// Package blindsecp256k1 implements the Blind signature scheme explained at
|
|
// http://www.isecure-journal.com/article_39171_47f9ec605dd3918c2793565ec21fcd7a.pdf
|
|
//
|
|
// LICENSE can be found at https://github.com/arnaucube/go-blindsecp256k1/blob/master/LICENSE
|
|
//
|
|
package blindsecp256k1
|
|
|
|
// WARNING: WIP code
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/rand"
|
|
"math/big"
|
|
|
|
"github.com/ethereum/go-ethereum/crypto/secp256k1"
|
|
)
|
|
|
|
var (
|
|
// G represents the base point of secp256k1
|
|
G *Point = &Point{
|
|
X: secp256k1.S256().Gx,
|
|
Y: secp256k1.S256().Gy,
|
|
}
|
|
|
|
// N represents the order of G of secp256k1
|
|
N *big.Int = secp256k1.S256().N
|
|
)
|
|
|
|
// Point represents a point on the secp256k1 curve
|
|
type Point struct {
|
|
X *big.Int
|
|
Y *big.Int
|
|
}
|
|
|
|
// Add performs the Point addition
|
|
func (p *Point) Add(q *Point) *Point {
|
|
x, y := secp256k1.S256().Add(p.X, p.Y, q.X, q.Y)
|
|
return &Point{
|
|
X: x,
|
|
Y: y,
|
|
}
|
|
}
|
|
|
|
// Mul performs the Point scalar multiplication
|
|
func (p *Point) Mul(scalar *big.Int) *Point {
|
|
x, y := secp256k1.S256().ScalarMult(p.X, p.Y, scalar.Bytes())
|
|
return &Point{
|
|
X: x,
|
|
Y: y,
|
|
}
|
|
}
|
|
|
|
// WIP
|
|
func newRand() *big.Int {
|
|
var b [32]byte
|
|
_, err := rand.Read(b[:])
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
bi := new(big.Int).SetBytes(b[:])
|
|
return new(big.Int).Mod(bi, N)
|
|
}
|
|
|
|
// PrivateKey represents the signer's private key
|
|
type PrivateKey big.Int
|
|
|
|
// PublicKey represents the signer's public key
|
|
type PublicKey Point
|
|
|
|
// NewPrivateKey returns a new random private key
|
|
func NewPrivateKey() *PrivateKey {
|
|
k := newRand()
|
|
sk := PrivateKey(*k)
|
|
return &sk
|
|
}
|
|
|
|
// BigInt returns a *big.Int representation of the PrivateKey
|
|
func (sk *PrivateKey) BigInt() *big.Int {
|
|
return (*big.Int)(sk)
|
|
}
|
|
|
|
// Public returns the PublicKey from the PrivateKey
|
|
func (sk *PrivateKey) Public() *PublicKey {
|
|
Q := G.Mul(sk.BigInt())
|
|
pk := PublicKey(*Q)
|
|
return &pk
|
|
}
|
|
|
|
// Point returns a *Point representation of the PublicKey
|
|
func (pk *PublicKey) Point() *Point {
|
|
return (*Point)(pk)
|
|
}
|
|
|
|
// SignerPrivateData contains the secret values from the Signer
|
|
type SignerPrivateData struct {
|
|
D *PrivateKey
|
|
K *big.Int
|
|
}
|
|
|
|
// SignerPublicData contains the public values from the Signer (generated from
|
|
// its SignerPrivateData)
|
|
type SignerPublicData struct {
|
|
// Q is the Signer Public Key
|
|
Q *PublicKey // = skG
|
|
R *Point // = kG
|
|
}
|
|
|
|
// NewSigner returns a new SignerPrivateData with random D & K
|
|
func NewSigner() *SignerPrivateData {
|
|
sk := NewPrivateKey()
|
|
k := newRand()
|
|
return &SignerPrivateData{
|
|
D: sk,
|
|
K: k,
|
|
}
|
|
}
|
|
|
|
// PublicData returns the SignerPublicData from the SignerPrivateData
|
|
func (signer *SignerPrivateData) PublicData() *SignerPublicData {
|
|
return &SignerPublicData{
|
|
Q: signer.D.Public(), // Q = dG
|
|
R: G.Mul(signer.K), // R = kG
|
|
}
|
|
}
|
|
|
|
// BlindSign performs the blind signature on the given mBlinded using
|
|
// SignerPrivateData values
|
|
func (signer *SignerPrivateData) BlindSign(mBlinded *big.Int) *big.Int {
|
|
// TODO add pending checks
|
|
// s' = d(m') + k
|
|
sBlind := new(big.Int).Add(
|
|
new(big.Int).Mul(signer.D.BigInt(), mBlinded),
|
|
signer.K)
|
|
return sBlind
|
|
}
|
|
|
|
// UserSecretData contains the secret values from the User (a, b, c) and the
|
|
// public F
|
|
type UserSecretData struct {
|
|
A *big.Int
|
|
B *big.Int
|
|
C *big.Int
|
|
|
|
F *Point // public
|
|
}
|
|
|
|
// Blind performs the blinding operation on m using SignerPublicData parameters
|
|
func Blind(m *big.Int, signer *SignerPublicData) (*big.Int, *UserSecretData) {
|
|
u := &UserSecretData{}
|
|
u.A = newRand()
|
|
u.B = newRand()
|
|
u.C = newRand()
|
|
binv := new(big.Int).ModInverse(u.B, N)
|
|
|
|
// F = b^-1 R + a b^-1 Q + c G
|
|
bR := signer.R.Mul(binv)
|
|
abinv := new(big.Int).Mul(u.A, binv)
|
|
abinv = new(big.Int).Mod(abinv, N)
|
|
abQ := signer.Q.Point().Mul(abinv)
|
|
cG := G.Mul(u.C)
|
|
u.F = bR.Add(abQ).Add(cG)
|
|
// TODO check F==O
|
|
|
|
r := new(big.Int).Mod(u.F.X, N)
|
|
|
|
// m' = br(m)+a
|
|
br := new(big.Int).Mul(u.B, r)
|
|
brm := new(big.Int).Mul(br, m)
|
|
mBlinded := new(big.Int).Add(brm, u.A)
|
|
mBlinded = new(big.Int).Mod(mBlinded, N)
|
|
return mBlinded, u
|
|
}
|
|
|
|
// Signature contains the signature values S & F
|
|
type Signature struct {
|
|
S *big.Int
|
|
F *Point
|
|
}
|
|
|
|
// Unblind performs the unblinding operation of the blinded signature for the
|
|
// given message m and the UserSecretData
|
|
func Unblind(sBlind, m *big.Int, u *UserSecretData) *Signature {
|
|
// s = b^-1 s' + c
|
|
binv := new(big.Int).ModInverse(u.B, N)
|
|
bs := new(big.Int).Mul(binv, sBlind)
|
|
s := new(big.Int).Add(bs, u.C)
|
|
s = new(big.Int).Mod(s, N)
|
|
|
|
return &Signature{
|
|
S: s,
|
|
F: u.F,
|
|
}
|
|
}
|
|
|
|
// Verify checks the signature of the message m for the given PublicKey
|
|
func Verify(m *big.Int, signature *Signature, q *PublicKey) bool {
|
|
// TODO add pending checks
|
|
sG := G.Mul(signature.S) // sG
|
|
|
|
r := new(big.Int).Mod(signature.F.X, N) // r = Fx mod N
|
|
rm := new(big.Int).Mul(r, m)
|
|
rm = new(big.Int).Mod(rm, N)
|
|
rmQ := q.Point().Mul(rm)
|
|
rmQF := rmQ.Add(signature.F) // rmQ + F
|
|
|
|
// check sG == rmQ + F
|
|
if bytes.Equal(sG.X.Bytes(), rmQF.X.Bytes()) &&
|
|
bytes.Equal(sG.Y.Bytes(), rmQF.Y.Bytes()) {
|
|
return true
|
|
}
|
|
return false
|
|
}
|