EcPairing EVM Circuit Gadget (Valid Inputs) (#675)

* feat(bus-mapping): ecPairing and refactor

* feat(circuits): ecPairing

* wip

* checks for evm_input_rlc

* fix: input rlc (ecc circuit) for ecPairing

* refactor copy circuit test (max rows changed)

* chore: docs for padding pairs

---------

Co-authored-by: Zhang Zhuo <[email protected]>

Author: roynalnaruto

bus-mapping/src/circuit_input_builder.rs

@@ -37,8 +37,8 @@ use ethers_core::{
 use ethers_providers::JsonRpcClient;
 pub use execution::{
     CopyBytes, CopyDataType, CopyEvent, CopyEventStepsBuilder, CopyStep, EcAddOp, EcMulOp,
-    EcPairingOp, ExecState, ExecStep, ExpEvent, ExpStep, NumberOrHash, PrecompileEvent,
-    PrecompileEvents,
+    EcPairingOp, EcPairingPair, ExecState, ExecStep, ExpEvent, ExpStep, NumberOrHash,
+    PrecompileEvent, PrecompileEvents, N_BYTES_PER_PAIR, N_PAIRING_PER_OP,
 };
 use hex::decode_to_slice;
 
@@ -116,7 +116,7 @@ impl Default for CircuitsParams {
             max_inner_blocks: 64,
             // TODO: Check whether this value is correct or we should increase/decrease based on
             // this lib tests
-            max_copy_rows: 1000,
+            max_copy_rows: 2000,
             max_mpt_rows: 1000,
             max_exp_steps: 1000,
             max_bytecode: 512,

bus-mapping/src/circuit_input_builder/execution.rs

@@ -1060,53 +1060,117 @@ impl EcMulOp {
 /// call are < 4, we append (G1::infinity, G2::generator) until we have the required no. of inputs.
 pub const N_PAIRING_PER_OP: usize = 4;
 
+/// The number of bytes taken to represent a pair (G1, G2).
+pub const N_BYTES_PER_PAIR: usize = 192;
+
+/// Pair of (G1, G2).
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub struct EcPairingPair {
+    /// G1 point.
+    pub g1_point: G1Affine,
+    /// G2 point.
+    pub g2_point: G2Affine,
+}
+
+impl EcPairingPair {
+    /// Returns the big-endian representation of the G1 point in the pair.
+    pub fn g1_bytes_be(&self) -> Vec<u8> {
+        std::iter::empty()
+            .chain(self.g1_point.x.to_bytes().iter().rev())
+            .chain(self.g1_point.y.to_bytes().iter().rev())
+            .cloned()
+            .collect()
+    }
+
+    /// Returns the big-endian representation of the G2 point in the pair.
+    pub fn g2_bytes_be(&self) -> Vec<u8> {
+        std::iter::empty()
+            .chain(self.g2_point.x.c0.to_bytes().iter().rev())
+            .chain(self.g2_point.x.c1.to_bytes().iter().rev())
+            .chain(self.g2_point.y.c0.to_bytes().iter().rev())
+            .chain(self.g2_point.y.c1.to_bytes().iter().rev())
+            .cloned()
+            .collect()
+    }
+
+    /// Returns the uncompressed big-endian byte representation of the (G1, G2) pair.
+    pub fn to_bytes_be(&self) -> Vec<u8> {
+        std::iter::empty()
+            .chain(self.g1_point.x.to_bytes().iter().rev())
+            .chain(self.g1_point.y.to_bytes().iter().rev())
+            .chain(self.g2_point.x.c0.to_bytes().iter().rev())
+            .chain(self.g2_point.x.c1.to_bytes().iter().rev())
+            .chain(self.g2_point.y.c0.to_bytes().iter().rev())
+            .chain(self.g2_point.y.c1.to_bytes().iter().rev())
+            .cloned()
+            .collect()
+    }
+
+    /// Create a new pair.
+    pub fn new(g1_point: G1Affine, g2_point: G2Affine) -> Self {
+        Self { g1_point, g2_point }
+    }
+
+    /// Padding pair for ECC circuit. The pairing check is done with a constant number
+    /// `N_PAIRING_PER_OP` of (G1, G2) pairs. The ECC circuit under the hood uses halo2-lib to
+    /// compute the multi-miller loop, which allows `(G1::Infinity, G2::Generator)` pair to skip
+    /// the loop for that pair. So in case the EVM inputs are less than `N_PAIRING_PER_OP` we pad
+    /// the ECC Circuit inputs by this pair. Any EVM input of `(G1::Infinity, G2)` or
+    /// `(G1, G2::Infinity)` is also transformed into `(G1::Infinity, G2::Generator)`.
+    pub fn ecc_padding() -> Self {
+        Self {
+            g1_point: G1Affine::identity(),
+            g2_point: G2Affine::generator(),
+        }
+    }
+
+    /// Padding pair for EVM circuit. The pairing check is done with a constant number
+    /// `N_PAIRING_PER_OP` of (G1, G2) pairs. In case EVM inputs are less in number, we pad them
+    /// with `(G1::Infinity, G2::Infinity)` for simplicity.
+    pub fn evm_padding() -> Self {
+        Self {
+            g1_point: G1Affine::identity(),
+            g2_point: G2Affine::identity(),
+        }
+    }
+}
+
 /// EcPairing operation
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq, Eq)]
 pub struct EcPairingOp {
-    /// tuples of G1 and G2 points.
-    pub inputs: [(G1Affine, G2Affine); N_PAIRING_PER_OP],
+    /// tuples of G1 and G2 points supplied to the ECC circuit.
+    pub pairs: [EcPairingPair; N_PAIRING_PER_OP],
     /// Result from the pairing check.
     pub output: Word,
 }
 
 impl Default for EcPairingOp {
     fn default() -> Self {
+        let g1_point = G1Affine::generator();
+        let g2_point = G2Affine::generator();
         Self {
-            inputs: [
-                (G1Affine::generator(), G2Affine::generator()),
-                (G1Affine::identity(), G2Affine::generator()),
-                (G1Affine::identity(), G2Affine::generator()),
-                (G1Affine::identity(), G2Affine::generator()),
+            pairs: [
+                EcPairingPair { g1_point, g2_point },
+                EcPairingPair { g1_point, g2_point },
+                EcPairingPair { g1_point, g2_point },
+                EcPairingPair { g1_point, g2_point },
             ],
             output: Word::zero(),
         }
     }
 }
 
 impl EcPairingOp {
-    /// Returns the uncompressed little-endian byte representation of inputs to the EcPairingOp.
-    pub fn to_bytes_le(&self) -> Vec<u8> {
-        self.inputs
+    /// Returns the uncompressed big-endian byte representation of inputs to the EcPairingOp.
+    pub fn to_bytes_be(&self) -> Vec<u8> {
+        self.pairs
             .iter()
-            .flat_map(|i| {
-                std::iter::empty()
-                    .chain(i.0.x.to_bytes().iter())
-                    .chain(i.0.y.to_bytes().iter())
-                    .chain(i.1.x.c0.to_bytes().iter())
-                    .chain(i.1.x.c1.to_bytes().iter())
-                    .chain(i.1.y.c0.to_bytes().iter())
-                    .chain(i.1.y.c1.to_bytes().iter())
-                    .cloned()
-                    .collect::<Vec<u8>>()
-            })
+            .flat_map(|pair| pair.to_bytes_be())
             .collect::<Vec<u8>>()
     }
 
     /// A check on the op to tell the ECC Circuit whether or not to skip the op.
     pub fn skip_by_ecc_circuit(&self) -> bool {
-        self.inputs[0].0.is_identity().into()
-            && self.inputs[1].0.is_identity().into()
-            && self.inputs[2].0.is_identity().into()
-            && self.inputs[3].0.is_identity().into()
+        false
     }
 }

bus-mapping/src/evm/opcodes/precompiles/ec_add.rs

@@ -1,14 +1,12 @@
 use crate::{
-    circuit_input_builder::{CircuitInputStateRef, EcAddOp, ExecStep, PrecompileEvent},
+    circuit_input_builder::{EcAddOp, PrecompileEvent},
     precompile::{EcAddAuxData, PrecompileAuxData},
 };
 
-pub(crate) fn handle(
+pub(crate) fn opt_data(
     input_bytes: Option<Vec<u8>>,
     output_bytes: Option<Vec<u8>>,
-    state: &mut CircuitInputStateRef,
-    exec_step: &mut ExecStep,
-) {
+) -> (Option<PrecompileEvent>, Option<PrecompileAuxData>) {
     let input_bytes = input_bytes.map_or(vec![0u8; 128], |mut bytes| {
         bytes.resize(128, 0u8);
         bytes
@@ -19,8 +17,10 @@ pub(crate) fn handle(
     });
 
     let aux_data = EcAddAuxData::new(&input_bytes, &output_bytes);
-    exec_step.aux_data = Some(PrecompileAuxData::EcAdd(aux_data));
-
     let ec_add_op = EcAddOp::new_from_bytes(&input_bytes, &output_bytes);
-    state.push_precompile_event(PrecompileEvent::EcAdd(ec_add_op));
+
+    (
+        Some(PrecompileEvent::EcAdd(ec_add_op)),
+        Some(PrecompileAuxData::EcAdd(aux_data)),
+    )
 }

bus-mapping/src/evm/opcodes/precompiles/ec_mul.rs

@@ -1,14 +1,12 @@
 use crate::{
-    circuit_input_builder::{CircuitInputStateRef, EcMulOp, ExecStep, PrecompileEvent},
+    circuit_input_builder::{EcMulOp, PrecompileEvent},
     precompile::{EcMulAuxData, PrecompileAuxData},
 };
 
-pub(crate) fn handle(
+pub(crate) fn opt_data(
     input_bytes: Option<Vec<u8>>,
     output_bytes: Option<Vec<u8>>,
-    state: &mut CircuitInputStateRef,
-    exec_step: &mut ExecStep,
-) {
+) -> (Option<PrecompileEvent>, Option<PrecompileAuxData>) {
     let input_bytes = input_bytes.map_or(vec![0u8; 96], |mut bytes| {
         bytes.resize(96, 0u8);
         bytes
@@ -19,8 +17,10 @@ pub(crate) fn handle(
     });
 
     let aux_data = EcMulAuxData::new(&input_bytes, &output_bytes);
-    exec_step.aux_data = Some(PrecompileAuxData::EcMul(aux_data));
-
     let ec_mul_op = EcMulOp::new_from_bytes(&input_bytes, &output_bytes);
-    state.push_precompile_event(PrecompileEvent::EcMul(ec_mul_op));
+
+    (
+        Some(PrecompileEvent::EcMul(ec_mul_op)),
+        Some(PrecompileAuxData::EcMul(aux_data)),
+    )
 }

bus-mapping/src/evm/opcodes/precompiles/ec_pairing.rs

@@ -0,0 +1,119 @@
+use eth_types::{ToLittleEndian, U256};
+use halo2_proofs::halo2curves::{
+    bn256::{Fq, Fq2, G1Affine, G2Affine},
+    group::cofactor::CofactorCurveAffine,
+};
+
+use crate::{
+    circuit_input_builder::{
+        EcPairingOp, EcPairingPair, PrecompileEvent, N_BYTES_PER_PAIR, N_PAIRING_PER_OP,
+    },
+    precompile::{EcPairingAuxData, PrecompileAuxData},
+};
+
+pub(crate) fn opt_data(
+    input_bytes: Option<Vec<u8>>,
+    output_bytes: Option<Vec<u8>>,
+) -> (Option<PrecompileEvent>, Option<PrecompileAuxData>) {
+    // assertions.
+    let output_bytes = output_bytes.expect("precompile should return at least 0 on failure");
+    debug_assert_eq!(output_bytes.len(), 32, "ecPairing returns EVM word: 1 or 0");
+    let pairing_check = output_bytes[31];
+    debug_assert!(
+        pairing_check == 1 || pairing_check == 0,
+        "ecPairing returns 1 or 0"
+    );
+    debug_assert_eq!(output_bytes.iter().take(31).sum::<u8>(), 0);
+    if input_bytes.is_none() {
+        debug_assert_eq!(pairing_check, 1);
+    }
+
+    let (op, aux_data) = if let Some(input) = input_bytes {
+        debug_assert!(
+            input.len() % N_BYTES_PER_PAIR == 0
+                && input.len() <= N_PAIRING_PER_OP * N_BYTES_PER_PAIR
+        );
+        // process input bytes.
+        let (mut ecc_pairs, mut evm_pairs): (Vec<EcPairingPair>, Vec<EcPairingPair>) = input
+            .chunks_exact(N_BYTES_PER_PAIR)
+            .map(|chunk| {
+                // process 192 bytes chunk at a time.
+                // process g1.
+                let g1_point = {
+                    let g1_x =
+                        Fq::from_bytes(&U256::from_big_endian(&chunk[0x00..0x20]).to_le_bytes())
+                            .unwrap();
+                    let g1_y =
+                        Fq::from_bytes(&U256::from_big_endian(&chunk[0x20..0x40]).to_le_bytes())
+                            .unwrap();
+                    G1Affine { x: g1_x, y: g1_y }
+                };
+                // process g2.
+                let g2_point = {
+                    let g2_x1 =
+                        Fq::from_bytes(&U256::from_big_endian(&chunk[0x40..0x60]).to_le_bytes())
+                            .unwrap();
+                    let g2_x2 =
+                        Fq::from_bytes(&U256::from_big_endian(&chunk[0x60..0x80]).to_le_bytes())
+                            .unwrap();
+                    let g2_y1 =
+                        Fq::from_bytes(&U256::from_big_endian(&chunk[0x80..0xA0]).to_le_bytes())
+                            .unwrap();
+                    let g2_y2 =
+                        Fq::from_bytes(&U256::from_big_endian(&chunk[0xA0..0xC0]).to_le_bytes())
+                            .unwrap();
+                    G2Affine {
+                        x: Fq2 {
+                            c0: g2_x1,
+                            c1: g2_x2,
+                        },
+                        y: Fq2 {
+                            c0: g2_y1,
+                            c1: g2_y2,
+                        },
+                    }
+                };
+
+                let evm_circuit_pair = EcPairingPair { g1_point, g2_point };
+                let ecc_circuit_pair =
+                    if g1_point.is_identity().into() || g2_point.is_identity().into() {
+                        EcPairingPair::ecc_padding()
+                    } else {
+                        evm_circuit_pair
+                    };
+                (ecc_circuit_pair, evm_circuit_pair)
+            })
+            .unzip();
+        ecc_pairs.resize(N_PAIRING_PER_OP, EcPairingPair::ecc_padding());
+        evm_pairs.resize(N_PAIRING_PER_OP, EcPairingPair::evm_padding());
+        (
+            EcPairingOp {
+                pairs: <[_; N_PAIRING_PER_OP]>::try_from(ecc_pairs).unwrap(),
+                output: pairing_check.into(),
+            },
+            EcPairingAuxData(EcPairingOp {
+                pairs: <[_; N_PAIRING_PER_OP]>::try_from(evm_pairs).unwrap(),
+                output: pairing_check.into(),
+            }),
+        )
+    } else {
+        // if no input bytes.
+        let ecc_pairs = [EcPairingPair::ecc_padding(); N_PAIRING_PER_OP];
+        let evm_pairs = [EcPairingPair::evm_padding(); N_PAIRING_PER_OP];
+        (
+            EcPairingOp {
+                pairs: ecc_pairs,
+                output: pairing_check.into(),
+            },
+            EcPairingAuxData(EcPairingOp {
+                pairs: evm_pairs,
+                output: pairing_check.into(),
+            }),
+        )
+    };
+
+    (
+        Some(PrecompileEvent::EcPairing(Box::new(op))),
+        Some(PrecompileAuxData::EcPairing(Box::new(aux_data))),
+    )
+}

bus-mapping/src/evm/opcodes/precompiles/ecrecover.rs

@@ -5,16 +5,14 @@ use eth_types::{
 use halo2_proofs::halo2curves::secp256k1::Fq;
 
 use crate::{
-    circuit_input_builder::{CircuitInputStateRef, ExecStep, PrecompileEvent},
+    circuit_input_builder::PrecompileEvent,
     precompile::{EcrecoverAuxData, PrecompileAuxData},
 };
 
-pub(crate) fn handle(
+pub(crate) fn opt_data(
     input_bytes: Option<Vec<u8>>,
     output_bytes: Option<Vec<u8>>,
-    state: &mut CircuitInputStateRef,
-    exec_step: &mut ExecStep,
-) {
+) -> (Option<PrecompileEvent>, Option<PrecompileAuxData>) {
     let input_bytes = input_bytes.map_or(vec![0u8; 128], |mut bytes| {
         bytes.resize(128, 0u8);
         bytes
@@ -44,19 +42,22 @@ pub(crate) fn handle(
                 msg_hash: Fq::from_bytes(&aux_data.msg_hash.to_be_bytes()).unwrap(),
             };
             assert_eq!(aux_data.recovered_addr, sign_data.get_addr());
-            state.push_precompile_event(PrecompileEvent::Ecrecover(sign_data));
+            (
+                Some(PrecompileEvent::Ecrecover(sign_data)),
+                Some(PrecompileAuxData::Ecrecover(aux_data)),
+            )
         } else {
             log::warn!(
                 "could not recover pubkey. ecrecover aux_data={:?}",
                 aux_data
             );
+            (None, Some(PrecompileAuxData::Ecrecover(aux_data)))
         }
     } else {
         log::warn!(
             "invalid recoveryId for ecrecover. sig_v={:?}",
             aux_data.sig_v
         );
+        (None, Some(PrecompileAuxData::Ecrecover(aux_data)))
     }
-
-    exec_step.aux_data = Some(PrecompileAuxData::Ecrecover(aux_data));
 }