Introduce BLS library into codebase

[blukat29]

Is your request related to a problem? Please describe.
Klaytn needs to bring in BLS algorithm for RANDAO, optimized consensus and EIP-2537.

BLS functionality can be split into two layers:

• BLS12-381 arithmetic: functions like G1.Add(P,Q). An example usage is the EIP-2537 precompiles.
• BLS (simple or aggregate) signature: functions like Sign() and AggregateVerify(). Example usages are RANDAO and block signatures.

Klaytn should need both layers.

Describe the solution you'd like
Below are potential Go open sources we can use.

• geth/crypto/bls12381 package implements BLS12-381 arithmetic. It has been stable since 2022 and geth implements EIP-2537 using this package. So I think it's a safe bet to use geth's crypto/bls12381 if Klaytn will support EIP-2537.
• celo/crypto/bls12381 is similar to geth/crypto/bls12381, but has diverted from geth's since 2021.
• celo-bls-go is another package used by celo blockchain for its consensus. celo-bls-go implements BLS12-377 curve. Note that Ethereum uses BLS12-381.
• prysm/crypto/bls is a package within prysm consensus layer (CL) client that implements BLS signature. It is a wrapper around the supranational/blst package. It is configured as (G1=pub,G2=sig) mode.
• supranational/blst package is an independent BLS library. It supports both modes - (G1=pub,G2=sig) and (G1=sig,G2=pub).

I propose to combine approaches of geth and prysm.

• Use geth/crypto/bls12381 for BLS12-381 arithmetic.
• Import supranational/blst and write klaytn/bls wrapper for BLS signatures.

To summarize,

Layer	geth (EL)	celo (CL+EL)	prysm (CL)	klaytn (CL+EL)
BLS (simple and aggregate) signature	(not needed)	celo/crypto/bls + celo-bls-go (BLS12-377)	prysm/crypto/bls + supranational/blst	klaytn/crypto/bls + supranational/blst
BLS12-381 arithmetic	geth/crypto/bls12381	celo/crypto/bls12381	(not needed)	klaytn/crypto/bls12381

Describe alternatives you've considered
Instead of adding source code to klaytn/klaytn repo, we might simply import geth and prysm internal packages.

Additional context
Other cases:

• ConsenSys/teku is an Ethereum CL in Java and uses Java binding of supranational/blst.
• status-im/nimbus-eth1 (EL) and status-im/nimbus-eth2 (CL) both depend on status-im/nim-blscurve written in the Nim language. The nim-blscurve supports two backends, the C binding of supranational/blst and miracl crypto lib.
• sigp/lighthouse is a CL in Rust and supports two backends, the Rust binding of supranational/blst and Apache Milagro crypto lib
• ChainSafe/lodestar is a CL in TypeScript and depends on @chainsafe/bls. @chainsafe/bls supports two backends, a JS binding of supranational/blst and herumi/bls-eth-wasm.
• Overall, it seems supranational/blst is a popular choice an an underlying crypto library.

Benchmark tests

• BLS library benchmark (2023.04) - Google Sheets.pdf
• geth/crypto/bls12381 performance is consistent with EIP-2537 gas pricing.
• supranational/blst takes up to 2ms to Sign once, Verify once, or AggregateVerify 100 signatures. I think it is enough for consensus purposes.
• (G1=sig,G2=pub) mode is less than 0.5ms/op faster than (G1=pub,G2=sig) mode. I think performance is not a critical factor in choosing the mode.

[exalate-issue-sync]

Exalate commented: Issue Created by: blukat29

[aidan-kwon]

closed via #1824 #1825

[ian0371]

For BLS key derivation and pop generation, these are the requirements:

• deriving BLS key from the input keying material (IKM) should be possible. (in our case, IKM is the node key)
• signing public key with a domain separator tag (DST) for pop should be possible.
  • DST for pop: BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
  • fyi, DST for sig: BLS_SIG_...

In terms of ERC-2333, the seed is the nodekey, and the derived BLS key is master_SK, where derive_master_SK(seed) -> master_SK.

For typescript implementation, there is no library that supports both features. Thus,

• use bls-keygen for BLS key derivation (or low-level bls-hd-key), and
• use bls-signatures for pop generation.

Sample code)

import loadBls from "bls-signatures";

import { deriveKeyFromEntropy } from "@chainsafe/bls-keygen";

type Unpromisify<T> = T extends Promise<infer U> ? U : T;

let BLS: Unpromisify<ReturnType<typeof loadBls>>;

function deriveKey(ikm: Uint8Array) {
  return deriveKeyFromEntropy(ikm);
}

function generatePop(privkey: Uint8Array) {
  const blskey = BLS.PrivateKey.from_bytes(privkey, true);
  const pop = BLS.PopSchemeMPL.pop_prove(blskey);
  return pop.serialize();
}

async function main() {
  BLS = await loadBls();

  const nodekey = Buffer.from(
    "ac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80",
    "hex",
  );
  const blskey = deriveKey(nodekey);
  const pop = generatePop(blskey);
  console.log("blskey", Buffer.from(blskey).toString("hex"));
  console.log("pop", Buffer.from(pop).toString("hex"));
}

// We recommend this pattern to be able to use async/await everywhere
// and properly handle errors.
main().catch((error) => {
  console.error(error);
  process.exitCode = 1;
});