Resources & TODO

Mamy Ratsimbazafy edited this page Aug 14, 2018 · 3 revisions

What do we need?

  • Secret and public key generation
  • Message signing
  • Message verification

This is common to every elliptic curve crypto need, including secp256k1.

The new things that BLS brings to the table are:

  • Signature aggregation
  • Public key aggregation ==> for multi signatures

This would work a bit like a petition where everyone can stamp the message with his signature.

What is missing from Milagro-Crypto?

Everything except key generation! We can't use the following exported procs:

proc ECP_BLS381_SP_DSA*(sha: HashType, csprng: ptr Csprng, ephemeralKey, privkey, msg, out_sig_c, out_sig_d: ptr Octet): EcdhError {.amcl.}
  ## IEEE-1363 ECDSA Signature
  ## sha is the hash type
  ## csprng is a pointer to a cryptographically secure random number generator
  ## ephemeralKey. This value is used when csprng is nil
  ## privkey the input private signing key
  ## msg the input message to be signed
  ## out_sig_c: c component of the output signature
  ## out_sig_d: d component of the output signature

proc ECP_BLS381_VP_DSA*(sha: HashType, pubkey, msg, sig_c, sig_d: ptr Octet): EcdhError {.amcl.}
  ## IEEE-1363 ECDSA Signature Verification
  ## sha is the hash type
  ## pubkey: the input public key
  ## msg: the input message
  ## sig_c: c component of the input signature
  ## sig_d: d component of the input signature

These require a CSPRNG, whereas for our usage we need deterministic signatures, so we need to implement them from the curve primitives.

Reading:

  • Layman's Guide to Elliptic Curve Digital Signatures: you will find examples and 2D graphs. Key point: normally elliptic curves would require floating point, but by using modular arithmetic we can transform all fractions to (big) integers.

  • The fundamentals of ECDSA: you will find key generation, signature and verification. Note that this ECDSA scheme uses a crypto-secure random number generator. As noted in Wikipedia:

    Another way ECDSA signature may leak private keys is when k is generated by a faulty random number generator. Such a failure in random number generation caused users of Android Bitcoin Wallet to lose their funds in August 2013. To ensure that k is unique for each message one may bypass random number generation completely and generate deterministic signatures by deriving k from both the message and the private key.

  • High-level primer of ECDSA by Cloudflare

  • Short spec for BLS multisig

  • To be read in parallel, switch to the other when stuck, it helps a lot:

    BLS is a particular curve because it is pairing friendly. The key point is that what we call an elliptic curve with a modulus is also called an elliptic curve over FP (or FQ). FP is an extension field, i.e. same operations/rules as normal math, except that everything is modulo the modulus. We also need equations of higher order (FP2 to FP12), which are solved using complex integer numbers.

    The complex i is called “u” in the Zcash spec.
