crypto, tests/fuzzers: add gnark bn254 precompile methods for fuzzing (#30585)

Makes the gnark precompile methods more amenable to fuzzing

Author: kevaundray

crypto/bn256/gnark/g1.go

@@ -0,0 +1,51 @@
+package bn256
+
+import (
+	"math/big"
+
+	"github.com/consensys/gnark-crypto/ecc/bn254"
+)
+
+// G1 is the affine representation of a G1 group element.
+//
+// Since this code is used for precompiles, using Jacobian
+// points are not beneficial because there are no intermediate
+// points to allow us to save on inversions.
+//
+// Note: We also use this struct so that we can conform to the existing API
+// that the precompiles want.
+type G1 struct {
+	inner bn254.G1Affine
+}
+
+// Add adds `a` and `b` together, storing the result in `g`
+func (g *G1) Add(a, b *G1) {
+	g.inner.Add(&a.inner, &b.inner)
+}
+
+// ScalarMult computes the scalar multiplication between `a` and
+// `scalar`, storing the result in `g`
+func (g *G1) ScalarMult(a *G1, scalar *big.Int) {
+	g.inner.ScalarMultiplication(&a.inner, scalar)
+}
+
+// Unmarshal deserializes `buf` into `g`
+//
+// Note: whether the deserialization is of a compressed
+// or an uncompressed point, is encoded in the bytes.
+//
+// For our purpose, the point will always be serialized
+// as uncompressed, ie 64 bytes.
+//
+// This method also checks whether the point is on the
+// curve and in the prime order subgroup.
+func (g *G1) Unmarshal(buf []byte) (int, error) {
+	return g.inner.SetBytes(buf)
+}
+
+// Marshal serializes the point into a byte slice.
+//
+// Note: The point is serialized as uncompressed.
+func (p *G1) Marshal() []byte {
+	return p.inner.Marshal()
+}

crypto/bn256/gnark/g2.go

@@ -0,0 +1,38 @@
+package bn256
+
+import (
+	"github.com/consensys/gnark-crypto/ecc/bn254"
+)
+
+// G2 is the affine representation of a G2 group element.
+//
+// Since this code is used for precompiles, using Jacobian
+// points are not beneficial because there are no intermediate
+// points and G2 in particular is only used for the pairing input.
+//
+// Note: We also use this struct so that we can conform to the existing API
+// that the precompiles want.
+type G2 struct {
+	inner bn254.G2Affine
+}
+
+// Unmarshal deserializes `buf` into `g`
+//
+// Note: whether the deserialization is of a compressed
+// or an uncompressed point, is encoded in the bytes.
+//
+// For our purpose, the point will always be serialized
+// as uncompressed, ie 128 bytes.
+//
+// This method also checks whether the point is on the
+// curve and in the prime order subgroup.
+func (g *G2) Unmarshal(buf []byte) (int, error) {
+	return g.inner.SetBytes(buf)
+}
+
+// Marshal serializes the point into a byte slice.
+//
+// Note: The point is serialized as uncompressed.
+func (g *G2) Marshal() []byte {
+	return g.inner.Marshal()
+}

crypto/bn256/gnark/gt.go

@@ -0,0 +1,65 @@
+package bn256
+
+import (
+	"fmt"
+	"math/big"
+
+	"github.com/consensys/gnark-crypto/ecc/bn254"
+)
+
+// GT is the affine representation of a GT field element.
+//
+// Note: GT is not explicitly used in mainline code.
+// It is needed for fuzzing.
+type GT struct {
+	inner bn254.GT
+}
+
+// Pair compute the optimal Ate pairing between a G1 and
+// G2 element.
+//
+// Note: This method is not explicitly used in mainline code.
+// It is needed for fuzzing. It should also be noted,
+// that the output of this function may not match other
+func Pair(a_ *G1, b_ *G2) *GT {
+	a := a_.inner
+	b := b_.inner
+
+	pairingOutput, err := bn254.Pair([]bn254.G1Affine{a}, []bn254.G2Affine{b})
+
+	if err != nil {
+		// Since this method is only called during fuzzing, it is okay to panic here.
+		// We do not return an error to match the interface of the other bn256 libraries.
+		panic(fmt.Sprintf("gnark/bn254 encountered error: %v", err))
+	}
+
+	return &GT{
+		inner: pairingOutput,
+	}
+}
+
+// Unmarshal deserializes `buf` into `g`
+//
+// Note: This method is not explicitly used in mainline code.
+// It is needed for fuzzing.
+func (g *GT) Unmarshal(buf []byte) error {
+	return g.inner.SetBytes(buf)
+}
+
+// Marshal serializes the point into a byte slice.
+//
+// Note: This method is not explicitly used in mainline code.
+// It is needed for fuzzing.
+func (g *GT) Marshal() []byte {
+	bytes := g.inner.Bytes()
+	return bytes[:]
+}
+
+// Exp raises `base` to the power of `exponent`
+//
+// Note: This method is not explicitly used in mainline code.
+// It is needed for fuzzing.
+func (g *GT) Exp(base GT, exponent *big.Int) *GT {
+	g.inner.Exp(base.inner, exponent)
+	return g
+}

crypto/bn256/gnark/pairing.go

@@ -0,0 +1,73 @@
+package bn256
+
+import (
+	"github.com/consensys/gnark-crypto/ecc/bn254"
+)
+
+// Computes the following relation: ∏ᵢ e(Pᵢ, Qᵢ) =? 1
+//
+// To explain why gnark returns a (bool, error):
+//
+//   - If the function `e` does not return a result then internally
+//     an error is returned.
+//   - If `e` returns a result, then error will be nil,
+//     but if this value is not `1` then the boolean value will be false
+//
+// We therefore check for an error, and return false if its non-nil and
+// then return the value of the boolean if not.
+func PairingCheck(a_ []*G1, b_ []*G2) bool {
+	a := getInnerG1s(a_)
+	b := getInnerG2s(b_)
+
+	// Assume that len(a) == len(b)
+	//
+	// The pairing function will return
+	// false, if this is not the case.
+	size := len(a)
+
+	// Check if input is empty -- gnark will
+	// return false on an empty input, however
+	// the ossified behavior is to return true
+	// on an empty input, so we add this if statement.
+	if size == 0 {
+		return true
+	}
+
+	ok, err := bn254.PairingCheck(a, b)
+	if err != nil {
+		return false
+	}
+	return ok
+}
+
+// getInnerG1s gets the inner gnark G1 elements.
+//
+// These methods are used for two reasons:
+//
+//   - We use a new type `G1`, so we need to convert from
+//     []*G1 to []*bn254.G1Affine
+//   - The gnark API accepts slices of values and not slices of
+//     pointers to values, so we need to return []bn254.G1Affine
+//     instead of []*bn254.G1Affine.
+func getInnerG1s(pointerSlice []*G1) []bn254.G1Affine {
+	gnarkValues := make([]bn254.G1Affine, 0, len(pointerSlice))
+	for _, ptr := range pointerSlice {
+		if ptr != nil {
+			gnarkValues = append(gnarkValues, ptr.inner)
+		}
+	}
+	return gnarkValues
+}
+
+// getInnerG2s gets the inner gnark G2 elements.
+//
+// The rationale for this method is the same as `getInnerG1s`.
+func getInnerG2s(pointerSlice []*G2) []bn254.G2Affine {
+	gnarkValues := make([]bn254.G2Affine, 0, len(pointerSlice))
+	for _, ptr := range pointerSlice {
+		if ptr != nil {
+			gnarkValues = append(gnarkValues, ptr.inner)
+		}
+	}
+	return gnarkValues
+}

tests/fuzzers/bn256/bn256_fuzz.go

@@ -22,12 +22,12 @@ import (
 	"io"
 	"math/big"
 
-	"github.com/consensys/gnark-crypto/ecc/bn254"
 	cloudflare "github.com/ethereum/go-ethereum/crypto/bn256/cloudflare"
+	gnark "github.com/ethereum/go-ethereum/crypto/bn256/gnark"
 	google "github.com/ethereum/go-ethereum/crypto/bn256/google"
 )
 
-func getG1Points(input io.Reader) (*cloudflare.G1, *google.G1, *bn254.G1Affine) {
+func getG1Points(input io.Reader) (*cloudflare.G1, *google.G1, *gnark.G1) {
 	_, xc, err := cloudflare.RandomG1(input)
 	if err != nil {
 		// insufficient input
@@ -37,14 +37,14 @@ func getG1Points(input io.Reader) (*cloudflare.G1, *google.G1, *bn254.G1Affine)
 	if _, err := xg.Unmarshal(xc.Marshal()); err != nil {
 		panic(fmt.Sprintf("Could not marshal cloudflare -> google: %v", err))
 	}
-	xs := new(bn254.G1Affine)
-	if err := xs.Unmarshal(xc.Marshal()); err != nil {
+	xs := new(gnark.G1)
+	if _, err := xs.Unmarshal(xc.Marshal()); err != nil {
 		panic(fmt.Sprintf("Could not marshal cloudflare -> gnark: %v", err))
 	}
 	return xc, xg, xs
 }
 
-func getG2Points(input io.Reader) (*cloudflare.G2, *google.G2, *bn254.G2Affine) {
+func getG2Points(input io.Reader) (*cloudflare.G2, *google.G2, *gnark.G2) {
 	_, xc, err := cloudflare.RandomG2(input)
 	if err != nil {
 		// insufficient input
@@ -54,14 +54,14 @@ func getG2Points(input io.Reader) (*cloudflare.G2, *google.G2, *bn254.G2Affine)
 	if _, err := xg.Unmarshal(xc.Marshal()); err != nil {
 		panic(fmt.Sprintf("Could not marshal cloudflare -> google: %v", err))
 	}
-	xs := new(bn254.G2Affine)
-	if err := xs.Unmarshal(xc.Marshal()); err != nil {
+	xs := new(gnark.G2)
+	if _, err := xs.Unmarshal(xc.Marshal()); err != nil {
 		panic(fmt.Sprintf("Could not marshal cloudflare -> gnark: %v", err))
 	}
 	return xc, xg, xs
 }
 
-// fuzzAdd fuzzez bn256 addition between the Google and Cloudflare libraries.
+// fuzzAdd fuzzes bn256 addition between the Google, Cloudflare and Gnark libraries.
 func fuzzAdd(data []byte) int {
 	input := bytes.NewReader(data)
 	xc, xg, xs := getG1Points(input)
@@ -72,17 +72,16 @@ func fuzzAdd(data []byte) int {
 	if yc == nil {
 		return 0
 	}
-	// Ensure both libs can parse the second curve point
+	// Ensure libs can parse the second curve point
 	// Add the two points and ensure they result in the same output
 	rc := new(cloudflare.G1)
 	rc.Add(xc, yc)
 
 	rg := new(google.G1)
 	rg.Add(xg, yg)
 
-	tmpX := new(bn254.G1Jac).FromAffine(xs)
-	tmpY := new(bn254.G1Jac).FromAffine(ys)
-	rs := new(bn254.G1Affine).FromJacobian(tmpX.AddAssign(tmpY))
+	rs := new(gnark.G1)
+	rs.Add(xs, ys)
 
 	if !bytes.Equal(rc.Marshal(), rg.Marshal()) {
 		panic("add mismatch: cloudflare/google")
@@ -94,8 +93,8 @@ func fuzzAdd(data []byte) int {
 	return 1
 }
 
-// fuzzMul fuzzez bn256 scalar multiplication between the Google and Cloudflare
-// libraries.
+// fuzzMul fuzzes bn256 scalar multiplication between the Google, Cloudflare
+// and Gnark libraries.
 func fuzzMul(data []byte) int {
 	input := bytes.NewReader(data)
 	pc, pg, ps := getG1Points(input)
@@ -122,15 +121,13 @@ func fuzzMul(data []byte) int {
 	rg := new(google.G1)
 	rg.ScalarMult(pg, new(big.Int).SetBytes(buf))
 
-	rs := new(bn254.G1Jac)
-	psJac := new(bn254.G1Jac).FromAffine(ps)
-	rs.ScalarMultiplication(psJac, new(big.Int).SetBytes(buf))
-	rsAffine := new(bn254.G1Affine).FromJacobian(rs)
+	rs := new(gnark.G1)
+	rs.ScalarMult(ps, new(big.Int).SetBytes(buf))
 
 	if !bytes.Equal(rc.Marshal(), rg.Marshal()) {
 		panic("scalar mul mismatch: cloudflare/google")
 	}
-	if !bytes.Equal(rc.Marshal(), rsAffine.Marshal()) {
+	if !bytes.Equal(rc.Marshal(), rs.Marshal()) {
 		panic("scalar mul mismatch: cloudflare/gnark")
 	}
 	return 1
@@ -150,17 +147,26 @@ func fuzzPair(data []byte) int {
 	// Pair the two points and ensure they result in the same output
 	clPair := cloudflare.Pair(pc, tc).Marshal()
 	gPair := google.Pair(pg, tg).Marshal()
+	sPair := gnark.Pair(ps, ts).Marshal()
+
 	if !bytes.Equal(clPair, gPair) {
 		panic("pairing mismatch: cloudflare/google")
 	}
-	cPair, err := bn254.Pair([]bn254.G1Affine{*ps}, []bn254.G2Affine{*ts})
-	if err != nil {
-		panic(fmt.Sprintf("gnark/bn254 encountered error: %v", err))
+
+	normalizedClPair := normalizeGTToGnark(clPair).Marshal()
+	if !bytes.Equal(normalizedClPair, sPair) {
+		panic("pairing mismatch: cloudflare/gnark")
 	}
 
-	// gnark uses a different pairing algorithm which might produce
-	// different but also correct outputs, we need to scale the output by s
+	return 1
+}
 
+// normalizeGTToGnark scales a Cloudflare/Google GT element by `s`
+// so that it can be compared with a gnark GT point.
+//
+// For the definition of `s` see 3.5 in https://eprint.iacr.org/2015/192.pdf
+func normalizeGTToGnark(cloudflareOrGoogleGT []byte) *gnark.GT {
+	// Compute s = 2*u(6*u^2 + 3*u + 1)
 	u, _ := new(big.Int).SetString("0x44e992b44a6909f1", 0)
 	u_exp2 := new(big.Int).Exp(u, big.NewInt(2), nil)   // u^2
 	u_6_exp2 := new(big.Int).Mul(big.NewInt(6), u_exp2) // 6*u^2
@@ -170,14 +176,12 @@ func fuzzPair(data []byte) int {
 	u_2 := new(big.Int).Mul(big.NewInt(2), u)           // 2*u
 	s := u_2.Mul(u_2, inner)                            // 2*u(6*u^2 + 3*u + 1)
 
-	gRes := new(bn254.GT)
-	if err := gRes.SetBytes(clPair); err != nil {
+	// Scale the Cloudflare/Google GT element by `s`
+	gRes := new(gnark.GT)
+	if err := gRes.Unmarshal(cloudflareOrGoogleGT); err != nil {
 		panic(err)
 	}
 	gRes = gRes.Exp(*gRes, s)
-	if !bytes.Equal(cPair.Marshal(), gRes.Marshal()) {
-		panic("pairing mismatch: cloudflare/gnark")
-	}
 
-	return 1
+	return gRes
 }