miracl / amcl Goto Github PK

C++ 13.19% C 17.91% Batchfile 0.01% Go 11.52% Java 13.26% JavaScript 12.33% HTML 1.27% Rust 14.54% Swift 12.68% Python 3.21% Shell 0.08%

amcl's Introduction

MIRACL

What is MIRACL? Multiprecision Integer and Rational Arithmetic Cryptographic Library – the MIRACL Crypto SDK – is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).

Why is it different? While many other cryptographic SDKs are focused on PC use, MIRACL also enables developers to build security into highly constrained environments, including embedded, mobile apps and SCADA.

Full documentation can be accessed here:

MIRACL enables

Reduced program code
Greatly simplified program development
Developer-designed APIs
Rapid implementation, using inline code wrappers, example programs and other innovations

These unique qualities are the reason MIRACL, and the solutions and services built using it, are in use in hundreds of organizations across the world, including BAE Systems, Hitachi, Intel, Panasonic, Toyota and many others.

Features and Benefits: why MIRACL is the right choice

MIRACL delivers a wide and unique range of benefits, enabling developers to secure even the most constrained environments quickly, easily and effectively. It features, amongst others:

An inline C++ wrapper – greatly simplifying program development
Over 25 example programs in C and C++, covering a wide range of applications, to give development a head start
Optimization of both embedded processors and RAM, to help developers overcome device and memory constraints
Compatibility with industry security technologies including AES encryption, RSA public key cryptography, Diffie-Hellman key exchange, DSA digital signature, and others
A set of tools that enable any new number-theoretic technique to be implemented quickly

The MIRACL library consists of well over 100 routines that cover all aspects of multi-precision arithmetic. Two new data-types are defined - big for large integers and flash (short for floating-slash) for large rational numbers. The large integer routines are based on Knuth’s algorithms, described in Chapter 4 of his classic work ‘The Art of Computer Programming’. Floating-slash arithmetic, which works with rounded fractions, was originally proposed by D. Matula and P. Kornerup. All routines have been thoroughly optimised for speed and efficiency, while at the same time remaining standard, portable C. However optional fast assembly language alternatives for certain time-critical routines are also included, particularly for the popular Intel 80x86 range of processors. A C++ interface is also provided. Full source code is included.

Bug Tracker

MIRACL Ltd. uses JIRA for bug and feature tracking which is integrated with our development system. If you find a bug, you should report bugs into the MIRACL bug tracker . You can check that the bug hasn't already been reported by searching for it. If you find the bug already reported, you can add a comment of your own about it, or change its status to "Confirmed". If the bug hasn't been reported, you can file a new bug report.

Community

MIRACL Ltd. is most of all a community of like-minded information security professionals who believe that cryptography is a necessary tool to advance individual freedom and safeguard privacy. MIRACL Ltd. acts on that belief by providing tools that can be used to secure information, guard privacy and advance individual freedom.
Anyone who uses MIRACL Ltd. code or services is part of this global community, and we invite you to help shape MIRACL to better meet your needs. To make it yours!
Keep track of development and community news.

Follow @MIRACL on https://twitter.com/MIRACL
Read our blog for the latest security and crypto news first
Have a question that's not a feature request or bug report? Contact Us.

Contributing:

MIRACL Ltd. provides an Open Source suite of solutions for data security. The MIRACL Ltd. team firmly believes that our solutions and the organizations and users who benefit by them all derive value from active contributions from the community.
You can contribute to help shape and improve our MIRACL Ltd. products. If you have ideas and suggestions on new features and improvements that you would like to see and help bring to MIRACL Ltd., please fork the public available code on GitHub.

Authors:

MIRACL Ltd.

Copyright and License:

MIRACL SDK provides developers with an extensive and efficient set of cryptographic functions. For further information about its features and functionalities please refer to https://miracl.com.

MIRACL SDK is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

MIRACL SDK is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You can be released from the requirements of the license by purchasing a commercial license. Buying such a license is mandatory as soon as you develop commercial activities involving MIRACL without disclosing the source code of your own applications, or shipping MIRACL with a closed source product.

For full details regarding our MIRACL Ltd. terms of service please refer to the following links:

amcl's People

Contributors

Stargazers

Watchers

Forkers

philipp-classen acatarineu webmaster128 lovesh kealan xjump keeper-security nymtech petrn jonspock rafaeltm mikelodder7 kirk-baird xijunke zildj1an schermannr cryptomathician madeep2000 hailingu

amcl's Issues

Addition of elements in fp12

Hello,

I am using amcl with the https://github.com/fentec-project/CiFEr where they instantiate BN254.
The BN254 internally uses fp12 to represent points. For some implementation we need addition
in fp12 which is unfortunately not implemented in the library. Is there a reason why this is not
in general possible.

Aside
Do you know of any pairing friendly curve where addition of curve elements is possible ?

Potential bug in is_infinity in ecp.rs

In the method is_infinity in ecp.rs, the last line returns true meaning that if a new curve type was introduced and we forget to update is_infinity method, it will always return true for that curve type. But if we use a match expression then the compiler will complain that the match is not exhaustive if we introduce a new curve type. It is shown in PR #14
Also is_infinity copies the contents both in ecp.rs and ecp2.rs which is not needed. The above PR removes that copying.

bls.js and bls256.js don't load in IE 11

SCRIPT1003: Expected ':'
bls.js (73,18)
SCRIPT1003: Expected ':'
bls256.js (73,18)

These files define a few functions in the form:

        bls_hashit: function(m) {

Then switch to just declaring a function:

	KeyPairGenerate(rng,S,W) {

I'm not sure how that even works in other browsers since it is in the body of an object.

All of the other .js files are loading with no errors.

A bug might exit in amcl-go

Hello, Mike,
When I used func Minus to compute a-b, I always got the wrong answer. The testing code is as follows.

func TestMinus(t *testing.T) {
	n := SECP256K1.NewBIGints(SECP256K1.CURVE_Order)
	rng := amcl.NewRAND()

	//using Minus to compute r1-r2
	r1 := SECP256K1.Randomnum(n,rng)
	r2 := SECP256K1.Randomnum(n,rng)
	sub1 := r1.Minus(r2)
	sub1.Mod(n)
	fmt.Println(sub1)           //the answer is wrong

	//using Modneg and Plus to compute r1-r2
	r2_neg := SECP256K1.Modneg(r2,n)
	sub2 := r1.Plus(r2_neg)
	sub2.Mod(n)
	fmt.Println(sub2)         //the answer is right
	fmt.Println(*sub1==*sub2)     //false
}

invmodp in big goes in infinite loop when inverting 0

I am using the Rust code. When using invmodp in big.rs here for inverting 0, it gets stuck in endless loop instead of returning 0. Or should it instead be an exception since we expect inverse to follow x*inverse(x)=1

Pairing function does not return 1 for P=infinity, Q=infinity

If I understood correctly, the pairing function e must return the neutral group element 1 for

e(P, 0) for every P
e(0, Q) for every Q

which implies that e(0, 0) == 1 must be satisfied.

After be9d80b, the first two of the following tests work, the 3rd fails. Is this a bug?

  it("satisfies e(P,0) == 1", () => {
    const P = g1.mul(new ctx.BIG(5));
    const Q = new ctx.ECP2();
    expect(ctx.PAIR.fexp(ctx.PAIR.ate(Q, P)).isunity()).toEqual(true);
  });

  it("satisfies e(0,Q) == 1", () => {
    const P = new ctx.ECP();
    const Q = g2.mul(new ctx.BIG(8));
    expect(ctx.PAIR.fexp(ctx.PAIR.ate(Q, P)).isunity()).toEqual(true);
  });

  it("satisfies e(0,0) == 1", () => {
    const P = new ctx.ECP();
    const Q = new ctx.ECP2();
    expect(ctx.PAIR.fexp(ctx.PAIR.ate(Q, P)).isunity()).toEqual(true);
  });

Use JS version of amcl in nodejs environments

I'm trying to port some academic caller code using amcl 2.2 from a Browser dummy page to a testing framework (probably Jest). Along the way I noticed that all the JS code of amcl (in both version 2.2 and version 3) does not use commonjs or es6 module exports, so it only works when loaded into global scope in browsers.

Are there any plans for nodejs based command line testing or packaging as a commonjs or es6 module? I'd offer to help out with this if this direction is supported by the maintainers.

Point compression for ECP2

ECP supports getting bytes of a compressed point in the tobytes method but ECP2 does not. What would be the challenges of doing so?

Methods add, sub missing in FP12, FP24, FP48

Is there a reason those methods don't exist? I don't strictly need them but am curious for consistency reasons.

API inconsistency in ECP.mul

While FP.mul, FP2.mul and BIG.imul/.pmul/.pxmul multiply in-place, ECP.mul, ECP2.mul, ECP4.mul, ECP8.mul are not mutating the object. Is this intended?

This is very easy to get wrong I think, see e.g. this code which does noops like

var Y=new ECP();
Y.copy(ePK.z);
Y.mul(x.f);

all over the place.

Error compiling on armhf platform

Hi everyone,

I am getting an error when compiling the library as part of hyperledger fabric (fabric-amcl) on a raspberry pi 4 (raspbian, armhf architecture). As far as I can tell it is due to the int representation on 32-bit platforms which could be easily fixed. Here is the error:

Building build/bin/orderer
GOBIN=/go/src/github.com/hyperledger/fabric/build/bin go install -tags "" -ldflags "-X github.com/hyperledger/fabric/common/metadata.Version=2.2.1 -X github.com/hyperledger/fabric/common/metadata.CommitSHA=344fda6 -X github.com/hyperledger/fabric/common/metadata.BaseDockerLabel=org.hyperledger.fabric -X github.com/hyperledger/fabric/common/metadata.DockerNamespace=hyperledger" github.com/hyperledger/fabric/cmd/orderer
# github.com/hyperledger/fabric-amcl/amcl/FP256BN
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:110:18: constant 30564559323915749 overflows int
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:394:11: constant 30564559323915749 overflows int
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:394:20: constant 30564559323915754 overflows int
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:394:25: constant 3820569915489469 overflows int
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:397:11: constant 30564559323915749 overflows int
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:397:20: constant 30564559323915752 overflows int
vendor/github.com/hyperledger/fabric-amcl/amcl/FP256BN/FP.go:397:25: constant 7641139830978938 overflows int
make: *** [Makefile:209: build/bin/orderer] Error 2

If no fix is desired please also let me know, eventually what I could do as a workaround. Or am I the only crazy person trying to compile the hyperledger fabric images on 32-bit architecture? :) I am trying to do this in order to lower the hurdles in deploying hyperledger fabric on standard raspberry pis for people who are not well versed with blockchain and/or uncommon cpu architectures.

FP256BN Plus and math.MaxInt64

The following test

import (
	"math"
	"math/rand"
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestMaxInt(t *testing.T) {
	r1 := int(rand.Int63())
	r2 := int(rand.Int63())

	i1 := FP256BN.NewBIGint(math.MaxInt64 - r1)
	i2 := FP256BN.NewBIGint(r1)
	i3 := FP256BN.NewBIGint(math.MaxInt64 - r2)
	i4 := FP256BN.NewBIGint(r2)
	i5 := FP256BN.NewBIGint(2)

	i6 := i1.Plus(i2).Plus(i3).Plus(i4).Plus(i5)

	zero := FP256BN.NewBIGint(0)

	assert.NotEqual(t, zero, i6)
}

fails whereas it looks like it should be succeeding. The test was conducted with go version go1.14.4 linux/amd64 against the curve

32. FP256BN

generated by config64.py (git revision 5387e6a895243dde0).

Please check the code for FP12.pow(BIG)

I have been testing a number of crypto libraries with the BLS12-381 curve and have noticed a discrepancy in the result of FP12.pow(BIG) in the JS library for AMCL version 3.

Here is a test case:

FP12 pt: 
[[[18cd7a565a749009cc4c5f6601ea0856a47a3323f9ebb5953e4c2b1c4010d0dc7ca86ef548c4332b4cc2602e92e19f0f,09e148c258387a5e91c961df72cd340c19cdcdf799c249458969e00bf4d1275dbfcb139b49857e189f19ce71ae7fa8ee],
[0a2ac22c8737727e985aea988b18549379dc9821dd42d0974e7fd89b3d3c13114371ebfb3304cbda9d26c7a0a0b83025,0728ccef15044f5df498bb80ce5313d6dfc9a3ae9d4e4bb0f3ea398d8a2af607479cd6f66a6daeeb495d22aa8de2e256]],
[[0938dfc7cb18005c641319bb00149ce4a25edfa4aa50557aa8c780cce9cc6351261920f7212a41a3b0b097d3e827d3c3,07e500c72020555a613e32a7726c5d66350163663e4bdbc1b8b65b22c49dd19c91e7c859790a5290c526a391d2e896ef],
[171201bdd27cbe71d915e6e7d3cef10ce7251fa9b863c71652e0e63c16702c83993559129ee682b9c8c597b9849b843d,12c5a8f92088dba00d78e4c33bb18010e5bcd5ae193aedc291186dd9091ada24fc0d61f0efe90857e4528fc013583d12]],
[[1301d3f107fdcbbaffc05707e0e2611dc8d4ed9ad90c0fd221df7e706b4b4d46c943daf03a6f3a1eddd2d2c9bc4ddbc5,018fde8c2958612913a7ac368d9c778adaaf7dd88bedab9ada2e709ef173091735dd153382584c2bc0c7993937318ecd],
[19b0de4003f7f0c81918595a674a1d9d67bfcdafc2194aa7c2d799c3f21015e52018cd6999add6bc685dfc8b33ef41e2,03bce826c38b87e80c66b61ef71d705e67faeb0acf6f89fc5a6d4d9957bb766dc76b5c82d7f0d553260f4e2a7ef1c6b8]]]

BIG num:
0000000000000000000000000000000082fda182fda9e0755870887b25421b85b1f50051a22b4041135f9c153e354e02

(By the way, it would be VERY nice if there was a set(string) function on each class that accepts the output of the toString() for that class.)

For the other libraries I get this result for pt.pow(num):

FP12 result:
00c40389f91081c4a147c38944ec0c8696c45d4404a15990733226fbda393d4f69a70875240304cba6ea58d69a6739f3
15ab5b2d3e69220a755ca5e3eab9c6d2ef3d99fed681fd330a9f9a6ec8365a679e69402b71f6706c3e54ac0af7ff355e
0faeb132568224efce5169db3a9f0754bd3b028a8a9626a31f7673b6658e96f6b70984bd11bb572aa5d5f41cdb0c6c3e
0c2223234ff6fa4525002c36d574d9c70cf9ce4a81162ef54909af38a6768b40ed47348aa6f27f4e63aac352eff23524
0d334017e82fe7b51dace4ea243ba2897226c8eb6a6f16d2eb22e443f42b35a956c47ff83b6b012945253e579b4b903f
0f1063b5f569a9c4946dff4b73dc892f2234f2da0bab7926f3e4190cc3eeb07598f7e39f19456b74ac392a215baceb6e
04145ba9d429a25887aeb091bd03df38b908956665efaa8bff1c1d459ae787f9c7776dde504c7b6371cc0ce5352a5260
05ef1024a7b1cfb5f5f39efce60140d0df9e89ddf7aab232af493ff57cad9409119a19da7018123aac6531eae1068a57
002fd10ca8a397210c31a3fda02f68e1179868fffd6636afab08e14e6f026bce6f203d8b8f2ad5cc88e061ecda56f84a
15ad17363cf7246c68baa971644b3fbbe34f1b8ed8034619373debf0797c0d0096faec29bf29d6b559fb530ebe10e11f
175293de14123c3f530bf11903323f1a525d61f7f0fe9d0ef0fd3056f094bd61060bf1730a0037f71b782ff97f2e752b
10731a03c2a59150f572a8c2bf10241a650f3100faeec7204257222b5938bcb86b7fe00628d93d22e8076aeb59515d61

But in AMCL I get:

[[[17cdc384c7ce3e1ed2d11f04f692012710137e98f9b228e6c8fc9081b41ef35a02372d8f2d75421c210187c5e6f9db58,08b6852d7f5772b1e049f8ca8091c3b0121bb76c412493fc5bdb156e7161dc03a4a792c77d55bec457cf13894316d036],[15fb6af1f71a9e4688067a0bc56e7b547e9ef27feedc40dc91e02f62c252ce65586fff97ec67adad73368ed3474a765a,1224c3ac9873814d8e496e03f4400f8cb43826a86f8ee928cc11d1ae69d83416bc702160ae164371f7ec49fd91bc044d]],[[0f257efbbc8543fb9ce6959eefb9e8e8f1d7d4b9d7f24d04a867df8b1db735dfba3b1c0053e805a805f752a59d9dcc9f,01808b073d9d4fcdc023076e9b659b60da1a415ad213c24d891b0ea81a138cbeb7b369dc4bf8b1a8b1e16f351653dfed],[1799ea9ed9db2cdc6bae34fc4fec3f535500e0bcdf5ee3ed01ed5df4265c609ce8beaba683d0bdc88c40a88b2fb3474d,1969b47f62c7df1f62c8ae4c41527196afeed0dedd2b4587cfa0f79a978359e4fc23a30cb8a5642e4202c0a5a54d7d1f]],[[04950dee0be2ec1e54eb6c338198aaa5a7e0fbe35302ec21e7563b2f8e22707b4c7e80c0b3f39cb53b792e1279217979,02b9288d0c8dc4e821ba23b8c1a79c4afeddc363acc01f36fa7dee1808f873fe16286915065c7c3d4f4e550fb57efe65],[141b039ca264c22502f0f6ad8386c205a5f8e7bc95c70c4b75742eec892812bb11fa162d2156861f7aded25246f13ada,16a4f9a37208a154a7f85abbbd893d8583d077db7fd50a7e7d09d0512016e4f15efda050177a94249324bedc4cfbfbb0]]]

In case it's not clear, if you remove the brackets from the AMCL result you get 12 hex strings. The result from the other libraries is presented as 12 hex strings, in the same order as the AMCL result. The 12 hex strings from the two results should be exactly the same, in the same order.

I can provide a number of other examples if you need them.

Thank you

Help!Urgent!

I need to generate pk with the corresponding sk。
In my code,The first loop, I want to use an array of sk and pk, first select sk randomly , then Q * sk[i], and then give the result to pk[i]
The second loop is to output the contents of sk[i] and pk[i].
But when I run the program，My results are shown in Figure 2，It is like stuck, and will not continue。
What's wrong?

Two small change suggestions

Sorry - running short of time. Next time I'll try to generate a pull request.

Allow generating a Java library on MacOS:

$ git diff version3/java/config64.py 
--- a/version3/java/config64.py
+++ b/version3/java/config64.py
@@ -9,7 +9,7 @@ org1text="org"
 org2text="apache"
 org3text="milagro"
 
-if sys.platform.startswith("linux")  :
+if (sys.platform.startswith("linux") or sys.platform.startswith("darwin"))  :
        copytext="cp "
        deltext="rm "
        slashtext="/"

version3/java/DBIG32 and version3/java/DBIG64 have a syntax error around line 235: cast_to_chunk() is in the BIG class. This should be caught by your test platform...

 		int i,wd,bt;
 		wd=m/CONFIG_BIG.BASEBITS;
 		bt=m%CONFIG_BIG.BASEBITS;
-		w[wd]&=((cast_to_chunk(1)<<bt)-1);
+		w[wd]&=((BIG.cast_to_chunk(1)<<bt)-1);
 		for (i=wd+1;i<BIG.DNLEN;i++) w[i]=0;

Does the library support type-1 curvers?

Question about SECP256K1 curve in go

Hello, mike, I found it shows "package NIST256" in ROM_SECP256K1_64.go line 22, I wonder if it should be "package SECP256K1"?

Swift issues

bls.swift: bls_hashit() is private but public in JavaScript. I need this function to be visible.
fp.swift: The fp*.swift files are missing fromBytes() and toBytes().
var x = FP(1) is throwing an error (see below). var x = FP(0) works fine.

I'm using a 64-bit version of the Swift library created using config64.py and selecting only option 21 (BLS381). For now I'm using the actual source files collected by config64.py rather than using the compiled library. The only modifications I've made to the AMCL code are to make bls_hashit public and to comment out the "import amcl" lines due to the way I have imported the files.

Here is the stacktrace:

ECP()
::y = FP(1)       ecp.swift: line 37
::::nres()          fp.swift: line 144
::::::d = BIG.mul(self.x, FP.r2modp);        fp.swift: 42
::::::self.x = FP.mod(DBIG(ROM.Modulus))   fp.swift: 43
::::::::BIG.monty(ROM.Modulus, ROM.MConst, d)   fp.swift:129
::::::::::let (top, bot) = BIG.muladd(a, b, c, r)             big.swift:940
::::::::::::let (tp,bt)=a.multipliedFullWidth(by: b) .        big.swift:107
::::::::::::var bot = Chunk(bt)&CONFIG_BIG.BMASK    big.swift:108

ERROR: Fatal error: Not enough bits to represent the passed value.

Here are the values of a, b, c, r, and bt above:

a = Chunk    262029922845399286
b = Chunk    143833713099123371 
c = Chunk    0
r = Chunk    145867405174699950
bt = 0b1000010111111001110001100101111000101010010000010000100001010010

In big.swift:108, bot is inferred to be an Int64.

Int64.multipliedFullWidth returns (Int64, UInt64) so bt is a UINT64.

Chunk is an Int64.

I would guess that the problem is with Chunk(bt) which is equivalent to Int64(UInt64).

Since bt has the high bit set the type conversion is not accepted.

Moving the bitmask op from outside to inside the parentheses isn't allowed by Swift due to type incompatibilities.

Add new curve

Hello, I want to add a new WEIERSTRASS type of curve（256bit）, how to set the parameters in ROM.go.

The new curve's parameters are:
p: FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a: -3
b: 28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n: FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
Gx: 32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
Gy: BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0

What do "R2modp" and "MConst" mean? How to set them？

Swift compile for iOS

I need to compile AMCL for use on IOS but I'm getting an error while trying to do that.

Choose a Scheme to support - 0 to finish: 21
<unknown>:0: warning: using sysroot for 'MacOSX' but targeting 'iPhone'
<module-includes>:1:9: note: in file included from <module-includes>:1:
#import "DispatchOverlayShims.h"
        ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/shims/DispatchOverlayShims.h:219:20: error: implicit conversion of C pointer type 'dispatch_data_t _Nonnull' (aka 'struct dispatch_data_s *') to Objective-C pointer type '__swift_shims_dispatch_data_t _Nonnull' (aka 'id') requires a bridged cast
    return applier(data, off, loc, size);
                   ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/shims/DispatchOverlayShims.h:219:20: note: use __bridge to convert directly (no change in ownership)
    return applier(data, off, loc, size);
                   ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/shims/DispatchOverlayShims.h:219:20: note: use __bridge_transfer to transfer ownership of a +1 'dispatch_data_t _Nonnull' (aka 'struct dispatch_data_s *') into ARC
    return applier(data, off, loc, size);
                   ^
<unknown>:0: error: could not build Objective-C module '_SwiftDispatchOverlayShims'
Traceback (most recent call last):
  File "config64.py", line 302, in <module>
    curveset("bls381","48","58","381","3","NOT_SPECIAL","WEIERSTRASS","BLS","M_TYPE","NEGATIVEX","65","128")
  File "config64.py", line 148, in curveset
    run_in_shell("swiftc amcl"+slashtext+"*.swift " + target + sysroot + "-O -Ounchecked -whole-module-optimization -emit-library -emit-module -module-name amcl")
  File "config64.py", line 21, in run_in_shell
    subprocess.check_call(cmd, shell=True)
  File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 347, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command 'swiftc amcl/*.swift -target x86_64-apple-ios12.2-simulator -Fsystem /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk -O -Ounchecked -whole-module-optimization -emit-library -emit-module -module-name amcl' returned non-zero exit status 1.

Since the error is in a Swift library I'm not sure how to proceed. I have XCode 10.3 installed which is the latest version. As an alternative I added the source files to my Swift project and used them without building the .dylib but it would be nice to know that the library build process works if we need it.

In the next-to-last line of output you can see that I added -Fsystem /Applications/.../iPhoneOS.sdk but I'm still getting the sysroot warning in the first line.

I added the amcl files to an existing XCode project designed to build a .dylib and it worked after adding "public" on all methods and adding header files such as BIG.h. Although it would be nice to get the current compilation method working another alternative would be to use a .xcodeproj file for configuration and call xcodebuild in the config script.

Failed Ate2 Pairing (tested in Go)

Hi!

I've got a problem getting ate2 pairings to work correctly. I'm not sure whether it is a bug or if I'm not using it the right way. Basically while I can get two 'normal' ate pairings (followed by final exponentiation) to produce expected results, the equivalent ate2 (followed by final exponentiation) fails that. I've tested the issue on BLS381 and BN254 curves. The sample code explaining the issue is as follows:

func TestPairings(t *testing.T) {
	var RAW [100]byte
	rng := amcl.NewRAND()
	rng.Clean()
	for i := 0; i < 100; i++ {
		RAW[i] = byte(i)
	}
	rng.Seed(100, RAW[:])

	ord := BLS381.NewBIGints(BLS381.CURVE_Order)

	r := BLS381.Randomnum(ord, rng)
	s := BLS381.Randomnum(ord, rng)

	gen1 := BLS381.ECP_generator()
	gen2 := BLS381.ECP2_generator()

	g1r := BLS381.G1mul(gen1, r)
	g1s := BLS381.G1mul(gen1, s)
	g2r := BLS381.G2mul(gen2, r)
	g2s := BLS381.G2mul(gen2, s)

	Gt1 := BLS381.Fexp(BLS381.Ate(g2r, g1s))
	Gt2 := BLS381.Fexp(BLS381.Ate(g2s, g1r))

	if !Gt1.Equals(Gt2) {
		// does NOT fail here
		t.Log("ate: e(rP, sQ) != e(sP, rQ)")
		t.Fail()
	}

	v := BLS381.Ate2(g2r, g1s, g2s, g1r)
	v = BLS381.Fexp(v)
	// unity test as seen at https://github.com/miracl/amcl/blob/master/version3/go/BLS.go
	if !v.Isunity() {
		// fails here
		t.Log("ate2: e(rP, sQ) != e(sP, rQ)")
		t.Fail()
	}
}

Pairing function does not fulfil point addition property for infinity

Using the JavaScript version of amcl 3 (master), I created the following tests:

e(P+R,Q) == e(P,Q)*e(R,Q)
e(P+0,Q) == e(P,Q)*e(0,Q) (same as 1. with R=0)
e(P,Q+R) == e(P,Q)*e(P,R)
e(P,Q+0) == e(P,Q)*e(P,0) (same as 3. with R=0)

and it truns out that 2 and 4 fail.

I assume the group operation in the result group of the pairing is multiplication of FP12, since no addition on FP12 is implemented and tests 1. and 3. pass with FP12.mul. In this case, I think e(X, 0) and e(0, Y) (where 0 is the point at infinity) must be the multiplicative identity in FP12. However, the library returns the zero FP12.

Is this a bug?

Test code 1.-4.

  it("satisfies e(P+R,Q) == e(P,Q)*e(R,Q)", () => {
    // Use arbitrary points P, R, Q. Must hold for all.
    const P = g1.mul(new ctx.BIG(5));
    const R = g1.mul(new ctx.BIG(42));
    const Q = g2.mul(new ctx.BIG(8));

    const PR = new ctx.ECP();
    PR.copy(P);
    PR.add(R);

    const ePRQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, PR));
    const ePQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, P));
    const eRQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, R));

    const ePQeRQ = new ctx.FP12(ePQ); // the product e(P,Q)*e(R,Q)
    ePQeRQ.mul(eRQ);
    expect(ePRQ.equals(ePQeRQ)).toEqual(true);
  });

  it("satisfies e(P+0,Q) == e(P,Q)*e(0,Q)", () => {
    // Use arbitrary points P, Q and R=0.
    const P = g1.mul(new ctx.BIG(5));
    const R = new ctx.ECP();
    const Q = g2.mul(new ctx.BIG(8));

    const PR = new ctx.ECP();
    PR.copy(P);
    PR.add(R);

    const ePRQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, PR));
    const ePQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, P));
    const eRQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, R));

    const ePQeRQ = new ctx.FP12(ePQ); // the product e(P,Q)*e(R,Q)
    ePQeRQ.mul(eRQ);
    expect(ePRQ.equals(ePQeRQ)).toEqual(true);
  });

  it("satisfies e(P,Q+R) == e(P,Q)*e(P,R)", () => {
    // Use arbitrary points P, Q, R. Must hold for all.
    const P = g1.mul(new ctx.BIG(5));
    const Q = g2.mul(new ctx.BIG(8));
    const R = g2.mul(new ctx.BIG(42));

    const QR = new ctx.ECP2();
    QR.copy(Q);
    QR.add(R);

    const ePQR = ctx.PAIR.fexp(ctx.PAIR.ate(QR, P));
    const ePQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, P));
    const ePR = ctx.PAIR.fexp(ctx.PAIR.ate(R, P));

    const ePQePR = new ctx.FP12(ePQ); // the product e(P,Q)*e(P,R)
    ePQePR.mul(ePR);
    expect(ePQR.equals(ePQePR)).toEqual(true);
  });

  it("satisfies e(P,Q+0) == e(P,Q)*e(P,0)", () => {
    // Use arbitrary points P, Q and R=0.
    const P = g1.mul(new ctx.BIG(5));
    const Q = g2.mul(new ctx.BIG(8));
    const R = new ctx.ECP2();

    const QR = new ctx.ECP2();
    QR.copy(Q);
    QR.add(R);

    const ePQR = ctx.PAIR.fexp(ctx.PAIR.ate(QR, P));
    const ePQ = ctx.PAIR.fexp(ctx.PAIR.ate(Q, P));
    const ePR = ctx.PAIR.fexp(ctx.PAIR.ate(R, P));

    const ePQePR = new ctx.FP12(ePQ); // the product e(P,Q)*e(P,R)
    ePQePR.mul(ePR);
    expect(ePQR.equals(ePQePR)).toEqual(true);
  });