xgcl/tpc/sm2/sm2m/outsource/os_sign.go

package outsource

import (
	"crypto/rand"
	"errors"
	"io"
	"math/big"

	"xdx.jelly/xgcl/grand"
	"xdx.jelly/xgcl/he/paillier"
	"xdx.jelly/xgcl/sm/sm2"
)

// 外包服务计算

type OSSignContext struct {
	k1p *big.Int
}

func NewOSSignContext() *OSSignContext {
	return &OSSignContext{}
}

// Step1 需要临时保存k1
func (o *OSSignContext) Step1(rnd io.Reader) (pp *sm2.PublicKey, err error) {
	for {
		k, err := rand.Int(rnd, sm2.OrderN())
		if err != nil {
			return nil, err
		}
		if k.Sign() == 0 {
			continue
		}

		x, y := sm2.Curve256.ScalarBaseMult(k.Bytes())

		o.k1p = k
		pp = &sm2.PublicKey{Curve: sm2.Curve(), X: x, Y: y}
		return pp, nil
	}
}

// Step2 input s1 in [1, N-1]
func (o *OSSignContext) Step2(s1 *big.Int, s2 *big.Int, encryptedKey *paillier.Cipher, evalKey *paillier.PublicKey) (w *paillier.Cipher, err error) {
	if o.k1p == nil || o.k1p.Sign() == 0 {
		return nil, errors.New("call Prepare first")
	}
	if s1 == nil || s2 == nil {
		return nil, errors.New("s1 or s2 is nil")
	}

	// s1, s2不能为0 mod n, 否则外包服务可能被套取到用户的密钥.
	if s1.Sign() <= 0 || s1.Cmp(sm2.OrderN()) >= 0 || s2.Sign() <= 0 || s2.Cmp(sm2.OrderN()) >= 0 {
		return nil, errors.New("s1 or s2 not in range [1, N-1]")
	}

	s := new(big.Int).Mul(o.k1p, s1)
	s.Add(s, s2).Mod(s, sm2.OrderN()) // s = k*s1 + s2 mod N

	// check s = 0?

	// 计算 w = encryptedClientKey^s mod n^2 = Enc(ds * s)
	w = (&paillier.Cipher{}).HomomorphicScalarMul(encryptedKey, s, evalKey)

	// blind the result
	if true {
		k, err := rand.Int(grand.Reader, sm2.OrderN())
		if err != nil {
			return nil, err
		}
		k.Mul(k, sm2.OrderN())
		w.HomomorphicAddInt(w, k, evalKey)
	} else {
		kn, err := rand.Int(grand.Reader, sm2.OrderN())
		if err != nil {
			return nil, err
		}
		kn.Mul(kn, sm2.OrderN())
		blind, err := paillier.Encrypt(kn, evalKey, grand.Reader)
		if err != nil {
			return nil, err
		}
		w.HomomorphicAdd(w, blind, evalKey) // c = Enc(dc*(k1*s1+s2) + k*N)
	}
	return w, nil
}

// outsourcingContext 需要序列化后保存到redis中
func (o *OSSignContext) Marshal() ([]byte, error) {
	buf := make([]byte, sm2.ByteSize())
	return o.k1p.FillBytes(buf), nil
}

func (o *OSSignContext) Unmarshal(b []byte) error {
	if len(b) != sm2.ByteSize() {
		return errors.New("input data invalid")
	}
	if o.k1p == nil {
		o.k1p = new(big.Int)
	}
	o.k1p.SetBytes(b)
	return nil
}

// clientSignContext 外包服务客户端(与JS的outsource.ClientSigner一致)
type clientSignContext struct {
	pprivateKey *paillier.PrivateKey
	r           *big.Int
	k1pp        *big.Int
	rnd         io.Reader
}

// NewClientSignContext simple factory for creating clientSignContext.
func NewClientSignContext(pprivateKey *paillier.PrivateKey, rnd io.Reader) *clientSignContext {
	ctx := &clientSignContext{
		pprivateKey: pprivateKey,
		rnd:         rnd,
	}
	if rnd == nil {
		ctx.rnd = grand.Reader
	}
	return ctx
}

// Step1 客户端签名第一步 返回p给虎符服务端
//
// pp是外包服务第一步返回的P'=k1p*G
// 返回p = k1p * k2pp * G
func (c *clientSignContext) Step1(e []byte, pp *sm2.PublicKey) (p *sm2.PublicKey, err error) {
	c.k1pp, err = rand.Int(c.rnd, sm2.OrderN())
	if err != nil {
		return nil, err
	}
	x, y := sm2.Curve256.ScalarMult(pp.X, pp.Y, c.k1pp.Bytes())

	p = &sm2.PublicKey{Curve: sm2.Curve(), X: x, Y: y}
	return p, nil
}

// Step2 客户端签名第二步, 收到虎符服务端返回的r, s1, s2, 计算s1p, 把s1p, s2p给外包服务
func (c *clientSignContext) Step2(r *big.Int, s1 *big.Int, s2 *big.Int) (s1p *big.Int, s2p *big.Int, err error) {
	c.r = r
	if r.Sign() == 0 {
		return nil, nil, errors.New("Outsource sign failed, r = 0")
	}
	s1p = c.k1pp
	c.k1pp = nil
	s1p.Mul(s1p, s1).Mod(s1p, sm2.OrderN())
	s2p = s2
	return s1p, s2p, nil
}

// Step3 客户端签名第三步, 收到外包服务返回的w = Enc(s+r), 输出签名
func (c *clientSignContext) Step3(w *paillier.Cipher) (*sm2.Signature, error) {
	s, err := c.pprivateKey.Decrypt(w)
	if err != nil {
		return nil, err
	}
	if s.Sign() == 0 {
		return nil, errors.New("Outsource sign failed, s = 0")
	}
	s.Sub(s, c.r).Mod(s, sm2.OrderN())
	r := c.r
	c.r = nil
	return &sm2.Signature{R: r, S: s}, nil
}