bbs-signature
Deterministic SPK
Although deterministic proof generation should not be used in practice, it may be useful to support it so we can more easily create and update test vectors. This MUST NEVER be used in practice. The main idea is to incorporate a secret key managed by the holder of the BBS signature into spkGen, which is then used for the generation of the random elements. This secret MUST be unique for every proof generation procedure. One possible method, then, is to use the same algorithm as in deterministic signing, i.e.,
```
H = XOF(Holders_SK || msg_i1 || ... || msg_iR || pm)
r1~ = OS2IP(H.read(64)) mod q
r2~ = OS2IP(H.read(64)) mod q
...
```
In spkGen, maybe we can also use RFC 8937, which gives good security properties and is easy to use, since you don't need direct access to the secret key itself. Each random element (in the non-deterministic case) could be
```
random_element_i = OS2IP(HKDF-Expand(HKDF-Extract(HASH(Sig(Holders_SK, DST)), PRF(L)), i, 64)) mod q
```
To get a deterministic spk, we could just replace the PRF with an XOF or hash. That said, this does "bound" the holder to use a secret, even in the non-deterministic case.
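Added example (not code from the bbs-signature repository or the issue author): the XOF-based derivation sketched above, with SHAKE-256 as the XOF and each 64-byte read reduced mod the BLS12-381 scalar order q. The 8-byte length prefix on each input and the sample key, messages and pm are assumptions constructed for illustration.

```python
import hashlib

# Order of the BLS12-381 scalar field, the q the issue reduces into.
Q = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001


def os2ip(octets: bytes) -> int:
    """OS2IP as in RFC 8017: big-endian octet string to integer."""
    return int.from_bytes(octets, "big")


def encode_input(parts: list[bytes]) -> bytes:
    """8-byte length prefix per part (assumption: the issue writes a plain ||;
    the prefix only prevents different splits of the same bytes colliding)."""
    return b"".join(len(p).to_bytes(8, "big") + p for p in parts)


def deterministic_proof_scalars(holders_sk: bytes, disclosed_msgs: list[bytes],
                                pm: bytes, count: int) -> list[int]:
    """H = XOF(Holders_SK || msg_i1 || ... || msg_iR || pm);
    r_j~ = OS2IP(H.read(64)) mod q for j = 1..count, with SHAKE-256 as XOF.
    Deterministic by construction: identical inputs give identical scalars,
    which is exactly why this is for test vectors only, never for real proofs."""
    xof = hashlib.shake_256()
    xof.update(encode_input([holders_sk, *disclosed_msgs, pm]))
    stream = xof.digest(64 * count)  # one squeeze of count * 64 bytes
    return [os2ip(stream[64 * j:64 * (j + 1)]) % Q for j in range(count)]


# Constructed sample inputs, not test vectors from the bbs-signature repo.
SAMPLE_SK = bytes.fromhex("0f" * 32)
SAMPLE_MSGS = [b"msg_i1", b"msg_i2"]
SAMPLE_PM = b"presentation message"

if __name__ == "__main__":
    a = deterministic_proof_scalars(SAMPLE_SK, SAMPLE_MSGS, SAMPLE_PM, 3)
    b = deterministic_proof_scalars(SAMPLE_SK, SAMPLE_MSGS, SAMPLE_PM, 3)
    print("same inputs reproduce the same scalars:", a == b)
    c = deterministic_proof_scalars(SAMPLE_SK, SAMPLE_MSGS, b"other pm", 3)
    print("changing pm changes the scalars:", a != c)
```

Because SHAKE output is prefix-consistent, asking for fewer scalars yields a prefix of the longer list, which is convenient when regenerating test vectors for proofs that reveal different numbers of messages.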
In Rust this is often done by making the method generic over a `rand::Rng + CryptoRng` and then substituting a deterministic generator, like a seeded ChaCha permutation.
Related to #7 and somewhat #212