bls12-381 0.2.2 → 0.3.0

data/lib/bls/point.rb

@@ -1,9 +1,18 @@
 # frozen_string_literal: true
 
 require 'bigdecimal'
+require 'h2c'
 
 module BLS
 
+  # Point serialization flags
+  POINT_COMPRESSION_FLAG = 0x80
+  POINT_INFINITY_FLAG = 0x40
+  POINT_Y_FLAG = 0x20
+
+  autoload :PointG1, "bls/point/g1"
+  autoload :PointG2, "bls/point/g2"
+
   class PointError < StandardError; end
 
   # Abstract Point class that consist of projective coordinates.
@@ -224,240 +233,8 @@ module BLS
     end
   end
 
-  class PointG1 < ProjectivePoint
-
-    BASE = PointG1.new(Fq.new(Curve::G_X), Fq.new(Curve::G_Y), Fq::ONE)
-    ZERO = PointG1.new(Fq::ONE, Fq::ONE, Fq::ZERO)
-    MAX_BITS = Fq::MAX_BITS
-
-    # Parse PointG1 from form hex.
-    # @param [String] hex hex value of PointG1.
-    # @return [PointG1]
-    # @raise [BLS::PointError] Occurs when hex length does not match, or point does not on G1.
-    def self.from_hex(hex)
-      bytes = [hex].pack('H*')
-      point = case bytes.bytesize
-              when 48
-                compressed_value = hex.to_i(16)
-                b_flag = BLS.mod(compressed_value, POW_2_383) / POW_2_382
-                return ZERO if b_flag == 1
-
-                x = BLS.mod(compressed_value, POW_2_381)
-                full_y = BLS.mod(x**3 + Fq.new(Curve::B).value, Curve::P)
-                y = BLS.pow_mod(full_y, (Curve::P + 1) / 4, Curve::P)
-                raise PointError, 'The given point is not on G1: y**2 = x**3 + b.' unless (BLS.pow_mod(y, 2, Curve::P) - full_y).zero?
-
-                a_flag = BLS.mod(compressed_value, POW_2_382) / POW_2_381
-                y = Curve::P - y unless ((y * 2) / Curve::P) == a_flag
-                PointG1.new(Fq.new(x), Fq.new(y), Fq::ONE)
-              when 96
-                return ZERO unless (bytes[0].unpack1('H*').to_i(16) & (1 << 6)).zero?
-
-                x = bytes[0...PUBLIC_KEY_LENGTH].unpack1('H*').to_i(16)
-                y = bytes[PUBLIC_KEY_LENGTH..-1].unpack1('H*').to_i(16)
-                PointG1.new(Fq.new(x), Fq.new(y), Fq::ONE)
-              else
-                raise PointError, 'Invalid point G1, expected 48 or 96 bytes.'
-              end
-      point.validate!
-      point
-    end
-
-    def to_hex(compressed: false)
-      if compressed
-        if self == PointG1::ZERO
-          hex = POW_2_383 + POW_2_382
-        else
-          x, y = to_affine
-          flag = (y.value * 2) / Curve::P
-          hex = x.value + flag * POW_2_381 + POW_2_383
-        end
-        BLS.num_to_hex(hex, PUBLIC_KEY_LENGTH)
-      else
-        if self == PointG1::ZERO
-          (1 << 6).to_s(16) + '00' * (2 * PUBLIC_KEY_LENGTH - 1)
-        else
-          x, y = to_affine
-          BLS.num_to_hex(x.value, PUBLIC_KEY_LENGTH) + BLS.num_to_hex(y.value, PUBLIC_KEY_LENGTH)
-        end
-      end
-    end
-
-    # Parse Point from private key.
-    # @param [String|Integer] private_key a private key with hex or number.
-    # @return [PointG1] G1Point corresponding to private keys.
-    # @raise [BLS::Error] Occur when the private key is zero.
-    def self.from_private_key(private_key)
-      BASE * BLS.normalize_priv_key(private_key)
-    end
-
-    # Validate this point whether on curve over Fq.
-    # @raise [PointError] Occur when this point not on curve over Fq.
-    def validate!
-      b = Fq.new(Curve::B)
-      return if zero?
-
-      left = y.pow(2) * z - x.pow(3)
-      right = b * z.pow(3)
-      raise PointError, 'Invalid point: not on curve over Fq' unless left == right
-    end
-
-    # Sparse multiplication against precomputed coefficients.
-    # @param [PointG2] p
-    def miller_loop(p)
-      BLS.miller_loop(p.pairing_precomputes, to_affine)
-    end
-  end
-
-  class PointG2 < ProjectivePoint
-
-    attr_accessor :precomputes
-
-    MAX_BITS = Fq2::MAX_BITS
-    BASE = PointG2.new(Fq2.new(Curve::G2_X), Fq2.new(Curve::G2_Y), Fq2::ONE)
-    ZERO = PointG2.new(Fq2::ONE, Fq2::ONE, Fq2::ZERO)
-
-    # Parse PointG1 from form hex.
-    # @param [String] hex hex value of PointG2. Currently, only uncompressed formats(196 bytes) are supported.
-    # @return [BLS::PointG2] PointG2 object.
-    # @raise [BLS::PointError]
-    def self.from_hex(hex)
-      bytes = [hex].pack('H*')
-      point = case bytes.bytesize
-              when 96
-                raise PointError, 'Compressed format not supported yet.'
-              when 192
-                return ZERO unless (bytes[0].unpack1('H*').to_i(16) & (1 << 6)).zero?
-
-                x1 = bytes[0...PUBLIC_KEY_LENGTH].unpack1('H*').to_i(16)
-                x0 = bytes[PUBLIC_KEY_LENGTH...(2 * PUBLIC_KEY_LENGTH)].unpack1('H*').to_i(16)
-                y1 = bytes[(2 * PUBLIC_KEY_LENGTH)...(3 * PUBLIC_KEY_LENGTH)].unpack1('H*').to_i(16)
-                y0 = bytes[(3 * PUBLIC_KEY_LENGTH)..-1].unpack1('H*').to_i(16)
-                PointG2.new(Fq2.new([x0, x1]), Fq2.new([y0, y1]), Fq2::ONE)
-              else
-                raise PointError, 'Invalid uncompressed point G2, expected 192 bytes.'
-              end
-      point.validate!
-      point
-    end
-
-    # Parse Point from private key.
-    # @param [String|Integer] private_key a private key with hex or number.
-    # @return [PointG1] G1Point corresponding to private keys.
-    # @raise [BLS::Error] Occur when the private key is zero.
-    def self.from_private_key(private_key)
-      BASE * BLS.normalize_priv_key(private_key)
-    end
-
-    # Convert hash to PointG2
-    # @param [String] message a hash with hex format.
-    # @return [BLS::PointG2] point.
-    # @raise [BLS::PointError]
-    def self.hash_to_curve(message)
-      raise PointError, 'expected hex string' unless message[/^[a-fA-F0-9]*$/]
-
-      u = BLS.hash_to_field(message, 2)
-      q0 = PointG2.new(*BLS.isogeny_map_g2(*BLS.map_to_curve_sswu_g2(u[0])))
-      q1 = PointG2.new(*BLS.isogeny_map_g2(*BLS.map_to_curve_sswu_g2(u[1])))
-      r = q0 + q1
-      BLS.clear_cofactor_g2(r)
-    end
-
-    def to_hex(compressed: false)
-      raise ArgumentError, 'Not supported' if compressed
-
-      if self == PointG2::ZERO
-        (1 << 6).to_s(16) + '00' * (4 * PUBLIC_KEY_LENGTH - 1)
-      else
-        validate!
-        x, y = to_affine.map(&:values)
-        BLS.num_to_hex(x[1], PUBLIC_KEY_LENGTH) +
-          BLS.num_to_hex(x[0], PUBLIC_KEY_LENGTH) +
-          BLS.num_to_hex(y[1], PUBLIC_KEY_LENGTH) +
-          BLS.num_to_hex(y[0], PUBLIC_KEY_LENGTH)
-      end
-    end
-
-    # Convert to signature with hex format.
-    # @return [String] signature with hex format.
-    def to_signature
-      if self == PointG2::ZERO
-        sum = POW_2_383 + POW_2_382
-        return BLS.num_to_hex(sum, PUBLIC_KEY_LENGTH) + BLS.num_to_hex(0, PUBLIC_KEY_LENGTH)
-      end
-      validate!
-      x, y = to_affine.map(&:values)
-      tmp = y[1] > 0 ? y[1] * 2 : y[0] * 2
-      aflag1 = tmp / Curve::P
-      z1 = x[1] + aflag1 * POW_2_381 + POW_2_383
-      z2 = x[0]
-      BLS.num_to_hex(z1, PUBLIC_KEY_LENGTH) + BLS.num_to_hex(z2, PUBLIC_KEY_LENGTH)
-    end
-
-    def validate!
-      b = Fq2.new(Curve::B2)
-      return if zero?
-
-      left = y.pow(2) * z - x.pow(3)
-      right = b * z.pow(3)
-      raise PointError, 'Invalid point: not on curve over Fq2' unless left == right
-    end
-
-    def clear_pairing_precomputes
-      self.precomputes = nil
-    end
-
-    def pairing_precomputes
-      return precomputes if precomputes
-
-      self.precomputes = calc_pairing_precomputes(*to_affine)
-      precomputes
-    end
-
-    private
-
-    def calc_pairing_precomputes(x, y)
-      q_x, q_y, q_z = [x, y, Fq2::ONE]
-      r_x, r_y, r_z = [q_x, q_y, q_z]
-      ell_coeff = []
-      i = BLS_X_LEN - 2
-      while i >= 0
-        t0 = r_y.square
-        t1 = r_z.square
-        t2 = t1.multiply(3).multiply_by_b
-        t3 = t2 * 3
-        t4 = (r_y + r_z).square - t1 - t0
-        ell_coeff << [t2 - t0, r_x.square * 3, t4.negate]
-        r_x = (t0 - t3) * r_x * r_y / 2
-        r_y = ((t0 + t3) / 2).square - t2.square * 3
-        r_z = t0 * t4
-        unless BLS.bit_get(Curve::X, i).zero?
-          t0 = r_y - q_y * r_z
-          t1 = r_x - q_x * r_z
-          ell_coeff << [t0 * q_x - t1 * q_y, t0.negate, t1]
-          t2 = t1.square
-          t3 = t2 * t1
-          t4 = t2 * r_x
-          t5 = t3 - t4 * 2 + t0.square * r_z
-          r_x = t1 * t5
-          r_y = (t4 - t5) * t0 - t3 * r_y
-          r_z *= t3
-        end
-        i -= 1
-      end
-      ell_coeff
-    end
-  end
-
   module_function
 
-  def clear_cofactor_g2(p)
-    t1 = p.multiply_unsafe(Curve::X).negate
-    t2 = p.from_affine_tuple(BLS.psi(*p.to_affine))
-    p2 = p.from_affine_tuple(BLS.psi2(*p.double.to_affine))
-    p2 - t2 + (t1 + t2).multiply_unsafe(Curve::X).negate - t1 - p
-  end
-
   def norm_p1(point)
     point.is_a?(PointG1) ? point : PointG1.from_hex(point)
   end
@@ -466,52 +243,12 @@ module BLS
     point.is_a?(PointG2) ? point : PointG2.from_hex(point)
   end
 
-  def norm_p2h(point)
-    point.is_a?(PointG2) ? point : PointG2.hash_to_curve(point)
+  def norm_p1h(point)
+    point.is_a?(PointG1) ? point : PointG1.hash_to_curve(point)
   end
 
-  # Convert hash to Field.
-  # @param [String] message hash value with hex format.
-  # @return [Array[Integer]] byte array.
-  def hash_to_field(message, degree, random_oracle: true)
-    count = random_oracle ? 2 : 1
-    l = 64
-    len_in_bytes = count * degree * l
-    pseudo_random_bytes = BLS.expand_message_xmd(message, len_in_bytes)
-    u = Array.new(count)
-    count.times do |i|
-      e = Array.new(degree)
-      degree.times do |j|
-        elm_offset = l * (j + i * degree)
-        tv = pseudo_random_bytes[elm_offset...(elm_offset + l)]
-        e[j] = BLS.mod(BLS.os2ip(tv), Curve::P)
-      end
-      u[i] = e
-    end
-    u
+  def norm_p2h(point)
+    point.is_a?(PointG2) ? point : PointG2.hash_to_curve(point)
   end
 
-  # @param [String] message hash value with hex format.
-  # @param [Integer] len_in_bytes length
-  # @return [Array[Integer]] byte array.
-  # @raise BLS::Error
-  def expand_message_xmd(message, len_in_bytes)
-    b_in_bytes = BigDecimal(SHA256_DIGEST_SIZE)
-    r_in_bytes = b_in_bytes * 2
-    ell = (BigDecimal(len_in_bytes) / b_in_bytes).ceil
-    raise BLS::Error, 'Invalid xmd length' if ell > 255
-
-    dst_prime = DST_LABEL.bytes + BLS.i2osp(DST_LABEL.bytesize, 1)
-    z_pad = BLS.i2osp(0, r_in_bytes)
-    l_i_b_str = BLS.i2osp(len_in_bytes, 2)
-    b = Array.new(ell)
-    payload = z_pad + [message].pack('H*').bytes + l_i_b_str + BLS.i2osp(0, 1) + dst_prime
-    b_0 = Digest::SHA256.digest(payload.pack('C*'))
-    b[0] = Digest::SHA256.digest((b_0.bytes + BLS.i2osp(1, 1) + dst_prime).pack('C*'))
-    (1..ell).each do |i|
-      args = BLS.bin_xor(b_0, b[i - 1]).bytes + BLS.i2osp(i + 1, 1) + dst_prime
-      b[i] = Digest::SHA256.digest(args.pack('C*'))
-    end
-    b.map(&:bytes).flatten[0...len_in_bytes]
-  end
 end

data/lib/bls/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module BLS
-  VERSION = '0.2.2'
+  VERSION = '0.3.0'
 end

data/lib/bls.rb

@@ -5,6 +5,7 @@ require 'bls/version'
 require 'bls/math'
 require 'bls/curve'
 require 'bls/field'
+require 'bls/h2c'
 require 'bls/point'
 require 'bls/pairing'
 
@@ -19,82 +20,134 @@ module BLS
   PUBLIC_KEY_LENGTH = 48
   SHA256_DIGEST_SIZE = 32
 
-  DST_LABEL = 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_'
-
   module_function
 
   # Generate BLS signature: s = pk x H(m)
-  # @param [String] message Message digest(hash value with hex format) to be signed.
+  # @param [String] message Message digest(hex format) to be signed.
   # @param [Integer|String] private_key The private key used for signing. Integer or String(hex).
+  # @param [Symbol] sig_type Signature type, :g1 or :g2.
+  # If :g1 is specified, the signature is a point on G1 and the public key is a point on G2.
+  # If :g2 is specified, the signature is a point on G2 and the public key is a point on G1.
   # @return [PointG2] The signature point.
-  def sign(message, private_key)
-    msg_point = BLS.norm_p2h(message)
+  def sign(message, private_key, sig_type: :g2)
+    msg_point = case sig_type
+                when :g1
+                  BLS.norm_p1h(message)
+                when :g2
+                  BLS.norm_p2h(message)
+                else
+                  raise Error, 'sig_type must be :g1 or :g2.'
+                end
     msg_point * BLS.normalize_priv_key(private_key)
   end
 
   # Generate public key from +private_key+.
   # @param [Integer|String] private_key The private key. Integer or String(hex).
-  # @return [BLS::PointG1] public key.
-  def get_public_key(private_key)
-    PointG1.from_private_key(private_key)
+  # @param [Symbol] key_type Public key type, :g1 or :g2.
+  # @return [BLS::PointG1|BLS::PointG2] public key.
+  def get_public_key(private_key, key_type: :g1)
+    case key_type
+    when :g1
+      PointG1.from_private_key(private_key)
+    when :g2
+      PointG2.from_private_key(private_key)
+    else
+      raise Error, 'key_type must be :g1 or :g2.'
+    end
   end
 
-  # Verify BLS signature.
-  # @param [String] signature
+  # Verify BLS signature. Verify one of the following:
+  # * Public key is a point on G1, signature is a point on G2 or
+  # * Public key is a point on G2, signature is a point on G1.
+  # @param [BLS::PointG1|BLS::PointG2] signature
   # @param [String] message Message digest(hash value with hex format) to be verified.
-  # @param [String|BLS::PointG1] public_key Public key with hex format or PointG1.
+  # @param [BLS::PointG2|BLS::PointG1] public_key Public key with hex format or PointG1.
   # @return [Boolean] verification result.
   def verify(signature, message, public_key)
-    p = BLS.norm_p1(public_key)
-    hm = BLS.norm_p2h(message)
-    g = PointG1::BASE
-    s = BLS.norm_p2(signature)
-    ephm = BLS.pairing(p.negate, hm, with_final_exp: false)
-    egs = BLS.pairing(g, s, with_final_exp: false)
+    unless signature.is_a?(PointG1) && public_key.is_a?(PointG2) ||
+      signature.is_a?(PointG2) && public_key.is_a?(PointG1)
+      raise BLS::Error, 'Invalid signature or public key. If the public key is PointG1, the signature must be an element of Point::G2 or vice versa.'
+    end
+    g = public_key.is_a?(PointG1) ? PointG1::BASE : PointG2::BASE
+    ephm = if public_key.is_a?(PointG1)
+             hm = BLS.norm_p2h(message)
+             BLS.pairing(public_key.negate, hm, with_final_exp: false)
+           else
+             hm = BLS.norm_p1h(message)
+             BLS.pairing(hm, public_key.negate, with_final_exp: false)
+           end
+    egs = if public_key.is_a?(PointG1)
+            BLS.pairing(g, signature, with_final_exp: false)
+          else
+            BLS.pairing(signature, g, with_final_exp: false)
+          end
     exp = (egs * ephm).final_exponentiate
-    exp == Fq12::ONE
+    exp == Fp12::ONE
   end
 
   # Aggregate multiple public keys.
-  # @param [Array[String]] public_keys the list of public keys.
-  # @return [BLS::PointG1] aggregated public key.
+  # @param [Array[BLS::PointG1]|Array[BLS::PointG2]] public_keys the list of public keys.
+  # @return [BLS::PointG1|BLS::PointG2] aggregated public key.
   def aggregate_public_keys(public_keys)
     raise BLS::Error, 'Expected non-empty array.' if public_keys.empty?
-
-    public_keys.map { |p| BLS.norm_p1(p) }.inject(PointG1::ZERO) { |sum, p| sum + p }
+    g1_flag = public_keys.first.is_a?(PointG1)
+    sum = g1_flag ? PointG1::ZERO : PointG2::ZERO
+    public_keys.each do |pubkey|
+      if g1_flag && !pubkey.is_a?(PointG1) || !g1_flag && !pubkey.is_a?(PointG2)
+        raise BLS::Error, 'Point G1 and G2 are mixed.'
+      end
+      sum += pubkey
+    end
+    sum
   end
 
   # Aggregate multiple signatures.
   # e(G, S) = e(G, sum(n)Si) = mul(n)(e(G, Si))
-  # @param [Array[String|BLS::PointG2]] signatures multiple signatures.
-  # @return [BLS::PointG2] aggregated signature.
+  # @param [Array[BLS::PointG2]|Array[BLS::PointG2]] signatures multiple signatures.
+  # @return [BLS::PointG2|BLS::PointG1] aggregated signature.
   def aggregate_signatures(signatures)
     raise BLS::Error, 'Expected non-empty array.' if signatures.empty?
 
-    signatures.map { |s| BLS.norm_p2(s) }.inject(PointG2::ZERO) { |sum, s| sum + s }
+    g2_flag = signatures.first.is_a?(PointG2)
+    sum = g2_flag ? PointG2::ZERO : PointG1::ZERO
+    signatures.each do |signature|
+      if g2_flag && !signature.is_a?(PointG2) || !g2_flag && !signature.is_a?(PointG1)
+        raise BLS::Error, 'Signature G1 and G2 are mixed.'
+      end
+      sum += signature
+    end
+    sum
   end
 
   # Verify aggregated signature.
-  # @param [BLS::PointG2] signature aggregated signature.
+  # @param [BLS::PointG2|BLS::PointG1] signature aggregated signature(BLS::PointG2 or BLS::PointG1).
   # @param [Array[String]] messages the list of message.
-  # @param [Array[String|BLS::PointG1]] public_keys the list of public keys with hex or BLS::PointG1 format.
+  # @param [Array[BLS::PointG1]|Array[BLS::PointG2]] public_keys the list of public keys(BLS::PointG1 or BLS::PointG2).
   # @return [Boolean] verification result.
   def verify_batch(signature, messages, public_keys)
     raise BLS::Error, 'Expected non-empty array.' if messages.empty?
     raise BLS::Error, 'Public keys count should equal msg count.' unless messages.size == public_keys.size
 
-    n_message = messages.map { |m| BLS.norm_p2h(m) }
-    n_public_keys = public_keys.map { |p| BLS.norm_p1(p) }
+    sig_g2_flag = signature.is_a?(PointG2)
+    public_keys.each do |public_key|
+      if sig_g2_flag && !public_key.is_a?(PointG1) || !sig_g2_flag && !public_key.is_a?(PointG2)
+        raise BLS::Error, "Public key must be #{sig_g2_flag ? 'PointG1' : 'PointG2'}"
+      end
+    end
+
+    n_message = messages.map { |m| sig_g2_flag ? BLS.norm_p2h(m) : BLS.norm_p1h(m)}
     paired = []
+    zero = sig_g2_flag ? PointG1::ZERO : PointG2::ZERO
     n_message.each do |message|
-      group_pubkey = n_message.each_with_index.inject(PointG1::ZERO)do|group_pubkey, (sub_message, i)|
-        sub_message == message ? group_pubkey + n_public_keys[i] : group_pubkey
+      group_pubkey = n_message.each_with_index.inject(zero)do|group_pubkey, (sub_message, i)|
+        sub_message == message ? group_pubkey + public_keys[i] : group_pubkey
       end
-      paired << BLS.pairing(group_pubkey, message, with_final_exp: false)
+      paired << (sig_g2_flag ? BLS.pairing(group_pubkey, message, with_final_exp: false) :
+                   BLS.pairing(message, group_pubkey, with_final_exp: false))
     end
-    sig = BLS.norm_p2(signature)
-    paired << BLS.pairing(PointG1::BASE.negate, sig, with_final_exp: false)
-    product = paired.inject(Fq12::ONE) { |a, b| a * b }
-    product.final_exponentiate == Fq12::ONE
+    paired << (sig_g2_flag ? BLS.pairing(PointG1::BASE.negate, signature, with_final_exp: false) :
+                 BLS.pairing(signature, PointG2::BASE.negate, with_final_exp: false))
+    product = paired.inject(Fp12::ONE) { |a, b| a * b }
+    product.final_exponentiate == Fp12::ONE
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: bls12-381
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - Shigeyuki Azuchi
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-01-26 00:00:00.000000000 Z
+date: 2023-07-21 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: h2c
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -61,9 +75,12 @@ files:
 - lib/bls.rb
 - lib/bls/curve.rb
 - lib/bls/field.rb
+- lib/bls/h2c.rb
 - lib/bls/math.rb
 - lib/bls/pairing.rb
 - lib/bls/point.rb
+- lib/bls/point/g1.rb
+- lib/bls/point/g2.rb
 - lib/bls/version.rb
 homepage: https://github.com/azuchi/bls12-381
 licenses: