bw6756

package
v0.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 25, 2022 License: Apache-2.0 Imports: 13 Imported by: 10

Documentation

Overview

Package bw6756 efficient elliptic curve and pairing implementation for bw6-756.

Index

Constants

View Source 
const ID = ecc.BW6_756

ID BW6_756 ID

View Source 
const SizeOfG1AffineCompressed = 96

SizeOfG1AffineCompressed represents the size in bytes that a G1Affine need in binary form, compressed

View Source 
const SizeOfG1AffineUncompressed = SizeOfG1AffineCompressed * 2

SizeOfG1AffineUncompressed represents the size in bytes that a G1Affine need in binary form, uncompressed

View Source 
const SizeOfG2AffineCompressed = 96

SizeOfG2AffineCompressed represents the size in bytes that a G2Affine need in binary form, compressed

View Source 
const SizeOfG2AffineUncompressed = SizeOfG2AffineCompressed * 2

SizeOfG2AffineUncompressed represents the size in bytes that a G2Affine need in binary form, uncompressed

View Source 
const SizeOfGT = fptower.SizeOfGT

SizeOfGT represents the size in bytes that a GT element need in binary form

Variables

This section is empty.

Functions

func BatchJacobianToAffineG1 

func BatchJacobianToAffineG1(points []G1Jac, result []G1Affine)

BatchJacobianToAffineG1 converts points in Jacobian coordinates to Affine coordinates performing a single field inversion (Montgomery batch inversion trick) result must be allocated with len(result) == len(points)

func BatchProjectiveToAffineG1 

func BatchProjectiveToAffineG1(points []g1Proj, result []G1Affine)

BatchProjectiveToAffineG1 converts points in Projective coordinates to Affine coordinates performing a single field inversion (Montgomery batch inversion trick) result must be allocated with len(result) == len(points)

func Generators 

func Generators() (g1Jac G1Jac, g2Jac G2Jac, g1Aff G1Affine, g2Aff G2Affine)

Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)

func NoSubgroupChecks 

func NoSubgroupChecks() func(*Decoder)

NoSubgroupChecks returns an option to use in NewDecoder(...) which disable subgroup checks on the points the decoder will read. Use with caution, as crafted points from an untrusted source can lead to crypto-attacks.

func PairingCheck 

func PairingCheck(P []G1Affine, Q []G2Affine) (bool, error)

PairingCheck calculates the reduced pairing for a set of points and returns True if the result is One

func RawEncoding 

func RawEncoding() func(*Encoder)

RawEncoding returns an option to use in NewEncoder(...) which sets raw encoding mode to true points will not be compressed using this option

Types

type Decoder 

type Decoder struct {
	// contains filtered or unexported fields
}

Decoder reads bw6-756 object values from an inbound stream

func NewDecoder 

func NewDecoder(r io.Reader, options ...func(*Decoder)) *Decoder

NewDecoder returns a binary decoder supporting curve bw6-756 objects in both compressed and uncompressed (raw) forms

func (*Decoder) BytesRead 

func (dec *Decoder) BytesRead() int64

BytesRead return total bytes read from reader

func (*Decoder) Decode 

func (dec *Decoder) Decode(v interface{}) (err error)

Decode reads the binary encoding of v from the stream type must be *uint64, *fr.Element, *fp.Element, *G1Affine, *G2Affine, *[]G1Affine or *[]G2Affine

type Encoder 

type Encoder struct {
	// contains filtered or unexported fields
}

Encoder writes bw6-756 object values to an output stream

func NewEncoder 

func NewEncoder(w io.Writer, options ...func(*Encoder)) *Encoder

NewEncoder returns a binary encoder supporting curve bw6-756 objects

func (*Encoder) BytesWritten 

func (enc *Encoder) BytesWritten() int64

BytesWritten return total bytes written on writer

func (*Encoder) Encode 

func (enc *Encoder) Encode(v interface{}) (err error)

Encode writes the binary encoding of v to the stream type must be uint64, *fr.Element, *fp.Element, *G1Affine, *G2Affine, []G1Affine or []G2Affine

type G1Affine 

type G1Affine struct {
	X, Y fp.Element
}

G1Affine point in affine coordinates

func BatchScalarMultiplicationG1 

func BatchScalarMultiplicationG1(base *G1Affine, scalars []fr.Element) []G1Affine

BatchScalarMultiplicationG1 multiplies the same base (generator) by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF like exponentiation algorithm

func EncodeToCurveG1SSWU 

func EncodeToCurveG1SSWU(msg, dst []byte) (G1Affine, error)

EncodeToCurveG1SSWU maps a fp.Element to a point on the curve using the Simplified Shallue and van de Woestijne Ulas map https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/13/#section-6.6.3

func EncodeToCurveG1Svdw 

func EncodeToCurveG1Svdw(msg, dst []byte) (G1Affine, error)

EncodeToCurveG1Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.2

func HashToCurveG1SSWU 

func HashToCurveG1SSWU(msg, dst []byte) (G1Affine, error)

HashToCurveG1SSWU hashes a byte string to the G1 curve. Usable as a random oracle. https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-3

func HashToCurveG1Svdw 

func HashToCurveG1Svdw(msg, dst []byte) (G1Affine, error)

HashToCurveG1Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-3

func MapToCurveG1Svdw 

func MapToCurveG1Svdw(t fp.Element) G1Affine

MapToCurveG1Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.1

func (*G1Affine) Add 

func (p *G1Affine) Add(a, b *G1Affine) *G1Affine

Add adds two point in affine coordinates. This should rarely be used as it is very inneficient compared to Jacobian TODO implement affine addition formula

func (*G1Affine) Bytes 

func (p *G1Affine) Bytes() (res [SizeOfG1AffineCompressed]byte)

Bytes returns binary representation of p will store X coordinate in regular form and a parity bit we follow the BLS12-381 style encoding as specified in ZCash and now IETF The most significant bit, when set, indicates that the point is in compressed form. Otherwise, the point is in uncompressed form. The second-most significant bit indicates that the point is at infinity. If this bit is set, the remaining bits of the group element's encoding should be set to zero. The third-most significant bit is set if (and only if) this point is in compressed form and it is not the point at infinity and its y-coordinate is the lexicographically largest of the two associated with the encoded x-coordinate.

func (*G1Affine) ClearCofactor 

func (p *G1Affine) ClearCofactor(a *G1Affine) *G1Affine

ClearCofactor maps a point in curve to r-torsion

func (*G1Affine) Equal 

func (p *G1Affine) Equal(a *G1Affine) bool

Equal tests if two points (in Affine coordinates) are equal

func (*G1Affine) FromJacobian 

func (p *G1Affine) FromJacobian(p1 *G1Jac) *G1Affine

FromJacobian rescale a point in Jacobian coord in z=1 plane

func (*G1Affine) IsInSubGroup 

func (p *G1Affine) IsInSubGroup() bool

IsInSubGroup returns true if p is in the correct subgroup, false otherwise

func (*G1Affine) IsInfinity 

func (p *G1Affine) IsInfinity() bool

IsInfinity checks if the point is infinity (in affine, it's encoded as (0,0))

func (*G1Affine) IsOnCurve 

func (p *G1Affine) IsOnCurve() bool

IsOnCurve returns true if p in on the curve

func (*G1Affine) Marshal 

func (p *G1Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G1Affine) MultiExp 

func (p *G1Affine) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

func (*G1Affine) Neg 

func (p *G1Affine) Neg(a *G1Affine) *G1Affine

Neg computes -G

func (*G1Affine) RawBytes 

func (p *G1Affine) RawBytes() (res [SizeOfG1AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G1Affine) ScalarMultiplication 

func (p *G1Affine) ScalarMultiplication(a *G1Affine, s *big.Int) *G1Affine

ScalarMultiplication computes and returns p = a*s

func (*G1Affine) Set 

func (p *G1Affine) Set(a *G1Affine) *G1Affine

Set sets p to the provided point

func (*G1Affine) SetBytes 

func (p *G1Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes bytes in buf must match either RawBytes() or Bytes() output if buf is too short io.ErrShortBuffer is returned if buf contains compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e the square root doesn't exist) this function retunrs an error this check if the resulting point is on the curve and in the correct subgroup

func (*G1Affine) String 

func (p *G1Affine) String() string

func (*G1Affine) Sub 

func (p *G1Affine) Sub(a, b *G1Affine) *G1Affine

Sub subs two point in affine coordinates. This should rarely be used as it is very inneficient compared to Jacobian TODO implement affine addition formula

func (*G1Affine) Unmarshal 

func (p *G1Affine) Unmarshal(buf []byte) error

Unmarshal is an allias to SetBytes()

type G1Jac 

type G1Jac struct {
	X, Y, Z fp.Element
}

G1Jac is a point with fp.Element coordinates

func (*G1Jac) AddAssign 

func (p *G1Jac) AddAssign(a *G1Jac) *G1Jac

AddAssign point addition in montgomery form https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G1Jac) AddMixed 

func (p *G1Jac) AddMixed(a *G1Affine) *G1Jac

AddMixed point addition http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G1Jac) ClearCofactor 

func (p *G1Jac) ClearCofactor(a *G1Jac) *G1Jac

ClearCofactor maps a point in E(Fp) to E(Fp)[r]

func (*G1Jac) Double 

func (p *G1Jac) Double(q *G1Jac) *G1Jac

Double doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) DoubleAssign 

func (p *G1Jac) DoubleAssign() *G1Jac

DoubleAssign doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G1Jac) Equal 

func (p *G1Jac) Equal(a *G1Jac) bool

Equal tests if two points (in Jacobian coordinates) are equal

func (*G1Jac) FromAffine 

func (p *G1Jac) FromAffine(Q *G1Affine) *G1Jac

FromAffine sets p = Q, p in Jacboian, Q in affine

func (*G1Jac) IsInSubGroup 

func (p *G1Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is on the r-torsion, false otherwise. Z[r,0]+Z[-lambdaG1Affine, 1] is the kernel of (u,v)->u+lambdaG1Affinev mod r. Expressing r, lambdaG1Affine as polynomials in x, a short vector of this Zmodule is (x+1), (x**3-x**2+1). So we check that (x+1)p+(x**3-x**2+1)*phi(p) is the infinity.

func (*G1Jac) IsOnCurve 

func (p *G1Jac) IsOnCurve() bool

IsOnCurve returns true if p in on the curve

func (*G1Jac) MultiExp 

func (p *G1Jac) MultiExp(points []G1Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G1Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

func (*G1Jac) Neg 

func (p *G1Jac) Neg(a *G1Jac) *G1Jac

Neg computes -G

func (*G1Jac) ScalarMultiplication 

func (p *G1Jac) ScalarMultiplication(a *G1Jac, s *big.Int) *G1Jac

ScalarMultiplication computes and returns p = a*s see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G1Jac) Set 

func (p *G1Jac) Set(a *G1Jac) *G1Jac

Set sets p to the provided point

func (*G1Jac) String 

func (p *G1Jac) String() string

func (*G1Jac) SubAssign 

func (p *G1Jac) SubAssign(a *G1Jac) *G1Jac

SubAssign subtracts two points on the curve

type G2Affine 

type G2Affine struct {
	X, Y fp.Element
}

G2Affine point in affine coordinates

func BatchScalarMultiplicationG2 

func BatchScalarMultiplicationG2(base *G2Affine, scalars []fr.Element) []G2Affine

BatchScalarMultiplicationG2 multiplies the same base (generator) by all scalars and return resulting points in affine coordinates uses a simple windowed-NAF like exponentiation algorithm

func EncodeToCurveG2SSWU 

func EncodeToCurveG2SSWU(msg, dst []byte) (G2Affine, error)

EncodeToCurveG2SSWU maps a fp.Element to a point on the curve using the Simplified Shallue and van de Woestijne Ulas map https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/13/#section-6.6.3

func EncodeToCurveG2Svdw 

func EncodeToCurveG2Svdw(msg, dst []byte) (G2Affine, error)

EncodeToCurveG2Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.2

func HashToCurveG2SSWU 

func HashToCurveG2SSWU(msg, dst []byte) (G2Affine, error)

HashToCurveG2SSWU hashes a byte string to the G2 curve. Usable as a random oracle. https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-3

func HashToCurveG2Svdw 

func HashToCurveG2Svdw(msg, dst []byte) (G2Affine, error)

HashToCurveG2Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-3

func MapToCurveG2Svdw 

func MapToCurveG2Svdw(t fp.Element) G2Affine

MapToCurveG2Svdw maps an fp.Element to a point on the curve using the Shallue and van de Woestijne map https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-2.2.1

func (*G2Affine) Add 

func (p *G2Affine) Add(a, b *G2Affine) *G2Affine

Add adds two point in affine coordinates. This should rarely be used as it is very inneficient compared to Jacobian TODO implement affine addition formula

func (*G2Affine) Bytes 

func (p *G2Affine) Bytes() (res [SizeOfG2AffineCompressed]byte)

Bytes returns binary representation of p will store X coordinate in regular form and a parity bit we follow the BLS12-381 style encoding as specified in ZCash and now IETF The most significant bit, when set, indicates that the point is in compressed form. Otherwise, the point is in uncompressed form. The second-most significant bit indicates that the point is at infinity. If this bit is set, the remaining bits of the group element's encoding should be set to zero. The third-most significant bit is set if (and only if) this point is in compressed form and it is not the point at infinity and its y-coordinate is the lexicographically largest of the two associated with the encoded x-coordinate.

func (*G2Affine) ClearCofactor 

func (p *G2Affine) ClearCofactor(a *G2Affine) *G2Affine

ClearCofactor maps a point in curve to r-torsion

func (*G2Affine) Equal 

func (p *G2Affine) Equal(a *G2Affine) bool

Equal tests if two points (in Affine coordinates) are equal

func (*G2Affine) FromJacobian 

func (p *G2Affine) FromJacobian(p1 *G2Jac) *G2Affine

FromJacobian rescale a point in Jacobian coord in z=1 plane

func (*G2Affine) IsInSubGroup 

func (p *G2Affine) IsInSubGroup() bool

IsInSubGroup returns true if p is in the correct subgroup, false otherwise

func (*G2Affine) IsInfinity 

func (p *G2Affine) IsInfinity() bool

IsInfinity checks if the point is infinity (in affine, it's encoded as (0,0))

func (*G2Affine) IsOnCurve 

func (p *G2Affine) IsOnCurve() bool

IsOnCurve returns true if p in on the curve

func (*G2Affine) Marshal 

func (p *G2Affine) Marshal() []byte

Marshal converts p to a byte slice (without point compression)

func (*G2Affine) MultiExp 

func (p *G2Affine) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Affine, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

func (*G2Affine) Neg 

func (p *G2Affine) Neg(a *G2Affine) *G2Affine

Neg computes -G

func (*G2Affine) RawBytes 

func (p *G2Affine) RawBytes() (res [SizeOfG2AffineUncompressed]byte)

RawBytes returns binary representation of p (stores X and Y coordinate) see Bytes() for a compressed representation

func (*G2Affine) ScalarMultiplication 

func (p *G2Affine) ScalarMultiplication(a *G2Affine, s *big.Int) *G2Affine

ScalarMultiplication computes and returns p = a*s

func (*G2Affine) Set 

func (p *G2Affine) Set(a *G2Affine) *G2Affine

Set sets p to the provided point

func (*G2Affine) SetBytes 

func (p *G2Affine) SetBytes(buf []byte) (int, error)

SetBytes sets p from binary representation in buf and returns number of consumed bytes bytes in buf must match either RawBytes() or Bytes() output if buf is too short io.ErrShortBuffer is returned if buf contains compressed representation (output from Bytes()) and we're unable to compute the Y coordinate (i.e the square root doesn't exist) this function retunrs an error this check if the resulting point is on the curve and in the correct subgroup

func (*G2Affine) String 

func (p *G2Affine) String() string

func (*G2Affine) Sub 

func (p *G2Affine) Sub(a, b *G2Affine) *G2Affine

Sub subs two point in affine coordinates. This should rarely be used as it is very inneficient compared to Jacobian TODO implement affine addition formula

func (*G2Affine) Unmarshal 

func (p *G2Affine) Unmarshal(buf []byte) error

Unmarshal is an allias to SetBytes()

type G2Jac 

type G2Jac struct {
	X, Y, Z fp.Element
}

G2Jac is a point with fp.Element coordinates

func (*G2Jac) AddAssign 

func (p *G2Jac) AddAssign(a *G2Jac) *G2Jac

AddAssign point addition in montgomery form https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl

func (*G2Jac) AddMixed 

func (p *G2Jac) AddMixed(a *G2Affine) *G2Jac

AddMixed point addition http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl

func (*G2Jac) ClearCofactor 

func (p *G2Jac) ClearCofactor(a *G2Jac) *G2Jac

ClearCofactor maps a point in curve to r-torsion

func (*G2Jac) Double 

func (p *G2Jac) Double(q *G2Jac) *G2Jac

Double doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) DoubleAssign 

func (p *G2Jac) DoubleAssign() *G2Jac

DoubleAssign doubles a point in Jacobian coordinates https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2007-bl

func (*G2Jac) Equal 

func (p *G2Jac) Equal(a *G2Jac) bool

Equal tests if two points (in Jacobian coordinates) are equal

func (*G2Jac) FromAffine 

func (p *G2Jac) FromAffine(Q *G2Affine) *G2Jac

FromAffine sets p = Q, p in Jacboian, Q in affine

func (*G2Jac) IsInSubGroup 

func (p *G2Jac) IsInSubGroup() bool

IsInSubGroup returns true if p is on the r-torsion, false otherwise. Z[r,0]+Z[-lambdaG2Affine, 1] is the kernel of (u,v)->u+lambdaG2Affinev mod r. Expressing r, lambdaG2Affine as polynomials in x, a short vector of this Zmodule is (x+1), (x**3-x**2+1). So we check that (x+1)p+(x**3-x**2+1)*phi(p) is the infinity.

func (*G2Jac) IsOnCurve 

func (p *G2Jac) IsOnCurve() bool

IsOnCurve returns true if p in on the curve

func (*G2Jac) MultiExp 

func (p *G2Jac) MultiExp(points []G2Affine, scalars []fr.Element, config ecc.MultiExpConfig) (*G2Jac, error)

MultiExp implements section 4 of https://eprint.iacr.org/2012/549.pdf

func (*G2Jac) Neg 

func (p *G2Jac) Neg(a *G2Jac) *G2Jac

Neg computes -G

func (*G2Jac) ScalarMultiplication 

func (p *G2Jac) ScalarMultiplication(a *G2Jac, s *big.Int) *G2Jac

ScalarMultiplication computes and returns p = a*s see https://www.iacr.org/archive/crypto2001/21390189.pdf

func (*G2Jac) Set 

func (p *G2Jac) Set(a *G2Jac) *G2Jac

Set sets p to the provided point

func (*G2Jac) String 

func (p *G2Jac) String() string

func (*G2Jac) SubAssign 

func (p *G2Jac) SubAssign(a *G2Jac) *G2Jac

SubAssign subtracts two points on the curve

type GT 

type GT = fptower.E6

GT target group of the pairing

func FinalExponentiation 

func FinalExponentiation(z *GT, _z ...*GT) GT

FinalExponentiation computes the final expo x**(c*(p**3-1)(p+1)(p**2-p+1)/r)

func MillerLoop 

func MillerLoop(P []G1Affine, Q []G2Affine) (GT, error)

MillerLoop Optimal Tate alternative (or twisted ate or Eta revisited) Alg.2 in https://eprint.iacr.org/2021/1359.pdf

func Pair 

func Pair(P []G1Affine, Q []G2Affine) (GT, error)

Pair calculates the reduced pairing for a set of points

Source Files

View all Source files

Directories

Path Synopsis
Package fp contains field arithmetic operations for modulus = 0xf76adb...000001.
 Package fp contains field arithmetic operations for modulus = 0xf76adb...000001.
fr
Package fr contains field arithmetic operations for modulus = 0x3eeb04...000001.
 Package fr contains field arithmetic operations for modulus = 0x3eeb04...000001.
fft
Package fft provides in-place discrete Fourier transform.
 Package fft provides in-place discrete Fourier transform.
kzg
Package kzg provides a KZG commitment scheme.
 Package kzg provides a KZG commitment scheme.
mimc
Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
 Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
permutation
Package permutation provides an API to build permutation proofs.
 Package permutation provides an API to build permutation proofs.
plookup
Package plookup provides an API to build plookup proofs.
 Package plookup provides an API to build plookup proofs.
polynomial
Package polynomial provides polynomial methods and commitment schemes.
 Package polynomial provides polynomial methods and commitment schemes.
internal
fptower
Package twistededwards provides bw6-756's twisted edwards "companion curve" defined on fr.
 Package twistededwards provides bw6-756's twisted edwards "companion curve" defined on fr.
eddsa
Package eddsa provides EdDSA signature scheme on bw6-756's twisted edwards curve.
 Package eddsa provides EdDSA signature scheme on bw6-756's twisted edwards curve.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.