Consensys · yelhousni · Jul 3, 2024 · May 23, 2024 · May 24, 2024 · May 24, 2024
diff --git a/internal/stats/latest.stats b/internal/stats/latest.stats
diff --git a/std/algebra/emulated/fields_bn254/e12_pairing.go b/std/algebra/emulated/fields_bn254/e12_pairing.go
@@ -4,6 +4,76 @@ import (
 	"github.com/consensys/gnark/std/math/emulated"
 )
 
+func (e Ext12) nSquare(z *E12, n int) *E12 {
+	for i := 0; i < n; i++ {
+		z = e.Square(z)
+	}
+	return z
+}
+
+// Exponentiation by U=6u+2 where t is the seed u=4965661367192848881
+func (e Ext12) ExpByU(x *E12) *E12 {
+	// ExpByU computation is derived from the addition chain:
+	//	_10      = 2*1
+	//	_11      = 1 + _10
+	//	_110     = 2*_11
+	//	_111     = 1 + _110
+	//	_1100    = 2*_110
+	//	_1111    = _11 + _1100
+	//	_1100000 = _1100 << 3
+	//	_1100111 = _111 + _1100000
+	//	i22      = ((_1100111 << 2 + 1) << 5 + _1111) << 3
+	//	i38      = ((1 + i22) << 4 + _111) << 9 + _111
+	//	i50      = 2*((i38 << 4 + _11) << 5 + _1111)
+	//	i61      = ((1 + i50) << 5 + _111) << 3 + _11
+	//	i75      = ((i61 << 6 + _111) << 4 + _111) << 2
+	//	return     ((1 + i75) << 2 + 1) << 3
+	//
+	// Operations: 64 squares 18 multiplies
+	//
+	// Generated by github.com/mmcloughlin/addchain v0.4.0.
+
+	z := e.Square(x)
+	t0 := e.Mul(x, z)
+	t1 := e.Square(t0)
+	z = e.Mul(x, t1)
+	t2 := e.Square(t1)
+	t1 = e.Mul(t0, t2)
+	t2 = e.nSquare(t2, 3)
+	t2 = e.Mul(z, t2)
+	t2 = e.nSquare(t2, 2)
+	t2 = e.Mul(x, t2)
+	t2 = e.nSquare(t2, 5)
+	t2 = e.Mul(t1, t2)
+	t2 = e.nSquare(t2, 3)
+	t2 = e.Mul(x, t2)
+	t2 = e.nSquare(t2, 4)
+	t2 = e.Mul(z, t2)
+	t2 = e.nSquare(t2, 9)
+	t2 = e.Mul(z, t2)
+	t2 = e.nSquare(t2, 4)
+	t2 = e.Mul(t0, t2)
+	t2 = e.nSquare(t2, 5)
+	t1 = e.Mul(t1, t2)
+	t1 = e.Square(t1)
+	t1 = e.Mul(x, t1)
+	t1 = e.nSquare(t1, 5)
+	t1 = e.Mul(z, t1)
+	t1 = e.nSquare(t1, 3)
+	t0 = e.Mul(t0, t1)
+	t0 = e.nSquare(t0, 6)
+	t0 = e.Mul(z, t0)
+	t0 = e.nSquare(t0, 4)
+	z = e.Mul(z, t0)
+	z = e.nSquare(z, 2)
+	z = e.Mul(x, z)
+	z = e.nSquare(z, 2)
+	z = e.Mul(x, z)
+	z = e.nSquare(z, 3)
+
+	return z
+}
+
 func (e Ext12) nSquareTorus(z *E6, n int) *E6 {
 	for i := 0; i < n; i++ {
 		z = e.SquareTorus(z)
@@ -14,7 +84,7 @@ func (e Ext12) nSquareTorus(z *E6, n int) *E6 {
 // Exponentiation by the seed t=4965661367192848881
 // The computations are performed on E6 compressed form using Torus-based arithmetic.
 func (e Ext12) ExptTorus(x *E6) *E6 {
-	// Expt computation is derived from the addition chain:
+	// ExptTorus computation is derived from the addition chain:
 	//
 	//	_10     = 2*1
 	//	_100    = 2*_10
@@ -351,3 +421,127 @@ func (e Ext12) FrobeniusCubeTorus(y *E6) *E6 {
 
 	return res
 }
+
+// FinalExponentiationCheck checks that a Miller function output x lies in the
+// same equivalence class as the reduced pairing. This replaces the final
+// exponentiation step in-circuit.
+// The method follows Section 4 of [On Proving Pairings] paper by A. Novakovic and L. Eagen.
+//
+// [On Proving Pairings]: https://eprint.iacr.org/2024/640.pdf
+func (e Ext12) FinalExponentiationCheck(x *E12) *E12 {
+	res, err := e.fp.NewHint(finalExpHint, 24, &x.C0.B0.A0, &x.C0.B0.A1, &x.C0.B1.A0, &x.C0.B1.A1, &x.C0.B2.A0, &x.C0.B2.A1, &x.C1.B0.A0, &x.C1.B0.A1, &x.C1.B1.A0, &x.C1.B1.A1, &x.C1.B2.A0, &x.C1.B2.A1)
+	if err != nil {
+		// err is non-nil only for invalid number of inputs
+		panic(err)
+	}
+
+	residueWitness := E12{
+		C0: E6{
+			B0: E2{A0: *res[0], A1: *res[1]},
+			B1: E2{A0: *res[2], A1: *res[3]},
+			B2: E2{A0: *res[4], A1: *res[5]},
+		},
+		C1: E6{
+			B0: E2{A0: *res[6], A1: *res[7]},
+			B1: E2{A0: *res[8], A1: *res[9]},
+			B2: E2{A0: *res[10], A1: *res[11]},
+		},
+	}
+	cubicNonResiduePower := E12{
+		C0: E6{
+			B0: E2{A0: *res[12], A1: *res[13]},
+			B1: E2{A0: *res[14], A1: *res[15]},
+			B2: E2{A0: *res[16], A1: *res[17]},
+		},
+		C1: E6{
+			B0: E2{A0: *res[18], A1: *res[19]},
+			B1: E2{A0: *res[20], A1: *res[21]},
+			B2: E2{A0: *res[22], A1: *res[23]},
+		},
+	}
+
+	// Check that  x * cubicNonResiduePower == residueWitness^λ
+	// where λ = 6u + 2 + q^3 - q^2 + q, with u the BN254 seed
+	// and residueWitness, cubicNonResiduePower from the hint.
+	t2 := e.Mul(&cubicNonResiduePower, x)
+
+	t1 := e.FrobeniusCube(&residueWitness)
+	t0 := e.FrobeniusSquare(&residueWitness)
+	t1 = e.DivUnchecked(t1, t0)
+	t0 = e.Frobenius(&residueWitness)
+	t1 = e.Mul(t1, t0)
+
+	// exponentiation by U=6u+2
+	t0 = e.ExpByU(&residueWitness)
+
+	t0 = e.Mul(t0, t1)
+
+	e.AssertIsEqual(t0, t2)
+
+	return nil
+}
+
+func (e Ext12) Frobenius(x *E12) *E12 {
+	t0 := e.Ext2.Conjugate(&x.C0.B0)
+	t1 := e.Ext2.Conjugate(&x.C0.B1)
+	t2 := e.Ext2.Conjugate(&x.C0.B2)
+	t3 := e.Ext2.Conjugate(&x.C1.B0)
+	t4 := e.Ext2.Conjugate(&x.C1.B1)
+	t5 := e.Ext2.Conjugate(&x.C1.B2)
+	t1 = e.Ext2.MulByNonResidue1Power2(t1)
+	t2 = e.Ext2.MulByNonResidue1Power4(t2)
+	t3 = e.Ext2.MulByNonResidue1Power1(t3)
+	t4 = e.Ext2.MulByNonResidue1Power3(t4)
+	t5 = e.Ext2.MulByNonResidue1Power5(t5)
+	return &E12{
+		C0: E6{
+			B0: *t0,
+			B1: *t1,
+			B2: *t2,
+		},
+		C1: E6{
+			B0: *t3,
+			B1: *t4,
+			B2: *t5,
+		},
+	}
+}
+
+func (e Ext12) FrobeniusSquare(x *E12) *E12 {
+	z00 := &x.C0.B0
+	z01 := e.Ext2.MulByNonResidue2Power2(&x.C0.B1)
+	z02 := e.Ext2.MulByNonResidue2Power4(&x.C0.B2)
+	z10 := e.Ext2.MulByNonResidue2Power1(&x.C1.B0)
+	z11 := e.Ext2.MulByNonResidue2Power3(&x.C1.B1)
+	z12 := e.Ext2.MulByNonResidue2Power5(&x.C1.B2)
+	return &E12{
+		C0: E6{B0: *z00, B1: *z01, B2: *z02},
+		C1: E6{B0: *z10, B1: *z11, B2: *z12},
+	}
+}
+
+func (e Ext12) FrobeniusCube(x *E12) *E12 {
+	t0 := e.Ext2.Conjugate(&x.C0.B0)
+	t1 := e.Ext2.Conjugate(&x.C0.B1)
+	t2 := e.Ext2.Conjugate(&x.C0.B2)
+	t3 := e.Ext2.Conjugate(&x.C1.B0)
+	t4 := e.Ext2.Conjugate(&x.C1.B1)
+	t5 := e.Ext2.Conjugate(&x.C1.B2)
+	t1 = e.Ext2.MulByNonResidue3Power2(t1)
+	t2 = e.Ext2.MulByNonResidue3Power4(t2)
+	t3 = e.Ext2.MulByNonResidue3Power1(t3)
+	t4 = e.Ext2.MulByNonResidue3Power3(t4)
+	t5 = e.Ext2.MulByNonResidue3Power5(t5)
+	return &E12{
+		C0: E6{
+			B0: *t0,
+			B1: *t1,
+			B2: *t2,
+		},
+		C1: E6{
+			B0: *t3,
+			B1: *t4,
+			B2: *t5,
+		},
+	}
+}
diff --git a/std/algebra/emulated/fields_bn254/hints.go b/std/algebra/emulated/fields_bn254/hints.go
@@ -27,6 +27,7 @@ func GetHints() []solver.Hint {
 		// E12
 		divE12Hint,
 		inverseE12Hint,
+		finalExpHint,
 	}
 }
 
@@ -268,3 +269,126 @@ func divE12Hint(nativeMod *big.Int, nativeInputs, nativeOutputs []*big.Int) erro
 			return nil
 		})
 }
+
+func finalExpHint(nativeMod *big.Int, nativeInputs, nativeOutputs []*big.Int) error {
+	// This follows section 4.3.2 of https://eprint.iacr.org/2024/640.pdf
+	return emulated.UnwrapHint(nativeInputs, nativeOutputs,
+		func(mod *big.Int, inputs, outputs []*big.Int) error {
+			var tmp, x3, cubicNonResiduePower, x, millerLoop, residueWitness, residueWitnessInv, one, root27thOf1 bn254.E12
+			var exp1, exp2, rInv, mInv big.Int
+
+			millerLoop.C0.B0.A0.SetBigInt(inputs[0])
+			millerLoop.C0.B0.A1.SetBigInt(inputs[1])
+			millerLoop.C0.B1.A0.SetBigInt(inputs[2])
+			millerLoop.C0.B1.A1.SetBigInt(inputs[3])
+			millerLoop.C0.B2.A0.SetBigInt(inputs[4])
+			millerLoop.C0.B2.A1.SetBigInt(inputs[5])
+			millerLoop.C1.B0.A0.SetBigInt(inputs[6])
+			millerLoop.C1.B0.A1.SetBigInt(inputs[7])
+			millerLoop.C1.B1.A0.SetBigInt(inputs[8])
+			millerLoop.C1.B1.A1.SetBigInt(inputs[9])
+			millerLoop.C1.B2.A0.SetBigInt(inputs[10])
+			millerLoop.C1.B2.A1.SetBigInt(inputs[11])
+
+			// exp1 = (p^12-1)/3
+			exp1.SetString("4030969696062745741797811005853058291874379204406359442560681893891674450106959530046539719647151210908190211459382793062006703141168852426020468083171325367934590379984666859998399967609544754664110191464072930598755441160008826659219834762354786403012110463250131961575955268597858015384895449311534622125256548620283853223733396368939858981844663598065852816056384933498610930035891058807598891752166582271931875150099691598048016175399382213304673796601585080509443902692818733420199004555566113537482054218823936116647313678747500267068559627206777530424029211671772692598157901876223857571299238046741502089890557442500582300718504160740314926185458079985126192563953772118929726791041828902047546977272656240744693339962973939047279285351052107950250121751682659529260304162131862468322644288196213423232132152125277136333208005221619443705106431645884840489295409272576227859206166894626854018093044908314720", 10)
+			// root27thOf1 = (0, c010, c011, 0, 0, 0, 0, 0, 0, 0, 0, 0)
+			// is a 27-th root of  unity which is necessarily a cubic non-residue
+			// since h/r = (p^12-1)/r = 27·l and 3 does not divide l.
+			// it was computed as w^((p^12-1)/27) = c2 * w^2 + c8 * w^8 where
+			// Fp12 = Fp[w]/w^12-18w^6+82 which is isomorphic to our Fp12 tower
+			// then c010 = (c2 + 9 * c8) % p and c011 = c8
+			root27thOf1.C0.B1.A0.SetString("9483667112135124394372960210728142145589475128897916459350428495526310884707")
+			root27thOf1.C0.B1.A1.SetString("4534159768373982659291990808346042891252278737770656686799127720849666919525")
+
+			if one.Exp(millerLoop, &exp1).IsOne() {
+				// residueWitness = millerLoop is a cubic residue
+				cubicNonResiduePower.SetOne()
+				residueWitness.Set(&millerLoop)
+			} else if one.Exp(*millerLoop.Mul(&millerLoop, &root27thOf1), &exp1).IsOne() {
+				// residueWitness = millerLoop * root27thOf1 is a cubic residue
+				cubicNonResiduePower.Set(&root27thOf1)
+				residueWitness.Set(&millerLoop)
+			} else {
+				// residueWitness = millerLoop * root27thOf1^2 is a cubic residue
+				cubicNonResiduePower.Square(&root27thOf1)
+				residueWitness.Mul(&millerLoop, &root27thOf1)
+			}
+
+			// 1. compute r-th root:
+			// Exponentiate to rInv where
+			// rInv = 1/r mod (p^12-1)/r
+			rInv.SetString("495819184011867778744231927046742333492451180917315223017345540833046880485481720031136878341141903241966521818658471092566752321606779256340158678675679238405722886654128392203338228575623261160538734808887996935946888297414610216445334190959815200956855428635568184508263913274453942864817234480763055154719338281461936129150171789463489422401982681230261920147923652438266934726901346095892093443898852488218812468761027620988447655860644584419583586883569984588067403598284748297179498734419889699245081714359110559679136004228878808158639412436468707589339209058958785568729925402190575720856279605832146553573981587948304340677613460685405477047119496887534881410757668344088436651291444274840864486870663164657544390995506448087189408281061890434467956047582679858345583941396130713046072603335601764495918026585155498301896749919393", 10)
+			residueWitness.Exp(residueWitness, &rInv)
+
+			// 2. compute m-th root:
+			// where m = (6x + 2 + q^3 - q^2 + q)/(3r)
+			// Exponentiate to mInv where
+			// mInv = 1/m mod p^12-1
+			mInv.SetString("17840267520054779749190587238017784600702972825655245554504342129614427201836516118803396948809179149954197175783449826546445899524065131269177708416982407215963288737761615699967145070776364294542559324079147363363059480104341231360692143673915822421222230661528586799190306058519400019024762424366780736540525310403098758015600523609594113357130678138304964034267260758692953579514899054295817541844330584721967571697039986079722203518034173581264955381924826388858518077894154909963532054519350571947910625755075099598588672669612434444513251495355121627496067454526862754597351094345783576387352673894873931328099247263766690688395096280633426669535619271711975898132416216382905928886703963310231865346128293216316379527200971959980873989485521004596686352787540034457467115536116148612884807380187255514888720048664139404687086409399", 10)
+			residueWitness.Exp(residueWitness, &mInv)
+
+			// 3. compute cube root:
+			// since gcd(3, (p^12-1)/r) ≠ 1 we use a modified Toneelli-Shanks algorithm
+			// see Alg.4 of https://eprint.iacr.org/2024/640.pdf
+			// Typo in the paper: p^k-1 = 3^n * s instead of p-1 = 3^r * s
+			// where k=12 and n=3 here and exp2 = (s+1)/3
+			residueWitnessInv.Inverse(&residueWitness)
+			exp2.SetString("149295173928249842288807815031594751550902933496531831205951181255247201855813315927649619246190785589192230054051214557852100116339587126889646966043382421034614458517950624444385183985538694617189266350521219651805757080000326913304438324531658755667115202342597480058368713651772519088329461085612393412046538837788290860138273939590365147475728281409846400594680923462911515927255224400281440435265428973034513894448136725853630228718495637529802733207466114092942366766400693830377740909465411612499335341437923559875826432546203713595131838044695464089778859691547136762894737106526809539677749557286722299625576201574095640767352005953344997266128077036486155280146436004404804695964512181557316554713802082990544197776406442186936269827816744738898152657469728130713344598597476387715653492155415311971560450078713968012341037230430349766855793764662401499603533676762082513303932107208402000670112774382027", 10)
+			x.Exp(residueWitness, &exp2)
+
+			// 3^t is ord(x^3 / residueWitness)
+			x3.Square(&x).Mul(&x3, &x).Mul(&x3, &residueWitnessInv)
+			t := 0
+			for !x3.IsOne() {
+				t++
+				tmp.Square(&x3)
+				x3.Mul(&tmp, &x3)
+			}
+
+			for t != 0 {
+				x.Mul(&x, tmp.Exp(root27thOf1, &exp2))
+
+				// 3^t is ord(x^3 / residueWitness)
+				x3.Square(&x).Mul(&x3, &x).Mul(&x3, &residueWitnessInv)
+				t = 0
+				for !x3.IsOne() {
+					t++
+					tmp.Square(&x3)
+					x3.Mul(&tmp, &x3)
+				}
+			}
+
+			// x is now the cube root of residueWitness
+			residueWitness.Set(&x)
+
+			residueWitness.C0.B0.A0.BigInt(outputs[0])
+			residueWitness.C0.B0.A1.BigInt(outputs[1])
+			residueWitness.C0.B1.A0.BigInt(outputs[2])
+			residueWitness.C0.B1.A1.BigInt(outputs[3])
+			residueWitness.C0.B2.A0.BigInt(outputs[4])
+			residueWitness.C0.B2.A1.BigInt(outputs[5])
+			residueWitness.C1.B0.A0.BigInt(outputs[6])
+			residueWitness.C1.B0.A1.BigInt(outputs[7])
+			residueWitness.C1.B1.A0.BigInt(outputs[8])
+			residueWitness.C1.B1.A1.BigInt(outputs[9])
+			residueWitness.C1.B2.A0.BigInt(outputs[10])
+			residueWitness.C1.B2.A1.BigInt(outputs[11])
+
+			// we also need to return the cubic non-residue power
+			cubicNonResiduePower.C0.B0.A0.BigInt(outputs[12])
+			cubicNonResiduePower.C0.B0.A1.BigInt(outputs[13])
+			cubicNonResiduePower.C0.B1.A0.BigInt(outputs[14])
+			cubicNonResiduePower.C0.B1.A1.BigInt(outputs[15])
+			cubicNonResiduePower.C0.B2.A0.BigInt(outputs[16])
+			cubicNonResiduePower.C0.B2.A1.BigInt(outputs[17])
+			cubicNonResiduePower.C1.B0.A0.BigInt(outputs[18])
+			cubicNonResiduePower.C1.B0.A1.BigInt(outputs[19])
+			cubicNonResiduePower.C1.B1.A0.BigInt(outputs[20])
+			cubicNonResiduePower.C1.B1.A1.BigInt(outputs[21])
+			cubicNonResiduePower.C1.B2.A0.BigInt(outputs[22])
+			cubicNonResiduePower.C1.B2.A1.BigInt(outputs[23])
+
+			return nil
+		})
+}