-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
On-chain BLS signature verification #31
Comments
Ethereum has pre-compiled (re: cheaper) contracts for addition, scalar multiplication, and a pairing check on BLS can run on what we will henceforth call |
The Dfinity Barreto-Naerig and BLS library appear to support the necessary curve. We'll have to make sure we use |
Now, here's where it get tricky. It appears that verifying BLS "multisig" (note: in traditional cryptography multisig means n-of-n) and threshold signatures (t-of-n) require two pairings checks, and aggregate signatures verification requires We need to confirm that understanding. If the threshold verification only requires two, happy day- we can make this work on Ethereum. Even better if we can get it down to one- I've seen references to BLS implementations where Signature aggregation requiring If that is the case, anywhere where we need significant signature aggregation will instead need to use a challenge-based mechanism, or some other trick like a verified circuit that has "cached" the aggregated signature verification off-chain, speeding up the on-chain verification step. |
On the gas cost of the pairing check -> https://github.com/ethereum/go-ethereum/blob/5bbd7fb390a539a7183bccc5f2b75b4e564ed398/core/vm/contracts.go#L348 |
So after some spelunking, I don't think this necessarily means what we think it means… And indeed I don't think what the EIP implements matches what the Go BLS lib exposes for use with First off, if we look at where the Also worth noting, if we use the 256-bit config, we only support this curve setting: https://github.com/keep-network/bn/blob/master/mcl/include/mcl/bn.h#L80-L89 And, this is not the default build setting: https://github.com/keep-network/bn/blob/181e0679edcd42c847bda59a5e2016174f942696/bls/Makefile#L8-L11 Additionally, the fact that there is a
The curve identifiers used in BN seem to be from this IETF document on BN curves. However, herumi's older library ate-pairing specifically distinguishes between Net-net… I think we're going to have to do some work if we want to use the same curve supported in the EIP, and we'll need to figure out if we're comfortable with it. |
I got a little optimistic that The big question is whether |
Right, I'm talking about the actual Ethereum curve though. Checking to see which that matches. |
The above links are to the |
Ohh the links in the code formatting are fancy! Also I need coffee. |
|
Also worth checking if the threshold sig works (by plugging it into the guard tower stuff)? The other Bn curve didn't seem to. |
My confusion there is basically… The pairing construction should be the same irrespective of curve parameters, no? Or are those two entangled somehow? Or are we saying the bn pairings aren't type 3 constructions for any curve? |
I'm not sure whether |
@mhluongo @ngrinkevich This is no longer research work - we have a part of it implemented and now we are integrating the rest of the code on-chain, correct? |
Moving it to Feb '19 board. Please correct me if I am mistaken about the scope of this issue and the outstanding work. |
We will need to adjust off-chain protocol to produce public key as G2. Also, we'll need to update key marshalling logic to output full compressed G2 point. |
Moving to Sprint 1 (Feb 11th-Feb15th) |
Add 'try catch' statements to writing disk commands
We need to be able to verify single and threshold signatures on-chain. Aggregated signature verification would also be great, though it appears to be too expensive for practical use without new precompiled contracts.
Getting this to done, I'd like to see
Once we're there, the BLS verification implementation can be pulled out into its own lib.
The text was updated successfully, but these errors were encountered: