[fix] Added square-and-multiply fallback for final exponentiation for Bn254 and Bls12_381 curves (#23)

Added a fallback for final exponentiation in the pairing extension for
the case that the hint fails to prove that the final exponentiation is
equal to 1.

This is a temporary fix. We will scope out a better approach after the
security reviews.

Closes INT-3381

Author: Avaneesh-axiom

extensions/pairing/guest/src/bls12_381/mod.rs

@@ -657,3 +657,11 @@ impl PairingIntrinsics for Bls12_381 {
         ],
     ];
 }
+
+impl Bls12_381 {
+    // FINAL_EXPONENT = (p^12 - 1) / r in big-endian
+    // Validated by a test in test.rs
+    pub const FINAL_EXPONENT: [u8; 540] = hex!(
+        "02ee1db5dcc825b7e1bda9c0496a1c0a89ee0193d4977b3f7d4507d07363baa13f8d14a917848517badc3a43d1073776ab353f2c30698e8cc7deada9c0aadff5e9cfee9a074e43b9a660835cc872ee83ff3a0f0f1c0ad0d6106feaf4e347aa68ad49466fa927e7bb9375331807a0dce2630d9aa4b113f414386b0e8819328148978e2b0dd39099b86e1ab656d2670d93e4d7acdd350da5359bc73ab61a0c5bf24c374693c49f570bcd2b01f3077ffb10bf24dde41064837f27611212596bc293c8d4c01f25118790f4684d0b9c40a68eb74bb22a40ee7169cdc1041296532fef459f12438dfc8e2886ef965e61a474c5c85b0129127a1b5ad0463434724538411d1676a53b5a62eb34c05739334f46c02c3f0bd0c55d3109cd15948d0a1fad20044ce6ad4c6bec3ec03ef19592004cedd556952c6d8823b19dadd7c2498345c6e5308f1c511291097db60b1749bf9b71a9f9e0100418a3ef0bc627751bbd81367066bca6a4c1b6dcfc5cceb73fc56947a403577dfa9e13c24ea820b09c1d9f7c31759c3635de3f7a3639991708e88adce88177456c49637fd7961be1a4c7e79fb02faa732e2f3ec2bea83d196283313492caa9d4aff1c910e9622d2a73f62537f2701aaef6539314043f7bbce5b78c7869aeb2181a67e49eeed2161daf3f881bd88592d767f67c4717489119226c2f011d4cab803e9d71650a6f80698e2f8491d12191a04406fbc8fbd5f48925f98630e68bfb24c0bcb9b55df57510"
+    );
+}

extensions/pairing/guest/src/bls12_381/pairing.rs

@@ -18,8 +18,8 @@ use {
 
 use super::{Bls12_381, Fp, Fp12, Fp2};
 use crate::pairing::{
-    Evaluatable, EvaluatedLine, FromLineMType, LineMulMType, MillerStep, MultiMillerLoop,
-    PairingCheck, PairingCheckError, PairingIntrinsics, UnevaluatedLine,
+    exp_check_fallback, Evaluatable, EvaluatedLine, FromLineMType, LineMulMType, MillerStep,
+    MultiMillerLoop, PairingCheck, PairingCheckError, PairingIntrinsics, UnevaluatedLine,
 };
 #[cfg(all(feature = "halo2curves", not(target_os = "zkvm")))]
 use crate::{
@@ -362,7 +362,8 @@ impl PairingCheck for Bls12_381 {
         if fc * s == c_q {
             Ok(())
         } else {
-            Err(PairingCheckError)
+            let f = Self::multi_miller_loop(P, Q);
+            exp_check_fallback(&f, &Self::FINAL_EXPONENT)
         }
     }
 }

extensions/pairing/guest/src/bls12_381/tests.rs

@@ -2,11 +2,13 @@ use group::ff::Field;
 use halo2curves_axiom::bls12_381::{
     Fq, Fq12, Fq2, Fq6, G1Affine, G2Affine, G2Prepared, MillerLoopResult, FROBENIUS_COEFF_FQ12_C1,
 };
+use num_bigint::BigUint;
+use num_traits::One;
 use openvm_algebra_guest::{field::FieldExtension, IntMod};
 use openvm_ecc_guest::{weierstrass::WeierstrassPoint, AffinePoint};
 use rand::{rngs::StdRng, SeedableRng};
 
-use super::{Fp, Fp12, Fp2};
+use super::{Fp, Fp12, Fp2, BLS12_381_MODULUS, BLS12_381_ORDER};
 use crate::{
     bls12_381::{
         utils::{
@@ -295,3 +297,9 @@ fn test_bls12381_pairing_check_hint_host() {
     assert_eq!(c, c_cmp);
     assert_eq!(s, s_cmp);
 }
+
+#[test]
+fn test_bls12381_final_exponent() {
+    let final_exp = (BLS12_381_MODULUS.pow(12) - BigUint::one()) / BLS12_381_ORDER.clone();
+    assert_eq!(Bls12_381::FINAL_EXPONENT.to_vec(), final_exp.to_bytes_be());
+}

extensions/pairing/guest/src/bn254/mod.rs

@@ -172,6 +172,12 @@ impl Bn254 {
             "e3b02326637fd382d25ba28fc97d80212b6f79eca7b504079a0441acbc3cc007"
         )),
     };
+
+    // FINAL_EXPONENT = (p^12 - 1) / r in big-endian
+    // Validated by a test in test.rs
+    pub const FINAL_EXPONENT: [u8; 349] = hex!(
+        "2f4b6dc97020fddadf107d20bc842d43bf6369b1ff6a1c71015f3f7be2e1e30a73bb94fec0daf15466b2383a5d3ec3d15ad524d8f70c54efee1bd8c3b21377e563a09a1b705887e72eceaddea3790364a61f676baaf977870e88d5c6c8fef0781361e443ae77f5b63a2a2264487f2940a8b1ddb3d15062cd0fb2015dfc6668449aed3cc48a82d0d602d268c7daab6a41294c0cc4ebe5664568dfc50e1648a45a4a1e3a5195846a3ed011a337a02088ec80e0ebae8755cfe107acf3aafb40494e406f804216bb10cf430b0f37856b42db8dc5514724ee93dfb10826f0dd4a0364b9580291d2cd65664814fde37ca80bb4ea44eacc5e641bbadf423f9a2cbf813b8d145da90029baee7ddadda71c7f3811c4105262945bba1668c3be69a3c230974d83561841d766f9c9d570bb7fbe04c7e8a6c3c760c0de81def35692da361102b6b9b2b918837fa97896e84abb40a4efb7e54523a486964b64ca86f120"
+    );
 }
 
 impl IntrinsicCurve for Bn254 {

extensions/pairing/guest/src/bn254/pairing.rs

@@ -14,8 +14,8 @@ use {
 
 use super::{Bn254, Fp, Fp12, Fp2};
 use crate::pairing::{
-    Evaluatable, EvaluatedLine, FromLineDType, LineMulDType, MillerStep, MultiMillerLoop,
-    PairingCheck, PairingCheckError, PairingIntrinsics, UnevaluatedLine,
+    exp_check_fallback, Evaluatable, EvaluatedLine, FromLineDType, LineMulDType, MillerStep,
+    MultiMillerLoop, PairingCheck, PairingCheckError, PairingIntrinsics, UnevaluatedLine,
 };
 #[cfg(all(feature = "halo2curves", not(target_os = "zkvm")))]
 use crate::{
@@ -391,7 +391,8 @@ impl PairingCheck for Bn254 {
         if fc * c_mul * u == Fp12::ONE {
             Ok(())
         } else {
-            Err(PairingCheckError)
+            let f = Self::multi_miller_loop(P, Q);
+            exp_check_fallback(&f, &Self::FINAL_EXPONENT)
         }
     }
 }

extensions/pairing/guest/src/bn254/tests.rs

@@ -2,6 +2,8 @@ use group::{ff::Field, prime::PrimeCurveAffine};
 use halo2curves_axiom::bn256::{
     Fq, Fq12, Fq2, Fq6, G1Affine, G2Affine, G2Prepared, Gt, FROBENIUS_COEFF_FQ12_C1,
 };
+use num_bigint::BigUint;
+use num_traits::One;
 use openvm_algebra_guest::{field::FieldExtension, IntMod};
 use openvm_ecc_guest::{weierstrass::WeierstrassPoint, AffinePoint};
 use rand::{rngs::StdRng, SeedableRng};
@@ -14,7 +16,7 @@ use crate::{
             convert_bn254_halo2_fq2_to_fp2, convert_bn254_halo2_fq_to_fp,
             convert_g2_affine_halo2_to_openvm,
         },
-        Bn254, G2Affine as OpenVmG2Affine,
+        Bn254, G2Affine as OpenVmG2Affine, BN254_MODULUS, BN254_ORDER,
     },
     pairing::{
         fp2_invert_assign, fp6_invert_assign, fp6_square_assign, FinalExp, MultiMillerLoop,
@@ -280,3 +282,9 @@ fn test_bn254_pairing_check_hint_host() {
     assert_eq!(c, c_cmp);
     assert_eq!(u, u_cmp);
 }
+
+#[test]
+fn test_bn254_final_exponent() {
+    let final_exp = (BN254_MODULUS.pow(12) - BigUint::one()) / BN254_ORDER.clone();
+    assert_eq!(Bn254::FINAL_EXPONENT.to_vec(), final_exp.to_bytes_be());
+}

extensions/pairing/guest/src/pairing/mod.rs

@@ -11,7 +11,7 @@ pub use miller_loop::*;
 pub use miller_step::*;
 use openvm_algebra_guest::{
     field::{ComplexConjugate, FieldExtension},
-    Field, IntMod,
+    ExpBytes, Field, IntMod,
 };
 use openvm_ecc_guest::AffinePoint;
 #[allow(unused_imports)]
@@ -55,6 +55,20 @@ pub trait PairingCheck {
     ) -> Result<(), PairingCheckError>;
 }
 
+// Square and multiply implementation of final exponentiation. Used if the hint fails to prove
+// the pairing check.
+// `exp` should be big-endian.
+pub fn exp_check_fallback<F: Field + ExpBytes>(f: &F, exp: &[u8]) -> Result<(), PairingCheckError>
+where
+    for<'a> &'a F: core::ops::Mul<&'a F, Output = F>,
+{
+    if f.exp_bytes(true, exp) == F::ONE {
+        Ok(())
+    } else {
+        Err(PairingCheckError)
+    }
+}
+
 pub const fn shifted_funct7<P: PairingIntrinsics>(funct7: PairingBaseFunct7) -> usize {
     P::PAIRING_IDX * (PairingBaseFunct7::PAIRING_MAX_KINDS as usize) + funct7 as usize
 }
@@ -68,3 +82,45 @@ impl core::fmt::Display for PairingCheckError {
         write!(f, "Pairing check failed")
     }
 }
+
+#[cfg(all(test, not(target_os = "zkvm")))]
+mod tests {
+    use num_bigint::BigUint;
+    use openvm_algebra_moduli_macros::{moduli_declare, moduli_init};
+
+    use super::*;
+
+    moduli_declare! {
+        F13 { modulus = "13" },
+    }
+
+    moduli_init! {
+        "13",
+    }
+
+    impl Field for F13 {
+        type SelfRef<'a> = &'a Self;
+        const ZERO: Self = <Self as IntMod>::ZERO;
+        const ONE: Self = <Self as IntMod>::ONE;
+
+        fn double_assign(&mut self) {
+            IntMod::double_assign(self);
+        }
+
+        fn square_assign(&mut self) {
+            IntMod::square_assign(self);
+        }
+    }
+
+    #[test]
+    fn test_pairing_check_fallback() {
+        let a = F13::from_u8(2);
+        let b = BigUint::from(12u32);
+        let result = exp_check_fallback(&a, &b.to_bytes_be());
+        assert_eq!(result, Ok(()));
+
+        let b = BigUint::from(11u32);
+        let result = exp_check_fallback(&a, &b.to_bytes_be());
+        assert_eq!(result, Err(PairingCheckError));
+    }
+}