Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🗼 Tower Extensions (Fq2, Fq6, and Fq12) and Torus Compression for BN254 precompiles #38

Draft
wants to merge 76 commits into
base: dl-precompiles
Choose a base branch
from
Draft

🗼 Tower Extensions (Fq2, Fq6, and Fq12) and Torus Compression for BN254 precompiles #38

wants to merge 76 commits into from

Conversation

ZamDimon
Copy link

@ZamDimon ZamDimon commented Mar 29, 2024
edited

What ❔

This pull request primarily focuses on helper gadgets for EC pairing implementation under the constraint system.

To implement pairing, we introduce the following new functionality:

  • Tower extension $\mathbb{F}_{p^2} \mapsto \mathbb{F}_{p^6} \mapsto \mathbb{F}_{p^{12}}$ under the constraint system.
  • Twisted elliptic curve $E'(\mathbb{F}_{p^2})$ support.
  • Consequently, we implement the NonNativeField<F, T> trait over $\mathbb{F}_{p^k}$ extensions and basic arithmetic for all of the extensions.
  • Torus compression ($\mathbb{T}_2$) that makes final exponentiation step more R1CS-friendly.

Why ❔

  1. Currently, no EC pairing is implemented under the constraint system.
  2. Field extensions are implemented outside the constraint system (see here); however, no such functionality is available under the constraint system.

Checklist

  • PR title corresponds to the body of PR (we generate changelog entries from PRs).
  • Tests for the changes have been added / updated.
  • Documentation comments have been added / updated.
  • Code has been formatted via zk fmt and zk lint.

ZamDimon and others added 28 commits March 12, 2024 16:12
@ZamDimon
add sage source files and README.md file
7afe9cd
@ZamDimon
✨ add the basic multiplication version
ada1149
@ZamDimon
✨ update beta parameter in wnaf scalar multiplication
1b1ed54
@ZamDimon
🧑‍💻 verify that chosen beta parameter is valid on bn254 curve
7359f51
@ZamDimon
📝 specify what parameters were chosen in the Sage file for wnaf multi…
7cb291e 
…plication
@ZamDimon
➕ find values a1,b1,a2,b2 for BN254 curve
4bf6ed4
@ZamDimon
🔀 convert constants to Fq field elements
930220e
@ZamDimon
🧹 fix all the constants
a0aa6c3
@ZamDimon
🧹 polish the code
241dd3a
@ZamDimon
💭 fix comment
1cafd0b
@ZamDimon
⬆️ add basic implementation for zeroable_affine
2eaea09
@ZamDimon
✨ basic implementation of a line function
b487274
@ZamDimon
⚡ add tangent function evaluation
f4a644b
@ZamDimon
🚨 run cargo fmt
3b4ed5d
@NikitaMasych
🚧 added basic tower extension
ccf0f9c
@ZamDimon
🚧 completed basic fp2 and fp6 implementation
34386af
@ZamDimon
✨ complete fp12 implementation
7308d02
@ZamDimon
💚 make it somewhat working
2f50fd5
@ZamDimon
✨ add basic outline of tower extension trait implementations needed f…
2f92e96 
…or usage under the curve
@ZamDimon
💚 add ExtendedSWProjective struct for twisted curve
23b911a
@NikitaMasych
🚧 added field-specific parametrization for tower and frobenius map draft
dd53cab
@NikitaMasych
🔀 tower extension params
c73c454
@ZamDimon
🩹 make getting b_twist a bit neater
76fb529
@ZamDimon
🧪 add basic outline of ec_pairing final function
024965c
@ZamDimon
✨ complete the easy_part of final exp
d48492e
@ZamDimon
✨ add hard_exp part
f329b5a
@ZamDimon
🐛 fix c0c1c4 notation to c0c3c4
e6a4ac3
@ZamDimon
🔀 Merge pull request #3 from `distributed-lab/feature/tower-extension…
8d307d6 
…-trait-impls`

🗼 Tower Extension Implementation
@ZamDimon ZamDimon marked this pull request as draft March 29, 2024 16:00
@NikitaMasych
Copy link

Hey, @jules, I have added fixes for the above notes from you, though since we moved BN254-specific functionality to era-zkevm_circuits, you can check the changes in conjugated PR

NikitaMasych and others added 17 commits May 3, 2024 15:29
@NikitaMasych @ZamDimon
🔥 removed duplicating normalization for fq12
16aaaca
@NikitaMasych @ZamDimon
✨ added enforce_reduced to sw_projective
902bc84
@ZamDimon
🚧 continue with modmul implementation
e93d297
@ZamDimon
✨ add basic working modmul
814b8f6
@ZamDimon
🎨 tiny polishes in modexp
a7f3b6f
@ZamDimon
🔥 remove useless .py sage file in modexp
df347dc
@ZamDimon
🩹 fixes according to the PR review
2589656
@NikitaMasych
✨ added CSPlaceholder implementation for tower of extensions, NonNati…
9e25358 
…veFieldOverU16Params and NonNativeFieldOverU16
✨ implemented CircuitVarLengthEncodable for tower of extensions and N…
ab529a3 
…onNativeFieldOverU16
✨ added implementation of serialize and deserialize for FFProxyValue
9772403
@NikitaMasych
✨ added equality traits implementation to FFProxyValue
0baba09
@ZamDimon
Merge branch 'feature/bn254-ec-pairing' into feature/modexp
15ae1dd
@ZamDimon
🔀 Merge pull request #4 from feature/modexp
db3c41b 
Modexp Implementation
@ZamDimon
🔀 merge ecpairing branch
65e3b1d
@ZamDimon
✨ add TorusWrapper implementation
393ede6
@ZamDimon
🐛 fix issues in torus
9f22dde
@ZamDimon
🔀 Merge pull request #5 from feature/bn254-pairing-torus
61dd23d 
🔬 Torus Compression Implementation
@ZamDimon ZamDimon changed the title 👫 BN254 EC Pairing implementation under Boojum constraint system 🗼 Tower Extensions (Fq2, Fq6, and Fq12) and Torus Compression for BN254 precompiles May 22, 2024
@ZamDimon
Copy link
Author

Since we moved the BN254-specific implementations outside this repo (namely, we moved them here), we rename this pull request to include information about gadgets only. We also close other pull requests not related to gadgets.

This was referenced May 22, 2024
Closed
Closed
@jules jules changed the base branch from main to dl-precompiles May 23, 2024 13:26
jules
jules requested changes May 23, 2024
View reviewed changes
Copy link
Member

@jules jules left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looking great guys, just a few final notes :)

src/gadgets/non_native_field/implementations/implementation_u16.rs
// We need this to ensure no conflicting implementations without negative impls

#[derive(Derivative)]
#[derivative(Clone, Copy, Debug, Hash)]
#[derive(Derivative, Serialize, PartialEq)]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what was the reason for adding serialize functionality to this type?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In circuits for ec_pairing we use internal FSM state with Fq12 as intermediate value element, thus it was needed to add it here because otherwise it wouldn't get compiled

src/gadgets/tower_extension/algebraic_torus.rs
Comment on lines +238 to +247
for i in BitIterator::new(exponent) {
if found_one {
result = result.square::<CS, SAFE>(cs);
} else {
found_one = i;
}

if i {
result = result.mul::<CS, SAFE>(cs, self);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is non-homogenous and needs to be updated to use conditional selection gates

src/gadgets/tower_extension/fq2.rs Outdated
Comment on lines 255 to 257
if power % 2 == 0 {
return self.clone();
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also non-homogenous in case the power can variate between circuits

src/gadgets/tower_extension/fq12.rs
Comment on lines +86 to +95
for i in BitIterator::new(exponent) {
if found_one {
result = result.square(cs);
} else {
found_one = i;
}

if i {
result = result.mul(cs, self);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same thing here, seems like this will cause divergent circuits based on input

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NikitaMasych NikitaMasych NikitaMasych left review comments

@jules jules jules requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ZamDimon @NikitaMasych @jules