Support BLS12-381

[xhliu]

https://hackmd.io/@benjaminion/bls12-381
zcash/zcash#2502

BLS12 in 5 slides: https://docs.google.com/presentation/d/1uN-ziUVXP1xtxEyKc5piHcVnOqcrTk26WIk-fzkbOMs/edit#slide=id.p

However, neither RSK nor Ethereum have activated native support for this curve. https://medium.com/iovlabs-innovation-stories/choosing-the-right-curve-bf183d477a

Since neither EIP-2537, nor EVM384 precompiles have been implemented on mainnet
https://ethresear.ch/t/do-not-add-bls12-precompile-implement-pasta-curves-w-o-trusted-setup-instead/12808

For platform-agnostic applications, the choice requires a tradeoff between performance (BN254) and security (BLS12-381). We recommend choosing BLS12-381 as it is more secure, still fast enough to be practical, but slower than BN254. https://docs.gnark.consensys.net/en/latest/Concepts/schemes_curves/#bn254-and-bls12-381-curves

Reference implementation

Go impl in Eth https://github.com/ethereum/go-ethereum/tree/master/crypto/bls12381

Circom impl by 0xparc: https://github.com/yi-sun/circom-pairing/tree/master/circuits
See section Adapting to other elliptic curves, adapted from https://github.com/paulmillr/noble-bls12-381

Test

• Use ZoKrates in bls12 mode as in https://www.dailambda.jp/blog/2021-02-21-zokratez/
• Eth Go
• https://github.com/paulmillr/noble-bls12-381
• Snarkjs also supports BLS12 https://twitter.com/LightProtocol/status/1468376397068619784?s=20&t=RDyIZfCeEkCg4fmMwtnIIg

[xhliu]

As we did before for BN256:
Golang
https://github.com/ethereum/go-ethereum/tree/master/crypto/bn256/google

->
sCrypt
https://github.com/sCrypt-Inc/boilerplate/blob/master/contracts/bn256.scrypt https://github.com/sCrypt-Inc/boilerplate/blob/master/contracts/bn256pairing.scrypt

[xhliu]

https://eips.ethereum.org/EIPS/eip-2537