status-im / nim-blscurve

Nim implementation of BLS signature scheme (Boneh-Lynn-Shacham) over Barreto-Lynn-Scott (BLS) curve BLS12-381
Apache License 2.0

Key generation according to draft standard #35

Closed mratsim closed 4 years ago

mratsim commented 4 years ago

The current key generation predates the draft standard, which is likely to be adopted (though it expired on Feb 9).

Implementation

https://github.com/status-im/nim-blscurve/blob/501f1fc3a0d2ab7954dc294d571ffd7aa969d55d/blscurve/common.nim#L834-L883

https://github.com/status-im/nim-blscurve/blob/501f1fc3a0d2ab7954dc294d571ffd7aa969d55d/blscurve/bls.nim#L90-L98

Draft standard

https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00#section-2.3

   The KeyGen algorithm generates a pair (PK, SK) deterministically
   using the secret octet string IKM.

   KeyGen uses HKDF \[RFC5869\] instantiated with the hash function H.

   For security, IKM MUST be infeasible to guess, e.g., generated by a
   trusted source of randomness.  IKM MUST be at least 32 bytes long,
   but it MAY be longer.
   Because KeyGen is deterministic, implementations MAY choose either to
   store the resulting (PK, SK) or to store IKM and call KeyGen to
   derive the keys when necessary.

   (PK, SK) = KeyGen(IKM)

   Inputs:
   - IKM, a secret octet string. See requirements above.

   Outputs:
   - PK, a public key encoded as an octet string.
   - SK, the corresponding secret key, an integer 0 <= SK < r.

   Definitions:
   - HKDF-Extract is as defined in RFC5869, instantiated with hash H.
   - HKDF-Expand is as defined in RFC5869, instantiated with hash H.
   - L is the integer given by ceil((1.5 * ceil(log2(r))) / 8).
   - "BLS-SIG-KEYGEN-SALT-" is an ASCII string comprising 20 octets.
   - "" is the empty string.

   Procedure:
   1. PRK = HKDF-Extract("BLS-SIG-KEYGEN-SALT-", IKM)
   2. OKM = HKDF-Expand(PRK, "", L)
   3. x = OS2IP(OKM) mod r
   4. xP = x * P
   5. SK = x
   6. PK = point_to_pubkey(xP)
   7. return (PK, SK)

HKDF with extract/expand step separation is already implemented as part of the hash_to_curve PR.

mratsim commented 4 years ago

Removing good first issue tag. The L = ceil((1.5 * ceil(log2(r))) / 8) step part to pass as info param to HKDF-Expand is non-trivial given that r (the prime order) seems to be 52435875175126190479447740508185965837690552500527637822603658699938581184513

mratsim commented 4 years ago

closed by #36
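Steps 1-3 of the KeyGen procedure quoted above, as an added example that is not part of the original thread or of nim-blscurve's code. It assumes H = SHA-256 and uses the value of r quoted in the second comment; steps 4-6 (the scalar multiplication and `point_to_pubkey`) need a BLS12-381 curve implementation and are left out.

```python
import hashlib
import hmac

# Order r of the prime-order subgroup, as quoted in the thread above.
R = 52435875175126190479447740508185965837690552500527637822603658699938581184513
SALT = b"BLS-SIG-KEYGEN-SALT-"  # 20 ASCII octets, per the draft
HASH = hashlib.sha256           # assumption: the draft's H is SHA-256


def keygen_okm_length(r: int = R) -> int:
    """L = ceil((1.5 * ceil(log2(r))) / 8), computed without floating point."""
    bits = r.bit_length()         # equals ceil(log2(r)) when r is not a power of two
    return (3 * bits + 15) // 16  # ceil(1.5 * bits / 8) == ceil(3 * bits / 16)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), truncated."""
    if length > 255 * HASH().digest_size:
        raise ValueError("HKDF-Expand output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_secret_key(ikm: bytes) -> int:
    """Steps 1-3 of the draft-00 KeyGen procedure; returns SK = x."""
    if len(ikm) < 32:
        raise ValueError("IKM MUST be at least 32 bytes long")
    prk = hkdf_extract(SALT, ikm)                     # step 1
    okm = hkdf_expand(prk, b"", keygen_okm_length())  # step 2, L = 48 for this r
    return int.from_bytes(okm, "big") % R             # step 3: OS2IP(OKM) mod r


if __name__ == "__main__":
    sample_ikm = bytes(range(32))  # constructed sample input, not real key material
    print("L  =", keygen_okm_length())
    print("SK =", hex(derive_secret_key(sample_ikm)))
```

Drawing 48 bytes for a 255-bit modulus is what keeps the bias of the `mod r` reduction negligible; reducing a 32-byte output directly would not.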