init: v1.0.0

sm/sm9/dkgc/doc.go

@@ -0,0 +1,4 @@
+// package dkgc is the distributed KGC mechanism
+// CAUTION: this package is currently in an experimental state
+// DO NOT USE THIS UNLESS YOU KNOW WHAT YOU ARE DOING
+package dkgc

sm/sm9/dkgc/kgc.go

@@ -0,0 +1,113 @@
+package dkgc
+
+import (
+	"crypto/rand"
+	"io"
+	"math/big"
+
+	"xdx.jelly/xgcl/sm/sm9"
+)
+
+type DoubleKGC struct {
+	ks         sm9.MastSignPrivateKey
+	commonPubs sm9.MastSignPublicKey
+}
+
+func (dk *DoubleKGC) GenerateMastKey() {
+
+}
+
+var alpha = big.NewInt(2)
+var alphaInv = new(big.Int).ModInverse(alpha, sm9.Order())
+
+func ComputeHHat(id []byte) (*big.Int, *big.Int, bool) {
+	h1 := sm9.H1(id, []byte{0x01})
+	hh := new(big.Int).ModSqrt(h1, sm9.Order())
+	if hh == nil {
+		hh = new(big.Int).Lsh(h1, 1)
+		hh.ModSqrt(hh, sm9.Order())
+		return h1, hh, false
+	}
+	return h1, hh, true
+}
+
+func UserRandom0(reader io.Reader, basePoint *sm9.G1) (*big.Int, *sm9.G1, error) {
+	r, err := rand.Int(reader, sm9.Order())
+	if err != nil || r.Sign() == 0 {
+		return nil, nil, err
+	}
+	R := &sm9.G1{}
+	R.ScalarMult(basePoint, r)
+	return r, R, nil
+}
+
+func KGC1ComputeData(reader io.Reader, R *sm9.G1, ks *sm9.MastSignPrivateKey, hh *big.Int) (*big.Int, *sm9.G1, error) {
+	r, err := rand.Int(reader, sm9.Order())
+	if err != nil {
+		return nil, nil, err
+	}
+
+	t1 := new(big.Int).Add(hh, &ks.Int)
+	t1.Mod(t1, sm9.Order())
+	if t1.Sign() == 0 {
+		panic("Got zero of t1")
+	}
+	t1.ModInverse(t1, sm9.Order())
+	t1.Mul(t1, r)
+	t1.Mod(t1, sm9.Order())
+
+	r.ModInverse(r, sm9.Order())
+	T1 := new(sm9.G1).ScalarMult(R, r)
+	return t1, T1, nil
+}
+
+func KGC2ComputeData(T1 *sm9.G1, ks *sm9.MastSignPrivateKey, hh *big.Int) (*sm9.G1, error) {
+	t2 := new(big.Int).Add(hh, &ks.Int)
+	t2.ModInverse(t2, sm9.Order())
+	T2 := new(sm9.G1).ScalarMult(T1, t2)
+	return T2, nil
+}
+
+func UserComputeSignKey(id []byte, t1 *big.Int, T2 *sm9.G1, r *big.Int, pubs1, pubs2, pubs *sm9.MastSignPublicKey, basePoint *sm9.G1) (*sm9.UserSignKey, *sm9.MastSignPublicKey, error) {
+	h1, hh, isSquare := ComputeHHat(id)
+	rInv := new(big.Int).ModInverse(r, sm9.Order())
+	if isSquare {
+		// h1 is square
+		d := new(big.Int).Mul(h1, t1)
+		d.Mul(d, rInv)
+		d.Mod(d, sm9.Order())
+		ds := new(sm9.G1).ScalarMult(T2, d)
+		ds.Neg(ds)
+		// ds.Add(ds, sm9.G1Generator())
+		ds.Add(ds, basePoint)
+
+		g := new(sm9.G2).Add(&pubs1.G2, &pubs2.G2)
+		g.ScalarMult(g, hh)
+		g.Add(g, &pubs.G2)
+		return &sm9.UserSignKey{
+				G1: *ds,
+			}, &sm9.MastSignPublicKey{
+				G2: *g,
+			}, nil
+	} else {
+		d := new(big.Int).Mul(h1, t1)
+		d.Mul(d, rInv)
+		d.Mul(d, alpha)
+		d.Mod(d, sm9.Order())
+
+		ds := new(sm9.G1).ScalarMult(T2, d)
+		ds.Neg(ds)
+		// ds.Add(ds, sm9.G1Generator())
+		ds.Add(ds, basePoint)
+
+		g := new(sm9.G2).Add(&pubs1.G2, &pubs2.G2)
+		g.ScalarMult(g, hh)
+		g.ScalarMult(g, alphaInv)
+		g.Add(g, new(sm9.G2).ScalarMult(&pubs.G2, alphaInv))
+		return &sm9.UserSignKey{
+				G1: *ds,
+			}, &sm9.MastSignPublicKey{
+				G2: *g,
+			}, nil
+	}
+}

sm/sm9/dkgc/kgc_test.go

@@ -0,0 +1,272 @@
+package dkgc
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+	"testing"
+	"time"
+
+	"xdx.jelly/xgcl/grand"
+	"xdx.jelly/xgcl/internal"
+	"xdx.jelly/xgcl/sm/sm9"
+)
+
+func spiner() {
+	start := time.Now()
+	for {
+		for _, c := range "|/-\\" {
+			fmt.Printf("\r%c  ", c)
+			now := time.Since(start)
+			s := int(now.Seconds())
+			if s > 3600 {
+				fmt.Printf("%dh%dm%ds       ", s/3600, s%3600/60, s%60)
+			} else if s > 60 {
+				fmt.Printf("%dm%ds       ", s/60, s%60)
+			} else {
+				fmt.Printf("%.1fs        ", now.Seconds())
+			}
+			time.Sleep(100 * time.Millisecond)
+		}
+	}
+}
+
+func BenchmarkReportSpeedDKGC(b *testing.B) {
+
+	ks1, pubs1, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+	if err != nil {
+		b.Fatal(err)
+	}
+	ks2, pubs2, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	ks := new(sm9.MastSignPrivateKey)
+	ks.Int.Mul(&ks1.Int, &ks2.Int)
+	ks.Int.Mod(&ks.Int, sm9.Order())
+	ks.Public().G2.ScalarBaseMult(&ks.Int)
+	pubs := ks.Public()
+
+	uid := grand.GetRandom(10)
+	msg := grand.GetRandom(10)
+	// uid := []byte("Alice")
+	// msg := []byte("Chinese IBS standard")
+	ra, R, err := UserRandom0(rand.Reader, sm9.G1Generator())
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	_, hh, _ := ComputeHHat(uid)
+
+	t1, T1, err := KGC1ComputeData(rand.Reader, R, ks1, hh)
+	if err != nil {
+		b.Fatal(err)
+	}
+	T2, err := KGC2ComputeData(T1, ks2, hh)
+	if err != nil {
+		b.Fatal(err)
+	}
+	ds, userPubs, err := UserComputeSignKey(uid, t1, T2, ra, pubs1, pubs2, pubs, sm9.G1Generator())
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	signature, _ := sm9.Sign(msg, ds, userPubs, grand.GetRandom(32))
+
+	//bn256.SetUseLattice(false)
+	if !sm9.Verify(signature, uid, msg, userPubs) {
+		b.Logf("\n%x\n%x\n", uid, msg)
+		b.Fatal("verify failed")
+	}
+
+}
+
+func TestDKGC(t *testing.T) {
+	go spiner()
+	for {
+		for i := 1; i < 1000; i++ {
+			ks1, pubs1, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+			if err != nil {
+				t.Fatal(err)
+			}
+			ks2, pubs2, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ks := new(sm9.MastSignPrivateKey)
+			ks.Int.Mul(&ks1.Int, &ks2.Int)
+			ks.Int.Mod(&ks.Int, sm9.Order())
+			ks.Public().G2.ScalarBaseMult(&ks.Int)
+			pubs := ks.Public()
+
+			uid := grand.GetRandom(i)
+			msg := grand.GetRandom(i)
+			// uid := []byte("Alice")
+			// msg := []byte("Chinese IBS standard")
+			ra, R, err := UserRandom0(rand.Reader, sm9.G1Generator())
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			_, hh, _ := ComputeHHat(uid)
+
+			t1, T1, err := KGC1ComputeData(rand.Reader, R, ks1, hh)
+			if err != nil {
+				t.Fatal(err)
+			}
+			T2, err := KGC2ComputeData(T1, ks2, hh)
+			if err != nil {
+				t.Fatal(err)
+			}
+			ds, userPubs, err := UserComputeSignKey(uid, t1, T2, ra, pubs1, pubs2, pubs, sm9.G1Generator())
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			signature, _ := sm9.Sign(msg, ds, userPubs, grand.GetRandom(32))
+			//bn256.SetUseLattice(false)
+			if !sm9.Verify(signature, uid, msg, userPubs) {
+				t.Logf("\n%x\n%x\n", uid, msg)
+				t.Fatal("verify failed")
+			}
+		}
+	}
+}
+
+func TestDKGCWithTPC(t *testing.T) {
+	go spiner()
+	for {
+		for i := 1; i < 1000; i++ {
+			ks1, pubs1, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+			if err != nil {
+				t.Fatal(err)
+			}
+			ks2, pubs2, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ks := new(sm9.MastSignPrivateKey)
+			ks.Int.Mul(&ks1.Int, &ks2.Int)
+			ks.Int.Mod(&ks.Int, sm9.Order())
+			ks.Public().G2.ScalarBaseMult(&ks.Int)
+			pubs := ks.Public()
+
+			uid := grand.GetRandom(i)
+			msg := grand.GetRandom(i)
+			// uid := []byte("Alice")
+			// msg := []byte("Chinese IBS standard")
+
+			serverKey, basePoint, err := ServerGenerateKey(rand.Reader)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ra, R, err := UserRandom0(rand.Reader, &basePoint.G1)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			_, hh, _ := ComputeHHat(uid)
+
+			t1, T1, err := KGC1ComputeData(rand.Reader, R, ks1, hh)
+			if err != nil {
+				t.Fatal(err)
+			}
+			T2, err := KGC2ComputeData(T1, ks2, hh)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			clientKey, userPubs, err := UserComputeSignKey(uid, t1, T2, ra, pubs1, pubs2, pubs, &basePoint.G1)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// signature := sm9.Sign(msg, ds, userPubs, grand.GetRandom(32))
+			csc := &ClientSignContext{}
+			u, err := csc.ComputeSignData(rand.Reader, userPubs)
+			if err != nil {
+				t.Fatal(err)
+			}
+			h, k1, k2, err := ServerComputeSignData(rand.Reader, u, msg, userPubs, serverKey)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			signature, err := csc.ComputeSignature(uid, h, k1, k2, clientKey)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if !sm9.Verify(signature, uid, msg, userPubs) {
+				t.Logf("\n%x\n%x\n", uid, msg)
+				t.Fatal("verify failed")
+			}
+		}
+	}
+}
+
+func TestDKGCReport(t *testing.T) {
+	ks1, pubs1, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ks2, pubs2, err := sm9.GenerateMastSignPrivateKey(rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ks := new(sm9.MastSignPrivateKey)
+	ks.Int.Mul(&ks1.Int, &ks2.Int)
+	ks.Int.Mod(&ks.Int, sm9.Order())
+	ks.Public().G2.ScalarBaseMult(&ks.Int)
+	pubs := ks.Public()
+
+	uid := grand.GetRandom(10)
+	msg := grand.GetRandom(10)
+
+	ra, R, err := UserRandom0(rand.Reader, sm9.G1Generator())
+	if err != nil {
+		t.Fatal(err)
+	}
+	var t1 *big.Int
+	var T1, T2 *sm9.G1
+	count, duation := internal.SingleThreadTester(func() {
+		_, hh, _ := ComputeHHat(uid)
+		t1, T1, err = KGC1ComputeData(rand.Reader, R, ks1, hh)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+	fmt.Printf("KGC1 compute: %d, used time: %d ms, %d pcs/s\n", count, duation.Milliseconds(), int(internal.Rate(count, duation)))
+
+	count, duation = internal.SingleThreadTester(func() {
+		_, hh, _ := ComputeHHat(uid)
+		T2, err = KGC2ComputeData(T1, ks2, hh)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+	fmt.Printf("KGC2 compute: %d, used time: %d ms, %d pcs/s\n", count, duation.Milliseconds(), int(internal.Rate(count, duation)))
+
+	var ds *sm9.UserSignKey
+	var userPubs *sm9.MastSignPublicKey
+	count, duation = internal.SingleThreadTester(func() {
+		ds, userPubs, err = UserComputeSignKey(uid, t1, T2, ra, pubs1, pubs2, pubs, sm9.G1Generator())
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+	fmt.Printf("User compute: %d, used time: %d ms, %d pcs/s\n", count, duation.Milliseconds(), int(internal.Rate(count, duation)))
+
+	signature, _ := sm9.Sign(msg, ds, userPubs, grand.GetRandom(32))
+
+	if !sm9.Verify(signature, uid, msg, userPubs) {
+		t.Logf("\n%x\n%x\n", uid, msg)
+		t.Fatal("verify failed")
+	}
+
+}

sm/sm9/dkgc/sign.go

@@ -0,0 +1,106 @@
+package dkgc
+
+import (
+	"crypto/rand"
+	"io"
+	"math/big"
+
+	"xdx.jelly/xgcl/sm/sm9"
+)
+
+type ServerKey struct {
+	big.Int
+}
+
+type ClientKey = sm9.UserSignKey
+
+func ServerGenerateKey(r io.Reader) (sk *ServerKey, basePoint *ClientKey, err error) {
+	for {
+		x, err := rand.Int(r, sm9.Order())
+		if err != nil {
+			return nil, nil, err
+		}
+		if x.Sign() == 0 {
+			continue
+		}
+		sk = &ServerKey{
+			Int: *x,
+		}
+		basePoint = &ClientKey{}
+		y := new(big.Int).Set(x)
+		y.ModInverse(y, sm9.Order())
+		basePoint.G1.ScalarBaseMult(y)
+		return sk, basePoint, nil
+	}
+}
+
+type ClientSignContext struct {
+	r1 big.Int
+}
+
+func (csc *ClientSignContext) ComputeSignData(r io.Reader, pubs *sm9.MastSignPublicKey) (u *sm9.GT, err error) {
+	for {
+		x, err := rand.Int(r, sm9.Order())
+		if err != nil {
+			return nil, err
+		}
+		if x.Sign() == 0 {
+			continue
+		}
+		csc.r1 = *x
+		break
+	}
+	u = sm9.Pairing(sm9.G1Generator(), &pubs.G2)
+	u.ScalarMult(u, &csc.r1)
+	return u, nil
+}
+
+func (csc *ClientSignContext) ComputeSignature(id []byte, h, k1, k2 *big.Int, kc *ClientKey) (*sm9.Signature, error) {
+	sig := &sm9.Signature{}
+	sig.H = *h
+	x := new(big.Int)
+	x.Mul(&csc.r1, k1)
+	x.Add(x, k2)
+	sig.S.ScalarMult(&kc.G1, x)
+	return sig, nil
+}
+
+func ServerComputeSignData(r io.Reader, u *sm9.GT, m []byte, pubs *sm9.MastSignPublicKey, ks *ServerKey) (h, k1, k2 *big.Int, err error) {
+	r2 := new(big.Int)
+	r3 := new(big.Int)
+	for {
+		r2, err = rand.Int(r, sm9.Order())
+		if err != nil {
+			return nil, nil, nil, err
+		}
+		if r2.Sign() == 0 {
+			continue
+		}
+		break
+	}
+
+	for {
+		r3, err = rand.Int(r, sm9.Order())
+		if err != nil {
+			return nil, nil, nil, err
+		}
+		if r3.Sign() == 0 {
+			continue
+		}
+		break
+	}
+
+	g := sm9.Pairing(sm9.G1Generator(), &pubs.G2)
+	g.ScalarMult(g, r3)
+	w := new(sm9.GT)
+	w.ScalarMult(u, r2)
+	w.Add(w, g)
+	h = sm9.H2(m, w.Marshal())
+
+	k1 = new(big.Int).Mul(r2, &ks.Int)
+	k1.Mod(k1, sm9.Order())
+	k2 = new(big.Int).Sub(r3, h)
+	k2.Mul(k2, &ks.Int)
+	k2.Mod(k2, sm9.Order())
+	return h, k1, k2, nil
+}