Implement https://sci-hub.do/10.1109/ICCKE.2013.6682844

Previous to this commit there was the implementation of "[An Efficient Blind Signature Scheme Based on the Elliptic Curve Discrete Logarithm Problem](http://www.isecure-journal.com/article_39171_47f9ec605dd3918c2793565ec21fcd7a.pdf)" paper by by Morteza Nikooghadama & Ali Zakerolhosseini. This commit adds the implementation of "[New Blind Signature Schemes Based on the (Elliptic Curve) Discrete Logarithm Problem](https://sci-hub.do/10.1109/ICCKE.2013.6682844)" paper by Hamid Mala & Nafiseh Nezhadansari.
2026-02-06 19:16:40 +01:00 · 2021-01-11 21:08:46 +01:00
parent c3e4afc552
commit ec095bba83
10 changed files with 573 additions and 42 deletions
--- a/v0/README.md
+++ b/v0/README.md
@@ -0,0 +1,5 @@
+# go-blindsecp256k1/v0
+
+The directory `v0` implements the blind signature over [secp256k1](https://en.bitcoin.it/wiki/Secp256k1), based on *"[An Efficient Blind Signature Scheme Based on the Elliptic Curve Discrete Logarithm Problem](http://www.isecure-journal.com/article_39171_47f9ec605dd3918c2793565ec21fcd7a.pdf)"* paper by by Morteza Nikooghadama & Ali Zakerolhosseini.
+
+The implementation of *"[New Blind Signature Schemes Based on the (Elliptic Curve) Discrete Logarithm Problem](https://sci-hub.do/10.1109/ICCKE.2013.6682844)"* paper by Hamid Mala & Nafiseh Nezhadansari, can be found at the root directory of this repository: https://github.com/arnaucube/go-blindsecp256k1
--- a/v0/blindsecp256k1v0.go
+++ b/v0/blindsecp256k1v0.go
@@ -0,0 +1,214 @@
+// Package blindsecp256k1v0 implements the Blind signature scheme explained at
+// "An Efficient Blind Signature Scheme Based on the Elliptic Curve Discrete
+// Logarithm Problem", by Morteza Nikooghadama & Ali Zakerolhosseini
+// http://www.isecure-journal.com/article_39171_47f9ec605dd3918c2793565ec21fcd7a.pdf
+//
+// LICENSE can be found at https://github.com/arnaucube/go-blindsecp256k1/blob/master/LICENSE
+//
+package blindsecp256k1v0
+
+// WARNING: WIP code
+
+import (
+	"bytes"
+	"crypto/rand"
+	"math/big"
+
+	"github.com/btcsuite/btcd/btcec"
+)
+
+var (
+	// G represents the base point of secp256k1
+	G *Point = &Point{
+		X: btcec.S256().Gx,
+		Y: btcec.S256().Gy,
+	}
+
+	// N represents the order of G of secp256k1
+	N *big.Int = btcec.S256().N
+)
+
+// Point represents a point on the secp256k1 curve
+type Point struct {
+	X *big.Int
+	Y *big.Int
+}
+
+// Add performs the Point addition
+func (p *Point) Add(q *Point) *Point {
+	x, y := btcec.S256().Add(p.X, p.Y, q.X, q.Y)
+	return &Point{
+		X: x,
+		Y: y,
+	}
+}
+
+// Mul performs the Point scalar multiplication
+func (p *Point) Mul(scalar *big.Int) *Point {
+	x, y := btcec.S256().ScalarMult(p.X, p.Y, scalar.Bytes())
+	return &Point{
+		X: x,
+		Y: y,
+	}
+}
+
+// WIP
+func newRand() *big.Int {
+	var b [32]byte
+	_, err := rand.Read(b[:])
+	if err != nil {
+		panic(err)
+	}
+	bi := new(big.Int).SetBytes(b[:])
+	return new(big.Int).Mod(bi, N)
+}
+
+// PrivateKey represents the signer's private key
+type PrivateKey big.Int
+
+// PublicKey represents the signer's public key
+type PublicKey Point
+
+// NewPrivateKey returns a new random private key
+func NewPrivateKey() *PrivateKey {
+	k := newRand()
+	sk := PrivateKey(*k)
+	return &sk
+}
+
+// BigInt returns a *big.Int representation of the PrivateKey
+func (sk *PrivateKey) BigInt() *big.Int {
+	return (*big.Int)(sk)
+}
+
+// Public returns the PublicKey from the PrivateKey
+func (sk *PrivateKey) Public() *PublicKey {
+	Q := G.Mul(sk.BigInt())
+	pk := PublicKey(*Q)
+	return &pk
+}
+
+// Point returns a *Point representation of the PublicKey
+func (pk *PublicKey) Point() *Point {
+	return (*Point)(pk)
+}
+
+// SignerPrivateData contains the secret values from the Signer
+type SignerPrivateData struct {
+	D *PrivateKey
+	K *big.Int
+}
+
+// SignerPublicData contains the public values from the Signer (generated from
+// its SignerPrivateData)
+type SignerPublicData struct {
+	// Q is the Signer Public Key
+	Q *PublicKey // = skG
+	R *Point     // = kG
+}
+
+// NewSigner returns a new SignerPrivateData with random D & K
+func NewSigner() *SignerPrivateData {
+	sk := NewPrivateKey()
+	k := newRand()
+	return &SignerPrivateData{
+		D: sk,
+		K: k,
+	}
+}
+
+// PublicData returns the SignerPublicData from the SignerPrivateData
+func (signer *SignerPrivateData) PublicData() *SignerPublicData {
+	return &SignerPublicData{
+		Q: signer.D.Public(), // Q = dG
+		R: G.Mul(signer.K),   // R = kG
+	}
+}
+
+// BlindSign performs the blind signature on the given mBlinded using
+// SignerPrivateData values
+func (signer *SignerPrivateData) BlindSign(mBlinded *big.Int) *big.Int {
+	// TODO add pending checks
+	// s' = d(m') + k
+	sBlind := new(big.Int).Add(
+		new(big.Int).Mul(signer.D.BigInt(), mBlinded),
+		signer.K)
+	return sBlind
+}
+
+// UserSecretData contains the secret values from the User (a, b, c) and the
+// public F
+type UserSecretData struct {
+	A *big.Int
+	B *big.Int
+	C *big.Int
+
+	F *Point // public
+}
+
+// Blind performs the blinding operation on m using SignerPublicData parameters
+func Blind(m *big.Int, signer *SignerPublicData) (*big.Int, *UserSecretData) {
+	u := &UserSecretData{}
+	u.A = newRand()
+	u.B = newRand()
+	u.C = newRand()
+	binv := new(big.Int).ModInverse(u.B, N)
+
+	// F = b^-1 R + a b^-1 Q + c G
+	bR := signer.R.Mul(binv)
+	abinv := new(big.Int).Mul(u.A, binv)
+	abinv = new(big.Int).Mod(abinv, N)
+	abQ := signer.Q.Point().Mul(abinv)
+	cG := G.Mul(u.C)
+	u.F = bR.Add(abQ).Add(cG)
+	// TODO check F==O
+
+	r := new(big.Int).Mod(u.F.X, N)
+
+	// m' = br(m)+a
+	br := new(big.Int).Mul(u.B, r)
+	brm := new(big.Int).Mul(br, m)
+	mBlinded := new(big.Int).Add(brm, u.A)
+	mBlinded = new(big.Int).Mod(mBlinded, N)
+	return mBlinded, u
+}
+
+// Signature contains the signature values S & F
+type Signature struct {
+	S *big.Int
+	F *Point
+}
+
+// Unblind performs the unblinding operation of the blinded signature for the
+// given message m and the UserSecretData
+func Unblind(sBlind, m *big.Int, u *UserSecretData) *Signature {
+	// s = b^-1 s' + c
+	binv := new(big.Int).ModInverse(u.B, N)
+	bs := new(big.Int).Mul(binv, sBlind)
+	s := new(big.Int).Add(bs, u.C)
+	s = new(big.Int).Mod(s, N)
+
+	return &Signature{
+		S: s,
+		F: u.F,
+	}
+}
+
+// Verify checks the signature of the message m for the given PublicKey
+func Verify(m *big.Int, signature *Signature, q *PublicKey) bool {
+	// TODO add pending checks
+	sG := G.Mul(signature.S) // sG
+
+	r := new(big.Int).Mod(signature.F.X, N) // r = Fx mod N
+	rm := new(big.Int).Mul(r, m)
+	rm = new(big.Int).Mod(rm, N)
+	rmQ := q.Point().Mul(rm)
+	rmQF := rmQ.Add(signature.F) // rmQ + F
+
+	// check sG == rmQ + F
+	if bytes.Equal(sG.X.Bytes(), rmQF.X.Bytes()) &&
+		bytes.Equal(sG.Y.Bytes(), rmQF.Y.Bytes()) {
+		return true
+	}
+	return false
+}
--- a/v0/blindsecp256k1v0_test.go
+++ b/v0/blindsecp256k1v0_test.go
@@ -0,0 +1,30 @@
+package blindsecp256k1v0
+
+import (
+	"math/big"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFlow(t *testing.T) {
+	// message to be signed
+	msg := new(big.Int).SetBytes([]byte("test"))
+
+	// create new signer
+	signerPrivateData := NewSigner()
+	signerPublicData := signerPrivateData.PublicData()
+
+	// user blinds the msg
+	msgBlinded, user := Blind(msg, signerPublicData)
+
+	// signer signs the blinded message
+	sBlind := signerPrivateData.BlindSign(msgBlinded)
+
+	// user unblinds the blinded signature
+	sig := Unblind(sBlind, msg, user)
+
+	// signature can be verified with signer PublicKey (Q)
+	verified := Verify(msg, sig, signerPublicData.Q)
+	assert.True(t, verified)
+}