@noble/curves 1.4.2 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +159 -128
- package/_shortw_utils.d.ts.map +1 -1
- package/abstract/bls.d.ts +37 -34
- package/abstract/bls.d.ts.map +1 -1
- package/abstract/bls.js +167 -115
- package/abstract/bls.js.map +1 -1
- package/abstract/curve.d.ts +14 -1
- package/abstract/curve.d.ts.map +1 -1
- package/abstract/curve.js +77 -7
- package/abstract/curve.js.map +1 -1
- package/abstract/edwards.d.ts +12 -0
- package/abstract/edwards.d.ts.map +1 -1
- package/abstract/edwards.js +84 -75
- package/abstract/edwards.js.map +1 -1
- package/abstract/hash-to-curve.d.ts.map +1 -1
- package/abstract/hash-to-curve.js +4 -2
- package/abstract/hash-to-curve.js.map +1 -1
- package/abstract/modular.d.ts +4 -0
- package/abstract/modular.d.ts.map +1 -1
- package/abstract/modular.js +13 -2
- package/abstract/modular.js.map +1 -1
- package/abstract/montgomery.d.ts.map +1 -1
- package/abstract/montgomery.js +4 -9
- package/abstract/montgomery.js.map +1 -1
- package/abstract/tower.d.ts +107 -0
- package/abstract/tower.d.ts.map +1 -0
- package/abstract/tower.js +498 -0
- package/abstract/tower.js.map +1 -0
- package/abstract/utils.d.ts +17 -0
- package/abstract/utils.d.ts.map +1 -1
- package/abstract/utils.js +50 -1
- package/abstract/utils.js.map +1 -1
- package/abstract/weierstrass.d.ts +25 -3
- package/abstract/weierstrass.d.ts.map +1 -1
- package/abstract/weierstrass.js +189 -113
- package/abstract/weierstrass.js.map +1 -1
- package/bls12-381.d.ts +1 -65
- package/bls12-381.d.ts.map +1 -1
- package/bls12-381.js +48 -575
- package/bls12-381.js.map +1 -1
- package/bn254.d.ts +10 -6
- package/bn254.d.ts.map +1 -1
- package/bn254.js +207 -10
- package/bn254.js.map +1 -1
- package/ed25519.d.ts +7 -4
- package/ed25519.d.ts.map +1 -1
- package/ed25519.js +3 -0
- package/ed25519.js.map +1 -1
- package/esm/_shortw_utils.d.ts.map +1 -1
- package/esm/abstract/bls.d.ts +37 -34
- package/esm/abstract/bls.d.ts.map +1 -1
- package/esm/abstract/bls.js +168 -116
- package/esm/abstract/bls.js.map +1 -1
- package/esm/abstract/curve.d.ts +14 -1
- package/esm/abstract/curve.d.ts.map +1 -1
- package/esm/abstract/curve.js +77 -8
- package/esm/abstract/curve.js.map +1 -1
- package/esm/abstract/edwards.d.ts +12 -0
- package/esm/abstract/edwards.d.ts.map +1 -1
- package/esm/abstract/edwards.js +87 -78
- package/esm/abstract/edwards.js.map +1 -1
- package/esm/abstract/hash-to-curve.d.ts.map +1 -1
- package/esm/abstract/hash-to-curve.js +4 -2
- package/esm/abstract/hash-to-curve.js.map +1 -1
- package/esm/abstract/modular.d.ts +4 -0
- package/esm/abstract/modular.d.ts.map +1 -1
- package/esm/abstract/modular.js +12 -2
- package/esm/abstract/modular.js.map +1 -1
- package/esm/abstract/montgomery.d.ts.map +1 -1
- package/esm/abstract/montgomery.js +5 -10
- package/esm/abstract/montgomery.js.map +1 -1
- package/esm/abstract/tower.d.ts +107 -0
- package/esm/abstract/tower.d.ts.map +1 -0
- package/esm/abstract/tower.js +494 -0
- package/esm/abstract/tower.js.map +1 -0
- package/esm/abstract/utils.d.ts +17 -0
- package/esm/abstract/utils.d.ts.map +1 -1
- package/esm/abstract/utils.js +44 -0
- package/esm/abstract/utils.js.map +1 -1
- package/esm/abstract/weierstrass.d.ts +25 -3
- package/esm/abstract/weierstrass.d.ts.map +1 -1
- package/esm/abstract/weierstrass.js +191 -115
- package/esm/abstract/weierstrass.js.map +1 -1
- package/esm/bls12-381.d.ts +1 -65
- package/esm/bls12-381.d.ts.map +1 -1
- package/esm/bls12-381.js +50 -577
- package/esm/bls12-381.js.map +1 -1
- package/esm/bn254.d.ts +10 -6
- package/esm/bn254.d.ts.map +1 -1
- package/esm/bn254.js +206 -9
- package/esm/bn254.js.map +1 -1
- package/esm/ed25519.d.ts +7 -4
- package/esm/ed25519.d.ts.map +1 -1
- package/esm/ed25519.js +3 -0
- package/esm/ed25519.js.map +1 -1
- package/esm/jubjub.d.ts.map +1 -1
- package/esm/jubjub.js +8 -2
- package/esm/jubjub.js.map +1 -1
- package/esm/p256.d.ts.map +1 -1
- package/esm/p384.d.ts.map +1 -1
- package/esm/p521.d.ts.map +1 -1
- package/esm/secp256k1.d.ts +6 -0
- package/esm/secp256k1.d.ts.map +1 -1
- package/esm/secp256k1.js +17 -13
- package/esm/secp256k1.js.map +1 -1
- package/jubjub.d.ts.map +1 -1
- package/jubjub.js +8 -2
- package/jubjub.js.map +1 -1
- package/p256.d.ts.map +1 -1
- package/p384.d.ts.map +1 -1
- package/p521.d.ts.map +1 -1
- package/package.json +27 -19
- package/secp256k1.d.ts +6 -0
- package/secp256k1.d.ts.map +1 -1
- package/secp256k1.js +16 -12
- package/secp256k1.js.map +1 -1
- package/src/abstract/bls.ts +222 -168
- package/src/abstract/curve.ts +80 -8
- package/src/abstract/edwards.ts +97 -70
- package/src/abstract/hash-to-curve.ts +3 -1
- package/src/abstract/modular.ts +13 -3
- package/src/abstract/montgomery.ts +11 -10
- package/src/abstract/tower.ts +605 -0
- package/src/abstract/utils.ts +49 -0
- package/src/abstract/weierstrass.ts +179 -104
- package/src/bls12-381.ts +53 -707
- package/src/bn254.ts +224 -9
- package/src/ed25519.ts +5 -2
- package/src/jubjub.ts +7 -2
- package/src/secp256k1.ts +24 -12
package/abstract/montgomery.js
CHANGED
|
@@ -47,12 +47,6 @@ function montgomery(curveDef) {
|
|
|
47
47
|
x_3 = modP(x_3 + dummy);
|
|
48
48
|
return [x_2, x_3];
|
|
49
49
|
}
|
|
50
|
-
// Accepts 0 as well
|
|
51
|
-
function assertFieldElement(n) {
|
|
52
|
-
if (typeof n === 'bigint' && _0n <= n && n < P)
|
|
53
|
-
return n;
|
|
54
|
-
throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
|
|
55
|
-
}
|
|
56
50
|
// x25519 from 4
|
|
57
51
|
// The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
|
|
58
52
|
const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
|
|
@@ -62,11 +56,12 @@ function montgomery(curveDef) {
|
|
|
62
56
|
* @param scalar by which the point would be multiplied
|
|
63
57
|
* @returns new Point on Montgomery curve
|
|
64
58
|
*/
|
|
65
|
-
function montgomeryLadder(
|
|
66
|
-
|
|
59
|
+
function montgomeryLadder(u, scalar) {
|
|
60
|
+
(0, utils_js_1.aInRange)('u', u, _0n, P);
|
|
61
|
+
(0, utils_js_1.aInRange)('scalar', scalar, _0n, P);
|
|
67
62
|
// Section 5: Implementations MUST accept non-canonical values and process them as
|
|
68
63
|
// if they had been reduced modulo the field prime.
|
|
69
|
-
const k =
|
|
64
|
+
const k = scalar;
|
|
70
65
|
const x_1 = u;
|
|
71
66
|
let x_2 = _1n;
|
|
72
67
|
let z_2 = _0n;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"montgomery.js","sourceRoot":"","sources":["../src/abstract/montgomery.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"montgomery.js","sourceRoot":"","sources":["../src/abstract/montgomery.ts"],"names":[],"mappings":";;AAwDA,gCAmIC;AA3LD,sEAAsE;AACtE,6CAAwC;AACxC,yCAMoB;AAEpB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AAwBtB,SAAS,YAAY,CAAC,KAAgB;IACpC,IAAA,yBAAc,EACZ,KAAK,EACL;QACE,CAAC,EAAE,QAAQ;KACZ,EACD;QACE,cAAc,EAAE,eAAe;QAC/B,WAAW,EAAE,eAAe;QAC5B,iBAAiB,EAAE,UAAU;QAC7B,MAAM,EAAE,UAAU;QAClB,UAAU,EAAE,UAAU;QACtB,EAAE,EAAE,QAAQ;KACb,CACF,CAAC;IACF,eAAe;IACf,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,KAAK,EAAW,CAAC,CAAC;AAC9C,CAAC;AAED,4IAA4I;AAC5I,0CAA0C;AAC1C,SAAgB,UAAU,CAAC,QAAmB;IAC5C,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC;IACpB,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;IAC5C,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC;IACnC,MAAM,iBAAiB,GAAG,KAAK,CAAC,iBAAiB,IAAI,CAAC,CAAC,KAAiB,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;IACpF,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAEjF,kDAAkD;IAClD;;;;;;;;MAQE;IACF,SAAS,KAAK,CAAC,IAAY,EAAE,GAAW,EAAE,GAAW;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC;QACvC,GAAG,GAAG,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;QACxB,GAAG,GAAG,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACpB,CAAC;IAED,gBAAgB;IAChB,sEAAsE;IACtE,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAC9C;;;;;OAKG;IACH,SAAS,gBAAgB,CAAC,CAAS,EAAE,MAAc;QACjD,IAAA,mBAAQ,EAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;QACzB,IAAA,mBAAQ,EAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;QACnC,kFAAkF;QAClF,mDAAmD;QACnD,MAAM,CAAC,GAAG,MAAM,CAAC;QACjB,MAAM,GAAG,GAAG,CAAC,CAAC;QACd,IAAI,GAAG,GAAG,GAAG,CAAC;QACd,IAAI,GAAG,GAAG,GAAG,CAAC;QACd,IAAI,GAAG,GAAG,CAAC,CAAC;QACZ,IAAI,GAAG,GAAG,GAAG,CAAC;QACd,IAAI,IAAI,GAAG,GAAG,CAAC;QACf,IAAI,EAAoB,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,cAAc,GAAG,CAAC,CAAC,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YACvD,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC;YAC3B,IAAI,IAAI,GAAG,CAAC;YACZ,EAAE,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC3B,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;YACZ,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;YACZ,EAAE,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC3B,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;YACZ,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;YACZ,IAAI,GAAG,GAAG,CAAC;YAEX,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC;YACpB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvB,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC;YACpB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvB,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC;YACpB,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC;YACpB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvB,MAAM,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC;YACrB,MAAM,KAAK,GAAG,EAAE,GAAG,EAAE,CAAC;YACtB,GAAG,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACxB,GAAG,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC;YACtC,GAAG,GAAG,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;YACpB,GAAG,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,CAAC;QACD,qCAAqC;QACrC,EAAE,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QAC3B,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACZ,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACZ,qCAAqC;QACrC,EAAE,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QAC3B,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACZ,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACZ,cAAc;QACd,MAAM,EAAE,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC3B,6BAA6B;QAC7B,OAAO,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,SAAS,iBAAiB,CAAC,CAAS;QAClC,OAAO,IAAA,0BAAe,EAAC,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;IACnD,CAAC;IAED,SAAS,iBAAiB,CAAC,IAAS;QAClC,qEAAqE;QACrE,wDAAwD;QACxD,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,cAAc,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC;QAC7D,IAAI,QAAQ,KAAK,EAAE;YAAE,CAAC,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,cAAc;QACjD,OAAO,IAAA,0BAAe,EAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IACD,SAAS,YAAY,CAAC,CAAM;QAC1B,MAAM,KAAK,GAAG,IAAA,sBAAW,EAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QACvC,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;QACzB,IAAI,GAAG,KAAK,eAAe,IAAI,GAAG,KAAK,QAAQ;YAC7C,MAAM,IAAI,KAAK,CAAC,YAAY,eAAe,OAAO,QAAQ,eAAe,GAAG,EAAE,CAAC,CAAC;QAClF,OAAO,IAAA,0BAAe,EAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,CAAC;IACD,SAAS,UAAU,CAAC,MAAW,EAAE,CAAM;QACrC,MAAM,MAAM,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,EAAE,GAAG,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,kCAAkC;QAClC,sCAAsC;QACtC,IAAI,EAAE,KAAK,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC1E,OAAO,iBAAiB,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC;IACD,kFAAkF;IAClF,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5C,SAAS,cAAc,CAAC,MAAW;QACjC,OAAO,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,OAAO;QACL,UAAU;QACV,cAAc;QACd,eAAe,EAAE,CAAC,UAAe,EAAE,SAAc,EAAE,EAAE,CAAC,UAAU,CAAC,UAAU,EAAE,SAAS,CAAC;QACvF,YAAY,EAAE,CAAC,UAAe,EAAc,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC;QACzE,KAAK,EAAE,EAAE,gBAAgB,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,WAAY,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;QACxE,OAAO,EAAE,OAAO;KACjB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
|
|
2
|
+
import * as mod from './modular.js';
|
|
3
|
+
import type { ProjConstructor, ProjPointType } from './weierstrass.js';
|
|
4
|
+
export type BigintTuple = [bigint, bigint];
|
|
5
|
+
export type Fp = bigint;
|
|
6
|
+
export type Fp2 = {
|
|
7
|
+
c0: bigint;
|
|
8
|
+
c1: bigint;
|
|
9
|
+
};
|
|
10
|
+
export type BigintSix = [bigint, bigint, bigint, bigint, bigint, bigint];
|
|
11
|
+
export type Fp6 = {
|
|
12
|
+
c0: Fp2;
|
|
13
|
+
c1: Fp2;
|
|
14
|
+
c2: Fp2;
|
|
15
|
+
};
|
|
16
|
+
export type Fp12 = {
|
|
17
|
+
c0: Fp6;
|
|
18
|
+
c1: Fp6;
|
|
19
|
+
};
|
|
20
|
+
export type BigintTwelve = [
|
|
21
|
+
bigint,
|
|
22
|
+
bigint,
|
|
23
|
+
bigint,
|
|
24
|
+
bigint,
|
|
25
|
+
bigint,
|
|
26
|
+
bigint,
|
|
27
|
+
bigint,
|
|
28
|
+
bigint,
|
|
29
|
+
bigint,
|
|
30
|
+
bigint,
|
|
31
|
+
bigint,
|
|
32
|
+
bigint
|
|
33
|
+
];
|
|
34
|
+
export type Fp2Bls = mod.IField<Fp2> & {
|
|
35
|
+
reim: (num: Fp2) => {
|
|
36
|
+
re: Fp;
|
|
37
|
+
im: Fp;
|
|
38
|
+
};
|
|
39
|
+
mulByB: (num: Fp2) => Fp2;
|
|
40
|
+
frobeniusMap(num: Fp2, power: number): Fp2;
|
|
41
|
+
fromBigTuple(num: [bigint, bigint]): Fp2;
|
|
42
|
+
};
|
|
43
|
+
export type Fp12Bls = mod.IField<Fp12> & {
|
|
44
|
+
frobeniusMap(num: Fp12, power: number): Fp12;
|
|
45
|
+
mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
|
|
46
|
+
mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
|
|
47
|
+
conjugate(num: Fp12): Fp12;
|
|
48
|
+
finalExponentiate(num: Fp12): Fp12;
|
|
49
|
+
};
|
|
50
|
+
export declare function psiFrobenius(Fp: mod.IField<Fp>, Fp2: Fp2Bls, base: Fp2): {
|
|
51
|
+
psi: (x: Fp2, y: Fp2) => [Fp2, Fp2];
|
|
52
|
+
psi2: (x: Fp2, y: Fp2) => [Fp2, Fp2];
|
|
53
|
+
G2psi: (c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) => ProjPointType<Fp2>;
|
|
54
|
+
G2psi2: (c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) => ProjPointType<Fp2>;
|
|
55
|
+
PSI_X: Fp2;
|
|
56
|
+
PSI_Y: Fp2;
|
|
57
|
+
PSI2_X: Fp2;
|
|
58
|
+
PSI2_Y: Fp2;
|
|
59
|
+
};
|
|
60
|
+
export type Tower12Opts = {
|
|
61
|
+
ORDER: bigint;
|
|
62
|
+
NONRESIDUE?: Fp;
|
|
63
|
+
FP2_NONRESIDUE: BigintTuple;
|
|
64
|
+
Fp2sqrt?: (num: Fp2) => Fp2;
|
|
65
|
+
Fp2mulByB: (num: Fp2) => Fp2;
|
|
66
|
+
Fp12cyclotomicSquare: (num: Fp12) => Fp12;
|
|
67
|
+
Fp12cyclotomicExp: (num: Fp12, n: bigint) => Fp12;
|
|
68
|
+
Fp12finalExponentiate: (num: Fp12) => Fp12;
|
|
69
|
+
};
|
|
70
|
+
export declare function tower12(opts: Tower12Opts): {
|
|
71
|
+
Fp: Readonly<mod.IField<bigint> & Required<Pick<mod.IField<bigint>, "isOdd">>>;
|
|
72
|
+
Fp2: mod.IField<Fp2> & {
|
|
73
|
+
NONRESIDUE: Fp2;
|
|
74
|
+
fromBigTuple: (tuple: BigintTuple | bigint[]) => Fp2;
|
|
75
|
+
reim: (num: Fp2) => {
|
|
76
|
+
re: bigint;
|
|
77
|
+
im: bigint;
|
|
78
|
+
};
|
|
79
|
+
mulByNonresidue: (num: Fp2) => Fp2;
|
|
80
|
+
mulByB: (num: Fp2) => Fp2;
|
|
81
|
+
frobeniusMap(num: Fp2, power: number): Fp2;
|
|
82
|
+
};
|
|
83
|
+
Fp6: mod.IField<Fp6> & {
|
|
84
|
+
fromBigSix: (tuple: BigintSix) => Fp6;
|
|
85
|
+
mulByNonresidue: (num: Fp6) => Fp6;
|
|
86
|
+
frobeniusMap(num: Fp6, power: number): Fp6;
|
|
87
|
+
mul1(num: Fp6, b1: Fp2): Fp6;
|
|
88
|
+
mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
|
|
89
|
+
mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
|
|
90
|
+
};
|
|
91
|
+
Fp4Square: (a: Fp2, b: Fp2) => {
|
|
92
|
+
first: Fp2;
|
|
93
|
+
second: Fp2;
|
|
94
|
+
};
|
|
95
|
+
Fp12: mod.IField<Fp12> & {
|
|
96
|
+
fromBigTwelve: (t: BigintTwelve) => Fp12;
|
|
97
|
+
frobeniusMap(num: Fp12, power: number): Fp12;
|
|
98
|
+
mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
|
|
99
|
+
mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
|
|
100
|
+
mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
|
|
101
|
+
conjugate(num: Fp12): Fp12;
|
|
102
|
+
finalExponentiate(num: Fp12): Fp12;
|
|
103
|
+
_cyclotomicSquare(num: Fp12): Fp12;
|
|
104
|
+
_cyclotomicExp(num: Fp12, n: bigint): Fp12;
|
|
105
|
+
};
|
|
106
|
+
};
|
|
107
|
+
//# sourceMappingURL=tower.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tower.d.ts","sourceRoot":"","sources":["../src/abstract/tower.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,KAAK,GAAG,MAAM,cAAc,CAAC;AAEpC,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAmBvE,MAAM,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC3C,MAAM,MAAM,EAAE,GAAG,MAAM,CAAC;AAGxB,MAAM,MAAM,GAAG,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC;AAC7C,MAAM,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACzE,MAAM,MAAM,GAAG,GAAG;IAAE,EAAE,EAAE,GAAG,CAAC;IAAC,EAAE,EAAE,GAAG,CAAC;IAAC,EAAE,EAAE,GAAG,CAAA;CAAE,CAAC;AAChD,MAAM,MAAM,IAAI,GAAG;IAAE,EAAE,EAAE,GAAG,CAAC;IAAC,EAAE,EAAE,GAAG,CAAA;CAAE,CAAC;AAExC,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAC9C,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;CAC/C,CAAC;AAEF,MAAM,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;IACrC,IAAI,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK;QAAE,EAAE,EAAE,EAAE,CAAC;QAAC,EAAE,EAAE,EAAE,CAAA;KAAE,CAAC;IACvC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC1B,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC;IAC3C,YAAY,CAAC,GAAG,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC;CAC1C,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;IACvC,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7C,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IACnD,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IACnD,SAAS,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;CACpC,CAAC;AA2BF,wBAAgB,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG;aAIrD,GAAG,KAAK,GAAG,KAAG,CAAC,GAAG,EAAE,GAAG,CAAC;cAYvB,GAAG,KAAK,GAAG,KAAG,CAAC,GAAG,EAAE,GAAG,CAAC;;;;;;;EAc1C;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,EAAE,CAAC;IAEhB,cAAc,EAAE,WAAW,CAAC;IAC5B,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC5B,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAE7B,oBAAoB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,IAAI,CAAC;IAC1C,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IAClD,qBAAqB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,IAAI,CAAC;CAC5C,CAAC;AAEF,wBAAgB,OAAO,CAAC,IAAI,EAAE,WAAW;;;oBAoCzB,GAAG;sBACD,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,EAAE,KAAK,GAAG;cAC9C,CAAC,GAAG,EAAE,GAAG,KAAK;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE;yBAC7B,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG;gBAC1B,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG;0BACP,GAAG,SAAS,MAAM,GAAG,GAAG;;;oBA+J9B,CAAC,KAAK,EAAE,SAAS,KAAK,GAAG;yBACpB,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG;0BAChB,GAAG,SAAS,MAAM,GAAG,GAAG;kBAChC,GAAG,MAAM,GAAG,GAAG,GAAG;mBACjB,GAAG,MAAM,GAAG,MAAM,GAAG,GAAG,GAAG;sBACxB,GAAG,OAAO,GAAG,GAAG,GAAG;;mBAoJb,GAAG,KAAK,GAAG,KAAG;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE;;uBAS9C,CAAC,CAAC,EAAE,YAAY,KAAK,IAAI;0BACtB,IAAI,SAAS,MAAM,GAAG,IAAI;oBAChC,IAAI,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,GAAG,IAAI;oBACtC,IAAI,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,GAAG,IAAI;sBACpC,IAAI,OAAO,GAAG,GAAG,IAAI;uBACpB,IAAI,GAAG,IAAI;+BACH,IAAI,GAAG,IAAI;+BACX,IAAI,GAAG,IAAI;4BACd,IAAI,KAAK,MAAM,GAAG,IAAI;;EAiH7C"}
|
|
@@ -0,0 +1,498 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.psiFrobenius = psiFrobenius;
|
|
4
|
+
exports.tower12 = tower12;
|
|
5
|
+
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
|
|
6
|
+
const mod = require("./modular.js");
|
|
7
|
+
const utils_js_1 = require("./utils.js");
|
|
8
|
+
/*
|
|
9
|
+
Towered extension fields
|
|
10
|
+
|
|
11
|
+
Rather than implementing a massive 12th-degree extension directly, it is more efficient
|
|
12
|
+
to build it up from smaller extensions: a tower of extensions.
|
|
13
|
+
|
|
14
|
+
For BLS12-381, the Fp12 field is implemented as a quadratic (degree two) extension,
|
|
15
|
+
on top of a cubic (degree three) extension, on top of a quadratic extension of Fp.
|
|
16
|
+
|
|
17
|
+
For more info: "Pairings for beginners" by Costello, section 7.3.
|
|
18
|
+
*/
|
|
19
|
+
// Be friendly to bad ECMAScript parsers by not using bigint literals
|
|
20
|
+
// prettier-ignore
|
|
21
|
+
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
|
|
22
|
+
function calcFrobeniusCoefficients(Fp, nonResidue, modulus, degree, num = 1, divisor) {
|
|
23
|
+
const _divisor = BigInt(divisor === undefined ? degree : divisor);
|
|
24
|
+
const towerModulus = modulus ** BigInt(degree);
|
|
25
|
+
const res = [];
|
|
26
|
+
for (let i = 0; i < num; i++) {
|
|
27
|
+
const a = BigInt(i + 1);
|
|
28
|
+
const powers = [];
|
|
29
|
+
for (let j = 0, qPower = _1n; j < degree; j++) {
|
|
30
|
+
const power = ((a * qPower - a) / _divisor) % towerModulus;
|
|
31
|
+
powers.push(Fp.pow(nonResidue, power));
|
|
32
|
+
qPower *= modulus;
|
|
33
|
+
}
|
|
34
|
+
res.push(powers);
|
|
35
|
+
}
|
|
36
|
+
return res;
|
|
37
|
+
}
|
|
38
|
+
// This works same at least for bls12-381, bn254 and bls12-377
|
|
39
|
+
function psiFrobenius(Fp, Fp2, base) {
|
|
40
|
+
// Ψ endomorphism
|
|
41
|
+
const PSI_X = Fp2.pow(base, (Fp.ORDER - _1n) / _3n); // u^((p-1)/3)
|
|
42
|
+
const PSI_Y = Fp2.pow(base, (Fp.ORDER - _1n) / _2n); // u^((p-1)/2)
|
|
43
|
+
function psi(x, y) {
|
|
44
|
+
// This x10 faster than previous version in bls12-381
|
|
45
|
+
const x2 = Fp2.mul(Fp2.frobeniusMap(x, 1), PSI_X);
|
|
46
|
+
const y2 = Fp2.mul(Fp2.frobeniusMap(y, 1), PSI_Y);
|
|
47
|
+
return [x2, y2];
|
|
48
|
+
}
|
|
49
|
+
// Ψ²(P) endomorphism (psi2(x) = psi(psi(x)))
|
|
50
|
+
const PSI2_X = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _3n); // u^((p^2 - 1)/3)
|
|
51
|
+
// This equals -1, which causes y to be Fp2.neg(y).
|
|
52
|
+
// But not sure if there are case when this is not true?
|
|
53
|
+
const PSI2_Y = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _2n); // u^((p^2 - 1)/3)
|
|
54
|
+
if (!Fp2.eql(PSI2_Y, Fp2.neg(Fp2.ONE)))
|
|
55
|
+
throw new Error('psiFrobenius: PSI2_Y!==-1');
|
|
56
|
+
function psi2(x, y) {
|
|
57
|
+
return [Fp2.mul(x, PSI2_X), Fp2.neg(y)];
|
|
58
|
+
}
|
|
59
|
+
// Map points
|
|
60
|
+
const mapAffine = (fn) => (c, P) => {
|
|
61
|
+
const affine = P.toAffine();
|
|
62
|
+
const p = fn(affine.x, affine.y);
|
|
63
|
+
return c.fromAffine({ x: p[0], y: p[1] });
|
|
64
|
+
};
|
|
65
|
+
const G2psi = mapAffine(psi);
|
|
66
|
+
const G2psi2 = mapAffine(psi2);
|
|
67
|
+
return { psi, psi2, G2psi, G2psi2, PSI_X, PSI_Y, PSI2_X, PSI2_Y };
|
|
68
|
+
}
|
|
69
|
+
function tower12(opts) {
|
|
70
|
+
const { ORDER } = opts;
|
|
71
|
+
// Fp
|
|
72
|
+
const Fp = mod.Field(ORDER);
|
|
73
|
+
const FpNONRESIDUE = Fp.create(opts.NONRESIDUE || BigInt(-1));
|
|
74
|
+
const FpLegendre = mod.FpLegendre(ORDER);
|
|
75
|
+
const Fpdiv2 = Fp.div(Fp.ONE, _2n); // 1/2
|
|
76
|
+
// Fp2
|
|
77
|
+
const FP2_FROBENIUS_COEFFICIENTS = calcFrobeniusCoefficients(Fp, FpNONRESIDUE, Fp.ORDER, 2)[0];
|
|
78
|
+
const Fp2Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
79
|
+
c0: Fp.add(c0, r0),
|
|
80
|
+
c1: Fp.add(c1, r1),
|
|
81
|
+
});
|
|
82
|
+
const Fp2Subtract = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
83
|
+
c0: Fp.sub(c0, r0),
|
|
84
|
+
c1: Fp.sub(c1, r1),
|
|
85
|
+
});
|
|
86
|
+
const Fp2Multiply = ({ c0, c1 }, rhs) => {
|
|
87
|
+
if (typeof rhs === 'bigint')
|
|
88
|
+
return { c0: Fp.mul(c0, rhs), c1: Fp.mul(c1, rhs) };
|
|
89
|
+
// (a+bi)(c+di) = (ac−bd) + (ad+bc)i
|
|
90
|
+
const { c0: r0, c1: r1 } = rhs;
|
|
91
|
+
let t1 = Fp.mul(c0, r0); // c0 * o0
|
|
92
|
+
let t2 = Fp.mul(c1, r1); // c1 * o1
|
|
93
|
+
// (T1 - T2) + ((c0 + c1) * (r0 + r1) - (T1 + T2))*i
|
|
94
|
+
const o0 = Fp.sub(t1, t2);
|
|
95
|
+
const o1 = Fp.sub(Fp.mul(Fp.add(c0, c1), Fp.add(r0, r1)), Fp.add(t1, t2));
|
|
96
|
+
return { c0: o0, c1: o1 };
|
|
97
|
+
};
|
|
98
|
+
const Fp2Square = ({ c0, c1 }) => {
|
|
99
|
+
const a = Fp.add(c0, c1);
|
|
100
|
+
const b = Fp.sub(c0, c1);
|
|
101
|
+
const c = Fp.add(c0, c0);
|
|
102
|
+
return { c0: Fp.mul(a, b), c1: Fp.mul(c, c1) };
|
|
103
|
+
};
|
|
104
|
+
const Fp2fromBigTuple = (tuple) => {
|
|
105
|
+
if (tuple.length !== 2)
|
|
106
|
+
throw new Error('Invalid tuple');
|
|
107
|
+
const fps = tuple.map((n) => Fp.create(n));
|
|
108
|
+
return { c0: fps[0], c1: fps[1] };
|
|
109
|
+
};
|
|
110
|
+
const FP2_ORDER = ORDER * ORDER;
|
|
111
|
+
const Fp2Nonresidue = Fp2fromBigTuple(opts.FP2_NONRESIDUE);
|
|
112
|
+
const Fp2 = {
|
|
113
|
+
ORDER: FP2_ORDER,
|
|
114
|
+
NONRESIDUE: Fp2Nonresidue,
|
|
115
|
+
BITS: (0, utils_js_1.bitLen)(FP2_ORDER),
|
|
116
|
+
BYTES: Math.ceil((0, utils_js_1.bitLen)(FP2_ORDER) / 8),
|
|
117
|
+
MASK: (0, utils_js_1.bitMask)((0, utils_js_1.bitLen)(FP2_ORDER)),
|
|
118
|
+
ZERO: { c0: Fp.ZERO, c1: Fp.ZERO },
|
|
119
|
+
ONE: { c0: Fp.ONE, c1: Fp.ZERO },
|
|
120
|
+
create: (num) => num,
|
|
121
|
+
isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
|
|
122
|
+
is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
|
|
123
|
+
eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
|
|
124
|
+
neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
|
|
125
|
+
pow: (num, power) => mod.FpPow(Fp2, num, power),
|
|
126
|
+
invertBatch: (nums) => mod.FpInvertBatch(Fp2, nums),
|
|
127
|
+
// Normalized
|
|
128
|
+
add: Fp2Add,
|
|
129
|
+
sub: Fp2Subtract,
|
|
130
|
+
mul: Fp2Multiply,
|
|
131
|
+
sqr: Fp2Square,
|
|
132
|
+
// NonNormalized stuff
|
|
133
|
+
addN: Fp2Add,
|
|
134
|
+
subN: Fp2Subtract,
|
|
135
|
+
mulN: Fp2Multiply,
|
|
136
|
+
sqrN: Fp2Square,
|
|
137
|
+
// Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
|
|
138
|
+
div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp2.inv(rhs)),
|
|
139
|
+
inv: ({ c0: a, c1: b }) => {
|
|
140
|
+
// We wish to find the multiplicative inverse of a nonzero
|
|
141
|
+
// element a + bu in Fp2. We leverage an identity
|
|
142
|
+
//
|
|
143
|
+
// (a + bu)(a - bu) = a² + b²
|
|
144
|
+
//
|
|
145
|
+
// which holds because u² = -1. This can be rewritten as
|
|
146
|
+
//
|
|
147
|
+
// (a + bu)(a - bu)/(a² + b²) = 1
|
|
148
|
+
//
|
|
149
|
+
// because a² + b² = 0 has no nonzero solutions for (a, b).
|
|
150
|
+
// This gives that (a - bu)/(a² + b²) is the inverse
|
|
151
|
+
// of (a + bu). Importantly, this can be computing using
|
|
152
|
+
// only a single inversion in Fp.
|
|
153
|
+
const factor = Fp.inv(Fp.create(a * a + b * b));
|
|
154
|
+
return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
|
|
155
|
+
},
|
|
156
|
+
sqrt: (num) => {
|
|
157
|
+
if (opts.Fp2sqrt)
|
|
158
|
+
return opts.Fp2sqrt(num);
|
|
159
|
+
// This is generic for all quadratic extensions (Fp2)
|
|
160
|
+
const { c0, c1 } = num;
|
|
161
|
+
if (Fp.is0(c1)) {
|
|
162
|
+
// if c0 is quadratic residue
|
|
163
|
+
if (Fp.eql(FpLegendre(Fp, c0), Fp.ONE))
|
|
164
|
+
return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
|
|
165
|
+
else
|
|
166
|
+
return Fp2.create({ c0: Fp.ZERO, c1: Fp.sqrt(Fp.div(c0, FpNONRESIDUE)) });
|
|
167
|
+
}
|
|
168
|
+
const a = Fp.sqrt(Fp.sub(Fp.sqr(c0), Fp.mul(Fp.sqr(c1), FpNONRESIDUE)));
|
|
169
|
+
let d = Fp.mul(Fp.add(a, c0), Fpdiv2);
|
|
170
|
+
const legendre = FpLegendre(Fp, d);
|
|
171
|
+
// -1, Quadratic non residue
|
|
172
|
+
if (!Fp.is0(legendre) && !Fp.eql(legendre, Fp.ONE))
|
|
173
|
+
d = Fp.sub(d, a);
|
|
174
|
+
const a0 = Fp.sqrt(d);
|
|
175
|
+
const candidateSqrt = Fp2.create({ c0: a0, c1: Fp.div(Fp.mul(c1, Fpdiv2), a0) });
|
|
176
|
+
if (!Fp2.eql(Fp2.sqr(candidateSqrt), num))
|
|
177
|
+
throw new Error('Cannot find square root');
|
|
178
|
+
// Normalize root: at this point candidateSqrt ** 2 = num, but also -candidateSqrt ** 2 = num
|
|
179
|
+
const x1 = candidateSqrt;
|
|
180
|
+
const x2 = Fp2.neg(x1);
|
|
181
|
+
const { re: re1, im: im1 } = Fp2.reim(x1);
|
|
182
|
+
const { re: re2, im: im2 } = Fp2.reim(x2);
|
|
183
|
+
if (im1 > im2 || (im1 === im2 && re1 > re2))
|
|
184
|
+
return x1;
|
|
185
|
+
return x2;
|
|
186
|
+
},
|
|
187
|
+
// Same as sgn0_m_eq_2 in RFC 9380
|
|
188
|
+
isOdd: (x) => {
|
|
189
|
+
const { re: x0, im: x1 } = Fp2.reim(x);
|
|
190
|
+
const sign_0 = x0 % _2n;
|
|
191
|
+
const zero_0 = x0 === _0n;
|
|
192
|
+
const sign_1 = x1 % _2n;
|
|
193
|
+
return BigInt(sign_0 || (zero_0 && sign_1)) == _1n;
|
|
194
|
+
},
|
|
195
|
+
// Bytes util
|
|
196
|
+
fromBytes(b) {
|
|
197
|
+
if (b.length !== Fp2.BYTES)
|
|
198
|
+
throw new Error(`fromBytes wrong length=${b.length}`);
|
|
199
|
+
return { c0: Fp.fromBytes(b.subarray(0, Fp.BYTES)), c1: Fp.fromBytes(b.subarray(Fp.BYTES)) };
|
|
200
|
+
},
|
|
201
|
+
toBytes: ({ c0, c1 }) => (0, utils_js_1.concatBytes)(Fp.toBytes(c0), Fp.toBytes(c1)),
|
|
202
|
+
cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
|
|
203
|
+
c0: Fp.cmov(c0, r0, c),
|
|
204
|
+
c1: Fp.cmov(c1, r1, c),
|
|
205
|
+
}),
|
|
206
|
+
reim: ({ c0, c1 }) => ({ re: c0, im: c1 }),
|
|
207
|
+
// multiply by u + 1
|
|
208
|
+
mulByNonresidue: ({ c0, c1 }) => Fp2.mul({ c0, c1 }, Fp2Nonresidue),
|
|
209
|
+
mulByB: opts.Fp2mulByB,
|
|
210
|
+
fromBigTuple: Fp2fromBigTuple,
|
|
211
|
+
frobeniusMap: ({ c0, c1 }, power) => ({
|
|
212
|
+
c0,
|
|
213
|
+
c1: Fp.mul(c1, FP2_FROBENIUS_COEFFICIENTS[power % 2]),
|
|
214
|
+
}),
|
|
215
|
+
};
|
|
216
|
+
// Fp6
|
|
217
|
+
const Fp6Add = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
|
|
218
|
+
c0: Fp2.add(c0, r0),
|
|
219
|
+
c1: Fp2.add(c1, r1),
|
|
220
|
+
c2: Fp2.add(c2, r2),
|
|
221
|
+
});
|
|
222
|
+
const Fp6Subtract = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
|
|
223
|
+
c0: Fp2.sub(c0, r0),
|
|
224
|
+
c1: Fp2.sub(c1, r1),
|
|
225
|
+
c2: Fp2.sub(c2, r2),
|
|
226
|
+
});
|
|
227
|
+
const Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
|
|
228
|
+
if (typeof rhs === 'bigint') {
|
|
229
|
+
return {
|
|
230
|
+
c0: Fp2.mul(c0, rhs),
|
|
231
|
+
c1: Fp2.mul(c1, rhs),
|
|
232
|
+
c2: Fp2.mul(c2, rhs),
|
|
233
|
+
};
|
|
234
|
+
}
|
|
235
|
+
const { c0: r0, c1: r1, c2: r2 } = rhs;
|
|
236
|
+
const t0 = Fp2.mul(c0, r0); // c0 * o0
|
|
237
|
+
const t1 = Fp2.mul(c1, r1); // c1 * o1
|
|
238
|
+
const t2 = Fp2.mul(c2, r2); // c2 * o2
|
|
239
|
+
return {
|
|
240
|
+
// t0 + (c1 + c2) * (r1 * r2) - (T1 + T2) * (u + 1)
|
|
241
|
+
c0: Fp2.add(t0, Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), Fp2.add(r1, r2)), Fp2.add(t1, t2)))),
|
|
242
|
+
// (c0 + c1) * (r0 + r1) - (T0 + T1) + T2 * (u + 1)
|
|
243
|
+
c1: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c1), Fp2.add(r0, r1)), Fp2.add(t0, t1)), Fp2.mulByNonresidue(t2)),
|
|
244
|
+
// T1 + (c0 + c2) * (r0 + r2) - T0 + T2
|
|
245
|
+
c2: Fp2.sub(Fp2.add(t1, Fp2.mul(Fp2.add(c0, c2), Fp2.add(r0, r2))), Fp2.add(t0, t2)),
|
|
246
|
+
};
|
|
247
|
+
};
|
|
248
|
+
const Fp6Square = ({ c0, c1, c2 }) => {
|
|
249
|
+
let t0 = Fp2.sqr(c0); // c0²
|
|
250
|
+
let t1 = Fp2.mul(Fp2.mul(c0, c1), _2n); // 2 * c0 * c1
|
|
251
|
+
let t3 = Fp2.mul(Fp2.mul(c1, c2), _2n); // 2 * c1 * c2
|
|
252
|
+
let t4 = Fp2.sqr(c2); // c2²
|
|
253
|
+
return {
|
|
254
|
+
c0: Fp2.add(Fp2.mulByNonresidue(t3), t0), // T3 * (u + 1) + T0
|
|
255
|
+
c1: Fp2.add(Fp2.mulByNonresidue(t4), t1), // T4 * (u + 1) + T1
|
|
256
|
+
// T1 + (c0 - c1 + c2)² + T3 - T0 - T4
|
|
257
|
+
c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
|
|
258
|
+
};
|
|
259
|
+
};
|
|
260
|
+
const [FP6_FROBENIUS_COEFFICIENTS_1, FP6_FROBENIUS_COEFFICIENTS_2] = calcFrobeniusCoefficients(Fp2, Fp2Nonresidue, Fp.ORDER, 6, 2, 3);
|
|
261
|
+
const Fp6 = {
|
|
262
|
+
ORDER: Fp2.ORDER, // TODO: unused, but need to verify
|
|
263
|
+
BITS: 3 * Fp2.BITS,
|
|
264
|
+
BYTES: 3 * Fp2.BYTES,
|
|
265
|
+
MASK: (0, utils_js_1.bitMask)(3 * Fp2.BITS),
|
|
266
|
+
ZERO: { c0: Fp2.ZERO, c1: Fp2.ZERO, c2: Fp2.ZERO },
|
|
267
|
+
ONE: { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO },
|
|
268
|
+
create: (num) => num,
|
|
269
|
+
isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
|
|
270
|
+
is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
|
|
271
|
+
neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
|
|
272
|
+
eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
|
|
273
|
+
sqrt: utils_js_1.notImplemented,
|
|
274
|
+
// Do we need division by bigint at all? Should be done via order:
|
|
275
|
+
div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp6.inv(rhs)),
|
|
276
|
+
pow: (num, power) => mod.FpPow(Fp6, num, power),
|
|
277
|
+
invertBatch: (nums) => mod.FpInvertBatch(Fp6, nums),
|
|
278
|
+
// Normalized
|
|
279
|
+
add: Fp6Add,
|
|
280
|
+
sub: Fp6Subtract,
|
|
281
|
+
mul: Fp6Multiply,
|
|
282
|
+
sqr: Fp6Square,
|
|
283
|
+
// NonNormalized stuff
|
|
284
|
+
addN: Fp6Add,
|
|
285
|
+
subN: Fp6Subtract,
|
|
286
|
+
mulN: Fp6Multiply,
|
|
287
|
+
sqrN: Fp6Square,
|
|
288
|
+
inv: ({ c0, c1, c2 }) => {
|
|
289
|
+
let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
|
|
290
|
+
let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
|
|
291
|
+
let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
|
|
292
|
+
// 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
|
|
293
|
+
let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
|
|
294
|
+
return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
|
|
295
|
+
},
|
|
296
|
+
// Bytes utils
|
|
297
|
+
fromBytes: (b) => {
|
|
298
|
+
if (b.length !== Fp6.BYTES)
|
|
299
|
+
throw new Error(`fromBytes wrong length=${b.length}`);
|
|
300
|
+
return {
|
|
301
|
+
c0: Fp2.fromBytes(b.subarray(0, Fp2.BYTES)),
|
|
302
|
+
c1: Fp2.fromBytes(b.subarray(Fp2.BYTES, 2 * Fp2.BYTES)),
|
|
303
|
+
c2: Fp2.fromBytes(b.subarray(2 * Fp2.BYTES)),
|
|
304
|
+
};
|
|
305
|
+
},
|
|
306
|
+
toBytes: ({ c0, c1, c2 }) => (0, utils_js_1.concatBytes)(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)),
|
|
307
|
+
cmov: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) => ({
|
|
308
|
+
c0: Fp2.cmov(c0, r0, c),
|
|
309
|
+
c1: Fp2.cmov(c1, r1, c),
|
|
310
|
+
c2: Fp2.cmov(c2, r2, c),
|
|
311
|
+
}),
|
|
312
|
+
fromBigSix: (t) => {
|
|
313
|
+
if (!Array.isArray(t) || t.length !== 6)
|
|
314
|
+
throw new Error('Invalid Fp6 usage');
|
|
315
|
+
return {
|
|
316
|
+
c0: Fp2.fromBigTuple(t.slice(0, 2)),
|
|
317
|
+
c1: Fp2.fromBigTuple(t.slice(2, 4)),
|
|
318
|
+
c2: Fp2.fromBigTuple(t.slice(4, 6)),
|
|
319
|
+
};
|
|
320
|
+
},
|
|
321
|
+
frobeniusMap: ({ c0, c1, c2 }, power) => ({
|
|
322
|
+
c0: Fp2.frobeniusMap(c0, power),
|
|
323
|
+
c1: Fp2.mul(Fp2.frobeniusMap(c1, power), FP6_FROBENIUS_COEFFICIENTS_1[power % 6]),
|
|
324
|
+
c2: Fp2.mul(Fp2.frobeniusMap(c2, power), FP6_FROBENIUS_COEFFICIENTS_2[power % 6]),
|
|
325
|
+
}),
|
|
326
|
+
mulByFp2: ({ c0, c1, c2 }, rhs) => ({
|
|
327
|
+
c0: Fp2.mul(c0, rhs),
|
|
328
|
+
c1: Fp2.mul(c1, rhs),
|
|
329
|
+
c2: Fp2.mul(c2, rhs),
|
|
330
|
+
}),
|
|
331
|
+
mulByNonresidue: ({ c0, c1, c2 }) => ({ c0: Fp2.mulByNonresidue(c2), c1: c0, c2: c1 }),
|
|
332
|
+
// Sparse multiplication
|
|
333
|
+
mul1: ({ c0, c1, c2 }, b1) => ({
|
|
334
|
+
c0: Fp2.mulByNonresidue(Fp2.mul(c2, b1)),
|
|
335
|
+
c1: Fp2.mul(c0, b1),
|
|
336
|
+
c2: Fp2.mul(c1, b1),
|
|
337
|
+
}),
|
|
338
|
+
// Sparse multiplication
|
|
339
|
+
mul01({ c0, c1, c2 }, b0, b1) {
|
|
340
|
+
let t0 = Fp2.mul(c0, b0); // c0 * b0
|
|
341
|
+
let t1 = Fp2.mul(c1, b1); // c1 * b1
|
|
342
|
+
return {
|
|
343
|
+
// ((c1 + c2) * b1 - T1) * (u + 1) + T0
|
|
344
|
+
c0: Fp2.add(Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), b1), t1)), t0),
|
|
345
|
+
// (b0 + b1) * (c0 + c1) - T0 - T1
|
|
346
|
+
c1: Fp2.sub(Fp2.sub(Fp2.mul(Fp2.add(b0, b1), Fp2.add(c0, c1)), t0), t1),
|
|
347
|
+
// (c0 + c2) * b0 - T0 + T1
|
|
348
|
+
c2: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c2), b0), t0), t1),
|
|
349
|
+
};
|
|
350
|
+
},
|
|
351
|
+
};
|
|
352
|
+
// Fp12
|
|
353
|
+
const FP12_FROBENIUS_COEFFICIENTS = calcFrobeniusCoefficients(Fp2, Fp2Nonresidue, Fp.ORDER, 12, 1, 6)[0];
|
|
354
|
+
const Fp12Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
355
|
+
c0: Fp6.add(c0, r0),
|
|
356
|
+
c1: Fp6.add(c1, r1),
|
|
357
|
+
});
|
|
358
|
+
const Fp12Subtract = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
359
|
+
c0: Fp6.sub(c0, r0),
|
|
360
|
+
c1: Fp6.sub(c1, r1),
|
|
361
|
+
});
|
|
362
|
+
const Fp12Multiply = ({ c0, c1 }, rhs) => {
|
|
363
|
+
if (typeof rhs === 'bigint')
|
|
364
|
+
return { c0: Fp6.mul(c0, rhs), c1: Fp6.mul(c1, rhs) };
|
|
365
|
+
let { c0: r0, c1: r1 } = rhs;
|
|
366
|
+
let t1 = Fp6.mul(c0, r0); // c0 * r0
|
|
367
|
+
let t2 = Fp6.mul(c1, r1); // c1 * r1
|
|
368
|
+
return {
|
|
369
|
+
c0: Fp6.add(t1, Fp6.mulByNonresidue(t2)), // T1 + T2 * v
|
|
370
|
+
// (c0 + c1) * (r0 + r1) - (T1 + T2)
|
|
371
|
+
c1: Fp6.sub(Fp6.mul(Fp6.add(c0, c1), Fp6.add(r0, r1)), Fp6.add(t1, t2)),
|
|
372
|
+
};
|
|
373
|
+
};
|
|
374
|
+
const Fp12Square = ({ c0, c1 }) => {
|
|
375
|
+
let ab = Fp6.mul(c0, c1); // c0 * c1
|
|
376
|
+
return {
|
|
377
|
+
// (c1 * v + c0) * (c0 + c1) - AB - AB * v
|
|
378
|
+
c0: Fp6.sub(Fp6.sub(Fp6.mul(Fp6.add(Fp6.mulByNonresidue(c1), c0), Fp6.add(c0, c1)), ab), Fp6.mulByNonresidue(ab)),
|
|
379
|
+
c1: Fp6.add(ab, ab),
|
|
380
|
+
}; // AB + AB
|
|
381
|
+
};
|
|
382
|
+
function Fp4Square(a, b) {
|
|
383
|
+
const a2 = Fp2.sqr(a);
|
|
384
|
+
const b2 = Fp2.sqr(b);
|
|
385
|
+
return {
|
|
386
|
+
first: Fp2.add(Fp2.mulByNonresidue(b2), a2), // b² * Nonresidue + a²
|
|
387
|
+
second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
|
|
388
|
+
};
|
|
389
|
+
}
|
|
390
|
+
const Fp12 = {
|
|
391
|
+
ORDER: Fp2.ORDER, // TODO: unused, but need to verify
|
|
392
|
+
BITS: 2 * Fp2.BITS,
|
|
393
|
+
BYTES: 2 * Fp2.BYTES,
|
|
394
|
+
MASK: (0, utils_js_1.bitMask)(2 * Fp2.BITS),
|
|
395
|
+
ZERO: { c0: Fp6.ZERO, c1: Fp6.ZERO },
|
|
396
|
+
ONE: { c0: Fp6.ONE, c1: Fp6.ZERO },
|
|
397
|
+
create: (num) => num,
|
|
398
|
+
isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
|
|
399
|
+
is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
|
|
400
|
+
neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
|
|
401
|
+
eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
|
|
402
|
+
sqrt: utils_js_1.notImplemented,
|
|
403
|
+
inv: ({ c0, c1 }) => {
|
|
404
|
+
let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
|
|
405
|
+
return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
|
|
406
|
+
},
|
|
407
|
+
div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp12.inv(rhs)),
|
|
408
|
+
pow: (num, power) => mod.FpPow(Fp12, num, power),
|
|
409
|
+
invertBatch: (nums) => mod.FpInvertBatch(Fp12, nums),
|
|
410
|
+
// Normalized
|
|
411
|
+
add: Fp12Add,
|
|
412
|
+
sub: Fp12Subtract,
|
|
413
|
+
mul: Fp12Multiply,
|
|
414
|
+
sqr: Fp12Square,
|
|
415
|
+
// NonNormalized stuff
|
|
416
|
+
addN: Fp12Add,
|
|
417
|
+
subN: Fp12Subtract,
|
|
418
|
+
mulN: Fp12Multiply,
|
|
419
|
+
sqrN: Fp12Square,
|
|
420
|
+
// Bytes utils
|
|
421
|
+
fromBytes: (b) => {
|
|
422
|
+
if (b.length !== Fp12.BYTES)
|
|
423
|
+
throw new Error(`fromBytes wrong length=${b.length}`);
|
|
424
|
+
return {
|
|
425
|
+
c0: Fp6.fromBytes(b.subarray(0, Fp6.BYTES)),
|
|
426
|
+
c1: Fp6.fromBytes(b.subarray(Fp6.BYTES)),
|
|
427
|
+
};
|
|
428
|
+
},
|
|
429
|
+
toBytes: ({ c0, c1 }) => (0, utils_js_1.concatBytes)(Fp6.toBytes(c0), Fp6.toBytes(c1)),
|
|
430
|
+
cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
|
|
431
|
+
c0: Fp6.cmov(c0, r0, c),
|
|
432
|
+
c1: Fp6.cmov(c1, r1, c),
|
|
433
|
+
}),
|
|
434
|
+
// Utils
|
|
435
|
+
// toString() {
|
|
436
|
+
// return `Fp12(${this.c0} + ${this.c1} * w)`;
|
|
437
|
+
// },
|
|
438
|
+
// fromTuple(c: [Fp6, Fp6]) {
|
|
439
|
+
// return new Fp12(...c);
|
|
440
|
+
// }
|
|
441
|
+
fromBigTwelve: (t) => ({
|
|
442
|
+
c0: Fp6.fromBigSix(t.slice(0, 6)),
|
|
443
|
+
c1: Fp6.fromBigSix(t.slice(6, 12)),
|
|
444
|
+
}),
|
|
445
|
+
// Raises to q**i -th power
|
|
446
|
+
frobeniusMap(lhs, power) {
|
|
447
|
+
const { c0, c1, c2 } = Fp6.frobeniusMap(lhs.c1, power);
|
|
448
|
+
const coeff = FP12_FROBENIUS_COEFFICIENTS[power % 12];
|
|
449
|
+
return {
|
|
450
|
+
c0: Fp6.frobeniusMap(lhs.c0, power),
|
|
451
|
+
c1: Fp6.create({
|
|
452
|
+
c0: Fp2.mul(c0, coeff),
|
|
453
|
+
c1: Fp2.mul(c1, coeff),
|
|
454
|
+
c2: Fp2.mul(c2, coeff),
|
|
455
|
+
}),
|
|
456
|
+
};
|
|
457
|
+
},
|
|
458
|
+
mulByFp2: ({ c0, c1 }, rhs) => ({
|
|
459
|
+
c0: Fp6.mulByFp2(c0, rhs),
|
|
460
|
+
c1: Fp6.mulByFp2(c1, rhs),
|
|
461
|
+
}),
|
|
462
|
+
conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.neg(c1) }),
|
|
463
|
+
// Sparse multiplication
|
|
464
|
+
mul014: ({ c0, c1 }, o0, o1, o4) => {
|
|
465
|
+
let t0 = Fp6.mul01(c0, o0, o1);
|
|
466
|
+
let t1 = Fp6.mul1(c1, o4);
|
|
467
|
+
return {
|
|
468
|
+
c0: Fp6.add(Fp6.mulByNonresidue(t1), t0), // T1 * v + T0
|
|
469
|
+
// (c1 + c0) * [o0, o1+o4] - T0 - T1
|
|
470
|
+
c1: Fp6.sub(Fp6.sub(Fp6.mul01(Fp6.add(c1, c0), o0, Fp2.add(o1, o4)), t0), t1),
|
|
471
|
+
};
|
|
472
|
+
},
|
|
473
|
+
mul034: ({ c0, c1 }, o0, o3, o4) => {
|
|
474
|
+
const a = Fp6.create({
|
|
475
|
+
c0: Fp2.mul(c0.c0, o0),
|
|
476
|
+
c1: Fp2.mul(c0.c1, o0),
|
|
477
|
+
c2: Fp2.mul(c0.c2, o0),
|
|
478
|
+
});
|
|
479
|
+
const b = Fp6.mul01(c1, o3, o4);
|
|
480
|
+
const e = Fp6.mul01(Fp6.add(c0, c1), Fp2.add(o0, o3), o4);
|
|
481
|
+
return {
|
|
482
|
+
c0: Fp6.add(Fp6.mulByNonresidue(b), a),
|
|
483
|
+
c1: Fp6.sub(e, Fp6.add(a, b)),
|
|
484
|
+
};
|
|
485
|
+
},
|
|
486
|
+
// A cyclotomic group is a subgroup of Fp^n defined by
|
|
487
|
+
// GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
|
|
488
|
+
// The result of any pairing is in a cyclotomic subgroup
|
|
489
|
+
// https://eprint.iacr.org/2009/565.pdf
|
|
490
|
+
_cyclotomicSquare: opts.Fp12cyclotomicSquare,
|
|
491
|
+
_cyclotomicExp: opts.Fp12cyclotomicExp,
|
|
492
|
+
// https://eprint.iacr.org/2010/354.pdf
|
|
493
|
+
// https://eprint.iacr.org/2009/565.pdf
|
|
494
|
+
finalExponentiate: opts.Fp12finalExponentiate,
|
|
495
|
+
};
|
|
496
|
+
return { Fp, Fp2, Fp6, Fp4Square, Fp12 };
|
|
497
|
+
}
|
|
498
|
+
//# sourceMappingURL=tower.js.map
|