bls12-381 0.2.2 → 0.3.0

data/lib/bls/h2c.rb

@@ -0,0 +1,114 @@
+module BLS
+  module H2C
+
+    LENGTH = 64
+
+    module_function
+
+    # @param [String] message hash value with hex format.
+    # @param [Integer] len_in_bytes length
+    # @return [Array[Integer]] byte array.
+    # @raise BLS::Error
+    def expand_message_xmd(message, len_in_bytes)
+      b_in_bytes = BigDecimal(SHA256_DIGEST_SIZE)
+      r_in_bytes = b_in_bytes * 2
+      ell = (BigDecimal(len_in_bytes) / b_in_bytes).ceil
+      raise BLS::Error, 'Invalid xmd length' if ell > 255
+
+      dst_prime = PointG2::DST_BASIC.bytes + BLS.i2osp(PointG2::DST_BASIC.bytesize, 1)
+      z_pad = BLS.i2osp(0, r_in_bytes)
+      l_i_b_str = BLS.i2osp(len_in_bytes, 2)
+      b = Array.new(ell)
+      payload = z_pad + [message].pack('H*').bytes + l_i_b_str + BLS.i2osp(0, 1) + dst_prime
+      b_0 = Digest::SHA256.digest(payload.pack('C*'))
+      b[0] = Digest::SHA256.digest((b_0.bytes + BLS.i2osp(1, 1) + dst_prime).pack('C*'))
+      (1..ell).each do |i|
+        args = BLS.bin_xor(b_0, b[i - 1]).bytes + BLS.i2osp(i + 1, 1) + dst_prime
+        b[i] = Digest::SHA256.digest(args.pack('C*'))
+      end
+      b.map(&:bytes).flatten[0...len_in_bytes]
+    end
+
+    module G2
+      module_function
+
+      # Convert hash to Field.
+      # @param [String] message hash value with hex format.
+      # @return [Array[Integer]] byte array.
+      def hash_to_field(message, random_oracle: true)
+        degree = 2
+        count = random_oracle ? 2 : 1
+        len_in_bytes = count * degree * LENGTH
+        pseudo_random_bytes = BLS::H2C.expand_message_xmd(message, len_in_bytes)
+        u = Array.new(count)
+        count.times do |i|
+          e = Array.new(degree)
+          degree.times do |j|
+            elm_offset = LENGTH * (j + i * degree)
+            tv = pseudo_random_bytes[elm_offset...(elm_offset + LENGTH)]
+            e[j] = BLS.mod(BLS.os2ip(tv), Curve::P)
+          end
+          u[i] = e
+        end
+        u
+      end
+
+      # Optimized SWU Map - Fp2 to G2': y^2 = x^3 + 240i * x + 1012 + 1012i
+      def map_to_curve_sswu(t)
+        iso_3_a = Fp2.new([0, 240])
+        iso_3_b = Fp2.new([1012, 1012])
+        iso_3_z = Fp2.new([-2, -1])
+        t = Fp2.new(t) if t.is_a?(Array)
+        t2 = t**2
+        iso_3_z_t2 = iso_3_z * t2
+        ztzt = iso_3_z_t2 + iso_3_z_t2**2
+        denominator = (iso_3_a * ztzt).negate
+        numerator = iso_3_b * (ztzt + Fp2::ONE)
+        denominator = iso_3_z * iso_3_a if denominator.zero?
+        v = denominator**3
+        u = numerator**3 + iso_3_a * numerator * denominator**2 + iso_3_b * v
+        success, sqrt_candidate_or_gamma = BLS.sqrt_div_fp2(u, v)
+        y = success ? sqrt_candidate_or_gamma : nil
+        sqrt_candidate_x1 = sqrt_candidate_or_gamma * t**3
+        u = iso_3_z_t2**3 * u
+        success2 = false
+        Fp2::ETAS.each do |eta|
+          eta_sqrt_candidate = eta * sqrt_candidate_x1
+          temp = eta_sqrt_candidate**2 * v - u
+          if temp.zero? && !success && !success2
+            y = eta_sqrt_candidate
+            success2 = true
+          end
+        end
+        raise BLS::PointError, 'Hash to Curve - Optimized SWU failure' if !success && !success2
+
+        numerator *= iso_3_z_t2 if success2
+        y = y.negate if BLS.sgn0(t) != BLS.sgn0(y)
+        y *= denominator
+        [numerator, y, denominator]
+      end
+
+      # 3-isogeny map from E' to E
+      # Converts from Jacobi (xyz) to Projective (xyz) coordinates.
+      def isogeny_map(x, y, z)
+        mapped = Array.new(4, Fp2::ZERO)
+        z_powers = [z, z**2, z**3]
+        ISOGENY_COEFFICIENTS.each.with_index do |k, i|
+          mapped[i] = k[-1]
+          arr = k[0...-1].reverse
+          arr.each.with_index do |a, j|
+            mapped[i] = mapped[i] * x + z_powers[j] * a
+          end
+        end
+        mapped[2] *= y
+        mapped[3] *= z
+        z2 = mapped[1] * mapped[3]
+        x2 = mapped[0] * mapped[3]
+        y2 = mapped[1] * mapped[2]
+        [x2, y2, z2]
+      end
+
+    end
+
+  end
+end

data/lib/bls/math.rb

@@ -25,7 +25,7 @@ module BLS
 
   # Convert byte to non-negative integer.
   # @param [Array[Integer]] bytes byte array.
-  # @return [Array[Integer]] byte array.
+  # @return [Integer] Integer.
   def os2ip(bytes)
     res = 0
     bytes.each do |b|
@@ -66,71 +66,14 @@ module BLS
     res.pack('C*')
   end
 
-  # Optimized SWU Map - FQ2 to G2': y^2 = x^3 + 240i * x + 1012 + 1012i
-  def map_to_curve_sswu_g2(t)
-    iso_3_a = Fq2.new([0, 240])
-    iso_3_b = Fq2.new([1012, 1012])
-    iso_3_z = Fq2.new([-2, -1])
-    t = Fq2.new(t) if t.is_a?(Array)
-    t2 = t**2
-    iso_3_z_t2 = iso_3_z * t2
-    ztzt = iso_3_z_t2 + iso_3_z_t2**2
-    denominator = (iso_3_a * ztzt).negate
-    numerator = iso_3_b * (ztzt + Fq2::ONE)
-    denominator = iso_3_z * iso_3_a if denominator.zero?
-    v = denominator**3
-    u = numerator**3 + iso_3_a * numerator * denominator**2 + iso_3_b * v
-    success, sqrt_candidate_or_gamma = BLS.sqrt_div_fq2(u, v)
-    y = success ? sqrt_candidate_or_gamma : nil
-    sqrt_candidate_x1 = sqrt_candidate_or_gamma * t**3
-    u = iso_3_z_t2**3 * u
-    success2 = false
-    Fq2::ETAS.each do |eta|
-      eta_sqrt_candidate = eta * sqrt_candidate_x1
-      temp = eta_sqrt_candidate**2 * v - u
-      if temp.zero? && !success && !success2
-        y = eta_sqrt_candidate
-        success2 = true
-      end
-    end
-    raise BLS::PointError, 'Hash to Curve - Optimized SWU failure' if !success && !success2
-
-    numerator *= iso_3_z_t2 if success2
-    y = y.negate if BLS.sgn0(t) != BLS.sgn0(y)
-    y *= denominator
-    [numerator, y, denominator]
-  end
-
-  # 3-isogeny map from E' to E
-  # Converts from Jacobi (xyz) to Projective (xyz) coordinates.
-  def isogeny_map_g2(x, y, z)
-    mapped = Array.new(4, Fq2::ZERO)
-    z_powers = [z, z**2, z**3]
-    ISOGENY_COEFFICIENTS.each.with_index do |k, i|
-      mapped[i] = k[-1]
-      arr = k[0...-1].reverse
-      arr.each.with_index do |a, j|
-        mapped[i] = mapped[i] * x + z_powers[j] * a
-      end
-    end
-    mapped[2] *= y
-    mapped[3] *= z
-    z2 = mapped[1] * mapped[3]
-    x2 = mapped[0] * mapped[3]
-    y2 = mapped[1] * mapped[2]
-    [x2, y2, z2]
-  end
-
   # Normalize private key.
   # @param [String|Integer] private_key a private key with hex or number.
-  # @return [BLS::Fq] private key field.
+  # @return [BLS::Fr] Normalized private key.
   # @raise [BLS::Error] Occur when the private key is zero.
   def normalize_priv_key(private_key)
     k = private_key.is_a?(String) ? private_key.to_i(16) : private_key
-    fq = Fq.new(k)
-    raise BLS::Error, 'Private key cannot be 0' if fq.zero?
-
-    fq
+    raise BLS::Error, "Private key must be 0 < private_key < #{Fr::ORDER}" if k <= 0
+    Fr.new(k)
   end
 
   # Convert number to +byte_length+ bytes hex string.

data/lib/bls/pairing.rb

@@ -6,7 +6,7 @@ module BLS
   # @param [BLS::PointG1] p
   # @param [BLS::PointG2] q
   # @param [Boolean] with_final_exp
-  # @return [BLS::Fq12]
+  # @return [BLS::Fp12]
   # @raise [BLS::PairingError] Occur when p.zero? or q.zero?
   # @raise [ArgumentError]
   def pairing(p, q, with_final_exp: true)

data/lib/bls/point/g1.rb

@@ -0,0 +1,105 @@
+module BLS
+  class PointG1 < BLS::ProjectivePoint
+
+    DST_BASIC = 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_'
+
+    KEY_SIZE_COMPRESSED = 48
+    KEY_SIZE_UNCOMPRESSED = 96
+
+    BASE = PointG1.new(Fp.new(Curve::G_X), Fp.new(Curve::G_Y), Fp::ONE)
+    ZERO = PointG1.new(Fp::ONE, Fp::ONE, Fp::ZERO)
+    MAX_BITS = Fp::MAX_BITS
+
+    # Parse PointG1 from form hex.
+    # @param [String] hex hex value of PointG1.
+    # @return [PointG1]
+    # @raise [BLS::PointError] Occurs when hex length does not match, or point does not on G1.
+    def self.from_hex(hex)
+      bytes = [hex].pack('H*')
+      point = case bytes.bytesize
+              when KEY_SIZE_COMPRESSED
+                compressed_value = hex.to_i(16)
+                b_flag = BLS.mod(compressed_value, POW_2_383) / POW_2_382
+                return ZERO if b_flag == 1
+
+                x = BLS.mod(compressed_value, POW_2_381)
+                full_y = BLS.mod(x**3 + Fp.new(Curve::B).value, Curve::P)
+                y = BLS.pow_mod(full_y, (Curve::P + 1) / 4, Curve::P)
+                raise PointError, 'The given point is not on G1: y**2 = x**3 + b.' unless (BLS.pow_mod(y, 2, Curve::P) - full_y).zero?
+
+                a_flag = BLS.mod(compressed_value, POW_2_382) / POW_2_381
+                y = Curve::P - y unless ((y * 2) / Curve::P) == a_flag
+                PointG1.new(Fp.new(x), Fp.new(y), Fp::ONE)
+              when KEY_SIZE_UNCOMPRESSED
+                return ZERO unless (bytes[0].unpack1('H*').to_i(16) & (1 << 6)).zero?
+
+                x = bytes[0...PUBLIC_KEY_LENGTH].unpack1('H*').to_i(16)
+                y = bytes[PUBLIC_KEY_LENGTH..-1].unpack1('H*').to_i(16)
+                PointG1.new(Fp.new(x), Fp.new(y), Fp::ONE)
+              else
+                raise PointError, 'Invalid point G1, expected 48 or 96 bytes.'
+              end
+      point.validate!
+      point
+    end
+
+    def to_hex(compressed: false)
+      if compressed
+        if self == PointG1::ZERO
+          hex = POW_2_383 + POW_2_382
+        else
+          x, y = to_affine
+          flag = (y.value * 2) / Curve::P
+          hex = x.value + flag * POW_2_381 + POW_2_383
+        end
+        BLS.num_to_hex(hex, PUBLIC_KEY_LENGTH)
+      else
+        if self == PointG1::ZERO
+          (1 << 6).to_s(16) + '00' * (2 * PUBLIC_KEY_LENGTH - 1)
+        else
+          x, y = to_affine
+          BLS.num_to_hex(x.value, PUBLIC_KEY_LENGTH) + BLS.num_to_hex(y.value, PUBLIC_KEY_LENGTH)
+        end
+      end
+    end
+
+    # Parse Point from private key.
+    # @param [String|Integer] private_key a private key with hex or number.
+    # @return [PointG1] G1Point corresponding to private keys.
+    # @raise [BLS::Error] Occur when the private key is zero.
+    def self.from_private_key(private_key)
+      BASE * BLS.normalize_priv_key(private_key)
+    end
+
+    # Convert hash to PointG1
+    # @param [String] message a hash with hex format.
+    # @return [BLS::PointG1] point.
+    # @raise [BLS::PointError]
+    def self.hash_to_curve(message)
+      raise PointError, 'expected hex string' unless message[/^[a-fA-F0-9]*$/]
+
+      h2c = ::H2C.get(::H2C::Suite::BLS12381G1_XMDSHA256_SWU_RO_, PointG1::DST_BASIC)
+      p = h2c.digest([message].pack('H*'))
+
+      PointG1.new(Fp.new(p.x), Fp.new(p.y), Fp::ONE)
+    end
+
+    # Validate this point whether on curve over Fp.
+    # @raise [PointError] Occur when this point not on curve over Fp.
+    def validate!
+      b = Fp.new(Curve::B)
+      return if zero?
+
+      left = y.pow(2) * z - x.pow(3)
+      right = b * z.pow(3)
+      raise PointError, 'Invalid point: not on curve over Fp' unless left == right
+    end
+
+    # Sparse multiplication against precomputed coefficients.
+    # @param [PointG2] p
+    def miller_loop(p)
+      BLS.miller_loop(p.pairing_precomputes, to_affine)
+    end
+  end
+
+end

data/lib/bls/point/g2.rb

@@ -0,0 +1,188 @@
+module BLS
+  class PointG2 < BLS::ProjectivePoint
+
+    attr_accessor :precomputes
+
+    DST_BASIC = 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_'
+
+    KEY_SIZE_COMPRESSED = 96
+    KEY_SIZE_UNCOMPRESSED = 192
+
+    MAX_BITS = Fp2::MAX_BITS
+    BASE = PointG2.new(Fp2.new(Curve::G2_X), Fp2.new(Curve::G2_Y), Fp2::ONE)
+    ZERO = PointG2.new(Fp2::ONE, Fp2::ONE, Fp2::ZERO)
+
+    # Parse PointG2 from form hex.
+    # https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-07#section-appendix.c
+    # @param [String] hex hex value of PointG2. Currently, only uncompressed formats(196 bytes) are supported.
+    # @return [BLS::PointG2] PointG2.
+    # @raise [BLS::PointError]
+    def self.from_hex(hex)
+      bytes = [hex].pack('H*')
+      m_byte = bytes[0].unpack1('C')& 0xe0
+      if [0x20, 0x60, 0xe0].include?(m_byte)
+        raise PointError, "Invalid encoding flag: #{m_byte.to_s(16)}"
+      end
+
+      c_bit = m_byte & POINT_COMPRESSION_FLAG # compression flag
+      i_bit = m_byte & POINT_INFINITY_FLAG # infinity flag
+      s_bit = m_byte & POINT_Y_FLAG # y coordinate sign flag
+      bytes[0] = [bytes[0].unpack1('C') & 0x1f].pack('C') # set flag to 0
+
+      if i_bit == POINT_INFINITY_FLAG && bytes.unpack1('H*').to_i(16) > 0
+        raise PointError, 'Invalid point, infinity point should be all 0.'
+      end
+
+      point = if bytes.bytesize == KEY_SIZE_COMPRESSED && c_bit == POINT_COMPRESSION_FLAG # compress format
+                return ZERO if i_bit == POINT_INFINITY_FLAG
+                x1 = bytes[0...PUBLIC_KEY_LENGTH].unpack1('H*').to_i(16)
+                x0 = bytes[PUBLIC_KEY_LENGTH...(2 * PUBLIC_KEY_LENGTH)].unpack1('H*').to_i(16)
+                x = Fp2.new([x0, x1])
+                right = x ** 3 + Fp2.new(Curve::B2)
+                y = right.sqrt
+                raise PointError, 'Invalid compressed G2 point' unless y
+                bit_y = if y.coeffs[1].value == 0
+                          (y.coeffs[0].value * 2) / Curve::P
+                        else
+                          (y.coeffs[1].value * 2) / Curve::P == 1 ? 1 : 0
+                        end
+                y = s_bit > 0 && bit_y > 0 ? y : y.negate
+                PointG2.new(x, y, Fp2::ONE)
+              elsif bytes.bytesize == KEY_SIZE_UNCOMPRESSED && c_bit != POINT_COMPRESSION_FLAG # uncompressed format
+                return ZERO if i_bit == POINT_INFINITY_FLAG
+                x1 = bytes[0...PUBLIC_KEY_LENGTH].unpack1('H*').to_i(16)
+                x0 = bytes[PUBLIC_KEY_LENGTH...(2 * PUBLIC_KEY_LENGTH)].unpack1('H*').to_i(16)
+                y1 = bytes[(2 * PUBLIC_KEY_LENGTH)...(3 * PUBLIC_KEY_LENGTH)].unpack1('H*').to_i(16)
+                y0 = bytes[(3 * PUBLIC_KEY_LENGTH)..-1].unpack1('H*').to_i(16)
+                PointG2.new(Fp2.new([x0, x1]), Fp2.new([y0, y1]), Fp2::ONE)
+              else
+                raise PointError, 'Invalid point G2, expected 96/192 bytes.'
+              end
+      point.validate!
+      point
+    end
+
+    # Parse Point from private key.
+    # @param [String|Integer] private_key a private key with hex or number.
+    # @return [PointG1] G1Point corresponding to private keys.
+    # @raise [BLS::Error] Occur when the private key is zero.
+    def self.from_private_key(private_key)
+      BASE * BLS.normalize_priv_key(private_key)
+    end
+
+    # Convert hash to PointG2
+    # @param [String] message a hash with hex format.
+    # @return [BLS::PointG2] point.
+    # @raise [BLS::PointError]
+    def self.hash_to_curve(message)
+      raise PointError, 'expected hex string' unless message[/^[a-fA-F0-9]*$/]
+
+      u = BLS::H2C::G2.hash_to_field(message)
+      q0 = PointG2.new(*BLS::H2C::G2.isogeny_map(*BLS::H2C::G2.map_to_curve_sswu(u[0])))
+      q1 = PointG2.new(*BLS::H2C::G2.isogeny_map(*BLS::H2C::G2.map_to_curve_sswu(u[1])))
+      r = q0 + q1
+      clear_cofactor(r)
+    end
+
+    # Serialize pont as hex value.
+    # @param [Boolean] compressed whether to compress the point.
+    # @return [String] hex value of point.
+    def to_hex(compressed: false)
+      if compressed
+        if zero?
+          x1 = POW_2_383 + POW_2_382
+          x0= 0
+        else
+          x, y = to_affine
+          flag = if y.coeffs[1].value == 0
+                   (y.coeffs[0].value * 2) / Curve::P
+                 else
+                   ((y.coeffs[1].value * 2) / Curve::P).zero? ? 0 : 1
+                 end
+          x1 = x.coeffs[1].value + flag * POW_2_381 + POW_2_383
+          x0 = x.coeffs[0].value
+        end
+        BLS.num_to_hex(x1, PUBLIC_KEY_LENGTH) + BLS.num_to_hex(x0, PUBLIC_KEY_LENGTH)
+      else
+        if self == PointG2::ZERO
+          (1 << 6).to_s(16) + '00' * (4 * PUBLIC_KEY_LENGTH - 1)
+        else
+          validate!
+          x, y = to_affine.map(&:values)
+          BLS.num_to_hex(x[1], PUBLIC_KEY_LENGTH) +
+            BLS.num_to_hex(x[0], PUBLIC_KEY_LENGTH) +
+            BLS.num_to_hex(y[1], PUBLIC_KEY_LENGTH) +
+            BLS.num_to_hex(y[0], PUBLIC_KEY_LENGTH)
+        end
+      end
+    end
+
+    # Convert to signature with hex format.
+    # @return [String] signature with hex format.
+    # @deprecated Use {#to_hex} instead.
+    def to_signature
+      to_hex(compressed: true)
+    end
+
+    def validate!
+      b = Fp2.new(Curve::B2)
+      return if zero?
+
+      left = y.pow(2) * z - x.pow(3)
+      right = b * z.pow(3)
+      raise PointError, 'Invalid point: not on curve over Fp2' unless left == right
+    end
+
+    def clear_pairing_precomputes
+      self.precomputes = nil
+    end
+
+    def pairing_precomputes
+      return precomputes if precomputes
+
+      self.precomputes = calc_pairing_precomputes(*to_affine)
+      precomputes
+    end
+
+    private
+
+    def calc_pairing_precomputes(x, y)
+      q_x, q_y, q_z = [x, y, Fp2::ONE]
+      r_x, r_y, r_z = [q_x, q_y, q_z]
+      ell_coeff = []
+      i = BLS_X_LEN - 2
+      while i >= 0
+        t0 = r_y.square
+        t1 = r_z.square
+        t2 = t1.multiply(3).multiply_by_b
+        t3 = t2 * 3
+        t4 = (r_y + r_z).square - t1 - t0
+        ell_coeff << [t2 - t0, r_x.square * 3, t4.negate]
+        r_x = (t0 - t3) * r_x * r_y / 2
+        r_y = ((t0 + t3) / 2).square - t2.square * 3
+        r_z = t0 * t4
+        unless BLS.bit_get(Curve::X, i).zero?
+          t0 = r_y - q_y * r_z
+          t1 = r_x - q_x * r_z
+          ell_coeff << [t0 * q_x - t1 * q_y, t0.negate, t1]
+          t2 = t1.square
+          t3 = t2 * t1
+          t4 = t2 * r_x
+          t5 = t3 - t4 * 2 + t0.square * r_z
+          r_x = t1 * t5
+          r_y = (t4 - t5) * t0 - t3 * r_y
+          r_z *= t3
+        end
+        i -= 1
+      end
+      ell_coeff
+    end
+    def self.clear_cofactor(p)
+      t1 = p.multiply_unsafe(Curve::X).negate
+      t2 = p.from_affine_tuple(BLS.psi(*p.to_affine))
+      p2 = p.from_affine_tuple(BLS.psi2(*p.double.to_affine))
+      p2 - t2 + (t1 + t2).multiply_unsafe(Curve::X).negate - t1 - p
+    end
+  end
+
+end