// This is a (very rough) test of BLST blind signatures based on run.me from BLST's Python example code
// Do not trust this to be secure, also this doesn't do a lot of the sanity checking yet

#include <stdio.h>
#include <string.h>
#include <time.h>
#include <assert.h>
#include "../blst/blst.h"

const byte dst[] = "MY-DST";
double time_taken;
clock_t t;

byte signer_private_key[32];
byte signer_public_key[96];

void printbytes(byte *toprint, int length){
    for(int i=0;i<length;i++){
        printf("%.2x ", toprint[i]);
    }
    printf("\n");
}

void signer_key_setup(){
    blst_scalar sk;
    blst_p2 pk;
    blst_p2_affine pk_affine;

    byte myikm[32] = {'*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*', '*'};

    // On signer's side:
    printf("IKM: ");
    printbytes(myikm, 32);

    blst_keygen(&sk, myikm, 32, 0, 0);

    blst_bendian_from_scalar(signer_private_key, &sk);
    printf("Secret Key: ");
    printbytes(signer_private_key, 32);

    blst_sk_to_pk_in_g2(&pk, &sk);

    blst_p2_to_affine(&pk_affine, &pk);

    blst_p2_affine_compress(signer_public_key, &pk_affine);
    printf("Compressed Public Key (affine): ");
    printbytes(signer_public_key, 96);
}

void signer(byte *compressed_signature, byte *msg_for_wire){
    blst_scalar sk;
    blst_p1 msg, signature;
    blst_p1_affine msg_affine;
    byte debug_print_buf[256];

    // get the secret key as a scalar
    blst_scalar_from_bendian(&sk, signer_private_key);

    // Deserialize the message - it's already a serialized P1 point, we don't need to (literally) rehash it
    blst_p1_uncompress(&msg_affine, msg_for_wire);

    // i do not know why deserializing always gives you affine points
    blst_p1_from_affine(&msg, &msg_affine);

    // Confirm the message point is in the G1 group
    assert(blst_p1_in_g1(&msg));

    // sign with it
    blst_sign_pk_in_g2(&signature, &msg, &sk);

    // Serialize and print the signature
    blst_p1_serialize(debug_print_buf, &signature);
    printf("Signature: ");
    printbytes(debug_print_buf, 96);

    // Compress and print the signature
    blst_p1_compress(compressed_signature, &signature);
    printf("Compressed Signature: ");
    printbytes(compressed_signature, 48);
}

void verifier(byte *compressed_signature, byte *msg){
    blst_p1_affine sig;
    blst_p2_affine pk;

    blst_p1_uncompress(&sig, compressed_signature);
    blst_p2_uncompress(&pk, signer_public_key);

    BLST_ERROR returned;

    // TODO: check if in g2 group
    
    returned = blst_core_verify_pk_in_g2(&pk, &sig, 1, msg, 16, dst, strlen((char *) dst), signer_public_key, 96);

    if(returned == BLST_SUCCESS){
        printf("Verified!\n");
    }else{
        printf("Not verified!\n");
    }
}

// main is the "user" in this test
int main(){
    byte debug_print_buf[256];
    byte compressed_blinded_signature[48];
    byte compressed_signature[48];
    byte msg[16] = {'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};
    byte blinding_r_bytes[32] = {'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R'};
    blst_scalar blinding_r, inverse_blinding_r;
    blst_p1 hash, msg_for_wire;
    byte msg_for_wire_bytes[96];
    blst_p1_affine returned_signature_affine;
    blst_p1 returned_signature, unblinded_signature;

    printf("msg is now ", msg);
    printbytes(msg, 16);
    printf("\n");

    // Set up the signer's keys first so that we can know its public key
    signer_key_setup();

    // Get a hash of the message - we put the signer's public key in aug here, I don't know why
    blst_hash_to_g1(&hash, msg, 16, dst, strlen((char *) dst), signer_public_key, 96);

    printf("HASH: ");
    blst_p1_serialize(debug_print_buf, &hash);
    printbytes(debug_print_buf, 96);

    // Get a BLST scalar of your "random" (LOL) blinding factor r
    blst_scalar_from_bendian(&blinding_r, blinding_r_bytes);

    printf("R BYTES: ");
    printbytes(blinding_r_bytes, 32);

    // Blind the message by signing it with the blinding factor R as if it was a secret key
    blst_sign_pk_in_g2(&msg_for_wire, &hash, &blinding_r);

    // Serialize the blinded message to send it over the wire
    blst_p1_compress(msg_for_wire_bytes, &msg_for_wire);

    printf("Blinded and compressed for wire: ");
    printbytes(msg_for_wire_bytes, 48);

    // Send the message off to be signed and get the results back
    signer(compressed_blinded_signature, msg_for_wire_bytes);

    printf("COMPRESSED BLINDED SIG: ");
    printbytes(compressed_blinded_signature, 48);

    // We now have the signature back. returned_signature is a blst_p1_affine because this is pk_in_g2.
    blst_p1_uncompress(&returned_signature_affine, compressed_blinded_signature);

    // Convert the uncompressed returned signature from an affine to a P1
    blst_p1_from_affine(&returned_signature, &returned_signature_affine);

    // Confirm the signature point is in the G1 group
    assert(blst_p1_in_g1(&returned_signature));

    printf("RETURNED SIGNATURE: ");
    blst_p1_serialize(debug_print_buf, &returned_signature);
    printbytes(debug_print_buf, 96);

    // Get the inverse of R. We'll need this to unblind the signature.
    blst_sk_inverse(&inverse_blinding_r, &blinding_r);

    // Print the inverse of R
    printf("INVERSE R: ");
    blst_bendian_from_scalar(debug_print_buf, &inverse_blinding_r);
    printbytes(debug_print_buf, 32);

    // Sign the blinded signature we get back from the signer with the inverse of the blinding factor
    blst_sign_pk_in_g2(&unblinded_signature, &returned_signature, &inverse_blinding_r);

    blst_p1_compress(compressed_signature, &unblinded_signature);

    printf("UNBLINDED SIGNATURE: ");
    printbytes(compressed_signature, 48);

    // uncomment to change the message and have the signature fail the check
    //msg[8] = ' ';

    printf("msg is now ", msg);
    printbytes(msg, 16);
    printf("\n");

    // Now on verifier's side (after compressed_signature, serialized_public_key, and msg are passed over the network)
    verifier(compressed_signature, msg);
}