Skip to main content
This page is a placeholder. All examples on this page are currently AI-generated and are not correct. This documentation will be completed in the future with accurate, tested examples.

Overview

Address: 0x0000000000000000000000000000000000000013 Introduced: Prague (EIP-2537) EIP: EIP-2537 The BLS12-381 Map Fp2 to G2 precompile maps an element from the quadratic extension field Fp2 to a point on the G2 curve. This is the G2 equivalent of the G1 hash-to-curve operation, essential for BLS signatures where messages are hashed to G2 (the standard BLS variant). G2 operates over Fp2, the quadratic extension field Fp2 = Fp[u]/(u²+1), providing additional algebraic structure required for pairing-based cryptography. Most BLS signature schemes hash messages to G2 rather than G1 for efficiency reasons.

Hash-to-Curve for G2

The complete hash-to-curve process for G2:
  1. Hash message to two Fp2 elements using hash_to_field (external)
  2. Map each Fp2 element to G2 point using this precompile (0x13)
  3. Add the two points (use G2_ADD precompile 0x0e)
  4. Clear cofactor to ensure point is in correct subgroup (if needed)
This precompile implements step 2: mapping a single Fp2 element to a G2 curve point.

Extension Field Fp2

Fp2 is constructed as Fp[u]/(u²+1), where:
  • Elements have form: a = c0 + c1*u
  • Addition: (a0 + a1*u) + (b0 + b1*u) = (a0+b0) + (a1+b1)*u
  • Multiplication: (a0 + a1*u) * (b0 + b1*u) = (a0*b0 - a1*b1) + (a0*b1 + a1*b0)*u
  • Constraint: u² = -1
Each component c0, c1 is an element of the base field Fp.

Gas Cost

Fixed cost: 75,000 gas (current implementation) Note: The EIP-2537 specification proposes 23,800 gas for this operation. The current implementation uses 75,000 gas which may represent a pre-repricing value or conservative estimate. Consult the latest EIP-2537 status for the finalized gas cost. Code uses 75,000 in /Users/williamcory/voltaire/src/precompiles/precompiles.ts line 1196. Higher than G1 mapping (5,500 gas) due to:
  • Larger field (Fp2 vs Fp)
  • More complex curve arithmetic
  • G2 point operations are inherently more expensive
Still much cheaper than scalar multiplication operations.

Input Format

Total input length: 128 bytes (exactly) Fp2 element encoding:
  • Element is c0 + c1*u where u² = -1
  • Each component must be < field modulus p
  • Both components big-endian, left-padded to 64 bytes
  • All values where c0, c1 ∈ [0, p-1] are valid
BLS12-381 field modulus p:

Output Format

Total output length: 256 bytes (G2 point in uncompressed form) G2 point structure:
  • x = x.c0 + x.c1*u (Fp2 element)
  • y = y.c0 + y.c1*u (Fp2 element)
  • Satisfies curve equation: y² = x³ + 4(1+u)

Usage Examples

TypeScript

Zig

Error Conditions

  • Out of gas: Gas limit less than 75,000 (current implementation)
  • Invalid input length: Input not exactly 128 bytes
  • Field element overflow: c0 >= p or c1 >= p
  • Invalid Fp2 encoding: Malformed extension field element
All Fp2 elements with both components in range [0, p-1] are valid inputs.

Use Cases

BLS Signature Scheme (Standard Variant)

Standard BLS hashes messages to G2, signs in G2:

Aggregate Signatures

Multiple signatures on different messages:

Threshold Signatures

Distribute signing authority across multiple parties:

Boneh-Lynn-Shacham Signatures

Original BLS paper construction:
  • Short signatures (G2 points)
  • Aggregation without interaction
  • Batch verification

Implementation Details

  • Algorithm: Simplified SWU map for G2 curve
  • Curve: BLS12-381 G2 over Fp2 (twist curve)
  • Equation: y² = x³ + 4(1+u) where u² = -1
  • Properties: Deterministic, constant-time, uniform distribution
  • Zig: Uses blst library via C FFI
  • TypeScript: Uses @noble/curves BLS12-381

G2 Curve Properties

G2 is the twist of the base curve:
  • Defined over Fp2 instead of Fp
  • Same group order as G1
  • Larger representation (256 bytes vs 128 bytes)
  • Slower arithmetic but richer structure for pairings

Why Hash to G2?

BLS signatures typically hash to G2 because:
  1. Verification efficiency: Public keys in G1 (smaller)
  2. Signature aggregation: Addition in G2 during signing
  3. Pairing efficiency: G1 in first position of pairing is faster
Alternative (hash to G1) is used when aggregating public keys instead.

Hash-to-Curve Standards

Implements mapping from: Complete hash-to-curve (standards-compliant):
  1. hash_to_field: message → (u0, u1) where ui ∈ Fp2
  2. map_to_curve: ui → Qi for i = 0,1 (this precompile)
  3. Q = Q0 + Q1 (use G2_ADD)
  4. P = clear_cofactor(Q)

Security Considerations

Constant-Time Execution

Critical for signature schemes:
  • No timing leakage of field element values
  • Uniform execution across all valid inputs
  • Protects against side-channel attacks on secret keys

Uniform Distribution

Two-map construction (u0, u1) ensures:
  • Output distribution indistinguishable from random
  • No bias toward specific curve points
  • Security proofs require uniformity

Domain Separation Tags

Use unique DST per protocol:
Prevents cross-protocol attacks.

Subgroup Checking

After mapping, ensure point is in correct subgroup:
  • G2 has cofactor h = 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5
  • Clear cofactor by multiplying: P = h * Q
  • Or use cofactor clearing map (protocol-specific)

Performance Notes

Gas Comparison

OperationGasNotes
Map Fp to G15,500Base field
Map Fp2 to G275,000Extension field (13.6x)
G1 Add500Point addition
G2 Add800Point addition
G1 Mul12,000Scalar multiplication
G2 Mul45,000Scalar multiplication
G2 operations consistently ~3-13x more expensive than G1.

Complete Hash-to-G2 Cost

Plus external hash_to_field computation. Note: If EIP-2537 repricing occurs (23,800 per map), total would be ~48,400 gas.

Test Vectors

Zero Fp2 Element

Non-zero c0, Zero c1

Both Components Non-zero

Determinism Verification