188 lines
6.1 KiB
C
188 lines
6.1 KiB
C
|
// This is a (very rough) test of BLST blind signatures based on run.me from BLST's Python example code
|
||
|
// Do not trust this to be secure, also this doesn't do a lot of the sanity checking yet
|
||
|
|
||
|
#include <stdio.h>
|
||
|
#include <string.h>
|
||
|
#include <time.h>
|
||
|
#include <assert.h>
|
||
|
#include "blst/blst.h"
|
||
|
|
||
|
const byte dst[] = "MY-DST";
|
||
|
double time_taken;
|
||
|
clock_t t;
|
||
|
|
||
|
byte signer_private_key[32];
|
||
|
byte signer_public_key[96];
|
||
|
|
||
|
void printbytes(byte *toprint, int length){
|
||
|
for(int i=0;i<length;i++){
|
||
|
printf("%.2x ", toprint[i]);
|
||
|
}
|
||
|
printf("\n");
|
||
|
}
|
||
|
|
||
|
void signer_key_setup(){
|
||
|
blst_scalar sk;
|
||
|
blst_p2 pk;
|
||
|
blst_p2_affine pk_affine;
|
||
|
|
||
|
byte myikm[32] = {'*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*'};
|
||
|
|
||
|
// On signer's side:
|
||
|
printf("IKM: ");
|
||
|
printbytes(myikm, 32);
|
||
|
|
||
|
blst_keygen(&sk, myikm, 32, 0, 0);
|
||
|
|
||
|
blst_bendian_from_scalar(signer_private_key, &sk);
|
||
|
printf("Secret Key: ");
|
||
|
printbytes(signer_private_key, 32);
|
||
|
|
||
|
blst_sk_to_pk_in_g2(&pk, &sk);
|
||
|
|
||
|
blst_p2_to_affine(&pk_affine, &pk);
|
||
|
|
||
|
blst_p2_affine_compress(signer_public_key, &pk_affine);
|
||
|
printf("Compressed Public Key (affine): ");
|
||
|
printbytes(signer_public_key, 96);
|
||
|
}
|
||
|
|
||
|
void signer(byte *compressed_signature, byte *msg_for_wire){
|
||
|
blst_scalar sk;
|
||
|
blst_p1 msg, signature;
|
||
|
blst_p1_affine msg_affine;
|
||
|
byte debug_print_buf[256];
|
||
|
|
||
|
// get the secret key as a scalar
|
||
|
blst_scalar_from_bendian(&sk, signer_private_key);
|
||
|
|
||
|
// Deserialize the message - it's already a serialized P1 point, we don't need to (literally) rehash it
|
||
|
blst_p1_uncompress(&msg_affine, msg_for_wire);
|
||
|
|
||
|
// i do not know why deserializing always gives you affine points
|
||
|
blst_p1_from_affine(&msg, &msg_affine);
|
||
|
|
||
|
// Confirm the message point is in the G1 group
|
||
|
assert(blst_p1_in_g1(&msg));
|
||
|
|
||
|
// sign with it
|
||
|
blst_sign_pk_in_g2(&signature, &msg, &sk);
|
||
|
|
||
|
// Serialize and print the signature
|
||
|
blst_p1_serialize(debug_print_buf, &signature);
|
||
|
printf("Signature: ");
|
||
|
printbytes(debug_print_buf, 96);
|
||
|
|
||
|
// Compress and print the signature
|
||
|
blst_p1_compress(compressed_signature, &signature);
|
||
|
printf("Compressed Signature: ");
|
||
|
printbytes(compressed_signature, 48);
|
||
|
}
|
||
|
|
||
|
void verifier(byte *compressed_signature, byte *msg){
|
||
|
blst_p1_affine sig;
|
||
|
blst_p2_affine pk;
|
||
|
|
||
|
blst_p1_uncompress(&sig, compressed_signature);
|
||
|
blst_p2_uncompress(&pk, signer_public_key);
|
||
|
|
||
|
BLST_ERROR returned;
|
||
|
|
||
|
// TODO: check if in g2 group
|
||
|
|
||
|
returned = blst_core_verify_pk_in_g2(&pk, &sig, 1, msg, 16, dst, strlen((char *) dst), signer_public_key, 96);
|
||
|
|
||
|
if(returned == BLST_SUCCESS){
|
||
|
printf("Verified!\n");
|
||
|
}else{
|
||
|
printf("Not verified!\n");
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// main is the "user" in this test
|
||
|
int main(){
|
||
|
byte debug_print_buf[256];
|
||
|
byte compressed_blinded_signature[48];
|
||
|
byte compressed_signature[48];
|
||
|
byte msg[16] = {'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};
|
||
|
byte blinding_r_bytes[32] = {'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R'};
|
||
|
blst_scalar blinding_r, inverse_blinding_r;
|
||
|
blst_p1 hash, msg_for_wire;
|
||
|
byte msg_for_wire_bytes[96];
|
||
|
blst_p1_affine returned_signature_affine;
|
||
|
blst_p1 returned_signature, unblinded_signature;
|
||
|
|
||
|
printf("msg is now ", msg);
|
||
|
printbytes(msg, 16);
|
||
|
printf("\n");
|
||
|
|
||
|
// Set up the signer's keys first so that we can know its public key
|
||
|
signer_key_setup();
|
||
|
|
||
|
// Get a hash of the message - we put the signer's public key in aug here, I don't know why
|
||
|
blst_hash_to_g1(&hash, msg, 16, dst, strlen((char *) dst), signer_public_key, 96);
|
||
|
|
||
|
printf("HASH: ");
|
||
|
blst_p1_serialize(debug_print_buf, &hash);
|
||
|
printbytes(debug_print_buf, 96);
|
||
|
|
||
|
// Get a BLST scalar of your "random" (LOL) blinding factor r
|
||
|
blst_scalar_from_bendian(&blinding_r, blinding_r_bytes);
|
||
|
|
||
|
printf("R BYTES: ");
|
||
|
printbytes(blinding_r_bytes, 32);
|
||
|
|
||
|
// Blind the message by signing it with the blinding factor R as if it was a secret key
|
||
|
blst_sign_pk_in_g2(&msg_for_wire, &hash, &blinding_r);
|
||
|
|
||
|
// Serialize the blinded message to send it over the wire
|
||
|
blst_p1_compress(msg_for_wire_bytes, &msg_for_wire);
|
||
|
|
||
|
printf("Blinded and compressed for wire: ");
|
||
|
printbytes(msg_for_wire_bytes, 48);
|
||
|
|
||
|
// Send the message off to be signed and get the results back
|
||
|
signer(compressed_blinded_signature, msg_for_wire_bytes);
|
||
|
|
||
|
printf("COMPRESSED BLINDED SIG: ");
|
||
|
printbytes(compressed_blinded_signature, 48);
|
||
|
|
||
|
// We now have the signature back. returned_signature is a blst_p1_affine because this is pk_in_g2.
|
||
|
blst_p1_uncompress(&returned_signature_affine, compressed_blinded_signature);
|
||
|
|
||
|
// Convert the uncompressed returned signature from an affine to a P1
|
||
|
blst_p1_from_affine(&returned_signature, &returned_signature_affine);
|
||
|
|
||
|
// Confirm the signature point is in the G1 group
|
||
|
assert(blst_p1_in_g1(&returned_signature));
|
||
|
|
||
|
printf("RETURNED SIGNATURE: ");
|
||
|
blst_p1_serialize(debug_print_buf, &returned_signature);
|
||
|
printbytes(debug_print_buf, 96);
|
||
|
|
||
|
// Get the inverse of R. We'll need this to unblind the signature.
|
||
|
blst_sk_inverse(&inverse_blinding_r, &blinding_r);
|
||
|
|
||
|
// Print the inverse of R
|
||
|
printf("INVERSE R: ");
|
||
|
blst_bendian_from_scalar(debug_print_buf, &inverse_blinding_r);
|
||
|
printbytes(debug_print_buf, 32);
|
||
|
|
||
|
// Sign the blinded signature we get back from the signer with the inverse of the blinding factor
|
||
|
blst_sign_pk_in_g2(&unblinded_signature, &returned_signature, &inverse_blinding_r);
|
||
|
|
||
|
blst_p1_compress(compressed_signature, &unblinded_signature);
|
||
|
|
||
|
printf("UNBLINDED SIGNATURE: ");
|
||
|
printbytes(compressed_signature, 48);
|
||
|
|
||
|
// uncomment to change the message and have the signature fail the check
|
||
|
//msg[8] = ' ';
|
||
|
|
||
|
printf("msg is now ", msg);
|
||
|
printbytes(msg, 16);
|
||
|
printf("\n");
|
||
|
|
||
|
// Now on verifier's side (after compressed_signature, serialized_public_key, and msg are passed over the network)
|
||
|
verifier(compressed_signature, msg);
|
||
|
}
|