Skip to content

Add Ethereum-compatible aliases for BLS12-381 #4186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 25 commits into
base: dev
Choose a base branch
from
+1,710 −4
Open

Add Ethereum-compatible aliases for BLS12-381 #4186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
1a443fe
Add Ethereum-compatible aliases for BLS12-381
Jim8y Sep 22, 2025
67b0fbb
Format codebase
Jim8y Sep 22, 2025
7f3fe50
Merge branch 'dev' into feature/bls12-eth-aliases
ajara87 Sep 25, 2025
dc9b374
Merge branch 'dev' into feature/bls12-eth-aliases
Jim8y Oct 14, 2025
1f82a9b
Implement BLS12-381 multi exponentiation
Jim8y Oct 17, 2025
be21a84
Merge branch 'dev' into feature/bls12-eth-aliases
shargon Oct 18, 2025
3f69ba9
Merge branch 'dev' into feature/bls12-eth-aliases
shargon Oct 20, 2025
9607bd7
Update src/Neo/SmartContract/Native/CryptoLib.BLS12_381.cs
shargon Oct 20, 2025
b6fb04b
Merge branch 'dev' into feature/bls12-eth-aliases
Jim8y Oct 23, 2025
5f4dbe5
Harden BLS12-381 multi exponentiation
Jim8y Oct 23, 2025
2e8378c
Merge branch 'dev' into feature/bls12-eth-aliases
cschuchardt88 Oct 23, 2025
434c62e
Merge branch 'dev' into feature/bls12-eth-aliases
shargon Oct 23, 2025
dc23a56
Add subgroup validation tests for BLS multi exp
Jim8y Nov 4, 2025
bcabd4e
Merge origin/dev into feature/bls12-eth-aliases
Jim8y Nov 4, 2025
5b40385
Fix BLS12-381 multiexp endianness and add Ethereum tests
Jim8y Nov 6, 2025
15cb14b
Document bls12381MultiExp scalar encoding
Jim8y Nov 6, 2025
a39ed8e
Revert "Document bls12381MultiExp scalar encoding"
Jim8y Nov 6, 2025
7fa60b7
Validate pairing inputs for BLS12-381
Jim8y Nov 6, 2025
a49a6b7
Merge branch 'dev' into feature/bls12-eth-aliases
Jim8y Nov 8, 2025
7d468ce
Add EVM-compatible BLS12 alias entrypoints
Jim8y Nov 10, 2025
df66f45
Add EIP-2537 serialize helpers and boundary tests
Jim8y Nov 20, 2025
93713e8
Add edge-case coverage for eth BLS serialize/deserialize
Jim8y Nov 20, 2025
8dedeed
Tweak assertion message
Jim8y Nov 20, 2025
f2c75e6
Update tests/Neo.UnitTests/SmartContract/Native/UT_CryptoLib.cs
shargon Nov 27, 2025
421bc93
Update tests/Neo.UnitTests/SmartContract/Native/UT_CryptoLib.cs
shargon Nov 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions docs/native-contracts-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,18 @@ When calling a native contract method by transaction script, there are several t
| bls12381Deserialize | Deserialize a bls12381 point. | Byte[](*data*) | InteropInterface | 1<<19 | 0 | -- | -- |
| bls12381Equal | Determines whether the specified points are equal. | InteropInterface(*x*), InteropInterface(*y*) | Boolean | 1<<5 | 0 | -- | -- |
| bls12381Add | Add operation of two points. | InteropInterface(*x*), InteropInterface(*y*) | InteropInterface | 1<<19 | 0 | -- | -- |
| bls12_g1add | Ethereum-style G1 addition using uncompressed big-endian coordinates (x|y, 64-byte limbs). Input is two concatenated 128-byte encodings; output is the same encoding. | Byte[](*input*) | Byte[] | 1<<19 | 0 | -- | HF_Faun |
| bls12_g2add | Ethereum-style G2 addition using uncompressed big-endian coordinates (x0|x1|y0|y1, 64-byte limbs). Input is two concatenated 256-byte encodings; output is the same encoding. | Byte[](*input*) | Byte[] | 1<<19 | 0 | -- | HF_Faun |
| bls12381Mul | Mul operation of gt point and multiplier | InteropInterface(*x*), Byte[](*mul*), Boolean(*neg*) | InteropInterface | 1<<21 | 0 | -- | -- |
| bls12_g1mul | Ethereum-style G1 scalar multiplication using uncompressed big-endian coordinates and big-endian scalar. Input is 128-byte point + 32-byte scalar; output is the same encoding. | Byte[](*input*) | Byte[] | 1<<21 | 0 | -- | HF_Faun |
| bls12_g2mul | Ethereum-style G2 scalar multiplication using uncompressed big-endian coordinates and big-endian scalar. Input is 256-byte point + 32-byte scalar; output is the same encoding. | Byte[](*input*) | Byte[] | 1<<21 | 0 | -- | HF_Faun |
| bls12_g1multiexp | Ethereum-style G1 MSM using uncompressed big-endian point encodings and big-endian scalars. Input is k concatenated (128-byte point | 32-byte scalar) pairs; output is the same encoding. | Byte[](*input*) | Byte[] | 1<<23 | 0 | -- | HF_Faun |
| bls12_g2multiexp | Ethereum-style G2 MSM using uncompressed big-endian point encodings and big-endian scalars. Input is k concatenated (256-byte point | 32-byte scalar) pairs; output is the same encoding. | Byte[](*input*) | Byte[] | 1<<23 | 0 | -- | HF_Faun |
| bls12381MultiExp | Multi exponentiation operation for bls12381 points. | Array(*pairs*) | InteropInterface | 1<<23 | 0 | -- | HF_Faun |
| bls12381Pairing | Pairing operation of g1 and g2 | InteropInterface(*g1*), InteropInterface(*g2*) | InteropInterface | 1<<23 | 0 | -- | -- |
| bls12_pairing | Ethereum-style pairing check (EIP-2537): accepts k concatenated pairs of uncompressed G1/G2 encodings and returns 32-byte result (LSB set for success). | Byte[](*input*) | Byte[] | 1<<23 | 0 | -- | HF_Faun |
| bls12_deserialize | Deserialize a G1/G2 point using Ethereum uncompressed big-endian encoding. | Byte[](*data*) | InteropInterface | 1<<19 | 0 | -- | HF_Faun |
| bls12_serialize | Serialize a G1/G2 point using Ethereum uncompressed big-endian encoding. | InteropInterface(*g*) | Byte[] | 1<<19 | 0 | -- | HF_Faun |
| recoverSecp256K1 | Recovers the public key from a secp256k1 signature in a single byte array format. | Byte[](*messageHash*), Byte[](*signature*) | Byte[] | 1<<15 | 0 | -- | HF_Echidna |
| ripemd160 | Computes the hash value for the specified byte array using the ripemd160 algorithm. | Byte[](*data*) | Byte[] | 1<<15 | 0 | -- | -- |
| sha256 | Computes the hash value for the specified byte array using the sha256 algorithm. | Byte[](*data*) | Byte[] | 1<<15 | 0 | -- | -- |
Expand All @@ -88,6 +98,8 @@ When calling a native contract method by transaction script, there are several t
| verifyWithECDsa | -- | Byte[](*message*), Byte[](*pubkey*), Byte[](*signature*), NamedCurveHash(*curve*) | Boolean | 1<<15 | 0 | -- | Deprecated in HF_Cockatrice |
| verifyWithEd25519 | Verifies that a digital signature is appropriate for the provided key and message using the Ed25519 algorithm. | Byte[](*message*), Byte[](*pubkey*), Byte[](*signature*) | Boolean | 1<<15 | 0 | -- | HF_Echidna |

**Note:** Methods prefixed with `bls12_` follow the EIP-2537 (Ethereum) uncompressed encoding: G1 inputs are `x || y` (128 bytes), G2 inputs are `x0 || x1 || y0 || y1` (256 bytes), scalars are 32-byte big-endian, and the identity is encoded as all-zero bytes. The existing `bls12381*` methods keep Neo's compressed encoding.


## LedgerContract

Expand Down
8 changes: 8 additions & 0 deletions src/Neo.Cryptography.BLS12_381/G2Affine.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,14 @@ private static G2Affine FromBytes(ReadOnlySpan<byte> bytes, bool compressed, boo

if (compressed)
{
if (infinity_flag_set)
{
// Infinity encoding: compression flag set, sort flag unset, x == 0.
if (!compression_flag_set || sort_flag_set || !x.IsZero)
throw new FormatException();
return Identity;
}

// Recover a y-coordinate given x by y = sqrt(x^3 + 4)
var y = ((x.Square() * x) + B).Sqrt();
y = ConditionalSelect(in y, -y, y.LexicographicallyLargest() ^ sort_flag_set);
Expand Down
Loading