diff --git a/neps/nep-0488.md b/neps/nep-0488.md index acd7a121d..a2e1d6b40 100644 --- a/neps/nep-0488.md +++ b/neps/nep-0488.md @@ -16,8 +16,8 @@ A pre-compiled NEAR runtime functions for operations on BLS12-381 curve. It is a ## Motivation -The BLS12-381[^1], [11](https://hackmd.io/@benjaminion/bls12-381), [52](https://eprint.iacr.org/2019/403.pdf)] is a wildly -used[[2](https://zips.z.cash/protocol/protocol.pdf),[3](https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md), [4](https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate), [5](https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels), [6](https://spec.filecoin.io/), [7](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-)] elliptic curve with 120+ bits of security[[8](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1)] which support **the *pairing* operation*.* It is a good alternative for bn254 elliptic curve[[9](https://eprint.iacr.org/2005/133), [12](https://hackmd.io/@jpw/bn254)], which also supports the aggregation, and is currently implemented as NEAR precompiles[[10](https://github.com/near/NEPs/issues/98)]. Recent research shows that it contains only <100 bits of security[[13](https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security)] and we can see the tendency of switching from bn254 to bls12-381(ZCash[[14](https://electriccoin.co/blog/new-snark-curve/)], Ethereum[[15](https://eips.ethereum.org/EIPS/eip-2537)], Tezos[[16](https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3)]). +The BLS12-381[^1][^11][^52] is a wildly +used[^2],[^3](https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md), [4](https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate), [5](https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels), [6](https://spec.filecoin.io/), [7](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-)] elliptic curve with 120+ bits of security[[8](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1)] which support **the *pairing* operation*.* It is a good alternative for bn254 elliptic curve[[9](https://eprint.iacr.org/2005/133), [12](https://hackmd.io/@jpw/bn254)], which also supports the aggregation, and is currently implemented as NEAR precompiles[[10](https://github.com/near/NEPs/issues/98)]. Recent research shows that it contains only <100 bits of security[[13](https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security)] and we can see the tendency of switching from bn254 to bls12-381(ZCash[[14](https://electriccoin.co/blog/new-snark-curve/)], Ethereum[[15](https://eips.ethereum.org/EIPS/eip-2537)], Tezos[[16](https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3)]). The implementation of BLS12-381 curve operations from this NEP as a precompile will allows effective verify the BLS-signature and zkSNARKs. At the moment, BLS signature verification for BLS12-381 is impossible due to the limitation of the gas in 300 TGas for one transaction. @@ -1218,60 +1218,58 @@ There are no backward compatibility questions. The previous NEP for supporting BLS signature based on BLS12-381[[26](https://github.com/nearprotocol/neps/pull/446)] -## References - [^1]: BLS 2002 [https://www.researchgate.net/publication/2894224_Constructing_Elliptic_Curves_with_Prescribed_Embedding_Degrees](https://www.researchgate.net/publication/2894224_Constructing_Elliptic_Curves_with_Prescribed_Embedding_Degrees) -2. ZCash protocol: [https://zips.z.cash/protocol/protocol.pdf](https://zips.z.cash/protocol/protocol.pdf) -3. Ethereum 2 specification: [https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md](https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md) -4. Dfinity: [https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate](https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate) -5. Tezos: [https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels](https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels) -6. Filecoin: [https://spec.filecoin.io/](https://spec.filecoin.io/) -7. Specification of pairing friendly curves with a list of applications in the table: [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-) -8. Specification of pairing friendly curves, the security level for BLS12-381: [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1) -9. BN2005: [https://eprint.iacr.org/2005/133](https://eprint.iacr.org/2005/133) -10. NEP-98 for BN254 precompile on NEAR: https://github.com/near/NEPs/issues/98 -11. BLS12-381 for the Rest of Us: [https://hackmd.io/@benjaminion/bls12-381](https://hackmd.io/@benjaminion/bls12-381) -12. BN254 for the Rest of Us: [https://hackmd.io/@jpw/bn254](https://hackmd.io/@jpw/bn254) -13. Some analytics of different curve security: [https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security](https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security) -14. ZCash Transfer from bn254 to bls12-381: [https://electriccoin.co/blog/new-snark-curve/](https://electriccoin.co/blog/new-snark-curve/) -15. EIP-2537 Precompiles for Ethereum for BLS12-381: [https://eips.ethereum.org/EIPS/eip-2537](https://eips.ethereum.org/EIPS/eip-2537) -16. The article, where Tezos announce the support of BLS12-381 [https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3](https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3) -17. Article about Rainbow Bridge [https://near.org/blog/eth-near-rainbow-bridge](https://near.org/blog/eth-near-rainbow-bridge) -18. EIP-196. Precompiles for BN254: [https://eips.ethereum.org/EIPS/eip-196](https://eips.ethereum.org/EIPS/eip-196) -19. Intro into zkSNARKs: [https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b](https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b) -20. Zeropool project: [https://zeropool.network/](https://zeropool.network/) -21. Motivation for EIP-2537: [https://www.youtube.com/watch?v=al4YpfDVmS4&ab_channel=EthereumCatHerders](https://www.youtube.com/watch?v=al4YpfDVmS4&ab_channel=EthereumCatHerders) -22. NEAR blog post about Roll Ups: [https://near.org/blog/layer-2](https://near.org/blog/layer-2) -23. Ledger post about Roll Ups: [https://www.ledger.com/academy/what-are-blockchain-rollups](https://www.ledger.com/academy/what-are-blockchain-rollups) -24. Precompiles on Aurora: [https://doc.aurora.dev/evm/precompiles/](https://doc.aurora.dev/evm/precompiles/) -25. Pippenger Algorithm: [https://github.com/wborgeaud/python-pippenger/blob/master/pippenger.pdf](https://github.com/wborgeaud/python-pippenger/blob/master/pippenger.pdf) -26. NEP-446 proposal for BLS-signature verification precompile: [https://github.com/nearprotocol/neps/pull/446](https://github.com/nearprotocol/neps/pull/446) -27. EIP-1962 EC arithmetic and pairings with runtime definitions: [https://eips.ethereum.org/EIPS/eip-1962](https://eips.ethereum.org/EIPS/eip-1962) -28. Drawbacks of NEP-446: [https://github.com/near/NEPs/pull/446#pullrequestreview-1314601508](https://github.com/near/NEPs/pull/446#pullrequestreview-1314601508) -29. BLS12-381 Milagro: [https://github.com/sigp/incubator-milagro-crypto-rust/tree/057d238936c0cbbe3a59dfae6f2405db1090f474](https://github.com/sigp/incubator-milagro-crypto-rust/tree/057d238936c0cbbe3a59dfae6f2405db1090f474) -30. BLST: [https://github.com/supranational/blst](https://github.com/supranational/blst), -31. BLST EIP-2537 adaptation: [https://github.com/sean-sn/blst_eip2537](https://github.com/sean-sn/blst_eip2537) -32. EIP-1962 implementation matter labs Rust: https://github.com/matter-labs/eip1962 -33. zCash origin rust implementation: [https://github.com/zcash/zcash/tree/master/src/rust/src](https://github.com/zcash/zcash/tree/master/src/rust/src) -34. MCL library: [https://github.com/herumi/bls](https://github.com/herumi/bls) -35. filecoin/bls-signature: [https://github.com/filecoin-project/bls-signatures](https://github.com/filecoin-project/bls-signatures) -36. zkCrypto: [https://github.com/zkcrypto/bls12_381](https://github.com/zkcrypto/bls12_381), [https://github.com/zkcrypto/pairing](https://github.com/zkcrypto/pairing) -37. BLS12-381 code bases for ETH2.0 client Chia library C++: [https://github.com/Chia-Network/bls-signatures](https://github.com/Chia-Network/bls-signatures) -38. Adjoint Lib: [https://github.com/sdiehl/pairing](https://github.com/sdiehl/pairing) -39. Ethereum Go implementation for EIP-2537: [https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles](https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles) -40. Noble JS implementation: [https://github.com/paulmillr/noble-bls12-381](https://github.com/paulmillr/noble-bls12-381) -41. EIP-1962 implementation matter labs Go: https://github.com/kilic/eip2537, -42. EIP-1962 implementation matter labs C++: https://github.com/matter-labs-archive/eip1962_cpp -43. EIP-2537 with links: [https://github.com/matter-labs-forks/EIPs/blob/bls12_381/EIPS/eip-2537.md](https://github.com/matter-labs-forks/EIPs/blob/bls12_381/EIPS/eip-2537.md) -44. Pairing-friendly curves specification, crypto libs: [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-cryptographic-libraries](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-cryptographic-libraries) -45. Comparing different libs for pairing-friendly curves: [https://hackmd.io/@gnark/eccbench](https://hackmd.io/@gnark/eccbench) -46. Bench vectors from EIP2537: [https://eips.ethereum.org/assets/eip-2537/bench_vectors](https://eips.ethereum.org/assets/eip-2537/bench_vectors) -47. Metter Labs tests for EIP2537: [https://github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537](https://github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537) -48. Tests from Go Ethereum implementation: [https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles](https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles) -49. EIP-2537 Map To Curve specification: [https://eips.ethereum.org/assets/eip-2537/field_to_curve](https://eips.ethereum.org/assets/eip-2537/field_to_curve) -50. The current implementation of BN254: [https://github.com/near/nearcore/blob/master/runtime/near-vm-runner/src/logic/logic.rs](https://github.com/near/nearcore/blob/master/runtime/near-vm-runner/src/logic/logic.rs) -51. draft-irtf-cfrg-pairing-friendly-curves-11 [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11#name-bls-curves-for-the-128-bit-](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11#name-bls-curves-for-the-128-bit-) *(*[https://github.com/ethereum/consensus-specs/blob/dev/specs/altair/bls.md](https://github.com/ethereum/consensus-specs/blob/dev/specs/altair/bls.md) → [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04) → this ref*)* -52. Paper with BLS12-381: [https://eprint.iacr.org/2019/403.pdf](https://eprint.iacr.org/2019/403.pdf) -53. Zkcrypto points encoding: [https://github.com/zkcrypto/pairing/blob/0.14.0/src/bls12_381/README.md](https://github.com/zkcrypto/pairing/blob/0.14.0/src/bls12_381/README.md) -54. Draft PR for BLS12-381 operations in nearcore: https://github.com/near/nearcore/pull/9317 -55. Audit for BLST library: [https://research.nccgroup.com/wp-content/uploads/2021/01/NCC_Group_EthereumFoundation_ETHF002_Report_2021-01-20_v1.0.pdf](https://research.nccgroup.com/wp-content/uploads/2021/01/NCC_Group_EthereumFoundation_ETHF002_Report_2021-01-20_v1.0.pdf) +[^2]: ZCash protocol: [https://zips.z.cash/protocol/protocol.pdf](https://zips.z.cash/protocol/protocol.pdf) +[^3]: Ethereum 2 specification: [https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md](https://github.com/ethereum/consensus-specs/blob/master/specs/phase0/beacon-chain.md) +[^4]: Dfinity: [https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate](https://internetcomputer.org/docs/current/references/ic-interface-spec#certificate) +[^5]: Tezos: [https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels](https://wiki.tezosagora.org/learn/futuredevelopments/layer2#zkchannels) +[^6]: Filecoin: [https://spec.filecoin.io/](https://spec.filecoin.io/) +[^7]: Specification of pairing friendly curves with a list of applications in the table: [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-adoption-status-of-pairing-) +[^8]: Specification of pairing friendly curves, the security level for BLS12-381: [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#section-4.2.1) +[^9]: BN2005: [https://eprint.iacr.org/2005/133](https://eprint.iacr.org/2005/133) +[^10]: NEP-98 for BN254 precompile on NEAR: https://github.com/near/NEPs/issues/98 +[^11]: BLS12-381 for the Rest of Us: [https://hackmd.io/@benjaminion/bls12-381](https://hackmd.io/@benjaminion/bls12-381) +[^12]: BN254 for the Rest of Us: [https://hackmd.io/@jpw/bn254](https://hackmd.io/@jpw/bn254) +[^13]: Some analytics of different curve security: [https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security](https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-02.html#name-for-100-bits-of-security) +[^14]: ZCash Transfer from bn254 to bls12-381: [https://electriccoin.co/blog/new-snark-curve/](https://electriccoin.co/blog/new-snark-curve/) +[^15]: EIP-2537 Precompiles for Ethereum for BLS12-381: [https://eips.ethereum.org/EIPS/eip-2537](https://eips.ethereum.org/EIPS/eip-2537) +[^16]: The article, where Tezos announce the support of BLS12-381 [https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3](https://medium.com/metastatedev/meanwhile-at-cryptium-labs-2-part-2-adding-the-pairing-equipped-elliptic-curve-bls12-381-to-tezos-cfce907e4be3) +[^17]: Article about Rainbow Bridge [https://near.org/blog/eth-near-rainbow-bridge](https://near.org/blog/eth-near-rainbow-bridge) +[^18]: EIP-196. Precompiles for BN254: [https://eips.ethereum.org/EIPS/eip-196](https://eips.ethereum.org/EIPS/eip-196) +[^19]: Intro into zkSNARKs: [https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b](https://media.consensys.net/introduction-to-zksnarks-with-examples-3283b554fc3b) +[^20]: Zeropool project: [https://zeropool.network/](https://zeropool.network/) +[^21]: Motivation for EIP-2537: [https://www.youtube.com/watch?v=al4YpfDVmS4&ab_channel=EthereumCatHerders](https://www.youtube.com/watch?v=al4YpfDVmS4&ab_channel=EthereumCatHerders) +[^22]: NEAR blog post about Roll Ups: [https://near.org/blog/layer-2](https://near.org/blog/layer-2) +[^23]: Ledger post about Roll Ups: [https://www.ledger.com/academy/what-are-blockchain-rollups](https://www.ledger.com/academy/what-are-blockchain-rollups) +[^24]: Precompiles on Aurora: [https://doc.aurora.dev/evm/precompiles/](https://doc.aurora.dev/evm/precompiles/) +[^25]: Pippenger Algorithm: [https://github.com/wborgeaud/python-pippenger/blob/master/pippenger.pdf](https://github.com/wborgeaud/python-pippenger/blob/master/pippenger.pdf) +[^26]: NEP-446 proposal for BLS-signature verification precompile: [https://github.com/nearprotocol/neps/pull/446](https://github.com/nearprotocol/neps/pull/446) +[^27]: EIP-1962 EC arithmetic and pairings with runtime definitions: [https://eips.ethereum.org/EIPS/eip-1962](https://eips.ethereum.org/EIPS/eip-1962) +[^28]: Drawbacks of NEP-446: [https://github.com/near/NEPs/pull/446#pullrequestreview-1314601508](https://github.com/near/NEPs/pull/446#pullrequestreview-1314601508) +[^29]: BLS12-381 Milagro: [https://github.com/sigp/incubator-milagro-crypto-rust/tree/057d238936c0cbbe3a59dfae6f2405db1090f474](https://github.com/sigp/incubator-milagro-crypto-rust/tree/057d238936c0cbbe3a59dfae6f2405db1090f474) +[^30]: BLST: [https://github.com/supranational/blst](https://github.com/supranational/blst), +[^31]: BLST EIP-2537 adaptation: [https://github.com/sean-sn/blst_eip2537](https://github.com/sean-sn/blst_eip2537) +[^32]: EIP-1962 implementation matter labs Rust: https://github.com/matter-labs/eip1962 +[^33]: zCash origin rust implementation: [https://github.com/zcash/zcash/tree/master/src/rust/src](https://github.com/zcash/zcash/tree/master/src/rust/src) +[^34]: MCL library: [https://github.com/herumi/bls](https://github.com/herumi/bls) +[^35]: filecoin/bls-signature: [https://github.com/filecoin-project/bls-signatures](https://github.com/filecoin-project/bls-signatures) +[^36]: zkCrypto: [https://github.com/zkcrypto/bls12_381](https://github.com/zkcrypto/bls12_381), [https://github.com/zkcrypto/pairing](https://github.com/zkcrypto/pairing) +[^37]: BLS12-381 code bases for ETH2.0 client Chia library C++: [https://github.com/Chia-Network/bls-signatures](https://github.com/Chia-Network/bls-signatures) +[^38]: Adjoint Lib: [https://github.com/sdiehl/pairing](https://github.com/sdiehl/pairing) +[^39]: Ethereum Go implementation for EIP-2537: [https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles](https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles) +[^40]: Noble JS implementation: [https://github.com/paulmillr/noble-bls12-381](https://github.com/paulmillr/noble-bls12-381) +[^41]: EIP-1962 implementation matter labs Go: https://github.com/kilic/eip2537, +[^42]: EIP-1962 implementation matter labs C++: https://github.com/matter-labs-archive/eip1962_cpp +[^43]: EIP-2537 with links: [https://github.com/matter-labs-forks/EIPs/blob/bls12_381/EIPS/eip-2537.md](https://github.com/matter-labs-forks/EIPs/blob/bls12_381/EIPS/eip-2537.md) +[^44]: Pairing-friendly curves specification, crypto libs: [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-cryptographic-libraries](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09#name-cryptographic-libraries) +[^45]: Comparing different libs for pairing-friendly curves: [https://hackmd.io/@gnark/eccbench](https://hackmd.io/@gnark/eccbench) +[^46]: Bench vectors from EIP2537: [https://eips.ethereum.org/assets/eip-2537/bench_vectors](https://eips.ethereum.org/assets/eip-2537/bench_vectors) +[^47]: Metter Labs tests for EIP2537: [https://github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537](https://github.com/matter-labs/eip1962/tree/master/src/test/test_vectors/eip2537) +[^48]: Tests from Go Ethereum implementation: [https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles](https://github.com/ethereum/go-ethereum/tree/master/core/vm/testdata/precompiles) +[^49]: EIP-2537 Map To Curve specification: [https://eips.ethereum.org/assets/eip-2537/field_to_curve](https://eips.ethereum.org/assets/eip-2537/field_to_curve) +[^50]: The current implementation of BN254: [https://github.com/near/nearcore/blob/master/runtime/near-vm-runner/src/logic/logic.rs](https://github.com/near/nearcore/blob/master/runtime/near-vm-runner/src/logic/logic.rs) +[^51]: draft-irtf-cfrg-pairing-friendly-curves-11 [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11#name-bls-curves-for-the-128-bit-](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11#name-bls-curves-for-the-128-bit-) *(*[https://github.com/ethereum/consensus-specs/blob/dev/specs/altair/bls.md](https://github.com/ethereum/consensus-specs/blob/dev/specs/altair/bls.md) → [https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04) → this ref*)* +[^52]: Paper with BLS12-381: [https://eprint.iacr.org/2019/403.pdf](https://eprint.iacr.org/2019/403.pdf) +[^53]: Zkcrypto points encoding: [https://github.com/zkcrypto/pairing/blob/0.14.0/src/bls12_381/README.md](https://github.com/zkcrypto/pairing/blob/0.14.0/src/bls12_381/README.md) +[^54]: Draft PR for BLS12-381 operations in nearcore: https://github.com/near/nearcore/pull/9317 +[^55]: Audit for BLST library: [https://research.nccgroup.com/wp-content/uploads/2021/01/NCC_Group_EthereumFoundation_ETHF002_Report_2021-01-20_v1.0.pdf](https://research.nccgroup.com/wp-content/uploads/2021/01/NCC_Group_EthereumFoundation_ETHF002_Report_2021-01-20_v1.0.pdf)