Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix incorrect decomposition in GLV #803

Merged
merged 5 commits into from
Mar 25, 2024
Merged

Fix incorrect decomposition in GLV #803

merged 5 commits into from
Mar 25, 2024

Conversation

weikengchen
Copy link
Member

@weikengchen weikengchen commented Mar 8, 2024
edited
Loading

Description

As #802 pointed out, there are situations when the GLV decomposition does not work as expected---for BN254, it decomposes a randomly chosen scalar into 128-bit k1 and 191-bit k2.

After comparing with other implementations, it seems that beta_2 needs to be negated. In addition, it has been a long-standing issue in the current implementation that beta_1 and beta_2, which should have been rounded division, was implemented by floor division. This can lead to an issue as the original GLV paper https://www.iacr.org/archive/crypto2001/21390189.pdf, Lemma 2, it does leverage the fact that, by rounded division, the gap between the actual beta_1 and the integer beta_1, as well as the gap between the actual beta_2 and the integer beta_2, are bounded by 1/2 each. We then use triangle inequality to conclude a bound of the decomposition. How tight this bound is does have something to do with how the division is done.

So, this PR made three changes:

  • add into test template a very quick test whether GLV decomposition does give small numbers
  • negate beta_2, which would be consistent with the comments in the code and I believe was the correct implementation all the time
  • use rounded division

We couldn't discover this issue before in BLS12-377 and BLS12-381 partly because that they seem to be doing fine if beta_2's sign is flipped.

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

  • Targeted PR against correct branch (master)
  • Linked to GitHub issue with discussion and accepted design OR have an explanation in the PR that describes this work.
  • Wrote unit tests
  • Updated relevant documentation in the code
  • Added a relevant changelog entry to the Pending section in CHANGELOG.md
  • Re-reviewed Files changed in the GitHub PR explorer

@weikengchen weikengchen requested review from a team as code owners March 8, 2024 06:03
@weikengchen weikengchen requested review from z-tech, Pratyush and mmagician and removed request for a team March 8, 2024 06:03
@weikengchen weikengchen changed the title Remedy the GLV implementation Fix incorrect decomposition in GLV Mar 8, 2024
@Pratyush Pratyush added this pull request to the merge queue Mar 24, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 24, 2024
@mmagician mmagician added this pull request to the merge queue Mar 25, 2024
Merged via the queue into master with commit bb663bc Mar 25, 2024
40 checks passed
@mmagician mmagician deleted the fix-glv branch March 25, 2024 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pratyush Pratyush Pratyush approved these changes

@z-tech z-tech Awaiting requested review from z-tech z-tech is a code owner automatically assigned from arkworks-rs/maintainers

@mmagician mmagician Awaiting requested review from mmagician mmagician is a code owner automatically assigned from arkworks-rs/maintainers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@weikengchen @Pratyush @mmagician