· 6 years ago · Dec 27, 2019, 10:18 PM
1#![allow(dead_code)]
2#![allow(unused_variables)]
3#![allow(unused_mut)]
4extern crate rand;
5//extern crate bn;
6//use bn::{Group, Fr, G1, G2, pairing};
7use rand::RngCore;
8use bls12_381 as bls;
9use sha2::{Sha256, Sha512, Digest};
10use hex_slice::AsHex;
11use std::iter::Sum;
12
13pub trait MyRandom {
14 fn new_random<T: RngCore>(rng: &mut T) -> Self;
15}
16
17impl MyRandom for bls::Scalar {
18 fn new_random<T: RngCore>(rng: &mut T) -> Self {
19 loop {
20 let mut random_bytes = [0u8; 32];
21 rng.fill_bytes(&mut random_bytes);
22 let scalar = bls::Scalar::from_bytes(&random_bytes);
23 if scalar.is_some().unwrap_u8() == 1 {
24 break scalar.unwrap()
25 }
26 }
27 }
28}
29
30struct Parameters<'a> {
31 g1: bls::G1Affine,
32 hs: Vec<bls::G1Affine>,
33 g2: bls::G2Affine,
34 rng: &'a mut dyn RngCore
35}
36
37impl<'a> Parameters<'a> {
38 fn new<T: RngCore>(attributes_size: usize, rng: &'a mut T) -> Self {
39 let g1 = bls::G1Affine::generator();
40 let g2 = bls::G2Affine::generator();
41
42 let mut hs = Vec::with_capacity(attributes_size);
43 for i in 0 .. attributes_size {
44 let message = format!("h{}", i);
45 let h = g1.hash_to_point(message.as_bytes());
46 hs.push(h);
47 }
48
49 Parameters {
50 g1: g1,
51 hs: hs,
52 g2: g2,
53 rng: rng
54 }
55 }
56
57 fn random_scalar(&mut self) -> bls::Scalar {
58 bls::Scalar::new_random(&mut self.rng)
59 }
60}
61
62fn sha256_hash(message: &[u8]) -> [u8; 48] {
63 let mut hasher = Sha512::new();
64 hasher.input(message);
65 let hash_result = hasher.result();
66 assert_eq!(hash_result.len(), 64);
67
68 let mut hash_data = [0u8; 48];
69 hash_data.copy_from_slice(&hash_result[0..48]);
70 //println!("{:x}", hash_data.as_hex());
71 hash_data
72}
73
74pub trait HashableGenerator {
75 fn hash_to_point(&self, message: &[u8]) -> Self;
76 fn is_valid(&self) -> bool;
77}
78
79impl HashableGenerator for bls::G1Affine {
80 fn hash_to_point(&self, message: &[u8]) -> Self {
81 for i in 0u32 .. {
82 let i_data = i.to_le_bytes();
83
84 let mut data = Vec::with_capacity(message.len() + i_data.len());
85 data.extend_from_slice(message);
86 data.extend_from_slice(&i_data);
87
88 let hash = sha256_hash(data.as_slice());
89
90 let point = {
91 let point_optional = Self::from_compressed_unchecked(&hash);
92 if point_optional.is_none().unwrap_u8() == 1 {
93 continue;
94 }
95 let affine_point = point_optional.unwrap();
96 let projective_point = bls::G1Projective::from(affine_point).clear_cofactor();
97 Self::from(projective_point)
98 };
99
100 assert_eq!(bool::from(point.is_on_curve()), true);
101 assert_eq!(bool::from(point.is_torsion_free()), true);
102
103 return point;
104 }
105 unreachable!();
106 }
107
108 fn is_valid(&self) -> bool {
109 bool::from(self.is_on_curve()) && bool::from(self.is_torsion_free())
110 }
111}
112
113fn compute_polynomial(coefficients: &Vec<bls::Scalar>, x_primitive: u64)
114 -> bls::Scalar
115{
116 let x = bls::Scalar([x_primitive, 0, 0, 0]);
117 coefficients.iter()
118 .enumerate()
119 .map(|(i, coefficient)| coefficient * x.pow(&[i as u64, 0, 0, 0]))
120 .fold(bls::Scalar::zero(), |result, x| result + x)
121}
122
123type ScalarList = Vec<bls::Scalar>;
124type PointList = Vec<bls::G2Projective>;
125type VerifyKey = (bls::G2Projective, PointList);
126type SecretKey = (bls::Scalar, ScalarList);
127
128fn ttp_keygen(params: &mut Parameters, threshold: usize, number_authorities: usize)
129 -> (Vec<SecretKey>, Vec<VerifyKey>) {
130 let attributes_size = params.hs.len();
131 assert!(number_authorities >= threshold && threshold > 0);
132 assert!(attributes_size > 0);
133
134 let mut create_n_random_scalars = |n| -> Vec<_> {
135 (0..n).map(|_| params.random_scalar()).collect()
136 };
137
138 // Generate polynomials
139 let v_poly = create_n_random_scalars(threshold);
140 let w_poly: Vec<Vec<bls::Scalar>> =
141 (0..attributes_size).map(|_| create_n_random_scalars(threshold)).collect();
142
143 // Generate shares
144 let x_shares: Vec<bls::Scalar> = (1..number_authorities + 1).map(
145 |i| compute_polynomial(&v_poly, i as u64)).collect();
146 let y_shares: Vec<Vec<bls::Scalar>> = (1..number_authorities + 1).map(
147 |i| w_poly.iter().map(move |w_coefficients|
148 compute_polynomial(&w_coefficients, i as u64)).collect()).collect();
149
150 // Set the keys
151 // sk_i = (x, (y_1, y_2, ..., y_q))
152 // vk_i = (g2^x, (g2^y_1, g2^y_2, ..., g2^y_q)) = (a, (B_1, B_2, ..., B_q))
153 let verify_keys: Vec<(bls::G2Projective, Vec<bls::G2Projective>)> =
154 x_shares.iter()
155 .enumerate()
156 .map(
157 |(i, x)| (params.g2 * x, y_shares[i].iter().map(|y| params.g2 * y).collect()))
158 .collect();
159 let secret_keys: Vec<(bls::Scalar, Vec<bls::Scalar>)> =
160 x_shares.into_iter().zip(y_shares).collect();
161
162 (secret_keys, verify_keys)
163}
164
165fn lagrange_basis(range_len: u64) -> ScalarList {
166 let x = bls::Scalar::zero();
167 let mut lagrange_result = ScalarList::new();
168 for i in 1..=range_len {
169 let mut numerator = bls::Scalar::one();
170 let mut denominator = bls::Scalar::one();
171
172 for j in 1..=range_len {
173 if j == i {
174 continue;
175 }
176 numerator = numerator * (x - bls::Scalar::from(j));
177 denominator = denominator * (bls::Scalar::from(i) - bls::Scalar::from(j));
178 }
179
180 let result = numerator * denominator.invert().unwrap();
181 lagrange_result.push(result);
182 }
183 lagrange_result
184}
185
186pub trait GeneratorPoint {
187 fn get_identity() -> Self;
188 fn add(&self, rhs: &Self) -> Self;
189}
190
191impl GeneratorPoint for bls::G1Projective {
192 fn get_identity() -> Self {
193 Self::identity()
194 }
195
196 fn add(&self, rhs: &Self) -> Self {
197 self + rhs
198 }
199}
200
201impl GeneratorPoint for bls::G2Projective {
202 fn get_identity() -> Self {
203 Self::identity()
204 }
205
206 fn add(&self, rhs: &Self) -> Self {
207 self + rhs
208 }
209}
210
211fn ecc_sum<G: GeneratorPoint + Sized>(points: &Vec<G>) -> G {
212 points.iter()
213 .fold(G::get_identity(), |result, x| result.add(x))
214}
215
216fn ec_sum(points: &Vec<bls::G2Projective>) -> bls::G2Projective {
217 points.iter()
218 .fold(bls::G2Projective::identity(), |result, x| result + *x)
219}
220
221fn aggregate_keys(params: &mut Parameters, verify_keys: &Vec<VerifyKey>)
222 -> (bls::G2Projective, PointList) {
223 let lagrange = lagrange_basis(verify_keys.len() as u64);
224
225 let (alpha, beta): (Vec<&bls::G2Projective>, Vec<&PointList>) =
226 verify_keys.iter().map(|&(ref a, ref b)| (a, b)).unzip();
227
228 let attributes_size = beta[0].len();
229
230 assert_eq!(lagrange.len(), alpha.len());
231
232 let aggregate_alpha: bls::G2Projective = ec_sum(
233 &alpha.iter().zip(lagrange.iter()).map(|(a, l)| *a * l).collect());
234 let aggregate_beta: PointList = (0..attributes_size).map(|i| ec_sum(
235 &beta.iter().zip(lagrange.iter()).map(|(b, l)| b[i] * l).collect())).collect();
236
237 return (aggregate_alpha, aggregate_beta)
238}
239
240fn test_ttp_keygen() {
241 let (threshold, number_authorities) = (5, 7);
242
243 let mut rng = rand::thread_rng();
244
245 let mut parameters = Parameters::new(2, &mut rng);
246
247 let (secret_keys, verify_keys) = ttp_keygen(&mut parameters, threshold, number_authorities);
248
249 let verify_key = aggregate_keys(&mut parameters, &verify_keys);
250
251 let sigs_x: Vec<bls::G1Projective> = secret_keys.iter()
252 .map(|(x, _)| parameters.g1 * x)
253 .collect();
254 let l = lagrange_basis(6);
255 let sig = ecc_sum(&l.iter().zip(sigs_x.iter()).map(|(l_i, s_i)| s_i * l_i).collect());
256
257 let ppair_1 = bls::pairing(&bls::G1Affine::from(sig), ¶meters.g2);
258 let ppair_2 = bls::pairing(¶meters.g1, &bls::G2Affine::from(verify_key.0));
259 assert_eq!(ppair_1, ppair_2);
260}
261
262fn main() {
263 test_ttp_keygen();
264
265 let (threshold, number_authorities) = (5, 7);
266
267 let mut rng = rand::thread_rng();
268 let mut parameters = Parameters::new(2, &mut rng);
269
270 let (secret_keys, verify_keys) = ttp_keygen(&mut parameters, threshold, number_authorities);
271 let verify_key = aggregate_keys(&mut parameters, &verify_keys);
272
273 let g1 = bls::G1Affine::generator();
274 let g2 = bls::G2Affine::generator();
275
276 let x = bls::Scalar::new_random(&mut rng);
277
278 let result_1 = bls::G1Affine::from(g1 * x);
279 let result_2 = bls::G2Affine::from(g2 * x);
280
281 let pair_1 = bls::pairing(&result_1, &g2);
282 let pair_2 = bls::pairing(&g1, &result_2);
283
284 let foo = result_1.hash_to_point(b"hello world");
285
286 assert_eq!(pair_1, pair_2);
287
288 println!("{:?}", x);
289 println!("{:?}", result_1);
290 println!("{:?}", pair_1);
291
292 //let pairx = pairing(&g1, &g2);
293
294 /*
295 // Generate private keys
296 let alice_sk = Fr::random(&mut rng);
297 let bob_sk = Fr::random(&mut rng);
298 let carol_sk = Fr::random(&mut rng);
299
300 // Generate public keys in G1 and G2
301 let (alice_pk1, alice_pk2) = (G1::one() * alice_sk, G2::one() * alice_sk);
302 let (bob_pk1, bob_pk2) = (G1::one() * bob_sk, G2::one() * bob_sk);
303 let (carol_pk1, carol_pk2) = (G1::one() * carol_sk, G2::one() * carol_sk);
304
305 // Each party computes the shared secret
306 let alice_ss = pairing(bob_pk1, carol_pk2).pow(alice_sk);
307 let bob_ss = pairing(carol_pk1, alice_pk2).pow(bob_sk);
308 let carol_ss = pairing(alice_pk1, bob_pk2).pow(carol_sk);
309
310 assert!(alice_ss == bob_ss && bob_ss == carol_ss);
311 */
312
313 println!("Hello, world!");
314}