# RFC (from L2s) on BLS Subgroup checks The L1 core devs are having discussions around subgroup checks for the BLS precompiles scheduled to be included via [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537) in the Pectra upgrade. The issue is including a subgroup check into the MSM doing so means that we largely loose the sub-linear benefits of the MSM as the sub-group checks start to be a large component of the total computation. That said, they do have to be done at some point for every input, so the question is whether it is worth building them into the pre-compile to avoid having a foot-gun or whether they would be used in a way where the costs of doing the subgroup checks on every MSM (even if already verified) is not worth it. ## Proposals Some of the ideas proposed are: a. Just have the subgroup check be included b. have a flag to disable the check as a part of the precompile c. have two separate precompiles, one with and one without the check d. no subgroup checks, and we ask devs to be _very_ careful Here's a doc with a bit more info if it helps: https://hackmd.io/@ralexstokes/eip-2537-rfc ## RFC The questions it would be really helpful to get some feedback on are: 1. Would you switch to BLS for your proving system and if so, would you over multiple MSMs over the same points such that the subgroup checks would be a large portion of the overall computation? 2. If you were to ship EIP-2537 on you chain, how painful would it be from a circuit implementation standpoint to offer flags or multiple precompiles etc? ## Feedback ### Youssef el Housni - Linea The current best approach to check a point $P$ is on the prime subgroup of BLS12-381 is to check: $P == -x_0^2*\Phi(P)$ where $x_0$ is the constant `0xd201000000010000` and $\Phi$ the $j=0$ endomorphism. In a MSM, subgroup checking all the $N$ $P_i$ points boils down to $N$ $x_0^2$-multiplications (optimized addition chain) and $N$ $\Phi$ evaluations ($N$ $F_p$-multiplications). If we want to batch this check we need to check: $\sum_i a^i * P_i == -x_0^2 * \sum_i a^i * P_i$ with a random scalar to avoid rogue attacks. So it means we need another MSM ($\sum_i a^i * P_i$) in the gas count. So subgroup checking individual points is probably better. This is said, if the scalar in the MSM precompile are random then we can subgroup check the MSM resulting point only (the MSM scalars will act as the random $a^i$ for the batch check). So I guess having the MSM precompile without subgroup check and a separate check precompile that users would call on all MSM inputs or just the result depending if the scalars are random or not would make sense.