Ejemplo n.º 1
0
// Unblind a signature
func (client BlindingClient) Unblind(blindSignature *BlindSignatureInt, BlindingParams *BlindingParamsPrivateInt) (signature *SignatureInt, err error) {
	// ToDo: Test Params
	ScalarRs1Inv, err := client.curve.ModInverse(BlindingParams.ScalarRs1) // inv(rs1)
	if err != nil {
		return nil, err // should never happen
	}
	ScalarRs2Inv, err := client.curve.ModInverse(BlindingParams.ScalarRs2) // inv(rs2)
	if err != nil {
		return nil, err // should never happen
	}
	ScalarR1R2 := eccutil.ManyMult(BlindingParams.ScalarR1, BlindingParams.ScalarR2) // r1 * r2

	ScalarS1 := eccutil.ManyMult(blindSignature.ScalarS1, ScalarRs1Inv, ScalarR1R2, BlindingParams.ScalarW, BlindingParams.ScalarA) // ss1 * (inv(rs1)) * (r1 * r2) * w * a
	ScalarS2 := eccutil.ManyMult(blindSignature.ScalarS2, ScalarRs2Inv, ScalarR1R2, BlindingParams.ScalarZ, BlindingParams.ScalarB) // ss2 * (inv(rs2)) * (r1 * r2) * z * b
	//cparams := curve.curve.Params()
	ScalarS1 = ScalarS1.Mod(ScalarS1, client.curve.Params.N) // s1 = (ss1 * inv(rs1) * r1 * r2 * w * a)  mod N
	ScalarS2 = ScalarS2.Mod(ScalarS2, client.curve.Params.N) // s2 = (ss2 * inv(rs2) * r1 * r2 * z * b)  mod N
	ScalarS := new(big.Int)
	ScalarS = ScalarS.Add(ScalarS1, ScalarS2) // s = s1 + s2

	PointR := client.curve.AddPoints(BlindingParams.PointR1, BlindingParams.PointR2) // R = R1 + R2

	ScalarR := eccutil.ManyMult(BlindingParams.ScalarR1, BlindingParams.ScalarR2) // r1 * r2
	ScalarR = ScalarR.Mod(ScalarR, client.curve.Params.N)                         //r = (r1 * r2) mod N

	signaturet := new(SignatureInt)
	signaturet.PointR = PointR
	signaturet.ScalarS = ScalarS
	signaturet.ScalarR = ScalarR
	return signaturet, nil
}
Ejemplo n.º 2
0
// Sign signs a blinded message
func (signer *Signer) Sign(blindmessage *BlindMessageInt, privateParams *SignRequestPrivateInt) (signature *BlindSignatureInt, err error) {
	if privateParams.IsUsed {
		return nil, eccutil.ErrParamReuse
	}
	//cparams := signer.curve.curve.Params()
	privkeyInt := new(big.Int)
	privkeyInt = privkeyInt.SetBytes(signer.privkey)

	_, err = signer.curve.TestParams(privkeyInt, blindmessage.M1, blindmessage.M2, privateParams.ScalarRs1, privateParams.ScalarKs1, privateParams.ScalarLs1, privateParams.ScalarRs2, privateParams.ScalarKs2, privateParams.ScalarLs2)
	if err != nil {
		return nil, err // Should never fire
	}

	mt1 := eccutil.ManyMult(privkeyInt, blindmessage.M1)                                               // SigPriv * m1
	mt2 := eccutil.ManyMult(privkeyInt, blindmessage.M2)                                               // SigPriv * m2
	ms1 := eccutil.ManyMult(privateParams.ScalarRs1, privateParams.ScalarKs1, privateParams.ScalarLs1) // rs1 * k1 * l1
	ms2 := eccutil.ManyMult(privateParams.ScalarRs2, privateParams.ScalarKs2, privateParams.ScalarLs2) // rs2 * k2 * l2

	ss1, ss2 := new(big.Int), new(big.Int)
	ss1 = ss1.Sub(mt1, ms1)                   // (SigPriv * m1) - (rs1 * k1 * l1)
	ss2 = ss2.Sub(mt2, ms2)                   // (SigPriv * m2) - (rs2 * k2 * l2)
	ss1 = ss1.Mod(ss1, signer.curve.Params.N) // ss1 = (SigPriv * m1 - rs1 * k1 * l1)  mod N
	ss2 = ss2.Mod(ss2, signer.curve.Params.N) // ss2 = (SigPriv * m2 - rs2 * k2 * l2)  mod N
	signaturet := new(BlindSignatureInt)
	signaturet.ScalarS1 = ss1
	signaturet.ScalarS2 = ss2
	return signaturet, nil
}
Ejemplo n.º 3
0
// CalculateBlindingParams generates the w,z,e,d,a,b privateParams blinding parameters and calculates r1,r2 (included in privateParams)
func (client BlindingClient) CalculateBlindingParams(params *SignRequestPublicInt) (privateParams *BlindingParamsPrivateInt, err error) {
	var loopcount int
	for {
		if loopcount > eccutil.MaxLoopCount {
			return nil, eccutil.ErrMaxLoop
		}
		ScalarRs1, err := client.curve.ExtractR(params.PointRs1)
		if err != nil {
			return nil, err
		}
		ScalarRs2, err := client.curve.ExtractR(params.PointRs2)
		if err != nil {
			return nil, err
		}

		loopcount++
		ScalarW, err := client.curve.GenNVint() // This limits W substantially and is likely unnecessary
		if err != nil {
			continue
		}
		ScalarZ, err := client.curve.GenNVint() // This limits Z substantially and is likely unnecessary
		if err != nil {
			continue
		}
		ScalarE := new(big.Int)
		ScalarD := new(big.Int)

		gcd := new(big.Int)
		gcd = gcd.GCD(ScalarE, ScalarD, ScalarW, ScalarZ) // Int.GCD(w, z, e, d) == 1
		if gcd.Cmp(eccutil.TestOne) != 0 {
			continue
		}

		ScalarA, err := client.curve.GenNVint() // This limits A substantially and is likely unnecessary
		if err != nil {
			continue
		}
		ScalarB, err := client.curve.GenNVint() // This limits B substantially and is likely unnecessary
		if err != nil {
			continue
		}
		_, _ = ScalarA, ScalarB
		ta := eccutil.ManyMult(ScalarW, ScalarA, params.ScalarLs1).Bytes() // w * a * ls1 -> byte ta
		tb := eccutil.ManyMult(ScalarZ, ScalarB, params.ScalarLs2).Bytes() // z * b * ls2 -> byte tb

		PointR1 := client.curve.ScalarMult(params.PointRs1, ta)
		PointR2 := client.curve.ScalarMult(params.PointRs2, tb)

		ScalarR1, err := client.curve.ExtractR(PointR1) // scalarmult(ta,R1).x mod P  != 0
		if err != nil {
			continue
		}
		ScalarR2, err := client.curve.ExtractR(PointR2) // scalarmult(tb,R2).x mod P  != 0
		if err != nil {
			continue
		}

		// Probably useless test
		_, err = client.curve.TestParams(ScalarW, ScalarZ, ScalarE, ScalarD, ScalarA, ScalarB, ScalarR1, ScalarR2, ScalarRs1, ScalarRs2, params.ScalarLs1, params.ScalarLs2)
		if err != nil {
			continue
		}
		bp := new(BlindingParamsPrivateInt)
		bp.ScalarW, bp.ScalarZ = ScalarW, ScalarZ
		bp.ScalarE, bp.ScalarD = ScalarE, ScalarD
		bp.ScalarA, bp.ScalarB = ScalarA, ScalarB
		bp.PointR1, bp.PointR2 = PointR1, PointR2
		bp.ScalarR1, bp.ScalarR2 = ScalarR1, ScalarR2
		bp.ScalarRs1, bp.ScalarRs2 = ScalarRs1, ScalarRs2
		bp.IsUsed = false
		return bp, nil
	}
}
Ejemplo n.º 4
0
// Blind blinds a message msg for blinding using params. Returns blinded message or error
func (client BlindingClient) Blind(msg []byte, SignerParams *SignRequestPublicInt, BlindingParams *BlindingParamsPrivateInt) (blindmessage *BlindMessageInt, err error) {
	// Test message as int
	msgi := new(big.Int)
	msgi = msgi.SetBytes(msg)
	_, err = client.curve.TestParams(msgi)
	if err != nil {
		return nil, err
	}
	// Test BlindingParams as unused
	if BlindingParams.IsUsed {
		return nil, eccutil.ErrParamReuse
	}
	ScalarRs1, err := client.curve.ExtractR(SignerParams.PointRs1)
	if err != nil {
		return nil, err
	}
	ScalarRs2, err := client.curve.ExtractR(SignerParams.PointRs2)
	if err != nil {
		return nil, err
	}
	_, err = client.curve.TestParams(ScalarRs1, ScalarRs2, SignerParams.ScalarLs1, SignerParams.ScalarLs2)
	if err != nil {
		return nil, err
	}
	//inverse: ScalarA, ScalarB, ScalarR1, ScalarR2
	ScalarAInverse, err := client.curve.ModInverse(BlindingParams.ScalarA)
	if err != nil {
		return nil, err // Should not ever happen
	}
	ScalarBInverse, err := client.curve.ModInverse(BlindingParams.ScalarB)
	if err != nil {
		return nil, err // Should not ever happen
	}
	ScalarR1Inverse, err := client.curve.ModInverse(BlindingParams.ScalarR1)
	if err != nil {
		return nil, err // Should not ever happen
	}
	ScalarR2Inverse, err := client.curve.ModInverse(BlindingParams.ScalarR2)
	if err != nil {
		return nil, err // Should not ever happen
	}

	t1 := eccutil.ManyMult(BlindingParams.ScalarE, msgi, ScalarRs1, ScalarR1Inverse, ScalarR2Inverse, ScalarAInverse) // t1 = e * m * rs1 * r1i * r2i * ai
	// This differs from the paper which says ScalarE here. That is an error in the paper, as shown in the proof that uses ScalarD
	t2 := eccutil.ManyMult(BlindingParams.ScalarD, msgi, ScalarRs2, ScalarR1Inverse, ScalarR2Inverse, ScalarBInverse) // t2 = e * m * rs2 * r1i * r2i * bi  (should that not be d instead of e? or reverse?)

	//cparams := curve.curve.Params()
	m1, m2 := new(big.Int), new(big.Int)
	m1 = m1.Mod(t1, client.curve.Params.N)
	m2 = m2.Mod(t2, client.curve.Params.N)

	_, err = client.curve.TestParams(m1, m2) // Should never fire
	if err != nil {
		return nil, err
	}

	blindmessaget := new(BlindMessageInt)
	blindmessaget.M1 = m1
	blindmessaget.M2 = m2
	blindmessaget.params = SignerParams

	return blindmessaget, nil
}