Skip to content

Elliptic Curve Pairing

The pairing extension enables usage of the optimal Ate pairing check on the BN254 and BLS12-381 elliptic curves. The following field extension tower for Fp12\mathbb{F}_{p^{12}} is used for pairings in this crate:

Fp2=Fp[u]/(u2β)Fp6=Fp2[v]/(v3ξ)Fp12=Fp6[w]/(w2v)\mathbb{F_{p^2}} = \mathbb{F_{p}}[u]/(u^2 - \beta)\\ \mathbb{F_{p^6}} = \mathbb{F_{p^2}}[v]/(v^3 - \xi)\\ \mathbb{F_{p^{12}}} = \mathbb{F_{p^6}}[w]/(w^2 - v)

The main feature of the pairing extension is the pairing_check function, which asserts that a product of pairings evaluates to 1. For example, for the BLS12-381 curve,

    let res = Bls12_381::pairing_check(&[p0, -q0], &[p1, q1]);
    assert!(res.is_ok());

This asserts that e(p0,q0)e(p1,q1)=1e(p_0, q_0) e(p_1, q_1) = 1. Naturally, this can be extended to more points by adding more elements to the arrays.

The pairing extension additionally provides field operations in Fp12\mathbb{F}_{p^{12}} for both BN254 and BLS12-381 curves where F\mathbb{F} is the coordinate field.

See the Pairing guest library for usage details.