Ethereum’s consensus layer elliptic curve

I’ve written before about Bitcoin’s elliptic curve and Monero’s elliptic curve. In the Monero post I wrote “Bitcoin and Ethereum use the elliptic curve secp256k1.” That’s true, but it’s incomplete. Ethereum does use the elliptic curve secp256k1 for digital signatures, as does Bitcoin, but Ethereum also uses a different elliptic curve for its consensus layer.

Ethereum’s consensus layer uses the elliptic curve BLS12-381. This post will say a little bit about this curve, starting with unpacking the cryptic name. I won’t go into the advanced math behind the curve’s design but instead will focus on concrete calculations in Python to try to make the curve more tangible. The same curve is used in other cryptocurrencies, including Zcash.

First of all, BLS stands for Paulo Barreto, Ben Lynn, and Michael Scott, the developers of a family of elliptic curves known as the BLS curves, including BLS12-381. Incidentally, in the context of cryptography, BLS can refer to the BLS curves or to BLS signatures. The “L” is the same person in both instances, but the “B” and “S” in BLS signatures refer to Dan Boneh and Hovav Shacham.

The 381 in BLS12-381 refers to the fact that it is defined over a finite field whose order is a 381-bit number, namely

p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab

We can verify that p is prime and that it has 381 bits.

>>> from sympy import isprime
>>> isprime(p)
True
>>> 2**380 < p < 2**381
True

The value of p comes from applying a certain polynomial to a parameter z with low Hamming weight, i.e. with lots of zeros in its binary representation. Why this matters is beyond the scope of this post, but we can show that it’s true.

>>> z = -0xd201000000010000
>>> p == (z-1)**2*(z**4 - z**2 + 1)//3 + z
True

The elliptic curve BLS12-381 is the set of points satisfying

y² = x³ + 4 mod p.

The 12 in BLS12-381 refers to an embedding degree k that we’ll get to shortly.

The elliptic curve BLS12-381 is pairing friendly, which is the reason for its use in the Ethereum consensus layer. This layer uses pairing-based cryptography to aggregate signatures. I may write more about that someday, but not today.

As I wrote a couple months ago,

An elliptic curve E/F_q is said to be pairing-friendly if r divides q^k − 1 for some small k. Here r is the size of the largest prime-order subgroup of the curve.

In the case of BLS12-381, r = z⁴ − z² + 1 and r is a 255-bit prime number.

>>> r = z**4 - z**2 + 1
>>> isprime(r)
True
>>> 2**254 < r < 2**255
True

And now we can verify that the embedding degree is 12, showing that BLS12-381 is a pairing-friendly curve.

>>> (p**12 - 1) % r
0

So what is being paired with what? And what is being embedded into what? The group G1 of order r is a subgroup of BLS12-381. It is paired with another group G2 also of order r, and there is a bilinear mapping from (G1, G2) to the multiplicative group of the finite field with p¹² elements. For more details, see the section on BLS12-381 in Ben Edginton’s book Upgrading Ethereum: A technical handbook on Ethereum’s move to proof of stake and beyond.
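The following is an added example, not code from the original post. It goes a step beyond the divisibility check above: it confirms that 12 is the smallest k with r dividing p^k − 1, and it tests membership in G1 by checking that a point lies on the curve and is annihilated by r. The cofactor h = (z − 1)²/3 is a standard fact about this curve that the post does not state, and all function names are illustrative.

```python
# z, r, p as in the post. Assumption (standard fact, not in the post): #E(F_p) = h*r.
z = -0xd201000000010000
r = z**4 - z**2 + 1
p = (z - 1)**2 * r // 3 + z
h = (z - 1)**2 // 3  # cofactor of the order-r subgroup G1

def embedding_degree(limit=64):  # smallest k with r | p^k - 1 (order of p mod r)
    acc = 1
    for k in range(1, limit + 1):
        acc = acc * p % r
        if acc == 1:
            return k

def on_curve(P):  # None is the point at infinity
    return P is None or (P[1]**2 - P[0]**3 - 4) % p == 0

def add(P, Q):  # affine addition on y^2 = x^3 + 4 over F_p
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def first_point():  # smallest x >= 1 with x^3 + 4 a square; sqrt uses p % 4 == 3
    for x in range(1, 100):
        rhs = (x**3 + 4) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)

def in_g1(P):  # G1 membership: on the curve and annihilated by r
    return on_curve(P) and mul(r, P) is None

if __name__ == "__main__":
    print(embedding_degree(), in_g1(first_point()), in_g1(mul(h, first_point())))
```

A point found directly from the curve equation is on the curve but, with overwhelming probability, not in G1; multiplying by the cofactor h maps it into the order-r subgroup.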
