2022-11-11 03:35:09 +00:00
|
|
|
use core::ops::Deref;
|
|
|
|
|
|
|
|
|
|
use zeroize::Zeroizing;
|
2023-03-02 14:06:03 +00:00
|
|
|
use rand_core::OsRng;
|
2022-11-11 03:35:09 +00:00
|
|
|
|
2023-03-02 14:06:03 +00:00
|
|
|
use sha2::Sha256;
|
2022-11-04 12:03:29 +00:00
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
use group::{ff::Field, Group};
|
|
|
|
|
use multiexp::BatchVerifier;
|
|
|
|
|
|
2023-03-02 14:06:03 +00:00
|
|
|
use ciphersuite::{Ciphersuite, Ed25519};
|
|
|
|
|
|
2022-11-04 12:03:29 +00:00
|
|
|
use crate::{
|
|
|
|
|
SchnorrSignature,
|
|
|
|
|
aggregate::{SchnorrAggregator, SchnorrAggregate},
|
|
|
|
|
};
|
2022-10-29 08:54:42 +00:00
|
|
|
|
2023-03-02 14:06:03 +00:00
|
|
|
mod rfc8032;
|
|
|
|
|
|
2022-11-04 12:03:29 +00:00
|
|
|
pub(crate) fn sign<C: Ciphersuite>() {
|
2022-11-11 03:35:09 +00:00
|
|
|
let private_key = Zeroizing::new(C::random_nonzero_F(&mut OsRng));
|
|
|
|
|
let nonce = Zeroizing::new(C::random_nonzero_F(&mut OsRng));
|
2022-10-29 08:54:42 +00:00
|
|
|
let challenge = C::random_nonzero_F(&mut OsRng); // Doesn't bother to craft an HRAm
|
2022-11-11 03:35:09 +00:00
|
|
|
assert!(SchnorrSignature::<C>::sign(&private_key, nonce, challenge)
|
|
|
|
|
.verify(C::generator() * private_key.deref(), challenge));
|
2022-10-29 08:54:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The above sign function verifies signing works
|
|
|
|
|
// This verifies invalid signatures don't pass, using zero signatures, which should effectively be
|
|
|
|
|
// random
|
2022-11-04 12:03:29 +00:00
|
|
|
pub(crate) fn verify<C: Ciphersuite>() {
|
2022-10-29 08:54:42 +00:00
|
|
|
assert!(!SchnorrSignature::<C> { R: C::G::identity(), s: C::F::zero() }
|
|
|
|
|
.verify(C::generator() * C::random_nonzero_F(&mut OsRng), C::random_nonzero_F(&mut OsRng)));
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-04 12:03:29 +00:00
|
|
|
pub(crate) fn batch_verify<C: Ciphersuite>() {
|
2022-10-29 08:54:42 +00:00
|
|
|
// Create 5 signatures
|
|
|
|
|
let mut keys = vec![];
|
|
|
|
|
let mut challenges = vec![];
|
|
|
|
|
let mut sigs = vec![];
|
|
|
|
|
for i in 0 .. 5 {
|
2022-11-11 03:35:09 +00:00
|
|
|
keys.push(Zeroizing::new(C::random_nonzero_F(&mut OsRng)));
|
2022-10-29 08:54:42 +00:00
|
|
|
challenges.push(C::random_nonzero_F(&mut OsRng));
|
2022-11-11 03:35:09 +00:00
|
|
|
sigs.push(SchnorrSignature::<C>::sign(
|
|
|
|
|
&keys[i],
|
|
|
|
|
Zeroizing::new(C::random_nonzero_F(&mut OsRng)),
|
|
|
|
|
challenges[i],
|
|
|
|
|
));
|
2022-10-29 08:54:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Batch verify
|
|
|
|
|
{
|
|
|
|
|
let mut batch = BatchVerifier::new(5);
|
|
|
|
|
for (i, sig) in sigs.iter().enumerate() {
|
2022-11-11 03:35:09 +00:00
|
|
|
sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]);
|
2022-10-29 08:54:42 +00:00
|
|
|
}
|
2023-03-02 13:45:09 +00:00
|
|
|
batch.verify_vartime_with_vartime_blame().unwrap();
|
2022-10-29 08:54:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Shift 1 from s from one to another and verify it fails
|
|
|
|
|
// This test will fail if unique factors aren't used per-signature, hence its inclusion
|
|
|
|
|
{
|
|
|
|
|
let mut batch = BatchVerifier::new(5);
|
|
|
|
|
for (i, mut sig) in sigs.clone().drain(..).enumerate() {
|
|
|
|
|
if i == 1 {
|
|
|
|
|
sig.s += C::F::one();
|
|
|
|
|
}
|
|
|
|
|
if i == 2 {
|
|
|
|
|
sig.s -= C::F::one();
|
|
|
|
|
}
|
2022-11-11 03:35:09 +00:00
|
|
|
sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]);
|
2022-10-29 08:54:42 +00:00
|
|
|
}
|
2023-03-02 13:45:09 +00:00
|
|
|
if let Err(blame) = batch.verify_vartime_with_vartime_blame() {
|
2022-10-29 08:54:42 +00:00
|
|
|
assert!((blame == 1) || (blame == 2));
|
|
|
|
|
} else {
|
|
|
|
|
panic!("Batch verification considered malleated signatures valid");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-04 12:03:29 +00:00
|
|
|
pub(crate) fn aggregate<C: Ciphersuite>() {
|
|
|
|
|
// Create 5 signatures
|
|
|
|
|
let mut keys = vec![];
|
|
|
|
|
let mut challenges = vec![];
|
2023-03-02 14:06:03 +00:00
|
|
|
let mut aggregator = SchnorrAggregator::<Sha256, C>::new();
|
2022-11-04 12:03:29 +00:00
|
|
|
for i in 0 .. 5 {
|
2022-11-11 03:35:09 +00:00
|
|
|
keys.push(Zeroizing::new(C::random_nonzero_F(&mut OsRng)));
|
2022-11-04 12:03:29 +00:00
|
|
|
challenges.push(C::random_nonzero_F(&mut OsRng));
|
|
|
|
|
aggregator.aggregate(
|
2022-11-11 03:35:09 +00:00
|
|
|
C::generator() * keys[i].deref(),
|
2022-11-04 12:03:29 +00:00
|
|
|
challenges[i],
|
2022-11-11 03:35:09 +00:00
|
|
|
SchnorrSignature::<C>::sign(
|
|
|
|
|
&keys[i],
|
|
|
|
|
Zeroizing::new(C::random_nonzero_F(&mut OsRng)),
|
|
|
|
|
challenges[i],
|
|
|
|
|
),
|
2022-11-04 12:03:29 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let aggregate = aggregator.complete().unwrap();
|
|
|
|
|
let aggregate =
|
|
|
|
|
SchnorrAggregate::<C>::read::<&[u8]>(&mut aggregate.serialize().as_ref()).unwrap();
|
2023-03-02 14:06:03 +00:00
|
|
|
assert!(aggregate.verify::<Sha256>(
|
2022-11-04 12:03:29 +00:00
|
|
|
keys
|
|
|
|
|
.iter()
|
2022-11-11 03:35:09 +00:00
|
|
|
.map(|key| C::generator() * key.deref())
|
2022-11-04 12:03:29 +00:00
|
|
|
.zip(challenges.iter().cloned())
|
|
|
|
|
.collect::<Vec<_>>()
|
|
|
|
|
.as_ref()
|
|
|
|
|
));
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
#[test]
|
|
|
|
|
fn test() {
|
2023-03-02 14:06:03 +00:00
|
|
|
sign::<Ed25519>();
|
|
|
|
|
verify::<Ed25519>();
|
|
|
|
|
batch_verify::<Ed25519>();
|
|
|
|
|
aggregate::<Ed25519>();
|
2022-10-29 08:54:42 +00:00
|
|
|
}
|
