Paul Miller
We have this curve, and it's called bn254.
Take a look at bls12-381 implementation for Fp2 (G2) impl there. We provide necessary abstractions for extension fields, so it can be done.
As a side note, alt_bn128 was its name when it was thought to have 128-bit security. Now that it was found to be shitty, it became bn254. https://moderncrypto.org/mail-archive/curves/2016/000740.html https://github.com/zcash/zcash/issues/714 https://xn--2-umb.com/22/pairings/
As you've mentioned in the first post: unfortunately, no. We need to press on eth core, because it's really tragic.
Disadvantage: user may erroneously sign 2 txs, producing different non-deterministic nonces, and push those txs, which will leak their private key.
Contributions are welcome.
bn254 pairings have been added.
See "Sign 3 msgs with 3 keys" example in readme. Threshold = aggregated sigs.
We don't provide an out-of-the-box API for it, but it could be simple to implement. Resources for myself and others about m-of-n threshold sigs on BLS: https://www.jcraige.com/threshold-bls-signatures https://xn--2-umb.com/22/bls-signatures/
I kinda agree, but we're stuck with the current type for a long time, until next major version. Which will probably need re-audit, etc. Updating docs seems like a nice...