### 10 unstable releases (3 breaking)

Uses old Rust 2015

| Version | Released |
|---|---|
| 0.4.3 | Apr 2, 2017 |
| 0.4.2 | Dec 14, 2016 |
| 0.4.1 | Oct 14, 2016 |
| 0.4.0 | Sep 19, 2016 |
| 0.1.0 | Jul 6, 2016 |

#**435** in Cryptography

**83** downloads per month

Used in zksnark

**MIT/Apache**

**2.5MB**

2.5K SLoC

# bn

This is a pairing cryptography library written in pure Rust. It makes use of the Barreto-Naehrig (BN) curve construction from [BCTV2015] to provide two cyclic groups **G_{1}** and **G_{2}**, with an efficient bilinear pairing:

*e: G_{1} × G_{2} → G_{T}*

## Security warnings

This library, like other pairing cryptography libraries implementing this construction, is not resistant to side-channel attacks.

## Usage

Add the `bn` crate to your dependencies in `Cargo.toml`...

```toml
[dependencies]
bn = "0.4.3"
```

...and add an `extern crate` declaration to your crate root:

```rust
extern crate bn;
```

## API

- `Fr` is an element of F_{r}
- `G1` is a point on the BN curve E/Fq : y^2 = x^3 + b
- `G2` is a point on the twisted BN curve E'/Fq2 : y^2 = x^3 + b/xi
- `Gt` is a group element (written multiplicatively) obtained with the `pairing` function over `G1` and `G2`.

### Examples

#### Joux's key agreement protocol

In a typical Diffie-Hellman key exchange, relying on ECDLP, a three-party key exchange requires two rounds. A single round protocol is possible through the use of a bilinear pairing: given Alice's public key *a*P_{1} and Bob's public key *b*P_{2}, Carol can compute the shared secret with her private key *c* by *e*(*a*P_{1}, *b*P_{2})^{c}.

(See `examples/joux.rs` for the full example.)

```rust
extern crate bn;
extern crate rand; // `rand` must also be listed in Cargo.toml

use bn::{pairing, Fr, Group, G1, G2};

fn main() {
    // Random number generator used to sample the private keys
    let rng = &mut rand::thread_rng();
    // Generate private keys
    let alice_sk = Fr::random(rng);
    let bob_sk = Fr::random(rng);
    let carol_sk = Fr::random(rng);
    // Generate public keys in G1 and G2
    let (alice_pk1, alice_pk2) = (G1::one() * alice_sk, G2::one() * alice_sk);
    let (bob_pk1, bob_pk2) = (G1::one() * bob_sk, G2::one() * bob_sk);
    let (carol_pk1, carol_pk2) = (G1::one() * carol_sk, G2::one() * carol_sk);
    // Each party computes the shared secret
    let alice_ss = pairing(bob_pk1, carol_pk2).pow(alice_sk);
    let bob_ss = pairing(carol_pk1, alice_pk2).pow(bob_sk);
    let carol_ss = pairing(alice_pk1, bob_pk2).pow(carol_sk);
    assert!(alice_ss == bob_ss && bob_ss == carol_ss);
}
```
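Why the three secrets agree, as an added example that is not code from the `bn` crate or its authors: a toy pairing "in the exponent" written with the standard library only. All constants and the names `toy_pairing`, `keypair`, `consistent` and `shared` are constructed for illustration and provide no security; the example also goes one step beyond the text by having each receiver check that a key's G1 and G2 halves hide the same scalar.

```rust
// Toy "pairing in the exponent" (constructed parameters, NOT the bn crate and
// not secure: discrete logs in these groups are trivial). It models only the
// algebra e(a*P1, b*P2) = e(P1, P2)^(a*b) that the Joux example relies on.
const P: u64 = 2027; // prime modulus for Gt; P - 1 = 2 * R
const R: u64 = 1013; // prime order of G1, G2 and Gt
const G: u64 = 4; // generator of the order-R subgroup of Z_P^*
const P1: u64 = 3; // generator of toy G1 (Z_R, written additively)
const P2: u64 = 5; // generator of toy G2 (Z_R, written additively)

fn pow_mod(mut base: u64, mut exp: u64, m: u64) -> u64 {
    let mut acc = 1;
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % m; }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

/// Toy bilinear map e: G1 x G2 -> Gt.
fn toy_pairing(x: u64, y: u64) -> u64 {
    pow_mod(G, x * y % R, P)
}

/// Public key published in both groups: (sk * P1, sk * P2).
fn keypair(sk: u64) -> (u64, u64) {
    (P1 * sk % R, P2 * sk % R)
}

/// Both halves must hide the same scalar: e(pk1, P2) == e(P1, pk2).
fn consistent(pk: (u64, u64)) -> bool {
    toy_pairing(pk.0, P2) == toy_pairing(P1, pk.1)
}

/// Shared secret e(x's G1 key, y's G2 key)^sk, or None if a key is malformed.
fn shared(sk: u64, x: (u64, u64), y: (u64, u64)) -> Option<u64> {
    if !(consistent(x) && consistent(y)) {
        return None;
    }
    Some(pow_mod(toy_pairing(x.0, y.1), sk, P))
}

fn main() {
    let (a, b, c) = (17, 230, 999); // constructed private keys
    let (pa, pb, pc) = (keypair(a), keypair(b), keypair(c));
    assert_eq!(shared(a, pb, pc), shared(b, pc, pa));
    assert_eq!(shared(b, pc, pa), shared(c, pa, pb));
    assert_eq!(shared(a, pb, (pc.0, (pc.1 + P2) % R)), None);
}
```

Without the consistency check, a party whose two key halves hide different scalars would leave the others with different secrets, because each peer uses a different half of that key.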

## License

Licensed under either of

- MIT license, (LICENSE-MIT or http://opensource.org/licenses/MIT)
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)

at your option.

Copyright 2016 Zcash Electric Coin Company. The Zcash Company promises to maintain the "bn" crate on crates.io under this MIT/Apache-2.0 dual license.

### Authors

### Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.