forked from dedis/kyber
Commit
* implement ethereum bn254
* pull in missing changes from geth
* make G2 points affine in ValidatePairing
* move bn254 to own dir
* fix bn254 GT Base and Null
* test G1 suite against gnark-crypto
* adapt G2 test to gnark-crypto, fix bn254 marshal ids
* fix G1 hashToPoint reference tests
* fix pairing/bn254/gfp_amd64.s
* use keccak256 instead of sha256 in bn254
* implement TestGT for bn254
* implement hashToField, expandMsgXmd
* implement mapToPoint
* implement hashToPoint
* rename toPointG1 -> fromBigInt
* add comments on mapToPoint, cleanup
* fix TestPointG1_HashToPoint with new keccak256 impl
* use ref implementation of expand_message_xmd
* panic if DST length > 255
* remove unnecessary iteration in expandMsgXmd
* update tests to use full length DSTs
* set DST in group instead of suite
* fix: actually write bytes in zeroPadBytes
* fix: leftpad intermediate prb in expandMsgXmd
* fix: leftpad intermediate xored hashes in expandMsgXmd
* add instructions to create hash-to-point reference values, remove old TODO
* remove irrelevant issue400 test for bn254
* use CX instead of R15 in amd64 replaying fix from geth, see: ethereum/go-ethereum@ec64358
  When using -buildmode=shared, R15 is clobbered by a global variable access; use a different register instead.
* remove gfp.h in bn254
* use geth's Unmarshal func: error out on invalid coordinates
* make constants z0 and z1 private
* check that random points are different in TestG1Ops
* implement Stringer interface for bn254 groups
* remove irrelevant benchmarks
* implement SVDW from RFC9380 for bn254 G1 map-to-point
* encode the right variable in hashToField
* borrow expand_message_xmd implementation from kilic-bls12381
* update test vectors in TestPointG1_HashToPoint, TestHashToField
* test expandMsgXmd against a copy of gnark's
* fix default DST for hash-to-curve
* remove unused fromBigInt func
* add sources for gfp exp/sqrt functions
* use curveB constant in g(x)
* create new DST buffers instead of passing refs
Parent: 266eb7b. Commit: 6fadd9d.
Showing 30 changed files with 9,814 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
Copyright (c) 2009 The Go Authors. All rights reserved. | ||
|
||
Redistribution and use in source and binary forms, with or without | ||
modification, are permitted provided that the following conditions are | ||
met: | ||
|
||
* Redistributions of source code must retain the above copyright | ||
notice, this list of conditions and the following disclaimer. | ||
* Redistributions in binary form must reproduce the above | ||
copyright notice, this list of conditions and the following disclaimer | ||
in the documentation and/or other materials provided with the | ||
distribution. | ||
* Neither the name of Google Inc. nor the names of its | ||
contributors may be used to endorse or promote products derived from | ||
this software without specific prior written permission. | ||
|
||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | ||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | ||
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | ||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
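Review bot: This notice is the Go Authors' BSD license, yet the README added in this same commit states the package is based on Cloudflare's bn256 implementation and the commit message says changes were pulled in from geth; clause 1 of this very license requires retaining the original copyright notices, so the Cloudflare notice (and any notice the geth-derived code carries) should be reproduced alongside this one unless they were simply dropped by the page extraction.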
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
## bn254 | ||
|
||
Package bn254 implements a particular bilinear group. | ||
|
||
Note: this _is_ the curve implemented in Ethereum. | ||
|
||
Bilinear groups are the basis of many of the new cryptographic protocols that | ||
have been proposed over the past decade. They consist of a triplet of groups | ||
(G₁, G₂ and GT) such that there exists a function e(g₁ˣ,g₂ʸ)=gTˣʸ (where gₓ is a | ||
generator of the respective group). That function is called a pairing function. | ||
|
||
This package specifically implements the Optimal Ate pairing over a 256-bit | ||
Barreto-Naehrig curve as described in | ||
http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with | ||
the implementation described in that paper. | ||
|
||
This package previously claimed to operate at a 128-bit security level. However, | ||
recent improvements in attacks mean that is no longer true. See | ||
https://moderncrypto.org/mail-archive/curves/2016/000740.html. | ||
|
||
## Kyber additions | ||
|
||
The basis for this package is [Cloudflare's bn256 implementation](https://github.com/cloudflare/bn256) | ||
which itself is an improved version of the [official bn256 package](https://golang.org/x/crypto/bn256). | ||
The package at hand maintains compatibility to Cloudflare's library. The biggest difference is the replacement of their | ||
[public API](https://github.com/cloudflare/bn256/blob/master/bn256.go) by a new | ||
one that is compatible to Kyber's scalar, point, group, and suite interfaces. |
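Review bot: The README describes the pairing as being over a "256-bit Barreto-Naehrig curve", but the prime p declared in this commit's constants is 254 bits long (its top limb 0x30644e72e131a029 is below 2^254), which is precisely why the package is named bn254; reword this so readers comparing it with the inherited "bn256" naming are not misled. The README also says nothing about hashing, although the commit message records that this package uses keccak256 rather than sha256, the SVDW map from RFC 9380 for G1, and a per-group DST capped at 255 bytes; since interoperability with other bn254 hash-to-curve implementations hinges on exactly those choices, add a paragraph stating them and naming the default DST.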
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
package bn254 | ||
|
||
import ( | ||
"github.com/drand/kyber" | ||
) | ||
|
||
// SuiteBn254 is an adapter that implements the suites.Suite interface so that | ||
// bn254 can be used as a common suite to generate key pairs for instance but | ||
// still preserves the properties of the pairing (e.g. the Pair function). | ||
// | ||
// It's important to note that the Point function will generate a point | ||
// compatible with public keys only (group G2) where the signature must be | ||
// used as a point from the group G1. | ||
type SuiteBn254 struct { | ||
*Suite | ||
kyber.Group | ||
} | ||
|
||
// NewSuiteBn254 makes a new BN254 suite | ||
func NewSuiteBn254() *SuiteBn254 { | ||
return &SuiteBn254{ | ||
Suite: NewSuite(), | ||
} | ||
} | ||
|
||
// Point generates a point from the G2 group that can only be used | ||
// for public keys | ||
func (s *SuiteBn254) Point() kyber.Point { | ||
return s.G2().Point() | ||
} | ||
|
||
// PointLen returns the length of a G2 point | ||
func (s *SuiteBn254) PointLen() int { | ||
return s.G2().PointLen() | ||
} | ||
|
||
// Scalar generates a scalar | ||
func (s *SuiteBn254) Scalar() kyber.Scalar { | ||
return s.G1().Scalar() | ||
} | ||
|
||
// ScalarLen returns the lenght of a scalar | ||
func (s *SuiteBn254) ScalarLen() int { | ||
return s.G1().ScalarLen() | ||
} | ||
|
||
// String returns the name of the suite | ||
func (s *SuiteBn254) String() string { | ||
return "bn254.adapter" | ||
} |
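Review bot: Typo in the ScalarLen doc comment: "lenght" should be "length". More substantively, the embedded kyber.Group field is never assigned in NewSuiteBn254, so it is always nil; that only works because every kyber.Group method the adapter exposes (String, ScalarLen, Scalar, PointLen, Point) is overridden here, and a method added to the interface later would surface as a nil-pointer panic at call time instead of a compile error. Either drop the embedding and keep a compile-time check such as `var _ kyber.Group = (*SuiteBn254)(nil)`, or add a comment saying the field exists only to satisfy the interface and must never be called through.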
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package bn254 | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/drand/kyber/util/key" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestAdapter_SuiteBn254(t *testing.T) { | ||
suite := NewSuiteBn254() | ||
|
||
pair := key.NewKeyPair(suite) | ||
pubkey, err := pair.Public.MarshalBinary() | ||
require.Nil(t, err) | ||
privkey, err := pair.Private.MarshalBinary() | ||
require.Nil(t, err) | ||
|
||
pubhex := suite.Point() | ||
err = pubhex.UnmarshalBinary(pubkey) | ||
require.Nil(t, err) | ||
|
||
privhex := suite.Scalar() | ||
err = privhex.UnmarshalBinary(privkey) | ||
require.Nil(t, err) | ||
|
||
require.Equal(t, "bn254.adapter", suite.String()) | ||
} |
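Review bot: The round trip only checks that UnmarshalBinary returns no error; it never asserts that the decoded values equal the originals, so a marshal/unmarshal pair that silently produced a different point or scalar would still pass. Add `require.True(t, pubhex.Equal(pair.Public))` and `require.True(t, privhex.Equal(pair.Private))` after the two unmarshals, and rename pubhex/privhex, which hold a decoded point and scalar rather than hex strings.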
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
package bn254 | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/drand/kyber/sign/bls" | ||
"github.com/drand/kyber/sign/test" | ||
) | ||
|
||
func TestBLSSchemeBN254G1(t *testing.T) { | ||
suite := NewSuite() | ||
s := bls.NewSchemeOnG1(suite) | ||
test.SchemeTesting(t, s) | ||
} |
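Review bot: Only the layout with signatures on G1 and public keys on G2 is exercised, which matches the adapter whose Point() returns G2 points. If the mirrored layout is also meant to be supported, add a parallel test with the G2-signature scheme; if it is not (the commit message only records "implement SVDW from RFC9380 for bn254 G1 map-to-point"), a one-line comment here saying hash-to-point exists only for G1 would save the next reader a search.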
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
package bn254 | ||
|
||
import ( | ||
"math/big" | ||
) | ||
|
||
func bigFromBase10(s string) *big.Int { | ||
n, _ := new(big.Int).SetString(s, 10) | ||
return n | ||
} | ||
|
||
// u is the BN parameter. | ||
var u = bigFromBase10("4965661367192848881") | ||
|
||
// Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1. | ||
// Needs to be highly 2-adic for efficient SNARK key and proof generation. | ||
// Order - 1 = 2^28 * 3^2 * 13 * 29 * 983 * 11003 * 237073 * 405928799 * 1670836401704629 * 13818364434197438864469338081. | ||
// Refer to https://eprint.iacr.org/2013/879.pdf and https://eprint.iacr.org/2013/507.pdf for more information on these parameters. | ||
var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617") | ||
|
||
// p is a prime over which we form a basic field: 36u⁴+36u³+24u²+6u+1. | ||
var p = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583") | ||
|
||
// p2 is p, represented as little-endian 64-bit words. | ||
var p2 = [4]uint64{0x3c208c16d87cfd47, 0x97816a916871ca8d, 0xb85045b68181585d, 0x30644e72e131a029} | ||
|
||
var curveB = newGFp(3) | ||
|
||
// np is the negative inverse of p, mod 2^256. | ||
var np = [4]uint64{0x87d20782e4866389, 0x9ede7d651eca6ac9, 0xd8afcbd01833da80, 0xf57a22b791888c6b} | ||
|
||
// rN1 is R^-1 where R = 2^256 mod p. | ||
var rN1 = &gfP{0xed84884a014afa37, 0xeb2022850278edf8, 0xcf63e9cfb74492d9, 0x2e67157159e5c639} | ||
|
||
// r2 is R^2 where R = 2^256 mod p. | ||
var r2 = &gfP{0xf32cfc5b538afa89, 0xb5e71911d44501fb, 0x47ab1eff0a417ff6, 0x06d89f71cab8351f} | ||
|
||
// r3 is R^3 where R = 2^256 mod p. | ||
var r3 = &gfP{0xb1cd6dafda1530df, 0x62f210e6a7283db6, 0xef7f0b0c0ada0afb, 0x20fd6e902d592544} | ||
|
||
// xiToPMinus1Over6 is ξ^((p-1)/6) where ξ = i+9. | ||
var xiToPMinus1Over6 = &gfP2{gfP{0xa222ae234c492d72, 0xd00f02a4565de15b, 0xdc2ff3a253dfc926, 0x10a75716b3899551}, gfP{0xaf9ba69633144907, 0xca6b1d7387afb78a, 0x11bded5ef08a2087, 0x02f34d751a1f3a7c}} | ||
|
||
// xiToPMinus1Over3 is ξ^((p-1)/3) where ξ = i+9. | ||
var xiToPMinus1Over3 = &gfP2{gfP{0x6e849f1ea0aa4757, 0xaa1c7b6d89f89141, 0xb6e713cdfae0ca3a, 0x26694fbb4e82ebc3}, gfP{0xb5773b104563ab30, 0x347f91c8a9aa6454, 0x7a007127242e0991, 0x1956bcd8118214ec}} | ||
|
||
// xiToPMinus1Over2 is ξ^((p-1)/2) where ξ = i+9. | ||
var xiToPMinus1Over2 = &gfP2{gfP{0xa1d77ce45ffe77c7, 0x07affd117826d1db, 0x6d16bd27bb7edc6b, 0x2c87200285defecc}, gfP{0xe4bbdd0c2936b629, 0xbb30f162e133bacb, 0x31a9d1b6f9645366, 0x253570bea500f8dd}} | ||
|
||
// xiToPSquaredMinus1Over3 is ξ^((p²-1)/3) where ξ = i+9. | ||
var xiToPSquaredMinus1Over3 = &gfP{0x3350c88e13e80b9c, 0x7dce557cdb5e56b9, 0x6001b4b8b615564a, 0x2682e617020217e0} | ||
|
||
// xiTo2PSquaredMinus2Over3 is ξ^((2p²-2)/3) where ξ = i+9 (a cubic root of unity, mod p). | ||
var xiTo2PSquaredMinus2Over3 = &gfP{0x71930c11d782e155, 0xa6bb947cffbe3323, 0xaa303344d4741444, 0x2c3b3f0d26594943} | ||
|
||
// xiToPSquaredMinus1Over6 is ξ^((1p²-1)/6) where ξ = i+9 (a cubic root of -1, mod p). | ||
var xiToPSquaredMinus1Over6 = &gfP{0xca8d800500fa1bf2, 0xf0c5d61468b39769, 0x0e201271ad0d4418, 0x04290f65bad856e6} | ||
|
||
// xiTo2PMinus2Over3 is ξ^((2p-2)/3) where ξ = i+9. | ||
var xiTo2PMinus2Over3 = &gfP2{gfP{0x5dddfd154bd8c949, 0x62cb29a5a4445b60, 0x37bc870a0c7dd2b9, 0x24830a9d3171f0fd}, gfP{0x7361d77f843abe92, 0xa5bb2bd3273411fb, 0x9c941f314b3e2399, 0x15df9cddbb9fd3ec}} | ||
|
||
// g(Z) | ||
var c1 = &gfP{0x115482203dbf392d, 0x926242126eaa626a, 0xe16a48076063c052, 0x07c5909386eddc93} | ||
|
||
// -Z / 2 | ||
var c2 = &gfP{0xb461a4448976f7d5, 0xc6843fb439555fa7, 0x28f0d12384840918, 0x112ceb58a394e07d} | ||
|
||
// sqrt(-g(Z) * (3 * Z^2 + 4 * A)) | ||
var c3 = &gfP{0x7c8487078735ab72, 0x51da7e0048bfb8d4, 0x945cfd183cbd7bf4, 0x0b70b1ec48ae62c6} | ||
|
||
// 4 * -g(Z) / (3 * Z^2 + 4 * A) | ||
var c4 = &gfP{0xa79a2bdca0800831, 0x19fd7617e49815a1, 0xbb8d0c885550c7b1, 0x05c4aeb6ec7e0f48} | ||
|
||
var pMinus1Over2 = [4]uint64{0x9e10460b6c3e7ea3, 0xcbc0b548b438e546, 0xdc2822db40c0ac2e, 0x183227397098d014} | ||
|
||
var pPlus1Over4 = [4]uint64{0x4f082305b61f3f52, 0x65e05aa45a1c72a3, 0x6e14116da0605617, 0xc19139cb84c680a} |
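Review bot: The comment on xiToPSquaredMinus1Over6 reads ξ^((1p²-1)/6); drop the stray "1" so it reads ξ^((p²-1)/6) like its neighbours. The SVDW constants c1..c4 are documented only as formulas in Z and A: state the Z actually used, note that A = 0 here because the curve is y² = x³ + 3 (cf. curveB), point at RFC 9380 section 6.6.1 where these four constants are defined, and record which square root was chosen for c3 (the RFC fixes sgn0(c3) == 0), since picking the other root changes every output of the map. pMinus1Over2 and pPlus1Over4 carry no comment at all; say that they are the Euler-criterion and square-root exponents, which are valid only because p ≡ 3 (mod 4) (the low limb of p2 ends in 0x47), and pad the last limb of pPlus1Over4 (0xc19139cb84c680a) to 16 hex digits like every other limb so it can be eyeballed against p2.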