CIP-30: BLS12-377 Precompiles #1157
Conversation
kilic
requested review from
asaj,
kevjue,
kobigurk and
timmoreton
as code owners
|
Update: I talked to @shamatar and he identified a metering issue that will result in gas price changes and a slight divergence between the EIPs. So hold off on making gas changes until those come back |
|
Zexe test vectors are generated with https://github.com/kilic/zexe/blob/eip2539/algebra/src/bls12_377/curves/eip2539_test.rs @prestwich we may want to reduce scalar multiplication gas price in short term since GLV multiplication which is more efficient is planned to be implemented. |
|
Matter test vectors are generated with https://github.com/kilic/eip1962-1/tree/celo1157/src/public_interface/celo1157 However there are some issues of matter eip1962 implementation.
|
|
See gas metering update PR here: |
My open PR in 1962 addresses the b coefficient issue matter-labs/eip1962#14 I'll notify the Matter team and see if they'll take a look at the pairing output issue |
I've also updated coefficients in my optimizations branch (that uses special forms of non-residues), but what is a problem with a line there exactly? If number of pairs is even we should get combinations like |
core/vm/contracts.go
Outdated
| errBLS12377G2PointSubgroup = errors.New("g2 point is not on correct subgroup") | ||
| ) | ||
|
|
||
| // bls12377G1Add implements EIP-2537 G1Add precompile. |
There was a problem hiding this comment.
should be EIP-2539 throughout :)
|
I've been running some compatibility tests between this work and the rust eip1962 lib. I'm getting a mismatch on the pairing function with a specific input (below). The Golang implementation (accessed via geth rpc) returns I am working on this branch of eip1962: I would appreciate someone else checking this out and telling me if it's likely to be an error in my testing setup while I try to debug locally |
|
Did mismatch happen in the very first call or in a kind of fuzzing attempt?
I have added a small test below that demonstrates the issue. |
@kilic Should I run this test for BLS12-377 curve? (to double check) |
|
Fixed the hardcoded parameters. Please use the "tuning" branch for now, it contains an API implementation for 2539, so can be tested from outside (signatures should match) |
On the very first call. I've also been running the others with random inputs generated by the eip1962 library without issues |
I will update my work to use the |
|
There is a demo how to build generic fuzzer for precompiles like 2537/2539 in this repo https://github.com/shamatar/algebraic_fuzzer It does not perform any actual comparison, just fuzzes G1 addition for now, but it looks to be ok to template it over some form of generators and runners |
|
There is now also branch with square root functions for 1 mod 16 (case of base field of BLS12-377), so we can actually fix a fuzzer for points in invalid subgroup and not on curve |
|
My eip2539 branch of the fuzzer has been updated here: https://github.com/prestwich/algebraic_fuzzer We are provisioning a node to run it for a bit. |
Ran about 1billion iterations of EIP-2539 and 1.5 billion of EIP-2537. No issues encountered. Given we have tests and a large number of fuzzing runs against an integration, we should update the gas costs to match the latest EIP2539. Any other things that need to be done before this is ready for review for inclusion in Donut? |
|
hey @kilic, I'm starting to shephard client integration. :) Can you please do the following:
|
params/protocol_params.go
Outdated
| Bls12377G2AddGas uint64 = 0 // Price for BLS12-377 elliptic curve G2 point addition | ||
| Bls12377G2MulGas uint64 = 0 // Price for BLS12-377 elliptic curve G2 point scalar multiplication | ||
| Bls12377PairingBaseGas uint64 = 0 // Base gas price for BLS12-377 elliptic curve pairing check | ||
| Bls12377PairingPerPairGas uint64 = 0 // Per-point pair gas price for BLS12-377 elliptic curve pairing check |
There was a problem hiding this comment.
We still need to fill these in
use assigned operations in fp2 add math comments
variable used in asm
add mixed addition use mixed addition in multiexp
add g1 wnaf mul
remove glvVector remove unused one fix spelling checks
redefine precompileaddresses in tests
|
Closed in favor of #1341 |
Description
This pr adds BLS12-377 elliptic curve operations as precompiles. Precompiles are added in same fashion with EIP-2537 except the mapping functions.
Background
Elliptic curve library is adapted from BLS12-381 and EIP-1962 works. x86 optimised field implementation is generated with fp and native go implementation is generated with goff
Other changes
Gas table for these new precompiles set is not decided yet. Rather than actual numbers placeholder constants are placed.
Tests
Underlying elliptic curve library is heavily tested in terms of mathematical properties.
Original library BLS12-381 is subjected to the security audit under drand project and also made its way to be backend of EIP-2537 go-ethereum precompiles* for the next HF.
Cross and fuzz testing are not applied for the adapted library yet, also static call test vectors are not generated.
Backwards compatibility
Precompiles are included next to Celo specific precompile bundle. It is assumed that precompile addresses incrementally follow the others.