Accelerate fexp a bit for BLS24 curves.

relic-toolkit · Jan 31, 2024 · ba4a8de · ba4a8de
1 parent afbbd0a
commit ba4a8de
Showing 1 changed file with 19 additions and 18 deletions.
diff --git a/src/pp/relic_pp_exp_k24.c b/src/pp/relic_pp_exp_k24.c
@@ -57,41 +57,42 @@ void pp_exp_k24(fp24_t c, fp24_t a) {
 		/*
 		 * Final exponentiation following Hayashida, Hayasaka and Teruya:
 		 * Efficient Final Exponentiation via Cyclotomic Structure for Pairings
-		 * over Families of Elliptic Curves
+		 * over Families of Elliptic Curves: https://eprint.iacr.org/2020/875
 		 */
 		fp_prime_get_par(x);
 		b = fp_prime_get_par_sps(&l);
 		/* First, compute m^(p^12 - 1)(p^4 + 1). */
 		fp24_conv_cyc(c, a);
 
-		/* t0 = f^x. */
-		fp24_exp_cyc_sps(t0, c, b, l, bn_sign(x));
-
-		/* t1 = f^(-2x + 1). */
-		fp24_sqr_cyc(t1, t0);
-		fp24_inv_cyc(t1, t1);
-		fp24_mul(t1, t1, c);
-
-		/* t0 = f^(x^2 - 2x + 1). */
-		fp24_exp_cyc_sps(t0, t0, b, l, bn_sign(x));
-		fp24_mul(t0, t0, t1);
+		/* t0 = f^(x-1)^2. */
+		if (bn_sign(x) == RLC_NEG && b[0] == 0 && b[1] == -1) {
+			fp24_exp_cyc_sps(t0, c, b+2, l-2, RLC_POS);
+			fp24_exp_cyc_sps(t0, t0, b+2, l-2, RLC_POS);
+		} else {
+			fp24_exp_cyc_sps(t1, c, b, l, bn_sign(x));
+			fp24_inv_cyc(t0, c);
+			fp24_mul(t1, t1, t0);
+			fp24_exp_cyc_sps(t0, t1, b, l, bn_sign(x));
+			fp24_inv_cyc(t1, t1);
+			fp24_mul(t0, t0, t1);
+		}
 
 		/* t1 = t0^(x + p). */
 		fp24_exp_cyc_sps(t1, t0, b, l, bn_sign(x));
 		fp24_frb(t0, t0, 1);
 		fp24_mul(t1, t1, t0);
 
 		/* t0 = t1^(x^2 + p^2). */
-		fp24_exp_cyc_sps(t0, t1, b, l, bn_sign(x));
-		fp24_exp_cyc_sps(t0, t0, b, l, bn_sign(x));
+		fp24_exp_cyc_sps(t0, t1, b, l, RLC_POS);
+		fp24_exp_cyc_sps(t0, t0, b, l, RLC_POS);
 		fp24_frb(t1, t1, 2);
 		fp24_mul(t0, t0, t1);
 
 		/* t1 = t0^(x^4 + p^4 - 1). */
-		fp24_exp_cyc_sps(t1, t0, b, l, bn_sign(x));
-		fp24_exp_cyc_sps(t1, t1, b, l, bn_sign(x));
-		fp24_exp_cyc_sps(t1, t1, b, l, bn_sign(x));
-		fp24_exp_cyc_sps(t1, t1, b, l, bn_sign(x));
+		fp24_exp_cyc_sps(t1, t0, b, l, RLC_POS);
+		fp24_exp_cyc_sps(t1, t1, b, l, RLC_POS);
+		fp24_exp_cyc_sps(t1, t1, b, l, RLC_POS);
+		fp24_exp_cyc_sps(t1, t1, b, l, RLC_POS);
 		fp24_inv_cyc(t2, t0);
 		fp24_frb(t0, t0, 4);
 		fp24_mul(t1, t1, t0);