From 24e0452d1868e3f41bed17cc92407bba9eb13046 Mon Sep 17 00:00:00 2001 From: Sergey Minaev Date: Mon, 24 Oct 2022 16:59:14 +0500 Subject: [PATCH] BBS Update: align impl to Signature test vector. Signed-off-by: Sergey Minaev --- pkg/crypto/primitive/bbs12381g2pub/bbs.go | 12 ++--- .../primitive/bbs12381g2pub/bbs_test.go | 42 +++++++-------- pkg/crypto/primitive/bbs12381g2pub/fr.go | 12 +++-- pkg/crypto/primitive/bbs12381g2pub/fr_test.go | 38 +++++++++++++ pkg/crypto/primitive/bbs12381g2pub/keys.go | 32 +++++++---- .../primitive/bbs12381g2pub/keys_test.go | 10 ++-- .../bbs12381g2pub/signature_message.go | 6 ++- .../bbs12381g2pub/signature_message_test.go | 53 +++++++++++++++++++ .../bbs12381g2pub/signature_proof.go | 7 +-- 9 files changed, 159 insertions(+), 53 deletions(-) create mode 100644 pkg/crypto/primitive/bbs12381g2pub/fr_test.go create mode 100644 pkg/crypto/primitive/bbs12381g2pub/signature_message_test.go diff --git a/pkg/crypto/primitive/bbs12381g2pub/bbs.go b/pkg/crypto/primitive/bbs12381g2pub/bbs.go index 9144cf6a48..ba63ee270e 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/bbs.go +++ b/pkg/crypto/primitive/bbs12381g2pub/bbs.go @@ -190,12 +190,14 @@ func (bbs *BBSG2Pub) SignWithKey(header []byte, messages [][]byte, privKey *Priv return nil, fmt.Errorf("build generators from public key: %w", err) } + messagesFr := ParseSignatureMessages(messages) + esBuilder := newEcnodeForHashBuilder() esBuilder.addScalar(privKey.FR) esBuilder.addScalar(pubKeyWithGenerators.domain) - for _, msg := range messages { - esBuilder.addBytes(msg) + for _, msgFr := range messagesFr { + esBuilder.addScalar(msgFr.FR) } es := Hash2scalars(esBuilder.build(), 2) @@ -204,7 +206,6 @@ func (bbs *BBSG2Pub) SignWithKey(header []byte, messages [][]byte, privKey *Priv exp.Add(exp, e) exp.Inverse(exp) - messagesFr := ParseSignatureMessages(messages) b := computeB(s, messagesFr, pubKeyWithGenerators) sig := g1.New() 
@@ -222,12 +223,9 @@ func (bbs *BBSG2Pub) SignWithKey(header []byte, messages [][]byte, privKey *Priv func computeB(s *bls12381.Fr, messages []*SignatureMessage, key *PublicKeyWithGenerators) *bls12381.PointG1 { const basesOffset = 2 - bindingBasis := g1.One() - bindingExp := bls12381.NewFr().One() - cb := newCommitmentBuilder(len(messages) + basesOffset) - cb.add(bindingBasis, bindingExp) + cb.add(key.p1, bls12381.NewFr().One()) cb.add(key.q1, s) cb.add(key.q2, key.domain) diff --git a/pkg/crypto/primitive/bbs12381g2pub/bbs_test.go b/pkg/crypto/primitive/bbs12381g2pub/bbs_test.go index 373b338aeb..d5c1243f65 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/bbs_test.go +++ b/pkg/crypto/primitive/bbs12381g2pub/bbs_test.go @@ -17,7 +17,7 @@ import ( ) func TestBlsG2Pub_Verify(t *testing.T) { - privateKeyBytes := hexStringToBytesTest(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") + privateKeyBytes := hexToBytes(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") privateKey, err := bbs12381g2pub.UnmarshalPrivateKey(privateKeyBytes) require.NoError(t, err) @@ -25,7 +25,7 @@ func TestBlsG2Pub_Verify(t *testing.T) { pkBytes, err := privateKey.PublicKey().Marshal() require.NoError(t, err) - sigBytes := hexStringToBytesTest(t, + sigBytes := hexToBytes(t, "84d9677e651d7e039ff1bd3c6c37a6d465b23ebcc1291cf0082cd94c3971ff2ec64d8ddfd0c2f68d37429f6c751003a7"+ "5435cae4b55250e5a3e357b7bd52589ff830820cd5e07a6125d846245efacccb"+ "5814139b8bef5b329b3a269f576565d33bf6254916468f9e997a685ac68508a6") 
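Review bot: In `computeB` (bbs.go) the binding base is now `key.p1`, an unexported pointer field with no nil guard, so `cb.add(key.p1, bls12381.NewFr().One())` receives a nil point for any `PublicKeyWithGenerators` not built by `ToPublicKeyWithGenerators`. The same substitution is made in `verifyVC2Proof` in signature_proof.go. Any other place that still uses `g1.One()` as the binding base (signature verification and proof creation are not visible in this diff) needs the same switch, otherwise signer and verifier compute different values of B. I would add a comment on the line, for example `// p1: base point from generatorBPSeed; must be the same base on the verify and proof paths`. computeB's body continues past the end of the hunk.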
@@ -135,15 +135,15 @@ func TestBBSG2Pub_Sign(t *testing.T) { } func TestBBSG2Pub_SignWithPredefinedKeys(t *testing.T) { - privateKeyBytes := hexStringToBytesTest(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") - header := hexStringToBytesTest(t, "11223344556677889900aabbccddeeff") + privateKeyBytes := hexToBytes(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") + header := hexToBytes(t, "11223344556677889900aabbccddeeff") messagesBytes := default10messages(t) bls := bbs12381g2pub.New() signature, err := bls.Sign(header, messagesBytes, privateKeyBytes) require.NoError(t, err) - expectedSignatureBytes := hexStringToBytesTest(t, + expectedSignatureBytes := hexToBytes(t, "9157456791e4f9cae1130372f7cf37709ba661e43df5c23cc1c76be91abff7e2603e2ddaaa71fc42bd6f9d44bd58315b"+ "09ee5cc4e7614edde358f2c497b6b05c8b118fae3f71a52af482dceffccb3785"+ "1907573c03d2890dffbd1f660cdf89c425d4e0498bbf73dd96ff15ad9a8b581a") @@ -152,7 +152,7 @@ func TestBBSG2Pub_SignWithPredefinedKeys(t *testing.T) { } func TestBBSG2Pub_VerifyProof_SeveralDisclosedMessages(t *testing.T) { - privateKeyBytes := hexStringToBytesTest(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") + privateKeyBytes := hexToBytes(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") privateKey, err := bbs12381g2pub.UnmarshalPrivateKey(privateKeyBytes) require.NoError(t, err) 
@@ -160,10 +160,10 @@ func TestBBSG2Pub_VerifyProof_SeveralDisclosedMessages(t *testing.T) { pkBytes, err := privateKey.PublicKey().Marshal() require.NoError(t, err) - proofBytes := hexStringToBytesTest(t, "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") //nolint:lll + proofBytes := hexToBytes(t, "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") //nolint:lll // TODO "header": "11223344556677889900aabbccddeeff" - nonce := hexStringToBytesTest(t, "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501") + nonce := hexToBytes(t, "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501") messagesBytes := default10messages(t) revealedMessagesBytes := [][]byte{messagesBytes[0], messagesBytes[2]} @@ -210,7 +210,7 @@ func TestBBSG2Pub_VerifyProof_SeveralDisclosedMessages(t *testing.T) { } func TestBBSG2Pub_DeriveProof(t *testing.T) { - privKeyBytes := hexStringToBytesTest(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") + privKeyBytes := hexToBytes(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") privKey, err := bbs12381g2pub.UnmarshalPrivateKey(privKeyBytes) require.NoError(t, err) @@ -228,7 +228,7 @@ func TestBBSG2Pub_DeriveProof(t *testing.T) { require.NoError(t, bls.Verify(nil, messagesBytes, signatureBytes, pubKeyBytes)) - nonce := hexStringToBytesTest(t, "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501") + nonce := hexToBytes(t, "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501") revealedIndexes := []int{0, 2} proofBytes, err := bls.DeriveProof(nil, messagesBytes, signatureBytes, nonce, pubKeyBytes, revealedIndexes) require.NoError(t, err) 
@@ -251,22 +251,22 @@ func TestBBSG2Pub_DeriveProof(t *testing.T) { func default10messages(t *testing.T) [][]byte { messagesBytes := [][]byte{ - hexStringToBytesTest(t, "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a45f02"), - hexStringToBytesTest(t, "87a8bd656d49ee07b8110e1d8fd4f1dcef6fb9bc368c492d9bc8c4f98a739ac6"), - hexStringToBytesTest(t, "96012096adda3f13dd4adbe4eea481a4c4b5717932b73b00e31807d3c5894b90"), - hexStringToBytesTest(t, "ac55fb33a75909edac8994829b250779298aa75d69324a365733f16c333fa943"), - hexStringToBytesTest(t, "d183ddc6e2665aa4e2f088af9297b78c0d22b4290273db637ed33ff5cf703151"), - hexStringToBytesTest(t, "515ae153e22aae04ad16f759e07237b43022cb1ced4c176e0999c6a8ba5817cc"), - hexStringToBytesTest(t, "496694774c5604ab1b2544eababcf0f53278ff5040c1e77c811656e8220417a2"), - hexStringToBytesTest(t, "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c23364568523f8b91"), - hexStringToBytesTest(t, "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b7320912416"), - hexStringToBytesTest(t, "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075f9b80"), + hexToBytes(t, "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a45f02"), + hexToBytes(t, "87a8bd656d49ee07b8110e1d8fd4f1dcef6fb9bc368c492d9bc8c4f98a739ac6"), + hexToBytes(t, "96012096adda3f13dd4adbe4eea481a4c4b5717932b73b00e31807d3c5894b90"), + hexToBytes(t, "ac55fb33a75909edac8994829b250779298aa75d69324a365733f16c333fa943"), + hexToBytes(t, "d183ddc6e2665aa4e2f088af9297b78c0d22b4290273db637ed33ff5cf703151"), + hexToBytes(t, "515ae153e22aae04ad16f759e07237b43022cb1ced4c176e0999c6a8ba5817cc"), + hexToBytes(t, "496694774c5604ab1b2544eababcf0f53278ff5040c1e77c811656e8220417a2"), + hexToBytes(t, "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c23364568523f8b91"), + hexToBytes(t, "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b7320912416"), + hexToBytes(t, "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075f9b80"), } return messagesBytes } -func hexStringToBytesTest(t 
*testing.T, msg string) []byte { +func hexToBytes(t *testing.T, msg string) []byte { bytes, err := hex.DecodeString(msg) require.NoError(t, err) diff --git a/pkg/crypto/primitive/bbs12381g2pub/fr.go b/pkg/crypto/primitive/bbs12381g2pub/fr.go index adf5b9f2ed..f725e1194d 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/fr.go +++ b/pkg/crypto/primitive/bbs12381g2pub/fr.go @@ -17,10 +17,9 @@ import ( ) const ( - logP2 = 384 k = 128 h2sDST = csID + "H2S_" - expandLen = (logP2 + k) / 8 + expandLen = (logR2 + k + 7) / 8 //nolint:gomnd ) func parseFr(data []byte) *bls12381.Fr { @@ -74,20 +73,25 @@ func Hash2scalar(message []byte) *bls12381.Fr { // Hash2scalars convert messages represented in bytes to Fr. func Hash2scalars(msg []byte, cnt int) []*bls12381.Fr { + return hash2scalars(msg, []byte(h2sDST), cnt) +} + +func hash2scalars(msg, dst []byte, cnt int) []*bls12381.Fr { bufLen := cnt * expandLen msgLen := len(msg) roundSz := 1 msgLenSz := 4 msgExt := make([]byte, msgLen+roundSz+msgLenSz) + // msgExt is a concatenation of: msg || I2OSP(round, 1) || I2OSP(cnt, 4) copy(msgExt, msg) - copy(msgExt[msgLen+1:], uint32ToBytes(uint32(msgLen))) + copy(msgExt[msgLen+1:], uint32ToBytes(uint32(cnt))) out := make([]*bls12381.Fr, cnt) for round, completed := byte(0), false; !completed; { msgExt[msgLen] = round - buf, _ := bls12381intern.ExpandMsgXOF(sha3.NewShake256(), msgExt, []byte(h2sDST), bufLen) //nolint:errcheck + buf, _ := bls12381intern.ExpandMsgXOF(sha3.NewShake256(), msgExt, dst, bufLen) //nolint:errcheck ok := true for i := 0; i < cnt && ok; i++ { diff --git a/pkg/crypto/primitive/bbs12381g2pub/fr_test.go b/pkg/crypto/primitive/bbs12381g2pub/fr_test.go new file mode 100644 index 0000000000..29c0f023b6 --- /dev/null +++ b/pkg/crypto/primitive/bbs12381g2pub/fr_test.go 
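Review bot: In the fr.go constant block, `expandLen` is now `(logR2 + k + 7) / 8`, which reuses `logR2 = 251` from keys.go, although the BLS12-381 scalar field order is a 255-bit prime. Integer division gives 48 for both 251 and 255, so the output length is what a 255-bit order requires, but only by coincidence of rounding. The `//nolint:gomnd` hides that. I would either correct the constant or document it next to the expression, for example `// ceil((ceil(log2(r)) + k) / 8) = 48 for BLS12-381`. This also changes the expansion length from the previous 64 bytes per scalar, which is worth stating in the commit description because it changes every derived scalar.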
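Review bot: `hash2scalars` in fr.go still discards the error from `ExpandMsgXOF` (`buf, _ := ... //nolint:errcheck`), and it now takes a caller-supplied `dst` as well as `cnt`. `bufLen` is `cnt * expandLen`, and an expander that follows RFC 9380 rejects over-long outputs and over-long DSTs, so a failure would leave the loop below reading from an empty `buf`. The loop is outside this hunk, so the exact effect should be confirmed. I would keep the error, `buf, err := bls12381intern.ExpandMsgXOF(sha3.NewShake256(), msgExt, dst, bufLen)`, and let the unexported helper return it, so that `parseSignatureMessage`, which indexes `[0]` on the result, cannot dereference a missing scalar. The new helper also has no doc comment; one line saying that `dst` provides domain separation between callers would help.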
@@ -0,0 +1,38 @@ +/* +Copyright SecureKey Technologies Inc. All Rights Reserved. + +SPDX-License-Identifier: Apache-2.0 +*/ + +package bbs12381g2pub_test + +import ( + "testing" + + "github.com/stretchr/testify/require" + + bbs "github.com/hyperledger/aries-framework-go/pkg/crypto/primitive/bbs12381g2pub" +) + +func TestHash2Scalars(t *testing.T) { + msg := hexToBytes(t, "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a45f02") + + t.Run("single", func(t *testing.T) { + sc := bbs.Hash2scalar(msg).ToBytes() + require.Equal(t, hexToBytes(t, "260cab748e24ccc2bbd66f5b834d692622fa131f5ce898fa57217434c9ed14fa"), sc) + }) + + t.Run("multiple", func(t *testing.T) { + sc := bbs.Hash2scalars(msg, 10) + require.Equal(t, hexToBytes(t, "5c6e62607c16397ee6d9624673be9a7ddacbc7b7dd290bdb853cf4c74a34de0a"), sc[0].ToBytes()) + require.Equal(t, hexToBytes(t, "2a3524e43413a5d1b34c4c8ed119c4c5a2f9b84392ff0fea0d34e1be44ceafbc"), sc[1].ToBytes()) + require.Equal(t, hexToBytes(t, "4b649b82eed1e62117d91cd8d22438e72f3f931a0f8ad683d1ade253333c472a"), sc[2].ToBytes()) + require.Equal(t, hexToBytes(t, "64338965f1d37d17a14b6f431128c0d41a7c3924a5f484c282d20205afdfdb8f"), sc[3].ToBytes()) + require.Equal(t, hexToBytes(t, "0dfe01c01ff8654e43a611b76aaf4faec618a50d85d34f7cc89879b179bde3d5"), sc[4].ToBytes()) + require.Equal(t, hexToBytes(t, "6b6935016e64791f5d719f8206284fbe27dbb8efffb4141512c3fbfbfa861a0f"), sc[5].ToBytes()) + require.Equal(t, hexToBytes(t, "0dfe13f85a36df5ebfe0efac3759becfcc2a18b134fd22485c151db85f981342"), sc[6].ToBytes()) + require.Equal(t, hexToBytes(t, "5071751012c142046e7c3508decb0b7ba9a453d06ce7787189f4d93a821d538e"), sc[7].ToBytes()) + require.Equal(t, hexToBytes(t, "5cdae3304e745553a75134d914db5b282cc62d295e3ed176fb12f792919fd85e"), sc[8].ToBytes()) + require.Equal(t, hexToBytes(t, "32b67dfbba729831798279071a39021b66fd68ee2e68684a0f6901cd6fcb8256"), sc[9].ToBytes()) + }) +} 
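Review bot: The expected scalars in `TestHash2Scalars` are bare hex constants with no pointer to their origin, so a later mismatch cannot be classified as a regression or as a newer revision of the specification. A comment above the test naming the source document and revision, such as `// vectors: <spec name and draft revision>`, would make the fixture auditable. The same applies to `TestParseSignatureMessages` in signature_message_test.go. As a style point, the ten `require.Equal` lines could be a loop over a slice of expected hex strings.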
diff --git a/pkg/crypto/primitive/bbs12381g2pub/keys.go b/pkg/crypto/primitive/bbs12381g2pub/keys.go index abe595eae4..a27aec6123 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/keys.go +++ b/pkg/crypto/primitive/bbs12381g2pub/keys.go @@ -21,12 +21,13 @@ import ( ) const ( - seedSize = frCompressedSize - seedDST = csID + "SIG_GENERATOR_SEED_" - generatorDST = csID + "SIG_GENERATOR_DST_" - generatorSeed = csID + "MESSAGE_GENERATOR_SEED" - logR2 = 251 - seedLen = ((logR2 + k) + 7) / 8 //nolint:gomnd + seedSize = frCompressedSize + seedDST = csID + "SIG_GENERATOR_SEED_" + generatorDST = csID + "SIG_GENERATOR_DST_" + generatorSeed = csID + "MESSAGE_GENERATOR_SEED" + generatorBPSeed = csID + "BP_MESSAGE_GENERATOR_SEED" + logR2 = 251 + seedLen = ((logR2 + k) + 7) / 8 //nolint:gomnd ) // PublicKey defines BLS Public Key. @@ -42,6 +43,7 @@ type PrivateKey struct { // PublicKeyWithGenerators extends PublicKey with a blinding generator h0, a commitment to the secret key w, // and a generator for each message h. type PublicKeyWithGenerators struct { + p1 *bls12381.PointG1 q1 *bls12381.PointG1 q2 *bls12381.PointG1 h []*bls12381.PointG1 @@ -58,7 +60,12 @@ func (pk *PublicKey) ToPublicKeyWithGenerators(messagesCount int, header []byte) specGenCnt := 2 genCnt := messagesCount + specGenCnt - generators, err := CreateGenerators(genCnt) + generators, err := CreateMessageGenerators(genCnt) + if err != nil { + return nil, err + } + + bpGenerators, err := crateGenerators(genCnt, []byte(generatorBPSeed)) if err != nil { return nil, err } @@ -77,6 +84,7 @@ func (pk *PublicKey) ToPublicKeyWithGenerators(messagesCount int, header []byte) domain := Hash2scalar(domainBuilder.build()) return &PublicKeyWithGenerators{ + p1: bpGenerators[0], q1: generators[0], q2: generators[1], h: generators[2:], 
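Review bot: The new `p1` field in `PublicKeyWithGenerators` is added under a doc comment that still speaks of a blinding generator `h0`, while the fields visible in this hunk are `p1`, `q1`, `q2` and `h`. Since `computeB` pairs `p1` with the constant one, `q1` with `s` and `q2` with `domain`, I would update the comment to say that, for example `// p1 is the fixed base point derived from generatorBPSeed; q1 and q2 are the generators for s and domain; h holds one generator per message.` The struct definition continues past the hunk, so the remaining fields should be checked against the comment too.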
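Review bot: In `ToPublicKeyWithGenerators`, `crateGenerators(genCnt, []byte(generatorBPSeed))` derives `genCnt` points but only `bpGenerators[0]` ends up in the returned struct. Each call therefore pays for `messagesCount + 1` generator derivations that are thrown away, on a path that appears to run for every sign and verify. If the first generator does not depend on `cnt`, `crateGenerators(1, []byte(generatorBPSeed))` is enough, but the generation loop is outside this diff, so please confirm that. The function body starts before and continues after this hunk.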
@@ -97,11 +105,15 @@ func hashToG1(data, dst []byte) (*bls12381.PointG1, error) { return g1.FromBytes(g.ToBytes(p)) } -// CreateGenerators create `cnt` determenistic generators. -func CreateGenerators(cnt int) ([]*bls12381.PointG1, error) { +// CreateMessageGenerators create `cnt` determenistic generators. +func CreateMessageGenerators(cnt int) ([]*bls12381.PointG1, error) { + return crateGenerators(cnt, []byte(generatorSeed)) +} + +func crateGenerators(cnt int, seed []byte) ([]*bls12381.PointG1, error) { generators := make([]*bls12381.PointG1, cnt) - v, err := bls12381intern.ExpandMsgXOF(sha3.NewShake256(), []byte(generatorSeed), []byte(seedDST), seedLen) + v, err := bls12381intern.ExpandMsgXOF(sha3.NewShake256(), seed, []byte(seedDST), seedLen) if err != nil { return nil, err } diff --git a/pkg/crypto/primitive/bbs12381g2pub/keys_test.go b/pkg/crypto/primitive/bbs12381g2pub/keys_test.go index 6567507ae3..0a6d8f32a1 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/keys_test.go +++ b/pkg/crypto/primitive/bbs12381g2pub/keys_test.go 
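Review bot: Renaming the exported `CreateGenerators` to `CreateMessageGenerators` removes a public symbol, which breaks importers outside this diff; keeping `CreateGenerators` as a deprecated wrapper that calls the new function would avoid that. The new helper is spelled `crateGenerators` (also at its call site in `ToPublicKeyWithGenerators`) and the doc comment says "determenistic". I would rename it to `createGenerators` and write `// CreateMessageGenerators creates cnt deterministic message generators.` The helper varies only the seed and keeps the shared `seedDST`, so a comment should state that message and BP generators are separated by the seed alone. The helper's body continues past the hunk.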
@@ -67,21 +67,21 @@ func TestPrivateKey_PublicKey(t *testing.T) { t.Run("pre-generated key pair", func(t *testing.T) { // original hex seed 746869732d49532d6a7573742d616e2d546573742d494b4d2d746f2d67656e65726174652d246528724074232d6b6579 - privateKeyB58 := "5qNVd4Wsp7LPC7vxrbuVMsAkAGif2dA82wm1Wte1zH4Z" - publicKeyB58 := "25pRBEBDHvG5ryqsEB5tw6eAa3Ds8bx6jMKhEtXnWjCLNg7ikYokwaNtpggZZY3MvWTxBPCidfxFBq2ZiVVTpioCh6GJLs4iESiEydJca9kmeMkEkqK6ePudqoqLHSv4NA7p" // nolint: lll + privateKeyBytes := hexToBytes(t, "47d2ede63ab4c329092b342ab526b1079dbc2595897d4f2ab2de4d841cbe7d56") + publicKeyBytesExpeted := hexToBytes(t, "b65b7cbff4e81b723456a13936b6bcc77a078bf6291765f3ae13170072249dd7daa7ec1bd82b818ab60198030b45b8fa159c155fc3841a9ad4045e37161c9f0d9a4f361b93cfdc67d365f3be1a398e56aa173d7a55e01b4a8dd2494e7fb90da7") // nolint: lll - privateKey, err := bbs.UnmarshalPrivateKey(base58.Decode(privateKeyB58)) + privateKey, err := bbs.UnmarshalPrivateKey(privateKeyBytes) require.NoError(t, err) publicKeyBytes, err := privateKey.PublicKey().Marshal() - require.Equal(t, publicKeyB58, base58.Encode(publicKeyBytes)) + require.Equal(t, publicKeyBytesExpeted, publicKeyBytes) require.NoError(t, err) }) } func TestGenerators(t *testing.T) { msgCnt := 2 - generators, err := bbs.CreateGenerators(msgCnt + 2) + generators, err := bbs.CreateMessageGenerators(msgCnt + 2) require.NoError(t, err) bytes := bls12381.NewG1().ToCompressed(generators[0]) diff --git a/pkg/crypto/primitive/bbs12381g2pub/signature_message.go b/pkg/crypto/primitive/bbs12381g2pub/signature_message.go index 9f156d3f83..253875ff7e 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/signature_message.go +++ b/pkg/crypto/primitive/bbs12381g2pub/signature_message.go @@ -10,6 +10,10 @@ import ( bls12381 "github.com/kilic/bls12-381" ) +const ( + dstMapMsg = csID + "MAP_MSG_TO_SCALAR_AS_HASH_" +) + // SignatureMessage defines a message to be used for a signature check. type SignatureMessage struct { FR *bls12381.Fr 
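Review bot: In the `pre-generated key pair` subtest of keys_test.go, `require.Equal` on `publicKeyBytes` runs before `require.NoError(t, err)`, so a failing `Marshal()` is reported as a byte mismatch rather than as the error; the two lines should be swapped. `publicKeyBytesExpeted` is misspelled. The `// original hex seed ...` comment is kept although the key literal changed in this hunk, so please confirm it still describes the new private key or drop it.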
@@ -20,7 +24,7 @@ func parseSignatureMessage(message []byte) *SignatureMessage { encodedForHashMsg := newEcnodeForHashBuilder() encodedForHashMsg.addBytes(message) - elm := Hash2scalar(encodedForHashMsg.build()) + elm := hash2scalars(encodedForHashMsg.build(), []byte(dstMapMsg), 1)[0] return &SignatureMessage{ FR: elm, diff --git a/pkg/crypto/primitive/bbs12381g2pub/signature_message_test.go b/pkg/crypto/primitive/bbs12381g2pub/signature_message_test.go new file mode 100644 index 0000000000..c952b47175 --- /dev/null +++ b/pkg/crypto/primitive/bbs12381g2pub/signature_message_test.go 
@@ -0,0 +1,53 @@ +/* +Copyright SecureKey Technologies Inc. All Rights Reserved. + +SPDX-License-Identifier: Apache-2.0 +*/ + +package bbs12381g2pub_test + +import ( + "testing" + + "github.com/stretchr/testify/require" + + bbs "github.com/hyperledger/aries-framework-go/pkg/crypto/primitive/bbs12381g2pub" +) + +func TestParseSignatureMessages(t *testing.T) { + msgs := [][]byte{ + hexToBytes(t, "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a45f02"), + hexToBytes(t, "87a8bd656d49ee07b8110e1d8fd4f1dcef6fb9bc368c492d9bc8c4f98a739ac6"), + hexToBytes(t, "96012096adda3f13dd4adbe4eea481a4c4b5717932b73b00e31807d3c5894b90"), + hexToBytes(t, "ac55fb33a75909edac8994829b250779298aa75d69324a365733f16c333fa943"), + hexToBytes(t, "d183ddc6e2665aa4e2f088af9297b78c0d22b4290273db637ed33ff5cf703151"), + hexToBytes(t, "515ae153e22aae04ad16f759e07237b43022cb1ced4c176e0999c6a8ba5817cc"), + hexToBytes(t, "496694774c5604ab1b2544eababcf0f53278ff5040c1e77c811656e8220417a2"), + hexToBytes(t, "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c23364568523f8b91"), + hexToBytes(t, "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b7320912416"), + hexToBytes(t, "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075f9b80"), + } + + sc := bbs.ParseSignatureMessages(msgs) + + require.Equal(t, + hexToBytes(t, "4e67c49cf68df268bca0624880770bb57dbe8460c89883cc0ac496785b68bbe9"), sc[0].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "12d92c990f37ffab1c6ac4b0cd83378ffb8a8610259d62d3b885fc4c1bc50f7f"), sc[1].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "41a157520e8752ca100a365ffde4683fb9610bf105b40933bb98dcacbbd56ace"), sc[2].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "3344daad11febac28f0f8e3740cd2921fd6da18ebc7e9692a8287cedea5f4bf4"), sc[3].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "0407198a8ffc4640b840fc924e5308f405ca86035d05366718aafd0b688876f3"), sc[4].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, 
"1918fa78c85628cb3ac705cc4843197d3fce88c8132d9242d87201e65a4d3743"), sc[5].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "0a272f853369d70526d7bd37281bb87d1c8db7d0975dd833812bb9d264f4b0eb"), sc[6].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "00776f91d1ecb5cc01ffe155ae05efea0b820f3d40bada5142bb852f9922b7e1"), sc[7].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "3902ced42427bca88822f818912d2f4c0d88ba1d1fc7a9b0e2321674a5d53f27"), sc[8].FR.ToBytes()) + require.Equal(t, + hexToBytes(t, "397864d9292b1f4a5fff5fa33088ed8e1a9ec52346dbd5f66ee0f978bd67595d"), sc[9].FR.ToBytes()) +} diff --git a/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go b/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go index 221f9f266b..31d2186e67 100644 --- a/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go +++ b/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go @@ -70,9 +70,6 @@ func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *bls12381.Fr, pubKey *Pu revealedMessages map[int]*SignatureMessage, messages []*SignatureMessage) error { revealedMessagesCount := len(revealedMessages) - bindingBasis := g1.One() - bindingExp := bls12381.NewFr().One() - basesVC2 := make([]*bls12381.PointG1, 0, 2+pubKey.messagesCount-revealedMessagesCount) basesVC2 = append(basesVC2, sp.d, pubKey.q1) @@ -80,8 +77,8 @@ func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *bls12381.Fr, pubKey *Pu basesDisclosed := make([]*bls12381.PointG1, 0, disclousedElementsCnt) exponentsDisclosed := make([]*bls12381.Fr, 0, disclousedElementsCnt) - basesDisclosed = append(basesDisclosed, bindingBasis, pubKey.q2) - exponentsDisclosed = append(exponentsDisclosed, bindingExp, pubKey.domain) + basesDisclosed = append(basesDisclosed, pubKey.p1, pubKey.q2) + exponentsDisclosed = append(exponentsDisclosed, bls12381.NewFr().One(), pubKey.domain) revealedMessagesInd := 0