github.com/ebceco/ebc@v1.8.19-0.20190309150932-8cb0b9e06484/crypto/bn256/cloudflare/bn256.go (about) 1 // Package bn256 implements a particular bilinear group at the 128-bit security 2 // level. 3 // 4 // Bilinear groups are the basis of many of the new cryptographic protocols that 5 // have been proposed over the past decade. They consist of a triplet of groups 6 // (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ 7 // is a generator of the respective group). That function is called a pairing 8 // function. 9 // 10 // This package specifically implements the Optimal Ate pairing over a 256-bit 11 // Barreto-Naehrig curve as described in 12 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible 13 // with the implementation described in that paper. 14 package bn256 15 16 import ( 17 "crypto/rand" 18 "errors" 19 "io" 20 "math/big" 21 ) 22 23 func randomK(r io.Reader) (k *big.Int, err error) { 24 for { 25 k, err = rand.Int(r, Order) 26 if k.Sign() > 0 || err != nil { 27 return 28 } 29 } 30 } 31 32 // G1 is an abstract cyclic group. The zero value is suitable for use as the 33 // output of an operation, but cannot be used as an input. 34 type G1 struct { 35 p *curvePoint 36 } 37 38 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 39 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 40 k, err := randomK(r) 41 if err != nil { 42 return nil, nil, err 43 } 44 45 return k, new(G1).ScalarBaseMult(k), nil 46 } 47 48 func (g *G1) String() string { 49 return "bn256.G1" + g.p.String() 50 } 51 52 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 53 // returns e. 54 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 55 if e.p == nil { 56 e.p = &curvePoint{} 57 } 58 e.p.Mul(curveGen, k) 59 return e 60 } 61 62 // ScalarMult sets e to a*k and then returns e. 63 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 64 if e.p == nil { 65 e.p = &curvePoint{} 66 } 67 e.p.Mul(a.p, k) 68 return e 69 } 70 71 // Add sets e to a+b and then returns e. 72 func (e *G1) Add(a, b *G1) *G1 { 73 if e.p == nil { 74 e.p = &curvePoint{} 75 } 76 e.p.Add(a.p, b.p) 77 return e 78 } 79 80 // Neg sets e to -a and then returns e. 81 func (e *G1) Neg(a *G1) *G1 { 82 if e.p == nil { 83 e.p = &curvePoint{} 84 } 85 e.p.Neg(a.p) 86 return e 87 } 88 89 // Set sets e to a and then returns e. 90 func (e *G1) Set(a *G1) *G1 { 91 if e.p == nil { 92 e.p = &curvePoint{} 93 } 94 e.p.Set(a.p) 95 return e 96 } 97 98 // Marshal converts e to a byte slice. 99 func (e *G1) Marshal() []byte { 100 // Each value is a 256-bit number. 101 const numBytes = 256 / 8 102 103 e.p.MakeAffine() 104 ret := make([]byte, numBytes*2) 105 if e.p.IsInfinity() { 106 return ret 107 } 108 temp := &gfP{} 109 110 montDecode(temp, &e.p.x) 111 temp.Marshal(ret) 112 montDecode(temp, &e.p.y) 113 temp.Marshal(ret[numBytes:]) 114 115 return ret 116 } 117 118 // Unmarshal sets e to the result of converting the output of Marshal back into 119 // a group element and then returns e. 120 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 121 // Each value is a 256-bit number. 122 const numBytes = 256 / 8 123 if len(m) < 2*numBytes { 124 return nil, errors.New("bn256: not enough data") 125 } 126 // Unmarshal the points and check their caps 127 if e.p == nil { 128 e.p = &curvePoint{} 129 } else { 130 e.p.x, e.p.y = gfP{0}, gfP{0} 131 } 132 var err error 133 if err = e.p.x.Unmarshal(m); err != nil { 134 return nil, err 135 } 136 if err = e.p.y.Unmarshal(m[numBytes:]); err != nil { 137 return nil, err 138 } 139 // Encode into Montgomery form and ensure it's on the curve 140 montEncode(&e.p.x, &e.p.x) 141 montEncode(&e.p.y, &e.p.y) 142 143 zero := gfP{0} 144 if e.p.x == zero && e.p.y == zero { 145 // This is the point at infinity. 146 e.p.y = *newGFp(1) 147 e.p.z = gfP{0} 148 e.p.t = gfP{0} 149 } else { 150 e.p.z = *newGFp(1) 151 e.p.t = *newGFp(1) 152 153 if !e.p.IsOnCurve() { 154 return nil, errors.New("bn256: malformed point") 155 } 156 } 157 return m[2*numBytes:], nil 158 } 159 160 // G2 is an abstract cyclic group. The zero value is suitable for use as the 161 // output of an operation, but cannot be used as an input. 162 type G2 struct { 163 p *twistPoint 164 } 165 166 // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r. 167 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 168 k, err := randomK(r) 169 if err != nil { 170 return nil, nil, err 171 } 172 173 return k, new(G2).ScalarBaseMult(k), nil 174 } 175 176 func (e *G2) String() string { 177 return "bn256.G2" + e.p.String() 178 } 179 180 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 181 // returns out. 182 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 183 if e.p == nil { 184 e.p = &twistPoint{} 185 } 186 e.p.Mul(twistGen, k) 187 return e 188 } 189 190 // ScalarMult sets e to a*k and then returns e. 191 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 192 if e.p == nil { 193 e.p = &twistPoint{} 194 } 195 e.p.Mul(a.p, k) 196 return e 197 } 198 199 // Add sets e to a+b and then returns e. 200 func (e *G2) Add(a, b *G2) *G2 { 201 if e.p == nil { 202 e.p = &twistPoint{} 203 } 204 e.p.Add(a.p, b.p) 205 return e 206 } 207 208 // Neg sets e to -a and then returns e. 209 func (e *G2) Neg(a *G2) *G2 { 210 if e.p == nil { 211 e.p = &twistPoint{} 212 } 213 e.p.Neg(a.p) 214 return e 215 } 216 217 // Set sets e to a and then returns e. 218 func (e *G2) Set(a *G2) *G2 { 219 if e.p == nil { 220 e.p = &twistPoint{} 221 } 222 e.p.Set(a.p) 223 return e 224 } 225 226 // Marshal converts e into a byte slice. 227 func (e *G2) Marshal() []byte { 228 // Each value is a 256-bit number. 229 const numBytes = 256 / 8 230 231 if e.p == nil { 232 e.p = &twistPoint{} 233 } 234 235 e.p.MakeAffine() 236 ret := make([]byte, numBytes*4) 237 if e.p.IsInfinity() { 238 return ret 239 } 240 temp := &gfP{} 241 242 montDecode(temp, &e.p.x.x) 243 temp.Marshal(ret) 244 montDecode(temp, &e.p.x.y) 245 temp.Marshal(ret[numBytes:]) 246 montDecode(temp, &e.p.y.x) 247 temp.Marshal(ret[2*numBytes:]) 248 montDecode(temp, &e.p.y.y) 249 temp.Marshal(ret[3*numBytes:]) 250 251 return ret 252 } 253 254 // Unmarshal sets e to the result of converting the output of Marshal back into 255 // a group element and then returns e. 256 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 257 // Each value is a 256-bit number. 258 const numBytes = 256 / 8 259 if len(m) < 4*numBytes { 260 return nil, errors.New("bn256: not enough data") 261 } 262 // Unmarshal the points and check their caps 263 if e.p == nil { 264 e.p = &twistPoint{} 265 } 266 var err error 267 if err = e.p.x.x.Unmarshal(m); err != nil { 268 return nil, err 269 } 270 if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil { 271 return nil, err 272 } 273 if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil { 274 return nil, err 275 } 276 if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil { 277 return nil, err 278 } 279 // Encode into Montgomery form and ensure it's on the curve 280 montEncode(&e.p.x.x, &e.p.x.x) 281 montEncode(&e.p.x.y, &e.p.x.y) 282 montEncode(&e.p.y.x, &e.p.y.x) 283 montEncode(&e.p.y.y, &e.p.y.y) 284 285 if e.p.x.IsZero() && e.p.y.IsZero() { 286 // This is the point at infinity. 287 e.p.y.SetOne() 288 e.p.z.SetZero() 289 e.p.t.SetZero() 290 } else { 291 e.p.z.SetOne() 292 e.p.t.SetOne() 293 294 if !e.p.IsOnCurve() { 295 return nil, errors.New("bn256: malformed point") 296 } 297 } 298 return m[4*numBytes:], nil 299 } 300 301 // GT is an abstract cyclic group. The zero value is suitable for use as the 302 // output of an operation, but cannot be used as an input. 303 type GT struct { 304 p *gfP12 305 } 306 307 // Pair calculates an Optimal Ate pairing. 308 func Pair(g1 *G1, g2 *G2) *GT { 309 return >{optimalAte(g2.p, g1.p)} 310 } 311 312 // PairingCheck calculates the Optimal Ate pairing for a set of points. 313 func PairingCheck(a []*G1, b []*G2) bool { 314 acc := new(gfP12) 315 acc.SetOne() 316 317 for i := 0; i < len(a); i++ { 318 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 319 continue 320 } 321 acc.Mul(acc, miller(b[i].p, a[i].p)) 322 } 323 return finalExponentiation(acc).IsOne() 324 } 325 326 // Miller applies Miller's algorithm, which is a bilinear function from the 327 // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, 328 // g2). 329 func Miller(g1 *G1, g2 *G2) *GT { 330 return >{miller(g2.p, g1.p)} 331 } 332 333 func (g *GT) String() string { 334 return "bn256.GT" + g.p.String() 335 } 336 337 // ScalarMult sets e to a*k and then returns e. 338 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 339 if e.p == nil { 340 e.p = &gfP12{} 341 } 342 e.p.Exp(a.p, k) 343 return e 344 } 345 346 // Add sets e to a+b and then returns e. 347 func (e *GT) Add(a, b *GT) *GT { 348 if e.p == nil { 349 e.p = &gfP12{} 350 } 351 e.p.Mul(a.p, b.p) 352 return e 353 } 354 355 // Neg sets e to -a and then returns e. 356 func (e *GT) Neg(a *GT) *GT { 357 if e.p == nil { 358 e.p = &gfP12{} 359 } 360 e.p.Conjugate(a.p) 361 return e 362 } 363 364 // Set sets e to a and then returns e. 365 func (e *GT) Set(a *GT) *GT { 366 if e.p == nil { 367 e.p = &gfP12{} 368 } 369 e.p.Set(a.p) 370 return e 371 } 372 373 // Finalize is a linear function from F_p^12 to GT. 374 func (e *GT) Finalize() *GT { 375 ret := finalExponentiation(e.p) 376 e.p.Set(ret) 377 return e 378 } 379 380 // Marshal converts e into a byte slice. 381 func (e *GT) Marshal() []byte { 382 // Each value is a 256-bit number. 383 const numBytes = 256 / 8 384 385 ret := make([]byte, numBytes*12) 386 temp := &gfP{} 387 388 montDecode(temp, &e.p.x.x.x) 389 temp.Marshal(ret) 390 montDecode(temp, &e.p.x.x.y) 391 temp.Marshal(ret[numBytes:]) 392 montDecode(temp, &e.p.x.y.x) 393 temp.Marshal(ret[2*numBytes:]) 394 montDecode(temp, &e.p.x.y.y) 395 temp.Marshal(ret[3*numBytes:]) 396 montDecode(temp, &e.p.x.z.x) 397 temp.Marshal(ret[4*numBytes:]) 398 montDecode(temp, &e.p.x.z.y) 399 temp.Marshal(ret[5*numBytes:]) 400 montDecode(temp, &e.p.y.x.x) 401 temp.Marshal(ret[6*numBytes:]) 402 montDecode(temp, &e.p.y.x.y) 403 temp.Marshal(ret[7*numBytes:]) 404 montDecode(temp, &e.p.y.y.x) 405 temp.Marshal(ret[8*numBytes:]) 406 montDecode(temp, &e.p.y.y.y) 407 temp.Marshal(ret[9*numBytes:]) 408 montDecode(temp, &e.p.y.z.x) 409 temp.Marshal(ret[10*numBytes:]) 410 montDecode(temp, &e.p.y.z.y) 411 temp.Marshal(ret[11*numBytes:]) 412 413 return ret 414 } 415 416 // Unmarshal sets e to the result of converting the output of Marshal back into 417 // a group element and then returns e. 418 func (e *GT) Unmarshal(m []byte) ([]byte, error) { 419 // Each value is a 256-bit number. 420 const numBytes = 256 / 8 421 422 if len(m) < 12*numBytes { 423 return nil, errors.New("bn256: not enough data") 424 } 425 426 if e.p == nil { 427 e.p = &gfP12{} 428 } 429 430 var err error 431 if err = e.p.x.x.x.Unmarshal(m); err != nil { 432 return nil, err 433 } 434 if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil { 435 return nil, err 436 } 437 if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil { 438 return nil, err 439 } 440 if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil { 441 return nil, err 442 } 443 if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil { 444 return nil, err 445 } 446 if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil { 447 return nil, err 448 } 449 if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil { 450 return nil, err 451 } 452 if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil { 453 return nil, err 454 } 455 if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil { 456 return nil, err 457 } 458 if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil { 459 return nil, err 460 } 461 if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil { 462 return nil, err 463 } 464 if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil { 465 return nil, err 466 } 467 montEncode(&e.p.x.x.x, &e.p.x.x.x) 468 montEncode(&e.p.x.x.y, &e.p.x.x.y) 469 montEncode(&e.p.x.y.x, &e.p.x.y.x) 470 montEncode(&e.p.x.y.y, &e.p.x.y.y) 471 montEncode(&e.p.x.z.x, &e.p.x.z.x) 472 montEncode(&e.p.x.z.y, &e.p.x.z.y) 473 montEncode(&e.p.y.x.x, &e.p.y.x.x) 474 montEncode(&e.p.y.x.y, &e.p.y.x.y) 475 montEncode(&e.p.y.y.x, &e.p.y.y.x) 476 montEncode(&e.p.y.y.y, &e.p.y.y.y) 477 montEncode(&e.p.y.z.x, &e.p.y.z.x) 478 montEncode(&e.p.y.z.y, &e.p.y.z.y) 479 480 return m[12*numBytes:], nil 481 }