Breaking Change: BLS Signature Verification

Hello everyone,

We want to let you know that there will be a breaking change to BLS Signature Verification that will impact all development teams. This breaking change is related to the core Flow protocol, therefore will have minimal to no impact to teams developing on Flow.

This change will go into effect: With the Aug. 24, 2022 Mainnet Spork

Why This Change Happened

Flow internal nodes communication is authenticated using BLS signatures. Flow protocol implementation relies on the Flow cryptography library to implement the different BLS functions.

There are ongoing efforts to standardize BLS signature implementations and usage under IETF drafts. The Flow cryptography library is continually updated to comply with BLS signatures draft and the hashing to curve draft.

What Changes

The ciphersuite used by Flow signatures is now set to: BLS_SIG_BLS12381G1_XOF:KMAC128_SSWU_RO_POP_ following the specifications on the two IETF drafts.

When authenticating messages within the protocol, a domain separation tag (DST) is used to scope the signature to a specific sub-protocol or domain. The full DST includes the sub-protocol tag, the BLS ciphersuite above, as well as general protocol information. Here is an example of a full DST used for a sub-protocol called mydomain ,
FLOW-mydomain-V00-CS00-with-BLS_SIG_BLS12381G1_XOF:KMAC128_SSWU_RO_POP_ . Protocol nodes use this DST to generate signatures, and the same DST needs to be used when verifying signatures.

Proofs of possession of private keys is a way to secure BLS signature aggregations when used in the Flow protocol. A special cipher suite is required for these proofs, it is now set to BLS_POP_BLS12381G1_XOF:KMAC128_SSWU_RO_POP_ .

  • Access API: After the Spork, any node signature queried through the access API requires the new DST to be used for signature verifications, this applies to the block header signatures for instance. Using the older node software (Flow-go version) leads to valid signatures being evaluated as invalid. This does not impact verifications involving Flow account signatures (for instance transaction signatures).

  • Cadence: BLS signature verification, BLS Proof of possession verification and KMAC 128 for BLS will be used with the updated ciphersuite which changes the behaviour of each of these functions.

Action Required

  • Access API Client changes: If you have been using the flow-go repository to verify node signatures, rebuilding your Go project with the correct flow-go version (including the updated cryptography module under Flow-go) will fix the issue. If you have been using your own implementation to verify signatures, then DSTs need to be updated to the new values.

  • Cadence changes: If you have been generating BLS signatures off-chain and validating them on-chain, make sure to update the DSTs used to generate these signatures. Signatures and PoPs need to be generated using the new ciphersuite in order to be valid under the new Cadence signature and PoP verifications.

Otherwise, no action is required.

If you have any questions regarding this breaking change, please ask our team on Discord, or reply directly in this thread for further assistance.

Thank you,
The Flow Team :ocean:

Hey Flow Team!

We currently use “FLOW-V0.0-user” as the DST when signing data with our backend service and verifying it on chain.

publicKey.verify(
  signature: sig.decodeHex(),
  signedData: data.toString().utf8,
  domainSeparationTag: "FLOW-V0.0-user",
  hashAlgorithm: HashAlgorithm.SHA3_256
)

Is the change already deployed on Testnet? Is “FLOW-V0.0-user” now deprecated? If so, are we able to update our current contracts on Mainnet that implement it - like we did for secure cadence?

Thanks in advance,
Rob