sonr/crypto/signatures/bbs/secret_key.go

//
// Copyright Coinbase, Inc. All Rights Reserved.
//
// SPDX-License-Identifier: Apache-2.0
//

package bbs

import (
	crand "crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"

	"golang.org/x/crypto/hkdf"
	"golang.org/x/crypto/sha3"

	"github.com/onsonr/sonr/crypto/core/curves"
)

// SecretKey is a BBS+ signing key
type SecretKey struct {
	value curves.PairingScalar
}

func NewSecretKey(curve *curves.PairingCurve) (*SecretKey, error) {
	// The salt used with generating secret keys
	// See section 2.3 from https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04
	const hkdfKeyGenSalt = "BLS-SIG-KEYGEN-SALT-"
	const Size = 33
	var ikm [Size]byte
	cnt, err := crand.Read(ikm[:32])
	if err != nil {
		return nil, err
	}
	if cnt != Size-1 {
		return nil, fmt.Errorf("unable to read sufficient random data")
	}

	// https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04#section-2.3
	h := sha256.New()
	n, err := h.Write([]byte(hkdfKeyGenSalt))
	if err != nil {
		return nil, err
	}
	if n != len(hkdfKeyGenSalt) {
		return nil, fmt.Errorf("incorrect salt bytes written to be hashed")
	}
	salt := h.Sum(nil)

	// Leaves key_info parameter as the default empty string
	// and just adds parameter I2OSP(L, 2)
	kdf := hkdf.New(sha256.New, ikm[:], salt, []byte{0, 48})
	var okm [64]byte
	read, err := kdf.Read(okm[:48])
	if err != nil {
		return nil, err
	}
	if read != 48 {
		return nil, fmt.Errorf("failed to create secret key")
	}
	v, err := curve.Scalar.SetBytesWide(okm[:])
	if err != nil {
		return nil, err
	}
	value, ok := v.(curves.PairingScalar)
	if !ok {
		return nil, fmt.Errorf("invalid scalar")
	}
	return &SecretKey{
		value: value.SetPoint(curve.PointG2),
	}, nil
}

func NewKeys(curve *curves.PairingCurve) (*PublicKey, *SecretKey, error) {
	sk, err := NewSecretKey(curve)
	if err != nil {
		return nil, nil, err
	}
	return sk.PublicKey(), sk, nil
}

func (sk *SecretKey) Init(curve *curves.PairingCurve) *SecretKey {
	sk.value = curve.NewScalar()
	return sk
}

func (sk SecretKey) MarshalBinary() ([]byte, error) {
	return sk.value.Bytes(), nil
}

func (sk *SecretKey) UnmarshalBinary(in []byte) error {
	value, err := sk.value.SetBytes(in)
	if err != nil {
		return err
	}
	var ok bool
	sk.value, ok = value.(curves.PairingScalar)
	if !ok {
		return errors.New("incorrect type conversion")
	}
	return nil
}

// Sign generates a new signature where all messages are known to the signer
func (sk *SecretKey) Sign(generators *MessageGenerators, msgs []curves.Scalar) (*Signature, error) {
	if generators.length < len(msgs) {
		return nil, fmt.Errorf("not enough message generators")
	}
	if len(msgs) < 1 {
		return nil, fmt.Errorf("invalid messages")
	}
	if sk.value.IsZero() {
		return nil, fmt.Errorf("invalid secret key")
	}

	drbg := sha3.NewShake256()
	_, _ = drbg.Write(sk.value.Bytes())
	addDeterministicNonceData(generators, msgs, drbg)
	// Should yield non-zero values for `e` and `s`, very small likelihood of being zero
	e := getNonZeroScalar(sk.value, drbg)
	s := getNonZeroScalar(sk.value, drbg)
	b := computeB(s, msgs, generators)
	exp, err := e.Add(sk.value).Invert()
	if err != nil {
		return nil, err
	}
	return &Signature{
		a: b.Mul(exp).(curves.PairingPoint),
		e: e,
		s: s,
	}, nil
}

// PublicKey returns the corresponding public key
func (sk *SecretKey) PublicKey() *PublicKey {
	return &PublicKey{
		value: sk.value.Point().Generator().Mul(sk.value).(curves.PairingPoint),
	}
}

// computes g1 + s * h0 + msgs[0] * h[0] + msgs[1] * h[1] ...
func computeB(s curves.Scalar, msgs []curves.Scalar, generators *MessageGenerators) curves.PairingPoint {
	nMsgs := len(msgs)
	points := make([]curves.Point, nMsgs+2)
	points[1] = generators.Get(0)
	points[0] = points[1].Generator()

	scalars := make([]curves.Scalar, nMsgs+2)
	scalars[0] = msgs[0].One()
	scalars[1] = s
	for i, m := range msgs {
		points[i+2] = generators.Get(i + 1)
		scalars[i+2] = m
	}
	pt := points[0].SumOfProducts(points, scalars)
	return pt.(curves.PairingPoint)
}

func addDeterministicNonceData(generators *MessageGenerators, msgs []curves.Scalar, drbg io.Writer) {
	for i := 0; i <= generators.length; i++ {
		_, _ = drbg.Write(generators.Get(i).ToAffineUncompressed())
	}
	for _, m := range msgs {
		_, _ = drbg.Write(m.Bytes())
	}
}

func getNonZeroScalar(sc curves.Scalar, reader io.Reader) curves.Scalar {
	// Should yield non-zero values for `e` and `s`, very small likelihood of being zero
	e := sc.Random(reader)
	for e.IsZero() {
		e = sc.Random(reader)
	}
	return e
}
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`//`
			`// Copyright Coinbase, Inc. All Rights Reserved.`
			`//`
			`// SPDX-License-Identifier: Apache-2.0`
			`//`

			`package bbs`

			`import (`
			`crand "crypto/rand"`
			`"crypto/sha256"`
			`"errors"`
			`"fmt"`
			`"io"`

			`"golang.org/x/crypto/hkdf"`
			`"golang.org/x/crypto/sha3"`

feature/1121 implement ucan validation (#1176) - refactor: remove unused auth components - refactor: improve devbox configuration and deployment process - refactor: improve devnet and testnet setup - fix: update templ version to v0.2.778 - refactor: rename pkl/net.matrix to pkl/matrix.net - refactor: migrate webapp components to nebula - refactor: protobuf types - chore: update dependencies for improved security and stability - feat: implement landing page and vault gateway servers - refactor: Migrate data models to new module structure and update related files - feature/1121-implement-ucan-validation - refactor: Replace hardcoded constants with model types in attns.go - feature/1121-implement-ucan-validation - chore: add origin Host struct and update main function to handle multiple hosts - build: remove unused static files from dwn module - build: remove unused static files from dwn module - refactor: Move DWN models to common package - refactor: move models to pkg/common - refactor: move vault web app assets to embed module - refactor: update session middleware import path - chore: configure port labels and auto-forwarding behavior - feat: enhance devcontainer configuration - feat: Add UCAN middleware for Echo with flexible token validation - feat: add JWT middleware for UCAN authentication - refactor: update package URI and versioning in PklProject files - fix: correct sonr.pkl import path - refactor: move JWT related code to auth package - feat: introduce vault configuration retrieval and management - refactor: Move vault components to gateway module and update file paths - refactor: remove Dexie and SQLite database implementations - feat: enhance frontend with PWA features and WASM integration - feat: add Devbox features and streamline Dockerfile - chore: update dependencies to include TigerBeetle - chore(deps): update go version to 1.23 - feat: enhance devnet setup with PATH environment variable and updated PWA manifest - fix: upgrade tigerbeetle-go dependency and remove indirect dependency - feat: add PostgreSQL support to devnet and testnet deployments - refactor: rename keyshare cookie to token cookie - feat: upgrade Go version to 1.23.3 and update dependencies - refactor: update devnet and testnet configurations - feat: add IPFS configuration for devnet - I'll help you update the ipfs.config.pkl to include all the peers from the shell script. Here's the updated configuration: - refactor: move mpc package to crypto directory - feat: add BIP32 support for various cryptocurrencies - feat: enhance ATN.pkl with additional capabilities - refactor: simplify smart account and vault attenuation creation - feat: add new capabilities to the Attenuation type - refactor: Rename MPC files for clarity and consistency - feat: add DIDKey support for cryptographic operations - feat: add devnet and testnet deployment configurations - fix: correct key derivation in bip32 package - refactor: rename crypto/bip32 package to crypto/accaddr - fix: remove duplicate indirect dependency - refactor: move vault package to root directory - refactor: update routes for gateway and vault - refactor: remove obsolete web configuration file - refactor: remove unused TigerBeetle imports and update host configuration - refactor: adjust styles directory path - feat: add broadcastTx and simulateTx functions to gateway - feat: add PinVault handler 2024-12-02 14:27:18 -05:00			`"github.com/onsonr/sonr/crypto/core/curves"`
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`)`

			`// SecretKey is a BBS+ signing key`
			`type SecretKey struct {`
			`value curves.PairingScalar`
			`}`

			`func NewSecretKey(curve curves.PairingCurve) (SecretKey, error) {`
			`// The salt used with generating secret keys`
			`// See section 2.3 from https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04`
			`const hkdfKeyGenSalt = "BLS-SIG-KEYGEN-SALT-"`
			`const Size = 33`
			`var ikm [Size]byte`
			`cnt, err := crand.Read(ikm[:32])`
			`if err != nil {`
			`return nil, err`
			`}`
			`if cnt != Size-1 {`
			`return nil, fmt.Errorf("unable to read sufficient random data")`
			`}`

			`// https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04#section-2.3`
			`h := sha256.New()`
			`n, err := h.Write([]byte(hkdfKeyGenSalt))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if n != len(hkdfKeyGenSalt) {`
			`return nil, fmt.Errorf("incorrect salt bytes written to be hashed")`
			`}`
			`salt := h.Sum(nil)`

			`// Leaves key_info parameter as the default empty string`
			`// and just adds parameter I2OSP(L, 2)`
			`kdf := hkdf.New(sha256.New, ikm[:], salt, []byte{0, 48})`
			`var okm [64]byte`
			`read, err := kdf.Read(okm[:48])`
			`if err != nil {`
			`return nil, err`
			`}`
			`if read != 48 {`
			`return nil, fmt.Errorf("failed to create secret key")`
			`}`
			`v, err := curve.Scalar.SetBytesWide(okm[:])`
			`if err != nil {`
			`return nil, err`
			`}`
			`value, ok := v.(curves.PairingScalar)`
			`if !ok {`
			`return nil, fmt.Errorf("invalid scalar")`
			`}`
			`return &SecretKey{`
			`value: value.SetPoint(curve.PointG2),`
			`}, nil`
			`}`

			`func NewKeys(curve curves.PairingCurve) (PublicKey, *SecretKey, error) {`
			`sk, err := NewSecretKey(curve)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`return sk.PublicKey(), sk, nil`
			`}`

			`func (sk SecretKey) Init(curve curves.PairingCurve) *SecretKey {`
			`sk.value = curve.NewScalar()`
			`return sk`
			`}`

			`func (sk SecretKey) MarshalBinary() ([]byte, error) {`
			`return sk.value.Bytes(), nil`
			`}`

			`func (sk *SecretKey) UnmarshalBinary(in []byte) error {`
			`value, err := sk.value.SetBytes(in)`
			`if err != nil {`
			`return err`
			`}`
			`var ok bool`
			`sk.value, ok = value.(curves.PairingScalar)`
			`if !ok {`
			`return errors.New("incorrect type conversion")`
			`}`
			`return nil`
			`}`

			`// Sign generates a new signature where all messages are known to the signer`
			`func (sk SecretKey) Sign(generators MessageGenerators, msgs []curves.Scalar) (*Signature, error) {`
			`if generators.length < len(msgs) {`
			`return nil, fmt.Errorf("not enough message generators")`
			`}`
			`if len(msgs) < 1 {`
			`return nil, fmt.Errorf("invalid messages")`
			`}`
			`if sk.value.IsZero() {`
			`return nil, fmt.Errorf("invalid secret key")`
			`}`

			`drbg := sha3.NewShake256()`
			`_, _ = drbg.Write(sk.value.Bytes())`
			`addDeterministicNonceData(generators, msgs, drbg)`
			// Should yield non-zero values for `e` and `s`, very small likelihood of being zero
			`e := getNonZeroScalar(sk.value, drbg)`
			`s := getNonZeroScalar(sk.value, drbg)`
			`b := computeB(s, msgs, generators)`
			`exp, err := e.Add(sk.value).Invert()`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &Signature{`
			`a: b.Mul(exp).(curves.PairingPoint),`
			`e: e,`
			`s: s,`
			`}, nil`
			`}`

			`// PublicKey returns the corresponding public key`
			`func (sk SecretKey) PublicKey() PublicKey {`
			`return &PublicKey{`
			`value: sk.value.Point().Generator().Mul(sk.value).(curves.PairingPoint),`
			`}`
			`}`

			`// computes g1 + s * h0 + msgs[0] * h[0] + msgs[1] * h[1] ...`
			`func computeB(s curves.Scalar, msgs []curves.Scalar, generators *MessageGenerators) curves.PairingPoint {`
			`nMsgs := len(msgs)`
			`points := make([]curves.Point, nMsgs+2)`
			`points[1] = generators.Get(0)`
			`points[0] = points[1].Generator()`

			`scalars := make([]curves.Scalar, nMsgs+2)`
			`scalars[0] = msgs[0].One()`
			`scalars[1] = s`
			`for i, m := range msgs {`
			`points[i+2] = generators.Get(i + 1)`
			`scalars[i+2] = m`
			`}`
			`pt := points[0].SumOfProducts(points, scalars)`
			`return pt.(curves.PairingPoint)`
			`}`

			`func addDeterministicNonceData(generators *MessageGenerators, msgs []curves.Scalar, drbg io.Writer) {`
			`for i := 0; i <= generators.length; i++ {`
			`_, _ = drbg.Write(generators.Get(i).ToAffineUncompressed())`
			`}`
			`for _, m := range msgs {`
			`_, _ = drbg.Write(m.Bytes())`
			`}`
			`}`

			`func getNonZeroScalar(sc curves.Scalar, reader io.Reader) curves.Scalar {`
			// Should yield non-zero values for `e` and `s`, very small likelihood of being zero
			`e := sc.Random(reader)`
			`for e.IsZero() {`
			`e = sc.Random(reader)`
			`}`
			`return e`
			`}`