I am trying to call mcl/ecdsa.h from go, but I found that the struct ecdsaPrecomputedPublicKey is not defined anywhere.

This program (excluding includes):

int main(int argc, char* argv[]) {
	std::array<uint64_t, bls::local::keySize> key_data{
		0x1000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000
	};
	bls::SecretKey secret_key;
	secret_key.set(key_data.data());
}

segfaults for some reason:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000420300 in mcl::fp::maskArray<unsigned long> (bitSize=18446744073709551615, n=0, x=0x7fffffffd080)
    at src/fp.cpp:579
579                             maskArray(y, op.N, op.bitSize - 1);
(gdb) up
#1  mcl::fp::copyAndMask (y=y@entry=0x7fffffffd080, x=x@entry=0x7fffffffd040, xByteSize=0, xByteSize@entry=32, 
    op=..., maskMode=<optimized out>, maskMode@entry=mcl::fp::SmallMask) at src/fp.cpp:579
579                             maskArray(y, op.N, op.bitSize - 1);
(gdb) 
#2  0x000000000040401e in mcl::FpT<mcl::bn::local::FrTag, 256ul>::setArrayMask<char> (n=n@entry=32, 
    x=x@entry=0x7fffffffd040 "\320xi", this=0x7fffffffd080, this@entry=0x7fffffffd030)
    at ./../mcl/src/bn_c_impl.hpp:106
106             cast(x)->setArrayMask((const char *)buf, bufSize);
(gdb) 
#3  mclBnFr_setLittleEndian (x=x@entry=0x7fffffffd080, buf=buf@entry=0x7fffffffd060, bufSize=bufSize@entry=32)
    at ./../mcl/src/bn_c_impl.hpp:106
106             cast(x)->setArrayMask((const char *)buf, bufSize);
(gdb) 
#4  0x000000000040352b in bls::SecretKey::setLittleEndian (bufSize=32, buf=0x7fffffffd060, this=0x7fffffffd080)
    at submodules/bls/include/bls/bls.hpp:202
202                     mclBnFr_setLittleEndian(&self_.v, buf, bufSize);
(gdb) 
#5  bls::SecretKey::set (p=0x7fffffffd060, this=0x7fffffffd080) at submodules/bls/include/bls/bls.hpp:197
197                     setLittleEndian(p, local::keySize * sizeof(uint64_t));

at secret_key.set(key_data.data());. What is weird is that identical code works in another larger program. Compiling with GCC 8.1.1 and -O3.

Hi, all.
When I run the C sharp solution in Visual stuido 2017, an error happens in 'bn256.cs' file.

public static void init()
		{
			const int curveFp254BNb = 0;
			const int maxUnitSize = 4;
			if (mclBn_init(curveFp254BNb, maxUnitSize) != 0) { // the value is -4404.
				throw new InvalidOperationException("mclBn_init");
			}
		}

Is any BUGs in the current version ?

See #21 and dfinity-side-projects/bn#14 for some previous discussion. This would be needed for inclusion into standard FOSS distributions like Debian and Fedora.

@@ -106,6 +105,16 @@ include_directories(
 add_library(mcl STATIC ${SRCS})
 if(NOT MSVC)
 add_library(mcl_dy SHARED ${SRCS})
+set_target_properties(mcl_dy PROPERTIES OUTPUT_NAME mcl VERSION 1.0.0 SOVERSION 1)
+# SOVERSION must match VERSION's major number and be bumped whenever non-backwards-ABI-compatible changes
+# are made. The other numbers in VERSION should be bumped for other changes as you wish; one common standard
+# is libtool's scheme: https://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
+#
+# For semantics of ABI compatibility including when you must bump SOVERSION, see:
+# https://community.kde.org/Policies/Binary_Compatibility_Issues_With_C%2B%2B#The_Do.27s_and_Don.27ts
+#
+# Since ABI compatibility is a strict requirement that is only necessary for shared-library systems,
+# these library version numbers do not necessarily need to match the release version of the overall package.
 endif()
 
 file(GLOB MCL_HEADERS include/mcl/*.hpp include/mcl/*.h)

Thanks for the great library!

Maybe

Should compare with 0, not 1? E.g.,

func (x *Fr) SetHashOf(buf []byte) bool {
	// #nosec
	return C.mclBnFr_setHashOf(x.getPointer(), unsafe.Pointer(&buf[0]), C.size_t(len(buf))) == 0
}

Since the success value seems to be 0, and the failure value seems to be -1:

Current situation with hand-written makefiles is less than ideal, because:

1. There is no make install.
2. A lot of things are hardcoded (e.g. -O* always overrides compilation flags you can set from the command line, you can't compile with -flto because ar command is hardcoded, linking of 32bit libmcl_dy.so on 64bit system fails because no -m32 is passed to linker)
3. Windows and Linux need separate makefiles.

I want to use the library in a golang project use cgo, first, I use "sudo make install" and the libraries install in "/usr/local", but "/usr/local/lib" has only "libmcl.a" and "libmcl.so", and I move "libmclbn384.a" and "libmclbn384.so" from "mcl/lib" to "/usr/local/lib" and the go code works well.

but if I want to use pure static library(copy the *.a and *.h to golang project), How should I do? I think I should change all the header file about path, and specify the link path where the static library locate. I try to do that, but don't work. Is there some idea to do that? I'm not familiar with C++.

/*
#cgo  CFLAGS:-DMCLBN_FP_UNIT_SIZE=6
#cgo LDFLAGS:-L ./lib -lmclbn384 -lmcl
#include "./include/bn.h"
*/
import "C"
import "fmt"
import "unsafe"

Hi herumi, release20170402 can not be compiled without GMP. Do you have plan to release new versions? Thanks.

It would be useful to use our own hashing scheme and use mapToG2 directly as in this example

Currently impossible in wasm build as mapToG1, mapToG2, Fp, Fp2, etc. are not exposed.

as the title:
i have a byte array:
char a[64]={};
how can i encrypt a to EncG1 or EncG2?
i need encryt every byte using many encryption loops?

In https://github.com/herumi/libsnark, you said: ""mcl_bn128": an alternative to "bn128", using the new MCL elliptic curve library. Somewhat slower on x86-64 but supported and optimized for different architectures."

I just added mcl_bn128 to libsnark (latest version) base on your fork(just need to change some include path and function name). But I'm curious the percent of slow, that is for x64 CPU, should I use mcl_bn128 to replace the bn128?

I've looked at the "Indifferentiable hashing to Barreto Naehrig curves" paper and for Fp254BNb the assumption that g(1) = 1 + b is a nonzero quare in Fp does not hold, which I assume is the reason why mapping fails for sqrt(-3) and -sqrt(-3). I didn't study these proofs closely to see whether the broken assumption leads to other values that will not be mappable. Do you know of any? Also, what about G2?

As a side note, page 3 of the paper has an interesting remark:

like Icart’s encoding and many others, this encoding f will not yield a gener-
ically secure hash function construction if we simply compose it with a ran-
dom oracle to the base field (e.g. it is easy to distinguish such a hash function
from a random oracle to the curve since its image has a simple algebraic de-
scription and only contains a constant fraction of all points). However, we
show (in Section 5) that it is well-distributed in the sense of Farashahi et al.
[17]. This implies
 that if h1 , h2 are random oracles to the base field, then
m -> f(h1(m)) + f(h2(m)) is a good, generically secure hash function to the
BN curve (it is indifferentiable from a random oracle);

However, it seems this is what BN256_G1_hashAndMapTo (and G2 variant) do, i.e. they just hash a message to a value in Fp and then map this value to get a point on the curve.

Hi, I need to generate points deterministically in order to make comparisons with alternative implementations.

What I have so far is the following:

	var f Fr
	f.SetInt64(x)

	var g1, gout G1
	// TODO set g1 to the base point
	G1Mul(&gout, &g1, &f)

but obviously gout is zero because g1 is zero.

How can I set g1 to the base point? I didn't see an API to do it.

Any (easy) way to change littlte endian to big endian when doing serialization.

I ran make, copied the lib files to my /usr/local/lib/
I tried to import the built libmclbn512, got an error
Error opening shared object "libmclbn512.so": /usr/local/lib/libmclbn512.so: undefined symbol: _ZN3mcl2fp2Op18destroyFpGeneratorEPNS0_11FpGeneratorE

Edited Makefile to include $(LIB_OBJ) next to $(BN512_OBJ) on L169.
Recompiled, imported with no error.

• hashAndMapToG1 is very slow, it should be at least 10 times faster.
• implement portable SHA-2 instead of SHA-1.
• try to import evm2wasm for 256-bit arithmetic operations.
• try to use clang wasm backend.

Hi,all.
I wanna complie the C sharp solution to test the results, but there is a error msg "ERR=System.DllNotFoundException: couldn't load 'mclBn256.dll'" in my Visual studio 2017.

How to deal with this problem?

Thank you all!

#30 (comment)

Constant time version of these seems to be constant in a sense that it doesn't reveal information about particular bits of the input, but it does reveal information about the bitlength of input, i.e. multiplying a point from bn256::G1 by 42 is much faster than multiplying it by a "proper" 254bit scalar. I wonder if that can be a problem?

Hi, how could I compile a shared library with the full code using ndk? Thanks.

** Why I ask
I need to use MCL with my project. So the following code is used first, it succeeds to generate libmcl.so.

include $(CLEAR_VARS)
LOCAL_SHARED_LIBRARIES := gmp gmpxx crypto
LOCAL_MODULE := mcl
LOCAL_ARM_NEON := true
LOCAL_SRC_FILES := ./src/fp.cpp \
	./src/bn_c384.cpp
LOCAL_CFLAGS += -I$(LOCAL_PATH)/include/
LOCAL_CFLAGS += -Wall
LOCAL_CPPFLAGS += -fexceptions
include $(BUILD_SHARED_LIBRARY)

But there are some error when using libmcl.so to compile my project.

/home/luopeng/my_sec_data/jni/include/mcl/fp.hpp:530: error: undefined reference to 'mcl::fp::detectIoMode(int, std::__ndk1::ios_base const&)'
/home/luopeng/my_sec_data/jni/include/mcl/fp_tower.hpp:474: error: undefined reference to 'mcl::fp::detectIoMode(int, std::__ndk1::ios_base const&)'

Then I notice that detectIoMode is under a macro. So I add the following compile option.

LOCAL_CPPFLAGS += -DCYBOZU_DONT_USE_STRING

But it fails to generate the libmcl.so.

/home/luopeng/mcl/mcl/jni/include/mcl/gmp_util.hpp:714:45: error: too few arguments to function call, expected at least 3, have 2
printf("\"%s\",\n", mcl::gmp::getStr(p, 16).c_str());
~~~~~~~~~~~~~~~~      ^                    

So, do you have any advice? thanks.

Herumi san,
I am wondering whether any possible way to call mcl from golang ?

I am using the curve bn254.
I found the performance of the mcl::EcT<Fp2>::load() is weird slow.

In my computer, load 1M(1024768) G2 from a data file using 450 seconds (single thread).
It seems that the main cost is the function getYfromX() which need to compute the Square Root of the Y.

Since the data file is generated by myself, how can I save the G2 with the Y? I know, in this case, the data file size will *2. Maybe I should not use the mcl::IoMode::IoSerialize, which flag should I use? I do not understand all those flags.

My code looks like:

typedef mcl::EcT<Fp2> G2;
struct imembuf : public std::streambuf {
  imembuf(char const* array, size_t len) {
    char* p(const_cast<char*>(array));
		this->setg(p, p, p + len);
  }
};

struct imemstream : virtual imembuf, std::istream {
  imemstream(char* array, size_t len)
      : imembuf(array, len), std::istream(static_cast<std::streambuf*>(this)) {}
};

bool BinToG2(uint8_t const* buf, G2* g) {
  bool ret;
  imemstream in((char*)buf, 64);
  g->load(&ret, in, mcl::IoMode::IoSerialize);
  return ret;
}

In some scenario, for example, proofs of data possession, proofs of data retrievability, we do not need that safe, it's not the transaction.
I just implement the paper https://hovav.net/ucsd/dist/verstore.pdf . In paper 3.3, it requires to calculate 10000 times ui^fi for a 320KB file, which ui is a group point and fi is a field number (BN128). Now it needs several seconds (one core).
I hope I can improve the speed 10 times, and I am seeking a fewer bits curve.
Is it possible?
Could you please provide a curve which just use 80 bits or 64 bits?

Can you please give the curve parameter of BN462 in decimal form, please? Thanks a lot.

And, now the libsnarks depends on ate-pairing, do you have port a new version libsnarks which base on mcl?

I just tested the bls12-381.
To my surprise, the bls12-381 is much slower than bn254.
I tested 1000 times ecc_mul, bn254 use 90ms, and bls12-381 use 900ms.
Why? Maybe I made some mistakes(some optimize compile flags)?

Hi!
Could not find base points for BLS12_381 (G1, G2). Is there something like in Relic
https://github.com/relic-toolkit/relic/blob/086643803fc64bb109112b16160cb5c8a7ab5e66/src/epx/relic_ep2_curve.c#L89

I could use to multiply by a base point?

The main README.md says that the JNI interface is described in /java/java.md but that file doesn't exist. (never mind - I found it in ffi/java/java.md)

Also, I was trying to do 'make test_java' on MacOS with Java 8 and had to add two -I statements in order to find jni.h and jni_md.h:
-I/Library/Java/JavaVirtualMachines/jdk1.8.0_201.jdk/Contents/Home/include
-I/Library/Java/JavaVirtualMachines/jdk1.8.0_201.jdk/Contents/Home/include/darwin

When make arrives at compiling ElgamalTest.java, it gets the following error

javac ElgamalTest.java
ElgamalTest.java:2: error: package com.herumi.mcl does not exist
import com.herumi.mcl.*;

I found com.herumi.mcl.* in mcladt. What is the relationship between mcl and mcladt?

I would like to run MCL with Java, but not on Android. Is there a way to do that?

Thanks again for your nice library.

Hi @herumi

I am interested in contributing to the repo to attempt to provide faster signature verification. For this, I wanted to understand the underlying implementation of the miller_loop and finalexp functions. As far as I understand, these functions are implemented in the llvm IR. I am having some trouble understanding what is going on. Do you have more high-level code on the miller_loop and finalexp implementation?

Kind regards

I init the mcl with code like:

static struct LibInit {
    LibInit()
    {
        mcl::bn256::initPairing(mcl::bn::CurveSNARK1); // init mcl library
    }
} s_libInit;

And I got an exception in xbyak.h RegExp::RegExp(...).
The caller function is MixPack::init and the code is
this->m = Xbyak::util::rsp + rspPos;

The static const Xbyak::util::rsp is not initialized yet.
I print the rsp, looks like:

(gdb) print Xbyak::util::rsp
$5 = {<Xbyak::Reg32e> = {<Xbyak::Reg> = {<Xbyak::Operand> = {static EXT8BIT = 32 ' ', idx_ = 0, kind_ = 0, bit_ = 0, zero_ = 0, mask_ = 0,
        rounding_ = 0}, <No data fields>}, <No data fields>}, <No data fields>}

I understand that the c++ static variables init order is somehow like magic. So it seems that I should not init the mcl by a static variable's constructor.
But I need to define some global variables looks like:

std::vector<size_t> mcl_bn128_G1::wnaf_window_table;
std::vector<size_t> mcl_bn128_G1::fixed_base_exp_window_table;
mcl_bn128_G1 mcl_bn128_G1::G1_zero;
mcl_bn128_G1 mcl_bn128_G1::G1_one;

So, what should I do? Any suggestion? Thanks.

1. What is the plaintxt range of the Elgamal ? If the mcl::ecparam::secp160k1 is used, shoud the plaintext domain be 160-bits (i.e., 2^160) ?
2. Should we need to cache all the elements in the plaintext range (the setCache method in the private key class), if we want to use Elgamal to do arithmetic computation ?

The speed of g*f (BN curve) in mcl is very fast, much faster than normal wNAF algorithm.

In my scenario, the g is hardcoded, so I think I can accelerate the speed of g*f by precompute and cache some data, for example, 2g, 4g, 8g,16g ... , then I can convert theg*fto test_bit&add. But to my surprise, I found the test_bit&add version only slightly faster (20%~30%) than mcl version.

So, what should I do? How can I accelerate the speed for 100% or more by precompute/cache? Could you please give some suggestions (or some URLs)?

include/mcl/mpir.h:1789:3: error: use of undeclared identifier 'GMP_NAIL_BITS'
__GMPN_ADD (__gmp_c, __gmp_wp, __gmp_xp, __gmp_xsize, __gmp_yp, __gmp_ysize);

Hello. When I import ffi/go/mcl.go to own project and then build, I have that error

# github.com/herumi/mcl/ffi/go/mcl
In file included from vendor/src/github.com/herumi/mcl/ffi/go/mcl/mcl.go:10:
/usr/local/include/mcl/bn.h:13:3: error: #error "define MCLBN_FP_UNIT_SIZE 4(, 6 or 8)"
  #error "define MCLBN_FP_UNIT_SIZE 4(, 6 or 8)"
   ^~~~~

Compilation finished with exit code 2

How correct build mcl to using in golang?
Thanks!!!

I think it's a stupid question...

How can I get the zero and one element in G?
Should I use G1 zero(Fp(0), Fp(0))?
And, as my understanding, the one is the generator of the G, but how to get it?

Hi，
You support two 381 bits BN curve : N-381-1 and BN-381-2. The first one is a A Family of Implementation-Friendly BN Elliptic Curves, the second one is used in relic-toolkit. Then , are they both security? And , is there other difference except their params. And which one is more faster?

I am having an issue with xbyak that is causing some of the tests (most importantly bn_test.exe) to crash. I have investigated the issue and concluded that the problem has something to do with xbyak because the problem goes away whenever xbyak is not enabled.

However having xbyak disabled leads to further breakage when trying to compile bls with the xbyak disabled mcl library. (that error is related to an undefined reference to a fp::Op related function that is #ifdef'd out in the mcl code whenever MCL_USE_XBYAK=1 is set)

It potentially causes race condition.

mcl.init(mcl.BLS12_381).then(() => {
	console.log("mcl initialized to BLS12-381.");
	console.log("G1 = " + mcl.getBasePointG1().getStr(16));
});

G1 prints as 0, so it is apparently not initialized. I can't tell from reading mcl.js how to properly initialize G1 and G2. I would like to use the same G1 and G2 points as zksnark.

I see your note on initialization but I don't see similar initialization functions in the JavaScript API. Can you please clarify how to initialize G1 and G2 in JavaScript?

Also, there is no function mcl.getBasePointG2() that we can use to verify that G2 is properly initialized.

Is Fp supposed to be a number in the range [0..p] where p defines the modular field of the elliptic curve? In BLS12-381, p is 381 bits long so Fp should also be 381 bits long. However, deserializeHexStrToFp limits the number to 256 bits.

Unable to deserialize 'eca3a7bd15e08e0f6771805cbc4b8905654e9d356d5398a2aa4cbc71a55017c'
test.js:23975 Error: fromHexStr:length must be even 63
    at Object.exports.fromHexStr (test.js:22820)
    at exports.Fp.deserializeHexStr (test.js:22950)
    at Object.exports.deserializeHexStrToFp (test.js:23113)

What I actually want to generate is a random number in [0..p). Does mcl-wasm provide a function to do that?

The build of bls includes common.mk from this repository, it contains some useful settings.

It would be good to install it into e.g. $(prefix)/share/mcl/common.mk which would be necessary for e.g. herumi/bls#17.

I found Fp has operator+-*/, and EcT has operator+-, but does not have operator*, why?
Does here have any essential reasons?

How can I get the order of G2 group of CurveSNARK1?

How can I use the BN462 curve?

I am unable to deserialize some hex strings in mcl-wasm in the browser.
The first test string is 63 hex characters so it fails due to not being an even number of characters. If I put "0" on the front to make it 64 characters, there is an error in the C code. Adding a leading space to the short string also generates an error.

How do I create an Fr number that is smaller than 32 bytes? For example, I would like mcl.deserializeHexStrToFr("07") to work. Is there an alternative method?

As a side issue, the error message is confusing. "Error: fromHexStr:length must be even 63" would be more understandable if it was "fromHexStr:length must be even; length is 63".

Code:

  	let t1str = null;
    	let t1 = null;
    	try {
    		t1str = "eca3a7bd15e08e0f6771805cbc4b8905654e9d356d5398a2aa4cbc71a55017c";
    		t1 = mcl.deserializeHexStrToFr(t1str);
    	} catch (ex) {
    		console.log("Unable to deserialize '" + t1str + "'");
    		console.log(ex);
    	}
    	
       	try {
    		t1str = "0eca3a7bd15e08e0f6771805cbc4b8905654e9d356d5398a2aa4cbc71a55017c";
    		t1 = mcl.deserializeHexStrToFr(t1str);
    	} catch (ex) {
    		console.log("Unable to deserialize '" + t1str + "'");
    		console.log(ex);
    	}

Output:

mcl initialized to BLS12-381.

test.js:23974 Unable to deserialize 'eca3a7bd15e08e0f6771805cbc4b8905654e9d356d5398a2aa4cbc71a55017c'
test.js:23975 Error: fromHexStr:length must be even 63
    at Object.exports.fromHexStr (test.js:22820)
    at exports.Fr.deserializeHexStr (test.js:22950)
    at Object.exports.deserializeHexStrToFr (test.js:23070)
    at <anonymous>:1:1

test.js:23982 Unable to deserialize '0eca3a7bd15e08e0f6771805cbc4b8905654e9d356d5398a2aa4cbc71a55017c'
test.js:23983 Error: err _wrapDeserialize
    at test.js:22856
    at exports.Fr._setter (test.js:22983)
    at exports.Fr.deserialize (test.js:23033)
    at exports.Fr.deserializeHexStr (test.js:22950)
    at Object.exports.deserializeHexStrToFr (test.js:23070)
    at <anonymous>:1:1

1. current MCL uses (CYBOZULIB_TAG release2018050) which the following error pops out.

error: ‘uintToDec’ is not a member of ‘cybozu::itoa_local’
size_t len = cybozu::itoa_local::uintToDec(buf, bufSize - pos, r);                           

2. the uintToDec is in this commit but not in release2018050.

Likely a minor issue, but pairing on Fp254BNb (I didn't check other curves) returns 0 whenever it is passed an element from G2 that is zero (if element from G1 is zero, it correctly returns 1).

I'm one of the contributors of Homebrew, a community-driven package manager for macOS.

Homebrew has a package for your creation mcl.

Homebrew needs stable releases to update package.
Since there is no release after 2014, homebrew's mcl remains old.

Are you planning any release on your homepage or Github?