Merge branch 'master' into releases

Author: mmagician

.github/release-pr-template.ejs

@@ -9,5 +9,5 @@ This is a release PR for version **<%= version.actual %>**<%
 You will still need to manually publish the cargo crate:
 
 ```
-$ make VERSION=<latest version> release
+$ make VERSION=<%= version.actual %> release
 ```

ec/src/lib.rs

@@ -264,7 +264,7 @@ pub trait AffineRepr:
     /// `Self::ScalarField`.
     #[must_use]
     fn mul_by_cofactor_inv(&self) -> Self {
-        self.mul_bigint(&Self::Config::COFACTOR_INV.into_bigint())
+        self.mul_bigint(Self::Config::COFACTOR_INV.into_bigint())
             .into()
     }
 }

ec/src/models/bn/mod.rs

@@ -23,7 +23,7 @@ pub enum TwistType {
     D,
 }
 
-pub trait BnConfig: 'static {
+pub trait BnConfig: 'static + Sized {
     /// The absolute value of the BN curve parameter `X`
     /// (as in `q = 36 X^4 + 36 X^3 + 24 X^2 + 6 X + 1`).
     const X: &'static [u64];
@@ -46,65 +46,11 @@ pub trait BnConfig: 'static {
         BaseField = Fp2<Self::Fp2Config>,
         ScalarField = <Self::G1Config as CurveConfig>::ScalarField,
     >;
-}
-
-pub mod g1;
-pub mod g2;
-
-pub use self::{
-    g1::{G1Affine, G1Prepared, G1Projective},
-    g2::{G2Affine, G2Prepared, G2Projective},
-};
-
-#[derive(Derivative)]
-#[derivative(Copy, Clone, PartialEq, Eq, Debug, Hash)]
-pub struct Bn<P: BnConfig>(PhantomData<fn() -> P>);
-
-impl<P: BnConfig> Bn<P> {
-    /// Evaluates the line function at point p.
-    fn ell(f: &mut Fp12<P::Fp12Config>, coeffs: &g2::EllCoeff<P>, p: &G1Affine<P>) {
-        let mut c0 = coeffs.0;
-        let mut c1 = coeffs.1;
-        let mut c2 = coeffs.2;
-
-        match P::TWIST_TYPE {
-            TwistType::M => {
-                c2.mul_assign_by_fp(&p.y);
-                c1.mul_assign_by_fp(&p.x);
-                f.mul_by_014(&c0, &c1, &c2);
-            },
-            TwistType::D => {
-                c0.mul_assign_by_fp(&p.y);
-                c1.mul_assign_by_fp(&p.x);
-                f.mul_by_034(&c0, &c1, &c2);
-            },
-        }
-    }
-
-    fn exp_by_neg_x(mut f: Fp12<P::Fp12Config>) -> Fp12<P::Fp12Config> {
-        f = f.cyclotomic_exp(&P::X);
-        if !P::X_IS_NEGATIVE {
-            f.cyclotomic_inverse_in_place();
-        }
-        f
-    }
-}
-
-impl<P: BnConfig> Pairing for Bn<P> {
-    type BaseField = <P::G1Config as CurveConfig>::BaseField;
-    type ScalarField = <P::G1Config as CurveConfig>::ScalarField;
-    type G1 = G1Projective<P>;
-    type G1Affine = G1Affine<P>;
-    type G1Prepared = G1Prepared<P>;
-    type G2 = G2Projective<P>;
-    type G2Affine = G2Affine<P>;
-    type G2Prepared = G2Prepared<P>;
-    type TargetField = Fp12<P::Fp12Config>;
 
     fn multi_miller_loop(
-        a: impl IntoIterator<Item = impl Into<Self::G1Prepared>>,
-        b: impl IntoIterator<Item = impl Into<Self::G2Prepared>>,
-    ) -> MillerLoopOutput<Self> {
+        a: impl IntoIterator<Item = impl Into<G1Prepared<Self>>>,
+        b: impl IntoIterator<Item = impl Into<G2Prepared<Self>>>,
+    ) -> MillerLoopOutput<Bn<Self>> {
         let mut pairs = a
             .into_iter()
             .zip_eq(b)
@@ -119,44 +65,44 @@ impl<P: BnConfig> Pairing for Bn<P> {
 
         let mut f = cfg_chunks_mut!(pairs, 4)
             .map(|pairs| {
-                let mut f = Self::TargetField::one();
-                for i in (1..P::ATE_LOOP_COUNT.len()).rev() {
-                    if i != P::ATE_LOOP_COUNT.len() - 1 {
+                let mut f = <Bn<Self> as Pairing>::TargetField::one();
+                for i in (1..Self::ATE_LOOP_COUNT.len()).rev() {
+                    if i != Self::ATE_LOOP_COUNT.len() - 1 {
                         f.square_in_place();
                     }
 
                     for (p, coeffs) in pairs.iter_mut() {
-                        Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
+                        Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
                     }
 
-                    let bit = P::ATE_LOOP_COUNT[i - 1];
+                    let bit = Self::ATE_LOOP_COUNT[i - 1];
                     if bit == 1 || bit == -1 {
                         for (p, coeffs) in pairs.iter_mut() {
-                            Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
+                            Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
                         }
                     }
                 }
                 f
             })
-            .product::<Self::TargetField>();
+            .product::<<Bn<Self> as Pairing>::TargetField>();
 
-        if P::X_IS_NEGATIVE {
+        if Self::X_IS_NEGATIVE {
             f.cyclotomic_inverse_in_place();
         }
 
         for (p, coeffs) in &mut pairs {
-            Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
+            Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
         }
 
         for (p, coeffs) in &mut pairs {
-            Self::ell(&mut f, &coeffs.next().unwrap(), &p.0);
+            Bn::<Self>::ell(&mut f, &coeffs.next().unwrap(), &p.0);
         }
 
         MillerLoopOutput(f)
     }
 
     #[allow(clippy::let_and_return)]
-    fn final_exponentiation(f: MillerLoopOutput<Self>) -> Option<PairingOutput<Self>> {
+    fn final_exponentiation(f: MillerLoopOutput<Bn<Self>>) -> Option<PairingOutput<Bn<Self>>> {
         // Easy part: result = elt^((q^6-1)*(q^2+1)).
         // Follows, e.g., Beuchat et al page 9, by computing result as follows:
         //   elt^((q^6-1)*(q^2+1)) = (conj(elt) * elt^(-1))^(q^2+1)
@@ -191,13 +137,13 @@ impl<P: BnConfig> Pairing for Bn<P> {
             //
             // result = elt^( 2z * ( 6z^2 + 3z + 1 ) * (q^4 - q^2 + 1)/r ).
 
-            let y0 = Self::exp_by_neg_x(r);
+            let y0 = Bn::<Self>::exp_by_neg_x(r);
             let y1 = y0.cyclotomic_square();
             let y2 = y1.cyclotomic_square();
             let mut y3 = y2 * &y1;
-            let y4 = Self::exp_by_neg_x(y3);
+            let y4 = Bn::<Self>::exp_by_neg_x(y3);
             let y5 = y4.cyclotomic_square();
-            let mut y6 = Self::exp_by_neg_x(y5);
+            let mut y6 = Bn::<Self>::exp_by_neg_x(y5);
             y3.cyclotomic_inverse_in_place();
             y6.cyclotomic_inverse_in_place();
             let y7 = y6 * &y4;
@@ -219,3 +165,68 @@ impl<P: BnConfig> Pairing for Bn<P> {
         })
     }
 }
+
+pub mod g1;
+pub mod g2;
+
+pub use self::{
+    g1::{G1Affine, G1Prepared, G1Projective},
+    g2::{G2Affine, G2Prepared, G2Projective},
+};
+
+#[derive(Derivative)]
+#[derivative(Copy, Clone, PartialEq, Eq, Debug, Hash)]
+pub struct Bn<P: BnConfig>(PhantomData<fn() -> P>);
+
+impl<P: BnConfig> Bn<P> {
+    /// Evaluates the line function at point p.
+    fn ell(f: &mut Fp12<P::Fp12Config>, coeffs: &g2::EllCoeff<P>, p: &G1Affine<P>) {
+        let mut c0 = coeffs.0;
+        let mut c1 = coeffs.1;
+        let mut c2 = coeffs.2;
+
+        match P::TWIST_TYPE {
+            TwistType::M => {
+                c2.mul_assign_by_fp(&p.y);
+                c1.mul_assign_by_fp(&p.x);
+                f.mul_by_014(&c0, &c1, &c2);
+            },
+            TwistType::D => {
+                c0.mul_assign_by_fp(&p.y);
+                c1.mul_assign_by_fp(&p.x);
+                f.mul_by_034(&c0, &c1, &c2);
+            },
+        }
+    }
+
+    fn exp_by_neg_x(mut f: Fp12<P::Fp12Config>) -> Fp12<P::Fp12Config> {
+        f = f.cyclotomic_exp(P::X);
+        if !P::X_IS_NEGATIVE {
+            f.cyclotomic_inverse_in_place();
+        }
+        f
+    }
+}
+
+impl<P: BnConfig> Pairing for Bn<P> {
+    type BaseField = <P::G1Config as CurveConfig>::BaseField;
+    type ScalarField = <P::G1Config as CurveConfig>::ScalarField;
+    type G1 = G1Projective<P>;
+    type G1Affine = G1Affine<P>;
+    type G1Prepared = G1Prepared<P>;
+    type G2 = G2Projective<P>;
+    type G2Affine = G2Affine<P>;
+    type G2Prepared = G2Prepared<P>;
+    type TargetField = Fp12<P::Fp12Config>;
+
+    fn multi_miller_loop(
+        a: impl IntoIterator<Item = impl Into<Self::G1Prepared>>,
+        b: impl IntoIterator<Item = impl Into<Self::G2Prepared>>,
+    ) -> MillerLoopOutput<Self> {
+        P::multi_miller_loop(a, b)
+    }
+
+    fn final_exponentiation(f: MillerLoopOutput<Self>) -> Option<PairingOutput<Self>> {
+        P::final_exponentiation(f)
+    }
+}

ec/src/models/bw6/mod.rs

@@ -160,7 +160,7 @@ impl<P: BW6Config> BW6<P> {
     }
 
     fn exp_by_x(mut f: Fp6<P::Fp6Config>) -> Fp6<P::Fp6Config> {
-        f = f.cyclotomic_exp(&P::X);
+        f = f.cyclotomic_exp(P::X);
         if P::X_IS_NEGATIVE {
             f.cyclotomic_inverse_in_place();
         }

ec/src/models/mnt4/mod.rs

@@ -26,7 +26,7 @@ pub use self::{
 
 pub type GT<P> = Fp4<P>;
 
-pub trait MNT4Config: 'static {
+pub trait MNT4Config: 'static + Sized {
     const TWIST: Fp2<Self::Fp2Config>;
     const TWIST_COEFF_A: Fp2<Self::Fp2Config>;
     const ATE_LOOP_COUNT: &'static [i8];
@@ -43,6 +43,34 @@ pub trait MNT4Config: 'static {
         BaseField = Fp2<Self::Fp2Config>,
         ScalarField = <Self::G1Config as CurveConfig>::ScalarField,
     >;
+    fn multi_miller_loop(
+        a: impl IntoIterator<Item = impl Into<G1Prepared<Self>>>,
+        b: impl IntoIterator<Item = impl Into<G2Prepared<Self>>>,
+    ) -> MillerLoopOutput<MNT4<Self>> {
+        let pairs = a
+            .into_iter()
+            .zip_eq(b)
+            .map(|(a, b)| (a.into(), b.into()))
+            .collect::<Vec<_>>();
+        let result = cfg_into_iter!(pairs)
+            .map(|(a, b)| MNT4::<Self>::ate_miller_loop(&a, &b))
+            .product();
+        MillerLoopOutput(result)
+    }
+
+    fn final_exponentiation(f: MillerLoopOutput<MNT4<Self>>) -> Option<PairingOutput<MNT4<Self>>> {
+        let value = f.0;
+        let value_inv = value.inverse().unwrap();
+        let value_to_first_chunk =
+            MNT4::<Self>::final_exponentiation_first_chunk(&value, &value_inv);
+        let value_inv_to_first_chunk =
+            MNT4::<Self>::final_exponentiation_first_chunk(&value_inv, &value);
+        let result = MNT4::<Self>::final_exponentiation_last_chunk(
+            &value_to_first_chunk,
+            &value_inv_to_first_chunk,
+        );
+        Some(PairingOutput(result))
+    }
 }
 
 #[derive(Derivative)]
@@ -185,11 +213,11 @@ impl<P: MNT4Config> MNT4<P> {
         let mut elt_q = *elt;
         elt_q.frobenius_map_in_place(1);
 
-        let w1_part = elt_q.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_1);
+        let w1_part = elt_q.cyclotomic_exp(P::FINAL_EXPONENT_LAST_CHUNK_1);
         let w0_part = if P::FINAL_EXPONENT_LAST_CHUNK_W0_IS_NEG {
-            elt_inv_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
+            elt_inv_clone.cyclotomic_exp(P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
         } else {
-            elt_clone.cyclotomic_exp(&P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
+            elt_clone.cyclotomic_exp(P::FINAL_EXPONENT_LAST_CHUNK_ABS_OF_W0)
         };
 
         w1_part * &w0_part
@@ -211,24 +239,10 @@ impl<P: MNT4Config> Pairing for MNT4<P> {
         a: impl IntoIterator<Item = impl Into<Self::G1Prepared>>,
         b: impl IntoIterator<Item = impl Into<Self::G2Prepared>>,
     ) -> MillerLoopOutput<Self> {
-        let pairs = a
-            .into_iter()
-            .zip_eq(b)
-            .map(|(a, b)| (a.into(), b.into()))
-            .collect::<Vec<_>>();
-        let result = cfg_into_iter!(pairs)
-            .map(|(a, b)| Self::ate_miller_loop(&a, &b))
-            .product();
-        MillerLoopOutput(result)
+        P::multi_miller_loop(a, b)
     }
 
     fn final_exponentiation(f: MillerLoopOutput<Self>) -> Option<PairingOutput<Self>> {
-        let value = f.0;
-        let value_inv = value.inverse().unwrap();
-        let value_to_first_chunk = Self::final_exponentiation_first_chunk(&value, &value_inv);
-        let value_inv_to_first_chunk = Self::final_exponentiation_first_chunk(&value_inv, &value);
-        let result =
-            Self::final_exponentiation_last_chunk(&value_to_first_chunk, &value_inv_to_first_chunk);
-        Some(PairingOutput(result))
+        P::final_exponentiation(f)
     }
 }