Closed randombit closed 10 months ago
Why?
> G1.hashToCurve uses the G2 domain separator
I don't think there is such a thing as standard G1 or G2 DSTs.
> Why?
Mostly because if you don't specify it, you'll use not just a wrong domain separator but even one that is reserved for G2.
> I don't think there is such a thing as standard G1 or G2 DSTs.
Maybe not standard per se, but this internet draft specifies the DSTs for G1 and G2: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04#section-4.2.1, and the current G2 default DST used in this library is exactly the one from that draft.
That same domain separator is also used by https://github.com/ethereum/py_ecc, https://github.com/supranational/blst and https://github.com/filecoin-project/lotus, and those are just the first three that pop up if I search for that string. I think that, despite being just a draft, every BLS implementation out there has followed it, since there is nothing better wrt standardization.
> there is nothing better wrt standardization
true
So, this feels like a miss from my end. If you could fix it, that would be great.
Fix for this is included in #74
Working on #74, I am running into a problem I am not sure how to address.
G1.hashToCurve uses the G2 domain separator ("BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_") instead of the appropriate one for G1. I tried to fix this with the following change:
but it does not seem to have any effect.
I can work around this by explicitly setting the domain separator to use when signing or verifying a short signature, but this feels pretty awkward/error prone.
I think this is missed by the existing hash-to-curve tests, since they always use some explicit dst.