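// Package bn256 implements a particular bilinear group at the 128-bit security
// level.
// Bilinear groups are the basis of many of the new cryptographic protocols that
// have been proposed over the past decade. They consist of a triplet of groups
// (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ
// is a generator of the respective group). That function is called a pairing
// function.
//
// This package specifically implements the Optimal Ate pairing over a 256-bit
// Barreto-Naehrig curve as described in
// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
// with the implementation described in that paper.
package bn256

import (
	"crypto/rand"
	"errors"
	"io"
	"math/big"
)

// randomK returns a uniformly random scalar in [1, Order-1] read from r.
//
// rand.Int draws from [0, Order); a zero draw is rejected and redrawn so the
// returned scalar is never the trivial one. Any read error from r is returned
// unchanged, with a nil scalar.
func randomK(r io.Reader) (*big.Int, error) {
	for {
		k, err := rand.Int(r, Order)
		// Check err before touching k: rand.Int returns a nil *big.Int on
		// failure, and calling k.Sign() on nil panics instead of reporting
		// the error to the caller.
		if err != nil {
			return nil, err
		}
		if k.Sign() > 0 {
			return k, nil
		}
	}
}

// G1 is an abstract cyclic group. The zero value is suitable for use as the
// output of an operation, but cannot be used as an input.
type G1 struct {
	p *curvePoint
}

// RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
// The error is the one reported by r, if any; x and the point are nil in that
// case.
func RandomG1(r io.Reader) (*big.Int, *G1, error) {
	k, err := randomK(r)
	if err != nil {
		return nil, nil, err
	}
	return k, new(G1).ScalarBaseMult(k), nil
}

// String returns a printable form of e for debugging. Like every other input,
// e must not be the zero value.
func (e *G1) String() string {
	return "bn256.G1" + e.p.String()
}

// ScalarBaseMult sets e to g*k where g is the generator of the group and then
// returns e. A zero-valued e is allocated on first use.
func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
	if e.p == nil {
		e.p = &curvePoint{}
	}
	e.p.Mul(curveGen, k)
	return e
}

// ScalarMult sets e to a*k and then returns e.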
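func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
	if e.p == nil {
		e.p = &curvePoint{}
	}
	e.p.Mul(a.p, k)
	return e
}

// Add sets e to a+b and then returns e.
func (e *G1) Add(a, b *G1) *G1 {
	if e.p == nil {
		e.p = &curvePoint{}
	}
	e.p.Add(a.p, b.p)
	return e
}

// Neg sets e to -a and then returns e.
func (e *G1) Neg(a *G1) *G1 {
	if e.p == nil {
		e.p = &curvePoint{}
	}
	e.p.Neg(a.p)
	return e
}

// Set sets e to a and then returns e.
func (e *G1) Set(a *G1) *G1 {
	if e.p == nil {
		e.p = &curvePoint{}
	}
	e.p.Set(a.p)
	return e
}

// Marshal converts e to a byte slice: the affine x and y coordinates, each as
// a 32-byte value taken out of Montgomery form, x first. The point at infinity
// is encoded as 64 zero bytes.
//
// As in G2.Marshal, a zero-valued e is allocated instead of dereferencing a
// nil point.
func (e *G1) Marshal() []byte {
	// Each value is a 256-bit number.
	const numBytes = 256 / 8

	// Keep G1.Marshal consistent with G2.Marshal, which already tolerates a
	// zero-valued receiver.
	if e.p == nil {
		e.p = &curvePoint{}
	}

	e.p.MakeAffine()
	ret := make([]byte, numBytes*2)
	if e.p.IsInfinity() {
		return ret
	}
	temp := &gfP{}

	montDecode(temp, &e.p.x)
	temp.Marshal(ret)
	montDecode(temp, &e.p.y)
	temp.Marshal(ret[numBytes:])

	return ret
}

// Unmarshal sets e to the result of converting the output of Marshal back into
// a group element and then returns the unread remainder of m.
//
// It fails with "bn256: not enough data" when m holds fewer than 64 bytes,
// with the coordinate decoder's error when a coordinate does not decode, and
// with "bn256: malformed point" when the decoded affine point does not
// satisfy the curve equation. Two all-zero coordinates decode as the point at
// infinity, which is not checked against the curve equation.
func (e *G1) Unmarshal(m []byte) ([]byte, error) {
	// Each value is a 256-bit number.
	const numBytes = 256 / 8
	if len(m) < 2*numBytes {
		return nil, errors.New("bn256: not enough data")
	}
	// Unmarshal the points and check their caps
	if e.p == nil {
		e.p = &curvePoint{}
	} else {
		e.p.x, e.p.y = gfP{0}, gfP{0}
	}
	if err := e.p.x.Unmarshal(m); err != nil {
		return nil, err
	}
	if err := e.p.y.Unmarshal(m[numBytes:]); err != nil {
		return nil, err
	}
	// Encode into Montgomery form and ensure it's on the curve
	montEncode(&e.p.x, &e.p.x)
	montEncode(&e.p.y, &e.p.y)

	zero := gfP{0}
	if e.p.x == zero && e.p.y == zero {
		// This is the point at infinity.
		e.p.y = *newGFp(1)
		e.p.z = gfP{0}
		e.p.t = gfP{0}
	} else {
		e.p.z = *newGFp(1)
		e.p.t = *newGFp(1)

		if !e.p.IsOnCurve() {
			return nil, errors.New("bn256: malformed point")
		}
	}
	return m[2*numBytes:], nil
}

// G2 is an abstract cyclic group. The zero value is suitable for use as the
// output of an operation, but cannot be used as an input.
type G2 struct {
	p *twistPoint
}

// RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.
// The error is the one reported by r, if any; x and the point are nil in that
// case.
func RandomG2(r io.Reader) (*big.Int, *G2, error) {
	k, err := randomK(r)
	if err != nil {
		return nil, nil, err
	}
	return k, new(G2).ScalarBaseMult(k), nil
}

// String returns a printable form of e for debugging. Like every other input,
// e must not be the zero value.
func (e *G2) String() string {
	return "bn256.G2" + e.p.String()
}

// ScalarBaseMult sets e to g*k where g is the generator of the group and then
// returns e. A zero-valued e is allocated on first use.
func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
	if e.p == nil {
		e.p = &twistPoint{}
	}
	e.p.Mul(twistGen, k)
	return e
}

// ScalarMult sets e to a*k and then returns e.
func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
	if e.p == nil {
		e.p = &twistPoint{}
	}
	e.p.Mul(a.p, k)
	return e
}

// Add sets e to a+b and then returns e.
func (e *G2) Add(a, b *G2) *G2 {
	if e.p == nil {
		e.p = &twistPoint{}
	}
	e.p.Add(a.p, b.p)
	return e
}

// Neg sets e to -a and then returns e.
func (e *G2) Neg(a *G2) *G2 {
	if e.p == nil {
		e.p = &twistPoint{}
	}
	e.p.Neg(a.p)
	return e
}

// Set sets e to a and then returns e.
func (e *G2) Set(a *G2) *G2 {
	if e.p == nil {
		e.p = &twistPoint{}
	}
	e.p.Set(a.p)
	return e
}

// twistCoords returns the four base-field coordinates of p in the order used
// by G2.Marshal and G2.Unmarshal: x.x, x.y, y.x, y.y. Sharing the list keeps
// the encoder and decoder from drifting apart.
func twistCoords(p *twistPoint) [4]*gfP {
	return [4]*gfP{&p.x.x, &p.x.y, &p.y.x, &p.y.y}
}

// Marshal converts e into a byte slice: the four base-field coordinates of
// the affine point (x.x, x.y, y.x, y.y), each as a 32-byte value taken out of
// Montgomery form. The point at infinity is encoded as 128 zero bytes. A
// zero-valued e is allocated instead of dereferencing a nil point.
func (e *G2) Marshal() []byte {
	// Each value is a 256-bit number.
	const numBytes = 256 / 8

	if e.p == nil {
		e.p = &twistPoint{}
	}

	e.p.MakeAffine()
	ret := make([]byte, numBytes*4)
	if e.p.IsInfinity() {
		return ret
	}

	// Leave Montgomery form before serializing each coordinate.
	temp := &gfP{}
	for i, c := range twistCoords(e.p) {
		montDecode(temp, c)
		temp.Marshal(ret[i*numBytes:])
	}

	return ret
}

// Unmarshal sets e to the result of converting the output of Marshal back into
// a group element and then returns the unread remainder of m.
//
// It fails with "bn256: not enough data" when m holds fewer than 128 bytes,
// with the coordinate decoder's error when a coordinate does not decode, and
// with "bn256: malformed point" when the decoded affine point fails
// twistPoint.IsOnCurve. Four all-zero coordinates decode as the point at
// infinity, which is not checked against the curve.
func (e *G2) Unmarshal(m []byte) ([]byte, error) {
	// Each value is a 256-bit number.
	const numBytes = 256 / 8
	if len(m) < 4*numBytes {
		return nil, errors.New("bn256: not enough data")
	}
	// Unmarshal the points and check their caps
	if e.p == nil {
		e.p = &twistPoint{}
	}
	coords := twistCoords(e.p)
	for i, c := range coords {
		if err := c.Unmarshal(m[i*numBytes:]); err != nil {
			return nil, err
		}
	}
	// Encode into Montgomery form and ensure it's on the curve
	for _, c := range coords {
		montEncode(c, c)
	}

	if e.p.x.IsZero() && e.p.y.IsZero() {
		// This is the point at infinity.
		e.p.y.SetOne()
		e.p.z.SetZero()
		e.p.t.SetZero()
	} else {
		e.p.z.SetOne()
		e.p.t.SetOne()

		if !e.p.IsOnCurve() {
			return nil, errors.New("bn256: malformed point")
		}
	}
	return m[4*numBytes:], nil
}

// GT is an abstract cyclic group. The zero value is suitable for use as the
// output of an operation, but cannot be used as an input.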
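type GT struct {
	p *gfP12
}

// Pair calculates an Optimal Ate pairing.
func Pair(g1 *G1, g2 *G2) *GT {
	return &GT{optimalAte(g2.p, g1.p)}
}

// PairingCheck reports whether the product of the pairings e(a[i], b[i]) over
// all i is the identity of GT.
//
// a and b must have the same length: b is indexed with a's indices, so a
// shorter b panics with an index out of range. Pairs in which either point is
// the point at infinity are skipped, since their pairing is the identity. An
// empty a yields true.
func PairingCheck(a []*G1, b []*G2) bool {
	acc := new(gfP12)
	acc.SetOne()

	for i := range a {
		if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
			continue
		}
		acc.Mul(acc, miller(b[i].p, a[i].p))
	}
	// Multiply the Miller loop outputs first and run the (expensive) final
	// exponentiation once over the product rather than once per pair.
	return finalExponentiation(acc).IsOne()
}

// Miller applies Miller's algorithm, which is a bilinear function from the
// source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1,
// g2).
func Miller(g1 *G1, g2 *G2) *GT {
	return &GT{miller(g2.p, g1.p)}
}

// String returns a printable form of e for debugging. Like every other input,
// e must not be the zero value.
func (e *GT) String() string {
	return "bn256.GT" + e.p.String()
}

// ScalarMult sets e to a*k and then returns e. GT is written additively here
// although it is a multiplicative subgroup of F_p^12, so this is an
// exponentiation.
func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
	if e.p == nil {
		e.p = &gfP12{}
	}
	e.p.Exp(a.p, k)
	return e
}

// Add sets e to a+b and then returns e (a field multiplication in F_p^12).
func (e *GT) Add(a, b *GT) *GT {
	if e.p == nil {
		e.p = &gfP12{}
	}
	e.p.Mul(a.p, b.p)
	return e
}

// Neg sets e to -a and then returns e (the conjugate in F_p^12).
func (e *GT) Neg(a *GT) *GT {
	if e.p == nil {
		e.p = &gfP12{}
	}
	e.p.Conjugate(a.p)
	return e
}

// Set sets e to a and then returns e.
func (e *GT) Set(a *GT) *GT {
	if e.p == nil {
		e.p = &gfP12{}
	}
	e.p.Set(a.p)
	return e
}

// Finalize is a linear function from F_p^12 to GT. It applies the final
// exponentiation to e in place and returns e; e must not be the zero value.
func (e *GT) Finalize() *GT {
	ret := finalExponentiation(e.p)
	e.p.Set(ret)
	return e
}

// gfP12Coords returns the twelve base-field coordinates of p in the order used
// by GT.Marshal and GT.Unmarshal: x.x.x, x.x.y, x.y.x, x.y.y, x.z.x, x.z.y,
// followed by the same six for y. Sharing the list keeps the encoder and
// decoder from drifting apart.
func gfP12Coords(p *gfP12) [12]*gfP {
	return [12]*gfP{
		&p.x.x.x, &p.x.x.y, &p.x.y.x, &p.x.y.y, &p.x.z.x, &p.x.z.y,
		&p.y.x.x, &p.y.x.y, &p.y.y.x, &p.y.y.y, &p.y.z.x, &p.y.z.y,
	}
}

// Marshal converts e into a byte slice: the twelve base-field coordinates in
// gfP12Coords order, each as a 32-byte value taken out of Montgomery form
// (384 bytes in total).
//
// As in G2.Marshal, a zero-valued e is tolerated; it is set to the identity
// of GT, which is one (the group is multiplicative), not the all-zero gfP12.
func (e *GT) Marshal() []byte {
	// Each value is a 256-bit number.
	const numBytes = 256 / 8

	if e.p == nil {
		e.p = &gfP12{}
		e.p.SetOne()
	}

	ret := make([]byte, numBytes*12)
	temp := &gfP{}
	// Leave Montgomery form before serializing each coordinate.
	for i, c := range gfP12Coords(e.p) {
		montDecode(temp, c)
		temp.Marshal(ret[i*numBytes:])
	}

	return ret
}

// Unmarshal sets e to the result of converting the output of Marshal back into
// a group element and then returns the unread remainder of m.
//
// It fails with "bn256: not enough data" when m holds fewer than 384 bytes and
// with the coordinate decoder's error when a coordinate does not decode.
// Unlike G1.Unmarshal and G2.Unmarshal there is no membership check: any
// twelve coordinates that individually decode are accepted, whether or not
// they form an element of GT. Callers that take GT elements from untrusted
// input must not rely on Unmarshal to validate them.
func (e *GT) Unmarshal(m []byte) ([]byte, error) {
	// Each value is a 256-bit number.
	const numBytes = 256 / 8

	if len(m) < 12*numBytes {
		return nil, errors.New("bn256: not enough data")
	}

	if e.p == nil {
		e.p = &gfP12{}
	}

	coords := gfP12Coords(e.p)
	for i, c := range coords {
		if err := c.Unmarshal(m[i*numBytes:]); err != nil {
			return nil, err
		}
	}
	// Encode into Montgomery form.
	for _, c := range coords {
		montEncode(c, c)
	}

	return m[12*numBytes:], nil
}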