|
| | element () noexcept=default |
| |
| constexpr | element (const Fq &a, const Fq &b, const Fq &c) noexcept |
| |
| constexpr | element (const element &other) noexcept |
| |
| constexpr | element (element &&other) noexcept |
| |
| constexpr | element (const affine_element< Fq, Fr, Params > &other) noexcept |
| |
| | ~element () noexcept=default |
| |
| constexpr element & | operator= (const element &other) noexcept |
| |
| constexpr element & | operator= (element &&other) noexcept |
| |
| constexpr | operator affine_element< Fq, Fr, Params > () const noexcept |
| |
| constexpr element | dbl () const noexcept |
| |
| constexpr void | self_dbl () noexcept |
| |
| constexpr element | operator+ (const element &other) const noexcept |
| |
| constexpr element | operator+ (const affine_element< Fq, Fr, Params > &other) const noexcept |
| |
| constexpr element | operator+= (const element &other) noexcept |
| |
| constexpr element | operator+= (const affine_element< Fq, Fr, Params > &other) noexcept |
| |
| constexpr element | operator- (const element &other) const noexcept |
| |
| constexpr element | operator- (const affine_element< Fq, Fr, Params > &other) const noexcept |
| |
| constexpr element | operator- () const noexcept |
| |
| constexpr element | operator-= (const element &other) noexcept |
| |
| constexpr element | operator-= (const affine_element< Fq, Fr, Params > &other) noexcept |
| |
| element | operator* (const Fr &exponent) const noexcept |
| |
| element | operator*= (const Fr &exponent) noexcept |
| |
| element | mul_const_time (const Fr &scalar, numeric::RNG *engine=nullptr) const noexcept |
| | Constant-time scalar multiplication intended for secret scalars (e.g. ECDSA / Schnorr nonces).
|
| |
| constexpr element | normalize () const noexcept |
| |
| constexpr element | normalize_const_time () const noexcept |
| |
| constexpr affine_element< Fq, Fr, Params > | to_affine_const_time () const noexcept |
| |
| BB_INLINE constexpr element | set_infinity () const noexcept |
| |
| BB_INLINE constexpr void | self_set_infinity () noexcept |
| |
| BB_INLINE constexpr bool | is_point_at_infinity () const noexcept |
| |
| BB_INLINE constexpr bool | on_curve () const noexcept |
| |
| BB_INLINE constexpr bool | operator== (const element &other) const noexcept |
| |
| template<typename > |
| element< Fq, Fr, T > | random_coordinates_on_curve (numeric::RNG *engine) noexcept |
| |
|
| static constexpr element | one () noexcept |
| |
| static constexpr element | zero () noexcept |
| |
| static element | random_element (numeric::RNG *engine=nullptr) noexcept |
| |
| static element | infinity () |
| |
| static void | batch_normalize (element *elements, size_t num_elements) noexcept |
| |
| static void | batch_affine_add (const std::span< affine_element< Fq, Fr, Params > > &first_group, const std::span< affine_element< Fq, Fr, Params > > &second_group, const std::span< affine_element< Fq, Fr, Params > > &results) noexcept |
| | Pairwise affine add points in first and second group.
|
| |
| static element | straus_msm (std::span< const affine_element< Fq, Fr, Params > > points, std::span< const Fr > scalars) noexcept |
| | Straus-style multi-scalar multiplication.
|
| |
| static std::vector< affine_element< Fq, Fr, Params > > | batch_mul_with_endomorphism (const std::span< const affine_element< Fq, Fr, Params > > &points, const Fr &scalar) noexcept |
| | Multiply each point by the same scalar.
|
| |
| static affine_element< Fq, Fr, Params > | batch_mul (std::span< const affine_element< Fq, Fr, Params > > points, std::span< Fr > scalars, size_t max_num_bits=0, bool with_edgecases=true, const Fr &masking_scalar=Fr(1)) noexcept |
| | Multi-scalar multiplication: compute sum_i(scalars[i] * points[i])
|
| |
template<class
Fq, class
Fr, class
Params>
class bb::group_elements::element< Fq, Fr, Params >
element class. Implements ecc group arithmetic using Jacobian coordinates See https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
Note: BN254 / Grumpkin G1 have cofactor 1, so on-curve membership coincides with prime-order subgroup membership. BN254 G2 has a non-trivial cofactor; an explicit subgroup check is provided by affine_element::is_in_prime_subgroup() and must be applied to externally-supplied G2 bytes (see bbapi). The arithmetic in this file does not rederive subgroup membership and assumes the caller already ensured operands are valid prime-order subgroup elements.
- Template Parameters
-
| Fq | prime field the curve is defined over |
| Fr | prime field whose characteristic equals the size of the prime-order elliptic curve subgroup |
| Params | curve parameters |
Definition at line 35 of file element.hpp.
template<typename
Fq , typename
Fr , typename T >
We now proceed to iterate back down the array of points. At each iteration we update the accumulator to contain the z-coordinate of the currently worked-upon z-coordinate. We can then multiply this accumulator with temporaries, to get a scalar that is equal to the inverse of the z-coordinate of the point at the next iteration cycle e.g. Imagine we have 4 points, such that:
accumulator = 1 / z.data[0]*z.data[1]*z.data[2]*z.data[3] temporaries[3] = z.data[0]*z.data[1]*z.data[2] temporaries[2] = z.data[0]*z.data[1] temporaries[1] = z.data[0] temporaries[0] = 1
At the first iteration, accumulator * temporaries[3] = z.data[0]*z.data[1]*z.data[2] / z.data[0]*z.data[1]*z.data[2]*z.data[3] = (1 / z.data[3]) We then update accumulator, such that:
accumulator = accumulator * z.data[3] = 1 / z.data[0]*z.data[1]*z.data[2]
At the second iteration, accumulator * temporaries[2] = z.data[0]*z.data[1] / z.data[0]*z.data[1]*z.data[2] = (1 z.data[2]) And so on, until we have computed every z-inverse!
We can then convert out of Jacobian form (x = X / Z^2, y = Y / Z^3) with 4 muls and 1 square.
Definition at line 1731 of file element_impl.hpp.
template<class
Fq , class
Fr , class T >
Constant-time scalar multiplication intended for secret scalars (e.g. ECDSA / Schnorr nonces).
Implementation: Montgomery ladder (Montgomery 1987 [1]; SCA-regular form: Joye & Yen, CHES 2002 [2]) over a fixed iteration count, with Coron's first DPA countermeasure (CHES 1999 [3]) applied to the scalar: k' = k + r * n for a fresh random 64-bit r sampled per call. Since n * P = O in the prime-order subgroup, k' * P = k * P; the randomization decorrelates the per-bit timing trace across signings with the same k.
[1] P. L. Montgomery, "Speeding the Pollard and Elliptic Curve Methods of Factorization", Mathematics of Computation 48 (1987), pp. 243-264. [2] M. Joye and S.-M. Yen, "The Montgomery Powering Ladder", CHES 2002, LNCS 2523, pp. 291-302. [3] J.-S. Coron, "Resistance against Differential Power Analysis for Elliptic Curve
Cryptosystems", CHES 1999, LNCS 1717, pp. 292-302.
- Parameters
-
| engine | Optional RNG for the blinding factor. If nullptr, uses the global RNG. |
- Warning
- Slower than operator*. Use only when the scalar is secret. For public scalars (MSM, public arithmetic), prefer operator*.
Definition at line 425 of file element_impl.hpp.
1.9.8