miracl / amcl


Failed Ate2 Pairing (tested in Go) #1

Closed jstuczyn closed 5 years ago

jstuczyn commented 5 years ago

Hi!

I've got a problem getting ate2 pairings to work correctly. I'm not sure whether it is a bug or if I'm not using it the right way. Basically while I can get two 'normal' ate pairings (followed by final exponentiation) to produce expected results, the equivalent ate2 (followed by final exponentiation) fails that. I've tested the issue on BLS381 and BN254 curves. The sample code explaining the issue is as follows:

func TestPairings(t *testing.T) {
    var RAW [100]byte
    rng := amcl.NewRAND()
    rng.Clean()
    for i := 0; i < 100; i++ {
        RAW[i] = byte(i)
    }
    rng.Seed(100, RAW[:])

    ord := BLS381.NewBIGints(BLS381.CURVE_Order)

    r := BLS381.Randomnum(ord, rng)
    s := BLS381.Randomnum(ord, rng)

    gen1 := BLS381.ECP_generator()
    gen2 := BLS381.ECP2_generator()

    g1r := BLS381.G1mul(gen1, r)
    g1s := BLS381.G1mul(gen1, s)
    g2r := BLS381.G2mul(gen2, r)
    g2s := BLS381.G2mul(gen2, s)

    Gt1 := BLS381.Fexp(BLS381.Ate(g2r, g1s))
    Gt2 := BLS381.Fexp(BLS381.Ate(g2s, g1r))

    if !Gt1.Equals(Gt2) {
        // does NOT fail here
        t.Log("ate: e(rP, sQ) != e(sP, rQ)")
        t.Fail()
    }

    v := BLS381.Ate2(g2r, g1s, g2s, g1r)
    v = BLS381.Fexp(v)
    // unity test as seen at https://github.com/miracl/amcl/blob/master/version3/go/BLS.go
    if !v.Isunity() {
        // fails here
        t.Log("ate2: e(rP, sQ) != e(sP, rQ)")
        t.Fail()
    }
}

triplewz commented 5 years ago

Hello, you used Ate2 incorrectly. I used the BN254 package, and it passed.

func TestPairings(t *testing.T) {
    var RAW [100]byte
    rng := amcl.NewRAND()
    rng.Clean()
    for i := 0; i < 100; i++ {
        RAW[i] = byte(i)
    }
    rng.Seed(100, RAW[:])

    ord := BN254.NewBIGints(BN254.CURVE_Order)

    r := BN254.Randomnum(ord, rng)
    s := BN254.Randomnum(ord, rng)

    gen1 := BN254.ECP_generator()
    gen2 := BN254.ECP2_generator()

    g1r := BN254.G1mul(gen1, r)
    g1s := BN254.G1mul(gen1, s)
    g2r := BN254.G2mul(gen2, r)
    g2s := BN254.G2mul(gen2, s)

    Gt1 := BN254.Fexp(BN254.Ate(g2r, g1s))
    Gt2 := BN254.Fexp(BN254.Ate(g2s, g1r))

    if !Gt1.Equals(Gt2) {
        // does NOT fail here
        t.Log("ate: e(rP, sQ) != e(sP, rQ)")
        t.Fail()
    }

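    // Negate r modulo the group order (ord, declared above) so that the
    // product computed by Ate2 is e(-rQ, sP) * e(sQ, rP).
    r_neg := BN254.Modneg(r, ord)
    g2r_neg := BN254.G2mul(gen2, r_neg)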

    v := BN254.Ate2(g2r_neg, g1s, g2s, g1r)
    v = BN254.Fexp(v)

    if !v.Isunity() {
        t.Log("ate2: e(rP, sQ) != e(sP, rQ)")
        t.Fail()
    }
}

jstuczyn commented 5 years ago

Hi,

thanks for the clarification, it makes perfect sense now (and works as expected)!
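
The algebra behind the fix in this thread, as an added example that is not part of the original issue and is not AMCL code: a toy, insecure "pairing in the exponent" where `pair` stands in for `Fexp(Ate(...))` and `pair2` for `Fexp(Ate2(...))`. All names and the parameters p, q, g are constructed for illustration.

```go
package main

import "fmt"

// Toy stand-in for a pairing (constructed, NOT AMCL and not secure):
// G1 and G2 elements are scalars mod q, GT is the order-q subgroup of Z_p^*.
const (
	p = 2039 // prime, p = 2q + 1
	q = 1019 // prime group order
	g = 4    // generator of the order-q subgroup
)

// powmod returns b^e mod p by square-and-multiply.
func powmod(b, e uint64) uint64 {
	r := uint64(1)
	b %= p
	for ; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = r * b % p
		}
		b = b * b % p
	}
	return r
}

// pair models Fexp(Ate(Q, P)): e(aQ, bP) = g^(ab), which is bilinear.
func pair(a, b uint64) uint64 { return powmod(g, a*b%q) }

// pair2 models Fexp(Ate2(Q1, P1, Q2, P2)): the PRODUCT of two pairings.
func pair2(a, b, c, d uint64) uint64 { return pair(a, b) * pair(c, d) % p }

// modneg models Modneg(x, order): the additive inverse of x mod q.
func modneg(x uint64) uint64 { return (q - x%q) % q }

// equalViaProduct tests e(a,b) == e(c,d) as e(-a,b) * e(c,d) == 1.
func equalViaProduct(a, b, c, d uint64) bool {
	return pair2(modneg(a), b, c, d) == 1
}

func main() {
	r, s := uint64(123), uint64(456) // constructed sample scalars
	fmt.Println("e(r,s) == e(s,r):        ", pair(r, s) == pair(s, r))
	fmt.Println("pair2(r,s,s,r) is unity: ", pair2(r, s, s, r) == 1)
	fmt.Println("pair2(-r,s,s,r) is unity:", equalViaProduct(r, s, s, r))
}
```

Without the negation the product is e(r,s)^2, which is unity only when the pairing itself is trivial, so the unity check in the first test fails even though the two pairings are equal.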