README
¶
bn256
Package bn256 implements a particular bilinear group at the 128-bit security
level. It is a modification of the official version at
https://golang.org/x/crypto/bn256 but all operations are ~10 times faster on
amd64 and arm64. There is a lattices branch for non-commercial use where
non-pairing operations are up to ~20 times faster.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
Benchmarks
branch master:
BenchmarkG1-4 10000 154995 ns/op
BenchmarkG2-4 3000 541503 ns/op
BenchmarkGT-4 1000 1267811 ns/op
BenchmarkPairing-4 1000 1630584 ns/op
branch lattices:
BenchmarkG1-4 20000 92198 ns/op
BenchmarkG2-4 5000 340622 ns/op
BenchmarkGT-4 2000 635061 ns/op
BenchmarkPairing-4 1000 1629943 ns/op
official version:
BenchmarkG1-4 1000 2268491 ns/op
BenchmarkG2-4 300 7227637 ns/op
BenchmarkGT-4 100 15121359 ns/op
BenchmarkPairing-4 50 20296164 ns/op
Documentation
¶
Overview ¶
Package bn256 implements a particular bilinear group at the 128-bit security level.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
Improved by lalumine based on cloudflare/bn256
Package bn256 implements a particular bilinear group at the 128-bit security level.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
Index ¶
- Variables
- type G1
- func (e *G1) Add(a, b *G1) *G1
- func (e *G1) Base() *G1
- func (e *G1) IsZero() bool
- func (e *G1) Marshal() []byte
- func (e *G1) Neg(a *G1) *G1
- func (e *G1) ScalarBaseMult(k *big.Int) *G1
- func (e *G1) ScalarMult(a *G1, k *big.Int) *G1
- func (e *G1) Set(a *G1) *G1
- func (g *G1) String() string
- func (e *G1) Unmarshal(m []byte) error
- func (e *G1) Zero() *G1
- type G2
- func (e *G2) Add(a, b *G2) *G2
- func (e *G2) Base() *G2
- func (e *G2) IsZero() bool
- func (e *G2) Marshal() []byte
- func (e *G2) Neg(a *G2) *G2
- func (e *G2) ScalarBaseMult(k *big.Int) *G2
- func (e *G2) ScalarMult(a *G2, k *big.Int) *G2
- func (e *G2) Set(a *G2) *G2
- func (e *G2) String() string
- func (e *G2) Unmarshal(m []byte) error
- func (e *G2) Zero() *G2
- type GT
- func (e *GT) Add(a, b *GT) *GT
- func (e *GT) Base() *GT
- func (e *GT) Finalize() *GT
- func (e *GT) IsZero() bool
- func (e *GT) Marshal() []byte
- func (e *GT) Neg(a *GT) *GT
- func (e *GT) ScalarBaseMult(k *big.Int) *GT
- func (e *GT) ScalarMult(a *GT, k *big.Int) *GT
- func (e *GT) ScalarMultSimple(a *GT, k *big.Int) *GT
- func (e *GT) Set(a *GT) *GT
- func (g *GT) String() string
- func (e *GT) Unit() *GT
- func (e *GT) Unmarshal(m []byte) error
- func (e *GT) Zero() *GT
- type Scalar
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")
Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1. order-1 = (2**5) * 3 * 5743 * 280941149 * 130979359433191 * 491513138693455212421542731357 * 6518589491078791937
Functions ¶
This section is empty.
Types ¶
type G1 ¶
type G1 struct {
// contains filtered or unexported fields
}
G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func (*G1) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
func (*G1) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
type G2 ¶
type G2 struct {
// contains filtered or unexported fields
}
G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func (*G2) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.
func (*G2) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
type GT ¶
type GT struct {
// contains filtered or unexported fields
}
GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func Miller ¶
Miller applies Miller's algorithm, which is a bilinear function from the source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, g2).
func Pair ¶
Pair calculates an Optimal Ate pairing.
Example ¶
// This implements the tripartite Diffie-Hellman algorithm from "A One // Round Protocol for Tripartite Diffie-Hellman", A. Joux. // http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf // Each of three parties, a, b and c, generate a private value. a, _ := rand.Int(rand.Reader, Order) b, _ := rand.Int(rand.Reader, Order) c, _ := rand.Int(rand.Reader, Order) // Then each party calculates g₁ and g₂ times their private value. pa := new(G1).ScalarBaseMult(a) qa := new(G2).ScalarBaseMult(a) pb := new(G1).ScalarBaseMult(b) qb := new(G2).ScalarBaseMult(b) pc := new(G1).ScalarBaseMult(c) qc := new(G2).ScalarBaseMult(c) // Now each party exchanges its public values with the other two and // all parties can calculate the shared key. k1 := Pair(pb, qc) k1.ScalarMult(k1, a) k2 := Pair(pc, qa) k2.ScalarMult(k2, b) k3 := Pair(pa, qb) k3.ScalarMult(k3, c) // k1, k2 and k3 will all be equal.
Output:
func (*GT) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.
func (*GT) ScalarMult ¶
ScalarMult sets e to a*k and then returns e. (If e is not guaranteed to be an element of the group because it is the output of Miller(), use ScalarMultSimple.)
func (*GT) ScalarMultSimple ¶
ScalarMultSimple sets e to a*k and then returns e.
Source Files