[Proposal] alt_bn128 curve math #98
Comments
@akhi3030 Is this implemented and can be closed?
@nearmax: in near/nearcore#6824, we stabilised
@akhi3030 Yes, please, create a new issue and close this one. Could you take ownership of getting the spec updated? 🙏
Happy to do so!
The remaining work is now tracked in #426. Please prefer continuing discussions on that issue.
Proposal
To implement a set of zkSNARK verifiers (like Groth16 or PLONK), I suggest adding alt_bn128 math functions to the VM:
To learn more about alt_bn128 and subgroups G1 and G2 see EIP-196 and EIP-197.
Functions
All formulas below are defined in additive notation. If the data is incorrectly serialized, the function returns Error.
alt_bn128_g1_multiexp(items:&[G1, Fr]) -> Result<G1>
Compute with Pippenger's algorithm, where are Fr scalars and are G1 group elements.
Bad data: If a is more than or equal to the Fr order or is not in G1 group, function returns Error.
Complexity: . I propose to use regularization for .
Gas formula:
B is linear component, corresponding to deserialization complexity.
alt_bn128_g1_sum(items:&[G1, bool]) -> Result<G1>
Compute .
Bad data: If a is not one or zero or is not in G1 group, function returns Error.
Complexity: linear
Gas formula:
alt_bn128_pairing_check(items:&[G1,G2]) -> Result<bool>
Compute
Bad data: If is not in G1 group or is not in G2 subgroup, function returns Error.
Complexity: linear
Gas formula:
Data encoding
G1 is serialized as two U256 (x and y) in LE.
G2 is serialized as four U256 (re(x), im(x), re(y), im(y)) in LE.
bool is serialized as one byte.
Tuple is serialized as concatenated chunks of serialized elements.
Slice is serialized as concatenated chunks of serialized elements.
Implementation
alt_bn128 functions are implemented as a fork of parity-bn with minor updates:
The crate should be published and moved to nearprotocol.
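The "Data encoding" rules and the "Bad data" checks for alt_bn128_g1_sum input, as an added example that is not part of the original proposal or of the NEAR implementation. The names `DecodeError`, `encode_g1`, `decode_g1` and `decode_g1_sum_items` are hypothetical, and treating (0, 0) as the point at infinity is an assumption taken from EIP-196, which the proposal does not state.

```python
# Added example: decoder for alt_bn128_g1_sum input, items: &[G1, bool].
# alt_bn128 base-field modulus p (EIP-196); curve is y^2 = x^3 + 3 over F_p.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
G1_LEN = 64             # two little-endian U256: x then y
ITEM_LEN = G1_LEN + 1   # tuple (G1, bool): concatenated, bool is one byte


class DecodeError(ValueError):
    """Hypothetical stand-in for the Error the proposal returns on bad data."""


def encode_g1(x: int, y: int) -> bytes:
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


def decode_g1(buf: bytes):
    if len(buf) != G1_LEN:
        raise DecodeError("G1 must be exactly 64 bytes")
    x = int.from_bytes(buf[:32], "little")
    y = int.from_bytes(buf[32:], "little")
    if x >= P or y >= P:
        raise DecodeError("coordinate is not a reduced field element")
    if x == 0 and y == 0:
        return None  # assumption: (0, 0) encodes infinity, as in EIP-196
    if (y * y - (x * x * x + 3)) % P != 0:
        raise DecodeError("point is not on the curve")
    # G1 has cofactor 1, so an on-curve point is in the group. G2 would
    # also need a subgroup check, which this example does not cover.
    return (x, y)


def decode_g1_sum_items(data: bytes):
    if len(data) % ITEM_LEN != 0:
        raise DecodeError("slice length is not a multiple of 65 bytes")
    items = []
    for off in range(0, len(data), ITEM_LEN):
        point = decode_g1(data[off:off + G1_LEN])
        flag = data[off + G1_LEN]
        if flag not in (0, 1):
            raise DecodeError("bool byte must be 0 or 1")
        items.append((point, bool(flag)))
    return items


# Constructed sample: generator (1, 2) and its negation (1, p - 2).
SAMPLE = encode_g1(1, 2) + b"\x00" + encode_g1(1, P - 2) + b"\x01"

if __name__ == "__main__":
    print(decode_g1_sum_items(SAMPLE))
```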