github.com/SmartMeshFoundation/Spectrum@v0.0.0-20220621030607-452a266fee1e/crypto/bn256/cloudflare/bn256.go (about)

     1  // Package bn256 implements a particular bilinear group at the 128-bit security
     2  // level.
     3  //
     4  // Bilinear groups are the basis of many of the new cryptographic protocols that
     5  // have been proposed over the past decade. They consist of a triplet of groups
     6  // (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ
     7  // is a generator of the respective group). That function is called a pairing
     8  // function.
     9  //
    10  // This package specifically implements the Optimal Ate pairing over a 256-bit
    11  // Barreto-Naehrig curve as described in
    12  // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
    13  // with the implementation described in that paper.
    14  package bn256
    15  
    16  import (
    17  	"crypto/rand"
    18  	"errors"
    19  	"io"
    20  	"math/big"
    21  )
    22  
    23  func randomK(r io.Reader) (k *big.Int, err error) {
    24  	for {
    25  		k, err = rand.Int(r, Order)
    26  		if k.Sign() > 0 || err != nil {
    27  			return
    28  		}
    29  	}
    30  }
    31  
    32  // G1 is an abstract cyclic group. The zero value is suitable for use as the
    33  // output of an operation, but cannot be used as an input.
    34  type G1 struct {
    35  	p *curvePoint
    36  }
    37  
    38  // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
    39  func RandomG1(r io.Reader) (*big.Int, *G1, error) {
    40  	k, err := randomK(r)
    41  	if err != nil {
    42  		return nil, nil, err
    43  	}
    44  
    45  	return k, new(G1).ScalarBaseMult(k), nil
    46  }
    47  
    48  func (g *G1) String() string {
    49  	return "bn256.G1" + g.p.String()
    50  }
    51  
    52  // ScalarBaseMult sets e to g*k where g is the generator of the group and then
    53  // returns e.
    54  func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
    55  	if e.p == nil {
    56  		e.p = &curvePoint{}
    57  	}
    58  	e.p.Mul(curveGen, k)
    59  	return e
    60  }
    61  
    62  // ScalarMult sets e to a*k and then returns e.
    63  func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
    64  	if e.p == nil {
    65  		e.p = &curvePoint{}
    66  	}
    67  	e.p.Mul(a.p, k)
    68  	return e
    69  }
    70  
    71  // Add sets e to a+b and then returns e.
    72  func (e *G1) Add(a, b *G1) *G1 {
    73  	if e.p == nil {
    74  		e.p = &curvePoint{}
    75  	}
    76  	e.p.Add(a.p, b.p)
    77  	return e
    78  }
    79  
    80  // Neg sets e to -a and then returns e.
    81  func (e *G1) Neg(a *G1) *G1 {
    82  	if e.p == nil {
    83  		e.p = &curvePoint{}
    84  	}
    85  	e.p.Neg(a.p)
    86  	return e
    87  }
    88  
    89  // Set sets e to a and then returns e.
    90  func (e *G1) Set(a *G1) *G1 {
    91  	if e.p == nil {
    92  		e.p = &curvePoint{}
    93  	}
    94  	e.p.Set(a.p)
    95  	return e
    96  }
    97  
    98  // Marshal converts e to a byte slice.
    99  func (e *G1) Marshal() []byte {
   100  	// Each value is a 256-bit number.
   101  	const numBytes = 256 / 8
   102  
   103  	if e.p == nil {
   104  		e.p = &curvePoint{}
   105  	}
   106  
   107  	e.p.MakeAffine()
   108  	ret := make([]byte, numBytes*2)
   109  	if e.p.IsInfinity() {
   110  		return ret
   111  	}
   112  	temp := &gfP{}
   113  
   114  	montDecode(temp, &e.p.x)
   115  	temp.Marshal(ret)
   116  	montDecode(temp, &e.p.y)
   117  	temp.Marshal(ret[numBytes:])
   118  
   119  	return ret
   120  }
   121  
   122  // Unmarshal sets e to the result of converting the output of Marshal back into
   123  // a group element and then returns e.
   124  func (e *G1) Unmarshal(m []byte) ([]byte, error) {
   125  	// Each value is a 256-bit number.
   126  	const numBytes = 256 / 8
   127  	if len(m) < 2*numBytes {
   128  		return nil, errors.New("bn256: not enough data")
   129  	}
   130  	// Unmarshal the points and check their caps
   131  	if e.p == nil {
   132  		e.p = &curvePoint{}
   133  	} else {
   134  		e.p.x, e.p.y = gfP{0}, gfP{0}
   135  	}
   136  	var err error
   137  	if err = e.p.x.Unmarshal(m); err != nil {
   138  		return nil, err
   139  	}
   140  	if err = e.p.y.Unmarshal(m[numBytes:]); err != nil {
   141  		return nil, err
   142  	}
   143  	// Encode into Montgomery form and ensure it's on the curve
   144  	montEncode(&e.p.x, &e.p.x)
   145  	montEncode(&e.p.y, &e.p.y)
   146  
   147  	zero := gfP{0}
   148  	if e.p.x == zero && e.p.y == zero {
   149  		// This is the point at infinity.
   150  		e.p.y = *newGFp(1)
   151  		e.p.z = gfP{0}
   152  		e.p.t = gfP{0}
   153  	} else {
   154  		e.p.z = *newGFp(1)
   155  		e.p.t = *newGFp(1)
   156  
   157  		if !e.p.IsOnCurve() {
   158  			return nil, errors.New("bn256: malformed point")
   159  		}
   160  	}
   161  	return m[2*numBytes:], nil
   162  }
   163  
   164  // G2 is an abstract cyclic group. The zero value is suitable for use as the
   165  // output of an operation, but cannot be used as an input.
   166  type G2 struct {
   167  	p *twistPoint
   168  }
   169  
   170  // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.
   171  func RandomG2(r io.Reader) (*big.Int, *G2, error) {
   172  	k, err := randomK(r)
   173  	if err != nil {
   174  		return nil, nil, err
   175  	}
   176  
   177  	return k, new(G2).ScalarBaseMult(k), nil
   178  }
   179  
   180  func (e *G2) String() string {
   181  	return "bn256.G2" + e.p.String()
   182  }
   183  
   184  // ScalarBaseMult sets e to g*k where g is the generator of the group and then
   185  // returns out.
   186  func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
   187  	if e.p == nil {
   188  		e.p = &twistPoint{}
   189  	}
   190  	e.p.Mul(twistGen, k)
   191  	return e
   192  }
   193  
   194  // ScalarMult sets e to a*k and then returns e.
   195  func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
   196  	if e.p == nil {
   197  		e.p = &twistPoint{}
   198  	}
   199  	e.p.Mul(a.p, k)
   200  	return e
   201  }
   202  
   203  // Add sets e to a+b and then returns e.
   204  func (e *G2) Add(a, b *G2) *G2 {
   205  	if e.p == nil {
   206  		e.p = &twistPoint{}
   207  	}
   208  	e.p.Add(a.p, b.p)
   209  	return e
   210  }
   211  
   212  // Neg sets e to -a and then returns e.
   213  func (e *G2) Neg(a *G2) *G2 {
   214  	if e.p == nil {
   215  		e.p = &twistPoint{}
   216  	}
   217  	e.p.Neg(a.p)
   218  	return e
   219  }
   220  
   221  // Set sets e to a and then returns e.
   222  func (e *G2) Set(a *G2) *G2 {
   223  	if e.p == nil {
   224  		e.p = &twistPoint{}
   225  	}
   226  	e.p.Set(a.p)
   227  	return e
   228  }
   229  
   230  // Marshal converts e into a byte slice.
   231  func (e *G2) Marshal() []byte {
   232  	// Each value is a 256-bit number.
   233  	const numBytes = 256 / 8
   234  
   235  	if e.p == nil {
   236  		e.p = &twistPoint{}
   237  	}
   238  
   239  	e.p.MakeAffine()
   240  	ret := make([]byte, numBytes*4)
   241  	if e.p.IsInfinity() {
   242  		return ret
   243  	}
   244  	temp := &gfP{}
   245  
   246  	montDecode(temp, &e.p.x.x)
   247  	temp.Marshal(ret)
   248  	montDecode(temp, &e.p.x.y)
   249  	temp.Marshal(ret[numBytes:])
   250  	montDecode(temp, &e.p.y.x)
   251  	temp.Marshal(ret[2*numBytes:])
   252  	montDecode(temp, &e.p.y.y)
   253  	temp.Marshal(ret[3*numBytes:])
   254  
   255  	return ret
   256  }
   257  
   258  // Unmarshal sets e to the result of converting the output of Marshal back into
   259  // a group element and then returns e.
   260  func (e *G2) Unmarshal(m []byte) ([]byte, error) {
   261  	// Each value is a 256-bit number.
   262  	const numBytes = 256 / 8
   263  	if len(m) < 4*numBytes {
   264  		return nil, errors.New("bn256: not enough data")
   265  	}
   266  	// Unmarshal the points and check their caps
   267  	if e.p == nil {
   268  		e.p = &twistPoint{}
   269  	}
   270  	var err error
   271  	if err = e.p.x.x.Unmarshal(m); err != nil {
   272  		return nil, err
   273  	}
   274  	if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil {
   275  		return nil, err
   276  	}
   277  	if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil {
   278  		return nil, err
   279  	}
   280  	if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil {
   281  		return nil, err
   282  	}
   283  	// Encode into Montgomery form and ensure it's on the curve
   284  	montEncode(&e.p.x.x, &e.p.x.x)
   285  	montEncode(&e.p.x.y, &e.p.x.y)
   286  	montEncode(&e.p.y.x, &e.p.y.x)
   287  	montEncode(&e.p.y.y, &e.p.y.y)
   288  
   289  	if e.p.x.IsZero() && e.p.y.IsZero() {
   290  		// This is the point at infinity.
   291  		e.p.y.SetOne()
   292  		e.p.z.SetZero()
   293  		e.p.t.SetZero()
   294  	} else {
   295  		e.p.z.SetOne()
   296  		e.p.t.SetOne()
   297  
   298  		if !e.p.IsOnCurve() {
   299  			return nil, errors.New("bn256: malformed point")
   300  		}
   301  	}
   302  	return m[4*numBytes:], nil
   303  }
   304  
   305  // GT is an abstract cyclic group. The zero value is suitable for use as the
   306  // output of an operation, but cannot be used as an input.
   307  type GT struct {
   308  	p *gfP12
   309  }
   310  
   311  // Pair calculates an Optimal Ate pairing.
   312  func Pair(g1 *G1, g2 *G2) *GT {
   313  	return &GT{optimalAte(g2.p, g1.p)}
   314  }
   315  
   316  // PairingCheck calculates the Optimal Ate pairing for a set of points.
   317  func PairingCheck(a []*G1, b []*G2) bool {
   318  	acc := new(gfP12)
   319  	acc.SetOne()
   320  
   321  	for i := 0; i < len(a); i++ {
   322  		if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
   323  			continue
   324  		}
   325  		acc.Mul(acc, miller(b[i].p, a[i].p))
   326  	}
   327  	return finalExponentiation(acc).IsOne()
   328  }
   329  
   330  // Miller applies Miller's algorithm, which is a bilinear function from the
   331  // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1,
   332  // g2).
   333  func Miller(g1 *G1, g2 *G2) *GT {
   334  	return &GT{miller(g2.p, g1.p)}
   335  }
   336  
   337  func (g *GT) String() string {
   338  	return "bn256.GT" + g.p.String()
   339  }
   340  
   341  // ScalarMult sets e to a*k and then returns e.
   342  func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
   343  	if e.p == nil {
   344  		e.p = &gfP12{}
   345  	}
   346  	e.p.Exp(a.p, k)
   347  	return e
   348  }
   349  
   350  // Add sets e to a+b and then returns e.
   351  func (e *GT) Add(a, b *GT) *GT {
   352  	if e.p == nil {
   353  		e.p = &gfP12{}
   354  	}
   355  	e.p.Mul(a.p, b.p)
   356  	return e
   357  }
   358  
   359  // Neg sets e to -a and then returns e.
   360  func (e *GT) Neg(a *GT) *GT {
   361  	if e.p == nil {
   362  		e.p = &gfP12{}
   363  	}
   364  	e.p.Conjugate(a.p)
   365  	return e
   366  }
   367  
   368  // Set sets e to a and then returns e.
   369  func (e *GT) Set(a *GT) *GT {
   370  	if e.p == nil {
   371  		e.p = &gfP12{}
   372  	}
   373  	e.p.Set(a.p)
   374  	return e
   375  }
   376  
   377  // Finalize is a linear function from F_p^12 to GT.
   378  func (e *GT) Finalize() *GT {
   379  	ret := finalExponentiation(e.p)
   380  	e.p.Set(ret)
   381  	return e
   382  }
   383  
   384  // Marshal converts e into a byte slice.
   385  func (e *GT) Marshal() []byte {
   386  	// Each value is a 256-bit number.
   387  	const numBytes = 256 / 8
   388  
   389  	if e.p == nil {
   390  		e.p = &gfP12{}
   391  		e.p.SetOne()
   392  	}
   393  
   394  	ret := make([]byte, numBytes*12)
   395  	temp := &gfP{}
   396  
   397  	montDecode(temp, &e.p.x.x.x)
   398  	temp.Marshal(ret)
   399  	montDecode(temp, &e.p.x.x.y)
   400  	temp.Marshal(ret[numBytes:])
   401  	montDecode(temp, &e.p.x.y.x)
   402  	temp.Marshal(ret[2*numBytes:])
   403  	montDecode(temp, &e.p.x.y.y)
   404  	temp.Marshal(ret[3*numBytes:])
   405  	montDecode(temp, &e.p.x.z.x)
   406  	temp.Marshal(ret[4*numBytes:])
   407  	montDecode(temp, &e.p.x.z.y)
   408  	temp.Marshal(ret[5*numBytes:])
   409  	montDecode(temp, &e.p.y.x.x)
   410  	temp.Marshal(ret[6*numBytes:])
   411  	montDecode(temp, &e.p.y.x.y)
   412  	temp.Marshal(ret[7*numBytes:])
   413  	montDecode(temp, &e.p.y.y.x)
   414  	temp.Marshal(ret[8*numBytes:])
   415  	montDecode(temp, &e.p.y.y.y)
   416  	temp.Marshal(ret[9*numBytes:])
   417  	montDecode(temp, &e.p.y.z.x)
   418  	temp.Marshal(ret[10*numBytes:])
   419  	montDecode(temp, &e.p.y.z.y)
   420  	temp.Marshal(ret[11*numBytes:])
   421  
   422  	return ret
   423  }
   424  
   425  // Unmarshal sets e to the result of converting the output of Marshal back into
   426  // a group element and then returns e.
   427  func (e *GT) Unmarshal(m []byte) ([]byte, error) {
   428  	// Each value is a 256-bit number.
   429  	const numBytes = 256 / 8
   430  
   431  	if len(m) < 12*numBytes {
   432  		return nil, errors.New("bn256: not enough data")
   433  	}
   434  
   435  	if e.p == nil {
   436  		e.p = &gfP12{}
   437  	}
   438  
   439  	var err error
   440  	if err = e.p.x.x.x.Unmarshal(m); err != nil {
   441  		return nil, err
   442  	}
   443  	if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil {
   444  		return nil, err
   445  	}
   446  	if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil {
   447  		return nil, err
   448  	}
   449  	if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil {
   450  		return nil, err
   451  	}
   452  	if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil {
   453  		return nil, err
   454  	}
   455  	if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil {
   456  		return nil, err
   457  	}
   458  	if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil {
   459  		return nil, err
   460  	}
   461  	if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil {
   462  		return nil, err
   463  	}
   464  	if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil {
   465  		return nil, err
   466  	}
   467  	if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil {
   468  		return nil, err
   469  	}
   470  	if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil {
   471  		return nil, err
   472  	}
   473  	if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil {
   474  		return nil, err
   475  	}
   476  	montEncode(&e.p.x.x.x, &e.p.x.x.x)
   477  	montEncode(&e.p.x.x.y, &e.p.x.x.y)
   478  	montEncode(&e.p.x.y.x, &e.p.x.y.x)
   479  	montEncode(&e.p.x.y.y, &e.p.x.y.y)
   480  	montEncode(&e.p.x.z.x, &e.p.x.z.x)
   481  	montEncode(&e.p.x.z.y, &e.p.x.z.y)
   482  	montEncode(&e.p.y.x.x, &e.p.y.x.x)
   483  	montEncode(&e.p.y.x.y, &e.p.y.x.y)
   484  	montEncode(&e.p.y.y.x, &e.p.y.y.x)
   485  	montEncode(&e.p.y.y.y, &e.p.y.y.y)
   486  	montEncode(&e.p.y.z.x, &e.p.y.z.x)
   487  	montEncode(&e.p.y.z.y, &e.p.y.z.y)
   488  
   489  	return m[12*numBytes:], nil
   490  }