You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

352 lines
8.2 KiB

3 years ago
  1. // Package blindsecp256k1 implements the Blind signature scheme explained at
  2. // "New Blind Signature Schemes Based on the (Elliptic Curve) Discrete
  3. // Logarithm Problem", by Hamid Mala & Nafiseh Nezhadansari
  4. // https://sci-hub.st/10.1109/ICCKE.2013.6682844
  5. //
  6. // LICENSE can be found at https://github.com/arnaucube/go-blindsecp256k1/blob/master/LICENSE
  7. //
  8. package blindsecp256k1
  9. // WARNING: WIP code
  10. import (
  11. "bytes"
  12. "crypto/ecdsa"
  13. "crypto/rand"
  14. "fmt"
  15. "math/big"
  16. "github.com/ethereum/go-ethereum/crypto"
  17. "github.com/ethereum/go-ethereum/crypto/secp256k1"
  18. )
  19. var (
  20. s256 *secp256k1.BitCurve = secp256k1.S256()
  21. zero *big.Int = big.NewInt(0)
  22. // B (from y^2 = x^3 + B)
  23. B *big.Int = s256.B
  24. // P represents the secp256k1 finite field
  25. P *big.Int = s256.P
  26. // G represents the base point of secp256k1
  27. G *Point = &Point{
  28. X: s256.Gx,
  29. Y: s256.Gy,
  30. }
  31. // N represents the order of G of secp256k1
  32. N *big.Int = s256.N
  33. )
  34. // Point represents a point on the secp256k1 curve
  35. type Point struct {
  36. X *big.Int
  37. Y *big.Int
  38. }
  39. // Add performs the Point addition
  40. func (p *Point) Add(q *Point) *Point {
  41. x, y := s256.Add(p.X, p.Y, q.X, q.Y)
  42. return &Point{
  43. X: x,
  44. Y: y,
  45. }
  46. }
  47. // Mul performs the Point scalar multiplication
  48. func (p *Point) Mul(scalar *big.Int) *Point {
  49. x, y := s256.ScalarMult(p.X, p.Y, scalar.Bytes())
  50. return &Point{
  51. X: x,
  52. Y: y,
  53. }
  54. }
  55. func (p *Point) isValid() error {
  56. if !s256.IsOnCurve(p.X, p.Y) {
  57. return fmt.Errorf("Point is not on secp256k1")
  58. }
  59. if bytes.Equal(p.X.Bytes(), zero.Bytes()) &&
  60. bytes.Equal(p.Y.Bytes(), zero.Bytes()) {
  61. return fmt.Errorf("Point (%s, %s) can not be (0, 0)",
  62. p.X.String(), p.Y.String())
  63. }
  64. return nil
  65. }
  66. // Compress packs a Point to a byte array of 33 bytes, encoded in
  67. // little-endian.
  68. func (p *Point) Compress() [33]byte {
  69. xBytes := p.X.Bytes()
  70. odd := byte(0)
  71. if isOdd(p.Y) {
  72. odd = byte(1)
  73. }
  74. var b [33]byte
  75. copy(b[32-len(xBytes):32], xBytes)
  76. b[32] = odd
  77. return b
  78. }
  79. func isOdd(b *big.Int) bool {
  80. return b.Bit(0) != 0
  81. }
  82. // DecompressPoint unpacks a Point from the given byte array of 33 bytes
  83. // https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294
  84. func DecompressPoint(b [33]byte) (*Point, error) {
  85. x := new(big.Int).SetBytes(b[:32])
  86. var odd bool
  87. if b[32] == byte(1) {
  88. odd = true
  89. }
  90. // secp256k1: y2 = x3+ ax2 + b (where A==0, B==7)
  91. // compute x^3 + B mod p
  92. x3 := new(big.Int).Mul(x, x)
  93. x3 = new(big.Int).Mul(x3, x)
  94. // x3 := new(big.Int).Exp(x, big.NewInt(3), nil)
  95. x3 = new(big.Int).Add(x3, B)
  96. x3 = new(big.Int).Mod(x3, P)
  97. // sqrt mod p of x^3 + B
  98. y := new(big.Int).ModSqrt(x3, P)
  99. if y == nil {
  100. return nil, fmt.Errorf("not sqrt mod of x^3")
  101. }
  102. if odd != isOdd(y) {
  103. y = new(big.Int).Sub(P, y)
  104. // TODO if needed Mod
  105. }
  106. // check that y is a square root of x^3 + B
  107. y2 := new(big.Int).Mul(y, y)
  108. y2 = new(big.Int).Mod(y2, P)
  109. if !bytes.Equal(y2.Bytes(), x3.Bytes()) {
  110. return nil, fmt.Errorf("invalid square root")
  111. }
  112. if odd != isOdd(y) {
  113. return nil, fmt.Errorf("odd does not match oddness")
  114. }
  115. p := &Point{X: x, Y: y}
  116. return p, p.isValid()
  117. }
  118. // WIP
  119. func newRand() (*big.Int, error) {
  120. pk, err := ecdsa.GenerateKey(s256, rand.Reader)
  121. if err != nil {
  122. return nil, err
  123. }
  124. return pk.D, nil
  125. }
  126. // PrivateKey represents the signer's private key
  127. type PrivateKey big.Int
  128. // PublicKey represents the signer's public key
  129. type PublicKey Point
  130. // NewPrivateKey returns a new random private key
  131. func NewPrivateKey() (*PrivateKey, error) {
  132. k, err := newRand()
  133. if err != nil {
  134. return nil, err
  135. }
  136. if err := checkBigIntSize(k); err != nil {
  137. return nil, fmt.Errorf("k error: %s", err)
  138. }
  139. sk := PrivateKey(*k)
  140. return &sk, nil
  141. }
  142. // BigInt returns a *big.Int representation of the PrivateKey
  143. func (sk *PrivateKey) BigInt() *big.Int {
  144. return (*big.Int)(sk)
  145. }
  146. // Public returns the PublicKey from the PrivateKey
  147. func (sk *PrivateKey) Public() *PublicKey {
  148. q := G.Mul(sk.BigInt())
  149. pk := PublicKey(*q)
  150. return &pk
  151. }
  152. // Point returns a *Point representation of the PublicKey
  153. func (pk *PublicKey) Point() *Point {
  154. return (*Point)(pk)
  155. }
  156. // NewRequestParameters returns a new random k (secret) & R (public) parameters
  157. func NewRequestParameters() (*big.Int, *Point, error) {
  158. k, err := newRand()
  159. if err != nil {
  160. return nil, nil, err
  161. }
  162. // k, R = kG
  163. return k, G.Mul(k), nil
  164. }
  165. func checkBigIntSize(b *big.Int) error {
  166. // check b.Bytes()==32, as go returns big-endian representation of the
  167. // bigint, so if length is not 32 we have a smaller value than expected
  168. // if len(b.Bytes()) != 32 { //nolint:gomnd
  169. // return fmt.Errorf("invalid length, need 32 bytes")
  170. // }
  171. return nil
  172. }
  173. // BlindSign performs the blind signature on the given mBlinded using the
  174. // PrivateKey and the secret k values.
  175. func (sk *PrivateKey) BlindSign(mBlinded *big.Int, k *big.Int) (*big.Int, error) {
  176. // TODO add pending checks
  177. if mBlinded.Cmp(N) != -1 {
  178. return nil, fmt.Errorf("mBlinded not inside the finite field")
  179. }
  180. if bytes.Equal(mBlinded.Bytes(), big.NewInt(0).Bytes()) {
  181. return nil, fmt.Errorf("mBlinded can not be 0")
  182. }
  183. if err := checkBigIntSize(mBlinded); err != nil {
  184. return nil, fmt.Errorf("mBlinded error: %s", err)
  185. }
  186. if err := checkBigIntSize(k); err != nil {
  187. return nil, fmt.Errorf("k error: %s", err)
  188. }
  189. // s' = dm' + k
  190. sBlind := new(big.Int).Add(
  191. new(big.Int).Mul(sk.BigInt(), mBlinded),
  192. k)
  193. sBlind = new(big.Int).Mod(sBlind, N)
  194. return sBlind, nil
  195. }
  196. // UserSecretData contains the secret values from the User (a, b) and the
  197. // public F
  198. type UserSecretData struct {
  199. A *big.Int
  200. B *big.Int
  201. F *Point // public (in the paper is named R)
  202. }
  203. // Blind performs the blinding operation on m using signerR parameter
  204. func Blind(m *big.Int, signerR *Point) (*big.Int, *UserSecretData, error) {
  205. if err := signerR.isValid(); err != nil {
  206. return nil, nil, fmt.Errorf("signerR %s", err)
  207. }
  208. var err error
  209. u := &UserSecretData{}
  210. u.A, err = newRand()
  211. if err != nil {
  212. return nil, nil, err
  213. }
  214. u.B, err = newRand()
  215. if err != nil {
  216. return nil, nil, err
  217. }
  218. // (R) F = aR' + bG
  219. aR := signerR.Mul(u.A)
  220. bG := G.Mul(u.B)
  221. u.F = aR.Add(bG)
  222. if err := u.F.isValid(); err != nil {
  223. return nil, nil, fmt.Errorf("u.F %s", err)
  224. }
  225. rx := new(big.Int).Mod(u.F.X, N)
  226. // m' = a^-1 rx h(m)
  227. ainv := new(big.Int).ModInverse(u.A, N)
  228. ainvrx := new(big.Int).Mul(ainv, rx)
  229. hBytes := crypto.Keccak256(m.Bytes())
  230. h := new(big.Int).SetBytes(hBytes)
  231. mBlinded := new(big.Int).Mul(ainvrx, h)
  232. mBlinded = new(big.Int).Mod(mBlinded, N)
  233. return mBlinded, u, nil
  234. }
  235. // Signature contains the signature values S & F
  236. type Signature struct {
  237. S *big.Int
  238. F *Point
  239. }
  240. // Compress packs a Signature to a byte array of 65 bytes, encoded in
  241. // little-endian.
  242. func (s *Signature) Compress() [65]byte {
  243. var b [65]byte
  244. sBytes := s.S.Bytes()
  245. fBytes := s.F.Compress()
  246. copy(b[:32], swapEndianness(sBytes))
  247. copy(b[32:], fBytes[:])
  248. return b
  249. }
  250. // DecompressSignature unpacks a Signature from the given byte array of 65 bytes
  251. func DecompressSignature(b [65]byte) (*Signature, error) {
  252. s := new(big.Int).SetBytes(swapEndianness(b[:32]))
  253. var fBytes [33]byte
  254. copy(fBytes[:], b[32:])
  255. f, err := DecompressPoint(fBytes)
  256. if err != nil {
  257. return nil, err
  258. }
  259. sig := &Signature{S: s, F: f}
  260. return sig, nil
  261. }
  262. // Unblind performs the unblinding operation of the blinded signature for the
  263. // given the UserSecretData
  264. func Unblind(sBlind *big.Int, u *UserSecretData) *Signature {
  265. // s = a s' + b
  266. as := new(big.Int).Mul(u.A, sBlind)
  267. s := new(big.Int).Add(as, u.B)
  268. s = new(big.Int).Mod(s, N)
  269. return &Signature{
  270. S: s,
  271. F: u.F,
  272. }
  273. }
  274. // Verify checks the signature of the message m for the given PublicKey
  275. func Verify(m *big.Int, s *Signature, q *PublicKey) bool {
  276. // TODO add pending checks
  277. if err := s.F.isValid(); err != nil {
  278. return false
  279. }
  280. if err := q.Point().isValid(); err != nil {
  281. return false
  282. }
  283. sG := G.Mul(s.S) // sG
  284. hBytes := crypto.Keccak256(m.Bytes())
  285. h := new(big.Int).SetBytes(hBytes)
  286. rx := new(big.Int).Mod(s.F.X, N)
  287. rxh := new(big.Int).Mul(rx, h)
  288. // do mod, as go-ethereum/crypto/secp256k1 can not handle scalars > 256 bits
  289. rxhMod := new(big.Int).Mod(rxh, N)
  290. // rxhG := G.Mul(rxh) // originally the paper uses G
  291. rxhG := q.Point().Mul(rxhMod)
  292. right := s.F.Add(rxhG)
  293. // check sG == R + rx h(m) Q (where R in this code is F)
  294. if bytes.Equal(sG.X.Bytes(), right.X.Bytes()) &&
  295. bytes.Equal(sG.Y.Bytes(), right.Y.Bytes()) {
  296. return true
  297. }
  298. return false
  299. }