You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

240 lines
5.4 KiB

  1. package babyjub
  2. import (
  3. "fmt"
  4. "math/big"
  5. )
  6. // Q is the order of the integer field where the curve point coordinates are (Zq).
  7. var Q *big.Int
  8. // A is one of the babyjub constants.
  9. var A *big.Int
  10. // D is one of the babyjub constants.
  11. var D *big.Int
  12. // Zero is 0.
  13. var Zero *big.Int
  14. // One is 1.
  15. var One *big.Int
  16. // MinusOne is -1.
  17. var MinusOne *big.Int
  18. // Order of the babyjub curve.
  19. var Order *big.Int
  20. // SubOrder is the order of the subgroup of the babyjub curve that contains the
  21. // points that we use.
  22. var SubOrder *big.Int
  23. // B8 is a base point of the babyjub multiplied by 8 to make it a base point of
  24. // the subgroup in the curve.
  25. var B8 *Point
  26. // NewIntFromString creates a new big.Int from a decimal integer encoded as a
  27. // string. It will panic if the string is not a decimal integer.
  28. func NewIntFromString(s string) *big.Int {
  29. v, ok := new(big.Int).SetString(s, 10)
  30. if !ok {
  31. panic(fmt.Sprintf("Bad base 10 string %s", s))
  32. }
  33. return v
  34. }
  35. // init initializes global numbers and the subgroup base.
  36. func init() {
  37. Zero = big.NewInt(0)
  38. One = big.NewInt(1)
  39. MinusOne = big.NewInt(-1)
  40. Q = NewIntFromString(
  41. "21888242871839275222246405745257275088548364400416034343698204186575808495617")
  42. A = NewIntFromString("168700")
  43. D = NewIntFromString("168696")
  44. Order = NewIntFromString(
  45. "21888242871839275222246405745257275088614511777268538073601725287587578984328")
  46. SubOrder = new(big.Int).Rsh(Order, 3)
  47. B8 = NewPoint()
  48. B8.X = NewIntFromString(
  49. "17777552123799933955779906779655732241715742912184938656739573121738514868268")
  50. B8.Y = NewIntFromString(
  51. "2626589144620713026669568689430873010625803728049924121243784502389097019475")
  52. }
  53. // Point represents a point of the babyjub curve.
  54. type Point struct {
  55. X *big.Int
  56. Y *big.Int
  57. }
  58. // NewPoint creates a new Point.
  59. func NewPoint() *Point {
  60. return &Point{X: big.NewInt(0), Y: big.NewInt(1)}
  61. }
  62. // Set copies a Point c into the Point p
  63. func (p *Point) Set(c *Point) *Point {
  64. p.X.Set(c.X)
  65. p.Y.Set(c.Y)
  66. return p
  67. }
  68. // Add adds Point a and b into res
  69. func (res *Point) Add(a *Point, b *Point) *Point {
  70. // x = (a.x * b.y + b.x * a.y) * (1 + D * a.x * b.x * a.y * b.y)^-1 mod q
  71. x1a := new(big.Int).Mul(a.X, b.Y)
  72. x1b := new(big.Int).Mul(b.X, a.Y)
  73. x1a.Add(x1a, x1b) // x1a = a.x * b.y + b.x * a.y
  74. x2 := new(big.Int).Set(D)
  75. x2.Mul(x2, a.X)
  76. x2.Mul(x2, b.X)
  77. x2.Mul(x2, a.Y)
  78. x2.Mul(x2, b.Y)
  79. x2.Add(One, x2)
  80. x2.Mod(x2, Q)
  81. x2.ModInverse(x2, Q) // x2 = (1 + D * a.x * b.x * a.y * b.y)^-1
  82. // y = (a.y * b.y + A * a.x * a.x) * (1 - D * a.x * b.x * a.y * b.y)^-1 mod q
  83. y1a := new(big.Int).Mul(a.Y, b.Y)
  84. y1b := new(big.Int).Set(A)
  85. y1b.Mul(y1b, a.X)
  86. y1b.Mul(y1b, b.X)
  87. y1a.Sub(y1a, y1b) // y1a = a.y * b.y - A * a.x * b.x
  88. y2 := new(big.Int).Set(D)
  89. y2.Mul(y2, a.X)
  90. y2.Mul(y2, b.X)
  91. y2.Mul(y2, a.Y)
  92. y2.Mul(y2, b.Y)
  93. y2.Sub(One, y2)
  94. y2.Mod(y2, Q)
  95. y2.ModInverse(y2, Q) // y2 = (1 - D * a.x * b.x * a.y * b.y)^-1
  96. res.X = x1a.Mul(x1a, x2)
  97. res.X = res.X.Mod(res.X, Q)
  98. res.Y = y1a.Mul(y1a, y2)
  99. res.Y = res.Y.Mod(res.Y, Q)
  100. return res
  101. }
  102. // Mul multiplies the Point p by the scalar s and stores the result in res,
  103. // which is also returned.
  104. func (res *Point) Mul(s *big.Int, p *Point) *Point {
  105. res.X = big.NewInt(0)
  106. res.Y = big.NewInt(1)
  107. exp := NewPoint().Set(p)
  108. for i := 0; i < s.BitLen(); i++ {
  109. if s.Bit(i) == 1 {
  110. res.Add(res, exp)
  111. }
  112. exp.Add(exp, exp)
  113. }
  114. return res
  115. }
  116. // InCurve returns true when the Point p is in the babyjub curve.
  117. func (p *Point) InCurve() bool {
  118. x2 := new(big.Int).Set(p.X)
  119. x2.Mul(x2, x2)
  120. x2.Mod(x2, Q)
  121. y2 := new(big.Int).Set(p.Y)
  122. y2.Mul(y2, y2)
  123. y2.Mod(y2, Q)
  124. a := new(big.Int).Mul(A, x2)
  125. a.Add(a, y2)
  126. a.Mod(a, Q)
  127. b := new(big.Int).Set(D)
  128. b.Mul(b, x2)
  129. b.Mul(b, y2)
  130. b.Add(One, b)
  131. b.Mod(b, Q)
  132. return a.Cmp(b) == 0
  133. }
  134. // InSubGroup returns true when the Point p is in the subgroup of the babyjub
  135. // curve.
  136. func (p *Point) InSubGroup() bool {
  137. if !p.InCurve() {
  138. return false
  139. }
  140. res := NewPoint().Mul(SubOrder, p)
  141. return (res.X.Cmp(Zero) == 0) && (res.Y.Cmp(One) == 0)
  142. }
  143. // PointCoordSign returns the sign of the curve point coordinate. It returns
  144. // false if the sign is positive and false if the sign is negative.
  145. func PointCoordSign(c *big.Int) bool {
  146. if c.Cmp(new(big.Int).Rsh(Q, 1)) == 1 {
  147. return true
  148. }
  149. return false
  150. }
  151. func PackPoint(ay *big.Int, sign bool) [32]byte {
  152. leBuf := BigIntLEBytes(ay)
  153. if sign {
  154. leBuf[31] = leBuf[31] | 0x80
  155. }
  156. return leBuf
  157. }
  158. // Compress the point into a 32 byte array that contains the y coordinate in
  159. // little endian and the sign of the x coordinate.
  160. func (p *Point) Compress() [32]byte {
  161. sign := false
  162. if PointCoordSign(p.X) {
  163. sign = true
  164. }
  165. return PackPoint(p.Y, sign)
  166. }
  167. // Decompress a compressed Point into p, and also returns the decompressed
  168. // Point. Returns error if the compressed Point is invalid.
  169. func (p *Point) Decompress(leBuf [32]byte) (*Point, error) {
  170. sign := false
  171. if (leBuf[31] & 0x80) != 0x00 {
  172. sign = true
  173. leBuf[31] = leBuf[31] & 0x7F
  174. }
  175. SetBigIntFromLEBytes(p.Y, leBuf[:])
  176. if p.Y.Cmp(Q) >= 0 {
  177. return nil, fmt.Errorf("p.y >= Q")
  178. }
  179. y2 := new(big.Int).Mul(p.Y, p.Y)
  180. y2.Mod(y2, Q)
  181. xa := big.NewInt(1)
  182. xa.Sub(xa, y2) // xa == 1 - y^2
  183. xb := new(big.Int).Mul(D, y2)
  184. xb.Mod(xb, Q)
  185. xb.Sub(A, xb) // xb = A - d * y^2
  186. if xb.Cmp(big.NewInt(0)) == 0 {
  187. return nil, fmt.Errorf("division by 0")
  188. }
  189. xb.ModInverse(xb, Q)
  190. p.X.Mul(xa, xb) // xa / xb
  191. p.X.Mod(p.X, Q)
  192. p.X.ModSqrt(p.X, Q)
  193. if (sign && !PointCoordSign(p.X)) || (!sign && PointCoordSign(p.X)) {
  194. p.X.Mul(p.X, MinusOne)
  195. }
  196. p.X.Mod(p.X, Q)
  197. return p, nil
  198. }