Documentation
Overview
Package bn256 implements a particular bilinear group.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
(This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
Index
- Variables
- func PairingCheck(a []*G1, b []*G2) bool
- type G1
- func (e *G1) Add(a, b *G1) *G1
- func (e *G1) CurvePoints() (*big.Int, *big.Int, *big.Int, *big.Int)
- func (e *G1) Marshal() []byte
- func (e *G1) Neg(a *G1) *G1
- func (e *G1) ScalarBaseMult(k *big.Int) *G1
- func (e *G1) ScalarMult(a *G1, k *big.Int) *G1
- func (e *G1) String() string
- func (e *G1) Unmarshal(m []byte) ([]byte, error)
- type G2
- type GT
- Bugs
Variables
var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617")
Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
var P = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583")
P is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.
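The two polynomials above differ by exactly 6u², so u can be recovered from the published P and Order and both constants checked against their formulas. The Go program below is an added example, not part of the package; the helper names (bnPoly, RecoverU, CheckParams, PageParams) are hypothetical and it uses only math/big.

```go
package main

import (
	"fmt"
	"math/big"
)

// bnPoly evaluates 36u⁴+36u³+c2·u²+6u+1 by Horner's rule.
func bnPoly(u *big.Int, c2 int64) *big.Int {
	r := big.NewInt(36)
	for _, c := range []int64{36, c2, 6, 1} {
		r.Mul(r, u).Add(r, big.NewInt(c))
	}
	return r
}

// RecoverU derives u from P and Order alone: the two documented polynomials
// differ by exactly 6u². ok is false if (P-Order)/6 is not a perfect square.
func RecoverU(p, order *big.Int) (u *big.Int, ok bool) {
	diff := new(big.Int).Sub(p, order)
	if diff.Sign() <= 0 {
		return nil, false
	}
	q, rem := new(big.Int).QuoRem(diff, big.NewInt(6), new(big.Int))
	u = new(big.Int).Sqrt(q)
	return u, rem.Sign() == 0 && new(big.Int).Mul(u, u).Cmp(q) == 0
}

// CheckParams reports whether p and order are (probable) primes that both
// match the documented polynomials for the recovered u.
func CheckParams(p, order *big.Int) (*big.Int, bool) {
	u, ok := RecoverU(p, order)
	return u, ok && bnPoly(u, 24).Cmp(p) == 0 && bnPoly(u, 18).Cmp(order) == 0 &&
		p.ProbablyPrime(20) && order.ProbablyPrime(20)
}

// PageParams parses the decimal values copied from this page's Variables section.
func PageParams() (p, order *big.Int) {
	p, _ = new(big.Int).SetString("21888242871839275222246405745257275088696311157297823662689037894645226208583", 10)
	order, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
	return p, order
}

func main() {
	u, ok := CheckParams(PageParams())
	fmt.Printf("u=%s consistent=%v\n", u, ok)
}
```

A check like this catches a mistyped or truncated constant when the values are copied into another implementation.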
var XiTo2PMinusTacc1 = []byte{149, 80, 137, 227, 60, 253, 240, 174, 42, 61, 22, 248, 133, 77, 35, 131, 164, 53, 138, 150}
XiTo2PMinusTacc1 is Tacc, represented as little-endian 64-bit words.
var XiTo2PMinusTacc2 = []byte{149, 191, 36, 82, 139, 52, 12, 242, 186, 147, 195, 5, 209, 47, 82, 245, 248, 79, 113, 19}
XiTo2PMinusTacc2 is Tacc, represented as little-endian 64-bit words.
var XiTo2PMinusTacc3 = []byte{149, 169, 227, 120, 40, 18, 229, 152, 55, 22, 154, 210, 219, 186, 142, 89, 63, 241, 121, 134}
XiTo2PMinusTacc3 is Tacc, represented as little-endian 64-bit words.
var XiTo2PMinusTacc4 = []byte{149, 120, 51, 108, 108, 194, 170, 186, 94, 154, 14, 134, 212, 83, 89, 31, 128, 207, 31, 190}
XiTo2PMinusTacc4 is Tacc, represented as little-endian 64-bit words.
var XiTo2PMinusTacc5 = []byte{149, 148, 86, 132, 241, 47, 108, 243, 16, 119, 156, 199, 14, 27, 20, 24, 245, 142, 17, 61}
XiTo2PMinusTacc5 is Tacc, represented as little-endian 64-bit words.
var XiTo2PMinusTacc6 = []byte{149, 128, 30, 204, 127, 145, 176, 159, 42, 116, 217, 155, 15, 153, 114, 165, 198, 179, 153, 87}
XiTo2PMinusTacc6 is Tacc, represented as little-endian 64-bit words.
XiTo2PMinusTnum1 is a prime over which we form a basic field.
XiTo2PMinusTnum2 is a prime over which we form a basic field.
Functions
func PairingCheck
PairingCheck calculates the Optimal Ate pairing for a set of points.
Types
type G1
type G1 struct {
// contains filtered or unexported fields
}
G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func (*G1) Add
Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.
func (*G1) CurvePoints
CurvePoints returns p's curve points as big integers.
func (*G1) ScalarBaseMult
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
func (*G1) ScalarMult
ScalarMult sets e to a*k and then returns e.
type G2
type G2 struct {
// contains filtered or unexported fields
}
G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func (*G2) Add
Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.
func (*G2) CurvePoints
func (e *G2) CurvePoints() (*gfP2, *gfP2, *gfP2, *gfP2)
CurvePoints returns the curve points of p which includes the real and imaginary parts of the curve point.
func (*G2) ScalarBaseMult
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
func (*G2) ScalarMult
ScalarMult sets e to a*k and then returns e.
type GT
type GT struct {
// contains filtered or unexported fields
}
GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func Pair
Pair calculates an Optimal Ate pairing.
Example
// This implements the tripartite Diffie-Hellman algorithm from "A One
// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

// Each of three parties, a, b and c, generate a private value.
a, _ := rand.Int(rand.Reader, Order)
b, _ := rand.Int(rand.Reader, Order)
c, _ := rand.Int(rand.Reader, Order)

// Then each party calculates g₁ and g₂ times their private value.
pa := new(G1).ScalarBaseMult(a)
qa := new(G2).ScalarBaseMult(a)

pb := new(G1).ScalarBaseMult(b)
qb := new(G2).ScalarBaseMult(b)

pc := new(G1).ScalarBaseMult(c)
qc := new(G2).ScalarBaseMult(c)

// Now each party exchanges its public values with the other two and
// all parties can calculate the shared key.
k1 := Pair(pb, qc)
k1.ScalarMult(k1, a)

k2 := Pair(pc, qa)
k2.ScalarMult(k2, b)

k3 := Pair(pa, qb)
k3.ScalarMult(k3, c)

// k1, k2 and k3 will all be equal.
func (*GT) ScalarMult
ScalarMult sets e to a*k and then returns e.
Notes
Bugs
this implementation is not constant time.
this function is not complete: a==b fails.
this function is not complete: a==b fails.