Merge branch 'dev'

herumi · Jun 14, 2024 · c6dc373 · c6dc373
2 parents a0c23dd + 077343a
commit c6dc373
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 6 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,7 +6,7 @@ jobs:
     name: test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - run: lscpu
     - run: sudo apt update
     - run: sudo apt install valgrind nasm

diff --git a/Makefile b/Makefile
@@ -195,6 +195,8 @@ ifeq ($(MCL_MSM),1)
   LIB_OBJ+=$(OBJ_DIR)/$(MSM).o
 $(OBJ_DIR)/$(MSM).o: src/$(MSM).cpp
 	$(PRE)$(CXX) -c $< -o $@ $(CFLAGS) -mavx512f -mavx512ifma -std=c++11 $(CFLAGS_USER)
+else
+  CFLAGS+=-DMCL_MSM=0
 endif
 include/mcl/bint_proto.hpp: src/gen_bint_header.py
 	python3 $< > $@ proto $(GEN_BINT_HEADER_PY_OPT)

diff --git a/api.md b/api.md
@@ -46,7 +46,7 @@ The elliptic equation of a curve E is `E: y^2 = x^3 + b`.
 - `Fp12` ; the field extension over Fp6 with degree 2. Fp6[w] / (w^2 - v).
 - `G1` ; the cyclic subgroup of E(Fp).
 - `G2` ; the cyclic subgroup of the inverse image of E'(Fp^2) under a twisting isomorphism from E' to E.
-- `GT` ; the cyclic subgroup of Fp12.
+- `GT` ; the cyclic subgroup of Fp12, which is an alias of Fp12.
   - `G1`, `G2`, and `GT` have the order `r`.
 
 The pairing e: G1 x G2 -> GT is the optimal ate pairing.
@@ -588,6 +588,18 @@ T::mulVec(T& z, T* x, const Fr *y, size_t n);
 - z = prod_{i=0}^{n-1} pow(x[i], y[i]) for GT.
 - `x[]` does not const because they may be normailzed (The value does not change).
 
+### scalar multiplication of each point
+```
+void mclBnG1_mulEach(mclBnG1 *x, const mclBnFr *y, mclSize n);
+```
+C++
+```
+G1::mulEach(G1 *xVec, const Fr *yVec, size_t n);
+```
+
+- xVec[i] *= yVec[i]
+- `G1::mulVec` and `G1::mulEach` for BLS12-381 use AVX-512 IFMA if possible
+
 ## hash-to-curve function
 ### Set hash of `buf[0..bufSize-1]` to `x`
 ```
@@ -602,7 +614,7 @@ T::setHashOf(const void *msg, size_t msgSize);
 - always return 0
 - use SHA-256 if sizeof(*x) <= 256 else SHA-512
 - set according to the same way as `setLittleEndian`.
-- This is a function for backward compatibility only. Do not use it.
+- This is a function for backward compatibility only. DO'NT use it. Instead of this, use setLittleEndianMod to the hashed value.
 
 ### map `x` to G1 / G2.
 ```

diff --git a/include/mcl/gmp_util.hpp b/include/mcl/gmp_util.hpp
@@ -37,6 +37,9 @@ typedef mcl::Vint mpz_class;
 	#pragma warning(pop)
 	#include <cybozu/link_mpir.hpp>
 #endif
+#if MCL_SIZEOF_UNIT == 8 && (defined(_LONG_LONG_LIMB) || defined(__APPLE__))
+	#define MCL_GMP_CANT_USE_UINT
+#endif
 #endif
 
 namespace mcl {
@@ -88,6 +91,28 @@ inline void set(mpz_class& z, uint64_t x)
 	assert(b);
 	(void)b;
 }
+// z = x
+inline void setUnit(mpz_class& z, Unit x)
+{
+#ifdef MCL_GMP_CANT_USE_UINT
+	set(z, x);
+#else
+	z = x;
+#endif
+}
+
+// z += x
+inline void addUnit(mpz_class& z, Unit x)
+{
+#ifdef MCL_GMP_CANT_USE_UINT
+	mpz_class t;
+	setUnit(t, x);
+	z += t;
+#else
+	z += x;
+#endif
+}
+
 inline void setStr(bool *pb, mpz_class& z, const char *str, int base = 0)
 {
 #ifdef MCL_USE_VINT

diff --git a/src/msm_avx.cpp b/src/msm_avx.cpp
@@ -84,10 +84,11 @@ inline void toArray(Unit x[N], const mpz_class& mx)
 template<size_t N>
 inline mpz_class fromArray(const Unit x[N])
 {
-	mpz_class mx = x[N-1];
+	mpz_class mx;
+	mcl::gmp::setUnit(mx, x[N-1]);
 	for (size_t i = 1; i < N; i++) {
 		mx <<= W;
-		mx += x[N-1-i];
+		mcl::gmp::addUnit(mx, x[N-1-i]);
 	}
 	return mx;
 }
@@ -567,9 +568,10 @@ class Montgomery {
 	void mod(mpz_class& z, const mpz_class& xy) const
 	{
 		z = xy;
+		mpz_class t;
 		for (size_t i = 0; i < N; i++) {
 			Unit q = (getLow(z) * rp) & g_mask;
-			mpz_class t = q;
+			mcl::gmp::setUnit(t, q);
 			z += mp * t;
 			z >>= W;
 		}