POP sign and prove modes

e-asphyx · e-asphyx · commit 4dc6646b6c14 · 2025-04-07T21:34:49.000+03:00
diff --git a/blst.go b/blst.go
@@ -455,29 +455,29 @@ func (p *P1) AddOrDoubleAffine(other *P1Affine) {
 	C.blst_p1_add_or_double_affine((*p1)(p), (*p1)(p), (*p1Affine)(other))
 }
 
-func HashToP1(digest, suite, aug []byte) *P1 {
+func HashToP1(msg, suite, aug []byte) *P1 {
 	var (
 		q p1
 		a *byte
 	)
 	if len(aug) != 0 {
 		a = &aug[0]
 	}
-	C.blst_hash_to_g1(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),
+	C.blst_hash_to_g1(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),
 		(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),
 		(*C.uint8_t)(a), C.size_t(len(aug)))
 	return (*P1)(&q)
 }
 
-func EncodeToP1(digest, suite, aug []byte) *P1 {
+func EncodeToP1(msg, suite, aug []byte) *P1 {
 	var (
 		q p1
 		a *byte
 	)
 	if len(aug) != 0 {
 		a = &aug[0]
 	}
-	C.blst_encode_to_g1(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),
+	C.blst_encode_to_g1(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),
 		(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),
 		(*C.uint8_t)(a), C.size_t(len(aug)))
 	return (*P1)(&q)
@@ -515,29 +515,29 @@ func (p *P2) AddOrDoubleAffine(other *P2Affine) {
 	C.blst_p2_add_or_double_affine((*p2)(p), (*p2)(p), (*p2Affine)(other))
 }
 
-func HashToP2(digest, suite, aug []byte) *P2 {
+func HashToP2(msg, suite, aug []byte) *P2 {
 	var (
 		q p2
 		a *byte
 	)
 	if len(aug) != 0 {
 		a = &aug[0]
 	}
-	C.blst_hash_to_g2(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),
+	C.blst_hash_to_g2(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),
 		(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),
 		(*C.uint8_t)(a), C.size_t(len(aug)))
 	return (*P2)(&q)
 }
 
-func EncodeToP2(digest, suite, aug []byte) *P2 {
+func EncodeToP2(msg, suite, aug []byte) *P2 {
 	var (
 		q p2
 		a *byte
 	)
 	if len(aug) != 0 {
 		a = &aug[0]
 	}
-	C.blst_encode_to_g2(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),
+	C.blst_encode_to_g2(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),
 		(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),
 		(*C.uint8_t)(a), C.size_t(len(aug)))
 	return (*P2)(&q)
diff --git a/minpk/minpk.go b/minpk/minpk.go
@@ -58,29 +58,43 @@ func PrivateKeyFromBytes(data []byte) (*PrivateKey, error) {
 	}
 }
 
-func Sign(priv *PrivateKey, digest []byte, scheme blst.Scheme) *Signature {
+func Sign(priv *PrivateKey, msg []byte, scheme blst.Scheme) *Signature {
 	var aug []byte
 	if scheme == blst.Augmentation {
 		aug = priv.PublicKey().Bytes()
 	}
-	hash := blst.HashToP2(digest, scheme.SuiteG(2), aug)
-	return (*Signature)((*blst.Scalar)(priv).SignInG1Affine(hash))
+	point := blst.HashToP2(msg, scheme.Tag(2), aug)
+	return (*Signature)((*blst.Scalar)(priv).SignInG1Affine(point))
 }
 
-func Verify(pub *PublicKey, digest []byte, sig *Signature, scheme blst.Scheme) error {
-	return sig.Verify(pub, digest, scheme)
+func Prove(priv *PrivateKey) *Signature {
+	pub := priv.PublicKey().Bytes()
+	point := blst.HashToP2(pub, blst.ProofOfPossessionTag(2), nil)
+	return (*Signature)((*blst.Scalar)(priv).SignInG1Affine(point))
+}
+
+func Verify(pub *PublicKey, msg []byte, sig *Signature, scheme blst.Scheme) error {
+	return sig.Verify(pub, msg, scheme)
+}
+
+func VerifyProof(pub *PublicKey, sig *Signature) error {
+	return sig.VerifyProof(pub)
 }
 
 func AggregateVerify(items []*PubDigestPair, sig *Signature, scheme blst.Scheme) error {
 	return sig.AggregateVerify(items, scheme)
 }
 
-func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+func (priv *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
 	scheme := blst.Basic
 	if s, ok := opts.(blst.Scheme); ok {
 		scheme = s
 	}
-	return Sign(priv, digest, scheme).Bytes(), nil
+	return Sign(priv, msg, scheme).Bytes(), nil
+}
+
+func (priv *PrivateKey) Prove() *Signature {
+	return Prove(priv)
 }
 
 func (priv *PrivateKey) PublicKey() *PublicKey {
@@ -168,12 +182,16 @@ func (sig *Signature) IsValid() error {
 	}
 }
 
-func (sig *Signature) Verify(pub *PublicKey, digest []byte, scheme blst.Scheme) error {
+func (sig *Signature) Verify(pub *PublicKey, msg []byte, scheme blst.Scheme) error {
 	var aug []byte
 	if scheme == blst.Augmentation {
 		aug = pub.Bytes()
 	}
-	return (*blst.P2Affine)(sig).CoreVerify(true, (*blst.P1Affine)(pub), true, digest, true, scheme.SuiteG(2), aug)
+	return (*blst.P2Affine)(sig).CoreVerify(true, (*blst.P1Affine)(pub), true, msg, true, scheme.Tag(2), aug)
+}
+
+func (sig *Signature) VerifyProof(pub *PublicKey) error {
+	return (*blst.P2Affine)(sig).CoreVerify(true, (*blst.P1Affine)(pub), true, pub.Bytes(), true, blst.ProofOfPossessionTag(2), nil)
 }
 
 func AggregateSignatures(sigs []*Signature) (*Signature, error) {
@@ -243,5 +261,5 @@ func (sig *Signature) AggregateVerify(items []*PubDigestPair, scheme blst.Scheme
 		pairs:  items,
 		scheme: scheme,
 	}
-	return (*blst.P2Affine)(sig).CoreAggregateVerify(true, pairs, true, true, scheme.SuiteG(2))
+	return (*blst.P2Affine)(sig).CoreAggregateVerify(true, pairs, true, true, scheme.Tag(2))
 }
diff --git a/minsig/minsig.go b/minsig/minsig.go
@@ -58,29 +58,43 @@ func PrivateKeyFromBytes(data []byte) (*PrivateKey, error) {
 	}
 }
 
-func Sign(priv *PrivateKey, digest []byte, scheme blst.Scheme) *Signature {
+func Sign(priv *PrivateKey, msg []byte, scheme blst.Scheme) *Signature {
 	var aug []byte
 	if scheme == blst.Augmentation {
 		aug = priv.PublicKey().Bytes()
 	}
-	hash := blst.HashToP1(digest, scheme.SuiteG(1), aug)
-	return (*Signature)((*blst.Scalar)(priv).SignInG2Affine(hash))
+	point := blst.HashToP1(msg, scheme.Tag(1), aug)
+	return (*Signature)((*blst.Scalar)(priv).SignInG2Affine(point))
 }
 
-func Verify(pub *PublicKey, digest []byte, sig *Signature, scheme blst.Scheme) error {
-	return sig.Verify(pub, digest, scheme)
+func Prove(priv *PrivateKey) *Signature {
+	pub := priv.PublicKey().Bytes()
+	point := blst.HashToP1(pub, blst.ProofOfPossessionTag(1), nil)
+	return (*Signature)((*blst.Scalar)(priv).SignInG2Affine(point))
+}
+
+func Verify(pub *PublicKey, msg []byte, sig *Signature, scheme blst.Scheme) error {
+	return sig.Verify(pub, msg, scheme)
+}
+
+func VerifyProof(pub *PublicKey, sig *Signature) error {
+	return sig.VerifyProof(pub)
 }
 
 func AggregateVerify(items []*PubDigestPair, sig *Signature, scheme blst.Scheme) error {
 	return sig.AggregateVerify(items, scheme)
 }
 
-func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+func (priv *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
 	scheme := blst.Basic
 	if s, ok := opts.(blst.Scheme); ok {
 		scheme = s
 	}
-	return Sign(priv, digest, scheme).Bytes(), nil
+	return Sign(priv, msg, scheme).Bytes(), nil
+}
+
+func (priv *PrivateKey) Prove() *Signature {
+	return Prove(priv)
 }
 
 func (priv *PrivateKey) PublicKey() *PublicKey {
@@ -167,12 +181,16 @@ func (sig *Signature) IsValid() error {
 	}
 }
 
-func (sig *Signature) Verify(pub *PublicKey, digest []byte, scheme blst.Scheme) error {
+func (sig *Signature) Verify(pub *PublicKey, msg []byte, scheme blst.Scheme) error {
 	var aug []byte
 	if scheme == blst.Augmentation {
 		aug = pub.Bytes()
 	}
-	return (*blst.P1Affine)(sig).CoreVerify(true, (*blst.P2Affine)(pub), true, digest, true, scheme.SuiteG(1), aug)
+	return (*blst.P1Affine)(sig).CoreVerify(true, (*blst.P2Affine)(pub), true, msg, true, scheme.Tag(1), aug)
+}
+
+func (sig *Signature) VerifyProof(pub *PublicKey) error {
+	return (*blst.P1Affine)(sig).CoreVerify(true, (*blst.P2Affine)(pub), true, pub.Bytes(), true, blst.ProofOfPossessionTag(1), nil)
 }
 
 func AggregateSignatures(sigs []*Signature) (*Signature, error) {
@@ -242,5 +260,5 @@ func (sig *Signature) AggregateVerify(items []*PubDigestPair, scheme blst.Scheme
 		pairs:  items,
 		scheme: scheme,
 	}
-	return (*blst.P1Affine)(sig).CoreAggregateVerify(true, pairs, true, true, scheme.SuiteG(1))
+	return (*blst.P1Affine)(sig).CoreAggregateVerify(true, pairs, true, true, scheme.Tag(1))
 }
diff --git a/utils.go b/utils.go
@@ -51,21 +51,28 @@ func runInParallel(n int, fn func(i int) error) error {
 type Scheme int
 
 const (
-	Basic Scheme = iota
+	Basic Scheme = 1 + iota
 	Augmentation
+	ProofOfPossession
 )
 
 func (Scheme) HashFunc() crypto.Hash {
 	return 0
 }
 
-func (s Scheme) SuiteG(g int) []byte {
+func (s Scheme) Tag(g int) []byte {
 	switch s {
 	case Basic:
-		return []byte(fmt.Sprintf("BLS_SIG_BLS12381G%d_XMD:SHA-256_SSWU_RO_NUL_", g))
+		return fmt.Appendf(nil, "BLS_SIG_BLS12381G%d_XMD:SHA-256_SSWU_RO_NUL_", g)
 	case Augmentation:
-		return []byte(fmt.Sprintf("BLS_SIG_BLS12381G%d_XMD:SHA-256_SSWU_RO_AUG_", g))
+		return fmt.Appendf(nil, "BLS_SIG_BLS12381G%d_XMD:SHA-256_SSWU_RO_AUG_", g)
+	case ProofOfPossession:
+		return fmt.Appendf(nil, "BLS_SIG_BLS12381G%d_XMD:SHA-256_SSWU_RO_POP_", g)
 	default:
-		return make([]byte, 0)
+		panic("unknown scheme")
 	}
 }
+
+func ProofOfPossessionTag(g int) []byte {
+	return fmt.Appendf(nil, "BLS_POP_BLS12381G%d_XMD:SHA-256_SSWU_RO_POP_", g)
+}

Original file line number	Diff line number	Diff line change
`@@ -455,29 +455,29 @@ func (p P1) AddOrDoubleAffine(other P1Affine) {`
`455`	`455`	`C.blst_p1_add_or_double_affine((p1)(p), (p1)(p), (*p1Affine)(other))`
`456`	`456`	`}`
`457`	`457`
`458`		`-func HashToP1(digest, suite, aug []byte) *P1 {`
	`458`	`+func HashToP1(msg, suite, aug []byte) *P1 {`
`459`	`459`	`var (`
`460`	`460`	`q p1`
`461`	`461`	`a *byte`
`462`	`462`	`)`
`463`	`463`	`if len(aug) != 0 {`
`464`	`464`	`a = &aug[0]`
`465`	`465`	`}`
`466`		`- C.blst_hash_to_g1(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),`
	`466`	`+ C.blst_hash_to_g1(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),`
`467`	`467`	`(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),`
`468`	`468`	`(*C.uint8_t)(a), C.size_t(len(aug)))`
`469`	`469`	`return (*P1)(&q)`
`470`	`470`	`}`
`471`	`471`
`472`		`-func EncodeToP1(digest, suite, aug []byte) *P1 {`
	`472`	`+func EncodeToP1(msg, suite, aug []byte) *P1 {`
`473`	`473`	`var (`
`474`	`474`	`q p1`
`475`	`475`	`a *byte`
`476`	`476`	`)`
`477`	`477`	`if len(aug) != 0 {`
`478`	`478`	`a = &aug[0]`
`479`	`479`	`}`
`480`		`- C.blst_encode_to_g1(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),`
	`480`	`+ C.blst_encode_to_g1(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),`
`481`	`481`	`(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),`
`482`	`482`	`(*C.uint8_t)(a), C.size_t(len(aug)))`
`483`	`483`	`return (*P1)(&q)`
`@@ -515,29 +515,29 @@ func (p P2) AddOrDoubleAffine(other P2Affine) {`
`515`	`515`	`C.blst_p2_add_or_double_affine((p2)(p), (p2)(p), (*p2Affine)(other))`
`516`	`516`	`}`
`517`	`517`
`518`		`-func HashToP2(digest, suite, aug []byte) *P2 {`
	`518`	`+func HashToP2(msg, suite, aug []byte) *P2 {`
`519`	`519`	`var (`
`520`	`520`	`q p2`
`521`	`521`	`a *byte`
`522`	`522`	`)`
`523`	`523`	`if len(aug) != 0 {`
`524`	`524`	`a = &aug[0]`
`525`	`525`	`}`
`526`		`- C.blst_hash_to_g2(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),`
	`526`	`+ C.blst_hash_to_g2(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),`
`527`	`527`	`(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),`
`528`	`528`	`(*C.uint8_t)(a), C.size_t(len(aug)))`
`529`	`529`	`return (*P2)(&q)`
`530`	`530`	`}`
`531`	`531`
`532`		`-func EncodeToP2(digest, suite, aug []byte) *P2 {`
	`532`	`+func EncodeToP2(msg, suite, aug []byte) *P2 {`
`533`	`533`	`var (`
`534`	`534`	`q p2`
`535`	`535`	`a *byte`
`536`	`536`	`)`
`537`	`537`	`if len(aug) != 0 {`
`538`	`538`	`a = &aug[0]`
`539`	`539`	`}`
`540`		`- C.blst_encode_to_g2(&q, (*C.uint8_t)(&digest[0]), C.size_t(len(digest)),`
	`540`	`+ C.blst_encode_to_g2(&q, (*C.uint8_t)(&msg[0]), C.size_t(len(msg)),`
`541`	`541`	`(*C.uint8_t)(&suite[0]), C.size_t(len(suite)),`
`542`	`542`	`(*C.uint8_t)(a), C.size_t(len(aug)))`
`543`	`543`	`return (*P2)(&q)`
Original file line number	Diff line number	Diff line change
`@@ -58,29 +58,43 @@ func PrivateKeyFromBytes(data []byte) (*PrivateKey, error) {`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
`61`		`-func Sign(priv PrivateKey, digest []byte, scheme blst.Scheme) Signature {`
	`61`	`+func Sign(priv PrivateKey, msg []byte, scheme blst.Scheme) Signature {`
`62`	`62`	`var aug []byte`
`63`	`63`	`if scheme == blst.Augmentation {`
`64`	`64`	`aug = priv.PublicKey().Bytes()`
`65`	`65`	`}`
`66`		`- hash := blst.HashToP2(digest, scheme.SuiteG(2), aug)`
`67`		`- return (Signature)((blst.Scalar)(priv).SignInG1Affine(hash))`
	`66`	`+ point := blst.HashToP2(msg, scheme.Tag(2), aug)`
	`67`	`+ return (Signature)((blst.Scalar)(priv).SignInG1Affine(point))`
`68`	`68`	`}`
`69`	`69`
`70`		`-func Verify(pub PublicKey, digest []byte, sig Signature, scheme blst.Scheme) error {`
`71`		`- return sig.Verify(pub, digest, scheme)`
	`70`	`+func Prove(priv PrivateKey) Signature {`
	`71`	`+ pub := priv.PublicKey().Bytes()`
	`72`	`+ point := blst.HashToP2(pub, blst.ProofOfPossessionTag(2), nil)`
	`73`	`+ return (Signature)((blst.Scalar)(priv).SignInG1Affine(point))`
	`74`	`+}`
	`75`	`+`
	`76`	`+func Verify(pub PublicKey, msg []byte, sig Signature, scheme blst.Scheme) error {`
	`77`	`+ return sig.Verify(pub, msg, scheme)`
	`78`	`+}`
	`79`	`+`
	`80`	`+func VerifyProof(pub PublicKey, sig Signature) error {`
	`81`	`+ return sig.VerifyProof(pub)`
`72`	`82`	`}`
`73`	`83`
`74`	`84`	`func AggregateVerify(items []PubDigestPair, sig Signature, scheme blst.Scheme) error {`
`75`	`85`	`return sig.AggregateVerify(items, scheme)`
`76`	`86`	`}`
`77`	`87`
`78`		`-func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {`
	`88`	`+func (priv *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {`
`79`	`89`	`scheme := blst.Basic`
`80`	`90`	`if s, ok := opts.(blst.Scheme); ok {`
`81`	`91`	`scheme = s`
`82`	`92`	`}`
`83`		`- return Sign(priv, digest, scheme).Bytes(), nil`
	`93`	`+ return Sign(priv, msg, scheme).Bytes(), nil`
	`94`	`+}`
	`95`	`+`
	`96`	`+func (priv PrivateKey) Prove() Signature {`
	`97`	`+ return Prove(priv)`
`84`	`98`	`}`
`85`	`99`
`86`	`100`	`func (priv PrivateKey) PublicKey() PublicKey {`
`@@ -168,12 +182,16 @@ func (sig *Signature) IsValid() error {`
`168`	`182`	`}`
`169`	`183`	`}`
`170`	`184`
`171`		`-func (sig Signature) Verify(pub PublicKey, digest []byte, scheme blst.Scheme) error {`
	`185`	`+func (sig Signature) Verify(pub PublicKey, msg []byte, scheme blst.Scheme) error {`
`172`	`186`	`var aug []byte`
`173`	`187`	`if scheme == blst.Augmentation {`
`174`	`188`	`aug = pub.Bytes()`
`175`	`189`	`}`
`176`		`- return (blst.P2Affine)(sig).CoreVerify(true, (blst.P1Affine)(pub), true, digest, true, scheme.SuiteG(2), aug)`
	`190`	`+ return (blst.P2Affine)(sig).CoreVerify(true, (blst.P1Affine)(pub), true, msg, true, scheme.Tag(2), aug)`
	`191`	`+}`
	`192`	`+`
	`193`	`+func (sig Signature) VerifyProof(pub PublicKey) error {`
	`194`	`+ return (blst.P2Affine)(sig).CoreVerify(true, (blst.P1Affine)(pub), true, pub.Bytes(), true, blst.ProofOfPossessionTag(2), nil)`
`177`	`195`	`}`
`178`	`196`
`179`	`197`	`func AggregateSignatures(sigs []Signature) (Signature, error) {`
`@@ -243,5 +261,5 @@ func (sig Signature) AggregateVerify(items []PubDigestPair, scheme blst.Scheme`
`243`	`261`	`pairs: items,`
`244`	`262`	`scheme: scheme,`
`245`	`263`	`}`
`246`		`- return (*blst.P2Affine)(sig).CoreAggregateVerify(true, pairs, true, true, scheme.SuiteG(2))`
	`264`	`+ return (*blst.P2Affine)(sig).CoreAggregateVerify(true, pairs, true, true, scheme.Tag(2))`
`247`	`265`	`}`