github.com/luckypickle/go-ethereum-vet@v1.14.2/crypto/bn256/google/bn256.go (about) 1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package bn256 implements a particular bilinear group. 6 // 7 // Bilinear groups are the basis of many of the new cryptographic protocols 8 // that have been proposed over the past decade. They consist of a triplet of 9 // groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ 10 // (where gₓ is a generator of the respective group). That function is called 11 // a pairing function. 12 // 13 // This package specifically implements the Optimal Ate pairing over a 256-bit 14 // Barreto-Naehrig curve as described in 15 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is not 16 // compatible with the implementation described in that paper, as different 17 // parameters are chosen. 18 // 19 // (This package previously claimed to operate at a 128-bit security level. 20 // However, recent improvements in attacks mean that is no longer true. See 21 // https://moderncrypto.org/mail-archive/curves/2016/000740.html.) 22 package bn256 23 24 import ( 25 "crypto/rand" 26 "errors" 27 "io" 28 "math/big" 29 ) 30 31 // BUG(agl): this implementation is not constant time. 32 // TODO(agl): keep GF(p²) elements in Mongomery form. 33 34 // G1 is an abstract cyclic group. The zero value is suitable for use as the 35 // output of an operation, but cannot be used as an input. 36 type G1 struct { 37 p *curvePoint 38 } 39 40 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 41 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 42 var k *big.Int 43 var err error 44 45 for { 46 k, err = rand.Int(r, Order) 47 if err != nil { 48 return nil, nil, err 49 } 50 if k.Sign() > 0 { 51 break 52 } 53 } 54 55 return k, new(G1).ScalarBaseMult(k), nil 56 } 57 58 func (e *G1) String() string { 59 return "bn256.G1" + e.p.String() 60 } 61 62 // CurvePoints returns p's curve points in big integer 63 func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int) { 64 return e.p.x, e.p.y, e.p.z, e.p.t 65 } 66 67 // ScalarBaseMult sets e to g*k where g is the generator of the group and 68 // then returns e. 69 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 70 if e.p == nil { 71 e.p = newCurvePoint(nil) 72 } 73 e.p.Mul(curveGen, k, new(bnPool)) 74 return e 75 } 76 77 // ScalarMult sets e to a*k and then returns e. 78 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 79 if e.p == nil { 80 e.p = newCurvePoint(nil) 81 } 82 e.p.Mul(a.p, k, new(bnPool)) 83 return e 84 } 85 86 // Add sets e to a+b and then returns e. 87 // BUG(agl): this function is not complete: a==b fails. 88 func (e *G1) Add(a, b *G1) *G1 { 89 if e.p == nil { 90 e.p = newCurvePoint(nil) 91 } 92 e.p.Add(a.p, b.p, new(bnPool)) 93 return e 94 } 95 96 // Neg sets e to -a and then returns e. 97 func (e *G1) Neg(a *G1) *G1 { 98 if e.p == nil { 99 e.p = newCurvePoint(nil) 100 } 101 e.p.Negative(a.p) 102 return e 103 } 104 105 // Marshal converts n to a byte slice. 106 func (e *G1) Marshal() []byte { 107 // Each value is a 256-bit number. 108 const numBytes = 256 / 8 109 110 if e.p.IsInfinity() { 111 return make([]byte, numBytes*2) 112 } 113 114 e.p.MakeAffine(nil) 115 116 xBytes := new(big.Int).Mod(e.p.x, P).Bytes() 117 yBytes := new(big.Int).Mod(e.p.y, P).Bytes() 118 119 ret := make([]byte, numBytes*2) 120 copy(ret[1*numBytes-len(xBytes):], xBytes) 121 copy(ret[2*numBytes-len(yBytes):], yBytes) 122 123 return ret 124 } 125 126 // Unmarshal sets e to the result of converting the output of Marshal back into 127 // a group element and then returns e. 128 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 129 // Each value is a 256-bit number. 130 const numBytes = 256 / 8 131 if len(m) != 2*numBytes { 132 return nil, errors.New("bn256: not enough data") 133 } 134 // Unmarshal the points and check their caps 135 if e.p == nil { 136 e.p = newCurvePoint(nil) 137 } 138 e.p.x.SetBytes(m[0*numBytes : 1*numBytes]) 139 if e.p.x.Cmp(P) >= 0 { 140 return nil, errors.New("bn256: coordinate exceeds modulus") 141 } 142 e.p.y.SetBytes(m[1*numBytes : 2*numBytes]) 143 if e.p.y.Cmp(P) >= 0 { 144 return nil, errors.New("bn256: coordinate exceeds modulus") 145 } 146 // Ensure the point is on the curve 147 if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 { 148 // This is the point at infinity. 149 e.p.y.SetInt64(1) 150 e.p.z.SetInt64(0) 151 e.p.t.SetInt64(0) 152 } else { 153 e.p.z.SetInt64(1) 154 e.p.t.SetInt64(1) 155 156 if !e.p.IsOnCurve() { 157 return nil, errors.New("bn256: malformed point") 158 } 159 } 160 return m[2*numBytes:], nil 161 } 162 163 // G2 is an abstract cyclic group. The zero value is suitable for use as the 164 // output of an operation, but cannot be used as an input. 165 type G2 struct { 166 p *twistPoint 167 } 168 169 // RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r. 170 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 171 var k *big.Int 172 var err error 173 174 for { 175 k, err = rand.Int(r, Order) 176 if err != nil { 177 return nil, nil, err 178 } 179 if k.Sign() > 0 { 180 break 181 } 182 } 183 184 return k, new(G2).ScalarBaseMult(k), nil 185 } 186 187 func (e *G2) String() string { 188 return "bn256.G2" + e.p.String() 189 } 190 191 // CurvePoints returns the curve points of p which includes the real 192 // and imaginary parts of the curve point. 193 func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2) { 194 return e.p.x, e.p.y, e.p.z, e.p.t 195 } 196 197 // ScalarBaseMult sets e to g*k where g is the generator of the group and 198 // then returns out. 199 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 200 if e.p == nil { 201 e.p = newTwistPoint(nil) 202 } 203 e.p.Mul(twistGen, k, new(bnPool)) 204 return e 205 } 206 207 // ScalarMult sets e to a*k and then returns e. 208 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 209 if e.p == nil { 210 e.p = newTwistPoint(nil) 211 } 212 e.p.Mul(a.p, k, new(bnPool)) 213 return e 214 } 215 216 // Add sets e to a+b and then returns e. 217 // BUG(agl): this function is not complete: a==b fails. 218 func (e *G2) Add(a, b *G2) *G2 { 219 if e.p == nil { 220 e.p = newTwistPoint(nil) 221 } 222 e.p.Add(a.p, b.p, new(bnPool)) 223 return e 224 } 225 226 // Marshal converts n into a byte slice. 227 func (n *G2) Marshal() []byte { 228 // Each value is a 256-bit number. 229 const numBytes = 256 / 8 230 231 if n.p.IsInfinity() { 232 return make([]byte, numBytes*4) 233 } 234 235 n.p.MakeAffine(nil) 236 237 xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes() 238 xyBytes := new(big.Int).Mod(n.p.x.y, P).Bytes() 239 yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes() 240 yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes() 241 242 ret := make([]byte, numBytes*4) 243 copy(ret[1*numBytes-len(xxBytes):], xxBytes) 244 copy(ret[2*numBytes-len(xyBytes):], xyBytes) 245 copy(ret[3*numBytes-len(yxBytes):], yxBytes) 246 copy(ret[4*numBytes-len(yyBytes):], yyBytes) 247 248 return ret 249 } 250 251 // Unmarshal sets e to the result of converting the output of Marshal back into 252 // a group element and then returns e. 253 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 254 // Each value is a 256-bit number. 255 const numBytes = 256 / 8 256 if len(m) != 4*numBytes { 257 return nil, errors.New("bn256: not enough data") 258 } 259 // Unmarshal the points and check their caps 260 if e.p == nil { 261 e.p = newTwistPoint(nil) 262 } 263 e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 264 if e.p.x.x.Cmp(P) >= 0 { 265 return nil, errors.New("bn256: coordinate exceeds modulus") 266 } 267 e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 268 if e.p.x.y.Cmp(P) >= 0 { 269 return nil, errors.New("bn256: coordinate exceeds modulus") 270 } 271 e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 272 if e.p.y.x.Cmp(P) >= 0 { 273 return nil, errors.New("bn256: coordinate exceeds modulus") 274 } 275 e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 276 if e.p.y.y.Cmp(P) >= 0 { 277 return nil, errors.New("bn256: coordinate exceeds modulus") 278 } 279 // Ensure the point is on the curve 280 if e.p.x.x.Sign() == 0 && 281 e.p.x.y.Sign() == 0 && 282 e.p.y.x.Sign() == 0 && 283 e.p.y.y.Sign() == 0 { 284 // This is the point at infinity. 285 e.p.y.SetOne() 286 e.p.z.SetZero() 287 e.p.t.SetZero() 288 } else { 289 e.p.z.SetOne() 290 e.p.t.SetOne() 291 292 if !e.p.IsOnCurve() { 293 return nil, errors.New("bn256: malformed point") 294 } 295 } 296 return m[4*numBytes:], nil 297 } 298 299 // GT is an abstract cyclic group. The zero value is suitable for use as the 300 // output of an operation, but cannot be used as an input. 301 type GT struct { 302 p *gfP12 303 } 304 305 func (g *GT) String() string { 306 return "bn256.GT" + g.p.String() 307 } 308 309 // ScalarMult sets e to a*k and then returns e. 310 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 311 if e.p == nil { 312 e.p = newGFp12(nil) 313 } 314 e.p.Exp(a.p, k, new(bnPool)) 315 return e 316 } 317 318 // Add sets e to a+b and then returns e. 319 func (e *GT) Add(a, b *GT) *GT { 320 if e.p == nil { 321 e.p = newGFp12(nil) 322 } 323 e.p.Mul(a.p, b.p, new(bnPool)) 324 return e 325 } 326 327 // Neg sets e to -a and then returns e. 328 func (e *GT) Neg(a *GT) *GT { 329 if e.p == nil { 330 e.p = newGFp12(nil) 331 } 332 e.p.Invert(a.p, new(bnPool)) 333 return e 334 } 335 336 // Marshal converts n into a byte slice. 337 func (n *GT) Marshal() []byte { 338 n.p.Minimal() 339 340 xxxBytes := n.p.x.x.x.Bytes() 341 xxyBytes := n.p.x.x.y.Bytes() 342 xyxBytes := n.p.x.y.x.Bytes() 343 xyyBytes := n.p.x.y.y.Bytes() 344 xzxBytes := n.p.x.z.x.Bytes() 345 xzyBytes := n.p.x.z.y.Bytes() 346 yxxBytes := n.p.y.x.x.Bytes() 347 yxyBytes := n.p.y.x.y.Bytes() 348 yyxBytes := n.p.y.y.x.Bytes() 349 yyyBytes := n.p.y.y.y.Bytes() 350 yzxBytes := n.p.y.z.x.Bytes() 351 yzyBytes := n.p.y.z.y.Bytes() 352 353 // Each value is a 256-bit number. 354 const numBytes = 256 / 8 355 356 ret := make([]byte, numBytes*12) 357 copy(ret[1*numBytes-len(xxxBytes):], xxxBytes) 358 copy(ret[2*numBytes-len(xxyBytes):], xxyBytes) 359 copy(ret[3*numBytes-len(xyxBytes):], xyxBytes) 360 copy(ret[4*numBytes-len(xyyBytes):], xyyBytes) 361 copy(ret[5*numBytes-len(xzxBytes):], xzxBytes) 362 copy(ret[6*numBytes-len(xzyBytes):], xzyBytes) 363 copy(ret[7*numBytes-len(yxxBytes):], yxxBytes) 364 copy(ret[8*numBytes-len(yxyBytes):], yxyBytes) 365 copy(ret[9*numBytes-len(yyxBytes):], yyxBytes) 366 copy(ret[10*numBytes-len(yyyBytes):], yyyBytes) 367 copy(ret[11*numBytes-len(yzxBytes):], yzxBytes) 368 copy(ret[12*numBytes-len(yzyBytes):], yzyBytes) 369 370 return ret 371 } 372 373 // Unmarshal sets e to the result of converting the output of Marshal back into 374 // a group element and then returns e. 375 func (e *GT) Unmarshal(m []byte) (*GT, bool) { 376 // Each value is a 256-bit number. 377 const numBytes = 256 / 8 378 379 if len(m) != 12*numBytes { 380 return nil, false 381 } 382 383 if e.p == nil { 384 e.p = newGFp12(nil) 385 } 386 387 e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 388 e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 389 e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 390 e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 391 e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes]) 392 e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes]) 393 e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes]) 394 e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes]) 395 e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes]) 396 e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes]) 397 e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes]) 398 e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes]) 399 400 return e, true 401 } 402 403 // Pair calculates an Optimal Ate pairing. 404 func Pair(g1 *G1, g2 *G2) *GT { 405 return >{optimalAte(g2.p, g1.p, new(bnPool))} 406 } 407 408 // PairingCheck calculates the Optimal Ate pairing for a set of points. 409 func PairingCheck(a []*G1, b []*G2) bool { 410 pool := new(bnPool) 411 412 acc := newGFp12(pool) 413 acc.SetOne() 414 415 for i := 0; i < len(a); i++ { 416 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 417 continue 418 } 419 acc.Mul(acc, miller(b[i].p, a[i].p, pool), pool) 420 } 421 ret := finalExponentiation(acc, pool) 422 acc.Put(pool) 423 424 return ret.IsOne() 425 } 426 427 // bnPool implements a tiny cache of *big.Int objects that's used to reduce the 428 // number of allocations made during processing. 429 type bnPool struct { 430 bns []*big.Int 431 count int 432 } 433 434 func (pool *bnPool) Get() *big.Int { 435 if pool == nil { 436 return new(big.Int) 437 } 438 439 pool.count++ 440 l := len(pool.bns) 441 if l == 0 { 442 return new(big.Int) 443 } 444 445 bn := pool.bns[l-1] 446 pool.bns = pool.bns[:l-1] 447 return bn 448 } 449 450 func (pool *bnPool) Put(bn *big.Int) { 451 if pool == nil { 452 return 453 } 454 pool.bns = append(pool.bns, bn) 455 pool.count-- 456 } 457 458 func (pool *bnPool) Count() int { 459 return pool.count 460 }