Update EIP-2537: Editorial

[khovratovich]

Edited a few sentences that were ambiguous.

Added the Fp, Fp2, G1, G2 definitions.

[eth-bot]

✅ All reviewers have approved.

[asanso]

why H and not G?

[khovratovich]

Just to resolve ambiguity. Because G1 is used for a group of points.

[ralexstokes]

generally looks good

[shamatar]

If clarifications are in the process, then we should double check (as I no longer remember if it was well covered in the original documents, it was too long ago):

• subgroup checks for non-pairing operations: I think they should be on the caller's responsibility, so implementation should only do "on curve" check
• number of input-pairs into pairing operation and multiexp operation: empty input must return an error and not zero-point/identity

I will check a the original document, but second confirmation will be great

Note: if we require(!) and not suggest all implementations to do fast subgroup checks, then actually it will be fine to require inputs to be in the main subgroups (G1/G2) and not just "on curve". Otherwise slow subgroup check via multiplication will ruin gas schedule and make additions expensive

[khovratovich]

• subgroup checks for non-pairing operations: I think they should be on the caller's responsibility, so implementation should only do "on curve" check
• number of input-pairs into pairing operation and multiexp operation: empty input must return an error and not zero-point/identity

Both are true in the current document.

[asanso]

rather than use this naive expensive subgroup check (in particular for G2) I'd rather suggest to point to https://eprint.iacr.org/2021/1130.pdf

[khovratovich]

Can we provide complexity estimates for this method? What is the value of u?

[asanso]

it's all in the paper. 'u' is the seed for generating BLS12-381 and pretty short ( -0xd201000000010000)

[shamatar]

Yes, you should not require "check by multiplication" only. Whether we should require fast subgroup checks or not is a separate question

[khovratovich]

Reformulated the text with your link @asanso

[asanso]

• subgroup checks for non-pairing operations: I think they should be on the caller's responsibility, so implementation should only do "on curve" check
• number of input-pairs into pairing operation and multiexp operation: empty input must return an error and not zero-point/identity

Both are true in the current document.

I agree with @khovratovich that the current situation is ambiguous. Moreover, it is even more convoluted than that, as leaving the responsibility to callers to check the subgroup for non-pairing operations opens the door to subtle issues. For example, in order to expedite scalar multiplication, implementers might be tempted (within their rights) to apply GLV endomorphism optimization. However, the problem arises because the GLV is defined and valid only within the 'magic subgroup'.

[shamatar]

If no one knows a good reasonable case for explicit wanting to mix-in not-main-subgroup point for non-pairing cases, I can perform some basic gas measurements in case of fast subgroup check. Hopefully costs should not change too much for multiplication and addition since they are dominated by one final inversion

[github-actions]

The commit 21f396f (as a parent of ba051b3) contains errors.
Please inspect the Run Summary for details.

[khovratovich]

The CI validator does not like a link to ePrint. Probably we can ignore this error.

[asanso]

@khovratovich IMHO it would be good to separate the really good editorial changes and typos you corrected from the subgroup check discussion. How about slit this PR in 2 so we could merge the editorial changes/typos first ?

[eth-bot]

All Reviewers Have Approved; Performing Automatic Merge...