Fast subgroup checks #14
Comments
Apparently Celo (https://github.com/celo-org/celo-blockchain/tree/master/crypto/bls12381) gets a big speed improvement from batching subgroup checks; it's worth considering combining batching with the fast algorithm described in Sean Bowe's paper.
The fast subgroup check from Bowe's eprint/2019/814 is more efficient than multiplying by the cofactor only in the G2 case (the G1 cofactor is small). The G2 subgroup check is (partially) done in zkcrypto/bls12_381. I forked zkcrypto/bls12_381 into heliaxdev/bls12_381 and implemented (as an exercise) the G1 subgroup check as in Bowe's paper.
I think what's happening in the G1 case is that the implementation of multiply in bls12_381 is constant-time, therefore
Actually, the Celo implementation I linked to is written in Go, and while it uses Bowe's method, it doesn't do the batching. The batching is instead implemented in zexe (celo-org/zexe#4) and it seems like the performance speedup is substantial. So now we have yet another dependency issue to deal with, as zexe seems like an arkworks fork?
(as an exercise) I have done the
Probably going to be integrated into arkworks anyway, so probably nothing is required from our end right now.
#58 (comment) provides benchmarks of the fast subgroup check for G1 and G2.
The protocol extensively sends/receives points on the BLS12-381 curve from third parties, so there may be many subgroup checks needed to ensure that all such points lie in the prime-order subgroup.
This task involves two parts:
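Added example (not code from this issue, from heliaxdev/bls12_381, or from the zexe PR): a toy illustration of what a subgroup check protects against and of one caveat when batching such checks. The curve y^2 = x^3 + x + 1 over F_23 is chosen purely because it is small enough to enumerate and has a prime-order subgroup (order 7) with a non-trivial cofactor (4); its parameters, the point names G and T, and all function names are constructed for this demo and have nothing to do with BLS12-381's real parameters. The check shown is the plain "multiply by r" check that Bowe's method speeds up, not Bowe's endomorphism-based algorithm. The batched variant is the generic random-linear-combination batch; the thread does not state which batching method the linked zexe PR uses, so no claim is made about that.

```python
# Toy subgroup-check demo on y^2 = x^3 + A*x + B over F_P_MOD.
# All parameters below are constructed for illustration (not BLS12-381).
from itertools import product

P_MOD, A, B = 23, 1, 1   # constructed toy curve, order 28 = 4 * 7
INF = None               # point at infinity


def is_on_curve(pt):
    """On-curve check only: this does NOT tell you the point is in the prime subgroup."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p, q):
    """Affine group law with textbook formulas (toy, not constant-time)."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                          # P + (-P), covers doubling a 2-torsion point
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, p):
    """Double-and-add scalar multiplication [k]P."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc


def all_points():
    """Brute-force enumeration of E(F_p); feasible only because p is tiny."""
    return [INF] + [(x, y) for x, y in product(range(P_MOD), repeat=2)
                    if is_on_curve((x, y))]


ORDER = len(all_points())   # 28 for this toy curve
R = 7                       # prime-order subgroup the protocol expects points in
H = ORDER // R              # cofactor, 4 here


def in_prime_subgroup(pt):
    """The straightforward check that fast methods replace: P in G_r iff [r]P = O."""
    return is_on_curve(pt) and mul(R, pt) is INF


def clear_cofactor(pt):
    """[h]P always lands in the order-r subgroup because gcd(h, r) = 1."""
    return mul(H, pt)


def small_order_points():
    """Points killed by h: on the curve, yet outside the prime subgroup."""
    return [p for p in all_points() if p is not INF and mul(H, p) is INF]


def batched_check(points, scalars):
    """Accept all points iff sum_i [s_i]P_i is in the subgroup (random-linear-combination batch)."""
    acc = INF
    for s, p in zip(scalars, points):
        acc = add(acc, mul(s, p))
    return in_prime_subgroup(acc)


def batch_miss_rate(bad_point, good_point):
    """Enumerate every scalar pair in [0, h)^2; count batches that wrongly accept bad_point."""
    misses, total = 0, 0
    for s1, s2 in product(range(H), repeat=2):
        total += 1
        if batched_check([good_point, bad_point], [s1, s2]):
            misses += 1
    return misses, total


G = clear_cofactor((0, 1))   # a subgroup point: (13, 16), order 7
T = (4, 0)                   # on the curve, but of order 2: fails the subgroup check
```

Running this, `add(G, T)` passes `is_on_curve` but fails `in_prime_subgroup`, which is exactly the kind of input a third party can hand the protocol if only on-curve validation is done. `batch_miss_rate(T, G)` shows the batching caveat: with an order-2 bad point, half of all scalar pairs cancel it, so a random-linear-combination batch must draw scalars so that no small prime factor of the cofactor can make this cancellation likely (the BLS12-381 G1 cofactor (x-1)^2/3 is divisible by 3, so this is not purely a toy concern).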