github.com/cloudflare/circl@v1.5.0/sign/bls/bls.go

// Package bls provides BLS signatures using the BLS12-381 pairing curve.
//
// This packages implements the IETF/CFRG draft for BLS signatures [1].
// Currently only the BASIC mode (one of the three modes specified
// in the draft) is supported. The pairing function is instantiated
// with the BLS12-381 curve.
//
// # Groups
//
// The BLS signature scheme can be instantiated with keys in one of the
// two groups: G1 or G2, which correspond to the input domain of a pairing
// function e(G1,G2) -> Gt.
// Thus, choosing keys in G1 implies that signature values are internally
// represented in G2; or viceversa. Use the types KeyG1SigG2 or KeyG2SigG1
// to express this preference.
//
// # Serialization
//
// The serialization of elements in G1 and G2 follows the recommendation
// given in [2], in order to be compatible with other implementations of
// BLS12-381 curve.
//
// # References
//
// [1] https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05
//
// [2] https://github.com/zkcrypto/bls12_381/blob/0.7.0/src/notes/serialization.rs
package bls

import (
	"crypto"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"io"

	GG "github.com/cloudflare/circl/ecc/bls12381"
	"golang.org/x/crypto/hkdf"
)

var (
	ErrInvalid    = errors.New("bls: invalid BLS instance")
	ErrInvalidKey = errors.New("bls: invalid key")
	ErrKeyGen     = errors.New("bls: too many unsuccessful key generation tries")
	ErrShortIKM   = errors.New("bls: IKM material shorter than 32 bytes")
	ErrAggregate  = errors.New("bls: error while aggregating signatures")
)

const (
	dstG1 = "BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_"
	dstG2 = "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_"
)

type Signature = []byte

type (
	// G1 group used for keys defined in pairing group G1.
	G1 struct{ g GG.G1 }
	// G2 group used for keys defined in pairing group G2.
	G2 struct{ g GG.G2 }
	// KeyG1SigG2 sets the keys to G1 and signatures to G2.
	KeyG1SigG2 = G1
	// KeyG2SigG1 sets the keys to G2 and signatures to G1.
	KeyG2SigG1 = G2
)

func (f *G1) setBytes(b []byte) error { return f.g.SetBytes(b) }
func (f *G2) setBytes(b []byte) error { return f.g.SetBytes(b) }

func (f *G1) hash(msg []byte) { f.g.Hash(msg, []byte(dstG1)) }
func (f *G2) hash(msg []byte) { f.g.Hash(msg, []byte(dstG2)) }

// KeyGroup determines the group used for keys, while the other
// group is used for signatures.
type KeyGroup interface{ G1 | G2 }

type PrivateKey[K KeyGroup] struct {
	key GG.Scalar
	pub *PublicKey[K]
}

type PublicKey[K KeyGroup] struct{ key K }

func (k *PrivateKey[K]) Public() crypto.PublicKey { return k.PublicKey() }

// PublicKey computes the corresponding public key. The key is cached
// for further invocations to this function.
func (k *PrivateKey[K]) PublicKey() *PublicKey[K] {
	if k.pub == nil {
		k.pub = new(PublicKey[K])
		switch any(k).(type) {
		case *PrivateKey[G1]:
			kk := any(&k.pub.key).(*G1)
			kk.g.ScalarMult(&k.key, GG.G1Generator())
		case *PrivateKey[G2]:
			kk := any(&k.pub.key).(*G2)
			kk.g.ScalarMult(&k.key, GG.G2Generator())
		default:
			panic(ErrInvalid)
		}
	}

	return k.pub
}

func (k *PrivateKey[K]) Equal(x crypto.PrivateKey) bool {
	xx, ok := x.(*PrivateKey[K])
	if !ok {
		return false
	}

	switch any(k).(type) {
	case *PrivateKey[G1], *PrivateKey[G2]:
		return k.key.IsEqual(&xx.key) == 1
	default:
		panic(ErrInvalid)
	}
}

// Validate explicitly determines if a private key is valid.
func (k *PrivateKey[K]) Validate() bool {
	switch any(k).(type) {
	case *PrivateKey[G1], *PrivateKey[G2]:
		return k.key.IsZero() == 0
	default:
		panic(ErrInvalid)
	}
}

// MarshalBinary returns a slice with the representation of
// the underlying PrivateKey scalar (in big-endian order).
func (k *PrivateKey[K]) MarshalBinary() ([]byte, error) {
	switch any(k).(type) {
	case *PrivateKey[G1], *PrivateKey[G2]:
		return k.key.MarshalBinary()
	default:
		panic(ErrInvalid)
	}
}

func (k *PrivateKey[K]) UnmarshalBinary(data []byte) error {
	switch any(k).(type) {
	case *PrivateKey[G1], *PrivateKey[G2]:
		if err := k.key.UnmarshalBinary(data); err != nil {
			return err
		}
		if !k.Validate() {
			return ErrInvalidKey
		}
		k.pub = nil
		return nil
	default:
		panic(ErrInvalid)
	}
}

// Validate explicitly determines if a public key is valid.
func (k *PublicKey[K]) Validate() bool {
	switch any(k).(type) {
	case *PublicKey[G1]:
		kk := any(k.key).(G1)
		return !kk.g.IsIdentity() && kk.g.IsOnG1()
	case *PublicKey[G2]:
		kk := any(k.key).(G2)
		return !kk.g.IsIdentity() && kk.g.IsOnG2()
	default:
		panic(ErrInvalid)
	}
}

func (k *PublicKey[K]) Equal(x crypto.PublicKey) bool {
	xx, ok := x.(*PublicKey[K])
	if !ok {
		return false
	}

	switch any(k).(type) {
	case *PublicKey[G1]:
		xxx := any(xx.key).(G1)
		kk := any(k.key).(G1)
		return kk.g.IsEqual(&xxx.g)
	case *PublicKey[G2]:
		xxx := any(xx.key).(G2)
		kk := any(k.key).(G2)
		return kk.g.IsEqual(&xxx.g)
	default:
		panic(ErrInvalid)
	}
}

// MarshalBinary returns a slice with the compressed
// representation of the underlying element in G1 or G2.
func (k *PublicKey[K]) MarshalBinary() ([]byte, error) {
	switch any(k).(type) {
	case *PublicKey[G1]:
		kk := any(k.key).(G1)
		return kk.g.BytesCompressed(), nil
	case *PublicKey[G2]:
		kk := any(k.key).(G2)
		return kk.g.BytesCompressed(), nil
	default:
		panic(ErrInvalid)
	}
}

func (k *PublicKey[K]) UnmarshalBinary(data []byte) error {
	switch any(k).(type) {
	case *PublicKey[G1]:
		kk := any(&k.key).(*G1)
		return kk.setBytes(data)
	case *PublicKey[G2]:
		kk := any(&k.key).(*G2)
		return kk.setBytes(data)
	default:
		panic(ErrInvalid)
	}
}

// KeyGen derives a private key for the specified group (G1 or G2).
// The length of ikm material should be at least 32 bytes length.
// The salt value should be either empty or a uniformly random
// bytes whose length equals the output length of SHA-256.
func KeyGen[K KeyGroup](ikm, salt, keyInfo []byte) (*PrivateKey[K], error) {
	// Implements recommended method at:
	// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05#name-keygen
	if len(ikm) < 32 {
		return nil, ErrShortIKM
	}

	ikmZero := make([]byte, len(ikm)+1)
	keyInfoTwo := make([]byte, len(keyInfo)+2)
	copy(ikmZero, ikm)
	copy(keyInfoTwo, keyInfo)
	const L = uint16(48)
	binary.BigEndian.PutUint16(keyInfoTwo[len(keyInfo):], L)
	OKM := make([]byte, L)

	var ss GG.Scalar
	for tries := 8; tries > 0; tries-- {
		rd := hkdf.New(sha256.New, ikmZero, salt, keyInfoTwo)
		n, err := io.ReadFull(rd, OKM)
		if n != len(OKM) || err != nil {
			return nil, err
		}

		ss.SetBytes(OKM)

		if ss.IsZero() == 1 {
			digest := sha256.Sum256(salt)
			salt = digest[:]
		} else {
			return &PrivateKey[K]{key: ss, pub: nil}, nil
		}
	}

	return nil, ErrKeyGen
}

// Sign computes a signature of a message using a key (defined in
// G1 or G1).
func Sign[K KeyGroup](k *PrivateKey[K], msg []byte) Signature {
	if !k.Validate() {
		panic(ErrInvalidKey)
	}

	switch any(k).(type) {
	case *PrivateKey[G1]:
		var Q GG.G2
		Q.Hash(msg, []byte(dstG2))
		Q.ScalarMult(&k.key, &Q)
		return Q.BytesCompressed()
	case *PrivateKey[G2]:
		var Q GG.G1
		Q.Hash(msg, []byte(dstG1))
		Q.ScalarMult(&k.key, &Q)
		return Q.BytesCompressed()
	default:
		panic(ErrInvalid)
	}
}

// Verify returns true if the signature of a message is valid for the
// corresponding public key.
func Verify[K KeyGroup](pub *PublicKey[K], msg []byte, sig Signature) bool {
	var (
		a, b interface {
			setBytes([]byte) error
			hash([]byte)
		}
		listG1 [2]*GG.G1
		listG2 [2]*GG.G2
	)

	switch any(pub).(type) {
	case *PublicKey[G1]:
		aa, bb := new(G2), new(G2)
		a, b = aa, bb
		k := any(pub.key).(G1)
		listG1[0], listG1[1] = &k.g, GG.G1Generator()
		listG2[0], listG2[1] = &aa.g, &bb.g
	case *PublicKey[G2]:
		aa, bb := new(G1), new(G1)
		a, b = aa, bb
		k := any(pub.key).(G2)
		listG2[0], listG2[1] = &k.g, GG.G2Generator()
		listG1[0], listG1[1] = &aa.g, &bb.g
	default:
		panic(ErrInvalid)
	}

	err := b.setBytes(sig)
	if err != nil {
		return false
	}
	if !pub.Validate() {
		return false
	}
	a.hash(msg)

	res := GG.ProdPairFrac(listG1[:], listG2[:], []int{1, -1})
	return res.IsIdentity()
}

// Aggregate produces a unified signature given a list of signatures.
// To specify the group of keys pass either G1{} or G2{} as the first
// parameter.
func Aggregate[K KeyGroup](k K, sigs []Signature) (Signature, error) {
	if len(sigs) == 0 {
		return nil, ErrAggregate
	}

	switch any(k).(type) {
	case G1:
		var P, Q GG.G2
		P.SetIdentity()
		for _, sig := range sigs {
			if err := Q.SetBytes(sig); err != nil {
				return nil, err
			}
			P.Add(&P, &Q)
		}
		return P.BytesCompressed(), nil

	case G2:
		var P, Q GG.G1
		P.SetIdentity()
		for _, sig := range sigs {
			if err := Q.SetBytes(sig); err != nil {
				return nil, err
			}
			P.Add(&P, &Q)
		}
		return P.BytesCompressed(), nil

	default:
		panic(ErrInvalid)
	}
}

// VerifyAggregate returns true if the aggregated signature is valid for
// the list of messages and public keys provided. The slices must have
// equal size and have at least one element.
func VerifyAggregate[K KeyGroup](pubs []*PublicKey[K], msgs [][]byte, aggSig Signature) bool {
	if len(pubs) != len(msgs) || len(pubs) == 0 {
		return false
	}

	for _, p := range pubs {
		if !p.Validate() {
			return false
		}
	}

	n := len(pubs)
	listG1 := make([]*GG.G1, n+1)
	listG2 := make([]*GG.G2, n+1)
	listSigns := make([]int, n+1)

	listG1[n] = GG.G1Generator()
	listG2[n] = GG.G2Generator()
	listSigns[n] = -1

	switch any(pubs).(type) {
	case []*PublicKey[G1]:
		for i := range msgs {
			listG2[i] = new(GG.G2)
			listG2[i].Hash(msgs[i], []byte(dstG2))

			xP := any(pubs[i].key).(G1)
			listG1[i] = &xP.g
			listSigns[i] = 1
		}

		err := listG2[n].SetBytes(aggSig)
		if err != nil {
			return false
		}

	case []*PublicKey[G2]:
		for i := range msgs {
			listG1[i] = new(GG.G1)
			listG1[i].Hash(msgs[i], []byte(dstG1))

			xP := any(pubs[i].key).(G2)
			listG2[i] = &xP.g
			listSigns[i] = 1
		}

		err := listG1[n].SetBytes(aggSig)
		if err != nil {
			return false
		}

	default:
		panic(ErrInvalid)
	}

	C := GG.ProdPairFrac(listG1, listG2, listSigns)
	return C.IsIdentity()
}