Add rust-native blind-sig impl

.gitignore

@@ -0,0 +1,2 @@
+/target
+/Cargo.lock

Cargo.toml

@@ -0,0 +1,26 @@
+[package]
+name = "ark-ec-blind-signatures"
+version = "0.0.1"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+ark-ff = { version = "^0.3.0", default-features = false }
+ark-std = { version = "^0.3.0", default-features = false }
+ark-r1cs-std = { version = "^0.3.0", default-features = false }
+ark-ec = { version = "^0.3.0", default-features = false }
+ark-bn254 = { version = "^0.3.0", default-features = false }
+ark-ed-on-bn254 = { version = "^0.3.0", default-features = true, features = [ "r1cs" ] }
+ark-crypto-primitives = { version = "^0.3.0", default-features = true, features = [ "r1cs" ] }
+# ark-sponge = { version = "^0.3.0", default-features = true, features = [ "r1cs" ] }
+# ark-sponge = { git = "https://github.com/arkworks-rs/sponge.git", rev = "41843d179dc4655869955297833d096d1962120f", default-features=true, features=["r1cs"] }
+arkworks-utils = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-utils", features=["poseidon_bn254_x5_3"] }
+arkworks-native-gadgets = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-native-gadgets"}
+ark-relations = { version = "^0.3.0", default-features = false }
+ark-snark = { version = "^0.3.0", default-features = false }
+ark-groth16 = { version = "^0.3.0" }
+tracing = { version = "0.1", default-features = false, features = [ "attributes" ] }
+tracing-subscriber = { version = "0.2" }
+lazy_static = "1.4.0"
+rand = "0.8.4"

README.md

@@ -0,0 +1,9 @@
+# ark-ec-blind-signatures
+Blind signatures over elliptic curve implementation (native & r1cs gadgets) using arkworks.
+
+Blind signature over elliptic curves, based on *"[New Blind Signature Schemes Based on the (Elliptic Curve) Discrete Logarithm Problem](https://sci-hub.st/10.1109/iccke.2013.6682844)"* paper by Hamid Mala & Nafiseh Nezhadansari.
+
+
+> Warning: experimental code, do not use in production.
+
+Target: Groth16 over Bn254 (for Ethereum), so the curve used for the blind signatures is ed-on-bn254 ([BabyJubJub](https://github.com/barryWhiteHat/baby_jubjub)).

src/lib.rs

@@ -0,0 +1,196 @@
+#[allow(non_snake_case)]
+#[allow(clippy::many_single_char_names)]
+
+// pub type ConstraintF = ark_bn254::Fr;
+// pub type ConstraintF = ark_ed_on_bn254::Fq; // base field
+pub type ConstraintF = ark_ed_on_bn254::Fr; // scalar field
+
+use ark_ec::{AffineCurve, ProjectiveCurve, TEModelParameters};
+use ark_ed_on_bn254::{EdwardsAffine, EdwardsParameters, EdwardsProjective, FqParameters, Fr};
+use ark_ff::{
+    to_bytes, BigInteger, BigInteger256, Field, Fp256, FpParameters, One, PrimeField, Zero,
+};
+
+use ark_std::rand::{CryptoRng, RngCore};
+use ark_std::UniformRand;
+
+// hash
+use arkworks_native_gadgets::poseidon;
+use arkworks_native_gadgets::poseidon::FieldHasher;
+use arkworks_utils::{
+    bytes_matrix_to_f, bytes_vec_to_f, parse_vec, poseidon_params::setup_poseidon_params, Curve,
+};
+
+const GX: Fp256<FqParameters> = <EdwardsParameters as TEModelParameters>::AFFINE_GENERATOR_COEFFS.0;
+const GY: Fp256<FqParameters> = <EdwardsParameters as TEModelParameters>::AFFINE_GENERATOR_COEFFS.1;
+
+#[macro_use]
+extern crate lazy_static;
+
+lazy_static! {
+    static ref G_AFFINE: EdwardsAffine = EdwardsAffine::new(GX, GY);
+    static ref G: EdwardsProjective = G_AFFINE.into_projective();
+}
+
+// Fr modulus (bigendian)
+const FR_MODULUS: BigInteger256 = BigInteger256::new([
+    0x677297DC392126F1,
+    0xAB3EEDB83920EE0A,
+    0x370A08B6D0302B0B,
+    0x060C89CE5C263405,
+]);
+
+// poseidon
+pub fn poseidon_setup_params<F: PrimeField>(
+    curve: Curve,
+    exp: i8,
+    width: u8,
+) -> poseidon::PoseidonParameters<F> {
+    let pos_data = setup_poseidon_params(curve, exp, width).unwrap();
+
+    let mds_f = bytes_matrix_to_f(&pos_data.mds);
+    let rounds_f = bytes_vec_to_f(&pos_data.rounds);
+
+    poseidon::PoseidonParameters {
+        mds_matrix: mds_f,
+        round_keys: rounds_f,
+        full_rounds: pos_data.full_rounds,
+        partial_rounds: pos_data.partial_rounds,
+        sbox: poseidon::sbox::PoseidonSbox(pos_data.exp),
+        width: pos_data.width,
+    }
+}
+
+pub struct PrivateKey(ConstraintF);
+pub type PublicKey = EdwardsAffine;
+pub type BlindedSignature = ConstraintF;
+pub struct Signature {
+    s: ConstraintF,
+    r: EdwardsAffine,
+}
+
+#[derive(Debug)]
+pub struct UserSecretData {
+    a: ConstraintF,
+    b: ConstraintF,
+    r: EdwardsAffine,
+}
+impl UserSecretData {
+    fn new_empty() -> Self {
+        UserSecretData {
+            a: ConstraintF::from(0),
+            b: ConstraintF::from(0),
+            r: G_AFFINE.clone(), // WIP
+        }
+    }
+}
+
+pub fn new_sk<R: RngCore>(rng: &mut R) -> PrivateKey {
+    let sk: PrivateKey = PrivateKey(ConstraintF::rand(rng));
+    sk
+}
+
+impl PrivateKey {
+    pub fn public(&self) -> PublicKey {
+        let pk: PublicKey = G.mul(self.0.into_repr()).into_affine();
+        pk
+    }
+    pub fn blind_sign(&self, m_blinded: ConstraintF, k: ConstraintF) -> BlindedSignature {
+        self.0 * m_blinded + k
+    }
+}
+
+pub fn new_request_params<R: RngCore>(rng: &mut R) -> (ConstraintF, EdwardsAffine) {
+    let k = ConstraintF::rand(rng);
+    let R = G.mul(k.into_repr()).into_affine();
+    (k, R)
+}
+
+fn new_blind_params<R: RngCore>(rng: &mut R, signer_r: EdwardsAffine) -> UserSecretData {
+    let mut u: UserSecretData = UserSecretData::new_empty();
+    u.a = ConstraintF::rand(rng);
+    u.b = ConstraintF::rand(rng);
+
+    // R = aR' + bG
+    let aR = signer_r.mul(u.a.into_repr());
+    let bG = G.mul(u.b.into_repr());
+    u.r = aR.into_affine() + bG.into_affine();
+
+    // check that u.r.x can be safely converted into Fr, and if not, choose other u.a & u.b values
+    let x_repr = u.r.x.into_repr();
+    if !(x_repr >= ConstraintF::one().into_repr() && x_repr < FR_MODULUS) {
+        return new_blind_params(rng, signer_r);
+    }
+    return u;
+}
+
+pub fn blind<R: RngCore>(
+    rng: &mut R,
+    poseidon_hash: &poseidon::Poseidon<ConstraintF>,
+    m: ConstraintF,
+    signer_r: EdwardsAffine,
+) -> Result<(ConstraintF, UserSecretData), ark_crypto_primitives::Error> {
+    let u = new_blind_params(rng, signer_r);
+    // use unwrap, as we already checked that R.x is inside Fr and will not give None
+    let x_fr = ConstraintF::from_repr(u.r.x.into_repr()).unwrap();
+
+    // m' = a^-1 rx h(m)
+    let h_m = poseidon_hash.hash(&[m])?;
+    let m_blinded = u.a.inverse().unwrap() * x_fr * h_m;
+
+    Ok((m_blinded, u))
+}
+
+pub fn unblind(s_blinded: ConstraintF, u: UserSecretData) -> Signature {
+    // s = a s' + b
+    let s = u.a * s_blinded + u.b;
+    Signature { s, r: u.r }
+}
+
+pub fn verify(
+    poseidon_hash: &poseidon::Poseidon<ConstraintF>,
+    m: ConstraintF,
+    s: Signature,
+    q: PublicKey,
+) -> bool {
+    let sG = G.mul(s.s.into_repr());
+
+    let h_m = poseidon_hash.hash(&[m]).unwrap();
+
+    let x_repr = s.r.x.into_repr();
+    if !(x_repr >= ConstraintF::one().into_repr() && x_repr < FR_MODULUS) {
+        return false; // error, s.r.x does not fit in Fr
+    }
+    let x_fr = ConstraintF::from_repr(s.r.x.into_repr()).unwrap();
+    let right = s.r + q.mul((x_fr * h_m).into_repr()).into_affine();
+
+    sG.into_affine() == right
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_blind() {
+        let poseidon_params = poseidon_setup_params::<ConstraintF>(Curve::Bn254, 5, 3);
+        let poseidon_hash = poseidon::Poseidon::new(poseidon_params);
+
+        let mut rng = ark_std::test_rng();
+
+        let sk = new_sk(&mut rng);
+        let pk = sk.public();
+
+        let (k, signer_r) = new_request_params(&mut rng);
+        let m = ConstraintF::from(1234);
+
+        let (m_blinded, u) = blind(&mut rng, &poseidon_hash, m, signer_r).unwrap();
+
+        let s_blinded = sk.blind_sign(m_blinded, k);
+
+        let s = unblind(s_blinded, u);
+
+        let verified = verify(&poseidon_hash, m, s, pk);
+        assert!(verified);
+    }
+}