Split prover and verifier statements for BBS and BBS+

Signed-off-by: lovesh <[email protected]>
docknetwork · Mar 4, 2024 · 0c54a1c · 0c54a1c
1 parent 9e075a1
commit 0c54a1c
Show file tree

Hide file tree

Showing 29 changed files with 1,178 additions and 449 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -42,10 +42,10 @@ rayon = { version = "1" }
 digest = { version = "0.10", default-features = false, features = ["alloc"] }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_with = { version = "1.10.0", default-features = false, features = ["macros"] }
-zeroize = { version = "1.6.0", features = ["derive"] }
+zeroize = { version = "1.7.0", features = ["derive"] }
 blake2 = { version = "0.10", default-features = false }
 ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-itertools = "0.10.5"
+itertools = "0.12.1"
 
 [profile.release]
 lto = true

diff --git a/kvac/src/bddt_2016/setup.rs b/kvac/src/bddt_2016/setup.rs
@@ -1,9 +1,12 @@
 use ark_ec::{AffineRepr, CurveGroup, VariableBaseMSM};
-use ark_ff::PrimeField;
+use ark_ff::{
+    field_hashers::{DefaultFieldHasher, HashToField},
+    PrimeField,
+};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
-use ark_std::{rand::RngCore, vec::Vec};
+use ark_std::{cfg_iter, rand::RngCore, vec::Vec};
 use core::iter::once;
-use digest::Digest;
+use digest::{Digest, DynDigest};
 use dock_crypto_utils::{
     affine_group_element_from_byte_slices, concat_slices, join,
     misc::{n_projective_group_elements, seq_pairs_satisfy},
@@ -143,6 +146,13 @@ impl<G: AffineRepr> MACParams<G> {
         let commitment = self.commit_to_messages(indexed_messages_sorted_by_index, s)?;
         Ok(commitment + self.h)
     }
+
+    pub fn is_valid(&self) -> bool {
+        !(self.g_0.is_zero()
+            || self.g.is_zero()
+            || self.h.is_zero()
+            || cfg_iter!(self.g_vec).any(|v| v.is_zero()))
+    }
 }
 
 impl<G: AffineRepr> MultiMessageSignatureParams for MACParams<G> {
@@ -161,6 +171,11 @@ impl<F: PrimeField> SecretKey<F> {
     pub fn new<R: RngCore>(rng: &mut R) -> Self {
         Self(F::rand(rng))
     }
+
+    pub fn generate_using_seed<D: DynDigest + Default + Clone>(seed: &[u8]) -> Self {
+        let hasher = <DefaultFieldHasher<D> as HashToField<F>>::new(b"BDDT16-MAC-KEYGEN-SALT");
+        Self(hasher.hash_to_field(seed, 1).pop().unwrap())
+    }
 }
 
 impl<G: AffineRepr> PublicKey<G> {

diff --git a/proof_system/src/proof_spec.rs b/proof_system/src/proof_spec.rs
@@ -192,7 +192,7 @@ impl<E: Pairing> ProofSpec<E> {
         // knowledge proof
         for (i, st) in self.statements.0.iter().enumerate() {
             match st {
-                Statement::PoKBBSSignatureG1(s) => {
+                Statement::PoKBBSSignatureG1Prover(s) => {
                     for k in s.revealed_messages.keys() {
                         revealed_wit_refs.insert((i, *k));
                     }
@@ -433,14 +433,14 @@ impl<E: Pairing> ProofSpec<E> {
 
         for (s_idx, statement) in self.statements.0.iter().enumerate() {
             match statement {
-                Statement::PoKBBSSignatureG1(s) => {
+                Statement::PoKBBSSignatureG1Verifier(s) => {
                     let params = s.get_params(&self.setup_params, s_idx)?;
                     derived_bbs_p.on_new_statement_idx(params, s_idx);
 
                     let pk = s.get_public_key(&self.setup_params, s_idx)?;
                     derived_bbs_pk.on_new_statement_idx(pk, s_idx);
                 }
-                Statement::PoKBBSSignature23G1(s) => {
+                Statement::PoKBBSSignature23G1Verifier(s) => {
                     let params = s.get_params(&self.setup_params, s_idx)?;
                     derived_bbs.on_new_statement_idx(params, s_idx);
 

diff --git a/proof_system/src/prover.rs b/proof_system/src/prover.rs
@@ -200,16 +200,15 @@ impl<E: Pairing> Proof<E> {
         }
 
         macro_rules! sig_protocol_init {
-            ($s: ident, $s_idx: ident, $w: ident, $protocol: ident, $protocol_variant: ident, $label: ident) => {{
+            ($s: ident, $s_idx: ident, $w: ident, $protocol: ident, $func_name: ident, $protocol_variant: ident, $label: ident) => {{
                 // Prepare blindings for this signature proof
                 let blindings_map = build_blindings_map::<E>(
                     &mut blindings,
                     $s_idx,
                     $w.unrevealed_messages.keys().cloned(),
                 );
                 let sig_params = $s.get_params(&proof_spec.setup_params, $s_idx)?;
-                let pk = $s.get_public_key(&proof_spec.setup_params, $s_idx)?;
-                let mut sp = $protocol::new($s_idx, &$s.revealed_messages, sig_params, pk);
+                let mut sp = $protocol::$func_name($s_idx, &$s.revealed_messages, sig_params);
                 sp.init(rng, blindings_map, $w)?;
                 transcript.set_label($label);
                 sp.challenge_contribution(&mut transcript)?;
@@ -252,26 +251,28 @@ impl<E: Pairing> Proof<E> {
             .enumerate()
         {
             match statement {
-                Statement::PoKBBSSignatureG1(s) => match witness {
+                Statement::PoKBBSSignatureG1Prover(s) => match witness {
                     Witness::PoKBBSSignatureG1(w) => {
                         sig_protocol_init!(
                             s,
                             s_idx,
                             w,
                             PoKBBSPlusSigG1SubProtocol,
+                            new_for_prover,
                             PoKBBSSignatureG1,
                             BBS_PLUS_LABEL
                         );
                     }
                     _ => err_incompat_witness!(s_idx, s, witness),
                 },
-                Statement::PoKBBSSignature23G1(s) => match witness {
+                Statement::PoKBBSSignature23G1Prover(s) => match witness {
                     Witness::PoKBBSSignature23G1(w) => {
                         sig_protocol_init!(
                             s,
                             s_idx,
                             w,
                             PoKBBSSigG1SubProtocol,
+                            new_for_prover,
                             PoKBBSSignature23G1,
                             BBS_23_LABEL
                         );
@@ -572,7 +573,19 @@ impl<E: Pairing> Proof<E> {
                 },
                 Statement::PoKPSSignature(s) => match witness {
                     Witness::PoKPSSignature(w) => {
-                        sig_protocol_init!(s, s_idx, w, PSSignaturePoK, PSSignaturePoK, PS_LABEL);
+                        // Prepare blindings for this PS sig proof
+                        let blindings_map = build_blindings_map::<E>(
+                            &mut blindings,
+                            s_idx,
+                            w.unrevealed_messages.keys().cloned(),
+                        );
+                        let params = s.get_params(&proof_spec.setup_params, s_idx)?;
+                        let pk = s.get_public_key(&proof_spec.setup_params, s_idx)?;
+                        let mut sp = PSSignaturePoK::new(s_idx, &s.revealed_messages, params, pk);
+                        sp.init::<R>(rng, blindings_map, w)?;
+                        transcript.set_label(PS_LABEL);
+                        sp.challenge_contribution(&mut transcript)?;
+                        sub_protocols.push(SubProtocol::PSSignaturePoK(sp));
                     }
                     _ => err_incompat_witness!(s_idx, s, witness),
                 },
@@ -667,18 +680,15 @@ impl<E: Pairing> Proof<E> {
                 },
                 Statement::PoKBDDT16MAC(s) => match witness {
                     Witness::PoKOfBDDT16MAC(w) => {
-                        // Prepare blindings for this BDDT16 MAC proof
-                        let blindings_map = build_blindings_map::<E>(
-                            &mut blindings,
+                        sig_protocol_init!(
+                            s,
                             s_idx,
-                            w.unrevealed_messages.keys().cloned(),
+                            w,
+                            PoKOfMACSubProtocol,
+                            new,
+                            PoKOfBDDT16MAC,
+                            BDDT16_KVAC_LABEL
                         );
-                        let params = s.get_params(&proof_spec.setup_params, s_idx)?;
-                        let mut sp = PoKOfMACSubProtocol::new(s_idx, &s.revealed_messages, params);
-                        sp.init::<R>(rng, blindings_map, w)?;
-                        transcript.set_label(BDDT16_KVAC_LABEL);
-                        sp.challenge_contribution(&mut transcript)?;
-                        sub_protocols.push(SubProtocol::PoKOfBDDT16MAC(sp));
                     }
                     _ => err_incompat_witness!(s_idx, s, witness),
                 },

diff --git a/proof_system/src/statement/bbs_23.rs b/proof_system/src/statement/bbs_23.rs
@@ -5,7 +5,8 @@ use serde::{Deserialize, Serialize};
 use serde_with::{serde_as, Same};
 
 use crate::{
-    error::ProofSystemError, impl_bbs_statement, setup_params::SetupParams, statement::Statement,
+    error::ProofSystemError, impl_bbs_prover_statement, impl_bbs_verifier_statement,
+    setup_params::SetupParams, statement::Statement,
 };
 use bbs_plus::prelude::{PublicKeyG2, SignatureParams23G1};
 use dock_crypto_utils::serde_utils::*;
@@ -16,7 +17,22 @@ use dock_crypto_utils::serde_utils::*;
     Clone, Debug, PartialEq, Eq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
 )]
 #[serde(bound = "")]
-pub struct PoKBBSSignature23G1<E: Pairing> {
+pub struct PoKBBSSignature23G1Prover<E: Pairing> {
+    /// Messages being revealed.
+    #[serde_as(as = "BTreeMap<Same, ArkObjectBytes>")]
+    pub revealed_messages: BTreeMap<usize, E::ScalarField>,
+    /// If the statement was created by passing the signature params directly, then it will not be None
+    pub signature_params: Option<SignatureParams23G1<E>>,
+    /// If the statement was created by passing the index of signature params in `SetupParams`, then it will not be None
+    pub signature_params_ref: Option<usize>,
+}
+
+#[serde_as]
+#[derive(
+    Clone, Debug, PartialEq, Eq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+)]
+#[serde(bound = "")]
+pub struct PoKBBSSignature23G1Verifier<E: Pairing> {
     /// Messages being revealed.
     #[serde_as(as = "BTreeMap<Same, ArkObjectBytes>")]
     pub revealed_messages: BTreeMap<usize, E::ScalarField>,
@@ -30,10 +46,18 @@ pub struct PoKBBSSignature23G1<E: Pairing> {
     pub public_key_ref: Option<usize>,
 }
 
-impl<E: Pairing> PoKBBSSignature23G1<E> {
-    impl_bbs_statement!(
+impl<E: Pairing> PoKBBSSignature23G1Prover<E> {
+    impl_bbs_prover_statement!(
+        SignatureParams23G1,
+        PoKBBSSignature23G1Prover,
+        BBSSignatureParams23
+    );
+}
+
+impl<E: Pairing> PoKBBSSignature23G1Verifier<E> {
+    impl_bbs_verifier_statement!(
         SignatureParams23G1,
-        PoKBBSSignature23G1,
+        PoKBBSSignature23G1Verifier,
         BBSSignatureParams23
     );
 }
diff --git a/proof_system/src/statement/bbs_plus.rs b/proof_system/src/statement/bbs_plus.rs
@@ -8,13 +8,29 @@ use crate::{error::ProofSystemError, setup_params::SetupParams, statement::State
 use bbs_plus::prelude::{PublicKeyG2, SignatureParamsG1};
 use dock_crypto_utils::serde_utils::*;
 
+/// Public values like setup params and revealed messages for proving knowledge of BBS+ signature.
+#[serde_as]
+#[derive(
+    Clone, Debug, PartialEq, Eq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+)]
+#[serde(bound = "")]
+pub struct PoKBBSSignatureG1Prover<E: Pairing> {
+    /// Messages being revealed.
+    #[serde_as(as = "BTreeMap<Same, ArkObjectBytes>")]
+    pub revealed_messages: BTreeMap<usize, E::ScalarField>,
+    /// If the statement was created by passing the signature params directly, then it will not be None
+    pub signature_params: Option<SignatureParamsG1<E>>,
+    /// If the statement was created by passing the index of signature params in `SetupParams`, then it will not be None
+    pub signature_params_ref: Option<usize>,
+}
+
 /// Public values like setup params, public key and revealed messages for proving knowledge of BBS+ signature.
 #[serde_as]
 #[derive(
     Clone, Debug, PartialEq, Eq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
 )]
 #[serde(bound = "")]
-pub struct PoKBBSSignatureG1<E: Pairing> {
+pub struct PoKBBSSignatureG1Verifier<E: Pairing> {
     /// Messages being revealed.
     #[serde_as(as = "BTreeMap<Same, ArkObjectBytes>")]
     pub revealed_messages: BTreeMap<usize, E::ScalarField>,
@@ -29,7 +45,52 @@ pub struct PoKBBSSignatureG1<E: Pairing> {
 }
 
 #[macro_export]
-macro_rules! impl_bbs_statement {
+macro_rules! impl_bbs_prover_statement {
+    ($params: ident, $stmt: ident, $setup_param_name: ident) => {
+        /// Create a statement by passing the signature parameters directly.
+        pub fn new_statement_from_params(
+            signature_params: $params<E>,
+            revealed_messages: BTreeMap<usize, E::ScalarField>,
+        ) -> Statement<E> {
+            Statement::$stmt(Self {
+                revealed_messages,
+                signature_params: Some(signature_params),
+                signature_params_ref: None,
+            })
+        }
+
+        /// Create a statement by passing the index of signature parameters in `SetupParams`.
+        pub fn new_statement_from_params_ref(
+            signature_params_ref: usize,
+            revealed_messages: BTreeMap<usize, E::ScalarField>,
+        ) -> Statement<E> {
+            Statement::$stmt(Self {
+                revealed_messages,
+                signature_params: None,
+                signature_params_ref: Some(signature_params_ref),
+            })
+        }
+
+        /// Get signature params for the statement index `s_idx` either from `self` or from given `setup_params`.
+        pub fn get_params<'a>(
+            &'a self,
+            setup_params: &'a [SetupParams<E>],
+            st_idx: usize,
+        ) -> Result<&'a $params<E>, ProofSystemError> {
+            extract_param!(
+                setup_params,
+                &self.signature_params,
+                self.signature_params_ref,
+                $setup_param_name,
+                IncompatibleBBSPlusSetupParamAtIndex,
+                st_idx
+            )
+        }
+    };
+}
+
+#[macro_export]
+macro_rules! impl_bbs_verifier_statement {
     ($params: ident, $stmt: ident, $setup_param_name: ident) => {
         /// Create a statement by passing the signature parameters and public key directly.
         pub fn new_statement_from_params(
@@ -95,6 +156,18 @@ macro_rules! impl_bbs_statement {
     };
 }
 
-impl<E: Pairing> PoKBBSSignatureG1<E> {
-    impl_bbs_statement!(SignatureParamsG1, PoKBBSSignatureG1, BBSPlusSignatureParams);
+impl<E: Pairing> PoKBBSSignatureG1Prover<E> {
+    impl_bbs_prover_statement!(
+        SignatureParamsG1,
+        PoKBBSSignatureG1Prover,
+        BBSPlusSignatureParams
+    );
+}
+
+impl<E: Pairing> PoKBBSSignatureG1Verifier<E> {
+    impl_bbs_verifier_statement!(
+        SignatureParamsG1,
+        PoKBBSSignatureG1Verifier,
+        BBSPlusSignatureParams
+    );
 }