Pairing check optimisation

[shramee]

Description

Minor optimisation on residue witness scaling cofactor mul.

Changed it to E6 (from E12) for fewer constraints and logic gates.

Optimization Results By Curve

	BN254		BLS381
	R1CS	SCS	R1CS	SCS
Before	1167090	4586889	990001	3879548
After	1166782	4586709	989785	3879428
Diff	-308	-180	-216	-120

How has this been tested?

• All tests run

How has this been benchmarked?

• Benchmarked on Macbook Pro M3, 36GB RAM

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules
• I have added tests that prove my fix is effective or that my feature works na

[ivokub]

cc. @yelhousni.

[yelhousni]

initial idea was to constrain the Fp12 scalingFactor to be in Fp6 to avoid additional check in-circuit as per 7.1 of https://eprint.iacr.org/2024/640. But this also should work and is sound IMO.

[shramee]

Yeah,
I've just made the Fp12 that needs constraining just be Fp6 instead.
In my lib I'm using a more optimised version, because actually the FP6 itself is sparse.

https://github.com/shramee/cairo_pairing/blob/27af4f2b714ad739c9b2896e5f5e838248a1ae5a/legacy/bn_legacy/src/curve/residue_witness.cairo#L96

This uses enums, known values (roots) and a custom Fq6 mul formulas.

[yelhousni]

Actually in our case the scaling factor is even just 1 because we do the easy part (that kills the non-residue) before doing Novakovic-Eagen final exp check. But I kept the trivial multiplication by 1 just in case anyone would use this check right after the Miller loop.