-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EIP-1895: Support for an Elliptic Curve Cycle #1895
Merged
Merged
Changes from 17 commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
8b546c3
new(EIP): draft for elliptic curve cycles
836609e
fix(typo): remove trailing copy-pasta
4abf800
typo(clean): encoding table for y
c4ab8cf
doc(email): Add contact by mail
ad0a5bd
fix(typo): Correct format for email
cae25c7
fix(typo): Remove duplicate header
bcde638
feature(eipnum): Adds EIPnum
6857bfb
doc(summary): Update summary
4d559ac
rename(1895): Rename the eip in order to pass CI
ba52112
feature(1895): Rename eip file
5adf0df
fix(typo): Adds missing s to the type
8719d70
fix(typo): Fix spelling mistakes and rephrases
c0cd65d
typo(fix): remaining grammar mistakes
4b74a19
typo(grammar): Fix singular
b93ea35
fix(reference): clean the references
b208467
eip(reference): Add initials to the references
4f47b35
fix(typo): Fix grammar
a5fe8ba
fix(grammar): Rephrase the simple summary
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,164 @@ | ||
| --- | ||
| eip: 1895 | ||
| title: Support for an Elliptic Curve Cycle | ||
| author: Alexandre Belling <alexandrebelling8@gmail.com> | ||
| discussions-to: https://ethresear.ch/t/reducing-the-verification-cost-of-a-snark-through-hierarchical-aggregation/5128 | ||
| status: Draft | ||
| type: Standards Track | ||
| category: Core | ||
| created: 2018-31-03 | ||
| --- | ||
|
|
||
| ## Simple Summary | ||
|
|
||
| The EVM currently supports elliptic curves operations for curve *alt-bn128* thanks to precompiles `ecadd` and `ecmul` and `ecpairing`. The classes MNT4 and 6 contains cycles of curves and this enable doing operation on one curve inside a SNARK on the other (end reversely). This EIP suggests adding support for those curves. | ||
|
|
||
| ## Abstract | ||
|
|
||
| Adds supports for the following operations through precompiles: | ||
|
|
||
| * `ecadd` on MNT4 | ||
| * `ecmul` on MNT4 | ||
| * `ecpairing` on MNT4 | ||
|
|
||
| ## Motivation | ||
|
|
||
| Elliptic curve is the basic block of recursive SNARKs (ie: verifying a SNARK inside a SNARK) and this addresses the issue of scalable zero-knowledge. More generally this addresses partly the scalability issue as SNARKs verification are constant time in the size of the circuit being verified. | ||
|
|
||
| More concretely, today if the EVM has to deal with 1000s of SNARK verification it would take around 1.5 billion gas and would be impractical for Ethereum. Recursive SNARKs for instance make it possible to aggregate multiple proofs into a single one that can be verified like any other SNARK. It massively reduces the cost of verifications then. | ||
|
|
||
| However, this is impossible using *alt-bn128* and in my knowledge, the only family of pairing-friendly curves known to produce cycles are MNT4 and MNT6. A complete characterization of the cycles existing between those two families is proposed in [On cycles of pairing-friendly elliptic curves | ||
| ](https://arxiv.org/pdf/1803.02067.pdf) | ||
|
|
||
| ## Specification | ||
|
|
||
| ### The curve | ||
|
|
||
| The proposed cycle has been introduced in [Scalable Zero Knowledge via Cycles of Elliptic Curves](https://eprint.iacr.org/2014/595.pdf). | ||
|
|
||
| ### MNT4 definition | ||
|
|
||
| The groups `G_1` and `G_2` are cyclic groups of prime order : | ||
|
|
||
| ```. | ||
| q = 475922286169261325753349249653048451545124878552823515553267735739164647307408490559963137 | ||
| ``` | ||
|
|
||
| `G_1` is defined over the field `F_p` of prime order : | ||
|
|
||
| ```. | ||
| p = 475922286169261325753349249653048451545124879242694725395555128576210262817955800483758081 | ||
| ``` | ||
|
|
||
| with generator P: | ||
|
|
||
| ```. | ||
| P = ( | ||
| 60760244141852568949126569781626075788424196370144486719385562369396875346601926534016838, | ||
| 363732850702582978263902770815145784459747722357071843971107674179038674942891694705904306 | ||
| ) | ||
| ``` | ||
|
|
||
| Both p and q can be written in 298 bits. | ||
|
|
||
| The group G_1 is defined on the curve defined by the equation `Y² = X³ + aX + b` where: | ||
|
|
||
| ```. | ||
| a = 2 | ||
| b = 423894536526684178289416011533888240029318103673896002803341544124054745019340795360841685 | ||
| ``` | ||
|
|
||
| The twisted group G_2 is defined over the field `F_p^2 = F_p / <<To be completed>>` | ||
|
|
||
| The twisted group G_2 is defined on the curve defined by the equation `Y² = X² + aX + b` where : | ||
|
|
||
| ```. | ||
| a = 34 + i * 0 | ||
| b = 0 + i * 67372828414711144619833451280373307321534573815811166723479321465776723059456513877937430 | ||
| ``` | ||
|
|
||
| G_2 generator is generated by : | ||
|
|
||
| ```. | ||
| P2 = ( | ||
| 438374926219350099854919100077809681842783509163790991847867546339851681564223481322252708 + | ||
| i * 37620953615500480110935514360923278605464476459712393277679280819942849043649216370485641, | ||
| 37437409008528968268352521034936931842973546441370663118543015118291998305624025037512482 + | ||
| i * 424621479598893882672393190337420680597584695892317197646113820787463109735345923009077489 | ||
| ) | ||
| ``` | ||
|
|
||
| ### The operations and gas cost | ||
|
|
||
| The following operations and their gas cost would be implemented | ||
|
|
||
| ```. | ||
| MNT_X_ADD = <<To be estimated>> | ||
| MNT_X_MUL = <<To be estimated>> | ||
| MNT_X_PAIRING = <<To be estimated>> | ||
| ``` | ||
|
|
||
| Where `X` is either 4. | ||
|
|
||
| ### Encoding | ||
|
|
||
| The curves points P(X, Y) over F_p are represented in their compressed form C(X, Y): | ||
|
|
||
| ```. | ||
| C = X | s | ||
| ``` | ||
|
|
||
| where `s` represents `Y` as follow: | ||
|
|
||
| ```. | ||
| | `s'` | `Y` | | ||
| |--------|--------------------------| | ||
| | `0x00` | Point at infinity | | ||
| | `0x02` | Solution with `y` even | | ||
| | `0x03` | Solution with `y` odd | | ||
| ``` | ||
|
|
||
| Compression operation from affine coordinate is trivial: | ||
|
|
||
| ```. | ||
| s = 0x02 | (s & 0x01) | ||
| ``` | ||
|
|
||
| In the EVM the compressed form allows us to represents curve points with 2 uint256 instead of 3. | ||
|
|
||
| ### Edge cases | ||
|
|
||
| * Several acceptable representations for the point at infinity | ||
|
|
||
| ## Rationale | ||
|
|
||
| The curve has 80 bits of security (whereas MNT6 has 120 bits) which might not be considered enough for critical security level, (for instance transfering several billions), but enough for others. If it turns out this is not enough security for adoption, there is another option : another cycle is being used by Coda but is defined over a 753 bits sized field which might also be prohibitively low (no reference to this curve from Coda's publications found). | ||
|
|
||
| Independently of the cycle chosen, the groups and field elements are represented with integers larger than 256 bits (even for the 80 bits of security), therefore it might be necessary to also add support for larger field size operations. | ||
|
|
||
| We currently don't know more efficient pairing-friendly cycles and don't know if there are. It might be possible to circumvent this problem though by relaxing the constraint that all the curves of the cycle must be pairing friendly). If we had a cycle with only one pairing friendly curve we would still be able to compose proofs by alternating between SNARKs and any other general purpose zero-knowledge cryptosystems. | ||
|
|
||
| Assuming we find a convenient cycle, we don't need to implement support for all the curves it contains, only one. The best choice would be the fastest one as the overall security of the recursive snark do not depends on which curve the verification is made. | ||
|
|
||
| Proper benchmarks will be done in order to make this choice and to price the operations in gas. | ||
|
|
||
| ## Test Cases | ||
|
|
||
| <!--Test cases for an implementation are mandatory for EIPs that are affecting consensus changes. Other EIPs can choose to include links to test cases if applicable.--> | ||
|
|
||
| ## References | ||
|
|
||
| * *Eli-Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza, [BCTV14], April 28, 2015, Scalable Zero Knowledge via Cycles of Elliptic Curves : https://eprint.iacr.org/2014/595.pdf* | ||
| * *Alessandro Chiesa, Lynn Chua, Matthew Weidner, [CCW18], November 5, 2018, On cycles of pairing-friendly elliptic curves : https://arxiv.org/pdf/1803.02067.pdf* | ||
|
|
||
| ## Implementation | ||
|
|
||
| <!--The implementations must be completed before any EIP is given status "Final", but it need not be completed before the EIP is accepted. While there is merit to the approach of reaching consensus on the specification and rationale before writing code, the principle of "rough consensus and running code" is still useful when it comes to resolving many discussions of API details.--> | ||
AlexandreBelling marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| * [go-boojum](https://github.com/AlexandreBelling/go-boojum) : A PoC demo of an application of recursive SNARKs | ||
| * [libff](https://github.com/scipr-lab/libff) : a C++ library for finite fields and elliptic curves | ||
| * [coda](https://github.com/CodaProtocol/coda) : a new cryptocurrency protocol with a lightweight, constant sized blockchain. | ||
|
|
||
| ## Copyright | ||
|
|
||
| Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how to read this sentence:
"The classes MNT4 and 6 contains cycles of curves and this enable doing operation on one curve inside a SNARK on the other (end reversely)."
Could you perhaps clarify it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@AlexandreBelling Could you still clarify the sentence?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it make more sense if I rephrase like that ?
"An elliptic curve cycle is a set of elliptic curves with the property that the inner-field of one curve is the outer-field of the other one. Cycles make it possible to do elliptic curve operations for one of the curves inside zkSNARK circuit that is proven and verified using the other curve of the cycle."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's an explanation, but the sentence structure is still unclear to me. It looks like the grammar is not correct. So you could leave the sentence in there, just fix the grammar. Perhaps ask an English native speaker to correct it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hum ok, I have asked someone to help me fix it. I now believe it means what it's supposed to mean :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be "Two elliptic curves were generated such that group order of one curve is coordinates field characteristic of the other curve, and reverse."
We have a good arXiv paper referenced describing this property already, making it unreasonable explaining cycle here on github. I would also refer to my favorite IACR 2014/595 preprint.