
Modify HashToCurve/HashToGroup algorithm

Open · mxtartaglia-sl opened this issue 5 months ago · 1 comment

Messages must be mapped or encoded to points in the curve to be signed. The same hashing process/strategy must be followed where the signature is produced and in all places that verify that signature.

Our current algorithm produces a SHA-256 hashed value of the message to sign, then gets a random curve point as if the hash was a random seed.

As explained by the S.C. team, cc: @Nana-EC @AlfredoG87 and @david-bakin-sl, at least the hashing method should be changed to `keccak256` to ensure cross-chain compatibility.

A POC implementation of the hashing mechanism in Solidity can be observed here: https://github.com/hashgraph/hedera-smart-contracts/blob/main/contracts/bls-signature/Pairing.sol#L57-L59

```solidity
function hashToG1(bytes memory _message) internal view returns (G1Point memory) {
    uint256 h = uint256(keccak256(_message));
    return curveMul(P1(), h);
}
```

P1 is the generator point of G1. @rsinha pointed out we cannot use that implementation.

Given that the method for computing the message coordinate from a message hash has to be the same across the pairings API and the possible implementations in smart contracts, this task will depend on finding a suitable algorithm for hashing that can be implemented in both places. @rsinha.

mxtartaglia-sl · Sep 12 '24 18:09
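As an added illustration, not code from this issue or from the hedera-services / hedera-smart-contracts repositories: a deterministic try-and-increment hash-to-G1 over alt_bn128 (the curve behind the EVM pairing precompiles that Pairing.sol targets), next to the rejected `hash(msg) * P1` construction for contrast. The domain-separation tag, the one-byte counter layout and the use of `sha3_256` as a stand-in for keccak256 are assumptions of this example.

```python
import hashlib

# alt_bn128 (BN254) G1: y^2 = x^3 + 3 over F_P, prime group order R, cofactor 1.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
B = 3
P1 = (1, 2)                   # G1 generator, the same P1 as in Pairing.sol
DST = b"EXAMPLE-BLS-H2C-v0"   # constructed domain-separation tag (assumption)

def is_on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + B)) % P == 0

def hash_to_g1(msg, hasher=hashlib.sha3_256):
    """Deterministic try-and-increment: hash DST || msg || ctr to an x-coordinate
    and return the first point whose x^3 + 3 is a square mod P.  sha3_256 stands
    in for keccak256 (stdlib has no keccak256; the two differ only in padding)."""
    for ctr in range(256):
        x = int.from_bytes(hasher(DST + msg + bytes([ctr])).digest(), "big") % P
        rhs = (x ** 3 + B) % P
        y = pow(rhs, (P + 1) // 4, P)      # square-root candidate, valid as P % 4 == 3
        if y * y % P == rhs:
            return (x, min(y, P - y))      # canonical sign so every party agrees
    raise ValueError("no point found")     # probability about 2^-256

def _add(a, b):
    if a is None or b is None:             # None is the point at infinity
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt):
    """Double-and-add; k reduced mod R because the group has prime order R."""
    acc = None
    for bit in bin(k % R)[2:]:
        acc = _add(acc, acc)
        if bit == "1":
            acc = _add(acc, pt)
    return acc

def poc_hash_to_g1(msg, hasher=hashlib.sha3_256):
    """The rejected Pairing.sol approach: hash(msg) * P1, whose discrete log is public."""
    return scalar_mul(int.from_bytes(hasher(msg).digest(), "big"), P1)
```

The same loop is expressible in Solidity with keccak256 and the modexp precompile for the square root; what the issue requires is that both implementations fix the same hasher, DST, counter encoding and sign rule.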