Problem Statement / Feature Objective
The BLS key sharing protocol serializes the shared public key as a pair of G1 points (coefficient a0, commitment a1) using little-endian byte order for the x-coordinate but big-endian for the y-coordinate. The deserialization path assumes both coordinates are little-endian, causing all shared keys reconstructed from serialized form to be invalid points on the curve.
Technical Invariants & Bounds
- BLS12-381 G1 point: 48 bytes (x: 381 bits + y: 3 bits in big-endian).
- Serialization format: x coordinate as 48-byte big-endian, y sign as 1 bit in the highest byte.
- Current code reads both as little-endian (x reversed, y bit from wrong byte).
- Decompressed points fail curve equation b = x^3 + ax + b (mod q).
- Affects all validators using distributed key generation for aggregate committees.
Codebase Navigation Guide
- src/crypto/bls-keys.rs - deserialize_shared_public_key() and serialize_shared_public_key().
- src/crypto/dkg.rs - DistributedKeyGeneration round 1 message handling.
- src/network/dkg-message.rs - DKG message wire format.
- tests/crypto/dkg_serialization_roundtrip_test.rs - round-trip tests.
Implementation Blueprint
- In src/crypto/bls-keys.rs, audit deserialize_shared_public_key(): read x as big-endian (48 bytes, MSB first), extract y sign bit from bytes[47] & 0x80.
- Fix serialize_shared_public_key() to write x in big-endian with y-sign in the MSB of the last byte.
- Add a round-trip test: generate a random shared key, serialize, deserialize, and assert the point is unchanged and satisfies the curve equation.
- Add a regression test with a known hard-coded serialized byte string from the spec test vectors.
- Run the full DKG test suite to ensure no other serialization paths are affected.
Problem Statement / Feature Objective
The BLS key sharing protocol serializes the shared public key as a pair of G1 points (coefficient a0, commitment a1) using little-endian byte order for the x-coordinate but big-endian for the y-coordinate. The deserialization path assumes both coordinates are little-endian, causing all shared keys reconstructed from serialized form to be invalid points on the curve.
Technical Invariants & Bounds
Codebase Navigation Guide
Implementation Blueprint