1// Copyright 2020 ConsenSys AG
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package fptower
16
17import "github.com/consensys/gnark-crypto/ecc/bw6-761/fp"
18
19// Frobenius set z to Frobenius(x), return z
20func (z *E6) Frobenius(x *E6) *E6 {
21	// Adapted from https://eprint.iacr.org/2010/354.pdf (Section 3.2)
22
23	z.B0.Conjugate(&x.B0)
24	z.B1.Conjugate(&x.B1)
25	z.B2.Conjugate(&x.B2)
26
27	z.B1.MulByNonResidue1Power1(&z.B1)
28	z.B2.MulByNonResidue1Power2(&z.B2)
29
30	return z
31}
32
33// FrobeniusSquare set z to Frobenius^2(x), and return z
34func (z *E6) FrobeniusSquare(x *E6) *E6 {
35	// Adapted from https://eprint.iacr.org/2010/354.pdf (Section 3.2)
36
37	z.Set(x)
38
39	z.B1.MulByNonResidue2Power1(&z.B1)
40	z.B2.MulByNonResidue2Power2(&z.B2)
41
42	return z
43}
44
45// FrobeniusCube set z to Frobenius^3(x), return z
46func (z *E6) FrobeniusCube(x *E6) *E6 {
47
48	z.B0.Conjugate(&x.B0)
49	z.B1.Conjugate(&x.B1).Neg(&z.B1) // Frob^3 on Fp^3 acts as a conjugation
50	z.B2.Conjugate(&x.B2)
51
52	return z
53}
54
55// MulByNonResidue1Power1 set z=x*(0,1)^(1*(p^1-1)/3) and return z
56func (z *E2) MulByNonResidue1Power1(x *E2) *E2 {
57	// 4922464560225523242118178942575080391082002530232324381063048548642823052024664478336818169867474395270858391911405337707247735739826664939444490469542109391530482826728203582549674992333383150446779312029624171857054392282775649
58	b := fp.Element{
59		10159193990637832851,
60		5286779382647858051,
61		15149190582698529379,
62		10172307932521123666,
63		7672315572788794062,
64		4504265454330324035,
65		8586997380578354686,
66		5916374020980521403,
67		9559933215456904989,
68		10407926721244239843,
69		3712625600415690514,
70		17752318063289862,
71	}
72	z.A0.Mul(&x.A0, &b)
73	z.A1.Mul(&x.A1, &b)
74	return z
75}
76
77// MulByNonResidue1Power2 set z=x*(0,1)^(2*(p^1-1)/3) and return z
78func (z *E2) MulByNonResidue1Power2(x *E2) *E2 {
79	// 4922464560225523242118178942575080391082002530232324381063048548642823052024664478336818169867474395270858391911405337707247735739826664939444490469542109391530482826728203582549674992333383150446779312029624171857054392282775648
80	b := fp.Element{
81		9193734820520314185,
82		15390913228415833887,
83		5309822015742495676,
84		5431732283202763350,
85		17252325881282386417,
86		298854800984767943,
87		15252629665615712253,
88		11476276919959978448,
89		6617989123466214626,
90		293279592164056124,
91		3271178847573361778,
92		76563709148138387,
93	}
94	z.A0.Mul(&x.A0, &b)
95	z.A1.Mul(&x.A1, &b)
96	return z
97}
98
99// MulByNonResidue2Power1 set z=x*(0,1)^(1*(p^2-1)/3) and return z
100func (z *E2) MulByNonResidue2Power1(x *E2) *E2 {
101	// 4922464560225523242118178942575080391082002530232324381063048548642823052024664478336818169867474395270858391911405337707247735739826664939444490469542109391530482826728203582549674992333383150446779312029624171857054392282775648
102	b := fp.Element{
103		9193734820520314185,
104		15390913228415833887,
105		5309822015742495676,
106		5431732283202763350,
107		17252325881282386417,
108		298854800984767943,
109		15252629665615712253,
110		11476276919959978448,
111		6617989123466214626,
112		293279592164056124,
113		3271178847573361778,
114		76563709148138387,
115	}
116	z.A0.Mul(&x.A0, &b)
117	z.A1.Mul(&x.A1, &b)
118	return z
119}
120
121// MulByNonResidue2Power2 set z=x*(0,1)^(2*(p^2-1)/3) and return z
122func (z *E2) MulByNonResidue2Power2(x *E2) *E2 {
123	// 1968985824090209297278610739700577151397666382303825728450741611566800370218827257750865013421937292370006175842381275743914023380727582819905021229583192207421122272650305267822868639090213645505120388400344940985710520836292650
124	b := fp.Element{
125		7467050525960156664,
126		11327349735975181567,
127		4886471689715601876,
128		825788856423438757,
129		532349992164519008,
130		5190235139112556877,
131		10134108925459365126,
132		2188880696701890397,
133		14832254987849135908,
134		2933451070611009188,
135		11385631952165834796,
136		64130670718986244,
137	}
138	z.A0.Mul(&x.A0, &b)
139	z.A1.Mul(&x.A1, &b)
140	return z
141}
142
143// MulByNonResidue3Power1 set z=x*(0,1)^(1*(p^3-1)/3) and return z
144func (z *E2) MulByNonResidue3Power1(x *E2) *E2 {
145	// 6891450384315732539396789682275657542479668912536150109513790160209623422243491736087683183289411687640864567753786613451161759120554247759349511699125301598951605099378508850372543631423596795951899700429969112842764913119068298
146	b := fp.Element{
147		17481284903592032950,
148		10104133845767975835,
149		8607375506753517913,
150		13706168424391191299,
151		9580010308493592354,
152		14241333420363995524,
153		6665632285037357566,
154		5559902898979457045,
155		15504799981718861253,
156		8332096944629367896,
157		18005297320867222879,
158		58811391084848524,
159	}
160	z.A0.Mul(&x.A0, &b)
161	z.A1.Mul(&x.A1, &b)
162	return z
163}
164
165// MulByNonResidue3Power2 set z=x*(0,1)^(2*(p^3-1)/3) and return z
166func (z *E2) MulByNonResidue3Power2(x *E2) *E2 {
167	// 1
168	// nothing to do
169	return z
170}
171