go-ethereum: github.com/axiomzen/go-ethereum/crypto/bn256/google Index | Examples | Files

package bn256

import "github.com/axiomzen/go-ethereum/crypto/bn256/google"

Package bn256 implements a particular bilinear group.

Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.

This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.

(This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See https://moderncrypto.org/mail-archive/curves/2016/000740.html..)

Index

Examples

Package Files

bn256.go constants.go curve.go gfp12.go gfp2.go gfp6.go optate.go twist.go

Variables

var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617")

Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.

var P = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583")

p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.

func PairingCheck Uses

func PairingCheck(a []*G1, b []*G2) bool

PairingCheck calculates the Optimal Ate pairing for a set of points.

type G1 Uses

type G1 struct {
    // contains filtered or unexported fields
}

G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

func RandomG1 Uses

func RandomG1(r io.Reader) (*big.Int, *G1, error)

RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.

func (*G1) Add Uses

func (e *G1) Add(a, b *G1) *G1

Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.

func (*G1) CurvePoints Uses

func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int)

CurvePoints returns p's curve points in big integer

func (*G1) Marshal Uses

func (e *G1) Marshal() []byte

Marshal converts n to a byte slice.

func (*G1) Neg Uses

func (e *G1) Neg(a *G1) *G1

Neg sets e to -a and then returns e.

func (*G1) ScalarBaseMult Uses

func (e *G1) ScalarBaseMult(k *big.Int) *G1

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.

func (*G1) ScalarMult Uses

func (e *G1) ScalarMult(a *G1, k *big.Int) *G1

ScalarMult sets e to a*k and then returns e.

func (*G1) String Uses

func (e *G1) String() string

func (*G1) Unmarshal Uses

func (e *G1) Unmarshal(m []byte) ([]byte, error)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type G2 Uses

type G2 struct {
    // contains filtered or unexported fields
}

G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

func RandomG2 Uses

func RandomG2(r io.Reader) (*big.Int, *G2, error)

RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r.

func (*G2) Add Uses

func (e *G2) Add(a, b *G2) *G2

Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.

func (*G2) CurvePoints Uses

func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2)

CurvePoints returns the curve points of p which includes the real and imaginary parts of the curve point.

func (*G2) Marshal Uses

func (n *G2) Marshal() []byte

Marshal converts n into a byte slice.

func (*G2) ScalarBaseMult Uses

func (e *G2) ScalarBaseMult(k *big.Int) *G2

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.

func (*G2) ScalarMult Uses

func (e *G2) ScalarMult(a *G2, k *big.Int) *G2

ScalarMult sets e to a*k and then returns e.

func (*G2) String Uses

func (e *G2) String() string

func (*G2) Unmarshal Uses

func (e *G2) Unmarshal(m []byte) ([]byte, error)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type GT Uses

type GT struct {
    // contains filtered or unexported fields
}

GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

func Pair Uses

func Pair(g1 *G1, g2 *G2) *GT

Pair calculates an Optimal Ate pairing.

Code:

// This implements the tripartite Diffie-Hellman algorithm from "A One
// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

// Each of three parties, a, b and c, generate a private value.
a, _ := rand.Int(rand.Reader, Order)
b, _ := rand.Int(rand.Reader, Order)
c, _ := rand.Int(rand.Reader, Order)

// Then each party calculates g₁ and g₂ times their private value.
pa := new(G1).ScalarBaseMult(a)
qa := new(G2).ScalarBaseMult(a)

pb := new(G1).ScalarBaseMult(b)
qb := new(G2).ScalarBaseMult(b)

pc := new(G1).ScalarBaseMult(c)
qc := new(G2).ScalarBaseMult(c)

// Now each party exchanges its public values with the other two and
// all parties can calculate the shared key.
k1 := Pair(pb, qc)
k1.ScalarMult(k1, a)

k2 := Pair(pc, qa)
k2.ScalarMult(k2, b)

k3 := Pair(pa, qb)
k3.ScalarMult(k3, c)

// k1, k2 and k3 will all be equal.

func (*GT) Add Uses

func (e *GT) Add(a, b *GT) *GT

Add sets e to a+b and then returns e.

func (*GT) Marshal Uses

func (n *GT) Marshal() []byte

Marshal converts n into a byte slice.

func (*GT) Neg Uses

func (e *GT) Neg(a *GT) *GT

Neg sets e to -a and then returns e.

func (*GT) ScalarMult Uses

func (e *GT) ScalarMult(a *GT, k *big.Int) *GT

ScalarMult sets e to a*k and then returns e.

func (*GT) String Uses

func (g *GT) String() string

func (*GT) Unmarshal Uses

func (e *GT) Unmarshal(m []byte) (*GT, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

Bugs

this implementation is not constant time.

this function is not complete: a==b fails.

this function is not complete: a==b fails.

Package bn256 imports 4 packages (graph). Updated 2019-07-06. Refresh now. Tools for package owners.