Switch to big-endian (#305)

bindings/csharp/Ckzg.Bindings/Ckzg.cs

@@ -102,6 +102,7 @@ public static partial class Ckzg
         ThrowOnUninitializedTrustedSetup(ckzgSetup);
         ThrowOnInvalidLength(proof, nameof(proof), BytesPerProof);
         ThrowOnInvalidLength(blob, nameof(blob), BytesPerBlob);
+        ThrowOnInvalidLength(commitment, nameof(commitment), BytesPerCommitment);
 
         fixed (byte* proofPtr = proof, blobPtr = blob, commitmentPtr = commitment)
         {

bindings/go/main_test.go

@@ -33,10 +33,10 @@ func getRandFieldElement(seed int64) Bytes32 {
 		panic("failed to get random field element")
 	}
 
-	// This leaves the last byte in fieldElementBytes as
+	// This leaves the first byte in fieldElementBytes as
 	// zero, which guarantees it's a canonical field element.
 	var fieldElementBytes Bytes32
-	copy(fieldElementBytes[:], bytes)
+	copy(fieldElementBytes[1:], bytes)
 	return fieldElementBytes
 }
 

bindings/java/src/testFixtures/java/ethereum/ckzg4844/TestUtils.java

@@ -48,7 +48,7 @@ public class TestUtils {
     final byte[][] blob =
         IntStream.range(0, CKZG4844JNI.getFieldElementsPerBlob())
             .mapToObj(__ -> randomBLSFieldElement())
-            .map(fieldElement -> fieldElement.toArray(ByteOrder.LITTLE_ENDIAN))
+            .map(fieldElement -> fieldElement.toArray(ByteOrder.BIG_ENDIAN))
             .toArray(byte[][]::new);
     return flatten(blob);
   }
@@ -83,7 +83,7 @@ public class TestUtils {
     final byte[][] blob =
         IntStream.range(0, CKZG4844JNI.getFieldElementsPerBlob())
             .mapToObj(__ -> UInt256.valueOf(CKZG4844JNI.BLS_MODULUS.add(BigInteger.valueOf(42))))
-            .map(greaterThanModulus -> greaterThanModulus.toArray(ByteOrder.LITTLE_ENDIAN))
+            .map(greaterThanModulus -> greaterThanModulus.toArray(ByteOrder.BIG_ENDIAN))
             .toArray(byte[][]::new);
     return flatten(blob);
   }
@@ -230,7 +230,7 @@ public class TestUtils {
   }
 
   public static byte[] randomBLSFieldElementBytes() {
-    return randomBLSFieldElement().toArray(ByteOrder.LITTLE_ENDIAN);
+    return randomBLSFieldElement().toArray(ByteOrder.BIG_ENDIAN);
   }
 
   public static List<String> getFiles(String path) {

bindings/nim/tests/test_abi.nim

@@ -48,7 +48,7 @@ proc createKateBlobs(s: KzgSettings, n: int): KateBlobs =
     discard urandom(blob)
     for i in 0..<len(blob):
       # don't overflow modulus
-      if blob[i] > MAX_TOP_BYTE and i %% BYTES_PER_FIELD_ELEMENT == 31:
+      if blob[i] > MAX_TOP_BYTE and i %% BYTES_PER_FIELD_ELEMENT == 0:
         blob[i] = MAX_TOP_BYTE
     result.blobs.add(blob)
 

bindings/nim/tests/test_kzg.nim

@@ -11,7 +11,7 @@ proc createKateBlobs(ctx: KzgCtx, n: int): KateBlobs =
     discard urandom(blob)
     for i in 0..<len(blob):
       # don't overflow modulus
-      if blob[i] > MAX_TOP_BYTE and i %% BYTES_PER_FIELD_ELEMENT == 31:
+      if blob[i] > MAX_TOP_BYTE and i %% BYTES_PER_FIELD_ELEMENT == 0:
         blob[i] = MAX_TOP_BYTE
     result.blobs.add(blob)
 
@@ -81,13 +81,12 @@ suite "verify proof (high-level)":
     let res = loadTrustedSetupFile(trustedSetupFile)
     check res.isOk
     ctx = res.get
-    
+
     discard ctx.blobToKzgCommitment(blob)
     let kp = ctx.computeKzgProof(blob, inputPoint)
     discard ctx.computeBlobKzgProof(blob, commitment)
     discard ctx.verifyKzgProof(commitment, inputPoint, claimedValue, kp.get.proof)
     discard ctx.verifyBlobKzgProof(blob, commitment, proof)
-    
+
     let kb = ctx.createKateBlobs(1)
     discard ctx.verifyBlobKzgProofBatch(kb.blobs, kb.kates, [kp.get.proof])
-    

bindings/nim/tests/test_kzg_ex.nim

@@ -11,7 +11,7 @@ proc createKateBlobs(n: int): KateBlobs =
     discard urandom(blob)
     for i in 0..<len(blob):
       # don't overflow modulus
-      if blob[i] > MAX_TOP_BYTE and i %% BYTES_PER_FIELD_ELEMENT == 31:
+      if blob[i] > MAX_TOP_BYTE and i %% BYTES_PER_FIELD_ELEMENT == 0:
         blob[i] = MAX_TOP_BYTE
     result.blobs.add(blob)
 

bindings/node.js/test/kzg.test.ts

@@ -47,7 +47,7 @@ const generateRandomBlob = (): Uint8Array => {
   return new Uint8Array(
     randomBytes(BYTES_PER_BLOB).map((x, i) => {
       // Set the top byte to be low enough that the field element doesn't overflow the BLS modulus
-      if (x > MAX_TOP_BYTE && i % BYTES_PER_FIELD_ELEMENT == 31) {
+      if (x > MAX_TOP_BYTE && i % BYTES_PER_FIELD_ELEMENT == 0) {
         return Math.floor(Math.random() * MAX_TOP_BYTE);
       }
       return x;

bindings/rust/benches/kzg_benches.rs

@@ -8,7 +8,7 @@ use std::sync::Arc;
 fn generate_random_field_element(rng: &mut ThreadRng) -> Bytes32 {
     let mut arr = [0u8; BYTES_PER_FIELD_ELEMENT];
     rng.fill(&mut arr[..]);
-    arr[BYTES_PER_FIELD_ELEMENT - 1] = 0;
+    arr[0] = 0;
     arr.into()
 }
 
@@ -18,7 +18,7 @@ fn generate_random_blob(rng: &mut ThreadRng) -> Blob {
     // Ensure that the blob is canonical by ensuring that
     // each field element contained in the blob is < BLS_MODULUS
     for i in 0..FIELD_ELEMENTS_PER_BLOB {
-        arr[i * BYTES_PER_FIELD_ELEMENT + BYTES_PER_FIELD_ELEMENT - 1] = 0;
+        arr[i * BYTES_PER_FIELD_ELEMENT] = 0;
     }
     arr.into()
 }

bindings/rust/src/bindings/mod.rs

@@ -514,7 +514,7 @@ mod tests {
         // Ensure that the blob is canonical by ensuring that
         // each field element contained in the blob is < BLS_MODULUS
         for i in 0..FIELD_ELEMENTS_PER_BLOB {
-            arr[i * BYTES_PER_FIELD_ELEMENT + BYTES_PER_FIELD_ELEMENT - 1] = 0;
+            arr[i * BYTES_PER_FIELD_ELEMENT] = 0;
         }
         arr.into()
     }

src/c_kzg_4844.c

@@ -519,19 +519,21 @@ static void bytes_from_g1(Bytes48 *out, const g1_t *in) {
  * @param[in] in The field element to be serialized
  */
 static void bytes_from_bls_field(Bytes32 *out, const fr_t *in) {
-    blst_scalar_from_fr((blst_scalar *)out->bytes, in);
+    blst_scalar s;
+    blst_scalar_from_fr(&s, in);
+    blst_bendian_from_scalar(out->bytes, &s);
 }
 
 /**
  * Serialize a 64-bit unsigned integer into bytes.
  *
- * @remark The output format is little-endian.
+ * @remark The output format is big-endian.
  *
  * @param[out] out An 8-byte array to store the serialized integer
  * @param[in]  n   The integer to be serialized
  */
 static void bytes_from_uint64(uint8_t out[8], uint64_t n) {
-    for (int i = 0; i < 8; i++) {
+    for (int i = 7; i >= 0; i--) {
         out[i] = n & 0xFF;
         n >>= 8;
     }
@@ -549,7 +551,7 @@ static void bytes_from_uint64(uint8_t out[8], uint64_t n) {
  */
 static void hash_to_bls_field(fr_t *out, const Bytes32 *b) {
     blst_scalar tmp;
-    blst_scalar_from_lendian(&tmp, b->bytes);
+    blst_scalar_from_bendian(&tmp, b->bytes);
     blst_fr_from_scalar(out, &tmp);
 }
 
@@ -562,7 +564,7 @@ static void hash_to_bls_field(fr_t *out, const Bytes32 *b) {
  */
 static C_KZG_RET bytes_to_bls_field(fr_t *out, const Bytes32 *b) {
     blst_scalar tmp;
-    blst_scalar_from_lendian(&tmp, b->bytes);
+    blst_scalar_from_bendian(&tmp, b->bytes);
     if (!blst_scalar_fr_check(&tmp)) return C_KZG_BADARGS;
     blst_fr_from_scalar(out, &tmp);
     return C_KZG_OK;
@@ -660,11 +662,11 @@ static void compute_challenge(
     memcpy(offset, FIAT_SHAMIR_PROTOCOL_DOMAIN, DOMAIN_STR_LENGTH);
     offset += DOMAIN_STR_LENGTH;
 
-    /* Copy polynomial degree (16-bytes, little-endian) */
-    bytes_from_uint64(offset, FIELD_ELEMENTS_PER_BLOB);
-    offset += sizeof(uint64_t);
+    /* Copy polynomial degree (16-bytes, big-endian) */
     bytes_from_uint64(offset, 0);
     offset += sizeof(uint64_t);
+    bytes_from_uint64(offset, FIELD_ELEMENTS_PER_BLOB);
+    offset += sizeof(uint64_t);
 
     /* Copy blob */
     memcpy(offset, blob->bytes, BYTES_PER_BLOB);

src/test_c_kzg_4844.c

@@ -356,21 +356,25 @@ static void test_g1_mul__test_different_bit_lengths(void) {
     Bytes32 b;
     fr_t f, two;
     g1_t g, r, check;
+    blst_scalar s;
 
     fr_from_uint64(&f, 1);
     fr_from_uint64(&two, 2);
-    bytes_from_bls_field(&b, &f);
+    blst_scalar_from_fr(&s, &f);
+    /* blst_p1_mult needs it to be little-endian */
+    blst_lendian_from_scalar(b.bytes, &s);
 
     for (int i = 1; i < 255; i++) {
         get_rand_g1(&g);
 
-        blst_p1_mult(&check, &g, (const byte *)&b, 256);
+        blst_p1_mult(&check, &g, b.bytes, 256);
         g1_mul(&r, &g, &f);
 
         ASSERT("points are equal", blst_p1_is_equal(&check, &r));
 
         blst_fr_mul(&f, &f, &two);
-        bytes_from_bls_field(&b, &f);
+        blst_scalar_from_fr(&s, &f);
+        blst_lendian_from_scalar(b.bytes, &s);
     }
 }
 
@@ -425,11 +429,11 @@ static void test_blob_to_kzg_commitment__succeeds_x_less_than_modulus(void) {
      * A valid field element is x < BLS_MODULUS.
      * Therefore, x = BLS_MODULUS - 1 should be valid.
      *
-     * int(BLS_MODULUS - 1).to_bytes(32, 'little').hex()
+     * int(BLS_MODULUS - 1).to_bytes(32, 'big').hex()
      */
     bytes32_from_hex(
         &field_element,
-        "00000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000"
     );
 
     memset(&blob, 0, sizeof(blob));
@@ -448,11 +452,11 @@ static void test_blob_to_kzg_commitment__fails_x_equal_to_modulus(void) {
      * A valid field element is x < BLS_MODULUS.
      * Therefore, x = BLS_MODULUS should be invalid.
      *
-     * int(BLS_MODULUS).to_bytes(32, 'little').hex()
+     * int(BLS_MODULUS).to_bytes(32, 'big').hex()
      */
     bytes32_from_hex(
         &field_element,
-        "01000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001"
     );
 
     memset(&blob, 0, sizeof(blob));
@@ -471,11 +475,11 @@ static void test_blob_to_kzg_commitment__fails_x_greater_than_modulus(void) {
      * A valid field element is x < BLS_MODULUS.
      * Therefore, x = BLS_MODULUS + 1 should be invalid.
      *
-     * int(BLS_MODULUS + 1).to_bytes(32, 'little').hex()
+     * int(BLS_MODULUS + 1).to_bytes(32, 'big').hex()
      */
     bytes32_from_hex(
         &field_element,
-        "02000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002"
     );
 
     memset(&blob, 0, sizeof(blob));
@@ -516,7 +520,7 @@ static void test_blob_to_kzg_commitment__succeeds_expected_commitment(void) {
 
     bytes32_from_hex(
         &field_element,
-        "ad5570f5a3810b7af9d4b24bc1c2ea670245db2eaa49aae654b8f7393a9a6214"
+        "14629a3a39f7b854e6aa49aa2edb450267eac2c14bb2d4f97a0b81a3f57055ad"
     );
 
     /* Initialize the blob with a single field element */
@@ -910,7 +914,7 @@ static void test_compute_powers__succeeds_expected_powers(void) {
     /* Convert random field element to a fr_t */
     bytes32_from_hex(
         &field_element_bytes,
-        "e1c3192925d7eb42bd9861585eba38d231736117ca42e2b4968146a00d41f51b"
+        "1bf5410da0468196b4e242ca17617331d238ba5e586198bd42ebd7252919c3e1"
     );
     ret = bytes_to_bls_field(&field_element_fr, &field_element_bytes);
     ASSERT_EQUALS(ret, C_KZG_OK);
@@ -925,21 +929,21 @@ static void test_compute_powers__succeeds_expected_powers(void) {
      */
     bytes32_from_hex(
         &expected_bytes[0],
-        "0100000000000000000000000000000000000000000000000000000000000000"
+        "0000000000000000000000000000000000000000000000000000000000000001"
     );
     bytes32_from_hex(
         &expected_bytes[1],
-        "e1c3192925d7eb42bd9861585eba38d231736117ca42e2b4968146a00d41f51b"
+        "1bf5410da0468196b4e242ca17617331d238ba5e586198bd42ebd7252919c3e1"
     );
 
     /*
-     * b = bytes.fromhex("e1c3192925d...")
-     * i = (int.from_bytes(b, "little") ** 2) % BLS_MODULUS
-     * print(i.to_bytes(32, "little").hex())
+     * b = bytes.fromhex("1bf5410da0468196b...")
+     * i = (int.from_bytes(b, "big") ** 2) % BLS_MODULUS
+     * print(i.to_bytes(32, "big").hex())
      */
     bytes32_from_hex(
         &expected_bytes[2],
-        "0e8a454760e9de40001e89f33d8c9ea9f30345d4b6615dbcf83f6988cb7b412f"
+        "2f417bcb88693ff8bc5d61b6d44503f3a99e8c3df3891e0040dee96047458a0e"
     );
 
     for (int i = 0; i < n; i++) {
@@ -1099,11 +1103,11 @@ static void test_compute_kzg_proof__succeeds_expected_proof(void) {
 
     bytes32_from_hex(
         &field_element,
-        "138a16c66bdd9b0b17978ebd00bedf62307aa545d6b899b35703aedb696e3869"
+        "69386e69dbae0357b399b8d645a57a3062dfbe00bd8e97170b9bdd6bc6168a13"
     );
     bytes32_from_hex(
         &input_value,
-        "0d32bafe47065f59692005d9d4b8b4ef67bd0de4c517a91ae0f9b441b84fea03"
+        "03ea4fb841b4f9e01aa917c5e40dbd67efb4b8d4d9052069595f0647feba320d"
     );
 
     /* Initialize the blob with a single field element */
@@ -1350,7 +1354,7 @@ static void test_verify_kzg_proof__fails_z_not_field_element(void) {
 
     get_rand_g1_bytes(&c);
     bytes32_from_hex(
-        &z, "01000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        &z, "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001"
     );
     get_rand_field_element(&y);
     get_rand_g1_bytes(&proof);
@@ -1369,7 +1373,7 @@ static void test_verify_kzg_proof__fails_y_not_field_element(void) {
     get_rand_g1_bytes(&c);
     get_rand_field_element(&z);
     bytes32_from_hex(
-        &y, "01000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        &y, "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001"
     );
     get_rand_g1_bytes(&proof);
 
@@ -1509,7 +1513,7 @@ static void test_compute_and_verify_blob_kzg_proof__fails_invalid_blob(void) {
 
     bytes32_from_hex(
         &field_element,
-        "01000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001"
     );
     memset(&blob, 0, sizeof(blob));
     memcpy(blob.bytes, field_element.bytes, BYTES_PER_FIELD_ELEMENT);
@@ -1678,7 +1682,7 @@ static void test_verify_kzg_proof_batch__fails_invalid_blob(void) {
     /* Overwrite one field element in the blob with modulus */
     bytes32_from_hex(
         &field_element,
-        "01000000fffffffffe5bfeff02a4bd5305d8a10908d83933487d9d2953a7ed73"
+        "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001"
     );
     memcpy(blobs[1].bytes, field_element.bytes, BYTES_PER_FIELD_ELEMENT);