diff --git a/src/lib.rs b/src/lib.rs index a7a4f43..bacfbda 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,314 +1,2 @@ -#![allow(non_snake_case)] -#![allow(clippy::many_single_char_names)] - -// #[cfg(feature="r1cs")] -pub mod constraints; - -use ark_ec::{models::twisted_edwards_extended::GroupAffine, AffineCurve, ProjectiveCurve}; - -use ark_ff::{to_bytes, BigInteger256, Field, FpParameters, PrimeField}; - -use ark_std::marker::PhantomData; -use ark_std::{rand::Rng, UniformRand}; -use derivative::Derivative; - -// hash -use arkworks_native_gadgets::poseidon; -use arkworks_native_gadgets::poseidon::FieldHasher; -use arkworks_utils::{ - bytes_matrix_to_f, bytes_vec_to_f, poseidon_params::setup_poseidon_params, Curve, -}; - -// WIP -use ark_ed_on_bn254::{EdwardsAffine, EdwardsParameters}; - -pub type ConstraintF = <::BaseField as Field>::BasePrimeField; -pub type SecretKey = ::ScalarField; -pub type PublicKey = ::Affine; -pub type BlindedSignature = ::ScalarField; - -// #[derive(Derivative)] -#[derive(Clone, Default, Debug)] -pub struct Signature { - s: C::ScalarField, // ScalarField == Fr - r: ::Affine, -} - -#[derive(Clone, Default, Debug)] -pub struct UserSecretData { - a: C::ScalarField, - b: C::ScalarField, - r: C::Affine, -} -impl UserSecretData { - fn new_empty(parameters: &Parameters) -> Self { - UserSecretData { - a: C::ScalarField::from(0_u32), - b: C::ScalarField::from(0_u32), - r: parameters.generator, // WIP - } - } -} - -#[derive(Derivative)] -#[derivative(Clone(bound = "C: ProjectiveCurve"), Debug)] -pub struct Parameters { - pub generator: C::Affine, -} - -pub struct BlindSigScheme { - _group: PhantomData, -} - -impl BlindSigScheme -where - C::ScalarField: PrimeField, - GroupAffine: From<::Affine>, // WIP -{ - pub fn setup() -> Parameters { - let generator = C::prime_subgroup_generator().into(); - Parameters { generator } - } - - // signer - pub fn keygen(parameters: &Parameters, rng: &mut R) -> (PublicKey, SecretKey) { - let secret_key = C::ScalarField::rand(rng); - let public_key = parameters.generator.mul(secret_key).into(); - (public_key, secret_key) - } - - pub fn new_request_params( - parameters: &Parameters, - rng: &mut R, - ) -> (C::ScalarField, C::Affine) { - let k = C::ScalarField::rand(rng); - let R = parameters.generator.mul(k).into(); - (k, R) - } - - pub fn blind_sign( - sk: SecretKey, - k: C::ScalarField, - m_blinded: C::ScalarField, - ) -> BlindedSignature { - sk * m_blinded + k - } - - // new_k_and_R returns a new k \in Fr, and R=k * G, such that R.x \in Fr - fn new_k_and_R(parameters: &Parameters, rng: &mut R) -> (C::ScalarField, C::Affine) - where - ::ScalarField: From, - { - let k = C::ScalarField::rand(rng); - - let R: C::Affine = parameters.generator.mul(k.into_repr()).into(); - let r = EdwardsAffine::from(R); // WIP - - let one = BigInteger256::from(1u64); - let x_repr = r.x.into_repr(); - let modulus = <::Params as FpParameters>::MODULUS; - let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); - - if !(x_repr >= one && x_repr < modulus_repr) { - // TODO maybe add a counter of attempts with a limit - return Self::new_k_and_R(parameters, rng); - } - - (k, R) - } - - // non_blind_sign performs a non-blind signature, which can be verified with the same check - // than a blind-signature - pub fn non_blind_sign( - parameters: &Parameters, - rng: &mut R, - poseidon_hash: &poseidon::Poseidon>, - sk: SecretKey, - m: &[ConstraintF], - ) -> Result, ark_crypto_primitives::Error> - where - ::ScalarField: From, - { - let (k, R) = Self::new_k_and_R(parameters, rng); - let r = EdwardsAffine::from(R); // WIP - let x_fr = C::ScalarField::from(r.x.into_repr()); - - let hm = poseidon_hash.hash(m)?; - let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm)?); // WIP TMP - - let s = k + (x_fr * hm_fr) * sk; - Ok(Signature { s, r: R }) - } - - // requester - pub fn new_blind_params( - parameters: &Parameters, - rng: &mut R, - signer_r: C::Affine, - ) -> UserSecretData - where - ::ScalarField: From, - { - let mut u: UserSecretData = UserSecretData::new_empty(parameters); - u.a = C::ScalarField::rand(rng); - u.b = C::ScalarField::rand(rng); - - // R = aR' + bG - let aR = signer_r.mul(u.a.into_repr()); - let bG = parameters.generator.mul(u.b.into_repr()); - u.r = aR.into_affine() + bG.into_affine(); - - let r = EdwardsAffine::from(u.r); // WIP - let one = BigInteger256::from(1u64); - let x_repr = r.x.into_repr(); - let modulus = <::Params as FpParameters>::MODULUS; - let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); - - if !(x_repr >= one && x_repr < modulus_repr) { - // TODO maybe add a counter of attempts with a limit - return Self::new_blind_params(parameters, rng, signer_r); - } - u - } - - pub fn blind( - parameters: &Parameters, - rng: &mut R, - poseidon_hash: &poseidon::Poseidon>, - m: &[ConstraintF], - signer_r: C::Affine, - ) -> Result<(C::ScalarField, UserSecretData), ark_crypto_primitives::Error> - where - ::ScalarField: From, - { - let u = Self::new_blind_params(parameters, rng, signer_r); - - // get X coordinate, as in new_blind_params we already checked that R.x is inside Fr and - // will not overflow (giving None) - let r = EdwardsAffine::from(u.r); // WIP - let x_fr = C::ScalarField::from(r.x.into_repr()); - - // m' = a^-1 rx h(m) - // TODO hash(m) must be \in Fr - let hm = poseidon_hash.hash(m)?; - // let hm_fr = C::ScalarField::from_repr(hm.into_repr()).unwrap(); - let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm)?); // WIP TMP - let m_blinded = u.a.inverse().unwrap() * x_fr * hm_fr; - // let m_blinded = C::ScalarField::from(u.a.inverse().unwrap() * x_fr) * hm_fr; - - Ok((m_blinded, u)) - } - - pub fn unblind(s_blinded: C::ScalarField, u: &UserSecretData) -> Signature { - // s = a s' + b - let s = u.a * s_blinded + u.b; - Signature { s, r: u.r } - } - - pub fn verify( - parameters: &Parameters, - poseidon_hash: &poseidon::Poseidon>, - m: &[ConstraintF], - s: Signature, - q: PublicKey, - ) -> bool - where - ::ScalarField: From, - { - let sG = parameters.generator.mul(s.s.into_repr()); - - // TODO the output of hash(m) must be \in Fr - let hm = poseidon_hash.hash(m).unwrap(); - // let hm_fr = C::ScalarField::from_repr(hm.into_repr()).unwrap(); - let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm).unwrap()); // WIP TMP - - // check that s.R.x is in Fr - let r = EdwardsAffine::from(s.r); // WIP - let one = BigInteger256::from(1u64); - let x_repr = r.x.into_repr(); - let modulus = <::Params as FpParameters>::MODULUS; - let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); - if !(x_repr >= one && x_repr < modulus_repr) { - return false; - } - // get s.R.x - let x_fr = C::ScalarField::from(r.x.into_repr()); - let right = s.r + q.mul((x_fr * hm_fr).into_repr()).into_affine(); - - sG.into_affine() == right - } -} - -// poseidon -pub fn poseidon_setup_params( - curve: Curve, - exp: i8, - width: u8, -) -> poseidon::PoseidonParameters { - let pos_data = setup_poseidon_params(curve, exp, width).unwrap(); - - let mds_f = bytes_matrix_to_f(&pos_data.mds); - let rounds_f = bytes_vec_to_f(&pos_data.rounds); - - poseidon::PoseidonParameters { - mds_matrix: mds_f, - round_keys: rounds_f, - full_rounds: pos_data.full_rounds, - partial_rounds: pos_data.partial_rounds, - sbox: poseidon::sbox::PoseidonSbox(pos_data.exp), - width: pos_data.width, - } -} - -#[cfg(test)] -mod tests { - use super::*; - use ark_ed_on_bn254::EdwardsProjective; - pub type Fq = ark_ed_on_bn254::Fq; // base field - // pub type Fr = ark_ed_on_bn254::Fr; // scalar field - - #[test] - fn test_blind_signature_flow_native() { - type S = BlindSigScheme; - - let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); - let poseidon_hash = poseidon::Poseidon::new(poseidon_params); - - let mut rng = ark_std::test_rng(); - - let params = S::setup(); - let (pk, sk) = S::keygen(¶ms, &mut rng); - - let (k, signer_r) = S::new_request_params(¶ms, &mut rng); - let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; - - let (m_blinded, u) = S::blind(¶ms, &mut rng, &poseidon_hash, &m, signer_r).unwrap(); - - let s_blinded = S::blind_sign(sk, k, m_blinded); - - let s = S::unblind(s_blinded, &u); - - let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); - assert!(verified); - } - - #[test] - fn test_non_blind_signature() { - type S = BlindSigScheme; - - let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); - let poseidon_hash = poseidon::Poseidon::new(poseidon_params); - - let mut rng = ark_std::test_rng(); - - let params = S::setup(); - let (pk, sk) = S::keygen(¶ms, &mut rng); - - let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; - let s = S::non_blind_sign(¶ms, &mut rng, &poseidon_hash, sk, &m).unwrap(); - - // verify using the same verification method used for blind-signatures - let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); - assert!(verified); - } -} +pub mod mala_nezhadansari; +pub mod schnorr_blind; diff --git a/src/constraints.rs b/src/mala_nezhadansari/constraints.rs similarity index 99% rename from src/constraints.rs rename to src/mala_nezhadansari/constraints.rs index cf06619..936b990 100644 --- a/src/constraints.rs +++ b/src/mala_nezhadansari/constraints.rs @@ -1,4 +1,4 @@ -use crate::{Parameters, PublicKey, Signature}; +use crate::mala_nezhadansari::{ConstraintF, Parameters, PublicKey, Signature}; use ark_ec::ProjectiveCurve; use ark_ed_on_bn254::{constraints::EdwardsVar, EdwardsParameters, FqParameters}; @@ -24,8 +24,6 @@ use arkworks_native_gadgets::poseidon as poseidon_native; // use arkworks_r1cs_gadgets::poseidon; use arkworks_r1cs_gadgets::poseidon::{FieldHasherGadget, PoseidonGadget}; -use crate::ConstraintF; - #[derive(Derivative)] #[derivative( Debug(bound = "C: ProjectiveCurve, GC: CurveVar>"), @@ -470,7 +468,7 @@ where #[cfg(test)] mod test { use super::*; - use crate::{poseidon_setup_params, BlindSigScheme}; + use crate::mala_nezhadansari::{poseidon_setup_params, BlindSigScheme}; use ark_ed_on_bn254::constraints::EdwardsVar as BabyJubJubVar; use ark_ed_on_bn254::EdwardsProjective as BabyJubJub; diff --git a/src/mala_nezhadansari/mod.rs b/src/mala_nezhadansari/mod.rs new file mode 100644 index 0000000..a7a4f43 --- /dev/null +++ b/src/mala_nezhadansari/mod.rs @@ -0,0 +1,314 @@ +#![allow(non_snake_case)] +#![allow(clippy::many_single_char_names)] + +// #[cfg(feature="r1cs")] +pub mod constraints; + +use ark_ec::{models::twisted_edwards_extended::GroupAffine, AffineCurve, ProjectiveCurve}; + +use ark_ff::{to_bytes, BigInteger256, Field, FpParameters, PrimeField}; + +use ark_std::marker::PhantomData; +use ark_std::{rand::Rng, UniformRand}; +use derivative::Derivative; + +// hash +use arkworks_native_gadgets::poseidon; +use arkworks_native_gadgets::poseidon::FieldHasher; +use arkworks_utils::{ + bytes_matrix_to_f, bytes_vec_to_f, poseidon_params::setup_poseidon_params, Curve, +}; + +// WIP +use ark_ed_on_bn254::{EdwardsAffine, EdwardsParameters}; + +pub type ConstraintF = <::BaseField as Field>::BasePrimeField; +pub type SecretKey = ::ScalarField; +pub type PublicKey = ::Affine; +pub type BlindedSignature = ::ScalarField; + +// #[derive(Derivative)] +#[derive(Clone, Default, Debug)] +pub struct Signature { + s: C::ScalarField, // ScalarField == Fr + r: ::Affine, +} + +#[derive(Clone, Default, Debug)] +pub struct UserSecretData { + a: C::ScalarField, + b: C::ScalarField, + r: C::Affine, +} +impl UserSecretData { + fn new_empty(parameters: &Parameters) -> Self { + UserSecretData { + a: C::ScalarField::from(0_u32), + b: C::ScalarField::from(0_u32), + r: parameters.generator, // WIP + } + } +} + +#[derive(Derivative)] +#[derivative(Clone(bound = "C: ProjectiveCurve"), Debug)] +pub struct Parameters { + pub generator: C::Affine, +} + +pub struct BlindSigScheme { + _group: PhantomData, +} + +impl BlindSigScheme +where + C::ScalarField: PrimeField, + GroupAffine: From<::Affine>, // WIP +{ + pub fn setup() -> Parameters { + let generator = C::prime_subgroup_generator().into(); + Parameters { generator } + } + + // signer + pub fn keygen(parameters: &Parameters, rng: &mut R) -> (PublicKey, SecretKey) { + let secret_key = C::ScalarField::rand(rng); + let public_key = parameters.generator.mul(secret_key).into(); + (public_key, secret_key) + } + + pub fn new_request_params( + parameters: &Parameters, + rng: &mut R, + ) -> (C::ScalarField, C::Affine) { + let k = C::ScalarField::rand(rng); + let R = parameters.generator.mul(k).into(); + (k, R) + } + + pub fn blind_sign( + sk: SecretKey, + k: C::ScalarField, + m_blinded: C::ScalarField, + ) -> BlindedSignature { + sk * m_blinded + k + } + + // new_k_and_R returns a new k \in Fr, and R=k * G, such that R.x \in Fr + fn new_k_and_R(parameters: &Parameters, rng: &mut R) -> (C::ScalarField, C::Affine) + where + ::ScalarField: From, + { + let k = C::ScalarField::rand(rng); + + let R: C::Affine = parameters.generator.mul(k.into_repr()).into(); + let r = EdwardsAffine::from(R); // WIP + + let one = BigInteger256::from(1u64); + let x_repr = r.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + + if !(x_repr >= one && x_repr < modulus_repr) { + // TODO maybe add a counter of attempts with a limit + return Self::new_k_and_R(parameters, rng); + } + + (k, R) + } + + // non_blind_sign performs a non-blind signature, which can be verified with the same check + // than a blind-signature + pub fn non_blind_sign( + parameters: &Parameters, + rng: &mut R, + poseidon_hash: &poseidon::Poseidon>, + sk: SecretKey, + m: &[ConstraintF], + ) -> Result, ark_crypto_primitives::Error> + where + ::ScalarField: From, + { + let (k, R) = Self::new_k_and_R(parameters, rng); + let r = EdwardsAffine::from(R); // WIP + let x_fr = C::ScalarField::from(r.x.into_repr()); + + let hm = poseidon_hash.hash(m)?; + let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm)?); // WIP TMP + + let s = k + (x_fr * hm_fr) * sk; + Ok(Signature { s, r: R }) + } + + // requester + pub fn new_blind_params( + parameters: &Parameters, + rng: &mut R, + signer_r: C::Affine, + ) -> UserSecretData + where + ::ScalarField: From, + { + let mut u: UserSecretData = UserSecretData::new_empty(parameters); + u.a = C::ScalarField::rand(rng); + u.b = C::ScalarField::rand(rng); + + // R = aR' + bG + let aR = signer_r.mul(u.a.into_repr()); + let bG = parameters.generator.mul(u.b.into_repr()); + u.r = aR.into_affine() + bG.into_affine(); + + let r = EdwardsAffine::from(u.r); // WIP + let one = BigInteger256::from(1u64); + let x_repr = r.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + + if !(x_repr >= one && x_repr < modulus_repr) { + // TODO maybe add a counter of attempts with a limit + return Self::new_blind_params(parameters, rng, signer_r); + } + u + } + + pub fn blind( + parameters: &Parameters, + rng: &mut R, + poseidon_hash: &poseidon::Poseidon>, + m: &[ConstraintF], + signer_r: C::Affine, + ) -> Result<(C::ScalarField, UserSecretData), ark_crypto_primitives::Error> + where + ::ScalarField: From, + { + let u = Self::new_blind_params(parameters, rng, signer_r); + + // get X coordinate, as in new_blind_params we already checked that R.x is inside Fr and + // will not overflow (giving None) + let r = EdwardsAffine::from(u.r); // WIP + let x_fr = C::ScalarField::from(r.x.into_repr()); + + // m' = a^-1 rx h(m) + // TODO hash(m) must be \in Fr + let hm = poseidon_hash.hash(m)?; + // let hm_fr = C::ScalarField::from_repr(hm.into_repr()).unwrap(); + let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm)?); // WIP TMP + let m_blinded = u.a.inverse().unwrap() * x_fr * hm_fr; + // let m_blinded = C::ScalarField::from(u.a.inverse().unwrap() * x_fr) * hm_fr; + + Ok((m_blinded, u)) + } + + pub fn unblind(s_blinded: C::ScalarField, u: &UserSecretData) -> Signature { + // s = a s' + b + let s = u.a * s_blinded + u.b; + Signature { s, r: u.r } + } + + pub fn verify( + parameters: &Parameters, + poseidon_hash: &poseidon::Poseidon>, + m: &[ConstraintF], + s: Signature, + q: PublicKey, + ) -> bool + where + ::ScalarField: From, + { + let sG = parameters.generator.mul(s.s.into_repr()); + + // TODO the output of hash(m) must be \in Fr + let hm = poseidon_hash.hash(m).unwrap(); + // let hm_fr = C::ScalarField::from_repr(hm.into_repr()).unwrap(); + let hm_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(hm).unwrap()); // WIP TMP + + // check that s.R.x is in Fr + let r = EdwardsAffine::from(s.r); // WIP + let one = BigInteger256::from(1u64); + let x_repr = r.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + if !(x_repr >= one && x_repr < modulus_repr) { + return false; + } + // get s.R.x + let x_fr = C::ScalarField::from(r.x.into_repr()); + let right = s.r + q.mul((x_fr * hm_fr).into_repr()).into_affine(); + + sG.into_affine() == right + } +} + +// poseidon +pub fn poseidon_setup_params( + curve: Curve, + exp: i8, + width: u8, +) -> poseidon::PoseidonParameters { + let pos_data = setup_poseidon_params(curve, exp, width).unwrap(); + + let mds_f = bytes_matrix_to_f(&pos_data.mds); + let rounds_f = bytes_vec_to_f(&pos_data.rounds); + + poseidon::PoseidonParameters { + mds_matrix: mds_f, + round_keys: rounds_f, + full_rounds: pos_data.full_rounds, + partial_rounds: pos_data.partial_rounds, + sbox: poseidon::sbox::PoseidonSbox(pos_data.exp), + width: pos_data.width, + } +} + +#[cfg(test)] +mod tests { + use super::*; + use ark_ed_on_bn254::EdwardsProjective; + pub type Fq = ark_ed_on_bn254::Fq; // base field + // pub type Fr = ark_ed_on_bn254::Fr; // scalar field + + #[test] + fn test_blind_signature_flow_native() { + type S = BlindSigScheme; + + let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); + let poseidon_hash = poseidon::Poseidon::new(poseidon_params); + + let mut rng = ark_std::test_rng(); + + let params = S::setup(); + let (pk, sk) = S::keygen(¶ms, &mut rng); + + let (k, signer_r) = S::new_request_params(¶ms, &mut rng); + let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; + + let (m_blinded, u) = S::blind(¶ms, &mut rng, &poseidon_hash, &m, signer_r).unwrap(); + + let s_blinded = S::blind_sign(sk, k, m_blinded); + + let s = S::unblind(s_blinded, &u); + + let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); + assert!(verified); + } + + #[test] + fn test_non_blind_signature() { + type S = BlindSigScheme; + + let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); + let poseidon_hash = poseidon::Poseidon::new(poseidon_params); + + let mut rng = ark_std::test_rng(); + + let params = S::setup(); + let (pk, sk) = S::keygen(¶ms, &mut rng); + + let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; + let s = S::non_blind_sign(¶ms, &mut rng, &poseidon_hash, sk, &m).unwrap(); + + // verify using the same verification method used for blind-signatures + let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); + assert!(verified); + } +} diff --git a/src/schnorr_blind/mod.rs b/src/schnorr_blind/mod.rs new file mode 100644 index 0000000..8bb4364 --- /dev/null +++ b/src/schnorr_blind/mod.rs @@ -0,0 +1,320 @@ +#![allow(non_snake_case)] +#![allow(clippy::many_single_char_names)] + +// #[cfg(feature="r1cs")] +// pub mod constraints; + +use ark_ec::{models::twisted_edwards_extended::GroupAffine, AffineCurve, ProjectiveCurve}; + +use ark_ff::{to_bytes, BigInteger256, Field, Fp256, FpParameters, PrimeField}; + +use ark_std::marker::PhantomData; +use ark_std::{rand::Rng, UniformRand}; +use derivative::Derivative; + +// hash +use arkworks_native_gadgets::poseidon; +use arkworks_native_gadgets::poseidon::FieldHasher; +use arkworks_utils::{ + bytes_matrix_to_f, bytes_vec_to_f, poseidon_params::setup_poseidon_params, Curve, +}; + +// WIP +use ark_ed_on_bn254::{EdwardsAffine, EdwardsParameters, FqParameters}; + +pub type ConstraintF = <::BaseField as Field>::BasePrimeField; +pub type SecretKey = ::ScalarField; +pub type PublicKey = ::Affine; +pub type BlindedSignature = ::ScalarField; + +// #[derive(Derivative)] +#[derive(Clone, Default, Debug)] +pub struct Signature { + s: C::ScalarField, // ScalarField == Fr + r: ::Affine, +} + +#[derive(Clone, Default, Debug)] +pub struct UserSecretData { + alpha: C::ScalarField, + beta: C::ScalarField, + R: C::Affine, +} +impl UserSecretData { + fn new_empty(parameters: &Parameters) -> Self { + UserSecretData { + alpha: C::ScalarField::from(0_u32), + beta: C::ScalarField::from(0_u32), + R: parameters.generator, // WIP + } + } +} + +#[derive(Derivative)] +#[derivative(Clone(bound = "C: ProjectiveCurve"), Debug)] +pub struct Parameters { + pub generator: C::Affine, +} + +pub struct BlindSigScheme { + _group: PhantomData, +} + +impl BlindSigScheme +where + C::ScalarField: PrimeField, + GroupAffine: From<::Affine>, // WIP +{ + pub fn setup() -> Parameters { + let generator = C::prime_subgroup_generator().into(); + Parameters { generator } + } + + // signer + pub fn keygen(parameters: &Parameters, rng: &mut R) -> (PublicKey, SecretKey) { + let secret_key = C::ScalarField::rand(rng); + let public_key = parameters.generator.mul(secret_key).into(); + (public_key, secret_key) + } + + pub fn new_request_params( + parameters: &Parameters, + rng: &mut R, + ) -> (C::ScalarField, C::Affine) { + let r = C::ScalarField::rand(rng); + let R_ = parameters.generator.mul(r).into(); + (r, R_) + } + + pub fn blind_sign( + sk: SecretKey, + r: C::ScalarField, + m_blinded: C::ScalarField, + ) -> BlindedSignature { + r + m_blinded * sk + } + + // new_k_and_R returns a new k \in Fr, and R=k * G, such that R.x \in Fr + fn new_k_and_R(parameters: &Parameters, rng: &mut R) -> (C::ScalarField, C::Affine) + where + ::ScalarField: From, + { + // TODO, for schorr, the H(R, m) needs to be \in Fr, not R.x + let k = C::ScalarField::rand(rng); + + let R: C::Affine = parameters.generator.mul(k.into_repr()).into(); + let r = EdwardsAffine::from(R); // WIP + + let one = BigInteger256::from(1u64); + let x_repr = r.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + + if !(x_repr >= one && x_repr < modulus_repr) { + // TODO maybe add a counter of attempts with a limit + return Self::new_k_and_R(parameters, rng); + } + + (k, R) + } + + // non_blind_sign performs a non-blind signature, which can be verified with the same check + // than a blind-signature + pub fn non_blind_sign( + parameters: &Parameters, + rng: &mut R, + poseidon_hash: &poseidon::Poseidon>, + sk: SecretKey, + m: &[ConstraintF], + ) -> Result, ark_crypto_primitives::Error> + where + ::ScalarField: From, + <::BaseField as Field>::BasePrimeField: From>, + { + let (r, R) = Self::new_k_and_R(parameters, rng); + let R_ed = EdwardsAffine::from(R); // WIP + + let hm = poseidon_hash.hash(m)?; + let to_hash: [ConstraintF; 3] = [R_ed.x.into(), R_ed.y.into(), hm]; + let h = poseidon_hash.hash(&to_hash)?; + let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP + + let s = r + h_fr * sk; + Ok(Signature { s, r: R }) + } + + // requester + pub fn new_blind_params( + parameters: &Parameters, + rng: &mut R, + signer_pk: PublicKey, + signer_r: C::Affine, + ) -> UserSecretData + where + ::ScalarField: From, + { + let mut u: UserSecretData = UserSecretData::new_empty(parameters); + u.alpha = C::ScalarField::rand(rng); + u.beta = C::ScalarField::rand(rng); + + // R = R' + alpha * G + beta * X + let alphaG = parameters.generator.mul(u.alpha.into_repr()); + let betaPk = signer_pk.mul(u.beta.into_repr()); + u.R = signer_r + alphaG.into_affine() + betaPk.into_affine(); + + let R = EdwardsAffine::from(u.R); // WIP + let one = BigInteger256::from(1u64); + let x_repr = R.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + + if !(x_repr >= one && x_repr < modulus_repr) { + // TODO maybe add a counter of attempts with a limit + return Self::new_blind_params(parameters, rng, signer_pk, signer_r); + } + u + } + + pub fn blind( + parameters: &Parameters, + rng: &mut R, + poseidon_hash: &poseidon::Poseidon>, + m: &[ConstraintF], + signer_pk: PublicKey, + signer_r: C::Affine, + ) -> Result<(C::ScalarField, UserSecretData), ark_crypto_primitives::Error> + where + ::ScalarField: From, + <::BaseField as Field>::BasePrimeField: From>, + { + let u = Self::new_blind_params(parameters, rng, signer_pk, signer_r); + + // get X coordinate, as in new_blind_params we already checked that R.x is inside Fr and + // will not overflow (giving None) + let r = EdwardsAffine::from(u.R); // WIP + + // m' = H(R, m) + beta + // TODO hash(R, m) must be \in Fr + let hm_0 = poseidon_hash.hash(m)?; + let to_hash: [ConstraintF; 3] = [r.x.into(), r.y.into(), hm_0]; + let h = poseidon_hash.hash(&to_hash)?; + let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h)?); // WIP TMP + let m_blinded = h_fr + u.beta; + + Ok((m_blinded, u)) + } + + pub fn unblind(s_blinded: C::ScalarField, u: &UserSecretData) -> Signature { + // s = s' + alpha + let s = s_blinded + u.alpha; + Signature { s, r: u.R } + } + + pub fn verify( + parameters: &Parameters, + poseidon_hash: &poseidon::Poseidon>, + m: &[ConstraintF], + s: Signature, + q: PublicKey, + ) -> bool + where + ::ScalarField: From, + <::BaseField as Field>::BasePrimeField: From>, + { + let sG = parameters.generator.mul(s.s.into_repr()); + + let r = EdwardsAffine::from(s.r); // WIP + + // TODO the output of hash(R, m) must be \in Fr + let hm_0 = poseidon_hash.hash(m).unwrap(); + let to_hash: [ConstraintF; 3] = [r.x.into(), r.y.into(), hm_0]; + let h = poseidon_hash.hash(&to_hash).unwrap(); + let h_fr = C::ScalarField::from_le_bytes_mod_order(&to_bytes!(h).unwrap()); // WIP TMP + + // TODO the output of hash(R, m) must be \in Fr + let one = BigInteger256::from(1u64); + let x_repr = r.x.into_repr(); + let modulus = <::Params as FpParameters>::MODULUS; + let modulus_repr = BigInteger256::try_from(modulus.into()).unwrap(); + if !(x_repr >= one && x_repr < modulus_repr) { + return false; + } + let right = s.r + q.mul(h_fr.into_repr()).into_affine(); + + sG.into_affine() == right + } +} + +// poseidon +pub fn poseidon_setup_params( + curve: Curve, + exp: i8, + width: u8, +) -> poseidon::PoseidonParameters { + let pos_data = setup_poseidon_params(curve, exp, width).unwrap(); + + let mds_f = bytes_matrix_to_f(&pos_data.mds); + let rounds_f = bytes_vec_to_f(&pos_data.rounds); + + poseidon::PoseidonParameters { + mds_matrix: mds_f, + round_keys: rounds_f, + full_rounds: pos_data.full_rounds, + partial_rounds: pos_data.partial_rounds, + sbox: poseidon::sbox::PoseidonSbox(pos_data.exp), + width: pos_data.width, + } +} + +#[cfg(test)] +mod tests { + use super::*; + use ark_ed_on_bn254::EdwardsProjective; + pub type Fq = ark_ed_on_bn254::Fq; // base field + // pub type Fr = ark_ed_on_bn254::Fr; // scalar field + + #[test] + fn test_blind_signature_flow_native() { + type S = BlindSigScheme; + + let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); + let poseidon_hash = poseidon::Poseidon::new(poseidon_params); + + let mut rng = ark_std::test_rng(); + + let params = S::setup(); + let (pk, sk) = S::keygen(¶ms, &mut rng); + + let (r, signer_r) = S::new_request_params(¶ms, &mut rng); + let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; + + let (m_blinded, u) = S::blind(¶ms, &mut rng, &poseidon_hash, &m, pk, signer_r).unwrap(); + + let s_blinded = S::blind_sign(sk, r, m_blinded); + + let s = S::unblind(s_blinded, &u); + + let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); + assert!(verified); + } + + #[test] + fn test_non_blind_signature() { + type S = BlindSigScheme; + + let poseidon_params = poseidon_setup_params::(Curve::Bn254, 5, 4); + let poseidon_hash = poseidon::Poseidon::new(poseidon_params); + + let mut rng = ark_std::test_rng(); + + let params = S::setup(); + let (pk, sk) = S::keygen(¶ms, &mut rng); + + let m = [Fq::from(1234), Fq::from(5689), Fq::from(3456)]; + let s = S::non_blind_sign(¶ms, &mut rng, &poseidon_hash, sk, &m).unwrap(); + + // verify using the same verification method used for blind-signatures + let verified = S::verify(¶ms, &poseidon_hash, &m, s, pk); + assert!(verified); + } +}