chore: Native curve audit - pairing#21104
Merged
federicobarbacovi merged 16 commits intoMar 11, 2026
Merged
Conversation
| @@ -239,12 +197,7 @@ template <typename quadratic_field, typename base_field, typename Fq12Params> cl | |||
| }; | |||
| } | |||
|
|
|||
Contributor
Author
There was a problem hiding this comment.
I tried implementing cyclotomic squaring as explained in https://eprint.iacr.org/2010/542.pdf (and use the squaring to compute powers). It wasn't faster than the current implementation. While squaring in compressed form uses fewer operations, decompression requires an inversion. During an exponentation, we need to decompress many times. I tried to use a batch inversion trick, but that stil didn't make the calculation faster. For this reason, I removed the implementation (which is present in the history of this branch) in favour of simpler code.
| file(GLOB_RECURSE TEST_SOURCE_FILES *.test.cpp) | ||
| file(GLOB_RECURSE BENCH_SOURCE_FILES *.bench.cpp) | ||
| file(GLOB_RECURSE FUZZERS_SOURCE_FILES *.fuzzer.cpp) | ||
| file(GLOB_RECURSE SOURCE_FILES CONFIGURE_DEPENDS *.cpp) |
Contributor
Author
There was a problem hiding this comment.
Auto re-discover some files. Discussed with @ludamad and he's ok with it
Contributor
There was a problem hiding this comment.
thanks, this is helpful!
federicobarbacovi
requested review from
Copilot and
notnotraju
and removed request for
Copilot
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 6, 2026
| constexpr bool operator==(const field6& other) const { return c0 == other.c0 && c1 == other.c1 && c2 == other.c2; } | ||
|
|
||
| /** | ||
| * @brief Multiply a field6 element by a0 + a1 * v. |
notnotraju
reviewed
Mar 6, 2026
| { | ||
| base_field A = a0 * c0; | ||
| base_field B = a1 * c1; | ||
| base_field C = Fq6Params::mul_by_non_residue(a1 * c2); |
Contributor
There was a problem hiding this comment.
I won't complain if you change the name of the mul_by_non_residue method, it confused me!
notnotraju
reviewed
Mar 6, 2026
|
|
||
| constexpr void final_exponentiation_easy_part(const fq12& elt, fq12& r); | ||
| * | ||
| * @details When calculating pairings, point operations are calculated via an ad-hoc method, so it's more sensible to |
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 6, 2026
notnotraju
reviewed
Mar 10, 2026
notnotraju
approved these changes
Mar 10, 2026
notnotraju
left a comment
notnotraju
left a comment
Contributor
There was a problem hiding this comment.
Looks great, thank you! A few tiny nits here and there.
federicobarbacovi
force-pushed
the
fb/native_curve_audit_pairing
branch
from
eaed213 to
7d20477
Compare
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 11, 2026
BEGIN_COMMIT_OVERRIDE chore: Native curve audit - pairing (#21104) feat: batch hiding kernel and translator proofs (#21246) fix: remove obsolete KZG:masking_challenge from batched translator expected manifest (#21371) fix: add TLS alignment pad to fix x86_64-macos segfault (#21372) END_COMMIT_OVERRIDE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🧾 Audit Context
ecc/curve audit: pairing. In this PR we add documentation and testing for pairings. We also rewrite the implementation of the Miller loop to follow standard references.
🛠️ Changes Made
Note: I tried implementing cyclotomic squaring but the result was not faster than the current implementation (it was slower). The problem is the inversion that is required to decompress the squaring (which were computed in compressed form). Even using a batch inversion trick didn't help. The paper I tried to implement is: https://eprint.iacr.org/2010/542.pdf
✅ Checklist
📌 Notes for Reviewers
(Optional) Call out anything that reviewers should pay close attention to — like logic changes, performance implications, or potential regressions.