Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fast subgroup checks #14

Closed
ghost opened this issue Mar 9, 2021 · 8 comments
Closed

Fast subgroup checks #14

ghost opened this issue Mar 9, 2021 · 8 comments
Assignees

Comments

@ghost
Copy link

ghost commented Mar 9, 2021

The protocol extensively sends/receives points on the BLS12-381 curve from third parties, there may be many subgroup checks needed to ensure that all such points lie in the prime order subgroup.

This task involves two parts:

  1. Identify every place in the protocol where such subgroup checks are necessary
  2. Implement a fast subgroup check algorithm, e.g. https://eprint.iacr.org/2019/814.pdf
@ghost ghost assigned simonmasson Mar 15, 2021
@ghost
Copy link
Author

ghost commented Mar 16, 2021

Apparently Celo (https://github.com/celo-org/celo-blockchain/tree/master/crypto/bls12381) gets a big speed improvement from batching subgroup checks, its worth considering combining batching with the fast algorithm described in Sean Bowe's paper.

@simonmasson
Copy link

Fast subgroup check from Bowe's eprint/2019/814 is more efficient than multiplying by the cofactor only on the G2 case (the G1 cofactor is small).

The G2 subgroup check is (partially) done in zkcrypto/bls12_381: the clear_cofactor function uses the Bowe's trick but is not used in the is_torsion_free function.

The arkworks-rs/curves implementation does not provide a is_torsion_free function.

I forked the zkcrypto/bis12_381 into heliaxdev/bls12_381 and implemented (as an exercise) the G1 subgroup check as in Bowe's paper.

@ghost
Copy link
Author

ghost commented Mar 18, 2021

I think what's happening in the G1 case is that the implementation of multiply in bls12_381 is constant-time, therefore $[(z^2-1)/3] P$ costs exactly the same as $[q] P$ which would make the fast subgroup check actually slower. In order to actually take advantage of the fast test, the final multiply needs to only work on [u8; 16] instead of [u8; 32] otherwise it will continue to double the base point

@ghost
Copy link
Author

ghost commented Mar 19, 2021

Actually the celo implementation I linked to is written in Go, and while it uses Bowe's method, it doesn't do the batching.

The batching is instead implemented in zexe (celo-org/zexe#4) and it seems like the performance speedup is substantial. So now we have yet another dependency issue to deal with, as zexe seemes like an arkworks fork?

@simonmasson
Copy link

(as exercies) I have done the is_torsion_free_optimized functions for G1 and G2 using the Bowe's trick and the gain is significant as expected. See heliaxdev/bls12_381 commit de80c8ab4cd2ceb2b7b9026f2571546695eaeb26 and 6a8eb9f9c534bf035a407d17081fa2e313bb0e1d for details.

@ghost
Copy link
Author

ghost commented Apr 13, 2021

Probably going to be integrated into arkworks anyway, so nothing probably required from our end right now.

@simonmasson
Copy link

#58 (comment) provide benchmarks of the fast subgroup check for G1 and G2.

@ghost ghost mentioned this issue Apr 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant