Skip to content

G
Geth-Modification
Unverified Commit 1ea75379 authored by Sad Pencil's avatar Sad Pencil Committed by GitHub
Browse files
Options

crypto/bn256: refine comments according to #19577, #21595, and #21836 (#21847)

parent 92c56eb8
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 4 deletions
crypto/bn256/cloudflare/bn256.go
View file @ 1ea75379
...@@ -9,8 +9,13 @@ ...@@ -9,8 +9,13 @@
// //
// This package specifically implements the Optimal Ate pairing over a 256-bit // This package specifically implements the Optimal Ate pairing over a 256-bit
// Barreto-Naehrig curve as described in // Barreto-Naehrig curve as described in
// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is not
// with the implementation described in that paper. // compatible with the implementation described in that paper, as different
// parameters are chosen.
//
// (This package previously claimed to operate at a 128-bit security level.
// However, recent improvements in attacks mean that is no longer true. See
// https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
package bn256 package bn256
import ( import (
......
crypto/bn256/google/bn256.go
View file @ 1ea75379
...@@ -12,8 +12,9 @@ ...@@ -12,8 +12,9 @@
// //
// This package specifically implements the Optimal Ate pairing over a 256-bit // This package specifically implements the Optimal Ate pairing over a 256-bit
// Barreto-Naehrig curve as described in // Barreto-Naehrig curve as described in
// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is not
// with the implementation described in that paper. // compatible with the implementation described in that paper, as different
// parameters are chosen.
// //
// (This package previously claimed to operate at a 128-bit security level. // (This package previously claimed to operate at a 128-bit security level.
// However, recent improvements in attacks mean that is no longer true. See // However, recent improvements in attacks mean that is no longer true. See
......
crypto/bn256/google/constants.go
View file @ 1ea75379
...@@ -20,7 +20,9 @@ var u = bigFromBase10("4965661367192848881") ...@@ -20,7 +20,9 @@ var u = bigFromBase10("4965661367192848881")
var P = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583") var P = bigFromBase10("21888242871839275222246405745257275088696311157297823662689037894645226208583")
// Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1. // Order is the number of elements in both G₁ and G₂: 36u⁴+36u³+18u²+6u+1.
// Needs to be highly 2-adic for efficient SNARK key and proof generation.
// Order - 1 = 2^28 * 3^2 * 13 * 29 * 983 * 11003 * 237073 * 405928799 * 1670836401704629 * 13818364434197438864469338081. // Order - 1 = 2^28 * 3^2 * 13 * 29 * 983 * 11003 * 237073 * 405928799 * 1670836401704629 * 13818364434197438864469338081.
// Refer to https://eprint.iacr.org/2013/879.pdf and https://eprint.iacr.org/2013/507.pdf for more information on these parameters.
var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617") var Order = bigFromBase10("21888242871839275222246405745257275088548364400416034343698204186575808495617")
// xiToPMinus1Over6 is ξ^((p-1)/6) where ξ = i+9. // xiToPMinus1Over6 is ξ^((p-1)/6) where ξ = i+9.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment