abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
d72866b28eddb7be390e3b43ab53394c9135bb8a
GmSSL/src/sm2_blind.c
Zhi Guan d72866b28e Update SM2 Blind Signature
2022-11-02 21:40:10 +08:00

249 lines
5.6 KiB
C
Raw Blame History

/*
* Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
#include <gmssl/sm2.h>
#include <gmssl/mem.h>
#include <gmssl/asn1.h>
#include <gmssl/error.h>
#include <gmssl/sm2_blind.h>
int sm2_blind_sign_commit(SM2_Fn k, uint8_t *commit, size_t *commitlen)
{
SM2_POINT K;
uint8_t k_bytes[32];
sm2_fn_rand(k); // FIXME: check return
sm2_bn_to_bytes(k, k_bytes);
// commitment = k * G
sm2_point_mul_generator(&K, k_bytes);
sm2_point_to_compressed_octets(&K, commit);
*commitlen = 33;
gmssl_secure_clear(k_bytes, sizeof(k_bytes));
return 1;
}
int sm2_blind_sign_init(SM2_BLIND_SIGN_CTX *ctx, const SM2_KEY *public_key, const char *id, size_t idlen)
{
ctx->public_key = *public_key;
sm3_init(&ctx->sm3_ctx);
if (id) {
uint8_t z[SM3_DIGEST_SIZE];
if (idlen <= 0 || idlen > SM2_MAX_ID_LENGTH) {
error_print();
return -1;
}
sm2_compute_z(z, &public_key->public_key, id, idlen);
sm3_update(&ctx->sm3_ctx, z, sizeof(z));
}
return 1;
}
int sm2_blind_sign_update(SM2_BLIND_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
{
if (!ctx) {
error_print();
return -1;
}
if (data && datalen > 0) {
sm3_update(&ctx->sm3_ctx, data, datalen);
}
return 1;
}
int sm2_blind_sign_finish(SM2_BLIND_SIGN_CTX *ctx,
const uint8_t *commit, size_t commitlen,
uint8_t blinded_sig_r[32])
{
int ret = -1;
SM2_Fn a;
SM2_Fn b;
SM2_POINT K;
SM2_Fn e;
SM2_Fn r;
uint8_t dgst[32];
sm3_finish(&ctx->sm3_ctx, dgst);
sm2_bn_from_bytes(e, dgst);
if (sm2_bn_cmp(e, SM2_N) >= 0) {
sm2_bn_sub(e, e, SM2_N);
}
//FIXME: return value of sm2_fn_rand()
sm2_fn_rand(a);
sm2_bn_to_bytes(a, ctx->blind_factor_a);
sm2_fn_rand(b);
sm2_bn_to_bytes(b, ctx->blind_factor_b);
if (sm2_point_from_octets(&K, commit, commitlen) != 1) {
error_print();
goto end;
}
// K'(x1, y1) = a * K + b * G
if (sm2_point_mul_sum(&K, ctx->blind_factor_a, &K, ctx->blind_factor_b) != 1) {
error_print();
goto end;
}
sm2_bn_from_bytes(r, K.x);
if (sm2_bn_cmp(r, SM2_N) >= 0) {
sm2_bn_sub(r, r, SM2_N);
}
// r = x1 + e (mod n)
sm2_fn_add(r, r, e);
sm2_bn_to_bytes(r, ctx->sig_r);
// r' = a^-1 * (r + b)
sm2_fn_add(r, r, b);
sm2_fn_inv(a, a);
sm2_fn_mul(r, r, a);
sm2_bn_to_bytes(r, blinded_sig_r);
ret = 1;
end:
gmssl_secure_clear(a, sizeof(a));
gmssl_secure_clear(b, sizeof(b));
return ret;
}
int sm2_blind_sign(const SM2_KEY *key, const SM2_Fn k, const uint8_t blinded_r[32], uint8_t blinded_s[32])
{
SM2_Fn x;
SM2_Fn r;
SM2_Fn s;
sm2_bn_from_bytes(x, key->private_key);
sm2_bn_from_bytes(r, blinded_r);
// s = (1 + x)^-1 * (k - r * x) (mod n)
sm2_fn_mul(r, r, x);
sm2_fn_sub(s, k, r);
sm2_fn_add(x, x, SM2_ONE);
sm2_fn_inv(x, x);
sm2_fn_mul(s, s, x);
sm2_bn_to_bytes(s, blinded_s);
gmssl_secure_clear(x, sizeof(x));
gmssl_secure_clear(r, sizeof(r));
gmssl_secure_clear(s, sizeof(s));
return 1;
}
int sm2_blind_sign_unblind(SM2_BLIND_SIGN_CTX *ctx, const uint8_t blinded_sig_s[32], uint8_t *sig, size_t *siglen)
{
SM2_Fn a;
SM2_Fn b;
SM2_Fn s;
SM2_SIGNATURE signature;
sm2_bn_from_bytes(a, ctx->blind_factor_a);
sm2_bn_from_bytes(b, ctx->blind_factor_b);
sm2_bn_from_bytes(s, blinded_sig_s);
// s = a * s' + b
sm2_fn_mul(s, s, a);
sm2_fn_add(s, s, b);
memcpy(signature.r, ctx->sig_r, 32);
sm2_bn_to_bytes(s, signature.s);
*siglen = 0;
sm2_signature_to_der(&signature, &sig, siglen);
gmssl_secure_clear(a, sizeof(a));
gmssl_secure_clear(b, sizeof(b));
gmssl_secure_clear(ctx, sizeof(*ctx));
return 1;
}
int test_sm2_blind_sign(void)
{
int r = -1;
// signer
SM2_KEY key;
SM2_Fn k;
uint8_t commit[65];
size_t commitlen;
// caller
SM2_KEY public_key;
SM2_BLIND_SIGN_CTX sign_ctx;
uint8_t msg[128] = {0};
uint8_t blinded_sig_s[32];
uint8_t blinded_sig_r[32];
uint8_t sig[128];
size_t siglen;
// verifier
SM2_SIGN_CTX verify_ctx;
// signer
if (sm2_key_generate(&key) != 1
|| sm2_key_set_public_key(&public_key, &key.public_key) != 1) {
error_print();
goto end;
}
if (sm2_blind_sign_commit(k, commit, &commitlen) != 1) {
error_print();
return -1;
}
format_bytes(stderr, 0, 0, "signer: commitment", commit, commitlen);
// caller
if (sm2_blind_sign_init(&sign_ctx, &public_key,
SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) != 1
|| sm2_blind_sign_update(&sign_ctx, msg, 32) != 1
|| sm2_blind_sign_update(&sign_ctx, msg + 32, 32) != 1
|| sm2_blind_sign_update(&sign_ctx, msg + 64, 64) != 1
|| sm2_blind_sign_finish(&sign_ctx, commit, commitlen, blinded_sig_r) != 1) {
error_print();
goto end;
}
format_bytes(stderr, 0, 0, "caller: blinded_sig_r", blinded_sig_r, sizeof(blinded_sig_r));
// signer
if (sm2_blind_sign(&key, k, blinded_sig_r, blinded_sig_s) != 1) {
error_print();
goto end;
}
format_bytes(stderr, 0, 0, "signer: blinded_sig_s", blinded_sig_s, sizeof(blinded_sig_s));
// caller
if (sm2_blind_sign_unblind(&sign_ctx, blinded_sig_s, sig, &siglen) != 1) {
error_print();
goto end;
}
format_bytes(stderr, 0, 0, "caller: unblinded_sig", sig, siglen);
// verifier
if (sm2_verify_init(&verify_ctx, &public_key,
SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) != 1
|| sm2_verify_update(&verify_ctx, msg, sizeof(msg)) != 1
|| (r = sm2_verify_finish(&verify_ctx, sig, siglen)) < 0) {
error_print();
goto end;
}
format_print(stderr, 0, 0, "verifier: %s\n", r == 1 ? "success" : "failure");
end:
gmssl_secure_clear(&key, sizeof(key));
gmssl_secure_clear(&sign_ctx, sizeof(sign_ctx));
return r;
}
Reference in New Issue View Git Blame Copy Permalink