diff --git a/src/constraints.rs b/src/constraints.rs index f2b962d..125bdc8 100644 --- a/src/constraints.rs +++ b/src/constraints.rs @@ -1,32 +1,33 @@ -use crate::{Parameters, Signature}; +use crate::{Parameters, PublicKey, Signature}; use ark_ec::{AffineCurve, ProjectiveCurve}; use ark_ed_on_bn254::{constraints::EdwardsVar, EdwardsParameters, FqParameters}; use ark_ff::{ fields::{Field, Fp256}, - to_bytes, ToConstraintField, + to_bytes, PrimeField, ToConstraintField, }; use ark_r1cs_std::{ alloc::{AllocVar, AllocationMode}, bits::uint8::UInt8, boolean::Boolean, - fields::fp::FpVar, + eq::EqGadget, + fields::{fp::FpVar, FieldVar}, groups::{curves::twisted_edwards::AffineVar, GroupOpsBounds}, prelude::CurveVar, ToBitsGadget, }; use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, Namespace, SynthesisError}; -use ark_std::ops::Mul; +use ark_std::ops::{Add, Mul}; use core::{borrow::Borrow, marker::PhantomData}; use derivative::Derivative; // hash +use arkworks_native_gadgets::poseidon as poseidon_native; use arkworks_r1cs_gadgets::poseidon; -use arkworks_r1cs_gadgets::poseidon::{FieldHasherGadget, PoseidonGadget}; +use arkworks_r1cs_gadgets::poseidon::{FieldHasherGadget, PoseidonGadget, PoseidonParametersVar}; -// type ConstraintF = <::BaseField as Field>::BasePrimeField; -type ConstraintF = ::ScalarField; // Fr +use crate::ConstraintF; #[derive(Derivative)] #[derivative( @@ -42,6 +43,25 @@ where _group: PhantomData<*const C>, } +impl AllocVar, ConstraintF> for PublicKeyVar +where + C: ProjectiveCurve, + GC: CurveVar>, + for<'a> &'a GC: GroupOpsBounds<'a, C, GC>, +{ + fn new_variable>>( + cs: impl Into>>, + f: impl FnOnce() -> Result, + mode: AllocationMode, + ) -> Result { + let pub_key = GC::new_variable(cs, f, mode)?; + Ok(Self { + pub_key, + _group: PhantomData, + }) + } +} + #[derive(Derivative)] #[derivative( Debug(bound = "C: ProjectiveCurve, GC: CurveVar>"), @@ -51,8 +71,6 @@ pub struct SignatureVar>> where for<'a> &'a GC: GroupOpsBounds<'a, C, GC>, { - // s: FpVar, - // s: C::ScalarField, s: Vec>>, r: GC, _curve: PhantomData, @@ -61,8 +79,7 @@ where impl AllocVar, ConstraintF> for SignatureVar where C: ProjectiveCurve, - // TODO not sure on '+ AllocVarar' - GC: CurveVar> + AllocVar>, + GC: CurveVar>, for<'a> &'a GC: GroupOpsBounds<'a, C, GC>, { fn new_variable>>( @@ -86,8 +103,8 @@ where let r = GC::new_variable(cs.clone(), || Ok(val.borrow().r), mode)?; Ok(Self { - s: s, // TODO not sure of FpVar::Constant - r: r, + s, + r, _curve: PhantomData, }) }) @@ -129,8 +146,7 @@ pub struct BlindSigVerifyGadget &'a GC: GroupOpsBounds<'a, C, GC>, { - params: Parameters, - // sig: Signature, + _params: Parameters, // TODO review if needed, maybe delete _gc: PhantomData, } @@ -143,8 +159,9 @@ where EdwardsParameters, FpVar>, >: From, - FpVar<::ScalarField>: Mul>>, - FpVar<::ScalarField>: From<::ScalarField>, + ::BaseField: PrimeField, + FpVar<::BaseField>: Mul>>, + FpVar<::BaseField>: From>>, { fn verify( parameters: &ParametersVar, @@ -152,32 +169,85 @@ where m: FpVar>, s: &SignatureVar, q: &PublicKeyVar, - ) -> Result>, SynthesisError> - where - ::ScalarField: Iterator, // WIP - ::ScalarField: From< - ::ScalarField> as Mul>>>::Output, - >, - { + ) -> Result>, SynthesisError> { let s_s = s.s.clone(); let sG = parameters .generator .scalar_mul_le(s_s.to_bits_le()?.iter())?; - // G * s == R + Q * (R.x * H(m)) // Note: in a circuit that aggregates multiple verifications, the hashing step could be // done outside the signature verification, once for all 1 votes and once for all 0 votes, // saving lots of constraints let hm = poseidon_hash.hash(&[m])?; let r = EdwardsVar::from(s.r.clone()); // WIP + let rx_fpvar: FpVar> = r.x.into(); - let rx_hm: ConstraintF = ConstraintF::::from(hm * r.x); - let rx_hm_fp: FpVar> = FpVar::>::from(rx_hm); - - let Q_rx_hm = q.pub_key.scalar_mul_le(rx_hm_fp.to_bits_le()?.iter())?; + // G * s == R + Q * (R.x * H(m)) + let Q_rx_hm_0 = q.pub_key.scalar_mul_le(rx_fpvar.to_bits_le()?.iter())?; + let Q_rx_hm = Q_rx_hm_0.scalar_mul_le(hm.to_bits_le()?.iter())?; let RHS = s.r.clone() + Q_rx_hm; sG.is_eq(&RHS) } } + +#[cfg(test)] +mod test { + use super::*; + use crate::{poseidon_setup_params, BlindSigScheme}; + use ark_ed_on_bn254::constraints::EdwardsVar as BabyJubJubVar; + use ark_ed_on_bn254::EdwardsProjective as BabyJubJub; + + use arkworks_native_gadgets::poseidon; + use arkworks_utils::Curve; + + use ark_relations::r1cs::ConstraintSystem; + + type Fq = ::BaseField; + // type Fr = ::ScalarField; + type S = BlindSigScheme; + + #[test] + fn test_verify() { + let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 3); + let poseidon_hash = poseidon::Poseidon::new(poseidon_params); + let mut rng = ark_std::test_rng(); + + // create signature using native-rust lib + let params = S::setup(); + let (pk, sk) = S::keygen(¶ms, &mut rng); + let (k, signer_r) = S::new_request_params(¶ms, &mut rng); + let m = Fq::from(1234); + let (m_blinded, u) = S::blind(¶ms, &mut rng, &poseidon_hash, m, signer_r).unwrap(); + let s_blinded = S::blind_sign(sk, k, m_blinded); + let s = S::unblind(s_blinded, u); + let verified = S::verify(¶ms, &poseidon_hash, m, s.clone(), pk); + assert!(verified); + + // use the constraint system to verify the signature + type SG = BlindSigVerifyGadget; + let cs = ConstraintSystem::::new_ref(); + + let params_var = + ParametersVar::::new_constant(cs.clone(), params).unwrap(); + let signature_var = + SignatureVar::::new_witness(cs.clone(), || Ok(&s)).unwrap(); + let pk_var = + PublicKeyVar::::new_witness(cs.clone(), || Ok(&pk)).unwrap(); + let m_var = FpVar::::new_witness(cs.clone(), || Ok(&m)).unwrap(); + let poseidon_hash_var = + PoseidonGadget::::from_native(&mut cs.clone(), poseidon_hash).unwrap(); + + let valid_sig = SG::verify( + ¶ms_var, + &poseidon_hash_var, + m_var, + &signature_var, + &pk_var, + ) + .unwrap(); + valid_sig.enforce_equal(&Boolean::::TRUE).unwrap(); + assert!(cs.is_satisfied().unwrap()); + } +} diff --git a/src/lib.rs b/src/lib.rs index eac07f2..c4b303b 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -30,7 +30,7 @@ use ark_ed_on_bn254::{ EdwardsAffine, EdwardsParameters, EdwardsProjective, FqParameters, Fr, FrParameters, }; -type ConstraintF = <::BaseField as Field>::BasePrimeField; +pub type ConstraintF = <::BaseField as Field>::BasePrimeField; pub type SecretKey = ::ScalarField; pub type PublicKey = ::Affine; pub type BlindedSignature = ::ScalarField; @@ -177,7 +177,7 @@ where { let sG = parameters.generator.mul(s.s.into_repr()); - // TODO hash(m) must be \in Fr + // TODO the output of hash(m) must be \in Fr let hm = poseidon_hash.hash(&[m]).unwrap(); // let hm_fr = C::ScalarField::from_repr(hm.into_repr()).unwrap(); let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm).unwrap()); // WIP TMP