Add BW6-767 curve and update BW6-761 to use the new bw6 model (#156)

* Rework bw6-761 to bw6-767 use bls12-381 instead of 377 for test imports fix the inline comments with correct name and params Set the right base field Equation for base curve is y2 = x3 + 1 fill in pairing params adapt sage scripts with correct moduli calculate the correct cubic non residue correct the parameter B in the curve equation remove the specialized method for mult by nonresidue nonresidue is two, so default will be doubling calculate more correct parameters for fq3 `TRACE_MINUS_ONE_DIV_TWO` and `QUADRATIC_NONRESIDUE_TO_T` compute the right fq3 & fp6 frobenious coefficients calculate the cofactor for g1 use the g1 generator from gnark's fork use the right g2 equation g2 cofactor is slightly smaller than g1 cofactor get the g2 generators from gnark's fork update g1 and g2 curve info in the comments fill in `COFACTOR_INV` value for g1 fill in `COFACTOR_INV` value for g2 * update module description author information 2-adicity of the scalar field * update changelog * remove trailing comma * remove todo * 2nd loop count is x^3 - x^2 - x * Revert "2nd loop count is x^3 - x^2 - x" This reverts commit 2b323db. * fix comment regarding non-residue * first loop count should be X * 1. Generic BW6 params added to BW6-761 2. Curve specific hard part of the final exp moved from algebra * 1. Generic BW6 params added to BW6-767 2. Miller loop params changed to the "unoptimized" version * cargo fmt * changelog updated * X_MINUS_1_DIV_3 added to BW6Config * imports fixed --------- Co-authored-by: mmagician <[email protected]>
arkworks-rs · Sep 1, 2023 · 7e58260 · 7e58260
1 parent 3fded1f
commit 7e58260
Show file tree

Hide file tree

Showing 20 changed files with 619 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,8 +6,12 @@
 
 ### Features
 
+- [\#156](https://github.com/arkworks-rs/curves/pull/156) Add the bw6-767 curve.
+
 ### Improvements
 
+- [\#156](https://github.com/arkworks-rs/curves/pull/156) The hard part of the final exponentiation for bw6-761 relocated from arkworks/algebra.
+
 ### Bugfixes
 
 ## v0.4.0

diff --git a/Cargo.toml b/Cargo.toml
@@ -9,6 +9,8 @@ members = [
     "bw6_761",
     "ed_on_bw6_761",
 
+    "bw6_767",
+
     "cp6_782",
     "ed_on_cp6_782",
 

diff --git a/bw6_761/src/curves/mod.rs b/bw6_761/src/curves/mod.rs
@@ -2,7 +2,9 @@ use ark_ec::{
     bw6,
     bw6::{BW6Config, TwistType, BW6},
 };
-use ark_ff::{biginteger::BigInteger768 as BigInteger, BigInt};
+use ark_ff::{
+    biginteger::BigInteger768 as BigInteger, fp6_2over3::Fp6, BigInt, CyclotomicMultSubgroup, Field,
+};
 
 use crate::*;
 
@@ -32,6 +34,21 @@ impl BW6Config for Config {
     ]);
     /// `x` is positive.
     const X_IS_NEGATIVE: bool = false;
+    // (X-1)/3
+    const X_MINUS_1_DIV_3: BigInteger = BigInt::new([
+        0x2c58400000000000,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+        0x0,
+    ]);
     // X+1
     const ATE_LOOP_COUNT_1: &'static [u64] = &[0x8508c00000000002];
     const ATE_LOOP_COUNT_1_IS_NEGATIVE: bool = false;
@@ -47,11 +64,122 @@ impl BW6Config for Config {
     ];
     const ATE_LOOP_COUNT_2_IS_NEGATIVE: bool = false;
     const TWIST_TYPE: TwistType = TwistType::M;
+    const H_T: i64 = 13;
+    const H_Y: i64 = 9;
+    const T_MOD_R_IS_ZERO: bool = false;
     type Fp = Fq;
     type Fp3Config = Fq3Config;
     type Fp6Config = Fq6Config;
     type G1Config = g1::Config;
     type G2Config = g2::Config;
+
+    fn final_exponentiation_hard_part(f: &Fp6<Self::Fp6Config>) -> Fp6<Self::Fp6Config> {
+        // hard_part
+        // From https://eprint.iacr.org/2020/351.pdf, Alg.6
+
+        #[rustfmt::skip]
+        // R0(x) := (-103*x^7 + 70*x^6 + 269*x^5 - 197*x^4 - 314*x^3 - 73*x^2 - 263*x - 220)
+        // R1(x) := (103*x^9 - 276*x^8 + 77*x^7 + 492*x^6 - 445*x^5 - 65*x^4 + 452*x^3 - 181*x^2 + 34*x + 229)
+        // f ^ R0(u) * (f ^ q) ^ R1(u) in a 2-NAF multi-exp fashion.
+
+        // steps 1,2,3
+        let f0 = *f;
+        let mut f0p = f0;
+        f0p.frobenius_map_in_place(1);
+        let f1 = Self::exp_by_x(&f0);
+        let mut f1p = f1;
+        f1p.frobenius_map_in_place(1);
+        let f2 = Self::exp_by_x(&f1);
+        let mut f2p = f2;
+        f2p.frobenius_map_in_place(1);
+        let f3 = Self::exp_by_x(&f2);
+        let mut f3p = f3;
+        f3p.frobenius_map_in_place(1);
+        let f4 = Self::exp_by_x(&f3);
+        let mut f4p = f4;
+        f4p.frobenius_map_in_place(1);
+        let f5 = Self::exp_by_x(&f4);
+        let mut f5p = f5;
+        f5p.frobenius_map_in_place(1);
+        let f6 = Self::exp_by_x(&f5);
+        let mut f6p = f6;
+        f6p.frobenius_map_in_place(1);
+        let f7 = Self::exp_by_x(&f6);
+        let mut f7p = f7;
+        f7p.frobenius_map_in_place(1);
+
+        // step 4
+        let f8p = Self::exp_by_x(&f7p);
+        let f9p = Self::exp_by_x(&f8p);
+
+        // step 5
+        let mut f5p_p3 = f5p;
+        f5p_p3.cyclotomic_inverse_in_place();
+        let result1 = f3p * &f6p * &f5p_p3;
+
+        // step 6
+        let result2 = result1.square();
+        let f4_2p = f4 * &f2p;
+        let mut tmp1_p3 = f0 * &f1 * &f3 * &f4_2p * &f8p;
+        tmp1_p3.cyclotomic_inverse_in_place();
+        let result3 = result2 * &f5 * &f0p * &tmp1_p3;
+
+        // step 7
+        let result4 = result3.square();
+        let mut f7_p3 = f7;
+        f7_p3.cyclotomic_inverse_in_place();
+        let result5 = result4 * &f9p * &f7_p3;
+
+        // step 8
+        let result6 = result5.square();
+        let f2_4p = f2 * &f4p;
+        let f4_2p_5p = f4_2p * &f5p;
+        let mut tmp2_p3 = f2_4p * &f3 * &f3p;
+        tmp2_p3.cyclotomic_inverse_in_place();
+        let result7 = result6 * &f4_2p_5p * &f6 * &f7p * &tmp2_p3;
+
+        // step 9
+        let result8 = result7.square();
+        let mut tmp3_p3 = f0p * &f9p;
+        tmp3_p3.cyclotomic_inverse_in_place();
+        let result9 = result8 * &f0 * &f7 * &f1p * &tmp3_p3;
+
+        // step 10
+        let result10 = result9.square();
+        let f6p_8p = f6p * &f8p;
+        let f5_7p = f5 * &f7p;
+        let mut tmp4_p3 = f6p_8p;
+        tmp4_p3.cyclotomic_inverse_in_place();
+        let result11 = result10 * &f5_7p * &f2p * &tmp4_p3;
+
+        // step 11
+        let result12 = result11.square();
+        let f3_6 = f3 * &f6;
+        let f1_7 = f1 * &f7;
+        let mut tmp5_p3 = f1_7 * &f2;
+        tmp5_p3.cyclotomic_inverse_in_place();
+        let result13 = result12 * &f3_6 * &f9p * &tmp5_p3;
+
+        // step 12
+        let result14 = result13.square();
+        let mut tmp6_p3 = f4_2p * &f5_7p * &f6p_8p;
+        tmp6_p3.cyclotomic_inverse_in_place();
+        let result15 = result14 * &f0 * &f0p * &f3p * &f5p * &tmp6_p3;
+
+        // step 13
+        let result16 = result15.square();
+        let mut tmp7_p3 = f3_6;
+        tmp7_p3.cyclotomic_inverse_in_place();
+        let result17 = result16 * &f1p * &tmp7_p3;
+
+        // step 14
+        let result18 = result17.square();
+        let mut tmp8_p3 = f2_4p * &f4_2p_5p * &f9p;
+        tmp8_p3.cyclotomic_inverse_in_place();
+        let result19 = result18 * &f1_7 * &f5_7p * &f0p * &tmp8_p3;
+
+        result19
+    }
 }
 
 pub type BW6_761 = BW6<Config>;

diff --git a/bw6_767/Cargo.toml b/bw6_767/Cargo.toml
@@ -0,0 +1,33 @@
+[package]
+name = "ark-bw6-767"
+version = "0.4.0"
+authors = [ "arkworks contributors" ]
+description = "The BW6-767 pairing-friendly elliptic curve"
+homepage = "https://arkworks.rs"
+repository = "https://github.com/arkworks-rs/curves"
+documentation = "https://docs.rs/ark-bw6-767/"
+keywords = ["cryptography", "finite-fields", "elliptic-curves" ]
+categories = ["cryptography"]
+include = ["Cargo.toml", "src", "README.md", "LICENSE-APACHE", "LICENSE-MIT"]
+license = "MIT/Apache-2.0"
+edition = "2021"
+
+[dependencies]
+ark-ff = { version= "0.4.0", default-features = false }
+ark-ec = { version= "0.4.0", default-features = false }
+ark-std = { version = "0.4.0", default-features = false }
+ark-bls12-381 = { version = "0.4.0", path = "../bls12_381", default-features = false, features = [ "curve" ] }
+
+[dev-dependencies]
+ark-serialize = { version = "0.4.0", default-features = false }
+ark-algebra-test-templates = { version = "0.4.0", default-features = false }
+ark-algebra-bench-templates = { version = "0.4.0", default-features = false }
+
+[features]
+default = []
+std = [ "ark-std/std", "ark-ff/std", "ark-ec/std", "ark-bls12-381/std" ]
+
+[[bench]]
+name = "bw6_767"
+path = "benches/bw6_767.rs"
+harness = false
diff --git a/bw6_767/LICENSE-APACHE b/bw6_767/LICENSE-APACHE
@@ -0,0 +1 @@
+../LICENSE-APACHE
diff --git a/bw6_767/LICENSE-MIT b/bw6_767/LICENSE-MIT
@@ -0,0 +1 @@
+../LICENSE-MIT
diff --git a/bw6_767/benches/bw6_767.rs b/bw6_767/benches/bw6_767.rs
@@ -0,0 +1,16 @@
+use ark_algebra_bench_templates::*;
+
+use ark_bw6_767::{
+    fq::Fq, fq3::Fq3, fq6::Fq6, fr::Fr, g1::G1Projective as G1, g2::G2Projective as G2, BW6_767,
+};
+
+bench!(
+    Name = "BW6_767",
+    Pairing = BW6_767,
+    G1 = G1,
+    G2 = G2,
+    ScalarField = Fr,
+    G1BaseField = Fq,
+    G2BaseField = Fq3,
+    TargetField = Fq6,
+);
diff --git a/bw6_767/scripts/base_field.sage b/bw6_767/scripts/base_field.sage
@@ -0,0 +1,28 @@
+modulus = 496597749679620867773432037469214230242402307330180853437434581099336634619713640485778675608223760166307530047354464605410050411581079376994803852937842168733702867087556948851016246640584660942486895230518034810309227309966899431
+
+assert(modulus.is_prime())
+
+Fp = GF(modulus)
+
+generator = Fp(0);
+for i in range(0, 20):
+    i = Fp(i);
+    neg_i = Fp(-i)
+    if not(i.is_primitive_root() or neg_i.is_primitive_root()):
+        continue
+    elif i.is_primitive_root():
+        assert(i.is_primitive_root());
+        print("Generator: %d" % i)
+        generator = i
+        break
+    else:
+        assert(neg_i.is_primitive_root());
+        print("Generator: %d" % neg_i)
+        generator = neg_i
+        break
+
+
+two_adicity = valuation(modulus - 1, 2);
+trace = (modulus - 1) / 2**two_adicity;
+two_adic_root_of_unity = generator^trace
+print("2-adic Root of Unity: %d " % two_adic_root_of_unity)
diff --git a/bw6_767/scripts/scalar_field.sage b/bw6_767/scripts/scalar_field.sage
@@ -0,0 +1,28 @@
+modulus = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
+
+assert(modulus.is_prime())
+
+Fp = GF(modulus)
+
+generator = Fp(0);
+for i in range(0, 20):
+    i = Fp(i);
+    neg_i = Fp(-i)
+    if not(i.is_primitive_root() or neg_i.is_primitive_root()):
+        continue
+    elif i.is_primitive_root():
+        assert(i.is_primitive_root());
+        print("Generator: %d" % i)
+        generator = i
+        break
+    else:
+        assert(neg_i.is_primitive_root());
+        print("Generator: %d" % neg_i)
+        generator = neg_i
+        break
+
+
+two_adicity = valuation(modulus - 1, 2);
+trace = (modulus - 1) / 2**two_adicity;
+two_adic_root_of_unity = generator^trace
+print("2-adic Root of Unity: %d " % two_adic_root_of_unity)
diff --git a/bw6_767/src/curves/g1.rs b/bw6_767/src/curves/g1.rs
@@ -0,0 +1,59 @@
+use ark_ec::{
+    models::{short_weierstrass::SWCurveConfig, CurveConfig},
+    short_weierstrass::{Affine, Projective},
+};
+use ark_ff::{AdditiveGroup, MontFp};
+
+use crate::{Fq, Fr};
+
+pub type G1Affine = Affine<Config>;
+pub type G1Projective = Projective<Config>;
+
+#[derive(Clone, Default, PartialEq, Eq)]
+pub struct Config;
+
+impl CurveConfig for Config {
+    type BaseField = Fq;
+    type ScalarField = Fr;
+
+    /// COFACTOR =
+    /// 124074696211871689196744963988542244365937182994917792082847997279938522233341057826255097957635256182243502012934844
+    #[rustfmt::skip]
+    const COFACTOR: &'static [u64] = &[
+        0x9fed0006fffaaabc,
+        0xfae29bffb34d7c0d,
+        0xc51e35fba8145036,
+        0x58c9927410ca3a62,
+        0x7772b64205a0bc67,
+        0x26212b5cf67cecaf,
+        0x3,
+    ];
+
+    /// COFACTOR^(-1) mod r =
+    /// 1707860402533867312515920333330662452399178546610458136488910471176197226039103222144872611321997303708365553992812
+    const COFACTOR_INV: Fr = MontFp!("1707860402533867312515920333330662452399178546610458136488910471176197226039103222144872611321997303708365553992812");
+}
+
+impl SWCurveConfig for Config {
+    /// COEFF_A = 0
+    const COEFF_A: Fq = Fq::ZERO;
+
+    /// COEFF_B = 1
+    const COEFF_B: Fq = MontFp!("1");
+
+    /// AFFINE_GENERATOR_COEFFS = (G1_GENERATOR_X, G1_GENERATOR_Y)
+    const GENERATOR: G1Affine = G1Affine::new_unchecked(G1_GENERATOR_X, G1_GENERATOR_Y);
+    #[inline(always)]
+    fn mul_by_a(_elem: Self::BaseField) -> Self::BaseField {
+        use ark_ff::Zero;
+        Self::BaseField::zero()
+    }
+}
+
+/// G1_GENERATOR_X =
+/// 127687253511432941835499154999732953539969793860764514205013635996439242747457934431893570832266740963864950713809357287070846939000367049554519743864924323440810949629217677483481194663331926309250818003412838087592587472550707218
+pub const G1_GENERATOR_X: Fq = MontFp!("127687253511432941835499154999732953539969793860764514205013635996439242747457934431893570832266740963864950713809357287070846939000367049554519743864924323440810949629217677483481194663331926309250818003412838087592587472550707218");
+
+/// G1_GENERATOR_Y =
+/// 415570529523170147223250223671601071129165798689804006717876771297003017718159840368703823786319144396618898691682149260290217115399107531975419658973137909698922937988511368601419289861827304905241655385035120916874417442125721204
+pub const G1_GENERATOR_Y: Fq = MontFp!("415570529523170147223250223671601071129165798689804006717876771297003017718159840368703823786319144396618898691682149260290217115399107531975419658973137909698922937988511368601419289861827304905241655385035120916874417442125721204");