github.com/ronperry/cryptoedge@v0.0.0-20150815114006-cc363e290743/jjm/requestor.go (about) 1 package jjm 2 3 /* 4 Blinding phase: 5 Requestor: 6 MUST test input (r1,r2,ls1,ls2) 7 curve.Blind: 8 Input: 9 from Signer: Rs1, Rs2, ls1, ls2 10 from Self: Message m 11 Calculation: 12 Random: w, z 13 Int.GCD(w, z, e, d) == 1 // Double check ordering. ew + dz == 1 14 Random: a, b 15 R1 = w * a * ls1 x Rs1 16 R2 = z * b * ls2 x Rs2 17 r1 = R1.x mod P , r1 != 0 18 r2 = R2.x mod P , r1 != 0 19 20 rs1 = Rs1.x mod P 21 rs2 = Rs2.x mod P 22 23 // rs1, rs2, r1, r2 must be GCD(x, P)/relative prime to P. P should be a prime, so that's not a problem 24 r1i = Int.ModInv(r1, P) 25 r2i = Int.ModInv(r2, P) 26 ai = Int.ModInv(a, P) 27 bi = Int.ModInv(b, P) 28 m1 = e * m * rs1 * r1i * r2i * ai mod N 29 m2 = e * m * rs2 * r1i * r2i * bi mod N 30 Public: m1, m2 31 Secret: a,b,w,z,e,d,m 32 Unblinding phase: 33 Requestor: 34 curve.Unblind: 35 Input: 36 from Self: rs1, rs2, r1, r2, R1, R2, w, z, a, b 37 from Signer: ss1, ss2 38 Calculation: 39 rs1i = Int.ModInv(rs1, P) 40 rs2i = Int.ModInv(rs2, P) 41 s1 = ss1 * rs1i * r1 * r2 * w * a mod N 42 s2 = ss2 * rs2i * r1 * r2 * z * b mod N 43 s = s1 + s2 44 R = R1 + R2 45 r = (r1 * r2) mod N 46 Output: 47 s, r , R 48 */ 49 50 import ( 51 "github.com/ronperry/cryptoedge/eccutil" 52 "math/big" 53 ) 54 55 // BlindMessageInt contains a blinded message to be signed 56 type BlindMessageInt struct { 57 M1, M2 *big.Int 58 params *SignRequestPublicInt 59 } 60 61 // BlindingParamsPrivateInt holds the blinding parameters private to the requestor. To be used exactly once. 62 type BlindingParamsPrivateInt struct { 63 ScalarW, ScalarZ *big.Int // w,z random. GCD(w,z) == 1 64 ScalarE, ScalarD *big.Int // e,d -> ew + dz == 1 65 ScalarA, ScalarB *big.Int // random 66 67 PointR1, PointR2 *eccutil.Point // R1=w * a * l1 x RS1, R2=w*a*l2 x RS2 68 ScalarR1, ScalarR2 *big.Int // R1.x, R2.x mod P !=0 . Precalculated 69 ScalarRs1, ScalarRs2 *big.Int // Simplification 70 IsUsed bool 71 } 72 73 // SignatureInt is the unblinded signature 74 type SignatureInt struct { 75 PointR *eccutil.Point 76 ScalarS *big.Int 77 ScalarR *big.Int 78 } 79 80 // BlindingClient a blinding client 81 type BlindingClient struct { 82 curve *eccutil.Curve 83 PubKey *eccutil.Point 84 } 85 86 // NewBlindingClient returns a new BlindingClient 87 func NewBlindingClient(curve *eccutil.Curve, pubKey *eccutil.Point) *BlindingClient { 88 bc := new(BlindingClient) 89 bc.curve = curve 90 bc.PubKey = pubKey 91 return bc 92 } 93 94 // Unblind a signature 95 func (client BlindingClient) Unblind(blindSignature *BlindSignatureInt, BlindingParams *BlindingParamsPrivateInt) (signature *SignatureInt, err error) { 96 // ToDo: Test Params 97 ScalarRs1Inv, err := client.curve.ModInverse(BlindingParams.ScalarRs1) // inv(rs1) 98 if err != nil { 99 return nil, err // should never happen 100 } 101 ScalarRs2Inv, err := client.curve.ModInverse(BlindingParams.ScalarRs2) // inv(rs2) 102 if err != nil { 103 return nil, err // should never happen 104 } 105 ScalarR1R2 := eccutil.ManyMult(BlindingParams.ScalarR1, BlindingParams.ScalarR2) // r1 * r2 106 107 ScalarS1 := eccutil.ManyMult(blindSignature.ScalarS1, ScalarRs1Inv, ScalarR1R2, BlindingParams.ScalarW, BlindingParams.ScalarA) // ss1 * (inv(rs1)) * (r1 * r2) * w * a 108 ScalarS2 := eccutil.ManyMult(blindSignature.ScalarS2, ScalarRs2Inv, ScalarR1R2, BlindingParams.ScalarZ, BlindingParams.ScalarB) // ss2 * (inv(rs2)) * (r1 * r2) * z * b 109 //cparams := curve.curve.Params() 110 ScalarS1 = ScalarS1.Mod(ScalarS1, client.curve.Params.N) // s1 = (ss1 * inv(rs1) * r1 * r2 * w * a) mod N 111 ScalarS2 = ScalarS2.Mod(ScalarS2, client.curve.Params.N) // s2 = (ss2 * inv(rs2) * r1 * r2 * z * b) mod N 112 ScalarS := new(big.Int) 113 ScalarS = ScalarS.Add(ScalarS1, ScalarS2) // s = s1 + s2 114 115 PointR := client.curve.AddPoints(BlindingParams.PointR1, BlindingParams.PointR2) // R = R1 + R2 116 117 ScalarR := eccutil.ManyMult(BlindingParams.ScalarR1, BlindingParams.ScalarR2) // r1 * r2 118 ScalarR = ScalarR.Mod(ScalarR, client.curve.Params.N) //r = (r1 * r2) mod N 119 120 signaturet := new(SignatureInt) 121 signaturet.PointR = PointR 122 signaturet.ScalarS = ScalarS 123 signaturet.ScalarR = ScalarR 124 return signaturet, nil 125 } 126 127 // Blind blinds a message msg for blinding using params. Returns blinded message or error 128 func (client BlindingClient) Blind(msg []byte, SignerParams *SignRequestPublicInt, BlindingParams *BlindingParamsPrivateInt) (blindmessage *BlindMessageInt, err error) { 129 // Test message as int 130 msgi := new(big.Int) 131 msgi = msgi.SetBytes(msg) 132 _, err = client.curve.TestParams(msgi) 133 if err != nil { 134 return nil, err 135 } 136 // Test BlindingParams as unused 137 if BlindingParams.IsUsed { 138 return nil, eccutil.ErrParamReuse 139 } 140 ScalarRs1, err := client.curve.ExtractR(SignerParams.PointRs1) 141 if err != nil { 142 return nil, err 143 } 144 ScalarRs2, err := client.curve.ExtractR(SignerParams.PointRs2) 145 if err != nil { 146 return nil, err 147 } 148 _, err = client.curve.TestParams(ScalarRs1, ScalarRs2, SignerParams.ScalarLs1, SignerParams.ScalarLs2) 149 if err != nil { 150 return nil, err 151 } 152 //inverse: ScalarA, ScalarB, ScalarR1, ScalarR2 153 ScalarAInverse, err := client.curve.ModInverse(BlindingParams.ScalarA) 154 if err != nil { 155 return nil, err // Should not ever happen 156 } 157 ScalarBInverse, err := client.curve.ModInverse(BlindingParams.ScalarB) 158 if err != nil { 159 return nil, err // Should not ever happen 160 } 161 ScalarR1Inverse, err := client.curve.ModInverse(BlindingParams.ScalarR1) 162 if err != nil { 163 return nil, err // Should not ever happen 164 } 165 ScalarR2Inverse, err := client.curve.ModInverse(BlindingParams.ScalarR2) 166 if err != nil { 167 return nil, err // Should not ever happen 168 } 169 170 t1 := eccutil.ManyMult(BlindingParams.ScalarE, msgi, ScalarRs1, ScalarR1Inverse, ScalarR2Inverse, ScalarAInverse) // t1 = e * m * rs1 * r1i * r2i * ai 171 // This differs from the paper which says ScalarE here. That is an error in the paper, as shown in the proof that uses ScalarD 172 t2 := eccutil.ManyMult(BlindingParams.ScalarD, msgi, ScalarRs2, ScalarR1Inverse, ScalarR2Inverse, ScalarBInverse) // t2 = e * m * rs2 * r1i * r2i * bi (should that not be d instead of e? or reverse?) 173 174 //cparams := curve.curve.Params() 175 m1, m2 := new(big.Int), new(big.Int) 176 m1 = m1.Mod(t1, client.curve.Params.N) 177 m2 = m2.Mod(t2, client.curve.Params.N) 178 179 _, err = client.curve.TestParams(m1, m2) // Should never fire 180 if err != nil { 181 return nil, err 182 } 183 184 blindmessaget := new(BlindMessageInt) 185 blindmessaget.M1 = m1 186 blindmessaget.M2 = m2 187 blindmessaget.params = SignerParams 188 189 return blindmessaget, nil 190 } 191 192 // CalculateBlindingParams generates the w,z,e,d,a,b privateParams blinding parameters and calculates r1,r2 (included in privateParams) 193 func (client BlindingClient) CalculateBlindingParams(params *SignRequestPublicInt) (privateParams *BlindingParamsPrivateInt, err error) { 194 var loopcount int 195 for { 196 if loopcount > eccutil.MaxLoopCount { 197 return nil, eccutil.ErrMaxLoop 198 } 199 ScalarRs1, err := client.curve.ExtractR(params.PointRs1) 200 if err != nil { 201 return nil, err 202 } 203 ScalarRs2, err := client.curve.ExtractR(params.PointRs2) 204 if err != nil { 205 return nil, err 206 } 207 208 loopcount++ 209 ScalarW, err := client.curve.GenNVint() // This limits W substantially and is likely unnecessary 210 if err != nil { 211 continue 212 } 213 ScalarZ, err := client.curve.GenNVint() // This limits Z substantially and is likely unnecessary 214 if err != nil { 215 continue 216 } 217 ScalarE := new(big.Int) 218 ScalarD := new(big.Int) 219 220 gcd := new(big.Int) 221 gcd = gcd.GCD(ScalarE, ScalarD, ScalarW, ScalarZ) // Int.GCD(w, z, e, d) == 1 222 if gcd.Cmp(eccutil.TestOne) != 0 { 223 continue 224 } 225 226 ScalarA, err := client.curve.GenNVint() // This limits A substantially and is likely unnecessary 227 if err != nil { 228 continue 229 } 230 ScalarB, err := client.curve.GenNVint() // This limits B substantially and is likely unnecessary 231 if err != nil { 232 continue 233 } 234 _, _ = ScalarA, ScalarB 235 ta := eccutil.ManyMult(ScalarW, ScalarA, params.ScalarLs1).Bytes() // w * a * ls1 -> byte ta 236 tb := eccutil.ManyMult(ScalarZ, ScalarB, params.ScalarLs2).Bytes() // z * b * ls2 -> byte tb 237 238 PointR1 := client.curve.ScalarMult(params.PointRs1, ta) 239 PointR2 := client.curve.ScalarMult(params.PointRs2, tb) 240 241 ScalarR1, err := client.curve.ExtractR(PointR1) // scalarmult(ta,R1).x mod P != 0 242 if err != nil { 243 continue 244 } 245 ScalarR2, err := client.curve.ExtractR(PointR2) // scalarmult(tb,R2).x mod P != 0 246 if err != nil { 247 continue 248 } 249 250 // Probably useless test 251 _, err = client.curve.TestParams(ScalarW, ScalarZ, ScalarE, ScalarD, ScalarA, ScalarB, ScalarR1, ScalarR2, ScalarRs1, ScalarRs2, params.ScalarLs1, params.ScalarLs2) 252 if err != nil { 253 continue 254 } 255 bp := new(BlindingParamsPrivateInt) 256 bp.ScalarW, bp.ScalarZ = ScalarW, ScalarZ 257 bp.ScalarE, bp.ScalarD = ScalarE, ScalarD 258 bp.ScalarA, bp.ScalarB = ScalarA, ScalarB 259 bp.PointR1, bp.PointR2 = PointR1, PointR2 260 bp.ScalarR1, bp.ScalarR2 = ScalarR1, ScalarR2 261 bp.ScalarRs1, bp.ScalarRs2 = ScalarRs1, ScalarRs2 262 bp.IsUsed = false 263 return bp, nil 264 } 265 }