native: move BLS12-381-related operations to a separate file

No functional changes, just refactoring.

Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>
This commit is contained in:
Anna Shaleva 2023-06-15 18:57:59 +03:00
parent ea13fbe94a
commit 31e2076810
2 changed files with 207 additions and 159 deletions

View file

@ -7,7 +7,6 @@ import (
"fmt" "fmt"
"math/big" "math/big"
bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
"github.com/consensys/gnark-crypto/ecc/bls12-381/fr" "github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
"github.com/decred/dcrd/dcrec/secp256k1/v4" "github.com/decred/dcrd/dcrec/secp256k1/v4"
"github.com/nspcc-dev/neo-go/pkg/core/dao" "github.com/nspcc-dev/neo-go/pkg/core/dao"
@ -190,31 +189,12 @@ func (c *Crypto) bls12381Deserialize(_ *interop.Context, args []stackitem.Item)
if err != nil { if err != nil {
panic(fmt.Errorf("invalid serialized bls12381 point: %w", err)) panic(fmt.Errorf("invalid serialized bls12381 point: %w", err))
} }
var res interface{} p := new(blsPoint)
switch l := len(buf); l { err = p.FromBytes(buf)
case bls12381.SizeOfG1AffineCompressed: if err != nil {
g1Affine := new(bls12381.G1Affine) panic(err)
_, err = g1Affine.SetBytes(buf)
if err != nil {
panic(fmt.Errorf("failed to decode bls12381 G1Affine point: %w", err))
}
res = g1Affine
case bls12381.SizeOfG2AffineCompressed:
g2Affine := new(bls12381.G2Affine)
_, err = g2Affine.SetBytes(buf)
if err != nil {
panic(fmt.Errorf("failed to decode bls12381 G2Affine point: %w", err))
}
res = g2Affine
case bls12381.SizeOfGT:
gt := new(bls12381.GT)
err := gt.SetBytes(buf)
if err != nil {
panic(fmt.Errorf("failed to decode GT point: %w", err))
}
res = gt
} }
return stackitem.NewInterop(blsPoint{point: res}) return stackitem.NewInterop(*p)
} }
func (c *Crypto) bls12381Equal(_ *interop.Context, args []stackitem.Item) stackitem.Item { func (c *Crypto) bls12381Equal(_ *interop.Context, args []stackitem.Item) stackitem.Item {
@ -236,77 +216,12 @@ func (c *Crypto) bls12381Add(_ *interop.Context, args []stackitem.Item) stackite
if !(okA && okB) { if !(okA && okB) {
panic("some of the arguments are not a bls12381 point") panic("some of the arguments are not a bls12381 point")
} }
var res interface{}
switch x := a.point.(type) { p, err := blsPointAdd(a, b)
case *bls12381.G1Affine: if err != nil {
switch y := b.point.(type) { panic(err)
case *bls12381.G1Affine:
xJac := new(bls12381.G1Jac)
xJac.FromAffine(x)
xJac.AddMixed(y)
res = xJac
case *bls12381.G1Jac:
yJac := new(bls12381.G1Jac)
yJac.Set(y)
yJac.AddMixed(x)
res = yJac
default:
panic(fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y))
}
case *bls12381.G1Jac:
resJac := new(bls12381.G1Jac)
resJac.Set(x)
switch y := b.point.(type) {
case *bls12381.G1Affine:
resJac.AddMixed(y)
case *bls12381.G1Jac:
resJac.AddAssign(y)
default:
panic(fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y))
}
res = resJac
case *bls12381.G2Affine:
switch y := b.point.(type) {
case *bls12381.G2Affine:
xJac := new(bls12381.G2Jac)
xJac.FromAffine(x)
xJac.AddMixed(y)
res = xJac
case *bls12381.G2Jac:
yJac := new(bls12381.G2Jac)
yJac.Set(y)
yJac.AddMixed(x)
res = yJac
default:
panic(fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y))
}
case *bls12381.G2Jac:
resJac := new(bls12381.G2Jac)
resJac.Set(x)
switch y := b.point.(type) {
case *bls12381.G2Affine:
resJac.AddMixed(y)
case *bls12381.G2Jac:
resJac.AddAssign(y)
default:
panic(fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y))
}
res = resJac
case *bls12381.GT:
resGT := new(bls12381.GT)
resGT.Set(x)
switch y := b.point.(type) {
case *bls12381.GT:
// It's multiplication, see https://github.com/neo-project/Neo.Cryptography.BLS12_381/issues/4.
resGT.Mul(x, y)
default:
panic(fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y))
}
res = resGT
default:
panic(fmt.Errorf("add: unexpected bls12381 point type: %T", x))
} }
return stackitem.NewInterop(blsPoint{point: res}) return stackitem.NewInterop(p)
} }
func scalarFromBytes(bytes []byte, neg bool) (*fr.Element, error) { func scalarFromBytes(bytes []byte, neg bool) (*fr.Element, error) {
@ -347,46 +262,11 @@ func (c *Crypto) bls12381Mul(_ *interop.Context, args []stackitem.Item) stackite
alphaBi := new(big.Int) alphaBi := new(big.Int)
alpha.BigInt(alphaBi) alpha.BigInt(alphaBi)
var res interface{} p, err := blsPointMul(a, alphaBi)
switch x := a.point.(type) { if err != nil {
case *bls12381.G1Affine: panic(err)
// The result is in Jacobian form in the reference implementation.
g1Jac := new(bls12381.G1Jac)
g1Jac.FromAffine(x)
g1Jac.ScalarMultiplication(g1Jac, alphaBi)
res = g1Jac
case *bls12381.G1Jac:
g1Jac := new(bls12381.G1Jac)
g1Jac.ScalarMultiplication(x, alphaBi)
res = g1Jac
case *bls12381.G2Affine:
// The result is in Jacobian form in the reference implementation.
g2Jac := new(bls12381.G2Jac)
g2Jac.FromAffine(x)
g2Jac.ScalarMultiplication(g2Jac, alphaBi)
res = g2Jac
case *bls12381.G2Jac:
g2Jac := new(bls12381.G2Jac)
g2Jac.ScalarMultiplication(x, alphaBi)
res = g2Jac
case *bls12381.GT:
gt := new(bls12381.GT)
// C# implementation differs a bit from go's. They use double-and-add algorithm, see
// https://github.com/neo-project/Neo.Cryptography.BLS12_381/blob/844bc3a4f7d8ba2c545ace90ca124f8ada4c8d29/src/Neo.Cryptography.BLS12_381/Gt.cs#L102
// and https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Double-and-add,
// Pay attention that C#'s Gt.Double() squares (not doubles!) the initial GT point.
// Thus.C#'s scalar multiplication operation over Gt and Scalar is effectively an exponent.
// Go's exponent algorithm differs a bit from the C#'s double-and-add in that go's one
// uses 2-bits windowed method for multiplication. However, the resulting GT point is
// absolutely the same between two implementations.
gt.Exp(*x, alphaBi)
res = gt
default:
panic(fmt.Errorf("mul: unexpected bls12381 point type: %T", x))
} }
return stackitem.NewInterop(blsPoint{point: res}) return stackitem.NewInterop(p)
} }
func (c *Crypto) bls12381Pairing(_ *interop.Context, args []stackitem.Item) stackitem.Item { func (c *Crypto) bls12381Pairing(_ *interop.Context, args []stackitem.Item) stackitem.Item {
@ -395,33 +275,12 @@ func (c *Crypto) bls12381Pairing(_ *interop.Context, args []stackitem.Item) stac
if !(okA && okB) { if !(okA && okB) {
panic("some of the arguments are not a bls12381 point") panic("some of the arguments are not a bls12381 point")
} }
var (
x *bls12381.G1Affine p, err := blsPointPairing(a, b)
y *bls12381.G2Affine
)
switch p := a.point.(type) {
case *bls12381.G1Affine:
x = p
case *bls12381.G1Jac:
x = new(bls12381.G1Affine)
x.FromJacobian(p)
default:
panic(fmt.Errorf("pairing: unexpected bls12381 point type (g1): %T", x))
}
switch p := b.point.(type) {
case *bls12381.G2Affine:
y = p
case *bls12381.G2Jac:
y = new(bls12381.G2Affine)
y.FromJacobian(p)
default:
panic(fmt.Errorf("pairing: unexpected bls12381 point type (g2): %T", x))
}
gt, err := bls12381.Pair([]bls12381.G1Affine{*x}, []bls12381.G2Affine{*y})
if err != nil { if err != nil {
panic(fmt.Errorf("failed to perform pairing operation: %w", err)) panic(err)
} }
return stackitem.NewInterop(blsPoint{&gt}) return stackitem.NewInterop(p)
} }
// Metadata implements the Contract interface. // Metadata implements the Contract interface.

View file

@ -3,6 +3,7 @@ package native
import ( import (
"errors" "errors"
"fmt" "fmt"
"math/big"
bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381" bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
"github.com/nspcc-dev/neo-go/pkg/vm/stackitem" "github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
@ -102,3 +103,191 @@ func (p blsPoint) Bytes() []byte {
panic(errors.New("unknown bls12381 point type")) panic(errors.New("unknown bls12381 point type"))
} }
} }
// FromBytes deserializes BLS12-381 point from the given byte slice in compressed form.
func (p *blsPoint) FromBytes(buf []byte) error {
switch l := len(buf); l {
case bls12381.SizeOfG1AffineCompressed:
g1Affine := new(bls12381.G1Affine)
_, err := g1Affine.SetBytes(buf)
if err != nil {
return fmt.Errorf("failed to decode bls12381 G1Affine point: %w", err)
}
p.point = g1Affine
case bls12381.SizeOfG2AffineCompressed:
g2Affine := new(bls12381.G2Affine)
_, err := g2Affine.SetBytes(buf)
if err != nil {
return fmt.Errorf("failed to decode bls12381 G2Affine point: %w", err)
}
p.point = g2Affine
case bls12381.SizeOfGT:
gt := new(bls12381.GT)
err := gt.SetBytes(buf)
if err != nil {
return fmt.Errorf("failed to decode GT point: %w", err)
}
p.point = gt
}
return nil
}
// blsPointAdd performs addition of two BLS12-381 points.
func blsPointAdd(a, b blsPoint) (blsPoint, error) {
var (
res any
err error
)
switch x := a.point.(type) {
case *bls12381.G1Affine:
switch y := b.point.(type) {
case *bls12381.G1Affine:
xJac := new(bls12381.G1Jac)
xJac.FromAffine(x)
xJac.AddMixed(y)
res = xJac
case *bls12381.G1Jac:
yJac := new(bls12381.G1Jac)
yJac.Set(y)
yJac.AddMixed(x)
res = yJac
default:
err = fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y)
}
case *bls12381.G1Jac:
resJac := new(bls12381.G1Jac)
resJac.Set(x)
switch y := b.point.(type) {
case *bls12381.G1Affine:
resJac.AddMixed(y)
case *bls12381.G1Jac:
resJac.AddAssign(y)
default:
err = fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y)
}
res = resJac
case *bls12381.G2Affine:
switch y := b.point.(type) {
case *bls12381.G2Affine:
xJac := new(bls12381.G2Jac)
xJac.FromAffine(x)
xJac.AddMixed(y)
res = xJac
case *bls12381.G2Jac:
yJac := new(bls12381.G2Jac)
yJac.Set(y)
yJac.AddMixed(x)
res = yJac
default:
err = fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y)
}
case *bls12381.G2Jac:
resJac := new(bls12381.G2Jac)
resJac.Set(x)
switch y := b.point.(type) {
case *bls12381.G2Affine:
resJac.AddMixed(y)
case *bls12381.G2Jac:
resJac.AddAssign(y)
default:
err = fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y)
}
res = resJac
case *bls12381.GT:
resGT := new(bls12381.GT)
resGT.Set(x)
switch y := b.point.(type) {
case *bls12381.GT:
// It's multiplication, see https://github.com/neo-project/Neo.Cryptography.BLS12_381/issues/4.
resGT.Mul(x, y)
default:
err = fmt.Errorf("add: inconsistent bls12381 point types: %T and %T", x, y)
}
res = resGT
default:
err = fmt.Errorf("add: unexpected bls12381 point type: %T", x)
}
return blsPoint{point: res}, err
}
// blsPointAdd performs scalar multiplication of two BLS12-381 points.
func blsPointMul(a blsPoint, alphaBi *big.Int) (blsPoint, error) {
var (
res any
err error
)
switch x := a.point.(type) {
case *bls12381.G1Affine:
// The result is in Jacobian form in the reference implementation.
g1Jac := new(bls12381.G1Jac)
g1Jac.FromAffine(x)
g1Jac.ScalarMultiplication(g1Jac, alphaBi)
res = g1Jac
case *bls12381.G1Jac:
g1Jac := new(bls12381.G1Jac)
g1Jac.ScalarMultiplication(x, alphaBi)
res = g1Jac
case *bls12381.G2Affine:
// The result is in Jacobian form in the reference implementation.
g2Jac := new(bls12381.G2Jac)
g2Jac.FromAffine(x)
g2Jac.ScalarMultiplication(g2Jac, alphaBi)
res = g2Jac
case *bls12381.G2Jac:
g2Jac := new(bls12381.G2Jac)
g2Jac.ScalarMultiplication(x, alphaBi)
res = g2Jac
case *bls12381.GT:
gt := new(bls12381.GT)
// C# implementation differs a bit from go's. They use double-and-add algorithm, see
// https://github.com/neo-project/Neo.Cryptography.BLS12_381/blob/844bc3a4f7d8ba2c545ace90ca124f8ada4c8d29/src/Neo.Cryptography.BLS12_381/Gt.cs#L102
// and https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Double-and-add,
// Pay attention that C#'s Gt.Double() squares (not doubles!) the initial GT point.
// Thus.C#'s scalar multiplication operation over Gt and Scalar is effectively an exponent.
// Go's exponent algorithm differs a bit from the C#'s double-and-add in that go's one
// uses 2-bits windowed method for multiplication. However, the resulting GT point is
// absolutely the same between two implementations.
gt.Exp(*x, alphaBi)
res = gt
default:
err = fmt.Errorf("mul: unexpected bls12381 point type: %T", x)
}
return blsPoint{point: res}, err
}
func blsPointPairing(a, b blsPoint) (blsPoint, error) {
var (
x *bls12381.G1Affine
y *bls12381.G2Affine
)
switch p := a.point.(type) {
case *bls12381.G1Affine:
x = p
case *bls12381.G1Jac:
x = new(bls12381.G1Affine)
x.FromJacobian(p)
default:
return blsPoint{}, fmt.Errorf("pairing: unexpected bls12381 point type (g1): %T", x)
}
switch p := b.point.(type) {
case *bls12381.G2Affine:
y = p
case *bls12381.G2Jac:
y = new(bls12381.G2Affine)
y.FromJacobian(p)
default:
return blsPoint{}, fmt.Errorf("pairing: unexpected bls12381 point type (g2): %T", x)
}
gt, err := bls12381.Pair([]bls12381.G1Affine{*x}, []bls12381.G2Affine{*y})
if err != nil {
return blsPoint{}, fmt.Errorf("failed to perform pairing operation: %w", err)
}
return blsPoint{&gt}, nil
}