diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4fffb2f --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/target +/Cargo.lock diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..e4b5e09 --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,26 @@ +[package] +name = "ark-ec-blind-signatures" +version = "0.0.1" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +ark-ff = { version = "^0.3.0", default-features = false } +ark-std = { version = "^0.3.0", default-features = false } +ark-r1cs-std = { version = "^0.3.0", default-features = false } +ark-ec = { version = "^0.3.0", default-features = false } +ark-bn254 = { version = "^0.3.0", default-features = false } +ark-ed-on-bn254 = { version = "^0.3.0", default-features = true, features = [ "r1cs" ] } +ark-crypto-primitives = { version = "^0.3.0", default-features = true, features = [ "r1cs" ] } +# ark-sponge = { version = "^0.3.0", default-features = true, features = [ "r1cs" ] } +# ark-sponge = { git = "https://github.com/arkworks-rs/sponge.git", rev = "41843d179dc4655869955297833d096d1962120f", default-features=true, features=["r1cs"] } +arkworks-utils = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-utils", features=["poseidon_bn254_x5_3"] } +arkworks-native-gadgets = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-native-gadgets"} +ark-relations = { version = "^0.3.0", default-features = false } +ark-snark = { version = "^0.3.0", default-features = false } +ark-groth16 = { version = "^0.3.0" } +tracing = { version = "0.1", default-features = false, features = [ "attributes" ] } +tracing-subscriber = { version = "0.2" } +lazy_static = "1.4.0" +rand = "0.8.4" diff --git a/README.md b/README.md new file mode 100644 index 0000000..019b50e --- /dev/null +++ b/README.md @@ -0,0 +1,9 @@ +# ark-ec-blind-signatures +Blind signatures over elliptic curve implementation (native & r1cs gadgets) using arkworks. + +Blind signature over elliptic curves, based on *"[New Blind Signature Schemes Based on the (Elliptic Curve) Discrete Logarithm Problem](https://sci-hub.st/10.1109/iccke.2013.6682844)"* paper by Hamid Mala & Nafiseh Nezhadansari. + + +> Warning: experimental code, do not use in production. + +Target: Groth16 over Bn254 (for Ethereum), so the curve used for the blind signatures is ed-on-bn254 ([BabyJubJub](https://github.com/barryWhiteHat/baby_jubjub)). diff --git a/src/lib.rs b/src/lib.rs new file mode 100644 index 0000000..f5446fa --- /dev/null +++ b/src/lib.rs @@ -0,0 +1,196 @@ +#[allow(non_snake_case)] +#[allow(clippy::many_single_char_names)] + +// pub type ConstraintF = ark_bn254::Fr; +// pub type ConstraintF = ark_ed_on_bn254::Fq; // base field +pub type ConstraintF = ark_ed_on_bn254::Fr; // scalar field + +use ark_ec::{AffineCurve, ProjectiveCurve, TEModelParameters}; +use ark_ed_on_bn254::{EdwardsAffine, EdwardsParameters, EdwardsProjective, FqParameters, Fr}; +use ark_ff::{ + to_bytes, BigInteger, BigInteger256, Field, Fp256, FpParameters, One, PrimeField, Zero, +}; + +use ark_std::rand::{CryptoRng, RngCore}; +use ark_std::UniformRand; + +// hash +use arkworks_native_gadgets::poseidon; +use arkworks_native_gadgets::poseidon::FieldHasher; +use arkworks_utils::{ + bytes_matrix_to_f, bytes_vec_to_f, parse_vec, poseidon_params::setup_poseidon_params, Curve, +}; + +const GX: Fp256 = ::AFFINE_GENERATOR_COEFFS.0; +const GY: Fp256 = ::AFFINE_GENERATOR_COEFFS.1; + +#[macro_use] +extern crate lazy_static; + +lazy_static! { + static ref G_AFFINE: EdwardsAffine = EdwardsAffine::new(GX, GY); + static ref G: EdwardsProjective = G_AFFINE.into_projective(); +} + +// Fr modulus (bigendian) +const FR_MODULUS: BigInteger256 = BigInteger256::new([ + 0x677297DC392126F1, + 0xAB3EEDB83920EE0A, + 0x370A08B6D0302B0B, + 0x060C89CE5C263405, +]); + +// poseidon +pub fn poseidon_setup_params( + curve: Curve, + exp: i8, + width: u8, +) -> poseidon::PoseidonParameters { + let pos_data = setup_poseidon_params(curve, exp, width).unwrap(); + + let mds_f = bytes_matrix_to_f(&pos_data.mds); + let rounds_f = bytes_vec_to_f(&pos_data.rounds); + + poseidon::PoseidonParameters { + mds_matrix: mds_f, + round_keys: rounds_f, + full_rounds: pos_data.full_rounds, + partial_rounds: pos_data.partial_rounds, + sbox: poseidon::sbox::PoseidonSbox(pos_data.exp), + width: pos_data.width, + } +} + +pub struct PrivateKey(ConstraintF); +pub type PublicKey = EdwardsAffine; +pub type BlindedSignature = ConstraintF; +pub struct Signature { + s: ConstraintF, + r: EdwardsAffine, +} + +#[derive(Debug)] +pub struct UserSecretData { + a: ConstraintF, + b: ConstraintF, + r: EdwardsAffine, +} +impl UserSecretData { + fn new_empty() -> Self { + UserSecretData { + a: ConstraintF::from(0), + b: ConstraintF::from(0), + r: G_AFFINE.clone(), // WIP + } + } +} + +pub fn new_sk(rng: &mut R) -> PrivateKey { + let sk: PrivateKey = PrivateKey(ConstraintF::rand(rng)); + sk +} + +impl PrivateKey { + pub fn public(&self) -> PublicKey { + let pk: PublicKey = G.mul(self.0.into_repr()).into_affine(); + pk + } + pub fn blind_sign(&self, m_blinded: ConstraintF, k: ConstraintF) -> BlindedSignature { + self.0 * m_blinded + k + } +} + +pub fn new_request_params(rng: &mut R) -> (ConstraintF, EdwardsAffine) { + let k = ConstraintF::rand(rng); + let R = G.mul(k.into_repr()).into_affine(); + (k, R) +} + +fn new_blind_params(rng: &mut R, signer_r: EdwardsAffine) -> UserSecretData { + let mut u: UserSecretData = UserSecretData::new_empty(); + u.a = ConstraintF::rand(rng); + u.b = ConstraintF::rand(rng); + + // R = aR' + bG + let aR = signer_r.mul(u.a.into_repr()); + let bG = G.mul(u.b.into_repr()); + u.r = aR.into_affine() + bG.into_affine(); + + // check that u.r.x can be safely converted into Fr, and if not, choose other u.a & u.b values + let x_repr = u.r.x.into_repr(); + if !(x_repr >= ConstraintF::one().into_repr() && x_repr < FR_MODULUS) { + return new_blind_params(rng, signer_r); + } + return u; +} + +pub fn blind( + rng: &mut R, + poseidon_hash: &poseidon::Poseidon, + m: ConstraintF, + signer_r: EdwardsAffine, +) -> Result<(ConstraintF, UserSecretData), ark_crypto_primitives::Error> { + let u = new_blind_params(rng, signer_r); + // use unwrap, as we already checked that R.x is inside Fr and will not give None + let x_fr = ConstraintF::from_repr(u.r.x.into_repr()).unwrap(); + + // m' = a^-1 rx h(m) + let h_m = poseidon_hash.hash(&[m])?; + let m_blinded = u.a.inverse().unwrap() * x_fr * h_m; + + Ok((m_blinded, u)) +} + +pub fn unblind(s_blinded: ConstraintF, u: UserSecretData) -> Signature { + // s = a s' + b + let s = u.a * s_blinded + u.b; + Signature { s, r: u.r } +} + +pub fn verify( + poseidon_hash: &poseidon::Poseidon, + m: ConstraintF, + s: Signature, + q: PublicKey, +) -> bool { + let sG = G.mul(s.s.into_repr()); + + let h_m = poseidon_hash.hash(&[m]).unwrap(); + + let x_repr = s.r.x.into_repr(); + if !(x_repr >= ConstraintF::one().into_repr() && x_repr < FR_MODULUS) { + return false; // error, s.r.x does not fit in Fr + } + let x_fr = ConstraintF::from_repr(s.r.x.into_repr()).unwrap(); + let right = s.r + q.mul((x_fr * h_m).into_repr()).into_affine(); + + sG.into_affine() == right +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_blind() { + let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 3); + let poseidon_hash = poseidon::Poseidon::new(poseidon_params); + + let mut rng = ark_std::test_rng(); + + let sk = new_sk(&mut rng); + let pk = sk.public(); + + let (k, signer_r) = new_request_params(&mut rng); + let m = ConstraintF::from(1234); + + let (m_blinded, u) = blind(&mut rng, &poseidon_hash, m, signer_r).unwrap(); + + let s_blinded = sk.blind_sign(m_blinded, k); + + let s = unblind(s_blinded, u); + + let verified = verify(&poseidon_hash, m, s, pk); + assert!(verified); + } +}