github.com/klaytn/klaytn@v1.12.1/crypto/bn256/cloudflare/bn256.go (about) 1 package bn256 2 3 import ( 4 "crypto/rand" 5 "errors" 6 "io" 7 "math/big" 8 ) 9 10 func randomK(r io.Reader) (k *big.Int, err error) { 11 for { 12 k, err = rand.Int(r, Order) 13 if k.Sign() > 0 || err != nil { 14 return 15 } 16 } 17 } 18 19 // G1 is an abstract cyclic group. The zero value is suitable for use as the 20 // output of an operation, but cannot be used as an input. 21 type G1 struct { 22 p *curvePoint 23 } 24 25 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 26 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 27 k, err := randomK(r) 28 if err != nil { 29 return nil, nil, err 30 } 31 32 return k, new(G1).ScalarBaseMult(k), nil 33 } 34 35 func (g *G1) String() string { 36 return "bn256.G1" + g.p.String() 37 } 38 39 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 40 // returns e. 41 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 42 if e.p == nil { 43 e.p = &curvePoint{} 44 } 45 e.p.Mul(curveGen, k) 46 return e 47 } 48 49 // ScalarMult sets e to a*k and then returns e. 50 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 51 if e.p == nil { 52 e.p = &curvePoint{} 53 } 54 e.p.Mul(a.p, k) 55 return e 56 } 57 58 // Add sets e to a+b and then returns e. 59 func (e *G1) Add(a, b *G1) *G1 { 60 if e.p == nil { 61 e.p = &curvePoint{} 62 } 63 e.p.Add(a.p, b.p) 64 return e 65 } 66 67 // Neg sets e to -a and then returns e. 68 func (e *G1) Neg(a *G1) *G1 { 69 if e.p == nil { 70 e.p = &curvePoint{} 71 } 72 e.p.Neg(a.p) 73 return e 74 } 75 76 // Set sets e to a and then returns e. 77 func (e *G1) Set(a *G1) *G1 { 78 if e.p == nil { 79 e.p = &curvePoint{} 80 } 81 e.p.Set(a.p) 82 return e 83 } 84 85 // Marshal converts e to a byte slice. 86 func (e *G1) Marshal() []byte { 87 // Each value is a 256-bit number. 88 const numBytes = 256 / 8 89 90 e.p.MakeAffine() 91 ret := make([]byte, numBytes*2) 92 if e.p.IsInfinity() { 93 return ret 94 } 95 temp := &gfP{} 96 97 montDecode(temp, &e.p.x) 98 temp.Marshal(ret) 99 montDecode(temp, &e.p.y) 100 temp.Marshal(ret[numBytes:]) 101 102 return ret 103 } 104 105 // Unmarshal sets e to the result of converting the output of Marshal back into 106 // a group element and then returns e. 107 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 108 // Each value is a 256-bit number. 109 const numBytes = 256 / 8 110 if len(m) < 2*numBytes { 111 return nil, errors.New("bn256: not enough data") 112 } 113 // Unmarshal the points and check their caps 114 if e.p == nil { 115 e.p = &curvePoint{} 116 } else { 117 e.p.x, e.p.y = gfP{0}, gfP{0} 118 } 119 var err error 120 if err = e.p.x.Unmarshal(m); err != nil { 121 return nil, err 122 } 123 if err = e.p.y.Unmarshal(m[numBytes:]); err != nil { 124 return nil, err 125 } 126 // Encode into Montgomery form and ensure it's on the curve 127 montEncode(&e.p.x, &e.p.x) 128 montEncode(&e.p.y, &e.p.y) 129 130 zero := gfP{0} 131 if e.p.x == zero && e.p.y == zero { 132 // This is the point at infinity. 133 e.p.y = *newGFp(1) 134 e.p.z = gfP{0} 135 e.p.t = gfP{0} 136 } else { 137 e.p.z = *newGFp(1) 138 e.p.t = *newGFp(1) 139 140 if !e.p.IsOnCurve() { 141 return nil, errors.New("bn256: malformed point") 142 } 143 } 144 return m[2*numBytes:], nil 145 } 146 147 // G2 is an abstract cyclic group. The zero value is suitable for use as the 148 // output of an operation, but cannot be used as an input. 149 type G2 struct { 150 p *twistPoint 151 } 152 153 // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r. 154 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 155 k, err := randomK(r) 156 if err != nil { 157 return nil, nil, err 158 } 159 160 return k, new(G2).ScalarBaseMult(k), nil 161 } 162 163 func (e *G2) String() string { 164 return "bn256.G2" + e.p.String() 165 } 166 167 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 168 // returns out. 169 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 170 if e.p == nil { 171 e.p = &twistPoint{} 172 } 173 e.p.Mul(twistGen, k) 174 return e 175 } 176 177 // ScalarMult sets e to a*k and then returns e. 178 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 179 if e.p == nil { 180 e.p = &twistPoint{} 181 } 182 e.p.Mul(a.p, k) 183 return e 184 } 185 186 // Add sets e to a+b and then returns e. 187 func (e *G2) Add(a, b *G2) *G2 { 188 if e.p == nil { 189 e.p = &twistPoint{} 190 } 191 e.p.Add(a.p, b.p) 192 return e 193 } 194 195 // Neg sets e to -a and then returns e. 196 func (e *G2) Neg(a *G2) *G2 { 197 if e.p == nil { 198 e.p = &twistPoint{} 199 } 200 e.p.Neg(a.p) 201 return e 202 } 203 204 // Set sets e to a and then returns e. 205 func (e *G2) Set(a *G2) *G2 { 206 if e.p == nil { 207 e.p = &twistPoint{} 208 } 209 e.p.Set(a.p) 210 return e 211 } 212 213 // Marshal converts e into a byte slice. 214 func (e *G2) Marshal() []byte { 215 // Each value is a 256-bit number. 216 const numBytes = 256 / 8 217 218 if e.p == nil { 219 e.p = &twistPoint{} 220 } 221 222 e.p.MakeAffine() 223 ret := make([]byte, numBytes*4) 224 if e.p.IsInfinity() { 225 return ret 226 } 227 temp := &gfP{} 228 229 montDecode(temp, &e.p.x.x) 230 temp.Marshal(ret) 231 montDecode(temp, &e.p.x.y) 232 temp.Marshal(ret[numBytes:]) 233 montDecode(temp, &e.p.y.x) 234 temp.Marshal(ret[2*numBytes:]) 235 montDecode(temp, &e.p.y.y) 236 temp.Marshal(ret[3*numBytes:]) 237 238 return ret 239 } 240 241 // Unmarshal sets e to the result of converting the output of Marshal back into 242 // a group element and then returns e. 243 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 244 // Each value is a 256-bit number. 245 const numBytes = 256 / 8 246 if len(m) < 4*numBytes { 247 return nil, errors.New("bn256: not enough data") 248 } 249 // Unmarshal the points and check their caps 250 if e.p == nil { 251 e.p = &twistPoint{} 252 } 253 var err error 254 if err = e.p.x.x.Unmarshal(m); err != nil { 255 return nil, err 256 } 257 if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil { 258 return nil, err 259 } 260 if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil { 261 return nil, err 262 } 263 if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil { 264 return nil, err 265 } 266 // Encode into Montgomery form and ensure it's on the curve 267 montEncode(&e.p.x.x, &e.p.x.x) 268 montEncode(&e.p.x.y, &e.p.x.y) 269 montEncode(&e.p.y.x, &e.p.y.x) 270 montEncode(&e.p.y.y, &e.p.y.y) 271 272 if e.p.x.IsZero() && e.p.y.IsZero() { 273 // This is the point at infinity. 274 e.p.y.SetOne() 275 e.p.z.SetZero() 276 e.p.t.SetZero() 277 } else { 278 e.p.z.SetOne() 279 e.p.t.SetOne() 280 281 if !e.p.IsOnCurve() { 282 return nil, errors.New("bn256: malformed point") 283 } 284 } 285 return m[4*numBytes:], nil 286 } 287 288 // GT is an abstract cyclic group. The zero value is suitable for use as the 289 // output of an operation, but cannot be used as an input. 290 type GT struct { 291 p *gfP12 292 } 293 294 // Pair calculates an Optimal Ate pairing. 295 func Pair(g1 *G1, g2 *G2) *GT { 296 return >{optimalAte(g2.p, g1.p)} 297 } 298 299 // PairingCheck calculates the Optimal Ate pairing for a set of points. 300 func PairingCheck(a []*G1, b []*G2) bool { 301 acc := new(gfP12) 302 acc.SetOne() 303 304 for i := 0; i < len(a); i++ { 305 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 306 continue 307 } 308 acc.Mul(acc, miller(b[i].p, a[i].p)) 309 } 310 return finalExponentiation(acc).IsOne() 311 } 312 313 // Miller applies Miller's algorithm, which is a bilinear function from the 314 // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, 315 // g2). 316 func Miller(g1 *G1, g2 *G2) *GT { 317 return >{miller(g2.p, g1.p)} 318 } 319 320 func (g *GT) String() string { 321 return "bn256.GT" + g.p.String() 322 } 323 324 // ScalarMult sets e to a*k and then returns e. 325 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 326 if e.p == nil { 327 e.p = &gfP12{} 328 } 329 e.p.Exp(a.p, k) 330 return e 331 } 332 333 // Add sets e to a+b and then returns e. 334 func (e *GT) Add(a, b *GT) *GT { 335 if e.p == nil { 336 e.p = &gfP12{} 337 } 338 e.p.Mul(a.p, b.p) 339 return e 340 } 341 342 // Neg sets e to -a and then returns e. 343 func (e *GT) Neg(a *GT) *GT { 344 if e.p == nil { 345 e.p = &gfP12{} 346 } 347 e.p.Conjugate(a.p) 348 return e 349 } 350 351 // Set sets e to a and then returns e. 352 func (e *GT) Set(a *GT) *GT { 353 if e.p == nil { 354 e.p = &gfP12{} 355 } 356 e.p.Set(a.p) 357 return e 358 } 359 360 // Finalize is a linear function from F_p^12 to GT. 361 func (e *GT) Finalize() *GT { 362 ret := finalExponentiation(e.p) 363 e.p.Set(ret) 364 return e 365 } 366 367 // Marshal converts e into a byte slice. 368 func (e *GT) Marshal() []byte { 369 // Each value is a 256-bit number. 370 const numBytes = 256 / 8 371 372 ret := make([]byte, numBytes*12) 373 temp := &gfP{} 374 375 montDecode(temp, &e.p.x.x.x) 376 temp.Marshal(ret) 377 montDecode(temp, &e.p.x.x.y) 378 temp.Marshal(ret[numBytes:]) 379 montDecode(temp, &e.p.x.y.x) 380 temp.Marshal(ret[2*numBytes:]) 381 montDecode(temp, &e.p.x.y.y) 382 temp.Marshal(ret[3*numBytes:]) 383 montDecode(temp, &e.p.x.z.x) 384 temp.Marshal(ret[4*numBytes:]) 385 montDecode(temp, &e.p.x.z.y) 386 temp.Marshal(ret[5*numBytes:]) 387 montDecode(temp, &e.p.y.x.x) 388 temp.Marshal(ret[6*numBytes:]) 389 montDecode(temp, &e.p.y.x.y) 390 temp.Marshal(ret[7*numBytes:]) 391 montDecode(temp, &e.p.y.y.x) 392 temp.Marshal(ret[8*numBytes:]) 393 montDecode(temp, &e.p.y.y.y) 394 temp.Marshal(ret[9*numBytes:]) 395 montDecode(temp, &e.p.y.z.x) 396 temp.Marshal(ret[10*numBytes:]) 397 montDecode(temp, &e.p.y.z.y) 398 temp.Marshal(ret[11*numBytes:]) 399 400 return ret 401 } 402 403 // Unmarshal sets e to the result of converting the output of Marshal back into 404 // a group element and then returns e. 405 func (e *GT) Unmarshal(m []byte) ([]byte, error) { 406 // Each value is a 256-bit number. 407 const numBytes = 256 / 8 408 409 if len(m) < 12*numBytes { 410 return nil, errors.New("bn256: not enough data") 411 } 412 413 if e.p == nil { 414 e.p = &gfP12{} 415 } 416 417 var err error 418 if err = e.p.x.x.x.Unmarshal(m); err != nil { 419 return nil, err 420 } 421 if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil { 422 return nil, err 423 } 424 if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil { 425 return nil, err 426 } 427 if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil { 428 return nil, err 429 } 430 if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil { 431 return nil, err 432 } 433 if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil { 434 return nil, err 435 } 436 if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil { 437 return nil, err 438 } 439 if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil { 440 return nil, err 441 } 442 if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil { 443 return nil, err 444 } 445 if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil { 446 return nil, err 447 } 448 if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil { 449 return nil, err 450 } 451 if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil { 452 return nil, err 453 } 454 montEncode(&e.p.x.x.x, &e.p.x.x.x) 455 montEncode(&e.p.x.x.y, &e.p.x.x.y) 456 montEncode(&e.p.x.y.x, &e.p.x.y.x) 457 montEncode(&e.p.x.y.y, &e.p.x.y.y) 458 montEncode(&e.p.x.z.x, &e.p.x.z.x) 459 montEncode(&e.p.x.z.y, &e.p.x.z.y) 460 montEncode(&e.p.y.x.x, &e.p.y.x.x) 461 montEncode(&e.p.y.x.y, &e.p.y.x.y) 462 montEncode(&e.p.y.y.x, &e.p.y.y.x) 463 montEncode(&e.p.y.y.y, &e.p.y.y.y) 464 montEncode(&e.p.y.z.x, &e.p.y.z.x) 465 montEncode(&e.p.y.z.y, &e.p.y.z.y) 466 467 return m[12*numBytes:], nil 468 }