refactor(bw6-761): PairingCheck uses millerLoopLines

std/algebra/emulated/sw_bls12381/pairing.go

@@ -289,23 +289,23 @@ func (pr Pairing) millerLoopLines(P []*G1Affine, lines []lineEvaluations, init *
 
 	// Compute ∏ᵢ { fᵢ_{x₀,Q}(P) }
 	res := pr.Ext12.One()
-	j := len(loopCounter) - 2
 
 	if init != nil {
 		res = init
 	}
 
+	j := len(loopCounter) - 2
 	if first {
-		// i = 62, separately to avoid an E12 Square
+		// i = j, separately to avoid an E12 Square
 		// (Square(res) = 1² = 1)
 		for k := 0; k < n; k++ {
 			res = pr.MulBy02368(res,
-				pr.MulByElement(&lines[k][0][62].R1, yInv[k]),
-				pr.MulByElement(&lines[k][0][62].R0, xNegOverY[k]),
+				pr.MulByElement(&lines[k][0][j].R1, yInv[k]),
+				pr.MulByElement(&lines[k][0][j].R0, xNegOverY[k]),
 			)
 			res = pr.MulBy02368(res,
-				pr.MulByElement(&lines[k][1][62].R1, yInv[k]),
-				pr.MulByElement(&lines[k][1][62].R0, xNegOverY[k]),
+				pr.MulByElement(&lines[k][1][j].R1, yInv[k]),
+				pr.MulByElement(&lines[k][1][j].R0, xNegOverY[k]),
 			)
 		}
 		j--

std/algebra/emulated/sw_bn254/pairing.go

@@ -446,17 +446,16 @@ func (pr Pairing) millerLoopLines(P []*G1Affine, lines []lineEvaluations, init *
 	// Compute f_{6x₀+2,Q}(P)
 	var prodLines [10]*baseEl
 	res := pr.Ext12.One()
-	j := len(loopCounter) - 2
 
 	var initInv GTEl
 	if init != nil {
 		res = init
 		initInv = *pr.Ext12.Inverse(init)
 	}
 
+	j := len(loopCounter) - 2
 	if first {
-		// i = 64
-		//
+		// i = j
 		// k = 0
 		c3 := pr.Ext2.MulByElement(&lines[0][0][j].R0, xNegOverY[0])
 		c4 := pr.Ext2.MulByElement(&lines[0][0][j].R1, yInv[0])

std/algebra/emulated/sw_bw6761/hints.go

@@ -81,14 +81,15 @@ func pairingCheckHint(nativeMod *big.Int, nativeInputs, nativeOutputs []*big.Int
 			var mInv big.Int
 			mInv.SetString("105300887666978464659709343582542432109497460559010677145223399327335567156593762277982229043678237863242655241846768823344862796112034076814141083092751207576412334798103601349742476585775877619451019850167305863473223932142842098178714149254582966792063312581807532675011404956270444910983750120675327025908192761069674135173328190635728173483753211505851991073745950587829640934449952514784880889959559541546684726344944253403018397996950965921029567425987659358091464001225755716260618839676545930683009926269854751616319103606509390667378268460666742713527948268373325914395974070631687649214144656759247037859773349886114399692016935966157297580328600396352321897692663748248168657388300690175586203114387947411720168269584172401784701771662759756974275902513788431327670950496435721956320875507468132703494465092748348925165286946843554008708392819919707156205920861214337368776935547492934209453494196115576830279851512338758088097719490141268227027970070242059962020992385206924254152017997017283665944910844784993588814611604460594039341562723060932582754994971346320340801549001828241339646153773031765187339622798156846331769418880530957782348437016822638577491500694745694281480857816937650066502281171825041093314285283892479458782481150957342407", 10)
 
-			residueWitness := finalExpWitness(&millerLoop, &mInv)
-
-			residueWitness.B0.A0.BigInt(outputs[0])
-			residueWitness.B0.A1.BigInt(outputs[2])
-			residueWitness.B0.A2.BigInt(outputs[4])
-			residueWitness.B1.A0.BigInt(outputs[1])
-			residueWitness.B1.A1.BigInt(outputs[3])
-			residueWitness.B1.A2.BigInt(outputs[5])
+			residueWitnessInv := finalExpWitness(&millerLoop, &mInv)
+			residueWitnessInv.Inverse(&residueWitnessInv)
+
+			residueWitnessInv.B0.A0.BigInt(outputs[0])
+			residueWitnessInv.B0.A1.BigInt(outputs[2])
+			residueWitnessInv.B0.A2.BigInt(outputs[4])
+			residueWitnessInv.B1.A0.BigInt(outputs[1])
+			residueWitnessInv.B1.A1.BigInt(outputs[3])
+			residueWitnessInv.B1.A2.BigInt(outputs[5])
 
 			return nil
 		})