Computing the Optimal Ate Pairing over the BLS12-381 Curve

The post BLS12-381 For The Rest Of Us constitutes the base point for this article, so I highly recommend reading it to get a solid background of the BLS1-381 curve. This post will reuse some parts with an emphasy on the computational aspect of the optimal Ate pairing over such curve.

For those with a poor background on Pairing-Based Cryptography (PBC) but with a decent background on Elliptic-Curve Cryptoraphy (ECC) I recommend reading the following resources in order:

Only after (and not before) you feel sufficiently comfortable with both PBC and ECC come back to this post and start to make sense out of it. The full list of consulted resources can be found at the end of this post.

The implementation in zkASM has been done in this PR.

The Curve

The BLS12-381 is the elliptic curve

E

of the form:

y^{2} = x^{3} + 4

defined over a finite field

F_{p}

, where the prime

p

is the following

381

-bit number:

p = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787

The number of points

# E (F_{p}) = p + 1 - t

can be factorized as follows:

3 * 11^2 * 10177^2 * 859267^2 * 52437899^2 * 52435875175126190479447740508185965837690552500527637822603658699938581184513

where t = x + 1 = -15132376222941642751 is known as the trace of Frobenius and x is the BLS-family parameter that generates this specific curve.

Therefore, its

255

-bit prime factor:

r = 52435875175126190479447740508185965837690552500527637822603658699938581184513

is the only one with sufficiently size for cryptographic purposes.

The point

P \in E (F_{p})

with coordinates:

x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569

is a point of order

r

, i.e. a generator of the subgroup of size

r

of the curve.

The embedding degree

k

of this curve is

12

Tower of Extension Fields

To represent

F_{p^{12}}

we use the following tower of extension fields:
fields:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} - β), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - ξ), \\ F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v), \end{aligned}

where

β

is not a quadratic residue in

F_{p}

and

ξ

is neither a quadratic residue or a cubic residue in

F_{p^{2}}

In the particular case of the BLS12-381, we have

β = - 1

and

ξ = 1 + u

and therefore:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} + 1), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - (1 + u)), \\ F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v), \end{aligned}

from which we can extract the identities

u^{2} = - 1

w^{2} = v

v^{3} = 1 + u

and consequently the idenity

w^{6} = 1 + u

Using the latter identity, we can also write:

F_{p^{12}} = F_{p^{2}} [w] / (w^{6} - (1 + u))

These two representations of

F_{p^{12}}

will allow us to apply some optimizations:

Writing any element
$f \in F_{p^{12}}$ as
$f = g + h w$ , with
$g, h \in F_{p^{6}}$ implies
$f^{p^{6}} = \bar{f} = g - h w$ . Thus, computing the
$p^{6}$ -th power of any element in
$F_{p^{12}}$ is computationally "free".
Now, if we write
$g = g_{0} + g_{1} v + g_{2} v^{2}$ and
$h = h_{0} + h_{1} v + h_{2} v^{2}$ where
$g_{0}$ ,
$g_{1}$ ,
$g_{2}$ ,
$h_{0}$ ,
$h_{1}$ ,
$h_{2} \in F_{p^{2}}$ we have:

$f = g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5},$
which will allow us to compute
$f^{p}$ and
$f^{p^{2}}$ (needed for the final exponentiation) very efficiently.

Twist

BLS curves admits a sextic twist

E^{'}

defined over

F_{p^{2}}

of the form:

y^{' 2} = x^{' 3} + 4 \cdot (1 + u) .

This means that pairing computations can be restricted to points

P \in E (F_{p})

and

Q \in E^{'} (F_{p^{2}})

and avoid computations over

F_{p^{12}}

entirely.

The point

P \in E^{'} (F_{p^{2}})

with coordinates:

x = 352701069587466618187139116011060144890029952792775240219908644239793785735715026873347600343865175952761926303160 + 3059144344244213709971259814753781636986470325476647558659373206291635324768958432433509563104347017837885763365758·u
y = 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905 + 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582·u

is a point of order

r

, i.e. a generator of the subgroup of size

r

of the curve.

The following mapping, known as the untwist:

φ (x^{'}, y^{'}) = (x^{'} / w^{2}, y^{'} / w^{3})

with:

1/w^2 = (2001204777610833696708894912867952078278441409969503942666029068062015825245418932221343814564507832018947136279894 + 2001204777610833696708894912867952078278441409969503942666029068062015825245418932221343814564507832018947136279893·u)·w^4
1/w^3 = (2001204777610833696708894912867952078278441409969503942666029068062015825245418932221343814564507832018947136279894 + 2001204777610833696708894912867952078278441409969503942666029068062015825245418932221343814564507832018947136279893·u)·w^3

defines a group isomorphism from

E^{'} (F_{p^{2}}) [r]

E (F_{p^{12}}) [r] \cap Ker (π_{p} - [p])

and we are going to use it to convert points from the twisted curve

E^{'}

to the curve

E

only whenever required.

The inverse mapping, the twist, is defined as:

φ^{- 1} (x^{'}, y^{'}) = (x^{'} w^{2}, y^{'} w^{3}) .

The Pairing

The optimal Ate pairing

e : G_{1} \times G_{2} \to G_{T}

over the BLS12-381 curve is defined by:

e (P, Q) = {\overset{―}{f_{| x |, Q} (P)}}^{\frac{p^{12} - 1}{r}}

where:

$G_{1} = E (F_{p}) [r]$ is the only subgroup of the
$r$ -torsion of
$E$ over
$F_{p}$ .
$G_{2} = E (F_{p^{12}}) [r] \cap Ker (π_{p} - [p])$ , represented for point arithmetic efficiency by
$E^{'} (F_{p^{2}}) [r]$ . The former is the trace zero subgroup of the
$r$ -torsion of
$E$ over
$F_{p^{12}}$ , whereas the latter is the only subgroup of the
$r$ -torsion of
$E^{'}$ over
$F_{p^{2}}$ .
$G_{T} = μ_{r}$ is the set of
$r$ -th roots of unity over
$F_{p^{12}}^{*}$ .

x = -15132376222941642752, which is a number of

64

bits that can be expressed in binary as:

2^63 + 2^62 + 2^60 + 2^57 + 2^48 + 2^16
[1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
0b1101001000000001000000000000000000000000000000010000000000000000

and has a Hamming weight of 6.

$f_{i, Q}$ , for any
$i \in N$ and
$Q \in G_{2}$ , is a
$F_{p^{12}}$ rational function on
$E$ that is computed using Miller's "double-and-add"-style algorithm:

$\begin{array}{r} f_{i + j, Q} = f_{i, Q} \cdot f_{j, Q} \cdot \frac{ℓ_{[i] φ (Q), [j] φ (Q)}}{v_{[i + j] φ (Q)}}, \\ f_{i + 1, Q} = f_{m, Q} \cdot \frac{ℓ_{[i] φ (Q), φ (Q)}}{v_{[i + 1] φ (Q)}}, \end{array}$
starting with
$f_{1, Q} = 1$ .

The conjugate of an element in

f = a + b w

F_{p^{12}}

\bar{f} = a - b w

. Hence, if we write

f = g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5}

we have:

\bar{f} = g_{0} - h_{0} w + g_{1} w^{2} - h_{1} w^{3} + g_{2} w^{4} - h_{2} w^{5} .

Therefore, what we want to compute is the following:















def e(P,Q):
    assert(subgroup_check_G1(P))
    assert(subgroup_check_G2(Q))
    if ((P == 0) or (Q == 0)) return 1 # Here, 0 represents the 
                                       # point at infinity
    R = Q
    f = 1
    for i in range(len(x)-2,-1,-1):
        f = f * f * line(untwist(R),untwist(R),P)
        R = 2 * R
        if x[i] == 1:
            f = f * line(untwist(R),untwist(Q),P)
            R = R + Q

    return final_exponentiation(conjugate(f))

In what follows we explain how to compute each of the components of the previous pseudocode snippet.

Subgroup Checks

To summary 2019/814, we have:

A point
$P \in E (F_{p})$ belongs to
$G_{1} = E (F_{p}) [r]$ if and only if:

$[\frac{x^{2} - 1}{3}] ([2] σ (P) - P - σ^{2} (P)) = σ^{2} (P)$
where
$σ : E (F_{p}) \to E (F_{p})$ is the well-known endomorphism^[1] defined by
$(a, b) \to (γ \cdot a, b)$ , where
$γ \in F_{p}^{*}$ is of order
$3$ .
```
𝛄 = 4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436
```
This is clearly much cheaper than the naive scalar multiplication by
$r$ , since its main cost is the scalar multiplication by
$(x^{2} - 1) / 3$ , which is half the size of
$r$ and has low Hamming weight.
A point
$Q \in E^{'} (F_{p^{2}})$ belongs to
$G_{2} = E^{'} (F_{p^{2}}) [r]$ if and only if:

$[x] ψ^{3} (Q) + Q = ψ^{2} (Q)$
where
$ψ : E^{'} (F_{p^{2}}) \to E^{'} (F_{p^{2}})$ is the untwist-Frobenius-twist endomorphism, i.e.,
$ψ := φ^{- 1} π_{p} φ$ .

Again, this is much cheaper than the naive scalar multiplication by
$r$ , since its main cost is the scalar multiplication by
$x$ , which is roughly a fourth the size of
$r$ .

Line Equations

Different Points

Given two points

Q_{1} = (x_{1}^{'}, y_{1}^{'})

and

Q_{2} = (x_{2}^{'}, y_{2}^{'})

in the twisted curve

E^{'} (F_{p^{2}})

such that

x_{1}^{'} \neq y_{1}^{'}

and

x_{2}^{'} \neq y_{2}^{'}

and a point

P = (x, y)

in the curve

E (F_{p})

, the evaluation at

P

of the line passing through

φ (Q_{1})

and

φ (Q_{2})

is given by:

ℓ_{φ (Q_{1}), φ (Q_{2})} (P) = (x_{1}^{'} y_{2}^{'} - x_{2}^{'} y_{1}^{'}) + w^{2} (y_{1}^{'} - y_{2}^{'}) x + w^{3} (x_{2}^{'} - x_{1}^{'}) y

The Same Points

Given a point

Q = (x^{'}, y^{'})

in the twisted curve

E^{'} (F_{p^{2}})

and a point

P = (x, y)

in the curve

E (F_{p})

, the evaluation at

P

of the line passing through

φ (Q)

is given by:

ℓ_{φ (Q), φ (Q)} (P) = w (3 x^{' 3} - 2 y^{' 2}) + w^{3} (- 3 x x^{' 2}) + w^{4} (2 y y^{'})

Final Exponentiation

In the final exponentiation, we raise an element

f \in F_{p^{12}}

to the power

(p^{12} - 1) / r

First, divide the exponent as follows:

\frac{p^{12} - 1}{r} = \underset{easy part}{\underset{⏟}{(p^{6} - 1) (p^{2} + 1)}} \underset{hard part}{\underset{⏟}{\frac{p^{4} - p^{2} + 1}{r}}}

The Easy Part

Let's start with the easy part of the easy part, when we first attempt to compute

f^{p^{6} - 1}

. But since,

f^{p^{6}} = \bar{f}

, we have

f^{p^{6} - 1} = \bar{f} \cdot f^{- 1}

, just one conjugate, one inversion and one multiplication in

F_{p^{12}}

To finish the easy part, we first compute

(f^{(p^{6} - 1)})^{p^{2}}

which is the Frobenius operator applied to

f^{p^{6} - 1}

and then multiply the result by

f^{p^{6} - 1}

to finally obtain

m := f^{(p^{6} - 1) (p^{2} + 1)} \in F_{p^{12}}

Importantly, after the computation of the easy part, the resulting field element becomes a member of the cyclotomic subgroup

G_{ϕ_{6} (p^{2})} = G_{ϕ_{12} (p)} = {a \in F_{p^{12}} ∣ a^{ϕ_{12} (p)} = a^{p^{4} - p^{2} + 1} = a^{p^{6} + 1} = 1}

, which means that inversion from now on can be computed by simply conjugation. Moreover, when an element

a

belongs to

G_{ϕ_{6} (p^{2})}

, one can compute

a^{2}

using fewer multiplications and therefore the overall costs of performing exponentiations (see this section).

The Hard Part

Following Section 5 of this 2020/875, we can write:

\frac{p^{4} - p^{2} + 1}{r} = \frac{(| x | + 1)^{2} \cdot (p - | x |) \cdot (x^{2} + p^{2} - 1)}{3} + 1.

To compute it, we proceed as follows:





































def hard_part(m):
    x = abs(x)
    
    # 1] m^{(x+1)/3}
    y1 = m**((x+1)/3)
    
    # 2] m^{(x+1)^2/3}
    y2 = y1**(x+1)
    
    # 3.1] m^{(x+1)^2/3*-x}
    y31 = conjugate(y2)**x
    
    # 3.2] m^{(x+1)^2/3*p}
    y32 = Frobenius1(y2)
    
    # 4] m^{(x+1)^2/3*(p-x)}
    y4 = y31*y32
    
    # 5.1] m^{(x+1)^2/3*(p-x)*x^2}
    y51 = (y4**x)**x
    
    # 5.2] m^{(x+1)^2/3*(p-x)*p^2}
    y52 = Frobenius2(y4)
    
    # 5.3] m^{(x+1)^2/3*(p-x)*-1}
    y53 = conjugate(y4)
    
    # 6] m^{(x+1)^2/3*(p-x)*(x^2+p^2)}
    y6 = y51*y52
    
    # 7] m^{(x+1)^2/3*(p-x)*(x^2+p^2-1)}
    y7 = y6*y53
    
    # 8] m^{(x+1)^2/3*(p-x)*(x^2+p^2-1)+1}
    y8 = y7*m

    return y8

(recall that, at this point, computing the conjugate is the same as computing the inverse)

Frobenius Operator

As we have shown, in the final exponentation we must compute the first and second Frobenius operator

π_{p}, π_{p}^{2}

over an element in

F_{p^{12}}

. Recalling that

π_{p}^{i} (x) = x^{p^{i}}

, a naive implementation would take

O (\log p)

F_{p^{12}}

-operations, but we will do it much better.

Recall that we can write any element

f \in F_{p^{12}}

as:

f = g + h w = g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5}

where

g = g_{0} + g_{1} v + g_{2} v^{2}

and

h = h_{0} + h_{1} v + h_{2} v^{2}

with

g, h \in F_{p^{6}}

and

g_{i}, h_{i} \in F_{p^{2}}

Then, we have:

\begin{array}{r} f^{p} = {\bar{g}}_{0} + {\bar{h}}_{0} γ_{1, 1} w + {\bar{g}}_{1} γ_{1, 2} w^{2} + {\bar{h}}_{1} γ_{1, 3} w^{3} + {\bar{g}}_{2} γ_{1, 4} w^{4} + {\bar{h}}_{2} γ_{1, 5} w^{5}, \\ f^{p^{2}} = g_{0} + h_{0} γ_{2, 1} w + g_{1} γ_{2, 2} w^{2} + h_{1} γ_{2, 3} w^{3} + g_{2} γ_{2, 4} w^{4} + h_{2} γ_{2, 5} w^{5}, \end{array}

with

γ_{1, i} = (1 + u)^{i \frac{p - 1}{6}}

and

γ_{2, i} = (1 + u)^{i \frac{p^{2} - 1}{6}} = γ_{1, i} \cdot {\bar{γ}}_{1, i}

Expand to see the proof

We will now show that raising an

F_{p^{2}}

-element over any power of

p

is almost cost free and therefore so is raising

f

Take
$b = b_{0} + b_{1} u \in F_{p^{2}}$ with
$b_{0}, b_{1} \in F_{p}$ . Then,
$b^{p^{2 i}} = b_{0} + b_{1} (u^{(p^{2})^{i}}) = b_{0} + b_{1} u = b$ from Lagrange theorem. Similarly,
$b^{p^{2 i - 1}} = \frac{b^{p^{2 i}}}{b^{p^{2}} \cdot b^{p}} = \frac{b}{b \cdot b^{- p}} = \frac{1}{b^{- p}} = b^{p} = \bar{b}$ .
Notice
$w^{p} = (w^{6})^{\frac{p - 1}{6}} w = (1 + u)^{\frac{p - 1}{6}} w$ and therefore
$(w^{i})^{p} = γ_{1, i} w^{i}$ , where
$γ_{1, i} = (1 + u)^{i \frac{p - 1}{6}}$ .

Using all the previous observations, we have:

\begin{aligned} f^{p} & = (g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5})^{p} \\ = {\bar{g}}_{0} + {\bar{h}}_{0} w^{p} + {\bar{g}}_{1} w^{2 p} + {\bar{h}}_{1} w^{3 p} + {\bar{g}}_{2} w^{4 p} + {\bar{h}}_{2} w^{5} \\ = {\bar{g}}_{0} + {\bar{h}}_{0} γ_{1, 1} w + {\bar{g}}_{1} γ_{1, 2} w^{2} + {\bar{h}}_{1} γ_{1, 3} w^{3} + {\bar{g}}_{2} γ_{1, 4} w^{4} + {\bar{h}}_{2} γ_{1, 5} w^{5}, \end{aligned}

which can be computed using a few multiplications and a few conjugations, assuming each

γ_{1, i}

is pre-computed for

i \in [5]

Similarly, notice

w^{p^{2}} = (1 + u)^{\frac{p^{2} - 1}{6}} w = (γ_{1, 1})^{1 + p} w = γ_{1, 1} \cdot {\bar{γ}}_{1, 1} w

and therefore

(w^{i})^{p^{2}} = γ_{2, i} w^{i}

, where

γ_{2, i} = γ_{1, i} \cdot {\bar{γ}}_{1, i}

Hence, assuming the precomputation of

γ_{1, i}, γ_{2, i}

for

i \in [5]

, we can compute

f^{p}

and

f^{p^{2}}

almost for free.

Speeding up Exponentiations in the Cyclotomic Subgroup

I follow 2010/542 closely for this section.

Recall that:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} + 1), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - (1 + u)), \\ F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v) . \end{aligned}

and also:

F_{p^{12}} = F_{p^{2}} [w] / (w^{6} - (1 + u))

For this optimitzation, it will be useful to introduce

F_{p^{4}}

and represent

F_{p^{12}}

as a degree-3 extension of

F_{p^{4}}

\begin{aligned} F_{p^{4}} & = F_{p^{2}} [V] / (V^{2} - (1 + u)), \\ F_{p^{12}} & = F_{p^{4}} [w] / (w^{3} - V), \end{aligned}

where

V = w^{3}

; so that an element

f

F_{p^{12}}

can be written as

f = (g_{0} + g_{1} V) + (g_{2} + g_{3} V) w + (g_{4} + g_{5} V) w^{2}

. We can equivalently write

f = g_{0} + g_{2} w + g_{4} w^{2} + g_{1} w^{3} + g_{3} w^{4} + g_{5} w^{5}

These optimizations are due to "compression" and "decompression" techniques, which exploits the algebraic relationships arising from elements belonging to the cyclotomic subgroup

G_{ϕ_{6} (p^{2})}

Compression and Decompression

f = g_{0} + g_{2} w + g_{4} w^{2} + g_{1} w^{3} + g_{3} w^{4} + g_{5} w^{5} \in G_{ϕ_{6} (p^{2})}

then the compression function

C

is:

C (f) = [g_{2}, g_{3}, g_{4}, g_{5}] .

and the decompression function

D

is:

D ([{\tilde{g}}_{2}, {\tilde{g}}_{3}, {\tilde{g}}_{4}, {\tilde{g}}_{5}]) = {\tilde{g}}_{0} + {\tilde{g}}_{2} w + {\tilde{g}}_{4} w^{2} + {\tilde{g}}_{1} w^{3} + {\tilde{g}}_{3} w^{4} + {\tilde{g}}_{5} w^{5},

where:

{\begin{cases} {\tilde{g}}_{1} = \frac{{\tilde{g}}_{5}^{2} (1 + u) + 3 {\tilde{g}}_{4}^{2} - 2 {\tilde{g}}_{3}}{4 {\tilde{g}}_{2}}, {\tilde{g}}_{0} = (2 {\tilde{g}}_{1}^{2} + {\tilde{g}}_{2} {\tilde{g}}_{5} - 3 {\tilde{g}}_{3} {\tilde{g}}_{4}) (1 + u) + 1, & if {\tilde{g}}_{2} \neq 0 \\ {\tilde{g}}_{1} = \frac{2 {\tilde{g}}_{4} {\tilde{g}}_{5}}{{\tilde{g}}_{3}}, {\tilde{g}}_{0} = (2 {\tilde{g}}_{1}^{2} - 3 {\tilde{g}}_{3} {\tilde{g}}_{4}) (1 + u) + 1, & if {\tilde{g}}_{2} = 0 \end{cases}

Compressed Squaring

Now, on input

f \in G_{ϕ_{6} (p^{2})}

we will be able to compute its square on compressed form. That is,

C (f^{2}) = [h_{2}, h_{3}, h_{4}, h_{5}]

, where

h = f^{2} = h_{0} + h_{2} w + h_{4} w^{2} + h_{1} w^{3} + h_{3} w^{4} + h_{5} w^{5}

\begin{aligned} h_{2} & = 2 (g_{2} + 3 (1 + u) B_{4, 5}), \\ h_{3} & = 3 (A_{4, 5} - (2 + u) B_{4, 5}) - 2 g_{3}, \\ h_{4} & = 3 (A_{2, 3} - (2 + u) B_{2, 3}) - 2 g_{4}, \\ h_{5} & = 2 (g_{5} + 3 B_{2, 3}), \\ A_{i, j} & = (g_{i} + g_{j}) (g_{i} + (1 + u) g_{j}), \\ B_{i, j} & = g_{i} \cdot g_{j} . \end{aligned}

Exponentiation in the Cyclotomic Subgroup

Given

f \in G_{ϕ_{6} (p^{2})} \subset F_{p^{12}}^{*}

and

e \geq 1

, the idea is to compute

f^{e}

using the squaring formula in compressed form.

Represent

e

in binary as

e = e_{ℓ - 1} e_{ℓ - 2} \dots e_{1} e_{0}

with

e_{ℓ - 1} = 1

and define

H_{e} = {i : 1 \leq i \leq ℓ - 1 and e_{i} = 1}

. Then:

f^{e} = \prod_{i = 0}^{ℓ - 1} f^{e_{i} \cdot 2^{i}} = \prod_{i = 0}^{ℓ - 1} (f^{2^{i}})^{e_{i}} = f^{e_{0}} \prod_{i \in H_{e}} D (C (f)^{2^{i}}) .

Therefore, we can use the square-and-multiply algorithm to compute such product. Since we are going to be squaring in compressed form, we start at

C (f)

rather than the standard

f

in such algorithm.












def exp_cyclo(f,e):
    Cf = comp(f);
    result = 1;
    for i in range(len(e)):
        if (e[i] == 1) {
            result = decomp(Cf) * result;
        }

        Cf = square_comp(Cf);
    }

    return result;

Resources

The endomorphism
$σ$ acts as a multiplication map
$[λ] P$ , where
$λ = t^{2} - 1$ . ↩︎

Computing the Optimal Ate Pairing over the BLS12-381 Curve

The Curve

Tower of Extension Fields

Twist

The Pairing

Subgroup Checks

Line Equations

Different Points

The Same Points

Final Exponentiation

The Easy Part

The Hard Part

Frobenius Operator

Speeding up Exponentiations in the Cyclotomic Subgroup

Compression and Decompression

Compressed Squaring

Exponentiation in the Cyclotomic Subgroup

Resources

Read more

Elliptic Curves over Goldilocks

Fflonk

Computing the Optimal Ate Pairing over the BN254 Curve

The Sponge Construction in Polygon zkEVM