From e220629a5b82af717ec0c298e1756c439e939934 Mon Sep 17 00:00:00 2001 From: zhenfei Date: Tue, 12 Mar 2024 20:11:17 -0400 Subject: [PATCH 1/4] Update eip-2537.md --- EIPS/eip-2537.md | 66 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 21 deletions(-) diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md index bd405965aef96..185aa7290bcff 100644 --- a/EIPS/eip-2537.md +++ b/EIPS/eip-2537.md 
@@ -25,19 +25,20 @@ The motivation of this precompile is to add a cryptographic primitive that allow ### Constants |Name|Value|Comment| -| --- |--- | --- | -|`FORK_TIMESTAMP` | *TBD* | Mainnet | -|BLS12_G1ADD | 0x0b | precompile address | -|BLS12_G1MUL | 0x0c | precompile address | -|BLS12_G1MULTIEXP | 0x0d | precompile address | -|BLS12_G2ADD | 0x0e | precompile address | -|BLS12_G2MUL | 0x0f | precompile address | -|BLS12_G2MULTIEXP | 0x10 | precompile address | -|BLS12_PAIRING | 0x11 | precompile address | -|BLS12_MAP_FP_TO_G1 | 0x12 | precompile address | -|BLS12_MAP_FP2_TO_G2 | 0x13 | precompile address | - -If `block.timestamp >= FORK_TIMESTAMP` we introduce *nine* separate precompiles to perform the following operations: +| --- |--- | --- | +|`FORK_TIMESTAMP` | *TBD* | Mainnet | +|BLS12_G1ADD | 0x0b | precompile address | +|BLS12_G1MUL | 0x0c | precompile address | +|BLS12_G1MULTIEXP | 0x0d | precompile address | +|BLS12_G2ADD | 0x0e | precompile address | +|BLS12_G2MUL | 0x0f | precompile address | +|BLS12_G2MULTIEXP | 0x10 | precompile address | +|BLS12_PAIRING_CHECK | 0x11 | precompile address | +|BLS12_PAIRING_PRODUCT | 0x11 | precompile address | +|BLS12_MAP_FP_TO_G1 | 0x12 | precompile address | +|BLS12_MAP_FP2_TO_G2 | 0x13 | precompile address | + +If `block.timestamp >= FORK_TIMESTAMP` we introduce *ten* separate precompiles to perform the following operations: - BLS12_G1ADD - to perform point addition in G1 (curve over base prime field) with a gas cost of `500` gas - BLS12_G1MUL - to perform point multiplication in G1 (curve over base prime field) with a gas cost of `12000` gas 
@@ -45,7 +46,8 @@ If `block.timestamp >= FORK_TIMESTAMP` we introduce *nine* separate precompiles - BLS12_G2ADD - to perform point addition in G2 (curve over quadratic extension of the base prime field) with a gas cost of `800` gas - BLS12_G2MUL - to perform point multiplication in G2 (curve over quadratic extension of the base prime field) with a gas cost of `45000` gas - BLS12_G2MULTIEXP - to perform multiexponentiation in G2 (curve over quadratic extension of the base prime field) with a gas cost formula defined in the corresponding section -- BLS12_PAIRING - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section +- BLS12_PAIRING_CHECK - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns 1 is the result is identity, 0 otherwise. +- BLS12_PAIRING_PRODUCT - to perform a pairing product operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns a degree 12 extension field element. - BLS12_MAP_FP_TO_G1 - maps base field element into the G1 point with a gas cost of `5500` gas - BLS12_MAP_FP2_TO_G2 - maps extension field element into the G2 point with a gas cost of `75000` gas 
@@ -113,9 +115,9 @@ For elements of the quadratic extension field (Fp2), encoding is byte concatenat On inputs that can not be a valid encodings of field elements the precompile *must* return an error. -#### Encoding of points in G1/G2: +#### Encoding of points in G1/G2/GT: -Points of G1 and G2 are encoded as byte concatenation of the respective encodings of the `x` and `y` coordinates. Total encoding length for a G1 point is thus `128` bytes and for a G2 point is `256` bytes. +Points of G1, G2 and GT are encoded as byte concatenation of the respective encodings of the `x` and `y` coordinates. Total encoding length for a G1 point is thus `128` bytes, for a G2 point is `256` bytes and for a GT element is `768` byte. #### Point of infinity encoding: @@ -192,9 +194,9 @@ Error cases: - Any point not in G2 (i.e. neither on a curve nor the infinity point) - Input has invalid length -#### ABI for pairing +#### ABI for pairing check -Pairing call expects `384*k` (`k` being a **positive** integer) bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure: +Pairing check call expects `384*k` (`k` being a **positive** integer) bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure: - `128` bytes of G1 point encoding - `256` bytes of G2 point encoding 
@@ -210,6 +212,24 @@ Error cases: - Any of points is not in the correct subgroup - Input has invalid length +#### ABI for pairing product + +Pairing product call expects `384*k` (`k` being a **positive** integer) bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure: + +- `128` bytes of G1 point encoding +- `256` bytes of G2 point encoding + +Each point is expected to be in the subgroup of order `q`. + +Output is a `768` bytes, representing a degree `12` extension of base field element, each of size `64` bytes. + +Error cases: + +- Invalid coordinate encoding +- Any of points being not on the respective curve +- Any of points is not in the correct subgroup +- Input has invalid length + #### ABI for mapping Fp element to G1 point Field-to-curve call expects `64` bytes as an input that is interpreted as an element of Fp. Output of this call is `128` bytes and is an encoded G1 point. @@ -271,9 +291,13 @@ Discounts table as a vector of pairs `[k, discount]`: `max_discount = 174` -#### Pairing operation +#### Pairing check operation + +The cost of the pairing check operation is `43000*k + 65000` where `k` is a number of pairs. + +#### Pairing product operation -The cost of the pairing operation is `43000*k + 65000` where `k` is a number of pairs. +The cost of the pairing product operation is `43000*k + 65000` where `k` is a number of pairs. #### Fp-to-G1 mapping operation 
@@ -338,7 +362,7 @@ There are no backward compatibility questions. ### Subgroup checks -A subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). +A subgroup check **is mandatory** during both the pairing check and pairing product call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). From c4f2e3288b52100d75d888c37d560897bffe6c03 Mon Sep 17 00:00:00 2001 From: zhenfei Date: Thu, 14 Mar 2024 08:57:06 -0400 Subject: [PATCH 2/4] fixing precompile addresses --- EIPS/eip-2537.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md index 185aa7290bcff..6abc84264c226 100644 --- a/EIPS/eip-2537.md +++ b/EIPS/eip-2537.md 
@@ -34,9 +34,9 @@ The motivation of this precompile is to add a cryptographic primitive that allow |BLS12_G2MUL | 0x0f | precompile address | |BLS12_G2MULTIEXP | 0x10 | precompile address | |BLS12_PAIRING_CHECK | 0x11 | precompile address | -|BLS12_PAIRING_PRODUCT | 0x11 | precompile address | -|BLS12_MAP_FP_TO_G1 | 0x12 | precompile address | -|BLS12_MAP_FP2_TO_G2 | 0x13 | precompile address | +|BLS12_PAIRING_PRODUCT | 0x12 | precompile address | +|BLS12_MAP_FP_TO_G1 | 0x13 | precompile address | +|BLS12_MAP_FP2_TO_G2 | 0x14 | precompile address | If `block.timestamp >= FORK_TIMESTAMP` we introduce *ten* separate precompiles to perform the following operations: From 669fe1af1c3870bbacf87996ab024ce6a8830dae Mon Sep 17 00:00:00 2001 From: zhenfei Date: Tue, 23 Apr 2024 12:23:42 -0400 Subject: [PATCH 3/4] revert pairing product --- EIPS/eip-2537.md | 54 ++++++++++++++---------------------------------- 1 file changed, 16 insertions(+), 38 deletions(-) diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md index 6abc84264c226..bd6e8f338ea01 100644 --- a/EIPS/eip-2537.md +++ b/EIPS/eip-2537.md 
@@ -25,18 +25,19 @@ The motivation of this precompile is to add a cryptographic primitive that allow ### Constants |Name|Value|Comment| -| --- |--- | --- | -|`FORK_TIMESTAMP` | *TBD* | Mainnet | -|BLS12_G1ADD | 0x0b | precompile address | -|BLS12_G1MUL | 0x0c | precompile address | -|BLS12_G1MULTIEXP | 0x0d | precompile address | -|BLS12_G2ADD | 0x0e | precompile address | -|BLS12_G2MUL | 0x0f | precompile address | -|BLS12_G2MULTIEXP | 0x10 | precompile address | -|BLS12_PAIRING_CHECK | 0x11 | precompile address | -|BLS12_PAIRING_PRODUCT | 0x12 | precompile address | -|BLS12_MAP_FP_TO_G1 | 0x13 | precompile address | -|BLS12_MAP_FP2_TO_G2 | 0x14 | precompile address | +| --- |--- | --- | +|`FORK_TIMESTAMP` | *TBD* | Mainnet | +|BLS12_G1ADD | 0x0b | precompile address | +|BLS12_G1MUL | 0x0c | precompile address | +|BLS12_G1MULTIEXP | 0x0d | precompile address | +|BLS12_G2ADD | 0x0e | precompile address | +|BLS12_G2MUL | 0x0f | precompile address | +|BLS12_G2MULTIEXP | 0x10 | precompile address | +|BLS12_PAIRING_CHECK | 0x11 | precompile address | +|BLS12_MAP_FP_TO_G1 | 0x12 | precompile address | +|BLS12_MAP_FP2_TO_G2 | 0x13 | precompile address | + +If `block.timestamp >= FORK_TIMESTAMP` we introduce *nine* separate precompiles to perform the following operations: If `block.timestamp >= FORK_TIMESTAMP` we introduce *ten* separate precompiles to perform the following operations: 
@@ -47,7 +48,6 @@ If `block.timestamp >= FORK_TIMESTAMP` we introduce *ten* separate precompiles t - BLS12_G2MUL - to perform point multiplication in G2 (curve over quadratic extension of the base prime field) with a gas cost of `45000` gas - BLS12_G2MULTIEXP - to perform multiexponentiation in G2 (curve over quadratic extension of the base prime field) with a gas cost formula defined in the corresponding section - BLS12_PAIRING_CHECK - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns 1 is the result is identity, 0 otherwise. -- BLS12_PAIRING_PRODUCT - to perform a pairing product operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns a degree 12 extension field element. - BLS12_MAP_FP_TO_G1 - maps base field element into the G1 point with a gas cost of `5500` gas - BLS12_MAP_FP2_TO_G2 - maps extension field element into the G2 point with a gas cost of `75000` gas @@ -115,9 +115,9 @@ For elements of the quadratic extension field (Fp2), encoding is byte concatenat On inputs that can not be a valid encodings of field elements the precompile *must* return an error. -#### Encoding of points in G1/G2/GT: +#### Encoding of points in G1/G2: -Points of G1, G2 and GT are encoded as byte concatenation of the respective encodings of the `x` and `y` coordinates. Total encoding length for a G1 point is thus `128` bytes, for a G2 point is `256` bytes and for a GT element is `768` byte. +Points of G1 and G2 are encoded as byte concatenation of the respective encodings of the `x` and `y` coordinates. Total encoding length for a G1 point is thus `128` bytes and for a G2 point is `256` bytes. #### Point of infinity encoding: 
@@ -212,24 +212,6 @@ Error cases: - Any of points is not in the correct subgroup - Input has invalid length -#### ABI for pairing product - -Pairing product call expects `384*k` (`k` being a **positive** integer) bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure: - -- `128` bytes of G1 point encoding -- `256` bytes of G2 point encoding - -Each point is expected to be in the subgroup of order `q`. - -Output is a `768` bytes, representing a degree `12` extension of base field element, each of size `64` bytes. - -Error cases: - -- Invalid coordinate encoding -- Any of points being not on the respective curve -- Any of points is not in the correct subgroup -- Input has invalid length - #### ABI for mapping Fp element to G1 point Field-to-curve call expects `64` bytes as an input that is interpreted as an element of Fp. Output of this call is `128` bytes and is an encoded G1 point. @@ -295,10 +277,6 @@ Discounts table as a vector of pairs `[k, discount]`: The cost of the pairing check operation is `43000*k + 65000` where `k` is a number of pairs. -#### Pairing product operation - -The cost of the pairing product operation is `43000*k + 65000` where `k` is a number of pairs. - #### Fp-to-G1 mapping operation Fp -> G1 mapping is `5500` gas. 
@@ -362,7 +340,7 @@ There are no backward compatibility questions. ### Subgroup checks -A subgroup check **is mandatory** during both the pairing check and pairing product call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). +A subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). From 7260f97ff16a557cc0fe66004b8a176830ff7cac Mon Sep 17 00:00:00 2001 From: zhenfei Date: Tue, 23 Apr 2024 12:24:56 -0400 Subject: [PATCH 4/4] clean up --- EIPS/eip-2537.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md index bd6e8f338ea01..d40f5e6dbc064 100644 --- a/EIPS/eip-2537.md +++ b/EIPS/eip-2537.md 
@@ -39,15 +39,13 @@ The motivation of this precompile is to add a cryptographic primitive that allow If `block.timestamp >= FORK_TIMESTAMP` we introduce *nine* separate precompiles to perform the following operations: -If `block.timestamp >= FORK_TIMESTAMP` we introduce *ten* separate precompiles to perform the following operations: - - BLS12_G1ADD - to perform point addition in G1 (curve over base prime field) with a gas cost of `500` gas - BLS12_G1MUL - to perform point multiplication in G1 (curve over base prime field) with a gas cost of `12000` gas - BLS12_G1MULTIEXP - to perform multiexponentiation in G1 (curve over base prime field) with a gas cost formula defined in the corresponding section - BLS12_G2ADD - to perform point addition in G2 (curve over quadratic extension of the base prime field) with a gas cost of `800` gas - BLS12_G2MUL - to perform point multiplication in G2 (curve over quadratic extension of the base prime field) with a gas cost of `45000` gas - BLS12_G2MULTIEXP - to perform multiexponentiation in G2 (curve over quadratic extension of the base prime field) with a gas cost formula defined in the corresponding section -- BLS12_PAIRING_CHECK - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns 1 is the result is identity, 0 otherwise. +- BLS12_PAIRING_CHECK - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns 1 if the result is identity, 0 otherwise. - BLS12_MAP_FP_TO_G1 - maps base field element into the G1 point with a gas cost of `5500` gas - BLS12_MAP_FP2_TO_G2 - maps extension field element into the G2 point with a gas cost of `75000` gas
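Review bot: In the Constants hunk of PATCH 1/4, `BLS12_PAIRING_CHECK` and `BLS12_PAIRING_PRODUCT` are both assigned `0x11`, so two precompiles share one address and a client reading this revision cannot tell which one to dispatch. PATCH 2/4 corrects it, but the fix should be squashed into 1/4 so that no intermediate revision of the spec carries the collision. The same hunk also removes and re-adds every existing row from `| --- |--- | --- |` through `BLS12_G2MULTIEXP` with no visible difference; drop that whitespace-only churn so the diff shows only the renamed and added rows.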
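Review bot: The "Encoding of points in G1/G2/GT" hunk of PATCH 1/4 says GT elements are encoded as the concatenation of `x` and `y` coordinate encodings, but the pairing product ABI added in the same patch defines the output as a degree `12` extension field element of `768` bytes, which has no `x` and `y` coordinates. Give GT its own encoding paragraph and state the order in which the twelve `64`-byte coefficients are serialized, because the ABI text as written leaves that order open and implementations that choose differently would return different bytes for the same input. Wording in both hunks also needs a pass: "a GT element is `768` byte" and "Output is a `768` bytes".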
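Review bot: PATCH 2/4 resolves the duplicate `0x11` by placing `BLS12_PAIRING_PRODUCT` at `0x12`, which moves `BLS12_MAP_FP_TO_G1` from `0x12` to `0x13` and `BLS12_MAP_FP2_TO_G2` from `0x13` to `0x14`. Appending the new precompile at `0x14` would leave the two mapping addresses as they were in the base revision; if the renumbering is intended, the commit message should say so, since "fixing precompile addresses" does not mention that existing addresses change.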
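Review bot: The Constants hunk of PATCH 3/4 adds the `*nine* separate precompiles` sentence while keeping the `*ten*` sentence as context, so this revision states the precompile count twice with different numbers until PATCH 4/4 deletes the stale line; fold that deletion into the revert. The revert is also only partial in naming: the Subgroup checks hunk goes back to "during the pairing call" while the table and the operations list keep the new name `BLS12_PAIRING_CHECK`, and the untouched context still reads "The cost of the pairing check operation". Use one name throughout, and note in the commit message that the `BLS12_PAIRING` to `BLS12_PAIRING_CHECK` rename is kept, since "revert pairing product" suggests a full revert of 1/4 and 2/4.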
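Review bot: The `BLS12_PAIRING_CHECK` bullet changed in PATCH 4/4 fixes "is" to "if" but still reads "to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula", with a singular article on a plural noun and no "with" before "a gas cost formula". Since the line is already being edited, bring it in line with the neighbouring bullets ("... with a gas cost formula defined in the corresponding section") and say which group's identity the result is compared against, as "the result is identity" leaves that implicit.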