ecPairing

README.md

@@ -11,15 +11,27 @@ In the next weeks we will add more optimizations and benchmarks.
 | --- | --- | --- |
 | ecAdd | ✅ | ✅ |
 | ecMul | ✅ | ✅ |
-| ecPairing | 🏗️ | ❌ |
+| ecPairing | ✅ | ✅ |
 | modexp | ✅ | 🏗️ |
 
 ## Summary
 
 - `ecAdd` is optimized with finite field arithmetic in Montgomery form and optimized modular inverse with a modification of the binary extended Euclidean algorithm that skips the Montgomery reduction step for inverting. There is not much more room for optimizations, maybe we could think of Montgomery squaring (SOS) to improve the finite field squaring.
 - `ecMul` is optimized with finite field arithmetic in Montgomery form, optimized modular inverse with a modification of the binary extended Euclidean algorithm that skips the Montgomery reduction step for inverting, and the elliptic curve point arithmetic is being done in homogeneous projective coordinates. There are some other possible optimizations to implement, one is the one discussed in the Slack channel (endomorphism: GLV or wGLV), the [windowed method](https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Windowed_method), the [sliding-window method](https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Sliding-window_method), [wNAF (windowed non-adjacent form)](https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#w-ary_non-adjacent_form_(wNAF)_method) to improve the elliptic curve point arithmetic, and Montgomery squaring (SOS) to improve the finite field squaring, Jacobian projective coordinates (this would have similar performance and gas costs as working with the homogeneous projective coordinates but it would be free to add it since we need this representation for `ecPairing`).
 - `modexp` status: TODO
-- `ecPairing` will be implemented as it is detailed in this document. We currently have the towered field extensions working and started working on the line functions for the addition and the double step of the miller loop.
+- `ecPairing`:
+    We have based our algorithm implementation primarily on the guidelines presented in the paper ["High-Speed Software Implementation of the Optimal Ate Pairing over Barreto–Naehrig Curves"](https://eprint.iacr.org/2010/354.pdf) . This implementation includes the utilization of Tower Extension Field Arithmetic and the Frobenius Operator.
+
+    To enhance the performance of the Miller loop, we have incorporated specific optimizations, we have optimized line evaluation based on the techniques outlined in ["The Realm of the Pairings"](https://eprint.iacr.org/2013/722.pdf) . Also, instead of using Jacobian coordinates, we have adopted projective coordinates. This choice is particularly advantageous given the large inversion/multiplication ratio in this context.
+
+    In the final exponentiation phase, we have integrated the methods presented in ["Memory-saving computation of the pairing final exponentiation on BN curves"](https://eprint.iacr.org/2015/192.pdf). This includes the Fuentes et al. method and the addition chain. We have also applied Faster Squaring in the Cyclotomic Subgroup, as described in [”Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions”](https://eprint.iacr.org/2009/565.pdf).
+
+    **Remaining Optimizations:** While our implementation has achieved notable results, there are still some straightforward optimizations that can be implemented:
+
+    - **Initial Iterations of Miller Loop:** We can avoid unnecessary multiplications by handling the first iterations of the Miller loop separately.
+    - **Optimizing Accumulated Value:** We are currently naively multiplying two fp12 elements, which contain many zeros. Modifying this calculation could enhance efficiency.
+
+    **Future Investigations:**  We need to investigate the reliability of additional optimizations, such as the application of the GLV method for multiplication of rational points of elliptic curves.
 
 
 # Used algorithms
@@ -35,12 +47,7 @@ In the next weeks we will add more optimizations and benchmarks.
 
 ## Resources
 
-- [EVM precompiles list](https://www.evm.codes/precompiled?fork=shanghai)
-- [EIP-196: Precompiled contracts for addition and scalar multiplication on the elliptic curve alt_bn128](https://eips.ethereum.org/EIPS/eip-196)
-- [EIP-197: Precompiled contracts for optimal ate pairing check on the elliptic curve alt_bn128](https://eips.ethereum.org/EIPS/eip-197)
-- [EIP-198: Big integer modular exponentiation](https://eips.ethereum.org/EIPS/eip-198)
-- [EIP-1108: Reduce alt_bn128 precompile gas costs](https://eips.ethereum.org/EIPS/eip-1108)
-- [EIP-2565: ModExp Gas Cost](https://eips.ethereum.org/EIPS/eip-2565)
+You can find a curated list of helpful resources that we've used for guiding our implementations in [References](./References.md)
 
 ## Development