Update EIP-2537: Rephrased subgroup check part #8322
Conversation
|
@shamatar, @ineffectualproperty, @ralexstokes I rephrased a bit the subgroup check section including the fast subgroup check. |
|
The nature of suggestion is great, but now phrasing mentioning double and add and subgroup check is misleading. If you just say that
it'll be clear enough |
|
Separately on mandatory checks: if no one found any use case when out of group elements are interesting for multiplication/addition then we can make subgroup checks mandatory iff fast subgroup checks are also mandatory. Of course, gas schedule will change, but most likely change will only be substantial for G1 add |
|
@shamatar thanks for the comment.
any suggestion on the words to use ? the "double-and-add" part was already present in the original text |
Head branch was pushed to by a user without write access
|
@shamatar I adjusted the text to include ALL the calls and added a new separate document (similar to the existing one for hash to curve) in https://github.com/asanso/EIPs/blob/patch-9/assets/eip-2537/fast_subgroup_checks.md . Thoughts ? cc @ineffectualproperty @ralexstokes |
|
The commit 1f129eb (as a parent of 9271b4d) contains errors. |
|
Actually I found an example where we may need to allow out-of-main-subgroup points https://github.com/ethyla/bls12-381-hash-to-curve/blob/main/src/readable_Hash_to_curve.sol |
|
@shamatar what exactly in that file? |
|
It's a full hash-to-curve implementation (starting from byte string and then using field element -> curve point precompile). I'm checking how is map-to-curve specified now. If it clears a cofactor internally then such case would not be applicable, but as far as I remember it's not. Full author's comment https://ethereum-magicians.org/t/eip-2537-bls12-precompile-discussion-thread/4187/60 |
|
At least my implementation clears a cofactor for fp-to-g1. Now checking the spec |
|
Spec is also defined to clear a cofactor |
|
So one reason more to work in the subgroup for all the operations correct ? |
|
Kind of. I think original IETF draft for mapping to curve suggests to get two points, add them and then clear cofactor, that makes sense because clearing cofactor is amortized this way. But if we want to keep a number of exposed precompile function manageable, we can build-in those cofactor cleanups. My only concern is at some point we will see a use case where secondary subgroup point is needed. Yes, it's hard to produce it in EVM because precompiles will give only main subgroup, but I do not claim a knowledge of all possible cases |
|
I've also mentioned concerned about subgroup checks here: https://ethereum-magicians.org/t/eip-2537-bls12-precompile-discussion-thread/4187/63 The issue is that without them, libraries cannot use endomorphism acceleration or the result will be wrong. They might also not be able to use projective coordinates with complete formula (from Renes 2015), though Jacobian coordinates would work OK. As mentioned in https://ethereum-magicians.org/t/eip-2537-bls12-precompile-discussion-thread/4187/66, there are 3 paths ahead:
Some important point is that for large MSMs, endomorphism acceleration doesn't help, hence subgroup check cost is paid in vain. For single scalar mul, it represents about 1/3 (G1) and 1/5 (G2) more operations. (benchmarks in the link) I do agree with @asanso that having them on all operations is reasonable due to the risk of some crypto libraries defaulting to endomorphism acceleration and outputting wrong result. |
| A subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). | ||
|
|
||
| The check **is mandatory** during **ALL** the calls. Implementations *should* use fast subgroup checks. It can be stated that it **must** be performed by fast subgroup checks to achieve a speedup, resulting in a discount over naive implementations based on the `double-and-add` multiplication method, which has a clear "worst-case" scenario where all bits are equal to one. | ||
| Before accepting an input, it is recommended to subject the input to the appropriate endomorphism test as described in https://eprint.iacr.org/2021/1130.pdf. |
There was a problem hiding this comment.
MUST perform a subgroup check, and reject invalid point.
There was a problem hiding this comment.
@mratsim what do you mean? is there anything wrong with this part of the text ?
There was a problem hiding this comment.
AFAIK, in RFC MUST is the way to specify that something is mandatory, and the spec should explicitly mention that it returns as an error on failure.
There was a problem hiding this comment.
@mratsim Is the problem the capitalization of 'must' rather than using lowercase? Or am I missing something else? :)
There was a problem hiding this comment.
To be clear, I have 2 issues:
- Instead of is mandatory: "scalar multiplications, MSMs and pairings MUST perform a subgroup check. Implementations SHOULD use the fast subgroup check method from 2021/1130 detailed in <link to fast subgroupcheck markdown file>"
- "On inputs that fail the subgroup check the precompile MUST return an error."
Rationale:
- MUST is how mandatory steps are usually specified. I added details since EC add and hashing-to-curve do not have subgroup checks. And now we have a dedicated document for fast subgroup-checks.
- Similar to the paragraph on Field elements encoding with "On inputs that can not be a valid encodings of field elements the precompile must return an error.", it's important to spell what happens on failure or people have to look at the implementations to make sure. For example what if for MSM, the offending point and its corresponding coefficient were skipped?
I can make a PR to this PR.
There was a problem hiding this comment.
I can make a PR to this PR.
@mratsim this would be great.
One you are on it I everyone agrees you can already to the PR to this PR with this strategy:
- Misuse resistance approach. See @asanso, enforce subgroup check except on addition.
assuming @shamatar @ralexstokes @ineffectualproperty agree
There was a problem hiding this comment.
@shamatar @ralexstokes @ineffectualproperty #8456 got merged with :
Misuse resistance approach. See @asanso, enforce subgroup check except on addition.
Unless you want me to revert it , this is what the status quo is
|
mratsim/constantine#368 (comment)
|
ATTENTION: ERC-RELATED PULL REQUESTS NOW OCCUR IN ETHEREUM/ERCS
--
When opening a pull request to submit a new EIP, please use the suggested template: https://github.com/ethereum/EIPs/blob/master/eip-template.md
We have a GitHub bot that automatically merges some PRs. It will merge yours immediately if certain criteria are met: