Description
At file: github.com/ethereum/go-ethereum/crypto/bn256/google/bn256.go
// This package specifically implements the Optimal Ate pairing over a 256-bit
// Barreto-Naehrig curve as described in
// http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
// with the implementation described in that paper.It does not. On Page 2, Paragraph 3 at that paper, the parameters are:
p = 36u^4 + 36u^3 + 24u^2 + 6u + 1, with u = v^3 and v = 1868033, BN curve: y^2 = x^3 + 3 over F_p
So that the parameter u is 1868033^3, which is 6518589491078791937
However, in the source code of ethereum, at file github.com/ethereum/go-ethereum/crypto/bn256/google/constants.go
// u is the BN parameter that determines the prime: 1868033³.
var u = bigFromBase10("4965661367192848881")the parameter u is 4965661367192848881. And note that the comment still says that the number is 1868033³, but in the source code, it is not.
So there are at least two problems in "bn256" in this repo:
- This package does not implement the exact BN curve described in that paper
- The comment and the actual value are not consistent
In addition, I have this question: All the parameters in "bn256" in this repo is different from Go's offcial crypto package. The parameters of "bn256" in this repo is actually consistent with libsnark's "alt_bn128", instead of Go's offcial one. And yes, "alt_bn128" is actually another name of "bn256", right? But why there are two sets of different parameters? It's confusing.