eip: <to be assigned>
title: Precompiles for BLS12-381
author: Alex Stokes (@ralexstokes), Gregory Markou <firstname.lastname@example.org>
discussions-to: make post on FEM
type: Standards Track
category (*only required for Standard Track): Core
This is a draft EIP that is currently incomplete; this version is circulating for discussion purposes.
<!--A short (~200 word) description of the technical issue being addressed.-->
BLS12-381 precompiles permit efficient cryptographic operations inside the EVM that are otherwise prohibitively expensive. Support for this curve enables interoperability with Eth2.0 and a host of other blockchain projects (ZCash, Filecoin, Chia, Dfinity, Algorand, ...) along with applications to secure zk-SNARKs.
<!--The motivation is critical for EIPs that want to change the Ethereum protocol. It should clearly explain why the existing protocol specification is inadequate to address the problem that the EIP solves. EIP submissions without sufficient motivation may be rejected outright.-->
This EIP introduces precompiles to the EVM for arithmetic operations on the elliptic curve BLS12-381, https://electriccoin.co/blog/new-snark-curve/. This pairing-friendly elliptic curve is the host of validator identities in Eth2.0 (as it affords efficient signature aggregation under the BLS signature scheme https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html) and has applications to zk-SNARKS as seen in systems like Zcash (see prior link on electriccoin.co).
The necessary arithmetic operations include elliptic curve addition and scalar multiplication for two groups defined on the BLS12-381 construction, commonly called G1 and G2. Along with the addition and multiplication operations, this EIP suggests another precompile for the optimal Ate pairing defined on BLS12-381.
Addition of these precompiles to the EVM will support interoperability use cases with Eth2.0 and other blockchain projects along with the efficient verification of secure zk-SNARKs from within a smart contract. Specific applications for Eth2.0 include deposit contract verification and prerequisite infrastructure for an on-chain Eth2.0 light client. Readers should understand that such a light client is a requirement for the development of a trustless bridge between Eth1.0 and Eth2.0.
BLS12-381 also supports zk-SNARKs enabling privacy and scaling applications (e.g. zk-rollups) at a greater security level (given current estimations) than the existing elliptic curve incorporated as an EVM precompile, alt_bn128.
<!--The technical specification should describe the syntax and semantics of any new feature. The specification should be detailed enough to allow competing, interoperable implementations for any of the current Ethereum platforms (go-ethereum, parity, cpp-ethereum, ethereumj, ethereumjs, and [others](https://github.com/ethereum/wiki/wiki/Clients)).-->
For blocks where `block.number >= FORK_BLKNUM`, add the following precompiled contracts for point addition `ECADD-Gi` and scalar multiplication `ECMUL-Gi` on the elliptic curve BLS12-381 for groups G1 and G2 and the pairing function:
Address of ECADD-G1: 0x10
Address of ECADD-G2: 0x11
Address of ECMUL-G1: 0x12
Address of ECMUL-G2: 0x13
Address of PAIRING: 0x14
Refer to https://electriccoin.co/blog/new-snark-curve/ for the definition of the curve.
Field elements in G1 are encoded as 48 byte big-endian integers. Field elements in G2 are encoded as 96 byte big-endian integers.
TODO: resolve questions around encoding.
Input: two curve points (x, y). Output: curve point `x + y`, where `+` is point addition on the elliptic curve BLS12-381 as specified. Fails on invalid input and consumes all gas provided.
Input: curve point and scalar (x, s). Output: curve point `s * x`, where `*` is the scalar multiplication on the elliptic curve BLS12-381 as specified. Fails on invalid input and consumes all gas provided.
TODO: specify pairing.
### Gas costs
TBD pending further analysis.
<!--The rationale fleshes out the specification by describing what motivated the design and why particular design decisions were made. It should describe alternate designs that were considered and related work, e.g. how the feature is supported in other languages. The rationale may also provide evidence of consensus within the community, and should discuss important objections or concerns raised during discussion.-->
TODO: rationale pending full specification
## Backwards Compatibility
<!--All EIPs that introduce backwards incompatibilities must include a section describing these incompatibilities and their severity. The EIP must explain how the author proposes to deal with these incompatibilities. EIP submissions without a sufficient backwards compatibility treatise may be rejected outright.-->
As with the introduction of any precompiled contract, contracts that already use the given addresses will change their semantics. Because of that, the addresses are taken from the "reserved range" below 256.
## Test Cases
<!--Test cases for an implementation are mandatory for EIPs that are affecting consensus changes. Other EIPs can choose to include links to test cases if applicable.-->
Test cases are forthcoming.
<!--The implementations must be completed before any EIP is given status "Final", but it need not be completed before the EIP is accepted. While there is merit to the approach of reaching consensus on the specification and rationale before writing code, the principle of "rough consensus and running code" is still useful when it comes to resolving many discussions of API details.-->
Implementations of the curve in:
- Go: https://github.com/phoreproject/bls
- Rust: https://github.com/zkcrypto/bls12_381
- Python: https://github.com/ethereum/py_ecc
NOTE: suggested implementations pending further review.
## Security Considerations
<!--All EIPs must contain a section that discusses the security implications/considerations relevant to the proposed change. Include information that might be important for security discussions, surfaces risks and can be used throughout the life cycle of the proposal. E.g. include security-relevant design decisions, concerns, important discussions, implementation-specific guidance and pitfalls, an outline of threats and risks and how they are being addressed. EIP submissions missing the "Security Considerations" section will be rejected. An EIP cannot proceed to status "Final" without a Security Considerations discussion deemed sufficient by the reviewers.-->
NOTE: security considerations pending further discussion.
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).