diff --git a/std/algebra/emulated/fields_bls12381/e12_pairing.go b/std/algebra/emulated/fields_bls12381/e12_pairing.go index a2a3f25ebc..7e4f26d9b4 100644 --- a/std/algebra/emulated/fields_bls12381/e12_pairing.go +++ b/std/algebra/emulated/fields_bls12381/e12_pairing.go @@ -411,13 +411,10 @@ func (e Ext12) AssertFinalExponentiationIsOne(x *E12) { }, } // constrain cubicNonResiduePower to be in Fp6 - scalingFactor := E12{ - C0: E6{ - B0: E2{A0: *res[12], A1: *res[13]}, - B1: E2{A0: *res[14], A1: *res[15]}, - B2: E2{A0: *res[16], A1: *res[17]}, - }, - C1: (*e.Ext6.Zero()), + scalingFactor := E6{ + B0: E2{A0: *res[12], A1: *res[13]}, + B1: E2{A0: *res[14], A1: *res[15]}, + B2: E2{A0: *res[16], A1: *res[17]}, } // Check that x * scalingFactor == residueWitness^(q-u) @@ -428,7 +425,10 @@ func (e Ext12) AssertFinalExponentiationIsOne(x *E12) { t1 := e.Expt(&residueWitness) t0 = e.Mul(t0, t1) - t1 = e.Mul(x, &scalingFactor) + t1 = &E12{ + C0: *e.Ext6.Mul(&x.C0, &scalingFactor), + C1: *e.Ext6.Mul(&x.C1, &scalingFactor), + } e.AssertIsEqual(t0, t1) } diff --git a/std/algebra/emulated/fields_bn254/e12_pairing.go b/std/algebra/emulated/fields_bn254/e12_pairing.go index f7c93c75e7..2e0411afed 100644 --- a/std/algebra/emulated/fields_bn254/e12_pairing.go +++ b/std/algebra/emulated/fields_bn254/e12_pairing.go @@ -448,19 +448,19 @@ func (e Ext12) AssertFinalExponentiationIsOne(x *E12) { }, } // constrain cubicNonResiduePower to be in Fp6 - cubicNonResiduePower := E12{ - C0: E6{ - B0: E2{A0: *res[12], A1: *res[13]}, - B1: E2{A0: *res[14], A1: *res[15]}, - B2: E2{A0: *res[16], A1: *res[17]}, - }, - C1: (*e.Ext6.Zero()), + cubicNonResiduePower := E6{ + B0: E2{A0: *res[12], A1: *res[13]}, + B1: E2{A0: *res[14], A1: *res[15]}, + B2: E2{A0: *res[16], A1: *res[17]}, } // Check that x * cubicNonResiduePower == residueWitness^λ // where λ = 6u + 2 + q^3 - q^2 + q, with u the BN254 seed // and residueWitness, cubicNonResiduePower from the hint. - t2 := e.Mul(&cubicNonResiduePower, x) + t2 := &E12{ + C0: *e.Ext6.Mul(&x.C0, &cubicNonResiduePower), + C1: *e.Ext6.Mul(&x.C1, &cubicNonResiduePower), + } t1 := e.FrobeniusCube(&residueWitness) t0 := e.FrobeniusSquare(&residueWitness) diff --git a/std/algebra/emulated/sw_bn254/pairing.go b/std/algebra/emulated/sw_bn254/pairing.go index 569fb72f93..def19d2654 100644 --- a/std/algebra/emulated/sw_bn254/pairing.go +++ b/std/algebra/emulated/sw_bn254/pairing.go @@ -705,13 +705,10 @@ func (pr Pairing) millerLoopAndFinalExpResult(P *G1Affine, Q *G2Affine, previous }, } // constrain cubicNonResiduePower to be in Fp6 - cubicNonResiduePower := fields_bn254.E12{ - C0: fields_bn254.E6{ - B0: fields_bn254.E2{A0: *hint[12], A1: *hint[13]}, - B1: fields_bn254.E2{A0: *hint[14], A1: *hint[15]}, - B2: fields_bn254.E2{A0: *hint[16], A1: *hint[17]}, - }, - C1: (*pr.Ext6.Zero()), + cubicNonResiduePower := fields_bn254.E6{ + B0: fields_bn254.E2{A0: *hint[12], A1: *hint[13]}, + B1: fields_bn254.E2{A0: *hint[14], A1: *hint[15]}, + B2: fields_bn254.E2{A0: *hint[16], A1: *hint[17]}, } // residueWitnessInv = 1 / residueWitness @@ -795,7 +792,10 @@ func (pr Pairing) millerLoopAndFinalExpResult(P *G1Affine, Q *G2Affine, previous // and residueWitnessInv, cubicNonResiduePower from the hint. // Note that res is already MillerLoop(P,Q) * residueWitnessInv^{6x₀+2} since // we initialized the Miller loop accumulator with residueWitnessInv. - t2 := pr.Mul(&cubicNonResiduePower, res) + t2 := &fields_bn254.E12{ + C0: *pr.Ext6.Mul(&res.C0, &cubicNonResiduePower), + C1: *pr.Ext6.Mul(&res.C1, &cubicNonResiduePower), + } t1 := pr.FrobeniusCube(residueWitnessInv) t0 := pr.FrobeniusSquare(residueWitnessInv) diff --git a/std/algebra/native/fields_bls12377/e12_pairing.go b/std/algebra/native/fields_bls12377/e12_pairing.go index de72c44645..f1715e4806 100644 --- a/std/algebra/native/fields_bls12377/e12_pairing.go +++ b/std/algebra/native/fields_bls12377/e12_pairing.go @@ -219,16 +219,16 @@ func (x *E12) AssertFinalExponentiationIsOne(api frontend.API) { panic(err) } - var residueWitness, scalingFactor, t0, t1 E12 + var residueWitness, t0, t1 E12 + var scalingFactor E6 residueWitness.assign(res[:12]) // constrain cubicNonResiduePower to be in Fp6 - scalingFactor.C0.B0.A0 = res[12] - scalingFactor.C0.B0.A1 = res[13] - scalingFactor.C0.B1.A0 = res[14] - scalingFactor.C0.B1.A1 = res[15] - scalingFactor.C0.B2.A0 = res[16] - scalingFactor.C0.B2.A1 = res[17] - scalingFactor.C1.SetZero() + scalingFactor.B0.A0 = res[12] + scalingFactor.B0.A1 = res[13] + scalingFactor.B1.A0 = res[14] + scalingFactor.B1.A1 = res[15] + scalingFactor.B2.A0 = res[16] + scalingFactor.B2.A1 = res[17] // Check that x * scalingFactor == residueWitness^(q-u) // where u=0x8508c00000000001 is the BLS12-377 seed, @@ -238,7 +238,8 @@ func (x *E12) AssertFinalExponentiationIsOne(api frontend.API) { t1.ExpX0(api, residueWitness) t0.DivUnchecked(api, t0, t1) - t1.Mul(api, *x, scalingFactor) + t1.C0.Mul(api, x.C0, scalingFactor) + t1.C1.Mul(api, x.C1, scalingFactor) t0.AssertIsEqual(api, t1) }