Add BLS signature following spec
This MR implements BLS signature following the specification v4 (draft) available here. It fixes #34 (closed). It provides the 3 different schemes described in the paper. The specification describes two versions for the schemes: short pk/large signature and large pk/short signature. The first one is implemented, but both or the latter can be implemented very easily if required.
- 2d85f6af adds the signature for the three schemes (Basic, Aug and Pop)
- 1660d092 implements it for blst backend
- a0992558 adds the test vectors from https://github.com/algorand/bls_sigs_ref/pull/7
- dc83192e is required because blst hashes the salt used by keygen to generate the secret key from the ikm. It is not in the specification version before v4 (bls_sigs_ref, where the test vectors come from, uses v2) but it is in v4, see https://github.com/supranational/blst/issues/74. The files are generated from the previous commit and using the util script with the commands:
  ```
  dune build @generate_test_vectors_for_bls_sig_g2_basic -f
  dune build @generate_test_vectors_for_bls_sig_g2_aug -f
  dune build @generate_test_vectors_for_bls_sig_g2_pop -f
  dune build @generate_test_vectors_for_bls_pop_g2 -f
  ```
  The reviewer MUST verify that by removing the lines hashing the salt and by removing the suffix `_blst` in the test vector names, the tests are passing without dc83192e!
- fbdf1269 and 7a4fca6a fake the implementation for JS and Rust. Rust backend is going to be replaced by the blst backend in the near future. For the JS backend, no decision has been made yet.
Test files are verbose on purpose. It should be self-contained when reading a test function.
TODO:
- add signatures with points on the curve but not in the subgroup.
- `blst_core_verify_pk_in_g1` verifies the point and the signature are points on the curve and in the subgroup, which is already verified on the OCaml side thanks to the typechecker. We could avoid it.