algebra icon indicating copy to clipboard operation
algebra copied to clipboard

Published 20 hours ago verified publisher icon arkworks-rs

affine versioned pairing supporting for BitVM

Open PayneJoe opened this issue 1 year ago • 6 comments

Description

This PR propose is to give caller an another more option to choose when do pairing. In current implementation, the coefficients of divisor line function is computed through projective coordinates as it's more efficient (than affine coordinates) when computing pairings, while it's not when verifying pairings (recursive snark). As Andrija and Liam stated in 5.2 section of On Proving Pairings.

So for supporting verifying pairings for BN254 in BitVM, I add one more optional method for pairing.

closes: #XXXX

Before we can merge this PR, please make sure that all the following items have been checked off. If any of the checklist items are not applicable, please leave them but write a little note why.

  • [x] Targeted PR against correct branch (master)
  • [x] Linked to GitHub issue with discussion and accepted design OR have an explanation in the PR that describes this work.
  • [x] Wrote unit tests
  • [x] Updated relevant documentation in the code
  • [x] Added a relevant changelog entry to the Pending section in CHANGELOG.md
  • [x] Re-reviewed Files changed in the GitHub PR explorer

PayneJoe avatar Jul 02 '24 07:07 PayneJoe

So this pairing computation results in another target group element?

swasilyev avatar Jul 02 '24 15:07 swasilyev

So this pairing computation results in another target group element?

the test result proves that it's equal with current pairing result (same element of Gt), even so for the sake of consistency with script implementation in BitVM we need a benchmark, this pairing in arkworks is my benchmark

PayneJoe avatar Jul 02 '24 16:07 PayneJoe

Eh. Why then we need code that computes the same result in a supposedly slower way?

swasilyev avatar Jul 03 '24 18:07 swasilyev

Eh. Why then we need code that computes the same result in a supposedly slower way?

Okay, let me introduce a naive and toy case to explain why we need that, what the benchmark actually mean.

If I want to implement a division algorithm for two numbers (whatever number is okay, even big integer) with javascript language, say a / b. I might need a benchmark to test if my javascript versioned algorithm is right. By now we do not have the same algorithm (a / b) implementation in C++, we only have the equivalence algorithm, say a * 1/b.

So if I use assertion javascript(a / b) == c++(a * 1/b) in my unit test, someone else may argue that this test is not convincing enough since the two algorithms are not consistent with each other, javascript(a / b) == c++(a / b) is just what I want.

PayneJoe avatar Jul 04 '24 01:07 PayneJoe

Eh. Why then we need code that computes the same result in a supposedly slower way?

PS: Most of the time, you are computing pairings (in snark verifier), so projective is your option, if you are verifying pairings, affine is your option. It's the best option for recursive snark.

PayneJoe avatar Jul 04 '24 05:07 PayneJoe

I think what will happen with this PR is that it would be held off until the R1CS gadget for verifying affine pairing is done. If the value is the same, we do not need this in algebra, and the R1CS witness generation would be in R1CS.

weikengchen avatar Jul 04 '24 06:07 weikengchen