arnaucube/ark-ec-blind-signatures
1
1
Fork 0
mirror of https://github.com/arnaucube/ark-ec-blind-signatures.git synced 2026-01-12 00:21:29 +01:00
Code Issues Projects Releases Wiki Activity

Abstract types to use arkworks generics

Browse Source
This commit is contained in:
arnaucube
2022-10-10 12:20:25 +02:00
parent 13319d8483
commit c7c37cc128
3 changed files with 200 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Cargo.toml
View File

@@ -2,8 +2,7 @@
name = "ark-ec-blind-signatures" name = "ark-ec-blind-signatures"
version = "0.0.1" version = "0.0.1"
edition = "2021" edition = "2021"
repository = "https://github.com/aragonzkresearch/ark-ec-blind-signatures"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies] [dependencies]
ark-ff = { version = "^0.3.0", default-features = false } ark-ff = { version = "^0.3.0", default-features = false }
@@ -17,10 +16,11 @@ ark-crypto-primitives = { version = "^0.3.0", default-features = true, features
# ark-sponge = { git = "https://github.com/arkworks-rs/sponge.git", rev = "41843d179dc4655869955297833d096d1962120f", default-features=true, features=["r1cs"] } # ark-sponge = { git = "https://github.com/arkworks-rs/sponge.git", rev = "41843d179dc4655869955297833d096d1962120f", default-features=true, features=["r1cs"] }
arkworks-utils = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-utils", features=["poseidon_bn254_x5_3"] } arkworks-utils = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-utils", features=["poseidon_bn254_x5_3"] }
arkworks-native-gadgets = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-native-gadgets"} arkworks-native-gadgets = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-native-gadgets"}
arkworks-r1cs-gadgets = { git = "https://github.com/webb-tools/arkworks-gadgets", name="arkworks-r1cs-gadgets"}
ark-relations = { version = "^0.3.0", default-features = false } ark-relations = { version = "^0.3.0", default-features = false }
ark-snark = { version = "^0.3.0", default-features = false } ark-snark = { version = "^0.3.0", default-features = false }
ark-groth16 = { version = "^0.3.0" } ark-groth16 = { version = "^0.3.0" }
tracing = { version = "0.1", default-features = false, features = [ "attributes" ] } tracing = { version = "0.1", default-features = false, features = [ "attributes" ] }
tracing-subscriber = { version = "0.2" } tracing-subscriber = { version = "0.2" }
lazy_static = "1.4.0" lazy_static = "1.4.0"
rand = "0.8.4" derivative = { version = "2.0", features = ["use_core"] }

4
README.md
View File

@@ -1,9 +1,9 @@
# ark-ec-blind-signatures # ark-ec-blind-signatures
Blind signatures over elliptic curve implementation (native & r1cs gadgets) using arkworks. Blind signatures over elliptic curve implementation (native & r1cs gadgets) using arkworks.
Blind signature over elliptic curves, based on *"[New Blind Signature Schemes Based on the (Elliptic Curve) Discrete Logarithm Problem](https://sci-hub.st/10.1109/iccke.2013.6682844)"* paper by Hamid Mala & Nafiseh Nezhadansari. [Blind signature](https://en.wikipedia.org/wiki/Blind_signature) over elliptic curves, based on *"[New Blind Signature Schemes Based on the (Elliptic Curve) Discrete Logarithm Problem](https://sci-hub.st/10.1109/iccke.2013.6682844)"* paper by Hamid Mala & Nafiseh Nezhadansari.
> Warning: experimental code, do not use in production. > Warning: experimental code, do not use in production.
Target: Groth16 over Bn254 (for Ethereum), so the curve used for the blind signatures is ed-on-bn254 ([BabyJubJub](https://github.com/barryWhiteHat/baby_jubjub)). Target: Groth16 over Bn254 (for Ethereum), ed-on-bn254 ([BabyJubJub](https://github.com/barryWhiteHat/baby_jubjub)) for the signatures.

332
src/lib.rs
View File

@@ -1,18 +1,22 @@
#[allow(non_snake_case)] #![allow(non_snake_case)]
#[allow(clippy::many_single_char_names)] #![allow(clippy::many_single_char_names)]
// pub type ConstraintF = ark_bn254::Fr; // #[cfg(feature="r1cs")]
// pub type ConstraintF = ark_ed_on_bn254::Fq; // base field pub mod constraints;
pub type ConstraintF = ark_ed_on_bn254::Fr; // scalar field
use ark_ec::{AffineCurve, ProjectiveCurve, TEModelParameters}; use ark_ec::{
use ark_ed_on_bn254::{EdwardsAffine, EdwardsParameters, EdwardsProjective, FqParameters, Fr}; models::twisted_edwards_extended::GroupAffine, AffineCurve, ProjectiveCurve, TEModelParameters,
use ark_ff::{
to_bytes, BigInteger, BigInteger256, Field, Fp256, FpParameters, One, PrimeField, Zero,
}; };
use ark_ff::{
to_bytes, BigInteger, BigInteger256, Field, Fp256, FpParameters, FromBytes, One, PrimeField,
Zero,
};
use ark_std::marker::PhantomData;
use ark_std::rand::{CryptoRng, RngCore}; use ark_std::rand::{CryptoRng, RngCore};
use ark_std::UniformRand; use ark_std::{ops::Mul, rand::Rng, UniformRand};
use derivative::Derivative;
// hash // hash
use arkworks_native_gadgets::poseidon; use arkworks_native_gadgets::poseidon;
@@ -21,24 +25,174 @@ use arkworks_utils::{
bytes_matrix_to_f, bytes_vec_to_f, parse_vec, poseidon_params::setup_poseidon_params, Curve, bytes_matrix_to_f, bytes_vec_to_f, parse_vec, poseidon_params::setup_poseidon_params, Curve,
}; };
const GX: Fp256<FqParameters> = <EdwardsParameters as TEModelParameters>::AFFINE_GENERATOR_COEFFS.0; // WIP
const GY: Fp256<FqParameters> = <EdwardsParameters as TEModelParameters>::AFFINE_GENERATOR_COEFFS.1; use ark_ed_on_bn254::{
EdwardsAffine, EdwardsParameters, EdwardsProjective, FqParameters, Fr, FrParameters,
};
#[macro_use] pub type SecretKey<C> = <C as ProjectiveCurve>::ScalarField;
extern crate lazy_static; pub type PublicKey<C> = <C as ProjectiveCurve>::Affine;
pub type BlindedSignature<C> = <C as ProjectiveCurve>::ScalarField;
lazy_static! { // #[derive(Derivative)]
static ref G_AFFINE: EdwardsAffine = EdwardsAffine::new(GX, GY); #[derive(Clone, Default, Debug)]
static ref G: EdwardsProjective = G_AFFINE.into_projective(); pub struct Signature<C: ProjectiveCurve> {
s: C::ScalarField, // ScalarField == Fr
r: <C as ProjectiveCurve>::Affine,
} }
// Fr modulus (bigendian) #[derive(Debug)]
const FR_MODULUS: BigInteger256 = BigInteger256::new([ pub struct UserSecretData<C: ProjectiveCurve> {
0x677297DC392126F1, a: C::ScalarField,
0xAB3EEDB83920EE0A, b: C::ScalarField,
0x370A08B6D0302B0B, r: C::Affine,
0x060C89CE5C263405, }
]); impl<C: ProjectiveCurve> UserSecretData<C> {
fn new_empty(parameters: &Parameters<C>) -> Self {
UserSecretData {
a: C::ScalarField::from(0 as u32),
b: C::ScalarField::from(0 as u32),
r: parameters.generator, // WIP
}
}
}
#[derive(Derivative)]
#[derivative(Clone(bound = "C: ProjectiveCurve"), Debug)]
pub struct Parameters<C: ProjectiveCurve> {
pub generator: C::Affine,
}
pub struct BlindSigScheme<C: ProjectiveCurve> {
_group: PhantomData<C>,
}
impl<C: ProjectiveCurve> BlindSigScheme<C>
where
C::ScalarField: PrimeField,
GroupAffine<EdwardsParameters>: From<<C as ProjectiveCurve>::Affine>, // WIP
{
pub fn setup() -> Parameters<C> {
let generator = C::prime_subgroup_generator().into();
Parameters { generator }
}
// signer
pub fn keygen<R: Rng>(parameters: &Parameters<C>, rng: &mut R) -> (PublicKey<C>, SecretKey<C>) {
let secret_key = C::ScalarField::rand(rng);
let public_key = parameters.generator.mul(secret_key).into();
(public_key, secret_key)
}
pub fn new_request_params<R: Rng>(
parameters: &Parameters<C>,
rng: &mut R,
) -> (C::ScalarField, C::Affine) {
let k = C::ScalarField::rand(rng);
let R = parameters.generator.mul(k).into();
(k, R)
}
pub fn blind_sign(
sk: SecretKey<C>,
k: C::ScalarField,
m_blinded: C::ScalarField,
) -> BlindedSignature<C> {
sk * m_blinded + k
}
// requester
pub fn new_blind_params<R: Rng>(
parameters: &Parameters<C>,
rng: &mut R,
signer_r: C::Affine,
) -> UserSecretData<C>
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
{
let mut u: UserSecretData<C> = UserSecretData::new_empty(parameters);
u.a = C::ScalarField::rand(rng);
u.b = C::ScalarField::rand(rng);
// R = aR' + bG
let aR = signer_r.mul(u.a.into_repr());
let bG = parameters.generator.mul(u.b.into_repr());
u.r = aR.into_affine() + bG.into_affine();
let r = EdwardsAffine::from(u.r); // WIP
let one = BigInteger256::from(1u64);
let x_repr = r.x.into_repr();
let modulus = <<C::ScalarField as PrimeField>::Params as FpParameters>::MODULUS;
let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap();
if !(x_repr >= one && x_repr < modulus_repr) {
return Self::new_blind_params(parameters, rng, signer_r);
}
u
}
pub fn blind<R: Rng>(
parameters: &Parameters<C>,
rng: &mut R,
poseidon_hash: &poseidon::Poseidon<C::ScalarField>,
m: C::ScalarField,
signer_r: C::Affine,
) -> Result<(C::ScalarField, UserSecretData<C>), ark_crypto_primitives::Error>
where
<C as ProjectiveCurve>::ScalarField: Mul<Fp256<FrParameters>>,
<C as ProjectiveCurve>::ScalarField:
From<<<C as ProjectiveCurve>::ScalarField as Mul<Fp256<FrParameters>>>::Output>,
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
{
let u = Self::new_blind_params(parameters, rng, signer_r);
// get X coordinate, as in new_blind_params we already checked that R.x is inside Fr and
// will not give None
let r = EdwardsAffine::from(u.r); // WIP
let x_fr = C::ScalarField::from(r.x.into_repr());
// m' = a^-1 rx h(m)
let h_m = poseidon_hash.hash(&[m])?;
let m_blinded = C::ScalarField::from(u.a.inverse().unwrap() * x_fr) * h_m;
Ok((m_blinded, u))
}
pub fn unblind(s_blinded: C::ScalarField, u: UserSecretData<C>) -> Signature<C> {
// s = a s' + b
let s = u.a * s_blinded + u.b;
Signature { s, r: u.r }
}
pub fn verify(
parameters: &Parameters<C>,
poseidon_hash: &poseidon::Poseidon<C::ScalarField>,
m: C::ScalarField,
s: Signature<C>,
q: PublicKey<C>,
) -> bool
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
{
let sG = parameters.generator.mul(s.s.into_repr());
let h_m = poseidon_hash.hash(&[m]).unwrap();
// check that s.R.x is in Fr
let r = EdwardsAffine::from(s.r); // WIP
let one = BigInteger256::from(1u64);
let x_repr = r.x.into_repr();
let modulus = <<C::ScalarField as PrimeField>::Params as FpParameters>::MODULUS;
let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap();
if !(x_repr >= one && x_repr < modulus_repr) {
return false;
}
// get s.R.x
let x_fr = C::ScalarField::from(r.x.into_repr());
let right = s.r + q.mul((x_fr * h_m).into_repr()).into_affine();
sG.into_affine() == right
}
}
// poseidon // poseidon
pub fn poseidon_setup_params<F: PrimeField>( pub fn poseidon_setup_params<F: PrimeField>(
@@ -61,115 +215,10 @@ pub fn poseidon_setup_params<F: PrimeField>(
} }
} }
pub struct PrivateKey(ConstraintF);
pub type PublicKey = EdwardsAffine;
pub type BlindedSignature = ConstraintF;
pub struct Signature {
s: ConstraintF,
r: EdwardsAffine,
}
#[derive(Debug)]
pub struct UserSecretData {
a: ConstraintF,
b: ConstraintF,
r: EdwardsAffine,
}
impl UserSecretData {
fn new_empty() -> Self {
UserSecretData {
a: ConstraintF::from(0),
b: ConstraintF::from(0),
r: G_AFFINE.clone(), // WIP
}
}
}
pub fn new_sk<R: RngCore>(rng: &mut R) -> PrivateKey {
let sk: PrivateKey = PrivateKey(ConstraintF::rand(rng));
sk
}
impl PrivateKey {
pub fn public(&self) -> PublicKey {
let pk: PublicKey = G.mul(self.0.into_repr()).into_affine();
pk
}
pub fn blind_sign(&self, m_blinded: ConstraintF, k: ConstraintF) -> BlindedSignature {
self.0 * m_blinded + k
}
}
pub fn new_request_params<R: RngCore>(rng: &mut R) -> (ConstraintF, EdwardsAffine) {
let k = ConstraintF::rand(rng);
let R = G.mul(k.into_repr()).into_affine();
(k, R)
}
fn new_blind_params<R: RngCore>(rng: &mut R, signer_r: EdwardsAffine) -> UserSecretData {
let mut u: UserSecretData = UserSecretData::new_empty();
u.a = ConstraintF::rand(rng);
u.b = ConstraintF::rand(rng);
// R = aR' + bG
let aR = signer_r.mul(u.a.into_repr());
let bG = G.mul(u.b.into_repr());
u.r = aR.into_affine() + bG.into_affine();
// check that u.r.x can be safely converted into Fr, and if not, choose other u.a & u.b values
let x_repr = u.r.x.into_repr();
if !(x_repr >= ConstraintF::one().into_repr() && x_repr < FR_MODULUS) {
return new_blind_params(rng, signer_r);
}
return u;
}
pub fn blind<R: RngCore>(
rng: &mut R,
poseidon_hash: &poseidon::Poseidon<ConstraintF>,
m: ConstraintF,
signer_r: EdwardsAffine,
) -> Result<(ConstraintF, UserSecretData), ark_crypto_primitives::Error> {
let u = new_blind_params(rng, signer_r);
// use unwrap, as we already checked that R.x is inside Fr and will not give None
let x_fr = ConstraintF::from_repr(u.r.x.into_repr()).unwrap();
// m' = a^-1 rx h(m)
let h_m = poseidon_hash.hash(&[m])?;
let m_blinded = u.a.inverse().unwrap() * x_fr * h_m;
Ok((m_blinded, u))
}
pub fn unblind(s_blinded: ConstraintF, u: UserSecretData) -> Signature {
// s = a s' + b
let s = u.a * s_blinded + u.b;
Signature { s, r: u.r }
}
pub fn verify(
poseidon_hash: &poseidon::Poseidon<ConstraintF>,
m: ConstraintF,
s: Signature,
q: PublicKey,
) -> bool {
let sG = G.mul(s.s.into_repr());
let h_m = poseidon_hash.hash(&[m]).unwrap();
let x_repr = s.r.x.into_repr();
if !(x_repr >= ConstraintF::one().into_repr() && x_repr < FR_MODULUS) {
return false; // error, s.r.x does not fit in Fr
}
let x_fr = ConstraintF::from_repr(s.r.x.into_repr()).unwrap();
let right = s.r + q.mul((x_fr * h_m).into_repr()).into_affine();
sG.into_affine() == right
}
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
pub type ConstraintF = ark_ed_on_bn254::Fr; // scalar field
#[test] #[test]
fn test_blind() { fn test_blind() {
@@ -178,19 +227,28 @@ mod tests {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
let sk = new_sk(&mut rng); let params = BlindSigScheme::<EdwardsProjective>::setup();
let pk = sk.public(); let (pk, sk) = BlindSigScheme::<EdwardsProjective>::keygen(&params, &mut rng);
let (k, signer_r) = new_request_params(&mut rng); let (k, signer_r) =
BlindSigScheme::<EdwardsProjective>::new_request_params(&params, &mut rng);
let m = ConstraintF::from(1234); let m = ConstraintF::from(1234);
let (m_blinded, u) = blind(&mut rng, &poseidon_hash, m, signer_r).unwrap(); let (m_blinded, u) = BlindSigScheme::<EdwardsProjective>::blind(
&params,
&mut rng,
&poseidon_hash,
m,
signer_r,
)
.unwrap();
let s_blinded = sk.blind_sign(m_blinded, k); let s_blinded = BlindSigScheme::<EdwardsProjective>::blind_sign(sk, k, m_blinded);
let s = unblind(s_blinded, u); let s = BlindSigScheme::<EdwardsProjective>::unblind(s_blinded, u);
let verified = verify(&poseidon_hash, m, s, pk); let verified =
BlindSigScheme::<EdwardsProjective>::verify(&params, &poseidon_hash, m, s, pk);
assert!(verified); assert!(verified);
} }
} }