herumi / bls


the signature result is different with phoreproject's #58

Closed mdj33 closed 3 years ago

mdj33 commented 3 years ago

I signed the same msg with the same private key, and the signature result seems to be different from that of github.com/phoreproject/bls/g1pubs.

I guess the algorithm to get the hash of the msg is different, is that true? Is there a need to keep consistency?

herumi commented 3 years ago

If you want to use G1 as the public key and use the same hash-to-function as Ethereum, then make a library with -DBLS_ETH=1 and #define BLS_ETH and blsSetETHmode. cf. https://github.com/herumi/bls-eth-go-binary .

mdj33 commented 3 years ago

I did use the bls-eth-go-binary library to test. However, the signature result is not the same as phoreproject's; did you ever compare them?

same private key: 4aac41b5cb665b93e031faa751944b1f14d77cb17322403cba8df1d6e4541a4d
same msg: []byte("message to be signed.")

the signed result:
herumi: 83d1d10bcb456554b84651bcb4c5c2ac80c76d055f41ebcc0effc0748a3aaff24db59da3f862dd2b7970e8294b09996803db94cf1cc92372abe5d640dd5540b1a97d2b932145e412c57a8f51569c24d94bb40e117de6e04d9f604a26a9af40e1
g1pub: b109abd216d46eae1b9331b159d2309926db827ea31b6e394222b35bfcfc2278b67670918b60f8fb1ab03c7729d758dd0ce43845c1df29df24dcafe3585a5543eefcec44a1f4d56f6307aecd80fd77434bc36104754cb603ba191b6244df2d50

herumi commented 3 years ago

Though I don't know g1pub, my library supports draft-05~07 at https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/ .

mdj33 commented 3 years ago

I see that you also forked herumi/phoreproject-bls, in which the g1pub module resides. It is the same bls curve library coded in golang; g1pub just has the pubkey in G1 and signs in G2, the same as bls-eth-go-binary.

herumi commented 3 years ago

If the hash-to-curve function is different, then the signature will be different even if a public key and private key and message are all the same.

mratsim commented 3 years ago

Phoreproject is tracking the draft IETF standard from over a year ago: https://github.com/phoreproject/bls/blob/a88a5ae26844d7293359422888d7c7f69f43c845/hash.go#L9-L113

Since then the standard changed to HKDF and then a custom expand_message_XMD.

mratsim commented 3 years ago

To be clear, their code is dated from March 19, 2019. Assuming they implemented Draft 3 from March 11, 2019, those are the changes they have to implement to be in line with the hashing draft:

https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-irtf-cfrg-hash-to-curve-03.txt&url2=https://tools.ietf.org/id/draft-irtf-cfrg-hash-to-curve-08.txt

mdj33 commented 3 years ago

ok, many thanks for your clarification!

herumi commented 3 years ago

My library with EthModeDraft07 output:

https://github.com/herumi/bls-eth-go-binary/blob/master/examples/sample.go#L51-L66

sample4
sec:4aac41b5cb665b93e031faa751944b1f14d77cb17322403cba8df1d6e4541a4d
pub:841c5235ec7f4eed02b3f3bb60622d3ed0aba74016f4850c6d7c962656a4b78d72a15caeef62dfe656d03990590c0026
sig:af7ab839885d3189502b1092895c4676357ef7a32863bd4253eb4c7ab12fc3aa5a9d9a82e1e641c1c85965c468e1d33018e8a0bbe1d4aef5e751b3c94876c4de312d7ccca34c9fe6b80d8dd00c6a499759cea7febfc661f80831f9547c158c84

The hash function of my library outputs the same value at https://www.ietf.org/id/draft-irtf-cfrg-hash-to-curve-08.html#section-h.10.1 .

And dst = "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_ROPOP" for BLS. https://github.com/herumi/mcl/blob/master/include/mcl/mapto_wb19.hpp#L474
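Why the same key and message can still yield different signatures, as an added example that is not part of the thread or of either library's code: an implementation of expand_message_xmd with SHA-256, written from RFC 9380 section 5.3.1 (the drafts discussed in this thread differ from it in detail), run over the thread's message with the DST string as quoted above and a second, constructed DST. The function name `expandMessageXMD` and the `EXAMPLE-OTHER-DST` value are assumptions made for the illustration; the uniform bytes it prints are the input from which the curve point to be signed is derived, so any change to the DST or to the expansion step changes the signature.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// expandMessageXMD follows expand_message_xmd (SHA-256) as written in
// RFC 9380, section 5.3.1. Added example; not code from either library.
func expandMessageXMD(msg, dst []byte, lenInBytes int) ([]byte, error) {
	const bInBytes, sInBytes = sha256.Size, sha256.BlockSize
	ell := (lenInBytes + bInBytes - 1) / bInBytes
	if lenInBytes < 0 || ell > 255 || lenInBytes > 65535 || len(dst) > 255 {
		return nil, errors.New("expand_message_xmd: parameter out of range")
	}
	dstPrime := append(append([]byte{}, dst...), byte(len(dst))) // DST || I2OSP(len(DST), 1)

	// b_0 = H(Z_pad || msg || I2OSP(len_in_bytes, 2) || I2OSP(0, 1) || DST_prime)
	msgPrime := append(make([]byte, sInBytes), msg...)
	msgPrime = append(msgPrime, byte(lenInBytes>>8), byte(lenInBytes), 0)
	b0 := sha256.Sum256(append(msgPrime, dstPrime...))

	// b_1 = H(b_0 || 1 || DST_prime); b_i = H((b_0 XOR b_(i-1)) || i || DST_prime)
	out := make([]byte, 0, ell*bInBytes)
	var prev [bInBytes]byte // all zero, so round 1 hashes b_0 itself
	for i := 1; i <= ell; i++ {
		x := make([]byte, 0, bInBytes+1+len(dstPrime))
		for j := range b0 {
			x = append(x, b0[j]^prev[j])
		}
		prev = sha256.Sum256(append(append(x, byte(i)), dstPrime...))
		out = append(out, prev[:]...)
	}
	return out[:lenInBytes], nil
}

func main() {
	msg := []byte("message to be signed.") // message from the thread
	// First DST as quoted in the thread; the second is constructed for contrast.
	for _, dst := range []string{"BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_ROPOP", "EXAMPLE-OTHER-DST"} {
		u, err := expandMessageXMD(msg, []byte(dst), 256) // 256 bytes feed two Fp2 elements
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s %x...\n", dst, u[:16])
	}
}
```

When two BLS implementations disagree, comparing this intermediate output (and the DST each one passes in) narrows the mismatch to the expansion step or to the later map-to-curve step.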

meyer9 commented 3 years ago

Phore does not use the correct hash-to-curve function. The spec changed over time and Phore only supports the previous spec. This could be fixed by porting SSWU and SVD hash implementations to Phore, but I don't have time to do that. You can submit an issue on the phoreproject repo.

I actually implemented the new expand message function, but I have not implemented the new hash functions.

I might be able to work on this tonight if I have time, but generally doing crypto work for me is extremely boring, methodical and frustrating. Debugging hash functions is basically repeating a binary search over and over until it produces the right result.

mdj33 commented 3 years ago

@herumi I also got the same sign output as yours, "af7ab8...", with BLS_ETH_MODE_DRAFT_07. The previous different sign output "83d1d1..." is based on BLS_ETH_MODE_LATEST.
So, what is the difference between the BLS_ETH_MODE_DRAFT_07 and BLS_ETH_MODE_LATEST modes?

herumi commented 3 years ago

The latest value of BLS_ETH_MODE_LATEST is not updated yet. I'll update it later.