README
¶
bn256
Package sm9 implements a particular bilinear group at the 128-bit security
level. It is a modification of the official version at
https://golang.org/x/crypto/bn256 but all operations are ~10 times faster on
amd64 and arm64. There is a lattices branch for non-commercial use where
non-pairing operations are up to ~20 times faster.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
Benchmarks
branch master:
BenchmarkG1-4 10000 154995 ns/op
BenchmarkG2-4 3000 541503 ns/op
BenchmarkGT-4 1000 1267811 ns/op
BenchmarkPairing-4 1000 1630584 ns/op
branch lattices:
BenchmarkG1-4 20000 92198 ns/op
BenchmarkG2-4 5000 340622 ns/op
BenchmarkGT-4 2000 635061 ns/op
BenchmarkPairing-4 1000 1629943 ns/op
official version:
BenchmarkG1-4 1000 2268491 ns/op
BenchmarkG2-4 300 7227637 ns/op
BenchmarkGT-4 100 15121359 ns/op
BenchmarkPairing-4 50 20296164 ns/op
Documentation
¶
Overview ¶
Package sm9 implements a particular bilinear group at the 128-bit security level.
Bilinear groups are the basis of many of the new cryptographic protocols that have been proposed over the past decade. They consist of a triplet of groups (G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a generator of the respective group). That function is called a pairing function.
This package specifically implements the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper.
Index ¶
- Variables
- func AffineToPoint(x, y *big.Int) (xyz *[12]uint64)
- func CompressP(x, y *big.Int) []byte
- func CurveP2InternalP(point *curvePoint) (out *[12]uint64)
- func DecompressP(data []byte) (x, y *big.Int)
- func DecompressPointX4Y(x *big.Int, ybit bool) *big.Int
- func FieldMul(res, in1, in2 []uint64)
- func G1ToBig(g1 *G1) (x, y *big.Int)
- func G2ToBytes(point *G2) []byte
- func GtToBytes(point *GT) []byte
- func InitBigTable(Bx, By *big.Int) *[43][32 * 8]uint64
- func InternalP2CurveAffineP(xyz *[12]uint64) (out *curvePointAffine)
- func InternalP2CurveP(xyz *[12]uint64) (out *curvePoint)
- func JacobianAdd(p1, p2 *[12]uint64) (r1 *[12]uint64)
- func JacobianAddAffine(p1, p2 *[12]uint64) (r1 *[12]uint64)
- func JacobianDouble(p1 *[12]uint64) (r1 *[12]uint64)
- func ModInverseOrder(a *big.Int) *big.Int
- func ModInverseP(a []uint64) []uint64
- func ModSqrtP(a *big.Int) *big.Int
- func MontgomaryR() []uint64
- func MontgomaryR2() []uint64
- func PointNegCondition(p1 *[12]uint64, condition int)
- func PointToAffine(xyz *[12]uint64) (x, y *big.Int)
- type Curve
- func (curve *Curve) Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int)
- func (curve *Curve) CombinedMult(bigX, bigY *big.Int, baseScalar, scalar []byte) (x, y *big.Int)
- func (curve *Curve) Compress(x, y *big.Int) []byte
- func (curve *Curve) Decompress(in []byte) (x, y *big.Int, err error)
- func (curve *Curve) Double(x1, y1 *big.Int) (x, y *big.Int)
- func (curve *Curve) IsOnCurve(x, y *big.Int) bool
- func (curve *Curve) Neg(x1, y1 *big.Int) (x, y *big.Int)
- func (curve *Curve) Params() *elliptic.CurveParams
- func (curve *Curve) ScalarBaseMult(k []byte) (x, y *big.Int)
- func (curve *Curve) ScalarMult(x1, y1 *big.Int, k []byte) (x, y *big.Int)
- type G1
- func (e *G1) Add(a, b *G1) *G1
- func (e *G1) CombinedMult(H *G1, baseScalar, scalar *big.Int) *G1
- func (e *G1) Marshal() []byte
- func (e *G1) Neg(a *G1) *G1
- func (e *G1) ScalarBaseMult(k *big.Int) *G1
- func (e *G1) ScalarMult(a *G1, k *big.Int) *G1
- func (e *G1) Set(a *G1) *G1
- func (g *G1) String() string
- func (e *G1) Unmarshal(m []byte) ([]byte, error)
- type G2
- type GT
- func (e *GT) Add(a, b *GT) *GT
- func (e *GT) Finalize() *GT
- func (e *GT) Marshal() []byte
- func (e *GT) Neg(a *GT) *GT
- func (e *GT) ScalarBaseMult(k *big.Int) *GT
- func (e *GT) ScalarMult(a *GT, k *big.Int) *GT
- func (e *GT) Set(a *GT) *GT
- func (g *GT) String() string
- func (e *GT) Unmarshal(m []byte) ([]byte, error)
Constants ¶
This section is empty.
Variables ¶
var DoubleGx = &gfP{0x8fdf2548f0fde68, 0xc80ddebf804d6dd4, 0xc8cef5282905b7ca, 0x6007e08434132464}
var G1x = &gfP{0x22e935e29860501b, 0xa946fd5e0073282c, 0xefd0cec817a649be, 0x5129787c869140b5}
need mogo format //somin 1023change and check; var G1x = &gfP{0xe8c4e4817c66dddd, 0xe1e4086909dc3280, 0xf5ed0704487d01d6, 0x93de051d62bf718f}
var G1y = &gfP{0xee779649eb87f7c7, 0x15563cbdec30a576, 0x326353912824efbf, 0x7215717763c39828}
var Order = bigFromBase16("B640000002A3A6F1D603AB4FF58EC74449F2934B18EA8BEEE56EE19CD69ECF25")
Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
var Sm9_p = bigFromBase16("B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D") //checked
p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1.//u = t
Functions ¶
func AffineToPoint ¶
func CurveP2InternalP ¶
func CurveP2InternalP(point *curvePoint) (out *[12]uint64)
func DecompressP ¶
Decompress decompress a byte string to a point
func DecompressPointX4Y ¶
decompressPoint decompresses a point on the given curve given the X point and the solution to use.
func InitBigTable ¶
func InternalP2CurveAffineP ¶
func InternalP2CurveAffineP(xyz *[12]uint64) (out *curvePointAffine)
func InternalP2CurveP ¶
func InternalP2CurveP(xyz *[12]uint64) (out *curvePoint)
func JacobianAdd ¶
func JacobianAddAffine ¶
func JacobianDouble ¶
func ModInverseP ¶
func montEncode(c, a *gfP) { gfpMul(c, a, r2) }
func MontgomaryR ¶
func MontgomaryR() []uint64
func MontgomaryR2 ¶
func MontgomaryR2() []uint64
func PointNegCondition ¶
func PointToAffine ¶
Types ¶
type Curve ¶
type Curve struct {
*elliptic.CurveParams
}
func (*Curve) CombinedMult ¶
CombinedMult do baseScalar*G + scalar*(X,Y)
func (*Curve) Params ¶
func (curve *Curve) Params() *elliptic.CurveParams
Params returns the parameters for the curve.
func (*Curve) ScalarBaseMult ¶
ScalarBaseMult returns k*G, where G is the base point of the group and k is an integer in big-endian form.
type G1 ¶
type G1 struct {
// contains filtered or unexported fields
}
G1 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func (*G1) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns e.
func (*G1) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
type G2 ¶
type G2 struct {
// contains filtered or unexported fields
}
G2 is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func (*G2) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.
func (*G2) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
type GT ¶
type GT struct {
// contains filtered or unexported fields
}
GT is an abstract cyclic group. The zero value is suitable for use as the output of an operation, but cannot be used as an input.
func Miller ¶
Miller applies Miller's algorithm, which is a bilinear function from the source groups to F_p^12. Miller(g1, g2).Finalize() is equivalent to Pair(g1, g2).
func (*GT) ScalarBaseMult ¶
ScalarBaseMult sets e to g*k where g is the generator of the group and then returns out.
func (*GT) ScalarMult ¶
ScalarMult sets e to a*k and then returns e.
Source Files