This page is a placeholder. All examples on this page are currently AI-generated and are not correct. This documentation will be completed in the future with accurate, tested examples.
Overview
Address: 0x0000000000000000000000000000000000000013
Introduced: Prague (EIP-2537)
EIP: EIP-2537
The BLS12-381 Map Fp2 to G2 precompile maps an element from the quadratic extension field Fp2 to a point on the G2 curve. This is the G2 equivalent of the G1 hash-to-curve operation, essential for BLS signatures where messages are hashed to G2 (the standard BLS variant).
G2 operates over Fp2, the quadratic extension field Fp2 = Fp[u]/(u²+1), providing additional algebraic structure required for pairing-based cryptography. Most BLS signature schemes hash messages to G2 rather than G1 for efficiency reasons.
Hash-to-Curve for G2
The complete hash-to-curve process for G2:
- Hash message to two Fp2 elements using hash_to_field (external)
- Map each Fp2 element to G2 point using this precompile (0x13)
- Add the two points (use G2_ADD precompile 0x0e)
- Clear cofactor to ensure point is in correct subgroup (if needed)
This precompile implements step 2: mapping a single Fp2 element to a G2 curve point.
Extension Field Fp2
Fp2 is constructed as Fp[u]/(u²+1), where:
- Elements have form:
a = c0 + c1*u
- Addition:
(a0 + a1*u) + (b0 + b1*u) = (a0+b0) + (a1+b1)*u
- Multiplication:
(a0 + a1*u) * (b0 + b1*u) = (a0*b0 - a1*b1) + (a0*b1 + a1*b0)*u
- Constraint:
u² = -1
Each component c0, c1 is an element of the base field Fp.
Gas Cost
Fixed cost: 75,000 gas (current implementation)
Note: The EIP-2537 specification proposes 23,800 gas for this operation. The current implementation uses 75,000 gas which may represent a pre-repricing value or conservative estimate. Consult the latest EIP-2537 status for the finalized gas cost. Code uses 75,000 in /Users/williamcory/voltaire/src/precompiles/precompiles.ts line 1196.
Higher than G1 mapping (5,500 gas) due to:
- Larger field (Fp2 vs Fp)
- More complex curve arithmetic
- G2 point operations are inherently more expensive
Still much cheaper than scalar multiplication operations.
Total input length: 128 bytes (exactly)
Fp2 element encoding:
- Element is
c0 + c1*u where u² = -1
- Each component must be < field modulus p
- Both components big-endian, left-padded to 64 bytes
- All values where c0, c1 ∈ [0, p-1] are valid
BLS12-381 field modulus p:
Total output length: 256 bytes (G2 point in uncompressed form)
G2 point structure:
- x = x.c0 + x.c1*u (Fp2 element)
- y = y.c0 + y.c1*u (Fp2 element)
- Satisfies curve equation: y² = x³ + 4(1+u)
Usage Examples
TypeScript
Zig
Error Conditions
- Out of gas: Gas limit less than 75,000 (current implementation)
- Invalid input length: Input not exactly 128 bytes
- Field element overflow: c0 >= p or c1 >= p
- Invalid Fp2 encoding: Malformed extension field element
All Fp2 elements with both components in range [0, p-1] are valid inputs.
Use Cases
BLS Signature Scheme (Standard Variant)
Standard BLS hashes messages to G2, signs in G2:
Aggregate Signatures
Multiple signatures on different messages:
Threshold Signatures
Distribute signing authority across multiple parties:
Boneh-Lynn-Shacham Signatures
Original BLS paper construction:
- Short signatures (G2 points)
- Aggregation without interaction
- Batch verification
Implementation Details
- Algorithm: Simplified SWU map for G2 curve
- Curve: BLS12-381 G2 over Fp2 (twist curve)
- Equation: y² = x³ + 4(1+u) where u² = -1
- Properties: Deterministic, constant-time, uniform distribution
- Zig: Uses blst library via C FFI
- TypeScript: Uses @noble/curves BLS12-381
G2 Curve Properties
G2 is the twist of the base curve:
- Defined over Fp2 instead of Fp
- Same group order as G1
- Larger representation (256 bytes vs 128 bytes)
- Slower arithmetic but richer structure for pairings
Why Hash to G2?
BLS signatures typically hash to G2 because:
- Verification efficiency: Public keys in G1 (smaller)
- Signature aggregation: Addition in G2 during signing
- Pairing efficiency: G1 in first position of pairing is faster
Alternative (hash to G1) is used when aggregating public keys instead.
Hash-to-Curve Standards
Implements mapping from:
Complete hash-to-curve (standards-compliant):
- hash_to_field: message → (u0, u1) where ui ∈ Fp2
- map_to_curve: ui → Qi for i = 0,1 (this precompile)
- Q = Q0 + Q1 (use G2_ADD)
- P = clear_cofactor(Q)
Security Considerations
Constant-Time Execution
Critical for signature schemes:
- No timing leakage of field element values
- Uniform execution across all valid inputs
- Protects against side-channel attacks on secret keys
Two-map construction (u0, u1) ensures:
- Output distribution indistinguishable from random
- No bias toward specific curve points
- Security proofs require uniformity
Domain Separation Tags
Use unique DST per protocol:
Prevents cross-protocol attacks.
Subgroup Checking
After mapping, ensure point is in correct subgroup:
- G2 has cofactor h = 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5
- Clear cofactor by multiplying:
P = h * Q
- Or use cofactor clearing map (protocol-specific)
Gas Comparison
| Operation | Gas | Notes |
|---|
| Map Fp to G1 | 5,500 | Base field |
| Map Fp2 to G2 | 75,000 | Extension field (13.6x) |
| G1 Add | 500 | Point addition |
| G2 Add | 800 | Point addition |
| G1 Mul | 12,000 | Scalar multiplication |
| G2 Mul | 45,000 | Scalar multiplication |
G2 operations consistently ~3-13x more expensive than G1.
Complete Hash-to-G2 Cost
Plus external hash_to_field computation. Note: If EIP-2537 repricing occurs (23,800 per map), total would be ~48,400 gas.
Test Vectors
Zero Fp2 Element
Non-zero c0, Zero c1
Both Components Non-zero
Determinism Verification