github.com/c2s/go-ethereum@v1.9.7/crypto/bn256/cloudflare/bn256.go (about) 1 // Package bn256 implements a particular bilinear group at the 128-bit security 2 // level. 3 // 4 // Bilinear groups are the basis of many of the new cryptographic protocols that 5 // have been proposed over the past decade. They consist of a triplet of groups 6 // (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ 7 // is a generator of the respective group). That function is called a pairing 8 // function. 9 // 10 // This package specifically implements the Optimal Ate pairing over a 256-bit 11 // Barreto-Naehrig curve as described in 12 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible 13 // with the implementation described in that paper. 14 package bn256 15 16 import ( 17 "crypto/rand" 18 "errors" 19 "io" 20 "math/big" 21 ) 22 23 func randomK(r io.Reader) (k *big.Int, err error) { 24 for { 25 k, err = rand.Int(r, Order) 26 if k.Sign() > 0 || err != nil { 27 return 28 } 29 } 30 } 31 32 // G1 is an abstract cyclic group. The zero value is suitable for use as the 33 // output of an operation, but cannot be used as an input. 34 type G1 struct { 35 p *curvePoint 36 } 37 38 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 39 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 40 k, err := randomK(r) 41 if err != nil { 42 return nil, nil, err 43 } 44 45 return k, new(G1).ScalarBaseMult(k), nil 46 } 47 48 func (g *G1) String() string { 49 return "bn256.G1" + g.p.String() 50 } 51 52 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 53 // returns e. 54 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 55 if e.p == nil { 56 e.p = &curvePoint{} 57 } 58 e.p.Mul(curveGen, k) 59 return e 60 } 61 62 // ScalarMult sets e to a*k and then returns e. 63 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 64 if e.p == nil { 65 e.p = &curvePoint{} 66 } 67 e.p.Mul(a.p, k) 68 return e 69 } 70 71 // Add sets e to a+b and then returns e. 72 func (e *G1) Add(a, b *G1) *G1 { 73 if e.p == nil { 74 e.p = &curvePoint{} 75 } 76 e.p.Add(a.p, b.p) 77 return e 78 } 79 80 // Neg sets e to -a and then returns e. 81 func (e *G1) Neg(a *G1) *G1 { 82 if e.p == nil { 83 e.p = &curvePoint{} 84 } 85 e.p.Neg(a.p) 86 return e 87 } 88 89 // Set sets e to a and then returns e. 90 func (e *G1) Set(a *G1) *G1 { 91 if e.p == nil { 92 e.p = &curvePoint{} 93 } 94 e.p.Set(a.p) 95 return e 96 } 97 98 // Marshal converts e to a byte slice. 99 func (e *G1) Marshal() []byte { 100 // Each value is a 256-bit number. 101 const numBytes = 256 / 8 102 103 if e.p == nil { 104 e.p = &curvePoint{} 105 } 106 107 e.p.MakeAffine() 108 ret := make([]byte, numBytes*2) 109 if e.p.IsInfinity() { 110 return ret 111 } 112 temp := &gfP{} 113 114 montDecode(temp, &e.p.x) 115 temp.Marshal(ret) 116 montDecode(temp, &e.p.y) 117 temp.Marshal(ret[numBytes:]) 118 119 return ret 120 } 121 122 // Unmarshal sets e to the result of converting the output of Marshal back into 123 // a group element and then returns e. 124 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 125 // Each value is a 256-bit number. 126 const numBytes = 256 / 8 127 if len(m) < 2*numBytes { 128 return nil, errors.New("bn256: not enough data") 129 } 130 // Unmarshal the points and check their caps 131 if e.p == nil { 132 e.p = &curvePoint{} 133 } else { 134 e.p.x, e.p.y = gfP{0}, gfP{0} 135 } 136 var err error 137 if err = e.p.x.Unmarshal(m); err != nil { 138 return nil, err 139 } 140 if err = e.p.y.Unmarshal(m[numBytes:]); err != nil { 141 return nil, err 142 } 143 // Encode into Montgomery form and ensure it's on the curve 144 montEncode(&e.p.x, &e.p.x) 145 montEncode(&e.p.y, &e.p.y) 146 147 zero := gfP{0} 148 if e.p.x == zero && e.p.y == zero { 149 // This is the point at infinity. 150 e.p.y = *newGFp(1) 151 e.p.z = gfP{0} 152 e.p.t = gfP{0} 153 } else { 154 e.p.z = *newGFp(1) 155 e.p.t = *newGFp(1) 156 157 if !e.p.IsOnCurve() { 158 return nil, errors.New("bn256: malformed point") 159 } 160 } 161 return m[2*numBytes:], nil 162 } 163 164 // G2 is an abstract cyclic group. The zero value is suitable for use as the 165 // output of an operation, but cannot be used as an input. 166 type G2 struct { 167 p *twistPoint 168 } 169 170 // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r. 171 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 172 k, err := randomK(r) 173 if err != nil { 174 return nil, nil, err 175 } 176 177 return k, new(G2).ScalarBaseMult(k), nil 178 } 179 180 func (e *G2) String() string { 181 return "bn256.G2" + e.p.String() 182 } 183 184 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 185 // returns out. 186 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 187 if e.p == nil { 188 e.p = &twistPoint{} 189 } 190 e.p.Mul(twistGen, k) 191 return e 192 } 193 194 // ScalarMult sets e to a*k and then returns e. 195 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 196 if e.p == nil { 197 e.p = &twistPoint{} 198 } 199 e.p.Mul(a.p, k) 200 return e 201 } 202 203 // Add sets e to a+b and then returns e. 204 func (e *G2) Add(a, b *G2) *G2 { 205 if e.p == nil { 206 e.p = &twistPoint{} 207 } 208 e.p.Add(a.p, b.p) 209 return e 210 } 211 212 // Neg sets e to -a and then returns e. 213 func (e *G2) Neg(a *G2) *G2 { 214 if e.p == nil { 215 e.p = &twistPoint{} 216 } 217 e.p.Neg(a.p) 218 return e 219 } 220 221 // Set sets e to a and then returns e. 222 func (e *G2) Set(a *G2) *G2 { 223 if e.p == nil { 224 e.p = &twistPoint{} 225 } 226 e.p.Set(a.p) 227 return e 228 } 229 230 // Marshal converts e into a byte slice. 231 func (e *G2) Marshal() []byte { 232 // Each value is a 256-bit number. 233 const numBytes = 256 / 8 234 235 if e.p == nil { 236 e.p = &twistPoint{} 237 } 238 239 e.p.MakeAffine() 240 ret := make([]byte, numBytes*4) 241 if e.p.IsInfinity() { 242 return ret 243 } 244 temp := &gfP{} 245 246 montDecode(temp, &e.p.x.x) 247 temp.Marshal(ret) 248 montDecode(temp, &e.p.x.y) 249 temp.Marshal(ret[numBytes:]) 250 montDecode(temp, &e.p.y.x) 251 temp.Marshal(ret[2*numBytes:]) 252 montDecode(temp, &e.p.y.y) 253 temp.Marshal(ret[3*numBytes:]) 254 255 return ret 256 } 257 258 // Unmarshal sets e to the result of converting the output of Marshal back into 259 // a group element and then returns e. 260 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 261 // Each value is a 256-bit number. 262 const numBytes = 256 / 8 263 if len(m) < 4*numBytes { 264 return nil, errors.New("bn256: not enough data") 265 } 266 // Unmarshal the points and check their caps 267 if e.p == nil { 268 e.p = &twistPoint{} 269 } 270 var err error 271 if err = e.p.x.x.Unmarshal(m); err != nil { 272 return nil, err 273 } 274 if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil { 275 return nil, err 276 } 277 if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil { 278 return nil, err 279 } 280 if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil { 281 return nil, err 282 } 283 // Encode into Montgomery form and ensure it's on the curve 284 montEncode(&e.p.x.x, &e.p.x.x) 285 montEncode(&e.p.x.y, &e.p.x.y) 286 montEncode(&e.p.y.x, &e.p.y.x) 287 montEncode(&e.p.y.y, &e.p.y.y) 288 289 if e.p.x.IsZero() && e.p.y.IsZero() { 290 // This is the point at infinity. 291 e.p.y.SetOne() 292 e.p.z.SetZero() 293 e.p.t.SetZero() 294 } else { 295 e.p.z.SetOne() 296 e.p.t.SetOne() 297 298 if !e.p.IsOnCurve() { 299 return nil, errors.New("bn256: malformed point") 300 } 301 } 302 return m[4*numBytes:], nil 303 } 304 305 // GT is an abstract cyclic group. The zero value is suitable for use as the 306 // output of an operation, but cannot be used as an input. 307 type GT struct { 308 p *gfP12 309 } 310 311 // Pair calculates an Optimal Ate pairing. 312 func Pair(g1 *G1, g2 *G2) *GT { 313 return >{optimalAte(g2.p, g1.p)} 314 } 315 316 // PairingCheck calculates the Optimal Ate pairing for a set of points. 317 func PairingCheck(a []*G1, b []*G2) bool { 318 acc := new(gfP12) 319 acc.SetOne() 320 321 for i := 0; i < len(a); i++ { 322 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 323 continue 324 } 325 acc.Mul(acc, miller(b[i].p, a[i].p)) 326 } 327 return finalExponentiation(acc).IsOne() 328 } 329 330 // Miller applies Miller's algorithm, which is a bilinear function from the 331 // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, 332 // g2). 333 func Miller(g1 *G1, g2 *G2) *GT { 334 return >{miller(g2.p, g1.p)} 335 } 336 337 func (g *GT) String() string { 338 return "bn256.GT" + g.p.String() 339 } 340 341 // ScalarMult sets e to a*k and then returns e. 342 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 343 if e.p == nil { 344 e.p = &gfP12{} 345 } 346 e.p.Exp(a.p, k) 347 return e 348 } 349 350 // Add sets e to a+b and then returns e. 351 func (e *GT) Add(a, b *GT) *GT { 352 if e.p == nil { 353 e.p = &gfP12{} 354 } 355 e.p.Mul(a.p, b.p) 356 return e 357 } 358 359 // Neg sets e to -a and then returns e. 360 func (e *GT) Neg(a *GT) *GT { 361 if e.p == nil { 362 e.p = &gfP12{} 363 } 364 e.p.Conjugate(a.p) 365 return e 366 } 367 368 // Set sets e to a and then returns e. 369 func (e *GT) Set(a *GT) *GT { 370 if e.p == nil { 371 e.p = &gfP12{} 372 } 373 e.p.Set(a.p) 374 return e 375 } 376 377 // Finalize is a linear function from F_p^12 to GT. 378 func (e *GT) Finalize() *GT { 379 ret := finalExponentiation(e.p) 380 e.p.Set(ret) 381 return e 382 } 383 384 // Marshal converts e into a byte slice. 385 func (e *GT) Marshal() []byte { 386 // Each value is a 256-bit number. 387 const numBytes = 256 / 8 388 389 if e.p == nil { 390 e.p = &gfP12{} 391 e.p.SetOne() 392 } 393 394 ret := make([]byte, numBytes*12) 395 temp := &gfP{} 396 397 montDecode(temp, &e.p.x.x.x) 398 temp.Marshal(ret) 399 montDecode(temp, &e.p.x.x.y) 400 temp.Marshal(ret[numBytes:]) 401 montDecode(temp, &e.p.x.y.x) 402 temp.Marshal(ret[2*numBytes:]) 403 montDecode(temp, &e.p.x.y.y) 404 temp.Marshal(ret[3*numBytes:]) 405 montDecode(temp, &e.p.x.z.x) 406 temp.Marshal(ret[4*numBytes:]) 407 montDecode(temp, &e.p.x.z.y) 408 temp.Marshal(ret[5*numBytes:]) 409 montDecode(temp, &e.p.y.x.x) 410 temp.Marshal(ret[6*numBytes:]) 411 montDecode(temp, &e.p.y.x.y) 412 temp.Marshal(ret[7*numBytes:]) 413 montDecode(temp, &e.p.y.y.x) 414 temp.Marshal(ret[8*numBytes:]) 415 montDecode(temp, &e.p.y.y.y) 416 temp.Marshal(ret[9*numBytes:]) 417 montDecode(temp, &e.p.y.z.x) 418 temp.Marshal(ret[10*numBytes:]) 419 montDecode(temp, &e.p.y.z.y) 420 temp.Marshal(ret[11*numBytes:]) 421 422 return ret 423 } 424 425 // Unmarshal sets e to the result of converting the output of Marshal back into 426 // a group element and then returns e. 427 func (e *GT) Unmarshal(m []byte) ([]byte, error) { 428 // Each value is a 256-bit number. 429 const numBytes = 256 / 8 430 431 if len(m) < 12*numBytes { 432 return nil, errors.New("bn256: not enough data") 433 } 434 435 if e.p == nil { 436 e.p = &gfP12{} 437 } 438 439 var err error 440 if err = e.p.x.x.x.Unmarshal(m); err != nil { 441 return nil, err 442 } 443 if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil { 444 return nil, err 445 } 446 if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil { 447 return nil, err 448 } 449 if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil { 450 return nil, err 451 } 452 if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil { 453 return nil, err 454 } 455 if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil { 456 return nil, err 457 } 458 if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil { 459 return nil, err 460 } 461 if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil { 462 return nil, err 463 } 464 if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil { 465 return nil, err 466 } 467 if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil { 468 return nil, err 469 } 470 if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil { 471 return nil, err 472 } 473 if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil { 474 return nil, err 475 } 476 montEncode(&e.p.x.x.x, &e.p.x.x.x) 477 montEncode(&e.p.x.x.y, &e.p.x.x.y) 478 montEncode(&e.p.x.y.x, &e.p.x.y.x) 479 montEncode(&e.p.x.y.y, &e.p.x.y.y) 480 montEncode(&e.p.x.z.x, &e.p.x.z.x) 481 montEncode(&e.p.x.z.y, &e.p.x.z.y) 482 montEncode(&e.p.y.x.x, &e.p.y.x.x) 483 montEncode(&e.p.y.x.y, &e.p.y.x.y) 484 montEncode(&e.p.y.y.x, &e.p.y.y.x) 485 montEncode(&e.p.y.y.y, &e.p.y.y.y) 486 montEncode(&e.p.y.z.x, &e.p.y.z.x) 487 montEncode(&e.p.y.z.y, &e.p.y.z.y) 488 489 return m[12*numBytes:], nil 490 }