diff --git a/api.md b/api.md
index a2e285b..eee225d 100644
--- a/api.md
+++ b/api.md
@@ -133,8 +133,8 @@ This function affects `setStr()` and `deserialize()` for G1/G2.
 void mclBn_verifyOrderG1(int doVerify);
 void mclBn_verifyOrderG2(int doVerify);
 ```
-- verify if `doVerify` is 1 or does not. The default parameter is 1.
-- The cost of verification is not small, so set `doVerify = 0` carefully if necessary.
+- verify if `doVerify` is 1 or does not. The default parameter is 0 because the cost of verification is not small.
+- Set `doVerify = 1` if considering subgroup attack is necessary.
 - This is not thread safe.
 
 ## Setter / Getter
diff --git a/include/mcl/bn.hpp b/include/mcl/bn.hpp
index c74840c..b56f6ba 100644
--- a/include/mcl/bn.hpp
+++ b/include/mcl/bn.hpp
@@ -1030,11 +1030,7 @@ struct Param {
 		twist_b_type = tb_generic;
 	}
 	G1::init(0, cp.b, mcl::ec::Jacobi);
-	if (isBLS12) {
-		G1::setOrder(r);
-	}
 	G2::init(0, twist_b, mcl::ec::Jacobi);
-	G2::setOrder(r);
 	const mpz_class largest_c = isBLS12 ? abs_z : gmp::abs(z * 6 + 2);
 	useNAF = gmp::getNAF(siTbl, largest_c);
 
@@ -1074,7 +1070,6 @@ struct Param {
 		if (!*pb) return;
 		G1::init(pb, para.a, para.b);
 		if (!*pb) return;
-		G1::setOrder(Fr::getOp().mp);
 		mapTo.init(0, 0, para.curveType);
 		Fp x0, y0;
 		x0.setStr(pb, para.gx);
diff --git a/include/mcl/ec.hpp b/include/mcl/ec.hpp
index 195394d..8cf3a49 100644
--- a/include/mcl/ec.hpp
+++ b/include/mcl/ec.hpp
@@ -880,7 +880,7 @@ public:
 			if (ec::local::get_a_flag(y) ^ a) {
 				Fp::neg(y, y);
 			}
-			return;
+			goto verifyOrder;
 		}
 		if (fp::isZeroArray(buf, n1)) {
 			clear();
@@ -935,6 +935,7 @@ public:
 				return;
 			}
 		}
+	verifyOrder:
 		if (verifyOrder_ && !isValidOrder()) {
 			*pb = false;
 		} else {
diff --git a/readme.md b/readme.md
index 60539b5..5f6a06b 100644
--- a/readme.md
+++ b/readme.md
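Review bot: With `G1::setOrder(r)` and `G2::setOrder(r)` removed here, and `G1::setOrder(Fr::getOp().mp)` removed in the second bn.hpp hunk, nothing left in the diff records the group order, so a caller who later opts back in with `mclBn_verifyOrderG1(1)` gets an `isValidOrder()` that compares against whatever `order_` the `init()` calls leave behind; if that is zero the check accepts every point and the opt-in described in api.md is a no-op. I cannot see `setOrder()` from the hunk, but if it is also what used to switch `verifyOrder_` on, the narrower change is to keep the three `setOrder()` calls and clear only the flag through the same setter that `verifyOrderG1(false)` reaches. Either way a one-line comment at the `G1::init` call would record the decision, e.g. `// the order is not registered here; subgroup membership of decoded points is opt-in via verifyOrderG1/G2`. The enclosing function starts and ends outside this hunk.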
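Review bot: `goto verifyOrder;` jumps forward over roughly fifty lines of the enclosing function (which starts and ends outside this hunk), so the jump stays well-formed only while no variable with a non-trivial initializer is declared between here and the `verifyOrder:` label; a future `Fp t = ...;` or `std::string` added in between turns it into a compile error, and the control flow is hard to audit in the routine that decides whether untrusted input is accepted. The effect itself is the right one, since the compressed-encoding branch previously returned a point that skipped the subgroup check, but a `bool` set here and tested at the end, or moving the final check into a private helper called from both exits, keeps the same behaviour without the label. At minimum annotate the jump: `goto verifyOrder; // compressed form decoded; still subject to the opt-in subgroup check`.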
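Review bot: The `return;` two lines above the new `verifyOrder:` label is still an exit that never reaches `isValidOrder()`; from the hunk I cannot tell whether that path is an error exit with `*pb` already false or a successful decode, and in the latter case it would hand back a point that bypasses the subgroup check this label was introduced to centralise. Worth confirming, and if it is a success path, routing it through the label as well. Since the label is now the single point where all accepted encodings converge, give it a comment: `verifyOrder: // every successfully decoded encoding ends here; the order check is opt-in via verifyOrder_`. The enclosing function, apparently the deserialize routine, continues outside the hunk.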
@@ -286,6 +286,7 @@ If `MCL_USE_OLD_MAPTO_FOR_BLS12` is defined, then the old function is used, but
 
 # History
 
+- 2019/Dec/05 v1.03 disable to check the order in setStr
 - 2019/Sep/30 v1.00 add some functions to bn.h ; [api.md](api.md).
 - 2019/Sep/22 v0.99 add mclBnG1_mulVec, etc.
 - 2019/Sep/08 v0.98 bugfix Ec::add(P, Q, R) when P == R
diff --git a/test/bench.hpp b/test/bench.hpp
index cf2a728..c8c3911 100644
--- a/test/bench.hpp
+++ b/test/bench.hpp
@@ -82,15 +82,15 @@ void testBench(const G1& P, const G2& Q)
 	G2 QQ;
 	std::string s;
 	s = P.getStr();
+	verifyOrderG1(true);
 	CYBOZU_BENCH_C("G1::setStr chk", C, PP.setStr, s);
 	verifyOrderG1(false);
 	CYBOZU_BENCH_C("G1::setStr ", C, PP.setStr, s);
-	verifyOrderG1(true);
 	s = Q.getStr();
+	verifyOrderG2(true);
 	CYBOZU_BENCH_C("G2::setStr chk", C, QQ.setStr, s);
 	verifyOrderG2(false);
 	CYBOZU_BENCH_C("G2::setStr ", C, QQ.setStr, s);
-	verifyOrderG2(true);
 	CYBOZU_BENCH_C("hashAndMapToG1", C, hashAndMapToG1, PP, "abc", 3);
 	CYBOZU_BENCH_C("hashAndMapToG2", C, hashAndMapToG2, QQ, "abc", 3);
 #endif
diff --git a/test/bls12_test.cpp b/test/bls12_test.cpp
index c967006..fe0ca7a 100644
--- a/test/bls12_test.cpp
+++ b/test/bls12_test.cpp
@@ -747,6 +747,31 @@ CYBOZU_TEST_AUTO(eth2)
 	CYBOZU_TEST_EQUAL(Q1, Q2);
 }
 
+CYBOZU_TEST_AUTO(deserialize)
+{
+	if (BN::param.cp.curveType != MCL_BLS12_381) return;
+	G1 P;
+	G2 Q;
+	mapToG1(P, 5);
+	mapToG2(Q, 5);
+	char buf1[128];
+	char buf2[128];
+	size_t n1 = P.serialize(buf1, sizeof(buf1));
+	CYBOZU_TEST_ASSERT(n1 > 0);
+	CYBOZU_TEST_EQUAL(P.deserialize(buf1, n1), n1);
+	size_t n2 = Q.serialize(buf2, sizeof(buf2));
+	CYBOZU_TEST_ASSERT(n2 > 0);
+	CYBOZU_TEST_EQUAL(Q.deserialize(buf2, n2), n2);
+	for (int i = 0; i < 2; i++) {
+		bool doVerify = i == 0;
+		printf("verifyOrder(%d)\n", doVerify);
+		verifyOrderG1(doVerify);
+		verifyOrderG2(doVerify);
+		CYBOZU_BENCH_C("deserializeG1", 1000, P.deserialize, buf1, n1);
+		CYBOZU_BENCH_C("deserializeG2", 1000, Q.deserialize, buf2, n2);
+	}
+}
+
 typedef std::vector FpVec;
 void f(FpVec& zv, const FpVec& xv, const FpVec& yv)