updated to draft 06

microsoft · Jun 27, 2024 · 5d77f79 · 5d77f79
1 parent 79fe732
commit 5d77f79
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 TypeScript reference implementation for the [BBS signature scheme](https://github.com/decentralized-identity/bbs-signature). The goal is to help understand and verify the specification. This is NOT a production-ready implementation; testing is minimal and no effort is made to optimize and protect against specialized attacks (e.g., side-channel resistance). 
 
-This project aims to keep up to date with the [latest specification](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html), but may be behind since the specification changes often; the current implementation matches the *21 December 2023* version of the specification, matching the [draft-irtf-cfrg-bbs-signatures-05](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/05/) version submitted to the CFRG.
+This project aims to keep up to date with the [latest specification](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html), but may be behind since the specification changes often; the current implementation matches the *26 June 2024* version of the specification, matching the [draft-irtf-cfrg-bbs-signatures-06](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/06/) version submitted to the CFRG.
 
 Given the rapid evolution of the BBS scheme, there might be inconsistencies between the specification and the code; please open issues or file PRs if you find any!
 

diff --git a/src/bbs.ts b/src/bbs.ts
@@ -78,7 +78,7 @@ export class BBS {
     const L = messages.length;
     const domain = this.calculate_domain(PK, generators, header);
     utils.log("domain", domain);
-    const e = this.hash_to_scalar(this.serialize([SK, domain, ...messages]));
+    const e = this.hash_to_scalar(this.serialize([SK, ...messages, domain]));
     utils.log("e", e);
 
     // B = P1 + Q_1 * domain + H_1 * msg_1 + ... + H_L * msg_L
@@ -313,9 +313,17 @@ export class BBS {
 
   // https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html#name-challenge-calculation
   calculate_challenge(Abar: G1Point, Bbar: G1Point, D: G1Point, T1: G1Point, T2: G1Point, i_array: number[], msg_array: FrScalar[], domain: FrScalar, ph: Uint8Array): FrScalar {
+    if (i_array.length !== msg_array.length) {
+      throw "i_array and msg_array should have the same length";
+    }
     const challenge = this.hash_to_scalar(
       utils.concat(
-        this.serialize([Abar, Bbar, D, T1, T2, i_array.length, ...i_array, ...msg_array, domain]),
+        this.serialize([
+          // R
+          i_array.length, 
+          // i_1, msg_1, i_2, msg_2, ...
+          ...i_array.flatMap((val, idx) => [val, msg_array[idx]]), 
+          Abar, Bbar, D, T1, T2, domain]),
         utils.i2osp(ph.length, 8),
         ph));
     return challenge;
@@ -380,7 +388,7 @@ export class BBS {
 
   // https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html#name-octets-to-proof
   octets_to_proof(proof_octets: Uint8Array): BBSProof {
-    const proof_len_floor = 3 * this.cs.octet_point_length + 4 * this.cs.octet_scalar_length;
+    const proof_len_floor = 2 * this.cs.octet_point_length + 4 * this.cs.octet_scalar_length;
     if (proof_octets.length < proof_len_floor) {
       throw "invalid proof (length)";
     }