Byzantium: EIP-196/197 elliptic curve precompiled contracts

Paper.tex

@@ -798,6 +798,9 @@ \section{Message Call} \label{ch:call}
 \Xi_{\mathtt{RIP160}}(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{if} \quad r = 3 \\
 \Xi_{\mathtt{ID}}(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{if} \quad r = 4 \\
 \Xi_{\mathtt{EXPMOD}}(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{if} \quad r = 5 \\
+\Xi_{\mathtt{BN\_ADD}}(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{if} \quad r = 6 \\
+\Xi_{\mathtt{BN\_MUL}}(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{if} \quad r = 7 \\
+\Xi_{\mathtt{SNARKV}}(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{if} \quad r = 8 \\
 \Xi(\boldsymbol{\sigma}_1, g, I, \mathbf{t}) & \text{otherwise} \end{cases} \\
 I_a & \equiv & r \\
 I_o & \equiv & o \\
@@ -1477,6 +1480,130 @@ \section{Precompiled Contracts}\label{app:precompiled}
 \end{cases}
 \end{eqnarray}
 
+\subsection{zkSNARK Related Precompiled Contracts}
+
+We choose two numbers, both of which are prime.
+\begin{eqnarray}
+p &\equiv& 21888242871839275222246405745257275088696311157297823662689037894645226208583 \\
+q &\equiv& 21888242871839275222246405745257275088548364400416034343698204186575808495617
+\end{eqnarray}
+Since $p$ is a prime number, $\{0, 1, \ldots, p - 1\}$ forms a field with addition and multiplication modulo $p$. We call this field $F_p$.
+
+We define a set~$C_1$ with
+\begin{equation}
+C_1\equiv\{(X,Y)\in F_p\times F_p\mid Y^2=X^3+3\}\cup\{(0,0)\}
+\end{equation}
+We define a binary operation $+$ on $C_1$ with
+\begin{eqnarray}\label{eq:ec-addition}
+(X_1, Y_1) + (X_2, Y_2)&\equiv&\begin{cases}
+(X,Y)&\text{if}\ X_1\neq X_2\\
+(0,0)&\text{otherwise}
+\end{cases}\\
+X&\equiv&\lambda^2-X_1-X_2\\
+Y&\equiv&\lambda(X_1-X)-Y_1\\
+\lambda&\equiv&\frac{Y_2-Y_1}{X_2-X_1}
+\end{eqnarray}
+
+$(C_1,+)$ is known to form a group. We define the scalar multiplication $\cdot$ with
+\begin{equation}\label{eq:ec-scalar-multiplication}
+n\cdot P\equiv(0,0)+\underbrace{P+\cdots+P}_{n}
+\end{equation}
+for a natural number $n$ and a point $P$ in $C_1$.
+
+We define $P_1$ to be a point $(1,2)$ on $C_1$. Let $G_1$ be the subgroup of $(C_1,+)$ generated by $P_1$. $G_1$ is known to be a cyclic group of order $q$. For a point $P$ in $G_1$, we define $\log_{P_1}(P)$ to be the smallest natural number $n$ satisfying $n\cdot P_1=P$. $\log_{P_1}(P)$ is at most $q-1$.
+
+Let $F_{p^2}$ be a field $F_p[i]/(i+1)$. We define a set $C_2$ with
+\begin{equation}
+C_2\equiv\{(X,Y)\in F_{p^2}\times F_{p^2}\mid Y^2=X^3+3\}\cup\{(0,0)\}
+\end{equation}
+We define a binary operation $+$ and a scalar multiplication $\cdot$ with the same equations (\ref{eq:ec-addition}) and (\ref{eq:ec-scalar-multiplication}). $(C_2,+)$ is also known to be a group. We define $P_2$ in $C_2$ with
+\begin{eqnarray}
+P_2&\equiv&
+(11559732032986387107991004021392285783925812861821192530917403151452391805634 \times i\\\nonumber &&+ 10857046999023057135944570762232829481370756359578518086990519993285655852781,\\\nonumber && 4082367875863433681332203403145435568316851327593401208105741076214120093531 \times i\\\nonumber &&+ 8495653923123431417604973247489272438418190587263600148770280649306958101930)
+\end{eqnarray}
+We define $G_2$ to be the subgroup of $(C_2,+)$ generated by $P_2$. $G_2$ is known to be a cyclic group of order $q$. For a point $P$ in $G_2$, we define $\log_{P_2}(P)$ be the smallest natural number $n$ satisfying $n\cdot P_2=P$. With this definition, $\log_{P_2}(P)$ is at most $q-1$.
+
+A 32 byte number $\mathbf{x}\in\mathbf{P}_{256}$ might and might not represent an element of $F_p$.
+\begin{equation}
+\delta_p(\mathbf x)\equiv\begin{cases}
+\mathbf x&\text{if}\ \mathbf x<p\\
+\varnothing&\text{otherwise}
+\end{cases}
+\end{equation}
+
+A 64 byte data $\mathbf x\in\mathbf B_{512}$ might and might not represent an element of $G_1$.
+\begin{eqnarray}
+\delta_1(\mathbf x)&\equiv&\begin{cases}
+g_1&\text{if}\ g_1\in G_1\\
+\varnothing&\text{otherwise}
+\end{cases}\\
+g_1&\equiv&\begin{cases}
+(x,y)&\text{if}\ x\neq\varnothing\wedge y\neq\varnothing\\
+\varnothing&\text{otherwise}
+\end{cases}\\
+x&\equiv&\delta_p(\mathbf x[0..31])\\
+y&\equiv&\delta_p(\mathbf x[32..63])
+\end{eqnarray}
+
+A 128 byte data $\mathbf x\in\mathbf B_{1024}$ might and might not represent an element of $G_2$.
+\begin{eqnarray}
+\delta_2(\mathbf x)&\equiv&\begin{cases}
+g_2&\text{if}\ g_2\in G_2\\
+\varnothing&\text{otherwise}
+\end{cases}\\
+g_2&\equiv&\begin{cases}
+((x_0i+y_0),(x_1i+y_1))&\text{if}\ x_0\neq\varnothing\wedge y_0\neq\varnothing\wedge x_1\neq\varnothing\wedge y_1\neq\varnothing\\
+\varnothing&\text{otherwise}
+\end{cases}\\
+x_0&\equiv&\delta_p(\mathbf x[0..31])\\
+y_0&\equiv&\delta_p(\mathbf x[32..63])\\
+x_1&\equiv&\delta_p(\mathbf x[64..95])\\
+y_1&\equiv&\delta_p(\mathbf x[96..127])
+\end{eqnarray}
+
+We define a precompiled contract for zkSNARK verification.
+\begin{eqnarray}
+\Xi_{\mathtt{SNARKV}}&\equiv&\Xi_{\mathtt{PRE}}\quad\text{except:}\\
+\qquad\Xi_{\mathtt{SNARKV}}(\boldsymbol\sigma,g,I)&=&(\varnothing,0,A^0,())\quad\text{if}\ F\\
+F&\equiv&(|I_\mathbf{d}|\bmod 192\neq 0\vee(\exists j.\ a_j=\varnothing\vee b_j=\varnothing))\\
+k &=& \dfrac{|I_\mathbf{d}|}{192} \\
+g_r&=& 60000k + 40000 \\
+\mathbf o[0..31]&\equiv&\begin{cases}
+0x0000000000000000000000000000000000000000000000000000000000000001&\text{if}\ v\wedge\neg F\\
+0x0000000000000000000000000000000000000000000000000000000000000000&\text{if}\ \neg v\wedge\neg F
+\end{cases}\\
+v&\equiv&(\log_{P_1}(a_1)\times\log_{P_2}(b_1)+\cdots+\log_{P_1}(a_k)\times\log_{P_2}(b_k)\equiv 1\mod q)\\
+a_1&\equiv&\delta_1(I_{\mathbf d}[0..63])\\
+b_1&\equiv&\delta_2(I_{\mathbf d}[64..191])\\\nonumber
+\vdots\\
+a_k&\equiv&\delta_1(I_{\mathbf d}[(|I_{\mathbf d}|-192)..(|I_{\mathbf d}|-129)])\\
+b_k&\equiv&\delta_2(I_{\mathbf d}[(|I_{\mathbf d}|-128)..(|I_{\mathbf d}|-1)])
+\end{eqnarray}
+
+We define a precompiled contract for addition on $G_1$.
+\begin{eqnarray}
+\Xi_{\mathtt{BN\_ADD}}&\equiv&\Xi_{\mathtt{BN\_PRE}}\quad\text{except:}\\
+\Xi_{\mathtt{BN\_ADD}}(\boldsymbol\sigma,g,I)&=&(\varnothing,0,A^0,())\quad\text{if}\ x=\varnothing\vee y=\varnothing\\
+g_r &=& 500\\
+\mathbf o&\equiv&\delta_1^{-1}(x+y)\quad\text{where $+$ is the group operation in $G_1$}\\
+x&\equiv&\delta_1(\bar I_{\mathbf d}[0..63])\\
+y&\equiv&\delta_1(\bar I_{\mathbf d}[64..127])\\
+\label{eq:complemented_input}\bar I_{\mathbf d}[x]&\equiv&\begin{cases}
+I_{\mathbf d}[x]&\text{if}\ x < |I_{\mathbf d}|\\
+0&\text{otherwise}
+\end{cases}
+\end{eqnarray}
+
+We define a precompiled contract for scalar multiplication on $G_1$, where $\bar I_{\mathbf d}$ is defined in (\ref{eq:complemented_input}).
+\begin{eqnarray}
+\Xi_{\mathtt{BN\_MUL}}&\equiv&\Xi_{\mathtt{PRE}}\quad\text{except:}\\
+\Xi_{\mathtt{BN\_MUL}}(\boldsymbol\sigma,g,I)&=&(\varnothing,0,A^0,())\quad\text{if}\ x=\varnothing\\
+g_r &=& 40000\\
+\mathbf o&\equiv&\delta_1^{-1}(n\cdot x)\quad\text{where $\cdot$ is the scalar multiplication in $G_1$}\\
+n&\equiv&\bar I_{\mathbf d}[0..31]\\
+x&\equiv&\delta_1(\bar I_{\mathbf d}[32..95])
+\end{eqnarray}
+
 \section{Signing Transactions}\label{app:signing}
 
 The method of signing transactions is similar to the `Electrum style signatures'; it utilises the SECP-256k1 curve as described by \cite{gura2004comparing}.