public class BLS12_381MessageAugmentation
extends java.lang.Object
BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_AUG_.
Differs from BLS12_381BasicScheme by prepending the public-key
encoding to the message before hashing. The augmentation defends against
rogue-key attacks in aggregate-verification without the standalone
proof-of-possession step that BLS12_381ProofOfPossession requires.
The public-key prefix used in the hash-to-curve input is the
Zcash-format 48-byte compressed G1 encoding produced by
BLS12_381Serialization.compressG1(org.bouncycastle.math.ec.ECPoint), matching
draft-irtf-cfrg-bls-signature's point_to_pubkey so signatures are
potentially interoperable with other BLS implementations once verified
against published test vectors.
| Modifier and Type | Field and Description |
|---|---|
static byte[] |
DST |
| Modifier and Type | Method and Description |
|---|---|
static boolean |
aggregateVerify(ECPoint[] pks,
byte[][] messages,
BLS12_381G2Point sigAgg)
Aggregate verification under the MessageAugmentation suite.
|
static BLS12_381G2Point |
sign(java.math.BigInteger sk,
byte[] message)
Sign under the MessageAugmentation suite:
sig = sk * H(SkToPk(sk) || message) with the AUG DST. |
static boolean |
verify(ECPoint pk,
byte[] message,
BLS12_381G2Point signature)
Verify under the MessageAugmentation suite.
|
public static BLS12_381G2Point sign(java.math.BigInteger sk, byte[] message)
sig = sk * H(SkToPk(sk) || message) with the AUG DST.public static boolean verify(ECPoint pk, byte[] message, BLS12_381G2Point signature)
true iff
pk is a valid prime-order G1 point, signature is a
valid prime-order G2 point, and the pairing equation
e(G1_gen, sig) == e(pk, H(pk || message)) holds.public static boolean aggregateVerify(ECPoint[] pks, byte[][] messages, BLS12_381G2Point sigAgg)
H(pk_i || msg_i) input unique even when the msg_i repeat.