Documentation
Overview
Package bn254 provides an efficient elliptic curve and pairing implementation for bn254.
Index
- Constants
- func BatchJacobianToAffineG1(points []G1Jac, result []G1Affine)
- func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine)
- func PairingCheck(P []G1Affine, Q []G2Affine) (bool, error)
- func RawEncoding() func(*Encoder)
- type Decoder
- type Encoder
- type G1Affine
- func (p *G1Affine) Add(a, b *G1Affine) *G1Affine
- func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)
- func (p *G1Affine) Equal(a *G1Affine) bool
- func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine
- func (p *G1Affine) IsInSubGroup() bool
- func (p *G1Affine) IsInfinity() bool
- func (p *G1Affine) IsOnCurve() bool
- func (p *G1Affine) Marshal() []byte
- func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)
- func (p *G1Affine) Neg(a *G1Affine) *G1Affine
- func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)
- func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine
- func (p *G1Affine) Set(a *G1Affine) *G1Affine
- func (p *G1Affine) SetBytes(buf []byte) (int, error)
- func (p *G1Affine) String() string
- func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine
- func (p *G1Affine) Unmarshal(buf []byte) error
- type G1Jac
- func (p *G1Jac) AddAssign(a *G1Jac) *G1Jac
- func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac
- func (p *G1Jac) Double(q *G1Jac) *G1Jac
- func (p *G1Jac) DoubleAssign() *G1Jac
- func (p *G1Jac) Equal(a *G1Jac) bool
- func (p *G1Jac) FromAffine(Q *G1Affine) *G1Jac
- func (p *G1Jac) IsInSubGroup() bool
- func (p *G1Jac) IsOnCurve() bool
- func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)
- func (p *G1Jac) Neg(a *G1Jac) *G1Jac
- func (p *G1Jac) ScalarMultiplication(a *G1Jac, s *big.Int) *G1Jac
- func (p *G1Jac) Set(a *G1Jac) *G1Jac
- func (p *G1Jac) String() string
- func (p *G1Jac) SubAssign(a *G1Jac) *G1Jac
- type G2Affine
- func (p *G2Affine) Add(a, b *G2Affine) *G2Affine
- func (p *G2Affine) Bytes() (res [SizeOfG2AffineCompressed]byte)
- func (p *G2Affine) ClearCofactor(a *G2Affine) *G2Affine
- func (p *G2Affine) Equal(a *G2Affine) bool
- func (p *G2Affine) FromJacobian(p1 *G2Jac) *G2Affine
- func (p *G2Affine) IsInSubGroup() bool
- func (p *G2Affine) IsInfinity() bool
- func (p *G2Affine) IsOnCurve() bool
- func (p *G2Affine) Marshal() []byte
- func (p *G2Affine) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)
- func (p *G2Affine) Neg(a *G2Affine) *G2Affine
- func (p *G2Affine) RawBytes() (res [SizeOfG2AffineUncompressed]byte)
- func (p *G2Affine) ScalarMultiplication(a *G2Affine, s *big.Int) *G2Affine
- func (p *G2Affine) Set(a *G2Affine) *G2Affine
- func (p *G2Affine) SetBytes(buf []byte) (int, error)
- func (p *G2Affine) String() string
- func (p *G2Affine) Sub(a, b *G2Affine) *G2Affine
- func (p *G2Affine) Unmarshal(buf []byte) error
- type G2Jac
- func (p *G2Jac) AddAssign(a *G2Jac) *G2Jac
- func (p *G2Jac) AddMixed(a *G2Affine) *G2Jac
- func (p *G2Jac) ClearCofactor(a *G2Jac) *G2Jac
- func (p *G2Jac) Double(q *G2Jac) *G2Jac
- func (p *G2Jac) DoubleAssign() *G2Jac
- func (p *G2Jac) Equal(a *G2Jac) bool
- func (p *G2Jac) FromAffine(Q *G2Affine) *G2Jac
- func (p *G2Jac) IsInSubGroup() bool
- func (p *G2Jac) IsOnCurve() bool
- func (p *G2Jac) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)
- func (p *G2Jac) Neg(a *G2Jac) *G2Jac
- func (p *G2Jac) ScalarMultiplication(a *G2Jac, s *big.Int) *G2Jac
- func (p *G2Jac) Set(a *G2Jac) *G2Jac
- func (p *G2Jac) String() string
- func (p *G2Jac) SubAssign(a *G2Jac) *G2Jac
- type GT
Constants
const ID = ecc.BN254
ID is the bn254 curve ID.
const SizeOfG1AffineCompressed = 32
SizeOfG1AffineCompressed is the size in bytes of a G1Affine in compressed binary form.
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2
SizeOfG1AffineUncompressed is the size in bytes of a G1Affine in uncompressed binary form.
const SizeOfG2AffineCompressed = 32 * 2
SizeOfG2AffineCompressed is the size in bytes of a G2Affine in compressed binary form.
const SizeOfG2AffineUncompressed = SizeOfG2AffineCompressed * 2
SizeOfG2AffineUncompressed is the size in bytes of a G2Affine in uncompressed binary form.
const SizeOfGT = fptower.SizeOfGT
SizeOfGT is the size in bytes of a GT element in binary form.
Variables
This section is empty.
Functions
func BatchJacobianToAffineG1 (added in v0.5.0)
BatchJacobianToAffineG1 converts points in Jacobian coordinates to affine coordinates using a single field inversion (Montgomery batch inversion trick). result must be allocated with len(result) == len(points).
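As an added example, not the package's own code, the Montgomery batch inversion trick that BatchJacobianToAffineG1 relies on, written over math/big: a forward pass accumulates prefix products of the Z coordinates, a single ModInverse is performed, and a backward pass peels off each 1/Z_i and rescales (X, Y, Z) to (X/Z^2, Y/Z^3). Points at infinity (Z = 0) are left out of the product and mapped to (0,0); the G1Jac/G1Affine types are minimal stand-ins assumed by this example, and the modulus is the standard bn254 base-field prime.

```go
package main

import (
	"errors"
	"math/big"
)

// Standard bn254 base-field modulus p, supplied in full for this example.
var p, _ = new(big.Int).SetString("30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47", 16)
// Minimal point types assumed by this example (not the package's own).
type G1Jac struct{ X, Y, Z *big.Int }
type G1Affine struct{ X, Y *big.Int }
// mulmod returns a*b mod p.
func mulmod(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }

// BatchJacobianToAffine converts every point with a single field inversion:
// forward pass accumulates prefix products of the Z's, one ModInverse, then the
// backward pass recovers each 1/Z_i as inv(Z_1..Z_i) * (Z_1..Z_{i-1}).
func BatchJacobianToAffine(points []G1Jac, result []G1Affine) error {
	if len(result) != len(points) {
		return errors.New("result must be allocated with len(result) == len(points)")
	}
	prefix := make([]*big.Int, len(points))
	acc := big.NewInt(1)
	for i, pt := range points {
		if pt.Z.Sign() != 0 { // infinity (Z = 0) contributes nothing to the product
			acc = mulmod(acc, pt.Z)
		}
		prefix[i] = acc
	}
	inv := new(big.Int).ModInverse(acc, p) // the only inversion in the whole batch
	if inv == nil {
		return errors.New("a Z coordinate is zero mod p but not encoded as infinity")
	}
	for i := len(points) - 1; i >= 0; i-- {
		if points[i].Z.Sign() == 0 {
			result[i] = G1Affine{X: new(big.Int), Y: new(big.Int)} // affine infinity is (0,0)
			continue
		}
		prev := big.NewInt(1)
		if i > 0 {
			prev = prefix[i-1]
		}
		zInv := mulmod(inv, prev)      // 1/Z_i
		inv = mulmod(inv, points[i].Z) // now inv(Z_1..Z_{i-1}) for the next iteration
		zInv2 := mulmod(zInv, zInv)
		result[i] = G1Affine{X: mulmod(points[i].X, zInv2), Y: mulmod(points[i].Y, mulmod(zInv2, zInv))}
	}
	return nil
}
```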
func Generators
Generators returns the generators of the r-torsion group, in ker(pi-id) and ker(Tr) respectively.
func PairingCheck
PairingCheck calculates the reduced pairing for a set of points and returns true if the result is one.
func RawEncoding
func RawEncoding() func(*Encoder)
RawEncoding returns an option for NewEncoder(...) that sets raw encoding mode to true; points are not compressed with this option.
Types
type Decoder
type Decoder struct {
// contains filtered or unexported fields
}
Decoder reads bn254 object values from an inbound stream.
func NewDecoder
NewDecoder returns a binary decoder supporting curve bn254 objects in both compressed and uncompressed (raw) forms.
type Encoder
type Encoder struct {
// contains filtered or unexported fields
}
Encoder writes bn254 object values to an output stream.
func NewEncoder
NewEncoder returns a binary encoder supporting curve bn254 objects.
func (*Encoder) BytesWritten
BytesWritten returns the total number of bytes written to the underlying writer.
type G1Affine
G1Affine is a point in affine coordinates.
func BatchScalarMultiplicationG1
BatchScalarMultiplicationG1 multiplies the same base (generator) by all scalars and returns the resulting points in affine coordinates. It uses a simple windowed-NAF-like exponentiation algorithm.
func EncodeToCurveG1Svdw
EncodeToCurveG1Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.2
func HashToCurveG1Svdw
HashToCurveG1Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-3
func MapToCurveG1Svdw
MapToCurveG1Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.1
func (*G1Affine) Add (added in v0.5.0)
Add adds two points in affine coordinates. This should rarely be used as it is very inefficient compared to Jacobian addition. TODO: implement the affine addition formula.
func (*G1Affine) Bytes
func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)
Bytes returns the binary representation of p. It stores the X coordinate in regular form and a parity bit. As we have fewer than 3 bits available in our coordinate, we can't follow the BLS12-381 style encoding (ZCash/IETF); we use the 2 most significant bits instead:
- 00 -> uncompressed
- 10 -> compressed, use the lexicographically smallest square root of Y^2
- 11 -> compressed, use the lexicographically largest square root of Y^2
- 01 -> compressed infinity point
The "uncompressed infinity point" is just 00 (uncompressed) followed by zeroes (infinity = (0,0) in affine coordinates).
func (*G1Affine) FromJacobian
FromJacobian rescales a point in Jacobian coordinates to the z=1 plane.
func (*G1Affine) IsInSubGroup
IsInSubGroup returns true if p is in the correct subgroup, false otherwise.
func (*G1Affine) IsInfinity
IsInfinity checks if the point is infinity (in affine coordinates it is encoded as (0,0)).
func (*G1Affine) MultiExp
func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)
MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf
func (*G1Affine) RawBytes
func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)
RawBytes returns the binary representation of p (stores the X and Y coordinates); see Bytes() for a compressed representation.
func (*G1Affine) ScalarMultiplication
ScalarMultiplication computes and returns p = a*s.
func (*G1Affine) SetBytes
SetBytes sets p from the binary representation in buf and returns the number of consumed bytes. The bytes in buf must match either RawBytes() or Bytes() output. If buf is too short, io.ErrShortBuffer is returned. If buf contains a compressed representation (output from Bytes()) and the Y coordinate cannot be computed (i.e. the square root doesn't exist), this function returns an error. It also checks that the resulting point is on the curve and in the correct subgroup.
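As an added example, not code from the package, a stand-alone decoder for the G1 layout described under Bytes() and SetBytes(), written against math/big so it runs without the library: it applies the two mode bits, returns io.ErrShortBuffer on a short buffer, rejects a compressed X whose x^3 + 3 has no square root, and refuses any decoded point that is not on the curve (which, per G1Jac.IsInSubGroup below, is the whole subgroup check for bn254 G1). DecodeG1 and rhs are names chosen for this example; the modulus is the standard bn254 base-field prime written out in full.

```go
package main

import (
	"errors"
	"io"
	"math/big"
)

// Standard bn254 base-field modulus p (the full value behind the "0x30644e...7cfd47" prefix shown above).
var p, _ = new(big.Int).SetString("30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47", 16)

// rhs returns x^3 + 3 mod p, the right-hand side of the bn254 curve equation y^2 = x^3 + 3.
func rhs(x *big.Int) *big.Int {
	r := new(big.Int).Exp(x, big.NewInt(3), p)
	return r.Mod(r.Add(r, big.NewInt(3)), p)
}

// DecodeG1 parses a G1Affine point in the Bytes()/RawBytes() layout (mode in the two most
// significant bits of byte 0) and returns x, y and the bytes consumed; infinity decodes to (0,0).
func DecodeG1(buf []byte) (x, y *big.Int, n int, err error) {
	if len(buf) < 32 || buf[0]>>6 == 0b00 && len(buf) < 64 {
		return nil, nil, 0, io.ErrShortBuffer
	}
	switch mask := buf[0] >> 6; mask {
	case 0b00: // uncompressed: X || Y, 32 big-endian bytes each
		x, y, n = new(big.Int).SetBytes(buf[:32]), new(big.Int).SetBytes(buf[32:64]), 64
		if x.Sign() == 0 && y.Sign() == 0 {
			return x, y, n, nil // "uncompressed infinity": 00 followed by zeroes
		}
	case 0b01: // compressed infinity: the mode bits followed by zeroes
		if buf[0]&0x3f != 0 || new(big.Int).SetBytes(buf[1:32]).Sign() != 0 {
			return nil, nil, 0, errors.New("malformed infinity encoding")
		}
		return new(big.Int), new(big.Int), 32, nil
	default: // 10 or 11: X only, Y is recovered as a square root of x^3 + 3
		xb := append([]byte(nil), buf[:32]...)
		xb[0] &= 0x3f // strip the mode bits before reading X
		x, n = new(big.Int).SetBytes(xb), 32
		if y = new(big.Int).ModSqrt(rhs(x), p); y == nil {
			return nil, nil, 0, errors.New("x^3 + 3 has no square root: Y cannot be recovered")
		}
		if other := new(big.Int).Sub(p, y); (mask == 0b10) == (y.Cmp(other) > 0) {
			y = other // 10 selects the lexicographically smallest root, 11 the largest
		}
	}
	if x.Cmp(p) >= 0 || y.Cmp(p) >= 0 || new(big.Int).Exp(y, big.NewInt(2), p).Cmp(rhs(x)) != 0 {
		return nil, nil, 0, errors.New("point is not a reduced point on the curve")
	}
	return x, y, n, nil
}
```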
type G1Jac
G1Jac is a point with fp.Element coordinates.
func (*G1Jac) AddAssign
AddAssign performs point addition in Montgomery form: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl
func (*G1Jac) AddMixed
AddMixed performs mixed point addition: http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl
func (*G1Jac) Double
Double doubles a point in Jacobian coordinates: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G1Jac) DoubleAssign
DoubleAssign doubles a point in Jacobian coordinates: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G1Jac) FromAffine
FromAffine sets p = Q, with p in Jacobian and Q in affine coordinates.
func (*G1Jac) IsInSubGroup
IsInSubGroup returns true if p is in the r-torsion, false otherwise. For BN curves, the r-torsion in E(Fp) is the full group, so we just check that the point is on the curve.
func (*G1Jac) MultiExp
func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)
MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf
func (*G1Jac) ScalarMultiplication
ScalarMultiplication computes and returns p = a*s; see https://www.iacr.org/archive/crypto2001/21390189.pdf
type G2Affine
G2Affine is a point in affine coordinates.
func BatchScalarMultiplicationG2
BatchScalarMultiplicationG2 multiplies the same base (generator) by all scalars and returns the resulting points in affine coordinates. It uses a simple windowed-NAF-like exponentiation algorithm.
func EncodeToCurveG2Svdw
EncodeToCurveG2Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.2
func HashToCurveG2Svdw
HashToCurveG2Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-3
func MapToCurveG2Svdw
MapToCurveG2Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.1
func (*G2Affine) Add (added in v0.5.0)
Add adds two points in affine coordinates. This should rarely be used as it is very inefficient compared to Jacobian addition. TODO: implement the affine addition formula.
func (*G2Affine) Bytes
func (p *G2Affine) Bytes() (res [SizeOfG2AffineCompressed]byte)
Bytes returns the binary representation of p. It stores the X coordinate in regular form and a parity bit. As we have fewer than 3 bits available in our coordinate, we can't follow the BLS12-381 style encoding (ZCash/IETF); we use the 2 most significant bits instead:
- 00 -> uncompressed
- 10 -> compressed, use the lexicographically smallest square root of Y^2
- 11 -> compressed, use the lexicographically largest square root of Y^2
- 01 -> compressed infinity point
The "uncompressed infinity point" is just 00 (uncompressed) followed by zeroes (infinity = (0,0) in affine coordinates).
func (*G2Affine) ClearCofactor
ClearCofactor maps a point on the curve to the r-torsion.
func (*G2Affine) FromJacobian
FromJacobian rescales a point in Jacobian coordinates to the z=1 plane.
func (*G2Affine) IsInSubGroup
IsInSubGroup returns true if p is in the correct subgroup, false otherwise.
func (*G2Affine) IsInfinity
IsInfinity checks if the point is infinity (in affine coordinates it is encoded as (0,0)).
func (*G2Affine) MultiExp
func (p *G2Affine) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)
MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf
func (*G2Affine) RawBytes
func (p *G2Affine) RawBytes() (res [SizeOfG2AffineUncompressed]byte)
RawBytes returns the binary representation of p (stores the X and Y coordinates); see Bytes() for a compressed representation.
func (*G2Affine) ScalarMultiplication
ScalarMultiplication computes and returns p = a*s.
func (*G2Affine) SetBytes
SetBytes sets p from the binary representation in buf and returns the number of consumed bytes. The bytes in buf must match either RawBytes() or Bytes() output. If buf is too short, io.ErrShortBuffer is returned. If buf contains a compressed representation (output from Bytes()) and the Y coordinate cannot be computed (i.e. the square root doesn't exist), this function returns an error. It also checks that the resulting point is on the curve and in the correct subgroup.
type G2Jac
G2Jac is a point with fptower.E2 coordinates.
func (*G2Jac) AddAssign
AddAssign performs point addition in Montgomery form: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl
func (*G2Jac) AddMixed
AddMixed performs mixed point addition: http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl
func (*G2Jac) ClearCofactor
ClearCofactor maps a point on the curve to the r-torsion.
func (*G2Jac) Double
Double doubles a point in Jacobian coordinates: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G2Jac) DoubleAssign
DoubleAssign doubles a point in Jacobian coordinates: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl
func (*G2Jac) FromAffine
FromAffine sets p = Q, with p in Jacobian and Q in affine coordinates.
func (*G2Jac) IsInSubGroup
IsInSubGroup returns true if p is in the r-torsion, false otherwise. Z[r,0]+Z[-lambda, 1] is the kernel of (u,v) -> u+lambda*v mod r. Expressing r and lambda as polynomials in x, a short vector of this Z-module is (4x+2, -12x**2+4x). So we check that (4x+2)p + (-12x**2+4x)phi(p) is the point at infinity.
func (*G2Jac) MultiExp
func (p *G2Jac) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)
MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf
func (*G2Jac) ScalarMultiplication
ScalarMultiplication computes and returns p = a*s; see https://www.iacr.org/archive/crypto2001/21390189.pdf
type GT
GT is the target group of the pairing.
func FinalExponentiation
FinalExponentiation computes the final exponentiation x**((p**6-1)(p**2+1)(p**4-p**2+1)/r).
Source Files
Directories
Path | Synopsis
---|---
fp | Package fp contains field arithmetic operations for modulus = 0x30644e...7cfd47.
fr | Package fr contains field arithmetic operations for modulus = 0x30644e...000001.
fft | Package fft provides in-place discrete Fourier transform.
kzg | Package kzg provides a KZG commitment scheme.
mimc | Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
polynomial | Package polynomial provides polynomial methods and commitment schemes.
internal |
twistededwards | Package twistededwards provides bn254's twisted edwards "companion curve" defined on fr.
eddsa | Package eddsa provides EdDSA signature scheme on bn254's twisted edwards curve.