Skip to content

Commit

Permalink
EIP-197: pairing checking precompiled contract
Browse files Browse the repository at this point in the history
As described in ethereum/EIPs#212
  • Loading branch information
pirapira committed Jan 19, 2018
1 parent acded14 commit befe654
Showing 1 changed file with 56 additions and 0 deletions.
56 changes: 56 additions & 0 deletions Paper.tex
Original file line number Diff line number Diff line change
Expand Up @@ -1520,6 +1520,62 @@ \subsection{zkSNARK Related Precompiled Contracts}
\end{eqnarray}
We define $G_2$ to be the subgroup of $(C_2,+)$ generated by $P_2$. $G_2$ is known to be a cyclic group of order $q$. For a point $P$ in $G_2$, we define $\log_{P_2}(P)$ be the smallest natural number $n$ satisfying $n\cdot P_2=P$. With this definition, $\log_{P_2}(P)$ is at most $q-1$.

A 32 byte number $\mathbf{x}\in\mathbf{P}_{256}$ might and might not represent an element of $F_p$.
\begin{equation}
\delta_p(\mathbf x)\equiv\begin{cases}
\mathbf x&\text{if}\ \mathbf x<p\\
\varnothing&\text{otherwise}
\end{cases}
\end{equation}

A 64 byte data $\mathbf x\in\mathbf B_{512}$ might and might not represent an element of $G_1$.
\begin{eqnarray}
\delta_1(\mathbf x)&\equiv&\begin{cases}
g_1&\text{if}\ g_1\in G_1\\
\varnothing&\text{otherwise}
\end{cases}\\
g_1&\equiv&\begin{cases}
(x,y)&\text{if}\ x\neq\varnothing\wedge y\neq\varnothing\\
\varnothing&\text{otherwise}
\end{cases}\\
x&\equiv&\delta_p(\mathbf x[0..31])\\
y&\equiv&\delta_p(\mathbf x[32..63])
\end{eqnarray}

A 128 byte data $\mathbf x\in\mathbf B_{1024}$ might and might not represent an element of $G_2$.
\begin{eqnarray}
\delta_2(\mathbf x)&\equiv&\begin{cases}
g_2&\text{if}\ g_2\in G_2\\
\varnothing&\text{otherwise}
\end{cases}\\
g_2&\equiv&\begin{cases}
((x_0i+y_0),(x_1i+y_1))&\text{if}\ x_0\neq\varnothing\wedge y_0\neq\varnothing\wedge x_1\neq\varnothing\wedge y_1\neq\varnothing\\
\varnothing&\text{otherwise}
\end{cases}\\
x_0&\equiv&\delta_p(\mathbf x[0..31])\\
y_0&\equiv&\delta_p(\mathbf x[32..63])\\
x_1&\equiv&\delta_p(\mathbf x[64..95])\\
y_1&\equiv&\delta_p(\mathbf x[96..127])
\end{eqnarray}

We define a precompiled contract for zkSNARK verification.
\begin{eqnarray}
\Xi_{\mathtt{SNARKV}}&\equiv&\Xi_{\mathtt{PRE}}\quad\text{except:}\\
\qquad\Xi_{\mathtt{SNARKV}}(\boldsymbol\sigma,g,I)&=&(\varnothing,0,A^0,())\quad\text{if}\ F\\
F&\equiv&(|I_\mathbf{d}|\bmod 192\neq 0\vee(\exists j.\ a_j=\varnothing\vee b_j=\varnothing))\\
g_r&=&?\\
\mathbf o[0..31]&\equiv&\begin{cases}
0x0000000000000000000000000000000000000000000000000000000000000001&\text{if}\ v\wedge\neg F\\
0x0000000000000000000000000000000000000000000000000000000000000000&\text{if}\ \neg v\wedge\neg F
\end{cases}\\
v&\equiv&(\log_{P_1}(a_1)\times\log_{P_2}(b_1)+\cdots+\log_{P_1}(a_k)\times\log_{P_2}(b_k)\equiv 0\mod q)\\
a_1&\equiv&\delta_1(I_{\mathbf d}[0..63])\\
b_1&\equiv&\delta_2(I_{\mathbf d}[64..191])\\\nonumber
\vdots\\
a_k&\equiv&\delta_1(I_{\mathbf d}[(|I_{\mathbf d}|-192)..(|I_{\mathbf d}|-129)])\\
b_k&\equiv&\delta_2(I_{\mathbf d}[(|I_{\mathbf d}|-128)..(|I_{\mathbf d}|-1)])
\end{eqnarray}

\section{Signing Transactions}\label{app:signing}

The method of signing transactions is similar to the `Electrum style signatures'; it utilises the SECP-256k1 curve as described by \cite{gura2004comparing}.
Expand Down

0 comments on commit befe654

Please sign in to comment.