Use Scott's subgroup membership tests for G1 and G2 of BLS12-381.

[simonmasson]

Description

Implementation of the fast subgroup check for G1 and G2 using the Scott algorithm from eprint 2021/1130.

The Scott's implementation (eprint 2021/1130) is slightly faster than Bowe's implementation:

Author	G1 subgroup check	G2 subgroup check
Bowe	50.435ns	68.635ns
Scott	42.917ns	60.793ns

closes: #XXXX

---

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

• Targeted PR against correct branch (master)
• Linked to Github issue with discussion and accepted design OR have an explanation in the PR that describes this work.
• Wrote unit tests
• Updated relevant documentation in the code
• Added a relevant changelog entry to the Pending section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer

[Pratyush]

Hmm why this rename?

[simonmasson]

Because Parameters is also used for the SWModelParameters struct... See below in this file

type G1Parameters = self::g1::Parameters

[Pratyush]

maybe instead of importing crate::*, we can use crate::Parameters wherever necessary? That way we don't have to rename anything.

[Pratyush]

Do you have a script to calculate this value? Or maybe a comment that can let us check it?

[Pratyush]

Some documentation for this would be great =)

[Pratyush]

Suggested change

	if (-*p + x_times_p).is_zero() {
	if (x_times_p - p).is_zero() {

[simonmasson]

this is not working, and neither x_times_p - *p. The only way I found is to write x_times_p + (-*p)... Any suggestion?

[Pratyush]

It was because x_times_p was GroupAffine. The following code should work:

Suggested change

	if (-*p + x_times_p).is_zero() {
	if x_times_p.add_mixed(-*p).is_zero() {

[Pratyush]

Hmm if you'd like, we can add a mul_limbs (or some other name) method similar to this one on GroupProjective: https://docs.rs/ark-ec/0.3.0/ark_ec/trait.ProjectiveCurve.html#method.mul. That way you can directly use point.mul_limbs(Parameters::X).

[Pratyush]

Alternatively, you can also just use the existing point.mul_bits(BitIteratorBE::without_leading_zeros(Parameters::X))

[simonmasson]

the mul_bits function is private and so I was not able to use it...

[Pratyush]

Suggested change

	p.mul(BigInteger([Parameters0::X[0], 0, 0, 0])).into();
	p.mul_bits(BitIteratorBE::without_leading_zeros(Parameters::X).into();

[simonmasson]

the mul_bits function is private and so I was not able to use it...

[simonmasson]

It would be much cleaner like that, I agree :)

[Pratyush]

Hmm I'll make a PR to expose that API, but for the time being we can use the existing code. If you can leave a TODO then i'll refactor to use that later.

[Pratyush]

Let's avoid the inversion here:

Suggested change

	let mut x_times_p: GroupAffine<_> =
	p.mul(BigInteger([Parameters0::X[0], 0, 0, 0])).into();
	let mut x_times_p = p.mul(BigInteger([Parameters0::X[0], 0, 0, 0]));

[Pratyush]

Suggested change

	let mut x2_times_p: GroupAffine<_> = x_times_p
	.mul(BigInteger([Parameters0::X[0], 0, 0, 0]))
	.into();
	let mut x2_times_p = x_times_p.mul(BigInteger([Parameters0::X[0], 0, 0, 0]));

[Pratyush]

Suggested change

	(x2_times_p + sigma_p).is_zero()
	x2_times_p.add_mixed(sigma_p).is_zero()

[Pratyush]

Suggested change

	let mut x_times_point: GroupAffine<_> =
	point.mul(BigInteger([Parameters0::X[0], 0, 0, 0])).into();
	let mut x_times_point =
	point.mul(BigInteger([Parameters0::X[0], 0, 0, 0]));

[Pratyush]

Some documentation on how these constants are derived would be great.

[Pratyush]

Ditto here.

[Pratyush]

Suggested change

	if Parameters0::X_IS_NEGATIVE {
	x_times_point = -x_times_point;
	}
	let p_times_point = psi(point);
	(-x_times_point + p_times_point).is_zero()
	// The check is `p_times_point - x_times_point == 0`?
	// If `x` is negative, then the LHS becomes `p_times_point + x_times_point`.
	// If `x` is positive, then it remains `p_times_point - x_times_point`.
	// So, we negate if `x` is positive, and add the result.
	if !Parameters0::X_IS_NEGATIVE {
	x_times_point = -x_times_point;
	}
	let p_times_point = psi(point);
	x_times_point.add_mixed(p_times_point).is_zero()

[Pratyush]

Left another round of reviews, focusing on adding some more documentation (eg: links to descriptions of the algorithms in papers or blogposts etc) and on not doing unnecessary affine operations. Thanks for your patience @simonmasson!

[simonmasson]

Thank you for all the comments/suggestions! I add some changes, let me know if something else is needed.

[daira]

Is there an intended distinction between ^ and ** here?

[simonmasson]

No. I will change ^ into ** here :-)

[weikengchen]

I will need to double check the paper.

Based on the paper, it seems that the following is not expected:

BETA^2 + BETA + 1 = 0

Rather, it is expected:

lambda^2 + lambda + 1 = 0

where for BLS-12, lambda = -u^2.

And, if beta is the cubic root of unity, then:

BETA^3 = 1

[weikengchen]

Let me correct my previous post.

For the beta we are finding,

BETA^3  = 1 (mod Fq)
BETA^2 + BETA + 1 = 0 (mod Fq)

Both are satisfied.

Because x^3 - 1 = (x - 1)(x^2 + x + 1).

[weikengchen]

I added some documents and renamed some method names. Let me ping @Pratyush to do a final pass.

[weikengchen]

There is some offline discussion with Simon. I will update this PR soon to reflect the discussion.

[yelhousni]

So it seems there was an error in Scott preprint for G2 membership test proof. However, the result is still correct (more on that here: https://eprint.iacr.org/2022/352.pdf).

[weikengchen]

I think one todo is to add additional comment to reference to the new paper for the proof.

It is a relief that the original method still works. (not common)