feat: bls #2048

Draft: thesimplekid wants to merge 7 commits into cashubtc:main from thesimplekid:bls

Conversation

@thesimplekid (Collaborator)

Description


  • handle keyset rotation/migration


Checklist

  • I followed the code style guidelines
  • I ran just quick-check before committing
  • If the Wallet API was modified (added/removed/changed), I have reflected those changes in the FFI bindings (crates/cdk-ffi)

github-project-automation (bot) moved this to Backlog in CDK on Jun 7, 2026

Comment thread on crates/cashu/src/nuts/nut02.rs (outdated):

        MintKeyPair::from_secret_key(SecretKey::bls_from_reduced_bytes(&digest))
    }
    KeySetVersion::Version02 => MintKeyPair::from_secret_key(
        SecretKey::bls_from_reduced_bytes(&secret_key.secret_bytes()),

@a1denvalu3 (Contributor) Jun 8, 2026

Keys should also be rejection sampled, because the curve order of BLS is much smaller than $2^{256}$. Since $r$ is smaller than $2^{256}$, the probability that a random 256-bit integer $x$ is larger than or equal to $r$ is:

$$P(x \geq r) = 1 - \frac{r}{2^{256}} \approx 1 - 0.4528 = \mathbf{54.72\%}$$

nutshell reference: https://github.com/cashubtc/nutshell/pull/999/changes#diff-3fb6bb16c1a8d73a624c853e623ef777662162ec5378f7970ad1ec2233caffbfR235-R247

Comment thread on crates/cashu/src/nuts/nut01/bls.rs (outdated):

    weight_material.extend_from_slice(&(i as u32).to_be_bytes());
    weight_material.push(counter);
    let weight = Sha256Hash::hash(&weight_material).to_byte_array();
    let scalar = BlsSecretKey::from_reduced_bytes(&weight);

@a1denvalu3 (Contributor) Jun 9, 2026

from_reduced_bytes reduces the sample modulo r instead of erroring? We should rejection-sample here as well. I'm pretty sure that's how the spec goes.

@robwoodgate (Contributor) Jun 9, 2026

Well spotted! Also, the counter should be u32, not u8 - it is part of the transcript, so a change in byte width means the transcript is different to spec.
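An added example (my own illustration, not code from cdk or nutshell) covering both review points above: why reducing a 256-bit hash modulo the BLS12-381 Fr order is biased compared with rejection sampling, and why the counter's byte width changes the derived scalar. The `material || counter` hashing layout is a simplified stand-in assumed here, not the NUT spec's exact transcript.

```python
import hashlib

# Order r of the BLS12-381 scalar field Fr (a well-known curve constant).
BLS_FR_ORDER = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001


def rejection_probability() -> float:
    """Fraction of uniform 256-bit integers x with x >= r: the ~54.72% from the review."""
    return 1 - BLS_FR_ORDER / 2**256


def preimages_under_reduction(y: int) -> int:
    """Number of 256-bit integers x with x mod r == y.

    Shows why reducing mod r is biased: low residues have 3 preimages, high ones 2,
    so the reduced scalar is not uniform over Fr (and 0 is reachable)."""
    return (2**256 - 1 - y) // BLS_FR_ORDER + 1


def reduced_scalar(digest: bytes) -> int:
    """The biased construction the review objects to: always succeeds, never uniform."""
    return int.from_bytes(digest, "big") % BLS_FR_ORDER


def rejection_sample_scalar(material: bytes, counter_width: int = 4,
                            max_tries: int = 1 << 16) -> tuple[int, int]:
    """Hash material || counter (big-endian, counter_width bytes) and retry until the
    digest is a canonical non-zero Fr element, 1 <= x < r. Returns (scalar, counter).

    The transcript layout here is an assumption for illustration, not the NUT spec's.
    The counter width is part of that transcript: a u8 and a u32 counter hash
    different inputs, so peers disagreeing on the width derive different scalars."""
    for counter in range(min(max_tries, 1 << (8 * counter_width))):
        digest = hashlib.sha256(material + counter.to_bytes(counter_width, "big")).digest()
        x = int.from_bytes(digest, "big")
        if 1 <= x < BLS_FR_ORDER:  # reject x >= r and the forbidden zero scalar
            return x, counter
    raise ValueError("no canonical scalar found")  # P = 0.5472**max_tries, i.e. never


def estimate_rejection_rate(n: int = 2000) -> float:
    """Empirical check of rejection_probability() over n constructed SHA-256 digests."""
    rejected = 0
    for i in range(n):
        digest = hashlib.sha256(b"constructed-sample" + i.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big")
        if not 1 <= x < BLS_FR_ORDER:
            rejected += 1
    return rejected / n
```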

derive_batch_weights used modular reduction and a single-byte counter,
diverging from the spec (rejection sampling against BLS_FR_ORDER with a
u32_BE counter) and failing the published NUT-00 batch test vector. Use
canonical BlsSecretKey::from_bytes (rejects x >= order) plus a non-zero
check, and encode the counter as u32_BE. Adds the NUT-00 batch vector as
a conformance test.

generate_bls reduced 32 random bytes modulo the field order, biasing the
distribution and admitting the forbidden zero scalar. Rejection-sample a
canonical non-zero scalar in Fr* instead.

Adds two libFuzzer targets for the new pairing-based protocol:

- fuzz_bls_pubkey_in_conditions: injects *valid* compressed BLS G1/G2
  points into the secp256k1-only P2PK/HTLC pubkey positions (data field,
  pubkeys, refund_keys) and runs verify_p2pk/verify_htlc, asserting they
  return an error rather than panic. Random hex strings essentially never
  decode to a subgroup-correct BLS point, so this reaches the
  check_duplicate_pubkeys panic that the existing fuzz_p2pk_verify could
  not. Would have caught the parsing-panic DoS.
- fuzz_bls_dhke: stresses panic-safety of BLS point/scalar parsing and the
  blind/sign/unblind/verify and batch-verify paths (including the
  rejection-sampling weight loop), and checks soundness invariants: honest
  v3 proofs verify, honest batches batch-verify, tampering fails.

Adds bls_g1_pubkey_from/bls_g2_pubkey_from helpers to the fuzz lib.