search

paulmillr / noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.
https://paulmillr.com/noble
MIT License
623 stars 56 forks source link

bls12-381 verify method with G2 curve not working #76

Closed parviz-mv closed 10 months ago

parviz-mv commented 10 months ago

Hi! I'm trying to verify the created signature with the bls12-381 G2 curve, but I'm encountering the following error:
Error: bad point: equation left != right .

First, I generate a key pair, then create a signature using the private key. After that, I attempt to verify the signature using the public key: 

const privateKey = bls12_381.utils.randomPrivateKey();
const publicKey = bls12_381.G2.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
const message = Buffer.from("Hello world!").toString("hex");
const signature = bls12_381.sign(message, privateKey);
const isSignatureValid = bls12_381.verify(signature, message, publicKey);

Also, in the documentation of @mattrglobal/bbs-signatures, it is stated that the length of the signature must be 112 bytes for the G2 curve. However, I am getting 96 bytes.

Everything works fine when using the G1 curve. However, I suspect that the implementation for G2 is not yet available. Could you please confirm?

paulmillr commented 10 months ago

public key must be in g1 for signatures to be in g2

parviz-mv commented 10 months ago

@paulmillr thank you for response. I mean can I create signature using G2 key as public key? Is not supported at all or just not supported by library?

I am confused by another BLS/BBS implementation which is using G2 public key for signing:

Element Size Equation
Private Key F
Public Key G2
Signature G1 + 2*F
Proof 5G1 + (4 + no_of_hidden_messages)F
paulmillr commented 10 months ago

G1 is used for public keys, G2 is used for signatures If you need G1 sigs and G2 pubkeys, we don't support it: see #74