core: add Ethereum-compatible aliases for BLS12-381

Tural Devrishev · Tural Devrishev · commit 11020de2e2b9 · 2025-10-27T14:01:43.000+04:00
Close #4041. Signed-off-by: Tural Devrishev <tural@nspcc.ru>
diff --git a/docs/node-configuration.md b/docs/node-configuration.md
@@ -582,7 +582,7 @@ in development and can change in an incompatible way.
 | `Cockatrice`    | Introduces the ability to update native contracts. Includes a couple of new native smart contract APIs: `keccak256` of native CryptoLib contract and `getCommitteeAddress` of native NeoToken contract. | https://github.com/nspcc-dev/neo-go/pull/3402 <br> https://github.com/neo-project/neo/pull/2942 <br> https://github.com/nspcc-dev/neo-go/pull/3301 <br> https://github.com/neo-project/neo/pull/2925 <br> https://github.com/nspcc-dev/neo-go/pull/3362 <br> https://github.com/neo-project/neo/pull/3154 |
 | `Domovoi`       | Makes node use executing contract state for the contract call permissions check instead of the state stored in the native Management contract. In C# also makes System.Runtime.GetNotifications interop properly count stack references of notification parameters which prevents users from creating objects that exceed MaxStackSize constraint, but NeoGo has never had this bug, thus proper behaviour is preserved even before HFDomovoi. It results in the fact that some T5 testnet transactions have different ApplicationLogs compared to the C# node, but the node states match. | https://github.com/nspcc-dev/neo-go/pull/3476 <br> https://github.com/neo-project/neo/pull/3290 <br> https://github.com/nspcc-dev/neo-go/pull/3473 <br> https://github.com/neo-project/neo/pull/3290 <br> https://github.com/neo-project/neo/pull/3301 <br> https://github.com/nspcc-dev/neo-go/pull/3485 |
 | `Echidna`       | Introduces `Designation` event extension with `Old` and `New` roles data to native RoleManagement contract. Adds support for `base64UrlEncode` and `base64UrlDecode` methods to native StdLib contract. Extends the list of required call flags for `registerCandidate`, `unregisterCandidate`and `vote` methods of native NeoToken contract with AllowNotify flag. Enables `onNEP17Payment` method of NEO contract for candidate registration. Introduces constraint for maximum number of execution notifications. Adds support for `recoverSecp256K1` method of native CryptoLib contract. Introduces `setMillisecondsPerBlock` and `getMillisecondsPerBlock` methods of native Policy contract. Introduces support for NotaryAssisted transaction attribute and native Notary contract. | https://github.com/nspcc-dev/neo-go/pull/3554 <br> https://github.com/nspcc-dev/neo-go/pull/3761 <br> https://github.com/nspcc-dev/neo-go/pull/3554 <br> https://github.com/neo-project/neo/pull/3597 <br> https://github.com/nspcc-dev/neo-go/pull/3700 <br> https://github.com/nspcc-dev/neo-go/pull/3640 <br> https://github.com/neo-project/neo/pull/3548 <br> https://github.com/nspcc-dev/neo-go/pull/3863 <br> https://github.com/neo-project/neo/pull/3696 <br> https://github.com/neo-project/neo/pull/3895 <br> https://github.com/nspcc-dev/neo-go/pull/3835 <br> https://github.com/nspcc-dev/neo-go/pull/3854 <br> https://github.com/neo-project/neo/pull/3175 <br> https://github.com/nspcc-dev/neo-go/pull/3478 <br> https://github.com/neo-project/neo/pull/3178 |
-| `Faun`          | Adds `getBlockedAccounts` method to native Policy contract. Adds `hexEncode` and `hexDecode` methods to native StdLib contract. | https://github.com/nspcc-dev/neo-go/pull/3932 <br> https://github.com/nspcc-dev/neo-go/pull/4004 <br> https://github.com/neo-project/neo/pull/4147 <br> https://github.com/neo-project/neo/pull/4150 |
+| `Faun`          | Adds `getBlockedAccounts` method to native Policy contract. Adds `hexEncode` and `hexDecode` methods to native StdLib contract. | https://github.com/nspcc-dev/neo-go/pull/3932 <br> https://github.com/nspcc-dev/neo-go/pull/4004 <br> https://github.com/neo-project/neo/pull/4147 <br> https://github.com/neo-project/neo/pull/4150 <br> https://github.com/nspcc-dev/neo-go/pull/4050 <br> https://github.com/neo-project/neo/pull/4186 |
 
 ## DB compatibility
 
diff --git a/go.mod b/go.mod
@@ -72,3 +72,5 @@ require (
 	google.golang.org/grpc v1.75.1 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 )
+
+replace github.com/nspcc-dev/neo-go/pkg/interop => ./pkg/interop
diff --git a/pkg/compiler/native_test.go b/pkg/compiler/native_test.go
@@ -250,6 +250,7 @@ func TestNativeHelpersCompile(t *testing.T) {
 		{"bls12381Mul", []string{"crypto.Bls12381Point{}", "[]byte{1, 2, 3}", "true"}},
 		{"bls12381Pairing", []string{"crypto.Bls12381Point{}", "crypto.Bls12381Point{}"}},
 		{"keccak256", []string{"[]byte{1, 2, 3}"}},
+		{"bls12381MultiExp", []string{"[]crypto.Bls12381Pair{}"}},
 	})
 	runNativeTestCases(t, *cs.ByName(nativenames.StdLib).Metadata(), "std", []nativeTestCase{
 		{"serialize", []string{"[]byte{1, 2, 3}"}},
diff --git a/pkg/config/hardfork.go b/pkg/config/hardfork.go
@@ -52,7 +52,8 @@ const (
 	HFEchidna // Echidna
 	// HFFaun represents hard-fork introduced in #3931, #4004 (ported from
 	// https://github.com/neo-project/neo/pull/4147,
-	// https://github.com/neo-project/neo/pull/4150).
+	// https://github.com/neo-project/neo/pull/4150), #4050 (ported from
+	// https://github.com/neo-project/neo/pull/4186).
 	HFFaun // Faun
 	// hfLast denotes the end of hardforks enum. Consider adding new hardforks
 	// before hfLast.
diff --git a/pkg/core/native/crypto.go b/pkg/core/native/crypto.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"math/big"
 
+	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa"
@@ -40,10 +41,11 @@ type NamedCurveHash byte
 
 // Various pairs of named elliptic curves and hash functions.
 const (
-	Secp256k1Sha256    NamedCurveHash = 22
-	Secp256r1Sha256    NamedCurveHash = 23
-	Secp256k1Keccak256 NamedCurveHash = 122
-	Secp256r1Keccak256 NamedCurveHash = 123
+	Secp256k1Sha256          NamedCurveHash = 22
+	Secp256r1Sha256          NamedCurveHash = 23
+	Secp256k1Keccak256       NamedCurveHash = 122
+	Secp256r1Keccak256       NamedCurveHash = 123
+	Bls12381MultiExpMaxPairs                = 128
 )
 
 func newCrypto() *Crypto {
@@ -134,6 +136,11 @@ func newCrypto() *Crypto {
 		manifest.NewParameter("signature", smartcontract.ByteArrayType))
 	md = NewMethodAndPrice(c.recoverSecp256K1, 1<<15, callflag.NoneFlag, config.HFEchidna)
 	c.AddMethod(md, desc)
+
+	desc = NewDescriptor("bls12381MultiExp", smartcontract.InteropInterfaceType,
+		manifest.NewParameter("pairs", smartcontract.ArrayType))
+	md = NewMethodAndPrice(c.bls12381MultiExp, 1<<23, callflag.NoneFlag, config.HFFaun)
+	c.AddMethod(md, desc)
 	return c
 }
 
@@ -362,6 +369,96 @@ func (c *Crypto) bls12381Add(_ *interop.Context, args []stackitem.Item) stackite
 	return stackitem.NewInterop(p)
 }
 
+func (c *Crypto) bls12381MultiExp(_ *interop.Context, args []stackitem.Item) stackitem.Item {
+	pairs := args[0].Value().([]stackitem.Item)
+	if len(pairs) == 0 {
+		panic("BLS12-381 multi exponent requires at least one pair")
+	}
+	if len(pairs) > Bls12381MultiExpMaxPairs {
+		panic(fmt.Sprintf("BLS12-381 multi exponent supports at most %d pairs", Bls12381MultiExpMaxPairs))
+	}
+	var (
+		useG2       int // 1 => use G2
+		accumulator blsPoint
+	)
+	for _, si := range pairs {
+		if si.Type() != stackitem.ArrayT && si.Type() != stackitem.StructT {
+			panic("BLS12-381 multi exponent pair must be Array or Struct")
+		}
+		pair := si.Value().([]stackitem.Item)
+		if len(pair) != 2 {
+			panic("BLS12-381 multi exponent pair must contain point and scalar")
+		}
+		if pair[0].Type() != stackitem.InteropT {
+			panic("BLS12-381 multi exponent requires interop points")
+		}
+		point, ok := pair[0].Value().(blsPoint)
+		if !ok {
+			panic("BLS12-381 multi exponent interop must contain blsPoint")
+		}
+		switch point.point.(type) {
+		case *bls12381.G1Jac, *bls12381.G1Affine:
+			useG2 = ensureGroupType(useG2, -1)
+		case *bls12381.G2Jac, *bls12381.G2Affine:
+			useG2 = ensureGroupType(useG2, 1)
+		default:
+			panic("BLS12-381 type mismatch")
+		}
+		scalar, err := parseScalar(pair[1])
+		if err != nil {
+			panic(err)
+		}
+		if scalar.BigInt(new(big.Int)).Sign() == 0 {
+			continue
+		}
+		res, err := blsPointMul(point, scalar.BigInt(new(big.Int)))
+		if err != nil {
+			panic(err)
+		}
+		if accumulator.point == nil {
+			accumulator.point = res.point
+		} else if accumulator, err = blsPointAdd(accumulator, res); err != nil {
+			panic(err)
+		}
+	}
+	if useG2 == 0 {
+		panic("BLS12-381 multi exponent requires at least one valid pair")
+	}
+	return stackitem.NewInterop(accumulator)
+}
+
+func ensureGroupType(useG2, isG2 int) int {
+	if useG2 == 0 {
+		return isG2
+	}
+	if useG2 != isG2 {
+		panic("BLS12-381 multi exponent cannot mix groups")
+	}
+	return isG2
+}
+
+func parseScalar(item stackitem.Item) (*fr.Element, error) {
+	bytes, err := item.TryBytes()
+	if err != nil {
+		return nil, fmt.Errorf("invalid multiplier: %w", err)
+	}
+	l := len(bytes)
+	if l != fr.Bytes && l != 2*fr.Bytes {
+		return nil, fmt.Errorf("invalid multiplier: 32- or 64-bytes scalar is expected, got %d", l)
+	}
+	if l == fr.Bytes {
+		v, err := fr.LittleEndian.Element((*[fr.Bytes]byte)(bytes))
+		if err == nil {
+			return &v, nil
+		}
+	}
+	beBytes := make([]byte, l)
+	for i := range l {
+		beBytes[l-i-1] = bytes[i]
+	}
+	return new(fr.Element).SetBigInt(new(big.Int).SetBytes(beBytes)), nil
+}
+
 func scalarFromBytes(bytes []byte, neg bool) (*fr.Element, error) {
 	alpha := new(fr.Element)
 	if len(bytes) != fr.Bytes {
diff --git a/pkg/core/native/crypto_test.go b/pkg/core/native/crypto_test.go
@@ -4,15 +4,18 @@ import (
 	"crypto/ed25519"
 	"encoding/binary"
 	"encoding/hex"
+	"fmt"
 	"math"
 	"math/big"
 	"slices"
 	"testing"
 
+	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
 	"github.com/nspcc-dev/neo-go/pkg/core/interop"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
+	"github.com/nspcc-dev/neo-go/pkg/encoding/bigint"
 	"github.com/nspcc-dev/neo-go/pkg/vm"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 	"github.com/stretchr/testify/require"
@@ -393,3 +396,109 @@ func TestKeccak256(t *testing.T) {
 
 	require.Equal(t, expected, actual)
 }
+
+func TestBlsMultiExp(t *testing.T) {
+	const (
+		g1Hex = "97f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb"
+		g2Hex = "93e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e" +
+			"024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8"
+	)
+	g1, err := hex.DecodeString(g1Hex)
+	require.NoError(t, err)
+
+	g2, err := hex.DecodeString(g2Hex)
+	require.NoError(t, err)
+
+	crypto := newCrypto()
+
+	t.Run("multiExpG1", func(t *testing.T) {
+		var g1Point bls12381.G1Affine
+		_, err = g1Point.SetBytes(g1)
+		require.NoError(t, err)
+		one := make([]byte, fr.Bytes)
+		bigint.ToPreallocatedBytes(new(big.Int).SetUint64(1), one)
+		two := make([]byte, fr.Bytes)
+		bigint.ToPreallocatedBytes(new(big.Int).SetUint64(2), two)
+
+		pairs := stackitem.NewArray([]stackitem.Item{
+			stackitem.NewArray([]stackitem.Item{
+				stackitem.NewInterop(blsPoint{point: &g1Point}),
+				stackitem.NewByteArray(one),
+			}),
+			stackitem.NewArray([]stackitem.Item{
+				stackitem.NewInterop(blsPoint{point: &g1Point}),
+				stackitem.NewByteArray(two),
+			}),
+		})
+		actual, ok := crypto.bls12381MultiExp(nil, []stackitem.Item{pairs}).(*stackitem.Interop).Value().(blsPoint)
+		require.True(t, ok)
+		expected, err := blsPointMul(blsPoint{point: &g1Point}, new(big.Int).SetUint64(3))
+		require.NoError(t, err)
+		require.Equal(t, expected, actual)
+	})
+
+	t.Run("multiExpG2", func(t *testing.T) {
+		var g2Point bls12381.G2Affine
+		_, err = g2Point.SetBytes(g2)
+		require.NoError(t, err)
+		five := make([]byte, fr.Bytes)
+		bigint.ToPreallocatedBytes(new(big.Int).SetUint64(5), five)
+
+		pairs := stackitem.NewArray([]stackitem.Item{
+			stackitem.NewArray([]stackitem.Item{
+				stackitem.NewInterop(blsPoint{point: &g2Point}),
+				stackitem.NewByteArray(five),
+			}),
+		})
+		actual, ok := crypto.bls12381MultiExp(nil, []stackitem.Item{pairs}).(*stackitem.Interop).Value().(blsPoint)
+		require.True(t, ok)
+		expected, err := blsPointMul(blsPoint{point: &g2Point}, new(big.Int).SetUint64(5))
+		require.NoError(t, err)
+		require.Equal(t, expected, actual)
+	})
+
+	t.Run("reduces scalar", func(t *testing.T) {
+		var g1Point bls12381.G1Affine
+		_, err = g1Point.SetBytes(g1)
+		require.NoError(t, err)
+		twoPlusR := make([]byte, fr.Bytes)
+		bigint.ToPreallocatedBytes(new(big.Int).Add(fr.Modulus(), big.NewInt(2)), twoPlusR)
+
+		pairs := stackitem.NewArray([]stackitem.Item{
+			stackitem.NewArray([]stackitem.Item{
+				stackitem.NewInterop(blsPoint{point: &g1Point}),
+				stackitem.NewByteArray(twoPlusR),
+			}),
+		})
+		actual, ok := crypto.bls12381MultiExp(nil, []stackitem.Item{pairs}).(*stackitem.Interop).Value().(blsPoint)
+		require.True(t, ok)
+		expected, err := blsPointMul(blsPoint{point: &g1Point}, new(big.Int).SetUint64(2))
+		require.NoError(t, err)
+		require.Equal(t, expected, actual)
+	})
+
+	t.Run("empty pairs", func(t *testing.T) {
+		require.PanicsWithValue(t, "BLS12-381 multi exponent requires at least one pair", func() {
+			crypto.bls12381MultiExp(nil, []stackitem.Item{stackitem.NewArray([]stackitem.Item{})})
+		})
+	})
+	t.Run("too many pairs", func(t *testing.T) {
+		require.PanicsWithValue(t, fmt.Sprintf("BLS12-381 multi exponent supports at most %d pairs", Bls12381MultiExpMaxPairs), func() {
+			crypto.bls12381MultiExp(nil, []stackitem.Item{stackitem.NewArray(make([]stackitem.Item, Bls12381MultiExpMaxPairs+1))})
+		})
+	})
+	t.Run("invalid pair type", func(t *testing.T) {
+		require.PanicsWithValue(t, "BLS12-381 multi exponent pair must be Array or Struct", func() {
+			crypto.bls12381MultiExp(nil, []stackitem.Item{stackitem.NewArray([]stackitem.Item{
+				stackitem.NewMap(),
+			})})
+		})
+	})
+	t.Run("invalid pair length", func(t *testing.T) {
+		require.PanicsWithValue(t, "BLS12-381 multi exponent pair must contain point and scalar", func() {
+			crypto.bls12381MultiExp(nil, []stackitem.Item{stackitem.NewArray([]stackitem.Item{
+				stackitem.NewArray(nil),
+			})})
+		})
+	})
+}
diff --git a/pkg/core/native/native_test/cryptolib_test.go b/pkg/core/native/native_test/cryptolib_test.go
@@ -10,8 +10,10 @@ import (
 	bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381"
 	"github.com/consensys/gnark-crypto/ecc/bls12-381/fr"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4"
+	"github.com/nspcc-dev/neo-go/pkg/compiler"
 	"github.com/nspcc-dev/neo-go/pkg/config"
 	"github.com/nspcc-dev/neo-go/pkg/core/native"
+	"github.com/nspcc-dev/neo-go/pkg/core/native/nativehashes"
 	"github.com/nspcc-dev/neo-go/pkg/core/native/nativenames"
 	"github.com/nspcc-dev/neo-go/pkg/io"
 	"github.com/nspcc-dev/neo-go/pkg/neotest"
@@ -595,3 +597,69 @@ func TestCryptoLib_RecoverSecp256K1_EIP2098Compat(t *testing.T) {
 		committeeInvoker.Invoke(t, pubBytes, "recoverSecp256K1", msgH, sigCompact)
 	}
 }
+
+func TestCryptoLib_Bls12381MultiExp(t *testing.T) {
+	bc, acc := chain.NewSingleWithCustomConfig(t, func(c *config.Blockchain) {
+		c.Hardforks = map[string]uint32{
+			config.HFFaun.String(): 2,
+		}
+	})
+
+	e := neotest.NewExecutor(t, bc, acc, acc)
+	c := e.CommitteeInvoker(nativehashes.CryptoLib)
+
+	var g1Point bls12381.G1Affine
+	_, err := g1Point.SetBytes(g1)
+	require.NoError(t, err)
+
+	c.InvokeFail(t, "method not found: bls12381MultiExp/1", "bls12381MultiExp", stackitem.NewArray(nil))
+
+	script := io.NewBufBinWriter()
+	multiplier := make([]byte, fr.Bytes)
+	multiplier[0] = 1
+	emit.Bytes(script.BinWriter, multiplier)
+	emit.AppCall(script.BinWriter, c.Hash, "bls12381Deserialize", callflag.All, g1)
+	emit.Opcodes(script.BinWriter, opcode.PUSH2, opcode.PACK, opcode.PUSH1, opcode.PACK, opcode.PUSH1, opcode.PACK)
+	emit.AppCallNoArgs(script.BinWriter, c.Hash, "bls12381MultiExp", callflag.All)
+
+	e.AddNewBlock(t)
+	stack, err := c.TestInvokeScript(t, script.Bytes(), c.Signers)
+	require.NoError(t, err)
+	require.Equal(t, 1, stack.Len())
+	itm := stack.Pop().Item()
+	require.Equal(t, stackitem.InteropT, itm.Type())
+	actual, ok := itm.(*stackitem.Interop).Value().(serializable)
+	require.True(t, ok)
+	require.Equal(t, hex.EncodeToString(g1), hex.EncodeToString(actual.Bytes()))
+}
+
+func TestCryptoLib_Bls12381MultiExpInteropAPI(t *testing.T) {
+	bc, acc := chain.NewSingleWithCustomConfig(t, func(c *config.Blockchain) {
+		c.Hardforks = map[string]uint32{
+			config.HFFaun.String(): 0,
+		}
+	})
+	e := neotest.NewExecutor(t, bc, acc, acc)
+
+	src := `package testcryptolib
+		import "github.com/nspcc-dev/neo-go/pkg/interop/native/crypto"
+		func Bls12381MultiExp(point, scalar []byte) []byte {
+			pairs := []crypto.Bls12381Pair{
+				{
+					Point: crypto.Bls12381Deserialize(point),
+					Scalar: scalar,
+				},
+			}
+			return crypto.Bls12381Serialize(crypto.Bls12381MultiExp(pairs))
+		}`
+
+	ctr := neotest.CompileSource(t, e.Validator.ScriptHash(), strings.NewReader(src), &compiler.Options{
+		Name: "testcryptolib_contract",
+	})
+	e.DeployContract(t, ctr, nil)
+
+	ctrInvoker := e.NewInvoker(ctr.Hash, e.Committee)
+	multiplier := make([]byte, fr.Bytes)
+	multiplier[0] = 1
+	ctrInvoker.Invoke(t, g1, "bls12381MultiExp", g1, multiplier)
+}
diff --git a/pkg/core/native/native_test/management_test.go b/pkg/core/native/native_test/management_test.go
diff --git a/pkg/interop/native/crypto/crypto.go b/pkg/interop/native/crypto/crypto.go

Original file line number	Diff line number	Diff line change
`@@ -72,3 +72,5 @@ require (`
`72`	`72`	`google.golang.org/grpc v1.75.1 // indirect`
`73`	`73`	`google.golang.org/protobuf v1.36.9 // indirect`
`74`	`74`	`)`
	`75`	`+`
	`76`	`+replace github.com/nspcc-dev/neo-go/pkg/interop => ./pkg/interop`