Unexpected failure of ep2_mul[_lwnaf] above the prime group order

[FiloSottile]

I have a point and I want to scale it by the cofactor. I get three different answers with three different methods.

ep2_mul_basic

void ep2_scale_by_cofactor(ep2_t p) {
    bn_t k;
    bn_new(k);
    bn_read_str(k, "5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5", 127, 16); // FROM RUST IMPLEMENTATION
    ep2_mul_basic(p, p, k);
    bn_free(k);
}

This matches the result of the ebfull/pairing Rust implementation when used with the cofactor lifted from there.

https://github.com/ebfull/pairing/blob/a8583dd81840d1b970ff90905bfa582d67910e41/src/bls12_381/ec.rs#L1346-L1353

ep2_mul

void ep2_scale_by_cofactor(ep2_t p) {
    bn_t k;
    bn_new(k);
    bn_read_str(k, "5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5", 127, 16); // FROM RUST IMPLEMENTATION
    ep2_mul(p, p, k); // FOR SOME REASON ep2_mul[_lwnaf] returns a wrong result
    bn_free(k);
}

Using the default ep2_mul implementation returns a different result when used with the same cofactor value.

ep2_mul_cof_b12

Using the ahem unexported ep2_mul_cof_b12 from ep2_map returns a yet different result.

---

Full cmake:

cmake -DALLOC=DYNAMIC -DFP_PRIME=381 \
		-DSHLIB=off -DSTLIB=on -DRAND=UDEV -DTESTS=1 -DBENCH=0 \
		-DCOMP="-O3 -funroll-loops -Wno-unused-function"

[conradoplg]

From what I understand, ep2_mul_lwnaf calls ep2_mul_glv_imp which only works modulo the prime group order, so it can't be used to multiply by the cofactor. (Yep, needs better documentation... 😓 )

As per ep2_mul_cof_b12, at a glance, I have no idea... @dfaranha, do you remember from where that formula comes from?

[FiloSottile]

I think it's not just a matter of documentation, if possible a error should be raised instead of returning a wrong value, and maybe ep2_mul shouldn't be a macro for a limited multiplication function.

[conradoplg]

Agreed, makes sense to raise an error.

I think the idea is that ep2_mul is guaranteed to work only on the prime-order subgroup. Again, needs better documentation...

[FiloSottile]

>>> x = -0xd201000000010000
>>> cofactor = (x**8 - 4*x**7 + 5*x**6 - 4*x**4 + 6*x**3 - 4*x**2 - 4*x + 13) / 9
>>> hex(cofactor)
'0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5L'

The value I lifted from the code checks out with the formula (x⁸ - 4x⁷ + 5x⁶ - 4x⁴ + 6x³ - 4x² - 4x + 13) / 9 from https://github.com/ebfull/pairing/blob/master/src/bls12_381/README.md.

The x variable corresponds with fp_param_get_var:

>>> x == -(2**63 + 2**62 + 2**60 + 2**57 + 2**48 + 2**16)
True

Now I'm trying to match this to the formula in ep2_mul_cof_b12, which AFAICT is:

(x² - x - 1)P + Ψ(x - 1)P + Ψ²(2P)

But that's where I am stuck.

[conradoplg]

The formula seems to match section 4.1 of https://eprint.iacr.org/2017/419.pdf , needs more investigation...

[conradoplg]

From a cursory reading, it does states that it multiplies the point by a multiple of the cofactor, which would explain the difference.

[dfaranha]

Exactly, the method of Fuentes et al. computes a compact expansion of a multiple of the cofactor using lattice reduction.

[FiloSottile]

Thanks, that explains ep2_mul_cof_b12, about which I can't complain anyway since it's unexported.

In FiloSottile/powersoftau#3 I verified the value of the coefficient, so I think the only issue left is about the unexpected failure of ep2_mul[_lwnaf].

[mogisawa]

Hello. (I hope my poor english make a sence ...)
I think better that it is left as it is. I think ep2_mul[_lwnaf] is designed for the sub-group.
In the general, computing in the sub-group is faster. And once a point in the sub-group, scalar-multiplication(or add, double, sub) computed in the sub-group.
So we should know when a point in the sub-group is generated by cofactor multiplication of a point on the curve whole. Because before/after of cofactor*P shows different characteristic.
In addition, checking by computing is too expensive.
Use ep2_mul_basic with general point, including points that is not in sub-group,
use ep2_mul with points that in sub-group only,
and use ep2_mul_cof_b12 with general points to mapping to sub-group, it does not cofactor multiplicate.

[dfaranha]

Thanks again for the feedback!

The documentation of the ep2 module now explicitly states this limitation of the ep2_mul() macro and general implementation.
I added ep2_mul_big() for the general case when the scalar is beyond the order and ep2_mul_cof for multiplication by the cofactor (or small multiples of it) in a way that the resulting point is in the large prime order subgroup.

Hope it is a bit more clear for future users.