Overview
Address: 0x000000000000000000000000000000000000000c
Introduced: Prague (EIP-2537)
EIP: EIP-2537
The BLS12-381 G1 Mul precompile performs elliptic curve scalar multiplication on the BLS12-381 curve’s G1 group. It takes a G1 point and a scalar, returning the point multiplied by that scalar (P * k). This operation is fundamental for BLS signature generation, key derivation, and cryptographic commitments.
EIP-2537 introduces BLS12-381 curve operations to enable efficient BLS signatures, which are used in Ethereum 2.0 for validator consensus and signature aggregation. Scalar multiplication is one of the most common operations in elliptic curve cryptography.
The BLS12-381 curve provides 128-bit security with efficient pairing operations, making it ideal for aggregatable signatures and zkSNARK applications.
Gas Cost
Fixed: 12000 gas
This reflects the computational complexity of scalar multiplication, which is significantly more expensive than point addition because it repeats double-and-add steps across the bits of the scalar.
Input Format
y^2 = x^3 + 4 over the BLS12-381 base field (Fp).
Point at infinity is represented as all zeros (128 bytes).
Scalar is a 256-bit value (reduced modulo group order if necessary).
Output Format
TypeScript Example
Zig Example
Error Conditions
- Out of gas: gasLimit < 12000
- Invalid input length: input.len != 160
- Invalid point: Point coordinates don’t satisfy curve equation y² = x³ + 4
- Point not in subgroup: Point not in correct subgroup (fails validation)
- Coordinate out of range: x or y >= field modulus
error.InvalidPoint.
Scalar Multiplication Properties
- P * 0 = O (multiplication by zero gives point at infinity)
- P * 1 = P (multiplication by one is identity)
- O * k = O (infinity times any scalar is infinity)
- P * (a + b) = P * a + P * b (distributive property)
- P * (-k) = -(P * k) (negation of scalar negates point)
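The input layout and error conditions above, as an added reference model in Python (not this project's Zig or TypeScript code): it decodes the 160-byte input, applies the range, curve and subgroup checks, then multiplies. The field modulus constant, the function names and the sample point `SMALL_ORDER` are assumptions of this example, and its double-and-add is not constant time, so it is for checking results only.

```python
P_MOD = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab  # BLS12-381 base field modulus (constant assumed here, not from the page)
R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001  # group order r as listed on this page
SMALL_ORDER = (0, 2)  # constructed sample: on the curve (2^2 = 0^3 + 4) but of order 3

def add(p, q):
    """Affine addition on y^2 = x^3 + 4 over Fp; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P) = O; also covers doubling a point with y = 0
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(p, k):
    """Plain double-and-add. Not constant time: a checking model, not for secret scalars."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def decode_g1(raw):
    x, y = (int.from_bytes(raw[i:i + 64], "big") for i in (0, 64))
    if x >= P_MOD or y >= P_MOD:  # also rejects non-zero bytes in the 16-byte padding
        raise ValueError("coordinate out of range")
    if x == 0 and y == 0:
        return None  # the all-zero encoding is the point at infinity
    if (y * y - x * x * x - 4) % P_MOD:
        raise ValueError("point not on curve")
    if mul((x, y), R) is not None:  # r * P must be O for a point in the G1 subgroup
        raise ValueError("point not in subgroup")
    return x, y

def encode_g1(p):
    return bytes(128) if p is None else b"".join(c.to_bytes(64, "big") for c in p)

def g1_mul(data, gas_limit):
    if gas_limit < 12000:
        raise ValueError("out of gas")
    if len(data) != 160:
        raise ValueError("invalid input length")
    k = int.from_bytes(data[128:], "big") % R  # 256-bit scalar reduced modulo r
    return encode_g1(mul(decode_g1(data[:128]), k))
```

`SMALL_ORDER` passes the curve-equation check yet has order 3, which is why the subgroup check is a separate step.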
Use Cases
- BLS signature generation: Computing signatures from secret keys
- Public key derivation: Deriving public keys from private keys
- Threshold cryptography: Secret sharing schemes
- Cryptographic commitments: Pedersen commitments on BLS12-381
- Zero-knowledge proofs: zkSNARK/zkSTARK operations
- Distributed key generation: Multi-party computation protocols
- Verifiable random functions: VRF implementations
Implementation Details
- Zig: Uses blst library for secure scalar multiplication
- TypeScript: Uses @noble/curves bls12-381 implementation
- Algorithm: Windowed scalar multiplication (efficient for large scalars)
- Constant-time: Implementation uses constant-time operations where possible
- Scalar range: Full 256-bit range, reduced modulo group order internally
Performance Characteristics
- Time complexity: O(log k) where k is the scalar value
- Fixed gas cost: Predictable cost regardless of scalar value
- Optimizations: Uses precomputed tables and efficient field arithmetic
- Hardware acceleration: blst library can use CPU-specific optimizations
BLS12-381 G1 Parameters
- Curve equation: y² = x³ + 4
- Base field: Fp (381-bit prime)
- Group order (r): 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
- Coordinate size: 48 bytes (padded to 64 bytes in encoding)
- Generator G1: (x, y) as defined in BLS12-381 spec
- Point at infinity: All zeros (128 bytes)
Test Vectors
Security Considerations
- Point validation ensures input is on curve and in correct subgroup
- Scalar can be any 256-bit value (automatically reduced)
- Uses constant-time operations to prevent timing attacks
- blst library is audited and battle-tested
- Point at infinity handled correctly as identity element
Comparison with BN254 Mul
| Feature | BLS12-381 G1 Mul | BN254 Mul |
|---|---|---|
| Address | 0x0c | 0x07 |
| Gas cost | 12000 | 6000 |
| Security | 128-bit | ~100-bit |
| Coordinate size | 48 bytes (64 padded) | 32 bytes |
| Input size | 160 bytes | 96 bytes |
| Use case | BLS signatures, ETH2 | zkSNARKs, privacy |

