Garaga

Report a Bug - Request a Feature - Ask a Question

Table of Contents

• About
• Architecture overview
• Prerequisites
• Usage
• Benchmarks
• Get Support
• Contribute
• Security
• License
• Acknowledgements
• Resources (documents)
• Contributors

About

Efficient pairing library using polynomial representation of field elements, written in Cairo 🐺.

Garaga can enable efficient pairing operations in StarkNet, by using polynomial representation of field elements. This is a work in progress, and is not yet ready for production use.

Here are some interesting use cases enabled by Garaga:

• SNARKs on StarkNet: would enable privacy-preserving computations on StarkNet.
• KZG cryptographic commitment scheme.
• Identity-based encryption schemes.
• Attribute-based encryption schemes.
• BLS (Boneh–Lynn–Shacham) Digital Signature scheme.

We are exploring many optimizations techniques. For example, we are currently working on a new technique to reduce the number of constraints in the pairing computation. This technique is based on the idea of using a polynomial representation of field elements.

Architecture overview

Prerequisites

Cairo

• cairo-lang
• Python 3.9
• protostar

Specifically for profiling and testing, the following tools dependencies are required:

• Go
• pprof
• graphviz

Usage

One time step: prepare virtual environment, dependencies and tools:

make setup

Compile all .cairo files (optional)

make build

re-compile Go parsing tool for tests (optional)

make go 

Run .cairo programs (interactive script!)

make run

Run and profile .cairo programs (interactive script!)

make run-profile

Run all or specific protostar tests

protostar test-cairo0 --max-steps 10000000 -x
protostar test-cairo0 --max-steps 10000000 tests/protostar_tests/bn254/test_e2.cairo
protostar test-cairo0 --max-steps 10000000 tests/protostar_tests/bn254/test_pair.cairo::test_final_exp
protostar test-cairo0 --max-steps 10000000 tests/protostar_tests/bls12_381/test_e12.cairo

Benchmarks

Operation on curve BN254	Cairo steps or estimation
miller_loop	320 848
multi_miller_loop (N points)	~ N * 260441 + 60407
final_exponentiation	270 215
Groth16 circuit example (4 public inputs)	1 671 116

Operation on curve BLS12-381	Cairo steps (number) (OBSOLETE: Wait for optimisation, expect /8)
miller_loop	2 177 205
miller_loop with pre-computed G2 values	1 974 939
final_exponentiation	3 666 209
e(P:G1, Q:G2)	5 843 414
e(P:G1, Q:G2) with pre-computed G2 values	5 641 148

Work is in progress to convert fq_bigint library to built-ins, which should reduce the above costs by more than 70%.

Support

Reach out to the maintainer at one of the following places:

• GitHub Discussions

• Garaga on telegram

Contributing

See the open issues for a list of proposed features (and known issues).
Please read our contribution guidelines, and thank you for being involved!

If you want to say thank you or/and support active development of Garaga:

• Add a GitHub Star to the project.
• Tweet about Garaga.
• Write interesting articles about the project on Dev.to, Medium or your personal blog.

Thank you for taking the time to contribute! Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make will benefit everybody else and are greatly appreciated.

Security

Garaga follows good practices of security, but 100% security cannot be assured. Garaga is provided "as is" without any warranty. Use at your own risk.

For more information and to report security issues, please refer to our security documentation.

License

This project is licensed under the MIT license.

See LICENSE for more information.

Acknowledgements

• Huge props to tekkac and feltroidprime for their initial work on provable pairing-based cryptography in StarkNet.
• Credits to Nethermind for their initial work on optimized modular arithmetic.
• Herodotus for supporting this project.
• Gnark project and team, especially yelhousni for his amazing knowledge and support.
• OnlyDust and Starkware.

Resources

Here are some interesting resources about pairing-based cryptography:

Note: This list is not exhaustive, and is not intended to be.

• Document A :: Pairing for beginners : A beginner-friendly overall introduction of the concept and techniques, including Towered extension fields in section 7.3. (2012)
• Document B :: Efficient Hardware Implementation of IFp-Arithmetic for Pairing-Friendly Curves : Fast Fp modular multiplication using polynomial representation of field elements. Currently being implemented. (2012)
• Document C :: High-Speed Software Implementation of the Optimal Ate Pairing over Barreto–Naehrig Curves Useful, relatively effective ready-to-use formulas including for Fp, Fp12 arithmetics. Should be composable with Document B.
• Document D :: Efficient Multiplication over Extension Fields Generalized Arithmetic on any extension field using polynomial representation of field elements. This work could enable polynomial representation of elements of finite field of any prime order, and thus very efficient pairing for any BN curve, including alt_bn128.
• Document E :: Accelerated tower arithmetic Close to state-of-the art solution for Fp12 arithmetics. Similar to Document D but harder. (2019)

Contributors

For a full list of all authors and contributors, see the contributors page.

Thanks goes to these wonderful people (emoji key):

Feltroid Prime 💻	Abdel @ StarkWare 💻	Tarik K. 💻	Bachir Arif 💻	Renaud Dubois 💻
Add your contributions

This project follows the all-contributors specification. Contributions of any kind welcome!