From 6b7d10f64d6f3cb99c2bcfbe0c3d399de84d85cd Mon Sep 17 00:00:00 2001 From: = <=> Date: Thu, 5 Sep 2019 13:13:10 +1000 Subject: [PATCH 01/14] Update hash to g2 in BLS readme Signed-off-by: = <=> --- specs/bls_signature.md | 51 +++++++++++++++--------------------------- 1 file changed, 18 insertions(+), 33 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 652279cd7f..5e77c88382 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -68,45 +68,30 @@ We require: ### `hash_to_G2` ```python -G2_cofactor = 305502333931268344200999753193121504214466019254188142667664032982267604182971884026507427359259977847832272839041616661285803823378372096355777062779109 -q = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787 - -def hash_to_G2(message_hash: Bytes32, domain: Bytes8) -> Tuple[uint384, uint384]: - # Initial candidate x coordinate - x_re = int.from_bytes(hash(message_hash + domain + b'\x01'), 'big') - x_im = int.from_bytes(hash(message_hash + domain + b'\x02'), 'big') - x_coordinate = Fq2([x_re, x_im]) # x = x_re + i * x_im - - # Test candidate y coordinates until a one is found - while 1: - y_coordinate_squared = x_coordinate ** 3 + Fq2([4, 4]) # The curve is y^2 = x^3 + 4(i + 1) - y_coordinate = modular_squareroot(y_coordinate_squared) - if y_coordinate is not None: # Check if quadratic residue found - return multiply_in_G2((x_coordinate, y_coordinate), G2_cofactor) - x_coordinate += Fq2([1, 0]) # Add 1 and try again +def hash_to_G2(message_hash: Bytes32) -> Tuple[uint384, uint384]: + hash_to_curve(message_hash) ``` -### `modular_squareroot` +`hash_to_curve` is found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve) and uses the ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.7. It consists of three parts: -`modular_squareroot(x)` returns a solution `y` to `y**2 % q == x`, and `None` if none exists. If there are two solutions, the one with higher imaginary component is favored; if both solutions have equal imaginary component, the one with higher real component is favored (note that this is equivalent to saying that the single solution with either imaginary component > p/2 or imaginary component zero and real component > p/2 is favored). +* `hash_to_base` - Converting a message from bytes to a field point. The required constant parameters are: Security `k = 128` bits, Field Degree `m = 2` (i.e. Fp2), Length of HKDF `L = 64`, `H = SHA256`, Domain Separation Tag `DST = BLS12381G2-SHA256-SSWU-RO`. +* `map_to_curve` - Converting a field point to a point on the elliptic curve (G2 Point). First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-6.9.2) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-8.7) `E'`. Note this can be improved with am optimised SWU Map found in section 4 of [this paper](https://eprint.iacr.org/2019/403.pdf). Second map the `E'` point to G2 using `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#appendix-C.2). +* `clear_cofactor` - Ensuring resultant G2 Point is in the correct subfield this should be done using the method described in section 4.1 of [this paper](https://eprint.iacr.org/2017/419). Note pseudo code is in the process being be added to the standard. -The following is a sample implementation; implementers are free to implement modular square roots as they wish. Note that `x2 = -x1` is an _additive modular inverse_ so real and imaginary coefficients remain in `[0 .. q-1]`. `coerce_to_int(element: Fq) -> int` is a function that takes Fq element `element` (i.e. integers `mod q`) and converts it to a regular integer. +Details of the `hash_to_curve` function are shown below. ```python -Fq2_order = q ** 2 - 1 -eighth_roots_of_unity = [Fq2([1,1]) ** ((Fq2_order * k) // 8) for k in range(8)] - -def modular_squareroot(value: Fq2) -> Fq2: - candidate_squareroot = value ** ((Fq2_order + 8) // 16) - check = candidate_squareroot ** 2 / value - if check in eighth_roots_of_unity[::2]: - x1 = candidate_squareroot / eighth_roots_of_unity[eighth_roots_of_unity.index(check) // 2] - x2 = -x1 - x1_re, x1_im = coerce_to_int(x1.coeffs[0]), coerce_to_int(x1.coeffs[1]) - x2_re, x2_im = coerce_to_int(x2.coeffs[0]), coerce_to_int(x2.coeffs[1]) - return x1 if (x1_im > x2_im or (x1_im == x2_im and x1_re > x2_re)) else x2 - return None -``` +def hash_to_curve(alpha: Bytes) -> Tuple[unit384, uint384]: + u0 = hash_to_base(alpha, 0) + u1 = hash_to_base(alpha, 1) + Q0 = map_to_curve(u0) + Q1 = map_to_curve(u1) + R = Q0 + Q1 # Point Addition + P = clear_cofactor(R) + return P + ``` + + An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/master/python-impl/opt_swu_g2.py#L130). ## Aggregation operations From ba63e8bd2b27341849fdbe7545084c18efb0bb60 Mon Sep 17 00:00:00 2001 From: Kirk Baird Date: Thu, 5 Sep 2019 20:21:48 +1000 Subject: [PATCH 02/14] Permalink for reference implementation bls_signature.md Co-Authored-By: Hsiao-Wei Wang --- specs/bls_signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 5e77c88382..11622f6a13 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -91,7 +91,7 @@ def hash_to_curve(alpha: Bytes) -> Tuple[unit384, uint384]: return P ``` - An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/master/python-impl/opt_swu_g2.py#L130). + An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/d82335835cfddd9b9e7f30b99d2dab653d2c3a14/python-impl/opt_swu_g2.py#L130). ## Aggregation operations From ac67b82ca1c1f7d888236e7b1f2ed7318f82dd77 Mon Sep 17 00:00:00 2001 From: = <=> Date: Thu, 5 Sep 2019 20:22:22 +1000 Subject: [PATCH 03/14] Minor touch ups Signed-off-by: = <=> --- specs/bls_signature.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 5e77c88382..3a49c432ac 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -69,10 +69,10 @@ We require: ```python def hash_to_G2(message_hash: Bytes32) -> Tuple[uint384, uint384]: - hash_to_curve(message_hash) + return hash_to_curve(message_hash) ``` -`hash_to_curve` is found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve) and uses the ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.7. It consists of three parts: +`hash_to_curve` is found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve) with this interpretation reflecting draft version 4. We use the ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.7. It consists of three parts: * `hash_to_base` - Converting a message from bytes to a field point. The required constant parameters are: Security `k = 128` bits, Field Degree `m = 2` (i.e. Fp2), Length of HKDF `L = 64`, `H = SHA256`, Domain Separation Tag `DST = BLS12381G2-SHA256-SSWU-RO`. * `map_to_curve` - Converting a field point to a point on the elliptic curve (G2 Point). First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-6.9.2) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-8.7) `E'`. Note this can be improved with am optimised SWU Map found in section 4 of [this paper](https://eprint.iacr.org/2019/403.pdf). Second map the `E'` point to G2 using `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#appendix-C.2). From cfe7f311e3d1a86c800a2f8944316193e70507c8 Mon Sep 17 00:00:00 2001 From: Kirk Baird Date: Thu, 26 Sep 2019 09:19:37 +1000 Subject: [PATCH 04/14] Minor typo Signed-off-by: Kirk Baird --- specs/bls_signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 8f91187998..253086c033 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -81,7 +81,7 @@ def hash_to_G2(message_hash: Bytes32) -> Tuple[uint384, uint384]: Details of the `hash_to_curve` function are shown below. ```python -def hash_to_curve(alpha: Bytes) -> Tuple[unit384, uint384]: +def hash_to_curve(alpha: Bytes) -> Tuple[uint384, uint384]: u0 = hash_to_base(alpha, 0) u1 = hash_to_base(alpha, 1) Q0 = map_to_curve(u0) From 4dfb033481c0128d80c7c4c3f02daa79f6568f4f Mon Sep 17 00:00:00 2001 From: Kirk Baird Date: Tue, 19 Nov 2019 14:28:32 +1100 Subject: [PATCH 05/14] Update spec to match version 5 of the hash to curve standard Signed-off-by: Kirk Baird --- specs/bls_signature.md | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 253086c033..5d27f1878e 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -14,8 +14,7 @@ - [G1 points](#g1-points) - [G2 points](#g2-points) - [Helpers](#helpers) - - [`hash_to_G2`](#hash_to_g2) - - [`modular_squareroot`](#modular_squareroot) + - [`hash_to_G2`](#hash_to_G2) - [Aggregation operations](#aggregation-operations) - [`bls_aggregate_pubkeys`](#bls_aggregate_pubkeys) - [`bls_aggregate_signatures`](#bls_aggregate_signatures) @@ -33,6 +32,18 @@ The BLS12-381 curve parameters are defined [here](https://z.cash/blog/new-snark- We represent points in the groups G1 and G2 following [zkcrypto/pairing](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381). We denote by `q` the field modulus and by `i` the imaginary unit. +## Ciphersuite + +We use the following Ciphersuite `BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`. + +Where: +* `POP` refers to proof of possession. +* `G2` refers to signatures on G2. +* `SHA256` is the hash function used. +* `SSWU` refers to the Simplified SWU Map from a finite field element to an elliptic curve point. +* `RO` refers to `hash-to-curve` function rather than `encode-to-curve`. +* `BLS12381G2-SHA256-SSWU-RO` refers to the [hash to curve version 5](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) ciphersuite. + ### G1 points A point in G1 is represented as a 384-bit integer `z` decomposed as a 381-bit integer `x` and three 1-bit flags in the top bits: @@ -67,21 +78,22 @@ We require: ### `hash_to_G2` -```python -def hash_to_G2(message_hash: Bytes32) -> Tuple[uint384, uint384]: - return hash_to_curve(message_hash) -``` - -`hash_to_curve` is found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve) with this interpretation reflecting draft version 4. We use the ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.7. It consists of three parts: +`hash_to_g2` is equivaent `hash_to_curve` found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3) with this interpretation reflecting draft version 5. We use the hash to curve ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.9.2. It consists of three parts: -* `hash_to_base` - Converting a message from bytes to a field point. The required constant parameters are: Security `k = 128` bits, Field Degree `m = 2` (i.e. Fp2), Length of HKDF `L = 64`, `H = SHA256`, Domain Separation Tag `DST = BLS12381G2-SHA256-SSWU-RO`. -* `map_to_curve` - Converting a field point to a point on the elliptic curve (G2 Point). First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-6.9.2) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#section-8.7) `E'`. Note this can be improved with am optimised SWU Map found in section 4 of [this paper](https://eprint.iacr.org/2019/403.pdf). Second map the `E'` point to G2 using `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04#appendix-C.2). -* `clear_cofactor` - Ensuring resultant G2 Point is in the correct subfield this should be done using the method described in section 4.1 of [this paper](https://eprint.iacr.org/2017/419). Note pseudo code is in the process being be added to the standard. +* `hash_to_base` - Converting a message from bytes to a field point found in [section 5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required constant parameters are: + * Field Degree: `m = 2` + * Length of HKDF: `L = 64`, + * Hash Function: `H = SHA256`, + * Domain Separation Tag: `DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`. +* `map_to_curve` - Converting a field point to a point on the elliptic curve (G2 Point) in two steps: + * First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'`. + * Second map the `E'` point to G2 using the `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). +* `clear_cofactor` - Ensure the point is in the correct subfield by multiplying by the curve co-efficient `h_eff` as found [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). Details of the `hash_to_curve` function are shown below. ```python -def hash_to_curve(alpha: Bytes) -> Tuple[uint384, uint384]: +def hash_to_G2(alpha: Bytes) -> Tuple[uint384, uint384]: u0 = hash_to_base(alpha, 0) u1 = hash_to_base(alpha, 1) Q0 = map_to_curve(u0) @@ -91,7 +103,7 @@ def hash_to_curve(alpha: Bytes) -> Tuple[uint384, uint384]: return P ``` - An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/d82335835cfddd9b9e7f30b99d2dab653d2c3a14/python-impl/opt_swu_g2.py#L130). + An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/93b58f3e9f9ef55085f9ad78c708fa5ad9b894df/python-impl/opt_swu_g2.py#L131). ## Aggregation operations From 706fd524fd84266a4ea8979ef1fc6c0ce2c0d09c Mon Sep 17 00:00:00 2001 From: Kirk Baird Date: Tue, 19 Nov 2019 14:32:25 +1100 Subject: [PATCH 06/14] Fix indent and warning Signed-off-by: Kirk Baird --- specs/bls_signature.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 5d27f1878e..e326e338d3 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -2,8 +2,6 @@ **Notice**: This document is a placeholder to facilitate the emergence of cross-client testnets. Substantive changes are postponed until [BLS standardisation](https://github.com/pairingwg/bls_standard) is finalized. -**Warning**: The constructions in this document should not be considered secure. In particular, the `hash_to_G2` function is known to be unsecure. - ## Table of contents @@ -81,13 +79,13 @@ We require: `hash_to_g2` is equivaent `hash_to_curve` found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3) with this interpretation reflecting draft version 5. We use the hash to curve ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.9.2. It consists of three parts: * `hash_to_base` - Converting a message from bytes to a field point found in [section 5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required constant parameters are: - * Field Degree: `m = 2` - * Length of HKDF: `L = 64`, - * Hash Function: `H = SHA256`, - * Domain Separation Tag: `DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`. + * Field Degree: `m = 2` + * Length of HKDF: `L = 64`, + * Hash Function: `H = SHA256`, + * Domain Separation Tag: `DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`. * `map_to_curve` - Converting a field point to a point on the elliptic curve (G2 Point) in two steps: - * First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'`. - * Second map the `E'` point to G2 using the `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). + * First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'`. + * Second map the `E'` point to G2 using the `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). * `clear_cofactor` - Ensure the point is in the correct subfield by multiplying by the curve co-efficient `h_eff` as found [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). Details of the `hash_to_curve` function are shown below. From b444cc084216e248daf57077254b4af1ed3d224f Mon Sep 17 00:00:00 2001 From: Kirk Baird Date: Mon, 25 Nov 2019 09:34:21 +1100 Subject: [PATCH 07/14] Add TOC for ciphersuite Signed-off-by: Kirk Baird --- specs/bls_signature.md | 1 + 1 file changed, 1 insertion(+) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index e326e338d3..6537569d21 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -8,6 +8,7 @@ - [BLS signature verification](#bls-signature-verification) - [Table of contents](#table-of-contents) - [Curve parameters](#curve-parameters) + - [Ciphersuite](#ciphersuite) - [Point representations](#point-representations) - [G1 points](#g1-points) - [G2 points](#g2-points) From 19c67ecde76580657aac98a4488cb61c0e64f180 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 15:57:12 +0000 Subject: [PATCH 08/14] Fix ciphersuite typo Also revamp ciphersuite breakdown --- specs/bls_signature.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 6537569d21..6f89ef9265 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -33,15 +33,15 @@ We represent points in the groups G1 and G2 following [zkcrypto/pairing](https:/ ## Ciphersuite -We use the following Ciphersuite `BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`. - -Where: -* `POP` refers to proof of possession. -* `G2` refers to signatures on G2. -* `SHA256` is the hash function used. -* `SSWU` refers to the Simplified SWU Map from a finite field element to an elliptic curve point. -* `RO` refers to `hash-to-curve` function rather than `encode-to-curve`. -* `BLS12381G2-SHA256-SSWU-RO` refers to the [hash to curve version 5](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) ciphersuite. +We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: + +* `BLS_SIG_` refers to BLS signatures +* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see spec [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2): + * `BLS12381G2-` refers to the use of the BLS12-381 curve with signatures on G2 + * `SHA256-` refers to the use of SHA256 as the internal `hash_to_base` function + * `SSWU-` refers to use of the simplified SWU mapping finite field elements to elliptic curve points + * `RO-` refers to the hash to curve outputs being indifferentiable from a random oracle +* `_POP_` refers to the use proofs of possession to prevent rogue key attacks ### G1 points From ce16f37303ac34b15c9730cacc5a405a8dc346c9 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 16:03:15 +0000 Subject: [PATCH 09/14] Update bls_signature.md --- specs/bls_signature.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 6f89ef9265..7b425fa0a1 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -13,7 +13,7 @@ - [G1 points](#g1-points) - [G2 points](#g2-points) - [Helpers](#helpers) - - [`hash_to_G2`](#hash_to_G2) + - [`hash_to_G2`](#hash_to_g2) - [Aggregation operations](#aggregation-operations) - [`bls_aggregate_pubkeys`](#bls_aggregate_pubkeys) - [`bls_aggregate_signatures`](#bls_aggregate_signatures) @@ -36,7 +36,7 @@ We represent points in the groups G1 and G2 following [zkcrypto/pairing](https:/ We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: * `BLS_SIG_` refers to BLS signatures -* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see spec [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2): +* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see spec [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)): * `BLS12381G2-` refers to the use of the BLS12-381 curve with signatures on G2 * `SHA256-` refers to the use of SHA256 as the internal `hash_to_base` function * `SSWU-` refers to use of the simplified SWU mapping finite field elements to elliptic curve points @@ -45,7 +45,7 @@ We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: ### G1 points -A point in G1 is represented as a 384-bit integer `z` decomposed as a 381-bit integer `x` and three 1-bit flags in the top bits: +A G1 point is represented as a 384-bit integer `z` decomposed as a 381-bit integer `x` and three 1-bit flags in the top bits: * `x = z % 2**381` * `a_flag = (z % 2**382) // 2**381` @@ -77,17 +77,17 @@ We require: ### `hash_to_G2` -`hash_to_g2` is equivaent `hash_to_curve` found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3) with this interpretation reflecting draft version 5. We use the hash to curve ciphersuite `BLS12381G2-SHA256-SSWU-RO` found in section 8.9.2. It consists of three parts: +`hash_to_G2` is equivalent to `hash_to_curve` found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3). We use the hash to curve ciphersuite `BLS12381G2-SHA256-SSWU-RO-` found in section 8.9.2. It consists of three parts: -* `hash_to_base` - Converting a message from bytes to a field point found in [section 5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required constant parameters are: - * Field Degree: `m = 2` - * Length of HKDF: `L = 64`, - * Hash Function: `H = SHA256`, - * Domain Separation Tag: `DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`. -* `map_to_curve` - Converting a field point to a point on the elliptic curve (G2 Point) in two steps: +* `hash_to_base`—Converts a message from bytes to a field point. See [section 5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required parameters are: + * field degree—`m = 2` + * length of HKDF—`L = 64` + * hash function—`H = SHA256` + * domain separation tag—`DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` +* `map_to_curve`—Converting a field point to a point on the elliptic curve (G2 Point) in two steps: * First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'`. * Second map the `E'` point to G2 using the `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). -* `clear_cofactor` - Ensure the point is in the correct subfield by multiplying by the curve co-efficient `h_eff` as found [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). +* `clear_cofactor`—Ensure the point is in the correct subfield by multiplying by the curve co-efficient `h_eff` as found [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). Details of the `hash_to_curve` function are shown below. @@ -97,22 +97,22 @@ def hash_to_G2(alpha: Bytes) -> Tuple[uint384, uint384]: u1 = hash_to_base(alpha, 1) Q0 = map_to_curve(u0) Q1 = map_to_curve(u1) - R = Q0 + Q1 # Point Addition + R = Q0 + Q1 # point addition P = clear_cofactor(R) return P ``` - An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/93b58f3e9f9ef55085f9ad78c708fa5ad9b894df/python-impl/opt_swu_g2.py#L131). +An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/93b58f3e9f9ef55085f9ad78c708fa5ad9b894df/python-impl/opt_swu_g2.py#L131). ## Aggregation operations ### `bls_aggregate_pubkeys` -Let `bls_aggregate_pubkeys(pubkeys: List[Bytes48]) -> Bytes48` return `pubkeys[0] + .... + pubkeys[len(pubkeys)-1]`, where `+` is the elliptic curve addition operation over the G1 curve. (When `len(pubkeys) == 0` the empty sum is the G1 point at infinity.) +Let `bls_aggregate_pubkeys(pubkeys: List[Bytes48]) -> Bytes48` return `pubkeys[0] + .... + pubkeys[len(pubkeys) - 1]`, where `+` is the elliptic curve addition operation over the G1 curve. (When `len(pubkeys) == 0` the empty sum is the G1 point at infinity.) ### `bls_aggregate_signatures` -Let `bls_aggregate_signatures(signatures: List[Bytes96]) -> Bytes96` return `signatures[0] + .... + signatures[len(signatures)-1]`, where `+` is the elliptic curve addition operation over the G2 curve. (When `len(signatures) == 0` the empty sum is the G2 point at infinity.) +Let `bls_aggregate_signatures(signatures: List[Bytes96]) -> Bytes96` return `signatures[0] + .... + signatures[len(signatures) - 1]`, where `+` is the elliptic curve addition operation over the G2 curve. (When `len(signatures) == 0` the empty sum is the G2 point at infinity.) ## Signature verification @@ -139,4 +139,4 @@ Let `bls_verify_multiple(pubkeys: List[Bytes48], message_hashes: List[Bytes32], * Verify that each `pubkey` in `pubkeys` is a valid G1 point. * Verify that `signature` is a valid G2 point. * Verify that `len(pubkeys)` equals `len(message_hashes)` and denote the length `L`. -* Verify that `e(pubkeys[0], hash_to_G2(message_hashes[0], domain)) * ... * e(pubkeys[L-1], hash_to_G2(message_hashes[L-1], domain)) == e(g, signature)`. +* Verify that `e(pubkeys[0], hash_to_G2(message_hashes[0], domain)) * ... * e(pubkeys[L - 1], hash_to_G2(message_hashes[L - 1], domain)) == e(g, signature)`. From d3a95837d850b3ab749433b7ad946c4f886cac88 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 16:25:07 +0000 Subject: [PATCH 10/14] Update bls_signature.md --- specs/bls_signature.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 7b425fa0a1..105f8adb09 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -7,7 +7,7 @@ - [BLS signature verification](#bls-signature-verification) - [Table of contents](#table-of-contents) - - [Curve parameters](#curve-parameters) + - [Draft standards](#draft-standards) - [Ciphersuite](#ciphersuite) - [Point representations](#point-representations) - [G1 points](#g1-points) @@ -23,9 +23,18 @@ -## Curve parameters +## Draft standards -The BLS12-381 curve parameters are defined [here](https://z.cash/blog/new-snark-curve). +This specification follows three Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG) drafts: + +* [`pairing-friendly-curves-00`](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00) (published November 1, 2019) + * [Section 4.2.2](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#section-4.2.2) defines the BLS12-381 curve parameters, including G1 and G2 generators. +* [`hash-to-curve-05`](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05) (published November 2, 2019) + * [Section 8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) defines the hash-to-curve ciphersuite for BLS12-381 G2. +* [`bls-signature-00`](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00) (published August 8, 2019) + * [Section 4.2.3](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-4.2.3) defines the proof of possession ciphersuite for BLS12-381. + +Note that the above drafts are not ratified as Internet Engineering Task Force (IEFT) standards. Despite the lack of official IEFT standardisation, various blockchain projects have agreed to use the specific drafts above as de facto "blockchain BLS standard" to encourage interoperability. ## Point representations @@ -36,7 +45,7 @@ We represent points in the groups G1 and G2 following [zkcrypto/pairing](https:/ We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: * `BLS_SIG_` refers to BLS signatures -* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see spec [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)): +* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)): * `BLS12381G2-` refers to the use of the BLS12-381 curve with signatures on G2 * `SHA256-` refers to the use of SHA256 as the internal `hash_to_base` function * `SSWU-` refers to use of the simplified SWU mapping finite field elements to elliptic curve points From b6fa1cb8ee9170d0af15b74358f55ec9c0c77f7c Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 16:37:17 +0000 Subject: [PATCH 11/14] Update bls_signature.md --- specs/bls_signature.md | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 105f8adb09..82293bcc07 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -28,11 +28,8 @@ This specification follows three Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG) drafts: * [`pairing-friendly-curves-00`](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00) (published November 1, 2019) - * [Section 4.2.2](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#section-4.2.2) defines the BLS12-381 curve parameters, including G1 and G2 generators. * [`hash-to-curve-05`](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05) (published November 2, 2019) - * [Section 8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) defines the hash-to-curve ciphersuite for BLS12-381 G2. * [`bls-signature-00`](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00) (published August 8, 2019) - * [Section 4.2.3](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-4.2.3) defines the proof of possession ciphersuite for BLS12-381. Note that the above drafts are not ratified as Internet Engineering Task Force (IEFT) standards. Despite the lack of official IEFT standardisation, various blockchain projects have agreed to use the specific drafts above as de facto "blockchain BLS standard" to encourage interoperability. @@ -50,7 +47,7 @@ We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: * `SHA256-` refers to the use of SHA256 as the internal `hash_to_base` function * `SSWU-` refers to use of the simplified SWU mapping finite field elements to elliptic curve points * `RO-` refers to the hash to curve outputs being indifferentiable from a random oracle -* `_POP_` refers to the use proofs of possession to prevent rogue key attacks +* `_POP_` refers to the use proofs of possession to prevent rogue key attacks (see [bls-signature-00#section-4.2.3](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-4.2.3)) ### G1 points @@ -88,15 +85,15 @@ We require: `hash_to_G2` is equivalent to `hash_to_curve` found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3). We use the hash to curve ciphersuite `BLS12381G2-SHA256-SSWU-RO-` found in section 8.9.2. It consists of three parts: -* `hash_to_base`—Converts a message from bytes to a field point. See [section 5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required parameters are: +* `hash_to_base`—Converts a message from bytes to a field point. See [hash-to-curve-05#section-5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required parameters are: * field degree—`m = 2` * length of HKDF—`L = 64` * hash function—`H = SHA256` * domain separation tag—`DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` -* `map_to_curve`—Converting a field point to a point on the elliptic curve (G2 Point) in two steps: - * First apply a [Simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'`. - * Second map the `E'` point to G2 using the `iso_map` detailed [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). -* `clear_cofactor`—Ensure the point is in the correct subfield by multiplying by the curve co-efficient `h_eff` as found [here](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). +* `map_to_curve`—Converts a field point to a point on the elliptic curve (G2 Point) in two steps: + 1) applies a [simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'` + 2) maps the `E'` point to G2 using the `iso_map` detailed in [hash-to-curve-05#appendix-C.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). +* `clear_cofactor`—Ensures the point is in the correct subfield by multiplying by the curve coefficient `h_eff` as found in [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). Details of the `hash_to_curve` function are shown below. @@ -125,11 +122,11 @@ Let `bls_aggregate_signatures(signatures: List[Bytes96]) -> Bytes96` return `sig ## Signature verification -In the following, `e` is the pairing function and `g` is the G1 generator with the following coordinates (see [here](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381#g1)): +In the following, `e` is the pairing function and `g` is the G1 generator with the following coordinates (see `x` and `y` in [pairing-friendly-curves-00#section-4.2.2](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#section-4.2.2)): ```python -g_x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507 -g_y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569 +g_x = 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb +g_y = 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1 g = Fq2([g_x, g_y]) ``` From edb9bfc8574e06bbcdd030c4779aa4322ee16324 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 17:02:53 +0000 Subject: [PATCH 12/14] Update bls_signature.md --- specs/bls_signature.md | 54 ++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 28 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 82293bcc07..b82381be06 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -1,17 +1,17 @@ -# BLS signature verification +# BLS signatures **Notice**: This document is a placeholder to facilitate the emergence of cross-client testnets. Substantive changes are postponed until [BLS standardisation](https://github.com/pairingwg/bls_standard) is finalized. ## Table of contents -- [BLS signature verification](#bls-signature-verification) +- [BLS signatures](#bls-signatures) - [Table of contents](#table-of-contents) - [Draft standards](#draft-standards) - - [Ciphersuite](#ciphersuite) - [Point representations](#point-representations) - [G1 points](#g1-points) - [G2 points](#g2-points) + - [Ciphersuite](#ciphersuite) - [Helpers](#helpers) - [`hash_to_G2`](#hash_to_g2) - [Aggregation operations](#aggregation-operations) @@ -37,18 +37,6 @@ Note that the above drafts are not ratified as Internet Engineering Task Force ( We represent points in the groups G1 and G2 following [zkcrypto/pairing](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381). We denote by `q` the field modulus and by `i` the imaginary unit. -## Ciphersuite - -We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: - -* `BLS_SIG_` refers to BLS signatures -* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)): - * `BLS12381G2-` refers to the use of the BLS12-381 curve with signatures on G2 - * `SHA256-` refers to the use of SHA256 as the internal `hash_to_base` function - * `SSWU-` refers to use of the simplified SWU mapping finite field elements to elliptic curve points - * `RO-` refers to the hash to curve outputs being indifferentiable from a random oracle -* `_POP_` refers to the use proofs of possession to prevent rogue key attacks (see [bls-signature-00#section-4.2.3](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-4.2.3)) - ### G1 points A G1 point is represented as a 384-bit integer `z` decomposed as a 381-bit integer `x` and three 1-bit flags in the top bits: @@ -79,23 +67,23 @@ We require: * if `b_flag1 == 1` then `a_flag1 == x1 == x2 == 0` and `(z1, z2)` represents the point at infinity * if `b_flag1 == 0` then `(z1, z2)` represents the point `(x1 * i + x2, y)` where `y` is the valid coordinate such that the imaginary part `y_im` of `y` satisfies `(y_im * 2) // q == a_flag1` -## Helpers +## Ciphersuite -### `hash_to_G2` +We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: + +* `BLS_SIG_` refers to BLS signatures +* `BLS12381G2-SHA256-SSWU-RO-` is the hash to curve ciphersuite (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)): + * `BLS12381G2-` refers to the use of the BLS12-381 curve with signatures on G2 + * `SHA256-` refers to the use of SHA256 as the internal `hash_to_base` function + * `SSWU-` refers to use of the simplified SWU mapping finite field elements to elliptic curve points + * `RO-` refers to the hash to curve outputs being indifferentiable from a random oracle +* `_POP_` refers to the use proofs of possession to prevent rogue key attacks (see [bls-signature-00#section-4.2.3](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-4.2.3)) -`hash_to_G2` is equivalent to `hash_to_curve` found in the [BLS standard](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3). We use the hash to curve ciphersuite `BLS12381G2-SHA256-SSWU-RO-` found in section 8.9.2. It consists of three parts: +## Helpers -* `hash_to_base`—Converts a message from bytes to a field point. See [hash-to-curve-05#section-5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3). The required parameters are: - * field degree—`m = 2` - * length of HKDF—`L = 64` - * hash function—`H = SHA256` - * domain separation tag—`DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` -* `map_to_curve`—Converts a field point to a point on the elliptic curve (G2 Point) in two steps: - 1) applies a [simplified SWU Map](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3) to the [3-Isogney curve](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2) `E'` - 2) maps the `E'` point to G2 using the `iso_map` detailed in [hash-to-curve-05#appendix-C.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3). -* `clear_cofactor`—Ensures the point is in the correct subfield by multiplying by the curve coefficient `h_eff` as found in [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2). +### `hash_to_G2` -Details of the `hash_to_curve` function are shown below. +`hash_to_G2` is equivalent to `hash_to_curve` found in [hash-to-curve-05#section-3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3). It is defined as ```python def hash_to_G2(alpha: Bytes) -> Tuple[uint384, uint384]: @@ -108,6 +96,16 @@ def hash_to_G2(alpha: Bytes) -> Tuple[uint384, uint384]: return P ``` +* `hash_to_base` converts a message from bytes to a field point (see [hash-to-curve-05#section-5.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-5.3)). The parameters are: + * domain separation tag—`DST = BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` + * hash function—`H = SHA256` + * field degree—`m = 2` + * length of HKDF—`L = 64` +* `map_to_curve` converts a field point to a G2 point in two steps: + 1) it applies a simplified SWU map (see [hash-to-curve-05#section-6.6.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3)) to the 3-Isogney curve `E'` (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)) + 2) it maps the point on `E'` to a G2 point using `iso_map` (see [hash-to-curve-05#appendix-C.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3)) +* `clear_cofactor` ensures the point is in the correct subfield by multiplying by the curve coefficient `h_eff` (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)). + An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/93b58f3e9f9ef55085f9ad78c708fa5ad9b894df/python-impl/opt_swu_g2.py#L131). ## Aggregation operations From 6b14553dcc8e720468c679e25ef03be6af4aab31 Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 17:42:36 +0000 Subject: [PATCH 13/14] Update bls_signature.md --- specs/bls_signature.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index b82381be06..7ec2be38b2 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -1,13 +1,11 @@ # BLS signatures -**Notice**: This document is a placeholder to facilitate the emergence of cross-client testnets. Substantive changes are postponed until [BLS standardisation](https://github.com/pairingwg/bls_standard) is finalized. - ## Table of contents - [BLS signatures](#bls-signatures) - [Table of contents](#table-of-contents) - - [Draft standards](#draft-standards) + - [Standards drafts](#standards-drafts) - [Point representations](#point-representations) - [G1 points](#g1-points) - [G2 points](#g2-points) @@ -23,7 +21,7 @@ -## Draft standards +## Standards drafts This specification follows three Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG) drafts: @@ -31,11 +29,11 @@ This specification follows three Internet Research Task Force (IRTF) Crypto Foru * [`hash-to-curve-05`](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05) (published November 2, 2019) * [`bls-signature-00`](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00) (published August 8, 2019) -Note that the above drafts are not ratified as Internet Engineering Task Force (IEFT) standards. Despite the lack of official IEFT standardisation, various blockchain projects have agreed to use the specific drafts above as de facto "blockchain BLS standard" to encourage interoperability. +Note that the above standards drafts are not ratified as Internet Engineering Task Force (IEFT) standards. Despite the lack of IEFT standardization various blockchain projects are using the above drafts as the "de facto BLS standard for blockchains" to facilitate interoperability. ## Point representations -We represent points in the groups G1 and G2 following [zkcrypto/pairing](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381). We denote by `q` the field modulus and by `i` the imaginary unit. +We represent points in the G1 and G2 groups following [zkcrypto/pairing](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381). We denote by `q` the field modulus and by `i` the imaginary unit. ### G1 points @@ -102,7 +100,7 @@ def hash_to_G2(alpha: Bytes) -> Tuple[uint384, uint384]: * field degree—`m = 2` * length of HKDF—`L = 64` * `map_to_curve` converts a field point to a G2 point in two steps: - 1) it applies a simplified SWU map (see [hash-to-curve-05#section-6.6.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3)) to the 3-Isogney curve `E'` (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)) + 1) it applies a simplified SWU map (see [hash-to-curve-05#section-6.6.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.3)) to the 3-isogeny curve `E'` (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)) 2) it maps the point on `E'` to a G2 point using `iso_map` (see [hash-to-curve-05#appendix-C.3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#appendix-C.3)) * `clear_cofactor` ensures the point is in the correct subfield by multiplying by the curve coefficient `h_eff` (see [hash-to-curve-05#section-8.9.2](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-8.9.2)). From 7f71659906a59662fbaa22aca00f8c65a791bf9c Mon Sep 17 00:00:00 2001 From: Justin Date: Tue, 26 Nov 2019 17:46:16 +0000 Subject: [PATCH 14/14] Update bls_signature.md --- specs/bls_signature.md | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/specs/bls_signature.md b/specs/bls_signature.md index 7ec2be38b2..fc59fecb43 100644 --- a/specs/bls_signature.md +++ b/specs/bls_signature.md @@ -10,14 +10,13 @@ - [G1 points](#g1-points) - [G2 points](#g2-points) - [Ciphersuite](#ciphersuite) - - [Helpers](#helpers) - - [`hash_to_G2`](#hash_to_g2) - - [Aggregation operations](#aggregation-operations) - - [`bls_aggregate_pubkeys`](#bls_aggregate_pubkeys) - - [`bls_aggregate_signatures`](#bls_aggregate_signatures) + - [Hash to G2](#hash_to_g2) - [Signature verification](#signature-verification) - [`bls_verify`](#bls_verify) - [`bls_verify_multiple`](#bls_verify_multiple) + - [Aggregation](#aggregation) + - [`bls_aggregate_pubkeys`](#bls_aggregate_pubkeys) + - [`bls_aggregate_signatures`](#bls_aggregate_signatures) @@ -77,9 +76,7 @@ We use the `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_` ciphersuite where: * `RO-` refers to the hash to curve outputs being indifferentiable from a random oracle * `_POP_` refers to the use proofs of possession to prevent rogue key attacks (see [bls-signature-00#section-4.2.3](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-4.2.3)) -## Helpers - -### `hash_to_G2` +## Hash to G2 `hash_to_G2` is equivalent to `hash_to_curve` found in [hash-to-curve-05#section-3](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-3). It is defined as @@ -106,16 +103,6 @@ def hash_to_G2(alpha: Bytes) -> Tuple[uint384, uint384]: An implementation of `hash_to_curve` can be found [here](https://github.com/kwantam/bls_sigs_ref/blob/93b58f3e9f9ef55085f9ad78c708fa5ad9b894df/python-impl/opt_swu_g2.py#L131). -## Aggregation operations - -### `bls_aggregate_pubkeys` - -Let `bls_aggregate_pubkeys(pubkeys: List[Bytes48]) -> Bytes48` return `pubkeys[0] + .... + pubkeys[len(pubkeys) - 1]`, where `+` is the elliptic curve addition operation over the G1 curve. (When `len(pubkeys) == 0` the empty sum is the G1 point at infinity.) - -### `bls_aggregate_signatures` - -Let `bls_aggregate_signatures(signatures: List[Bytes96]) -> Bytes96` return `signatures[0] + .... + signatures[len(signatures) - 1]`, where `+` is the elliptic curve addition operation over the G2 curve. (When `len(signatures) == 0` the empty sum is the G2 point at infinity.) - ## Signature verification In the following, `e` is the pairing function and `g` is the G1 generator with the following coordinates (see `x` and `y` in [pairing-friendly-curves-00#section-4.2.2](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#section-4.2.2)): @@ -142,3 +129,13 @@ Let `bls_verify_multiple(pubkeys: List[Bytes48], message_hashes: List[Bytes32], * Verify that `signature` is a valid G2 point. * Verify that `len(pubkeys)` equals `len(message_hashes)` and denote the length `L`. * Verify that `e(pubkeys[0], hash_to_G2(message_hashes[0], domain)) * ... * e(pubkeys[L - 1], hash_to_G2(message_hashes[L - 1], domain)) == e(g, signature)`. + +## Aggregation + +### `bls_aggregate_pubkeys` + +Let `bls_aggregate_pubkeys(pubkeys: List[Bytes48]) -> Bytes48` return `pubkeys[0] + .... + pubkeys[len(pubkeys) - 1]`, where `+` is the elliptic curve addition operation over the G1 curve. (When `len(pubkeys) == 0` the empty sum is the G1 point at infinity.) + +### `bls_aggregate_signatures` + +Let `bls_aggregate_signatures(signatures: List[Bytes96]) -> Bytes96` return `signatures[0] + .... + signatures[len(signatures) - 1]`, where `+` is the elliptic curve addition operation over the G2 curve. (When `len(signatures) == 0` the empty sum is the G2 point at infinity.)