-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/
-- | Bilinear pairings
--
-- Optimal Ate pairing over Barreto-Naehrig curves
@package pairing
@version 0.5.0
module Pairing.Curve
-- | Prime field Fq.
type Fq = Fq
-- | Quadratic extension field of Fq defined as Fq2 =
-- Fq[u]/+ 1.
type Fq2 = Fq2
-- | Cubic extension field of Fq2 defined as Fq6 = Fq2[v]/-
-- (9 + u).
type Fq6 = Fq6
-- | Quadratic extension field of Fq6 defined as Fq12 =
-- Fq6[w]/- v.
type Fq12 = Fq12
-- | Prime field Fr.
type Fr = Fr
-- | G1 is E(Fq) defined by y^2 = x^3 + b.
type G1 = PA
-- | G2 is E'(Fq2) defined by y^2 = x^3 + b / xi.
type G2 = PA
-- | G2' is G2 in Jacobian coordinates.
type G2' = PJ
-- | GT is subgroup of r-th roots of unity of the multiplicative
-- group of Fq12.
type GT = P
-- | Generator of G1.
gG1 :: G1
-- | Generator of G2.
gG2 :: G2
-- | Generator of GT.
gGT :: GT
-- | Order of G1.
rG1 :: Integer
-- | Order of G2.
rG2 :: Integer
-- | Order of GT.
rGT :: Integer
-- | Elliptic curve E(Fq) coefficient A, with y = x^3
-- + Ax + B.
_a :: Fq
-- | Elliptic curve E(Fq2) coefficient A', with y =
-- x^3 + A'x + B'.
_a' :: Fq2
-- | Elliptic curve E(Fq) coefficient B, with y = x^3
-- + Ax + B.
_b :: Fq
-- | Elliptic curve E(Fq2) coefficient B', with y =
-- x^3 + A'x + B'.
_b' :: Fq2
-- | Embedding degree.
_k :: Integer
-- | Quadratic nonresidue in Fq.
_nqr :: Integer
-- | Characteristic of finite fields.
_q :: Integer
-- | Order of G1 and characteristic of prime field of exponents.
_r :: Integer
-- | BN parameter that determines the prime _q.
_t :: Integer
-- | Parameter of twisted curve over Fq.
_xi :: Fq2
-- | Conjugation.
conj :: forall k im. IrreducibleMonic k im => ExtensionField k im -> ExtensionField k im
-- | Get Y coordinate from X coordinate given a curve and a choice
-- function.
getYfromX :: Curve f c e q r => Point f c e q r -> (q -> q -> q) -> q -> Maybe q
-- | Scalar multiplication.
scale :: IrreducibleMonic k im => k -> ExtensionField k im -> ExtensionField k im
-- | Multiply by _xi (cubic nonresidue in Fq2) and
-- reorder coefficients.
mulXi :: Fq6 -> Fq6
-- | Iterated Frobenius automorphism in Fq12.
fq12Frobenius :: Int -> Fq12 -> Fq12
-- | Check if an element is a root of unity.
isRootOfUnity :: Integer -> Fr -> Bool
-- | Check if an element is a primitive root of unity.
isPrimitiveRootOfUnity :: Integer -> Fr -> Bool
-- | Compute primitive roots of unity for 2^0, 2^1, ..., 2^28. (2^28 is the
-- largest power of two that divides _r - 1, therefore there are no
-- primitive roots of unity for higher powers of 2 in Fr.)
primitiveRootOfUnity :: Int -> Fr
-- | Precompute roots of unity.
precompRootOfUnity :: Int -> Fr
module Pairing.ByteRepr
data ByteOrder
MostSignificantFirst :: ByteOrder
LeastSignificantFirst :: ByteOrder
data ByteOrderLength
ByteOrderLength :: ByteOrder -> ElementLength -> ByteOrderLength
[byteOrder] :: ByteOrderLength -> ByteOrder
[lenPerElement] :: ByteOrderLength -> ElementLength
class ByteRepr a
mkRepr :: ByteRepr a => ByteOrderLength -> a -> Maybe ByteString
fromRepr :: ByteRepr a => ByteOrderLength -> a -> ByteString -> Maybe a
calcReprLength :: ByteRepr a => a -> ElementLength -> Int
fromBytesToInteger :: ByteOrder -> ByteString -> Integer
toBytes :: Integer -> ByteString
toPaddedBytes :: ByteOrderLength -> Integer -> Maybe ByteString
instance Pairing.ByteRepr.ByteRepr Pairing.Curve.Fq
instance Pairing.ByteRepr.ByteRepr Pairing.Curve.Fq2
instance Pairing.ByteRepr.ByteRepr Pairing.Curve.Fq6
instance Pairing.ByteRepr.ByteRepr Pairing.Curve.Fq12
module Pairing.Hash
-- | Encodes a given byte string to a point on the BN curve. The
-- implementation uses the Shallue-van de Woestijne encoding to BN curves
-- as specified in Section 6 of Indifferentiable Hashing to Barreto
-- Naehrig Curves by Pierre-Alain Fouque and Mehdi Tibouchi. This
-- function evaluates an empty bytestring or one that contains NUL to
-- zero, which according to Definition 2 of the paper is sent to an
-- arbitrary point on the curve.
swEncBN :: MonadRandom m => ByteString -> m (Maybe G1)
-- | Implementation of the optimal Ate pairing on the curve BN128
module Pairing.Pairing
-- | Optimal Ate pairing (including final exponentiation step)
reducedPairing :: G1 -> G2 -> GT
-- | Optimal Ate pairing without the final exponentiation step
atePairing :: G1 -> G2 -> GT
-- | A faster way of performing the final exponentiation step
finalExponentiation :: Fq12 -> Fq12
-- | Naive implementation of the final exponentiation step
finalExponentiationNaive :: Fq12 -> Fq12
-- | Iterated frobenius morphisms on fields of characteristic _q,
-- implemented naively
frobeniusNaive :: Num a => Int -> a -> a
-- | Binary expansion (missing the most-significant bit) representing the
-- number 6 * _t + 2.
--
--
-- 29793968203157093288
-- = 0b11001110101111001011100000011100110111110011101100011101110101000
--
ateLoopCountBinary :: [Bool]
instance GHC.Classes.Eq Pairing.Pairing.EllCoeffs
instance GHC.Show.Show Pairing.Pairing.EllCoeffs
-- | Point serialisation using
-- https://tools.ietf.org/id/draft-jivsov-ecc-compact-05.html It
-- is unclear if 02 is smallest y or not so the following is used in the
-- first 2 bytes 01 - Point at infinity 02 - Compressed repr i.e. x only
-- but use smallest y on decode 03 - Compressed repr i.e. x only but use
-- largest y on decode 04 -- Uncompressed repr i.e. x & y
module Pairing.Serialize.Jivsov
-- | MCL WASM (https:/github.comherumi/mcl-wasm) serialisation
-- support MCL WASM uses the following algorithm to serialise P = (x, y)
-- in G1 if P.isZero() then 64-bytes zero. otherwise, d = x.serialize()
-- if (y.isOdd()) d[MSB] |= 0x80 On analysis of the GT format, each
-- element of GT is simply LSB serialised and appended as a continuous
-- bytestring, using the element length to split each point
module Pairing.Serialize.MCLWasm
-- | Base API for Point serialisation for G1, G2 and GT
module Pairing.Serialize.Types