From 06812fdc56318663917c6369a1b9d94eb10bfe2d Mon Sep 17 00:00:00 2001 From: echo Date: Tue, 29 Aug 2023 16:57:58 +0800 Subject: [PATCH 1/8] Add field element to curve mapping operation --- EIPS/eip-2539.md | 50 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index d84fa690191bb1..4f02c81928c394 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md 
@@ -24,20 +24,24 @@ If `block.number >= X` we introduce *nine* separate precompiles to perform the f - BLS12_377_G2MUL - to perform point multiplication on a curve twist defined over quadratic extension of the base field - BLS12_377_G2MULTIEXP - to perform multiexponentiation on a curve twist defined over quadratic extension of the base field - BLS12_377_PAIRING - to perform a pairing operations between a set of *pairs* of (G1, G2) points +- BLS12_377_MAP_FP_TO_G1 - maps base field element into the G1 point +- BLS12_377_MAP_FP2_TO_G2 - maps extension field element into the G2 point Multiexponentiation operation is included to efficiently aggregate public keys or individual signer's signatures during BLS signature verification. ### Proposed addresses table -|Precompile |Address | -|---|---| -|BLS12_377_G1ADD | 0x13 | -|BLS12_377_G1MUL | 0x14 | -|BLS12_377_G1MULTIEXP | 0x15 | -|BLS12_377_G2ADD | 0x16 | -|BLS12_377_G2MUL | 0x17 | -|BLS12_377_G2MULTIEXP | 0x18 | -|BLS12_377_PAIRING | 0x19 | +| Precompile | Address | +| ----------------------- | ------- | +| BLS12_377_G1ADD | 0x13 | +| BLS12_377_G1MUL | 0x14 | +| BLS12_377_G1MULTIEXP | 0x15 | +| BLS12_377_G2ADD | 0x16 | +| BLS12_377_G2MUL | 0x17 | +| BLS12_377_G2MULTIEXP | 0x18 | +| BLS12_377_PAIRING | 0x19 | +| BLS12_377_MAP_FP_TO_G1 | 0x20 | +| BLS12_377_MAP_FP2_TO_G2 | 0x21 | ## Motivation Motivation of this precompile is to add a cryptographic primitive that allows to get 120+ bits of security for operations over pairing friendly curve compared to the existing BN254 precompile that only provides 80 bits of security. In addition it allows efficient one-time recursive proof aggregations, e.g. proofs about existence of BLS12-377 based signature. 
@@ -171,6 +175,24 @@ Error cases: - Field elements encoding rules apply (obviously) - Input has invalid length +##### ABI for mapping Fp element to G1 point + +Field-to-curve call expects `64` bytes an an input that is interpreted as a an element of the base field. Output of this call is `128` bytes and is G1 point following respective encoding rules. + +Error cases: + +- Input has invalid length +- Input is not a valid field element + +##### ABI for mapping Fp2 element to G2 point + +Field-to-curve call expects `128` bytes an an input that is interpreted as a an element of the quadratic extension field. Output of this call is `256` bytes and is G2 point following respective encoding rules. + +Error cases: + +- Input has invalid length +- Input is not a valid field element + #### Prevention of DDoS on error handling This precompile performs extensive computations and in case of any errors during execution it MUST consume all gas from the the gas schedule for the corresponding operation. @@ -213,6 +235,14 @@ Discounts table as a vector of pairs `[k, discount]`: Cost of the pairing operation is `55000*k + 65000` where `k` is a number of pairs. +##### Fp-to-G1 mapping operation + +Fp -> G1 mapping is `5500` gas. + +##### Fp2-to-G2 mapping operation + +Fp2 -> G2 mapping is `75000` gas + ## Rationale Motivation section covers a total motivation to have operations over BLS12-377 curve available. We also extend a rationale for move specific fine points. @@ -263,4 +293,4 @@ Strictly following the spec will eliminate security implications or consensus im Important topic is a "constant time" property for performed operations. We explicitly state that this precompile **IS NOT REQUIRED** to perform all the operations using constant time algorithms. ## Copyright -Copyright and related rights waived via [CC0](../LICENSE.md). \ No newline at end of file +Copyright and related rights waived via [CC0](../LICENSE.md). 
From f467a81cf375b781a4280a4b7104da3a8ce1c520 Mon Sep 17 00:00:00 2001 From: echo Date: Tue, 29 Aug 2023 16:59:25 +0800 Subject: [PATCH 2/8] Add author --- EIPS/eip-2539.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index 4f02c81928c394..ee468527e4cbe7 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md @@ -1,7 +1,7 @@ --- eip: 2539 title: BLS12-377 curve operations -author: Alex Vlasov (@shamatar) +author: Alex Vlasov (@shamatar), hujw77 (@hujw77) discussions-to: https://ethereum-magicians.org/t/eip-2539-bls12-377-precompile-discussion-thread/4659 status: Stagnant type: Standards Track From 21c5304ab8a7c4156c35a779a3a8c137b6492087 Mon Sep 17 00:00:00 2001 From: echo Date: Wed, 30 Aug 2023 09:41:22 +0800 Subject: [PATCH 3/8] Move to Draft --- EIPS/eip-2539.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index ee468527e4cbe7..1aacc2c9f0b7a0 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md @@ -3,7 +3,7 @@ eip: 2539 title: BLS12-377 curve operations author: Alex Vlasov (@shamatar), hujw77 (@hujw77) discussions-to: https://ethereum-magicians.org/t/eip-2539-bls12-377-precompile-discussion-thread/4659 -status: Stagnant +status: Draft type: Standards Track category: Core created: 2020-02-26 From 27aa8af84d4b31e619e2c7486fc28ba211db3e1d Mon Sep 17 00:00:00 2001 From: echo Date: Tue, 5 Sep 2023 16:20:53 +0800 Subject: [PATCH 4/8] Update addresses table --- EIPS/eip-2539.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index 1aacc2c9f0b7a0..ef5ddecd82802f 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md 
@@ -33,15 +33,15 @@ Multiexponentiation operation is included to efficiently aggregate public keys o | Precompile | Address | | ----------------------- | ------- | -| BLS12_377_G1ADD | 0x13 | -| BLS12_377_G1MUL | 0x14 | -| BLS12_377_G1MULTIEXP | 0x15 | -| BLS12_377_G2ADD | 0x16 | -| BLS12_377_G2MUL | 0x17 | -| BLS12_377_G2MULTIEXP | 0x18 | -| BLS12_377_PAIRING | 0x19 | -| BLS12_377_MAP_FP_TO_G1 | 0x20 | -| BLS12_377_MAP_FP2_TO_G2 | 0x21 | +| BLS12_377_G1ADD | 0x15 | +| BLS12_377_G1MUL | 0x16 | +| BLS12_377_G1MULTIEXP | 0x17 | +| BLS12_377_G2ADD | 0x18 | +| BLS12_377_G2MUL | 0x19 | +| BLS12_377_G2MULTIEXP | 0x1a | +| BLS12_377_PAIRING | 0x1b | +| BLS12_377_MAP_FP_TO_G1 | 0x1c | +| BLS12_377_MAP_FP2_TO_G2 | 0x1d | ## Motivation Motivation of this precompile is to add a cryptographic primitive that allows to get 120+ bits of security for operations over pairing friendly curve compared to the existing BN254 precompile that only provides 80 bits of security. In addition it allows efficient one-time recursive proof aggregations, e.g. proofs about existence of BLS12-377 based signature. From fcc3289b0e0a37eadb1cd112b619532960926b98 Mon Sep 17 00:00:00 2001 From: echo Date: Wed, 6 Sep 2023 10:59:15 +0800 Subject: [PATCH 5/8] Fix CI error --- EIPS/eip-2539.md | 152 +++++++++++++++++++++++------------------------ 1 file changed, 75 insertions(+), 77 deletions(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index ef5ddecd82802f..585e758908ad4a 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md @@ -1,6 +1,7 @@ --- eip: 2539 title: BLS12-377 curve operations +description: Precompiles for BLS12-377 curve operations author: Alex Vlasov (@shamatar), hujw77 (@hujw77) discussions-to: https://ethereum-magicians.org/t/eip-2539-bls12-377-precompile-discussion-thread/4659 status: Draft 
@@ -10,11 +11,10 @@ created: 2020-02-26 requires: 1109, 2046 --- -## Simple Summary -This precompile adds operation on BLS12-377 curve (from Zexe paper) as a precompile in a set necessary to *efficiently* perform operations such as BLS signature verification and perform SNARKs verifications. Unique properties of BLS12-377 also later allow to have SNARKs that check BLS12-377 pairing in an efficient way and allow e.g. constant-size BLS signature aggregation. - ## Abstract +This precompile adds operation on BLS12-377 curve (from Zexe paper) as a precompile in a set necessary to *efficiently* perform operations such as BLS signature verification and perform SNARKs verifications. Unique properties of BLS12-377 also later allow to have SNARKs that check BLS12-377 pairing in an efficient way and allow e.g. constant-size BLS signature aggregation. + If `block.number >= X` we introduce *nine* separate precompiles to perform the following operations: - BLS12_377_G1ADD - to perform point addition on a curve defined over prime field @@ -44,6 +44,7 @@ Multiexponentiation operation is included to efficiently aggregate public keys o | BLS12_377_MAP_FP2_TO_G2 | 0x1d | ## Motivation + Motivation of this precompile is to add a cryptographic primitive that allows to get 120+ bits of security for operations over pairing friendly curve compared to the existing BN254 precompile that only provides 80 bits of security. In addition it allows efficient one-time recursive proof aggregations, e.g. proofs about existence of BLS12-377 based signature. ## Specification @@ -80,9 +81,9 @@ Pairing parameters: x is negative = false ``` -#### Fine points and encoding of base elements +### Fine points and encoding of base elements -##### Field elements encoding: +#### Field elements encoding: To encode points involved in the operation one has to encode elements of the base field and the extension field. 
@@ -92,132 +93,130 @@ For elements of the quadratic extension field (Fp2) encoding is byte concatenati If encodings do not follow this spec anywhere during parsing in the precompile the precompile *must* return an error. -##### Encoding of points in G1/G2: +#### Encoding of points in G1/G2: Points in either G1 (in base field) or in G2 (in extension field) are encoded as byte concatenation of encodings of the `x` and `y` affine coordinates. Total encoding length for G1 point is thus `128` bytes and for G2 point is `256` bytes. -##### Point of infinity encoding: +#### Point of infinity encoding: Also referred as "zero point". For BLS12 curves point with coordinates `(0, 0)` (formal zeroes in Fp or Fp2) is *not* on the curve, so encoding of such point `(0, 0)` is used as a convention to encode point of infinity. -##### Encoding of scalars for multiplication operation: +#### Encoding of scalars for multiplication operation: Scalar for multiplication operation is encoded as `32` bytes by performing BigEndian encoding of the corresponding (unsigned) integer. Corresponding integer is **not** required to be less than or equal than main subgroup size. -#### ABI for operations +### ABI for operations -##### ABI for G1 addition +#### ABI for G1 addition G1 addition call expects `256` bytes as an input that is interpreted as byte concatenation of two G1 points (`128` bytes each). Output is an encoding of addition operation result - single G1 point (`128` bytes). 
Error cases: -- Either of points being not on the curve must result in error -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Either of points being not on the curve must result in error + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for G1 multiplication +#### ABI for G1 multiplication G1 multiplication call expects `160` bytes as an input that is interpreted as byte concatenation of encoding of G1 point (`128` bytes) and encoding of a scalar value (`32` bytes). Output is an encoding of multiplication operation result - single G1 point (`128` bytes). Error cases: -- Point being not on the curve must result in error -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Point being not on the curve must result in error + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for G1 multiexponentiation +#### ABI for G1 multiexponentiation G1 multiexponentiation call expects `160*k` bytes as an input that is interpreted as byte concatenation of `k` slices each of them being a byte concatenation of encoding of G1 point (`128` bytes) and encoding of a scalar value (`32` bytes). Output is an encoding of multiexponentiation operation result - single G1 point (`128` bytes). Error cases: -- Any of G1 points being not on the curve must result in error -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Any of G1 points being not on the curve must result in error + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for G2 addition +#### ABI for G2 addition G2 addition call expects `512` bytes as an input that is interpreted as byte concatenation of two G2 points (`256` bytes each). Output is an encoding of addition operation result - single G2 point (`256` bytes). 
Error cases: -- Either of points being not on the curve must result in error -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Either of points being not on the curve must result in error + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for G2 multiplication +#### ABI for G2 multiplication G2 multiplication call expects `288` bytes as an input that is interpreted as byte concatenation of encoding of G2 point (`256` bytes) and encoding of a scalar value (`32` bytes). Output is an encoding of multiplication operation result - single G2 point (`256` bytes). Error cases: -- Point being not on the curve must result in error -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Point being not on the curve must result in error + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for G2 multiexponentiation +#### ABI for G2 multiexponentiation G2 multiexponentiation call expects `288*k` bytes as an input that is interpreted as byte concatenation of `k` slices each of them being a byte concatenation of encoding of G2 point (`256` bytes) and encoding of a scalar value (`32` bytes). Output is an encoding of multiexponentiation operation result - single G2 point (`256` bytes). Error cases: -- Any of G2 points being not on the curve must result in error -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Any of G2 points being not on the curve must result in error + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for pairing +#### ABI for pairing Pairing call expects `384*k` bytes as an inputs that is interpreted as byte concatenation of `k` slices. 
Each slice has the following structure: -- `128` bytes of G1 point encoding -- `256` bytes of G2 point encoding + - `128` bytes of G1 point encoding + - `256` bytes of G2 point encoding Output is a `32` bytes where first `31` bytes are equal to `0x00` and the last byte is `0x01` if pairing result is equal to multiplicative identity in a pairing target field and `0x00` otherwise. Error cases: -- Invalid encoding of any boolean variable must result in error -- Any of G1 or G2 points being not on the curve must result in error -- Any of G1 or G2 points are not in the correct subgroup -- Field elements encoding rules apply (obviously) -- Input has invalid length + - Invalid encoding of any boolean variable must result in error + - Any of G1 or G2 points being not on the curve must result in error + - Any of G1 or G2 points are not in the correct subgroup + - Field elements encoding rules apply (obviously) + - Input has invalid length -##### ABI for mapping Fp element to G1 point +#### ABI for mapping Fp element to G1 point Field-to-curve call expects `64` bytes an an input that is interpreted as a an element of the base field. Output of this call is `128` bytes and is G1 point following respective encoding rules. Error cases: + - Input has invalid length + - Input is not a valid field element -- Input has invalid length -- Input is not a valid field element - -##### ABI for mapping Fp2 element to G2 point +#### ABI for mapping Fp2 element to G2 point Field-to-curve call expects `128` bytes an an input that is interpreted as a an element of the quadratic extension field. Output of this call is `256` bytes and is G2 point following respective encoding rules. 
Error cases: + - Input has invalid length + - Input is not a valid field element -- Input has invalid length -- Input is not a valid field element - -#### Prevention of DDoS on error handling +### Prevention of DDoS on error handling This precompile performs extensive computations and in case of any errors during execution it MUST consume all gas from the the gas schedule for the corresponding operation. -#### Gas schedule +### Gas schedule Assuming a constant `30 MGas/second` following prices are suggested. -##### G1 addition +#### G1 addition `600` gas -##### G1 multiplication +#### G1 multiplication `12000` gas -##### G2 addition +#### G2 addition `4500` gas -##### G2 multiplication +#### G2 multiplication `55000` gas -##### G1/G2 Multiexponentiation +#### G1/G2 Multiexponentiation Multiexponentiations are expected to be performed by the Peppinger algorithm (we can also say that is **must** be performed by Peppinger algorithm to have a speedup that results in a discount over naive implementation by multiplying each pair separately and adding the results). For this case there was a table prepared for discount in case of `k <= 128` points in the multiexponentiation with a discount cup `max_discount` for `k > 128`. 
@@ -231,22 +230,22 @@ Discounts table as a vector of pairs `[k, discount]`: `max_discount = 174` -##### Pairing operation +#### Pairing operation Cost of the pairing operation is `55000*k + 65000` where `k` is a number of pairs. -##### Fp-to-G1 mapping operation +#### Fp-to-G1 mapping operation Fp -> G1 mapping is `5500` gas. -##### Fp2-to-G2 mapping operation +#### Fp2-to-G2 mapping operation Fp2 -> G2 mapping is `75000` gas ## Rationale Motivation section covers a total motivation to have operations over BLS12-377 curve available. We also extend a rationale for move specific fine points. -#### Multiexponentiation as a separate call +### Multiexponentiation as a separate call Explicit separate multiexponentiation operation that allows one to save execution time (so gas) by both the algorithm used (namely Peppinger algorithm) and (usually forgotten) by the fact that `CALL` operation in Ethereum is expensive (at the time of writing), so one would have to pay non-negigible overhead if e.g. for multiexponentiation of `100` points would have to call the multipication precompile `100` times and addition for `99` times (roughly `138600` would be saved). 
@@ -264,28 +263,27 @@ Subgroup check **is mandatory** during the pairing call. Implementations *should Due to the large test parameters space we first provide properties that various operations must satisfy. We use additive notation for point operations, capital letters (`P`, `Q`) for points, small letters (`a`, `b`) for scalars. Generator for G1 is labeled as `G`, generator for G2 is labeled as `H`, otherwise we assume random point on a curve in a correct subgroup. `0` means either scalar zero or point of infinity. `1` means either scalar one or multiplicative identity. `group_order` is a main subgroup order. `e(P, Q)` means pairing operation where `P` is in G1, `Q` is in G2. Requeired properties for basic ops (add/multiply): - -- Commutativity: `P + Q = Q + P` -- Additive negation: `P + (-P) = 0` -- Doubling `P + P = 2*P` -- Subgroup check: `group_order * P = 0` -- Trivial multiplication check: `1 * P = P` -- Multiplication by zero: `0 * P = 0` -- Multiplication by the unnormalized scalar `(scalar + group_order) * P = scalar * P` + - Commutativity: `P + Q = Q + P` + - Additive negation: `P + (-P) = 0` + - Doubling `P + P = 2*P` + - Subgroup check: `group_order * P = 0` + - Trivial multiplication check: `1 * P = P` + - Multiplication by zero: `0 * P = 0` + - Multiplication by the unnormalized scalar `(scalar + group_order) * P = scalar * P` Required properties for pairing operation: -- Degeneracy `e(P, 0*Q) = e(0*P, Q) = 1` -- Bilinearity `e(a*P, b*Q) = e(a*b*P, Q) = e(P, a*b*Q)` (internal test, not visible through ABI) + - Degeneracy `e(P, 0*Q) = e(0*P, Q) = 1` + - Bilinearity `e(a*P, b*Q) = e(a*b*P, Q) = e(P, a*b*Q)` (internal test, not visible through ABI) -Test vector for all operations are expanded in this `csv` files in [repo](https://github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537). +Test vector for all operations are expanded in this `csv` files in (github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537). 
-## Implementation +## Reference Implementation There is a various choice of existing implementations of the curve operations. It may require extra work to add an ABI: -- EIP1962 code bases with fixed parameters - - [Rust](https://github.com/matter-labs/eip1962) - - [C++](https://github.com/matter-labs/eip1962_cpp) -- Original implementation linked in Zexe paper in [Rust](https://github.com/scipr-lab/zexe) -- Standalone in [Go](https://github.com/kilic/bls12-377) + - EIP1962 code bases with fixed parameters + - Rust: github.com/matter-labs/eip1962 + - C++: github.com/matter-labs/eip1962_cpp + - Original implementation linked in Zexe paper in Rust: github.com/scipr-lab/zexe + - Standalone in Go: github.com/kilic/bls12-377 ## Security Considerations Strictly following the spec will eliminate security implications or consensus implications in a contrast to the previous BN254 precompile. From 4c28c6dc0ab8ec1bc261552f6490c5ea53cf101c Mon Sep 17 00:00:00 2001 From: echo Date: Wed, 6 Sep 2023 11:04:08 +0800 Subject: [PATCH 6/8] Fix CI error --- EIPS/eip-2539.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index 585e758908ad4a..bfacc01bc34ffe 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md @@ -11,10 +11,12 @@ created: 2020-02-26 requires: 1109, 2046 --- -## Abstract +## Preamble This precompile adds operation on BLS12-377 curve (from Zexe paper) as a precompile in a set necessary to *efficiently* perform operations such as BLS signature verification and perform SNARKs verifications. Unique properties of BLS12-377 also later allow to have SNARKs that check BLS12-377 pairing in an efficient way and allow e.g. constant-size BLS signature aggregation. +## Abstract + If `block.number >= X` we introduce *nine* separate precompiles to perform the following operations: - BLS12_377_G1ADD - to perform point addition on a curve defined over prime field 
@@ -243,6 +245,7 @@ Fp -> G1 mapping is `5500` gas. Fp2 -> G2 mapping is `75000` gas ## Rationale + Motivation section covers a total motivation to have operations over BLS12-377 curve available. We also extend a rationale for move specific fine points. ### Multiexponentiation as a separate call @@ -250,11 +253,12 @@ Motivation section covers a total motivation to have operations over BLS12-377 c Explicit separate multiexponentiation operation that allows one to save execution time (so gas) by both the algorithm used (namely Peppinger algorithm) and (usually forgotten) by the fact that `CALL` operation in Ethereum is expensive (at the time of writing), so one would have to pay non-negigible overhead if e.g. for multiexponentiation of `100` points would have to call the multipication precompile `100` times and addition for `99` times (roughly `138600` would be saved). ## Backwards Compatibility + There are no backward compatibility questions. -## Important notes +### Important notes -### Subgroup checks +#### Subgroup checks Subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing multiplication gas cost is based on `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operation it's expected that implementation uses faster subgroup check, e.g. by using wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined). 
@@ -275,9 +279,10 @@ Required properties for pairing operation: - Degeneracy `e(P, 0*Q) = e(0*P, Q) = 1` - Bilinearity `e(a*P, b*Q) = e(a*b*P, Q) = e(P, a*b*Q)` (internal test, not visible through ABI) -Test vector for all operations are expanded in this `csv` files in (github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537). +Test vector for all operations are expanded in this `csv` files in matter-labs' 1962 proposol. ## Reference Implementation + There is a various choice of existing implementations of the curve operations. It may require extra work to add an ABI: - EIP1962 code bases with fixed parameters - Rust: github.com/matter-labs/eip1962 @@ -286,9 +291,11 @@ There is a various choice of existing implementations of the curve operations. I - Standalone in Go: github.com/kilic/bls12-377 ## Security Considerations + Strictly following the spec will eliminate security implications or consensus implications in a contrast to the previous BN254 precompile. Important topic is a "constant time" property for performed operations. We explicitly state that this precompile **IS NOT REQUIRED** to perform all the operations using constant time algorithms. ## Copyright + Copyright and related rights waived via [CC0](../LICENSE.md). From ccd09e7e3deb4be95731bb080c6925455d2e2820 Mon Sep 17 00:00:00 2001 From: echo Date: Wed, 6 Sep 2023 11:07:03 +0800 Subject: [PATCH 7/8] Fix CI error --- EIPS/eip-2539.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index bfacc01bc34ffe..e984df4c0b5f48 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md 
@@ -11,12 +11,10 @@ created: 2020-02-26 requires: 1109, 2046 --- -## Preamble +## Abstract This precompile adds operation on BLS12-377 curve (from Zexe paper) as a precompile in a set necessary to *efficiently* perform operations such as BLS signature verification and perform SNARKs verifications. Unique properties of BLS12-377 also later allow to have SNARKs that check BLS12-377 pairing in an efficient way and allow e.g. constant-size BLS signature aggregation. -## Abstract - If `block.number >= X` we introduce *nine* separate precompiles to perform the following operations: - BLS12_377_G1ADD - to perform point addition on a curve defined over prime field @@ -285,8 +283,8 @@ Test vector for all operations are expanded in this `csv` files in matter-labs' There is a various choice of existing implementations of the curve operations. It may require extra work to add an ABI: - EIP1962 code bases with fixed parameters - - Rust: github.com/matter-labs/eip1962 - - C++: github.com/matter-labs/eip1962_cpp + - Rust: matter-labs + - C++: matter-labs - Original implementation linked in Zexe paper in Rust: github.com/scipr-lab/zexe - Standalone in Go: github.com/kilic/bls12-377 From 9678bac20d1cea129ac3638d8be85d1a1d1be5fd Mon Sep 17 00:00:00 2001 From: echo Date: Wed, 6 Sep 2023 11:09:19 +0800 Subject: [PATCH 8/8] Fix CI error --- EIPS/eip-2539.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EIPS/eip-2539.md b/EIPS/eip-2539.md index e984df4c0b5f48..1f7240a2058b56 100644 --- a/EIPS/eip-2539.md +++ b/EIPS/eip-2539.md 
@@ -282,7 +282,7 @@ Test vector for all operations are expanded in this `csv` files in matter-labs' ## Reference Implementation There is a various choice of existing implementations of the curve operations. It may require extra work to add an ABI: - - EIP1962 code bases with fixed parameters + - Code bases with fixed parameters - Rust: matter-labs - C++: matter-labs - Original implementation linked in Zexe paper in Rust: github.com/scipr-lab/zexe
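
Review bot: In 1/8, the hunk at `@@ -171,6 +175,24` ("ABI for mapping Fp element to G1 point" and the Fp2/G2 counterpart) fixes the input and output sizes but never names the mapping function, so two clients can both satisfy this text and still return different points for the same input, which is a consensus split. Please specify the exact map used for each precompile and say whether the returned point is already in the prime-order subgroup (cofactor cleared), since the "Subgroup checks" section makes the subgroup check mandatory for the pairing call and callers will feed these outputs into it. Both new paragraphs also carry the typos "an an input" and "a an element".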
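
Review bot: In 1/8, the gas hunk at `@@ -213,6 +235,14` gives `5500` for Fp -> G1 and `75000` for Fp2 -> G2 with no benchmark or derivation, and the two figures sit on opposite sides of the related multiplication prices shown elsewhere in the file (`12000` for G1 multiplication, `55000` for G2 multiplication). Since the schedule states it assumes `30 MGas/second` and the precompile is meant to resist DoS through pricing, please add how these two numbers were measured, or a sentence in Rationale tying them to the existing prices. The Fp2 line is also missing its final period.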
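
Review bot: In 4/8, the addresses table hunk moves every existing precompile from `0x13`..`0x19` to `0x15`..`0x1b`, and neither the commit message ("Update addresses table") nor the EIP text says why the base changed. Precompile addresses are consensus-critical, so the reason for the new range should be written down next to the table. The same hunk also replaces the `0x20` and `0x21` that 1/8 assigned directly after `0x19`, skipping `0x1a` through `0x1f`; folding 4/8 into 1/8 would keep that intermediate numbering out of the history.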
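
Review bot: In 5/8, the last hunk (`@@ -264,28 +263,27`) keeps pointing the test vectors at a directory named `test_vectors/eip2537`, while this document is EIP-2539. Please confirm those `csv` files are BLS12-377 vectors and that they include cases for the two new mapping precompiles, otherwise the "Test Cases" section has nothing that exercises the operations this series adds. The de-linked form also leaves the sentence reading "in this `csv` files in (github.com/...)." with bare parentheses around a path.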
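
Review bot: In 6/8, the hunk at `@@ -250,11 +253,12` demotes "Important notes" to `###` and "Subgroup checks" to `####` directly under "## Backwards Compatibility", so the statement that the subgroup check **is mandatory** during the pairing call now reads as a subsection of a chapter whose only content is "There are no backward compatibility questions." That requirement is normative and security-relevant; suggest moving it under Specification (next to the pairing ABI error cases) or under Security Considerations instead of changing its heading level to satisfy the linter.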
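
Review bot: Across 6/8 (`@@ -275,9 +279,10`), 7/8 (`@@ -285,8 +283,8`) and 8/8, the references are cut down until they no longer identify anything: the test vector sentence ends in "matter-labs' 1962 proposol." (typo for "proposal", and no path), and the list now has "Rust: matter-labs" and "C++: matter-labs" as two indistinguishable entries. The two remaining entries still carry `github.com/scipr-lab/zexe` and `github.com/kilic/bls12-377`, so the treatment is also inconsistent. Suggest copying the vectors into this repository and referencing them by relative path, and either naming each implementation unambiguously or dropping the entry.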
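
Review bot: In 6/8, the first hunk (`@@ -11,10 +11,12`) introduces a "## Preamble" heading above the summary paragraph and 7/8 removes it again, and patches 5/8 through 8/8 all share the subject "Fix CI error". Please squash these four into one commit whose message names the lint rules being satisfied, so the heading renumbering, the link removals and the section moves can be reviewed as one intended change.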