Support raw signing of hashes and aggregated verification#13
Conversation
|
I'll merge this patch, please wait a moment. |
|
@codablock
|
|
There are three special values, i.e., zero, sqrt(-3), -sqrt(-3) in Fp. hashAndMapToG1 functions ignores the possibility that hashed value becomes the special values.
I see.
My aggregate signature implementation uses the hashed value for given message, But if hashed values are given, we can be sure that there are no same values.
Internally, the hash function of mcl can be changed. There is no C api for bls, is it better to append not verifyHash but the api?
The difference between BN curve and BLS12 is according to the mapTo point algorithm. see https://github.com/herumi/bls/blob/dev/test/bls_test.hpp#L459-L463 The probability that squareRoot success per one loop is about 1/2, so if one byte is appended at the bottom of hashed value, |
Ok I think I understand this solution, it basically shifts the FP element to the left by 8 bits to give the mapping algorithm room for searching y. While looking into the details I was also wondering why Fp is implemented by masking input values instead of calculating I'm comparing your implementation with another library (https://github.com/Chia-Network/bls-signatures, which is based on https://github.com/relic-toolkit/relic) and try to figure out were these differ and incompatibilities might occur. In relic, the finite fields are of prime order, so I assume all the field arithmetic differs, meaning that produced signatures and public keys very likely would differ as well. I also figured out that mapping to G1 and G2 for BN curves would differ between your libraries and the relic based ones. Relic does not implement the technique from "Indifferentiable hashing to Barreto Naehrig curves" and only uses the naive implementation. Or does the use of naive mapping instead of the mentioned technique result in the same points on the curves (I assume they would differ)? |
I wondered which way to choose (%p or mask), and I chose mask for simplicity. %p requires long integer division for large data.I think that it is inevitable that specifications differ according to implementation.
Yes, the map-to-point algorithm for BN-curve is faster, then I chose it. |
|
I assume I can close this PR as you're doing your own implementation now? FYI: Chia-Network/bls-signatures#19 seems to be an implementation of the Fouque tibouchi mapping but for BLS curves instead of BN curves. Not sure why you choose the naive mapping for the BLS curve, but maybe you can consider using the Fouque tibouchi for BLS as well? |
Does not
I did not know how to implement it for BLS, I'll read it, thank you. |
|
@herumi I'm not sure I understand your question. I see that you have not implemented blsVerifyAggregation with the duplication check. In my code I ensure that I never call this function with duplicated hashes. |
I see. I was planning to implement blsVerifyAggregatedHashes after hearing your reply. |
|
Looks good :) |
|
I pushed it into master. |
I modified mcl to use calcBN for BLS12 (herumi/mcl@76b13b0) so also changed a test for BLS(1c36a87). And I'm sorry that I found naiveMapTo is 1.2~1.5 times faster than calcBN. |
2 participants
This PR adds support for signHash/verifyHash and verifyAggregatedHashes. The code for aggregated verification is based on https://github.com/herumi/mcl/blob/265b4649f4b456e3fe5fcdce4ca436167adc78e4/include/mcl/aggregate_sig.hpp#L109.
The reason to allow signing of raw hashes is that we don't want to rely on the internals of the BLS library when it comes to hashing. We use internal wrappers around the BLS library which forces us to provide a public key every time we sign something. This public key is than hashed together with the actual message to prevent rogue public key attacks.
verifyAggregatedHashes is useful for us as we do batched verification as much as possible to reduce the number of required pairings.
I also added tests for verifyAggregatedHashes, but noticed that they fail for some reason on BLS12_381. The last check in the test modifies the first input hash and asserts that verification fails. For some reason, this works well on all the other curves but fails on the BLS12_381. Expected behavior would be that verification fails.
I'm not sure if this is related to the verifyAggregatedHashes function or if there is some general error in the BLS12_381 implementation and might need some advise here.