Merge branch 'dev'

api.md

@@ -61,6 +61,7 @@ r = |G1| = |G2| = |GT|
 curveType   | b| r and p |
 ------------|--|------------------|
 BN254       | 2|r = 0x2523648240000001ba344d8000000007ff9f800000000010a10000000000000d <br> p = 0x2523648240000001ba344d80000000086121000000000013a700000000000013 |
+BN_SNARK1|3|r = 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47 <br> p = 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47|
 BLS12-381   | 4|r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 <br> p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab |
 BN381       | 2|r = 0x240026400f3d82b2e42de125b00158405b710818ac000007e0042f008e3e00000000001080046200000000000000000d <br> p = 0x240026400f3d82b2e42de125b00158405b710818ac00000840046200950400000000001380052e000000000000000013 |
 

ffi/cs/mcl/mcl.cs

@@ -28,7 +28,7 @@ public class MCL {
         [DllImport(dllName)] public static extern int mclBnFr_isOne(in Fr x);
         [DllImport(dllName)] public static extern void mclBnFr_setByCSPRNG(ref Fr x);
 
-        [DllImport(dllName)] public static extern int mclBnFr_setHashOf(ref Fr x, [In]byte[] buf, long bufSize);
+        [DllImport(dllName)] public static extern int mclBnFr_setHashOf(ref Fr x, [In] byte[] buf, long bufSize);
         [DllImport(dllName)] public static extern int mclBnFr_getStr([Out] StringBuilder buf, long maxBufSize, in Fr x, int ioMode);
 
         [DllImport(dllName)] public static extern void mclBnFr_neg(ref Fr y, in Fr x);
@@ -48,7 +48,7 @@ public class MCL {
         [DllImport(dllName)] public static extern int mclBnFp_isOne(in Fp x);
         [DllImport(dllName)] public static extern void mclBnFp_setByCSPRNG(ref Fp x);
 
-        [DllImport(dllName)] public static extern int mclBnFp_setHashOf(ref Fp x, [In]byte[] buf, long bufSize);
+        [DllImport(dllName)] public static extern int mclBnFp_setHashOf(ref Fp x, [In] byte[] buf, long bufSize);
         [DllImport(dllName)] public static extern int mclBnFp_getStr([Out] StringBuilder buf, long maxBufSize, in Fp x, int ioMode);
 
         [DllImport(dllName)] public static extern void mclBnFp_neg(ref Fp y, in Fp x);
@@ -64,7 +64,7 @@ public class MCL {
         [DllImport(dllName)] public static extern int mclBnG1_isValid(in G1 x);
         [DllImport(dllName)] public static extern int mclBnG1_isEqual(in G1 x, in G1 y);
         [DllImport(dllName)] public static extern int mclBnG1_isZero(in G1 x);
-        [DllImport(dllName)] public static extern int mclBnG1_hashAndMapTo(ref G1 x, [In]byte[] buf, long bufSize);
+        [DllImport(dllName)] public static extern int mclBnG1_hashAndMapTo(ref G1 x, [In] byte[] buf, long bufSize);
         [DllImport(dllName)] public static extern long mclBnG1_getStr([Out] StringBuilder buf, long maxBufSize, in G1 x, int ioMode);
         [DllImport(dllName)] public static extern void mclBnG1_neg(ref G1 y, in G1 x);
         [DllImport(dllName)] public static extern void mclBnG1_dbl(ref G1 y, in G1 x);
@@ -79,7 +79,7 @@ public class MCL {
         [DllImport(dllName)] public static extern int mclBnG2_isValid(in G2 x);
         [DllImport(dllName)] public static extern int mclBnG2_isEqual(in G2 x, in G2 y);
         [DllImport(dllName)] public static extern int mclBnG2_isZero(in G2 x);
-        [DllImport(dllName)] public static extern int mclBnG2_hashAndMapTo(ref G2 x, [In]byte[] buf, long bufSize);
+        [DllImport(dllName)] public static extern int mclBnG2_hashAndMapTo(ref G2 x, [In] byte[] buf, long bufSize);
         [DllImport(dllName)] public static extern long mclBnG2_getStr([Out] StringBuilder buf, long maxBufSize, in G2 x, int ioMode);
         [DllImport(dllName)] public static extern void mclBnG2_neg(ref G2 y, in G2 x);
         [DllImport(dllName)] public static extern void mclBnG2_dbl(ref G2 y, in G2 x);
@@ -116,10 +116,12 @@ public class MCL {
         [DllImport(dllName)] public static extern ulong mclBnFr_serialize([Out] byte[] buf, ulong maxBufSize, in Fr x);
         [DllImport(dllName)] public static extern ulong mclBnG1_serialize([Out] byte[] buf, ulong maxBufSize, in G1 x);
         [DllImport(dllName)] public static extern ulong mclBnG2_serialize([Out] byte[] buf, ulong maxBufSize, in G2 x);
+        [DllImport(dllName)] public static extern ulong mclBnGT_serialize([Out] byte[] buf, ulong maxBufSize, in GT x);
         [DllImport(dllName)] public static extern ulong mclBnFr_deserialize(ref Fr x, [In] byte[] buf, ulong bufSize);
         [DllImport(dllName)] public static extern ulong mclBnFp_deserialize(ref Fp x, [In] byte[] buf, ulong bufSize);
         [DllImport(dllName)] public static extern ulong mclBnG1_deserialize(ref G1 x, [In] byte[] buf, ulong bufSize);
         [DllImport(dllName)] public static extern ulong mclBnG2_deserialize(ref G2 x, [In] byte[] buf, ulong bufSize);
+        [DllImport(dllName)] public static extern ulong mclBnGT_deserialize(ref GT x, [In] byte[] buf, ulong bufSize);
 
         [DllImport(dllName)] public static extern int mclBn_FrEvaluatePolynomial(ref Fr z, [In] Fr[] cVec, ulong cSize, in Fr x);
         [DllImport(dllName)] public static extern int mclBn_G1EvaluatePolynomial(ref G1 z, [In] G1[] cVec, ulong cSize, in Fr x);
@@ -948,6 +950,22 @@ public string GetStr(int ioMode)
                 }
                 return sb.ToString();
             }
+            public byte[] Serialize()
+            {
+                byte[] buf = new byte[mclBn_getFpByteSize() * 12];
+                ulong n = mclBnGT_serialize(buf, (ulong)buf.Length, this);
+                if (n != (ulong)buf.Length) {
+                    throw new ArithmeticException("mclBnGT_serialize");
+                }
+                return buf;
+            }
+            public void Deserialize(byte[] buf)
+            {
+                ulong n = mclBnGT_deserialize(ref this, buf, (ulong)buf.Length);
+                if (n == 0) {
+                    throw new ArithmeticException("mclBnGT_deserialize");
+                }
+            }
             public void Neg(in GT x)
             {
                 MCL.Neg(ref this, x);

ffi/cs/mcl/mcl.csproj

@@ -1,7 +1,8 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netstandard2.1</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
+    <PlatformTarget>x64</PlatformTarget>
   </PropertyGroup>
 
   <ItemGroup>

ffi/cs/test/test.cs

@@ -77,7 +77,7 @@ static void TestFr()
             Console.WriteLine("exception test");
             try {
                 x.SetStr("1234567891234x", 10);
-                Console.WriteLine("x = {0}", x);
+                Console.WriteLine("ERR ; not here");
             } catch (Exception e) {
                 Console.WriteLine("OK ; expected exception: {0}", e);
             }
@@ -123,7 +123,7 @@ static void TestFp()
             Console.WriteLine("exception test");
             try {
                 x.SetStr("1234567891234x", 10);
-                Console.WriteLine("x = {0}", x);
+                Console.WriteLine("ERR ; not here");
             } catch (Exception e) {
                 Console.WriteLine("OK ; expected exception: {0}", e);
             }
@@ -258,6 +258,12 @@ static void TestPairing()
             e2.Pairing(P, bQ);
             e3.Pow(e1, b);
             assert("e2.Equals(e3)", e2.Equals(e3));
+            {
+                byte[] buf = e1.Serialize();
+                e2.Clear();
+                e2.Deserialize(buf);
+                assert("e1 == e2", e1.Equals(e2));
+            }
         }
         static void TestETH_mapToG1()
         {

ffi/cs/test/test.csproj

@@ -12,7 +12,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">

include/mcl/ec.hpp

@@ -226,6 +226,29 @@ void normalizeVecT(Eout& Q, Ein& P, size_t n, size_t N = 256)
 
 } // mcl::ec::local
 
+// [X:Y:Z] as Proj = (X/Z, Y/Z) as Affine = [XZ:YZ^2:Z] as Jacobi
+template<class E>
+void ProjToJacobi(E& Q, const E& P)
+{
+	typedef typename E::Fp F;
+	F::mul(Q.x, P.x, P.z);
+	F::mul(Q.y, P.y, P.z);
+	Q.y *= P.z;
+	Q.z = P.z;
+}
+
+// [X:Y:Z] as Jacobi = (X/Z^2, Y/Z^3) as Affine = [XZ:Y:Z^3] as Proj
+template<class E>
+void JacobiToProj(E& Q, const E& P)
+{
+	typedef typename E::Fp F;
+	F::mul(Q.x, P.x, P.z);
+	Q.y = P.y;
+	F t;
+	F::sqr(t, P.z);
+	F::mul(Q.z, P.z, t);
+}
+
 template<class E>
 void normalizeJacobi(E& P)
 {
@@ -485,14 +508,20 @@ void addJacobi(E& R, const E& P, const E& Q)
 	(x, y, z) is zero <=> x = 0, y = 1, z = 0
 */
 template<class E>
+void clearCTProj(E& P)
+{
+	P.x.clear();
+	P.y = 1;
+	P.z.clear();
+}
+
+// 14M
+template<class E>
 void addCTProj(E& R, const E& P, const E& Q)
 {
 	typedef typename E::Fp F;
 	assert(E::a_ == 0);
-	F b3;
-	F::add(b3, E::b_, E::b_);
-	b3 += E::b_;
-	F t0, t1, t2, t3, t4, x3, y3, z3;
+	F t0, t1, t2, t3, t4, x3, y3;
 	F::mul(t0, P.x, Q.x);
 	F::mul(t1, P.y, Q.y);
 	F::mul(t2, P.z, Q.z);
@@ -513,19 +542,45 @@ void addCTProj(E& R, const E& P, const E& Q)
 	F::sub(y3, x3, y3);
 	F::add(x3, t0, t0);
 	F::add(t0, t0, x3);
-	t2 *= b3;
-	F::add(z3, t1, t2);
+	F::mul(t2, t2, E::b3_);
+	F::add(R.z, t1, t2);
 	F::sub(t1, t1, t2);
-	y3 *= b3;
+	F::mul(y3, y3, E::b3_);
 	F::mul(x3, y3, t4);
 	F::mul(t2, t3, t1);
 	F::sub(R.x, t2, x3);
 	F::mul(y3, y3, t0);
-	F::mul(t1, t1, z3);
+	F::mul(t1, t1, R.z);
 	F::add(R.y, y3, t1);
 	F::mul(t0, t0, t3);
-	F::mul(z3, z3, t4);
-	F::add(R.z, z3, t0);
+	F::mul(R.z, R.z, t4);
+	F::add(R.z, R.z, t0);
+}
+// 7M+2S
+template<class E>
+void dblCTProj(E& R, const E& P)
+{
+	typedef typename E::Fp F;
+	assert(E::a_ == 0);
+	F t0, t1, t2, x3, y3;
+	F::sqr(t0, P.y);
+	F::mul(t1, P.y, P.z);
+	F::sqr(t2, P.z);
+	F::add(R.z, t0, t0);
+	F::add(R.z, R.z, R.z);
+	F::add(R.z, R.z, R.z);
+	F::mul(t2, t2, E::b3_);
+	F::mul(x3, t2, P.z);
+	F::add(y3, t0, t2);
+	F::mul(R.z, R.z, t1);
+	F::add(t1, t2, t2);
+	F::add(t2, t2, t1);
+	F::mul(t1, P.x, P.y);
+	F::sub(t0, t0, t2);
+	F::mul(R.y, y3, t0);
+	F::add(R.y, R.y, x3);
+	F::mul(R.x, t0, t1);
+	F::add(R.x, R.x, R.x);
 }
 
 template<class E>
@@ -1214,6 +1269,7 @@ class EcT : public fp::Serializable<EcT<_Fp> > {
 	static int mode_;
 	static Fp a_;
 	static Fp b_;
+	static Fp b3_;
 	static int specialA_;
 	static int ioMode_;
 	/*
@@ -1271,6 +1327,7 @@ class EcT : public fp::Serializable<EcT<_Fp> > {
 	{
 		a_ = a;
 		b_ = b;
+		b3_ = b * 3;
 		if (a_.isZero()) {
 			specialA_ = ec::Zero;
 		} else if (a_ == -3) {
@@ -2077,6 +2134,7 @@ class EcT : public fp::Serializable<EcT<_Fp> > {
 
 template<class Fp> Fp EcT<Fp>::a_;
 template<class Fp> Fp EcT<Fp>::b_;
+template<class Fp> Fp EcT<Fp>::b3_;
 template<class Fp> int EcT<Fp>::specialA_;
 template<class Fp> int EcT<Fp>::ioMode_;
 template<class Fp> bool EcT<Fp>::verifyOrder_;

include/mcl/vint.hpp

@@ -22,17 +22,6 @@
 
 namespace mcl {
 
-// return the max size in x[0..n)
-inline int getRealSize(const Unit *x, int n)
-{
-	assert(n > 0);
-	while (n > 0) {
-		if (x[n - 1]) return n;
-		n--;
-	}
-	return 1;
-}
-
 /**
 	signed integer with variable length
 */

sample/mt_test.cpp

@@ -14,34 +14,37 @@ int main(int argc, char *argv[])
 {
 	cybozu::Option opt;
 	size_t n;
+	int bit;
 	size_t cpuN;
+	bool g1only;
+	int C;
 	opt.appendOpt(&n, 100, "n");
 	opt.appendOpt(&cpuN, 0, "cpu");
+	opt.appendOpt(&C, 50, "c");
+	opt.appendOpt(&bit, 0, "b");
+	opt.appendBoolOpt(&g1only, "g1");
 	opt.appendHelp("h");
 	if (!opt.parse(argc, argv)) {
 		opt.usage();
 		return 1;
 	}
-	printf("n=%zd cpuN=%zd\n", n, cpuN);
-	int C = 10;
-	if (n >= 1000) {
-		C = 1;
-	}
+	if (bit) n = 1u << bit;
+	printf("n=%zd cpuN=%zd C=%d\n", n, cpuN, C);
 
 	initPairing(mcl::BLS12_381);
 	cybozu::XorShift rg;
 	std::vector<G1> Pvec(n);
 	std::vector<G2> Qvec(n);
 	std::vector<Fr> xVec(n);
-	char c = '0';
-	for (size_t i = 0; i < n; i++) {
-		hashAndMapToG1(Pvec[i], &c, 1);
-		hashAndMapToG2(Qvec[i], &c, 1);
-		xVec[i].setRand(rg);
-		c++;
+	hashAndMapToG1(Pvec[0], "abc", 3);
+	hashAndMapToG2(Qvec[0], "abc", 3);
+	for (size_t i = 1; i < n; i++) {
+		G1::add(Pvec[i], Pvec[i-1], Pvec[0]);
+		G2::add(Qvec[i], Qvec[i-1], Qvec[0]);
 	}
 	G1 P1, P2;
 	CYBOZU_BENCH_C("single", C, G1::mulVec, P1, Pvec.data(), xVec.data(), n);
+	if (g1only) return 0;
 	CYBOZU_BENCH_C("multi ", C, G1::mulVecMT, P2, Pvec.data(), xVec.data(), n, cpuN);
 	printf("G1 ret %s\n", P1 == P2 ? "ok" : "ng");
 	G2 Q1, Q2;

test/ec_test.cpp

@@ -626,6 +626,42 @@ struct Test {
 		mcl::ec::addCTProj(Q, Zero, Zero);
 		Ec::add(R, Zero, Zero);
 		CYBOZU_TEST_EQUAL(Q, R);
+		mcl::ec::addCTProj(Q, Q, Q);
+		Ec::add(R, R, R);
+		CYBOZU_TEST_EQUAL(Q, R);
+
+		// dbl
+		mcl::ec::dblCTProj(P, Q);
+		Ec::dbl(R, R);
+		CYBOZU_TEST_EQUAL(Q, R);
+		mcl::ec::dblCTProj(Q, Q);
+		Ec::dbl(R, R);
+		CYBOZU_TEST_EQUAL(Q, R);
+		mcl::ec::dblCTProj(Q, Zero);
+		CYBOZU_TEST_EQUAL(Q, Zero);
+	}
+	void ProjJacobi() const
+	{
+		if (Ec::getMode() == mcl::ec::Affine) return;
+		Fp x(para.gx);
+		Fp y(para.gy);
+		Ec P(x, y), Q, R;
+		P *= 123;
+		if (Ec::getMode() == mcl::ec::Proj) {
+			mcl::ec::ProjToJacobi(Q, P);
+			mcl::ec::normalizeJacobi(Q);
+			CYBOZU_TEST_EQUAL(Q, P);
+			mcl::ec::ProjToJacobi(Q, P);
+			mcl::ec::JacobiToProj(R, Q);
+			CYBOZU_TEST_EQUAL(R, P);
+		} else {
+			mcl::ec::JacobiToProj(Q, P);
+			mcl::ec::normalizeProj(Q);
+			CYBOZU_TEST_EQUAL(Q, P);
+			mcl::ec::JacobiToProj(Q, P);
+			mcl::ec::ProjToJacobi(R, Q);
+			CYBOZU_TEST_EQUAL(R, P);
+		}
 	}
 
 	template<class F>
@@ -672,6 +708,7 @@ mul 499.00usec
 		mulCT();
 		compare();
 		addCT();
+		ProjJacobi();
 	}
 private:
 	Test(const Test&);

test/mont.hpp

@@ -33,12 +33,11 @@ class Montgomery {
 		mR = 1;
 		mR = (mR << (N * sizeof(Unit) * 8)) % mp;
 		mR2 = (mR * mR) % mp;
-		v_.resize(N * 2);
-		Unit *base = &v_[N];
+		v_.resize(N + 1);
+		Unit *base = &v_[1];
 		mcl::gmp::getArray(base, N, _p);
-		rp = mcl::bint::getMontgomeryCoeff(v_[0]);
+		base[-1] = rp = mcl::bint::getMontgomeryCoeff(base[0]);
 		p = base;
-		rp = base[-1];
 		isFullBit = p[N - 1] >> (sizeof(Unit) * 8 - 1);
 	}