Implement BLS12-381 multi exponentiation

Jim8y · Jim8y · commit 1f82a9b8482b · 2025-10-17T10:26:43.000+08:00
diff --git a/docs/native-contracts-api.md b/docs/native-contracts-api.md
@@ -78,6 +78,7 @@ When calling a native contract method by transaction script, there are several t
 | bls12381Equal | Determines whether the specified points are equal. | InteropInterface(*x*), InteropInterface(*y*) | Boolean | 1<<5 | 0 | -- | -- |
 | bls12381Add | Add operation of two points. | InteropInterface(*x*), InteropInterface(*y*) | InteropInterface | 1<<19 | 0 | -- | -- |
 | bls12381Mul | Mul operation of gt point and multiplier | InteropInterface(*x*), Byte[](*mul*), Boolean(*neg*) | InteropInterface | 1<<21 | 0 | -- | -- |
+| bls12381MultiExp | Multi exponentiation operation for bls12381 points. | Array(*pairs*) | InteropInterface | 1<<23 | 0 | -- | HF_Gorgon |
 | bls12381Pairing | Pairing operation of g1 and g2 | InteropInterface(*g1*), InteropInterface(*g2*) | InteropInterface | 1<<23 | 0 | -- | -- |
 | recoverSecp256K1 | Recovers the public key from a secp256k1 signature in a single byte array format. | Byte[](*messageHash*), Byte[](*signature*) | Byte[] | 1<<15 | 0 | -- | HF_Echidna |
 | ripemd160 | Computes the hash value for the specified byte array using the ripemd160 algorithm. | Byte[](*data*) | Byte[] | 1<<15 | 0 | -- | -- |
diff --git a/src/Neo/SmartContract/Native/CryptoLib.BLS12_381.cs b/src/Neo/SmartContract/Native/CryptoLib.BLS12_381.cs
@@ -12,6 +12,8 @@
 using Neo.Cryptography.BLS12_381;
 using Neo.VM.Types;
 using System;
+using Array = Neo.VM.Types.Array;
+using VMBuffer = Neo.VM.Types.Buffer;
 
 namespace Neo.SmartContract.Native
 {
@@ -97,14 +99,6 @@ public static InteropInterface Bls12381Add(InteropInterface x, InteropInterface
             };
         }
 
-        [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 19, Name = "bls12_g1add")]
-        public static InteropInterface Bls12G1Add(InteropInterface x, InteropInterface y)
-            => Bls12381Add(x, y);
-
-        [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 19, Name = "bls12_g2add")]
-        public static InteropInterface Bls12G2Add(InteropInterface x, InteropInterface y)
-            => Bls12381Add(x, y);
-
         /// <summary>
         /// Mul operation of gt point and multiplier
         /// </summary>
@@ -127,13 +121,76 @@ public static InteropInterface Bls12381Mul(InteropInterface x, byte[] mul, bool
             };
         }
 
-        [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 21, Name = "bls12_g1mul")]
-        public static InteropInterface Bls12G1Mul(InteropInterface x, byte[] mul, bool neg)
-            => Bls12381Mul(x, mul, neg);
+        /// <summary>
+        /// Multi exponentiation operation for bls12381 points.
+        /// </summary>
+        /// <param name="pairs">Array of [point, scalar] pairs.</param>
+        /// <returns>The accumulated point.</returns>
+        [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 23)]
+        public static InteropInterface Bls12381MultiExp(Array pairs)
+        {
+            if (pairs is null || pairs.Count == 0)
+                throw new ArgumentException("BLS12-381 multi exponent requires at least one pair");
+
+            bool? useG2 = null;
+            G1Projective g1Accumulator = G1Projective.Identity;
+            G2Projective g2Accumulator = G2Projective.Identity;
 
-        [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 21, Name = "bls12_g2mul")]
-        public static InteropInterface Bls12G2Mul(InteropInterface x, byte[] mul, bool neg)
-            => Bls12381Mul(x, mul, neg);
+            foreach (StackItem item in pairs)
+            {
+                if (item is not Array pair || pair.Count != 2)
+                    throw new ArgumentException("BLS12-381 multi exponent pair must contain point and scalar");
+
+                if (pair[0] is not InteropInterface pointInterface)
+                    throw new ArgumentException("BLS12-381 multi exponent requires interop points");
+
+                var point = pointInterface.GetInterface<object>();
+                switch (point)
+                {
+                    case G1Affine g1Affine:
+                        EnsureGroupType(ref useG2, false);
+                        {
+                            var scalar = ParseScalar(pair[1]);
+                            if (!scalar.IsZero)
+                                g1Accumulator += new G1Projective(g1Affine) * scalar;
+                        }
+                        break;
+                    case G1Projective g1Projective:
+                        EnsureGroupType(ref useG2, false);
+                        {
+                            var scalar = ParseScalar(pair[1]);
+                            if (!scalar.IsZero)
+                                g1Accumulator += g1Projective * scalar;
+                        }
+                        break;
+                    case G2Affine g2Affine:
+                        EnsureGroupType(ref useG2, true);
+                        {
+                            var scalar = ParseScalar(pair[1]);
+                            if (!scalar.IsZero)
+                                g2Accumulator += new G2Projective(g2Affine) * scalar;
+                        }
+                        break;
+                    case G2Projective g2Projective:
+                        EnsureGroupType(ref useG2, true);
+                        {
+                            var scalar = ParseScalar(pair[1]);
+                            if (!scalar.IsZero)
+                                g2Accumulator += g2Projective * scalar;
+                        }
+                        break;
+                    default:
+                        throw new ArgumentException("BLS12-381 type mismatch");
+                }
+            }
+
+            if (useG2 is null)
+                throw new ArgumentException("BLS12-381 multi exponent requires at least one valid pair");
+
+            return useG2.Value
+                ? new InteropInterface(g2Accumulator)
+                : new InteropInterface(g1Accumulator);
+        }
 
         /// <summary>
         /// Pairing operation of g1 and g2
@@ -159,8 +216,40 @@ public static InteropInterface Bls12381Pairing(InteropInterface g1, InteropInter
             return new(Bls12.Pairing(in g1a, in g2a));
         }
 
-        [ContractMethod(Hardfork.HF_Gorgon, CpuFee = 1 << 23, Name = "bls12_pairing")]
-        public static InteropInterface Bls12Pairing(InteropInterface g1, InteropInterface g2)
-            => Bls12381Pairing(g1, g2);
+        private static void EnsureGroupType(ref bool? current, bool isG2)
+        {
+            if (current is null)
+            {
+                current = isG2;
+            }
+            else if (current.Value != isG2)
+            {
+                throw new ArgumentException("BLS12-381 multi exponent cannot mix groups");
+            }
+        }
+
+        private static Scalar ParseScalar(StackItem scalarItem)
+        {
+            ReadOnlySpan<byte> data = scalarItem switch
+            {
+                ByteString bs when bs.GetSpan().Length == Scalar.Size => bs.GetSpan(),
+                VMBuffer buffer when buffer.Size == Scalar.Size => buffer.InnerBuffer.Span,
+                _ => throw new ArgumentException("BLS12-381 scalar must be 32 bytes"),
+            };
+
+            Span<byte> littleEndian = stackalloc byte[Scalar.Size];
+            data.CopyTo(littleEndian);
+
+            try
+            {
+                return Scalar.FromBytes(littleEndian);
+            }
+            catch (FormatException)
+            {
+                var wide = new byte[Scalar.Size * 2];
+                littleEndian.CopyTo(wide);
+                return Scalar.FromBytesWide(wide);
+            }
+        }
     }
 }
diff --git a/tests/Neo.UnitTests/SmartContract/Native/UT_CryptoLib.cs b/tests/Neo.UnitTests/SmartContract/Native/UT_CryptoLib.cs
@@ -21,11 +21,14 @@
 using Neo.SmartContract;
 using Neo.SmartContract.Native;
 using Neo.VM;
+using Neo.VM.Types;
 using Org.BouncyCastle.Utilities.Encoders;
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Numerics;
 using System.Text;
+using VMArray = Neo.VM.Types.Array;
 
 namespace Neo.UnitTests.SmartContract.Native
 {
@@ -265,30 +268,98 @@ public void TestBls12381Pairing()
         }
 
         [TestMethod]
-        public void TestBls12AddAliases()
+        public void TestBls12381MultiExpG1()
         {
-            var expected = InvokeBlsAddMethod("bls12381Add");
-            foreach (var alias in new[] { "bls12_g1add", "bls12_g2add" })
+            var g1Point = G1Affine.FromCompressed(g1);
+            var pair1 = new VMArray(new StackItem[]
             {
-                CollectionAssert.AreEqual(expected, InvokeBlsAddMethod(alias));
-            }
+                StackItem.FromInterface(g1Point),
+                new ByteString(CreateScalarBytes(1))
+            });
+            var pair2 = new VMArray(new StackItem[]
+            {
+                StackItem.FromInterface(g1Point),
+                new ByteString(CreateScalarBytes(2))
+            });
+            var pairs = new VMArray(new StackItem[] { pair1, pair2 });
+
+            var result = CryptoLib.Bls12381MultiExp(pairs);
+            var actual = result.GetInterface<G1Projective>();
+
+            var expected = new G1Projective(g1Point) * CreateScalar(3);
+            Assert.AreEqual(new G1Affine(expected).ToCompressed().ToHexString(),
+                new G1Affine(actual).ToCompressed().ToHexString());
         }
 
         [TestMethod]
-        public void TestBls12MulAliases()
+        public void TestBls12381MultiExpG2()
         {
-            var expected = InvokeBlsMulMethod("bls12381Mul", false);
-            foreach (var alias in new[] { "bls12_g1mul", "bls12_g2mul" })
+            var g2Point = G2Affine.FromCompressed(g2);
+            var pair = new VMArray(new StackItem[]
             {
-                CollectionAssert.AreEqual(expected, InvokeBlsMulMethod(alias, false));
-            }
+                StackItem.FromInterface(new G2Projective(g2Point)),
+                new ByteString(CreateScalarBytes(5))
+            });
+            var pairs = new VMArray(new StackItem[] { pair });
+
+            var result = CryptoLib.Bls12381MultiExp(pairs);
+            var actual = result.GetInterface<G2Projective>();
+
+            var expected = new G2Projective(g2Point) * CreateScalar(5);
+            Assert.AreEqual(new G2Affine(expected).ToCompressed().ToHexString(),
+                new G2Affine(actual).ToCompressed().ToHexString());
         }
 
         [TestMethod]
-        public void TestBls12PairingAlias()
+        public void TestBls12381MultiExpReducesScalar()
         {
-            var expected = InvokeBlsPairingMethod("bls12381Pairing");
-            CollectionAssert.AreEqual(expected, InvokeBlsPairingMethod("bls12_pairing"));
+            var g1Point = G1Affine.FromCompressed(g1);
+            var oversized = (BigInteger.One << 260) + 5;
+            var scalarBytes = CreateScalarBytes(oversized);
+            var pair = new VMArray(new StackItem[]
+            {
+                StackItem.FromInterface(g1Point),
+                new ByteString(scalarBytes)
+            });
+            var pairs = new VMArray(new StackItem[] { pair });
+
+            var wide = new byte[Scalar.Size * 2];
+            System.Array.Copy(scalarBytes, wide, scalarBytes.Length);
+            var reducedScalar = Scalar.FromBytesWide(wide);
+
+            var result = CryptoLib.Bls12381MultiExp(pairs);
+            var actual = result.GetInterface<G1Projective>();
+
+            var expected = new G1Projective(g1Point) * reducedScalar;
+            Assert.AreEqual(new G1Affine(expected).ToCompressed().ToHexString(),
+                new G1Affine(actual).ToCompressed().ToHexString());
+        }
+
+        [TestMethod]
+        public void TestBls12381MultiExpMixedGroupFails()
+        {
+            var g1Point = G1Affine.FromCompressed(g1);
+            var g2Point = G2Affine.FromCompressed(g2);
+            var pair1 = new VMArray(new StackItem[]
+            {
+                StackItem.FromInterface(g1Point),
+                new ByteString(CreateScalarBytes(1))
+            });
+            var pair2 = new VMArray(new StackItem[]
+            {
+                StackItem.FromInterface(g2Point),
+                new ByteString(CreateScalarBytes(1))
+            });
+            var pairs = new VMArray(new StackItem[] { pair1, pair2 });
+
+            Assert.ThrowsExactly<ArgumentException>(() => CryptoLib.Bls12381MultiExp(pairs));
+        }
+
+        [TestMethod]
+        public void TestBls12381MultiExpEmptyFails()
+        {
+            var pairs = new VMArray();
+            Assert.ThrowsExactly<ArgumentException>(() => CryptoLib.Bls12381MultiExp(pairs));
         }
 
         [TestMethod]
@@ -1153,7 +1224,7 @@ public void TestVerifyWithEd25519()
         {
             // byte[] privateKey = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60".HexToBytes();
             byte[] publicKey = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a".HexToBytes();
-            byte[] message = Array.Empty<byte>();
+            byte[] message = System.Array.Empty<byte>();
             byte[] signature = ("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155" +
                                 "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b").HexToBytes();
 
@@ -1169,13 +1240,13 @@ public void TestVerifyWithEd25519()
 
             // Test with an invalid signature
             byte[] invalidSignature = new byte[signature.Length];
-            Array.Copy(signature, invalidSignature, signature.Length);
+            System.Array.Copy(signature, invalidSignature, signature.Length);
             invalidSignature[0] ^= 0x01; // Flip one bit
             Assert.IsFalse(CallVerifyWithEd25519(message, publicKey, invalidSignature));
 
             // Test with an invalid public key
             byte[] invalidPublicKey = new byte[publicKey.Length];
-            Array.Copy(publicKey, invalidPublicKey, publicKey.Length);
+            System.Array.Copy(publicKey, invalidPublicKey, publicKey.Length);
             invalidPublicKey[0] ^= 0x01; // Flip one bit
             Assert.IsFalse(CallVerifyWithEd25519(message, invalidPublicKey, signature));
         }
@@ -1203,61 +1274,22 @@ private bool CallVerifyWithEd25519(byte[] message, byte[] publicKey, byte[] sign
             }
         }
 
-        private byte[] InvokeBlsAddMethod(string methodName)
+        private static byte[] CreateScalarBytes(BigInteger value)
         {
-            var snapshotCache = TestBlockchain.GetTestSnapshotCache();
-            using ScriptBuilder script = new();
-            script.EmitDynamicCall(NativeContract.CryptoLib.Hash, "bls12381Deserialize", gt);
-            script.EmitDynamicCall(NativeContract.CryptoLib.Hash, "bls12381Deserialize", gt);
-            script.EmitPush(2);
-            script.Emit(OpCode.PACK);
-            script.EmitPush(CallFlags.All);
-            script.EmitPush(methodName);
-            script.EmitPush(NativeContract.CryptoLib.Hash);
-            script.EmitSysCall(ApplicationEngine.System_Contract_Call);
-            return ExecuteBlsScript(script, snapshotCache);
+            if (value < 0)
+                throw new ArgumentOutOfRangeException(nameof(value));
+
+            var bytes = new byte[Scalar.Size];
+            var mask = (BigInteger.One << (Scalar.Size * 8)) - BigInteger.One;
+            var truncated = value & mask;
+            if (!truncated.TryWriteBytes(bytes, out _, isBigEndian: false))
+                throw new InvalidOperationException("Unable to encode scalar value.");
+            return bytes;
         }
 
-        private byte[] InvokeBlsMulMethod(string methodName, bool neg)
-        {
-            var snapshotCache = TestBlockchain.GetTestSnapshotCache();
-            using ScriptBuilder script = new();
-            byte[] data = new byte[32];
-            data[0] = 0x03;
-            script.EmitPush(neg);
-            script.EmitPush(data);
-            script.EmitDynamicCall(NativeContract.CryptoLib.Hash, "bls12381Deserialize", gt);
-            script.EmitPush(3);
-            script.Emit(OpCode.PACK);
-            script.EmitPush(CallFlags.All);
-            script.EmitPush(methodName);
-            script.EmitPush(NativeContract.CryptoLib.Hash);
-            script.EmitSysCall(ApplicationEngine.System_Contract_Call);
-            return ExecuteBlsScript(script, snapshotCache);
-        }
+        private static byte[] CreateScalarBytes(uint value) => CreateScalarBytes(new BigInteger(value));
 
-        private byte[] InvokeBlsPairingMethod(string methodName)
-        {
-            var snapshotCache = TestBlockchain.GetTestSnapshotCache();
-            using ScriptBuilder script = new();
-            script.EmitDynamicCall(NativeContract.CryptoLib.Hash, "bls12381Deserialize", g2);
-            script.EmitDynamicCall(NativeContract.CryptoLib.Hash, "bls12381Deserialize", g1);
-            script.EmitPush(2);
-            script.Emit(OpCode.PACK);
-            script.EmitPush(CallFlags.All);
-            script.EmitPush(methodName);
-            script.EmitPush(NativeContract.CryptoLib.Hash);
-            script.EmitSysCall(ApplicationEngine.System_Contract_Call);
-            return ExecuteBlsScript(script, snapshotCache);
-        }
+        private static Scalar CreateScalar(uint value) => Scalar.FromBytes(CreateScalarBytes(value));
 
-        private byte[] ExecuteBlsScript(ScriptBuilder script, StoreCache snapshotCache)
-        {
-            using var engine = ApplicationEngine.Create(TriggerType.Application, null, snapshotCache,
-                settings: TestProtocolSettings.Default);
-            engine.LoadScript(script.ToArray());
-            Assert.AreEqual(VMState.HALT, engine.Execute());
-            return engine.ResultStack.Pop().GetInterface<Gt>().ToArray();
-        }
     }
 }
diff --git a/tests/Neo.UnitTests/SmartContract/Native/UT_NativeContract.cs b/tests/Neo.UnitTests/SmartContract/Native/UT_NativeContract.cs
