// Package bls24317 efficient elliptic curve, pairing and hash to curve implementation for bls24-317.
//
// bls24-317: A Barreto--Lynn--Scott curve
//
//	embedding degree k=24
//	seed x₀=3640754176
//	𝔽r: r=30869589236456844204538189757527902584594726589286811523515204428962673459201 (x₀^8-x₀^4+2)
//	𝔽p: p=136393071104295911515099765908274057061945112121419593977210139303905973197232025618026156731051 ((x₀-1)² ⋅ r(x₀)/3+x₀)
//	(E/𝔽p): Y²=X³+4
//	(Eₜ/𝔽p⁴): Y² = X³+4v (M-type twist)
//	r ∣ #E(Fp) and r ∣ #Eₜ(𝔽p⁴)
//
// Extension fields tower:
//
//	𝔽p²[u] = 𝔽p/u²+1
//	𝔽p⁴[v] = 𝔽p²/v²-u-1
//	𝔽p¹²[w] = 𝔽p⁴/w³-v
//	𝔽p²⁴[i] = 𝔽p¹²/i²-w
//
// optimal Ate loop size:
//
//	x₀
//
// Security: estimated 160-bit level following [https://eprint.iacr.org/2019/885.pdf]
// (r is 255 bits and p²⁴ is 7599 bits)
//
// # Warning
//
// This code has not been audited and is provided as-is. In particular, there are no security guarantees such as constant time implementation or side-channel attack resistance.
package bls24317

import (
	"math/big"

	"github.com/consensys/gnark-crypto/ecc"
	"github.com/consensys/gnark-crypto/ecc/bls24-317/fp"
	"github.com/consensys/gnark-crypto/ecc/bls24-317/fr"
	"github.com/consensys/gnark-crypto/ecc/bls24-317/internal/fptower"
)

// ID is the identifier of the bls24-317 curve in the ecc registry.
const ID = ecc.BLS24_317

// Curve and twist coefficients; all of them are written exactly once, by init.
var (
	// aCurveCoeff and bCurveCoeff are the a, b coefficients of the curve Y²=X³+ax+b.
	aCurveCoeff fp.Element
	bCurveCoeff fp.Element

	// twist is the 𝔽p⁴ element (v, see init) by which bCurveCoeff is multiplied
	// to obtain the coefficient of the M-twist Eₜ: Y²=X³+4v.
	twist fptower.E4

	// bTwistCurveCoeff is the b coefficient of the twist curve (defined over 𝔽p⁴).
	bTwistCurveCoeff fptower.E4
)

// generators of the r-torsion group, resp.
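// in ker(pi-id), ker(Tr)
var g1Gen G1Jac
var g2Gen G2Jac

var g1GenAff G1Affine
var g2GenAff G2Affine

// point at infinity, in Jacobian coordinates (X,Y,Z) = (1,1,0)
var g1Infinity G1Jac
var g2Infinity G2Jac

// LoopCounter is the optimal Ate loop counter: the 2-NAF decomposition of the
// seed x₀, little endian. It is filled once by init. Being an exported
// package-level variable it is writable by importers, who must treat it as
// read-only.
var LoopCounter [33]int8

// Parameters useful for the GLV scalar multiplication. The third roots define the
// endomorphisms ϕ₁ and ϕ₂ for <G1Affine> and <G2Affine>. lambda is such that <r, ϕ-λ> lies above
// <r> in the ring Z[ϕ]. More concretely it's the associated eigenvalue
// of ϕ₁ (resp ϕ₂) restricted to <G1Affine> (resp <G2Affine>)
// see https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/GLV.pdf
var thirdRootOneG1 fp.Element
var thirdRootOneG2 fp.Element
var lambdaGLV big.Int

// glvBasis stores R-linearly independent vectors (a,b), (c,d)
// in ker((u,v) → u+vλ[r]), and their determinant
var glvBasis ecc.Lattice

// ψ o π o ψ⁻¹, where ψ:E → E' is the degree 6 iso defined over 𝔽p¹²
var endo struct {
	u fptower.E4
	v fptower.E4
}

// seed x₀ of the curve
var xGen big.Int

// xSeed is the decimal representation of the seed x₀. It is the single source
// for both xGen and the Ate loop counter, so the two cannot drift apart.
const xSeed = "3640754176"

// mustSetFp parses the integer constant s into z.
//
// Every value passed here is a literal written in this file, so a parse
// failure is a bug in the file and not a runtime condition: it panics instead
// of silently leaving a zero element in place of a curve constant.
func mustSetFp(z *fp.Element, s string) {
	if _, err := z.SetString(s); err != nil {
		panic("bls24317: invalid curve constant " + s + ": " + err.Error())
	}
}

// mustSetBig parses the base-10 constant s into z and returns z.
// As for mustSetFp, a failure is a bug in this file and panics.
func mustSetBig(z *big.Int, s string) *big.Int {
	if _, ok := z.SetString(s, 10); !ok {
		panic("bls24317: invalid curve constant " + s)
	}
	return z
}

// init fills in every package-level curve parameter declared above.
//
// All inputs are literal constants; each parse is checked so that a typo in a
// constant fails loudly at package load instead of producing a wrong curve.
func init() {
	aCurveCoeff.SetUint64(0)
	bCurveCoeff.SetUint64(4)
	// M-twist: twist = v in 𝔽p⁴ = 𝔽p²[v], hence bTwistCurveCoeff = 4v
	twist.B1.SetOne()
	bTwistCurveCoeff.MulByElement(&twist, &bCurveCoeff)

	// E(1,y)*c
	mustSetFp(&g1Gen.X, "26261810162995192444253184251590159762050205376519976412461726336843100448942248976252388876791")
	mustSetFp(&g1Gen.Y, "26146603602820658047261036676090398397874822703333117264049387703172159980214065566219085800243")
	g1Gen.Z.SetOne()

	// E'(1,y)*c'
	// Each 𝔽p⁴ coordinate is set component-wise (B0.A0, B0.A1, B1.A0, B1.A1)
	// so that every constant goes through the checked parser.
	mustSetFp(&g2Gen.X.B0.A0, "28498404142312365002533744693556861244212064443103687717510540998257508853975496760832205123607")
	mustSetFp(&g2Gen.X.B0.A1, "104881342316154169720140745551267577558255475983798552134082689646705436288255501236462500135051")
	mustSetFp(&g2Gen.X.B1.A0, "134208762611471838850128095341317427866582025424914361408168906642550705688378271974920859507485")
	mustSetFp(&g2Gen.X.B1.A1, "47807860684290705153036437491997319116342330273104493957877398921782737166446662055996604784294")
	mustSetFp(&g2Gen.Y.B0.A0, "91516448788529060702418635560646746547369142933278847722177434542449427480796649633689953798948")
	mustSetFp(&g2Gen.Y.B0.A1, "13448671391015186163413673966297442264556781166352891049005282051703895543542296449974630011689")
	mustSetFp(&g2Gen.Y.B1.A0, "1980905665816458576882252418967038151483710575831277397652951146268622037800272983431026055487")
	mustSetFp(&g2Gen.Y.B1.A1, "134363379072057086809745572347104070037544575425956896869689256737197090432635401300100624083192")
	// Z = 1 + 0·u + (0 + 0·u)·v
	g2Gen.Z.B0.A0.SetOne()
	g2Gen.Z.B0.A1.SetZero()
	g2Gen.Z.B1.SetZero()

	g1GenAff.FromJacobian(&g1Gen)
	g2GenAff.FromJacobian(&g2Gen)

	// (X,Y,Z) = (1,1,0); Z is left at its zero value
	g1Infinity.X.SetOne()
	g1Infinity.Y.SetOne()
	g2Infinity.X.SetOne()
	g2Infinity.Y.SetOne()

	mustSetFp(&thirdRootOneG1, "112388585831426139305998878408983604164339968939599860577886592073045019257058155724801")
	thirdRootOneG2.Square(&thirdRootOneG1)
	mustSetBig(&lambdaGLV, "30869589236456844204538189757527902584770424025911415822847175497150445387776") // x₀⁸
	rMod := fr.Modulus()
	ecc.PrecomputeLattice(rMod, &lambdaGLV, &glvBasis)

	mustSetFp(&endo.u.B0.A0, "100835231576138384070271140557450756773581004948002542492497192760544145876107391019725843007951")
	mustSetFp(&endo.u.B0.A1, "100835231576138384070271140557450756773581004948002542492497192760544145876107391019725843007951")
	mustSetFp(&endo.v.B1.A0, "65063930028143676778466901566890018271632055221368035552739808236464024322431728149960968101")
	mustSetFp(&endo.v.B1.A1, "65063930028143676778466901566890018271632055221368035552739808236464024322431728149960968101")

	// 2-NAF decomposition of x₀ little endian. A separate big.Int is handed to
	// NafDecomposition so that xGen is never passed to a routine that might
	// modify it.
	optimalAteLoop := mustSetBig(new(big.Int), xSeed)
	ecc.NafDecomposition(optimalAteLoop, LoopCounter[:])

	// x₀
	mustSetBig(&xGen, xSeed)
}

// Generators returns the generators of the r-torsion group,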
// resp. in ker(pi-id), ker(Tr)
//
// The results are returned by value; the package-level generators themselves
// are never handed out.
func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine) {
	return g1Gen, g2Gen, g1GenAff, g2GenAff
}

// CurveCoefficients returns the a, b coefficients of the curve equation Y²=X³+ax+b.
func CurveCoefficients() (a, b fp.Element) {
	a, b = aCurveCoeff, bCurveCoeff
	return
}