FP12 to Bytes in golang wrapper #101

MariusVanDerWijden · 2022-01-18T10:29:01Z

I've been trying to add BLST to our BLS fuzzing framework for go-ethereum in anticipation of EIP-2537.
One thing I struggle with is how to do pairings and get the result instead of just verifying if the result is 1.
I'm pretty sure that I can create the pairing as follows. My problem is now to compare the results from BLST to the other libraries.
Gnark and our internal library both provide a way to marshal the result (an FP12) into bytes, so we can compare them.
It would be great if blst exposed something similar too.

var b []byte
ctx := blst.PairingCtx(false, b)
// compute pairing using blst
blst.PairingRawAggregate(ctx, blG2, blG1)
blstResult := blst.PairingAsFp12(ctx)

My wip PR for inclusion of blst into geth: ethereum/go-ethereum#24249

dot-asm · 2022-01-18T12:14:34Z

It's not really a big problem as soon as there is an agreement on representation. Say, big-endian 48-byte arrays in order of appearance?

dot-asm · 2022-01-18T12:25:13Z

On a tangential note. The purpose of blst.PairingRawAggregate is to facilitate multi-input operations. It's faster that way. For single inputs one can just as well use blst.Fp12MillerLoop. This is not an objection to using PairingRawAggregate, but merely an informational note in case you find the additional steps incurred by PairingRawAggregate distracting;-)

MariusVanDerWijden · 2022-01-18T12:32:02Z

No, not a big problem, just that it's not possible to get the bytes representation (since P12 is an alias for a c-struct)

dot-asm · 2022-01-18T12:44:09Z

Do answer the question:-) Can we agree on big-endian?

MariusVanDerWijden · 2022-01-18T13:14:35Z

That's what the others do:

func (z *E12) Bytes() (r [SizeOfGT]byte) {
	_z := *z
	_z.FromMont()
	binary.BigEndian.PutUint64(r[568:576], _z.C0.B0.A0[0])
	binary.BigEndian.PutUint64(r[560:568], _z.C0.B0.A0[1])
	binary.BigEndian.PutUint64(r[552:560], _z.C0.B0.A0[2])
	binary.BigEndian.PutUint64(r[544:552], _z.C0.B0.A0[3])
	binary.BigEndian.PutUint64(r[536:544], _z.C0.B0.A0[4])
	binary.BigEndian.PutUint64(r[528:536], _z.C0.B0.A0[5])

	binary.BigEndian.PutUint64(r[520:528], _z.C0.B0.A1[0])
	binary.BigEndian.PutUint64(r[512:520], _z.C0.B0.A1[1])
	binary.BigEndian.PutUint64(r[504:512], _z.C0.B0.A1[2])
	binary.BigEndian.PutUint64(r[496:504], _z.C0.B0.A1[3])
	binary.BigEndian.PutUint64(r[488:496], _z.C0.B0.A1[4])
	binary.BigEndian.PutUint64(r[480:488], _z.C0.B0.A1[5])

	binary.BigEndian.PutUint64(r[472:480], _z.C0.B1.A0[0])
	binary.BigEndian.PutUint64(r[464:472], _z.C0.B1.A0[1])
	binary.BigEndian.PutUint64(r[456:464], _z.C0.B1.A0[2])
	binary.BigEndian.PutUint64(r[448:456], _z.C0.B1.A0[3])
	binary.BigEndian.PutUint64(r[440:448], _z.C0.B1.A0[4])
	binary.BigEndian.PutUint64(r[432:440], _z.C0.B1.A0[5])

	binary.BigEndian.PutUint64(r[424:432], _z.C0.B1.A1[0])
	binary.BigEndian.PutUint64(r[416:424], _z.C0.B1.A1[1])
	binary.BigEndian.PutUint64(r[408:416], _z.C0.B1.A1[2])
	binary.BigEndian.PutUint64(r[400:408], _z.C0.B1.A1[3])
	binary.BigEndian.PutUint64(r[392:400], _z.C0.B1.A1[4])
	binary.BigEndian.PutUint64(r[384:392], _z.C0.B1.A1[5])

	binary.BigEndian.PutUint64(r[376:384], _z.C0.B2.A0[0])
	binary.BigEndian.PutUint64(r[368:376], _z.C0.B2.A0[1])
	binary.BigEndian.PutUint64(r[360:368], _z.C0.B2.A0[2])
	binary.BigEndian.PutUint64(r[352:360], _z.C0.B2.A0[3])
	binary.BigEndian.PutUint64(r[344:352], _z.C0.B2.A0[4])
	binary.BigEndian.PutUint64(r[336:344], _z.C0.B2.A0[5])

	binary.BigEndian.PutUint64(r[328:336], _z.C0.B2.A1[0])
	binary.BigEndian.PutUint64(r[320:328], _z.C0.B2.A1[1])
	binary.BigEndian.PutUint64(r[312:320], _z.C0.B2.A1[2])
	binary.BigEndian.PutUint64(r[304:312], _z.C0.B2.A1[3])
	binary.BigEndian.PutUint64(r[296:304], _z.C0.B2.A1[4])
	binary.BigEndian.PutUint64(r[288:296], _z.C0.B2.A1[5])

	binary.BigEndian.PutUint64(r[280:288], _z.C1.B0.A0[0])
	binary.BigEndian.PutUint64(r[272:280], _z.C1.B0.A0[1])
	binary.BigEndian.PutUint64(r[264:272], _z.C1.B0.A0[2])
	binary.BigEndian.PutUint64(r[256:264], _z.C1.B0.A0[3])
	binary.BigEndian.PutUint64(r[248:256], _z.C1.B0.A0[4])
	binary.BigEndian.PutUint64(r[240:248], _z.C1.B0.A0[5])

	binary.BigEndian.PutUint64(r[232:240], _z.C1.B0.A1[0])
	binary.BigEndian.PutUint64(r[224:232], _z.C1.B0.A1[1])
	binary.BigEndian.PutUint64(r[216:224], _z.C1.B0.A1[2])
	binary.BigEndian.PutUint64(r[208:216], _z.C1.B0.A1[3])
	binary.BigEndian.PutUint64(r[200:208], _z.C1.B0.A1[4])
	binary.BigEndian.PutUint64(r[192:200], _z.C1.B0.A1[5])

	binary.BigEndian.PutUint64(r[184:192], _z.C1.B1.A0[0])
	binary.BigEndian.PutUint64(r[176:184], _z.C1.B1.A0[1])
	binary.BigEndian.PutUint64(r[168:176], _z.C1.B1.A0[2])
	binary.BigEndian.PutUint64(r[160:168], _z.C1.B1.A0[3])
	binary.BigEndian.PutUint64(r[152:160], _z.C1.B1.A0[4])
	binary.BigEndian.PutUint64(r[144:152], _z.C1.B1.A0[5])

	binary.BigEndian.PutUint64(r[136:144], _z.C1.B1.A1[0])
	binary.BigEndian.PutUint64(r[128:136], _z.C1.B1.A1[1])
	binary.BigEndian.PutUint64(r[120:128], _z.C1.B1.A1[2])
	binary.BigEndian.PutUint64(r[112:120], _z.C1.B1.A1[3])
	binary.BigEndian.PutUint64(r[104:112], _z.C1.B1.A1[4])
	binary.BigEndian.PutUint64(r[96:104], _z.C1.B1.A1[5])

	binary.BigEndian.PutUint64(r[88:96], _z.C1.B2.A0[0])
	binary.BigEndian.PutUint64(r[80:88], _z.C1.B2.A0[1])
	binary.BigEndian.PutUint64(r[72:80], _z.C1.B2.A0[2])
	binary.BigEndian.PutUint64(r[64:72], _z.C1.B2.A0[3])
	binary.BigEndian.PutUint64(r[56:64], _z.C1.B2.A0[4])
	binary.BigEndian.PutUint64(r[48:56], _z.C1.B2.A0[5])

	binary.BigEndian.PutUint64(r[40:48], _z.C1.B2.A1[0])
	binary.BigEndian.PutUint64(r[32:40], _z.C1.B2.A1[1])
	binary.BigEndian.PutUint64(r[24:32], _z.C1.B2.A1[2])
	binary.BigEndian.PutUint64(r[16:24], _z.C1.B2.A1[3])
	binary.BigEndian.PutUint64(r[8:16], _z.C1.B2.A1[4])
	binary.BigEndian.PutUint64(r[0:8], _z.C1.B2.A1[5])

	return
}

so I think BigEndian would be in line

mratsim · 2022-01-18T15:15:05Z

Regarding repr of FP12 elements there will be mismatch with libraries that use Fp->Fp2->Fp4->Fp12 towering like Miracl and Constantine.

Given a sextic twist, we can express all elements in terms of z = (1+𝑖)¹ᐟ⁶

An Fp12 element coordinates becomes in the canonical repr:

c₀ + c₁ z + c₂ z² + c₃ z³ + c₄ z⁴ + c₅ z⁵

Fp2 -> Fp4 -> Fp12 towering

To map the coefficients to the canonical repr we start from this repr

(a₀ + a₁ u) + (a₂ + a₃u) v + (a₄ + a₅u) v²

with:

u = sqrt(1+𝑖)
v = u¹ᐟ³ = z

Hence we find:
c₀ <=> a₀
c₁ <=> a₂
c₂ <=> a₄
c₃ <=> a₁
c₄ <=> a₃
c₅ <=> a₅

Fp2 -> Fp6 -> Fp12 towering

To map the coefficients to the canonical repr we start from this repr

(b₀ + b₁ x + b₂ x²) + (b₃ + b₄ x + b₅ x²) y

with:

x = (1+𝑖)¹ᐟ³
y = sqrt(x) = z

Hence we find:
c₀ <=> b₀
c₁ <=> b₃
c₂ <=> b₁
c₃ <=> b₄
c₄ <=> b₂
c₅ <=> b₅

Conclusion

I suggest:

BigEndian bytes for the finite field elements
The canonical polynomial order as power of Fp2 elements in order [1, z, z², z³, z⁴, z⁵]
Fp2 elements as [1, 𝑖] finite field elements

Discussion

cc @gbotrel, @kilic

dot-asm · 2022-01-18T16:37:17Z

Canonization makes perfect sense. I have no preferences on coefficient's order, ascending or descending, so I just await for further feedback...

mratsim · 2022-01-18T17:55:39Z

Py-ECC doesn't use towerings, it goes Fp2 -> Fp12 directly so the canonical representation is well suited for them as well. (cc @hwwhww @pipermerriam)

See supranational#101 for details.

dot-asm · 2022-01-31T08:56:30Z

Please review #102.

See #101 for details.

dot-asm · 2022-05-26T16:19:19Z

Resolved. Thanks!

dot-asm added a commit to dot-asm/blst that referenced this issue Jan 31, 2022

fp12_tower.c: add blst_bendian_from_fp12.

b7bcc86

See supranational#101 for details.

dot-asm mentioned this issue Jan 31, 2022

fp12_tower.c: add blst_bendian_from_fp12. #102

Closed

mratsim mentioned this issue Feb 15, 2022

GT compression Consensys/gnark-crypto#129

Merged

mratsim mentioned this issue Feb 24, 2022

Implement serialization / deserialization of Gt zkcrypto/bls12_381#10

Open

gbotrel mentioned this issue May 25, 2022

serialization: canonical GT elements Consensys/gnark-crypto#195

Closed

dot-asm added a commit that referenced this issue May 26, 2022

fp12_tower.c: add blst_bendian_from_fp12.

b9080ca

See #101 for details.

dot-asm closed this as completed May 26, 2022

mratsim mentioned this issue Dec 11, 2023

about serialization of bn254 curve point privacy-scaling-explorations/halo2curves#109

Open

mratsim mentioned this issue Jan 11, 2024

Constantine backend grandinetech/rust-kzg#251

Merged

mratsim mentioned this issue Apr 20, 2024

Update EIP-2537: rename PAIRING to PAIRING_CHECK; introduce PAIRING_PRODUCT precomiple ethereum/EIPs#8309

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FP12 to Bytes in golang wrapper #101

FP12 to Bytes in golang wrapper #101

MariusVanDerWijden commented Jan 18, 2022 •

edited

dot-asm commented Jan 18, 2022

dot-asm commented Jan 18, 2022

MariusVanDerWijden commented Jan 18, 2022

dot-asm commented Jan 18, 2022

MariusVanDerWijden commented Jan 18, 2022 •

edited

mratsim commented Jan 18, 2022 •

edited

dot-asm commented Jan 18, 2022

mratsim commented Jan 18, 2022

dot-asm commented Jan 31, 2022

dot-asm commented May 26, 2022

FP12 to Bytes in golang wrapper #101

FP12 to Bytes in golang wrapper #101

Comments

MariusVanDerWijden commented Jan 18, 2022 • edited

dot-asm commented Jan 18, 2022

dot-asm commented Jan 18, 2022

MariusVanDerWijden commented Jan 18, 2022

dot-asm commented Jan 18, 2022

MariusVanDerWijden commented Jan 18, 2022 • edited

mratsim commented Jan 18, 2022 • edited

Fp2 -> Fp4 -> Fp12 towering

Fp2 -> Fp6 -> Fp12 towering

Conclusion

Discussion

dot-asm commented Jan 18, 2022

mratsim commented Jan 18, 2022

dot-asm commented Jan 31, 2022

dot-asm commented May 26, 2022

MariusVanDerWijden commented Jan 18, 2022 •

edited

MariusVanDerWijden commented Jan 18, 2022 •

edited

mratsim commented Jan 18, 2022 •

edited