cloudflare
diff --git a/‎ecc/bls12381/constants.go
+144-86 b/‎ecc/bls12381/constants.go
+144-86
diff --git a/‎ecc/bls12381/g1.go
+20-12 b/‎ecc/bls12381/g1.go
+20-12
@@ -2,7 +2,6 @@ package bls12381
 
 import (
 	"errors"
-	"fmt"
 
 	"github.com/cloudflare/circl/ecc/bls12381/ff"
 )
@@ -17,43 +16,71 @@ const ScalarSize = ff.ScalarSize
 func Order() []byte { return ff.ScalarOrder() }
 
 var (
-	g1Params struct {
-		b, _3b, genX, genY ff.Fp
-		cofactorSmall      [8]byte // (1-z), where z is the BLS12 parameter (big-endian).
-	}
-	g2Params struct {
-		b, _3b, genX, genY ff.Fp2
-		z                  [8]byte // z, where z is the BLS12 parameter (big-endian).
+	bls12381 struct { // Let z be the BLS12 parameter.
+		minusZ    [8]byte  //      (-z), (integer big-endian).
+		oneMinusZ [8]byte  //     (1-z), (integer big-endian).
+		g1Check   [16]byte // (z^2-1)/3, (integer big-endian).
 	}
+	g1Params struct{ b, _3b, genX, genY ff.Fp }
+	g2Params struct{ b, _3b, genX, genY ff.Fp2 }
+
+	// g1Isog11 is an isogeny of degree 11 from g1Iso(a,b) to G1 and is given
+	// by rational maps:
+	//  g1Iso(a,b) --> G1
+	//  (x,y,z)    |-> (x,y,1)
+	//                 (xNum/xDen, y * yNum/yDen, 1)
+	//                 (xNum*yDen, y * yNum*xDen, z*xDen*yDen)
+	// such that
+	//  xNum = \sum ai * x^i * z^(n-1-i), for 0 <= i < n, and n=12.
+	//  xDen = \sum bi * x^i * z^(n-1-i), for 0 <= i < n, and n=11.
+	//  yNum = \sum ci * x^i * z^(n-1-i), for 0 <= i < n, and n=16.
+	//  yDen = \sum di * x^i * z^(n-1-i), for 0 <= i < n, and n=16.
 	g1Isog11 struct {
-		a, b, c2 ff.Fp
-		c1       [48]byte // integer c1 = (p - 3) / 4 (big-endian)
-		xNum     [12]ff.Fp
-		xDen     [11]ff.Fp
-		yNum     [16]ff.Fp
-		yDen     [16]ff.Fp
+		a, b ff.Fp
+		xNum [12]ff.Fp
+		xDen [11]ff.Fp
+		yNum [16]ff.Fp
+		yDen [16]ff.Fp
 	}
+
+	// g2Isog3 is an isogeny of degree 3 from g2Iso(a,b) to G2 and is given
+	// by rational maps:
+	//  g2Iso(a,b) --> G2
+	//  (x,y,z)    |-> (x,y,1)
+	//                 (xNum/xDen, y * yNum/yDen, 1)
+	//                 (xNum*yDen, y * yNum*xDen, z*xDen*yDen)
+	// such that
+	//  xNum = \sum ai * x^i * z^(n-1-i), for 0 <= i < n, and n=4.
+	//  xDen = \sum bi * x^i * z^(n-1-i), for 0 <= i < n, and n=3.
+	//  yNum = \sum ci * x^i * z^(n-1-i), for 0 <= i < n, and n=4.
+	//  yDen = \sum di * x^i * z^(n-1-i), for 0 <= i < n, and n=4.
 	g2Isog3 struct {
 		a, b ff.Fp2
-		c1   [95]byte // integer c1 = (p^2 - 9) / 16 (big-endian)
-		c2   ff.Fp2   // sqrt(-1)
-		c3   ff.Fp2   // sqrt(c2)
-		c4   ff.Fp2   // sqrt(Z^3 / c3)
-		c5   ff.Fp2   // sqrt(Z^3 / (c2 * c3))
 		xNum [4]ff.Fp2
 		xDen [3]ff.Fp2
 		yNum [4]ff.Fp2
 		yDen [4]ff.Fp2
 	}
-	g1Check struct {
-		coef  [16]byte // coef  = (z^2-1)/3, where z is the BLS12 parameter (big-endian).
-		beta0 ff.Fp    // beta0 = F(2)^(2*(p-1)/3) where F = GF(p).
-		beta1 ff.Fp    // beta1 = F(2)^(1*(p-1)/3) where F = GF(p).
+	g1sswu struct {
+		Z  ff.Fp    // Z = 11.
+		c1 [48]byte // integer c1 = (p - 3) / 4 (big-endian)
+		c2 ff.Fp
+	}
+	g2sswu struct {
+		Z  ff.Fp2   // -(2 + I)
+		c1 [95]byte // integer c1 = (p^2 - 9) / 16 (big-endian)
+		c2 ff.Fp2   // sqrt(-1)
+		c3 ff.Fp2   // sqrt(c2)
+		c4 ff.Fp2   // sqrt(Z^3 / c3)
+		c5 ff.Fp2   // sqrt(Z^3 / (c2 * c3))
+	}
+	g1Sigma struct {
+		beta0 ff.Fp // beta0 = F(2)^(2*(p-1)/3) where F = GF(p).
+		beta1 ff.Fp // beta1 = F(2)^(1*(p-1)/3) where F = GF(p).
 	}
-	g2PsiCoeff struct {
-		minusZ [8]byte // (-z), where z is the BLS12 parameter (big-endian).
-		alpha  ff.Fp2  // alpha = w^2/Frob(w^2)
-		beta   ff.Fp2  // beta = w^3/Frob(w^3)
+	g2Psi struct {
+		alpha ff.Fp2 // alpha = w^2/Frob(w^2)
+		beta  ff.Fp2 // beta = w^3/Frob(w^3)
 	}
 )
 
@@ -66,31 +93,41 @@ func headerEncoding(isCompressed, isInfinity, isBigYCoord byte) byte {
 	return (isBigYCoord&0x1)<<5 | (isInfinity&0x1)<<6 | (isCompressed&0x1)<<7
 }
 
-// ratioKummer sets z = t/Frob(t) if it falls in Fp2, panics otherwise.
-func ratioKummer(z *ff.Fp2, t *ff.Fp12) {
-	var r ff.Fp12
-	r.Frob(t)
-	r.Inv(&r)
-	r.Mul(t, &r)
-	if r[1].IsZero() != 1 || r[0][1].IsZero() != 1 || r[0][2].IsZero() != 1 {
-		panic(fmt.Errorf("failure of result %v to be in Fp2", r))
+func err(e error) {
+	if e != nil {
+		panic(e)
 	}
-	*z = r[0][0]
 }
 
 func init() {
-	err := func(e error) {
-		if e != nil {
-			panic(e)
-		}
+	bls12381.oneMinusZ = [8]byte{ // (big-endian)
+		0xd2, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01,
+	}
+	bls12381.minusZ = [8]byte{ // (big-endian)
+		0xd2, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+	}
+	bls12381.g1Check = [16]byte{ // (big-endian)
+		0x39, 0x6c, 0x8c, 0x00, 0x55, 0x55, 0xe1, 0x56,
+		0x00, 0x00, 0x00, 0x00, 0x55, 0x55, 0x55, 0x55,
 	}
+	initG1Params()
+	initG2Params()
+	initG1Isog11()
+	initG2Isog3()
+	initG1sswu()
+	initG2sswu()
+	initSigma()
+	initPsi()
+}
 
+func initG1Params() {
 	g1Params.b.SetUint64(4)
 	g1Params._3b.SetUint64(12)
 	err(g1Params.genX.SetString("0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb"))
 	err(g1Params.genY.SetString("0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1"))
-	g1Params.cofactorSmall = [8]byte{0xd2, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01} // (big-endian)
+}
 
+func initG2Params() {
 	g2Params.b[0].SetUint64(4)
 	g2Params.b[1].SetUint64(4)
 	g2Params._3b[0].SetUint64(12)
@@ -99,20 +136,11 @@ func init() {
 	err(g2Params.genX[1].SetString("0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e"))
 	err(g2Params.genY[0].SetString("0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801"))
 	err(g2Params.genY[1].SetString("0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be"))
-	g2Params.z = [8]byte{0xd2, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01} // (big-endian)
+}
 
-	g1Isog11.c1 = [48]byte{ // (big-endian)
-		0x06, 0x80, 0x44, 0x7a, 0x8e, 0x5f, 0xf9, 0xa6,
-		0x92, 0xc6, 0xe9, 0xed, 0x90, 0xd2, 0xeb, 0x35,
-		0xd9, 0x1d, 0xd2, 0xe1, 0x3c, 0xe1, 0x44, 0xaf,
-		0xd9, 0xcc, 0x34, 0xa8, 0x3d, 0xac, 0x3d, 0x89,
-		0x07, 0xaa, 0xff, 0xff, 0xac, 0x54, 0xff, 0xff,
-		0xee, 0x7f, 0xbf, 0xff, 0xff, 0xff, 0xea, 0xaa,
-	}
+func initG1Isog11() {
 	err(g1Isog11.a.SetString("0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d"))
 	err(g1Isog11.b.SetString("0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0"))
-	err(g1Isog11.c2.SetString("0x3d689d1e0e762cef9f2bec6130316806b4c80eda6fc10ce77ae83eab1ea8b8b8a407c9c6db195e06f2dbeabc2baeff5"))
-
 	err(g1Isog11.xNum[0].SetString("0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7"))
 	err(g1Isog11.xNum[1].SetString("0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb"))
 	err(g1Isog11.xNum[2].SetString("0x0d54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0"))
@@ -171,36 +199,11 @@ func init() {
 	err(g1Isog11.yDen[13].SetString("0x02660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7"))
 	err(g1Isog11.yDen[14].SetString("0x0e0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f"))
 	g1Isog11.yDen[15].SetOne()
+}
 
+func initG2Isog3() {
 	err(g2Isog3.a.SetString("0x00", "0xF0"))
 	err(g2Isog3.b.SetString("0x03F4", "0x03F4"))
-	g2Isog3.c1 = [95]byte{ // (big-endian)
-		0x2a, 0x43, 0x7a, 0x4b, 0x8c, 0x35, 0xfc, 0x74,
-		0xbd, 0x27, 0x8e, 0xaa, 0x22, 0xf2, 0x5e, 0x9e,
-		0x2d, 0xc9, 0x0e, 0x50, 0xe7, 0x04, 0x6b, 0x46,
-		0x6e, 0x59, 0xe4, 0x93, 0x49, 0xe8, 0xbd, 0x05,
-		0x0a, 0x62, 0xcf, 0xd1, 0x6d, 0xdc, 0xa6, 0xef,
-		0x53, 0x14, 0x93, 0x30, 0x97, 0x8e, 0xf0, 0x11,
-		0xd6, 0x86, 0x19, 0xc8, 0x61, 0x85, 0xc7, 0xb2,
-		0x92, 0xe8, 0x5a, 0x87, 0x09, 0x1a, 0x04, 0x96,
-		0x6b, 0xf9, 0x1e, 0xd3, 0xe7, 0x1b, 0x74, 0x31,
-		0x62, 0xc3, 0x38, 0x36, 0x21, 0x13, 0xcf, 0xd7,
-		0xce, 0xd6, 0xb1, 0xd7, 0x63, 0x82, 0xea, 0xb2,
-		0x6a, 0xa0, 0x00, 0x01, 0xc7, 0x18, 0xe3,
-	}
-	err(g2Isog3.c2.SetString("0x00", "0x01"))
-	err(g2Isog3.c3.SetString(
-		"0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2",
-		"0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
-	))
-	err(g2Isog3.c4.SetString(
-		"0x699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90",
-		"0x8157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5",
-	))
-	err(g2Isog3.c5.SetString(
-		"0xf5d0d63d2797471e6d39f306cc0dc0ab85de3bd9f39ce46f3649ac0de9e844417cc8de88716c1fd323fa68040801aea",
-		"0xab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17",
-	))
 
 	err(g2Isog3.xNum[0].SetString(
 		"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6",
@@ -259,23 +262,78 @@ func init() {
 		"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99",
 	))
 	g2Isog3.yDen[3].SetOne()
+}
 
-	err(g1Check.beta0.SetString("0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac"))
-	err(g1Check.beta1.SetString("0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe"))
+func initG1sswu() {
+	g1sswu.Z.SetUint64(11)
+	g1sswu.c1 = [48]byte{ // (big-endian)
+		0x06, 0x80, 0x44, 0x7a, 0x8e, 0x5f, 0xf9, 0xa6,
+		0x92, 0xc6, 0xe9, 0xed, 0x90, 0xd2, 0xeb, 0x35,
+		0xd9, 0x1d, 0xd2, 0xe1, 0x3c, 0xe1, 0x44, 0xaf,
+		0xd9, 0xcc, 0x34, 0xa8, 0x3d, 0xac, 0x3d, 0x89,
+		0x07, 0xaa, 0xff, 0xff, 0xac, 0x54, 0xff, 0xff,
+		0xee, 0x7f, 0xbf, 0xff, 0xff, 0xff, 0xea, 0xaa,
+	}
+	err(g1sswu.c2.SetString("0x3d689d1e0e762cef9f2bec6130316806b4c80eda6fc10ce77ae83eab1ea8b8b8a407c9c6db195e06f2dbeabc2baeff5"))
+}
 
-	g1Check.coef = [16]byte{0x39, 0x6c, 0x8c, 0x00, 0x55, 0x55, 0xe1, 0x56, 0x00, 0x00, 0x00, 0x00, 0x55, 0x55, 0x55, 0x55} // (big-endian)
+func initG2sswu() {
+	g2sswu.Z[1].SetUint64(1)
+	g2sswu.Z[0].SetUint64(2)
+	g2sswu.Z.Neg()
+	g2sswu.c1 = [95]byte{ // (big-endian)
+		0x2a, 0x43, 0x7a, 0x4b, 0x8c, 0x35, 0xfc, 0x74,
+		0xbd, 0x27, 0x8e, 0xaa, 0x22, 0xf2, 0x5e, 0x9e,
+		0x2d, 0xc9, 0x0e, 0x50, 0xe7, 0x04, 0x6b, 0x46,
+		0x6e, 0x59, 0xe4, 0x93, 0x49, 0xe8, 0xbd, 0x05,
+		0x0a, 0x62, 0xcf, 0xd1, 0x6d, 0xdc, 0xa6, 0xef,
+		0x53, 0x14, 0x93, 0x30, 0x97, 0x8e, 0xf0, 0x11,
+		0xd6, 0x86, 0x19, 0xc8, 0x61, 0x85, 0xc7, 0xb2,
+		0x92, 0xe8, 0x5a, 0x87, 0x09, 0x1a, 0x04, 0x96,
+		0x6b, 0xf9, 0x1e, 0xd3, 0xe7, 0x1b, 0x74, 0x31,
+		0x62, 0xc3, 0x38, 0x36, 0x21, 0x13, 0xcf, 0xd7,
+		0xce, 0xd6, 0xb1, 0xd7, 0x63, 0x82, 0xea, 0xb2,
+		0x6a, 0xa0, 0x00, 0x01, 0xc7, 0x18, 0xe3,
+	}
+	err(g2sswu.c2.SetString("0x00", "0x01"))
+	err(g2sswu.c3.SetString(
+		"0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2",
+		"0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
+	))
+	err(g2sswu.c4.SetString(
+		"0x699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90",
+		"0x8157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5",
+	))
+	err(g2sswu.c5.SetString(
+		"0xf5d0d63d2797471e6d39f306cc0dc0ab85de3bd9f39ce46f3649ac0de9e844417cc8de88716c1fd323fa68040801aea",
+		"0xab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17",
+	))
+}
 
-	initPsi()
+func initSigma() {
+	err(g1Sigma.beta0.SetString("0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac"))
+	err(g1Sigma.beta1.SetString("0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe"))
 }
 
 func initPsi() {
-	g2PsiCoeff.minusZ = [8]byte{0xd2, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00} // (big-endian)
+	// ratioKummer sets z = t/Frob(t) if it falls in Fp2, panics otherwise.
+	ratioKummer := func(z *ff.Fp2, t *ff.Fp12) {
+		var r ff.Fp12
+		r.Frob(t)
+		r.Inv(&r)
+		r.Mul(t, &r)
+		if r[1].IsZero() != 1 || r[0][1].IsZero() != 1 || r[0][2].IsZero() != 1 {
+			err(errors.New("failure of result to be in Fp2"))
+		}
+		*z = r[0][0]
+	}
+
 	w := &ff.Fp12{}
 	w[1].SetOne()
 	wsq := &ff.Fp12{}
 	wsq.Sqr(w)
-	ratioKummer(&g2PsiCoeff.alpha, wsq)
+	ratioKummer(&g2Psi.alpha, wsq)
 	wcube := &ff.Fp12{}
 	wcube.Mul(wsq, w)
-	ratioKummer(&g2PsiCoeff.beta, wcube)
+	ratioKummer(&g2Psi.beta, wcube)
 }
@@ -136,20 +136,28 @@ func (g *G1) cmov(P *G1, b int) {
 	(&g.z).CMov(&g.z, &P.z, b)
 }
 
+// sigma is an edomorphism defined by (x, y) → (βx, y) for some β ∈ Fp of
+// multiplicative order 3.
+func (g *G1) sigma(P *G1) { *g = *P; g.x.Mul(&g.x, &g1Sigma.beta0) }
+
+// sigma2 is sigma(sigma(P)).
+func (g *G1) sigma2(P *G1) { *g = *P; g.x.Mul(&g.x, &g1Sigma.beta1) }
+
 // isRTorsion returns true if point is in the r-torsion subgroup.
 func (g *G1) isRTorsion() bool {
 	// Bowe, "Faster Subgroup Checks for BLS12-381" (https://eprint.iacr.org/2019/814)
-	Q, _2sP, ssP := &G1{}, *g, *g
-
-	_2sP.x.Mul(&g.x, &g1Check.beta0)      // s(P)
-	_2sP.Double()                         // 2*s(P)
-	ssP.x.Mul(&g.x, &g1Check.beta1)       // s(s(P))
-	Q.Add(g, &ssP)                        // P + s(s(P))
-	Q.Neg()                               // -P - s(s(P))
-	Q.Add(Q, &_2sP)                       // 2*s(P) - P - s(s(P))
-	Q.scalarMultShort(g1Check.coef[:], Q) // coef * [2*s(P) - P - s(s(P))]
-	ssP.Neg()                             // -s(s(P))
-	Q.Add(Q, &ssP)                        // coef * [2*s(P) - P - s(s(P))] - s(s(P))
+	Q, _2sP, ssP := &G1{}, &G1{}, &G1{}
+	coef := bls12381.g1Check[:]
+
+	_2sP.sigma(g)              // s(P)
+	_2sP.Double()              // 2*s(P)
+	ssP.sigma2(g)              // s(s(P))
+	Q.Add(g, ssP)              // P + s(s(P))
+	Q.Neg()                    // -P - s(s(P))
+	Q.Add(Q, _2sP)             // 2*s(P) - P - s(s(P))
+	Q.scalarMultShort(coef, Q) // coef * [2*s(P) - P - s(s(P))]
+	ssP.Neg()                  // -s(s(P))
+	Q.Add(Q, ssP)              // coef * [2*s(P) - P - s(s(P))] - s(s(P))
 
 	return Q.IsIdentity()
 }
@@ -162,7 +170,7 @@ func (g *G1) isRTorsion() bool {
 // and because there are no points of order h^2. See Section 5 of Wahby-Boneh
 // "Fast and simple constant-time hashing to the BLS12-381 elliptic curve" at
 // https://eprint.iacr.org/2019/403
-func (g *G1) clearCofactor() { g.scalarMultShort(g1Params.cofactorSmall[:], g) }
+func (g *G1) clearCofactor() { g.scalarMultShort(bls12381.oneMinusZ[:], g) }
 
 // Double updates g = 2g.
 func (g *G1) Double() {