Commit

links
olga24912 committed Jul 17, 2023
1 parent c577f78 commit b5a5cfb
Showing 1 changed file with 12 additions and 11 deletions.
23 changes: 12 additions & 11 deletions neps/nep-0486.md
Expand Up @@ -16,29 +16,30 @@ A pre-compiled NEAR runtime functions for operations on BLS12-381 curve. It is a

## Motivation

The BLS12-381 [[1](https://www.researchgate.net/publication/2894224_Constructing_Elliptic_Curves_with_Prescribed_Embedding_Degrees), [11](https://hackmd.io/@benjaminion/bls12-381), [52](https://eprint.iacr.org/2019/403.pdf)] is a wildly used[2-6, 7] elliptic curve with 120+ bits of security[8] which support **the *pairing* operation*.* It is a good alternative for bn254 elliptic curve[9, 12], which also supports the aggregation, and is currently implemented as NEAR precompiles[10]. Recent research shows that it contains only <100 bits of security[13] and we can see the tendency of switching from bn254 to bls12-381(ZCash[14], Ethereum[15], Tezos[16]).
The BLS12-381 [[1](https://www.researchgate.net/publication/2894224_Constructing_Elliptic_Curves_with_Prescribed_Embedding_Degrees), [11](https://hackmd.io/@benjaminion/bls12-381), [52](https://eprint.iacr.org/2019/403.pdf)] is a wildly
used[[2](https://zips.z.cash/protocol/protocol.pdf),[3](https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md), [4](https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate), [5](https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels), [6](https://spec.filecoin.io/), [7](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-)] elliptic curve with 120+ bits of security[[8](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1)] which support **the *pairing* operation*.* It is a good alternative for bn254 elliptic curve[[9](https://eprint.iacr.org/2005/133), [12](https://hackmd.io/@jpw/bn254)], which also supports the aggregation, and is currently implemented as NEAR precompiles[[10](https://github.com/near/NEPs/issues/98)]. Recent research shows that it contains only <100 bits of security[[13](https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security)] and we can see the tendency of switching from bn254 to bls12-381(ZCash[[14](https://electriccoin.co/blog/new-snark-curve/)], Ethereum[[15](https://eips.ethereum.org/EIPS/eip-2537)], Tezos[[16](https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3)]).

The implementation of BLS12-381 curve operations from this NEP as a precompile will allows effective verify the BLS-signature and zkSNARKs. At the moment, BLS signature verification for BLS12-381 is impossible due to the limitation of the gas in 300 TGas for one transaction.

Effective BLS-signature verification based on BLS12-381 elliptic curve will be useful for c*ross-chain interactions.* Some of the blockchains use the BLS signature in the protocols. If we want to implement the Clients for this blockchain on-chain in Near, we should be able to effectively verify the BLS signature. We can want to have a Client for a specific blockchain on Near for creating a bridge to verify the transaction from another blockchain and use it in Near. Examples of blockchains that use BLS signature based on BLS12-381: Eth2.0[3], Filecoin[6] and Tezos[5]. Especially, it is necessary for Rainbow Bridge[17] to make trustless transfers from Ethereum 2.0 to Near.
Effective BLS-signature verification based on BLS12-381 elliptic curve will be useful for c*ross-chain interactions.* Some of the blockchains use the BLS signature in the protocols. If we want to implement the Clients for this blockchain on-chain in Near, we should be able to effectively verify the BLS signature. We can want to have a Client for a specific blockchain on Near for creating a bridge to verify the transaction from another blockchain and use it in Near. Examples of blockchains that use BLS signature based on BLS12-381: Eth2.0[3], Filecoin[6] and Tezos[5]. Especially, it is necessary for Rainbow Bridge[[17](https://near.org/blog/eth-near-rainbow-bridge)] to make trustless transfers from Ethereum 2.0 to Near.

zkSNARKs is useful for working with users' private information[18-19]. Zeropool[20] is a project who implements zkSNARKs verifier on Near and is currently based on alt-bn128. Implementation of the precompiles for BLS12-381 can make the projects like that more secure. zkSNARKs is also used in Roll Ups[21-23] scaling solutions.
zkSNARKs is useful for working with users' private information[[18](https://eips.ethereum.org/EIPS/eip-196),[19](https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b)]. Zeropool[[20](https://zeropool.network/)] is a project who implements zkSNARKs verifier on Near and is currently based on alt-bn128. Implementation of the precompiles for BLS12-381 can make the projects like that more secure. zkSNARKs is also used in Roll Ups[[21](https://www.youtube.com/watch?v=al4YpfDVmS4&ab_channel=EthereumCatHerders),[22](https://near.org/blog/layer-2),[23](https://www.ledger.com/academy/what-are-blockchain-rollups)] scaling solutions.

This proposal is based on a similar proposal for Ethereum: EIP-2537[15].
This proposal is based on a similar proposal for Ethereum: EIP-2537[[15](https://eips.ethereum.org/EIPS/eip-2537)].

In this NEP we propose to add the following functions as precompile:

- ***bls12381_g1_sum*** — the function which adds the points from G1 on an elliptic curve. This function is useful for the aggregation of private keys in BLS Signature. Can be used for simple addition in G1. Separate from multiexp function due to gas cost. A similar function exists in Near for BN254 curve[10].
- ***bls12381_g1_sum*** — the function which adds the points from G1 on an elliptic curve. This function is useful for the aggregation of private keys in BLS Signature. Can be used for simple addition in G1. Separate from multiexp function due to gas cost. A similar function exists in Near for BN254 curve[[10](https://github.com/near/NEPs/issues/98)].
- ***bls12381_g2_sum*** — the function which adds the points from G2 on an elliptic curve. This function is useful for the aggregation of signatures in BLS Signature. Can be used for simple addition in G2. Separate from multiexp function due to gas cost.
- ***bls12381_g1_multiexp —*** for points $g_i \in G_1$ and scalars $s_i$ calculate $\sum g_i s_i$. Can be used for multiplication on the scalar. Can be useful for zkSNARKs verification. This operation can be performed in a more optimized way than just straightforward multiplication and addition by using Pippenger algorithm[25]. A similar function exists both in Near for BN254[10] and in EIP-2537[15].
- ***bls12381_g1_multiexp —*** for points $g_i \in G_1$ and scalars $s_i$ calculate $\sum g_i s_i$. Can be used for multiplication on the scalar. Can be useful for zkSNARKs verification. This operation can be performed in a more optimized way than just straightforward multiplication and addition by using Pippenger algorithm[[25](https://github.com/wborgeaud/python-pippenger/blob/master/pippenger.pdf)]. A similar function exists both in Near for BN254[[10](https://github.com/near/NEPs/issues/98)] and in EIP-2537[[15](https://eips.ethereum.org/EIPS/eip-2537)].
- ***bls12381_g2_multiexp —*** for points $g_i \in G_2$ and scalars $s_i$ calculate $\sum g_i s_i$. Can be used for multiplication on the scalar.
- ***bls12381_g1_map_to_curve —*** map base field element into the $G_1$ point. Doesn’t perform mapping of the byte string into field elements (can be done in different ways and quite fast). Transfer field element into a curve. It is necessary for signature schemes. Function from EIP-2537[15].
- ***bls12381_g2_map_to_curve —*** map extension field element into the $G_2$ point. Doesn’t perform mapping of the byte string into extension field elements. Function from EIP-2537[15].
- ***bls12381_g1_map_to_curve —*** map base field element into the $G_1$ point. Doesn’t perform mapping of the byte string into field elements (can be done in different ways and quite fast). Transfer field element into a curve. It is necessary for signature schemes. Function from EIP-2537[[15](https://eips.ethereum.org/EIPS/eip-2537)].
- ***bls12381_g2_map_to_curve —*** map extension field element into the $G_2$ point. Doesn’t perform mapping of the byte string into extension field elements. Function from EIP-2537[[15](https://eips.ethereum.org/EIPS/eip-2537)].
- ***bls12381_g1_decompress —*** accepts points from $G_1$ in compressed form and returns in decompressed form. Some protocols provide points in compressed forms (for example, Light Client updates in Ethereum 2), and decompressing is a time-consuming operation. Other functions accept only decompressed points for simplicity and for gas consumption optimization.
- ***bls12381_g2_decompress —*** accepts points from $G_2$ in compressed form and returns in decompressed form.
- ***bls12381_pairing —*** verifying that $\prod e(p_i, q_i) = 1$, where $e$ is a pairing operation and $p_i \in G_1 \land q_i \in G_2$. Necessary function for verification BLS-signatures or zkSNARKs. A similar function exists both in Near for BN254[10] and in EIP-2537[15].
- ***bls12381_pairing —*** verifying that $\prod e(p_i, q_i) = 1$, where $e$ is a pairing operation and $p_i \in G_1 \land q_i \in G_2$. Necessary function for verification BLS-signatures or zkSNARKs. A similar function exists both in Near for BN254[[10](https://github.com/near/NEPs/issues/98)] and in EIP-2537[[15](https://eips.ethereum.org/EIPS/eip-2537)].

By using these functions, we can reproduce all functionality from EIP-2537[15]. Which can be useful for Aurora[24] to support Ethereum functionality on Near.
By using these functions, we can reproduce all functionality from EIP-2537[[15](https://eips.ethereum.org/EIPS/eip-2537)]. Which can be useful for Aurora[[24](https://doc.aurora.dev/evm/precompiles/)] to support Ethereum functionality on Near.

## Specification
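
Review bot: In the cross-chain paragraph the new line links only [17]; `Eth2.0[3]`, `Filecoin[6]` and `Tezos[5]` are still bare numbers, so the conversion to inline links is incomplete there. Suggest linking them to the same targets used for [3], [5] and [6] in the first Motivation paragraph. The rewritten first paragraph is also now split by a line break after "is a wildly", which looks unintended; rejoin it, and while touching the line fix "wildly" to "widely" and the unbalanced emphasis in `**the *pairing* operation*.*`. Citation [13] points at revision 02 of draft-irtf-cfrg-pairing-friendly-curves while [7] and [8] point at revision 09 of the same draft; confirm the older revision is the intended source for the "<100 bits of security" statement.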

Expand All @@ -58,7 +59,7 @@ $$

together with an imaginary point at infinity 0, where: $A, B \in F_p$, p is prime > 3, and $4A^3 + 27B^2 \not \equiv 0 \mod p$

In the case of BLS12-381 equation is $y^2 \equiv x^3 + 4 \mod p$ ([1-4])
In the case of BLS12-381 equation is $y^2 \equiv x^3 + 4 \mod p$ ([[15],[51],[14],[11]])

**Parameters for our case:**
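
Review bot: The replacement `([[15],[51],[14],[11]])` on the curve-equation line carries no URLs, unlike every other citation this commit converts, so it will render as literal nested brackets unless reference definitions exist elsewhere in the file. Suggest the same `[[15](url)]` form used in the Motivation section. Also check the numbering: [51] is not cited anywhere else in the visible changes, while the Motivation paragraph cites [52] for the eprint paper.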
