This crate implements BLS12-381 signatures on top of the arkworks crates ecosystem.
The interface for BLS signatures is defined in the following IRTF spec: https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html
This crate aims to implement BLS signatures in a way that’s compatible with Ethereum. The variants selected by
Ethereum are explained in the beacon chain spec.
The scheme used by Ethereum is BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_.
Its parameters are defined here:
- SC: proof-of-possession
- SV: minimal-pubkey-size
- EC: BLS12-381, as defined in Appendix A.
- H: SHA-256
- hash_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
- hash_pubkey_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
While the Domain Separation Tag (DST) isn’t hardcoded in this crate, we are hardcoding the choice of elliptic curve (BLS12-381), hash function (SHA-256), and variant (minimal-pubkey-size).
Modules§
Constants§
- DST_ETHEREUM - Domain separation tags to use if you’re working with Ethereum
Functions§
- aggregate - (spec link) Aggregates multiple signatures into one.
- aggregate_verify - (spec link) Checks an aggregated signature over several (PK, message) pairs.
- hash_to_point - (spec link) A cryptographic hash function that takes as input an arbitrary octet string and returns a point on an elliptic curve. Functions of this kind are defined in hash-to-curve-spec.
- key_validate - (spec link) Ensures that a public key is valid. In particular, it ensures that a public key represents a valid, non-identity point that is in the correct subgroup.
- keygen - (spec link) Generates a secret key SK deterministically from a secret octet string IKM. IKM MUST be at least 32 bytes long, but it MAY be longer.
- os2ip - (spec link) Converts an octet string to a nonnegative integer. This function loads bytes as a big-endian number and returns a valid SecretKey between 0 and p-1.
- point_to_pubkey - (spec link) Invoke the appropriate serialization routine depending on signature variant. For minimal-pubkey-size: point_to_pubkey(P) := point_to_octets_E1(P)
- point_to_pubkey_uncompressed - Version of point_to_pubkey returning uncompressed format.
- point_to_signature - (spec link) Invoke the appropriate serialization routine depending on signature variant. For minimal-pubkey-size: point_to_signature(P) := point_to_octets_E2(P)
- point_to_signature_uncompressed - Version of point_to_signature returning uncompressed format.
- pubkey_subgroup_check - (spec link) Invoke the appropriate subgroup check routine (Section 1.3) depending on signature variant. For minimal-pubkey-size: pubkey_subgroup_check(P) := subgroup_check_E1(P).
- pubkey_to_point - (spec link) Invoke the appropriate deserialization routine depending on signature variant. For minimal-pubkey-size: pubkey_to_point(ostr) := octets_to_point_E1(ostr)
- sign - (spec link) Computes a signature from SK, a secret key, and message, an octet string.
- signature_subgroup_check - (spec link) Invoke the appropriate subgroup check routine (Section 1.3) depending on signature variant. For minimal-pubkey-size: signature_subgroup_check(P) := subgroup_check_E2(P).
- signature_to_point - (spec link) Invoke the appropriate deserialization routine depending on signature variant. For minimal-pubkey-size: signature_to_point(ostr) := octets_to_point_E2(ostr)
- sk_to_pk - (spec link) Takes a secret key SK and outputs the corresponding public key PK.
- verify - (spec link) Checks that a signature is valid for the octet string message under the public key PK.