
Using the right domain separator when hashing to BLS12-381 G1 #77

Closed
randombit opened this issue Aug 23, 2023 · 4 comments

Comments

@randombit
Contributor

Working on #74 I am running into a problem I am not sure how to address.

G1.hashToCurve uses the G2 domain separator ("BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_") instead of the appropriate one for G1. I tried to fix this with the following change:

diff --git a/src/bls12-381.ts b/src/bls12-381.ts
index d4c7250..700b27e 100644
--- a/src/bls12-381.ts
+++ b/src/bls12-381.ts
@@ -1075,7 +1087,10 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     ),
     a: Fp.ZERO,
     b: _4n,
-    htfDefaults: { ...htfDefaults, m: 1 },
+    htfDefaults: { ...htfDefaults, m: 1,
+                   DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
+                   encodeDST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
+                 },
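Review bot: the hunk is truncated: the header `@@ -1075,7 +1087,10 @@` promises 7 old and 10 new lines but only 4 and 7 are shown, so the trailing context (including whatever closes the `htfDefaults` object's surrounding argument) is missing and the patch will not apply as pasted. Since the report is that setting `DST` and `encodeDST` here has no observable effect, pair the change with a regression test that calls `G1.hashToCurve` without an explicit DST and compares against a vector computed under `BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_`; as noted below, the existing hash-to-curve tests always pass an explicit dst, so they cannot catch a wrong default.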

but it does not seem to have any effect.

I can work around this by explicitly setting the domain separator to use when signing or verifying a short signature, but this feels pretty awkward/error-prone.

I think this is missed by the existing hash to curve tests since they always use some explicit dst.

@paulmillr
Owner

> I can work around this by explicitly setting the domain separator to use when signing or verifying a short signature, but this feels pretty awkward/error-prone.

Why?

> G1.hashToCurve uses the G2 domain separator

I don't think there is such a thing as standard G1 or G2 DSTs.

@randombit
Contributor Author

> Why?

Mostly because if you don't specify it, you'll use not just a wrong domain separator but even one that is reserved for G2.

> I don't think there is such a thing as standard G1 or G2 DSTs.

Maybe not standard per se but this internet draft specifies the DSTs for G1 and G2 https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04#section-4.2.1 and the current G2 default DST used in this library is exactly the one from that draft.

That same domain separator is also used by https://github.com/ethereum/py_ecc https://github.com/supranational/blst https://github.com/filecoin-project/lotus and those are just the first three that pop up if I search that string. I think despite being just a draft every BLS implementation out there has followed it since there is nothing better wrt standardization.

@paulmillr
Owner

> there is nothing better wrt standardization

true

So, this feels like a miss from my end. If you could fix it, that would be great.

@randombit
Contributor Author

Fix for this is included in #74
