In §4.2.3 of BLS Signatures, the DST for the hash to elliptic curve function called in PopProve is BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_. However, in the implementation of blsGetPop, the DST being used is the one of blsSign, which is BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_, since the underlying function to be called is void msgToG2(G2& out, const void *msg, size_t msgSize) const, for which the DST is set to BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_.
If this is correct, the same remark is also applicable to blsVerifyPop. It would be possible to continue to factorize code between blsSign and blsGetPop on one hand, and blsVerify and blsVerifyPop on the other hand, but it must exclude the call to msgToG2 with the enforced DST.
In §4.2.3 of BLS Signatures, the DST for the hash to elliptic curve function called in
PopProve
isBLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
. However, in the implementation ofblsGetPop
, the DST being used is the one ofblsSign
, which isBLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
, since the underlying function to be called isvoid msgToG2(G2& out, const void *msg, size_t msgSize) const
, for which the DST is set toBLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
.If this is correct, the same remark is also applicable to
blsVerifyPop
. It would be possible to continue to factorize code betweenblsSign
andblsGetPop
on one hand, andblsVerify
andblsVerifyPop
on the other hand, but it must exclude the call tomsgToG2
with the enforced DST.