supranational / blst

Multilingual BLS12-381 signature library
Apache License 2.0

keygen: salt is hashed #74

Closed dannywillems closed 2 years ago

dannywillems commented 2 years ago

The function blst_keygen hashes the salt before using the HKDF, which is not the case in the specification. Is there any reason?

When writing an OCaml binding (available here), I tried to use the test vectors available in bls_sigs_ref. The test vectors use the seed to generate the sk and therefore the tests were not passing. While removing the hash, all the test vectors are fine (without any surprise ofc). If anyone else would like to use the test vectors generated by bls_sigs_ref, I regenerated the correct signature for the current version (3f7d97e2095d5b7a958c6f30390ad0535a0db60d) of keygen. The MR history should be clear enough to be convinced the values are correct. The files can also be regenerated from the original as described in the MR.

sean-sn commented 2 years ago

Which spec are you referring to? We are using this specification: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04#section-2.3

Step 4 of the procedure is to hash the salt, which is the line in the keygen function you referenced.

dannywillems commented 2 years ago

Oh, I noticed only now I was checking different versions and hashing the salt looks like it has been added in the version 04 (see version 03). It is not there before. And bls_sigs_ref follows the version 02 apparently. Why has it been added?

dot-asm commented 2 years ago

Why has it been added?

This is not exactly the right forum to ask this question:-) But on a serious note, we just follow the spec, so... the issue is effectively resolved.