use hashToCurve and remove unsafe

Author: klkvr

examples/rust-multisig/src/main.rs

@@ -1,9 +1,5 @@
 use alloy::{primitives::U256, providers::ProviderBuilder, sol, sol_types::SolValue};
-use blst::{
-    blst_bendian_from_fp, blst_fp, blst_fp2, blst_fp_from_bendian, blst_keygen, blst_p1,
-    blst_p1_affine, blst_p1_to_affine, blst_p2, blst_p2_add_or_double, blst_p2_affine,
-    blst_p2_from_affine, blst_p2_to_affine, blst_scalar, blst_sign_pk_in_g1, blst_sk_to_pk_in_g1,
-};
+use blst::min_pk::{AggregateSignature, SecretKey, Signature};
 use rand::RngCore;
 use BLS::G2Point;
 
@@ -14,112 +10,41 @@ sol! {
     "../../out/BLSMultisig.sol/BLSMultisig.json"
 }
 
-impl From<BLS::Fp> for blst_fp {
-    fn from(value: BLS::Fp) -> Self {
-        let data = value.abi_encode();
+impl From<[u8; 96]> for BLS::G1Point {
+    fn from(value: [u8; 96]) -> Self {
+        let mut data = [0u8; 128];
+        data[16..64].copy_from_slice(&value[0..48]);
+        data[80..128].copy_from_slice(&value[48..96]);
 
-        let mut val = blst_fp::default();
-        unsafe { blst_fp_from_bendian(&mut val, data[16..].as_ptr()) };
-
-        val
-    }
-}
-
-impl From<blst_fp> for BLS::Fp {
-    fn from(value: blst_fp) -> Self {
-        let mut data = [0u8; 48];
-        unsafe { blst_bendian_from_fp(data.as_mut_ptr(), &value) };
-
-        Self {
-            a: U256::from_be_slice(&data[..16]),
-            b: U256::from_be_slice(&data[16..]),
-        }
-    }
-}
-
-impl From<BLS::Fp2> for blst_fp2 {
-    fn from(value: BLS::Fp2) -> Self {
-        Self {
-            fp: [value.c0.into(), value.c1.into()],
-        }
-    }
-}
-
-impl From<blst_fp2> for BLS::Fp2 {
-    fn from(value: blst_fp2) -> Self {
-        Self {
-            c0: value.fp[0].into(),
-            c1: value.fp[1].into(),
-        }
-    }
-}
-
-impl From<BLS::G2Point> for blst_p2 {
-    fn from(value: BLS::G2Point) -> Self {
-        let b_aff = blst_p2_affine {
-            x: value.x.into(),
-            y: value.y.into(),
-        };
-
-        let mut b = blst_p2::default();
-        unsafe { blst_p2_from_affine(&mut b, &b_aff) };
-
-        b
-    }
-}
-
-impl From<blst_p2> for BLS::G2Point {
-    fn from(value: blst_p2) -> Self {
-        let mut affine = blst_p2_affine::default();
-        unsafe { blst_p2_to_affine(&mut affine, &value) };
-
-        BLS::G2Point {
-            x: affine.x.into(),
-            y: affine.y.into(),
-        }
+        BLS::G1Point::abi_decode(&data, false).unwrap()
     }
 }
 
-impl From<blst_p1> for BLS::G1Point {
-    fn from(value: blst_p1) -> Self {
-        let mut affine = blst_p1_affine::default();
-        unsafe { blst_p1_to_affine(&mut affine, &value) };
+impl From<[u8; 192]> for BLS::G2Point {
+    fn from(value: [u8; 192]) -> Self {
+        let mut data = [0u8; 256];
+        data[16..64].copy_from_slice(&value[48..96]);
+        data[80..128].copy_from_slice(&value[0..48]);
+        data[144..192].copy_from_slice(&value[144..192]);
+        data[208..256].copy_from_slice(&value[96..144]);
 
-        BLS::G1Point {
-            x: affine.x.into(),
-            y: affine.y.into(),
-        }
+        BLS::G2Point::abi_decode(&data, false).unwrap()
     }
 }
 
 /// Generates `num` BLS keys and returns them as a tuple of secret keys and public keys, sorted by public key.
-fn generate_keys(num: usize) -> (Vec<blst_scalar>, Vec<BLS::G1Point>) {
+fn generate_keys(num: usize) -> (Vec<SecretKey>, Vec<BLS::G1Point>) {
     let mut rng = rand::thread_rng();
     let mut keys = Vec::with_capacity(num);
 
     for _ in 0..num {
         let mut ikm = [0u8; 32];
         rng.fill_bytes(&mut ikm);
 
-        let key_info: &[u8] = &[];
-
-        // secret key
-        let mut sk = blst_scalar::default();
-        unsafe {
-            blst_keygen(
-                &mut sk,
-                ikm.as_ptr(),
-                ikm.len(),
-                key_info.as_ptr(),
-                key_info.len(),
-            )
-        };
-
-        // public key
-        let mut pk = blst_p1::default();
-        unsafe { blst_sk_to_pk_in_g1(&mut pk, &sk) }
-
-        keys.push((sk, BLS::G1Point::from(pk)));
+        let sk = SecretKey::key_gen(&ikm, &[]).unwrap();
+        let pk: BLS::G1Point = sk.sk_to_pk().serialize().into();
+
+        keys.push((sk, pk));
     }
 
     keys.sort_by(|(_, pk1), (_, pk2)| pk1.cmp(pk2));
@@ -128,24 +53,20 @@ fn generate_keys(num: usize) -> (Vec<blst_scalar>, Vec<BLS::G1Point>) {
 }
 
 /// Signs a message with the provided keys and returns the aggregated signature.
-fn sign_message(keys: &[blst_scalar], message: blst_p2) -> G2Point {
-    let mut signatures = Vec::new();
+fn sign_message(keys: &[SecretKey], msg: &[u8]) -> G2Point {
+    let mut sigs = Vec::new();
 
     // create individual signatures
     for key in keys {
-        let mut sig = blst_p2::default();
-        unsafe { blst_sign_pk_in_g1(&mut sig, &message, key) };
-
-        signatures.push(sig);
+        let sig = key.sign(msg, b"BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_", &[]);
+        sigs.push(sig);
     }
 
-    // aggregate signatures by adding them
-    let mut agg_sig = signatures.swap_remove(0);
-    for sig in signatures {
-        unsafe { blst_p2_add_or_double(&mut agg_sig, &agg_sig, &sig) };
-    }
+    let agg_sig = Signature::from_aggregate(
+        &AggregateSignature::aggregate(sigs.iter().collect::<Vec<_>>().as_slice(), false).unwrap(),
+    );
 
-    agg_sig.into()
+    agg_sig.serialize().into()
 }
 
 #[tokio::main]
@@ -160,15 +81,7 @@ pub async fn main() {
 
     let operation = BLSMultisig::Operation::default();
 
-    let point: blst_p2 = multisig
-        .getOperationPoint(operation.clone())
-        .call()
-        .await
-        .unwrap()
-        ._0
-        .into();
-
-    let signature = sign_message(&keys, point);
+    let signature = sign_message(&keys, &operation.abi_encode());
 
     let receipt = multisig
         .verifyAndExecute(BLSMultisig::SignedOperation {

src/BLSMultisig.sol

@@ -3,12 +3,12 @@ pragma solidity ^0.8.23;
 
 import {BLS} from "./sign/BLS.sol";
 
-/// @notice BLS-powered multisignature wallet, demonstrating the use of 
+/// @notice BLS-powered multisignature wallet, demonstrating the use of
 /// aggregated BLS signatures for verification
-/// @dev This is for demonstration purposes only, do not use in production. This contract does 
+/// @dev This is for demonstration purposes only, do not use in production. This contract does
 /// not include protection from rogue public-key attacks. You
 contract BLSMultisig {
-    /// @notice Public keys of signers. This may contain a pre-aggregated 
+    /// @notice Public keys of signers. This may contain a pre-aggregated
     /// public keys for common sets of signers as well.
     mapping(bytes32 => bool) public signers;
 
@@ -52,7 +52,7 @@ contract BLSMultisig {
 
     /// @notice Maps an operation to a point on G2 which needs to be signed.
     function getOperationPoint(Operation memory op) public view returns (BLS.G2Point memory) {
-        return BLS.MapFp2ToG2(BLS.Fp2(BLS.Fp(0, 0), BLS.Fp(0, uint256(keccak256(abi.encode(op))))));
+        return BLS.hashToCurveG2(abi.encode(op));
     }
 
     /// @notice Accepts an operation signed by a subset of the signers and executes it

src/sign/BLS.sol

@@ -6,6 +6,8 @@ pragma solidity ^0.8.23;
 ///         defined in EIP-2537, see <https://eips.ethereum.org/EIPS/eip-2537>.
 /// @dev Precompile addresses come from the BLS addresses submodule in AlphaNet, see
 ///      <https://github.com/paradigmxyz/alphanet/blob/main/crates/precompile/src/addresses.rs>
+/// @notice `hashToCurve` logic is based on <https://github.com/ethyla/bls12-381-hash-to-curve/blob/main/src/HashToCurve.sol>
+/// with small modifications.
 library BLS {
     /// @dev A base field element (Fp) is encoded as 64 bytes by performing the
     /// BigEndian encoding of the corresponding (unsigned) integer. Due to the size of p,
@@ -150,4 +152,137 @@ library BLS {
         require(success, "MAP_FP2_TO_G2 failed");
         return abi.decode(output, (G2Point));
     }
+
+    /// @notice Computes a point in G2 from a message
+    /// @dev Uses the eip-2537 precompiles
+    /// @param message Arbitrarylength byte string to be hashed
+    /// @return A point in G2
+    function hashToCurveG2(bytes memory message) internal view returns (G2Point memory) {
+        // 1. u = hash_to_field(msg, 2)
+        Fp2[2] memory u = hashToFieldFp2(message, bytes("BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_"));
+        // 2. Q0 = map_to_curve(u[0])
+        G2Point memory q0 = MapFp2ToG2(u[0]);
+        // 3. Q1 = map_to_curve(u[1])
+        G2Point memory q1 = MapFp2ToG2(u[1]);
+        // 4. R = Q0 + Q1
+        return G2Add(q0, q1);
+    }
+
+    /// @notice Computes a field point from a message
+    /// @dev Follows https://datatracker.ietf.org/doc/html/rfc9380#section-5.2
+    /// @param message Arbitrarylength byte string to be hashed
+    /// @param dst The domain separation tag
+    /// @return Two field points
+    function hashToFieldFp2(bytes memory message, bytes memory dst) private view returns (Fp2[2] memory) {
+        // 1. len_in_bytes = count * m * L
+        // so always 2 * 2 * 64 = 256
+        uint16 lenInBytes = 256;
+        // 2. uniform_bytes = expand_message(msg, DST, len_in_bytes)
+        bytes32[] memory pseudoRandomBytes = expandMsgXmd(message, dst, lenInBytes);
+        Fp2[2] memory u;
+        // No loop here saves 800 gas hardcoding offset an additional 300
+        // 3. for i in (0, ..., count - 1):
+        // 4.   for j in (0, ..., m - 1):
+        // 5.     elm_offset = L * (j + i * m)
+        // 6.     tv = substr(uniform_bytes, elm_offset, HTF_L)
+        // uint8 HTF_L = 64;
+        // bytes memory tv = new bytes(64);
+        // 7.     e_j = OS2IP(tv) mod p
+        // 8.   u_i = (e_0, ..., e_(m - 1))
+        // tv = bytes.concat(pseudo_random_bytes[0], pseudo_random_bytes[1]);
+        u[0].c0 = _modfield(pseudoRandomBytes[0], pseudoRandomBytes[1]);
+        u[0].c1 = _modfield(pseudoRandomBytes[2], pseudoRandomBytes[3]);
+        u[1].c0 = _modfield(pseudoRandomBytes[4], pseudoRandomBytes[5]);
+        u[1].c1 = _modfield(pseudoRandomBytes[6], pseudoRandomBytes[7]);
+        // 9. return (u_0, ..., u_(count - 1))
+        return u;
+    }
+
+    /// @notice Computes a field point from a message
+    /// @dev Follows https://datatracker.ietf.org/doc/html/rfc9380#section-5.3
+    /// @dev bytes32[] because len_in_bytes is always a multiple of 32 in our case even 128
+    /// @param message Arbitrarylength byte string to be hashed
+    /// @param dst The domain separation tag of at most 255 bytes
+    /// @param lenInBytes The length of the requested output in bytes
+    /// @return A field point
+    function expandMsgXmd(bytes memory message, bytes memory dst, uint16 lenInBytes)
+        private
+        pure
+        returns (bytes32[] memory)
+    {
+        // 1.  ell = ceil(len_in_bytes / b_in_bytes)
+        // b_in_bytes seems to be 32 for sha256
+        // ceil the division
+        uint256 ell = (lenInBytes - 1) / 32 + 1;
+
+        // 2.  ABORT if ell > 255 or len_in_bytes > 65535 or len(DST) > 255
+        require(ell <= 255, "len_in_bytes too large for sha256");
+        // Not really needed because of parameter type
+        // require(lenInBytes <= 65535, "len_in_bytes too large");
+        // no length normalizing via hashing
+        require(dst.length <= 255, "dst too long");
+
+        bytes memory dstPrime = bytes.concat(dst, bytes1(uint8(dst.length)));
+
+        // 4.  Z_pad = I2OSP(0, s_in_bytes)
+        // this should be sha256 blocksize so 64 bytes
+        bytes memory zPad = new bytes(64);
+
+        // 5.  l_i_b_str = I2OSP(len_in_bytes, 2)
+        // length in byte string?
+        bytes2 libStr = bytes2(lenInBytes);
+
+        // 6.  msg_prime = Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime
+        bytes memory msgPrime = bytes.concat(zPad, message, libStr, hex"00", dstPrime);
+
+        // 7.  b_0 = H(msg_prime)
+        bytes32 b_0 = sha256(msgPrime);
+
+        bytes32[] memory b = new bytes32[](ell);
+
+        // 8.  b_1 = H(b_0 || I2OSP(1, 1) || DST_prime)
+        b[0] = sha256(bytes.concat(b_0, hex"01", dstPrime));
+
+        // 9.  for i in (2, ..., ell):
+        for (uint8 i = 2; i <= ell; i++) {
+            // 10.    b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime)
+            bytes memory tmp = abi.encodePacked(b_0 ^ b[i - 2], i, dstPrime);
+            b[i - 1] = sha256(tmp);
+        }
+        // 11. uniform_bytes = b_1 || ... || b_ell
+        // 12. return substr(uniform_bytes, 0, len_in_bytes)
+        // Here we don't need the uniform_bytes because b is already properly formed
+        return b;
+    }
+
+    // passing two bytes32 instead of bytes memory saves approx 700 gas per call
+    // Computes the mod against the bls12-381 field modulus
+    function _modfield(bytes32 _b1, bytes32 _b2) private view returns (Fp memory r) {
+        (bool success, bytes memory output) = address(0x5).staticcall(
+            abi.encode(
+                // arg[0] = base.length
+                0x40,
+                // arg[1] = exp.length
+                0x20,
+                // arg[2] = mod.length
+                0x40,
+                // arg[3] = base.bits @ + 0x60
+                // places the first 32 bytes of _b1 and the last 32 bytes of _b2
+                _b1,
+                _b2,
+                // arg[4] = exp
+                // exponent always 1
+                1,
+                // arg[5] = mod
+                // this field_modulus as hex 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
+                // we add the 0 prefix so that the result will be exactly 64 bytes
+                // saves 300 gas per call instead of sending it along every time
+                // places the first 32 bytes and the last 32 bytes of the field modulus
+                0x000000000000000000000000000000001a0111ea397fe69a4b1ba7b6434bacd7, // arg[5] = mod
+                0x64774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab //
+            )
+        );
+        require(success, "MODEXP failed");
+        return abi.decode(output, (Fp));
+    }
 }