github.com/aigarnetwork/aigar@v0.0.0-20191115204914-d59a6eb70f8e/crypto/bn256/google/bn256.go (about) 1 // Copyright 2018 The go-ethereum Authors 2 // Copyright 2019 The go-aigar Authors 3 // This file is part of the go-aigar library. 4 // 5 // The go-aigar library is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU Lesser General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // The go-aigar library is distributed in the hope that it will be useful, 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU Lesser General Public License for more details. 14 // 15 // You should have received a copy of the GNU Lesser General Public License 16 // along with the go-aigar library. If not, see <http://www.gnu.org/licenses/>. 17 18 // Package bn256 implements a particular bilinear group. 19 // 20 // Bilinear groups are the basis of many of the new cryptographic protocols 21 // that have been proposed over the past decade. They consist of a triplet of 22 // groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ 23 // (where gₓ is a generator of the respective group). That function is called 24 // a pairing function. 25 // 26 // This package specifically implements the Optimal Ate pairing over a 256-bit 27 // Barreto-Naehrig curve as described in 28 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible 29 // with the implementation described in that paper. 30 // 31 // (This package previously claimed to operate at a 128-bit security level. 32 // However, recent improvements in attacks mean that is no longer true. See 33 // https://moderncrypto.org/mail-archive/curves/2016/000740.html.) 34 package bn256 35 36 import ( 37 "crypto/rand" 38 "errors" 39 "io" 40 "math/big" 41 ) 42 43 // BUG(agl): this implementation is not constant time. 44 // TODO(agl): keep GF(p²) elements in Mongomery form. 45 46 // G1 is an abstract cyclic group. The zero value is suitable for use as the 47 // output of an operation, but cannot be used as an input. 48 type G1 struct { 49 p *curvePoint 50 } 51 52 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 53 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 54 var k *big.Int 55 var err error 56 57 for { 58 k, err = rand.Int(r, Order) 59 if err != nil { 60 return nil, nil, err 61 } 62 if k.Sign() > 0 { 63 break 64 } 65 } 66 67 return k, new(G1).ScalarBaseMult(k), nil 68 } 69 70 func (e *G1) String() string { 71 return "bn256.G1" + e.p.String() 72 } 73 74 // CurvePoints returns p's curve points in big integer 75 func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int) { 76 return e.p.x, e.p.y, e.p.z, e.p.t 77 } 78 79 // ScalarBaseMult sets e to g*k where g is the generator of the group and 80 // then returns e. 81 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 82 if e.p == nil { 83 e.p = newCurvePoint(nil) 84 } 85 e.p.Mul(curveGen, k, new(bnPool)) 86 return e 87 } 88 89 // ScalarMult sets e to a*k and then returns e. 90 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 91 if e.p == nil { 92 e.p = newCurvePoint(nil) 93 } 94 e.p.Mul(a.p, k, new(bnPool)) 95 return e 96 } 97 98 // Add sets e to a+b and then returns e. 99 // BUG(agl): this function is not complete: a==b fails. 100 func (e *G1) Add(a, b *G1) *G1 { 101 if e.p == nil { 102 e.p = newCurvePoint(nil) 103 } 104 e.p.Add(a.p, b.p, new(bnPool)) 105 return e 106 } 107 108 // Neg sets e to -a and then returns e. 109 func (e *G1) Neg(a *G1) *G1 { 110 if e.p == nil { 111 e.p = newCurvePoint(nil) 112 } 113 e.p.Negative(a.p) 114 return e 115 } 116 117 // Marshal converts n to a byte slice. 118 func (e *G1) Marshal() []byte { 119 // Each value is a 256-bit number. 120 const numBytes = 256 / 8 121 122 if e.p.IsInfinity() { 123 return make([]byte, numBytes*2) 124 } 125 126 e.p.MakeAffine(nil) 127 128 xBytes := new(big.Int).Mod(e.p.x, P).Bytes() 129 yBytes := new(big.Int).Mod(e.p.y, P).Bytes() 130 131 ret := make([]byte, numBytes*2) 132 copy(ret[1*numBytes-len(xBytes):], xBytes) 133 copy(ret[2*numBytes-len(yBytes):], yBytes) 134 135 return ret 136 } 137 138 // Unmarshal sets e to the result of converting the output of Marshal back into 139 // a group element and then returns e. 140 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 141 // Each value is a 256-bit number. 142 const numBytes = 256 / 8 143 if len(m) != 2*numBytes { 144 return nil, errors.New("bn256: not enough data") 145 } 146 // Unmarshal the points and check their caps 147 if e.p == nil { 148 e.p = newCurvePoint(nil) 149 } 150 e.p.x.SetBytes(m[0*numBytes : 1*numBytes]) 151 if e.p.x.Cmp(P) >= 0 { 152 return nil, errors.New("bn256: coordinate exceeds modulus") 153 } 154 e.p.y.SetBytes(m[1*numBytes : 2*numBytes]) 155 if e.p.y.Cmp(P) >= 0 { 156 return nil, errors.New("bn256: coordinate exceeds modulus") 157 } 158 // Ensure the point is on the curve 159 if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 { 160 // This is the point at infinity. 161 e.p.y.SetInt64(1) 162 e.p.z.SetInt64(0) 163 e.p.t.SetInt64(0) 164 } else { 165 e.p.z.SetInt64(1) 166 e.p.t.SetInt64(1) 167 168 if !e.p.IsOnCurve() { 169 return nil, errors.New("bn256: malformed point") 170 } 171 } 172 return m[2*numBytes:], nil 173 } 174 175 // G2 is an abstract cyclic group. The zero value is suitable for use as the 176 // output of an operation, but cannot be used as an input. 177 type G2 struct { 178 p *twistPoint 179 } 180 181 // RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r. 182 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 183 var k *big.Int 184 var err error 185 186 for { 187 k, err = rand.Int(r, Order) 188 if err != nil { 189 return nil, nil, err 190 } 191 if k.Sign() > 0 { 192 break 193 } 194 } 195 196 return k, new(G2).ScalarBaseMult(k), nil 197 } 198 199 func (e *G2) String() string { 200 return "bn256.G2" + e.p.String() 201 } 202 203 // CurvePoints returns the curve points of p which includes the real 204 // and imaginary parts of the curve point. 205 func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2) { 206 return e.p.x, e.p.y, e.p.z, e.p.t 207 } 208 209 // ScalarBaseMult sets e to g*k where g is the generator of the group and 210 // then returns out. 211 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 212 if e.p == nil { 213 e.p = newTwistPoint(nil) 214 } 215 e.p.Mul(twistGen, k, new(bnPool)) 216 return e 217 } 218 219 // ScalarMult sets e to a*k and then returns e. 220 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 221 if e.p == nil { 222 e.p = newTwistPoint(nil) 223 } 224 e.p.Mul(a.p, k, new(bnPool)) 225 return e 226 } 227 228 // Add sets e to a+b and then returns e. 229 // BUG(agl): this function is not complete: a==b fails. 230 func (e *G2) Add(a, b *G2) *G2 { 231 if e.p == nil { 232 e.p = newTwistPoint(nil) 233 } 234 e.p.Add(a.p, b.p, new(bnPool)) 235 return e 236 } 237 238 // Marshal converts n into a byte slice. 239 func (n *G2) Marshal() []byte { 240 // Each value is a 256-bit number. 241 const numBytes = 256 / 8 242 243 if n.p.IsInfinity() { 244 return make([]byte, numBytes*4) 245 } 246 247 n.p.MakeAffine(nil) 248 249 xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes() 250 xyBytes := new(big.Int).Mod(n.p.x.y, P).Bytes() 251 yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes() 252 yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes() 253 254 ret := make([]byte, numBytes*4) 255 copy(ret[1*numBytes-len(xxBytes):], xxBytes) 256 copy(ret[2*numBytes-len(xyBytes):], xyBytes) 257 copy(ret[3*numBytes-len(yxBytes):], yxBytes) 258 copy(ret[4*numBytes-len(yyBytes):], yyBytes) 259 260 return ret 261 } 262 263 // Unmarshal sets e to the result of converting the output of Marshal back into 264 // a group element and then returns e. 265 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 266 // Each value is a 256-bit number. 267 const numBytes = 256 / 8 268 if len(m) != 4*numBytes { 269 return nil, errors.New("bn256: not enough data") 270 } 271 // Unmarshal the points and check their caps 272 if e.p == nil { 273 e.p = newTwistPoint(nil) 274 } 275 e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 276 if e.p.x.x.Cmp(P) >= 0 { 277 return nil, errors.New("bn256: coordinate exceeds modulus") 278 } 279 e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 280 if e.p.x.y.Cmp(P) >= 0 { 281 return nil, errors.New("bn256: coordinate exceeds modulus") 282 } 283 e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 284 if e.p.y.x.Cmp(P) >= 0 { 285 return nil, errors.New("bn256: coordinate exceeds modulus") 286 } 287 e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 288 if e.p.y.y.Cmp(P) >= 0 { 289 return nil, errors.New("bn256: coordinate exceeds modulus") 290 } 291 // Ensure the point is on the curve 292 if e.p.x.x.Sign() == 0 && 293 e.p.x.y.Sign() == 0 && 294 e.p.y.x.Sign() == 0 && 295 e.p.y.y.Sign() == 0 { 296 // This is the point at infinity. 297 e.p.y.SetOne() 298 e.p.z.SetZero() 299 e.p.t.SetZero() 300 } else { 301 e.p.z.SetOne() 302 e.p.t.SetOne() 303 304 if !e.p.IsOnCurve() { 305 return nil, errors.New("bn256: malformed point") 306 } 307 } 308 return m[4*numBytes:], nil 309 } 310 311 // GT is an abstract cyclic group. The zero value is suitable for use as the 312 // output of an operation, but cannot be used as an input. 313 type GT struct { 314 p *gfP12 315 } 316 317 func (g *GT) String() string { 318 return "bn256.GT" + g.p.String() 319 } 320 321 // ScalarMult sets e to a*k and then returns e. 322 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 323 if e.p == nil { 324 e.p = newGFp12(nil) 325 } 326 e.p.Exp(a.p, k, new(bnPool)) 327 return e 328 } 329 330 // Add sets e to a+b and then returns e. 331 func (e *GT) Add(a, b *GT) *GT { 332 if e.p == nil { 333 e.p = newGFp12(nil) 334 } 335 e.p.Mul(a.p, b.p, new(bnPool)) 336 return e 337 } 338 339 // Neg sets e to -a and then returns e. 340 func (e *GT) Neg(a *GT) *GT { 341 if e.p == nil { 342 e.p = newGFp12(nil) 343 } 344 e.p.Invert(a.p, new(bnPool)) 345 return e 346 } 347 348 // Marshal converts n into a byte slice. 349 func (n *GT) Marshal() []byte { 350 n.p.Minimal() 351 352 xxxBytes := n.p.x.x.x.Bytes() 353 xxyBytes := n.p.x.x.y.Bytes() 354 xyxBytes := n.p.x.y.x.Bytes() 355 xyyBytes := n.p.x.y.y.Bytes() 356 xzxBytes := n.p.x.z.x.Bytes() 357 xzyBytes := n.p.x.z.y.Bytes() 358 yxxBytes := n.p.y.x.x.Bytes() 359 yxyBytes := n.p.y.x.y.Bytes() 360 yyxBytes := n.p.y.y.x.Bytes() 361 yyyBytes := n.p.y.y.y.Bytes() 362 yzxBytes := n.p.y.z.x.Bytes() 363 yzyBytes := n.p.y.z.y.Bytes() 364 365 // Each value is a 256-bit number. 366 const numBytes = 256 / 8 367 368 ret := make([]byte, numBytes*12) 369 copy(ret[1*numBytes-len(xxxBytes):], xxxBytes) 370 copy(ret[2*numBytes-len(xxyBytes):], xxyBytes) 371 copy(ret[3*numBytes-len(xyxBytes):], xyxBytes) 372 copy(ret[4*numBytes-len(xyyBytes):], xyyBytes) 373 copy(ret[5*numBytes-len(xzxBytes):], xzxBytes) 374 copy(ret[6*numBytes-len(xzyBytes):], xzyBytes) 375 copy(ret[7*numBytes-len(yxxBytes):], yxxBytes) 376 copy(ret[8*numBytes-len(yxyBytes):], yxyBytes) 377 copy(ret[9*numBytes-len(yyxBytes):], yyxBytes) 378 copy(ret[10*numBytes-len(yyyBytes):], yyyBytes) 379 copy(ret[11*numBytes-len(yzxBytes):], yzxBytes) 380 copy(ret[12*numBytes-len(yzyBytes):], yzyBytes) 381 382 return ret 383 } 384 385 // Unmarshal sets e to the result of converting the output of Marshal back into 386 // a group element and then returns e. 387 func (e *GT) Unmarshal(m []byte) (*GT, bool) { 388 // Each value is a 256-bit number. 389 const numBytes = 256 / 8 390 391 if len(m) != 12*numBytes { 392 return nil, false 393 } 394 395 if e.p == nil { 396 e.p = newGFp12(nil) 397 } 398 399 e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 400 e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 401 e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 402 e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 403 e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes]) 404 e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes]) 405 e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes]) 406 e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes]) 407 e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes]) 408 e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes]) 409 e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes]) 410 e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes]) 411 412 return e, true 413 } 414 415 // Pair calculates an Optimal Ate pairing. 416 func Pair(g1 *G1, g2 *G2) *GT { 417 return >{optimalAte(g2.p, g1.p, new(bnPool))} 418 } 419 420 // PairingCheck calculates the Optimal Ate pairing for a set of points. 421 func PairingCheck(a []*G1, b []*G2) bool { 422 pool := new(bnPool) 423 424 acc := newGFp12(pool) 425 acc.SetOne() 426 427 for i := 0; i < len(a); i++ { 428 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 429 continue 430 } 431 acc.Mul(acc, miller(b[i].p, a[i].p, pool), pool) 432 } 433 ret := finalExponentiation(acc, pool) 434 acc.Put(pool) 435 436 return ret.IsOne() 437 } 438 439 // bnPool implements a tiny cache of *big.Int objects that's used to reduce the 440 // number of allocations made during processing. 441 type bnPool struct { 442 bns []*big.Int 443 count int 444 } 445 446 func (pool *bnPool) Get() *big.Int { 447 if pool == nil { 448 return new(big.Int) 449 } 450 451 pool.count++ 452 l := len(pool.bns) 453 if l == 0 { 454 return new(big.Int) 455 } 456 457 bn := pool.bns[l-1] 458 pool.bns = pool.bns[:l-1] 459 return bn 460 } 461 462 func (pool *bnPool) Put(bn *big.Int) { 463 if pool == nil { 464 return 465 } 466 pool.bns = append(pool.bns, bn) 467 pool.count-- 468 } 469 470 func (pool *bnPool) Count() int { 471 return pool.count 472 }