Update EIP-2537: rename PAIRING to PAIRING_CHECK; introduce PAIRING_PRODUCT precomiple

EIPS/eip-2537.md

@@ -25,27 +25,29 @@ The motivation of this precompile is to add a cryptographic primitive that allow
 ### Constants
 
 |Name|Value|Comment|
-|         ---         |---    |         ---        |
-|`FORK_TIMESTAMP`     | *TBD* | Mainnet            |
-|BLS12_G1ADD          | 0x0b  | precompile address |
-|BLS12_G1MUL          | 0x0c  | precompile address |
-|BLS12_G1MULTIEXP     | 0x0d  | precompile address |
-|BLS12_G2ADD          | 0x0e  | precompile address |
-|BLS12_G2MUL          | 0x0f  | precompile address |
-|BLS12_G2MULTIEXP     | 0x10  | precompile address |
-|BLS12_PAIRING        | 0x11  | precompile address |
-|BLS12_MAP_FP_TO_G1   | 0x12  | precompile address |
-|BLS12_MAP_FP2_TO_G2  | 0x13  | precompile address |
-
-If `block.timestamp >= FORK_TIMESTAMP` we introduce *nine* separate precompiles to perform the following operations:
+|         ---          |---    |         ---        |
+|`FORK_TIMESTAMP`      | *TBD* | Mainnet            |
+|BLS12_G1ADD           | 0x0b  | precompile address |
+|BLS12_G1MUL           | 0x0c  | precompile address |
+|BLS12_G1MULTIEXP      | 0x0d  | precompile address |
+|BLS12_G2ADD           | 0x0e  | precompile address |
+|BLS12_G2MUL           | 0x0f  | precompile address |
+|BLS12_G2MULTIEXP      | 0x10  | precompile address |
+|BLS12_PAIRING_CHECK   | 0x11  | precompile address |
+|BLS12_PAIRING_PRODUCT | 0x11  | precompile address |
+|BLS12_MAP_FP_TO_G1    | 0x12  | precompile address |
+|BLS12_MAP_FP2_TO_G2   | 0x13  | precompile address |
+
+If `block.timestamp >= FORK_TIMESTAMP` we introduce *ten* separate precompiles to perform the following operations:
 
 - BLS12_G1ADD - to perform point addition in G1 (curve over base prime field) with a gas cost of `500` gas
 - BLS12_G1MUL - to perform point multiplication in G1 (curve over base prime field) with a gas cost of `12000` gas
 - BLS12_G1MULTIEXP - to perform multiexponentiation in G1 (curve over base prime field) with a gas cost formula defined in the corresponding section
 - BLS12_G2ADD - to perform point addition in G2 (curve over quadratic extension of the base prime field) with a gas cost of `800` gas
 - BLS12_G2MUL - to perform point multiplication in G2 (curve over quadratic extension of the base prime field) with a gas cost of `45000` gas
 - BLS12_G2MULTIEXP - to perform multiexponentiation in G2 (curve over quadratic extension of the base prime field) with a gas cost formula defined in the corresponding section
-- BLS12_PAIRING - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section
+- BLS12_PAIRING_CHECK - to perform a pairing operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns 1 is the result is identity, 0 otherwise.
+- BLS12_PAIRING_PRODUCT - to perform a pairing product operations between a set of *pairs* of (G1, G2) points a gas cost formula defined in the corresponding section; returns a degree 12 extension field element.
 - BLS12_MAP_FP_TO_G1 - maps base field element into the G1 point with a gas cost of `5500` gas
 - BLS12_MAP_FP2_TO_G2 - maps extension field element into the G2 point with a gas cost of `75000` gas
 
@@ -113,9 +115,9 @@ For elements of the quadratic extension field (Fp2), encoding is byte concatenat
 
 On inputs that can not be a valid encodings of field elements the precompile *must* return an error.
 
-#### Encoding of points in G1/G2:
+#### Encoding of points in G1/G2/GT:
 
-Points of G1 and G2 are encoded as byte concatenation of the respective encodings of the `x` and `y` coordinates. Total encoding length for a  G1 point is thus `128` bytes and for a G2 point is `256` bytes.
+Points of G1, G2 and GT are encoded as byte concatenation of the respective encodings of the `x` and `y` coordinates. Total encoding length for a  G1 point is thus `128` bytes, for a G2 point is `256` bytes and for a GT element is `768` byte.
 
 #### Point of infinity encoding:
 
@@ -192,9 +194,9 @@ Error cases:
 - Any point not in G2  (i.e. neither on a curve nor the infinity point) 
 - Input has invalid length 
 
-#### ABI for pairing
+#### ABI for pairing check
 
-Pairing call expects `384*k`  (`k` being a **positive** integer)  bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure:
+Pairing check call expects `384*k`  (`k` being a **positive** integer)  bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure:
 
 - `128` bytes of G1 point encoding
 - `256` bytes of G2 point encoding
@@ -210,6 +212,24 @@ Error cases:
 - Any of points is not in the correct subgroup 
 - Input has invalid length 
 
+#### ABI for pairing product
+
+Pairing product call expects `384*k`  (`k` being a **positive** integer)  bytes as an inputs that is interpreted as byte concatenation of `k` slices. Each slice has the following structure:
+
+- `128` bytes of G1 point encoding
+- `256` bytes of G2 point encoding
+
+Each point is expected to be in the subgroup of order `q`.
+
+Output is a `768` bytes, representing a degree `12` extension of base field element, each of size `64` bytes.
+
+Error cases:
+
+- Invalid coordinate encoding
+- Any of points being not on the respective curve
+- Any of points is not in the correct subgroup 
+- Input has invalid length 
+
 #### ABI for mapping Fp element to G1 point
 
 Field-to-curve call expects `64` bytes as an input that is interpreted as an element of Fp. Output of this call is `128` bytes and is an encoded G1 point.
@@ -271,9 +291,13 @@ Discounts table as a vector of pairs `[k, discount]`:
 
 `max_discount = 174`
 
-#### Pairing operation
+#### Pairing check operation
+
+The cost of the pairing check operation is `43000*k + 65000` where `k` is a number of pairs.
+
+#### Pairing product operation
 
-The cost of the pairing operation is `43000*k + 65000` where `k` is a number of pairs.
+The cost of the pairing product operation is `43000*k + 65000` where `k` is a number of pairs.
 
 #### Fp-to-G1 mapping operation
 
@@ -338,7 +362,7 @@ There are no backward compatibility questions.
 
 ### Subgroup checks
 
-A subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined).
+A subgroup check **is mandatory** during both the pairing check and pairing product call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined).