-- Hoogle documentation, generated by Haddock -- See Hoogle, http://www.haskell.org/hoogle/ -- | Optimal ate pairing over Barreto-Naehrig curves -- -- Optimal ate pairing over Barreto-Naehrig curves @package pairing @version 0.2 module Pairing.CyclicGroup class AsInteger a asInteger :: AsInteger a => a -> Integer class Monoid g => CyclicGroup g generator :: CyclicGroup g => g order :: CyclicGroup g => Proxy g -> Integer expn :: (CyclicGroup g, AsInteger e) => g -> e -> g inverse :: CyclicGroup g => g -> g -- | Sum all the elements of some container according to its group -- structure. sumG :: (Foldable t, CyclicGroup g) => t g -> g instance Pairing.CyclicGroup.AsInteger GHC.Types.Int -- | Parameters chosen for the pairing. The parameters chosen here -- correspond to the BN128 curve (aka CurveSNARK). -- --
--   a = 0
--   b = 3
--   k = 12
--   t = 4965661367192848881
--   q = 21888242871839275222246405745257275088696311157297823662689037894645226208583
--   r = 21888242871839275222246405745257275088548364400416034343698204186575808495617
--   ξ = 9 + u
--   
module Pairing.Params -- | Elliptic curve coefficient _a :: Integer -- | Elliptic curve coefficient _b :: Integer -- | Characteristic of the finite fields we work with _q :: Integer -- | Order of elliptic curve E(Fq) G1, and therefore also the -- characteristic of the prime field we choose our exponents from _r :: Integer -- | Embedding degree _k :: Integer -- | Quadratic nonresidue in Fq _nqr :: Integer -- | Parameter used to define the twisted curve over Fq, with xi = xi_a + -- xi_b * i _xiA :: Integer -- | Parameter used to define the twisted curve over Fq, with xi = xi_a + -- xi_b * i _xiB :: Integer -- | Prime field with characteristic _q, over which the elliptic curve and -- the other finite field extensions are defined. First field in the -- tower: -- -- module Pairing.Fq -- | Prime field with characteristic _q newtype Fq -- | Use new instead of this constructor Fq :: Integer -> Fq -- | Turn an integer into an Fq number, should be used instead of -- the Fq constructor. new :: Integer -> Fq -- | Multiplicative inverse fqInv :: Fq -> Fq -- | Additive identity fqZero :: Fq -- | Multiplicative identity fqOne :: Fq -- | Quadratic non-residue fqNqr :: Fq -- | Euclidean algorithm to compute inverse in an integral domain -- a euclidean :: Integral a => a -> a -> a random :: MonadRandom m => m Fq fromBytes :: ByteString -> Fq instance GHC.Classes.Ord Pairing.Fq.Fq instance Control.DeepSeq.NFData Pairing.Fq.Fq instance GHC.Generics.Generic Pairing.Fq.Fq instance Data.Bits.Bits Pairing.Fq.Fq instance GHC.Classes.Eq Pairing.Fq.Fq instance GHC.Show.Show Pairing.Fq.Fq instance Pairing.CyclicGroup.AsInteger Pairing.Fq.Fq instance GHC.Num.Num Pairing.Fq.Fq instance GHC.Real.Fractional Pairing.Fq.Fq -- | Prime field from which exponents should be chosen module Pairing.Fr -- | Prime field with characteristic _r newtype Fr -- | Use new instead of this constructor Fr :: Integer -> Fr -- | Turn an integer into an Fr number, should be used instead of -- the Fr constructor. 
new :: Integer -> Fr frInv :: Fr -> Fr random :: MonadRandom m => m Fr isRootOfUnity :: Integer -> Fr -> Bool isPrimitiveRootOfUnity :: Integer -> Fr -> Bool -- | Compute primitive roots of unity for 2^0, 2^1, ..., 2^28. (2^28 is the -- largest power of two that divides _r - 1, therefore there are no -- primitive roots of unity for higher powers of 2 in Fr.) primitiveRootOfUnity :: Int -> Fr precompRootOfUnity :: Int -> Fr instance Control.DeepSeq.NFData Pairing.Fr.Fr instance Data.Bits.Bits Pairing.Fr.Fr instance GHC.Classes.Ord Pairing.Fr.Fr instance GHC.Classes.Eq Pairing.Fr.Fr instance GHC.Show.Show Pairing.Fr.Fr instance Pairing.CyclicGroup.AsInteger Pairing.Fr.Fr instance GHC.Num.Num Pairing.Fr.Fr instance GHC.Real.Fractional Pairing.Fr.Fr instance Text.PrettyPrint.Leijen.Text.Pretty Pairing.Fr.Fr -- | First quadratic extension of the tower: -- -- -- -- Implementation following "Multiplication and Squaring on -- Pairing-Friendly Fields" by Devegili, hEigeartaigh, Scott and Dahab. module Pairing.Fq2 -- | Quadratic extension of Fq defined as Fq[u]/u^2 + 1 data Fq2 -- | Use new instead of this constructor Fq2 :: Fq -> Fq -> Fq2 [fq2x] :: Fq2 -> Fq [fq2y] :: Fq2 -> Fq -- | new x y creates a value representing x + y * u new :: Fq -> Fq -> Fq2 -- | Multiplication by a scalar in Fq fq2scalarMul :: Fq -> Fq2 -> Fq2 -- | Multiplicative inverse fq2inv :: Fq2 -> Fq2 -- | Multiplicative identity fq2one :: Fq2 -- | Additive identity fq2zero :: Fq2 -- | Conjugation fq2conj :: Fq2 -> Fq2 -- | Squaring operation fq2sqr :: Fq2 -> Fq2 -- | Multiply by xi mulXi :: Fq2 -> Fq2 -- | Divide by xi divXi :: Fq2 -> Fq2 -- | Cubic non-residue in Fq2 xi :: Fq2 random :: MonadRandom m => m Fq2 instance Control.DeepSeq.NFData Pairing.Fq2.Fq2 instance GHC.Generics.Generic Pairing.Fq2.Fq2 instance GHC.Show.Show Pairing.Fq2.Fq2 instance GHC.Classes.Eq Pairing.Fq2.Fq2 instance GHC.Num.Num Pairing.Fq2.Fq2 instance GHC.Real.Fractional Pairing.Fq2.Fq2 -- | Cubic extension of the tower: -- -- -- 
-- Implementation follows "Multiplication and Squaring on -- Pairing-Friendly Fields" by Devegili, hEigeartaigh, Scott and Dahab. module Pairing.Fq6 -- | Field extension defined as Fq2[v]/v^3 - (9 + u) data Fq6 Fq6 :: Fq2 -> Fq2 -> Fq2 -> Fq6 [fq6x] :: Fq6 -> Fq2 [fq6y] :: Fq6 -> Fq2 [fq6z] :: Fq6 -> Fq2 -- | Create a new value in Fq6, should be used instead of the -- Fq6 constructor. new :: Fq2 -> Fq2 -> Fq2 -> Fq6 -- | Multiplicative inverse fq6inv :: Fq6 -> Fq6 -- | Multiplicative identity fq6one :: Fq6 -- | Additive identity fq6zero :: Fq6 -- | Squaring operation fq6sqr :: Fq6 -> Fq6 -- | Multiply by xi (cubic nonresidue in Fq2) and reorder -- coefficients mulXi :: Fq6 -> Fq6 random :: MonadRandom m => m Fq6 instance GHC.Show.Show Pairing.Fq6.Fq6 instance GHC.Classes.Eq Pairing.Fq6.Fq6 instance GHC.Num.Num Pairing.Fq6.Fq6 instance GHC.Real.Fractional Pairing.Fq6.Fq6 -- | Final quadratic extension of the tower: -- -- -- -- Implementation follows "Multiplication and Squaring on -- Pairing-Friendly Fields" by Devegili, hEigeartaigh, Scott and Dahab. module Pairing.Fq12 -- | Field extension defined as Fq6[w]/w^2 - v data Fq12 -- | Use new instead of this constructor Fq12 :: Fq6 -> Fq6 -> Fq12 [fq12x] :: Fq12 -> Fq6 [fq12y] :: Fq12 -> Fq6 -- | Create a new value in Fq12 by providing a list of twelve -- coefficients in Fq, should be used instead of the -- Fq12 constructor. new :: [Fq] -> Fq12 -- | Deconstruct a value in Fq12 into a list of twelve -- coefficients in Fq. 
deconstruct :: Fq12 -> [Fq] -- | Multiplicative inverse fq12inv :: Fq12 -> Fq12 -- | Multiplicative identity fq12one :: Fq12 -- | Additive identity fq12zero :: Fq12 -- | Conjugation fq12conj :: Fq12 -> Fq12 -- | Iterated Frobenius automorphism fq12frobenius :: Int -> Fq12 -> Fq12 random :: MonadRandom m => m Fq12 instance GHC.Show.Show Pairing.Fq12.Fq12 instance GHC.Classes.Eq Pairing.Fq12.Fq12 instance GHC.Num.Num Pairing.Fq12.Fq12 instance GHC.Real.Fractional Pairing.Fq12.Fq12 -- | Affine point arithmetic defining the group operation on an elliptic -- curve E(F), for some field F. In our case the field F is given as some -- type t with Num and Fractional instances. module Pairing.Point -- | Points on a curve over a field a represented as either affine -- coordinates or as a point at infinity. data Point a -- | Affine point Point :: a -> a -> Point a -- | Point at infinity Infinity :: Point a -- | Point doubling gDouble :: (Fractional t, Eq t) => Point t -> Point t -- | Point addition, provides a group structure on an elliptic curve with -- the point at infinity as its unit. gAdd :: (Fractional t, Eq t) => Point t -> Point t -> Point t -- | Negation (flipping the y component) gNeg :: (Fractional t, Eq t) => Point t -> Point t -- | Multiplication by a scalar gMul :: (Eq t, Integral a, Fractional t) => Point t -> a -> Point t instance Control.DeepSeq.NFData a => Control.DeepSeq.NFData (Pairing.Point.Point a) instance GHC.Generics.Generic (Pairing.Point.Point a) instance GHC.Base.Functor Pairing.Point.Point instance GHC.Show.Show a => GHC.Show.Show (Pairing.Point.Point a) instance GHC.Classes.Ord a => GHC.Classes.Ord (Pairing.Point.Point a) instance GHC.Classes.Eq a => GHC.Classes.Eq (Pairing.Point.Point a) -- | Jacobian representation of points on an elliptic curve. -- -- In Jacobian coordinates the triple (x, y, z) represents the -- affine point (X Z^2, Y Z^3). 
Curve operations are -- more efficient in Jacobian coordinates when the time complexity for -- underlying field inversions is significantly higher than field -- multiplications. module Pairing.Jacobian -- | Jacobian coordinates for points on an elliptic curve over a field -- a. type JPoint a = (a, a, a) -- | Convert affine coordinates to Jacobian coordinates toJacobian :: Fractional a => Point a -> JPoint a -- | Convert Jacobian coordinates to affine coordinates fromJacobian :: (Eq a, Fractional a) => JPoint a -> Point a module Pairing.Hash -- | Encodes a given byte string to a point on the BN curve. The -- implementation uses the Shallue van de Woestijne encoding to BN curves -- as specified in Section 6 of Indifferentiable Hashing to Barreto -- Naehrig Curves by Pierre-Alain Fouque and Mehdi Tibouchi. This -- function evaluates an empty bytestring or one that contains NUL to -- zero, which according to Definition 2 of the paper is sent to an -- arbitrary point on the curve swEncBN :: (MonadIO m, MonadRandom m) => ByteString -> m (Point Fq) -- | Definitions of the groups the pairing is defined on module Pairing.Group class Monoid g => CyclicGroup g generator :: CyclicGroup g => g order :: CyclicGroup g => Proxy g -> Integer expn :: (CyclicGroup g, AsInteger e) => g -> e -> g inverse :: CyclicGroup g => g -> g -- | G1 is E(Fq) defined by y^2 = x^3 + b type G1 = Point Fq -- | G2 is E'(Fq2) defined by y^2 = x^3 + b / xi type G2 = Point Fq2 -- | GT is the subgroup of _r-th roots of unity of the multiplicative group of -- Fq12 type GT = Fq12 -- | Test whether a value in G1 satisfies the corresponding curve equation isOnCurveG1 :: G1 -> Bool -- | Test whether a value in G2 satisfies the corresponding curve equation isOnCurveG2 :: G2 -> Bool -- | Test whether a value is an _r-th root of unity isInGT :: GT -> Bool -- | Generator for G1 g1 :: G1 -- | Generator for G2 g2 :: G2 -- | Parameter for curve on Fq b1 :: Fq -- | Parameter for twisted curve over Fq2 b2 :: Fq2 hashToG1 :: 
(MonadIO m, MonadRandom m) => ByteString -> m G1 randomG1 :: (MonadIO m, MonadRandom m) => m G1 randomG2 :: (MonadIO m, MonadRandom m) => m G2 instance GHC.Base.Semigroup Pairing.Group.GT instance GHC.Base.Monoid Pairing.Group.GT instance Pairing.CyclicGroup.CyclicGroup Pairing.Group.GT instance GHC.Base.Semigroup Pairing.Group.G2 instance GHC.Base.Monoid Pairing.Group.G2 instance Pairing.CyclicGroup.CyclicGroup Pairing.Group.G2 instance GHC.Base.Semigroup Pairing.Group.G1 instance GHC.Base.Monoid Pairing.Group.G1 instance Pairing.CyclicGroup.CyclicGroup Pairing.Group.G1 instance Test.QuickCheck.Arbitrary.Arbitrary (Pairing.Point.Point Pairing.Fq.Fq) instance Test.QuickCheck.Arbitrary.Arbitrary (Pairing.Point.Point Pairing.Fq2.Fq2) -- | Implementation of the optimal Ate pairing on the curve BN128 module Pairing.Pairing -- | Optimal Ate pairing (including final exponentiation step) reducedPairing :: G1 -> G2 -> GT -- | Optimal Ate pairing without the final exponentiation step atePairing :: G1 -> G2 -> Fq12 -- | A faster way of performing the final exponentiation step finalExponentiation :: Fq12 -> GT -- | Naive implementation of the final exponentiation step finalExponentiationNaive :: Fq12 -> GT -- | Iterated frobenius morphisms on fields of characteristic _q, -- implemented naively frobeniusNaive :: Num a => Int -> a -> a -- | Binary expansion (missing the most-significant bit) representing the -- number 6 * _t + 2. -- --
--   29793968203157093288
--   = 0b11001110101111001011100000011100110111110011101100011101110101000
--   
ateLoopCountBinary :: [Bool] instance GHC.Classes.Eq Pairing.Pairing.EllCoeffs instance GHC.Show.Show Pairing.Pairing.EllCoeffs