feat: added HashToG2 and BLS G2 signature verification circuit for BLS12-381

[weijiguo]

Description

This PR implemented circuit for HashToG2 and BLS G2 signature verification for the BLS12-381 curve. The implementation is based on affine coordinations.

Along with the said functionalities, it also added G2.addUnified(p, q) function which can handle the case that p == q. And as an optimization, it also adopted a new hint to calculate the sqrtRatio function with the gnark-crypto library to save constraints. Therefore this PR depends on an update to gnark-crypto

Fixes # (issue)
#648

Type of change

• New feature (non-breaking change which adds functionality)

How has this been tested?

Added unit tests to cover:

• G2.addUnified for BLS12-381
• HashToG2 for BLS12-381

How has this been benchmarked?

Added test cases for HashToG2. Results: 2761896 constraints with SCS and 779198 with R1CS for simple message ("abcd").

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[weijiguo]

L'et also make it a draft for now as I have a related pending question here: #1041

The background is that I want to ensure that the Domain Separation Tag is constant.

[yelhousni]

Hi @weijiguo, thank you for this contribution! this is a great work! As you would imagine, it takes a bit of time to review all of this. But it's definitely a great PR that we are looking to merge.

[weijiguo]

Hi @yelhousni @ivokub now that we have the 0.11 version. Can you spare some time to review yet? Really appreciate your time among your tight schedule.

[weijiguo]

static check fails due to needing to merge Consensys/gnark-crypto#481 first

[ivokub]

Hi @weijiguo - actually I started reviewing the PR about a month ago, but then realized it would require a bit of work to understand completely and postponed. But indeed, it would be a great addition and it would be good to review. I'll retry again soon, hopefully being more successful.

For example - the first issue I encountered with Consensys/gnark-crypto#481 is that it is implemented only for the BLS12-381 in the code generated path, so would have to add to the code generation. And I think exposing the individual method may overload the ecc/bls12-381 package, so maybe there is a better way for exposing the required functionality.

[weijiguo]

@ivokub Understood. Thanks again.