From 678c808410e29d31a4eb34f8bddd7b9f33823272 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Thu, 18 Apr 2024 13:53:13 +0200 Subject: [PATCH 1/4] Create fast_subgroup_checks.md --- assets/eip-2537/fast_subgroup_checks.md | 51 +++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 assets/eip-2537/fast_subgroup_checks.md diff --git a/assets/eip-2537/fast_subgroup_checks.md b/assets/eip-2537/fast_subgroup_checks.md new file mode 100644 index 00000000000000..2c5c999b428b9c --- /dev/null +++ b/assets/eip-2537/fast_subgroup_checks.md @@ -0,0 +1,51 @@ +# Fast subgroup checks used by EIP 2537 + +### Fields and Groups + +Field Fp is defined as the finite field of size `p` with elements represented as integers between 0 and p-1 (both inclusive). + +Field Fp2 is defined as `Fp[X]/(X^2-nr2)` with elements `el = c0 + c1 * v`, where `v` is the formal square root of `nr2` represented as integer pairs `(c0,c1)`. + +Group G1 is defined as a set of Fp pairs (points) `(x,y)` such that either `(x,y)` is `(0,0)` or `x,y` satisfy the curve Fp equation. + +Group G2 is defined as a set of Fp2 pairs (points) `(x',y')` such that either `(x,y)` is `(0,0)` or `(x',y')` satisfy the curve Fp2 equation. + +## Curve parameters + +The set of parameters used by fast subgroup checks: + +``` +|x| (seed) = 15132376222941642752 +x is negative = true +Cube root of unity modulo p - Beta = 793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350 +r = 4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437 * v +s = 2973677408986561043442465346520108879172042883009249989176415018091420807192182638567116318576472649347015917690530 + 1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257 * v +``` + +## Helper function to compute the conjugate over Fp2 - `conjugate` + +`conjugate(c0 + c1 * v) := c0 - c1 * v` + +## G1 endomorphism - `phi` + +The endomorphism `phi` transform the point from `(x,y)` to `(Beta*x,y)` where `Beta` is a precomputed cube root of unity modulo `p` given above in parameters sections: + +`phi((x,y)) := (Beta*x,y)` + +## G2 endomorphism - `psi` + +`psi((x,y)) := (conjugate(x)*r,conjugate(y)*s)` + +# The G1 case + +Before accepting a point `P` as input that purports to be a member of G1 subject the input to the following endomorphism test: `phi(P) + x^2*P = 0` + + +# The G2 case + +Before accepting a point `P` as input that purports to be a member of G2 subject the input to the following endomorphism test: `psi(P) + x*P = 0` + +# Resources + +* https://eprint.iacr.org/2021/1130.pdf, sec.4 +* https://eprint.iacr.org/2022/352.pdf, sec. 4.2 From aba26864b5ef413e9b0989f6c5224fd6731a85aa Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Thu, 18 Apr 2024 13:55:21 +0200 Subject: [PATCH 2/4] Update eip-2537.md --- EIPS/eip-2537.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md index 2a6d2104817d5a..b1c5b1e819b9e8 100644 --- a/EIPS/eip-2537.md +++ b/EIPS/eip-2537.md @@ -338,9 +338,10 @@ There are no backward compatibility questions. ### Subgroup checks -A subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). - +The check **is mandatory** during **ALL** the calls. Implementations *should* use fast subgroup checks. It can be stated that it **must** be performed by fast subgroup checks to achieve a speedup, resulting in a discount over naive implementations based on the `double-and-add` multiplication method, which has a clear "worst-case" scenario where all bits are equal to one. +Before accepting an input, it is recommended to subject the input to the appropriate endomorphism test as described in https://eprint.iacr.org/2021/1130.pdf. +The algorithms and set of parameters for fast subgroup checks are provided by a separate [document](../assets/eip-2537/fast_subgroup_checks.md) ### Field to curve mapping From 356eb843a40fb60f4125c50fa1661429648a52a0 Mon Sep 17 00:00:00 2001 From: Mamy Ratsimbazafy Date: Sat, 20 Apr 2024 11:23:17 +0200 Subject: [PATCH 3/4] eip2537: clarify subgroup errors --- EIPS/eip-2537.md | 58 +++++++++++++++++++++++++++++++----------------- 1 file changed, 38 insertions(+), 20 deletions(-) diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md index b1c5b1e819b9e8..fc4d7060ebf50e 100644 --- a/EIPS/eip-2537.md +++ b/EIPS/eip-2537.md @@ -91,10 +91,10 @@ One should note that base field modulus `p` is equal to `3 mod 4` that allows an ### Fields and Groups -Field Fp is defined as the finite field of size `p` with elements represented as integers between 0 and p-1 (both inclusive). +Field Fp is defined as the finite field of size `p` with elements represented as integers between 0 and p-1 (both inclusive). Field Fp2 is defined as `Fp[X]/(X^2-nr2)` with elements `el = c0 + c1 * v`, where `v` is the formal square root of `nr2` represented as integer pairs `(c0,c1)`. - + Group G1 is defined as a set of Fp pairs (points) `(x,y)` such that either `(x,y)` is `(0,0)` or `x,y` satisfy the curve Fp equation. Group G2 is defined as a set of Fp2 pairs (points) `(x',y')` such that either `(x,y)` is `(0,0)` or `(x',y')` satisfy the curve Fp2 equation. @@ -138,9 +138,13 @@ G1 addition call expects `256` bytes as an input that is interpreted as byte con Error cases: - Invalid coordinate encoding -- Either of points not in G1 (i.e. neither on a curve nor the infinity point) +- An input is neither a point on the G1 elliptic curve nor the infinity point - Input has invalid length +Note: + +There is no subgroup check for the G1 addition precompile. + #### ABI for G1 multiplication G1 multiplication call expects `160` bytes as an input that is interpreted as byte concatenation of encoding of a G1 point (`128` bytes) and encoding of a scalar value (`32` bytes). Output is an encoding of the multiplication operation result - a single G1 point (`128` bytes). @@ -148,7 +152,8 @@ G1 multiplication call expects `160` bytes as an input that is interpreted as by Error cases: - Invalid coordinate encoding -- The point not in G1 (i.e. neither on a curve nor the infinity point) +- An input is neither a point on the G1 elliptic curve nor the infinity point +- An input is on the G1 elliptic curve but not in the correct subgroup - Input has invalid length #### ABI for G1 MSM @@ -158,8 +163,9 @@ G1 MSM call expects `160*k` (`k` being a **positive** integer) bytes as an input Error cases: - Invalid coordinate encoding -- Any point not in G1 (i.e. neither on a curve nor the infinity point) -- Input has invalid length +- An input is neither a point on the G1 elliptic curve nor the infinity point +- An input is on the G1 elliptic curve but not in the correct subgroup +- Input has invalid length #### ABI for G2 addition @@ -168,8 +174,12 @@ G2 addition call expects `512` bytes as an input that is interpreted as byte con Error cases: - Invalid coordinate encoding -- Either of points not in G2 (i.e. neither on a curve nor the infinity point) -- Input has invalid length +- An input is neither a point on the G2 elliptic curve nor the infinity point +- Input has invalid length + +Note: + +There is no subgroup check for the G2 addition precompile. #### ABI for G2 multiplication @@ -178,8 +188,9 @@ G2 multiplication call expects `288` bytes as an input that is interpreted as by Error cases: - Invalid coordinate encoding -- Either of points not in G1 (i.e. neither on a curve nor the infinity point) -- Input has invalid length +- An input is neither a point on the G2 elliptic curve nor the infinity point +- An input is on the G2 elliptic curve but not in the correct subgroup +- Input has invalid length #### ABI for G2 MSM @@ -189,8 +200,9 @@ G2 MSM call expects `288*k` (`k` being a **positive** integer) bytes as an input Error cases: - Invalid coordinate encoding -- Any point not in G2 (i.e. neither on a curve nor the infinity point) -- Input has invalid length +- An input is neither a point on the G2 elliptic curve nor the infinity point +- An input is on the G2 elliptic curve but not in the correct subgroup +- Input has invalid length #### ABI for pairing @@ -206,9 +218,13 @@ Output is a `32` bytes where first `31` bytes are equal to `0x00` and the last b Error cases: - Invalid coordinate encoding -- Any of points being not on the respective curve -- Any of points is not in the correct subgroup -- Input has invalid length +- An input is neither a point on its respective elliptic curve nor the infinity point +- An input is on its respective elliptic curve but not in the correct subgroup +- Input has invalid length + +Note: + +If any input is the infinity point, pairing result will be 1. Protocols may want to check and reject infinity points prior to calling the precompile. #### ABI for mapping Fp element to G1 point @@ -217,7 +233,7 @@ Field-to-curve call expects `64` bytes as an input that is interpreted as an ele Error cases: - Input has invalid length -- Input is not correctly encoded +- Input is not correctly encoded #### ABI for mapping Fp2 element to G2 point @@ -226,7 +242,7 @@ Field-to-curve call expects `128` bytes as an input that is interpreted as a an Error cases: - Input has invalid length -- Input is not correctly encoded +- Input is not correctly encoded ### Gas burning on error @@ -338,10 +354,12 @@ There are no backward compatibility questions. ### Subgroup checks -The check **is mandatory** during **ALL** the calls. Implementations *should* use fast subgroup checks. It can be stated that it **must** be performed by fast subgroup checks to achieve a speedup, resulting in a discount over naive implementations based on the `double-and-add` multiplication method, which has a clear "worst-case" scenario where all bits are equal to one. -Before accepting an input, it is recommended to subject the input to the appropriate endomorphism test as described in https://eprint.iacr.org/2021/1130.pdf. +Scalar multiplications, MSMs and pairings MUST perform a subgroup check. +Implementations SHOULD use the optimized subgroup check method detailed in a dedicated [document](../assets/eip-2537/fast_subgroup_checks.md). + +On any input that fail the subgroup check, the precompile MUST return an error. -The algorithms and set of parameters for fast subgroup checks are provided by a separate [document](../assets/eip-2537/fast_subgroup_checks.md) +As endomorphism acceleration requires input on the correct subgroup, implementers MAY use endomorphism acceleration. ### Field to curve mapping From 5832c5326b0fa6997325032c86a18013a37553c2 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Mon, 22 Apr 2024 09:42:34 +0200 Subject: [PATCH 4/4] Update assets/eip-2537/fast_subgroup_checks.md Co-authored-by: lightclient <14004106+lightclient@users.noreply.github.com> --- assets/eip-2537/fast_subgroup_checks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/eip-2537/fast_subgroup_checks.md b/assets/eip-2537/fast_subgroup_checks.md index 2c5c999b428b9c..c70afd329db072 100644 --- a/assets/eip-2537/fast_subgroup_checks.md +++ b/assets/eip-2537/fast_subgroup_checks.md @@ -1,4 +1,4 @@ -# Fast subgroup checks used by EIP 2537 +# Fast subgroup checks used by EIP-2537 ### Fields and Groups