EIP Draft: Replace alt_bn128 Precompiles With EVM Bytecode

# EIP Draft: Replace alt_bn128 Precompiles With EVM Bytecode --- eip: TBD title: Replace alt_bn128 Precompiles With EVM Bytecode authors: Paul D. (@poemm) discussions-to: TBD type: Standards Track category: Core status: Draft created: TBD --- ## Simple Summary We propose replacing the alt_bn128 precompiles with EVM bytecode. ## Abstract alt_bn128 precompiles has low cryptographic security, much lower than the desired 128-bits. And alt_bn128 precompiles may soon be obsolete as new precompiles are accepted. We propose a path to deprecation which replaces precompiles with formally verified functionally equivalent EVM bytecode, and replaces precompile gas formulas with regular EVM gas accounting. ## Motivation We are motivated to remove obsolete code from Ethereum clients. Obsolete code leaves a large attack surface, but provides little value. We are also motivated to "lower the bar" for implementing a new Ethereum client, improving client diversity. ## Specification Starting at block `TBD`, precompiles at addresses 0x00..006, 0x00..007, and 0x00..008 will execute functionally equivalent (i.e. formally verified) EVM bytecode. Gas accounting is switched from formulas to the standard EVM opcode gas accounting. The bytecode for pairings will not fit in 24kb, so we will also deploy and call helper contracts with TBD addresses. ## Rationale Elliptic curve precompiles add a significant amount of code, some say 15,000 lines of likely bug-ridden code. With BLS12-381 precompiles, BN128 precompiles become functionally obsolete, but remain a large attack surface in Ethereum clients. It would be good to "trade" attack surface by removing BN128 precompile code when adding BLS12-381 code. The bytecode will be formally verified to be functionally equivalent to a high-level mathematical specification. [Weierstrudel](https://github.com/AztecProtocol/weierstrudel) showed us that we can implement fast ECMUL in pure EVM. Likewise, ECADD (a part of ECMUL) can also be implemented in pure EVM. Finally, ECPAIRING has potential to be implemented in EVM384, which is fast in both [runtime](https://notes.ethereum.org/@poemm/evm384-update4) and [gas](https://notes.ethereum.org/@poemm/evm384-update5). ## Backwards Compatibility Dapps which observe gas of precompiles may break. But there was never any promise of fixed gas costs. In fact, gas costs for precompiles frequently change. ## Test Cases TBD (same as the precompile) ## Reference Implementation The reference implementation will be formally verified EVM bytecode. ## Security Considerations TBD ## Copyright Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).