EIP-2537: Precompile for BLS12-381 curve operations

[OlivierBBB]

EIP-2537: Precompile for BLS12-381 curve operations

Progress

• spec
• constraints
• tracer

Impact

• Add precompile to a new BLS module
  • all comparisons will require two interactions with WCP (48 byte data)
  • well formedness of coordinates is ok in circuit
  • 48 byte modular arithmetic isn't
  • understanding logic of EVM for the precompiles
  • understanding the relevant gnark circuit API's
• Existing modules:
  • HUB precompile processing
  • OOB for detecting FAILURE_KNOWN_TO_HUB
  • TRM for updated IS_PRECOMPILE flag
  • MMIO for lookup to new BLS module

Notes

From an arithmetization perspective, our focus is on:

• Understanding the meaning of the inputs and the outputs of each precompile (e.g., what does success = 1 mean?).
• What operations need to be delegated to external circuits. We likely can internally check for the correctness of the encoding, the length and if a point is at infinity. Group and subgroup membership need to be delegated to external circuits.
• Define the interface to communicate with external circuits.
• gnark PR: feat: add Pectra BLS12-381 elliptic curve precompiles gnark#1447

Test vectors

• testing all the precompiles failing

Checks performed by the arithmetization

• Coordinate encoding
• Input length, specifically whether a small point coordinate belongs to $\mathbb{F}p$ ($< p$) or a large point coordinate belongs to $\mathbb{F}{p^2}$ ($&lt; p^2$).
• Point at infinity

Checks performed by external circuits

Let $\mathbb{G}_1$ be $\mathbb{C}_1$ subgroup and $\mathbb{G}_2$ be $\mathbb{C}_2$ subgroup.

• $\mathbb{C}_1$ and $\mathbb{G}_1$ mermbership
• $\mathbb{C}_2$ and $\mathbb{G}_2$ mermbership

Checks overview

• BLS12_G1ADD, $\mathbb{C_1} \times \mathbb{C_1}$ (256 bytes) $\rightarrow \mathbb{C_1}$ (128 bytes)
  • coordinate encoding
  • input length
  • points at infinity
  • $\mathbb{C}_1$ mermbership
• BLS12_G1MSM, $(\mathbb{G_1} \times \mathbb{N})^k$ ($160 \cdot k$ bytes) $\rightarrow \mathbb{G_1}$ (128 bytes) with $k &gt; 0$
  • coordinate encoding
  • input length
  • point at infinity
  • $\mathbb{C}_1$ and $\mathbb{G}_1$ mermbership
• BLS12_G2ADD $\mathbb{C_2} \times \mathbb{C_2}$ (512 bytes) $\rightarrow \mathbb{C_2}$ (256 bytes)
  • coordinate encoding
  • input length
  • points at infinity
  • $\mathbb{C}_2$ mermbership
• BLS12_G2MSM $(\mathbb{G_2} \times \mathbb{N})^k$ ($288 \cdot k$ bytes) $\rightarrow \mathbb{G_2}$ (256 bytes) with $k &gt; 0$
  • coordinate encoding
  • input length
  • point at infinity
  • $\mathbb{C}_2$ and $\mathbb{G}_2$ mermbership
• BLS12_PAIRING_CHECK $(\mathbb{G_1} \times \mathbb{G_2})^k$ ($384 \cdot k$ bytes) $\rightarrow {0,1}$ (right padded to 32 bytes) with $k &gt; 0$
  • coordinate encoding
  • input length
  • point at infinity
  • $\mathbb{C}_1$ and $\mathbb{G}_1$ mermbership
  • $\mathbb{C}_2$ and $\mathbb{G}_2$ mermbership
• BLS12_MAP_FP_TO_G1 $\mathbb{F}_p$ (64 bytes) $\rightarrow \mathbb{G_1}$ (128 bytes)
  • coordinate encoding
  • input length
• BLS12_MAP_FP2_TO_G2 $\mathbb{F}_{p^2}$ (128 bytes) $\rightarrow \mathbb{G_2}$ (256 bytes)
  • coordinate encoding
  • input length