Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adopt the IRTF CFRG draft standard #5

Open
burdges opened this issue Jun 14, 2019 · 6 comments
Open

Adopt the IRTF CFRG draft standard #5

burdges opened this issue Jun 14, 2019 · 6 comments

Comments

@burdges
Copy link
Collaborator

burdges commented Jun 14, 2019

There is a new hash to curve function implemented in the fork https://github.com/kwantam/pairing/ via zkcrypto/pairing#56 (comment) which should be evaluated.

There is also a draft BLS standard by the IETF at https://datatracker.ietf.org/doc/draft-boneh-bls-signature/ but they only hash-to-G1, which makes verification slow after extensive aggregation. In fact, you'd only ever use BLS with extensive aggregation, so this sounds silly, but perhaps hash-to-G2 is so slow that more extensive aggregation is required before hash-to-G2 wins.

Also, the standard recommends hashing-to-G1 with try-and-increment, which sound archaic. We currently use Michael Orru's adaptation of Fouque-Tibouchi as implemented in zkcrypto/pairing#30 but Wahby-Boneh sounds interesting too.

@burdges
Copy link
Collaborator Author

burdges commented Jun 14, 2019

Appears the IETF working draft is https://github.com/pairingwg/bls_standard/blob/master/minutes/spec-v1.md not the version on the webpage.

@kwantam
Copy link

kwantam commented Jun 14, 2019

Sorry to chase you around :) but just a quick note: the hash-to-curve impl is in https://github.com/kwantam/bls_sigs_ref/. (My fork of the pairing crate just adds a feature that (effectively) exposes the constructors for the low-level point representations.)

@burdges
Copy link
Collaborator Author

burdges commented Jun 27, 2019

I'm interested in aligning with https://github.com/kwantam/bls_sigs_ref as much as possible, although I obviously want to provide more flexibility than the standard, like permitting signatures on either group. See also https://github.com/algorand/bls_sigs_ref

I suppose the hashing functionality could be relegated to some trait that supported both STROBE and conventional hash functions, as BLS has no need for the superior domain separation of STROBE.

@burdges burdges changed the title Evaluate the IETF draft standard Evaluate the IRTF CFRG draft standard Nov 2, 2019
@burdges
Copy link
Collaborator Author

burdges commented Nov 2, 2019

Ideally we should increase the compliance with the IRTF CFRG drafts for BLS signatures and hash-to-curve throughout, without doing anything silly like using SHA2-HMACs everywhere.

@kwantam
Copy link

kwantam commented Nov 2, 2019

Depends on what you mean by silly 😄

At the least it's sensible to try and make sure that whatever hash function to the base field you decide to use has an indifferentiability proof in some reasonable model. Hash-to-curve is adding (very barebones) support for defining alternative hash-to-base functions in the next draft. KMAC and cSHAKE both look like they'd work if you want to use a SHA-3--ish function, and Blake2X-on-Blake2b also looks like it could work.

I'm happy to give feedback on whatever you land on.


edit:

more flexibility than the standard, like permitting signatures on either group.

I'm sure you know this by now, but the most recent version of the BLS document supports signatures on both groups.

@burdges
Copy link
Collaborator Author

burdges commented Nov 2, 2019

Thanks! I'll attempt to catch back up on this eventually, but not anytime this month I fear.

@burdges burdges changed the title Evaluate the IRTF CFRG draft standard Adopt the IRTF CFRG draft standard Sep 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants