SIMD-0302

TL;DR

Extend the existing `sol_alt_bn128_group_op` syscall to support native G2 curve point arithmetic (addition, subtraction, and scalar multiplication) on the BN254 curve.

Summary

Extend the existing `sol_alt_bn128_group_op` syscall to support native G2 curve point arithmetic (addition, subtraction, and scalar multiplication) on the BN254 curve.

Motivation

Solana today provides syscalls for Alt‑BN128 G1 group operations (`ALT_BN128_ADD`, `ALT_BN128_SUB`, `ALT_BN128_MUL`) and for pairing checks, as well as compression/decompression for G2 points. However, there is no direct support for arithmetic on G2 points themselves, as they were not included in the Ethereum Precompile on which the syscalls were based. Adding native G2 syscalls will enable: - Batch Groth16 verification: Multiple proofs could be aggregated into single verification calls - KZG polynomial commitments: Enable efficient multi-point opening proofs and batch verification - Other more advanced ZK systems for batch or direct verification

Key Changes

• G2 point: A point on the twist subgroup of BN254, represented as two Fq₂
• _G2 Addition (ALT_BN128_G2_ADD) and Subtraction (ALT_BN128_G2_SUB)_:
• Input points MUST be validated to ensure they are on the curve (satisfy the G2 curve equation).
• The _subgroup check is skipped_. The addition formulas are valid for any point on the curve (including those not in the prime-order subgroup). Skipping this costly check allows for cheaper accumulation of points.
• _G2 Scalar Multiplication (ALT_BN128_G2_MUL)_:
• Input points MUST undergo _full validation_, including the field check, curve equation check, and the _subgroup check_.
• Enforcing the subgroup check is required to safely support faster endomorphism-based scalar multiplication algorithms.

Impact

- Native G2 ops reduce compute units by approximately 10×–20× compared to pure‑BPF implementations. - Enables newer and more advanced ZK verification methods as well as batch proof verification

Security Considerations

None