[keys]: add features: account.sign and verify() fns

DougAnderson444 · DougAnderson444 · commit fe86cb0778d1 · 2024-07-26T17:10:00.000-03:00
diff --git a/crates/delano-keys/Cargo.toml b/crates/delano-keys/Cargo.toml
@@ -20,6 +20,7 @@ serde = { version = "1.0.130", features = ["derive"], optional = true }
 serde_json = { version = "1.0", optional = true }
 getrandom = "0.2"
 sha2 = "0.10"
+thiserror = "1.0"
 
 [dev-dependencies]
 rand = "0.8"
diff --git a/crates/delano-keys/src/kdf.rs b/crates/delano-keys/src/kdf.rs
@@ -1,17 +1,24 @@
 //! If `derive` is feature is enabled, this crate provides a key derivation mechanism for BLS12-381.
+use crate::error::Error;
 use crate::vk;
 use blastkids::kdf;
 
+use bls12_381_plus::elliptic_curve::hash2curve::ExpandMsgXmd;
 // re-exports
 pub use bls12_381_plus::group::{Group, GroupEncoding};
-pub use bls12_381_plus::G1Projective as G1;
-pub use bls12_381_plus::G2Projective as G2;
+pub use bls12_381_plus::G1Projective;
+pub use bls12_381_plus::G2Projective;
 pub use bls12_381_plus::Scalar;
+use bls12_381_plus::{group::Curve, G2Affine};
 pub use secrecy::zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
 pub use secrecy::{ExposeSecret, Secret};
 
 use bls12_381_plus::elliptic_curve::ops::MulByGenerator;
 
+/// Domain Separation Tag for Proof of Possession, as our Signatures are in G2 (and public keys are in G1).
+/// See <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04#section-4.2.3> for more details.
+const DST: &'static [u8] = b"BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_";
+
 /// Seed and master key Manager.
 ///
 /// Generic over the type of curve used, [either G1 or G2](https://hackmd.io/@benjaminion/bls12-381#Swapping-G1-and-G2)
@@ -91,9 +98,9 @@ impl Manager {
         // Derive the first normal secret key in advance
         // so we can get our Deterministic Public Keys for this account
         // for any length / size
-        let sk_normal_0 = Zeroizing::new(kdf::ckd_sk_normal::<G2>(sk.expose_secret(), 0));
-        let pk_normal_g1 = G1::mul_by_generator(&sk_normal_0);
-        let pk_hardened_g2 = G2::mul_by_generator(sk.expose_secret());
+        let sk_normal_0 = Zeroizing::new(kdf::ckd_sk_normal::<G2Projective>(sk.expose_secret(), 0));
+        let pk_normal_g1 = G1Projective::mul_by_generator(&sk_normal_0);
+        let pk_hardened_g2 = G2Projective::mul_by_generator(sk.expose_secret());
 
         Account {
             index,
@@ -110,13 +117,13 @@ impl Manager {
 pub struct Account {
     pub index: u32,
     sk: Secret<Scalar>,
-    pub pk_g1: G1,
-    pub pk_g2: G2,
+    pub pk_g1: G1Projective,
+    pub pk_g2: G2Projective,
 }
 
 impl Account {
     /// Create a new account from a secret key and public key
-    pub fn new(index: u32, sk: Scalar, pk_g1: G1, pk_g2: G2) -> Self {
+    pub fn new(index: u32, sk: Scalar, pk_g1: G1Projective, pk_g2: G2Projective) -> Self {
         Self {
             index,
             sk: Secret::new(sk),
@@ -133,19 +140,55 @@ impl Account {
     pub fn expand_to(&self, length: u8) -> Secret<Vec<Scalar>> {
         Secret::new(
             (0..length)
-                .map(|i| kdf::ckd_sk_normal::<G2>(self.sk.expose_secret(), i as u32))
+                .map(|i| kdf::ckd_sk_normal::<G2Projective>(self.sk.expose_secret(), i as u32))
                 .collect::<Vec<Scalar>>(),
         )
     }
+
+    /// Generates a signature for this account's [G1Projective] public key.
+    pub fn sign(&self, message: &[u8]) -> [u8; G2Affine::COMPRESSED_BYTES] {
+        let sk_normal_0 = Zeroizing::new(kdf::ckd_sk_normal::<G2Projective>(
+            self.sk.expose_secret(),
+            0,
+        ));
+
+        // Hash the msg to G2
+        let g2_point = G2Projective::hash::<ExpandMsgXmd<sha2::Sha256>>(message, DST);
+
+        let signature = g2_point * *sk_normal_0;
+
+        signature.to_compressed()
+    }
+}
+
+/// Verify a signed message ([G2Compressed]) against a [G1] public key.
+pub fn verify(pk: &G1Projective, message: &[u8], signature: &[u8]) -> Result<bool, Error> {
+    // let err msg say that signature was not a valid G2 point
+    let sig_g2 = try_decompress_g2(signature.to_vec())?;
+    let pk_affine = pk.to_affine();
+
+    // Hash the msg to G2Affine
+    let hashed_msg_g2 = G2Projective::hash::<ExpandMsgXmd<sha2::Sha256>>(message, DST).to_affine();
+    let g1_generator = G1Projective::generator().to_affine();
+
+    // Verify the signature by checking the pairing(G1_pubkey, G2_hashed_msg) == pairing(G1_generator, G2_signature)
+    let result = bls12_381_plus::pairing(&pk_affine, &hashed_msg_g2)
+        == bls12_381_plus::pairing(&g1_generator, &sig_g2);
+
+    Ok(result)
 }
 
 /// Given an Account's root Public Keys and a desired [VK] length,
 /// derive the expanded Verification Key [VK] for the Account size.
 ///
 /// The length is the target length of the entire Verification Key [VK]
-pub fn derive(pk_g1: &G1, pk_g2: &G2, length: u8) -> Vec<vk::VK> {
+pub fn derive(pk_g1: &G1Projective, pk_g2: &G2Projective, length: u8) -> Vec<vk::VK> {
     let vk_g2_expanded: Vec<vk::VK> = (0..(length - 1))
-        .map(|i| vk::VK::G2(blastkids::kdf::ckd_pk_normal::<G2>(pk_g2, i as u32)))
+        .map(|i| {
+            vk::VK::G2(blastkids::kdf::ckd_pk_normal::<G2Projective>(
+                pk_g2, i as u32,
+            ))
+        })
         .collect();
 
     // concat pk_g1, vk_g2_expanded
@@ -155,6 +198,19 @@ pub fn derive(pk_g1: &G1, pk_g2: &G2, length: u8) -> Vec<vk::VK> {
     vk
 }
 
+/// Try Decompress G2
+pub(crate) fn try_decompress_g2(value: Vec<u8>) -> Result<G2Affine, Error> {
+    let mut bytes = [0u8; G2Affine::COMPRESSED_BYTES];
+    bytes.copy_from_slice(&value);
+    let maybe_g2 = G2Affine::from_compressed(&bytes);
+
+    if maybe_g2.is_none().into() {
+        return Err(Error::InvalidG2Point);
+    } else {
+        Ok(maybe_g2.unwrap())
+    }
+}
+
 #[cfg(test)]
 mod basic_test {
 
@@ -174,9 +230,9 @@ mod basic_test {
         // get the pk from each of the expanded keys
         // remember, the first VK is sk[0] * G1 and 2nd VK is sk[0] * G2Projective
         // so we need len - 1 secret keys
-        let pk_g1 = G1::mul_by_generator(&expanded.expose_secret()[0]);
-        let pk_g2_0 = G2::mul_by_generator(&expanded.expose_secret()[0]);
-        let pk_g2_1 = G2::mul_by_generator(&expanded.expose_secret()[1]);
+        let pk_g1 = G1Projective::mul_by_generator(&expanded.expose_secret()[0]);
+        let pk_g2_0 = G2Projective::mul_by_generator(&expanded.expose_secret()[0]);
+        let pk_g2_1 = G2Projective::mul_by_generator(&expanded.expose_secret()[1]);
 
         let vk = derive(&account.pk_g1, &account.pk_g2, 3);
 
@@ -190,9 +246,50 @@ mod basic_test {
             vk,
             vec![
                 vk::VK::G1(account.pk_g1),
-                vk::VK::G2(blastkids::kdf::ckd_pk_normal::<G2>(&account.pk_g2, 0)),
-                vk::VK::G2(blastkids::kdf::ckd_pk_normal::<G2>(&account.pk_g2, 1))
+                vk::VK::G2(blastkids::kdf::ckd_pk_normal::<G2Projective>(
+                    &account.pk_g2,
+                    0
+                )),
+                vk::VK::G2(blastkids::kdf::ckd_pk_normal::<G2Projective>(
+                    &account.pk_g2,
+                    1
+                ))
             ]
         );
     }
+
+    // Tests signature and verify
+    #[test]
+    fn test_sign_roundtrip() {
+        let seed = Zeroizing::new([69u8; 32]);
+        let manager: Manager = Manager::from_seed(seed);
+
+        // For each account indices: 0, 1, 2, 3
+        let indices = vec![0, 1, 2, 3];
+
+        for index in indices {
+            let account = manager.account(index);
+
+            let message = b"hello world";
+            let signature = account.sign(message);
+
+            let verified = verify(&account.pk_g1, message, &signature).unwrap();
+            assert!(verified);
+        }
+    }
+
+    // Failing signature verification
+    #[test]
+    fn test_sign_roundtrip_fail() {
+        let seed = Zeroizing::new([69u8; 32]);
+        let manager: Manager = Manager::from_seed(seed);
+
+        let account = manager.account(1);
+
+        let message = b"hello world";
+        let signature = account.sign(message);
+
+        let verified = verify(&account.pk_g1, b"hello world!", &signature).unwrap();
+        assert!(!verified);
+    }
 }
