version 5.3.0 (#13)

Author: anderspkd

CMakeLists.txt

@@ -16,7 +16,7 @@
 
 cmake_minimum_required( VERSION 3.14 )
 
-project( scl VERSION 5.2.0 DESCRIPTION "Secure Computation Library" )
+project( scl VERSION 5.3.0 DESCRIPTION "Secure Computation Library" )
 
 if(NOT CMAKE_BUILD_TYPE)
   set(CMAKE_BUILD_TYPE Release)
@@ -99,6 +99,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Debug")
     test/scl/util/test_sha3.cc
     test/scl/util/test_sha256.cc
     test/scl/util/test_traits.cc
+    test/scl/util/test_ecdsa.cc
 
     test/scl/gf7.cc
     test/scl/math/test_mersenne61.cc

RELEASE.txt

@@ -1,3 +1,13 @@
+5.3.0: ECDSA
+- Added functionality for creating ECDSA signatures.
+
+5.2.0: Protocol environment extensions
+- Make it possible to create "checkpoints" through the protocol environment
+  clock.
+- fix a bug that prevented the documentation from being buildt
+- Rename ProtocolEnvironment to Env, and introduce a typedef for backwards
+  compatability.
+
 5.1.2: Style changes
 - Change naming style of private field members.
 

include/scl/util/iuf_hash.h

@@ -64,6 +64,16 @@ struct IUFHash {
     return Update(data.data(), N);
   }
 
+  /**
+   * @brief Update the hash function with the content of a string.
+   * @param string the string.
+   * @return the updated Hash object.
+   */
+  IUFHash<HashImpl>& Update(std::string_view string) {
+    return Update(reinterpret_cast<const unsigned char*>(string.data()),
+                  string.size());
+  }
+
   /**
    * @brief Finalize and return the digest.
    * @return a digest.

include/scl/util/sign.h

@@ -0,0 +1,170 @@
+/* SCL --- Secure Computation Library
+ * Copyright (C) 2023 Anders Dalskov
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifndef SCL_UTIL_SIGN_H
+#define SCL_UTIL_SIGN_H
+
+#include <memory>
+
+#include "scl/math/curves/secp256k1.h"
+#include "scl/math/ff.h"
+
+namespace scl::util {
+
+/**
+ * @brief A signature for some signature scheme.
+ * @tparam SignatureScheme the signature scheme.
+ */
+template <typename SignatureScheme>
+struct Signature;
+
+class ECDSA;
+
+/**
+ * @brief An ECDSA signature.
+ */
+template <>
+struct Signature<ECDSA> {
+ private:
+  using ElementType = math::FF<math::Secp256k1::Order>;
+
+ public:
+  /**
+   * @brief The size of an ECDSA signature in bytes.
+   */
+  constexpr static std::size_t ByteSize() {
+    return ElementType::ByteSize() * 2;
+  }
+
+  /**
+   * @brief Read an ECDSA signature from a buffer.
+   * @param buf the buffer.
+   * @return an ECDSA signature.
+   */
+  static Signature<ECDSA> Read(const unsigned char* buf) {
+    return {ElementType::Read(buf),
+            ElementType::Read(buf + ElementType::ByteSize())};
+  }
+
+  /**
+   * @brief Write an ECDSA signature to a stream.
+   * @param buf the buffer.
+   */
+  void Write(unsigned char* buf) const {
+    r.Write(buf);
+    s.Write(buf + ElementType::ByteSize());
+  }
+
+  /**
+   * @brief The r part of an ECDSA signature.
+   */
+  ElementType r;
+
+  /**
+   * @brief The s part of an ECDSA signature.
+   */
+  ElementType s;
+};
+
+/**
+ * @brief The ECDSA signature scheme.
+ */
+class ECDSA {
+  using Curve = math::EC<math::Secp256k1>;
+
+ public:
+  /**
+   * @brief Public key type. A curve point.
+   */
+  using PublicKey = Curve;
+
+  /**
+   * @brief Secret key type. An element modulo the order of the curve.
+   */
+  using SecretKey = Curve::Order;
+
+  /**
+   * @brief Derive the public key correspond to a given secret key.
+   * @param secret_key the secret key.
+   * @return A public key.
+   */
+  static PublicKey Derive(const SecretKey& secret_key) {
+    return secret_key * PublicKey::Generator();
+  }
+
+  /**
+   * @brief Sign a message.
+   * @tparam D a digest type.
+   * @param secret_key the secret key for signing.
+   * @param digest the digest to sign.
+   * @param prg a PRG used to select the nonce in the signature.
+   * @return an ECDSA signature.
+   */
+  template <typename D>
+  static Signature<ECDSA> Sign(const SecretKey& secret_key,
+                               const D& digest,
+                               PRG& prg) {
+    const auto k = Curve::Order::Random(prg);
+    const auto R = k * PublicKey::Generator();
+    const auto rx = ConversionFunc(R);
+    const auto h = DigestToElement<Curve::Order>(digest);
+
+    return {rx, k.Inverse() * (h + secret_key * rx)};
+  }
+
+  /**
+   * @brief Verify a signature.
+   * @param public_key the public key of the signer.
+   * @param signature the signature to verify.
+   * @param digest the digest that was signed.
+   * @return true if the signature is valid and false otherwise.
+   */
+  template <typename D>
+  static bool Verify(const PublicKey& public_key,
+                     const Signature<ECDSA>& signature,
+                     const D& digest) {
+    const auto h = DigestToElement<SecretKey>(digest);
+    const auto [r, s] = signature;
+    const auto si = s.Inverse();
+    const auto R1 = (h * si) * Curve::Generator();
+    const auto R2 = (r * si) * public_key;
+    const auto R = R1 + R2;
+    return !R.PointAtInfinity() && ConversionFunc(R) == r;
+  }
+
+ private:
+  template <typename T, typename D>
+  static T DigestToElement(const D& digest) {
+    if (digest.size() < T::ByteSize()) {
+      unsigned char buf[T::ByteSize()] = {0};
+      std::copy(digest.begin(), digest.end(), buf);
+      return T::Read(buf);
+    }
+    return T::Read(digest.data());
+  }
+
+  static Curve::Order ConversionFunc(const PublicKey& R) {
+    const auto rx_f = R.ToAffine()[0];
+    unsigned char rx_bytes[Curve::Field::ByteSize()];
+    rx_f.Write(rx_bytes);
+    return Curve::Order::Read(rx_bytes);
+  }
+};
+
+}  // namespace scl::util
+
+#endif  // SCL_UTIL_SIGN_H

test/scl/simulation/test_event.cc

@@ -32,7 +32,7 @@ std::string ToString(sim::Event* e) {
 
 }  // namespace
 
-TEST_CASE("Event", "[sim]") {
+TEST_CASE("Simulation Event", "[sim]") {
   SECTION("START") {
     sim::Event e(sim::Event::Type::START, util::Time::Duration::zero());
     REQUIRE(ToString(&e) == "START at 0 ms");

test/scl/util/test_ecdsa.cc

@@ -0,0 +1,48 @@
+/* SCL --- Secure Computation Library
+ * Copyright (C) 2023 Anders Dalskov
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <array>
+#include <catch2/catch.hpp>
+
+#include "scl/math/curves/secp256k1.h"
+#include "scl/util/hash.h"
+#include "scl/util/sign.h"
+
+using namespace scl;
+
+TEST_CASE("ECDSA derive", "[util]") {
+  auto prg = util::PRG::Create("ecdsa derive");
+  const auto sk = util::ECDSA::SecretKey::Random(prg);
+  const auto pk = util::ECDSA::Derive(sk);
+  REQUIRE(pk == sk * math::EC<math::Secp256k1>::Generator());
+}
+
+TEST_CASE("ECDSA sign", "[util]") {
+  auto prg = util::PRG::Create("ecdsa sign");
+  const auto m = util::Hash<256>{}.Update("message").Finalize();
+  const auto sk = util::ECDSA::SecretKey::Random(prg);
+  const auto sig = util::ECDSA::Sign(sk, m, prg);
+
+  const auto pk = util::ECDSA::Derive(sk);
+  REQUIRE(util::ECDSA::Verify(pk, sig, m));
+
+  const std::array<unsigned char, 3> m_small = {1, 2, 3};
+  const auto sig_small = util::ECDSA::Sign(sk, m_small, prg);
+  REQUIRE(util::ECDSA::Verify(pk, sig_small, m_small));
+
+  REQUIRE_FALSE(util::ECDSA::Verify(pk, sig_small, m));
+}