# RFC (from L2s) on BLS Subgroup checks The L1 core devs are having discussions around subgroup checks for the BLS precompiles scheduled to be included via [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537) in the Pectra upgrade. The issue is including a subgroup check into the MSM doing so means that we largely loose the sub-linear benefits of the MSM as the sub-group checks start to be a large component of the total computation. That said, they do have to be done at some point for every input, so the question is whether it is worth building them into the pre-compile to avoid having a foot-gun or whether they would be used in a way where the costs of doing the subgroup checks on every MSM (even if already verified) is not worth it. ## Proposals Some of the ideas proposed are: a. Just have the subgroup check be included b. have a flag to disable the check as a part of the precompile c. have two separate precompiles, one with and one without the check d. no subgroup checks, and we ask devs to be _very_ careful Here's a doc with a bit more info if it helps: https://hackmd.io/@ralexstokes/eip-2537-rfc ## RFC The questions it would be really helpful to get some feedback on are: 1. Would you switch to BLS for your proving system and if so, would you over multiple MSMs over the same points such that the subgroup checks would be a large portion of the overall computation? 2. If you were to ship EIP-2537 on you chain, how painful would it be from a circuit implementation standpoint to offer flags or multiple precompiles etc? ## Feedback ### Youssef el Housni - Linea The current best approach to check a point $P$ is on the prime subgroup of BLS12-381 is to check: $P == -x_0^2*\Phi(P)$ where $x_0$ is the constant `0xd201000000010000` and $\Phi$ the $j=0$ endomorphism. In a MSM, subgroup checking all the $N$ $P_i$ points boils down to $N$ $x_0^2$-multiplications (optimized addition chain) and $N$ $\Phi$ evaluations ($N$ $F_p$-multiplications). If we want to batch this check we need to check: $\sum_i a^i * P_i == -x_0^2 * \sum_i a^i * P_i$ with a random scalar to avoid rogue attacks. So it means we need another MSM ($\sum_i a^i * P_i$) in the gas count. So subgroup checking individual points is probably better. This is said, if the scalar in the MSM precompile are random then we can subgroup check the MSM resulting point only (the MSM scalars will act as the random $a^i$ for the batch check). So I guess having the MSM precompile without subgroup check and a separate check precompile that users would call on all MSM inputs or just the result depending if the scalars are random or not would make sense.
Last changed by  
Carl Beekhuizen
111

Read more

Electra Weak Subjectivity Calculations

Special thanks to Mikhail Kalinin and Justin Traglia for correcting several mistakes. The Weak Subjectivity Period (WSP) is the period of time a node can stop observing the chain for and when they return not be tricked by an adversary as to who is and isn't a validator. To execute a weak subjectivity attack, an attacker creates two diverging chains starting the moment the chain was last observed such that a minimal amount of their attacking balance needs to equivocate (and be slashed) in order for the attack to succeed. When a node is following the chain and is thus fully aware of all validator balances, the minimum amount of balance that needs to equivocate and be slashed is $\frac 1 3$ of the total active balance. As two divergent chains each need $\frac 2 3$ of the balance to finalize an epoch and the minimum intersection of $\frac 2 3$ and $\frac 2 3$ of the same set is $\frac 1 3$. The WSP is parameterized by the Decay Parameter $D, ; \left(0<D<\frac 1 3 \right)$, which determines by how much we're willing to weaken the normal $\frac 1 3$ slashing guarentee for nodes that stop viewing the chain for the duration of the WSP.

4/1/2025
RollCall #6 Summary

Details Recording: https://youtu.be/k-7z6lgleLw Agenda: https://github.com/ethereum/pm/issues/1071 L1 Blob Basefee spike event on June 20: Breif overview of the spike and the fixes coming up in the Pectra upgrade Discussion about the posibility of have the target blob basefee be something other than the max basefee//2 (as per the discussions in PeerDAS Breakout Room #3)

7/10/2024
Contributing to the KZG Ceremony using an air-gapped machine

🚨🚨Steps 0 and 1 should be done well ahead of your contribution slot🚨🚨 This document will guide you through the process of contributing to the KZG Ceremony using Ignacio Hagopian's go-kzg-ceremony-client on an air-gapped computer. Step 0: Check your slot has been scheduled correctly for your address: Verify that your Ethereum address that you will use to contribute is included in the scheduled slots and that the date (in UTC - convert to your timezone here) is correct: [{"address":"0xcab81f14a3fc98034a05bab30f8d0e53e978c833","nonce":"0x4000","start_time":"2023-04-14T12:00:00Z","end_time":"2023-04-14T16:00:00Z"}, {"address":"0x32262672c6d1b814019f4ca4e2fc53285a919704","nonce":"0x4000","start_time":"2023-04-14T12:00:00Z","end_time":"2023-04-14T16:00:00Z"}, {"address":"0x051f77131b0ea6d149608021E06c7206317782CC","nonce":"0x4000","start_time":"2023-04-09T08:00:00Z","end_time":"2023-04-09T12:00:00Z"},

4/14/2023
KZG Summoning Ceremony Timeline

subject to change gantt title Timeline dateFormat YYYY-MM-DD axisFormat %m-%y section Dev Crypto Dev :2022-05-17, 2022-08-15 Crypto Audit Fixes :2022-08-29, 1w

1/16/2023
Read more from Carl Beekhuizen
Published on HackMD