-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Precompiled contracts for addition and scalar multiplication on the elliptic curve alt_bn128 #213
Changes from 2 commits
d8992d1
bc6de05
fdbf2ab
0ed49ac
8856795
5785324
350c8b5
0063de1
68fa87e
e0c717c
8f686cc
a0b9771
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
## Preamble | ||
<pre> | ||
EIP: <to be assigned> | ||
Title: Precompiled contracts for addition and scalar multiplication | ||
on the elliptic curve alt_bn128 | ||
Author: Christian Reitwiessner<[email protected]> | ||
Type: Standard Track | ||
Category: Core | ||
Status: Draft | ||
Created: 2017-02-02 | ||
</pre> | ||
|
||
## Simple Summary | ||
|
||
Precompiled contracts for elliptic curve operations are required in order to perform zkSNARK verification within the block gas limit. | ||
|
||
## Abstract | ||
|
||
This EIP suggests to add precompiled contracts for addition and scalar multiplication on a specific pairing-friendly elliptic curve. This can in turn be combined with https://github.com/ethereum/EIPs/pull/212 to verify zkSNARKs in Ethereum smart contracts. The general benefit of zkSNARKs for Ethereum is that it will increase the privacy for users (because of the Zero-Knowledge property) and might also be a scalability solution (because of the succinctness and efficient verifiability property). | ||
|
||
## Motivation | ||
|
||
Current smart contract executions on Ethereum are fully transparent, which makes them unsuitable for several use-cases that involve private information like the location, identity or history of past transactions. The technology of zkSNARKs could be a solution to this problem. While the Ethereum Virtual Machine can make use of zkSNARKs in theory, they are currently too expensive | ||
to fit the block gas limit. Because of that, this EIP proposes to specify certain parameters for some elementary primitives that enable zkSNARKs so that they can be implemented more efficiently and the gas cost be reduced. | ||
|
||
Note that fixing these parameters will in no way limit the use-cases for zkSNARKs, it will even allow for incorporating some advances in zkSNARK research without the need for a further hard fork. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I cannot immediately grasp how fixing parameters makes it easier to incorporate advances. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Changed the wording. |
||
|
||
## Specification | ||
|
||
Add precompiled contracts for point addition (ADD) and scalar multiplication (MUL) on the elliptic curve "alt_bn128". | ||
|
||
Address of ADD: 0x6 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. EIP 101 also uses this address. |
||
Address for MUL: 0x7 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. EIP 101 uses this address too. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we make sure the precompiled addresses are continuous in the end? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think so. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The available addresses seem to be There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would it make sense changing #96 to use continuous addresses? |
||
|
||
The curve is defined by: | ||
``` | ||
Y^2 = X^3 + 3 | ||
over the field F_p with | ||
p = 21888242871839275222246405745257275088696311157297823662689037894645226208583 | ||
``` | ||
|
||
### Encoding | ||
|
||
Field elements and scalars are encoded as 32 byte big-endian numbers. Curve points are encoded as two field elements `(x, y)`, where the point at infinity is encoded as `(0, 0)`. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Isn't zero already used? I guess the elements of F_p are represented by numbers in the range of There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, but There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK. Somehow I was thinking about |
||
|
||
For both precompiled contracts, if the input is shorter than expected, it is padded with zeros at the end. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is the padding bit-wise or byte-wise? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also, does it make sense to pad a big-endian number at the end? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Changed the wording, please see if you come to the conclusion that these questions are irrelevant :-) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I was reading "if any parameter is less than 2^255, thus any parameter is shorter than expected, the caller should pad the input at the end before calling the contract". Now this interpretation is impossible. |
||
|
||
The length of the returned data is always as specified (i.e. it is not "unpadded"). | ||
|
||
### Exact semantics | ||
|
||
Invalid input: For both contracts, if any input point does not lie on the curve or any of the field elements (point coordinates or scalar) is equal or larger than the field modulus p, the contract fails. | ||
|
||
#### ADD | ||
Input: two curve points `(x, y)`. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does this mean the input has 128 bytes, or are field elements put in RLP or some structure? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clarified above. |
||
Output: curve point `x + y`, where `+` is point addition on the elliptic curve `alt_bn128` specified above. | ||
Fails on invalid input and consumes all gas provided. | ||
|
||
#### MUL | ||
Input: curve point and scalar `(x, s)`. | ||
Output: curve point `s * x`, where `*` is the scalar multiplication on the elliptic curve `alt_bn128` specified above. | ||
Fails on invalid input and consumes all gas. | ||
|
||
### Gas costs | ||
|
||
To be determined. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Three or four clients have already implemented this. So cross-benchmark should be possible already, for determining the ga s costs. |
||
|
||
## Rationale | ||
|
||
The specific curve `alt_bn128` was chosen because it is particularly well-suited for zkSNARKs, or, more specifically their verification building block of pairing functions. Furthermore, by choosing this curve, we can use synergy effects with ZCash and re-use some of their components and artifacts. | ||
|
||
The feature of adding curve and field parameters to the inputs was considered but ultimately rejected since it complicates the specification: The gas costs are much harder to determine and it would be possible to call the contracts on something which is not an actual elliptic curve. | ||
|
||
A non-compact point encoding was chosen since it still allows to perform some operations in the smart contract itself (inclusion of the full y coordinate) and two encoded points can be compared for equality (no third projective coordinate). | ||
|
||
## Backwards Compatibility | ||
|
||
As with the introduction of any precompiled contract, contracts that already use the given addresses will change their semantics. Because of that, the addresses are taken from the "reserved range" below 256. | ||
|
||
## Test Cases | ||
|
||
To be written. | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can someone create those tests cases and include them here? |
||
## Implementation | ||
|
||
Implementation of these primitives are available here: | ||
|
||
- [libsnark](https://github.com/scipr-lab/libsnark/blob/master/src/algebra/curves/alt_bn128/alt_bn128_g1.hpp) (C++) | ||
- [bn](https://github.com/zcash/bn/blob/master/src/groups/mod.rs) (Rust) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. link is broken There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To be precise, the |
||
|
||
In both codebases, a specific group on the curve alt_bn128 is used and is called G1. | ||
|
||
- [Python](https://github.com/ethereum/research/blob/master/zksnark/bn128_curve.py) - probably most self-contained and best readable. | ||
|
||
## Copyright | ||
|
||
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the
<pre>
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was part of the template.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You might be using an old template.