Implement gfp6.

constants.go

@@ -9,16 +9,32 @@ func bigFromBase10(s string) *big.Int {
 	return n
 }
 
-// p is a prime over which we form a basic field: 36u⁴+36u³+24u³+6u+1.
+// p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.
 var p = bigFromBase10("65000549695646603732796438742359905742825358107623003571877145026864184071783")
 
 var p2 = [4]uint64{0x185cac6c5e089667, 0xee5b88d120b5b59e, 0xaa6fecb86184dc21, 0x8fb501e34aa387f9}
 var np = [4]uint64{0x2387f9007f17daa9, 0x734b3343ab8513c8, 0x2524282f48054c12, 0x38997ae661c3ef3c}
 
+var rN1 = &gfP{0xcbb781e36236117d, 0xcc65f3bcec8c91b, 0x2eab68888ea1f515, 0x1fc5c0956f92f825}
+
 // var r = &gfP{0xe7a35393a1f76999, 0x11a4772edf4a4a61, 0x559013479e7b23de, 0x704afe1cb55c7806}
 var r2 = &gfP{0x9c21c3ff7e444f56, 0x409ed151b2efb0c2, 0xc6dc37b80fb1651, 0x7c36e0e62c2380b7}
 var r3 = &gfP{0x2af2dfb9324a5bb8, 0x388f899054f538a4, 0xdf2ff66396b107a7, 0x24ebbbb3a2529292}
 
-// Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u³+6u+1.
+// Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
 // order-1 = (2**5) * 3 * 5743 * 280941149 * 130979359433191 * 491513138693455212421542731357 * 6518589491078791937
 var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")
+
+var xiToPMinus1Over3 = &gfP2{
+	gfP{0x4f59e37c01832e57, 0xae6be39ac2bbbfe4, 0xe04ea1bb697512f8, 0x3097caa8fc40e10e},
+	gfP{0xf8606916d3816f2c, 0x1e5c0d7926de927e, 0xbc45f3946d81185e, 0x80752a25aa738091},
+}
+
+var xiTo2PMinus2Over3 = &gfP2{
+	gfP{0x51678e7469b3c52a, 0x4fb98f8b13319fc9, 0x29b2254db3f1df75, 0x1c044935a3d22fb2},
+	gfP{0x4d2ea218872f3d2c, 0x2fcb27fc4abe7b69, 0xd31d972f0e88ced9, 0x53adc04a00a73b15},
+}
+
+var xiToPSquaredMinus1Over3 = &gfP{0x12d3cef5e1ada57d, 0xe2eca1463753babb, 0xca41e40ddccf750, 0x551337060397e04c}
+
+var xiTo2PSquaredMinus2Over3 = &gfP{0x3642364f386c1db8, 0xe825f92d2acd661f, 0xf2aba7e846c19d14, 0x5a0bcea3dc52b7a0}

gfp.go

@@ -30,7 +30,8 @@ func (e *gfP) Set(f *gfP) {
 func (e *gfP) Invert(f *gfP) {
 	bits := [4]uint64{0x185cac6c5e089665, 0xee5b88d120b5b59e, 0xaa6fecb86184dc21, 0x8fb501e34aa387f9}
 
-	sum, power := &gfP{1}, &gfP{}
+	sum, power := &gfP{}, &gfP{}
+	sum.Set(rN1)
 	power.Set(f)
 
 	for word := 0; word < 4; word++ {

gfp.h

@@ -10,7 +10,7 @@
 	MOVQ 16+r, a3 \
 	MOVQ 24+r, a4
 
-#define gfpReduce(a1,a2,a3,a4,a5, b1,b2,b3,b4,b5) \
+#define gfpCarry(a1,a2,a3,a4,a5, b1,b2,b3,b4,b5) \
 	\ // b = a-p
 	MOVQ a1, b1 \
 	MOVQ a2, b2 \
@@ -95,3 +95,54 @@
 	MULXQ 24+rb, AX, BX \
 	ADCQ AX, R14 \
 	ADCQ BX, R15
+
+#define gfpReduce() \
+	\ // m = (T * N') mod R, store m in R8:R9:R10:R11
+	MOVQ ·np+0(SB), DX \
+	MULXQ 0(SP), R8, R9 \
+	MULXQ 8(SP), AX, R10 \
+	ADDQ AX, R9 \
+	MULXQ 16(SP), AX, R11 \
+	ADCQ AX, R10 \
+	MULXQ 24(SP), AX, BX \
+	ADCQ AX, R11 \
+	\
+	MOVQ ·np+8(SB), DX \
+	MULXQ 0(SP), AX, BX \
+	ADDQ AX, R9 \
+	ADCQ BX, R10 \
+	MULXQ 16(SP), AX, BX \
+	ADCQ AX, R11 \
+	MULXQ 8(SP), AX, BX \
+	ADDQ AX, R10 \
+	ADCQ BX, R11 \
+	\
+	MOVQ ·np+16(SB), DX \
+	MULXQ 0(SP), AX, BX \
+	ADDQ AX, R10 \
+	ADCQ BX, R11 \
+	MULXQ 8(SP), AX, BX \
+	ADDQ AX, R11 \
+	\
+	MOVQ ·np+24(SB), DX \
+	MULXQ 0(SP), AX, BX \
+	ADDQ AX, R11 \
+	\
+	storeBlock(R8,R9,R10,R11, 64(SP)) \
+	\
+	\ // m * N
+	mulArb(·p2+0(SB),·p2+8(SB),·p2+16(SB),·p2+24(SB), 64(SP)) \
+	\
+	\ // Add the 512-bit intermediate to m*N
+	MOVQ $0, AX \
+	ADDQ 0(SP), R8 \
+	ADCQ 8(SP), R9 \
+	ADCQ 16(SP), R10 \
+	ADCQ 24(SP), R11 \
+	ADCQ 32(SP), R12 \
+	ADCQ 40(SP), R13 \
+	ADCQ 48(SP), R14 \
+	ADCQ 56(SP), R15 \
+	ADCQ $0, AX \
+	\
+	gfpCarry(R12,R13,R14,R15,AX, R8,R9,R10,R11,BX)

gfp.s

@@ -13,7 +13,7 @@ TEXT ·gfpNeg(SB),0,$0-16
 	SBBQ 24(DI), R11
 
 	MOVQ $0, AX
-	gfpReduce(R8,R9,R10,R11,AX, R12,R13,R14,R15,BX)
+	gfpCarry(R8,R9,R10,R11,AX, R12,R13,R14,R15,BX)
 
 	MOVQ c+0(FP), DI
 	storeBlock(R8,R9,R10,R11, 0(DI))
@@ -32,7 +32,7 @@ TEXT ·gfpAdd(SB),0,$0-24
 	ADCQ 24(SI), R11
 	ADCQ $0, R12
 
-	gfpReduce(R8,R9,R10,R11,R12, R13,R14,R15,AX,BX)
+	gfpCarry(R8,R9,R10,R11,R12, R13,R14,R15,AX,BX)
 
 	MOVQ c+0(FP), DI
 	storeBlock(R8,R9,R10,R11, 0(DI))
@@ -78,55 +78,7 @@ TEXT ·gfpMul(SB),0,$96-24
 	storeBlock( R8, R9,R10,R11,  0(SP))
 	storeBlock(R12,R13,R14,R15, 32(SP))
 
-	// m = (T * N') mod R, store m in R8:R9:R10:R11
-	MOVQ ·np+0(SB), DX
-	MULXQ 0(SP), R8, R9
-	MULXQ 8(SP), AX, R10
-	ADDQ AX, R9
-	MULXQ 16(SP), AX, R11
-	ADCQ AX, R10
-	MULXQ 24(SP), AX, BX
-	ADCQ AX, R11
-
-	MOVQ ·np+8(SB), DX
-	MULXQ 0(SP), AX, BX
-	ADDQ AX, R9
-	ADCQ BX, R10
-	MULXQ 16(SP), AX, BX
-	ADCQ AX, R11
-	MULXQ 8(SP), AX, BX
-	ADDQ AX, R10
-	ADCQ BX, R11
-
-	MOVQ ·np+16(SB), DX
-	MULXQ 0(SP), AX, BX
-	ADDQ AX, R10
-	ADCQ BX, R11
-	MULXQ 8(SP), AX, BX
-	ADDQ AX, R11
-
-	MOVQ ·np+24(SB), DX
-	MULXQ 0(SP), AX, BX
-	ADDQ AX, R11
-
-	storeBlock(R8,R9,R10,R11, 64(SP))
-
-	// m * N
-	mulArb(·p2+0(SB),·p2+8(SB),·p2+16(SB),·p2+24(SB), 64(SP))
-
-	// Add the 512-bit intermediate to m*N
-	MOVQ $0, AX
-	ADDQ 0(SP), R8
-	ADCQ 8(SP), R9
-	ADCQ 16(SP), R10
-	ADCQ 24(SP), R11
-	ADCQ 32(SP), R12
-	ADCQ 40(SP), R13
-	ADCQ 48(SP), R14
-	ADCQ 56(SP), R15
-	ADCQ $0, AX
-
-	gfpReduce(R12,R13,R14,R15,AX, R8,R9,R10,R11,BX)
+	gfpReduce()
 
 	MOVQ c+0(FP), DI
 	storeBlock(R12,R13,R14,R15, 0(DI))

gfp2.go

@@ -14,7 +14,6 @@ func gfP2Decode(in *gfP2) *gfP2 {
 	out := &gfP2{}
 	montDecode(&out.x, &in.x)
 	montDecode(&out.y, &in.y)
-
 	return out
 }
 
@@ -95,7 +94,24 @@ func (e *gfP2) Mul(a, b *gfP2) *gfP2 {
 func (e *gfP2) MulScalar(a *gfP2, b *gfP) *gfP2 {
 	gfpMul(&e.x, &a.x, b)
 	gfpMul(&e.y, &a.y, b)
+	return e
+}
+
+// MulXi sets e=ξa where ξ=i+3 and then returns e.
+func (e *gfP2) MulXi(a *gfP2) *gfP2 {
+	// (xi+y)(i+3) = (3x+y)i+(3y-x)
+	tx := &gfP{}
+	gfpAdd(tx, &a.x, &a.x)
+	gfpAdd(tx, tx, &a.x)
+	gfpAdd(tx, tx, &a.y)
 
+	ty := &gfP{}
+	gfpAdd(ty, &a.y, &a.y)
+	gfpAdd(ty, ty, &a.y)
+	gfpSub(ty, ty, &a.x)
+
+	e.x.Set(tx)
+	e.y.Set(ty)
 	return e
 }