# Field extensions

I think it's worthwhile to go over how pairing works in reality, since `MMM` doesn't do a practical dive into this, short of saying that $\mathbb{G}_2\subset \mathbb{F}_{p^{12}}$ in our case.

## Embedding degree

Why are we dealing with $\mathbb{F}_{p^{12}}$ at all? Well, we're technically dealing not with the entire EC group, but with the cyclic subgroup $\langle X\rangle$ generated by the point $X$ which is the base of our DL problem (i.e. $X^d\equiv Y\implies [d]X = Y$). The embedding (i.e. taking points from $\mathbb{G}_1$ and mapping them into $\mathbb{F}_{p^m}$) is done by the pairing $e(x, y)$, which, for a point $x$ in the $n$-order subgroup of the curve, will be an $n$-th root of unity for some $y$, as required by the condition that $e(ax, by)=e(x,y)^{ab}$. In order for this to hold, there must be enough roots of unity in the field, which happens when $p^k\equiv 1\mod \ell$, where $\ell$ is the order of the cyclic subgroup; the smallest such $k$ is the embedding degree. For us, this is $k=12$, so the embedding must go from the curve to $\mathbb{F}_{p^{12}}$.

We need to deal with this massive extension for the pairing operation because $\mathbb{F}_{p^{12}}$ is the smallest extension over which the curve contains subgroups of order $r$ that we can use for pairings; one of those subgroups contains only points with zero trace, and that is the one we choose as $\mathbb{G}_2$.

So we have $\mathbb{G}_1\subset E(\mathbb{F}_p)$ with $|\mathbb{G}_1|=r$, and $\mathbb{G}_2\subset E(\mathbb{F}_{p^{12}})$ with $|\mathbb{G}_2|=r$ which we want to use for our pairing.

## 12-th order extension of the base field

Given an irreducible polynomial $N \in \mathbb{F}_p[x]$ of degree $m=12$, the elements of this extension are those given by $\{a_{m-1}x^{m-1}+\cdots+a_1x+a_0 \,|\, a_i\in \mathbb{F}_p\}$

Multiplication is defined by multiplying the two polynomials, then using polynomial long division by $N$ to get the remainder, and inverses are computed via the extended Euclidean algorithm.

You can "tower" extensions if the degree of one divides the degree of the other, so if $m_j \mid m_{j+1}$, then $\mathbb{F}_p \subset \mathbb{F}_{p^{m_1}}\subset\cdots\subset \mathbb{F}_{p^{m_k}}$.

The [standard tower](https://eprint.iacr.org/2010/354.pdf) for BN254 is given by the following (see [here](https://github.com/ethereum/py_pairing/blob/master/py_ecc/bn128/bn128_field_elements.py) or [here](https://github.com/arkworks-rs/algebra/tree/master/curves/bn254/src/fields)):
\begin{align}
\mathbb{F}_{p^2}&=\mathbb{F}_{p}[u]/(u^2-\beta)\\
\mathbb{F}_{p^6}&=\mathbb{F}_{p^2}[v]/(v^3-\xi)\\
\mathbb{F}_{p^{12}}&=\mathbb{F}_{p^6}[w]/(w^2-v)
\end{align}
where $\beta$ is a quadratic nonresidue in $\mathbb{F}_p$ and $\xi$ is neither a quadratic nor a cubic residue in $\mathbb{F}_{p^2}$, which amounts to saying that $X^6-\xi$ is irreducible in the ring $\mathbb{F}_{p^2}[X]$. Here, $\beta=-1,\xi=9+u$, which gives $u^2=-1, w^2=v, v^3=9+u$, and therefore:
$$\mathbb{F}_{p^{12}} = \mathbb{F}_{p^2}[w]/(w^6-(9+u))$$

This brings about the following nice points:
- any element in this extension can be written as $g+hw$ with $g,h\in\mathbb{F}_{p^6}$, which means that the $p^6$-th power of any element in the extension, $x^{p^6}=g-hw$, is free to compute (since $g^{p^6}=g$ and $w^{p^6}=-w$)
- likewise, writing each of $g,h$ in terms of coefficients from $\mathbb{F}_{p^2}$ lets you compute the $p$-th, $p^2$-th, and $p^3$-th powers easily as well
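To make the tower concrete, the following is an added example (not the notes' own code, nor that of the libraries linked above): it builds $\mathbb{F}_{p^2}\subset\mathbb{F}_{p^6}\subset\mathbb{F}_{p^{12}}$ exactly as defined, checks the relations $u^2=-1$, $v^3=9+u$, $w^2=v$, and then confirms on a constructed random element that $x^{p^6}$ computed the slow way (square-and-multiply) really is the conjugate $g-hw$. The BN254 prime $p$ is hard-coded; the arithmetic is schoolbook and not constant-time, which is fine for a check but not for production.

```python
import random

# BN254 base-field prime, i.e. p(z) for z = 4965661367192848881
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583


class Fp2:
    """F_{p^2} = F_p[u]/(u^2 - beta) with beta = -1; a + b*u is stored as the int pair (a, b)."""
    def __init__(self, a, b):
        self.a, self.b = a % P, b % P
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __mul__(self, o):
        # (a + b u)(c + d u) = (ac - bd) + (ad + bc) u, using u^2 = -1
        return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)


class Ext:
    """One tower step base[x]/(x^n - residue): coefficient list c, residue an element of base."""
    def __init__(self, n, residue, c):
        self.n, self.residue, self.c = n, residue, list(c)
    def _new(self, c): return Ext(self.n, self.residue, c)
    def __add__(self, o): return self._new([x + y for x, y in zip(self.c, o.c)])
    def __sub__(self, o): return self._new([x - y for x, y in zip(self.c, o.c)])
    def __neg__(self): return self._new([-x for x in self.c])
    def __eq__(self, o): return self.c == o.c
    def __mul__(self, o):
        zero = self.residue - self.residue               # additive identity of the base field
        prod = [zero] * (2 * self.n - 1)
        for i, x in enumerate(self.c):                   # schoolbook polynomial product
            for j, y in enumerate(o.c):
                prod[i + j] = prod[i + j] + x * y
        for k in range(2 * self.n - 2, self.n - 1, -1):  # fold x^(n+i) = residue * x^i
            prod[k - self.n] = prod[k - self.n] + prod[k] * self.residue
        return self._new(prod[:self.n])
    def __pow__(self, e):
        # left-to-right square-and-multiply; e >= 1, so no multiplicative identity is needed
        r = self
        for bit in bin(e)[3:]:
            r = r * r
            if bit == "1":
                r = r * self
        return r


# The tower from the text: xi = 9 + u, F_{p^6} = F_{p^2}[v]/(v^3 - xi), F_{p^12} = F_{p^6}[w]/(w^2 - v).
ZERO2, ONE2, U, XI = Fp2(0, 0), Fp2(1, 0), Fp2(0, 1), Fp2(9, 1)
def fp6(c0, c1, c2): return Ext(3, XI, [c0, c1, c2])   # c0 + c1*v + c2*v^2
V = fp6(ZERO2, ONE2, ZERO2)                             # the generator v itself
def fp12(g, h): return Ext(2, V, [g, h])                # g + h*w with g, h in F_{p^6}
W = fp12(fp6(ZERO2, ZERO2, ZERO2), fp6(ONE2, ZERO2, ZERO2))


def tower_relations_hold():
    """u^2 = -1, v^3 = 9 + u and w^2 = v, as the text states."""
    return (U * U == -ONE2 and V * V * V == fp6(XI, ZERO2, ZERO2)
            and W * W == fp12(V, fp6(ZERO2, ZERO2, ZERO2)))


def conjugate(x):
    """g + h*w -> g - h*w: the 'free' p^6-th power described in the text."""
    return fp12(x.c[0], -x.c[1])


def frobenius_p6_is_conjugation(seed=1):
    """Check x^(p^6) == conjugate(x) for a constructed pseudo-random x in F_{p^12}."""
    rnd = random.Random(seed)
    rand6 = lambda: fp6(*[Fp2(rnd.randrange(P), rnd.randrange(P)) for _ in range(3)])
    x = fp12(rand6(), rand6())
    return x ** (P ** 6) == conjugate(x)
```

The exponentiation by $p^6$ takes a second or so in pure Python; an implementation would never do this, which is exactly the point of the conjugation shortcut.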

## Twists

Dealing with elements directly in $\mathbb{F}_{p^{12}}$ is very unruly and inefficient, but it is possible to define a coordinate transformation such that the curve over the 12-th degree extension is mapped to a curve over a lower-degree field.

For BN254, we define a sextic twist (i.e. one that drops the degree of the extension by 6) such that the twisted curve is defined over $\mathbb{F}_{p^2}$ instead of $\mathbb{F}_{p^{12}}$. Defining $u^6=(1+i)^{-1}$, the twist performs $(x,y)\to(x/u^2,y/u^3)$ to produce our new curve $E^\prime(\mathbb{F}_{p^2})$:

$$ y'^2 = x'^3 + \frac{3}{9+i}$$

Very nice. Note though that points in $E(\mathbb{F}_p)$ are pairs of ints, while points on the twist are pairs of complex ints, so points in $\mathbb{G}_2$ take more storage, even though they are also valid as the domain for keys and signatures.

See [this](https://eips.ethereum.org/EIPS/eip-197) for the industry definition of this twist.

Since $X^6-\xi$ is irreducible, with a root $w\in\mathbb{F}_{p^{12}}$, we therefore have a homomorphism
$$\Psi:E^\prime(\mathbb{F}_{p^2})\to E(\mathbb{F}_{p^{12}})\,;\,(x',y') \mapsto (w^2x', w^3y')$$

which is injective, but not surjective, and defines the twist mapping!

---

We also need one more thing before we talk about pairings. This is a bit technical (I know right, something in this document being technical? pshhaw), and is closely related to concepts from Galois theory which are above the scope of this review, but suffice it to say you can define an *algebraic closure* $\overline{\mathbb{F}}_p$, which is the field where every non-constant polynomial with coefficients in the field has a root in the field, and which we can think of as the union of all the extensions $\mathbb{F}_{p^m}$. Defining a curve over the algebraic closure is a concise way to say that we're interested in points lying in $\mathbb{F}_p, \mathbb{F}_{p^2}, \mathbb{F}_{p^6}, \mathbb{F}_{p^{12}}$ that satisfy the curve equation.

There is a mapping $\phi_p:E(\overline{\mathbb{F}}_p)\to E(\overline{\mathbb{F}}_p); (x,y)\to(x^p,y^p)$ called the Frobenius morphism. It [can be shown](https://link.springer.com/book/10.1007/978-0-387-09494-6) that the set of points fixed by $\phi_p$ is *exactly* the finite group $E(\mathbb{F}_p)$, so applying this mapping to the curve defined on the base field will leave things structurally unchanged. This mapping will crop back up later in our definition of the optimal ate pairing.

## G1, G2

Now actually having the field extension primer, we can talk about what exactly $\mathbb{G}_1,\mathbb{G}_2$ are.

Recall that the $r$-torsion points of a curve are all the points $X$ such that $[r]X=\mathcal{O}$, with $\mathcal{O}$ the point at infinity. I.e., these are all points of order dividing $r$. We therefore define
- $\mathbb{G}_1\triangleq E(\mathbb{F}_p)[r]$ is the only subgroup of the $r$-torsion of $E$ on $\mathbb{F}_p$ of order $r$
- $\mathbb{G}_2\triangleq E^\prime(\mathbb{F}_{p^2})[r]$ is the only subgroup of the $r$-torsion of $E^\prime$ on $\mathbb{F}_{p^2}$ of order $r$

### Membership checks
#### G1

In our scheme, to hash a message to $E$, we use `hash_to_field` and `field_to_curve`, and then multiply the mapped curve point by the generator of the curve to create a point in $\mathbb{G}_1$. Fortunately, by [Theorem 2.3.1 of Silverman](https://link.springer.com/book/10.1007/978-0-387-09494-6), we have 
$$ |E(\mathbb{F}_p)|=p+1-t$$
and for BN curves generated by a value $z=2^{62}-2^{54}+2^{44}$, we have $p(z)+1-t(z)=r(z)$, implying that $|E(\mathbb{F}_p)|=r\implies \mathbb{G}_1 = E(\mathbb{F}_p)[r]=E(\mathbb{F}_p)$! In this way, since $r$-torsions give us some notion of structure, this means that the "prime factorization" of the curve is simply the curve itself, so its smallest possible prime order subgroup is just the group, no extra structure to be found.

We therefore only need to check that a pair $(x,y)\in\mathbb{F}_p\times\mathbb{F}_p$ is on the curve $E(\mathbb{F}_p)$ for membership in $\mathbb{G}_1$.

#### G2

This is a bit trickier. You can easily check whether the point $(x,y)\in\mathbb{F}_{p^2}\times\mathbb{F}_{p^2}$ lies on $E^\prime(\mathbb{F}_{p^2})$, but unfortunately the order of the twisted curve is not just the order of the $r$-torsion: $|E^\prime(\mathbb{F}_{p^2})|=c_2r$, where $c_2$ is the $\mathbb{G}_2$ cofactor. [You can show](https://hackmd.io/@jpw/bn254#mathbb-G_2-order) that $c_2=p+t-1$. Thinking about $r$-torsion as structure again, it makes sense that this is the case even just from the size of the set the points of $\mathbb{G}_2$ are drawn from ($\mathbb{F}_{p^2}\times\mathbb{F}_{p^2}$) vs $\mathbb{G}_1$ ($\mathbb{F}_p$); with that many more elements to consider, it makes sense that there is additional structure in the group to deal with.

You can just rely on the definition of the $r$-torsion and check whether $[r](x,y)=\mathcal{O}$, but with 254 bits of $r$, this is slooooooow.

Faster algorithms exist. For instance, define the untwist-Frobenius-twist endomorphism of [Galbraith-Scott](https://eprint.iacr.org/2008/117.pdf):

$$\psi:E^\prime(\mathbb{F}_{p^2})\to E^\prime(\mathbb{F}_{p^2}),\quad \psi = \Psi^{-1}\circ\phi_p\circ \Psi\,;\, (x^\prime, y^\prime)\mapsto (\xi^{(p-1)/3}x^{\prime p}, \xi^{(p-1)/2}y^{\prime p})$$

where $\Psi$ is the twist mapping, and recall $\xi=9+u$. Membership in $\mathbb{G}_2$ therefore [boils down to verifying](https://eprint.iacr.org/2022/352.pdf) whether the following holds for $Q=(x^\prime, y^\prime)$: $\psi(Q)=[6x^2]Q$ (here $x$ is the curve parameter, called $z$ elsewhere in this document), and [more recent work](https://eprint.iacr.org/2022/348.pdf) improves this to:
$$[x+1]Q + \psi([x]Q) + \psi^2([x]Q) = \psi^3([2x]Q)$$

## Optimal ate pairing

Finally, we're here!! fuck.

So our goal here is to take a point $X\in\mathbb{G}_1= E(\mathbb{F}_p)$ and a point $Y\in\mathbb{G}_2\subset E^\prime(\mathbb{F}_{p^2})$, and map them to an element of a target group $\mathbb{G}_T\subset\mathbb{F}_{p^{12}}$. We denote this map by $e$; qualitatively it corresponds to multiplying a point in $\mathbb{G}_1$ by a point in $\mathbb{G}_2$.

We need bilinearity, therefore requiring:
$$
e([a]X, [b]Y) = e(X, [b]Y)^a = e(X, Y)^{ab} = e(X, [a]Y)^b = e([b]X, [a]Y)
$$

The "best" way to create this $e$ is the "optimal ate pairing", which has an *excellent* guide for [high speed calculations in software](https://eprint.iacr.org/2010/354.pdf).

Before we dig into the pairing itself, we need to know how to define a line passing through two points on the twisted curve, and how to evaluate that line at a point on the curve. Specifically, for $R_1=(x^\prime_1, y^\prime_1), R_2=(x^\prime_2, y^\prime_2)\in E^\prime(\mathbb{F}_{p^2})$ and $T=(x,y)\in E(\mathbb{F}_p)$, we have the line $\ell$ defined as:

$$ 
\ell_{\Psi(R_1),\Psi(R_2)}(T) = \begin{cases}
w^2 (x^\prime_2-x^\prime_1)y + w^3(y^\prime_1-y^\prime_2)x + w^5(x^\prime_1 y^\prime_2-x^\prime_2 y^\prime_1) & R_1\neq R_2\\
(3x^{\prime 3}-2y^{\prime 2})(9+u) + w^3(2yy^\prime) + w^4(-3xx^{\prime 2})               & R_1=R_2
\end{cases}
$$

Armed with this knowledge, we now can define the optimal ate pairing $e:\mathbb{G}_1\times\mathbb{G}_2\to\mathbb{G}_T$ to be:

\begin{align}
e(X, Y) =\bigg(&f_{6z+2,Y}(X)\\
\times &\ell_{[6z+2]\Psi(Y),\phi_p(\Psi(Y))}(X)\\
\times &\ell_{[6z+2]\Psi(Y)+\phi_p(\Psi(Y)), -\phi_p(\Psi(Y))}(X)\bigg)^{\frac{p^{12}-1}{r}}
\end{align}

Now THAT'S a mouthful, say that 5 times fast. Here, $z$ is the parameter of the curve. The pairing is based on rational functions $f_{i,Q}:\mathbb{N}\times\mathbb{G}_2\to\mathbb{F}_{p^{12}}$ that are evaluated iteratively in what's called Miller's algorithm.

Fantastically, the [paper](https://crypto.stanford.edu/miller/miller.pdf) that describes this process was never published, but the algorithm, the implementation of which is referred to as "Miller's loop", says that:

$$
f_{i+j,Y} = f_{i,Y}f_{j,Y}\ell_{[i]\Psi(Y),[j]\Psi(Y)}
$$

TECHNICALLY there is another factor in the denominator of these iterations that describes the evaluation of the point $\Psi(Y)$ on the vertical line passing through $X$. However, we can ignore this evaluation, for reasons summarized well by [this](https://crypto.stanford.edu/pbc/notes/ep/optimize.html):

<blockquote>

To compute a Tate pairing, a quotient is iteratively calculated (Miller’s algorithm) and then raised to power of $(p^k-1)/r$, the Tate exponent. Each factor of the denominator is the equation of a vertical line evaluated at a particular point, i.e. the equation $X-a$ evaluated at some point $(x,y)$, which gives the factor $(x-a)$. 

Because of the way we have selected our groups, $x\in\mathbb{F}_{p^d}$, (note that the map $\Psi$ leaves the $x$-coordinate of its input in the same field), and $a\in\mathbb{F}_p$, hence $(x-a)\in\mathbb{F}_{p^d}$. 

Any element $a\in\mathbb{F}_{p^d}$ satisfies $a^{p^d-1}=1$. Observe $p^d-1$ divides $(p^k-1)/r$, because $r$ cannot divide $p^d-1$ (otherwise $d$ would be the embedding degree, not $k$). Thus each factor $(x-a)$ raised to the Tate exponent is 1, so it can be left out of the quotient. Hence, there is no need to compute the denominator at any time in Miller's algorithm.

</blockquote>

Slick.

### Toy implementation

In decimal, we know $z=4965661367192848881$, and therefore $6z+2=29793968203157093288$. Optimised implementations represent this bound in the $\{-1, 0, 1\}$ (signed-digit) basis rather than binary, since it has a lower Hamming weight, just fyi; the `BOUND` array in the code below holds exactly that representation.

There will be a Miller loop to determine the first term in the optimal ate pairing. Then for the final two terms, we notice that:

- $\ell_{[6z+2]\Psi(Y),\phi_p(\Psi(Y))}(X)$
    - Notice that $$\begin{align}\phi_p(\Psi(Y)) &= \left((w^2 x^\prime)^p, (w^3y^\prime)^p\right) \\&= \left(w^2\xi^{(p-1)/3}x^{\prime p}, w^3\xi^{(p-1)/2}y^{\prime p}\right) \\&= \Psi\left(\xi^{(p-1)/3}\bar{x}^\prime, \xi^{(p-1)/2}\bar{y}^\prime\right)\end{align}$$
    - Since $[n]\Psi(Q)=\Psi([n]Q)$ by the homomorphism, we just evaluate the line now at the point $Q^\prime = (\xi^{(p-1)/3}\bar{x}^\prime, \xi^{(p-1)/2}\bar{y}^\prime)=(x_1, y_1)$
    
- $\ell_{[6z+2]\Psi(Y)+\phi_p(\Psi(Y)), -\phi_p(\Psi(Y))}(X)$
    - You can likewise show that this is easily evaluated at the point $-Q$


```rust
use std::ops::{AddAssign, SubAssign};

// Assumes the curve types and helpers sketched in the text: `G1Affine`, `G2Affine`,
// `Fq12`, the signed-digit array `BOUND` holding 6z+2 in {-1, 0, 1} basis (least
// significant digit first), `twist` (the map Psi), `line` (the line function above)
// and `final_exponentiation`.
fn e(p: &G1Affine, q: &G2Affine) -> Fq12 {
    // membership checks, see sections above
    assert!(p.is_in_g1());
    assert!(q.is_in_g2());

    // pairing with the point at infinity gives the identity of G_T
    if bool::from(p.is_identity()) || bool::from(q.is_identity()) {
        return Fq12::one();
    }

    let mut r = *q;           // running point R = [i]Q
    let mut f = Fq12::one();  // starting point of the iteration, f_{1,Q}(P) = 1

    // Miller loop, calculating f_{[6z+2],Q}(P); the top digit of BOUND is 1 and is
    // already accounted for by R = Q, so start from the next digit down
    for i in (0..BOUND.len() - 1).rev() {
        // doubling step: f <- f^2 * l_{Psi(R),Psi(R)}(P), R <- [2]R
        f = f * f * line(twist(&r), twist(&r), p);
        r = r.double();
        match BOUND[i] {
            1 => {
                // addition step: f <- f * l_{Psi(R),Psi(Q)}(P), R <- R + Q
                f = f * line(twist(&r), twist(q), p);
                r.add_assign(q);
            }
            -1 => {
                // subtraction step: f <- f * l_{Psi(R),Psi(-Q)}(P), R <- R - Q
                f = f * line(twist(&r), twist(&(-*q)), p);
                r.sub_assign(q);
            }
            0 => {}
            _ => panic!("digit not in correct basis"),
        }
    }

    // the two extra line evaluations of the optimal ate pairing, at psi(Q) and -psi^2(Q)
    let qp = q.frobenius_map();
    f = f * line(twist(&r), twist(&qp), p);
    r.add_assign(&qp);
    let qpp = -qp.frobenius_map();
    f = f * line(twist(&r), twist(&qpp), p);

    final_exponentiation(&f)
}
```

## Final exponentiation

Arguably, this is the most computationally expensive step since the bit size of the exponent in the pairing is huge, so the naïve approach would be silly. I mean, there are issues with the $\mathbb{G}_2$ cofactor clearing to create elements in $\mathbb{G}_2$ from the field because of the size of the cofactor, so if multiplication is slow, exponentiation is not guaranteed to be better *a priori*. 

The following takes the lead from [this](https://eprint.iacr.org/2020/875.pdf) and [that](https://eprint.iacr.org/2008/490.pdf). 

The most efficient calculation of these pairings relies on notions of *cyclotomic subgroups*. oof. 

Up until this point, we were precise in our definitions of $\mathbb{G}_1$ and $\mathbb{G}_2$, but have been unclear about what exactly the target group of the pairing should be. We now formally define the target group $\mathbb{G}_T$ to be the group of $r$-th roots of unity in the multiplicative group $\mathbb{F}_{p^k}^\ast=(\mathbb{F}_{p^k}\setminus \{0\}, \ast)$, denoted commonly by $\mu_r$. Why the roots of unity? Great question. Remember that this mapping has to satisfy a few key real-world properties. First, it has to be a trapdoor, namely preimage resistant (assuming DL hardness), and mapping backwards from the roots of unity is a very difficult problem. Second, it allows for an easy metric against which we can compare two mappings. For example, in the case of signature verification $e(\sigma_i, g_2)=e(H(m), P(i))$, it is very natural to want to set the actual value of each side of this equation to "one", therefore implying the image domain to be the roots of unity.

In the following, let $(\mathbb{F}_{p^k}^\ast)^r$ be the subgroup of $r$-th powers, namely all elements in $\mathbb{F}_{p^k}^\ast$ that can be expressed as $x^r$ for some $x$. We can then define the quotient group $\mathbb{F}_{p^k}^\ast / (\mathbb{F}_{p^k}^\ast)^r$, whose elements are the cosets of $r$-th powers: two field elements lie in the same coset exactly when they differ by a factor that is an $r$-th power.

Note that $\forall x\in\mathbb{F}_{p^k}^\ast$, $\left(x^{\frac{p^k-1}{r}}\right)^r = x^{p^k-1} = 1$, which means elements of the form $x^{\frac{p^k-1}{r}}$ are $r$-th roots of unity, determined by the class of $x$ in $\mathbb{F}_{p^k}^\ast / (\mathbb{F}_{p^k}^\ast)^r$, and this exponentiation is precisely what the pairing function $e$ does in its final step. There is a natural isomorphism between the quotient group and the roots of unity, so we can equivalently talk about either. For the purposes of the following, however, we'll keep to the quotient group representation since it admits a few additional insights we can use to our advantage.

---

Aside: this is not a light topic to cover, even for the level of depth in this document (hard to believe, I know), but it is a result from Galois theory and the so-called *Kummer theorems*; see [this](https://websites.umich.edu/~asnowden/teaching/2019/776/cft-01.pdf).

---

Since the optimal ate pairing maps our "multiplication" of an element from $\mathbb{G}_1$ and an element from $\mathbb{G}_2$ to the group of roots of unity by means of exponentiation of an element of the field extension $\mathbb{F}_{p^{12}}$, it would be useful to represent our exponent $(p^{12}-1)/r$ in a form more closely related to the roots of unity to which we're mapping. To do this, we use the cyclotomic polynomial of order $n$. The $n$-th cyclotomic polynomial is the irreducible factor of $x^n-1$ (the polynomial that defines the $n$-th roots of unity) whose roots are the *primitive* $n$-th roots of unity, so $x^n-1$ factors as the product of the cyclotomic polynomials of the divisors of $n$. In this sense, these polynomials capture all of the structure of the roots of unity, and because of their irreducibility, we can use them to build other mappings that deal with the group of roots of unity.

Specifically, writing $\varPhi_k(x)$ for the $k$-th cyclotomic polynomial, the factorisation $x^k-1=\prod_{j\mid k}\varPhi_j(x)$ evaluated at $x=p$ gives:
$$\frac{p^k-1}{\varPhi_k(p)} = \prod_{j\mid k, j\neq k}\varPhi_j(p) $$

which allows us to break down the exponent of the "final exponentiation" step. Writing the embedding degree $k=ds$, where $d$ is a positive integer, we can write:

$$ \frac{p^k-1}{r}=\underbrace{\left[(p^s-1)\cdot\frac{\sum_{i=0}^{d-1}p^{is}}{\varPhi_k(p)}\right]}_\text{easy part}\cdot\underbrace{\left[\frac{\varPhi_k(p)}{r}\right]}_\text{hard part}$$

### Easy part

For BN254 ($k=12$), this decomposes the easy part into $(p^6-1)(p^2+1)$ (note that we choose this decomposition because exponentiation by powers of $p$ is very efficient, see the discussion [earlier](#12-th-order-extension-of-the-base-field)). The easy part involves something like $x^{p^6-1}=x^{p^6}\cdot x^{-1}$, which is one conjugation, one inversion, and one multiplication (remember that conjugation in $\mathbb{F}_{p^{12}}$ for an element $x=a+bw$ is simply $\bar{x}=a-bw$). Then taking $\left(x^{p^6-1}\right)^{p^2}$ is just applying our Frobenius morphism $\phi_p$, and finally we multiply by our already-computed value $x^{p^6-1}$, and voila!

Easy part = 1 conjugation + 1 inversion + 1 multiplication + 5 multiplications + 1 multiplication

### Hard part

For BN254, the hard part decomposes into $\frac{p^4-p^2+1}{r}$. It seems that the typical way to go here is to take a base-$p$ expansion, namely defining $\lambda\triangleq m\varPhi_k(p)/r$ with $r\nmid m$, and finding a vector $\tau=(\lambda_0,\ldots,\lambda_w)$ of $w+1$ integers such that $\lambda=\sum\lambda_i p^i$, minimizing the L1-norm of $\tau$. Recall that for us:
$$
\begin{align}
    p(z) &= 36z^4 + 36z^3 + 24z^2 + 6z + 1\\
    r(z) &= 36z^4 + 36z^3 + 18z^2 + 6z + 1\\
    t(z) &= 6z^2+1
\end{align}
$$
so substituting these into the hard part of the polynomial as a function of the curve family generator $z$ yields $\lambda_3 p^3+\lambda_2 p^2 +\lambda_1 p + \lambda_0$ with:
$$
\begin{align}
\lambda_3(z) &= 1\\
\lambda_2(z) &= 6z^2+1\\
\lambda_1(z) &= -36z^3 -18z^2-12z+1\\
\lambda_0(z) &= -36z^3 - 30z^2-18z -2
\end{align}
$$
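As an added check (not code from the original notes), the following Python verifies the BN254 identities used above straight from the polynomials $p(z), r(z), t(z)$ and the decimal $z$ quoted later: that $k=12$ is the embedding degree, that $|E(\mathbb{F}_p)|=p+1-t=r$ so $\mathbb{G}_1$ is the whole curve, the $\mathbb{G}_2$ cofactor $c_2=p+t-1$, the Miller loop bound $6z+2$, the easy/hard split of $(p^{12}-1)/r$, and that the $\lambda_i$ just given really are the base-$p$ digits of $\varPhi_{12}(p)/r$. Nothing beyond the formulas on this page is assumed.

```python
# Added example: sanity-check the BN254 parameter identities this page relies on,
# using only the polynomials p(z), r(z), t(z) and the decimal z quoted in the text.
Z = 4965661367192848881  # BN254 curve parameter


def bn_params(z):
    """p(z), r(z), t(z) of the BN family, as written in the text."""
    p = 36 * z**4 + 36 * z**3 + 24 * z**2 + 6 * z + 1
    r = 36 * z**4 + 36 * z**3 + 18 * z**2 + 6 * z + 1
    t = 6 * z**2 + 1
    return p, r, t


def embedding_degree(p, r, limit=64):
    """Smallest k with p^k = 1 (mod r): the extension F_{p^k} that holds the r-th roots of unity."""
    for k in range(1, limit + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def group_orders(z):
    """|E(F_p)| = p + 1 - t (Hasse), the G2 cofactor c2 = p + t - 1, and the Miller loop bound."""
    p, r, t = bn_params(z)
    return {
        "g1_order": p + 1 - t,       # equals r, so G1 is the whole curve E(F_p)
        "g2_cofactor": p + t - 1,    # |E'(F_{p^2})| = c2 * r
        "loop_bound": 6 * z + 2,
    }


def final_exp_split(z):
    """(p^12 - 1)/r = easy * hard with easy = (p^6 - 1)(p^2 + 1) and hard = Phi_12(p)/r."""
    p, r, _ = bn_params(z)
    phi12 = p**4 - p**2 + 1          # 12-th cyclotomic polynomial evaluated at p
    if phi12 % r:
        raise ValueError("r does not divide Phi_12(p)")
    easy, hard = (p**6 - 1) * (p**2 + 1), phi12 // r
    return easy, hard, easy * hard == (p**12 - 1) // r


def hard_part_base_p(z):
    """Base-p digits (lambda_0..lambda_3) of Phi_12(p)/r and whether they reproduce it exactly."""
    p, r, _ = bn_params(z)
    lam = [
        -36 * z**3 - 30 * z**2 - 18 * z - 2,   # lambda_0
        -36 * z**3 - 18 * z**2 - 12 * z + 1,   # lambda_1
        6 * z**2 + 1,                          # lambda_2
        1,                                     # lambda_3
    ]
    value = sum(l * p**i for i, l in enumerate(lam))
    return lam, value == (p**4 - p**2 + 1) // r
```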

We then compute the hard part as a series of multiplications in terms of powers of the easy part.

1. Compute $f_\mathrm{easy}^z, (f_\mathrm{easy}^z)^z, (f_\mathrm{easy}^{z^2})^z$
2. Use the Frobenius operator, which has efficient representations in powers 1, 2, and 3 of the prime, to compute $f_\mathrm{easy}^p, f_\mathrm{easy}^{p^2}, f_\mathrm{easy}^{p^3}, (f_\mathrm{easy}^z)^p, (f_\mathrm{easy}^{z^2})^p, (f_\mathrm{easy}^{z^3})^p, (f_\mathrm{easy}^{z^3})^{p^2}$

The evaluation then amounts to:

$$ \underbrace{[f_\mathrm{easy}^p \cdot f_\mathrm{easy}^{p^2} \cdot f_\mathrm{easy}^{p^3}]}_{\equiv y_0} \cdot \underbrace{[1/f_\mathrm{easy}]^2}_{\equiv y_1^2} \cdot \underbrace{[(f_\mathrm{easy}^{z^2})^p]^6}_{\equiv y_2^6} \cdot \underbrace{[1/(f_\mathrm{easy}^z)^p]^{12}}_{\equiv y_3^{12}} \cdot \underbrace{[1/(f_\mathrm{easy}^z \cdot (f_\mathrm{easy}^{z^2})^p)]^{18}}_{\equiv y_4^{18}} \cdot \underbrace{[1/f_\mathrm{easy}^{z^2}]^{30}}_{\equiv y_5^{30}} \cdot
\underbrace{[1/(f_\mathrm{easy}^{z^3} \cdot (f_\mathrm{easy}^{z^3})^p)]^{36}}_{\equiv y_6^{36}}$$

These evaluations have efficient algorithms that have been around [for a long time](https://www.sciencedirect.com/science/article/pii/0196677481900031). We take the vector addition chain approach, which is more or less the equivalent of the "flattening" that we also see crop up in the reduction of polynomial constraints in instance-witness definitions of R1CS systems. You can show that the following steps yield an efficient computation of this multi-exponentiation, which we take from [the original manuscript](https://eprint.iacr.org/2008/490.pdf):
$$
\begin{align*}
T_0 &\leftarrow (y_6)^2 \\
T_0 &\leftarrow T_0 \cdot y_4 \\
T_0 &\leftarrow T_0 \cdot y_5 \\
T_1 &\leftarrow y_3 \cdot y_5 \\
T_1 &\leftarrow T_1 \cdot T_0 \\
T_0 &\leftarrow T_0 \cdot y_2 \\
T_1 &\leftarrow (T_1)^2 \\
T_1 &\leftarrow T_1 \cdot T_0 \\
T_1 &\leftarrow (T_1)^2 \\
T_0 &\leftarrow T_1 \cdot y_1 \\
T_1 &\leftarrow T_1 \cdot y_0 \\
T_0 &\leftarrow (T_0)^2 \\
f_\mathrm{hard} &\leftarrow T_0 \cdot T_1
\end{align*}
$$
which is only a few multiplications and squarings! Efficient.




## BONUS - glued Miller loop and improved signature performance

This is pretty sick. Remember that eventually we want to check the relation $e(\sigma_i, g_2)=e(H(m), P(i) )$ for verification. You could just naively evaluate lhs and rhs and check for equality. Right? Or notice that:

$$ 
\begin{align}
e(\sigma_i, g_2) &= e(H(m), P(i)) \\
\implies e(\sigma_i, g_2)e(H(m), P(i))^{-1} &= 1\\
\implies e(\sigma_i, g_2)e(H(m), -P(i)) &= 1 \\
\implies \left(f_{[6z+2], \sigma_i}(g_2)f_{[6z+2], H(m)}(-P(i))\right)^\frac{p^{12}-1}{r} &= 1
\end{align}
$$

which results in only having to evaluate a single Miller loop, followed by a single final exponentiation at the end! Also, during the recursion we don't need to track $f_{i,s}(G)$ nor $f_{i,H(m)}(-xG)$, just their product, which saves a multiplication in $\mathbb{F}_{p^{12}}$ in each iteration of this *glued* Miller loop. The savings compound since we're aggregating many partial signatures, and the idea works exactly the same for the aggregated signatures. Namely, verification is equivalent to:

$$ 
\left(f_{[6z+2], \sigma_i}(g_2)\prod_{i}^t f_{[6z+2], H(m)}(-P(i))\right)^\frac{p^{12}-1}{r} = 1
$$

---

This is the gist of it. There are so many more things to work with, such as other pairings like the [Xate pairing](https://link.springer.com/chapter/10.1007/978-3-540-85538-5_13), but that's beyond the scope here.