mattrglobal / bbs-signatures-spec Goto Github PK

Such as https://eprint.iacr.org/2009/095.pdf

Rather than adding required-reveal statements at a higher level (like linked data proofs) where they are difficult or impossible to enforce, for the next draft I think it would be beneficial to tie signature generation and verification to this information.

There are a few ways that this could be done, but I think that adding a required-reveal flag to the message generators is a good approach. For example, at the moment h[i] is defined as hash_to_curve_g1( w || I2OSP(0, 1) || I2OSP(i + 1, 4) || I2OSP(0, 1) || I2OSP(count, 4) ). The input to the hash could be extended with the required-reveal state of that message index, I2OSP(ri, 1) where ri is 0 or 1. For use cases where required-reveal statements are not important, the set of indices would be omitted and default to 0 for each index.

SpkVerify would be updated to take the required-reveal indices into account and reject verification when the message input is not provided.

If possible, it would be awesome to have deterministic signatures, so that test vectors / higher order data structures can be made stable.

The bbs crate currently follows draft 5, which is incompatible with later drafts. This needs to be added to the current spec as the values of the message generators will change depending on the draft version.

The spec currently says that this function returns a point in G1. I believe this is intended to be G2?

hash_to_curve_g2(ostr) -> P

    The cryptographic hash function that takes as an arbitrary octet string input and returns a point in **G1** as defined in [I-D.irtf-cfrg-hash-to-curve]. The algorithm is BLS12381G2_XMD:BLAKE2B_SSWU_RO, i.e use Blake2b-512 as part of expand message digest, apply the isogeny simplified SWU map to compute a point in G2 using the random oracle method. The domain separation tag value is dst.