github.com/ebceco/ebc@v1.8.19-0.20190309150932-8cb0b9e06484/crypto/bn256/cloudflare/curve.go (about) 1 package bn256 2 3 import ( 4 "math/big" 5 ) 6 7 // curvePoint implements the elliptic curve y²=x³+3. Points are kept in Jacobian 8 // form and t=z² when valid. G₁ is the set of points of this curve on GF(p). 9 type curvePoint struct { 10 x, y, z, t gfP 11 } 12 13 var curveB = newGFp(3) 14 15 // curveGen is the generator of G₁. 16 var curveGen = &curvePoint{ 17 x: *newGFp(1), 18 y: *newGFp(2), 19 z: *newGFp(1), 20 t: *newGFp(1), 21 } 22 23 func (c *curvePoint) String() string { 24 c.MakeAffine() 25 x, y := &gfP{}, &gfP{} 26 montDecode(x, &c.x) 27 montDecode(y, &c.y) 28 return "(" + x.String() + ", " + y.String() + ")" 29 } 30 31 func (c *curvePoint) Set(a *curvePoint) { 32 c.x.Set(&a.x) 33 c.y.Set(&a.y) 34 c.z.Set(&a.z) 35 c.t.Set(&a.t) 36 } 37 38 // IsOnCurve returns true iff c is on the curve. 39 func (c *curvePoint) IsOnCurve() bool { 40 c.MakeAffine() 41 if c.IsInfinity() { 42 return true 43 } 44 45 y2, x3 := &gfP{}, &gfP{} 46 gfpMul(y2, &c.y, &c.y) 47 gfpMul(x3, &c.x, &c.x) 48 gfpMul(x3, x3, &c.x) 49 gfpAdd(x3, x3, curveB) 50 51 return *y2 == *x3 52 } 53 54 func (c *curvePoint) SetInfinity() { 55 c.x = gfP{0} 56 c.y = *newGFp(1) 57 c.z = gfP{0} 58 c.t = gfP{0} 59 } 60 61 func (c *curvePoint) IsInfinity() bool { 62 return c.z == gfP{0} 63 } 64 65 func (c *curvePoint) Add(a, b *curvePoint) { 66 if a.IsInfinity() { 67 c.Set(b) 68 return 69 } 70 if b.IsInfinity() { 71 c.Set(a) 72 return 73 } 74 75 // See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3 76 77 // Normalize the points by replacing a = [x1:y1:z1] and b = [x2:y2:z2] 78 // by [u1:s1:z1·z2] and [u2:s2:z1·z2] 79 // where u1 = x1·z2², s1 = y1·z2³ and u1 = x2·z1², s2 = y2·z1³ 80 z12, z22 := &gfP{}, &gfP{} 81 gfpMul(z12, &a.z, &a.z) 82 gfpMul(z22, &b.z, &b.z) 83 84 u1, u2 := &gfP{}, &gfP{} 85 gfpMul(u1, &a.x, z22) 86 gfpMul(u2, &b.x, z12) 87 88 t, s1 := &gfP{}, &gfP{} 89 gfpMul(t, &b.z, z22) 90 gfpMul(s1, &a.y, t) 91 92 s2 := &gfP{} 93 gfpMul(t, &a.z, z12) 94 gfpMul(s2, &b.y, t) 95 96 // Compute x = (2h)²(s²-u1-u2) 97 // where s = (s2-s1)/(u2-u1) is the slope of the line through 98 // (u1,s1) and (u2,s2). The extra factor 2h = 2(u2-u1) comes from the value of z below. 99 // This is also: 100 // 4(s2-s1)² - 4h²(u1+u2) = 4(s2-s1)² - 4h³ - 4h²(2u1) 101 // = r² - j - 2v 102 // with the notations below. 103 h := &gfP{} 104 gfpSub(h, u2, u1) 105 xEqual := *h == gfP{0} 106 107 gfpAdd(t, h, h) 108 // i = 4h² 109 i := &gfP{} 110 gfpMul(i, t, t) 111 // j = 4h³ 112 j := &gfP{} 113 gfpMul(j, h, i) 114 115 gfpSub(t, s2, s1) 116 yEqual := *t == gfP{0} 117 if xEqual && yEqual { 118 c.Double(a) 119 return 120 } 121 r := &gfP{} 122 gfpAdd(r, t, t) 123 124 v := &gfP{} 125 gfpMul(v, u1, i) 126 127 // t4 = 4(s2-s1)² 128 t4, t6 := &gfP{}, &gfP{} 129 gfpMul(t4, r, r) 130 gfpAdd(t, v, v) 131 gfpSub(t6, t4, j) 132 133 gfpSub(&c.x, t6, t) 134 135 // Set y = -(2h)³(s1 + s*(x/4h²-u1)) 136 // This is also 137 // y = - 2·s1·j - (s2-s1)(2x - 2i·u1) = r(v-x) - 2·s1·j 138 gfpSub(t, v, &c.x) // t7 139 gfpMul(t4, s1, j) // t8 140 gfpAdd(t6, t4, t4) // t9 141 gfpMul(t4, r, t) // t10 142 gfpSub(&c.y, t4, t6) 143 144 // Set z = 2(u2-u1)·z1·z2 = 2h·z1·z2 145 gfpAdd(t, &a.z, &b.z) // t11 146 gfpMul(t4, t, t) // t12 147 gfpSub(t, t4, z12) // t13 148 gfpSub(t4, t, z22) // t14 149 gfpMul(&c.z, t4, h) 150 } 151 152 func (c *curvePoint) Double(a *curvePoint) { 153 // See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3 154 A, B, C := &gfP{}, &gfP{}, &gfP{} 155 gfpMul(A, &a.x, &a.x) 156 gfpMul(B, &a.y, &a.y) 157 gfpMul(C, B, B) 158 159 t, t2 := &gfP{}, &gfP{} 160 gfpAdd(t, &a.x, B) 161 gfpMul(t2, t, t) 162 gfpSub(t, t2, A) 163 gfpSub(t2, t, C) 164 165 d, e, f := &gfP{}, &gfP{}, &gfP{} 166 gfpAdd(d, t2, t2) 167 gfpAdd(t, A, A) 168 gfpAdd(e, t, A) 169 gfpMul(f, e, e) 170 171 gfpAdd(t, d, d) 172 gfpSub(&c.x, f, t) 173 174 gfpAdd(t, C, C) 175 gfpAdd(t2, t, t) 176 gfpAdd(t, t2, t2) 177 gfpSub(&c.y, d, &c.x) 178 gfpMul(t2, e, &c.y) 179 gfpSub(&c.y, t2, t) 180 181 gfpMul(t, &a.y, &a.z) 182 gfpAdd(&c.z, t, t) 183 } 184 185 func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int) { 186 precomp := [1 << 2]*curvePoint{nil, {}, {}, {}} 187 precomp[1].Set(a) 188 precomp[2].Set(a) 189 gfpMul(&precomp[2].x, &precomp[2].x, xiTo2PSquaredMinus2Over3) 190 precomp[3].Add(precomp[1], precomp[2]) 191 192 multiScalar := curveLattice.Multi(scalar) 193 194 sum := &curvePoint{} 195 sum.SetInfinity() 196 t := &curvePoint{} 197 198 for i := len(multiScalar) - 1; i >= 0; i-- { 199 t.Double(sum) 200 if multiScalar[i] == 0 { 201 sum.Set(t) 202 } else { 203 sum.Add(t, precomp[multiScalar[i]]) 204 } 205 } 206 c.Set(sum) 207 } 208 209 func (c *curvePoint) MakeAffine() { 210 if c.z == *newGFp(1) { 211 return 212 } else if c.z == *newGFp(0) { 213 c.x = gfP{0} 214 c.y = *newGFp(1) 215 c.t = gfP{0} 216 return 217 } 218 219 zInv := &gfP{} 220 zInv.Invert(&c.z) 221 222 t, zInv2 := &gfP{}, &gfP{} 223 gfpMul(t, &c.y, zInv) 224 gfpMul(zInv2, zInv, zInv) 225 226 gfpMul(&c.x, &c.x, zInv2) 227 gfpMul(&c.y, t, zInv2) 228 229 c.z = *newGFp(1) 230 c.t = *newGFp(1) 231 } 232 233 func (c *curvePoint) Neg(a *curvePoint) { 234 c.x.Set(&a.x) 235 gfpNeg(&c.y, &a.y) 236 c.z.Set(&a.z) 237 c.t = gfP{0} 238 }