blsful 3.1.0

BLS signature implementation according to the IETF spec on the BLS12-381 curve.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

use crate::impls::inner_types::*;
use crate::*;
use std::time::{Duration, SystemTime, UNIX_EPOCH};

const SALT: &[u8] = b"BLS_POK__BLS12381_XOF:HKDF-SHA2-256_";

/// Methods for creating a signature proof of knowledge as in
/// <https://miracl.com/assets/pdf-downloads/mpin4.pdf>
pub trait BlsSignatureProof:
    Pairing
    + HashToPoint<Output = Self::Signature>
    + HashToScalar<Output = <Self::Signature as Group>::Scalar>
{
    /// Create the value `U` and `x`
    fn generate_commitment<B: AsRef<[u8]>, D: AsRef<[u8]>>(
        msg: B,
        dst: D,
    ) -> BlsResult<(Self::Signature, <Self::Signature as Group>::Scalar)> {
        let mut x = <Self::Signature as Group>::Scalar::random(get_crypto_rng());
        // Should only happen with negligible probability but just in case
        while x.is_zero().into() {
            x = <Self::Signature as Group>::Scalar::random(get_crypto_rng());
        }
        let a = Self::hash_to_point(msg, dst);
        Ok((a * x, x))
    }

    /// Create the timestamp based challenge for `y`
    fn generate_timestamp_based_y(u: Self::Signature) -> (<Self::Signature as Group>::Scalar, u64) {
        let t = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap()
            .as_millis() as u64;
        (Self::compute_y(u, t), t)
    }

    /// Shared methods for generating `y` challenge
    fn compute_y(u: Self::Signature, t: u64) -> <Self::Signature as Group>::Scalar {
        let u_bytes = u.to_bytes();
        let u_ref = u_bytes.as_ref();
        let u_len = u_ref.len();
        let mut bytes = vec![0u8; 8 + u_len];
        bytes[..u_len].copy_from_slice(u_ref);
        bytes[u_len..].copy_from_slice(&t.to_le_bytes());
        Self::hash_to_scalar(&bytes, SALT)
    }

    /// Create the value `V`
    fn generate_proof(
        commitment: Self::Signature,
        x: <Self::Signature as Group>::Scalar,
        y: <Self::Signature as Group>::Scalar,
        sig: Self::Signature,
    ) -> BlsResult<(Self::Signature, Self::Signature)> {
        if commitment.is_identity().into() {
            return Err(BlsError::InvalidInputs(
                "commitment is the identity point".to_string(),
            ));
        }
        if sig.is_identity().into() {
            return Err(BlsError::InvalidInputs(
                "signature is the identity point".to_string(),
            ));
        }
        if x.is_zero().into() {
            return Err(BlsError::InvalidInputs("x is the zero".to_string()));
        }
        if y.is_zero().into() {
            return Err(BlsError::InvalidInputs("y is the zero".to_string()));
        }
        Ok((commitment, -(sig * (x + y))))
    }

    /// Create the value `V` using a timestamp
    fn generate_timestamp_proof<B: AsRef<[u8]>, D: AsRef<[u8]>>(
        msg: B,
        dst: D,
        sig: Self::Signature,
    ) -> BlsResult<(Self::Signature, Self::Signature, u64)> {
        if sig.is_identity().into() {
            return Err(BlsError::InvalidInputs(
                "signature is the identity point".to_string(),
            ));
        }
        let mut x = <Self::Signature as Group>::Scalar::random(get_crypto_rng());
        // Should only happen with negligible probability but just in case
        while x.is_zero().into() {
            x = <Self::Signature as Group>::Scalar::random(get_crypto_rng());
        }
        let a = Self::hash_to_point(msg, dst);
        debug_assert_eq!(a.is_identity().unwrap_u8(), 0u8);
        let u = a * x;
        debug_assert_eq!(u.is_identity().unwrap_u8(), 0u8);
        let (y, t) = Self::generate_timestamp_based_y(u);
        debug_assert_eq!(y.is_zero().unwrap_u8(), 0u8);
        let v = sig * (x + y);
        debug_assert_eq!(v.is_identity().unwrap_u8(), 0u8);
        Ok((u, -v, t))
    }

    /// Verify the signature proof of knowledge
    fn verify<B: AsRef<[u8]>, D: AsRef<[u8]>>(
        commitment: Self::Signature,
        proof: Self::Signature,
        pk: Self::PublicKey,
        y: <Self::Signature as Group>::Scalar,
        msg: B,
        dst: D,
    ) -> BlsResult<()> {
        if commitment.is_identity().into() {
            return Err(BlsError::InvalidInputs(
                "commitment is the identity point".to_string(),
            ));
        }
        if proof.is_identity().into() {
            return Err(BlsError::InvalidInputs(
                "proof is the identity point".to_string(),
            ));
        }
        if pk.is_identity().into() {
            return Err(BlsError::InvalidInputs(
                "pk is the identity point".to_string(),
            ));
        }
        if y.is_zero().into() {
            return Err(BlsError::InvalidInputs("y is the zero".to_string()));
        }

        let a = Self::hash_to_point(msg, dst);
        debug_assert_eq!(a.is_identity().unwrap_u8(), 0u8);
        if Self::pairing(&[
            (proof, <Self::PublicKey as Group>::generator()),
            (commitment + a * y, pk),
        ])
        .is_identity()
        .into()
        {
            Ok(())
        } else {
            Err(BlsError::InvalidProof)
        }
    }

    /// Verify a timestamp proof of knowledge
    fn verify_timestamp_proof<B: AsRef<[u8]>, D: AsRef<[u8]>>(
        commitment: Self::Signature,
        proof: Self::Signature,
        pk: Self::PublicKey,
        t: u64,
        timeout_ms: Option<u64>,
        msg: B,
        dst: D,
    ) -> BlsResult<()> {
        if let Some(tt) = timeout_ms {
            let now = SystemTime::now();
            let since = UNIX_EPOCH + Duration::from_millis(t);
            let elapsed = now.duration_since(since).unwrap().as_millis() as u64;
            if elapsed > tt {
                return Err(BlsError::InvalidProof);
            }
        }

        let y = Self::compute_y(commitment, t);
        debug_assert_eq!(y.is_zero().unwrap_u8(), 0u8);
        Self::verify(commitment, proof, pk, y, msg, dst)
    }
}