Switch from pairing to bls12-381

[DrPeterVanNostrand]

Description

Currently we depend on filecoin's fork of pairing, it would be ideal to switch that dependency to the bls12-381 crate. The bls12-381 crate refactors out the bls12_381 module from pairing and makes some improvements to the API which are currently using.

It would be ideal to switch this dependency for the following reasons:

• bls12-381 has a much better API (types from abstract algebra are now named how you would see them in cryptography papers), which makes the code much easier to read
• Field and group types (and their arithmetic operations) are not implemented using macros (as opposed to in pairing and ff), which makes the code much easier to read and modify
• A single optimization has been made (as far as I can tell), that results in faster exponentiation in scalar fields
• Zcash is actively developing a handful of new crates for field, group, and elliptic curve arithmetic: bls12-381, jubjub, group, any improvements that they make will be added to these crates and (probably) not to pairing.

Things that have not (as of today) changed from pairing to bls12-381:

• The Miller Loop is identical (i.e. no speed improvements in the pairing's bilinear map have been made)
• Field addition, subtraction, and multiplication are identical (i.e. no speed improvements)

Why we can't switch today

We use Zcash's sapling-crypto crate which depends on pairing. Sapling has not yet been ported to using the new bls12-381 crate. Some of the functionality that we rely on has been refactored out of sapling-crypto into the crate jubjub, but this refactor does not include every part of Sapling that we depend on (mainly Pedersen hash, params, and circuit).

Notes for when switching from pairing to bls12-381

The the two crates are almost identical except for:

• Scalar field elements (Fr in pairing) for the Bls12-381 curve group are now called Scalar in bls12-381. The FrRepr type has been completely removed :)
• Base field elements (Fq in pairing) are now called Fp in bls12-381
• Field extension types F_p^k (Fq2, Fq6, and Fq12 in pairing) are now called Fp2, Fp6, and Fp12
• Some field and group operations in bls12-381 now default to constant time (and return constant-time subtle wrapper types for booleans and options - this is fine as these wrapper types can be converted into their Rust primitives).
• Scalar field elements are little-endian encoded (same as in pairing, i.e. the bytes and limbs that you pass in to create a scalar, or read out, are little endian), however bls12-381 now big-endian encodes base field elements (which were little-endian in pairing).

[dignifiedquire]

Not needed anymore, we are now using blstrs and paired, with the goal to merge them into a single implementation at some point. We might consider updating our APIs there to match bls12-381 but this will be work happening there first.