herumi / bls


Incorrect DST in blsGetPop and blsVerifyPop #66

Closed lgremy closed 2 years ago

lgremy commented 3 years ago

In §4.2.3 of BLS Signatures, the DST for the hash to elliptic curve function called in PopProve is BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_. However, in the implementation of blsGetPop, the DST being used is the one of blsSign, which is BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_, since the underlying function to be called is void msgToG2(G2& out, const void *msg, size_t msgSize) const, for which the DST is set to BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_.

If this is correct, the same remark is also applicable to blsVerifyPop. It would be possible to continue to factorize code between blsSign and blsGetPop on one hand, and blsVerify and blsVerifyPop on the other hand, but it must exclude the call to msgToG2 with the enforced DST.
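To make the point of the report concrete, here is an added Python example (not code from the bls library or from the reporter) that implements expand_message_xmd from RFC 9380, the first stage of the hash-to-G2 function both blsSign and blsGetPop rely on, and hashes the same input under the two DST strings named above. The later stages (hash_to_field, map_to_curve, cofactor clearing) are omitted, so the outputs are the uniform byte strings that would be fed into hash_to_field, not curve points; the function and variable names are this example's own.

```python
import hashlib
from math import ceil

# The two domain separation tags quoted in the issue (draft-irtf-cfrg-bls-signature).
SIG_DST = b"BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_"
POP_DST = b"BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_"

# hash_to_G2 for BLS12-381 calls hash_to_field with count=2, m=2, L=64,
# so expand_message_xmd must produce 2 * 2 * 64 = 256 bytes.
G2_EXPAND_LEN = 256


def i2osp(value: int, length: int) -> bytes:
    """Integer to big-endian octet string of fixed length (RFC 9380 notation)."""
    return value.to_bytes(length, "big")


def strxor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """expand_message_xmd from RFC 9380 §5.3.1, instantiated with SHA-256."""
    b_in_bytes = 32  # SHA-256 output size
    s_in_bytes = 64  # SHA-256 block size
    ell = ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("parameters out of range for expand_message_xmd")
    dst_prime = dst + i2osp(len(dst), 1)
    z_pad = bytes(s_in_bytes)
    msg_prime = z_pad + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    b_0 = hashlib.sha256(msg_prime).digest()
    blocks = [hashlib.sha256(b_0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        blocks.append(
            hashlib.sha256(strxor(b_0, blocks[-1]) + i2osp(i, 1) + dst_prime).digest()
        )
    return b"".join(blocks)[:len_in_bytes]


def expand_for_sign(msg: bytes) -> bytes:
    """What the signing path hashes: the message under the BLS_SIG_ tag."""
    return expand_message_xmd(msg, SIG_DST, G2_EXPAND_LEN)


def expand_for_pop(pubkey: bytes) -> bytes:
    """What PopProve should hash: the serialized public key under the BLS_POP_ tag."""
    return expand_message_xmd(pubkey, POP_DST, G2_EXPAND_LEN)


def pop_reuses_sign_hash(pubkey: bytes) -> bool:
    """True if a PoP computed with the signing DST (the bug described in the issue)
    would land on the same expanded bytes as a correctly tagged PoP. It should not."""
    return expand_message_xmd(pubkey, SIG_DST, G2_EXPAND_LEN) == expand_for_pop(pubkey)


if __name__ == "__main__":
    # Constructed 48-byte stand-in for a serialized G1 public key; not a real key.
    sample_pubkey = bytes(range(48))
    print("sign-tagged :", expand_message_xmd(sample_pubkey, SIG_DST, G2_EXPAND_LEN)[:16].hex())
    print("pop-tagged  :", expand_for_pop(sample_pubkey)[:16].hex())
    print("same output?", pop_reuses_sign_hash(sample_pubkey))
```

Because the DST is mixed into both b_0 and every subsequent block, a PoP produced under the BLS_SIG_ tag hashes to a different G2 point than a PoP produced under the BLS_POP_ tag; an implementation that factorizes blsSign and blsGetPop has to pass the tag into msgToG2 rather than hard-coding it, otherwise PoPs it emits will not verify against a conforming verifier and vice versa.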

herumi commented 3 years ago

Proof of possession is not required in Ethereum, so it has not been updated.