Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bls operations rebased #64

Merged
merged 21 commits into from
Aug 9, 2021
Merged

Bls operations rebased #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
041b949
add implementation proofs for core_verify_pk_in_g1
May 10, 2021
3aa0a6a
undo stuff commited by mistake and fix proofs
Jul 12, 2021
4f054f0
fix clear_cofactor_p2
Jul 13, 2021
77c23d3
fix aggregate_in_g2 by adding an assumption
Jul 14, 2021
02309c3
clear goal 9 (sig_from_Jacobian preconditions)
Jul 21, 2021
b3eb480
make miller_loop_n_1 param readonly
Jul 21, 2021
a573b5d
now remains the postcond
Jul 21, 2021
38047ed
core_verify_pk_in_g2 should now work
Jul 29, 2021
16d57ea
fix module name
Jul 30, 2021
a5d2d98
squash for rebasing onto core_verify_impl
May 25, 2021
aee024b
temporary fix
Jul 30, 2021
968f5ee
merge core_verify_pk_in_g2
Jul 30, 2021
b277e45
minor stuff
Jul 30, 2021
ea4a87e
add null_aug override
Aug 2, 2021
d26c31b
demo_BasicVerify_A_ov should now work
Aug 2, 2021
afd795f
fix core_verify_pk_in_g2 for null aug
Aug 2, 2021
03eb53b
remove print_readably
Aug 3, 2021
28758e0
finish merging
Aug 3, 2021
fdd517f
fix min_key.saw
Aug 3, 2021
2a37a46
temporarily replace DST_len by concrete value
Aug 4, 2021
d15756e
remove reall_ prefix
Aug 9, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions patches/blst_header.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
diff --git a/bindings/blst.h b/bindings/blst.h
index 3a333b1..cbd3642 100644
--- a/bindings/blst.h
+++ b/bindings/blst.h
@@ -168,10 +168,10 @@ bool blst_p1_is_equal(const blst_p1 *a, const blst_p1 *b);
bool blst_p1_is_inf(const blst_p1 *a);
const blst_p1 *blst_p1_generator();

-bool blst_p1_affine_on_curve(const blst_p1_affine *p);
-bool blst_p1_affine_in_g1(const blst_p1_affine *p);
+limb_t blst_p1_affine_on_curve(const blst_p1_affine *p);
+limb_t blst_p1_affine_in_g1(const blst_p1_affine *p);
bool blst_p1_affine_is_equal(const blst_p1_affine *a, const blst_p1_affine *b);
-bool blst_p1_affine_is_inf(const blst_p1_affine *a);
+limb_t blst_p1_affine_is_inf(const blst_p1_affine *a);
const blst_p1_affine *blst_p1_affine_generator();

typedef struct { blst_fp2 x, y, z; } blst_p2;
@@ -194,10 +194,10 @@ bool blst_p2_is_equal(const blst_p2 *a, const blst_p2 *b);
bool blst_p2_is_inf(const blst_p2 *a);
const blst_p2 *blst_p2_generator();

-bool blst_p2_affine_on_curve(const blst_p2_affine *p);
-bool blst_p2_affine_in_g2(const blst_p2_affine *p);
+limb_t blst_p2_affine_on_curve(const blst_p2_affine *p);
+limb_t blst_p2_affine_in_g2(const blst_p2_affine *p);
bool blst_p2_affine_is_equal(const blst_p2_affine *a, const blst_p2_affine *b);
-bool blst_p2_affine_is_inf(const blst_p2_affine *a);
+limb_t blst_p2_affine_is_inf(const blst_p2_affine *a);
const blst_p2_affine *blst_p2_affine_generator();

/*
@@ -351,7 +351,7 @@ BLST_ERROR blst_core_verify_pk_in_g1(const blst_p1_affine *pk,
size_t aug_len DEFNULL);
BLST_ERROR blst_core_verify_pk_in_g2(const blst_p2_affine *pk,
const blst_p1_affine *signature,
- bool hash_or_encode,
+ int hash_or_encode,
const byte *msg, size_t msg_len,
const byte *DST DEFNULL,
size_t DST_len DEFNULL,
5 changes: 3 additions & 2 deletions proof/aggregate_in_g2.saw
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@

// NOTE: we only consider inputs that either have the infinity-bit set or compressed-bit set

// aggregate_in_g2_error_precond describes the circumstances under which aggregate_in_g2 returns an error (assuming either the compressed bit is set of the infinity bit is set)
// aggregate_in_g2_error_precond describes the circumstances under which aggregate_in_g2 returns an error (assuming either the compressed bit is set or the infinity bit is set)
let {{
aggregate_in_g2_error_precond : [96][8] -> Bool
aggregate_in_g2_error_precond zwire =
Expand Down Expand Up @@ -95,7 +95,8 @@ let overrides = foldr concat [vec_overrides,curve_operations_e2_ovs] [POINTonE2_

// Assumptions

uncompress_not_point_O <- admit_cryptol {{ \x -> (is_point_O E' (uncompress_E2_OK x)) == if uncompress_E2_x_fp x != Fp_2.field_zero then False else apply is_point_O E' (uncompress_E2_OK x) }};
// uncompressing a valid point that does not have the infinity bit set does not return point_O:
uncompress_not_point_O <- admit_cryptol {{ \x -> (is_point_O E' (uncompress_E2_OK x)) == if (uncompress_E2_imp x != nothing) then False else apply is_point_O E' (uncompress_E2_OK x) }};

uncompress_on_curve <- admit_cryptol {{ \x -> (is_point_affine E' (uncompress_E2_OK x)) == True }};

Expand Down
4 changes: 2 additions & 2 deletions proof/api-extra-for-release-2.saw
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/*
Copyright (c) 2020 Galois, Inc.
SPDX-License-Identifier: Apache-2.0 OR MIT
* Copyright (c) 2020 Galois, Inc.
* SPDX-License-Identifier: Apache-2.0 OR MIT
*/

blst_p1_affine_in_g1_ov <- verify_unint "blst_p1_affine_in_g1"
Expand Down
138 changes: 138 additions & 0 deletions proof/bls_operations.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
#include "blst.h"
#include <stdio.h> // for NULL

// TODO: Move

// Two variants:
// _A: min signature size
// _B: min pk size

// Explicitly note that demo_DST_A is 43 bytes to avoid the null terminator
// (needed for SAW to treat the allocation as 32 bytes)
byte demo_DST_A[43] = "BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_";
byte demo_DST_B[43] = "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_";

// KeyGen maps directly to blst_keygen

// SkToPk
void demo_SkToPk_A(unsigned char out[96], const blst_scalar *SK) {
blst_p2 pk;
blst_sk_to_pk_in_g2(&pk, SK);
blst_p2_compress(out, &pk);
}

void demo_SkToPk_B(unsigned char out[48], const blst_scalar *SK) {
blst_p1 pk;
blst_sk_to_pk_in_g1(&pk, SK);
blst_p1_compress(out, &pk);
};

// KeyValidate

limb_t demo_KeyValidate_A(const unsigned char in[96]) {
blst_p2_affine pk;
BLST_ERROR r;
r = blst_p2_uncompress(&pk, in);
/*
return r == BLST_SUCCESS &&
blst_p2_affine_on_curve(&pk) &&
!blst_p2_affine_is_inf(&pk) &&
blst_p2_affine_in_g2(&pk);
*/
if (r != BLST_SUCCESS) return 0;
if (! blst_p2_affine_on_curve(&pk)) return 0;
if (blst_p2_affine_is_inf(&pk)) return 0;
if (! blst_p2_affine_in_g2(&pk)) return 0;
return 1;
};

limb_t demo_KeyValidate_B(const unsigned char in[48]) {
blst_p1_affine pk;
BLST_ERROR r;
r = blst_p1_uncompress(&pk, in);
if (r != BLST_SUCCESS) return 0;
if (! blst_p1_affine_on_curve(&pk)) return 0;
if (blst_p1_affine_is_inf(&pk)) return 0;
if (! blst_p1_affine_in_g1(&pk)) return 0;
return 1;
};


// BasicSign

void demo_BasicSign_A(byte out[48], const blst_scalar *SK,
const byte *message, size_t message_len) {
// TODO: Figure out how to use globals in SAW?
//const byte local_DST_A[] = "BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_AUG_";
blst_p1 Q1, Q2;
// TODO: Double check, but I think aug is supposed to be a public key? That
// will determine the size it should be.
// TODO: Is DST_len supposted to include the null terminator? It's 44 with
// the null terminator, and 43 without.
blst_hash_to_g1(&Q1, message, message_len, demo_DST_A, 43, NULL, 0); // no "aug" string
// blst_p1_mult(&Q, &Q, SK, 256); // or 255?
blst_sign_pk_in_g2(&Q2, &Q1, SK);
blst_p1_compress(out, &Q2);
};

void demo_BasicSign_B(byte out[96], const blst_scalar *SK,
const byte *message, size_t message_len) {
blst_p2 Q1, Q2;
blst_hash_to_g2(&Q1, message, message_len, demo_DST_B, 43, NULL, 0); // no "aug" string
blst_sign_pk_in_g1(&Q2, &Q1, SK);
blst_p2_compress(out, &Q2);
};

// BasicVerify

limb_t demo_BasicVerify_A(const byte sig[48], const byte pk[96], const byte *message, size_t message_len) {
blst_p1_affine R;
blst_p1 Q;
blst_p2_affine PK;
// uncompress and check the sig
if (blst_p1_uncompress(&R, sig) != BLST_SUCCESS) return 0;
if (! blst_p1_affine_on_curve(&R)) return 0;
if (blst_p1_affine_is_inf(&R)) return 0;
if (! blst_p1_affine_in_g1(&R)) return 0;

if (!demo_KeyValidate_A(pk)) return 0;

// TODO: Use KeyValidate below instead to better match the spec?
// uncompress and check the pub key
if (blst_p2_uncompress(&PK, pk) != BLST_SUCCESS) return 0;
/*
if (! blst_p2_affine_on_curve(&PK)) return 0;
if (blst_p2_affine_is_inf(&PK)) return 0;
if (! blst_p2_affine_in_g2(&PK)) return 0;
*/

if (blst_core_verify_pk_in_g2(&PK, &R, 1, message, message_len, demo_DST_A, 43, NULL, 0) != BLST_SUCCESS)
return 0;
return 1;
};

bool demo_BasicVerify_B(const byte sig[96], const byte pk[48], const byte *message, size_t message_len) {
blst_p2_affine R;
blst_p2 Q;
blst_p1_affine PK;
// uncompress and check the sig
if (blst_p2_uncompress(&R, sig) != BLST_SUCCESS) return 0;
if (! blst_p2_affine_on_curve(&R)) return 0;
if (blst_p2_affine_is_inf(&R)) return 0;
if (! blst_p2_affine_in_g2(&R)) return 0;

// TODO: Maybe remove the above checks if the override handles error cases.
// Can't remove pubkey checks? (Same goes for A variant)

// uncompress and check the pub key
if (blst_p1_uncompress(&PK, pk) != BLST_SUCCESS) return 0;
if (! blst_p1_affine_on_curve(&PK)) return 0;
if (blst_p1_affine_is_inf(&PK)) return 0;
if (! blst_p1_affine_in_g1(&PK)) return 0;


// TODO: fix DST string
if (blst_core_verify_pk_in_g1(&PK, &R, 1, message, message_len, demo_DST_A, 43, NULL, 0) != BLST_SUCCESS)
return 0;
return 1;
};
Loading