
[primitives] Prevent Rogue public-key attack

Open alxiong opened this issue 1 year ago • 1 comment

Currently, our bls-over-bn254::aggregate() follows IRTF's standard instead of the modified version by BDN18, so it either has the assumption that every signed message is distinct (e.g. by prepending the pk) or that there's Proof of Possession on the sk, or else our implementation will be vulnerable to a rogue pk attack.

However, we don't prepend the pk during signing, nor do we have a utility for proof of knowledge/possession of sk. I think the easiest way to fix it is to just implement BDN18.

Choice of $H_1$

As described in BDN18, we need a random oracle-like $H_1: \mathbb{G}_1^n \rightarrow R^n$ where $R := \{1, 2, \ldots, 2^{128}\}$ (which is essentially a 16-byte value excluding 0).

I think we can just use ChaChaRng with a public random seed (say: today's Ethereum random beacon value), and ask it to spit out 2 * u64 (and reject the highly unlikely 0) for each $r_i, i \in [n]$.

alxiong avatar Nov 29 '23 04:11 alxiong
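As an added illustration (not jellyfish code and not from this thread), a Python toy of the BDN18 aggregation proposed above: the group is a constructed additive group mod a small prime and SHA-256 stands in for the ChaChaRng-based $H_1$, so it shows only the algebra and how each $r_i$ is bound to the whole ordered key set; nothing here is secure.

```python
"""Toy BDN18-style aggregation (added example, not jellyfish code).

Group: additive group Z_Q with generator G, so "scalar mult" is modular
multiplication and the pairing check e(sigma, G) == e(H(m), pk) collapses to
sigma*G == h*pk mod Q. Insecure by construction; it only shows the algebra.
"""
import hashlib

Q = 2**61 - 1   # constructed toy prime modulus
G = 5           # constructed toy generator
R_BYTES = 16    # BDN18: r_i in {1, ..., 2^128}


def hash_to_group(msg: bytes) -> int:
    """Toy H0: message -> group element."""
    return int.from_bytes(hashlib.sha256(b"H0" + msg).digest(), "big") % Q


def coefficient(pk: int, pks: list[int]) -> int:
    """Toy H1(pk_i, {pk_1..pk_n}) -> nonzero 16-byte r_i.
    SHA-256 stands in for the seeded ChaChaRng from the issue; the whole
    ordered key set is hashed so r_i cannot be fixed before all keys are known."""
    ctx = b"H1" + b"".join(p.to_bytes(8, "big") for p in pks) + pk.to_bytes(8, "big")
    ctr = 0
    while True:  # reject the (negligibly likely) zero coefficient
        r = int.from_bytes(hashlib.sha256(ctx + ctr.to_bytes(4, "big")).digest()[:R_BYTES], "big")
        if r != 0:
            return r
        ctr += 1


def keygen(seed: int) -> tuple[int, int]:
    sk = seed % Q
    return sk, (sk * G) % Q


def sign(sk: int, msg: bytes) -> int:
    return (sk * hash_to_group(msg)) % Q


def aggregate_pk(pks: list[int]) -> int:
    return sum(coefficient(pk, pks) * pk for pk in pks) % Q


def aggregate_sig(pks: list[int], sigs: list[int]) -> int:
    return sum(coefficient(pk, pks) * s for pk, s in zip(pks, sigs)) % Q


def verify(apk: int, msg: bytes, agg_sig: int) -> bool:
    """Toy stand-in for e(agg_sig, G) == e(H(m), apk)."""
    return (agg_sig * G) % Q == (hash_to_group(msg) * apk) % Q
```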

I thought we discussed a similar topic before and @jbearer was suggesting that we can trust the ETH account address to ensure that the pk is not rogue. Is the original solution not working anymore?

chancharles92 avatar Nov 29 '23 05:11 chancharles92