Update hash_to_g2 in BLS

[kirk-baird]

The purpose of this PR is to update the hash_to_g2 function to match those specified in the BLS Standards. Riad has kindly already prepared the ciphersuite BLS12381G2-SHA256-SSWU-RO. It can be found in section 8.7 of the hash-to-curve standard. I've written a few extra notes in the hopes of assisting anyone implementing it.

Things worth noting:

• The links are currently pointing at the draft of the standard which is changing and hence they will need to be updated once it is finalised.
• Pseudo Code for clear_cofactor is currently being written and when it's complete we should point to that instead of the paper currently being pointed too.
• The standard states that serialisation should be done the same as Zcash which ours is slightly different.

Let me know if you would like me to expand into more detail on any parts of hash_to_curve

[hwwhww]

Thank you for the interpretation!

The document is for the latest version (draft-irtf-cfrg-hash-to-curve-04). Perhaps note the IETF version here so that we can keep this doc synced. :)

[hwwhww]

Does HKDF-Extract function take parameter salt in bytes? Should we note that which encoding format for the DST value?

[kirk-baird]

Yep the salt for HKDF-Extract is DST. The standard has the type of salt as a string hence I left it as a string here. However my implementation (and I'm sure others will too) takes bytes so I would not be against also displaying it as bytes.

[hwwhww]

It should be

Suggested change

	hash_to_curve(message_hash)
	P = hash_to_curve(message_hash)

Can we just rename hash_to_G2 to hash_to_curve?

[kirk-baird]

Oh I've been spending too much time in rust land I've forgotten my return statements. I think it should be return hash_to_curve(message_hash)

I was very tempted to rename hash_to_g2 however as hash_to_g2 takes Bytes32 whereas hash_to_curve takes Bytes I decided to make the abstraction. What are your thoughts on this?

[benjaminion]

The current signature of hash_to_G2 is hash_to_G2(message_hash: Bytes32, domain: Bytes8). This draft has hash_to_G2(message_hash: Bytes32). How should we handle the domain parameter?

[kirk-baird]

The current signature of hash_to_G2 is hash_to_G2(message_hash: Bytes32, domain: Bytes8). This draft has hash_to_G2(message_hash: Bytes32). How should we handle the domain parameter?

At this point it looks like there will be a wrapper class around the message and domain which will do hash_tree_root and the hash of that wrapper object will be passed to BLS.

You can see here for the discussion about the wrapper object.

[kirk-baird]

This has been updated to version 5 of the hash to curve draft and is ready for review :)

Let me know if you want more of less details on any sections.

p.s. I haven't made updates based on the bls signatures draft just the hash to curve draft.

[JustinDrake]

Could mention that "RO" stands for "random oracle"

[JustinDrake]

Should this ciphersuite only be used for the proof of possession (deposit_data.signature)?

[JustinDrake]

Should the ciphersuite be BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_ (notice the extra - after RO-)?

[CarlBeek]

I don't think so, the IETF spec has a hash_to_point definition for messages of this ciphersuite which is distinct from hash_pubkey_to_point. My understanding is that if you use the PoP defined by the IETF spec, you should use BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_ or BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_ if their PoP is not used.

Considering that we do not use the exact PoP defined by the IETF spec, I think we should not claim to use the PoP ciphersuite anywhere.

Suggested change

	We use the following Ciphersuite `BLS_SIG_BLS12381G2-SHA256-SSWU-RO_POP_`.
	We use the following Ciphersuite `BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_NUL_`.

[kirk-baird]

I believe we should just use one ciphersuite for both PoP and regular signature validation.
The extra - after RO- is deliberate as that's how the examples were given in the IETF spec.

I agree with Carl, if we don't use the specified PoP we should not use that in our ciphersuite tag. However, I then ask why do we not use that standardized PoP?

[JustinDrake]

The extra - after RO- is deliberate as that's how the examples were given in the IETF spec.

Right :) The extra - were missing and added them in.

why do we not use that standardized PoP?

What is the difference between the standardized PoP and the currently specified PoP?

[kirk-baird]

Good question,
The standardize PoP signs the message:
msg = bytes(public_key)

Where as we sign the message:
msg = signing_root(deposit.data)
Which contains withdrawal_credentials and amount along with the public_key.

[CarlBeek]

The standardize PoP signs the message:
msg = bytes(public_key)

Note that there is a specific domain separation tag just for signing pubkeys. (A third tag not mentioned here yet.)

[kirk-baird]

You're right sorry, I didn't notice the tag was slightly different between regular signatures and PoP.
PoP: BLS_POP_BLS12381G2-SHA256-SSWU-RO-_POP_
Regular Signature: BLS_SIG_BLS12381G2-SHA256-SSWU-RO-_POP_

With the option of changing the last _POP_ to _NUL_ if required.

[kirk-baird]

Closed in favour of #1532