Points at infinity.

[mratsim]

For milagro-crypto the points at infinity over FP and FP2 are:

https://github.com/status-im/nim-milagro-crypto/blob/290f927865f9e575920dca5f415c58b554dbe92e/src/milagro_crypto/generated/ecp_BLS381.c#L165-L178

https://github.com/status-im/nim-milagro-crypto/blob/290f927865f9e575920dca5f415c58b554dbe92e/src/milagro_crypto/generated/ecp2_BLS381.c#L41-L49

So for FP:

• Edwards curve: infinite at (0, 1, 1)
• Montgomery curve: infinite at (0, 0, 0)
• Weierstrass curve: infinite at (0, 1, 0)

and FP2: infinite at (0, 1, 0)

The research implementation of BLS uses Z1 and Z2 infinites defined in Py-Ecc: https://github.com/ethereum/py_ecc/blob/master/py_ecc/optimized_bn128/optimized_curve.py#L39-L42

# Point at infinity over FQ
Z1 = (FQ.one(), FQ.one(), FQ.zero())
# Point at infinity for twisted curve over FQ2
Z2 = (FQ2.one(), FQ2.one(), FQ2.zero())

https://github.com/ethereum/beacon_chain/blob/eea52999a578fbd29751330a6f2bb27e60c67f7f/beacon_chain/utils/bls.py

from py_ecc.optimized_bn128 import (  # NOQA
    G1,
    G2,
    Z1,
    Z2,

...

def aggregate_sigs(sigs):
    o = Z2
    for s in sigs:
        o = add(o, decompress_G2(s))
    return compress_G2(o)

def aggregate_pubs(pubs):
    o = Z1
    for p in pubs:
        o = add(o, decompress_G1(p))
    return compress_G1(o)

So I'm not sure what curve type Py-ECC is using.

Furthermore BN128 is different from BLS12-381, at best it's a naming problem, otherwise we can't use the proof of concept test_bls as reference

[mratsim]

Issue solved, basically the beacon chain is mocking BLS12-381 use with BN128 which was already implemented in Python as it is needed for a precompile.

See Sharding call #0 on Vitalik's answers: https://notes.ethereum.org/s/r1wW6TZrQ#BLS-Signatures