import "golang.org/x/crypto/bn256"
Package bn256 implements a particular bilinear group at the 128-bit security level.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
bn256.go constants.go curve.go gfp12.go gfp2.go gfp6.go optate.go twist.go
var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")
Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
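A parameter sanity check for the Order constant, as an added example that is not part of the package or its documentation: it recovers the BN parameter u from Order via the BN order polynomial 36u⁴+36u³+18u²+6u+1 and checks that Order is prime. It then goes beyond the page by deriving the field prime p = 36u⁴+36u³+24u²+6u+1 from the standard Barreto-Naehrig construction and confirming the embedding degree is 12. The helper names (`poly`, `solveU`, `checkBN`) are hypothetical and only the standard library is used.

```go
package main

import (
	"fmt"
	"math/big"
)

// Order as printed on the page.
var order, _ = new(big.Int).SetString("65000549695646603732796438742359905742570406053903786389881062969044166799969", 10)

// poly evaluates c[4]u⁴ + c[3]u³ + c[2]u² + c[1]u + c[0] by Horner's rule.
func poly(u *big.Int, c [5]int64) *big.Int {
	r := new(big.Int)
	for i := 4; i >= 0; i-- {
		r.Add(r.Mul(r, u), big.NewInt(c[i]))
	}
	return r
}

// solveU binary-searches [0, 2^64] for u with poly(u, c) == target (poly is increasing there).
func solveU(target *big.Int, c [5]int64) (*big.Int, bool) {
	lo, hi := big.NewInt(0), new(big.Int).Lsh(big.NewInt(1), 64)
	for lo.Cmp(hi) < 0 {
		mid := new(big.Int).Rsh(new(big.Int).Add(lo, hi), 1)
		if poly(mid, c).Cmp(target) < 0 {
			lo = mid.Add(mid, big.NewInt(1))
		} else {
			hi = mid
		}
	}
	return lo, poly(lo, c).Cmp(target) == 0
}

// checkBN recovers u from n, derives the field prime p (BN polynomial, not on
// the page) and finds the smallest k <= 12 with p^k ≡ 1 (mod n); k is 13 if none.
func checkBN(n *big.Int) (u, p *big.Int, k int, ok bool) {
	u, found := solveU(n, [5]int64{1, 6, 18, 36, 36}) // 36u⁴+36u³+18u²+6u+1
	p = poly(u, [5]int64{1, 6, 24, 36, 36})           // 36u⁴+36u³+24u²+6u+1
	x, one := big.NewInt(1), big.NewInt(1)
	for k = 1; k <= 12 && x.Mod(x.Mul(x, p), n).Cmp(one) != 0; k++ {
	}
	return u, p, k, found && n.ProbablyPrime(20) && p.ProbablyPrime(20)
}

func main() {
	u, p, k, ok := checkBN(order)
	_, typo := solveU(order, [5]int64{1, 6, 0, 54, 36}) // variant with 18u³ in place of 18u²
	fmt.Println(u, p.BitLen(), order.BitLen(), k, ok, typo)
}
```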
RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.
RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.
type G1 struct {
// contains filtered or unexported fields
}
G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.
Marshal converts n to a byte slice.
Neg sets e to -a and then returns e.
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
ScalarMult sets e to a*k and then returns e.
Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.
type G2 struct {
// contains filtered or unexported fields
}
G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.
Marshal converts n into a byte slice.
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
ScalarMult sets e to a*k and then returns e.
Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.
type GT struct {
// contains filtered or unexported fields
}
GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
Pair calculates an Optimal Ate pairing.
Code:
// This implements the tripartite Diffie-Hellman algorithm from "A One
// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

// Each of three parties, a, b and c, generate a private value.
a, _ := rand.Int(rand.Reader, Order)
b, _ := rand.Int(rand.Reader, Order)
c, _ := rand.Int(rand.Reader, Order)

// Then each party calculates g₁ and g₂ times their private value.
pa := new(G1).ScalarBaseMult(a)
qa := new(G2).ScalarBaseMult(a)

pb := new(G1).ScalarBaseMult(b)
qb := new(G2).ScalarBaseMult(b)

pc := new(G1).ScalarBaseMult(c)
qc := new(G2).ScalarBaseMult(c)

// Now each party exchanges its public values with the other two and
// all parties can calculate the shared key.
k1 := Pair(pb, qc)
k1.ScalarMult(k1, a)

k2 := Pair(pc, qa)
k2.ScalarMult(k2, b)

k3 := Pair(pa, qb)
k3.ScalarMult(k3, c)

// k1, k2 and k3 will all be equal.
Add sets e to a+b and then returns e.
Marshal converts n into a byte slice.
Neg sets e to -a and then returns e.
ScalarMult sets e to a*k and then returns e.
Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.
☞ this implementation is not constant time.
☞ this function is not complete: a==b fails.
☞ this function is not complete: a==b fails.