diff --git a/blssig/aggregation.go b/blssig/aggregation.go index 22e5bc9a..2fc56562 100644 --- a/blssig/aggregation.go +++ b/blssig/aggregation.go @@ -6,12 +6,12 @@ import ( "fmt" "runtime/debug" - "github.com/filecoin-project/go-f3/gpbft" - "github.com/filecoin-project/go-f3/internal/measurements" + "go.dedis.ch/kyber/v4" "go.opentelemetry.io/otel/metric" - "go.dedis.ch/kyber/v4" - "go.dedis.ch/kyber/v4/sign" + "github.com/filecoin-project/go-f3/gpbft" + "github.com/filecoin-project/go-f3/internal/bls/bdn" + "github.com/filecoin-project/go-f3/internal/measurements" ) // Max size of the point cache. @@ -93,7 +93,7 @@ func (v *Verifier) VerifyAggregate(msg []byte, signature []byte, pubkeys []gpbft return v.scheme.Verify(aggPubKey, msg, signature) } -func (v *Verifier) pubkeysToMask(pubkeys []gpbft.PubKey) (*sign.Mask, error) { +func (v *Verifier) pubkeysToMask(pubkeys []gpbft.PubKey) (*bdn.Mask, error) { kPubkeys := make([]kyber.Point, 0, len(pubkeys)) for i, p := range pubkeys { point, err := v.pubkeyToPoint(p) @@ -103,9 +103,9 @@ func (v *Verifier) pubkeysToMask(pubkeys []gpbft.PubKey) (*sign.Mask, error) { kPubkeys = append(kPubkeys, point.Clone()) } - mask, err := sign.NewMask(kPubkeys, nil) + mask, err := bdn.NewMask(v.keyGroup, kPubkeys, nil) if err != nil { - return nil, fmt.Errorf("creating key mask: %w", err) + return nil, fmt.Errorf("creating bdn mask: %w", err) } for i := range kPubkeys { err := mask.SetBit(i, true) diff --git a/blssig/cache_test.go b/blssig/cache_test.go index 33eb651a..d9bfd7da 100644 --- a/blssig/cache_test.go +++ b/blssig/cache_test.go @@ -5,16 +5,16 @@ import ( "testing" "github.com/stretchr/testify/require" - bls12381 "go.dedis.ch/kyber/v4/pairing/bls12381/kilic" - "go.dedis.ch/kyber/v4/sign/bdn" "github.com/filecoin-project/go-f3/gpbft" + "github.com/filecoin-project/go-f3/internal/bls/bdn" + bls12381 "github.com/filecoin-project/go-f3/internal/bls/gnark" ) const maxCacheMemory uint64 = 10 << 20 // 10MiB func TestCacheMemory(t *testing.T) { - suite := bls12381.NewBLS12381Suite() + suite := bls12381.NewSuiteBLS12381() scheme := bdn.NewSchemeOnG2(suite) rand := suite.RandomStream() diff --git a/blssig/signer.go b/blssig/signer.go index f7618778..f90027ef 100644 --- a/blssig/signer.go +++ b/blssig/signer.go @@ -6,9 +6,9 @@ import ( "errors" "github.com/filecoin-project/go-f3/gpbft" + "github.com/filecoin-project/go-f3/internal/bls/bdn" + bls12381 "github.com/filecoin-project/go-f3/internal/bls/gnark" "go.dedis.ch/kyber/v4" - bls12381 "go.dedis.ch/kyber/v4/pairing/bls12381/kilic" - "go.dedis.ch/kyber/v4/sign/bdn" ) var _ gpbft.Signer = (*Signer)(nil) @@ -21,7 +21,7 @@ type Signer struct { func SignerWithKeyOnG1(pub gpbft.PubKey, privKey kyber.Scalar) *Signer { return &Signer{ - scheme: bdn.NewSchemeOnG2(bls12381.NewBLS12381Suite()), + scheme: bdn.NewSchemeOnG2(bls12381.NewSuiteBLS12381()), pubKey: pub, privKey: privKey, } diff --git a/blssig/verifier.go b/blssig/verifier.go index 1dece32f..282d700d 100644 --- a/blssig/verifier.go +++ b/blssig/verifier.go @@ -8,11 +8,11 @@ import ( "sync" "go.dedis.ch/kyber/v4" - bls12381 "go.dedis.ch/kyber/v4/pairing/bls12381/kilic" - "go.dedis.ch/kyber/v4/sign/bdn" "go.opentelemetry.io/otel/metric" "github.com/filecoin-project/go-f3/gpbft" + "github.com/filecoin-project/go-f3/internal/bls/bdn" + bls12381 "github.com/filecoin-project/go-f3/internal/bls/gnark" "github.com/filecoin-project/go-f3/internal/measurements" ) @@ -25,7 +25,7 @@ type Verifier struct { } func VerifierWithKeyOnG1() *Verifier { - suite := bls12381.NewBLS12381Suite() + suite := bls12381.NewSuiteBLS12381() return &Verifier{ scheme: bdn.NewSchemeOnG2(suite), keyGroup: suite.G1(), diff --git a/blssig/verifier_test.go b/blssig/verifier_test.go index b1e4551a..6ad70b3b 100644 --- a/blssig/verifier_test.go +++ b/blssig/verifier_test.go @@ -4,14 +4,14 @@ import ( "context" "testing" + "github.com/filecoin-project/go-f3/internal/bls/bdn" + bls12381 "github.com/filecoin-project/go-f3/internal/bls/gnark" "github.com/stretchr/testify/require" - bls12381 "go.dedis.ch/kyber/v4/pairing/bls12381/kilic" - "go.dedis.ch/kyber/v4/sign/bdn" ) func BenchmarkBLSSigning(b *testing.B) { var ( - blsSuit = bls12381.NewBLS12381Suite() + blsSuit = bls12381.NewSuiteBLS12381() blsSchema = bdn.NewSchemeOnG2(blsSuit) ) privKey, pubKey := blsSchema.NewKeyPair(blsSuit.RandomStream()) diff --git a/go.mod b/go.mod index 4455239c..207261c8 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module github.com/filecoin-project/go-f3 go 1.22 require ( + github.com/consensys/gnark-crypto v0.12.1 github.com/filecoin-project/go-bitfield v0.2.4 github.com/filecoin-project/go-clock v0.1.0 github.com/filecoin-project/go-state-types v0.14.0 @@ -35,7 +36,9 @@ require ( github.com/andybalholm/brotli v1.1.0 // indirect github.com/benbjohnson/clock v1.3.5 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/bits-and-blooms/bitset v1.13.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/consensys/bavard v0.1.13 // indirect github.com/containerd/cgroups v1.1.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect @@ -62,7 +65,6 @@ require ( github.com/jackpal/go-nat-pmp v1.0.2 // indirect github.com/jbenet/go-temp-err-catcher v0.1.0 // indirect github.com/jbenet/goprocess v0.1.4 // indirect - github.com/kilic/bls12-381 v0.1.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/cpuid/v2 v2.2.7 // indirect github.com/koron/go-ssdp v0.0.4 // indirect @@ -82,6 +84,7 @@ require ( github.com/mikioh/tcpinfo v0.0.0-20190314235526-30a79bb1804b // indirect github.com/mikioh/tcpopt v0.0.0-20190314235656-172688c1accc // indirect github.com/minio/sha256-simd v1.0.1 // indirect + github.com/mmcloughlin/addchain v0.4.0 // indirect github.com/mr-tron/base58 v1.2.0 // indirect github.com/multiformats/go-base32 v0.1.0 // indirect github.com/multiformats/go-base36 v0.2.0 // indirect @@ -128,6 +131,7 @@ require ( github.com/stretchr/objx v0.5.2 // indirect github.com/syndtr/goleveldb v1.0.0 // indirect github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect + go.dedis.ch/fixbuf v1.0.3 // indirect go.opentelemetry.io/otel/trace v1.28.0 // indirect go.uber.org/dig v1.17.1 // indirect go.uber.org/fx v1.21.1 // indirect @@ -140,4 +144,5 @@ require ( google.golang.org/protobuf v1.34.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect lukechampine.com/blake3 v1.2.1 // indirect + rsc.io/tmplfunc v0.0.3 // indirect ) diff --git a/go.sum b/go.sum index e9926b05..11a0ee6f 100644 --- a/go.sum +++ b/go.sum @@ -18,12 +18,18 @@ github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZx github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE= +github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= +github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= +github.com/consensys/gnark-crypto v0.12.1 h1:lHH39WuuFgVHONRl3J0LRBtuYdQTumFSDtJF7HpyG8M= +github.com/consensys/gnark-crypto v0.12.1/go.mod h1:v2Gy7L/4ZRosZ7Ivs+9SfUDr0f5UlG+EM5t7MPHiLuY= github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= @@ -108,6 +114,7 @@ github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OI github.com/google/pprof v0.0.0-20240207164012-fb44976bdcd5 h1:E/LAvt58di64hlYjx7AsNS6C/ysHWYo+2qPCZKTQhRo= github.com/google/pprof v0.0.0-20240207164012-fb44976bdcd5/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= @@ -152,8 +159,6 @@ github.com/jbenet/goprocess v0.1.4/go.mod h1:5yspPrukOVuOLORacaBi858NqyClJPQxYZl github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/kilic/bls12-381 v0.1.0 h1:encrdjqKMEvabVQ7qYOKu1OvhqpK4s47wDYtNiPtlp4= -github.com/kilic/bls12-381 v0.1.0/go.mod h1:vDTTHJONJ6G+P2R74EhnyotQDTliQDnFEwhdmfzw1ig= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= @@ -173,6 +178,8 @@ github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c= +github.com/leanovate/gopter v0.2.9/go.mod h1:U2L/78B+KVFIx2VmW6onHJQzXtFb+p5y3y2Sh+Jxxv8= github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8= github.com/libp2p/go-buffer-pool v0.1.0/go.mod h1:N+vh8gMqimBzdKkSMVuydVDq+UV5QTWy5HSiZacSbPg= github.com/libp2p/go-flow-metrics v0.1.0 h1:0iPhMI8PskQwzh57jB9WxIuIOQ0r+15PChFGkx3Q3WM= @@ -224,6 +231,9 @@ github.com/minio/sha256-simd v0.0.0-20190131020904-2d45a736cd16/go.mod h1:2FMWW+ github.com/minio/sha256-simd v0.1.1-0.20190913151208-6de447530771/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM= github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8= +github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY= +github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU= +github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mr-tron/base58 v1.1.0/go.mod h1:xcD2VGqlgYjBdcBLw+TuYLr8afG+Hj8g2eTVqeSzSU8= @@ -434,6 +444,8 @@ go.dedis.ch/fixbuf v1.0.3 h1:hGcV9Cd/znUxlusJ64eAlExS+5cJDIyTyEG+otu5wQs= go.dedis.ch/fixbuf v1.0.3/go.mod h1:yzJMt34Wa5xD37V5RTdmp38cz3QhMagdGoem9anUalw= go.dedis.ch/kyber/v4 v4.0.0-pre2.0.20240916105431-b283c0cdd30a h1:FF9ZER1DSNuJWcpC/P9AJ9LpswxPxyyQ65YTOqdzDd0= go.dedis.ch/kyber/v4 v4.0.0-pre2.0.20240916105431-b283c0cdd30a/go.mod h1:tg6jwKTYEjm94VxkFwiQy+ec9hoQvccIU989wNjXWVI= +go.dedis.ch/protobuf v1.0.11 h1:FTYVIEzY/bfl37lu3pR4lIj+F9Vp1jE8oh91VmxKgLo= +go.dedis.ch/protobuf v1.0.11/go.mod h1:97QR256dnkimeNdfmURz0wAMNVbd1VmLXhG1CrTYrJ4= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= @@ -555,7 +567,6 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -661,6 +672,8 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= @@ -672,5 +685,7 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI= lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k= +rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU= +rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA= sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck= sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= diff --git a/internal/bls/LICENSE b/internal/bls/LICENSE new file mode 100644 index 00000000..411d65a2 --- /dev/null +++ b/internal/bls/LICENSE @@ -0,0 +1,375 @@ +This code is (c) by DEDIS/EPFL 2017 under the MPL v2 or later version. + +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. "Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. * +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. +Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. \ No newline at end of file diff --git a/internal/bls/README.md b/internal/bls/README.md new file mode 100644 index 00000000..b5eddb6c --- /dev/null +++ b/internal/bls/README.md @@ -0,0 +1 @@ +# A temporary fork of part of dedis/kyber diff --git a/internal/bls/bdn/bdn.go b/internal/bls/bdn/bdn.go new file mode 100644 index 00000000..141a0b70 --- /dev/null +++ b/internal/bls/bdn/bdn.go @@ -0,0 +1,221 @@ +// Package bdn implements the Boneh-Drijvers-Neven signature scheme which is +// an implementation of the bls package which is robust against rogue public-key attacks. Those +// attacks could allow an attacker to forge a public-key and then make a verifiable +// signature for an aggregation of signatures. It fixes the situation by +// adding coefficients to the aggregate. +// +// See the papers: +// https://eprint.iacr.org/2018/483.pdf +// https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html +package bdn + +import ( + "crypto/cipher" + "errors" + "fmt" + "slices" + + "go.dedis.ch/kyber/v4" + "go.dedis.ch/kyber/v4/pairing" + "go.dedis.ch/kyber/v4/sign" + "go.dedis.ch/kyber/v4/sign/bls" + "golang.org/x/crypto/blake2s" +) + +// For the choice of H, we're mostly worried about the second preimage attack. In +// other words, find m' where H(m) == H(m') +// We also use the entire roster so that the coefficient will vary for the same +// public key used in different roster +func hashPointToR(group kyber.Group, pubs []kyber.Point) ([]kyber.Scalar, error) { + h, err := blake2s.NewXOF(blake2s.OutputLengthUnknown, nil) + if err != nil { + return nil, err + } + for _, pub := range pubs { + peer, err := pub.MarshalBinary() + if err != nil { + return nil, err + } + _, err = h.Write(peer) + if err != nil { + return nil, err + } + } + + out := make([]byte, 16*len(pubs)) + _, err = h.Read(out) + if err != nil { + return nil, err + } + + coefs := make([]kyber.Scalar, len(pubs)) + for i := range coefs { + scalar := group.Scalar() + bytes := out[i*16 : (i+1)*16] + if scalar.ByteOrder() != kyber.LittleEndian { + slices.Reverse(bytes) + } + scalar.SetBytes(bytes) + coefs[i] = scalar + } + + return coefs, nil +} + +type Scheme struct { + blsScheme sign.AggregatableScheme + sigGroup kyber.Group + keyGroup kyber.Group + pairing func(signature, public, hashedPoint kyber.Point) bool +} + +// NewSchemeOnG1 returns a sign.Scheme that uses G1 for its signature space and G2 +// for its public keys +func NewSchemeOnG1(suite pairing.Suite) *Scheme { + sigGroup := suite.G1() + keyGroup := suite.G2() + pairing := func(public, hashedMsg, sigPoint kyber.Point) bool { + return suite.ValidatePairing(hashedMsg, public, sigPoint, keyGroup.Point().Base()) + } + return &Scheme{ + blsScheme: bls.NewSchemeOnG1(suite), + sigGroup: sigGroup, + keyGroup: keyGroup, + pairing: pairing, + } +} + +// NewSchemeOnG2 returns a sign.Scheme that uses G2 for its signature space and +// G1 for its public key +func NewSchemeOnG2(suite pairing.Suite) *Scheme { + sigGroup := suite.G2() + keyGroup := suite.G1() + pairing := func(public, hashedMsg, sigPoint kyber.Point) bool { + return suite.ValidatePairing(public, hashedMsg, keyGroup.Point().Base(), sigPoint) + } + return &Scheme{ + blsScheme: bls.NewSchemeOnG2(suite), + sigGroup: sigGroup, + keyGroup: keyGroup, + pairing: pairing, + } +} + +// NewKeyPair creates a new BLS signing key pair. The private key x is a scalar +// and the public key X is a point on the scheme's key group. +func (scheme *Scheme) NewKeyPair(random cipher.Stream) (kyber.Scalar, kyber.Point) { + return scheme.blsScheme.NewKeyPair(random) +} + +// Sign creates a BLS signature S = x * H(m) on a message m using the private +// key x. The signature S is a point on the scheme's signature group. +func (scheme *Scheme) Sign(x kyber.Scalar, msg []byte) ([]byte, error) { + return scheme.blsScheme.Sign(x, msg) +} + +// Verify checks the given BLS signature S on the message m using the public +// key X by verifying that the equality e(H(m), X) == e(H(m), x*B2) == +// e(x*H(m), B2) == e(S, B2) holds where e is the pairing operation and B2 is +// the base point from the scheme's key group. +func (scheme *Scheme) Verify(x kyber.Point, msg, sig []byte) error { + return scheme.blsScheme.Verify(x, msg, sig) +} + +// AggregateSignatures aggregates the signatures using a coefficient for each +// one of them where c = H(pk) and H: keyGroup -> R with R = {1, ..., 2^128} +func (scheme *Scheme) AggregateSignatures(sigs [][]byte, mask *Mask) (kyber.Point, error) { + agg := scheme.sigGroup.Point() + for i := range mask.publics { + if enabled, err := mask.GetBit(i); err != nil { + // this should never happen because of the loop boundary + // an error here is probably a bug in the mask implementation + return nil, fmt.Errorf("couldn't find the index %d: %w", i, err) + } else if !enabled { + continue + } + + if len(sigs) == 0 { + return nil, errors.New("length of signatures and public keys must match") + } + + buf := sigs[0] + sigs = sigs[1:] + + sig := scheme.sigGroup.Point() + err := sig.UnmarshalBinary(buf) + if err != nil { + return nil, err + } + + sigC := sig.Clone().Mul(mask.publicCoefs[i], sig) + // c+1 because R is in the range [1, 2^128] and not [0, 2^128-1] + sigC = sigC.Add(sigC, sig) + agg = agg.Add(agg, sigC) + } + + if len(sigs) > 0 { + return nil, errors.New("length of signatures and public keys must match") + } + + return agg, nil +} + +// AggregatePublicKeys aggregates a set of public keys (similarly to +// AggregateSignatures for signatures) using the hash function +// H: keyGroup -> R with R = {1, ..., 2^128}. +func (scheme *Scheme) AggregatePublicKeys(mask *Mask) (kyber.Point, error) { + agg := scheme.keyGroup.Point() + for i := range mask.publics { + if enabled, err := mask.GetBit(i); err != nil { + // this should never happen because of the loop boundary + // an error here is probably a bug in the mask implementation + return nil, fmt.Errorf("couldn't find the index %d: %w", i, err) + } else if !enabled { + continue + } + + agg = agg.Add(agg, mask.publicTerms[i]) + } + + return agg, nil +} + +// v1 API Deprecated ---------------------------------- + +// NewKeyPair creates a new BLS signing key pair. The private key x is a scalar +// and the public key X is a point on curve G2. +// Deprecated: use the new scheme methods instead. +func NewKeyPair(suite pairing.Suite, random cipher.Stream) (kyber.Scalar, kyber.Point) { + return NewSchemeOnG1(suite).NewKeyPair(random) +} + +// Sign creates a BLS signature S = x * H(m) on a message m using the private +// key x. The signature S is a point on curve G1. +// Deprecated: use the new scheme methods instead. +func Sign(suite pairing.Suite, x kyber.Scalar, msg []byte) ([]byte, error) { + return NewSchemeOnG1(suite).Sign(x, msg) +} + +// Verify checks the given BLS signature S on the message m using the public +// key X by verifying that the equality e(H(m), X) == e(H(m), x*B2) == +// e(x*H(m), B2) == e(S, B2) holds where e is the pairing operation and B2 is +// the base point from curve G2. +// Deprecated: use the new scheme methods instead. +func Verify(suite pairing.Suite, x kyber.Point, msg, sig []byte) error { + return NewSchemeOnG1(suite).Verify(x, msg, sig) +} + +// AggregateSignatures aggregates the signatures using a coefficient for each +// one of them where c = H(pk) and H: G2 -> R with R = {1, ..., 2^128} +// Deprecated: use the new scheme methods instead. +func AggregateSignatures(suite pairing.Suite, sigs [][]byte, mask *Mask) (kyber.Point, error) { + return NewSchemeOnG1(suite).AggregateSignatures(sigs, mask) +} + +// AggregatePublicKeys aggregates a set of public keys (similarly to +// AggregateSignatures for signatures) using the hash function +// H: G2 -> R with R = {1, ..., 2^128}. +// Deprecated: use the new scheme methods instead. +func AggregatePublicKeys(suite pairing.Suite, mask *Mask) (kyber.Point, error) { + return NewSchemeOnG1(suite).AggregatePublicKeys(mask) +} diff --git a/internal/bls/bdn/bdn_test.go b/internal/bls/bdn/bdn_test.go new file mode 100644 index 00000000..7160491a --- /dev/null +++ b/internal/bls/bdn/bdn_test.go @@ -0,0 +1,254 @@ +package bdn + +import ( + "encoding" + "encoding/hex" + "fmt" + "testing" + + "github.com/stretchr/testify/require" + "go.dedis.ch/kyber/v4" + "go.dedis.ch/kyber/v4/pairing/bn256" + "go.dedis.ch/kyber/v4/sign/bls" + "go.dedis.ch/kyber/v4/util/random" + + "github.com/filecoin-project/go-f3/internal/bls/gnark" +) + +var suite = bn256.NewSuiteBn256() +var two = suite.Scalar().Add(suite.Scalar().One(), suite.Scalar().One()) +var three = suite.Scalar().Add(two, suite.Scalar().One()) + +// Reference test for other languages +func TestBDN_HashPointToR_BN256(t *testing.T) { + p1 := suite.Point().Base() + p2 := suite.Point().Mul(two, suite.Point().Base()) + p3 := suite.Point().Mul(three, suite.Point().Base()) + + coefs, err := hashPointToR(suite, []kyber.Point{p1, p2, p3}) + + require.NoError(t, err) + require.Equal(t, "35b5b395f58aba3b192fb7e1e5f2abd3", coefs[0].String()) + require.Equal(t, "14dcc79d46b09b93075266e47cd4b19e", coefs[1].String()) + require.Equal(t, "933f6013eb3f654f9489d6d45ad04eaf", coefs[2].String()) + //require.Equal(t, 16, coefs[0].MarshalSize()) + + mask, _ := NewMask(suite, []kyber.Point{p1, p2, p3}, nil) + mask.SetBit(0, true) + mask.SetBit(1, true) + mask.SetBit(2, true) + + agg, err := AggregatePublicKeys(suite, mask) + require.NoError(t, err) + + buf, err := agg.MarshalBinary() + require.NoError(t, err) + ref := "1432ef60379c6549f7e0dbaf289cb45487c9d7da91fc20648f319a9fbebb23164abea76cdf7b1a3d20d539d9fe096b1d6fb3ee31bf1d426cd4a0d09d603b09f55f473fde972aa27aa991c249e890c1e4a678d470592dd09782d0fb3774834f0b2e20074a49870f039848a6b1aff95e1a1f8170163c77098e1f3530744d1826ce" + require.Equal(t, ref, fmt.Sprintf("%x", buf)) +} + +func TestBDN_AggregateSignatures(t *testing.T) { + msg := []byte("Hello Boneh-Lynn-Shacham") + private1, public1 := NewKeyPair(suite, random.New()) + private2, public2 := NewKeyPair(suite, random.New()) + sig1, err := Sign(suite, private1, msg) + require.NoError(t, err) + sig2, err := Sign(suite, private2, msg) + require.NoError(t, err) + + mask, _ := NewMask(suite, []kyber.Point{public1, public2}, nil) + mask.SetBit(0, true) + mask.SetBit(1, true) + + _, err = AggregateSignatures(suite, [][]byte{sig1}, mask) + require.Error(t, err) + + aggregatedSig, err := AggregateSignatures(suite, [][]byte{sig1, sig2}, mask) + require.NoError(t, err) + + aggregatedKey, err := AggregatePublicKeys(suite, mask) + require.NoError(t, err) + + sig, err := aggregatedSig.MarshalBinary() + require.NoError(t, err) + + err = Verify(suite, aggregatedKey, msg, sig) + require.NoError(t, err) + + mask.SetBit(1, false) + aggregatedKey, err = AggregatePublicKeys(suite, mask) + require.NoError(t, err) + + err = Verify(suite, aggregatedKey, msg, sig) + require.Error(t, err) +} + +func TestBDN_SubsetSignature(t *testing.T) { + msg := []byte("Hello Boneh-Lynn-Shacham") + private1, public1 := NewKeyPair(suite, random.New()) + private2, public2 := NewKeyPair(suite, random.New()) + _, public3 := NewKeyPair(suite, random.New()) + sig1, err := Sign(suite, private1, msg) + require.NoError(t, err) + sig2, err := Sign(suite, private2, msg) + require.NoError(t, err) + + mask, _ := NewMask(suite, []kyber.Point{public1, public3, public2}, nil) + mask.SetBit(0, true) + mask.SetBit(2, true) + + aggregatedSig, err := AggregateSignatures(suite, [][]byte{sig1, sig2}, mask) + require.NoError(t, err) + + aggregatedKey, err := AggregatePublicKeys(suite, mask) + require.NoError(t, err) + + sig, err := aggregatedSig.MarshalBinary() + require.NoError(t, err) + + err = Verify(suite, aggregatedKey, msg, sig) + require.NoError(t, err) +} + +func TestBDN_RogueAttack(t *testing.T) { + msg := []byte("Hello Boneh-Lynn-Shacham") + scheme := bls.NewSchemeOnG1(suite) + // honest + _, public1 := scheme.NewKeyPair(random.New()) + // attacker + private2, public2 := scheme.NewKeyPair(random.New()) + + // create a forged public-key for public1 + rogue := public1.Clone().Sub(public2, public1) + + pubs := []kyber.Point{public1, rogue} + + sig, err := Sign(suite, private2, msg) + require.NoError(t, err) + + // Old scheme not resistant to the attack + agg := scheme.AggregatePublicKeys(pubs...) + require.NoError(t, scheme.Verify(agg, msg, sig)) + + // New scheme that should detect + mask, _ := NewMask(suite, pubs, nil) + mask.SetBit(0, true) + mask.SetBit(1, true) + agg, err = AggregatePublicKeys(suite, mask) + require.NoError(t, err) + require.Error(t, Verify(suite, agg, msg, sig)) +} + +func Benchmark_BDN_AggregateSigs(b *testing.B) { + private1, public1 := NewKeyPair(suite, random.New()) + private2, public2 := NewKeyPair(suite, random.New()) + msg := []byte("Hello many times Boneh-Lynn-Shacham") + sig1, err := Sign(suite, private1, msg) + require.Nil(b, err) + sig2, err := Sign(suite, private2, msg) + require.Nil(b, err) + + mask, _ := NewMask(suite, []kyber.Point{public1, public2}, nil) + mask.SetBit(0, true) + mask.SetBit(1, false) + + b.ResetTimer() + for i := 0; i < b.N; i++ { + AggregateSignatures(suite, [][]byte{sig1, sig2}, mask) + } +} + +func Benchmark_BDN_BLS12381_AggregateVerify(b *testing.B) { + suite := gnark.NewSuiteBLS12381() + schemeOnG2 := NewSchemeOnG2(suite) + + rng := random.New() + pubKeys := make([]kyber.Point, 3000) + privKeys := make([]kyber.Scalar, 3000) + for i := range pubKeys { + privKeys[i], pubKeys[i] = schemeOnG2.NewKeyPair(rng) + } + + mask, err := NewMask(suite.G1(), pubKeys, nil) + require.NoError(b, err) + for i := range pubKeys { + require.NoError(b, mask.SetBit(i, true)) + } + + msg := []byte("Hello many times Boneh-Lynn-Shacham") + sigs := make([][]byte, len(privKeys)) + for i, k := range privKeys { + s, err := schemeOnG2.Sign(k, msg) + require.NoError(b, err) + sigs[i] = s + } + + sig, err := schemeOnG2.AggregateSignatures(sigs, mask) + require.NoError(b, err) + sigb, err := sig.MarshalBinary() + require.NoError(b, err) + + b.ResetTimer() + for i := 0; i < b.N; i++ { + pk, err := schemeOnG2.AggregatePublicKeys(mask) + require.NoError(b, err) + require.NoError(b, schemeOnG2.Verify(pk, msg, sigb)) + } +} + +func unmarshalHex[T encoding.BinaryUnmarshaler](t *testing.T, into T, s string) T { + t.Helper() + b, err := hex.DecodeString(s) + require.NoError(t, err) + require.NoError(t, into.UnmarshalBinary(b)) + return into +} + +// This tests exists to make sure we don't accidentally make breaking changes to signature +// aggregation by using checking against known aggregated signatures and keys. +func TestBDNFixtures(t *testing.T) { + schemeOnG1 := NewSchemeOnG1(suite) + + public1 := unmarshalHex(t, suite.G2().Point(), "1a30714035c7a161e286e54c191b8c68345bd8239c74925a26290e8e1ae97ed6657958a17dca12c943fadceb11b824402389ff427179e0f10194da3c1b771c6083797d2b5915ea78123cbdb99ea6389d6d6b67dcb512a2b552c373094ee5693524e3ebb4a176f7efa7285c25c80081d8cb598745978f1a63b886c09a316b1493") + private1 := unmarshalHex(t, suite.G2().Scalar(), "49cfe5e9f4532670137184d43c0299f8b635bcacf6b0af7cab262494602d9f38") + public2 := unmarshalHex(t, suite.G2().Point(), "603bc61466ec8762ec6de2ba9a80b9d302d08f580d1685ac45a8e404a6ed549719dc0faf94d896a9983ff23423772720e3de5d800bc200de6f7d7e146162d3183b8880c5c0d8b71ca4b3b40f30c12d8cc0679c81a47c239c6aa7e9cc2edab4a927fe865cd413c1c17e3df8f74108e784cd77dd3e161bdaf30019a55826a32a1f") + private2 := unmarshalHex(t, suite.G2().Scalar(), "493abea4bb35b74c78ad9245f9d37883aeb6ee91f7fb0d8a8e11abf7aa2be581") + public3 := unmarshalHex(t, suite.G2().Point(), "56118769a1f0b6286abacaa32109c1497ab0819c5d21f27317e184b6681c283007aa981cb4760de044946febdd6503ab77a4586bc29c04159e53a6fa5dcb9c0261ccd1cb2e28db5204ca829ac9f6be95f957a626544adc34ba3bc542533b6e2f5cbd0567e343641a61a42b63f26c3625f74b66f6f46d17b3bf1688fae4d455ec") + private3 := unmarshalHex(t, suite.G2().Scalar(), "7fb0ebc317e161502208c3c16a4af890dedc3c7b275e8a04e99c0528aa6a19aa") + + sig1Exp, err := hex.DecodeString("0913b76987be19f943be23b636cab9a2484507717326bd8bbdcdbbb6b8d5eb9253cfb3597c3fa550ee4972a398813650825a871f8e0b242ae5ddbce1b7c0e2a8") + require.NoError(t, err) + sig2Exp, err := hex.DecodeString("21195d29b1863bca1559e24375211d1411d8a28a8f4c772870b07f4ccda2fd5e337c1315c210475c683e3aa8b87d3aed3f7255b3087daa30d1e1432dd61d7484") + require.NoError(t, err) + sig3Exp, err := hex.DecodeString("3c1ac80345c1733630dbdc8106925c867544b521c259f9fa9678d477e6e5d3d212b09bc0d95137c3dbc0af2241415156c56e757d5577a609293584d045593195") + require.NoError(t, err) + + aggSigExp := unmarshalHex(t, suite.G1().Point(), "43c1d2ad5a7d71a08f3cd7495db6b3c81a4547af1b76438b2f215e85ec178fea048f93f6ffed65a69ea757b47761e7178103bb347fd79689652e55b6e0054af2") + aggKeyExp := unmarshalHex(t, suite.G2().Point(), "43b5161ede207b9a69fc93114b0c5022b76cc22e813ba739c7e622d826b132333cd637505399963b94e393ec7f5d4875f82391620b34be1fde1f232204fa4f723935d4dbfb725f059456bcf2557f846c03190969f7b800e904d25b0b5bcbdd421c9877d443f0313c3425dfc1e7e646b665d27b9e649faadef1129f95670d70e1") + + msg := []byte("Hello many times Boneh-Lynn-Shacham") + sig1, err := schemeOnG1.Sign(private1, msg) + require.Nil(t, err) + require.Equal(t, sig1Exp, sig1) + + sig2, err := schemeOnG1.Sign(private2, msg) + require.Nil(t, err) + require.Equal(t, sig2Exp, sig2) + + sig3, err := schemeOnG1.Sign(private3, msg) + require.Nil(t, err) + require.Equal(t, sig3Exp, sig3) + + mask, _ := NewMask(suite, []kyber.Point{public1, public2, public3}, nil) + mask.SetBit(0, true) + mask.SetBit(1, false) + mask.SetBit(2, true) + + aggSig, err := schemeOnG1.AggregateSignatures([][]byte{sig1, sig3}, mask) + require.NoError(t, err) + require.True(t, aggSigExp.Equal(aggSig)) + + aggKey, err := schemeOnG1.AggregatePublicKeys(mask) + require.NoError(t, err) + require.True(t, aggKeyExp.Equal(aggKey)) +} diff --git a/internal/bls/bdn/mask.go b/internal/bls/bdn/mask.go new file mode 100644 index 00000000..8e695b87 --- /dev/null +++ b/internal/bls/bdn/mask.go @@ -0,0 +1,221 @@ +package bdn + +import ( + "errors" + "fmt" + "slices" + + "go.dedis.ch/kyber/v4" +) + +// Mask is a bitmask of the participation to a collective signature. +type Mask struct { + // The bitmask indicating which public keys are enabled/disabled for aggregation. This is + // the only mutable field. + mask []byte + + // The following fields are immutable and should not be changed after the mask is created. + // They may be shared between multiple masks. + + // Public keys for aggregation & signature verification. + publics []kyber.Point + // Coefficients used when aggregating signatures. + publicCoefs []kyber.Scalar + // Terms used to aggregate public keys + publicTerms []kyber.Point +} + +// NewMask creates a new mask from a list of public keys. If a key is provided, it +// will set the bit of the key to 1 or return an error if it is not found. +// +// The returned Mask will contain pre-computed terms and coefficients for all provided public +// keys, so it should be re-used for optimal performance (e.g., by creating a "base" mask and +// cloning it whenever aggregating signatures and/or public keys). +func NewMask(group kyber.Group, publics []kyber.Point, myKey kyber.Point) (*Mask, error) { + m := &Mask{ + publics: publics, + } + m.mask = make([]byte, m.Len()) + + if myKey != nil { + for i, key := range publics { + if key.Equal(myKey) { + err := m.SetBit(i, true) + return m, err + } + } + + return nil, errors.New("key not found") + } + + var err error + m.publicCoefs, err = hashPointToR(group, publics) + if err != nil { + return nil, fmt.Errorf("failed to hash public keys: %w", err) + } + + m.publicTerms = make([]kyber.Point, len(publics)) + for i, pub := range publics { + pubC := pub.Clone().Mul(m.publicCoefs[i], pub) + m.publicTerms[i] = pubC.Add(pubC, pub) + } + + return m, nil +} + +// Mask returns the bitmask as a byte array. +func (m *Mask) Mask() []byte { + clone := make([]byte, len(m.mask)) + copy(clone, m.mask) + return clone +} + +// Len returns the length of the byte array necessary to store the bitmask. +func (m *Mask) Len() int { + return (len(m.publics) + 7) / 8 +} + +// SetMask replaces the current mask by the new one if the length matches. +func (m *Mask) SetMask(mask []byte) error { + if m.Len() != len(mask) { + return fmt.Errorf("mismatching mask lengths") + } + + m.mask = mask + return nil +} + +// GetBit returns true if the given bit is set. +func (m *Mask) GetBit(i int) (bool, error) { + if i >= len(m.publics) || i < 0 { + return false, errors.New("index out of range") + } + + byteIndex := i / 8 + mask := byte(1) << uint(i&7) + return m.mask[byteIndex]&mask != 0, nil +} + +// SetBit turns on or off the bit at the given index. +func (m *Mask) SetBit(i int, enable bool) error { + if i >= len(m.publics) || i < 0 { + return errors.New("index out of range") + } + + byteIndex := i / 8 + mask := byte(1) << uint(i&7) + if enable { + m.mask[byteIndex] |= mask + } else { + m.mask[byteIndex] &^= mask + } + return nil +} + +// forEachBitEnabled is a helper to iterate over the bits set to 1 in the mask +// and to return the result of the callback only if it is positive. +func (m *Mask) forEachBitEnabled(f func(i, j, n int) int) int { + n := 0 + for i, b := range m.mask { + for j := uint(0); j < 8; j++ { + mm := byte(1) << (j & 7) + + if b&mm != 0 { + if res := f(i, int(j), n); res >= 0 { + return res + } + + n++ + } + } + } + + return -1 +} + +// IndexOfNthEnabled returns the index of the nth enabled bit or -1 if out of bounds. +func (m *Mask) IndexOfNthEnabled(nth int) int { + return m.forEachBitEnabled(func(i, j, n int) int { + if n == nth { + return i*8 + int(j) + } + + return -1 + }) +} + +// NthEnabledAtIndex returns the sum of bits set to 1 until the given index. In other +// words, it returns how many bits are enabled before the given index. +func (m *Mask) NthEnabledAtIndex(idx int) int { + return m.forEachBitEnabled(func(i, j, n int) int { + if i*8+int(j) == idx { + return n + } + + return -1 + }) +} + +// Publics returns a copy of the list of public keys. +func (m *Mask) Publics() []kyber.Point { + pubs := make([]kyber.Point, len(m.publics)) + copy(pubs, m.publics) + return pubs +} + +// Participants returns the list of public keys participating. +func (m *Mask) Participants() []kyber.Point { + pp := []kyber.Point{} + for i, p := range m.publics { + byteIndex := i / 8 + mask := byte(1) << uint(i&7) + if (m.mask[byteIndex] & mask) != 0 { + pp = append(pp, p) + } + } + + return pp +} + +// CountEnabled returns the number of bit set to 1 +func (m *Mask) CountEnabled() int { + count := 0 + for i := range m.publics { + byteIndex := i / 8 + mask := byte(1) << uint(i&7) + if (m.mask[byteIndex] & mask) != 0 { + count++ + } + } + return count +} + +// CountTotal returns the number of potential participants +func (m *Mask) CountTotal() int { + return len(m.publics) +} + +// Merge merges the given mask to the current one only if +// the length matches +func (m *Mask) Merge(mask []byte) error { + if len(m.mask) != len(mask) { + return errors.New("mismatching mask length") + } + + for i := range m.mask { + m.mask[i] |= mask[i] + } + + return nil +} + +// Clone copies the mask while keeping the precomputed coefficients, etc. This method is thread safe +// and does not modify the original mask. Modifications to the new Mask will not affect the original. +func (m *Mask) Clone() *Mask { + return &Mask{ + mask: slices.Clone(m.mask), + publics: m.publics, + publicCoefs: m.publicCoefs, + publicTerms: m.publicTerms, + } +} diff --git a/internal/bls/bdn/mask_test.go b/internal/bls/bdn/mask_test.go new file mode 100644 index 00000000..9cccecab --- /dev/null +++ b/internal/bls/bdn/mask_test.go @@ -0,0 +1,153 @@ +package bdn + +import ( + "crypto/rand" + "testing" + + "github.com/stretchr/testify/require" + "go.dedis.ch/kyber/v4" + "go.dedis.ch/kyber/v4/util/key" +) + +const n = 17 + +var publics []kyber.Point + +func init() { + publics = make([]kyber.Point, n) + + for i := 0; i < n; i++ { + kp := key.NewKeyPair(suite) + publics[i] = kp.Public + } +} + +func TestMask_CreateMask(t *testing.T) { + mask, err := NewMask(suite, publics, nil) + require.NoError(t, err) + + require.Equal(t, len(publics), len(mask.Publics())) + require.Equal(t, 0, mask.CountEnabled()) + require.Equal(t, n, mask.CountTotal()) + require.Equal(t, n/8+1, mask.Len()) + require.Equal(t, uint8(0), mask.Mask()[0]) + + mask, err = NewMask(suite, publics, publics[2]) + require.NoError(t, err) + + require.Equal(t, len(publics), len(mask.Publics())) + require.Equal(t, 1, mask.CountEnabled()) + require.Equal(t, uint8(0x4), mask.Mask()[0]) + + _, err = NewMask(suite, publics, suite.G1().Point()) + require.Error(t, err) +} + +func TestMask_SetBit(t *testing.T) { + mask, err := NewMask(suite, publics, publics[2]) + require.NoError(t, err) + + // Make sure the mask is initially as we'd expect. + + bit, err := mask.GetBit(1) + require.NoError(t, err) + require.False(t, bit) + + bit, err = mask.GetBit(2) + require.NoError(t, err) + require.True(t, bit) + + // Set bit 1 + + err = mask.SetBit(1, true) + require.NoError(t, err) + require.Equal(t, uint8(0x6), mask.Mask()[0]) + require.Equal(t, 2, len(mask.Participants())) + + bit, err = mask.GetBit(1) + require.NoError(t, err) + require.True(t, bit) + + // Set bit 1 again, nothing should change + + err = mask.SetBit(1, true) + require.NoError(t, err) + require.Equal(t, uint8(0x6), mask.Mask()[0]) + require.Equal(t, 2, len(mask.Participants())) + + bit, err = mask.GetBit(1) + require.NoError(t, err) + require.True(t, bit) + + // Unset bit 2 + + err = mask.SetBit(2, false) + require.NoError(t, err) + require.Equal(t, uint8(0x2), mask.Mask()[0]) + require.Equal(t, 1, len(mask.Participants())) + + bit, err = mask.GetBit(2) + require.NoError(t, err) + require.False(t, bit) + + // Set bit 10 (using byte 2 now) + + err = mask.SetBit(10, true) + require.NoError(t, err) + require.Equal(t, uint8(0x2), mask.Mask()[0]) + require.Equal(t, uint8(0x4), mask.Mask()[1]) + require.Equal(t, 2, len(mask.Participants())) + + bit, err = mask.GetBit(10) + require.NoError(t, err) + require.True(t, bit) + + // And make sure the range limit works. + + err = mask.SetBit(-1, true) + require.Error(t, err) + err = mask.SetBit(len(publics), true) + require.Error(t, err) +} + +func TestMask_SetAndMerge(t *testing.T) { + mask, err := NewMask(suite, publics, publics[2]) + require.NoError(t, err) + + err = mask.SetMask([]byte{}) + require.Error(t, err) + + err = mask.SetMask([]byte{0, 0, 0}) + require.NoError(t, err) + + err = mask.Merge([]byte{}) + require.Error(t, err) + + err = mask.Merge([]byte{0x6, 0, 0}) + require.NoError(t, err) + require.Equal(t, uint8(0x6), mask.Mask()[0]) +} + +func TestMask_PositionalQueries(t *testing.T) { + mask, err := NewMask(suite, publics, publics[2]) + require.NoError(t, err) + + for i := 0; i < 10000; i++ { + bb := make([]byte, 3) + _, err := rand.Read(bb) + require.NoError(t, err) + bb[2] &= byte(1) << 7 + + err = mask.SetMask(bb) + require.NoError(t, err) + + for j := 0; j < mask.CountEnabled(); j++ { + idx := mask.IndexOfNthEnabled(j) + n := mask.NthEnabledAtIndex(idx) + require.Equal(t, j, n) + } + + require.Equal(t, -1, mask.IndexOfNthEnabled(mask.CountEnabled()+1)) + require.Equal(t, -1, mask.NthEnabledAtIndex(-1)) + } +} diff --git a/internal/bls/gnark/adapter.go b/internal/bls/gnark/adapter.go new file mode 100644 index 00000000..cca42e0b --- /dev/null +++ b/internal/bls/gnark/adapter.go @@ -0,0 +1,48 @@ +package gnark + +import ( + "go.dedis.ch/kyber/v4" +) + +// SuiteBLS12381 is an adapter that implements the suites.Suite interface so that +// bls12381 can be used as a common suite to generate key pairs for instance but +// still preserves the properties of the pairing (e.g. the Pair function). +// +// It's important to note that the Point function will generate a point +// compatible with public keys only (group G2) where the signature must be +// used as a point from the group G1. +type SuiteBLS12381 struct { + Suite + kyber.Group +} + +// NewSuiteBLS12381 makes a new BN256 suite +func NewSuiteBLS12381() *SuiteBLS12381 { + return &SuiteBLS12381{} +} + +// Point generates a point from the G2 group that can only be used +// for public keys +func (s *SuiteBLS12381) Point() kyber.Point { + return s.G2().Point() +} + +// PointLen returns the length of a G2 point +func (s *SuiteBLS12381) PointLen() int { + return s.G2().PointLen() +} + +// Scalar generates a scalar +func (s *SuiteBLS12381) Scalar() kyber.Scalar { + return s.G1().Scalar() +} + +// ScalarLen returns the length of a scalar +func (s *SuiteBLS12381) ScalarLen() int { + return s.G1().ScalarLen() +} + +// String returns the name of the suite +func (s *SuiteBLS12381) String() string { + return "gnark.adapter" +} diff --git a/internal/bls/gnark/adapter_test.go b/internal/bls/gnark/adapter_test.go new file mode 100644 index 00000000..1e457aeb --- /dev/null +++ b/internal/bls/gnark/adapter_test.go @@ -0,0 +1,28 @@ +package gnark + +import ( + "testing" + + "github.com/stretchr/testify/require" + "go.dedis.ch/kyber/v4/util/key" +) + +func TestAdapter_SuiteBLS12381(t *testing.T) { + suite := NewSuiteBLS12381() + + pair := key.NewKeyPair(suite) + pubkey, err := pair.Public.MarshalBinary() + require.Nil(t, err) + privkey, err := pair.Private.MarshalBinary() + require.Nil(t, err) + + pubhex := suite.Point() + err = pubhex.UnmarshalBinary(pubkey) + require.Nil(t, err) + + privhex := suite.Scalar() + err = privhex.UnmarshalBinary(privkey) + require.Nil(t, err) + + require.Equal(t, "gnark.adapter", suite.String()) +} diff --git a/internal/bls/gnark/g1.go b/internal/bls/gnark/g1.go new file mode 100644 index 00000000..a4041462 --- /dev/null +++ b/internal/bls/gnark/g1.go @@ -0,0 +1,142 @@ +package gnark + +import ( + "crypto/cipher" + "fmt" + "io" + "math/big" + + bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381" + "go.dedis.ch/kyber/v4" +) + +var _ kyber.SubGroupElement = &G1Elt{} + +// G1Elt is a wrapper around a G1 point on the BLS12-381 Gnark curve. +type G1Elt struct{ inner bls12381.G1Jac } + +// MarshalBinary returns a compressed point, without any domain separation tag information +func (p *G1Elt) MarshalBinary() (data []byte, err error) { + var g1aff bls12381.G1Affine + g1aff.FromJacobian(&p.inner) + res := g1aff.Bytes() + return res[:], nil +} + +// UnmarshalBinary populates the point from a compressed point representation. +func (p *G1Elt) UnmarshalBinary(data []byte) error { + var g1aff bls12381.G1Affine + _, err := g1aff.SetBytes(data) + if err != nil { + return fmt.Errorf("setting affine representation: %w", err) + } + + p.inner.FromAffine(&g1aff) + return nil +} + +func (p *G1Elt) String() string { return p.inner.String() } + +func (p *G1Elt) MarshalSize() int { return bls12381.SizeOfG1AffineCompressed } + +// MarshalTo writes a compressed point to the Writer, without any domain separation tag information +func (p *G1Elt) MarshalTo(w io.Writer) (int, error) { + buf, err := p.MarshalBinary() + if err != nil { + return 0, err + } + return w.Write(buf) +} + +// UnmarshalFrom populates the point from a compressed point representation read from the Reader. +func (p *G1Elt) UnmarshalFrom(r io.Reader) (int, error) { + buf := make([]byte, p.MarshalSize()) + n, err := io.ReadFull(r, buf) + if err != nil { + return n, err + } + return n, p.UnmarshalBinary(buf) +} + +func (p *G1Elt) Equal(p2 kyber.Point) bool { x := p2.(*G1Elt); return p.inner.Equal(&x.inner) } + +func (p *G1Elt) Null() kyber.Point { + p.inner.X.SetZero() + p.inner.Y.SetOne() + p.inner.Z.SetZero() + return p +} + +func (p *G1Elt) Base() kyber.Point { + p.inner, _, _, _ = bls12381.Generators() + return p +} + +func (p *G1Elt) Pick(rand cipher.Stream) kyber.Point { + var buf [32]byte + rand.XORKeyStream(buf[:], buf[:]) + return p.Hash(buf[:]) +} + +func (p *G1Elt) Set(p2 kyber.Point) kyber.Point { p.inner = p2.(*G1Elt).inner; return p } + +func (p *G1Elt) Clone() kyber.Point { return new(G1Elt).Set(p) } + +func (p *G1Elt) EmbedLen() int { + panic("bls12-381: unsupported operation") +} + +func (p *G1Elt) Embed(_ []byte, _ cipher.Stream) kyber.Point { + panic("bls12-381: unsupported operation") +} + +func (p *G1Elt) Data() ([]byte, error) { + panic("bls12-381: unsupported operation") +} + +func (p *G1Elt) Add(a, b kyber.Point) kyber.Point { + aa, bb := a.(*G1Elt), b.(*G1Elt) + p.inner.Set(&aa.inner) + p.inner.AddAssign(&bb.inner) + return p +} + +func (p *G1Elt) Sub(a, b kyber.Point) kyber.Point { + aa, bb := a.(*G1Elt), b.(*G1Elt) + p.inner.Set(&aa.inner) + p.inner.SubAssign(&bb.inner) + return p +} + +func (p *G1Elt) Neg(a kyber.Point) kyber.Point { + p.inner.Neg(&a.(*G1Elt).inner) + return p +} + +func (p *G1Elt) Mul(s kyber.Scalar, q kyber.Point) kyber.Point { + if q == nil { + q = new(G1Elt).Base() + } + ss, qq := s.(*Scalar), q.(*G1Elt) + var scalar big.Int + ss.inner.BigInt(&scalar) + p.inner.ScalarMultiplication(&qq.inner, &scalar) + return p +} + +func (p *G1Elt) IsInCorrectGroup() bool { + return !(p.inner.X.IsZero() && p.inner.Y.IsZero() && p.inner.X.IsZero()) && + p.inner.IsOnCurve() && p.inner.IsInSubGroup() +} + +var domainG1 = []byte("BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_") + +func (p *G1Elt) Hash(msg []byte) kyber.Point { return p.Hash2(msg, domainG1) } +func (p *G1Elt) Hash2(msg, dst []byte) kyber.Point { + g1aff, err := bls12381.HashToG1(msg, dst) + if err != nil { + panic(fmt.Errorf("error while hashing: %w", err)) + } + p.inner.FromAffine(&g1aff) + return p +} diff --git a/internal/bls/gnark/g2.go b/internal/bls/gnark/g2.go new file mode 100644 index 00000000..48f6a291 --- /dev/null +++ b/internal/bls/gnark/g2.go @@ -0,0 +1,142 @@ +package gnark + +import ( + "crypto/cipher" + "fmt" + "io" + "math/big" + + bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381" + "go.dedis.ch/kyber/v4" +) + +var _ kyber.SubGroupElement = &G2Elt{} + +// G2Elt is a wrapper around the Gnark G2 point type. +type G2Elt struct{ inner bls12381.G2Jac } + +// MarshalBinary returns a compressed point, without any domain separation tag information +func (p *G2Elt) MarshalBinary() (data []byte, err error) { + var g2aff bls12381.G2Affine + g2aff.FromJacobian(&p.inner) + res := g2aff.Bytes() + return res[:], nil +} + +// UnmarshalBinary populates the point from a compressed point representation. +func (p *G2Elt) UnmarshalBinary(data []byte) error { + var g2aff bls12381.G2Affine + _, err := g2aff.SetBytes(data) + if err != nil { + return fmt.Errorf("setting affine representation: %w", err) + } + + p.inner.FromAffine(&g2aff) + return nil +} + +func (p *G2Elt) String() string { return p.inner.String() } + +func (p *G2Elt) MarshalSize() int { return bls12381.SizeOfG2AffineCompressed } + +// MarshalTo writes a compressed point to the Writer, without any domain separation tag information +func (p *G2Elt) MarshalTo(w io.Writer) (int, error) { + buf, err := p.MarshalBinary() + if err != nil { + return 0, err + } + return w.Write(buf) +} + +// UnmarshalFrom populates the point from a compressed point representation read from the Reader. +func (p *G2Elt) UnmarshalFrom(r io.Reader) (int, error) { + buf := make([]byte, p.MarshalSize()) + n, err := io.ReadFull(r, buf) + if err != nil { + return n, err + } + return n, p.UnmarshalBinary(buf) +} + +func (p *G2Elt) Equal(p2 kyber.Point) bool { x := p2.(*G2Elt); return p.inner.Equal(&x.inner) } + +func (p *G2Elt) Null() kyber.Point { + p.inner.X.SetZero() + p.inner.Y.SetOne() + p.inner.Z.SetZero() + return p +} + +func (p *G2Elt) Base() kyber.Point { + _, p.inner, _, _ = bls12381.Generators() + return p +} + +func (p *G2Elt) Pick(rand cipher.Stream) kyber.Point { + var buf [32]byte + rand.XORKeyStream(buf[:], buf[:]) + return p.Hash(buf[:]) +} + +func (p *G2Elt) Set(p2 kyber.Point) kyber.Point { p.inner = p2.(*G2Elt).inner; return p } + +func (p *G2Elt) Clone() kyber.Point { return new(G2Elt).Set(p) } + +func (p *G2Elt) EmbedLen() int { + panic("bls12-381: unsupported operation") +} + +func (p *G2Elt) Embed(_ []byte, _ cipher.Stream) kyber.Point { + panic("bls12-381: unsupported operation") +} + +func (p *G2Elt) Data() ([]byte, error) { + panic("bls12-381: unsupported operation") +} + +func (p *G2Elt) Add(a, b kyber.Point) kyber.Point { + aa, bb := a.(*G2Elt), b.(*G2Elt) + p.inner.Set(&aa.inner) + p.inner.AddAssign(&bb.inner) + return p +} + +func (p *G2Elt) Sub(a, b kyber.Point) kyber.Point { + aa, bb := a.(*G2Elt), b.(*G2Elt) + p.inner.Set(&aa.inner) + p.inner.SubAssign(&bb.inner) + return p +} + +func (p *G2Elt) Neg(a kyber.Point) kyber.Point { + p.inner.Neg(&a.(*G2Elt).inner) + return p +} + +func (p *G2Elt) Mul(s kyber.Scalar, q kyber.Point) kyber.Point { + if q == nil { + q = new(G2Elt).Base() + } + ss, qq := s.(*Scalar), q.(*G2Elt) + var scalar big.Int + ss.inner.BigInt(&scalar) + p.inner.ScalarMultiplication(&qq.inner, &scalar) + return p +} + +func (p *G2Elt) IsInCorrectGroup() bool { + return !(p.inner.X.IsZero() && p.inner.Y.IsZero() && p.inner.X.IsZero()) && + p.inner.IsOnCurve() && p.inner.IsInSubGroup() +} + +var domainG2 = []byte("BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_") + +func (p *G2Elt) Hash(msg []byte) kyber.Point { return p.Hash2(msg, domainG2) } +func (p *G2Elt) Hash2(msg, dst []byte) kyber.Point { + g1aff, err := bls12381.HashToG2(msg, dst) + if err != nil { + panic(fmt.Errorf("error while hashing: %w", err)) + } + p.inner.FromAffine(&g1aff) + return p +} diff --git a/internal/bls/gnark/group.go b/internal/bls/gnark/group.go new file mode 100644 index 00000000..e08a4cf9 --- /dev/null +++ b/internal/bls/gnark/group.go @@ -0,0 +1,23 @@ +package gnark + +import ( + fr "github.com/consensys/gnark-crypto/ecc/bls12-381/fr" + "go.dedis.ch/kyber/v4" +) + +var ( + G1 kyber.Group = &groupBls{name: "bls12-381.G1", newPoint: func() kyber.Point { return new(G1Elt).Null() }} + G2 kyber.Group = &groupBls{name: "bls12-381.G2", newPoint: func() kyber.Point { return new(G2Elt).Null() }} + GT kyber.Group = &groupBls{name: "bls12-381.GT", newPoint: func() kyber.Point { return new(GTElt).Null() }} +) + +type groupBls struct { + name string + newPoint func() kyber.Point +} + +func (g groupBls) String() string { return g.name } +func (g groupBls) ScalarLen() int { return fr.Bytes } +func (g groupBls) Scalar() kyber.Scalar { return new(Scalar).SetInt64(0) } +func (g groupBls) PointLen() int { return g.newPoint().MarshalSize() } +func (g groupBls) Point() kyber.Point { return g.newPoint() } diff --git a/internal/bls/gnark/gt.go b/internal/bls/gnark/gt.go new file mode 100644 index 00000000..13f684bc --- /dev/null +++ b/internal/bls/gnark/gt.go @@ -0,0 +1,108 @@ +package gnark + +import ( + "crypto/cipher" + "io" + "math/big" + + bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381" + "go.dedis.ch/kyber/v4" +) + +var gtBase *bls12381.GT + +func init() { + _, _, g1, g2 := bls12381.Generators() + gt, err := bls12381.Pair([]bls12381.G1Affine{g1}, []bls12381.G2Affine{g2}) + if err != nil { + panic(err) + } + gtBase = > +} + +var _ kyber.Point = >Elt{} + +// GTElt is a wrapper around the Circl Gt point type. +type GTElt struct{ inner bls12381.GT } + +// MarshalBinary returns a compressed point, without any domain separation tag information +func (p *GTElt) MarshalBinary() (data []byte, err error) { + res := p.inner.Bytes() + return res[:], nil +} + +// UnmarshalBinary populates the point from a compressed point representation. +func (p *GTElt) UnmarshalBinary(data []byte) error { return p.inner.Unmarshal(data) } + +func (p *GTElt) String() string { return p.inner.String() } + +func (p *GTElt) MarshalSize() int { return bls12381.SizeOfGT } + +// MarshalTo writes a compressed point to the Writer, without any domain separation tag information +func (p *GTElt) MarshalTo(w io.Writer) (int, error) { + buf, err := p.MarshalBinary() + if err != nil { + return 0, err + } + return w.Write(buf) +} + +// UnmarshalFrom populates the point from a compressed point representation read from the Reader. +func (p *GTElt) UnmarshalFrom(r io.Reader) (int, error) { + buf := make([]byte, p.MarshalSize()) + n, err := io.ReadFull(r, buf) + if err != nil { + return n, err + } + return n, p.UnmarshalBinary(buf) +} + +func (p *GTElt) Equal(p2 kyber.Point) bool { x := p2.(*GTElt); return p.inner.Equal(&x.inner) } + +func (p *GTElt) Null() kyber.Point { p.inner.SetOne(); return p } + +func (p *GTElt) Base() kyber.Point { p.inner = *gtBase; return p } + +func (p *GTElt) Pick(_ cipher.Stream) kyber.Point { + panic("bls12-381: unsupported operation") +} + +func (p *GTElt) Set(p2 kyber.Point) kyber.Point { p.inner = p2.(*GTElt).inner; return p } + +func (p *GTElt) Clone() kyber.Point { return new(GTElt).Set(p) } + +func (p *GTElt) EmbedLen() int { + panic("bls12-381: unsupported operation") +} + +func (p *GTElt) Embed(_ []byte, _ cipher.Stream) kyber.Point { + panic("bls12-381: unsupported operation") +} + +func (p *GTElt) Data() ([]byte, error) { + panic("bls12-381: unsupported operation") +} + +func (p *GTElt) Add(a, b kyber.Point) kyber.Point { + aa, bb := a.(*GTElt), b.(*GTElt) + p.inner.Mul(&aa.inner, &bb.inner) + return p +} + +func (p *GTElt) Sub(a, b kyber.Point) kyber.Point { + return p.Add(a, new(GTElt).Neg(b)) +} + +func (p *GTElt) Neg(a kyber.Point) kyber.Point { + aa := a.(*GTElt) + p.inner.Inverse(&aa.inner) + return p +} + +func (p *GTElt) Mul(s kyber.Scalar, q kyber.Point) kyber.Point { + qq, ss := q.(*GTElt), s.(*Scalar) + var scalar big.Int + ss.inner.BigInt(&scalar) + p.inner.Exp(qq.inner, &scalar) + return p +} diff --git a/internal/bls/gnark/scalar.go b/internal/bls/gnark/scalar.go new file mode 100644 index 00000000..38047b52 --- /dev/null +++ b/internal/bls/gnark/scalar.go @@ -0,0 +1,109 @@ +package gnark + +import ( + "crypto/cipher" + "io" + "math/big" + + fr "github.com/consensys/gnark-crypto/ecc/bls12-381/fr" + "go.dedis.ch/kyber/v4" + "go.dedis.ch/kyber/v4/util/random" +) + +var _ kyber.Scalar = &Scalar{} + +type Scalar struct{ inner fr.Element } + +func (s *Scalar) MarshalBinary() (data []byte, err error) { res := s.inner.Bytes(); return res[:], nil } + +func (s *Scalar) UnmarshalBinary(data []byte) error { s.inner.SetBytes(data); return nil } + +func (s *Scalar) String() string { return s.inner.String() } + +func (s *Scalar) MarshalSize() int { return fr.Bytes } + +func (s *Scalar) MarshalTo(w io.Writer) (int, error) { + buf := s.inner.Bytes() + return w.Write(buf[:]) +} + +func (s *Scalar) UnmarshalFrom(r io.Reader) (int, error) { + buf := make([]byte, s.MarshalSize()) + n, err := io.ReadFull(r, buf) + if err != nil { + return n, err + } + s.inner.SetBytes(buf) + return n, nil +} + +func (s *Scalar) Equal(s2 kyber.Scalar) bool { + x := s2.(*Scalar) + return s.inner.Cmp(&x.inner) == 0 +} + +func (s *Scalar) Set(a kyber.Scalar) kyber.Scalar { + aa := a.(*Scalar) + s.inner.Set(&aa.inner) + return s +} + +func (s *Scalar) Clone() kyber.Scalar { return new(Scalar).Set(s) } + +func (s *Scalar) SetInt64(v int64) kyber.Scalar { + s.inner.SetInt64(v) + + return s +} + +func (s *Scalar) Zero() kyber.Scalar { s.inner.SetUint64(0); return s } + +func (s *Scalar) Add(a, b kyber.Scalar) kyber.Scalar { + aa, bb := a.(*Scalar), b.(*Scalar) + s.inner.Add(&aa.inner, &bb.inner) + return s +} + +func (s *Scalar) Sub(a, b kyber.Scalar) kyber.Scalar { + aa, bb := a.(*Scalar), b.(*Scalar) + s.inner.Sub(&aa.inner, &bb.inner) + return s +} + +func (s *Scalar) Neg(a kyber.Scalar) kyber.Scalar { + s.Set(a) + s.inner.Neg(&s.inner) + return s +} + +func (s *Scalar) One() kyber.Scalar { s.inner.SetUint64(1); return s } + +func (s *Scalar) Mul(a, b kyber.Scalar) kyber.Scalar { + aa, bb := a.(*Scalar), b.(*Scalar) + s.inner.Mul(&aa.inner, &bb.inner) + return s +} + +func (s *Scalar) Div(a, b kyber.Scalar) kyber.Scalar { return s.Mul(new(Scalar).Inv(b), a) } + +func (s *Scalar) Inv(a kyber.Scalar) kyber.Scalar { + aa := a.(*Scalar) + s.inner.Inverse(&aa.inner) + return s +} + +func (s *Scalar) Pick(stream cipher.Stream) kyber.Scalar { + n := random.Int(fr.Modulus(), stream) + s.inner.SetBigInt(n) + return s +} + +func (s *Scalar) SetBytes(data []byte) kyber.Scalar { s.inner.SetBytes(data); return s } + +func (s *Scalar) ByteOrder() kyber.ByteOrder { + return kyber.BigEndian +} + +func (s *Scalar) GroupOrder() *big.Int { + return fr.Modulus() +} diff --git a/internal/bls/gnark/suite.go b/internal/bls/gnark/suite.go new file mode 100644 index 00000000..f500f33b --- /dev/null +++ b/internal/bls/gnark/suite.go @@ -0,0 +1,83 @@ +package gnark + +import ( + "crypto/cipher" + "crypto/sha256" + "fmt" + "hash" + "io" + + bls12381 "github.com/consensys/gnark-crypto/ecc/bls12-381" + "go.dedis.ch/kyber/v4" + "go.dedis.ch/kyber/v4/pairing" + "go.dedis.ch/kyber/v4/util/random" + "go.dedis.ch/kyber/v4/xof/blake2xb" +) + +var _ pairing.Suite = Suite{} + +type Suite struct{} + +func NewSuite() (s Suite) { return } + +func (s Suite) String() string { return "bls12381" } +func (s Suite) G1() kyber.Group { return G1 } +func (s Suite) G2() kyber.Group { return G2 } +func (s Suite) GT() kyber.Group { return GT } + +func (s Suite) Pair(p1, p2 kyber.Point) kyber.Point { + aa, bb := p1.(*G1Elt), p2.(*G2Elt) + var g1aff bls12381.G1Affine + g1aff.FromJacobian(&aa.inner) + var g2aff bls12381.G2Affine + g2aff.FromJacobian(&bb.inner) + gt, err := bls12381.Pair([]bls12381.G1Affine{g1aff}, []bls12381.G2Affine{g2aff}) + if err != nil { + panic(fmt.Errorf("error in gnark pairing: %w", err)) + } + + return >Elt{gt} +} + +func (s Suite) ValidatePairing(p1, p2, p3, p4 kyber.Point) bool { + a, b := p1.(*G1Elt), p2.(*G2Elt) + c, d := p3.(*G1Elt), p4.(*G2Elt) + + var aAff, cAff bls12381.G1Affine + var bAff, dAff bls12381.G2Affine + aAff.FromJacobian(&a.inner) + bAff.FromJacobian(&b.inner) + cAff.FromJacobian(&c.inner) + dAff.FromJacobian(&d.inner) + + cAff.Neg(&cAff) + + out, err := bls12381.PairingCheck( + []bls12381.G1Affine{aAff, cAff}, + []bls12381.G2Affine{bAff, dAff}, + ) + if err != nil { + panic(fmt.Errorf("error in gnark pairing: %w", err)) + } + return out +} + +func (s Suite) Read(_ io.Reader, _ ...interface{}) error { + panic("Suite.Read(): deprecated in drand") +} + +func (s Suite) Write(_ io.Writer, _ ...interface{}) error { + panic("Suite.Write(): deprecated in drand") +} + +func (s Suite) Hash() hash.Hash { + return sha256.New() +} + +func (s Suite) XOF(seed []byte) kyber.XOF { + return blake2xb.New(seed) +} + +func (s Suite) RandomStream() cipher.Stream { + return random.New() +} diff --git a/internal/bls/gnark/suite_test.go b/internal/bls/gnark/suite_test.go new file mode 100644 index 00000000..532441b2 --- /dev/null +++ b/internal/bls/gnark/suite_test.go @@ -0,0 +1,49 @@ +package gnark + +import ( + "crypto/sha256" + "encoding/binary" + "encoding/hex" + "testing" + + "go.dedis.ch/kyber/v4/pairing" + + "go.dedis.ch/kyber/v4" +) + +func TestVerifySigOnG2(t *testing.T) { + pk := "868f005eb8e6e4ca0a47c8a77ceaa5309a47978a7c71bc5cce96366b5d7a569937c529eeda66c7293784a9402801af31" + sig := "8d61d9100567de44682506aea1a7a6fa6e5491cd27a0a0ed349ef6910ac5ac20ff7bc3e09d7c046566c9f7f3c6f3b10104990e7cb424998203d8f7de586fb7fa5f60045417a432684f85093b06ca91c769f0e7ca19268375e659c2a2352b4655" + prevSig := "176f93498eac9ca337150b46d21dd58673ea4e3581185f869672e59fa4cb390a" + round := uint64(1) + + suite := NewSuite() + pkb, _ := hex.DecodeString(pk) + pubkeyP := suite.G1().Point() + pubkeyP.UnmarshalBinary(pkb) + sigb, _ := hex.DecodeString(sig) + sigP := suite.G2().Point() + sigP.UnmarshalBinary(sigb) + prev, _ := hex.DecodeString(prevSig) + h := sha256.New() + h.Write(prev) + _ = binary.Write(h, binary.BigEndian, round) + msg := h.Sum(nil) + + base := suite.G1().Point().Base().Clone() + MsgP := suite.G2().Point().(kyber.HashablePoint).Hash(msg) + if !suite.ValidatePairing(base, sigP, pubkeyP, MsgP) { + t.Fatalf("Error validating pairing") + } +} + +func TestImplementInterfaces(_ *testing.T) { + var _ kyber.Point = &G1Elt{} + var _ kyber.Point = &G2Elt{} + var _ kyber.Point = >Elt{} + var _ kyber.HashablePoint = &G1Elt{} + var _ kyber.HashablePoint = &G2Elt{} + // var _ kyber.hashablePoint = &KyberGT{} // GT is not hashable for now + var _ kyber.Group = &groupBls{} + var _ pairing.Suite = &Suite{} +} diff --git a/sim/signing/bls.go b/sim/signing/bls.go index cf551897..10ac51e2 100644 --- a/sim/signing/bls.go +++ b/sim/signing/bls.go @@ -8,8 +8,9 @@ import ( "github.com/filecoin-project/go-f3/blssig" "github.com/filecoin-project/go-f3/gpbft" "go.dedis.ch/kyber/v4/pairing" - bls12381 "go.dedis.ch/kyber/v4/pairing/bls12381/kilic" - "go.dedis.ch/kyber/v4/sign/bdn" + + "github.com/filecoin-project/go-f3/internal/bls/bdn" + bls12381 "github.com/filecoin-project/go-f3/internal/bls/gnark" ) var _ Backend = (*BLSBackend)(nil) @@ -36,7 +37,7 @@ func (b *BLSBackend) Sign(ctx context.Context, sender gpbft.PubKey, msg []byte) } func NewBLSBackend() *BLSBackend { - suite := bls12381.NewBLS12381Suite() + suite := bls12381.NewSuiteBLS12381() return &BLSBackend{ Verifier: blssig.VerifierWithKeyOnG1(), signersByPubKey: make(map[string]*blssig.Signer), diff --git a/test/signing_suite_test.go b/test/signing_suite_test.go index b1a4e097..4d5680a3 100644 --- a/test/signing_suite_test.go +++ b/test/signing_suite_test.go @@ -5,13 +5,14 @@ import ( "slices" "testing" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + "github.com/filecoin-project/go-f3/blssig" "github.com/filecoin-project/go-f3/gpbft" + "github.com/filecoin-project/go-f3/internal/bls/bdn" + bls12381 "github.com/filecoin-project/go-f3/internal/bls/gnark" "github.com/filecoin-project/go-f3/sim/signing" - "github.com/stretchr/testify/require" - "github.com/stretchr/testify/suite" - bls12381 "go.dedis.ch/kyber/v4/pairing/bls12381/kilic" - "go.dedis.ch/kyber/v4/sign/bdn" ) type ( @@ -25,7 +26,7 @@ type ( func TestBLSSigning(t *testing.T) { var ( - blsSuit = bls12381.NewBLS12381Suite() + blsSuit = bls12381.NewSuiteBLS12381() blsSchema = bdn.NewSchemeOnG2(blsSuit) ) t.Parallel()