Usage of EIP-2537

Seeking input to help define the functionality exposed of the EIP-2537 precompiles, which expose:

1. Routines for arithmetic in the BLS12-381 elliptic curve and associated groups
2. Routines for verifying signatures in the BLS signature scheme used in Ethereum's consensus layer (and several other chains).

Potential use cases include:

1. Applications that want to reason about validators inside the EVM, e.g. restaking, light clients, bridges, staking pools
2. Users of zero-knowlege proofs, in particular zkRollups

Question for review

There is a notion of a subgroup check where various precompiles would verify that untrusted input points actually belong to the relevant groups they must reside in. For the purposes of EIP-2537, the question comes down to user safety vs. cost. Currently, the EIP proposes that inputs are subject to a subgroup check which was selected as this exposes the safest API for users but incurs a higher gas cost during operation. In particular, users of the multi-scalar-multiplication (MSM) operation could potentially incur the subgroup check for each input multiple times over (in the event they need to use the MSM multiple times in their application), even if the inputs have already been verified by the precompile on the first call, or are known to be safe as they are stored within the contract (eg. a CRS/set of pubkeys).

Additional ask

If you can provide a realistic input your application would have for this precompile, it would help with gas benchmarking as we finalize EIP-2537 for the upcoming Pectra hard fork.

For example, a zkRollup could provide the call data from an L1 update transaction.