EIP-2537 (BLS12 precompile) discussion thread

jtguibas · October 28, 2022, 9:46pm

@vethereum @JustinZal While the BLS precompile would make verifying data relating to the consensus layer easier, my team and I at Succinct have actually been able to get around this by verifying BLS signatures inside a zkSNARK and then verifying that proof on-chain.

Using this technique, we have created a gas-efficient trust-minimized light client for Ethereum which can be deployed on any execution layer that supports the BN254 curve (Proof of Consensus Bridging between Ethereum and Gnosis Chain | Succinct Labs Blog).

Inside our smart contract, we have a zkBLSVerify function which can be called to emulate the BLS precompile. The tradeoff is that a proof must be generated off-chain (< 2 minutes). The function below is taken from our smart contract (code here), so it’s specific to our use case, but it can very easily be generalized to any other application that requires the precompile.

function zkBLSVerify(bytes32 signingRoot, bytes32 syncCommitteeRoot, uint256 claimedParticipation, Groth16Proof memory proof) internal view returns (bool) {
        require(sszToPoseidon[syncCommitteeRoot] != 0, "Must map SSZ commitment to Posedion commitment");
        uint256[34] memory inputs;
        inputs[0] = claimedParticipation;
        inputs[1] = uint256(sszToPoseidon[syncCommitteeRoot]);
        uint256 signingRootNumeric = uint256(signingRoot);
        for (uint256 i = 0; i < 32; i++) {
            inputs[(32 - 1 - i) + 2] = signingRootNumeric % 2 ** 8;
            signingRootNumeric = signingRootNumeric / 2**8;
        }
        return verifySignatureProof(proof.a, proof.b, proof.c, inputs);
    }

If the BLS precompile is a blocker for an exciting application you have in mind, please let us know and we would be happy to help out (just email us at hello@succinct.xyz).

weikengchen · October 29, 2022, 2:00am

Agreed with @jtguibas. Without a precompile contract for BLS curve, verifying the signature can be difficult. By the way, when we talk about BLS signature, it is BLS12-381 BLS signatures right? (The two BLS are different).

QEDK · December 9, 2022, 8:36am

I assume at this point, it’s safe to assume that this will not be a part of the Shanghai upgrade?

matt · December 9, 2022, 4:22pm

Yes, safe to assume at this point.

dankrad · January 19, 2023, 10:53am

I was wondering if there is a motivation for not including compression/decompression in the EIP? Is it because providing uncompressed elements is cheaper at 16 gas/byte?

In that case, it may be that we need to reconsider this as for rollups this ratio will be different and data will be much more expensive as compared to computation. Since the desire of many rollups is to stay as close as possible to Ethereum L1, maybe we should add precompiles for decompression?

shamatar · January 19, 2023, 8:55pm

The reason to not include decompression is indeed the cost (on L1 ). There was already large scope in this EIP and so G1 and G2 decompressions were skipped.

jeljelih · April 26, 2023, 5:48am

Does anyone have an idea when this EIP can move to next stage? Do you think we can have BLS precompiles in 2023?

darcys22 · June 21, 2023, 1:07am

Excited for this to get into a hardfork soon!

shemnon · July 23, 2023, 12:17am

It will not be in a 2023 hard fork. No one on an ACD call was there to champion it during late scoping calls.

CluEleSsUK · July 26, 2023, 3:04pm

Late to the party, but I’d like to express interest in the BLS12-381 precompiles for a variety of use cases it could open up on-chain:

registration of distributed validators
consumption and verification of drand randomness beacons on-chain (a threshold network for generating randomness, an alternative to RANDAO)
identity-based decryption (such as timelock decryption)

As another commenter noted, it would be amazing to have hash to curve and hash to field implemented as well.

Dire-0x · July 26, 2023, 11:31pm

What’s the path to get this activated?

Also very interested in its use to utilize drand beacons onchain.

_pm · August 7, 2023, 4:48pm

I understand there are no champions for the eip, but the situation is really bad. The operations are already present in consensus-layer clients, running on every node.

Right now, all zk apps are using bn254, which has terrible security level - much less than 128 bits.

At some point it would be, or already is - possible to forge proofs for such protocols.

Developing zk apps takes longer when compared to ordinary contracts, which means the sooner this is deployed, the better. Apps, especially ones without ownership, would not be able to easily upgrade from bn.

xinbenlv · August 8, 2023, 9:18pm

Oh, sad. It seems another chicken-and-egg problem for requesting a precompile!

It seems a pattern that whenever a precompile is proposed, there will be a lot of debate about whether there is likely to be a lot of usage. The chicken-and-egg nature is that without deploying the precompile, we can’t calculate the adoption, and without the adoption, it’s hard to argue for making it a precompile and thus lack of interest

Good news, we are propose to have a “progressive path towards precompiles”, where author proposes a precompile, but instead of requiring it to be deployed as precompile first, they deploy a precompile candidate which is a traditional smart contract (with higher gas cost per operation, though), and see if there is usage. Once the usage is validated, the data can be used to (1) justify the need for such precompile, and (2) serve as call pattern to help client implementor tune performance

See more Progressive precompiles via CREATE2 shadowing

_pm · August 18, 2023, 11:31am

I don’t think BLS pairings can be implemented in pure solidity. They’re very heavy.

xinbenlv · August 24, 2023, 2:07pm

Has anyone evaluated the gas used if using solidity to impl BLS?

lei335 · September 12, 2023, 10:17am

Just the G1 neg will use about 4956 gas, you can image the pairing will use how many gas.

QEDK · November 9, 2023, 9:33am

I can see that the EIP needs a champion to take it through, hate to ask the obvious but do any of the original EIP authors intend to take on that role (courtesy ping to @shamatar @ralexstokes), failing that, could we have a long-standing community member take on that role (maybe @axic @matt @maxsam4), failing that, I would be happy to take on that role.

ralexstokes · November 9, 2023, 11:11am

hi @QEDK ! I intend to push for inclusion of this EIP in the next hard fork after dencun

the core dev process hasn’t really focused on planning this next hard fork yet so there hasn’t been much activity as we all focus on the deneb/cancun EIPs

QEDK · November 9, 2023, 1:02pm

that’s great to hear, hopefully we can get this included in the fork after Dencun! Let me (or us at Avail) know if we can help speed up the process.

developeruche · November 26, 2023, 8:51pm

I just Implemented a KZG poly-commit to replace a Merkle Tree system though the interpolation, commitment, and proof generation were done in Rust, coming to write the verification contract now and just seeing this precompile has not been included yet