cloudflare / bn256 Goto Github PK

Another Go release, another breakage. We've updated to Go 1.12 a couple days ago, and just noticed that the ARM64 builder is choking on the bn256 assembly code.

https://travis-ci.org/ethereum/go-ethereum/jobs/499751860#L2129

I tried using this package inside a go plugin and it doesn't work as expected. When attempting to Unmarshal() a G2, a "bn256: malformed point" error is returned.

I made a minimal example here. I checked the bug with versions 1.12.13 and 1.13.5 of go.

I suspect this might be the result of using assembly, but I never used assembly in go, so I don't have the expertise to properly check this hypothesis. If this is the case it's probably more of a go issue, but I wanted to ask here first, maybe you can help me somehow.

Sorry for not using the template the contributing guidelines mention, but I couldn't find it.

Hey guys!
I was wondering what algo or calculator you used to determine the NAF representation of u ?
More context: I was breezing through go-ethereum's implementation and the NAF form caught my eye (see ethereum/go-ethereum#27957). Now from what I know, the NAF form cannot have non zero bits adjacent to each other but not sure whether there can be some exceptions to this.

https://godoc.org/golang.org/x/crypto/bn256 refers to this package as a faster implementation, but also warns that neither version provides 128-bit security.

However, https://godoc.org/github.com/cloudflare/bn256 still says it offers 128-bit security.

Presumably the cloudflare/bn256 documentation should be updated similarly to the x/crypto/bn256 documentation?

(Disclaimer: I don't know anything about bn256, the linked moderncrypto post is jibberish to me.)

While investigating dedis/kyber#400, I found that this package (which kyber is derived from) has a behaviour that seems surprising. After adding a point to itself, it is no longer on the curve. If you add two unrelated points, the point stays on the curve:

func TestG2_2add(t *testing.T) {
	_, Ga, err := RandomG2(rand.Reader)
	if err != nil {
		t.Fatal(err)
	}
	_, Gb, err := RandomG2(rand.Reader)
	if err != nil {
		t.Fatal(err)
	}
	Ga.Add(Ga, Gb)
	require.True(t, Ga.p.IsOnCurve())
	Ga.Add(Ga, Ga)
	require.True(t, Ga.p.IsOnCurve())
}

func TestG2_2mul(t *testing.T) {
	_, Ga, err := RandomG2(rand.Reader)
	if err != nil {
		t.Fatal(err)
	}
	two := bigFromBase10("2")
	Ga.ScalarMult(Ga, two)
	ma := Ga.Marshal()

	_, err = Ga.Unmarshal(ma)
	// fails due to "bn256: malformed point"
	require.NoError(t, err)
}

As the second test shows, multiply by 2 also creates this situation where the twistPoint is no longer on the curve (detected by the IsOnCurve inside of Unmarshal).

Thanks to @tobowers and @Daeinar for help finding this.

Hello,
when I tested gfp,func GFpNeg and GFpSub returned a correct result, but GFpAdd returned a wrong one.So I wonder if there exits a problem?

1.Testing GFpNeg (pass).

func TestGFpNeg(t *testing.T) {
	n := &gfP{0x0123456789abcdef, 0xfedcba9876543210, 0xdeadbeefdeadbeef, 0xfeebdaedfeebdaed}
	w := &gfP{0xfedcba9876543211, 0x0123456789abcdef, 0x2152411021524110, 0x0114251201142512}
	h := &gfP{}

	gfpNeg(h, n)
	if *h != *w {
		t.Errorf("negation mismatch: have %#x, want %#x", *h, *w)
	}
}

2.Tesing GFpSub (pass).

func TestGFpSub(t *testing.T) {
	a := &gfP{0x0123456789abcdef, 0xfedcba9876543210, 0xdeadbeefdeadbeef, 0xfeebdaedfeebdaed}
	b := &gfP{0xfedcba9876543210, 0x0123456789abcdef, 0xfeebdaedfeebdaed, 0xdeadbeefdeadbeef}
	w := &gfP{0x02468acf13579bdf, 0xfdb97530eca86420, 0xdfc1e401dfc1e402, 0x203e1bfe203e1bfd}
	h := &gfP{}

	gfpSub(h, a, b)
	if *h != *w {
		t.Errorf("subtraction mismatch: have %#x, want %#x", *h, *w)
	}
}

3.Tesing GFpAdd (failed).

func TestGfpAdd(t *testing.T) {
	a := &gfP{0x0123456789abcdef, 0xfedcba9876543210, 0xdeadbeefdeadbeef, 0xfeebdaedfeebdaed}
	b := &gfP{0xfedcba9876543210, 0x0123456789abcdef, 0xfeebdaedfeebdaed, 0xdeadbeefdeadbeef}
	a_neg := &gfP{0xfedcba9876543211, 0x0123456789abcdef, 0x2152411021524110, 0x0114251201142512}
	c1 := &gfP{}
	c2 := &gfP{}

	gfpAdd(c1,b,a_neg)
	gfpSub(c2,b,a)

	if *c1 != *c2 {
		t.Errorf("c1 should equal to c2!")
	}
}

Do not know if this project still accept new enhancement, this change can improve pairing performance more than 30%.

emmansun@b532ebb

Reference:

• Fast Squaring in the Cyclotomic Subgroup
• dclxvi

#19 wasn't the right way to fix that issue, the lattices branch should be 1 commit ahead of master (with the one commit being the implementation of lattices).

Hello,when I tried to run the test cases of the lattice version, it failed because of "github.com/cloudflare/bn256.gfpMul: relocation target runtime.support_bmi2 not defined", what's the reason? And how to solve this problem? Thanks.

Hello,
I want to use a new bn curve (y^2=x^3+b) with the following parameters:

b:5
u:600000000058F98A
p(u)=36u⁴+36u³+24u²+6u+1
p:B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D
n(u)=36u⁴+36u³+18u²+6u+1
n:B640000002A3A6F1D603AB4FF58EC74449F2934B18EA8BEEE56EE19CD69ECF25
G1x:93DE051D62BF718FF5ED0704487D01D6E1E4086909DC3280E8C4E4817C66DDDD
G1y:21FE8DDA4F21E607631065125C395BBC1C1C00CBFA6024350C464CD70A3EA616
F(p^2)=Fp(i),where i^2 = -2

How to set the parameters?
Thanks.

Hey all, @Bren2010. We've received a downstream PR against go-ethereum that supposedly improves addition by a factor of 3. Would you be interested in maybe reviewing and upstreaming this PR here? ethereum/go-ethereum#21515

As the title says.

Thank you for your work on this library.

I was wondering if there are any plans to implement hashing to curve G2. Right now, I see the implementation for hashing to curve G1.

Hi!
The official implementation lacks hashing to G1/G2 which is vital for some applications like implementation of the Pythia PRF Service ( https://eprint.iacr.org/2015/644.pdf http://pages.cs.wisc.edu/~ace/papers/pythia-talk.pdf ) and short signatures.

I know there exist implementations and docs for those:
https://www.di.ens.fr/~fouque/pub/latincrypt12.pdf

https://github.com/ace0/relic/blob/master/src/ep/relic_ep_map.c#L39 (C, G1)
https://github.com/ace0/relic/blob/master/src/epx/relic_ep2_map.c#L163 (C, G2)

https://github.com/randombit/pairings.py/blob/master/bn256.py#L1076 (Python, G1)

it would be so helpful if you implemented it along with your optimizations.

Thanks in advance

This is not in the master branch but on the lattices branch.

After the (potentially secret) scalar decomposition, the following code uses a branch if x.BitLen() > maxLen that depends on the scalar hence on potentially secret data:

edit: Reading the scalar mul and addition, seems like in general the code isn't constant-time. Feel free to close in that case.

This will not compile with Go 1.11.

You can use golang.org/x/sys/cpu instead: https://godoc.org/golang.org/x/sys/cpu#pkg-variables

I have not found it in Faster Computation of the Tate Pairing or http://cryptojedi.org/papers/dclxvi-20100714.pdf.