...

Package bn256

import "golang.org/x/crypto/bn256"
Overview
Index
Examples

Overview ▾

Package bn256 implements a particular bilinear group.

Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.

This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.

This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See https://moderncrypto.org/mail-archive/curves/2016/000740.html.

Deprecated: due to its weakened security, new systems should not rely on this elliptic curve. This package is frozen, and not implemented in constant time. There is a more complete implementation at github.com/cloudflare/bn256, but note that it suffers from the same security issues of the underlying curve.

Variables

Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1. 

var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")

type G1

G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input. 

type G1 struct {
    // contains filtered or unexported fields
}

func RandomG1 

func RandomG1(r io.Reader) (*big.Int, *G1, error)

RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.

func (*G1) Add 

func (e *G1) Add(a, b *G1) *G1

Add sets e to a+b and then returns e.

Warning: this function is not complete, it fails for a equal to b.

func (*G1) Marshal 

func (e *G1) Marshal() []byte

Marshal converts n to a byte slice.

func (*G1) Neg 

func (e *G1) Neg(a *G1) *G1

Neg sets e to -a and then returns e.

func (*G1) ScalarBaseMult 

func (e *G1) ScalarBaseMult(k *big.Int) *G1

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.

func (*G1) ScalarMult 

func (e *G1) ScalarMult(a *G1, k *big.Int) *G1

ScalarMult sets e to a*k and then returns e.

func (*G1) String 

func (e *G1) String() string

func (*G1) Unmarshal 

func (e *G1) Unmarshal(m []byte) (*G1, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type G2

G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input. 

type G2 struct {
    // contains filtered or unexported fields
}

func RandomG2 

func RandomG2(r io.Reader) (*big.Int, *G2, error)

RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.

func (*G2) Add 

func (e *G2) Add(a, b *G2) *G2

Add sets e to a+b and then returns e.

Warning: this function is not complete, it fails for a equal to b.

func (*G2) Marshal 

func (n *G2) Marshal() []byte

Marshal converts n into a byte slice.

func (*G2) ScalarBaseMult 

func (e *G2) ScalarBaseMult(k *big.Int) *G2

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.

func (*G2) ScalarMult 

func (e *G2) ScalarMult(a *G2, k *big.Int) *G2

ScalarMult sets e to a*k and then returns e.

func (*G2) String 

func (e *G2) String() string

func (*G2) Unmarshal 

func (e *G2) Unmarshal(m []byte) (*G2, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type GT

GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input. 

type GT struct {
    // contains filtered or unexported fields
}

func Pair 

func Pair(g1 *G1, g2 *G2) *GT

Pair calculates an Optimal Ate pairing.

Example

Code:

// This implements the tripartite Diffie-Hellman algorithm from "A One
// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

// Each of three parties, a, b and c, generate a private value.
a, _ := rand.Int(rand.Reader, Order)
b, _ := rand.Int(rand.Reader, Order)
c, _ := rand.Int(rand.Reader, Order)

// Then each party calculates g₁ and g₂ times their private value.
pa := new(G1).ScalarBaseMult(a)
qa := new(G2).ScalarBaseMult(a)

pb := new(G1).ScalarBaseMult(b)
qb := new(G2).ScalarBaseMult(b)

pc := new(G1).ScalarBaseMult(c)
qc := new(G2).ScalarBaseMult(c)

// Now each party exchanges its public values with the other two and
// all parties can calculate the shared key.
k1 := Pair(pb, qc)
k1.ScalarMult(k1, a)

k2 := Pair(pc, qa)
k2.ScalarMult(k2, b)

k3 := Pair(pa, qb)
k3.ScalarMult(k3, c)

// k1, k2 and k3 will all be equal.

func (*GT) Add 

func (e *GT) Add(a, b *GT) *GT

Add sets e to a+b and then returns e.

func (*GT) Marshal 

func (n *GT) Marshal() []byte

Marshal converts n into a byte slice.

func (*GT) Neg 

func (e *GT) Neg(a *GT) *GT

Neg sets e to -a and then returns e.

func (*GT) ScalarMult 

func (e *GT) ScalarMult(a *GT, k *big.Int) *GT

ScalarMult sets e to a*k and then returns e.

func (*GT) String 

func (e *GT) String() string

func (*GT) Unmarshal 

func (e *GT) Unmarshal(m []byte) (*GT, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.