Add support for BLS possession proof

Author: palas

cardano-api/src/Cardano/Api/Key.hs

@@ -72,6 +72,8 @@ module Cardano.Api.Key
 
     -- | BLS12-381 key type
   , BlsKey
+  , BlsPossessionProof
+  , createBlsPossessionProof
 
     -- ** Type proxy
   , HasTypeProxy (..)

cardano-api/src/Cardano/Api/Key/Internal/Leios.hs

@@ -17,6 +17,10 @@ module Cardano.Api.Key.Internal.Leios
   , Hash (..)
   , VerificationKey (..)
   , SigningKey (..)
+
+    -- * Possession proof
+  , BlsPossessionProof
+  , createBlsPossessionProof
   )
 where
 
@@ -35,6 +39,7 @@ import Cardano.Crypto.DSIGN.Class qualified as Crypto
 import Cardano.Crypto.Hash.Class qualified as Crypto
 import Cardano.Ledger.Hashes (HASH)
 
+import Data.ByteString (ByteString)
 import Data.Either.Combinators (maybeToRight)
 import Data.String (IsString (..))
 
@@ -149,3 +154,57 @@ instance HasTextEnvelope (SigningKey BlsKey) where
 
   textEnvelopeDefaultDescr :: SigningKey BlsKey -> TextEnvelopeDescr
   textEnvelopeDefaultDescr _ = "BLS12-381 signing key"
+
+-- | BlsPossessionProof is used in the Leios protocol to prove ownership of a BLS signing key
+-- when registering a BLS verification key for a stake pool. This is required to prevent malicious
+-- actors from registering a BLS verification key for a stake pool without actually owning the
+-- corresponding signing key.
+newtype BlsPossessionProof = BlsPossessionProof (Crypto.PossessionProofDSIGN Crypto.BLS12381MinSigDSIGN)
+  deriving stock Eq
+  deriving newtype (ToCBOR, FromCBOR)
+  deriving anyclass SerialiseAsCBOR
+
+instance Show BlsPossessionProof where
+  show _ = "BlsPossessionProof"
+
+instance Pretty BlsPossessionProof where
+  pretty _ = "BlsPossessionProof"
+
+-- | Proof-of-possession ciphersuite DST for the minimal-signature-size BLS12-381 variant.
+--
+-- It is used when creating and verifying proofs of possession to ensure domain separation
+-- between signing contexts.
+minSigPoPContext :: Crypto.BLS12381SignContext
+minSigPoPContext = Crypto.BLS12381SignContext (Just minSigPoPDST) Nothing
+
+-- TODO: This is a provisional definition. Import @minSigPoPDST@ from
+-- @Cardano.Crypto.DSIGN.BLS12381@ (cardano-crypto-class) when
+-- IntersectMBO/cardano-base#635 is merged and the dependency is bumped.
+minSigPoPDST :: ByteString
+minSigPoPDST = "BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_POP_"
+
+-- | Create a proof of possession for a BLS signing key.
+--
+-- This proof demonstrates that the holder of a BLS verification key knows the corresponding
+-- secret key, which is required before the key can safely participate in signature aggregation.
+-- Without this proof, an attacker could register a crafted verification key that cancels out
+-- honest participants' keys during aggregation (a rogue key attack).
+createBlsPossessionProof :: SigningKey BlsKey -> BlsPossessionProof
+createBlsPossessionProof (BlsSigningKey sk) =
+  BlsPossessionProof (Crypto.createPossessionProofDSIGN minSigPoPContext sk)
+
+instance HasTypeProxy BlsPossessionProof where
+  data AsType BlsPossessionProof = AsBlsPossessionProof
+  proxyToAsType _ = AsBlsPossessionProof
+
+instance HasTextEnvelope BlsPossessionProof where
+  textEnvelopeType :: AsType BlsPossessionProof -> TextEnvelopeType
+  textEnvelopeType _ =
+    "BlsPossessionProof_"
+      <> fromString (Crypto.algorithmNameDSIGN proxy)
+   where
+    proxy :: Proxy Crypto.BLS12381MinSigDSIGN
+    proxy = Proxy
+
+  textEnvelopeDefaultDescr :: BlsPossessionProof -> TextEnvelopeDescr
+  textEnvelopeDefaultDescr _ = "BLS12-381 possession proof"