-
Notifications
You must be signed in to change notification settings - Fork 23
/
keygen-genesis.rs
242 lines (229 loc) · 8.02 KB
/
keygen-genesis.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
use clap::AppSettings;
use client_server_helpers::*;
use concordium_base::{
common::*,
curve_arithmetic::Curve,
elgamal::PublicKey,
id::{
constants::{ArCurve, BlsG2, IpPairing},
types::*,
},
ps_sig,
};
use curve25519_dalek::edwards::CompressedEdwardsY;
use sha2::{Digest, Sha512};
use std::{fs, path::PathBuf};
use structopt::StructOpt;
type Bls12 = IpPairing;
type G1 = ArCurve;
type G2 = BlsG2;
#[derive(StructOpt)]
struct KeygenIp {
#[structopt(long = "seed", help = "File with seed.")]
seed: PathBuf,
#[structopt(
long = "ip-identity",
help = "The integer identifying the identity provider"
)]
ip_identity: u32,
#[structopt(long = "name", help = "Name of the identity provider")]
name: String,
#[structopt(long = "url", help = "url to identity provider")]
url: String,
#[structopt(long = "description", help = "Description of identity provider")]
description: String,
#[structopt(
long = "bound",
help = "Upper bound on messages signed by the IP",
default_value = "30"
)]
bound: u32,
#[structopt(long = "out-pub", help = "File to output the public keys to.")]
out_pub: PathBuf,
}
#[derive(StructOpt)]
struct KeygenAr {
#[structopt(long = "seed", help = "File with seed.")]
seed: PathBuf,
#[structopt(
long = "ar-identity",
help = "The integer identifying the anonymity revoker"
)]
ar_identity: ArIdentity,
#[structopt(long = "name", help = "Name of the anonymity revoker")]
name: String,
#[structopt(long = "url", help = "url to anonymity revoker")]
url: String,
#[structopt(long = "description", help = "Description of anonymity revoker")]
description: String,
#[structopt(long = "out-pub", help = "File to output the public keys to.")]
out_pub: PathBuf,
}
#[derive(StructOpt)]
#[structopt(
about = "Keys for identity providers and anonymity revokers for genesis",
author = "Concordium",
version = "1"
)]
enum KeygenTool {
#[structopt(name = "keygen-ip", about = "Generate identity provider keys")]
KeygenIp(KeygenIp),
#[structopt(name = "keygen-ar", about = "Generate anonymity revoker keys")]
KeygenAr(KeygenAr),
}
fn main() {
let app = KeygenTool::clap()
.setting(AppSettings::ArgRequiredElseHelp)
.global_setting(AppSettings::ColoredHelp);
let matches = app.get_matches();
let kg = KeygenTool::from_clap(&matches);
use KeygenTool::*;
match kg {
KeygenIp(kgip) => {
if let Err(e) = handle_generate_ip_keys(kgip) {
eprintln!("{}", e)
}
}
KeygenAr(kgar) => {
if let Err(e) = handle_generate_ar_keys(kgar) {
eprintln!("{}", e)
}
}
}
}
macro_rules! succeed_or_die {
($e:expr, $match:ident => $s:expr) => {
match $e {
Ok(v) => v,
Err($match) => return Err(format!($s, $match)),
}
};
($e:expr, $s:expr) => {
match $e {
Some(x) => x,
None => return Err($s.to_owned()),
}
};
}
fn handle_generate_ar_keys(kgar: KeygenAr) -> Result<(), String> {
let bytes_from_file = succeed_or_die!(fs::read(kgar.seed), e => "Could not read random input from provided file because {}");
let generator =
G1::hash_to_group(&bytes_from_file).expect("Hashing to curve expected to succeed");
let key =
G1::hash_to_group(&to_bytes(&generator)).expect("Hashing to curve expected to succeed");
let ar_public_key = PublicKey { generator, key };
let ar_identity = kgar.ar_identity;
let name = kgar.name;
let url = kgar.url;
let description = kgar.description;
let public_ar_info = ArInfo {
ar_identity,
ar_description: Description {
name,
url,
description,
},
ar_public_key,
};
let ver_public_ar_info = Versioned::new(VERSION_0, public_ar_info);
match write_json_to_file(&kgar.out_pub, &ver_public_ar_info) {
Ok(_) => println!("Wrote public keys to {}.", kgar.out_pub.to_string_lossy()),
Err(e) => {
return Err(format!(
"Could not JSON write public keys to file because {}",
e
));
}
}
Ok(())
}
fn handle_generate_ip_keys(kgip: KeygenIp) -> Result<(), String> {
let bytes_from_file = succeed_or_die!(fs::read(kgip.seed), e => "Could not read random input from provided file because {}");
let ip_public_key = generate_ps_pk(kgip.bound, &bytes_from_file);
let ip_cdi_verify_key = hash_to_ed25519(&bytes_from_file).unwrap();
let id = kgip.ip_identity;
let name = kgip.name;
let url = kgip.url;
let description = kgip.description;
let ip_id = IpIdentity(id);
let ip_info = IpInfo {
ip_identity: ip_id,
ip_description: Description {
name,
url,
description,
},
ip_verify_key: ip_public_key,
ip_cdi_verify_key,
};
let versioned_ip_info_public = Versioned::new(VERSION_0, ip_info);
match write_json_to_file(&kgip.out_pub, &versioned_ip_info_public) {
Ok(_) => println!("Wrote public keys to {}.", kgip.out_pub.to_string_lossy()),
Err(e) => {
return Err(format!(
"Could not JSON write public keys to file because {}",
e
));
}
}
Ok(())
}
/// This function uses the functions for hashing to G1 and G2 from
/// curve_arithmetic to generate random looking group elements to
/// create an instance of `ps_sig::PublicKey`.
pub fn generate_ps_pk(n: u32, bytes: &[u8]) -> ps_sig::PublicKey<Bls12> {
let mut ys: Vec<G1> = Vec::with_capacity(n as usize);
let mut y_tildas: Vec<G2> = Vec::with_capacity(n as usize);
let mut g1_element = G1::hash_to_group(bytes).expect("Hashing to curve expected to succeed");
let mut g2_element =
G2::hash_to_group(&to_bytes(&g1_element)).expect("Hashing to curve expected to succeed");
for _ in 0..n {
ys.push(g1_element);
y_tildas.push(g2_element);
g1_element = G1::hash_to_group(&to_bytes(&g2_element))
.expect("Hashing to curve expected to succeed");
g2_element = G2::hash_to_group(&to_bytes(&g1_element))
.expect("Hashing to curve expected to succeed");
}
let x_tilda =
G2::hash_to_group(&to_bytes(&g2_element)).expect("Hashing to curve expected to succeed");
ps_sig::PublicKey {
g: G1::one_point(),
g_tilda: G2::one_point(),
ys,
y_tildas,
x_tilda,
}
}
/// Implements a slight modification of <https://tools.ietf.org/id/draft-irtf-cfrg-vrf-07.html#rfc.section.5.4.1.1>.
/// The difference is that this one does not concatenate the input
/// to Sha512 with the single octet values 0 and 1, and neither does it
/// concatenate with a public key.
pub fn hash_to_ed25519(msg: &[u8]) -> Option<ed25519_dalek::VerifyingKey> {
let mut p_candidate_bytes = [0u8; 32];
let mut h: Sha512 = Sha512::new();
h.update(b"concordium_genesis_ed25519");
h.update(msg);
for ctr in 0..=u8::MAX {
let mut attempt_h = h.clone();
attempt_h.update(ctr.to_le_bytes()); // ctr_string
let hash = attempt_h.finalize();
p_candidate_bytes.copy_from_slice(&hash[..32]);
let p_candidate = CompressedEdwardsY(p_candidate_bytes);
if let Some(ed_point) = p_candidate.decompress() {
// Make sure the point is not of small order, i.e., it will
// not be 0 after multiplying by cofactor.
if !ed_point.is_small_order() {
return Some(
ed25519_dalek::VerifyingKey::from_bytes(
&ed_point.mul_by_cofactor().compress().to_bytes(),
)
.unwrap(),
);
}
}
}
// Each iteration of the loop succeeds with probability about a half,
// so the return below will not happen.
None
}