Faster subgroup membership tests.

dfaranha · dfaranha · commit df6c55ee2b2c · 2022-06-19T15:33:42.000+02:00
diff --git a/include/relic_epx.h b/include/relic_epx.h
@@ -707,7 +707,7 @@ void ep2_rhs(fp2_t rhs, const ep2_t p);
  *
  * @param[in] p				- the point to test.
  */
-int ep2_on_curve(ep2_t p);
+int ep2_on_curve(const ep2_t p);
 
 /**
  * Builds a precomputation table for multiplying a random prime elliptic point.
@@ -1347,7 +1347,7 @@ void ep4_rhs(fp4_t rhs, const ep4_t p);
  *
  * @param[in] p				- the point to test.
  */
-int ep4_on_curve(ep4_t p);
+int ep4_on_curve(const ep4_t p);
 
 /**
  * Builds a precomputation table for multiplying a random prime elliptic point.
diff --git a/src/ep/relic_ep_map.c b/src/ep/relic_ep_map.c
@@ -148,11 +148,8 @@ void ep_map_from_field(ep_t p, const uint8_t *uniform_bytes, int len) {
 				break;
 			case EP_B12:
 			case EP_B24:
-				/* multiply by 1-x (x the BLS parameter) to get the correct group. */
-				/* XXX(rsw) is this guaranteed to work? It could fail if one
-				 *          of the prime-squared subgroups is cyclic, but
-				 *          maybe there's an argument that this is never the case...
-				 */
+				/* Multiply by (1-x) to get the correct group, as proven in
+				 * Piellard. https://eprint.iacr.org/2022/352.pdf */
 				fp_prime_get_par(k);
 				bn_neg(k, k);
 				bn_add_dig(k, k, 1);
diff --git a/src/epx/relic_ep2_util.c b/src/epx/relic_ep2_util.c
@@ -169,7 +169,7 @@ void ep2_rhs(fp2_t rhs, const ep2_t p) {
 }
 
 
-int ep2_on_curve(ep2_t p) {
+int ep2_on_curve(const ep2_t p) {
 	ep2_t t;
 	int r = 0;
 
diff --git a/src/epx/relic_ep4_util.c b/src/epx/relic_ep4_util.c
@@ -182,7 +182,7 @@ void ep4_rhs(fp4_t rhs, const ep4_t p) {
 }
 
 
-int ep4_on_curve(ep4_t p) {
+int ep4_on_curve(const ep4_t p) {
 	ep4_t t;
 	int r = 0;
 
diff --git a/src/pc/relic_pc_util.c b/src/pc/relic_pc_util.c
@@ -66,21 +66,19 @@ void gt_get_gen(gt_t g) {
 
 int g1_is_valid(const g1_t a) {
 	bn_t n;
-	g1_t t, u, v;
+	g1_t u, v;
 	int r = 0;
 
 	if (g1_is_infty(a)) {
 		return 0;
 	}
 
 	bn_null(n);
-	g1_null(t);
 	g1_null(u);
 	g1_null(v);
 
 	RLC_TRY {
 		bn_new(n);
-		g1_new(t);
 		g1_new(u);
 		g1_new(v);
 
@@ -90,24 +88,26 @@ int g1_is_valid(const g1_t a) {
 			r = g1_on_curve(a);
 		} else {
 			switch (ep_curve_is_pairf()) {
-				/* Formulas from "Faster Subgroup Checks for BLS12-381" by Bowe.
-				 * https://eprint.iacr.org/2019/814.pdf, together with tweaks
-				 * by Mike Scott. */
+				/* Formulas from "Co-factor clearing and subgroup membership
+				 * testing on pairing-friendly curves" by El Housni, Guillevic,
+				 * Piellard. https://eprint.iacr.org/2022/352.pdf */
 				case EP_B12:
-					/* Check [(z^2−1)](\psi(P)+P) == -P.*/
+				case EP_B24:
+					/* Check [\psi(P) == [z^2 - 1]P. */
 					fp_prime_get_par(n);
 					bn_sqr(n, n);
+					if (ep_curve_is_pairf() == EP_B24) {
+						bn_sqr(n, n);
+					}
 					bn_sub_dig(n, n, 1);
-					ep_psi(t, a);
-					ep_add(t, t, a);
-					ep_copy(u, t);
+					ep_copy(u, a);
 					for (int i = bn_bits(n) - 2; i >= 0; i--) {
 						g1_dbl(u, u);
 						if (bn_get_bit(n, i)) {
-							g1_add(u, u, t);
+							g1_add(u, u, a);
 						}
 					}
-					g1_neg(v, a);
+					ep_psi(v, a);
 					r = g1_on_curve(a) && (g1_cmp(v, u) == RLC_EQ);
 					break;
 				default:
@@ -126,7 +126,6 @@ int g1_is_valid(const g1_t a) {
 		RLC_THROW(ERR_CAUGHT);
 	} RLC_FINALLY {
 		bn_free(n);
-		g1_free(t);
 		g1_free(u);
 		g1_free(v);
 	}
@@ -183,17 +182,19 @@ int g2_is_valid(const g2_t a) {
 			r = g2_on_curve(a) && (g2_cmp(u, v) == RLC_EQ);
 		} else {
 			switch (ep_curve_is_pairf()) {
-				/* Formulas from "Faster Subgroup Checks for BLS12-381" by Bowe.
-				 * https://eprint.iacr.org/2019/814.pdf */
+				/* Formulas from "Co-factor clearing and subgroup membership
+				 * testing on pairing-friendly curves" by El Housni, Guillevic,
+				 * Piellard. https://eprint.iacr.org/2022/352.pdf */
 				case EP_B12:
+				case EP_B24:
 #if FP_PRIME == 383
 					/* Since p mod n = r, we can check instead that
 					 * psi^4(P) + P == \psi^2(P). */
 					ep2_frb(u, a, 4);
 					ep2_add(u, u, a);
 					ep2_frb(v, a, 2);
 #else
-					/* Check [z]psi^3(P) + P == \psi^2(P). */
+					/* Check \psi(P) == z(P). */
 					fp_prime_get_par(n);
 					g2_copy(u, a);
 					for (int i = bn_bits(n) - 2; i >= 0; i--) {
@@ -205,9 +206,7 @@ int g2_is_valid(const g2_t a) {
 					if (bn_sign(n) == RLC_NEG) {
 						g2_neg(u, u);
 					}
-					g2_frb(u, u, 3);
-					g2_frb(v, a, 2);
-					g2_add(u, u, a);
+					g2_frb(v, a, 1);
 #endif
 					r = g2_on_curve(a) && (g2_cmp(u, v) == RLC_EQ);
 					break;
@@ -305,15 +304,13 @@ int gt_is_valid(const gt_t a) {
 #endif
 					r &= fp12_test_cyc((void *)a);
 					break;
-#if FP_PRIME == 315 || FP_PRIME == 317 || FP_PRIME == 509
 				case EP_B24:
 					/* Check that a^u = a^p. */
 					gt_frb(u, a, 1);
 					fp24_exp_cyc_sps((void *)v, (void *)a, b, l, bn_sign(n));
 					r = (gt_cmp(u, v) == RLC_EQ);
-					r = fp24_test_cyc((void *)a);
+					r &= fp24_test_cyc((void *)a);
 					break;
-#endif
 				default:
 					/* Common case. */
 					bn_sub_dig(n, n, 1);

Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ void ep2_rhs(fp2_t rhs, const ep2_t p) {`
`169`	`169`	`}`
`170`	`170`
`171`	`171`
`172`		`-int ep2_on_curve(ep2_t p) {`
	`172`	`+int ep2_on_curve(const ep2_t p) {`
`173`	`173`	`ep2_t t;`
`174`	`174`	`int r = 0;`
`175`	`175`
Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ void ep4_rhs(fp4_t rhs, const ep4_t p) {`
`182`	`182`	`}`
`183`	`183`
`184`	`184`
`185`		`-int ep4_on_curve(ep4_t p) {`
	`185`	`+int ep4_on_curve(const ep4_t p) {`
`186`	`186`	`ep4_t t;`
`187`	`187`	`int r = 0;`
`188`	`188`