README
¶
简介
BLS12-381是Sean Bowe在2017年设计的椭圆曲线,用于对Zcash协议进行更新,该曲线pairing-friendly并且可用于高效构建zkSnarks,许多协议使用它来实现数字签名和零知识证明。
BLS12-381里的两个数字解释如下:
12:曲线的嵌入度(后面再介绍概念)
381:曲线上的点坐标表示所需的bit位数,即有限域的modulus q 的位数。因为点的坐标来自质数阶有限域,我们可以用384位(48Bytes)来表示每个域元素,留3 bit来做标志位或者算术优化。这个位数是由安全需求与实现高效所共同决定的。
使用案例
在以太坊的官方源码里,bls12381主要在core/vm/contracts.go文件里被使用
func (c *bls12381MapG2) Run(input []byte) ([]byte, error)方法里
g := bls12381.NewG2()
// fe是一个长度为96的字节切片
r, err := g.MapToCurve(fe)
return g.EncodePoint(r)
func (c *bls12381MapG1) Run(input []byte) ([]byte, error)
g := bls12381.NewG1()
// fe是一个长度为48的字节切片
r, err := g.MapToCurve(fe)
return g.EncodePoint(r)
func (c *bls12381Pairing) Run(input []byte) ([]byte, error)
func (c *bls12381Pairing) Run(input []byte) ([]byte, error) {
// Implements EIP-2537 Pairing precompile logic.
// > Pairing call expects `384*k` bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure:
// > - `128` bytes of G1 point encoding
// > - `256` bytes of G2 point encoding
// > Output is a `32` bytes where last single byte is `0x01` if pairing result is equal to multiplicative identity in a pairing target field and `0x00` otherwise
// > (which is equivalent of Big Endian encoding of Solidity values `uint256(1)` and `uin256(0)` respectively).
k := len(input) / 384
if len(input) == 0 || len(input)%384 != 0 {
return nil, errBLS12381InvalidInputLength
}
// Initialize BLS12-381 pairing engine
e := bls12381.NewPairingEngine()
g1, g2 := e.G1, e.G2
// Decode pairs
for i := 0; i < k; i++ {
off := 384 * i
t0, t1, t2 := off, off+128, off+384
// Decode G1 point
p1, err := g1.DecodePoint(input[t0:t1])
if err != nil {
return nil, err
}
// Decode G2 point
p2, err := g2.DecodePoint(input[t1:t2])
if err != nil {
return nil, err
}
// 'point is on curve' check already done,
// Here we need to apply subgroup checks.
if !g1.InCorrectSubgroup(p1) {
return nil, errBLS12381G1PointSubgroup
}
if !g2.InCorrectSubgroup(p2) {
return nil, errBLS12381G2PointSubgroup
}
// Update pairing engine with G1 and G2 ponits
e.AddPair(p1, p2)
}
// Prepare 32 byte output
out := make([]byte, 32)
// Compute pairing and set the result
if e.Check() {
out[31] = 1
}
return out, nil
}
说明
因为编译器自动忽略的原因,以下源文件没有被understanding-ethereum包含进来:
- arithmetic_decl.go
- arithmetic_x86.s
- arithmetic_x86_adx.go
- arithmetic_x86_noadx.go
Documentation
¶
Index ¶
- type E
- type Engine
- type G1
- func (g *G1) Add(r, p1, p2 *PointG1) *PointG1
- func (g *G1) Affine(p *PointG1) *PointG1
- func (g *G1) ClearCofactor(p *PointG1)
- func (g *G1) DecodePoint(in []byte) (*PointG1, error)
- func (g *G1) Double(r, p *PointG1) *PointG1
- func (g *G1) EncodePoint(p *PointG1) []byte
- func (g *G1) Equal(p1, p2 *PointG1) bool
- func (g *G1) FromBytes(in []byte) (*PointG1, error)
- func (g *G1) InCorrectSubgroup(p *PointG1) bool
- func (g *G1) IsAffine(p *PointG1) bool
- func (g *G1) IsOnCurve(p *PointG1) bool
- func (g *G1) IsZero(p *PointG1) bool
- func (g *G1) MapToCurve(in []byte) (*PointG1, error)
- func (g *G1) MulScalar(c, p *PointG1, e *big.Int) *PointG1
- func (g *G1) MultiExp(r *PointG1, points []*PointG1, powers []*big.Int) (*PointG1, error)
- func (g *G1) Neg(r, p *PointG1) *PointG1
- func (g *G1) New() *PointG1
- func (g *G1) One() *PointG1
- func (g *G1) Q() *big.Int
- func (g *G1) Sub(c, a, b *PointG1) *PointG1
- func (g *G1) ToBytes(p *PointG1) []byte
- func (g *G1) Zero() *PointG1
- type G2
- func (g *G2) Add(r, p1, p2 *PointG2) *PointG2
- func (g *G2) Affine(p *PointG2) *PointG2
- func (g *G2) ClearCofactor(p *PointG2)
- func (g *G2) DecodePoint(in []byte) (*PointG2, error)
- func (g *G2) Double(r, p *PointG2) *PointG2
- func (g *G2) EncodePoint(p *PointG2) []byte
- func (g *G2) Equal(p1, p2 *PointG2) bool
- func (g *G2) FromBytes(in []byte) (*PointG2, error)
- func (g *G2) InCorrectSubgroup(p *PointG2) bool
- func (g *G2) IsAffine(p *PointG2) bool
- func (g *G2) IsOnCurve(p *PointG2) bool
- func (g *G2) IsZero(p *PointG2) bool
- func (g *G2) MapToCurve(in []byte) (*PointG2, error)
- func (g *G2) MulScalar(c, p *PointG2, e *big.Int) *PointG2
- func (g *G2) MultiExp(r *PointG2, points []*PointG2, powers []*big.Int) (*PointG2, error)
- func (g *G2) Neg(r, p *PointG2) *PointG2
- func (g *G2) New() *PointG2
- func (g *G2) One() *PointG2
- func (g *G2) Q() *big.Int
- func (g *G2) Sub(c, a, b *PointG2) *PointG2
- func (g *G2) ToBytes(p *PointG2) []byte
- func (g *G2) Zero() *PointG2
- type GT
- func (g *GT) Add(c, a, b *E)
- func (g *GT) Exp(c, a *E, s *big.Int)
- func (g *GT) FromBytes(in []byte) (*E, error)
- func (g *GT) Inverse(c, a *E)
- func (g *GT) IsValid(e *E) bool
- func (g *GT) Mul(c, a, b *E)
- func (g *GT) New() *E
- func (g *GT) Q() *big.Int
- func (g *GT) Square(c, a *E)
- func (g *GT) Sub(c, a, b *E)
- func (g *GT) ToBytes(e *E) []byte
- type PointG1
- type PointG2
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type E ¶
type E = fe12
E is type for target group element
type Engine ¶
Engine is BLS12-381 elliptic curve pairing engine
func NewPairingEngine ¶
func NewPairingEngine() *Engine
NewPairingEngine creates new pairing engine instance.
func (*Engine) AddPairInv ¶
AddPairInv adds a G1, G2 point pair to pairing engine. G1 point is negated.
type G1 ¶
type G1 struct {
// contains filtered or unexported fields
}
G1 is struct for G1 group.
func (*G1) Affine ¶
Add adds two G1 points p1, p2 and assigns the result to point at first argument.
func (*G1) ClearCofactor ¶
ClearCofactor maps given a G1 point to correct subgroup
func (*G1) DecodePoint ¶
DecodePoint given encoded (x, y) coordinates in 128 bytes returns a valid G1 Point.
func (*G1) Double ¶
Double doubles a G1 point p and assigns the result to the point at first argument.
func (*G1) EncodePoint ¶
EncodePoint encodes a point into 128 bytes.
func (*G1) FromBytes ¶
FromBytes constructs a new point given uncompressed byte input. FromBytes does not take zcash flags into account. Byte input expected to be larger than 96 bytes. First 96 bytes should be concatenation of x and y values. Point (0, 0) is considered as infinity.
func (*G1) InCorrectSubgroup ¶
InCorrectSubgroup checks whether given point is in correct subgroup.
func (*G1) MapToCurve ¶
MapToCurve given a byte slice returns a valid G1 point. This mapping function implements the Simplified Shallue-van de Woestijne-Ulas method. https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06 Input byte slice should be a valid field element, otherwise an error is returned.
func (*G1) MulScalar ¶
MulScalar multiplies a point by given scalar value in big.Int and assigns the result to point at first argument.
func (*G1) MultiExp ¶
MultiExp calculates multi exponentiation. Given pairs of G1 point and scalar values (P_0, e_0), (P_1, e_1), ... (P_n, e_n) calculates r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n Length of points and scalars are expected to be equal, otherwise an error is returned. Result is assigned to point at first argument.
func (*G1) New ¶
New creates a new G1 Point which is equal to zero in other words point at infinity.
func (*G1) Sub ¶
Sub subtracts two G1 points p1, p2 and assigns the result to point at first argument.
type G2 ¶
type G2 struct {
// contains filtered or unexported fields
}
G2 is struct for G2 group.
func (*G2) ClearCofactor ¶
ClearCofactor maps given a G2 point to correct subgroup
func (*G2) DecodePoint ¶
DecodePoint given encoded (x, y) coordinates in 256 bytes returns a valid G1 Point.
func (*G2) Double ¶
Double doubles a G2 point p and assigns the result to the point at first argument.
func (*G2) EncodePoint ¶
EncodePoint encodes a point into 256 bytes.
func (*G2) FromBytes ¶
FromBytes constructs a new point given uncompressed byte input. FromBytes does not take zcash flags into account. Byte input expected to be larger than 96 bytes. First 192 bytes should be concatenation of x and y values Point (0, 0) is considered as infinity.
func (*G2) InCorrectSubgroup ¶
InCorrectSubgroup checks whether given point is in correct subgroup.
func (*G2) MapToCurve ¶
MapToCurve given a byte slice returns a valid G2 point. This mapping function implements the Simplified Shallue-van de Woestijne-Ulas method. https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.2 Input byte slice should be a valid field element, otherwise an error is returned.
func (*G2) MulScalar ¶
MulScalar multiplies a point by given scalar value in big.Int and assigns the result to point at first argument.
func (*G2) MultiExp ¶
MultiExp calculates multi exponentiation. Given pairs of G2 point and scalar values (P_0, e_0), (P_1, e_1), ... (P_n, e_n) calculates r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n Length of points and scalars are expected to be equal, otherwise an error is returned. Result is assigned to point at first argument.
func (*G2) New ¶
New creates a new G2 Point which is equal to zero in other words point at infinity.
func (*G2) Sub ¶
Sub subtracts two G2 points p1, p2 and assigns the result to point at first argument.
type GT ¶
type GT struct {
// contains filtered or unexported fields
}
GT is type for target multiplicative group GT.
func (*GT) Add ¶
Add adds two field element `a` and `b` and assigns the result to the element in first argument.
func (*GT) Exp ¶
Exp exponents an element `a` by a scalar `s` and assigns the result to the element in first argument.
func (*GT) FromBytes ¶
FromBytes expects 576 byte input and returns target group element FromBytes returns error if given element is not on correct subgroup.
func (*GT) Inverse ¶
Inverse inverses an element `a` and assigns the result to the element in first argument.
func (*GT) Mul ¶
Mul multiplies two field element `a` and `b` and assigns the result to the element in first argument.
func (*GT) Square ¶
Square squares an element `a` and assigns the result to the element in first argument.
Source Files