Crate bls_on_arkworks
This crate implements BLS12-381 signatures on top of the arkworks
crates ecosystem.
The interface for BLS signatures is defined in the following IRTF spec: https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html
This crate aims to implement BLS signatures in a way that's compatible with Ethereum. The variant selected by
Ethereum is explained in the beacon chain spec.
The scheme used by Ethereum is BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_.
Its parameters are defined here:
- SC: proof-of-possession
- SV: minimal-pubkey-size
- EC: BLS12-381, as defined in Appendix A.
- H: SHA-256
- hash_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
- hash_pubkey_to_point: BLS12381G2_XMD:SHA-256_SSWU_RO_ with the ASCII-encoded domain separation tag BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
While the Domain Separation Tag (DST) isn’t hardcoded in this crate, we are hardcoding the choice of elliptic curve (BLS12-381), hash function (SHA-256), and variant (minimal-pubkey-size).
Modules
- Error enum to wrap underlying failures
- Types and type aliases for BLS operations.
Constants
- Domain separation tags to use if you’re working with Ethereum
Functions
- (spec link) Aggregates multiple signatures into one.
- (spec link) Checks an aggregated signature over several (PK, message) pairs.
- (spec link) A cryptographic hash function that takes as input an arbitrary octet string and returns a point on an elliptic curve. Functions of this kind are defined in hash-to-curve-spec.
- (spec link) Ensures that a public key is valid. In particular, it ensures that a public key represents a valid, non-identity point that is in the correct subgroup.
- (spec link) Generates a secret key SK deterministically from a secret octet string IKM. IKM MUST be at least 32 bytes long, but it MAY be longer.
- (spec link) Invoke the appropriate serialization routine depending on signature variant. For minimal-pubkey-size: point_to_pubkey(P) := point_to_octets_E1(P)
- Version of point_to_pubkey returning uncompressed format.
- (spec link) Invoke the appropriate serialization routine depending on signature variant. For minimal-pubkey-size: point_to_signature(P) := point_to_octets_E2(P)
- Version of point_to_signature returning uncompressed format.
- (spec link) Invoke the appropriate subgroup check routine (Section 1.3) depending on signature variant. For minimal-pubkey-size: pubkey_subgroup_check(P) := subgroup_check_E1(P)
- (spec link) Invoke the appropriate deserialization routine depending on signature variant. For minimal-pubkey-size: pubkey_to_point(ostr) := octets_to_point_E1(ostr)
- (spec link) Computes a signature from SK, a secret key, and message, an octet string.
- (spec link) Invoke the appropriate subgroup check routine (Section 1.3) depending on signature variant. For minimal-pubkey-size: signature_subgroup_check(P) := subgroup_check_E2(P)
- (spec link) Invoke the appropriate deserialization routine depending on signature variant. For minimal-pubkey-size: signature_to_point(ostr) := octets_to_point_E2(ostr)
- (spec link) Takes a secret key SK and outputs the corresponding public key PK.
- (spec link) Checks that a signature is valid for the octet string message under the public key PK.