Skalman pok new interface #29
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,37 +1,48 @@ | ||
| [package] | ||
| authors = ["Jack Grigg <[email protected]>", "Jeff Burdges <[email protected]>", "Syed Hosseini <[email protected]>"] | ||
| description = "Aggregate BLS-like signatures" | ||
| documentation = "https://docs.rs/bls-like" | ||
| homepage = "https://github.com/w3f/bls" | ||
| license = "MIT/Apache-2.0" | ||
| name = "bls-like" | ||
| repository = "https://github.com/w3f/bls" | ||
| version = "0.1.0" | ||
| edition = "2018" | ||
|
|
||
| [dependencies] | ||
| arrayref = "0.3" | ||
| rand = "0.7" | ||
| rand_core = "0.5" | ||
| rand_chacha = "0.2" | ||
| sha3 = "0.8" | ||
| sha2 = "0.9.2" | ||
| digest = "0.9.0" | ||
|
|
||
| #arkwork dependencies | ||
| ark-ff = { git = "https://github.com/arkworks-rs/algebra", default-features = false } | ||
| ark-ec = { git = "https://github.com/arkworks-rs/algebra", default-features = false } | ||
| ark-serialize-derive = { package = "ark-serialize-derive", git = "https://github.com/arkworks-rs/algebra" } | ||
| ark-serialize = { git = "https://github.com/arkworks-rs/algebra", default-features = false, features = [ "derive" ] } | ||
| ark-bls12-381 = { git = "https://github.com/arkworks-rs/curves", default-features = false, features = [ "curve" ] } | ||
|
|
||
|
|
||
| # algebra-core = { git = "https://github.com/scipr-lab/zexe" } | ||
| # algebra-serialize-derive = { package = "ark-serialize-derive", git = "https://github.com/arkworks-rs/algebra" } | ||
| # algebra = { git = "https://github.com/scipr-lab/zexe", features = ["bls12_381"] } | ||
|
|
||
| #for cleaning up secret keys | ||
| [dependencies.zeroize] | ||
| version = "1.0.0" | ||
| default-features = false | ||
| features = ["zeroize_derive"] | ||
|
|
||
| [dependencies.serde] | ||
| version = "^1.0" | ||
| default-features = false | ||
| optional = true | ||
|
|
||
| [dev-dependencies] | ||
| rand= "0.7.3" | ||
|
|
||
| [dependencies.thiserror] | ||
| version = "1.0.10" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,155 @@ | ||
| //! ## Implementation of ProofofPossion trait for BLS keys using schnorr sginature | ||
| //! ## TODO: I assume this can also moved to pop.rs but for now I put it separately to help reviews | ||
| use crate::engine::{EngineBLS}; | ||
| use crate::pop::{ProofOfPossessionGenerator, ProofOfPossessionVerifier, SchnorrProof}; | ||
|
|
||
| use crate::single::{SecretKey,PublicKey}; | ||
|
|
||
| use digest::{Digest}; | ||
|
|
||
| use ark_serialize::{CanonicalSerialize}; | ||
| use ark_ec::ProjectiveCurve; | ||
|
|
||
| use ark_ff::bytes::{FromBytes, ToBytes}; | ||
|
|
||
| use super::Message; | ||
|
|
||
| // TODO: Delete after migration to secret key model | ||
| // pub struct BLSSchnorrProof<E: EngineBLS> : trait B: { | ||
| // pub public_key : PublicKey<E>, | ||
| // pub proof_of_possession : SchnorrProof<E>, | ||
| // } | ||
|
|
||
| /// Generate Schnorr Signature for an arbitrary message using a key ment to use in BLS scheme | ||
| trait BLSSchnorrPoPGenerator<E: EngineBLS, H: Digest> : ProofOfPossessionGenerator<E,H> { | ||
| /// Produce a secret witness scalar `k`, aka nonce, from hash of | ||
| /// H( H(s) | H(public_key)) because our key does not have the | ||
| /// randomness redundacy exists in EdDSA secret key. | ||
| fn witness_scalar(&self) -> <<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::ScalarField; | ||
| } | ||
|
|
||
| impl<E: EngineBLS, H: Digest> BLSSchnorrPoPGenerator<E,H> for SecretKey<E> | ||
| { | ||
| /// TODO: BROKEN NOW Switch to https://github.com/arkworks-rs/algebra/pull/164/files | ||
| fn witness_scalar(&self) -> <<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::ScalarField { | ||
| let mut secret_key_as_bytes = vec![0; self.into_vartime().0.serialized_size()]; | ||
|
|
||
| let affine_public_key = self.into_public().0.into_affine(); | ||
| let mut public_key_as_bytes = vec![0; affine_public_key.serialized_size()]; | ||
|
|
||
| self.into_vartime().0.serialize(&mut secret_key_as_bytes[..]).unwrap(); | ||
| affine_public_key.serialize(&mut public_key_as_bytes[..]).unwrap(); | ||
|
|
||
| let secret_key_hash = <H as Digest>::new().chain(secret_key_as_bytes); | ||
| let public_key_hash = <H as Digest>::new().chain(public_key_as_bytes); | ||
|
|
||
| let mut scalar_bytes = <H as Digest>::new().chain(secret_key_hash.finalize()).chain(public_key_hash.finalize()).finalize(); | ||
| let random_scalar : &mut [u8] = scalar_bytes.as_mut_slice(); | ||
| random_scalar[31] &= 31; // BROKEN HACK DO BOT DEPLOY | ||
| <<<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::ScalarField as FromBytes>::read(&*random_scalar).unwrap() | ||
| } | ||
|
|
||
| } | ||
|
|
||
| impl<E: EngineBLS, H: Digest> ProofOfPossessionGenerator<E,H> for SecretKey<E> { | ||
|
|
||
| fn generate_pok(&self, message: Message) -> SchnorrProof<E> { | ||
| //First we should figure out the base point in E, I think the secret key trait/struct knows about it. | ||
|
|
||
| //choose random scaler k | ||
| //For now we don't we just use a trick similar to Ed25519 | ||
| //we use hash of concatination of hash the secret key and the public key | ||
|
|
||
| //schnorr equations | ||
|
|
||
| //R = rG. | ||
| //k = H(R|M) | ||
| //s = k*private_key + r | ||
| // publishing (s, R) verifying that (s*G = H(R|M)*Publickey + R | ||
| // instead we actually doing H(s*G - H(R|M)*Publickey|M) == H(R|M) == k | ||
| // avoiding one curve addition in expense of a hash. | ||
| let mut r = <dyn BLSSchnorrPoPGenerator<E,H>>::witness_scalar(self); | ||
|
|
||
| let mut r_point = <<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::prime_subgroup_generator(); | ||
| r_point *= r; //todo perhaps we need to mandate E to have a hard coded point | ||
|
|
||
| let mut r_point_as_bytes = Vec::<u8>::new(); | ||
| r_point.into_affine().write(&mut r_point_as_bytes).unwrap(); | ||
|
|
||
| let mut k_as_hash = <H as Digest>::new().chain(r_point_as_bytes).chain(message.0).finalize(); | ||
|
There was a problem hiding this comment. one should include the public key here. There was a problem hiding this comment. M was public key before but I thought we decided to replace with any arbitary message which can be public key as well. You want public key to be a mandatory part of the message? |
||
| let random_scalar : &mut [u8] = k_as_hash.as_mut_slice(); | ||
| random_scalar[31] &= 31; // BROKEN HACK DO BOT DEPLOY | ||
|
There was a problem hiding this comment. right this part.. what is the group order again? they just added hash to field, right? There was a problem hiding this comment. Yes they did. It wasn't merged at the time, but I think it should have made it to the master/main now: #32 . |
||
|
|
||
| let k = <<<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::ScalarField as FromBytes>::read(&*random_scalar).unwrap(); | ||
| let s = (k * self.into_vartime().0) + r; | ||
|
|
||
| ::zeroize::Zeroize::zeroize(&mut r); //clear secret key from memory | ||
|
|
||
| (s,k) | ||
| } | ||
| } | ||
|
|
||
| impl<E: EngineBLS, H: Digest> ProofOfPossessionVerifier<E,H> for PublicKey<E> { | ||
| /// verify the validity of schnoor proof for a given publick key by | ||
| /// making sure this is equal to zero | ||
| /// H(+s G - k Publkey|M) == k | ||
| fn verify_pok(&self, message: Message, schnorr_proof: SchnorrProof<E>) -> bool { | ||
| let mut schnorr_point = <<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::prime_subgroup_generator(); | ||
| schnorr_point *= schnorr_proof.0; | ||
| let mut k_public_key = self.0; | ||
| k_public_key *= -schnorr_proof.1; | ||
| schnorr_point += k_public_key; | ||
|
|
||
| let mut schnorr_point_as_bytes = Vec::<u8>::new(); | ||
| schnorr_point.into_affine().write(&mut schnorr_point_as_bytes).unwrap(); | ||
|
|
||
| let mut scalar_bytes = <H as Digest>::new().chain(schnorr_point_as_bytes).chain(message.0).finalize(); | ||
| let random_scalar = scalar_bytes.as_mut_slice(); | ||
| random_scalar[31] &= 31; // BROKEN HACK DO BOT DEPLOY | ||
|
|
||
| let witness_scaler = schnorr_proof.1; | ||
|
|
||
| <<<E as EngineBLS>::PublicKeyGroup as ProjectiveCurve>::ScalarField as FromBytes>::read(&*random_scalar).unwrap() == witness_scaler | ||
|
|
||
| } | ||
|
|
||
| } | ||
|
|
||
| #[cfg(test)] | ||
|
|
||
| mod tests { | ||
| #[test] | ||
| fn bls_pop_sign() { | ||
| use crate::pop::{ProofOfPossessionGenerator}; | ||
| use crate::single::{Keypair}; | ||
| use crate::engine::{ZBLS}; | ||
| use crate::Message; | ||
| use rand::{thread_rng}; | ||
| use sha2::Sha512; | ||
|
|
||
| let challenge_message = Message::new(b"ctx",b"sign this message, if you really have the secret key"); | ||
| let keypair = Keypair::<ZBLS>::generate(thread_rng()); | ||
| <dyn ProofOfPossessionGenerator<ZBLS, Sha512>>::generate_pok(&keypair.secret, challenge_message); | ||
| } | ||
|
|
||
| #[test] | ||
| fn bls_pop_sign_and_verify() | ||
| { | ||
| use rand::{thread_rng}; | ||
| use sha2::Sha512; | ||
|
|
||
| use crate::single::{Keypair}; | ||
| use crate::engine::{ZBLS}; | ||
| use crate::Message; | ||
| use crate::pop::{ProofOfPossessionGenerator, ProofOfPossessionVerifier}; | ||
|
|
||
|
|
||
| let challenge_message = Message::new(b"ctx",b"sign this message, if you really have the secret key"); | ||
| let keypair = Keypair::<ZBLS>::generate(thread_rng()); | ||
| let secret_key = keypair.secret; | ||
| let proof_pair = <dyn ProofOfPossessionGenerator<ZBLS, Sha512>>::generate_pok(&secret_key, challenge_message); | ||
| assert!(<dyn ProofOfPossessionVerifier<ZBLS, Sha512>>::verify_pok(&keypair.public, challenge_message, proof_pair), "valid pok does not verify") | ||
|
|
||
| } | ||
|
|
||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm tempted to use a transcript abstraction instead of
Messagelike in schnorrkel, ring-vrf, and now the apk crate.Messagemade sense for BLS signatures message. And maybe still does. I do not see much point in a schnorr proof.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should maybe make this PoK do both G1 and G2 if we're going that route, no? I guess that's a seperate thing that depends upon only
Engine. Ugh.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made issues #30 and #31 to follow up with these.