Error thrown in Optimal Ate Pairing

[tarakby]

Hi, There seems to be an edge-case computation of the optimal ate pairing on BLS12-381 (at least) that tries to compute the modular inverse of zero. Although the G_T result seems correct, the inversion raises the error ERR_NO_VALID and causes core_get()->code = RLC_ERR.

This can happen when attempting to compute e(p, q)*e(p, -q) = 1 or e(p, q)*e(-p, q) = 1 for any random p in G_1, q in G_2. To reproduce:

    ep_t elemsG1[2];
    ep2_t elemsG2[2];

    // G1 points are opposite
    ep_new(elemsG1[0]);  ep_new(elemsG1[1]);
    ep_rand(elemsG1[1]); 
    ep_neg(elemsG1[0], elemsG1[1])

    // G2 points are equal
    ep2_new(elemsG2[0]); ep2_new(elemsG2[1]);
    ep2_rand(elemsG2[1]);
    ep2_copy(elemsG2[0], elemsG2[1]);

    fp12_t pair;
    fp12_new(&pair);
    // G_T identity is expected
    pp_map_sim_oatep_k12(pair, (ep_t*)(elemsG1) , (ep2_t*)(elemsG2), 2); // pair is indeed equal to 1

    ep_free(elemsG1[0]);    ep_free(elemsG1[1]);
    ep2_free(elemsG2[0]);   ep2_free(elemsG2[1]);  

The outcome includes:

ERROR THROWN in relic_fp_inv.c:204
ERROR THROWN in relic_fp_inv.c:204
ERROR THROWN in relic_fp_inv.c:204
ERROR THROWN in relic_fp_inv.c:204
ERROR THROWN in relic_fp_inv.c:204

In the example above, The G_1 points are opposite and G_2 points are equal, but the errors also happen in the case where G_1 points are equal but G_2 points are opposite.

Thanks!

[dfaranha]

You're right, this is a bug in the simultaneous decompression code. Can you please check if 44fa77621111baa1bb2cb20f9948f34a7fdba19a fixes it for you as well?

In that case, I will propagate the fix the other curve choices.

[tarakby]

Thank you for the update! I appreciate the quick reply and fix! I confirm the issue is fixed 🙏🏼