NEP-488: Precompile for BLS12-381 curve operations #488
Conversation
olga24912
changed the title
frol
added
WG-protocol
|
Thank you @olga24912 for submitting this NEP. As a moderator, I reviewed this NEP and it meets the proposed template guidelines. I am moving this NEP to the REVIEW stage and would like to ask the @near/wg-protocol working group members to assign 2 Technical Reviewers to complete a technical review (see expectations below). Just for clarity, Technical Reviewers play a crucial role in scaling NEAR ecosystem as they provide their in-depth expertise in the niche topic while work group members can stay on guard of the NEAR ecosystem. The discussions may get too deep and it would be inefficient for each WG member to dive into every single comment, so NEAR Developer Governance designed this process that includes subject matter experts helping us to scale by writing a summary with the raised concerns and how they were addressed. Technical Review Guidelines
Technical Summary guidelines:
Here is a nice example and a template for your convenience: Please tag the @near/nep-moderators once you are done, so we can move this NEP to the voting stage. Thanks again. |
frol
added
S-review/needs-wg-to-assign-sme
There was a problem hiding this comment.
The changes LGTM, thank you!
I think the last question that deserves thinking about is, the encoding of error value returns.
This being said, I would already suggest moving forward with the audit and the stakeholder review, taking into account that there could be minor changes remaining considering the exact encoding of return values.
There was a problem hiding this comment.
As a subject matter expert, I recommend the working group to accept this NEP.
Here are some points in the discussion that I wish to highlight:
- Scope of the proposed functionality: unlike the previous BLS NEP (NEP-446: Efficient BLS-signature verificationΒ #446), this NEP introduces an API suitable for different uses, including verification of BLS signatures and zkSNARKs, as well as different variants of BLS signatures and zkSNARKs. This is desirable because different variants may be in use by existing systems, and with this NEP NEAR will be able to interoperate with them without having to introduce separate functions for each of them. One aspect of functionality that led to a disagreement is whether there should be a means to reduce the inputs to the map-to-curve functions modulo
$p$ . Such functionality could be provided either as a part of the aforementioned map-to-curve functions or as a separate function. The point against providing this functionality was that in RFC 9380, which describes hashing to elliptic curves, reduction modulo$p$ is a part of thehash_to_fieldfunction. This function can use multiple different hash functions, so it is not possible to provide all of them in a single host function. Another point is that the input to be reduced modulo$p$ can be of variable length, which complicates the API (especially when multiple inputs need to be provided at once) and also complicates the gas pricing. The point for adding such functionality is that several hash functions are already available as host functions in NEAR, so adding a function to reduce values modulo$p$ would mean that it would be possible to verify BLS signatures without performing any substantial computations in WASM. For the Eth2NEAR bridge, the gas cost of performing the reduction in WASM was found to be acceptable, but this may not be the case for other uses. Anyway, this functionality can be added later (as a separate function). - Detailed API design: during the discussion of this NEP, concerns were raised about the specifics of the proposed API, especially about error handling. The original proposal included terminating the smart contract on invalid inputs, but this was found to complicate certain uses. Instead, the proposal was changed to return an error code in those situations. The current proposal provides for a single error code to be returned for any kind of invalid data, so that the implementation is not constrained in how it checks for errors. Another change that resulted from the discussion was that now some functions operate on multiple values, while in the original proposal they only operated on a single value.
- Last but not least, there were discussions about what information should be included in the specification and what shouldn't, how it should be presented, and also the reviewers pointed out multiple minor errors in the text. While this is less important than the substance, it is important nevertheless.
Also I wish to say thank you to all the reviewers, it's not often that you have to review a NEP this large, and you did it.
|
With approvals from two SMEs, I will work with protocol working group to schedule the working group call for the final approval stage. |
walnut-the-cat
added
S-voting/needs-wg-voting-indication
|
As a working group member, I lean towards approving this NEP. The BLS host function allows us to restore completely trustless bridging from Ethereum to NEAR, which is quite important for the entire NEAR ecosystem. |
|
As the moderator, I would like to thank @abacabadabacaba and @michelabdalla for submitting the technical review. Based on your comments above, it seems like this proposal is ready for the working group members for review. @near/wg-protocol β Can you please fully read this NEP and comment in the thread if you are leaning towards approving or rejecting it? Please make sure to include your rationale and any feedback that you have for the author. Once we get 2/3 voting indications, we will schedule a public call for the author to present the NEP and for the working group members to formalize the voting. |
|
As a working group member, I lean towards approving this NEP for the same reason as @bowenwang1996 |
|
As a working group member, I lean towards approving this NEP. It allows going back to a trustless bridge between NEAR and Ethereum, and provides important primitives to develop ZK technology on top of NEAR. I appreciate the effort from @olga24912 and all SME (@abacabadabacaba @Ekleog-NEAR @michelabdalla), for pushing this NEP to the finish line, it has been a massive effort, and the quality of the whole process was very high. |
|
As the moderator, I would like to thank @olga24912 for submitting this Protocol NEP and for the @near/wg-protocol work group members for your review. Based on the voting indications above, it seems like this proposal is close to a decision. We are therefore scheduling the seventh Work Group Name Working group meeting next week, where this NEP can enter the final voting stage. Anyone can discuss the technical details by adding your comments to this discussion. And join the call to learn about the final decision and how to get more involved. Meeting Info |
ori-near
added
S-voting/final-comment-period
|
As a working group member, I lean towards approving this NEP. |
|
Thank you to everyone who attended the Seventh Protocol Work Group call today! The work group members reviewed NEP-488 and reached the following consensus: Status: Approved π@birchmd:NEP-488: Precompile for BLS12-381 curve operations #488 (comment) Meeting Recording: @olga24912 Thank you for authoring this NEP! Next Steps:
|
ori-near
added
S-approved
neps/nep-0488.md
Outdated
| [^17]: Article about Rainbow Bridge [https://near.org/blog/eth-near-rainbow-bridge](https://near.org/blog/eth-near-rainbow-bridge) | ||
| [^19]: Intro into zkSNARKs: [https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b](https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b) | ||
| [^20]: Zeropool project: [https://zeropool.network/](https://zeropool.network/) | ||
| [^24]: Precompiles on Aurora: [https://doc.aurora.dev/evm/precompiles/](https://doc.aurora.dev/evm/precompiles/) |
There was a problem hiding this comment.
The link seems to have changed to https://doc.aurora.dev/dev-reference/precompiles/
neps/nep-0488.md
Outdated
|
|
||
| For elements from $F_p$ the first three bits will always be $0$, because the first byte of $p$ equals $1$. As a result, | ||
| we can use these bits to encode extra information: the encoding format, the point at infinity, and the points' sign. | ||
| Read more in sections: Uncompressed/compressed points on curve $E(F_p)$/$E'(F_{p^2})$. |
There was a problem hiding this comment.
GitHub doesn't render the latter LaTeX expression $E'(F_{p^2})$ .
|
Hi everyone! I would like to know your opinion about the input for sum/multiexp. I propose to accept any points on the curve as input for sum, and only points from the subgroup for multiexp. Initially, in the NEP, I suggested accepting any points on the curve as input for both sum and multiexp to save gas. However, the implementation is currently under audit, and already the second auditor has expressed doubts about this decision. Recently, I changed the input for sum and multiexp to only points from G1/G2. However, now I think that the optimal solution would be to allow sum to accept any points, while multiexp should only accept points from G1/G2. I will now write my thoughts on this matter:
As a result, it seems reasonable to me to accept points from the subgroup as input for multiexp and to accept any points on the curve for sum. What is your opinion? @abacabadabacaba @Ekleog-NEAR @michelabdalla @adr1anh @akhi3030 |
|
I don't have a deep enough technical understanding to have an opinion unfortunately. |
A pre-compiled NEAR runtime functions for operations on BLS12-381 curve. It is a necessary set to efficiently perform operations such as BLS signature and zkSNARKs verifications.
Related PR: #446
NEP Status (Updated by NEP Moderators)
Status: Approved
Meeting Recording:
https://bit.ly/41V49Ke
SME reviews:
Protocol Work Group voting indications (β | π | π ):