Crate bls_on_arkworks

source ·
Expand description

This crate implements BLS12-381 signatures on top of the arkworks crates ecosystem.

The interface for BLS signatures is defined in the following IRTF spec: https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html

This crate aims to implement BLS Signatures in a way that’s compatible with Ethereum. The variant selected by Ethereum are explained in the beacon chain spec. The scheme used by Ethereum is BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_. Its parameters are defined here:

  • SC: proof-of-possession
  • SV: minimal-pubkey-size
  • EC: BLS12-381, as defined in Appendix A.
  • H: SHA-256
  • hash_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
  • hash_pubkey_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_

While the Domain Separation Tag (DST) isn’t hardcoded in this crate, we are hardcoding the choice of elliptic curve (BLS12-381), hash function (SHA-256), and variant (minimal-pubkey-size).

Modules

  • errors
    Error enum to wrap underlying failures
  • types
    Types and type aliases for BLS operations.

Constants

  • DST_ETHEREUM
    Domain separation tags to use if you’re working with Ethereum

Functions

  • aggregate
    (spec link) Aggregates multiple signatures into one.
  • aggregate_verify
    (spec link) Checks an aggregated signature over several (PK, message) pairs.
  • hash_to_point
    (spec link) A cryptographic hash function that takes as input an arbitrary octet string and returns a point on an elliptic curve. Functions of this kind are defined in hash-to-curve-spec.
  • key_validate
    (spec link) Ensures that a public key is valid. In particular, it ensures that a public key represents a valid, non-identity point that is in the correct subgroup.
  • keygen
    (spec link) Generates a secret key SK deterministically from a secret octet string IKM. IKM MUST be at least 32 bytes long, but it MAY be longer.
  • os2ip
    (spec link) Converts an octet string to a nonnegative integer. This function loads bytes as a big-endian number and returns a valid SecretKey between 0 and p-1.
  • point_to_pubkey
    (spec link) Invoke the appropriate serialization routine depending on signature variant For minimal-pubkey-size: point_to_pubkey(P) := point_to_octets_E1(P)
  • point_to_pubkey_uncompressed
    Version of point_to_pubkey returning uncompressed format.
  • point_to_signature
    (spec link) Invoke the appropriate serialization routine depending on signature variant For minimal-pubkey-size: point_to_signature(P) := point_to_octets_E2(P)
  • point_to_signature_uncompressed
    Version of point_to_signature returning uncompressed format.
  • pubkey_subgroup_check
    (spec link) Invoke the appropriate subgroup check routine (Section 1.3) depending on signature variant: For minimal-pubkey-size: pubkey_subgroup_check(P) := subgroup_check_E1(P).
  • pubkey_to_point
    (spec link) Invoke the appropriate deserialization routine depending on signature variant For minimal-pubkey-size: pubkey_to_point(ostr) := octets_to_point_E1(ostr)
  • sign
    (spec link) Computes a signature from SK, a secret key, and message, an octet string.
  • signature_subgroup_check
    (spec link) Invoke the appropriate subgroup check routine (Section 1.3) depending on signature variant: For minimal-pubkey-size: signature_subgroup_check(P) := subgroup_check_E2(P).
  • signature_to_point
    (spec link) Invoke the appropriate deserialization routine depending on signature variant For minimal-pubkey-size: signature_to_point(ostr) := octets_to_point_E2(ostr)
  • sk_to_pk
    (spec link) Takes a secret key SK and outputs the corresponding public key PK.
  • verify
    (spec link) Checks that a signature is valid for the octet string message under the public key PK.