Zcash-style serialization for BLS12-381 (#129)

Co-authored-by: kevaundray <37423678+kevaundray@users.noreply.github.com>
Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>

Author: 3 people

bls12_381/Cargo.toml

@@ -16,11 +16,12 @@ edition = "2021"
 ark-ff = { version="^0.3.0", default-features = false }
 ark-ec = { version="^0.3.0", default-features = false }
 ark-std = { version="^0.3.0", default-features = false }
+ark-serialize = { version="^0.3.0", default-features = false }
 
 [dev-dependencies]
-ark-serialize = { version="^0.3.0", default-features = false }
 ark-algebra-test-templates = { version="^0.3.0", default-features = false }
 ark-algebra-bench-templates = { version = "^0.3.0", default-features = false }
+hex = "^0.4.0"
 
 [features]
 default = [ "curve" ]

bls12_381/src/curves/g1.rs

@@ -7,7 +7,13 @@ use ark_ec::{
     AffineRepr, Group,
 };
 use ark_ff::{Field, MontFp, PrimeField, Zero};
+use ark_serialize::{Compress, SerializationError};
 use ark_std::{ops::Neg, One};
+
+use crate::util::{
+    read_g1_compressed, read_g1_uncompressed, serialize_fq, EncodingFlags, G1_SERIALIZED_SIZE,
+};
+
 pub type G1Affine = bls12::G1Affine<crate::Parameters>;
 pub type G1Projective = bls12::G1Projective<crate::Parameters>;
 
@@ -70,6 +76,66 @@ impl SWCurveConfig for Parameters {
         let h_eff = one_minus_x().into_bigint();
         Parameters::mul_affine(&p, h_eff.as_ref()).into()
     }
+
+    fn deserialize_with_mode<R: ark_serialize::Read>(
+        mut reader: R,
+        compress: ark_serialize::Compress,
+        validate: ark_serialize::Validate,
+    ) -> Result<Affine<Self>, ark_serialize::SerializationError> {
+        let p = if compress == ark_serialize::Compress::Yes {
+            read_g1_compressed(&mut reader)?
+        } else {
+            read_g1_uncompressed(&mut reader)?
+        };
+
+        if validate == ark_serialize::Validate::Yes && !p.is_in_correct_subgroup_assuming_on_curve()
+        {
+            return Err(SerializationError::InvalidData);
+        }
+        Ok(p)
+    }
+
+    fn serialize_with_mode<W: ark_serialize::Write>(
+        item: &Affine<Self>,
+        mut writer: W,
+        compress: ark_serialize::Compress,
+    ) -> Result<(), SerializationError> {
+        let encoding = EncodingFlags {
+            is_compressed: compress == ark_serialize::Compress::Yes,
+            is_infinity: item.is_zero(),
+            is_lexographically_largest: item.y > -item.y,
+        };
+        let mut p = *item;
+        if encoding.is_infinity {
+            p = G1Affine::zero();
+        }
+        // need to access the field struct `x` directly, otherwise we get None from xy()
+        // method
+        let x_bytes = serialize_fq(p.x);
+        if encoding.is_compressed {
+            let mut bytes: [u8; G1_SERIALIZED_SIZE] = x_bytes;
+
+            encoding.encode_flags(&mut bytes);
+            writer.write_all(&bytes)?;
+        } else {
+            let mut bytes = [0u8; 2 * G1_SERIALIZED_SIZE];
+            bytes[0..G1_SERIALIZED_SIZE].copy_from_slice(&x_bytes[..]);
+            bytes[G1_SERIALIZED_SIZE..].copy_from_slice(&serialize_fq(p.y)[..]);
+
+            encoding.encode_flags(&mut bytes);
+            writer.write_all(&bytes)?;
+        };
+
+        Ok(())
+    }
+
+    fn serialized_size(compress: Compress) -> usize {
+        if compress == Compress::Yes {
+            G1_SERIALIZED_SIZE
+        } else {
+            G1_SERIALIZED_SIZE * 2
+        }
+    }
 }
 
 fn one_minus_x() -> Fr {

bls12_381/src/curves/g2.rs

@@ -8,8 +8,13 @@ use ark_ec::{
     AffineRepr, CurveGroup, Group,
 };
 use ark_ff::{Field, MontFp, Zero};
+use ark_serialize::{Compress, SerializationError};
 
-use crate::*;
+use super::util::{serialize_fq, EncodingFlags, G2_SERIALIZED_SIZE};
+use crate::{
+    util::{read_g2_compressed, read_g2_uncompressed},
+    *,
+};
 
 pub type G2Affine = bls12::G2Affine<crate::Parameters>;
 pub type G2Projective = bls12::G2Projective<crate::Parameters>;
@@ -105,6 +110,75 @@ impl SWCurveConfig for Parameters {
         psi2_p2 += &-psi_p;
         (psi2_p2 - p_projective).into_affine()
     }
+
+    fn deserialize_with_mode<R: ark_serialize::Read>(
+        mut reader: R,
+        compress: ark_serialize::Compress,
+        validate: ark_serialize::Validate,
+    ) -> Result<Affine<Self>, ark_serialize::SerializationError> {
+        let p = if compress == ark_serialize::Compress::Yes {
+            read_g2_compressed(&mut reader)?
+        } else {
+            read_g2_uncompressed(&mut reader)?
+        };
+
+        if validate == ark_serialize::Validate::Yes && !p.is_in_correct_subgroup_assuming_on_curve()
+        {
+            return Err(SerializationError::InvalidData);
+        }
+        Ok(p)
+    }
+
+    fn serialize_with_mode<W: ark_serialize::Write>(
+        item: &Affine<Self>,
+        mut writer: W,
+        compress: ark_serialize::Compress,
+    ) -> Result<(), SerializationError> {
+        let encoding = EncodingFlags {
+            is_compressed: compress == ark_serialize::Compress::Yes,
+            is_infinity: item.is_zero(),
+            is_lexographically_largest: item.y > -item.y,
+        };
+        let mut p = *item;
+        if encoding.is_infinity {
+            p = G2Affine::zero();
+        }
+
+        let mut x_bytes = [0u8; G2_SERIALIZED_SIZE];
+        let c1_bytes = serialize_fq(p.x.c1);
+        let c0_bytes = serialize_fq(p.x.c0);
+        x_bytes[0..48].copy_from_slice(&c1_bytes[..]);
+        x_bytes[48..96].copy_from_slice(&c0_bytes[..]);
+        if encoding.is_compressed {
+            let mut bytes: [u8; G2_SERIALIZED_SIZE] = x_bytes;
+
+            encoding.encode_flags(&mut bytes);
+            writer.write_all(&bytes)?;
+        } else {
+            let mut bytes = [0u8; 2 * G2_SERIALIZED_SIZE];
+
+            let mut y_bytes = [0u8; G2_SERIALIZED_SIZE];
+            let c1_bytes = serialize_fq(p.y.c1);
+            let c0_bytes = serialize_fq(p.y.c0);
+            y_bytes[0..48].copy_from_slice(&c1_bytes[..]);
+            y_bytes[48..96].copy_from_slice(&c0_bytes[..]);
+            bytes[0..G2_SERIALIZED_SIZE].copy_from_slice(&x_bytes);
+            bytes[G2_SERIALIZED_SIZE..].copy_from_slice(&y_bytes);
+
+            encoding.encode_flags(&mut bytes);
+            writer.write_all(&bytes)?;
+        };
+
+        Ok(())
+    }
+
+    fn serialized_size(compress: ark_serialize::Compress) -> usize {
+        if compress == Compress::Yes {
+            G2_SERIALIZED_SIZE
+        } else {
+            2 * G2_SERIALIZED_SIZE
+        }
+    }
 }
 
 pub const G2_GENERATOR_X: Fq2 = Fq2::new(G2_GENERATOR_X_C0, G2_GENERATOR_X_C1);

bls12_381/src/curves/mod.rs

@@ -4,6 +4,7 @@ use crate::{Fq, Fq12Config, Fq2Config, Fq6Config};
 
 pub mod g1;
 pub mod g2;
+pub(crate) mod util;
 
 #[cfg(test)]
 mod tests;

bls12_381/src/curves/tests.rs

@@ -0,0 +1,119 @@
+use ark_algebra_test_templates::*;
+use ark_ec::{AffineRepr, CurveGroup, Group};
+use ark_ff::{fields::Field, One, UniformRand, Zero};
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize, Compress, Validate};
+use ark_std::{rand::Rng, test_rng, vec};
+
+use crate::{Bls12_381, Fq, Fq2, Fr, G1Affine, G1Projective, G2Affine, G2Projective};
+
+test_group!(g1; G1Projective; sw);
+test_group!(g2; G2Projective; sw);
+test_group!(pairing_output; ark_ec::pairing::PairingOutput<Bls12_381>; msm);
+test_pairing!(pairing; crate::Bls12_381);
+
+#[test]
+fn test_g1_endomorphism_beta() {
+    assert!(crate::g1::BETA.pow(&[3u64]).is_one());
+}
+
+#[test]
+fn test_g1_subgroup_membership_via_endomorphism() {
+    let mut rng = test_rng();
+    let generator = G1Projective::rand(&mut rng).into_affine();
+    assert!(generator.is_in_correct_subgroup_assuming_on_curve());
+}
+
+#[test]
+fn test_g1_subgroup_non_membership_via_endomorphism() {
+    let mut rng = test_rng();
+    loop {
+        let x = Fq::rand(&mut rng);
+        let greatest = rng.gen();
+
+        if let Some(p) = G1Affine::get_point_from_x_unchecked(x, greatest) {
+            if !p.mul_bigint(Fr::characteristic()).is_zero() {
+                assert!(!p.is_in_correct_subgroup_assuming_on_curve());
+                return;
+            }
+        }
+    }
+}
+
+#[test]
+fn test_g2_subgroup_membership_via_endomorphism() {
+    let mut rng = test_rng();
+    let generator = G2Projective::rand(&mut rng).into_affine();
+    assert!(generator.is_in_correct_subgroup_assuming_on_curve());
+}
+
+#[test]
+fn test_g2_subgroup_non_membership_via_endomorphism() {
+    let mut rng = test_rng();
+    loop {
+        let x = Fq2::rand(&mut rng);
+        let greatest = rng.gen();
+
+        if let Some(p) = G2Affine::get_point_from_x_unchecked(x, greatest) {
+            if !p.mul_bigint(Fr::characteristic()).is_zero() {
+                assert!(!p.is_in_correct_subgroup_assuming_on_curve());
+                return;
+            }
+        }
+    }
+}
+
+// Test vectors and macro adapted from https://github.com/zkcrypto/bls12_381/blob/e224ad4ea1babfc582ccd751c2bf128611d10936/src/tests/mod.rs
+macro_rules! test_vectors {
+    ($projective:ident, $affine:ident, $compress:expr, $expected:ident) => {
+        let mut e = $projective::zero();
+
+        let mut v = vec![];
+        {
+            let mut expected = $expected;
+            for _ in 0..1000 {
+                let e_affine = $affine::from(e);
+                let mut serialized = vec![0u8; e.serialized_size($compress)];
+                e_affine
+                    .serialize_with_mode(serialized.as_mut_slice(), $compress)
+                    .unwrap();
+                v.extend_from_slice(&serialized[..]);
+
+                let mut decoded = serialized;
+                let len_of_encoding = decoded.len();
+                (&mut decoded[..]).copy_from_slice(&expected[0..len_of_encoding]);
+                expected = &expected[len_of_encoding..];
+                let decoded =
+                    $affine::deserialize_with_mode(&decoded[..], $compress, Validate::Yes).unwrap();
+                assert_eq!(e_affine, decoded);
+
+                e += &$projective::generator();
+            }
+        }
+
+        assert_eq!(&v[..], $expected);
+    };
+}
+
+#[test]
+fn g1_compressed_valid_test_vectors() {
+    let bytes: &'static [u8] = include_bytes!("g1_compressed_valid_test_vectors.dat");
+    test_vectors!(G1Projective, G1Affine, Compress::Yes, bytes);
+}
+
+#[test]
+fn g1_uncompressed_valid_test_vectors() {
+    let bytes: &'static [u8] = include_bytes!("g1_uncompressed_valid_test_vectors.dat");
+    test_vectors!(G1Projective, G1Affine, Compress::No, bytes);
+}
+
+#[test]
+fn g2_compressed_valid_test_vectors() {
+    let bytes: &'static [u8] = include_bytes!("g2_compressed_valid_test_vectors.dat");
+    test_vectors!(G2Projective, G2Affine, Compress::Yes, bytes);
+}
+
+#[test]
+fn g2_uncompressed_valid_test_vectors() {
+    let bytes: &'static [u8] = include_bytes!("g2_uncompressed_valid_test_vectors.dat");
+    test_vectors!(G2Projective, G2Affine, Compress::No, bytes);
+}