Add Ethereum-compatible aliases for BLS12-381 #4186
Conversation
Jim8y
force-pushed
the
feature/bls12-eth-aliases
branch
from
a157ce3 to
1a443fe
Compare
vncoelho
left a comment
vncoelho
left a comment
There was a problem hiding this comment.
Looks good, it can be in the next release
roman-khimov
left a comment
roman-khimov
left a comment
There was a problem hiding this comment.
What's preventing contracts from using the already existing names?
|
|
||
| [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 19, Name = "bls12_g1add")] | ||
| public static InteropInterface Bls12G1Add(InteropInterface x, InteropInterface y) | ||
| => Bls12381Add(x, y); |
There was a problem hiding this comment.
Adds Ethereum-compatible aliases
CryptoLib calls won't be compatible with Ethereum anyway, so I don't think this PR can be accepted. It adds an ambiguity to the CryptoLib interface.
There was a problem hiding this comment.
BTW, the same thing (if we really care about specific names which is questionable to me since it's about N3 contracts, they're different from EVM/Solidity contracts anyway) can be provided by devpack without contract modifications (and code/manifest bloat).
Wi1l-B0t
left a comment
Wi1l-B0t
left a comment
There was a problem hiding this comment.
It seems to be just for compatibility.
hi roman @roman-khimov , this is a requested change for neox, i am not sure the detail, but i guess its related to eip standards, you or anna should know it better than me. |
roman-khimov
left a comment
roman-khimov
left a comment
There was a problem hiding this comment.
Aliases are not needed. We need to add compatibility with https://eips.ethereum.org/EIPS/eip-2537 and the only thing that can be incompatible now is bls12381MultiExp. So there is some functional extension we need here rather than aliases.
Yes, the EIP-2537 has been updated several times since Feb 2024, but now it gets finalized. The history can be referred https://github.com/ethereum/EIPs/commits/master/EIPS/eip-2537.md. |
|
@neo-project/ngd-shanghai Need testing. |
| { | ||
| var scalar = ParseScalar(pair[1]); | ||
| if (!scalar.IsZero) | ||
| g1Accumulator += new G1Projective(g1Affine) * scalar; |
There was a problem hiding this comment.
We need to make sure that subgroup check is executed before any multiplication operation. This was fixed in Ethereum through ethereum/EIPs#8456.
Briefly speaking, we need:
- "IsOnCurve" check after G1 point decoding and G2 point decoding, e.g. https://github.com/ethereum/go-ethereum/blob/v1.16.5/core/vm/contracts.go#L1212;
- "IsInSubGroup" check before multiply and pairing computation, e.g. https://github.com/ethereum/go-ethereum/blob/v1.16.5/core/vm/contracts.go#L1005 and https://github.com/ethereum/go-ethereum/blob/v1.16.5/core/vm/contracts.go#L1173.
About the detailed implementation of these checks, please ref https://github.com/Consensys/gnark-crypto/blob/v0.19.0/ecc/bls12-381/g1.go#L193-L218 and https://github.com/Consensys/gnark-crypto/blob/v0.19.0/ecc/bls12-381/g2.go#L200-L223.
| /// <param name="pairs">Array of [point, scalar] pairs.</param> | ||
| /// <returns>The accumulated point.</returns> | ||
| [ContractMethod(Hardfork.HF_Faun, CpuFee = 1 << 23)] | ||
| public static InteropInterface Bls12381MultiExp(Array pairs) |
There was a problem hiding this comment.
Maybe we need to check the length, a max is required or it could deny the service with 1024 pairs
There was a problem hiding this comment.
Cpu should be paid in each iteration
|
the right way to execute a test by filters is |
|
failed_tests_20251107_120156.log |
superboyiii
left a comment
superboyiii
left a comment
There was a problem hiding this comment.
My fault. My go test code has a little bug and it's fixed. Now I tried several test cases, all passed.
Can you show your testcases. Manual testing is not enough and testcase scripts also need to be added. |
Jim8y
added
Port-to-3.x
|
Agree with @Wi1l-B0t , the testcases should be added |
| /// <param name="pairs">Array of [point, scalar] pairs.</param> | ||
| /// <returns>The accumulated point.</returns> | ||
| [ContractMethod(Hardfork.HF_Faun, CpuFee = 1 << 23)] | ||
| public static InteropInterface Bls12381MultiExp(Array pairs) |
There was a problem hiding this comment.
Cpu should be paid in each iteration
I made a repo for my test tools: BLS12-381-TEST. It's including a go tool. It randomly picks G1 or G2 points and scalars and get |
| { | ||
| var scalar = ParseScalar(pair[1]); | ||
| if (!scalar.IsZero) | ||
| g1Accumulator += new G1Projective(g1Affine) * scalar; |
There was a problem hiding this comment.
Similar to what I've mentioned in #4185 (comment), MultiExp() is also a choice here, ref https://github.com/ethereum/go-ethereum/blob/v1.16.7/core/vm/contracts.go#L1015. Only for performance.
|
Tested. g1add, g1mul, g2add, g2mul and pairing all work well. |
Can you show your testcases and testdata ? |
Again: https://github.com/superboyiii/BLS12-381-TEST# |
|
Can this test be added as UT? |
| G1Projective g => new(g), | ||
| _ => throw new ArgumentException("BLS12-381 type mismatch") | ||
| }; | ||
| EnsureG1PointValid(in g1a); |
There was a problem hiding this comment.
This change (along with the change a couple of lines below) needs a mainnet states compatibility check from @superboyiii because it changes the existing CryptoLib API.
There was a problem hiding this comment.
It probably needs a hardfork guard in this case.
| } | ||
|
|
||
| [ContractMethod(Hardfork.HF_Faun, CpuFee = 1 << 21, Name = "bls12_g1mul")] | ||
| public static byte[] Bls12G1Mul(byte[] input) |
There was a problem hiding this comment.
So far, we had bls12381Add, bls12381Mul and etc. in CryptoLib manifest. And right now we add bls12_g1add, bls12_g1mul and etc., so it's not clear from a side user PoW that these methods work with Eth-compatible serialization format. So at least the naming must be improved and unified.
The bigger question is compatibility with existing CryptoLib interface. Why can't we introduce deserialisation/serialization APIs that will deserialize/serialize from/to Eth-compatible format? This allow to remove these duplicating bls12_g1add, bls12_g1mul and etc. which makes CryptoLib's API cleaner.
This problem is similar to https://github.com/neo-project/neo/pull/4185/files/546a6d07afa3a7171891b1f761f5bb26e63528ab#r2526423615.
There was a problem hiding this comment.
I agree with @AnnaShaleva, it will be easier and clearer. But we should have a clear comment on what format each method accepts
|
We need add check for G2 like this, when infinity, return Identity. But seems need a hardfork for safe. |
|
We need change remote branch to |
|
Any progress? |
Co-authored-by: Owen <[email protected]>
Co-authored-by: Owen <[email protected]>
This is requested and needed by NeoX.
Description
Adds Ethereum-compatible aliases for the BLS12-381 native contract methods (
bls12_*) whileretaining the existing
bls12381*surface. This keeps Neo and EVM tooling interoperable withoutschema changes. Updated tests cover both naming schemes, and the expected genesis manifest now
includes the new ABI entries.
Fixes # (issue)
Type of change
How Has This Been Tested?
dotnet test tests/Neo.UnitTests/Neo.UnitTests.csproj --filter CryptoLibTest Configuration:
Checklist: