fq4 &elt_inv)
 
mnt4_Fq4 mnt4_final_exponentiation_first_chunk (const mnt4_Fq4 &elt, const mnt4_Fq4 &elt_inv)
 
mnt4_GT mnt4_final_exponentiation (const mnt4_Fq4 &elt)
 
mnt4_affine_ate_G1_precomputation mnt4_affine_ate_precompute_G1 (const mnt4_G1 &P)
 
mnt4_affine_ate_G2_precomputation mnt4_affine_ate_precompute_G2 (const mnt4_G2 &Q)
 
mnt4_Fq4 mnt4_affine_ate_miller_loop (const mnt4_affine_ate_G1_precomputation &prec_P, const mnt4_affine_ate_G2_precomputation &prec_Q)
 
void doubling_step_for_flipped_miller_loop (extended_mnt4_G2_projective &current, mnt4_ate_dbl_coeffs &dc)
 
void mixed_addition_step_for_flipped_miller_loop (const mnt4_Fq2 base_X, const mnt4_Fq2 base_Y, const mnt4_Fq2 base_Y_squared, extended_mnt4_G2_projective &current, mnt4_ate_add_coeffs &ac)
 
mnt4_ate_G1_precomp mnt4_ate_precompute_G1 (const mnt4_G1 &P)
 
mnt4_ate_G2_precomp mnt4_ate_precompute_G2 (const mnt4_G2 &Q)
 
mnt4_Fq4 mnt4_ate_miller_loop (const mnt4_ate_G1_precomp &prec_P, const mnt4_ate_G2_precomp &prec_Q)
 
mnt4_Fq4 mnt4_ate_double_miller_loop (const mnt4_ate_G1_precomp &prec_P1, const mnt4_ate_G2_precomp &prec_Q1, const mnt4_ate_G1_precomp &prec_P2, const mnt4_ate_G2_precomp &prec_Q2)
 
mnt4_Fq4 mnt4_ate_pairing (const mnt4_G1 &P, const mnt4_G2 &Q)
 
mnt4_GT mnt4_ate_reduced_pairing (const mnt4_G1 &P, const mnt4_G2 &Q)
 
mnt4_G1_precomp mnt4_precompute_G1 (const mnt4_G1 &P)
 
mnt4_G2_precomp mnt4_precompute_G2 (const mnt4_G2 &Q)
 
mnt4_Fq4 mnt4_miller_loop (const mnt4_G1_precomp &prec_P, const mnt4_G2_precomp &prec_Q)
 
mnt4_Fq4 mnt4_double_miller_loop (const mnt4_G1_precomp &prec_P1, const mnt4_G2_precomp &prec_Q1, const mnt4_G1_precomp &prec_P2, const mnt4_G2_precomp &prec_Q2)
 
mnt4_Fq4 mnt4_pairing (const mnt4_G1 &P, const mnt4_G2 &Q)
 
mnt4_GT mnt4_reduced_pairing (const mnt4_G1 &P, const mnt4_G2 &Q)
 
mnt4_GT mnt4_affine_reduced_pairing (const mnt4_G1 &P, const mnt4_G2 &Q)
 
std::ostream & operator<< (std::ostream &out, const mnt6_G1 &g)
 
std::istream & operator>> (std::istream &in, mnt6_G1 &g)
 
template<mp_size_t m>
mnt6_G1 operator* (const bigint< m > &lhs, const mnt6_G1 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
mnt6_G1 operator* (const Fp_model< m, modulus_p > &lhs, const mnt6_G1 &rhs)
 
std::ostream & operator<< (std::ostream &out, const mnt6_G2 &g)
 
std::istream & operator>> (std::istream &in, mnt6_G2 &g)
 
template<mp_size_t m>
mnt6_G2 operator* (const bigint< m > &lhs, const mnt6_G2 &rhs)
 
template<mp_size_t m, const bigint< m > & modulus_p>
mnt6_G2 operator* (const Fp_model< m, modulus_p > &lhs, const mnt6_G2 &rhs)
 
void init_mnt6_params ()
 
std::ostream & operator<< (std::ostream &out, const mnt6_ate_G1_precomp &prec_P)
 
std::istream & operator>> (std::istream &in, mnt6_ate_G1_precomp &prec_P)
 
std::ostream & operator<< (std::ostream &out, const mnt6_ate_dbl_coeffs &dc)
 
std::istream & operator>> (std::istream &in, mnt6_ate_dbl_coeffs &dc)
 
std::ostream & operator<< (std::ostream &out, const mnt6_ate_add_coeffs &ac)
 
std::istream & operator>> (std::istream &in, mnt6_ate_add_coeffs &ac)
 
std::ostream & operator<< (std::ostream &out, const mnt6_ate_G2_precomp &prec_Q)
 
std::istream & operator>> (std::istream &in, mnt6_ate_G2_precomp &prec_Q)
 
mnt6_Fq6 mnt6_final_exponentiation_last_chunk (const mnt6_Fq6 &elt, const mnt6_Fq6 &elt_inv)
 
mnt6_Fq6 mnt6_final_exponentiation_first_chunk (const mnt6_Fq6 &elt, const mnt6_Fq6 &elt_inv)
 
mnt6_GT mnt6_final_exponentiation (const mnt6_Fq6 &elt)
 
mnt6_affine_ate_G1_precomputation mnt6_affine_ate_precompute_G1 (const mnt6_G1 &P)
 
mnt6_affine_ate_G2_precomputation mnt6_affine_ate_precompute_G2 (const mnt6_G2 &Q)
 
mnt6_Fq6 mnt6_affine_ate_miller_loop (const mnt6_affine_ate_G1_precomputation &prec_P, const mnt6_affine_ate_G2_precomputation &prec_Q)
 
void doubling_step_for_flipped_miller_loop (extended_mnt6_G2_projective &current, mnt6_ate_dbl_coeffs &dc)
 
void mixed_addition_step_for_flipped_miller_loop (const mnt6_Fq3 base_X, const mnt6_Fq3 base_Y, const mnt6_Fq3 base_Y_squared, extended_mnt6_G2_projective &current, mnt6_ate_add_coeffs &ac)
 
mnt6_ate_G1_precomp mnt6_ate_precompute_G1 (const mnt6_G1 &P)
 
mnt6_ate_G2_precomp mnt6_ate_precompute_G2 (const mnt6_G2 &Q)
 
mnt6_Fq6 mnt6_ate_miller_loop (const mnt6_ate_G1_precomp &prec_P, const mnt6_ate_G2_precomp &prec_Q)
 
mnt6_Fq6 mnt6_ate_double_miller_loop (const mnt6_ate_G1_precomp &prec_P1, const mnt6_ate_G2_precomp &prec_Q1, const mnt6_ate_G1_precomp &prec_P2, const mnt6_ate_G2_precomp &prec_Q2)
 
mnt6_Fq6 mnt6_ate_pairing (const mnt6_G1 &P, const mnt6_G2 &Q)
 
mnt6_GT mnt6_ate_reduced_pairing (const mnt6_G1 &P, const mnt6_G2 &Q)
 
mnt6_G1_precomp mnt6_precompute_G1 (const mnt6_G1 &P)
 
mnt6_G2_precomp mnt6_precompute_G2 (const mnt6_G2 &Q)
 
mnt6_Fq6 mnt6_miller_loop (const mnt6_G1_precomp &prec_P, const mnt6_G2_precomp &prec_Q)
 
mnt6_Fq6 mnt6_double_miller_loop (const mnt6_G1_precomp &prec_P1, const mnt6_G2_precomp &prec_Q1, const mnt6_G1_precomp &prec_P2, const mnt6_G2_precomp &prec_Q2)
 
mnt6_Fq6 mnt6_pairing (const mnt6_G1 &P, const mnt6_G2 &Q)
 
mnt6_GT mnt6_reduced_pairing (const mnt6_G1 &P, const mnt6_G2 &Q)
 
mnt6_GT mnt6_affine_reduced_pairing (const mnt6_G1 &P, const mnt6_G2 &Q)
 
template<typename FieldT , mp_size_t m>
FieldT power (const FieldT &base, const bigint< m > &exponent)
 
template<typename FieldT >
FieldT power (const FieldT &base, const unsigned long exponent)
 
template<mp_size_t n>
std::ostream & operator<< (std::ostream &, const bigint< n > &)
 
template<mp_size_t n>
std::istream & operator>> (std::istream &, bigint< n > &)
 
template<typename BigIntT >
void bigint_from_hex (BigIntT &v, const std::string &hex)
 
template<typename BigIntT >
std::string bigint_to_hex (const BigIntT &v, bool prefix=false)
 
template<encoding_t Enc = encoding_binary, form_t Form = form_plain, typename FieldT >
void field_read (FieldT &v, std::istream &in_s)
 
template<encoding_t Enc = encoding_binary, form_t Form = form_plain, typename FieldT >
void field_write (const FieldT &v, std::ostream &out_s)
 
template<typename FieldT >
std::enable_if< std::is_same< FieldT, Double >::value, bool >::type has_root_of_unity (const size_t n)
 
template<typename FieldT >
std::enable_if<!std::is_same< FieldT, Double >::value, bool >::type has_root_of_unity (const size_t n)
 
template<typename FieldT >
std::enable_if< std::is_same< FieldT, Double >::value, FieldT >::type get_root_of_unity (const size_t n)
 
template<typename FieldT >
std::enable_if<!std::is_same< FieldT, Double >::value, FieldT >::type get_root_of_unity (const size_t n)
 
template<mp_size_t n>
size_t field_get_digit (const bigint< n > &v, const size_t digit_size, const size_t digit_index)
 Decompose v into fixed-size digits of digit_size bits each. More...
 
template<mp_size_t n>
ssize_t field_get_signed_digit (const bigint< n > &v, const size_t digit_size, const size_t digit_index)
 Decompose v into fixed-size signed digits of digit_size bits each. More...
 
template<typename FieldT >
void field_get_signed_digits (std::vector< ssize_t > &digits, const FieldT &v, const size_t digit_size, const size_t num_digits)
 
template<typename FieldT >
std::vector< FieldT > pack_int_vector_into_field_element_vector (const std::vector< size_t > &v, const size_t w)
 
template<typename FieldT >
std::vector< FieldT > pack_bit_vector_into_field_element_vector (const bit_vector &v, const size_t chunk_bits)
 
template<typename FieldT >
std::vector< FieldT > pack_bit_vector_into_field_element_vector (const bit_vector &v)
 
template<typename FieldT >
std::vector< FieldT > convert_bit_vector_to_field_element_vector (const bit_vector &v)
 
template<typename FieldT >
bit_vector convert_field_element_vector_to_bit_vector (const std::vector< FieldT > &v)
 
template<typename FieldT >
bit_vector convert_field_element_to_bit_vector (const FieldT &el)
 
template<typename FieldT >
bit_vector convert_field_element_to_bit_vector (const FieldT &el, const size_t bitcount)
 
template<typename FieldT >
FieldT convert_bit_vector_to_field_element (const bit_vector &v)
 
template<typename FieldT >
void batch_invert (std::vector< FieldT > &vec)
 
template<typename FieldT >
const FieldT::my_Fp & field_get_component_0 (const FieldT &v)
 
template<mp_size_t wn, const bigint< wn > & wmodulus, mp_size_t nn, const bigint< nn > & nmodulus>
void fp_from_fp (Fp_model< wn, wmodulus > &wfp, const Fp_model< nn, nmodulus > &nfp)
 
template<typename FieldT >
void print_vector (const std::vector< FieldT > &v)
 print the elements of a vector More...
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp12_2over3over2_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp12_2over3over2_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &out, const std::vector< Fp12_2over3over2_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &in, std::vector< Fp12_2over3over2_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp12_2over3over2_model< n, modulus > operator* (const Fp_model< n, modulus > &lhs, const Fp12_2over3over2_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp12_2over3over2_model< n, modulus > operator* (const Fp2_model< n, modulus > &lhs, const Fp12_2over3over2_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp12_2over3over2_model< n, modulus > operator* (const Fp6_3over2_model< n, modulus > &lhs, const Fp12_2over3over2_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus, mp_size_t m>
Fp12_2over3over2_model< n, modulus > operator^ (const Fp12_2over3over2_model< n, modulus > &self, const bigint< m > &exponent)
 
template<mp_size_t n, const bigint< n > & modulus, mp_size_t m, const bigint< m > & exp_modulus>
Fp12_2over3over2_model< n, modulus > operator^ (const Fp12_2over3over2_model< n, modulus > &self, const Fp_model< m, exp_modulus > &exponent)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp2_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp2_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &out, const std::vector< Fp2_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &in, std::vector< Fp2_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp2_model< n, modulus > operator* (const Fp_model< n, modulus > &lhs, const Fp2_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp3_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp3_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &out, const std::vector< Fp3_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &in, std::vector< Fp3_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp3_model< n, modulus > operator* (const Fp_model< n, modulus > &lhs, const Fp3_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp4_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp4_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp4_model< n, modulus > operator* (const Fp_model< n, modulus > &lhs, const Fp4_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp4_model< n, modulus > operator* (const Fp2_model< n, modulus > &lhs, const Fp4_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus, mp_size_t m>
Fp4_model< n, modulus > operator^ (const Fp4_model< n, modulus > &self, const bigint< m > &exponent)
 
template<mp_size_t n, const bigint< n > & modulus, mp_size_t m, const bigint< m > & modulus_p>
Fp4_model< n, modulus > operator^ (const Fp4_model< n, modulus > &self, const Fp_model< m, modulus_p > &exponent)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp6_2over3_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp6_2over3_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &out, const std::vector< Fp6_2over3_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &in, std::vector< Fp6_2over3_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp6_2over3_model< n, modulus > operator* (const Fp_model< n, modulus > &lhs, const Fp6_2over3_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus, mp_size_t m>
Fp6_2over3_model< n, modulus > operator^ (const Fp6_2over3_model< n, modulus > &self, const bigint< m > &exponent)
 
template<mp_size_t n, const bigint< n > & modulus, mp_size_t m, const bigint< m > & exp_modulus>
Fp6_2over3_model< n, modulus > operator^ (const Fp6_2over3_model< n, modulus > &self, const Fp_model< m, exp_modulus > &exponent)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &, const Fp6_3over2_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &, Fp6_3over2_model< n, modulus > &)
 
template<mp_size_t n, const bigint< n > & modulus>
std::ostream & operator<< (std::ostream &out, const std::vector< Fp6_3over2_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
std::istream & operator>> (std::istream &in, std::vector< Fp6_3over2_model< n, modulus >> &v)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp6_3over2_model< n, modulus > operator* (const Fp_model< n, modulus > &lhs, const Fp6_3over2_model< n, modulus > &rhs)
 
template<mp_size_t n, const bigint< n > & modulus>
Fp6_3over2_model< n, modulus > operator* (const Fp2_model< n, modulus > &lhs, const Fp6_3over2_model< n, modulus > &rhs)
 
template<typename T , typename FieldT , multi_exp_method Method, multi_exp_base_form BaseForm = multi_exp_base_form_normal>
multi_exp (typename std::vector< T >::const_iterator vec_start, typename std::vector< T >::const_iterator vec_end, typename std::vector< FieldT >::const_iterator scalar_start, typename std::vector< FieldT >::const_iterator scalar_end, const size_t chunks)
 
template<typename T , typename FieldT , multi_exp_method Method, multi_exp_base_form BaseForm = multi_exp_base_form_normal>
multi_exp_filter_one_zero (typename std::vector< T >::const_iterator vec_start, typename std::vector< T >::const_iterator vec_end, typename std::vector< FieldT >::const_iterator scalar_start, typename std::vector< FieldT >::const_iterator scalar_end, const size_t chunks)
 
template<typename T >
inner_product (typename std::vector< T >::const_iterator a_start, typename std::vector< T >::const_iterator a_end, typename std::vector< T >::const_iterator b_start, typename std::vector< T >::const_iterator b_end)
 
template<typename T >
size_t get_exp_window_size (const size_t num_scalars)
 Compute window size for the given number of scalars. More...
 
template<typename T >
window_table< T > get_window_table (const size_t scalar_size, const size_t window, const T &g)
 Compute table of window sizes. More...
 
template<typename T , typename FieldT >
windowed_exp (const size_t scalar_size, const size_t window, const window_table< T > &powers_of_g, const FieldT &pow)
 
template<typename T , typename FieldT >
std::vector< T > batch_exp (const size_t scalar_size, const size_t window, const window_table< T > &table, const std::vector< FieldT > &v)
 
template<typename T , typename FieldT >
std::vector< T > batch_exp (const size_t scalar_size, const size_t window, const window_table< T > &table, const std::vector< FieldT > &v, size_t num_entries)
 
template<typename T , typename FieldT >
std::vector< T > batch_exp_with_coeff (const size_t scalar_size, const size_t window, const window_table< T > &table, const FieldT &coeff, const std::vector< FieldT > &v)
 
template<typename T >
void batch_to_special (std::vector< T > &vec)
 
template<form_t Form, compression_t Comp, typename GroupT , typename FieldT >
GroupT multi_exp_stream (std::istream &base_elements_in, const std::vector< FieldT > &exponents)
 
template<form_t Form, compression_t Comp, typename GroupT , typename FieldT >
GroupT multi_exp_stream_with_precompute (std::istream &precomputed_elements_in, const std::vector< FieldT > &exponents, const size_t precompute_c)
 
template<mp_size_t n>
void update_wnaf (std::vector< long > &naf, const size_t window_size, const bigint< n > &scalar)
 
template<mp_size_t n>
std::vector< long > find_wnaf (const size_t window_size, const bigint< n > &scalar)
 
template<typename T >
size_t wnaf_opt_window_size (const size_t scalar_bits)
 Compute optimal window size. More...
 
template<typename T >
fixed_window_wnaf_exp (const size_t window_size, const T &base, const std::vector< long > &naf)
 
template<typename T , mp_size_t n>
fixed_window_wnaf_exp (const size_t window_size, const T &base, const bigint< n > &scalar)
 
template<typename T , mp_size_t n>
opt_window_wnaf_exp (const T &base, const bigint< n > &scalar, const size_t scalar_bits)
 
uint8_t char_to_nibble (const char c)
 
void hex_to_bytes_reversed (const std::string &hex, void *dest, size_t bytes)
 
std::string bytes_to_hex_reversed (const void *bytes, size_t num_bytes, bool prefix=false)
 "prefix" here refers to "0x" More...
 
long long get_nsec_time ()
 
long long get_nsec_cpu_time ()
 
void start_profiling ()
 
void clear_profiling_counters ()
 
void print_cumulative_time_entry (const std::string &key, const long long factor)
 
void print_cumulative_times (const long long factor)
 
void print_cumulative_op_counts (const bool only_fq)
 
void print_op_profiling (const std::string &msg)
 
void print_time (const char *msg)
 
void print_header (const char *msg)
 
void print_indent ()
 
void op_profiling_enter (const std::string &msg)
 
void enter_block (const std::string &msg, const bool indent)
 
void leave_block (const std::string &msg, const bool indent)
 
void print_mem (const std::string &s)
 
void print_compilation_info ()
 
template<typename FieldT >
FieldT SHA512_rng (const uint64_t idx)
 
void consume_newline (std::istream &in)
 
void consume_OUTPUT_NEWLINE (std::istream &in)
 
void consume_OUTPUT_SEPARATOR (std::istream &in)
 
void output_bool (std::ostream &out, const bool b)
 
void input_bool (std::istream &in, bool &b)
 
void output_bool_vector (std::ostream &out, const std::vector< bool > &v)
 
void input_bool_vector (std::istream &in, std::vector< bool > &v)
 
template<typename T >
reserialize (const T &obj)
 
template<typename T >
std::ostream & operator<< (std::ostream &out, const std::vector< T > &v)
 
template<typename T >
std::istream & operator>> (std::ostream &out, std::vector< T > &v)
 
template<typename T1 , typename T2 >
std::ostream & operator<< (std::ostream &out, const std::map< T1, T2 > &m)
 
template<typename T1 , typename T2 >
std::istream & operator>> (std::istream &in, std::map< T1, T2 > &m)
 
template<typename T >
std::ostream & operator<< (std::ostream &out, const std::set< T > &s)
 
template<typename T >
std::istream & operator>> (std::istream &in, std::set< T > &s)
 
size_t get_power_of_two (size_t n)
 
size_t log2 (size_t n)
 
size_t to_twos_complement (int i, size_t w)
 
int from_twos_complement (size_t i, size_t w)
 
size_t bitreverse (size_t n, const size_t l)
 
bit_vector int_list_to_bits (const std::initializer_list< unsigned long > &l, const size_t wordsize)
 
long long div_ceil (long long x, long long y)
 
bool is_little_endian ()
 
std::string FORMAT (const std::string &prefix, const char *format,...)
 
void serialize_bit_vector (std::ostream &out, const bit_vector &v)
 
void deserialize_bit_vector (std::istream &in, bit_vector &v)
 
size_t exp2 (size_t k)
 
template<typename... Types>
void UNUSED (Types &&...)
 A variadic template to suppress unused argument warnings. More...
 
template<typename T >
size_t size_in_bits (const std::vector< T > &v)
 

Variables

bigint< alt_bn128_r_limbsalt_bn128_modulus_r
 
bigint< alt_bn128_q_limbsalt_bn128_modulus_q
 
alt_bn128_Fq alt_bn128_coeff_b
 
alt_bn128_Fq2 alt_bn128_twist
 
alt_bn128_Fq2 alt_bn128_twist_coeff_b
 
alt_bn128_Fq alt_bn128_twist_mul_by_b_c0
 
alt_bn128_Fq alt_bn128_twist_mul_by_b_c1
 
alt_bn128_Fq2 alt_bn128_twist_mul_by_q_X
 
alt_bn128_Fq2 alt_bn128_twist_mul_by_q_Y
 
bigint< alt_bn128_q_limbsalt_bn128_ate_loop_count
 
bool alt_bn128_ate_is_loop_count_neg
 
bigint< 12 *alt_bn128_q_limbsalt_bn128_final_exponent
 
bigint< alt_bn128_q_limbsalt_bn128_final_exponent_z
 
bool alt_bn128_final_exponent_is_z_neg
 
const mp_size_t alt_bn128_r_bitcount = 254
 
const mp_size_t alt_bn128_q_bitcount = 254
 
const mp_size_t alt_bn128_r_limbs
 
const mp_size_t alt_bn128_q_limbs
 
bigint< bls12_377_r_limbsbls12_377_modulus_r
 
bls12_377_Fq bls12_377_coeff_b
 
bigint< bls12_377_r_limbsbls12_377_trace_of_frobenius
 
bls12_377_Fq2 bls12_377_twist
 
bls12_377_Fq2 bls12_377_twist_coeff_b
 
bls12_377_Fq bls12_377_twist_mul_by_b_c0
 
bls12_377_Fq bls12_377_twist_mul_by_b_c1
 
bls12_377_Fq2 bls12_377_twist_mul_by_q_X
 
bls12_377_Fq2 bls12_377_twist_mul_by_q_Y
 
bls12_377_Fq bls12_377_g1_endomorphism_beta
 
bigint< bls12_377_r_limbsbls12_377_g1_safe_subgroup_check_c1
 
bigint< bls12_377_r_limbsbls12_377_g1_proof_of_safe_subgroup_w
 
bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_x
 
bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_y
 
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w
 
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v
 
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3
 
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v_inverse
 
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3_inverse
 
bigint< bls12_377_r_limbsbls12_377_g2_mul_by_cofactor_h2_0
 
bigint< bls12_377_r_limbsbls12_377_g2_mul_by_cofactor_h2_1
 
bigint< bls12_377_q_limbsbls12_377_ate_loop_count
 
bool bls12_377_ate_is_loop_count_neg
 
bigint< 12 *bls12_377_q_limbsbls12_377_final_exponent
 
bigint< bls12_377_q_limbsbls12_377_final_exponent_z
 
bool bls12_377_final_exponent_is_z_neg
 
const mp_size_t bls12_377_r_bitcount = 253
 
const mp_size_t bls12_377_q_bitcount = 377
 
const mp_size_t bls12_377_r_limbs
 
const mp_size_t bls12_377_q_limbs
 
bigint< bls12_377_q_limbsbw6_761_modulus_r
 
bigint< bls12_381_r_limbsbls12_381_modulus_r
 
bigint< bls12_381_q_limbsbls12_381_modulus_q
 
bls12_381_Fq bls12_381_coeff_b
 
bigint< bls12_381_r_limbsbls12_381_trace_of_frobenius
 
bls12_381_Fq2 bls12_381_twist
 
bls12_381_Fq2 bls12_381_twist_coeff_b
 
bls12_381_Fq bls12_381_twist_mul_by_b_c0
 
bls12_381_Fq bls12_381_twist_mul_by_b_c1
 
bls12_381_Fq2 bls12_381_twist_mul_by_q_X
 
bls12_381_Fq2 bls12_381_twist_mul_by_q_Y
 
bigint< bls12_381_q_limbsbls12_381_ate_loop_count
 
bool bls12_381_ate_is_loop_count_neg
 
bigint< 12 *bls12_381_q_limbsbls12_381_final_exponent
 
bigint< bls12_381_q_limbsbls12_381_final_exponent_z
 
bool bls12_381_final_exponent_is_z_neg
 
const mp_size_t bls12_381_r_bitcount = 255
 
const mp_size_t bls12_381_q_bitcount = 381
 
const mp_size_t bls12_381_r_limbs
 
const mp_size_t bls12_381_q_limbs
 
bigint< bn128_r_limbsbn128_modulus_r
 
bigint< bn128_q_limbsbn128_modulus_q
 
bn::Fp bn128_coeff_b
 
size_t bn128_Fq_s
 
bn::Fp bn128_Fq_nqr_to_t
 
mie::Vuint bn128_Fq_t_minus_1_over_2
 
bn::Fp2 bn128_twist_coeff_b
 
size_t bn128_Fq2_s
 
bn::Fp2 bn128_Fq2_nqr_to_t
 
mie::Vuint bn128_Fq2_t_minus_1_over_2
 
const mp_size_t bn128_r_bitcount = 254
 
const mp_size_t bn128_q_bitcount = 254
 
const mp_size_t bn128_r_limbs
 
const mp_size_t bn128_q_limbs
 
bigint< bw6_761_q_limbsbw6_761_modulus_q
 
bw6_761_Fq bw6_761_coeff_b
 
bw6_761_Fq bw6_761_twist
 
bw6_761_Fq bw6_761_twist_coeff_b
 
bigint< bw6_761_q_limbsbw6_761_ate_loop_count1
 
bigint< bw6_761_q_limbsbw6_761_ate_loop_count2
 
bool bw6_761_ate_is_loop_count_neg
 
bigint< bw6_761_q_limbsbw6_761_final_exponent_z
 
bool bw6_761_final_exponent_is_z_neg
 
const mp_size_t bw6_761_r_bitcount = 377
 
const mp_size_t bw6_761_q_bitcount = 761
 
const mp_size_t bw6_761_r_limbs
 
const mp_size_t bw6_761_q_limbs
 
template<typename GroupT >
decltype(((GroupT *) nullptr) ->X) curve_point_y_at_x (const decltype(((GroupT *) nullptr) ->X) &x)
 
bigint< edwards_r_limbsedwards_modulus_r
 
bigint< edwards_q_limbsedwards_modulus_q
 
edwards_Fq edwards_coeff_a
 
edwards_Fq edwards_coeff_d
 
edwards_Fq3 edwards_twist
 
edwards_Fq3 edwards_twist_coeff_a
 
edwards_Fq3 edwards_twist_coeff_d
 
edwards_Fq edwards_twist_mul_by_a_c0
 
edwards_Fq edwards_twist_mul_by_a_c1
 
edwards_Fq edwards_twist_mul_by_a_c2
 
edwards_Fq edwards_twist_mul_by_d_c0
 
edwards_Fq edwards_twist_mul_by_d_c1
 
edwards_Fq edwards_twist_mul_by_d_c2
 
edwards_Fq edwards_twist_mul_by_q_Y
 
edwards_Fq edwards_twist_mul_by_q_Z
 
bigint< edwards_q_limbsedwards_ate_loop_count
 
bigint< 6 *edwards_q_limbsedwards_final_exponent
 
bigint< edwards_q_limbsedwards_final_exponent_last_chunk_abs_of_w0
 
bool edwards_final_exponent_last_chunk_is_w0_neg
 
bigint< edwards_q_limbsedwards_final_exponent_last_chunk_w1
 
const mp_size_t edwards_r_bitcount = 181
 
const mp_size_t edwards_q_bitcount = 183
 
const mp_size_t edwards_r_limbs
 
const mp_size_t edwards_q_limbs
 
mnt4_Fq2 mnt4_twist
 
mnt4_Fq2 mnt4_twist_coeff_a
 
mnt4_Fq2 mnt4_twist_coeff_b
 
mnt4_Fq mnt4_twist_mul_by_a_c0
 
mnt4_Fq mnt4_twist_mul_by_a_c1
 
mnt4_Fq mnt4_twist_mul_by_b_c0
 
mnt4_Fq mnt4_twist_mul_by_b_c1
 
mnt4_Fq mnt4_twist_mul_by_q_X
 
mnt4_Fq mnt4_twist_mul_by_q_Y
 
bigint< mnt4_q_limbsmnt4_ate_loop_count
 
bool mnt4_ate_is_loop_count_neg
 
bigint< 4 *mnt4_q_limbsmnt4_final_exponent
 
bigint< mnt4_q_limbsmnt4_final_exponent_last_chunk_abs_of_w0
 
bool mnt4_final_exponent_last_chunk_is_w0_neg
 
bigint< mnt4_q_limbsmnt4_final_exponent_last_chunk_w1
 
const mp_size_t mnt4_r_bitcount = mnt46_A_bitcount
 
const mp_size_t mnt4_q_bitcount = mnt46_B_bitcount
 
const mp_size_t mnt4_r_limbs = mnt46_A_limbs
 
const mp_size_t mnt4_q_limbs = mnt46_B_limbs
 
bigint< mnt4_r_limbsmnt4_modulus_r
 
bigint< mnt4_q_limbsmnt4_modulus_q
 
bigint< mnt46_A_limbsmnt46_modulus_A
 
bigint< mnt46_B_limbsmnt46_modulus_B
 
const mp_size_t mnt46_A_bitcount = 298
 
const mp_size_t mnt46_B_bitcount = 298
 
const mp_size_t mnt46_A_limbs
 
const mp_size_t mnt46_B_limbs
 
mnt6_Fq3 mnt6_twist
 
mnt6_Fq3 mnt6_twist_coeff_a
 
mnt6_Fq3 mnt6_twist_coeff_b
 
mnt6_Fq mnt6_twist_mul_by_a_c0
 
mnt6_Fq mnt6_twist_mul_by_a_c1
 
mnt6_Fq mnt6_twist_mul_by_a_c2
 
mnt6_Fq mnt6_twist_mul_by_b_c0
 
mnt6_Fq mnt6_twist_mul_by_b_c1
 
mnt6_Fq mnt6_twist_mul_by_b_c2
 
mnt6_Fq mnt6_twist_mul_by_q_X
 
mnt6_Fq mnt6_twist_mul_by_q_Y
 
bigint< mnt6_q_limbsmnt6_ate_loop_count
 
bool mnt6_ate_is_loop_count_neg
 
bigint< 6 *mnt6_q_limbsmnt6_final_exponent
 
bigint< mnt6_q_limbsmnt6_final_exponent_last_chunk_abs_of_w0
 
bool mnt6_final_exponent_last_chunk_is_w0_neg
 
bigint< mnt6_q_limbsmnt6_final_exponent_last_chunk_w1
 
const mp_size_t mnt6_r_bitcount = mnt46_B_bitcount
 
const mp_size_t mnt6_q_bitcount = mnt46_A_bitcount
 
const mp_size_t mnt6_r_limbs = mnt46_B_limbs
 
const mp_size_t mnt6_q_limbs = mnt46_A_limbs
 
bigint< mnt6_r_limbsmnt6_modulus_r
 
bigint< mnt6_q_limbsmnt6_modulus_q
 
constexpr encoding_t DEFAULT_ENCODING = encoding_json
 
constexpr form_t DEFAULT_FORM = form_plain
 
constexpr compression_t DEFAULT_COMPRESSION = compression_on
 
long long start_time
 
long long last_time
 
long long start_cpu_time
 
long long last_cpu_time
 
std::map< std::string, size_t > invocation_counts
 
std::map< std::string, long long > enter_times
 
std::map< std::string, long long > last_times
 
std::map< std::string, long long > cumulative_times
 
std::map< std::string, long long > enter_cpu_times
 
std::map< std::string, long long > last_cpu_times
 
std::map< std::pair< std::string, std::string >, long long > op_counts
 
std::map< std::pair< std::string, std::string >, long long > cumulative_op_counts
 
size_t indentation = 0
 
std::vector< std::string > block_names
 
std::list< std::pair< std::string, long long * > > op_data_points
 
bool inhibit_profiling_info = false
 
bool inhibit_profiling_counters = false
 

Typedef Documentation

◆ affine_ate_G1_precomp

template<typename EC_ppT >
using libff::affine_ate_G1_precomp = typedef typename EC_ppT::affine_ate_G1_precomp_type

Definition at line 81 of file public_params.hpp.

◆ affine_ate_G2_precomp

template<typename EC_ppT >
using libff::affine_ate_G2_precomp = typedef typename EC_ppT::affine_ate_G2_precomp_type

Definition at line 83 of file public_params.hpp.

◆ alt_bn128_Fq

typedef Fp_model<alt_bn128_q_limbs, alt_bn128_modulus_q> libff::alt_bn128_Fq

Definition at line 31 of file alt_bn128_init.hpp.

◆ alt_bn128_Fq12

typedef Fp12_2over3over2_model<alt_bn128_q_limbs, alt_bn128_modulus_q> libff::alt_bn128_Fq12

Definition at line 35 of file alt_bn128_init.hpp.

◆ alt_bn128_Fq2

typedef Fp2_model<alt_bn128_q_limbs, alt_bn128_modulus_q> libff::alt_bn128_Fq2

Definition at line 32 of file alt_bn128_init.hpp.

◆ alt_bn128_Fq6

typedef Fp6_3over2_model<alt_bn128_q_limbs, alt_bn128_modulus_q> libff::alt_bn128_Fq6

Definition at line 33 of file alt_bn128_init.hpp.

◆ alt_bn128_Fr

typedef Fp_model<alt_bn128_r_limbs, alt_bn128_modulus_r> libff::alt_bn128_Fr

Definition at line 30 of file alt_bn128_init.hpp.

◆ alt_bn128_G1_precomp

typedef alt_bn128_ate_G1_precomp libff::alt_bn128_G1_precomp

Definition at line 76 of file alt_bn128_pairing.hpp.

◆ alt_bn128_G2_precomp

typedef alt_bn128_ate_G2_precomp libff::alt_bn128_G2_precomp

Definition at line 77 of file alt_bn128_pairing.hpp.

◆ alt_bn128_GT

typedef alt_bn128_Fq12 libff::alt_bn128_GT

Definition at line 36 of file alt_bn128_init.hpp.

◆ bit_vector

typedef std::vector<bool> libff::bit_vector

Definition at line 22 of file utils.hpp.

◆ bls12_377_Fq

typedef Fp_model<bls12_377_q_limbs, bls12_377_modulus_q> libff::bls12_377_Fq

Definition at line 48 of file bls12_377_init.hpp.

◆ bls12_377_Fq12

typedef Fp12_2over3over2_model<bls12_377_q_limbs, bls12_377_modulus_q> libff::bls12_377_Fq12

Definition at line 52 of file bls12_377_init.hpp.

◆ bls12_377_Fq2

typedef Fp2_model<bls12_377_q_limbs, bls12_377_modulus_q> libff::bls12_377_Fq2

Definition at line 49 of file bls12_377_init.hpp.

◆ bls12_377_Fq6

typedef Fp6_3over2_model<bls12_377_q_limbs, bls12_377_modulus_q> libff::bls12_377_Fq6

Definition at line 50 of file bls12_377_init.hpp.

◆ bls12_377_Fr

typedef Fp_model<bls12_377_r_limbs, bls12_377_modulus_r> libff::bls12_377_Fr

Definition at line 47 of file bls12_377_init.hpp.

◆ bls12_377_G1_precomp

typedef bls12_377_ate_G1_precomp libff::bls12_377_G1_precomp

Definition at line 91 of file bls12_377_pairing.hpp.

◆ bls12_377_G2_precomp

typedef bls12_377_ate_G2_precomp libff::bls12_377_G2_precomp

Definition at line 92 of file bls12_377_pairing.hpp.

◆ bls12_377_GT

typedef bls12_377_Fq12 libff::bls12_377_GT

Definition at line 53 of file bls12_377_init.hpp.

◆ bls12_381_Fq

typedef Fp_model<bls12_381_q_limbs, bls12_381_modulus_q> libff::bls12_381_Fq

Definition at line 31 of file bls12_381_init.hpp.

◆ bls12_381_Fq12

typedef Fp12_2over3over2_model<bls12_381_q_limbs, bls12_381_modulus_q> libff::bls12_381_Fq12

Definition at line 35 of file bls12_381_init.hpp.

◆ bls12_381_Fq2

typedef Fp2_model<bls12_381_q_limbs, bls12_381_modulus_q> libff::bls12_381_Fq2

Definition at line 32 of file bls12_381_init.hpp.

◆ bls12_381_Fq6

typedef Fp6_3over2_model<bls12_381_q_limbs, bls12_381_modulus_q> libff::bls12_381_Fq6

Definition at line 33 of file bls12_381_init.hpp.

◆ bls12_381_Fr

typedef Fp_model<bls12_381_r_limbs, bls12_381_modulus_r> libff::bls12_381_Fr

Definition at line 30 of file bls12_381_init.hpp.

◆ bls12_381_G1_precomp

typedef bls12_381_ate_G1_precomp libff::bls12_381_G1_precomp

Definition at line 91 of file bls12_381_pairing.hpp.

◆ bls12_381_G2_precomp

typedef bls12_381_ate_G2_precomp libff::bls12_381_G2_precomp

Definition at line 92 of file bls12_381_pairing.hpp.

◆ bls12_381_GT

typedef bls12_381_Fq12 libff::bls12_381_GT

Definition at line 36 of file bls12_381_init.hpp.

◆ bn128_ate_ell_coeffs

typedef bn::Fp6 libff::bn128_ate_ell_coeffs

Definition at line 32 of file bn128_pairing.hpp.

◆ bn128_Fq

typedef Fp_model<bn128_q_limbs, bn128_modulus_q> libff::bn128_Fq

Definition at line 40 of file bn128_init.hpp.

◆ bn128_Fq12

typedef bn128_GT libff::bn128_Fq12

Definition at line 46 of file bn128_init.hpp.

◆ bn128_Fr

typedef Fp_model<bn128_r_limbs, bn128_modulus_r> libff::bn128_Fr

Definition at line 39 of file bn128_init.hpp.

◆ bw6_761_Fq

typedef Fp_model<bw6_761_q_limbs, bw6_761_modulus_q> libff::bw6_761_Fq

Definition at line 24 of file bw6_761_init.hpp.

◆ bw6_761_Fq3

typedef Fp3_model<bw6_761_q_limbs, bw6_761_modulus_q> libff::bw6_761_Fq3

Definition at line 25 of file bw6_761_init.hpp.

◆ bw6_761_Fq6

typedef Fp6_2over3_model<bw6_761_q_limbs, bw6_761_modulus_q> libff::bw6_761_Fq6

Definition at line 26 of file bw6_761_init.hpp.

◆ bw6_761_Fr

typedef Fp_model<bw6_761_r_limbs, bw6_761_modulus_r> libff::bw6_761_Fr

Definition at line 23 of file bw6_761_init.hpp.

◆ bw6_761_G1_precomp

typedef bw6_761_ate_G1_precomp libff::bw6_761_G1_precomp

Definition at line 80 of file bw6_761_pairing.hpp.

◆ bw6_761_G2_precomp

typedef bw6_761_ate_G2_precomp libff::bw6_761_G2_precomp

Definition at line 81 of file bw6_761_pairing.hpp.

◆ bw6_761_GT

typedef bw6_761_Fq6 libff::bw6_761_GT

Definition at line 27 of file bw6_761_init.hpp.

◆ edwards_ate_G2_precomp

typedef std::vector<edwards_Fq3_conic_coefficients> libff::edwards_ate_G2_precomp

Definition at line 77 of file edwards_pairing.hpp.

◆ edwards_Fq

typedef Fp_model<edwards_q_limbs, edwards_modulus_q> libff::edwards_Fq

Definition at line 30 of file edwards_init.hpp.

◆ edwards_Fq3

typedef Fp3_model<edwards_q_limbs, edwards_modulus_q> libff::edwards_Fq3

Definition at line 31 of file edwards_init.hpp.

◆ edwards_Fq6

typedef Fp6_2over3_model<edwards_q_limbs, edwards_modulus_q> libff::edwards_Fq6

Definition at line 32 of file edwards_init.hpp.

◆ edwards_Fr

typedef Fp_model<edwards_r_limbs, edwards_modulus_r> libff::edwards_Fr

Definition at line 29 of file edwards_init.hpp.

◆ edwards_G1_precomp

typedef edwards_ate_G1_precomp libff::edwards_G1_precomp

Definition at line 112 of file edwards_pairing.hpp.

◆ edwards_G2_precomp

typedef edwards_ate_G2_precomp libff::edwards_G2_precomp

Definition at line 113 of file edwards_pairing.hpp.

◆ edwards_GT

typedef edwards_Fq6 libff::edwards_GT

Definition at line 33 of file edwards_init.hpp.

◆ edwards_tate_G1_precomp

typedef std::vector<edwards_Fq_conic_coefficients> libff::edwards_tate_G1_precomp

Definition at line 37 of file edwards_pairing.hpp.

◆ Fq

template<typename EC_ppT >
using libff::Fq = typedef typename EC_ppT::Fq_type

Definition at line 84 of file public_params.hpp.

◆ Fqe

template<typename EC_ppT >
using libff::Fqe = typedef typename EC_ppT::Fqe_type

Definition at line 85 of file public_params.hpp.

◆ Fqk

template<typename EC_ppT >
using libff::Fqk = typedef typename EC_ppT::Fqk_type

Definition at line 86 of file public_params.hpp.

◆ Fr

template<typename EC_ppT >
using libff::Fr = typedef typename EC_ppT::Fp_type

For every curve the user should define corresponding public_params with the following typedefs:

Fp_type G1_type G2_type G1_precomp_type G2_precomp_type affine_ate_G1_precomp_type affine_ate_G2_precomp_type Fq_type Fqe_type Fqk_type GT_type

one should also define the following static elements and methods:

const std::string name;

void init_public_params();

GT<EC_ppT> final_exponentiation(const Fqk<EC_ppT> &elt);

G1_precomp<EC_ppT> precompute_G1(const G1<EC_ppT> &P); G2_precomp<EC_ppT> precompute_G2(const G2<EC_ppT> &Q);

Fqk<EC_ppT> miller_loop( const G1_precomp<EC_ppT> &prec_P, const G2_precomp<EC_ppT> &prec_Q);

affine_ate_G1_precomp<EC_ppT> affine_ate_precompute_G1(const G1<EC_ppT> &P); affine_ate_G2_precomp<EC_ppT> affine_ate_precompute_G2(const G2<EC_ppT> &Q);

Fqk<EC_ppT> affine_ate_miller_loop( const affine_ate_G1_precomp<EC_ppT> &prec_P, const affine_ate_G2_precomp<EC_ppT> &prec_Q); Fqk<EC_ppT> affine_ate_e_over_e_miller_loop( const affine_ate_G1_precomp<EC_ppT> &prec_P1, const affine_ate_G2_precomp<EC_ppT> &prec_Q1, const affine_ate_G1_precomp<EC_ppT> &prec_P2, const affine_ate_G2_precomp<EC_ppT> &prec_Q2); Fqk<EC_ppT> affine_ate_e_times_e_over_e_miller_loop( const affine_ate_G1_precomp<EC_ppT> &prec_P1, const affine_ate_G2_precomp<EC_ppT> &prec_Q1, const affine_ate_G1_precomp<EC_ppT> &prec_P2, const affine_ate_G2_precomp<EC_ppT> &prec_Q2, const affine_ate_G1_precomp<EC_ppT> &prec_P3, const affine_ate_G2_precomp<EC_ppT> &prec_Q3); Fqk<EC_ppT> double_miller_loop( const G1_precomp<EC_ppT> &prec_P1, const G2_precomp<EC_ppT> &prec_Q1, const G1_precomp<EC_ppT> &prec_P2, const G2_precomp<EC_ppT> &prec_Q2);

Fqk<EC_ppT> pairing(const G1<EC_ppT> &P, const G2<EC_ppT> &Q); GT<EC_ppT> reduced_pairing(const G1<EC_ppT> &P, const G2<EC_ppT> &Q); GT<EC_ppT> affine_reduced_pairing(const G1<EC_ppT> &P, const G2<EC_ppT> &Q);

Definition at line 75 of file public_params.hpp.

◆ Fr_vector

template<typename EC_ppT >
using libff::Fr_vector = typedef std::vector<Fr<EC_ppT> >

Definition at line 89 of file public_params.hpp.

◆ G1

template<typename EC_ppT >
using libff::G1 = typedef typename EC_ppT::G1_type

Definition at line 76 of file public_params.hpp.

◆ G1_precomp

template<typename EC_ppT >
using libff::G1_precomp = typedef typename EC_ppT::G1_precomp_type

Definition at line 78 of file public_params.hpp.

◆ G1_vector

template<typename EC_ppT >
using libff::G1_vector = typedef std::vector<G1<EC_ppT> >

Definition at line 90 of file public_params.hpp.

◆ G2

template<typename EC_ppT >
using libff::G2 = typedef typename EC_ppT::G2_type

Definition at line 77 of file public_params.hpp.

◆ G2_precomp

template<typename EC_ppT >
using libff::G2_precomp = typedef typename EC_ppT::G2_precomp_type

Definition at line 79 of file public_params.hpp.

◆ G2_vector

template<typename EC_ppT >
using libff::G2_vector = typedef std::vector<G2<EC_ppT> >

Definition at line 91 of file public_params.hpp.

◆ GT

template<typename EC_ppT >
using libff::GT = typedef typename EC_ppT::GT_type

Definition at line 87 of file public_params.hpp.

◆ mnt4_Fq

typedef Fp_model<mnt4_q_limbs, mnt4_modulus_q> libff::mnt4_Fq

Definition at line 37 of file mnt4_init.hpp.

◆ mnt4_Fq2

typedef Fp2_model<mnt4_q_limbs, mnt4_modulus_q> libff::mnt4_Fq2

Definition at line 38 of file mnt4_init.hpp.

◆ mnt4_Fq4

typedef Fp4_model<mnt4_q_limbs, mnt4_modulus_q> libff::mnt4_Fq4

Definition at line 39 of file mnt4_init.hpp.

◆ mnt4_Fr

typedef Fp_model<mnt4_r_limbs, mnt4_modulus_r> libff::mnt4_Fr

Definition at line 36 of file mnt4_init.hpp.

◆ mnt4_G1_precomp

typedef mnt4_ate_G1_precomp libff::mnt4_G1_precomp

Definition at line 130 of file mnt4_pairing.hpp.

◆ mnt4_G2_precomp

typedef mnt4_ate_G2_precomp libff::mnt4_G2_precomp

Definition at line 131 of file mnt4_pairing.hpp.

◆ mnt4_GT

typedef mnt4_Fq4 libff::mnt4_GT

Definition at line 40 of file mnt4_init.hpp.

◆ mnt6_Fq

typedef Fp_model<mnt6_q_limbs, mnt6_modulus_q> libff::mnt6_Fq

Definition at line 37 of file mnt6_init.hpp.

◆ mnt6_Fq3

typedef Fp3_model<mnt6_q_limbs, mnt6_modulus_q> libff::mnt6_Fq3

Definition at line 38 of file mnt6_init.hpp.

◆ mnt6_Fq6

typedef Fp6_2over3_model<mnt6_q_limbs, mnt6_modulus_q> libff::mnt6_Fq6

Definition at line 39 of file mnt6_init.hpp.

◆ mnt6_Fr

typedef Fp_model<mnt6_r_limbs, mnt6_modulus_r> libff::mnt6_Fr

Definition at line 36 of file mnt6_init.hpp.

◆ mnt6_G1_precomp

typedef mnt6_ate_G1_precomp libff::mnt6_G1_precomp

Definition at line 130 of file mnt6_pairing.hpp.

◆ mnt6_G2_precomp

typedef mnt6_ate_G2_precomp libff::mnt6_G2_precomp

Definition at line 131 of file mnt6_pairing.hpp.

◆ mnt6_GT

typedef mnt6_Fq6 libff::mnt6_GT

Definition at line 40 of file mnt6_init.hpp.

◆ window_table

template<typename T >
using libff::window_table = typedef std::vector<std::vector<T> >

A window table stores window sizes for different instance sizes for fixed-base multi-scalar multiplications.

Definition at line 101 of file multiexp.hpp.

Enumeration Type Documentation

◆ compression_t

enum libff::compression_t : uint8_t

Enable / disable compression in (de)serialization.

Enumerator
compression_off 
compression_on 

Definition at line 31 of file serialization.hpp.

31  : uint8_t {
32  compression_off = 0,
33  compression_on = 1,
34 };

◆ encoding_t

enum libff::encoding_t : uint8_t

Encodings for (de)serialization.

Enumerator
encoding_binary 
encoding_json 

Definition at line 19 of file serialization.hpp.

19  : uint8_t {
20  encoding_binary = 0, // big endian
21  encoding_json = 1,
22 };

◆ form_t

enum libff::form_t : uint8_t

Encodings for (de)serialization.

Enumerator
form_plain 
form_montgomery 

Definition at line 25 of file serialization.hpp.

25  : uint8_t {
26  form_plain = 0,
27  form_montgomery = 1,
28 };

◆ multi_exp_base_form

enum libff::multi_exp_base_form

Form of base elements passed to multi_exp routines.

Enumerator
multi_exp_base_form_normal 

Incoming base elements are not in special form.

multi_exp_base_form_special 

Incoming base elements are in special form (so that implementations can use mixed_add, where appropriate.

Definition at line 45 of file multiexp.hpp.

45  {
47  multi_exp_base_form_normal,
50  multi_exp_base_form_special,
51 };

◆ multi_exp_method

enum libff::multi_exp_method
Enumerator
multi_exp_method_naive 

Naive multi-exponentiation individually multiplies each base by the corresponding scalar and adds up the results. multi_exp_method_naive uses opt_window_wnaf_exp for exponentiation.

multi_exp_method_naive_plain 

As multi_exp_method_naive, but uses operator * rather than opt_window_wnaf_exp.

multi_exp_method_bos_coster 

A variant of the Bos-Coster algorithm [1], with implementation suggestions from [2]. [1] = Bos and Coster, "Addition chain heuristics", CRYPTO '89 [2] = Bernstein, Duif, Lange, Schwabe, and Yang, "High-speed high-security signatures", CHES '11

multi_exp_method_BDLO12 

A special case of Pippenger's algorithm from Page 15 of Bernstein, Doumen, Lange, Oosterwijk, "Faster batch forgery identification", INDOCRYPT 2012 (https://eprint.iacr.org/2012/549.pdf) Requires that T implements .dbl()

multi_exp_method_BDLO12_signed 

Similar to multi_exp_method_BDLO12, but using signed digits.

Definition at line 21 of file multiexp.hpp.

21  {
25  multi_exp_method_naive,
28  multi_exp_method_naive_plain,
34  multi_exp_method_bos_coster,
39  multi_exp_method_BDLO12,
41  multi_exp_method_BDLO12_signed,
42 };

Function Documentation

◆ alt_bn128_affine_reduced_pairing()

alt_bn128_GT libff::alt_bn128_affine_reduced_pairing ( const alt_bn128_G1 P,
const alt_bn128_G2 Q 
)

◆ alt_bn128_ate_double_miller_loop()

alt_bn128_Fq12 libff::alt_bn128_ate_double_miller_loop ( const alt_bn128_ate_G1_precomp prec_P1,
const alt_bn128_ate_G2_precomp prec_Q1,
const alt_bn128_ate_G1_precomp prec_P2,
const alt_bn128_ate_G2_precomp prec_Q2 
)

Definition at line 453 of file alt_bn128_pairing.cpp.

458 {
459  enter_block("Call to alt_bn128_ate_double_miller_loop");
460 
461  alt_bn128_Fq12 f = alt_bn128_Fq12::one();
462 
463  bool found_one = false;
464  size_t idx = 0;
465 
466  const bigint<alt_bn128_Fr::num_limbs> &loop_count =
467  alt_bn128_ate_loop_count;
468  for (long i = loop_count.max_bits(); i >= 0; --i) {
469  const bool bit = loop_count.test_bit(i);
470  if (!found_one) {
471  /* this skips the MSB itself */
472  found_one |= bit;
473  continue;
474  }
475 
476  /* code below gets executed for all bits (EXCEPT the MSB itself) of
477  alt_bn128_param_p (skipping leading zeros) in MSB to LSB
478  order */
479 
480  alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
481  alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
482  ++idx;
483 
484  f = f.squared();
485 
486  f = f.mul_by_024(
487  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
488  f = f.mul_by_024(
489  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
490 
491  if (bit) {
492  alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
493  alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
494  ++idx;
495 
496  f = f.mul_by_024(
497  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
498  f = f.mul_by_024(
499  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
500  }
501  }
502 
503  if (alt_bn128_ate_is_loop_count_neg) {
504  f = f.inverse();
505  }
506 
507  alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
508  alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
509  ++idx;
510  f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
511  f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
512 
513  c1 = prec_Q1.coeffs[idx];
514  c2 = prec_Q2.coeffs[idx];
515  ++idx;
516  f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
517  f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
518 
519  leave_block("Call to alt_bn128_ate_double_miller_loop");
520 
521  return f;
522 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_ate_miller_loop()

alt_bn128_Fq12 libff::alt_bn128_ate_miller_loop ( const alt_bn128_ate_G1_precomp prec_P,
const alt_bn128_ate_G2_precomp prec_Q 
)

Definition at line 401 of file alt_bn128_pairing.cpp.

404 {
405  enter_block("Call to alt_bn128_ate_miller_loop");
406 
407  alt_bn128_Fq12 f = alt_bn128_Fq12::one();
408 
409  bool found_one = false;
410  size_t idx = 0;
411 
412  const bigint<alt_bn128_Fr::num_limbs> &loop_count =
413  alt_bn128_ate_loop_count;
414  alt_bn128_ate_ell_coeffs c;
415 
416  for (long i = loop_count.max_bits(); i >= 0; --i) {
417  const bool bit = loop_count.test_bit(i);
418  if (!found_one) {
419  /* this skips the MSB itself */
420  found_one |= bit;
421  continue;
422  }
423 
424  /* code below gets executed for all bits (EXCEPT the MSB itself) of
425  alt_bn128_param_p (skipping leading zeros) in MSB to LSB
426  order */
427 
428  c = prec_Q.coeffs[idx++];
429  f = f.squared();
430  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
431 
432  if (bit) {
433  c = prec_Q.coeffs[idx++];
434  f = f.mul_by_024(
435  c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
436  }
437  }
438 
439  if (alt_bn128_ate_is_loop_count_neg) {
440  f = f.inverse();
441  }
442 
443  c = prec_Q.coeffs[idx++];
444  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
445 
446  c = prec_Q.coeffs[idx++];
447  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
448 
449  leave_block("Call to alt_bn128_ate_miller_loop");
450  return f;
451 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_ate_pairing()

alt_bn128_Fq12 libff::alt_bn128_ate_pairing ( const alt_bn128_G1 P,
const alt_bn128_G2 Q 
)

Definition at line 524 of file alt_bn128_pairing.cpp.

526 {
527  enter_block("Call to alt_bn128_ate_pairing");
528  alt_bn128_ate_G1_precomp prec_P = alt_bn128_ate_precompute_G1(P);
529  alt_bn128_ate_G2_precomp prec_Q = alt_bn128_ate_precompute_G2(Q);
530  alt_bn128_Fq12 result = alt_bn128_ate_miller_loop(prec_P, prec_Q);
531  leave_block("Call to alt_bn128_ate_pairing");
532  return result;
533 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_ate_precompute_G1()

alt_bn128_ate_G1_precomp libff::alt_bn128_ate_precompute_G1 ( const alt_bn128_G1 P)

Definition at line 325 of file alt_bn128_pairing.cpp.

326 {
327  enter_block("Call to alt_bn128_ate_precompute_G1");
328 
329  alt_bn128_G1 Pcopy = P;
330  Pcopy.to_affine_coordinates();
331 
332  alt_bn128_ate_G1_precomp result;
333  result.PX = Pcopy.X;
334  result.PY = Pcopy.Y;
335 
336  leave_block("Call to alt_bn128_ate_precompute_G1");
337  return result;
338 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_ate_precompute_G2()

alt_bn128_ate_G2_precomp libff::alt_bn128_ate_precompute_G2 ( const alt_bn128_G2 Q)

Definition at line 340 of file alt_bn128_pairing.cpp.

341 {
342  enter_block("Call to alt_bn128_ate_precompute_G2");
343 
344  alt_bn128_G2 Qcopy(Q);
345  Qcopy.to_affine_coordinates();
346 
347  // could add to global params if needed
348  alt_bn128_Fq two_inv = (alt_bn128_Fq("2").inverse());
349 
350  alt_bn128_ate_G2_precomp result;
351  result.QX = Qcopy.X;
352  result.QY = Qcopy.Y;
353 
354  alt_bn128_G2 R;
355  R.X = Qcopy.X;
356  R.Y = Qcopy.Y;
357  R.Z = alt_bn128_Fq2::one();
358 
359  const bigint<alt_bn128_Fr::num_limbs> &loop_count =
360  alt_bn128_ate_loop_count;
361  bool found_one = false;
362  alt_bn128_ate_ell_coeffs c;
363 
364  for (long i = loop_count.max_bits(); i >= 0; --i) {
365  const bool bit = loop_count.test_bit(i);
366  if (!found_one) {
367  /* this skips the MSB itself */
368  found_one |= bit;
369  continue;
370  }
371 
372  doubling_step_for_flipped_miller_loop(two_inv, R, c);
373  result.coeffs.push_back(c);
374 
375  if (bit) {
376  mixed_addition_step_for_flipped_miller_loop(Qcopy, R, c);
377  result.coeffs.push_back(c);
378  }
379  }
380 
381  alt_bn128_G2 Q1 = Qcopy.mul_by_q();
382  assert(Q1.Z == alt_bn128_Fq2::one());
383  alt_bn128_G2 Q2 = Q1.mul_by_q();
384  assert(Q2.Z == alt_bn128_Fq2::one());
385 
386  if (alt_bn128_ate_is_loop_count_neg) {
387  R.Y = -R.Y;
388  }
389  Q2.Y = -Q2.Y;
390 
391  mixed_addition_step_for_flipped_miller_loop(Q1, R, c);
392  result.coeffs.push_back(c);
393 
394  mixed_addition_step_for_flipped_miller_loop(Q2, R, c);
395  result.coeffs.push_back(c);
396 
397  leave_block("Call to alt_bn128_ate_precompute_G2");
398  return result;
399 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_ate_reduced_pairing()

alt_bn128_GT libff::alt_bn128_ate_reduced_pairing ( const alt_bn128_G1 P,
const alt_bn128_G2 Q 
)

Definition at line 535 of file alt_bn128_pairing.cpp.

537 {
538  enter_block("Call to alt_bn128_ate_reduced_pairing");
539  const alt_bn128_Fq12 f = alt_bn128_ate_pairing(P, Q);
540  const alt_bn128_GT result = alt_bn128_final_exponentiation(f);
541  leave_block("Call to alt_bn128_ate_reduced_pairing");
542  return result;
543 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_double_miller_loop()

alt_bn128_Fq12 libff::alt_bn128_double_miller_loop ( const alt_bn128_G1_precomp prec_P1,
const alt_bn128_G2_precomp prec_Q1,
const alt_bn128_G1_precomp prec_P2,
const alt_bn128_G2_precomp prec_Q2 
)

Definition at line 563 of file alt_bn128_pairing.cpp.

568 {
569  return alt_bn128_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
570 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_exp_by_neg_z()

alt_bn128_Fq12 libff::alt_bn128_exp_by_neg_z ( const alt_bn128_Fq12 elt)

Definition at line 141 of file alt_bn128_pairing.cpp.

142 {
143  enter_block("Call to alt_bn128_exp_by_neg_z");
144 
145  alt_bn128_Fq12 result = elt.cyclotomic_exp(alt_bn128_final_exponent_z);
146  if (!alt_bn128_final_exponent_is_z_neg) {
147  result = result.unitary_inverse();
148  }
149 
150  leave_block("Call to alt_bn128_exp_by_neg_z");
151 
152  return result;
153 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_final_exponentiation()

alt_bn128_GT libff::alt_bn128_final_exponentiation ( const alt_bn128_Fq12 elt)

Definition at line 231 of file alt_bn128_pairing.cpp.

232 {
233  enter_block("Call to alt_bn128_final_exponentiation");
234  /* OLD naive version:
235  alt_bn128_GT result = elt^alt_bn128_final_exponent;
236  */
237  alt_bn128_Fq12 A = alt_bn128_final_exponentiation_first_chunk(elt);
238  alt_bn128_GT result = alt_bn128_final_exponentiation_last_chunk(A);
239 
240  leave_block("Call to alt_bn128_final_exponentiation");
241  return result;
242 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_final_exponentiation_first_chunk()

alt_bn128_Fq12 libff::alt_bn128_final_exponentiation_first_chunk ( const alt_bn128_Fq12 elt)

Definition at line 113 of file alt_bn128_pairing.cpp.

115 {
116  enter_block("Call to alt_bn128_final_exponentiation_first_chunk");
117 
118  /*
119  Computes result = elt^((q^6-1)*(q^2+1)).
120  Follows, e.g., Beuchat et al page 9, by computing result as follows:
121  elt^((q^6-1)*(q^2+1)) = (conj(elt) * elt^(-1))^(q^2+1)
122  More precisely:
123  A = conj(elt)
124  B = elt.inverse()
125  C = A * B
126  D = C.Frobenius_map(2)
127  result = D * C
128  */
129 
130  const alt_bn128_Fq12 A = alt_bn128_Fq12(elt.coeffs[0], -elt.coeffs[1]);
131  const alt_bn128_Fq12 B = elt.inverse();
132  const alt_bn128_Fq12 C = A * B;
133  const alt_bn128_Fq12 D = C.Frobenius_map(2);
134  const alt_bn128_Fq12 result = D * C;
135 
136  leave_block("Call to alt_bn128_final_exponentiation_first_chunk");
137 
138  return result;
139 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_final_exponentiation_last_chunk()

alt_bn128_Fq12 libff::alt_bn128_final_exponentiation_last_chunk ( const alt_bn128_Fq12 elt)

Definition at line 155 of file alt_bn128_pairing.cpp.

157 {
158  enter_block("Call to alt_bn128_final_exponentiation_last_chunk");
159 
160  // clang-format off
161  /*
162  Follows Laura Fuentes-Castaneda et al. "Faster hashing to G2"
163  by computing:
164 
165  result = elt^(q^3 * (12*z^3 + 6z^2 + 4z - 1) +
166  q^2 * (12*z^3 + 6z^2 + 6z) +
167  q * (12*z^3 + 6z^2 + 4z) +
168  1 * (12*z^3 + 12z^2 + 6z + 1))
169  which equals
170 
171  result = elt^( 2z * ( 6z^2 + 3z + 1 ) * (q^4 - q^2 + 1)/r ).
172 
173  Using the following addition chain:
174 
175  A = exp_by_neg_z(elt) // = elt^(-z)
176  B = A^2 // = elt^(-2*z)
177  C = B^2 // = elt^(-4*z)
178  D = C * B // = elt^(-6*z)
179  E = exp_by_neg_z(D) // = elt^(6*z^2)
180  F = E^2 // = elt^(12*z^2)
181  G = epx_by_neg_z(F) // = elt^(-12*z^3)
182  H = conj(D) // = elt^(6*z)
183  I = conj(G) // = elt^(12*z^3)
184  J = I * E // = elt^(12*z^3 + 6*z^2)
185  K = J * H // = elt^(12*z^3 + 6*z^2 + 6*z)
186  L = K * B // = elt^(12*z^3 + 6*z^2 + 4*z)
187  M = K * E // = elt^(12*z^3 + 12*z^2 + 6*z)
188  N = M * elt // = elt^(12*z^3 + 12*z^2 + 6*z + 1)
189  O = L.Frobenius_map(1) // = elt^(q*(12*z^3 + 6*z^2 + 4*z))
190  P = O * N // = elt^(q*(12*z^3 + 6*z^2 + 4*z) * (12*z^3 + 12*z^2 + 6*z + 1))
191  Q = K.Frobenius_map(2) // = elt^(q^2 * (12*z^3 + 6*z^2 + 6*z))
192  R = Q * P // = elt^(q^2 * (12*z^3 + 6*z^2 + 6*z) + q*(12*z^3 + 6*z^2 + 4*z) * (12*z^3 + 12*z^2 + 6*z + 1))
193  S = conj(elt) // = elt^(-1)
194  T = S * L // = elt^(12*z^3 + 6*z^2 + 4*z - 1)
195  U = T.Frobenius_map(3) // = elt^(q^3(12*z^3 + 6*z^2 + 4*z - 1))
196  V = U * R // = elt^(q^3(12*z^3 + 6*z^2 + 4*z - 1) + q^2 * (12*z^3 + 6*z^2 + 6*z) + q*(12*z^3 + 6*z^2 + 4*z) * (12*z^3 + 12*z^2 + 6*z + 1))
197  result = V
198  */
199  // clang-format on
200 
201  const alt_bn128_Fq12 A = alt_bn128_exp_by_neg_z(elt);
202  const alt_bn128_Fq12 B = A.cyclotomic_squared();
203  const alt_bn128_Fq12 C = B.cyclotomic_squared();
204  const alt_bn128_Fq12 D = C * B;
205  const alt_bn128_Fq12 E = alt_bn128_exp_by_neg_z(D);
206  const alt_bn128_Fq12 F = E.cyclotomic_squared();
207  const alt_bn128_Fq12 G = alt_bn128_exp_by_neg_z(F);
208  const alt_bn128_Fq12 H = D.unitary_inverse();
209  const alt_bn128_Fq12 I = G.unitary_inverse();
210  const alt_bn128_Fq12 J = I * E;
211  const alt_bn128_Fq12 K = J * H;
212  const alt_bn128_Fq12 L = K * B;
213  const alt_bn128_Fq12 M = K * E;
214  const alt_bn128_Fq12 N = M * elt;
215  const alt_bn128_Fq12 O = L.Frobenius_map(1);
216  const alt_bn128_Fq12 P = O * N;
217  const alt_bn128_Fq12 Q = K.Frobenius_map(2);
218  const alt_bn128_Fq12 R = Q * P;
219  const alt_bn128_Fq12 S = elt.unitary_inverse();
220  const alt_bn128_Fq12 T = S * L;
221  const alt_bn128_Fq12 U = T.Frobenius_map(3);
222  const alt_bn128_Fq12 V = U * R;
223 
224  const alt_bn128_Fq12 result = V;
225 
226  leave_block("Call to alt_bn128_final_exponentiation_last_chunk");
227 
228  return result;
229 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_miller_loop()

alt_bn128_Fq12 libff::alt_bn128_miller_loop ( const alt_bn128_G1_precomp prec_P,
const alt_bn128_G2_precomp prec_Q 
)

Definition at line 557 of file alt_bn128_pairing.cpp.

559 {
560  return alt_bn128_ate_miller_loop(prec_P, prec_Q);
561 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_pairing()

alt_bn128_Fq12 libff::alt_bn128_pairing ( const alt_bn128_G1 P,
const alt_bn128_G2 Q 
)

Definition at line 572 of file alt_bn128_pairing.cpp.

573 {
574  return alt_bn128_ate_pairing(P, Q);
575 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_precompute_G1()

alt_bn128_G1_precomp libff::alt_bn128_precompute_G1 ( const alt_bn128_G1 P)

Definition at line 547 of file alt_bn128_pairing.cpp.

548 {
549  return alt_bn128_ate_precompute_G1(P);
550 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_precompute_G2()

alt_bn128_G2_precomp libff::alt_bn128_precompute_G2 ( const alt_bn128_G2 Q)

Definition at line 552 of file alt_bn128_pairing.cpp.

553 {
554  return alt_bn128_ate_precompute_G2(Q);
555 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ alt_bn128_reduced_pairing()

alt_bn128_GT libff::alt_bn128_reduced_pairing ( const alt_bn128_G1 P,
const alt_bn128_G2 Q 
)

Definition at line 577 of file alt_bn128_pairing.cpp.

579 {
580  return alt_bn128_ate_reduced_pairing(P, Q);
581 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ batch_exp() [1/2]

template<typename T , typename FieldT >
std::vector<T> libff::batch_exp ( const size_t  scalar_size,
const size_t  window,
const window_table< T > &  table,
const std::vector< FieldT > &  v 
)

◆ batch_exp() [2/2]

template<typename T , typename FieldT >
std::vector<T> libff::batch_exp ( const size_t  scalar_size,
const size_t  window,
const window_table< T > &  table,
const std::vector< FieldT > &  v,
size_t  num_entries 
)

◆ batch_exp_with_coeff()

template<typename T , typename FieldT >
std::vector<T> libff::batch_exp_with_coeff ( const size_t  scalar_size,
const size_t  window,
const window_table< T > &  table,
const FieldT &  coeff,
const std::vector< FieldT > &  v 
)

◆ batch_invert()

template<typename FieldT >
void libff::batch_invert ( std::vector< FieldT > &  vec)

◆ batch_to_special()

template<typename T >
void libff::batch_to_special ( std::vector< T > &  vec)

◆ bigint_from_hex()

template<typename BigIntT >
void libff::bigint_from_hex ( BigIntT &  v,
const std::string &  hex 
)

◆ bigint_to_hex()

template<typename BigIntT >
std::string libff::bigint_to_hex ( const BigIntT &  v,
bool  prefix = false 
)

◆ bitreverse()

size_t libff::bitreverse ( size_t  n,
const size_t  l 
)

Definition at line 59 of file utils.cpp.

60 {
61  size_t r = 0;
62  for (size_t k = 0; k < l; ++k) {
63  r = (r << 1) | (n & 1);
64  n >>= 1;
65  }
66  return r;
67 }

◆ bls12_377_affine_reduced_pairing()

bls12_377_GT libff::bls12_377_affine_reduced_pairing ( const bls12_377_G1 P,
const bls12_377_G2 Q 
)

◆ bls12_377_ate_double_miller_loop()

bls12_377_Fq12 libff::bls12_377_ate_double_miller_loop ( const bls12_377_ate_G1_precomp prec_P1,
const bls12_377_ate_G2_precomp prec_Q1,
const bls12_377_ate_G1_precomp prec_P2,
const bls12_377_ate_G2_precomp prec_Q2 
)

Definition at line 465 of file bls12_377_pairing.cpp.

470 {
471  enter_block("Call to bls12_377_ate_double_miller_loop");
472 
473  bls12_377_Fq12 f = bls12_377_Fq12::one();
474 
475  bool found_one = false;
476  size_t idx = 0;
477 
478  const bigint<bls12_377_Fq::num_limbs> &loop_count =
479  bls12_377_ate_loop_count;
480  for (long i = loop_count.max_bits(); i >= 0; --i) {
481  const bool bit = loop_count.test_bit(i);
482  if (!found_one) {
483  // This skips the MSB itself
484  found_one |= bit;
485  continue;
486  }
487 
488  // The code below gets executed for all bits (EXCEPT the MSB itself)
489  // of the binary representation of bls12_377_ate_loop_count
490  // (skipping leading zeros) in MSB to LSB order
491  bls12_377_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
492  bls12_377_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
493  ++idx;
494 
495  f = f.squared();
496 
497  f = f.mul_by_024(
498  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
499  f = f.mul_by_024(
500  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
501 
502  if (bit) {
503  bls12_377_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
504  bls12_377_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
505  ++idx;
506 
507  f = f.mul_by_024(
508  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
509  f = f.mul_by_024(
510  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
511  }
512  }
513 
514  leave_block("Call to bls12_377_ate_double_miller_loop");
515 
516  return f;
517 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_ate_miller_loop()

bls12_377_Fq12 libff::bls12_377_ate_miller_loop ( const bls12_377_ate_G1_precomp prec_P,
const bls12_377_ate_G2_precomp prec_Q 
)

Definition at line 408 of file bls12_377_pairing.cpp.

411 {
412  enter_block("Call to bls12_377_ate_miller_loop");
413 
414  bls12_377_Fq12 f = bls12_377_Fq12::one();
415 
416  bool found_one = false;
417  size_t idx = 0;
418 
419  const bigint<bls12_377_Fq::num_limbs> &loop_count =
420  bls12_377_ate_loop_count;
421  bls12_377_ate_ell_coeffs c;
422 
423  // Added for DEBUG purpose
424  // TODO: Remove the 2 variables below
425  int nb_double = 0;
426  int nb_add = 0;
427 
428  // The loop length of the Miller algorithm is floor(log_2(u)), where
429  // u is the "curve parameter" used to sample the curve from the
430  // BLS12 family
431  for (long i = loop_count.max_bits(); i >= 0; --i) {
432  const bool bit = loop_count.test_bit(i);
433  if (!found_one) {
434  // This skips the MSB itself
435  found_one |= bit;
436  continue;
437  }
438 
439  // The code below gets executed for all bits (EXCEPT the MSB itself)
440  // of the binary representation of bls12_377_ate_loop_count
441  // (skipping leading zeros) in MSB to LSB order
442  c = prec_Q.coeffs[idx++];
443  f = f.squared();
444  // Sparse multiplication in Fq12
445  f = f.mul_by_024(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
446  nb_double++;
447 
448  if (bit) {
449  c = prec_Q.coeffs[idx++];
450  f = f.mul_by_024(
451  c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
452  nb_add++;
453  }
454  }
455 
456  // Note: bls12_377_ate_is_loop_count_neg = false BUT this is not the case
457  // for BLS12-381!
458 
459  std::cout << "[DEBUG] NB_DOUBLE (Should be 63): " << nb_double
460  << " NB_ADD (Should be 7): " << nb_add << std::endl;
461  leave_block("Call to bls12_377_ate_miller_loop");
462  return f;
463 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_ate_pairing()

bls12_377_Fq12 libff::bls12_377_ate_pairing ( const bls12_377_G1 P,
const bls12_377_G2 Q 
)

Definition at line 519 of file bls12_377_pairing.cpp.

521 {
522  enter_block("Call to bls12_377_ate_pairing");
523  bls12_377_ate_G1_precomp prec_P = bls12_377_ate_precompute_G1(P);
524  bls12_377_ate_G2_precomp prec_Q = bls12_377_ate_precompute_G2(Q);
525  bls12_377_Fq12 result = bls12_377_ate_miller_loop(prec_P, prec_Q);
526  leave_block("Call to bls12_377_ate_pairing");
527  return result;
528 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_ate_precompute_G1()

bls12_377_ate_G1_precomp libff::bls12_377_ate_precompute_G1 ( const bls12_377_G1 P)

Definition at line 333 of file bls12_377_pairing.cpp.

334 {
335  enter_block("Call to bls12_377_ate_precompute_G1");
336 
337  bls12_377_G1 Pcopy = P;
338  Pcopy.to_affine_coordinates();
339 
340  bls12_377_ate_G1_precomp result;
341  result.PX = Pcopy.X;
342  result.PY = Pcopy.Y;
343 
344  leave_block("Call to bls12_377_ate_precompute_G1");
345  return result;
346 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_ate_precompute_G2()

bls12_377_ate_G2_precomp libff::bls12_377_ate_precompute_G2 ( const bls12_377_G2 Q)

Definition at line 363 of file bls12_377_pairing.cpp.

364 {
365  enter_block("Call to bls12_377_ate_precompute_G2");
366 
367  bls12_377_G2 Qcopy(Q);
368  Qcopy.to_affine_coordinates();
369 
370  // could add to global params if needed
371  bls12_377_Fq two_inv = (bls12_377_Fq("2").inverse());
372 
373  bls12_377_ate_G2_precomp result;
374  result.QX = Qcopy.X;
375  result.QY = Qcopy.Y;
376 
377  bls12_377_G2 R;
378  R.X = Qcopy.X;
379  R.Y = Qcopy.Y;
380  R.Z = bls12_377_Fq2::one();
381 
382  const bigint<bls12_377_Fq::num_limbs> &loop_count =
383  bls12_377_ate_loop_count;
384  bool found_one = false;
385  bls12_377_ate_ell_coeffs c;
386 
387  for (long i = loop_count.max_bits(); i >= 0; --i) {
388  const bool bit = loop_count.test_bit(i);
389  if (!found_one) {
390  // This skips the MSB itself
391  found_one |= bit;
392  continue;
393  }
394 
395  bls12_377_doubling_step_for_miller_loop(two_inv, R, c);
396  result.coeffs.push_back(c);
397 
398  if (bit) {
399  bls12_377_mixed_addition_step_for_miller_loop(Qcopy, R, c);
400  result.coeffs.push_back(c);
401  }
402  }
403 
404  leave_block("Call to bls12_377_ate_precompute_G2");
405  return result;
406 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_ate_reduced_pairing()

bls12_377_GT libff::bls12_377_ate_reduced_pairing ( const bls12_377_G1 P,
const bls12_377_G2 Q 
)

Definition at line 530 of file bls12_377_pairing.cpp.

532 {
533  enter_block("Call to bls12_377_ate_reduced_pairing");
534  const bls12_377_Fq12 f = bls12_377_ate_pairing(P, Q);
535  const bls12_377_GT result = bls12_377_final_exponentiation(f);
536  leave_block("Call to bls12_377_ate_reduced_pairing");
537  return result;
538 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_double_miller_loop()

bls12_377_Fq12 libff::bls12_377_double_miller_loop ( const bls12_377_G1_precomp prec_P1,
const bls12_377_G2_precomp prec_Q1,
const bls12_377_G1_precomp prec_P2,
const bls12_377_G2_precomp prec_Q2 
)

Definition at line 558 of file bls12_377_pairing.cpp.

563 {
564  return bls12_377_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
565 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_doubling_step_for_miller_loop()

void libff::bls12_377_doubling_step_for_miller_loop ( const bls12_377_Fq  two_inv,
bls12_377_G2 current,
bls12_377_ate_ell_coeffs c 
)

Definition at line 239 of file bls12_377_pairing.cpp.

243 {
244  // Below we assume that `current` = (X, Y, Z) \in E'(Fp2) is a point
245  // in homogeneous projective coordinates.
246  const bls12_377_Fq2 X = current.X, Y = current.Y, Z = current.Z;
247 
248  // Compute the line function
249 
250  // A = (X * Y)/ 2
251  const bls12_377_Fq2 A = two_inv * (X * Y);
252  // B = Y^2
253  const bls12_377_Fq2 B = Y.squared();
254  // C = Z^2
255  const bls12_377_Fq2 C = Z.squared();
256  // D = 3 * C
257  const bls12_377_Fq2 D = C + C + C;
258  // E = bls12_377_twist_coeff_b * D
259  const bls12_377_Fq2 E = bls12_377_twist_coeff_b * D;
260  // F = 3 * E
261  const bls12_377_Fq2 F = E + E + E;
262  // G = (B + F)/2
263  const bls12_377_Fq2 G = two_inv * (B + F);
264  // H = (Y + Z)^2 - (B + C) = 2YZ
265  const bls12_377_Fq2 H = (Y + Z).squared() - (B + C);
266  // I = E - B
267  const bls12_377_Fq2 I = E - B;
268  // J = X^2
269  const bls12_377_Fq2 J = X.squared();
270  // E_squared = E^2
271  const bls12_377_Fq2 E_squared = E.squared();
272 
273  // X = A * (B-F)
274  // = ((X * Y)/ 2) * (Y^2 - 3 * (bls12_377_twist_coeff_b * 3 * Z^2)
275  // = ((X * Y)/ 2) * (Y^2 - 9 * (bls12_377_twist_coeff_b * Z^2)
276  current.X = A * (B - F);
277  // Y = G^2 - 3*E^2
278  // = (Y^2 + 9 * bls12_377_twist_coeff_b * Z^2)/2 -
279  // 27*(bls12_377_twist_coeff_b^2 * Z^4)
280  current.Y = G.squared() - (E_squared + E_squared + E_squared);
281  // Z = B * H
282  // = Y^2 * 2YZ
283  // = 2Y^3 * Z
284  current.Z = B * H;
285 
286  // Note: We use a D-type twist
287  //
288  // See: Equation (2) https://eprint.iacr.org/2010/526.pdf
289  //
290  // The tangent line evaluated at the twisting point P = (x_p, y_p) is
291  // computed as:
292  // (-2YZ*y_p)vw + <-- -H
293  // (3*X^2 * x_p) * v^2 + <-- 3*J
294  // bls12_377_twist * bls12_377_twist * <-- bls12_377_twist * I
295  // (3*bls12_377_twist_coeff_b*Z^2 - Y^2)
296  c.ell_VW = -H;
297  c.ell_VV = J + J + J;
298  c.ell_0 = bls12_377_twist * I;
299 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_exp_by_z()

bls12_377_Fq12 libff::bls12_377_exp_by_z ( const bls12_377_Fq12 elt)

Definition at line 137 of file bls12_377_pairing.cpp.

138 {
139  enter_block("Call to bls12_377_exp_by_z");
140 
141  bls12_377_Fq12 result = elt.cyclotomic_exp(bls12_377_final_exponent_z);
142  if (bls12_377_final_exponent_is_z_neg) {
143  result = result.unitary_inverse();
144  }
145 
146  leave_block("Call to bls12_377_exp_by_z");
147 
148  return result;
149 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_final_exponentiation()

bls12_377_GT libff::bls12_377_final_exponentiation ( const bls12_377_Fq12 elt)

Definition at line 217 of file bls12_377_pairing.cpp.

218 {
219  // We know that:
220  // (p^12 - 1) / r = (p^6 - 1) (p^2 + 1) ((p^4 - p^2 + 1) / r)
221  // |_________________| |__________________|
222  // easy part hard part
223  // where:
224  // sage: cyclotomic_polynomial(12) # = x^4 - x^2 + 1
225  enter_block("Call to bls12_377_final_exponentiation");
226 
227  // Compute the easy part
228  bls12_377_Fq12 first = bls12_377_final_exponentiation_first_chunk(elt);
229  // Finish the final exponentiation by computing the hard part
230  bls12_377_GT result = bls12_377_final_exponentiation_last_chunk(first);
231 
232  leave_block("Call to bls12_377_final_exponentiation");
233 
234  return result;
235 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_final_exponentiation_first_chunk()

bls12_377_Fq12 libff::bls12_377_final_exponentiation_first_chunk ( const bls12_377_Fq12 elt)

Definition at line 109 of file bls12_377_pairing.cpp.

111 {
112  // The content of this file follows: https://eprint.iacr.org/2016/130.pdf
113  //
114  // Note: in the alt_bn_128 implementation the libff authors used a trick by
115  // Beuchat et al. to compute the first chunk of the exponentiation which
116  // seems faster. Look into that and use it if it applies here too.
117  //
118  // TODO: Look into this.
119  enter_block("Call to bls12_377_final_exponentiation_first_chunk");
120 
121  // elt^(q^6)
122  const bls12_377_Fq12 A = elt.Frobenius_map(6);
123  // elt^(-1)
124  const bls12_377_Fq12 B = elt.inverse();
125  // elt^(q^6 - 1)
126  const bls12_377_Fq12 C = A * B;
127  // (elt^(q^6 - 1))^(q^2) = elt^((q^6 - 1) * (q^2))
128  const bls12_377_Fq12 D = C.Frobenius_map(2);
129  // elt^((q^6 - 1) * (q^2) + (q^6 - 1)) = elt^((q^6 - 1) * (q^2 + 1))
130  const bls12_377_Fq12 result = D * C;
131 
132  leave_block("Call to bls12_377_final_exponentiation_first_chunk");
133 
134  return result;
135 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_final_exponentiation_last_chunk()

bls12_377_Fq12 libff::bls12_377_final_exponentiation_last_chunk ( const bls12_377_Fq12 elt)

Definition at line 151 of file bls12_377_pairing.cpp.

153 {
154  enter_block("Call to bls12_377_final_exponentiation_last_chunk");
155 
156  // In the following, we follow the Algorithm 1 described in Table 1 of:
157  // https://eprint.iacr.org/2016/130.pdf in order to compute the
158  // hard part of the final exponentiation
159  //
160  // Note: As shown Table 3: https://eprint.iacr.org/2016/130.pdf this
161  // algorithm isn't optimal since Algorithm 2 allows to have less temp.
162  // variables and has a better complexity.
163  //
164  // In the following we denote by [x] = elt^(x):
165  // A = [-2]
166  const bls12_377_Fq12 A = elt.cyclotomic_squared().unitary_inverse();
167  // B = [z]
168  const bls12_377_Fq12 B = bls12_377_exp_by_z(elt);
169  // C = [2z]
170  const bls12_377_Fq12 C = B.cyclotomic_squared();
171  // D = [z-2]
172  const bls12_377_Fq12 D = A * B;
173  // E = [z^2-2z]
174  const bls12_377_Fq12 E = bls12_377_exp_by_z(D);
175  // F = [z^3-2z^2]
176  const bls12_377_Fq12 F = bls12_377_exp_by_z(E);
177  // G = [z^4-2z^3]
178  const bls12_377_Fq12 G = bls12_377_exp_by_z(F);
179  // H = [z^4-2z^3+2z]
180  const bls12_377_Fq12 H = G * C;
181  // I = [z^5-2z^4+2z^2]
182  const bls12_377_Fq12 I = bls12_377_exp_by_z(H);
183  // J = [-z+2]
184  const bls12_377_Fq12 J = D.unitary_inverse();
185  // K = [z^5-2z^4+2z^2-z+2]
186  const bls12_377_Fq12 K = I * J;
187  // L = [z^5-2z^4+2z^2-z+3] = [\lambda_0]
188  const bls12_377_Fq12 L = K * elt;
189  // M = [-1]
190  const bls12_377_Fq12 M = elt.unitary_inverse();
191  // N = [z^2-2z+1] = [\lambda_3]
192  const bls12_377_Fq12 N = E * elt;
193  // O = [(z^2-2z+1) * (q^3)]
194  const bls12_377_Fq12 O = N.Frobenius_map(3);
195  // P = [z^4-2z^3+2z-1] = [\lambda_1]
196  const bls12_377_Fq12 P = H * M;
197  // Q = [(z^4-2z^3+2z-1) * q]
198  const bls12_377_Fq12 Q = P.Frobenius_map(1);
199  // R = [z^3-2z^2+z] = [\lambda_2]
200  const bls12_377_Fq12 R = F * B;
201  // S = [(z^3-2z^2+z) * (q^2)]
202  const bls12_377_Fq12 S = R.Frobenius_map(2);
203  // T = [(z^2-2z+1) * (q^3) + (z^3-2z^2+z) * (q^2)]
204  const bls12_377_Fq12 T = O * S;
205  // U = [(z^2-2z+1) * (q^3) + (z^3-2z^2+z) * (q^2) + (z^4-2z^3+2z-1) * q]
206  const bls12_377_Fq12 U = T * Q;
207  // result = [(z^2-2z+1) * (q^3) + (z^3-2z^2+z) * (q^2) + (z^4-2z^3+2z-1) * q
208  // + z^5-2z^4+2z^2-z+3]
209  // = [(p^4 - p^2 + 1)/r].
210  const bls12_377_Fq12 result = U * L;
211 
212  leave_block("Call to bls12_377_final_exponentiation_last_chunk");
213 
214  return result;
215 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_miller_loop()

bls12_377_Fq12 libff::bls12_377_miller_loop ( const bls12_377_G1_precomp prec_P,
const bls12_377_G2_precomp prec_Q 
)

Definition at line 552 of file bls12_377_pairing.cpp.

554 {
555  return bls12_377_ate_miller_loop(prec_P, prec_Q);
556 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_mixed_addition_step_for_miller_loop()

void libff::bls12_377_mixed_addition_step_for_miller_loop ( const bls12_377_G2 base,
bls12_377_G2 current,
bls12_377_ate_ell_coeffs c 
)

Definition at line 301 of file bls12_377_pairing.cpp.

305 {
306  const bls12_377_Fq2 &X1 = current.X, &Y1 = current.Y, &Z1 = current.Z;
307  const bls12_377_Fq2 &X2 = base.X, &Y2 = base.Y;
308 
309  const bls12_377_Fq2 A = Y2 * Z1;
310  const bls12_377_Fq2 B = X2 * Z1;
311  const bls12_377_Fq2 theta = Y1 - A;
312  const bls12_377_Fq2 lambda = X1 - B;
313  const bls12_377_Fq2 C = theta.squared();
314  const bls12_377_Fq2 D = lambda.squared();
315  const bls12_377_Fq2 E = lambda * D;
316  const bls12_377_Fq2 F = Z1 * C;
317  const bls12_377_Fq2 G = X1 * D;
318  const bls12_377_Fq2 H = E + F - (G + G);
319  const bls12_377_Fq2 I = Y1 * E;
320  const bls12_377_Fq2 J = theta * X2 - lambda * Y2;
321 
322  current.X = lambda * H;
323  current.Y = theta * (G - H) - I;
324  current.Z = Z1 * E;
325 
326  c.ell_0 = bls12_377_twist * J;
327  // VV gets multiplied to xP during line evaluation at P
328  c.ell_VV = -theta;
329  // VW gets multiplied to yP during line evaluation at P
330  c.ell_VW = lambda;
331 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_pairing()

bls12_377_Fq12 libff::bls12_377_pairing ( const bls12_377_G1 P,
const bls12_377_G2 Q 
)

Definition at line 567 of file bls12_377_pairing.cpp.

568 {
569  return bls12_377_ate_pairing(P, Q);
570 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_precompute_G1()

bls12_377_G1_precomp libff::bls12_377_precompute_G1 ( const bls12_377_G1 P)

Definition at line 542 of file bls12_377_pairing.cpp.

543 {
544  return bls12_377_ate_precompute_G1(P);
545 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_precompute_G2()

bls12_377_G2_precomp libff::bls12_377_precompute_G2 ( const bls12_377_G2 Q)

Definition at line 547 of file bls12_377_pairing.cpp.

548 {
549  return bls12_377_ate_precompute_G2(Q);
550 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_377_reduced_pairing()

bls12_377_GT libff::bls12_377_reduced_pairing ( const bls12_377_G1 P,
const bls12_377_G2 Q 
)

Definition at line 572 of file bls12_377_pairing.cpp.

574 {
575  return bls12_377_ate_reduced_pairing(P, Q);
576 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_affine_reduced_pairing()

bls12_381_GT libff::bls12_381_affine_reduced_pairing ( const bls12_381_G1 P,
const bls12_381_G2 Q 
)

◆ bls12_381_ate_double_miller_loop()

bls12_381_Fq12 libff::bls12_381_ate_double_miller_loop ( const bls12_381_ate_G1_precomp prec_P1,
const bls12_381_ate_G2_precomp prec_Q1,
const bls12_381_ate_G1_precomp prec_P2,
const bls12_381_ate_G2_precomp prec_Q2 
)

Definition at line 415 of file bls12_381_pairing.cpp.

420 {
421  enter_block("Call to bls12_381_ate_double_miller_loop");
422 
423  bls12_381_Fq12 f = bls12_381_Fq12::one();
424 
425  bool found_one = false;
426  size_t idx = 0;
427 
428  const bigint<bls12_381_Fq::num_limbs> &loop_count =
429  bls12_381_ate_loop_count;
430  for (long i = loop_count.max_bits(); i >= 0; --i) {
431  const bool bit = loop_count.test_bit(i);
432  if (!found_one) {
433  /* this skips the MSB itself */
434  found_one |= bit;
435  continue;
436  }
437 
438  /* code below gets executed for all bits (EXCEPT the MSB itself) of
439  bls12_381_param_p (skipping leading zeros) in MSB to LSB
440  order */
441 
442  bls12_381_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
443  bls12_381_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
444  ++idx;
445 
446  f = f.squared();
447 
448  f = f.mul_by_045(
449  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
450  f = f.mul_by_045(
451  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
452 
453  if (bit) {
454  bls12_381_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
455  bls12_381_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
456  ++idx;
457 
458  f = f.mul_by_045(
459  c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
460  f = f.mul_by_045(
461  c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
462  }
463  }
464 
465  if (bls12_381_ate_is_loop_count_neg) {
466  f = f.inverse();
467  }
468 
469  leave_block("Call to bls12_381_ate_double_miller_loop");
470 
471  return f;
472 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_ate_miller_loop()

bls12_381_Fq12 libff::bls12_381_ate_miller_loop ( const bls12_381_ate_G1_precomp prec_P,
const bls12_381_ate_G2_precomp prec_Q 
)

Definition at line 369 of file bls12_381_pairing.cpp.

372 {
373  enter_block("Call to bls12_381_ate_miller_loop");
374 
375  bls12_381_Fq12 f = bls12_381_Fq12::one();
376 
377  bool found_one = false;
378  size_t idx = 0;
379 
380  const bigint<bls12_381_Fq::num_limbs> &loop_count =
381  bls12_381_ate_loop_count;
382  bls12_381_ate_ell_coeffs c;
383 
384  for (long i = loop_count.max_bits(); i >= 0; --i) {
385  const bool bit = loop_count.test_bit(i);
386  if (!found_one) {
387  /* this skips the MSB itself */
388  found_one |= bit;
389  continue;
390  }
391 
392  /* code below gets executed for all bits (EXCEPT the MSB itself) of
393  bls12_381_param_p (skipping leading zeros) in MSB to LSB
394  order */
395 
396  c = prec_Q.coeffs[idx++];
397  f = f.squared();
398  f = f.mul_by_045(c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
399 
400  if (bit) {
401  c = prec_Q.coeffs[idx++];
402  f = f.mul_by_045(
403  c.ell_0, prec_P.PY * c.ell_VW, prec_P.PX * c.ell_VV);
404  }
405  }
406 
407  if (bls12_381_ate_is_loop_count_neg) {
408  f = f.inverse();
409  }
410 
411  leave_block("Call to bls12_381_ate_miller_loop");
412  return f;
413 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_ate_pairing()

bls12_381_Fq12 libff::bls12_381_ate_pairing ( const bls12_381_G1 P,
const bls12_381_G2 Q 
)

Definition at line 474 of file bls12_381_pairing.cpp.

476 {
477  enter_block("Call to bls12_381_ate_pairing");
478  bls12_381_ate_G1_precomp prec_P = bls12_381_ate_precompute_G1(P);
479  bls12_381_ate_G2_precomp prec_Q = bls12_381_ate_precompute_G2(Q);
480  bls12_381_Fq12 result = bls12_381_ate_miller_loop(prec_P, prec_Q);
481  leave_block("Call to bls12_381_ate_pairing");
482  return result;
483 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_ate_precompute_G1()

bls12_381_ate_G1_precomp libff::bls12_381_ate_precompute_G1 ( const bls12_381_G1 P)

Definition at line 309 of file bls12_381_pairing.cpp.

310 {
311  enter_block("Call to bls12_381_ate_precompute_G1");
312 
313  bls12_381_G1 Pcopy = P;
314  Pcopy.to_affine_coordinates();
315 
316  bls12_381_ate_G1_precomp result;
317  result.PX = Pcopy.X;
318  result.PY = Pcopy.Y;
319 
320  leave_block("Call to bls12_381_ate_precompute_G1");
321  return result;
322 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_ate_precompute_G2()

bls12_381_ate_G2_precomp libff::bls12_381_ate_precompute_G2 ( const bls12_381_G2 Q)

Definition at line 324 of file bls12_381_pairing.cpp.

325 {
326  enter_block("Call to bls12_381_ate_precompute_G2");
327 
328  bls12_381_G2 Qcopy(Q);
329  Qcopy.to_affine_coordinates();
330 
331  // could add to global params if needed
332  bls12_381_Fq two_inv = (bls12_381_Fq("2").inverse());
333 
334  bls12_381_ate_G2_precomp result;
335  result.QX = Qcopy.X;
336  result.QY = Qcopy.Y;
337 
338  bls12_381_G2 R;
339  R.X = Qcopy.X;
340  R.Y = Qcopy.Y;
341  R.Z = bls12_381_Fq2::one();
342 
343  const bigint<bls12_381_Fq::num_limbs> &loop_count =
344  bls12_381_ate_loop_count;
345  bool found_one = false;
346  bls12_381_ate_ell_coeffs c;
347 
348  for (long i = loop_count.max_bits(); i >= 0; --i) {
349  const bool bit = loop_count.test_bit(i);
350  if (!found_one) {
351  /* this skips the MSB itself */
352  found_one |= bit;
353  continue;
354  }
355 
356  bls12_381_doubling_step_for_miller_loop(two_inv, R, c);
357  result.coeffs.push_back(c);
358 
359  if (bit) {
360  bls12_381_mixed_addition_step_for_miller_loop(Qcopy, R, c);
361  result.coeffs.push_back(c);
362  }
363  }
364 
365  leave_block("Call to bls12_381_ate_precompute_G2");
366  return result;
367 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_ate_reduced_pairing()

bls12_381_GT libff::bls12_381_ate_reduced_pairing ( const bls12_381_G1 P,
const bls12_381_G2 Q 
)

Definition at line 485 of file bls12_381_pairing.cpp.

487 {
488  enter_block("Call to bls12_381_ate_reduced_pairing");
489  const bls12_381_Fq12 f = bls12_381_ate_pairing(P, Q);
490  const bls12_381_GT result = bls12_381_final_exponentiation(f);
491  leave_block("Call to bls12_381_ate_reduced_pairing");
492  return result;
493 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_double_miller_loop()

bls12_381_Fq12 libff::bls12_381_double_miller_loop ( const bls12_381_G1_precomp prec_P1,
const bls12_381_G2_precomp prec_Q1,
const bls12_381_G1_precomp prec_P2,
const bls12_381_G2_precomp prec_Q2 
)

Definition at line 513 of file bls12_381_pairing.cpp.

518 {
519  return bls12_381_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
520 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_doubling_step_for_miller_loop()

void libff::bls12_381_doubling_step_for_miller_loop ( const bls12_381_Fq  two_inv,
bls12_381_G2 current,
bls12_381_ate_ell_coeffs c 
)

Definition at line 230 of file bls12_381_pairing.cpp.

234 {
235  const bls12_381_Fq2 X = current.X, Y = current.Y, Z = current.Z;
236 
237  // A = X1 * Y1 / 2
238  const bls12_381_Fq2 A = two_inv * (X * Y);
239  // B = Y1^2
240  const bls12_381_Fq2 B = Y.squared();
241  // C = Z1^2
242  const bls12_381_Fq2 C = Z.squared();
243  // D = 3 * C
244  const bls12_381_Fq2 D = C + C + C;
245  // E = twist_b * D
246  const bls12_381_Fq2 E = bls12_381_twist_coeff_b * D;
247  // F = 3 * E
248  const bls12_381_Fq2 F = E + E + E;
249  // G = (B+F)/2
250  const bls12_381_Fq2 G = two_inv * (B + F);
251  // H = (Y1+Z1)^2-(B+C)
252  const bls12_381_Fq2 H = (Y + Z).squared() - (B + C);
253  // I = E-B
254  const bls12_381_Fq2 I = E - B;
255  // J = X1^2
256  const bls12_381_Fq2 J = X.squared();
257  // E_squared = E^2
258  const bls12_381_Fq2 E_squared = E.squared();
259 
260  // X3 = A * (B-F)
261  current.X = A * (B - F);
262  // Y3 = G^2 - 3*E^2
263  current.Y = G.squared() - (E_squared + E_squared + E_squared);
264  // Z3 = B * H
265  current.Z = B * H;
266  // ell_0 = xi * I
267  c.ell_0 = I;
268  // ell_VW = - H (later: * yP)
269  c.ell_VW = -bls12_381_twist * H;
270  // ell_VV = 3*J (later: * xP)
271  c.ell_VV = J + J + J;
272 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_exp_by_z()

bls12_381_Fq12 libff::bls12_381_exp_by_z ( const bls12_381_Fq12 elt)

Definition at line 142 of file bls12_381_pairing.cpp.

143 {
144  enter_block("Call to bls12_381_exp_by_z");
145 
146  bls12_381_Fq12 result = elt.cyclotomic_exp(bls12_381_final_exponent_z);
147  if (bls12_381_final_exponent_is_z_neg) {
148  result = result.unitary_inverse();
149  }
150 
151  leave_block("Call to bls12_381_exp_by_z");
152 
153  return result;
154 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_final_exponentiation()

bls12_381_GT libff::bls12_381_final_exponentiation ( const bls12_381_Fq12 elt)

Definition at line 215 of file bls12_381_pairing.cpp.

216 {
217  enter_block("Call to bls12_381_final_exponentiation");
218  /* OLD naive version:
219  bls12_381_GT result = elt^bls12_381_final_exponent;
220  */
221  bls12_381_Fq12 first = bls12_381_final_exponentiation_first_chunk(elt);
222  bls12_381_GT result = bls12_381_final_exponentiation_last_chunk(first);
223 
224  leave_block("Call to bls12_381_final_exponentiation");
225  return result;
226 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_final_exponentiation_first_chunk()

bls12_381_Fq12 libff::bls12_381_final_exponentiation_first_chunk ( const bls12_381_Fq12 elt)

Definition at line 114 of file bls12_381_pairing.cpp.

116 {
117  enter_block("Call to bls12_381_final_exponentiation_first_chunk");
118 
119  /*
120  Computes result = elt^((q^6-1)*(q^2+1)).
121  Follows, e.g., Beuchat et al page 9, by computing result as follows:
122  elt^((q^6-1)*(q^2+1)) = (conj(elt) * elt^(-1))^(q^2+1)
123  More precisely:
124  A = conj(elt)
125  B = elt.inverse()
126  C = A * B
127  D = C.Frobenius_map(2)
128  result = D * C
129  */
130 
131  const bls12_381_Fq12 A = bls12_381_Fq12(elt.coeffs[0], -elt.coeffs[1]);
132  const bls12_381_Fq12 B = elt.inverse();
133  const bls12_381_Fq12 C = A * B;
134  const bls12_381_Fq12 D = C.Frobenius_map(2);
135  const bls12_381_Fq12 result = D * C;
136 
137  leave_block("Call to bls12_381_final_exponentiation_first_chunk");
138 
139  return result;
140 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_final_exponentiation_last_chunk()

bls12_381_Fq12 libff::bls12_381_final_exponentiation_last_chunk ( const bls12_381_Fq12 elt)

Definition at line 156 of file bls12_381_pairing.cpp.

158 {
159  enter_block("Call to bls12_381_final_exponentiation_last_chunk");
160 
161  // https://eprint.iacr.org/2016/130.pdf (Algorithm 1 described in Table 1)
162  // elt^(-2)
163  const bls12_381_Fq12 A = elt.cyclotomic_squared().unitary_inverse();
164  // elt^z
165  const bls12_381_Fq12 B = bls12_381_exp_by_z(elt);
166  // elt^(2z)
167  const bls12_381_Fq12 C = B.cyclotomic_squared();
168  // elt^(z-2)
169  const bls12_381_Fq12 D = A * B;
170  // elt^(z^2-2z)
171  const bls12_381_Fq12 E = bls12_381_exp_by_z(D);
172  // elt^(z^3-2z^2)
173  const bls12_381_Fq12 F = bls12_381_exp_by_z(E);
174  // elt^(z^4-2z^3)
175  const bls12_381_Fq12 G = bls12_381_exp_by_z(F);
176  // elt^(z^4-2z^3+2z)
177  const bls12_381_Fq12 H = G * C;
178  // elt^(z^5-2z^4+2z^2)
179  const bls12_381_Fq12 I = bls12_381_exp_by_z(H);
180  // elt^(-z+2)
181  const bls12_381_Fq12 J = D.unitary_inverse();
182  // elt^(z^5-2z^4+2z^2) * elt^(-z+2)
183  const bls12_381_Fq12 K = J * I;
184  // elt^(z^5-2z^4+2z^2) * elt^(-z+2) * elt
185  const bls12_381_Fq12 L = elt * K;
186  // elt^(-1)
187  const bls12_381_Fq12 M = elt.unitary_inverse();
188  // elt^(z^2-2z) * elt
189  const bls12_381_Fq12 N = E * elt;
190  // (elt^(z^2-2z) * elt)^(q^3)
191  const bls12_381_Fq12 O = N.Frobenius_map(3);
192  // elt^(z^4-2z^3+2z) * elt^(-1)
193  const bls12_381_Fq12 P = H * M;
194  // (elt^(z^4-2z^3+2z) * elt^(-1))^q
195  const bls12_381_Fq12 Q = P.Frobenius_map(1);
196  // elt^(z^3-2z^2) * elt^z
197  const bls12_381_Fq12 R = B * F;
198  // (elt^(z^3-2z^2) * elt^z)^(q^2)
199  const bls12_381_Fq12 S = R.Frobenius_map(2);
200  // (elt^(z^2-2z) * elt)^(q^3) * (elt^(z^3-2z^2) * elt^z)^(q^2)
201  const bls12_381_Fq12 T = S * O;
202  // (elt^(z^2-2z) * elt)^(q^3) * (elt^(z^3-2z^2) * elt^z)^(q^2) *
203  // (elt^(z^4-2z^3+2z) * elt^(-1))^q
204  const bls12_381_Fq12 U = T * Q;
205  // (elt^(z^2-2z) * elt)^(q^3) * (elt^(z^3-2z^2) * elt^z)^(q^2) *
206  // (elt^(z^4-2z^3+2z) * elt^(-1))^q * elt^(z^5-2z^4+2z^2) *
207  // elt^(-z+2) * elt
208  const bls12_381_Fq12 result = U * L;
209 
210  leave_block("Call to bls12_381_final_exponentiation_last_chunk");
211 
212  return result;
213 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_miller_loop()

bls12_381_Fq12 libff::bls12_381_miller_loop ( const bls12_381_G1_precomp prec_P,
const bls12_381_G2_precomp prec_Q 
)

Definition at line 507 of file bls12_381_pairing.cpp.

509 {
510  return bls12_381_ate_miller_loop(prec_P, prec_Q);
511 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_mixed_addition_step_for_miller_loop()

void libff::bls12_381_mixed_addition_step_for_miller_loop ( const bls12_381_G2  base,
bls12_381_G2 current,
bls12_381_ate_ell_coeffs c 
)

Definition at line 274 of file bls12_381_pairing.cpp.

276 {
277  const bls12_381_Fq2 X1 = current.X, Y1 = current.Y, Z1 = current.Z;
278  const bls12_381_Fq2 &x2 = base.X, &y2 = base.Y;
279 
280  // D = X1 - X2*Z1
281  const bls12_381_Fq2 D = X1 - x2 * Z1;
282  // E = Y1 - Y2*Z1
283  const bls12_381_Fq2 E = Y1 - y2 * Z1;
284  // F = D^2
285  const bls12_381_Fq2 F = D.squared();
286  // G = E^2
287  const bls12_381_Fq2 G = E.squared();
288  // H = D*F
289  const bls12_381_Fq2 H = D * F;
290  // I = X1 * F
291  const bls12_381_Fq2 I = X1 * F;
292  // J = H + Z1*G - (I+I)
293  const bls12_381_Fq2 J = H + Z1 * G - (I + I);
294 
295  // X3 = D*J
296  current.X = D * J;
297  // Y3 = E*(I-J)-(H*Y1)
298  current.Y = E * (I - J) - (H * Y1);
299  // Z3 = Z1*H
300  current.Z = Z1 * H;
301  // ell_0 = xi * (E * X2 - D * Y2)
302  c.ell_0 = E * x2 - D * y2;
303  // ell_VV = - E (later: * xP)
304  c.ell_VV = -E;
305  // ell_VW = D (later: * yP )
306  c.ell_VW = bls12_381_twist * D;
307 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_pairing()

bls12_381_Fq12 libff::bls12_381_pairing ( const bls12_381_G1 P,
const bls12_381_G2 Q 
)

Definition at line 522 of file bls12_381_pairing.cpp.

523 {
524  return bls12_381_ate_pairing(P, Q);
525 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_precompute_G1()

bls12_381_G1_precomp libff::bls12_381_precompute_G1 ( const bls12_381_G1 P)

Definition at line 497 of file bls12_381_pairing.cpp.

498 {
499  return bls12_381_ate_precompute_G1(P);
500 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_precompute_G2()

bls12_381_G2_precomp libff::bls12_381_precompute_G2 ( const bls12_381_G2 Q)

Definition at line 502 of file bls12_381_pairing.cpp.

503 {
504  return bls12_381_ate_precompute_G2(Q);
505 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bls12_381_reduced_pairing()

bls12_381_GT libff::bls12_381_reduced_pairing ( const bls12_381_G1 P,
const bls12_381_G2 Q 
)

Definition at line 527 of file bls12_381_pairing.cpp.

529 {
530  return bls12_381_ate_reduced_pairing(P, Q);
531 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bn128_ate_miller_loop()

bn128_Fq12 libff::bn128_ate_miller_loop ( const bn128_ate_G1_precomp prec_P,
const bn128_ate_G2_precomp prec_Q 
)

Definition at line 192 of file bn128_pairing.cpp.

194 {
195  bn128_Fq12 f;
196  bn::components::millerLoop(f.elem, prec_Q.coeffs, prec_P.P);
197  return f;
198 }
Here is the caller graph for this function:

◆ bn128_ate_precompute_G1()

bn128_ate_G1_precomp libff::bn128_ate_precompute_G1 ( const bn128_G1 P)

Definition at line 166 of file bn128_pairing.cpp.

167 {
168  enter_block("Call to bn128_ate_precompute_G1");
169 
170  bn128_ate_G1_precomp result;
171  bn::Fp P_coord[3];
172  P.fill_coord(P_coord);
173  bn::ecop::NormalizeJac(result.P, P_coord);
174 
175  leave_block("Call to bn128_ate_precompute_G1");
176  return result;
177 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bn128_ate_precompute_G2()

bn128_ate_G2_precomp libff::bn128_ate_precompute_G2 ( const bn128_G2 Q)

Definition at line 179 of file bn128_pairing.cpp.

180 {
181  enter_block("Call to bn128_ate_precompute_G2");
182 
183  bn128_ate_G2_precomp result;
184  bn::Fp2 Q_coord[3];
185  Q.fill_coord(Q_coord);
186  bn::components::precomputeG2(result.coeffs, result.Q, Q_coord);
187 
188  leave_block("Call to bn128_ate_precompute_G2");
189  return result;
190 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bn128_double_ate_miller_loop()

bn128_Fq12 libff::bn128_double_ate_miller_loop ( const bn128_ate_G1_precomp prec_P1,
const bn128_ate_G2_precomp prec_Q1,
const bn128_ate_G1_precomp prec_P2,
const bn128_ate_G2_precomp prec_Q2 
)

Definition at line 200 of file bn128_pairing.cpp.

205 {
206  bn128_Fq12 f;
207  bn::components::millerLoop2(
208  f.elem, prec_Q1.coeffs, prec_P1.P, prec_Q2.coeffs, prec_P2.P);
209  return f;
210 }
Here is the caller graph for this function:

◆ bn128_final_exponentiation()

bn128_GT libff::bn128_final_exponentiation ( const bn128_Fq12 elt)

Definition at line 212 of file bn128_pairing.cpp.

213 {
214  enter_block("Call to bn128_final_exponentiation");
215  bn128_GT eltcopy = elt;
216  eltcopy.elem.final_exp();
217  leave_block("Call to bn128_final_exponentiation");
218  return eltcopy;
219 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bn_batch_invert()

template<typename FieldT >
void libff::bn_batch_invert ( std::vector< FieldT > &  vec)

◆ bw6_761_ate_double_miller_loop()

bw6_761_Fq6 libff::bw6_761_ate_double_miller_loop ( const bw6_761_ate_G1_precomp prec_P1,
const bw6_761_ate_G2_precomp prec_Q1,
const bw6_761_ate_G1_precomp prec_P2,
const bw6_761_ate_G2_precomp prec_Q2 
)

Definition at line 508 of file bw6_761_pairing.cpp.

513 {
514  enter_block("Call to bw6_761_ate_double_miller_loop");
515 
516  const bw6_761_ate_G2_precomp_iteration &prec_Q1_1 = prec_Q1.precomp_1;
517  const bw6_761_ate_G2_precomp_iteration &prec_Q2_1 = prec_Q1.precomp_2;
518  const bw6_761_ate_G2_precomp_iteration &prec_Q1_2 = prec_Q2.precomp_1;
519  const bw6_761_ate_G2_precomp_iteration &prec_Q2_2 = prec_Q2.precomp_2;
520 
521  // f_{u+1,Q}(P)
522  bw6_761_Fq6 f_1 = bw6_761_Fq6::one();
523 
524  bool found_nonzero_1 = false;
525  size_t idx_1 = 0;
526 
527  bw6_761_ate_ell_coeffs c_1_1;
528  bw6_761_ate_ell_coeffs c_1_2;
529 
530  const bigint<bw6_761_Fq::num_limbs> &loop_count_1 = bw6_761_ate_loop_count1;
531  // Get the Non-Adjacent Form of the 1st loop count
532  std::vector<long> NAF_1 = find_wnaf(1, loop_count_1);
533  for (long i = NAF_1.size() - 1; i >= 0; --i) {
534  if (!found_nonzero_1) {
535  // This skips the MSB itself
536  found_nonzero_1 |= (NAF_1[i] != 0);
537  continue;
538  }
539 
540  // The code below gets executed for all bits (EXCEPT the MSB itself) of
541  // bw6_761_param_p (skipping leading zeros) in MSB to LSB
542  // order
543  c_1_1 = prec_Q1_1.coeffs[idx_1];
544  c_1_2 = prec_Q1_2.coeffs[idx_1];
545  ++idx_1;
546 
547  f_1 = f_1.squared();
548  f_1 = f_1.mul_by_045(
549  c_1_1.ell_0, prec_P1.PY * c_1_1.ell_VW, prec_P1.PX * c_1_1.ell_VV);
550  f_1 = f_1.mul_by_045(
551  c_1_2.ell_0, prec_P2.PY * c_1_2.ell_VW, prec_P2.PX * c_1_2.ell_VV);
552 
553  if (NAF_1[i] != 0) {
554  c_1_1 = prec_Q1_1.coeffs[idx_1];
555  c_1_2 = prec_Q1_2.coeffs[idx_1];
556  ++idx_1;
557 
558  f_1 = f_1.mul_by_045(
559  c_1_1.ell_0,
560  prec_P1.PY * c_1_1.ell_VW,
561  prec_P1.PX * c_1_1.ell_VV);
562  f_1 = f_1.mul_by_045(
563  c_1_2.ell_0,
564  prec_P2.PY * c_1_2.ell_VW,
565  prec_P2.PX * c_1_2.ell_VV);
566  }
567  }
568 
569  // f_{u^3-u^2-u,Q}(P)
570  bw6_761_Fq6 f_2 = bw6_761_Fq6::one();
571 
572  bool found_nonzero_2 = false;
573  size_t idx_2 = 0;
574 
575  bw6_761_ate_ell_coeffs c_2_1;
576  bw6_761_ate_ell_coeffs c_2_2;
577 
578  const bigint<bw6_761_Fq::num_limbs> &loop_count_2 = bw6_761_ate_loop_count2;
579  // Get the Non-Adjacent Form of the 1st loop count
580  std::vector<long> NAF_2 = find_wnaf(1, loop_count_2);
581  for (long i = NAF_2.size() - 1; i >= 0; --i) {
582  if (!found_nonzero_2) {
583  // This skips the MSB itself
584  found_nonzero_2 |= (NAF_2[i] != 0);
585  continue;
586  }
587 
588  // The code below gets executed for all bits (EXCEPT the MSB itself) of
589  // bw6_761_param_p (skipping leading zeros) in MSB to LSB
590  // order
591  c_2_1 = prec_Q2_1.coeffs[idx_2];
592  c_2_2 = prec_Q2_2.coeffs[idx_2];
593  ++idx_2;
594 
595  f_2 = f_2.squared();
596 
597  f_2 = f_2.mul_by_045(
598  c_2_1.ell_0, prec_P1.PY * c_2_1.ell_VW, prec_P1.PX * c_2_1.ell_VV);
599  f_2 = f_2.mul_by_045(
600  c_2_2.ell_0, prec_P2.PY * c_2_2.ell_VW, prec_P2.PX * c_2_2.ell_VV);
601 
602  if (NAF_2[i] != 0) {
603  c_2_1 = prec_Q2_1.coeffs[idx_2];
604  c_2_2 = prec_Q2_2.coeffs[idx_2];
605  ++idx_2;
606 
607  f_2 = f_2.mul_by_045(
608  c_2_1.ell_0,
609  prec_P1.PY * c_2_1.ell_VW,
610  prec_P1.PX * c_2_1.ell_VV);
611  f_2 = f_2.mul_by_045(
612  c_2_2.ell_0,
613  prec_P2.PY * c_2_2.ell_VW,
614  prec_P2.PX * c_2_2.ell_VV);
615  }
616  }
617 
618  leave_block("Call to bw6_761_ate_double_miller_loop");
619 
620  f_2 = f_2.Frobenius_map(1);
621 
622  return f_1 * f_2;
623 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_ate_miller_loop()

bw6_761_Fq6 libff::bw6_761_ate_miller_loop ( const bw6_761_ate_G1_precomp prec_P,
const bw6_761_ate_G2_precomp prec_Q 
)

Definition at line 423 of file bw6_761_pairing.cpp.

425 {
426  enter_block("Call to bw6_761_ate_miller_loop");
427 
428  const bw6_761_ate_G2_precomp_iteration &prec_Q_1 = prec_Q.precomp_1;
429  const bw6_761_ate_G2_precomp_iteration &prec_Q_2 = prec_Q.precomp_2;
430 
431  // f_{u+1,Q}(P)
432  bw6_761_Fq6 f_1 = bw6_761_Fq6::one();
433 
434  bool found_nonzero_1 = false;
435  size_t idx_1 = 0;
436 
437  const bigint<bw6_761_Fq::num_limbs> &loop_count_1 = bw6_761_ate_loop_count1;
438  bw6_761_ate_ell_coeffs c_1;
439 
440  // Get the Non-Adjacent Form of the loop count
441  // loop_count_1 = u+1
442  // This allows to cover steps 2 to 11 Algorithm 5:
443  // https://eprint.iacr.org/2020/351.pdf
444  std::vector<long> NAF_1 = find_wnaf(1, loop_count_1);
445  for (long i = NAF_1.size() - 1; i >= 0; --i) {
446  if (!found_nonzero_1) {
447  // This skips the MSB itself
448  found_nonzero_1 |= (NAF_1[i] != 0);
449  continue;
450  }
451 
452  // The code below gets executed for all bits (EXCEPT the MSB itself) of
453  // bw6_761_param_p (skipping leading zeros) in MSB to LSB
454  // order
455  c_1 = prec_Q_1.coeffs[idx_1];
456  ++idx_1;
457  f_1 = f_1.squared();
458  f_1 = f_1.mul_by_045(
459  c_1.ell_0, prec_P.PY * c_1.ell_VW, prec_P.PX * c_1.ell_VV);
460 
461  if (NAF_1[i] != 0) {
462  c_1 = prec_Q_1.coeffs[idx_1];
463  ++idx_1;
464  f_1 = f_1.mul_by_045(
465  c_1.ell_0, prec_P.PY * c_1.ell_VW, prec_P.PX * c_1.ell_VV);
466  }
467  }
468 
469  // f_{u^3-u^2-u,Q}(P)
470  bw6_761_Fq6 f_2 = bw6_761_Fq6::one();
471 
472  bool found_nonzero_2 = false;
473  size_t idx_2 = 0;
474 
475  const bigint<bw6_761_Fq::num_limbs> &loop_count_2 = bw6_761_ate_loop_count2;
476  bw6_761_ate_ell_coeffs c_2;
477 
478  std::vector<long> NAF_2 = find_wnaf(1, loop_count_2);
479  for (long i = NAF_2.size() - 1; i >= 0; --i) {
480  if (!found_nonzero_2) {
481  // This skips the MSB itself
482  found_nonzero_2 |= (NAF_2[i] != 0);
483  continue;
484  }
485 
486  // The code below gets executed for all bits (EXCEPT the MSB itself) of
487  // bw6_761_param_p (skipping leading zeros) in MSB to LSB
488  // order
489  c_2 = prec_Q_2.coeffs[idx_2++];
490  f_2 = f_2.squared();
491  f_2 = f_2.mul_by_045(
492  c_2.ell_0, prec_P.PY * c_2.ell_VW, prec_P.PX * c_2.ell_VV);
493 
494  if (NAF_2[i] != 0) {
495  c_2 = prec_Q_2.coeffs[idx_2++];
496  f_2 = f_2.mul_by_045(
497  c_2.ell_0, prec_P.PY * c_2.ell_VW, prec_P.PX * c_2.ell_VV);
498  }
499  }
500 
501  leave_block("Call to bw6_761_ate_miller_loop");
502 
503  f_2 = f_2.Frobenius_map(1);
504 
505  return f_1 * f_2;
506 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_ate_pairing()

bw6_761_Fq6 libff::bw6_761_ate_pairing ( const bw6_761_G1 P,
const bw6_761_G2 Q 
)

Definition at line 625 of file bw6_761_pairing.cpp.

626 {
627  enter_block("Call to bw6_761_ate_pairing");
628  bw6_761_ate_G1_precomp prec_P = bw6_761_ate_precompute_G1(P);
629  bw6_761_ate_G2_precomp prec_Q = bw6_761_ate_precompute_G2(Q);
630  bw6_761_Fq6 result = bw6_761_ate_miller_loop(prec_P, prec_Q);
631  leave_block("Call to bw6_761_ate_pairing");
632  return result;
633 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_ate_precompute_G1()

bw6_761_ate_G1_precomp libff::bw6_761_ate_precompute_G1 ( const bw6_761_G1 P)

Definition at line 354 of file bw6_761_pairing.cpp.

355 {
356  enter_block("Call to bw6_761_ate_precompute_G1");
357 
358  bw6_761_G1 Pcopy = P;
359  Pcopy.to_affine_coordinates();
360 
361  bw6_761_ate_G1_precomp result;
362  result.PX = Pcopy.X;
363  result.PY = Pcopy.Y;
364 
365  leave_block("Call to bw6_761_ate_precompute_G1");
366  return result;
367 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_ate_precompute_G2()

bw6_761_ate_G2_precomp libff::bw6_761_ate_precompute_G2 ( const bw6_761_G2 Q)

Definition at line 414 of file bw6_761_pairing.cpp.

415 {
416  return {
417  bw6_761_ate_precompute_G2_internal(Q, bw6_761_ate_loop_count1),
418  bw6_761_ate_precompute_G2_internal(Q, bw6_761_ate_loop_count2),
419  };
420 }
Here is the caller graph for this function:

◆ bw6_761_ate_reduced_pairing()

bw6_761_GT libff::bw6_761_ate_reduced_pairing ( const bw6_761_G1 P,
const bw6_761_G2 Q 
)

Definition at line 635 of file bw6_761_pairing.cpp.

636 {
637  enter_block("Call to bw6_761_ate_reduced_pairing");
638  const bw6_761_Fq6 f = bw6_761_ate_pairing(P, Q);
639  const bw6_761_GT result = bw6_761_final_exponentiation(f);
640  leave_block("Call to bw6_761_ate_reduced_pairing");
641  return result;
642 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_double_miller_loop()

bw6_761_Fq6 libff::bw6_761_double_miller_loop ( const bw6_761_ate_G1_precomp prec_P1,
const bw6_761_ate_G2_precomp prec_Q1,
const bw6_761_ate_G1_precomp prec_P2,
const bw6_761_ate_G2_precomp prec_Q2 
)

Definition at line 662 of file bw6_761_pairing.cpp.

667 {
668  return bw6_761_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
669 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_exp_by_z()

bw6_761_Fq6 libff::bw6_761_exp_by_z ( const bw6_761_Fq6 elt)

Definition at line 150 of file bw6_761_pairing.cpp.

151 {
152  enter_block("Call to bw6_761_exp_by_z");
153 
154  bw6_761_Fq6 result = elt.cyclotomic_exp(bw6_761_final_exponent_z);
155  if (bw6_761_final_exponent_is_z_neg) {
156  result = result.unitary_inverse();
157  }
158 
159  leave_block("Call to bw6_761_exp_by_z");
160 
161  return result;
162 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_final_exponentiation()

bw6_761_GT libff::bw6_761_final_exponentiation ( const bw6_761_Fq6 elt)

Definition at line 258 of file bw6_761_pairing.cpp.

259 {
260  enter_block("Call to bw6_761_final_exponentiation");
261 
262  bw6_761_Fq6 elt_to_first_chunk =
263  bw6_761_final_exponentiation_first_chunk(elt);
264  bw6_761_GT result =
265  bw6_761_final_exponentiation_last_chunk(elt_to_first_chunk);
266 
267  leave_block("Call to bw6_761_final_exponentiation");
268 
269  return result;
270 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_final_exponentiation_first_chunk()

bw6_761_Fq6 libff::bw6_761_final_exponentiation_first_chunk ( const bw6_761_Fq6 elt)

Definition at line 131 of file bw6_761_pairing.cpp.

132 {
133  // Compute elt^{(q^3-1)*(q+1)}
134  enter_block("Call to bw6_761_final_exponentiation_first_chunk");
135 
136  // A = elt^(q^3)
137  const bw6_761_Fq6 A = elt.Frobenius_map(3);
138  // B = elt^(q^3-1)
139  const bw6_761_Fq6 elt_inv = elt.inverse();
140  const bw6_761_Fq6 B = A * elt_inv;
141  // D = elt^((q^3-1) * q)
142  const bw6_761_Fq6 D = B.Frobenius_map(1);
143  // result = elt^{(q^3-1)*(q+1)}
144  const bw6_761_Fq6 result = D * B;
145 
146  leave_block("Call to bw6_761_final_exponentiation_first_chunk");
147  return result;
148 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_final_exponentiation_last_chunk()

bw6_761_Fq6 libff::bw6_761_final_exponentiation_last_chunk ( const bw6_761_Fq6 elt)

Definition at line 172 of file bw6_761_pairing.cpp.

173 {
174  enter_block("Call to bw6_761_final_exponentiation_last_chunk");
175 
176  // Step 1
177  const bw6_761_Fq6 f0 = elt;
178  const bw6_761_Fq6 f0p = f0.Frobenius_map(1);
179 
180  // Step 2-3: For loop
181  const bw6_761_Fq6 f1 = bw6_761_exp_by_z(f0);
182  const bw6_761_Fq6 f1p = f1.Frobenius_map(1);
183  const bw6_761_Fq6 f2 = bw6_761_exp_by_z(f1);
184  const bw6_761_Fq6 f2p = f2.Frobenius_map(1);
185  const bw6_761_Fq6 f3 = bw6_761_exp_by_z(f2);
186  const bw6_761_Fq6 f3p = f3.Frobenius_map(1);
187  const bw6_761_Fq6 f4 = bw6_761_exp_by_z(f3);
188  const bw6_761_Fq6 f4p = f4.Frobenius_map(1);
189  const bw6_761_Fq6 f5 = bw6_761_exp_by_z(f4);
190  const bw6_761_Fq6 f5p = f5.Frobenius_map(1);
191  const bw6_761_Fq6 f6 = bw6_761_exp_by_z(f5);
192  const bw6_761_Fq6 f6p = f6.Frobenius_map(1);
193  const bw6_761_Fq6 f7 = bw6_761_exp_by_z(f6);
194  const bw6_761_Fq6 f7p = f7.Frobenius_map(1);
195 
196  // Step 4
197  const bw6_761_Fq6 f8p = bw6_761_exp_by_z(f7p);
198  const bw6_761_Fq6 f9p = bw6_761_exp_by_z(f8p);
199 
200  // Step 5
201  const bw6_761_Fq6 result1 = f3p * f6p * f5p.Frobenius_map(3);
202 
203  // Step 6
204  const bw6_761_Fq6 result2 = result1.squared();
205  const bw6_761_Fq6 f4_2p = f4 * f2p;
206  const bw6_761_Fq6 result3 =
207  result2 * f5 * f0p * (f0 * f1 * f3 * f4_2p * f8p).Frobenius_map(3);
208 
209  // Step 7
210  const bw6_761_Fq6 result4 = result3.squared();
211  const bw6_761_Fq6 result5 = result4 * f9p * f7.Frobenius_map(3);
212 
213  // Step 8
214  const bw6_761_Fq6 result6 = result5.squared();
215  const bw6_761_Fq6 f2_4p = f2 * f4p;
216  const bw6_761_Fq6 f4_2p_5p = f4_2p * f5p;
217  const bw6_761_Fq6 result7 =
218  result6 * f4_2p_5p * f6 * f7p * (f2_4p * f3 * f3p).Frobenius_map(3);
219 
220  // Step 9
221  const bw6_761_Fq6 result8 = result7.squared();
222  const bw6_761_Fq6 result9 =
223  result8 * f0 * f7 * f1p * (f0p * f9p).Frobenius_map(3);
224 
225  // Step 10
226  const bw6_761_Fq6 result10 = result9.squared();
227  const bw6_761_Fq6 f6p_8p = f6p * f8p;
228  const bw6_761_Fq6 f5_7p = f5 * f7p;
229  const bw6_761_Fq6 result11 =
230  result10 * f5_7p * f2p * (f6p_8p).Frobenius_map(3);
231 
232  // Step 11
233  const bw6_761_Fq6 result12 = result11.squared();
234  const bw6_761_Fq6 f3_6 = f3 * f6;
235  const bw6_761_Fq6 f1_7 = f1 * f7;
236  const bw6_761_Fq6 result13 =
237  result12 * f3_6 * f9p * (f1_7 * f2).Frobenius_map(3);
238 
239  // Step 12
240  const bw6_761_Fq6 result14 = result13.squared();
241  const bw6_761_Fq6 result15 = result14 * f0 * f0p * f3p * f5p *
242  (f4_2p * f5_7p * f6p_8p).Frobenius_map(3);
243 
244  // Step 13
245  const bw6_761_Fq6 result16 = result15.squared();
246  const bw6_761_Fq6 result17 = result16 * f1p * (f3_6).Frobenius_map(3);
247 
248  // Step 14
249  const bw6_761_Fq6 result18 = result17.squared();
250  const bw6_761_Fq6 result19 = result18 * f1_7 * f5_7p * f0p *
251  (f2_4p * f4_2p_5p * f9p).Frobenius_map(3);
252 
253  leave_block("Call to bw6_761_final_exponentiation_last_chunk");
254 
255  return result19;
256 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_miller_loop()

bw6_761_Fq6 libff::bw6_761_miller_loop ( const bw6_761_G1_precomp prec_P,
const bw6_761_G2_precomp prec_Q 
)

Definition at line 656 of file bw6_761_pairing.cpp.

658 {
659  return bw6_761_ate_miller_loop(prec_P, prec_Q);
660 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_pairing()

bw6_761_Fq6 libff::bw6_761_pairing ( const bw6_761_G1 P,
const bw6_761_G2 Q 
)

Definition at line 671 of file bw6_761_pairing.cpp.

672 {
673  return bw6_761_ate_pairing(P, Q);
674 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_precompute_G1()

bw6_761_G1_precomp libff::bw6_761_precompute_G1 ( const bw6_761_G1 P)

Definition at line 646 of file bw6_761_pairing.cpp.

647 {
648  return bw6_761_ate_precompute_G1(P);
649 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_precompute_G2()

bw6_761_G2_precomp libff::bw6_761_precompute_G2 ( const bw6_761_G2 Q)

Definition at line 651 of file bw6_761_pairing.cpp.

652 {
653  return bw6_761_ate_precompute_G2(Q);
654 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bw6_761_reduced_pairing()

bw6_761_GT libff::bw6_761_reduced_pairing ( const bw6_761_G1 P,
const bw6_761_G2 Q 
)

Definition at line 676 of file bw6_761_pairing.cpp.

677 {
678  return bw6_761_ate_reduced_pairing(P, Q);
679 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ bytes_to_hex_reversed()

std::string libff::bytes_to_hex_reversed ( const void *  bytes,
size_t  num_bytes,
bool  prefix 
)

"prefix" here refers to "0x"

Definition at line 87 of file serialization.cpp.

89 {
90  if (num_bytes == 0) {
91  return "";
92  }
93 
94  std::string out;
95  if (prefix) {
96  out.reserve(num_bytes * 2 + 2);
97  out.push_back('0');
98  out.push_back('x');
99  } else {
100  out.reserve(num_bytes * 2);
101  }
102 
103  const uint8_t *const src_bytes_end = (const uint8_t *)bytes;
104  const uint8_t *src_bytes = src_bytes_end + num_bytes;
105  do {
106  --src_bytes;
107  const uint8_t byte = *src_bytes;
108  out.push_back(nibble_hex(byte >> 4));
109  out.push_back(nibble_hex(byte & 0x0f));
110  } while (src_bytes > src_bytes_end);
111 
112  return out;
113 }

◆ char_to_nibble()

uint8_t libff::char_to_nibble ( const char  c)

Definition at line 19 of file serialization.cpp.

20 {
21  const char cc = (char)std::tolower(c);
22  if (cc < '0') {
23  throw std::invalid_argument("invalid hex character");
24  }
25  if (cc <= '9') {
26  return cc - '0';
27  }
28  if (cc < 'a') {
29  throw std::invalid_argument("invalid hex character");
30  }
31  if (cc <= 'f') {
32  return cc - 'a' + 10;
33  }
34  throw std::invalid_argument("invalid hex character");
35 }

◆ clear_profiling_counters()

void libff::clear_profiling_counters ( )

Definition at line 110 of file profiling.cpp.

111 {
112  invocation_counts.clear();
113  last_times.clear();
114  last_cpu_times.clear();
115  cumulative_times.clear();
116 }

◆ consume_newline()

void libff::consume_newline ( std::istream &  in)
inline
Here is the caller graph for this function:

◆ consume_OUTPUT_NEWLINE()

void libff::consume_OUTPUT_NEWLINE ( std::istream &  in)
inline
Here is the caller graph for this function:

◆ consume_OUTPUT_SEPARATOR()

void libff::consume_OUTPUT_SEPARATOR ( std::istream &  in)
inline
Here is the caller graph for this function:

◆ convert_bit_vector_to_field_element()

template<typename FieldT >
FieldT libff::convert_bit_vector_to_field_element ( const bit_vector v)

◆ convert_bit_vector_to_field_element_vector()

template<typename FieldT >
std::vector<FieldT> libff::convert_bit_vector_to_field_element_vector ( const bit_vector v)

◆ convert_field_element_to_bit_vector() [1/2]

template<typename FieldT >
bit_vector libff::convert_field_element_to_bit_vector ( const FieldT &  el)

◆ convert_field_element_to_bit_vector() [2/2]

template<typename FieldT >
bit_vector libff::convert_field_element_to_bit_vector ( const FieldT &  el,
const size_t  bitcount 
)

◆ convert_field_element_vector_to_bit_vector()

template<typename FieldT >
bit_vector libff::convert_field_element_vector_to_bit_vector ( const std::vector< FieldT > &  v)

◆ deserialize_bit_vector()

void libff::deserialize_bit_vector ( std::istream &  in,
bit_vector v 
)

Definition at line 111 of file utils.cpp.

112 {
113  size_t size;
114  in >> size;
115  v.resize(size);
116  for (size_t i = 0; i < size; ++i) {
117  bool b;
118  in >> b;
119  v[i] = b;
120  }
121 }

◆ div_ceil()

long long libff::div_ceil ( long long  x,
long long  y 
)

Definition at line 82 of file utils.cpp.

82 { return (x + (y - 1)) / y; }

◆ doubling_step_for_flipped_miller_loop() [1/4]

void libff::doubling_step_for_flipped_miller_loop ( const alt_bn128_Fq  two_inv,
alt_bn128_G2 current,
alt_bn128_ate_ell_coeffs c 
)

Definition at line 246 of file alt_bn128_pairing.cpp.

250 {
251  const alt_bn128_Fq2 X = current.X, Y = current.Y, Z = current.Z;
252 
253  // A = X1 * Y1 / 2
254  const alt_bn128_Fq2 A = two_inv * (X * Y);
255  // B = Y1^2
256  const alt_bn128_Fq2 B = Y.squared();
257  // C = Z1^2
258  const alt_bn128_Fq2 C = Z.squared();
259  // D = 3 * C
260  const alt_bn128_Fq2 D = C + C + C;
261  // E = twist_b * D
262  const alt_bn128_Fq2 E = alt_bn128_twist_coeff_b * D;
263  // F = 3 * E
264  const alt_bn128_Fq2 F = E + E + E;
265  // G = (B+F)/2
266  const alt_bn128_Fq2 G = two_inv * (B + F);
267  // H = (Y1+Z1)^2-(B+C)
268  const alt_bn128_Fq2 H = (Y + Z).squared() - (B + C);
269  // I = E-B
270  const alt_bn128_Fq2 I = E - B;
271  // J = X1^2
272  const alt_bn128_Fq2 J = X.squared();
273  // E_squared = E^2
274  const alt_bn128_Fq2 E_squared = E.squared();
275 
276  // X3 = A * (B-F)
277  current.X = A * (B - F);
278  // Y3 = G^2 - 3*E^2
279  current.Y = G.squared() - (E_squared + E_squared + E_squared);
280  // Z3 = B * H
281  current.Z = B * H;
282  // ell_0 = xi * I
283  c.ell_0 = alt_bn128_twist * I;
284  // ell_VW = - H (later: * yP)
285  c.ell_VW = -H;
286  // ell_VV = 3*J (later: * xP)
287  c.ell_VV = J + J + J;
288 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ doubling_step_for_flipped_miller_loop() [2/4]

void libff::doubling_step_for_flipped_miller_loop ( extended_edwards_G2_projective current,
edwards_Fq3_conic_coefficients cc 
)

Definition at line 489 of file edwards_pairing.cpp.

491 {
492  const edwards_Fq3 &X = current.X, &Y = current.Y, &Z = current.Z,
493  &T = current.T;
494  const edwards_Fq3 A = X.squared(); // A = X1^2
495  const edwards_Fq3 B = Y.squared(); // B = Y1^2
496  const edwards_Fq3 C = Z.squared(); // C = Z1^2
497  const edwards_Fq3 D = (X + Y).squared(); // D = (X1+Y1)^2
498  const edwards_Fq3 E = (Y + Z).squared(); // E = (Y1+Z1)^2
499  const edwards_Fq3 F = D - (A + B); // F = D-(A+B)
500  const edwards_Fq3 G = E - (B + C); // G = E-(B+C)
501  const edwards_Fq3 H =
502  edwards_G2::mul_by_a(A); // edwards_param_twist_coeff_a is 1 * X for us
503  // H = twisted_a * A
504  const edwards_Fq3 I = H + B; // I = H+B
505  const edwards_Fq3 J = C - I; // J = C-I
506  const edwards_Fq3 K = J + C; // K = J+C
507 
508  cc.c_ZZ = Y * (T - X); // c_ZZ = 2*Y1*(T1-X1)
509  cc.c_ZZ = cc.c_ZZ + cc.c_ZZ;
510 
511  // c_XY = 2*(C-edwards_a * A * delta_3-B)+G (edwards_a = 1 for us)
512  cc.c_XY = C - edwards_G2::mul_by_a(A) -
513  B; // edwards_param_twist_coeff_a is 1 * X for us
514  cc.c_XY = cc.c_XY + cc.c_XY + G;
515 
516  // c_XZ = 2*(edwards_a*X1*T1*delta_3-B) (edwards_a = 1 for us)
517  cc.c_XZ = edwards_G2::mul_by_a(X * T) -
518  B; // edwards_param_twist_coeff_a is 1 * X for us
519  cc.c_XZ = cc.c_XZ + cc.c_XZ;
520 
521  current.X = F * K; // X3 = F*K
522  current.Y = I * (B - H); // Y3 = I*(B-H)
523  current.Z = I * K; // Z3 = I*K
524  current.T = F * (B - H); // T3 = F*(B-H)
525 #ifdef DEBUG
526  current.test_invariant();
527 #endif
528 }
Here is the call graph for this function:

◆ doubling_step_for_flipped_miller_loop() [3/4]

void libff::doubling_step_for_flipped_miller_loop ( extended_mnt4_G2_projective current,
mnt4_ate_dbl_coeffs dc 
)

Definition at line 400 of file mnt4_pairing.cpp.

402 {
403  const mnt4_Fq2 X = current.X, Y = current.Y, Z = current.Z, T = current.T;
404 
405  const mnt4_Fq2 A = T.squared(); // A = T1^2
406  const mnt4_Fq2 B = X.squared(); // B = X1^2
407  const mnt4_Fq2 C = Y.squared(); // C = Y1^2
408  const mnt4_Fq2 D = C.squared(); // D = C^2
409  const mnt4_Fq2 E = (X + C).squared() - B - D; // E = (X1+C)^2-B-D
410  const mnt4_Fq2 F = (B + B + B) + mnt4_twist_coeff_a * A; // F = 3*B + a *A
411  const mnt4_Fq2 G = F.squared(); // G = F^2
412 
413  current.X = -(E + E + E + E) + G; // X3 = -4*E+G
414  current.Y =
415  -mnt4_Fq("8") * D + F * (E + E - current.X); // Y3 = -8*D+F*(2*E-X3)
416  current.Z = (Y + Z).squared() - C - Z.squared(); // Z3 = (Y1+Z1)^2-C-Z1^2
417  current.T = current.Z.squared(); // T3 = Z3^2
418 
419  dc.c_H = (current.Z + T).squared() - current.T - A; // H = (Z3+T1)^2-T3-A
420  dc.c_4C = C + C + C + C; // fourC = 4*C
421  dc.c_J = (F + T).squared() - G - A; // J = (F+T1)^2-G-A
422  dc.c_L = (F + X).squared() - G - B; // L = (F+X1)^2-G-B
423 
424 #ifdef DEBUG
425  current.test_invariant();
426 #endif
427 }
Here is the call graph for this function:

◆ doubling_step_for_flipped_miller_loop() [4/4]

void libff::doubling_step_for_flipped_miller_loop ( extended_mnt6_G2_projective current,
mnt6_ate_dbl_coeffs dc 
)

Definition at line 405 of file mnt6_pairing.cpp.

407 {
408  const mnt6_Fq3 X = current.X, Y = current.Y, Z = current.Z, T = current.T;
409 
410  const mnt6_Fq3 A = T.squared(); // A = T1^2
411  const mnt6_Fq3 B = X.squared(); // B = X1^2
412  const mnt6_Fq3 C = Y.squared(); // C = Y1^2
413  const mnt6_Fq3 D = C.squared(); // D = C^2
414  const mnt6_Fq3 E = (X + C).squared() - B - D; // E = (X1+C)^2-B-D
415  const mnt6_Fq3 F = (B + B + B) + mnt6_twist_coeff_a * A; // F = 3*B + a *A
416  const mnt6_Fq3 G = F.squared(); // G = F^2
417 
418  current.X = -(E + E + E + E) + G; // X3 = -4*E+G
419  current.Y =
420  -mnt6_Fq("8") * D + F * (E + E - current.X); // Y3 = -8*D+F*(2*E-X3)
421  current.Z = (Y + Z).squared() - C - Z.squared(); // Z3 = (Y1+Z1)^2-C-Z1^2
422  current.T = current.Z.squared(); // T3 = Z3^2
423 
424  dc.c_H = (current.Z + T).squared() - current.T - A; // H = (Z3+T1)^2-T3-A
425  dc.c_4C = C + C + C + C; // fourC = 4*C
426  dc.c_J = (F + T).squared() - G - A; // J = (F+T1)^2-G-A
427  dc.c_L = (F + X).squared() - G - B; // L = (F+X1)^2-G-B
428 
429 #ifdef DEBUG
430  current.test_invariant();
431 #endif
432 }
Here is the call graph for this function:

◆ doubling_step_for_miller_loop() [1/2]

void libff::doubling_step_for_miller_loop ( bw6_761_G2 current,
bw6_761_ate_ell_coeffs c 
)

Definition at line 274 of file bw6_761_pairing.cpp.

276 {
277  const bw6_761_Fq X = current.X, Y = current.Y, Z = current.Z;
278 
279  // A = X1 * Y1
280  const bw6_761_Fq A = X * Y;
281  // B = Y1^2
282  const bw6_761_Fq B = Y.squared();
283  // B4 = 4 * Y1^2
284  const bw6_761_Fq B4 = B + B + B + B;
285  // C = Z1^2
286  const bw6_761_Fq C = Z.squared();
287  // D = 3 * C
288  const bw6_761_Fq D = C + C + C;
289  // E = bw6_761_twist_coeff_b * D
290  const bw6_761_Fq E = bw6_761_twist_coeff_b * D;
291  // F = 3 * E
292  const bw6_761_Fq F = E + E + E;
293  // G = B+F
294  const bw6_761_Fq G = B + F;
295  // H = (Y1+Z1)^2-(B+C)
296  const bw6_761_Fq H = (Y + Z).squared() - (B + C);
297  // I = E-B
298  const bw6_761_Fq I = E - B;
299  // J = X1^2
300  const bw6_761_Fq J = X.squared();
301  // E2_squared = (2E)^2
302  const bw6_761_Fq E2_squared = (E + E).squared();
303 
304  // X3 = 2A * (B-F)
305  current.X = (A + A) * (B - F);
306  // Y3 = G^2 - 3*E2^2
307  current.Y = G.squared() - (E2_squared + E2_squared + E2_squared);
308  // Z3 = 4 * B * H
309  current.Z = B4 * H;
310 
311  // ell_0 = I
312  c.ell_0 = I;
313  // ell_VW = -xi * H (later: * yP)
314  c.ell_VW = -bw6_761_twist * H;
315  // ell_VV = 3*J (later: * xP)
316  c.ell_VV = J + J + J;
317 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ doubling_step_for_miller_loop() [2/2]

void libff::doubling_step_for_miller_loop ( extended_edwards_G1_projective current,
edwards_Fq_conic_coefficients cc 
)

Definition at line 267 of file edwards_pairing.cpp.

269 {
270  const edwards_Fq &X = current.X, &Y = current.Y, &Z = current.Z,
271  &T = current.T;
272  const edwards_Fq A = X.squared(); // A = X1^2
273  const edwards_Fq B = Y.squared(); // B = Y1^2
274  const edwards_Fq C = Z.squared(); // C = Z1^2
275  const edwards_Fq D = (X + Y).squared(); // D = (X1+Y1)^2
276  const edwards_Fq E = (Y + Z).squared(); // E = (Y1+Z1)^2
277  const edwards_Fq F = D - (A + B); // F = D-(A+B)
278  const edwards_Fq G = E - (B + C); // G = E-(B+C)
279  const edwards_Fq &H = A; // H = A (edwards_a=1)
280  const edwards_Fq I = H + B; // I = H+B
281  const edwards_Fq J = C - I; // J = C-I
282  const edwards_Fq K = J + C; // K = J+C
283 
284  cc.c_ZZ = Y * (T - X); // c_ZZ = 2*Y1*(T1-X1)
285  cc.c_ZZ = cc.c_ZZ + cc.c_ZZ;
286 
287  cc.c_XY = J + J + G; // c_XY = 2*J+G
288  cc.c_XZ = X * T - B; // c_XZ = 2*(X1*T1-B) (edwards_a=1)
289  cc.c_XZ = cc.c_XZ + cc.c_XZ;
290 
291  current.X = F * K; // X3 = F*K
292  current.Y = I * (B - H); // Y3 = I*(B-H)
293  current.Z = I * K; // Z3 = I*K
294  current.T = F * (B - H); // T3 = F*(B-H)
295 
296 #ifdef DEBUG
297  current.test_invariant();
298 #endif
299 }
Here is the call graph for this function:

◆ edwards_ate_double_miller_loop()

edwards_Fq6 libff::edwards_ate_double_miller_loop ( const edwards_ate_G1_precomp prec_P1,
const edwards_ate_G2_precomp prec_Q1,
const edwards_ate_G1_precomp prec_P2,
const edwards_ate_G2_precomp prec_Q2 
)

Definition at line 702 of file edwards_pairing.cpp.

707 {
708  enter_block("Call to edwards_ate_double_miller_loop");
709  const bigint<edwards_Fr::num_limbs> &loop_count = edwards_ate_loop_count;
710 
711  edwards_Fq6 f = edwards_Fq6::one();
712 
713  bool found_one = false;
714  size_t idx = 0;
715  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
716  const bool bit = loop_count.test_bit(i);
717  if (!found_one) {
718  /* this skips the MSB itself */
719  found_one |= bit;
720  continue;
721  }
722 
723  /* code below gets executed for all bits (EXCEPT the MSB itself) of
724  edwards_param_p (skipping leading zeros) in MSB to LSB
725  order */
726  edwards_Fq3_conic_coefficients cc1 = prec_Q1[idx];
727  edwards_Fq3_conic_coefficients cc2 = prec_Q2[idx];
728  ++idx;
729 
730  edwards_Fq6 g_RR_at_P1 = edwards_Fq6(
731  prec_P1.P_XY * cc1.c_XY + prec_P1.P_XZ * cc1.c_XZ,
732  prec_P1.P_ZZplusYZ * cc1.c_ZZ);
733 
734  edwards_Fq6 g_RR_at_P2 = edwards_Fq6(
735  prec_P2.P_XY * cc2.c_XY + prec_P2.P_XZ * cc2.c_XZ,
736  prec_P2.P_ZZplusYZ * cc2.c_ZZ);
737  f = f.squared() * g_RR_at_P1 * g_RR_at_P2;
738 
739  if (bit) {
740  cc1 = prec_Q1[idx];
741  cc2 = prec_Q2[idx];
742  ++idx;
743  edwards_Fq6 g_RQ_at_P1 = edwards_Fq6(
744  prec_P1.P_ZZplusYZ * cc1.c_ZZ,
745  prec_P1.P_XY * cc1.c_XY + prec_P1.P_XZ * cc1.c_XZ);
746  edwards_Fq6 g_RQ_at_P2 = edwards_Fq6(
747  prec_P2.P_ZZplusYZ * cc2.c_ZZ,
748  prec_P2.P_XY * cc2.c_XY + prec_P2.P_XZ * cc2.c_XZ);
749  f = f * g_RQ_at_P1 * g_RQ_at_P2;
750  }
751  }
752  leave_block("Call to edwards_ate_double_miller_loop");
753 
754  return f;
755 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_ate_miller_loop()

edwards_Fq6 libff::edwards_ate_miller_loop ( const edwards_ate_G1_precomp prec_P,
const edwards_ate_G2_precomp prec_Q 
)

Definition at line 662 of file edwards_pairing.cpp.

664 {
665  enter_block("Call to edwards_ate_miller_loop");
666  const bigint<edwards_Fr::num_limbs> &loop_count = edwards_ate_loop_count;
667 
668  edwards_Fq6 f = edwards_Fq6::one();
669 
670  bool found_one = false;
671  size_t idx = 0;
672  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
673  const bool bit = loop_count.test_bit(i);
674  if (!found_one) {
675  /* this skips the MSB itself */
676  found_one |= bit;
677  continue;
678  }
679 
680  /* code below gets executed for all bits (EXCEPT the MSB itself) of
681  edwards_param_p (skipping leading zeros) in MSB to LSB
682  order */
683  edwards_Fq3_conic_coefficients cc = prec_Q[idx++];
684 
685  edwards_Fq6 g_RR_at_P = edwards_Fq6(
686  prec_P.P_XY * cc.c_XY + prec_P.P_XZ * cc.c_XZ,
687  prec_P.P_ZZplusYZ * cc.c_ZZ);
688  f = f.squared() * g_RR_at_P;
689  if (bit) {
690  cc = prec_Q[idx++];
691  edwards_Fq6 g_RQ_at_P = edwards_Fq6(
692  prec_P.P_ZZplusYZ * cc.c_ZZ,
693  prec_P.P_XY * cc.c_XY + prec_P.P_XZ * cc.c_XZ);
694  f = f * g_RQ_at_P;
695  }
696  }
697  leave_block("Call to edwards_ate_miller_loop");
698 
699  return f;
700 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_ate_pairing()

edwards_Fq6 libff::edwards_ate_pairing ( const edwards_G1 P,
const edwards_G2 Q 
)

Definition at line 757 of file edwards_pairing.cpp.

758 {
759  enter_block("Call to edwards_ate_pairing");
760  edwards_ate_G1_precomp prec_P = edwards_ate_precompute_G1(P);
761  edwards_ate_G2_precomp prec_Q = edwards_ate_precompute_G2(Q);
762  edwards_Fq6 result = edwards_ate_miller_loop(prec_P, prec_Q);
763  leave_block("Call to edwards_ate_pairing");
764  return result;
765 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_ate_precompute_G1()

edwards_ate_G1_precomp libff::edwards_ate_precompute_G1 ( const edwards_G1 P)

Definition at line 609 of file edwards_pairing.cpp.

610 {
611  enter_block("Call to edwards_ate_precompute_G1");
612  edwards_G1 Pcopy = P;
613  Pcopy.to_affine_coordinates();
614  edwards_ate_G1_precomp result;
615  result.P_XY = Pcopy.X * Pcopy.Y;
616  result.P_XZ = Pcopy.X; // P.X * P.Z but P.Z = 1
617  result.P_ZZplusYZ =
618  (edwards_Fq::one() + Pcopy.Y); // (P.Z + P.Y) * P.Z but P.Z = 1
619  leave_block("Call to edwards_ate_precompute_G1");
620  return result;
621 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_ate_precompute_G2()

edwards_ate_G2_precomp libff::edwards_ate_precompute_G2 ( const edwards_G2 Q)

Definition at line 623 of file edwards_pairing.cpp.

624 {
625  enter_block("Call to edwards_ate_precompute_G2");
626  const bigint<edwards_Fr::num_limbs> &loop_count = edwards_ate_loop_count;
627  edwards_ate_G2_precomp result;
628 
629  edwards_G2 Qcopy(Q);
630  Qcopy.to_affine_coordinates();
631 
632  extended_edwards_G2_projective Q_ext;
633  Q_ext.X = Qcopy.X;
634  Q_ext.Y = Qcopy.Y;
635  Q_ext.Z = Qcopy.Z;
636  Q_ext.T = Qcopy.X * Qcopy.Y;
637 
638  extended_edwards_G2_projective R = Q_ext;
639 
640  bool found_one = false;
641  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
642  const bool bit = loop_count.test_bit(i);
643  if (!found_one) {
644  /* this skips the MSB itself */
645  found_one |= bit;
646  continue;
647  }
648 
649  edwards_Fq3_conic_coefficients cc;
650  doubling_step_for_flipped_miller_loop(R, cc);
651  result.push_back(cc);
652  if (bit) {
653  mixed_addition_step_for_flipped_miller_loop(Q_ext, R, cc);
654  result.push_back(cc);
655  }
656  }
657 
658  leave_block("Call to edwards_ate_precompute_G2");
659  return result;
660 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_ate_reduced_pairing()

edwards_GT libff::edwards_ate_reduced_pairing ( const edwards_G1 P,
const edwards_G2 Q 
)

Definition at line 767 of file edwards_pairing.cpp.

768 {
769  enter_block("Call to edwards_ate_reduced_pairing");
770  const edwards_Fq6 f = edwards_ate_pairing(P, Q);
771  const edwards_GT result = edwards_final_exponentiation(f);
772  leave_block("Call to edwards_ate_reduced_pairing");
773  return result;
774 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_double_miller_loop()

edwards_Fq6 libff::edwards_double_miller_loop ( const edwards_G1_precomp prec_P1,
const edwards_G2_precomp prec_Q1,
const edwards_G1_precomp prec_P2,
const edwards_G2_precomp prec_Q2 
)

Definition at line 792 of file edwards_pairing.cpp.

797 {
798  return edwards_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
799 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_final_exponentiation()

edwards_GT libff::edwards_final_exponentiation ( const edwards_Fq6 elt)

Definition at line 219 of file edwards_pairing.cpp.

220 {
221  enter_block("Call to edwards_final_exponentiation");
222  const edwards_Fq6 elt_inv = elt.inverse();
223  const edwards_Fq6 elt_to_first_chunk =
224  edwards_final_exponentiation_first_chunk(elt, elt_inv);
225  const edwards_Fq6 elt_inv_to_first_chunk =
226  edwards_final_exponentiation_first_chunk(elt_inv, elt);
227  edwards_GT result = edwards_final_exponentiation_last_chunk(
228  elt_to_first_chunk, elt_inv_to_first_chunk);
229  leave_block("Call to edwards_final_exponentiation");
230 
231  return result;
232 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_final_exponentiation_first_chunk()

edwards_Fq6 libff::edwards_final_exponentiation_first_chunk ( const edwards_Fq6 elt,
const edwards_Fq6 elt_inv 
)

Definition at line 200 of file edwards_pairing.cpp.

202 {
203  enter_block("Call to edwards_final_exponentiation_first_chunk");
204 
205  /* (q^3-1)*(q+1) */
206 
207  /* elt_q3 = elt^(q^3) */
208  const edwards_Fq6 elt_q3 = elt.Frobenius_map(3);
209  /* elt_q3_over_elt = elt^(q^3-1) */
210  const edwards_Fq6 elt_q3_over_elt = elt_q3 * elt_inv;
211  /* alpha = elt^((q^3-1) * q) */
212  const edwards_Fq6 alpha = elt_q3_over_elt.Frobenius_map(1);
213  /* beta = elt^((q^3-1)*(q+1) */
214  const edwards_Fq6 beta = alpha * elt_q3_over_elt;
215  leave_block("Call to edwards_final_exponentiation_first_chunk");
216  return beta;
217 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_final_exponentiation_last_chunk()

edwards_Fq6 libff::edwards_final_exponentiation_last_chunk ( const edwards_Fq6 elt,
const edwards_Fq6 elt_inv 
)

Definition at line 179 of file edwards_pairing.cpp.

181 {
182  enter_block("Call to edwards_final_exponentiation_last_chunk");
183  const edwards_Fq6 elt_q = elt.Frobenius_map(1);
184  edwards_Fq6 w1_part =
185  elt_q.cyclotomic_exp(edwards_final_exponent_last_chunk_w1);
186  edwards_Fq6 w0_part;
187  if (edwards_final_exponent_last_chunk_is_w0_neg) {
188  w0_part =
189  elt_inv.cyclotomic_exp(edwards_final_exponent_last_chunk_abs_of_w0);
190  } else {
191  w0_part =
192  elt.cyclotomic_exp(edwards_final_exponent_last_chunk_abs_of_w0);
193  }
194  edwards_Fq6 result = w1_part * w0_part;
195  leave_block("Call to edwards_final_exponentiation_last_chunk");
196 
197  return result;
198 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_miller_loop()

edwards_Fq6 libff::edwards_miller_loop ( const edwards_G1_precomp prec_P,
const edwards_G2_precomp prec_Q 
)

Definition at line 786 of file edwards_pairing.cpp.

788 {
789  return edwards_ate_miller_loop(prec_P, prec_Q);
790 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_pairing()

edwards_Fq6 libff::edwards_pairing ( const edwards_G1 P,
const edwards_G2 Q 
)

Definition at line 801 of file edwards_pairing.cpp.

802 {
803  return edwards_ate_pairing(P, Q);
804 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_precompute_G1()

edwards_G1_precomp libff::edwards_precompute_G1 ( const edwards_G1 P)

Definition at line 776 of file edwards_pairing.cpp.

777 {
778  return edwards_ate_precompute_G1(P);
779 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_precompute_G2()

edwards_G2_precomp libff::edwards_precompute_G2 ( const edwards_G2 Q)

Definition at line 781 of file edwards_pairing.cpp.

782 {
783  return edwards_ate_precompute_G2(Q);
784 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_reduced_pairing()

edwards_GT libff::edwards_reduced_pairing ( const edwards_G1 P,
const edwards_G2 Q 
)

Definition at line 806 of file edwards_pairing.cpp.

807 {
808  return edwards_ate_reduced_pairing(P, Q);
809 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_tate_miller_loop()

edwards_Fq6 libff::edwards_tate_miller_loop ( const edwards_tate_G1_precomp prec_P,
const edwards_tate_G2_precomp prec_Q 
)

Definition at line 409 of file edwards_pairing.cpp.

412 {
413  enter_block("Call to edwards_tate_miller_loop");
414 
415  edwards_Fq6 f = edwards_Fq6::one();
416 
417  bool found_one = false;
418  size_t idx = 0;
419  for (long i = edwards_modulus_r.max_bits() - 1; i >= 0; --i) {
420  const bool bit = edwards_modulus_r.test_bit(i);
421  if (!found_one) {
422  /* this skips the MSB itself */
423  found_one |= bit;
424  continue;
425  }
426 
427  /* code below gets executed for all bits (EXCEPT the MSB itself) of
428  edwards_modulus_r (skipping leading zeros) in MSB to LSB
429  order */
430  edwards_Fq_conic_coefficients cc = prec_P[idx++];
431  edwards_Fq6 g_RR_at_Q = edwards_Fq6(
432  edwards_Fq3(cc.c_XZ, edwards_Fq(0l), edwards_Fq(0l)) +
433  cc.c_XY * prec_Q.y0,
434  cc.c_ZZ * prec_Q.eta);
435  f = f.squared() * g_RR_at_Q;
436  if (bit) {
437  cc = prec_P[idx++];
438 
439  edwards_Fq6 g_RP_at_Q = edwards_Fq6(
440  edwards_Fq3(cc.c_XZ, edwards_Fq(0l), edwards_Fq(0l)) +
441  cc.c_XY * prec_Q.y0,
442  cc.c_ZZ * prec_Q.eta);
443  f = f * g_RP_at_Q;
444  }
445  }
446  leave_block("Call to edwards_tate_miller_loop");
447 
448  return f;
449 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_tate_pairing()

edwards_Fq6 libff::edwards_tate_pairing ( const edwards_G1 P,
const edwards_G2 Q 
)

Definition at line 451 of file edwards_pairing.cpp.

452 {
453  enter_block("Call to edwards_tate_pairing");
454  edwards_tate_G1_precomp prec_P = edwards_tate_precompute_G1(P);
455  edwards_tate_G2_precomp prec_Q = edwards_tate_precompute_G2(Q);
456  edwards_Fq6 result = edwards_tate_miller_loop(prec_P, prec_Q);
457  leave_block("Call to edwards_tate_pairing");
458  return result;
459 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_tate_precompute_G1()

edwards_tate_G1_precomp libff::edwards_tate_precompute_G1 ( const edwards_G1 P)

Definition at line 367 of file edwards_pairing.cpp.

368 {
369  enter_block("Call to edwards_tate_precompute_G1");
370  edwards_tate_G1_precomp result;
371 
372  edwards_G1 Pcopy = P;
373  Pcopy.to_affine_coordinates();
374 
375  extended_edwards_G1_projective P_ext;
376  P_ext.X = Pcopy.X;
377  P_ext.Y = Pcopy.Y;
378  P_ext.Z = Pcopy.Z;
379  P_ext.T = Pcopy.X * Pcopy.Y;
380 
381  extended_edwards_G1_projective R = P_ext;
382 
383  bool found_one = false;
384  for (long i = edwards_modulus_r.max_bits(); i >= 0; --i) {
385  const bool bit = edwards_modulus_r.test_bit(i);
386  if (!found_one) {
387  /* this skips the MSB itself */
388  found_one |= bit;
389  continue;
390  }
391 
392  /* code below gets executed for all bits (EXCEPT the MSB itself) of
393  edwards_modulus_r (skipping leading zeros) in MSB to LSB
394  order */
395  edwards_Fq_conic_coefficients cc;
396  doubling_step_for_miller_loop(R, cc);
397  result.push_back(cc);
398 
399  if (bit) {
400  mixed_addition_step_for_miller_loop(P_ext, R, cc);
401  result.push_back(cc);
402  }
403  }
404 
405  leave_block("Call to edwards_tate_precompute_G1");
406  return result;
407 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_tate_precompute_G2()

edwards_tate_G2_precomp libff::edwards_tate_precompute_G2 ( const edwards_G2 Q)

Definition at line 234 of file edwards_pairing.cpp.

235 {
236  enter_block("Call to edwards_tate_precompute_G2");
237  edwards_G2 Qcopy = Q;
238  Qcopy.to_affine_coordinates();
239  edwards_tate_G2_precomp result;
240  result.y0 = Qcopy.Y * Qcopy.Z.inverse(); // Y/Z
241  result.eta =
242  (Qcopy.Z + Qcopy.Y) *
243  edwards_Fq6::mul_by_non_residue(Qcopy.X).inverse(); // (Z+Y)/(nqr*X)
244  leave_block("Call to edwards_tate_precompute_G2");
245 
246  return result;
247 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ edwards_tate_reduced_pairing()

edwards_GT libff::edwards_tate_reduced_pairing ( const edwards_G1 P,
const edwards_G2 Q 
)

Definition at line 461 of file edwards_pairing.cpp.

463 {
464  enter_block("Call to edwards_tate_reduced_pairing");
465  const edwards_Fq6 f = edwards_tate_pairing(P, Q);
466  const edwards_GT result = edwards_final_exponentiation(f);
467  leave_block("Call to edwards_tate_reduce_pairing");
468  return result;
469 }
Here is the call graph for this function:

◆ enter_block()

void libff::enter_block ( const std::string &  msg,
const bool  indent 
)

Definition at line 271 of file profiling.cpp.

272 {
273  if (inhibit_profiling_counters) {
274  return;
275  }
276 
277  block_names.emplace_back(msg);
278  long long t = get_nsec_time();
279  enter_times[msg] = t;
280  long long cpu_t = get_nsec_cpu_time();
281  enter_cpu_times[msg] = cpu_t;
282 
283  if (inhibit_profiling_info) {
284  return;
285  }
286 
287 #ifdef MULTICORE
288 #pragma omp critical
289 #endif
290  {
291  op_profiling_enter(msg);
292 
293  print_indent();
294  printf("(enter) %-35s\t", msg.c_str());
295  print_times_from_last_and_start(t, t, cpu_t, cpu_t);
296  printf("\n");
297  fflush(stdout);
298 
299  if (indent) {
300  ++indentation;
301  }
302  }
303 }
Here is the call graph for this function:

◆ exp2()

size_t libff::exp2 ( size_t  k)
inline

Definition at line 30 of file utils.hpp.

30 { return size_t(1) << k; }

◆ field_get_component_0()

template<typename FieldT >
const FieldT::my_Fp& libff::field_get_component_0 ( const FieldT &  v)

Rerturns a reference to the 0-th component of the element (or the element itself if FieldT is not an extension field).

◆ field_get_digit()

template<mp_size_t n>
size_t libff::field_get_digit ( const bigint< n > &  v,
const size_t  digit_size,
const size_t  digit_index 
)

Decompose v into fixed-size digits of digit_size bits each.

◆ field_get_signed_digit()

template<mp_size_t n>
ssize_t libff::field_get_signed_digit ( const bigint< n > &  v,
const size_t  digit_size,
const size_t  digit_index 
)

Decompose v into fixed-size signed digits of digit_size bits each.

◆ field_get_signed_digits()

template<typename FieldT >
void libff::field_get_signed_digits ( std::vector< ssize_t > &  digits,
const FieldT &  v,
const size_t  digit_size,
const size_t  num_digits 
)

Decompose the input into a (pre-allocated) vector of fixed-size signed digits, of size digit_size bits.

◆ field_read()

template<encoding_t Enc = encoding_binary, form_t Form = form_plain, typename FieldT >
void libff::field_read ( FieldT &  v,
std::istream &  in_s 
)

◆ field_write()

template<encoding_t Enc = encoding_binary, form_t Form = form_plain, typename FieldT >
void libff::field_write ( const FieldT &  v,
std::ostream &  out_s 
)

◆ find_wnaf()

template<mp_size_t n>
std::vector<long> libff::find_wnaf ( const size_t  window_size,
const bigint< n > &  scalar 
)

Find the wNAF representation of the given scalar relative to the given window size.

Here is the caller graph for this function:

◆ fixed_window_wnaf_exp() [1/2]

template<typename T , mp_size_t n>
T libff::fixed_window_wnaf_exp ( const size_t  window_size,
const T &  base,
const bigint< n > &  scalar 
)

In additive notation, use wNAF exponentiation (with the given window size) to compute scalar * base.

◆ fixed_window_wnaf_exp() [2/2]

template<typename T >
T libff::fixed_window_wnaf_exp ( const size_t  window_size,
const T &  base,
const std::vector< long > &  naf 
)

In additive notation, use wNAF exponentiation (with the given window size) to compute scalar * base, for a scalar in NAF form.

◆ FORMAT()

std::string libff::FORMAT ( const std::string &  prefix,
const char *  format,
  ... 
)

Definition at line 91 of file utils.cpp.

92 {
93  const static size_t MAX_FMT = 256;
94  char buf[MAX_FMT];
95  va_list args;
96  va_start(args, format);
97  vsnprintf(buf, MAX_FMT, format, args);
98  va_end(args);
99 
100  return prefix + std::string(buf);
101 }

◆ fp_from_fp()

template<mp_size_t wn, const bigint< wn > & wmodulus, mp_size_t nn, const bigint< nn > & nmodulus>
void libff::fp_from_fp ( Fp_model< wn, wmodulus > &  wfp,
const Fp_model< nn, nmodulus > &  nfp 
)

Safe conversion from one finite field type to another. Internally asserts that the transformation is injective (i.e. multiple input values cannot result in the same output value).

◆ from_twos_complement()

int libff::from_twos_complement ( size_t  i,
size_t  w 
)

Definition at line 53 of file utils.cpp.

54 {
55  assert(i < (1ul << w));
56  return (i < (1ul << (w - 1))) ? i : i - (1ul << w);
57 }

◆ full_addition_step_for_flipped_miller_loop()

void libff::full_addition_step_for_flipped_miller_loop ( const extended_edwards_G2_projective base,
extended_edwards_G2_projective current,
edwards_Fq3_conic_coefficients cc 
)

Definition at line 530 of file edwards_pairing.cpp.

534 {
535  const edwards_Fq3 &X1 = current.X, &Y1 = current.Y, &Z1 = current.Z,
536  &T1 = current.T;
537  const edwards_Fq3 &X2 = base.X, &Y2 = base.Y, &Z2 = base.Z, &T2 = base.T;
538 
539  const edwards_Fq3 A = X1 * X2; // A = X1*X2
540  const edwards_Fq3 B = Y1 * Y2; // B = Y1*Y2
541  const edwards_Fq3 C = Z1 * T2; // C = Z1*T2
542  const edwards_Fq3 D = T1 * Z2; // D = T1*Z2
543  const edwards_Fq3 E = D + C; // E = D+C
544  const edwards_Fq3 F =
545  (X1 - Y1) * (X2 + Y2) + B - A; // F = (X1-Y1)*(X2+Y2)+B-A
546  // G = B + twisted_edwards_a * A
547  const edwards_Fq3 G =
548  B +
549  edwards_G2::mul_by_a(A); // edwards_param_twist_coeff_a is 1*X for us
550  const edwards_Fq3 H = D - C; // H = D-C
551  const edwards_Fq3 I = T1 * T2; // I = T1*T2
552 
553  // c_ZZ = delta_3* ((T1-X1)*(T2+X2)-I+A)
554  cc.c_ZZ = edwards_G2::mul_by_a(
555  (T1 - X1) * (T2 + X2) - I +
556  A); // edwards_param_twist_coeff_a is 1*X for us
557 
558  cc.c_XY = X1 * Z2 - X2 * Z1 + F; // c_XY = X1*Z2-X2*Z1+F
559  cc.c_XZ = (Y1 - T1) * (Y2 + T2) - B + I - H; // c_XZ = (Y1-T1)*(Y2+T2)-B+I-H
560  current.X = E * F; // X3 = E*F
561  current.Y = G * H; // Y3 = G*H
562  current.Z = F * G; // Z3 = F*G
563  current.T = E * H; // T3 = E*H
564 
565 #ifdef DEBUG
566  current.test_invariant();
567 #endif
568 }
Here is the call graph for this function:

◆ full_addition_step_for_miller_loop()

void libff::full_addition_step_for_miller_loop ( const extended_edwards_G1_projective base,
extended_edwards_G1_projective current,
edwards_Fq_conic_coefficients cc 
)

Definition at line 301 of file edwards_pairing.cpp.

305 {
306  const edwards_Fq &X1 = current.X, &Y1 = current.Y, &Z1 = current.Z,
307  &T1 = current.T;
308  const edwards_Fq &X2 = base.X, &Y2 = base.Y, &Z2 = base.Z, &T2 = base.T;
309 
310  const edwards_Fq A = X1 * X2; // A = X1*X2
311  const edwards_Fq B = Y1 * Y2; // B = Y1*Y2
312  const edwards_Fq C = Z1 * T2; // C = Z1*T2
313  const edwards_Fq D = T1 * Z2; // D = T1*Z2
314  const edwards_Fq E = D + C; // E = D+C
315  const edwards_Fq F =
316  (X1 - Y1) * (X2 + Y2) + B - A; // F = (X1-Y1)*(X2+Y2)+B-A
317  const edwards_Fq G = B + A; // G = B + A (edwards_a=1)
318  const edwards_Fq H = D - C; // H = D-C
319  const edwards_Fq I = T1 * T2; // I = T1*T2
320 
321  cc.c_ZZ = (T1 - X1) * (T2 + X2) - I + A; // c_ZZ = (T1-X1)*(T2+X2)-I+A
322  cc.c_XY = X1 * Z2 - X2 * Z1 + F; // c_XY = X1*Z2-X2*Z1+F
323  cc.c_XZ = (Y1 - T1) * (Y2 + T2) - B + I - H; // c_XZ = (Y1-T1)*(Y2+T2)-B+I-H
324  current.X = E * F; // X3 = E*F
325  current.Y = G * H; // Y3 = G*H
326  current.Z = F * G; // Z3 = F*G
327  current.T = E * H; // T3 = E*H
328 
329 #ifdef DEBUG
330  current.test_invariant();
331 #endif
332 }
Here is the call graph for this function:

◆ g1_curve_point_at_x()

template<typename GroupT >
GroupT libff::g1_curve_point_at_x ( const typename GroupT::base_field &  x)

◆ g2_curve_point_at_x()

template<typename GroupT >
GroupT libff::g2_curve_point_at_x ( const typename GroupT::twist_field &  x)

◆ get_exp_window_size()

template<typename T >
size_t libff::get_exp_window_size ( const size_t  num_scalars)

Compute window size for the given number of scalars.

◆ get_nsec_cpu_time()

long long libff::get_nsec_cpu_time ( )

Definition at line 42 of file profiling.cpp.

43 {
44 #if _MSC_VER
45  return 0;
46 #else
47  ::timespec ts;
48  if (::clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &ts))
49  throw ::std::runtime_error(
50  "clock_gettime(CLOCK_PROCESS_CPUTIME_ID) failed");
51  // If we expected this to work, don't silently ignore failures, because that
52  // would hide the problem and incur an unnecessarily system-call overhead.
53  // So if we ever observe this exception, we should probably add a suitable
54  // #ifdef .
55  // TODO: clock_gettime(CLOCK_PROCESS_CPUTIME_ID) is not supported by native
56  // Windows. What about Cygwin? Should we #ifdef on CLOCK_PROCESS_CPUTIME_ID
57  // or on __linux__?
58  return ts.tv_sec * 1000000000ll + ts.tv_nsec;
59 #endif
60 }
Here is the caller graph for this function:

◆ get_nsec_time()

long long libff::get_nsec_time ( )

Definition at line 32 of file profiling.cpp.

33 {
34  auto timepoint = std::chrono::high_resolution_clock::now();
35  return std::chrono::duration_cast<std::chrono::nanoseconds>(
36  timepoint.time_since_epoch())
37  .count();
38 }
Here is the caller graph for this function:

◆ get_power_of_two()

size_t libff::get_power_of_two ( size_t  n)

Definition at line 19 of file utils.cpp.

20 {
21  n--;
22  n |= n >> 1;
23  n |= n >> 2;
24  n |= n >> 4;
25  n |= n >> 8;
26  n |= n >> 16;
27  n++;
28 
29  return n;
30 }

◆ get_root_of_unity() [1/2]

template<typename FieldT >
std::enable_if<std::is_same<FieldT, Double>::value, FieldT>::type libff::get_root_of_unity ( const size_t  n)

◆ get_root_of_unity() [2/2]

template<typename FieldT >
std::enable_if<!std::is_same<FieldT, Double>::value, FieldT>::type libff::get_root_of_unity ( const size_t  n)

◆ get_window_table()

template<typename T >
window_table<T> libff::get_window_table ( const size_t  scalar_size,
const size_t  window,
const T &  g 
)

Compute table of window sizes.

◆ group_read()

template<encoding_t Enc, form_t Form, compression_t Comp, typename GroupT >
void libff::group_read ( GroupT &  v,
std::istream &  in_s 
)

◆ group_write()

template<encoding_t Enc, form_t Form, compression_t Comp, typename GroupT >
void libff::group_write ( const GroupT &  v,
std::ostream &  out_s 
)

◆ has_root_of_unity() [1/2]

template<typename FieldT >
std::enable_if<std::is_same<FieldT, Double>::value, bool>::type libff::has_root_of_unity ( const size_t  n)

◆ has_root_of_unity() [2/2]

template<typename FieldT >
std::enable_if<!std::is_same<FieldT, Double>::value, bool>::type libff::has_root_of_unity ( const size_t  n)

◆ hex_to_bytes_reversed()

void libff::hex_to_bytes_reversed ( const std::string &  hex,
void *  dest,
size_t  bytes 
)

Definition at line 72 of file serialization.cpp.

73 {
74  if (bytes == 0) {
75  return;
76  }
77  const char *cur = find_hex_string_of_length(hex, bytes);
78  uint8_t *const dest_bytes_end = (uint8_t *)dest;
79  uint8_t *dest_bytes = dest_bytes_end + bytes;
80  do {
81  --dest_bytes;
82  *dest_bytes = chars_to_byte(cur);
83  cur += 2;
84  } while (dest_bytes > dest_bytes_end);
85 }

◆ init_alt_bn128_params()

void libff::init_alt_bn128_params ( )

Definition at line 32 of file alt_bn128_init.cpp.

33 {
34  typedef bigint<alt_bn128_r_limbs> bigint_r;
35  typedef bigint<alt_bn128_q_limbs> bigint_q;
36 
37  assert(
38  sizeof(mp_limb_t) == 8 ||
39  sizeof(mp_limb_t) == 4); // Montgomery assumes this
40 
41  /* parameters for scalar field Fr */
42 
43  alt_bn128_modulus_r = bigint_r("2188824287183927522224640574525727508854836"
44  "4400416034343698204186575808495617");
45  assert(alt_bn128_Fr::modulus_is_valid());
46  if (sizeof(mp_limb_t) == 8) {
47  alt_bn128_Fr::Rsquared =
48  bigint_r("944936681149208446651664254269745548490766851729442924617"
49  "792859073125903783");
50  alt_bn128_Fr::Rcubed =
51  bigint_r("586654854594384522748989487204024472040386810557878410528"
52  "1690076696998248512");
53  alt_bn128_Fr::inv = 0xc2e1f593efffffff;
54  }
55  if (sizeof(mp_limb_t) == 4) {
56  alt_bn128_Fr::Rsquared =
57  bigint_r("944936681149208446651664254269745548490766851729442924617"
58  "792859073125903783");
59  alt_bn128_Fr::Rcubed =
60  bigint_r("586654854594384522748989487204024472040386810557878410528"
61  "1690076696998248512");
62  alt_bn128_Fr::inv = 0xefffffff;
63  }
64  alt_bn128_Fr::num_bits = 254;
65  alt_bn128_Fr::euler = bigint_r("1094412143591963761112320287262863754427418"
66  "2200208017171849102093287904247808");
67  alt_bn128_Fr::s = 28;
68  alt_bn128_Fr::t = bigint_r(
69  "81540058820840996586704275553141814055101440848469862132140264610111");
70  alt_bn128_Fr::t_minus_1_over_2 = bigint_r(
71  "40770029410420498293352137776570907027550720424234931066070132305055");
72  alt_bn128_Fr::multiplicative_generator = alt_bn128_Fr("5");
73  alt_bn128_Fr::root_of_unity =
74  alt_bn128_Fr("191032190679217139442913928276920700361456519573292863153"
75  "05642004821462161904");
76  alt_bn128_Fr::nqr = alt_bn128_Fr("5");
77  alt_bn128_Fr::nqr_to_t =
78  alt_bn128_Fr("191032190679217139442913928276920700361456519573292863153"
79  "05642004821462161904");
80  alt_bn128_Fr::static_init();
81 
82  /* parameters for base field Fq */
83 
84  alt_bn128_modulus_q = bigint_q("2188824287183927522224640574525727508869631"
85  "1157297823662689037894645226208583");
86  assert(alt_bn128_Fq::modulus_is_valid());
87  if (sizeof(mp_limb_t) == 8) {
88  alt_bn128_Fq::Rsquared =
89  bigint_q("309661650298370392384356793683737445173554096841907652877"
90  "1170197431451843209");
91  alt_bn128_Fq::Rcubed =
92  bigint_q("149217865411596481859481527385630809590936198385102451777"
93  "10943249661917737183");
94  alt_bn128_Fq::inv = 0x87d20782e4866389;
95  }
96  if (sizeof(mp_limb_t) == 4) {
97  alt_bn128_Fq::Rsquared =
98  bigint_q("309661650298370392384356793683737445173554096841907652877"
99  "1170197431451843209");
100  alt_bn128_Fq::Rcubed =
101  bigint_q("149217865411596481859481527385630809590936198385102451777"
102  "10943249661917737183");
103  alt_bn128_Fq::inv = 0xe4866389;
104  }
105  alt_bn128_Fq::num_bits = 254;
106  alt_bn128_Fq::euler = bigint_q("1094412143591963761112320287262863754434815"
107  "5578648911831344518947322613104291");
108  alt_bn128_Fq::s = 1;
109  alt_bn128_Fq::t = bigint_q("10944121435919637611123202872628637544348155578"
110  "648911831344518947322613104291");
111  alt_bn128_Fq::t_minus_1_over_2 =
112  bigint_q("5472060717959818805561601436314318772174077789324455915672259"
113  "473661306552145");
114  alt_bn128_Fq::multiplicative_generator = alt_bn128_Fq("3");
115  alt_bn128_Fq::root_of_unity =
116  alt_bn128_Fq("218882428718392752222464057452572750886963111572978236626"
117  "89037894645226208582");
118  alt_bn128_Fq::nqr = alt_bn128_Fq("3");
119  alt_bn128_Fq::nqr_to_t =
120  alt_bn128_Fq("218882428718392752222464057452572750886963111572978236626"
121  "89037894645226208582");
122  alt_bn128_Fq::static_init();
123 
124  /* parameters for twist field Fq2 */
125  alt_bn128_Fq2::euler = bigint<2 * alt_bn128_q_limbs>(
126  "2395475880083114212209940226083393703996261582655504112182239011270350"
127  "4684318911872392052590971893598559411615740655013091812781706979347432"
128  "3196511433944");
129  alt_bn128_Fq2::s = 4;
130  alt_bn128_Fq2::t = bigint<2 * alt_bn128_q_limbs>(
131  "2994344850103892765262425282604242129995326978319380140227798764087938"
132  "0855398639840490065738714866998199264519675818766364765977133724184290"
133  "399563929243");
134  alt_bn128_Fq2::t_minus_1_over_2 = bigint<2 * alt_bn128_q_limbs>(
135  "1497172425051946382631212641302121064997663489159690070113899382043969"
136  "0427699319920245032869357433499099632259837909383182382988566862092145"
137  "199781964621");
138  alt_bn128_Fq2::non_residue =
139  alt_bn128_Fq("218882428718392752222464057452572750886963111572978236626"
140  "89037894645226208582");
141  alt_bn128_Fq2::nqr = alt_bn128_Fq2(alt_bn128_Fq("2"), alt_bn128_Fq("1"));
142  alt_bn128_Fq2::nqr_to_t = alt_bn128_Fq2(
143  alt_bn128_Fq("503350371626262426731249255837998268717520073493487759859"
144  "9011485707452665730"),
145  alt_bn128_Fq("314498342015008975724433667930697407966947188435857772134"
146  "235984660852259084"));
147  alt_bn128_Fq2::Frobenius_coeffs_c1[0] = alt_bn128_Fq("1");
148  alt_bn128_Fq2::Frobenius_coeffs_c1[1] =
149  alt_bn128_Fq("218882428718392752222464057452572750886963111572978236626"
150  "89037894645226208582");
151  alt_bn128_Fq2::static_init();
152 
153  /* parameters for Fq6 */
154  alt_bn128_Fq6::non_residue =
155  alt_bn128_Fq2(alt_bn128_Fq("9"), alt_bn128_Fq("1"));
156  alt_bn128_Fq6::Frobenius_coeffs_c1[0] =
157  alt_bn128_Fq2(alt_bn128_Fq("1"), alt_bn128_Fq("0"));
158  alt_bn128_Fq6::Frobenius_coeffs_c1[1] = alt_bn128_Fq2(
159  alt_bn128_Fq("215754636382808430103983242694308260992690442743472168272"
160  "12613867836435027261"),
161  alt_bn128_Fq("103076015958737097001522842738161122640692301306164367556"
162  "25194854815875713954"));
163  alt_bn128_Fq6::Frobenius_coeffs_c1[2] = alt_bn128_Fq2(
164  alt_bn128_Fq("218882428718392752200424452601091531672777074144720616417"
165  "14758635765020556616"),
166  alt_bn128_Fq("0"));
167  alt_bn128_Fq6::Frobenius_coeffs_c1[3] = alt_bn128_Fq2(
168  alt_bn128_Fq("377200088191985377643369518671385823900907359381719577177"
169  "3381919316419345261"),
170  alt_bn128_Fq("223659549596724518828170124820318179512106890260586122785"
171  "5261137820944008926"));
172  alt_bn128_Fq6::Frobenius_coeffs_c1[4] = alt_bn128_Fq2(
173  alt_bn128_Fq(
174  "2203960485148121921418603742825762020974279258880205651966"),
175  alt_bn128_Fq("0"));
176  alt_bn128_Fq6::Frobenius_coeffs_c1[5] = alt_bn128_Fq2(
177  alt_bn128_Fq("184290212234778536576607920343698658391145044464312347263"
178  "92080002137598044644"),
179  alt_bn128_Fq("934404577999832033381242022323798102950601212407552567920"
180  "8581902008406485703"));
181  alt_bn128_Fq6::Frobenius_coeffs_c2[0] =
182  alt_bn128_Fq2(alt_bn128_Fq("1"), alt_bn128_Fq("0"));
183  alt_bn128_Fq6::Frobenius_coeffs_c2[1] = alt_bn128_Fq2(
184  alt_bn128_Fq("258191134446700933526731111546880309955166560507619674086"
185  "7805258568234346338"),
186  alt_bn128_Fq("199377569717756479879959321699293419943146406529649494483"
187  "13374472400716661030"));
188  alt_bn128_Fq6::Frobenius_coeffs_c2[2] = alt_bn128_Fq2(
189  alt_bn128_Fq(
190  "2203960485148121921418603742825762020974279258880205651966"),
191  alt_bn128_Fq("0"));
192  alt_bn128_Fq6::Frobenius_coeffs_c2[3] = alt_bn128_Fq2(
193  alt_bn128_Fq("532447920244990354272678339550621448192825776240064327978"
194  "0343368557297135718"),
195  alt_bn128_Fq("162089003807376930849194951273343879813937264198568887999"
196  "17914180988844123039"));
197  alt_bn128_Fq6::Frobenius_coeffs_c2[4] = alt_bn128_Fq2(
198  alt_bn128_Fq("218882428718392752200424452601091531672777074144720616417"
199  "14758635765020556616"),
200  alt_bn128_Fq("0"));
201  alt_bn128_Fq6::Frobenius_coeffs_c2[5] = alt_bn128_Fq2(
202  alt_bn128_Fq("139818523249223623442523112342822575072163877898209836420"
203  "40889267519694726527"),
204  alt_bn128_Fq("762982839116520937157738419325082020168425524177380907714"
205  "6787135900891633097"));
206 
207  /* parameters for Fq12 */
208 
209  alt_bn128_Fq12::non_residue =
210  alt_bn128_Fq2(alt_bn128_Fq("9"), alt_bn128_Fq("1"));
211  alt_bn128_Fq12::Frobenius_coeffs_c1[0] =
212  alt_bn128_Fq2(alt_bn128_Fq("1"), alt_bn128_Fq("0"));
213  alt_bn128_Fq12::Frobenius_coeffs_c1[1] = alt_bn128_Fq2(
214  alt_bn128_Fq("837611886576382149658397386762636409258990606586829877690"
215  "9617916018768340080"),
216  alt_bn128_Fq("164698233230778082238891372411765367990092866461081699356"
217  "59301613961712198316"));
218  alt_bn128_Fq12::Frobenius_coeffs_c1[2] = alt_bn128_Fq2(
219  alt_bn128_Fq("218882428718392752200424452601091531672777074144720616417"
220  "14758635765020556617"),
221  alt_bn128_Fq("0"));
222  alt_bn128_Fq12::Frobenius_coeffs_c1[3] = alt_bn128_Fq2(
223  alt_bn128_Fq("116974234963581543048257829225847253129123834411595050387"
224  "94027105778954184319"),
225  alt_bn128_Fq("303847389135065887422783454877609941456349188919719272345"
226  "083954437860409601"));
227  alt_bn128_Fq12::Frobenius_coeffs_c1[4] = alt_bn128_Fq2(
228  alt_bn128_Fq("218882428718392752200424452601091531672777074144720616417"
229  "14758635765020556616"),
230  alt_bn128_Fq("0"));
231  alt_bn128_Fq12::Frobenius_coeffs_c1[5] = alt_bn128_Fq2(
232  alt_bn128_Fq("332130463059433280824180905495836122032247737529120626188"
233  "4409189760185844239"),
234  alt_bn128_Fq("572226693789653288578005195895834823114337370010937299937"
235  "4820235121374419868"));
236  alt_bn128_Fq12::Frobenius_coeffs_c1[6] = alt_bn128_Fq2(
237  alt_bn128_Fq("218882428718392752222464057452572750886963111572978236626"
238  "89037894645226208582"),
239  alt_bn128_Fq("0"));
240  alt_bn128_Fq12::Frobenius_coeffs_c1[7] = alt_bn128_Fq2(
241  alt_bn128_Fq("135121240060754537256624318776309109961064050914295248857"
242  "79419978626457868503"),
243  alt_bn128_Fq("541841954876146699835726850408073828968702451118965372702"
244  "9736280683514010267"));
245  alt_bn128_Fq12::Frobenius_coeffs_c1[8] = alt_bn128_Fq2(
246  alt_bn128_Fq(
247  "2203960485148121921418603742825762020974279258880205651966"),
248  alt_bn128_Fq("0"));
249  alt_bn128_Fq12::Frobenius_coeffs_c1[9] = alt_bn128_Fq2(
250  alt_bn128_Fq("101908193754811209174206228226725497757839277161383186238"
251  "95010788866272024264"),
252  alt_bn128_Fq("215843954827042093348236222903796651472399619683781043903"
253  "43953940207365798982"));
254  alt_bn128_Fq12::Frobenius_coeffs_c1[10] = alt_bn128_Fq2(
255  alt_bn128_Fq(
256  "2203960485148121921418603742825762020974279258880205651967"),
257  alt_bn128_Fq("0"));
258  alt_bn128_Fq12::Frobenius_coeffs_c1[11] = alt_bn128_Fq2(
259  alt_bn128_Fq("185669382412449424140045966902989138683738337820066174008"
260  "04628704885040364344"),
261  alt_bn128_Fq("161659759339427423364663537862989268575529374571884506633"
262  "14217659523851788715"));
263 
264  /* choice of short Weierstrass curve and its twist */
265 
266  alt_bn128_coeff_b = alt_bn128_Fq("3");
267  alt_bn128_twist = alt_bn128_Fq2(alt_bn128_Fq("9"), alt_bn128_Fq("1"));
268  alt_bn128_twist_coeff_b = alt_bn128_coeff_b * alt_bn128_twist.inverse();
269  alt_bn128_twist_mul_by_b_c0 =
270  alt_bn128_coeff_b * alt_bn128_Fq2::non_residue;
271  alt_bn128_twist_mul_by_b_c1 =
272  alt_bn128_coeff_b * alt_bn128_Fq2::non_residue;
273  alt_bn128_twist_mul_by_q_X = alt_bn128_Fq2(
274  alt_bn128_Fq("215754636382808430103983242694308260992690442743472168272"
275  "12613867836435027261"),
276  alt_bn128_Fq("103076015958737097001522842738161122640692301306164367556"
277  "25194854815875713954"));
278  alt_bn128_twist_mul_by_q_Y = alt_bn128_Fq2(
279  alt_bn128_Fq("282156518219453684454815956169350265935961718524412036707"
280  "8079554186484126554"),
281  alt_bn128_Fq("350584376791155637868703030998424884554024350989925964101"
282  "3678093033130930403"));
283 
284  /* choice of group G1 */
285 
286  // Identities
287  alt_bn128_G1::G1_zero = alt_bn128_G1(
288  alt_bn128_Fq::zero(), alt_bn128_Fq::one(), alt_bn128_Fq::zero());
289  alt_bn128_G1::G1_one =
290  alt_bn128_G1(alt_bn128_Fq("1"), alt_bn128_Fq("2"), alt_bn128_Fq::one());
291 
292  // Curve coeffs
293  alt_bn128_G1::coeff_a = alt_bn128_Fq::zero();
294  alt_bn128_G1::coeff_b = alt_bn128_coeff_b;
295 
296  // Cofactor
297  alt_bn128_G1::h = bigint<alt_bn128_G1::h_limbs>("1");
298 
299  // WNAF
300  alt_bn128_G1::wnaf_window_table.resize(0);
301  alt_bn128_G1::wnaf_window_table.push_back(11);
302  alt_bn128_G1::wnaf_window_table.push_back(24);
303  alt_bn128_G1::wnaf_window_table.push_back(60);
304  alt_bn128_G1::wnaf_window_table.push_back(127);
305 
306  alt_bn128_G1::fixed_base_exp_window_table.resize(0);
307  // window 1 is unbeaten in [-inf, 4.99]
308  alt_bn128_G1::fixed_base_exp_window_table.push_back(1);
309  // window 2 is unbeaten in [4.99, 10.99]
310  alt_bn128_G1::fixed_base_exp_window_table.push_back(5);
311  // window 3 is unbeaten in [10.99, 32.29]
312  alt_bn128_G1::fixed_base_exp_window_table.push_back(11);
313  // window 4 is unbeaten in [32.29, 55.23]
314  alt_bn128_G1::fixed_base_exp_window_table.push_back(32);
315  // window 5 is unbeaten in [55.23, 162.03]
316  alt_bn128_G1::fixed_base_exp_window_table.push_back(55);
317  // window 6 is unbeaten in [162.03, 360.15]
318  alt_bn128_G1::fixed_base_exp_window_table.push_back(162);
319  // window 7 is unbeaten in [360.15, 815.44]
320  alt_bn128_G1::fixed_base_exp_window_table.push_back(360);
321  // window 8 is unbeaten in [815.44, 2373.07]
322  alt_bn128_G1::fixed_base_exp_window_table.push_back(815);
323  // window 9 is unbeaten in [2373.07, 6977.75]
324  alt_bn128_G1::fixed_base_exp_window_table.push_back(2373);
325  // window 10 is unbeaten in [6977.75, 7122.23]
326  alt_bn128_G1::fixed_base_exp_window_table.push_back(6978);
327  // window 11 is unbeaten in [7122.23, 57818.46]
328  alt_bn128_G1::fixed_base_exp_window_table.push_back(7122);
329  // window 12 is never the best
330  alt_bn128_G1::fixed_base_exp_window_table.push_back(0);
331  // window 13 is unbeaten in [57818.46, 169679.14]
332  alt_bn128_G1::fixed_base_exp_window_table.push_back(57818);
333  // window 14 is never the best
334  alt_bn128_G1::fixed_base_exp_window_table.push_back(0);
335  // window 15 is unbeaten in [169679.14, 439758.91]
336  alt_bn128_G1::fixed_base_exp_window_table.push_back(169679);
337  // window 16 is unbeaten in [439758.91, 936073.41]
338  alt_bn128_G1::fixed_base_exp_window_table.push_back(439759);
339  // window 17 is unbeaten in [936073.41, 4666554.74]
340  alt_bn128_G1::fixed_base_exp_window_table.push_back(936073);
341  // window 18 is never the best
342  alt_bn128_G1::fixed_base_exp_window_table.push_back(0);
343  // window 19 is unbeaten in [4666554.74, 7580404.42]
344  alt_bn128_G1::fixed_base_exp_window_table.push_back(4666555);
345  // window 20 is unbeaten in [7580404.42, 34552892.20]
346  alt_bn128_G1::fixed_base_exp_window_table.push_back(7580404);
347  // window 21 is never the best
348  alt_bn128_G1::fixed_base_exp_window_table.push_back(0);
349  // window 22 is unbeaten in [34552892.20, inf]
350  alt_bn128_G1::fixed_base_exp_window_table.push_back(34552892);
351 
352  /* choice of group G2 */
353 
354  // Identities
355  alt_bn128_G2::G2_zero = alt_bn128_G2(
356  alt_bn128_Fq2::zero(), alt_bn128_Fq2::one(), alt_bn128_Fq2::zero());
357 
358  alt_bn128_G2::G2_one = alt_bn128_G2(
359  alt_bn128_Fq2(
360  alt_bn128_Fq("10857046999023057135944570762232829481370756359578518"
361  "086990519993285655852781"),
362  alt_bn128_Fq("11559732032986387107991004021392285783925812861821192"
363  "530917403151452391805634")),
364  alt_bn128_Fq2(
365  alt_bn128_Fq("84956539231234314176049732474892724384181905872636001"
366  "48770280649306958101930"),
367  alt_bn128_Fq("40823678758634336813322034031454355683168513275934012"
368  "08105741076214120093531")),
369  alt_bn128_Fq2::one());
370 
371  // Curve coeffs
372  alt_bn128_G2::coeff_a = alt_bn128_Fq2::zero();
373  alt_bn128_G2::coeff_b = alt_bn128_twist_coeff_b;
374 
375  // Cofactor
376  // [Sage excerpt]
377  // u = 4965661367192848881
378  // h2 = (36 * u^4) + (36 * u^3) + (30 * u^2) + 6*u + 1; h2
379  // #
380  // 21888242871839275222246405745257275088844257914179612981679871602714643921549
381  alt_bn128_G2::h =
382  bigint<alt_bn128_G2::h_limbs>("2188824287183927522224640574525727508884"
383  "4257914179612981679871602714643921549");
384 
385  // WNAF
386  alt_bn128_G2::wnaf_window_table.resize(0);
387  alt_bn128_G2::wnaf_window_table.push_back(5);
388  alt_bn128_G2::wnaf_window_table.push_back(15);
389  alt_bn128_G2::wnaf_window_table.push_back(39);
390  alt_bn128_G2::wnaf_window_table.push_back(109);
391 
392  alt_bn128_G2::fixed_base_exp_window_table.resize(0);
393  // window 1 is unbeaten in [-inf, 5.10]
394  alt_bn128_G2::fixed_base_exp_window_table.push_back(1);
395  // window 2 is unbeaten in [5.10, 10.43]
396  alt_bn128_G2::fixed_base_exp_window_table.push_back(5);
397  // window 3 is unbeaten in [10.43, 25.28]
398  alt_bn128_G2::fixed_base_exp_window_table.push_back(10);
399  // window 4 is unbeaten in [25.28, 59.00]
400  alt_bn128_G2::fixed_base_exp_window_table.push_back(25);
401  // window 5 is unbeaten in [59.00, 154.03]
402  alt_bn128_G2::fixed_base_exp_window_table.push_back(59);
403  // window 6 is unbeaten in [154.03, 334.25]
404  alt_bn128_G2::fixed_base_exp_window_table.push_back(154);
405  // window 7 is unbeaten in [334.25, 742.58]
406  alt_bn128_G2::fixed_base_exp_window_table.push_back(334);
407  // window 8 is unbeaten in [742.58, 2034.40]
408  alt_bn128_G2::fixed_base_exp_window_table.push_back(743);
409  // window 9 is unbeaten in [2034.40, 4987.56]
410  alt_bn128_G2::fixed_base_exp_window_table.push_back(2034);
411  // window 10 is unbeaten in [4987.56, 8888.27]
412  alt_bn128_G2::fixed_base_exp_window_table.push_back(4988);
413  // window 11 is unbeaten in [8888.27, 26271.13]
414  alt_bn128_G2::fixed_base_exp_window_table.push_back(8888);
415  // window 12 is unbeaten in [26271.13, 39768.20]
416  alt_bn128_G2::fixed_base_exp_window_table.push_back(26271);
417  // window 13 is unbeaten in [39768.20, 106275.75]
418  alt_bn128_G2::fixed_base_exp_window_table.push_back(39768);
419  // window 14 is unbeaten in [106275.75, 141703.40]
420  alt_bn128_G2::fixed_base_exp_window_table.push_back(106276);
421  // window 15 is unbeaten in [141703.40, 462422.97]
422  alt_bn128_G2::fixed_base_exp_window_table.push_back(141703);
423  // window 16 is unbeaten in [462422.97, 926871.84]
424  alt_bn128_G2::fixed_base_exp_window_table.push_back(462423);
425  // window 17 is unbeaten in [926871.84, 4873049.17]
426  alt_bn128_G2::fixed_base_exp_window_table.push_back(926872);
427  // window 18 is never the best
428  alt_bn128_G2::fixed_base_exp_window_table.push_back(0);
429  // window 19 is unbeaten in [4873049.17, 5706707.88]
430  alt_bn128_G2::fixed_base_exp_window_table.push_back(4873049);
431  // window 20 is unbeaten in [5706707.88, 31673814.95]
432  alt_bn128_G2::fixed_base_exp_window_table.push_back(5706708);
433  // window 21 is never the best
434  alt_bn128_G2::fixed_base_exp_window_table.push_back(0);
435  // window 22 is unbeaten in [31673814.95, inf]
436  alt_bn128_G2::fixed_base_exp_window_table.push_back(31673815);
437 
438  /* pairing parameters */
439 
440  alt_bn128_ate_loop_count = bigint_q("29793968203157093288");
441  alt_bn128_ate_is_loop_count_neg = false;
442  alt_bn128_final_exponent = bigint<12 * alt_bn128_q_limbs>(
443  "5524842336132240963126171267831731470973821037629576541888827343141969"
444  "1083990754121397450276154062981700960854865468034362770115382944674781"
445  "0907373256841551006201639677726139946029199968412598804882391702273019"
446  "0836532720475663165843655597764930274954582383739028759376599435048732"
447  "2055416155052592630230333174746351564471187665317712957830319109590090"
448  "9191624817826566688241804408081892785725967931714097716709526092261278"
449  "0719525601711114440720492291235650574837501614600243533462841672824527"
450  "5621766233552881351913980829117053907212538123081572907154486160275093"
451  "6964829313608137325426383735122175229541155376346436093930287402089517"
452  "4269731789175697133847480818272554725769374714961957527271882614356332"
453  "7123871013173609629979816885292554054934233077527987700678435480142224"
454  "972257378356168517961881648003769500551542616236243107224563832474448"
455  "0");
456  alt_bn128_final_exponent_z = bigint_q("4965661367192848881");
457  alt_bn128_final_exponent_is_z_neg = false;
458 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_bls12_377_params()

void libff::init_bls12_377_params ( )

Definition at line 50 of file bls12_377_init.cpp.

51 {
52  typedef bigint<bls12_377_r_limbs> bigint_r;
53  typedef bigint<bls12_377_q_limbs> bigint_q;
54 
55  // Montgomery assumes this
56  assert(sizeof(mp_limb_t) == 8 || sizeof(mp_limb_t) == 4);
57 
58  // Parameters for scalar field Fr
59  // r = 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001
60  bls12_377_modulus_r = bigint_r("8444461749428370424248824938781546531375899"
61  "335154063827935233455917409239041");
62  assert(bls12_377_Fr::modulus_is_valid());
63  // 64-bit architecture
64  if (sizeof(mp_limb_t) == 8) {
65  bls12_377_Fr::Rsquared =
66  bigint_r("508595941311779472113692600146818027278633330499214071737"
67  "745792929336755579");
68  bls12_377_Fr::Rcubed =
69  bigint_r("271718748542331355632020787121653842635320109739890963908"
70  "6937135091399607628");
71  bls12_377_Fr::inv = 0xa117fffffffffff;
72  }
73  // 32-bit architecture
74  if (sizeof(mp_limb_t) == 4) {
75  bls12_377_Fr::Rsquared =
76  bigint_r("508595941311779472113692600146818027278633330499214071737"
77  "745792929336755579");
78  bls12_377_Fr::Rcubed =
79  bigint_r("271718748542331355632020787121653842635320109739890963908"
80  "6937135091399607628");
81  bls12_377_Fr::inv = 0xffffffff;
82  }
83  bls12_377_Fr::num_bits = 253;
84  bls12_377_Fr::euler = bigint_r("4222230874714185212124412469390773265687949"
85  "667577031913967616727958704619520");
86  bls12_377_Fr::s = 47;
87  bls12_377_Fr::t = bigint_r(
88  "60001509534603559531609739528203892656505753216962260608619555");
89  bls12_377_Fr::t_minus_1_over_2 = bigint_r(
90  "30000754767301779765804869764101946328252876608481130304309777");
91  bls12_377_Fr::multiplicative_generator = bls12_377_Fr("22");
92  bls12_377_Fr::root_of_unity =
93  bls12_377_Fr("806515965671681287737496751840327346652143269366181061997"
94  "9959746626482506078");
95  bls12_377_Fr::nqr = bls12_377_Fr("11");
96  bls12_377_Fr::nqr_to_t =
97  bls12_377_Fr("692488678884788206012306650822351907723216075069845241107"
98  "1850219367055984476");
99  bls12_377_Fr::static_init();
100 
101  // Parameters for base field Fq
102  // q =
103  // 0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
104  // sage:
105  // mod(0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001,
106  // 6) # = 1
107  bls12_377_modulus_q =
108  bigint_q("2586644260129690940106527336948935335363935127549146605398842"
109  "62666720468348340822774968888139573360124440321458177");
110  assert(bls12_377_Fq::modulus_is_valid());
111  if (sizeof(mp_limb_t) == 8) {
112  bls12_377_Fq::Rsquared = bigint_q(
113  "661274283768726978163325701168662324052305289846649183196063154202"
114  "33909940404532140033099444330447428417853902114");
115  bls12_377_Fq::Rcubed = bigint_q(
116  "157734475176213061358192738313701451942220138363611391489992831740"
117  "412033225490229541667992423878570205050777755168");
118  bls12_377_Fq::inv = 0x8508bfffffffffff;
119  }
120  if (sizeof(mp_limb_t) == 4) {
121  bls12_377_Fq::Rsquared = bigint_q(
122  "661274283768726978163325701168662324052305289846649183196063154202"
123  "33909940404532140033099444330447428417853902114");
124  bls12_377_Fq::Rcubed = bigint_q(
125  "157734475176213061358192738313701451942220138363611391489992831740"
126  "412033225490229541667992423878570205050777755168");
127  bls12_377_Fq::inv = 0xffffffff;
128  }
129 
130  bls12_377_Fq::num_bits = 377;
131  bls12_377_Fq::euler =
132  bigint_q("1293322130064845470053263668474467667681967563774573302699421"
133  "31333360234174170411387484444069786680062220160729088");
134  bls12_377_Fq::s = 46;
135  bls12_377_Fq::t =
136  bigint_q("3675842578061421676390135839012792950148785745837396071634149"
137  "488243117337281387659330802195819009059");
138  bls12_377_Fq::t_minus_1_over_2 =
139  bigint_q("1837921289030710838195067919506396475074392872918698035817074"
140  "744121558668640693829665401097909504529");
141  bls12_377_Fq::multiplicative_generator = bls12_377_Fq("15");
142  bls12_377_Fq::root_of_unity = bls12_377_Fq(
143  "3286357854725450502960126193986832566977050893937512246290474576635225"
144  "6812585773382134936404344547323199885654433");
145  // We need to find a qnr (small preferably) in order to compute square roots
146  // in the field
147  bls12_377_Fq::nqr = bls12_377_Fq("5");
148  bls12_377_Fq::nqr_to_t = bls12_377_Fq(
149  "3377495600822765621977587665628813354707861049382861377725882934574055"
150  "6592044969439504850374928261397247202212840");
151  bls12_377_Fq::static_init();
152 
153  // Parameters for twist field Fq2
154  bls12_377_Fq2::euler = bigint<2 * bls12_377_q_limbs>(
155  "3345364264230938125808962594624906928800576001088647925307095745329795"
156  "7116339370141113413635838485065209570299254148838549585056123015878375"
157  "0227249980418287852270900634666582330594333230337725133219903165601670"
158  "27213559780081664");
159  bls12_377_Fq2::s = 47;
160  bls12_377_Fq2::t = bigint<2 * bls12_377_q_limbs>(
161  "4754048552841450893153254632217264839938161459668674418291936583116517"
162  "6127142572882339399080590404004751647874022280630227875599477749628896"
163  "1383541476974255391881599499962735436887347234371823579436839914935817"
164  "251");
165  bls12_377_Fq2::t_minus_1_over_2 = bigint<2 * bls12_377_q_limbs>(
166  "2377024276420725446576627316108632419969080729834337209145968291558258"
167  "8063571286441169699540295202002375823937011140315113937799738874814448"
168  "0691770738487127695940799749981367718443673617185911789718419957467908"
169  "625");
170  // https://github.com/scipr-lab/zexe/blob/6bfe574f7adea14b97ff554bbb594988635b1908/algebra/src/bls12_377/fields/fq2.rs#L11
171  // Additive inverse of 5 in GF(q)
172  // sage: GF(q)(-5)
173  // Fp2 = Fp[X] / (X^2 - (-5)))
174  bls12_377_Fq2::non_residue = bls12_377_Fq(
175  "2586644260129690940106527336948935335363935127549146605398842626667204"
176  "68348340822774968888139573360124440321458172");
177  bls12_377_Fq2::nqr = bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
178  bls12_377_Fq2::nqr_to_t = bls12_377_Fq2(
179  bls12_377_Fq("0"),
180  bls12_377_Fq(
181  "257286236321774568987262729980034669694531728092793737444525294935"
182  "421142460394028155736019924956637466133519652786"));
183  bls12_377_Fq2::Frobenius_coeffs_c1[0] = bls12_377_Fq("1");
184  bls12_377_Fq2::Frobenius_coeffs_c1[1] = bls12_377_Fq(
185  "2586644260129690940106527336948935335363935127549146605398842626667204"
186  "68348340822774968888139573360124440321458176");
187  bls12_377_Fq2::static_init();
188 
189  // Parameters for Fq6 = (Fq2)^3
190  bls12_377_Fq6::non_residue =
191  bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
192  bls12_377_Fq6::Frobenius_coeffs_c1[0] =
193  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
194  bls12_377_Fq6::Frobenius_coeffs_c1[1] = bls12_377_Fq2(
195  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
196  "37287262712535938301461879813459410946"),
197  bls12_377_Fq("0"));
198  bls12_377_Fq6::Frobenius_coeffs_c1[2] = bls12_377_Fq2(
199  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
200  "37287262712535938301461879813459410945"),
201  bls12_377_Fq("0"));
202  bls12_377_Fq6::Frobenius_coeffs_c1[3] = bls12_377_Fq2(
203  bls12_377_Fq(
204  "258664426012969094010652733694893533536393512754914660539884262666"
205  "720468348340822774968888139573360124440321458176"),
206  bls12_377_Fq("0"));
207  bls12_377_Fq6::Frobenius_coeffs_c1[4] = bls12_377_Fq2(
208  bls12_377_Fq(
209  "258664426012969093929703085429980814127835149614277183275038967946"
210  "009968870203535512256352201271898244626862047231"),
211  bls12_377_Fq("0"));
212  bls12_377_Fq6::Frobenius_coeffs_c1[5] = bls12_377_Fq2(
213  bls12_377_Fq(
214  "258664426012969093929703085429980814127835149614277183275038967946"
215  "009968870203535512256352201271898244626862047232"),
216  bls12_377_Fq("0"));
217  bls12_377_Fq6::Frobenius_coeffs_c2[0] =
218  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
219  bls12_377_Fq6::Frobenius_coeffs_c2[1] = bls12_377_Fq2(
220  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
221  "37287262712535938301461879813459410945"),
222  bls12_377_Fq("0"));
223  bls12_377_Fq6::Frobenius_coeffs_c2[2] = bls12_377_Fq2(
224  bls12_377_Fq(
225  "258664426012969093929703085429980814127835149614277183275038967946"
226  "009968870203535512256352201271898244626862047231"),
227  bls12_377_Fq("0"));
228  bls12_377_Fq6::Frobenius_coeffs_c2[3] =
229  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
230  bls12_377_Fq6::Frobenius_coeffs_c2[4] = bls12_377_Fq2(
231  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
232  "37287262712535938301461879813459410945"),
233  bls12_377_Fq("0"));
234  bls12_377_Fq6::Frobenius_coeffs_c2[5] = bls12_377_Fq2(
235  bls12_377_Fq(
236  "258664426012969093929703085429980814127835149614277183275038967946"
237  "009968870203535512256352201271898244626862047231"),
238  bls12_377_Fq("0"));
239 
240  // Parameters for Fq12 = ((Fq2)^3)^2
241  bls12_377_Fq12::non_residue =
242  bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
243  bls12_377_Fq12::Frobenius_coeffs_c1[0] =
244  bls12_377_Fq2(bls12_377_Fq("1"), bls12_377_Fq("0"));
245  bls12_377_Fq12::Frobenius_coeffs_c1[1] = bls12_377_Fq2(
246  bls12_377_Fq(
247  "929493452202778647586249605064731826779530489092832489809601043817"
248  "95901929519566951595905490535835115111760994353"),
249  bls12_377_Fq("0"));
250  bls12_377_Fq12::Frobenius_coeffs_c1[2] = bls12_377_Fq2(
251  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
252  "37287262712535938301461879813459410946"),
253  bls12_377_Fq("0"));
254  bls12_377_Fq12::Frobenius_coeffs_c1[3] = bls12_377_Fq2(
255  bls12_377_Fq(
256  "216465761340224619389371505802605247630151569547285782856803747159"
257  "100223055385581585702401816380679166954762214499"),
258  bls12_377_Fq("0"));
259  bls12_377_Fq12::Frobenius_coeffs_c1[4] = bls12_377_Fq2(
260  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
261  "37287262712535938301461879813459410945"),
262  bls12_377_Fq("0"));
263  bls12_377_Fq12::Frobenius_coeffs_c1[5] = bls12_377_Fq2(
264  bls12_377_Fq(
265  "123516416119946754630746545296132064952198520638002533875843642777"
266  "304321125866014634106496325844844051843001220146"),
267  bls12_377_Fq("0"));
268  bls12_377_Fq12::Frobenius_coeffs_c1[6] = bls12_377_Fq2(
269  bls12_377_Fq(
270  "258664426012969094010652733694893533536393512754914660539884262666"
271  "720468348340822774968888139573360124440321458176"),
272  bls12_377_Fq("0"));
273  bls12_377_Fq12::Frobenius_coeffs_c1[7] = bls12_377_Fq2(
274  bls12_377_Fq(
275  "165715080792691229252027773188420350858440463845631411558924158284"
276  "924566418821255823372982649037525009328560463824"),
277  bls12_377_Fq("0"));
278  bls12_377_Fq12::Frobenius_coeffs_c1[8] = bls12_377_Fq2(
279  bls12_377_Fq(
280  "258664426012969093929703085429980814127835149614277183275038967946"
281  "009968870203535512256352201271898244626862047231"),
282  bls12_377_Fq("0"));
283  bls12_377_Fq12::Frobenius_coeffs_c1[9] = bls12_377_Fq2(
284  bls12_377_Fq(
285  "421986646727444746212812278922882859062419432076288776830805155076"
286  "20245292955241189266486323192680957485559243678"),
287  bls12_377_Fq("0"));
288  bls12_377_Fq12::Frobenius_coeffs_c1[10] = bls12_377_Fq2(
289  bls12_377_Fq(
290  "258664426012969093929703085429980814127835149614277183275038967946"
291  "009968870203535512256352201271898244626862047232"),
292  bls12_377_Fq("0"));
293  bls12_377_Fq12::Frobenius_coeffs_c1[11] = bls12_377_Fq2(
294  bls12_377_Fq(
295  "135148009893022339379906188398761468584194992116912126664040619889"
296  "416147222474808140862391813728516072597320238031"),
297  bls12_377_Fq("0"));
298 
299  // Choice of short Weierstrass curve and its twist
300  // E(Fq): y^2 = x^3 + 1
301  bls12_377_coeff_b = bls12_377_Fq("1");
302  // We use a type-D twist here, E'(Fq2): y^2 = x^3 + 1/u
303  bls12_377_twist = bls12_377_Fq2(bls12_377_Fq("0"), bls12_377_Fq("1"));
304  bls12_377_twist_coeff_b = bls12_377_coeff_b * bls12_377_twist.inverse();
305 
306  bls12_377_twist_mul_by_b_c0 =
307  bls12_377_coeff_b * bls12_377_Fq2::non_residue;
308  bls12_377_twist_mul_by_b_c1 =
309  bls12_377_coeff_b * bls12_377_Fq2::non_residue;
310  bls12_377_twist_mul_by_q_X = bls12_377_Fq2(
311  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
312  "37287262712535938301461879813459410946"),
313  bls12_377_Fq("0"));
314  bls12_377_twist_mul_by_q_Y = bls12_377_Fq2(
315  bls12_377_Fq(
316  "216465761340224619389371505802605247630151569547285782856803747159"
317  "100223055385581585702401816380679166954762214499"),
318  bls12_377_Fq("0"));
319 
320  // Choice of group G1
321  // Identities
322  bls12_377_G1::G1_zero = bls12_377_G1(
323  bls12_377_Fq::zero(), bls12_377_Fq::one(), bls12_377_Fq::zero());
324  bls12_377_G1::G1_one = bls12_377_G1(
325  bls12_377_Fq(
326  "819379993731509642399382555734659482399886715026479765942196956448"
327  "55304257327692006745978603320413799295628339695"),
328  bls12_377_Fq(
329  "241266749859715473739788878240585681733927191168601896383759122102"
330  "112907357779751001206799952863815012735208165030"),
331  bls12_377_Fq::one());
332 
333  // Curve coeffs
334  bls12_377_G1::coeff_a = bls12_377_Fq::zero();
335  bls12_377_G1::coeff_b = bls12_377_coeff_b;
336 
337  // Trace of Frobenius
338  bls12_377_trace_of_frobenius = bigint_r("9586122913090633730");
339 
340  // Cofactor
341  bls12_377_G1::h =
342  bigint<bls12_377_G1::h_limbs>("30631250834960419227450344600217059328");
343 
344  // G1 fast subgroup check: 0 == [c0]P + [c1]sigma(P)
345  bls12_377_g1_endomorphism_beta =
346  bls12_377_Fq("809496482649127194085583631406374772648452947207104994781"
347  "37287262712535938301461879813459410945");
348  bls12_377_g1_safe_subgroup_check_c1 =
349  bigint_r("91893752504881257701523279626832445441");
350 
351  // G1 proof of subgroup: values used to generate x' s.t. [r]x' = x.
352  bls12_377_g1_proof_of_safe_subgroup_w =
353  bigint_r("5285428838741532253824584287042945485047145357130994810877");
354  bls12_377_g1_proof_of_safe_subgroup_non_member_x = bls12_377_Fq(
355  "5579135224678387240478846790990709250936401022990388020368969649878761"
356  "5734938123558571181995209025075818229621722");
357  bls12_377_g1_proof_of_safe_subgroup_non_member_y = bls12_377_Fq(
358  "1743638558335201382296667234848353486892365850134605544446097301206037"
359  "41818916846216286948728983932214174344518655");
360 
361  // WNAF
362  //
363  // Note to self (AntoineR): Careful with wNAF as it can lead to SCAs:
364  // https://eprint.iacr.org/2019/861.pdf Note to self (AntoineR): The GLV
365  // patent (https://patents.google.com/patent/US7110538B2/en) expires in
366  // 09/2020. As such, efficient techniques for scalar mult. described in
367  // https://cryptosith.org/papers/exppair-20130904.pdf can become of interest
368  // then.
369  //
370  // Below we use the same `wnaf_window_table` as used for other curves
371  // TODO: Adjust the `wnaf_window_table` and `fixed_base_exp_window_table`
372  bls12_377_G1::wnaf_window_table.resize(0);
373  bls12_377_G1::wnaf_window_table.push_back(11);
374  bls12_377_G1::wnaf_window_table.push_back(24);
375  bls12_377_G1::wnaf_window_table.push_back(60);
376  bls12_377_G1::wnaf_window_table.push_back(127);
377 
378  // Below we use the same `fixed_base_exp_window_table` as used for other
379  // curves
380  bls12_377_G1::fixed_base_exp_window_table.resize(0);
381  // window 1 is unbeaten in [-inf, 4.99]
382  bls12_377_G1::fixed_base_exp_window_table.push_back(1);
383  // window 2 is unbeaten in [4.99, 10.99]
384  bls12_377_G1::fixed_base_exp_window_table.push_back(5);
385  // window 3 is unbeaten in [10.99, 32.29]
386  bls12_377_G1::fixed_base_exp_window_table.push_back(11);
387  // window 4 is unbeaten in [32.29, 55.23]
388  bls12_377_G1::fixed_base_exp_window_table.push_back(32);
389  // window 5 is unbeaten in [55.23, 162.03]
390  bls12_377_G1::fixed_base_exp_window_table.push_back(55);
391  // window 6 is unbeaten in [162.03, 360.15]
392  bls12_377_G1::fixed_base_exp_window_table.push_back(162);
393  // window 7 is unbeaten in [360.15, 815.44]
394  bls12_377_G1::fixed_base_exp_window_table.push_back(360);
395  // window 8 is unbeaten in [815.44, 2373.07]
396  bls12_377_G1::fixed_base_exp_window_table.push_back(815);
397  // window 9 is unbeaten in [2373.07, 6977.75]
398  bls12_377_G1::fixed_base_exp_window_table.push_back(2373);
399  // window 10 is unbeaten in [6977.75, 7122.23]
400  bls12_377_G1::fixed_base_exp_window_table.push_back(6978);
401  // window 11 is unbeaten in [7122.23, 57818.46]
402  bls12_377_G1::fixed_base_exp_window_table.push_back(7122);
403  // window 12 is never the best
404  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
405  // window 13 is unbeaten in [57818.46, 169679.14]
406  bls12_377_G1::fixed_base_exp_window_table.push_back(57818);
407  // window 14 is never the best
408  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
409  // window 15 is unbeaten in [169679.14, 439758.91]
410  bls12_377_G1::fixed_base_exp_window_table.push_back(169679);
411  // window 16 is unbeaten in [439758.91, 936073.41]
412  bls12_377_G1::fixed_base_exp_window_table.push_back(439759);
413  // window 17 is unbeaten in [936073.41, 4666554.74]
414  bls12_377_G1::fixed_base_exp_window_table.push_back(936073);
415  // window 18 is never the best
416  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
417  // window 19 is unbeaten in [4666554.74, 7580404.42]
418  bls12_377_G1::fixed_base_exp_window_table.push_back(4666555);
419  // window 20 is unbeaten in [7580404.42, 34552892.20]
420  bls12_377_G1::fixed_base_exp_window_table.push_back(7580404);
421  // window 21 is never the best
422  bls12_377_G1::fixed_base_exp_window_table.push_back(0);
423  // window 22 is unbeaten in [34552892.20, inf]
424  bls12_377_G1::fixed_base_exp_window_table.push_back(34552892);
425 
426  // Choice of group G2
427  // Identities
428  bls12_377_G2::G2_zero = bls12_377_G2(
429  bls12_377_Fq2::zero(), bls12_377_Fq2::one(), bls12_377_Fq2::zero());
430  bls12_377_G2::G2_one = bls12_377_G2(
431  bls12_377_Fq2(
432  bls12_377_Fq(
433  "11158394577469511644391122625782382343446874024988304283774515"
434  "1039122196680777376765707574547389190084887628324746"),
435  bls12_377_Fq(
436  "12906698065670308551815730115433521588608211252437868655587316"
437  "1080604845924984124025594590925548060469686767592854")),
438  bls12_377_Fq2(
439  bls12_377_Fq(
440  "16886329972466897718302994134759646260897838050396510334100391"
441  "8678547611204475537878680436662916294540335494194722"),
442  bls12_377_Fq(
443  "23389249728747576225133535189361842960367292146986439276751455"
444  "2093535653615809913098097380147379993375817193725968")),
445  bls12_377_Fq2::one());
446 
447  // Curve twist coeffs
448  bls12_377_G2::coeff_a = bls12_377_Fq2::zero();
449  bls12_377_G2::coeff_b = bls12_377_twist_coeff_b;
450 
451  // Cofactor
452  bls12_377_G2::h = bigint<bls12_377_G2::h_limbs>(
453  "7923214915284317143930293550643874566881017850177945424769256759165301"
454  "4366169332282092779667740924864672894786184047614126306918357646745593"
455  "76407658497");
456 
457  // Untwist-Frobenius-Twist coefficients
458  bls12_377_Fq12 untwist_frobenius_twist_w =
459  bls12_377_Fq12(bls12_377_Fq6::zero(), bls12_377_Fq6::one());
460  bls12_377_g2_untwist_frobenius_twist_v =
461  untwist_frobenius_twist_w * untwist_frobenius_twist_w;
462  bls12_377_g2_untwist_frobenius_twist_w_3 =
463  untwist_frobenius_twist_w * bls12_377_g2_untwist_frobenius_twist_v;
464  bls12_377_g2_untwist_frobenius_twist_v_inverse =
465  bls12_377_g2_untwist_frobenius_twist_v.inverse();
466  bls12_377_g2_untwist_frobenius_twist_w_3_inverse =
467  bls12_377_g2_untwist_frobenius_twist_w_3.inverse();
468 
469  // Fast cofactor multiplication coefficients
470  bls12_377_g2_mul_by_cofactor_h2_0 =
471  bigint_r("293634935485640680722085584138834120318524213360527933441");
472  bls12_377_g2_mul_by_cofactor_h2_1 =
473  bigint_r("30631250834960419227450344600217059328");
474 
475  // G2 wNAF window table
476  bls12_377_G2::wnaf_window_table.resize(0);
477  bls12_377_G2::wnaf_window_table.push_back(5);
478  bls12_377_G2::wnaf_window_table.push_back(15);
479  bls12_377_G2::wnaf_window_table.push_back(39);
480  bls12_377_G2::wnaf_window_table.push_back(109);
481 
482  // G2 fixed-base exponentiation table
483  bls12_377_G2::fixed_base_exp_window_table.resize(0);
484  // window 1 is unbeaten in [-inf, 5.10]
485  bls12_377_G2::fixed_base_exp_window_table.push_back(1);
486  // window 2 is unbeaten in [5.10, 10.43]
487  bls12_377_G2::fixed_base_exp_window_table.push_back(5);
488  // window 3 is unbeaten in [10.43, 25.28]
489  bls12_377_G2::fixed_base_exp_window_table.push_back(10);
490  // window 4 is unbeaten in [25.28, 59.00]
491  bls12_377_G2::fixed_base_exp_window_table.push_back(25);
492  // window 5 is unbeaten in [59.00, 154.03]
493  bls12_377_G2::fixed_base_exp_window_table.push_back(59);
494  // window 6 is unbeaten in [154.03, 334.25]
495  bls12_377_G2::fixed_base_exp_window_table.push_back(154);
496  // window 7 is unbeaten in [334.25, 742.58]
497  bls12_377_G2::fixed_base_exp_window_table.push_back(334);
498  // window 8 is unbeaten in [742.58, 2034.40]
499  bls12_377_G2::fixed_base_exp_window_table.push_back(743);
500  // window 9 is unbeaten in [2034.40, 4987.56]
501  bls12_377_G2::fixed_base_exp_window_table.push_back(2034);
502  // window 10 is unbeaten in [4987.56, 8888.27]
503  bls12_377_G2::fixed_base_exp_window_table.push_back(4988);
504  // window 11 is unbeaten in [8888.27, 26271.13]
505  bls12_377_G2::fixed_base_exp_window_table.push_back(8888);
506  // window 12 is unbeaten in [26271.13, 39768.20]
507  bls12_377_G2::fixed_base_exp_window_table.push_back(26271);
508  // window 13 is unbeaten in [39768.20, 106275.75]
509  bls12_377_G2::fixed_base_exp_window_table.push_back(39768);
510  // window 14 is unbeaten in [106275.75, 141703.40]
511  bls12_377_G2::fixed_base_exp_window_table.push_back(106276);
512  // window 15 is unbeaten in [141703.40, 462422.97]
513  bls12_377_G2::fixed_base_exp_window_table.push_back(141703);
514  // window 16 is unbeaten in [462422.97, 926871.84]
515  bls12_377_G2::fixed_base_exp_window_table.push_back(462423);
516  // window 17 is unbeaten in [926871.84, 4873049.17]
517  bls12_377_G2::fixed_base_exp_window_table.push_back(926872);
518  // window 18 is never the best
519  bls12_377_G2::fixed_base_exp_window_table.push_back(0);
520  // window 19 is unbeaten in [4873049.17, 5706707.88]
521  bls12_377_G2::fixed_base_exp_window_table.push_back(4873049);
522  // window 20 is unbeaten in [5706707.88, 31673814.95]
523  bls12_377_G2::fixed_base_exp_window_table.push_back(5706708);
524  // window 21 is never the best
525  bls12_377_G2::fixed_base_exp_window_table.push_back(0);
526  // window 22 is unbeaten in [31673814.95, inf]
527  bls12_377_G2::fixed_base_exp_window_table.push_back(31673815);
528 
529  // Pairing parameters
530  // sage: u = 9586122913090633729
531  // sage: ceil(log(u, 2)) # = 64
532  // sage: bin(u) # =
533  // '0b1000010100001000110000000000000000000000000000000000000000000001'
534  // The Hamming weight of u is: HW(u) = 7, where
535  // u = 2**63 + 2**58 + 2**56 + 2**51 + 2**47 + 2**46 + 1
536  // Based on the power-2 decomposition of u, we should have 63 doubling
537  // steps and 7 addition steps in the Miller Loop.
538  bls12_377_ate_loop_count = bigint_q("9586122913090633729");
539  bls12_377_ate_is_loop_count_neg = false;
540  // k (embedding degree) = 12
541  // bls12_377_final_exponent = (q^12 - 1) / r
542  bls12_377_final_exponent = bigint<12 * bls12_377_q_limbs>(
543  "1062352101801986048825403166370756842879803290512381119957121396507912"
544  "9114663661236359849629341526275899063345613340067081670062620727617884"
545  "1374877547391501474912045595142051864923855902722089344674614449446527"
546  "1100516937116825006879082077612477209563023710218982773301998983506333"
547  "4551453893534663070786533932633573962932272563471643288531959637300817"
548  "0702655374295064848809909810690412694053835028896773570820128072985299"
549  "3111812442856905982234628974507740157013415744497327152098177404714691"
550  "8354408632568723153146248333028827919406785654402107153546667815607201"
551  "4885908324782254034441364093498774812681548179045413406141732619497724"
552  "0306092432436686172324518261985938925498500823600746581427336149713413"
553  "8868945580557938161335670207544906643574043606819537336472235809927599"
554  "6281232753142880061708040445602386764639316393397119131110809745825932"
555  "2813870415432059977568309560404130900019702541996812571801831180595931"
556  "5220036948621879242495199408833915486421612374480018459896018440926235"
557  "2618246549569323848592604793727760229797367342216290972978901546921944"
558  "4152846277021881179562447110897237757369083391323126054783555085125681"
559  "7740247389770320334698430697237343583761719223414894063451411431859122"
560  "7384883115800054127650702518101599918971109363249432325268702807248769"
561  "46523218213525646968094720");
562  bls12_377_final_exponent_z = bigint_q("9586122913090633729");
563  bls12_377_final_exponent_is_z_neg = false;
564 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_bls12_381_params()

void libff::init_bls12_381_params ( )

Definition at line 26 of file bls12_381_init.cpp.

27 {
28  typedef bigint<bls12_381_r_limbs> bigint_r;
29  typedef bigint<bls12_381_q_limbs> bigint_q;
30 
31  // Montgomery assumes this
32  assert(sizeof(mp_limb_t) == 8 || sizeof(mp_limb_t) == 4);
33 
34  /* parameters for scalar field Fr */
35 
36  bls12_381_modulus_r = bigint_r("5243587517512619047944774050818596583769055"
37  "2500527637822603658699938581184513");
38  assert(bls12_381_Fr::modulus_is_valid());
39  if (sizeof(mp_limb_t) == 8) {
40  bls12_381_Fr::Rsquared =
41  bigint_r("329490647479426544212979752063071073927857568219980068178"
42  "8903916070560242797");
43  bls12_381_Fr::Rcubed =
44  bigint_r("498292539885403193545507422492760844601274463553159150895"
45  "27227471280320770991");
46  bls12_381_Fr::inv = 0xfffffffeffffffff; // (-1/modulus) mod W
47  }
48  if (sizeof(mp_limb_t) == 4) {
49  bls12_381_Fr::Rsquared =
50  bigint_r("329490647479426544212979752063071073927857568219980068178"
51  "8903916070560242797");
52  bls12_381_Fr::Rcubed =
53  bigint_r("498292539885403193545507422492760844601274463553159150895"
54  "27227471280320770991");
55  bls12_381_Fr::inv = 0xffffffff;
56  }
57  bls12_381_Fr::num_bits = 255;
58  bls12_381_Fr::euler = bigint_r("2621793758756309523972387025409298291884527"
59  "6250263818911301829349969290592256");
60  bls12_381_Fr::s = 32;
61  bls12_381_Fr::t = bigint_r(
62  "12208678567578594777604504606729831043093128246378069236549469339647");
63  bls12_381_Fr::t_minus_1_over_2 = bigint_r(
64  "6104339283789297388802252303364915521546564123189034618274734669823");
65  bls12_381_Fr::multiplicative_generator = bls12_381_Fr("7");
66  bls12_381_Fr::root_of_unity =
67  bls12_381_Fr("102382273577394958236510305758492320625588601802844775411"
68  "89508159991286009131");
69  bls12_381_Fr::nqr = bls12_381_Fr("5");
70  bls12_381_Fr::nqr_to_t =
71  bls12_381_Fr("937917089079007706106976984802249742464848817460758522850"
72  "752807661925904159");
73  bls12_381_Fr::static_init();
74 
75  /* parameters for base field Fq */
76  bls12_381_modulus_q =
77  bigint_q("4002409555221667393417789825735904156556882819939007885332058"
78  "136124031650490837864442687629129015664037894272559787");
79  assert(bls12_381_Fq::modulus_is_valid());
80  if (sizeof(mp_limb_t) == 8) {
81  bls12_381_Fq::Rsquared = bigint_q(
82  "270826391065473017479378762632817651183645519716631767700615429398"
83  "2164122222515399004018013397331347120527951271750"); // k=6
84  bls12_381_Fq::Rcubed = bigint_q(
85  "163906754277462589423671657554808490593875383721159409588363701458"
86  "2201460755008380976950835174037649440777609978336");
87 
88  bls12_381_Fq::inv = 0x89f3fffcfffcfffd;
89  }
90  if (sizeof(mp_limb_t) == 4) {
91  bls12_381_Fq::Rsquared = bigint_q(
92  "270826391065473017479378762632817651183645519716631767700615429398"
93  "2164122222515399004018013397331347120527951271750");
94  bls12_381_Fq::Rcubed = bigint_q(
95  "163906754277462589423671657554808490593875383721159409588363701458"
96  "2201460755008380976950835174037649440777609978336");
97  bls12_381_Fq::inv = 0xfffcfffd;
98  }
99  bls12_381_Fq::num_bits = 381;
100  bls12_381_Fq::euler =
101  bigint_q("2001204777610833696708894912867952078278441409969503942666029"
102  "068062015825245418932221343814564507832018947136279893");
103  bls12_381_Fq::s = 1;
104  bls12_381_Fq::t =
105  bigint_q("2001204777610833696708894912867952078278441409969503942666029"
106  "068062015825245418932221343814564507832018947136279893");
107  bls12_381_Fq::t_minus_1_over_2 =
108  bigint_q("1000602388805416848354447456433976039139220704984751971333014"
109  "534031007912622709466110671907282253916009473568139946");
110  bls12_381_Fq::multiplicative_generator = bls12_381_Fq("2");
111  bls12_381_Fq::root_of_unity = bls12_381_Fq(
112  "4002409555221667393417789825735904156556882819939007885332058136124031"
113  "650490837864442687629129015664037894272559786");
114  bls12_381_Fq::nqr = bls12_381_Fq("2");
115  bls12_381_Fq::nqr_to_t = bls12_381_Fq(
116  "4002409555221667393417789825735904156556882819939007885332058136124031"
117  "650490837864442687629129015664037894272559786");
118  bls12_381_Fq::static_init();
119 
120  /* parameters for twist field Fq2 */
121  bls12_381_Fq2::euler = bigint<2 * bls12_381_q_limbs>(
122  "8009641123864852705971874322159486308847560049665276329931192268492988"
123  "3742456785717003280396510967149874771927700853652655519422698534529681"
124  "0010121051821790554650651713590637900820398474816583070927051183888744"
125  "9985712996744742684");
126  bls12_381_Fq2::s = 3;
127  bls12_381_Fq2::t = bigint<2 * bls12_381_q_limbs>(
128  "2002410280966213176492968580539871577211890012416319082482798067123247"
129  "0935614196429250820099127741787468692981925213413163879855674633632420"
130  "2502530262955447638662662928397659475205099618704145767731762795972186"
131  "2496428249186185671");
132  bls12_381_Fq2::t_minus_1_over_2 = bigint<2 * bls12_381_q_limbs>(
133  "1001205140483106588246484290269935788605945006208159541241399033561623"
134  "5467807098214625410049563870893734346490962606706581939927837316816210"
135  "1251265131477723819331331464198829737602549809352072883865881397986093"
136  "1248214124593092835");
137  bls12_381_Fq2::non_residue = bls12_381_Fq(
138  "4002409555221667393417789825735904156556882819939007885332058136124031"
139  "650490837864442687629129015664037894272559786");
140  bls12_381_Fq2::nqr =
141  bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("1")); // u+1
142  bls12_381_Fq2::nqr_to_t = bls12_381_Fq2(
143  bls12_381_Fq(
144  "102873214623510634997532447921579527738483993692975789615564311803"
145  "2610843298655225875571310552543014690878354869257"),
146  bls12_381_Fq(
147  "297367740898656104344246534652010887917204288300924998917641501809"
148  "1420807192182638567116318576472649347015917690530"));
149  bls12_381_Fq2::Frobenius_coeffs_c1[0] = bls12_381_Fq("1");
150  bls12_381_Fq2::Frobenius_coeffs_c1[1] = bls12_381_Fq(
151  "4002409555221667393417789825735904156556882819939007885332058136124031"
152  "650490837864442687629129015664037894272559786");
153  bls12_381_Fq2::static_init();
154 
155  /* parameters for Fq6 */
156 
157  bls12_381_Fq6::euler = bigint<6 * bls12_381_q_limbs>(
158  "2055413310034685917547178203792332860309200402936847589812920000288065"
159  "0925292078031236336437155417867098264344518387365893430771451315477306"
160  "7723923870911995741881272581302001907244790574962263945847542833396860"
161  "73743682966778056496"
162  "2327945395707855461784923849488018385374868097169740055671857527378364"
163  "8469851242261268044817816320342666827076722752447529192782544353128746"
164  "1471193084577848300836833318729082346882823602164341569076593462295099"
165  "0371613607731757827"
166  "4075669149520898024347473697702653612215721050521068924301068068177428"
167  "7151859717713146107915044671570816889418683602912643322766216203471482"
168  "2884004062053629214182533388992931530312083763262100940571236423950189"
169  "3128509197213249204");
170  bls12_381_Fq6::s = 3;
171  bls12_381_Fq6::t = bigint<6 * bls12_381_q_limbs>(
172  "5138533275086714793867945509480832150773001007342118974532300000720162"
173  "7313230195078090841092888544667745660861295968414733576928628288693266"
174  "9309809677279989354703181453255004768111976437405659864618857083492151"
175  "8435920741694514124"
176  "0581986348926963865446230962372004596343717024292435013917964381844591"
177  "2117462810565317011204454080085666706769180688111882298195636088282186"
178  "5367798271144462075209208329682270586720705900541085392269148365573774"
179  "7592903401932939456"
180  "8518917287380224506086868424425663403053930262630267231075267017044357"
181  "1787964929428286526978761167892704222354670900728160830691554050867870"
182  "5721001015513407303545633347248232882578020940815525235142809105987547"
183  "3282127299303312301");
184  bls12_381_Fq6::t_minus_1_over_2 = bigint<6 * bls12_381_q_limbs>(
185  "2569266637543357396933972754740416075386500503671059487266150000360081"
186  "3656615097539045420546444272333872830430647984207366788464314144346633"
187  "4654904838639994677351590726627502384055988218702829932309428541746075"
188  "9217960370847257062"
189  "0290993174463481932723115481186002298171858512146217506958982190922295"
190  "6058731405282658505602227040042833353384590344055941149097818044141093"
191  "2683899135572231037604604164841135293360352950270542696134574182786887"
192  "3796451700966469728"
193  "4259458643690112253043434212212831701526965131315133615537633508522178"
194  "5893982464714143263489380583946352111177335450364080415345777025433935"
195  "2860500507756703651772816673624116441289010470407762617571404552993773"
196  "6641063649651656150");
197  bls12_381_Fq6::non_residue =
198  bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("1"));
199  bls12_381_Fq6::nqr = bls12_381_Fq6(
200  bls12_381_Fq2::one(), bls12_381_Fq2::one(), bls12_381_Fq2::zero());
201  bls12_381_Fq temp_Fq6 = bls12_381_Fq(
202  "2973677408986561043442465346520108879172042883009249989176415018091420"
203  "807192182638567116318576472649347015917690530");
204  bls12_381_Fq6::nqr_to_t = bls12_381_Fq6(
205  bls12_381_Fq2(temp_Fq6, temp_Fq6),
206  bls12_381_Fq2::zero(),
207  bls12_381_Fq2::zero());
208  bls12_381_Fq6::Frobenius_coeffs_c1[0] =
209  bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("0"));
210  bls12_381_Fq6::Frobenius_coeffs_c1[1] = bls12_381_Fq2(
211  bls12_381_Fq("0"),
212  bls12_381_Fq(
213  "400240955522166739262431043500668864393550311830558643827117139584"
214  "2971157480381377015405980053539358417135540939436"));
215  bls12_381_Fq6::Frobenius_coeffs_c1[2] = bls12_381_Fq2(
216  bls12_381_Fq("793479390729215512621379701633421447060886740281060493010"
217  "456487427281649075476305620758731620350"),
218  bls12_381_Fq("0"));
219  bls12_381_Fq6::Frobenius_coeffs_c1[3] =
220  bls12_381_Fq2(bls12_381_Fq("0"), bls12_381_Fq("1"));
221  bls12_381_Fq6::Frobenius_coeffs_c1[4] = bls12_381_Fq2(
222  bls12_381_Fq(
223  "400240955522166739262431043500668864393550311830558643827117139584"
224  "2971157480381377015405980053539358417135540939436"),
225  bls12_381_Fq("0"));
226  bls12_381_Fq6::Frobenius_coeffs_c1[5] = bls12_381_Fq2(
227  bls12_381_Fq("0"),
228  bls12_381_Fq("793479390729215512621379701633421447060886740281060493010"
229  "456487427281649075476305620758731620350"));
230  bls12_381_Fq6::Frobenius_coeffs_c2[0] =
231  bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("0"));
232  bls12_381_Fq6::Frobenius_coeffs_c2[1] = bls12_381_Fq2(
233  bls12_381_Fq(
234  "400240955522166739262431043500668864393550311830558643827117139584"
235  "2971157480381377015405980053539358417135540939437"),
236  bls12_381_Fq("0"));
237  bls12_381_Fq6::Frobenius_coeffs_c2[2] = bls12_381_Fq2(
238  bls12_381_Fq(
239  "400240955522166739262431043500668864393550311830558643827117139584"
240  "2971157480381377015405980053539358417135540939436"),
241  bls12_381_Fq("0"));
242  bls12_381_Fq6::Frobenius_coeffs_c2[3] = bls12_381_Fq2(
243  bls12_381_Fq(
244  "400240955522166739341778982573590415655688281993900788533205813612"
245  "4031650490837864442687629129015664037894272559786"),
246  bls12_381_Fq("0"));
247  bls12_381_Fq6::Frobenius_coeffs_c2[4] = bls12_381_Fq2(
248  bls12_381_Fq("793479390729215512621379701633421447060886740281060493010"
249  "456487427281649075476305620758731620350"),
250  bls12_381_Fq("0"));
251  bls12_381_Fq6::Frobenius_coeffs_c2[5] = bls12_381_Fq2(
252  bls12_381_Fq("793479390729215512621379701633421447060886740281060493010"
253  "456487427281649075476305620758731620351"),
254  bls12_381_Fq("0"));
255 
256  /* parameters for Fq12 */
257 
258  bls12_381_Fq12::euler = bigint<12 * bls12_381_q_limbs>(
259  "8449447750135487786386536757818793037762212639342076082205056847631733"
260  "7611486762037414270042798116043101246277209976512094361633120467161014"
261  "0655544453405655390597288113542772613560509732197200272091941904878386"
262  "92659063939320510475"
263  "6684686564553744540192748080653129821509884735609423581664936489210967"
264  "0440467529068420483514604958227574975684523172972030890413264728910407"
265  "5914291222737139398079433126860286068573844453009747181852522430304241"
266  "3280382576694575299"
267  "4243167774120254336745536274773695755236419654903551716949533916736161"
268  "3569172920059467104043034274069321829696761906239463005630083855610676"
269  "3024021975665415739763789028633084871968346012196283360672552982454440"
270  "6779592032379877481"
271  "1619354467715920346231349235866829244117661464414438262378914602649540"
272  "0686951521638441608423046735329190594695892803338108752058997137128797"
273  "3778883772765769448885014782339635406211030364946185240866112535299846"
274  "0333970628572435583"
275  "1757875201144654542881444863180645429521461839597984159381168059700378"
276  "1998317840382782546961827784098634063653000816109224177006797686172283"
277  "6524688010589950951561114449900951002753319232147895757766930045754791"
278  "8189673190852298371"
279  "5647603567520167155789018111526068121587518840305926270907547770597694"
280  "1239754628313695901797410453781873141027101200728931074856266540267317"
281  "2430117685618695762741237977291546454709306808974723155022101617076402"
282  "8215685592439765640");
283  bls12_381_Fq12::s = 4;
284  bls12_381_Fq12::t = bigint<12 * bls12_381_q_limbs>(
285  "1056180968766935973298317094727349129720276579917759510275632105953966"
286  "7201435845254676783755349764505387655784651247064011795204140058395126"
287  "7581943056675706923824661014192846576695063716524650034011492738109798"
288  "36582382992415063809"
289  "4585585820569218067524093510081641227688735591951177947708117061151370"
290  "8805058441133552560439325619778446871960565396621503861301658091113800"
291  "9489286402842142424759929140857535758571730556626218397731565303788030"
292  "1660047822086821912"
293  "4280395971765031792093192034346711969404552456862943964618691739592020"
294  "1696146615007433388005379284258665228712095238279932875703760481951334"
295  "5378002746958176967470473628579135608996043251524535420084069122806805"
296  "0847449004047484685"
297  "1452419308464490043278918654483353655514707683051804782797364325331192"
298  "5085868940204805201052880841916148824336986600417263594007374642141099"
299  "6722360471595721181110626847792454425776378795618273155108264066912480"
300  "7541746328571554447"
301  "8969734400143081817860180607897580678690182729949748019922646007462547"
302  "2749789730047847818370228473012329257956625102013653022125849710771535"
303  "4565586001323743868945139306237618875344164904018486969720866255719348"
304  "9773709148856537296"
305  "4455950445940020894473627263940758515198439855038240783863443471324711"
306  "7654969328539211987724676306722734142628387650091116384357033317533414"
307  "6553764710702336970342654747161443306838663351121840394377762702134550"
308  "3526960699054970705");
309  bls12_381_Fq12::t_minus_1_over_2 = bigint<12 * bls12_381_q_limbs>(
310  "5280904843834679866491585473636745648601382899588797551378160529769833"
311  "6007179226273383918776748822526938278923256235320058976020700291975633"
312  "7909715283378534619123305070964232883475318582623250170057463690548991"
313  "8291191496207531904"
314  "7292792910284609033762046755040820613844367795975588973854058530575685"
315  "4402529220566776280219662809889223435980282698310751930650829045556900"
316  "4744643201421071212379964570428767879285865278313109198865782651894015"
317  "0830023911043410956"
318  "2140197985882515896046596017173355984702276228431471982309345869796010"
319  "0848073307503716694002689642129332614356047619139966437851880240975667"
320  "2689001373479088483735236814289567804498021625762267710042034561403402"
321  "5423724502023742342"
322  "5726209654232245021639459327241676827757353841525902391398682162665596"
323  "2542934470102402600526440420958074412168493300208631797003687321070549"
324  "8361180235797860590555313423896227212888189397809136577554132033456240"
325  "3770873164285777223"
326  "9484867200071540908930090303948790339345091364974874009961323003731273"
327  "6374894865023923909185114236506164628978312551006826511062924855385767"
328  "7282793000661871934472569653118809437672082452009243484860433127859674"
329  "4886854574428268648"
330  "2227975222970010447236813631970379257599219927519120391931721735662355"
331  "8827484664269605993862338153361367071314193825045558192178516658766707"
332  "3276882355351168485171327373580721653419331675560920197188881351067275"
333  "1763480349527485352");
334  bls12_381_Fq12::non_residue =
335  bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("1"));
336  bls12_381_Fq12::nqr =
337  bls12_381_Fq12(bls12_381_Fq6::zero(), bls12_381_Fq6::one());
338  bls12_381_Fq temp_Fq12 = bls12_381_Fq(
339  "3357996710086603428986649435961018971596863377125478091385687488711898"
340  "724126407611022502097010210262797519903698974");
341  bls12_381_Fq12::nqr_to_t = bls12_381_Fq12(
342  bls12_381_Fq6::zero(),
343  bls12_381_Fq6(
344  bls12_381_Fq2::zero(),
345  bls12_381_Fq2(temp_Fq12, temp_Fq12),
346  bls12_381_Fq2::zero()));
347  bls12_381_Fq12::Frobenius_coeffs_c1[0] =
348  bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("0"));
349  bls12_381_Fq12::Frobenius_coeffs_c1[1] = bls12_381_Fq2(
350  bls12_381_Fq(
351  "385075437003716901195214707605136405715880742097068243867605052261"
352  "3628423219637725072182697113062777891589506424760"),
353  bls12_381_Fq(
354  "151655185184498381465642749684540099398075398968325446656007613510"
355  "403227271200139370504932015952886146304766135027"));
356  bls12_381_Fq12::Frobenius_coeffs_c1[2] = bls12_381_Fq2(
357  bls12_381_Fq("793479390729215512621379701633421447060886740281060493010"
358  "456487427281649075476305620758731620351"),
359  bls12_381_Fq("0"));
360  bls12_381_Fq12::Frobenius_coeffs_c1[3] = bls12_381_Fq2(
361  bls12_381_Fq(
362  "297367740898656104344246534652010887917204288300924998917641501809"
363  "1420807192182638567116318576472649347015917690530"),
364  bls12_381_Fq(
365  "102873214623510634997532447921579527738483993692975789615564311803"
366  "2610843298655225875571310552543014690878354869257"));
367  bls12_381_Fq12::Frobenius_coeffs_c1[4] = bls12_381_Fq2(
368  bls12_381_Fq("793479390729215512621379701633421447060886740281060493010"
369  "456487427281649075476305620758731620350"),
370  bls12_381_Fq("0"));
371  bls12_381_Fq12::Frobenius_coeffs_c1[5] = bls12_381_Fq2(
372  bls12_381_Fq(
373  "312533259417105942490810809620464897857011828197757543583242263160"
374  "1824034463382777937621250592425535493320683825557"),
375  bls12_381_Fq(
376  "877076961050607968509681729531255177986764537961432449499635504522"
377  "207616027455086505066378536590128544573588734230"));
378  bls12_381_Fq12::Frobenius_coeffs_c1[6] = bls12_381_Fq2(
379  bls12_381_Fq(
380  "400240955522166739341778982573590415655688281993900788533205813612"
381  "4031650490837864442687629129015664037894272559786"),
382  bls12_381_Fq("0"));
383  bls12_381_Fq12::Frobenius_coeffs_c1[7] = bls12_381_Fq2(
384  bls12_381_Fq(
385  "151655185184498381465642749684540099398075398968325446656007613510"
386  "403227271200139370504932015952886146304766135027"),
387  bls12_381_Fq(
388  "385075437003716901195214707605136405715880742097068243867605052261"
389  "3628423219637725072182697113062777891589506424760"));
390  bls12_381_Fq12::Frobenius_coeffs_c1[8] = bls12_381_Fq2(
391  bls12_381_Fq(
392  "400240955522166739262431043500668864393550311830558643827117139584"
393  "2971157480381377015405980053539358417135540939436"),
394  bls12_381_Fq("0"));
395  bls12_381_Fq12::Frobenius_coeffs_c1[9] = bls12_381_Fq2(
396  bls12_381_Fq(
397  "102873214623510634997532447921579527738483993692975789615564311803"
398  "2610843298655225875571310552543014690878354869257"),
399  bls12_381_Fq(
400  "297367740898656104344246534652010887917204288300924998917641501809"
401  "1420807192182638567116318576472649347015917690530"));
402  bls12_381_Fq12::Frobenius_coeffs_c1[10] = bls12_381_Fq2(
403  bls12_381_Fq(
404  "400240955522166739262431043500668864393550311830558643827117139584"
405  "2971157480381377015405980053539358417135540939437"),
406  bls12_381_Fq("0"));
407  bls12_381_Fq12::Frobenius_coeffs_c1[11] = bls12_381_Fq2(
408  bls12_381_Fq(
409  "877076961050607968509681729531255177986764537961432449499635504522"
410  "207616027455086505066378536590128544573588734230"),
411  bls12_381_Fq(
412  "312533259417105942490810809620464897857011828197757543583242263160"
413  "1824034463382777937621250592425535493320683825557"));
414 
415  // Choice of short Weierstrass curve and its twist
416  // E(Fq): y^2 = x^3 + 4
417 
418  bls12_381_coeff_b = bls12_381_Fq("4");
419  bls12_381_twist = bls12_381_Fq2(bls12_381_Fq("1"), bls12_381_Fq("1"));
420  bls12_381_twist_coeff_b = bls12_381_coeff_b * bls12_381_twist;
421  bls12_381_twist_mul_by_b_c0 =
422  bls12_381_coeff_b * bls12_381_Fq2::non_residue;
423  bls12_381_twist_mul_by_b_c1 =
424  bls12_381_coeff_b * bls12_381_Fq2::non_residue;
425  bls12_381_twist_mul_by_q_X = bls12_381_Fq2(
426  bls12_381_Fq("0"),
427  bls12_381_Fq(
428  "400240955522166739262431043500668864393550311830558643827117139584"
429  "2971157480381377015405980053539358417135540939437"));
430  bls12_381_twist_mul_by_q_Y = bls12_381_Fq2(
431  bls12_381_Fq(
432  "297367740898656104344246534652010887917204288300924998917641501809"
433  "1420807192182638567116318576472649347015917690530"),
434  bls12_381_Fq(
435  "102873214623510634997532447921579527738483993692975789615564311803"
436  "2610843298655225875571310552543014690878354869257"));
437 
438  /* choice of group G1 */
439  bls12_381_G1::G1_zero = bls12_381_G1(
440  bls12_381_Fq::zero(), bls12_381_Fq::one(), bls12_381_Fq::zero());
441  bls12_381_G1::G1_one = bls12_381_G1(
442  bls12_381_Fq(
443  "368541675371338701678108831518307775796162079578254640989457837868"
444  "8607592378376318836054947676345821548104185464507"),
445  bls12_381_Fq(
446  "133950654494447647302047137994192122158493387593834962042654373641"
447  "6511423956333506472724655353366534992391756441569"),
448  bls12_381_Fq::one());
449 
450  // Curve coeffs
451  bls12_381_G1::coeff_a = bls12_381_Fq::zero();
452  bls12_381_G1::coeff_b = bls12_381_coeff_b;
453 
454  // Cofactor
455  bls12_381_G1::h =
456  bigint<bls12_381_G1::h_limbs>("76329603384216526031706109802092473003");
457 
458  // TODO: wNAF window table
459  bls12_381_G1::wnaf_window_table.resize(0);
460  bls12_381_G1::wnaf_window_table.push_back(11);
461  bls12_381_G1::wnaf_window_table.push_back(24);
462  bls12_381_G1::wnaf_window_table.push_back(60);
463  bls12_381_G1::wnaf_window_table.push_back(127);
464 
465  // TODO: fixed-base exponentiation table
466  bls12_381_G1::fixed_base_exp_window_table.resize(0);
467  // window 1 is unbeaten in [-inf, 4.99]
468  bls12_381_G1::fixed_base_exp_window_table.push_back(1);
469  // window 2 is unbeaten in [4.99, 10.99]
470  bls12_381_G1::fixed_base_exp_window_table.push_back(5);
471  // window 3 is unbeaten in [10.99, 32.29]
472  bls12_381_G1::fixed_base_exp_window_table.push_back(11);
473  // window 4 is unbeaten in [32.29, 55.23]
474  bls12_381_G1::fixed_base_exp_window_table.push_back(32);
475  // window 5 is unbeaten in [55.23, 162.03]
476  bls12_381_G1::fixed_base_exp_window_table.push_back(55);
477  // window 6 is unbeaten in [162.03, 360.15]
478  bls12_381_G1::fixed_base_exp_window_table.push_back(162);
479  // window 7 is unbeaten in [360.15, 815.44]
480  bls12_381_G1::fixed_base_exp_window_table.push_back(360);
481  // window 8 is unbeaten in [815.44, 2373.07]
482  bls12_381_G1::fixed_base_exp_window_table.push_back(815);
483  // window 9 is unbeaten in [2373.07, 6977.75]
484  bls12_381_G1::fixed_base_exp_window_table.push_back(2373);
485  // window 10 is unbeaten in [6977.75, 7122.23]
486  bls12_381_G1::fixed_base_exp_window_table.push_back(6978);
487  // window 11 is unbeaten in [7122.23, 57818.46]
488  bls12_381_G1::fixed_base_exp_window_table.push_back(7122);
489  // window 12 is never the best
490  bls12_381_G1::fixed_base_exp_window_table.push_back(0);
491  // window 13 is unbeaten in [57818.46, 169679.14]
492  bls12_381_G1::fixed_base_exp_window_table.push_back(57818);
493  // window 14 is never the best
494  bls12_381_G1::fixed_base_exp_window_table.push_back(0);
495  // window 15 is unbeaten in [169679.14, 439758.91]
496  bls12_381_G1::fixed_base_exp_window_table.push_back(169679);
497  // window 16 is unbeaten in [439758.91, 936073.41]
498  bls12_381_G1::fixed_base_exp_window_table.push_back(439759);
499  // window 17 is unbeaten in [936073.41, 4666554.74]
500  bls12_381_G1::fixed_base_exp_window_table.push_back(936073);
501  // window 18 is never the best
502  bls12_381_G1::fixed_base_exp_window_table.push_back(0);
503  // window 19 is unbeaten in [4666554.74, 7580404.42]
504  bls12_381_G1::fixed_base_exp_window_table.push_back(4666555);
505  // window 20 is unbeaten in [7580404.42, 34552892.20]
506  bls12_381_G1::fixed_base_exp_window_table.push_back(7580404);
507  // window 21 is never the best
508  bls12_381_G1::fixed_base_exp_window_table.push_back(0);
509  // window 22 is unbeaten in [34552892.20, inf]
510  bls12_381_G1::fixed_base_exp_window_table.push_back(34552892);
511 
512  /* choice of group G2 */
513  bls12_381_G2::G2_zero = bls12_381_G2(
514  bls12_381_Fq2::zero(), bls12_381_Fq2::one(), bls12_381_Fq2::zero());
515 
516  // simple G2 generator
517  bls12_381_G2::G2_one = bls12_381_G2(
518  bls12_381_Fq2(
519  bls12_381_Fq(
520  "35270106958746661818713911601106014489002995279277524021990864"
521  "4239793785735715026873347600343865175952761926303160"),
522  bls12_381_Fq(
523  "30591443442442137099712598147537816369864703254766475586593732"
524  "06291635324768958432433509563104347017837885763365758")),
525  bls12_381_Fq2(
526  bls12_381_Fq(
527  "19851506022872919355680545211771716383008689782156557308593786"
528  "65066344726373823718423869104263333984641494340347905"),
529  bls12_381_Fq(
530  "92755366549233245574720196577603788075774019345359297002502797"
531  "8793976877002675564980949289727957565575433344219582")),
532  bls12_381_Fq2::one());
533 
534  // Curve twist coeffs
535  bls12_381_G2::coeff_a = bls12_381_Fq2::zero();
536  bls12_381_G2::coeff_b = bls12_381_twist_coeff_b;
537 
538  // Cofactor
539  bls12_381_G2::h = bigint<bls12_381_G2::h_limbs>(
540  "3055023339312683442009997531931215042144660192541881426676640329822676"
541  "0418297188402650742735925997784783227283904161666128580382337837209635"
542  "5777062779109");
543 
544  // TODO: wNAF window table
545  bls12_381_G2::wnaf_window_table.resize(0);
546  bls12_381_G2::wnaf_window_table.push_back(5);
547  bls12_381_G2::wnaf_window_table.push_back(15);
548  bls12_381_G2::wnaf_window_table.push_back(39);
549  bls12_381_G2::wnaf_window_table.push_back(109);
550 
551  // TODO: fixed-base exponentiation table
552  bls12_381_G2::fixed_base_exp_window_table.resize(0);
553  // window 1 is unbeaten in [-inf, 5.10]
554  bls12_381_G2::fixed_base_exp_window_table.push_back(1);
555  // window 2 is unbeaten in [5.10, 10.43]
556  bls12_381_G2::fixed_base_exp_window_table.push_back(5);
557  // window 3 is unbeaten in [10.43, 25.28]
558  bls12_381_G2::fixed_base_exp_window_table.push_back(10);
559  // window 4 is unbeaten in [25.28, 59.00]
560  bls12_381_G2::fixed_base_exp_window_table.push_back(25);
561  // window 5 is unbeaten in [59.00, 154.03]
562  bls12_381_G2::fixed_base_exp_window_table.push_back(59);
563  // window 6 is unbeaten in [154.03, 334.25]
564  bls12_381_G2::fixed_base_exp_window_table.push_back(154);
565  // window 7 is unbeaten in [334.25, 742.58]
566  bls12_381_G2::fixed_base_exp_window_table.push_back(334);
567  // window 8 is unbeaten in [742.58, 2034.40]
568  bls12_381_G2::fixed_base_exp_window_table.push_back(743);
569  // window 9 is unbeaten in [2034.40, 4987.56]
570  bls12_381_G2::fixed_base_exp_window_table.push_back(2034);
571  // window 10 is unbeaten in [4987.56, 8888.27]
572  bls12_381_G2::fixed_base_exp_window_table.push_back(4988);
573  // window 11 is unbeaten in [8888.27, 26271.13]
574  bls12_381_G2::fixed_base_exp_window_table.push_back(8888);
575  // window 12 is unbeaten in [26271.13, 39768.20]
576  bls12_381_G2::fixed_base_exp_window_table.push_back(26271);
577  // window 13 is unbeaten in [39768.20, 106275.75]
578  bls12_381_G2::fixed_base_exp_window_table.push_back(39768);
579  // window 14 is unbeaten in [106275.75, 141703.40]
580  bls12_381_G2::fixed_base_exp_window_table.push_back(106276);
581  // window 15 is unbeaten in [141703.40, 462422.97]
582  bls12_381_G2::fixed_base_exp_window_table.push_back(141703);
583  // window 16 is unbeaten in [462422.97, 926871.84]
584  bls12_381_G2::fixed_base_exp_window_table.push_back(462423);
585  // window 17 is unbeaten in [926871.84, 4873049.17]
586  bls12_381_G2::fixed_base_exp_window_table.push_back(926872);
587  // window 18 is never the best
588  bls12_381_G2::fixed_base_exp_window_table.push_back(0);
589  // window 19 is unbeaten in [4873049.17, 5706707.88]
590  bls12_381_G2::fixed_base_exp_window_table.push_back(4873049);
591  // window 20 is unbeaten in [5706707.88, 31673814.95]
592  bls12_381_G2::fixed_base_exp_window_table.push_back(5706708);
593  // window 21 is never the best
594  bls12_381_G2::fixed_base_exp_window_table.push_back(0);
595  // window 22 is unbeaten in [31673814.95, inf]
596  bls12_381_G2::fixed_base_exp_window_table.push_back(31673815);
597 
598  /* pairing parameters */
599 
600  bls12_381_ate_loop_count =
601  bigint<bls12_381_q_limbs>("15132376222941642752");
602  bls12_381_ate_is_loop_count_neg = true;
603  bls12_381_final_exponent = bigint<12 * bls12_381_q_limbs>(
604  "3222773615169341404628915645865101399083799695148284942183666880252886"
605  "6104110468279499868049758000889997324981410444769277898820837677957381"
606  "9485263026159588510513834876303014016798809919343532899164848730280942"
607  "6099566709175656181158672873996232868132703579017315101881499343633603"
608  "8161450133408682544227192007936328995451056537537844370437299488140679"
609  "7882676971082200626541916413184642520269678897559532260949334760604962"
610  "0863488981189822488426343796375986654688177690758785554937522144927901"
611  "2278585020295757520017608420442275148595733646547232481098283363849090"
612  "4279282696134323072515220044451592646885410572234451732790590013479358"
613  "3438412200741748482217220170835978720176385141031741227848439255783704"
614  "3084352295960009567628572373704943834654475316891297497679152853527631"
615  "7256904336520179281145394686565050419250614107803233314658825463117900"
616  "2507011991815292059423631593257659918194339143039088604607205814082013"
617  "7316404777379482541101192230582006561112154456180841405530221205747139"
618  "5719432072209245600258134364584636810093520285711072578721435517884103"
619  "5264838327332898024261573015427444767400084947803633543051169788056206"
620  "7146707140071135883955337534072489973546048014459978201490658654381329"
621  "2157922220645089192130209334926661588737007768565838519456601560804957"
622  "985667880395221049249803753582637708560");
623  bls12_381_final_exponent_z =
624  bigint<bls12_381_q_limbs>("15132376222941642752");
625  bls12_381_final_exponent_is_z_neg = true;
626 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_bn128_params()

void libff::init_bn128_params ( )

Definition at line 29 of file bn128_init.cpp.

30 {
31  bn::Param::init(); // init ate-pairing library
32 
33  typedef bigint<bn128_r_limbs> bigint_r;
34  typedef bigint<bn128_q_limbs> bigint_q;
35 
36  assert(
37  sizeof(mp_limb_t) == 8 ||
38  sizeof(mp_limb_t) == 4); // Montgomery assumes this
39 
40  /* parameters for scalar field Fr */
41  bn128_modulus_r = bigint_r("21888242871839275222246405745257275088548364400"
42  "416034343698204186575808495617");
43  assert(bn128_Fr::modulus_is_valid());
44  if (sizeof(mp_limb_t) == 8) {
45  bn128_Fr::Rsquared = bigint_r("9449366811492084466516642542697455484907"
46  "66851729442924617792859073125903783");
47  bn128_Fr::Rcubed = bigint_r("586654854594384522748989487204024472040386"
48  "8105578784105281690076696998248512");
49  bn128_Fr::inv = 0xc2e1f593efffffff;
50  }
51  if (sizeof(mp_limb_t) == 4) {
52  bn128_Fr::Rsquared = bigint_r("9449366811492084466516642542697455484907"
53  "66851729442924617792859073125903783");
54  bn128_Fr::Rcubed = bigint_r("586654854594384522748989487204024472040386"
55  "8105578784105281690076696998248512");
56  bn128_Fr::inv = 0xefffffff;
57  }
58  bn128_Fr::num_bits = 254;
59  bn128_Fr::euler = bigint_r("10944121435919637611123202872628637544274182200"
60  "208017171849102093287904247808");
61  bn128_Fr::s = 28;
62  bn128_Fr::t = bigint_r(
63  "81540058820840996586704275553141814055101440848469862132140264610111");
64  bn128_Fr::t_minus_1_over_2 = bigint_r(
65  "40770029410420498293352137776570907027550720424234931066070132305055");
66  bn128_Fr::multiplicative_generator = bn128_Fr("5");
67  bn128_Fr::root_of_unity =
68  bn128_Fr("1910321906792171394429139282769207003614565195732928631530564"
69  "2004821462161904");
70  bn128_Fr::nqr = bn128_Fr("5");
71  bn128_Fr::nqr_to_t = bn128_Fr("19103219067921713944291392827692070036145651"
72  "957329286315305642004821462161904");
73  bn128_Fr::static_init();
74 
75  /* parameters for base field Fq */
76  bn128_modulus_q = bigint_q("21888242871839275222246405745257275088696311157"
77  "297823662689037894645226208583");
78  assert(bn128_Fq::modulus_is_valid());
79  if (sizeof(mp_limb_t) == 8) {
80  bn128_Fq::Rsquared = bigint_q("3096616502983703923843567936837374451735"
81  "540968419076528771170197431451843209");
82  bn128_Fq::Rcubed = bigint_q("149217865411596481859481527385630809590936"
83  "19838510245177710943249661917737183");
84  bn128_Fq::inv = 0x87d20782e4866389;
85  }
86  if (sizeof(mp_limb_t) == 4) {
87  bn128_Fq::Rsquared = bigint_q("3096616502983703923843567936837374451735"
88  "540968419076528771170197431451843209");
89  bn128_Fq::Rcubed = bigint_q("149217865411596481859481527385630809590936"
90  "19838510245177710943249661917737183");
91  bn128_Fq::inv = 0xe4866389;
92  }
93  bn128_Fq::num_bits = 254;
94  bn128_Fq::euler = bigint_q("10944121435919637611123202872628637544348155578"
95  "648911831344518947322613104291");
96  bn128_Fq::s = 1;
97  bn128_Fq::t = bigint_q("109441214359196376111232028726286375443481555786489"
98  "11831344518947322613104291");
99  bn128_Fq::t_minus_1_over_2 =
100  bigint_q("5472060717959818805561601436314318772174077789324455915672259"
101  "473661306552145");
102  bn128_Fq::multiplicative_generator = bn128_Fq("3");
103  bn128_Fq::root_of_unity =
104  bn128_Fq("2188824287183927522224640574525727508869631115729782366268903"
105  "7894645226208582");
106  bn128_Fq::nqr = bn128_Fq("3");
107  bn128_Fq::nqr_to_t = bn128_Fq("21888242871839275222246405745257275088696311"
108  "157297823662689037894645226208582");
109  bn128_Fq::static_init();
110 
111  /* additional parameters for square roots in Fq/Fq2 */
112  bn128_coeff_b = bn::Fp(3);
113  bn128_Fq_s = 1;
114  bn128_Fq_nqr_to_t = bn::Fp("21888242871839275222246405745257275088696311157"
115  "297823662689037894645226208582");
116  bn128_Fq_t_minus_1_over_2 =
117  mie::Vuint("54720607179598188055616014363143187721740777893244559156722"
118  "59473661306552145");
119 
120  bn128_twist_coeff_b = bn::Fp2(
121  bn::Fp("194858747517593547710242392610217205057906184693017210655646312"
122  "96452457478373"),
123  bn::Fp("266929791119991161246907387137283842545076965332900288569378510"
124  "910307636690"));
125  bn128_Fq2_s = 4;
126  bn128_Fq2_nqr_to_t = bn::Fp2(
127  bn::Fp("503350371626262426731249255837998268717520073493487759859901148"
128  "5707452665730"),
129  bn::Fp("314498342015008975724433667930697407966947188435857772134235984"
130  "660852259084"));
131  bn128_Fq2_t_minus_1_over_2 =
132  mie::Vuint("14971724250519463826312126413021210649976634891596900701138"
133  "99382043969042769931992024503286935743349909963225983790938"
134  "3182382988566862092145199781964621");
135 
136  /* choice of group G1 */
137  // Identities
138  bn128_G1::G1_zero.X = bn::Fp(1);
139  bn128_G1::G1_zero.Y = bn::Fp(1);
140  bn128_G1::G1_zero.Z = bn::Fp(0);
141 
142  bn128_G1::G1_one.X = bn::Fp(1);
143  bn128_G1::G1_one.Y = bn::Fp(2);
144  bn128_G1::G1_one.Z = bn::Fp(1);
145 
146  // Cofactor
147  bn128_G1::h = bigint<bn128_G1::h_limbs>("1");
148 
149  // WNAF
150  bn128_G1::wnaf_window_table.resize(0);
151  bn128_G1::wnaf_window_table.push_back(10);
152  bn128_G1::wnaf_window_table.push_back(24);
153  bn128_G1::wnaf_window_table.push_back(40);
154  bn128_G1::wnaf_window_table.push_back(132);
155 
156  bn128_G1::fixed_base_exp_window_table.resize(0);
157  // window 1 is unbeaten in [-inf, 4.24]
158  bn128_G1::fixed_base_exp_window_table.push_back(1);
159  // window 2 is unbeaten in [4.24, 10.43]
160  bn128_G1::fixed_base_exp_window_table.push_back(4);
161  // window 3 is unbeaten in [10.43, 24.88]
162  bn128_G1::fixed_base_exp_window_table.push_back(10);
163  // window 4 is unbeaten in [24.88, 62.10]
164  bn128_G1::fixed_base_exp_window_table.push_back(25);
165  // window 5 is unbeaten in [62.10, 157.80]
166  bn128_G1::fixed_base_exp_window_table.push_back(62);
167  // window 6 is unbeaten in [157.80, 362.05]
168  bn128_G1::fixed_base_exp_window_table.push_back(158);
169  // window 7 is unbeaten in [362.05, 806.67]
170  bn128_G1::fixed_base_exp_window_table.push_back(362);
171  // window 8 is unbeaten in [806.67, 2090.34]
172  bn128_G1::fixed_base_exp_window_table.push_back(807);
173  // window 9 is unbeaten in [2090.34, 4459.58]
174  bn128_G1::fixed_base_exp_window_table.push_back(2090);
175  // window 10 is unbeaten in [4459.58, 9280.12]
176  bn128_G1::fixed_base_exp_window_table.push_back(4460);
177  // window 11 is unbeaten in [9280.12, 43302.64]
178  bn128_G1::fixed_base_exp_window_table.push_back(9280);
179  // window 12 is unbeaten in [43302.64, 210998.73]
180  bn128_G1::fixed_base_exp_window_table.push_back(43303);
181  // window 13 is never the best
182  bn128_G1::fixed_base_exp_window_table.push_back(0);
183  // window 14 is never the best
184  bn128_G1::fixed_base_exp_window_table.push_back(0);
185  // window 15 is unbeaten in [210998.73, 506869.47]
186  bn128_G1::fixed_base_exp_window_table.push_back(210999);
187  // window 16 is unbeaten in [506869.47, 930023.36]
188  bn128_G1::fixed_base_exp_window_table.push_back(506869);
189  // window 17 is unbeaten in [930023.36, 8350812.20]
190  bn128_G1::fixed_base_exp_window_table.push_back(930023);
191  // window 18 is never the best
192  bn128_G1::fixed_base_exp_window_table.push_back(0);
193  // window 19 is never the best
194  bn128_G1::fixed_base_exp_window_table.push_back(0);
195  // window 20 is unbeaten in [8350812.20, 21708138.87]
196  bn128_G1::fixed_base_exp_window_table.push_back(8350812);
197  // window 21 is unbeaten in [21708138.87, 29482995.52]
198  bn128_G1::fixed_base_exp_window_table.push_back(21708139);
199  // window 22 is unbeaten in [29482995.52, inf]
200  bn128_G1::fixed_base_exp_window_table.push_back(29482996);
201 
202  /* choice of group G2 */
203  // Identities
204  bn128_G2::G2_zero.X = bn::Fp2(bn::Fp(1), bn::Fp(0));
205  bn128_G2::G2_zero.Y = bn::Fp2(bn::Fp(1), bn::Fp(0));
206  bn128_G2::G2_zero.Z = bn::Fp2(bn::Fp(0), bn::Fp(0));
207 
208  bn128_G2::G2_one.X = bn::Fp2(
209  bn::Fp("152678028847935503835587060391656210502900897759612088243037657"
210  "53922461897946"),
211  bn::Fp("903449356601974233940237867046189777450996766956261078811321598"
212  "8055021632533"));
213  bn128_G2::G2_one.Y = bn::Fp2(
214  bn::Fp("644888581738283025171396578091639672120333224302184904896215738"
215  "366765861164"),
216  bn::Fp("205328750812034486954487442552245436619595163613273857798784767"
217  "09582931298750"));
218  bn128_G2::G2_one.Z = bn::Fp2(bn::Fp(1), bn::Fp(0));
219 
220  // Cofactor
221  bn128_G2::h =
222  bigint<bn128_G2::h_limbs>("21888242871839275222246405745257275088844257"
223  "914179612981679871602714643921549");
224 
225  // WNAF
226  bn128_G2::wnaf_window_table.resize(0);
227  bn128_G2::wnaf_window_table.push_back(7);
228  bn128_G2::wnaf_window_table.push_back(18);
229  bn128_G2::wnaf_window_table.push_back(35);
230  bn128_G2::wnaf_window_table.push_back(116);
231 
232  bn128_G2::fixed_base_exp_window_table.resize(0);
233  // window 1 is unbeaten in [-inf, 4.13]
234  bn128_G2::fixed_base_exp_window_table.push_back(1);
235  // window 2 is unbeaten in [4.13, 10.72]
236  bn128_G2::fixed_base_exp_window_table.push_back(4);
237  // window 3 is unbeaten in [10.72, 25.60]
238  bn128_G2::fixed_base_exp_window_table.push_back(11);
239  // window 4 is unbeaten in [25.60, 60.99]
240  bn128_G2::fixed_base_exp_window_table.push_back(26);
241  // window 5 is unbeaten in [60.99, 153.66]
242  bn128_G2::fixed_base_exp_window_table.push_back(61);
243  // window 6 is unbeaten in [153.66, 353.13]
244  bn128_G2::fixed_base_exp_window_table.push_back(154);
245  // window 7 is unbeaten in [353.13, 771.87]
246  bn128_G2::fixed_base_exp_window_table.push_back(353);
247  // window 8 is unbeaten in [771.87, 2025.85]
248  bn128_G2::fixed_base_exp_window_table.push_back(772);
249  // window 9 is unbeaten in [2025.85, 4398.65]
250  bn128_G2::fixed_base_exp_window_table.push_back(2026);
251  // window 10 is unbeaten in [4398.65, 10493.42]
252  bn128_G2::fixed_base_exp_window_table.push_back(4399);
253  // window 11 is unbeaten in [10493.42, 37054.73]
254  bn128_G2::fixed_base_exp_window_table.push_back(10493);
255  // window 12 is unbeaten in [37054.73, 49928.78]
256  bn128_G2::fixed_base_exp_window_table.push_back(37055);
257  // window 13 is unbeaten in [49928.78, 114502.82]
258  bn128_G2::fixed_base_exp_window_table.push_back(49929);
259  // window 14 is unbeaten in [114502.82, 161445.26]
260  bn128_G2::fixed_base_exp_window_table.push_back(114503);
261  // window 15 is unbeaten in [161445.26, 470648.01]
262  bn128_G2::fixed_base_exp_window_table.push_back(161445);
263  // window 16 is unbeaten in [470648.01, 1059821.87]
264  bn128_G2::fixed_base_exp_window_table.push_back(470648);
265  // window 17 is unbeaten in [1059821.87, 5450848.25]
266  bn128_G2::fixed_base_exp_window_table.push_back(1059822);
267  // window 18 is never the best
268  bn128_G2::fixed_base_exp_window_table.push_back(0);
269  // window 19 is unbeaten in [5450848.25, 5566795.57]
270  bn128_G2::fixed_base_exp_window_table.push_back(5450848);
271  // window 20 is unbeaten in [5566795.57, 33055217.52]
272  bn128_G2::fixed_base_exp_window_table.push_back(5566796);
273  // window 21 is never the best
274  bn128_G2::fixed_base_exp_window_table.push_back(0);
275  // window 22 is unbeaten in [33055217.52, inf]
276  bn128_G2::fixed_base_exp_window_table.push_back(33055218);
277 
278  bn128_GT::GT_one.elem = bn::Fp12(1);
279 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_bw6_761_params()

void libff::init_bw6_761_params ( )

Definition at line 27 of file bw6_761_init.cpp.

28 {
29  typedef bigint<bw6_761_r_limbs> bigint_r;
30  typedef bigint<bw6_761_q_limbs> bigint_q;
31 
32  // Montgomery assumes this
33  assert(sizeof(mp_limb_t) == 8 || sizeof(mp_limb_t) == 4);
34 
35  // Parameters for scalar field Fr
36  // r =
37  // 0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
38  bw6_761_modulus_r =
39  bigint_r("2586644260129690940106527336948935335363935127549146605398842"
40  "62666720468348340822774968888139573360124440321458177");
41  assert(bw6_761_Fr::modulus_is_valid());
42  if (sizeof(mp_limb_t) == 8) {
43  bw6_761_Fr::Rsquared = bigint_r(
44  "661274283768726978163325701168662324052305289846649183196063154202"
45  "33909940404532140033099444330447428417853902114");
46  bw6_761_Fr::Rcubed = bigint_r(
47  "157734475176213061358192738313701451942220138363611391489992831740"
48  "412033225490229541667992423878570205050777755168");
49  bw6_761_Fr::inv = 0x8508bfffffffffff;
50  }
51  if (sizeof(mp_limb_t) == 4) {
52  bw6_761_Fr::Rsquared = bigint_r(
53  "661274283768726978163325701168662324052305289846649183196063154202"
54  "33909940404532140033099444330447428417853902114");
55  bw6_761_Fr::Rcubed = bigint_r(
56  "157734475176213061358192738313701451942220138363611391489992831740"
57  "412033225490229541667992423878570205050777755168");
58  bw6_761_Fr::inv = 0xffffffff;
59  }
60  bw6_761_Fr::num_bits = 377;
61  bw6_761_Fr::euler =
62  bigint_r("1293322130064845470053263668474467667681967563774573302699421"
63  "31333360234174170411387484444069786680062220160729088");
64  bw6_761_Fr::s = 46;
65  bw6_761_Fr::t =
66  bigint_r("3675842578061421676390135839012792950148785745837396071634149"
67  "488243117337281387659330802195819009059");
68  bw6_761_Fr::t_minus_1_over_2 =
69  bigint_r("1837921289030710838195067919506396475074392872918698035817074"
70  "744121558668640693829665401097909504529");
71  bw6_761_Fr::multiplicative_generator = bw6_761_Fr("15");
72  bw6_761_Fr::root_of_unity =
73  bw6_761_Fr("32863578547254505029601261939868325669770508939375122462904"
74  "745766352256812585773382134936404344547323199885654433");
75  bw6_761_Fr::nqr = bw6_761_Fr("5");
76  bw6_761_Fr::nqr_to_t =
77  bw6_761_Fr("33774956008227656219775876656288133547078610493828613777258"
78  "829345740556592044969439504850374928261397247202212840");
79  bw6_761_Fr::static_init();
80 
81  // Parameters for base field Fq
82  // q =
83  // 0x122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b423048689c8ed12f9fd9071dcd3dc73ebff2e98a116c25667a8f8160cf8aeeaf0a437e6913e6870000082f49d00000000008b
84  bw6_761_modulus_q =
85  bigint_q("6891450384315732539396789682275657542479668912536150109513790"
86  "1602096234222434917360876831832894116876408645677537866134511"
87  "6175912055424775934951169912530159895160509937850885037254363"
88  "1423596795951899700429969112842764913119068299");
89  assert(bw6_761_Fq::modulus_is_valid());
90  if (sizeof(mp_limb_t) == 8) {
91  bw6_761_Fq::Rsquared = bigint_q(
92  "410173710550729835244256131339319232418037181415529408988358678008"
93  "337131002543531210418765667118526087296627284304957029592342298086"
94  "677137781899438438783090920915449892454598380340650741080836049574"
95  "9428678951279422657716620863065");
96  bw6_761_Fq::Rcubed = bigint_q(
97  "297415514632118086526834853439131925910825545338380841392089322640"
98  "624198677430665521626961318971291885148318712859327336480040754936"
99  "765047304839676586453060891603903912680899124818868997690823101153"
100  "644786484398736894438670450156");
101 
102  bw6_761_Fq::inv = 0xa5593568fa798dd;
103  }
104  if (sizeof(mp_limb_t) == 4) {
105  bw6_761_Fq::Rsquared = bigint_q(
106  "410173710550729835244256131339319232418037181415529408988358678008"
107  "337131002543531210418765667118526087296627284304957029592342298086"
108  "677137781899438438783090920915449892454598380340650741080836049574"
109  "9428678951279422657716620863065");
110  bw6_761_Fq::Rcubed = bigint_q(
111  "297415514632118086526834853439131925910825545338380841392089322640"
112  "624198677430665521626961318971291885148318712859327336480040754936"
113  "765047304839676586453060891603903912680899124818868997690823101153"
114  "644786484398736894438670450156");
115  bw6_761_Fq::inv = 0x8fa798dd;
116  }
117  bw6_761_Fq::num_bits = 761;
118  bw6_761_Fq::euler =
119  bigint_q("3445725192157866269698394841137828771239834456268075054756895"
120  "0801048117111217458680438415916447058438204322838768933067255"
121  "8087956027712387967475584956265079947580254968925442518627181"
122  "5711798397975949850214984556421382456559534149");
123  bw6_761_Fq::s = 1;
124  bw6_761_Fq::t =
125  bigint_q("3445725192157866269698394841137828771239834456268075054756895"
126  "0801048117111217458680438415916447058438204322838768933067255"
127  "8087956027712387967475584956265079947580254968925442518627181"
128  "5711798397975949850214984556421382456559534149");
129  bw6_761_Fq::t_minus_1_over_2 =
130  bigint_q("1722862596078933134849197420568914385619917228134037527378447"
131  "5400524058555608729340219207958223529219102161419384466533627"
132  "9043978013856193983737792478132539973790127484462721259313590"
133  "7855899198987974925107492278210691228279767074");
134  bw6_761_Fq::multiplicative_generator = bw6_761_Fq("2");
135  bw6_761_Fq::root_of_unity =
136  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
137  "90160209623422243491736087683183289411687640864567753786613"
138  "45116175912055424775934951169912530159895160509937850885037"
139  "2543631423596795951899700429969112842764913119068298");
140  bw6_761_Fq::nqr = bw6_761_Fq("2");
141  bw6_761_Fq::nqr_to_t =
142  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
143  "90160209623422243491736087683183289411687640864567753786613"
144  "45116175912055424775934951169912530159895160509937850885037"
145  "2543631423596795951899700429969112842764913119068298");
146  bw6_761_Fq::static_init();
147 
148  // Parameters for Fq3
149  bw6_761_Fq3::euler = bigint<3 * bw6_761_q_limbs>(
150  "1636446854262954003249141699409548889559206196373633220512096143268984"
151  "5397014880568641901171928604942518055908462554673180677727867910667998"
152  "4663099143697116161447047621868304705520956489172590015220902479424161"
153  "5633521368602921395669003930971333893630420619714613478078837246039873"
154  "3124493326270446151854198371345979937646860351442184846671768256523932"
155  "2945704382553665794724881767934477627356011124130848888786345848916593"
156  "9567481576923242781572039862743001907835119097653682898829629358506603"
157  "8893699793468601168791027807574316427084928535262789988925129164000203"
158  "2048904566729137025370148302740362549750397891505412715221417910833483"
159  "274288268810463328915955262815220574933205354950574767449");
160  bw6_761_Fq3::s = 1;
161  bw6_761_Fq3::t = bigint<3 * bw6_761_q_limbs>(
162  "1636446854262954003249141699409548889559206196373633220512096143268984"
163  "5397014880568641901171928604942518055908462554673180677727867910667998"
164  "4663099143697116161447047621868304705520956489172590015220902479424161"
165  "5633521368602921395669003930971333893630420619714613478078837246039873"
166  "3124493326270446151854198371345979937646860351442184846671768256523932"
167  "2945704382553665794724881767934477627356011124130848888786345848916593"
168  "9567481576923242781572039862743001907835119097653682898829629358506603"
169  "8893699793468601168791027807574316427084928535262789988925129164000203"
170  "2048904566729137025370148302740362549750397891505412715221417910833483"
171  "274288268810463328915955262815220574933205354950574767449");
172  bw6_761_Fq3::t_minus_1_over_2 = bigint<3 * bw6_761_q_limbs>(
173  "8182234271314770016245708497047744447796030981868166102560480716344922"
174  "6985074402843209505859643024712590279542312773365903388639339553339992"
175  "3315495718485580807235238109341523527604782445862950076104512397120807"
176  "8167606843014606978345019654856669468152103098573067390394186230199366"
177  "5622466631352230759270991856729899688234301757210924233358841282619661"
178  "4728521912768328973624408839672388136780055620654244443931729244582969"
179  "7837407884616213907860199313715009539175595488268414494148146792533019"
180  "4468498967343005843955139037871582135424642676313949944625645820001016"
181  "0244522833645685126850741513701812748751989457527063576107089554167416"
182  "37144134405231664457977631407610287466602677475287383724");
183  bw6_761_Fq3::nqr =
184  bw6_761_Fq3(bw6_761_Fq("0"), bw6_761_Fq("1"), bw6_761_Fq("0"));
185  bw6_761_Fq3::nqr_to_t = bw6_761_Fq3(
186  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
187  "90160209623422243491736087683183289411687640864567753786613"
188  "45116175912055424775934951169912530159895160509937850885037"
189  "2543631423596795951899700429969112842764913119068298"),
190  bw6_761_Fq("0"),
191  bw6_761_Fq("0"));
192  bw6_761_Fq3::non_residue =
193  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
194  "90160209623422243491736087683183289411687640864567753786613"
195  "45116175912055424775934951169912530159895160509937850885037"
196  "2543631423596795951899700429969112842764913119068295");
197  bw6_761_Fq3::nqr =
198  bw6_761_Fq3(bw6_761_Fq("0"), bw6_761_Fq("1"), bw6_761_Fq("0"));
199  bw6_761_Fq3::nqr_to_t = bw6_761_Fq3(
200  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
201  "90160209623422243491736087683183289411687640864567753786613"
202  "45116175912055424775934951169912530159895160509937850885037"
203  "2543631423596795951899700429969112842764913119068298"),
204  bw6_761_Fq("0"),
205  bw6_761_Fq("0"));
206  bw6_761_Fq3::Frobenius_coeffs_c1[0] = bw6_761_Fq("1");
207  bw6_761_Fq3::Frobenius_coeffs_c1[1] =
208  bw6_761_Fq("49224645602255232421181789425750803910820025302323243810630"
209  "48548642823052024664478336818169867474395270858391911405337"
210  "70724773573982666493944449046954210939153048282672820358254"
211  "9674992333383150446779312029624171857054392282775648");
212  bw6_761_Fq3::Frobenius_coeffs_c1[2] =
213  bw6_761_Fq("19689858240902092972786107397005771513976663823038257284507"
214  "41611566800370218827257750865013421937292370006175842381275"
215  "74391402338072758281990502122958319220742112227265030526782"
216  "2868639090213645505120388400344940985710520836292650");
217  bw6_761_Fq3::Frobenius_coeffs_c2[0] = bw6_761_Fq("1");
218  bw6_761_Fq3::Frobenius_coeffs_c2[1] =
219  bw6_761_Fq("19689858240902092972786107397005771513976663823038257284507"
220  "41611566800370218827257750865013421937292370006175842381275"
221  "74391402338072758281990502122958319220742112227265030526782"
222  "2868639090213645505120388400344940985710520836292650");
223  bw6_761_Fq3::Frobenius_coeffs_c2[2] =
224  bw6_761_Fq("49224645602255232421181789425750803910820025302323243810630"
225  "48548642823052024664478336818169867474395270858391911405337"
226  "70724773573982666493944449046954210939153048282672820358254"
227  "9674992333383150446779312029624171857054392282775648");
228 
229  // Parameters for the field Fq^6
230  bw6_761_Fq6::non_residue =
231  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
232  "90160209623422243491736087683183289411687640864567753786613"
233  "45116175912055424775934951169912530159895160509937850885037"
234  "2543631423596795951899700429969112842764913119068295");
235  bw6_761_Fq6::Frobenius_coeffs_c1[0] = bw6_761_Fq("1");
236  bw6_761_Fq6::Frobenius_coeffs_c1[1] =
237  bw6_761_Fq("49224645602255232421181789425750803910820025302323243810630"
238  "48548642823052024664478336818169867474395270858391911405337"
239  "70724773573982666493944449046954210939153048282672820358254"
240  "9674992333383150446779312029624171857054392282775649");
241  bw6_761_Fq6::Frobenius_coeffs_c1[2] =
242  bw6_761_Fq("49224645602255232421181789425750803910820025302323243810630"
243  "48548642823052024664478336818169867474395270858391911405337"
244  "70724773573982666493944449046954210939153048282672820358254"
245  "9674992333383150446779312029624171857054392282775648");
246  bw6_761_Fq6::Frobenius_coeffs_c1[3] =
247  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
248  "90160209623422243491736087683183289411687640864567753786613"
249  "45116175912055424775934951169912530159895160509937850885037"
250  "2543631423596795951899700429969112842764913119068298");
251  bw6_761_Fq6::Frobenius_coeffs_c1[4] =
252  bw6_761_Fq("19689858240902092972786107397005771513976663823038257284507"
253  "41611566800370218827257750865013421937292370006175842381275"
254  "74391402338072758281990502122958319220742112227265030526782"
255  "2868639090213645505120388400344940985710520836292650");
256  bw6_761_Fq6::Frobenius_coeffs_c1[5] =
257  bw6_761_Fq("19689858240902092972786107397005771513976663823038257284507"
258  "41611566800370218827257750865013421937292370006175842381275"
259  "74391402338072758281990502122958319220742112227265030526782"
260  "2868639090213645505120388400344940985710520836292651");
261 
262  bw6_761_Fq6::my_Fp2::non_residue = bw6_761_Fq3::non_residue;
263 
264  // Choice of short Weierstrass curve and its twist
265  // E: y^2 = x^3 - 1
266  // bw6_761_coeff_b = -1
267  bw6_761_coeff_b =
268  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
269  "90160209623422243491736087683183289411687640864567753786613"
270  "45116175912055424775934951169912530159895160509937850885037"
271  "2543631423596795951899700429969112842764913119068298");
272  // E': y^2 = x^3 - 1 * (-4) = y^2 = x^3 + 4
273  // bw6_761_twist = -4
274  bw6_761_twist =
275  bw6_761_Fq("68914503843157325393967896822756575424796689125361501095137"
276  "90160209623422243491736087683183289411687640864567753786613"
277  "45116175912055424775934951169912530159895160509937850885037"
278  "2543631423596795951899700429969112842764913119068295");
279  // We use a M-twist here, hence:
280  // bw6_761_twist_coeff_b = bw6_761_coeff_b * bw6_761_twist;
281  bw6_761_twist_coeff_b = bw6_761_Fq("4");
282 
283  // Choice of group G1
284  // Identities
285  bw6_761_G1::G1_zero =
286  bw6_761_G1(bw6_761_Fq::zero(), bw6_761_Fq::one(), bw6_761_Fq::zero());
287  bw6_761_G1::G1_one = bw6_761_G1(
288  bw6_761_Fq("62387722575946793680321456936228128387790058097608247331387"
289  "87810501188623461307351759238099287535516224314149266511977"
290  "13214082863595094002179048950761175436631780181109081136794"
291  "5064510304504157188661901055903167026722666149426237"),
292  bw6_761_Fq("21017351265208974239115045622158349511481275559133679971627"
293  "89335052900271653517958562461315794228241561913734371411178"
294  "22693652768320387955309393418595047097184897208532179795812"
295  "4416462268292467002957525517188485984766314758624099"),
296  bw6_761_Fq::one());
297 
298  // Curve coeffs
299  bw6_761_G1::coeff_a = bw6_761_Fq::zero();
300  bw6_761_G1::coeff_b = bw6_761_coeff_b;
301 
302  // Cofactor
303  bw6_761_G1::h = bigint<bw6_761_G1::h_limbs>(
304  "2664243587933581668398767770148807386775111827005265065594210250231297"
305  "7592501693353047140953112195348280268661194876");
306 
307  // WNAF
308  //
309  // Below we use the same `wnaf_window_table` as used for alt_bn_128
310  // TODO: Adjust the `wnaf_window_table` and `fixed_base_exp_window_table`
311  bw6_761_G1::wnaf_window_table.resize(0);
312  bw6_761_G1::wnaf_window_table.push_back(11);
313  bw6_761_G1::wnaf_window_table.push_back(24);
314  bw6_761_G1::wnaf_window_table.push_back(60);
315  bw6_761_G1::wnaf_window_table.push_back(127);
316 
317  // Fixed-base exponentiation table
318  bw6_761_G1::fixed_base_exp_window_table.resize(0);
319  // window 1 is unbeaten in [-inf, 4.99]
320  bw6_761_G1::fixed_base_exp_window_table.push_back(1);
321  // window 2 is unbeaten in [4.99, 10.99]
322  bw6_761_G1::fixed_base_exp_window_table.push_back(5);
323  // window 3 is unbeaten in [10.99, 32.29]
324  bw6_761_G1::fixed_base_exp_window_table.push_back(11);
325  // window 4 is unbeaten in [32.29, 55.23]
326  bw6_761_G1::fixed_base_exp_window_table.push_back(32);
327  // window 5 is unbeaten in [55.23, 162.03]
328  bw6_761_G1::fixed_base_exp_window_table.push_back(55);
329  // window 6 is unbeaten in [162.03, 360.15]
330  bw6_761_G1::fixed_base_exp_window_table.push_back(162);
331  // window 7 is unbeaten in [360.15, 815.44]
332  bw6_761_G1::fixed_base_exp_window_table.push_back(360);
333  // window 8 is unbeaten in [815.44, 2373.07]
334  bw6_761_G1::fixed_base_exp_window_table.push_back(815);
335  // window 9 is unbeaten in [2373.07, 6977.75]
336  bw6_761_G1::fixed_base_exp_window_table.push_back(2373);
337  // window 10 is unbeaten in [6977.75, 7122.23]
338  bw6_761_G1::fixed_base_exp_window_table.push_back(6978);
339  // window 11 is unbeaten in [7122.23, 57818.46]
340  bw6_761_G1::fixed_base_exp_window_table.push_back(7122);
341  // window 12 is never the best
342  bw6_761_G1::fixed_base_exp_window_table.push_back(0);
343  // window 13 is unbeaten in [57818.46, 169679.14]
344  bw6_761_G1::fixed_base_exp_window_table.push_back(57818);
345  // window 14 is never the best
346  bw6_761_G1::fixed_base_exp_window_table.push_back(0);
347  // window 15 is unbeaten in [169679.14, 439758.91]
348  bw6_761_G1::fixed_base_exp_window_table.push_back(169679);
349  // window 16 is unbeaten in [439758.91, 936073.41]
350  bw6_761_G1::fixed_base_exp_window_table.push_back(439759);
351  // window 17 is unbeaten in [936073.41, 4666554.74]
352  bw6_761_G1::fixed_base_exp_window_table.push_back(936073);
353  // window 18 is never the best
354  bw6_761_G1::fixed_base_exp_window_table.push_back(0);
355  // window 19 is unbeaten in [4666554.74, 7580404.42]
356  bw6_761_G1::fixed_base_exp_window_table.push_back(4666555);
357  // window 20 is unbeaten in [7580404.42, 34552892.20]
358  bw6_761_G1::fixed_base_exp_window_table.push_back(7580404);
359  // window 21 is never the best
360  bw6_761_G1::fixed_base_exp_window_table.push_back(0);
361  // window 22 is unbeaten in [34552892.20, inf]
362  bw6_761_G1::fixed_base_exp_window_table.push_back(34552892);
363 
364  // Choice of group G2
365  // Identities
366  bw6_761_G2::G2_zero =
367  bw6_761_G2(bw6_761_Fq::zero(), bw6_761_Fq::one(), bw6_761_Fq::zero());
368  bw6_761_G2::G2_one = bw6_761_G2(
369  bw6_761_Fq("64453329105969793360358881527740716268988861397741013649339"
370  "48236926875073754470830732273879639675437155036544153105017"
371  "72959260056063167855429956276229474392791242909663615640117"
372  "1909259073181112518725201388196280039960074422214428"),
373  bw6_761_Fq("56292365808953971938692216344454738775758653474108026394695"
374  "34015951552119346305989993003963171041825980447937581532149"
375  "72605680357108252243146746187917218885078195819486220416605"
376  "630144001533548163105316661692978285266378674355041"),
377  bw6_761_Fq::one());
378 
379  // Curve coeffs
380  bw6_761_G2::coeff_a = bw6_761_Fq::zero();
381  bw6_761_G2::coeff_b = bw6_761_twist_coeff_b;
382 
383  // Cofactor
384  bw6_761_G2::h = bigint<bw6_761_G2::h_limbs>(
385  "2664243587933581668398767770148807386775111827005265065594210250231297"
386  "7592501693353047140953112195348280268661194869");
387 
388  // wNAF window table
389  bw6_761_G2::wnaf_window_table.resize(0);
390  bw6_761_G2::wnaf_window_table.push_back(5);
391  bw6_761_G2::wnaf_window_table.push_back(15);
392  bw6_761_G2::wnaf_window_table.push_back(39);
393  bw6_761_G2::wnaf_window_table.push_back(109);
394 
395  // Fixed-base exponentiation table
396  bw6_761_G2::fixed_base_exp_window_table.resize(0);
397  // window 1 is unbeaten in [-inf, 5.10]
398  bw6_761_G2::fixed_base_exp_window_table.push_back(1);
399  // window 2 is unbeaten in [5.10, 10.43]
400  bw6_761_G2::fixed_base_exp_window_table.push_back(5);
401  // window 3 is unbeaten in [10.43, 25.28]
402  bw6_761_G2::fixed_base_exp_window_table.push_back(10);
403  // window 4 is unbeaten in [25.28, 59.00]
404  bw6_761_G2::fixed_base_exp_window_table.push_back(25);
405  // window 5 is unbeaten in [59.00, 154.03]
406  bw6_761_G2::fixed_base_exp_window_table.push_back(59);
407  // window 6 is unbeaten in [154.03, 334.25]
408  bw6_761_G2::fixed_base_exp_window_table.push_back(154);
409  // window 7 is unbeaten in [334.25, 742.58]
410  bw6_761_G2::fixed_base_exp_window_table.push_back(334);
411  // window 8 is unbeaten in [742.58, 2034.40]
412  bw6_761_G2::fixed_base_exp_window_table.push_back(743);
413  // window 9 is unbeaten in [2034.40, 4987.56]
414  bw6_761_G2::fixed_base_exp_window_table.push_back(2034);
415  // window 10 is unbeaten in [4987.56, 8888.27]
416  bw6_761_G2::fixed_base_exp_window_table.push_back(4988);
417  // window 11 is unbeaten in [8888.27, 26271.13]
418  bw6_761_G2::fixed_base_exp_window_table.push_back(8888);
419  // window 12 is unbeaten in [26271.13, 39768.20]
420  bw6_761_G2::fixed_base_exp_window_table.push_back(26271);
421  // window 13 is unbeaten in [39768.20, 106275.75]
422  bw6_761_G2::fixed_base_exp_window_table.push_back(39768);
423  // window 14 is unbeaten in [106275.75, 141703.40]
424  bw6_761_G2::fixed_base_exp_window_table.push_back(106276);
425  // window 15 is unbeaten in [141703.40, 462422.97]
426  bw6_761_G2::fixed_base_exp_window_table.push_back(141703);
427  // window 16 is unbeaten in [462422.97, 926871.84]
428  bw6_761_G2::fixed_base_exp_window_table.push_back(462423);
429  // window 17 is unbeaten in [926871.84, 4873049.17]
430  bw6_761_G2::fixed_base_exp_window_table.push_back(926872);
431  // window 18 is never the best
432  bw6_761_G2::fixed_base_exp_window_table.push_back(0);
433  // window 19 is unbeaten in [4873049.17, 5706707.88]
434  bw6_761_G2::fixed_base_exp_window_table.push_back(4873049);
435  // window 20 is unbeaten in [5706707.88, 31673814.95]
436  bw6_761_G2::fixed_base_exp_window_table.push_back(5706708);
437  // window 21 is never the best
438  bw6_761_G2::fixed_base_exp_window_table.push_back(0);
439  // window 22 is unbeaten in [31673814.95, inf]
440  bw6_761_G2::fixed_base_exp_window_table.push_back(31673815);
441 
442  // Pairing parameters
443  // See Algorithm 5 for Miller Loop: https://eprint.iacr.org/2020/351.pdf
444  // ate_opt(P,Q) = (f_{u^3-u^2-u,Q}(P)f^{q}_{u+1,Q}(P))^(q^6 - 1)/r
445  //
446  // u+1
447  bw6_761_ate_loop_count1 = bigint_q("9586122913090633730");
448  // u^3-u^2-u
449  bw6_761_ate_loop_count2 =
450  bigint_q("880904806456922042166256752416502360955572640081583800319");
451  bw6_761_ate_is_loop_count_neg = false;
452  // u
453  bw6_761_final_exponent_z = bigint_q("9586122913090633729");
454  bw6_761_final_exponent_is_z_neg = false;
455 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_edwards_params()

void libff::init_edwards_params ( )

Definition at line 38 of file edwards_init.cpp.

39 {
40  typedef bigint<edwards_r_limbs> bigint_r;
41  typedef bigint<edwards_q_limbs> bigint_q;
42 
43  assert(
44  sizeof(mp_limb_t) == 8 ||
45  sizeof(mp_limb_t) == 4); // Montgomery assumes this
46 
47  /* parameters for scalar field Fr */
48 
49  edwards_modulus_r =
50  bigint_r("1552511030102430251236801561344621993261920897571225601");
51  assert(edwards_Fr::modulus_is_valid());
52  if (sizeof(mp_limb_t) == 8) {
53  edwards_Fr::Rsquared =
54  bigint_r("621738487827897760168419760282818735947979812540885779");
55  edwards_Fr::Rcubed =
56  bigint_r("899968968216802386013510389846941393831065658679774050");
57  edwards_Fr::inv = 0xdde553277fffffff;
58  }
59  if (sizeof(mp_limb_t) == 4) {
60  edwards_Fr::Rsquared =
61  bigint_r("621738487827897760168419760282818735947979812540885779");
62  edwards_Fr::Rcubed =
63  bigint_r("899968968216802386013510389846941393831065658679774050");
64  edwards_Fr::inv = 0x7fffffff;
65  }
66  edwards_Fr::num_bits = 181;
67  edwards_Fr::euler =
68  bigint_r("776255515051215125618400780672310996630960448785612800");
69  edwards_Fr::s = 31;
70  edwards_Fr::t = bigint_r("722944284836962004768104088187507350585386575");
71  edwards_Fr::t_minus_1_over_2 =
72  bigint_r("361472142418481002384052044093753675292693287");
73  edwards_Fr::multiplicative_generator = edwards_Fr("19");
74  edwards_Fr::root_of_unity =
75  edwards_Fr("695314865466598274460565335217615316274564719601897184");
76  edwards_Fr::nqr = edwards_Fr("11");
77  edwards_Fr::nqr_to_t =
78  edwards_Fr("1326707053668679463752768729767248251415639579872144553");
79  edwards_Fr::static_init();
80 
81  /* parameters for base field Fq */
82 
83  edwards_modulus_q =
84  bigint_q("6210044120409721004947206240885978274523751269793792001");
85  assert(edwards_Fq::modulus_is_valid());
86  if (sizeof(mp_limb_t) == 8) {
87  edwards_Fq::Rsquared =
88  bigint_q("5943559676554581037560514598978484097352477055348195432");
89  edwards_Fq::Rcubed =
90  bigint_q("1081560488703514202058739223469726982199727506489234349");
91  edwards_Fq::inv = 0x76eb690b7fffffff;
92  }
93  if (sizeof(mp_limb_t) == 4) {
94  edwards_Fq::Rsquared =
95  bigint_q("5943559676554581037560514598978484097352477055348195432");
96  edwards_Fq::Rcubed =
97  bigint_q("1081560488703514202058739223469726982199727506489234349");
98  edwards_Fq::inv = 0x7fffffff;
99  }
100  edwards_Fq::num_bits = 183;
101  edwards_Fq::euler =
102  bigint_q("3105022060204860502473603120442989137261875634896896000");
103  edwards_Fq::s = 31;
104  edwards_Fq::t = bigint_q("2891777139347848019072416350658041552884388375");
105  edwards_Fq::t_minus_1_over_2 =
106  bigint_q("1445888569673924009536208175329020776442194187");
107  edwards_Fq::multiplicative_generator = edwards_Fq("61");
108  edwards_Fq::root_of_unity =
109  edwards_Fq("4692813029219384139894873043933463717810008194158530536");
110  edwards_Fq::nqr = edwards_Fq("23");
111  edwards_Fq::nqr_to_t =
112  edwards_Fq("2626736066325740702418554487368721595489070118548299138");
113  edwards_Fq::static_init();
114 
115  /* parameters for twist field Fq3 */
116 
117  edwards_Fq3::euler = bigint<3 * edwards_q_limbs>(
118  "1197440827139715029629926131910678366982050433739789489038399345641529"
119  "9485805128465854550297120332503183164742441311116131831414476564652505"
120  "7914792711854057586688000");
121  edwards_Fq3::s = 31;
122  edwards_Fq3::t = bigint<3 * edwards_q_limbs>(
123  "1115203674081447561858153093523046343570622088145268605126439915636116"
124  "5908915110366283497118503164968623933142462103735778323760700006645643"
125  "8894190557165125");
126  edwards_Fq3::t_minus_1_over_2 = bigint<3 * edwards_q_limbs>(
127  "5576018370407237809290765467615231717853110440726343025632199578180582"
128  "9544575551831417485592515824843119665712310518678891618803500033228219"
129  "447095278582562");
130  edwards_Fq3::non_residue = edwards_Fq("61");
131  edwards_Fq3::nqr =
132  edwards_Fq3(edwards_Fq("23"), edwards_Fq("0"), edwards_Fq("0"));
133  edwards_Fq3::nqr_to_t = edwards_Fq3(
134  edwards_Fq("104810943629412208121981114244673004633270996333237516"),
135  edwards_Fq("0"),
136  edwards_Fq("0"));
137  edwards_Fq3::Frobenius_coeffs_c1[0] = edwards_Fq("1");
138  edwards_Fq3::Frobenius_coeffs_c1[1] =
139  edwards_Fq("1073752683758513276629212192812154536507607213288832061");
140  edwards_Fq3::Frobenius_coeffs_c1[2] =
141  edwards_Fq("5136291436651207728317994048073823738016144056504959939");
142  edwards_Fq3::Frobenius_coeffs_c2[0] = edwards_Fq("1");
143  edwards_Fq3::Frobenius_coeffs_c2[1] =
144  edwards_Fq("5136291436651207728317994048073823738016144056504959939");
145  edwards_Fq3::Frobenius_coeffs_c2[2] =
146  edwards_Fq("1073752683758513276629212192812154536507607213288832061");
147 
148  /* parameters for Fq6 */
149 
150  edwards_Fq6::non_residue = edwards_Fq("61");
151  edwards_Fq6::Frobenius_coeffs_c1[0] = edwards_Fq("1");
152  edwards_Fq6::Frobenius_coeffs_c1[1] =
153  edwards_Fq("1073752683758513276629212192812154536507607213288832062");
154  edwards_Fq6::Frobenius_coeffs_c1[2] =
155  edwards_Fq("1073752683758513276629212192812154536507607213288832061");
156  edwards_Fq6::Frobenius_coeffs_c1[3] =
157  edwards_Fq("6210044120409721004947206240885978274523751269793792000");
158  edwards_Fq6::Frobenius_coeffs_c1[4] =
159  edwards_Fq("5136291436651207728317994048073823738016144056504959939");
160  edwards_Fq6::Frobenius_coeffs_c1[5] =
161  edwards_Fq("5136291436651207728317994048073823738016144056504959940");
162  edwards_Fq6::my_Fp2::non_residue = edwards_Fq3::non_residue;
163 
164  /* choice of Edwards curve and its twist */
165 
166  edwards_coeff_a = edwards_Fq::one();
167  edwards_coeff_d =
168  edwards_Fq("600581931845324488256649384912508268813600056237543024");
169  edwards_twist =
170  edwards_Fq3(edwards_Fq::zero(), edwards_Fq::one(), edwards_Fq::zero());
171  edwards_twist_coeff_a = edwards_coeff_a * edwards_twist;
172  edwards_twist_coeff_d = edwards_coeff_d * edwards_twist;
173  edwards_twist_mul_by_a_c0 = edwards_coeff_a * edwards_Fq3::non_residue;
174  edwards_twist_mul_by_a_c1 = edwards_coeff_a;
175  edwards_twist_mul_by_a_c2 = edwards_coeff_a;
176  edwards_twist_mul_by_d_c0 = edwards_coeff_d * edwards_Fq3::non_residue;
177  edwards_twist_mul_by_d_c1 = edwards_coeff_d;
178  edwards_twist_mul_by_d_c2 = edwards_coeff_d;
179  edwards_twist_mul_by_q_Y =
180  edwards_Fq("1073752683758513276629212192812154536507607213288832062");
181  edwards_twist_mul_by_q_Z =
182  edwards_Fq("1073752683758513276629212192812154536507607213288832062");
183 
184  /* choice of group G1 */
185 
186  edwards_G1::G1_zero = edwards_G1(edwards_Fq::zero(), edwards_Fq::one());
187  edwards_G1::G1_one = edwards_G1(
188  edwards_Fq("3713709671941291996998665608188072510389821008693530490"),
189  edwards_Fq("4869953702976555123067178261685365085639705297852816679"));
190 
191  edwards_G1::wnaf_window_table.resize(0);
192  edwards_G1::wnaf_window_table.push_back(9);
193  edwards_G1::wnaf_window_table.push_back(14);
194  edwards_G1::wnaf_window_table.push_back(24);
195  edwards_G1::wnaf_window_table.push_back(117);
196 
197  edwards_G1::fixed_base_exp_window_table.resize(0);
198  // window 1 is unbeaten in [-inf, 4.10]
199  edwards_G1::fixed_base_exp_window_table.push_back(1);
200  // window 2 is unbeaten in [4.10, 9.69]
201  edwards_G1::fixed_base_exp_window_table.push_back(4);
202  // window 3 is unbeaten in [9.69, 25.21]
203  edwards_G1::fixed_base_exp_window_table.push_back(10);
204  // window 4 is unbeaten in [25.21, 60.00]
205  edwards_G1::fixed_base_exp_window_table.push_back(25);
206  // window 5 is unbeaten in [60.00, 149.33]
207  edwards_G1::fixed_base_exp_window_table.push_back(60);
208  // window 6 is unbeaten in [149.33, 369.61]
209  edwards_G1::fixed_base_exp_window_table.push_back(149);
210  // window 7 is unbeaten in [369.61, 849.07]
211  edwards_G1::fixed_base_exp_window_table.push_back(370);
212  // window 8 is unbeaten in [849.07, 1764.94]
213  edwards_G1::fixed_base_exp_window_table.push_back(849);
214  // window 9 is unbeaten in [1764.94, 4429.59]
215  edwards_G1::fixed_base_exp_window_table.push_back(1765);
216  // window 10 is unbeaten in [4429.59, 13388.78]
217  edwards_G1::fixed_base_exp_window_table.push_back(4430);
218  // window 11 is unbeaten in [13388.78, 15368.00]
219  edwards_G1::fixed_base_exp_window_table.push_back(13389);
220  // window 12 is unbeaten in [15368.00, 74912.07]
221  edwards_G1::fixed_base_exp_window_table.push_back(15368);
222  // window 13 is unbeaten in [74912.07, 438107.20]
223  edwards_G1::fixed_base_exp_window_table.push_back(74912);
224  // window 14 is never the best
225  edwards_G1::fixed_base_exp_window_table.push_back(0);
226  // window 15 is unbeaten in [438107.20, 1045626.18]
227  edwards_G1::fixed_base_exp_window_table.push_back(438107);
228  // window 16 is never the best
229  edwards_G1::fixed_base_exp_window_table.push_back(0);
230  // window 17 is unbeaten in [1045626.18, 1577434.48]
231  edwards_G1::fixed_base_exp_window_table.push_back(1045626);
232  // window 18 is unbeaten in [1577434.48, 17350594.23]
233  edwards_G1::fixed_base_exp_window_table.push_back(1577434);
234  // window 19 is never the best
235  edwards_G1::fixed_base_exp_window_table.push_back(0);
236  // window 20 is never the best
237  edwards_G1::fixed_base_exp_window_table.push_back(0);
238  // window 21 is unbeaten in [17350594.23, inf]
239  edwards_G1::fixed_base_exp_window_table.push_back(17350594);
240  // window 22 is never the best
241  edwards_G1::fixed_base_exp_window_table.push_back(0);
242 
243  /* choice of group G2 */
244 
245  edwards_G2::G2_zero = edwards_G2(edwards_Fq3::zero(), edwards_Fq3::one());
246  edwards_G2::G2_one = edwards_G2(
247  edwards_Fq3(
248  edwards_Fq(
249  "4531683359223370252210990718516622098304721701253228128"),
250  edwards_Fq(
251  "5339624155305731263217400504407647531329993548123477368"),
252  edwards_Fq(
253  "3964037981777308726208525982198654699800283729988686552")),
254  edwards_Fq3(
255  edwards_Fq(
256  "364634864866983740775341816274081071386963546650700569"),
257  edwards_Fq(
258  "3264380230116139014996291397901297105159834497864380415"),
259  edwards_Fq(
260  "3504781284999684163274269077749440837914479176282903747")));
261 
262  edwards_G2::wnaf_window_table.resize(0);
263  edwards_G2::wnaf_window_table.push_back(6);
264  edwards_G2::wnaf_window_table.push_back(12);
265  edwards_G2::wnaf_window_table.push_back(42);
266  edwards_G2::wnaf_window_table.push_back(97);
267 
268  edwards_G2::fixed_base_exp_window_table.resize(0);
269  // window 1 is unbeaten in [-inf, 4.74]
270  edwards_G2::fixed_base_exp_window_table.push_back(1);
271  // window 2 is unbeaten in [4.74, 10.67]
272  edwards_G2::fixed_base_exp_window_table.push_back(5);
273  // window 3 is unbeaten in [10.67, 25.53]
274  edwards_G2::fixed_base_exp_window_table.push_back(11);
275  // window 4 is unbeaten in [25.53, 60.67]
276  edwards_G2::fixed_base_exp_window_table.push_back(26);
277  // window 5 is unbeaten in [60.67, 145.77]
278  edwards_G2::fixed_base_exp_window_table.push_back(61);
279  // window 6 is unbeaten in [145.77, 356.76]
280  edwards_G2::fixed_base_exp_window_table.push_back(146);
281  // window 7 is unbeaten in [356.76, 823.08]
282  edwards_G2::fixed_base_exp_window_table.push_back(357);
283  // window 8 is unbeaten in [823.08, 1589.45]
284  edwards_G2::fixed_base_exp_window_table.push_back(823);
285  // window 9 is unbeaten in [1589.45, 4135.70]
286  edwards_G2::fixed_base_exp_window_table.push_back(1589);
287  // window 10 is unbeaten in [4135.70, 14297.74]
288  edwards_G2::fixed_base_exp_window_table.push_back(4136);
289  // window 11 is unbeaten in [14297.74, 16744.85]
290  edwards_G2::fixed_base_exp_window_table.push_back(14298);
291  // window 12 is unbeaten in [16744.85, 51768.98]
292  edwards_G2::fixed_base_exp_window_table.push_back(16745);
293  // window 13 is unbeaten in [51768.98, 99811.01]
294  edwards_G2::fixed_base_exp_window_table.push_back(51769);
295  // window 14 is unbeaten in [99811.01, 193306.72]
296  edwards_G2::fixed_base_exp_window_table.push_back(99811);
297  // window 15 is unbeaten in [193306.72, 907184.68]
298  edwards_G2::fixed_base_exp_window_table.push_back(193307);
299  // window 16 is never the best
300  edwards_G2::fixed_base_exp_window_table.push_back(0);
301  // window 17 is unbeaten in [907184.68, 1389682.59]
302  edwards_G2::fixed_base_exp_window_table.push_back(907185);
303  // window 18 is unbeaten in [1389682.59, 6752695.74]
304  edwards_G2::fixed_base_exp_window_table.push_back(1389683);
305  // window 19 is never the best
306  edwards_G2::fixed_base_exp_window_table.push_back(0);
307  // window 20 is unbeaten in [6752695.74, 193642894.51]
308  edwards_G2::fixed_base_exp_window_table.push_back(6752696);
309  // window 21 is unbeaten in [193642894.51, 226760202.29]
310  edwards_G2::fixed_base_exp_window_table.push_back(193642895);
311  // window 22 is unbeaten in [226760202.29, inf]
312  edwards_G2::fixed_base_exp_window_table.push_back(226760202);
313 
314  /* pairing parameters */
315 
316  edwards_ate_loop_count = bigint_q("4492509698523932320491110403");
317  edwards_final_exponent = bigint<6 * edwards_q_limbs>(
318  "3694310717796169464961879734644687013874865157861174841512820742949159"
319  "3976636391130175425245705674550269561361208979548749447898941828686017"
320  "7657304194168755396159416512697939289624688998560831692274575039424707"
321  "21108165443528513330156264699608120624990672333642644221591552000");
322  edwards_final_exponent_last_chunk_abs_of_w0 =
323  bigint_q("17970038794095729281964441603");
324  edwards_final_exponent_last_chunk_is_w0_neg = true;
325  edwards_final_exponent_last_chunk_w1 = bigint_q("4");
326 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_mnt4_params()

void libff::init_mnt4_params ( )

Definition at line 41 of file mnt4_init.cpp.

42 {
43  typedef bigint<mnt4_r_limbs> bigint_r;
44  typedef bigint<mnt4_q_limbs> bigint_q;
45 
46  assert(
47  sizeof(mp_limb_t) == 8 ||
48  sizeof(mp_limb_t) == 4); // Montgomery assumes this
49 
50  /* parameters for scalar field Fr */
51  mnt4_modulus_r = bigint_r("475922286169261325753349249653048451545124878552"
52  "823515553267735739164647307408490559963137");
53  assert(mnt4_Fr::modulus_is_valid());
54  if (sizeof(mp_limb_t) == 8) {
55  mnt4_Fr::Rsquared =
56  bigint_r("163983144722506446826715124368972380525894397127205577781"
57  "234305496325861831001705438796139");
58  mnt4_Fr::Rcubed =
59  bigint_r("207236281459091063710247635236340312578688659363066707916"
60  "716212805695955118593239854980171");
61  mnt4_Fr::inv = 0xbb4334a3ffffffff;
62  }
63  if (sizeof(mp_limb_t) == 4) {
64  mnt4_Fr::Rsquared =
65  bigint_r("163983144722506446826715124368972380525894397127205577781"
66  "234305496325861831001705438796139");
67  mnt4_Fr::Rcubed =
68  bigint_r("207236281459091063710247635236340312578688659363066707916"
69  "716212805695955118593239854980171");
70  mnt4_Fr::inv = 0xffffffff;
71  }
72  mnt4_Fr::num_bits = 298;
73  mnt4_Fr::euler = bigint_r("237961143084630662876674624826524225772562439276"
74  "411757776633867869582323653704245279981568");
75  mnt4_Fr::s = 34;
76  mnt4_Fr::t = bigint_r("2770232305450256248897344628657729199302411164115319"
77  "9339359284829066871159442729");
78  mnt4_Fr::t_minus_1_over_2 =
79  bigint_r("1385116152725128124448672314328864599651205582057659966967964"
80  "2414533435579721364");
81  mnt4_Fr::multiplicative_generator = mnt4_Fr("10");
82  mnt4_Fr::root_of_unity =
83  mnt4_Fr("12063881782691317345876882948569009984537700803089161801010977"
84  "2937363554409782252579816313");
85  mnt4_Fr::nqr = mnt4_Fr("5");
86  mnt4_Fr::nqr_to_t = mnt4_Fr("4062206042430904010564294587302981459372625525"
87  "08985450684842547562990900634752279902740880");
88  mnt4_Fr::static_init();
89 
90  /* parameters for base field Fq */
91  mnt4_modulus_q = bigint_q("475922286169261325753349249653048451545124879242"
92  "694725395555128576210262817955800483758081");
93  assert(mnt4_Fq::modulus_is_valid());
94  if (sizeof(mp_limb_t) == 8) {
95  mnt4_Fq::Rsquared =
96  bigint_q("273000478523237720910981655601160860640083126627235719712"
97  "980612296263966512828033847775776");
98  mnt4_Fq::Rcubed =
99  bigint_q("427298980065529822574935274648041073124704261331681436071"
100  "990730954930769758106792920349077");
101  mnt4_Fq::inv = 0xb071a1b67165ffff;
102  }
103  if (sizeof(mp_limb_t) == 4) {
104  mnt4_Fq::Rsquared =
105  bigint_q("273000478523237720910981655601160860640083126627235719712"
106  "980612296263966512828033847775776");
107  mnt4_Fq::Rcubed =
108  bigint_q("427298980065529822574935274648041073124704261331681436071"
109  "990730954930769758106792920349077");
110  mnt4_Fq::inv = 0x7165ffff;
111  }
112  mnt4_Fq::num_bits = 298;
113  mnt4_Fq::euler = bigint_q("237961143084630662876674624826524225772562439621"
114  "347362697777564288105131408977900241879040");
115  mnt4_Fq::s = 17;
116  mnt4_Fq::t = bigint_q("3630998887399759870554727551674258816109656366292531"
117  "779446068791017229177993437198515");
118  mnt4_Fq::t_minus_1_over_2 =
119  bigint_q("1815499443699879935277363775837129408054828183146265889723034"
120  "395508614588996718599257");
121  mnt4_Fq::multiplicative_generator = mnt4_Fq("17");
122  mnt4_Fq::root_of_unity =
123  mnt4_Fq("26470625057180008075806930236965430553012567552126397603405487"
124  "8017580902343339784464690243");
125  mnt4_Fq::nqr = mnt4_Fq("17");
126  mnt4_Fq::nqr_to_t = mnt4_Fq("2647062505718000807580693023696543055301256755"
127  "21263976034054878017580902343339784464690243");
128  mnt4_Fq::static_init();
129 
130  /* parameters for twist field Fq2 */
131  mnt4_Fq2::euler = bigint<2 * mnt4_q_limbs>(
132  "1132510112362881350982493452491542308959143818587889181068472142434191"
133  "4242292413349746081746824985483306726003898571037009192086083701428188"
134  "6963086681184370139950267830740466401280");
135  mnt4_Fq2::s = 18;
136  mnt4_Fq2::t = bigint<2 * mnt4_q_limbs>(
137  "8640366457846689994678447360927904578850889729216683815524842395280391"
138  "1150302225873917249655341991297200973540485924049447571457547770905980"
139  "6542104196047745818712370534824115");
140  mnt4_Fq2::t_minus_1_over_2 = bigint<2 * mnt4_q_limbs>(
141  "4320183228923344997339223680463952289425444864608341907762421197640195"
142  "5575151112936958624827670995648600486770242962024723785728773885452990"
143  "3271052098023872909356185267412057");
144  mnt4_Fq2::non_residue = mnt4_Fq("17");
145  mnt4_Fq2::nqr = mnt4_Fq2(mnt4_Fq("8"), mnt4_Fq("1"));
146  mnt4_Fq2::nqr_to_t = mnt4_Fq2(
147  mnt4_Fq("0"),
148  mnt4_Fq("29402818985595053196743631544512156561638230562612542604956687"
149  "802791427330205135130967658"));
150  mnt4_Fq2::Frobenius_coeffs_c1[0] = mnt4_Fq("1");
151  mnt4_Fq2::Frobenius_coeffs_c1[1] =
152  mnt4_Fq("47592228616926132575334924965304845154512487924269472539555512"
153  "8576210262817955800483758080");
154  mnt4_Fq2::static_init();
155 
156  /* parameters for Fq4 */
157  mnt4_Fq4::non_residue = mnt4_Fq("17");
158  mnt4_Fq4::Frobenius_coeffs_c1[0] = mnt4_Fq("1");
159  mnt4_Fq4::Frobenius_coeffs_c1[1] =
160  mnt4_Fq("76841632454535016156213515524733370693010820609768050046250116"
161  "94147890954040864167002308");
162  mnt4_Fq4::Frobenius_coeffs_c1[2] =
163  mnt4_Fq("47592228616926132575334924965304845154512487924269472539555512"
164  "8576210262817955800483758080");
165  mnt4_Fq4::Frobenius_coeffs_c1[3] =
166  mnt4_Fq("46823812292380782413772789810057511447582379718171792039093011"
167  "6882062371863914936316755773");
168 
169  /* choice of short Weierstrass curve and its twist */
170  mnt4_G1::coeff_a = mnt4_Fq("2");
171  mnt4_G1::coeff_b = mnt4_Fq("42389453652668417828941601153388824002931810367"
172  "3896002803341544124054745019340795360841685");
173  mnt4_twist = mnt4_Fq2(mnt4_Fq::zero(), mnt4_Fq::one());
174  mnt4_twist_coeff_a =
175  mnt4_Fq2(mnt4_G1::coeff_a * mnt4_Fq2::non_residue, mnt4_Fq::zero());
176  mnt4_twist_coeff_b =
177  mnt4_Fq2(mnt4_Fq::zero(), mnt4_G1::coeff_b * mnt4_Fq2::non_residue);
178  mnt4_G2::twist = mnt4_twist;
179  mnt4_G2::coeff_a = mnt4_twist_coeff_a;
180  mnt4_G2::coeff_b = mnt4_twist_coeff_b;
181  mnt4_twist_mul_by_a_c0 = mnt4_G1::coeff_a * mnt4_Fq2::non_residue;
182  mnt4_twist_mul_by_a_c1 = mnt4_G1::coeff_a * mnt4_Fq2::non_residue;
183  mnt4_twist_mul_by_b_c0 = mnt4_G1::coeff_b * mnt4_Fq2::non_residue.squared();
184  mnt4_twist_mul_by_b_c1 = mnt4_G1::coeff_b * mnt4_Fq2::non_residue;
185  mnt4_twist_mul_by_q_X =
186  mnt4_Fq("47592228616926132575334924965304845154512487924269472539555512"
187  "8576210262817955800483758080");
188  mnt4_twist_mul_by_q_Y =
189  mnt4_Fq("76841632454535016156213515524733370693010820609768050046250116"
190  "94147890954040864167002308");
191 
192  /* choice of group G1 */
193  // Identities
194  mnt4_G1::G1_zero =
195  mnt4_G1(mnt4_Fq::zero(), mnt4_Fq::one(), mnt4_Fq::zero());
196  mnt4_G1::G1_one = mnt4_G1(
197  mnt4_Fq("60760244141852568949126569781626075788424196370144486719385562"
198  "369396875346601926534016838"),
199  mnt4_Fq("36373285070258297826390277081514578445974772235707184397110767"
200  "4179038674942891694705904306"),
201  mnt4_Fq::one());
202 
203  // Cofactor
204  mnt4_G1::h = bigint<mnt4_G1::h_limbs>("1");
205 
206  // WNAF
207  mnt4_G1::wnaf_window_table.resize(0);
208  mnt4_G1::wnaf_window_table.push_back(11);
209  mnt4_G1::wnaf_window_table.push_back(24);
210  mnt4_G1::wnaf_window_table.push_back(60);
211  mnt4_G1::wnaf_window_table.push_back(127);
212 
213  mnt4_G1::fixed_base_exp_window_table.resize(0);
214  // window 1 is unbeaten in [-inf, 5.09]
215  mnt4_G1::fixed_base_exp_window_table.push_back(1);
216  // window 2 is unbeaten in [5.09, 9.64]
217  mnt4_G1::fixed_base_exp_window_table.push_back(5);
218  // window 3 is unbeaten in [9.64, 24.79]
219  mnt4_G1::fixed_base_exp_window_table.push_back(10);
220  // window 4 is unbeaten in [24.79, 60.29]
221  mnt4_G1::fixed_base_exp_window_table.push_back(25);
222  // window 5 is unbeaten in [60.29, 144.37]
223  mnt4_G1::fixed_base_exp_window_table.push_back(60);
224  // window 6 is unbeaten in [144.37, 344.90]
225  mnt4_G1::fixed_base_exp_window_table.push_back(144);
226  // window 7 is unbeaten in [344.90, 855.00]
227  mnt4_G1::fixed_base_exp_window_table.push_back(345);
228  // window 8 is unbeaten in [855.00, 1804.62]
229  mnt4_G1::fixed_base_exp_window_table.push_back(855);
230  // window 9 is unbeaten in [1804.62, 3912.30]
231  mnt4_G1::fixed_base_exp_window_table.push_back(1805);
232  // window 10 is unbeaten in [3912.30, 11264.50]
233  mnt4_G1::fixed_base_exp_window_table.push_back(3912);
234  // window 11 is unbeaten in [11264.50, 27897.51]
235  mnt4_G1::fixed_base_exp_window_table.push_back(11265);
236  // window 12 is unbeaten in [27897.51, 57596.79]
237  mnt4_G1::fixed_base_exp_window_table.push_back(27898);
238  // window 13 is unbeaten in [57596.79, 145298.71]
239  mnt4_G1::fixed_base_exp_window_table.push_back(57597);
240  // window 14 is unbeaten in [145298.71, 157204.59]
241  mnt4_G1::fixed_base_exp_window_table.push_back(145299);
242  // window 15 is unbeaten in [157204.59, 601600.62]
243  mnt4_G1::fixed_base_exp_window_table.push_back(157205);
244  // window 16 is unbeaten in [601600.62, 1107377.25]
245  mnt4_G1::fixed_base_exp_window_table.push_back(601601);
246  // window 17 is unbeaten in [1107377.25, 1789646.95]
247  mnt4_G1::fixed_base_exp_window_table.push_back(1107377);
248  // window 18 is unbeaten in [1789646.95, 4392626.92]
249  mnt4_G1::fixed_base_exp_window_table.push_back(1789647);
250  // window 19 is unbeaten in [4392626.92, 8221210.60]
251  mnt4_G1::fixed_base_exp_window_table.push_back(4392627);
252  // window 20 is unbeaten in [8221210.60, 42363731.19]
253  mnt4_G1::fixed_base_exp_window_table.push_back(8221211);
254  // window 21 is never the best
255  mnt4_G1::fixed_base_exp_window_table.push_back(0);
256  // window 22 is unbeaten in [42363731.19, inf]
257  mnt4_G1::fixed_base_exp_window_table.push_back(42363731);
258 
259  /* choice of group G2 */
260  // Identities
261  mnt4_G2::G2_zero =
262  mnt4_G2(mnt4_Fq2::zero(), mnt4_Fq2::one(), mnt4_Fq2::zero());
263  mnt4_G2::G2_one = mnt4_G2(
264  mnt4_Fq2(
265  mnt4_Fq("4383749262193500998549191000778096818427835091637909918478"
266  "67546339851681564223481322252708"),
267  mnt4_Fq("3762095361550048011093551436092327860546447645971239327767"
268  "9280819942849043649216370485641")),
269  mnt4_Fq2(
270  mnt4_Fq("3743740900852896826835252103493693184297354644137066311854"
271  "3015118291998305624025037512482"),
272  mnt4_Fq("4246214795988938826723931903374206805975846958923171976461"
273  "13820787463109735345923009077489")),
274  mnt4_Fq2::one());
275 
276  // Cofactor
277  mnt4_G2::h = bigint<mnt4_G2::h_limbs>(
278  "4759222861692613257533492496530484515451248799325659352378425214132558"
279  "78328503110407553025");
280 
281  // WNAF
282  mnt4_G2::wnaf_window_table.resize(0);
283  mnt4_G2::wnaf_window_table.push_back(5);
284  mnt4_G2::wnaf_window_table.push_back(15);
285  mnt4_G2::wnaf_window_table.push_back(39);
286  mnt4_G2::wnaf_window_table.push_back(109);
287 
288  mnt4_G2::fixed_base_exp_window_table.resize(0);
289  // window 1 is unbeaten in [-inf, 4.17]
290  mnt4_G2::fixed_base_exp_window_table.push_back(1);
291  // window 2 is unbeaten in [4.17, 10.12]
292  mnt4_G2::fixed_base_exp_window_table.push_back(4);
293  // window 3 is unbeaten in [10.12, 24.65]
294  mnt4_G2::fixed_base_exp_window_table.push_back(10);
295  // window 4 is unbeaten in [24.65, 60.03]
296  mnt4_G2::fixed_base_exp_window_table.push_back(25);
297  // window 5 is unbeaten in [60.03, 143.16]
298  mnt4_G2::fixed_base_exp_window_table.push_back(60);
299  // window 6 is unbeaten in [143.16, 344.73]
300  mnt4_G2::fixed_base_exp_window_table.push_back(143);
301  // window 7 is unbeaten in [344.73, 821.24]
302  mnt4_G2::fixed_base_exp_window_table.push_back(345);
303  // window 8 is unbeaten in [821.24, 1793.92]
304  mnt4_G2::fixed_base_exp_window_table.push_back(821);
305  // window 9 is unbeaten in [1793.92, 3919.59]
306  mnt4_G2::fixed_base_exp_window_table.push_back(1794);
307  // window 10 is unbeaten in [3919.59, 11301.46]
308  mnt4_G2::fixed_base_exp_window_table.push_back(3920);
309  // window 11 is unbeaten in [11301.46, 18960.09]
310  mnt4_G2::fixed_base_exp_window_table.push_back(11301);
311  // window 12 is unbeaten in [18960.09, 44198.62]
312  mnt4_G2::fixed_base_exp_window_table.push_back(18960);
313  // window 13 is unbeaten in [44198.62, 150799.57]
314  mnt4_G2::fixed_base_exp_window_table.push_back(44199);
315  // window 14 is never the best
316  mnt4_G2::fixed_base_exp_window_table.push_back(0);
317  // window 15 is unbeaten in [150799.57, 548694.81]
318  mnt4_G2::fixed_base_exp_window_table.push_back(150800);
319  // window 16 is unbeaten in [548694.81, 1051769.08]
320  mnt4_G2::fixed_base_exp_window_table.push_back(548695);
321  // window 17 is unbeaten in [1051769.08, 2023925.59]
322  mnt4_G2::fixed_base_exp_window_table.push_back(1051769);
323  // window 18 is unbeaten in [2023925.59, 3787108.68]
324  mnt4_G2::fixed_base_exp_window_table.push_back(2023926);
325  // window 19 is unbeaten in [3787108.68, 7107480.30]
326  mnt4_G2::fixed_base_exp_window_table.push_back(3787109);
327  // window 20 is unbeaten in [7107480.30, 38760027.14]
328  mnt4_G2::fixed_base_exp_window_table.push_back(7107480);
329  // window 21 is never the best
330  mnt4_G2::fixed_base_exp_window_table.push_back(0);
331  // window 22 is unbeaten in [38760027.14, inf]
332  mnt4_G2::fixed_base_exp_window_table.push_back(38760027);
333 
334  /* pairing parameters */
335  mnt4_ate_loop_count =
336  bigint_q("689871209842287392837045615510547309923794944");
337  mnt4_ate_is_loop_count_neg = false;
338  mnt4_final_exponent = bigint<4 * mnt4_q_limbs>(
339  "1077973603571099034307944903095920722789277838030318543579109081219034"
340  "3983877286149717711641082558674308976086994539461051191727497797155906"
341  "2689561855016270594656570874331111995170645233717143416875749097203441"
342  "437192367065467706065411650403684877366879441766585988546560");
343  mnt4_final_exponent_last_chunk_abs_of_w0 =
344  bigint_q("689871209842287392837045615510547309923794945");
345  mnt4_final_exponent_last_chunk_is_w0_neg = false;
346  mnt4_final_exponent_last_chunk_w1 = bigint_q("1");
347 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ init_mnt6_params()

void libff::init_mnt6_params ( )

Definition at line 43 of file mnt6_init.cpp.

44 {
45  typedef bigint<mnt6_r_limbs> bigint_r;
46  typedef bigint<mnt6_q_limbs> bigint_q;
47 
48  assert(
49  sizeof(mp_limb_t) == 8 ||
50  sizeof(mp_limb_t) == 4); // Montgomery assumes this
51 
52  /* parameters for scalar field Fr */
53  mnt6_modulus_r = bigint_r("475922286169261325753349249653048451545124879242"
54  "694725395555128576210262817955800483758081");
55  assert(mnt6_Fr::modulus_is_valid());
56  if (sizeof(mp_limb_t) == 8) {
57  mnt6_Fr::Rsquared =
58  bigint_r("273000478523237720910981655601160860640083126627235719712"
59  "980612296263966512828033847775776");
60  mnt6_Fr::Rcubed =
61  bigint_r("427298980065529822574935274648041073124704261331681436071"
62  "990730954930769758106792920349077");
63  mnt6_Fr::inv = 0xb071a1b67165ffff;
64  }
65  if (sizeof(mp_limb_t) == 4) {
66  mnt6_Fr::Rsquared =
67  bigint_r("273000478523237720910981655601160860640083126627235719712"
68  "980612296263966512828033847775776");
69  mnt6_Fr::Rcubed =
70  bigint_r("427298980065529822574935274648041073124704261331681436071"
71  "990730954930769758106792920349077");
72  mnt6_Fr::inv = 0x7165ffff;
73  }
74  mnt6_Fr::num_bits = 298;
75  mnt6_Fr::euler = bigint_r("237961143084630662876674624826524225772562439621"
76  "347362697777564288105131408977900241879040");
77  mnt6_Fr::s = 17;
78  mnt6_Fr::t = bigint_r("3630998887399759870554727551674258816109656366292531"
79  "779446068791017229177993437198515");
80  mnt6_Fr::t_minus_1_over_2 =
81  bigint_r("1815499443699879935277363775837129408054828183146265889723034"
82  "395508614588996718599257");
83  mnt6_Fr::multiplicative_generator = mnt6_Fr("17");
84  mnt6_Fr::root_of_unity =
85  mnt6_Fr("26470625057180008075806930236965430553012567552126397603405487"
86  "8017580902343339784464690243");
87  mnt6_Fr::nqr = mnt6_Fr("17");
88  mnt6_Fr::nqr_to_t = mnt6_Fr("2647062505718000807580693023696543055301256755"
89  "21263976034054878017580902343339784464690243");
90  mnt6_Fr::static_init();
91 
92  /* parameters for base field Fq */
93  mnt6_modulus_q = bigint_q("475922286169261325753349249653048451545124878552"
94  "823515553267735739164647307408490559963137");
95  assert(mnt6_Fq::modulus_is_valid());
96  if (sizeof(mp_limb_t) == 8) {
97  mnt6_Fq::Rsquared =
98  bigint_q("163983144722506446826715124368972380525894397127205577781"
99  "234305496325861831001705438796139");
100  mnt6_Fq::Rcubed =
101  bigint_q("207236281459091063710247635236340312578688659363066707916"
102  "716212805695955118593239854980171");
103  mnt6_Fq::inv = 0xbb4334a3ffffffff;
104  }
105  if (sizeof(mp_limb_t) == 4) {
106  mnt6_Fq::Rsquared =
107  bigint_q("163983144722506446826715124368972380525894397127205577781"
108  "234305496325861831001705438796139");
109  mnt6_Fq::Rcubed =
110  bigint_q("207236281459091063710247635236340312578688659363066707916"
111  "716212805695955118593239854980171");
112  mnt6_Fq::inv = 0xffffffff;
113  }
114  mnt6_Fq::num_bits = 298;
115  mnt6_Fq::euler = bigint_q("237961143084630662876674624826524225772562439276"
116  "411757776633867869582323653704245279981568");
117  mnt6_Fq::s = 34;
118  mnt6_Fq::t = bigint_q("2770232305450256248897344628657729199302411164115319"
119  "9339359284829066871159442729");
120  mnt6_Fq::t_minus_1_over_2 =
121  bigint_q("1385116152725128124448672314328864599651205582057659966967964"
122  "2414533435579721364");
123  mnt6_Fq::multiplicative_generator = mnt6_Fq("10");
124  mnt6_Fq::root_of_unity =
125  mnt6_Fq("12063881782691317345876882948569009984537700803089161801010977"
126  "2937363554409782252579816313");
127  mnt6_Fq::nqr = mnt6_Fq("5");
128  mnt6_Fq::nqr_to_t = mnt6_Fq("4062206042430904010564294587302981459372625525"
129  "08985450684842547562990900634752279902740880");
130  mnt6_Fq::static_init();
131 
132  /* parameters for twist field Fq3 */
133  mnt6_Fq3::euler = bigint<3 * mnt6_q_limbs>(
134  "5389868017855495171539724515479603613946389158900147862919313636912491"
135  "5637741423690184935056189295242736833704290747216410090671804540908400"
136  "2107789344621296256462630953983234857955575512841902241668515716158341"
137  "94321908328559167529729507439069424158411618728014749106176");
138  mnt6_Fq3::s = 34;
139  mnt6_Fq3::t = bigint<3 * mnt6_q_limbs>(
140  "6274632199033507112809136178669989590936327770934612330653836993631547"
141  "7403976749268110067416202853483540045218880692515999649967770721889566"
142  "8755040206738394052328810740708414066996862544726932237004530285669423"
143  "1080113482726640944570478452261237446033817102203");
144  mnt6_Fq3::t_minus_1_over_2 = bigint<3 * mnt6_q_limbs>(
145  "3137316099516753556404568089334994795468163885467306165326918496815773"
146  "8701988374634055033708101426741770022609440346257999824983885360944783"
147  "4377520103369197026164405370354207033498431272363466118502265142834711"
148  "5540056741363320472285239226130618723016908551101");
149  mnt6_Fq3::non_residue = mnt6_Fq("5");
150  mnt6_Fq3::nqr = mnt6_Fq3(mnt6_Fq("5"), mnt6_Fq("0"), mnt6_Fq("0"));
151  mnt6_Fq3::nqr_to_t = mnt6_Fq3(
152  mnt6_Fq("15436144967878350507698415627597793765433110336117446963234623"
153  "0549735979552469642799720052"),
154  mnt6_Fq("0"),
155  mnt6_Fq("0"));
156  mnt6_Fq3::Frobenius_coeffs_c1[0] = mnt6_Fq("1");
157  mnt6_Fq3::Frobenius_coeffs_c1[1] =
158  mnt6_Fq("47173889896752102913304085131844916599730410872955897377007731"
159  "9830005517129946578866686956");
160  mnt6_Fq3::Frobenius_coeffs_c1[2] =
161  mnt6_Fq("41833872017402966203083983345992855478207698232645417831904159"
162  "09159130177461911693276180");
163  mnt6_Fq3::Frobenius_coeffs_c2[0] = mnt6_Fq("1");
164  mnt6_Fq3::Frobenius_coeffs_c2[1] =
165  mnt6_Fq("41833872017402966203083983345992855478207698232645417831904159"
166  "09159130177461911693276180");
167  mnt6_Fq3::Frobenius_coeffs_c2[2] =
168  mnt6_Fq("47173889896752102913304085131844916599730410872955897377007731"
169  "9830005517129946578866686956");
170 
171  /* parameters for Fq6 */
172  mnt6_Fq6::non_residue = mnt6_Fq("5");
173  mnt6_Fq6::Frobenius_coeffs_c1[0] = mnt6_Fq("1");
174  mnt6_Fq6::Frobenius_coeffs_c1[1] =
175  mnt6_Fq("47173889896752102913304085131844916599730410872955897377007731"
176  "9830005517129946578866686957");
177  mnt6_Fq6::Frobenius_coeffs_c1[2] =
178  mnt6_Fq("47173889896752102913304085131844916599730410872955897377007731"
179  "9830005517129946578866686956");
180  mnt6_Fq6::Frobenius_coeffs_c1[3] =
181  mnt6_Fq("47592228616926132575334924965304845154512487855282351555326773"
182  "5739164647307408490559963136");
183  mnt6_Fq6::Frobenius_coeffs_c1[4] =
184  mnt6_Fq("41833872017402966203083983345992855478207698232645417831904159"
185  "09159130177461911693276180");
186  mnt6_Fq6::Frobenius_coeffs_c1[5] =
187  mnt6_Fq("41833872017402966203083983345992855478207698232645417831904159"
188  "09159130177461911693276181");
189  mnt6_Fq6::my_Fp2::non_residue = mnt6_Fq3::non_residue;
190 
191  /* choice of short Weierstrass curve and its twist */
192  mnt6_G1::coeff_a = mnt6_Fq("11");
193  mnt6_G1::coeff_b = mnt6_Fq("10670008051085173567796731963258535225645425120"
194  "1367587890185989362936000262606668469523074");
195  mnt6_twist = mnt6_Fq3(mnt6_Fq::zero(), mnt6_Fq::one(), mnt6_Fq::zero());
196  mnt6_twist_coeff_a =
197  mnt6_Fq3(mnt6_Fq::zero(), mnt6_Fq::zero(), mnt6_G1::coeff_a);
198  mnt6_twist_coeff_b = mnt6_Fq3(
199  mnt6_G1::coeff_b * mnt6_Fq3::non_residue,
200  mnt6_Fq::zero(),
201  mnt6_Fq::zero());
202  mnt6_G2::twist = mnt6_twist;
203  mnt6_G2::coeff_a = mnt6_twist_coeff_a;
204  mnt6_G2::coeff_b = mnt6_twist_coeff_b;
205  mnt6_twist_mul_by_a_c0 = mnt6_G1::coeff_a * mnt6_Fq3::non_residue;
206  mnt6_twist_mul_by_a_c1 = mnt6_G1::coeff_a * mnt6_Fq3::non_residue;
207  mnt6_twist_mul_by_a_c2 = mnt6_G1::coeff_a;
208  mnt6_twist_mul_by_b_c0 = mnt6_G1::coeff_b * mnt6_Fq3::non_residue;
209  mnt6_twist_mul_by_b_c1 = mnt6_G1::coeff_b * mnt6_Fq3::non_residue;
210  mnt6_twist_mul_by_b_c2 = mnt6_G1::coeff_b * mnt6_Fq3::non_residue;
211  mnt6_twist_mul_by_q_X =
212  mnt6_Fq("41833872017402966203083983345992855478207698232645417831904159"
213  "09159130177461911693276180");
214  mnt6_twist_mul_by_q_Y =
215  mnt6_Fq("47592228616926132575334924965304845154512487855282351555326773"
216  "5739164647307408490559963136");
217 
218  /* choice of group G1 */
219  // Identities
220  mnt6_G1::G1_zero =
221  mnt6_G1(mnt6_Fq::zero(), mnt6_Fq::one(), mnt6_Fq::zero());
222  mnt6_G1::G1_one = mnt6_G1(
223  mnt6_Fq("33668575288308222810928984635393710418569820937140417834296883"
224  "8739115829740084426881123453"),
225  mnt6_Fq("40259629013978098970933270771656892077762203207376274986234237"
226  "4583908837063963736098549800"),
227  mnt6_Fq::one());
228 
229  // Cofactor
230  mnt6_G1::h = bigint<mnt6_G1::h_limbs>("1");
231 
232  // WNAF
233  mnt6_G1::wnaf_window_table.resize(0);
234  mnt6_G1::wnaf_window_table.push_back(11);
235  mnt6_G1::wnaf_window_table.push_back(24);
236  mnt6_G1::wnaf_window_table.push_back(60);
237  mnt6_G1::wnaf_window_table.push_back(127);
238 
239  mnt6_G1::fixed_base_exp_window_table.resize(0);
240  // window 1 is unbeaten in [-inf, 3.96]
241  mnt6_G1::fixed_base_exp_window_table.push_back(1);
242  // window 2 is unbeaten in [3.96, 9.67]
243  mnt6_G1::fixed_base_exp_window_table.push_back(4);
244  // window 3 is unbeaten in [9.67, 25.13]
245  mnt6_G1::fixed_base_exp_window_table.push_back(10);
246  // window 4 is unbeaten in [25.13, 60.31]
247  mnt6_G1::fixed_base_exp_window_table.push_back(25);
248  // window 5 is unbeaten in [60.31, 146.07]
249  mnt6_G1::fixed_base_exp_window_table.push_back(60);
250  // window 6 is unbeaten in [146.07, 350.09]
251  mnt6_G1::fixed_base_exp_window_table.push_back(146);
252  // window 7 is unbeaten in [350.09, 844.54]
253  mnt6_G1::fixed_base_exp_window_table.push_back(350);
254  // window 8 is unbeaten in [844.54, 1839.64]
255  mnt6_G1::fixed_base_exp_window_table.push_back(845);
256  // window 9 is unbeaten in [1839.64, 3904.26]
257  mnt6_G1::fixed_base_exp_window_table.push_back(1840);
258  // window 10 is unbeaten in [3904.26, 11309.42]
259  mnt6_G1::fixed_base_exp_window_table.push_back(3904);
260  // window 11 is unbeaten in [11309.42, 24015.57]
261  mnt6_G1::fixed_base_exp_window_table.push_back(11309);
262  // window 12 is unbeaten in [24015.57, 72288.57]
263  mnt6_G1::fixed_base_exp_window_table.push_back(24016);
264  // window 13 is unbeaten in [72288.57, 138413.22]
265  mnt6_G1::fixed_base_exp_window_table.push_back(72289);
266  // window 14 is unbeaten in [138413.22, 156390.30]
267  mnt6_G1::fixed_base_exp_window_table.push_back(138413);
268  // window 15 is unbeaten in [156390.30, 562560.50]
269  mnt6_G1::fixed_base_exp_window_table.push_back(156390);
270  // window 16 is unbeaten in [562560.50, 1036742.02]
271  mnt6_G1::fixed_base_exp_window_table.push_back(562560);
272  // window 17 is unbeaten in [1036742.02, 2053818.86]
273  mnt6_G1::fixed_base_exp_window_table.push_back(1036742);
274  // window 18 is unbeaten in [2053818.86, 4370223.95]
275  mnt6_G1::fixed_base_exp_window_table.push_back(2053819);
276  // window 19 is unbeaten in [4370223.95, 8215703.81]
277  mnt6_G1::fixed_base_exp_window_table.push_back(4370224);
278  // window 20 is unbeaten in [8215703.81, 42682375.43]
279  mnt6_G1::fixed_base_exp_window_table.push_back(8215704);
280  // window 21 is never the best
281  mnt6_G1::fixed_base_exp_window_table.push_back(0);
282  // window 22 is unbeaten in [42682375.43, inf]
283  mnt6_G1::fixed_base_exp_window_table.push_back(42682375);
284 
285  /* choice of group G2 */
286  // Identities
287  mnt6_G2::G2_zero =
288  mnt6_G2(mnt6_Fq3::zero(), mnt6_Fq3::one(), mnt6_Fq3::zero());
289  mnt6_G2::G2_one = mnt6_G2(
290  mnt6_Fq3(
291  mnt6_Fq("4214564357728118462568265615939083222885091154891199075603"
292  "82401870203318738334702321297427"),
293  mnt6_Fq("1030729274385485024635270099613449150211675847064399454049"
294  "59058962657261178393635706405114"),
295  mnt6_Fq("1430291721437318526270029263247351838097683633011490092048"
296  "49580478324784395590388826052558")),
297  mnt6_Fq3(
298  mnt6_Fq("4646735966686894631300992275756395125412181334453888693838"
299  "93594087634649237515554342751377"),
300  mnt6_Fq("1006429075019773751845750759671180718078211179601527433356"
301  "03284583254620685343989304941678"),
302  mnt6_Fq("1230198555029698960269405457158411813002751801572880446630"
303  "51565390506010149881373807142903")),
304  mnt6_Fq3::one());
305 
306  // Cofactor
307  mnt6_G2::h = bigint<mnt6_G2::h_limbs>(
308  "2265020224725762701964986904983084617918287627326025861622075353519602"
309  "7008271269497733337236154908221451925226173504813188901850140437785678"
310  "6623430385820659037970876666767495659520");
311 
312  // WNAF
313  mnt6_G2::wnaf_window_table.resize(0);
314  mnt6_G2::wnaf_window_table.push_back(5);
315  mnt6_G2::wnaf_window_table.push_back(15);
316  mnt6_G2::wnaf_window_table.push_back(39);
317  mnt6_G2::wnaf_window_table.push_back(109);
318 
319  mnt6_G2::fixed_base_exp_window_table.resize(0);
320  // window 1 is unbeaten in [-inf, 4.25]
321  mnt6_G2::fixed_base_exp_window_table.push_back(1);
322  // window 2 is unbeaten in [4.25, 10.22]
323  mnt6_G2::fixed_base_exp_window_table.push_back(4);
324  // window 3 is unbeaten in [10.22, 24.85]
325  mnt6_G2::fixed_base_exp_window_table.push_back(10);
326  // window 4 is unbeaten in [24.85, 60.06]
327  mnt6_G2::fixed_base_exp_window_table.push_back(25);
328  // window 5 is unbeaten in [60.06, 143.61]
329  mnt6_G2::fixed_base_exp_window_table.push_back(60);
330  // window 6 is unbeaten in [143.61, 345.66]
331  mnt6_G2::fixed_base_exp_window_table.push_back(144);
332  // window 7 is unbeaten in [345.66, 818.56]
333  mnt6_G2::fixed_base_exp_window_table.push_back(346);
334  // window 8 is unbeaten in [818.56, 1782.06]
335  mnt6_G2::fixed_base_exp_window_table.push_back(819);
336  // window 9 is unbeaten in [1782.06, 4002.45]
337  mnt6_G2::fixed_base_exp_window_table.push_back(1782);
338  // window 10 is unbeaten in [4002.45, 10870.18]
339  mnt6_G2::fixed_base_exp_window_table.push_back(4002);
340  // window 11 is unbeaten in [10870.18, 18022.51]
341  mnt6_G2::fixed_base_exp_window_table.push_back(10870);
342  // window 12 is unbeaten in [18022.51, 43160.74]
343  mnt6_G2::fixed_base_exp_window_table.push_back(18023);
344  // window 13 is unbeaten in [43160.74, 149743.32]
345  mnt6_G2::fixed_base_exp_window_table.push_back(43161);
346  // window 14 is never the best
347  mnt6_G2::fixed_base_exp_window_table.push_back(0);
348  // window 15 is unbeaten in [149743.32, 551844.13]
349  mnt6_G2::fixed_base_exp_window_table.push_back(149743);
350  // window 16 is unbeaten in [551844.13, 1041827.91]
351  mnt6_G2::fixed_base_exp_window_table.push_back(551844);
352  // window 17 is unbeaten in [1041827.91, 1977371.53]
353  mnt6_G2::fixed_base_exp_window_table.push_back(1041828);
354  // window 18 is unbeaten in [1977371.53, 3703619.51]
355  mnt6_G2::fixed_base_exp_window_table.push_back(1977372);
356  // window 19 is unbeaten in [3703619.51, 7057236.87]
357  mnt6_G2::fixed_base_exp_window_table.push_back(3703620);
358  // window 20 is unbeaten in [7057236.87, 38554491.67]
359  mnt6_G2::fixed_base_exp_window_table.push_back(7057237);
360  // window 21 is never the best
361  mnt6_G2::fixed_base_exp_window_table.push_back(0);
362  // window 22 is unbeaten in [38554491.67, inf]
363  mnt6_G2::fixed_base_exp_window_table.push_back(38554492);
364 
365  /* pairing parameters */
366  mnt6_ate_loop_count =
367  bigint_q("689871209842287392837045615510547309923794944");
368  mnt6_ate_is_loop_count_neg = true;
369  mnt6_final_exponent = bigint<6 * mnt6_q_limbs>(
370  "2441632013809050969789059541431343876835397748986254393590401071543906"
371  "6975957855922532159264213056712140358746422742237328406558352706591021"
372  "6422306180605028554512640453974447931868761990152567816487468886255270"
373  "7546606307501130780086217376423631134210521168112142693161684363521585"
374  "2236649271569251468773714424208521977615548771268520882870120900360322"
375  "0442188067120277293518453076904749855025875277538472001305920580983636"
376  "41559341826790559426614919168");
377  mnt6_final_exponent_last_chunk_abs_of_w0 =
378  bigint_q("689871209842287392837045615510547309923794944");
379  mnt6_final_exponent_last_chunk_is_w0_neg = true;
380  mnt6_final_exponent_last_chunk_w1 = bigint_q("1");
381 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ inner_product()

template<typename T >
T libff::inner_product ( typename std::vector< T >::const_iterator  a_start,
typename std::vector< T >::const_iterator  a_end,
typename std::vector< T >::const_iterator  b_start,
typename std::vector< T >::const_iterator  b_end 
)

A convenience function for calculating a pure inner product, where the more complicated methods are not required.

◆ input_bool()

void libff::input_bool ( std::istream &  in,
bool &  b 
)
inline

◆ input_bool_vector()

void libff::input_bool_vector ( std::istream &  in,
std::vector< bool > &  v 
)
inline

◆ int_list_to_bits()

bit_vector libff::int_list_to_bits ( const std::initializer_list< unsigned long > &  l,
const size_t  wordsize 
)

Definition at line 69 of file utils.cpp.

71 {
72  bit_vector res(wordsize * l.size());
73  for (size_t i = 0; i < l.size(); ++i) {
74  for (size_t j = 0; j < wordsize; ++j) {
75  res[i * wordsize + j] =
76  (*(l.begin() + i) & (1ul << (wordsize - 1 - j)));
77  }
78  }
79  return res;
80 }

◆ is_little_endian()

bool libff::is_little_endian ( )

Definition at line 84 of file utils.cpp.

85 {
86  uint64_t a = 0x12345678;
87  unsigned char *c = (unsigned char *)(&a);
88  return (*c = 0x78);
89 }

◆ leave_block()

void libff::leave_block ( const std::string &  msg,
const bool  indent 
)

Definition at line 305 of file profiling.cpp.

306 {
307  if (inhibit_profiling_counters) {
308  return;
309  }
310 
311 #ifndef MULTICORE
312  assert(*(--block_names.end()) == msg);
313 #endif
314  block_names.pop_back();
315 
316  ++invocation_counts[msg];
317 
318  long long t = get_nsec_time();
319  last_times[msg] = (t - enter_times[msg]);
320  cumulative_times[msg] += (t - enter_times[msg]);
321 
322  long long cpu_t = get_nsec_cpu_time();
323  last_cpu_times[msg] = (cpu_t - enter_cpu_times[msg]);
324 
325 #ifdef PROFILE_OP_COUNTS
326  for (std::pair<std::string, long long *> p : op_data_points) {
327  cumulative_op_counts[std::make_pair(msg, p.first)] +=
328  *(p.second) - op_counts[std::make_pair(msg, p.first)];
329  }
330 #endif
331 
332  if (inhibit_profiling_info) {
333  return;
334  }
335 
336 #ifdef MULTICORE
337 #pragma omp critical
338 #endif
339  {
340  if (indent) {
341  --indentation;
342  }
343 
344  print_indent();
345  printf("(leave) %-35s\t", msg.c_str());
346  print_times_from_last_and_start(
347  t, enter_times[msg], cpu_t, enter_cpu_times[msg]);
348  print_op_profiling(msg);
349  printf("\n");
350  fflush(stdout);
351  }
352 }
Here is the call graph for this function:

◆ log2()

size_t libff::log2 ( size_t  n)

returns ceil(log2(n)), so 1ul<<log2(n) is the smallest power of 2, that is not less than n

Definition at line 32 of file utils.cpp.

35 {
36  size_t r = ((n & (n - 1)) == 0 ? 0 : 1); // add 1 if n is not power of 2
37 
38  while (n > 1) {
39  n >>= 1;
40  r++;
41  }
42 
43  return r;
44 }

◆ mixed_addition_step_for_flipped_miller_loop() [1/4]

void libff::mixed_addition_step_for_flipped_miller_loop ( const alt_bn128_G2  base,
alt_bn128_G2 current,
alt_bn128_ate_ell_coeffs c 
)

Definition at line 290 of file alt_bn128_pairing.cpp.

292 {
293  const alt_bn128_Fq2 X1 = current.X, Y1 = current.Y, Z1 = current.Z;
294  const alt_bn128_Fq2 &x2 = base.X, &y2 = base.Y;
295 
296  // D = X1 - X2*Z1
297  const alt_bn128_Fq2 D = X1 - x2 * Z1;
298  // E = Y1 - Y2*Z1
299  const alt_bn128_Fq2 E = Y1 - y2 * Z1;
300  // F = D^2
301  const alt_bn128_Fq2 F = D.squared();
302  // G = E^2
303  const alt_bn128_Fq2 G = E.squared();
304  // H = D*F
305  const alt_bn128_Fq2 H = D * F;
306  // I = X1 * F
307  const alt_bn128_Fq2 I = X1 * F;
308  // J = H + Z1*G - (I+I)
309  const alt_bn128_Fq2 J = H + Z1 * G - (I + I);
310 
311  // X3 = D*J
312  current.X = D * J;
313  // Y3 = E*(I-J)-(H*Y1)
314  current.Y = E * (I - J) - (H * Y1);
315  // Z3 = Z1*H
316  current.Z = Z1 * H;
317  // ell_0 = xi * (E * X2 - D * Y2)
318  c.ell_0 = alt_bn128_twist * (E * x2 - D * y2);
319  // ell_VV = - E (later: * xP)
320  c.ell_VV = -E;
321  // ell_VW = D (later: * yP)
322  c.ell_VW = D;
323 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mixed_addition_step_for_flipped_miller_loop() [2/4]

void libff::mixed_addition_step_for_flipped_miller_loop ( const extended_edwards_G2_projective base,
extended_edwards_G2_projective current,
edwards_Fq3_conic_coefficients cc 
)

Definition at line 570 of file edwards_pairing.cpp.

574 {
575  const edwards_Fq3 &X1 = current.X, &Y1 = current.Y, &Z1 = current.Z,
576  &T1 = current.T;
577  const edwards_Fq3 &X2 = base.X, &Y2 = base.Y, &T2 = base.T;
578 
579  const edwards_Fq3 A = X1 * X2; // A = X1*X2
580  const edwards_Fq3 B = Y1 * Y2; // B = Y1*Y2
581  const edwards_Fq3 C = Z1 * T2; // C = Z1*T2
582  const edwards_Fq3 E = T1 + C; // E = T1+C
583  const edwards_Fq3 F =
584  (X1 - Y1) * (X2 + Y2) + B - A; // F = (X1-Y1)*(X2+Y2)+B-A
585  // G = B + twisted_edwards_a * A
586  const edwards_Fq3 G =
587  B +
588  edwards_G2::mul_by_a(A); // edwards_param_twist_coeff_a is 1*X for us
589  const edwards_Fq3 H = T1 - C; // H = T1-C
590  const edwards_Fq3 I = T1 * T2; // I = T1*T2
591 
592  // c_ZZ = delta_3* ((T1-X1)*(T2+X2)-I+A)
593  cc.c_ZZ = edwards_G2::mul_by_a(
594  (T1 - X1) * (T2 + X2) - I +
595  A); // edwards_param_twist_coeff_a is 1*X for us
596 
597  cc.c_XY = X1 - X2 * Z1 + F; // c_XY = X1*Z2-X2*Z1+F
598  cc.c_XZ = (Y1 - T1) * (Y2 + T2) - B + I - H; // c_XZ = (Y1-T1)*(Y2+T2)-B+I-H
599  current.X = E * F; // X3 = E*F
600  current.Y = G * H; // Y3 = G*H
601  current.Z = F * G; // Z3 = F*G
602  current.T = E * H; // T3 = E*H
603 
604 #ifdef DEBUG
605  current.test_invariant();
606 #endif
607 }
Here is the call graph for this function:

◆ mixed_addition_step_for_flipped_miller_loop() [3/4]

void libff::mixed_addition_step_for_flipped_miller_loop ( const mnt4_Fq2  base_X,
const mnt4_Fq2  base_Y,
const mnt4_Fq2  base_Y_squared,
extended_mnt4_G2_projective current,
mnt4_ate_add_coeffs ac 
)

Definition at line 429 of file mnt4_pairing.cpp.

435 {
436  const mnt4_Fq2 X1 = current.X, Y1 = current.Y, Z1 = current.Z,
437  T1 = current.T;
438  const mnt4_Fq2 &x2 = base_X, &y2 = base_Y, &y2_squared = base_Y_squared;
439 
440  const mnt4_Fq2 B = x2 * T1; // B = x2 * T1
441  const mnt4_Fq2 D = ((y2 + Z1).squared() - y2_squared - T1) *
442  T1; // D = ((y2 + Z1)^2 - y2squared - T1) * T1
443  const mnt4_Fq2 H = B - X1; // H = B - X1
444  const mnt4_Fq2 I = H.squared(); // I = H^2
445  const mnt4_Fq2 E = I + I + I + I; // E = 4*I
446  const mnt4_Fq2 J = H * E; // J = H * E
447  const mnt4_Fq2 V = X1 * E; // V = X1 * E
448  const mnt4_Fq2 L1 = D - (Y1 + Y1); // L1 = D - 2 * Y1
449 
450  current.X = L1.squared() - J - (V + V); // X3 = L1^2 - J - 2*V
451  current.Y =
452  L1 * (V - current.X) - (Y1 + Y1) * J; // Y3 = L1 * (V-X3) - 2*Y1 * J
453  current.Z = (Z1 + H).squared() - T1 - I; // Z3 = (Z1 + H)^2 - T1 - I
454  current.T = current.Z.squared(); // T3 = Z3^2
455 
456  ac.c_L1 = L1;
457  ac.c_RZ = current.Z;
458 #ifdef DEBUG
459  current.test_invariant();
460 #endif
461 }
Here is the call graph for this function:

◆ mixed_addition_step_for_flipped_miller_loop() [4/4]

void libff::mixed_addition_step_for_flipped_miller_loop ( const mnt6_Fq3  base_X,
const mnt6_Fq3  base_Y,
const mnt6_Fq3  base_Y_squared,
extended_mnt6_G2_projective current,
mnt6_ate_add_coeffs ac 
)

Definition at line 434 of file mnt6_pairing.cpp.

440 {
441  const mnt6_Fq3 X1 = current.X, Y1 = current.Y, Z1 = current.Z,
442  T1 = current.T;
443  const mnt6_Fq3 &x2 = base_X, &y2 = base_Y, &y2_squared = base_Y_squared;
444 
445  const mnt6_Fq3 B = x2 * T1; // B = x2 * T1
446  const mnt6_Fq3 D = ((y2 + Z1).squared() - y2_squared - T1) *
447  T1; // D = ((y2 + Z1)^2 - y2squared - T1) * T1
448  const mnt6_Fq3 H = B - X1; // H = B - X1
449  const mnt6_Fq3 I = H.squared(); // I = H^2
450  const mnt6_Fq3 E = I + I + I + I; // E = 4*I
451  const mnt6_Fq3 J = H * E; // J = H * E
452  const mnt6_Fq3 V = X1 * E; // V = X1 * E
453  const mnt6_Fq3 L1 = D - (Y1 + Y1); // L1 = D - 2 * Y1
454 
455  current.X = L1.squared() - J - (V + V); // X3 = L1^2 - J - 2*V
456  current.Y =
457  L1 * (V - current.X) - (Y1 + Y1) * J; // Y3 = L1 * (V-X3) - 2*Y1 * J
458  current.Z = (Z1 + H).squared() - T1 - I; // Z3 = (Z1 + H)^2 - T1 - I
459  current.T = current.Z.squared(); // T3 = Z3^2
460 
461  ac.c_L1 = L1;
462  ac.c_RZ = current.Z;
463 #ifdef DEBUG
464  current.test_invariant();
465 #endif
466 }
Here is the call graph for this function:

◆ mixed_addition_step_for_miller_loop() [1/2]

void libff::mixed_addition_step_for_miller_loop ( const bw6_761_G2  base,
bw6_761_G2 current,
bw6_761_ate_ell_coeffs c 
)

Definition at line 319 of file bw6_761_pairing.cpp.

321 {
322  const bw6_761_Fq X1 = current.X, Y1 = current.Y, Z1 = current.Z;
323  const bw6_761_Fq &X2 = base.X, &Y2 = base.Y;
324 
325  // D = X1 - X2*Z1
326  const bw6_761_Fq D = X1 - X2 * Z1;
327  // E = Y1 - Y2*Z1
328  const bw6_761_Fq E = Y1 - Y2 * Z1;
329  // F = D^2
330  const bw6_761_Fq F = D.squared();
331  // G = E^2
332  const bw6_761_Fq G = E.squared();
333  // H = D*F
334  const bw6_761_Fq H = D * F;
335  // I = X1 * F
336  const bw6_761_Fq I = X1 * F;
337  // J = H + Z1*G - (I+I)
338  const bw6_761_Fq J = H + Z1 * G - (I + I);
339 
340  // X3 = D*J
341  current.X = D * J;
342  // Y3 = E*(I-J)-(H*Y1)
343  current.Y = E * (I - J) - (H * Y1);
344  // Z3 = Z1*H
345  current.Z = Z1 * H;
346 
347  c.ell_0 = E * X2 - D * Y2;
348  // VV gets multiplied to xP during line evaluation at P
349  c.ell_VV = -E;
350  // VW gets multiplied to yP during line evaluation at P
351  c.ell_VW = bw6_761_twist * D;
352 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mixed_addition_step_for_miller_loop() [2/2]

void libff::mixed_addition_step_for_miller_loop ( const extended_edwards_G1_projective base,
extended_edwards_G1_projective current,
edwards_Fq_conic_coefficients cc 
)

Definition at line 334 of file edwards_pairing.cpp.

338 {
339  const edwards_Fq &X1 = current.X, &Y1 = current.Y, &Z1 = current.Z,
340  &T1 = current.T;
341  const edwards_Fq &X2 = base.X, &Y2 = base.Y, &T2 = base.T;
342 
343  const edwards_Fq A = X1 * X2; // A = X1*X2
344  const edwards_Fq B = Y1 * Y2; // B = Y1*Y2
345  const edwards_Fq C = Z1 * T2; // C = Z1*T2
346  const edwards_Fq D = T1; // D = T1*Z2
347  const edwards_Fq E = D + C; // E = D+C
348  const edwards_Fq F =
349  (X1 - Y1) * (X2 + Y2) + B - A; // F = (X1-Y1)*(X2+Y2)+B-A
350  const edwards_Fq G = B + A; // G = B + A (edwards_a=1)
351  const edwards_Fq H = D - C; // H = D-C
352  const edwards_Fq I = T1 * T2; // I = T1*T2
353 
354  cc.c_ZZ = (T1 - X1) * (T2 + X2) - I + A; // c_ZZ = (T1-X1)*(T2+X2)-I+A
355  cc.c_XY = X1 - X2 * Z1 + F; // c_XY = X1*Z2-X2*Z1+F
356  cc.c_XZ = (Y1 - T1) * (Y2 + T2) - B + I - H; // c_XZ = (Y1-T1)*(Y2+T2)-B+I-H
357  current.X = E * F; // X3 = E*F
358  current.Y = G * H; // Y3 = G*H
359  current.Z = F * G; // Z3 = F*G
360  current.T = E * H; // T3 = E*H
361 
362 #ifdef DEBUG
363  current.test_invariant();
364 #endif
365 }
Here is the call graph for this function:

◆ mnt4_affine_ate_miller_loop()

mnt4_Fq4 libff::mnt4_affine_ate_miller_loop ( const mnt4_affine_ate_G1_precomputation prec_P,
const mnt4_affine_ate_G2_precomputation prec_Q 
)

Definition at line 318 of file mnt4_pairing.cpp.

321 {
322  enter_block("Call to mnt4_affine_ate_miller_loop");
323 
324  mnt4_Fq4 f = mnt4_Fq4::one();
325 
326  bool found_nonzero = false;
327  size_t idx = 0;
328  const bigint<mnt4_Fr::num_limbs> &loop_count = mnt4_ate_loop_count;
329 
330  std::vector<long> NAF = find_wnaf(1, loop_count);
331  for (long i = NAF.size() - 1; i >= 0; --i) {
332  if (!found_nonzero) {
333  /* this skips the MSB itself */
334  found_nonzero |= (NAF[i] != 0);
335  continue;
336  }
337 
338  /* code below gets executed for all bits (EXCEPT the MSB itself) of
339  mnt4_param_p (skipping leading zeros) in MSB to LSB
340  order */
341  mnt4_affine_ate_coeffs c = prec_Q.coeffs[idx++];
342 
343  mnt4_Fq4 g_RR_at_P = mnt4_Fq4(
344  prec_P.PY_twist_squared,
345  -prec_P.PX * c.gamma_twist + c.gamma_X - c.old_RY);
346  f = f.squared().mul_by_023(g_RR_at_P);
347 
348  if (NAF[i] != 0) {
349  mnt4_affine_ate_coeffs c = prec_Q.coeffs[idx++];
350  mnt4_Fq4 g_RQ_at_P;
351  if (NAF[i] > 0) {
352  g_RQ_at_P = mnt4_Fq4(
353  prec_P.PY_twist_squared,
354  -prec_P.PX * c.gamma_twist + c.gamma_X - prec_Q.QY);
355  } else {
356  g_RQ_at_P = mnt4_Fq4(
357  prec_P.PY_twist_squared,
358  -prec_P.PX * c.gamma_twist + c.gamma_X + prec_Q.QY);
359  }
360  f = f.mul_by_023(g_RQ_at_P);
361  }
362  }
363 
364  /* TODO: maybe handle neg
365  if (mnt4_ate_is_loop_count_neg)
366  {
367  // TODO:
368  mnt4_affine_ate_coeffs ac = prec_Q.coeffs[idx++];
369  mnt4_Fq4 g_RnegR_at_P = mnt4_Fq4(prec_P.PY_twist_squared,
370  - prec_P.PX * c.gamma_twist + c.gamma_X - c.old_RY);
371  f = (f * g_RnegR_at_P).inverse();
372  }
373  */
374 
375  leave_block("Call to mnt4_affine_ate_miller_loop");
376 
377  return f;
378 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_affine_ate_precompute_G1()

mnt4_affine_ate_G1_precomputation libff::mnt4_affine_ate_precompute_G1 ( const mnt4_G1 P)

Definition at line 224 of file mnt4_pairing.cpp.

226 {
227  enter_block("Call to mnt4_affine_ate_precompute_G1");
228 
229  mnt4_G1 Pcopy = P;
230  Pcopy.to_affine_coordinates();
231 
232  mnt4_affine_ate_G1_precomputation result;
233  result.PX = Pcopy.X;
234  result.PY = Pcopy.Y;
235  result.PY_twist_squared = Pcopy.Y * mnt4_twist.squared();
236 
237  leave_block("Call to mnt4_affine_ate_precompute_G1");
238  return result;
239 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_affine_ate_precompute_G2()

mnt4_affine_ate_G2_precomputation libff::mnt4_affine_ate_precompute_G2 ( const mnt4_G2 Q)

Definition at line 241 of file mnt4_pairing.cpp.

243 {
244  enter_block("Call to mnt4_affine_ate_precompute_G2");
245 
246  mnt4_G2 Qcopy(Q);
247  Qcopy.to_affine_coordinates();
248 
249  mnt4_affine_ate_G2_precomputation result;
250  result.QX = Qcopy.X;
251  result.QY = Qcopy.Y;
252 
253  mnt4_Fq2 RX = Qcopy.X;
254  mnt4_Fq2 RY = Qcopy.Y;
255 
256  const bigint<mnt4_Fr::num_limbs> &loop_count = mnt4_ate_loop_count;
257  bool found_nonzero = false;
258 
259  std::vector<long> NAF = find_wnaf(1, loop_count);
260  for (long i = NAF.size() - 1; i >= 0; --i) {
261  if (!found_nonzero) {
262  /* this skips the MSB itself */
263  found_nonzero |= (NAF[i] != 0);
264  continue;
265  }
266 
267  mnt4_affine_ate_coeffs c;
268  c.old_RX = RX;
269  c.old_RY = RY;
270  mnt4_Fq2 old_RX_2 = c.old_RX.squared();
271  c.gamma = (old_RX_2 + old_RX_2 + old_RX_2 + mnt4_twist_coeff_a) *
272  (c.old_RY + c.old_RY).inverse();
273  c.gamma_twist = c.gamma * mnt4_twist;
274  c.gamma_X = c.gamma * c.old_RX;
275  result.coeffs.push_back(c);
276 
277  RX = c.gamma.squared() - (c.old_RX + c.old_RX);
278  RY = c.gamma * (c.old_RX - RX) - c.old_RY;
279 
280  if (NAF[i] != 0) {
281  mnt4_affine_ate_coeffs c;
282  c.old_RX = RX;
283  c.old_RY = RY;
284  if (NAF[i] > 0) {
285  c.gamma =
286  (c.old_RY - result.QY) * (c.old_RX - result.QX).inverse();
287  } else {
288  c.gamma =
289  (c.old_RY + result.QY) * (c.old_RX - result.QX).inverse();
290  }
291  c.gamma_twist = c.gamma * mnt4_twist;
292  c.gamma_X = c.gamma * result.QX;
293  result.coeffs.push_back(c);
294 
295  RX = c.gamma.squared() - (c.old_RX + result.QX);
296  RY = c.gamma * (c.old_RX - RX) - c.old_RY;
297  }
298  }
299 
300  /* TODO: maybe handle neg
301  if (mnt4_ate_is_loop_count_neg)
302  {
303  mnt4_ate_add_coeffs ac;
304  mnt4_affine_ate_dbl_coeffs c;
305  c.old_RX = RX;
306  c.old_RY = -RY;
307  old_RX_2 = c.old_RY.squared();
308  c.gamma = (old_RX_2 + old_RX_2 + old_RX_2 + mnt4_coeff_a) * (c.old_RY +
309  c.old_RY).inverse(); c.gamma_twist = c.gamma * mnt4_twist; c.gamma_X =
310  c.gamma * c.old_RX; result.coeffs.push_back(c);
311  }
312  */
313 
314  leave_block("Call to mnt4_affine_ate_precompute_G2");
315  return result;
316 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_affine_reduced_pairing()

mnt4_GT libff::mnt4_affine_reduced_pairing ( const mnt4_G1 P,
const mnt4_G2 Q 
)

Definition at line 730 of file mnt4_pairing.cpp.

731 {
732  const mnt4_affine_ate_G1_precomputation prec_P =
733  mnt4_affine_ate_precompute_G1(P);
734  const mnt4_affine_ate_G2_precomputation prec_Q =
735  mnt4_affine_ate_precompute_G2(Q);
736  const mnt4_Fq4 f = mnt4_affine_ate_miller_loop(prec_P, prec_Q);
737  const mnt4_GT result = mnt4_final_exponentiation(f);
738  return result;
739 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_ate_double_miller_loop()

mnt4_Fq4 libff::mnt4_ate_double_miller_loop ( const mnt4_ate_G1_precomp prec_P1,
const mnt4_ate_G2_precomp prec_Q1,
const mnt4_ate_G1_precomp prec_P2,
const mnt4_ate_G2_precomp prec_Q2 
)

Definition at line 595 of file mnt4_pairing.cpp.

600 {
601  enter_block("Call to mnt4_ate_double_miller_loop");
602 
603  mnt4_Fq2 L1_coeff1 =
604  mnt4_Fq2(prec_P1.PX, mnt4_Fq::zero()) - prec_Q1.QX_over_twist;
605  mnt4_Fq2 L1_coeff2 =
606  mnt4_Fq2(prec_P2.PX, mnt4_Fq::zero()) - prec_Q2.QX_over_twist;
607 
608  mnt4_Fq4 f = mnt4_Fq4::one();
609 
610  bool found_one = false;
611  size_t dbl_idx = 0;
612  size_t add_idx = 0;
613 
614  const bigint<mnt4_Fr::num_limbs> &loop_count = mnt4_ate_loop_count;
615  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
616  const bool bit = loop_count.test_bit(i);
617 
618  if (!found_one) {
619  /* this skips the MSB itself */
620  found_one |= bit;
621  continue;
622  }
623 
624  /* code below gets executed for all bits (EXCEPT the MSB itself) of
625  mnt4_param_p (skipping leading zeros) in MSB to LSB
626  order */
627  mnt4_ate_dbl_coeffs dc1 = prec_Q1.dbl_coeffs[dbl_idx];
628  mnt4_ate_dbl_coeffs dc2 = prec_Q2.dbl_coeffs[dbl_idx];
629  ++dbl_idx;
630 
631  mnt4_Fq4 g_RR_at_P1 = mnt4_Fq4(
632  -dc1.c_4C - dc1.c_J * prec_P1.PX_twist + dc1.c_L,
633  dc1.c_H * prec_P1.PY_twist);
634 
635  mnt4_Fq4 g_RR_at_P2 = mnt4_Fq4(
636  -dc2.c_4C - dc2.c_J * prec_P2.PX_twist + dc2.c_L,
637  dc2.c_H * prec_P2.PY_twist);
638 
639  f = f.squared() * g_RR_at_P1 * g_RR_at_P2;
640 
641  if (bit) {
642  mnt4_ate_add_coeffs ac1 = prec_Q1.add_coeffs[add_idx];
643  mnt4_ate_add_coeffs ac2 = prec_Q2.add_coeffs[add_idx];
644  ++add_idx;
645 
646  mnt4_Fq4 g_RQ_at_P1 = mnt4_Fq4(
647  ac1.c_RZ * prec_P1.PY_twist,
648  -(prec_Q1.QY_over_twist * ac1.c_RZ + L1_coeff1 * ac1.c_L1));
649  mnt4_Fq4 g_RQ_at_P2 = mnt4_Fq4(
650  ac2.c_RZ * prec_P2.PY_twist,
651  -(prec_Q2.QY_over_twist * ac2.c_RZ + L1_coeff2 * ac2.c_L1));
652 
653  f = f * g_RQ_at_P1 * g_RQ_at_P2;
654  }
655  }
656 
657  if (mnt4_ate_is_loop_count_neg) {
658  mnt4_ate_add_coeffs ac1 = prec_Q1.add_coeffs[add_idx];
659  mnt4_ate_add_coeffs ac2 = prec_Q2.add_coeffs[add_idx];
660  ++add_idx;
661  mnt4_Fq4 g_RnegR_at_P1 = mnt4_Fq4(
662  ac1.c_RZ * prec_P1.PY_twist,
663  -(prec_Q1.QY_over_twist * ac1.c_RZ + L1_coeff1 * ac1.c_L1));
664  mnt4_Fq4 g_RnegR_at_P2 = mnt4_Fq4(
665  ac2.c_RZ * prec_P2.PY_twist,
666  -(prec_Q2.QY_over_twist * ac2.c_RZ + L1_coeff2 * ac2.c_L1));
667 
668  f = (f * g_RnegR_at_P1 * g_RnegR_at_P2).inverse();
669  }
670 
671  leave_block("Call to mnt4_ate_double_miller_loop");
672 
673  return f;
674 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_ate_miller_loop()

mnt4_Fq4 libff::mnt4_ate_miller_loop ( const mnt4_ate_G1_precomp prec_P,
const mnt4_ate_G2_precomp prec_Q 
)

Definition at line 539 of file mnt4_pairing.cpp.

541 {
542  enter_block("Call to mnt4_ate_miller_loop");
543 
544  mnt4_Fq2 L1_coeff =
545  mnt4_Fq2(prec_P.PX, mnt4_Fq::zero()) - prec_Q.QX_over_twist;
546 
547  mnt4_Fq4 f = mnt4_Fq4::one();
548 
549  bool found_one = false;
550  size_t dbl_idx = 0;
551  size_t add_idx = 0;
552 
553  const bigint<mnt4_Fr::num_limbs> &loop_count = mnt4_ate_loop_count;
554  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
555  const bool bit = loop_count.test_bit(i);
556 
557  if (!found_one) {
558  /* this skips the MSB itself */
559  found_one |= bit;
560  continue;
561  }
562 
563  /* code below gets executed for all bits (EXCEPT the MSB itself) of
564  mnt4_param_p (skipping leading zeros) in MSB to LSB
565  order */
566  const mnt4_ate_dbl_coeffs &dc = prec_Q.dbl_coeffs[dbl_idx++];
567 
568  const mnt4_Fq4 g_RR_at_P = mnt4_Fq4(
569  -dc.c_4C - dc.c_J * prec_P.PX_twist + dc.c_L,
570  dc.c_H * prec_P.PY_twist);
571  f = f.squared() * g_RR_at_P;
572  if (bit) {
573  const mnt4_ate_add_coeffs &ac = prec_Q.add_coeffs[add_idx++];
574 
575  const mnt4_Fq4 g_RQ_at_P = mnt4_Fq4(
576  ac.c_RZ * prec_P.PY_twist,
577  -(prec_Q.QY_over_twist * ac.c_RZ + L1_coeff * ac.c_L1));
578  f = f * g_RQ_at_P;
579  }
580  }
581 
582  if (mnt4_ate_is_loop_count_neg) {
583  mnt4_ate_add_coeffs ac = prec_Q.add_coeffs[add_idx++];
584  mnt4_Fq4 g_RnegR_at_P = mnt4_Fq4(
585  ac.c_RZ * prec_P.PY_twist,
586  -(prec_Q.QY_over_twist * ac.c_RZ + L1_coeff * ac.c_L1));
587  f = (f * g_RnegR_at_P).inverse();
588  }
589 
590  leave_block("Call to mnt4_ate_miller_loop");
591 
592  return f;
593 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_ate_pairing()

mnt4_Fq4 libff::mnt4_ate_pairing ( const mnt4_G1 P,
const mnt4_G2 Q 
)

Definition at line 676 of file mnt4_pairing.cpp.

677 {
678  enter_block("Call to mnt4_ate_pairing");
679  mnt4_ate_G1_precomp prec_P = mnt4_ate_precompute_G1(P);
680  mnt4_ate_G2_precomp prec_Q = mnt4_ate_precompute_G2(Q);
681  mnt4_Fq4 result = mnt4_ate_miller_loop(prec_P, prec_Q);
682  leave_block("Call to mnt4_ate_pairing");
683  return result;
684 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_ate_precompute_G1()

mnt4_ate_G1_precomp libff::mnt4_ate_precompute_G1 ( const mnt4_G1 P)

Definition at line 463 of file mnt4_pairing.cpp.

464 {
465  enter_block("Call to mnt4_ate_precompute_G1");
466 
467  mnt4_G1 Pcopy = P;
468  Pcopy.to_affine_coordinates();
469 
470  mnt4_ate_G1_precomp result;
471  result.PX = Pcopy.X;
472  result.PY = Pcopy.Y;
473  result.PX_twist = Pcopy.X * mnt4_twist;
474  result.PY_twist = Pcopy.Y * mnt4_twist;
475 
476  leave_block("Call to mnt4_ate_precompute_G1");
477  return result;
478 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_ate_precompute_G2()

mnt4_ate_G2_precomp libff::mnt4_ate_precompute_G2 ( const mnt4_G2 Q)

Definition at line 480 of file mnt4_pairing.cpp.

481 {
482  enter_block("Call to mnt4_ate_precompute_G2");
483 
484  mnt4_G2 Qcopy(Q);
485  Qcopy.to_affine_coordinates();
486 
487  mnt4_ate_G2_precomp result;
488  result.QX = Qcopy.X;
489  result.QY = Qcopy.Y;
490  result.QY2 = Qcopy.Y.squared();
491  result.QX_over_twist = Qcopy.X * mnt4_twist.inverse();
492  result.QY_over_twist = Qcopy.Y * mnt4_twist.inverse();
493 
494  extended_mnt4_G2_projective R;
495  R.X = Qcopy.X;
496  R.Y = Qcopy.Y;
497  R.Z = mnt4_Fq2::one();
498  R.T = mnt4_Fq2::one();
499 
500  const bigint<mnt4_Fr::num_limbs> &loop_count = mnt4_ate_loop_count;
501  bool found_one = false;
502 
503  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
504  const bool bit = loop_count.test_bit(i);
505  if (!found_one) {
506  /* this skips the MSB itself */
507  found_one |= bit;
508  continue;
509  }
510 
511  mnt4_ate_dbl_coeffs dc;
512  doubling_step_for_flipped_miller_loop(R, dc);
513  result.dbl_coeffs.push_back(dc);
514  if (bit) {
515  mnt4_ate_add_coeffs ac;
516  mixed_addition_step_for_flipped_miller_loop(
517  result.QX, result.QY, result.QY2, R, ac);
518  result.add_coeffs.push_back(ac);
519  }
520  }
521 
522  if (mnt4_ate_is_loop_count_neg) {
523  mnt4_Fq2 RZ_inv = R.Z.inverse();
524  mnt4_Fq2 RZ2_inv = RZ_inv.squared();
525  mnt4_Fq2 RZ3_inv = RZ2_inv * RZ_inv;
526  mnt4_Fq2 minus_R_affine_X = R.X * RZ2_inv;
527  mnt4_Fq2 minus_R_affine_Y = -R.Y * RZ3_inv;
528  mnt4_Fq2 minus_R_affine_Y2 = minus_R_affine_Y.squared();
529  mnt4_ate_add_coeffs ac;
530  mixed_addition_step_for_flipped_miller_loop(
531  minus_R_affine_X, minus_R_affine_Y, minus_R_affine_Y2, R, ac);
532  result.add_coeffs.push_back(ac);
533  }
534 
535  leave_block("Call to mnt4_ate_precompute_G2");
536  return result;
537 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_ate_reduced_pairing()

mnt4_GT libff::mnt4_ate_reduced_pairing ( const mnt4_G1 P,
const mnt4_G2 Q 
)

Definition at line 686 of file mnt4_pairing.cpp.

687 {
688  enter_block("Call to mnt4_ate_reduced_pairing");
689  const mnt4_Fq4 f = mnt4_ate_pairing(P, Q);
690  const mnt4_GT result = mnt4_final_exponentiation(f);
691  leave_block("Call to mnt4_ate_reduced_pairing");
692  return result;
693 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_double_miller_loop()

mnt4_Fq4 libff::mnt4_double_miller_loop ( const mnt4_G1_precomp prec_P1,
const mnt4_G2_precomp prec_Q1,
const mnt4_G1_precomp prec_P2,
const mnt4_G2_precomp prec_Q2 
)

Definition at line 711 of file mnt4_pairing.cpp.

716 {
717  return mnt4_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
718 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_final_exponentiation()

mnt4_GT libff::mnt4_final_exponentiation ( const mnt4_Fq4 elt)

Definition at line 207 of file mnt4_pairing.cpp.

208 {
209  enter_block("Call to mnt4_final_exponentiation");
210  const mnt4_Fq4 elt_inv = elt.inverse();
211  const mnt4_Fq4 elt_to_first_chunk =
212  mnt4_final_exponentiation_first_chunk(elt, elt_inv);
213  const mnt4_Fq4 elt_inv_to_first_chunk =
214  mnt4_final_exponentiation_first_chunk(elt_inv, elt);
215  mnt4_GT result = mnt4_final_exponentiation_last_chunk(
216  elt_to_first_chunk, elt_inv_to_first_chunk);
217  leave_block("Call to mnt4_final_exponentiation");
218 
219  return result;
220 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_final_exponentiation_first_chunk()

mnt4_Fq4 libff::mnt4_final_exponentiation_first_chunk ( const mnt4_Fq4 elt,
const mnt4_Fq4 elt_inv 
)

Definition at line 191 of file mnt4_pairing.cpp.

193 {
194  enter_block("Call to mnt4_final_exponentiation_first_chunk");
195 
196  /* (q^2-1) */
197 
198  /* elt_q2 = elt^(q^2) */
199  const mnt4_Fq4 elt_q2 = elt.Frobenius_map(2);
200  /* elt_q3_over_elt = elt^(q^2-1) */
201  const mnt4_Fq4 elt_q2_over_elt = elt_q2 * elt_inv;
202 
203  leave_block("Call to mnt4_final_exponentiation_first_chunk");
204  return elt_q2_over_elt;
205 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_final_exponentiation_last_chunk()

mnt4_Fq4 libff::mnt4_final_exponentiation_last_chunk ( const mnt4_Fq4 elt,
const mnt4_Fq4 elt_inv 
)

Definition at line 172 of file mnt4_pairing.cpp.

174 {
175  enter_block("Call to mnt4_final_exponentiation_last_chunk");
176  const mnt4_Fq4 elt_q = elt.Frobenius_map(1);
177  mnt4_Fq4 w1_part = elt_q.cyclotomic_exp(mnt4_final_exponent_last_chunk_w1);
178  mnt4_Fq4 w0_part;
179  if (mnt4_final_exponent_last_chunk_is_w0_neg) {
180  w0_part =
181  elt_inv.cyclotomic_exp(mnt4_final_exponent_last_chunk_abs_of_w0);
182  } else {
183  w0_part = elt.cyclotomic_exp(mnt4_final_exponent_last_chunk_abs_of_w0);
184  }
185  mnt4_Fq4 result = w1_part * w0_part;
186  leave_block("Call to mnt4_final_exponentiation_last_chunk");
187 
188  return result;
189 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_miller_loop()

mnt4_Fq4 libff::mnt4_miller_loop ( const mnt4_G1_precomp prec_P,
const mnt4_G2_precomp prec_Q 
)

Definition at line 705 of file mnt4_pairing.cpp.

707 {
708  return mnt4_ate_miller_loop(prec_P, prec_Q);
709 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_pairing()

mnt4_Fq4 libff::mnt4_pairing ( const mnt4_G1 P,
const mnt4_G2 Q 
)

Definition at line 720 of file mnt4_pairing.cpp.

721 {
722  return mnt4_ate_pairing(P, Q);
723 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_precompute_G1()

mnt4_G1_precomp libff::mnt4_precompute_G1 ( const mnt4_G1 P)

Definition at line 695 of file mnt4_pairing.cpp.

696 {
697  return mnt4_ate_precompute_G1(P);
698 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_precompute_G2()

mnt4_G2_precomp libff::mnt4_precompute_G2 ( const mnt4_G2 Q)

Definition at line 700 of file mnt4_pairing.cpp.

701 {
702  return mnt4_ate_precompute_G2(Q);
703 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt4_reduced_pairing()

mnt4_GT libff::mnt4_reduced_pairing ( const mnt4_G1 P,
const mnt4_G2 Q 
)

Definition at line 725 of file mnt4_pairing.cpp.

726 {
727  return mnt4_ate_reduced_pairing(P, Q);
728 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_affine_ate_miller_loop()

mnt6_Fq6 libff::mnt6_affine_ate_miller_loop ( const mnt6_affine_ate_G1_precomputation prec_P,
const mnt6_affine_ate_G2_precomputation prec_Q 
)

Definition at line 323 of file mnt6_pairing.cpp.

326 {
327  enter_block("Call to mnt6_affine_ate_miller_loop");
328 
329  mnt6_Fq6 f = mnt6_Fq6::one();
330 
331  const bigint<mnt6_Fr::num_limbs> &loop_count = mnt6_ate_loop_count;
332  bool found_nonzero = false;
333  size_t idx = 0;
334 
335  std::vector<long> NAF = find_wnaf(1, loop_count);
336  for (long i = NAF.size() - 1; i >= 0; --i) {
337  if (!found_nonzero) {
338  /* this skips the MSB itself */
339  found_nonzero |= (NAF[i] != 0);
340  continue;
341  }
342 
343  /* code below gets executed for all bits (EXCEPT the MSB itself) of
344  mnt6_param_p (skipping leading zeros) in MSB to LSB
345  order */
346  mnt6_affine_ate_coeffs c = prec_Q.coeffs[idx++];
347 
348  mnt6_Fq6 g_RR_at_P = mnt6_Fq6(
349  prec_P.PY_twist_squared,
350  -prec_P.PX * c.gamma_twist + c.gamma_X - c.old_RY);
351  f = f.squared().mul_by_2345(g_RR_at_P);
352 
353  if (NAF[i] != 0) {
354  mnt6_affine_ate_coeffs c = prec_Q.coeffs[idx++];
355  mnt6_Fq6 g_RQ_at_P;
356  if (NAF[i] > 0) {
357  g_RQ_at_P = mnt6_Fq6(
358  prec_P.PY_twist_squared,
359  -prec_P.PX * c.gamma_twist + c.gamma_X - prec_Q.QY);
360  } else {
361  g_RQ_at_P = mnt6_Fq6(
362  prec_P.PY_twist_squared,
363  -prec_P.PX * c.gamma_twist + c.gamma_X + prec_Q.QY);
364  }
365  f = f.mul_by_2345(g_RQ_at_P);
366  }
367  }
368 
369  /* TODO: maybe handle neg
370  if (mnt6_ate_is_loop_count_neg)
371  {
372  // TODO:
373  mnt6_affine_ate_coeffs ac = prec_Q.coeffs[idx++];
374  mnt6_Fq6 g_RnegR_at_P = mnt6_Fq6(prec_P.PY_twist_squared,
375  - prec_P.PX * c.gamma_twist +
376  c.gamma_X - c.old_RY); f = (f * g_RnegR_at_P).inverse();
377  }
378  */
379 
380  leave_block("Call to mnt6_affine_ate_miller_loop");
381 
382  return f;
383 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_affine_ate_precompute_G1()

mnt6_affine_ate_G1_precomputation libff::mnt6_affine_ate_precompute_G1 ( const mnt6_G1 P)

Definition at line 228 of file mnt6_pairing.cpp.

230 {
231  enter_block("Call to mnt6_affine_ate_precompute_G1");
232 
233  mnt6_G1 Pcopy = P;
234  Pcopy.to_affine_coordinates();
235 
236  mnt6_affine_ate_G1_precomputation result;
237  result.PX = Pcopy.X;
238  result.PY = Pcopy.Y;
239  result.PY_twist_squared = Pcopy.Y * mnt6_twist.squared();
240 
241  leave_block("Call to mnt6_affine_ate_precompute_G1");
242  return result;
243 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_affine_ate_precompute_G2()

mnt6_affine_ate_G2_precomputation libff::mnt6_affine_ate_precompute_G2 ( const mnt6_G2 Q)

Definition at line 245 of file mnt6_pairing.cpp.

247 {
248  enter_block("Call to mnt6_affine_ate_precompute_G2");
249 
250  mnt6_G2 Qcopy(Q);
251  Qcopy.to_affine_coordinates();
252 
253  mnt6_affine_ate_G2_precomputation result;
254  result.QX = Qcopy.X;
255  result.QY = Qcopy.Y;
256 
257  mnt6_Fq3 RX = Qcopy.X;
258  mnt6_Fq3 RY = Qcopy.Y;
259 
260  const bigint<mnt6_Fr::num_limbs> &loop_count = mnt6_ate_loop_count;
261  bool found_nonzero = false;
262 
263  std::vector<long> NAF = find_wnaf(1, loop_count);
264  for (long i = NAF.size() - 1; i >= 0; --i) {
265  if (!found_nonzero) {
266  /* this skips the MSB itself */
267  found_nonzero |= (NAF[i] != 0);
268  continue;
269  }
270 
271  mnt6_affine_ate_coeffs c;
272  c.old_RX = RX;
273  c.old_RY = RY;
274  mnt6_Fq3 old_RX_2 = c.old_RX.squared();
275  c.gamma = (old_RX_2 + old_RX_2 + old_RX_2 + mnt6_twist_coeff_a) *
276  (c.old_RY + c.old_RY).inverse();
277  c.gamma_twist = c.gamma * mnt6_twist;
278  c.gamma_X = c.gamma * c.old_RX;
279  result.coeffs.push_back(c);
280 
281  RX = c.gamma.squared() - (c.old_RX + c.old_RX);
282  RY = c.gamma * (c.old_RX - RX) - c.old_RY;
283 
284  if (NAF[i] != 0) {
285  mnt6_affine_ate_coeffs c;
286  c.old_RX = RX;
287  c.old_RY = RY;
288  if (NAF[i] > 0) {
289  c.gamma =
290  (c.old_RY - result.QY) * (c.old_RX - result.QX).inverse();
291  } else {
292  c.gamma =
293  (c.old_RY + result.QY) * (c.old_RX - result.QX).inverse();
294  }
295  c.gamma_twist = c.gamma * mnt6_twist;
296  c.gamma_X = c.gamma * result.QX;
297  result.coeffs.push_back(c);
298 
299  RX = c.gamma.squared() - (c.old_RX + result.QX);
300  RY = c.gamma * (c.old_RX - RX) - c.old_RY;
301  }
302  }
303 
304  /* TODO: maybe handle neg
305  if (mnt6_ate_is_loop_count_neg)
306  {
307  mnt6_ate_add_coeffs ac;
308  mnt6_affine_ate_dbl_coeffs c;
309  c.old_RX = RX;
310  c.old_RY = -RY;
311  old_RX_2 = c.old_RY.squared();
312  c.gamma = (old_RX_2 + old_RX_2 + old_RX_2 + mnt6_coeff_a) *
313  (c.old_RY + c.old_RY).inverse(); c.gamma_twist = c.gamma * mnt6_twist;
314  c.gamma_X = c.gamma * c.old_RX;
315  result.coeffs.push_back(c);
316  }
317  */
318 
319  leave_block("Call to mnt6_affine_ate_precompute_G2");
320  return result;
321 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_affine_reduced_pairing()

mnt6_GT libff::mnt6_affine_reduced_pairing ( const mnt6_G1 P,
const mnt6_G2 Q 
)

Definition at line 743 of file mnt6_pairing.cpp.

744 {
745  const mnt6_affine_ate_G1_precomputation prec_P =
746  mnt6_affine_ate_precompute_G1(P);
747  const mnt6_affine_ate_G2_precomputation prec_Q =
748  mnt6_affine_ate_precompute_G2(Q);
749  const mnt6_Fq6 f = mnt6_affine_ate_miller_loop(prec_P, prec_Q);
750  const mnt6_GT result = mnt6_final_exponentiation(f);
751  return result;
752 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_ate_double_miller_loop()

mnt6_Fq6 libff::mnt6_ate_double_miller_loop ( const mnt6_ate_G1_precomp prec_P1,
const mnt6_ate_G2_precomp prec_Q1,
const mnt6_ate_G1_precomp prec_P2,
const mnt6_ate_G2_precomp prec_Q2 
)

Definition at line 605 of file mnt6_pairing.cpp.

610 {
611  enter_block("Call to mnt6_ate_double_miller_loop");
612 
613  mnt6_Fq3 L1_coeff1 =
614  mnt6_Fq3(prec_P1.PX, mnt6_Fq::zero(), mnt6_Fq::zero()) -
615  prec_Q1.QX_over_twist;
616  mnt6_Fq3 L1_coeff2 =
617  mnt6_Fq3(prec_P2.PX, mnt6_Fq::zero(), mnt6_Fq::zero()) -
618  prec_Q2.QX_over_twist;
619 
620  mnt6_Fq6 f = mnt6_Fq6::one();
621 
622  bool found_one = false;
623  size_t dbl_idx = 0;
624  size_t add_idx = 0;
625 
626  const bigint<mnt6_Fr::num_limbs> &loop_count = mnt6_ate_loop_count;
627 
628  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
629  const bool bit = loop_count.test_bit(i);
630 
631  if (!found_one) {
632  /* this skips the MSB itself */
633  found_one |= bit;
634  continue;
635  }
636 
637  /* code below gets executed for all bits (EXCEPT the MSB itself) of
638  mnt6_param_p (skipping leading zeros) in MSB to LSB
639  order */
640  mnt6_ate_dbl_coeffs dc1 = prec_Q1.dbl_coeffs[dbl_idx];
641  mnt6_ate_dbl_coeffs dc2 = prec_Q2.dbl_coeffs[dbl_idx];
642  ++dbl_idx;
643 
644  mnt6_Fq6 g_RR_at_P1 = mnt6_Fq6(
645  -dc1.c_4C - dc1.c_J * prec_P1.PX_twist + dc1.c_L,
646  dc1.c_H * prec_P1.PY_twist);
647 
648  mnt6_Fq6 g_RR_at_P2 = mnt6_Fq6(
649  -dc2.c_4C - dc2.c_J * prec_P2.PX_twist + dc2.c_L,
650  dc2.c_H * prec_P2.PY_twist);
651 
652  f = f.squared() * g_RR_at_P1 * g_RR_at_P2;
653 
654  if (bit) {
655  mnt6_ate_add_coeffs ac1 = prec_Q1.add_coeffs[add_idx];
656  mnt6_ate_add_coeffs ac2 = prec_Q2.add_coeffs[add_idx];
657  ++add_idx;
658 
659  mnt6_Fq6 g_RQ_at_P1 = mnt6_Fq6(
660  ac1.c_RZ * prec_P1.PY_twist,
661  -(prec_Q1.QY_over_twist * ac1.c_RZ + L1_coeff1 * ac1.c_L1));
662  mnt6_Fq6 g_RQ_at_P2 = mnt6_Fq6(
663  ac2.c_RZ * prec_P2.PY_twist,
664  -(prec_Q2.QY_over_twist * ac2.c_RZ + L1_coeff2 * ac2.c_L1));
665 
666  f = f * g_RQ_at_P1 * g_RQ_at_P2;
667  }
668  }
669 
670  if (mnt6_ate_is_loop_count_neg) {
671  mnt6_ate_add_coeffs ac1 = prec_Q1.add_coeffs[add_idx];
672  mnt6_ate_add_coeffs ac2 = prec_Q2.add_coeffs[add_idx];
673  ++add_idx;
674  mnt6_Fq6 g_RnegR_at_P1 = mnt6_Fq6(
675  ac1.c_RZ * prec_P1.PY_twist,
676  -(prec_Q1.QY_over_twist * ac1.c_RZ + L1_coeff1 * ac1.c_L1));
677  mnt6_Fq6 g_RnegR_at_P2 = mnt6_Fq6(
678  ac2.c_RZ * prec_P2.PY_twist,
679  -(prec_Q2.QY_over_twist * ac2.c_RZ + L1_coeff2 * ac2.c_L1));
680 
681  f = (f * g_RnegR_at_P1 * g_RnegR_at_P2).inverse();
682  }
683 
684  leave_block("Call to mnt6_ate_double_miller_loop");
685 
686  return f;
687 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_ate_miller_loop()

mnt6_Fq6 libff::mnt6_ate_miller_loop ( const mnt6_ate_G1_precomp prec_P,
const mnt6_ate_G2_precomp prec_Q 
)

Definition at line 548 of file mnt6_pairing.cpp.

550 {
551  enter_block("Call to mnt6_ate_miller_loop");
552 
553  mnt6_Fq3 L1_coeff = mnt6_Fq3(prec_P.PX, mnt6_Fq::zero(), mnt6_Fq::zero()) -
554  prec_Q.QX_over_twist;
555 
556  mnt6_Fq6 f = mnt6_Fq6::one();
557 
558  bool found_one = false;
559  size_t dbl_idx = 0;
560  size_t add_idx = 0;
561 
562  const bigint<mnt6_Fr::num_limbs> &loop_count = mnt6_ate_loop_count;
563 
564  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
565  const bool bit = loop_count.test_bit(i);
566 
567  if (!found_one) {
568  /* this skips the MSB itself */
569  found_one |= bit;
570  continue;
571  }
572 
573  /* code below gets executed for all bits (EXCEPT the MSB itself) of
574  mnt6_param_p (skipping leading zeros) in MSB to LSB
575  order */
576  mnt6_ate_dbl_coeffs dc = prec_Q.dbl_coeffs[dbl_idx++];
577 
578  mnt6_Fq6 g_RR_at_P = mnt6_Fq6(
579  -dc.c_4C - dc.c_J * prec_P.PX_twist + dc.c_L,
580  dc.c_H * prec_P.PY_twist);
581  f = f.squared() * g_RR_at_P;
582 
583  if (bit) {
584  mnt6_ate_add_coeffs ac = prec_Q.add_coeffs[add_idx++];
585  mnt6_Fq6 g_RQ_at_P = mnt6_Fq6(
586  ac.c_RZ * prec_P.PY_twist,
587  -(prec_Q.QY_over_twist * ac.c_RZ + L1_coeff * ac.c_L1));
588  f = f * g_RQ_at_P;
589  }
590  }
591 
592  if (mnt6_ate_is_loop_count_neg) {
593  mnt6_ate_add_coeffs ac = prec_Q.add_coeffs[add_idx++];
594  mnt6_Fq6 g_RnegR_at_P = mnt6_Fq6(
595  ac.c_RZ * prec_P.PY_twist,
596  -(prec_Q.QY_over_twist * ac.c_RZ + L1_coeff * ac.c_L1));
597  f = (f * g_RnegR_at_P).inverse();
598  }
599 
600  leave_block("Call to mnt6_ate_miller_loop");
601 
602  return f;
603 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_ate_pairing()

mnt6_Fq6 libff::mnt6_ate_pairing ( const mnt6_G1 P,
const mnt6_G2 Q 
)

Definition at line 689 of file mnt6_pairing.cpp.

690 {
691  enter_block("Call to mnt6_ate_pairing");
692  mnt6_ate_G1_precomp prec_P = mnt6_ate_precompute_G1(P);
693  mnt6_ate_G2_precomp prec_Q = mnt6_ate_precompute_G2(Q);
694  mnt6_Fq6 result = mnt6_ate_miller_loop(prec_P, prec_Q);
695  leave_block("Call to mnt6_ate_pairing");
696  return result;
697 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_ate_precompute_G1()

mnt6_ate_G1_precomp libff::mnt6_ate_precompute_G1 ( const mnt6_G1 P)

Definition at line 468 of file mnt6_pairing.cpp.

469 {
470  enter_block("Call to mnt6_ate_precompute_G1");
471 
472  mnt6_G1 Pcopy = P;
473  Pcopy.to_affine_coordinates();
474 
475  mnt6_ate_G1_precomp result;
476  result.PX = Pcopy.X;
477  result.PY = Pcopy.Y;
478  result.PX_twist = Pcopy.X * mnt6_twist;
479  result.PY_twist = Pcopy.Y * mnt6_twist;
480 
481  leave_block("Call to mnt6_ate_precompute_G1");
482  return result;
483 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_ate_precompute_G2()

mnt6_ate_G2_precomp libff::mnt6_ate_precompute_G2 ( const mnt6_G2 Q)

Definition at line 485 of file mnt6_pairing.cpp.

486 {
487  enter_block("Call to mnt6_ate_precompute_G2");
488 
489  mnt6_G2 Qcopy(Q);
490  Qcopy.to_affine_coordinates();
491 
492  mnt6_Fq3 mnt6_twist_inv =
493  mnt6_twist.inverse(); // could add to global params if needed
494 
495  mnt6_ate_G2_precomp result;
496  result.QX = Qcopy.X;
497  result.QY = Qcopy.Y;
498  result.QY2 = Qcopy.Y.squared();
499  result.QX_over_twist = Qcopy.X * mnt6_twist_inv;
500  result.QY_over_twist = Qcopy.Y * mnt6_twist_inv;
501 
502  extended_mnt6_G2_projective R;
503  R.X = Qcopy.X;
504  R.Y = Qcopy.Y;
505  R.Z = mnt6_Fq3::one();
506  R.T = mnt6_Fq3::one();
507 
508  const bigint<mnt6_Fr::num_limbs> &loop_count = mnt6_ate_loop_count;
509  bool found_one = false;
510  for (long i = loop_count.max_bits() - 1; i >= 0; --i) {
511  const bool bit = loop_count.test_bit(i);
512 
513  if (!found_one) {
514  /* this skips the MSB itself */
515  found_one |= bit;
516  continue;
517  }
518 
519  mnt6_ate_dbl_coeffs dc;
520  doubling_step_for_flipped_miller_loop(R, dc);
521  result.dbl_coeffs.push_back(dc);
522 
523  if (bit) {
524  mnt6_ate_add_coeffs ac;
525  mixed_addition_step_for_flipped_miller_loop(
526  result.QX, result.QY, result.QY2, R, ac);
527  result.add_coeffs.push_back(ac);
528  }
529  }
530 
531  if (mnt6_ate_is_loop_count_neg) {
532  mnt6_Fq3 RZ_inv = R.Z.inverse();
533  mnt6_Fq3 RZ2_inv = RZ_inv.squared();
534  mnt6_Fq3 RZ3_inv = RZ2_inv * RZ_inv;
535  mnt6_Fq3 minus_R_affine_X = R.X * RZ2_inv;
536  mnt6_Fq3 minus_R_affine_Y = -R.Y * RZ3_inv;
537  mnt6_Fq3 minus_R_affine_Y2 = minus_R_affine_Y.squared();
538  mnt6_ate_add_coeffs ac;
539  mixed_addition_step_for_flipped_miller_loop(
540  minus_R_affine_X, minus_R_affine_Y, minus_R_affine_Y2, R, ac);
541  result.add_coeffs.push_back(ac);
542  }
543 
544  leave_block("Call to mnt6_ate_precompute_G2");
545  return result;
546 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_ate_reduced_pairing()

mnt6_GT libff::mnt6_ate_reduced_pairing ( const mnt6_G1 P,
const mnt6_G2 Q 
)

Definition at line 699 of file mnt6_pairing.cpp.

700 {
701  enter_block("Call to mnt6_ate_reduced_pairing");
702  const mnt6_Fq6 f = mnt6_ate_pairing(P, Q);
703  const mnt6_GT result = mnt6_final_exponentiation(f);
704  leave_block("Call to mnt6_ate_reduced_pairing");
705  return result;
706 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_double_miller_loop()

mnt6_Fq6 libff::mnt6_double_miller_loop ( const mnt6_G1_precomp prec_P1,
const mnt6_G2_precomp prec_Q1,
const mnt6_G1_precomp prec_P2,
const mnt6_G2_precomp prec_Q2 
)

Definition at line 724 of file mnt6_pairing.cpp.

729 {
730  return mnt6_ate_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
731 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_final_exponentiation()

mnt6_GT libff::mnt6_final_exponentiation ( const mnt6_Fq6 elt)

Definition at line 211 of file mnt6_pairing.cpp.

212 {
213  enter_block("Call to mnt6_final_exponentiation");
214  const mnt6_Fq6 elt_inv = elt.inverse();
215  const mnt6_Fq6 elt_to_first_chunk =
216  mnt6_final_exponentiation_first_chunk(elt, elt_inv);
217  const mnt6_Fq6 elt_inv_to_first_chunk =
218  mnt6_final_exponentiation_first_chunk(elt_inv, elt);
219  mnt6_GT result = mnt6_final_exponentiation_last_chunk(
220  elt_to_first_chunk, elt_inv_to_first_chunk);
221  leave_block("Call to mnt6_final_exponentiation");
222 
223  return result;
224 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_final_exponentiation_first_chunk()

mnt6_Fq6 libff::mnt6_final_exponentiation_first_chunk ( const mnt6_Fq6 elt,
const mnt6_Fq6 elt_inv 
)

Definition at line 192 of file mnt6_pairing.cpp.

194 {
195  enter_block("Call to mnt6_final_exponentiation_first_chunk");
196 
197  /* (q^3-1)*(q+1) */
198 
199  /* elt_q3 = elt^(q^3) */
200  const mnt6_Fq6 elt_q3 = elt.Frobenius_map(3);
201  /* elt_q3_over_elt = elt^(q^3-1) */
202  const mnt6_Fq6 elt_q3_over_elt = elt_q3 * elt_inv;
203  /* alpha = elt^((q^3-1) * q) */
204  const mnt6_Fq6 alpha = elt_q3_over_elt.Frobenius_map(1);
205  /* beta = elt^((q^3-1)*(q+1) */
206  const mnt6_Fq6 beta = alpha * elt_q3_over_elt;
207  leave_block("Call to mnt6_final_exponentiation_first_chunk");
208  return beta;
209 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_final_exponentiation_last_chunk()

mnt6_Fq6 libff::mnt6_final_exponentiation_last_chunk ( const mnt6_Fq6 elt,
const mnt6_Fq6 elt_inv 
)

Definition at line 173 of file mnt6_pairing.cpp.

175 {
176  enter_block("Call to mnt6_final_exponentiation_last_chunk");
177  const mnt6_Fq6 elt_q = elt.Frobenius_map(1);
178  mnt6_Fq6 w1_part = elt_q.cyclotomic_exp(mnt6_final_exponent_last_chunk_w1);
179  mnt6_Fq6 w0_part;
180  if (mnt6_final_exponent_last_chunk_is_w0_neg) {
181  w0_part =
182  elt_inv.cyclotomic_exp(mnt6_final_exponent_last_chunk_abs_of_w0);
183  } else {
184  w0_part = elt.cyclotomic_exp(mnt6_final_exponent_last_chunk_abs_of_w0);
185  }
186  mnt6_Fq6 result = w1_part * w0_part;
187  leave_block("Call to mnt6_final_exponentiation_last_chunk");
188 
189  return result;
190 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_miller_loop()

mnt6_Fq6 libff::mnt6_miller_loop ( const mnt6_G1_precomp prec_P,
const mnt6_G2_precomp prec_Q 
)

Definition at line 718 of file mnt6_pairing.cpp.

720 {
721  return mnt6_ate_miller_loop(prec_P, prec_Q);
722 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_pairing()

mnt6_Fq6 libff::mnt6_pairing ( const mnt6_G1 P,
const mnt6_G2 Q 
)

Definition at line 733 of file mnt6_pairing.cpp.

734 {
735  return mnt6_ate_pairing(P, Q);
736 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_precompute_G1()

mnt6_G1_precomp libff::mnt6_precompute_G1 ( const mnt6_G1 P)

Definition at line 708 of file mnt6_pairing.cpp.

709 {
710  return mnt6_ate_precompute_G1(P);
711 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_precompute_G2()

mnt6_G2_precomp libff::mnt6_precompute_G2 ( const mnt6_G2 Q)

Definition at line 713 of file mnt6_pairing.cpp.

714 {
715  return mnt6_ate_precompute_G2(Q);
716 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ mnt6_reduced_pairing()

mnt6_GT libff::mnt6_reduced_pairing ( const mnt6_G1 P,
const mnt6_G2 Q 
)

Definition at line 738 of file mnt6_pairing.cpp.

739 {
740  return mnt6_ate_reduced_pairing(P, Q);
741 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ multi_exp()

template<typename T , typename FieldT , multi_exp_method Method, multi_exp_base_form BaseForm = multi_exp_base_form_normal>
T libff::multi_exp ( typename std::vector< T >::const_iterator  vec_start,
typename std::vector< T >::const_iterator  vec_end,
typename std::vector< FieldT >::const_iterator  scalar_start,
typename std::vector< FieldT >::const_iterator  scalar_end,
const size_t  chunks 
)

Computes the sum: \sum_i scalar_start[i] * vec_start[i] using the selected method. Input is split into the given number of chunks, and processed in parallel.

◆ multi_exp_filter_one_zero()

template<typename T , typename FieldT , multi_exp_method Method, multi_exp_base_form BaseForm = multi_exp_base_form_normal>
T libff::multi_exp_filter_one_zero ( typename std::vector< T >::const_iterator  vec_start,
typename std::vector< T >::const_iterator  vec_end,
typename std::vector< FieldT >::const_iterator  scalar_start,
typename std::vector< FieldT >::const_iterator  scalar_end,
const size_t  chunks 
)

A variant of multi_exp which includes special pre-processing step to skip zeros, and directly sum base elements with factor 1. Remaining values are processed as usual via multi_exp.

◆ multi_exp_stream()

template<form_t Form, compression_t Comp, typename GroupT , typename FieldT >
GroupT libff::multi_exp_stream ( std::istream &  base_elements_in,
const std::vector< FieldT > &  exponents 
)

Read base elements from a stream. More intermediate memory is used (offset by the fact that base elements are streamed and therefore not all memory-resident) to reduce the number of internal passes. Currently processing is single-threaded (although element streaming happens in a separate temporary thread).

◆ multi_exp_stream_with_precompute()

template<form_t Form, compression_t Comp, typename GroupT , typename FieldT >
GroupT libff::multi_exp_stream_with_precompute ( std::istream &  precomputed_elements_in,
const std::vector< FieldT > &  exponents,
const size_t  precompute_c 
)

Perform optimal multiexp using precomputed elements from a stream. The stream is expected to be formatted as follows: For each original base element e_i: e_i, [2^c] e_i, [2^2c] e_i, .... [2^(b-1)c] e_i where c is the digit size (in bits) to be used in the BDLO12_signed algorithm, and b = (FieldT::num_bits + c - 1) / c is the number of digits required to fully represent a scalar value.

Optimal c can be computed with bdlo12_signed_optimal_c().

◆ op_profiling_enter()

void libff::op_profiling_enter ( const std::string &  msg)

Definition at line 264 of file profiling.cpp.

265 {
266  for (std::pair<std::string, long long *> p : op_data_points) {
267  op_counts[std::make_pair(msg, p.first)] = *(p.second);
268  }
269 }
Here is the caller graph for this function:

◆ operator*() [1/42]

template<mp_size_t m>
alt_bn128_G1 libff::operator* ( const bigint< m > &  lhs,
const alt_bn128_G1 rhs 
)

Definition at line 99 of file alt_bn128_g1.hpp.

100 {
101  return scalar_mul<alt_bn128_G1, m>(rhs, lhs);
102 }

◆ operator*() [2/42]

template<mp_size_t m>
alt_bn128_G2 libff::operator* ( const bigint< m > &  lhs,
const alt_bn128_G2 rhs 
)

Definition at line 103 of file alt_bn128_g2.hpp.

104 {
105  return scalar_mul<alt_bn128_G2, m>(rhs, lhs);
106 }

◆ operator*() [3/42]

template<mp_size_t m>
bls12_377_G1 libff::operator* ( const bigint< m > &  lhs,
const bls12_377_G1 rhs 
)

Definition at line 112 of file bls12_377_g1.hpp.

113 {
114  return scalar_mul<bls12_377_G1, m>(rhs, lhs);
115 }

◆ operator*() [4/42]

template<mp_size_t m>
bls12_377_G2 libff::operator* ( const bigint< m > &  lhs,
const bls12_377_G2 rhs 
)

Definition at line 104 of file bls12_377_g2.hpp.

105 {
106  return scalar_mul<bls12_377_G2, m>(rhs, lhs);
107 }

◆ operator*() [5/42]

template<mp_size_t m>
bls12_381_G1 libff::operator* ( const bigint< m > &  lhs,
const bls12_381_G1 rhs 
)

Definition at line 99 of file bls12_381_g1.hpp.

100 {
101  return scalar_mul<bls12_381_G1, m>(rhs, lhs);
102 }

◆ operator*() [6/42]

template<mp_size_t m>
bls12_381_G2 libff::operator* ( const bigint< m > &  lhs,
const bls12_381_G2 rhs 
)

Definition at line 106 of file bls12_381_g2.hpp.

107 {
108  return scalar_mul<bls12_381_G2, m>(rhs, lhs);
109 }

◆ operator*() [7/42]

template<mp_size_t m>
bn128_G1 libff::operator* ( const bigint< m > &  lhs,
const bn128_G1 rhs 
)

Definition at line 106 of file bn128_g1.hpp.

107 {
108  return scalar_mul<bn128_G1, m>(rhs, lhs);
109 }

◆ operator*() [8/42]

template<mp_size_t m>
bn128_G2 libff::operator* ( const bigint< m > &  lhs,
const bn128_G2 rhs 
)

Definition at line 106 of file bn128_g2.hpp.

107 {
108  return scalar_mul<bn128_G2, m>(rhs, lhs);
109 }

◆ operator*() [9/42]

template<mp_size_t m>
bw6_761_G1 libff::operator* ( const bigint< m > &  lhs,
const bw6_761_G1 rhs 
)

Definition at line 94 of file bw6_761_g1.hpp.

95 {
96  return scalar_mul<bw6_761_G1, m>(rhs, lhs);
97 }

◆ operator*() [10/42]

template<mp_size_t m>
bw6_761_G2 libff::operator* ( const bigint< m > &  lhs,
const bw6_761_G2 rhs 
)

Definition at line 98 of file bw6_761_g2.hpp.

99 {
100  return scalar_mul<bw6_761_G2, m>(rhs, lhs);
101 }

◆ operator*() [11/42]

template<mp_size_t m>
edwards_G1 libff::operator* ( const bigint< m > &  lhs,
const edwards_G1 rhs 
)

Definition at line 92 of file edwards_g1.hpp.

93 {
94  return scalar_mul<edwards_G1, m>(rhs, lhs);
95 }

◆ operator*() [12/42]

template<mp_size_t m>
edwards_G2 libff::operator* ( const bigint< m > &  lhs,
const edwards_G2 rhs 
)

Definition at line 99 of file edwards_g2.hpp.

100 {
101  return scalar_mul<edwards_G2, m>(rhs, lhs);
102 }

◆ operator*() [13/42]

template<mp_size_t m>
mnt4_G1 libff::operator* ( const bigint< m > &  lhs,
const mnt4_G1 rhs 
)

Definition at line 106 of file mnt4_g1.hpp.

107 {
108  return scalar_mul<mnt4_G1, m>(rhs, lhs);
109 }

◆ operator*() [14/42]

template<mp_size_t m>
mnt4_G2 libff::operator* ( const bigint< m > &  lhs,
const mnt4_G2 rhs 
)

Definition at line 106 of file mnt4_g2.hpp.

107 {
108  return scalar_mul<mnt4_G2, m>(rhs, lhs);
109 }

◆ operator*() [15/42]

template<mp_size_t m>
mnt6_G1 libff::operator* ( const bigint< m > &  lhs,
const mnt6_G1 rhs 
)

Definition at line 109 of file mnt6_g1.hpp.

110 {
111  return scalar_mul<mnt6_G1, m>(rhs, lhs);
112 }

◆ operator*() [16/42]

template<mp_size_t m>
mnt6_G2 libff::operator* ( const bigint< m > &  lhs,
const mnt6_G2 rhs 
)

Definition at line 111 of file mnt6_g2.hpp.

112 {
113  return scalar_mul<mnt6_G2, m>(rhs, lhs);
114 }

◆ operator*() [17/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp12_2over3over2_model<n, modulus> libff::operator* ( const Fp2_model< n, modulus > &  lhs,
const Fp12_2over3over2_model< n, modulus > &  rhs 
)

◆ operator*() [18/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp4_model<n, modulus> libff::operator* ( const Fp2_model< n, modulus > &  lhs,
const Fp4_model< n, modulus > &  rhs 
)

◆ operator*() [19/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp6_3over2_model<n, modulus> libff::operator* ( const Fp2_model< n, modulus > &  lhs,
const Fp6_3over2_model< n, modulus > &  rhs 
)

◆ operator*() [20/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp12_2over3over2_model<n, modulus> libff::operator* ( const Fp6_3over2_model< n, modulus > &  lhs,
const Fp12_2over3over2_model< n, modulus > &  rhs 
)

◆ operator*() [21/42]

template<mp_size_t m, const bigint< m > & modulus_p>
alt_bn128_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const alt_bn128_G1 rhs 
)

Definition at line 105 of file alt_bn128_g1.hpp.

107 {
108  return scalar_mul<alt_bn128_G1, m>(rhs, lhs.as_bigint());
109 }
Here is the call graph for this function:

◆ operator*() [22/42]

template<mp_size_t m, const bigint< m > & modulus_p>
alt_bn128_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const alt_bn128_G2 rhs 
)

Definition at line 109 of file alt_bn128_g2.hpp.

111 {
112  return scalar_mul<alt_bn128_G2, m>(rhs, lhs.as_bigint());
113 }
Here is the call graph for this function:

◆ operator*() [23/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bls12_377_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bls12_377_G1 rhs 
)

Definition at line 118 of file bls12_377_g1.hpp.

120 {
121  return scalar_mul<bls12_377_G1, m>(rhs, lhs.as_bigint());
122 }
Here is the call graph for this function:

◆ operator*() [24/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bls12_377_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bls12_377_G2 rhs 
)

Definition at line 110 of file bls12_377_g2.hpp.

112 {
113  return scalar_mul<bls12_377_G2, m>(rhs, lhs.as_bigint());
114 }
Here is the call graph for this function:

◆ operator*() [25/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bls12_381_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bls12_381_G1 rhs 
)

Definition at line 105 of file bls12_381_g1.hpp.

107 {
108  return scalar_mul<bls12_381_G1, m>(rhs, lhs.as_bigint());
109 }
Here is the call graph for this function:

◆ operator*() [26/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bls12_381_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bls12_381_G2 rhs 
)

Definition at line 112 of file bls12_381_g2.hpp.

114 {
115  return scalar_mul<bls12_381_G2, m>(rhs, lhs.as_bigint());
116 }
Here is the call graph for this function:

◆ operator*() [27/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bn128_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bn128_G1 rhs 
)

Definition at line 112 of file bn128_g1.hpp.

113 {
114  return scalar_mul<bn128_G1, m>(rhs, lhs.as_bigint());
115 }
Here is the call graph for this function:

◆ operator*() [28/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bn128_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bn128_G2 rhs 
)

Definition at line 112 of file bn128_g2.hpp.

113 {
114  return scalar_mul<bn128_G2, m>(rhs, lhs.as_bigint());
115 }
Here is the call graph for this function:

◆ operator*() [29/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bw6_761_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bw6_761_G1 rhs 
)

Definition at line 100 of file bw6_761_g1.hpp.

101 {
102  return scalar_mul<bw6_761_G1, m>(rhs, lhs.as_bigint());
103 }
Here is the call graph for this function:

◆ operator*() [30/42]

template<mp_size_t m, const bigint< m > & modulus_p>
bw6_761_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const bw6_761_G2 rhs 
)

Definition at line 104 of file bw6_761_g2.hpp.

105 {
106  return scalar_mul<bw6_761_G2, m>(rhs, lhs.as_bigint());
107 }
Here is the call graph for this function:

◆ operator*() [31/42]

template<mp_size_t m, const bigint< m > & modulus_p>
edwards_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const edwards_G1 rhs 
)

Definition at line 98 of file edwards_g1.hpp.

99 {
100  return scalar_mul<edwards_G1, m>(rhs, lhs.as_bigint());
101 }
Here is the call graph for this function:

◆ operator*() [32/42]

template<mp_size_t m, const bigint< m > & modulus_p>
edwards_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const edwards_G2 rhs 
)

Definition at line 105 of file edwards_g2.hpp.

106 {
107  return scalar_mul<edwards_G2, m>(rhs, lhs.as_bigint());
108 }
Here is the call graph for this function:

◆ operator*() [33/42]

template<mp_size_t m, const bigint< m > & modulus_p>
mnt4_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const mnt4_G1 rhs 
)

Definition at line 112 of file mnt4_g1.hpp.

113 {
114  return scalar_mul<mnt4_G1, m>(rhs, lhs.as_bigint());
115 }
Here is the call graph for this function:

◆ operator*() [34/42]

template<mp_size_t m, const bigint< m > & modulus_p>
mnt4_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const mnt4_G2 rhs 
)

Definition at line 112 of file mnt4_g2.hpp.

113 {
114  return scalar_mul<mnt4_G2, m>(rhs, lhs.as_bigint());
115 }
Here is the call graph for this function:

◆ operator*() [35/42]

template<mp_size_t m, const bigint< m > & modulus_p>
mnt6_G1 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const mnt6_G1 rhs 
)

Definition at line 115 of file mnt6_g1.hpp.

116 {
117  return scalar_mul<mnt6_G1, m>(rhs, lhs.as_bigint());
118 }
Here is the call graph for this function:

◆ operator*() [36/42]

template<mp_size_t m, const bigint< m > & modulus_p>
mnt6_G2 libff::operator* ( const Fp_model< m, modulus_p > &  lhs,
const mnt6_G2 rhs 
)

Definition at line 117 of file mnt6_g2.hpp.

118 {
119  return scalar_mul<mnt6_G2, m>(rhs, lhs.as_bigint());
120 }
Here is the call graph for this function:

◆ operator*() [37/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp12_2over3over2_model<n, modulus> libff::operator* ( const Fp_model< n, modulus > &  lhs,
const Fp12_2over3over2_model< n, modulus > &  rhs 
)

◆ operator*() [38/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp2_model<n, modulus> libff::operator* ( const Fp_model< n, modulus > &  lhs,
const Fp2_model< n, modulus > &  rhs 
)

◆ operator*() [39/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp3_model<n, modulus> libff::operator* ( const Fp_model< n, modulus > &  lhs,
const Fp3_model< n, modulus > &  rhs 
)

◆ operator*() [40/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp4_model<n, modulus> libff::operator* ( const Fp_model< n, modulus > &  lhs,
const Fp4_model< n, modulus > &  rhs 
)

◆ operator*() [41/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp6_2over3_model<n, modulus> libff::operator* ( const Fp_model< n, modulus > &  lhs,
const Fp6_2over3_model< n, modulus > &  rhs 
)

◆ operator*() [42/42]

template<mp_size_t n, const bigint< n > & modulus>
Fp6_3over2_model<n, modulus> libff::operator* ( const Fp_model< n, modulus > &  lhs,
const Fp6_3over2_model< n, modulus > &  rhs 
)

◆ operator<<() [1/62]

template<mp_size_t n>
std::ostream& libff::operator<< ( std::ostream &  ,
const bigint< n > &   
)

◆ operator<<() [2/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp12_2over3over2_model< n, modulus > &   
)

◆ operator<<() [3/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp2_model< n, modulus > &   
)

◆ operator<<() [4/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp3_model< n, modulus > &   
)

◆ operator<<() [5/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp4_model< n, modulus > &   
)

◆ operator<<() [6/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp6_2over3_model< n, modulus > &   
)

◆ operator<<() [7/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp6_3over2_model< n, modulus > &   
)

◆ operator<<() [8/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  ,
const Fp_model< n, modulus > &   
)

◆ operator<<() [9/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const alt_bn128_ate_ell_coeffs c 
)

Definition at line 49 of file alt_bn128_pairing.cpp.

50 {
51  out << c.ell_0 << OUTPUT_SEPARATOR << c.ell_VW << OUTPUT_SEPARATOR
52  << c.ell_VV;
53  return out;
54 }

◆ operator<<() [10/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const alt_bn128_ate_G1_precomp prec_P 
)

Definition at line 24 of file alt_bn128_pairing.cpp.

26 {
27  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY;
28 
29  return out;
30 }

◆ operator<<() [11/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const alt_bn128_ate_G2_precomp prec_Q 
)

Definition at line 75 of file alt_bn128_pairing.cpp.

77 {
78  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << "\n";
79  out << prec_Q.coeffs.size() << "\n";
80  for (const alt_bn128_ate_ell_coeffs &c : prec_Q.coeffs) {
81  out << c << OUTPUT_NEWLINE;
82  }
83  return out;
84 }

◆ operator<<() [12/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const alt_bn128_G1 g 
)

Definition at line 436 of file alt_bn128_g1.cpp.

437 {
438 #ifdef NO_PT_COMPRESSION
439  g.write_uncompressed(out);
440 #else
441  g.write_compressed(out);
442 #endif
443  return out;
444 }
Here is the call graph for this function:

◆ operator<<() [13/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const alt_bn128_G2 g 
)

Definition at line 466 of file alt_bn128_g2.cpp.

467 {
468 #ifdef NO_PT_COMPRESSION
469  g.write_uncompressed(out);
470 #else
471  g.write_compressed(out);
472 #endif
473  return out;
474 }
Here is the call graph for this function:

◆ operator<<() [14/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bls12_377_ate_ell_coeffs c 
)

Definition at line 42 of file bls12_377_pairing.cpp.

43 {
44  out << c.ell_0 << OUTPUT_SEPARATOR << c.ell_VW << OUTPUT_SEPARATOR
45  << c.ell_VV;
46  return out;
47 }

◆ operator<<() [15/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bls12_377_ate_G1_precomp prec_P 
)

Definition at line 17 of file bls12_377_pairing.cpp.

19 {
20  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY;
21 
22  return out;
23 }

◆ operator<<() [16/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bls12_377_ate_G2_precomp prec_Q 
)

Definition at line 68 of file bls12_377_pairing.cpp.

70 {
71  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << "\n";
72  out << prec_Q.coeffs.size() << "\n";
73  for (const bls12_377_ate_ell_coeffs &c : prec_Q.coeffs) {
74  out << c << OUTPUT_NEWLINE;
75  }
76  return out;
77 }

◆ operator<<() [17/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bls12_377_G1 g 
)

Definition at line 492 of file bls12_377_g1.cpp.

493 {
494 #ifdef NO_PT_COMPRESSION
495  g.write_uncompressed(out);
496 #else
497  g.write_compressed(out);
498 #endif
499  return out;
500 }
Here is the call graph for this function:

◆ operator<<() [18/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bls12_377_G2 g 
)

Definition at line 551 of file bls12_377_g2.cpp.

552 {
553 #ifdef NO_PT_COMPRESSION
554  g.write_uncompressed(out);
555 #else
556  g.write_compressed(out);
557 #endif
558  return out;
559 }
Here is the call graph for this function:

◆ operator<<() [19/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bls12_381_ate_ell_coeffs c 
)

Definition at line 49 of file bls12_381_pairing.cpp.

50 {
51  out << c.ell_0 << OUTPUT_SEPARATOR << c.ell_VW << OUTPUT_SEPARATOR
52  << c.ell_VV;
53  return out;
54 }

◆ operator<<() [20/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bls12_381_ate_G1_precomp prec_P 
)

Definition at line 24 of file bls12_381_pairing.cpp.

26 {
27  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY;
28 
29  return out;
30 }

◆ operator<<() [21/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bls12_381_ate_G2_precomp prec_Q 
)

Definition at line 75 of file bls12_381_pairing.cpp.

77 {
78  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << "\n";
79  out << prec_Q.coeffs.size() << "\n";
80  for (const bls12_381_ate_ell_coeffs &c : prec_Q.coeffs) {
81  out << c << OUTPUT_NEWLINE;
82  }
83 
84  return out;
85 }

◆ operator<<() [22/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bls12_381_G1 g 
)

Definition at line 421 of file bls12_381_g1.cpp.

422 {
423 #ifdef NO_PT_COMPRESSION
424  g.write_uncompressed(out);
425 #else
426  g.write_compressed(out);
427 #endif
428  return out;
429 }
Here is the call graph for this function:

◆ operator<<() [23/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bls12_381_G2 g 
)

Definition at line 443 of file bls12_381_g2.cpp.

444 {
445 #ifdef NO_PT_COMPRESSION
446  g.write_uncompressed(out);
447 #else
448  g.write_compressed(out);
449 #endif
450  return out;
451 }
Here is the call graph for this function:

◆ operator<<() [24/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bn128_ate_G1_precomp prec_P 
)

Definition at line 29 of file bn128_pairing.cpp.

30 {
31  for (size_t i = 0; i < 3; ++i) {
32 #ifndef BINARY_OUTPUT
33  out << prec_P.P[i] << "\n";
34 #else
35  out.write((char *)&prec_P.P[i], sizeof(prec_P.P[i]));
36 #endif
37  }
38  return out;
39 }

◆ operator<<() [25/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bn128_ate_G2_precomp prec_Q 
)

Definition at line 75 of file bn128_pairing.cpp.

76 {
77  for (size_t i = 0; i < 3; ++i) {
78 #ifndef BINARY_OUTPUT
79  out << prec_Q.Q[i].a_ << "\n";
80  out << prec_Q.Q[i].b_ << "\n";
81 #else
82  out.write((char *)&prec_Q.Q[i].a_, sizeof(prec_Q.Q[i].a_));
83  out.write((char *)&prec_Q.Q[i].b_, sizeof(prec_Q.Q[i].b_));
84 #endif
85  }
86 
87  out << prec_Q.coeffs.size() << "\n";
88 
89  for (size_t i = 0; i < prec_Q.coeffs.size(); ++i) {
90 #ifndef BINARY_OUTPUT
91  out << prec_Q.coeffs[i].a_.a_ << "\n";
92  out << prec_Q.coeffs[i].a_.b_ << "\n";
93  out << prec_Q.coeffs[i].b_.a_ << "\n";
94  out << prec_Q.coeffs[i].b_.b_ << "\n";
95  out << prec_Q.coeffs[i].c_.a_ << "\n";
96  out << prec_Q.coeffs[i].c_.b_ << "\n";
97 #else
98  out.write(
99  (char *)&prec_Q.coeffs[i].a_.a_, sizeof(prec_Q.coeffs[i].a_.a_));
100  out.write(
101  (char *)&prec_Q.coeffs[i].a_.b_, sizeof(prec_Q.coeffs[i].a_.b_));
102  out.write(
103  (char *)&prec_Q.coeffs[i].b_.a_, sizeof(prec_Q.coeffs[i].b_.a_));
104  out.write(
105  (char *)&prec_Q.coeffs[i].b_.b_, sizeof(prec_Q.coeffs[i].b_.b_));
106  out.write(
107  (char *)&prec_Q.coeffs[i].c_.a_, sizeof(prec_Q.coeffs[i].c_.a_));
108  out.write(
109  (char *)&prec_Q.coeffs[i].c_.b_, sizeof(prec_Q.coeffs[i].c_.b_));
110 #endif
111  }
112 
113  return out;
114 }

◆ operator<<() [26/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bn128_G1 g 
)

Definition at line 449 of file bn128_g1.cpp.

450 {
451 #ifdef NO_PT_COMPRESSION
452  g.write_uncompressed(out);
453 #else
454  g.write_compressed(out);
455 #endif
456  return out;
457 }
Here is the call graph for this function:

◆ operator<<() [27/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bn128_G2 g 
)

Definition at line 463 of file bn128_g2.cpp.

464 {
465 #ifdef NO_PT_COMPRESSION
466  g.write_uncompressed(out);
467 #else
468  g.write_compressed(out);
469 #endif
470  return out;
471 }
Here is the call graph for this function:

◆ operator<<() [28/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bn128_GT g 
)

Definition at line 42 of file bn128_gt.cpp.

43 {
44 #ifndef BINARY_OUTPUT
45  out << g.elem.a_ << OUTPUT_SEPARATOR << g.elem.b_;
46 #else
47  out.write((char *)&g.elem.a_, sizeof(g.elem.a_));
48  out.write((char *)&g.elem.b_, sizeof(g.elem.b_));
49 #endif
50  return out;
51 }

◆ operator<<() [29/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bw6_761_ate_ell_coeffs c 
)

Definition at line 42 of file bw6_761_pairing.cpp.

43 {
44  out << c.ell_0 << OUTPUT_SEPARATOR << c.ell_VW << OUTPUT_SEPARATOR
45  << c.ell_VV;
46  return out;
47 }

◆ operator<<() [30/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bw6_761_ate_G1_precomp prec_P 
)

Definition at line 17 of file bw6_761_pairing.cpp.

19 {
20  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY;
21 
22  return out;
23 }

◆ operator<<() [31/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bw6_761_ate_G2_precomp prec_Q 
)

Definition at line 113 of file bw6_761_pairing.cpp.

115 {
116  out << prec_Q.precomp_1 << OUTPUT_SEPARATOR << prec_Q.precomp_2 << "\n";
117  return out;
118 }

◆ operator<<() [32/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const bw6_761_ate_G2_precomp_iteration prec_Q 
)

Definition at line 68 of file bw6_761_pairing.cpp.

70 {
71  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << "\n";
72  out << prec_Q.coeffs.size() << "\n";
73  for (const bw6_761_ate_ell_coeffs &c : prec_Q.coeffs) {
74  out << c << OUTPUT_NEWLINE;
75  }
76  return out;
77 }

◆ operator<<() [33/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bw6_761_G1 g 
)

Definition at line 416 of file bw6_761_g1.cpp.

417 {
418 #ifdef NO_PT_COMPRESSION
419  g.write_uncompressed(out);
420 #else
421  g.write_compressed(out);
422 #endif
423  return out;
424 }
Here is the call graph for this function:

◆ operator<<() [34/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const bw6_761_G2 g 
)

Definition at line 427 of file bw6_761_g2.cpp.

428 {
429 #ifdef NO_PT_COMPRESSION
430  g.write_uncompressed(out);
431 #else
432  g.write_compressed(out);
433 #endif
434  return out;
435 }
Here is the call graph for this function:

◆ operator<<() [35/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const edwards_ate_G1_precomp prec_P 
)

Definition at line 162 of file edwards_pairing.cpp.

164 {
165  out << prec_P.P_XY << OUTPUT_SEPARATOR << prec_P.P_XZ << OUTPUT_SEPARATOR
166  << prec_P.P_ZZplusYZ;
167 
168  return out;
169 }

◆ operator<<() [36/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const edwards_ate_G2_precomp prec_Q 
)

Definition at line 122 of file edwards_pairing.cpp.

124 {
125  out << prec_Q.size() << "\n";
126  for (const edwards_Fq3_conic_coefficients &cc : prec_Q) {
127  out << cc << OUTPUT_NEWLINE;
128  }
129 
130  return out;
131 }

◆ operator<<() [37/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const edwards_Fq3_conic_coefficients cc 
)

Definition at line 104 of file edwards_pairing.cpp.

106 {
107  out << cc.c_ZZ << OUTPUT_SEPARATOR << cc.c_XY << OUTPUT_SEPARATOR
108  << cc.c_XZ;
109  return out;
110 }

◆ operator<<() [38/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const edwards_Fq_conic_coefficients cc 
)

Definition at line 26 of file edwards_pairing.cpp.

28 {
29  out << cc.c_ZZ << OUTPUT_SEPARATOR << cc.c_XY << OUTPUT_SEPARATOR
30  << cc.c_XZ;
31  return out;
32 }

◆ operator<<() [39/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const edwards_G1 g 
)

Definition at line 368 of file edwards_g1.cpp.

369 {
370 #ifdef NO_PT_COMPRESSION
371  g.write_uncompressed(out);
372 #else
373  g.write_compressed(out);
374 #endif
375  return out;
376 }
Here is the call graph for this function:

◆ operator<<() [40/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const edwards_G2 g 
)

Definition at line 426 of file edwards_g2.cpp.

427 {
428 #ifdef NO_PT_COMPRESSION
429  g.write_uncompressed(out);
430 #else
431  g.write_compressed(out);
432 #endif
433  return out;
434 }
Here is the call graph for this function:

◆ operator<<() [41/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const edwards_tate_G1_precomp prec_P 
)

Definition at line 44 of file edwards_pairing.cpp.

46 {
47  out << prec_P.size() << "\n";
48  for (const edwards_Fq_conic_coefficients &cc : prec_P) {
49  out << cc << OUTPUT_NEWLINE;
50  }
51 
52  return out;
53 }

◆ operator<<() [42/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const edwards_tate_G2_precomp prec_Q 
)

Definition at line 81 of file edwards_pairing.cpp.

83 {
84  out << prec_Q.y0 << OUTPUT_SEPARATOR << prec_Q.eta;
85  return out;
86 }

◆ operator<<() [43/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt4_ate_add_coeffs ac 
)

Definition at line 85 of file mnt4_pairing.cpp.

86 {
87  out << ac.c_L1 << OUTPUT_SEPARATOR << ac.c_RZ;
88  return out;
89 }

◆ operator<<() [44/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt4_ate_dbl_coeffs dc 
)

Definition at line 60 of file mnt4_pairing.cpp.

61 {
62  out << dc.c_H << OUTPUT_SEPARATOR << dc.c_4C << OUTPUT_SEPARATOR << dc.c_J
63  << OUTPUT_SEPARATOR << dc.c_L;
64  return out;
65 }

◆ operator<<() [45/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt4_ate_G1_precomp prec_P 
)

Definition at line 32 of file mnt4_pairing.cpp.

33 {
34  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY << OUTPUT_SEPARATOR
35  << prec_P.PX_twist << OUTPUT_SEPARATOR << prec_P.PY_twist;
36 
37  return out;
38 }

◆ operator<<() [46/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt4_ate_G2_precomp prec_Q 
)

Definition at line 109 of file mnt4_pairing.cpp.

110 {
111  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << OUTPUT_SEPARATOR
112  << prec_Q.QY2 << OUTPUT_SEPARATOR << prec_Q.QX_over_twist
113  << OUTPUT_SEPARATOR << prec_Q.QY_over_twist << "\n";
114  out << prec_Q.dbl_coeffs.size() << "\n";
115  for (const mnt4_ate_dbl_coeffs &dc : prec_Q.dbl_coeffs) {
116  out << dc << OUTPUT_NEWLINE;
117  }
118  out << prec_Q.add_coeffs.size() << "\n";
119  for (const mnt4_ate_add_coeffs &ac : prec_Q.add_coeffs) {
120  out << ac << OUTPUT_NEWLINE;
121  }
122 
123  return out;
124 }

◆ operator<<() [47/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const mnt4_G1 g 
)

Definition at line 507 of file mnt4_g1.cpp.

508 {
509 #ifdef NO_PT_COMPRESSION
510  g.write_uncompressed(out);
511 #else
512  g.write_compressed(out);
513 #endif
514  return out;
515 }
Here is the call graph for this function:

◆ operator<<() [48/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const mnt4_G2 g 
)

Definition at line 558 of file mnt4_g2.cpp.

559 {
560 #ifdef NO_PT_COMPRESSION
561  g.write_uncompressed(out);
562 #else
563  g.write_compressed(out);
564 #endif
565  return out;
566 }
Here is the call graph for this function:

◆ operator<<() [49/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt6_ate_add_coeffs ac 
)

Definition at line 85 of file mnt6_pairing.cpp.

86 {
87  out << ac.c_L1 << OUTPUT_SEPARATOR << ac.c_RZ;
88  return out;
89 }

◆ operator<<() [50/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt6_ate_dbl_coeffs dc 
)

Definition at line 60 of file mnt6_pairing.cpp.

61 {
62  out << dc.c_H << OUTPUT_SEPARATOR << dc.c_4C << OUTPUT_SEPARATOR << dc.c_J
63  << OUTPUT_SEPARATOR << dc.c_L;
64  return out;
65 }

◆ operator<<() [51/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt6_ate_G1_precomp prec_P 
)

Definition at line 32 of file mnt6_pairing.cpp.

33 {
34  out << prec_P.PX << OUTPUT_SEPARATOR << prec_P.PY << OUTPUT_SEPARATOR
35  << prec_P.PX_twist << OUTPUT_SEPARATOR << prec_P.PY_twist;
36 
37  return out;
38 }

◆ operator<<() [52/62]

std::ostream& libff::operator<< ( std::ostream &  out,
const mnt6_ate_G2_precomp prec_Q 
)

Definition at line 110 of file mnt6_pairing.cpp.

111 {
112  out << prec_Q.QX << OUTPUT_SEPARATOR << prec_Q.QY << OUTPUT_SEPARATOR
113  << prec_Q.QY2 << OUTPUT_SEPARATOR << prec_Q.QX_over_twist
114  << OUTPUT_SEPARATOR << prec_Q.QY_over_twist << "\n";
115  out << prec_Q.dbl_coeffs.size() << "\n";
116  for (const mnt6_ate_dbl_coeffs &dc : prec_Q.dbl_coeffs) {
117  out << dc << OUTPUT_NEWLINE;
118  }
119  out << prec_Q.add_coeffs.size() << "\n";
120  for (const mnt6_ate_add_coeffs &ac : prec_Q.add_coeffs) {
121  out << ac << OUTPUT_NEWLINE;
122  }
123 
124  return out;
125 }

◆ operator<<() [53/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const mnt6_G1 g 
)

Definition at line 524 of file mnt6_g1.cpp.

525 {
526 #ifdef NO_PT_COMPRESSION
527  g.write_uncompressed(out);
528 #else
529  g.write_compressed(out);
530 #endif
531  return out;
532 }
Here is the call graph for this function:

◆ operator<<() [54/62]

std::ostream & libff::operator<< ( std::ostream &  out,
const mnt6_G2 g 
)

Definition at line 575 of file mnt6_g2.cpp.

576 {
577 #ifdef NO_PT_COMPRESSION
578  g.write_uncompressed(out);
579 #else
580  g.write_compressed(out);
581 #endif
582  return out;
583 }
Here is the call graph for this function:

◆ operator<<() [55/62]

template<typename T1 , typename T2 >
std::ostream& libff::operator<< ( std::ostream &  out,
const std::map< T1, T2 > &  m 
)

◆ operator<<() [56/62]

template<typename T >
std::ostream& libff::operator<< ( std::ostream &  out,
const std::set< T > &  s 
)

◆ operator<<() [57/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  out,
const std::vector< Fp12_2over3over2_model< n, modulus >> &  v 
)

◆ operator<<() [58/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  out,
const std::vector< Fp2_model< n, modulus >> &  v 
)

◆ operator<<() [59/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  out,
const std::vector< Fp3_model< n, modulus >> &  v 
)

◆ operator<<() [60/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  out,
const std::vector< Fp6_2over3_model< n, modulus >> &  v 
)

◆ operator<<() [61/62]

template<mp_size_t n, const bigint< n > & modulus>
std::ostream& libff::operator<< ( std::ostream &  out,
const std::vector< Fp6_3over2_model< n, modulus >> &  v 
)

◆ operator<<() [62/62]

template<typename T >
std::ostream& libff::operator<< ( std::ostream &  out,
const std::vector< T > &  v 
)

◆ operator>>() [1/62]

template<mp_size_t n>
std::istream& libff::operator>> ( std::istream &  ,
bigint< n > &   
)

◆ operator>>() [2/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp12_2over3over2_model< n, modulus > &   
)

◆ operator>>() [3/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp2_model< n, modulus > &   
)

◆ operator>>() [4/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp3_model< n, modulus > &   
)

◆ operator>>() [5/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp4_model< n, modulus > &   
)

◆ operator>>() [6/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp6_2over3_model< n, modulus > &   
)

◆ operator>>() [7/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp6_3over2_model< n, modulus > &   
)

◆ operator>>() [8/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  ,
Fp_model< n, modulus > &   
)

◆ operator>>() [9/62]

std::istream& libff::operator>> ( std::istream &  in,
alt_bn128_ate_ell_coeffs c 
)

Definition at line 56 of file alt_bn128_pairing.cpp.

57 {
58  in >> c.ell_0;
59  consume_OUTPUT_SEPARATOR(in);
60  in >> c.ell_VW;
61  consume_OUTPUT_SEPARATOR(in);
62  in >> c.ell_VV;
63 
64  return in;
65 }
Here is the call graph for this function:

◆ operator>>() [10/62]

std::istream& libff::operator>> ( std::istream &  in,
alt_bn128_ate_G1_precomp prec_P 
)

Definition at line 32 of file alt_bn128_pairing.cpp.

33 {
34  in >> prec_P.PX;
35  consume_OUTPUT_SEPARATOR(in);
36  in >> prec_P.PY;
37 
38  return in;
39 }
Here is the call graph for this function:

◆ operator>>() [11/62]

std::istream& libff::operator>> ( std::istream &  in,
alt_bn128_ate_G2_precomp prec_Q 
)

Definition at line 86 of file alt_bn128_pairing.cpp.

87 {
88  in >> prec_Q.QX;
89  consume_OUTPUT_SEPARATOR(in);
90  in >> prec_Q.QY;
91  consume_newline(in);
92 
93  prec_Q.coeffs.clear();
94  size_t s;
95  in >> s;
96 
97  consume_newline(in);
98 
99  prec_Q.coeffs.reserve(s);
100 
101  for (size_t i = 0; i < s; ++i) {
102  alt_bn128_ate_ell_coeffs c;
103  in >> c;
104  consume_OUTPUT_NEWLINE(in);
105  prec_Q.coeffs.emplace_back(c);
106  }
107 
108  return in;
109 }
Here is the call graph for this function:

◆ operator>>() [12/62]

std::istream & libff::operator>> ( std::istream &  in,
alt_bn128_G1 g 
)

Definition at line 446 of file alt_bn128_g1.cpp.

447 {
448 #ifdef NO_PT_COMPRESSION
449  alt_bn128_G1::read_uncompressed(in, g);
450 #else
451  alt_bn128_G1::read_compressed(in, g);
452 #endif
453  return in;
454 }
Here is the call graph for this function:

◆ operator>>() [13/62]

std::istream & libff::operator>> ( std::istream &  in,
alt_bn128_G2 g 
)

Definition at line 476 of file alt_bn128_g2.cpp.

477 {
478 #ifdef NO_PT_COMPRESSION
479  alt_bn128_G2::read_uncompressed(in, g);
480 #else
481  alt_bn128_G2::read_compressed(in, g);
482 #endif
483  return in;
484 }
Here is the call graph for this function:

◆ operator>>() [14/62]

std::istream& libff::operator>> ( std::istream &  in,
bls12_377_ate_ell_coeffs c 
)

Definition at line 49 of file bls12_377_pairing.cpp.

50 {
51  in >> c.ell_0;
52  consume_OUTPUT_SEPARATOR(in);
53  in >> c.ell_VW;
54  consume_OUTPUT_SEPARATOR(in);
55  in >> c.ell_VV;
56 
57  return in;
58 }
Here is the call graph for this function:

◆ operator>>() [15/62]

std::istream& libff::operator>> ( std::istream &  in,
bls12_377_ate_G1_precomp prec_P 
)

Definition at line 25 of file bls12_377_pairing.cpp.

26 {
27  in >> prec_P.PX;
28  consume_OUTPUT_SEPARATOR(in);
29  in >> prec_P.PY;
30 
31  return in;
32 }
Here is the call graph for this function:

◆ operator>>() [16/62]

std::istream& libff::operator>> ( std::istream &  in,
bls12_377_ate_G2_precomp prec_Q 
)

Definition at line 79 of file bls12_377_pairing.cpp.

80 {
81  in >> prec_Q.QX;
82  consume_OUTPUT_SEPARATOR(in);
83  in >> prec_Q.QY;
84  consume_newline(in);
85 
86  prec_Q.coeffs.clear();
87  size_t s;
88  in >> s;
89 
90  consume_newline(in);
91 
92  prec_Q.coeffs.reserve(s);
93 
94  for (size_t i = 0; i < s; ++i) {
95  bls12_377_ate_ell_coeffs c;
96  in >> c;
97  consume_OUTPUT_NEWLINE(in);
98  prec_Q.coeffs.emplace_back(c);
99  }
100 
101  return in;
102 }
Here is the call graph for this function:

◆ operator>>() [17/62]

std::istream & libff::operator>> ( std::istream &  in,
bls12_377_G1 g 
)

Definition at line 502 of file bls12_377_g1.cpp.

503 {
504 #ifdef NO_PT_COMPRESSION
505  bls12_377_G1::read_uncompressed(in, g);
506 #else
507  bls12_377_G1::read_compressed(in, g);
508 #endif
509  return in;
510 }
Here is the call graph for this function:

◆ operator>>() [18/62]

std::istream & libff::operator>> ( std::istream &  in,
bls12_377_G2 g 
)

Definition at line 561 of file bls12_377_g2.cpp.

562 {
563 #ifdef NO_PT_COMPRESSION
564  bls12_377_G2::read_uncompressed(in, g);
565 #else
566  bls12_377_G2::read_compressed(in, g);
567 #endif
568  return in;
569 }
Here is the call graph for this function:

◆ operator>>() [19/62]

std::istream& libff::operator>> ( std::istream &  in,
bls12_381_ate_ell_coeffs c 
)

Definition at line 56 of file bls12_381_pairing.cpp.

57 {
58  in >> c.ell_0;
59  consume_OUTPUT_SEPARATOR(in);
60  in >> c.ell_VW;
61  consume_OUTPUT_SEPARATOR(in);
62  in >> c.ell_VV;
63 
64  return in;
65 }
Here is the call graph for this function:

◆ operator>>() [20/62]

std::istream& libff::operator>> ( std::istream &  in,
bls12_381_ate_G1_precomp prec_P 
)

Definition at line 32 of file bls12_381_pairing.cpp.

33 {
34  in >> prec_P.PX;
35  consume_OUTPUT_SEPARATOR(in);
36  in >> prec_P.PY;
37 
38  return in;
39 }
Here is the call graph for this function:

◆ operator>>() [21/62]

std::istream& libff::operator>> ( std::istream &  in,
bls12_381_ate_G2_precomp prec_Q 
)

Definition at line 87 of file bls12_381_pairing.cpp.

88 {
89  in >> prec_Q.QX;
90  consume_OUTPUT_SEPARATOR(in);
91  in >> prec_Q.QY;
92  consume_newline(in);
93 
94  prec_Q.coeffs.clear();
95  size_t s;
96  in >> s;
97 
98  consume_newline(in);
99 
100  prec_Q.coeffs.reserve(s);
101 
102  for (size_t i = 0; i < s; ++i) {
103  bls12_381_ate_ell_coeffs c;
104  in >> c;
105  consume_OUTPUT_NEWLINE(in);
106  prec_Q.coeffs.emplace_back(c);
107  }
108 
109  return in;
110 }
Here is the call graph for this function:

◆ operator>>() [22/62]

std::istream & libff::operator>> ( std::istream &  in,
bls12_381_G1 g 
)

Definition at line 431 of file bls12_381_g1.cpp.

432 {
433 #ifdef NO_PT_COMPRESSION
434  bls12_381_G1::read_uncompressed(in, g);
435 #else
436  bls12_381_G1::read_compressed(in, g);
437 #endif
438  return in;
439 }
Here is the call graph for this function:

◆ operator>>() [23/62]

std::istream & libff::operator>> ( std::istream &  in,
bls12_381_G2 g 
)

Definition at line 453 of file bls12_381_g2.cpp.

454 {
455 #ifdef NO_PT_COMPRESSION
456  bls12_381_G2::read_uncompressed(in, g);
457 #else
458  bls12_381_G2::read_compressed(in, g);
459 #endif
460  return in;
461 }
Here is the call graph for this function:

◆ operator>>() [24/62]

std::istream& libff::operator>> ( std::istream &  in,
bn128_ate_G1_precomp prec_P 
)

Definition at line 41 of file bn128_pairing.cpp.

42 {
43  for (size_t i = 0; i < 3; ++i) {
44 #ifndef BINARY_OUTPUT
45  in >> prec_P.P[i];
46  consume_newline(in);
47 #else
48  in.read((char *)&prec_P.P[i], sizeof(prec_P.P[i]));
49 #endif
50  }
51  return in;
52 }
Here is the call graph for this function:

◆ operator>>() [25/62]

std::istream& libff::operator>> ( std::istream &  in,
bn128_ate_G2_precomp prec_Q 
)

Definition at line 116 of file bn128_pairing.cpp.

117 {
118  for (size_t i = 0; i < 3; ++i) {
119 #ifndef BINARY_OUTPUT
120  in >> prec_Q.Q[i].a_;
121  consume_newline(in);
122  in >> prec_Q.Q[i].b_;
123  consume_newline(in);
124 #else
125  in.read((char *)&prec_Q.Q[i].a_, sizeof(prec_Q.Q[i].a_));
126  in.read((char *)&prec_Q.Q[i].b_, sizeof(prec_Q.Q[i].b_));
127 #endif
128  }
129 
130  size_t count;
131  in >> count;
132  consume_newline(in);
133  prec_Q.coeffs.resize(count);
134  for (size_t i = 0; i < count; ++i) {
135 #ifndef BINARY_OUTPUT
136  in >> prec_Q.coeffs[i].a_.a_;
137  consume_newline(in);
138  in >> prec_Q.coeffs[i].a_.b_;
139  consume_newline(in);
140  in >> prec_Q.coeffs[i].b_.a_;
141  consume_newline(in);
142  in >> prec_Q.coeffs[i].b_.b_;
143  consume_newline(in);
144  in >> prec_Q.coeffs[i].c_.a_;
145  consume_newline(in);
146  in >> prec_Q.coeffs[i].c_.b_;
147  consume_newline(in);
148 #else
149  in.read(
150  (char *)&prec_Q.coeffs[i].a_.a_, sizeof(prec_Q.coeffs[i].a_.a_));
151  in.read(
152  (char *)&prec_Q.coeffs[i].a_.b_, sizeof(prec_Q.coeffs[i].a_.b_));
153  in.read(
154  (char *)&prec_Q.coeffs[i].b_.a_, sizeof(prec_Q.coeffs[i].b_.a_));
155  in.read(
156  (char *)&prec_Q.coeffs[i].b_.b_, sizeof(prec_Q.coeffs[i].b_.b_));
157  in.read(
158  (char *)&prec_Q.coeffs[i].c_.a_, sizeof(prec_Q.coeffs[i].c_.a_));
159  in.read(
160  (char *)&prec_Q.coeffs[i].c_.b_, sizeof(prec_Q.coeffs[i].c_.b_));
161 #endif
162  }
163  return in;
164 }
Here is the call graph for this function:

◆ operator>>() [26/62]

std::istream & libff::operator>> ( std::istream &  in,
bn128_G1 g 
)

Definition at line 459 of file bn128_g1.cpp.

460 {
461 #ifdef NO_PT_COMPRESSION
462  bn128_G1::read_uncompressed(in, g);
463 #else
464  bn128_G1::read_compressed(in, g);
465 #endif
466  return in;
467 }
Here is the call graph for this function:

◆ operator>>() [27/62]

std::istream & libff::operator>> ( std::istream &  in,
bn128_G2 g 
)

Definition at line 473 of file bn128_g2.cpp.

474 {
475 #ifdef NO_PT_COMPRESSION
476  bn128_G2::read_uncompressed(in, g);
477 #else
478  bn128_G2::read_compressed(in, g);
479 #endif
480  return in;
481 }
Here is the call graph for this function:

◆ operator>>() [28/62]

std::istream & libff::operator>> ( std::istream &  in,
bn128_GT g 
)

Definition at line 53 of file bn128_gt.cpp.

54 {
55 #ifndef BINARY_OUTPUT
56  in >> g.elem.a_;
57  consume_OUTPUT_SEPARATOR(in);
58  in >> g.elem.b_;
59 #else
60  in.read((char *)&g.elem.a_, sizeof(g.elem.a_));
61  in.read((char *)&g.elem.b_, sizeof(g.elem.b_));
62 #endif
63  return in;
64 }
Here is the call graph for this function:

◆ operator>>() [29/62]

std::istream& libff::operator>> ( std::istream &  in,
bw6_761_ate_ell_coeffs c 
)

Definition at line 49 of file bw6_761_pairing.cpp.

50 {
51  in >> c.ell_0;
52  consume_OUTPUT_SEPARATOR(in);
53  in >> c.ell_VW;
54  consume_OUTPUT_SEPARATOR(in);
55  in >> c.ell_VV;
56 
57  return in;
58 }
Here is the call graph for this function:

◆ operator>>() [30/62]

std::istream& libff::operator>> ( std::istream &  in,
bw6_761_ate_G1_precomp prec_P 
)

Definition at line 25 of file bw6_761_pairing.cpp.

26 {
27  in >> prec_P.PX;
28  consume_OUTPUT_SEPARATOR(in);
29  in >> prec_P.PY;
30 
31  return in;
32 }
Here is the call graph for this function:

◆ operator>>() [31/62]

std::istream& libff::operator>> ( std::istream &  in,
bw6_761_ate_G2_precomp prec_Q 
)

Definition at line 120 of file bw6_761_pairing.cpp.

121 {
122  in >> prec_Q.precomp_1;
123  consume_OUTPUT_SEPARATOR(in);
124  in >> prec_Q.precomp_2;
125  consume_newline(in);
126  return in;
127 }
Here is the call graph for this function:

◆ operator>>() [32/62]

std::istream& libff::operator>> ( std::istream &  in,
bw6_761_ate_G2_precomp_iteration prec_Q 
)

Definition at line 79 of file bw6_761_pairing.cpp.

81 {
82  in >> prec_Q.QX;
83  consume_OUTPUT_SEPARATOR(in);
84  in >> prec_Q.QY;
85  consume_newline(in);
86 
87  prec_Q.coeffs.clear();
88  size_t s;
89  in >> s;
90 
91  consume_newline(in);
92 
93  prec_Q.coeffs.reserve(s);
94 
95  for (size_t i = 0; i < s; ++i) {
96  bw6_761_ate_ell_coeffs c;
97  in >> c;
98  consume_OUTPUT_NEWLINE(in);
99  prec_Q.coeffs.emplace_back(c);
100  }
101 
102  return in;
103 }
Here is the call graph for this function:

◆ operator>>() [33/62]

std::istream & libff::operator>> ( std::istream &  in,
bw6_761_G1 g 
)

Definition at line 479 of file bw6_761_g1.cpp.

480 {
481 #ifdef NO_PT_COMPRESSION
482  bw6_761_G1::read_uncompressed(in, g);
483 #else
484  bw6_761_G1::read_compressed(in, g);
485 #endif
486  return in;
487 }
Here is the call graph for this function:

◆ operator>>() [34/62]

std::istream & libff::operator>> ( std::istream &  in,
bw6_761_G2 g 
)

Definition at line 488 of file bw6_761_g2.cpp.

489 {
490 #ifdef NO_PT_COMPRESSION
491  bw6_761_G2::read_uncompressed(in, g);
492 #else
493  bw6_761_G2::read_compressed(in, g);
494 #endif
495  return in;
496 }
Here is the call graph for this function:

◆ operator>>() [35/62]

std::istream& libff::operator>> ( std::istream &  in,
edwards_ate_G1_precomp prec_P 
)

Definition at line 171 of file edwards_pairing.cpp.

172 {
173  in >> prec_P.P_XY >> prec_P.P_XZ >> prec_P.P_ZZplusYZ;
174 
175  return in;
176 }

◆ operator>>() [36/62]

std::istream & libff::operator>> ( std::istream &  in,
edwards_ate_G2_precomp prec_Q 
)

Definition at line 133 of file edwards_pairing.cpp.

134 {
135  prec_Q.clear();
136 
137  size_t s;
138  in >> s;
139 
140  consume_newline(in);
141 
142  prec_Q.reserve(s);
143 
144  for (size_t i = 0; i < s; ++i) {
145  edwards_Fq3_conic_coefficients cc;
146  in >> cc;
147  consume_OUTPUT_NEWLINE(in);
148  prec_Q.emplace_back(cc);
149  }
150 
151  return in;
152 }
Here is the call graph for this function:

◆ operator>>() [37/62]

std::istream& libff::operator>> ( std::istream &  in,
edwards_Fq3_conic_coefficients cc 
)

Definition at line 112 of file edwards_pairing.cpp.

113 {
114  in >> cc.c_ZZ;
115  consume_OUTPUT_SEPARATOR(in);
116  in >> cc.c_XY;
117  consume_OUTPUT_SEPARATOR(in);
118  in >> cc.c_XZ;
119  return in;
120 }
Here is the call graph for this function:

◆ operator>>() [38/62]

std::istream& libff::operator>> ( std::istream &  in,
edwards_Fq_conic_coefficients cc 
)

Definition at line 34 of file edwards_pairing.cpp.

35 {
36  in >> cc.c_ZZ;
37  consume_OUTPUT_SEPARATOR(in);
38  in >> cc.c_XY;
39  consume_OUTPUT_SEPARATOR(in);
40  in >> cc.c_XZ;
41  return in;
42 }
Here is the call graph for this function:

◆ operator>>() [39/62]

std::istream & libff::operator>> ( std::istream &  in,
edwards_G1 g 
)

Definition at line 378 of file edwards_g1.cpp.

379 {
380 #ifdef NO_PT_COMPRESSION
381  edwards_G1::read_uncompressed(in, g);
382 #else
383  edwards_G1::read_compressed(in, g);
384 #endif
385  return in;
386 }
Here is the call graph for this function:

◆ operator>>() [40/62]

std::istream & libff::operator>> ( std::istream &  in,
edwards_G2 g 
)

Definition at line 436 of file edwards_g2.cpp.

437 {
438 #ifdef NO_PT_COMPRESSION
439  edwards_G2::read_uncompressed(in, g);
440 #else
441  edwards_G2::read_compressed(in, g);
442 #endif
443  return in;
444 }
Here is the call graph for this function:

◆ operator>>() [41/62]

std::istream & libff::operator>> ( std::istream &  in,
edwards_tate_G1_precomp prec_P 
)

Definition at line 55 of file edwards_pairing.cpp.

56 {
57  prec_P.clear();
58 
59  size_t s;
60  in >> s;
61 
62  consume_newline(in);
63  prec_P.reserve(s);
64 
65  for (size_t i = 0; i < s; ++i) {
66  edwards_Fq_conic_coefficients cc;
67  in >> cc;
68  consume_OUTPUT_NEWLINE(in);
69  prec_P.emplace_back(cc);
70  }
71 
72  return in;
73 }
Here is the call graph for this function:

◆ operator>>() [42/62]

std::istream& libff::operator>> ( std::istream &  in,
edwards_tate_G2_precomp prec_Q 
)

Definition at line 88 of file edwards_pairing.cpp.

89 {
90  in >> prec_Q.y0;
91  consume_OUTPUT_SEPARATOR(in);
92  in >> prec_Q.eta;
93  return in;
94 }
Here is the call graph for this function:

◆ operator>>() [43/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt4_ate_add_coeffs ac 
)

Definition at line 91 of file mnt4_pairing.cpp.

92 {
93  in >> ac.c_L1;
94  consume_OUTPUT_SEPARATOR(in);
95  in >> ac.c_RZ;
96  return in;
97 }
Here is the call graph for this function:

◆ operator>>() [44/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt4_ate_dbl_coeffs dc 
)

Definition at line 67 of file mnt4_pairing.cpp.

68 {
69  in >> dc.c_H;
70  consume_OUTPUT_SEPARATOR(in);
71  in >> dc.c_4C;
72  consume_OUTPUT_SEPARATOR(in);
73  in >> dc.c_J;
74  consume_OUTPUT_SEPARATOR(in);
75  in >> dc.c_L;
76 
77  return in;
78 }
Here is the call graph for this function:

◆ operator>>() [45/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt4_ate_G1_precomp prec_P 
)

Definition at line 40 of file mnt4_pairing.cpp.

41 {
42  in >> prec_P.PX;
43  consume_OUTPUT_SEPARATOR(in);
44  in >> prec_P.PY;
45  consume_OUTPUT_SEPARATOR(in);
46  in >> prec_P.PX_twist;
47  consume_OUTPUT_SEPARATOR(in);
48  in >> prec_P.PY_twist;
49 
50  return in;
51 }
Here is the call graph for this function:

◆ operator>>() [46/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt4_ate_G2_precomp prec_Q 
)

Definition at line 126 of file mnt4_pairing.cpp.

127 {
128  in >> prec_Q.QX;
129  consume_OUTPUT_SEPARATOR(in);
130  in >> prec_Q.QY;
131  consume_OUTPUT_SEPARATOR(in);
132  in >> prec_Q.QY2;
133  consume_OUTPUT_SEPARATOR(in);
134  in >> prec_Q.QX_over_twist;
135  consume_OUTPUT_SEPARATOR(in);
136  in >> prec_Q.QY_over_twist;
137  consume_newline(in);
138 
139  prec_Q.dbl_coeffs.clear();
140  size_t dbl_s;
141  in >> dbl_s;
142  consume_newline(in);
143 
144  prec_Q.dbl_coeffs.reserve(dbl_s);
145 
146  for (size_t i = 0; i < dbl_s; ++i) {
147  mnt4_ate_dbl_coeffs dc;
148  in >> dc;
149  consume_OUTPUT_NEWLINE(in);
150  prec_Q.dbl_coeffs.emplace_back(dc);
151  }
152 
153  prec_Q.add_coeffs.clear();
154  size_t add_s;
155  in >> add_s;
156  consume_newline(in);
157 
158  prec_Q.add_coeffs.reserve(add_s);
159 
160  for (size_t i = 0; i < add_s; ++i) {
161  mnt4_ate_add_coeffs ac;
162  in >> ac;
163  consume_OUTPUT_NEWLINE(in);
164  prec_Q.add_coeffs.emplace_back(ac);
165  }
166 
167  return in;
168 }
Here is the call graph for this function:

◆ operator>>() [47/62]

std::istream & libff::operator>> ( std::istream &  in,
mnt4_G1 g 
)

Definition at line 517 of file mnt4_g1.cpp.

518 {
519 #ifdef NO_PT_COMPRESSION
520  mnt4_G1::read_uncompressed(in, g);
521 #else
522  mnt4_G1::read_compressed(in, g);
523 #endif
524  return in;
525 }
Here is the call graph for this function:

◆ operator>>() [48/62]

std::istream & libff::operator>> ( std::istream &  in,
mnt4_G2 g 
)

Definition at line 568 of file mnt4_g2.cpp.

569 {
570 #ifdef NO_PT_COMPRESSION
571  mnt4_G2::read_uncompressed(in, g);
572 #else
573  mnt4_G2::read_compressed(in, g);
574 #endif
575  return in;
576 }
Here is the call graph for this function:

◆ operator>>() [49/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt6_ate_add_coeffs ac 
)

Definition at line 91 of file mnt6_pairing.cpp.

92 {
93  in >> ac.c_L1;
94  consume_OUTPUT_SEPARATOR(in);
95  in >> ac.c_RZ;
96 
97  return in;
98 }
Here is the call graph for this function:

◆ operator>>() [50/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt6_ate_dbl_coeffs dc 
)

Definition at line 67 of file mnt6_pairing.cpp.

68 {
69  in >> dc.c_H;
70  consume_OUTPUT_SEPARATOR(in);
71  in >> dc.c_4C;
72  consume_OUTPUT_SEPARATOR(in);
73  in >> dc.c_J;
74  consume_OUTPUT_SEPARATOR(in);
75  in >> dc.c_L;
76 
77  return in;
78 }
Here is the call graph for this function:

◆ operator>>() [51/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt6_ate_G1_precomp prec_P 
)

Definition at line 40 of file mnt6_pairing.cpp.

41 {
42  in >> prec_P.PX;
43  consume_OUTPUT_SEPARATOR(in);
44  in >> prec_P.PY;
45  consume_OUTPUT_SEPARATOR(in);
46  in >> prec_P.PX_twist;
47  consume_OUTPUT_SEPARATOR(in);
48  in >> prec_P.PY_twist;
49 
50  return in;
51 }
Here is the call graph for this function:

◆ operator>>() [52/62]

std::istream& libff::operator>> ( std::istream &  in,
mnt6_ate_G2_precomp prec_Q 
)

Definition at line 127 of file mnt6_pairing.cpp.

128 {
129  in >> prec_Q.QX;
130  consume_OUTPUT_SEPARATOR(in);
131  in >> prec_Q.QY;
132  consume_OUTPUT_SEPARATOR(in);
133  in >> prec_Q.QY2;
134  consume_OUTPUT_SEPARATOR(in);
135  in >> prec_Q.QX_over_twist;
136  consume_OUTPUT_SEPARATOR(in);
137  in >> prec_Q.QY_over_twist;
138  consume_newline(in);
139 
140  prec_Q.dbl_coeffs.clear();
141  size_t dbl_s;
142  in >> dbl_s;
143  consume_newline(in);
144 
145  prec_Q.dbl_coeffs.reserve(dbl_s);
146 
147  for (size_t i = 0; i < dbl_s; ++i) {
148  mnt6_ate_dbl_coeffs dc;
149  in >> dc;
150  consume_OUTPUT_NEWLINE(in);
151  prec_Q.dbl_coeffs.emplace_back(dc);
152  }
153 
154  prec_Q.add_coeffs.clear();
155  size_t add_s;
156  in >> add_s;
157  consume_newline(in);
158 
159  prec_Q.add_coeffs.reserve(add_s);
160 
161  for (size_t i = 0; i < add_s; ++i) {
162  mnt6_ate_add_coeffs ac;
163  in >> ac;
164  consume_OUTPUT_NEWLINE(in);
165  prec_Q.add_coeffs.emplace_back(ac);
166  }
167 
168  return in;
169 }
Here is the call graph for this function:

◆ operator>>() [53/62]

std::istream & libff::operator>> ( std::istream &  in,
mnt6_G1 g 
)

Definition at line 534 of file mnt6_g1.cpp.

535 {
536 #ifdef NO_PT_COMPRESSION
537  mnt6_G1::read_uncompressed(in, g);
538 #else
539  mnt6_G1::read_compressed(in, g);
540 #endif
541  return in;
542 }
Here is the call graph for this function:

◆ operator>>() [54/62]

std::istream & libff::operator>> ( std::istream &  in,
mnt6_G2 g 
)

Definition at line 585 of file mnt6_g2.cpp.

586 {
587 #ifdef NO_PT_COMPRESSION
588  mnt6_G2::read_uncompressed(in, g);
589 #else
590  mnt6_G2::read_compressed(in, g);
591 #endif
592  return in;
593 }
Here is the call graph for this function:

◆ operator>>() [55/62]

template<typename T1 , typename T2 >
std::istream& libff::operator>> ( std::istream &  in,
std::map< T1, T2 > &  m 
)

◆ operator>>() [56/62]

template<typename T >
std::istream& libff::operator>> ( std::istream &  in,
std::set< T > &  s 
)

◆ operator>>() [57/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  in,
std::vector< Fp12_2over3over2_model< n, modulus >> &  v 
)

◆ operator>>() [58/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  in,
std::vector< Fp2_model< n, modulus >> &  v 
)

◆ operator>>() [59/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  in,
std::vector< Fp3_model< n, modulus >> &  v 
)

◆ operator>>() [60/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  in,
std::vector< Fp6_2over3_model< n, modulus >> &  v 
)

◆ operator>>() [61/62]

template<mp_size_t n, const bigint< n > & modulus>
std::istream& libff::operator>> ( std::istream &  in,
std::vector< Fp6_3over2_model< n, modulus >> &  v 
)

◆ operator>>() [62/62]

template<typename T >
std::istream& libff::operator>> ( std::ostream &  out,
std::vector< T > &  v 
)

◆ operator^() [1/8]

template<mp_size_t m>
bn128_GT libff::operator^ ( const bn128_GT rhs,
const bigint< m > &  lhs 
)

Definition at line 45 of file bn128_gt.hpp.

46 {
47  return power<bn128_GT, m>(rhs, lhs);
48 }

◆ operator^() [2/8]

template<mp_size_t m, const bigint< m > & modulus_p>
bn128_GT libff::operator^ ( const bn128_GT rhs,
const Fp_model< m, modulus_p > &  lhs 
)

Definition at line 51 of file bn128_gt.hpp.

52 {
53  return power<bn128_GT, m>(rhs, lhs.as_bigint());
54 }
Here is the call graph for this function:

◆ operator^() [3/8]

template<mp_size_t n, const bigint< n > & modulus, mp_size_t m>
Fp12_2over3over2_model<n, modulus> libff::operator^ ( const Fp12_2over3over2_model< n, modulus > &  self,
const bigint< m > &  exponent 
)

◆ operator^() [4/8]

template<mp_size_t n, const bigint< n > & modulus, mp_size_t m, const bigint< m > & exp_modulus>
Fp12_2over3over2_model<n, modulus> libff::operator^ ( const Fp12_2over3over2_model< n, modulus > &  self,
const Fp_model< m, exp_modulus > &  exponent 
)

◆ operator^() [5/8]

template<mp_size_t n, const bigint< n > & modulus, mp_size_t m>
Fp4_model<n, modulus> libff::operator^ ( const Fp4_model< n, modulus > &  self,
const bigint< m > &  exponent 
)

◆ operator^() [6/8]

template<mp_size_t n, const bigint< n > & modulus, mp_size_t m, const bigint< m > & modulus_p>
Fp4_model<n, modulus> libff::operator^ ( const Fp4_model< n, modulus > &  self,
const Fp_model< m, modulus_p > &  exponent 
)

◆ operator^() [7/8]

template<mp_size_t n, const bigint< n > & modulus, mp_size_t m>
Fp6_2over3_model<n, modulus> libff::operator^ ( const Fp6_2over3_model< n, modulus > &  self,
const bigint< m > &  exponent 
)

◆ operator^() [8/8]

template<mp_size_t n, const bigint< n > & modulus, mp_size_t m, const bigint< m > & exp_modulus>
Fp6_2over3_model<n, modulus> libff::operator^ ( const Fp6_2over3_model< n, modulus > &  self,
const Fp_model< m, exp_modulus > &  exponent 
)

◆ opt_window_wnaf_exp()

template<typename T , mp_size_t n>
T libff::opt_window_wnaf_exp ( const T &  base,
const bigint< n > &  scalar,
const size_t  scalar_bits 
)

In additive notation, use wNAF exponentiation (with the window size determined by T) to compute scalar * base.

◆ output_bool()

void libff::output_bool ( std::ostream &  out,
const bool  b 
)
inline

◆ output_bool_vector()

void libff::output_bool_vector ( std::ostream &  out,
const std::vector< bool > &  v 
)
inline

◆ pack_bit_vector_into_field_element_vector() [1/2]

template<typename FieldT >
std::vector<FieldT> libff::pack_bit_vector_into_field_element_vector ( const bit_vector v)

◆ pack_bit_vector_into_field_element_vector() [2/2]

template<typename FieldT >
std::vector<FieldT> libff::pack_bit_vector_into_field_element_vector ( const bit_vector v,
const size_t  chunk_bits 
)

◆ pack_int_vector_into_field_element_vector()

template<typename FieldT >
std::vector<FieldT> libff::pack_int_vector_into_field_element_vector ( const std::vector< size_t > &  v,
const size_t  w 
)

◆ power() [1/2]

template<typename FieldT , mp_size_t m>
FieldT libff::power ( const FieldT &  base,
const bigint< m > &  exponent 
)
Here is the caller graph for this function:

◆ power() [2/2]

template<typename FieldT >
FieldT libff::power ( const FieldT &  base,
const unsigned long  exponent 
)

◆ print_compilation_info()

void libff::print_compilation_info ( )

Definition at line 375 of file profiling.cpp.

376 {
377 #ifdef __GNUC__
378  printf("g++ version: %s\n", __VERSION__);
379  printf("Compiled on %s %s\n", __DATE__, __TIME__);
380 #endif
381 #ifdef STATIC
382  printf("STATIC: yes\n");
383 #else
384  printf("STATIC: no\n");
385 #endif
386 #ifdef MULTICORE
387  printf("MULTICORE: yes\n");
388 #else
389  printf("MULTICORE: no\n");
390 #endif
391 #ifdef DEBUG
392  printf("DEBUG: yes\n");
393 #else
394  printf("DEBUG: no\n");
395 #endif
396 #ifdef PROFILE_OP_COUNTS
397  printf("PROFILE_OP_COUNTS: yes\n");
398 #else
399  printf("PROFILE_OP_COUNTS: no\n");
400 #endif
401 #ifdef _GLIBCXX_DEBUG
402  printf("_GLIBCXX_DEBUG: yes\n");
403 #else
404  printf("_GLIBCXX_DEBUG: no\n");
405 #endif
406 }
Here is the caller graph for this function:

◆ print_cumulative_op_counts()

void libff::print_cumulative_op_counts ( const bool  only_fq)

Definition at line 144 of file profiling.cpp.

145 {
146 #ifdef PROFILE_OP_COUNTS
147  printf("Dumping operation counts:\n");
148  for (auto &msg : invocation_counts) {
149  printf(" %-45s: ", msg.first.c_str());
150  bool first = true;
151  for (auto &data_point : op_data_points) {
152  if (only_fq && data_point.first.compare(0, 2, "Fq") != 0) {
153  continue;
154  }
155 
156  if (!first) {
157  printf(", ");
158  }
159  printf(
160  "%-5s = %7.0f (%3zu)",
161  data_point.first.c_str(),
162  1. *
163  cumulative_op_counts[std::make_pair(
164  msg.first, data_point.first)] /
165  msg.second,
166  msg.second);
167  first = false;
168  }
169  printf("\n");
170  }
171 #else
172  UNUSED(only_fq);
173 #endif
174 }
Here is the call graph for this function:

◆ print_cumulative_time_entry()

void libff::print_cumulative_time_entry ( const std::string &  key,
const long long  factor 
)

Definition at line 118 of file profiling.cpp.

119 {
120  const double total_ms = (cumulative_times.at(key) * 1e-6);
121  const size_t cnt = invocation_counts.at(key);
122  const double avg_ms = total_ms / cnt;
123  printf(
124  " %-45s: %12.5fms = %lld * %0.5fms (%zu invocations, %0.5fms = %lld "
125  "* %0.5fms per invocation)\n",
126  key.c_str(),
127  total_ms,
128  factor,
129  total_ms / factor,
130  cnt,
131  avg_ms,
132  factor,
133  avg_ms / factor);
134 }
Here is the caller graph for this function:

◆ print_cumulative_times()

void libff::print_cumulative_times ( const long long  factor)

Definition at line 136 of file profiling.cpp.

137 {
138  printf("Dumping times:\n");
139  for (auto &kv : cumulative_times) {
140  print_cumulative_time_entry(kv.first, factor);
141  }
142 }
Here is the call graph for this function:

◆ print_header()

void libff::print_header ( const char *  msg)

Definition at line 248 of file profiling.cpp.

249 {
250  printf("\n================================================================="
251  "===============\n");
252  printf("%s\n", msg);
253  printf("==================================================================="
254  "=============\n\n");
255 }

◆ print_indent()

void libff::print_indent ( )

Definition at line 257 of file profiling.cpp.

258 {
259  for (size_t i = 0; i < indentation; ++i) {
260  printf(" ");
261  }
262 }
Here is the caller graph for this function:

◆ print_mem()

void libff::print_mem ( const std::string &  s)

Definition at line 354 of file profiling.cpp.

355 {
356 #ifndef NO_PROCPS
357  struct proc_t usage;
358  look_up_our_self(&usage);
359  if (s.empty()) {
360  printf(
361  "* Peak vsize (physical memory+swap) in mebibytes: %lu\n",
362  usage.vsize >> 20);
363  } else {
364  printf(
365  "* Peak vsize (physical memory+swap) in mebibytes (%s): %lu\n",
366  s.c_str(),
367  usage.vsize >> 20);
368  }
369 #else
370  UNUSED(s);
371  printf("* Memory profiling not supported in NO_PROCPS mode\n");
372 #endif
373 }
Here is the call graph for this function:

◆ print_op_profiling()

void libff::print_op_profiling ( const std::string &  msg)

Definition at line 176 of file profiling.cpp.

177 {
178 #ifdef PROFILE_OP_COUNTS
179  printf("\n");
180  print_indent();
181 
182  printf("(opcounts) = (");
183  bool first = true;
184  for (std::pair<std::string, long long *> p : op_data_points) {
185  if (!first) {
186  printf(", ");
187  }
188 
189  printf(
190  "%s=%lld",
191  p.first.c_str(),
192  *(p.second) - op_counts[std::make_pair(msg, p.first)]);
193  first = false;
194  }
195  printf(")");
196 #else
197  UNUSED(msg);
198 #endif
199 }
Here is the call graph for this function:
Here is the caller graph for this function:

◆ print_time()

void libff::print_time ( const char *  msg)

Definition at line 227 of file profiling.cpp.

228 {
229  if (inhibit_profiling_info) {
230  return;
231  }
232 
233  long long now = get_nsec_time();
234  long long cpu_now = get_nsec_cpu_time();
235 
236  printf("%-35s\t", msg);
237  print_times_from_last_and_start(now, last_time, cpu_now, last_cpu_time);
238 #ifdef PROFILE_OP_COUNTS
239  print_op_profiling(msg);
240 #endif
241  printf("\n");
242 
243  fflush(stdout);
244  last_time = now;
245  last_cpu_time = cpu_now;
246 }
Here is the call graph for this function:

◆ print_vector()

template<typename FieldT >
void libff::print_vector ( const std::vector< FieldT > &  v)

print the elements of a vector

◆ reserialize()

template<typename T >
T libff::reserialize ( const T &  obj)

◆ scalar_mul()

template<typename GroupT , mp_size_t m>
GroupT libff::scalar_mul ( const GroupT &  base,
const bigint< m > &  scalar 
)

◆ serialize_bit_vector()

void libff::serialize_bit_vector ( std::ostream &  out,
const bit_vector v 
)

Definition at line 103 of file utils.cpp.

104 {
105  out << v.size() << "\n";
106  for (size_t i = 0; i < v.size(); ++i) {
107  out << v[i] << "\n";
108  }
109 }

◆ SHA512_rng()

template<typename FieldT >
FieldT libff::SHA512_rng ( const uint64_t  idx)

◆ size_in_bits()

template<typename T >
size_t libff::size_in_bits ( const std::vector< T > &  v)

◆ start_profiling()

void libff::start_profiling ( )

Definition at line 65 of file profiling.cpp.

66 {
67  printf("Reset time counters for profiling\n");
68 
69  last_time = start_time = get_nsec_time();
70  last_cpu_time = start_cpu_time = get_nsec_cpu_time();
71 }
Here is the call graph for this function:

◆ to_twos_complement()

size_t libff::to_twos_complement ( int  i,
size_t  w 
)

Definition at line 46 of file utils.cpp.

47 {
48  assert(i >= -(1l << (w - 1)));
49  assert(i < (1l << (w - 1)));
50  return (i >= 0) ? i : i + (1l << w);
51 }

◆ UNUSED()

template<typename... Types>
void libff::UNUSED ( Types &&  ...)

A variadic template to suppress unused argument warnings.

Definition at line 45 of file utils.hpp.

45 {}
Here is the caller graph for this function:

◆ update_wnaf()

template<mp_size_t n>
void libff::update_wnaf ( std::vector< long > &  naf,
const size_t  window_size,
const bigint< n > &  scalar 
)

Find the wNAF representation of the given scalar relative to the given window size, reusing the given vector to store it.

◆ windowed_exp()

template<typename T , typename FieldT >
T libff::windowed_exp ( const size_t  scalar_size,
const size_t  window,
const window_table< T > &  powers_of_g,
const FieldT &  pow 
)

◆ wnaf_opt_window_size()

template<typename T >
size_t libff::wnaf_opt_window_size ( const size_t  scalar_bits)

Compute optimal window size.

Variable Documentation

◆ alt_bn128_ate_is_loop_count_neg

bool libff::alt_bn128_ate_is_loop_count_neg

Definition at line 27 of file alt_bn128_init.cpp.

◆ alt_bn128_ate_loop_count

bigint< alt_bn128_q_limbs > libff::alt_bn128_ate_loop_count

Definition at line 26 of file alt_bn128_init.cpp.

◆ alt_bn128_coeff_b

alt_bn128_Fq libff::alt_bn128_coeff_b

Definition at line 18 of file alt_bn128_init.cpp.

◆ alt_bn128_final_exponent

bigint< 12 *alt_bn128_q_limbs > libff::alt_bn128_final_exponent

Definition at line 28 of file alt_bn128_init.cpp.

◆ alt_bn128_final_exponent_is_z_neg

bool libff::alt_bn128_final_exponent_is_z_neg

Definition at line 30 of file alt_bn128_init.cpp.

◆ alt_bn128_final_exponent_z

bigint< alt_bn128_q_limbs > libff::alt_bn128_final_exponent_z

Definition at line 29 of file alt_bn128_init.cpp.

◆ alt_bn128_modulus_q

bigint< alt_bn128_q_limbs > libff::alt_bn128_modulus_q

Definition at line 16 of file alt_bn128_init.cpp.

◆ alt_bn128_modulus_r

bigint< alt_bn128_r_limbs > libff::alt_bn128_modulus_r

Definition at line 15 of file alt_bn128_init.cpp.

◆ alt_bn128_q_bitcount

const mp_size_t libff::alt_bn128_q_bitcount = 254

Definition at line 20 of file alt_bn128_init.hpp.

◆ alt_bn128_q_limbs

const mp_size_t libff::alt_bn128_q_limbs
Initial value:
=
(alt_bn128_q_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 24 of file alt_bn128_init.hpp.

◆ alt_bn128_r_bitcount

const mp_size_t libff::alt_bn128_r_bitcount = 254

Definition at line 19 of file alt_bn128_init.hpp.

◆ alt_bn128_r_limbs

const mp_size_t libff::alt_bn128_r_limbs
Initial value:
=
(alt_bn128_r_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 22 of file alt_bn128_init.hpp.

◆ alt_bn128_twist

alt_bn128_Fq2 libff::alt_bn128_twist

Definition at line 19 of file alt_bn128_init.cpp.

◆ alt_bn128_twist_coeff_b

alt_bn128_Fq2 libff::alt_bn128_twist_coeff_b

Definition at line 20 of file alt_bn128_init.cpp.

◆ alt_bn128_twist_mul_by_b_c0

alt_bn128_Fq libff::alt_bn128_twist_mul_by_b_c0

Definition at line 21 of file alt_bn128_init.cpp.

◆ alt_bn128_twist_mul_by_b_c1

alt_bn128_Fq libff::alt_bn128_twist_mul_by_b_c1

Definition at line 22 of file alt_bn128_init.cpp.

◆ alt_bn128_twist_mul_by_q_X

alt_bn128_Fq2 libff::alt_bn128_twist_mul_by_q_X

Definition at line 23 of file alt_bn128_init.cpp.

◆ alt_bn128_twist_mul_by_q_Y

alt_bn128_Fq2 libff::alt_bn128_twist_mul_by_q_Y

Definition at line 24 of file alt_bn128_init.cpp.

◆ block_names

std::vector<std::string> libff::block_names

Definition at line 88 of file profiling.cpp.

◆ bls12_377_ate_is_loop_count_neg

bool libff::bls12_377_ate_is_loop_count_neg

Definition at line 44 of file bls12_377_init.cpp.

◆ bls12_377_ate_loop_count

bigint< bls12_377_q_limbs > libff::bls12_377_ate_loop_count

Definition at line 43 of file bls12_377_init.cpp.

◆ bls12_377_coeff_b

bls12_377_Fq libff::bls12_377_coeff_b

Definition at line 16 of file bls12_377_init.cpp.

◆ bls12_377_final_exponent

bigint< 12 *bls12_377_q_limbs > libff::bls12_377_final_exponent

Definition at line 46 of file bls12_377_init.cpp.

◆ bls12_377_final_exponent_is_z_neg

bool libff::bls12_377_final_exponent_is_z_neg

Definition at line 48 of file bls12_377_init.cpp.

◆ bls12_377_final_exponent_z

bigint< bls12_377_q_limbs > libff::bls12_377_final_exponent_z

Definition at line 47 of file bls12_377_init.cpp.

◆ bls12_377_g1_endomorphism_beta

bls12_377_Fq libff::bls12_377_g1_endomorphism_beta

Definition at line 26 of file bls12_377_init.cpp.

◆ bls12_377_g1_proof_of_safe_subgroup_non_member_x

bls12_377_Fq libff::bls12_377_g1_proof_of_safe_subgroup_non_member_x

Definition at line 29 of file bls12_377_init.cpp.

◆ bls12_377_g1_proof_of_safe_subgroup_non_member_y

bls12_377_Fq libff::bls12_377_g1_proof_of_safe_subgroup_non_member_y

Definition at line 30 of file bls12_377_init.cpp.

◆ bls12_377_g1_proof_of_safe_subgroup_w

bigint< bls12_377_r_limbs > libff::bls12_377_g1_proof_of_safe_subgroup_w

Definition at line 28 of file bls12_377_init.cpp.

◆ bls12_377_g1_safe_subgroup_check_c1

bigint< bls12_377_r_limbs > libff::bls12_377_g1_safe_subgroup_check_c1

Definition at line 27 of file bls12_377_init.cpp.

◆ bls12_377_g2_mul_by_cofactor_h2_0

bigint< bls12_377_r_limbs > libff::bls12_377_g2_mul_by_cofactor_h2_0

Definition at line 40 of file bls12_377_init.cpp.

◆ bls12_377_g2_mul_by_cofactor_h2_1

bigint< bls12_377_r_limbs > libff::bls12_377_g2_mul_by_cofactor_h2_1

Definition at line 41 of file bls12_377_init.cpp.

◆ bls12_377_g2_untwist_frobenius_twist_v

bls12_377_Fq12 libff::bls12_377_g2_untwist_frobenius_twist_v

Definition at line 34 of file bls12_377_init.cpp.

◆ bls12_377_g2_untwist_frobenius_twist_v_inverse

bls12_377_Fq12 libff::bls12_377_g2_untwist_frobenius_twist_v_inverse

Definition at line 36 of file bls12_377_init.cpp.

◆ bls12_377_g2_untwist_frobenius_twist_w

bls12_377_Fq12 libff::bls12_377_g2_untwist_frobenius_twist_w

Definition at line 33 of file bls12_377_init.cpp.

◆ bls12_377_g2_untwist_frobenius_twist_w_3

bls12_377_Fq12 libff::bls12_377_g2_untwist_frobenius_twist_w_3

Definition at line 35 of file bls12_377_init.cpp.

◆ bls12_377_g2_untwist_frobenius_twist_w_3_inverse

bls12_377_Fq12 libff::bls12_377_g2_untwist_frobenius_twist_w_3_inverse

Definition at line 37 of file bls12_377_init.cpp.

◆ bls12_377_modulus_r

bigint< bls12_377_r_limbs > libff::bls12_377_modulus_r

Definition at line 11 of file bls12_377_init.cpp.

◆ bls12_377_q_bitcount

const mp_size_t libff::bls12_377_q_bitcount = 377

Definition at line 25 of file bls12_377_init.hpp.

◆ bls12_377_q_limbs

const mp_size_t libff::bls12_377_q_limbs
Initial value:
=
(bls12_377_q_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 29 of file bls12_377_init.hpp.

◆ bls12_377_r_bitcount

const mp_size_t libff::bls12_377_r_bitcount = 253

Definition at line 24 of file bls12_377_init.hpp.

◆ bls12_377_r_limbs

const mp_size_t libff::bls12_377_r_limbs
Initial value:
=
(bls12_377_r_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 27 of file bls12_377_init.hpp.

◆ bls12_377_trace_of_frobenius

bigint< bls12_377_r_limbs > libff::bls12_377_trace_of_frobenius

Definition at line 17 of file bls12_377_init.cpp.

◆ bls12_377_twist

bls12_377_Fq2 libff::bls12_377_twist

Definition at line 18 of file bls12_377_init.cpp.

◆ bls12_377_twist_coeff_b

bls12_377_Fq2 libff::bls12_377_twist_coeff_b

Definition at line 19 of file bls12_377_init.cpp.

◆ bls12_377_twist_mul_by_b_c0

bls12_377_Fq libff::bls12_377_twist_mul_by_b_c0

Definition at line 20 of file bls12_377_init.cpp.

◆ bls12_377_twist_mul_by_b_c1

bls12_377_Fq libff::bls12_377_twist_mul_by_b_c1

Definition at line 21 of file bls12_377_init.cpp.

◆ bls12_377_twist_mul_by_q_X

bls12_377_Fq2 libff::bls12_377_twist_mul_by_q_X

Definition at line 22 of file bls12_377_init.cpp.

◆ bls12_377_twist_mul_by_q_Y

bls12_377_Fq2 libff::bls12_377_twist_mul_by_q_Y

Definition at line 23 of file bls12_377_init.cpp.

◆ bls12_381_ate_is_loop_count_neg

bool libff::bls12_381_ate_is_loop_count_neg

Definition at line 21 of file bls12_381_init.cpp.

◆ bls12_381_ate_loop_count

bigint< bls12_381_q_limbs > libff::bls12_381_ate_loop_count

Definition at line 20 of file bls12_381_init.cpp.

◆ bls12_381_coeff_b

bls12_381_Fq libff::bls12_381_coeff_b

Definition at line 11 of file bls12_381_init.cpp.

◆ bls12_381_final_exponent

bigint< 12 *bls12_381_q_limbs > libff::bls12_381_final_exponent

Definition at line 22 of file bls12_381_init.cpp.

◆ bls12_381_final_exponent_is_z_neg

bool libff::bls12_381_final_exponent_is_z_neg

Definition at line 24 of file bls12_381_init.cpp.

◆ bls12_381_final_exponent_z

bigint< bls12_381_q_limbs > libff::bls12_381_final_exponent_z

Definition at line 23 of file bls12_381_init.cpp.

◆ bls12_381_modulus_q

bigint< bls12_381_q_limbs > libff::bls12_381_modulus_q

Definition at line 9 of file bls12_381_init.cpp.

◆ bls12_381_modulus_r

bigint< bls12_381_r_limbs > libff::bls12_381_modulus_r

Definition at line 8 of file bls12_381_init.cpp.

◆ bls12_381_q_bitcount

const mp_size_t libff::bls12_381_q_bitcount = 381

Definition at line 20 of file bls12_381_init.hpp.

◆ bls12_381_q_limbs

const mp_size_t libff::bls12_381_q_limbs
Initial value:
=
(bls12_381_q_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 24 of file bls12_381_init.hpp.

◆ bls12_381_r_bitcount

const mp_size_t libff::bls12_381_r_bitcount = 255

Definition at line 19 of file bls12_381_init.hpp.

◆ bls12_381_r_limbs

const mp_size_t libff::bls12_381_r_limbs
Initial value:
=
(bls12_381_r_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 22 of file bls12_381_init.hpp.

◆ bls12_381_trace_of_frobenius

bigint< bls12_381_r_limbs > libff::bls12_381_trace_of_frobenius

Definition at line 12 of file bls12_381_init.cpp.

◆ bls12_381_twist

bls12_381_Fq2 libff::bls12_381_twist

Definition at line 13 of file bls12_381_init.cpp.

◆ bls12_381_twist_coeff_b

bls12_381_Fq2 libff::bls12_381_twist_coeff_b

Definition at line 14 of file bls12_381_init.cpp.

◆ bls12_381_twist_mul_by_b_c0

bls12_381_Fq libff::bls12_381_twist_mul_by_b_c0

Definition at line 15 of file bls12_381_init.cpp.

◆ bls12_381_twist_mul_by_b_c1

bls12_381_Fq libff::bls12_381_twist_mul_by_b_c1

Definition at line 16 of file bls12_381_init.cpp.

◆ bls12_381_twist_mul_by_q_X

bls12_381_Fq2 libff::bls12_381_twist_mul_by_q_X

Definition at line 17 of file bls12_381_init.cpp.

◆ bls12_381_twist_mul_by_q_Y

bls12_381_Fq2 libff::bls12_381_twist_mul_by_q_Y

Definition at line 18 of file bls12_381_init.cpp.

◆ bn128_coeff_b

bn::Fp libff::bn128_coeff_b

Definition at line 19 of file bn128_init.cpp.

◆ bn128_Fq2_nqr_to_t

bn::Fp2 libff::bn128_Fq2_nqr_to_t

Definition at line 26 of file bn128_init.cpp.

◆ bn128_Fq2_s

size_t libff::bn128_Fq2_s

Definition at line 25 of file bn128_init.cpp.

◆ bn128_Fq2_t_minus_1_over_2

mie::Vuint libff::bn128_Fq2_t_minus_1_over_2

Definition at line 27 of file bn128_init.cpp.

◆ bn128_Fq_nqr_to_t

bn::Fp libff::bn128_Fq_nqr_to_t

Definition at line 21 of file bn128_init.cpp.

◆ bn128_Fq_s

size_t libff::bn128_Fq_s

Definition at line 20 of file bn128_init.cpp.

◆ bn128_Fq_t_minus_1_over_2

mie::Vuint libff::bn128_Fq_t_minus_1_over_2

Definition at line 22 of file bn128_init.cpp.

◆ bn128_modulus_q

bigint< bn128_q_limbs > libff::bn128_modulus_q

Definition at line 17 of file bn128_init.cpp.

◆ bn128_modulus_r

bigint< bn128_r_limbs > libff::bn128_modulus_r

Definition at line 16 of file bn128_init.cpp.

◆ bn128_q_bitcount

const mp_size_t libff::bn128_q_bitcount = 254

Definition at line 19 of file bn128_init.hpp.

◆ bn128_q_limbs

const mp_size_t libff::bn128_q_limbs
Initial value:
=
(bn128_q_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 23 of file bn128_init.hpp.

◆ bn128_r_bitcount

const mp_size_t libff::bn128_r_bitcount = 254

Definition at line 18 of file bn128_init.hpp.

◆ bn128_r_limbs

const mp_size_t libff::bn128_r_limbs
Initial value:
=
(bn128_r_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 21 of file bn128_init.hpp.

◆ bn128_twist_coeff_b

bn::Fp2 libff::bn128_twist_coeff_b

Definition at line 24 of file bn128_init.cpp.

◆ bw6_761_ate_is_loop_count_neg

bool libff::bw6_761_ate_is_loop_count_neg

Definition at line 23 of file bw6_761_init.cpp.

◆ bw6_761_ate_loop_count1

bigint< bw6_761_q_limbs > libff::bw6_761_ate_loop_count1

Definition at line 21 of file bw6_761_init.cpp.

◆ bw6_761_ate_loop_count2

bigint< bw6_761_q_limbs > libff::bw6_761_ate_loop_count2

Definition at line 22 of file bw6_761_init.cpp.

◆ bw6_761_coeff_b

bw6_761_Fq libff::bw6_761_coeff_b

Definition at line 17 of file bw6_761_init.cpp.

◆ bw6_761_final_exponent_is_z_neg

bool libff::bw6_761_final_exponent_is_z_neg

Definition at line 25 of file bw6_761_init.cpp.

◆ bw6_761_final_exponent_z

bigint< bw6_761_q_limbs > libff::bw6_761_final_exponent_z

Definition at line 24 of file bw6_761_init.cpp.

◆ bw6_761_modulus_q

bigint< bw6_761_q_limbs > libff::bw6_761_modulus_q

Definition at line 15 of file bw6_761_init.cpp.

◆ bw6_761_modulus_r

bigint< bw6_761_r_limbs > libff::bw6_761_modulus_r

Definition at line 14 of file bw6_761_init.cpp.

◆ bw6_761_q_bitcount

const mp_size_t libff::bw6_761_q_bitcount = 761

Definition at line 13 of file bw6_761_init.hpp.

◆ bw6_761_q_limbs

const mp_size_t libff::bw6_761_q_limbs
Initial value:
=
(bw6_761_q_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 17 of file bw6_761_init.hpp.

◆ bw6_761_r_bitcount

const mp_size_t libff::bw6_761_r_bitcount = 377

Definition at line 12 of file bw6_761_init.hpp.

◆ bw6_761_r_limbs

const mp_size_t libff::bw6_761_r_limbs
Initial value:
=
(bw6_761_r_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 15 of file bw6_761_init.hpp.

◆ bw6_761_twist

bw6_761_Fq libff::bw6_761_twist

Definition at line 18 of file bw6_761_init.cpp.

◆ bw6_761_twist_coeff_b

bw6_761_Fq libff::bw6_761_twist_coeff_b

Definition at line 19 of file bw6_761_init.cpp.

◆ cumulative_op_counts

std::map<std::pair<std::string, std::string>, long long> libff::cumulative_op_counts

Definition at line 83 of file profiling.cpp.

◆ cumulative_times

std::map< std::string, long long > libff::cumulative_times

Definition at line 76 of file profiling.cpp.

◆ curve_point_y_at_x

template<typename GroupT >
decltype(((GroupT *)nullptr)->X) libff::curve_point_y_at_x(const decltype(((GroupT *) nullptr) ->X) &x)

Definition at line 24 of file curve_utils.hpp.

◆ DEFAULT_COMPRESSION

constexpr compression_t libff::DEFAULT_COMPRESSION = compression_on
constexpr

Definition at line 60 of file serialization.hpp.

◆ DEFAULT_ENCODING

constexpr encoding_t libff::DEFAULT_ENCODING = encoding_json
constexpr

Definition at line 48 of file serialization.hpp.

◆ DEFAULT_FORM

constexpr form_t libff::DEFAULT_FORM = form_plain
constexpr

Definition at line 54 of file serialization.hpp.

◆ edwards_ate_loop_count

bigint< edwards_q_limbs > libff::edwards_ate_loop_count

Definition at line 32 of file edwards_init.cpp.

◆ edwards_coeff_a

edwards_Fq libff::edwards_coeff_a

Definition at line 18 of file edwards_init.cpp.

◆ edwards_coeff_d

edwards_Fq libff::edwards_coeff_d

Definition at line 19 of file edwards_init.cpp.

◆ edwards_final_exponent

bigint< 6 *edwards_q_limbs > libff::edwards_final_exponent

Definition at line 33 of file edwards_init.cpp.

◆ edwards_final_exponent_last_chunk_abs_of_w0

bigint< edwards_q_limbs > libff::edwards_final_exponent_last_chunk_abs_of_w0

Definition at line 34 of file edwards_init.cpp.

◆ edwards_final_exponent_last_chunk_is_w0_neg

bool libff::edwards_final_exponent_last_chunk_is_w0_neg

Definition at line 35 of file edwards_init.cpp.

◆ edwards_final_exponent_last_chunk_w1

bigint< edwards_q_limbs > libff::edwards_final_exponent_last_chunk_w1

Definition at line 36 of file edwards_init.cpp.

◆ edwards_modulus_q

bigint< edwards_q_limbs > libff::edwards_modulus_q

Definition at line 16 of file edwards_init.cpp.

◆ edwards_modulus_r

bigint< edwards_r_limbs > libff::edwards_modulus_r

Definition at line 15 of file edwards_init.cpp.

◆ edwards_q_bitcount

const mp_size_t libff::edwards_q_bitcount = 183

Definition at line 19 of file edwards_init.hpp.

◆ edwards_q_limbs

const mp_size_t libff::edwards_q_limbs
Initial value:
=
(edwards_q_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 23 of file edwards_init.hpp.

◆ edwards_r_bitcount

const mp_size_t libff::edwards_r_bitcount = 181

Definition at line 18 of file edwards_init.hpp.

◆ edwards_r_limbs

const mp_size_t libff::edwards_r_limbs
Initial value:
=
(edwards_r_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 21 of file edwards_init.hpp.

◆ edwards_twist

edwards_Fq3 libff::edwards_twist

Definition at line 20 of file edwards_init.cpp.

◆ edwards_twist_coeff_a

edwards_Fq3 libff::edwards_twist_coeff_a

Definition at line 21 of file edwards_init.cpp.

◆ edwards_twist_coeff_d

edwards_Fq3 libff::edwards_twist_coeff_d

Definition at line 22 of file edwards_init.cpp.

◆ edwards_twist_mul_by_a_c0

edwards_Fq libff::edwards_twist_mul_by_a_c0

Definition at line 23 of file edwards_init.cpp.

◆ edwards_twist_mul_by_a_c1

edwards_Fq libff::edwards_twist_mul_by_a_c1

Definition at line 24 of file edwards_init.cpp.

◆ edwards_twist_mul_by_a_c2

edwards_Fq libff::edwards_twist_mul_by_a_c2

Definition at line 25 of file edwards_init.cpp.

◆ edwards_twist_mul_by_d_c0

edwards_Fq libff::edwards_twist_mul_by_d_c0

Definition at line 26 of file edwards_init.cpp.

◆ edwards_twist_mul_by_d_c1

edwards_Fq libff::edwards_twist_mul_by_d_c1

Definition at line 27 of file edwards_init.cpp.

◆ edwards_twist_mul_by_d_c2

edwards_Fq libff::edwards_twist_mul_by_d_c2

Definition at line 28 of file edwards_init.cpp.

◆ edwards_twist_mul_by_q_Y

edwards_Fq libff::edwards_twist_mul_by_q_Y

Definition at line 29 of file edwards_init.cpp.

◆ edwards_twist_mul_by_q_Z

edwards_Fq libff::edwards_twist_mul_by_q_Z

Definition at line 30 of file edwards_init.cpp.

◆ enter_cpu_times

std::map<std::string, long long> libff::enter_cpu_times

Definition at line 79 of file profiling.cpp.

◆ enter_times

std::map<std::string, long long> libff::enter_times

Definition at line 74 of file profiling.cpp.

◆ indentation

size_t libff::indentation = 0

Definition at line 86 of file profiling.cpp.

◆ inhibit_profiling_counters

bool libff::inhibit_profiling_counters = false

Definition at line 108 of file profiling.cpp.

◆ inhibit_profiling_info

bool libff::inhibit_profiling_info = false

Definition at line 107 of file profiling.cpp.

◆ invocation_counts

std::map< std::string, size_t > libff::invocation_counts

Definition at line 73 of file profiling.cpp.

◆ last_cpu_time

long long libff::last_cpu_time

Definition at line 63 of file profiling.cpp.

◆ last_cpu_times

std::map<std::string, long long> libff::last_cpu_times

Definition at line 80 of file profiling.cpp.

◆ last_time

long long libff::last_time

Definition at line 62 of file profiling.cpp.

◆ last_times

std::map< std::string, long long > libff::last_times

Definition at line 75 of file profiling.cpp.

◆ mnt46_A_bitcount

const mp_size_t libff::mnt46_A_bitcount = 298

Definition at line 20 of file mnt46_common.hpp.

◆ mnt46_A_limbs

const mp_size_t libff::mnt46_A_limbs
Initial value:
=
(mnt46_A_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 23 of file mnt46_common.hpp.

◆ mnt46_B_bitcount

const mp_size_t libff::mnt46_B_bitcount = 298

Definition at line 21 of file mnt46_common.hpp.

◆ mnt46_B_limbs

const mp_size_t libff::mnt46_B_limbs
Initial value:
=
(mnt46_B_bitcount + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS

Definition at line 25 of file mnt46_common.hpp.

◆ mnt46_modulus_A

bigint< mnt46_A_limbs > libff::mnt46_modulus_A

Definition at line 19 of file mnt46_common.cpp.

◆ mnt46_modulus_B

bigint< mnt46_B_limbs > libff::mnt46_modulus_B

Definition at line 20 of file mnt46_common.cpp.

◆ mnt4_ate_is_loop_count_neg

bool libff::mnt4_ate_is_loop_count_neg

Definition at line 35 of file mnt4_init.cpp.

◆ mnt4_ate_loop_count

bigint< mnt4_q_limbs > libff::mnt4_ate_loop_count

Definition at line 34 of file mnt4_init.cpp.

◆ mnt4_final_exponent

bigint< 4 *mnt4_q_limbs > libff::mnt4_final_exponent

Definition at line 36 of file mnt4_init.cpp.

◆ mnt4_final_exponent_last_chunk_abs_of_w0

bigint< mnt4_q_limbs > libff::mnt4_final_exponent_last_chunk_abs_of_w0

Definition at line 37 of file mnt4_init.cpp.

◆ mnt4_final_exponent_last_chunk_is_w0_neg

bool libff::mnt4_final_exponent_last_chunk_is_w0_neg

Definition at line 38 of file mnt4_init.cpp.

◆ mnt4_final_exponent_last_chunk_w1

bigint< mnt4_q_limbs > libff::mnt4_final_exponent_last_chunk_w1

Definition at line 39 of file mnt4_init.cpp.

◆ mnt4_modulus_q

bigint<mnt4_q_limbs> libff::mnt4_modulus_q

◆ mnt4_modulus_r

bigint<mnt4_r_limbs> libff::mnt4_modulus_r

◆ mnt4_q_bitcount

const mp_size_t libff::mnt4_q_bitcount = mnt46_B_bitcount

Definition at line 28 of file mnt4_init.hpp.

◆ mnt4_q_limbs

const mp_size_t libff::mnt4_q_limbs = mnt46_B_limbs

Definition at line 31 of file mnt4_init.hpp.

◆ mnt4_r_bitcount

const mp_size_t libff::mnt4_r_bitcount = mnt46_A_bitcount

Definition at line 27 of file mnt4_init.hpp.

◆ mnt4_r_limbs

const mp_size_t libff::mnt4_r_limbs = mnt46_A_limbs

Definition at line 30 of file mnt4_init.hpp.

◆ mnt4_twist

mnt4_Fq2 libff::mnt4_twist

Definition at line 24 of file mnt4_init.cpp.

◆ mnt4_twist_coeff_a

mnt4_Fq2 libff::mnt4_twist_coeff_a

Definition at line 25 of file mnt4_init.cpp.

◆ mnt4_twist_coeff_b

mnt4_Fq2 libff::mnt4_twist_coeff_b

Definition at line 26 of file mnt4_init.cpp.

◆ mnt4_twist_mul_by_a_c0

mnt4_Fq libff::mnt4_twist_mul_by_a_c0

Definition at line 27 of file mnt4_init.cpp.

◆ mnt4_twist_mul_by_a_c1

mnt4_Fq libff::mnt4_twist_mul_by_a_c1

Definition at line 28 of file mnt4_init.cpp.

◆ mnt4_twist_mul_by_b_c0

mnt4_Fq libff::mnt4_twist_mul_by_b_c0

Definition at line 29 of file mnt4_init.cpp.

◆ mnt4_twist_mul_by_b_c1

mnt4_Fq libff::mnt4_twist_mul_by_b_c1

Definition at line 30 of file mnt4_init.cpp.

◆ mnt4_twist_mul_by_q_X

mnt4_Fq libff::mnt4_twist_mul_by_q_X

Definition at line 31 of file mnt4_init.cpp.

◆ mnt4_twist_mul_by_q_Y

mnt4_Fq libff::mnt4_twist_mul_by_q_Y

Definition at line 32 of file mnt4_init.cpp.

◆ mnt6_ate_is_loop_count_neg

bool libff::mnt6_ate_is_loop_count_neg

Definition at line 37 of file mnt6_init.cpp.

◆ mnt6_ate_loop_count

bigint< mnt6_q_limbs > libff::mnt6_ate_loop_count

Definition at line 36 of file mnt6_init.cpp.

◆ mnt6_final_exponent

bigint< 6 *mnt6_q_limbs > libff::mnt6_final_exponent

Definition at line 38 of file mnt6_init.cpp.

◆ mnt6_final_exponent_last_chunk_abs_of_w0

bigint< mnt6_q_limbs > libff::mnt6_final_exponent_last_chunk_abs_of_w0

Definition at line 39 of file mnt6_init.cpp.

◆ mnt6_final_exponent_last_chunk_is_w0_neg

bool libff::mnt6_final_exponent_last_chunk_is_w0_neg

Definition at line 40 of file mnt6_init.cpp.

◆ mnt6_final_exponent_last_chunk_w1

bigint< mnt6_q_limbs > libff::mnt6_final_exponent_last_chunk_w1

Definition at line 41 of file mnt6_init.cpp.

◆ mnt6_modulus_q

bigint<mnt6_q_limbs> libff::mnt6_modulus_q

◆ mnt6_modulus_r

bigint<mnt6_r_limbs> libff::mnt6_modulus_r

◆ mnt6_q_bitcount

const mp_size_t libff::mnt6_q_bitcount = mnt46_A_bitcount

Definition at line 28 of file mnt6_init.hpp.

◆ mnt6_q_limbs

const mp_size_t libff::mnt6_q_limbs = mnt46_A_limbs

Definition at line 31 of file mnt6_init.hpp.

◆ mnt6_r_bitcount

const mp_size_t libff::mnt6_r_bitcount = mnt46_B_bitcount

Definition at line 27 of file mnt6_init.hpp.

◆ mnt6_r_limbs

const mp_size_t libff::mnt6_r_limbs = mnt46_B_limbs

Definition at line 30 of file mnt6_init.hpp.

◆ mnt6_twist

mnt6_Fq3 libff::mnt6_twist

Definition at line 24 of file mnt6_init.cpp.

◆ mnt6_twist_coeff_a

mnt6_Fq3 libff::mnt6_twist_coeff_a

Definition at line 25 of file mnt6_init.cpp.

◆ mnt6_twist_coeff_b

mnt6_Fq3 libff::mnt6_twist_coeff_b

Definition at line 26 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_a_c0

mnt6_Fq libff::mnt6_twist_mul_by_a_c0

Definition at line 27 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_a_c1

mnt6_Fq libff::mnt6_twist_mul_by_a_c1

Definition at line 28 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_a_c2

mnt6_Fq libff::mnt6_twist_mul_by_a_c2

Definition at line 29 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_b_c0

mnt6_Fq libff::mnt6_twist_mul_by_b_c0

Definition at line 30 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_b_c1

mnt6_Fq libff::mnt6_twist_mul_by_b_c1

Definition at line 31 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_b_c2

mnt6_Fq libff::mnt6_twist_mul_by_b_c2

Definition at line 32 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_q_X

mnt6_Fq libff::mnt6_twist_mul_by_q_X

Definition at line 33 of file mnt6_init.cpp.

◆ mnt6_twist_mul_by_q_Y

mnt6_Fq libff::mnt6_twist_mul_by_q_Y

Definition at line 34 of file mnt6_init.cpp.

◆ op_counts

std::map<std::pair<std::string, std::string>, long long> libff::op_counts

Definition at line 81 of file profiling.cpp.

◆ op_data_points

std::list<std::pair<std::string, long long *> > libff::op_data_points
Initial value:
= {
}

Definition at line 90 of file profiling.cpp.

◆ start_cpu_time

long long libff::start_cpu_time

Definition at line 63 of file profiling.cpp.

◆ start_time

long long libff::start_time

Definition at line 62 of file profiling.cpp.

libff::edwards_twist_mul_by_d_c0
edwards_Fq edwards_twist_mul_by_d_c0
Definition: edwards_init.cpp:26
libff::Fp2_model::coeffs
my_Fp coeffs[2]
Definition: fp2.hpp:63
libff::bls12_377_r_bitcount
const mp_size_t bls12_377_r_bitcount
Definition: bls12_377_init.hpp:24
libff::mnt4_Fr
Fp_model< mnt4_r_limbs, mnt4_modulus_r > mnt4_Fr
Definition: mnt4_init.hpp:36
libff::bls12_377_g2_untwist_frobenius_twist_v_inverse
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v_inverse
Definition: bls12_377_init.cpp:36
libff::alt_bn128_twist_mul_by_q_Y
alt_bn128_Fq2 alt_bn128_twist_mul_by_q_Y
Definition: alt_bn128_init.cpp:24
libff::edwards_final_exponentiation_last_chunk
edwards_Fq6 edwards_final_exponentiation_last_chunk(const edwards_Fq6 &elt, const edwards_Fq6 &elt_inv)
Definition: edwards_pairing.cpp:179
libff::bls12_381_GT
bls12_381_Fq12 bls12_381_GT
Definition: bls12_381_init.hpp:36
libff::bls12_381_ate_is_loop_count_neg
bool bls12_381_ate_is_loop_count_neg
Definition: bls12_381_init.cpp:21
libff::mnt4_twist_mul_by_b_c1
mnt4_Fq mnt4_twist_mul_by_b_c1
Definition: mnt4_init.cpp:30
libff::bn128_Fq2_nqr_to_t
bn::Fp2 bn128_Fq2_nqr_to_t
Definition: bn128_init.cpp:26
libff::mnt6_ate_loop_count
bigint< mnt6_q_limbs > mnt6_ate_loop_count
Definition: mnt6_init.cpp:36
libff::bls12_381_twist_mul_by_b_c1
bls12_381_Fq bls12_381_twist_mul_by_b_c1
Definition: bls12_381_init.cpp:16
libff::mnt4_twist_coeff_b
mnt4_Fq2 mnt4_twist_coeff_b
Definition: mnt4_init.cpp:26
libff::mnt6_twist_mul_by_a_c0
mnt6_Fq mnt6_twist_mul_by_a_c0
Definition: mnt6_init.cpp:27
libff::mnt6_twist_mul_by_b_c2
mnt6_Fq mnt6_twist_mul_by_b_c2
Definition: mnt6_init.cpp:32
libff::bn128_Fq
Fp_model< bn128_q_limbs, bn128_modulus_q > bn128_Fq
Definition: bn128_init.hpp:40
libff::mnt4_twist_mul_by_a_c1
mnt4_Fq mnt4_twist_mul_by_a_c1
Definition: mnt4_init.cpp:28
libff::bls12_381_final_exponent_z
bigint< bls12_381_q_limbs > bls12_381_final_exponent_z
Definition: bls12_381_init.cpp:23
libff::bls12_381_ate_pairing
bls12_381_Fq12 bls12_381_ate_pairing(const bls12_381_G1 &P, const bls12_381_G2 &Q)
Definition: bls12_381_pairing.cpp:474
libff::bls12_381_ate_loop_count
bigint< bls12_381_q_limbs > bls12_381_ate_loop_count
Definition: bls12_381_init.cpp:20
libff::mnt6_GT
mnt6_Fq6 mnt6_GT
Definition: mnt6_init.hpp:40
libff::bls12_377_doubling_step_for_miller_loop
void bls12_377_doubling_step_for_miller_loop(const bls12_377_Fq two_inv, bls12_377_G2 &current, bls12_377_ate_ell_coeffs &c)
Definition: bls12_377_pairing.cpp:239
libff::bw6_761_GT
bw6_761_Fq6 bw6_761_GT
Definition: bw6_761_init.hpp:27
libff::bls12_377_ate_miller_loop
bls12_377_Fq12 bls12_377_ate_miller_loop(const bls12_377_ate_G1_precomp &prec_P, const bls12_377_ate_G2_precomp &prec_Q)
Definition: bls12_377_pairing.cpp:408
libff::edwards_final_exponent_last_chunk_w1
bigint< edwards_q_limbs > edwards_final_exponent_last_chunk_w1
Definition: edwards_init.cpp:36
libff::bls12_377_final_exponentiation_last_chunk
bls12_377_Fq12 bls12_377_final_exponentiation_last_chunk(const bls12_377_Fq12 &elt)
Definition: bls12_377_pairing.cpp:151
libff::bw6_761_ate_is_loop_count_neg
bool bw6_761_ate_is_loop_count_neg
Definition: bw6_761_init.cpp:23
libff::mixed_addition_step_for_flipped_miller_loop
void mixed_addition_step_for_flipped_miller_loop(const mnt4_Fq2 base_X, const mnt4_Fq2 base_Y, const mnt4_Fq2 base_Y_squared, extended_mnt4_G2_projective &current, mnt4_ate_add_coeffs &ac)
Definition: mnt4_pairing.cpp:429
libff::bw6_761_twist
bw6_761_Fq bw6_761_twist
Definition: bw6_761_init.cpp:18
libff::bls12_381_Fr
Fp_model< bls12_381_r_limbs, bls12_381_modulus_r > bls12_381_Fr
Definition: bls12_381_init.hpp:30
libff::bls12_381_ate_reduced_pairing
bls12_381_GT bls12_381_ate_reduced_pairing(const bls12_381_G1 &P, const bls12_381_G2 &Q)
Definition: bls12_381_pairing.cpp:485
libff::enter_block
void enter_block(const std::string &msg, const bool indent)
Definition: profiling.cpp:271
libff::print_indent
void print_indent()
Definition: profiling.cpp:257
libff::bls12_377_g2_untwist_frobenius_twist_v
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_v
Definition: bls12_377_init.cpp:34
mnt6_modulus_r
#define mnt6_modulus_r
Definition: mnt6_init.hpp:24
libff::start_time
long long start_time
Definition: profiling.cpp:62
libff::bw6_761_modulus_r
bigint< bls12_377_q_limbs > bw6_761_modulus_r
Definition: bw6_761_init.cpp:14
libff::bw6_761_final_exponentiation_first_chunk
bw6_761_Fq6 bw6_761_final_exponentiation_first_chunk(const bw6_761_Fq6 &elt)
Definition: bw6_761_pairing.cpp:131
libff::mnt6_ate_precompute_G2
mnt6_ate_G2_precomp mnt6_ate_precompute_G2(const mnt6_G2 &Q)
Definition: mnt6_pairing.cpp:485
libff::edwards_GT
edwards_Fq6 edwards_GT
Definition: edwards_init.hpp:33
libff::print_op_profiling
void print_op_profiling(const std::string &msg)
Definition: profiling.cpp:176
libff::bls12_377_final_exponent_is_z_neg
bool bls12_377_final_exponent_is_z_neg
Definition: bls12_377_init.cpp:48
libff::alt_bn128_exp_by_neg_z
alt_bn128_Fq12 alt_bn128_exp_by_neg_z(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:141
libff::bls12_377_modulus_r
bigint< bls12_377_r_limbs > bls12_377_modulus_r
Definition: bls12_377_init.cpp:11
libff::bls12_381_twist_coeff_b
bls12_381_Fq2 bls12_381_twist_coeff_b
Definition: bls12_381_init.cpp:14
libff::bls12_381_Fq2
Fp2_model< bls12_381_q_limbs, bls12_381_modulus_q > bls12_381_Fq2
Definition: bls12_381_init.hpp:32
libff::cumulative_times
std::map< std::string, long long > cumulative_times
Definition: profiling.cpp:76
libff::bw6_761_Fr
Fp_model< bw6_761_r_limbs, bw6_761_modulus_r > bw6_761_Fr
Definition: bw6_761_init.hpp:23
libff::bls12_377_ate_loop_count
bigint< bls12_377_q_limbs > bls12_377_ate_loop_count
Definition: bls12_377_init.cpp:43
libff::edwards_twist_coeff_d
edwards_Fq3 edwards_twist_coeff_d
Definition: edwards_init.cpp:22
libff::bls12_377_final_exponent_z
bigint< bls12_377_q_limbs > bls12_377_final_exponent_z
Definition: bls12_377_init.cpp:47
libff::bw6_761_ate_double_miller_loop
bw6_761_Fq6 bw6_761_ate_double_miller_loop(const bw6_761_ate_G1_precomp &prec_P1, const bw6_761_ate_G2_precomp &prec_Q1, const bw6_761_ate_G1_precomp &prec_P2, const bw6_761_ate_G2_precomp &prec_Q2)
Definition: bw6_761_pairing.cpp:508
libff::Fp_model::squared
Fp_model squared() const
libff::mnt6_final_exponent_last_chunk_w1
bigint< mnt6_q_limbs > mnt6_final_exponent_last_chunk_w1
Definition: mnt6_init.cpp:41
libff::mnt6_Fq
Fp_model< mnt6_q_limbs, mnt6_modulus_q > mnt6_Fq
Definition: mnt6_init.hpp:37
libff::edwards_twist
edwards_Fq3 edwards_twist
Definition: edwards_init.cpp:20
libff::mnt6_twist_mul_by_b_c1
mnt6_Fq mnt6_twist_mul_by_b_c1
Definition: mnt6_init.cpp:31
libff::mnt4_affine_ate_precompute_G1
mnt4_affine_ate_G1_precomputation mnt4_affine_ate_precompute_G1(const mnt4_G1 &P)
Definition: mnt4_pairing.cpp:224
libff::multi_exp_base_form_special
@ multi_exp_base_form_special
Definition: multiexp.hpp:50
libff::edwards_ate_G2_precomp
std::vector< edwards_Fq3_conic_coefficients > edwards_ate_G2_precomp
Definition: edwards_pairing.hpp:77
libff::doubling_step_for_flipped_miller_loop
void doubling_step_for_flipped_miller_loop(const alt_bn128_Fq two_inv, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
Definition: alt_bn128_pairing.cpp:246
libff::bls12_381_twist_mul_by_q_X
bls12_381_Fq2 bls12_381_twist_mul_by_q_X
Definition: bls12_381_init.cpp:17
libff::mnt6_twist_mul_by_q_Y
mnt6_Fq mnt6_twist_mul_by_q_Y
Definition: mnt6_init.cpp:34
libff::mnt4_twist_coeff_a
mnt4_Fq2 mnt4_twist_coeff_a
Definition: mnt4_init.cpp:25
libff::bn128_Fq2_s
size_t bn128_Fq2_s
Definition: bn128_init.cpp:25
libff::mnt4_final_exponentiation_last_chunk
mnt4_Fq4 mnt4_final_exponentiation_last_chunk(const mnt4_Fq4 &elt, const mnt4_Fq4 &elt_inv)
Definition: mnt4_pairing.cpp:172
libff::bls12_381_Fq
Fp_model< bls12_381_q_limbs, bls12_381_modulus_q > bls12_381_Fq
Definition: bls12_381_init.hpp:31
libff::bw6_761_Fq
Fp_model< bw6_761_q_limbs, bw6_761_modulus_q > bw6_761_Fq
Definition: bw6_761_init.hpp:24
libff::bls12_377_Fr
Fp_model< bls12_377_r_limbs, bls12_377_modulus_r > bls12_377_Fr
Definition: bls12_377_init.hpp:47
libff::bls12_381_final_exponentiation_last_chunk
bls12_381_Fq12 bls12_381_final_exponentiation_last_chunk(const bls12_381_Fq12 &elt)
Definition: bls12_381_pairing.cpp:156
libff::edwards_twist_coeff_a
edwards_Fq3 edwards_twist_coeff_a
Definition: edwards_init.cpp:21
mnt6_modulus_q
#define mnt6_modulus_q
Definition: mnt6_init.hpp:25
libff::mnt4_ate_reduced_pairing
mnt4_GT mnt4_ate_reduced_pairing(const mnt4_G1 &P, const mnt4_G2 &Q)
Definition: mnt4_pairing.cpp:686
libff::mnt4_ate_precompute_G2
mnt4_ate_G2_precomp mnt4_ate_precompute_G2(const mnt4_G2 &Q)
Definition: mnt4_pairing.cpp:480
libff::bn128_coeff_b
bn::Fp bn128_coeff_b
Definition: bn128_init.cpp:19
libff::mnt6_ate_miller_loop
mnt6_Fq6 mnt6_ate_miller_loop(const mnt6_ate_G1_precomp &prec_P, const mnt6_ate_G2_precomp &prec_Q)
Definition: mnt6_pairing.cpp:548
libff::last_cpu_time
long long last_cpu_time
Definition: profiling.cpp:63
libff::bn128_modulus_r
bigint< bn128_r_limbs > bn128_modulus_r
Definition: bn128_init.cpp:16
libff::bls12_377_final_exponent
bigint< 12 *bls12_377_q_limbs > bls12_377_final_exponent
Definition: bls12_377_init.cpp:46
libff::alt_bn128_final_exponentiation_first_chunk
alt_bn128_Fq12 alt_bn128_final_exponentiation_first_chunk(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:113
mnt4_modulus_q
#define mnt4_modulus_q
Definition: mnt4_init.hpp:25
libff::bw6_761_ate_miller_loop
bw6_761_Fq6 bw6_761_ate_miller_loop(const bw6_761_ate_G1_precomp &prec_P, const bw6_761_ate_G2_precomp &prec_Q)
Definition: bw6_761_pairing.cpp:423
libff::alt_bn128_GT
alt_bn128_Fq12 alt_bn128_GT
Definition: alt_bn128_init.hpp:36
libff::mnt6_twist_mul_by_a_c1
mnt6_Fq mnt6_twist_mul_by_a_c1
Definition: mnt6_init.cpp:28
libff::start_cpu_time
long long start_cpu_time
Definition: profiling.cpp:63
libff::mnt6_twist_mul_by_q_X
mnt6_Fq mnt6_twist_mul_by_q_X
Definition: mnt6_init.cpp:33
libff::bn128_Fq_nqr_to_t
bn::Fp bn128_Fq_nqr_to_t
Definition: bn128_init.cpp:21
libff::bls12_381_twist_mul_by_q_Y
bls12_381_Fq2 bls12_381_twist_mul_by_q_Y
Definition: bls12_381_init.cpp:18
libff::UNUSED
void UNUSED(Types &&...)
A variadic template to suppress unused argument warnings.
Definition: utils.hpp:45
libff::encoding_binary
@ encoding_binary
Definition: serialization.hpp:20
libff::mnt4_final_exponent
bigint< 4 *mnt4_q_limbs > mnt4_final_exponent
Definition: mnt4_init.cpp:36
libff::edwards_twist_mul_by_q_Z
edwards_Fq edwards_twist_mul_by_q_Z
Definition: edwards_init.cpp:30
libff::bls12_377_Fq12
Fp12_2over3over2_model< bls12_377_q_limbs, bls12_377_modulus_q > bls12_377_Fq12
Definition: bls12_377_init.hpp:52
libff::form_montgomery
@ form_montgomery
Definition: serialization.hpp:27
libff::mnt6_twist_coeff_b
mnt6_Fq3 mnt6_twist_coeff_b
Definition: mnt6_init.cpp:26
libff::enter_cpu_times
std::map< std::string, long long > enter_cpu_times
Definition: profiling.cpp:79
libff::bls12_377_coeff_b
bls12_377_Fq bls12_377_coeff_b
Definition: bls12_377_init.cpp:16
libff::bls12_381_ate_miller_loop
bls12_381_Fq12 bls12_381_ate_miller_loop(const bls12_381_ate_G1_precomp &prec_P, const bls12_381_ate_G2_precomp &prec_Q)
Definition: bls12_381_pairing.cpp:369
libff::mixed_addition_step_for_flipped_miller_loop
void mixed_addition_step_for_flipped_miller_loop(const alt_bn128_G2 base, alt_bn128_G2 &current, alt_bn128_ate_ell_coeffs &c)
Definition: alt_bn128_pairing.cpp:290
libff::bls12_377_Fq
Fp_model< bls12_377_q_limbs, bls12_377_modulus_q > bls12_377_Fq
Definition: bls12_377_init.hpp:48
libff::last_times
std::map< std::string, long long > last_times
Definition: profiling.cpp:75
libff::Fp_model::inverse
Fp_model inverse() const
libff::bw6_761_ate_loop_count2
bigint< bw6_761_q_limbs > bw6_761_ate_loop_count2
Definition: bw6_761_init.cpp:22
libff::bls12_377_twist_coeff_b
bls12_377_Fq2 bls12_377_twist_coeff_b
Definition: bls12_377_init.cpp:19
libff::bls12_377_g2_untwist_frobenius_twist_w_3
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3
Definition: bls12_377_init.cpp:35
libff::edwards_tate_precompute_G2
edwards_tate_G2_precomp edwards_tate_precompute_G2(const edwards_G2 &Q)
Definition: edwards_pairing.cpp:234
libff::edwards_ate_precompute_G2
edwards_ate_G2_precomp edwards_ate_precompute_G2(const edwards_G2 &Q)
Definition: edwards_pairing.cpp:623
libff::Fp3_model::coeffs
my_Fp coeffs[3]
Definition: fp3.hpp:59
libff::edwards_final_exponent_last_chunk_is_w0_neg
bool edwards_final_exponent_last_chunk_is_w0_neg
Definition: edwards_init.cpp:35
libff::edwards_Fr
Fp_model< edwards_r_limbs, edwards_modulus_r > edwards_Fr
Definition: edwards_init.hpp:29
libff::edwards_final_exponent_last_chunk_abs_of_w0
bigint< edwards_q_limbs > edwards_final_exponent_last_chunk_abs_of_w0
Definition: edwards_init.cpp:34
libff::bls12_377_twist_mul_by_q_X
bls12_377_Fq2 bls12_377_twist_mul_by_q_X
Definition: bls12_377_init.cpp:22
libff::bls12_377_ate_pairing
bls12_377_Fq12 bls12_377_ate_pairing(const bls12_377_G1 &P, const bls12_377_G2 &Q)
Definition: bls12_377_pairing.cpp:519
libff::doubling_step_for_flipped_miller_loop
void doubling_step_for_flipped_miller_loop(extended_edwards_G2_projective &current, edwards_Fq3_conic_coefficients &cc)
Definition: edwards_pairing.cpp:489
libff::mnt4_twist_mul_by_q_X
mnt4_Fq mnt4_twist_mul_by_q_X
Definition: mnt4_init.cpp:31
libff::mnt4_final_exponent_last_chunk_abs_of_w0
bigint< mnt4_q_limbs > mnt4_final_exponent_last_chunk_abs_of_w0
Definition: mnt4_init.cpp:37
libff::mnt6_ate_reduced_pairing
mnt6_GT mnt6_ate_reduced_pairing(const mnt6_G1 &P, const mnt6_G2 &Q)
Definition: mnt6_pairing.cpp:699
libff::edwards_tate_pairing
edwards_Fq6 edwards_tate_pairing(const edwards_G1 &P, const edwards_G2 &Q)
Definition: edwards_pairing.cpp:451
libff::alt_bn128_twist_coeff_b
alt_bn128_Fq2 alt_bn128_twist_coeff_b
Definition: alt_bn128_init.cpp:20
libff::alt_bn128_modulus_r
bigint< alt_bn128_r_limbs > alt_bn128_modulus_r
Definition: alt_bn128_init.cpp:15
libff::bls12_377_g1_safe_subgroup_check_c1
bigint< bls12_377_r_limbs > bls12_377_g1_safe_subgroup_check_c1
Definition: bls12_377_init.cpp:27
libff::multi_exp_method_bos_coster
@ multi_exp_method_bos_coster
Definition: multiexp.hpp:34
libff::edwards_ate_loop_count
bigint< edwards_q_limbs > edwards_ate_loop_count
Definition: edwards_init.cpp:32
libff::cumulative_op_counts
std::map< std::pair< std::string, std::string >, long long > cumulative_op_counts
Definition: profiling.cpp:83
libff::mnt6_affine_ate_precompute_G2
mnt6_affine_ate_G2_precomputation mnt6_affine_ate_precompute_G2(const mnt6_G2 &Q)
Definition: mnt6_pairing.cpp:245
libff::alt_bn128_twist_mul_by_q_X
alt_bn128_Fq2 alt_bn128_twist_mul_by_q_X
Definition: alt_bn128_init.cpp:23
libff::mnt6_ate_pairing
mnt6_Fq6 mnt6_ate_pairing(const mnt6_G1 &P, const mnt6_G2 &Q)
Definition: mnt6_pairing.cpp:689
libff::Fp2_model::inverse
Fp2_model inverse() const
libff::edwards_twist_mul_by_a_c1
edwards_Fq edwards_twist_mul_by_a_c1
Definition: edwards_init.cpp:24
libff::indentation
size_t indentation
Definition: profiling.cpp:86
libff::edwards_final_exponent
bigint< 6 *edwards_q_limbs > edwards_final_exponent
Definition: edwards_init.cpp:33
libff::bls12_381_exp_by_z
bls12_381_Fq12 bls12_381_exp_by_z(const bls12_381_Fq12 &elt)
Definition: bls12_381_pairing.cpp:142
libff::bw6_761_modulus_q
bigint< bw6_761_q_limbs > bw6_761_modulus_q
Definition: bw6_761_init.cpp:15
libff::mnt4_Fq
Fp_model< mnt4_q_limbs, mnt4_modulus_q > mnt4_Fq
Definition: mnt4_init.hpp:37
libff::bls12_377_g1_proof_of_safe_subgroup_non_member_y
bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_y
Definition: bls12_377_init.cpp:30
OUTPUT_SEPARATOR
#define OUTPUT_SEPARATOR
Definition: serialization.hpp:69
libff::mnt6_twist
mnt6_Fq3 mnt6_twist
Definition: mnt6_init.cpp:24
libff::bit_vector
std::vector< bool > bit_vector
Definition: utils.hpp:22
libff::bw6_761_final_exponentiation
bw6_761_GT bw6_761_final_exponentiation(const bw6_761_Fq6 &elt)
Definition: bw6_761_pairing.cpp:258
libff::bls12_377_GT
bls12_377_Fq12 bls12_377_GT
Definition: bls12_377_init.hpp:53
libff::mnt6_final_exponentiation_last_chunk
mnt6_Fq6 mnt6_final_exponentiation_last_chunk(const mnt6_Fq6 &elt, const mnt6_Fq6 &elt_inv)
Definition: mnt6_pairing.cpp:173
libff::alt_bn128_final_exponent_z
bigint< alt_bn128_q_limbs > alt_bn128_final_exponent_z
Definition: alt_bn128_init.cpp:29
libff::bls12_381_modulus_q
bigint< bls12_381_q_limbs > bls12_381_modulus_q
Definition: bls12_381_init.cpp:9
libff::bw6_761_final_exponent_is_z_neg
bool bw6_761_final_exponent_is_z_neg
Definition: bw6_761_init.cpp:25
libff::bls12_381_doubling_step_for_miller_loop
void bls12_381_doubling_step_for_miller_loop(const bls12_381_Fq two_inv, bls12_381_G2 &current, bls12_381_ate_ell_coeffs &c)
Definition: bls12_381_pairing.cpp:230
libff::bw6_761_ate_precompute_G1
bw6_761_ate_G1_precomp bw6_761_ate_precompute_G1(const bw6_761_G1 &P)
Definition: bw6_761_pairing.cpp:354
libff::bls12_377_twist_mul_by_q_Y
bls12_377_Fq2 bls12_377_twist_mul_by_q_Y
Definition: bls12_377_init.cpp:23
libff::alt_bn128_ate_double_miller_loop
alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(const alt_bn128_ate_G1_precomp &prec_P1, const alt_bn128_ate_G2_precomp &prec_Q1, const alt_bn128_ate_G1_precomp &prec_P2, const alt_bn128_ate_G2_precomp &prec_Q2)
Definition: alt_bn128_pairing.cpp:453
libff::Fp12_2over3over2_model::inverse
Fp12_2over3over2_model inverse() const
libff::bls12_381_mixed_addition_step_for_miller_loop
void bls12_381_mixed_addition_step_for_miller_loop(const bls12_381_G2 base, bls12_381_G2 &current, bls12_381_ate_ell_coeffs &c)
Definition: bls12_381_pairing.cpp:274
libff::bw6_761_ate_precompute_G2
bw6_761_ate_G2_precomp bw6_761_ate_precompute_G2(const bw6_761_G2 &Q)
Definition: bw6_761_pairing.cpp:414
libff::multi_exp_base_form_normal
@ multi_exp_base_form_normal
Incoming base elements are not in special form.
Definition: multiexp.hpp:47
libff::bls12_381_twist_mul_by_b_c0
bls12_381_Fq bls12_381_twist_mul_by_b_c0
Definition: bls12_381_init.cpp:15
libff::bls12_377_g1_proof_of_safe_subgroup_non_member_x
bls12_377_Fq bls12_377_g1_proof_of_safe_subgroup_non_member_x
Definition: bls12_377_init.cpp:29
libff::bw6_761_exp_by_z
bw6_761_Fq6 bw6_761_exp_by_z(const bw6_761_Fq6 &elt)
Definition: bw6_761_pairing.cpp:150
libff::alt_bn128_twist_mul_by_b_c1
alt_bn128_Fq alt_bn128_twist_mul_by_b_c1
Definition: alt_bn128_init.cpp:22
libff::bls12_381_Fq6
Fp6_3over2_model< bls12_381_q_limbs, bls12_381_modulus_q > bls12_381_Fq6
Definition: bls12_381_init.hpp:33
libff::bn128_q_bitcount
const mp_size_t bn128_q_bitcount
Definition: bn128_init.hpp:19
libff::bls12_377_g2_mul_by_cofactor_h2_1
bigint< bls12_377_r_limbs > bls12_377_g2_mul_by_cofactor_h2_1
Definition: bls12_377_init.cpp:41
libff::alt_bn128_Fq2
Fp2_model< alt_bn128_q_limbs, alt_bn128_modulus_q > alt_bn128_Fq2
Definition: alt_bn128_init.hpp:32
libff::alt_bn128_final_exponent
bigint< 12 *alt_bn128_q_limbs > alt_bn128_final_exponent
Definition: alt_bn128_init.cpp:28
libff::get_nsec_time
long long get_nsec_time()
Definition: profiling.cpp:32
libff::bls12_377_Fq2
Fp2_model< bls12_377_q_limbs, bls12_377_modulus_q > bls12_377_Fq2
Definition: bls12_377_init.hpp:49
libff::edwards_tate_precompute_G1
edwards_tate_G1_precomp edwards_tate_precompute_G1(const edwards_G1 &P)
Definition: edwards_pairing.cpp:367
libff::bls12_381_q_bitcount
const mp_size_t bls12_381_q_bitcount
Definition: bls12_381_init.hpp:20
libff::mnt6_twist_coeff_a
mnt6_Fq3 mnt6_twist_coeff_a
Definition: mnt6_init.cpp:25
libff::alt_bn128_q_bitcount
const mp_size_t alt_bn128_q_bitcount
Definition: alt_bn128_init.hpp:20
libff::mnt6_final_exponentiation_first_chunk
mnt6_Fq6 mnt6_final_exponentiation_first_chunk(const mnt6_Fq6 &elt, const mnt6_Fq6 &elt_inv)
Definition: mnt6_pairing.cpp:192
libff::alt_bn128_final_exponent_is_z_neg
bool alt_bn128_final_exponent_is_z_neg
Definition: alt_bn128_init.cpp:30
libff::alt_bn128_ate_is_loop_count_neg
bool alt_bn128_ate_is_loop_count_neg
Definition: alt_bn128_init.cpp:27
libff::op_data_points
std::list< std::pair< std::string, long long * > > op_data_points
Definition: profiling.cpp:90
libff::bls12_381_final_exponentiation_first_chunk
bls12_381_Fq12 bls12_381_final_exponentiation_first_chunk(const bls12_381_Fq12 &elt)
Definition: bls12_381_pairing.cpp:114
libff::compression_on
@ compression_on
Definition: serialization.hpp:33
libff::op_profiling_enter
void op_profiling_enter(const std::string &msg)
Definition: profiling.cpp:264
libff::consume_OUTPUT_SEPARATOR
void consume_OUTPUT_SEPARATOR(std::istream &in)
libff::mnt4_affine_ate_precompute_G2
mnt4_affine_ate_G2_precomputation mnt4_affine_ate_precompute_G2(const mnt4_G2 &Q)
Definition: mnt4_pairing.cpp:241
libff::mnt4_ate_pairing
mnt4_Fq4 mnt4_ate_pairing(const mnt4_G1 &P, const mnt4_G2 &Q)
Definition: mnt4_pairing.cpp:676
libff::doubling_step_for_flipped_miller_loop
void doubling_step_for_flipped_miller_loop(extended_mnt4_G2_projective &current, mnt4_ate_dbl_coeffs &dc)
Definition: mnt4_pairing.cpp:400
libff::bls12_381_r_bitcount
const mp_size_t bls12_381_r_bitcount
Definition: bls12_381_init.hpp:19
libff::edwards_modulus_r
bigint< edwards_r_limbs > edwards_modulus_r
Definition: edwards_init.cpp:15
libff::bw6_761_final_exponentiation_last_chunk
bw6_761_Fq6 bw6_761_final_exponentiation_last_chunk(const bw6_761_Fq6 &elt)
Definition: bw6_761_pairing.cpp:172
libff::bn128_Fq_s
size_t bn128_Fq_s
Definition: bn128_init.cpp:20
libff::edwards_q_bitcount
const mp_size_t edwards_q_bitcount
Definition: edwards_init.hpp:19
libff::get_nsec_cpu_time
long long get_nsec_cpu_time()
Definition: profiling.cpp:42
libff::bls12_381_modulus_r
bigint< bls12_381_r_limbs > bls12_381_modulus_r
Definition: bls12_381_init.cpp:8
libff::bls12_377_g1_proof_of_safe_subgroup_w
bigint< bls12_377_r_limbs > bls12_377_g1_proof_of_safe_subgroup_w
Definition: bls12_377_init.cpp:28
libff::bls12_377_twist_mul_by_b_c1
bls12_377_Fq bls12_377_twist_mul_by_b_c1
Definition: bls12_377_init.cpp:21
mnt4_modulus_r
#define mnt4_modulus_r
Definition: mnt4_init.hpp:24
libff::mnt4_Fq2
Fp2_model< mnt4_q_limbs, mnt4_modulus_q > mnt4_Fq2
Definition: mnt4_init.hpp:38
libff::edwards_ate_double_miller_loop
edwards_Fq6 edwards_ate_double_miller_loop(const edwards_ate_G1_precomp &prec_P1, const edwards_ate_G2_precomp &prec_Q1, const edwards_ate_G1_precomp &prec_P2, const edwards_ate_G2_precomp &prec_Q2)
Definition: edwards_pairing.cpp:702
libff::alt_bn128_modulus_q
bigint< alt_bn128_q_limbs > alt_bn128_modulus_q
Definition: alt_bn128_init.cpp:16
libff::alt_bn128_Fr
Fp_model< alt_bn128_r_limbs, alt_bn128_modulus_r > alt_bn128_Fr
Definition: alt_bn128_init.hpp:30
libff::mnt4_final_exponentiation_first_chunk
mnt4_Fq4 mnt4_final_exponentiation_first_chunk(const mnt4_Fq4 &elt, const mnt4_Fq4 &elt_inv)
Definition: mnt4_pairing.cpp:191
libff::bls12_377_ate_reduced_pairing
bls12_377_GT bls12_377_ate_reduced_pairing(const bls12_377_G1 &P, const bls12_377_G2 &Q)
Definition: bls12_377_pairing.cpp:530
libff::mixed_addition_step_for_miller_loop
void mixed_addition_step_for_miller_loop(const extended_edwards_G1_projective &base, extended_edwards_G1_projective &current, edwards_Fq_conic_coefficients &cc)
Definition: edwards_pairing.cpp:334
libff::edwards_coeff_d
edwards_Fq edwards_coeff_d
Definition: edwards_init.cpp:19
libff::mnt6_Fq3
Fp3_model< mnt6_q_limbs, mnt6_modulus_q > mnt6_Fq3
Definition: mnt6_init.hpp:38
libff::encoding_json
@ encoding_json
Definition: serialization.hpp:21
libff::bw6_761_ate_reduced_pairing
bw6_761_GT bw6_761_ate_reduced_pairing(const bw6_761_G1 &P, const bw6_761_G2 &Q)
Definition: bw6_761_pairing.cpp:635
libff::edwards_ate_miller_loop
edwards_Fq6 edwards_ate_miller_loop(const edwards_ate_G1_precomp &prec_P, const edwards_ate_G2_precomp &prec_Q)
Definition: edwards_pairing.cpp:662
libff::compression_off
@ compression_off
Definition: serialization.hpp:32
libff::mnt4_ate_double_miller_loop
mnt4_Fq4 mnt4_ate_double_miller_loop(const mnt4_ate_G1_precomp &prec_P1, const mnt4_ate_G2_precomp &prec_Q1, const mnt4_ate_G1_precomp &prec_P2, const mnt4_ate_G2_precomp &prec_Q2)
Definition: mnt4_pairing.cpp:595
libff::edwards_r_bitcount
const mp_size_t edwards_r_bitcount
Definition: edwards_init.hpp:18
libff::doubling_step_for_flipped_miller_loop
void doubling_step_for_flipped_miller_loop(extended_mnt6_G2_projective &current, mnt6_ate_dbl_coeffs &dc)
Definition: mnt6_pairing.cpp:405
libff::alt_bn128_Fq
Fp_model< alt_bn128_q_limbs, alt_bn128_modulus_q > alt_bn128_Fq
Definition: alt_bn128_init.hpp:31
libff::mnt6_ate_double_miller_loop
mnt6_Fq6 mnt6_ate_double_miller_loop(const mnt6_ate_G1_precomp &prec_P1, const mnt6_ate_G2_precomp &prec_Q1, const mnt6_ate_G1_precomp &prec_P2, const mnt6_ate_G2_precomp &prec_Q2)
Definition: mnt6_pairing.cpp:605
libff::edwards_twist_mul_by_a_c0
edwards_Fq edwards_twist_mul_by_a_c0
Definition: edwards_init.cpp:23
libff::bls12_381_final_exponent
bigint< 12 *bls12_381_q_limbs > bls12_381_final_exponent
Definition: bls12_381_init.cpp:22
libff::bls12_377_trace_of_frobenius
bigint< bls12_377_r_limbs > bls12_377_trace_of_frobenius
Definition: bls12_377_init.cpp:17
libff::bls12_377_mixed_addition_step_for_miller_loop
void bls12_377_mixed_addition_step_for_miller_loop(const bls12_377_G2 &base, bls12_377_G2 &current, bls12_377_ate_ell_coeffs &c)
Definition: bls12_377_pairing.cpp:301
libff::edwards_ate_precompute_G1
edwards_ate_G1_precomp edwards_ate_precompute_G1(const edwards_G1 &P)
Definition: edwards_pairing.cpp:609
libff::bw6_761_coeff_b
bw6_761_Fq bw6_761_coeff_b
Definition: bw6_761_init.cpp:17
libff::mnt6_Fq6
Fp6_2over3_model< mnt6_q_limbs, mnt6_modulus_q > mnt6_Fq6
Definition: mnt6_init.hpp:39
libff::edwards_coeff_a
edwards_Fq edwards_coeff_a
Definition: edwards_init.cpp:18
libff::mnt6_twist_mul_by_a_c2
mnt6_Fq mnt6_twist_mul_by_a_c2
Definition: mnt6_init.cpp:29
libff::mnt6_Fr
Fp_model< mnt6_r_limbs, mnt6_modulus_r > mnt6_Fr
Definition: mnt6_init.hpp:36
libff::bls12_377_final_exponentiation_first_chunk
bls12_377_Fq12 bls12_377_final_exponentiation_first_chunk(const bls12_377_Fq12 &elt)
Definition: bls12_377_pairing.cpp:109
libff::edwards_Fq3
Fp3_model< edwards_q_limbs, edwards_modulus_q > edwards_Fq3
Definition: edwards_init.hpp:31
libff::edwards_tate_miller_loop
edwards_Fq6 edwards_tate_miller_loop(const edwards_tate_G1_precomp &prec_P, const edwards_tate_G2_precomp &prec_Q)
Definition: edwards_pairing.cpp:409
libff::edwards_final_exponentiation
edwards_GT edwards_final_exponentiation(const edwards_Fq6 &elt)
Definition: edwards_pairing.cpp:219
bls12_377_modulus_q
#define bls12_377_modulus_q
Definition: bls12_377_init.hpp:45
libff::bls12_377_twist
bls12_377_Fq2 bls12_377_twist
Definition: bls12_377_init.cpp:18
libff::edwards_final_exponentiation_first_chunk
edwards_Fq6 edwards_final_exponentiation_first_chunk(const edwards_Fq6 &elt, const edwards_Fq6 &elt_inv)
Definition: edwards_pairing.cpp:200
libff::edwards_twist_mul_by_q_Y
edwards_Fq edwards_twist_mul_by_q_Y
Definition: edwards_init.cpp:29
libff::mnt4_GT
mnt4_Fq4 mnt4_GT
Definition: mnt4_init.hpp:40
libff::bls12_381_ate_precompute_G1
bls12_381_ate_G1_precomp bls12_381_ate_precompute_G1(const bls12_381_G1 &P)
Definition: bls12_381_pairing.cpp:309
libff::bn128_twist_coeff_b
bn::Fp2 bn128_twist_coeff_b
Definition: bn128_init.cpp:24
libff::alt_bn128_ate_reduced_pairing
alt_bn128_GT alt_bn128_ate_reduced_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:535
libff::mnt4_ate_loop_count
bigint< mnt4_q_limbs > mnt4_ate_loop_count
Definition: mnt4_init.cpp:34
libff::alt_bn128_final_exponentiation_last_chunk
alt_bn128_Fq12 alt_bn128_final_exponentiation_last_chunk(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:155
libff::edwards_Fq
Fp_model< edwards_q_limbs, edwards_modulus_q > edwards_Fq
Definition: edwards_init.hpp:30
libff::mnt6_affine_ate_miller_loop
mnt6_Fq6 mnt6_affine_ate_miller_loop(const mnt6_affine_ate_G1_precomputation &prec_P, const mnt6_affine_ate_G2_precomputation &prec_Q)
Definition: mnt6_pairing.cpp:323
libff::bls12_377_g2_untwist_frobenius_twist_w_3_inverse
bls12_377_Fq12 bls12_377_g2_untwist_frobenius_twist_w_3_inverse
Definition: bls12_377_init.cpp:37
libff::alt_bn128_ate_precompute_G2
alt_bn128_ate_G2_precomp alt_bn128_ate_precompute_G2(const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:340
libff::mnt4_ate_is_loop_count_neg
bool mnt4_ate_is_loop_count_neg
Definition: mnt4_init.cpp:35
libff::edwards_twist_mul_by_d_c1
edwards_Fq edwards_twist_mul_by_d_c1
Definition: edwards_init.cpp:27
libff::mnt46_A_bitcount
const mp_size_t mnt46_A_bitcount
Definition: mnt46_common.hpp:20
libff::mnt4_twist_mul_by_b_c0
mnt4_Fq mnt4_twist_mul_by_b_c0
Definition: mnt4_init.cpp:29
libff::Fp3_model::inverse
Fp3_model inverse() const
libff::last_time
long long last_time
Definition: profiling.cpp:62
libff::bw6_761_final_exponent_z
bigint< bw6_761_q_limbs > bw6_761_final_exponent_z
Definition: bw6_761_init.cpp:24
libff::form_plain
@ form_plain
Definition: serialization.hpp:26
libff::consume_OUTPUT_NEWLINE
void consume_OUTPUT_NEWLINE(std::istream &in)
libff::multi_exp_method_BDLO12
@ multi_exp_method_BDLO12
Definition: multiexp.hpp:39
usage
void usage(const char *const argv0)
Definition: profile_algebra_groups_read.cpp:581
libff::multi_exp_method_naive
@ multi_exp_method_naive
Definition: multiexp.hpp:25
libff::bls12_377_final_exponentiation
bls12_377_GT bls12_377_final_exponentiation(const bls12_377_Fq12 &elt)
Definition: bls12_377_pairing.cpp:217
libff::alt_bn128_ate_miller_loop
alt_bn128_Fq12 alt_bn128_ate_miller_loop(const alt_bn128_ate_G1_precomp &prec_P, const alt_bn128_ate_G2_precomp &prec_Q)
Definition: alt_bn128_pairing.cpp:401
libff::last_cpu_times
std::map< std::string, long long > last_cpu_times
Definition: profiling.cpp:80
libff::find_wnaf
std::vector< long > find_wnaf(const size_t window_size, const bigint< n > &scalar)
libff::mnt4_Fq4
Fp4_model< mnt4_q_limbs, mnt4_modulus_q > mnt4_Fq4
Definition: mnt4_init.hpp:39
libff::mnt4_final_exponent_last_chunk_is_w0_neg
bool mnt4_final_exponent_last_chunk_is_w0_neg
Definition: mnt4_init.cpp:38
libff::op_counts
std::map< std::pair< std::string, std::string >, long long > op_counts
Definition: profiling.cpp:81
libff::mnt4_twist_mul_by_q_Y
mnt4_Fq mnt4_twist_mul_by_q_Y
Definition: mnt4_init.cpp:32
libff::Fp2_model::squared
Fp2_model squared() const
default is squared_complex
libff::bw6_761_r_bitcount
const mp_size_t bw6_761_r_bitcount
Definition: bw6_761_init.hpp:12
libff::mixed_addition_step_for_flipped_miller_loop
void mixed_addition_step_for_flipped_miller_loop(const extended_edwards_G2_projective &base, extended_edwards_G2_projective &current, edwards_Fq3_conic_coefficients &cc)
Definition: edwards_pairing.cpp:570
libff::bn128_Fq2_t_minus_1_over_2
mie::Vuint bn128_Fq2_t_minus_1_over_2
Definition: bn128_init.cpp:27
libff::multi_exp_method_naive_plain
@ multi_exp_method_naive_plain
Definition: multiexp.hpp:28
libff::mnt4_final_exponent_last_chunk_w1
bigint< mnt4_q_limbs > mnt4_final_exponent_last_chunk_w1
Definition: mnt4_init.cpp:39
libff::enter_times
std::map< std::string, long long > enter_times
Definition: profiling.cpp:74
libff::invocation_counts
std::map< std::string, size_t > invocation_counts
Definition: profiling.cpp:73
libff::leave_block
void leave_block(const std::string &msg, const bool indent)
Definition: profiling.cpp:305
libff::bls12_381_ate_precompute_G2
bls12_381_ate_G2_precomp bls12_381_ate_precompute_G2(const bls12_381_G2 &Q)
Definition: bls12_381_pairing.cpp:324
libff::bls12_381_Fq12
Fp12_2over3over2_model< bls12_381_q_limbs, bls12_381_modulus_q > bls12_381_Fq12
Definition: bls12_381_init.hpp:35
libff::bls12_377_ate_is_loop_count_neg
bool bls12_377_ate_is_loop_count_neg
Definition: bls12_377_init.cpp:44
libff::bw6_761_twist_coeff_b
bw6_761_Fq bw6_761_twist_coeff_b
Definition: bw6_761_init.cpp:19
libff::alt_bn128_ate_pairing
alt_bn128_Fq12 alt_bn128_ate_pairing(const alt_bn128_G1 &P, const alt_bn128_G2 &Q)
Definition: alt_bn128_pairing.cpp:524
libff::alt_bn128_Fq12
Fp12_2over3over2_model< alt_bn128_q_limbs, alt_bn128_modulus_q > alt_bn128_Fq12
Definition: alt_bn128_init.hpp:35
libff::alt_bn128_r_bitcount
const mp_size_t alt_bn128_r_bitcount
Definition: alt_bn128_init.hpp:19
libff::alt_bn128_twist_mul_by_b_c0
alt_bn128_Fq alt_bn128_twist_mul_by_b_c0
Definition: alt_bn128_init.cpp:21
libff::bw6_761_Fq6
Fp6_2over3_model< bw6_761_q_limbs, bw6_761_modulus_q > bw6_761_Fq6
Definition: bw6_761_init.hpp:26
libff::multi_exp_method_BDLO12_signed
@ multi_exp_method_BDLO12_signed
Similar to multi_exp_method_BDLO12, but using signed digits.
Definition: multiexp.hpp:41
libff::bls12_381_ate_double_miller_loop
bls12_381_Fq12 bls12_381_ate_double_miller_loop(const bls12_381_ate_G1_precomp &prec_P1, const bls12_381_ate_G2_precomp &prec_Q1, const bls12_381_ate_G1_precomp &prec_P2, const bls12_381_ate_G2_precomp &prec_Q2)
Definition: bls12_381_pairing.cpp:415
libff::bls12_381_coeff_b
bls12_381_Fq bls12_381_coeff_b
Definition: bls12_381_init.cpp:11
OUTPUT_NEWLINE
#define OUTPUT_NEWLINE
Definition: serialization.hpp:68
libff::alt_bn128_ate_precompute_G1
alt_bn128_ate_G1_precomp alt_bn128_ate_precompute_G1(const alt_bn128_G1 &P)
Definition: alt_bn128_pairing.cpp:325
libff::edwards_Fq6
Fp6_2over3_model< edwards_q_limbs, edwards_modulus_q > edwards_Fq6
Definition: edwards_init.hpp:32
libff::bls12_381_twist
bls12_381_Fq2 bls12_381_twist
Definition: bls12_381_init.cpp:13
libff::edwards_twist_mul_by_d_c2
edwards_Fq edwards_twist_mul_by_d_c2
Definition: edwards_init.cpp:28
libff::bw6_761_q_bitcount
const mp_size_t bw6_761_q_bitcount
Definition: bw6_761_init.hpp:13
libff::mnt4_twist_mul_by_a_c0
mnt4_Fq mnt4_twist_mul_by_a_c0
Definition: mnt4_init.cpp:27
libff::mnt6_ate_is_loop_count_neg
bool mnt6_ate_is_loop_count_neg
Definition: mnt6_init.cpp:37
libff::bn128_modulus_q
bigint< bn128_q_limbs > bn128_modulus_q
Definition: bn128_init.cpp:17
libff::edwards_ate_pairing
edwards_Fq6 edwards_ate_pairing(const edwards_G1 &P, const edwards_G2 &Q)
Definition: edwards_pairing.cpp:757
libff::bls12_377_g2_mul_by_cofactor_h2_0
bigint< bls12_377_r_limbs > bls12_377_g2_mul_by_cofactor_h2_0
Definition: bls12_377_init.cpp:40
libff::edwards_modulus_q
bigint< edwards_q_limbs > edwards_modulus_q
Definition: edwards_init.cpp:16
libff::bls12_377_q_bitcount
const mp_size_t bls12_377_q_bitcount
Definition: bls12_377_init.hpp:25
libff::bls12_377_ate_precompute_G2
bls12_377_ate_G2_precomp bls12_377_ate_precompute_G2(const bls12_377_G2 &Q)
Definition: bls12_377_pairing.cpp:363
libff::bn128_r_bitcount
const mp_size_t bn128_r_bitcount
Definition: bn128_init.hpp:18
libff::mnt6_final_exponent
bigint< 6 *mnt6_q_limbs > mnt6_final_exponent
Definition: mnt6_init.cpp:38
libff::mnt46_B_bitcount
const mp_size_t mnt46_B_bitcount
Definition: mnt46_common.hpp:21
libff::mnt6_final_exponent_last_chunk_is_w0_neg
bool mnt6_final_exponent_last_chunk_is_w0_neg
Definition: mnt6_init.cpp:40
libff::bls12_377_ate_precompute_G1
bls12_377_ate_G1_precomp bls12_377_ate_precompute_G1(const bls12_377_G1 &P)
Definition: bls12_377_pairing.cpp:333
libff::edwards_tate_G1_precomp
std::vector< edwards_Fq_conic_coefficients > edwards_tate_G1_precomp
Definition: edwards_pairing.hpp:37
libff::mnt4_final_exponentiation
mnt4_GT mnt4_final_exponentiation(const mnt4_Fq4 &elt)
Definition: mnt4_pairing.cpp:207
libff::mnt4_affine_ate_miller_loop
mnt4_Fq4 mnt4_affine_ate_miller_loop(const mnt4_affine_ate_G1_precomputation &prec_P, const mnt4_affine_ate_G2_precomputation &prec_Q)
Definition: mnt4_pairing.cpp:318
libff::mnt6_final_exponent_last_chunk_abs_of_w0
bigint< mnt6_q_limbs > mnt6_final_exponent_last_chunk_abs_of_w0
Definition: mnt6_init.cpp:39
libff::mnt4_twist
mnt4_Fq2 mnt4_twist
Definition: mnt4_init.cpp:24
libff::bn128_Fq12
bn128_GT bn128_Fq12
Definition: bn128_init.hpp:46
libff::bls12_377_ate_double_miller_loop
bls12_377_Fq12 bls12_377_ate_double_miller_loop(const bls12_377_ate_G1_precomp &prec_P1, const bls12_377_ate_G2_precomp &prec_Q1, const bls12_377_ate_G1_precomp &prec_P2, const bls12_377_ate_G2_precomp &prec_Q2)
Definition: bls12_377_pairing.cpp:465
libff::bls12_381_final_exponent_is_z_neg
bool bls12_381_final_exponent_is_z_neg
Definition: bls12_381_init.cpp:24
libff::consume_newline
void consume_newline(std::istream &in)
libff::Fp3_model::squared
Fp3_model squared() const
libff::alt_bn128_final_exponentiation
alt_bn128_GT alt_bn128_final_exponentiation(const alt_bn128_Fq12 &elt)
Definition: alt_bn128_pairing.cpp:231
libff::bls12_377_twist_mul_by_b_c0
bls12_377_Fq bls12_377_twist_mul_by_b_c0
Definition: bls12_377_init.cpp:20
libff::print_cumulative_time_entry
void print_cumulative_time_entry(const std::string &key, const long long factor)
Definition: profiling.cpp:118
libff::alt_bn128_ate_loop_count
bigint< alt_bn128_q_limbs > alt_bn128_ate_loop_count
Definition: alt_bn128_init.cpp:26
libff::block_names
std::vector< std::string > block_names
Definition: profiling.cpp:88
libff::mnt6_affine_ate_precompute_G1
mnt6_affine_ate_G1_precomputation mnt6_affine_ate_precompute_G1(const mnt6_G1 &P)
Definition: mnt6_pairing.cpp:228
libff::alt_bn128_coeff_b
alt_bn128_Fq alt_bn128_coeff_b
Definition: alt_bn128_init.cpp:18
libff::mnt6_final_exponentiation
mnt6_GT mnt6_final_exponentiation(const mnt6_Fq6 &elt)
Definition: mnt6_pairing.cpp:211
libff::bw6_761_Fq3
Fp3_model< bw6_761_q_limbs, bw6_761_modulus_q > bw6_761_Fq3
Definition: bw6_761_init.hpp:25
libff::edwards_ate_reduced_pairing
edwards_GT edwards_ate_reduced_pairing(const edwards_G1 &P, const edwards_G2 &Q)
Definition: edwards_pairing.cpp:767
libff::bn128_Fr
Fp_model< bn128_r_limbs, bn128_modulus_r > bn128_Fr
Definition: bn128_init.hpp:39
libff::edwards_twist_mul_by_a_c2
edwards_Fq edwards_twist_mul_by_a_c2
Definition: edwards_init.cpp:25
libff::bw6_761_ate_pairing
bw6_761_Fq6 bw6_761_ate_pairing(const bw6_761_G1 &P, const bw6_761_G2 &Q)
Definition: bw6_761_pairing.cpp:625
libff::bls12_377_exp_by_z
bls12_377_Fq12 bls12_377_exp_by_z(const bls12_377_Fq12 &elt)
Definition: bls12_377_pairing.cpp:137
libff::inhibit_profiling_counters
bool inhibit_profiling_counters
Definition: profiling.cpp:108
libff::mnt4_ate_miller_loop
mnt4_Fq4 mnt4_ate_miller_loop(const mnt4_ate_G1_precomp &prec_P, const mnt4_ate_G2_precomp &prec_Q)
Definition: mnt4_pairing.cpp:539
libff::bls12_381_final_exponentiation
bls12_381_GT bls12_381_final_exponentiation(const bls12_381_Fq12 &elt)
Definition: bls12_381_pairing.cpp:215
libff::mnt6_twist_mul_by_b_c0
mnt6_Fq mnt6_twist_mul_by_b_c0
Definition: mnt6_init.cpp:30
libff::mnt4_ate_precompute_G1
mnt4_ate_G1_precomp mnt4_ate_precompute_G1(const mnt4_G1 &P)
Definition: mnt4_pairing.cpp:463
libff::inhibit_profiling_info
bool inhibit_profiling_info
Definition: profiling.cpp:107
libff::mnt6_ate_precompute_G1
mnt6_ate_G1_precomp mnt6_ate_precompute_G1(const mnt6_G1 &P)
Definition: mnt6_pairing.cpp:468
libff::mixed_addition_step_for_flipped_miller_loop
void mixed_addition_step_for_flipped_miller_loop(const mnt6_Fq3 base_X, const mnt6_Fq3 base_Y, const mnt6_Fq3 base_Y_squared, extended_mnt6_G2_projective &current, mnt6_ate_add_coeffs &ac)
Definition: mnt6_pairing.cpp:434
libff::bls12_377_g1_endomorphism_beta
bls12_377_Fq bls12_377_g1_endomorphism_beta
Definition: bls12_377_init.cpp:26
libff::bw6_761_ate_loop_count1
bigint< bw6_761_q_limbs > bw6_761_ate_loop_count1
Definition: bw6_761_init.cpp:21
libff::doubling_step_for_miller_loop
void doubling_step_for_miller_loop(extended_edwards_G1_projective &current, edwards_Fq_conic_coefficients &cc)
Definition: edwards_pairing.cpp:267
libff::bn128_Fq_t_minus_1_over_2
mie::Vuint bn128_Fq_t_minus_1_over_2
Definition: bn128_init.cpp:22
libff::alt_bn128_twist
alt_bn128_Fq2 alt_bn128_twist
Definition: alt_bn128_init.cpp:19
Generated on Thu Aug 18 2022 12:42:19 for Clearmatics Libff by   doxygen 1.8.17