Line data Source code
1 : #include "./fd_bn254.h"
2 :
3 : /* G2 */
4 :
5 : /* COV: unlike g1, g2 operations are not exposed to users.
6 : So many edge cases and checks for zero are never triggered, e.g. by syscall tests. */
7 :
8 : static inline int
9 337368 : fd_bn254_g2_is_zero( fd_bn254_g2_t const * p ) {
10 337368 : return fd_bn254_fp2_is_zero( &p->Z );
11 337368 : }
12 :
13 : static inline int
14 : fd_bn254_g2_eq( fd_bn254_g2_t const * p,
15 1206 : fd_bn254_g2_t const * q ) {
16 1206 : if( fd_bn254_g2_is_zero( p ) ) {
17 12 : return fd_bn254_g2_is_zero( q );
18 12 : }
19 1194 : if( fd_bn254_g2_is_zero( q ) ) {
20 0 : return 0;
21 0 : }
22 :
23 1194 : fd_bn254_fp2_t pz2[1], qz2[1];
24 1194 : fd_bn254_fp2_t l[1], r[1];
25 :
26 1194 : fd_bn254_fp2_sqr( pz2, &p->Z );
27 1194 : fd_bn254_fp2_sqr( qz2, &q->Z );
28 :
29 1194 : fd_bn254_fp2_mul( l, &p->X, qz2 );
30 1194 : fd_bn254_fp2_mul( r, &q->X, pz2 );
31 1194 : if( !fd_bn254_fp2_eq( l, r ) ) {
32 0 : return 0;
33 0 : }
34 :
35 1194 : fd_bn254_fp2_mul( l, &p->Y, qz2 );
36 1194 : fd_bn254_fp2_mul( l, l, &q->Z );
37 1194 : fd_bn254_fp2_mul( r, &q->Y, pz2 );
38 1194 : fd_bn254_fp2_mul( r, r, &p->Z );
39 1194 : return fd_bn254_fp2_eq( l, r );
40 1194 : }
41 :
42 : static inline fd_bn254_g2_t *
43 : fd_bn254_g2_set( fd_bn254_g2_t * r,
44 3534 : fd_bn254_g2_t const * p ) {
45 3534 : fd_bn254_fp2_set( &r->X, &p->X );
46 3534 : fd_bn254_fp2_set( &r->Y, &p->Y );
47 3534 : fd_bn254_fp2_set( &r->Z, &p->Z );
48 3534 : return r;
49 3534 : }
50 :
51 : static inline fd_bn254_g2_t *
52 : fd_bn254_g2_neg( fd_bn254_g2_t * r,
53 876 : fd_bn254_g2_t const * p ) {
54 876 : fd_bn254_fp2_set( &r->X, &p->X );
55 876 : fd_bn254_fp2_neg( &r->Y, &p->Y );
56 876 : fd_bn254_fp2_set( &r->Z, &p->Z );
57 876 : return r;
58 876 : }
59 :
60 : static inline fd_bn254_g2_t *
61 2313 : fd_bn254_g2_set_zero( fd_bn254_g2_t * r ) {
62 : // fd_bn254_fp2_set_zero( &r->X );
63 : // fd_bn254_fp2_set_zero( &r->Y );
64 2313 : fd_bn254_fp2_set_zero( &r->Z );
65 2313 : return r;
66 2313 : }
67 :
68 : static inline fd_bn254_g2_t *
69 : fd_bn254_g2_to_affine( fd_bn254_g2_t * r,
70 336 : fd_bn254_g2_t const * p ) {
71 336 : if( FD_UNLIKELY( fd_bn254_fp2_is_zero( &p->Z ) || fd_bn254_fp2_is_one( &p->Z ) ) ) {
72 18 : return fd_bn254_g2_set( r, p );
73 18 : }
74 :
75 318 : fd_bn254_fp2_t iz[1], iz2[1];
76 318 : fd_bn254_fp2_inv( iz, &p->Z );
77 318 : fd_bn254_fp2_sqr( iz2, iz );
78 :
79 : /* X / Z^2, Y / Z^3 */
80 318 : fd_bn254_fp2_mul( &r->X, &p->X, iz2 );
81 318 : fd_bn254_fp2_mul( &r->Y, &p->Y, iz2 );
82 318 : fd_bn254_fp2_mul( &r->Y, &r->Y, iz );
83 318 : fd_bn254_fp2_set_one( &r->Z );
84 318 : return r;
85 336 : }
86 :
87 : uchar *
88 : fd_bn254_g2_tobytes( uchar out[128],
89 : fd_bn254_g2_t const * p,
90 360 : int big_endian ) {
91 360 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( p ) ) ) {
92 24 : fd_memset( out, 0, 128UL );
93 : /* no flags */
94 24 : return out;
95 24 : }
96 :
97 336 : fd_bn254_g2_t r[1];
98 336 : fd_bn254_g2_to_affine( r, p );
99 :
100 336 : fd_bn254_fp2_from_mont( &r->X, &r->X );
101 336 : fd_bn254_fp2_from_mont( &r->Y, &r->Y );
102 :
103 336 : fd_bn254_fp2_tobytes_nm( &out[ 0], &r->X, big_endian );
104 336 : fd_bn254_fp2_tobytes_nm( &out[64], &r->Y, big_endian );
105 : /* no flags */
106 336 : return out;
107 360 : }
108 :
109 : static inline fd_bn254_g2_t *
110 : fd_bn254_g2_frob( fd_bn254_g2_t * r,
111 3288 : fd_bn254_g2_t const * p ) {
112 3288 : fd_bn254_fp2_conj( &r->X, &p->X );
113 3288 : fd_bn254_fp2_mul ( &r->X, &r->X, &fd_bn254_const_frob_gamma1_mont[1] );
114 3288 : fd_bn254_fp2_conj( &r->Y, &p->Y );
115 3288 : fd_bn254_fp2_mul ( &r->Y, &r->Y, &fd_bn254_const_frob_gamma1_mont[2] );
116 3288 : fd_bn254_fp2_conj( &r->Z, &p->Z );
117 3288 : return r;
118 3288 : }
119 :
120 : static inline fd_bn254_g2_t *
121 : fd_bn254_g2_frob2( fd_bn254_g2_t * r,
122 2082 : fd_bn254_g2_t const * p ) {
123 : /* X */
124 2082 : fd_bn254_fp_mul( &r->X.el[0], &p->X.el[0], &fd_bn254_const_frob_gamma2_mont[1] );
125 2082 : fd_bn254_fp_mul( &r->X.el[1], &p->X.el[1], &fd_bn254_const_frob_gamma2_mont[1] );
126 : /* Y */
127 2082 : fd_bn254_fp_mul( &r->Y.el[0], &p->Y.el[0], &fd_bn254_const_frob_gamma2_mont[2] );
128 2082 : fd_bn254_fp_mul( &r->Y.el[1], &p->Y.el[1], &fd_bn254_const_frob_gamma2_mont[2] );
129 : /* Z=1 */
130 2082 : fd_bn254_fp2_set( &r->Z, &p->Z );
131 2082 : return r;
132 2082 : }
133 :
134 : /* fd_bn254_g2_dbl computes r = 2p.
135 : https://hyperelliptic.org/efd/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l */
136 : fd_bn254_g2_t *
137 : fd_bn254_g2_dbl( fd_bn254_g2_t * r,
138 154296 : fd_bn254_g2_t const * p ) {
139 : /* p==0, return 0 */
140 154296 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( p ) ) ) {
141 2262 : return fd_bn254_g2_set_zero( r );
142 2262 : }
143 :
144 152034 : fd_bn254_fp2_t a[1], b[1], c[1];
145 152034 : fd_bn254_fp2_t d[1], e[1], f[1];
146 :
147 : /* A = X1^2 */
148 152034 : fd_bn254_fp2_sqr( a, &p->X );
149 : /* B = Y1^2 */
150 152034 : fd_bn254_fp2_sqr( b, &p->Y );
151 : /* C = B^2 */
152 152034 : fd_bn254_fp2_sqr( c, b );
153 : /* D = 2*((X1+B)^2-A-C)
154 : (X1+B)^2 = X1^2 + 2*X1*B + B^2
155 : D = 2*(X1^2 + 2*X1*B + B^2 - A - C)
156 : D = 2*(X1^2 + 2*X1*B + B^2 - X1^2 - B^2)
157 : ^ ^ ^ ^
158 : |---------------|-----| |
159 : |------------|
160 : These terms cancel each other out, and we're left with:
161 : D = 2*(2*X1*B) */
162 152034 : fd_bn254_fp2_mul( d, &p->X, b );
163 152034 : fd_bn254_fp2_add( d, d, d );
164 152034 : fd_bn254_fp2_add( d, d, d );
165 : /* E = 3*A */
166 152034 : fd_bn254_fp2_add( e, a, a );
167 152034 : fd_bn254_fp2_add( e, a, e );
168 : /* F = E^2 */
169 152034 : fd_bn254_fp2_sqr( f, e );
170 : /* X3 = F-2*D */
171 152034 : fd_bn254_fp2_add( &r->X, d, d );
172 152034 : fd_bn254_fp2_sub( &r->X, f, &r->X );
173 : /* Z3 = (Y1+Z1)^2-YY-ZZ
174 : note: compute Z3 before Y3 because it depends on p->Y,
175 : that might be overwritten if r==p. */
176 : /* Z3 = 2*Y1*Z1 */
177 152034 : fd_bn254_fp2_mul( &r->Z, &p->Y, &p->Z );
178 152034 : fd_bn254_fp2_add( &r->Z, &r->Z, &r->Z );
179 : /* Y3 = E*(D-X3)-8*C */
180 152034 : fd_bn254_fp2_sub( &r->Y, d, &r->X );
181 152034 : fd_bn254_fp2_mul( &r->Y, e, &r->Y );
182 152034 : fd_bn254_fp2_add( c, c, c ); /* 2*c */
183 152034 : fd_bn254_fp2_add( c, c, c ); /* 4*y */
184 152034 : fd_bn254_fp2_add( c, c, c ); /* 8*y */
185 152034 : fd_bn254_fp2_sub( &r->Y, &r->Y, c );
186 152034 : return r;
187 154296 : }
188 :
189 : /* fd_bn254_g2_add_mixed computes r = p + q, when q->Z==1.
190 : http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl */
191 : fd_bn254_g2_t *
192 : fd_bn254_g2_add_mixed( fd_bn254_g2_t * r,
193 : fd_bn254_g2_t const * p,
194 72174 : fd_bn254_g2_t const * q ) {
195 : /* p==0, return q */
196 72174 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( p ) ) ) {
197 1086 : return fd_bn254_g2_set( r, q );
198 1086 : }
199 : /* q==0, return p */
200 71088 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( q ) ) ) {
201 6 : return fd_bn254_g2_set( r, p );
202 6 : }
203 71082 : fd_bn254_fp2_t zz[1], u2[1], s2[1];
204 71082 : fd_bn254_fp2_t h[1], hh[1];
205 71082 : fd_bn254_fp2_t i[1], j[1];
206 71082 : fd_bn254_fp2_t rr[1], v[1];
207 : /* Z1Z1 = Z1^2 */
208 71082 : fd_bn254_fp2_sqr( zz, &p->Z );
209 : /* U2 = X2*Z1Z1 */
210 71082 : fd_bn254_fp2_mul( u2, &q->X, zz );
211 : /* S2 = Y2*Z1*Z1Z1 */
212 71082 : fd_bn254_fp2_mul( s2, &q->Y, &p->Z );
213 71082 : fd_bn254_fp2_mul( s2, s2, zz );
214 :
215 : /* if p==q, call fd_bn254_g2_dbl */
216 71082 : if( FD_UNLIKELY( fd_bn254_fp2_eq( u2, &p->X ) && fd_bn254_fp2_eq( s2, &p->Y ) ) ) {
217 6 : return fd_bn254_g2_dbl( r, p );
218 6 : }
219 :
220 : /* H = U2-X1 */
221 71076 : fd_bn254_fp2_sub( h, u2, &p->X );
222 : /* HH = H^2 */
223 71076 : fd_bn254_fp2_sqr( hh, h );
224 : /* I = 4*HH */
225 71076 : fd_bn254_fp2_add( i, hh, hh );
226 71076 : fd_bn254_fp2_add( i, i, i );
227 : /* J = H*I */
228 71076 : fd_bn254_fp2_mul( j, h, i );
229 : /* r = 2*(S2-Y1) */
230 71076 : fd_bn254_fp2_sub( rr, s2, &p->Y );
231 71076 : fd_bn254_fp2_add( rr, rr, rr );
232 : /* V = X1*I */
233 71076 : fd_bn254_fp2_mul( v, &p->X, i );
234 : /* X3 = r^2-J-2*V */
235 71076 : fd_bn254_fp2_sqr( &r->X, rr );
236 71076 : fd_bn254_fp2_sub( &r->X, &r->X, j );
237 71076 : fd_bn254_fp2_sub( &r->X, &r->X, v );
238 71076 : fd_bn254_fp2_sub( &r->X, &r->X, v );
239 : /* Y3 = r*(V-X3)-2*Y1*J
240 : note: i no longer used */
241 71076 : fd_bn254_fp2_mul( i, &p->Y, j ); /* i = Y1*J */
242 71076 : fd_bn254_fp2_add( i, i, i ); /* i = 2*Y1*J */
243 71076 : fd_bn254_fp2_sub( &r->Y, v, &r->X );
244 71076 : fd_bn254_fp2_mul( &r->Y, &r->Y, rr );
245 71076 : fd_bn254_fp2_sub( &r->Y, &r->Y, i );
246 : /* Z3 = (Z1+H)^2-Z1Z1-HH */
247 71076 : fd_bn254_fp2_add( &r->Z, &p->Z, h );
248 71076 : fd_bn254_fp2_sqr( &r->Z, &r->Z );
249 71076 : fd_bn254_fp2_sub( &r->Z, &r->Z, zz );
250 71076 : fd_bn254_fp2_sub( &r->Z, &r->Z, hh );
251 71076 : return r;
252 71082 : }
253 :
254 : /* fd_bn254_g2_add computes r = p + q.
255 : http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl */
256 : fd_bn254_g2_t *
257 : fd_bn254_g2_add( fd_bn254_g2_t * r,
258 : fd_bn254_g2_t const * p,
259 2412 : fd_bn254_g2_t const * q ) {
260 : /* p==0, return q */
261 2412 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( p ) ) ) {
262 24 : return fd_bn254_g2_set( r, q );
263 24 : }
264 : /* q==0, return p */
265 2388 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( q ) ) ) {
266 0 : return fd_bn254_g2_set( r, p );
267 0 : }
268 2388 : fd_bn254_fp2_t zz1[1], zz2[1];
269 2388 : fd_bn254_fp2_t u1[1], s1[1];
270 2388 : fd_bn254_fp2_t u2[1], s2[1];
271 2388 : fd_bn254_fp2_t h[1];
272 2388 : fd_bn254_fp2_t i[1], j[1];
273 2388 : fd_bn254_fp2_t rr[1], v[1];
274 : /* Z1Z1 = Z1^2 */
275 2388 : fd_bn254_fp2_sqr( zz1, &p->Z );
276 : /* Z2Z2 = Z2^2 */
277 2388 : fd_bn254_fp2_sqr( zz2, &q->Z );
278 : /* U1 = X1*Z2Z2 */
279 2388 : fd_bn254_fp2_mul( u1, &p->X, zz2 );
280 : /* U2 = X2*Z1Z1 */
281 2388 : fd_bn254_fp2_mul( u2, &q->X, zz1 );
282 : /* S1 = Y1*Z2*Z2Z2 */
283 2388 : fd_bn254_fp2_mul( s1, &p->Y, &q->Z );
284 2388 : fd_bn254_fp2_mul( s1, s1, zz2 );
285 : /* S2 = Y2*Z1*Z1Z1 */
286 2388 : fd_bn254_fp2_mul( s2, &q->Y, &p->Z );
287 2388 : fd_bn254_fp2_mul( s2, s2, zz1 );
288 :
289 : /* if p==q, call fd_bn254_g2_dbl */
290 : // if( FD_UNLIKELY( fd_bn254_fp2_eq( u2, &p->X ) && fd_bn254_fp2_eq( s2, &p->Y ) ) ) {
291 : // return fd_bn254_g2_dbl( r, p );
292 : // }
293 :
294 : /* H = U2-U1 */
295 2388 : fd_bn254_fp2_sub( h, u2, u1 );
296 : /* HH = (2*H)^2 */
297 2388 : fd_bn254_fp2_add( i, h, h );
298 2388 : fd_bn254_fp2_sqr( i, i );
299 : /* J = H*I */
300 2388 : fd_bn254_fp2_mul( j, h, i );
301 : /* r = 2*(S2-S1) */
302 2388 : fd_bn254_fp2_sub( rr, s2, s1 );
303 2388 : fd_bn254_fp2_add( rr, rr, rr );
304 : /* V = U1*I */
305 2388 : fd_bn254_fp2_mul( v, u1, i );
306 : /* X3 = r^2-J-2*V */
307 2388 : fd_bn254_fp2_sqr( &r->X, rr );
308 2388 : fd_bn254_fp2_sub( &r->X, &r->X, j );
309 2388 : fd_bn254_fp2_sub( &r->X, &r->X, v );
310 2388 : fd_bn254_fp2_sub( &r->X, &r->X, v );
311 : /* Y3 = r*(V-X3)-2*S1*J
312 : note: i no longer used */
313 2388 : fd_bn254_fp2_mul( i, s1, j ); /* i = S1*J */
314 2388 : fd_bn254_fp2_add( i, i, i ); /* i = 2*S1*J */
315 2388 : fd_bn254_fp2_sub( &r->Y, v, &r->X );
316 2388 : fd_bn254_fp2_mul( &r->Y, &r->Y, rr );
317 2388 : fd_bn254_fp2_sub( &r->Y, &r->Y, i );
318 : /* Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H */
319 2388 : fd_bn254_fp2_add( &r->Z, &p->Z, &q->Z );
320 2388 : fd_bn254_fp2_sqr( &r->Z, &r->Z );
321 2388 : fd_bn254_fp2_sub( &r->Z, &r->Z, zz1 );
322 2388 : fd_bn254_fp2_sub( &r->Z, &r->Z, zz2 );
323 2388 : fd_bn254_fp2_mul( &r->Z, &r->Z, h );
324 2388 : return r;
325 2388 : }
326 :
327 : /* fd_bn254_g2_scalar_mul computes r = s * p.
328 : This assumes that p is affine, i.e. p->Z==1. */
329 : fd_bn254_g2_t *
330 : fd_bn254_g2_scalar_mul( fd_bn254_g2_t * r,
331 : fd_bn254_g2_t const * p,
332 1536 : fd_bn254_scalar_t const * s ) {
333 : /* TODO: wNAF, GLV */
334 1536 : int i = 255;
335 240144 : for( ; i>=0 && !fd_uint256_bit( s, i ); i-- ) ; /* do nothing, just i-- */
336 1536 : if( FD_UNLIKELY( i<0 ) ) {
337 12 : return fd_bn254_g2_set_zero( r );
338 12 : }
339 1524 : fd_bn254_g2_set( r, p );
340 154608 : for( i--; i>=0; i-- ) {
341 153084 : fd_bn254_g2_dbl( r, r );
342 153084 : if( fd_uint256_bit( s, i ) ) {
343 70938 : fd_bn254_g2_add_mixed( r, r, p );
344 70938 : }
345 153084 : }
346 1524 : return r;
347 1536 : }
348 :
349 : /* fd_bn254_g2_frombytes_internal extracts (x, y) and performs basic checks.
350 : This is used by fd_bn254_g2_compress() and fd_bn254_g2_frombytes_check_subgroup(). */
351 : static inline fd_bn254_g2_t *
352 : fd_bn254_g2_frombytes_internal( fd_bn254_g2_t * p,
353 : uchar const in[128],
354 31362 : int big_endian ) {
355 : /* Special case: all zeros => point at infinity */
356 31362 : const uchar zero[128] = { 0 };
357 31362 : if( FD_UNLIKELY( fd_memeq( in, zero, 128 ) ) ) {
358 39 : return fd_bn254_g2_set_zero( p );
359 39 : }
360 :
361 : /* Check x < p */
362 31323 : if( FD_UNLIKELY( !fd_bn254_fp2_frombytes_nm( &p->X, &in[0], big_endian, NULL, NULL ) ) ) {
363 0 : return NULL;
364 0 : }
365 :
366 : /* Check flags and y < p */
367 31323 : int is_inf, is_neg;
368 31323 : if( FD_UNLIKELY( !fd_bn254_fp2_frombytes_nm( &p->Y, &in[64], big_endian, &is_inf, &is_neg ) ) ) {
369 0 : return NULL;
370 0 : }
371 :
372 31323 : if( FD_UNLIKELY( is_inf ) ) {
373 0 : return fd_bn254_g2_set_zero( p );
374 0 : }
375 :
376 31323 : fd_bn254_fp2_set_one( &p->Z );
377 31323 : return p;
378 31323 : }
379 :
380 : /* fd_bn254_g2_frombytes_check_eq_only performs frombytes, checks the curve
381 : equation, but does NOT check subgroup membership. */
382 : static inline fd_bn254_g2_t *
383 : fd_bn254_g2_frombytes_check_eq_only( fd_bn254_g2_t * p,
384 : uchar const in[128],
385 1266 : int big_endian ) {
386 1266 : if( FD_UNLIKELY( !fd_bn254_g2_frombytes_internal( p, in, big_endian ) ) ) {
387 0 : return NULL;
388 0 : }
389 1266 : if( FD_UNLIKELY( fd_bn254_g2_is_zero( p ) ) ) {
390 36 : return p;
391 36 : }
392 :
393 1230 : fd_bn254_fp2_to_mont( &p->X, &p->X );
394 1230 : fd_bn254_fp2_to_mont( &p->Y, &p->Y );
395 1230 : fd_bn254_fp2_set_one( &p->Z );
396 :
397 : /* Check that y^2 = x^3 + b */
398 1230 : fd_bn254_fp2_t y2[1], x3b[1];
399 1230 : fd_bn254_fp2_sqr( y2, &p->Y );
400 1230 : fd_bn254_fp2_sqr( x3b, &p->X );
401 1230 : fd_bn254_fp2_mul( x3b, x3b, &p->X );
402 1230 : fd_bn254_fp2_add( x3b, x3b, fd_bn254_const_twist_b_mont );
403 1230 : if( FD_UNLIKELY( !fd_bn254_fp2_eq( y2, x3b ) ) ) {
404 0 : return NULL;
405 0 : }
406 1230 : return p;
407 1230 : }
408 :
409 : /* fd_bn254_g2_frombytes_check_subgroup performs frombytes AND checks subgroup membership. */
410 : static inline fd_bn254_g2_t *
411 : fd_bn254_g2_frombytes_check_subgroup( fd_bn254_g2_t * p,
412 : uchar const in[128],
413 1206 : int big_endian ) {
414 1206 : if( FD_UNLIKELY( fd_bn254_g2_frombytes_check_eq_only( p, in, big_endian )==NULL ) ) {
415 0 : return NULL;
416 0 : }
417 :
418 : /* G2 does NOT have prime order, so we have to check group membership. */
419 :
420 : /* We use the fast subgroup membership check, that requires a single 64-bit scalar mul.
421 : https://eprint.iacr.org/2022/348, Sec 3.1.
422 : [r]P == 0 <==> [x+1]P + ψ([x]P) + ψ²([x]P) = ψ³([2x]P)
423 : See also: https://github.com/Consensys/gnark-crypto/blob/v0.12.1/ecc/bn254/g2.go#L404
424 :
425 : For reference, the followings also work:
426 :
427 : 1) very slow: 256-bit scalar mul
428 :
429 : fd_bn254_g2_t r[1];
430 : fd_bn254_g2_scalar_mul( r, p, fd_bn254_const_r );
431 : if( !fd_bn254_g2_is_zero( r ) ) return NULL;
432 :
433 : 2) slow: 128-bit scalar mul
434 :
435 : fd_bn254_g2_t a[1], b[1];
436 : const fd_bn254_scalar_t six_x_sqr[1] = {{{ 0xf83e9682e87cfd46, 0x6f4d8248eeb859fb, 0x0, 0x0, }}};
437 : fd_bn254_g2_scalar_mul( a, p, six_x_sqr );
438 : fd_bn254_g2_frob( b, p );
439 : if( !fd_bn254_g2_eq( a, b ) ) return NULL; */
440 :
441 1206 : fd_bn254_g2_t xp[1], l[1], psi[1], r[1];
442 1206 : fd_bn254_g2_scalar_mul( xp, p, fd_bn254_const_x ); /* 64-bit */
443 1206 : fd_bn254_g2_add_mixed( l, xp, p );
444 :
445 1206 : fd_bn254_g2_frob( psi, xp );
446 1206 : fd_bn254_g2_add( l, l, psi );
447 :
448 1206 : fd_bn254_g2_frob2( psi, xp ); /* faster than frob( psi, psi ) */
449 1206 : fd_bn254_g2_add( l, l, psi );
450 :
451 1206 : fd_bn254_g2_frob( psi, psi );
452 1206 : fd_bn254_g2_dbl( r, psi );
453 1206 : if( FD_UNLIKELY( !fd_bn254_g2_eq( l, r ) ) ) {
454 0 : return NULL;
455 0 : }
456 1206 : return p;
457 1206 : }
|
