[LightClient] Switch from SNARKed Schnorr to BLS precompile #2551
Comments
|
Checking the BLS signature is only part of the QC verification. How do we prove efficiently the aggregated key is consistent with the 2/3N +1 threshold without snarks? |
|
each QC verification accept a bitmap, bunch of |
|
If there are many keys, even with the precompile won't the on chain QC verification be too expensive? |
|
If we don't change current QC which uses "short sig" version of BLS, each pub key add is G2Add which is 600 gas; if we upgrade to "short pk" version, then G1Add is 375 gas. (Source: https://eips.ethereum.org/EIPS/eip-2537) For comparison, PlonkVerifier is roughly 377k gas. With 100~200 nodes; the BLS precompile approaches takes 37.5k to 120k. It's definitely cheaper. |
Currently, we use Schnorr signatures over BN curve for light client state attestation. The rationale is explained in https://www.notion.so/espressosys/Espresso-ZK-Light-Client-65f34074049048dd882eac0ad7aa1fcd
But with upcoming EIP-2537 on BLS precompile scheduled to be released in March 2025, we should consider switching back to directly verifying BLS12-381 QC on the contract instead.
cc @mrain @philippecamacho @elliedavidson @jbearer
The text was updated successfully, but these errors were encountered: