go-blindsecp256k1/blindsecp256k1.go

// Package blindsecp256k1 implements the Blind signature scheme explained at
// "New Blind Signature Schemes Based on the (Elliptic Curve) Discrete
// Logarithm Problem", by Hamid Mala & Nafiseh Nezhadansari
// https://sci-hub.do/10.1109/ICCKE.2013.6682844
//
// LICENSE can be found at https://github.com/arnaucube/go-blindsecp256k1/blob/master/LICENSE
//
package blindsecp256k1

// WARNING: WIP code

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math/big"

	"github.com/btcsuite/btcd/btcec"
	"github.com/ethereum/go-ethereum/crypto"
)

var (
	// G represents the base point of secp256k1
	G *Point = &Point{
		X: btcec.S256().Gx,
		Y: btcec.S256().Gy,
	}

	// N represents the order of G of secp256k1
	N *big.Int = btcec.S256().N

	// B (from y^2 = x^3 + B)
	B *big.Int = btcec.S256().B

	// Q = (P+1)/4
	Q = new(big.Int).Div(new(big.Int).Add(btcec.S256().P,
		big.NewInt(1)), big.NewInt(4))
)

// Point represents a point on the secp256k1 curve
type Point struct {
	X *big.Int
	Y *big.Int
}

// Add performs the Point addition
func (p *Point) Add(q *Point) *Point {
	x, y := btcec.S256().Add(p.X, p.Y, q.X, q.Y)
	return &Point{
		X: x,
		Y: y,
	}
}

// Mul performs the Point scalar multiplication
func (p *Point) Mul(scalar *big.Int) *Point {
	x, y := btcec.S256().ScalarMult(p.X, p.Y, scalar.Bytes())
	return &Point{
		X: x,
		Y: y,
	}
}

func (p *Point) Compress() [33]byte {
	xBytes := p.X.Bytes()
	sign := byte(0)
	if isOdd(p.Y) {
		sign = byte(1)
	}
	var b [33]byte
	copy(b[32-len(xBytes):32], xBytes)
	b[32] = sign
	return b
}

func isOdd(b *big.Int) bool {
	return b.Bit(0) != 0
}

func squareMul(r, x *big.Int, bit bool) *big.Int {
	// r = new(big.Int).Mul(r, r) // r^2
	r = new(big.Int).Exp(r, big.NewInt(2), N)
	if bit {
		r = new(big.Int).Mul(r, x)
	}
	return new(big.Int).Mod(r, N)
}

// https://en.wikipedia.org/wiki/Exponentiation_by_squaring
func sqrtQ(x *big.Int) *big.Int {
	// xBytes := x.Bytes()
	qBytes := Q.Bytes()
	r := big.NewInt(1)
	// fmt.Println(hex.EncodeToString(qBytes))
	for _, b := range qBytes {
		// fmt.Printf("%d, %x %d\n", i, b, r)
		// fmt.Printf("%x %s\n", b, r.String())
		switch b {
		// Most common case, where all 8 bits are set.
		case 0xff:
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			// fmt.Printf("%x %s\n", b, r.String())

		// First byte of Q (0x3f), where all but the top two bits are
		// set. Note that this case only applies six operations, since
		// the highest bit of Q resides in bit six of the first byte. We
		// ignore the first two bits, since squaring for these bits will
		// result in an invalid result. We forgo squaring f before the
		// first multiply, since 1^2 = 1.
		case 0x3f:
			r = new(big.Int).Mul(r, x)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)

		// Byte 28 of Q (0xbf), where only bit 7 is unset.
		case 0xbf:
			r = squareMul(r, x, true)
			r = squareMul(r, x, false)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)

		// Byte 31 of Q (0x0c), where only bits 3 and 4 are set.
		default:
			r = squareMul(r, x, false)
			r = squareMul(r, x, false)
			r = squareMul(r, x, false)
			r = squareMul(r, x, false)
			r = squareMul(r, x, true)
			r = squareMul(r, x, true)
			r = squareMul(r, x, false)
			r = squareMul(r, x, false)
		}
	}
	return r
}

// https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294
// func (p *Point) Decompress(b [33]byte) error {
func Decompress(b [33]byte) (*Point, error) {
	fmt.Println(b)
	x := new(big.Int).SetBytes(b[:32])
	fmt.Println(x)
	var sign bool
	if b[32] == byte(1) {
		sign = true
	}

	// y2 = x3+ ax2 + b (where A==0, B==7)

	// compute x^3 + B mod p
	x3 := new(big.Int).Mul(x, x)
	x3 = new(big.Int).Mul(x3, x)
	// x3 := new(big.Int).Exp(x, big.NewInt(3), N)
	x3 = new(big.Int).Add(x3, B)
	x3 = new(big.Int).Mod(x3, N)

	// sqrt mod p of x^3 + B
	fmt.Println("x3", x3)
	y := new(big.Int).ModSqrt(x3, N)
	// y := sqrtQ(x3)
	if y == nil {
		return nil, fmt.Errorf("not sqrt mod of x^3")
	}
	fmt.Println("y", y)
	fmt.Println("y", new(big.Int).Sub(N, y))
	fmt.Println("y", new(big.Int).Mod(new(big.Int).Neg(y), N))
	if sign != isOdd(y) {
		y = new(big.Int).Sub(N, y)
		// TODO check if needed Mod
	}

	// check that y is a square root of x^3 + B
	y2 := new(big.Int).Mul(y, y)
	y2 = new(big.Int).Mod(y2, N)
	if !bytes.Equal(y2.Bytes(), x3.Bytes()) {
		return nil, fmt.Errorf("invalid square root")
	}

	if sign != isOdd(y) {
		return nil, fmt.Errorf("sign does not match oddness")
	}

	p := &Point{X: x, Y: y}
	// p = &Point{}
	// p.X = x
	// p.Y = y
	// fmt.Println("I", p.X, p.Y)
	return p, nil
}

// WIP
func newRand() *big.Int {
	var b [32]byte
	_, err := rand.Read(b[:])
	if err != nil {
		panic(err)
	}
	bi := new(big.Int).SetBytes(b[:])
	return new(big.Int).Mod(bi, N)
}

// PrivateKey represents the signer's private key
type PrivateKey big.Int

// PublicKey represents the signer's public key
type PublicKey Point

// NewPrivateKey returns a new random private key
func NewPrivateKey() *PrivateKey {
	k := newRand()
	sk := PrivateKey(*k)
	return &sk
}

// BigInt returns a *big.Int representation of the PrivateKey
func (sk *PrivateKey) BigInt() *big.Int {
	return (*big.Int)(sk)
}

// Public returns the PublicKey from the PrivateKey
func (sk *PrivateKey) Public() *PublicKey {
	Q := G.Mul(sk.BigInt())
	pk := PublicKey(*Q)
	return &pk
}

// Point returns a *Point representation of the PublicKey
func (pk *PublicKey) Point() *Point {
	return (*Point)(pk)
}

// NewRequestParameters returns a new random k (secret) & R (public) parameters
func NewRequestParameters() (*big.Int, *Point) {
	k := newRand()
	return k, G.Mul(k) // R = kG
}

// BlindSign performs the blind signature on the given mBlinded using the
// PrivateKey and the secret k values
func (sk *PrivateKey) BlindSign(mBlinded *big.Int, k *big.Int) *big.Int {
	// TODO add pending checks
	// s' = dm' + k
	sBlind := new(big.Int).Add(
		new(big.Int).Mul(sk.BigInt(), mBlinded),
		k)
	return sBlind
}

// UserSecretData contains the secret values from the User (a, b, c) and the
// public F
type UserSecretData struct {
	A *big.Int
	B *big.Int

	F *Point // public (in the paper is R)
}

// Blind performs the blinding operation on m using signerR parameter
func Blind(m *big.Int, signerR *Point) (*big.Int, *UserSecretData) {
	u := &UserSecretData{}
	u.A = newRand()
	u.B = newRand()

	// (R) F = aR' + bG
	aR := signerR.Mul(u.A)
	bG := G.Mul(u.B)
	u.F = aR.Add(bG)

	// TODO check that F != O (point at infinity)

	rx := new(big.Int).Mod(u.F.X, N)

	// m' = a^-1 rx h(m)
	ainv := new(big.Int).ModInverse(u.A, N)
	ainvrx := new(big.Int).Mul(ainv, rx)
	hBytes := crypto.Keccak256(m.Bytes())
	h := new(big.Int).SetBytes(hBytes)
	mBlinded := new(big.Int).Mul(ainvrx, h)

	return mBlinded, u
}

// Signature contains the signature values S & F
type Signature struct {
	S *big.Int
	F *Point
}

// Unblind performs the unblinding operation of the blinded signature for the
// given message m and the UserSecretData
func Unblind(sBlind, m *big.Int, u *UserSecretData) *Signature {
	// s = a s' + b
	as := new(big.Int).Mul(u.A, sBlind)
	s := new(big.Int).Add(as, u.B)

	return &Signature{
		S: s,
		F: u.F,
	}
}

// Verify checks the signature of the message m for the given PublicKey
func Verify(m *big.Int, s *Signature, q *PublicKey) bool {
	// TODO add pending checks

	sG := G.Mul(s.S) // sG

	hBytes := crypto.Keccak256(m.Bytes())
	h := new(big.Int).SetBytes(hBytes)

	rx := new(big.Int).Mod(s.F.X, N)
	rxh := new(big.Int).Mul(rx, h)
	// rxhG := G.Mul(rxh) // originally the paper uses G
	rxhG := q.Point().Mul(rxh)

	right := s.F.Add(rxhG)

	// check sG == R + rx h(m) G (where R in this code is F)
	if bytes.Equal(sG.X.Bytes(), right.X.Bytes()) &&
		bytes.Equal(sG.Y.Bytes(), right.Y.Bytes()) {
		return true
	}
	return false
}