The pairing equality called as part of `test_verify_g1` should fail, but this is not the case. The reason behind it is a bit "subtle", see below:

The test:
```rust
#[test]
fn test_verify_g1() {
    // one random G1 point and an unrelated random G2 point
    let powers = [rand_g1().into()];
    let tau = rand_g2().into();
    let _ = BLST::verify_g1(&powers, tau);
}
```
samples two random elements in G1 and G2 having two different $\tau$: $\tau_1 G_1$ and $\tau_2 G_2$, so, as said, the pairing check is supposed to fail. Both implementations of `verify_g1` (BLST and Arkworks) use Vitalik's batch optimization for fast verification of multiple BLS signatures, with a further optimization (due to the fact that the second input of the pairing is always the same). Looking at the BLST implementation of `verify_g1`:
```rust
fn verify_g1(powers: &[crate::G1], tau: crate::G2) -> Result<(), crate::CeremonyError> {
    // Parse ZCash format
    let powers = powers
        .into_par_iter()
        .map(|p| blst_p1_affine::try_from(*p))
        .collect::<Result<Vec<_>, _>>()?;
    let tau = blst_p2_affine::try_from(tau)?;
    let tau = p2_from_affine(&tau);

    // Compute random linear combination
    let (factors, sum) = random_factors(powers.len() - 1);
    let g2 = unsafe { *blst_p2_generator() };
    let lhs_g1 = p1s_mult_pippenger(&powers[1..], &factors[..]);
    let lhs_g2 = p2_to_affine(&p2_mult(&g2, &sum));
    let rhs_g1 = p1s_mult_pippenger(&powers[..factors.len()], &factors[..]);
    let rhs_g2 = p2_to_affine(&p2_mult(&tau, &sum));

    // Check pairing
    if pairing(&lhs_g1, &lhs_g2) != pairing(&rhs_g1, &rhs_g2) {
        return Err(CeremonyError::G1PairingFailed);
    }
    Ok(())
}
```
we note that `powers.len()` = 1, so:

- When `let (factors, sum) = random_factors(powers.len() - 1);` is called, `sum` is equal to 0
Powers arrays of length one are a verifiably illegal state of this sequencer, so this is not a security concern for this particular service. That being said, in the interest of this code being potentially reusable for other purposes, a PR with a fix is welcome :).
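The degenerate case described in the issue, and the length guard suggested as a fix, reproduced in a scalar model (added example, not the sequencer's code). Points are represented by their discrete logs and the pairing by a product mod a hypothetical tiny prime `R`; `random_factors`, `msm` and `powers_of_tau` are stand-ins with assumed signatures, not the project's helpers.

```rust
// Scalar model of the batched check in verify_g1 (added example, not the
// sequencer's code). A G1 point a*G1 is represented by the scalar a, a G2
// point b*G2 by b, and the pairing e(a*G1, b*G2) = gT^(a*b) by a*b mod R.
// R is a hypothetical tiny prime group order chosen so u64 never overflows.
const R: u64 = 7919;

fn pairing(g1: u64, g2: u64) -> u64 {
    (g1 * g2) % R
}

// Deterministic stand-in for random_factors: n nonzero factors and their sum.
// With n == 0 it returns no factors and sum == 0, exactly the degenerate case.
fn random_factors(n: usize) -> (Vec<u64>, u64) {
    let factors: Vec<u64> = (0..n as u64).map(|i| (i * 37 + 11) % R).collect();
    let sum = factors.iter().fold(0, |acc, f| (acc + f) % R);
    (factors, sum)
}

// Multi-scalar multiplication in the model (stand-in for p1s_mult_pippenger).
fn msm(points: &[u64], factors: &[u64]) -> u64 {
    points.iter().zip(factors).fold(0, |acc, (p, f)| (acc + p * f) % R)
}

// Same algebra as the BLST verify_g1 quoted above:
// e(sum r_i P_{i+1}, s*G2) == e(sum r_i P_i, s*tau*G2) with s = sum r_i.
fn verify_g1_batched(powers: &[u64], tau: u64) -> bool {
    let (factors, sum) = random_factors(powers.len() - 1);
    let lhs_g1 = msm(&powers[1..], &factors);
    let lhs_g2 = sum; // s * G2, the generator has log 1
    let rhs_g1 = msm(&powers[..factors.len()], &factors);
    let rhs_g2 = (tau * sum) % R; // s * tau*G2
    pairing(lhs_g1, lhs_g2) == pairing(rhs_g1, rhs_g2)
}

// Hardened variant: with fewer than two powers, s == 0 and the check collapses
// to 1 == 1, so reject such inputs instead of reporting them as valid.
fn verify_g1_hardened(powers: &[u64], tau: u64) -> Result<bool, &'static str> {
    if powers.len() < 2 {
        return Err("verify_g1 needs at least two powers");
    }
    Ok(verify_g1_batched(powers, tau))
}

// Builds an honest sequence [1, tau, tau^2, ...] in the model.
fn powers_of_tau(tau: u64, n: usize) -> Vec<u64> {
    std::iter::successors(Some(1u64), |&acc| Some(acc * tau % R)).take(n).collect()
}
```

A single power with an unrelated tau passes `verify_g1_batched` for any tau, which is what `test_verify_g1` observes; the hardened variant rejects it while still accepting an honest sequence and rejecting a wrong tau.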