Merge pull request #356 from ConsenSys/perf/bn24317-FinalExp

Perf: optimize BLS24-317 final exp
Consensys · Mar 14, 2023 · 5185eb8 · 5185eb8
2 parents 022d009 + ce7c660
commit 5185eb8
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 11 deletions.
diff --git a/ecc/bls24-317/internal/fptower/e24_pairing.go b/ecc/bls24-317/internal/fptower/e24_pairing.go
@@ -12,9 +12,9 @@ func (z *E24) nSquareCompressed(n int) {
 	}
 }
 
-// Expt set z to x^t in E24 and return z (t is the seed of the curve)
-// t = 3640754176
-func (z *E24) Expt(x *E24) *E24 {
+// ExptHalf set z to x^(t/2) in E24 and return z (t is the seed of the curve)
+// t/2 = 1820377088
+func (z *E24) ExptHalf(x *E24) *E24 {
 	// Expt computation is derived from the addition chain:
 	//
 	//	_10       = 2*1
@@ -23,9 +23,9 @@ func (z *E24) Expt(x *E24) *E24 {
 	//	_11000000 = _11000 << 3
 	//	_11011000 = _11000 + _11000000
 	//	_11011001 = 1 + _11011000
-	//	return      (_11011001 << 9 + _11) << 15
+	//	return      (_11011001 << 9 + _11) << 14
 	//
-	// Operations: 31 squares 4 multiplies
+	// Operations: 30 squares 4 multiplies
 	//
 	// Generated by github.com/mmcloughlin/addchain v0.4.0.
 
@@ -60,14 +60,22 @@ func (z *E24) Expt(x *E24) *E24 {
 	result.Mul(&result, &t0)
 
 	// Step 35: result = x^0xd9018000
-	result.nSquareCompressed(15)
+	result.nSquareCompressed(14)
 	result.DecompressKarabina(&result)
 
 	z.Set(&result)
 
 	return z
 }
 
+// Expt set z to x^t in E24 and return z (t is the seed of the curve)
+// t = 3640754176
+func (z *E24) Expt(x *E24) *E24 {
+	var result E24
+	result.ExptHalf(x)
+	return z.CyclotomicSquare(&result)
+}
+
 // MulBy014 multiplication by sparse element (c0, c1, 0, 0, c4, 0)
 func (z *E24) MulBy014(c0, c1, c4 *E4) *E24 {
 

diff --git a/ecc/bls24-317/pairing.go b/ecc/bls24-317/pairing.go
@@ -84,7 +84,7 @@ func FinalExponentiation(z *GT, _z ...*GT) GT {
 	// https://eprint.iacr.org/2020/875.pdf
 	// 3(p⁸ - p⁴ +1)/r = (x₀-1)² * (x₀+p) * (x₀²+p²) * (x₀⁴+p⁴-1) + 3
 	t[0].CyclotomicSquare(&result)
-	t[1].Expt(&result)
+	t[1].ExptHalf(&t[0])
 	t[2].InverseUnitary(&result)
 	t[1].Mul(&t[1], &t[2])
 	t[2].Expt(&t[1])
@@ -98,10 +98,14 @@ func FinalExponentiation(z *GT, _z ...*GT) GT {
 	t[2].Expt(&t[0])
 	t[0].FrobeniusSquare(&t[1])
 	t[2].Mul(&t[0], &t[2])
-	t[1].Expt(&t[2])
-	t[1].Expt(&t[1])
-	t[1].Expt(&t[1])
-	t[1].Expt(&t[1])
+	t[1].ExptHalf(&t[2])
+	t[1].ExptHalf(&t[1])
+	t[1].ExptHalf(&t[1])
+	t[1].ExptHalf(&t[1])
+	for s := 0; s < 4; s++ {
+		t[1].CyclotomicSquareCompressed(&t[1])
+	}
+	t[1].DecompressKarabina(&t[1])
 	t[0].FrobeniusQuad(&t[2])
 	t[0].Mul(&t[0], &t[1])
 	t[2].InverseUnitary(&t[2])