paulmillr / noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.
https://paulmillr.com/noble
MIT License
621 stars 56 forks

Using the right domain separator when hashing to BLS12-381 G1 #77

Closed randombit closed 10 months ago

randombit commented 10 months ago

Working on #74 I am running into a problem I am not sure how to address.

G1.hashToCurve uses the G2 domain separator ("BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_") instead of the appropriate one for G1. I tried to fix this with the following change:

diff --git a/src/bls12-381.ts b/src/bls12-381.ts
index d4c7250..700b27e 100644
--- a/src/bls12-381.ts
+++ b/src/bls12-381.ts
@@ -1075,7 +1087,10 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     ),
     a: Fp.ZERO,
     b: _4n,
-    htfDefaults: { ...htfDefaults, m: 1 },
+    htfDefaults: { ...htfDefaults, m: 1,
+                   DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
+                   encodeDST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
+                 },
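Review bot: the G1-specific DST and encodeDST are overridden in the right-looking place (the G1 `htfDefaults` spread), yet the comment says the change has no effect, so before relying on this hunk check where `bls()` actually consumes `htfDefaults` for G1.hashToCurve: if the hash-to-curve path reads the shared `htfDefaults` object rather than the per-group copy, this override is dead. Add a test that calls G1.hashToCurve without an explicit DST and compares against a G1 vector, since the existing tests always pass an explicit dst and therefore cannot detect the wrong default. Note also that the hunk header offsets (`-1075` vs `+1087`) indicate other edits earlier in the file and no trailing context lines are shown, so the hunk as pasted is not applicable on its own.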

but it does not seem to have any effect.

I can work around this by explicitly setting the domain separator to use when signing or verifying a short signature, but this feels pretty awkward/error prone.

I think this is missed by the existing hash to curve tests since they always use some explicit dst.

paulmillr commented 10 months ago

I can work around this by explicitly setting the domain separator to use when signing or verifying a short signature, but this feels pretty awkward/error prone.

Why?

G1.hashToCurve uses the G2 domain separator

I don't think there is a such thing as standard G1 or G2 DSTs.

randombit commented 10 months ago

Why?

Mostly because if you don't specify it, you'll use not just a wrong domain separator but even one that is reserved for G2.

I don't think there is a such thing as standard G1 or G2 DSTs.

Maybe not standard per se but this internet draft specifies the DSTs for G1 and G2 https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04#section-4.2.1 and the current G2 default DST used in this library is exactly the one from that draft.

That same domain separator is also used by https://github.com/ethereum/py_ecc, https://github.com/supranational/blst and https://github.com/filecoin-project/lotus, and those are just the first three that pop up if I search that string. I think despite being just a draft every BLS implementation out there has followed it since there is nothing better wrt standardization.

paulmillr commented 10 months ago

there is nothing better wrt standardization

true

So, this feels like a miss from my end. If you could fix it, that would be great.

randombit commented 10 months ago

Fix for this is included in #74