Fixtures and tooling update

[BasileiosKal]

This PR:

• Updates existing fixtures and adds SHA256 suite ones. Proof fixture files are included but not added to the spec to avoid further conflicts with #210.
• Updates the fixtures tooling to read and write the fixtures on the document.
• Closes #217. Updates the message-generators tooling to return the correct file format.

Notes

1. This PR depends on #216 (in all the fixtures i am not prepending the length of the ciphersuite's ID encoding when hashing).
2. The message-generators tooling is "deactivated" on the workflow since it is not up to date with the spec. The generator files are not the ones returned by that tool and should be the correct ones.

[tmarkovski]

Would it be possible to include fixtures for some of the other utility operations, specifically scalars = hash_to_scalar(msg_octets, count). This operation is harder to validate as it's always a dependent part inside existing operations. A simple fixture for hashing an octet string into 1 and 2 scalars would go a long way.

[tmarkovski]

Some of the DST or SEED values contain RO_ in them, while some use R0_, letter O vs number 0. Is this intentional?

[BasileiosKal]

R.e., the R0_ in the DST's it's a typo. Thanks for identifying it, would never had picked it up 😅 The correct form is RO_ (not with the zero). The fixtures use the correct DST (with RO_)

R.e., the make_generators procedure, the current one is not up to date with the latest spec. PR #220 updates it. This PR has "deactivated" that tooling for the workflow, i.e., the generators fixtures are not yet created from that tool. Will reactivate it after #220 is merged.

[BasileiosKal]

Added hash-to-scalar and MapMessageToScalarAsHash test vectors. @tmarkovski hope those will be useful!

[BasileiosKal]

@tmarkovski, @christianpaquin I just pushed some new test vectors, after fixing a typo i made in one of the dst's. Sorry about that. It should be consistent now. Please use the updated ones in your testings!

[tmarkovski]

Happy to report that all test vectors are passing at present! Thanks for updating the test vectors and looking into the my issue.

Test Results

``` running 62 tests test encoding::test::to_octet_string_test ... ok test hashing::test::test_encode ... ok test encoding::test::encode_for_hash_test_vector ... ok test hashing::test::hash_to_curve_1_scalar_output_sha ... ok test hashing::test::hash_to_curve_1_scalar_output_shake ... ok test hashing::test::hash_to_curve_10_scalar_output_shake ... ok test hashing::test::map_message_to_scalar_test ... ok test key::test::get_random_key ... ok test key::test::gen_key_from_ikm ... ok test key::test::sk_to_pk_test ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof007_json ... ok test generators::test::generators_test::case_bls12_381_sha_256_generators_json_bls12381sha256 ... ok test generators::test::generators_test::case_bls12_381_shake_256_generators_json_bls12381shake256 ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof008_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof009_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof012_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof001_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof006_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof001_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof004_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof005_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof002_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof011_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof013_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof010_json ... ok test proof::test::proof_suite_1::case_bls12_381_sha_256_proof_proof003_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof007_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof008_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof009_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof012_json ... ok test signature::test::signature_from_octets_fails_incorrect_size ... ok test signature::test::signature_from_octets_succeeds ... ok test proof::test::test_proof_from_bytes ... ok test signature::test::signature_from_octets_succeeds_slice ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof006_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof004_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof003_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof002_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof005_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature001_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature002_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof010_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof013_json ... ok test proof::test::proof_suite_2::case_bls12_381_shake_256_proof_proof011_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature003_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature005_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature001_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature002_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature004_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature006_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature007_json ... ok test signature::test::signature_to_octets_succeeds ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature003_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature008_json ... ok test signature::test::signature_suite_1::case_bls12_381_sha_256_signature_signature009_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature005_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature004_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature006_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature008_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature007_json ... ok test signature::test::signature_suite_2::case_bls12_381_shake_256_signature_signature009_json ... ok test test::bbs_demo ... ok test result: ok. 62 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.92s running 5 tests test src/lib.rs - Bbs::message (line 56) ... ok test src/lib.rs - Bbs::message_with (line 89) ... ok test src/lib.rs - Bbs::message (line 65) ... ok test src/lib.rs - Bbs::sign (line 115) ... ok test src/lib.rs - Bbs::verify (line 143) ... ok test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.46s ```

My thoughts and findings:

• Most negative tests are hard to validate for the reason they specify. Once my positive tests worked, I only assumed the negative tests are working as well, since they were all failing before.
• Tests without header and presentation header might be useful as well
• I stumbled on the use of hex and treating messages as encoded scalars, but this has already been addressed I think. Might be useful to add variable length message inputs.
• Why does the Sign algorithm accept SK and PK as input, but doesn't validate if the PK is correct. SkToPk is fairly inexpensive operation, it seems that only SK is needed. Is there a security concern similar to what affected ECDSA?

[jovfer]

@tmarkovski are the implementation and tests (referred in your message above) public? If so, could you please share a link?

[christianpaquin]

It would be good to add a signing test over 0 messages, and a proof test disclosing no messages, to provide test cases for edge conditions (to validate the handling of empty argument arrays).

[tplooker]

@tmarkovski are the implementation and tests (referred in your message above) public? If so, could you please share a link?

I believe it is this @jovfer? https://github.com/trinsic-id/bbs/tree/main

[christianpaquin]

FYI @BasileiosKal, my implementation now validates these test vectors; simply sync with main and npm test.

[tplooker]

I've attempted to capture all the comments from this PR in #225 and #7. Because we have three implementations verifying these fixtures I'd like to merge at this point and publish a new draft revision ahead of the IETF meeting.

[tplooker]

Multiple approvals, reviewed on last WG call, residual gaps captured in issues, merging

[christianpaquin]

Great. I updated my lib to fetch fixtures from the main branch.