mithril_stm/bls_multi_signature/
proof_of_possession.rs

1use crate::bls_multi_signature::helper::unsafe_helpers::{
2    compress_p1, scalar_to_pk_in_g1, uncompress_p1,
3};
4use crate::bls_multi_signature::signing_key::SigningKey;
5use crate::bls_multi_signature::POP;
6use crate::error::{blst_err_to_mithril, MultiSignatureError};
7use blst::blst_p1;
8use blst::min_sig::Signature as BlstSig;
9
10/// MultiSig proof of possession, which contains two elements from G1. However,
11/// the two elements have different types: `k1` is represented as a BlstSig
12/// as it has the same structure, and this facilitates its verification. On
13/// the other hand, `k2` is a G1 point, as it does not share structure with
14/// the BLS signature, and we need to have an ad-hoc verification mechanism.
15#[derive(Debug, Clone, Copy, PartialEq, Eq)]
16pub struct ProofOfPossession {
17    k1: BlstSig,
18    k2: blst_p1,
19}
20
21impl ProofOfPossession {
22    /// Convert to a 96 byte string.
23    ///
24    /// # Layout
25    /// The layout of a `MspPoP` encoding is
26    /// * K1 (G1 point)
27    /// * K2 (G1 point)
28    pub fn to_bytes(self) -> [u8; 96] {
29        let mut pop_bytes = [0u8; 96];
30        pop_bytes[..48].copy_from_slice(&self.k1.to_bytes());
31
32        pop_bytes[48..].copy_from_slice(&compress_p1(&self.k2)[..]);
33        pop_bytes
34    }
35
36    /// Deserialize a byte string to a `PublicKeyPoP`.
37    pub fn from_bytes(bytes: &[u8]) -> Result<Self, MultiSignatureError> {
38        let k1 = match BlstSig::from_bytes(&bytes[..48]) {
39            Ok(key) => key,
40            Err(e) => {
41                return Err(blst_err_to_mithril(e, None, None)
42                    .expect_err("If it passed, blst returns and error different to SUCCESS."))
43            }
44        };
45
46        let k2 = uncompress_p1(&bytes[48..96])?;
47
48        Ok(Self { k1, k2 })
49    }
50
51    pub(crate) fn to_k1(self) -> BlstSig {
52        self.k1
53    }
54
55    pub(crate) fn to_k2(self) -> blst_p1 {
56        self.k2
57    }
58}
59
60impl From<&SigningKey> for ProofOfPossession {
61    /// Convert a secret key into an `MspPoP`. This is performed by computing
62    /// `k1 =  H_G1(b"PoP" || mvk)` and `k2 = g1 * sk` where `H_G1` hashes into
63    /// `G1` and `g1` is the generator in `G1`.
64    fn from(sk: &SigningKey) -> Self {
65        let k1 = sk.to_blst_sk().sign(POP, &[], &[]);
66        let k2 = scalar_to_pk_in_g1(&sk.to_blst_sk());
67        Self { k1, k2 }
68    }
69}