From dbb811a397dbc3216382da0337858791ca307ec1 Mon Sep 17 00:00:00 2001
From: Jakub Sztandera <kubuxu@protonmail.ch>
Date: Mon, 23 Sep 2024 11:26:55 +0200
Subject: [PATCH] bls12-381: Add edge case signature (#549)

* bls12-381 circl: Use RFC DST by default

circl was using nil DST while kilic is using RFC DST, standardise on RFC
DST

Signed-off-by: Jakub Sztandera <oss@kubuxu.com>

* bls12-381: Add edge case signature

This signature does not validate when using kilic@master
Add it to tests to highlight the issue and prevent this implementation
from updating to it.

The issue appears in this commit: https://github.com/kilic/bls12-381/commit/7536ae1cb938a818cffabc34c4f9a7335b1c7f9a
and is not related to assembly code (it reproduces even on M series macs)

Signed-off-by: Jakub Sztandera <oss@kubuxu.com>

---------

Signed-off-by: Jakub Sztandera <oss@kubuxu.com>
---
 pairing/bls12381/bls12381_test.go | 30 ++++++++++++++++++++++++++++++
 pairing/bls12381/circl/g1.go      |  4 +++-
 pairing/bls12381/circl/g2.go      |  4 +++-
 sign/bls/bls.go                   |  2 +-
 4 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/pairing/bls12381/bls12381_test.go b/pairing/bls12381/bls12381_test.go
index 46ec9eb6e..74d70537b 100644
--- a/pairing/bls12381/bls12381_test.go
+++ b/pairing/bls12381/bls12381_test.go
@@ -810,3 +810,33 @@ func BLSBenchmark(b *testing.B, curveOption string) {
 		}
 	})
 }
+
+// This signature fails to validate when using kilic@7536ae1cb938a818cffabc34c4f9a7335b1c7f9a or latter
+func TestSignatureEdgeCase(t *testing.T) {
+	// G2 pubkey
+	publicBytes := []byte{0x83, 0xcf, 0xf, 0x28, 0x96, 0xad, 0xee, 0x7e, 0xb8, 0xb5, 0xf0, 0x1f, 0xca, 0xd3, 0x91, 0x22, 0x12, 0xc4, 0x37, 0xe0, 0x7, 0x3e, 0x91, 0x1f, 0xb9, 0x0, 0x22, 0xd3, 0xe7, 0x60, 0x18, 0x3c, 0x8c, 0x4b, 0x45, 0xb, 0x6a, 0xa, 0x6c, 0x3a, 0xc6, 0xa5, 0x77, 0x6a, 0x2d, 0x10, 0x64, 0x51, 0xd, 0x1f, 0xec, 0x75, 0x8c, 0x92, 0x1c, 0xc2, 0x2b, 0xe, 0x17, 0xe6, 0x3a, 0xaf, 0x4b, 0xcb, 0x5e, 0xd6, 0x63, 0x4, 0xde, 0x9c, 0xf8, 0x9, 0xbd, 0x27, 0x4c, 0xa7, 0x3b, 0xab, 0x4a, 0xf5, 0xa6, 0xe9, 0xc7, 0x6a, 0x4b, 0xc0, 0x9e, 0x76, 0xea, 0xe8, 0x99, 0x1e, 0xf5, 0xec, 0xe4, 0x5a}
+	message := []byte{0xa1, 0xc6, 0xbe, 0xc3, 0xb9, 0xa6, 0xf0, 0x98, 0x9d, 0x4d, 0x80, 0x2d, 0xbf, 0xe2, 0xb9, 0xb, 0x49, 0x5f, 0xa1, 0x74, 0x2b, 0x58, 0x99, 0x63, 0x45, 0x1e, 0xeb, 0xa9, 0xb1, 0x87, 0xb8, 0x15}
+	// G1 signature
+	sig := []byte{0x95, 0x89, 0x0, 0x9b, 0x47, 0xbf, 0xd9, 0xe3, 0x65, 0x10, 0x6b, 0x11, 0xa3, 0x42, 0xfe, 0x50, 0x75, 0xeb, 0x44, 0x5, 0xb0, 0x2b, 0x80, 0xe8, 0x93, 0x42, 0x69, 0x86, 0xcf, 0xb6, 0x0, 0x77, 0x99, 0x8e, 0x3b, 0x47, 0x99, 0x68, 0x86, 0xe0, 0x35, 0xca, 0x1c, 0xde, 0x5f, 0xd9, 0x62, 0x89}
+
+	var suites = []struct {
+		name  string
+		suite pairing.Suite
+	}{
+		{"kilic", kilic.NewBLS12381Suite()},
+		{"circl", circl.NewSuiteBLS12381()},
+	}
+	for _, s := range suites {
+		suite := s.suite
+		t.Run(s.name, func(t *testing.T) {
+			schemeOnG1 := bls.NewSchemeOnG1(suite)
+			pubkey := suite.G2().Point()
+			err := pubkey.UnmarshalBinary(publicBytes)
+			require.NoError(t, err)
+
+			err = schemeOnG1.Verify(pubkey, message, sig)
+			require.NoError(t, err)
+		})
+
+	}
+}
diff --git a/pairing/bls12381/circl/g1.go b/pairing/bls12381/circl/g1.go
index 3916bfffb..3f21a5741 100644
--- a/pairing/bls12381/circl/g1.go
+++ b/pairing/bls12381/circl/g1.go
@@ -97,5 +97,7 @@ func (p *G1Elt) Mul(s kyber.Scalar, q kyber.Point) kyber.Point {
 
 func (p *G1Elt) IsInCorrectGroup() bool { return p.inner.IsOnG1() }
 
-func (p *G1Elt) Hash(msg []byte) kyber.Point       { p.inner.Hash(msg, nil); return p }
+var domainG1 = []byte("BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_")
+
+func (p *G1Elt) Hash(msg []byte) kyber.Point       { p.inner.Hash(msg, domainG1); return p }
 func (p *G1Elt) Hash2(msg, dst []byte) kyber.Point { p.inner.Hash(msg, dst); return p }
diff --git a/pairing/bls12381/circl/g2.go b/pairing/bls12381/circl/g2.go
index eb8d3355f..6414b4eb9 100644
--- a/pairing/bls12381/circl/g2.go
+++ b/pairing/bls12381/circl/g2.go
@@ -97,5 +97,7 @@ func (p *G2Elt) Mul(s kyber.Scalar, q kyber.Point) kyber.Point {
 
 func (p *G2Elt) IsInCorrectGroup() bool { return p.inner.IsOnG2() }
 
-func (p *G2Elt) Hash(msg []byte) kyber.Point       { p.inner.Hash(msg, nil); return p }
+var domainG2 = []byte("BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_")
+
+func (p *G2Elt) Hash(msg []byte) kyber.Point       { p.inner.Hash(msg, domainG2); return p }
 func (p *G2Elt) Hash2(msg, dst []byte) kyber.Point { p.inner.Hash(msg, dst); return p }
diff --git a/sign/bls/bls.go b/sign/bls/bls.go
index 03c2e7c58..b08cfa6bb 100644
--- a/sign/bls/bls.go
+++ b/sign/bls/bls.go
@@ -87,7 +87,7 @@ func (s *scheme) Verify(X kyber.Point, msg, sig []byte) error {
 	HM := hashable.Hash(msg)
 	sigPoint := s.sigGroup.Point()
 	if err := sigPoint.UnmarshalBinary(sig); err != nil {
-		return err
+		return fmt.Errorf("bls: unmarshalling signature point: %w", err)
 	}
 	if !s.pairing(X, HM, sigPoint) {
 		return errors.New("bls: invalid signature")