bw6756

package
v0.14.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 3, 2024 License: Apache-2.0 Imports: 14 Imported by: 10

Documentation

Overview

Package bw6756 efficient elliptic curve, pairing and hash to curve implementation for bw6-756.

bw6-756: A Brezing--Weng curve (2-chain with bls12-378)

embedding degree k=6
seed x₀=11045256207009841153
𝔽p: p=366325390957376286590726555727219947825377821289246188278797409783441745356050456327989347160777465284190855125642086860525706497928518803244008749360363712553766506755227344593404398783886857865261088226271336335268413437902849
𝔽r: r=605248206075306171733248481581800960739847691770924913753520744034740935903401304776283802348837311170974282940417
(E/𝔽p): Y²=X³+1
(Eₜ/𝔽p): Y² = X³+33 (M-type twist)
r ∣ #E(Fp) and r ∣ #Eₜ(𝔽p)

case t % r % x₀ = 3

Extension fields tower:

𝔽p³[u] = 𝔽p/u³-33
𝔽p⁶[v] = 𝔽p³/v²-u

optimal Ate loops:

x₀+1, x₀²-x₀-1

Security: estimated 126-bit level following [https://eprint.iacr.org/2019/885.pdf] (r is 378 bits and p⁶ is 4536 bits)

Warning

This code has not been audited and is provided as-is. In particular, there is no security guarantees such as constant time implementation or side-channel attack resistance.

Index

Constants

View Source
const ID = ecc.BW6_756

ID BW6_756 ID

View Source
const SizeOfG1AffineCompressed = 96

SizeOfG1AffineCompressed represents the size in bytes that a G1Affine need in binary form, compressed

View Source
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2

SizeOfG1AffineUncompressed represents the size in bytes that a G1Affine need in binary form, uncompressed

View Source
const SizeOfG2AffineCompressed = 96

SizeOfG2AffineCompressed represents the size in bytes that a G2Affine need in binary form, compressed

View Source
const SizeOfG2AffineUncompressed = SizeOfG2AffineCompressed * 2

SizeOfG2AffineUncompressed represents the size in bytes that a G2Affine need in binary form, uncompressed

View Source
const SizeOfGT = fptower.SizeOfGT

SizeOfGT represents the size in bytes that a GT element need in binary form

Variables

View Source
var (
	ErrInvalidInfinityEncoding = errors.New("invalid infinity point encoding")
	ErrInvalidEncoding         = errors.New("invalid point encoding")
)
View Source
var LoopCounter [191]int8

optimal Ate loop counters

View Source
var LoopCounter1 [191]int8

Functions

func CurveCoefficients added in v0.10.0

func CurveCoefficients() (a, b fp.Element)

CurveCoefficients returns the a, b coefficients of the curve equation.

func Generators

func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine)

Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)

func NoSubgroupChecks

func NoSubgroupChecks() func(*Decoder)

NoSubgroupChecks returns an option to use in NewDecoder(...) which disable subgroup checks on the points the decoder will read. Use with caution, as crafted points from an untrusted source can lead to crypto-attacks.

func PairingCheck

func PairingCheck(P []G1Affine, Q []G2Affine) (bool, error)

PairingCheck calculates the reduced pairing for a set of points and returns True if the result is One ∏ᵢ e(Pᵢ, Qᵢ) =? 1

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

func PairingCheckFixedQ added in v0.13.0

func PairingCheckFixedQ(P []G1Affine, lines [][2][len(LoopCounter) - 1]LineEvaluationAff) (bool, error)

PairingCheckFixedQ calculates the reduced pairing for a set of points and returns True if the result is One ∏ᵢ e(Pᵢ, Qᵢ) =? 1 where Q are fixed points in G2.

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

func PrecomputeLines added in v0.13.0

func PrecomputeLines(Q G2Affine) (PrecomputedLines [2][len(LoopCounter) - 1]LineEvaluationAff)

PrecomputeLines precomputes the lines for the fixed-argument Miller loop

func RawEncoding

func RawEncoding() func(*Encoder)

RawEncoding returns an option to use in NewEncoder(...) which sets raw encoding mode to true points will not be compressed using this option

Types

type Decoder

type Decoder struct {
	// contains filtered or unexported fields
}

Decoder reads bw6-756 object values from an inbound stream

func NewDecoder

func NewDecoder(r io.Reader, options ...func(*Decoder)) *Decoder

NewDecoder returns a binary decoder supporting curve bw6-756 objects in both compressed and uncompressed (raw) forms

func (*Decoder) BytesRead

func (dec *Decoder) BytesRead() int64

BytesRead return total bytes read from reader

func (*Decoder) Decode

func (dec *Decoder) Decode(v interface{}) (err error)

Decode reads the binary encoding of v from the stream type must be *uint64, *fr.Element, *fp.Element, *G1Affine, *G2Affine, *[]G1Affine or *[]G2Affine

type Encoder

type Encoder struct {
	// contains filtered or unexported fields
}

Encoder writes bw6-756 object values to an output stream

func NewEncoder

func NewEncoder(w io.Writer, options ...func(*Encoder)) *Encoder

NewEncoder returns a binary encoder supporting curve bw6-756 objects

func (*Encoder) BytesWritten

func (enc *Encoder) BytesWritten() int64

BytesWritten return total bytes written on writer

func (*Encoder) Encode

func (enc *Encoder) Encode(v interface{}) (err error)

Encode writes the binary encoding of v to the stream type must be uint64, *fr.Element, *fp.Element, *G1Affine, *G2Affine, []G1Affine or []G2Affine

type G1Affine

type G1Affine struct {
	X, Y fp.Element
}

G1Affine is a point in affine coordinates (x,y)

func BatchJacobianToAffineG1

func BatchJacobianToAffineG1(points []G1Jac) []G1Affine

BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion using the Montgomery batch inversion trick.

func BatchScalarMultiplicationG1

func BatchScalarMultiplicationG1(base *G1Affine, scalars []fr.Element) []G1Affine

BatchScalarMultiplicationG1 multiplies the same base by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF-like multiplication algorithm.

func EncodeToG1 added in v0.8.0

func EncodeToG1(msg, dst []byte) (G1Affine, error)

EncodeToG1 hashes a message to a point on the G1 curve using the SSWU map. It is faster than HashToG1, but the result is not uniformly distributed. Unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func HashToG1 added in v0.8.0

func HashToG1(msg, dst []byte) (G1Affine, error)

HashToG1 hashes a message to a point on the G1 curve using the SSWU map. Slower than EncodeToG1, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func MapToCurve1 added in v0.11.0

func MapToCurve1(u *fp.Element) G1Affine

https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-simplified-swu-method MapToCurve1 implements the SSWU map No cofactor clearing or isogeny

func MapToG1 added in v0.8.0

func MapToG1(u fp.Element) G1Affine

MapToG1 invokes the SSWU map, and guarantees that the result is in g1

func (*G1Affine) Add

func (p *G1Affine) Add(a, b *G1Affine) *G1Affine

Add adds two points in affine coordinates. It uses the Jacobian addition with a.Z=b.Z=1 and converts the result to affine coordinates.

https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl

func (*G1Affine) Bytes

func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)

Bytes returns binary representation of p will store X coordinate in regular form and a parity bit we follow the BLS12-381 style encoding as specified in ZCash and now IETF

The most significant bit, when set, indicates that the point is in compressed form. Otherwise, the point is in uncompressed form.

The second-most significant bit indicates that the point is at infinity. If this bit is set, the remaining bits of the group element's encoding should be set to zero.

The third-most significant bit is set if (and only if) this point is in compressed form and it is not the point at infinity and its y-coordinate is the lexicographically largest of the two associated with the encoded x-coordinate.

func (*G1Affine) ClearCofactor

func (p *G1Affine) ClearCofactor(a *G1Affine) *G1Affine

ClearCofactor maps a point in curve to r-torsion

func (*G1Affine) Double added in v0.11.0

func (p *G1Affine) Double(a *G1Affine) *G1Affine

Double doubles a point in affine coordinates. It converts the point to Jacobian coordinates, doubles it using Jacobian addition with a.Z=1, and converts it back to affine coordinates.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl

func (*G1Affine) Equal

func (p *G1Affine) Equal(a *G1Affine) bool

Equal tests if two points in affine coordinates are equal.

func (*G1Affine) Fold added in v0.14.0

func (p *G1Affine) Fold(points []G1Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G1Affine) FromJacobian

func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine

FromJacobian converts a point p1 from Jacobian to affine coordinates.

func (*G1Affine) IsInSubGroup

func (p *G1Affine) IsInSubGroup() bool

IsInSubGroup returns true if the affine point p is in the correct subgroup, false otherwise.

func (*G1Affine) IsInfinity

func (p *G1Affine) IsInfinity() bool

IsInfinity checks if the affine point p is infinity, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G1Affine) IsOnCurve

func (p *G1Affine) IsOnCurve() bool

IsOnCurve returns true if the affine point p in on the curve.

func (*G1Affine) Marshal

func (p *G1Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G1Affine) MultiExp

func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G1Affine) Neg

func (p *G1Affine) Neg(a *G1Affine) *G1Affine

Neg sets p to the affine negative point -a = (a.X, -a.Y).

func (*G1Affine) RawBytes

func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G1Affine) ScalarMultiplication

func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine

ScalarMultiplication computes and returns p = [s]a where p and a are affine points.

func (*G1Affine) ScalarMultiplicationBase added in v0.9.1

func (p *G1Affine) ScalarMultiplicationBase(s *big.Int) *G1Affine

ScalarMultiplicationBase computes and returns p = [s]g where g is the affine point generating the prime subgroup.

func (*G1Affine) Set

func (p *G1Affine) Set(a *G1Affine) *G1Affine

Set sets p to a in affine coordinates.

func (*G1Affine) SetBytes

func (p *G1Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes

bytes in buf must match either RawBytes() or Bytes() output

if buf is too short io.ErrShortBuffer is returned

if buf contains compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e the square root doesn't exist) this function returns an error

this check if the resulting point is on the curve and in the correct subgroup

func (*G1Affine) String

func (p *G1Affine) String() string

String returns the string representation E(x,y) of the affine point p or "O" if it is infinity.

func (*G1Affine) Sub

func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine

Sub subtracts two points in affine coordinates. It uses a similar approach to Add, but negates the second point before adding.

func (*G1Affine) Unmarshal

func (p *G1Affine) Unmarshal(buf []byte) error

Unmarshal is an alias to SetBytes()

type G1Jac

type G1Jac struct {
	X, Y, Z fp.Element
}

G1Jac is a point in Jacobian coordinates (x=X/Z², y=Y/Z³)

func (*G1Jac) AddAssign

func (p *G1Jac) AddAssign(q *G1Jac) *G1Jac

AddAssign sets p to p+a in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G1Jac) AddMixed

func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac

AddMixed sets p to p+a in Jacobian coordinates, where a.Z = 1.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G1Jac) ClearCofactor

func (p *G1Jac) ClearCofactor(q *G1Jac) *G1Jac

ClearCofactor maps a point in E(Fp) to E(Fp)[r]

func (*G1Jac) Double

func (p *G1Jac) Double(q *G1Jac) *G1Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleAssign

func (p *G1Jac) DoubleAssign() *G1Jac

DoubleAssign doubles p in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleMixed added in v0.13.0

func (p *G1Jac) DoubleMixed(a *G1Affine) *G1Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) Equal

func (p *G1Jac) Equal(q *G1Jac) bool

Equal tests if two points in Jacobian coordinates are equal.

func (*G1Jac) Fold added in v0.14.0

func (p *G1Jac) Fold(points []G1Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G1Jac) FromAffine

func (p *G1Jac) FromAffine(a *G1Affine) *G1Jac

FromAffine converts a point a from affine to Jacobian coordinates.

func (*G1Jac) IsInSubGroup

func (p *G1Jac) IsInSubGroup() bool

Z[r,0]+Z[-lambdaG1Affine, 1] is the kernel of (u,v)->u+lambdaG1Affinev mod r. Expressing r, lambdaG1Affine as polynomials in x, a short vector of this Zmodule is (x+1), (x³-x²+1). So we check that (x+1)p+(x³-x²+1)ϕ(p) is the infinity.

func (*G1Jac) IsOnCurve

func (p *G1Jac) IsOnCurve() bool

IsOnCurve returns true if the Jacobian point p in on the curve.

func (*G1Jac) JointScalarMultiplication added in v0.13.0

func (p *G1Jac) JointScalarMultiplication(a1, a2 *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplication computes [s1]a1+[s2]a2 using Strauss-Shamir technique where a1 and a2 are affine points.

func (*G1Jac) JointScalarMultiplicationBase added in v0.9.1

func (p *G1Jac) JointScalarMultiplicationBase(a *G1Affine, s1, s2 *big.Int) *G1Jac

JointScalarMultiplicationBase computes [s1]g+[s2]a using Straus-Shamir technique where g is the prime subgroup generator.

func (*G1Jac) MultiExp

func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G1Jac) Neg

func (p *G1Jac) Neg(q *G1Jac) *G1Jac

Neg sets p to the Jacobian negative point -q = (q.X, -q.Y, q.Z).

func (*G1Jac) ScalarMultiplication

func (p *G1Jac) ScalarMultiplication(q *G1Jac, s *big.Int) *G1Jac

ScalarMultiplication computes and returns p = [s]a where p and a are Jacobian points. using the GLV technique. see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G1Jac) ScalarMultiplicationBase added in v0.13.0

func (p *G1Jac) ScalarMultiplicationBase(s *big.Int) *G1Jac

ScalarMultiplicationBase computes and returns p = [s]g where g is the prime subgroup generator.

func (*G1Jac) Set

func (p *G1Jac) Set(q *G1Jac) *G1Jac

Set sets p to a in Jacobian coordinates.

func (*G1Jac) String

func (p *G1Jac) String() string

String converts p to affine coordinates and returns its string representation E(x,y) or "O" if it is infinity.

func (*G1Jac) SubAssign

func (p *G1Jac) SubAssign(q *G1Jac) *G1Jac

SubAssign sets p to p-a in Jacobian coordinates. It uses a similar approach to AddAssign, but negates the point a before adding.

type G2Affine

type G2Affine struct {
	X, Y fp.Element
}

G2Affine is a point in affine coordinates (x,y)

func BatchScalarMultiplicationG2

func BatchScalarMultiplicationG2(base *G2Affine, scalars []fr.Element) []G2Affine

BatchScalarMultiplicationG2 multiplies the same base by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF-like multiplication algorithm.

func EncodeToG2 added in v0.8.0

func EncodeToG2(msg, dst []byte) (G2Affine, error)

EncodeToG2 hashes a message to a point on the G2 curve using the SSWU map. It is faster than HashToG2, but the result is not uniformly distributed. Unsuitable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func HashToG2 added in v0.8.0

func HashToG2(msg, dst []byte) (G2Affine, error)

HashToG2 hashes a message to a point on the G2 curve using the SSWU map. Slower than EncodeToG2, but usable as a random oracle. dst stands for "domain separation tag", a string unique to the construction using the hash function https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#roadmap

func MapToCurve2 added in v0.11.0

func MapToCurve2(u *fp.Element) G2Affine

https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-simplified-swu-method MapToCurve2 implements the SSWU map No cofactor clearing or isogeny

func MapToG2 added in v0.8.0

func MapToG2(u fp.Element) G2Affine

MapToG2 invokes the SSWU map, and guarantees that the result is in g2

func RandomOnG2 added in v0.14.0

func RandomOnG2() (G2Affine, error)

RandomOnG2 produces a random point in G2 using standard map-to-curve methods, which means the relative discrete log of the generated point with respect to the canonical generator is not known.

func (*G2Affine) Add

func (p *G2Affine) Add(a, b *G2Affine) *G2Affine

Add adds two points in affine coordinates. It uses the Jacobian addition with a.Z=b.Z=1 and converts the result to affine coordinates.

https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-mmadd-2007-bl

func (*G2Affine) Bytes

func (p *G2Affine) Bytes() (res [SizeOfG2AffineCompressed]byte)

Bytes returns binary representation of p will store X coordinate in regular form and a parity bit we follow the BLS12-381 style encoding as specified in ZCash and now IETF

The most significant bit, when set, indicates that the point is in compressed form. Otherwise, the point is in uncompressed form.

The second-most significant bit indicates that the point is at infinity. If this bit is set, the remaining bits of the group element's encoding should be set to zero.

The third-most significant bit is set if (and only if) this point is in compressed form and it is not the point at infinity and its y-coordinate is the lexicographically largest of the two associated with the encoded x-coordinate.

func (*G2Affine) ClearCofactor

func (p *G2Affine) ClearCofactor(a *G2Affine) *G2Affine

ClearCofactor maps a point in curve to r-torsion

func (*G2Affine) Double added in v0.11.0

func (p *G2Affine) Double(a *G2Affine) *G2Affine

Double doubles a point in affine coordinates. It converts the point to Jacobian coordinates, doubles it using Jacobian addition with a.Z=1, and converts it back to affine coordinates.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl

func (*G2Affine) Equal

func (p *G2Affine) Equal(a *G2Affine) bool

Equal tests if two points in affine coordinates are equal.

func (*G2Affine) Fold added in v0.14.0

func (p *G2Affine) Fold(points []G2Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G2Affine) FromJacobian

func (p *G2Affine) FromJacobian(p1 *G2Jac) *G2Affine

FromJacobian converts a point p1 from Jacobian to affine coordinates.

func (*G2Affine) IsInSubGroup

func (p *G2Affine) IsInSubGroup() bool

IsInSubGroup returns true if the affine point p is in the correct subgroup, false otherwise.

func (*G2Affine) IsInfinity

func (p *G2Affine) IsInfinity() bool

IsInfinity checks if the affine point p is infinity, which is encoded as (0,0). N.B.: (0,0) is never on the curve for j=0 curves (Y²=X³+B).

func (*G2Affine) IsOnCurve

func (p *G2Affine) IsOnCurve() bool

IsOnCurve returns true if the affine point p in on the curve.

func (*G2Affine) Marshal

func (p *G2Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G2Affine) MultiExp

func (p *G2Affine) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G2Affine) Neg

func (p *G2Affine) Neg(a *G2Affine) *G2Affine

Neg sets p to the affine negative point -a = (a.X, -a.Y).

func (*G2Affine) RawBytes

func (p *G2Affine) RawBytes() (res [SizeOfG2AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G2Affine) ScalarMultiplication

func (p *G2Affine) ScalarMultiplication(a *G2Affine, s *big.Int) *G2Affine

ScalarMultiplication computes and returns p = [s]a where p and a are affine points.

func (*G2Affine) ScalarMultiplicationBase added in v0.13.0

func (p *G2Affine) ScalarMultiplicationBase(s *big.Int) *G2Affine

ScalarMultiplicationBase computes and returns p = [s]g where g is the affine point generating the prime subgroup.

func (*G2Affine) Set

func (p *G2Affine) Set(a *G2Affine) *G2Affine

Set sets p to a in affine coordinates.

func (*G2Affine) SetBytes

func (p *G2Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes

bytes in buf must match either RawBytes() or Bytes() output

if buf is too short io.ErrShortBuffer is returned

if buf contains compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e the square root doesn't exist) this function returns an error

this check if the resulting point is on the curve and in the correct subgroup

func (*G2Affine) String

func (p *G2Affine) String() string

String returns the string representation E(x,y) of the affine point p or "O" if it is infinity.

func (*G2Affine) Sub

func (p *G2Affine) Sub(a, b *G2Affine) *G2Affine

Sub subtracts two points in affine coordinates. It uses a similar approach to Add, but negates the second point before adding.

func (*G2Affine) Unmarshal

func (p *G2Affine) Unmarshal(buf []byte) error

Unmarshal is an alias to SetBytes()

type G2Jac

type G2Jac struct {
	X, Y, Z fp.Element
}

G2Jac is a point in Jacobian coordinates (x=X/Z², y=Y/Z³)

func (*G2Jac) AddAssign

func (p *G2Jac) AddAssign(q *G2Jac) *G2Jac

AddAssign sets p to p+a in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G2Jac) AddMixed

func (p *G2Jac) AddMixed(a *G2Affine) *G2Jac

AddMixed sets p to p+a in Jacobian coordinates, where a.Z = 1.

http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G2Jac) ClearCofactor

func (p *G2Jac) ClearCofactor(q *G2Jac) *G2Jac

ClearCofactor maps a point in curve to r-torsion

func (*G2Jac) Double

func (p *G2Jac) Double(q *G2Jac) *G2Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) DoubleAssign

func (p *G2Jac) DoubleAssign() *G2Jac

DoubleAssign doubles p in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) DoubleMixed added in v0.13.0

func (p *G2Jac) DoubleMixed(a *G2Affine) *G2Jac

Double sets p to [2]q in Jacobian coordinates.

https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) Equal

func (p *G2Jac) Equal(q *G2Jac) bool

Equal tests if two points in Jacobian coordinates are equal.

func (*G2Jac) Fold added in v0.14.0

func (p *G2Jac) Fold(points []G2Affine, combinationCoeff fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)

Fold computes the multi-exponentiation \sum_{i=0}^{len(points)-1} points[i] * combinationCoeff^i and stores the result in p. It returns error in case configuration is invalid.

func (*G2Jac) FromAffine

func (p *G2Jac) FromAffine(a *G2Affine) *G2Jac

FromAffine converts a point a from affine to Jacobian coordinates.

func (*G2Jac) IsInSubGroup

func (p *G2Jac) IsInSubGroup() bool

Z[r,0]+Z[-lambdaG2Affine, 1] is the kernel of (u,v)->u+lambdaG2Affinev mod r. Expressing r, lambdaG2Affine as polynomials in x, a short vector of this Zmodule is (x+1), (x³-x²+1). So we check that (x+1)p+(x³-x²+1)ϕ(p) is the infinity.

func (*G2Jac) IsOnCurve

func (p *G2Jac) IsOnCurve() bool

IsOnCurve returns true if the Jacobian point p in on the curve.

func (*G2Jac) MultiExp

func (p *G2Jac) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

This call return an error if len(scalars) != len(points) or if provided config is invalid.

func (*G2Jac) Neg

func (p *G2Jac) Neg(q *G2Jac) *G2Jac

Neg sets p to the Jacobian negative point -q = (q.X, -q.Y, q.Z).

func (*G2Jac) ScalarMultiplication

func (p *G2Jac) ScalarMultiplication(q *G2Jac, s *big.Int) *G2Jac

ScalarMultiplication computes and returns p = [s]a where p and a are Jacobian points. using the GLV technique. see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G2Jac) ScalarMultiplicationBase added in v0.13.0

func (p *G2Jac) ScalarMultiplicationBase(s *big.Int) *G2Jac

ScalarMultiplicationBase computes and returns p = [s]g where g is the prime subgroup generator.

func (*G2Jac) Set

func (p *G2Jac) Set(q *G2Jac) *G2Jac

Set sets p to a in Jacobian coordinates.

func (*G2Jac) String

func (p *G2Jac) String() string

String converts p to affine coordinates and returns its string representation E(x,y) or "O" if it is infinity.

func (*G2Jac) SubAssign

func (p *G2Jac) SubAssign(q *G2Jac) *G2Jac

SubAssign sets p to p-a in Jacobian coordinates. It uses a similar approach to AddAssign, but negates the point a before adding.

type GT

type GT = fptower.E6

GT target group of the pairing

func FinalExponentiation

func FinalExponentiation(z *GT, _z ...*GT) GT

FinalExponentiation computes the exponentiation (∏ᵢ zᵢ)ᵈ where d = (p^6-1)/r = (p^6-1)/Φ_6(p) ⋅ Φ_6(p)/r = (p^3-1)(p+1)(p^2 - p +1)/r we use instead d=s ⋅ (p^3-1)(p+1)(p^2 - p +1)/r where s is the cofactor (x_0+1) (El Housni and Guillevic)

func MillerLoop

func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error)

MillerLoop computes the multi-Miller loop ∏ᵢ MillerLoop(Pᵢ, Qᵢ) = ∏ᵢ { fᵢ_{x₀+1+λ(x₀³-x₀²-x₀),Qᵢ}(Pᵢ) }

Alg.2 in https://eprint.iacr.org/2021/1359.pdf Eq. (6') in https://hackmd.io/@gnark/BW6-761-changes

func MillerLoopFixedQ added in v0.13.0

func MillerLoopFixedQ(P []G1Affine, lines [][2][len(LoopCounter) - 1]LineEvaluationAff) (GT, error)

MillerLoopFixedQ computes the multi-Miller loop as in MillerLoop but Qᵢ are fixed points in G2 known in advance.

func Pair

func Pair(P []G1Affine, Q []G2Affine) (GT, error)

Pair calculates the reduced pairing for a set of points ∏ᵢ e(Pᵢ, Qᵢ).

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

func PairFixedQ added in v0.13.0

func PairFixedQ(P []G1Affine, lines [][2][len(LoopCounter) - 1]LineEvaluationAff) (GT, error)

PairFixedQ calculates the reduced pairing for a set of points ∏ᵢ e(Pᵢ, Qᵢ) where Q are fixed points in G2.

This function doesn't check that the inputs are in the correct subgroup. See IsInSubGroup.

type LineEvaluationAff added in v0.13.0

type LineEvaluationAff struct {
	R0 fp.Element
	R1 fp.Element
}

Directories

Path Synopsis
Package ecdsa provides ECDSA signature scheme on the bw6-756 curve.
Package ecdsa provides ECDSA signature scheme on the bw6-756 curve.
fp
Package fp contains field arithmetic operations for modulus = 0xf76adb...000001.
Package fp contains field arithmetic operations for modulus = 0xf76adb...000001.
hash_to_field
Package htf provides hasher based on RFC 9380 Section 5.
Package htf provides hasher based on RFC 9380 Section 5.
fr
Package fr contains field arithmetic operations for modulus = 0x3eeb04...000001.
Package fr contains field arithmetic operations for modulus = 0x3eeb04...000001.
fft
Package fft provides in-place discrete Fourier transform on powers-of-two subgroups of 𝔽ᵣˣ (the multiplicative group (ℤ/rℤ, x) ).
Package fft provides in-place discrete Fourier transform on powers-of-two subgroups of 𝔽ᵣˣ (the multiplicative group (ℤ/rℤ, x) ).
fri
Package fri provides the FRI (multiplicative) commitment scheme.
Package fri provides the FRI (multiplicative) commitment scheme.
gkr
hash_to_field
Package htf provides hasher based on RFC 9380 Section 5.
Package htf provides hasher based on RFC 9380 Section 5.
iop
Package iop provides an API to computations common to iop backends (permutation, quotient).
Package iop provides an API to computations common to iop backends (permutation, quotient).
mimc
Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
pedersen
Package pedersen allows to compute and verify Pedersen vector commitments
Package pedersen allows to compute and verify Pedersen vector commitments
permutation
Package permutation provides an API to build permutation proofs.
Package permutation provides an API to build permutation proofs.
plookup
Package plookup provides an API to build plookup proofs.
Package plookup provides an API to build plookup proofs.
polynomial
Package polynomial provides polynomial methods and commitment schemes.
Package polynomial provides polynomial methods and commitment schemes.
internal
Package kzg provides a KZG commitment scheme.
Package kzg provides a KZG commitment scheme.
Package twistededwards provides bw6-756's twisted edwards "companion curve" defined on fr.
Package twistededwards provides bw6-756's twisted edwards "companion curve" defined on fr.
eddsa
Package eddsa provides EdDSA signature scheme on bw6-756's twisted edwards curve.
Package eddsa provides EdDSA signature scheme on bw6-756's twisted edwards curve.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL