github.com/phillinzzz/newBsc@v1.1.6/crypto/bn256/cloudflare/bn256.go (about) 1 // Package bn256 implements a particular bilinear group at the 128-bit security 2 // level. 3 // 4 // Bilinear groups are the basis of many of the new cryptographic protocols that 5 // have been proposed over the past decade. They consist of a triplet of groups 6 // (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ 7 // is a generator of the respective group). That function is called a pairing 8 // function. 9 // 10 // This package specifically implements the Optimal Ate pairing over a 256-bit 11 // Barreto-Naehrig curve as described in 12 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is not 13 // compatible with the implementation described in that paper, as different 14 // parameters are chosen. 15 // 16 // (This package previously claimed to operate at a 128-bit security level. 17 // However, recent improvements in attacks mean that is no longer true. See 18 // https://moderncrypto.org/mail-archive/curves/2016/000740.html.) 19 package bn256 20 21 import ( 22 "crypto/rand" 23 "errors" 24 "io" 25 "math/big" 26 ) 27 28 func randomK(r io.Reader) (k *big.Int, err error) { 29 for { 30 k, err = rand.Int(r, Order) 31 if err != nil || k.Sign() > 0 { 32 return 33 } 34 } 35 } 36 37 // G1 is an abstract cyclic group. The zero value is suitable for use as the 38 // output of an operation, but cannot be used as an input. 39 type G1 struct { 40 p *curvePoint 41 } 42 43 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 44 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 45 k, err := randomK(r) 46 if err != nil { 47 return nil, nil, err 48 } 49 50 return k, new(G1).ScalarBaseMult(k), nil 51 } 52 53 func (g *G1) String() string { 54 return "bn256.G1" + g.p.String() 55 } 56 57 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 58 // returns e. 59 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 60 if e.p == nil { 61 e.p = &curvePoint{} 62 } 63 e.p.Mul(curveGen, k) 64 return e 65 } 66 67 // ScalarMult sets e to a*k and then returns e. 68 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 69 if e.p == nil { 70 e.p = &curvePoint{} 71 } 72 e.p.Mul(a.p, k) 73 return e 74 } 75 76 // Add sets e to a+b and then returns e. 77 func (e *G1) Add(a, b *G1) *G1 { 78 if e.p == nil { 79 e.p = &curvePoint{} 80 } 81 e.p.Add(a.p, b.p) 82 return e 83 } 84 85 // Neg sets e to -a and then returns e. 86 func (e *G1) Neg(a *G1) *G1 { 87 if e.p == nil { 88 e.p = &curvePoint{} 89 } 90 e.p.Neg(a.p) 91 return e 92 } 93 94 // Set sets e to a and then returns e. 95 func (e *G1) Set(a *G1) *G1 { 96 if e.p == nil { 97 e.p = &curvePoint{} 98 } 99 e.p.Set(a.p) 100 return e 101 } 102 103 // Marshal converts e to a byte slice. 104 func (e *G1) Marshal() []byte { 105 // Each value is a 256-bit number. 106 const numBytes = 256 / 8 107 108 if e.p == nil { 109 e.p = &curvePoint{} 110 } 111 112 e.p.MakeAffine() 113 ret := make([]byte, numBytes*2) 114 if e.p.IsInfinity() { 115 return ret 116 } 117 temp := &gfP{} 118 119 montDecode(temp, &e.p.x) 120 temp.Marshal(ret) 121 montDecode(temp, &e.p.y) 122 temp.Marshal(ret[numBytes:]) 123 124 return ret 125 } 126 127 // Unmarshal sets e to the result of converting the output of Marshal back into 128 // a group element and then returns e. 129 func (e *G1) Unmarshal(m []byte) ([]byte, error) { 130 // Each value is a 256-bit number. 131 const numBytes = 256 / 8 132 if len(m) < 2*numBytes { 133 return nil, errors.New("bn256: not enough data") 134 } 135 // Unmarshal the points and check their caps 136 if e.p == nil { 137 e.p = &curvePoint{} 138 } else { 139 e.p.x, e.p.y = gfP{0}, gfP{0} 140 } 141 var err error 142 if err = e.p.x.Unmarshal(m); err != nil { 143 return nil, err 144 } 145 if err = e.p.y.Unmarshal(m[numBytes:]); err != nil { 146 return nil, err 147 } 148 // Encode into Montgomery form and ensure it's on the curve 149 montEncode(&e.p.x, &e.p.x) 150 montEncode(&e.p.y, &e.p.y) 151 152 zero := gfP{0} 153 if e.p.x == zero && e.p.y == zero { 154 // This is the point at infinity. 155 e.p.y = *newGFp(1) 156 e.p.z = gfP{0} 157 e.p.t = gfP{0} 158 } else { 159 e.p.z = *newGFp(1) 160 e.p.t = *newGFp(1) 161 162 if !e.p.IsOnCurve() { 163 return nil, errors.New("bn256: malformed point") 164 } 165 } 166 return m[2*numBytes:], nil 167 } 168 169 // G2 is an abstract cyclic group. The zero value is suitable for use as the 170 // output of an operation, but cannot be used as an input. 171 type G2 struct { 172 p *twistPoint 173 } 174 175 // RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r. 176 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 177 k, err := randomK(r) 178 if err != nil { 179 return nil, nil, err 180 } 181 182 return k, new(G2).ScalarBaseMult(k), nil 183 } 184 185 func (e *G2) String() string { 186 return "bn256.G2" + e.p.String() 187 } 188 189 // ScalarBaseMult sets e to g*k where g is the generator of the group and then 190 // returns out. 191 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 192 if e.p == nil { 193 e.p = &twistPoint{} 194 } 195 e.p.Mul(twistGen, k) 196 return e 197 } 198 199 // ScalarMult sets e to a*k and then returns e. 200 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 201 if e.p == nil { 202 e.p = &twistPoint{} 203 } 204 e.p.Mul(a.p, k) 205 return e 206 } 207 208 // Add sets e to a+b and then returns e. 209 func (e *G2) Add(a, b *G2) *G2 { 210 if e.p == nil { 211 e.p = &twistPoint{} 212 } 213 e.p.Add(a.p, b.p) 214 return e 215 } 216 217 // Neg sets e to -a and then returns e. 218 func (e *G2) Neg(a *G2) *G2 { 219 if e.p == nil { 220 e.p = &twistPoint{} 221 } 222 e.p.Neg(a.p) 223 return e 224 } 225 226 // Set sets e to a and then returns e. 227 func (e *G2) Set(a *G2) *G2 { 228 if e.p == nil { 229 e.p = &twistPoint{} 230 } 231 e.p.Set(a.p) 232 return e 233 } 234 235 // Marshal converts e into a byte slice. 236 func (e *G2) Marshal() []byte { 237 // Each value is a 256-bit number. 238 const numBytes = 256 / 8 239 240 if e.p == nil { 241 e.p = &twistPoint{} 242 } 243 244 e.p.MakeAffine() 245 ret := make([]byte, numBytes*4) 246 if e.p.IsInfinity() { 247 return ret 248 } 249 temp := &gfP{} 250 251 montDecode(temp, &e.p.x.x) 252 temp.Marshal(ret) 253 montDecode(temp, &e.p.x.y) 254 temp.Marshal(ret[numBytes:]) 255 montDecode(temp, &e.p.y.x) 256 temp.Marshal(ret[2*numBytes:]) 257 montDecode(temp, &e.p.y.y) 258 temp.Marshal(ret[3*numBytes:]) 259 260 return ret 261 } 262 263 // Unmarshal sets e to the result of converting the output of Marshal back into 264 // a group element and then returns e. 265 func (e *G2) Unmarshal(m []byte) ([]byte, error) { 266 // Each value is a 256-bit number. 267 const numBytes = 256 / 8 268 if len(m) < 4*numBytes { 269 return nil, errors.New("bn256: not enough data") 270 } 271 // Unmarshal the points and check their caps 272 if e.p == nil { 273 e.p = &twistPoint{} 274 } 275 var err error 276 if err = e.p.x.x.Unmarshal(m); err != nil { 277 return nil, err 278 } 279 if err = e.p.x.y.Unmarshal(m[numBytes:]); err != nil { 280 return nil, err 281 } 282 if err = e.p.y.x.Unmarshal(m[2*numBytes:]); err != nil { 283 return nil, err 284 } 285 if err = e.p.y.y.Unmarshal(m[3*numBytes:]); err != nil { 286 return nil, err 287 } 288 // Encode into Montgomery form and ensure it's on the curve 289 montEncode(&e.p.x.x, &e.p.x.x) 290 montEncode(&e.p.x.y, &e.p.x.y) 291 montEncode(&e.p.y.x, &e.p.y.x) 292 montEncode(&e.p.y.y, &e.p.y.y) 293 294 if e.p.x.IsZero() && e.p.y.IsZero() { 295 // This is the point at infinity. 296 e.p.y.SetOne() 297 e.p.z.SetZero() 298 e.p.t.SetZero() 299 } else { 300 e.p.z.SetOne() 301 e.p.t.SetOne() 302 303 if !e.p.IsOnCurve() { 304 return nil, errors.New("bn256: malformed point") 305 } 306 } 307 return m[4*numBytes:], nil 308 } 309 310 // GT is an abstract cyclic group. The zero value is suitable for use as the 311 // output of an operation, but cannot be used as an input. 312 type GT struct { 313 p *gfP12 314 } 315 316 // Pair calculates an Optimal Ate pairing. 317 func Pair(g1 *G1, g2 *G2) *GT { 318 return >{optimalAte(g2.p, g1.p)} 319 } 320 321 // PairingCheck calculates the Optimal Ate pairing for a set of points. 322 func PairingCheck(a []*G1, b []*G2) bool { 323 acc := new(gfP12) 324 acc.SetOne() 325 326 for i := 0; i < len(a); i++ { 327 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 328 continue 329 } 330 acc.Mul(acc, miller(b[i].p, a[i].p)) 331 } 332 return finalExponentiation(acc).IsOne() 333 } 334 335 // Miller applies Miller's algorithm, which is a bilinear function from the 336 // source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, 337 // g2). 338 func Miller(g1 *G1, g2 *G2) *GT { 339 return >{miller(g2.p, g1.p)} 340 } 341 342 func (g *GT) String() string { 343 return "bn256.GT" + g.p.String() 344 } 345 346 // ScalarMult sets e to a*k and then returns e. 347 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 348 if e.p == nil { 349 e.p = &gfP12{} 350 } 351 e.p.Exp(a.p, k) 352 return e 353 } 354 355 // Add sets e to a+b and then returns e. 356 func (e *GT) Add(a, b *GT) *GT { 357 if e.p == nil { 358 e.p = &gfP12{} 359 } 360 e.p.Mul(a.p, b.p) 361 return e 362 } 363 364 // Neg sets e to -a and then returns e. 365 func (e *GT) Neg(a *GT) *GT { 366 if e.p == nil { 367 e.p = &gfP12{} 368 } 369 e.p.Conjugate(a.p) 370 return e 371 } 372 373 // Set sets e to a and then returns e. 374 func (e *GT) Set(a *GT) *GT { 375 if e.p == nil { 376 e.p = &gfP12{} 377 } 378 e.p.Set(a.p) 379 return e 380 } 381 382 // Finalize is a linear function from F_p^12 to GT. 383 func (e *GT) Finalize() *GT { 384 ret := finalExponentiation(e.p) 385 e.p.Set(ret) 386 return e 387 } 388 389 // Marshal converts e into a byte slice. 390 func (e *GT) Marshal() []byte { 391 // Each value is a 256-bit number. 392 const numBytes = 256 / 8 393 394 if e.p == nil { 395 e.p = &gfP12{} 396 e.p.SetOne() 397 } 398 399 ret := make([]byte, numBytes*12) 400 temp := &gfP{} 401 402 montDecode(temp, &e.p.x.x.x) 403 temp.Marshal(ret) 404 montDecode(temp, &e.p.x.x.y) 405 temp.Marshal(ret[numBytes:]) 406 montDecode(temp, &e.p.x.y.x) 407 temp.Marshal(ret[2*numBytes:]) 408 montDecode(temp, &e.p.x.y.y) 409 temp.Marshal(ret[3*numBytes:]) 410 montDecode(temp, &e.p.x.z.x) 411 temp.Marshal(ret[4*numBytes:]) 412 montDecode(temp, &e.p.x.z.y) 413 temp.Marshal(ret[5*numBytes:]) 414 montDecode(temp, &e.p.y.x.x) 415 temp.Marshal(ret[6*numBytes:]) 416 montDecode(temp, &e.p.y.x.y) 417 temp.Marshal(ret[7*numBytes:]) 418 montDecode(temp, &e.p.y.y.x) 419 temp.Marshal(ret[8*numBytes:]) 420 montDecode(temp, &e.p.y.y.y) 421 temp.Marshal(ret[9*numBytes:]) 422 montDecode(temp, &e.p.y.z.x) 423 temp.Marshal(ret[10*numBytes:]) 424 montDecode(temp, &e.p.y.z.y) 425 temp.Marshal(ret[11*numBytes:]) 426 427 return ret 428 } 429 430 // Unmarshal sets e to the result of converting the output of Marshal back into 431 // a group element and then returns e. 432 func (e *GT) Unmarshal(m []byte) ([]byte, error) { 433 // Each value is a 256-bit number. 434 const numBytes = 256 / 8 435 436 if len(m) < 12*numBytes { 437 return nil, errors.New("bn256: not enough data") 438 } 439 440 if e.p == nil { 441 e.p = &gfP12{} 442 } 443 444 var err error 445 if err = e.p.x.x.x.Unmarshal(m); err != nil { 446 return nil, err 447 } 448 if err = e.p.x.x.y.Unmarshal(m[numBytes:]); err != nil { 449 return nil, err 450 } 451 if err = e.p.x.y.x.Unmarshal(m[2*numBytes:]); err != nil { 452 return nil, err 453 } 454 if err = e.p.x.y.y.Unmarshal(m[3*numBytes:]); err != nil { 455 return nil, err 456 } 457 if err = e.p.x.z.x.Unmarshal(m[4*numBytes:]); err != nil { 458 return nil, err 459 } 460 if err = e.p.x.z.y.Unmarshal(m[5*numBytes:]); err != nil { 461 return nil, err 462 } 463 if err = e.p.y.x.x.Unmarshal(m[6*numBytes:]); err != nil { 464 return nil, err 465 } 466 if err = e.p.y.x.y.Unmarshal(m[7*numBytes:]); err != nil { 467 return nil, err 468 } 469 if err = e.p.y.y.x.Unmarshal(m[8*numBytes:]); err != nil { 470 return nil, err 471 } 472 if err = e.p.y.y.y.Unmarshal(m[9*numBytes:]); err != nil { 473 return nil, err 474 } 475 if err = e.p.y.z.x.Unmarshal(m[10*numBytes:]); err != nil { 476 return nil, err 477 } 478 if err = e.p.y.z.y.Unmarshal(m[11*numBytes:]); err != nil { 479 return nil, err 480 } 481 montEncode(&e.p.x.x.x, &e.p.x.x.x) 482 montEncode(&e.p.x.x.y, &e.p.x.x.y) 483 montEncode(&e.p.x.y.x, &e.p.x.y.x) 484 montEncode(&e.p.x.y.y, &e.p.x.y.y) 485 montEncode(&e.p.x.z.x, &e.p.x.z.x) 486 montEncode(&e.p.x.z.y, &e.p.x.z.y) 487 montEncode(&e.p.y.x.x, &e.p.y.x.x) 488 montEncode(&e.p.y.x.y, &e.p.y.x.y) 489 montEncode(&e.p.y.y.x, &e.p.y.y.x) 490 montEncode(&e.p.y.y.y, &e.p.y.y.y) 491 montEncode(&e.p.y.z.x, &e.p.y.z.x) 492 montEncode(&e.p.y.z.y, &e.p.y.z.y) 493 494 return m[12*numBytes:], nil 495 }