From 686a6163fd6e92d8afd12dc3f1715d74d38c3e43 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Thu, 3 Jun 2021 08:52:54 +0200 Subject: [PATCH 01/15] fixing serialization format link --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 86d347e..ffa1bd4 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -118,7 +118,7 @@ organization="Algorand" - + BLS12-381 From a4dd2039ab8f533e1603d90c8abbf6e00f54718d Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Thu, 3 Jun 2021 08:55:23 +0200 Subject: [PATCH 02/15] fixing serialization format link --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index ffa1bd4..8ef73ae 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -118,7 +118,7 @@ organization="Algorand" - + BLS12-381 From e2aa452f191bcf747060910dc25a88a50ca66ef3 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Thu, 3 Jun 2021 08:55:59 +0200 Subject: [PATCH 03/15] fixing serialization format link --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 8ef73ae..0c68ca2 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -118,7 +118,7 @@ organization="Algorand" - + BLS12-381 From fa5ed6985362a5072bf528eef6827657b04acacb Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Thu, 3 Jun 2021 17:29:40 +0200 Subject: [PATCH 04/15] strawman patch for https://github.com/cfrg/draft-irtf-cfrg-bls-signature/issues/38 --- draft-irtf-cfrg-bls-signature.md | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) 
diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 0c68ca2..f26e4ef 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -753,7 +753,7 @@ Procedure: ## CoreAggregateVerify The CoreAggregateVerify algorithm checks an aggregated signature -over several (PK, message) pairs. +over several (PK, message) pairs. This function first aggregates public keys of the same message. ~~~ result = CoreAggregateVerify((PK_1, ..., PK_n), @@ -771,17 +771,24 @@ Outputs: Precondition: n >= 1, otherwise return INVALID. Procedure: -1. R = signature_to_point(signature) -2. If R is INVALID, return INVALID -3. If signature_subgroup_check(R) is INVALID, return INVALID -4. C1 = 1 (the identity element in GT) -5. for i in 1, ..., n: -6. If KeyValidate(PK_i) is INVALID, return INVALID -7. xP = pubkey_to_point(PK_i) -8. Q = hash_to_point(message_i) -9. C1 = C1 * pairing(Q, xP) -10. C2 = pairing(R, P) -11. If C1 == C2, return VALID, else return INVALID +1 compute the l distinct messages m_1, m_l +2. Aggregate the public keys of the same message to l sets of public keys QK_1_1, ...,QK_1_m, QK_2_1,..., QK_2_p, ..., QK_l_1,...,QK_l_q +3. R = signature_to_point(signature) +4. If R is INVALID, return INVALID +5. If signature_subgroup_check(R) is INVALID, return INVALID +6. C1 = 1 (the identity element in GT) +7. for i in 1, ..., l: +8. aggregate = pubkey_to_point(QK_i_1) + for j in 2,...,len(QK_i): +9. next = pubkey_to_point(PK_j_k) +10. aggregate = aggregate + next +11. RK_i = point_to_pubkey(aggregate) +12. If KeyValidate(RK_i) is INVALID, return INVALID +13. xP = pubkey_to_point(RK_i) +14. Q = hash_to_point(m_i) +15. C1 = C1 * pairing(Q, xP) +16. C2 = pairing(R, P) +17. If C1 == C2, return VALID, else return INVALID ~~~ # BLS Signatures {#schemes} From 2e80fd3ce52891a2abd7b0f13d8c045c73325a68 Mon Sep 17 00:00:00 2001 
From: Antonio Sanso Date: Thu, 3 Jun 2021 18:00:00 +0200 Subject: [PATCH 05/15] strawman patch for https://github.com/cfrg/draft-irtf-cfrg-bls-signature/issues/38 --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index f26e4ef..8a06922 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -780,7 +780,7 @@ Procedure: 7. for i in 1, ..., l: 8. aggregate = pubkey_to_point(QK_i_1) for j in 2,...,len(QK_i): -9. next = pubkey_to_point(PK_j_k) +9. next = pubkey_to_point(PK_i_j) 10. aggregate = aggregate + next 11. RK_i = point_to_pubkey(aggregate) 12. If KeyValidate(RK_i) is INVALID, return INVALID From a3f5b8010fbc924191b891c1d88c94ca4985f6ec Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Mon, 7 Jun 2021 13:31:39 +0200 Subject: [PATCH 06/15] reverting unrelated commits --- draft-irtf-cfrg-bls-signature.md | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 8a06922..230d5db 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -753,7 +753,7 @@ Procedure: ## CoreAggregateVerify The CoreAggregateVerify algorithm checks an aggregated signature -over several (PK, message) pairs. This function first aggregates public keys of the same message. +over several (PK, message) pairs. ~~~ result = CoreAggregateVerify((PK_1, ..., PK_n), 
@@ -771,24 +771,17 @@ Outputs: Precondition: n >= 1, otherwise return INVALID. Procedure: -1 compute the l distinct messages m_1, m_l -2. Aggregate the public keys of the same message to l sets of public keys QK_1_1, ...,QK_1_m, QK_2_1,..., QK_2_p, ..., QK_l_1,...,QK_l_q -3. R = signature_to_point(signature) -4. If R is INVALID, return INVALID -5. If signature_subgroup_check(R) is INVALID, return INVALID -6. C1 = 1 (the identity element in GT) -7. for i in 1, ..., l: -8. aggregate = pubkey_to_point(QK_i_1) - for j in 2,...,len(QK_i): -9. next = pubkey_to_point(PK_i_j) -10. aggregate = aggregate + next -11. RK_i = point_to_pubkey(aggregate) -12. If KeyValidate(RK_i) is INVALID, return INVALID -13. xP = pubkey_to_point(RK_i) -14. Q = hash_to_point(m_i) -15. C1 = C1 * pairing(Q, xP) -16. C2 = pairing(R, P) -17. If C1 == C2, return VALID, else return INVALID +1. R = signature_to_point(signature) +2. If R is INVALID, return INVALID +3. If signature_subgroup_check(R) is INVALID, return INVALID +4. C1 = 1 (the identity element in GT) +5. for i in 1, ..., n: +6. If KeyValidate(PK_i) is INVALID, return INVALID +7. xP = pubkey_to_point(PK_i) +8. Q = hash_to_point(message_i) +9. C1 = C1 * pairing(Q, xP) +10. C2 = pairing(R, P) +11. If C1 == C2, return VALID, else return INVALID ~~~ # BLS Signatures {#schemes} @@ -1388,3 +1381,4 @@ of possession scheme of (#schemepop). [@BDN18] prove the security of another rogue key defense; this defense is not standardized in this document. + From 103b76e621a5fc8d1f6acf6b57a193fa413d07c4 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Mon, 7 Jun 2021 13:40:56 +0200 Subject: [PATCH 07/15] reverting --- draft-irtf-cfrg-bls-signature.md | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 230d5db..6798f42 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md 
@@ -753,7 +753,7 @@ Procedure: ## CoreAggregateVerify The CoreAggregateVerify algorithm checks an aggregated signature -over several (PK, message) pairs. +over several (PK, message) pairs. This function first aggregates public keys of the same message. ~~~ result = CoreAggregateVerify((PK_1, ..., PK_n), @@ -771,17 +771,24 @@ Outputs: Precondition: n >= 1, otherwise return INVALID. Procedure: -1. R = signature_to_point(signature) -2. If R is INVALID, return INVALID -3. If signature_subgroup_check(R) is INVALID, return INVALID -4. C1 = 1 (the identity element in GT) -5. for i in 1, ..., n: -6. If KeyValidate(PK_i) is INVALID, return INVALID -7. xP = pubkey_to_point(PK_i) -8. Q = hash_to_point(message_i) -9. C1 = C1 * pairing(Q, xP) -10. C2 = pairing(R, P) -11. If C1 == C2, return VALID, else return INVALID +1 compute the l distinct messages m_1, m_l +2. Aggregate the public keys of the same message to l sets of public keys QK_1_1, ...,QK_1_m, QK_2_1,..., QK_2_p, ..., QK_l_1,...,QK_l_q +3. R = signature_to_point(signature) +4. If R is INVALID, return INVALID +5. If signature_subgroup_check(R) is INVALID, return INVALID +6. C1 = 1 (the identity element in GT) +7. for i in 1, ..., l: +8. aggregate = pubkey_to_point(QK_i_1) + for j in 2,...,len(QK_i): +9. next = pubkey_to_point(PK_i_j) +10. aggregate = aggregate + next +11. RK_i = point_to_pubkey(aggregate) +12. If KeyValidate(RK_i) is INVALID, return INVALID +13. xP = pubkey_to_point(RK_i) +14. Q = hash_to_point(m_i) +15. C1 = C1 * pairing(Q, xP) +16. C2 = pairing(R, P) +17. If C1 == C2, return VALID, else return INVALID ~~~ # BLS Signatures {#schemes} From bf1a00b319f5966e051de30874497e119c6feb81 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Wed, 9 Jun 2021 08:50:51 +0200 Subject: [PATCH 08/15] applying suggestion by zhenfei zhang --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 6798f42..f423af4 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -771,7 +771,7 @@ Outputs: Precondition: n >= 1, otherwise return INVALID. Procedure: -1 compute the l distinct messages m_1, m_l +1 Group the n input messages into l distinct messages, denoted by m_1, ... m_l 2. Aggregate the public keys of the same message to l sets of public keys QK_1_1, ...,QK_1_m, QK_2_1,..., QK_2_p, ..., QK_l_1,...,QK_l_q 3. R = signature_to_point(signature) 4. If R is INVALID, return INVALID From d00effe2f22757d84486c4bba5fd98683e0fc9ce Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Wed, 9 Jun 2021 08:52:50 +0200 Subject: [PATCH 09/15] fixing indentation --- draft-irtf-cfrg-bls-signature.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index f423af4..c2ff2ea 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -773,11 +773,11 @@ Precondition: n >= 1, otherwise return INVALID. Procedure: 1 Group the n input messages into l distinct messages, denoted by m_1, ... m_l 2. Aggregate the public keys of the same message to l sets of public keys QK_1_1, ...,QK_1_m, QK_2_1,..., QK_2_p, ..., QK_l_1,...,QK_l_q -3. R = signature_to_point(signature) -4. If R is INVALID, return INVALID -5. If signature_subgroup_check(R) is INVALID, return INVALID -6. C1 = 1 (the identity element in GT) -7. for i in 1, ..., l: +3. R = signature_to_point(signature) +4. If R is INVALID, return INVALID +5. If signature_subgroup_check(R) is INVALID, return INVALID +6. C1 = 1 (the identity element in GT) +7. for i in 1, ..., l: 8. aggregate = pubkey_to_point(QK_i_1) for j in 2,...,len(QK_i): 9. next = pubkey_to_point(PK_i_j) From 7ac7057d0eff798c6760b302e2e69b9fbf96db9b Mon Sep 17 00:00:00 2001 
From: Antonio Sanso Date: Wed, 9 Jun 2021 09:03:31 +0200 Subject: [PATCH 10/15] small fix --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index c2ff2ea..cda6f44 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -780,7 +780,7 @@ Procedure: 7. for i in 1, ..., l: 8. aggregate = pubkey_to_point(QK_i_1) for j in 2,...,len(QK_i): -9. next = pubkey_to_point(PK_i_j) +9. next = pubkey_to_point(QK_i_j) 10. aggregate = aggregate + next 11. RK_i = point_to_pubkey(aggregate) 12. If KeyValidate(RK_i) is INVALID, return INVALID From 9bcc643f4c64fcd9a5b1e33236c89e932754ab3c Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Wed, 9 Jun 2021 09:06:57 +0200 Subject: [PATCH 11/15] adding single public key validation as suggested by Quan --- draft-irtf-cfrg-bls-signature.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index cda6f44..2cc4160 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -778,8 +778,10 @@ Procedure: 5. If signature_subgroup_check(R) is INVALID, return INVALID 6. C1 = 1 (the identity element in GT) 7. for i in 1, ..., l: + if KeyValidate(QK_i_1) is INVALID, return INVALID 8. aggregate = pubkey_to_point(QK_i_1) for j in 2,...,len(QK_i): + If KeyValidate(QK_i_j) is INVALID, return INVALID 9. next = pubkey_to_point(QK_i_j) 10. aggregate = aggregate + next 11. RK_i = point_to_pubkey(aggregate) From c722f0377f2f95fef080b0886bfe6fdc813006d2 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Wed, 9 Jun 2021 09:09:42 +0200 Subject: [PATCH 12/15] applying suggestion by zhenfei zhang --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 2cc4160..8c72dfe 100644 
--- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -772,7 +772,7 @@ Precondition: n >= 1, otherwise return INVALID. Procedure: 1 Group the n input messages into l distinct messages, denoted by m_1, ... m_l -2. Aggregate the public keys of the same message to l sets of public keys QK_1_1, ...,QK_1_m, QK_2_1,..., QK_2_p, ..., QK_l_1,...,QK_l_q +2. Aggregate the public keys of the same message to l sets of public keys {QK_1_1, ...,QK_1_m}, {QK_2_1,..., QK_2_p}, ..., {QK_l_1,...,QK_l_q} 3. R = signature_to_point(signature) 4. If R is INVALID, return INVALID 5. If signature_subgroup_check(R) is INVALID, return INVALID From 945b99e583cf3fe534fe89c3fdfd9a265afdfbba Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Wed, 9 Jun 2021 10:04:19 +0200 Subject: [PATCH 13/15] adding single public key validation as suggested by Quan --- draft-irtf-cfrg-bls-signature.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 8c72dfe..424bc65 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -785,12 +785,13 @@ Procedure: 9. next = pubkey_to_point(QK_i_j) 10. aggregate = aggregate + next 11. RK_i = point_to_pubkey(aggregate) -12. If KeyValidate(RK_i) is INVALID, return INVALID -13. xP = pubkey_to_point(RK_i) -14. Q = hash_to_point(m_i) -15. C1 = C1 * pairing(Q, xP) -16. C2 = pairing(R, P) -17. If C1 == C2, return VALID, else return INVALID +12. If len(QK_i) > 1: +13. If KeyValidate(RK_i) is INVALID, return INVALID +14. xP = pubkey_to_point(RK_i) +15. Q = hash_to_point(m_i) +16. C1 = C1 * pairing(Q, xP) +17. C2 = pairing(R, P) +18. If C1 == C2, return VALID, else return INVALID ~~~ # BLS Signatures {#schemes} From 249b75e84d5bda587830d9a2b7d0741d52c5b775 Mon Sep 17 00:00:00 2001 
From: Antonio Sanso Date: Fri, 11 Jun 2021 15:12:01 +0200 Subject: [PATCH 14/15] applying suggestion by zhenfei zhang --- draft-irtf-cfrg-bls-signature.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 424bc65..1c9e7f3 100644 --- a/draft-irtf-cfrg-bls-signature.md +++ b/draft-irtf-cfrg-bls-signature.md @@ -772,7 +772,7 @@ Precondition: n >= 1, otherwise return INVALID. Procedure: 1 Group the n input messages into l distinct messages, denoted by m_1, ... m_l -2. Aggregate the public keys of the same message to l sets of public keys {QK_1_1, ...,QK_1_m}, {QK_2_1,..., QK_2_p}, ..., {QK_l_1,...,QK_l_q} +2. Aggregate the public keys of the same message to l sets of public keys QK_set_1 = {QK_1_1, ...,QK_1_m}, QK_set_2 = {QK_2_1,..., QK_2_p}, ..., QK_set_l = {QK_l_1,...,QK_l_q} 3. R = signature_to_point(signature) 4. If R is INVALID, return INVALID 5. If signature_subgroup_check(R) is INVALID, return INVALID @@ -780,12 +780,12 @@ Procedure: 7. for i in 1, ..., l: if KeyValidate(QK_i_1) is INVALID, return INVALID 8. aggregate = pubkey_to_point(QK_i_1) - for j in 2,...,len(QK_i): + for j in 2,...,len(QK_set_i): If KeyValidate(QK_i_j) is INVALID, return INVALID 9. next = pubkey_to_point(QK_i_j) 10. aggregate = aggregate + next 11. RK_i = point_to_pubkey(aggregate) -12. If len(QK_i) > 1: +12. If len(QK_set_1) > 1: 13. If KeyValidate(RK_i) is INVALID, return INVALID 14. xP = pubkey_to_point(RK_i) 15. Q = hash_to_point(m_i) From 924739d14b7c05dbe33826d37b1bb735d65a98f4 Mon Sep 17 00:00:00 2001 From: Antonio Sanso Date: Fri, 11 Jun 2021 15:13:03 +0200 Subject: [PATCH 15/15] applying suggestion by zhenfei zhang --- draft-irtf-cfrg-bls-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-bls-signature.md b/draft-irtf-cfrg-bls-signature.md index 1c9e7f3..c713e10 100644 --- a/draft-irtf-cfrg-bls-signature.md 
+++ b/draft-irtf-cfrg-bls-signature.md @@ -785,7 +785,7 @@ Procedure: 9. next = pubkey_to_point(QK_i_j) 10. aggregate = aggregate + next 11. RK_i = point_to_pubkey(aggregate) -12. If len(QK_set_1) > 1: +12. If len(QK_set_i) > 1: 13. If KeyValidate(RK_i) is INVALID, return INVALID 14. xP = pubkey_to_point(RK_i) 15. Q = hash_to_point(m_i)
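Review bot: PATCH 01/15, 02/15 and 03/15 all carry the subject "fixing serialization format link" and each touches only the same line (`@@ -118,7 +118,7 @@`, the BLS12-381 reference), so they should be squashed into a single commit before merge; as three consecutive fix-ups of one link the history no longer shows which URL is the intended final one.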
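Review bot: the new sentence "This function first aggregates public keys of the same message." in the first hunk of PATCH 04/15 (`@@ -753,7 +753,7 @@`) should also say why, and what it preserves: with l distinct messages among n inputs the loop performs l pairings instead of n, and the result must be identical to the unoptimised product of pairings, so readers can see this is an optimisation rather than a change in what is verified.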
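Review bot: in the rewritten procedure of PATCH 04/15 (`@@ -771,17 +771,24 @@`), KeyValidate is now applied only to the aggregate `RK_i` (step 12) and no longer to each input key, so an individual `QK_i_j` that would fail KeyValidate can be accepted as long as the sum of its set passes; keep the per-key check inside the j loop in addition to the aggregate check. Further, step 9 reads `next = pubkey_to_point(PK_j_k)` but the loop indices are i and j and the grouped keys are named `QK_i_j`; step 1 (`1 compute the l distinct messages m_1, m_l`) lacks the period and ellipsis used everywhere else and should read `1. ... m_1, ..., m_l`; the inner `for j in 2,...,len(QK_i):` line has no step number, which makes the renumbering in later commits ambiguous; and step 2 introduces set sizes m, p, q that are never used again while the loop bound uses `len(QK_i)`, so one notation should be chosen and it should be stated that the sets partition the n input keys by exact message equality.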
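Review bot: the fix to `PK_i_j` in step 9 of PATCH 05/15 gets the indices right but still uses the `PK` prefix, while steps 2 and 8 name the grouped keys `QK_i_j`; `next = pubkey_to_point(QK_i_j)` is the intended line. PATCH 10/15 makes exactly that change, so 05 and 10 can be folded into one commit.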
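Review bot: the subject of PATCH 06/15 says "reverting unrelated commits", but the hunk reverts the issue 38 strawman itself (the whole CoreAggregateVerify rewrite), and PATCH 07/15 immediately re-applies it; the pair should be dropped from the series with an interactive rebase rather than merged as a revert followed by a re-revert. The hunk at `@@ -1388,3 +1381,4 @@` also adds a blank line at end of file, which is unrelated whitespace noise and should not be part of this commit.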
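Review bot: step 1 as rewritten in PATCH 08/15 (`1 Group the n input messages into l distinct messages, denoted by m_1, ... m_l`) still lacks the period after `1` that every other step has, and `m_1, ... m_l` should be `m_1, ..., m_l`. More importantly, the step should state that grouping is by exact message equality and that 1 <= l <= n, since the precondition above it is still `n >= 1` while the loop in step 7 now runs over l.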
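Review bot: the two KeyValidate lines added in PATCH 11/15 restore the per-key check that PATCH 04/15 dropped, which is the right fix, but they are inserted without step numbers and with inconsistent capitalisation (`if KeyValidate(QK_i_1)` versus `If KeyValidate(QK_i_j)`); renumber the procedure so every line carries a step number, and use `If` throughout to match the rest of the document.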
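Review bot: adding braces in step 2 of PATCH 12/15 makes the sets visible but still leaves them unnamed, while the loop bound `len(QK_i)` and step 12 refer to something called `QK_i`, which in steps 8 and 9 denotes a key rather than a set; the sets should be named in this same commit (PATCH 14/15's `QK_set_i` does this, so the two commits belong together).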
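Review bot: guarding the aggregate check with `12. If len(QK_i) > 1:` in PATCH 13/15 correctly avoids re-validating a key already checked at step 7 when the set is a singleton, but the hunk does not document why the check on `RK_i` is kept for larger sets. The sum of individually valid keys can still be the identity element (for example a key and its negation in the same set), which KeyValidate rejects on `RK_i` but the per-key checks cannot detect; a sentence after the procedure should say so, otherwise implementers will treat step 13 as redundant and drop it. Also make sure that only step 13 sits inside the `If`: steps 14 to 16 (`xP = pubkey_to_point(RK_i)`, `Q = hash_to_point(m_i)`, `C1 = C1 * pairing(Q, xP)`) must run for every i, singleton sets included.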
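Review bot: step 12 in PATCH 14/15 becomes `If len(QK_set_1) > 1:` while the loop variable is `i`, so the condition is evaluated against the first set on every iteration and the aggregate check is skipped or run for the wrong sets; it must read `If len(QK_set_i) > 1:`. PATCH 15/15 corrects exactly this, so the two commits should be squashed so that no intermediate revision of the draft carries the wrong condition.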