G1 scalar multiplication broken

Question

G1 scalar multiplication broken

guidovranken opened this issue 2 years ago · comments

E.g.

operation name: BLS_G1_Mul
ecc curve: BLS12_381
A X: 2674736064367537260466998576948875816092530018012391451554681294626372801079300749663553872848166173052838590852969
A Y: 3619055641023526422433505315233071744479608227444754666537459325486807540183936935747247430414964574839706132741773
B: 3638679436378936848011985967149037743560824448519656435014878498369902353448401626833740454655344039476234037291460

Module blst result:

X: 2420522379105166237330931279101207136986356163083438814561315919773076272752130507492102976255873958259923434933629
Y: 2167883459710336113266071890834859867424269085235508973773802256649553360178155716888080711451644385870827634784624


Module mcl result:

X: 3630710938911769022168321454376168011713659061422211005903595928572540878877077836249381528565259190238903931918164
Y: 1529482165903275566472273829191566410015239344673907207854862277051904655036590437496849295408992499176141844354755

This was broken by a recent modification, possibly in this commit range: fcc447f...12eec03

MITSUNARI Shigeo · Answer 1 · Mon Apr 11 2022 04:27:23 GMT+0800 (China Standard Time)

What type is the value B?
The type y of G1::mul(z, x, y) should be Fr or mpz_class.
(Fp is not accepted. This is breaking backward compatibility. I forgot it.)
The value is larger than r (= the order of G1), so could you use mpz_class or set (B % r, which can be computed by Fr::setLittleEndianMod).
Using Fr is better than because it is faster than using mpz_class.

int main()
{
    initPairing(mcl::BLS12_381);
    G1 A, P;
    A.x.setStr("2674736064367537260466998576948875816092530018012391451554681294626372801079300749663553872848166173052838590852969", 10);
    A.y.setStr("3619055641023526422433505315233071744479608227444754666537459325486807540183936935747247430414964574839706132741773", 10);
    A.z = 1;
    const char *str = "3638679436378936848011985967149037743560824448519656435014878498369902353448401626833740454655344039476234037291460";
    mpz_class B1;
    mcl::gmp::setStr(B1, str, 10);

    G1::mul(P, A, B1);
    P.normalize();
    std::cout << "P.x=" << P.x << std::endl;
    std::cout << "P.y=" << P.y << std::endl;

    P.clear();
    Fr B2;
    // this value is B1 % r
    B2.setStr("38284638566776436211710320506911110215984697616190089678472849175738187020541", 10);
    G1::mul(P, A, B2);
    P.normalize();
    std::cout << "P.x=" << P.x << std::endl;
    std::cout << "P.y=" << P.y << std::endl;
}

MITSUNARI Shigeo · Answer 2 · Mon Apr 11 2022 07:40:18 GMT+0800 (China Standard Time)

I'll fix this issue. Please wait a moment.

MITSUNARI Shigeo · Answer 3 · Mon Apr 11 2022 15:01:55 GMT+0800 (China Standard Time)

mul supports Fp as scalar type at https://github.com/herumi/mcl/tree/dev .
Thank you for your report. Could you try it?

Guido Vranken · Answer 4 · Mon Apr 11 2022 18:13:05 GMT+0800 (China Standard Time)

Confirmed fixed as far as I can tell. Thanks!