package bn256
import "golang.org/x/crypto/bn256"
Package bn256 implements a particular bilinear group.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See https://moderncrypto.org/mail-archive/curves/2016/000740.html.
Deprecated: due to its weakened security, new systems should not rely on this elliptic curve. This package is frozen, and not implemented in constant time. There is a more complete implementation at github.com/cloudflare/bn256, but note that it suffers from the same security issues of the underlying curve.
Index ¶
- Variables
- type G1
- func RandomG1(r io.Reader) (*big.Int, *G1, error)
- func (e *G1) Add(a, b *G1) *G1
- func (e *G1) Marshal() []byte
- func (e *G1) Neg(a *G1) *G1
- func (e *G1) ScalarBaseMult(k *big.Int) *G1
- func (e *G1) ScalarMult(a *G1, k *big.Int) *G1
- func (e *G1) String() string
- func (e *G1) Unmarshal(m []byte) (*G1, bool)
- type G2
- func RandomG2(r io.Reader) (*big.Int, *G2, error)
- func (e *G2) Add(a, b *G2) *G2
- func (n *G2) Marshal() []byte
- func (e *G2) ScalarBaseMult(k *big.Int) *G2
- func (e *G2) ScalarMult(a *G2, k *big.Int) *G2
- func (e *G2) String() string
- func (e *G2) Unmarshal(m []byte) (*G2, bool)
- type GT
Variables ¶
var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")
Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
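The relationship between Order and the curve parameter u can be checked with the standard library alone. The following is an added example, not code from the package or its documentation: it recovers u from the Order value above by searching for the integer root of 36u⁴+36u³+18u²+6u+1, then reports the size and primality of the group order and of the base-field modulus. The function names and the relation p(u) = n(u) + 6u² (the standard Barreto-Naehrig parametrisation) are assumptions not stated on this page.

```go
package main

import (
	"fmt"
	"math/big"
)

// order is the Order value printed in the package documentation.
var order, _ = new(big.Int).SetString("65000549695646603732796438742359905742570406053903786389881062969044166799969", 10)

// bnOrder evaluates n(u) = 36u⁴+36u³+18u²+6u+1 by Horner's rule.
func bnOrder(u *big.Int) *big.Int {
	n := big.NewInt(36)
	for _, c := range []int64{36, 18, 6, 1} {
		n.Mul(n, u).Add(n, big.NewInt(c))
	}
	return n
}

// recoverU binary-searches for the integer u > 0 with n(u) == target (n is increasing).
func recoverU(target *big.Int) (*big.Int, bool) {
	one, lo := big.NewInt(1), big.NewInt(1)
	hi := new(big.Int).Lsh(one, uint(target.BitLen()/4+1)) // n(hi) > target
	for lo.Cmp(hi) <= 0 {
		mid := new(big.Int).Rsh(new(big.Int).Add(lo, hi), 1)
		switch bnOrder(mid).Cmp(target) {
		case 0:
			return mid, true
		case -1:
			lo = new(big.Int).Add(mid, one)
		default:
			hi = new(big.Int).Sub(mid, one)
		}
	}
	return nil, false // target is not a value of the polynomial
}

// fieldPrime returns p(u) = n(u) + 6u², the base-field modulus in the standard
// Barreto-Naehrig parametrisation (an assumption; the page does not state it).
func fieldPrime(u *big.Int) *big.Int {
	p := new(big.Int).Mul(u, u)
	return p.Mul(p, big.NewInt(6)).Add(p, bnOrder(u))
}

func main() {
	if u, ok := recoverU(order); ok {
		p := fieldPrime(u)
		fmt.Printf("u=%v n: %d bits, prime=%v p: %d bits, prime=%v\n",
			u, order.BitLen(), order.ProbablyPrime(20), p.BitLen(), p.ProbablyPrime(20))
	}
}
```

Both the group order and the field modulus come out as 256-bit primes, which is what "256-bit Barreto-Naehrig curve" refers to.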
Types ¶
type G1 ¶
type G1 struct {
// contains filtered or unexported fields
}
G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func RandomG1 ¶
RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
func (*G1) Add ¶
Add sets e to a+b and then returns e.
Warning: this function is not complete; it fails when a equals b.
func (*G1) Marshal ¶
Marshal converts e to a byte slice.
func (*G1) Neg ¶
Neg sets e to -a and then returns e.
func (*G1) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
func (*G1) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
func (*G1) String ¶
func (*G1) Unmarshal ¶
Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.
type G2 ¶
type G2 struct {
// contains filtered or unexported fields
}
G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func RandomG2 ¶
RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.
func (*G2) Add ¶
Add sets e to a+b and then returns e.
Warning: this function is not complete; it fails when a equals b.
func (*G2) Marshal ¶
Marshal converts n into a byte slice.
func (*G2) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
func (*G2) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
func (*G2) String ¶
func (*G2) Unmarshal ¶
Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.
type GT ¶
type GT struct {
// contains filtered or unexported fields
}
GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func Pair ¶
Pair calculates an Optimal Ate pairing.
Example ¶
Code:
{
	// This implements the tripartite Diffie-Hellman algorithm from "A One
	// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
	// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

	// Each of three parties, a, b and c, generates a private value.
	a, _ := rand.Int(rand.Reader, Order)
	b, _ := rand.Int(rand.Reader, Order)
	c, _ := rand.Int(rand.Reader, Order)

	// Then each party calculates g₁ and g₂ times their private value.
	pa := new(G1).ScalarBaseMult(a)
	qa := new(G2).ScalarBaseMult(a)

	pb := new(G1).ScalarBaseMult(b)
	qb := new(G2).ScalarBaseMult(b)

	pc := new(G1).ScalarBaseMult(c)
	qc := new(G2).ScalarBaseMult(c)

	// Now each party exchanges its public values with the other two and
	// all parties can calculate the shared key.
	k1 := Pair(pb, qc)
	k1.ScalarMult(k1, a)

	k2 := Pair(pc, qa)
	k2.ScalarMult(k2, b)

	k3 := Pair(pa, qb)
	k3.ScalarMult(k3, c)

	// k1, k2 and k3 will all be equal.
}
func (*GT) Add ¶
Add sets e to a+b and then returns e.
func (*GT) Marshal ¶
Marshal converts n into a byte slice.
func (*GT) Neg ¶
Neg sets e to -a and then returns e.
func (*GT) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
func (*GT) String ¶
func (*GT) Unmarshal ¶
Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.
Source Files ¶
bn256.go constants.go curve.go gfp12.go gfp2.go gfp6.go optate.go twist.go
Version: v0.34.0 (latest)
Published: Feb 22, 2025