diff --git a/ecc/bls12-377/pairing.go b/ecc/bls12-377/pairing.go index cb60c8dd19..ede3a03803 100644 --- a/ecc/bls12-377/pairing.go +++ b/ecc/bls12-377/pairing.go @@ -133,22 +133,25 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { } var result GT + result.SetOne() var l1, l2 lineEvaluation var prodLines [5]E2 // Compute ∏ᵢ { fᵢ_{x₀,Q}(P) } - // i = 62, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // loopCounter[62] = 0 - // k = 0, separately to avoid MulBy034 (res × ℓ) - // (assign line to res) - - // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] - qProj[0].doubleStep(&l1) - // line evaluation at P[0] (assign) - result.C0.B0.MulByElement(&l1.r0, &p[0].Y) - result.C1.B0.MulByElement(&l1.r1, &p[0].X) - result.C1.B1.Set(&l1.r2) + if n >= 1 { + // i = 62, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // loopCounter[62] = 0 + // k = 0, separately to avoid MulBy034 (res × ℓ) + // (assign line to res) + + // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] + qProj[0].doubleStep(&l1) + // line evaluation at P[0] (assign) + result.C0.B0.MulByElement(&l1.r0, &p[0].Y) + result.C1.B0.MulByElement(&l1.r1, &p[0].X) + result.C1.B1.Set(&l1.r2) + } if n >= 2 { // k = 1, separately to avoid MulBy034 (res × ℓ) diff --git a/ecc/bls12-378/pairing.go b/ecc/bls12-378/pairing.go index ab43ff0c45..1796944080 100644 --- a/ecc/bls12-378/pairing.go +++ b/ecc/bls12-378/pairing.go @@ -132,22 +132,25 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { } var result GT + result.SetOne() var l1, l2 lineEvaluation var prodLines [5]E2 // Compute ∏ᵢ { fᵢ_{x₀,Q}(P) } - // i = 62, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // loopCounter[62] = 0 - // k = 0, separately to avoid MulBy014 (res × ℓ) - // (assign line to res) - - // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] - qProj[0].doubleStep(&l1) - // line evaluation at P[0] (assign) - result.C0.B0.Set(&l1.r0) - result.C0.B1.MulByElement(&l1.r1, &p[0].X) - result.C1.B1.MulByElement(&l1.r2, &p[0].Y) + if n >= 1 { + // i = 62, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // loopCounter[62] = 0 + // k = 0, separately to avoid MulBy014 (res × ℓ) + // (assign line to res) + + // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] + qProj[0].doubleStep(&l1) + // line evaluation at P[0] (assign) + result.C0.B0.Set(&l1.r0) + result.C0.B1.MulByElement(&l1.r1, &p[0].X) + result.C1.B1.MulByElement(&l1.r2, &p[0].Y) + } if n >= 2 { // k = 1, separately to avoid MulBy014 (res × ℓ) diff --git a/ecc/bls12-381/pairing.go b/ecc/bls12-381/pairing.go index a22b03e007..4c2c867f86 100644 --- a/ecc/bls12-381/pairing.go +++ b/ecc/bls12-381/pairing.go @@ -132,36 +132,39 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { } var result GT + result.SetOne() var l1, l2 lineEvaluation var prodLines [5]E2 // Compute ∏ᵢ { fᵢ_{x₀,Q}(P) } - // i = 62, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // loopCounter[62] = 1 - // k = 0, separately to avoid MulBy014 (res × ℓ) - // (assign line to res) - - // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] - qProj[0].doubleStep(&l1) - // line evaluation at P[0] (assign) - result.C0.B0.Set(&l1.r0) - result.C0.B1.MulByElement(&l1.r1, &p[0].X) - result.C1.B1.MulByElement(&l1.r2, &p[0].Y) - - // qProj[0] ← qProj[0]+Q[0] and - // l2 the line ℓ passing qProj[0] and Q[0] - qProj[0].addMixedStep(&l2, &q[0]) - // line evaluation at P[0] (assign) - l2.r1.MulByElement(&l2.r1, &p[0].X) - l2.r2.MulByElement(&l2.r2, &p[0].Y) - // ℓ × res - prodLines = fptower.Mul014By014(&l2.r0, &l2.r1, &l2.r2, &result.C0.B0, &result.C0.B1, &result.C1.B1) - result.C0.B0 = prodLines[0] - result.C0.B1 = prodLines[1] - result.C0.B2 = prodLines[2] - result.C1.B1 = prodLines[3] - result.C1.B2 = prodLines[4] + if n >= 1 { + // i = 62, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // loopCounter[62] = 1 + // k = 0, separately to avoid MulBy014 (res × ℓ) + // (assign line to res) + + // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] + qProj[0].doubleStep(&l1) + // line evaluation at P[0] (assign) + result.C0.B0.Set(&l1.r0) + result.C0.B1.MulByElement(&l1.r1, &p[0].X) + result.C1.B1.MulByElement(&l1.r2, &p[0].Y) + + // qProj[0] ← qProj[0]+Q[0] and + // l2 the line ℓ passing qProj[0] and Q[0] + qProj[0].addMixedStep(&l2, &q[0]) + // line evaluation at P[0] (assign) + l2.r1.MulByElement(&l2.r1, &p[0].X) + l2.r2.MulByElement(&l2.r2, &p[0].Y) + // ℓ × res + prodLines = fptower.Mul014By014(&l2.r0, &l2.r1, &l2.r2, &result.C0.B0, &result.C0.B1, &result.C1.B1) + result.C0.B0 = prodLines[0] + result.C0.B1 = prodLines[1] + result.C0.B2 = prodLines[2] + result.C1.B1 = prodLines[3] + result.C1.B2 = prodLines[4] + } // k >= 1 for k := 1; k < n; k++ { diff --git a/ecc/bls24-315/pairing.go b/ecc/bls24-315/pairing.go index e1adc4df8d..1ef5569e13 100644 --- a/ecc/bls24-315/pairing.go +++ b/ecc/bls24-315/pairing.go @@ -143,22 +143,25 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { } var result GT + result.SetOne() var l1, l2 lineEvaluation var prodLines [5]fptower.E4 // Compute ∏ᵢ { fᵢ_{x₀,Q}(P) } - // i = 31, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // loopCounter[31] = 0 - // k = 0, separately to avoid MulBy014 (res × ℓ) - // (assign line to res) - - // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] qProj[0].doubleStep(&l1) - qProj[0].doubleStep(&l1) - // line evaluation at P[0] (assign) - result.D0.C0.MulByElement(&l1.r0, &p[0].Y) - result.D1.C0.MulByElement(&l1.r1, &p[0].X) - result.D1.C1.Set(&l1.r2) + if n >= 1 { + // i = 31, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // loopCounter[31] = 0 + // k = 0, separately to avoid MulBy014 (res × ℓ) + // (assign line to res) + + // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] qProj[0].doubleStep(&l1) + qProj[0].doubleStep(&l1) + // line evaluation at P[0] (assign) + result.D0.C0.MulByElement(&l1.r0, &p[0].Y) + result.D1.C0.MulByElement(&l1.r1, &p[0].X) + result.D1.C1.Set(&l1.r2) + } if n >= 2 { // k = 1, separately to avoid MulBy014 (res × ℓ) diff --git a/ecc/bls24-317/pairing.go b/ecc/bls24-317/pairing.go index bffd182f27..c82e7e63fc 100644 --- a/ecc/bls24-317/pairing.go +++ b/ecc/bls24-317/pairing.go @@ -147,22 +147,25 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { } var result GT + result.SetOne() var l1, l2 lineEvaluation var prodLines [5]fptower.E4 // Compute ∏ᵢ { fᵢ_{x₀,Q}(P) } - // i = 31, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // loopCounter[31] = 0 - // k = 0, separately to avoid MulBy014 (res × ℓ) - // (assign line to res) - - // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] - qProj[0].doubleStep(&l1) - // line evaluation at P[0] (assign) - result.D0.C0.Set(&l1.r0) - result.D0.C1.MulByElement(&l1.r1, &p[0].X) - result.D1.C1.MulByElement(&l1.r2, &p[0].Y) + if n >= 1 { + // i = 31, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // loopCounter[31] = 0 + // k = 0, separately to avoid MulBy014 (res × ℓ) + // (assign line to res) + + // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] + qProj[0].doubleStep(&l1) + // line evaluation at P[0] (assign) + result.D0.C0.Set(&l1.r0) + result.D0.C1.MulByElement(&l1.r1, &p[0].X) + result.D1.C1.MulByElement(&l1.r2, &p[0].Y) + } if n >= 2 { // k = 1, separately to avoid MulBy014 (res × ℓ) diff --git a/ecc/bn254/pairing.go b/ecc/bn254/pairing.go index e3ec86c59d..44a87ca612 100644 --- a/ecc/bn254/pairing.go +++ b/ecc/bn254/pairing.go @@ -140,22 +140,25 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { } var result GT + result.SetOne() var l2, l1 lineEvaluation var prodLines [5]E2 // Compute ∏ᵢ { fᵢ_{6x₀+2,Q}(P) } - // i = 64, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // loopCounter[64] = 0 - // k = 0, separately to avoid MulBy034 (res × ℓ) - // (assign line to res) - - // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] - qProj[0].doubleStep(&l1) - // line evaluation at P[0] (assign) - result.C0.B0.MulByElement(&l1.r0, &p[0].Y) - result.C1.B0.MulByElement(&l1.r1, &p[0].X) - result.C1.B1.Set(&l1.r2) + if n >= 1 { + // i = 64, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // loopCounter[64] = 0 + // k = 0, separately to avoid MulBy034 (res × ℓ) + // (assign line to res) + + // qProj[0] ← 2qProj[0] and l1 the tangent ℓ passing 2qProj[0] + qProj[0].doubleStep(&l1) + // line evaluation at P[0] (assign) + result.C0.B0.MulByElement(&l1.r0, &p[0].Y) + result.C1.B0.MulByElement(&l1.r1, &p[0].X) + result.C1.B1.Set(&l1.r2) + } if n >= 2 { // k = 1, separately to avoid MulBy034 (res × ℓ) diff --git a/ecc/bw6-633/pairing.go b/ecc/bw6-633/pairing.go index 4fefec3ad9..27fb49be91 100644 --- a/ecc/bw6-633/pairing.go +++ b/ecc/bw6-633/pairing.go @@ -229,23 +229,26 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { // f_{a0+λ*a1,P}(Q) var result GT + result.SetOne() var l, l0 lineEvaluation var prodLines [5]fp.Element var j int8 - // i = len(loopCounter0) - 2, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // j = 0 - // k = 0, separately to avoid MulBy034 (res × ℓ) - // (assign line to res) - - // pProj0[0] ← 2pProj0[0] and l0 the tangent ℓ passing 2pProj0[0] - pProj0[0].doubleStep(&l0) - // line evaluation at Q[0] (assign) - result.B1.A0.Mul(&l0.r1, &q[0].X) - result.B0.A0.Mul(&l0.r0, &q[0].Y) - result.B1.A1.Set(&l0.r2) + if n >= 1 { + // i = len(loopCounter0) - 2, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // j = 0 + // k = 0, separately to avoid MulBy034 (res × ℓ) + // (assign line to res) + + // pProj0[0] ← 2pProj0[0] and l0 the tangent ℓ passing 2pProj0[0] + pProj0[0].doubleStep(&l0) + // line evaluation at Q[0] (assign) + result.B1.A0.Mul(&l0.r1, &q[0].X) + result.B0.A0.Mul(&l0.r0, &q[0].Y) + result.B1.A1.Set(&l0.r2) + } // k = 1 if n >= 2 { diff --git a/ecc/bw6-756/pairing.go b/ecc/bw6-756/pairing.go index 171a197000..9a3bc5b4cd 100644 --- a/ecc/bw6-756/pairing.go +++ b/ecc/bw6-756/pairing.go @@ -209,23 +209,26 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { // f_{a0+λ*a1,P}(Q) var result GT + result.SetOne() var l, l0 lineEvaluation var prodLines [5]fp.Element var j int8 - // i = len(loopCounter0) - 2, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // j = 0 - // k = 0, separately to avoid MulBy034 (res × ℓ) - // (assign line to res) - - // pProj1[0] ← 2pProj1[0] and l0 the tangent ℓ passing 2pProj1[0] - pProj1[0].doubleStep(&l0) - // line evaluation at Q[0] (assign) - result.B1.A0.Mul(&l0.r1, &q[0].X) - result.B0.A0.Mul(&l0.r0, &q[0].Y) - result.B1.A1.Set(&l0.r2) + if n >= 1 { + // i = len(loopCounter0) - 2, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // j = 0 + // k = 0, separately to avoid MulBy034 (res × ℓ) + // (assign line to res) + + // pProj1[0] ← 2pProj1[0] and l0 the tangent ℓ passing 2pProj1[0] + pProj1[0].doubleStep(&l0) + // line evaluation at Q[0] (assign) + result.B1.A0.Mul(&l0.r1, &q[0].X) + result.B0.A0.Mul(&l0.r0, &q[0].Y) + result.B1.A1.Set(&l0.r2) + } // k = 1 if n >= 2 { diff --git a/ecc/bw6-761/pairing.go b/ecc/bw6-761/pairing.go index efa194adaf..a5bad77332 100644 --- a/ecc/bw6-761/pairing.go +++ b/ecc/bw6-761/pairing.go @@ -207,23 +207,26 @@ func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error) { // f_{a0+λ*a1,P}(Q) var result GT + result.SetOne() var l, l0 lineEvaluation var prodLines [5]fp.Element var j int8 - // i = len(loopCounter0) - 2, separately to avoid an E12 Square - // (Square(res) = 1² = 1) - // j = 0 - // k = 0, separately to avoid MulBy034 (res × ℓ) - // (assign line to res) - - // pProj1[0] ← 2pProj1[0] and l0 the tangent ℓ passing 2pProj1[0] - pProj1[0].doubleStep(&l0) - // line evaluation at Q[0] (assign) - result.B1.A0.Mul(&l0.r1, &q[0].X) - result.B0.A0.Mul(&l0.r0, &q[0].Y) - result.B1.A1.Set(&l0.r2) + if n >= 1 { + // i = len(loopCounter0) - 2, separately to avoid an E12 Square + // (Square(res) = 1² = 1) + // j = 0 + // k = 0, separately to avoid MulBy034 (res × ℓ) + // (assign line to res) + + // pProj1[0] ← 2pProj1[0] and l0 the tangent ℓ passing 2pProj1[0] + pProj1[0].doubleStep(&l0) + // line evaluation at Q[0] (assign) + result.B1.A0.Mul(&l0.r1, &q[0].X) + result.B0.A0.Mul(&l0.r0, &q[0].Y) + result.B1.A1.Set(&l0.r2) + } // k = 1 if n >= 2 {