Documentation ¶
Overview ¶
Package bls12381 provides bilinear pairings using the BLS12-381 curve.
A pairing system consists of three groups G1 and G2 (additive notation) and Gt (multiplicative notation) of the same order. Scalars can be used interchangeably between groups.
These groups have the same order equal to:
Order = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
Serialization Format ¶
Elements of G1 and G2 can be encoded in uncompressed form (the x-coordinate followed by the y-coordinate) or in compressed form (just the x-coordinate). G1 elements occupy 96 bytes in uncompressed form, and 48 bytes in compressed form. G2 elements occupy 192 bytes in uncompressed form, and 96 bytes in compressed form.
The most-significant three bits of a G1 or G2 encoding should be masked away before the coordinates are interpreted. These bits are used to unambiguously represent the underlying element:
* The most significant bit, when set, indicates that the point is in compressed form. Otherwise, the point is in uncompressed form.
* The second-most significant bit indicates that the point is at infinity. If this bit is set, the remaining bits of the group element's encoding should be set to zero.
* The third-most significant bit is set if (and only if) this point is in compressed form AND it is not the point at infinity AND its y-coordinate is the lexicographically largest of the two associated with the encoded x-coordinate.
|------------------------------------------------------| | Serialization Format | |-----|-------|-------|-----------------|--------------| | MSB | MSB-1 | MSB-2 | Description | Encoding | |-----|-------|-------|-----------------|--------------| | | | | Non-compressed, | | | 0 | 0 | 0 | Non-Infinity, | e || x || y | | | | | Zero. | | |-----|-------|-------|-----------------|--------------| | | | | Non-compressed, | | | 0 | 0 | 1 | Non-Infinity, | Invalid | | | | | One. | | |-----|-------|-------|-----------------|--------------| | | | | Non-compressed, | | | 0 | 1 | 0 | Infinity, | e || 0 || 0 | | | | | Zero. | | |-----|-------|-------|-----------------|--------------| | | | | Non-compressed, | | | 0 | 1 | 1 | Infinity, | Invalid | | | | | One. | | |-----|-------|-------|-----------------|--------------| | | | | Compressed, | | | 1 | 0 | 0 | Non-Infinity, | e || x | | | | | Small y-coord | | |-----|-------|-------|-----------------|--------------| | | | | Compressed, | | | 1 | 0 | 1 | Non-Infinity, | e || x | | | | | Big y-coord | | |-----|-------|-------|-----------------|--------------| | | | | Compressed, | | | 1 | 1 | 0 | Infinity, | e || 0 | | | | | Zero. | | |-----|-------|-------|-----------------|--------------| | | | | Compressed, | | | 1 | 1 | 1 | Infinity, | Invalid | | | | | One. | | |------------------------------------------------------|
Index ¶
- Constants
- func Order() []byte
- type G1
- func (g *G1) Add(P, Q *G1)
- func (g G1) Bytes() []byte
- func (g G1) BytesCompressed() []byte
- func (g *G1) Double()
- func (g *G1) Encode(input, dst []byte)
- func (g *G1) Hash(input, dst []byte)
- func (g *G1) IsEqual(p *G1) bool
- func (g *G1) IsIdentity() bool
- func (g *G1) IsOnG1() bool
- func (g *G1) Neg()
- func (g *G1) ScalarMult(k *Scalar, P *G1)
- func (g *G1) SetBytes(b []byte) error
- func (g *G1) SetIdentity()
- func (g G1) String() string
- type G2
- func (g *G2) Add(P, Q *G2)
- func (g G2) Bytes() []byte
- func (g G2) BytesCompressed() []byte
- func (g *G2) Double()
- func (g *G2) Encode(input, dst []byte)
- func (g *G2) Hash(input, dst []byte)
- func (g *G2) IsEqual(p *G2) bool
- func (g *G2) IsIdentity() bool
- func (g *G2) IsOnG2() bool
- func (g *G2) Neg()
- func (g *G2) ScalarMult(k *Scalar, P *G2)
- func (g *G2) SetBytes(b []byte) error
- func (g *G2) SetIdentity()
- func (g G2) String() string
- type Gt
- func (z *Gt) Exp(x *Gt, n *Scalar)
- func (z *Gt) Inv(x *Gt)
- func (z Gt) IsEqual(x *Gt) bool
- func (z Gt) IsIdentity() bool
- func (z Gt) MarshalBinary() ([]byte, error)
- func (z *Gt) Mul(x, y *Gt)
- func (z *Gt) SetIdentity()
- func (z *Gt) Sqr(x *Gt)
- func (z Gt) String() string
- func (z *Gt) UnmarshalBinary(b []byte) error
- type Scalar
Constants ¶
const G1Size = 2 * ff.FpSize
G1Size is the length in bytes of an element in G1 in uncompressed form..
const G1SizeCompressed = ff.FpSize
G1SizeCompressed is the length in bytes of an element in G1 in compressed form.
const G2Size = 2 * ff.Fp2Size
G2Size is the length in bytes of an element in G2 in uncompressed form..
const G2SizeCompressed = ff.Fp2Size
G2SizeCompressed is the length in bytes of an element in G2 in compressed form.
const GtSize = ff.URootSize
GtSize is the length in bytes of an element in Gt.
const ScalarSize = ff.ScalarSize
Variables ¶
This section is empty.
Functions ¶
Types ¶
type G1 ¶
type G1 struct {
// contains filtered or unexported fields
}
G1 is a point in the BLS12 curve over Fp.
func (G1) BytesCompressed ¶
Bytes serializes a G1 element in compressed form.
func (*G1) Encode ¶
EncodeToCurve is a non-uniform encoding from an input byte string (and an optional domain separation tag) to elements in G1. This function must not be used as a hash function, otherwise use G1.Hash instead.
func (*G1) Hash ¶
Hash produces an element of G1 from the hash of an input byte string and an optional domain separation tag. This function is safe to use when a random oracle returning points in G1 be required.
func (*G1) IsIdentity ¶
IsIdentity return true if the point is the identity of G1.
type G2 ¶
type G2 struct {
// contains filtered or unexported fields
}
G2 is a point in the twist of the BLS12 curve over Fp2.
func (G2) BytesCompressed ¶
Bytes serializes a G2 element in compressed form.
func (*G2) Encode ¶
EncodeToCurve is a non-uniform encoding from an input byte string (and an optional domain separation tag) to elements in G2. This function must not be used as a hash function, otherwise use G2.Hash instead.
func (*G2) Hash ¶
Hash produces an element of G2 from the hash of an input byte string and an optional domain separation tag. This function is safe to use when a random oracle returning points in G2 be required.
func (*G2) IsIdentity ¶
IsIdentity return true if the point is the identity of G2.
type Gt ¶
type Gt struct {
// contains filtered or unexported fields
}
Gt represents an element of the output (multiplicative) group of a pairing.
func ProdPairFrac ¶
ProdPairFrac computes the product e(P, Q)^sign where sign is 1 or -1
func (Gt) IsIdentity ¶
func (Gt) MarshalBinary ¶
func (*Gt) SetIdentity ¶
func (z *Gt) SetIdentity()