ark_ec/models/bn/
g2.rs

1use ark_ff::{
2    fields::{Field, Fp2},
3    AdditiveGroup,
4};
5use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
6use ark_std::vec::*;
7use educe::Educe;
8use num_traits::One;
9
10use crate::{
11    bn::{BnConfig, TwistType},
12    models::short_weierstrass::SWCurveConfig,
13    short_weierstrass::{Affine, Projective},
14    AffineRepr, CurveGroup,
15};
16
17pub type G2Affine<P> = Affine<<P as BnConfig>::G2Config>;
18pub type G2Projective<P> = Projective<<P as BnConfig>::G2Config>;
19
20#[derive(Educe, CanonicalSerialize, CanonicalDeserialize)]
21#[educe(Clone, Debug, PartialEq, Eq)]
22pub struct G2Prepared<P: BnConfig> {
23    /// Stores the coefficients of the line evaluations as calculated in
24    /// <https://eprint.iacr.org/2013/722.pdf>
25    pub ell_coeffs: Vec<EllCoeff<P>>,
26    pub infinity: bool,
27}
28
29pub type EllCoeff<P> = (
30    Fp2<<P as BnConfig>::Fp2Config>,
31    Fp2<<P as BnConfig>::Fp2Config>,
32    Fp2<<P as BnConfig>::Fp2Config>,
33);
34
35#[derive(Educe)]
36#[educe(Clone, Copy, Debug)]
37pub struct G2HomProjective<P: BnConfig> {
38    x: Fp2<P::Fp2Config>,
39    y: Fp2<P::Fp2Config>,
40    z: Fp2<P::Fp2Config>,
41}
42
43impl<P: BnConfig> G2HomProjective<P> {
44    pub fn double_in_place(&mut self, two_inv: &P::Fp) -> EllCoeff<P> {
45        // Formula for line function when working with
46        // homogeneous projective coordinates.
47
48        let mut a = self.x * &self.y;
49        a.mul_assign_by_fp(two_inv);
50        let b = self.y.square();
51        let c = self.z.square();
52        let e = P::G2Config::COEFF_B * &(c.double() + &c);
53        let f = e.double() + &e;
54        let mut g = b + &f;
55        g.mul_assign_by_fp(two_inv);
56        let h = (self.y + &self.z).square() - &(b + &c);
57        let i = e - &b;
58        let j = self.x.square();
59        let e_square = e.square();
60
61        self.x = a * &(b - &f);
62        self.y = g.square() - &(e_square.double() + &e_square);
63        self.z = b * &h;
64        match P::TWIST_TYPE {
65            TwistType::M => (i, j.double() + &j, -h),
66            TwistType::D => (-h, j.double() + &j, i),
67        }
68    }
69
70    pub fn add_in_place(&mut self, q: &G2Affine<P>) -> EllCoeff<P> {
71        // Formula for line function when working with
72        // homogeneous projective coordinates.
73        let theta = self.y - &(q.y * &self.z);
74        let lambda = self.x - &(q.x * &self.z);
75        let c = theta.square();
76        let d = lambda.square();
77        let e = lambda * &d;
78        let f = self.z * &c;
79        let g = self.x * &d;
80        let h = e + &f - &g.double();
81        self.x = lambda * &h;
82        self.y = theta * &(g - &h) - &(e * &self.y);
83        self.z *= &e;
84        let j = theta * &q.x - &(lambda * &q.y);
85
86        match P::TWIST_TYPE {
87            TwistType::M => (j, -theta, lambda),
88            TwistType::D => (lambda, -theta, j),
89        }
90    }
91}
92
93impl<P: BnConfig> Default for G2Prepared<P> {
94    fn default() -> Self {
95        Self::from(G2Affine::<P>::generator())
96    }
97}
98
99impl<P: BnConfig> From<G2Affine<P>> for G2Prepared<P> {
100    fn from(q: G2Affine<P>) -> Self {
101        if q.infinity {
102            G2Prepared {
103                ell_coeffs: vec![],
104                infinity: true,
105            }
106        } else {
107            let two_inv = P::Fp::one().double().inverse().unwrap();
108            let mut ell_coeffs = vec![];
109            let mut r = G2HomProjective::<P> {
110                x: q.x,
111                y: q.y,
112                z: Fp2::one(),
113            };
114
115            let neg_q = -q;
116
117            for bit in P::ATE_LOOP_COUNT.iter().rev().skip(1) {
118                ell_coeffs.push(r.double_in_place(&two_inv));
119
120                match bit {
121                    1 => ell_coeffs.push(r.add_in_place(&q)),
122                    -1 => ell_coeffs.push(r.add_in_place(&neg_q)),
123                    _ => continue,
124                }
125            }
126
127            let q1 = mul_by_char::<P>(q);
128            let mut q2 = mul_by_char::<P>(q1);
129
130            if P::X_IS_NEGATIVE {
131                r.y = -r.y;
132            }
133
134            q2.y = -q2.y;
135
136            ell_coeffs.push(r.add_in_place(&q1));
137            ell_coeffs.push(r.add_in_place(&q2));
138
139            Self {
140                ell_coeffs,
141                infinity: false,
142            }
143        }
144    }
145}
146
147impl<P: BnConfig> From<G2Projective<P>> for G2Prepared<P> {
148    fn from(q: G2Projective<P>) -> Self {
149        q.into_affine().into()
150    }
151}
152
153impl<'a, P: BnConfig> From<&'a G2Affine<P>> for G2Prepared<P> {
154    fn from(other: &'a G2Affine<P>) -> Self {
155        (*other).into()
156    }
157}
158
159impl<'a, P: BnConfig> From<&'a G2Projective<P>> for G2Prepared<P> {
160    fn from(q: &'a G2Projective<P>) -> Self {
161        q.into_affine().into()
162    }
163}
164
165impl<P: BnConfig> G2Prepared<P> {
166    pub fn is_zero(&self) -> bool {
167        self.infinity
168    }
169}
170
171fn mul_by_char<P: BnConfig>(r: G2Affine<P>) -> G2Affine<P> {
172    // multiply by field characteristic
173
174    let mut s = r;
175    s.x.frobenius_map_in_place(1);
176    s.x *= &P::TWIST_MUL_BY_Q_X;
177    s.y.frobenius_map_in_place(1);
178    s.y *= &P::TWIST_MUL_BY_Q_Y;
179
180    s
181}