Crate bn254


Elliptic Curve Digital Signature Algorithm (ECDSA) using the bn254 curve, also known as bn128 or bn256.

This module has been designed with the goal of being compatible with the bn256Add(G1), bn256ScalarMul(G1) and bn256Pairing provided by precompiled contracts on the Ethereum Virtual Machine (EVM).

Signature verification: e(H(m), PubKey) = e(Signature, G2::one)

This module handles public keys in G2 in order to avoid performing the hashing to G2, which involves a costly multiplication with the cofactor.

Test vectors: the following resources have been used for testing BN256 functionalities

Hashing to G1: To hash a message to G1, this module uses the try-and-increment algorithm. The running time of this algorithm depends on the input message, so it should be used only with public inputs. Alternatively, different hashing methods can be implemented as specified in:
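The try-and-increment loop described above, as an added sketch that is not this crate's code, showing that the number of attempts is a function of the message (which is why the input must be public). Assumptions: a toy 20-bit prime field stands in for bn254's, FNV-1a stands in for a cryptographic hash, and the counter-prefix encoding and all function names are hypothetical.

```rust
// Toy parameters, constructed for illustration (NOT bn254's 254-bit field):
// P is a small prime with P % 4 == 3, so a square root is one exponentiation.
const P: u64 = 1_000_003;
const B: u64 = 3; // same curve shape as bn254 G1: y^2 = x^3 + 3

fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

// FNV-1a: a non-cryptographic stand-in for the hash a real implementation uses.
fn fnv1a(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, &b| (h ^ b as u64).wrapping_mul(0x100000001b3))
}

fn on_curve(x: u64, y: u64) -> bool {
    mul(y, y) == (mul(mul(x, x), x) + B) % P
}

/// Try-and-increment: hash (counter || msg) to a candidate x and retry until
/// x^3 + B is a square. Returns (x, y, attempts); `attempts` depends on `msg`.
fn hash_to_g1(msg: &[u8]) -> (u64, u64, u32) {
    let mut ctr: u32 = 0;
    loop {
        let mut buf = ctr.to_be_bytes().to_vec();
        buf.extend_from_slice(msg);
        let x = fnv1a(&buf) % P;
        // For P % 4 == 3, rhs^((P+1)/4) is a square root of rhs iff one exists.
        let y = pow((mul(mul(x, x), x) + B) % P, (P + 1) / 4);
        ctr += 1;
        if on_curve(x, y) { return (x, y, ctr); }
    }
}

fn main() {
    for i in 0..8 {
        let msg = format!("constructed-message-{}", i); // constructed sample input
        let (x, y, attempts) = hash_to_g1(msg.as_bytes());
        println!("{}: point=({}, {}) attempts={}", msg, x, y, attempts);
    }
}
```

Roughly half of all candidate x values yield a point, so the attempt count (and with it the running time) varies from message to message and would act as a timing side channel if the message were secret.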

Resources: The following resources have been used as a reference to implement aggregate signatures:

§Disclaimer

This module does not implement a defense against rogue-key attacks, which means it should be used only in protocols where possession of each participant's private key has been proven (i.e., by signing a message).

Structs§

ECDSA
ECDSA with curve bn254.
PrivateKey
The Private Key as an element of Fr
PublicKey
The Public Key as a point in G2
PublicKeyG1
The Public Key as a point in G1
Signature
The Signature as a point in G1

Enums§

Error

Functions§

check_public_keys
Function to check if 2 Public Keys in G1 and G2 are valid

Type Aliases§

Result