# EIP-2537

This document tracks the effort to make [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537) part of the Shanghai hard fork (Q1 2023?). This precompile adds operations on the [BLS12-381 curve](https://hackmd.io/@benjaminion/bls12-381).

## Status quo

[BN254](https://hackmd.io/@jpw/bn254) is currently the only curve with precompiled contracts on Ethereum for elliptic curve addition, scalar multiplication, and pairings ([EIP 196](https://eips.ethereum.org/EIPS/eip-196), [EIP 197](https://eips.ethereum.org/EIPS/eip-197)). The problem is that the security of BN254 dropped from 128 bits to [around 100](https://github.com/zcash/zcash/issues/714) after the new algorithms of [Kim-Barbulescu](https://eprint.iacr.org/2015/1027.pdf).

### Issues with BN254

As stated above, [BN254](https://hackmd.io/@jpw/bn254) no longer provides a 128-bit security level. On top of that, the hash-to-point map has **NOT** been standardized. This led many implementers to rely on [hash and pray](https://github.com/thehubbleproject/hubble-contracts/issues/171) hashing, which is susceptible to grinding attacks.

## Real world examples of pairing used in smart contracts

* [Groth16 implementation](https://github.com/iden3/snarkjs/blob/master/templates/verifier_groth16.sol.ejs#L111)
* [Tornado Cash](https://github.com/tornadocash/tornado-core/blob/master/contracts/Verifier.sol#L143)
* [BLS aggregation](https://github.com/thehubbleproject/hubble-contracts/blob/master/contracts/libs/BLS.sol#L73-L86)

## Testing

[bls12-381-tests](https://github.com/ethereum/bls12-381-tests/) provides a test suite for BLS12-381. This suite is currently employed by:

* Teku
* Nimbus
* Prysm
* Lodestar

## Misc

The generators in https://eips.ethereum.org/EIPS/eip-2537 are different from the ones defined in https://hackmd.io/@benjaminion/bls12-381

## Test

[geth](https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles)

!!!! WRONG https://github.com/ethereum/go-ethereum/blob/63aaac81007ad46b208570c17cae78b7f60931d4/core/vm/testdata/precompiles/blsG1Mul.json#L17

# Resources

fast subgroup check https://hackmd.io/@yelhousni/bls12_subgroup_check

geth gas https://github.com/ethereum/go-ethereum/blob/34aac1d7562bf141fe6da1d4f3cdea8819e7b23b/params/protocol_params.go#L179

## investigate

```
def case09_pairing_check():
    yield 'pairing_check_bls', [
        {
            "Input": int_to_hex(int(G1[0]), 64) + (int_to_hex(int(G1[1]), 64))
                     + int_to_hex(0, 256)
                     + int_to_hex(0, 128)
                     + int_to_hex(int(G2[0].coeffs[0]), 64)
                     + int_to_hex(int(G2[0].coeffs[1]), 64)
                     + int_to_hex(int(G2[1].coeffs[0]), 64)
                     + int_to_hex(int(G2[1].coeffs[1])),
            "Name": "bls_pairing_e(G1,0)=e(0,G2)",
            "Expected": int_to_hex(0, 64),
            "Gas": 161000,
            "NoBenchmark": False
        },
    ]
```

```
--- FAIL: TestPrecompiledBLS12381Pairing (0.00s)
    --- FAIL: TestPrecompiledBLS12381Pairing/bls_pairing_e(G1,0)=e(0,G2)-Gas=138000 (0.00s)
        contracts_test.go:102: invalid input length
        contracts_test.go:107: bls_pairing_e(G1,0)=e(0,G2): gas wrong, expected 161000, got 138000
FAIL
exit status 1
FAIL	github.com/ethereum/go-ethereum/core/vm	0.280s
```
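
Both failure lines above are consistent with an input that is not a whole multiple of 384 bytes (one 128-byte G1 point plus one 256-byte G2 point per pair). The following is an added example, not part of the original note or of geth, that reproduces the length and gas accounting. It assumes a hypothetical `to_hex` helper that emits a minimal-length encoding when the byte length is omitted, a pair count taken as the floor of length / 384, and gas constants inferred from the 138000 and 161000 figures on this page; the coordinates are constructed placeholders, not real curve points.

```python
# Added example: size and gas accounting for the BLS12-381 pairing input.
G1_BYTES = 128                      # two 64-byte field elements
G2_BYTES = 256                      # four 64-byte field elements
PAIR_BYTES = G1_BYTES + G2_BYTES    # 384 bytes per (G1, G2) pair

# Assumption: inferred from the page (138000 for one pair, 161000 for two).
PAIRING_BASE_GAS = 115000
PAIRING_PER_PAIR_GAS = 23000


def to_hex(n, byte_length=None):
    """Hypothetical stand-in for int_to_hex: minimal length unless padded."""
    size = byte_length or max(1, (n.bit_length() + 7) // 8)
    return n.to_bytes(size, "big").hex()


def pairing_gas(input_hex):
    """Gas charged on the raw length, with the pair count rounded down."""
    pairs = (len(input_hex) // 2) // PAIR_BYTES
    return PAIRING_BASE_GAS + PAIRING_PER_PAIR_GAS * pairs


def check_pairing_input(input_hex):
    """Return (ok, n_bytes, gas); ok requires a non-empty multiple of 384."""
    n_bytes = len(input_hex) // 2
    ok = n_bytes > 0 and n_bytes % PAIR_BYTES == 0
    return ok, n_bytes, pairing_gas(input_hex)


def build_input(pad_last):
    """Lay out (G1, 0) followed by (0, G2), optionally padding the last limb."""
    # Constructed 381-bit placeholders: only the encoded sizes matter here.
    c = [(1 << 380) + i for i in range(6)]
    last = to_hex(c[5], 64) if pad_last else to_hex(c[5])
    first_pair = to_hex(c[0], 64) + to_hex(c[1], 64) + to_hex(0, 256)
    second_pair = (to_hex(0, 128) + to_hex(c[2], 64) + to_hex(c[3], 64)
                   + to_hex(c[4], 64) + last)
    return first_pair + second_pair


if __name__ == "__main__":
    print(check_pairing_input(build_input(pad_last=False)))
    print(check_pairing_input(build_input(pad_last=True)))
```

With the last coordinate unpadded the input is 752 bytes, which fails the length check and is charged for one pair; padded to 64 bytes it is 768 bytes and is charged for two.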