feat(ecc): Add subgroup check BLS12-381 using untwist frobenius endomorphism (#649)

* add naive subgroup check to pairing

* add naive test

* fmt

* move subgroup check to IsGroup trait

* nits

* add jacobian point file

* refactor to use endomorphism

* nit

* Add untwist tests

* nit

* add out of subgroup checks

* add doc comments

* fix fmt

* add unwraps to groth16

* make imports compatible with std

* fmt

* nits

* ci

---------

Co-authored-by: Mauro Toscano <[email protected]>

Author: PatStiles

crypto/src/commitments/kzg.rs

@@ -200,7 +200,7 @@ impl<const N: usize, F: IsPrimeField<RepresentativeType = UnsignedInteger<N>>, P
                 &(alpha_g2.operate_with(&(g2.operate_with_self(x.representative())).neg())),
             ),
         ]);
-        e == FieldElement::one()
+        e == Ok(FieldElement::one())
     }
 
     fn open_batch(

math/src/elliptic_curve/short_weierstrass/curves/bls12_381/compression.rs

@@ -1,27 +1,21 @@
 use super::field_extension::BLS12381PrimeField;
-use crate::cyclic_group::IsGroup;
-use crate::elliptic_curve::short_weierstrass::curves::bls12_381::curve::BLS12381Curve;
-use crate::elliptic_curve::short_weierstrass::point::ShortWeierstrassProjectivePoint;
-use crate::field::element::FieldElement;
-use crate::unsigned_integer::element::U256;
-
-#[cfg(feature = "std")]
 use crate::{
-    elliptic_curve::traits::FromAffine, errors::ByteConversionError, traits::ByteConversion,
+    elliptic_curve::short_weierstrass::{
+        curves::bls12_381::curve::BLS12381Curve, point::ShortWeierstrassProjectivePoint,
+    },
+    field::element::FieldElement,
 };
 #[cfg(feature = "std")]
 use std::{cmp::Ordering, ops::Neg};
 
+#[cfg(feature = "std")]
+use crate::{
+    cyclic_group::IsGroup, elliptic_curve::traits::FromAffine, errors::ByteConversionError,
+    traits::ByteConversion,
+};
+
 pub type G1Point = ShortWeierstrassProjectivePoint<BLS12381Curve>;
 pub type BLS12381FieldElement = FieldElement<BLS12381PrimeField>;
-const MODULUS: U256 =
-    U256::from_hex_unchecked("73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001");
-
-pub fn check_point_is_in_subgroup(point: &G1Point) -> bool {
-    let inf = G1Point::neutral_element();
-    let aux_point = point.operate_with_self(MODULUS);
-    inf == aux_point
-}
 
 #[cfg(feature = "std")]
 pub fn decompress_g1_point(input_bytes: &mut [u8; 48]) -> Result<G1Point, ByteConversionError> {
@@ -68,7 +62,8 @@ pub fn decompress_g1_point(input_bytes: &mut [u8; 48]) -> Result<G1Point, ByteCo
     let point =
         G1Point::from_affine(x, y.clone()).map_err(|_| ByteConversionError::InvalidValue)?;
 
-    check_point_is_in_subgroup(&point)
+    point
+        .is_in_subgroup()
         .then_some(point)
         .ok_or(ByteConversionError::PointNotInSubgroup)
 }
@@ -117,13 +112,13 @@ mod tests {
     fn test_zero_point() {
         let g1 = BLS12381Curve::generator();
 
-        assert!(super::check_point_is_in_subgroup(&g1));
+        assert!(g1.is_in_subgroup());
         let new_x = BLS12381FieldElement::zero();
         let new_y = BLS12381FieldElement::one() + BLS12381FieldElement::one();
 
         let false_point2 = G1Point::from_affine(new_x, new_y).unwrap();
 
-        assert!(!super::check_point_is_in_subgroup(&false_point2));
+        assert!(!false_point2.is_in_subgroup());
     }
 
     #[cfg(feature = "std")]

math/src/elliptic_curve/short_weierstrass/curves/bls12_381/curve.rs

@@ -1,10 +1,18 @@
-use super::field_extension::{BLS12381PrimeField, Degree2ExtensionField};
+use super::{
+    field_extension::{BLS12381PrimeField, Degree2ExtensionField},
+    twist::BLS12381TwistCurve,
+};
+use crate::cyclic_group::IsGroup;
 use crate::elliptic_curve::short_weierstrass::point::ShortWeierstrassProjectivePoint;
 use crate::elliptic_curve::traits::IsEllipticCurve;
+use crate::unsigned_integer::element::U256;
 use crate::{
     elliptic_curve::short_weierstrass::traits::IsShortWeierstrass, field::element::FieldElement,
 };
 
+pub const SUBGROUP_ORDER: U256 =
+    U256::from_hex_unchecked("73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001");
+
 pub type BLS12381FieldElement = FieldElement<BLS12381PrimeField>;
 pub type BLS12381TwistCurveFieldElement = FieldElement<Degree2ExtensionField>;
 
@@ -35,18 +43,111 @@ impl IsShortWeierstrass for BLS12381Curve {
     }
 }
 
+/// This is equal to the frobenius trace of the BLS12 381 curve minus one or seed value z.
+pub const MILLER_LOOP_CONSTANT: u64 = 0xd201000000010000;
+
+/// 𝛽 : primitive cube root of unity of 𝐹ₚ that §satisfies the minimal equation
+/// 𝛽² + 𝛽 + 1 = 0 mod 𝑝
+pub const CUBE_ROOT_OF_UNITY_G1: BLS12381FieldElement = FieldElement::from_hex_unchecked(
+    "5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
+);
+
+/// x-coordinate of 𝜁 ∘ 𝜋_q ∘ 𝜁⁻¹, where 𝜁 is the isomorphism u:E'(𝔽ₚ₆) −> E(𝔽ₚ₁₂) from the twist to E
+pub const ENDO_U: BLS12381TwistCurveFieldElement =
+BLS12381TwistCurveFieldElement::const_from_raw([
+    FieldElement::from_hex_unchecked("0"),
+    FieldElement::from_hex_unchecked("1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad")
+]);
+
+/// y-coordinate of 𝜁 ∘ 𝜋_q ∘ 𝜁⁻¹, where 𝜁 is the isomorphism u:E'(𝔽ₚ₆) −> E(𝔽ₚ₁₂) from the twist to E
+pub const ENDO_V: BLS12381TwistCurveFieldElement =
+BLS12381TwistCurveFieldElement::const_from_raw([
+    FieldElement::from_hex_unchecked("135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2"),
+    FieldElement::from_hex_unchecked("6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09")
+]);
+
+impl ShortWeierstrassProjectivePoint<BLS12381Curve> {
+    /// Returns 𝜙(P) = (𝑥, 𝑦) ⇒ (𝛽𝑥, 𝑦), where 𝛽 is the Cube Root of Unity in the base prime field
+    /// https://eprint.iacr.org/2022/352.pdf 2 Preliminaries
+    fn phi(&self) -> Self {
+        // This clone is unsightly
+        let mut a = self.clone();
+        a.0.value[0] = a.x() * CUBE_ROOT_OF_UNITY_G1;
+        a
+    }
+
+    /// 𝜙(P) = −𝑢²P
+    /// https://eprint.iacr.org/2022/352.pdf 4.3 Prop. 4
+    pub fn is_in_subgroup(&self) -> bool {
+        self.operate_with_self(MILLER_LOOP_CONSTANT)
+            .operate_with_self(MILLER_LOOP_CONSTANT)
+            .neg()
+            == self.phi()
+    }
+}
+
+impl ShortWeierstrassProjectivePoint<BLS12381TwistCurve> {
+    /// 𝜓(P) = 𝜁 ∘ 𝜋ₚ ∘ 𝜁⁻¹, where 𝜁 is the isomorphism u:E'(𝔽ₚ₆) −> E(𝔽ₚ₁₂) from the twist to E,, 𝜋ₚ is the p-power frobenius endomorphism
+    /// and 𝜓 satisifies minmal equation 𝑋² + 𝑡𝑋 + 𝑞 = 𝑂
+    /// https://eprint.iacr.org/2022/352.pdf 4.2 (7)
+    fn psi(&self) -> Self {
+        let [x, y, z] = self.coordinates();
+        Self::new([
+            x.conjugate() * ENDO_U,
+            y.conjugate() * ENDO_V,
+            z.conjugate(),
+        ])
+    }
+
+    /// 𝜓(P) = 𝑢P, where 𝑢 = SEED of the curve
+    /// https://eprint.iacr.org/2022/352.pdf 4.2
+    pub fn is_in_subgroup(&self) -> bool {
+        self.psi() == self.operate_with_self(MILLER_LOOP_CONSTANT).neg()
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
     use crate::{
-        cyclic_group::IsGroup, elliptic_curve::traits::EllipticCurveError,
+        cyclic_group::IsGroup,
+        elliptic_curve::{
+            short_weierstrass::curves::bls12_381::field_extension::BLS12381_PRIME_FIELD_ORDER,
+            traits::EllipticCurveError,
+        },
         field::element::FieldElement,
+        unsigned_integer::element::U384,
     };
 
-    use super::BLS12381Curve;
+    // -15132376222941642751 = MILLER_LOOP_CONSTANT + 1 = -d20100000000ffff
+    // we want the positive of this coordinate based on x^2 - tx + q
+    pub const TRACE_OF_FROBENIUS: U256 = U256::from_u64(15132376222941642751);
+
+    const ENDO_U_2: BLS12381TwistCurveFieldElement =
+    BLS12381TwistCurveFieldElement::const_from_raw([
+        FieldElement::from_hex_unchecked("1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac"),
+        FieldElement::from_hex_unchecked("0")
+    ]);
+
+    const ENDO_V_2: BLS12381TwistCurveFieldElement =
+    BLS12381TwistCurveFieldElement::const_from_raw([
+        FieldElement::from_hex_unchecked("1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa"),
+        FieldElement::from_hex_unchecked("0")
+    ]);
+
+    // Cmoputes the psi^2() 'Untwist Frobenius Endomorphism'
+    fn psi_square(
+        p: &ShortWeierstrassProjectivePoint<BLS12381TwistCurve>,
+    ) -> ShortWeierstrassProjectivePoint<BLS12381TwistCurve> {
+        let [x, y, z] = p.coordinates();
+        // Since power of frobenius map is 2 we apply once as applying twice is inverse
+        ShortWeierstrassProjectivePoint::new([x * ENDO_U_2, y * ENDO_V_2, z.clone()])
+    }
 
     #[allow(clippy::upper_case_acronyms)]
     type FEE = FieldElement<BLS12381PrimeField>;
+    #[allow(clippy::upper_case_acronyms)]
+    type FTE = FieldElement<Degree2ExtensionField>;
 
     fn point_1() -> ShortWeierstrassProjectivePoint<BLS12381Curve> {
         let x = FEE::new_base("36bb494facde72d0da5c770c4b16d9b2d45cfdc27604a25a1a80b020798e5b0dbd4c6d939a8f8820f042a29ce552ee5");
@@ -117,4 +218,74 @@ mod tests {
             g.operate_with_self(3_u16)
         );
     }
+
+    #[test]
+    fn generator_g1_is_in_subgroup() {
+        let g = BLS12381Curve::generator();
+        assert!(g.is_in_subgroup())
+    }
+
+    #[test]
+    fn arbitrary_g1_point_is_in_subgroup() {
+        let g = BLS12381Curve::generator().operate_with_self(32u64);
+        assert!(g.is_in_subgroup())
+    }
+
+    //TODO
+    #[test]
+    fn arbitrary_g1_point_not_in_subgroup() {
+        let x = FEE::new_base("178212cbe4a3026c051d4f867364b3ea84af623f93233b347ffcd3d6b16f16e0a7aedbe1c78d33c6beca76b2b75c8486");
+        let y = FEE::new_base("13a8b1347e5b43bc4051754b2a29928b5df78cf03ca3b1f73d0424b09fccdef116c9f0ecbec7420a99b2dd785209e9d");
+        let p = BLS12381Curve::create_point_from_affine(x, y).unwrap();
+        assert!(!p.is_in_subgroup())
+    }
+
+    #[test]
+    fn generator_g2_is_in_subgroup() {
+        let g = BLS12381TwistCurve::generator();
+        assert!(g.is_in_subgroup())
+    }
+
+    #[test]
+    fn arbitrary_g2_point_is_in_subgroup() {
+        let g = BLS12381TwistCurve::generator().operate_with_self(32u64);
+        assert!(g.is_in_subgroup())
+    }
+
+    //`TODO`
+    #[test]
+    fn arbitrary_g2_point_not_in_subgroup() {
+        let x = FTE::new([
+            FEE::new(U384::from_hex_unchecked("97798b4a61ac301bbee71e36b5174e2f4adfe3e1729bdae1fcc9965ae84181be373aa80414823eed694f1270014012d")),
+            FEE::new(U384::from_hex_unchecked("c9852cc6e61868966249aec153b50b29b3c22409f4c7880fd13121981c103c8ef84d9ea29b552431360e82cf69219fa"))
+        ]);
+        let y = FTE::new([
+            FEE::new(U384::from_hex_unchecked("16cb3a60f3fa52c8273aceeb94c4c7303e8074aa9eedec7355bbb1e8cceedd4ec1497f573f62822140377b8e339619ed")),
+            FEE::new(U384::from_hex_unchecked("1cd919b08afe06bebe9adf6223a55868a6fd8b77efc5c67b60fff39be36e9b44b7f10db16827c83b43ad2dad1947778"))
+        ]);
+
+        let p = BLS12381TwistCurve::create_point_from_affine(x, y).unwrap();
+        assert!(!p.is_in_subgroup())
+    }
+
+    #[test]
+    fn g2_conjugate_works() {
+        let a = FTE::zero();
+        let mut expected = a.conjugate();
+        expected = expected.conjugate();
+
+        assert_eq!(a, expected);
+    }
+
+    #[test]
+    fn untwist_morphism_has_minimal_poly() {
+        // generator
+        let p = BLS12381TwistCurve::generator();
+        let psi_square = psi_square(&p);
+        let tx = p.psi().operate_with_self(TRACE_OF_FROBENIUS).neg();
+        let q = p.operate_with_self(BLS12381_PRIME_FIELD_ORDER);
+        // Minimal Polynomial of Untwist Frobenius Endomorphism: X^2 + tX + q, where X = psh(P) -> psi(p)^2 - t * psi(p) + q * p = 0
+        let min_poly = psi_square.operate_with(&tx.neg()).operate_with(&q);
+        assert!(min_poly.is_neutral_element())
+    }
 }

math/src/elliptic_curve/short_weierstrass/curves/bls12_381/field_extension.rs

@@ -181,6 +181,11 @@ impl FieldElement<Degree2ExtensionField> {
     pub fn new_base(a_hex: &str) -> Self {
         Self::new([FieldElement::new(U384::from(a_hex)), FieldElement::zero()])
     }
+
+    pub fn conjugate(&self) -> Self {
+        let [a, b] = self.value();
+        Self::new([a.clone(), -b])
+    }
 }
 
 impl FieldElement<Degree6ExtensionField> {

math/src/elliptic_curve/short_weierstrass/curves/bls12_381/pairing.rs

@@ -1,18 +1,26 @@
-use super::field_extension::{Degree12ExtensionField, Degree2ExtensionField};
-use crate::{
-    elliptic_curve::short_weierstrass::curves::bls12_381::field_extension::Degree6ExtensionField,
-    field::element::FieldElement, unsigned_integer::element::UnsignedInteger,
+use super::{
+    curve::{BLS12381Curve, MILLER_LOOP_CONSTANT},
+    field_extension::{Degree12ExtensionField, Degree2ExtensionField},
+    twist::BLS12381TwistCurve,
 };
-
-use super::{curve::BLS12381Curve, twist::BLS12381TwistCurve};
 use crate::{
     cyclic_group::IsGroup,
-    elliptic_curve::short_weierstrass::curves::bls12_381::field_extension::LevelTwoResidue,
-    elliptic_curve::short_weierstrass::point::ShortWeierstrassProjectivePoint,
-    elliptic_curve::short_weierstrass::traits::IsShortWeierstrass,
-    elliptic_curve::traits::IsPairing, field::extensions::cubic::HasCubicNonResidue,
+    elliptic_curve::{
+        short_weierstrass::{
+            curves::bls12_381::field_extension::{Degree6ExtensionField, LevelTwoResidue},
+            point::ShortWeierstrassProjectivePoint,
+            traits::IsShortWeierstrass,
+        },
+        traits::IsPairing,
+    },
+    errors::PairingError,
+    field::{element::FieldElement, extensions::cubic::HasCubicNonResidue},
+    unsigned_integer::element::{UnsignedInteger, U256},
 };
 
+pub const SUBGROUP_ORDER: U256 =
+    U256::from_hex_unchecked("73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001");
+
 #[derive(Clone)]
 pub struct BLS12381AtePairing;
 impl IsPairing for BLS12381AtePairing {
@@ -23,21 +31,22 @@ impl IsPairing for BLS12381AtePairing {
     /// Compute the product of the ate pairings for a list of point pairs.
     fn compute_batch(
         pairs: &[(&Self::G1Point, &Self::G2Point)],
-    ) -> FieldElement<Self::OutputField> {
+    ) -> Result<FieldElement<Self::OutputField>, PairingError> {
         let mut result = FieldElement::one();
         for (p, q) in pairs {
+            if !p.is_in_subgroup() || !q.is_in_subgroup() {
+                return Err(PairingError::PointNotInSubgroup);
+            }
             if !p.is_neutral_element() && !q.is_neutral_element() {
                 let p = p.to_affine();
                 let q = q.to_affine();
                 result = result * miller(&q, &p);
             }
         }
-        final_exponentiation(&result)
+        Ok(final_exponentiation(&result))
     }
 }
 
-/// This is equal to the frobenius trace of the BLS12 381 curve minus one.
-const MILLER_LOOP_CONSTANT: u64 = 0xd201000000010000;
 fn double_accumulate_line(
     t: &mut ShortWeierstrassProjectivePoint<BLS12381TwistCurve>,
     p: &ShortWeierstrassProjectivePoint<BLS12381Curve>,
@@ -255,20 +264,33 @@ mod tests {
                 &p.operate_with_self(a * b).to_affine(),
                 &q.neg().to_affine(),
             ),
-        ]);
+        ])
+        .unwrap();
         assert_eq!(result, FieldElement::one());
     }
 
     #[test]
     fn ate_pairing_returns_one_when_one_element_is_the_neutral_element() {
         let p = BLS12381Curve::generator().to_affine();
         let q = ShortWeierstrassProjectivePoint::neutral_element();
-        let result = BLS12381AtePairing::compute_batch(&[(&p.to_affine(), &q)]);
+        let result = BLS12381AtePairing::compute_batch(&[(&p.to_affine(), &q)]).unwrap();
         assert_eq!(result, FieldElement::one());
 
         let p = ShortWeierstrassProjectivePoint::neutral_element();
         let q = BLS12381TwistCurve::generator();
-        let result = BLS12381AtePairing::compute_batch(&[(&p, &q.to_affine())]);
+        let result = BLS12381AtePairing::compute_batch(&[(&p, &q.to_affine())]).unwrap();
         assert_eq!(result, FieldElement::one());
     }
+
+    #[test]
+    fn ate_pairing_errors_when_one_element_is_not_in_subgroup() {
+        let p = ShortWeierstrassProjectivePoint::new([
+            FieldElement::one(),
+            FieldElement::one(),
+            FieldElement::one(),
+        ]);
+        let q = ShortWeierstrassProjectivePoint::neutral_element();
+        let result = BLS12381AtePairing::compute_batch(&[(&p.to_affine(), &q)]);
+        assert!(result.is_err())
+    }
 }