threshold-bls 0.2.2

Threshold BLS signature scheme implementation library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

use crate::group::{Element, Point, Scalar};
use crate::sig::bls::{common::BLSScheme, BLSError};
use crate::sig::{BlindScheme, Scheme};
use rand_core::RngCore;
use serde::{Deserialize, Serialize};
use thiserror::Error;

/// BlindError are errors which may be returned from a blind signature scheme
#[derive(Debug, Error)]
pub enum BlindError {
    /// InvalidToken is thrown out when the token used to unblind can not be
    /// inversed. This error should not happen if you use the Token that was
    /// returned by the blind operation.
    #[error("invalid token")]
    InvalidToken,

    /// Raised when (de)serialization fails
    #[error("could not deserialize: {0}")]
    BincodeError(#[from] bincode::Error),

    #[error("invalid signature verification: {0}")]
    SignatureError(#[from] BLSError),
}

/// Blinding a message before requesting a signature requires the usage of a
/// private blinding factor that is called a Token. To unblind the signature
/// afterwards, one needs the same token as what the blinding method returned.
/// In this blind signature scheme, the token is simply a field element.
#[derive(Clone, Debug, Serialize, Deserialize)]
#[serde(bound = "S: Serialize + serde::de::DeserializeOwned")]
pub struct Token<S: Scalar>(S);

impl<S: Scalar> Default for Token<S> {
    fn default() -> Self {
        Self::new()
    }
}

impl<S: Scalar> Token<S> {
    /// Instantiates a token with the `Zero` element of the underlying scalar
    pub fn new() -> Self {
        Self(S::new())
    }
}

/// The blinder follows the protocol described
/// in this [paper](https://eprint.iacr.org/2018/733.pdf).
impl<I> BlindScheme for I
where
    I: Scheme + BLSScheme,
{
    type Token = Token<I::Private>;
    type Error = BlindError;

    fn blind_msg<R: RngCore>(msg: &[u8], rng: &mut R) -> (Self::Token, Vec<u8>) {
        let r = I::Private::rand(rng);

        let mut h = I::Signature::new();

        // r * H(m)
        // XXX result from zexe API but it shouldn't
        h.map(msg).expect("could not map to the group");
        h.mul(&r);

        let serialized = bincode::serialize(&h).expect("serialization should not fail");
        (Token(r), serialized)
    }

    fn unblind_sig(t: &Self::Token, sigbuff: &[u8]) -> Result<Vec<u8>, Self::Error> {
        let mut sig: I::Signature = bincode::deserialize(sigbuff)?;

        // r^-1 * ( r * H(m)^x) = H(m)^x
        let ri = t.0.inverse().ok_or(BlindError::InvalidToken)?;
        sig.mul(&ri);

        let serialized = bincode::serialize(&sig)?;
        Ok(serialized)
    }

    fn blind_verify(
        public: &I::Public,
        blinded_msg: &[u8],
        blinded_sig: &[u8],
    ) -> Result<(), Self::Error> {
        // message point
        let blinded_msg: I::Signature = bincode::deserialize(blinded_msg)?;
        // signature point
        let blinded_sig: I::Signature = bincode::deserialize(blinded_sig)?;

        if !I::final_exp(public, &blinded_sig, &blinded_msg) {
            return Err(BlindError::from(BLSError::InvalidSig));
        }
        Ok(())
    }

    fn blind_sign(private: &I::Private, blinded_msg: &[u8]) -> Result<Vec<u8>, Self::Error> {
        // (r * H(m))^x
        let mut hm: I::Signature = bincode::deserialize(blinded_msg)?;
        hm.mul(private);
        Ok(bincode::serialize(&hm)?)
    }
}

#[cfg(test)]
#[cfg(feature = "bls12_381")]
mod tests {
    use super::*;
    use crate::curve::bls12381::PairingCurve as PCurve;
    use crate::sig::bls::{G1Scheme, G2Scheme};
    use crate::sig::SignatureScheme;
    use rand::thread_rng;

    #[cfg(feature = "bls12_381")]
    #[test]
    fn blind_g1() {
        blind_test::<G1Scheme<PCurve>>();
    }

    #[cfg(feature = "bls12_381")]
    #[test]
    fn blind_g2() {
        blind_test::<G2Scheme<PCurve>>();
    }

    fn blind_test<B>()
    where
        B: BlindScheme + SignatureScheme,
    {
        let (private, public) = B::keypair(&mut thread_rng());
        let msg = vec![1, 9, 6, 9];

        let (token, blinded) = B::blind_msg(&msg, &mut thread_rng());

        // signs the blinded message w/o hashing
        let blinded_sig = B::blind_sign(&private, &blinded).unwrap();
        B::blind_verify(&public, &blinded, &blinded_sig).unwrap();

        let clear_sig = B::unblind_sig(&token, &blinded_sig).expect("unblind should go well");
        B::verify(&public, &msg, &clear_sig).unwrap();
    }
}