From 2a1719e1c85a4601be06153e3ab592b538eab5b6 Mon Sep 17 00:00:00 2001
From: Alex Vlasov <alex.m.vlasov@gmail.com>
Date: Thu, 27 Feb 2020 20:52:21 +0300
Subject: [PATCH 1/2] initial

---
 EIPS/eip-x.md | 273 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 273 insertions(+)
 create mode 100644 EIPS/eip-x.md

diff --git a/EIPS/eip-x.md b/EIPS/eip-x.md
new file mode 100644
index 00000000000000..443ffe7c2f3c26
--- /dev/null
+++ b/EIPS/eip-x.md
@@ -0,0 +1,273 @@
+---
+eip: -
+title: EY SW6-Bis curve operations
+author: Alex Vlasov (@shamatar)
+discussions-to: https://github.com/ethereum/EIPs/pull/2539
+status: Draft
+type: Standards Track
+category: Core
+created: 2020-02-27
+requires : 1109, 2046
+---
+
+<!--You can leave these HTML comments in your merged EIP and delete the visible duplicate text guides, they will not appear and may be helpful to refer to if you edit it again. This is the suggested template for new EIPs. Note that an EIP number will be assigned by an editor. When opening a pull request to submit your EIP, please use an abbreviated title in the filename, `eip-draft_title_abbrev.md`. The title should be 44 characters or less.-->
+
+## Simple Summary
+<!--"If you can't explain it simply, you don't understand it well enough." Provide a simplified and layman-accessible explanation of the EIP.-->
+
+This precompile adds operation on the SW6 bis curve generated by EY as a precompile in a set necessary to *efficiently* perform operations such as BLS signature verification and perform SNARKs verifications. This curve has a subgroup order equal to the base field of BLS12-377 curve (that in it's term has high 2-addicity). This allow to create zero-knowledge proofs that e.g. aggregate BLS signatures over BLS12-377 curve or can be used in privacy solutions as described in Zexe paper.
+
+## Abstract
+<!--A short (~200 word) description of the technical issue being addressed.-->
+
+If `block.number >= X` we introduce *seven* separate precompiles to perform the following operations (addresses to be determined):
+
+- G1ADD - to perform point addition on a curve defined over prime field
+- G1MUL - to perform point multiplication on a curve defined over prime field
+- G1MULTIEXP - to perform multiexponentiation on a curve defined over prime field
+- G2ADD - to perform point addition on a curve twist defined over quadratic extension of the base field
+- G2MUL - to perform point multiplication on a curve twist defined over quadratic extension of the base field
+- G2MULTIEXP - to perform multiexponentiation on a curve twist defined over quadratic extension of the base field
+- PAIRING - to perform a pairing operations between a set of *pairs* of (G1, G2) points
+
+Multiexponentiation operation is included to efficiently aggregate public keys or individual signer's signatures during BLS signature verification, as well as public inputs in SNARKs.
+
+## Motivation
+<!--The motivation is critical for EIPs that want to change the Ethereum protocol. It should clearly explain why the existing protocol specification is inadequate to address the problem that the EIP solves. EIP submissions without sufficient motivation may be rejected outright.-->
+
+Motivation of this precompile is to add a cryptographic primitive that allows to get 120+ bits of security for operations and allow aggregation of zero-knowledge proofs over BLS12-377.
+
+## Specification
+<!--The technical specification should describe the syntax and semantics of any new feature. The specification should be detailed enough to allow competing, interoperable implementations for any of the current Ethereum platforms (go-ethereum, parity, cpp-ethereum, ethereumj, ethereumjs, and [others](https://github.com/ethereum/wiki/wiki/Clients)).-->
+
+Curve parameters:
+
+This curve is in a short Weierstrass form with embedding degree of `k = 6` and is fully defined by the following set of parameters:
+
+```
+Base field modulus = 0x0122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b423048689c8ed12f9fd9071dcd3dc73ebff2e98a116c25667a8f8160cf8aeeaf0a437e6913e6870000082f49d00000000008b
+A coefficient = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+B coefficient = 0x00e5241d1152d2630be6a0f86214786f7531bee709f64a4d69bb09a1a52296710b131d54478f5996b338fda135b8d225881c16e23fa6749ba636396b157a00887bfc2ce488e8e4d1950732fe15d7ade34b040e027c6f57e1583776d162252d4e
+Main subgroup order = 0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
+Extension tower:
+Fp3 construction:
+Fp cubic non-residue = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002
+A coefficient for twist c0 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+A coefficient for twist c1 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+A coefficient for twist c2 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+B coefficient for twist c0 = 0x00a760152721d6bb464578b0bf2df1a0313d6563921b4e1280f39d53c9bd6ea0a5aa946fa999ca1462a3404345bd814689ae64d76c52eba6da8f9ef9b70801e25f574306bb6a20ab14016d4d40beb78eaf76dd9c88deaf3fbbd1eda2c44a5a11
+B coefficient for twist c1 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+B coefficient for twist c2 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Generators:
+G1:
+X = 0x00eb8ba8e7c74bc2270f56572d2a32d4e15f9191e6bcb660f3d7abbdb3e5e98f155f6dc727c18ab19f3e33b16dbdaa0ec4595c929bc84cf97b762b9a148d6be3c9eb3a43977da150cb038c2a49f342494a676f63fe47e054f1f30bc53d383994
+Y = 0x008ab7286a8ebe965c379df96da296d16e8a80455899b89da18edffc63f1eaed8a452cb8394bac62f366f3492cfceb4b25ccf9d712e3c4fbfed1007d79f7395a74e518e87a8e18123a12bcf99d6bd94dbb919d7551b47562a4eb066ff933cfe9
+G2:
+X c0 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+X c1 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+X c2 = 0x00749b080e2948a62385c54bf393589201ac6be96b028ac04b095c6dd5b356733004ff768354adf09c51c7904674405615790bfc0d0f773c63821a31b6f64d7bc5f9f732950f683ad47dc5a4142a8673463409ecedfe3e124b6b9e3463d0a7d1
+Y c0 = 0x010d5da8d5fc276ac5e6c8d1dd06456ced54ff148c251e2071425189bb82271713d4cf602e8dce71c9a65c37586ff09937df02c37575d8e5e16eaad099275154f7d9111c0358a7ddb462f1285b67b7720c8994b44222473e6b0b1b6dcc26b2e2
+Y c1 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Y c2 = 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Pairing parameters:
+|ate_loop_scalar| (miller loop scalar) = 0x122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b4230484db8ea6fb34eca5aba1ce1c074ab5f37e7e3ccf55729568f719967f30e75c37cf85e124400000826f9440000000008a
+ate_loop_scalar is negative = false
+final_exp_scalar (final exponentiation power) = 0x147fe546f00083377e9fbf6a033031c7b3bcd091704b16560d93a4388a54ed259b6dde22664d830a4a2bf0cead97e54990018ad199a375b8669e863e1e623778150e7d6485ea546b25966013c2a43b6cd6d44630e70730955a7583ce9c5dc0b6be101610c672471296249743f64217723fb8f9c3dc4223fd7634e5627884e9f63b1994f35769e747c3c195cfff160602031810ff73d4ec6f22f65ba73fe0cfd7f8b981c7d9f6e01f062bf0158de06a4aede6f53a6b077333b1aa94a06a90215ca0d86c9fa849739e3230f1596de77c7b2ee2d771c5e5998c42d3e90ea4458daf3ad76841e9d27ab1e4c5119b34223e74a14ddb89f929f5b28353c0558af093f274393b9c632878699ba64293e7d0075cb5167b63be5e10fbefb1af502a62b5dbed3f1d14017a13b27d1ebfaad3b935c23da9b6bc20195a6353c7a4a8809bd39c41064148e0d106e5c4904596f0103749d215d88a22ca543df15d308d6f9c1a523da7a821b64fb7a2151bcdbf531d025406218acba869c3345495666cc8c80e8254abb89005e17121aca99bae35a034a96972a96e34dc6179c46c5db2043cad82b851ad64e95d27006422cd6c0a4d65f2dd5394d9f8654a1cc668784d9461ff0199990f310fd22bc5a2e5a3a3e98e676dbd576af55f393832e4cec581e06defb193ae651771309d686632e64143a5ebae2c32011e1eaaed662965a7f09c961a56377529bf03c068f4d721928
+Breaking final exponentiation hard part into the two parts (usually labeled w0 and w1)
+|w0| = 0x68f6427062e1b0b828e2c6f9f4f149496a147eaf584608da311dc0a5ef6ff10a7f6ef02c228c497824cd7cfb1e8685ab521a3d9309c6dd03ba806d298c79fc59521646d73808c511aff40fcf00000826f9440000000008c
+w0 is negative = false
+|w1| = 0xad1972339049ce762c77d5ac34cb12efc856a0853c9db94cc61c554757551c0c832ba4061000003b3de5800000000089
+```
+
+#### Fine points and encoding of base elements
+
+##### Field elements encoding:
+
+To encode points involved in the operation one has to encode elements of the base field and the extension field. Base field is 761 bit long.
+
+Base field element (Fp) is encoded as `96` bytes by performing BigEndian encoding of the corresponding (unsigned) integer. Corresponding integer **must** be less than field modulus.
+
+For elements of the quadratic extension field (Fp3) encoding is byte concatenation of individual encoding of the coefficients totaling in `3 * 96 = 288` bytes for a total encoding. For an Fp2 element in a form `el = c0 + c1 * v + c * v^2` where `v` is formal cubic non-residue and `c0`, `c1` and `c2` are Fp elements the corresponding byte encoding will be `encode(c0) || encode(c1) || encode(c2)` where `||` means byte concatenation.
+
+If encodings to not follow this spec anywhere during parsing in the precompile the precompile *must* return an error.
+
+##### Encoding of uncompressed points:
+
+Points in either G1 (in base field) or in G2 (in extension field) are encoded as byte concatenation of encodings of the `x` and `y` affine coordinates. Total encoding length for G1 point is thus `192` bytes and for G2 point is `576` bytes.
+
+##### Point of infinity encoding:
+
+Also referred as "zero point". For curves with `B != 0` point with coordinates `(0, 0)` (formal zeroes in Fp or Fp3) is *not* on the curve, so encoding of such point `(0, 0)` is used as a convention to encode point of infinity.
+
+##### Boolean encoding for subgroup checks:
+
+For subgroup checks it's required to encode whether it's required to run a subgroup check for the G1/G2 point or not. For this we encode a boolean as a *single byte* `0x00` for `false` and `0x01` for `true`.
+
+##### Encoding of scalars for multiplication operation:
+
+Group order has 377 bits so scalars for multiplication operation is redundantly encoded as `48` bytes by performing BigEndian encoding of the corresponding (unsigned) integer. Corresponding integer is **not** required to be less than or equal than main subgroup size.
+
+#### ABI for operations
+
+##### ABI for G1 addition
+
+G1 addition call expects `384` bytes as an input that is interpreted as byte concatenation of two G1 points (`192` bytes each). Output is an encoding of addition operation result.
+
+Error cases:
+- Either of points being not on the curve must result in error
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+##### ABI for G1 multiplication
+
+G1 multiplication call expects `240` bytes as an input that is interpreted as byte concatenation of encoding of G1 point (`192` bytes) and encoding of a scalar value (`48` bytes). Output is an encoding of multiplication operation result.
+
+Error cases:
+- Point being not on the curve must result in error
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+##### ABI for G1 multiexponentiation
+
+G1 multiplication call expects `240*k` bytes as an input that is interpreted as byte concatenation of `k` slices each of them being a byte concatenation of encoding of G1 point (`192` bytes) and encoding of a scalar value (`48` bytes). Output is an encoding of multiexponentiation operation result.
+
+Error cases:
+- Any of G1 points being not on the curve must result in error
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+##### ABI for G2 addition
+
+G2 addition call expects `1152` bytes as an input that is interpreted as byte concatenation of two G2 points (`576` bytes each). Output is an encoding of addition operation result.
+
+Error cases:
+- Either of points being not on the curve must result in error
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+##### ABI for G2 multiplication
+
+G2 multiplication call expects `624` bytes as an input that is interpreted as byte concatenation of encoding of G2 point (`576` bytes) and encoding of a scalar value (`48` bytes). Output is an encoding of multiplication operation result.
+
+Error cases:
+- Point being not on the curve must result in error
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+##### ABI for G2 multiexponentiation
+
+G2 multiplication call expects `624*k` bytes as an input that is interpreted as byte concatenation of `k` slices each of them being a byte concatenation of encoding of G2 point (`576` bytes) and encoding of a scalar value (`48` bytes). Output is an encoding of multiexponentiation operation result.
+
+Error cases:
+- Any of G2 points being not on the curve must result in error
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+##### ABI for pairing
+
+Pairing call expects `770*k` bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure:
+- single byte to encode if the following G1 point needs a subgroup check
+- `192` bytes of G1 point encoding
+- single byte to encode if the following G2 point needs a subgroup check
+- `576` bytes of G2 point encoding
+
+Output is a single byte `0x01` if pairing result is equal to multiplicative identity in a pairing target field and `0x00` otherwise.
+
+Error cases:
+- Invalid encoding of any boolean variable must result in error
+- Any of G1 or G2 points being not on the curve must result in error
+- Any of G1 or G2 points for which subgroup check is requested in not actually in a subgroup
+- Field elements encoding rules apply (obviously)
+- Input has invalid length
+
+#### Gas schedule
+
+Assuming a constant `30 MGas/second` following prices are suggested.
+
+##### G1 addition
+
+`1600` gas
+
+##### G1 multiplication
+
+`60000` gas
+
+##### G2 addition
+
+`17000` gas
+
+##### G2 multiplication
+
+`530000` gas
+
+##### G1/G2 Multiexponentiation
+
+Multiexponentiations are expected to be performed by the Peppinger algorithm (we can also say that is **must** be performed by Peppinger algorithm to have a speedup that results in a discount over naive implementation by multiplying each pair separately and adding the results). For this case there was a table prepared for discount in case of `k <= 128` points in the multiexponentiation with a discount cup `max_discount` for `k > 128`.
+
+To avoid non-integer arithmetic call cost is calculated as `k * multiplication_cost * discount / multiplier` where `multiplier = 1000`, `k` is a number of (scalar, point) pairs for the call, `multiplication_cost` is a corresponding single multiplication call cost for G1/G2.
+
+Discounts table as a vector of pairs `[k, discount]`:
+
+```
+[[1, 1200], [2, 888], [3, 764], [4, 641], [5, 594], [6, 547], [7, 500], [8, 453], [9, 438], [10, 423], [11, 408], [12, 394], [13, 379], [14, 364], [15, 349], [16, 334], [17, 330], [18, 326], [19, 322], [20, 318], [21, 314], [22, 310], [23, 306], [24, 302], [25, 298], [26, 294], [27, 289], [28, 285], [29, 281], [30, 277], [31, 273], [32, 269], [33, 268], [34, 266], [35, 265], [36, 263], [37, 262], [38, 260], [39, 259], [40, 257], [41, 256], [42, 254], [43, 253], [44, 251], [45, 250], [46, 248], [47, 247], [48, 245], [49, 244], [50, 242], [51, 241], [52, 239], [53, 238], [54, 236], [55, 235], [56, 233], [57, 232], [58, 231], [59, 229], [60, 228], [61, 226], [62, 225], [63, 223], [64, 222], [65, 221], [66, 220], [67, 219], [68, 219], [69, 218], [70, 217], [71, 216], [72, 216], [73, 215], [74, 214], [75, 213], [76, 213], [77, 212], [78, 211], [79, 211], [80, 210], [81, 209], [82, 208], [83, 208], [84, 207], [85, 206], [86, 205], [87, 205], [88, 204], [89, 203], [90, 202], [91, 202], [92, 201], [93, 200], [94, 199], [95, 199], [96, 198], [97, 197], [98, 196], [99, 196], [100, 195], [101, 194], [102, 193], [103, 193], [104, 192], [105, 191], [106, 191], [107, 190], [108, 189], [109, 188], [110, 188], [111, 187], [112, 186], [113, 185], [114, 185], [115, 184], [116, 183], [117, 182], [118, 182], [119, 181], [120, 180], [121, 179], [122, 179], [123, 178], [124, 177], [125, 176], [126, 176], [127, 175], [128, 174]]
+```
+
+`max_discount = 174`
+
+##### Pairing operaiton
+
+Base cost of the pairing operation is `900000*k + 75000` where `k` is a number of pairs.
+
+Each point (either G1 or G2) for which subgroup check is requested and performed adds the corresponding G1/G2 multiplication cost to it.
+
+## Rationale
+<!--The rationale fleshes out the specification by describing what motivated the design and why particular design decisions were made. It should describe alternate designs that were considered and related work, e.g. how the feature is supported in other languages. The rationale may also provide evidence of consensus within the community, and should discuss important objections or concerns raised during discussion.-->
+Motivation section covers a total motivation to have operations over this curve to be available. We also extend a rationale for move specific fine points.
+
+#### Multiexponentiation as a separate call
+
+Explicit separate multiexponentiation operation that allows one to save execution time (so gas) by both the algorithm used (namely Peppinger algorithm) and (usually forgotten) by the fact that `CALL` operation in Ethereum is expensive (at the time of writing), so one would have to pay non-negigible overhead if e.g. for multiexponentiation of `100` points would have to call the multipication precompile `100` times and addition for `99` times (roughly `138600` would be saved).
+
+#### Explicit subgroup checks
+
+Subgroup checks are made optional both due to the fact that they can be performed explicitly by the caller (by multiplication operation) and due to the fact that subgroup checks in G2 that are expensive are not required in most of the cases cause G2 points are usually "hardcoded" and not supplied by the untrusted third party.
+
+## Backwards Compatibility
+<!--All EIPs that introduce backwards incompatibilities must include a section describing these incompatibilities and their severity. The EIP must explain how the author proposes to deal with these incompatibilities. EIP submissions without a sufficient backwards compatibility treatise may be rejected outright.-->
+There are no backward compatibility questions.
+
+## Test Cases
+<!--Test cases for an implementation are mandatory for EIPs that are affecting consensus changes. Other EIPs can choose to include links to test cases if applicable.-->
+
+Due to the large test parameters space we first provide properties that various operations must satisfy. We use additive notation for point operations, capital letters (`P`, `Q`) for points, small letters (`a`, `b`) for scalars. Generator for G1 is labeled as `G`, generator for G2 is labeled as `H`, otherwise we assume random point on a curve in a correct subgroup. `0` means either scalar zero or point of infinity. `1` means either scalar one or multiplicative identity. `group_order` is a main subgroup order. `e(P, Q)` means pairing operation where `P` is in G1, `Q` is in G2. 
+
+Requeired properties for basic ops (add/multiply):
+
+- Commutativity: `P + Q = Q + P`
+- Additive negation: `P + (-P) = 0`
+- Doubling `P + P = 2*P`
+- Subgroup check: `group_order * P = 0`
+- Trivial multiplication check: `1 * P = P`
+- Multiplication by zero: `0 * P = 0`
+- Multiplication by the unnormalized scalar `(scalar + group_order) * P = scalar * P`
+
+Required properties for pairing operation:
+- Degeneracy `e(P, 0*Q) = e(0*P, Q) = 1` 
+- Bilinearity `e(a*P, b*Q) = e(a*b*P, Q) = e(P, a*b*Q)` (internal test, not visible through ABI)
+
+Test vector for all operations are expanded in this [gist](https://gist.github.com/shamatar/c2cf7608fb4dee4d23f40461da15ad8c) until it's final.
+
+## Implementation
+<!--The implementations must be completed before any EIP is given status "Final", but it need not be completed before the EIP is accepted. While there is merit to the approach of reaching consensus on the specification and rationale before writing code, the principle of "rough consensus and running code" is still useful when it comes to resolving many discussions of API details.-->
+There is a various choice of existing implementations:
+- EY's `zk-swap-libff` 
+- EIP1962 code bases with fixed parameters
+
+## Security Considerations
+<!--All EIPs must contain a section that discusses the security implications/considerations relevant to the proposed change. Include information that might be important for security discussions, surfaces risks and can be used throughout the life cycle of the proposal. E.g. include security-relevant design decisions, concerns, important discussions, implementation-specific guidance and pitfalls, an outline of threats and risks and how they are being addressed. EIP submissions missing the "Security Considerations" section will be rejected. An EIP cannot proceed to status "Final" without a Security Considerations discussion deemed sufficient by the reviewers.-->
+Strictly following the spec will eliminate security implications or consensus implications in a contrast to the previous BN254 precompile.
+
+Important topic is a "constant time" property for performed operations. We explicitly state that this precompile **IS NOT REQUIRED** to perform all the operations using constant time algorithms.
+
+## Copyright
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

From 9c30e6d28860ac2cee1e0955f2b47c6fb2b6626b Mon Sep 17 00:00:00 2001
From: Alex Vlasov <alex.m.vlasov@gmail.com>
Date: Thu, 27 Feb 2020 22:24:40 +0300
Subject: [PATCH 2/2] set EIP number

---
 EIPS/{eip-x.md => eip-2541.md} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename EIPS/{eip-x.md => eip-2541.md} (99%)

diff --git a/EIPS/eip-x.md b/EIPS/eip-2541.md
similarity index 99%
rename from EIPS/eip-x.md
rename to EIPS/eip-2541.md
index 443ffe7c2f3c26..fa84edcddf1586 100644
--- a/EIPS/eip-x.md
+++ b/EIPS/eip-2541.md
@@ -1,8 +1,8 @@
 ---
-eip: -
+eip: 2541
 title: EY SW6-Bis curve operations
 author: Alex Vlasov (@shamatar)
-discussions-to: https://github.com/ethereum/EIPs/pull/2539
+discussions-to: https://github.com/ethereum/EIPs/pull/2541
 status: Draft
 type: Standards Track
 category: Core