Use BLS12-318 curve and add multi_verify

Author: hwwhww

eth/utils/bls.py

@@ -4,8 +4,11 @@
     Tuple,
 )
 
+from eth_utils import (
+    big_endian_to_int,
+)
 
-from py_ecc.optimized_bn128 import (  # NOQA
+from py_ecc.optimized_bls12_381 import (  # NOQA
     G1,
     G2,
     Z1,
@@ -18,104 +21,128 @@
     FQ12,
     pairing,
     normalize,
-    field_modulus,
+    field_modulus as q,
     b,
     b2,
     is_on_curve,
     curve_order,
     final_exponentiate
 )
-from eth.utils.blake import blake
+from eth_hash.auto import keccak as hash
+
 
+G2_cofactor = 305502333931268344200999753193121504214466019254188142667664032982267604182971884026507427359259977847832272839041616661285803823378372096355777062779109  # noqa: E501
+qmod = q ** 2 - 1
+eighth_roots_of_unity = [
+    FQ2([1, 1]) ** ((qmod * k) // 8)
+    for k in range(8)
+]
 
-CACHE = {}  # type: Dict[bytes, Tuple[FQ2, FQ2, FQ2]]
-# 16th root of unity
-HEX_ROOT = FQ2([21573744529824266246521972077326577680729363968861965890554801909984373949499,
-                16854739155576650954933913186877292401521110422362946064090026408937773542853])
 
+#
+# Helpers
+#
+def modular_squareroot(value: int) -> int:
+    """
+    ``modular_squareroot(x)`` returns the value ``y`` such that ``y**2 % q == x``,
+    and None if this is not possible. In cases where there are two solutions,
+    the value with higher imaginary component is favored;
+    if both solutions have equal imaginary component the value with higher real
+    component is favored.
+    """
+    candidate_squareroot = value ** ((qmod + 8) // 16)
+    check = candidate_squareroot ** 2 / value
+    if check in eighth_roots_of_unity[::2]:
+        x1 = candidate_squareroot / eighth_roots_of_unity[eighth_roots_of_unity.index(check) // 2]
+        x2 = FQ2([-x1.coeffs[0], -x1.coeffs[1]])
+        # x2 = - x2
+        return x1 if (x1.coeffs[1], x1.coeffs[0]) > (x2.coeffs[1], x2.coeffs[0]) else x2
+    return None
+
+
+def hash_to_G2(message: bytes, domain: int) -> Tuple[FQ2, FQ2, FQ2]:
+    domain_in_bytes = domain.to_bytes(8, 'big')
+    x1 = big_endian_to_int(hash(domain_in_bytes + b'\x01' + message))
+    x2 = big_endian_to_int(hash(domain_in_bytes + b'\x02' + message))
+    x_coordinate = FQ2([x1, x2])  # x1 + x2 * i
+    while 1:
+        x_cubed_plus_b2 = x_coordinate ** 3 + FQ2([4, 4])
+        y_coordinate = modular_squareroot(x_cubed_plus_b2)
+        if y_coordinate is not None:
+            break
+        x_coordinate += FQ2([1, 0])  # Add one until we get a quadratic residue
 
-assert HEX_ROOT ** 8 != FQ2([1, 0])
-assert HEX_ROOT ** 16 == FQ2([1, 0])
+    return multiply(
+        (x_coordinate, y_coordinate, FQ2([1, 0])),
+        G2_cofactor
+    )
 
 
+#
+# G1
+#
 def compress_G1(pt: Tuple[FQ2, FQ2, FQ2]) -> int:
     x, y = normalize(pt)
-    return x.n + 2**255 * (y.n % 2)
+    return x.n + 2**383 * (y.n % 2)
 
 
 def decompress_G1(p: int) -> Tuple[FQ, FQ, FQ]:
     if p == 0:
         return (FQ(1), FQ(1), FQ(0))
-    x = p % 2**255
-    y_mod_2 = p // 2**255
-    y = pow((x**3 + b.n) % field_modulus, (field_modulus + 1) // 4, field_modulus)
-    assert pow(y, 2, field_modulus) == (x**3 + b.n) % field_modulus
+    x = p % 2**383
+    y_mod_2 = p // 2**383
+    y = pow((x**3 + b.n) % q, (q + 1) // 4, q)
+    assert pow(y, 2, q) == (x**3 + b.n) % q
     if y % 2 != y_mod_2:
-        y = field_modulus - y
+        y = q - y
     return (FQ(x), FQ(y), FQ(1))
 
 
-def sqrt_fq2(x: FQ2) -> FQ2:
-    y = x ** ((field_modulus ** 2 + 15) // 32)
-    while y**2 != x:
-        y *= HEX_ROOT
-    return y
-
-
-def hash_to_G2(m: bytes) -> Tuple[FQ2, FQ2, FQ2]:
-    """
-    WARNING: this function has not been standardized yet.
-    """
-    if m in CACHE:
-        return CACHE[m]
-    k2 = m
-    while 1:
-        k1 = blake(k2)
-        k2 = blake(k1)
-        x1 = int.from_bytes(k1, 'big') % field_modulus
-        x2 = int.from_bytes(k2, 'big') % field_modulus
-        x = FQ2([x1, x2])
-        xcb = x**3 + b2
-        if xcb ** ((field_modulus ** 2 - 1) // 2) == FQ2([1, 0]):
-            break
-    y = sqrt_fq2(xcb)
-    o = multiply((x, y, FQ2([1, 0])), 2 * field_modulus - curve_order)
-    CACHE[m] = o
-    return o
-
-
+#
+# G2
+#
 def compress_G2(pt: Tuple[FQ2, FQ2, FQ2]) -> Tuple[int, int]:
     assert is_on_curve(pt, b2)
     x, y = normalize(pt)
-    return (x.coeffs[0] + 2**255 * (y.coeffs[0] % 2), x.coeffs[1])
+    return (x.coeffs[0] + 2**383 * (y.coeffs[0] % 2), x.coeffs[1])
 
 
 def decompress_G2(p: bytes) -> Tuple[FQ2, FQ2, FQ2]:
-    x1 = p[0] % 2**255
-    y1_mod_2 = p[0] // 2**255
+    x1 = p[0] % 2**383
+    y1_mod_2 = p[0] // 2**383
     x2 = p[1]
     x = FQ2([x1, x2])
     if x == FQ2([0, 0]):
         return FQ2([1, 0]), FQ2([1, 0]), FQ2([0, 0])
-    y = sqrt_fq2(x**3 + b2)
+    y = modular_squareroot(x**3 + b2)
     if y.coeffs[0] % 2 != y1_mod_2:
         y = y * -1
-    assert is_on_curve((x, y, FQ2([1, 0])), b2)
+
     return x, y, FQ2([1, 0])
 
 
-def sign(m: bytes, k: int) -> Tuple[int, int]:
-    return compress_G2(multiply(hash_to_G2(m), k))
+#
+# APIs
+#
+def sign(message: bytes,
+         privkey: int,
+         domain: int) -> Tuple[int, int]:
+    return compress_G2(
+        multiply(
+            hash_to_G2(message, domain),
+            privkey
+        )
+    )
 
 
 def privtopub(k: int) -> int:
     return compress_G1(multiply(G1, k))
 
 
-def verify(m: bytes, pub: int, sig: bytes) -> bool:
+def verify(m: bytes, pub: int, sig: bytes, domain: int) -> bool:
     final_exponentiation = final_exponentiate(
         pairing(decompress_G2(sig), G1, False) *
-        pairing(hash_to_G2(m), neg(decompress_G1(pub)), False)
+        pairing(hash_to_G2(m, domain), neg(decompress_G1(pub)), False)
     )
     return final_exponentiation == FQ12.one()
 
@@ -132,3 +159,22 @@ def aggregate_pubs(pubs: Iterable[int]) -> int:
     for p in pubs:
         o = add(o, decompress_G1(p))
     return compress_G1(o)
+
+
+def multi_verify(pubs, msgs, sig, domain):
+    len_msgs = len(msgs)
+    assert len(pubs) == len_msgs
+
+    o = FQ12([1] + [0] * 11)
+    for m in set(msgs):
+        # aggregate the pubs
+        group_pub = Z1
+        for i in range(len_msgs):
+            if msgs[i] == m:
+                group_pub = add(group_pub, decompress_G1(pubs[i]))
+
+        o *= pairing(hash_to_G2(m, domain), group_pub, False)
+    o *= pairing(decompress_G2(sig), neg(G1), False)
+
+    final_exponentiation = final_exponentiate(o)
+    return final_exponentiation == FQ12.one()

setup.py

@@ -13,7 +13,7 @@
         "eth-utils>=1.3.0b0,<2.0.0",
         "lru-dict>=1.1.6",
         "mypy_extensions>=0.4.1,<1.0.0",
-        "py-ecc==1.4.3",
+        "py-ecc>=1.4.6,<2.0.0",
         "pyethash>=0.1.27,<1.0.0",
         "rlp>=1.0.3,<2.0.0",
         "trie>=1.3.5,<2.0.0",

tests/core/bls-utils/test_bls.py

@@ -1,6 +1,5 @@
 import pytest
 
-pytest.importorskip('eth.utils.bls')  # noqa E402
 from eth.utils.bls import (
     G1,
     G2,
@@ -15,15 +14,11 @@
     privtopub,
     aggregate_sigs,
     aggregate_pubs,
-    verify
-)
-
-from tests.core.helpers import (
-    greater_equal_python36,
+    verify,
+    multi_verify,
 )
 
 
-@greater_equal_python36
 @pytest.mark.parametrize(
     'privkey',
     [
@@ -37,19 +32,20 @@
     ]
 )
 def test_bls_core(privkey):
+    domain = 0
     p1 = multiply(G1, privkey)
     p2 = multiply(G2, privkey)
     msg = str(privkey).encode('utf-8')
-    msghash = hash_to_G2(msg)
+    msghash = hash_to_G2(msg, domain=domain)
+
     assert normalize(decompress_G1(compress_G1(p1))) == normalize(p1)
     assert normalize(decompress_G2(compress_G2(p2))) == normalize(p2)
     assert normalize(decompress_G2(compress_G2(msghash))) == normalize(msghash)
-    sig = sign(msg, privkey)
+    sig = sign(msg, privkey, domain=domain)
     pub = privtopub(privkey)
-    assert verify(msg, pub, sig)
+    assert verify(msg, pub, sig, domain=domain)
 
 
-@greater_equal_python36
 @pytest.mark.parametrize(
     'msg, privkeys',
     [
@@ -58,8 +54,40 @@ def test_bls_core(privkey):
     ]
 )
 def test_signature_aggregation(msg, privkeys):
-    sigs = [sign(msg, k) for k in privkeys]
+    domain = 0
+    sigs = [sign(msg, k, domain=domain) for k in privkeys]
     pubs = [privtopub(k) for k in privkeys]
     aggsig = aggregate_sigs(sigs)
     aggpub = aggregate_pubs(pubs)
-    assert verify(msg, aggpub, aggsig)
+    assert verify(msg, aggpub, aggsig, domain=domain)
+
+
+@pytest.mark.parametrize(
+    'msg_1, msg_2, privkeys',
+    [
+        (b'cow', b'wow', [1, 5, 124, 735, 127409812145, 90768492698215092512159, 0]),
+    ]
+)
+def test_multi_aggregation(msg_1, msg_2, privkeys):
+    domain = 0
+    sigs_1 = [sign(msg_1, k, domain=domain) for k in privkeys]
+
+    pubs_1 = [privtopub(k) for k in privkeys]
+    aggsig_1 = aggregate_sigs(sigs_1)
+    aggpub_1 = aggregate_pubs(pubs_1)
+
+    sigs_2 = [sign(msg_2, k, domain=domain) for k in privkeys]
+    pubs_2 = [privtopub(k) for k in privkeys]
+    aggsig_2 = aggregate_sigs(sigs_2)
+    aggpub_2 = aggregate_pubs(pubs_2)
+
+    msgs = [msg_1, msg_2]
+    pubs = [aggpub_1, aggpub_2]
+    aggsig = aggregate_sigs([aggsig_1, aggsig_2])
+
+    assert multi_verify(
+        pubs=pubs,
+        msgs=msgs,
+        sig=aggsig,
+        domain=domain,
+    )