BLS domain separator wrong?

[nomeata]

I created the bls code I am using by selecting BLS12381 (option 31 in the config), but in order for this to work with another implementation of BLS, I had to make the following change

@@ -67,7 +67,7 @@ static void BLS_HASH_TO_POINT(ECP_BLS12381 *P, octet *M)
     char dst[50];
     octet DST = {0,sizeof(dst),dst};

-    OCT_jstring(&DST,(char *)"BLS_SIG_BLS12381G1_XMD:SHA256-SVDW-RO-_NUL_");
+    OCT_jstring(&DST,(char *)"BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_");
     hash_to_field(MC_SHA2,HASH_TYPE_BLS12381,u,&DST,M,2);

     ECP_BLS12381_map2point(P,&u[0]);

I don’t fully know what that means, only that https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04 mentions the later form (underscores instead of dashes, a dash in SHA-256, SSWU onstead of SVDW).

[mcarrickscott]

Thanks for catching the underscores/dashes bug. SSWU vs SVDW is more complicated. It refers to the Hash-To-Curve method to be used as in https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-09 . If using BLS12381 curve the SSWU method should be used, and the text SSWU used here. The fall-back method for other curves in the SVDW method (until the standard comes up with isogenies for those curves).

[nomeata]

Are you saying that miracl currently uses SVDW for BLS, and that it should be using SSWU, so this “bug” report is about more than just the domain separator?

[mcarrickscott]

No. If using BLS12381 and to be standards compatible the domain separator should be

BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RONUL

The SSWU method is fully supported, and automatically invoked for BLS12381. However is using any other curve, like for example BLS12383, then

BLS_SIG_BLS12383G1_XMD:SHA-256_SVDW_RONUL

would be appropriate, as no SSWU method has been proposed for this curve, so it falls back to using the SVDW method.

SSWU is faster than SVDW.