diff --git a/FIPS/fip-0105.md b/FIPS/fip-0105.md new file mode 100644 index 000000000..5ed5a12da --- /dev/null +++ b/FIPS/fip-0105.md @@ -0,0 +1,167 @@ +--- +fip: "0105" +title: BLS12-381 Precompiles for FEVM (EIP-2537) +author: "Aarav Mehta (@aaravm), Michael Seiler (@snissn)" +discussions-to: https://github.com/filecoin-project/FIPs/discussions/1135 +status: Draft +type: Technical +category: Core +created: 2025-04-11 +--- + +# FIP-0105: BLS12-381 Precompiles for FEVM (EIP-2537) + +## Simple Summary +This proposal introduces precompiles in the FEVM for efficient cryptographic operations on the BLS12-381 elliptic curve, as defined in EIP-2537. These enable fast BLS signature verification and aggregation, improve Ethereum compatibility, and unlock advanced cryptographic use cases on Filecoin. + +## Abstract +This FIP proposes the addition of precompiled functions in the FEVM to support BLS12-381 curve operations, matching the functionality defined in [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537). These precompiles enable point addition, multi-scalar multiplication (MSM), field-to-curve mapping, and pairing checks, facilitating secure and performant BLS signature schemes. This enhancement increases the cryptographic capabilities of FEVM and aligns with Ethereum ecosystem standards. + +## Change Motivation +BLS12-381 precompiles are essential for supporting cryptographic primitives that require high security (≥120-bit) and efficient signature aggregation. These operations are fundamental to threshold signatures, decentralized identities, zk-rollups, and consensus mechanisms. Currently, the FEVM lacks native support for BLS12-381 operations, creating a performance and compatibility gap with Ethereum-based applications and protocols that rely on this curve. This FIP bridges that gap, bringing parity with Ethereum and enabling new cryptographic use cases on Filecoin. + +## Specification +This FIP proposes the addition of precompiled contracts to support elliptic curve operations over BLS12-381, fully aligned with the functionality and encoding rules defined in EIP-2537. The included precompiles enable essential cryptographic primitives—such as point addition, multi-scalar multiplication, field-to-curve mapping, and pairing checks—using the BLS12-381 curve. + +The following precompile addresses are proposed: + +| Operation | Address | Description | +|---------------------------|---------|-------------------------------------------------| +| `BLS12_G1ADD` | `0x0b` | Adds two G1 points (128-byte input, 64-byte each) | +| `BLS12_G1MSM` | `0x0c` | Multi-scalar multiplication over G1 | +| `BLS12_G2ADD` | `0x0d` | Adds two G2 points | +| `BLS12_G2MSM` | `0x0e` | Multi-scalar multiplication over G2 | +| `BLS12_PAIRING_CHECK` | `0x0f` | Performs a pairing check over (G1, G2) pairs | +| `BLS12_MAP_FP_TO_G1` | `0x10` | Maps an Fp element to a point in G1 | +| `BLS12_MAP_FP2_TO_G2` | `0x11` | Maps an Fp2 element to a point in G2 | + +Each operation uses the same ABI and data layout as described in EIP-2537, including: +- **Big-endian byte encoding** of points, scalars, and field elements. +- **Subgroup checks** where required (e.g. for MSMs and pairings). +- **Canonical encoding and validation rules** for input field elements. +- **Deterministic failure modes** on malformed input (e.g. invalid length, non-curve points). + +The implementation ensures full compatibility with Ethereum tooling and semantics, enabling cross-chain cryptographic applications and reuse of existing test vectors and infrastructure. + +## Design Rationale +This proposal adopts Ethereum’s EIP-2537 to ensure compatibility with existing tooling and cross-chain applications. By aligning with Ethereum’s design and ABI, developers can reuse BLS-based libraries and workflows without modification. + +The inclusion of MSM and field-to-curve mapping operations as precompiles supports important cryptographic use cases such as BLS signature aggregation, zero-knowledge proof systems, L2 subnet consensus, aggregate proofs, and decentralized identity protocols. Exposing these operations as precompiled contracts ensures correctness, consistent validation behavior, and alignment with protocol-layer cryptographic expectations. + +## Backwards Compatibility +This FIP introduces new precompile addresses and does not affect existing contract behavior. Contracts not using these addresses remain unaffected. The precompiles are fully opt-in and backwards-compatible. + +## Test Cases +A comprehensive test suite accompanies this proposal to ensure the correctness, safety, and conformance of the BLS12-381 precompiles with [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537). Tests are divided into success, failure, and edge-case categories, each validating specific behaviors under both standard and adversarial inputs. + +### **Success Case Coverage** + +These verify correctness and adherence to cryptographic properties: + +#### **G1ADD / G2ADD** +- Point addition with valid G1/G2 inputs +- Addition with identity point (0) +- Doubling (`P + P`) +- Subtraction (`P + (-P)` → 0) +- Commutativity checks + +#### **G1MSM / G2MSM** +- Weighted sums with valid `(point, scalar)` pairs +- Scalars: `0`, `1`, and random values +- Mix of valid points, including points at infinity +- Multiple pairs and varying lengths + +#### **MAP_FP_TO_G1 / MAP_FP2_TO_G2** +- Mapping various valid field elements (from clean byte strings) +- Verifies resulting points lie on curve and in correct subgroup + +#### **PAIRING** +- Pairing identity: `e(0, 0) = 1`, `e(P, Q) * e(P, -Q) = 1` +- Bilinearity: `e(aP, bQ) = e(P, Q)^{ab}` +- Zero contributions: `e(P, 0) = e(0, Q) = 1` +- Multi-pair checks validating associativity and multiplicative accumulation +- Mix of G1 and G2 in normal and negated forms + +### **Failure Case Coverage** + +These verify rejection of malformed, incomplete, or semantically invalid inputs: + +#### **General Input Errors (All Opcodes)** +- Empty input +- Short input +- Extra bytes (long input) +- Invalid top bytes +- Field elements with illegal encodings +- Invalid curve points +- Point not in correct subgroup +- Mismatched input sizes (e.g., unaligned MSM pairs) + +### **Edge Case Behaviors (Covered across modules)** +- Point at infinity as operand in MSM or pairing +- Scalar = 0 in MSM (yields zero contribution) +- Double vs. add equivalence in G1ADD/G2ADD +- Mixed representations and ordering (commutative symmetry) +- Subgroup validation logic invoked only *after* full field element validation + +This comprehensive suite ensures correct implementation of the BLS12-381 arithmetic under realistic usage and malicious input conditions, supporting conformance with EIP-2537. + +### Solidity-Based Tests (Planned) + +While Rust-based unit tests validate core functionality, Solidity-based integration tests are planned to ensure end-to-end compatibility within the FEVM execution environment. + +## Security Considerations + +This FIP introduces a set of precompiled contracts to perform cryptographic operations over the BLS12-381 elliptic curve, consistent with Ethereum’s [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537). These include G1/G2 addition, multi-scalar multiplication (MSM), mapping from field elements to curve points, and bilinear pairing checks. The implementation uses the audited `blst` library (Supranational) for cryptographic primitives and mirrors the design and operational constraints of the Ethereum specification. + +### Surface and Context + +The BLS precompiles expose powerful cryptographic primitives used in aggregate signature verification, threshold cryptography, and zero-knowledge systems. As such, correctness and safety are critical. These operations act on untrusted input and therefore must defend against malformed data, invalid encoding, and subgroup-related attacks. + +### Threat Model and Risks + +The following threat vectors and risk areas are addressed: + +#### 1. **Curve Membership and Subgroup Checks** +- Operations involving scalar multiplication and pairings **must** perform subgroup checks to prevent cofactor-related attacks and ensure that only points in the prime-order subgroups are used. +- Our implementation adheres to the subgroup-check requirements laid out in EIP-2537, applying them **after** curve membership and field validity checks to ensure consistency and avoid leaking information about malformed inputs. + +#### 2. **Input Validation** +- All precompiles validate the length and structure of input bytes prior to deserialization. +- Inputs failing length checks, field modulus checks, or invalid encoding formats are rejected early with clear failure paths. +- Particular care is taken in mapping precompiles to avoid processing non-canonical field elements or incorrect byte representations. + +#### 3. **Point at Infinity Handling** +- All operations explicitly handle identity elements and correctly return zero points where expected (e.g., scalar multiplication by zero, or adding a point to its negation). +- Pairings involving points at infinity are treated as identity elements but still undergo validation to ensure that no malformed input is accepted. + +#### 4. **Error Handling and Deterministic Fails** +- The implementation provides deterministic and transparent error behavior for all malformed inputs. +- Inputs that are malformed in ways that could lead to unpredictable behavior (e.g., truncated input, invalid field elements) result in failure with no side effects. + +#### 5. **Compatibility and Cross-Chain Consistency** +- Matching Ethereum’s EIP-2537 ensures consistency for cross-chain cryptographic applications and tooling. +- Test vectors and behaviors are aligned with Ethereum’s reference implementation to support shared ecosystem tooling and audits. + +### Implementation Safeguards + +- The implementation includes extensive unit tests covering edge cases, invalid inputs, and critical functional properties (e.g., bilinearity of pairing, subgroup correctness). +- All tests are built against known-good vectors and checked for conformance against Ethereum-compatible expectations. +- The use of precompiles restricts these operations to controlled execution contexts, reducing the attack surface compared to userland implementations. + +## Incentive Considerations +Enabling efficient BLS operations enhances support for use cases like decentralized storage verification, threshold signing, and zk-rollup integration. These use cases directly improve Filecoin’s reliability, performance, and application ecosystem. While no direct protocol incentive changes are introduced, better cryptographic primitives contribute to Filecoin’s long-term network utility. + +## Product Considerations +BLS precompiles improve developer experience by enabling advanced applications (e.g., zk-proof aggregation, BLS-based voting, and signature-based storage proofs). This upgrade positions Filecoin as a capable and attractive platform for cryptographically advanced dApps and aligns with emerging Ethereum tooling standards. + +## Implementation +Reference implementation will be integrated into the `builtin-actors` FEVM runtime. A pull request with a working precompile set and test coverage can be viewed [here](https://github.com/filecoin-project/builtin-actors/pull/1669). + +## TODO +- Implement Solidity-level integration tests in FEVM test suite. + +## Copyright +Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). + + + diff --git a/README.md b/README.md index a932bd902..6bc98cae8 100644 --- a/README.md +++ b/README.md @@ -139,4 +139,5 @@ This improvement protocol helps achieve that objective for all members of the Fi | [0101](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0101.md) | Removal of the ProveCommitAggregate method from the miner actor | FIP | Rod Vagg (@rvagg) | Accepted | | [0102](./FRCs/frc-0102.md) | Wallet-Signing Envelope for Arbitrary Messages | FRC | "Hugo Dias (@hugomrdias), Bumblefudge (@bumblefudge)" | Draft | | [0103](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0103.md) | Removal of the ExtendSectorExpiration method from the miner actor | FIP | Rod Vagg (@rvagg) | Draft | +| [0105](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0105.md) | Add Support for EIP-2537 (BLS12-381 Precompiles) in the FEVM | FIP | Aarav Mehta (@aaravm), Michael Seiler (@snissn) | Draft | | [0106](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0106.md) | Removal of the ProveReplicaUpdates method from the miner actor | FIP | Rod Vagg (@rvagg) | Draft |