bn256 - ActiveState ActiveGo 1.8
...

Package bn256

import "golang.org/x/crypto/bn256"
Overview
Index
Examples

Overview ▾

Package bn256 implements a particular bilinear group at the 128-bit security level.

Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.

This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.

Variables

Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1. 

var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969")

func RandomG1 

func RandomG1(r io.Reader) (*big.Int, *G1, error)

RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.

func RandomG2 

func RandomG2(r io.Reader) (*big.Int, *G2, error)

RandomG1 returns x and g₂ˣ where x is a random, non-zero number read from r.

type G1

G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input. 

type G1 struct {
    // contains filtered or unexported fields
}

func (*G1) Add 

func (e *G1) Add(a, b *G1) *G1

Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.

func (*G1) Marshal 

func (n *G1) Marshal() []byte

Marshal converts n to a byte slice.

func (*G1) Neg 

func (e *G1) Neg(a *G1) *G1

Neg sets e to -a and then returns e.

func (*G1) ScalarBaseMult 

func (e *G1) ScalarBaseMult(k *big.Int) *G1

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.

func (*G1) ScalarMult 

func (e *G1) ScalarMult(a *G1, k *big.Int) *G1

ScalarMult sets e to a*k and then returns e.

func (*G1) String 

func (g *G1) String() string

func (*G1) Unmarshal 

func (e *G1) Unmarshal(m []byte) (*G1, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type G2

G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input. 

type G2 struct {
    // contains filtered or unexported fields
}

func (*G2) Add 

func (e *G2) Add(a, b *G2) *G2

Add sets e to a+b and then returns e. BUG(agl): this function is not complete: a==b fails.

func (*G2) Marshal 

func (n *G2) Marshal() []byte

Marshal converts n into a byte slice.

func (*G2) ScalarBaseMult 

func (e *G2) ScalarBaseMult(k *big.Int) *G2

ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.

func (*G2) ScalarMult 

func (e *G2) ScalarMult(a *G2, k *big.Int) *G2

ScalarMult sets e to a*k and then returns e.

func (*G2) String 

func (g *G2) String() string

func (*G2) Unmarshal 

func (e *G2) Unmarshal(m []byte) (*G2, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

type GT

GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input. 

type GT struct {
    // contains filtered or unexported fields
}

func Pair 

func Pair(g1 *G1, g2 *G2) *GT

Pair calculates an Optimal Ate pairing.

Example

Code:

// This implements the tripartite Diffie-Hellman algorithm from "A One
// Round Protocol for Tripartite Diffie-Hellman", A. Joux.
// http://www.springerlink.com/content/cddc57yyva0hburb/fulltext.pdf

// Each of three parties, a, b and c, generate a private value.
a, _ := rand.Int(rand.Reader, Order)
b, _ := rand.Int(rand.Reader, Order)
c, _ := rand.Int(rand.Reader, Order)

// Then each party calculates g₁ and g₂ times their private value.
pa := new(G1).ScalarBaseMult(a)
qa := new(G2).ScalarBaseMult(a)

pb := new(G1).ScalarBaseMult(b)
qb := new(G2).ScalarBaseMult(b)

pc := new(G1).ScalarBaseMult(c)
qc := new(G2).ScalarBaseMult(c)

// Now each party exchanges its public values with the other two and
// all parties can calculate the shared key.
k1 := Pair(pb, qc)
k1.ScalarMult(k1, a)

k2 := Pair(pc, qa)
k2.ScalarMult(k2, b)

k3 := Pair(pa, qb)
k3.ScalarMult(k3, c)

// k1, k2 and k3 will all be equal.

func (*GT) Add 

func (e *GT) Add(a, b *GT) *GT

Add sets e to a+b and then returns e.

func (*GT) Marshal 

func (n *GT) Marshal() []byte

Marshal converts n into a byte slice.

func (*GT) Neg 

func (e *GT) Neg(a *GT) *GT

Neg sets e to -a and then returns e.

func (*GT) ScalarMult 

func (e *GT) ScalarMult(a *GT, k *big.Int) *GT

ScalarMult sets e to a*k and then returns e.

func (*GT) String 

func (g *GT) String() string

func (*GT) Unmarshal 

func (e *GT) Unmarshal(m []byte) (*GT, bool)

Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

Bugs

  • this implementation is not constant time.

  • this function is not complete: a==b fails.

  • this function is not complete: a==b fails.