Perf: plonk verifier gadget #949

Merged
merged 87 commits into from
Dec 13, 2023
Changes from 73 commits
87 commits
a88809d
feat(sw_bls12377): Add DoubleFixedQPairing
yelhousni Oct 18, 2023
588b840
feat(sw_bls24315): Add DoubleFixedQPairing
yelhousni Oct 18, 2023
44733f1
perf: kzg gadget using DoubleFixedQPairing
yelhousni Oct 19, 2023
768d2ad
refactor(bn254, bls12-381): DoubleFixedQPairing and kzg
yelhousni Oct 19, 2023
dea5a07
Merge branch 'master' into perf/kzg
yelhousni Oct 19, 2023
213b824
Merge branch 'feat/bw6761-fixed-pairing' into perf/kzg
yelhousni Oct 23, 2023
2e21d9e
Merge branch 'feat/bw6761-fixed-pairing' into perf/kzg
yelhousni Oct 23, 2023
ec2f3f4
perf(bw6): use optimized DoublePairFixedQ in kzg
yelhousni Oct 23, 2023
7b8201c
Merge branch 'master' into perf/kzg
yelhousni Oct 24, 2023
97842ed
refactor(kzg): lazy precomputation of lines
yelhousni Oct 26, 2023
a377fa6
refactor(emulated): use gnark-crytpo fixed-arg pairing
yelhousni Nov 9, 2023
fcd7024
refactor(2-chains): use gnark-crytpo fixed-arg pairing
yelhousni Nov 9, 2023
bfc72d0
refactor: bls24 also uses size 4 lines
yelhousni Nov 10, 2023
5461270
refactor: use lineEvaluation type instead of field elements
yelhousni Nov 10, 2023
44d4faf
refactor: algebra interface and pairing
yelhousni Nov 11, 2023
03861c5
perf: use new fixed-arg pairing in kzg (WIP)
yelhousni Nov 11, 2023
f2b60d1
perf: use new fixed-arg pairing in kzg
yelhousni Nov 11, 2023
87e2d9f
refactor: some refactoring
yelhousni Nov 11, 2023
64a7cc8
Merge branch 'master' into perf/kzg
yelhousni Nov 11, 2023
c4f12ad
Merge branch 'master' into perf/kzg
yelhousni Nov 11, 2023
649a633
fix: groth16 recursion
yelhousni Nov 11, 2023
237764e
refactor: use variable point in tests for precomputeLines
yelhousni Nov 11, 2023
079d9d1
perf(bn254): mul lines 2-by-2 in fixed-arg pairing for KZG when bit=0
yelhousni Nov 15, 2023
7bbfd50
chore: update gnark-crypto
yelhousni Nov 15, 2023
813a47d
Merge branch 'master' into perf/kzg
yelhousni Nov 16, 2023
343d7ef
refactor: re-introduce points in KZG verification key
yelhousni Nov 16, 2023
d86a141
chore: update gnark-crypto
yelhousni Nov 17, 2023
5ee67a1
feat(2-chain): MSM of size 2
yelhousni Nov 30, 2023
4d93903
fix(2-chain): last iteration of MSM of size 2
yelhousni Nov 30, 2023
e0e6494
perf: use JointScalarMul in plonk recursion
yelhousni Nov 30, 2023
670a9ec
perf(plonkVerif): manually reduce wrong-field elements here and there
yelhousni Dec 1, 2023
bdab848
perf(mimc/bw6-761): use inverse as bijection instead of pow5
yelhousni Dec 2, 2023
079152e
perf(2-chain/msm): special case using same scalar
yelhousni Dec 2, 2023
5e6c608
perf: mutualize bit decomposition when same scalar used is ScalarMul
yelhousni Dec 2, 2023
82f4176
perf: implement unified addition in 2-chains
yelhousni Dec 3, 2023
9c27643
perf: rewrite Hayashida et al. hard part
yelhousni Dec 4, 2023
fc61e36
Merge branch 'master' into perf/kzg
yelhousni Dec 4, 2023
ae2b1d6
Merge branch 'master' into perf/plonk-verifier
yelhousni Dec 4, 2023
10ad7ac
Revert "perf(plonkVerif): manually reduce wrong-field elements here a…
yelhousni Dec 4, 2023
8f3b20d
refactor(bn254): precomputed lines embedded in G2Affine struct
yelhousni Dec 4, 2023
a572b8c
refactor(bn254+bw6761): use precomputed lines in kzg and plonk verifier
yelhousni Dec 5, 2023
696c813
fix: groth16 verifier
yelhousni Dec 5, 2023
005549f
refactor(bls12-381): precomputed lines embedded in G2Affine struct
yelhousni Dec 5, 2023
eaf7e8b
refactor(bls12381, bn254, bw6761): precomputed lines in KZG
yelhousni Dec 5, 2023
df19d9b
fix: test Expt remaned to ExpX0
yelhousni Dec 5, 2023
be1cf55
test: plonk verifier with precomputed lines
yelhousni Dec 5, 2023
cc528dd
refactor(2-chain): precomputed lines in pairing + KZG + plonk verifier
yelhousni Dec 6, 2023
0af6ef0
refactor(2-chain bls24): precomputed lines in pairing+KZG+plonk verifier
yelhousni Dec 6, 2023
5b72b4a
refactor: rename precompute to compute when done in-circuit
yelhousni Dec 6, 2023
dba4c79
fix: update stats
yelhousni Dec 6, 2023
f8a3f82
refactor: reconcile with master
yelhousni Dec 6, 2023
b4f4738
Merge branch 'perf/kzg' into perf/plonk-verifier
yelhousni Dec 6, 2023
2e061ca
perf(bls12-377/FE): rearrange addchain to use karabina1234 sq for size 3
yelhousni Dec 6, 2023
b766ff7
perf(bw6/FE): Karabina1234 all the way is better in emulated case
yelhousni Dec 6, 2023
0e29879
perf(bw6/tower): save some emulated negations
yelhousni Dec 6, 2023
870dd5a
perf(bw6/pairing): small perf improvement
yelhousni Dec 6, 2023
dc152cd
perf(bw6/plonk-verifier): small perf improvement
yelhousni Dec 6, 2023
7f9ef23
perf(emulated/doubleAndAdd): substitute some Sub with Add
yelhousni Dec 7, 2023
7fb4c17
perf(emulated/doubleAndAdd): avoid an emulated negation
yelhousni Dec 7, 2023
23b2918
perf: isolate trival add/mul by 0/1 in plonk verifier and kzg
yelhousni Dec 7, 2023
f9b9df9
perf: minor optims for plonk verifier
yelhousni Dec 8, 2023
2386a14
perf: glv-base msm for bw6 (dirty)
yelhousni Dec 10, 2023
c0b923c
perf: plonk verifier
yelhousni Dec 11, 2023
f26c9aa
perf: bw6 glv with smaller loop
yelhousni Dec 11, 2023
d9865b4
refactor: remove SameScalarMul from interface
yelhousni Dec 12, 2023
192708e
feat: implement glv for all curves
yelhousni Dec 12, 2023
3b96e17
fix: use Generic instead of GLV for ECMUL to handle edge-cases
yelhousni Dec 12, 2023
e7e5628
refactor: hardcode glv values instead of exporting from gnark-crypto
yelhousni Dec 12, 2023
018b09a
chore: fix linter errors
ivokub Dec 12, 2023
31f67a7
perf: avoid some additions in jointScalarMulGLV
yelhousni Dec 12, 2023
0737cc8
Revert "perf(mimc/bw6-761): use inverse as bijection instead of pow5"
yelhousni Dec 13, 2023
e22b65a
fix: stats
yelhousni Dec 13, 2023
e187ab5
chore: inline computation
ivokub Dec 13, 2023
d0d198f
chore: use type alias
ivokub Dec 13, 2023
a5b1b80
test: keep test curve
ivokub Dec 13, 2023
166008c
refactor: use line evaluation references for avoiding copies
ivokub Dec 13, 2023
57da485
docs: add method documentation
ivokub Dec 13, 2023
a7eec50
refactor: make newG2Aff private
ivokub Dec 13, 2023
14211e7
chore: remove unused line eval init
ivokub Dec 13, 2023
ef4572e
feat: register hints in std/ also when have no circuit
ivokub Dec 13, 2023
823c63d
refactor: use emulated pointer to avoid init when no GLV
ivokub Dec 13, 2023
c3c813b
docs: define that addition is now unsafe
ivokub Dec 13, 2023
c4f4a2d
fix: use eigenvalue and thirdroot pointers
ivokub Dec 13, 2023
c9d6114
fix: init lines before assigning
ivokub Dec 13, 2023
b150f30
chore: remove unused line init
ivokub Dec 13, 2023
188c4d8
refactor: use existing modulus value
ivokub Dec 13, 2023
e76b231
refactor: work on pointer values
ivokub Dec 13, 2023
Expand Up @@ -3,7 +3,7 @@ import (
{{ template "import_fr" . }}
{{ template "import_kzg" . }}
"github.com/consensys/gnark-crypto/ecc/{{toLower .Curve}}/fr/iop"
"io"
"io"
"errors"
)

Expand Down Expand Up @@ -385,4 +385,4 @@ func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error) {
}

return dec.BytesRead(), nil
}
}
Expand Up @@ -3,7 +3,7 @@ import (
{{ template "import_curve" . }}
{{ template "import_fr" . }}
{{ template "import_fft" . }}
"testing"
"testing"
"math/big"
"math/rand"
"github.com/consensys/gnark/io"
Binary file modified internal/stats/latest.stats
Binary file not shown.
24 changes: 12 additions & 12 deletions internal/stats/snippet.go
Expand Up @@ -110,10 +110,10 @@ func initSnippets() {
var dummyG2 sw_bls12377.G2Affine
dummyG1.X = newVariable()
dummyG1.Y = newVariable()
dummyG2.X.A0 = newVariable()
dummyG2.X.A1 = newVariable()
dummyG2.Y.A0 = newVariable()
dummyG2.Y.A1 = newVariable()
dummyG2.P.X.A0 = newVariable()
dummyG2.P.X.A1 = newVariable()
dummyG2.P.Y.A0 = newVariable()
dummyG2.P.Y.A1 = newVariable()

// e(psi0, -gamma)*e(-πC, -δ)*e(πA, πB)
_, _ = sw_bls12377.Pair(api, []sw_bls12377.G1Affine{dummyG1}, []sw_bls12377.G2Affine{dummyG2})
Expand All @@ -126,14 +126,14 @@ func initSnippets() {
var dummyG2 sw_bls24315.G2Affine
dummyG1.X = newVariable()
dummyG1.Y = newVariable()
dummyG2.X.B0.A0 = newVariable()
dummyG2.X.B0.A1 = newVariable()
dummyG2.X.B1.A0 = newVariable()
dummyG2.X.B1.A1 = newVariable()
dummyG2.Y.B0.A0 = newVariable()
dummyG2.Y.B0.A1 = newVariable()
dummyG2.Y.B1.A0 = newVariable()
dummyG2.Y.B1.A1 = newVariable()
dummyG2.P.X.B0.A0 = newVariable()
dummyG2.P.X.B0.A1 = newVariable()
dummyG2.P.X.B1.A0 = newVariable()
dummyG2.P.X.B1.A1 = newVariable()
dummyG2.P.Y.B0.A0 = newVariable()
dummyG2.P.Y.B0.A1 = newVariable()
dummyG2.P.Y.B1.A0 = newVariable()
dummyG2.P.Y.B1.A1 = newVariable()

// e(psi0, -gamma)*e(-πC, -δ)*e(πA, πB)
_, _ = sw_bls24315.Pair(api, []sw_bls24315.G1Affine{dummyG1}, []sw_bls24315.G2Affine{dummyG2})
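Review bot: The dummy `sw_bls12377.G2Affine` at the top of the hunk populates only `P`, so after the restructuring described in commits 8f3b20d and cc528dd (precomputed lines embedded in the G2Affine struct) whatever line field the struct now carries stays at its zero value, and the snippet measures `Pair` on the non-precomputed path only. If `latest.stats` is meant to track the KZG/plonk verifier cost, which per the commit list now relies on precomputed lines, a second snippet with that field populated would be worth adding; the struct definition is not visible here, so treat this as a question rather than a defect. The bls24315 hunk below has the same shape. `initSnippets` starts and ends outside both hunks.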
22 changes: 10 additions & 12 deletions std/algebra/emulated/fields_bw6761/e3.go
Expand Up @@ -150,8 +150,8 @@ func (e Ext3) MulBy01(z *E3, c0, c1 *baseEl) *E3 {

tmp := e.fp.Add(&z.A1, &z.A2)
t0 := e.fp.Mul(c1, tmp)
t0 = e.fp.Sub(t0, b)
t0 = mulFpByNonResidue(e.fp, t0)
t0 = e.fp.Sub(b, t0)
t0 = e.fp.MulConst(t0, big.NewInt(4))
t0 = e.fp.Add(t0, a)

tmp = e.fp.Add(&z.A0, &z.A2)
Expand All @@ -176,12 +176,10 @@ func (e Ext3) MulBy01(z *E3, c0, c1 *baseEl) *E3 {
func (e Ext3) MulBy1(z *E3, c1 *baseEl) *E3 {

b := e.fp.Mul(&z.A1, c1)

tmp := e.fp.Add(&z.A1, &z.A2)
t0 := e.fp.Mul(c1, tmp)
t0 = e.fp.Sub(t0, b)
t0 = mulFpByNonResidue(e.fp, t0)

t0 = e.fp.Sub(b, t0)
t0 = e.fp.MulConst(t0, big.NewInt(4))
tmp = e.fp.Add(&z.A0, &z.A1)
t1 := e.fp.Mul(c1, tmp)
t1 = e.fp.Sub(t1, b)
Expand All @@ -201,8 +199,8 @@ func (e Ext3) MulBy12(x *E3, b1, b2 *baseEl) *E3 {
tmp := e.fp.Add(b1, b2)
c0 = e.fp.Mul(c0, tmp)
c0 = e.fp.Sub(c0, t1)
c0 = e.fp.Sub(c0, t2)
c0 = mulFpByNonResidue(e.fp, c0)
c0 = e.fp.Sub(t2, c0)
c0 = e.fp.MulConst(c0, big.NewInt(4))
c1 := e.fp.Add(&x.A0, &x.A1)
c1 = e.fp.Mul(c1, b1)
c1 = e.fp.Sub(c1, t1)
Expand Down Expand Up @@ -238,8 +236,8 @@ func (e Ext3) Mul01By01(c0, c1, d0, d1 *baseEl) *E3 {
a := e.fp.Mul(d0, c0)
b := e.fp.Mul(d1, c1)
t0 := e.fp.Mul(c1, d1)
t0 = e.fp.Sub(t0, b)
t0 = mulFpByNonResidue(e.fp, t0)
t0 = e.fp.Sub(b, t0)
t0 = e.fp.MulConst(t0, big.NewInt(4))
t0 = e.fp.Add(t0, a)
t2 := e.fp.Mul(c0, d0)
t2 = e.fp.Sub(t2, a)
Expand All @@ -266,8 +264,8 @@ func (e Ext3) Mul(x, y *E3) *E3 {
tmp := e.fp.Add(&y.A1, &y.A2)
c0 = e.fp.Mul(c0, tmp)
c0 = e.fp.Sub(c0, t1)
c0 = e.fp.Sub(c0, t2)
c0 = mulFpByNonResidue(e.fp, c0)
c0 = e.fp.Sub(t2, c0)
c0 = e.fp.MulConst(c0, big.NewInt(4))

tmp = e.fp.Add(&x.A0, &x.A2)
c2 := e.fp.Add(&y.A0, &y.A2)
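Review bot: The rewrite of `nr·(t0 − b)` as `4·(b − t0)` in `MulBy01` (and the same edit in the `MulBy1`, `MulBy12`, `Mul01By01` and `Mul` hunks) hardcodes the fact that the BW6-761 Fp3 non-residue is −4, but nothing at the call sites says so, and `mulFpByNonResidue` still exists for other callers, so a reader now meets two spellings of one operation. Suggest a one-line comment at the first occurrence, `// nr = -4, so nr*(t0-b) == 4*(b-t0): swapping the Sub operands saves an emulated negation`, and hoisting the repeated `big.NewInt(4)` into a package-level `var four = big.NewInt(4)` so it is not allocated on every call. The same pattern recurs in e6.go. Each enclosing method starts outside its hunk.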
16 changes: 8 additions & 8 deletions std/algebra/emulated/fields_bw6761/e6.go
Expand Up @@ -119,8 +119,8 @@ func (e Ext6) CyclotomicSquareKarabina12345(x *E6) *E6 {
t := e.fp.Add(&x.B1.A0, &x.B1.A2)
h4 = e.fp.Mul(h4, t)
h4 = e.fp.Sub(h4, g1g5)
t = mulFpByNonResidue(e.fp, g3g2)
h4 = e.fp.Sub(h4, t)
t = e.fp.MulConst(g3g2, big.NewInt(4))
h4 = e.fp.Add(h4, t)
h4 = e.fp.MulConst(h4, big.NewInt(3))
h4 = e.fp.Sub(h4, &x.B1.A1)

Expand Down Expand Up @@ -182,8 +182,8 @@ func (e Ext6) DecompressKarabina12345(x *E6) *E6 {
h0 := e.fp.Mul(&x.B1.A1, &x.B1.A1)
h0 = e.fp.MulConst(h0, big.NewInt(2))
h0 = e.fp.Add(h0, t1)
h0 = e.fp.Sub(h0, t0)
h0 = mulFpByNonResidue(e.fp, h0)
h0 = e.fp.Sub(t0, h0)
h0 = e.fp.MulConst(h0, big.NewInt(4))
h0 = e.fp.Add(h0, e.fp.One())

return &E6{
Expand Down Expand Up @@ -217,7 +217,7 @@ func (e Ext6) CyclotomicSquareKarabina2345(x *E6) *E6 {
// t3 = g1² + g5²
t[3] = e.fp.Add(t[0], t[1])
// t5 = 2 * g1 * g5
t[5] = e.fp.Sub(t[2], t[3])
t[5] = e.fp.Sub(t[3], t[2])

// t6 = g3 + g2
t[6] = e.fp.Add(&x.B1.A0, &x.B0.A2)
Expand All @@ -227,7 +227,7 @@ func (e Ext6) CyclotomicSquareKarabina2345(x *E6) *E6 {
t[2] = e.fp.Mul(&x.B1.A0, &x.B1.A0)

// t6 = 2 * nr * g1 * g5
t[6] = mulFpByNonResidue(e.fp, t[5])
t[6] = e.fp.MulConst(t[5], big.NewInt(4))
// t5 = 4 * nr * g1 * g5 + 2 * g3
t[5] = e.fp.Add(t[6], &x.B1.A0)
t[5] = e.fp.MulConst(t[5], big.NewInt(2))
Expand Down Expand Up @@ -383,8 +383,8 @@ func (e Ext6) CyclotomicSquare(x *E6) *E6 {
t[8] = e.fp.Add(&x.B1.A2, &x.B0.A1)
t[8] = e.fp.Mul(t[8], t[8])
t[8] = e.fp.Sub(t[8], t[4])
t[8] = e.fp.Sub(t[8], t[5])
t[8] = mulFpByNonResidue(e.fp, t[8]) // 2*x5*x1*u
t[8] = e.fp.Sub(t[5], t[8])
t[8] = e.fp.MulConst(t[8], big.NewInt(4)) // 2*x5*x1*u

t[0] = mulFpByNonResidue(e.fp, t[0])
t[0] = e.fp.Add(t[0], t[1]) // x4²*u + x0²
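Review bot: In `CyclotomicSquareKarabina2345` the comment `// t5 = 2 * g1 * g5` above `t[5] = e.fp.Sub(t[3], t[2])` is now stale: with the operands swapped t5 is `g1² + g5² − (g1+g5)²`, i.e. −2·g1·g5, and that sign is exactly what lets the following hunk replace `mulFpByNonResidue` with `MulConst(..., 4)`. Suggest `// t5 = -2 * g1 * g5 (negated so that nr*t5 below is a plain MulConst by 4)`; the later `// t6 = 2 * nr * g1 * g5` comment is still correct. In `CyclotomicSquare`, `t[0] = mulFpByNonResidue(e.fp, t[0])` sits three lines under the rewritten `t[8]`, so both spellings of the non-residue multiplication coexist in one function and deserve either a comment or a uniform form. All enclosing methods start and end outside their hunks.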
64 changes: 25 additions & 39 deletions std/algebra/emulated/fields_bw6761/e6_pairing.go
Expand Up @@ -6,17 +6,11 @@ import (
"github.com/consensys/gnark/std/math/emulated"
)

func (e Ext6) nSquareKarabina2345(z *E6, n int) *E6 {
for i := 0; i < n; i++ {
z = e.CyclotomicSquareKarabina2345(z)
}
return z
}

func (e Ext6) nSquareKarabina12345(z *E6, n int) *E6 {
for i := 0; i < n; i++ {
z = e.CyclotomicSquareKarabina12345(z)
}
z = e.DecompressKarabina12345(z)
return z
}

Expand All @@ -26,19 +20,15 @@ func (e Ext6) ExpX0Minus1(z *E6) *E6 {
z = e.Reduce(z)
result := e.Copy(z)
result = e.nSquareKarabina12345(result, 5)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z)
z33 := e.Copy(result)
result = e.nSquareKarabina12345(result, 7)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z33)
result = e.nSquareKarabina12345(result, 4)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z)
result = e.CyclotomicSquare(result)
result = e.Mul(result, z)
result = e.nSquareKarabina2345(result, 46)
result = e.DecompressKarabina2345(result)
result = e.nSquareKarabina12345(result, 46)

return result
}
Expand All @@ -49,28 +39,22 @@ func (e Ext6) ExpX0Minus1Square(z *E6) *E6 {
z = e.Reduce(z)
result := e.Copy(z)
result = e.nSquareKarabina12345(result, 3)
result = e.DecompressKarabina12345(result)
t0 := e.CyclotomicSquare(result)
t2 := e.Mul(z, t0)
result = e.Mul(result, t2)
t0 = e.Mul(z, result)
t1 := e.CyclotomicSquare(t0)
t1 = e.Mul(t2, t1)
t3 := e.nSquareKarabina12345(t1, 7)
t3 = e.DecompressKarabina12345(t3)
t2 = e.Mul(t2, t3)
t2 = e.nSquareKarabina12345(t2, 11)
t2 = e.DecompressKarabina12345(t2)
t1 = e.Mul(t1, t2)
t0 = e.Mul(t0, t1)
t0 = e.nSquareKarabina12345(t0, 7)
t0 = e.DecompressKarabina12345(t0)
result = e.Mul(result, t0)
result = e.nSquareKarabina12345(result, 3)
result = e.DecompressKarabina12345(result)
result = e.Mul(z, result)
result = e.nSquareKarabina2345(result, 92)
result = e.DecompressKarabina2345(result)
result = e.nSquareKarabina12345(result, 92)

return result

Expand All @@ -83,19 +67,15 @@ func (e Ext6) ExpX0Plus1(z *E6) *E6 {
result := e.Copy(z)
t := e.CyclotomicSquare(result)
result = e.nSquareKarabina12345(t, 4)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z)
z33 := e.Copy(result)
result = e.nSquareKarabina12345(result, 7)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z33)
result = e.nSquareKarabina12345(result, 4)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z)
result = e.CyclotomicSquare(result)
result = e.Mul(result, z)
result = e.nSquareKarabina2345(result, 46)
result = e.DecompressKarabina2345(result)
result = e.nSquareKarabina12345(result, 46)
result = e.Mul(result, t)

return result
Expand All @@ -112,13 +92,10 @@ func (e Ext6) ExptMinus1Div3(z *E6) *E6 {
result = e.CyclotomicSquare(result)
result = e.Mul(result, z)
t0 := e.nSquareKarabina12345(result, 7)
t0 = e.DecompressKarabina2345(t0)
result = e.Mul(result, t0)
result = e.nSquareKarabina12345(result, 5)
result = e.DecompressKarabina12345(result)
result = e.Mul(result, z)
result = e.nSquareKarabina2345(result, 46)
result = e.DecompressKarabina2345(result)
result = e.nSquareKarabina12345(result, 46)

return result
}
Expand Down Expand Up @@ -146,7 +123,6 @@ func (e Ext6) ExpC2(z *E6) *E6 {
result := e.CyclotomicSquare(z)
result = e.Mul(result, z)
t0 := e.nSquareKarabina12345(result, 4)
t0 = e.DecompressKarabina12345(t0)
result = e.Mul(result, t0)
result = e.CyclotomicSquare(result)
result = e.Mul(result, z)
Expand All @@ -167,18 +143,23 @@ func (e *Ext6) MulBy014(z *E6, c0, c1 *baseEl) *E6 {

var b E3
// Mul by E3{0, 1, 0}
b.A0 = *mulFpByNonResidue(e.fp, &z.B1.A2)
b.A2 = z.B1.A1
b.A1 = z.B1.A0
b.A0 = *e.fp.MulConst(&z.B1.A2, big.NewInt(4))
b.A2 = *e.fp.Neg(&z.B1.A1)
b.A1 = *e.fp.Neg(&z.B1.A0)

one := e.fp.One()
d := e.fp.Add(c1, one)

zC1 := e.Ext3.Add(&z.B1, &z.B0)
zC1 = e.Ext3.MulBy01(zC1, c0, d)
zC1 = e.Ext3.Sub(zC1, a)
zC1 = e.Ext3.Sub(zC1, &b)
zC0 := e.Ext3.MulByNonResidue(&b)
zC1 = e.Ext3.Add(zC1, &b)
zC0 := &E3{
A0: *e.fp.MulConst(&b.A2, big.NewInt(4)),
A1: *e.fp.Neg(&b.A0),
A2: *e.fp.Neg(&b.A1),
}

zC0 = e.Ext3.Add(zC0, a)

return &E6{
Expand Down Expand Up @@ -250,13 +231,18 @@ func (e *Ext6) Mul01245By014(x [5]*baseEl, d0, d1 *baseEl) *E6 {
a := e.Ext3.MulBy01(b, d0, e.fp.Add(d1, e.fp.One()))
b = e.Ext3.MulBy01(c0, d0, d1)
c := &E3{
A0: *mulFpByNonResidue(e.fp, x[4]),
A1: *zero,
A2: *x[3],
A0: *e.fp.MulConst(x[4], big.NewInt(4)),
A1: *e.fp.Neg(zero),
A2: *e.fp.Neg(x[3]),
}
z1 := e.Ext3.Sub(a, b)
z1 = e.Ext3.Sub(z1, c)
z0 := e.Ext3.MulByNonResidue(c)
z1 = e.Ext3.Add(z1, c)
z0 := &E3{
A0: *e.fp.MulConst(&c.A2, big.NewInt(4)),
A1: *e.fp.Neg(&c.A0),
A2: *e.fp.Neg(&c.A1),
}

z0 = e.Ext3.Add(z0, b)
return &E6{
B0: *z0,
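Review bot: In `MulBy014` the comment `// Mul by E3{0, 1, 0}` no longer describes `b`: the two new `Neg` calls and the `Add` that replaced `Sub(zC1, &b)` mean `b` holds the negated product, and `zC0` is then built inline as the non-residue multiple of that negated value, a construction repeated for `c`/`z0` in `Mul01245By014`. Suggest `// b = -(z.B1 * E3{0, 1, 0}); the sign is folded in so the later Sub becomes an Add and MulByNonResidue(-b) is {4*b.A2, -b.A0, -b.A1}` and a small private helper for the repeated `&E3{4*A2, -A0, -A1}` literal. In `Mul01245By014`, `A1: *e.fp.Neg(zero)` negates a constant zero; unless the emulated field short-circuits that case, `*zero` is equivalent and saves an operation. Both methods start and end outside their hunks.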