

Pairing cryptography with the Barreto-Naehrig curve

10 unstable releases (3 breaking)

Uses old Rust 2015

0.4.3 Apr 2, 2017
0.4.2 Dec 14, 2016
0.4.1 Oct 14, 2016
0.4.0 Sep 19, 2016
0.1.0 Jul 6, 2016

#435 in Cryptography


83 downloads per month
Used in zksnark


2.5K SLoC

bn

This is a pairing cryptography library written in pure Rust. It makes use of the Barreto-Naehrig (BN) curve construction from [BCTV2015] to provide two cyclic groups G1 and G2, with an efficient bilinear pairing:

e: G1 × G2 → GT

Security warnings

This library, like other pairing cryptography libraries implementing this construction, is not resistant to side-channel attacks.


Add the bn crate to your dependencies in Cargo.toml...

[dependencies]
bn = "0.4.3"

...and add an extern crate declaration to your crate root:

extern crate bn;


  • Fr is an element of F_r
  • G1 is a point on the BN curve E/F_q : y^2 = x^3 + b
  • G2 is a point on the twisted BN curve E'/F_{q^2} : y^2 = x^3 + b/xi
  • Gt is a group element (written multiplicatively) obtained with the pairing function over G1 and G2.


Joux's key agreement protocol

In a typical Diffie-Hellman key exchange, relying on ECDLP, a three-party key exchange requires two rounds. A single-round protocol is possible through the use of a bilinear pairing: given Alice's public key aP1 and Bob's public key bP2, Carol can compute the shared secret with her private key c as e(aP1, bP2)^c.

(See examples/joux.rs for the full example.)

extern crate bn;
extern crate rand; // the rand crate must also be listed in Cargo.toml

use bn::{Group, Fr, G1, G2, pairing};

fn main() {
    // Source of randomness for the private keys
    let rng = &mut rand::thread_rng();

    // Generate private keys
    let alice_sk = Fr::random(rng);
    let bob_sk = Fr::random(rng);
    let carol_sk = Fr::random(rng);

    // Generate public keys in G1 and G2
    let (alice_pk1, alice_pk2) = (G1::one() * alice_sk, G2::one() * alice_sk);
    let (bob_pk1, bob_pk2) = (G1::one() * bob_sk, G2::one() * bob_sk);
    let (carol_pk1, carol_pk2) = (G1::one() * carol_sk, G2::one() * carol_sk);

    // Each party computes the shared secret from the other two public keys
    let alice_ss = pairing(bob_pk1, carol_pk2).pow(alice_sk);
    let bob_ss = pairing(carol_pk1, alice_pk2).pow(bob_sk);
    let carol_ss = pairing(alice_pk1, bob_pk2).pow(carol_sk);

    // All three parties arrive at the same element of Gt
    assert!(alice_ss == bob_ss && bob_ss == carol_ss);
}
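
Why the three values in the code agree, written out as an added derivation that is not part of the original README. P1 and P2 denote the generators returned by G1::one() and G2::one(), and a, b, c are the private keys of Alice, Bob and Carol:

  Alice: e(bP1, cP2)^a = (e(P1, P2)^(bc))^a = e(P1, P2)^(abc)
  Bob:   e(cP1, aP2)^b = (e(P1, P2)^(ca))^b = e(P1, P2)^(abc)
  Carol: e(aP1, bP2)^c = (e(P1, P2)^(ab))^c = e(P1, P2)^(abc)

Each line uses bilinearity, e(xP1, yP2) = e(P1, P2)^(xy). Because e takes its first argument from G1 and its second from G2, each party's key is needed in G1 by one peer and in G2 by the other, which is why the code computes both a pk1 and a pk2 for every party.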


Licensed under either of the MIT license or the Apache License, Version 2.0, at your option.

Copyright 2016 Zcash Electric Coin Company. The Zcash Company promises to maintain the "bn" crate on crates.io under this MIT/Apache-2.0 dual license.



Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.