03/03/2022:

BLS12-377 / BW6 <- Justin talks about Zexe , 2chain of curve

$E_1(F_q)$ of order $r$ $E_2(F_t)$ of order $q$ <-- circuits in $F_q$ , means I can express group operations efficiently, $E_1(F_q) + E_1(F_q)$

$G_t$ is in $F_q^{12}$

Benchmark

Per iteration of the loop

In total:

6 * log(n) * GT_MUL + 6 * log(n) * Scalar_mul

for n = 2**30

math.log2(n) * (6gtmul + 6scmul) 7031880.0 constraints

Justin says 1000 for $F_r$ non native arithmetic multiplication

3 Fr multiplication per round of sumcheck

P(x1,x2,x3) = x1x2 + x2x3 + x1x3

P(x,r2,r3) → P(0,r2,r3) + P(1,r2,r3) → 2Fr + 2Fr + 1 ?? →

Prover sends (r2 + r3)x1 + r2r3, already in affine form so 2 Fr operation per evaluation

in total 2 * 2 + 1 = 5 Fr operation per “round” + hash(3 elements) ← 1000 constraints using Poseidon

Using non native field arithmetic, supposing 1000 constraints for Fr operations, it’s (1000*5+3000)*log(n) = 240000 constraints for n=2**30

Using sub Groth16 proof:

Need to do scalar multiplication on ALL the public inputs → log(n) elements in $F_r$

Spartan:

2 choices of “curves”:

BW6: One curve where circuit native in $F_q$ → native operations for Gt, “Non Native Arithmetic” for $F_r$
BLS12-377: ANother curve where circuit is native in $F_r$

Do a Groth16 proof for sumcheck, over $F_r$
Do a Groth16 proof for polynomial commitment + verification of first proof over $F_q$

F_r operatiopn can do natively
Problematic because 1-2 order of magnitude
Potential tricks: $r << q$ , that means we can embed one element $F_r$ directly in one $F_q$ , could potentialy write many operations, like add/mul and only doing the modulo at the end