generic_schnorr/

lib.rs

//! Schnorr signature implementation generic over the underlying group.

#![cfg_attr(not(test), no_std)]

use group::Group;
use group::ff::PrimeField;
use group::prime::PrimeGroup;
use rand_core::{CryptoRng, RngCore};
#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};

/// Signature produced by [`sign`].
#[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)]
#[allow(non_snake_case)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
pub struct Signature<Point, Scalar> {
    pub R: Point,
    pub s: Scalar,
}

impl<Point, Scalar> Signature<Point, Scalar> {
    /// Get the inner `R` and `s` parameters of the signature.
    pub const fn as_inner(&self) -> (&Point, &Scalar) {
        (&self.R, &self.s)
    }
}

/// Produce a [`Signature`] over `message`.
///
/// The group arithmetic uses `generator` to produce
/// public keys.
///
/// ## Safety
///
/// The user must not provide a random number generator
/// instance that is likely to produce nonce values that
/// have already been instantiated for previous signatures.
/// This poses the risk of exposing the underlying
/// secret key.
pub fn sign<Rng, HashToField, Point, Scalar>(
    generator: &Point,
    message: &[u8],
    secret_key: &Scalar,
    rng: Rng,
    hash_to_field: HashToField,
) -> Signature<Point, Scalar>
where
    HashToField: FnOnce(&Point, &Point, &[u8]) -> Scalar,
    Rng: RngCore + CryptoRng,
    Point: PrimeGroup + Group<Scalar = Scalar>,
    Scalar: PrimeField,
{
    let nonce = Scalar::random(rng);

    #[allow(non_snake_case)]
    let R = *generator * nonce;

    let challenge = hash_to_field(
        &R,                         // commit to nonce
        &(*generator * secret_key), // commit to public key
        message,                    // commit to message,
    );

    let s = (challenge * secret_key) + nonce;

    Signature { R, s }
}

/// Verify a signature.
///
/// The group arithmetic uses `generator` to produce
/// public keys.
pub fn verify<HashToField, Point, Scalar>(
    generator: &Point,
    message: &[u8],
    public_key: &Point,
    Signature { R, s }: &Signature<Point, Scalar>,
    hash_to_field: HashToField,
) -> bool
where
    HashToField: FnOnce(&Point, &Point, &[u8]) -> Scalar,
    Point: PrimeGroup + Group<Scalar = Scalar>,
    Scalar: PrimeField,
{
    let challenge = hash_to_field(
        R,          // commit to nonce
        public_key, // commit to public key
        message,    // commit to message,
    );

    (*public_key * challenge + R - *generator * s)
        .is_identity()
        .into()
}

#[cfg(test)]
mod tests {
    use group::GroupEncoding;
    use group::ff::{Field, FromUniformBytes};
    use pasta_curves::pallas;
    use rand_chacha::ChaCha20Rng;
    use rand_core::SeedableRng;

    use super::*;

    #[test]
    fn test_sign_verify() {
        let mut csprng = test_csprng();

        let message = b"eat shit";
        let generator = pallas::Point::generator();
        let secret_key = pallas::Scalar::random(&mut csprng);

        let signature = sign(&generator, message, &secret_key, &mut csprng, hash_to_field);

        assert!(verify(
            &generator,
            message,
            &(generator * secret_key),
            &signature,
            hash_to_field,
        ));
    }

    fn test_csprng() -> ChaCha20Rng {
        ChaCha20Rng::from_seed([0xbe; 32])
    }

    fn hash_to_field(
        nonce: &pallas::Point,
        public_key: &pallas::Point,
        message: &[u8],
    ) -> pallas::Scalar {
        let mut xof_stream = {
            let mut hasher = blake3::Hasher::new();
            hasher.update(&nonce.to_bytes());
            hasher.update(&public_key.to_bytes());
            hasher.update(message);
            hasher.finalize_xof()
        };

        let mut output = [0u8; 64];
        xof_stream.fill(&mut output);

        pallas::Scalar::from_uniform_bytes(&output)
    }
}