CIP-0166? | Efficient scalars for BLS12-381

[euonymos]

While working on the Hydrozoa project, we decided to use pair-based accumulators as part of ZKifing proofs of membership for the L2 utxo set in the rule-based regime. We are pretty happy with the results, since KZG commitments are easier to work with than Merkle tree-like structures we wanted to use previously.

Operations over scalars for BLS12-381 in Plutus might require some improvements; probably it will become the next bottleneck for this particular use case after MSM makes it to Plutus, as our benchmarks suggest.

By drafting this CIP, I mostly wanted to share those results with the community and establish a place for a potential discussion on the topic, since the current state of things feels a bit rough around the edges, at least it questions Scalar module in Aiken and other frameworks (initially we ported it to Scalus, but now we likely will use unbounded integers as this approach proves to be less expensive).

I am happy to hear from everyone who has a take or related ideas. Thanks.

Link for reading current version: here

[jmagan]

I think this CIP will add considerable value to the ZK capabilities in Cardano L1. The rationale is correct and spot-on regarding one of the biggest use cases where we encounter these Plutus/Plinth limitations. It's quite unfortunate that we almost exhaust the Plutus execution budget with just a few elements using bilinear accumulators, and it's even worse to consider that most of the budget is spent on unoptimized 'simple' multiplication and addition operations on Fr.

I have a couple of observations:

• The introduction of a new type to represent Fr could be avoided since we currently abstract it using Integer in other BLS operations. This is already mentioned in the CIP, and I think it would be more flexible to handle the conversion in the binding layer.
• As @euonymos mentioned, I would add all the Fr-related operations natively supported in blst. These could be useful later for creating algorithms in embedded curves like JubJub, namely inversion.

[rphair]

Tagging Triage to introduce at the CIP meeting in a few hours: https://hackmd.io/@cip-editors/119

@euonymos it's nice to see that Plutus expert review has already started & as usual we would be happy to hear from @zliu41 @effectfully @kwxm and others about this.

[rphair]

Most of the subsections her actually belong in the Rationale section, in which implementation details and comparative approaches are considered. This includes performance considerations for what you have simply described the need for doing here in the Motivation section.

[rphair]

I think it would serve this CIP & the repository well, by assuring portability / readability / responsiveness, if you could implement these graphs in Mermaid (I think the same set of points that produced the text renderings can be applied to a graph). And if & when someday it is possible for an AI to interpret these graphs, that would make it more achievable.

[rphair]

@euonymos we decided to leave this in Triage because this was submitted shortly before today's CIP meeting and therefore to allow time for the already tagged Plutus reviewers to contribute their assessment about whether this change is doable (if not planned already).

A potential benefit for prompt review was also suggested at the meeting: the upcoming mid-term hard fork, in which some similar improvements for curve primitive support is planned, might also be able to include this change.

[euonymos]

• The introduction of a new type to represent Fr could be avoided since we currently abstract it using Integer in other BLS operations. This is already mentioned in the CIP, and I think it would be more flexible to handle the conversion in the binding layer.

Yes, this would be ideal since otherwise, we would end up having two sets of functions - old for integers and new for Fr. But how can we decide whether and Integer arguments belong to a field? Another thing to consider is that if we munge to/from Montgomery representation on every operation, it will be prohibitively wasteful.

And speaking more broadly, do we want to support only the scalar field of BLS of prime fields in general, at the level of Plutus API, in case we add another curve in the future, for example?

[euonymos]

It would be nice to hear the thoughts of the Plutus team @effectfully @ana-pantilie @zliu41 @SeungheonOh.

[rphair]

Still hoping for Plutus participation... there were some likely reviewers at the CIP meeting today, but discussion went entirely towards Leios CIP review due to massive turnout of those stakeholders & concerned devs. I think we are on track to consider this as a candidate at the following CIP meeting: https://hackmd.io/@cip-editors/121

[kwxm]

Still hoping for Plutus participation...

I'll try to take a close look at this by the end of the week. Sorry for the delay.

[SeungheonOh]

Left some comments. Thanks for the nice writing and nice plots. These seem like a reasonable and very useful addition.

With addition of new type for scalar in $F_r$, I think we should change existing builtins(i.e. scalar multiplication in $G1$ and $G2$) to use the new $F_r$ scalar. This does require changing existing builtins similar to how we have different semantics variant.

[SeungheonOh]

is it

bytestring_to_bls12_381_fr: bool -> bytestring -> bls12_381_fr

or

bytestring_to_bls12_381_fr: [(bool, bytestring)] -> bls12_381_fr

I assume it's former. It's just a bit confusing; please update to clarify. Same goes with other ones below.

[SeungheonOh]

also these belong in the below section in "Function definition"

[perturbing]

Given the shared correspondence between the underlying blst lib it is

bytestring_to_bls12_381_fr: bool -> bytestring -> bls12_381_fr

[SeungheonOh]

20% of onchain exbudget I assume?

[SeungheonOh]

nitpick: this looks like a type signature. It'd be better to write out

"bls12_381_fr to bytestring to integer"

[SeungheonOh]

How come "percent" for 1 is 13% and for 2 is 12% when they have exactly same CPU budget?

also diff is 0 for consistency.

[SeungheonOh]

Cost of integer operation depends on the sizes of integers used. So it doesn't really complicate cost in perspective of VM. Not sure how else using Integer can complicates the cost model.

[perturbing]

@jmagan

can you explain what exactly you mean with

The introduction of a new type to represent Fr could be avoided since we currently abstract it using Integer in other BLS operations. This is already mentioned in the CIP, and I think it would be more flexible to handle the conversion in the binding layer.

[jmagan]

@perturbing

I initially thought that $F_r$ was a simpler type — essentially an Integer reduced modulo r, similar to Scalar. However, that’s not the case: it’s actually an opaque type that stores the value in Montgomery form.

My first idea was to use plain Integer instead, abstracting away the $F_r$ type, much like we do in the scalar point multiplication primitive of BLS.

Mainly because I think using the blst conversion interface approach could cause problems within Plutus scripts. For instance, in polynomial multiplication (e.g., when constructing a polynomial from terms like $(x - a_n)$, we’d need to convert every $a_n$ term to $F_r$, perform the multiplication, and then convert back to Integer. This could be significantly more budget-expensive than performing the operations directly on integers.

Moreover, the use of Fr here doesn’t seem to provide any additional benefit, since the Montgomery representation is mainly an internal optimization for arithmetic efficiency.

That’s why I was considering keeping Fr as an internal detail, only using it at the interface between Plutus and the blst library. Exposing it more widely to end users might not add much value. However, as @euonymos pointed out, this could also become computationally expensive, since every function argument and return value would require a conversion between Integer and Fr.

[rphair]

Accepted as CIP candidate at today's CIP meeting based mainly on positive response from Plutus stakeholders. @euonymos please rename this directory to CIP-0166 and update your "Link for reading current version" 🎉