perf: replace BN254 final exp by a class equivalence check #1143
Conversation
cool

Actually we can feed the hint with the points instead of the Miller function to compute the witness residue. This means we compute the Miller loop out-circuit (in the hint) and based on that we compute the witness residue. However, we need the Miller loop out-circuit to match exactly the in-circuit version to have the same witness residue. Previously in gnark-crypto we used

This saves an additional 571,337 scs in the ECPAIR precompile.
Some remarks:

Moreover 1/m' mod h doesn't exist for BLS12-381 ...

yes
Looks good. I got the idea of having last ML and FinalExp in the same call.
we can do this actually for the whole multi-pairing, but for the precompile we need to have fixed circuits regardless of the number of pairs so I did the trick only for the last Miller loop.
Description
For pairing checks of the form

∏ e(P_i, Q_i) == 1

we replace the final exponentiation by a class equivalence check as described in https://eprint.iacr.org/2024/640.pdf (Section 4). We compute in a hint the residue witness c and check in-circuit that

f * w == c^λ

where f = ∏ MillerLoop(P_i, Q_i), w is some hinted scalar to ensure f*w is a cubic residue, and λ = 6u+2+q^3-q^2+q is the optimal exponent (instead of r) with u the curve seed. Exponentiation by 6u+2 is done using an optimized addition chain.

The paper suggests to include c^(6u+2) in the multi-Miller loop computation so that the mutualized squarings in the loop would catch the squarings needed for c^(6u+2) too, but I don't see how this can be done since we need f to compute c. One thing we can maybe do later is to push f and all the hint outputs to the torus, or at least the cyclotomic subgroup, by doing the easy part of the final exponentiation, so that the FE elimination trick should be conducted with torus-based arithmetic over Fp6 (or at least with cyclotomic squarings over Fp12).

Edit: the squaring mutualization is possible (see #1143 (comment)). Cyclotomic subgroup / torus push becomes inefficient now that squarings are for "free".

Small typo in Alg. 4 of the paper for the modified Tonelli-Shanks: p^k-1 = 3^n * s instead of p-1 = 3^r * s
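As an added worked example (not gnark or gnark-crypto code, and not the paper's exact BN254 parameters), here is a toy analogue in Python over a small prime field: F_p^* stands in for F_{p^12}^*, a small prime r stands in for the pairing subgroup order, and the constructed parameters p = 271, r = 5, m' = 7 give an exponent of the shape λ = 3·m'·r with m' invertible modulo the cofactor, which is the shape the cubic-residue adjustment in the description and the "1/m' mod h" remark in the thread imply (that shape is my assumption). The hint side computes w = ω^s and c = (f·w)^(1/λ) off-circuit, the checking side verifies f·w == c^λ in place of the final exponentiation, and the cube root uses the cubic Tonelli-Shanks of the paper's Alg. 4 with p-1 = 3^n·s as in the typo note. All function names and the brute-force soundness check are mine.

```python
# Toy analogue (constructed parameters, not gnark or gnark-crypto code) of replacing the
# final exponentiation f^((p^k-1)/r) == 1 by the hinted check f * w == c^lambda.
# F_p^* stands in for F_{p^12}^*, R for the pairing subgroup order r.

P = 271                    # constructed: p - 1 = 270 = r * h
R = 5                      # stand-in for the subgroup order r (coprime to h)
H = (P - 1) // R           # cofactor h = 54 = 3^3 * 2
E = 3                      # 3-adic valuation of h (27 | h, mirroring the w27 setting)
M_PRIME = 7                # constructed, invertible mod h (the "1/m' mod h" of the thread)
LAMBDA = 3 * M_PRIME * R   # lambda = 105: gcd(lambda, p-1) = 3r, so lambda-th powers are
                           # exactly the cubes inside the order-h subgroup


def find_generator(p):
    """Smallest generator of F_p^*; p-1 is factored by trial division (toy sizes)."""
    n, m, q, factors = p - 1, p - 1, 2, set()
    while q * q <= m:
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return next(g for g in range(2, p) if all(pow(g, n // q, p) != 1 for q in factors))


G = find_generator(P)
OMEGA = pow(G, (P - 1) // 3**E, P)   # fixed primitive 27th root of unity (w27 analogue)


def cube_root(a, p):
    """Cube root of a cubic residue a in F_p^* via the cubic Tonelli-Shanks
    (the paper's Alg. 4) with p - 1 = 3^n * s, 3 not dividing s. Needs 3 | p-1."""
    n, s = 0, p - 1
    while s % 3 == 0:
        n, s = n + 1, s // 3
    if pow(a, (p - 1) // 3, p) != 1:
        raise ValueError("not a cubic residue")
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 3, p) != 1)  # cubic non-residue
    g = pow(z, s, p)                       # generator of the 3-Sylow subgroup, order 3^n
    zeta_g = pow(g, 3 ** (n - 1), p)       # a primitive cube root of unity
    k = (-pow(s, -1, 3)) % 3               # k*s + 1 == 0 (mod 3)
    x = pow(a, (k * s + 1) // 3, p)        # first guess: x^3 = a * b
    b = pow(a, k * s, p)                   # error term b of 3-power order
    while b != 1:
        m = 1                              # smallest m with b^(3^m) == 1 (m <= n-1 for residues)
        while pow(b, 3**m, p) != 1:
            m += 1
        zeta_b = pow(b, 3 ** (m - 1), p)
        j = 1 if zeta_b == zeta_g * zeta_g % p else 2   # cancel the leading cube root of b
        adj = pow(g, 3 ** (n - m - 1) * j, p)
        x = x * adj % p
        b = b * pow(adj, 3, p) % p         # the order of b drops by a factor of 3
    return x


def residue_witness(f):
    """Off-circuit hint: s in {0,1,2} with f * OMEGA^s a cube, and c = (f*w)^(1/lambda).
    Only defined when f passes the original check f^h == 1."""
    if pow(f, H, P) != 1:
        raise ValueError("f fails the pairing check; no witness exists")
    for s in range(3):
        y = f * pow(OMEGA, s, P) % P
        if pow(y, H // 3, P) == 1:         # y is a cube inside the order-h subgroup
            break
    inv = pow(M_PRIME * R, -1, H // 3)     # undo the m'*r part of lambda (invertible mod h/3)
    y1 = pow(y, inv, P)
    return cube_root(y1, P), s


def check_with_witness(f, c, s):
    """In-circuit side: f * w == c^lambda with w = OMEGA^s and OMEGA a fixed constant,
    so the prover only chooses s and c."""
    if s not in (0, 1, 2):
        return False
    return f * pow(OMEGA, s, P) % P == pow(c, LAMBDA, P)


def check_with_final_exp(f):
    """Reference check: the final exponentiation f^((p-1)/r) == 1."""
    return pow(f, H, P) == 1


def no_witness_exists(f):
    """Brute force over all (c, s) (toy sizes only): a dishonest f admits no witness."""
    return not any(check_with_witness(f, c, s) for c in range(1, P) for s in range(3))


if __name__ == "__main__":
    f = pow(G, 3 * R, P)                   # honest: an r-th power, i.e. f^h == 1
    c, s = residue_witness(f)
    print(check_with_final_exp(f), check_with_witness(f, c, s))   # True True
    print(check_with_final_exp(G), no_witness_exists(G))          # False True
```

The soundness argument the brute force illustrates is the same as in the real setting: c^λ always lies in the subgroup of cubes of the order-h group, so f·ω^s can only land there if f^h = 1, whatever c and s the prover supplies. In gnark the constant playing the role of OMEGA is baked into the circuit and s is constrained to three values, so the only freedom the hint has is the honest one.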
How has this been tested?

The existing TestPairingCheckTestSolve works for this.

How has this been benchmarked?

Compared to the previous torus-based final exponentiation, this PR saves in the ECPair precompile: 807,034 scs, later updated to 1,378,371 scs.

Checklist:

golangci-lint does not output errors locally