Skip to main content

revm_precompile/bls12_381/
g2_msm.rs

1//! BLS12-381 G2 msm precompile. More details in [`g2_msm`]
2use super::utils::{pad_g2_point, remove_g2_padding};
3use crate::{
4    bls12_381_const::{
5        DISCOUNT_TABLE_G2_MSM, G2_MSM_ADDRESS, G2_MSM_BASE_GAS_FEE, G2_MSM_INPUT_LENGTH,
6        PADDED_G2_LENGTH, SCALAR_LENGTH,
7    },
8    bls12_381_utils::msm_required_gas,
9    crypto, eth_precompile_fn, EthPrecompileOutput, EthPrecompileResult, Precompile,
10    PrecompileHalt, PrecompileId,
11};
12
13eth_precompile_fn!(g2_msm_precompile, g2_msm);
14
15/// [EIP-2537](https://eips.ethereum.org/EIPS/eip-2537#specification) BLS12_G2MSM precompile.
16pub const PRECOMPILE: Precompile =
17    Precompile::new(PrecompileId::Bls12G2Msm, G2_MSM_ADDRESS, g2_msm_precompile);
18
19/// Implements EIP-2537 G2MSM precompile.
20/// G2 multi-scalar-multiplication call expects `288*k` bytes as an input that is interpreted
21/// as byte concatenation of `k` slices each of them being a byte concatenation
22/// of encoding of G2 point (`256` bytes) and encoding of a scalar value (`32`
23/// bytes).
24/// Output is an encoding of multi-scalar-multiplication operation result - single G2
25/// point (`256` bytes).
26/// See also: <https://eips.ethereum.org/EIPS/eip-2537#abi-for-g2-multiexponentiation>
27pub fn g2_msm(input: &[u8], gas_limit: u64) -> EthPrecompileResult {
28    let input_len = input.len();
29    if input_len == 0 || !input_len.is_multiple_of(G2_MSM_INPUT_LENGTH) {
30        return Err(PrecompileHalt::Bls12381G2MsmInputLength);
31    }
32
33    let k = input_len / G2_MSM_INPUT_LENGTH;
34    let required_gas = msm_required_gas(k, &DISCOUNT_TABLE_G2_MSM, G2_MSM_BASE_GAS_FEE);
35    if required_gas > gas_limit {
36        return Err(PrecompileHalt::OutOfGas);
37    }
38
39    let mut valid_pairs_iter = (0..k).map(|i| {
40        let start = i * G2_MSM_INPUT_LENGTH;
41        let padded_g2 = &input[start..start + PADDED_G2_LENGTH];
42        let scalar_bytes = &input[start + PADDED_G2_LENGTH..start + G2_MSM_INPUT_LENGTH];
43
44        // Remove padding from G2 point - this validates padding format
45        let [x_0, x_1, y_0, y_1] = remove_g2_padding(padded_g2)?;
46        let scalar_array: [u8; SCALAR_LENGTH] = scalar_bytes.try_into().unwrap();
47
48        Ok(((*x_0, *x_1, *y_0, *y_1), scalar_array))
49    });
50
51    let unpadded_result = crypto().bls12_381_g2_msm(&mut valid_pairs_iter)?;
52
53    // Pad the result for EVM compatibility
54    let padded_result = pad_g2_point(&unpadded_result);
55
56    Ok(EthPrecompileOutput::new(required_gas, padded_result.into()))
57}