Module bls_signatures_rs::bn256

BLS aggregate signatures with bn256.

This module has been designed with the goal of being compatible with the bn256Add(G1), bn256ScalarMul(G1) and bn256Pairing provided by Ethereum.

BLS verification: e(H(m), PubKey) = e(Signature, G2::one)

This module handles public keys in G2 in order to avoid performing the hashing to G2, which involves a costly multiplication with the cofactor.

Test vectors: the following resources have been used for testing BN256 functionalities

Hashing to G1: In order to hash a specific message to G1, this module uses the try-and-increment algorithm. The running time of this algorithm is dependent on the input message, so it should be used only with public inputs. Alternatively, different hashing methods can be implemented as specified in:
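The try-and-increment approach described above, as an added example (not this crate's code), showing why the number of iterations, and therefore the running time, depends on the message. The curve parameters are those of bn256 (alt_bn128); the use of SHA-256, the one-byte counter appended to the message, and the function names are assumptions made for illustration and may differ from the crate's encoding.

```python
import hashlib

# bn256 / alt_bn128 base field prime and curve constant: y^2 = x^3 + 3 over F_p
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
B = 3


def hash_to_g1(msg: bytes, max_tries: int = 256):
    """Map msg to a curve point by try-and-increment.

    Returns (x, y, tries). The counter encoding and hash choice are
    illustrative assumptions, not the crate's wire format.
    """
    for ctr in range(max_tries):
        # Candidate x-coordinate from H(msg || counter), reduced into F_p.
        # (The reduction mod P carries a small bias; ignored here.)
        digest = hashlib.sha256(msg + bytes([ctr])).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + B) % P
        # P % 4 == 3, so rhs^((P+1)/4) is a square root whenever one exists.
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            # G1 has cofactor 1, so any point on the curve is in the group.
            return x, y, ctr + 1
        # rhs was a non-residue: increment the counter and try again.
    raise ValueError("no curve point found within max_tries")


def tries_per_message(messages):
    """Iteration count per message: the input-dependent part of the cost."""
    return [hash_to_g1(m)[2] for m in messages]


if __name__ == "__main__":
    # Constructed sample inputs. Each try succeeds with probability ~1/2,
    # so the counts differ from message to message.
    samples = [b"msg-%d" % i for i in range(8)]
    for m, t in zip(samples, tries_per_message(samples)):
        print(m.decode(), "->", t, "tries")
```

Because the loop exits as soon as a quadratic residue is found, an observer who can time the call learns how many candidates were rejected for that input, which is why the method is restricted to public messages.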

BLS resources: The following resources have been used as a reference to implement BLS signatures:

Disclaimer

This module does not implement a defense against rogue-key attacks, which means it should be used in protocols where possession of each individual's private key has been proven (i.e., by signing a message).

Modules

error

Errors returned by the bn256 library

Structs

Bn256

BLS multi signatures with curve bn256.

PrivateKey

The scalar used as private key

PublicKey

The public key as a point in G2