algebra icon indicating copy to clipboard operation
algebra copied to clipboard
verified publisher icon arkworks-rs

In version 0.3, `multi_scalar_mul` output is incorrect if scalar exceeds curve order.

Open guidovranken opened this issue 2 years ago • 1 comments

Summary of Bug

If VariableBaseMSM::multi_scalar_mul is called with a scalar that exceeds the curve order, the output will not be correct. The scalar is not or incorrectly reduced. Compare to regular point mul which handles this correctly.

Version

0.3.0

Steps to Reproduce

use ark_ff::PrimeField;
use ark_ff::biginteger::BigInteger256;
use ark_ff::biginteger::BigInteger384;
use ark_ec::msm::VariableBaseMSM;
use ark_ec::AffineCurve;
use ark_ec::ProjectiveCurve;
fn main() {                                                                                                
    let s: [u64; 4] = [ 
        0x025607A7919D793F,
        0xBDF7228F3A3DBD99,
        0x68D0564B14693662,
        0xAF6DD88BB87CB4AC];
    let point = ark_bls12_381::G1Affine::prime_subgroup_generator();
    let scalar = BigInteger256::new(s);
    assert!(
        point.mul(scalar).into_affine() ==
        VariableBaseMSM::multi_scalar_mul(&[point], &[scalar]).into_affine());
}

guidovranken avatar Jun 09 '23 18:06 guidovranken

In v0.4, the reduction happens in PrimeField::into_bigint at https://github.com/arkworks-rs/algebra/blob/master/ec/src/scalar_mul/variable_base/mod.rs#L22 PrimeField::BigInt behaves this way, which maybe important somewhere.

burdges avatar Jun 09 '23 20:06 burdges