herumi / mcl

a portable and fast pairing-based cryptography library
BSD 3-Clause "New" or "Revised" License

[Confused] About verifying the mcl MCL_BN_SNARK1 curve on EVM #145

Closed benbaley closed 2 years ago

benbaley commented 2 years ago

Hi @herumi, I'm a beginner in cryptography and I don't know much about the details of the algorithm. I want to do a PairingCheck verification of the MCL_BN_SNARK1 curve on EVM. I found solidity's algorithm for BLS verification in thehubbleproject's repository, and I followed the steps below:

  1. generate a private key with the MCL_BN_SNARK1 curve in mcl and sign a message
  2. verify the signature and public key through verifySingle in EVM (bn256Pairing), but the pairing check failed
  3. further checking shows that the results of HashAndMapTo of the 2 algorithms (in mcl and thehubbleproject) are completely different
  4. I checked that both mcl and thehubbleproject use Fouque-Tibouchi; the MapToMode in mcl uses MCL_MAP_TO_MODE_ORIGINAL by default, which looks a bit like draft-irtf-cfrg-hash-to-curve-03, but the solidity implementation of thehubbleproject is more like draft-irtf-cfrg-hash-to-curve-07, or I'm not sure

Is the HashAndMapTo algorithm in mcl and thehubbleproject's solidity implementation the key to the problem? How can I verify mcl.MCL_BN_SNARK1 on EVM? Can I get your help please?

herumi commented 2 years ago

I implemented a Fouque-Tibouchi algorithm for BN_SNARK1 before. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-07 shows the algorithm not for MCL_BN_SNARK1 but for BLS12-381.

Though I do not know thehubbleproject, do you want mcl to use the same method as it?

benbaley commented 2 years ago

Thank you for your reply. Yes, I'm trying to find an algorithm that can verify the mcl.BN_SNARK1 curve signature in EVM (solidity). Do you mean that you have implemented the Fouque-Tibouchi algorithm in solidity before? Looking forward to your reply :)

herumi commented 2 years ago

There are some variations to the algorithm:

So, we have to select the same one of them. By the way, BLS12-381 is better than BN_SNARK1 because of security. Do you need BN_SNARK1?
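The variations herumi refers to can be made concrete. The following is an added example, not code from mcl or from thehubbleproject: it implements the Fouque-Tibouchi (Shallue-van de Woestijne) map to G1 of the curve y^2 = x^3 + 3 over the alt_bn128 prime (mcl's BN_SNARK1, the EVM's bn256) from the formulas in the Fouque-Tibouchi paper, and then maps the same field element under two sign conventions for y: the paper's rule (the Legendre symbol of t) and a parity rule in the style of the hash-to-curve drafts' sgn0. Both outputs lie on the curve and share the same x, yet they are different points, which is exactly why a signature produced with one hash-to-point convention fails the pairing check under another. The hash-to-field step (`hash_to_field`, sha256 reduced mod p) is a constructed stand-in and is not either project's derivation; it is there because the message-to-t step is a second place where two implementations can silently disagree. Exceptional inputs (t = 0 and 1 + b + t^2 = 0), which the paper treats specially, are rejected here.

```python
# Added example (not mcl's or thehubbleproject's code): Fouque-Tibouchi map to
# BN_SNARK1 / alt_bn128 G1 (y^2 = x^3 + 3) with two y-sign conventions.
import hashlib

# alt_bn128 / BN_SNARK1 base-field prime and curve constant b in y^2 = x^3 + B
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
B = 3
assert P % 4 == 3 and P % 3 == 1  # sqrt by exponentiation works; -3 is a square mod P


def legendre(a):
    """Legendre symbol chi(a): 1 for a square, -1 for a non-square, 0 for a == 0."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1


def sqrt_mod(a):
    """A square root of a mod P (valid because P = 3 mod 4), or None if none exists."""
    a %= P
    r = pow(a, (P + 1) // 4, P)
    return r if (r * r) % P == a else None


SQRT_M3 = sqrt_mod(P - 3)  # sqrt(-3); exists because P = 1 mod 3
assert SQRT_M3 is not None


def is_on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + B)) % P == 0


def ft_x_candidates(t):
    """The three x-coordinate candidates x1, x2, x3 of the Fouque-Tibouchi map."""
    t %= P
    denom = (1 + B + t * t) % P
    if t == 0 or denom == 0:
        # Exceptional inputs handled separately in the paper; rejected here.
        raise ValueError("t is an exceptional input for the map")
    w = SQRT_M3 * t * pow(denom, -1, P) % P
    x1 = ((P - 1 + SQRT_M3) * pow(2, -1, P) - t * w) % P  # (-1 + sqrt(-3))/2 - t*w
    x2 = (P - 1 - x1) % P                                  # -1 - x1
    x3 = (1 + pow(w * w % P, -1, P)) % P                   # 1 + 1/w^2
    return x1, x2, x3


def ft_map(t, sign_rule="legendre"):
    """Map t to a curve point. 'legendre' picks the root's sign by chi(t) as in the
    paper; 'parity' picks the root whose parity matches t (sgn0-style convention)."""
    x1, x2, x3 = ft_x_candidates(t)
    # Character-based index selection from the paper; chi(0) counts as +1 since y = 0
    # is a valid (double) root. The paper guarantees one candidate is a valid x.
    alpha = 1 if legendre(x1 ** 3 + B) >= 0 else -1
    beta = 1 if legendre(x2 ** 3 + B) >= 0 else -1
    i = ((alpha - 1) * beta) % 3 + 1
    x = (x1, x2, x3)[i - 1]
    y = sqrt_mod(x ** 3 + B)
    if y is None:
        raise ArithmeticError("no candidate was a valid x-coordinate")
    if sign_rule == "legendre":
        if legendre(t) == -1:
            y = (P - y) % P
    elif sign_rule == "parity":
        if y % 2 != (t % P) % 2:
            y = (P - y) % P
    else:
        raise ValueError("unknown sign rule")
    return x, y


def hash_to_field(msg, domain):
    """Constructed hash-to-field (sha256(domain || msg) mod P); a stand-in only."""
    return int.from_bytes(hashlib.sha256(domain + msg).digest(), "big") % P


def compare_conventions(msg, domain=b"constructed-domain"):
    """Map one message under both sign rules and report whether the points agree."""
    t = hash_to_field(msg, domain)
    a = ft_map(t, "legendre")
    b = ft_map(t, "parity")
    return {"t": t, "legendre": a, "parity": b,
            "same_x": a[0] == b[0], "same_point": a == b}


if __name__ == "__main__":
    for m in (b"hello", b"world", b"mcl"):
        r = compare_conventions(m)
        print(m, "same x:", r["same_x"], "same point:", r["same_point"])
```

Running it shows that the x-coordinate always agrees between the two conventions while the point itself agrees only when both rules happen to pick the same root, roughly half the time. A verifier on the EVM side therefore has to use the same map, the same sign rule and the same message-to-field-element derivation as the signer, or the pairing check fails even though every individual step is a correct instance of "Fouque-Tibouchi".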

benbaley commented 2 years ago

Thank you very much! I will try to find the differences between them. And, I think Ethereum will support bls12-381 later, but the implementation of bls12-381 in EVM is still for testing purposes (here) at this phase.

herumi commented 2 years ago

Do you know an implementation of EVM in C/C++/Python? If I can see it, it is easy to check the difference between mcl and EVM. (But I have many tasks, so I'm not sure I can get the time.)

benbaley commented 2 years ago

I don't know much about it either; the following items look somewhat similar 😂

herumi commented 2 years ago

I saw those links, but I could not find the algorithm of mapToPoint. Do you know the original specification document?

benbaley commented 2 years ago

The python version implementation seems to be here, but I'm not sure. I'll go with the bls12-381 implementation; after all, ETH 2.0 will support it soon. Thank you very much for your support.