Documentation

Overview

    Package bn256 implements a particular bilinear group at the 128-bit security level.

    Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.

    This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is not compatible with the implementation described in that paper, as different parameters are chosen.

    (This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See https://moderncrypto.org/mail-archive/curves/2016/000740.html.)

    Index

    Constants

    This section is empty.

    Variables

    View Source
    var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617")

      Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1. Needs to be highly 2-adic for efficient SNARK key and proof generation. Order - 1 = 2^28 * 3^2 * 13 * 29 * 983 * 11003 * 237073 * 405928799 * 1670836401704629 * 13818364434197438864469338081. Refer to https://eprint.iacr.org/2013/879.pdf and https://eprint.iacr.org/2013/507.pdf for more information on these parameters.

      View Source
      var P = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583")

        P is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.

        Functions

        func PairingCheck

        func PairingCheck(a []*G1, b []*G2) bool

          PairingCheck calculates the Optimal Ate pairing for a set of points.

          Types

          type G1

          type G1 struct {
          	// contains filtered or unexported fields
          }

            G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

            func RandomG1

            func RandomG1(r io.Reader) (*big.Int, *G1, error)

              RandomG1 returns x and g₁ˣ where x is a random, non-zero number read from r.

              func (*G1) Add

              func (e *G1) Add(a, b *G1) *G1

                Add sets e to a+b and then returns e.

                func (*G1) Marshal

                func (e *G1) Marshal() []byte

                  Marshal converts e to a byte slice.

                  func (*G1) Neg

                  func (e *G1) Neg(a *G1) *G1

                    Neg sets e to -a and then returns e.

                    func (*G1) ScalarBaseMult

                    func (e *G1) ScalarBaseMult(k *big.Int) *G1

                      ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.

                      func (*G1) ScalarMult

                      func (e *G1) ScalarMult(a *G1, k *big.Int) *G1

                        ScalarMult sets e to a*k and then returns e.

                        func (*G1) Set

                        func (e *G1) Set(a *G1) *G1

                          Set sets e to a and then returns e.

                          func (*G1) String

                          func (g *G1) String() string

                          func (*G1) Unmarshal

                          func (e *G1) Unmarshal(m []byte) ([]byte, error)

                            Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

                            type G2

                            type G2 struct {
                            	// contains filtered or unexported fields
                            }

                              G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

                              func RandomG2

                              func RandomG2(r io.Reader) (*big.Int, *G2, error)

                                RandomG2 returns x and g₂ˣ where x is a random, non-zero number read from r.

                                func (*G2) Add

                                func (e *G2) Add(a, b *G2) *G2

                                  Add sets e to a+b and then returns e.

                                  func (*G2) Marshal

                                  func (e *G2) Marshal() []byte

                                    Marshal converts e into a byte slice.

                                    func (*G2) Neg

                                    func (e *G2) Neg(a *G2) *G2

                                      Neg sets e to -a and then returns e.

                                      func (*G2) ScalarBaseMult

                                      func (e *G2) ScalarBaseMult(k *big.Int) *G2

                                        ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.

                                        func (*G2) ScalarMult

                                        func (e *G2) ScalarMult(a *G2, k *big.Int) *G2

                                          ScalarMult sets e to a*k and then returns e.

                                          func (*G2) Set

                                          func (e *G2) Set(a *G2) *G2

                                            Set sets e to a and then returns e.

                                            func (*G2) String

                                            func (e *G2) String() string

                                            func (*G2) Unmarshal

                                            func (e *G2) Unmarshal(m []byte) ([]byte, error)

                                              Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.

                                              type GT

                                              type GT struct {
                                              	// contains filtered or unexported fields
                                              }

                                                GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.

                                                func Miller

                                                func Miller(g1 *G1, g2 *G2) *GT

                                                  Miller applies Miller's algorithm, which is a bilinear function from the source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, g2).

                                                  func Pair

                                                  func Pair(g1 *G1, g2 *G2) *GT

                                                    Pair calculates an Optimal Ate pairing.

                                                    func (*GT) Add

                                                    func (e *GT) Add(a, b *GT) *GT

                                                      Add sets e to a+b and then returns e.

                                                      func (*GT) Finalize

                                                      func (e *GT) Finalize() *GT

                                                        Finalize is a linear function from F_p^12 to GT.

                                                        func (*GT) Marshal

                                                        func (e *GT) Marshal() []byte

                                                          Marshal converts e into a byte slice.

                                                          func (*GT) Neg

                                                          func (e *GT) Neg(a *GT) *GT

                                                            Neg sets e to -a and then returns e.

                                                            func (*GT) ScalarMult

                                                            func (e *GT) ScalarMult(a *GT, k *big.Int) *GT

                                                              ScalarMult sets e to a*k and then returns e.

                                                              func (*GT) Set

                                                              func (e *GT) Set(a *GT) *GT

                                                                Set sets e to a and then returns e.

                                                                func (*GT) String

                                                                func (g *GT) String() string

                                                                func (*GT) Unmarshal

                                                                func (e *GT) Unmarshal(m []byte) ([]byte, error)

                                                                  Unmarshal sets e to the result of converting the output of Marshal back into a group element and then returns e.