github.com/core-coin/go-core/v2@v2.1.9/crypto/bn256/google/bn256.go (about)

     1  // Copyright 2012 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package bn256 implements a particular bilinear group.
     6  //
     7  // Bilinear groups are the basis of many of the new cryptographic protocols
     8  // that have been proposed over the past decade. They consist of a triplet of
     9  // groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ
    10  // (where gₓ is a generator of the respective group). That function is called
    11  // a pairing function.
    12  //
    13  // This package specifically implements the Optimal Ate pairing over a 256-bit
    14  // Barreto-Naehrig curve as described in
    15  // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is not
    16  // compatible with the implementation described in that paper, as different
    17  // parameters are chosen.
    18  //
    19  // (This package previously claimed to operate at a 128-bit security level.
    20  // However, recent improvements in attacks mean that is no longer true. See
    21  // https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
    22  package bn256
    23  
    24  import (
    25  	"crypto/rand"
    26  	"errors"
    27  	"io"
    28  	"math/big"
    29  )
    30  
    31  // BUG(raisty): this implementation is not constant time.
    32  // TODO(raisty): keep GF(p²) elements in Mongomery form.
    33  
    34  // G1 is an abstract cyclic group. The zero value is suitable for use as the
    35  // output of an operation, but cannot be used as an input.
    36  type G1 struct {
    37  	p *curvePoint
    38  }
    39  
    40  // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
    41  func RandomG1(r io.Reader) (*big.Int, *G1, error) {
    42  	var k *big.Int
    43  	var err error
    44  
    45  	for {
    46  		k, err = rand.Int(r, Order)
    47  		if err != nil {
    48  			return nil, nil, err
    49  		}
    50  		if k.Sign() > 0 {
    51  			break
    52  		}
    53  	}
    54  
    55  	return k, new(G1).ScalarBaseMult(k), nil
    56  }
    57  
    58  func (e *G1) String() string {
    59  	return "bn256.G1" + e.p.String()
    60  }
    61  
    62  // CurvePoints returns p's curve points in big integer
    63  func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int) {
    64  	return e.p.x, e.p.y, e.p.z, e.p.t
    65  }
    66  
    67  // ScalarBaseMult sets e to g*k where g is the generator of the group and
    68  // then returns e.
    69  func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
    70  	if e.p == nil {
    71  		e.p = newCurvePoint(nil)
    72  	}
    73  	e.p.Mul(curveGen, k, new(bnPool))
    74  	return e
    75  }
    76  
    77  // ScalarMult sets e to a*k and then returns e.
    78  func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
    79  	if e.p == nil {
    80  		e.p = newCurvePoint(nil)
    81  	}
    82  	e.p.Mul(a.p, k, new(bnPool))
    83  	return e
    84  }
    85  
    86  // Add sets e to a+b and then returns e.
    87  // BUG(raisty): this function is not complete: a==b fails.
    88  func (e *G1) Add(a, b *G1) *G1 {
    89  	if e.p == nil {
    90  		e.p = newCurvePoint(nil)
    91  	}
    92  	e.p.Add(a.p, b.p, new(bnPool))
    93  	return e
    94  }
    95  
    96  // Neg sets e to -a and then returns e.
    97  func (e *G1) Neg(a *G1) *G1 {
    98  	if e.p == nil {
    99  		e.p = newCurvePoint(nil)
   100  	}
   101  	e.p.Negative(a.p)
   102  	return e
   103  }
   104  
   105  // Marshal converts n to a byte slice.
   106  func (e *G1) Marshal() []byte {
   107  	// Each value is a 256-bit number.
   108  	const numBytes = 256 / 8
   109  
   110  	if e.p.IsInfinity() {
   111  		return make([]byte, numBytes*2)
   112  	}
   113  
   114  	e.p.MakeAffine(nil)
   115  
   116  	xBytes := new(big.Int).Mod(e.p.x, P).Bytes()
   117  	yBytes := new(big.Int).Mod(e.p.y, P).Bytes()
   118  
   119  	ret := make([]byte, numBytes*2)
   120  	copy(ret[1*numBytes-len(xBytes):], xBytes)
   121  	copy(ret[2*numBytes-len(yBytes):], yBytes)
   122  
   123  	return ret
   124  }
   125  
   126  // Unmarshal sets e to the result of converting the output of Marshal back into
   127  // a group element and then returns e.
   128  func (e *G1) Unmarshal(m []byte) ([]byte, error) {
   129  	// Each value is a 256-bit number.
   130  	const numBytes = 256 / 8
   131  	if len(m) != 2*numBytes {
   132  		return nil, errors.New("bn256: not enough data")
   133  	}
   134  	// Unmarshal the points and check their caps
   135  	if e.p == nil {
   136  		e.p = newCurvePoint(nil)
   137  	}
   138  	e.p.x.SetBytes(m[0*numBytes : 1*numBytes])
   139  	if e.p.x.Cmp(P) >= 0 {
   140  		return nil, errors.New("bn256: coordinate exceeds modulus")
   141  	}
   142  	e.p.y.SetBytes(m[1*numBytes : 2*numBytes])
   143  	if e.p.y.Cmp(P) >= 0 {
   144  		return nil, errors.New("bn256: coordinate exceeds modulus")
   145  	}
   146  	// Ensure the point is on the curve
   147  	if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 {
   148  		// This is the point at infinity.
   149  		e.p.y.SetInt64(1)
   150  		e.p.z.SetInt64(0)
   151  		e.p.t.SetInt64(0)
   152  	} else {
   153  		e.p.z.SetInt64(1)
   154  		e.p.t.SetInt64(1)
   155  
   156  		if !e.p.IsOnCurve() {
   157  			return nil, errors.New("bn256: malformed point")
   158  		}
   159  	}
   160  	return m[2*numBytes:], nil
   161  }
   162  
   163  // G2 is an abstract cyclic group. The zero value is suitable for use as the
   164  // output of an operation, but cannot be used as an input.
   165  type G2 struct {
   166  	p *twistPoint
   167  }
   168  
   169  // RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r.
   170  func RandomG2(r io.Reader) (*big.Int, *G2, error) {
   171  	var k *big.Int
   172  	var err error
   173  
   174  	for {
   175  		k, err = rand.Int(r, Order)
   176  		if err != nil {
   177  			return nil, nil, err
   178  		}
   179  		if k.Sign() > 0 {
   180  			break
   181  		}
   182  	}
   183  
   184  	return k, new(G2).ScalarBaseMult(k), nil
   185  }
   186  
   187  func (e *G2) String() string {
   188  	return "bn256.G2" + e.p.String()
   189  }
   190  
   191  // CurvePoints returns the curve points of p which includes the real
   192  // and imaginary parts of the curve point.
   193  func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2) {
   194  	return e.p.x, e.p.y, e.p.z, e.p.t
   195  }
   196  
   197  // ScalarBaseMult sets e to g*k where g is the generator of the group and
   198  // then returns out.
   199  func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
   200  	if e.p == nil {
   201  		e.p = newTwistPoint(nil)
   202  	}
   203  	e.p.Mul(twistGen, k, new(bnPool))
   204  	return e
   205  }
   206  
   207  // ScalarMult sets e to a*k and then returns e.
   208  func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
   209  	if e.p == nil {
   210  		e.p = newTwistPoint(nil)
   211  	}
   212  	e.p.Mul(a.p, k, new(bnPool))
   213  	return e
   214  }
   215  
   216  // Add sets e to a+b and then returns e.
   217  // BUG(raisty): this function is not complete: a==b fails.
   218  func (e *G2) Add(a, b *G2) *G2 {
   219  	if e.p == nil {
   220  		e.p = newTwistPoint(nil)
   221  	}
   222  	e.p.Add(a.p, b.p, new(bnPool))
   223  	return e
   224  }
   225  
   226  // Marshal converts n into a byte slice.
   227  func (n *G2) Marshal() []byte {
   228  	// Each value is a 256-bit number.
   229  	const numBytes = 256 / 8
   230  
   231  	if n.p.IsInfinity() {
   232  		return make([]byte, numBytes*4)
   233  	}
   234  
   235  	n.p.MakeAffine(nil)
   236  
   237  	xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes()
   238  	xyBytes := new(big.Int).Mod(n.p.x.y, P).Bytes()
   239  	yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes()
   240  	yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes()
   241  
   242  	ret := make([]byte, numBytes*4)
   243  	copy(ret[1*numBytes-len(xxBytes):], xxBytes)
   244  	copy(ret[2*numBytes-len(xyBytes):], xyBytes)
   245  	copy(ret[3*numBytes-len(yxBytes):], yxBytes)
   246  	copy(ret[4*numBytes-len(yyBytes):], yyBytes)
   247  
   248  	return ret
   249  }
   250  
   251  // Unmarshal sets e to the result of converting the output of Marshal back into
   252  // a group element and then returns e.
   253  func (e *G2) Unmarshal(m []byte) ([]byte, error) {
   254  	// Each value is a 256-bit number.
   255  	const numBytes = 256 / 8
   256  	if len(m) != 4*numBytes {
   257  		return nil, errors.New("bn256: not enough data")
   258  	}
   259  	// Unmarshal the points and check their caps
   260  	if e.p == nil {
   261  		e.p = newTwistPoint(nil)
   262  	}
   263  	e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes])
   264  	if e.p.x.x.Cmp(P) >= 0 {
   265  		return nil, errors.New("bn256: coordinate exceeds modulus")
   266  	}
   267  	e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes])
   268  	if e.p.x.y.Cmp(P) >= 0 {
   269  		return nil, errors.New("bn256: coordinate exceeds modulus")
   270  	}
   271  	e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes])
   272  	if e.p.y.x.Cmp(P) >= 0 {
   273  		return nil, errors.New("bn256: coordinate exceeds modulus")
   274  	}
   275  	e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes])
   276  	if e.p.y.y.Cmp(P) >= 0 {
   277  		return nil, errors.New("bn256: coordinate exceeds modulus")
   278  	}
   279  	// Ensure the point is on the curve
   280  	if e.p.x.x.Sign() == 0 &&
   281  		e.p.x.y.Sign() == 0 &&
   282  		e.p.y.x.Sign() == 0 &&
   283  		e.p.y.y.Sign() == 0 {
   284  		// This is the point at infinity.
   285  		e.p.y.SetOne()
   286  		e.p.z.SetZero()
   287  		e.p.t.SetZero()
   288  	} else {
   289  		e.p.z.SetOne()
   290  		e.p.t.SetOne()
   291  
   292  		if !e.p.IsOnCurve() {
   293  			return nil, errors.New("bn256: malformed point")
   294  		}
   295  	}
   296  	return m[4*numBytes:], nil
   297  }
   298  
   299  // GT is an abstract cyclic group. The zero value is suitable for use as the
   300  // output of an operation, but cannot be used as an input.
   301  type GT struct {
   302  	p *gfP12
   303  }
   304  
   305  func (g *GT) String() string {
   306  	return "bn256.GT" + g.p.String()
   307  }
   308  
   309  // ScalarMult sets e to a*k and then returns e.
   310  func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
   311  	if e.p == nil {
   312  		e.p = newGFp12(nil)
   313  	}
   314  	e.p.Exp(a.p, k, new(bnPool))
   315  	return e
   316  }
   317  
   318  // Add sets e to a+b and then returns e.
   319  func (e *GT) Add(a, b *GT) *GT {
   320  	if e.p == nil {
   321  		e.p = newGFp12(nil)
   322  	}
   323  	e.p.Mul(a.p, b.p, new(bnPool))
   324  	return e
   325  }
   326  
   327  // Neg sets e to -a and then returns e.
   328  func (e *GT) Neg(a *GT) *GT {
   329  	if e.p == nil {
   330  		e.p = newGFp12(nil)
   331  	}
   332  	e.p.Invert(a.p, new(bnPool))
   333  	return e
   334  }
   335  
   336  // Marshal converts n into a byte slice.
   337  func (n *GT) Marshal() []byte {
   338  	n.p.Minimal()
   339  
   340  	xxxBytes := n.p.x.x.x.Bytes()
   341  	xxyBytes := n.p.x.x.y.Bytes()
   342  	xyxBytes := n.p.x.y.x.Bytes()
   343  	xyyBytes := n.p.x.y.y.Bytes()
   344  	xzxBytes := n.p.x.z.x.Bytes()
   345  	xzyBytes := n.p.x.z.y.Bytes()
   346  	yxxBytes := n.p.y.x.x.Bytes()
   347  	yxyBytes := n.p.y.x.y.Bytes()
   348  	yyxBytes := n.p.y.y.x.Bytes()
   349  	yyyBytes := n.p.y.y.y.Bytes()
   350  	yzxBytes := n.p.y.z.x.Bytes()
   351  	yzyBytes := n.p.y.z.y.Bytes()
   352  
   353  	// Each value is a 256-bit number.
   354  	const numBytes = 256 / 8
   355  
   356  	ret := make([]byte, numBytes*12)
   357  	copy(ret[1*numBytes-len(xxxBytes):], xxxBytes)
   358  	copy(ret[2*numBytes-len(xxyBytes):], xxyBytes)
   359  	copy(ret[3*numBytes-len(xyxBytes):], xyxBytes)
   360  	copy(ret[4*numBytes-len(xyyBytes):], xyyBytes)
   361  	copy(ret[5*numBytes-len(xzxBytes):], xzxBytes)
   362  	copy(ret[6*numBytes-len(xzyBytes):], xzyBytes)
   363  	copy(ret[7*numBytes-len(yxxBytes):], yxxBytes)
   364  	copy(ret[8*numBytes-len(yxyBytes):], yxyBytes)
   365  	copy(ret[9*numBytes-len(yyxBytes):], yyxBytes)
   366  	copy(ret[10*numBytes-len(yyyBytes):], yyyBytes)
   367  	copy(ret[11*numBytes-len(yzxBytes):], yzxBytes)
   368  	copy(ret[12*numBytes-len(yzyBytes):], yzyBytes)
   369  
   370  	return ret
   371  }
   372  
   373  // Unmarshal sets e to the result of converting the output of Marshal back into
   374  // a group element and then returns e.
   375  func (e *GT) Unmarshal(m []byte) (*GT, bool) {
   376  	// Each value is a 256-bit number.
   377  	const numBytes = 256 / 8
   378  
   379  	if len(m) != 12*numBytes {
   380  		return nil, false
   381  	}
   382  
   383  	if e.p == nil {
   384  		e.p = newGFp12(nil)
   385  	}
   386  
   387  	e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes])
   388  	e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes])
   389  	e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes])
   390  	e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes])
   391  	e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes])
   392  	e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes])
   393  	e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes])
   394  	e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes])
   395  	e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes])
   396  	e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes])
   397  	e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes])
   398  	e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes])
   399  
   400  	return e, true
   401  }
   402  
   403  // Pair calculates an Optimal Ate pairing.
   404  func Pair(g1 *G1, g2 *G2) *GT {
   405  	return &GT{optimalAte(g2.p, g1.p, new(bnPool))}
   406  }
   407  
   408  // PairingCheck calculates the Optimal Ate pairing for a set of points.
   409  func PairingCheck(a []*G1, b []*G2) bool {
   410  	pool := new(bnPool)
   411  
   412  	acc := newGFp12(pool)
   413  	acc.SetOne()
   414  
   415  	for i := 0; i < len(a); i++ {
   416  		if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
   417  			continue
   418  		}
   419  		acc.Mul(acc, miller(b[i].p, a[i].p, pool), pool)
   420  	}
   421  	ret := finalExponentiation(acc, pool)
   422  	acc.Put(pool)
   423  
   424  	return ret.IsOne()
   425  }
   426  
   427  // bnPool implements a tiny cache of *big.Int objects that's used to reduce the
   428  // number of allocations made during processing.
   429  type bnPool struct {
   430  	bns   []*big.Int
   431  	count int
   432  }
   433  
   434  func (pool *bnPool) Get() *big.Int {
   435  	if pool == nil {
   436  		return new(big.Int)
   437  	}
   438  
   439  	pool.count++
   440  	l := len(pool.bns)
   441  	if l == 0 {
   442  		return new(big.Int)
   443  	}
   444  
   445  	bn := pool.bns[l-1]
   446  	pool.bns = pool.bns[:l-1]
   447  	return bn
   448  }
   449  
   450  func (pool *bnPool) Put(bn *big.Int) {
   451  	if pool == nil {
   452  		return
   453  	}
   454  	pool.bns = append(pool.bns, bn)
   455  	pool.count--
   456  }
   457  
   458  func (pool *bnPool) Count() int {
   459  	return pool.count
   460  }