ECP2 multiply by FP in golang? about core HOT 15 CLOSED

miracl commented on July 21, 2024

ECP2 multiply by FP in golang?

from core.

Comments (15)

mcarrickscott commented on July 21, 2024

Hello Alex, What you are doing seems rather unusual, and so there is no supported way of doing it. Normally an elliptic curve point is defined as coordinates modulo p. These field coordinates are managed by the FP type. Curve points are multiplied by group elements, that is BIG numbers modulo r, where r is the size of the group. But if you really want to multiply an ECP2 by an FP, then you need to first convert the FP to a BIG (and ideally reduce it modulo the group order r). So what you tried with your getter should have worked. What went wrong? Did it fail to compile, or did you get an unexpected result? Mike

…

On Thu, Mar 11, 2021 at 2:13 AM Alex Guo ***@***.***> wrote: Hi there, I'm looking through ECP2.go, we need a way to multiply ECP2 struct with a FP. What is the general way to do this? Already tried this and it didn't work: func (E *ECP2) mul(e *BIG) *ECP2 { along with a GetBIG getter: func (F *FP) GetBIG() *BIG { F.reduce() return F.redc() } I'm willing to contribute the code for it as long as I can see it'll be straightforward. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#39>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAU3ZDSO6T46AVRBOS52WODTDAKKJANCNFSM4Y7KD7HA> .

from core.

mallochine commented on July 21, 2024

Compiled, but got an unexpected result.

Are you familiar with herumi/bls?

Is there anything like the "evaluatePolynomial" that is in herumi/bls? Because that's where the ECP2 * FP appears.

https://github.com/herumi/mcl/blob/0114a3029f74829e79dc51de6dfb28f5da580632/include/mcl/lagrange.hpp#L64

/*
	out = f(x) = c[0] + c[1] * x + c[2] * x^2 + ... + c[cSize - 1] * x^(cSize - 1)
	@retval 0 if succeed else -1 (if cSize == 0)
*/
template<class G, class T>
void evaluatePolynomial(bool *pb, G& out, const G *c, size_t cSize, const T& x)
{
	if (cSize == 0) {
		*pb = false;
		return;
	}
	if (cSize == 1) {
		out = c[0];
		*pb = true;
		return;
	}
	G y = c[cSize - 1];
	for (int i = (int)cSize - 2; i >= 0; i--) {
		G::mul(y, y, x);
		G::add(y, y, c[i]);
	}
	out = y;
	*pb = true;
}

from core.

mcarrickscott commented on July 21, 2024

OK, so that is a templated function. I don't see how or where G and T are actually instantiated, but I guess G is an ECP2 and T is an FP ?? I would also guess that you are doing some kind of multi-signature on BLS curves using a secret sharing scheme?? Can you point me to the calling code? Not immediately familiar with the details, but I strongly suspect that T should in fact be a BIG (modulo the group order), not an FP. Does your code work OK for the case cSize=1? Mike Elliptic curve points are multiplied by

…

On Thu, Mar 11, 2021 at 10:49 AM Alex Guo ***@***.***> wrote: Compiled, but got an unexpected result. Are you familiar with herumi/bls? Is there anything like the "evaluatePolynomial" that is in herumi/bls? Because that's where the ECP2 * FP appears. https://github.com/herumi/mcl/blob/0114a3029f74829e79dc51de6dfb28f5da580632/include/mcl/lagrange.hpp#L64 /* out = f(x) = c[0] + c[1] * x + c[2] * x^2 + ... + c[cSize - 1] * x^(cSize - 1) @RetVal 0 if succeed else -1 (if cSize == 0) */ template<class G, class T> void evaluatePolynomial(bool *pb, G& out, const G *c, size_t cSize, const T& x) { if (cSize == 0) { *pb = false; return; } if (cSize == 1) { out = c[0]; *pb = true; return; } G y = c[cSize - 1]; for (int i = (int)cSize - 2; i >= 0; i--) { G::mul(y, y, x); G::add(y, y, c[i]); } out = y; *pb = true; } — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#39 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAU3ZDSBDFGNOH3FOASWPXTTDCGZXANCNFSM4Y7KD7HA> .

from core.

mallochine commented on July 21, 2024

Regarding calling code, I have taken notes on those indeed. They are

https://github.com/herumi/bls-go-binary/blob/master/bls/bls.go#L457

// Set --
func (pub *PublicKey) Set(mpk []PublicKey, id *ID) error {
  // #nosec
  ret := C.blsPublicKeyShare(&pub.v, &mpk[0].v, (C.mclSize)(len(mpk)), &id.v)
  if ret != 0 {
    return fmt.Errorf("err blsPublicKeyShare")
  }
  return nil
}

https://github.com/herumi/bls/blob/4ae022a6bb71dc518d81f22141d71d2a1f767ab3/src/bls_c_impl.hpp#L567

int blsPublicKeyShare(blsPublicKey *pub, const blsPublicKey *mpk, mclSize k, const blsId *id)
{
  bool b;
  mcl::evaluatePolynomial(&b, *cast(&pub->v), cast(&mpk->v), k, *cast(&id->v));
  return b ? 0 : -1;
}

from core.

mallochine commented on July 21, 2024

The structs are defined here, where Fr is just FP without a modulo (is that the same thing as BIG?)

https://github.com/herumi/bls/blob/8b240cf9f80c9b3c20d05ecab74b086065e72b31/include/bls/bls.h#L60

typedef struct {
	mclBnFr v;
} blsId;

typedef struct {
#ifdef BLS_ETH
	mclBnG1 v;
#else
	mclBnG2 v;
#endif
} blsPublicKey;

https://github.com/herumi/mcl/blob/0114a3029f74829e79dc51de6dfb28f5da580632/include/mcl/bn.h#L96

typedef struct {
  mclBnFp x, y, z;
} mclBnG1;

typedef struct {
  mclBnFp2 x, y, z;
} mclBnG2;

from core.

mallochine commented on July 21, 2024

seems to me like I've reached a deadend, where miracl/core simply doesn't do the same thing as herumi/bls

You have no idea how sad this makes me.

from core.

mallochine commented on July 21, 2024

This is Fr, maybe this explains the problem:

#ifndef MCLBN_FP_UNIT_SIZE
	#error "define MCLBN_FP_UNIT_SIZE 4(, 6 or 8)"
#endif
#ifndef MCLBN_FR_UNIT_SIZE
	#define MCLBN_FR_UNIT_SIZE MCLBN_FP_UNIT_SIZE
#endif

/*
	G1 and G2 are isomorphism to Fr
*/
typedef struct {
	uint64_t d[MCLBN_FR_UNIT_SIZE];
} mclBnFr;

from core.

mcarrickscott commented on July 21, 2024

As it happens this just appeared - https://eprint.iacr.org/2021/323.pdf Which suggests a way forward. Rather than following the c code at https://github.com/herumi/bls-eth-go-binary instead look to the rust code at https://github.com/sigp/milagro_bls This latter implementation is based on the Milagro library, from which miracl core is forked. Mike

…

On Fri, Mar 12, 2021 at 4:21 AM Alex Guo ***@***.***> wrote: This is Fr, maybe this explains the problem: #ifndef MCLBN_FP_UNIT_SIZE #error "define MCLBN_FP_UNIT_SIZE 4(, 6 or 8)" #endif #ifndef MCLBN_FR_UNIT_SIZE #define MCLBN_FR_UNIT_SIZE MCLBN_FP_UNIT_SIZE #endif /* G1 and G2 are isomorphism to Fr */ typedef struct { uint64_t d[MCLBN_FR_UNIT_SIZE]; } mclBnFr; — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#39 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAU3ZDUV75X5CAO3C7H3UKTTDGCCBANCNFSM4Y7KD7HA> .

from core.

mallochine commented on July 21, 2024

Hey, reading through milagro_bls gave me new ideas for where things could be going wrong! Thanks!

Basically I think I was using the wrong mul!

herumi/bls uses:

		G::mul(y, y, x);
		G::add(y, y, c[i]);

That a group mul, which means the function I should've been using was "G2mul" in PAIR.go

from core.

mallochine commented on July 21, 2024

OK sorry to trouble you so far for the questions! If you have a minute to quickly answer -- is "ECP2.Add" (ECP2.go) the same thing as G::add? Just a sanity check...

from core.

mallochine commented on July 21, 2024

I have in my notes from corresponding with herumi that the naive algorithm for mul and add should be:

The naive algorithm is (x + y) % r and (x * y) % r.

from core.

mcarrickscott commented on July 21, 2024

To manipulate group elements (not to be confused with field elements - FPs), the appropriate functions are Modmult/Modadd/Modsqr and Modneg from BIGXX.go Note that there are two ways of implementing BLS, as signatures and public keys can be in G1 and G2, or the other way around. Depends on which it is more important to keep small, signatures or public keys. In miracl core this needs to be explicitly implemented (see the notes in testbls.cpp for more details). It seems herumi implements the same idea via code like typedef struct { #ifdef BLS_ETH mclBnG1 v; #else mclBnG2 v; #endif } blsPublicKey; Mike

…

On Fri, Mar 12, 2021 at 11:23 PM Alex Guo ***@***.***> wrote: I have in my notes from corresponding with herumi that the naive algorithm for mul and add should be: The naive algorithm is (x + y) % r and (x * y) % r. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#39 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAU3ZDV7FDU7M7X5OYT5PI3TDKH63ANCNFSM4Y7KD7HA> .

from core.

mallochine commented on July 21, 2024

HUGE THANKS TO YOU Michael Scott! For helping illuminate the math behind what's going on here.

The final root cause analysis

ECP2.mul definitely the wrong function to use. Should've been G2mul
FP.mul and FP.add were also the wrong functions, should've been Modmul, Modadd using the CURVE_Order as you so greatly pointed out.

Want me to contribute open source code for this?

It would be the miracl/core port of herumi/bls "blsPublicKeyShare", "PublicKey.Set", "SecretKey.Set". I don't think you have this code in there yet.

It looks like this:

func (sk *SecretKey) Set(msk []SecretKey, id *ID) error {
  if len(msk) == 0 {
    return errors.New("No secret keys given.")
  }
  if len(msk) == 1 {
    sk.v = msk[0].CloneFP()
    return nil
  }
  sk.v = msk[len(msk)-1].CloneFP()

  m := BN254.NewBIGints(BN254.CURVE_Order)
  sk0 := sk.v.GetBIG()
  id0 := id.v.GetBIG()

  for i := len(msk) - 2; i >= 0; i-- {
    sk0 = BN254.Modmul(sk0, id0, m)
    sk0 = BN254.Modadd(sk0, msk[i].v.GetBIG(), m)
  }

  sk.v = BN254.NewFPbig(sk0)

  return nil
}

func (pk *PublicKey) Set(pks []PublicKey, id *ID) error {
  pk.v = BN254.NewECP2()
  if len(pks) == 0 {
    return errors.New("No secret keys given.")
  }
  pk.v.Copy(pks[len(pks)-1].v)
  if len(pks) == 1 {
    return nil
  }
  for i := len(pks) - 2; i >= 0; i-- {
    pk.v = BN254.G2mul(pk.v, id.v.GetBIG())
    pk.v.Add(pks[i].v)
  }
  return nil
}

from core.

mcarrickscott commented on July 21, 2024

Hello Alex, That's great that it all worked out.. I have a policy that new features should be supported across ALL languages, which will be a lot of work. I will probably get around to it eventually as it seems a popular application of BLS signature. Having your code in here as an issue will suffice for now, but thanks for the offer. Mike

…

On Tue, Mar 16, 2021 at 7:34 AM Alex Guo ***@***.***> wrote: HUGE THANKS TO YOU Michael Scott! For helping illuminate the math behind what's going on here. The final root cause analysis 1. ECP2.mul definitely the wrong function to use. Should've been G2mul 2. FP.mul and FP.add were also the wrong functions, should've been Modmul, Modadd using the CURVE_Order as you so greatly pointed out. Want me to contribute open source code for this? It would be the miracl/core port of herumi/bls "blsPublicKeyShare", "PublicKey.Set", "SecretKey.Set". I don't think you have this code in there yet. It looks like this: func (sk *SecretKey) Set(msk []SecretKey, id *ID) error { if len(msk) == 0 { return errors.New("No secret keys given.") } if len(msk) == 1 { sk.v = msk[0].CloneFP() return nil } sk.v = msk[len(msk)-1].CloneFP() m := BN254.NewBIGints(BN254.CURVE_Order) sk0 := sk.v.GetBIG() id0 := id.v.GetBIG() for i := len(msk) - 2; i >= 0; i-- { sk0 = BN254.Modmul(sk0, id0, m) sk0 = BN254.Modadd(sk0, msk[i].v.GetBIG(), m) } sk.v = BN254.NewFPbig(sk0) return nil } func (pk *PublicKey) Set(pks []PublicKey, id *ID) error { pk.v = BN254.NewECP2() if len(pks) == 0 { return errors.New("No secret keys given.") } pk.v.Copy(pks[len(pks)-1].v) if len(pks) == 1 { return nil } for i := len(pks) - 2; i >= 0; i-- { pk.v = BN254.G2mul(pk.v, id.v.GetBIG()) pk.v.Add(pks[i].v) } return nil } — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#39 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAU3ZDS4BFMNHH3PNLZPC3TTD4CXHANCNFSM4Y7KD7HA> .

from core.

mallochine commented on July 21, 2024

OK, that's fine, but feel free to ping me anytime for questions about how herumi/bls implemented Set for PublicKey and SecretKey!

SecretKey was FP, PublicKey was ECP2 (i.e. G2).

from core.

ECP2 multiply by FP in golang? about core HOT 15 CLOSED

Comments (15)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent