Go to file

Daira Hopwood ebf8b553f7 Merge pull request #23 from daira/dual-license Ensure that GitHub's "View license" link points to complete license information		2023-03-11 11:50:38 +00:00
benches	Improve benchmarks and add serialization benchmarks.	2016-10-14 13:23:53 -06:00
examples	Add `Group` trait, more methods to API, repr(C) everything.	2016-09-11 21:30:38 -06:00
shootout	Public API, reorganize tests, benchmarks and shootout.	2016-09-11 12:58:18 -06:00
src	Add test that y coordinate remains 1 in jacobian when G1/G2 are negated.	2017-04-02 13:49:44 -06:00
tests	Add 'normalize' to Group trait for converting something into affine.	2016-10-14 13:23:49 -06:00
.gitignore	Initial commit.	2016-06-28 22:07:14 -06:00
.travis.yml	Add travis testing configuration.	2016-09-11 13:05:29 -06:00
COPYING.md	Ensure that GitHub's "View license" link points to complete license information.	2022-01-04 19:45:50 +00:00
Cargo.toml	Version bump	2017-04-02 13:50:16 -06:00
LICENSE-APACHE	Initial commit.	2016-06-28 22:07:14 -06:00
LICENSE-MIT	Update copyright in LICENSE-MIT.	2022-01-04 19:45:50 +00:00
README.md	Ensure that GitHub's "View license" link points to complete license information.	2022-01-04 19:45:50 +00:00

README.md

bn

This is a pairing cryptography library written in pure Rust. It makes use of the Barreto-Naehrig (BN) curve construction from [BCTV2015] to provide two cyclic groups G₁ and G₂, with an efficient bilinear pairing:

e: G₁ × G₂ → G_T

Security warnings

This library, like other pairing cryptography libraries implementing this construction, is not resistant to side-channel attacks.

Usage

Add the bn crate to your dependencies in Cargo.toml...

[dependencies]
bn = "0.4.3"

...and add an extern crate declaration to your crate root:

extern crate bn;

API

Fr is an element of F_r
G1 is a point on the BN curve E/Fq : y^2 = x^3 + b
G2 is a point on the twisted BN curve E'/Fq2 : y^2 = x^3 + b/xi
Gt is a group element (written multiplicatively) obtained with the pairing function over G1 and G2.

Examples

Joux's key agreement protocol

In a typical Diffie-Hellman key exchange, relying on ECDLP, a three-party key exchange requires two rounds. A single round protocol is possible through the use of a bilinear pairing: given Alice's public key aP₁ and Bob's public key bP₂, Carol can compute the shared secret with her private key c by e(aP₁, bP₂)^c.

(See examples/joux.rs for the full example.)

// Generate private keys
let alice_sk = Fr::random(rng);
let bob_sk = Fr::random(rng);
let carol_sk = Fr::random(rng);

// Generate public keys in G1 and G2
let (alice_pk1, alice_pk2) = (G1::one() * alice_sk, G2::one() * alice_sk);
let (bob_pk1, bob_pk2) = (G1::one() * bob_sk, G2::one() * bob_sk);
let (carol_pk1, carol_pk2) = (G1::one() * carol_sk, G2::one() * carol_sk);

// Each party computes the shared secret
let alice_ss = pairing(bob_pk1, carol_pk2).pow(alice_sk);
let bob_ss = pairing(carol_pk1, alice_pk2).pow(bob_sk);
let carol_ss = pairing(alice_pk1, bob_pk2).pow(carol_sk);

assert!(alice_ss == bob_ss && bob_ss == carol_ss);

License

Licensed under either of

MIT license, (LICENSE-MIT or http://opensource.org/licenses/MIT)
Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)

at your option.

Authors

Sean Bowe

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

README.md Unescape Escape

bn