In the Commitment computation step 2 the spec says: "generators = BBS.create_generators(M + 2, api_id)". Only M+1 of these generators are used.

In my computation I use "generators = BBS.create_generators(M + 1, api_id)" and all commitment test vectors (SHA and SHAKE) verify. Cheers Greg.

Hello,

I've encountered an issue while testing my code against the commit001.json fixture in the bls12-381-sha-256 folder. My code is producing a commit different from the expected one.

Considering that committedMessages is an empty array in this case, the commitment C should be equal to Q_2 * secret_prover_blind, correct? My secret_prover_blind is correct and matches 1b6f406b17aaf92dc7deb911c7cae49756a6623b5c385b5ae6214d7e3d9597f7. Therefore, I suspect the issue lies in the computation of Q_2.

I have already implemented the test vectors for the Generators, and they all passed successfully. So, I don't really know what might be causing the problem. Any guidance or suggestions would be greatly appreciated.

Thank you!

For calculate_domain(PK, generators, header, api_id) are we thinking something like:

Procedure:

1. dom_array = (M + L + 1, ...generators)
2. dom_octs = serialize(dom_array) || api_id
3. dom_input = PK || dom_octs || I2OSP(length(header), 8) || header
4. return hash_to_scalar(dom_input, domain_dst)

It's not defined in the document and has a different signature than that in BBS Signatures.

In Blind Signature step 3:

3. if M != 0, M = M - octet_point_length - octet_scalar_length

==> but there is the challenge on the end so shouldn't M = M - octet_point_length - 2*octet_scalar_length?