ayashunsky
commented
8 months ago BLS12-381 uses 2 groups: G1: with points on an elliptic curve over the field F_p; G2: with points on an elliptic curve over the field field F_p² (implying the sextic twist is used). Thus, curve points are represented as 2 field elements in the first case and 4 field elements in the second.
BLS12-381 signature verification requires the following top-level components:
-
hash_to_point input: message = bls_field_array[n]. Apparently we should take n = ceil((message length in bytes)/47). output: group element (bls_field_array[2] or bls_field_array[4], depending on the group).
-
pairing input: element of G1 (bls_field_element[2]) and element of G2 (bls_field_element[4]) output: bls_field_element[12] NB: it is posible to design an optimized component "pairing_check" with input: first element of G1 (bls_field_element[2]), first element of G2 (bls_field_element[4]) second element of G1 (bls_field_element[2]), second element of G2 (bls_field_element[4]) output: boolean
-
is_in_group input: candidate elliptic curve point (bls_field_array[2] or bls_field_array[4], depending on the group) output: boolean
nkaskov
We need BLS12-381 curve and field arithmetics support in order to build zk-apps with BLS signature.
As a result of this task, all types of BLS signatures (including aggregated ones) have to be efficiently implemented. This might require adding new builtins for BLS pairings.
The list of target signature algorithms is in the comment below.
Depends on: https://github.com/NilFoundation/zkLLVM/issues/288