faster multiplication of original G2 cofactor

include/mcl/bn.hpp

@@ -325,6 +325,7 @@ struct MapTo {
 	mpz_class z_;
 	mpz_class cofactor_;
 	mpz_class g2cofactor_;
+	Fr g2cofactorAdj_;
 	int type_;
 	int mapToMode_;
 	bool useOriginalG2cofactor_;
@@ -459,13 +460,10 @@ struct MapTo {
 		Efficient hash maps to G2 on BLS curves
 		Alessandro Budroni, Federico Pintore
 		Q = (z(z-1)-1)P + Frob((z-1)P) + Frob^2(2P)
+		original G2 cofactor = this cofactor * g2cofactorAdj_
 	*/
-	void mulByCofactorBLS12(G2& Q, const G2& P) const
+	void mulByCofactorBLS12fast(G2& Q, const G2& P) const
 	{
-		if (useOriginalG2cofactor_) {
-			G2::mulGeneric(Q, P, g2cofactor_);
-			return;
-		}
 		G2 T0, T1;
 		G2::mulGeneric(T0, P, z_ - 1);
 		G2::mulGeneric(T1, T0, z_);
@@ -476,6 +474,14 @@ struct MapTo {
 		Frobenius2(T1, T1);
 		G2::add(Q, T0, T1);
 	}
+	void mulByCofactorBLS12(G2& Q, const G2& P) const
+	{
+		mulByCofactorBLS12fast(Q, P);
+		if (useOriginalG2cofactor_) {
+			Q *= g2cofactorAdj_;
+			return;
+		}
+	}
 	/*
 		cofactor_ is for G2(not used now)
 	*/
@@ -508,6 +514,11 @@ struct MapTo {
 		assert(b);
 		(void)b;
 		c2_ = (c1_ - 1) / 2;
+		mpz_class t = (z * z - 1) * 3;;
+		g2cofactorAdj_.setMpz(&b, t);
+		assert(b);
+		(void)b;
+		Fr::inv(g2cofactorAdj_, g2cofactorAdj_);
 	}
 	/*
 		change mapTo function to mode

test/bls12_test.cpp

@@ -733,6 +733,19 @@ CYBOZU_TEST_AUTO(eth2)
 	CYBOZU_BENCH_C("mapToG2  org-cofactor", 1000, mapToG2, Q, m);
 	setOriginalG2cofactor(false);
 	CYBOZU_BENCH_C("mapToG2 fast-cofactor", 1000, mapToG2, Q, m);
+
+	Fp2 x;
+	x.a = 5;
+	x.b = 3;
+	const mpz_class& g2c = BN::param.mapTo.g2cofactor_;
+	const Fr& g2ca = BN::param.mapTo.g2cofactorAdj_;
+	G2 Q1, Q2, Q3;
+	BN::param.mapTo.mapToEc(Q, x);
+	G2::mulGeneric(Q1, Q, g2c);
+	Q2 = Q;
+	BN::param.mapTo.mulByCofactor(Q2);
+	Q2 *= g2ca;
+	CYBOZU_TEST_EQUAL(Q1, Q2);
 }
 
 typedef std::vector<Fp> FpVec;