github.com/aquanetwork/aquachain@v1.7.8/crypto/bn256/cloudflare/bn256.go (about)

     1  // Package bn256 implements a particular bilinear group at the 128-bit security
     2  // level.
     3  //
     4  // Bilinear groups are the basis of many of the new cryptographic protocols that
     5  // have been proposed over the past decade. They consist of a triplet of groups
     6  // (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ
     7  // is a generator of the respective group). That function is called a pairing
     8  // function.
     9  //
    10  // This package specifically implements the Optimal Ate pairing over a 256-bit
    11  // Barreto-Naehrig curve as described in
    12  // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
    13  // with the implementation described in that paper.
    14  package bn256
    15  
    16  import (
    17  	"crypto/rand"
    18  	"errors"
    19  	"io"
    20  	"math/big"
    21  )
    22  
    23  func randomK(r io.Reader) (k *big.Int, err error) {
    24  	for {
    25  		k, err = rand.Int(r, Order)
    26  		if k.Sign() > 0 || err != nil {
    27  			return
    28  		}
    29  	}
    30  }
    31  
    32  // G1 is an abstract cyclic group. The zero value is suitable for use as the
    33  // output of an operation, but cannot be used as an input.
    34  type G1 struct {
    35  	p *curvePoint
    36  }
    37  
    38  // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
    39  func RandomG1(r io.Reader) (*big.Int, *G1, error) {
    40  	k, err := randomK(r)
    41  	if err != nil {
    42  		return nil, nil, err
    43  	}
    44  
    45  	return k, new(G1).ScalarBaseMult(k), nil
    46  }
    47  
    48  func (g *G1) String() string {
    49  	return "bn256.G1" + g.p.String()
    50  }
    51  
    52  // ScalarBaseMult sets e to g*k where g is the generator of the group and then
    53  // returns e.
    54  func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
    55  	if e.p == nil {
    56  		e.p = &curvePoint{}
    57  	}
    58  	e.p.Mul(curveGen, k)
    59  	return e
    60  }
    61  
    62  // ScalarMult sets e to a*k and then returns e.
    63  func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
    64  	if e.p == nil {
    65  		e.p = &curvePoint{}
    66  	}
    67  	e.p.Mul(a.p, k)
    68  	return e
    69  }
    70  
    71  // Add sets e to a+b and then returns e.
    72  func (e *G1) Add(a, b *G1) *G1 {
    73  	if e.p == nil {
    74  		e.p = &curvePoint{}
    75  	}
    76  	e.p.Add(a.p, b.p)
    77  	return e
    78  }
    79  
    80  // Neg sets e to -a and then returns e.
    81  func (e *G1) Neg(a *G1) *G1 {
    82  	if e.p == nil {
    83  		e.p = &curvePoint{}
    84  	}
    85  	e.p.Neg(a.p)
    86  	return e
    87  }
    88  
    89  // Set sets e to a and then returns e.
    90  func (e *G1) Set(a *G1) *G1 {
    91  	if e.p == nil {
    92  		e.p = &curvePoint{}
    93  	}
    94  	e.p.Set(a.p)
    95  	return e
    96  }
    97  
    98  // Marshal converts e to a byte slice.
    99  func (e *G1) Marshal() []byte {
   100  	// Each value is a 256-bit number.
   101  	const numBytes = 256 / 8
   102  
   103  	e.p.MakeAffine()
   104  	ret := make([]byte, numBytes*2)
   105  	if e.p.IsInfinity() {
   106  		return ret
   107  	}
   108  	temp := &gfP{}
   109  
   110  	montDecode(temp, &e.p.x)
   111  	temp.Marshal(ret)
   112  	montDecode(temp, &e.p.y)
   113  	temp.Marshal(ret[numBytes:])
   114  
   115  	return ret
   116  }
   117  
   118  // Unmarshal sets e to the result of converting the output of Marshal back into
   119  // a group element and then returns e.
   120  func (e *G1) Unmarshal(m []byte) ([]byte, error) {
   121  	// Each value is a 256-bit number.
   122  	const numBytes = 256 / 8
   123  	if len(m) < 2*numBytes {
   124  		return nil, errors.New("bn256: not enough data")
   125  	}
   126  	// Unmarshal the points and check their caps
   127  	if e.p == nil {
   128  		e.p = &curvePoint{}
   129  	} else {
   130  		e.p.x, e.p.y = gfP{0}, gfP{0}
   131  	}
   132  	var err error
   133  	if err = e.p.x.Unmarshal(m); err != nil {
   134  		return nil, err
   135  	}
   136  	if err = e.p.y.Unmarshal(m[numBytes:]); err != nil {
   137  		return nil, err
   138  	}
   139  	// Encode into Montgomery form and ensure it's on the curve
   140  	montEncode(&e.p.x, &e.p.x)
   141  	montEncode(&e.p.y, &e.p.y)
   142  
   143  	zero := gfP{0}
   144  	if e.p.x == zero && e.p.y == zero {
   145  		// This is the point at infinity.
   146  		e.p.y = *newGFp(1)
   147  		e.p.z = gfP{0}
   148  		e.p.t = gfP{0}
   149  	} else {
   150  		e.p.z = *newGFp(1)
   151  		e.p.t = *newGFp(1)
   152  
   153  		if !e.p.IsOnCurve() {
   154  			return nil, errors.New("bn256: malformed point")
   155  		}
   156  	}
   157  	return m[2*numBytes:], nil
   158  }
   159  
   160  // G2 is an abstract cyclic group. The zero value is suitable for use as the
   161  // output of an operation, but cannot be used as an input.
   162  type G2 struct {
   163  	p *twistPoint
   164  }
   165  
   166  // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.
   167  func RandomG2(r io.Reader) (*big.Int, *G2, error) {
   168  	k, err := randomK(r)
   169  	if err != nil {
   170  		return nil, nil, err
   171  	}
   172  
   173  	return k, new(G2).ScalarBaseMult(k), nil
   174  }
   175  
   176  func (e *G2) String() string {
   177  	return "bn256.G2" + e.p.String()
   178  }
   179  
   180  // ScalarBaseMult sets e to g*k where g is the generator of the group and then
   181  // returns out.
   182  func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
   183  	if e.p == nil {
   184  		e.p = &twistPoint{}
   185  	}
   186  	e.p.Mul(twistGen, k)
   187  	return e
   188  }
   189  
   190  // ScalarMult sets e to a*k and then returns e.
   191  func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
   192  	if e.p == nil {
   193  		e.p = &twistPoint{}
   194  	}
   195  	e.p.Mul(a.p, k)
   196  	return e
   197  }
   198  
   199  // Add sets e to a+b and then returns e.
   200  func (e *G2) Add(a, b *G2) *G2 {
   201  	if e.p == nil {
   202  		e.p = &twistPoint{}
   203  	}
   204  	e.p.Add(a.p, b.p)
   205  	return e
   206  }
   207  
   208  // Neg sets e to -a and then returns e.
   209  func (e *G2) Neg(a *G2) *G2 {
   210  	if e.p == nil {
   211  		e.p = &twistPoint{}
   212  	}
   213  	e.p.Neg(a.p)
   214  	return e
   215  }
   216  
   217  // Set sets e to a and then returns e.
   218  func (e *G2) Set(a *G2) *G2 {
   219  	if e.p == nil {
   220  		e.p = &twistPoint{}
   221  	}
   222  	e.p.Set(a.p)
   223  	return e
   224  }
   225  
   226  // Marshal converts e into a byte slice.
   227  func (e *G2) Marshal() []byte {
   228  	// Each value is a 256-bit number.
   229  	const numBytes = 256 / 8
   230  
   231  	if e.p == nil {
   232  		e.p = &twistPoint{}
   233  	}
   234  
   235  	e.p.MakeAffine()
   236  	ret := make([]byte, numBytes*4)
   237  	if e.p.IsInfinity() {
   238  		return ret
   239  	}
   240  	temp := &gfP{}
   241  
   242  	montDecode(temp, &e.p.x.x)
   243  	temp.Marshal(ret)
   244  	montDecode(temp, &e.p.x.y)
   245  	temp.Marshal(ret[numBytes:])
   246  	montDecode(temp, &e.p.y.x)
   247  	temp.Marshal(ret[2*numBytes:])
   248  	montDecode(temp, &e.p.y.y)
   249  	temp.Marshal(ret[3*numBytes:])
   250  
   251  	return ret
   252  }
   253  
   254  // Unmarshal sets e to the result of converting the output of Marshal back into
   255  // a group element and then returns e.
   256  func (e *G2) Unmarshal(m []byte) ([]byte, error) {
   257  	// Each value is a 256-bit number.
   258  	const numBytes = 256 / 8
   259  	if len(m) < 4*numBytes {
   260  		return nil, errors.New("bn256: not enough data")
   261  	}
   262  	// Unmarshal the points and check their caps
   263  	if e.p == nil {
   264  		e.p = &twistPoint{}
   265  	}
   266  	var err error
   267  	if err = e.p.x.x.Unmarshal(m); err != nil {
   268  		return nil, err
   269  	}
   270  	if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil {
   271  		return nil, err
   272  	}
   273  	if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil {
   274  		return nil, err
   275  	}
   276  	if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil {
   277  		return nil, err
   278  	}
   279  	// Encode into Montgomery form and ensure it's on the curve
   280  	montEncode(&e.p.x.x, &e.p.x.x)
   281  	montEncode(&e.p.x.y, &e.p.x.y)
   282  	montEncode(&e.p.y.x, &e.p.y.x)
   283  	montEncode(&e.p.y.y, &e.p.y.y)
   284  
   285  	if e.p.x.IsZero() && e.p.y.IsZero() {
   286  		// This is the point at infinity.
   287  		e.p.y.SetOne()
   288  		e.p.z.SetZero()
   289  		e.p.t.SetZero()
   290  	} else {
   291  		e.p.z.SetOne()
   292  		e.p.t.SetOne()
   293  
   294  		if !e.p.IsOnCurve() {
   295  			return nil, errors.New("bn256: malformed point")
   296  		}
   297  	}
   298  	return m[4*numBytes:], nil
   299  }
   300  
   301  // GT is an abstract cyclic group. The zero value is suitable for use as the
   302  // output of an operation, but cannot be used as an input.
   303  type GT struct {
   304  	p *gfP12
   305  }
   306  
   307  // Pair calculates an Optimal Ate pairing.
   308  func Pair(g1 *G1, g2 *G2) *GT {
   309  	return &GT{optimalAte(g2.p, g1.p)}
   310  }
   311  
   312  // PairingCheck calculates the Optimal Ate pairing for a set of points.
   313  func PairingCheck(a []*G1, b []*G2) bool {
   314  	acc := new(gfP12)
   315  	acc.SetOne()
   316  
   317  	for i := 0; i < len(a); i++ {
   318  		if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
   319  			continue
   320  		}
   321  		acc.Mul(acc, miller(b[i].p, a[i].p))
   322  	}
   323  	return finalExponentiation(acc).IsOne()
   324  }
   325  
   326  // Miller applies Miller's algorithm, which is a bilinear function from the
   327  // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1,
   328  // g2).
   329  func Miller(g1 *G1, g2 *G2) *GT {
   330  	return &GT{miller(g2.p, g1.p)}
   331  }
   332  
   333  func (g *GT) String() string {
   334  	return "bn256.GT" + g.p.String()
   335  }
   336  
   337  // ScalarMult sets e to a*k and then returns e.
   338  func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
   339  	if e.p == nil {
   340  		e.p = &gfP12{}
   341  	}
   342  	e.p.Exp(a.p, k)
   343  	return e
   344  }
   345  
   346  // Add sets e to a+b and then returns e.
   347  func (e *GT) Add(a, b *GT) *GT {
   348  	if e.p == nil {
   349  		e.p = &gfP12{}
   350  	}
   351  	e.p.Mul(a.p, b.p)
   352  	return e
   353  }
   354  
   355  // Neg sets e to -a and then returns e.
   356  func (e *GT) Neg(a *GT) *GT {
   357  	if e.p == nil {
   358  		e.p = &gfP12{}
   359  	}
   360  	e.p.Conjugate(a.p)
   361  	return e
   362  }
   363  
   364  // Set sets e to a and then returns e.
   365  func (e *GT) Set(a *GT) *GT {
   366  	if e.p == nil {
   367  		e.p = &gfP12{}
   368  	}
   369  	e.p.Set(a.p)
   370  	return e
   371  }
   372  
   373  // Finalize is a linear function from F_p^12 to GT.
   374  func (e *GT) Finalize() *GT {
   375  	ret := finalExponentiation(e.p)
   376  	e.p.Set(ret)
   377  	return e
   378  }
   379  
   380  // Marshal converts e into a byte slice.
   381  func (e *GT) Marshal() []byte {
   382  	// Each value is a 256-bit number.
   383  	const numBytes = 256 / 8
   384  
   385  	ret := make([]byte, numBytes*12)
   386  	temp := &gfP{}
   387  
   388  	montDecode(temp, &e.p.x.x.x)
   389  	temp.Marshal(ret)
   390  	montDecode(temp, &e.p.x.x.y)
   391  	temp.Marshal(ret[numBytes:])
   392  	montDecode(temp, &e.p.x.y.x)
   393  	temp.Marshal(ret[2*numBytes:])
   394  	montDecode(temp, &e.p.x.y.y)
   395  	temp.Marshal(ret[3*numBytes:])
   396  	montDecode(temp, &e.p.x.z.x)
   397  	temp.Marshal(ret[4*numBytes:])
   398  	montDecode(temp, &e.p.x.z.y)
   399  	temp.Marshal(ret[5*numBytes:])
   400  	montDecode(temp, &e.p.y.x.x)
   401  	temp.Marshal(ret[6*numBytes:])
   402  	montDecode(temp, &e.p.y.x.y)
   403  	temp.Marshal(ret[7*numBytes:])
   404  	montDecode(temp, &e.p.y.y.x)
   405  	temp.Marshal(ret[8*numBytes:])
   406  	montDecode(temp, &e.p.y.y.y)
   407  	temp.Marshal(ret[9*numBytes:])
   408  	montDecode(temp, &e.p.y.z.x)
   409  	temp.Marshal(ret[10*numBytes:])
   410  	montDecode(temp, &e.p.y.z.y)
   411  	temp.Marshal(ret[11*numBytes:])
   412  
   413  	return ret
   414  }
   415  
   416  // Unmarshal sets e to the result of converting the output of Marshal back into
   417  // a group element and then returns e.
   418  func (e *GT) Unmarshal(m []byte) ([]byte, error) {
   419  	// Each value is a 256-bit number.
   420  	const numBytes = 256 / 8
   421  
   422  	if len(m) < 12*numBytes {
   423  		return nil, errors.New("bn256: not enough data")
   424  	}
   425  
   426  	if e.p == nil {
   427  		e.p = &gfP12{}
   428  	}
   429  
   430  	var err error
   431  	if err = e.p.x.x.x.Unmarshal(m); err != nil {
   432  		return nil, err
   433  	}
   434  	if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil {
   435  		return nil, err
   436  	}
   437  	if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil {
   438  		return nil, err
   439  	}
   440  	if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil {
   441  		return nil, err
   442  	}
   443  	if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil {
   444  		return nil, err
   445  	}
   446  	if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil {
   447  		return nil, err
   448  	}
   449  	if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil {
   450  		return nil, err
   451  	}
   452  	if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil {
   453  		return nil, err
   454  	}
   455  	if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil {
   456  		return nil, err
   457  	}
   458  	if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil {
   459  		return nil, err
   460  	}
   461  	if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil {
   462  		return nil, err
   463  	}
   464  	if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil {
   465  		return nil, err
   466  	}
   467  	montEncode(&e.p.x.x.x, &e.p.x.x.x)
   468  	montEncode(&e.p.x.x.y, &e.p.x.x.y)
   469  	montEncode(&e.p.x.y.x, &e.p.x.y.x)
   470  	montEncode(&e.p.x.y.y, &e.p.x.y.y)
   471  	montEncode(&e.p.x.z.x, &e.p.x.z.x)
   472  	montEncode(&e.p.x.z.y, &e.p.x.z.y)
   473  	montEncode(&e.p.y.x.x, &e.p.y.x.x)
   474  	montEncode(&e.p.y.x.y, &e.p.y.x.y)
   475  	montEncode(&e.p.y.y.x, &e.p.y.y.x)
   476  	montEncode(&e.p.y.y.y, &e.p.y.y.y)
   477  	montEncode(&e.p.y.z.x, &e.p.y.z.x)
   478  	montEncode(&e.p.y.z.y, &e.p.y.z.y)
   479  
   480  	return m[12*numBytes:], nil
   481  }