首頁 探索 說明
登入
iang
/
arctic
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: bfe6dcde04
分支列表 標籤列表
arctic
/
src
/
arctic.rs

arctic.rs 4.1 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. use crate::lagrange::*;
    2. 

  2. use crate::shine;
    3. 

  3. use curve25519_dalek::ristretto::RistrettoPoint;
    4. 

  4. use curve25519_dalek::scalar::Scalar;
    5. 

  5. use sha2::Digest;
    6. 

  6. use sha2::Sha256;
    7. 

  7. 

  8. type PubKey = RistrettoPoint;
    9. 

  9. 

  10. pub struct SecKey {
    11. 

  11.     n: u32,
    12. 

  12.     t: u32,
    13. 

  13.     k: u32,
    14. 

  14.     sk: Scalar,
    15. 

  15.     rk: shine::PreprocKey,
    16. 

  16. }
    17. 

  17. 

  18. type Signature = (RistrettoPoint, Scalar);
    19. 

  19. 

  20. pub fn keygen(n: u32, t: u32) -> (PubKey, Vec<SecKey>) {
    21. 

  21.     assert!(t >= 1);
    22. 

  22.     assert!(n >= 2 * t - 1);
    23. 

  23. 

  24.     let mut seckeys: Vec<SecKey> = Vec::new();
    25. 

  25. 

  26.     // The Shine key shares
    27. 

  27.     let shinekeys = shine::Key::keygen(n, t);
    28. 

  28. 

  29.     // The signature key shares
    30. 

  30.     let shamirpoly = ScalarPoly::rand((t as usize) - 1);
    31. 

  31.     let pubkey = shine::commit(&shamirpoly.coeffs[0]);
    32. 

  32.     for k in 1..n + 1 {
    33. 

  33.         seckeys.push(SecKey {
    34. 

  34.             n,
    35. 

  35.             t,
    36. 

  36.             k,
    37. 

  37.             sk: shamirpoly.eval(&Scalar::from(k)),
    38. 

  38.             rk: shine::PreprocKey::preproc(&shinekeys[(k as usize) - 1]),
    39. 

  39.         });
    40. 

  40.     }
    41. 

  41. 

  42.     (pubkey, seckeys)
    43. 

  43. }
    44. 

  44. 

  45. fn hash2(combcomm: &RistrettoPoint, pk: &PubKey, msg: &[u8]) -> Scalar {
    46. 

  46.     let mut hash = Sha256::new();
    47. 

  47.     hash.update(combcomm.compress().as_bytes());
    48. 

  48.     hash.update(pk.compress().as_bytes());
    49. 

  49.     hash.update(msg);
    50. 

  50.     let mut hashval = [0u8; 32];
    51. 

  51.     hashval[0..32].copy_from_slice(&hash.finalize());
    52. 

  52.     Scalar::from_bytes_mod_order(hashval)
    53. 

  53. }
    54. 

  54. 

  55. fn hash3(pk: &PubKey, coalition: &[u32], msg: &[u8]) -> [u8; 32] {
    56. 

  56.     let mut hash = Sha256::new();
    57. 

  57.     hash.update(pk.compress().as_bytes());
    58. 

  58.     hash.update(coalition.len().to_le_bytes());
    59. 

  59.     for c in coalition {
    60. 

  60.         hash.update(c.to_le_bytes());
    61. 

  61.     }
    62. 

  62.     hash.update(msg);
    63. 

  63.     hash.finalize().into()
    64. 

  64. }
    65. 

  65. 

  66. pub fn sign1(pk: &PubKey, sk: &SecKey, coalition: &[u32], msg: &[u8]) -> RistrettoPoint {
    67. 

  67.     assert!(coalition.len() >= 2 * (sk.t as usize) - 1);
    68. 

  68.     let w = hash3(pk, coalition, msg);
    69. 

  69.     shine::commit(&sk.rk.partialeval(&w))
    70. 

  70. }
    71. 

  71. 

  72. pub fn sign2_polys(
    73. 

  73.     pk: &PubKey,
    74. 

  74.     sk: &SecKey,
    75. 

  75.     coalition: &[u32],
    76. 

  76.     lag_polys: &[ScalarPoly],
    77. 

  77.     msg: &[u8],
    78. 

  78.     commitments: &[RistrettoPoint],
    79. 

  79. ) -> Option<Scalar> {
    80. 

  80.     // If the inputs are _malformed_, abort
    81. 

  81. 

  82.     assert!(coalition.len() == lag_polys.len());
    83. 

  83.     assert!(coalition.len() == commitments.len());
    84. 

  84.     assert!(coalition.len() >= 2 * (sk.t as usize) - 1);
    85. 

  85. 

  86.     // Find my own entry in the coalition; abort if it's not there
    87. 

  87.     let kindex = coalition.iter().position(|&k| k == sk.k).unwrap();
    88. 

  88. 

  89.     let w = hash3(pk, coalition, msg);
    90. 

  90.     let my_eval = sk.rk.partialeval(&w);
    91. 

  91.     let my_commit = shine::commit(&my_eval);
    92. 

  92. 

  93.     assert!(commitments[kindex] == my_commit);
    94. 

  94. 

  95.     // If the inputs are just corrupt values from malicious other
    96. 

  96.     // parties, return None but don't crash
    97. 

  97. 

  98.     let combcomm = shine::combinecomm_polys(sk.t, lag_polys, commitments)?;
    99. 

  99.     let c = hash2(&combcomm, pk, msg);
    100. 

  100. 

  101.     Some(my_eval + c * sk.sk)
    102. 

  102. }
    103. 

  103. 

  104. pub fn sign2(
    105. 

  105.     pk: &PubKey,
    106. 

  106.     sk: &SecKey,
    107. 

  107.     coalition: &[u32],
    108. 

  108.     msg: &[u8],
    109. 

  109.     commitments: &[RistrettoPoint],
    110. 

  110. ) -> Option<Scalar> {
    111. 

  111.     let polys = lagrange_polys(coalition);
    112. 

  112.     sign2_polys(pk, sk, coalition, &polys, msg, commitments)
    113. 

  113. }
    114. 

  114. 

  115. pub fn combine_polys(
    116. 

  116.     pk: &PubKey,
    117. 

  117.     t: u32,
    118. 

  118.     coalition: &[u32],
    119. 

  119.     lag_polys: &[ScalarPoly],
    120. 

  120.     msg: &[u8],
    121. 

  121.     commitments: &[RistrettoPoint],
    122. 

  122.     sigshares: &[Scalar],
    123. 

  123. ) -> Option<Signature> {
    124. 

  124.     assert!(coalition.len() == lag_polys.len());
    125. 

  125.     assert!(coalition.len() == commitments.len());
    126. 

  126.     assert!(coalition.len() == sigshares.len());
    127. 

  127.     assert!(coalition.len() >= 2 * (t as usize) - 1);
    128. 

  128. 

  129.     let z = interpolate_polys_0(lag_polys, sigshares);
    130. 

  130. 

  131.     // Check the answer
    132. 

  132. 

  133.     let combcomm = shine::combinecomm_polys(t, lag_polys, commitments)?;
    134. 

  134.     let c = hash2(&combcomm, pk, msg);
    135. 

  135. 

  136.     if shine::commit(&z) == combcomm + c * pk {
    137. 

  137.         return Some((combcomm, z));
    138. 

  138.     }
    139. 

  139.     None
    140. 

  140. }
    141. 

  141. 

  142. pub fn combine(
    143. 

  143.     pk: &PubKey,
    144. 

  144.     t: u32,
    145. 

  145.     coalition: &[u32],
    146. 

  146.     msg: &[u8],
    147. 

  147.     commitments: &[RistrettoPoint],
    148. 

  148.     sigshares: &[Scalar],
    149. 

  149. ) -> Option<Signature> {
    150. 

  150.     let polys = lagrange_polys(coalition);
    151. 

  151.     combine_polys(pk, t, coalition, &polys, msg, commitments, sigshares)
    152. 

  152. }
    153. 

  153. 

  154. pub fn verify(pk: &PubKey, msg: &[u8], sig: &Signature) -> bool {
    155. 

  155.     let c = hash2(&sig.0, pk, msg);
    156. 

  156.     shine::commit(&sig.1) == sig.0 + c * pk
    157. 

  157. }
    158.