ftu/blindsig2.c

188 lines
6.1 KiB
C
Raw Normal View History

// This is a (very rough) test of BLST blind signatures based on run.me from BLST's Python example code
// Do not trust this to be secure, also this doesn't do a lot of the sanity checking yet
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <assert.h>
#include "blst/blst.h"
const byte dst[] = "MY-DST";
double time_taken;
clock_t t;
byte signer_private_key[32];
byte signer_public_key[96];
void printbytes(byte *toprint, int length){
for(int i=0;i<length;i++){
printf("%.2x ", toprint[i]);
}
printf("\n");
}
void signer_key_setup(){
blst_scalar sk;
blst_p2 pk;
blst_p2_affine pk_affine;
byte myikm[32] = {'*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*'};
// On signer's side:
printf("IKM: ");
printbytes(myikm, 32);
blst_keygen(&sk, myikm, 32, 0, 0);
blst_bendian_from_scalar(signer_private_key, &sk);
printf("Secret Key: ");
printbytes(signer_private_key, 32);
blst_sk_to_pk_in_g2(&pk, &sk);
blst_p2_to_affine(&pk_affine, &pk);
blst_p2_affine_compress(signer_public_key, &pk_affine);
printf("Compressed Public Key (affine): ");
printbytes(signer_public_key, 96);
}
void signer(byte *compressed_signature, byte *msg_for_wire){
blst_scalar sk;
blst_p1 msg, signature;
blst_p1_affine msg_affine;
byte debug_print_buf[256];
// get the secret key as a scalar
blst_scalar_from_bendian(&sk, signer_private_key);
// Deserialize the message - it's already a serialized P1 point, we don't need to (literally) rehash it
blst_p1_uncompress(&msg_affine, msg_for_wire);
// i do not know why deserializing always gives you affine points
blst_p1_from_affine(&msg, &msg_affine);
// Confirm the message point is in the G1 group
assert(blst_p1_in_g1(&msg));
// sign with it
blst_sign_pk_in_g2(&signature, &msg, &sk);
// Serialize and print the signature
blst_p1_serialize(debug_print_buf, &signature);
printf("Signature: ");
printbytes(debug_print_buf, 96);
// Compress and print the signature
blst_p1_compress(compressed_signature, &signature);
printf("Compressed Signature: ");
printbytes(compressed_signature, 48);
}
void verifier(byte *compressed_signature, byte *msg){
blst_p1_affine sig;
blst_p2_affine pk;
blst_p1_uncompress(&sig, compressed_signature);
blst_p2_uncompress(&pk, signer_public_key);
BLST_ERROR returned;
// TODO: check if in g2 group
returned = blst_core_verify_pk_in_g2(&pk, &sig, 1, msg, 16, dst, strlen((char *) dst), signer_public_key, 96);
if(returned == BLST_SUCCESS){
printf("Verified!\n");
}else{
printf("Not verified!\n");
}
}
// main is the "user" in this test
int main(){
byte debug_print_buf[256];
byte compressed_blinded_signature[48];
byte compressed_signature[48];
byte msg[16] = {'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};
byte blinding_r_bytes[32] = {'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R'};
blst_scalar blinding_r, inverse_blinding_r;
blst_p1 hash, msg_for_wire;
byte msg_for_wire_bytes[96];
blst_p1_affine returned_signature_affine;
blst_p1 returned_signature, unblinded_signature;
printf("msg is now ", msg);
printbytes(msg, 16);
printf("\n");
// Set up the signer's keys first so that we can know its public key
signer_key_setup();
// Get a hash of the message - we put the signer's public key in aug here, I don't know why
blst_hash_to_g1(&hash, msg, 16, dst, strlen((char *) dst), signer_public_key, 96);
printf("HASH: ");
blst_p1_serialize(debug_print_buf, &hash);
printbytes(debug_print_buf, 96);
// Get a BLST scalar of your "random" (LOL) blinding factor r
blst_scalar_from_bendian(&blinding_r, blinding_r_bytes);
printf("R BYTES: ");
printbytes(blinding_r_bytes, 32);
// Blind the message by signing it with the blinding factor R as if it was a secret key
blst_sign_pk_in_g2(&msg_for_wire, &hash, &blinding_r);
// Serialize the blinded message to send it over the wire
blst_p1_compress(msg_for_wire_bytes, &msg_for_wire);
printf("Blinded and compressed for wire: ");
printbytes(msg_for_wire_bytes, 48);
// Send the message off to be signed and get the results back
signer(compressed_blinded_signature, msg_for_wire_bytes);
printf("COMPRESSED BLINDED SIG: ");
printbytes(compressed_blinded_signature, 48);
// We now have the signature back. returned_signature is a blst_p1_affine because this is pk_in_g2.
blst_p1_uncompress(&returned_signature_affine, compressed_blinded_signature);
// Convert the uncompressed returned signature from an affine to a P1
blst_p1_from_affine(&returned_signature, &returned_signature_affine);
// Confirm the signature point is in the G1 group
assert(blst_p1_in_g1(&returned_signature));
printf("RETURNED SIGNATURE: ");
blst_p1_serialize(debug_print_buf, &returned_signature);
printbytes(debug_print_buf, 96);
// Get the inverse of R. We'll need this to unblind the signature.
blst_sk_inverse(&inverse_blinding_r, &blinding_r);
// Print the inverse of R
printf("INVERSE R: ");
blst_bendian_from_scalar(debug_print_buf, &inverse_blinding_r);
printbytes(debug_print_buf, 32);
// Sign the blinded signature we get back from the signer with the inverse of the blinding factor
blst_sign_pk_in_g2(&unblinded_signature, &returned_signature, &inverse_blinding_r);
blst_p1_compress(compressed_signature, &unblinded_signature);
printf("UNBLINDED SIGNATURE: ");
printbytes(compressed_signature, 48);
// uncomment to change the message and have the signature fail the check
//msg[8] = ' ';
printf("msg is now ", msg);
printbytes(msg, 16);
printf("\n");
// Now on verifier's side (after compressed_signature, serialized_public_key, and msg are passed over the network)
verifier(compressed_signature, msg);
}