Module Bls12_381.G1

Elliptic curve built over the field Fq and the equation y^2 = x^3 + 4

include CURVE
exception Not_on_curve of Stdlib.Bytes.t
type t

The type of the element on the curve and in the prime subgroup. The point is given in jacobian coordinates

type affine

An element on the curve and in the prime subgroup, in affine coordinates

val affine_of_jacobian : t -> affine

affine_of_jacobian p creates a new value of type affine representing the point p in affine coordinates

val jacobian_of_affine : affine -> t

jacobian_of_affine p creates a new value of type t representing the point p in jacobian coordinates

type affine_array

Contiguous C array containing points in affine coordinates

val to_affine_array : t array -> affine_array

to_affine_array pts builds a contiguous C array and populate it with the points pts in affine coordinates. Use it with pippenger_with_affine_array to get better performance.

val of_affine_array : affine_array -> t array

Build a OCaml array of t values from the contiguous C array

val affine_array_of_compressed_bytes_opt : subgroup_check:bool -> Stdlib.Bytes.t array -> affine_array option

affine_array_of_compressed_bytes_opt pts builds a contiguous C array and populate it with the points pts in affine coordinates from their compressed representation in bytes.

If subgroup_check is set, the function also checks if the points are in the prime subgroup.

Use it with affine_add_bulk to get better performance

val size_of_affine_array : affine_array -> int

Return the number of elements in the array

val size_in_memory : int

Actual number of bytes allocated for a value of type t

val compressed_size_in_bytes : int

Size in bytes for the compressed representation

val size_in_bytes : int

The size of a point representation, in bytes

module Scalar : Ff_sig.PRIME with type t = Fr.t
val check_bytes : Stdlib.Bytes.t -> bool

Check if a point, represented as a byte array, is on the curve and in the prime subgroup. The bytes must be of length size_in_bytes.

val of_bytes_opt : Stdlib.Bytes.t -> t option

Attempt to construct a point from a byte array of length size_in_bytes. Return None if the bytes do not represent a point on the curve and in the prime subgroup.

val of_bytes_exn : Stdlib.Bytes.t -> t

Attempt to construct a point from a byte array of length size_in_bytes. Raise Not_on_curve if the point is not on the curve and in the prime subgroup.

val of_compressed_bytes_opt : Stdlib.Bytes.t -> t option

Allocates a new point from a byte of length size_in_bytes / 2 array representing a point in compressed form. Return None if the bytes do not represent a point on the curve and in the prime subgroup.

val of_compressed_bytes_exn : Stdlib.Bytes.t -> t

Allocates a new point from a byte array of length size_in_bytes / 2 representing a point in compressed form. Raise Not_on_curve if the point is not on the curve and in the prime subgroup.

val to_bytes : t -> Stdlib.Bytes.t

Return a representation in bytes

val to_compressed_bytes : t -> Stdlib.Bytes.t

Return a compressed bytes representation

val zero : t

Zero of the elliptic curve

val one : t

A fixed generator of the elliptic curve

val is_zero : t -> bool

Return true if the given element is zero

val copy : t -> t

copy x return a fresh copy of x

val random : ?state:Stdlib.Random.State.t -> unit -> t

Generate a random element. The function ensures the element is on the curve and in the prime subgroup.

The routines in the module Random.State are used to generate the elements. A state can be given to the function to be used. If no state is given, Random.get_state is used.

To create a value of type Random.State.t, you can use Random.State.make [|42|].

val add : t -> t -> t

Return the addition of two element

val add_inplace : t -> t -> t -> unit

add_inplace res a b is the same than add but writes the result in res. No allocation happens.

val add_bulk : t list -> t

add_bulk xs returns the sum of the elements of xs by performing only one allocation for the output. This method is recommended to save the allocation overhead of using n times add.

val affine_add_bulk : affine_array -> t

affine_add_bulk xs returns the sum of the elements of xs by performing only one allocation for the output.

val double : t -> t

double g returns 2g

val negate : t -> t

Return the opposite of the element

val eq : t -> t -> bool

Return true if the two elements are algebraically the same

val mul : t -> Scalar.t -> t

Multiply an element by a scalar

val mul_inplace : t -> t -> Scalar.t -> unit

mul_inplace g x is the same than mul but writes the output in res. No allocation happens.

val hash_to_curve : Stdlib.Bytes.t -> Stdlib.Bytes.t -> t

hash_to_curve msg dst follows the standard Hashing to Elliptic Curves applied to BLS12-381

val pippenger : ?start:int -> ?len:int -> t array -> Scalar.t array -> t

pippenger ?start ?len pts scalars computes the multi scalar exponentiation/multiplication. The scalars are given in scalars and the points in pts. If pts and scalars are not of the same length, perform the computation on the first n points where n is the smallest size. Arguments start and len can be used to take advantages of multicore OCaml. Default value for start (resp. len) is 0 (resp. the length of the array scalars).

  • raises Invalid_argument

    if start or len would infer out of bounds array access.

Perform allocations on the C heap to convert scalars to bytes and to convert the points pts in affine coordinates as values of type t are in jacobian coordinates.

Warning. Undefined behavior if the point to infinity is in the array

val pippenger_with_affine_array : ?start:int -> ?len:int -> affine_array -> Scalar.t array -> t

pippenger_with_affine_array ?start ?len pts scalars computes the multi scalar exponentiation/multiplication. The scalars are given in scalars and the points in pts. If pts and scalars are not of the same length, perform the computation on the first n points where n is the smallest length. The differences with pippenger are 1. the points are loaded in a contiguous C array to speed up the access to the elements by relying on the CPU cache 2. and the points are in affine coordinates, the form expected by the algorithm implementation, avoiding new allocations and field inversions required to convert from jacobian (representation of a points of type t, as expected by pippenger) to affine coordinates. Expect a speed improvement around 20% compared to pippenger, and less allocation on the C heap. A value of affine_array can be built using to_affine_array. Arguments start and len can be used to take advantages of multicore OCaml. Default value for start (resp. len) is 0 (resp. the length of the array scalars).

  • raises Invalid_argument

    if start or len would infer out of bounds array access.

Perform allocations on the C heap to convert scalars to bytes.

Warning. Undefined behavior if the point to infinity is in the array

val pippenger_with_compressed_bytes_array_opt : subgroup_check:bool -> Stdlib.Bytes.t array -> Scalar.t array -> Stdlib.Bytes.t option

pippenger_with_compressed_bytes_array_opt points scalars computes the multi-scalar multiplication, i.e., the sum of scalars[i] * points[i].

If subgroup_check is set, the function also checks if the points are in the prime subgroup.

Returns None if deserialization of points fails.

val add_bulk_with_compressed_bytes_array_opt : subgroup_check:bool -> Stdlib.Bytes.t array -> Stdlib.Bytes.t option

add_bulk_with_compressed_bytes_array_opt points computes the sum of points[i].

If subgroup_check is set, the function also checks if the points are in the prime subgroup.

Returns None if deserialization of points fails.

val of_z_opt : x:Z.t -> y:Z.t -> t option

Create a point from the coordinates. If the point is not on the curve and in the prime subgroup,returns None. The points must be given modulo the order of Fq. To create the point at infinity, use zero