Merge pull request #95 from ConsenSys/perf/bn-g2-membership

perf(bn): faster G2 membership test
Consensys · Oct 28, 2021 · f618194 · f618194
2 parents 9e9e1e9 + dce0063
commit f618194
Show file tree

Hide file tree

Showing 14 changed files with 32 additions and 37 deletions.
diff --git a/ecc/bls12-377/g1.go b/ecc/bls12-377/g1.go
diff --git a/ecc/bls12-377/g2.go b/ecc/bls12-377/g2.go
diff --git a/ecc/bls12-381/g1.go b/ecc/bls12-381/g1.go
diff --git a/ecc/bls12-381/g2.go b/ecc/bls12-381/g2.go
diff --git a/ecc/bls24-315/g1.go b/ecc/bls24-315/g1.go
diff --git a/ecc/bls24-315/g2.go b/ecc/bls24-315/g2.go
diff --git a/ecc/bn254/bn254.go b/ecc/bn254/bn254.go
@@ -66,6 +66,9 @@ var endo struct {
 // generator of the curve
 var xGen big.Int
 
+// fixefCoeff t-1 = 6*xGen^2
+var fixedCoeff big.Int
+
 func init() {
 
 	bCurveCoeff.SetUint64(3)
@@ -109,6 +112,8 @@ func init() {
 
 	xGen.SetString("4965661367192848881", 10)
 
+	fixedCoeff.SetString("147946756881789318990833708069417712966", 10)
+
 }
 
 // Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)

diff --git a/ecc/bn254/g1.go b/ecc/bn254/g1.go
diff --git a/ecc/bn254/g2.go b/ecc/bn254/g2.go
diff --git a/ecc/bw6-633/g1.go b/ecc/bw6-633/g1.go
diff --git a/ecc/bw6-633/g2.go b/ecc/bw6-633/g2.go
diff --git a/ecc/bw6-761/g1.go b/ecc/bw6-761/g1.go
diff --git a/ecc/bw6-761/g2.go b/ecc/bw6-761/g2.go
diff --git a/internal/generator/ecc/template/point.go.tmpl b/internal/generator/ecc/template/point.go.tmpl
@@ -147,7 +147,7 @@ func (p *{{ $TAffine }}) IsOnCurve() bool {
 func (p *{{ $TAffine }}) IsInSubGroup() bool {
 	var _p {{ $TJacobian }}
 	_p.FromAffine(p)
-	return _p.IsOnCurve() && _p.IsInSubGroup()
+	return _p.IsInSubGroup()
 }
 
 
@@ -402,20 +402,15 @@ func (p *{{ $TJacobian }}) IsOnCurve() bool {
 		}
 	{{else if eq .PointName "g2"}}
 		// IsInSubGroup returns true if p is on the r-torsion, false otherwise.
-		// Z[r,0]+Z[-lambda{{ $TAffine }}, 1] is the kernel
-		// of (u,v)->u+lambda{{ $TAffine }}v mod r. Expressing r, lambda{{ $TAffine }} as
-		// polynomials in x, a short vector of this Zmodule is
-		// (4x+2), (-12x**2+4*x). So we check that (4x+2)p+(-12x**2+4*x)phi(p)
-		// is the infinity.
+        // [r]P == 0 <==> Frob(P) == [6x^2]P
 		func (p *{{ $TJacobian }}) IsInSubGroup() bool {
+            var a, res G2Jac
+            a.X.Conjugate(&p.X).MulByNonResidue1Power2(&a.X)
+            a.Y.Conjugate(&p.Y).MulByNonResidue1Power3(&a.Y)
+            a.Z.Conjugate(&p.Z)
 
-			var res, xphip, phip {{ $TJacobian }}
-			phip.phi(p)
-			xphip.ScalarMultiplication(&phip, &xGen)           // x*phi(p)
-			res.Double(&xphip).AddAssign(&xphip)               // 3x*phi(p)
-			res.AddAssign(&phip).SubAssign(p)                  // 3x*phi(p)+phi(p)-p
-			res.Double(&res).ScalarMultiplication(&res, &xGen) // 6x**2*phi(p)+2x*phi(p)-2x*p
-			res.SubAssign(p).Double(&res)                      // 12x**2*phi(p)+4x*phi(p)-4x*p-2p
+            res.ScalarMultiplication(p, &fixedCoeff).
+                SubAssign(&a)
 
 			return res.IsOnCurve() && res.Z.IsZero()