
Support for bn254 G2

Open matthiasgeihs opened this issue 2 years ago • 12 comments

With support for bls12-381 being stagnant (EIP-2537), to the best of my knowledge, using curve alt_bn128 is currently the only way to have efficient pairings on Ethereum (EIP-197). Any plans to integrate this curve with noble-curves?

For my use case, I would only need the group operations to be included in the library, not the pairing, basically asking for a similar thing as https://github.com/indutny/elliptic/issues/154. The goal is to be able to write a JavaScript / TypeScript interface that can generate the inputs to the smart contract that then computes the pairing for verification.

matthiasgeihs avatar Aug 04 '23 11:08 matthiasgeihs

We have this curve, and it's called bn254.

paulmillr avatar Aug 04 '23 13:08 paulmillr

@paulmillr Turns out I might actually need to compute in G_2 of alt_bn128/bn254 as well. Any suggestions on how to go about this? (Background: Planning to implement Catalano-Fiore Vector Commitments.)

matthiasgeihs avatar Aug 07 '23 06:08 matthiasgeihs

Take a look at bls12-381 implementation for Fp2 (G2) impl there.

We provide necessary abstractions for extension fields, so it can be done.

paulmillr avatar Aug 07 '23 08:08 paulmillr
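
What the hint above amounts to, as an added example (not noble-curves code and not from anyone in this thread): build Fp2 over the bn254 prime as Fp[u]/(u^2 + 1) and run affine group arithmetic on the G2 twist E': y^2 = x^3 + 3/(9 + u) with plain BigInt. The generator coordinates are the EIP-197 values; the [r]G = O check confirms the point has the expected order r.

```javascript
// Added example (not noble-curves code): affine G2 arithmetic for bn254 built from
// Fp2 = Fp[u]/(u^2 + 1) with plain BigInt, on the twist E': y^2 = x^3 + 3/(9 + u).
const P = 21888242871839275222246405745257275088696311157297823662689037894645226208583n; // base field prime
const R = 21888242871839275222246405745257275088548364400416034343698204186575808495617n; // G1/G2 group order
const mod = (a) => ((a % P) + P) % P;
// Fp inverse via Fermat: a^(p-2) mod p
function fpInv(a) { let r = 1n, b = mod(a), e = P - 2n; while (e > 0n) { if (e & 1n) r = r * b % P; b = b * b % P; e >>= 1n; } return r; }
// Fp2 elements are [c0, c1] meaning c0 + c1*u with u^2 = -1
const add2 = (a, b) => [mod(a[0] + b[0]), mod(a[1] + b[1])];
const sub2 = (a, b) => [mod(a[0] - b[0]), mod(a[1] - b[1])];
const mul2 = (a, b) => [mod(a[0] * b[0] - a[1] * b[1]), mod(a[0] * b[1] + a[1] * b[0])];
const inv2 = (a) => { const t = fpInv(a[0] * a[0] + a[1] * a[1]); return [mod(a[0] * t), mod(-a[1] * t)]; }; // conjugate / norm
const eq2 = (a, b) => a[0] === b[0] && a[1] === b[1];
const B2 = mul2([3n, 0n], inv2([9n, 1n])); // twist coefficient b' = 3 / (9 + u)
// Points are {x, y} in affine coordinates; null is the point at infinity
function isOnTwist(p) { return p === null || eq2(mul2(p.y, p.y), add2(mul2(mul2(p.x, p.x), p.x), B2)); }
function g2Neg(p) { return p === null ? null : { x: p.x, y: sub2([0n, 0n], p.y) }; }
function g2Add(p, q) {
  if (p === null) return q;
  if (q === null) return p;
  let lambda;
  if (eq2(p.x, q.x)) {
    if (!eq2(p.y, q.y) || eq2(p.y, [0n, 0n])) return null; // P + (-P) = O
    lambda = mul2(mul2([3n, 0n], mul2(p.x, p.x)), inv2(mul2([2n, 0n], p.y))); // tangent: 3x^2 / 2y
  } else {
    lambda = mul2(sub2(q.y, p.y), inv2(sub2(q.x, p.x))); // chord: (y2 - y1) / (x2 - x1)
  }
  const x = sub2(sub2(mul2(lambda, lambda), p.x), q.x);
  return { x, y: sub2(mul2(lambda, sub2(p.x, x)), p.y) };
}
function g2Mul(p, k) { // double-and-add, right to left
  let acc = null, base = p;
  for (; k > 0n; k >>= 1n) { if (k & 1n) acc = g2Add(acc, base); base = g2Add(base, base); }
  return acc;
}
// EIP-197 G2 generator, written here as c0 + c1*u
const G2_GEN = {
  x: [10857046999023057135944570762232829481370756359578518086990519993285655852781n,
      11559732032986387107991004021392285783925812861821192530917403151452391805634n],
  y: [8495653923123431417604973247489272438418190587263600148770280649306958101930n,
      4082367875863433681332203403145435568316851327593401208105741076214120093531n],
};
// Sanity: generator lies on the twist and has order r, so [r]G2 = O
console.log(isOnTwist(G2_GEN), g2Mul(G2_GEN, R) === null); // true true
```

Serialising the resulting [x, y] pairs in the coefficient order the precompile expects (c1 before c0, per EIP-197) is what the contract-input side of the use case boils down to.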

Thanks for the hint. Looks like a bit of work (and proper understanding) is required to do that right. Not sure if I can dedicate the necessary time currently, but will keep it in the back of my head. (Might otherwise resort to using a Rust library and compiling Rust to WASM.)

matthiasgeihs avatar Aug 07 '23 13:08 matthiasgeihs

As a side note, alt_bn128 was its name when it was thought of as having 128-bit security. Now that it was found to be shitty, it became bn254.

https://moderncrypto.org/mail-archive/curves/2016/000740.html
https://github.com/zcash/zcash/issues/714
https://xn--2-umb.com/22/pairings/

paulmillr avatar Aug 07 '23 16:08 paulmillr

I know about the issue. But are there any better alternatives on Ethereum as long as bls12-381 is not supported natively? (see EIP-2537 discussion thread)

matthiasgeihs avatar Aug 07 '23 16:08 matthiasgeihs

As you've mentioned in the first post: unfortunately, no. We need to press on eth core, because it's really tragic.

paulmillr avatar Aug 07 '23 16:08 paulmillr

The goal is to be able to write a JavaScript / TypeScript interface that can generate the inputs to the smart contract that then computes the pairing for verification.

Hey @matthiasgeihs, wondering if you managed to do this? Or what did you end up using?

fedealconada avatar Feb 08 '24 10:02 fedealconada

@fedealconada I've been resorting to existing libraries such as ffjavascript.

matthiasgeihs avatar Feb 12 '24 15:02 matthiasgeihs

I would also like this feature!

lucadonnoh avatar Apr 13 '24 21:04 lucadonnoh

I would also love to have bn254 pairings and g2. Are you planning to add this to the repository?

rishabh-vasudevan19 avatar Apr 29 '24 13:04 rishabh-vasudevan19

Contributions are welcome.

paulmillr avatar Apr 29 '24 14:04 paulmillr

bn254 pairings have been added.

paulmillr avatar Aug 03 '24 16:08 paulmillr