arnaucube/ark-ec-blind-signatures
1
1
Fork 0
mirror of https://github.com/arnaucube/ark-ec-blind-signatures.git synced 2026-01-12 00:21:29 +01:00
Code Issues Projects Releases Wiki Activity

Adapt schnorr_blind/mod.rs to new BlindSignatureScheme trait

Browse Source
This commit is contained in:
arnaucube
2023-01-04 11:13:01 +01:00
parent cf682c2d95
commit efb1a304f4
1 changed files with 145 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

265
src/schnorr_blind/mod.rs
View File

@@ -1,8 +1,10 @@
#![allow(non_snake_case)]
#![allow(clippy::many_single_char_names)]
use crate::BlindSignatureScheme;
// #[cfg(feature="r1cs")]
pub mod constraints;
// pub mod constraints;
use ark_ec::{models::twisted_edwards_extended::GroupAffine, AffineCurve, ProjectiveCurve};
@@ -27,7 +29,9 @@ pub type SecretKey<C> = <C as ProjectiveCurve>::ScalarField;
pub type PublicKey<C> = <C as ProjectiveCurve>::Affine;
pub type BlindedSignature<C> = <C as ProjectiveCurve>::ScalarField;
// #[derive(Derivative)]
#[derive(Clone, Debug)]
pub struct Msg<const MSG_LEN: usize, C: ProjectiveCurve>(pub [ConstraintF<C>; MSG_LEN]);
#[derive(Clone, Default, Debug)]
pub struct Signature<C: ProjectiveCurve> {
s: C::ScalarField, // ScalarField == Fr
@@ -54,52 +58,167 @@ impl<C: ProjectiveCurve> UserSecretData<C> {
#[derivative(Clone(bound = "C: ProjectiveCurve"), Debug)]
pub struct Parameters<C: ProjectiveCurve> {
pub generator: C::Affine,
pub poseidon_hash: poseidon::Poseidon<ConstraintF<C>>,
// pub poseidon_hash: Box<dyn FieldHasher<ConstraintF<C>>>, // WIP
}
pub struct BlindSigScheme<C: ProjectiveCurve> {
pub struct SchnorrBlindSig<C: ProjectiveCurve> {
_group: PhantomData<C>,
}
impl<C: ProjectiveCurve> BlindSigScheme<C>
impl<C: ProjectiveCurve> BlindSignatureScheme for SchnorrBlindSig<C>
where
C::ScalarField: PrimeField,
GroupAffine<EdwardsParameters>: From<<C as ProjectiveCurve>::Affine>, // WIP
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
pub fn setup() -> Parameters<C> {
type Parameters = Parameters<C>;
type Fq = C::BaseField;
type Fr = C::ScalarField;
type ConstraintF = ConstraintF<C>; // WIP merge it with Fq
type PointAffine = C::Affine;
type SecretKey = SecretKey<C>;
type PublicKey = PublicKey<C>;
// type Msg = Msg<MSG_LEN, C>;
type BlindedSignature = BlindedSignature<C>;
type Signature = Signature<C>;
type UserSecretData = UserSecretData<C>;
fn setup(poseidon_hash: &poseidon::Poseidon<ConstraintF<C>>) -> Self::Parameters {
let generator = C::prime_subgroup_generator().into();
Parameters { generator }
Parameters {
generator,
poseidon_hash: poseidon_hash.clone(), // WIP
}
}
// signer
pub fn keygen<R: Rng>(parameters: &Parameters<C>, rng: &mut R) -> (PublicKey<C>, SecretKey<C>) {
fn keygen<R: Rng>(
parameters: &Self::Parameters,
rng: &mut R,
) -> (Self::PublicKey, Self::SecretKey) {
let secret_key = C::ScalarField::rand(rng);
let public_key = parameters.generator.mul(secret_key).into();
(public_key, secret_key)
}
pub fn new_request_params<R: Rng>(
parameters: &Parameters<C>,
fn new_request_params<R: Rng>(
parameters: &Self::Parameters,
rng: &mut R,
) -> (C::ScalarField, C::Affine) {
) -> (Self::Fr, Self::PointAffine) {
let r = C::ScalarField::rand(rng);
let R_ = parameters.generator.mul(r).into();
(r, R_)
}
pub fn blind_sign(
sk: SecretKey<C>,
r: C::ScalarField,
m_blinded: C::ScalarField,
) -> BlindedSignature<C> {
fn blind_sign(sk: SecretKey<C>, r: Self::Fr, m_blinded: Self::Fr) -> Self::BlindedSignature {
r + m_blinded * sk
}
// non_blind_sign performs a non-blind signature, which can be verified with the same check
// than a blind-signature
fn non_blind_sign<R: Rng>(
parameters: &Self::Parameters,
rng: &mut R,
sk: Self::SecretKey,
m: &[ConstraintF<C>],
) -> Result<Signature<C>, ark_crypto_primitives::Error>
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
let (r, R) = Self::new_k_and_R(parameters, rng);
let R_ed = EdwardsAffine::from(R); // WIP
let hm = parameters.poseidon_hash.hash(m)?;
let to_hash: [ConstraintF<C>; 3] = [R_ed.x.into(), R_ed.y.into(), hm];
let h = parameters.poseidon_hash.hash(&to_hash)?;
let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP
let s = r + h_fr * sk;
Ok(Signature { s, r: R })
}
fn blind<R: Rng>(
parameters: &Self::Parameters,
rng: &mut R,
m: &[Self::ConstraintF],
signer_pk: Self::PublicKey,
signer_r: Self::PointAffine,
) -> Result<(Self::Fr, Self::UserSecretData), ark_crypto_primitives::Error>
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
let u = Self::new_blind_params(parameters, rng, signer_pk, signer_r);
// get X coordinate, as in new_blind_params we already checked that R.x is inside Fr and
// will not overflow (giving None)
let r = EdwardsAffine::from(u.R); // WIP
// m' = H(R, m) + beta
// TODO hash(R, m) must be \in Fr
let hm_0 = parameters.poseidon_hash.hash(m)?;
let to_hash: [ConstraintF<C>; 3] = [r.x.into(), r.y.into(), hm_0];
let h = parameters.poseidon_hash.hash(&to_hash)?;
let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP
let m_blinded = h_fr + u.beta;
Ok((m_blinded, u))
}
fn unblind(s_blinded: Self::Fr, u: &Self::UserSecretData) -> Self::Signature {
// s = s' + alpha
let s = s_blinded + u.alpha;
Signature { s, r: u.R }
}
fn verify(
parameters: &Self::Parameters,
m: &[Self::ConstraintF],
s: Self::Signature,
q: Self::PublicKey,
) -> bool
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
let sG = parameters.generator.mul(s.s.into_repr());
let r = EdwardsAffine::from(s.r); // WIP: let r = s.r.into_affine();
// TODO the output of hash(R, m) must be \in Fr
let hm_0 = parameters.poseidon_hash.hash(m).unwrap();
let to_hash: [ConstraintF<C>; 3] = [r.x.into(), r.y.into(), hm_0];
let h = parameters.poseidon_hash.hash(&to_hash).unwrap();
let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h).unwrap()); // WIP TMP
// TODO the output of hash(R, m) must be \in Fr
let one = BigInteger256::from(1u64);
let x_repr = r.x.into_repr();
let modulus = <<C::ScalarField as PrimeField>::Params as FpParameters>::MODULUS;
let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap();
if !(x_repr >= one && x_repr < modulus_repr) {
return false;
}
let right = s.r + q.mul(h_fr.into_repr()).into_affine();
sG.into_affine() == right
}
}
impl<C: ProjectiveCurve> SchnorrBlindSig<C>
where
C::ScalarField: PrimeField,
GroupAffine<EdwardsParameters>: From<<C as ProjectiveCurve>::Affine>, // WIP
{
// new_k_and_R returns a new k \in Fr, and R=k * G, such that R.x \in Fr
fn new_k_and_R<R: Rng>(parameters: &Parameters<C>, rng: &mut R) -> (C::ScalarField, C::Affine)
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
{
// TODO, for schorr, the H(R, m) needs to be \in Fr, not R.x
// TODO, for Schnorr, the H(R, m) needs to be \in Fr, not R.x
let k = C::ScalarField::rand(rng);
let R: C::Affine = parameters.generator.mul(k.into_repr()).into();
@@ -118,33 +237,8 @@ where
(k, R)
}
// non_blind_sign performs a non-blind signature, which can be verified with the same check
// than a blind-signature
pub fn non_blind_sign<R: Rng>(
parameters: &Parameters<C>,
rng: &mut R,
poseidon_hash: &poseidon::Poseidon<ConstraintF<C>>,
sk: SecretKey<C>,
m: &[ConstraintF<C>],
) -> Result<Signature<C>, ark_crypto_primitives::Error>
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
let (r, R) = Self::new_k_and_R(parameters, rng);
let R_ed = EdwardsAffine::from(R); // WIP
let hm = poseidon_hash.hash(m)?;
let to_hash: [ConstraintF<C>; 3] = [R_ed.x.into(), R_ed.y.into(), hm];
let h = poseidon_hash.hash(&to_hash)?;
let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP
let s = r + h_fr * sk;
Ok(Signature { s, r: R })
}
// requester
pub fn new_blind_params<R: Rng>(
fn new_blind_params<R: Rng>(
parameters: &Parameters<C>,
rng: &mut R,
signer_pk: PublicKey<C>,
@@ -174,75 +268,6 @@ where
}
u
}
pub fn blind<R: Rng>(
parameters: &Parameters<C>,
rng: &mut R,
poseidon_hash: &poseidon::Poseidon<ConstraintF<C>>,
m: &[ConstraintF<C>],
signer_pk: PublicKey<C>,
signer_r: C::Affine,
) -> Result<(C::ScalarField, UserSecretData<C>), ark_crypto_primitives::Error>
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
let u = Self::new_blind_params(parameters, rng, signer_pk, signer_r);
// get X coordinate, as in new_blind_params we already checked that R.x is inside Fr and
// will not overflow (giving None)
let r = EdwardsAffine::from(u.R); // WIP
// m' = H(R, m) + beta
// TODO hash(R, m) must be \in Fr
let hm_0 = poseidon_hash.hash(m)?;
let to_hash: [ConstraintF<C>; 3] = [r.x.into(), r.y.into(), hm_0];
let h = poseidon_hash.hash(&to_hash)?;
let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP
let m_blinded = h_fr + u.beta;
Ok((m_blinded, u))
}
pub fn unblind(s_blinded: C::ScalarField, u: &UserSecretData<C>) -> Signature<C> {
// s = s' + alpha
let s = s_blinded + u.alpha;
Signature { s, r: u.R }
}
pub fn verify(
parameters: &Parameters<C>,
poseidon_hash: &poseidon::Poseidon<ConstraintF<C>>,
m: &[ConstraintF<C>],
s: Signature<C>,
q: PublicKey<C>,
) -> bool
where
<C as ProjectiveCurve>::ScalarField: From<BigInteger256>,
<<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField: From<Fp256<FqParameters>>,
{
let sG = parameters.generator.mul(s.s.into_repr());
let r = EdwardsAffine::from(s.r); // WIP
// TODO the output of hash(R, m) must be \in Fr
let hm_0 = poseidon_hash.hash(m).unwrap();
let to_hash: [ConstraintF<C>; 3] = [r.x.into(), r.y.into(), hm_0];
let h = poseidon_hash.hash(&to_hash).unwrap();
let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h).unwrap()); // WIP TMP
// TODO the output of hash(R, m) must be \in Fr
let one = BigInteger256::from(1u64);
let x_repr = r.x.into_repr();
let modulus = <<C::ScalarField as PrimeField>::Params as FpParameters>::MODULUS;
let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap();
if !(x_repr >= one && x_repr < modulus_repr) {
return false;
}
let right = s.r + q.mul(h_fr.into_repr()).into_affine();
sG.into_affine() == right
}
}
// poseidon
@@ -275,46 +300,46 @@ mod tests {
#[test]
fn test_blind_signature_flow_native() {
type S = BlindSigScheme<EdwardsProjective>;
type S = SchnorrBlindSig<EdwardsProjective>;
let poseidon_params = poseidon_setup_params::<Fq>(Curve::Bn254, 5, 4);
let poseidon_hash = poseidon::Poseidon::new(poseidon_params);
let mut rng = ark_std::test_rng();
let params = S::setup();
let params = S::setup(&poseidon_hash);
let (pk, sk) = S::keygen(&params, &mut rng);
let (r, signer_r) = S::new_request_params(&params, &mut rng);
let (r, signer_R) = S::new_request_params(&params, &mut rng);
let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)];
let (m_blinded, u) = S::blind(&params, &mut rng, &poseidon_hash, &m, pk, signer_r).unwrap();
let (m_blinded, u) = S::blind(&params, &mut rng, &m, pk, signer_R).unwrap();
let s_blinded = S::blind_sign(sk, r, m_blinded);
let s = S::unblind(s_blinded, &u);
let verified = S::verify(&params, &poseidon_hash, &m, s, pk);
let verified = S::verify(&params, &m, s, pk);
assert!(verified);
}
#[test]
fn test_non_blind_signature() {
type S = BlindSigScheme<EdwardsProjective>;
type S = SchnorrBlindSig<EdwardsProjective>;
let poseidon_params = poseidon_setup_params::<Fq>(Curve::Bn254, 5, 4);
let poseidon_hash = poseidon::Poseidon::new(poseidon_params);
let mut rng = ark_std::test_rng();
let params = S::setup();
let params = S::setup(&poseidon_hash);
let (pk, sk) = S::keygen(&params, &mut rng);
let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)];
let s = S::non_blind_sign(&params, &mut rng, &poseidon_hash, sk, &m).unwrap();
let s = S::non_blind_sign(&params, &mut rng, sk, &m).unwrap();
// verify using the same verification method used for blind-signatures
let verified = S::verify(&params, &poseidon_hash, &m, s, pk);
let verified = S::verify(&params, &m, s, pk);
assert!(verified);
}
}