github.com/sberex/go-sberex@v1.8.2-0.20181113200658-ed96ac38f7d7/crypto/bn256/bn256.go (about) 1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package bn256 implements a particular bilinear group at the 128-bit security level. 6 // 7 // Bilinear groups are the basis of many of the new cryptographic protocols 8 // that have been proposed over the past decade. They consist of a triplet of 9 // groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ 10 // (where gₓ is a generator of the respective group). That function is called 11 // a pairing function. 12 // 13 // This package specifically implements the Optimal Ate pairing over a 256-bit 14 // Barreto-Naehrig curve as described in 15 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible 16 // with the implementation described in that paper. 17 package bn256 18 19 import ( 20 "crypto/rand" 21 "io" 22 "math/big" 23 ) 24 25 // BUG(agl): this implementation is not constant time. 26 // TODO(agl): keep GF(p²) elements in Mongomery form. 27 28 // G1 is an abstract cyclic group. The zero value is suitable for use as the 29 // output of an operation, but cannot be used as an input. 30 type G1 struct { 31 p *curvePoint 32 } 33 34 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r. 35 func RandomG1(r io.Reader) (*big.Int, *G1, error) { 36 var k *big.Int 37 var err error 38 39 for { 40 k, err = rand.Int(r, Order) 41 if err != nil { 42 return nil, nil, err 43 } 44 if k.Sign() > 0 { 45 break 46 } 47 } 48 49 return k, new(G1).ScalarBaseMult(k), nil 50 } 51 52 func (g *G1) String() string { 53 return "bn256.G1" + g.p.String() 54 } 55 56 // CurvePoints returns p's curve points in big integer 57 func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int) { 58 return e.p.x, e.p.y, e.p.z, e.p.t 59 } 60 61 // ScalarBaseMult sets e to g*k where g is the generator of the group and 62 // then returns e. 63 func (e *G1) ScalarBaseMult(k *big.Int) *G1 { 64 if e.p == nil { 65 e.p = newCurvePoint(nil) 66 } 67 e.p.Mul(curveGen, k, new(bnPool)) 68 return e 69 } 70 71 // ScalarMult sets e to a*k and then returns e. 72 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 { 73 if e.p == nil { 74 e.p = newCurvePoint(nil) 75 } 76 e.p.Mul(a.p, k, new(bnPool)) 77 return e 78 } 79 80 // Add sets e to a+b and then returns e. 81 // BUG(agl): this function is not complete: a==b fails. 82 func (e *G1) Add(a, b *G1) *G1 { 83 if e.p == nil { 84 e.p = newCurvePoint(nil) 85 } 86 e.p.Add(a.p, b.p, new(bnPool)) 87 return e 88 } 89 90 // Neg sets e to -a and then returns e. 91 func (e *G1) Neg(a *G1) *G1 { 92 if e.p == nil { 93 e.p = newCurvePoint(nil) 94 } 95 e.p.Negative(a.p) 96 return e 97 } 98 99 // Marshal converts n to a byte slice. 100 func (n *G1) Marshal() []byte { 101 n.p.MakeAffine(nil) 102 103 xBytes := new(big.Int).Mod(n.p.x, P).Bytes() 104 yBytes := new(big.Int).Mod(n.p.y, P).Bytes() 105 106 // Each value is a 256-bit number. 107 const numBytes = 256 / 8 108 109 ret := make([]byte, numBytes*2) 110 copy(ret[1*numBytes-len(xBytes):], xBytes) 111 copy(ret[2*numBytes-len(yBytes):], yBytes) 112 113 return ret 114 } 115 116 // Unmarshal sets e to the result of converting the output of Marshal back into 117 // a group element and then returns e. 118 func (e *G1) Unmarshal(m []byte) (*G1, bool) { 119 // Each value is a 256-bit number. 120 const numBytes = 256 / 8 121 122 if len(m) != 2*numBytes { 123 return nil, false 124 } 125 126 if e.p == nil { 127 e.p = newCurvePoint(nil) 128 } 129 130 e.p.x.SetBytes(m[0*numBytes : 1*numBytes]) 131 e.p.y.SetBytes(m[1*numBytes : 2*numBytes]) 132 133 if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 { 134 // This is the point at infinity. 135 e.p.y.SetInt64(1) 136 e.p.z.SetInt64(0) 137 e.p.t.SetInt64(0) 138 } else { 139 e.p.z.SetInt64(1) 140 e.p.t.SetInt64(1) 141 142 if !e.p.IsOnCurve() { 143 return nil, false 144 } 145 } 146 147 return e, true 148 } 149 150 // G2 is an abstract cyclic group. The zero value is suitable for use as the 151 // output of an operation, but cannot be used as an input. 152 type G2 struct { 153 p *twistPoint 154 } 155 156 // RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r. 157 func RandomG2(r io.Reader) (*big.Int, *G2, error) { 158 var k *big.Int 159 var err error 160 161 for { 162 k, err = rand.Int(r, Order) 163 if err != nil { 164 return nil, nil, err 165 } 166 if k.Sign() > 0 { 167 break 168 } 169 } 170 171 return k, new(G2).ScalarBaseMult(k), nil 172 } 173 174 func (g *G2) String() string { 175 return "bn256.G2" + g.p.String() 176 } 177 178 // CurvePoints returns the curve points of p which includes the real 179 // and imaginary parts of the curve point. 180 func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2) { 181 return e.p.x, e.p.y, e.p.z, e.p.t 182 } 183 184 // ScalarBaseMult sets e to g*k where g is the generator of the group and 185 // then returns out. 186 func (e *G2) ScalarBaseMult(k *big.Int) *G2 { 187 if e.p == nil { 188 e.p = newTwistPoint(nil) 189 } 190 e.p.Mul(twistGen, k, new(bnPool)) 191 return e 192 } 193 194 // ScalarMult sets e to a*k and then returns e. 195 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 { 196 if e.p == nil { 197 e.p = newTwistPoint(nil) 198 } 199 e.p.Mul(a.p, k, new(bnPool)) 200 return e 201 } 202 203 // Add sets e to a+b and then returns e. 204 // BUG(agl): this function is not complete: a==b fails. 205 func (e *G2) Add(a, b *G2) *G2 { 206 if e.p == nil { 207 e.p = newTwistPoint(nil) 208 } 209 e.p.Add(a.p, b.p, new(bnPool)) 210 return e 211 } 212 213 // Marshal converts n into a byte slice. 214 func (n *G2) Marshal() []byte { 215 n.p.MakeAffine(nil) 216 217 xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes() 218 xyBytes := new(big.Int).Mod(n.p.x.y, P).Bytes() 219 yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes() 220 yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes() 221 222 // Each value is a 256-bit number. 223 const numBytes = 256 / 8 224 225 ret := make([]byte, numBytes*4) 226 copy(ret[1*numBytes-len(xxBytes):], xxBytes) 227 copy(ret[2*numBytes-len(xyBytes):], xyBytes) 228 copy(ret[3*numBytes-len(yxBytes):], yxBytes) 229 copy(ret[4*numBytes-len(yyBytes):], yyBytes) 230 231 return ret 232 } 233 234 // Unmarshal sets e to the result of converting the output of Marshal back into 235 // a group element and then returns e. 236 func (e *G2) Unmarshal(m []byte) (*G2, bool) { 237 // Each value is a 256-bit number. 238 const numBytes = 256 / 8 239 240 if len(m) != 4*numBytes { 241 return nil, false 242 } 243 244 if e.p == nil { 245 e.p = newTwistPoint(nil) 246 } 247 248 e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 249 e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 250 e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 251 e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 252 253 if e.p.x.x.Sign() == 0 && 254 e.p.x.y.Sign() == 0 && 255 e.p.y.x.Sign() == 0 && 256 e.p.y.y.Sign() == 0 { 257 // This is the point at infinity. 258 e.p.y.SetOne() 259 e.p.z.SetZero() 260 e.p.t.SetZero() 261 } else { 262 e.p.z.SetOne() 263 e.p.t.SetOne() 264 265 if !e.p.IsOnCurve() { 266 return nil, false 267 } 268 } 269 270 return e, true 271 } 272 273 // GT is an abstract cyclic group. The zero value is suitable for use as the 274 // output of an operation, but cannot be used as an input. 275 type GT struct { 276 p *gfP12 277 } 278 279 func (g *GT) String() string { 280 return "bn256.GT" + g.p.String() 281 } 282 283 // ScalarMult sets e to a*k and then returns e. 284 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT { 285 if e.p == nil { 286 e.p = newGFp12(nil) 287 } 288 e.p.Exp(a.p, k, new(bnPool)) 289 return e 290 } 291 292 // Add sets e to a+b and then returns e. 293 func (e *GT) Add(a, b *GT) *GT { 294 if e.p == nil { 295 e.p = newGFp12(nil) 296 } 297 e.p.Mul(a.p, b.p, new(bnPool)) 298 return e 299 } 300 301 // Neg sets e to -a and then returns e. 302 func (e *GT) Neg(a *GT) *GT { 303 if e.p == nil { 304 e.p = newGFp12(nil) 305 } 306 e.p.Invert(a.p, new(bnPool)) 307 return e 308 } 309 310 // Marshal converts n into a byte slice. 311 func (n *GT) Marshal() []byte { 312 n.p.Minimal() 313 314 xxxBytes := n.p.x.x.x.Bytes() 315 xxyBytes := n.p.x.x.y.Bytes() 316 xyxBytes := n.p.x.y.x.Bytes() 317 xyyBytes := n.p.x.y.y.Bytes() 318 xzxBytes := n.p.x.z.x.Bytes() 319 xzyBytes := n.p.x.z.y.Bytes() 320 yxxBytes := n.p.y.x.x.Bytes() 321 yxyBytes := n.p.y.x.y.Bytes() 322 yyxBytes := n.p.y.y.x.Bytes() 323 yyyBytes := n.p.y.y.y.Bytes() 324 yzxBytes := n.p.y.z.x.Bytes() 325 yzyBytes := n.p.y.z.y.Bytes() 326 327 // Each value is a 256-bit number. 328 const numBytes = 256 / 8 329 330 ret := make([]byte, numBytes*12) 331 copy(ret[1*numBytes-len(xxxBytes):], xxxBytes) 332 copy(ret[2*numBytes-len(xxyBytes):], xxyBytes) 333 copy(ret[3*numBytes-len(xyxBytes):], xyxBytes) 334 copy(ret[4*numBytes-len(xyyBytes):], xyyBytes) 335 copy(ret[5*numBytes-len(xzxBytes):], xzxBytes) 336 copy(ret[6*numBytes-len(xzyBytes):], xzyBytes) 337 copy(ret[7*numBytes-len(yxxBytes):], yxxBytes) 338 copy(ret[8*numBytes-len(yxyBytes):], yxyBytes) 339 copy(ret[9*numBytes-len(yyxBytes):], yyxBytes) 340 copy(ret[10*numBytes-len(yyyBytes):], yyyBytes) 341 copy(ret[11*numBytes-len(yzxBytes):], yzxBytes) 342 copy(ret[12*numBytes-len(yzyBytes):], yzyBytes) 343 344 return ret 345 } 346 347 // Unmarshal sets e to the result of converting the output of Marshal back into 348 // a group element and then returns e. 349 func (e *GT) Unmarshal(m []byte) (*GT, bool) { 350 // Each value is a 256-bit number. 351 const numBytes = 256 / 8 352 353 if len(m) != 12*numBytes { 354 return nil, false 355 } 356 357 if e.p == nil { 358 e.p = newGFp12(nil) 359 } 360 361 e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes]) 362 e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes]) 363 e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes]) 364 e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes]) 365 e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes]) 366 e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes]) 367 e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes]) 368 e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes]) 369 e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes]) 370 e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes]) 371 e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes]) 372 e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes]) 373 374 return e, true 375 } 376 377 // Pair calculates an Optimal Ate pairing. 378 func Pair(g1 *G1, g2 *G2) *GT { 379 return >{optimalAte(g2.p, g1.p, new(bnPool))} 380 } 381 382 // PairingCheck calculates the Optimal Ate pairing for a set of points. 383 func PairingCheck(a []*G1, b []*G2) bool { 384 pool := new(bnPool) 385 386 acc := newGFp12(pool) 387 acc.SetOne() 388 389 for i := 0; i < len(a); i++ { 390 if a[i].p.IsInfinity() || b[i].p.IsInfinity() { 391 continue 392 } 393 acc.Mul(acc, miller(b[i].p, a[i].p, pool), pool) 394 } 395 ret := finalExponentiation(acc, pool) 396 acc.Put(pool) 397 398 return ret.IsOne() 399 } 400 401 // bnPool implements a tiny cache of *big.Int objects that's used to reduce the 402 // number of allocations made during processing. 403 type bnPool struct { 404 bns []*big.Int 405 count int 406 } 407 408 func (pool *bnPool) Get() *big.Int { 409 if pool == nil { 410 return new(big.Int) 411 } 412 413 pool.count++ 414 l := len(pool.bns) 415 if l == 0 { 416 return new(big.Int) 417 } 418 419 bn := pool.bns[l-1] 420 pool.bns = pool.bns[:l-1] 421 return bn 422 } 423 424 func (pool *bnPool) Put(bn *big.Int) { 425 if pool == nil { 426 return 427 } 428 pool.bns = append(pool.bns, bn) 429 pool.count-- 430 } 431 432 func (pool *bnPool) Count() int { 433 return pool.count 434 }