1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package bn256 implements a particular bilinear group.
7 // Bilinear groups are the basis of many of the new cryptographic protocols
8 // that have been proposed over the past decade. They consist of a triplet of
9 // groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ
10 // (where gₓ is a generator of the respective group). That function is called
11 // a pairing function.
13 // This package specifically implements the Optimal Ate pairing over a 256-bit
14 // Barreto-Naehrig curve as described in
15 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
16 // with the implementation described in that paper.
18 // This package previously claimed to operate at a 128-bit security level.
19 // However, recent improvements in attacks mean that is no longer true. See
20 // https://moderncrypto.org/mail-archive/curves/2016/000740.html.
22 // Deprecated: due to its weakened security, new systems should not rely on this
23 // elliptic curve. This package is frozen, and not implemented in constant time.
24 // There is a more complete implementation at github.com/cloudflare/bn256, but
25 // note that it suffers from the same security issues of the underlying curve.
26 package bn256 // import "golang.org/x/crypto/bn256"
34 // G1 is an abstract cyclic group. The zero value is suitable for use as the
35 // output of an operation, but cannot be used as an input.
40 // RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
41 func RandomG1(r io.Reader) (*big.Int, *G1, error) {
46 k, err = rand.Int(r, Order)
55 return k, new(G1).ScalarBaseMult(k), nil
58 func (e *G1) String() string {
60 return "bn256.G1" + newCurvePoint(nil).String()
62 return "bn256.G1" + e.p.String()
65 // ScalarBaseMult sets e to g*k where g is the generator of the group and
67 func (e *G1) ScalarBaseMult(k *big.Int) *G1 {
69 e.p = newCurvePoint(nil)
71 e.p.Mul(curveGen, k, new(bnPool))
75 // ScalarMult sets e to a*k and then returns e.
76 func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
78 e.p = newCurvePoint(nil)
80 e.p.Mul(a.p, k, new(bnPool))
84 // Add sets e to a+b and then returns e.
86 // Warning: this function is not complete, it fails for a equal to b.
87 func (e *G1) Add(a, b *G1) *G1 {
89 e.p = newCurvePoint(nil)
91 e.p.Add(a.p, b.p, new(bnPool))
95 // Neg sets e to -a and then returns e.
96 func (e *G1) Neg(a *G1) *G1 {
98 e.p = newCurvePoint(nil)
104 // Marshal converts n to a byte slice.
105 func (e *G1) Marshal() []byte {
106 // Each value is a 256-bit number.
107 const numBytes = 256 / 8
109 if e.p.IsInfinity() {
110 return make([]byte, numBytes*2)
115 xBytes := new(big.Int).Mod(e.p.x, p).Bytes()
116 yBytes := new(big.Int).Mod(e.p.y, p).Bytes()
118 ret := make([]byte, numBytes*2)
119 copy(ret[1*numBytes-len(xBytes):], xBytes)
120 copy(ret[2*numBytes-len(yBytes):], yBytes)
125 // Unmarshal sets e to the result of converting the output of Marshal back into
126 // a group element and then returns e.
127 func (e *G1) Unmarshal(m []byte) (*G1, bool) {
128 // Each value is a 256-bit number.
129 const numBytes = 256 / 8
131 if len(m) != 2*numBytes {
136 e.p = newCurvePoint(nil)
139 e.p.x.SetBytes(m[0*numBytes : 1*numBytes])
140 e.p.y.SetBytes(m[1*numBytes : 2*numBytes])
142 if e.p.x.Sign() == 0 && e.p.y.Sign() == 0 {
143 // This is the point at infinity.
151 if !e.p.IsOnCurve() {
159 // G2 is an abstract cyclic group. The zero value is suitable for use as the
160 // output of an operation, but cannot be used as an input.
165 // RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r.
166 func RandomG2(r io.Reader) (*big.Int, *G2, error) {
171 k, err = rand.Int(r, Order)
180 return k, new(G2).ScalarBaseMult(k), nil
183 func (e *G2) String() string {
185 return "bn256.G2" + newTwistPoint(nil).String()
187 return "bn256.G2" + e.p.String()
190 // ScalarBaseMult sets e to g*k where g is the generator of the group and
192 func (e *G2) ScalarBaseMult(k *big.Int) *G2 {
194 e.p = newTwistPoint(nil)
196 e.p.Mul(twistGen, k, new(bnPool))
200 // ScalarMult sets e to a*k and then returns e.
201 func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
203 e.p = newTwistPoint(nil)
205 e.p.Mul(a.p, k, new(bnPool))
209 // Add sets e to a+b and then returns e.
211 // Warning: this function is not complete, it fails for a equal to b.
212 func (e *G2) Add(a, b *G2) *G2 {
214 e.p = newTwistPoint(nil)
216 e.p.Add(a.p, b.p, new(bnPool))
220 // Marshal converts n into a byte slice.
221 func (n *G2) Marshal() []byte {
222 // Each value is a 256-bit number.
223 const numBytes = 256 / 8
225 if n.p.IsInfinity() {
226 return make([]byte, numBytes*4)
231 xxBytes := new(big.Int).Mod(n.p.x.x, p).Bytes()
232 xyBytes := new(big.Int).Mod(n.p.x.y, p).Bytes()
233 yxBytes := new(big.Int).Mod(n.p.y.x, p).Bytes()
234 yyBytes := new(big.Int).Mod(n.p.y.y, p).Bytes()
236 ret := make([]byte, numBytes*4)
237 copy(ret[1*numBytes-len(xxBytes):], xxBytes)
238 copy(ret[2*numBytes-len(xyBytes):], xyBytes)
239 copy(ret[3*numBytes-len(yxBytes):], yxBytes)
240 copy(ret[4*numBytes-len(yyBytes):], yyBytes)
245 // Unmarshal sets e to the result of converting the output of Marshal back into
246 // a group element and then returns e.
247 func (e *G2) Unmarshal(m []byte) (*G2, bool) {
248 // Each value is a 256-bit number.
249 const numBytes = 256 / 8
251 if len(m) != 4*numBytes {
256 e.p = newTwistPoint(nil)
259 e.p.x.x.SetBytes(m[0*numBytes : 1*numBytes])
260 e.p.x.y.SetBytes(m[1*numBytes : 2*numBytes])
261 e.p.y.x.SetBytes(m[2*numBytes : 3*numBytes])
262 e.p.y.y.SetBytes(m[3*numBytes : 4*numBytes])
264 if e.p.x.x.Sign() == 0 &&
265 e.p.x.y.Sign() == 0 &&
266 e.p.y.x.Sign() == 0 &&
267 e.p.y.y.Sign() == 0 {
268 // This is the point at infinity.
276 if !e.p.IsOnCurve() {
284 // GT is an abstract cyclic group. The zero value is suitable for use as the
285 // output of an operation, but cannot be used as an input.
290 func (e *GT) String() string {
292 return "bn256.GT" + newGFp12(nil).String()
294 return "bn256.GT" + e.p.String()
297 // ScalarMult sets e to a*k and then returns e.
298 func (e *GT) ScalarMult(a *GT, k *big.Int) *GT {
302 e.p.Exp(a.p, k, new(bnPool))
306 // Add sets e to a+b and then returns e.
307 func (e *GT) Add(a, b *GT) *GT {
311 e.p.Mul(a.p, b.p, new(bnPool))
315 // Neg sets e to -a and then returns e.
316 func (e *GT) Neg(a *GT) *GT {
320 e.p.Invert(a.p, new(bnPool))
324 // Marshal converts n into a byte slice.
325 func (n *GT) Marshal() []byte {
328 xxxBytes := n.p.x.x.x.Bytes()
329 xxyBytes := n.p.x.x.y.Bytes()
330 xyxBytes := n.p.x.y.x.Bytes()
331 xyyBytes := n.p.x.y.y.Bytes()
332 xzxBytes := n.p.x.z.x.Bytes()
333 xzyBytes := n.p.x.z.y.Bytes()
334 yxxBytes := n.p.y.x.x.Bytes()
335 yxyBytes := n.p.y.x.y.Bytes()
336 yyxBytes := n.p.y.y.x.Bytes()
337 yyyBytes := n.p.y.y.y.Bytes()
338 yzxBytes := n.p.y.z.x.Bytes()
339 yzyBytes := n.p.y.z.y.Bytes()
341 // Each value is a 256-bit number.
342 const numBytes = 256 / 8
344 ret := make([]byte, numBytes*12)
345 copy(ret[1*numBytes-len(xxxBytes):], xxxBytes)
346 copy(ret[2*numBytes-len(xxyBytes):], xxyBytes)
347 copy(ret[3*numBytes-len(xyxBytes):], xyxBytes)
348 copy(ret[4*numBytes-len(xyyBytes):], xyyBytes)
349 copy(ret[5*numBytes-len(xzxBytes):], xzxBytes)
350 copy(ret[6*numBytes-len(xzyBytes):], xzyBytes)
351 copy(ret[7*numBytes-len(yxxBytes):], yxxBytes)
352 copy(ret[8*numBytes-len(yxyBytes):], yxyBytes)
353 copy(ret[9*numBytes-len(yyxBytes):], yyxBytes)
354 copy(ret[10*numBytes-len(yyyBytes):], yyyBytes)
355 copy(ret[11*numBytes-len(yzxBytes):], yzxBytes)
356 copy(ret[12*numBytes-len(yzyBytes):], yzyBytes)
361 // Unmarshal sets e to the result of converting the output of Marshal back into
362 // a group element and then returns e.
363 func (e *GT) Unmarshal(m []byte) (*GT, bool) {
364 // Each value is a 256-bit number.
365 const numBytes = 256 / 8
367 if len(m) != 12*numBytes {
375 e.p.x.x.x.SetBytes(m[0*numBytes : 1*numBytes])
376 e.p.x.x.y.SetBytes(m[1*numBytes : 2*numBytes])
377 e.p.x.y.x.SetBytes(m[2*numBytes : 3*numBytes])
378 e.p.x.y.y.SetBytes(m[3*numBytes : 4*numBytes])
379 e.p.x.z.x.SetBytes(m[4*numBytes : 5*numBytes])
380 e.p.x.z.y.SetBytes(m[5*numBytes : 6*numBytes])
381 e.p.y.x.x.SetBytes(m[6*numBytes : 7*numBytes])
382 e.p.y.x.y.SetBytes(m[7*numBytes : 8*numBytes])
383 e.p.y.y.x.SetBytes(m[8*numBytes : 9*numBytes])
384 e.p.y.y.y.SetBytes(m[9*numBytes : 10*numBytes])
385 e.p.y.z.x.SetBytes(m[10*numBytes : 11*numBytes])
386 e.p.y.z.y.SetBytes(m[11*numBytes : 12*numBytes])
391 // Pair calculates an Optimal Ate pairing.
392 func Pair(g1 *G1, g2 *G2) *GT {
393 return >{optimalAte(g2.p, g1.p, new(bnPool))}
396 // bnPool implements a tiny cache of *big.Int objects that's used to reduce the
397 // number of allocations made during processing.
403 func (pool *bnPool) Get() *big.Int {
415 pool.bns = pool.bns[:l-1]
419 func (pool *bnPool) Put(bn *big.Int) {
423 pool.bns = append(pool.bns, bn)
427 func (pool *bnPool) Count() int {