From 76b13b05edab0bdf26b918286670bccf9013a0bf Mon Sep 17 00:00:00 2001
From: MITSUNARI Shigeo <herumi@nifty.com>
Date: Sat, 22 Sep 2018 08:51:34 +0900
Subject: [PATCH] mapToFunction for BLS12 is changed to calcBN

---
 include/mcl/bn.hpp  | 18 +++++++++++++++++-
 readme.md           |  4 ++++
 test/bls12_test.cpp | 13 +++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/include/mcl/bn.hpp b/include/mcl/bn.hpp
index 38f3f8d..8e9a9c6 100644
--- a/include/mcl/bn.hpp
+++ b/include/mcl/bn.hpp
@@ -414,6 +414,9 @@ struct MapTo {
 #endif
 #endif
 	}
+	/*
+		1.2~1.4 times faster than calBN
+	*/
 	template<class G, class F>
 	void naiveMapTo(G& P, const F& t) const
 	{
@@ -480,6 +483,10 @@ struct MapTo {
 		z_ = z;
 		// cofactor for G1
 		cofactor_ = (z - 1) * (z - 1) / 3;
+		bool b = Fp::squareRoot(c1_, -3);
+		assert(b);
+		(void)b;
+		c2_ = (c1_ - 1) / 2;
 	}
 	void init(const mpz_class& cofactor, const mpz_class &z, bool isBN, int curveType = -1)
 	{
@@ -494,8 +501,13 @@ struct MapTo {
 	{
 		if (isBN_) {
 			if (!calcBN<G1, Fp>(P, t)) return false;
+			// no subgroup
 		} else {
+#ifdef MCL_USE_OLD_MAPTO_FOR_BLS12
 			naiveMapTo<G1, Fp>(P, t);
+#else
+			if (!calcBN<G1, Fp>(P, t)) return false;
+#endif
 			mulByCofactorBLS12(P, P);
 		}
 		assert(P.isValid());
@@ -510,7 +522,11 @@ struct MapTo {
 			if (!calcBN<G2, Fp2>(P, t)) return false;
 			mulByCofactorBN(P, P);
 		} else {
-			naiveMapTo<G2, Fp2>(P, t);
+#ifdef MCL_USE_OLD_MAPTO_FOR_BLS12
+			naiveMapTo<G1, Fp>(P, t);
+#else
+			if (!calcBN<G2, Fp2>(P, t)) return false;
+#endif
 			mulByCofactorBLS12(P, P);
 		}
 		assert(P.isValid());
diff --git a/readme.md b/readme.md
index a8a90ea..bea7e9d 100644
--- a/readme.md
+++ b/readme.md
@@ -9,6 +9,10 @@ A portable and fast pairing-based cryptography library.
 mcl is a library for pairing-based cryptography.
 The current version supports the optimal Ate pairing over BN curves and BLS12-381 curves.
 
+# News
+* break backward compatibility of mapToGi for BLS12. A map-to-function for BN is used.
+If `MCL_USE_OLD_MAPTO_FOR_BLS12` is defined, then the old function is used, but this will be removed in the future.
+
 # Support architecture
 
 * x86-64 Windows + Visual Studio
diff --git a/test/bls12_test.cpp b/test/bls12_test.cpp
index 7046a95..0aa06ae 100644
--- a/test/bls12_test.cpp
+++ b/test/bls12_test.cpp
@@ -631,10 +631,23 @@ void testCurve(const mcl::CurveParam& cp)
 }
 CYBOZU_TEST_AUTO(multi)
 {
+	G1 P;
+	G2 Q;
+	int i;
 	puts("BN254");
 	testCurve(mcl::BN254);
+	i = 1;
+	CYBOZU_BENCH_C("calcBN1", 100, (BN::param.mapTo.calcBN<G1, Fp>), P, i++);
+	CYBOZU_BENCH_C("naiveG2", 100, (BN::param.mapTo.naiveMapTo<G1, Fp>), P, i++);
+	CYBOZU_BENCH_C("calcBN2", 100, (BN::param.mapTo.calcBN<G2, Fp2>), Q, i++);
+	CYBOZU_BENCH_C("naiveG2", 100, (BN::param.mapTo.naiveMapTo<G2, Fp2>), Q, i++);
 	puts("BLS12_381");
 	testCurve(mcl::BLS12_381);
+	i = 1;
+	CYBOZU_BENCH_C("calcBN1", 100, (BN::param.mapTo.calcBN<G1, Fp>), P, i++);
+	CYBOZU_BENCH_C("naiveG1", 100, (BN::param.mapTo.naiveMapTo<G1, Fp>), P, i++);
+	CYBOZU_BENCH_C("calcBN2", 100, (BN::param.mapTo.calcBN<G2, Fp2>), Q, i++);
+	CYBOZU_BENCH_C("naiveG2", 100, (BN::param.mapTo.naiveMapTo<G2, Fp2>), Q, i++);
 }
 
 CYBOZU_TEST_AUTO(BLS12_G1mulCofactor)