EspressoSystems / hotshot-primitives

Primitives used in HotShot
https://hotshot-primitives.docs.espressosys.com/

Proof of Possession computation and verification #37

Open philippecamacho opened 1 year ago

philippecamacho commented 1 year ago

When a public key is registered to the stake table, it must come with a Proof of Possession in order to avoid rogue key attacks on BLS signature aggregation (see https://eprint.iacr.org/2018/483.pdf, section 1.1).

Implement the algorithm to both generate and verify this proof following https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html#section-3.3.

See related discussion.

chancharles92 commented 1 year ago

Yes, and it only needs to be done one-time when registering the key. No need to have it in the consensus protocol.

philippecamacho commented 1 year ago

Given our specific context (the staking verification keys are stored in a smart contract table) we can consider the following alternative (see notion discussion):

Unless a malicious user is able to convince someone owning $sk$ to sign his Ethereum address $A$, the registration process ensures the user actually owns $sk$.

philippecamacho commented 1 year ago

As discussed we will go for Jeb's idea but using a Schnorr signature in $\mathbb{G}_1$ in order to sign the Ethereum address. By doing so we avoid the complications of BKG+23 (*) while keeping the gas cost for registering a new key low.

cc @jbearer @chancharles92 @bbuenz @ggutoski

(*) see https://espresso.zulipchat.com/#narrow/stream/330838-Crypto/topic/Aggregate.20Signatures/near/362260583
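The following is an added example, not code from hotshot-primitives or from any participant in this thread. It shows the registration design the thread converges on: a proof of possession (PoP) that is a Schnorr signature, under the staking key, over the registering account's address, and it demonstrates the rogue key attack on naive key aggregation that the PoP blocks (a rogue key is built as a difference of group elements, so its holder does not know its discrete log and cannot produce the PoP). Assumptions: secp256k1 stands in for the BLS12-381 $\mathbb{G}_1$ group the thread intends (any prime-order group works the same way), SHA-256 is the Fiat-Shamir hash, the domain-separation tag, the `StakeTable` class and the two 20-byte addresses are constructed for this example, and the curve arithmetic is a minimal affine implementation for illustration, not a production library.

```python
"""Added example (not hotshot-primitives code): proof of possession as a
Schnorr signature over the registering address, and the rogue key attack
it prevents. secp256k1 is an assumed stand-in for BLS12-381 G1.
"""
import hashlib
import secrets

# secp256k1 parameters (prime-order group, cofactor 1, so an on-curve
# check is also a subgroup-membership check).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The point at infinity (group identity) is represented as None.


def on_curve(pt):
    """True iff pt is a finite point satisfying y^2 = x^3 + 7 (mod P)."""
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def ec_add(a, b):
    """Affine group law; handles identity, doubling and inverse pairs."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    k %= N
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def keygen():
    """Staking key pair: sk in [1, N-1], pk = sk * G."""
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)


def challenge(pk, commitment, address):
    """Fiat-Shamir challenge binding pk, the nonce commitment and the address.
    The tag (constructed here) keeps PoP hashes apart from consensus messages."""
    h = hashlib.sha256(b"HOTSHOT-POP-EXAMPLE-DST")
    h.update(encode(pk))
    h.update(encode(commitment))
    h.update(address)
    return int.from_bytes(h.digest(), "big") % N


def pop_prove(sk, address):
    """Schnorr signature over address: proves knowledge of log_G(pk) and ties
    that proof to this address, so it cannot be replayed under another one."""
    pk = ec_mul(sk, G)
    r = secrets.randbelow(N - 1) + 1
    commitment = ec_mul(r, G)
    c = challenge(pk, commitment, address)
    return commitment, (r + c * sk) % N


def pop_verify(pk, address, proof):
    """Accept iff pk and R are valid points and s*G == R + c*pk."""
    commitment, s = proof
    if not (on_curve(pk) and on_curve(commitment) and 0 < s < N):
        return False
    c = challenge(pk, commitment, address)
    return ec_mul(s, G) == ec_add(commitment, ec_mul(c, pk))


def aggregate_pk(pks):
    """Naive aggregation, as in BLS: the sum of the public keys."""
    agg = None
    for pk in pks:
        agg = ec_add(agg, pk)
    return agg


def rogue_key(honest_pk, a):
    """Rogue key attack: pk_rogue = a*G - honest_pk, so the aggregate
    honest_pk + pk_rogue equals a*G and the attacker knows its secret a."""
    return ec_add(ec_mul(a, G), ec_neg(honest_pk))


class StakeTable:
    """Constructed stand-in for the on-chain table: address -> pk, PoP required."""
    def __init__(self):
        self.entries = {}

    def register(self, address, pk, proof):
        if address in self.entries or not pop_verify(pk, address, proof):
            return False
        self.entries[address] = pk
        return True


def demo():
    honest_addr, attacker_addr = b"\x11" * 20, b"\x22" * 20  # constructed
    sk, pk = keygen()
    honest_proof = pop_prove(sk, honest_addr)
    a = secrets.randbelow(N - 1) + 1
    pk_rogue = rogue_key(pk, a)
    table = StakeTable()
    return {
        "honest_registers": table.register(honest_addr, pk, honest_proof),
        "rogue_key_cancels": aggregate_pk([pk, pk_rogue]) == ec_mul(a, G),
        # Attacker knows a but not log_G(pk_rogue); signing with a fails.
        "rogue_registers": table.register(attacker_addr, pk_rogue,
                                          pop_prove(a, attacker_addr)),
        # Replaying the honest PoP under the attacker's address also fails.
        "replay_registers": table.register(attacker_addr, pk, honest_proof),
    }
```

The second and third rejections are the two halves of the thread's argument: the rogue key cancels the honest key in the aggregate, but its holder cannot sign with it, and because the address is inside the hash the honest user's proof cannot be reused to register their key under someone else's address. Note that `pop_prove(a, attacker_addr)` signs under the key `a*G`, not `pk_rogue`, which is exactly why verification against `pk_rogue` fails.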