Unexpected failure of ep2_mul[_lwnaf] above the prime group order about relic HOT 10 CLOSED

From what I understand, ep2_mul_lwnaf calls ep2_mul_glv_imp which only works modulo the prime group order, so it can't be used to multiply by the cofactor. (Yep, needs better documentation... 😓 )

As per ep2_mul_cof_b12, at a glance, I have no idea... @dfaranha, do you remember from where that formula comes from?

from relic.

I think it's not just a matter of documentation, if possible a error should be raised instead of returning a wrong value, and maybe ep2_mul shouldn't be a macro for a limited multiplication function.

from relic.

Agreed, makes sense to raise an error.

I think the idea is that ep2_mul is guaranteed to work only on the prime-order subgroup. Again, needs better documentation...

from relic.

>>> x = -0xd201000000010000
>>> cofactor = (x**8 - 4*x**7 + 5*x**6 - 4*x**4 + 6*x**3 - 4*x**2 - 4*x + 13) / 9
>>> hex(cofactor)
'0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5L'

The value I lifted from the code checks out with the formula (x⁸ - 4x⁷ + 5x⁶ - 4x⁴ + 6x³ - 4x² - 4x + 13) / 9 from https://github.com/ebfull/pairing/blob/master/src/bls12_381/README.md.

The x variable corresponds with fp_param_get_var:

>>> x == -(2**63 + 2**62 + 2**60 + 2**57 + 2**48 + 2**16)
True

Now I'm trying to match this to the formula in ep2_mul_cof_b12, which AFAICT is:

(x² - x - 1)P + Ψ(x - 1)P + Ψ²(2P)

But that's where I am stuck.

from relic.

The formula seems to match section 4.1 of https://eprint.iacr.org/2017/419.pdf , needs more investigation...

from relic.

From a cursory reading, it does states that it multiplies the point by a multiple of the cofactor, which would explain the difference.

from relic.

Exactly, the method of Fuentes et al. computes a compact expansion of a multiple of the cofactor using lattice reduction.

from relic.

Thanks, that explains ep2_mul_cof_b12, about which I can't complain anyway since it's unexported.

In FiloSottile/powersoftau#3 I verified the value of the coefficient, so I think the only issue left is about the unexpected failure of ep2_mul[_lwnaf].

from relic.

Hello. (I hope my poor english make a sence ...)
I think better that it is left as it is. I think ep2_mul[_lwnaf] is designed for the sub-group.
In the general, computing in the sub-group is faster. And once a point in the sub-group, scalar-multiplication(or add, double, sub) computed in the sub-group.
So we should know when a point in the sub-group is generated by cofactor multiplication of a point on the curve whole. Because before/after of cofactor*P shows different characteristic.
In addition, checking by computing is too expensive.
Use ep2_mul_basic with general point, including points that is not in sub-group,
use ep2_mul with points that in sub-group only,
and use ep2_mul_cof_b12 with general points to mapping to sub-group, it does not cofactor multiplicate.

from relic.

Thanks again for the feedback!

The documentation of the ep2 module now explicitly states this limitation of the ep2_mul() macro and general implementation.
I added ep2_mul_big() for the general case when the scalar is beyond the order and ep2_mul_cof for multiplication by the cofactor (or small multiples of it) in a way that the resulting point is in the large prime order subgroup.

Hope it is a bit more clear for future users.

from relic.