Skip to content
This repository has been archived by the owner on Dec 27, 2023. It is now read-only.

update InCorrectSubgroup #34

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

update InCorrectSubgroup #34

wants to merge 2 commits into from

Conversation

oznurkalkar
Copy link

@oznurkalkar oznurkalkar commented Dec 14, 2021
edited
Loading

Changed InCorrectSubgroup to M. Scott's method in https://eprint.iacr.org/2021/1130

On i7-3770 CPU @ 3.40GHz

BenchmarkG2SubgroupCheck-8 153520 ns/op
BenchmarkG2SubgroupCheckOld-8 167288 ns/op

@oznurkalkar
Copy link
Author

changed gt.isValid to M. Scott's method in https://eprint.iacr.org/2021/1130

On i7-3770 CPU @ 3.40GHz

BenchmarkGT_IsValid-8 250904 ns/op
BenchmarkGT_IsValidOld-8 2301026 ns/op

AnomalRoil
AnomalRoil approved these changes Feb 8, 2023
View reviewed changes
Copy link

@AnomalRoil AnomalRoil left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. We'd love to get the faster method in the drand team, if possible.

g2.go
Comment on lines +760 to +770
// A note on group membership tests for G1, G2
// and GT on BLS pairing-friendly curves
// M. Scott
// https://eprint.iacr.org/2021/1130.pdf

// [z]ψ^3(P) − ψ^2(P) + P = O
t0, t1 := g.New().Set(p), g.New()
// ψ^3(P) − [u]P = O
t0, t1 := g.New().Set(p), g.New().Set(p)

g.psi(t0)
g.psi(t0)
g.Neg(t1, t0) // - ψ^2(P)
g.psi(t0) // ψ^3(P)
g.mulX(t0) // - x ψ^3(P)
g.Neg(t0, t0)

g.Add(t0, t0, t1)
g.Add(t0, t0, p)
g.psi(t0) //ψ(P)
g.mulX(t1) //-[u]P
g.Add(t0, t0, t1) //ψ(P)-[u]P
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me, this method works as better proven also in https://hal.inria.fr/hal-03608264/document
Note that u == x but it's just a question of notation.

gt.go
Comment on lines +70 to +75
g.fp12.frobeniusMap1(r0)
r1.set(r0)
g.fp12.frobeniusMap1(r0)
r2.set(r0)
g.fp12.frobeniusMap2(r0)
g.Mul(r0, r0, e)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
g.fp12.frobeniusMap1(r0)
r1.set(r0)
g.fp12.frobeniusMap1(r0)
r2.set(r0)
g.fp12.frobeniusMap2(r0)
g.Mul(r0, r0, e)
g.fp12.frobeniusMap1(r0) // r0 = e^p
r1.set(r0) // r1 = e^p
g.fp12.frobeniusMap1(r0) // r0 = e^(p^2)
r2.set(r0) // r2 = e^(p^2)
g.fp12.frobeniusMap2(r0) // r0 = e^(p^4)
g.Mul(r0, r0, e) // r0 = e·e^(p^4)

gt.go
r2.set(r0)
g.fp12.frobeniusMap2(r0)
g.Mul(r0, r0, e)
if !r0.Equal(r2) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if !r0.Equal(r2) {
// cyclotomic test
if !r0.Equal(r2) {

gt.go
g.Exp(r0, e, bigFromHex("0xd201000000010000"))
g.Mul(r0, r0, r1)

return r0.IsOne()
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, you are doing the cyclotomic test e·e^(p^4) == e^(p^2) and then you test if e^p = e^u as in Scott paper.

Suggested change
return r0.IsOne()
// e^(p-u) = e^(p+1-t) == 1
return r0.IsOne()

gt.go
Comment on lines +79 to +80
g.Exp(r0, e, bigFromHex("0xd201000000010000"))
g.Mul(r0, r0, r1)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
g.Exp(r0, e, bigFromHex("0xd201000000010000"))
g.Mul(r0, r0, r1)
g.Exp(r0, e, bigFromHex("0xd201000000010000")) // r0 = e^-u
g.Mul(r0, r0, r1) // r0 = e^-u · e^p = e^(p-u)

@AnomalRoil AnomalRoil mentioned this pull request Feb 21, 2024
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@AnomalRoil AnomalRoil AnomalRoil approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@oznurkalkar @AnomalRoil