BLS::PointError Exception: Invalid point: not on curve over Fq about bls12-381 HOT 13 CLOSED

hmm, since the public key and signature groups are reversed, the message also needs to be an element of G1 instead of G2 (part hm = BLS.norm_p2h(message)).
However, this library does not have a function to hash the elements of G1, so it will not be possible to verify the current situation.

I will implement it when I have time.

from bls12-381.

@tuminfei I released v0.3.0. you can use G2 public key and G1 signature with BLS#verify.

from bls12-381.

These are the project libraries that I refer to

https://github.com/herumi/bls-go-binary/tree/master
https://github.com/dfinity/verify-bls-signatures

from bls12-381.

public_key_hash = "b31b406c9f6648695a88154ae2e4f5fe87883d4ad81c2844c5571b2d91d401cdd40836e763a7c18dccb84629b0d808f7142c3175bc8231dc09bd53637efd6f2568801385ec973d34e6eef9c8c8280a9f4a114163a43a8540941ba367f0c7cb28"

This is public key not public key hash?

from bls12-381.

der_key = check_delegation(delegation, canister_id, true)
public_key_hash = extract_der(der_key).str2hex
public_key = BLS::PointG1.from_hex(public_key_hash)

I did the conversion, converted to hash.
Do you mean that I use BLS::PointG1.from_hex this method wrong?

from bls12-381.

I can verify the signature by using the rust library or goLang library.

use ic_verify_bls_signature::*;
use rand::Rng;

fn test_bls_signature(
    expected_result: bool,
    sig: &'static str,
    msg: &'static str,
    key: &'static str,
) {
    let sig = hex::decode(sig).expect("Invalid hex");
    let msg = hex::decode(msg).expect("Invalid hex");
    let key = hex::decode(key).expect("Invalid hex");

    let result = verify_bls_signature(&sig, &msg, &key);

    assert_eq!(expected_result, result.is_ok());
}

#[test]
fn verify_valid() {
    // derived from agent-rs tests
    test_bls_signature(
        true,
        "b1dd133edb8c9ee98e78449b5537e1b44e51d7807cbcf15b1f11eb08fc326da3a4e9b639131e985c01e27e1750ed7253",
        "0d69632d73746174652d726f6f742b2c26a884dbe39b122a1e4bf9bec9fac8d92b6d8e9f6d03f35b0d78cb3c3e1c",
        "b31b406c9f6648695a88154ae2e4f5fe87883d4ad81c2844c5571b2d91d401cdd40836e763a7c18dccb84629b0d808f7142c3175bc8231dc09bd53637efd6f2568801385ec973d34e6eef9c8c8280a9f4a114163a43a8540941ba367f0c7cb28");
}

from bls12-381.

I see. The above is just converting the public key to a hex value, not a hash. It is the public key itself.

In your case, the public key is 96 bytes and the signature is 48 bytes. Considering that both are compressed data, the public key would be the element on G2 not G1, and the signature would be the element on G1.

use ic_verify_bls_signature::*;

Please include the URL of the library that has above method.

from bls12-381.

I see. The above is just converting the public key to a hex value, not a hash. It is the public key itself.

In your case, the public key is 96 bytes and the signature is 48 bytes. Considering that both are compressed data, the public key would be the element on G2 not G1, and the signature would be the element on G1.

use ic_verify_bls_signature::*;

Please include the URL of the library that has above method.

https://github.com/dfinity/verify-bls-signatures

from bls12-381.

/// A BLS12-381 public key usable for signature verification
#[derive(Clone, Eq, PartialEq)]
pub struct PublicKey {
    pk: G2Affine,
}

/// Deserialize a BLS12-381 public key
    pub fn deserialize(bytes: &[u8]) -> Result<Self, InvalidPublicKey> {
        let bytes: Result<[u8; Self::BYTES], _> = bytes.try_into();

        match bytes {
            Err(_) => Err(InvalidPublicKey::WrongLength),
            Ok(b) => {
                let pk = G2Affine::from_compressed(&b);
                if bool::from(pk.is_some()) {
                    Ok(Self::new(pk.unwrap()))
                } else {
                    Err(InvalidPublicKey::InvalidPoint)
                }
            }
        }
    }

It seems that it is a public key of G2

from bls12-381.

yes, so you need to use BLS::PointG2 not BLS::PointG1 for public key. But currently this library dose not support compressed format for BLS::PointG2. Therefore, it is necessary to pass a public key in uncompressed format to BLS::PointG2#from_hex.

from bls12-381.

Thank you so much. Also, how do I verify if I use the public key of G2?

def verify(signature, message, public_key)
    p = BLS.norm_p1(public_key)
    hm = BLS.norm_p2h(message)
    g = PointG1::BASE
    s = BLS.norm_p2(signature)
    ephm = BLS.pairing(p.negate, hm, with_final_exp: false)
    egs = BLS.pairing(g, s, with_final_exp: false)
    exp = (egs * ephm).final_exponentiate
    exp == Fq12::ONE
end

from bls12-381.

Looking forward to your update, thanks

from bls12-381.

Thank you for your support

from bls12-381.