AVM: Add bn256 pairing opcodes experimentally (#4013)
* add bn256 add, scalar multiply and pairing opcode
* replace with gnark bn254 and bench
* update opcost for bn256 according to benchmark


Some doc tweaks, and moved implementation to pairing.go

These opcodes should stay in vFuture until

1. We consider the serialization format
2. We have unit tests
3. We consider BLS 12-381 (and the opcodes of eip 2537)
4. Audit of gnark-crypto library

Co-authored-by: Bo Yao <by677@nyu.edu>
Co-authored-by: Bo Yao <bo@abstrlabs.com>
Co-authored-by: bo-abstrlabs <96916614+bo-abstrlabs@users.noreply.github.com>
Co-authored-by: chris erway <chris.erway@algorand.com>
5 people committed May 24, 2022
1 parent b3e19e7 commit 8088e04
Showing 12 changed files with 396 additions and 45 deletions.
3 changes: 3 additions & 0 deletions data/transactions/logic/README.md
Expand Up @@ -276,6 +276,9 @@ return stack matches the name of the input value.
| `ecdsa_verify v` | for (data A, signature B, C and pubkey D, E) verify the signature of the data against the pubkey => {0 or 1} |
| `ecdsa_pk_recover v` | for (data A, recovery id B, signature C, D) recover a public key |
| `ecdsa_pk_decompress v` | decompress pubkey A into components X, Y |
| `bn256_add` | for (curve points A and B) return the curve point A + B |
| `bn256_scalar_mul` | for (curve point A, scalar K) return the curve point KA |
| `bn256_pairing` | for (points in G1 group G1s, points in G2 group G2s), return whether they are paired => {0 or 1} |
| `+` | A plus B. Fail on overflow. |
| `-` | A minus B. Fail if B > A. |
| `/` | A divided by B (truncated division). Fail if B == 0. |
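
Review bot: The `bn256_pairing` row ("return whether they are paired") does not say what condition yields 1, and this table is the first place a contract author will look. State the equation the opcode evaluates over the G1s and G2s lists and what happens when the two lists hold different numbers of points. The commit message says these opcodes should stay in vFuture until the serialization format is considered and gnark-crypto is audited, so the three new rows should also be marked experimental here.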
30 changes: 30 additions & 0 deletions data/transactions/logic/TEAL_opcodes.md
Expand Up @@ -1097,6 +1097,36 @@ The notation A,B indicates that A and B are interpreted as a uint128 value, with
- **Cost**: 130
- Availability: v7

## bn256_add

- Opcode: 0x99
- Stack: ..., A: []byte, B: []byte &rarr; ..., []byte
- for (curve points A and B) return the curve point A + B
- **Cost**: 70
- Availability: v7

A, B are curve points in G1 group. Each point consists of (X, Y) where X and Y are 256 bit integers, big-endian encoded. The encoded point is 64 bytes from concatenation of 32 byte X and 32 byte Y.

## bn256_scalar_mul

- Opcode: 0x9a
- Stack: ..., A: []byte, B: []byte &rarr; ..., []byte
- for (curve point A, scalar K) return the curve point KA
- **Cost**: 970
- Availability: v7

A is a curve point in G1 Group and encoded as described in `bn256_add`. Scalar K is a big-endian encoded big integer that has no padding zeros.

## bn256_pairing

- Opcode: 0x9b
- Stack: ..., A: []byte, B: []byte &rarr; ..., uint64
- for (points in G1 group G1s, points in G2 group G2s), return whether they are paired => {0 or 1}
- **Cost**: 8700
- Availability: v7

G1s are encoded by the concatenation of encoded G1 points, as described in `bn256_add`. G2s are encoded by the concatenation of encoded G2 points. Each G2 is in form (XA0+i*XA1, YA0+i*YA1) and encoded by big-endian field element XA0, XA1, YA0 and YA1 in sequence.

## b+

- Opcode: 0xa0
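
Review bot: `bn256_pairing` lists a flat **Cost**: 8700 while its inputs are concatenations of a variable number of G1 and G2 points, so the work grows with input length but the charge does not; either cap the number of pairs in the spec or document the cost per pair. The encoding paragraphs for all three opcodes also leave failure behaviour undefined: say whether the opcode fails on an input whose length is not a multiple of the point size, on coordinates that are not on the curve (and, for G2, not in the expected subgroup), and on a scalar K with leading zeros, and say how the point at infinity is encoded. The Stack lines name the arguments A and B while the `bn256_scalar_mul` and `bn256_pairing` descriptions use K, G1s and G2s; use one set of names.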