github.com/klaytn/klaytn@v1.12.1/crypto/bn256/google/bn256.go (about) 1 // Copyright 2018 The klaytn Authors 2 // Copyright 2012 The Go Authors. All rights reserved. 3 // Use of this source code is governed by a BSD-style 4 // license that can be found in the LICENSE file. 5 // 6 // This file is derived from crypto/bn256/google/bn256.go (2018/06/04). 7 // Modified and improved for the klaytn development. 8 9 package bn256 10 11 import ( 12 "crypto/rand" 13 "errors" 14 "io" 15 "math/big" 16 ) 17 18 // BUG(agl): this implementation is not constant time. 19 // TODO(agl): keep GF(p²) elements in Mongomery form. 20 21 // G1 is an abstract cyclic group. The zero value is suitable for use as the 22 // output of an operation, but cannot be used as an input. 23 type G1 struct { 24 p *curvePoint 25 } 26 27 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 28 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 29 var k *big.Int 30 var err error 31 32 for { 33 k, err = rand.Int(r, Order) 34 if err != nil { 35 return nil, nil, err 36 } 37 if k.Sign() > 0 { 38 break 39 } 40 } 41 42 return k, new(G1).ScalarBaseMult(k), nil 43 } 44 45 func (e *G1) String() string { 46 return "bn256.G1" + e.p.String() 47 } 48 49 // CurvePoints returns p's curve points in big integer 50 func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int) { 51 return e.p.x, e.p.y, e.p.z, e.p.t 52 } 53 54 // ScalarBaseMult sets e to g*k where g is the generator of the group and 55 // then returns e. 56 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 57 if e.p == nil { 58 e.p = newCurvePoint(nil) 59 } 60 e.p.Mul(curveGen, k, new(bnPool)) 61 return e 62 } 63 64 // ScalarMult sets e to a*k and then returns e. 65 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 66 if e.p == nil { 67 e.p = newCurvePoint(nil) 68 } 69 e.p.Mul(a.p, k, new(bnPool)) 70 return e 71 } 72 73 // Add sets e to a+b and then returns e. 74 // BUG(agl): this function is not complete: a==b fails. 75 func (e *G1) Add(a, b *G1) *G1 { 76 if e.p == nil { 77 e.p = newCurvePoint(nil) 78 } 79 e.p.Add(a.p, b.p, new(bnPool)) 80 return e 81 } 82 83 // Neg sets e to -a and then returns e. 84 func (e *G1) Neg(a *G1) *G1 { 85 if e.p == nil { 86 e.p = newCurvePoint(nil) 87 } 88 e.p.Negative(a.p) 89 return e 90 } 91 92 // Marshal converts n to a byte slice. 93 func (e *G1) Marshal() []byte { 94 // Each value is a 256-bit number. 95 const numBytes = 256 / 8 96 97 if e.p.IsInfinity() { 98 return make([]byte, numBytes*2) 99 } 100 101 e.p.MakeAffine(nil) 102 103 xBytes := new(big.Int).Mod(e.p.x, P).Bytes() 104 yBytes := new(big.Int).Mod(e.p.y, P).Bytes() 105 106 ret := make([]byte, numBytes*2) 107 copy(ret[1*numBytes-len(xBytes):], xBytes) 108 copy(ret[2*numBytes-len(yBytes):], yBytes) 109 110 return ret 111 } 112 113 // Unmarshal sets e to the result of converting the output of Marshal back into 114 // a group element and then returns e. 115 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 116 // Each value is a 256-bit number. 117 const numBytes = 256 / 8 118 if len(m) != 2*numBytes { 119 return nil, errors.New("bn256: not enough data") 120 } 121 // Unmarshal the points and check their caps 122 if e.p == nil { 123 e.p = newCurvePoint(nil) 124 } 125 e.p.x.SetBytes(m[0*numBytes : 1*numBytes]) 126 if e.p.x.Cmp(P) >= 0 { 127 return nil, errors.New("bn256: coordinate exceeds modulus") 128 } 129 e.p.y.SetBytes(m[1*numBytes : 2*numBytes]) 130 if e.p.y.Cmp(P) >= 0 { 131 return nil, errors.New("bn256: coordinate exceeds modulus") 132 } 133 // Ensure the point is on the curve 134 if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 { 135 // This is the point at infinity. 136 e.p.y.SetInt64(1) 137 e.p.z.SetInt64(0) 138 e.p.t.SetInt64(0) 139 } else { 140 e.p.z.SetInt64(1) 141 e.p.t.SetInt64(1) 142 143 if !e.p.IsOnCurve() { 144 return nil, errors.New("bn256: malformed point") 145 } 146 } 147 return m[2*numBytes:], nil 148 } 149 150 // G2 is an abstract cyclic group. The zero value is suitable for use as the 151 // output of an operation, but cannot be used as an input. 152 type G2 struct { 153 p *twistPoint 154 } 155 156 // RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r. 157 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 158 var k *big.Int 159 var err error 160 161 for { 162 k, err = rand.Int(r, Order) 163 if err != nil { 164 return nil, nil, err 165 } 166 if k.Sign() > 0 { 167 break 168 } 169 } 170 171 return k, new(G2).ScalarBaseMult(k), nil 172 } 173 174 func (e *G2) String() string { 175 return "bn256.G2" + e.p.String() 176 } 177 178 // CurvePoints returns the curve points of p which includes the real 179 // and imaginary parts of the curve point. 180 func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2) { 181 return e.p.x, e.p.y, e.p.z, e.p.t 182 } 183 184 // ScalarBaseMult sets e to g*k where g is the generator of the group and 185 // then returns out. 186 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 187 if e.p == nil { 188 e.p = newTwistPoint(nil) 189 } 190 e.p.Mul(twistGen, k, new(bnPool)) 191 return e 192 } 193 194 // ScalarMult sets e to a*k and then returns e. 195 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 196 if e.p == nil { 197 e.p = newTwistPoint(nil) 198 } 199 e.p.Mul(a.p, k, new(bnPool)) 200 return e 201 } 202 203 // Add sets e to a+b and then returns e. 204 // BUG(agl): this function is not complete: a==b fails. 205 func (e *G2) Add(a, b *G2) *G2 { 206 if e.p == nil { 207 e.p = newTwistPoint(nil) 208 } 209 e.p.Add(a.p, b.p, new(bnPool)) 210 return e 211 } 212 213 // Marshal converts n into a byte slice. 214 func (n *G2) Marshal() []byte { 215 // Each value is a 256-bit number. 216 const numBytes = 256 / 8 217 218 if n.p.IsInfinity() { 219 return make([]byte, numBytes*4) 220 } 221 222 n.p.MakeAffine(nil) 223 224 xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes() 225 xyBytes := new(big.Int).Mod(n.p.x.y, P).Bytes() 226 yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes() 227 yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes() 228 229 ret := make([]byte, numBytes*4) 230 copy(ret[1*numBytes-len(xxBytes):], xxBytes) 231 copy(ret[2*numBytes-len(xyBytes):], xyBytes) 232 copy(ret[3*numBytes-len(yxBytes):], yxBytes) 233 copy(ret[4*numBytes-len(yyBytes):], yyBytes) 234 235 return ret 236 } 237 238 // Unmarshal sets e to the result of converting the output of Marshal back into 239 // a group element and then returns e. 240 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 241 // Each value is a 256-bit number. 242 const numBytes = 256 / 8 243 if len(m) != 4*numBytes { 244 return nil, errors.New("bn256: not enough data") 245 } 246 // Unmarshal the points and check their caps 247 if e.p == nil { 248 e.p = newTwistPoint(nil) 249 } 250 e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 251 if e.p.x.x.Cmp(P) >= 0 { 252 return nil, errors.New("bn256: coordinate exceeds modulus") 253 } 254 e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 255 if e.p.x.y.Cmp(P) >= 0 { 256 return nil, errors.New("bn256: coordinate exceeds modulus") 257 } 258 e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 259 if e.p.y.x.Cmp(P) >= 0 { 260 return nil, errors.New("bn256: coordinate exceeds modulus") 261 } 262 e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 263 if e.p.y.y.Cmp(P) >= 0 { 264 return nil, errors.New("bn256: coordinate exceeds modulus") 265 } 266 // Ensure the point is on the curve 267 if e.p.x.x.Sign() == 0 && 268 e.p.x.y.Sign() == 0 && 269 e.p.y.x.Sign() == 0 && 270 e.p.y.y.Sign() == 0 { 271 // This is the point at infinity. 272 e.p.y.SetOne() 273 e.p.z.SetZero() 274 e.p.t.SetZero() 275 } else { 276 e.p.z.SetOne() 277 e.p.t.SetOne() 278 279 if !e.p.IsOnCurve() { 280 return nil, errors.New("bn256: malformed point") 281 } 282 } 283 return m[4*numBytes:], nil 284 } 285 286 // GT is an abstract cyclic group. The zero value is suitable for use as the 287 // output of an operation, but cannot be used as an input. 288 type GT struct { 289 p *gfP12 290 } 291 292 func (g *GT) String() string { 293 return "bn256.GT" + g.p.String() 294 } 295 296 // ScalarMult sets e to a*k and then returns e. 297 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 298 if e.p == nil { 299 e.p = newGFp12(nil) 300 } 301 e.p.Exp(a.p, k, new(bnPool)) 302 return e 303 } 304 305 // Add sets e to a+b and then returns e. 306 func (e *GT) Add(a, b *GT) *GT { 307 if e.p == nil { 308 e.p = newGFp12(nil) 309 } 310 e.p.Mul(a.p, b.p, new(bnPool)) 311 return e 312 } 313 314 // Neg sets e to -a and then returns e. 315 func (e *GT) Neg(a *GT) *GT { 316 if e.p == nil { 317 e.p = newGFp12(nil) 318 } 319 e.p.Invert(a.p, new(bnPool)) 320 return e 321 } 322 323 // Marshal converts n into a byte slice. 324 func (n *GT) Marshal() []byte { 325 n.p.Minimal() 326 327 xxxBytes := n.p.x.x.x.Bytes() 328 xxyBytes := n.p.x.x.y.Bytes() 329 xyxBytes := n.p.x.y.x.Bytes() 330 xyyBytes := n.p.x.y.y.Bytes() 331 xzxBytes := n.p.x.z.x.Bytes() 332 xzyBytes := n.p.x.z.y.Bytes() 333 yxxBytes := n.p.y.x.x.Bytes() 334 yxyBytes := n.p.y.x.y.Bytes() 335 yyxBytes := n.p.y.y.x.Bytes() 336 yyyBytes := n.p.y.y.y.Bytes() 337 yzxBytes := n.p.y.z.x.Bytes() 338 yzyBytes := n.p.y.z.y.Bytes() 339 340 // Each value is a 256-bit number. 341 const numBytes = 256 / 8 342 343 ret := make([]byte, numBytes*12) 344 copy(ret[1*numBytes-len(xxxBytes):], xxxBytes) 345 copy(ret[2*numBytes-len(xxyBytes):], xxyBytes) 346 copy(ret[3*numBytes-len(xyxBytes):], xyxBytes) 347 copy(ret[4*numBytes-len(xyyBytes):], xyyBytes) 348 copy(ret[5*numBytes-len(xzxBytes):], xzxBytes) 349 copy(ret[6*numBytes-len(xzyBytes):], xzyBytes) 350 copy(ret[7*numBytes-len(yxxBytes):], yxxBytes) 351 copy(ret[8*numBytes-len(yxyBytes):], yxyBytes) 352 copy(ret[9*numBytes-len(yyxBytes):], yyxBytes) 353 copy(ret[10*numBytes-len(yyyBytes):], yyyBytes) 354 copy(ret[11*numBytes-len(yzxBytes):], yzxBytes) 355 copy(ret[12*numBytes-len(yzyBytes):], yzyBytes) 356 357 return ret 358 } 359 360 // Unmarshal sets e to the result of converting the output of Marshal back into 361 // a group element and then returns e. 362 func (e *GT) Unmarshal(m []byte) (*GT, bool) { 363 // Each value is a 256-bit number. 364 const numBytes = 256 / 8 365 366 if len(m) != 12*numBytes { 367 return nil, false 368 } 369 370 if e.p == nil { 371 e.p = newGFp12(nil) 372 } 373 374 e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 375 e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 376 e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 377 e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 378 e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes]) 379 e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes]) 380 e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes]) 381 e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes]) 382 e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes]) 383 e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes]) 384 e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes]) 385 e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes]) 386 387 return e, true 388 } 389 390 // Pair calculates an Optimal Ate pairing. 391 func Pair(g1 *G1, g2 *G2) *GT { 392 return >{optimalAte(g2.p, g1.p, new(bnPool))} 393 } 394 395 // PairingCheck calculates the Optimal Ate pairing for a set of points. 396 func PairingCheck(a []*G1, b []*G2) bool { 397 pool := new(bnPool) 398 399 acc := newGFp12(pool) 400 acc.SetOne() 401 402 for i := 0; i < len(a); i++ { 403 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 404 continue 405 } 406 acc.Mul(acc, miller(b[i].p, a[i].p, pool), pool) 407 } 408 ret := finalExponentiation(acc, pool) 409 acc.Put(pool) 410 411 return ret.IsOne() 412 } 413 414 // bnPool implements a tiny cache of *big.Int objects that's used to reduce the 415 // number of allocations made during processing. 416 type bnPool struct { 417 bns []*big.Int 418 count int 419 } 420 421 func (pool *bnPool) Get() *big.Int { 422 if pool == nil { 423 return new(big.Int) 424 } 425 426 pool.count++ 427 l := len(pool.bns) 428 if l == 0 { 429 return new(big.Int) 430 } 431 432 bn := pool.bns[l-1] 433 pool.bns = pool.bns[:l-1] 434 return bn 435 } 436 437 func (pool *bnPool) Put(bn *big.Int) { 438 if pool == nil { 439 return 440 } 441 pool.bns = append(pool.bns, bn) 442 pool.count-- 443 } 444 445 func (pool *bnPool) Count() int { 446 return pool.count 447 }