ec pairing simplify (#873)

* wip testing

* wip compilation

* fix: ecc circuit can handle all inputs

* if all pairs are zero then success == true

* chore: refactor

Author: roynalnaruto

bus-mapping/src/circuit_input_builder/execution.rs

@@ -2,7 +2,7 @@
 
 use std::{
     marker::PhantomData,
-    ops::{Add, Mul},
+    ops::{Add, Mul, Neg},
 };
 
 use crate::{
@@ -21,7 +21,11 @@ use ethers_core::k256::elliptic_curve::subtle::CtOption;
 use gadgets::impl_expr;
 use halo2_proofs::{
     arithmetic::{CurveAffine, Field},
-    halo2curves::bn256::{Fq, Fq2, Fr, G1Affine, G2Affine},
+    circuit::Value,
+    halo2curves::{
+        bn256::{Fq, Fq2, Fr, G1Affine, G2Affine},
+        group::prime::PrimeCurveAffine,
+    },
     plonk::Expression,
 };
 
@@ -1175,6 +1179,28 @@ impl EcPairingPair {
             .collect()
     }
 
+    /// ...
+    pub fn to_g1_affine_tuple(&self) -> (Value<Fq>, Value<Fq>) {
+        (
+            Value::known(Fq::from_bytes(&self.g1_point.0.to_le_bytes()).unwrap()),
+            Value::known(Fq::from_bytes(&self.g1_point.1.to_le_bytes()).unwrap()),
+        )
+    }
+
+    /// ...
+    pub fn to_g2_affine_tuple(&self) -> (Value<Fq2>, Value<Fq2>) {
+        (
+            Value::known(Fq2 {
+                c0: Fq::from_bytes(&self.g2_point.1.to_le_bytes()).unwrap(),
+                c1: Fq::from_bytes(&self.g2_point.0.to_le_bytes()).unwrap(),
+            }),
+            Value::known(Fq2 {
+                c0: Fq::from_bytes(&self.g2_point.3.to_le_bytes()).unwrap(),
+                c1: Fq::from_bytes(&self.g2_point.2.to_le_bytes()).unwrap(),
+            }),
+        )
+    }
+
     /// Returns the big-endian representation of the G2 point in the pair.
     pub fn g2_bytes_be(&self) -> Vec<u8> {
         std::iter::empty()
@@ -1199,69 +1225,16 @@ impl EcPairingPair {
             .collect()
     }
 
-    /// Padding pair for ECC circuit. The pairing check is done with a constant number
-    /// `N_PAIRING_PER_OP` of (G1, G2) pairs. The ECC circuit under the hood uses halo2-lib to
-    /// compute the multi-miller loop, which allows `(G1::Infinity, G2::Generator)` pair to skip
-    /// the loop for that pair. So in case the EVM inputs are less than `N_PAIRING_PER_OP` we pad
-    /// the ECC Circuit inputs by this pair. Any EVM input of `(G1::Infinity, G2)` or
-    /// `(G1, G2::Infinity)` is also transformed into `(G1::Infinity, G2::Generator)`.
-    pub fn ecc_padding() -> Self {
-        Self {
-            g1_point: (U256::zero(), U256::zero()),
-            g2_point: (
-                U256([
-                    0x97e485b7aef312c2,
-                    0xf1aa493335a9e712,
-                    0x7260bfb731fb5d25,
-                    0x198e9393920d483a,
-                ]),
-                U256([
-                    0x46debd5cd992f6ed,
-                    0x674322d4f75edadd,
-                    0x426a00665e5c4479,
-                    0x1800deef121f1e76,
-                ]),
-                U256([
-                    0x55acdadcd122975b,
-                    0xbc4b313370b38ef3,
-                    0xec9e99ad690c3395,
-                    0x090689d0585ff075,
-                ]),
-                U256([
-                    0x4ce6cc0166fa7daa,
-                    0xe3d1e7690c43d37b,
-                    0x4aab71808dcb408f,
-                    0x12c85ea5db8c6deb,
-                ]),
-            ),
-        }
-    }
-
-    /// Padding pair for EVM circuit. The pairing check is done with a constant number
+    /// Padding pair for EcPairing operation. The pairing check is done with a constant number
     /// `N_PAIRING_PER_OP` of (G1, G2) pairs. In case EVM inputs are less in number, we pad them
     /// with `(G1::Infinity, G2::Infinity)` for simplicity.
-    pub fn evm_padding() -> Self {
+    pub fn padding_pair() -> Self {
         Self {
             g1_point: (U256::zero(), U256::zero()),
             g2_point: (U256::zero(), U256::zero(), U256::zero(), U256::zero()),
         }
     }
 
-    /// Whether or not we swap the EVM pair with ECC pair. We do this iff:
-    /// - G1 is (0, 0)
-    /// - G2 is (0, 0, 0, 0)
-    ///
-    /// because for the above case, we have:
-    /// - (G1::identity, G2::identity) as inputs from the EVM.
-    /// - (G1::identity, G2::generator) as inputs to ECC Circuit.
-    pub fn swap(&self) -> bool {
-        (self.g1_point.0.is_zero() && self.g1_point.1.is_zero())
-            && (self.g2_point.0.is_zero()
-                && self.g2_point.1.is_zero()
-                && self.g2_point.2.is_zero()
-                && self.g2_point.3.is_zero())
-    }
-
     fn is_valid(&self) -> bool {
         let fq_from_u256 = |buf: &mut [u8; 32], u256: U256| -> CtOption<Fq> {
             u256.to_little_endian(buf);
@@ -1353,6 +1326,24 @@ impl EcPairingOp {
     pub fn is_valid(&self) -> bool {
         self.pairs.iter().all(|pair| pair.is_valid())
     }
+
+    /// Dummy pairing op that satisfies the pairing check.
+    pub fn dummy_pairing_check_ok() -> Self {
+        let g1 = G1Affine::from(G1Affine::generator() * Fr::from(2));
+        let g1_neg = g1.neg();
+        let g2 = G2Affine::from(G2Affine::generator() * Fr::from(3));
+        let other_g1 = G1Affine::from(G1Affine::generator() * Fr::from(6));
+        let other_g2 = G2Affine::generator();
+        Self {
+            pairs: [
+                EcPairingPair::new(g1_neg, g2),
+                EcPairingPair::new(other_g1, other_g2),
+                EcPairingPair::new(G1Affine::identity(), G2Affine::generator()),
+                EcPairingPair::new(G1Affine::identity(), G2Affine::generator()),
+            ],
+            output: 1.into(),
+        }
+    }
 }
 
 /// Event representating an exponentiation `a ^ b == d (mod m)` in precompile modexp.

bus-mapping/src/evm/opcodes/precompiles/ec_pairing.rs

@@ -1,4 +1,5 @@
 use eth_types::U256;
+use itertools::Itertools;
 
 use crate::{
     circuit_input_builder::{
@@ -33,7 +34,7 @@ pub(crate) fn opt_data(
         );
     }
 
-    let (op, aux_data) = if let Some(input) = input_bytes {
+    let op = if let Some(input) = input_bytes {
         if (input.len() > N_PAIRING_PER_OP * N_BYTES_PER_PAIR)
             || (input.len() % N_BYTES_PER_PAIR != 0)
         {
@@ -49,11 +50,11 @@ pub(crate) fn opt_data(
                 && input.len() <= N_PAIRING_PER_OP * N_BYTES_PER_PAIR
         );
         // process input bytes.
-        let (mut ecc_pairs, mut evm_pairs): (Vec<EcPairingPair>, Vec<EcPairingPair>) = input
+        let mut pairs = input
             .chunks_exact(N_BYTES_PER_PAIR)
             .map(|chunk| {
                 // process <= 192 bytes chunk at a time.
-                let evm_circuit_pair = EcPairingPair {
+                EcPairingPair {
                     g1_point: (
                         U256::from_big_endian(&chunk[0x00..0x20]),
                         U256::from_big_endian(&chunk[0x20..0x40]),
@@ -64,47 +65,27 @@ pub(crate) fn opt_data(
                         U256::from_big_endian(&chunk[0x80..0xA0]),
                         U256::from_big_endian(&chunk[0xA0..0xC0]),
                     ),
-                };
-                // if EVM inputs were 0s.
-                let ecc_circuit_pair = if evm_circuit_pair.swap() {
-                    EcPairingPair::ecc_padding()
-                } else {
-                    evm_circuit_pair
-                };
-                (ecc_circuit_pair, evm_circuit_pair)
+                }
             })
-            .unzip();
+            .collect_vec();
         // pad the pairs to make them of fixed size: N_PAIRING_PER_OP.
-        ecc_pairs.resize(N_PAIRING_PER_OP, EcPairingPair::ecc_padding());
-        evm_pairs.resize(N_PAIRING_PER_OP, EcPairingPair::evm_padding());
-        (
-            EcPairingOp {
-                pairs: <[_; N_PAIRING_PER_OP]>::try_from(ecc_pairs).unwrap(),
-                output: pairing_check,
-            },
-            EcPairingAuxData(EcPairingOp {
-                pairs: <[_; N_PAIRING_PER_OP]>::try_from(evm_pairs).unwrap(),
-                output: pairing_check,
-            }),
-        )
+        pairs.resize(N_PAIRING_PER_OP, EcPairingPair::padding_pair());
+        EcPairingOp {
+            pairs: <[_; N_PAIRING_PER_OP]>::try_from(pairs).unwrap(),
+            output: pairing_check,
+        }
     } else {
-        // if no input bytes.
-        let ecc_pairs = [EcPairingPair::ecc_padding(); N_PAIRING_PER_OP];
-        let evm_pairs = [EcPairingPair::evm_padding(); N_PAIRING_PER_OP];
-        (
-            EcPairingOp {
-                pairs: ecc_pairs,
-                output: pairing_check,
-            },
-            EcPairingAuxData(EcPairingOp {
-                pairs: evm_pairs,
-                output: pairing_check,
-            }),
-        )
+        let pairs = [EcPairingPair::padding_pair(); N_PAIRING_PER_OP];
+        EcPairingOp {
+            pairs,
+            output: pairing_check,
+        }
     };
 
     (
-        Some(PrecompileEvent::EcPairing(Box::new(op))),
-        Some(PrecompileAuxData::EcPairing(Box::new(Ok(aux_data)))),
+        Some(PrecompileEvent::EcPairing(Box::new(op.clone()))),
+        Some(PrecompileAuxData::EcPairing(Box::new(Ok(
+            EcPairingAuxData(op),
+        )))),
     )
 }