Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Precompiled contract for pairing check. #212

Merged
merged 22 commits into from
Dec 7, 2017
Merged

Precompiled contract for pairing check. #212

merged 22 commits into from
Dec 7, 2017

Conversation

chriseth
Copy link
Contributor

Precompiled contracts for elliptic curve pairing operations are required in order to perform zkSNARK verification within the block gas limit.

Replaces #197

EIPS/pairings.md Outdated
Output: If the length of the input is incorrect or any of the inputs are not elements of
the respective group or are not encoded correctly, the call fails.
Otherwise, return one if
log_P1(a1) * log_P2(b1) + ... + log_P1(ak) * log_P2(bk) = 0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On which ring is this equation evaluated?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

log_P is defined to map into F_q and that is the ring / field where this expression is evaluated.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is q common both to G_1 and G_2?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, the answer is there above.

EIPS/pairings.md Outdated

### Definition of the groups

The groups `G_1` and `G_1` are cyclic groups on the elliptic curve `alt_bn128` defined by the curve equation
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it's G_1 and G_2

EIPS/pairings.md Outdated
The group `G_2` is a cyclic group of prime order in the same elliptic curve over a different field `F_p^2 = F_p[X] / (X^2 + 1)` (p is the same as above) with generator
```
P2 = (
11559732032986387107991004021392285783925812861821192530917403151452391805634 * i +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should stick to X instead of i. An element of F_p^2 would look like a polynomial of X. (Of course i is an intuitive choice because i * i + 1 = 0.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, it should be consistent.

EIPS/pairings.md Outdated
The precompiled contract is defined as follows, where the two groups `G_1` and `G_2` and their generators `P_1` and `P_2` are defined below (they have the same order `q`):

```
Input: (a1, b1, a2, b2, ..., ak, bk) from (G_1 x G_2)^k
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth clarifying if k = 0 is allowed (usually I don't say this, but now it's about protocol consensus).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say of course it is, but it probably makes sense to be explicit about that.

@chriseth chriseth mentioned this pull request Feb 22, 2017
8 tasks
EIPS/pairings.md Outdated

### Definition of the groups

The groups `G_1` and `G_2` are cyclic groups of prime order `q` on the elliptic curve `alt_bn128` defined by the curve equation
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mention that q=21888242871839275222246405745257275088548364400416034343698204186575808495617

EIPS/pairings.md Outdated
```
Input: (a1, b1, a2, b2, ..., ak, bk) from (G_1 x G_2)^k
Output: If the length of the input is incorrect or any of the inputs are not elements of
the respective group or are not encoded correctly, the call fails.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mention explicitly that we have to check that the second elements are in the group G_2 (which is a subgroup of the full elliptic curve). In order to do that, verify that the order of the element is q=21888242871839275222246405745257275088548364400416034343698204186575808495617 (the prime group order of G_2).

TODO: Check that G_2 is the only subgroup of the elliptic curve with that order.

Copy link
Member

@pirapira pirapira Feb 26, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Zcash does something slightly different for the purpose zcash-hackworks/bn@ef95df6

The Zcash implementation adds an element of G_2 at the end.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I edited my post above because zcash does something else for input checking.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The article by Barreto and Naehrig "Pairing-Friendly Elliptic Curves of Prime Order" mentions that the order of the curve twist is n(2p-n) (the proof is left to the reader, so it would be nice to find such a reader) where n is the order of the field and p the order of the original curve. Since G_2 has the same order p and both p and n are primes, it suffices to verify the order of the point is p as long as p does not divide 2p-n, which is the case with our numbers.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that the order of the curve twist is n(2p-n) (the proof is left to the reader, so it would be nice to find such a reader)

Consider a transformation that takes (x, y) into (x / cbrt(xi / 3), y / sqrt(xi / 3)). If one puts in an (x, y) pair that is on the original curve, with order n (ie. x**3 - y**2 = 3), into this transformation, then one should get out a value that satisfies x**3 - y**2 = 3/xi. However, xi / 3 is a quadratic nonresidue (though it is a cubic residue), so any x value that provides two points on the original curve would provide no points when transformed in this way, and because nonresidue * nonresidue = residue, any x value that provides no points on the original curve would provide two points when transformed. There are 2p possible points on the original curve (taking a possible point as a pair (x, parity of y), of which n turn out to be actual points; hence, the transformation gives us 2p - n points (though no proof yet that they are all linearly dependent).

I haven't gotten any further yet but this seems like the right path.

EIPS/pairings.md Outdated

## Specification

Add a precompiled contracts for a bilinear function on groups on the elliptic curve "alt_bn128". We will define the precompiled contract in terms of a discrete logarithm. The discrete logarithm is of course assumed to be hard to compute, but we will give an equivalent specification that makes use of elliptic curve pairing functions which can be efficiently computed below.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In some libraries, I saw alt_bn128 is an alternative implementation of bn128. I got an impression they are for the same curve.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, this is the case, probably better call it just bn128, because alt_bn128 is just implementation-specific label for the same curve in one particular library (libsnark, https://github.com/scipr-lab/libsnark)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@NikVolf the curve might be the same, but the generators used seem to be different:
https://github.com/scipr-lab/libsnark/blob/master/src/algebra/curves/bn128/bn128_init.cpp#L166 - https://github.com/scipr-lab/libsnark/blob/master/src/algebra/curves/alt_bn128/alt_bn128_init.cpp#L208 (but it might just be a different encoding)
In that case, we should perhaps move this wording closer to the specification of the generators.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are the permalinks.

alt_bn128 generator: https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/alt_bn128/alt_bn128_init.cpp#L208-L211

bn128 generator: https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169

The numbers can be copy/pasted and they're both valid G2 points on the bn128 curve, so they are different generators (with the same encoding).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also note that currently the cpp-ethereum implementation is not actually using the alt_bn128 optimization, but the bn128 generator points (if I remember correctly) ethereum/aleth#4450

EIPS/pairings.md Outdated
4082367875863433681332203403145435568316851327593401208105741076214120093531 * i +
8495653923123431417604973247489272438418190587263600148770280649306958101930
)
```
Copy link
Member

@pirapira pirapira Feb 26, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let G_3 be the cyclic subgroup generated by P3, where P3 is very similar to P2 but uses -i instead of i. Is it the case that G_3 has the same order as G_2? If that's the case, the current input checking method checks <G_2, G_3> I guess.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why can't it be that P3 is just another element of the same cyclic group?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The question is the other way around, why is it the case that P3 is just another element of the same cyclic group?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I guess Lagrange's theorem might be useful.)

EIPS/pairings.md Outdated

```
Input: (a1, b1, a2, b2, ..., ak, bk) from (G_1 x G_2)^k
Output: If the length of the input is incorrect or any of the inputs are not elements of
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a distinct break from the pattern of an infinitely zero-extended input. Why not prepend the number of elements?

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Apr 13, 2017
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Apr 18, 2017
@nicola
Copy link

nicola commented May 7, 2017

How much would the cost to validate a zksnark?

@cdetrio
Copy link
Member

cdetrio commented Dec 1, 2017

To summarize some of the discussion (now hidden in outdated comments), and expand on it further:

  • comments from @pirapira and @NikVolf that bn128 and alt_bn128 are the same curve. Specifying alt_bn128 is merely an optimization, and not strictly relevant to compatibility of precompile implementations. It could be relevant to the gas cost, if the chosen cost was based on a processing speed only attainable with the alt_bn128 optimization. But that isn't the case (currently the cpp client still uses an unoptimized implementation enable libsnark/libff alt_bn128 optimizations aleth#4450).
  • bn128 and alt_bn128 use different generators, but the choice of generator points is also not relevant to precompile implementations. The text states as much: "Both generators have the same prime order q and the actual choice of the generators does not matter, as long as they have order q."
  • The alt_bn128 generator was perhaps included because the pairing precompile is based on the zkSNARKs in Zcash. However, the pairing precompile is more general than the Zcash implementation. So while the alt_bn128 generator is a necessary input in order to verify a Zcash transaction, it is not necessary to implement the precompile. Other zkSNARK circuits and proofs may use different generator points, and the precompile can also verify those proofs because it is not dependent on any particular generator.

These points are hinted at in the text, in a confusing way: "the actual choice of the generators does not matter... The group G2 has generator P2 = (Xa + Xb, Ya + Yb)." If the choice doesn't matter, then why specify it? This is confusing to the average implementer, so some clarification would help.

@pirapira
Copy link
Member

pirapira commented Dec 1, 2017

@cdetrio if we avoid mentioning a generator, we need an alternative way to specify a group on the curve.

@pirapira
Copy link
Member

pirapira commented Dec 1, 2017

@cdetrio I doubt there is a shorter way than to mention a generator explicitly.

@pirapira
Copy link
Member

pirapira commented Dec 1, 2017

@cdetrio and then, exploring an alternative definition is beyond editorship.

Maybe the BN parameters and so on can be added as an informational EIP. A link can be added from here then.

@pirapira
Copy link
Member

pirapira commented Dec 4, 2017

Looks good to me.

Now I'm wondering if I should wait for @cdetrio 's alternative.

@pirapira
Copy link
Member

pirapira commented Dec 4, 2017

I wouldn't believe the existence of those subgroups of order q without shown at least one generator. With a concrete generator, I can multiply it by q and then believe the existence of those subgroups.

The uniqueness part is not so hard. Basically, q is big enough.

)
```

Note that `G_2` is the only group of order `q` of that elliptic curve over the field `F_p^2`. Any other generator of order `q` instead of `P2` would define the same `G_2`. However, the concrete value of `P2` is useful for skeptical readers who doubt the existence of a group of order `q`. They can be instructed to compare the concrete values of `q * P2` and `P2`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cdetrio is this better now?

@pirapira pirapira merged commit 6131f33 into master Dec 7, 2017
@pirapira pirapira deleted the pairings branch December 7, 2017 11:23
@pirapira
Copy link
Member

pirapira commented Dec 7, 2017

I think @cdetrio's findings can be filed as an informational EIP, and this one can link to that.

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 17, 2018
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018
pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants