-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathBN254A.hs
177 lines (155 loc) · 8.16 KB
/
BN254A.hs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
{-# OPTIONS -fno-warn-orphans #-}
module Data.Pairing.BN254A
( module Data.Pairing
, module Data.Pairing.Ate
-- * BN254A curve
, BN254A
, parameterBin
, parameterHex
-- ** Fields
, Fq
, Fq2
, Fq6
, Fq12
, Fr
-- ** Groups
, G1'
, G2'
, GT'
-- ** Roots of unity
, getRootOfUnity
) where
import Protolude
import Data.Curve.Weierstrass.BN254A as G1
import Data.Curve.Weierstrass.BN254AT as G2
import Data.Field.Galois as F
import Data.Pairing
import Data.Pairing.Ate
-------------------------------------------------------------------------------
-- Fields
-------------------------------------------------------------------------------
-- Cubic nonresidue in @Fq2@.
xi :: Fq2
xi = [0, 1]
{-# INLINABLE xi #-}
-- | Field of points of BN254A curve over @Fq6@.
type Fq6 = Extension V Fq2
data V
instance IrreducibleMonic V Fq2 where
poly _ = [-xi, 0, 0, 1]
{-# INLINABLE poly #-}
-- | Field of points of BN254A curve over @Fq12@.
type Fq12 = Extension W Fq6
data W
instance IrreducibleMonic W Fq6 where
poly _ = [[0, -1], 0, 1]
{-# INLINABLE poly #-}
-------------------------------------------------------------------------------
-- Curves
-------------------------------------------------------------------------------
-- | BN254A curve left group @G1 = E(Fq)@.
type G1' = G1.PA
-- | BN254A curve right group @G2 = E'(Fq2)@.
type G2' = G2.PA
-- | @Fq12@ multiplicative target group @GT@.
type GT' = RootsOfUnity R Fq12
instance CyclicSubgroup (RootsOfUnity R Fq12) where
gen = toU'
[ [ [ 0x4458b6bb7ef0dda02b9ad613e4409b2d6df24f0c185fa2d78123ca6f77d07da
, 0x2231017130d2fab595f7e65d6523c9a000194b87ecaa4c7ea38fd6521afd5a71
]
, [ 0xad346bd688cc084eafd4046c8917e0fa9ab4a57c38030a138d92d2c01e7aed8
, 0x171585475d4ff21f16d98a1d4fe602600291395c2bb90410110e3d371debb5be
]
, [ 0x22581de973331965d6d99e91e099f7103fc1adae7ff144b2883700e8a62c736d
, 0x1a1aea16ea2f8a1a83bbb94f313017d4d219934299f164a4cf81d238ba1a28f7
]
]
, [ [ 0xe13cf00937f8e3ac7a5a0fb48155d00da25dffb034dd4bcdfe0f104c4add186
, 0x2078ec5a822a57b5f6d9588693d1f133c5fd810af9eed8f49f8f2eeeca7291ce
]
, [ 0xae3a9a729c6b4499e68c37eda1d2bb5102c8cf5ebce94be9fcfac8c9e0a919f
, 0x1f0d8b494d6cfe679c44568e3aa183442bc3b330dbed889d5fd23e72042b9563
]
, [ 0x771453fb3496035abf9120d7a2f69760cc6096cea55b8734bf1e31cfb47bbbd
, 0x7252678df761476bf642f8a9870c8c38a6c89adc2078e724188f7b7731899f3
]
]
]
{-# INLINABLE gen #-}
-------------------------------------------------------------------------------
-- Pairings
-------------------------------------------------------------------------------
-- | BN254A curve parameter @s = 6t + 2@ in signed binary.
parameterBin :: [Int8]
parameterBin = [ 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0
, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0
]
{-# INLINABLE parameterBin #-}
-- | BN254A curve parameter @t@ in hexadecimal.
parameterHex :: Integer
parameterHex = 0x3fc0100000000000
{-# INLINABLE parameterHex #-}
-- BN254A curve is pairing-friendly.
instance Pairing BN254A where
type instance G1 BN254A = G1'
type instance G2 BN254A = G2'
type instance GT BN254A = GT'
pairing = (.) (finalExponentiationBN parameterHex)
. millerAlgorithmBN xi parameterBin
{-# INLINABLE pairing #-}
-------------------------------------------------------------------------------
-- Roots of unity
-------------------------------------------------------------------------------
-- | Precompute primitive roots of unity for binary powers that divide @r - 1@.
getRootOfUnity :: Int -> Fr
getRootOfUnity 0 = 1
getRootOfUnity 1 = 16030569034403128277756688287498649515510226217719936227669524443298095169536
getRootOfUnity 2 = 3489693859167495945826266994150801934706357307593354903555
getRootOfUnity 3 = 3285903727338212256516752050919226860376724583194591055153489062260959380635
getRootOfUnity 4 = 2270555545872348511759307962351523183560262977186337590657501402287699857908
getRootOfUnity 5 = 1315072370156942873281151013996374548132532175092877209004809243239179089527
getRootOfUnity 6 = 3156020212676014144280026166857817346787625345871557368826134972222969932340
getRootOfUnity 7 = 7470724239101740420986373029747289447449046784740915971953525293322381316462
getRootOfUnity 8 = 15496266489460347899257264157305968971891080888631944276330231347438178328945
getRootOfUnity 9 = 6208678585364090833596481491575308816974565051050326042583304699099274900516
getRootOfUnity 10 = 796515107887427991933186869096395437894651103048849183011948903001294588129
getRootOfUnity 11 = 229553444980607832372975580592847411867111770105669153114319009026047689566
getRootOfUnity 12 = 10320469552241416859375342152843553688047393757297404342932446859867323430848
getRootOfUnity 13 = 2881415290328970841685261289447033704708770367211748821894107957428088839272
getRootOfUnity 14 = 2322625722969234922285093801229200180009986675201187810370257177988538146799
getRootOfUnity 15 = 5271797936540031745884034785920204801094365349300930934606337942533497715992
getRootOfUnity 16 = 5497379639823644199468923626014227736920726162404780871132077046009441828871
getRootOfUnity 17 = 4692228325300560980869201540386574542235836389265038297593418577672500818515
getRootOfUnity 18 = 11994345287481770242581984677490446412334261753963410985240697457391182314159
getRootOfUnity 19 = 3502606443509093825284480908358085456133537454462190972491980856498383164446
getRootOfUnity 20 = 13519651907130181317064728599294301997820893880375441722742380085637396813274
getRootOfUnity 21 = 3881421327062235019113442541771664926155256962922001705444401214302821256619
getRootOfUnity 22 = 12856165973329967033853942823838453467927057675554924662306612709420871237434
getRootOfUnity 23 = 9139599546834243578435669355986378334708742924990005355591331148663878897471
getRootOfUnity 24 = 4661664601773682192206691279923082111080348374869531232262038176861158702949
getRootOfUnity 25 = 3709525180785332782171154777368422244075198766350471017496881161034205298444
getRootOfUnity 26 = 1465023158884904519090295913338095428293500566287977122484287885738304885304
getRootOfUnity 27 = 7342143466883872856992304520157712891165876310466091361417063107995612776528
getRootOfUnity 28 = 14232985424354665335349545605043255054435486437116951267913584526936902984572
getRootOfUnity 29 = 15202645715456227220902578982283274974185471379804841919320704390321665511593
getRootOfUnity 30 = 14570242844365864539082801254584382183965977083519576508328512259057880191351
getRootOfUnity 31 = 12124489194579669025494570168358476039067207610761137160623928994617971352978
getRootOfUnity 32 = 9718442060030929845321135565988969997330755591893628810369169031282195485548
getRootOfUnity 33 = 13965075499833313859769837639859228559796706060489672986239848943597052983689
getRootOfUnity 34 = 10878093517899627911123755383124378638161855886233124881053647640975408380375
getRootOfUnity 35 = 8435881533388956906701822403627474797360487188253006898229971548356058895841
getRootOfUnity 36 = 11660419090175191042607011267921111859970661475035565017766326822422109704808
getRootOfUnity 37 = 13479613258966828527336495732827319975048965079999537436391314511974795113951
getRootOfUnity 38 = 12255848062519507646813918887151731798620337402496187483152725509958716707663
getRootOfUnity 39 = 1191064701498473107728525837268157158221596571314584007460879085431101032989
getRootOfUnity 40 = 7929157873712339907565714231863226177716129881382898594366876137275735512725
getRootOfUnity 41 = 878558801117149418179485141457461919292588373038232616995665969934829282730
getRootOfUnity 42 = 10023598691536594233642036976538415768177003819780468987316242524307181351110
getRootOfUnity 43 = 13768920145013244438846404581759054081571321087354902639223576775854942865536
getRootOfUnity 44 = 965470443850859442138730035344447750734927117134681333276344975479417325425
getRootOfUnity 45 = 11031593636764287520022492693862893135473941066680485901697733005752357613794
getRootOfUnity _ = panic "getRootOfUnity: exponent too big for Fr / negative"
{-# INLINABLE getRootOfUnity #-}