Barretenberg: src/barretenberg/crypto/schnorr/proof_of_possession.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: not started, auditors: [], date: YYYY-MM-DD }

// external_1:  { status: not started, auditors: [], date: YYYY-MM-DD }

// external_2:  { status: not started, auditors: [], date: YYYY-MM-DD }

// =====================


#pragma once


#include <utility>


#include "barretenberg/common/serialize.hpp"

#include "schnorr.hpp"


namespace bb::crypto {


template <typename G1, typename Hash> struct SchnorrProofOfPossession {

    using Fq = typename G1::Fq;

    using Fr = typename G1::Fr;

    using affine_element = typename G1::affine_element;

    using element = typename G1::element;

    using key_pair = crypto::schnorr_key_pair<Fr, G1>;


    // challenge = e = H_reg(pk,pk,R)

    std::array<uint8_t, 32> challenge;

    // response = z = k - e * sk

    Fr response = Fr::zero();


    // restore default constructor to enable deserialization

    SchnorrProofOfPossession() = default;


    SchnorrProofOfPossession(const key_pair& account)

    {

        auto secret_key = account.private_key;

        auto public_key = account.public_key;


        // Fr::random_element() will call std::random_device, which in turn relies on system calls to generate a string

        // of random bits. It is important to ensure that the execution environment will correctly supply system calls

        // that give std::random_device access to an entropy source that produces a string of non-deterministic

        // uniformly random bits. For example, when compiling into a wasm binary, it is essential that the random_get

        // method is overloaded to utilise a suitable entropy source

        // (see https://github.com/WebAssembly/WASI/blob/main/phases/snapshot/docs.md)

        // TODO: securely erase `k`

        Fr k = Fr::random_element();


        affine_element R = G1::one * k;


        auto challenge_bytes = generate_challenge(public_key, R);

        std::copy(challenge_bytes.begin(), challenge_bytes.end(), challenge.begin());


        Fr challenge_fr = Fr::serialize_from_buffer(&challenge_bytes[0]);

        response = k - challenge_fr * secret_key;

    }


    bool verify(const affine_element& public_key) const

    {

        Fr challenge_fr = Fr::serialize_from_buffer(&challenge[0]);

        // this ensures that a default constructed proof is invalid

        if (response.is_zero())

            return false;


        if (!public_key.on_curve() || public_key.is_point_at_infinity())

            return false;


        // R = e•pk + z•G

        affine_element R = element(public_key) * challenge_fr + G1::one * response;

        if (R.is_point_at_infinity())

            return false;


        // recompute the challenge e

        auto challenge_computed = generate_challenge(public_key, R);

        return std::equal(challenge.begin(), challenge.end(), challenge_computed.begin(), challenge_computed.end());

    }


  private:


    static auto generate_challenge(const affine_element& public_key, const affine_element& R)

    {

        // Domain separation challenges

        const std::string domain_separator_pop("h_reg");


        // buffer containing (domain_sep, G, X, X, R)

        std::vector<uint8_t> challenge_buf;


        // write domain separator

        std::copy(domain_separator_pop.begin(), domain_separator_pop.end(), std::back_inserter(challenge_buf));


        // write the group generator

        write(challenge_buf, G1::affine_one);


        // write X twice as per the spec

        write(challenge_buf, public_key);

        write(challenge_buf, public_key);


        // write R

        write(challenge_buf, R);


        // generate the raw bits of H_reg(X,X,R)

        return Hash::hash(challenge_buf);

    }


};


template <typename B, typename G1, typename Hash>


inline void read(B& it, SchnorrProofOfPossession<G1, Hash>& proof_of_possession)

{

    read(it, proof_of_possession.challenge);

    read(it, proof_of_possession.response);

}


template <typename B, typename G1, typename Hash>


inline void write(B& buf, SchnorrProofOfPossession<G1, Hash> const& proof_of_possession)

{

    write(buf, proof_of_possession.challenge);

    write(buf, proof_of_possession.response);

}


} // namespace bb::crypto

buf
uint8_t const  * buf
Definition data_store.hpp:9

bb::crypto
Definition aes128.cpp:158

bb::crypto::read
void read(B &it, SchnorrProofOfPossession< G1, Hash > &proof_of_possession)
Definition proof_of_possession.hpp:130

bb::crypto::write
void write(B &buf, SchnorrProofOfPossession< G1, Hash > const &proof_of_possession)
Definition proof_of_possession.hpp:137

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

serialize.hpp

schnorr.hpp

bb::crypto::SchnorrProofOfPossession
A proof of possession is a Schnorr proof of knowledge of a secret key corresponding to a given public...
Definition proof_of_possession.hpp:24

bb::crypto::SchnorrProofOfPossession::affine_element
typename G1::affine_element affine_element
Definition proof_of_possession.hpp:27

bb::crypto::SchnorrProofOfPossession::Fr
typename G1::Fr Fr
Definition proof_of_possession.hpp:26

bb::crypto::SchnorrProofOfPossession::Fq
typename G1::Fq Fq
Definition proof_of_possession.hpp:25

bb::crypto::SchnorrProofOfPossession::SchnorrProofOfPossession
SchnorrProofOfPossession()=default

bb::crypto::SchnorrProofOfPossession::generate_challenge
static auto generate_challenge(const affine_element &public_key, const affine_element &R)
Generate the Fiat-Shamir challenge e = H_reg(G,X,X,R)
Definition proof_of_possession.hpp:103

bb::crypto::SchnorrProofOfPossession::challenge
std::array< uint8_t, 32 > challenge
Definition proof_of_possession.hpp:32

bb::crypto::SchnorrProofOfPossession::response
Fr response
Definition proof_of_possession.hpp:34

bb::crypto::SchnorrProofOfPossession::element
typename G1::element element
Definition proof_of_possession.hpp:28

bb::crypto::SchnorrProofOfPossession::SchnorrProofOfPossession
SchnorrProofOfPossession(const key_pair &account)
Create a new proof of possession for a given account.
Definition proof_of_possession.hpp:46

bb::crypto::SchnorrProofOfPossession::verify
bool verify(const affine_element &public_key) const
verifies that an unserialized signature is valid
Definition proof_of_possession.hpp:75

bb::crypto::schnorr_key_pair
Definition schnorr.hpp:22

bb::crypto::schnorr_key_pair::private_key
Fr private_key
Definition schnorr.hpp:23

bb::crypto::schnorr_key_pair::public_key
G1::affine_element public_key
Definition schnorr.hpp:24

bb::field< Bn254FrParams >::random_element
static field random_element(numeric::RNG *engine=nullptr) noexcept
Definition field_impl.hpp:665

bb::field< Bn254FrParams >::serialize_from_buffer
static field serialize_from_buffer(const uint8_t *buffer)
Definition field_declarations.hpp:377

bb::field< Bn254FrParams >::zero
static constexpr field zero()
Definition field_declarations.hpp:240