aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/bn256/google/bn256.go
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/bn256/google/bn256.go')
-rw-r--r--crypto/bn256/google/bn256.go40
1 files changed, 26 insertions, 14 deletions
diff --git a/crypto/bn256/google/bn256.go b/crypto/bn256/google/bn256.go
index 5da83e033..e0402e51f 100644
--- a/crypto/bn256/google/bn256.go
+++ b/crypto/bn256/google/bn256.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// Package bn256 implements a particular bilinear group at the 128-bit security level.
+// Package bn256 implements a particular bilinear group.
//
// Bilinear groups are the basis of many of the new cryptographic protocols
// that have been proposed over the past decade. They consist of a triplet of
@@ -14,6 +14,10 @@
// Barreto-Naehrig curve as described in
// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
// with the implementation described in that paper.
+//
+// (This package previously claimed to operate at a 128-bit security level.
+// However, recent improvements in attacks mean that is no longer true. See
+// https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
package bn256
import (
@@ -50,8 +54,8 @@ func RandomG1(r io.Reader) (*big.Int, *G1, error) {
return k, new(G1).ScalarBaseMult(k), nil
}
-func (g *G1) String() string {
- return "bn256.G1" + g.p.String()
+func (e *G1) String() string {
+ return "bn256.G1" + e.p.String()
}
// CurvePoints returns p's curve points in big integer
@@ -98,15 +102,19 @@ func (e *G1) Neg(a *G1) *G1 {
}
// Marshal converts n to a byte slice.
-func (n *G1) Marshal() []byte {
- n.p.MakeAffine(nil)
-
- xBytes := new(big.Int).Mod(n.p.x, P).Bytes()
- yBytes := new(big.Int).Mod(n.p.y, P).Bytes()
-
+func (e *G1) Marshal() []byte {
// Each value is a 256-bit number.
const numBytes = 256 / 8
+ if e.p.IsInfinity() {
+ return make([]byte, numBytes*2)
+ }
+
+ e.p.MakeAffine(nil)
+
+ xBytes := new(big.Int).Mod(e.p.x, P).Bytes()
+ yBytes := new(big.Int).Mod(e.p.y, P).Bytes()
+
ret := make([]byte, numBytes*2)
copy(ret[1*numBytes-len(xBytes):], xBytes)
copy(ret[2*numBytes-len(yBytes):], yBytes)
@@ -175,8 +183,8 @@ func RandomG2(r io.Reader) (*big.Int, *G2, error) {
return k, new(G2).ScalarBaseMult(k), nil
}
-func (g *G2) String() string {
- return "bn256.G2" + g.p.String()
+func (e *G2) String() string {
+ return "bn256.G2" + e.p.String()
}
// CurvePoints returns the curve points of p which includes the real
@@ -216,6 +224,13 @@ func (e *G2) Add(a, b *G2) *G2 {
// Marshal converts n into a byte slice.
func (n *G2) Marshal() []byte {
+ // Each value is a 256-bit number.
+ const numBytes = 256 / 8
+
+ if n.p.IsInfinity() {
+ return make([]byte, numBytes*4)
+ }
+
n.p.MakeAffine(nil)
xxBytes := new(big.Int).Mod(n.p.x.x, P).Bytes()
@@ -223,9 +238,6 @@ func (n *G2) Marshal() []byte {
yxBytes := new(big.Int).Mod(n.p.y.x, P).Bytes()
yyBytes := new(big.Int).Mod(n.p.y.y, P).Bytes()
- // Each value is a 256-bit number.
- const numBytes = 256 / 8
-
ret := make([]byte, numBytes*4)
copy(ret[1*numBytes-len(xxBytes):], xxBytes)
copy(ret[2*numBytes-len(xyBytes):], xyBytes)