README
¶
High Speed BLS12-381 Implementation in Go
The code is from https://github.com/kilic/bls12-381 with some modification, including adding Apache license headers.
Following is the original readme content.
High Speed BLS12-381 Implementation in Go
Pairing Instance
A Group instance or a pairing engine instance is not suitable for concurrent processing since an instance has its own preallocated memory for temporary variables. A new instance must be created for each thread.
Base Field
x86 optimized base field is generated with kilic/fp and for native go is generated with goff. Generated codes are slightly edited in both for further requirements.
Scalar Field
Both standart big.Int module and x86 optimized implementation are available for scalar field elements and opereations.
Serialization
Point serialization is in line with zkcrypto library.
Hashing to Curve
Hashing to curve implementations for both G1 and G2 follows _XMD:SHA-256_SSWU_RO_ and _XMD:SHA-256_SSWU_NU_ suites as defined in v7 of irtf hash to curve draft.
Benchmarks
on 2.3 GHz i7
BenchmarkPairing 667720 ns/op
Documentation
¶
Index ¶
- Variables
- type E
- type Engine
- type G1
- func (g *G1) Add(r, p1, p2 *PointG1) *PointG1
- func (g *G1) Affine(p *PointG1) *PointG1
- func (g *G1) ClearCofactor(p *PointG1)
- func (g *G1) Double(r, p *PointG1) *PointG1
- func (g *G1) EncodeToCurve(f func() hash.Hash, msg, domain []byte) (*PointG1, error)
- func (g *G1) Equal(p1, p2 *PointG1) bool
- func (g *G1) FromBytes(in []byte) (*PointG1, error)
- func (g *G1) FromCompressed(compressed []byte) (*PointG1, error)
- func (g *G1) FromUncompressed(uncompressed []byte) (*PointG1, error)
- func (g *G1) HashToCurve(f func() hash.Hash, msg, domain []byte) (*PointG1, error)
- func (g *G1) InCorrectSubgroup(p *PointG1) bool
- func (g *G1) IsAffine(p *PointG1) bool
- func (g *G1) IsOnCurve(p *PointG1) bool
- func (g *G1) IsZero(p *PointG1) bool
- func (g *G1) MapToCurve(in []byte) (*PointG1, error)
- func (g *G1) MulScalar(c, p *PointG1, e *big.Int) *PointG1
- func (g *G1) MultiExp(r *PointG1, points []*PointG1, powers []*big.Int) (*PointG1, error)
- func (g *G1) Neg(r, p *PointG1) *PointG1
- func (g *G1) New() *PointG1
- func (g *G1) One() *PointG1
- func (g *G1) Q() *big.Int
- func (g *G1) Sub(c, a, b *PointG1) *PointG1
- func (g *G1) ToBytes(p *PointG1) []byte
- func (g *G1) ToCompressed(p *PointG1) []byte
- func (g *G1) ToUncompressed(p *PointG1) ([]byte, error)
- func (g *G1) Zero() *PointG1
- type G2
- func (g *G2) Add(r, p1, p2 *PointG2) *PointG2
- func (g *G2) Affine(p *PointG2) *PointG2
- func (g *G2) ClearCofactor(p *PointG2) *PointG2
- func (g *G2) Double(r, p *PointG2) *PointG2
- func (g *G2) EncodeToCurve(f func() hash.Hash, msg, domain []byte) (*PointG2, error)
- func (g *G2) Equal(p1, p2 *PointG2) bool
- func (g *G2) FromBytes(in []byte) (*PointG2, error)
- func (g *G2) FromCompressed(compressed []byte) (*PointG2, error)
- func (g *G2) FromUncompressed(uncompressed []byte) (*PointG2, error)
- func (g *G2) HashToCurve(f func() hash.Hash, msg, domain []byte) (*PointG2, error)
- func (g *G2) InCorrectSubgroup(p *PointG2) bool
- func (g *G2) IsAffine(p *PointG2) bool
- func (g *G2) IsOnCurve(p *PointG2) bool
- func (g *G2) IsZero(p *PointG2) bool
- func (g *G2) MapToCurve(in []byte) (*PointG2, error)
- func (g *G2) MulScalar(c, p *PointG2, e *big.Int) *PointG2
- func (g *G2) MultiExp(r *PointG2, points []*PointG2, powers []*big.Int) (*PointG2, error)
- func (g *G2) Neg(r, p *PointG2) *PointG2
- func (g *G2) New() *PointG2
- func (g *G2) One() *PointG2
- func (g *G2) Q() *big.Int
- func (g *G2) Sub(c, a, b *PointG2) *PointG2
- func (g *G2) ToBytes(p *PointG2) []byte
- func (g *G2) ToCompressed(p *PointG2) []byte
- func (g *G2) ToUncompressed(p *PointG2) ([]byte, error)
- func (g *G2) Zero() *PointG2
- type GT
- func (g *GT) Add(c, a, b *E)
- func (g *GT) Exp(c, a *E, s *big.Int)
- func (g *GT) FromBytes(in []byte) (*E, error)
- func (g *GT) Inverse(c, a *E)
- func (g *GT) IsValid(e *E) bool
- func (g *GT) Mul(c, a, b *E)
- func (g *GT) New() *E
- func (g *GT) Q() *big.Int
- func (g *GT) Square(c, a *E)
- func (g *GT) Sub(c, a, b *E)
- func (g *GT) ToBytes(e *E) []byte
- type PointG1
- type PointG2
Constants ¶
This section is empty.
Variables ¶
var G1One = g1One
var G2One = g2One
var Inp uint64 = 0x89f3fffcfffcfffd
Inp = -p^(-1) mod 2^64
Functions ¶
This section is empty.
Types ¶
type E ¶
type E = fe12
E is type for target group element
type Engine ¶
Engine is BLS12-381 elliptic curve pairing engine
func (*Engine) AddPair ¶
AddPair adds a g1, g2 point pair to pairing engine returns nil if no more pairs can be added
func (*Engine) AddPairInv ¶
AddPairInv adds a G1, G2 point pair to pairing engine. G1 point is negated. returns nil if no more pairs can be added
type G1 ¶
type G1 struct {
// contains filtered or unexported fields
}
G1 is struct for G1 group.
func (*G1) Affine ¶
Add adds two G1 points p1, p2 and assigns the result to point at first argument.
func (*G1) ClearCofactor ¶
ClearCofactor maps given a G1 point to correct subgroup
func (*G1) Double ¶
Double doubles a G1 point p and assigns the result to the point at first argument.
func (*G1) EncodeToCurve ¶
EncodeToCurve given a message and domain seperator tag returns the hash result which is a valid curve point. Implementation follows BLS12381G1_XMD:SHA-256_SSWU_NU_ suite at https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08
func (*G1) FromBytes ¶
FromBytes constructs a new point given uncompressed byte input. FromBytes does not take zcash flags into account. Byte input expected to be larger than 96 bytes. First 96 bytes should be concatenation of x and y values. Point (0, 0) is considered as infinity.
func (*G1) FromCompressed ¶
FromCompressed expects byte slice larger than 96 bytes and given bytes returns a new point in G1. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
func (*G1) FromUncompressed ¶
FromUncompressed expects byte slice larger than 96 bytes and given bytes returns a new point in G1. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
func (*G1) HashToCurve ¶
HashToCurve given a message and domain seperator tag returns the hash result which is a valid curve point. Implementation follows BLS12381G1_XMD:SHA-256_SSWU_RO_ suite at https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08
func (*G1) InCorrectSubgroup ¶
InCorrectSubgroup checks whether given point is in correct subgroup.
func (*G1) MapToCurve ¶
MapToCurve given a byte slice returns a valid G1 point. This mapping function implements the Simplified Shallue-van de Woestijne-Ulas method. https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08 Input byte slice should be a valid field element, otherwise an error is returned.
func (*G1) MulScalar ¶
MulScalar multiplies a point by given scalar value in big.Int and assigns the result to point at first argument.
func (*G1) MultiExp ¶
MultiExp calculates multi exponentiation. Given pairs of G1 point and scalar values (P_0, e_0), (P_1, e_1), ... (P_n, e_n) calculates r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n Length of points and scalars are expected to be equal, otherwise an error is returned. Result is assigned to point at first argument.
func (*G1) New ¶
New creates a new G1 Point which is equal to zero in other words point at infinity.
func (*G1) Sub ¶
Sub subtracts two G1 points p1, p2 and assigns the result to point at first argument.
func (*G1) ToBytes ¶
ToBytes serializes a point into bytes in uncompressed form. ToBytes does not take zcash flags into account. ToBytes returns (0, 0) if point is infinity.
func (*G1) ToCompressed ¶
ToCompressed given a G1 point returns bytes in compressed form of the point. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
func (*G1) ToUncompressed ¶
ToUncompressed given a G1 point returns bytes in uncompressed (x, y) form of the point. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
type G2 ¶
type G2 struct {
// contains filtered or unexported fields
}
G2 is struct for G2 group.
func (*G2) ClearCofactor ¶
ClearCofactor maps given a G2 point to correct subgroup
func (*G2) Double ¶
Double doubles a G2 point p and assigns the result to the point at first argument.
func (*G2) EncodeToCurve ¶
EncodeToCurve given a message and domain seperator tag returns the hash result which is a valid curve point. Implementation follows BLS12381G1_XMD:SHA-256_SSWU_NU_ suite at https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08
func (*G2) FromBytes ¶
FromBytes constructs a new point given uncompressed byte input. FromBytes does not take zcash flags into account. Byte input expected to be larger than 96 bytes. First 192 bytes should be concatenation of x and y values Point (0, 0) is considered as infinity.
func (*G2) FromCompressed ¶
FromCompressed expects byte slice larger than 96 bytes and given bytes returns a new point in G2. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
func (*G2) FromUncompressed ¶
FromUncompressed expects byte slice larger than 192 bytes and given bytes returns a new point in G2. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
func (*G2) HashToCurve ¶
HashToCurve given a message and domain seperator tag returns the hash result which is a valid curve point. Implementation follows BLS12381G1_XMD:SHA-256_SSWU_RO_ suite at https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08
func (*G2) InCorrectSubgroup ¶
InCorrectSubgroup checks whether given point is in correct subgroup.
func (*G2) MapToCurve ¶
MapToCurve given a byte slice returns a valid G2 point. This mapping function implements the Simplified Shallue-van de Woestijne-Ulas method. https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.2 Input byte slice should be a valid field element, otherwise an error is returned.
func (*G2) MulScalar ¶
MulScalar multiplies a point by given scalar value in big.Int and assigns the result to point at first argument.
func (*G2) MultiExp ¶
MultiExp calculates multi exponentiation. Given pairs of G2 point and scalar values (P_0, e_0), (P_1, e_1), ... (P_n, e_n) calculates r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n Length of points and scalars are expected to be equal, otherwise an error is returned. Result is assigned to point at first argument.
func (*G2) New ¶
New creates a new G2 Point which is equal to zero in other words point at infinity.
func (*G2) Sub ¶
Sub subtracts two G2 points p1, p2 and assigns the result to point at first argument.
func (*G2) ToBytes ¶
ToBytes serializes a point into bytes in uncompressed form, does not take zcash flags into account, returns (0, 0) if point is infinity.
func (*G2) ToCompressed ¶
ToCompressed given a G2 point returns bytes in compressed form of the point. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
func (*G2) ToUncompressed ¶
ToUncompressed given a G2 point returns bytes in uncompressed (x, y) form of the point. Serialization rules are in line with zcash library. See below for details. https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html
type GT ¶
type GT struct {
// contains filtered or unexported fields
}
GT is type for target multiplicative group GT.
func (*GT) Add ¶
Add adds two field element `a` and `b` and assigns the result to the element in first argument.
func (*GT) Exp ¶
Exp exponents an element `a` by a scalar `s` and assigns the result to the element in first argument.
func (*GT) FromBytes ¶
FromBytes expects 576 byte input and returns target group element FromBytes returns error if given element is not on correct subgroup.
func (*GT) Inverse ¶
Inverse inverses an element `a` and assigns the result to the element in first argument.
func (*GT) Mul ¶
Mul multiplies two field element `a` and `b` and assigns the result to the element in first argument.
func (*GT) Square ¶
Square squares an element `a` and assigns the result to the element in first argument.
type PointG1 ¶
type PointG1 [3]fe
PointG1 is type for point in G1. PointG1 is both used for Affine and Jacobian point representation. If z is equal to one the point is accounted as in affine form.
Source Files