This repository was archived by the owner on Apr 18, 2025. It is now read-only.

Conversation


@roynalnaruto roynalnaruto commented Sep 1, 2023

Description

EVM behaviour is as follows:

  1. Process the G1 and G2 bytes
  2. If G1 is invalid, i.e. the point is not on the curve, then is_success == false
  3. If G2 is invalid, i.e. the point is not on the curve, then is_success == false
  4. If G1 and G2 are both valid
    • If G1 is G1::identity (with a random valid G2) then skip the pair while computing the Miller loop
    • If G2 is G2::identity (with a random valid G1) then skip the pair while computing the Miller loop

Before PR

Before this PR, the inputs to the ECC Circuit were possibly different from the inputs to the EVM. Specifically, in the case where (G1::identity, G2::identity) was input to the EVM, we replaced it with (G1::identity, G2::generator) for the ECC Circuit.

The problem with this approach:
We were struggling to handle valid vs. invalid inputs. The cases where (G1::identity, G2::random) or (G1::random, G2::identity) were input were not covered.

After PR

The ECC Circuit now handles exactly the same input as provided to the EVM. There is no "swapping" of inputs. The padded pair (to make 4 pairs) is also (G1::identity, G2::identity).

We use several conditions to appropriately pass pairs to the multi Miller loop algorithm, so that we avoid a panic in all cases.

  • is_zero_pair covers:
    • G1: (0, 0) and G2: random valid
    • G2: (0, 0, 0, 0) and G1: random valid
  • are_pairs_zero represents whether all pairs satisfy is_zero_pair
  • If either G1 is invalid (not on the curve) or G2 is invalid (not on the curve):
    • Swap the pair with (G1::random, G2::random)
    • The EVM would interpret this as a failure case, hence pairing_check == false
    • However, if we used the invalid points, the multi_miller_loop would panic
    • So we swap in random points, expecting the pairing check to fail
    • And we add an assertion that pairing_check == false if is_valid == false
  • If G1: (0, 0) and G2: random valid, or G2: (0, 0, 0, 0) and G1: random valid, then:
    • Swap the pair with (G1::identity, G2::generator)
  • If all the pairs are zero, i.e. are_pairs_zero == true, then:
    • Swap the pairs with dummy pairs that satisfy the pairing check
    • This is done because the EVM interprets this as pairing_check == 1, although multi_miller_loop would panic

Issue Link

Closes #868

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

@lispc lispc merged commit 89e7511 into develop Sep 2, 2023
@lispc lispc deleted the fix/ec-pairing-simplify branch September 2, 2023 02:11
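The input-handling rules listed in the description, modelled as an added example. This is not code from this repository: it parses raw EIP-197 ecPairing input, classifies each BN254 (G1, G2) pair as invalid, zero or ordinary, and applies the substitutions the PR describes so that no invalid point and no identity point is handed to a multi Miller loop. The Miller loop itself is not implemented; the function returns the pairs it would be given plus the is_valid / are_pairs_zero flags. Assumptions (not from the page): a capacity of four pairs (N_PAIRS), fixed valid stand-in points instead of random ones, and no G2 subgroup check.

```python
"""Model of the ecPairing input handling described in the PR above.

Added example, not code from scroll-tech/zkevm-circuits. Assumptions:
N_PAIRS = 4 as the circuit capacity, fixed generators as the "random valid"
stand-in points, and no G2 subgroup check (EIP-197 requires one, but it is
outside what this model classifies).
"""

P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
G1_ID = (0, 0)                      # EVM encoding of the G1 identity
G1_GEN = (1, 2)
G2_ID = ((0, 0), (0, 0))            # EVM encoding of the G2 identity
# Standard BN254 G2 generator; Fp2 elements are stored as (real, imag).
G2_GEN = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)
# Twist coefficient b2 = 3 / (9 + i) = (27 - 3i) / 82 in Fp2.
_INV82 = pow(82, -1, P)
B2 = (27 * _INV82 % P, (-3 * _INV82) % P)
N_PAIRS = 4                         # assumed circuit capacity, as in the PR text


def fp2_mul(a, b):
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)


def fp2_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)


def g1_on_curve(pt):
    """y^2 = x^3 + 3 over Fp; (0, 0) is accepted as the identity."""
    if pt == G1_ID:
        return True
    x, y = pt
    if x >= P or y >= P:            # coordinates must be reduced mod p
        return False
    return (y * y - x * x * x - 3) % P == 0


def g2_on_curve(pt):
    """y^2 = x^3 + b2 over Fp2; ((0, 0), (0, 0)) is accepted as the identity."""
    if pt == G2_ID:
        return True
    x, y = pt
    if any(c >= P for c in x + y):
        return False
    return fp2_mul(y, y) == fp2_add(fp2_mul(fp2_mul(x, x), x), B2)


def g1_neg(pt):
    return pt if pt == G1_ID else (pt[0], (-pt[1]) % P)


def encode_pair(g1, g2):
    """Serialise one pair as EIP-197 expects: x, y, x_im, x_re, y_im, y_re."""
    words = [g1[0], g1[1], g2[0][1], g2[0][0], g2[1][1], g2[1][0]]
    return b"".join(w.to_bytes(32, "big") for w in words)


def parse_pairs(data):
    if len(data) % 192:
        raise ValueError("ecPairing input must be a multiple of 192 bytes")
    pairs = []
    for off in range(0, len(data), 192):
        w = [int.from_bytes(data[off + 32 * i:off + 32 * (i + 1)], "big") for i in range(6)]
        pairs.append(((w[0], w[1]), ((w[3], w[2]), (w[5], w[4]))))
    return pairs


def prepare_for_miller_loop(data):
    """Return (pairs handed to the Miller loop, is_valid, are_pairs_zero)."""
    pairs = parse_pairs(data)
    if len(pairs) > N_PAIRS:
        raise ValueError("more pairs than the circuit can hold")
    pairs += [(G1_ID, G2_ID)] * (N_PAIRS - len(pairs))   # padding pair is (identity, identity)

    valid = [g1_on_curve(g1) and g2_on_curve(g2) for g1, g2 in pairs]
    is_zero_pair = [g1 == G1_ID or g2 == G2_ID for g1, g2 in pairs]
    is_valid = all(valid)
    are_pairs_zero = is_valid and all(is_zero_pair)

    prepared = []
    for pair, ok, zero in zip(pairs, valid, is_zero_pair):
        if not ok:
            # EVM: failure. Feed valid stand-in points so nothing panics; the
            # caller must force pairing_check == false whenever is_valid == false.
            prepared.append((G1_GEN, G2_GEN))
        elif zero:
            # Zero pair becomes (identity, generator), which the loop can skip.
            prepared.append((G1_ID, G2_GEN))
        else:
            prepared.append(pair)
    if are_pairs_zero:
        # EVM: pairing_check == 1. e(G, Q) * e(-G, Q) == 1, so these dummy pairs
        # satisfy the check without putting an identity into the loop.
        prepared = [(G1_GEN, G2_GEN), (g1_neg(G1_GEN), G2_GEN)] * (N_PAIRS // 2)
    return prepared, is_valid, are_pairs_zero
```

Empty input pads to four (identity, identity) pairs and so lands in the are_pairs_zero branch, matching the EVM returning 1 for an empty ecPairing call; an off-curve G1 or G2 in any pair forces is_valid to false regardless of what the other pairs contain.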