2023-07-05

BN254 Point Compression for L2s

A Groth16 proof has two $G_{1}$ points and one $G_{2}$ . In the BN254 pairing curve these take 64 and 128 bytes respectively uncrompressed totaling 256 bytes for a proof. With compression points will take only 32 and 64 bytes respectively, halving the size of a proof.

On Ethereum calldata costs $16$ gas per byte, so any compression would need to perform better than that. This gives a budget of 512 and 1024 gas for $G_{1}$ and $G_{2}$ point compression respectively. This will be hard to achieve. On Optimism the cost of calldata is higher by a factor

$\frac{l1_gas_price}{l2_gas_price} \cdot dynamic_overhead$

Where the dynamic_overhead is set to 0.684 and the gas price ratio fluctuates wildly with the last half year ranging between $50$ to $20000$ . Taking the lower bound this puts the compression budget at 550 gas per byte, or 17k gas per $G_{1}$ point and double for $G_{2}$ . This seems doable, let's do it!

The field $F_{1}$

The base field $F_{1} = Z / p Z$ are the numbers modulo $p$ where

$p = 36 \cdot t^{4} + 36 \cdot t^{3} + 24 \cdot t^{2} + 6 \cdot t + 1 t = 4965661367192848881$

Addition and multiplications are trivially implemented using EVMs addmod and mulmod operations at 8 gas each. $⌊ \frac{2 ^{256} - 1}{p - 1} ⌋ = 5$ so we can add up to five elements using add without overflowing. Negation can be done using $p - n$ but the result will be unreduced in range $[1, p]$ . $⌊ \frac{2 ^{256} - 1}{p} ⌋ = 5$ so we can also add up to five unreduced negations without overflowing.

Exponentiation can be done using repeated multiplication. Efficient strategies for specific exponents can be found using addchain so the exact cost depends on the exponent. Exponentiation can also be done using the modexp precompile which for $F_{1}$ costs $200$ to $1349$ gas, depending on the exponent.

Inversion in $F_{1}$

By Fermat's little theorem, in $F_{1}$ we have $a = a^{p}$ . Dividing both sides by $a^{2}$ we get

$a^{- 1} = a^{p - 2}$

Computing this takes $247 \cdot Square_{F_{1}} + 56 \cdot Mul_{F_{1}}$ using an addition chain generated with addchain. Implemented using mulmod this would take at least $2424$ gas. The modexp precompile costs $1349$ gas.

To do. Inversion using half-extended GCD?

Square roots in $F_{1}$

$a = a^{p}$ taking the square root of both sides we would get $a = a^{\frac{p}{2}}$ but $\frac{p}{2}$ is not an integer so this does not lead to a usable method. Instead $\frac{p - 1}{2}$ is an integer. By Fermat's little theorem in $F_{1}$ we have $a^{p} = a$ . Dividing both sides by $a$ we get $a^{p - 1} = 1$ and taking the square root on both sides we get $a^{\frac{p - 1}{2}} = \pm 1$ . We also have $[p]_{4} = 3$ so $\frac{p + 1}{4}$ is an integer. Observe

$(\pm a^{\frac{p + 1}{4}})^{2} = a^{\frac{p + 1}{2}} = a^{\frac{p - 1}{2}} \cdot a = \pm a$

So if $a^{\frac{p + 1}{2}} = 1$ we have then $a = \pm a^{\frac{p + 1}{4}}$ . It can be shown that if $a^{\frac{p + 1}{2}} = - 1$ the square root does not exist, so this method covers all square roots. In fact, only half of the elements in $F_{1}$ have a square root, and if it exists for $a$ it is absent for $- a$ and vice versa.

The exponential $\frac{p + 1}{4}$ takes $246 \cdot Square_{F_{1}} + 54 \cdot Mul_{F_{1}}$ using an addition chain generated with addchain, which takes at least $2400$ gas using mulmod. Using modexp the exponent takes $1338$ gas.

The field $F_{2}$

Construct the extension field $F_{2} = F_{1} [i] / (i^{2} + 1)$ . That is, each element is written $x_{0} + x_{1} \cdot i$ with $i^{2} = - 1$ , much like the complex numbers. In fact, we get all of our complex arithmetic identities:

$(a + b \cdot i) + (c + d \cdot i) (a + b \cdot i) - (c + d \cdot i) (a + b \cdot i) \cdot (c + d \cdot i) (a + b \cdot i)^{2} (a + b \cdot i)^{- 1} = (a + c) + (b + d) \cdot i = (a - c) + (b - d) \cdot i = (a \cdot c - b \cdot d) + (a \cdot d + b \cdot c) \cdot i = (a^{2} - b^{2}) + (2 \cdot a \cdot b) \cdot i = (\frac{a}{a ^{2} + b ^{2}}) + (\frac{b}{a ^{2} + b ^{2}}) \cdot i$

Multiplication as above requires $2 \cdot Add_{F_{1}} + 4 \cdot Mul_{F_{1}}$ . It can be done with fewer multiplications using Karatsuba's method. Take $u = a \cdot c$ , $v = b \cdot d$ and $s = (a + b) \cdot (c + d)$ , then the result is $(u - v) + (s - u - v) \cdot i$ . This requires $5 \cdot Add_{F_{1}} + 3 \cdot Mul_{F_{1}}$ . Since addmod and mulmod cost the same in EVM, this is not a worthwhile trade-off. (To do. We can change some to cheaper adds)

Squaring as above requires $Add_{F_{1}} + 2 \cdot Square_{F_{1}} + Mul_{F_{1}} + Double_{F_{1}}$ . Factoring $a^{2} + b^{2}$ as $(a + b) \cdot (a - b)$ we can exchange one $Square_{F_{1}}$ for an $Add_{F_{1}}$ .

Square roots in $F_{2}$

Square root is the hard part. We can again take inspiration from Gnark and see that it uses algorithm 9 from ARH12. This amounts to computing

$α = a^{\frac{q - 1}{2}} a = \pm a^{\frac{q + 1}{4}} \cdot {i (1 + α)^{\frac{q - 1}{2}} α = - 1 α \neq = - 1$

This is a lot of exponentiation in $F_{2}$ , for which we cannot use the affordable precompile. So instead we consider a more traditional approach, algorithm 8 from ARH12. Give $x + y \cdot i$ with $x, y \in F_{1}$ we are looking for $a, b \in F_{1}$ such that:

$x + y \cdot i = (a + b \cdot i)^{2} = (a^{2} - b^{2}) + (2 \cdot a \cdot b) \cdot i$

which gives the system of quadratic equations

$x y = a^{2} - b^{2} = 2 \cdot a \cdot b$

The solution to this is

$a b = \pm \frac{x \pm x ^{2} + y ^{2}}{2} = \frac{y}{2 \cdot a}$

Show me

we take $b = \frac{y}{2 \cdot a}$ and substitute this back in the first equation and apply the quadratic formula

$x x 4 \cdot a^{2} \cdot x 0 a^{2} a^{2} a^{2} a = a^{2} - (\frac{y}{2 \cdot a})^{2} = a^{2} - \frac{y ^{2}}{4 \cdot a ^{2}} = 4 \cdot a^{4} - y^{2} = (- y^{2}) - 4 \cdot x \cdot (a^{2}) + 4 \cdot (a^{2})^{2} = \frac{- ( - 4 \cdot x ) \pm ( - 4 \cdot x ) ^{2} - 4 \cdot ( 4 ) \cdot ( - y ^{2} )}{8} = \frac{4 \cdot x \pm 16 \cdot x ^{2} + 16 \cdot y ^{2}}{8} = \frac{x \pm x ^{2} + y ^{2}}{2} = \pm \frac{x \pm x ^{2} + y ^{2}}{4}$

The inner $\pm$ needs to have a specific value, only one will result in a square for the outer square root. There does not seem to be an efficient method of computing this sign other than trying both values. Since trying is expensive (involves a modexp) it is better to provide it as a hint. The outer $\pm$ reflects the two possible solutions of the quadratic equation.

Computing the square root requires two $F_{1}$ square roots and one $F_{1}$ inversion, which can be done using three calls to modexp costing $4025$ gas total.

Compressing $G_{1}$ points

The $G_{1}$ elliptic curve are the $(x, y) \in F_{1}^{2}$ satisfying a short Weierstrass equation

$y^{2} = x^{3} + 3$

One such solution is $(1, 2)$ , which is the chosen generator for this group.

Give an $x$ coordinate we can recover the $y$ coordinate by taking the square root of $x^{3} + 3$ . This has either two solutions $y, - y$ or none. This means that we can distinguish the point as (when fully reduced) exactly one will be $> \frac{p}{2}$ and exactly one will be an odd number.

Compressing $G_{2}$ points

The $G_{2}$ elliptic curve are the $(x, y) \in F_{2}^{2}$ satisfying a short Weierstrass equation

$y^{2} = x^{3} + \frac{3}{9 + i}$

where $\frac{3}{9 + i} = \frac{27}{82} - \frac{3}{82} \cdot i$ .

Given an $x$ coordinate we can recover $y$ the same as before, but now with math happening in $F_{2}$ . Given $x = a + b \cdot i$ :

$x^{3} x^{3} + \frac{3}{9 + i} = (a + b \cdot i)^{3} = (a^{3} - 3 \cdot a \cdot b^{2}) + (3 \cdot a^{2} \cdot b - b^{3}) \cdot i = a^{3} + 3 \cdot a^{2} \cdot b \cdot i + 3 \cdot a \cdot b^{2} \cdot i^{2} + b^{3} \cdot i^{3} = (a^{3} - 3 \cdot a \cdot b^{2}) + (3 \cdot a^{2} \cdot b - b^{3}) \cdot i = (\frac{27}{82} + a^{3} - 3 \cdot a \cdot b^{2}) - (\frac{3}{82} + b^{3} - 3 \cdot a^{2} \cdot b) \cdot i$

The $y$ coordinate is a square root of this value. As before, $- y$ is also a solution.

Compressing two points

In Ote15 an efficient method for storing two points on the same curve $y^{2} = x^{3} + a \cdot x + b$ is presented. (As mentioned by Zac Williamson). Given two points $(x_{1}, y_{1}), (x_{2}, y_{2})$ on a curve compute

$A = \frac{x _{1} - x _{2}}{y _{1} - y _{2}} B = y_{1} - y_{2} C = x_{2}$

we can recover the two points by

$x_{1} = A \cdot B + C x_{2} = C y_{1} = \frac{A \cdot ( ( x _{1} + x _{2} ) ^{2} - x _{1} \cdot x _{2} + a ) + B}{2} y_{2} = y_{1} - B$

For the special case $y_{1} = y_{2}$ we can instead store $(x_{1}, x_{2}, y_{1})$ . An extra bit is required to distinguish these cases.

Implementation and benchmark

An implementation of the above $G_{1}$ and $G_{2}$ compression is done in Solidity in Verifier.sol.

Decompressing $G_{1}$ points takes $2390$ gas so becomes worthwhile at $75$ gas/byte.
Decompressing $G_{2}$ points takes $7605$ gas so becomes worthwhile at $118$ gas/byte.

These numbers are close enough that we can consider doing both $G_{1}$ and $G_{2}$ compression. For a Groth16 verification this adds $11366$ gas overhead, so becomes worthwhile at $89$ gas/byte. This is not economical on Ethereum, but it is on Optimism.

Safety

This compression method takes in existing proofs, so zero-knowledge is unaffected. After decompression it calls the original verifier, so soundness is unaffected. This leaves completeness, which is only preserved if the method works for all valid proofs. This can be accomplished by making sure the method works on all points in $G_{1}$ and $G_{2}$ , taking care to handle zero values and the point at infinity correctly. (Although it is at best extremely unlikely a valid proof will contain those.)

Appendix: Abusing ECADD?

Given $a, b, c, d \in F_{1}$ such that $(a, b), (c, d) \in G_{1}$ the ecadd precompile returns for 150 gas

$x y = (\frac{d - b}{c - a})^{2} - a - c = (2 \cdot a + c) \cdot (\frac{d - b}{c - a}) - (\frac{d - b}{c - a})^{3} - b$

if $(a, b) \neq = (c, d)$ , or else

$x y = (\frac{3 \cdot a ^{2}}{2 \cdot b})^{2} - 2 \cdot a = (3 \cdot a) \cdot (\frac{3 \cdot a ^{2}}{2 \cdot b}) - (\frac{3 \cdot a ^{2}}{2 \cdot b})^{3} - b$

This contains an inversion for much cheaper than we can do, but it seems hard to extract this. The first case could maybe be abused to compute $\frac{1}{a ^{2}}$ , but turning this in to a problem with valid $G_{1}$ points is going to be challenging.

References

BN05 Baretto, Naehrig (2005). Pairing-Friendly Elliptic Curves of Prime Order.
Shi10 Shirase (2010). Barreto-Naehrig Curve With Fixed Coefficient.
BDMO10 Beuchat et al. (2010). High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves.
ARH12 Adj, Ridrígues-Henríquez (2012). Square root computation over even extension fields.
DLZZ22 Dai, Lin, Zhao, Zhou (2022). Fast Subgroup Membership Testings for $G_{1}$ , $G_{2}$ and $G_{T}$ on Pairing-friendly Curves.
AGO22 Adiguzel-Goktas, Ozdemir (2022). Square Root Computation In Finite Fields.
Wan22 Wang (2022). BN254 For The Rest Of Us.
EIP-196: Precompiled contracts for addition and scalar multiplication on the elliptic curve alt_bn128.
EIP-197: Precompiled contracts for optimal ate pairing check on the elliptic curve alt_bn128.
EIP-198: Big integer modular exponentiation.
EIP-1108: Reduce alt_bn128 precompile gas costs.
EIP-2565: ModExp Gas Cost.
BN254.sol by Espresso Systems.
EllipticCurve.sol by The Witnet Project.
BN256G2.sol by Mustafa Al-Bassam.
BLS.sol by Antonio Sanso. See also the Ethresearch post.

https://eprint.iacr.org/2020/010.pdf

BN254 Point Compression for L2s

The field F1​

Inversion in F1​

Square roots in F1​

The field F2​

Square roots in F2​

Compressing G1​ points

Compressing G2​ points