feat(rust): add bbs+ signature scheme

Signed-off-by: Michael Lodder <mike@ockam.io>

Author: Michael Lodder

implementations/rust/ockam/ockam_signature_bbs/Cargo.toml

@@ -0,0 +1,35 @@
+[package]
+name = "bbs"
+version = "0.1.0"
+authors = ["Ockam Developers"]
+edition = "2018"
+license = "Apache-2.0"
+homepage = "https://github.com/ockam-network/ockam"
+repository = "https://github.com/ockam-network/ockam/tree/develop/implementations/rust/ockam/ockam_signature_bbs"
+readme = "README.md"
+categories = ["cryptography", "asynchronous", "authentication","no-std","algorithms"]
+keywords = ["ockam", "crypto", "signature", "signing", "bls"]
+description = """The Ockam BLS signature impementation.
+"""
+
+[features]
+
+[dependencies]
+bls = { version = "0.1", path = "../ockam_signature_bls", package = "ockam_signature_bls" }
+bls12_381_plus = "0.4"
+blake2 = { version = "0.9", default-features = false }
+digest = { version = "0.9", default-features = false }
+ff = "0.9"
+group = "0.9"
+hmac-drbg = "0.3"
+managed = { version = "0.8", features = ["map"] }
+pairing = "0.19"
+rand_core = "0.6"
+serde = { version = "1.0", features = ["derive"] }
+short_group_signatures_core = { version = "0.1", path = "../ockam_signature_core", package = "ockam_signature_core" }
+subtle = { version = "2.4", default-features = false }
+typenum = "1.13"
+zeroize = { version = "1.2", features = ["zeroize_derive"] }
+
+[dev-dependencies]
+rand_xorshift = "0.3"

implementations/rust/ockam/ockam_signature_bbs/DEVELOP.md

@@ -0,0 +1 @@
+../../DEVELOP.md

implementations/rust/ockam/ockam_signature_bbs/LICENSE

@@ -0,0 +1 @@
+../../../../LICENSE

implementations/rust/ockam/ockam_signature_bbs/README.md

@@ -0,0 +1,54 @@
+# ockam\_signature\_bbs
+
+[![crate][crate-image]][crate-link]
+[![docs][docs-image]][docs-link]
+[![license][license-image]][license-link]
+[![discuss][discuss-image]][discuss-link]
+
+Ockam is a library for building devices that communicate securely, privately
+and trustfully with cloud services and other devices.
+
+In order to support a variety of proving protocols, this crate implements the BBS+ signature scheme which can be used to generate zero-knowledge proofs about signed attributes and the signatures themselves.
+
+The main [Ockam][main-ockam-crate-link] has optional dependency on this crate.
+
+## Usage
+
+Add this to your `Cargo.toml`:
+
+```
+[dependencies]
+ockam_signature_bbs = "0.1.0"
+```
+
+## Crate Features
+
+```
+[dependencies]
+ockam_signature_bbs = { version = "0.1.0", default-features = false }
+```
+
+Please note that Cargo features are unioned across the entire dependency
+graph of a project. If any other crate you depend on has not opted out of
+`ockam_signature_bbs` default features, Cargo will build `ockam_signature_bbs` with the std
+feature enabled whether or not your direct dependency on `ockam_signature_bbs`
+has `default-features = false`.
+
+## License
+
+This code is licensed under the terms of the [Apache License 2.0][license-link].
+
+[main-ockam-crate-link]: https://crates.io/crates/ockam
+[ockam-vault-crate-link]: https://crates.io/crates/ockam_signature_bbs
+
+[crate-image]: https://img.shields.io/crates/v/ockam_signature_bbs.svg
+[crate-link]: https://crates.io/crates/ockam_signature_bbs
+
+[docs-image]: https://docs.rs/ockam_signature_bbs/badge.svg
+[docs-link]: https://docs.rs/ockam_signature_bbs
+
+[license-image]: https://img.shields.io/badge/License-Apache%202.0-green.svg
+[license-link]: https://github.com/ockam-network/ockam/blob/HEAD/LICENSE
+
+[discuss-image]: https://img.shields.io/badge/Discuss-Github%20Discussions-ff70b4.svg
+[discuss-link]: https://github.com/ockam-network/ockam/discussions

implementations/rust/ockam/ockam_signature_bbs/src/blind_signature.rs

@@ -0,0 +1,146 @@
+use crate::{Commitment, Message, MessageGenerators, Signature, SignatureBlinding, MAX_MSGS};
+use blake2::Blake2b;
+use bls::SecretKey;
+use bls12_381_plus::{G1Projective, Scalar};
+use core::convert::TryFrom;
+use digest::Digest;
+use ff::Field;
+use group::Curve;
+use hmac_drbg::HmacDRBG;
+use serde::{Deserialize, Deserializer, Serialize, Serializer};
+use short_group_signatures_core::{error::Error, lib::*};
+use subtle::CtOption;
+use typenum::{marker_traits::NonZero, U64};
+
+/// A BBS+ blind signature
+/// structurally identical to `Signature` but is used to
+/// help with misuse and confusion.
+///
+/// 1 or more messages have been hidden by the signature recipient
+/// so the signer only knows a subset of the messages to be signed
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
+pub struct BlindSignature {
+    pub(crate) a: G1Projective,
+    pub(crate) e: Scalar,
+    pub(crate) s: Scalar,
+}
+
+impl Serialize for BlindSignature {
+    fn serialize<S>(&self, s: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        let sig = Signature {
+            a: self.a,
+            e: self.e,
+            s: self.s,
+        };
+        sig.serialize(s)
+    }
+}
+
+impl<'de> Deserialize<'de> for BlindSignature {
+    fn deserialize<D>(d: D) -> Result<BlindSignature, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let sig = Signature::deserialize(d)?;
+        Ok(Self {
+            a: sig.a,
+            e: sig.e,
+            s: sig.s,
+        })
+    }
+}
+
+impl BlindSignature {
+    /// The number of bytes in a signature
+    pub const BYTES: usize = 112;
+
+    /// Generate a blind signature where only a subset of messages are known to the signer
+    /// The rest are encoded as a commitment
+    pub fn new<N>(
+        commitment: Commitment,
+        sk: &SecretKey,
+        generators: &MessageGenerators<N>,
+        msgs: &[(usize, Message)],
+    ) -> Result<Self, Error>
+    where
+        N: ArrayLength<G1Projective> + NonZero,
+    {
+        if N::to_usize() < msgs.len() {
+            return Err(Error::new(1, "not enough message generators"));
+        }
+        if sk.0.is_zero() {
+            return Err(Error::new(2, "invalid secret key"));
+        }
+
+        let mut hasher = Blake2b::new();
+        hasher.update(generators.h0.to_affine().to_uncompressed());
+        for h in &generators.h {
+            hasher.update(h.to_affine().to_uncompressed());
+        }
+        for (_, m) in msgs.iter() {
+            hasher.update(m.to_bytes())
+        }
+        let nonce = hasher.finalize();
+        let mut drbg = HmacDRBG::<Blake2b>::new(&sk.to_bytes()[..], &nonce[..], &[]);
+        // Should yield non-zero values for `e` and `s`, very small likelihood of it being zero
+        let e = Scalar::from_bytes_wide(
+            &<[u8; 64]>::try_from(&drbg.generate::<U64>(Some(&[1u8]))[..]).unwrap(),
+        );
+        let s = Scalar::from_bytes_wide(
+            &<[u8; 64]>::try_from(&drbg.generate::<U64>(Some(&[2u8]))[..]).unwrap(),
+        );
+
+        // Can't go more than 128, but that's quite a bit
+        let mut points = [G1Projective::identity(); MAX_MSGS];
+        let mut scalars = [Scalar::one(); MAX_MSGS];
+
+        points[0] = commitment.0;
+        points[1] = G1Projective::generator();
+        points[2] = generators.h0;
+        scalars[2] = s;
+
+        let mut i = 3;
+        for (idx, m) in msgs.iter() {
+            points[i] = generators.h[*idx];
+            scalars[i] = m.0;
+            i += 1;
+        }
+
+        let b = G1Projective::sum_of_products(&points[..i], &scalars[..i]);
+        let exp = (e + sk.0).invert().unwrap();
+
+        Ok(Self { a: b * exp, e, s })
+    }
+
+    /// Once signature on committed attributes (blind signature) is received, the signature needs to be unblinded.
+    /// Takes the blinding factor used in the commitment.
+    pub fn to_unblinded(self, blinding: SignatureBlinding) -> Signature {
+        Signature {
+            a: self.a,
+            e: self.e,
+            s: self.s + blinding.0,
+        }
+    }
+
+    /// Get the byte representation of this signature
+    pub fn to_bytes(&self) -> [u8; Self::BYTES] {
+        let sig = Signature {
+            a: self.a,
+            e: self.e,
+            s: self.s,
+        };
+        sig.to_bytes()
+    }
+
+    /// Convert a byte sequence into a signature
+    pub fn from_bytes(data: &[u8; Self::BYTES]) -> CtOption<Self> {
+        Signature::from_bytes(data).map(|sig| Self {
+            a: sig.a,
+            e: sig.e,
+            s: sig.s,
+        })
+    }
+}

implementations/rust/ockam/ockam_signature_bbs/src/blind_signature_context.rs

@@ -0,0 +1,148 @@
+use crate::{Challenge, Commitment, MessageGenerators, Nonce, COMMITMENT_BYTES, FIELD_BYTES};
+use blake2::VarBlake2b;
+use bls12_381_plus::{G1Projective, Scalar};
+use core::convert::TryFrom;
+use digest::{Update, VariableOutput};
+use group::Curve;
+use short_group_signatures_core::{error::Error, lib::*};
+use subtle::ConstantTimeEq;
+use typenum::NonZero;
+
+/// Contains the data used for computing a blind signature and verifying
+/// proof of hidden messages from a prover
+#[derive(Debug, Clone)]
+pub struct BlindSignatureContext {
+    /// The blinded signature commitment
+    pub commitment: Commitment,
+    /// The challenge hash for the Fiat-Shamir heuristic
+    pub challenge: Challenge,
+    /// The proofs for the hidden messages
+    pub proofs: Vec<Challenge, U16>,
+}
+
+impl BlindSignatureContext {
+    /// Store the generators as a sequence of bytes
+    /// Each point is compressed to big-endian format
+    /// Needs (N + 1) * 32 + 48 * 2 space otherwise it will panic
+    pub fn to_bytes(&self, buffer: &mut [u8]) {
+        buffer[0..COMMITMENT_BYTES].copy_from_slice(&self.commitment.to_bytes());
+        let mut offset = COMMITMENT_BYTES;
+        let mut end = offset + FIELD_BYTES;
+
+        buffer[offset..end].copy_from_slice(&self.challenge.to_bytes());
+
+        offset = end;
+        end += FIELD_BYTES;
+
+        for i in 0..self.proofs.len() {
+            buffer[offset..end].copy_from_slice(&self.proofs[i].to_bytes());
+            offset = end;
+            end += FIELD_BYTES;
+        }
+    }
+
+    /// Convert a byte sequence into the blind signature context
+    /// Expected size is (N + 1) * 32 + 48 bytes
+    pub fn from_bytes<B: AsRef<[u8]>>(bytes: B) -> Option<Self> {
+        let size = FIELD_BYTES * 2 + COMMITMENT_BYTES;
+        let buffer = bytes.as_ref();
+        if buffer.len() < size {
+            return None;
+        }
+        if buffer.len() - COMMITMENT_BYTES % FIELD_BYTES != 0 {
+            return None;
+        }
+
+        let commitment =
+            Commitment::from_bytes(slicer!(buffer, 0, COMMITMENT_BYTES, COMMITMENT_BYTES));
+        if commitment.is_none().unwrap_u8() == 1 {
+            return None;
+        }
+        let mut offset = COMMITMENT_BYTES;
+        let mut end = COMMITMENT_BYTES + FIELD_BYTES;
+
+        let challenge = Challenge::from_bytes(slicer!(buffer, offset, end, FIELD_BYTES));
+        if challenge.is_none().unwrap_u8() == 1 {
+            return None;
+        }
+
+        let times = (buffer.len() - COMMITMENT_BYTES - FIELD_BYTES) / FIELD_BYTES;
+
+        offset = end;
+        end += FIELD_BYTES;
+
+        let mut proofs = Vec::<Challenge, U16>::new();
+        for _ in 0..times {
+            let p = Challenge::from_bytes(slicer!(buffer, offset, end, FIELD_BYTES));
+            if p.is_none().unwrap_u8() == 1 {
+                return None;
+            }
+            proofs.push(p.unwrap()).unwrap();
+            offset = end;
+            end += FIELD_BYTES;
+        }
+
+        Some(Self {
+            commitment: commitment.unwrap(),
+            challenge: challenge.unwrap(),
+            proofs,
+        })
+    }
+
+    /// Assumes the proof of hidden messages
+    /// If other proofs were included, those will need to be verified another way
+    pub fn verify<S>(
+        &self,
+        known_messages: &[usize],
+        generators: &MessageGenerators<S>,
+        nonce: Nonce,
+    ) -> Result<bool, Error>
+    where
+        S: ArrayLength<G1Projective> + NonZero,
+    {
+        let mut known = HashSet::new();
+        let mut points = Vec::<G1Projective, U32>::new();
+        for idx in known_messages {
+            if *idx >= S::to_usize() {
+                return Err(Error::new(1, "index out of bounds"));
+            }
+            known.insert(*idx);
+        }
+        for i in 0..S::to_usize() {
+            if !known.contains(&i) {
+                points
+                    .push(generators.h[i])
+                    .map_err(|_| Error::new((i + 1) as u32, "allocate more space"))?;
+            }
+        }
+        points
+            .push(generators.h0)
+            .map_err(|_| Error::new(S::to_u32(), "allocate more space"))?;
+        points
+            .push(self.commitment.0)
+            .map_err(|_| Error::new(S::to_u32(), "allocate more space"))?;
+
+        let mut scalars = self
+            .proofs
+            .iter()
+            .map(|p| p.0)
+            .collect::<Vec<Scalar, U32>>();
+        scalars
+            .push(self.challenge.0.neg())
+            .map_err(|_| Error::new(S::to_u32(), "allocate more space"))?;
+
+        let mut res = [0u8; COMMITMENT_BYTES];
+        let mut hasher = VarBlake2b::new(COMMITMENT_BYTES).unwrap();
+
+        let commitment = crate::util::sum_of_products(points.as_ref(), scalars.as_mut());
+        hasher.update(&commitment.to_affine().to_uncompressed());
+        hasher.update(&self.commitment.0.to_affine().to_uncompressed());
+        hasher.update(nonce.to_bytes());
+        hasher.finalize_variable(|out| {
+            res.copy_from_slice(out);
+        });
+        let challenge = Scalar::from_okm(&res);
+
+        Ok(self.challenge.0.ct_eq(&challenge).unwrap_u8() == 1)
+    }
+}