
Precompiled contract for pairing check. #212

Merged
merged 22 commits into master from pairings on Dec 7, 2017

9 participants
@chriseth
Contributor

chriseth commented Feb 13, 2017

Precompiled contracts for elliptic curve pairing operations are required in order to perform zkSNARK verification within the block gas limit.

Replaces #197

@pirapira pirapira referenced this pull request Feb 13, 2017

Closed

Byzantium changes #229

12 of 12 tasks complete

@chriseth chriseth referenced this pull request Feb 22, 2017

Merged

Integrate libsnark #3587

8 of 8 tasks complete

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Apr 13, 2017

@pirapira pirapira referenced this pull request Apr 13, 2017

Closed

[WIP] zkSNARK #296

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Apr 18, 2017

@pirapira pirapira referenced this pull request Apr 21, 2017

Closed

All Core Devs Meeting #14 #12

@chfast chfast referenced this pull request Apr 21, 2017

Closed

[META] Byzantium implementation progress #4050

17 of 17 tasks complete
@nicola

nicola commented May 7, 2017

How much would it cost to validate a zkSNARK?

@cdetrio
Member

cdetrio commented Dec 1, 2017

To summarize some of the discussion (now hidden in outdated comments), and expand on it further:

  • comments from @pirapira and @NikVolf that bn128 and alt_bn128 are the same curve. Specifying alt_bn128 is merely an optimization, and not strictly relevant to compatibility of precompile implementations. It could be relevant to the gas cost, if the chosen cost was based on a processing speed only attainable with the alt_bn128 optimization. But that isn't the case (currently the cpp client still uses an unoptimized implementation ethereum/aleth#4450).
  • bn128 and alt_bn128 use different generators, but the choice of generator points is also not relevant to precompile implementations. The text states as much: "Both generators have the same prime order q and the actual choice of the generators does not matter, as long as they have order q."
  • The alt_bn128 generator was perhaps included because the pairing precompile is based on the zkSNARKs in Zcash. However, the pairing precompile is more general than the Zcash implementation. So while the alt_bn128 generator is a necessary input in order to verify a Zcash transaction, it is not necessary to implement the precompile. Other zkSNARK circuits and proofs may use different generator points, and the precompile can also verify those proofs because it is not dependent on any particular generator.

These points are hinted at in the text, in a confusing way: "the actual choice of the generators does not matter... The group G2 has generator P2 = (Xa + Xb, Ya + Yb)." If the choice doesn't matter, then why specify it? This is confusing to the average implementer, so some clarification would help.

@pirapira
Member

pirapira commented Dec 1, 2017

@cdetrio if we avoid mentioning a generator, we need an alternative way to specify a group on the curve.

@pirapira
Member

pirapira commented Dec 1, 2017

@cdetrio I doubt there is a shorter way than to mention a generator explicitly.

@pirapira
Member

pirapira commented Dec 1, 2017

@cdetrio and then, exploring an alternative definition is beyond editorship.

Maybe the BN parameters and so on can be added as an informational EIP. A link can be added from here then.

pirapira and others added some commits Dec 1, 2017

@pirapira
Member

pirapira commented Dec 4, 2017

Looks good to me.

Now I'm wondering if I should wait for @cdetrio 's alternative.

@pirapira
Member

pirapira commented Dec 4, 2017

I wouldn't believe the existence of those subgroups of order q without being shown at least one generator. With a concrete generator, I can multiply it by q and then believe the existence of those subgroups.

The uniqueness part is not so hard. Basically, q is big enough.

pirapira added some commits Dec 4, 2017

Make eip-197.md Final
The EIP is already active on the main net.
Note that `G_2` is the only group of order `q` of that elliptic curve over the field `F_p^2`. Any other generator of order `q` instead of `P2` would define the same `G_2`. However, the concrete value of `P2` is useful for skeptical readers who doubt the existence of a group of order `q`. They can be instructed to compare the concrete values of `q * P2` and `P2`.
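
An added example, not code from EIP-197 or from this PR, that carries out the check the note above asks a skeptical reader to do. It implements F_p and F_p^2 arithmetic and affine point addition from scratch, takes p, q, P1, P2 and the two curve equations (y^2 = x^3 + 3 over F_p, y^2 = x^3 + 3/(9 + i) over F_p^2) from EIP-197, and confirms that q * P1 and q * P2 are the point at infinity, which is the same statement as (q + 1) * P2 == P2. The class and function names are the example's own, and the point at infinity is represented as None.

```python
# Added example (not part of EIP-197 or this PR): verify that the EIP-197
# generators P1 and P2 have order q.  p, q, P1, P2 and the curve equations are
# the EIP-197 values; the field/curve helpers and names are this example's own
# scaffolding, and the point at infinity is modelled as None.

# Base field modulus p and subgroup order q (EIP-197).
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
Q = 21888242871839275222246405745257275088548364400416034343698204186575808495617


class Fp:
    """Prime field F_p; elements are ints in [0, p)."""
    zero, one = 0, 1
    add = staticmethod(lambda x, y: (x + y) % P)
    sub = staticmethod(lambda x, y: (x - y) % P)
    mul = staticmethod(lambda x, y: (x * y) % P)
    inv = staticmethod(lambda x: pow(x, P - 2, P))  # Fermat inverse, x != 0


class Fp2:
    """F_p^2 = F_p[i]/(i^2 + 1); the pair (a, b) stands for a + b*i."""
    zero, one = (0, 0), (1, 0)
    add = staticmethod(lambda x, y: ((x[0] + y[0]) % P, (x[1] + y[1]) % P))
    sub = staticmethod(lambda x, y: ((x[0] - y[0]) % P, (x[1] - y[1]) % P))
    # (a + b*i)(c + d*i) = (ac - bd) + (ad + bc)*i, using i^2 = -1
    mul = staticmethod(lambda x, y: ((x[0] * y[0] - x[1] * y[1]) % P,
                                     (x[0] * y[1] + x[1] * y[0]) % P))

    @staticmethod
    def inv(x):
        a, b = x
        n = pow((a * a + b * b) % P, P - 2, P)  # 1 / norm(a + b*i)
        return ((a * n) % P, (-b * n) % P)      # conjugate over norm


# G1 lives on y^2 = x^3 + 3 over F_p; G2 on the twist y^2 = x^3 + 3/(9 + i)
# over F_p^2.  Generators as given in EIP-197 (x = c0 + c1*i written (c0, c1)).
B1 = 3
B2 = Fp2.mul((3, 0), Fp2.inv((9, 1)))
P1 = (1, 2)
P2 = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)


def on_curve(F, b, pt):
    """True if pt is None (infinity) or satisfies y^2 = x^3 + b over field F."""
    if pt is None:
        return True
    x, y = pt
    return F.mul(y, y) == F.add(F.mul(F.mul(x, x), x), b)


def point_add(F, p1, p2):
    """Affine short-Weierstrass addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if y1 != y2 or y1 == F.zero:
            return None                      # p2 == -p1, the sum is infinity
        xx = F.mul(x1, x1)                   # doubling: lambda = 3x^2 / 2y
        lam = F.mul(F.add(F.add(xx, xx), xx), F.inv(F.add(y1, y1)))
    else:
        lam = F.mul(F.sub(y2, y1), F.inv(F.sub(x2, x1)))
    x3 = F.sub(F.sub(F.mul(lam, lam), x1), x2)
    y3 = F.sub(F.mul(lam, F.sub(x1, x3)), y1)
    return (x3, y3)


def scalar_mul(F, pt, k):
    """Left-to-right double-and-add; None when k*pt is the point at infinity."""
    acc = None
    for bit in bin(k)[2:]:
        acc = point_add(F, acc, acc)
        if bit == "1":
            acc = point_add(F, acc, pt)
    return acc


def has_order_q(F, b, gen):
    """The skeptic's check: gen is a finite curve point and q*gen is infinity.
    q is prime, so such a point generates a subgroup of exactly order q."""
    return gen is not None and on_curve(F, b, gen) and scalar_mul(F, gen, Q) is None


def check_eip197_generators():
    """Both generators, plus the '(q+1)*P2 == P2' reading of comparing q*P2 and P2."""
    return {
        "P1_on_curve": on_curve(Fp, B1, P1),
        "P1_order_q": has_order_q(Fp, B1, P1),
        "P2_on_twist": on_curve(Fp2, B2, P2),
        "P2_order_q": has_order_q(Fp2, B2, P2),
        "q_plus_1_times_P2_is_P2": scalar_mul(Fp2, P2, Q + 1) == P2,
    }


if __name__ == "__main__":
    for name, ok in check_eip197_generators().items():
        print(f"{name}: {ok}")
```

Affine arithmetic with a field inversion per step is deliberately the simplest correct form rather than anything a client would ship; the point is only that a reader can confirm the order-q claim from the constants in the EIP with no library trust involved. Note that q * P2 being infinity is what makes P2 a generator of an order-q subgroup; the twist over F_p^2 has many more points than q, so this check does not hold for an arbitrary point on it.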

@pirapira
Member

pirapira commented Dec 4, 2017

@cdetrio is this better now?

@pirapira pirapira merged commit 6131f33 into master Dec 7, 2017

@pirapira pirapira deleted the pairings branch Dec 7, 2017

@pirapira
Member

pirapira commented Dec 7, 2017

I think @cdetrio's findings can be filed as an informational EIP, and this one can link to that.

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 17, 2018

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018

pirapira added a commit to pirapira/yellowpaper that referenced this pull request Jan 19, 2018

@aerth aerth referenced this pull request Jun 5, 2018

Merged

HF7 @ 36050 #24
