bn256

package
v1.6.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2017 License: GPL-3.0 Imports: 3 Imported by: 0

Documentation

Overview

Package bn256 implements a particular bilinear group at the 128-bit security level.

Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.

This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.

Index

Examples

Constants

This section is empty.

Variables

View Source
var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617")

Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.

View Source
var P = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583")

p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.

Functions

func PairingCheck

func PairingCheck(a []*G1, b []*G2) bool

Types

type G1

type G1 struct {
	// contains filtered or unexported fields
}

G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

func RandomG1 added in v1.6.2

func RandomG1(r io.Reader) (*big.Int, *G1, error)

RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.

func (*G1) Add added in v1.6.2

func (e *G1) Add(a, b *G1) *G1

Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.

func (*G1) CurvePoints added in v1.6.2

func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int)

CurvePoints returns p's curve points in big integer

func (*G1) Marshal added in v1.6.2

func (n *G1) Marshal() []byte

Marshal converts n to a byte slice.

func (*G1) Neg added in v1.6.2

func (e *G1) Neg(a *G1) *G1

Neg sets e to -a and then returns e.

func (*G1) ScalarBaseMult added in v1.6.2

func (e *G1) ScalarBaseMult(k *big.Int) *G1

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.

func (*G1) ScalarMult added in v1.6.2

func (e *G1) ScalarMult(a *G1, k *big.Int) *G1

ScalarMult sets e to a*k and then returns e.

func (*G1) String added in v1.6.2

func (g *G1) String() string

func (*G1) Unmarshal added in v1.6.2

func (e *G1) Unmarshal(m []byte) (*G1, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type G2

type G2 struct {
	// contains filtered or unexported fields
}

G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

func RandomG2 added in v1.6.2

func RandomG2(r io.Reader) (*big.Int, *G2, error)

RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r.

func (*G2) Add added in v1.6.2

func (e *G2) Add(a, b *G2) *G2

Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.

func (*G2) CurvePoints added in v1.6.2

func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2)

CurvePoints returns the curve points of p which includes the real and imaginary parts of the curve point.

func (*G2) Marshal added in v1.6.2

func (n *G2) Marshal() []byte

Marshal converts n into a byte slice.

func (*G2) ScalarBaseMult added in v1.6.2

func (e *G2) ScalarBaseMult(k *big.Int) *G2

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.

func (*G2) ScalarMult added in v1.6.2

func (e *G2) ScalarMult(a *G2, k *big.Int) *G2

ScalarMult sets e to a*k and then returns e.

func (*G2) String added in v1.6.2

func (g *G2) String() string

func (*G2) Unmarshal added in v1.6.2

func (e *G2) Unmarshal(m []byte) (*G2, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type GT added in v1.6.2

type GT struct {
	// contains filtered or unexported fields
}

GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

func Pair added in v1.6.2

func Pair(g1 *G1, g2 *G2) *GT

Pair calculates an Optimal Ate pairing.

Example
// This implements the tripartite Diffie-Hellman algorithm from "A One
// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

// Each of three parties, a, b and c, generate a private value.
a, _ := rand.Int(rand.Reader, Order)
b, _ := rand.Int(rand.Reader, Order)
c, _ := rand.Int(rand.Reader, Order)

// Then each party calculates g₁ and g₂ times their private value.
pa := new(G1).ScalarBaseMult(a)
qa := new(G2).ScalarBaseMult(a)

pb := new(G1).ScalarBaseMult(b)
qb := new(G2).ScalarBaseMult(b)

pc := new(G1).ScalarBaseMult(c)
qc := new(G2).ScalarBaseMult(c)

// Now each party exchanges its public values with the other two and
// all parties can calculate the shared key.
k1 := Pair(pb, qc)
k1.ScalarMult(k1, a)

k2 := Pair(pc, qa)
k2.ScalarMult(k2, b)

k3 := Pair(pa, qb)
k3.ScalarMult(k3, c)

// k1, k2 and k3 will all be equal.
Output:

func (*GT) Add added in v1.6.2

func (e *GT) Add(a, b *GT) *GT

Add sets e to a+b and then returns e.

func (*GT) Marshal added in v1.6.2

func (n *GT) Marshal() []byte

Marshal converts n into a byte slice.

func (*GT) Neg added in v1.6.2

func (e *GT) Neg(a *GT) *GT

Neg sets e to -a and then returns e.

func (*GT) ScalarMult added in v1.6.2

func (e *GT) ScalarMult(a *GT, k *big.Int) *GT

ScalarMult sets e to a*k and then returns e.

func (*GT) String added in v1.6.2

func (g *GT) String() string

func (*GT) Unmarshal added in v1.6.2

func (e *GT) Unmarshal(m []byte) (*GT, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

Notes

Bugs

  • this implementation is not constant time.

  • this function is not complete: a==b fails.

  • this function is not complete: a==b fails.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL