feat: added HashToG2 and BLS G2 signature verification circuit for BLS12-381 #1040
weijiguo wants to merge 26 commits into Consensys:master from
Conversation
revised G2.addUnified function based on the Brier and Joye algorithm
fixed G2.sgn0 function and associated unit tests for BLS12-381
Let me also make it a draft for now as I have a related pending question here: #1041. The background is that I want to ensure that the
Hi @weijiguo, thank you for this contribution! This is great work! As you would imagine, it takes a bit of time to review all of this. But it's definitely a great PR that we are looking to merge.
Hi @yelhousni @ivokub now that we have the 0.11 version. Can you spare some time to review yet? Really appreciate your time among your tight schedule.
static check fails due to needing to merge Consensys/gnark-crypto#481 first
Hi @weijiguo - actually I started reviewing the PR about a month ago, but then realized it would require a bit of work to understand completely and postponed. But indeed, it would be a great addition and it would be good to review. I'll retry again soon, hopefully being more successful. For example - the first issue I encountered with Consensys/gnark-crypto#481 is that it is implemented only for the BLS12-381 in the code generated path, so would have to add to the code generation. And I think exposing the individual method may overload the
@ivokub Understood. Thanks again.
Hi @ivokub I just updated Consensys/gnark-crypto#481. Specifically, I updated the template to expose Could you please take a look again?
This PR has been contracted for auditing. Please expect a few weeks before a report could be provided.
Thanks for the update. I'll also try to go over it myself soon, it has been long in the backlog. Sorry for the delays.
Is there a status? We have completed map to G1 in different PR #1447. I also made some methods in gnark-crypto public to be able to use the isogeny maps (see Consensys/gnark-crypto#674). I wanted to incorporate current PR with #1447, but there are some conventional differences. I'd like to rewrite a bit, but I'd do it in a separate PR not to create conflicts. It will take a few days and I'll ping again when it's done.
Yes, we had the initial audit report. We are working on the final report that we could publish. In the initial report, no security issue had been found.
Description
This PR implemented a circuit for `HashToG2` and BLS G2 signature verification for the BLS12-381 curve. The implementation is based on affine coordinates.
Along with the said functionalities, it also added a `G2.addUnified(p, q)` function which can handle the case that `p == q`. And as an optimization, it also adopted a new hint to calculate the `sqrtRatio` function with the gnark-crypto library to save constraints. Therefore this PR depends on an update to gnark-crypto.
Fixes # (issue)
#648
Type of change
How has this been tested?
Added unit tests to cover:
How has this been benchmarked?
Added test cases for HashToG2. Results: 2761896 constraints with SCS and 779198 with R1CS for simple message ("abcd").
Checklist:
`golangci-lint` does not output errors locally
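The Brier and Joye unified addition named in the `G2.addUnified` commit above, as an added example (not code from this PR or from gnark): one slope formula covers both `p != q` and `p == q`, and it is undefined whenever `y1 + y2 == 0`. It assumes a constructed toy curve y^2 = x^3 + 4 over F_19 in place of BLS12-381's Fp2 arithmetic, and the helper names `pt`, `mod`, `fromSlope` and `addChord` are hypothetical.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy curve y^2 = x^3 + 4 over F_19: constructed for illustration. It shares
// a = 0 with BLS12-381 but is not the real field, nor the Fp2 arithmetic of G2.
var prime, curveA = big.NewInt(19), big.NewInt(0)

type Point struct{ X, Y *big.Int }

func pt(x, y int64) Point { return Point{big.NewInt(x), big.NewInt(y)} }
func mod(v *big.Int) *big.Int { return v.Mod(v, prime) }

// fromSlope sets l = num/den and returns (l^2 - x1 - x2, l*(x1 - x3) - y1);
// ok is false when den == 0 mod prime, where the slope is undefined.
func fromSlope(num, den *big.Int, p, q Point) (Point, bool) {
	if mod(den).Sign() == 0 {
		return Point{}, false
	}
	l := new(big.Int).ModInverse(den, prime)
	mod(l.Mul(l, num))
	x3 := new(big.Int).Mul(l, l)
	mod(x3.Sub(x3, p.X).Sub(x3, q.X))
	y3 := new(big.Int).Sub(p.X, x3)
	mod(y3.Mul(y3, l).Sub(y3, p.Y))
	return Point{x3, y3}, true
}

// addChord is the textbook chord rule; its slope is 0/0 when p == q.
func addChord(p, q Point) (Point, bool) {
	return fromSlope(new(big.Int).Sub(q.Y, p.Y), new(big.Int).Sub(q.X, p.X), p, q)
}

// addUnified uses the Brier-Joye slope (x1^2 + x1*x2 + x2^2 + a)/(y1 + y2),
// one formula for p != q and p == q; it is undefined when y1 + y2 == 0.
func addUnified(p, q Point) (Point, bool) {
	num := new(big.Int).Mul(p.X, p.X)
	num.Add(num, new(big.Int).Mul(p.X, q.X)).Add(num, new(big.Int).Mul(q.X, q.X))
	return fromSlope(num.Add(num, curveA), new(big.Int).Add(p.Y, q.Y), p, q)
}

func main() {
	fmt.Println(addUnified(pt(1, 9), pt(4, 7)))  // P + Q
	fmt.Println(addUnified(pt(1, 9), pt(1, 9)))  // P + P, same formula
	fmt.Println(addUnified(pt(1, 9), pt(7, 10))) // y1 + y2 == 0, x1 != x2
}
```

On curves with a = 0 the `y1 + y2 == 0` case is not limited to `q == -p`: (1, 9) and (7, 10) have different x-coordinates and still hit it, so a caller has to handle or exclude both kinds of input.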