Unless the cofactor is 1 (for BN254 curves) we are unfortunately working on a subgroup of an elliptic curve.
This means that when generating a random point for testing we may be generating a point out of our subgroup of interest.
In particular for scalar multiplication accelerated by endomorphism, the point MUST be on the subgroup or the result is incorrect.
A simple way to generate a point in the proper subgroup is to scalar multiply a random point by the cofactor of the curve:
More efficient ways exist and are detailed in the IETF hash-to-curve draft https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08#section-7 and (Wahby, Boneh, 2019, Fast and simple constant-time hashing to the BLS12-381 elliptic curve, https://eprint.iacr.org/2019/403.pdf). For BLS G1 in particular we can simply multiply by 1-u, with u the BLS parameter.
Note for compatibility: when a fast cofactor clearing method exists, it is usually incompatible with the "normal" scalar multiplication by the actual cofactor. As clear cofactor is only used in 2 cases, random testing and hash-to-curve, we should implement the hash-to-curve version.
For G2 see https://github.com/status-im/nim-blscurve/blob/1a18d0db/blscurve/hash_to_curve.nim#L454-L512
Sage implementation: https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/ead9c911/poc/clear_h_bls12381g2.sage
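Added example, not code from this issue or from the project: plain-Python BLS12-381 G1 arithmetic showing that an arbitrary curve point lies outside the subgroup, that both the actual cofactor and 1-u map it into the subgroup, and that the two results differ. All constants are derived from the BLS parameter u; the function names and the sample point are assumptions of this example.

```python
# BLS12-381 G1; every constant is derived from the BLS parameter u.
U = -0xd201000000010000
R = U**4 - U**2 + 1   # prime order of the subgroup G1
H = (U - 1)**2 // 3   # actual cofactor of E(Fp)
P = H * R + U         # field modulus, since #E(Fp) = P - U = H * R
H_EFF = 1 - U         # fast cofactor-clearing scalar for G1
B = 4                 # curve: y^2 = x^3 + 4
INF = None            # point at infinity

def add(a, b):
    """Affine addition on y^2 = x^3 + B."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Plain double-and-add: valid for any curve point, no endomorphism."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def point_from_x(x):
    """First curve point with abscissa >= x (constructed test input)."""
    while True:
        rhs = (x**3 + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid as P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x += 1

def in_subgroup(pt):
    return mul(R, pt) is INF

def clear_cofactor(pt, fast=True):
    return mul(H_EFF if fast else H, pt)
```

Both methods land in the subgroup, but on different points: the result of the actual cofactor equals (1-u)/3 times the result of the fast method, so test vectors produced with one do not match the other.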