Add Blind signature scheme by Pointcheval-Sanders
This commit is contained in:
parent
02982526d7
commit
7c8a81e0cd
|
@ -8,11 +8,15 @@ BOLT is a system for conducting **privacy-preserving off-chain payments** betwee
|
|||
|
||||
The libbolt library is a proof of concept implementation that relies on experimental libraries and dependencies at the moment. It is not suitable for production software yet.
|
||||
|
||||
# NOTE
|
||||
|
||||
Active development of libbolt is ongoing at [Bolt Labs, Inc](https://github.com/boltlabs-inc/libbolt) to instantiate on a cryptocurrency. We will submit pull requests periodically when new features are complete.
|
||||
|
||||
# Dependencies
|
||||
|
||||
* secp256k1
|
||||
* sodiumoxide
|
||||
* bn
|
||||
* pairing
|
||||
* curve25519_dalek
|
||||
* merlin
|
||||
* bulletproofs
|
||||
|
@ -55,7 +59,7 @@ To use the libbolt library, add the `libbolt` crate to your dependency file in `
|
|||
|
||||
```toml
|
||||
[dependencies]
|
||||
bolt = "0.2.0"
|
||||
bolt = "0.3.0"
|
||||
```
|
||||
|
||||
Then add an extern declaration at the root of your crate as follows:
|
||||
|
|
203
src/cl.rs
203
src/cl.rs
|
@ -19,12 +19,21 @@ pub struct SecretKey<E: Engine> {
|
|||
pub y: Vec<E::Fr>
|
||||
}
|
||||
|
||||
#[derive(Clone, Serialize, Deserialize)]
|
||||
//#[derive(Clone, Serialize, Deserialize)]
|
||||
#[derive(Clone)]
|
||||
pub struct PublicKey<E: Engine> {
|
||||
pub X: E::G2,
|
||||
pub Y: Vec<E::G2>,
|
||||
}
|
||||
|
||||
//#[derive(Clone, Serialize, Deserialize)]
|
||||
#[derive(Clone)]
|
||||
pub struct BlindPublicKey<E: Engine> {
|
||||
pub X: E::G2,
|
||||
pub Y1: Vec<E::G1>,
|
||||
pub Y2: Vec<E::G2>,
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct Signature<E: Engine> {
|
||||
pub h: E::G1,
|
||||
|
@ -37,6 +46,13 @@ pub struct KeyPair<E: Engine> {
|
|||
pub public: PublicKey<E>
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct BlindKeyPair<E: Engine> {
|
||||
pub secret: SecretKey<E>,
|
||||
pub public: BlindPublicKey<E>
|
||||
}
|
||||
|
||||
|
||||
impl<E: Engine> SecretKey<E> {
|
||||
pub fn generate<R: Rng>(csprng: &mut R, l: usize) -> Self {
|
||||
let mut y: Vec<E::Fr> = Vec::new();
|
||||
|
@ -51,8 +67,9 @@ impl<E: Engine> SecretKey<E> {
|
|||
pub fn sign<R: Rng>(&self, csprng: &mut R, message: &Vec<E::Fr>) -> Signature<E> {
|
||||
let h = E::G1::rand(csprng);
|
||||
let mut s = E::Fr::zero();
|
||||
// assert(self.y.len() == message.len());
|
||||
for i in 0 .. self.y.len() {
|
||||
// check vector length first
|
||||
assert_eq!(self.y.len(), message.len());
|
||||
for i in 0 .. message.len() {
|
||||
// s = s + (self.y[i] * message[i]);
|
||||
let mut res_yi = self.y[i];
|
||||
res_yi.mul_assign(&message[i]);
|
||||
|
@ -69,21 +86,22 @@ impl<E: Engine> SecretKey<E> {
|
|||
Signature { h: h, H: H }
|
||||
}
|
||||
|
||||
pub fn blind<R: Rng>(&self, csprng: &mut R, signature: &Signature<E>) -> Signature<E> {
|
||||
pub fn blind<R: Rng>(&self, csprng: &mut R, bf: &E::Fr, signature: &Signature<E>) -> Signature<E> {
|
||||
let r = E::Fr::rand(csprng);
|
||||
let t = E::Fr::rand(csprng);
|
||||
let t = bf.clone();
|
||||
let mut h1 = signature.h;
|
||||
h1.mul_assign(r); // sigma1 ^ r
|
||||
|
||||
let mut h = signature.h;
|
||||
let mut H1 = signature.H;
|
||||
h.mul_assign(t); // sigma1 ^ t
|
||||
h.mul_assign(t); // sigma1 ^ t (blinding factor)
|
||||
H1.add_assign(&h); // (sigma2 * sigma1 ^ t)
|
||||
|
||||
// (sigma2 * sigma1 ^ t) ^ r
|
||||
H1.mul_assign(r);
|
||||
Signature { h: h1, H: H1 }
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
@ -158,6 +176,55 @@ impl<E: Engine> PublicKey<E> {
|
|||
}
|
||||
}
|
||||
|
||||
impl<E: Engine> BlindPublicKey<E> {
|
||||
pub fn from_secret(mpk: &PublicParams<E>, secret: &SecretKey<E>) -> Self {
|
||||
let mut Y1: Vec<E::G1> = Vec::new();
|
||||
let mut Y2: Vec<E::G2> = Vec::new();
|
||||
for i in 0..secret.y.len() {
|
||||
// Y[i] = g2 ^ y[i]
|
||||
let mut g1y = mpk.g1;
|
||||
let mut g2y = mpk.g2;
|
||||
g1y.mul_assign(secret.y[i]);
|
||||
g2y.mul_assign(secret.y[i]);
|
||||
Y1.push(g1y);
|
||||
Y2.push(g2y);
|
||||
}
|
||||
// X = g2 ^ x
|
||||
let mut X = mpk.g2;
|
||||
X.mul_assign(secret.x);
|
||||
BlindPublicKey {
|
||||
X: X,
|
||||
Y1: Y1,
|
||||
Y2: Y2
|
||||
}
|
||||
}
|
||||
|
||||
pub fn verify(&self, mpk: &PublicParams<E>, message: &Vec<E::Fr>, signature: &Signature<E>) -> bool {
|
||||
let mut L = E::G2::zero();
|
||||
let l = self.Y2.len();
|
||||
assert_eq!(message.len(), l + 1);
|
||||
|
||||
for i in 0 .. l {
|
||||
// L = L + self.Y[i].mul(message[i]);
|
||||
let mut Y = self.Y2[i];
|
||||
Y.mul_assign(message[i]); // Y_i ^ m_i
|
||||
L.add_assign(&Y); // L += Y_i ^m_i
|
||||
}
|
||||
|
||||
// Y_(l+1) ^ t
|
||||
let mut Yt = mpk.g2;
|
||||
Yt.mul_assign(message[l]);
|
||||
L.add_assign(&Yt);
|
||||
|
||||
let mut X2 = self.X;
|
||||
X2.add_assign(&L); // X2 = X + L
|
||||
let lhs = E::pairing(signature.h, X2);
|
||||
let rhs = E::pairing(signature.H, mpk.g2);
|
||||
signature.h != E::G1::one() && lhs == rhs
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
pub fn setup<R: Rng, E: Engine>(csprng: &mut R) -> PublicParams<E> {
|
||||
|
@ -167,6 +234,9 @@ pub fn setup<R: Rng, E: Engine>(csprng: &mut R) -> PublicParams<E> {
|
|||
return mpk;
|
||||
}
|
||||
|
||||
///
|
||||
/// KeyPair - implements the standard CL signature variant by Pointcheval-Sanders - Section 3.1
|
||||
///
|
||||
impl<E: Engine> KeyPair<E> {
|
||||
pub fn generate<R: Rng>(csprng: &mut R, mpk: &PublicParams<E>, l: usize) -> Self {
|
||||
let secret = SecretKey::generate(csprng, l);
|
||||
|
@ -174,6 +244,7 @@ impl<E: Engine> KeyPair<E> {
|
|||
KeyPair { secret, public }
|
||||
}
|
||||
|
||||
/// sign a vector of messages (of size l)
|
||||
pub fn sign<R: Rng>(&self, csprng: &mut R, message: &Vec<E::Fr>) -> Signature<E> {
|
||||
self.secret.sign(csprng, message)
|
||||
}
|
||||
|
@ -181,34 +252,50 @@ impl<E: Engine> KeyPair<E> {
|
|||
pub fn verify(&self, mpk: &PublicParams<E>, message: &Vec<E::Fr>, signature: &Signature<E>) -> bool {
|
||||
self.public.verify(mpk, message, signature)
|
||||
}
|
||||
|
||||
pub fn blind<R: Rng>(&self, csprng: &mut R, signature: &Signature<E>) -> Signature<E> {
|
||||
self.secret.blind(csprng, signature)
|
||||
}
|
||||
}
|
||||
|
||||
//impl<E: Engine> SignaturePS<E> {
|
||||
// pub fn new(_h: E::G1, _H: E::G1) -> SignaturePS {
|
||||
// SignaturePS {
|
||||
// h: _h, H: _H
|
||||
// }
|
||||
// }
|
||||
//
|
||||
// pub fn hash(&self, prefix: &str) -> Fr {
|
||||
// let mut output_buf: Vec<u8> = Vec::new();
|
||||
// output_buf.extend_from_slice(prefix.as_bytes());
|
||||
// concat_g1_to_vector(&mut output_buf, &self.h);
|
||||
// concat_g1_to_vector(&mut output_buf, &self.H);
|
||||
//
|
||||
// // println!("DEBUG: signature len => {}", output_buf.len());
|
||||
// // let's hash the final output_buf
|
||||
// let sha2_digest = sha512::hash(output_buf.as_slice());
|
||||
//
|
||||
// let mut hash_buf: [u8; 64] = [0; 64];
|
||||
// hash_buf.copy_from_slice(&sha2_digest[0..64]);
|
||||
// return Fr::interpret(&hash_buf);
|
||||
// }
|
||||
//}
|
||||
///
|
||||
/// BlindingKeyPair - implements the blinding signature scheme in Pointcheval-Sanders - Section 3.1.1
|
||||
///
|
||||
impl<E: Engine> BlindKeyPair<E> {
|
||||
/// generate public/private keypair given public params and size of vectors
|
||||
pub fn generate<R: Rng>(csprng: &mut R, mpk: &PublicParams<E>, l: usize) -> Self {
|
||||
let secret = SecretKey::generate(csprng, l);
|
||||
let public = BlindPublicKey::from_secret(mpk, &secret);
|
||||
BlindKeyPair { secret, public }
|
||||
}
|
||||
|
||||
/// sign a vector of messages
|
||||
pub fn sign<R: Rng>(&self, csprng: &mut R, message: &Vec<E::Fr>) -> Signature<E> {
|
||||
self.secret.sign(csprng, message)
|
||||
}
|
||||
|
||||
/// computes a blind signature from an existing one
|
||||
pub fn blind<R: Rng>(&self, csprng: &mut R, bf: &E::Fr, signature: &Signature<E>) -> Signature<E> {
|
||||
self.secret.blind(csprng, bf, signature)
|
||||
}
|
||||
|
||||
/// unblinds a signature given knowledge of blinding factor, t. Output should be
|
||||
/// verifiable with standard signature scheme.
|
||||
pub fn unblind(&self, bf: &E::Fr, signature: &Signature<E>) -> Signature<E> {
|
||||
let mut H = signature.h;
|
||||
let inv_bf = bf.inverse().unwrap();
|
||||
|
||||
// sigma2 / sigma1 ^ t
|
||||
H.mul_assign(inv_bf);
|
||||
H.add_assign(&signature.H);
|
||||
|
||||
Signature { h: signature.h, H: H }
|
||||
}
|
||||
|
||||
/// verify a blinded signature without unblinding it first
|
||||
pub fn verify(&self, mpk: &PublicParams<E>, message: &Vec<E::Fr>, bf: &E::Fr, signature: &Signature<E>) -> bool {
|
||||
let mut m = message.clone();
|
||||
let t = bf.clone();
|
||||
m.push(t);
|
||||
self.public.verify(mpk, &m, signature)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
// display CL signature (PS)
|
||||
|
@ -264,27 +351,35 @@ mod tests {
|
|||
assert_eq!(keypair.verify(&mpk, &message2, &sig), false);
|
||||
}
|
||||
|
||||
// #[test]
|
||||
// fn scheme_ps_sign_and_verify_works() {
|
||||
// // test ability to sign/verify a vector of messages
|
||||
// let rng = &mut thread_rng();
|
||||
//
|
||||
// let mpk = setup_ps();
|
||||
// let l = 5;
|
||||
// let keypair = keygen_ps(&mpk, l);
|
||||
//
|
||||
// let mut m1 : Vec<Fr> = Vec::new();
|
||||
// let mut m2 : Vec<Fr> = Vec::new();
|
||||
//
|
||||
// for i in 0 .. l {
|
||||
// m1.push(Fr::random(rng));
|
||||
// m2.push(Fr::random(rng));
|
||||
// }
|
||||
//
|
||||
// let signature = sign_ps(&mpk, &keypair.sk, &m1);
|
||||
//
|
||||
// assert!(verify_ps(&mpk, &keypair.pk, &m1, &signature) == true);
|
||||
// assert!(verify_ps(&mpk, &keypair.pk, &m2, &signature) == false);
|
||||
// }
|
||||
#[test]
|
||||
fn blind_sign_and_verify() {
|
||||
let mut rng = &mut rand::thread_rng();
|
||||
|
||||
let l = 5;
|
||||
let mpk = setup(&mut rng);
|
||||
let keypair = BlindKeyPair::<Bls12>::generate(&mut rng, &mpk, l);
|
||||
|
||||
let mut message1 : Vec<Fr> = Vec::new();
|
||||
let mut message2 : Vec<Fr> = Vec::new();
|
||||
|
||||
for i in 0..l {
|
||||
message1.push(Fr::rand(&mut rng));
|
||||
message2.push(Fr::rand(&mut rng));
|
||||
}
|
||||
|
||||
let sig = keypair.sign(&mut rng, &message1);
|
||||
|
||||
let t = Fr::rand(&mut rng);
|
||||
let blind_sig = keypair.blind(&mut rng, &t,&sig);
|
||||
|
||||
// pick another blinding factor
|
||||
let t1 = Fr::rand(&mut rng);
|
||||
|
||||
// verify blind signatures and provide blinding factor as input
|
||||
assert_eq!(keypair.verify(&mpk,&message1, &t,&blind_sig), true);
|
||||
assert_eq!(keypair.verify(&mpk,&message2, &t,&blind_sig), false);
|
||||
assert_eq!(keypair.verify(&mpk,&message1, &t1,&blind_sig), false);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -62,7 +62,6 @@ use serde::{Serialize, Deserialize};
|
|||
pub mod prf;
|
||||
pub mod sym;
|
||||
pub mod ote;
|
||||
pub mod bls;
|
||||
pub mod cl;
|
||||
pub mod clsigs;
|
||||
pub mod commit_scheme;
|
||||
|
|
Loading…
Reference in New Issue