Implement BLS verification

beacon-light-client/solidity/package.json

@@ -4,6 +4,7 @@
   "description": "",
   "main": "index.js",
   "scripts": {
+    "ts": "yarn node --import tsx",
     "build:tsc": "tsc -p ./tsconfig.json",
     "build:sol": "hardhat compile",
     "test": "yarn hardhat test",
@@ -44,6 +45,7 @@
     "bullmq": "^5.4.0",
     "dotenv": "^16.4.4",
     "env-paths": "^3.0.0",
+    "tsx": "^4.7.1",
     "typescript": "5.2.2"
   },
   "exports": {

beacon-light-client/solidity/test/utils/bls.ts

@@ -24,46 +24,46 @@ import * as nodeCrypto from 'crypto';
 // Fp₂(v) / (v³ - ξ) where ξ = u + 1
 // Fp₆(w) / (w² - γ) where γ = v
 export const CURVE = {
-    // G1 is the order-q subgroup of E1(Fp) : y² = x³ + 4, #E1(Fp) = h1q, where
-    // characteristic; z + (z⁴ - z² + 1)(z - 1)²/3
-    P: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn,
-    // order; z⁴ − z² + 1
-    r: 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001n,
-    // cofactor; (z - 1)²/3
-    h: 0x396c8c005555e1568c00aaab0000aaabn,
-    // generator's coordinates
-    // x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
-    // y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
-    Gx: 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bbn,
-    Gy: 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1n,
-    b: 4n,
+  // G1 is the order-q subgroup of E1(Fp) : y² = x³ + 4, #E1(Fp) = h1q, where
+  // characteristic; z + (z⁴ - z² + 1)(z - 1)²/3
+  P: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn,
+  // order; z⁴ − z² + 1
+  r: 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001n,
+  // cofactor; (z - 1)²/3
+  h: 0x396c8c005555e1568c00aaab0000aaabn,
+  // generator's coordinates
+  // x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
+  // y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
+  Gx: 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bbn,
+  Gy: 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1n,
+  b: 4n,
 
-    // G2 is the order-q subgroup of E2(Fp²) : y² = x³+4(1+√−1),
-    // where Fp2 is Fp[√−1]/(x2+1). #E2(Fp2 ) = h2q, where
-    // G² - 1
-    // h2q
-    P2:
-        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn *
-        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn -
-        1n,
-    // cofactor
-    h2: 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5n,
-    G2x: [
-        0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8n,
-        0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7en,
-    ],
-    // y =
-    // 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582,
-    // 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
-    G2y: [
-        0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801n,
-        0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79ben,
-    ],
-    b2: [4n, 4n],
-    // The BLS parameter x for BLS12-381
-    x: 0xd201000000010000n,
-    h2Eff:
-        0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551n,
+  // G2 is the order-q subgroup of E2(Fp²) : y² = x³+4(1+√−1),
+  // where Fp2 is Fp[√−1]/(x2+1). #E2(Fp2 ) = h2q, where
+  // G² - 1
+  // h2q
+  P2:
+    0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn *
+    0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn -
+    1n,
+  // cofactor
+  h2: 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5n,
+  G2x: [
+    0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8n,
+    0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7en,
+  ],
+  // y =
+  // 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582,
+  // 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
+  G2y: [
+    0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801n,
+    0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79ben,
+  ],
+  b2: [4n, 4n],
+  // The BLS parameter x for BLS12-381
+  x: 0xd201000000010000n,
+  h2Eff:
+    0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551n,
 };
 
 export function mod(a: bigint, b: bigint) {
@@ -83,7 +83,7 @@ const SHA256_DIGEST_SIZE = 32;
 // p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
 // m = 2 (or 1 for G1 see section 8.8.1)
 // k = 128
-const htfDefaults = {
+export const htfDefaults = {
   // DST: a domain separation tag
   // defined in section 2.2.5
   DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_', // to comply with https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/beacon-chain.md#bls-signatures
@@ -184,7 +184,7 @@ function concatBytes(...arrays: Uint8Array[]): Uint8Array {
 }
 
 // UTF8 to ui8a
-function stringToBytes(str: string) {
+export function stringToBytes(str: string) {
   const bytes = new Uint8Array(str.length);
   for (let i = 0; i < str.length; i++) {
     bytes[i] = str.charCodeAt(i);
@@ -225,7 +225,7 @@ function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
 
 // Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits
 // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1
-async function expand_message_xmd(
+export async function expand_message_xmd(
   msg: Uint8Array,
   DST: Uint8Array,
   lenInBytes: number,
@@ -259,7 +259,7 @@ async function expand_message_xmd(
 // count - the number of elements of F to output.
 // Outputs:
 // [u_0, ..., u_(count - 1)], a list of field elements.
-async function hash_to_field(
+export async function hash_to_field(
   msg: Uint8Array,
   count: number,
   options = {},

beacon-light-client/solidity/test/utils/test.ts

@@ -0,0 +1,203 @@
+import { expand_message_xmd, stringToBytes, htfDefaults, hash_to_field } from "./bls";
+import { Fp2, isogenyMapG2, map_to_curve_simple_swu_9mod16 } from "../../../../vendor/circom-pairing/test/math"
+import { PointG2 } from "../../../../vendor/circom-pairing/test/index"
+import { Field } from '@noble/bls12-381';
+import { formatHex } from '@dendreth/utils/ts-utils/bls';
+
+function bigintToBytes(value: bigint): Uint8Array {
+    // Determine the required number of bytes to represent the bigint
+    const byteLength = Math.ceil(value.toString(16).length / 2);
+
+    // Initialize a Uint8Array to hold the bytes
+    const byteArray = new Uint8Array(byteLength);
+
+    // Convert the bigint to bytes
+    for (let i = 0; i < byteLength; i++) {
+        // Get the least significant byte and store it in the array
+        byteArray[byteLength - i - 1] = Number(value & BigInt(0xFF));
+        // Shift the value to the right by 8 bits (1 byte)
+        value >>= BigInt(8);
+    }
+
+    return byteArray;
+}
+
+function bigintTo12Limbs(value: bigint): bigint[] {
+    const numLimbs = 12; // Number of limbs
+    const limbSize = 64; // Each limb size in bits
+
+    // Create an array to hold the limbs
+    const limbs = new Array<bigint>(numLimbs);
+
+    // Loop through each limb and extract 64 bits at a time
+    for (let i = 0; i < numLimbs; i++) {
+        // Use a mask to extract the least significant 64 bits
+        const mask = (BigInt(1) << BigInt(limbSize)) - BigInt(1);
+        limbs[i] = value & mask;
+        // Shift the value to the right by 64 bits for the next limb
+        value >>= BigInt(limbSize);
+    }
+
+    return limbs;
+}
+
+function uint8ArrayToHexString(arr: Uint8Array): string {
+    return Array.from(arr)
+        .map(byte => byte.toString(16).padStart(2, '0'))
+        .join('');
+}
+
+type Fp2_4 = [Fp2, Fp2, Fp2, Fp2];
+
+const xnum = [
+    [
+        0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1n,
+        0x0n,
+    ],
+    [
+        0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71en,
+        0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38dn,
+    ],
+    [
+        0x0n,
+        0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71an,
+    ],
+    [
+        0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6n,
+        0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6n,
+    ],
+].map((pair) => Fp2.fromBigTuple(pair)) as Fp2_4;
+const xden = [
+    [0x0n, 0x0n],
+    [0x1n, 0x0n],
+    [
+        0xcn,
+        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9fn,
+    ],
+    [
+        0x0n,
+        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63n,
+    ],
+].map((pair) => Fp2.fromBigTuple(pair)) as Fp2_4;
+const ynum = [
+    [
+        0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10n,
+        0x0n,
+    ],
+    [
+        0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71cn,
+        0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38fn,
+    ],
+    [
+        0x0n,
+        0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97ben,
+    ],
+    [
+        0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706n,
+        0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706n,
+    ],
+].map((pair) => Fp2.fromBigTuple(pair)) as Fp2_4;
+const yden = [
+    [0x1n, 0x0n],
+    [
+        0x12n,
+        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99n,
+    ],
+    [
+        0x0n,
+        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3n,
+    ],
+    [
+        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fbn,
+        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fbn,
+    ],
+].map((pair) => Fp2.fromBigTuple(pair)) as Fp2_4;
+const ISOGENY_COEFFICIENTS_G2: [Fp2_4, Fp2_4, Fp2_4, Fp2_4] = [xnum, xden, ynum, yden];
+
+
+function hexToBytes(hex: string): Uint8Array {
+    if (typeof hex !== "string") {
+        throw new TypeError("hexToBytes: expected string, got " + typeof hex);
+    }
+    if (hex.length % 2)
+        throw new Error("hexToBytes: received invalid unpadded hex");
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        if (hexByte.length !== 2) throw new Error("Invalid byte sequence");
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error("Invalid byte sequence");
+        array[i] = byte;
+    }
+    return array;
+}
+
+
+// 3-isogeny map from E' to E
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#appendix-E.3
+function nobleIsogenyMap<T extends Field<T>>(COEFF: [T[], T[], T[], T[]], x: T, y: T): [T, T] {
+    const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
+        val.reduce((acc, i) => acc.multiply(x).add(i))
+    );
+    x = xNum.div(xDen); // xNum / xDen
+    y = y.multiply(yNum.div(yDen)); // y * (yNum / yDev)
+    return [x, y];
+}
+
+function ensureBytes(hex: string | Uint8Array): Uint8Array {
+    // Uint8Array.from() instead of hash.slice() because node.js Buffer
+    // is instance of Uint8Array, and its slice() creates **mutable** copy
+    return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes(hex);
+}
+type Hex = Uint8Array | string;
+
+// Encodes byte string to elliptic curve
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+// async function testHashToCurve(msg: Hex) {
+//     msg = ensureBytes(msg);
+//     const u = await hash_to_field(msg, 2);
+//     // console.log(`hash_to_curve(msg}) u0=${new Fp2(u[0])} u1=${new Fp2(u[1])}`);
+//     console.log("map_to_curve_simple_swu_9mod16", map_to_curve_simple_swu_9mod16(u[0]));
+//     const Q0 = new PointG2(
+//         ...isogenyMapG2(map_to_curve_simple_swu_9mod16(u[0]))
+//     );
+//     const Q1 = new PointG2(
+//         ...isogenyMapG2(map_to_curve_simple_swu_9mod16(u[1]))
+//     );
+//     // const R = Q0.add(Q1);
+
+//     return u;
+// }
+
+(async () => {
+    let msg = new Uint8Array([103, 140, 163, 210, 238, 252, 75, 8, 227, 27, 60, 229, 125, 150, 241, 222, 217, 156, 178, 17, 14, 199, 15, 172, 94, 179, 249, 0, 197, 206, 104, 200, 165, 253, 55, 147, 171, 191, 118, 189, 133, 138, 2, 22, 237, 6, 62, 10, 68, 105, 208, 102, 66, 70, 170, 114, 194, 80, 215, 5, 63, 95, 202, 1, 99, 153, 67, 115, 7, 122, 235, 255, 142, 44, 3, 65, 190, 166, 218, 72, 230, 196, 24, 88, 146, 193, 211, 90, 37, 173, 71, 152, 21, 226, 89, 79, 239, 81, 149, 135, 188, 51, 52, 116, 26, 30, 126, 31, 35, 240, 201, 101, 33, 61, 220, 192, 86, 47, 214, 243, 224, 136, 50, 56, 42, 233, 148, 244, 203, 198, 195, 120, 36, 221, 181, 53, 160, 58, 167, 131, 216, 183, 83, 232, 151, 87, 46, 54, 128, 123, 231, 212, 130, 19, 28, 96, 108, 111, 137, 154, 40, 184, 74, 69, 100, 64, 177, 98, 248, 32, 12, 97, 49, 187, 39, 159, 168, 247, 29, 246, 209, 110, 77, 73, 20, 23, 174, 143, 93, 92, 162, 48, 134, 119, 213, 139, 234, 205, 91, 113, 204, 121, 57, 4, 41, 180, 144, 76, 107, 59, 176, 43, 11, 127, 34, 38, 164, 9, 141, 78, 245, 175, 145, 112, 129, 109, 18, 250, 85, 16, 124, 182, 242, 158, 84, 219, 13, 207, 186, 82, 157, 132, 225, 236, 45, 185, 228, 161, 169, 106, 25, 155, 251, 254, 223]);
+
+    const DST = stringToBytes(htfDefaults.DST);
+
+    let hash_to_field_result = await hash_to_field(msg, 2);
+    // let map_to_curve: PointG2 = map_to_curve_simple_swu_9mod16(hash_to_field_result[0]);
+    // let iso_map_r = nobleIsogenyMap(ISOGENY_COEFFICIENTS_G2, map_to_curve[0], map_to_curve[1]);
+    // let clear_cof_g2_r = clearCofactor(iso_map_r);
+
+    let hash_to_curve_test_res: PointG2 = await PointG2.hashToCurve(
+        formatHex(uint8ArrayToHexString(msg)),
+    );
+
+    // let without_cofactor_hash2curve = await testHashToCurve(msg);
+
+    // console.log('hash_to_field_result is: ', hash_to_field_result);
+    console.log('####################################################');
+    console.log('hash_to_curve_test_res', hash_to_curve_test_res.toAffine());
+    console.log('####################################################');
+    // console.log('without_cofactor_hash2curve is: ', without_cofactor_hash2curve);
+
+
+    // let a = 164432780807461518526223636504241229349588394649409730072519387299403412015098917482545551400313990282635303577913n;
+
+    // for (let i = 1n; i <= 12n; i++) {
+    //     console.log((a % (2n ** 32n)));
+    //     a = a / (2n ** 32n);
+    // }
+})();