BLS12_381 G1 fromHex() Instantiation Bug #143
Comments
|
Update: ok, I already have the suspicion that I am not doing it right and this would rather expect the point coordinates. Will have a second look, leaving this open for the moment nevertheless until fully settled. |
|
Something like this mapToCurve() method? 🤔 This is not exposed though atm, right? |
|
However executing it with vector 2 from https://eips.ethereum.org/assets/eip-2537/map_fp_to_G1_bls.json errors The output of the vector is 128 bytes: But G1 element is either compressed 48 bytes (curve coordinate x is 381 (~384) bits - 384/8 = 48), or decompressed 96 bytes (x + y, both 48 bytes). I don't understand what the output means if it's not a point. |
|
🙏 Thanks for having a quick look! 
Regarding the test vectors, these describe the input and output formats required by the EVM and this still needs some transformation, e.g. for the above these are the two 48 byte coordinate values as concatenated bytes each padded to 64 bytes (if I am not mistaken). |
|
The types are not exported, but it's available if you use it in JS (type-less) script, or REPL - can be used for debugging. I will fix it. |
|
Ah, sorry, I might be thinking a bit too much in TypeScript terms. But exporting would definitely help! Side note: I also had to copy over the type for I've now applied the usage of Results are still different from the test vectors though, so e.g. for the first stdout | test/precompiles/eip-2537-bls.spec.ts > Precompiles: map_fp_to_G1_bls.json > bls_g1map_
Direct result Noble (ProjectivePoint)
{
x: 2651141094918884883245946750082163419780511923462098120393192671331038429847241762506451968056272389809307136423689n,
y: 3877564604549600802964132537294381446492072628340998558677591803218630687606854818909123819118480929847725344378738n
}
Serialized EVM byte result
0x0000000000000000000000000000000011398d3b324810a1b093f8e35aa8571cced95858207e7f49c4fd74656096d61d8a2f9a23cdb18a4dd11cd1d66f41f7090000000000000000000000000000000019316b6fb2ba7717355d5d66a361899057e1e84a6823039efc7beccefe09d023fb2713b1c415fcf278eb0c39a89b4f72Expected (to be compared with last value (EVM result)): 00000000000000000000000000000000184bb665c37ff561a89ec2122dd343f20e0f4cbcaec84e3c3052ea81d1834e192c426074b02ed3dca4e7676ce4ce48ba0000000000000000000000000000000004407b8d35af4dacc809927071fc0405218f1401a6d15af775810e4e460064bcc9468beeba82fdc751be70476c888bf3I had a closer look at the EIP again:
It seems there is a very specific definition of how a mapping is done in the context of the EIP. Is the mapping you expose in the library actually matching that? Or is this at least similar to your mapping and would it be somewhat easy [tm] to adopt? 😬 |
|
(so, and maybe some "instructions" how to read this There is still a lot of MCL code in it, since I use this for the implementation to run in parallel and compare results. So all At the end of the file there is a class |
|
Ok, but seems your implementation is relatively close to the algorithm stated already? mapToCurve: (scalars: bigint[]) => {
const { x, y } = G1_SWU(Fp.create(scalars[0]));
return isogenyMapG1(x, y);
}Can't fully judge though. |
|
Ah, sorry, I'll stop soon, but also just to let you know: so what already basically works atm are the g1add, g1mul, g2add and g2mul precompiles. 🙂 |
|
I've just added eip2537 vectors that pass, check out 7d04544 |
|
Oh, how cool is that! Looks good as far as I can judge! This needs a release, right? I have now also added basic integrations for the msm precompiles, using a naive implementation (the EIP mentions an optimized algorithm Pippenger's algorithm which should be used, but I would assume that So, msm also generally seems to work (some 0/infinity cases still failing, but otherwise tests pass). 🙂 |
|
I don't want to release something which would need a new release to fix bugs after they appear in monorepo. The suggestion is that we polish it until everything is smooth. Could you use the unreleased version for now? There are 3 different ways:
|
|
Makes sense! Done: https://github.com/holgerd77/noble-curves/tree/build-1b1fe7f Tests (for mapFpToG1) passes! 🙂
Great! 🎉 Will report back for G2. |
|
Oh wait, I used MCL. 🤦 Wait... |
|
Typing seems to be a bit more complicated, is there a way to get this to a
|
|
I can also change my So: it works, final confirmation (for G1)! 🎉
|
|
Ah, ok, so for G2 it is not working yet:
This still seems to need some generalization. |
|
Have you managed to find finalExponentiate? It’s a method on Fp12. Fp12 is created with pairing. |
|
Will look into pairing likely tomorrow, thanks for the pointer |
|
fp2 to g2 fixed in 5fcd71a |
|
Aaaaaannd pairing precompile basically working as well! 🎉 
Thanks a lot for your help so far! 🙏 I have some 0/infinity edge cases still missing (in total 8/131 of our local tests are still failing), but I think we definitely have a PoC that all works! I think I'll take the whole next week still for cleaning things up, fixing the last tests and generally looking at edge cases, since all this is pretty complex and I think deserves some more attention still. So no need to imminently rush a release (as you want), maybe we can target end of next week, would that work? Or still rather too early? |
Of course. What's up with pairing(G1, 0) == pairing(0, G2)? I assume 0 is I think the error needs to be try-catched at your level. https://eips.ethereum.org/EIPS/eip-2537#abi-for-pairing-check
The question is whether noble has valid behavior; or not. |
|
Ah, thanks, yeah, that was easy to add: if (G1 === bls12_381.G1.ProjectivePoint.ZERO || G2 === bls12_381.G2.ProjectivePoint.ZERO) {
return ONE_BUFFER
}
I've a few more of these 0/infinity cases in other precompiles as well, will try to fix them throughout the morning. |
Ok, all local tests with Noble passing!! 🎉 After a second thought, if you could bring forward a release that would actually help me on the process. I would feel comfortable enough on the changes from my side. Thing is that with my GitHub integration, installed versions for This should go away with an npm integration and with this I could then properly with the official cross-client BLS tests from https://github.com/ethereum/tests, which gets easier when I can trigger the CI by pushing the code (atm the build fails). |
|
I will publish the release today. |
|
and keep an eye on ethereum/js-ethereum-cryptography#113 |
We are currently switchign to use
@noble/curvesas default for the BLS precompiles, see ethereumjs/ethereumjs-monorepo#3471.Right now I am implementing the precompile for mapping an FP element to a G1 point (also see EIP).
Not yet working, I was trying to use the
bls12_381.G1.ProjectivePoint.fromHex()method for this.Beside the question that I am not 100% sure if this is the right way to do it there might be a bug in the method implementation:
Using
@noble/curvesv1.4.0gives following error on this test:Uncaught Error: Invalid point G1, expected 48/96 bytes at fromBytes (/ethereumjs-monorepo/packages/evm/node_modules/@noble/curves/src/bls12-381.ts:1179:15) at Function.fromHex (/ethereumjs-monorepo/packages/evm/node_modules/@noble/curves/src/abstract/weierstrass.ts:318:34) at /ethereumjs-monorepo/packages/evm/src/precompiles/<repl>.ts:1:42 at Script.runInThisContext (node:vm:136:12) at runInContext (/.nvm/versions/node/v20.12.2/lib/node_modules/ts-node/src/repl.ts:673:19) at Object.execCommand (/.nvm/versions/node/v20.12.2/lib/node_modules/ts-node/src/repl.ts:639:28) at /.nvm/versions/node/v20.12.2/lib/node_modules/ts-node/src/repl.ts:661:47 at Array.reduce (<anonymous>) at appendCompileAndEvalInput (/.nvm/versions/node/v20.12.2/lib/node_modules/ts-node/src/repl.ts:661:23) at evalCodeInternal (/.nvm/versions/node/v20.12.2/lib/node_modules/ts-node/src/repl.ts:222:12)I guess this should work if I am not overlooking something obvious?
The text was updated successfully, but these errors were encountered: