feat: end-to-end modexp, ecadd, ecmul and ecpairing #39
Conversation
NikitaMasych
force-pushed
the
dl-precompiles
branch
from
e21c448 to
dfce813
Compare
| let x1 = convert_uint256_to_field_element(cs, &x1, base_field_params); | ||
| let y1 = convert_uint256_to_field_element(cs, &y1, base_field_params); | ||
|
|
||
| let point1_on_curve = is_on_curve(cs, (&x1, &y1), base_field_params); |
There was a problem hiding this comment.
You can optimize this place. Optimize reduction (inside equal is reduction also mul doing reduction)
There was a problem hiding this comment.
Can you clarify how to do that? Do I need to somehow call normalization manually before operations?
| let mut x_cubed_plus_b = x_cubed.add(cs, &mut b); | ||
| let mut y_squared = y.square(cs); | ||
|
|
||
| BN256BaseNNField::equals(cs, &mut y_squared, &mut x_cubed_plus_b) |
There was a problem hiding this comment.
Remove these mutable links (hint: all problems in mul)
There was a problem hiding this comment.
Do you mean I shall make changes in boojum to accept immutable links and then clone and make mutable ops there in inner functions?
| /// This function computes the Miller loop for the BN256 curve, using | ||
| /// _Algorithm 1_ from https://eprint.iacr.org/2010/354.pdf. Frobenius | ||
| /// map is taken from https://hackmd.io/@Wimet/ry7z1Xj-2. | ||
| pub fn evaluate( |
There was a problem hiding this comment.
Critical bug: You should have used subgroup check during the Miller loop. Here is the article: https://eprint.iacr.org/2022/352.pdf
There was a problem hiding this comment.
There was a problem hiding this comment.
You do need to perform a subgroup check for G2 when working with the Bn256 (or BN254) curve.
The BN256 curve is designed so that both G1 and G2 have a prime order q. However, because G2 is defined over F_p^2, there are elements on the curve that do not necessarily belong to the prime-order subgroup. The reason a subgroup check is required for G2 is that G2 operates over Fp2, where the elliptic curve has more points (the full curve over Fp2 has order p2−1), and only a subset of those points are in the prime-order subgroup. Therefore, G2 can have points outside the correct prime-order subgroup, making the check necessary.
For G1 in the BN256 (BN254) curve, you do not typically need to perform a subgroup check.
The cofactor for the G1 group is 1, meaning the total number of points on the elliptic curve over Fp is exactly q×1. Therefore, there is no risk of having points in a larger group (i.e., no larger cofactor to worry about), and any valid point generated by the group operation already lies in the correct subgroup of prime order q. ( in contrast, there is bls12 curve which have a lot of cofactors so we need subgroup check for G1 and G2)
But the fact that EIP-197 does not mention it is suspicious to me so i decide do some research:
Since small subgroup attack is directly breaking DLA for some curves their coffactor could be huge enough to be safe. This article explain how the same curve but with different parameters could change security level https://eprint.iacr.org/2015/247.pdf and the last author of this blog compute for us the bit of security https://blog.bren2010.io/blog/notes-on-bn256
and this is 2^100 what is quite big for use subgroup check. I checked our curve and we dont have safe parameters but the security is approximately 2^100. So do we need to add subgroup check in our precompiles? ( checked some zk project with the same curve and they did check)
Why do I suggest to use the subgroup check for BN256 during Miller loop? because if you look at the article which i previously sent, subgroup check uses the twisted frobenius map, the same as miller loop. we can just reuse frob map to check if point in the right subgroup.
Subgroup check for BN256 curve is of the form: twisted_frob(Q) = [6*u^2]*Q so shouldn’t be such expensive
NikitaMasych
force-pushed
the
dl-precompiles
branch
2 times, most recently
from
66ec15f to
4cfd997
Compare
NikitaMasych
force-pushed
the
dl-precompiles
branch
from
b8dfc04 to
33e963e
Compare
|
I want to write about this in general because there are many places where this problem is. In pairing, you use a lot of normalization even when the value is already normalized. In some cases, it will be optimized as follows: if self.tracker.max_moduluses == 1 && self.form == RepresentationForm::Normalized {
return;
}But not every normalized value will have a self.tracker.max_moduluses = = 1. That's why, in many cases, you do over constraint. In most of the functions, we use mul, which normalizes itself. Take this into consideration! This can be a good optimization |
|
After the easy part, you need to check that F_q^12 isn't zero before the hard part. (exception case) |
NikitaMasych
force-pushed
the
dl-precompiles
branch
from
ace6d01 to
193a52a
Compare
…ort pairing_ce as bn254 in zkevm_opcode_defs
…ase and recursion layers
…tion for one instance
… encoding for ecpairing fsm
NikitaMasych
force-pushed
the
dl-precompiles
branch
from
9ac39e5 to
a76e983
Compare
What?
Implementation of
modexp,ecadd,ecmulandecpairingprecompiles as circuits.Previous PRs
Since the migration to monolithic workspace with crates was in place, this PR aggregates several separate ones, which had been opened to corresponding crates repositories and had reviews.
Homogeneity with previous PRs
Code has certain changes apart from contained in previous PRs such as caused by rebasing and noticing missed problems.