aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
Diffstat (limited to 'crypto')
-rw-r--r--crypto/bn256/cloudflare/gfp_amd64.s2
-rw-r--r--crypto/bn256/cloudflare/gfp_decl.go7
-rw-r--r--crypto/bn256/google/bn256.go40
-rw-r--r--crypto/bn256/google/curve.go10
-rw-r--r--crypto/bn256/google/twist.go10
5 files changed, 52 insertions, 17 deletions
diff --git a/crypto/bn256/cloudflare/gfp_amd64.s b/crypto/bn256/cloudflare/gfp_amd64.s
index 3a785d200..bdb4ffb78 100644
--- a/crypto/bn256/cloudflare/gfp_amd64.s
+++ b/crypto/bn256/cloudflare/gfp_amd64.s
@@ -110,7 +110,7 @@ TEXT ·gfpMul(SB),0,$160-24
MOVQ b+16(FP), SI
// Jump to a slightly different implementation if MULX isn't supported.
- CMPB runtime·support_bmi2(SB), $0
+ CMPB ·hasBMI2(SB), $0
JE nobmi2Mul
mulBMI2(0(DI),8(DI),16(DI),24(DI), 0(SI))
diff --git a/crypto/bn256/cloudflare/gfp_decl.go b/crypto/bn256/cloudflare/gfp_decl.go
index 6a8a4fddb..fdea5c11a 100644
--- a/crypto/bn256/cloudflare/gfp_decl.go
+++ b/crypto/bn256/cloudflare/gfp_decl.go
@@ -5,6 +5,13 @@ package bn256
// This file contains forward declarations for the architecture-specific
// assembly implementations of these functions, provided that they exist.
+import (
+ "golang.org/x/sys/cpu"
+)
+
+//nolint:varcheck
+var hasBMI2 = cpu.X86.HasBMI2
+
// go:noescape
func gfpNeg(c, a *gfP)
diff --git a/crypto/bn256/google/bn256.go b/crypto/bn256/google/bn256.go
index 5da83e033..e0402e51f 100644
--- a/crypto/bn256/google/bn256.go
+++ b/crypto/bn256/google/bn256.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// Package bn256 implements a particular bilinear group at the 128-bit security level.
+// Package bn256 implements a particular bilinear group.
//
// Bilinear groups are the basis of many of the new cryptographic protocols
// that have been proposed over the past decade. They consist of a triplet of
@@ -14,6 +14,10 @@
// Barreto-Naehrig curve as described in
// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
// with the implementation described in that paper.
+//
+// (This package previously claimed to operate at a 128-bit security level.
+// However, recent improvements in attacks mean that is no longer true. See
+// https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
package bn256
import (
@@ -50,8 +54,8 @@ func RandomG1(r io.Reader) (*big.Int, *G1, error) {
return k, new(G1).ScalarBaseMult(k), nil
}
-func (g *G1) String() string {
- return "bn256.G1" + g.p.String()
+func (e *G1) String() string {
+ return "bn256.G1" + e.p.String()
}
// CurvePoints returns p's curve points in big integer
@@ -98,15 +102,19 @@ func (e *G1) Neg(a *G1) *G1 {
}
// Marshal converts n to a byte slice.
-func (n *G1) Marshal() []byte {
- n.p.MakeAffine(nil)
-
- xBytes := new(big.Int).Mod(n.p.x, P).Bytes()
- yBytes := new(big.Int).Mod(n.p.y, P).Bytes()
-
+func (e *G1) Marshal() []byte {
// Each value is a 256-bit number.
const numBytes = 256 / 8
+ if e.p.IsInfinity() {
+ return make([]byte, numBytes*2)
+ }
+
+ e.p.MakeAffine(nil)
+
+ xBytes := new(big.Int).Mod(e.p.x, P).Bytes()
+ yBytes := new(big.Int).Mod(e.p.y, P).Bytes()
+
ret := make([]byte, numBytes*2)
copy(ret[1*numBytes-len(xBytes):], xBytes)
copy(ret[2*numBytes-len(yBytes):], yBytes)
@@ -175,8 +183,8 @@ func RandomG2(r io.Reader) (*big.Int, *G2, error) {
return k, new(G2).ScalarBaseMult(k), nil
}
-func (g *G2) String() string {
- return "bn256.G2" + g.p.String()
+func (e *G2) String() string {
+ return "bn256.G2" + e.p.String()
}
// CurvePoints returns the curve points of p which includes the real
@@ -216,6 +224,13 @@ func (e *G2) Add(a, b *G2) *G2 {
// Marshal converts n into a byte slice.
func (n *G2) Marshal() []byte {
+ // Each value is a 256-bit number.
+ const numBytes = 256 / 8
+
+ if n.p.IsInfinity() {
+ return make([]byte, numBytes*4)
+ }
+
n.p.MakeAffine(nil)
xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes()
@@ -223,9 +238,6 @@ func (n *G2) Marshal() []byte {
yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes()
yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes()
- // Each value is a 256-bit number.
- const numBytes = 256 / 8
-
ret := make([]byte, numBytes*4)
copy(ret[1*numBytes-len(xxBytes):], xxBytes)
copy(ret[2*numBytes-len(xyBytes):], xyBytes)
diff --git a/crypto/bn256/google/curve.go b/crypto/bn256/google/curve.go
index 3e679fdc7..819cb81da 100644
--- a/crypto/bn256/google/curve.go
+++ b/crypto/bn256/google/curve.go
@@ -245,11 +245,19 @@ func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int, pool *bnPool) *curvePoi
return c
}
+// MakeAffine converts c to affine form and returns c. If c is ∞, then it sets
+// c to 0 : 1 : 0.
func (c *curvePoint) MakeAffine(pool *bnPool) *curvePoint {
if words := c.z.Bits(); len(words) == 1 && words[0] == 1 {
return c
}
-
+ if c.IsInfinity() {
+ c.x.SetInt64(0)
+ c.y.SetInt64(1)
+ c.z.SetInt64(0)
+ c.t.SetInt64(0)
+ return c
+ }
zInv := pool.Get().ModInverse(c.z, P)
t := pool.Get().Mul(c.y, zInv)
t.Mod(t, P)
diff --git a/crypto/bn256/google/twist.go b/crypto/bn256/google/twist.go
index 1f5a4d9de..43364ff5b 100644
--- a/crypto/bn256/google/twist.go
+++ b/crypto/bn256/google/twist.go
@@ -225,11 +225,19 @@ func (c *twistPoint) Mul(a *twistPoint, scalar *big.Int, pool *bnPool) *twistPoi
return c
}
+// MakeAffine converts c to affine form and returns c. If c is ∞, then it sets
+// c to 0 : 1 : 0.
func (c *twistPoint) MakeAffine(pool *bnPool) *twistPoint {
if c.z.IsOne() {
return c
}
-
+ if c.IsInfinity() {
+ c.x.SetZero()
+ c.y.SetOne()
+ c.z.SetZero()
+ c.t.SetZero()
+ return c
+ }
zInv := newGFp2(pool).Invert(c.z, pool)
t := newGFp2(pool).Mul(c.y, zInv, pool)
zInv2 := newGFp2(pool).Square(zInv, pool)