jaeaster
commented
1 year ago From @nikkolasg
So I've learned there is no precompile for G2 operations (except pairing) - only one that exists is in pure Solidity https://twitter.com/musalbas/status/959067013640372225 and cost 2M gas. --> that means it's not realistically possible to use G2 for encryption --> that means it's not realistically possible to have BLS signature on G1 unless we do the trick of having two public keys for the same network.
Now it's a question of priority. I think we can wait until resharing is done and see where we are in a couple of months, (after the next release of Eth) (a) if BLS12-381 EIP is finally supported, then we can try again encryption on G2 (b) if NOT, then we have to decide either (1) we do the trick of both groups, same share, OR (2) we continue to say it's a trusted relay etc...
We need to determine if our onchain proof and/or signature verification is reasonably gas efficient.
The simplest path at the moment is to use G2 for encryption and DLEQ proof verification, which allows us to do BLS signature verification in G1.
IF the gas costs are "OK" → then move work to do medusa DKG on G2
IF cost is NOT OK → then either
"OK" is roughly defined to be ~100 - 300k gas for: 1) Submitting a ciphertext (DLEQ Proof, paid by users) 2) Submitting a reencryption result (BLS signature verify, paid by nodes (ultimately paid by users))
Another point to consider is that a ciphertext will only ever be submitted once, while it can be reencrypted many times. So, depending on the application, it could be reasonable to have ~500k gas for submitting a ciphertext if submitting a reencryption result is ~100k gas.