revm_precompile/bls12_381/
g1_msm.rs

1use super::crypto_backend::{encode_g1_point, p1_msm, read_g1, read_scalar};
2use crate::bls12_381::utils::remove_g1_padding;
3use crate::bls12_381_const::{
4    DISCOUNT_TABLE_G1_MSM, G1_MSM_ADDRESS, G1_MSM_BASE_GAS_FEE, G1_MSM_INPUT_LENGTH,
5    PADDED_G1_LENGTH, SCALAR_LENGTH,
6};
7use crate::bls12_381_utils::msm_required_gas;
8use crate::{PrecompileError, PrecompileOutput, PrecompileResult, PrecompileWithAddress};
9use primitives::Bytes;
10use std::vec::Vec;
11
12/// [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537#specification) BLS12_G1MSM precompile.
13pub const PRECOMPILE: PrecompileWithAddress = PrecompileWithAddress(G1_MSM_ADDRESS, g1_msm);
14
15/// Implements EIP-2537 G1MSM precompile.
16/// G1 multi-scalar-multiplication call expects `160*k` bytes as an input that is interpreted
17/// as byte concatenation of `k` slices each of them being a byte concatenation
18/// of encoding of G1 point (`128` bytes) and encoding of a scalar value (`32`
19/// bytes).
20/// Output is an encoding of multi-scalar-multiplication operation result - single G1
21/// point (`128` bytes).
22/// See also: <https://eips.ethereum.org/EIPS/eip-2537#abi-for-g1-multiexponentiation>
23pub(super) fn g1_msm(input: &Bytes, gas_limit: u64) -> PrecompileResult {
24    let input_len = input.len();
25    if input_len == 0 || input_len % G1_MSM_INPUT_LENGTH != 0 {
26        return Err(PrecompileError::Other(format!(
27            "G1MSM input length should be multiple of {}, was {}",
28            G1_MSM_INPUT_LENGTH, input_len
29        )));
30    }
31
32    let k = input_len / G1_MSM_INPUT_LENGTH;
33    let required_gas = msm_required_gas(k, &DISCOUNT_TABLE_G1_MSM, G1_MSM_BASE_GAS_FEE);
34    if required_gas > gas_limit {
35        return Err(PrecompileError::OutOfGas);
36    }
37
38    let mut g1_points: Vec<_> = Vec::with_capacity(k);
39    let mut scalars = Vec::with_capacity(k);
40    for i in 0..k {
41        let encoded_g1_element =
42            &input[i * G1_MSM_INPUT_LENGTH..i * G1_MSM_INPUT_LENGTH + PADDED_G1_LENGTH];
43        let encoded_scalar = &input[i * G1_MSM_INPUT_LENGTH + PADDED_G1_LENGTH
44            ..i * G1_MSM_INPUT_LENGTH + PADDED_G1_LENGTH + SCALAR_LENGTH];
45
46        // Filter out points infinity as an optimization, since it is a no-op.
47        // Note: Previously, points were being batch converted from Jacobian to Affine.
48        // In `blst`, this would essentially, zero out all of the points.
49        // Since all points are now in affine, this bug is avoided.
50        if encoded_g1_element.iter().all(|i| *i == 0) {
51            continue;
52        }
53
54        let [a_x, a_y] = remove_g1_padding(encoded_g1_element)?;
55
56        // NB: Scalar multiplications, MSMs and pairings MUST perform a subgroup check.
57        let p0_aff = read_g1(a_x, a_y)?;
58
59        // If the scalar is zero, then this is a no-op.
60        //
61        // Note: This check is made after checking that g1 is valid.
62        // this is because we want the precompile to error when
63        // G1 is invalid, even if the scalar is zero.
64        if encoded_scalar.iter().all(|i| *i == 0) {
65            continue;
66        }
67
68        g1_points.push(p0_aff);
69        scalars.push(read_scalar(encoded_scalar)?);
70    }
71
72    // Return the encoding for the point at the infinity according to EIP-2537
73    // if there are no points in the MSM.
74    const ENCODED_POINT_AT_INFINITY: [u8; PADDED_G1_LENGTH] = [0; PADDED_G1_LENGTH];
75    if g1_points.is_empty() {
76        return Ok(PrecompileOutput::new(
77            required_gas,
78            ENCODED_POINT_AT_INFINITY.into(),
79        ));
80    }
81
82    let multiexp_aff = p1_msm(g1_points, scalars);
83
84    let out = encode_g1_point(&multiexp_aff);
85    Ok(PrecompileOutput::new(required_gas, out.into()))
86}
87
88#[cfg(test)]
89mod test {
90    use super::*;
91    use primitives::hex;
92
93    #[test]
94    fn bls_g1multiexp_g1_not_on_curve_but_in_subgroup() {
95        let input = Bytes::from(hex!("000000000000000000000000000000000a2833e497b38ee3ca5c62828bf4887a9f940c9e426c7890a759c20f248c23a7210d2432f4c98a514e524b5184a0ddac00000000000000000000000000000000150772d56bf9509469f9ebcd6e47570429fd31b0e262b66d512e245c38ec37255529f2271fd70066473e393a8bead0c30000000000000000000000000000000000000000000000000000000000000000"));
96        let fail = g1_msm(&input, G1_MSM_BASE_GAS_FEE);
97        assert_eq!(
98            fail,
99            Err(PrecompileError::Other(
100                "Element not on G1 curve".to_string()
101            ))
102        );
103    }
104}