github.com/arieschain/arieschain@v0.0.0-20191023063405-37c074544356/crypto/bn256/cloudflare/bn256.go (about)

     1  // Package bn256 implements a particular bilinear group at the 128-bit security
     2  // level.
     3  // Bilinear groups are the basis of many of the new cryptographic protocols that
     4  // have been proposed over the past decade. They consist of a triplet of groups
     5  // (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ
     6  // is a generator of the respective group). That function is called a pairing
     7  // function.
     8  //
     9  // This package specifically implements the Optimal Ate pairing over a 256-bit
    10  // Barreto-Naehrig curve as described in
    11  // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
    12  // with the implementation described in that paper.
    13  package bn256
    14  
    15  import (
    16  	"crypto/rand"
    17  	"errors"
    18  	"io"
    19  	"math/big"
    20  )
    21  
    22  func randomK(r io.Reader) (k *big.Int, err error) {
    23  	for {
    24  		k, err = rand.Int(r, Order)
    25  		if k.Sign() > 0 || err != nil {
    26  			return
    27  		}
    28  	}
    29  }
    30  
    31  // G1 is an abstract cyclic group. The zero value is suitable for use as the
    32  // output of an operation, but cannot be used as an input.
    33  type G1 struct {
    34  	p *curvePoint
    35  }
    36  
    37  // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
    38  func RandomG1(r io.Reader) (*big.Int, *G1, error) {
    39  	k, err := randomK(r)
    40  	if err != nil {
    41  		return nil, nil, err
    42  	}
    43  
    44  	return k, new(G1).ScalarBaseMult(k), nil
    45  }
    46  
    47  func (g *G1) String() string {
    48  	return "bn256.G1" + g.p.String()
    49  }
    50  
    51  // ScalarBaseMult sets e to g*k where g is the generator of the group and then
    52  // returns e.
    53  func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
    54  	if e.p == nil {
    55  		e.p = &curvePoint{}
    56  	}
    57  	e.p.Mul(curveGen, k)
    58  	return e
    59  }
    60  
    61  // ScalarMult sets e to a*k and then returns e.
    62  func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
    63  	if e.p == nil {
    64  		e.p = &curvePoint{}
    65  	}
    66  	e.p.Mul(a.p, k)
    67  	return e
    68  }
    69  
    70  // Add sets e to a+b and then returns e.
    71  func (e *G1) Add(a, b *G1) *G1 {
    72  	if e.p == nil {
    73  		e.p = &curvePoint{}
    74  	}
    75  	e.p.Add(a.p, b.p)
    76  	return e
    77  }
    78  
    79  // Neg sets e to -a and then returns e.
    80  func (e *G1) Neg(a *G1) *G1 {
    81  	if e.p == nil {
    82  		e.p = &curvePoint{}
    83  	}
    84  	e.p.Neg(a.p)
    85  	return e
    86  }
    87  
    88  // Set sets e to a and then returns e.
    89  func (e *G1) Set(a *G1) *G1 {
    90  	if e.p == nil {
    91  		e.p = &curvePoint{}
    92  	}
    93  	e.p.Set(a.p)
    94  	return e
    95  }
    96  
    97  // Marshal converts e to a byte slice.
    98  func (e *G1) Marshal() []byte {
    99  	// Each value is a 256-bit number.
   100  	const numBytes = 256 / 8
   101  
   102  	e.p.MakeAffine()
   103  	ret := make([]byte, numBytes*2)
   104  	if e.p.IsInfinity() {
   105  		return ret
   106  	}
   107  	temp := &gfP{}
   108  
   109  	montDecode(temp, &e.p.x)
   110  	temp.Marshal(ret)
   111  	montDecode(temp, &e.p.y)
   112  	temp.Marshal(ret[numBytes:])
   113  
   114  	return ret
   115  }
   116  
   117  // Unmarshal sets e to the result of converting the output of Marshal back into
   118  // a group element and then returns e.
   119  func (e *G1) Unmarshal(m []byte) ([]byte, error) {
   120  	// Each value is a 256-bit number.
   121  	const numBytes = 256 / 8
   122  	if len(m) < 2*numBytes {
   123  		return nil, errors.New("bn256: not enough data")
   124  	}
   125  	// Unmarshal the points and check their caps
   126  	if e.p == nil {
   127  		e.p = &curvePoint{}
   128  	} else {
   129  		e.p.x, e.p.y = gfP{0}, gfP{0}
   130  	}
   131  	var err error
   132  	if err = e.p.x.Unmarshal(m); err != nil {
   133  		return nil, err
   134  	}
   135  	if err = e.p.y.Unmarshal(m[numBytes:]); err != nil {
   136  		return nil, err
   137  	}
   138  	// Encode into Montgomery form and ensure it's on the curve
   139  	montEncode(&e.p.x, &e.p.x)
   140  	montEncode(&e.p.y, &e.p.y)
   141  
   142  	zero := gfP{0}
   143  	if e.p.x == zero && e.p.y == zero {
   144  		// This is the point at infinity.
   145  		e.p.y = *newGFp(1)
   146  		e.p.z = gfP{0}
   147  		e.p.t = gfP{0}
   148  	} else {
   149  		e.p.z = *newGFp(1)
   150  		e.p.t = *newGFp(1)
   151  
   152  		if !e.p.IsOnCurve() {
   153  			return nil, errors.New("bn256: malformed point")
   154  		}
   155  	}
   156  	return m[2*numBytes:], nil
   157  }
   158  
   159  // G2 is an abstract cyclic group. The zero value is suitable for use as the
   160  // output of an operation, but cannot be used as an input.
   161  type G2 struct {
   162  	p *twistPoint
   163  }
   164  
   165  // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.
   166  func RandomG2(r io.Reader) (*big.Int, *G2, error) {
   167  	k, err := randomK(r)
   168  	if err != nil {
   169  		return nil, nil, err
   170  	}
   171  
   172  	return k, new(G2).ScalarBaseMult(k), nil
   173  }
   174  
   175  func (e *G2) String() string {
   176  	return "bn256.G2" + e.p.String()
   177  }
   178  
   179  // ScalarBaseMult sets e to g*k where g is the generator of the group and then
   180  // returns out.
   181  func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
   182  	if e.p == nil {
   183  		e.p = &twistPoint{}
   184  	}
   185  	e.p.Mul(twistGen, k)
   186  	return e
   187  }
   188  
   189  // ScalarMult sets e to a*k and then returns e.
   190  func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
   191  	if e.p == nil {
   192  		e.p = &twistPoint{}
   193  	}
   194  	e.p.Mul(a.p, k)
   195  	return e
   196  }
   197  
   198  // Add sets e to a+b and then returns e.
   199  func (e *G2) Add(a, b *G2) *G2 {
   200  	if e.p == nil {
   201  		e.p = &twistPoint{}
   202  	}
   203  	e.p.Add(a.p, b.p)
   204  	return e
   205  }
   206  
   207  // Neg sets e to -a and then returns e.
   208  func (e *G2) Neg(a *G2) *G2 {
   209  	if e.p == nil {
   210  		e.p = &twistPoint{}
   211  	}
   212  	e.p.Neg(a.p)
   213  	return e
   214  }
   215  
   216  // Set sets e to a and then returns e.
   217  func (e *G2) Set(a *G2) *G2 {
   218  	if e.p == nil {
   219  		e.p = &twistPoint{}
   220  	}
   221  	e.p.Set(a.p)
   222  	return e
   223  }
   224  
   225  // Marshal converts e into a byte slice.
   226  func (e *G2) Marshal() []byte {
   227  	// Each value is a 256-bit number.
   228  	const numBytes = 256 / 8
   229  
   230  	if e.p == nil {
   231  		e.p = &twistPoint{}
   232  	}
   233  
   234  	e.p.MakeAffine()
   235  	ret := make([]byte, numBytes*4)
   236  	if e.p.IsInfinity() {
   237  		return ret
   238  	}
   239  	temp := &gfP{}
   240  
   241  	montDecode(temp, &e.p.x.x)
   242  	temp.Marshal(ret)
   243  	montDecode(temp, &e.p.x.y)
   244  	temp.Marshal(ret[numBytes:])
   245  	montDecode(temp, &e.p.y.x)
   246  	temp.Marshal(ret[2*numBytes:])
   247  	montDecode(temp, &e.p.y.y)
   248  	temp.Marshal(ret[3*numBytes:])
   249  
   250  	return ret
   251  }
   252  
   253  // Unmarshal sets e to the result of converting the output of Marshal back into
   254  // a group element and then returns e.
   255  func (e *G2) Unmarshal(m []byte) ([]byte, error) {
   256  	// Each value is a 256-bit number.
   257  	const numBytes = 256 / 8
   258  	if len(m) < 4*numBytes {
   259  		return nil, errors.New("bn256: not enough data")
   260  	}
   261  	// Unmarshal the points and check their caps
   262  	if e.p == nil {
   263  		e.p = &twistPoint{}
   264  	}
   265  	var err error
   266  	if err = e.p.x.x.Unmarshal(m); err != nil {
   267  		return nil, err
   268  	}
   269  	if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil {
   270  		return nil, err
   271  	}
   272  	if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil {
   273  		return nil, err
   274  	}
   275  	if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil {
   276  		return nil, err
   277  	}
   278  	// Encode into Montgomery form and ensure it's on the curve
   279  	montEncode(&e.p.x.x, &e.p.x.x)
   280  	montEncode(&e.p.x.y, &e.p.x.y)
   281  	montEncode(&e.p.y.x, &e.p.y.x)
   282  	montEncode(&e.p.y.y, &e.p.y.y)
   283  
   284  	if e.p.x.IsZero() && e.p.y.IsZero() {
   285  		// This is the point at infinity.
   286  		e.p.y.SetOne()
   287  		e.p.z.SetZero()
   288  		e.p.t.SetZero()
   289  	} else {
   290  		e.p.z.SetOne()
   291  		e.p.t.SetOne()
   292  
   293  		if !e.p.IsOnCurve() {
   294  			return nil, errors.New("bn256: malformed point")
   295  		}
   296  	}
   297  	return m[4*numBytes:], nil
   298  }
   299  
   300  // GT is an abstract cyclic group. The zero value is suitable for use as the
   301  // output of an operation, but cannot be used as an input.
   302  type GT struct {
   303  	p *gfP12
   304  }
   305  
   306  // Pair calculates an Optimal Ate pairing.
   307  func Pair(g1 *G1, g2 *G2) *GT {
   308  	return &GT{optimalAte(g2.p, g1.p)}
   309  }
   310  
   311  // PairingCheck calculates the Optimal Ate pairing for a set of points.
   312  func PairingCheck(a []*G1, b []*G2) bool {
   313  	acc := new(gfP12)
   314  	acc.SetOne()
   315  
   316  	for i := 0; i < len(a); i++ {
   317  		if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
   318  			continue
   319  		}
   320  		acc.Mul(acc, miller(b[i].p, a[i].p))
   321  	}
   322  	return finalExponentiation(acc).IsOne()
   323  }
   324  
   325  // Miller applies Miller's algorithm, which is a bilinear function from the
   326  // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1,
   327  // g2).
   328  func Miller(g1 *G1, g2 *G2) *GT {
   329  	return &GT{miller(g2.p, g1.p)}
   330  }
   331  
   332  func (g *GT) String() string {
   333  	return "bn256.GT" + g.p.String()
   334  }
   335  
   336  // ScalarMult sets e to a*k and then returns e.
   337  func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
   338  	if e.p == nil {
   339  		e.p = &gfP12{}
   340  	}
   341  	e.p.Exp(a.p, k)
   342  	return e
   343  }
   344  
   345  // Add sets e to a+b and then returns e.
   346  func (e *GT) Add(a, b *GT) *GT {
   347  	if e.p == nil {
   348  		e.p = &gfP12{}
   349  	}
   350  	e.p.Mul(a.p, b.p)
   351  	return e
   352  }
   353  
   354  // Neg sets e to -a and then returns e.
   355  func (e *GT) Neg(a *GT) *GT {
   356  	if e.p == nil {
   357  		e.p = &gfP12{}
   358  	}
   359  	e.p.Conjugate(a.p)
   360  	return e
   361  }
   362  
   363  // Set sets e to a and then returns e.
   364  func (e *GT) Set(a *GT) *GT {
   365  	if e.p == nil {
   366  		e.p = &gfP12{}
   367  	}
   368  	e.p.Set(a.p)
   369  	return e
   370  }
   371  
   372  // Finalize is a linear function from F_p^12 to GT.
   373  func (e *GT) Finalize() *GT {
   374  	ret := finalExponentiation(e.p)
   375  	e.p.Set(ret)
   376  	return e
   377  }
   378  
   379  // Marshal converts e into a byte slice.
   380  func (e *GT) Marshal() []byte {
   381  	// Each value is a 256-bit number.
   382  	const numBytes = 256 / 8
   383  
   384  	ret := make([]byte, numBytes*12)
   385  	temp := &gfP{}
   386  
   387  	montDecode(temp, &e.p.x.x.x)
   388  	temp.Marshal(ret)
   389  	montDecode(temp, &e.p.x.x.y)
   390  	temp.Marshal(ret[numBytes:])
   391  	montDecode(temp, &e.p.x.y.x)
   392  	temp.Marshal(ret[2*numBytes:])
   393  	montDecode(temp, &e.p.x.y.y)
   394  	temp.Marshal(ret[3*numBytes:])
   395  	montDecode(temp, &e.p.x.z.x)
   396  	temp.Marshal(ret[4*numBytes:])
   397  	montDecode(temp, &e.p.x.z.y)
   398  	temp.Marshal(ret[5*numBytes:])
   399  	montDecode(temp, &e.p.y.x.x)
   400  	temp.Marshal(ret[6*numBytes:])
   401  	montDecode(temp, &e.p.y.x.y)
   402  	temp.Marshal(ret[7*numBytes:])
   403  	montDecode(temp, &e.p.y.y.x)
   404  	temp.Marshal(ret[8*numBytes:])
   405  	montDecode(temp, &e.p.y.y.y)
   406  	temp.Marshal(ret[9*numBytes:])
   407  	montDecode(temp, &e.p.y.z.x)
   408  	temp.Marshal(ret[10*numBytes:])
   409  	montDecode(temp, &e.p.y.z.y)
   410  	temp.Marshal(ret[11*numBytes:])
   411  
   412  	return ret
   413  }
   414  
   415  // Unmarshal sets e to the result of converting the output of Marshal back into
   416  // a group element and then returns e.
   417  func (e *GT) Unmarshal(m []byte) ([]byte, error) {
   418  	// Each value is a 256-bit number.
   419  	const numBytes = 256 / 8
   420  
   421  	if len(m) < 12*numBytes {
   422  		return nil, errors.New("bn256: not enough data")
   423  	}
   424  
   425  	if e.p == nil {
   426  		e.p = &gfP12{}
   427  	}
   428  
   429  	var err error
   430  	if err = e.p.x.x.x.Unmarshal(m); err != nil {
   431  		return nil, err
   432  	}
   433  	if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil {
   434  		return nil, err
   435  	}
   436  	if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil {
   437  		return nil, err
   438  	}
   439  	if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil {
   440  		return nil, err
   441  	}
   442  	if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil {
   443  		return nil, err
   444  	}
   445  	if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil {
   446  		return nil, err
   447  	}
   448  	if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil {
   449  		return nil, err
   450  	}
   451  	if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil {
   452  		return nil, err
   453  	}
   454  	if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil {
   455  		return nil, err
   456  	}
   457  	if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil {
   458  		return nil, err
   459  	}
   460  	if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil {
   461  		return nil, err
   462  	}
   463  	if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil {
   464  		return nil, err
   465  	}
   466  	montEncode(&e.p.x.x.x, &e.p.x.x.x)
   467  	montEncode(&e.p.x.x.y, &e.p.x.x.y)
   468  	montEncode(&e.p.x.y.x, &e.p.x.y.x)
   469  	montEncode(&e.p.x.y.y, &e.p.x.y.y)
   470  	montEncode(&e.p.x.z.x, &e.p.x.z.x)
   471  	montEncode(&e.p.x.z.y, &e.p.x.z.y)
   472  	montEncode(&e.p.y.x.x, &e.p.y.x.x)
   473  	montEncode(&e.p.y.x.y, &e.p.y.x.y)
   474  	montEncode(&e.p.y.y.x, &e.p.y.y.x)
   475  	montEncode(&e.p.y.y.y, &e.p.y.y.y)
   476  	montEncode(&e.p.y.z.x, &e.p.y.z.x)
   477  	montEncode(&e.p.y.z.y, &e.p.y.z.y)
   478  
   479  	return m[12*numBytes:], nil
   480  }