diff --git a/src/schnorr_blind/mod.rs b/src/schnorr_blind/mod.rs index 8db30ea..b21c76c 100644 --- a/src/schnorr_blind/mod.rs +++ b/src/schnorr_blind/mod.rs @@ -1,8 +1,10 @@ #![allow(non_snake_case)] #![allow(clippy::many_single_char_names)] +use crate::BlindSignatureScheme; + // #[cfg(feature="r1cs")] -pub mod constraints; +// pub mod constraints; use ark_ec::{models::twisted_edwards_extended::GroupAffine, AffineCurve, ProjectiveCurve}; @@ -27,7 +29,9 @@ pub type SecretKey = ::ScalarField; pub type PublicKey = ::Affine; pub type BlindedSignature = ::ScalarField; -// #[derive(Derivative)] +#[derive(Clone, Debug)] +pub struct Msg(pub [ConstraintF; MSG_LEN]); + #[derive(Clone, Default, Debug)] pub struct Signature { s: C::ScalarField, // ScalarField == Fr @@ -54,77 +58,70 @@ impl UserSecretData { #[derivative(Clone(bound = "C: ProjectiveCurve"), Debug)] pub struct Parameters { pub generator: C::Affine, + pub poseidon_hash: poseidon::Poseidon>, + // pub poseidon_hash: Box>>, // WIP } -pub struct BlindSigScheme { +pub struct SchnorrBlindSig { _group: PhantomData, } -impl BlindSigScheme +impl BlindSignatureScheme for SchnorrBlindSig where C::ScalarField: PrimeField, GroupAffine: From<::Affine>, // WIP + ::ScalarField: From, + <::BaseField as Field>::BasePrimeField: From>, { - pub fn setup() -> Parameters { + type Parameters = Parameters; + type Fq = C::BaseField; + type Fr = C::ScalarField; + type ConstraintF = ConstraintF; // WIP merge it with Fq + type PointAffine = C::Affine; + type SecretKey = SecretKey; + type PublicKey = PublicKey; + // type Msg = Msg; + type BlindedSignature = BlindedSignature; + type Signature = Signature; + type UserSecretData = UserSecretData; + + fn setup(poseidon_hash: &poseidon::Poseidon>) -> Self::Parameters { let generator = C::prime_subgroup_generator().into(); - Parameters { generator } + Parameters { + generator, + poseidon_hash: poseidon_hash.clone(), // WIP + } } // signer - pub fn keygen(parameters: &Parameters, rng: &mut R) -> (PublicKey, SecretKey) { + fn keygen( + parameters: &Self::Parameters, + rng: &mut R, + ) -> (Self::PublicKey, Self::SecretKey) { let secret_key = C::ScalarField::rand(rng); let public_key = parameters.generator.mul(secret_key).into(); (public_key, secret_key) } - pub fn new_request_params( - parameters: &Parameters, + fn new_request_params( + parameters: &Self::Parameters, rng: &mut R, - ) -> (C::ScalarField, C::Affine) { + ) -> (Self::Fr, Self::PointAffine) { let r = C::ScalarField::rand(rng); let R_ = parameters.generator.mul(r).into(); (r, R_) } - pub fn blind_sign( - sk: SecretKey, - r: C::ScalarField, - m_blinded: C::ScalarField, - ) -> BlindedSignature { + fn blind_sign(sk: SecretKey, r: Self::Fr, m_blinded: Self::Fr) -> Self::BlindedSignature { r + m_blinded * sk } - // new_k_and_R returns a new k \in Fr, and R=k * G, such that R.x \in Fr - fn new_k_and_R(parameters: &Parameters, rng: &mut R) -> (C::ScalarField, C::Affine) - where - ::ScalarField: From, - { - // TODO, for schorr, the H(R, m) needs to be \in Fr, not R.x - let k = C::ScalarField::rand(rng); - - let R: C::Affine = parameters.generator.mul(k.into_repr()).into(); - let r = EdwardsAffine::from(R); // WIP - - let one = BigInteger256::from(1u64); - let x_repr = r.x.into_repr(); - let modulus = <::Params as FpParameters>::MODULUS; - let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); - - if !(x_repr >= one && x_repr < modulus_repr) { - // TODO maybe add a counter of attempts with a limit - return Self::new_k_and_R(parameters, rng); - } - - (k, R) - } - // non_blind_sign performs a non-blind signature, which can be verified with the same check // than a blind-signature - pub fn non_blind_sign( - parameters: &Parameters, + fn non_blind_sign( + parameters: &Self::Parameters, rng: &mut R, - poseidon_hash: &poseidon::Poseidon>, - sk: SecretKey, + sk: Self::SecretKey, m: &[ConstraintF], ) -> Result, ark_crypto_primitives::Error> where @@ -134,55 +131,22 @@ where let (r, R) = Self::new_k_and_R(parameters, rng); let R_ed = EdwardsAffine::from(R); // WIP - let hm = poseidon_hash.hash(m)?; + let hm = parameters.poseidon_hash.hash(m)?; let to_hash: [ConstraintF; 3] = [R_ed.x.into(), R_ed.y.into(), hm]; - let h = poseidon_hash.hash(&to_hash)?; + let h = parameters.poseidon_hash.hash(&to_hash)?; let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP let s = r + h_fr * sk; Ok(Signature { s, r: R }) } - // requester - pub fn new_blind_params( - parameters: &Parameters, + fn blind( + parameters: &Self::Parameters, rng: &mut R, - signer_pk: PublicKey, - signer_r: C::Affine, - ) -> UserSecretData - where - ::ScalarField: From, - { - let mut u: UserSecretData = UserSecretData::new_empty(parameters); - u.alpha = C::ScalarField::rand(rng); - u.beta = C::ScalarField::rand(rng); - - // R = R' + alpha * G + beta * X - let alphaG = parameters.generator.mul(u.alpha.into_repr()); - let betaPk = signer_pk.mul(u.beta.into_repr()); - u.R = signer_r + alphaG.into_affine() + betaPk.into_affine(); - - let R = EdwardsAffine::from(u.R); // WIP - let one = BigInteger256::from(1u64); - let x_repr = R.x.into_repr(); - let modulus = <::Params as FpParameters>::MODULUS; - let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); - - if !(x_repr >= one && x_repr < modulus_repr) { - // TODO maybe add a counter of attempts with a limit - return Self::new_blind_params(parameters, rng, signer_pk, signer_r); - } - u - } - - pub fn blind( - parameters: &Parameters, - rng: &mut R, - poseidon_hash: &poseidon::Poseidon>, - m: &[ConstraintF], - signer_pk: PublicKey, - signer_r: C::Affine, - ) -> Result<(C::ScalarField, UserSecretData), ark_crypto_primitives::Error> + m: &[Self::ConstraintF], + signer_pk: Self::PublicKey, + signer_r: Self::PointAffine, + ) -> Result<(Self::Fr, Self::UserSecretData), ark_crypto_primitives::Error> where ::ScalarField: From, <::BaseField as Field>::BasePrimeField: From>, @@ -195,27 +159,26 @@ where // m' = H(R, m) + beta // TODO hash(R, m) must be \in Fr - let hm_0 = poseidon_hash.hash(m)?; + let hm_0 = parameters.poseidon_hash.hash(m)?; let to_hash: [ConstraintF; 3] = [r.x.into(), r.y.into(), hm_0]; - let h = poseidon_hash.hash(&to_hash)?; + let h = parameters.poseidon_hash.hash(&to_hash)?; let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP let m_blinded = h_fr + u.beta; Ok((m_blinded, u)) } - pub fn unblind(s_blinded: C::ScalarField, u: &UserSecretData) -> Signature { + fn unblind(s_blinded: Self::Fr, u: &Self::UserSecretData) -> Self::Signature { // s = s' + alpha let s = s_blinded + u.alpha; Signature { s, r: u.R } } - pub fn verify( - parameters: &Parameters, - poseidon_hash: &poseidon::Poseidon>, - m: &[ConstraintF], - s: Signature, - q: PublicKey, + fn verify( + parameters: &Self::Parameters, + m: &[Self::ConstraintF], + s: Self::Signature, + q: Self::PublicKey, ) -> bool where ::ScalarField: From, @@ -223,12 +186,12 @@ where { let sG = parameters.generator.mul(s.s.into_repr()); - let r = EdwardsAffine::from(s.r); // WIP + let r = EdwardsAffine::from(s.r); // WIP: let r = s.r.into_affine(); // TODO the output of hash(R, m) must be \in Fr - let hm_0 = poseidon_hash.hash(m).unwrap(); + let hm_0 = parameters.poseidon_hash.hash(m).unwrap(); let to_hash: [ConstraintF; 3] = [r.x.into(), r.y.into(), hm_0]; - let h = poseidon_hash.hash(&to_hash).unwrap(); + let h = parameters.poseidon_hash.hash(&to_hash).unwrap(); let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h).unwrap()); // WIP TMP // TODO the output of hash(R, m) must be \in Fr @@ -245,6 +208,68 @@ where } } +impl SchnorrBlindSig +where + C::ScalarField: PrimeField, + GroupAffine: From<::Affine>, // WIP +{ + // new_k_and_R returns a new k \in Fr, and R=k * G, such that R.x \in Fr + fn new_k_and_R(parameters: &Parameters, rng: &mut R) -> (C::ScalarField, C::Affine) + where + ::ScalarField: From, + { + // TODO, for Schnorr, the H(R, m) needs to be \in Fr, not R.x + let k = C::ScalarField::rand(rng); + + let R: C::Affine = parameters.generator.mul(k.into_repr()).into(); + let r = EdwardsAffine::from(R); // WIP + + let one = BigInteger256::from(1u64); + let x_repr = r.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + + if !(x_repr >= one && x_repr < modulus_repr) { + // TODO maybe add a counter of attempts with a limit + return Self::new_k_and_R(parameters, rng); + } + + (k, R) + } + + // requester + fn new_blind_params( + parameters: &Parameters, + rng: &mut R, + signer_pk: PublicKey, + signer_r: C::Affine, + ) -> UserSecretData + where + ::ScalarField: From, + { + let mut u: UserSecretData = UserSecretData::new_empty(parameters); + u.alpha = C::ScalarField::rand(rng); + u.beta = C::ScalarField::rand(rng); + + // R = R' + alpha * G + beta * X + let alphaG = parameters.generator.mul(u.alpha.into_repr()); + let betaPk = signer_pk.mul(u.beta.into_repr()); + u.R = signer_r + alphaG.into_affine() + betaPk.into_affine(); + + let R = EdwardsAffine::from(u.R); // WIP + let one = BigInteger256::from(1u64); + let x_repr = R.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + + if !(x_repr >= one && x_repr < modulus_repr) { + // TODO maybe add a counter of attempts with a limit + return Self::new_blind_params(parameters, rng, signer_pk, signer_r); + } + u + } +} + // poseidon pub fn poseidon_setup_params( curve: Curve, @@ -275,46 +300,46 @@ mod tests { #[test] fn test_blind_signature_flow_native() { - type S = BlindSigScheme; + type S = SchnorrBlindSig; let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); let poseidon_hash = poseidon::Poseidon::new(poseidon_params); let mut rng = ark_std::test_rng(); - let params = S::setup(); + let params = S::setup(&poseidon_hash); let (pk, sk) = S::keygen(¶ms, &mut rng); - let (r, signer_r) = S::new_request_params(¶ms, &mut rng); + let (r, signer_R) = S::new_request_params(¶ms, &mut rng); let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; - let (m_blinded, u) = S::blind(¶ms, &mut rng, &poseidon_hash, &m, pk, signer_r).unwrap(); + let (m_blinded, u) = S::blind(¶ms, &mut rng, &m, pk, signer_R).unwrap(); let s_blinded = S::blind_sign(sk, r, m_blinded); let s = S::unblind(s_blinded, &u); - let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); + let verified = S::verify(¶ms, &m, s, pk); assert!(verified); } #[test] fn test_non_blind_signature() { - type S = BlindSigScheme; + type S = SchnorrBlindSig; let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); let poseidon_hash = poseidon::Poseidon::new(poseidon_params); let mut rng = ark_std::test_rng(); - let params = S::setup(); + let params = S::setup(&poseidon_hash); let (pk, sk) = S::keygen(¶ms, &mut rng); let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; - let s = S::non_blind_sign(¶ms, &mut rng, &poseidon_hash, sk, &m).unwrap(); + let s = S::non_blind_sign(¶ms, &mut rng, sk, &m).unwrap(); // verify using the same verification method used for blind-signatures - let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); + let verified = S::verify(¶ms, &m, s, pk); assert!(verified); } }