#![allow(clippy::derive_hash_xor_eq)]
#![cfg_attr(
feature = "use-insecure-test-only-mock-crypto",
allow(clippy::trivially_copy_pass_by_ref)
)]
#![warn(missing_docs)]
pub use ff;
pub use group;
pub use pairing;
mod cmp_pairing;
mod into_fr;
#[cfg(feature = "codec-support")]
#[macro_use]
mod codec_impl;
pub mod error;
pub mod poly;
pub mod serde_impl;
use std::borrow::Borrow;
use std::cmp::Ordering;
use std::convert::TryInto;
use std::fmt;
use std::hash::{Hash, Hasher};
use std::ops::{AddAssign, Mul, MulAssign, SubAssign};
use std::slice::Iter;
use std::vec::Vec;
use ff::Field;
use hex_fmt::HexFmt;
use log::debug;
use pairing::Engine;
use rand::distributions::{Distribution, Standard};
use rand::{rngs::OsRng, Rng, RngCore, SeedableRng};
use rand_chacha::ChaChaRng;
use serde::{Deserialize, Serialize};
use zeroize::Zeroize;
use crate::cmp_pairing::cmp_projective;
use crate::error::{Error, ScalaromBytesError, ScalaromBytesResult, Result};
use crate::poly::{Commitment, Poly};
pub use crate::into_fr::IntoScalar;
mod util;
use util::sha3_256;
#[cfg(feature = "use-insecure-test-only-mock-crypto")]
mod mock;
#[cfg(feature = "use-insecure-test-only-mock-crypto")]
pub use crate::mock::{
Mersenne8 as Scalar, Mocktography as PEngine, Ms8Affine as G1Affine,
Ms8Affine as G2Affine, Ms8Projective as G1Projective, Ms8Projective as G2Projective, PK_SIZE, SIG_SIZE,
};
#[cfg(not(feature = "use-insecure-test-only-mock-crypto"))]
pub use bls12_381::{Bls12 as PEngine, Scalar, G1Affine, G2Affine, G1Projective, G2Projective};
use group::{Curve, Group, GroupEncoding};
/// Byte length of a serialized [`PublicKey`] / [`PublicKeyShare`]: the compressed `G1` encoding
/// (also the length of a serialized [`DecryptionShare`]).
#[cfg(not(feature = "use-insecure-test-only-mock-crypto"))]
pub const PK_SIZE: usize = 48;
/// Byte length of a serialized [`Signature`] / [`SignatureShare`]: the compressed `G2` encoding.
#[cfg(not(feature = "use-insecure-test-only-mock-crypto"))]
pub const SIG_SIZE: usize = 96;
/// A public key: a point in `G1`. Serialized in compressed form as `PK_SIZE` bytes.
#[derive(Deserialize, Serialize, Copy, Clone, PartialEq, Eq)]
pub struct PublicKey(#[serde(with = "serde_impl::projective_publickey")] G1Projective);
impl Hash for PublicKey {
    // Hash the canonical (compressed affine) encoding so that two projective representations
    // of the same point, which compare equal, also hash equally.
    fn hash<H: Hasher>(&self, state: &mut H) {
        let encoded = self.0.to_affine().to_bytes();
        let view: &[u8] = encoded.as_ref();
        view.hash(state);
    }
}
impl fmt::Debug for PublicKey {
    // Prints a truncated hex rendering of the compressed encoding; public data, safe to log.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let encoded = self.0.to_affine().to_bytes();
        f.write_fmt(format_args!("PublicKey({:0.10})", HexFmt(encoded)))
    }
}
impl PartialOrd for PublicKey {
    // Total order, delegated to `Ord`.
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        let ordering = self.cmp(other);
        Some(ordering)
    }
}
impl Ord for PublicKey {
    // Orders by the underlying points via `cmp_projective` (see `cmp_pairing`).
    fn cmp(&self, other: &Self) -> Ordering {
        let (lhs, rhs) = (&self.0, &other.0);
        cmp_projective(lhs, rhs)
    }
}
impl PublicKey {
    /// Wraps a `G1` point as a public key.
    ///
    /// This is an inherent `from`, not the `From` trait; the name is kept so existing callers
    /// keep working.
    pub fn from(g1: G1Projective) -> Self {
        Self(g1)
    }
    /// Verifies `sig` on an already hashed message `hash` (a point in `G2`) by checking the
    /// pairing equation `e(pk, hash) == e(g1, sig)`.
    ///
    /// Nothing here rejects the identity element for `self` or `sig`, and no proof of
    /// possession is checked; keys that originate from other parties should be validated at
    /// the boundary where they enter the system.
    pub fn verify_g2<H: Into<G2Affine>>(&self, sig: &Signature, hash: H) -> bool {
        let with_key = PEngine::pairing(&self.0.to_affine(), &hash.into());
        let with_generator = PEngine::pairing(&G1Affine::generator(), &sig.0.to_affine());
        with_key == with_generator
    }
    /// Verifies `sig` on the raw message `msg`, hashing it to `G2` with [`hash_g2`] first.
    pub fn verify<M: AsRef<[u8]>>(&self, sig: &Signature, msg: M) -> bool {
        let hashed = hash_g2(msg);
        self.verify_g2(sig, hashed)
    }
    /// Encrypts `msg` for this key, drawing randomness from the operating system (`OsRng`).
    pub fn encrypt<M: AsRef<[u8]>>(&self, msg: M) -> Ciphertext {
        self.encrypt_with_rng(&mut OsRng, msg)
    }
    /// Encrypts `msg` for this key with the caller-supplied `rng`.
    ///
    /// With a fresh scalar `r` the ciphertext is `(u, v, w)`: `u = g1 * r`, `v` is `msg` XORed
    /// with a keystream derived from `pk * r` (see [`xor_with_hash`]), and
    /// `w = hash_g1_g2(u, v) * r`, which lets anyone check the triple's consistency through
    /// [`Ciphertext::verify`]. `rng` must be cryptographically secure: whoever can predict `r`
    /// can recompute `pk * r` and hence the keystream.
    pub fn encrypt_with_rng<R: RngCore, M: AsRef<[u8]>>(&self, rng: &mut R, msg: M) -> Ciphertext {
        let r: Scalar = Scalar::random(rng);
        let u = G1Affine::generator().mul(r);
        let shared = self.0.to_affine().mul(r);
        let v = xor_with_hash(shared, msg.as_ref());
        let w = hash_g1_g2(u, &v).to_affine().mul(r);
        Ciphertext(u, v, w)
    }
    /// Decodes a compressed `G1` encoding of `PK_SIZE` bytes.
    ///
    /// # Errors
    /// `ScalaromBytesError::Invalid` if the bytes do not decode to a point. Which encodings are
    /// accepted (e.g. whether a subgroup check is performed) is decided by
    /// `G1Affine::from_bytes` of the curve backend.
    pub fn from_bytes<B: Borrow<[u8; PK_SIZE]>>(bytes: B) -> ScalaromBytesResult<Self> {
        let mut compressed = <<G1Affine as GroupEncoding>::Repr as Default>::default();
        compressed.as_mut().copy_from_slice(bytes.borrow());
        let decoded: Option<G1Affine> = G1Affine::from_bytes(&compressed).into();
        let affine = decoded.ok_or(ScalaromBytesError::Invalid)?;
        Ok(PublicKey(G1Projective::from(affine)))
    }
    /// Returns the compressed `G1` encoding (`PK_SIZE` bytes); inverse of
    /// [`PublicKey::from_bytes`].
    pub fn to_bytes(&self) -> [u8; PK_SIZE] {
        let encoded = self.0.to_affine().to_bytes();
        let mut out = [0u8; PK_SIZE];
        out.copy_from_slice(encoded.as_ref());
        out
    }
}
/// A public key share: one participant's [`PublicKey`], obtained from a [`PublicKeySet`] by
/// evaluating the commitment at that participant's index. Serialized like a [`PublicKey`].
#[cfg_attr(feature = "codec-support", derive(codec::Encode, codec::Decode))]
#[derive(Deserialize, Serialize, Clone, Copy, PartialEq, Eq, Hash, Ord, PartialOrd)]
pub struct PublicKeyShare(PublicKey);
impl fmt::Debug for PublicKeyShare {
    // Prints a truncated hex rendering of the uncompressed encoding of the inner point.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let inner = &(self.0).0;
        let encoded = inner.to_affine().to_uncompressed();
        f.write_fmt(format_args!("PublicKeyShare({:0.10})", HexFmt(encoded)))
    }
}
impl PublicKeyShare {
    /// Verifies a signature share on an already hashed message; see [`PublicKey::verify_g2`].
    pub fn verify_g2<H: Into<G2Affine>>(&self, sig: &SignatureShare, hash: H) -> bool {
        let PublicKeyShare(key) = self;
        key.verify_g2(&sig.0, hash)
    }
    /// Verifies a signature share on the raw message `msg` (hashed with [`hash_g2`]).
    pub fn verify<M: AsRef<[u8]>>(&self, sig: &SignatureShare, msg: M) -> bool {
        let hashed = hash_g2(msg);
        self.verify_g2(sig, hashed)
    }
    /// Checks that `share` is this participant's decryption share for `ct`, via
    /// `e(share, hash_g1_g2(u, v)) == e(pk_share, w)`.
    ///
    /// This does not call `ct.verify()`; check the ciphertext itself separately when it comes
    /// from an untrusted source.
    pub fn verify_decryption_share(&self, share: &DecryptionShare, ct: &Ciphertext) -> bool {
        let Ciphertext(u, v, w) = ct;
        let hashed = hash_g1_g2(*u, v);
        let with_share = PEngine::pairing(&share.0.to_affine(), &hashed.to_affine());
        let with_key = PEngine::pairing(&(self.0).0.to_affine(), &w.to_affine());
        with_share == with_key
    }
    /// Decodes a compressed `G1` encoding; see [`PublicKey::from_bytes`].
    ///
    /// # Errors
    /// `ScalaromBytesError::Invalid` if the bytes do not decode to a point.
    pub fn from_bytes<B: Borrow<[u8; PK_SIZE]>>(bytes: B) -> ScalaromBytesResult<Self> {
        PublicKey::from_bytes(bytes).map(PublicKeyShare)
    }
    /// Returns the compressed `G1` encoding (`PK_SIZE` bytes).
    pub fn to_bytes(&self) -> [u8; PK_SIZE] {
        let PublicKeyShare(key) = self;
        key.to_bytes()
    }
}
/// A signature: a point in `G2`. Serialized in compressed form as `SIG_SIZE` bytes.
#[derive(Deserialize, Serialize, Clone, PartialEq, Eq)]
pub struct Signature(#[serde(with = "serde_impl::projective")] G2Projective);
impl PartialOrd for Signature {
    // Total order, delegated to `Ord`.
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        let ordering = self.cmp(other);
        Some(ordering)
    }
}
impl Ord for Signature {
    // Orders by the underlying `G2` points via `cmp_projective` (see `cmp_pairing`).
    fn cmp(&self, other: &Self) -> Ordering {
        let (lhs, rhs) = (&self.0, &other.0);
        cmp_projective(lhs, rhs)
    }
}
impl Distribution<Signature> for Standard {
    // A uniformly random `G2` point wrapped as a signature; useful for tests and placeholders,
    // it is not a signature of anything.
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> Signature {
        let point = G2Projective::random(rng);
        Signature(point)
    }
}
impl fmt::Debug for Signature {
    // Prints a truncated hex rendering of the uncompressed encoding.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let encoded = self.0.to_affine().to_uncompressed();
        f.write_fmt(format_args!("Signature({:0.10})", HexFmt(encoded)))
    }
}
impl Hash for Signature {
    // Hash the canonical compressed encoding so equal points hash equally.
    fn hash<H: Hasher>(&self, state: &mut H) {
        let encoded = self.0.to_affine().to_bytes();
        let view: &[u8] = encoded.as_ref();
        view.hash(state);
    }
}
impl Signature {
    /// Returns one bit derived from the signature: the parity of the total number of set bits
    /// in its uncompressed encoding. Logs a truncated rendering of the signature at debug level.
    pub fn parity(&self) -> bool {
        let uncomp = self.0.to_affine().to_uncompressed();
        // XOR-folding all bytes into one preserves the parity of the overall popcount.
        let folded = uncomp.as_ref().iter().fold(0u8, |acc, byte| acc ^ byte);
        let parity = folded.count_ones() % 2 == 1;
        debug!("Signature: {:0.10}, parity: {}", HexFmt(uncomp), parity);
        parity
    }
    /// Decodes a compressed `G2` encoding of `SIG_SIZE` bytes.
    ///
    /// # Errors
    /// `ScalaromBytesError::Invalid` if the bytes do not decode to a point; which encodings are
    /// accepted is decided by `G2Affine::from_bytes` of the curve backend.
    pub fn from_bytes<B: Borrow<[u8; SIG_SIZE]>>(bytes: B) -> ScalaromBytesResult<Self> {
        let mut compressed = <<G2Affine as GroupEncoding>::Repr as Default>::default();
        compressed.as_mut().copy_from_slice(bytes.borrow());
        let decoded: Option<G2Affine> = G2Affine::from_bytes(&compressed).into();
        let affine = decoded.ok_or(ScalaromBytesError::Invalid)?;
        Ok(Signature(G2Projective::from(affine)))
    }
    /// Returns the compressed `G2` encoding (`SIG_SIZE` bytes); inverse of
    /// [`Signature::from_bytes`].
    pub fn to_bytes(&self) -> [u8; SIG_SIZE] {
        let encoded = self.0.to_affine().to_bytes();
        let mut out = [0u8; SIG_SIZE];
        out.copy_from_slice(encoded.as_ref());
        out
    }
}
/// A signature share: one participant's [`Signature`], produced with a [`SecretKeyShare`].
/// `threshold + 1` of them combine into a master signature via
/// [`PublicKeySet::combine_signatures`].
#[cfg_attr(feature = "codec-support", derive(codec::Encode, codec::Decode))]
#[derive(Deserialize, Serialize, Clone, PartialEq, Eq, Hash, Ord, PartialOrd)]
pub struct SignatureShare(pub Signature);
impl Distribution<SignatureShare> for Standard {
    // A random (meaningless) signature share, built from a random `Signature`.
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SignatureShare {
        let inner: Signature = rng.gen();
        SignatureShare(inner)
    }
}
impl fmt::Debug for SignatureShare {
    // Prints a truncated hex rendering of the inner signature's uncompressed encoding.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let inner = &(self.0).0;
        let encoded = inner.to_affine().to_uncompressed();
        f.write_fmt(format_args!("SignatureShare({:0.10})", HexFmt(encoded)))
    }
}
impl SignatureShare {
    /// Decodes a compressed `G2` encoding; see [`Signature::from_bytes`].
    ///
    /// # Errors
    /// `ScalaromBytesError::Invalid` if the bytes do not decode to a point.
    pub fn from_bytes<B: Borrow<[u8; SIG_SIZE]>>(bytes: B) -> ScalaromBytesResult<Self> {
        Signature::from_bytes(bytes).map(SignatureShare)
    }
    /// Returns the compressed `G2` encoding (`SIG_SIZE` bytes).
    pub fn to_bytes(&self) -> [u8; SIG_SIZE] {
        let SignatureShare(inner) = self;
        inner.to_bytes()
    }
}
/// A secret key: a scalar. Zeroized on drop and through [`Zeroize`]; deliberately not `Copy`,
/// and its `Debug` output hides the value — use [`SecretKey::reveal`] when you really need it.
/// Equality delegates to `Scalar`'s `PartialEq`; whether that comparison is constant-time
/// depends on the curve backend.
#[derive(PartialEq, Eq, Clone)]
pub struct SecretKey(Scalar);
impl Zeroize for SecretKey {
    // Overwrites the scalar in place; also invoked from `Drop`.
    fn zeroize(&mut self) {
        let SecretKey(scalar) = self;
        Zeroize::zeroize(scalar);
    }
}
impl Drop for SecretKey {
    // Every `SecretKey` (including clones) wipes its scalar when it goes out of scope.
    fn drop(&mut self) {
        Zeroize::zeroize(self);
    }
}
impl Default for SecretKey {
    // The all-zero scalar: a placeholder, not a usable key.
    fn default() -> Self {
        let mut zero = Scalar::zero();
        Self::from_mut(&mut zero)
    }
}
impl Distribution<SecretKey> for Standard {
    // A uniformly random scalar from `rng`; the caller's `rng` must be cryptographically secure.
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SecretKey {
        let scalar = Scalar::random(rng);
        SecretKey(scalar)
    }
}
impl fmt::Debug for SecretKey {
    // Never prints the scalar: renders as `SecretKey(...)`.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut tuple = f.debug_tuple("SecretKey");
        tuple.field(&DebugDots);
        tuple.finish()
    }
}
impl SecretKey {
    /// Builds a key from `fr`, then zeroizes `fr` so the caller's copy does not linger.
    pub fn from_mut(fr: &mut Scalar) -> Self {
        let key = SecretKey(*fr);
        Zeroize::zeroize(fr);
        key
    }
    /// Generates a fresh random key from `rand`'s thread-local RNG.
    pub fn random() -> Self {
        rand::random()
    }
    /// The corresponding public key, `g1 * sk`.
    pub fn public_key(&self) -> PublicKey {
        let point = G1Affine::generator().mul(self.0);
        PublicKey(point)
    }
    /// Signs an already hashed message (a point in `G2`): `hash * sk`.
    pub fn sign_g2<H: Into<G2Affine>>(&self, hash: H) -> Signature {
        let point = hash.into().mul(self.0);
        Signature(point)
    }
    /// Signs the raw message `msg`, hashing it to `G2` with [`hash_g2`] first.
    pub fn sign<M: AsRef<[u8]>>(&self, msg: M) -> Signature {
        let hashed = hash_g2(msg);
        self.sign_g2(hashed)
    }
    /// Decrypts `ct`, or returns `None` if `ct.verify()` fails.
    ///
    /// The plaintext is `v` XORed with the keystream derived from `u * sk`. The only integrity
    /// check is the pairing equation in [`Ciphertext::verify`]; decrypting with the wrong key
    /// yields `Some(garbage)` rather than `None`.
    pub fn decrypt(&self, ct: &Ciphertext) -> Option<Vec<u8>> {
        if !ct.verify() {
            return None;
        }
        let Ciphertext(u, v, _) = ct;
        let shared = u.to_affine().mul(self.0);
        Some(xor_with_hash(shared, v))
    }
    /// Renders the secret scalar as text, for debugging only. The returned `String` is an
    /// ordinary allocation and is not zeroized.
    pub fn reveal(&self) -> String {
        format!("SecretKey({:?})", self.0)
    }
}
/// A secret key share: one participant's [`SecretKey`], obtained from a [`SecretKeySet`] by
/// evaluating the polynomial at that participant's index. Inherits zeroization on drop from
/// the inner [`SecretKey`].
#[derive(Clone, PartialEq, Eq, Default)]
pub struct SecretKeyShare(SecretKey);
impl Distribution<SecretKeyShare> for Standard {
    // A random share (not tied to any `SecretKeySet`), built from a random `SecretKey`.
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> SecretKeyShare {
        let inner: SecretKey = rng.gen();
        SecretKeyShare(inner)
    }
}
impl fmt::Debug for SecretKeyShare {
    // Never prints the scalar: renders as `SecretKeyShare(...)`.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut tuple = f.debug_tuple("SecretKeyShare");
        tuple.field(&DebugDots);
        tuple.finish()
    }
}
impl SecretKeyShare {
    /// Builds a share from `fr` and zeroizes `fr`; see [`SecretKey::from_mut`].
    pub fn from_mut(fr: &mut Scalar) -> Self {
        let inner = SecretKey::from_mut(fr);
        SecretKeyShare(inner)
    }
    /// The matching public key share.
    pub fn public_key_share(&self) -> PublicKeyShare {
        let SecretKeyShare(key) = self;
        PublicKeyShare(key.public_key())
    }
    /// Signs an already hashed message; see [`SecretKey::sign_g2`].
    pub fn sign_g2<H: Into<G2Affine>>(&self, hash: H) -> SignatureShare {
        let SecretKeyShare(key) = self;
        SignatureShare(key.sign_g2(hash))
    }
    /// Signs the raw message `msg`; see [`SecretKey::sign`].
    pub fn sign<M: AsRef<[u8]>>(&self, msg: M) -> SignatureShare {
        let SecretKeyShare(key) = self;
        SignatureShare(key.sign(msg))
    }
    /// Produces this participant's decryption share for `ct`, or `None` if `ct.verify()`
    /// fails. Prefer this over [`SecretKeyShare::decrypt_share_no_verify`] for ciphertexts
    /// from untrusted sources.
    pub fn decrypt_share(&self, ct: &Ciphertext) -> Option<DecryptionShare> {
        if ct.verify() {
            Some(self.decrypt_share_no_verify(ct))
        } else {
            None
        }
    }
    /// Produces this participant's decryption share `u * sk_i` without checking `ct`.
    pub fn decrypt_share_no_verify(&self, ct: &Ciphertext) -> DecryptionShare {
        let scalar = (self.0).0;
        DecryptionShare(ct.0.to_affine().mul(scalar))
    }
    /// Renders the secret scalar as text, for debugging only; the `String` is not zeroized.
    pub fn reveal(&self) -> String {
        format!("SecretKeyShare({:?})", (self.0).0)
    }
}
/// A ciphertext produced by [`PublicKey::encrypt`], laid out as `(u, v, w)`: `u = g1 * r` in
/// `G1`, `v` the message XORed with a keystream derived from `pk * r` (so `v` has the
/// plaintext's length), and `w = hash_g1_g2(u, v) * r` in `G2`, which [`Ciphertext::verify`]
/// checks against `u` and `v`.
#[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq)]
pub struct Ciphertext(
    #[serde(with = "serde_impl::projective")] G1Projective,
    Vec<u8>,
    #[serde(with = "serde_impl::projective")] G2Projective,
);
impl Hash for Ciphertext {
    // Hashes `u`, `v`, `w` in that order, using the points' canonical compressed encodings.
    fn hash<H: Hasher>(&self, state: &mut H) {
        let Ciphertext(u, v, w) = self;
        let u_bytes = u.to_affine().to_bytes();
        let w_bytes = w.to_affine().to_bytes();
        let u_view: &[u8] = u_bytes.as_ref();
        let w_view: &[u8] = w_bytes.as_ref();
        u_view.hash(state);
        v.hash(state);
        w_view.hash(state);
    }
}
impl PartialOrd for Ciphertext {
    // Total order, delegated to `Ord`.
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        let ordering = self.cmp(other);
        Some(ordering)
    }
}
impl Ord for Ciphertext {
    // Lexicographic order over `(u, v, w)`: points via `cmp_projective`, `v` as a byte vector.
    fn cmp(&self, other: &Self) -> Ordering {
        let Ciphertext(u0, v0, w0) = self;
        let Ciphertext(u1, v1, w1) = other;
        cmp_projective(u0, u1)
            .then_with(|| v0.cmp(v1))
            .then_with(|| cmp_projective(w0, w1))
    }
}
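impl Ciphertext {
    /// Byte length of a compressed `G1` point in the wire format of `to_bytes`/`from_bytes`.
    const G1_LEN: usize = 48;
    /// Byte length of a compressed `G2` point in the wire format of `to_bytes`/`from_bytes`.
    const G2_LEN: usize = 96;
    /// Checks the ciphertext's internal consistency: `e(g1, w) == e(u, hash_g1_g2(u, v))`,
    /// i.e. that `w` was formed from the same scalar `r` as `u`, over exactly this `v`.
    ///
    /// This is a well-formedness check, not proof that `v` decrypts to anything meaningful
    /// under a given key.
    pub fn verify(&self) -> bool {
        let Ciphertext(ref u, ref v, ref w) = *self;
        let hash = hash_g1_g2(*u, v);
        PEngine::pairing(&G1Affine::generator(), &w.to_affine()) == PEngine::pairing(&u.to_affine(), &hash.to_affine())
    }
    /// Serializes as `u (compressed) || w (compressed) || v`; inverse of
    /// [`Ciphertext::from_bytes`].
    pub fn to_bytes(&self) -> Vec<u8> {
        let Ciphertext(u, v, w) = self;
        let mut out = Vec::with_capacity(Self::G1_LEN + Self::G2_LEN + v.len());
        out.extend_from_slice(&u.to_affine().to_compressed());
        out.extend_from_slice(&w.to_affine().to_compressed());
        out.extend_from_slice(v);
        out
    }
    /// Parses the `to_bytes` format. Returns `None` if the input is shorter than the two
    /// point encodings or if either point fails to decode (which encodings are accepted, e.g.
    /// whether a subgroup check is performed, is up to the backend's `from_compressed`).
    /// Everything after the two points is taken as `v`, so an empty `v` is valid.
    pub fn from_bytes(bytes: &[u8]) -> Option<Self> {
        if bytes.len() < Self::G1_LEN + Self::G2_LEN {
            return None;
        }
        let (u_bytes, rest) = bytes.split_at(Self::G1_LEN);
        let (w_bytes, v) = rest.split_at(Self::G2_LEN);
        // The length check above guarantees these conversions succeed; `?` keeps a panic path
        // out of a parser that sees untrusted input.
        let u_bytes: [u8; Self::G1_LEN] = u_bytes.try_into().ok()?;
        let w_bytes: [u8; Self::G2_LEN] = w_bytes.try_into().ok()?;
        // `CtOption` -> `Option` via `From`, so decoding failure short-circuits with `?`.
        let u: G1Affine = Option::from(G1Affine::from_compressed(&u_bytes))?;
        let w: G2Affine = Option::from(G2Affine::from_compressed(&w_bytes))?;
        Some(Ciphertext(G1Projective::from(u), v.to_vec(), G2Projective::from(w)))
    }
}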
/// A decryption share `u * sk_i`: one participant's contribution to decrypting a
/// [`Ciphertext`]; `threshold + 1` of them are combined by [`PublicKeySet::decrypt`].
#[derive(Clone, Deserialize, Serialize, PartialEq, Eq)]
pub struct DecryptionShare(#[serde(with = "serde_impl::projective")] G1Projective);
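impl DecryptionShare {
    /// Returns the compressed `G1` encoding (48 bytes); inverse of
    /// [`DecryptionShare::from_bytes`].
    pub fn to_bytes(&self) -> [u8; 48] {
        self.0.to_affine().to_compressed()
    }
    /// Decodes a compressed `G1` encoding, or `None` if the bytes are not a valid point
    /// (which encodings are accepted is up to the backend's `from_compressed`).
    pub fn from_bytes(bytes: &[u8; 48]) -> Option<Self> {
        // `CtOption` -> `Option` via `From`, so a failed decode short-circuits with `?`.
        let affine: G1Affine = Option::from(G1Affine::from_compressed(bytes))?;
        Some(DecryptionShare(G1Projective::from(affine)))
    }
}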
impl Distribution<DecryptionShare> for Standard {
    // A random `G1` point; not a share of any ciphertext, intended for tests.
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> DecryptionShare {
        let point = G1Projective::random(rng);
        DecryptionShare(point)
    }
}
impl Hash for DecryptionShare {
    // Hash the canonical compressed encoding so equal points hash equally.
    fn hash<H: Hasher>(&self, state: &mut H) {
        let encoded = self.0.to_affine().to_bytes();
        let view: &[u8] = encoded.as_ref();
        view.hash(state);
    }
}
impl fmt::Debug for DecryptionShare {
    // Renders as `DecryptionShare(...)` without the point.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut tuple = f.debug_tuple("DecryptionShare");
        tuple.field(&DebugDots);
        tuple.finish()
    }
}
/// The public side of a [`SecretKeySet`]: a commitment to the secret polynomial, from which
/// the master public key and every participant's public key share can be derived.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq, Ord, PartialOrd)]
pub struct PublicKeySet {
    // Commitment to the polynomial's coefficients (points in `G1`).
    commit: Commitment,
}
impl Hash for PublicKeySet {
    // Delegates to the commitment's `Hash`.
    fn hash<H: Hasher>(&self, state: &mut H) {
        let PublicKeySet { commit } = self;
        commit.hash(state);
    }
}
impl From<Commitment> for PublicKeySet {
    // Wraps a commitment without further checks.
    fn from(commit: Commitment) -> PublicKeySet {
        Self { commit }
    }
}
impl PublicKeySet {
    /// Iterates over the commitment's coefficients (points in `G1`); the first one is the
    /// master public key.
    pub fn coefficients(&self) -> Iter<G1Projective> {
        self.commit.coeff.iter()
    }
    /// The threshold `t`: `t + 1` signature or decryption shares are needed to combine.
    pub fn threshold(&self) -> usize {
        self.commit.degree()
    }
    /// The master public key: the commitment to the polynomial's constant term.
    pub fn public_key(&self) -> PublicKey {
        let constant_term = self.commit.coeff[0];
        PublicKey(constant_term)
    }
    /// The public key share of participant `i`: the commitment evaluated at `i + 1` (the
    /// shift keeps `x = 0`, the master key, off the share indices).
    pub fn public_key_share<T: IntoScalar>(&self, i: T) -> PublicKeyShare {
        let x = into_fr_plus_1(i);
        let value = self.commit.evaluate(x);
        PublicKeyShare(PublicKey(value))
    }
    /// Combines signature shares into a master signature by Lagrange interpolation.
    ///
    /// Only the first `threshold + 1` shares are consumed, and they are not verified here: one
    /// bad share yields an invalid master signature rather than an error. Check shares with
    /// [`PublicKeyShare::verify`] first when they come from untrusted participants.
    ///
    /// # Errors
    /// `Error::NotEnoughShares` if fewer than `threshold + 1` shares are given;
    /// `Error::DuplicateEntry` if the interpolation meets a repeated index.
    pub fn combine_signatures<'a, T, I>(&self, shares: I) -> Result<Signature>
    where
        I: IntoIterator<Item = (T, &'a SignatureShare)>,
        T: IntoScalar,
    {
        let points = shares.into_iter().map(|(i, share)| (i, &(share.0).0));
        interpolate(self.commit.degree(), points).map(Signature)
    }
    /// Combines decryption shares by Lagrange interpolation and decrypts `ct`.
    ///
    /// `ct.verify()` is not called here and the shares are not checked (see
    /// [`PublicKeyShare::verify_decryption_share`]); with bad input this returns garbage
    /// rather than an error.
    ///
    /// # Errors
    /// As for [`PublicKeySet::combine_signatures`].
    pub fn decrypt<'a, T, I>(&self, shares: I, ct: &Ciphertext) -> Result<Vec<u8>>
    where
        I: IntoIterator<Item = (T, &'a DecryptionShare)>,
        T: IntoScalar,
    {
        let points = shares.into_iter().map(|(i, share)| (i, &share.0));
        let shared = interpolate(self.commit.degree(), points)?;
        Ok(xor_with_hash(shared, &ct.1))
    }
}
/// The secret side of a threshold key: a random polynomial whose value at `0` is the master
/// secret and whose value at `i + 1` is participant `i`'s secret key share. No `Debug` impl,
/// so the polynomial is never printed by accident; see `poly::Poly` for how its memory is
/// handled on drop.
#[derive(Clone, PartialEq, Eq)]
pub struct SecretKeySet {
    // The secret polynomial.
    poly: Poly,
}
impl From<Poly> for SecretKeySet {
    // Wraps a polynomial without further checks.
    fn from(poly: Poly) -> SecretKeySet {
        Self { poly }
    }
}
impl SecretKeySet {
    /// Generates a random key set with the given `threshold` (polynomial degree) from `rng`,
    /// which must be cryptographically secure.
    ///
    /// # Panics
    /// If [`SecretKeySet::try_random`] fails, e.g. for an unrepresentably large threshold.
    pub fn random<R: Rng>(threshold: usize, rng: &mut R) -> Self {
        match SecretKeySet::try_random(threshold, rng) {
            Ok(set) => set,
            Err(e) => panic!("Failed to create random `SecretKeySet`: {}", e),
        }
    }
    /// Generates a random key set with the given `threshold`, propagating polynomial
    /// generation errors instead of panicking.
    ///
    /// # Errors
    /// Whatever `Poly::try_random` reports.
    pub fn try_random<R: Rng>(threshold: usize, rng: &mut R) -> Result<Self> {
        let poly = Poly::try_random(threshold, rng)?;
        Ok(SecretKeySet::from(poly))
    }
    /// The threshold `t`: `t + 1` shares are needed to reconstruct a signature or plaintext.
    pub fn threshold(&self) -> usize {
        self.poly.degree()
    }
    /// Participant `i`'s secret key share: the polynomial evaluated at `i + 1`. The
    /// intermediate scalar is zeroized once moved into the share.
    pub fn secret_key_share<T: IntoScalar>(&self, i: T) -> SecretKeyShare {
        let x = into_fr_plus_1(i);
        let mut value = self.poly.evaluate(x);
        SecretKeyShare::from_mut(&mut value)
    }
    /// The corresponding [`PublicKeySet`] (commitment to the polynomial).
    pub fn public_keys(&self) -> PublicKeySet {
        let commit = self.poly.commitment();
        PublicKeySet { commit }
    }
    // The master secret key, the polynomial's value at `0`. Test-only: production code never
    // needs the reconstructed master secret.
    #[cfg(test)]
    fn secret_key(&self) -> SecretKey {
        let mut value = self.poly.evaluate(0);
        SecretKey::from_mut(&mut value)
    }
}
/// Deterministically maps `msg` to a point in `G2`: the SHA3-256 digest of `msg` seeds a
/// ChaCha RNG from which one point is sampled.
///
/// This is not a standardised hash-to-curve construction (e.g. RFC 9380), so it is not
/// interoperable with other BLS implementations. Treating it as a random oracle relies on the
/// backend's `G2Projective::random` yielding points whose discrete logarithm is unknown; that
/// is not a security property under the `use-insecure-test-only-mock-crypto` feature.
pub fn hash_g2<M: AsRef<[u8]>>(msg: M) -> G2Projective {
    let seed = sha3_256(msg.as_ref());
    let mut rng = ChaChaRng::from_seed(seed);
    G2Projective::random(&mut rng)
}
/// Hashes a `G1` point together with `msg` to a point in `G2`, binding a ciphertext's `w` to
/// its `(u, v)` (see [`PublicKey::encrypt_with_rng`] and [`Ciphertext::verify`]).
///
/// The input to [`hash_g2`] is `msg || g1`, where `msg` longer than 64 bytes is replaced by
/// its SHA3-256 digest. The two branches carry no domain separator, so a `msg` of at most
/// 64 bytes that happens to equal the digest of a longer message hashes to the same point;
/// changing that would alter every existing `w`, so it is documented here rather than fixed.
fn hash_g1_g2<M: AsRef<[u8]>>(g1: G1Projective, msg: M) -> G2Projective {
    let msg = msg.as_ref();
    let mut input = if msg.len() > 64 {
        sha3_256(msg).to_vec()
    } else {
        msg.to_vec()
    };
    input.extend_from_slice(g1.to_affine().to_bytes().as_ref());
    hash_g2(&input)
}
/// XORs `bytes` with a keystream derived from `g1`: a ChaCha RNG seeded with the SHA3-256
/// digest of `g1`'s compressed encoding. Output length equals `bytes.len()`.
///
/// This is the symmetric layer of the encryption scheme; it provides no integrity of its own
/// (the pairing check in [`Ciphertext::verify`] does), and the same `g1` always yields the
/// same keystream, so it must never be reused across messages.
fn xor_with_hash(g1: G1Projective, bytes: &[u8]) -> Vec<u8> {
    let seed = sha3_256(g1.to_affine().to_bytes().as_ref());
    let keystream = ChaChaRng::from_seed(seed).sample_iter(&Standard);
    keystream
        .zip(bytes)
        .map(|(key_byte, data_byte): (u8, &u8)| key_byte ^ data_byte)
        .collect()
}
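/// Lagrange-interpolates, at `x = 0`, the degree-`t` polynomial with coefficients in the
/// group `C` that passes through the given `(index, value)` samples. Indices are shifted by
/// one via [`into_fr_plus_1`], so sample `i` sits at `x = i + 1`.
///
/// Only the first `t + 1` samples are consumed; any further ones are ignored, and no sample
/// is checked against a commitment — a wrong value yields a wrong result, not an error.
///
/// # Errors
/// `Error::NotEnoughShares` if fewer than `t + 1` samples are given; `Error::DuplicateEntry`
/// if two samples share an index, in which case a Lagrange denominator is zero.
fn interpolate<C, B, T, I>(t: usize, items: I) -> Result<C>
where
    C: Curve,
    <C as Group>::Scalar: MulAssign<Scalar> + MulAssign<<C as Group>::Scalar>,
    I: IntoIterator<Item = (T, B)>,
    T: IntoScalar,
    B: Borrow<C>,
{
    // Reindex and truncate up front so every loop below sees exactly `t + 1` entries.
    let samples: Vec<_> = items
        .into_iter()
        .take(t + 1)
        .map(|(i, sample)| (into_fr_plus_1(i), sample))
        .collect();
    if samples.len() <= t {
        return Err(Error::NotEnoughShares);
    }
    if t == 0 {
        // A constant polynomial: the single sample is the value at 0.
        return Ok(*samples[0].1.borrow());
    }
    // x_prod[i] = product of all x_j with j != i. Built in two passes: prefix products
    // (x_prod[i] = x_0 * ... * x_{i-1}), then multiplied by the suffix products
    // (x_{i+1} * ... * x_t) walking backwards.
    let mut x_prod: Vec<C::Scalar> = Vec::with_capacity(t + 1);
    let mut tmp = C::Scalar::one();
    x_prod.push(tmp);
    for (x, _) in samples.iter().take(t) {
        tmp.mul_assign(*x);
        x_prod.push(tmp);
    }
    tmp = C::Scalar::one();
    for (i, (x, _)) in samples[1..].iter().enumerate().rev() {
        tmp.mul_assign(*x);
        x_prod[i].mul_assign(tmp);
    }
    let mut result = C::identity();
    for (i, (mut l0, (x, sample))) in x_prod.into_iter().zip(&samples).enumerate() {
        // Lagrange basis value at 0 for sample i: prod_{j != i} x_j / (x_j - x_i). Other
        // samples are skipped by position, not by value, so a repeated index contributes a
        // zero factor and surfaces as `DuplicateEntry` instead of being silently dropped.
        let mut denom = C::Scalar::one();
        for (j, (x0, _)) in samples.iter().enumerate() {
            if j == i {
                continue;
            }
            let mut diff = *x0;
            diff.sub_assign(x);
            denom.mul_assign(diff);
        }
        let opt_inv: Option<_> = denom.invert().into();
        l0.mul_assign(&opt_inv.ok_or(Error::DuplicateEntry)?);
        result.add_assign(*sample.borrow() * l0);
    }
    Ok(result)
}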
/// Converts a share index to its evaluation point `x = index + 1`, so that `x = 0` (the
/// master secret) is never handed out as a share.
fn into_fr_plus_1<I: IntoScalar>(x: I) -> Scalar {
    let mut shifted = x.into_fr();
    shifted.add_assign(&Scalar::one());
    shifted
}
/// Placeholder that renders as `...` in `Debug` output, used to hide secret values.
struct DebugDots;
impl fmt::Debug for DebugDots {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("...")
    }
}
#[cfg(test)]
mod tests {
    use super::*;
    use std::collections::BTreeMap;
    use rand::{self, distributions::Standard, random, Rng};
    // Interpolating `deg + 1` points of a random commitment, at arbitrary distinct indices,
    // recovers the commitment's value at 0.
    #[test]
    fn test_interpolate() {
        let mut rng = rand::thread_rng();
        for deg in 0..5 {
            println!("deg = {}", deg);
            let comm = Poly::random(deg, &mut rng).commitment();
            let mut values = Vec::new();
            let mut x = 0;
            for _ in 0..=deg {
                // Strictly increasing `x` keeps the indices distinct; `x - 1` undoes the
                // `+ 1` shift applied inside `interpolate`.
                x += rng.gen_range(1..5);
                values.push((x - 1, comm.evaluate(x)));
            }
            let actual = interpolate(deg, values).expect("wrong number of values");
            assert_eq!(comm.evaluate(0), actual);
        }
    }
    // A signature verifies only under the signing key and only for the signed message.
    #[test]
    fn test_simple_sig() {
        let sk0 = SecretKey::random();
        let sk1 = SecretKey::random();
        let pk0 = sk0.public_key();
        let msg0 = b"Real news";
        let msg1 = b"Fake news";
        assert!(pk0.verify(&sk0.sign(msg0), msg0));
        assert!(!pk0.verify(&sk1.sign(msg0), msg0));
        assert!(!pk0.verify(&sk0.sign(msg1), msg0));
    }
    // Threshold signing: shares verify individually, any `threshold + 1` of them combine to
    // the master signature, and two disjoint sets of shares combine to the same signature.
    #[test]
    fn test_threshold_sig() {
        let mut rng = rand::thread_rng();
        let sk_set = SecretKeySet::random(3, &mut rng);
        let pk_set = sk_set.public_keys();
        let pk_master = pk_set.public_key();
        assert_ne!(pk_master, pk_set.public_key_share(0).0);
        assert_ne!(pk_master, pk_set.public_key_share(1).0);
        assert_ne!(pk_master, pk_set.public_key_share(2).0);
        let sk_master = sk_set.secret_key();
        let sk_share_0 = sk_set.secret_key_share(0).0;
        let sk_share_1 = sk_set.secret_key_share(1).0;
        let sk_share_2 = sk_set.secret_key_share(2).0;
        assert_ne!(sk_master, sk_share_0);
        assert_ne!(sk_master, sk_share_1);
        assert_ne!(sk_master, sk_share_2);
        let msg = "Totally real news";
        let sigs: BTreeMap<_, _> = [5, 8, 7, 10]
            .iter()
            .map(|&i| {
                let sig = sk_set.secret_key_share(i).sign(msg);
                (i, sig)
            })
            .collect();
        for (i, sig) in &sigs {
            assert!(pk_set.public_key_share(*i).verify(sig, msg));
        }
        let sig = pk_set.combine_signatures(&sigs).expect("signatures match");
        assert!(pk_set.public_key().verify(&sig, msg));
        let sigs2: BTreeMap<_, _> = [42, 43, 44, 45]
            .iter()
            .map(|&i| {
                let sig = sk_set.secret_key_share(i).sign(msg);
                (i, sig)
            })
            .collect();
        let sig2 = pk_set.combine_signatures(&sigs2).expect("signatures match");
        assert_eq!(sig, sig2);
    }
    // Single-key encryption: a ciphertext verifies, round-trips through bytes, decrypts
    // under the right key, yields garbage (not `None`) under the wrong key, and fails
    // verification once `v` is tampered with.
    #[test]
    fn test_simple_enc() {
        let sk_bob: SecretKey = random();
        let sk_eve: SecretKey = random();
        let pk_bob = sk_bob.public_key();
        let msg = b"Muffins in the canteen today! Don't tell Eve!";
        let ciphertext = pk_bob.encrypt(&msg[..]);
        assert!(ciphertext.verify());
        let ciphertext_bytes = ciphertext.to_bytes();
        let decoded_ciphertext = Ciphertext::from_bytes(&ciphertext_bytes).expect("invalid ciphertext");
        assert_eq!(ciphertext, decoded_ciphertext);
        let decrypted = sk_bob.decrypt(&ciphertext).expect("invalid ciphertext");
        assert_eq!(msg[..], decrypted[..]);
        // Wrong key: decryption "succeeds" but produces a different byte string.
        let decrypted_eve = sk_eve.decrypt(&ciphertext).expect("invalid ciphertext");
        assert_ne!(msg[..], decrypted_eve[..]);
        let Ciphertext(u, v, w) = ciphertext;
        let fake_ciphertext = Ciphertext(u, vec![0; v.len()], w);
        assert!(!fake_ciphertext.verify());
        assert_eq!(None, sk_bob.decrypt(&fake_ciphertext));
    }
    // Threshold 0 is allowed; an absurdly large threshold is rejected rather than panicking.
    #[test]
    fn test_random_extreme_thresholds() {
        let mut rng = rand::thread_rng();
        let sks = SecretKeySet::random(0, &mut rng);
        assert_eq!(0, sks.threshold());
        assert!(SecretKeySet::try_random(usize::max_value(), &mut rng).is_err());
    }
    // Threshold decryption: decryption shares round-trip through bytes and combine to the
    // plaintext.
    #[test]
    fn test_threshold_enc() {
        let mut rng = rand::thread_rng();
        let sk_set = SecretKeySet::random(3, &mut rng);
        let pk_set = sk_set.public_keys();
        let msg = b"Totally real news";
        let ciphertext = pk_set.public_key().encrypt(&msg[..]);
        let shares: BTreeMap<_, _> = [5, 8, 7, 10]
            .iter()
            .map(|&i| {
                let dec_share = sk_set
                    .secret_key_share(i)
                    .decrypt_share(&ciphertext)
                    .expect("ciphertext is invalid");
                let encoded_decryption_share = dec_share.to_bytes();
                let decoded_encryption_share =
                    DecryptionShare::from_bytes(&encoded_decryption_share)
                        .expect("invalid decryption share");
                assert_eq!(dec_share, decoded_encryption_share);
                (i, dec_share)
            })
            .collect();
        for (i, share) in &shares {
            // NOTE(review): the boolean returned by `verify_decryption_share` is discarded
            // here, so this loop does not actually assert that the shares verify.
            pk_set
                .public_key_share(*i)
                .verify_decryption_share(share, &ciphertext);
        }
        let decrypted = pk_set
            .decrypt(&shares, &ciphertext)
            .expect("decryption shares match");
        assert_eq!(msg[..], decrypted[..]);
    }
    // `hash_g2` is deterministic and sensitive to the message's trailing bytes.
    #[test]
    fn test_hash_g2() {
        let rng = rand::thread_rng();
        let msg: Vec<u8> = rng.sample_iter(&Standard).take(1000).collect();
        let msg_end0: Vec<u8> = msg.iter().chain(b"end0").cloned().collect();
        let msg_end1: Vec<u8> = msg.iter().chain(b"end1").cloned().collect();
        assert_eq!(hash_g2(&msg), hash_g2(&msg));
        assert_ne!(hash_g2(&msg), hash_g2(&msg_end0));
        assert_ne!(hash_g2(&msg_end0), hash_g2(&msg_end1));
    }
    // `hash_g1_g2` is deterministic and depends on both the message and the `G1` point.
    #[test]
    fn test_hash_g1_g2() {
        let mut rng = rand::thread_rng();
        let msg: Vec<u8> = (&mut rng).sample_iter(&Standard).take(1000).collect();
        let msg_end0: Vec<u8> = msg.iter().chain(b"end0").cloned().collect();
        let msg_end1: Vec<u8> = msg.iter().chain(b"end1").cloned().collect();
        let g0 = G1Projective::random(&mut rng);
        let g1 = G1Projective::random(&mut rng);
        assert_eq!(hash_g1_g2(g0, &msg), hash_g1_g2(g0, &msg));
        assert_ne!(hash_g1_g2(g0, &msg), hash_g1_g2(g0, &msg_end0));
        assert_ne!(hash_g1_g2(g0, &msg_end0), hash_g1_g2(g0, &msg_end1));
        assert_ne!(hash_g1_g2(g0, &msg), hash_g1_g2(g1, &msg));
    }
    // The keystream is a function of the point, and the output keeps the input's length.
    #[test]
    fn test_xor_with_hash() {
        let mut rng = rand::thread_rng();
        let g0 = G1Projective::random(&mut rng);
        let g1 = G1Projective::random(&mut rng);
        let xwh = xor_with_hash;
        assert_eq!(xwh(g0, &[0; 5]), xwh(g0, &[0; 5]));
        assert_ne!(xwh(g0, &[0; 5]), xwh(g1, &[0; 5]));
        assert_eq!(5, xwh(g0, &[0; 5]).len());
        assert_eq!(6, xwh(g0, &[0; 6]).len());
        assert_eq!(20, xwh(g0, &[0; 20]).len());
    }
    // Public keys and signatures round-trip through their fixed-size byte encodings.
    #[test]
    fn test_from_to_bytes() {
        let sk: SecretKey = random();
        let sig = sk.sign("Please sign here: ______");
        let pk = sk.public_key();
        let pk2 = PublicKey::from_bytes(pk.to_bytes()).expect("invalid pk representation");
        assert_eq!(pk, pk2);
        let sig2 = Signature::from_bytes(sig.to_bytes()).expect("invalid sig representation");
        assert_eq!(sig, sig2);
    }
    // serde round-trips (bincode and JSON) for keys, signatures, key sets and key shares,
    // including the expected encoded sizes.
    #[test]
    fn test_serde() {
        let sk = SecretKey::random();
        let sig = sk.sign("Please sign here: ______");
        let pk = sk.public_key();
        let ser_pk = bincode::serialize(&pk).expect("serialize public key");
        let deser_pk = bincode::deserialize(&ser_pk).expect("deserialize public key");
        let serde_ser_pk = serde_json::to_string(&pk).expect("serde_json serialize public key");
        let serde_deser_pk: PublicKey = serde_json::from_str(&serde_ser_pk).expect("serde_json deserialized public key");
        // Hex-encoded key plus the two surrounding JSON quotes.
        assert_eq!(serde_ser_pk.chars().count(), PK_SIZE * 2 + 2);
        assert_eq!(pk, deser_pk);
        assert_eq!(pk, serde_deser_pk);
        let ser_sig = bincode::serialize(&sig).expect("serialize signature");
        let deser_sig = bincode::deserialize(&ser_sig).expect("deserialize signature");
        assert_eq!(ser_sig.len(), SIG_SIZE);
        assert_eq!(sig, deser_sig);
        let threshold = 3;
        let sk_set = SecretKeySet::random(threshold, &mut OsRng::default());
        let pk_set = sk_set.public_keys();
        let ser_pk_set = serde_json::to_string(&pk_set).expect("serialize public key set");
        let de_pk_set = serde_json::from_str(&ser_pk_set).expect("deserialize public key set");
        assert_eq!(pk_set, de_pk_set);
        for i in 0..sk_set.threshold() {
            let sk_share = sk_set.secret_key_share(i);
            let pk_share = sk_share.public_key_share();
            let ser_pk_share = serde_json::to_string(&pk_share).expect("serialize public key share");
            let de_pk_share: PublicKeyShare = serde_json::from_str(&ser_pk_share).expect("serialize public key share");
            assert_eq!(pk_share, de_pk_share);
        }
    }
    // SCALE codec round-trips for every public type, behind the `codec-support` feature.
    #[cfg(feature = "codec-support")]
    #[test]
    fn test_codec() {
        use codec::{Decode, Encode};
        use rand::distributions::{Distribution, Standard};
        use rand::thread_rng;
        macro_rules! assert_codec {
            ($obj:expr, $type:ty) => {
                let encoded: Vec<u8> = $obj.encode();
                let decoded: $type = <$type>::decode(&mut &encoded[..]).unwrap();
                assert_eq!(decoded, $obj.clone());
            };
        }
        let sk = SecretKey::random();
        let pk = sk.public_key();
        assert_codec!(pk, PublicKey);
        let pk_share = PublicKeyShare(pk);
        assert_codec!(pk_share, PublicKeyShare);
        let sig = sk.sign(b"this is a test");
        assert_codec!(sig, Signature);
        let sig_share = SignatureShare(sig);
        assert_codec!(sig_share, SignatureShare);
        let cipher_text = pk.encrypt(b"cipher text");
        assert_codec!(cipher_text, Ciphertext);
        let dec_share: DecryptionShare = Standard.sample(&mut thread_rng());
        assert_codec!(dec_share, DecryptionShare);
        let sk_set = SecretKeySet::random(3, &mut thread_rng());
        let pk_set = sk_set.public_keys();
        assert_codec!(pk_set, PublicKeySet);
    }
    // `PK_SIZE` / `SIG_SIZE` must match the backend's compressed encodings.
    #[test]
    fn test_size() {
        assert_eq!(<<G1Affine as GroupEncoding>::Repr as Default>::default().as_ref().len(), PK_SIZE);
        assert_eq!(<<G2Affine as GroupEncoding>::Repr as Default>::default().as_ref().len(), SIG_SIZE);
    }
    // Zeroizing a key turns it into the all-zero key.
    #[test]
    fn test_zeroize() {
        let zero_sk = SecretKey::from_mut(&mut Scalar::zero());
        let mut sk = SecretKey::random();
        assert_ne!(zero_sk, sk);
        sk.zeroize();
        assert_eq!(zero_sk, sk);
    }
    // Keys from the thread RNG differ; keys from the same ChaCha seed are identical.
    #[test]
    fn test_rng_seed() {
        let sk1 = SecretKey::random();
        let sk2 = SecretKey::random();
        assert_ne!(sk1, sk2);
        let mut seed = [0u8; 32];
        rand::thread_rng().fill_bytes(&mut seed);
        let mut rng = ChaChaRng::from_seed(seed);
        let sk3: SecretKey = rng.sample(Standard);
        let mut rng = ChaChaRng::from_seed(seed);
        let sk4: SecretKey = rng.sample(Standard);
        assert_eq!(sk3, sk4);
    }
}