Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update hash_to_g2 in BLS #1398
Update hash_to_g2 in BLS #1398
Changes from 7 commits
6b7d10f
ba63e8b
ac67b82
7e66720
cfe7f31
4dfb033
706fd52
b444cc0
19c67ec
ce16f37
d3a9583
b6fa1cb
edb9bfc
6b14553
7f71659
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this ciphersuite only be used for the proof of possession (
deposit_data.signature
)?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the ciphersuite be
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_
(notice the extra-
afterRO-
)?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so, the IETF spec has a
hash_to_point
definition for messages of this ciphersuite which is distinct fromhash_pubkey_to_point
. My understanding is that if you use the PoP defined by the IETF spec, you should useBLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_
orBLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_
if their PoP is not used.Considering that we do not use the exact PoP defined by the IETF spec, I think we should not claim to use the PoP ciphersuite anywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we should just use one ciphersuite for both PoP and regular signature validation.
The extra
-
afterRO-
is deliberate as that's how the examples were given in the IETF spec.I agree with Carl, if we don't use the specified PoP we should not use that in our ciphersuite tag. However, I then ask why do we not use that standardized PoP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right :) The extra
-
were missing and added them in.What is the difference between the standardized PoP and the currently specified PoP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question,
The standardize PoP signs the message:
msg = bytes(public_key)
Where as we sign the message:
msg = signing_root(deposit.data)
Which contains
withdrawal_credentials
andamount
along with thepublic_key
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that there is a specific domain separation tag just for signing pubkeys. (A third tag not mentioned here yet.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right sorry, I didn't notice the tag was slightly different between regular signatures and PoP.
PoP:
BLS_POP_BLS12381G2-SHA256-SSWU-RO-_POP_
Regular Signature:
BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_
With the option of changing the last
_POP_
to_NUL_
if required.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could mention that "RO" stands for "random oracle"