algebra icon indicating copy to clipboard operation
algebra copied to clipboard
verified publisher icon arkworks-rs

Clarify guarantees in traits around point validity

Open ValarDragon opened this issue 5 years ago • 3 comments

The elliptic curve point API's (AffineCurve, ProjectiveCurve) currently claim that the interface should be providing quite strong guarantees, all points should be on the curve, and moreover in the prime order subgroup.

However this guarantee isn't achieved at the moment.

I've only looked at short weierstrass jacobian curves so far (which encompasses the BLS12 curves), and they don't guarantee that points are on the curve, or that they are in the prime order subgroup for AffineCurve.

The new() method for AffineGroup (which implements AffineCurve) does not ensure that points are on the curve.

Also the sw curve's Affine Curve implementation of from_random_bytes() uses get_point_from_x(), which as stated in its comments provides no guarantees around being in the prime order subgroup.

I believe that the trait comments should drop the description that they are in the prime order subgroup, and we should have new traits that enforce that this is the case. (Or alternatively, make the two above methods enforce the claimed properties)

ValarDragon avatar Nov 09 '20 21:11 ValarDragon

@kobigurk @paberr do you have any thoughts around this? We could have a separate trait that handles the boundary conversions, and leave AffineCurve to be only prime order.

Pratyush avatar Nov 09 '20 22:11 Pratyush

One idea would be to put these methods in SWModelParameters and in TEModelParameters (I don't see how to put them in ModelParameters, because the trait doesn't understand the notion of AffineCurve.

Pratyush avatar Nov 09 '20 22:11 Pratyush

Good point! In my opinion, the current methods are useful and needed so I'd leave them as is. New traits/methods sound like a good idea to me. Ideally they'd be wrappers that check validity and maybe one that multiplies by the cofactor, but that should be marked clearly. That bit us on the gadget side when we migrated our pre-refactor gadgets to the new constrain system.

kobigurk avatar Nov 18 '20 12:11 kobigurk

We now have a new_unchecked which doesn't check for subgroup membership, and have changed new to instead do the on-curve and in-subgroup checks.

(These methods were anyway methods on the structs, and not part of the corresponding traits.)

Pratyush avatar Aug 31 '22 19:08 Pratyush