default disable to verifyOrder

5 years ago · 0eb04f7e8a
parent fbe7d2e38d
commit 0eb04f7e8a
6 changed files with 32 additions and 10 deletions
--- a/api.md
+++ b/api.md
@ -133,8 +133,8 @@ This function affects `setStr()` and `deserialize()` for G1/G2.
 void mclBn_verifyOrderG1(int doVerify);
 void mclBn_verifyOrderG2(int doVerify);
 ```
- verify if `doVerify` is 1 or does not. The default parameter is 1.
- The cost of verification is not small, so set `doVerify = 0` carefully if necessary.
+- verify if `doVerify` is 1 or does not. The default parameter is 0 because the cost of verification is not small.
+- Set `doVerify = 1` if considering subgroup attack is necessary.
 - This is not thread safe.

 ## Setter / Getter
--- a/include/mcl/bn.hpp
+++ b/include/mcl/bn.hpp
@ -1030,11 +1030,7 @@ struct Param {
 			twist_b_type = tb_generic;
 		}
 		G1::init(0, cp.b, mcl::ec::Jacobi);
-		if (isBLS12) {
-			G1::setOrder(r);
-		}
 		G2::init(0, twist_b, mcl::ec::Jacobi);
-		G2::setOrder(r);

 		const mpz_class largest_c = isBLS12 ? abs_z : gmp::abs(z * 6 + 2);
 		useNAF = gmp::getNAF(siTbl, largest_c);
@ -1074,7 +1070,6 @@ struct Param {
 		if (!*pb) return;
 		G1::init(pb, para.a, para.b);
 		if (!*pb) return;
-		G1::setOrder(Fr::getOp().mp);
 		mapTo.init(0, 0, para.curveType);
 		Fp x0, y0;
 		x0.setStr(pb, para.gx);
--- a/include/mcl/ec.hpp
+++ b/include/mcl/ec.hpp
@ -880,7 +880,7 @@ public:
 				if (ec::local::get_a_flag(y) ^ a) {
 					Fp::neg(y, y);
 				}
-				return;
+				goto verifyOrder;
 			}
 			if (fp::isZeroArray(buf, n1)) {
 				clear();
@ -935,6 +935,7 @@ public:
 				return;
 			}
 		}
+	verifyOrder:
 		if (verifyOrder_ && !isValidOrder()) {
 			*pb = false;
 		} else {
--- a/readme.md
+++ b/readme.md
@ -286,6 +286,7 @@ If `MCL_USE_OLD_MAPTO_FOR_BLS12` is defined, then the old function is used, but

 # History

+- 2019/Dec/05 v1.03 disable to check the order in setStr
 - 2019/Sep/30 v1.00 add some functions to bn.h ; [api.md](api.md).
 - 2019/Sep/22 v0.99 add mclBnG1_mulVec, etc.
 - 2019/Sep/08 v0.98 bugfix Ec::add(P, Q, R) when P == R
--- a/test/bench.hpp
+++ b/test/bench.hpp
@ -82,15 +82,15 @@ void testBench(const G1& P, const G2& Q)
 	G2 QQ;
 	std::string s;
 	s = P.getStr();
+	verifyOrderG1(true);
 	CYBOZU_BENCH_C("G1::setStr chk", C, PP.setStr, s);
 	verifyOrderG1(false);
 	CYBOZU_BENCH_C("G1::setStr    ", C, PP.setStr, s);
-	verifyOrderG1(true);
 	s = Q.getStr();
+	verifyOrderG2(true);
 	CYBOZU_BENCH_C("G2::setStr chk", C, QQ.setStr, s);
 	verifyOrderG2(false);
 	CYBOZU_BENCH_C("G2::setStr    ", C, QQ.setStr, s);
-	verifyOrderG2(true);
 	CYBOZU_BENCH_C("hashAndMapToG1", C, hashAndMapToG1, PP, "abc", 3);
 	CYBOZU_BENCH_C("hashAndMapToG2", C, hashAndMapToG2, QQ, "abc", 3);
 #endif
--- a/test/bls12_test.cpp
+++ b/test/bls12_test.cpp
@ -747,6 +747,31 @@ CYBOZU_TEST_AUTO(eth2)
 	CYBOZU_TEST_EQUAL(Q1, Q2);
 }

+CYBOZU_TEST_AUTO(deserialize)
+{
+	if (BN::param.cp.curveType != MCL_BLS12_381) return;
+	G1 P;
+	G2 Q;
+	mapToG1(P, 5);
+	mapToG2(Q, 5);
+	char buf1[128];
+	char buf2[128];
+	size_t n1 = P.serialize(buf1, sizeof(buf1));
+	CYBOZU_TEST_ASSERT(n1 > 0);
+	CYBOZU_TEST_EQUAL(P.deserialize(buf1, n1), n1);
+	size_t n2 = Q.serialize(buf2, sizeof(buf2));
+	CYBOZU_TEST_ASSERT(n2 > 0);
+	CYBOZU_TEST_EQUAL(Q.deserialize(buf2, n2), n2);
+	for (int i = 0; i < 2; i++) {
+		bool doVerify = i == 0;
+		printf("verifyOrder(%d)\n", doVerify);
+		verifyOrderG1(doVerify);
+		verifyOrderG2(doVerify);
+		CYBOZU_BENCH_C("deserializeG1", 1000, P.deserialize, buf1, n1);
+		CYBOZU_BENCH_C("deserializeG2", 1000, Q.deserialize, buf2, n2);
+	}
+}
+
 typedef std::vector<Fp> FpVec;

 void f(FpVec& zv, const FpVec& xv, const FpVec& yv)