// Package blindsecp256k1v0 implements the Blind signature scheme explained at // "An Efficient Blind Signature Scheme Based on the Elliptic Curve Discrete // Logarithm Problem", by Morteza Nikooghadama & Ali Zakerolhosseini // http://www.isecure-journal.com/article_39171_47f9ec605dd3918c2793565ec21fcd7a.pdf // // LICENSE can be found at https://github.com/arnaucube/go-blindsecp256k1/blob/master/LICENSE // package blindsecp256k1v0 // WARNING: WIP code import ( "bytes" "crypto/rand" "math/big" "github.com/arnaucube/go-blindsecp256k1" ) // WIP func newRand() *big.Int { var b [32]byte _, err := rand.Read(b[:]) if err != nil { panic(err) } bi := new(big.Int).SetBytes(b[:]) return new(big.Int).Mod(bi, blindsecp256k1.N) } // PrivateKey represents the signer's private key type PrivateKey big.Int // NewPrivateKey returns a new random private key func NewPrivateKey() *PrivateKey { k := newRand() sk := PrivateKey(*k) return &sk } // BigInt returns a *big.Int representation of the PrivateKey func (sk *PrivateKey) BigInt() *big.Int { return (*big.Int)(sk) } // Public returns the PublicKey from the PrivateKey func (sk *PrivateKey) Public() *blindsecp256k1.PublicKey { Q := blindsecp256k1.G.Mul(sk.BigInt()) pk := blindsecp256k1.PublicKey(*Q) return &pk } // NewRequestParameters returns a new random k (secret) & R (public) parameters func NewRequestParameters() (*big.Int, *blindsecp256k1.Point) { k := newRand() return k, blindsecp256k1.G.Mul(k) // R = kG } // BlindSign performs the blind signature on the given mBlinded using // SignerPrivateData values func (sk *PrivateKey) BlindSign(mBlinded *big.Int, k *big.Int) *big.Int { // TODO add pending checks // s' = d(m') + k sBlind := new(big.Int).Add( new(big.Int).Mul(sk.BigInt(), mBlinded), k) return sBlind } // UserSecretData contains the secret values from the User (a, b, c) and the // public F type UserSecretData struct { A *big.Int B *big.Int C *big.Int F *blindsecp256k1.Point // public } // Blind performs the blinding operation on m using SignerPublicData parameters func Blind(m *big.Int, signerPubK *blindsecp256k1.PublicKey, signerR *blindsecp256k1.Point) (*big.Int, *UserSecretData) { u := &UserSecretData{} u.A = newRand() u.B = newRand() u.C = newRand() binv := new(big.Int).ModInverse(u.B, blindsecp256k1.N) // F = b^-1 R + a b^-1 Q + c G bR := signerR.Mul(binv) abinv := new(big.Int).Mul(u.A, binv) abinv = new(big.Int).Mod(abinv, blindsecp256k1.N) abQ := signerPubK.Point().Mul(abinv) cG := blindsecp256k1.G.Mul(u.C) u.F = bR.Add(abQ).Add(cG) // TODO check F==O r := new(big.Int).Mod(u.F.X, blindsecp256k1.N) // m' = br(m)+a br := new(big.Int).Mul(u.B, r) brm := new(big.Int).Mul(br, m) mBlinded := new(big.Int).Add(brm, u.A) mBlinded = new(big.Int).Mod(mBlinded, blindsecp256k1.N) return mBlinded, u } // Signature contains the signature values S & F type Signature struct { S *big.Int F *blindsecp256k1.Point } // Unblind performs the unblinding operation of the blinded signature for the // given message m and the UserSecretData func Unblind(sBlind, m *big.Int, u *UserSecretData) *Signature { // s = b^-1 s' + c binv := new(big.Int).ModInverse(u.B, blindsecp256k1.N) bs := new(big.Int).Mul(binv, sBlind) s := new(big.Int).Add(bs, u.C) s = new(big.Int).Mod(s, blindsecp256k1.N) return &Signature{ S: s, F: u.F, } } // Verify checks the signature of the message m for the given PublicKey func Verify(m *big.Int, signature *Signature, q *blindsecp256k1.PublicKey) bool { // TODO add pending checks sG := blindsecp256k1.G.Mul(signature.S) // sG r := new(big.Int).Mod(signature.F.X, blindsecp256k1.N) // r = Fx mod N rm := new(big.Int).Mul(r, m) rm = new(big.Int).Mod(rm, blindsecp256k1.N) rmQ := q.Point().Mul(rm) rmQF := rmQ.Add(signature.F) // rmQ + F // check sG == rmQ + F if bytes.Equal(sG.X.Bytes(), rmQF.X.Bytes()) && bytes.Equal(sG.Y.Bytes(), rmQF.Y.Bytes()) { return true } return false }