EIP-2537: Precompile for BLS12-381 curve operations #66

OlivierBBB · 2025-01-22T14:01:13Z

EIP-2537: Precompile for BLS12-381 curve operations

Add precompile to a new BLS module
- all comparisons will require two interactions with WCP (48 byte data)
- well formedness of coordinates is ok in circuit
- 48 byte modular arithmetic isn't
- understanding logic of EVM for the precompiles
- understanding the relevant gnark circuit API's
Existing modules:
- HUB precompile processing
- OOB for detecting FAILURE_KNOWN_TO_HUB
- TRM for updated IS_PRECOMPILE flag
- MMIO for lookup to new BLS module

From an arithmetization perspective, our focus is on:

Understanding the meaning of the inputs and the outputs of each precompile (e.g., what does success = 1 mean?).
What operations need to be delegated to external circuits. We likely can internally check for the correctness of the encoding, the length and if a point is at infinity. Group and subgroup membership need to be delegated to external circuits.
Define the interface to communicate with external circuits.
gnark PR: feat: add Pectra BLS12-381 elliptic curve precompiles gnark#1447

Coordinate encoding
Input length, specifically whether a small point coordinate belongs to $\mathbb{F}p$ ($< p$) or a large point coordinate belongs to $\mathbb{F}{p^2}$ ($< p^2$).
Point at infinity

Let $\mathbb{G}_1$ be $\mathbb{C}_1$ subgroup and $\mathbb{G}_2$ be $\mathbb{C}_2$ subgroup.

BLS12_G1ADD, $\mathbb{C_1} \times \mathbb{C_1}$ (256 bytes) $\rightarrow \mathbb{C_1}$ (128 bytes)
- coordinate encoding
- input length
- points at infinity
- $\mathbb{C}_1$ mermbership
BLS12_G1MSM, $(\mathbb{G_1} \times \mathbb{N})^k$ ($160 \cdot k$ bytes) $\rightarrow \mathbb{G_1}$ (128 bytes) with $k > 0$
- coordinate encoding
- input length
- point at infinity
- $\mathbb{C}_1$ and $\mathbb{G}_1$ mermbership
BLS12_G2ADD $\mathbb{C_2} \times \mathbb{C_2}$ (512 bytes) $\rightarrow \mathbb{C_2}$ (256 bytes)
- coordinate encoding
- input length
- points at infinity
- $\mathbb{C}_2$ mermbership
BLS12_G2MSM $(\mathbb{G_2} \times \mathbb{N})^k$ ($288 \cdot k$ bytes) $\rightarrow \mathbb{G_2}$ (256 bytes) with $k > 0$
- coordinate encoding
- input length
- point at infinity
- $\mathbb{C}_2$ and $\mathbb{G}_2$ mermbership
BLS12_PAIRING_CHECK $(\mathbb{G_1} \times \mathbb{G_2})^k$ ($384 \cdot k$ bytes) $\rightarrow {0,1}$ (right padded to 32 bytes) with $k > 0$
- coordinate encoding
- input length
- point at infinity
- $\mathbb{C}_1$ and $\mathbb{G}_1$ mermbership
- $\mathbb{C}_2$ and $\mathbb{G}_2$ mermbership
BLS12_MAP_FP_TO_G1 $\mathbb{F}_p$ (64 bytes) $\rightarrow \mathbb{G_1}$ (128 bytes)
- coordinate encoding
- input length
BLS12_MAP_FP2_TO_G2 $\mathbb{F}_{p^2}$ (128 bytes) $\rightarrow \mathbb{G_2}$ (256 bytes)
- coordinate encoding
- input length

The text was updated successfully, but these errors were encountered:

OlivierBBB added London to Pectra London to Pectra Pectra EIP's for the Pectra hardfork labels Jan 22, 2025

OlivierBBB changed the title ~~EIP-2537~~ EIP-2537: Precompile for BLS12-381 curve operations Jan 22, 2025

lorenzogentile404 self-assigned this Jan 22, 2025

OlivierBBB added the will implement For those EIP's that will be implemented on Linea label Feb 7, 2025

lorenzogentile404 linked a pull request Mar 17, 2025 that will close this issue

66 eip 2537 precompile for bls12 381 curve operations #129

Open

OlivierBBB added this to the London to Pectra milestone Mar 22, 2025