Refactor: final exponentiation in pairings #375

yelhousni · 2023-04-07T12:44:54Z

@feltroidprime was porting the Karabina optimisations in our final exp to Garaga and encountered a problem with: https://github.com/ConsenSys/gnark-crypto/blob/f93a56c714c4e6266429cac111a004e9eec7daa0/ecc/bls12-381/internal/fptower/e12.go#L227
When computing e(P,Q) * e(-P,Q) the decompression fails (in the corresponding Garaga code) at: https://github.com/ConsenSys/gnark-crypto/blob/f93a56c714c4e6266429cac111a004e9eec7daa0/ecc/bls12-381/internal/fptower/e12.go#L258
This is because g2 and g3 are both zero in that test case. In gnark-crypto this test does not fail because the case g2==g3==0 is handled "implicitly". Since we take the convention of 1/0 = 0 the returned value in this case is 1, which is what is expected as per the proof of Theorem 3.1 of Karabina's paper.

This is said, in this PR I make a suggestion to:

"Explicitly" handle the g2==g3==0 case, and
Return 1 when the result of the easy part is 1 — which is what happens in similar cases to e(P,Q) * e(-P,Q). This saves the hard part computation since 1^d==1.

yelhousni added 3 commits April 7, 2023 14:16

refactor(DecompressKarabina): handle g2=g3=0 case "explicitly"

a78ebec

docs: remove DO NOT EDIT from non-autogenerated files

1fb8e0d

feat(pairing): return 1 after easy part if result is 1

8bbe770

yelhousni added cleanup Suggestion to clean up the code perf labels Apr 7, 2023

yelhousni added this to the v0.10.0 milestone Apr 7, 2023

yelhousni requested a review from gbotrel April 7, 2023 12:44

yelhousni self-assigned this Apr 7, 2023

yelhousni added 3 commits April 7, 2023 15:27

refactor(BatchDecompressKarabina): handle g2=g3=0 case "explicitly"

bb34d12

fix(linter): ineffassign in Fpk marshal

0d88fe2

docs: remove comment

7af857f

gbotrel approved these changes Apr 11, 2023

View reviewed changes

yelhousni merged commit e700949 into develop Apr 11, 2023
5 checks passed

yelhousni deleted the refactor/FinalExp branch April 11, 2023 15:21

Provide feedback