|
|
#[macro_use]
extern crate arrayref;
extern crate generic_array;
extern crate mimc_rs;
extern crate num;
extern crate num_bigint;
extern crate num_traits;
extern crate rand;
use blake2::{Blake2b, Digest};
use mimc_rs::Mimc7;
use poseidon_rs::Poseidon;
use std::cmp::min;
use num_bigint::{BigInt, RandBigInt, Sign, ToBigInt};
use num_traits::{One, Zero};
use generic_array::GenericArray;
mod utils;
#[macro_use]
extern crate lazy_static;
lazy_static! {
static ref D: BigInt = BigInt::parse_bytes(b"168696", 10).unwrap();
static ref A: BigInt = BigInt::parse_bytes(b"168700", 10).unwrap();
static ref Q: BigInt = BigInt::parse_bytes(
b"21888242871839275222246405745257275088548364400416034343698204186575808495617",
10,
)
.unwrap();
static ref B8: Point = Point {
x: BigInt::parse_bytes(
b"5299619240641551281634865583518297030282874472190772894086521144482721001553",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"16950150798460657717958625567821834550301663161624707787222815936182638968203",
10,
)
.unwrap(),
};
static ref ORDER: BigInt = BigInt::parse_bytes(
b"21888242871839275222246405745257275088614511777268538073601725287587578984328",
10,
)
.unwrap();
static ref SUBORDER: BigInt = &BigInt::parse_bytes(
b"21888242871839275222246405745257275088614511777268538073601725287587578984328",
10,
)
.unwrap()
>> 3;
}
#[derive(Clone, Debug)]
pub struct Point {
pub x: BigInt,
pub y: BigInt,
}
impl Point {
pub fn add(&self, q: &Point) -> Result<Point, String> {
// x = (x1*y2+y1*x2)/(c*(1+d*x1*x2*y1*y2))
// y = (y1*y2-x1*x2)/(c*(1-d*x1*x2*y1*y2))
// x = (x1 * y2 + y1 * x2) / (1 + d * x1 * y1 * y2)
let one: BigInt = One::one();
let x_num: BigInt = &self.x * &q.y + &self.y * &q.x;
let x_den: BigInt = &one + &D.clone() * &self.x * &q.x * &self.y * &q.y;
let x_den_inv = utils::modinv(&x_den, &Q)?;
let x: BigInt = utils::modulus(&(&x_num * &x_den_inv), &Q);
// y = (y1 * y2 - a * x1 * x2) / (1 - d * x1 * x2 * y1 * y2)
let y_num = &self.y * &q.y - &A.clone() * &self.x * &q.x;
let y_den = utils::modulus(&(&one - &D.clone() * &self.x * &q.x * &self.y * &q.y), &Q);
let y_den_inv = utils::modinv(&y_den, &Q)?;
let y: BigInt = utils::modulus(&(&y_num * &y_den_inv), &Q);
Ok(Point { x: x, y: y })
}
pub fn mul_scalar(&self, n: &BigInt) -> Result<Point, String> {
let mut r: Point = Point {
x: Zero::zero(),
y: One::one(),
};
let mut rem: BigInt = n.clone();
let mut exp: Point = self.clone();
let zero: BigInt = Zero::zero();
let one: BigInt = One::one();
while rem != zero {
let is_odd = &rem & &one == one;
if is_odd == true {
r = r.add(&exp)?;
}
exp = exp.add(&exp)?;
rem = rem >> 1;
}
r.x = utils::modulus(&r.x, &Q);
r.y = utils::modulus(&r.y, &Q);
Ok(r)
}
pub fn compress(&self) -> [u8; 32] {
let mut r: [u8; 32] = [0; 32];
let (_, y_bytes) = self.y.to_bytes_le();
let len = min(y_bytes.len(), r.len());
r[..len].copy_from_slice(&y_bytes[..len]);
if &self.x > &(&Q.clone() >> 1) {
r[31] = r[31] | 0x80;
}
r
}
pub fn equals(&self, p: Point) -> bool {
if self.x == p.x && self.y == p.y {
return true;
}
false
}
}
pub fn decompress_point(bb: [u8; 32]) -> Result<Point, String> {
// https://tools.ietf.org/html/rfc8032#section-5.2.3
let mut sign: bool = false;
let mut b = bb.clone();
if b[31] & 0x80 != 0x00 {
sign = true;
b[31] = b[31] & 0x7F;
}
let y: BigInt = BigInt::from_bytes_le(Sign::Plus, &b[..]);
if y >= Q.clone() {
return Err("y outside the Finite Field over R".to_string());
}
let one: BigInt = One::one();
// x^2 = (1 - y^2) / (a - d * y^2) (mod p)
let den = utils::modinv(
&utils::modulus(
&(&A.clone() - utils::modulus(&(&D.clone() * (&y * &y)), &Q)),
&Q,
),
&Q,
)?;
let mut x: BigInt = utils::modulus(&((one - utils::modulus(&(&y * &y), &Q)) * den), &Q);
x = utils::modsqrt(&x, &Q)?;
if sign && !(&x > &(&Q.clone() >> 1)) || (!sign && (&x > &(&Q.clone() >> 1))) {
x = x * -1.to_bigint().unwrap();
}
x = utils::modulus(&x, &Q);
Ok(Point { x: x, y: y })
}
pub struct Signature {
r_b8: Point,
s: BigInt,
}
impl Signature {
pub fn compress(&self) -> [u8; 64] {
let mut b: Vec<u8> = Vec::new();
b.append(&mut self.r_b8.compress().to_vec());
let (_, s_bytes) = self.s.to_bytes_le();
let mut s_32bytes: [u8; 32] = [0; 32];
let len = min(s_bytes.len(), s_32bytes.len());
s_32bytes[..len].copy_from_slice(&s_bytes[..len]);
b.append(&mut s_32bytes.to_vec());
let mut r: [u8; 64] = [0; 64];
r[..].copy_from_slice(&b[..]);
r
}
}
pub fn decompress_signature(b: &[u8; 64]) -> Result<Signature, String> {
let r_b8_bytes: [u8; 32] = *array_ref!(b[..32], 0, 32);
let s: BigInt = BigInt::from_bytes_le(Sign::Plus, &b[32..]);
let r_b8 = decompress_point(r_b8_bytes);
match r_b8 {
Result::Err(err) => return Err(err.to_string()),
Result::Ok(res) => Ok(Signature {
r_b8: res.clone(),
s: s,
}),
}
}
pub struct PrivateKey {
key: BigInt,
}
impl PrivateKey {
pub fn public(&self) -> Result<Point, String> {
// https://tools.ietf.org/html/rfc8032#section-5.1.5
let pk = B8.mul_scalar(&self.key)?;
Ok(pk.clone())
}
pub fn sign_mimc(&self, msg: BigInt) -> Result<Signature, String> {
// https://tools.ietf.org/html/rfc8032#section-5.1.6
let mut hasher = Blake2b::new();
let (_, sk_bytes) = self.key.to_bytes_be();
hasher.input(sk_bytes);
let mut h = hasher.result(); // h: hash(sk)
// s: h[32:64]
let s = GenericArray::<u8, generic_array::typenum::U32>::from_mut_slice(&mut h[32..64]);
let (_, msg_bytes) = msg.to_bytes_be();
let r_bytes = utils::concatenate_arrays(s, &msg_bytes);
let mut r = BigInt::from_bytes_be(Sign::Plus, &r_bytes[..]);
r = utils::modulus(&r, &SUBORDER);
let r8: Point = B8.mul_scalar(&r)?;
let a = &self.public()?;
let hm_input = vec![r8.x.clone(), r8.y.clone(), a.x.clone(), a.y.clone(), msg];
let mimc7 = Mimc7::new();
let hm = mimc7.hash(hm_input)?;
let mut s = &self.key << 3;
s = hm * s;
s = r + s;
s = s % &SUBORDER.clone();
Ok(Signature {
r_b8: r8.clone(),
s: s,
})
}
pub fn sign_poseidon(&self, msg: BigInt) -> Result<Signature, String> {
// https://tools.ietf.org/html/rfc8032#section-5.1.6
let mut hasher = Blake2b::new();
let (_, sk_bytes) = self.key.to_bytes_be();
hasher.input(sk_bytes);
let mut h = hasher.result(); // h: hash(sk)
// s: h[32:64]
let s = GenericArray::<u8, generic_array::typenum::U32>::from_mut_slice(&mut h[32..64]);
let (_, msg_bytes) = msg.to_bytes_be();
let r_bytes = utils::concatenate_arrays(s, &msg_bytes);
let mut r = BigInt::from_bytes_be(Sign::Plus, &r_bytes[..]);
r = utils::modulus(&r, &SUBORDER);
let r8: Point = B8.mul_scalar(&r)?;
let a = &self.public()?;
let hm_input = vec![r8.x.clone(), r8.y.clone(), a.x.clone(), a.y.clone(), msg];
let poseidon = Poseidon::new();
let hm = poseidon.hash(hm_input)?;
let mut s = &self.key << 3;
s = hm * s;
s = r + s;
s = s % &SUBORDER.clone();
Ok(Signature {
r_b8: r8.clone(),
s: s,
})
}
pub fn sign_schnorr(&self, m: Vec<u8>) -> Result<(Point, BigInt), String> {
// random r
let mut rng = rand::thread_rng();
let k = rng.gen_biguint(1024).to_bigint().unwrap();
// r = k·G
let r = B8.mul_scalar(&k)?;
// h = H(x, r, m)
let pk = &self.public()?;
let h = schnorr_hash(&pk, m, &r)?;
// s= k+x·h
let s = k + &self.key * &h;
Ok((r, s))
}
}
pub fn schnorr_hash(pk: &Point, m: Vec<u8>, c: &Point) -> Result<BigInt, String> {
let b: &mut Vec<u8> = &mut Vec::new();
// other option could be to do it without compressing the points, and concatenating x|y
b.append(&mut pk.compress().to_vec());
b.append(&mut c.compress().to_vec());
b.append(&mut m.clone());
let poseidon = Poseidon::new();
let h = poseidon.hash_bytes(b.to_vec())?;
println!("h {:?}", h.to_string());
Ok(h)
}
pub fn verify_schnorr(pk: Point, m: Vec<u8>, r: Point, s: BigInt) -> Result<bool, String> {
// sG = s·G
let sg = B8.mul_scalar(&s)?;
// r + h · x
let h = schnorr_hash(&pk, m, &r)?;
let pk_h = pk.mul_scalar(&h)?;
let right = r.add(&pk_h)?;
Ok(sg.equals(right))
}
pub fn new_key() -> PrivateKey {
// https://tools.ietf.org/html/rfc8032#section-5.1.5
let mut rng = rand::thread_rng();
let sk_raw = rng.gen_biguint(1024).to_bigint().unwrap();
let mut hasher = Blake2b::new();
let (_, sk_raw_bytes) = sk_raw.to_bytes_be();
hasher.input(sk_raw_bytes);
let mut h = hasher.result();
h[0] = h[0] & 0xF8;
h[31] = h[31] & 0x7F;
h[31] = h[31] | 0x40;
let sk = BigInt::from_bytes_le(Sign::Plus, &h[..]);
PrivateKey { key: sk }
}
pub fn verify_mimc(pk: Point, sig: Signature, msg: BigInt) -> bool {
let hm_input = vec![
sig.r_b8.x.clone(),
sig.r_b8.y.clone(),
pk.x.clone(),
pk.y.clone(),
msg,
];
let mimc7 = Mimc7::new();
let hm = match mimc7.hash(hm_input) {
Result::Err(_) => return false,
Result::Ok(hm) => hm,
};
let l = match B8.mul_scalar(&sig.s) {
Result::Err(_) => return false,
Result::Ok(l) => l,
};
let r = match sig
.r_b8
.add(&pk.mul_scalar(&(8.to_bigint().unwrap() * hm)).unwrap())
{
Result::Err(_) => return false,
Result::Ok(r) => r,
};
l.equals(r)
}
pub fn verify_poseidon(pk: Point, sig: Signature, msg: BigInt) -> bool {
let hm_input = vec![
sig.r_b8.x.clone(),
sig.r_b8.y.clone(),
pk.x.clone(),
pk.y.clone(),
msg,
];
let poseidon = Poseidon::new();
let hm = match poseidon.hash(hm_input) {
Result::Err(_) => return false,
Result::Ok(hm) => hm,
};
let l = match B8.mul_scalar(&sig.s) {
Result::Err(_) => return false,
Result::Ok(l) => l,
};
let r = match sig
.r_b8
.add(&pk.mul_scalar(&(8.to_bigint().unwrap() * hm)).unwrap())
{
Result::Err(_) => return false,
Result::Ok(r) => r,
};
l.equals(r)
}
#[cfg(test)]
mod tests {
use super::*;
extern crate rustc_hex;
use rustc_hex::{FromHex, ToHex};
#[test]
fn test_add_same_point() {
let p: Point = Point {
x: BigInt::parse_bytes(
b"17777552123799933955779906779655732241715742912184938656739573121738514868268",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"2626589144620713026669568689430873010625803728049924121243784502389097019475",
10,
)
.unwrap(),
};
let q: Point = Point {
x: BigInt::parse_bytes(
b"17777552123799933955779906779655732241715742912184938656739573121738514868268",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"2626589144620713026669568689430873010625803728049924121243784502389097019475",
10,
)
.unwrap(),
};
let res = p.add(&q).unwrap();
assert_eq!(
res.x.to_string(),
"6890855772600357754907169075114257697580319025794532037257385534741338397365"
);
assert_eq!(
res.y.to_string(),
"4338620300185947561074059802482547481416142213883829469920100239455078257889"
);
}
#[test]
fn test_add_different_points() {
let p: Point = Point {
x: BigInt::parse_bytes(
b"17777552123799933955779906779655732241715742912184938656739573121738514868268",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"2626589144620713026669568689430873010625803728049924121243784502389097019475",
10,
)
.unwrap(),
};
let q: Point = Point {
x: BigInt::parse_bytes(
b"16540640123574156134436876038791482806971768689494387082833631921987005038935",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"20819045374670962167435360035096875258406992893633759881276124905556507972311",
10,
)
.unwrap(),
};
let res = p.add(&q).unwrap();
assert_eq!(
res.x.to_string(),
"7916061937171219682591368294088513039687205273691143098332585753343424131937"
);
assert_eq!(
res.y.to_string(),
"14035240266687799601661095864649209771790948434046947201833777492504781204499"
);
}
#[test]
fn test_mul_scalar() {
let p: Point = Point {
x: BigInt::parse_bytes(
b"17777552123799933955779906779655732241715742912184938656739573121738514868268",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"2626589144620713026669568689430873010625803728049924121243784502389097019475",
10,
)
.unwrap(),
};
let res_m = p.mul_scalar(&3.to_bigint().unwrap()).unwrap();
let res_a = p.add(&p).unwrap();
let res_a = res_a.add(&p).unwrap();
assert_eq!(res_m.x, res_a.x);
assert_eq!(
res_m.x.to_string(),
"19372461775513343691590086534037741906533799473648040012278229434133483800898"
);
assert_eq!(
res_m.y.to_string(),
"9458658722007214007257525444427903161243386465067105737478306991484593958249"
);
let n = BigInt::parse_bytes(
b"14035240266687799601661095864649209771790948434046947201833777492504781204499",
10,
)
.unwrap();
let res2 = p.mul_scalar(&n).unwrap();
assert_eq!(
res2.x.to_string(),
"17070357974431721403481313912716834497662307308519659060910483826664480189605"
);
assert_eq!(
res2.y.to_string(),
"4014745322800118607127020275658861516666525056516280575712425373174125159339"
);
}
#[test]
fn test_new_key_sign_verify_mimc_0() {
let sk = new_key();
let pk = sk.public().unwrap();
let msg = 5.to_bigint().unwrap();
let sig = sk.sign_mimc(msg.clone()).unwrap();
let v = verify_mimc(pk, sig, msg);
assert_eq!(v, true);
}
#[test]
fn test_new_key_sign_verify_mimc_1() {
let sk = new_key();
let pk = sk.public().unwrap();
let msg = BigInt::parse_bytes(b"123456789012345678901234567890", 10).unwrap();
let sig = sk.sign_mimc(msg.clone()).unwrap();
let v = verify_mimc(pk, sig, msg);
assert_eq!(v, true);
}
#[test]
fn test_new_key_sign_verify_poseidon_0() {
let sk = new_key();
let pk = sk.public().unwrap();
let msg = 5.to_bigint().unwrap();
let sig = sk.sign_poseidon(msg.clone()).unwrap();
let v = verify_poseidon(pk, sig, msg);
assert_eq!(v, true);
}
#[test]
fn test_new_key_sign_verify_poseidon_1() {
let sk = new_key();
let pk = sk.public().unwrap();
let msg = BigInt::parse_bytes(b"123456789012345678901234567890", 10).unwrap();
let sig = sk.sign_poseidon(msg.clone()).unwrap();
let v = verify_poseidon(pk, sig, msg);
assert_eq!(v, true);
}
#[test]
fn test_point_compress_decompress() {
let p: Point = Point {
x: BigInt::parse_bytes(
b"17777552123799933955779906779655732241715742912184938656739573121738514868268",
10,
)
.unwrap(),
y: BigInt::parse_bytes(
b"2626589144620713026669568689430873010625803728049924121243784502389097019475",
10,
)
.unwrap(),
};
let p_comp = p.compress();
assert_eq!(
p_comp[..].to_hex(),
"53b81ed5bffe9545b54016234682e7b2f699bd42a5e9eae27ff4051bc698ce85"
);
let p2 = decompress_point(p_comp).unwrap();
assert_eq!(p.x, p2.x);
assert_eq!(p.y, p2.y);
}
#[test]
fn test_point_decompress0() {
let y_bytes_raw = "b5328f8791d48f20bec6e481d91c7ada235f1facf22547901c18656b6c3e042f"
.from_hex()
.unwrap();
let mut y_bytes: [u8; 32] = [0; 32];
y_bytes.copy_from_slice(&y_bytes_raw);
let p = decompress_point(y_bytes).unwrap();
let expected_px_raw = "b86cc8d9c97daef0afe1a4753c54fb2d8a530dc74c7eee4e72b3fdf2496d2113"
.from_hex()
.unwrap();
let mut e_px_bytes: [u8; 32] = [0; 32];
e_px_bytes.copy_from_slice(&expected_px_raw);
let expected_px: BigInt = BigInt::from_bytes_le(Sign::Plus, &e_px_bytes);
assert_eq!(&p.x, &expected_px);
}
#[test]
fn test_point_decompress1() {
let y_bytes_raw = "70552d3ff548e09266ded29b33ce75139672b062b02aa66bb0d9247ffecf1d0b"
.from_hex()
.unwrap();
let mut y_bytes: [u8; 32] = [0; 32];
y_bytes.copy_from_slice(&y_bytes_raw);
let p = decompress_point(y_bytes).unwrap();
let expected_px_raw = "30f1635ba7d56f9cb32c3ffbe6dca508a68c7f43936af11a23c785ce98cb3404"
.from_hex()
.unwrap();
let mut e_px_bytes: [u8; 32] = [0; 32];
e_px_bytes.copy_from_slice(&expected_px_raw);
let expected_px: BigInt = BigInt::from_bytes_le(Sign::Plus, &e_px_bytes);
assert_eq!(&p.x, &expected_px);
}
#[test]
fn test_point_decompress_loop() {
for _ in 0..5 {
let mut rng = rand::thread_rng();
let sk_raw = rng.gen_biguint(1024).to_bigint().unwrap();
let mut hasher = Blake2b::new();
let (_, sk_raw_bytes) = sk_raw.to_bytes_be();
hasher.input(sk_raw_bytes);
let mut h = hasher.result();
h[0] = h[0] & 0xF8;
h[31] = h[31] & 0x7F;
h[31] = h[31] | 0x40;
let sk = BigInt::from_bytes_le(Sign::Plus, &h[..]);
let point = B8.mul_scalar(&sk).unwrap();
let cmp_point = point.compress();
let dcmp_point = decompress_point(cmp_point).unwrap();
assert_eq!(&point.x, &dcmp_point.x);
assert_eq!(&point.y, &dcmp_point.y);
}
}
#[test]
fn test_signature_compress_decompress() {
let sk = new_key();
let pk = sk.public().unwrap();
for i in 0..5 {
let msg_raw = "123456".to_owned() + &i.to_string();
let msg = BigInt::parse_bytes(msg_raw.as_bytes(), 10).unwrap();
let sig = sk.sign_mimc(msg.clone()).unwrap();
let compressed_sig = sig.compress();
let decompressed_sig = decompress_signature(&compressed_sig).unwrap();
assert_eq!(&sig.r_b8.x, &decompressed_sig.r_b8.x);
assert_eq!(&sig.r_b8.y, &decompressed_sig.r_b8.y);
assert_eq!(&sig.s, &decompressed_sig.s);
let v = verify_mimc(pk.clone(), decompressed_sig, msg);
assert_eq!(v, true);
}
}
#[test]
fn test_schnorr_signature() {
let sk = new_key();
let pk = sk.public().unwrap();
let msg: Vec<u8> = ("123456".to_owned() + &1.to_string()).as_bytes().to_vec();
let (s, e) = sk.sign_schnorr(msg.clone()).unwrap();
println!("s {:?}", s.x.to_string());
println!("s {:?}", s.y.to_string());
println!("e {:?}", e.to_string());
let verification = verify_schnorr(pk, msg, s, e).unwrap();
assert_eq!(true, verification);
}
}
|