bn254

package
v0.0.0-...-4a97a7c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 3, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package bn254 efficient elliptic curve, pairing and hash to curve implementation for bn254. This curve appears in Ethereum pre-compiles as altbn128.

bn254: A Barreto--Naerig curve with 

seed x₀=4965661367192848881
𝔽r: r=21888242871839275222246405745257275088548364400416034343698204186575808495617 (36x₀⁴+36x₀³+18x₀²+6x₀+1)
𝔽p: p=21888242871839275222246405745257275088696311157297823662689037894645226208583 (36x₀⁴+36x₀³+24x₀²+6x₀+1)
(E/𝔽p): Y²=X³+3
(Eₜ/𝔽p²): Y² = X³+3/(u+9) (D-type twist)
r ∣ #E(Fp) and r ∣ #Eₜ(𝔽p²)

Extension fields tower: 

𝔽p²[u] = 𝔽p/u²+1
𝔽p⁶[v] = 𝔽p²/v³-9-u
𝔽p¹²[w] = 𝔽p⁶/w²-v

optimal Ate loop size: 

6x₀+2

Security: estimated 103-bit level following [https://eprint.iacr.org/2019/885.pdf] (r is 254 bits and p¹² is 3044 bits)

Warning

This code has been partially audited and is provided as-is. In particular, there is no security guarantees such as constant time implementation or side-channel attack resistance.

Index

Constants

View Source 
const ID = ecc.BN254

ID bn254 ID

View Source 
const SizeOfG1AffineCompressed = 32

SizeOfG1AffineCompressed represents the size in bytes that a G1Affine need in binary form, compressed

View Source 
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2

SizeOfG1AffineUncompressed represents the size in bytes that a G1Affine need in binary form, uncompressed

View Source 
const SizeOfG2AffineCompressed = 32 * 2

SizeOfG2AffineCompressed represents the size in bytes that a G2Affine need in binary form, compressed

View Source 
const SizeOfG2AffineUncompressed = SizeOfG2AffineCompressed * 2

SizeOfG2AffineUncompressed represents the size in bytes that a G2Affine need in binary form, uncompressed

View Source 
const SizeOfGT = fptower.SizeOfGT

SizeOfGT represents the size in bytes that a GT element need in binary form

Variables

View Source 
var (
	ErrInvalidInfinityEncoding = errors.New("invalid infinity point encoding")
	ErrInvalidEncoding         = errors.New("invalid point encoding")
)
View Source 
var LoopCounter [66]int8

optimal Ate loop counter

Functions

func CurveCoefficients 

func CurveCoefficients() (a, b fp.Element)

CurveCoefficients returns the a, b coefficients of the curve equation.

func Generators 

func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine)

Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)

func NoSubgroupChecks 

func NoSubgroupChecks() func(*Decoder)

NoSubgroupChecks returns an option to use in NewDecoder(...) which disable subgroup checks on the points the decoder will read. Use with caution, as crafted points from an untrusted source can lead to crypto-attacks.

func PairingCheck 

func PairingCheck(P []G1Affine, Q []G2Affine) (bool, error)

PairingCheck calculates the reduced pairing for a set of points and returns True if the result is One ∏ᵢ e(Pᵢ, Qᵢ) =? 1

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

func PairingCheckFixedQ 

func PairingCheckFixedQ(P []G1Affine, lines [][2][len(LoopCounter)]LineEvaluationAff) (bool, error)

PairingCheckFixedQ calculates the reduced pairing for a set of points and returns True if the result is One ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Q are fixed points in G2.

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

func PrecomputeLines 

func PrecomputeLines(Q G2Affine) (PrecomputedLines [2][len(LoopCounter)]LineEvaluationAff)

PrecomputeLines precomputes the lines for the fixed-argument Miller loop

func RawEncoding 

func RawEncoding() func(*Encoder)

RawEncoding returns an option to use in NewEncoder(...) which sets raw encoding mode to true points will not be compressed using this option

Types

type Decoder 

type Decoder struct {
	// contains filtered or unexported fields
}

Decoder reads bn254 object values from an inbound stream

func NewDecoder 

func NewDecoder(r io.Reader, options ...func(*Decoder)) *Decoder

NewDecoder returns a binary decoder supporting curve bn254 objects in both compressed and uncompressed (raw) forms

func (*Decoder) BytesRead 

func (dec *Decoder) BytesRead() int64

BytesRead return total bytes read from reader

func (*Decoder) Decode 

func (dec *Decoder) Decode(v interface{}) (err error)

Decode reads the binary encoding of v from the stream type must be *uint64, *fr.Element, *fp.Element, *G1Affine, *G2Affine, *[]G1Affine or *[]G2Affine

type E12 

type E12 = fptower.E12

𝔽p¹²

type E2 

type E2 = fptower.E2

𝔽p²

type E6 

type E6 = fptower.E6

𝔽p⁶

type Encoder 

type Encoder struct {
	// contains filtered or unexported fields
}

Encoder writes bn254 object values to an output stream

func NewEncoder 

func NewEncoder(w io.Writer, options ...func(*Encoder)) *Encoder

NewEncoder returns a binary encoder supporting curve bn254 objects

func (*Encoder) BytesWritten 

func (enc *Encoder) BytesWritten() int64

BytesWritten return total bytes written on writer

func (*Encoder) Encode 

func (enc *Encoder) Encode(v interface{}) (err error)

Encode writes the binary encoding of v to the stream type must be uint64, *fr.Element, *fp.Element, *G1Affine, *G2Affine, []G1Affine or []G2Affine

type G1Affine 

type G1Affine struct {
	X, Y fp.Element
}

G1Affine is a point in affine coordinates (x,y)

func BatchJacobianToAffineG1 

func BatchJacobianToAffineG1(points []G1Jac) []G1Affine

BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion using the Montgomery batch inversion trick.

func BatchScalarMultiplicationG1 

func BatchScalarMultiplicationG1(base *G1Affine, scalars []fr.Element) []G1Affine

BatchScalarMultiplicationG1 multiplies the same base by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF-like multiplication algorithm.

func EncodeToG1 

func EncodeToG1(msg, dst []byte) (G1Affine, error)

EncodeToG1 hashes a message to a point on the G1 curve using the SVDW map. It is faster than HashToG1, but the result is not uniformly distributed. Unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func HashToG1 

func HashToG1(msg, dst []byte) (G1Affine, error)

HashToG1 hashes a message to a point on the G1 curve using the SVDW map. Slower than EncodeToG1, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func MapToCurve1 

func MapToCurve1(u *fp.Element) G1Affine

MapToCurve1 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form No cofactor clearing or isogeny https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw

func MapToG1 

func MapToG1(u fp.Element) G1Affine

MapToG1 invokes the SVDW map, and guarantees that the result is in g1

func (*G1Affine) Add 

func (p *G1Affine) Add(a, b *G1Affine) *G1Affine

Add adds two points in affine coordinates. It uses the Jacobian addition with a.Z=b.Z=1 and converts the result to affine coordinates.

https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl

func (*G1Affine) Bytes 

func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)

Bytes returns binary representation of p will store X coordinate in regular form and a parity bit as we have less than 3 bits available in our coordinate, we can't follow BLS12-381 style encoding (ZCash/IETF)

we use the 2 most significant bits instead 

00 -> uncompressed
10 -> compressed, use smallest lexicographically square root of Y^2
11 -> compressed, use largest lexicographically square root of Y^2
01 -> compressed infinity point
the "uncompressed infinity point" will just have 00 (uncompressed) followed by zeroes (infinity = 0,0 in affine coordinates)

func (*G1Affine) Double 

func (p *G1Affine) Double(a *G1Affine) *G1Affine

Double doubles a point in affine coordinates. It converts the point to Jacobian coordinates, doubles it using Jacobian addition with a.Z=1, and converts it back to affine coordinates.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl

func (*G1Affine) Equal 

func (p *G1Affine) Equal(a *G1Affine) bool

Equal tests if two points in affine coordinates are equal.

func (*G1Affine) Fold 

func (p *G1Affine) Fold(points []G1Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G1Affine) FromJacobian 

func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine

FromJacobian converts a point p1 from Jacobian to affine coordinates.

func (*G1Affine) IsInSubGroup 

func (p *G1Affine) IsInSubGroup() bool

IsInSubGroup returns true if the affine point p is in the correct subgroup, false otherwise.

func (*G1Affine) IsInfinity 

func (p *G1Affine) IsInfinity() bool

IsInfinity checks if the affine point p is infinity, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G1Affine) IsOnCurve 

func (p *G1Affine) IsOnCurve() bool

IsOnCurve returns true if the affine point p in on the curve.

func (*G1Affine) Marshal 

func (p *G1Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G1Affine) MultiExp 

func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G1Affine) Neg 

func (p *G1Affine) Neg(a *G1Affine) *G1Affine

Neg sets p to the affine negative point -a = (a.X, -a.Y).

func (*G1Affine) RawBytes 

func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G1Affine) ScalarMultiplication 

func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine

ScalarMultiplication computes and returns p = [s]a where p and a are affine points.

func (*G1Affine) ScalarMultiplicationBase 

func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine

ScalarMultiplicationBase computes and returns p = [s]g where g is the affine point generating the prime subgroup.

func (*G1Affine) Set 

func (p *G1Affine) Set(a *G1Affine) *G1Affine

Set sets p to a in affine coordinates.

func (*G1Affine) SetBytes 

func (p *G1Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes

bytes in buf must match either RawBytes() or Bytes() output

if buf is too short io.ErrShortBuffer is returned

if buf contains compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e the square root doesn't exist) this function returns an error

this check if the resulting point is on the curve and in the correct subgroup

func (*G1Affine) SetInfinity 

func (p *G1Affine) SetInfinity() *G1Affine

SetInfinity sets p to the infinity point, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G1Affine) String 

func (p *G1Affine) String() string

String returns the string representation E(x,y) of the affine point p or "O" if it is infinity.

func (*G1Affine) Sub 

func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine

Sub subtracts two points in affine coordinates. It uses a similar approach to Add, but negates the second point before adding.

func (*G1Affine) Unmarshal 

func (p *G1Affine) Unmarshal(buf []byte) error

Unmarshal is an alias to SetBytes()

type G1Jac 

type G1Jac struct {
	X, Y, Z fp.Element
}

G1Jac is a point in Jacobian coordinates (x=X/Z², y=Y/Z³)

func (*G1Jac) AddAssign 

func (p *G1Jac) AddAssign(q *G1Jac) *G1Jac

AddAssign sets p to p+a in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G1Jac) AddMixed 

func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac

AddMixed sets p to p+a in Jacobian coordinates, where a.Z = 1.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G1Jac) Double 

func (p *G1Jac) Double(q *G1Jac) *G1Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleAssign 

func (p *G1Jac) DoubleAssign() *G1Jac

DoubleAssign doubles p in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleMixed 

func (p *G1Jac) DoubleMixed(a *G1Affine) *G1Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) Equal 

func (p *G1Jac) Equal(q *G1Jac) bool

Equal tests if two points in Jacobian coordinates are equal.

func (*G1Jac) Fold 

func (p *G1Jac) Fold(points []G1Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G1Jac) FromAffine 

func (p *G1Jac) FromAffine(a *G1Affine) *G1Jac

FromAffine converts a point a from affine to Jacobian coordinates.

func (*G1Jac) IsInSubGroup 

func (p *G1Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is on the r-torsion, false otherwise. the curve is of prime order i.e. E(𝔽p) is the full group so we just check that the point is on the curve.

func (*G1Jac) IsOnCurve 

func (p *G1Jac) IsOnCurve() bool

IsOnCurve returns true if the Jacobian point p in on the curve.

func (*G1Jac) JointScalarMultiplication 

func (p *G1Jac) JointScalarMultiplication(a1, a2 *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplication computes [s1]a1+[s2]a2 using Strauss-Shamir technique where a1 and a2 are affine points.

func (*G1Jac) JointScalarMultiplicationBase 

func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplicationBase computes [s1]g+[s2]a using Straus-Shamir technique where g is the prime subgroup generator.

func (*G1Jac) MultiExp 

func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G1Jac) Neg 

func (p *G1Jac) Neg(q *G1Jac) *G1Jac

Neg sets p to the Jacobian negative point -q = (q.X, -q.Y, q.Z).

func (*G1Jac) ScalarMultiplication 

func (p *G1Jac) ScalarMultiplication(q *G1Jac, s *big.Int) *G1Jac

ScalarMultiplication computes and returns p = [s]a where p and a are Jacobian points. using the GLV technique. see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G1Jac) ScalarMultiplicationBase 

func (p *G1Jac) ScalarMultiplicationBase(s *big.Int) *G1Jac

ScalarMultiplicationBase computes and returns p = [s]g where g is the prime subgroup generator.

func (*G1Jac) Set 

func (p *G1Jac) Set(q *G1Jac) *G1Jac

Set sets p to a in Jacobian coordinates.

func (*G1Jac) String 

func (p *G1Jac) String() string

String converts p to affine coordinates and returns its string representation E(x,y) or "O" if it is infinity.

func (*G1Jac) SubAssign 

func (p *G1Jac) SubAssign(q *G1Jac) *G1Jac

SubAssign sets p to p-a in Jacobian coordinates. It uses a similar approach to AddAssign, but negates the point a before adding.

type G2Affine 

type G2Affine struct {
	X, Y fptower.E2
}

G2Affine is a point in affine coordinates (x,y)

func BatchScalarMultiplicationG2 

func BatchScalarMultiplicationG2(base *G2Affine, scalars []fr.Element) []G2Affine

BatchScalarMultiplicationG2 multiplies the same base by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF-like multiplication algorithm.

func EncodeToG2 

func EncodeToG2(msg, dst []byte) (G2Affine, error)

EncodeToG2 hashes a message to a point on the G2 curve using the SVDW map. It is faster than HashToG2, but the result is not uniformly distributed. Unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func HashToG2 

func HashToG2(msg, dst []byte) (G2Affine, error)

HashToG2 hashes a message to a point on the G2 curve using the SVDW map. Slower than EncodeToG2, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func MapToCurve2 

func MapToCurve2(u *fptower.E2) G2Affine

MapToCurve2 implements the Shallue and van de Woestijne method, applicable to any elliptic curve in Weierstrass form No cofactor clearing or isogeny https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#straightline-svdw

func MapToG2 

func MapToG2(u fptower.E2) G2Affine

MapToG2 invokes the SVDW map, and guarantees that the result is in g2

func RandomOnG2 

func RandomOnG2() (G2Affine, error)

RandomOnG2 produces a random point in G2 using standard map-to-curve methods, which means the relative discrete log of the generated point with respect to the canonical generator is not known.

func (*G2Affine) Add 

func (p *G2Affine) Add(a, b *G2Affine) *G2Affine

Add adds two points in affine coordinates. It uses the Jacobian addition with a.Z=b.Z=1 and converts the result to affine coordinates.

https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl

func (*G2Affine) Bytes 

func (p *G2Affine) Bytes() (res [SizeOfG2AffineCompressed]byte)

Bytes returns binary representation of p will store X coordinate in regular form and a parity bit as we have less than 3 bits available in our coordinate, we can't follow BLS12-381 style encoding (ZCash/IETF)

we use the 2 most significant bits instead 

00 -> uncompressed
10 -> compressed, use smallest lexicographically square root of Y^2
11 -> compressed, use largest lexicographically square root of Y^2
01 -> compressed infinity point
the "uncompressed infinity point" will just have 00 (uncompressed) followed by zeroes (infinity = 0,0 in affine coordinates)

func (*G2Affine) ClearCofactor 

func (p *G2Affine) ClearCofactor(a *G2Affine) *G2Affine

ClearCofactor maps a point in curve to r-torsion

func (*G2Affine) Double 

func (p *G2Affine) Double(a *G2Affine) *G2Affine

Double doubles a point in affine coordinates. It converts the point to Jacobian coordinates, doubles it using Jacobian addition with a.Z=1, and converts it back to affine coordinates.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl

func (*G2Affine) Equal 

func (p *G2Affine) Equal(a *G2Affine) bool

Equal tests if two points in affine coordinates are equal.

func (*G2Affine) Fold 

func (p *G2Affine) Fold(points []G2Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G2Affine) FromJacobian 

func (p *G2Affine) FromJacobian(p1 *G2Jac) *G2Affine

FromJacobian converts a point p1 from Jacobian to affine coordinates.

func (*G2Affine) IsInSubGroup 

func (p *G2Affine) IsInSubGroup() bool

IsInSubGroup returns true if the affine point p is in the correct subgroup, false otherwise.

func (*G2Affine) IsInfinity 

func (p *G2Affine) IsInfinity() bool

IsInfinity checks if the affine point p is infinity, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G2Affine) IsOnCurve 

func (p *G2Affine) IsOnCurve() bool

IsOnCurve returns true if the affine point p in on the curve.

func (*G2Affine) Marshal 

func (p *G2Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G2Affine) MultiExp 

func (p *G2Affine) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G2Affine) Neg 

func (p *G2Affine) Neg(a *G2Affine) *G2Affine

Neg sets p to the affine negative point -a = (a.X, -a.Y).

func (*G2Affine) RawBytes 

func (p *G2Affine) RawBytes() (res [SizeOfG2AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G2Affine) ScalarMultiplication 

func (p *G2Affine) ScalarMultiplication(a *G2Affine, s *big.Int) *G2Affine

ScalarMultiplication computes and returns p = [s]a where p and a are affine points.

func (*G2Affine) ScalarMultiplicationBase 

func (p *G2Affine) ScalarMultiplicationBase(s *big.Int) *G2Affine

ScalarMultiplicationBase computes and returns p = [s]g where g is the affine point generating the prime subgroup.

func (*G2Affine) Set 

func (p *G2Affine) Set(a *G2Affine) *G2Affine

Set sets p to a in affine coordinates.

func (*G2Affine) SetBytes 

func (p *G2Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes

bytes in buf must match either RawBytes() or Bytes() output

if buf is too short io.ErrShortBuffer is returned

if buf contains compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e the square root doesn't exist) this function returns an error

this check if the resulting point is on the curve and in the correct subgroup

func (*G2Affine) SetInfinity 

func (p *G2Affine) SetInfinity() *G2Affine

SetInfinity sets p to the infinity point, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G2Affine) String 

func (p *G2Affine) String() string

String returns the string representation E(x,y) of the affine point p or "O" if it is infinity.

func (*G2Affine) Sub 

func (p *G2Affine) Sub(a, b *G2Affine) *G2Affine

Sub subtracts two points in affine coordinates. It uses a similar approach to Add, but negates the second point before adding.

func (*G2Affine) Unmarshal 

func (p *G2Affine) Unmarshal(buf []byte) error

Unmarshal is an alias to SetBytes()

type G2Jac 

type G2Jac struct {
	X, Y, Z fptower.E2
}

G2Jac is a point in Jacobian coordinates (x=X/Z², y=Y/Z³)

func (*G2Jac) AddAssign 

func (p *G2Jac) AddAssign(q *G2Jac) *G2Jac

AddAssign sets p to p+a in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G2Jac) AddMixed 

func (p *G2Jac) AddMixed(a *G2Affine) *G2Jac

AddMixed sets p to p+a in Jacobian coordinates, where a.Z = 1.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G2Jac) ClearCofactor 

func (p *G2Jac) ClearCofactor(q *G2Jac) *G2Jac

ClearCofactor maps a point in curve to r-torsion

func (*G2Jac) Double 

func (p *G2Jac) Double(q *G2Jac) *G2Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) DoubleAssign 

func (p *G2Jac) DoubleAssign() *G2Jac

DoubleAssign doubles p in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) DoubleMixed 

func (p *G2Jac) DoubleMixed(a *G2Affine) *G2Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) Equal 

func (p *G2Jac) Equal(q *G2Jac) bool

Equal tests if two points in Jacobian coordinates are equal.

func (*G2Jac) Fold 

func (p *G2Jac) Fold(points []G2Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G2Jac) FromAffine 

func (p *G2Jac) FromAffine(a *G2Affine) *G2Jac

FromAffine converts a point a from affine to Jacobian coordinates.

func (*G2Jac) IsInSubGroup 

func (p *G2Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is on the r-torsion, false otherwise. https://eprint.iacr.org/2022/348.pdf, sec. 3 and 5.1 [r]P == 0 <==> [x₀+1]P + ψ([x₀]P) + ψ²([x₀]P) = ψ³([2x₀]P)

func (*G2Jac) IsOnCurve 

func (p *G2Jac) IsOnCurve() bool

IsOnCurve returns true if the Jacobian point p in on the curve.

func (*G2Jac) MultiExp 

func (p *G2Jac) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G2Jac) Neg 

func (p *G2Jac) Neg(q *G2Jac) *G2Jac

Neg sets p to the Jacobian negative point -q = (q.X, -q.Y, q.Z).

func (*G2Jac) ScalarMultiplication 

func (p *G2Jac) ScalarMultiplication(q *G2Jac, s *big.Int) *G2Jac

ScalarMultiplication computes and returns p = [s]a where p and a are Jacobian points. using the GLV technique. see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G2Jac) ScalarMultiplicationBase 

func (p *G2Jac) ScalarMultiplicationBase(s *big.Int) *G2Jac

ScalarMultiplicationBase computes and returns p = [s]g where g is the prime subgroup generator.

func (*G2Jac) Set 

func (p *G2Jac) Set(q *G2Jac) *G2Jac

Set sets p to a in Jacobian coordinates.

func (*G2Jac) String 

func (p *G2Jac) String() string

String converts p to affine coordinates and returns its string representation E(x,y) or "O" if it is infinity.

func (*G2Jac) SubAssign 

func (p *G2Jac) SubAssign(q *G2Jac) *G2Jac

SubAssign sets p to p-a in Jacobian coordinates. It uses a similar approach to AddAssign, but negates the point a before adding.

type GT 

type GT = fptower.E12

GT target group of the pairing

func FinalExponentiation 

func FinalExponentiation(z *GT, _z ...*GT) GT

FinalExponentiation computes the exponentiation (∏ᵢ zᵢ)ᵈ where d = (p¹²-1)/r = (p¹²-1)/Φ₁₂(p) ⋅ Φ₁₂(p)/r = (p⁶-1)(p²+1)(p⁴ - p² +1)/r we use instead d=s ⋅ (p⁶-1)(p²+1)(p⁴ - p² +1)/r where s is the cofactor 2x₀(6x₀²+3x₀+1)

func MillerLoop 

func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error)

MillerLoop computes the multi-Miller loop ∏ᵢ MillerLoop(Pᵢ, Qᵢ) = ∏ᵢ { fᵢ_{6x₀+2,Qᵢ}(Pᵢ) · ℓᵢ_{[6x₀+2]Qᵢ,π(Qᵢ)}(Pᵢ) · ℓᵢ_{[6x₀+2]Qᵢ+π(Qᵢ),-π²(Qᵢ)}(Pᵢ) }

func MillerLoopFixedQ 

func MillerLoopFixedQ(P []G1Affine, lines [][2][len(LoopCounter)]LineEvaluationAff) (GT, error)

MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop but Qᵢ are fixed points in G2 known in advance.

func Pair 

func Pair(P []G1Affine, Q []G2Affine) (GT, error)

Pair calculates the reduced pairing for a set of points ∏ᵢ e(Pᵢ, Qᵢ).

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

func PairFixedQ 

func PairFixedQ(P []G1Affine, lines [][2][len(LoopCounter)]LineEvaluationAff) (GT, error)

PairFixedQ calculates the reduced pairing for a set of points ∏ᵢ e(Pᵢ, Qᵢ) where Q are fixed points in G2.

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

type LineEvaluationAff 

type LineEvaluationAff struct {
	R0 fptower.E2
	R1 fptower.E2
}

Source Files

View all Source files

Directories

Path Synopsis
Package ecdsa provides ECDSA signature scheme on the bn254 curve.
 Package ecdsa provides ECDSA signature scheme on the bn254 curve.
Package fflonk provides fflonk commitment, based on shplonk.
 Package fflonk provides fflonk commitment, based on shplonk.
fp
Package fp contains field arithmetic operations for modulus = 0x30644e...7cfd47.
 Package fp contains field arithmetic operations for modulus = 0x30644e...7cfd47.
hash_to_field
Package htf provides hasher based on RFC 9380 Section 5.
 Package htf provides hasher based on RFC 9380 Section 5.
fr
Package fr contains field arithmetic operations for modulus = 0x30644e...000001.
 Package fr contains field arithmetic operations for modulus = 0x30644e...000001.
fft
Package fft provides in-place discrete Fourier transform on powers-of-two subgroups of 𝔽ᵣˣ (the multiplicative group (ℤ/rℤ, x) ).
 Package fft provides in-place discrete Fourier transform on powers-of-two subgroups of 𝔽ᵣˣ (the multiplicative group (ℤ/rℤ, x) ).
fri
Package fri provides the FRI (multiplicative) commitment scheme.
 Package fri provides the FRI (multiplicative) commitment scheme.
gkr
hash_to_field
Package htf provides hasher based on RFC 9380 Section 5.
 Package htf provides hasher based on RFC 9380 Section 5.
iop
Package iop provides an API to computations common to iop backends (permutation, quotient).
 Package iop provides an API to computations common to iop backends (permutation, quotient).
mimc
Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
 Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
mimc/test_vectors
pedersen
Package pedersen allows to compute and verify Pedersen vector commitments
 Package pedersen allows to compute and verify Pedersen vector commitments
permutation
Package permutation provides an API to build permutation proofs.
 Package permutation provides an API to build permutation proofs.
plookup
Package plookup provides an API to build plookup proofs.
 Package plookup provides an API to build plookup proofs.
polynomial
Package polynomial provides polynomial methods and commitment schemes.
 Package polynomial provides polynomial methods and commitment schemes.
poseidon2
sis
sumcheck
tensor-commitment
test_vector_utils
Package kzg provides a KZG commitment scheme.
 Package kzg provides a KZG commitment scheme.
Package shplonk provides a SHPLONK commitment scheme, cf https://eprint.iacr.org/2020/081.pdf
 Package shplonk provides a SHPLONK commitment scheme, cf https://eprint.iacr.org/2020/081.pdf
Package twistededwards provides bn254's twisted edwards "companion curve" defined on fr.
 Package twistededwards provides bn254's twisted edwards "companion curve" defined on fr.
eddsa
Package eddsa provides EdDSA signature scheme on bn254's twisted edwards curve.
 Package eddsa provides EdDSA signature scheme on bn254's twisted edwards curve.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.