optimize BLS PoP to follow IETF draft

[perturbing]

In #587 we added BLS signatures to cardano-base, this because Leios will need them. This issue suggest dropping $\mu_2$ from the proof of possession.

In the work that has been done, the proof of possession protocol followed the Leios paper. Where we roughly define (see the code here)

• $ \mu_1 = sign("PoP" | vk\_bytes, sk) \in G_{1/2}$
• $\mu_2 = g_{\{1/2\}}^{sk} \in G_{\{1/2\}}$ (note that this is just the public key in the other group)

For a $vk \in G_{\{2/1\}}$. The latter, $\mu_2$ has been added to follow the paper, breaking what the IETF does (which just returns $\mu_1$ as the proof). In normal BLS signatures, what the IETF standardizes, the latter has no additional use. In academics, this is often added to the model of BLS signatures to aid the security proofs. This is since there is an isomorphism between $G_1$ and $G_2$, and the math is easier if you have the representation of the public key without this mapping, by just checking that $e(pk,g_1) = e(g_2, \mu_2) = e(g_2, pk')$ (for $pk \in G_1$ and $pk' \in G_2$).

Now note that in Leios we also use the BLS key as a VRF, which does not warrant the use of a proof of possession, but we should still be careful with changes that do not follow the paper.

If we do make this change, this will save bytes in the PoP, but also the verification time of such a PoP will become equivalent to just a signature check (we currently do roughly the work of two such checks). Additionally, this will make our implementation IETF compliant, making it easier for other languages to grab off-the-shelf BLS signature libs instead of having to implement their own crypto.

• Check with research that dropping $\mu_2$ poses no security risk (the security proofs also hold with just using the isomorphism)
• Implement the changes

The below image shows the adjusted BLS protocol for Leios (BLS signatures + VRF over the same keys)

[perturbing]

Note that the initial paper on BLS signatures and rogue attacks also uses just the single $\mu_1$ in its proof on page 9 (indicating that the above is secure).

[pyrros]

The issue here is that the isomorphism between the groups exists in so-called "Type 2" settings whereas most applications choose "Type 3" settings where such an isomorphism is unavailable.

In practical terms, it does seem infeasible for an adversary to (effectively) be able to apply a secret value to arbitrary elements of G1 (the PoP is effectively a signature, which in turn is a "raise this to your secret exponent" check) but not to elements of G2. OTOH, even in somewhat recent works it seems that we need to roll out the isomorphism assumption to handle more complex proofs. In the linked papers, MSP-PoP does not need the isomorphism, only AMSP-PoP, but Mithril has more complex corruption scenarios inside the proofs.

There does not seem to be an adversarial avenue to exploit this, and the proofs would still work by replacing the 2nd PoP element with some knowledge assumption or by shifting to AGM or GGM when reasoning about the group. I've not investigated the latter approach in depth yet.