---
eip: <to be assigned>
title: Precompiles for BLS12-381
author: Alex Stokes (@ralexstokes), Gregory Markou <greg@chainsafe.io>
discussions-to: make post on FEM
status: Draft
type: Standards Track
category (*only required for Standard Track): Core
created: 2020-02-19
---

# NOTE: This is a draft EIP that is currently incomplete; this version is circulating for discussion purposes.

## Abstract

<!--A short (~200 word) description of the technical issue being addressed.-->
BLS12-381 precompiles permit efficient cryptographic operations inside the EVM that are otherwise prohibitively expensive. Support for this curve enables interoperability with Eth2.0 and a host of other blockchain projects (ZCash, Filecoin, Chia, Dfinity, Algorand, ...) along with applications to secure zk-SNARKs.

## Motivation

<!--The motivation is critical for EIPs that want to change the Ethereum protocol. It should clearly explain why the existing protocol specification is inadequate to address the problem that the EIP solves. EIP submissions without sufficient motivation may be rejected outright.-->
This EIP introduces precompiles to the EVM for arithmetic operations on the elliptic curve BLS12-381, https://electriccoin.co/blog/new-snark-curve/. This pairing-friendly elliptic curve is the host of validator identities in Eth2.0 (as it affords efficient signature aggregation under the BLS signature scheme https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html) and has applications to zk-SNARKs as seen in systems like Zcash (see prior link on electriccoin.co). The necessary arithmetic operations include elliptic curve addition and scalar multiplication for two groups defined on the BLS12-381 construction, commonly called G1 and G2. Along with the addition and multiplication operations, this EIP suggests another precompile for the optimal Ate pairing defined on BLS12-381.

Addition of these precompiles to the EVM will support interoperability use cases with Eth2.0 and other blockchain projects along with the efficient verification of secure zk-SNARKs from within a smart contract. Specific applications for Eth2.0 include deposit contract verification and prerequisite infrastructure for an on-chain Eth2.0 light client. Readers should understand that such a light client is a requirement for the development of a trustless bridge between Eth1.0 and Eth2.0. BLS12-381 also supports zk-SNARKs enabling privacy and scaling applications (e.g. zk-rollups) at a greater security level (given current estimations) than the existing elliptic curve incorporated as an EVM precompile, alt_bn128.

## Specification

<!--The technical specification should describe the syntax and semantics of any new feature. The specification should be detailed enough to allow competing, interoperable implementations for any of the current Ethereum platforms (go-ethereum, parity, cpp-ethereum, ethereumj, ethereumjs, and [others](https://github.com/ethereum/wiki/wiki/Clients)).-->
For blocks where `block.number >= FORK_BLKNUM`, add the following precompiled contracts for point addition `ECADD-Gi` and scalar multiplication `ECMUL-Gi` on the elliptic curve BLS12-381 for groups G1 and G2 and the pairing function:

- Address of ECADD-G1: 0x10
- Address of ECADD-G2: 0x11
- Address of ECMUL-G1: 0x12
- Address of ECMUL-G2: 0x13
- Address of PAIRING: 0x14

Refer to https://electriccoin.co/blog/new-snark-curve/ for the definition of the curve.

### Encoding

Field elements in G1 are encoded as 48 byte big-endian integers.

Field elements in G2 are encoded as 96 byte big-endian integers.

TODO: resolve questions around encoding.

### Semantics

#### ECADD-Gi

Input: two curve points (x, y).
Output: curve point `x + y`, where `+` is point addition on the elliptic curve BLS12-381 as specified.
Fails on invalid input and consumes all gas provided.

#### ECMUL-Gi

Input: curve point and scalar (x, s).
Output: curve point `s * x`, where `*` is the scalar multiplication on the elliptic curve BLS12-381 as specified.
Fails on invalid input and consumes all gas provided.

#### PAIRING

TODO: specify pairing.

### Gas costs

TBD pending further analysis.

## Rationale

<!--The rationale fleshes out the specification by describing what motivated the design and why particular design decisions were made. It should describe alternate designs that were considered and related work, e.g. how the feature is supported in other languages. The rationale may also provide evidence of consensus within the community, and should discuss important objections or concerns raised during discussion.-->
TODO: rationale pending full specification

## Backwards Compatibility

<!--All EIPs that introduce backwards incompatibilities must include a section describing these incompatibilities and their severity. The EIP must explain how the author proposes to deal with these incompatibilities. EIP submissions without a sufficient backwards compatibility treatise may be rejected outright.-->
As with the introduction of any precompiled contract, contracts that already use the given addresses will change their semantics. Because of that, the addresses are taken from the "reserved range" below 256.

## Test Cases

<!--Test cases for an implementation are mandatory for EIPs that are affecting consensus changes. Other EIPs can choose to include links to test cases if applicable.-->
Test cases are forthcoming.

## Implementation

<!--The implementations must be completed before any EIP is given status "Final", but it need not be completed before the EIP is accepted.
While there is merit to the approach of reaching consensus on the specification and rationale before writing code, the principle of "rough consensus and running code" is still useful when it comes to resolving many discussions of API details.-->
Implementations of the curve in:

- Go: https://github.com/phoreproject/bls
- Rust: https://github.com/zkcrypto/bls12_381
- Python: https://github.com/ethereum/py_ecc

NOTE: suggested implementations pending further review.

## Security Considerations

<!--All EIPs must contain a section that discusses the security implications/considerations relevant to the proposed change. Include information that might be important for security discussions, surfaces risks and can be used throughout the life cycle of the proposal. E.g. include security-relevant design decisions, concerns, important discussions, implementation-specific guidance and pitfalls, an outline of threats and risks and how they are being addressed. EIP submissions missing the "Security Considerations" section will be rejected. An EIP cannot proceed to status "Final" without a Security Considerations discussion deemed sufficient by the reviewers.-->
NOTE: security considerations pending further discussion.

## Copyright

Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
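
The Encoding and Semantics sections require 48-byte big-endian field elements for G1 and failure on invalid input. The following added example (not part of this EIP or of the listed implementations) sketches strict input decoding for ECADD-G1. It assumes a G1 point is serialized as `x || y`, which the draft leaves open, and all function names are hypothetical.

```python
# Added example (not from the EIP). ASSUMPTION: a G1 point is x || y, two
# 48-byte big-endian field elements; the draft leaves the point layout as TODO.
P = int(
    "1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf"
    "6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab", 16)  # base field modulus
B = 4        # curve equation: y^2 = x^3 + 4 over F_p
FE_LEN = 48  # field element length from the Encoding section

class InvalidInput(ValueError):  # the precompile fails and consumes all gas
    pass

def decode_fp(buf: bytes) -> int:
    if len(buf) != FE_LEN:
        raise InvalidInput("field element must be exactly 48 bytes")
    v = int.from_bytes(buf, "big")
    if v >= P:  # 48 bytes hold 384 bits, p has 381: reject non-canonical values
        raise InvalidInput("field element not reduced modulo p")
    return v

def decode_g1(buf: bytes) -> tuple:
    if len(buf) != 2 * FE_LEN:
        raise InvalidInput("G1 point must be exactly 96 bytes")
    x, y = decode_fp(buf[:FE_LEN]), decode_fp(buf[FE_LEN:])
    # On-curve check only. Subgroup membership and a point-at-infinity
    # encoding are not handled here; the draft specifies neither yet.
    if (y * y - (x * x * x + B)) % P != 0:
        raise InvalidInput("point is not on the curve")
    return x, y

def encode_g1(pt: tuple) -> bytes:
    return pt[0].to_bytes(FE_LEN, "big") + pt[1].to_bytes(FE_LEN, "big")

def is_valid_ecadd_g1_input(data: bytes) -> bool:
    if len(data) != 4 * FE_LEN:  # exactly two points, no padding or truncation
        return False
    try:
        decode_g1(data[:2 * FE_LEN])
        decode_g1(data[2 * FE_LEN:])
    except InvalidInput:
        return False
    return True

def sample_point() -> tuple:
    """Constructed test input: first x >= 1 for which x^3 + 4 is a square."""
    for x in range(1, 1000):
        y = pow(x ** 3 + B, (P + 1) // 4, P)  # square root attempt, p % 4 == 3
        if y * y % P == (x ** 3 + B) % P:
            return x, y
    raise RuntimeError("no sample point found")
```

Rejecting unreduced field elements keeps each point to a single accepted encoding, so clients cannot disagree on whether two inputs are the same point.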