The Miller Loop is the costliest operation in pairings. Unlike the final exponentiation, it must be called once per multi-pairing element as well and so when doing large batched BLS signature verification (128 signatures in Eth2), 99% of the time is spent in the Miller loop.
It can be "addition-chained" for at least 10% perf boost, especially for BN254-Nogami and BLS12-381 which have a low Hamming weight
mratsim
commented
2 years ago
The Miller Loop is the costliest operation in pairings. Unlike the final exponentiation, it must be called once per multi-pairing element as well and so when doing large batched BLS signature verification (128 signatures in Eth2), 99% of the time is spent in the Miller loop.
It can be "addition-chained" for at least 10% perf boost, especially for BN254-Nogami and BLS12-381 which have a low Hamming weight