
Point multiplication behavior for scalars bigger than the main subgroup order

Open · chfast opened this issue 1 year ago · 1 comment

I noticed that the blst_p1_mult API can take a scalar of any size. But if the scalar value is not less than BLS12_381_r, the implementation selects the slower "w5" algorithm.

https://github.com/supranational/blst/blob/master/src/e1.c#L526-L527

I wonder if, for scalars of 256 bits, it is not better to reduce their value by doing mod BLS12_381_r.

chfast avatar Oct 31 '24 12:10 chfast

As the quoted commentary implies, the case is not cared for. The rationale is that in a real-life application the scalar would be a result of a calculation, and the said calculation is expected to produce a properly bounded value. If the application trusts somebody else to perform the calculation (a.k.a. accepting inputs from the internet), then it's expected that the application would vet the inputs and take an action (of the application's choice) if one is found out-of-range, most likely reject it, prior to passing it to the library.

dot-asm avatar Nov 01 '24 11:11 dot-asm
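The two policies discussed in this thread, vetting an untrusted scalar against BLS12_381_r and rejecting it, or folding it into range with mod r, as an added example that is not part of blst and not code from either participant. It assumes blst's little-endian scalar byte layout for the byte-string wrapper; the integer check itself does not depend on that.

```python
# Added example, not blst's own code: vet a scalar before it reaches blst_p1_mult.

# Order r of the BLS12-381 main subgroup (the value blst exposes as BLS12_381_r).
BLS12_381_R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001


class ScalarOutOfRange(ValueError):
    """Raised when an untrusted scalar is outside [0, r) and the policy is to reject."""


def vet_scalar(k: int, *, reduce: bool = False) -> int:
    """Return a scalar guaranteed to lie in [0, r), or raise.

    reduce=False (default): reject anything out of range, the action the reply
    recommends for values accepted from the network.
    reduce=True: return k mod r, the approach the issue proposes. For a point P
    of order r, [r]P is the identity, so [k]P == [k mod r]P; the reduced scalar
    is therefore equivalent for the multiplication and stays on the fast path.
    """
    if k < 0:
        raise ScalarOutOfRange("negative scalar")
    if k < BLS12_381_R:
        return k
    if reduce:
        return k % BLS12_381_R
    raise ScalarOutOfRange(f"scalar 0x{k:x} is >= BLS12_381_r")


def vet_scalar_le(data: bytes, *, reduce: bool = False) -> bytes:
    """Byte-string wrapper: input is a little-endian scalar of any length (assumed
    blst layout); output is a canonical 32-byte little-endian scalar in [0, r)."""
    k = vet_scalar(int.from_bytes(data, "little"), reduce=reduce)
    return k.to_bytes(32, "little")


if __name__ == "__main__":
    # Constructed sample: an all-0xff 256-bit scalar, as an attacker-controlled input might be.
    untrusted = b"\xff" * 32
    try:
        vet_scalar_le(untrusted)
    except ScalarOutOfRange as exc:
        print("rejected:", exc)
    print("reduced:", vet_scalar_le(untrusted, reduce=True).hex())
```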