Added file structure for Schnorr signature module.

Author: damrobi

mithril-stm/Cargo.toml

@@ -14,11 +14,12 @@ include = ["**/*.rs", "Cargo.toml", "README.md", ".gitignore"]
 crate-type = ["lib", "cdylib", "staticlib"]
 
 [features]
-default = ["rug-backend"]
+default = ["rug-backend", "future_snark"]
 rug-backend = ["rug/default"]
 num-integer-backend = ["num-bigint", "num-rational", "num-traits"]
 benchmark-internals = [] # For benchmarking multi_sig
 future_proof_system = [] # For activating future proof systems
+future_snark = [] # For activating snark features
 
 [dependencies]
 blake2 = "0.10.6"

mithril-stm/src/lib.rs

@@ -118,6 +118,8 @@ mod merkle_tree;
 mod parameters;
 mod participant;
 mod single_signature;
+#[cfg(feature = "future_snark")]
+mod schnorr_signatures;
 
 pub use aggregate_signature::{
     AggregateSignature, AggregateSignatureType, AggregateVerificationKey, BasicVerifier, Clerk,

mithril-stm/src/schnorr_signatures/helper.rs

@@ -0,0 +1,63 @@
+use midnight_circuits::{
+    ecc::{
+        hash_to_curve::HashToCurveGadget,
+        native::EccChip,
+    },
+    hash::poseidon::PoseidonChip,
+    instructions::{
+        HashToCurveCPU,
+        hash::HashCPU,
+    },
+    types::AssignedNative,
+};
+
+pub use midnight_curves::{
+    Bls12, EDWARDS_D, Fq as JubjubBase, Fq as BlsScalar, Fr as JubjubScalar,
+    G1Affine as BlstG1Affine, G1Projective as BlstG1, G2Affine as BlstG2Affine, JubjubAffine,
+    JubjubExtended as Jubjub, JubjubExtended, JubjubSubgroup, MODULUS,
+};
+
+
+
+use ff::Field;
+use group::Group;
+use rand_core::{CryptoRng, RngCore};
+use subtle::{Choice, ConstantTimeEq};
+use thiserror::Error;
+
+// use crate::schnorr_signatures::{get_coordinates, jubjub_base_to_scalar, is_on_curve};
+
+
+
+pub fn get_coordinates(point: JubjubSubgroup) -> (JubjubBase, JubjubBase) {
+    let extended: JubjubExtended = point.into(); // Convert to JubjubExtended
+    let affine: JubjubAffine = extended.into(); // Convert to JubjubAffine (affine coordinates)
+    let x = affine.get_u(); // Get x-coordinate
+    let y = affine.get_v(); // Get y-coordinate
+    (x, y)
+}
+
+pub fn jubjub_base_to_scalar(x: JubjubBase) -> JubjubScalar {
+    let bytes = x.to_bytes_le();
+    JubjubScalar::from_raw([
+        u64::from_le_bytes(bytes[0..8].try_into().unwrap()),
+        u64::from_le_bytes(bytes[8..16].try_into().unwrap()),
+        u64::from_le_bytes(bytes[16..24].try_into().unwrap()),
+        u64::from_le_bytes(bytes[24..32].try_into().unwrap()),
+    ])
+}
+
+
+pub fn is_on_curve(u: JubjubBase, v: JubjubBase) -> Choice {
+    let u2 = u.square();
+    let v2 = v.square();
+
+    // Left-hand side: v² - u²
+    let lhs = v2 - u2;
+
+    // Right-hand side: 1 + EDWARDS_D * (u² * v²)
+    let rhs = JubjubBase::ONE + EDWARDS_D * u2 * v2;
+
+    // Compare in constant time
+    lhs.ct_eq(&rhs)
+}

mithril-stm/src/schnorr_signatures/mod.rs

@@ -0,0 +1,116 @@
+pub use midnight_curves::{
+    Bls12, EDWARDS_D, Fq as JubjubBase, Fq as BlsScalar, Fr as JubjubScalar,
+    G1Affine as BlstG1Affine, G1Projective as BlstG1, G2Affine as BlstG2Affine, JubjubAffine,
+    JubjubExtended as Jubjub, JubjubExtended, JubjubSubgroup, MODULUS,
+};
+
+use midnight_circuits::{
+    ecc::{
+        hash_to_curve::HashToCurveGadget,
+        native::EccChip,
+    },
+    hash::poseidon::PoseidonChip,
+    instructions::{
+        HashToCurveCPU,
+        hash::HashCPU,
+    },
+    types::AssignedNative,
+};
+
+use ff::{Field};
+use group::Group;
+
+use subtle::{Choice, ConstantTimeEq};
+use thiserror::Error;
+
+pub mod helper;
+mod signature;
+mod signing_key;
+mod verification_key;
+
+pub use signature::*;
+pub use signing_key::*;
+pub use verification_key::*;
+
+
+
+type JubjubHashToCurve = HashToCurveGadget<
+    JubjubBase,
+    Jubjub,
+    AssignedNative<JubjubBase>,
+    PoseidonChip<JubjubBase>,
+    EccChip<Jubjub>,
+>;
+
+type PoseidonHash = PoseidonChip<JubjubBase>;
+
+pub const DST_SIGNATURE: JubjubBase = JubjubBase::from_raw([2u64, 0, 0, 0]);
+
+
+#[derive(Debug, Error)]
+pub enum SignatureError {
+    #[error("Verification failed: Signature is invalid.")]
+    VerificationFailed,
+    /// This error occurs when the serialization of the raw bytes failed
+    #[error("Invalid bytes")]
+    SerializationError,
+}
+
+
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use rand_core::OsRng;
+
+    /// Test signing functionality.
+    #[test]
+    fn test_signature_verification_valid() {
+        let mut rng = OsRng;
+        let sk = SigningKey::generate(&mut rng);
+        let msg = JubjubBase::random(&mut rng);
+
+        // Sign the message
+        let signature = sk.sign(msg, &mut rng);
+
+        // Ensure the components of the signature are non-default values
+        assert_ne!(
+            signature.sigma,
+            JubjubSubgroup::identity(),
+            "Signature sigma should not be the identity element."
+        );
+        assert_ne!(
+            signature.s,
+            JubjubScalar::ZERO,
+            "Signature s component should not be zero."
+        );
+        assert_ne!(
+            signature.c,
+            JubjubBase::ZERO,
+            "Signature c component should not be zero."
+        );
+
+        signature.verify(msg, &VerificationKey::from(&sk)).unwrap();
+    }
+
+    #[test]
+    fn test_signature_verification_invalid_signature() {
+        let mut rng = OsRng;
+        let sk = SigningKey::generate(&mut rng);
+        let msg = JubjubBase::random(&mut rng);
+        let vk: VerificationKey = (&sk).into();
+
+        // Generate signature and tamper with it
+        let mut signature = sk.sign(msg, &mut rng);
+        signature.s = JubjubScalar::random(&mut rng); // Modify `s` component
+
+        // Verify the modified signature
+        let result = signature.verify(msg, &vk);
+        assert!(
+            result.is_err(),
+            "Invalid signature should fail verification, but it passed."
+        );
+    }
+
+}

mithril-stm/src/schnorr_signatures/signature.rs

@@ -0,0 +1,70 @@
+
+use midnight_circuits::{
+    instructions::{
+        HashToCurveCPU,
+        hash::HashCPU,
+    },
+};
+
+pub use midnight_curves::{Fq as JubjubBase, Fr as JubjubScalar,
+    JubjubSubgroup,
+};
+
+
+use group::Group;
+
+use crate::schnorr_signatures::helper::{get_coordinates, jubjub_base_to_scalar, is_on_curve};
+use crate::schnorr_signatures::verification_key::*;
+use crate::schnorr_signatures::{JubjubHashToCurve, SignatureError, PoseidonHash, DST_SIGNATURE};
+
+
+
+/// Schnorr signature including the value sigma used for the lottery
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct SchnorrSignature {
+    pub sigma: JubjubSubgroup,
+    pub s: JubjubScalar,
+    pub c: JubjubBase,
+}
+
+impl SchnorrSignature {
+    /// Verify a signature against a verification key.
+    pub fn verify(&self, msg: JubjubBase, vk: &VerificationKey) -> Result<(), SignatureError> {
+        let g = JubjubSubgroup::generator();
+        let hash = JubjubHashToCurve::hash_to_curve(&[msg]);
+        let c_scalar = jubjub_base_to_scalar(self.c);
+
+        let (hx, hy) = get_coordinates(hash);
+        let (vk_x, vk_y) = get_coordinates(vk.0);
+        let (sigma_x, sigma_y) = get_coordinates(self.sigma);
+        let cap_r_1_prime = &hash * &self.s + &self.sigma * &c_scalar;
+        let cap_r_2_prime = &g * &self.s + &vk.0 * &c_scalar;
+        let (cap_r_1_x_prime, cap_r_1_y_prime) = get_coordinates(cap_r_1_prime);
+        let (cap_r_2_x_prime, cap_r_2_y_prime) = get_coordinates(cap_r_2_prime);
+        let c_prime = PoseidonHash::hash(&[
+            DST_SIGNATURE,
+            hx,
+            hy,
+            vk_x,
+            vk_y,
+            sigma_x,
+            sigma_y,
+            cap_r_1_x_prime,
+            cap_r_1_y_prime,
+            cap_r_2_x_prime,
+            cap_r_2_y_prime,
+        ]);
+
+        if c_prime != self.c {
+            return Err(SignatureError::VerificationFailed);
+        }
+
+        Ok(())
+    }
+
+    pub fn sigma(&self) -> (JubjubBase, JubjubBase) {
+        let (x, y) = get_coordinates(self.sigma);
+        (x, y)
+    }
+}
+

mithril-stm/src/schnorr_signatures/signing_key.rs

@@ -0,0 +1,83 @@
+
+pub use midnight_curves::{Fq as JubjubBase, Fr as JubjubScalar,
+    JubjubExtended as Jubjub, JubjubExtended, JubjubSubgroup,
+};
+use midnight_circuits::{
+    instructions::{
+        HashToCurveCPU,
+        hash::HashCPU,
+    },
+};
+
+use ff::Field;
+use group::Group;
+use rand_core::{CryptoRng, RngCore};
+use thiserror::Error;
+
+use crate::schnorr_signatures::helper::{get_coordinates, jubjub_base_to_scalar, is_on_curve};
+use crate::schnorr_signatures::verification_key::*;
+use crate::schnorr_signatures::signature::*;
+
+use crate::schnorr_signatures::{JubjubHashToCurve, SignatureError, PoseidonHash, DST_SIGNATURE};
+
+
+
+/// The signing key is a scalar from the Jubjub scalar field
+#[derive(Debug, Clone)]
+pub struct SigningKey(JubjubScalar);
+
+/// Implementation of the Schnorr signature scheme using the Jubjub curve
+impl SigningKey {
+    pub fn generate(rng: &mut (impl RngCore + CryptoRng)) -> Self {
+        let sk = JubjubScalar::random(rng);
+        SigningKey(sk)
+    }
+
+    /// A slightly modified version of the regular Schnorr signature (I think)
+    /// We include the computation of sigma, a value depending only on the msg 
+    /// and the secret key as it is used for the lottery process
+    pub fn sign(&self, msg: JubjubBase, rng: &mut (impl RngCore + CryptoRng)) -> SchnorrSignature {
+        let g = JubjubSubgroup::generator();
+        let vk = &g * &self.0;
+
+        let hash = JubjubHashToCurve::hash_to_curve(&[msg]);
+        let sigma = &hash * &self.0;
+        let r = JubjubScalar::random(rng);
+        let cap_r_1 = &hash * &r;
+        let cap_r_2 = &g * &r;
+
+        let (hx, hy) = get_coordinates(hash);
+        let (vk_x, vk_y) = get_coordinates(vk);
+        let (sigma_x, sigma_y) = get_coordinates(sigma);
+        let (cap_r_1_x, cap_r_1_y) = get_coordinates(cap_r_1);
+        let (cap_r_2_x, cap_r_2_y) = get_coordinates(cap_r_2);
+
+        let c = PoseidonHash::hash(&[
+            DST_SIGNATURE,
+            hx,
+            hy,
+            vk_x,
+            vk_y,
+            sigma_x,
+            sigma_y,
+            cap_r_1_x,
+            cap_r_1_y,
+            cap_r_2_x,
+            cap_r_2_y,
+        ]);
+        let c_scalar = jubjub_base_to_scalar(c);
+        let s = r - self.0 * c_scalar;
+
+        SchnorrSignature { sigma, s, c }
+    }
+
+}
+
+
+impl From<&SigningKey> for VerificationKey {
+    fn from(sk: &SigningKey) -> Self {
+        let g = JubjubSubgroup::generator();
+        let vk = &g * &sk.0;
+        VerificationKey(vk)
+    }
+}