Closed nomeata closed 2 years ago
Thanks for catching the underscores/dashes bug. SSWU vs SVDW is more complicated. It refers to the Hash-To-Curve method to be used as in https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-09 . If using BLS12381 curve the SSWU method should be used, and the text SSWU used here. The fall-back method for other curves in the SVDW method (until the standard comes up with isogenies for those curves).
Are you saying that miracl currently uses SVDW for BLS, and that it should be using SSWU, so this “bug” report is about more than just the domain separator?
No. If using BLS12381 and to be standards compatible the domain separator should be
BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RONUL
The SSWU method is fully supported, and automatically invoked for BLS12381. However is using any other curve, like for example BLS12383, then
BLS_SIG_BLS12383G1_XMD:SHA-256_SVDW_RONUL
would be appropriate, as no SSWU method has been proposed for this curve, so it falls back to using the SVDW method.
SSWU is faster than SVDW.
I created the bls code I am using by selecting
BLS12381
(option 31 in the config), but in order for this to work with another implementation of BLS, I had to make the following changeI don’t fully know what that means, only that https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04 mentions the later form (underscores instead of dashes, a dash in SHA-256, SSWU onstead of SVDW).