ethereum · hujw77 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023 · Nov 23, 2023
@@ -2,7 +2,7 @@
 eip: 2537
 title: Precompile for BLS12-381 curve operations
 description: Adds operation on BLS12-381 curve as a precompile in a set necessary to efficiently perform operations such as BLS signature verification.
-author: Alex Vlasov (@shamatar), Kelly Olson (@ineffectualproperty), Alex Stokes (@ralexstokes), Antonio Sanso (@asanso)
+author: Alex Vlasov (@shamatar), Kelly Olson (@ineffectualproperty), Alex Stokes (@ralexstokes), Antonio Sanso (@asanso), hujw77 (@hujw77)
 discussions-to: https://ethereum-magicians.org/t/eip2537-bls12-precompile-discussion-thread/4187
 status: Review
 type: Standards Track
@@ -243,19 +243,19 @@ Assuming a constant `30 MGas/second`, the following prices are suggested.
 
 #### G1 addition
 
-`500` gas
+`600` gas
 
 #### G1 multiplication
 
 `12000` gas
 
 #### G2 addition
 
-`800` gas
+`4500` gas
 
 #### G2 multiplication
 
-`45000` gas
+`55000` gas
 
 #### G1/G2 Multiexponentiation
 
@@ -273,15 +273,15 @@ Discounts table as a vector of pairs `[k, discount]`:
 
 #### Pairing operation
 
-The cost of the pairing operation is `43000*k + 65000` where `k` is a number of pairs.
+Cost of the pairing operation is `23000*k + 115000` where `k` is a number of pairs.
 
 #### Fp-to-G1 mapping operation
 
 Fp -> G1 mapping is `5500` gas.
 
 #### Fp2-to-G2 mapping operation
 
-Fp2 -> G2 mapping is `75000` gas
+Fp2 -> G2 mapping is `110000` gas
 
 #### Gas schedule clarifications for the variable-length input
 
@@ -336,17 +336,18 @@ Explicit separate multiexponentiation operation that allows one to save executio
 
 There are no backward compatibility questions.
 
+
 ### Subgroup checks
 
 A subgroup check **is mandatory** during the pairing call. Implementations *should* use fast subgroup checks: at the time of writing, multiplication gas cost is based on the `double-and-add` multiplication method that has a clear "worst case" (all bits are equal to one). For pairing operations, it is expected that implementations use faster subgroup checks, e.g. by using the wNAF multiplication method for elliptic curves that is ~ `40%` cheaper with windows size equal to 4. (Tested empirically. Savings are due to lower hamming weight of the group order and even lower hamming weight for wNAF. Concretely, subgroup check for both G1 and G2 points in a pair are around `35000` combined).
 
 
 
-### Field to curve mapping
+#### Field to curve mapping
 
 Algorithms and set of parameters for SWU mapping method is provided by a separate [document](../assets/eip-2537/field_to_curve.md)
 
-## Test Cases
+### Test Cases
 
 Due to the large test parameters space, we first provide properties that various operations must satisfy. We use additive notation for point operations, capital letters (`P`, `Q`) for points, small letters (`a`, `b`) for scalars. The generator for G1 is labeled as `G`, the generator for G2 is labeled as `H`, otherwise we assume random points on a curve in a correct subgroup. `0` means either scalar zero or point at infinity. `1` means either scalar one or multiplicative identity. `group_order` is the main subgroup order. `e(P, Q)` means pairing operation where `P` is in G1, `Q` is in G2.
 
@@ -366,7 +367,6 @@ Required properties for pairing operation:
 - Degeneracy `e(P, 0*Q) = e(0*P, Q) = 1`
 - Bilinearity `e(a*P, b*Q) = e(a*b*P, Q) = e(P, a*b*Q)` (internal test, not visible through ABI)
 
-Test vectors can be found [in the test vectors files](../assets/eip-2537/test-vectors.md).
 
 ### Benchmarking test cases