core: add Ethereum-compatible aliases for BLS12-381

Close #4041.

Signed-off-by: Tural Devrishev <tural@nspcc.ru>

Author: Tural Devrishev

go.mod

@@ -72,3 +72,5 @@ require (
 	google.golang.org/grpc v1.75.1 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 )
+
+replace github.com/nspcc-dev/neo-go/pkg/interop => ./pkg/interop

pkg/compiler/native_test.go

@@ -251,6 +251,7 @@ func TestNativeHelpersCompile(t *testing.T) {
 		{"bls12381Mul", []string{"crypto.Bls12381Point{}", "[]byte{1, 2, 3}", "true"}},
 		{"bls12381Pairing", []string{"crypto.Bls12381Point{}", "crypto.Bls12381Point{}"}},
 		{"keccak256", []string{"[]byte{1, 2, 3}"}},
+		{"bls12381MultiExp", []string{"[]crypto.Bls12381Pair{}"}},
 	})
 	runNativeTestCases(t, *cs.ByName(nativenames.StdLib).Metadata(), "std", []nativeTestCase{
 		{"serialize", []string{"[]byte{1, 2, 3}"}},

pkg/config/hardfork.go

@@ -54,6 +54,8 @@ const (
 	// https://github.com/neo-project/neo/pull/4147,
 	// https://github.com/neo-project/neo/pull/4150), #4057 (ported from
 	// https://github.com/neo-project/neo/pull/4278).
+	// https://github.com/neo-project/neo/pull/4150), #4050 (ported from
+	// https://github.com/neo-project/neo/pull/4186).
 	HFFaun // Faun
 	// hfLast denotes the end of hardforks enum. Consider adding new hardforks
 	// before hfLast.

pkg/core/native/crypto.go

@@ -6,8 +6,10 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+	"github.com/consensys/gnark-crypto/ecc/bls12-381/fp"
 	"math/big"
 
+	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa"
@@ -46,6 +48,16 @@ const (
 	Secp256r1Keccak256 NamedCurveHash = 123
 )
 
+const (
+	Bls12FieldElementLength = 64
+	Bls12G1EncodedLength    = 2 * Bls12FieldElementLength
+
+	Bls12G2EncodedLength = 4 * Bls12FieldElementLength
+	// Bls12381MultiExpMaxPairs is the maximum number of (point, scalar) pairs
+	// accepted by the Bls12381MultiExp native contract.
+	Bls12381MultiExpMaxPairs = 128
+)
+
 func newCrypto() *Crypto {
 	c := &Crypto{ContractMD: *interop.NewContractMD(nativenames.CryptoLib, nativeids.CryptoLib)}
 	defer c.BuildHFSpecificMD(c.ActiveIn())
@@ -134,6 +146,11 @@ func newCrypto() *Crypto {
 		manifest.NewParameter("signature", smartcontract.ByteArrayType))
 	md = NewMethodAndPrice(c.recoverSecp256K1, 1<<15, callflag.NoneFlag, config.HFEchidna)
 	c.AddMethod(md, desc)
+
+	desc = NewDescriptor("bls12381MultiExp", smartcontract.InteropInterfaceType,
+		manifest.NewParameter("pairs", smartcontract.ArrayType))
+	md = NewMethodAndPrice(c.bls12381MultiExp, 1<<23, callflag.NoneFlag, config.HFFaun)
+	c.AddMethod(md, desc)
 	return c
 }
 
@@ -335,6 +352,185 @@ func (c *Crypto) bls12381Deserialize(_ *interop.Context, args []stackitem.Item)
 	return stackitem.NewInterop(*p)
 }
 
+func (c *Crypto) bls12381EthereumPointSerialize(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	return serializeEthereumPoint(args[0])
+}
+
+func (c *Crypto) bls12381EthereumPointDeserialize(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	return deserializeEthereumPoint(args[0])
+}
+
+func (c *Crypto) bls12381EthereumPointsSerialize(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	points, ok := args[0].Value().([]stackitem.Item)
+	if !ok {
+		panic("points must be with array type")
+	}
+	res := make([]stackitem.Item, 0, len(points))
+	for _, p := range points {
+		res = append(res, serializeEthereumPoint(p))
+	}
+	return stackitem.NewArray(res)
+}
+
+func (c *Crypto) bls12381EthereumPointsDeserialize(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	points, ok := args[0].Value().([]stackitem.Item)
+	if !ok {
+		panic("points must be with array type")
+	}
+	res := make([]stackitem.Item, 0, len(points))
+	for _, p := range points {
+		res = append(res, deserializeEthereumPoint(p))
+	}
+	return stackitem.NewArray(res)
+}
+
+func (c *Crypto) bls12381EthereumPointsAndScalarsSerialize(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	pairs, ok := args[0].Value().([]stackitem.Item)
+	if !ok {
+		panic("points must be with array type")
+	}
+	res := make([]stackitem.Item, 0, len(pairs))
+	for _, si := range pairs {
+		if si.Type() != stackitem.ArrayT && si.Type() != stackitem.StructT {
+			panic("pair must be Array or Struct")
+		}
+		pair := si.Value().([]stackitem.Item)
+		if len(pair) != 2 {
+			panic("pair must contain point and scalar")
+		}
+		scalarLE, err := pair[1].TryBytes()
+		if err != nil {
+			panic(fmt.Errorf("can't get scalar bytes: %w", err))
+		}
+		scalarBytes := make([]byte, fr.Bytes)
+		copy(scalarBytes, scalarLE)
+		res = append(res, stackitem.NewArray([]stackitem.Item{
+			serializeEthereumPoint(pair[0]),
+			stackitem.NewByteArray(scalarBytes),
+		}))
+	}
+	return stackitem.NewArray(res)
+}
+
+func (c *Crypto) bls12381EthereumPointsAndScalarsDeserialize(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	pairs, ok := args[0].Value().([]stackitem.Item)
+	if !ok {
+		panic("points must be with array type")
+	}
+	res := make([]stackitem.Item, 0, len(pairs))
+	for _, si := range pairs {
+		if si.Type() != stackitem.ArrayT && si.Type() != stackitem.StructT {
+			panic("pair must be Array or Struct")
+		}
+		pair := si.Value().([]stackitem.Item)
+		if len(pair) != 2 {
+			panic("pair must contain point and scalar")
+		}
+		scalarBytes, err := pair[1].TryBytes()
+		if err != nil {
+			panic(fmt.Errorf("invalid multiplier: %w", err))
+		}
+		scalar, err := scalarFromBytes(scalarBytes, false)
+		if err != nil {
+			panic(fmt.Errorf("can't get scalar from bytes: %w", err))
+		}
+		res = append(res, stackitem.NewArray([]stackitem.Item{
+			deserializeEthereumPoint(pair[0]),
+			stackitem.NewBigInteger(scalar.BigInt(new(big.Int))),
+		}))
+	}
+	return stackitem.NewArray(res)
+}
+
+func serializeEthereumPoint(point stackitem.Item) stackitem.Item {
+	if point.Type() != stackitem.InteropT {
+		panic(fmt.Errorf("point type must be an %s, got %s", stackitem.InteropT, point.Type()))
+	}
+	p, ok := point.Value().(blsPoint)
+	if !ok {
+		panic("serialized item is not a bls12381 point")
+	}
+	var (
+		g1 *bls12381.G1Affine
+		g2 *bls12381.G2Affine
+	)
+	switch p := p.point.(type) {
+	case *bls12381.G1Affine:
+		g1 = p
+	case *bls12381.G1Jac:
+		g1 = new(bls12381.G1Affine).FromJacobian(p)
+	case *bls12381.G2Affine:
+		g2 = p
+	case *bls12381.G2Jac:
+		g2 = new(bls12381.G2Affine).FromJacobian(p)
+	default:
+		panic("invalid point type")
+	}
+	if g1 != nil {
+		if g1.IsInfinity() {
+			return stackitem.NewByteArray(make([]byte, Bls12G1EncodedLength))
+		}
+		bytes := g1.RawBytes()
+		return stackitem.NewByteArray(toEthereum(bytes[:]))
+	}
+	if g2.IsInfinity() {
+		return stackitem.NewByteArray(make([]byte, Bls12G2EncodedLength))
+	}
+	bytes := g2.RawBytes()
+	return stackitem.NewByteArray(toEthereum(bytes[:]))
+}
+
+func deserializeEthereumPoint(point stackitem.Item) stackitem.Item {
+	buf, err := point.TryBytes()
+	if err != nil {
+		panic(fmt.Errorf("invalid serialized ethereum point: %w", err))
+	}
+	if l := len(buf); l != Bls12G1EncodedLength && l != Bls12G2EncodedLength {
+		panic(fmt.Errorf("ethereum point must be with length %d or %d bytes, got %d bytes", Bls12G1EncodedLength, Bls12G2EncodedLength, l))
+	}
+	var p any
+	if len(buf) == Bls12G1EncodedLength {
+		g1 := &bls12381.G1Affine{}
+		_, err = g1.SetBytes(fromEthereum(buf))
+		p = g1
+	} else {
+		g2 := &bls12381.G2Affine{}
+		_, err = g2.SetBytes(fromEthereum(buf))
+		p = g2
+	}
+	if err != nil {
+		panic(err)
+	}
+	return stackitem.NewInterop(blsPoint{point: p})
+}
+
+func fromEthereum(data []byte) []byte {
+	var (
+		count = len(data) / Bls12FieldElementLength
+		res   = make([]byte, count*fp.Bytes)
+	)
+	for i := range count {
+		for _, b := range data[i*Bls12FieldElementLength : (i+1)*Bls12FieldElementLength-fp.Bytes] {
+			if b != 0 {
+				panic("bls12-381 field element overflow")
+			}
+		}
+		copy(res[i*fp.Bytes:(i+1)*fp.Bytes], data[(i+1)*Bls12FieldElementLength-fp.Bytes:(i+1)*Bls12FieldElementLength])
+	}
+	return res
+}
+
+func toEthereum(data []byte) []byte {
+	var (
+		count = len(data) / fp.Bytes
+		res   = make([]byte, count*Bls12FieldElementLength)
+	)
+	for i := range count {
+		copy(res[(i+1)*Bls12FieldElementLength-fp.Bytes:(i+1)*Bls12FieldElementLength], data[i*fp.Bytes:(i+1)*fp.Bytes])
+	}
+	return res
+}
+
 func (c *Crypto) bls12381Equal(_ *interop.Context, args []stackitem.Item) stackitem.Item {
 	a, okA := args[0].(*stackitem.Interop).Value().(blsPoint)
 	b, okB := args[1].(*stackitem.Interop).Value().(blsPoint)
@@ -362,6 +558,78 @@ func (c *Crypto) bls12381Add(_ *interop.Context, args []stackitem.Item) stackite
 	return stackitem.NewInterop(p)
 }
 
+func (c *Crypto) bls12381MultiExp(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	pairs := args[0].Value().([]stackitem.Item)
+	if len(pairs) == 0 {
+		panic("BLS12-381 multi exponent requires at least one pair")
+	}
+	if len(pairs) > Bls12381MultiExpMaxPairs {
+		panic(fmt.Sprintf("BLS12-381 multi exponent supports at most %d pairs", Bls12381MultiExpMaxPairs))
+	}
+	var (
+		useG2       int // 1 => use G2
+		accumulator blsPoint
+	)
+	for _, si := range pairs {
+		if si.Type() != stackitem.ArrayT && si.Type() != stackitem.StructT {
+			panic("BLS12-381 multi exponent pair must be Array or Struct")
+		}
+		pair := si.Value().([]stackitem.Item)
+		if len(pair) != 2 {
+			panic("BLS12-381 multi exponent pair must contain point and scalar")
+		}
+		if pair[0].Type() != stackitem.InteropT {
+			panic("BLS12-381 multi exponent requires interop points")
+		}
+		point, ok := pair[0].Value().(blsPoint)
+		if !ok {
+			panic("BLS12-381 multi exponent interop must contain blsPoint")
+		}
+		switch point.point.(type) {
+		case *bls12381.G1Jac, *bls12381.G1Affine:
+			useG2 = ensureGroupType(useG2, -1)
+		case *bls12381.G2Jac, *bls12381.G2Affine:
+			useG2 = ensureGroupType(useG2, 1)
+		default:
+			panic("BLS12-381 type mismatch")
+		}
+		mulBytes, err := pair[1].TryBytes()
+		if err != nil {
+			panic(fmt.Errorf("invalid multiplier: %w", err))
+		}
+		alpha, err := scalarFromBytes(mulBytes, false)
+		if err != nil {
+			panic(err)
+		}
+		if alpha.BigInt(new(big.Int)).Sign() == 0 {
+			continue
+		}
+		res, err := blsPointMul(point, alpha.BigInt(new(big.Int)))
+		if err != nil {
+			panic(err)
+		}
+		if accumulator.point == nil {
+			accumulator.point = res.point
+		} else if accumulator, err = blsPointAdd(accumulator, res); err != nil {
+			panic(err)
+		}
+	}
+	if useG2 == 0 {
+		panic("BLS12-381 multi exponent requires at least one valid pair")
+	}
+	return stackitem.NewInterop(accumulator)
+}
+
+func ensureGroupType(useG2, isG2 int) int {
+	if useG2 == 0 {
+		return isG2
+	}
+	if useG2 != isG2 {
+		panic("BLS12-381 multi exponent cannot mix groups")
+	}
+	return isG2
+}
+
 func scalarFromBytes(bytes []byte, neg bool) (*fr.Element, error) {
 	alpha := new(fr.Element)
 	if len(bytes) != fr.Bytes {