# RFC (from L2s) on BLS Subgroup checks The L1 core devs are having discussions around subgroup checks for the BLS precompiles scheduled to be included via [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537) in the Pectra upgrade. The issue is including a subgroup check into the MSM doing so means that we largely loose the sub-linear benefits of the MSM as the sub-group checks start to be a large component of the total computation. That said, they do have to be done at some point for every input, so the question is whether it is worth building them into the pre-compile to avoid having a foot-gun or whether they would be used in a way where the costs of doing the subgroup checks on every MSM (even if already verified) is not worth it. ## Proposals Some of the ideas proposed are: a. Just have the subgroup check be included b. have a flag to disable the check as a part of the precompile c. have two separate precompiles, one with and one without the check d. no subgroup checks, and we ask devs to be _very_ careful Here's a doc with a bit more info if it helps: https://hackmd.io/@ralexstokes/eip-2537-rfc ## RFC The questions it would be really helpful to get some feedback on are: 1. Would you switch to BLS for your proving system and if so, would you over multiple MSMs over the same points such that the subgroup checks would be a large portion of the overall computation? 2. If you were to ship EIP-2537 on you chain, how painful would it be from a circuit implementation standpoint to offer flags or multiple precompiles etc? ## Feedback ### Youssef el Housni - Linea The current best approach to check a point $P$ is on the prime subgroup of BLS12-381 is to check: $P == -x_0^2*\Phi(P)$ where $x_0$ is the constant `0xd201000000010000` and $\Phi$ the $j=0$ endomorphism. In a MSM, subgroup checking all the $N$ $P_i$ points boils down to $N$ $x_0^2$-multiplications (optimized addition chain) and $N$ $\Phi$ evaluations ($N$ $F_p$-multiplications). If we want to batch this check we need to check: $\sum_i a^i * P_i == -x_0^2 * \sum_i a^i * P_i$ with a random scalar to avoid rogue attacks. So it means we need another MSM ($\sum_i a^i * P_i$) in the gas count. So subgroup checking individual points is probably better. This is said, if the scalar in the MSM precompile are random then we can subgroup check the MSM resulting point only (the MSM scalars will act as the random $a^i$ for the batch check). So I guess having the MSM precompile without subgroup check and a separate check precompile that users would call on all MSM inputs or just the result depending if the scalars are random or not would make sense.
Last changed by  
Carl Beekhuizen
597

Read more

The Case for ⚡️🎰 Quick Slots in Hegota

TL;DR We are proposing shorter slots for Hegota as it will significantly improve the UX of Ethereum. 6 second-slots is possibly too much alongside FOCIL, so we are proposing to go as low as possible given our available resources. Why it matters Slot time is the heartbeat of Ethereum's user experience. Every second we shave off directly translates to faster transaction landings, faster CEX deposits, and faster IRL payments. Depending on how far we can push it, this could be the single biggest UX upgrade in Ethereum's history, a step-change in how it feels to use the network. Beyond UX, shorter slots improve protocol economics in meaningful ways: Users get tighter DEX pricing because arbitrage loss scales with $\sqrt{slot_time}$ (Milionis et al.), so shorter slots mean less value lost to arbitrageurs. Less MEV surplus per slot because MEV extraction is non-linear in slot time, reducing the value available to searchers and builders.

2/10/2026
Electra Weak Subjectivity Calculations

Special thanks to Mikhail Kalinin and Justin Traglia for correcting several mistakes. The Weak Subjectivity Period (WSP) is the period of time a node can stop observing the chain for and when they return not be tricked by an adversary as to who is and isn't a validator. To execute a weak subjectivity attack, an attacker creates two diverging chains starting the moment the chain was last observed such that a minimal amount of their attacking balance needs to equivocate (and be slashed) in order for the attack to succeed. When a node is following the chain and is thus fully aware of all validator balances, the minimum amount of balance that needs to equivocate and be slashed is $\frac 1 3$ of the total active balance. As two divergent chains each need $\frac 2 3$ of the balance to finalize an epoch and the minimum intersection of $\frac 2 3$ and $\frac 2 3$ of the same set is $\frac 1 3$. The WSP is parameterized by the Decay Parameter $D, ; \left(0<D<\frac 1 3 \right)$, which determines by how much we're willing to weaken the normal $\frac 1 3$ slashing guarentee for nodes that stop viewing the chain for the duration of the WSP.

4/1/2025
RollCall #6 Summary

Details Recording: https://youtu.be/k-7z6lgleLw Agenda: https://github.com/ethereum/pm/issues/1071 L1 Blob Basefee spike event on June 20: Breif overview of the spike and the fixes coming up in the Pectra upgrade Discussion about the posibility of have the target blob basefee be something other than the max basefee//2 (as per the discussions in PeerDAS Breakout Room #3)

7/10/2024
Contributing to the KZG Ceremony using an air-gapped machine

🚨🚨Steps 0 and 1 should be done well ahead of your contribution slot🚨🚨 This document will guide you through the process of contributing to the KZG Ceremony using Ignacio Hagopian's go-kzg-ceremony-client on an air-gapped computer. Step 0: Check your slot has been scheduled correctly for your address: Verify that your Ethereum address that you will use to contribute is included in the scheduled slots and that the date (in UTC - convert to your timezone here) is correct: [{"address":"0xcab81f14a3fc98034a05bab30f8d0e53e978c833","nonce":"0x4000","start_time":"2023-04-14T12:00:00Z","end_time":"2023-04-14T16:00:00Z"}, {"address":"0x32262672c6d1b814019f4ca4e2fc53285a919704","nonce":"0x4000","start_time":"2023-04-14T12:00:00Z","end_time":"2023-04-14T16:00:00Z"}, {"address":"0x051f77131b0ea6d149608021E06c7206317782CC","nonce":"0x4000","start_time":"2023-04-09T08:00:00Z","end_time":"2023-04-09T12:00:00Z"},

4/14/2023
Read more from Carl Beekhuizen
Published on HackMD