├── LICENSE ├── README.md ├── bench_test.go ├── benchmarks.md ├── examples └── main.go ├── go.mod ├── go.sum ├── helpers.go ├── helpers_test.go ├── ring.go ├── ring_test.go ├── serde.go ├── serde_test.go └── types.go /LICENSE: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 46 | 47 | 2. Conveying Modified Versions. 48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ring-go 2 | Implementation of linkable ring signatures using elliptic curve crypto in pure Go. It supports ring signatures over both ed25519 and secp256k1. 3 | 4 | ### requirements 5 | go 1.19 6 | 7 | ### get 8 | `go get github.com/noot/ring-go` 9 | 10 | ### references 11 | This implementation is based off of [Ring Confidential Transactions](https://eprint.iacr.org/2015/1098.pdf), in particular section 2, which defines MLSAG (Multilayered Linkable Spontaneous Anonymous Group signatures). 12 | 13 | ### usage 14 | 15 | See `examples/main.go`. 16 | 17 | ```go 18 | package main 19 | 20 | import ( 21 | "fmt" 22 | 23 | ring "github.com/noot/ring-go" 24 | "golang.org/x/crypto/sha3" 25 | ) 26 | 27 | func signAndVerify(curve ring.Curve) { 28 | privkey := curve.NewRandomScalar() 29 | msgHash := sha3.Sum256([]byte("helloworld")) 30 | 31 | // size of the public key ring (anonymity set) 32 | const size = 16 33 | 34 | // our key's secret index within the set 35 | const idx = 7 36 | 37 | keyring, err := ring.NewKeyRing(curve, size, privkey, idx) 38 | if err != nil { 39 | panic(err) 40 | } 41 | 42 | sig, err := keyring.Sign(msgHash, privkey) 43 | if err != nil { 44 | panic(err) 45 | } 46 | 47 | ok := sig.Verify(msgHash) 48 | if !ok { 49 | fmt.Println("failed to verify :(") 50 | return 51 | } 52 | 53 | fmt.Println("verified signature!") 54 | } 55 | 56 | func main() { 57 | fmt.Println("using secp256k1...") 58 | signAndVerify(ring.Secp256k1()) 59 | fmt.Println("using ed25519...") 60 | signAndVerify(ring.Ed25519()) 61 | } 62 | ``` 63 | -------------------------------------------------------------------------------- /bench_test.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/athanorlabs/go-dleq/types" 7 | ) 8 | 9 | const idx = 0 10 | 11 | func benchmarkSign(b *testing.B, curve types.Curve, keyring *Ring, privkey types.Scalar, size, idx int) { 12 | for i := 0; i < b.N; i++ { 13 | _, err := keyring.Sign(testMsg, privkey) 14 | if err != nil { 15 | panic(err) 16 | } 17 | } 18 | } 19 | 20 | func mustKeyRing(curve types.Curve, privkey types.Scalar, size, idx int) *Ring { 21 | keyring, err := NewKeyRing(curve, size, privkey, idx) 22 | if err != nil { 23 | panic(err) 24 | } 25 | return keyring 26 | } 27 | 28 | func BenchmarkSign2_Secp256k1(b *testing.B) { 29 | const size = 2 30 | curve := Secp256k1() 31 | privkey := curve.NewRandomScalar() 32 | keyring := mustKeyRing(curve, privkey, size, idx) 33 | benchmarkSign(b, curve, keyring, privkey, size, idx) 34 | } 35 | 36 | func BenchmarkSign4_Secp256k1(b *testing.B) { 37 | const size = 4 38 | curve := Secp256k1() 39 | privkey := curve.NewRandomScalar() 40 | keyring := mustKeyRing(curve, privkey, size, idx) 41 | benchmarkSign(b, curve, keyring, privkey, size, idx) 42 | } 43 | 44 | func BenchmarkSign8_Secp256k1(b *testing.B) { 45 | const size = 8 46 | curve := Secp256k1() 47 | privkey := curve.NewRandomScalar() 48 | keyring := mustKeyRing(curve, privkey, size, idx) 49 | benchmarkSign(b, curve, keyring, privkey, size, idx) 50 | } 51 | 52 | func BenchmarkSign16_Secp256k1(b *testing.B) { 53 | const size = 16 54 | curve := Secp256k1() 55 | privkey := curve.NewRandomScalar() 56 | keyring := mustKeyRing(curve, privkey, size, idx) 57 | benchmarkSign(b, curve, keyring, privkey, size, idx) 58 | } 59 | 60 | func BenchmarkSign32_Secp256k1(b *testing.B) { 61 | const size = 32 62 | curve := Secp256k1() 63 | privkey := curve.NewRandomScalar() 64 | keyring := mustKeyRing(curve, privkey, size, idx) 65 | benchmarkSign(b, curve, keyring, privkey, size, idx) 66 | } 67 | 68 | func BenchmarkSign64_Secp256k1(b *testing.B) { 69 | const size = 64 70 | curve := Secp256k1() 71 | privkey := curve.NewRandomScalar() 72 | keyring := mustKeyRing(curve, privkey, size, idx) 73 | benchmarkSign(b, curve, keyring, privkey, size, idx) 74 | } 75 | 76 | func BenchmarkSign128_Secp256k1(b *testing.B) { 77 | const size = 128 78 | curve := Secp256k1() 79 | privkey := curve.NewRandomScalar() 80 | keyring := mustKeyRing(curve, privkey, size, idx) 81 | benchmarkSign(b, curve, keyring, privkey, size, idx) 82 | } 83 | 84 | func BenchmarkSign2_Ed25519(b *testing.B) { 85 | const size = 2 86 | curve := Ed25519() 87 | privkey := curve.NewRandomScalar() 88 | keyring := mustKeyRing(curve, privkey, size, idx) 89 | benchmarkSign(b, curve, keyring, privkey, size, idx) 90 | } 91 | 92 | func BenchmarkSign4_Ed25519(b *testing.B) { 93 | const size = 4 94 | curve := Ed25519() 95 | privkey := curve.NewRandomScalar() 96 | keyring := mustKeyRing(curve, privkey, size, idx) 97 | benchmarkSign(b, curve, keyring, privkey, size, idx) 98 | } 99 | 100 | func BenchmarkSign8_Ed25519(b *testing.B) { 101 | const size = 8 102 | curve := Ed25519() 103 | privkey := curve.NewRandomScalar() 104 | keyring := mustKeyRing(curve, privkey, size, idx) 105 | benchmarkSign(b, curve, keyring, privkey, size, idx) 106 | } 107 | 108 | func BenchmarkSign16_Ed25519(b *testing.B) { 109 | const size = 16 110 | curve := Ed25519() 111 | privkey := curve.NewRandomScalar() 112 | keyring := mustKeyRing(curve, privkey, size, idx) 113 | benchmarkSign(b, curve, keyring, privkey, size, idx) 114 | } 115 | 116 | func BenchmarkSign32_Ed25519(b *testing.B) { 117 | const size = 32 118 | curve := Ed25519() 119 | privkey := curve.NewRandomScalar() 120 | keyring := mustKeyRing(curve, privkey, size, idx) 121 | benchmarkSign(b, curve, keyring, privkey, size, idx) 122 | } 123 | 124 | func BenchmarkSign64_Ed25519(b *testing.B) { 125 | const size = 64 126 | curve := Ed25519() 127 | privkey := curve.NewRandomScalar() 128 | keyring := mustKeyRing(curve, privkey, size, idx) 129 | benchmarkSign(b, curve, keyring, privkey, size, idx) 130 | } 131 | 132 | func BenchmarkSign128_Ed25519(b *testing.B) { 133 | const size = 128 134 | curve := Ed25519() 135 | privkey := curve.NewRandomScalar() 136 | keyring := mustKeyRing(curve, privkey, size, idx) 137 | benchmarkSign(b, curve, keyring, privkey, size, idx) 138 | } 139 | 140 | func benchmarkVerify(b *testing.B, sig *RingSig) { 141 | for i := 0; i < b.N; i++ { 142 | ok := sig.Verify(testMsg) 143 | if !ok { 144 | panic("did not verify signature") 145 | } 146 | } 147 | } 148 | 149 | func mustSig(curve types.Curve, size int) *RingSig { 150 | privkey := curve.NewRandomScalar() 151 | keyring := mustKeyRing(curve, privkey, size, idx) 152 | 153 | sig, err := keyring.Sign(testMsg, privkey) 154 | if err != nil { 155 | panic(err) 156 | } 157 | 158 | return sig 159 | } 160 | 161 | func BenchmarkVerify2_Secp256k1(b *testing.B) { 162 | const size = 2 163 | curve := Secp256k1() 164 | sig := mustSig(curve, size) 165 | benchmarkVerify(b, sig) 166 | } 167 | 168 | func BenchmarkVerify4_Secp256k1(b *testing.B) { 169 | const size = 4 170 | curve := Secp256k1() 171 | sig := mustSig(curve, size) 172 | benchmarkVerify(b, sig) 173 | } 174 | 175 | func BenchmarkVerify8_Secp256k1(b *testing.B) { 176 | const size = 8 177 | curve := Secp256k1() 178 | sig := mustSig(curve, size) 179 | benchmarkVerify(b, sig) 180 | } 181 | 182 | func BenchmarkVerify16_Secp256k1(b *testing.B) { 183 | const size = 16 184 | curve := Secp256k1() 185 | sig := mustSig(curve, size) 186 | benchmarkVerify(b, sig) 187 | } 188 | 189 | func BenchmarkVerify32_Secp256k1(b *testing.B) { 190 | const size = 32 191 | curve := Secp256k1() 192 | sig := mustSig(curve, size) 193 | benchmarkVerify(b, sig) 194 | } 195 | 196 | func BenchmarkVerify64_Secp256k1(b *testing.B) { 197 | const size = 64 198 | curve := Secp256k1() 199 | sig := mustSig(curve, size) 200 | benchmarkVerify(b, sig) 201 | } 202 | 203 | func BenchmarkVerify128_Secp256k1(b *testing.B) { 204 | const size = 128 205 | curve := Secp256k1() 206 | sig := mustSig(curve, size) 207 | benchmarkVerify(b, sig) 208 | } 209 | 210 | func BenchmarkVerify2_Ed25519(b *testing.B) { 211 | const size = 2 212 | curve := Ed25519() 213 | sig := mustSig(curve, size) 214 | benchmarkVerify(b, sig) 215 | } 216 | 217 | func BenchmarkVerify4_Ed25519(b *testing.B) { 218 | const size = 4 219 | curve := Ed25519() 220 | sig := mustSig(curve, size) 221 | benchmarkVerify(b, sig) 222 | } 223 | 224 | func BenchmarkVerify8_Ed25519(b *testing.B) { 225 | const size = 8 226 | curve := Ed25519() 227 | sig := mustSig(curve, size) 228 | benchmarkVerify(b, sig) 229 | } 230 | 231 | func BenchmarkVerify16_Ed25519(b *testing.B) { 232 | const size = 16 233 | curve := Ed25519() 234 | sig := mustSig(curve, size) 235 | benchmarkVerify(b, sig) 236 | } 237 | 238 | func BenchmarkVerify32_Ed25519(b *testing.B) { 239 | const size = 32 240 | curve := Ed25519() 241 | sig := mustSig(curve, size) 242 | benchmarkVerify(b, sig) 243 | } 244 | 245 | func BenchmarkVerify64_Ed25519(b *testing.B) { 246 | const size = 64 247 | curve := Ed25519() 248 | sig := mustSig(curve, size) 249 | benchmarkVerify(b, sig) 250 | } 251 | 252 | func BenchmarkVerify128_Ed25519(b *testing.B) { 253 | const size = 128 254 | curve := Ed25519() 255 | sig := mustSig(curve, size) 256 | benchmarkVerify(b, sig) 257 | } 258 | -------------------------------------------------------------------------------- /benchmarks.md: -------------------------------------------------------------------------------- 1 | # Benchmarks 2 | 3 | The current library benchmarks for signing and verification are located below. For ring signatures, the signing and verification time are linearly proportional to the number of members of the ring (or "anonymity set"), which is what's observed. 4 | 5 | > Note: the number directly after `BenchmarkSign` or `BenchmarkVerify` in the test name is the ring size being benchmarked. 6 | 7 | > Note: the ns/op value on the right is the time it took for signing or verification (depending on the test). The middle value is the number of times the operation was executed by the Go benchmarker. 8 | 9 | Summary: 10 | - secp256k1 signing and verification is around 0.41ms per ring member 11 | - ed25519 signing and verification is around is around 0.12ms per ring member 12 | 13 | ``` 14 | goos: linux 15 | goarch: amd64 16 | pkg: github.com/noot/ring-go 17 | cpu: 12th Gen Intel(R) Core(TM) i7-1280P 18 | 19 | BenchmarkSign2_Secp256k1-20 1075 1113687 ns/op 20 | BenchmarkSign4_Secp256k1-20 651 1832647 ns/op 21 | BenchmarkSign8_Secp256k1-20 334 3389785 ns/op 22 | BenchmarkSign16_Secp256k1-20 184 6279636 ns/op 23 | BenchmarkSign32_Secp256k1-20 86 12556732 ns/op 24 | BenchmarkSign64_Secp256k1-20 44 24592647 ns/op 25 | BenchmarkSign128_Secp256k1-20 21 47949180 ns/op 26 | 27 | BenchmarkSign2_Ed25519-20 3184 338455 ns/op 28 | BenchmarkSign4_Ed25519-20 2102 561543 ns/op 29 | BenchmarkSign8_Ed25519-20 1141 1024334 ns/op 30 | BenchmarkSign16_Ed25519-20 601 1959393 ns/op 31 | BenchmarkSign32_Ed25519-20 312 3812862 ns/op 32 | BenchmarkSign64_Ed25519-20 158 7554431 ns/op 33 | BenchmarkSign128_Ed25519-20 72 15137610 ns/op 34 | 35 | BenchmarkVerify2_Secp256k1-20 1647 759506 ns/op 36 | BenchmarkVerify4_Secp256k1-20 788 1507848 ns/op 37 | BenchmarkVerify8_Secp256k1-20 391 3060683 ns/op 38 | BenchmarkVerify16_Secp256k1-20 193 6173042 ns/op 39 | BenchmarkVerify32_Secp256k1-20 93 12352394 ns/op 40 | BenchmarkVerify64_Secp256k1-20 45 25246452 ns/op 41 | BenchmarkVerify128_Secp256k1-20 21 51882164 ns/op 42 | 43 | BenchmarkVerify2_Ed25519-20 4797 238406 ns/op 44 | BenchmarkVerify4_Ed25519-20 2349 457389 ns/op 45 | BenchmarkVerify8_Ed25519-20 1244 932592 ns/op 46 | BenchmarkVerify16_Ed25519-20 636 1823156 ns/op 47 | BenchmarkVerify32_Ed25519-20 320 3781398 ns/op 48 | BenchmarkVerify64_Ed25519-20 156 7524581 ns/op 49 | BenchmarkVerify128_Ed25519-20 78 14955353 ns/op 50 | ``` 51 | -------------------------------------------------------------------------------- /examples/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | 6 | ring "github.com/noot/ring-go" 7 | "golang.org/x/crypto/sha3" 8 | ) 9 | 10 | func signAndVerify(curve ring.Curve) { 11 | privkey := curve.NewRandomScalar() 12 | msgHash := sha3.Sum256([]byte("helloworld")) 13 | 14 | // size of the public key ring (anonymity set) 15 | const size = 16 16 | 17 | // our key's secret index within the set 18 | const idx = 7 19 | 20 | keyring, err := ring.NewKeyRing(curve, size, privkey, idx) 21 | if err != nil { 22 | panic(err) 23 | } 24 | 25 | sig, err := keyring.Sign(msgHash, privkey) 26 | if err != nil { 27 | panic(err) 28 | } 29 | 30 | ok := sig.Verify(msgHash) 31 | if !ok { 32 | fmt.Println("failed to verify :(") 33 | return 34 | } 35 | 36 | fmt.Println("verified signature!") 37 | } 38 | 39 | func main() { 40 | fmt.Println("using secp256k1...") 41 | signAndVerify(ring.Secp256k1()) 42 | fmt.Println("using ed25519...") 43 | signAndVerify(ring.Ed25519()) 44 | } 45 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/noot/ring-go 2 | 3 | go 1.19 4 | 5 | require ( 6 | filippo.io/edwards25519 v1.0.0 7 | github.com/athanorlabs/go-dleq v0.1.0 8 | github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 9 | github.com/stretchr/testify v1.7.2 10 | golang.org/x/crypto v0.24.0 11 | ) 12 | 13 | require ( 14 | github.com/davecgh/go-spew v1.1.1 // indirect 15 | github.com/kr/text v0.2.0 // indirect 16 | github.com/pmezard/go-difflib v1.0.0 // indirect 17 | golang.org/x/sys v0.21.0 // indirect 18 | gopkg.in/yaml.v3 v3.0.1 // indirect 19 | ) 20 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= 2 | filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= 3 | github.com/athanorlabs/go-dleq v0.1.0 h1:0/llWZG8fz2uintMBKOiBC502zCsDA8nt8vxI73W9Qc= 4 | github.com/athanorlabs/go-dleq v0.1.0/go.mod h1:DWry6jSD7A13MKmeZA0AX3/xBeQCXDoygX99VPwL3yU= 5 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 6 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 7 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 8 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 9 | github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 h1:HbphB4TFFXpv7MNrT52FGrrgVXF1owhMVTHFZIlnvd4= 10 | github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0/go.mod h1:DZGJHZMqrU4JJqFAWUS2UO1+lbSKsdiOoYi9Zzey7Fc= 11 | github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 12 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 13 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 14 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 15 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 16 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 17 | github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s= 18 | github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= 19 | golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= 20 | golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= 21 | golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= 22 | golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 23 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 24 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= 25 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 26 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 27 | -------------------------------------------------------------------------------- /helpers.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "filippo.io/edwards25519" 5 | "filippo.io/edwards25519/field" 6 | "fmt" 7 | dsecp256k1 "github.com/decred/dcrd/dcrec/secp256k1/v4" 8 | "golang.org/x/crypto/sha3" 9 | 10 | "github.com/athanorlabs/go-dleq/ed25519" 11 | "github.com/athanorlabs/go-dleq/secp256k1" 12 | "github.com/athanorlabs/go-dleq/types" 13 | ) 14 | 15 | func hashToCurve(pk types.Point) types.Point { 16 | switch k := pk.(type) { 17 | case *ed25519.PointImpl: 18 | return hashToCurveEd25519(k) 19 | case *secp256k1.PointImpl: 20 | return hashToCurveSecp256k1(k) 21 | default: 22 | panic("unsupported point type") 23 | } 24 | } 25 | 26 | // hashToCurveEd25519 hashes a point and attempts to set the hash to a point. 27 | // It's effectively hashing to a y-coordinate, as an encoded ed25519 point 28 | // is the y-coordinate with the highest bit set for whether x is positive/negative. 29 | // It repeatedly hashes the hash until it finds a valid point. 30 | func hashToCurveEd25519(pk *ed25519.PointImpl) *ed25519.PointImpl { 31 | const safety = 128 32 | compressedKey := pk.Encode() 33 | hash := sha3.Sum256(compressedKey) 34 | 35 | for i := 0; i < safety; i++ { 36 | point, err := new(edwards25519.Point).SetBytes(hash[:]) 37 | if err == nil { 38 | return ed25519.NewPoint( 39 | new(edwards25519.Point).MultByCofactor(point), 40 | ) 41 | } 42 | 43 | hash = sha3.Sum256(hash[:]) 44 | } 45 | 46 | panic("failed to hash ed25519 point to curve") 47 | } 48 | 49 | // hashToCurveEd25519Alt hashes a point to a x-coordinate and attempts to find a 50 | // corresponding y-coordinate. It repeatedly hashes the hash until it finds a valid point. 51 | // 52 | // this is slightly slower than hashToCurveEd25519. 53 | // I *think* they're effectively the same security-wise, as this impl hashes to an x-coordinate, 54 | // and the above hashes to a y-coordinate. 55 | func hashToCurveEd25519Alt(pk *ed25519.PointImpl) *ed25519.PointImpl { //nolint:deadcode,unused 56 | const safety = 128 57 | compressedKey := pk.Encode() 58 | hash := sha3.Sum512(compressedKey) 59 | 60 | for i := 0; i < safety; i++ { 61 | x, err := new(field.Element).SetWideBytes(hash[:]) 62 | if err != nil { 63 | panic(err) // this shouldn't happen 64 | } 65 | 66 | point, err := decompressYEd25519(x) 67 | if err == nil { 68 | return point 69 | } 70 | 71 | hash = sha3.Sum512(hash[:]) 72 | } 73 | 74 | panic("failed to hash ed25519 point to curve") 75 | } 76 | 77 | // see https://crypto.stackexchange.com/questions/101961/find-ed25519-y-coordinate-from-x-coordinate 78 | func decompressYEd25519(x *field.Element) (*ed25519.PointImpl, error) { //nolint:unused 79 | // y^2 = (1 + x^2) / (1 + d*(x^2)) where d = 121665/121666 80 | one := new(field.Element).One() 81 | xSq := new(field.Element).Square(x) 82 | 83 | // d*x^2 84 | dd := new(field.Element).Mult32(one, 121666) 85 | dd = new(field.Element).Invert(dd) 86 | dxSq := new(field.Element).Mult32(xSq, 121665) 87 | dxSq = new(field.Element).Multiply(dxSq, dd) 88 | 89 | // (1 + d*x^2)^-1 90 | denom := new(field.Element).Add(one, dxSq) 91 | denom = new(field.Element).Invert(denom) 92 | 93 | // 1 + x^2 94 | num := new(field.Element).Add(one, xSq) 95 | 96 | // find y 97 | y, wasSquare := new(field.Element).SqrtRatio(num, denom) 98 | if wasSquare != 1 { 99 | return nil, fmt.Errorf("failed to decompress Y") 100 | } 101 | 102 | var out [32]byte 103 | copy(out[:], y.Bytes()) 104 | out[31] |= byte(x.IsNegative() << 7) 105 | 106 | point, err := new(edwards25519.Point).SetBytes(out[:]) 107 | if err != nil { 108 | return nil, err 109 | } 110 | 111 | return ed25519.NewPoint( 112 | new(edwards25519.Point).MultByCofactor(point), 113 | ), nil 114 | } 115 | 116 | // based off https://github.com/particl/particl-core/blob/master/src/secp256k1/src/modules/mlsag/main_impl.h#L139 117 | func hashToCurveSecp256k1(pk *secp256k1.PointImpl) *secp256k1.PointImpl { 118 | const safety = 128 119 | compressedKey := pk.Encode() 120 | hash := sha3.Sum256(compressedKey) 121 | fe := &dsecp256k1.FieldVal{} 122 | fe.SetBytes(&hash) 123 | maybeY := &dsecp256k1.FieldVal{} 124 | 125 | for i := 0; i < safety; i++ { 126 | ok := dsecp256k1.DecompressY(fe, false, maybeY) 127 | if ok { 128 | return secp256k1.NewPointFromCoordinates(*fe, *maybeY) 129 | } 130 | 131 | hash = sha3.Sum256(hash[:]) 132 | fe.SetBytes(&hash) 133 | } 134 | 135 | return nil 136 | } 137 | -------------------------------------------------------------------------------- /helpers_test.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/require" 7 | ) 8 | 9 | func TestHashToCurveSecp256k1(t *testing.T) { 10 | curve := Secp256k1() 11 | privkey := curve.NewRandomScalar() 12 | p := hashToCurve(curve.ScalarBaseMul(privkey)) 13 | require.NotNil(t, p) 14 | } 15 | 16 | func TestHashToCurveEd25519(t *testing.T) { 17 | curve := Ed25519() 18 | privkey := curve.NewRandomScalar() 19 | p := hashToCurve(curve.ScalarBaseMul(privkey)) 20 | require.NotNil(t, p) 21 | } 22 | -------------------------------------------------------------------------------- /ring.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | 7 | "github.com/athanorlabs/go-dleq/ed25519" 8 | "github.com/athanorlabs/go-dleq/types" 9 | ) 10 | 11 | // Ring represents a group of public keys such that one of the group created a signature. 12 | type Ring struct { 13 | pubkeys []types.Point 14 | curve types.Curve 15 | } 16 | 17 | // Size returns the size of the ring, ie. the number of public keys in it. 18 | func (r *Ring) Size() int { 19 | return len(r.pubkeys) 20 | } 21 | 22 | // Equals checks whether the supplied ring is equal to the current ring. 23 | // The ring's public keys must be in the same order for the rings to be equal 24 | func (r *Ring) Equals(other *Ring) bool { 25 | if r.Size() != other.Size() { 26 | return false 27 | } 28 | 29 | for i, p := range r.pubkeys { 30 | if !p.Equals(other.pubkeys[i]) { 31 | return false 32 | } 33 | } 34 | bp, abp := r.curve.BasePoint(), r.curve.AltBasePoint() 35 | obp, oabp := other.curve.BasePoint(), other.curve.AltBasePoint() 36 | return bp.Equals(obp) && abp.Equals(oabp) 37 | } 38 | 39 | // RingSig represents a ring signature. 40 | type RingSig struct { 41 | ring *Ring // array of public keys 42 | c types.Scalar // ring signature challenge 43 | s []types.Scalar // ring signature values 44 | image types.Point // key image 45 | } 46 | 47 | // PublicKeys returns a copy of the ring signature's public keys. 48 | func (r *RingSig) PublicKeys() []types.Point { 49 | ret := make([]types.Point, len(r.ring.pubkeys)) 50 | for i, pk := range r.ring.pubkeys { 51 | ret[i] = pk.Copy() 52 | } 53 | return ret 54 | } 55 | 56 | // Ring returns the ring from the RingSig struct 57 | func (r *RingSig) Ring() *Ring { 58 | return r.ring 59 | } 60 | 61 | // NewKeyRingFromPublicKeys takes public key ring and places the public key corresponding to `privkey` 62 | // in index idx of the ring. 63 | // It returns a ring of public keys of length `len(ring)+1`. 64 | func NewKeyRingFromPublicKeys(curve types.Curve, pubkeys []types.Point, privkey types.Scalar, idx int) (*Ring, error) { 65 | size := len(pubkeys) + 1 66 | newRing := make([]types.Point, size) 67 | pubkey := curve.ScalarBaseMul(privkey) 68 | 69 | if idx > len(pubkeys) { 70 | return nil, errors.New("index out of bounds: idx > len(pubkeys)") 71 | } 72 | 73 | if idx < 0 { 74 | return nil, errors.New("index out of bounds: idx < 0") 75 | } 76 | 77 | // ensure that privkey is nonzero 78 | if privkey.IsZero() { 79 | return nil, errors.New("private key is zero") 80 | } 81 | 82 | newRing[idx] = pubkey 83 | pubkeysMap := make(map[types.Point]struct{}) 84 | pubkeysMap[pubkey] = struct{}{} 85 | 86 | for i := 0; i < size; i++ { 87 | if i == idx { 88 | continue 89 | } 90 | 91 | if i < idx { 92 | newRing[i] = pubkeys[i] 93 | } else { 94 | newRing[i] = pubkeys[i-1] 95 | } 96 | pubkeysMap[newRing[i]] = struct{}{} 97 | } 98 | 99 | if len(pubkeysMap) != len(newRing) { 100 | return nil, errors.New("duplicate public keys in ring") 101 | } 102 | 103 | return &Ring{ 104 | pubkeys: newRing, 105 | curve: curve, 106 | }, nil 107 | } 108 | 109 | // NewFixedKeyRingFromPublicKeys takes public keys and a curve to create a ring 110 | func NewFixedKeyRingFromPublicKeys(curve types.Curve, pubkeys []types.Point) (*Ring, error) { 111 | pubkeysMap := make(map[types.Point]struct{}) 112 | 113 | size := len(pubkeys) 114 | newRing := make([]types.Point, size) 115 | for i := 0; i < size; i++ { 116 | pubkeysMap[pubkeys[i]] = struct{}{} 117 | newRing[i] = pubkeys[i].Copy() 118 | } 119 | 120 | if len(pubkeysMap) != len(newRing) { 121 | return nil, errors.New("duplicate public keys in ring") 122 | } 123 | 124 | return &Ring{ 125 | pubkeys: newRing, 126 | curve: curve, 127 | }, nil 128 | } 129 | 130 | // NewKeyRing creates a ring with size specified by `size` and places the public key corresponding 131 | // to `privkey` in index idx of the ring. 132 | // It returns a ring of public keys of length `size`. 133 | func NewKeyRing(curve types.Curve, size int, privkey types.Scalar, idx int) (*Ring, error) { 134 | if idx >= size { 135 | return nil, errors.New("index out of bounds") 136 | } 137 | 138 | // ensure that privkey is nonzero 139 | if privkey.IsZero() { 140 | return nil, errors.New("private key is zero") 141 | } 142 | 143 | ring := make([]types.Point, size) 144 | pubkey := curve.ScalarBaseMul(privkey) 145 | ring[idx] = pubkey 146 | 147 | for i := 0; i < size; i++ { 148 | if i == idx { 149 | continue 150 | } 151 | priv := curve.NewRandomScalar() 152 | ring[i] = curve.ScalarBaseMul(priv) 153 | } 154 | 155 | return &Ring{ 156 | pubkeys: ring, 157 | curve: curve, 158 | }, nil 159 | } 160 | 161 | // Sign creates a ring signature on the given message using the public key ring 162 | // and a private key of one of the members of the ring. 163 | func (r *Ring) Sign(m [32]byte, privkey types.Scalar) (*RingSig, error) { 164 | ourIdx := -1 165 | pubkey := r.curve.ScalarBaseMul(privkey) 166 | for i, pk := range r.pubkeys { 167 | if pk.Equals(pubkey) { 168 | ourIdx = i 169 | break 170 | } 171 | } 172 | 173 | if ourIdx == -1 { 174 | return nil, errors.New("failed to find given key in public key set") 175 | } 176 | 177 | return Sign(m, r, privkey, ourIdx) 178 | } 179 | 180 | // Sign creates a ring signature on the given message using the provided private key 181 | // and ring of public keys. 182 | func Sign(m [32]byte, ring *Ring, privkey types.Scalar, ourIdx int) (*RingSig, error) { 183 | size := len(ring.pubkeys) 184 | if size < 2 { 185 | return nil, errors.New("size of ring less than two") 186 | } 187 | 188 | if ourIdx >= size { 189 | return nil, errors.New("secret index out of range of ring size") 190 | } 191 | 192 | // ensure that privkey is nonzero 193 | if privkey.IsZero() { 194 | return nil, errors.New("private key is zero") 195 | } 196 | 197 | // check that key at index s is indeed the signer 198 | pubkey := ring.curve.ScalarBaseMul(privkey) 199 | if !ring.pubkeys[ourIdx].Equals(pubkey) { 200 | return nil, errors.New("secret index in ring is not signer") 201 | } 202 | 203 | // setup 204 | curve := ring.curve 205 | h := hashToCurve(pubkey) 206 | sig := &RingSig{ 207 | ring: ring, 208 | // calculate key image I = x * H_p(P) where H_p is a hash-to-curve function 209 | image: curve.ScalarMul(privkey, h), 210 | } 211 | 212 | // start at c[j] 213 | c := make([]types.Scalar, size) 214 | s := make([]types.Scalar, size) 215 | 216 | // pick random scalar u, calculate L[j] = u*G 217 | u := curve.NewRandomScalar() 218 | l := curve.ScalarBaseMul(u) 219 | 220 | // compute R[j] = u*H_p(P[j]) 221 | r := curve.ScalarMul(u, h) 222 | 223 | // calculate challenge c[j+1] = H(m, L_j, R_j) 224 | idx := (ourIdx + 1) % size 225 | c[idx] = challenge(ring.curve, m, l, r) 226 | 227 | // start loop at j+1 228 | for i := 1; i < size; i++ { 229 | idx := (ourIdx + i) % size 230 | if ring.pubkeys[idx] == nil { 231 | return nil, fmt.Errorf("no public key at index %d", idx) 232 | } 233 | 234 | // pick random scalar s_i 235 | s[idx] = curve.NewRandomScalar() 236 | 237 | // calculate L_i = s_i*G + c_i*P_i 238 | cP := curve.ScalarMul(c[idx], ring.pubkeys[idx]) 239 | sG := curve.ScalarBaseMul(s[idx]) 240 | l := cP.Add(sG) 241 | 242 | // calculate R_i = s_i*H_p(P_i) + c_i*I 243 | cI := curve.ScalarMul(c[idx], sig.image) 244 | hp := hashToCurve(ring.pubkeys[idx]) 245 | sH := curve.ScalarMul(s[idx], hp) 246 | r := cI.Add(sH) 247 | 248 | // calculate c[i+1] = H(m, L_i, R_i) 249 | c[(idx+1)%size] = challenge(curve, m, l, r) 250 | } 251 | 252 | // close ring by finding s[j] = u - c[j]*x 253 | cx := c[ourIdx].Mul(privkey) 254 | s[ourIdx] = u.Sub(cx) 255 | 256 | // check that u*G = s[j]*G + c[j]*P[j] 257 | cP := curve.ScalarMul(c[ourIdx], pubkey) 258 | sG := curve.ScalarBaseMul(s[ourIdx]) 259 | lNew := cP.Add(sG) 260 | if !lNew.Equals(l) { 261 | // this should not happen 262 | return nil, errors.New("failed to close ring: uG != sG + cP") 263 | } 264 | 265 | // check that u*H_p(P[j]) = s[j]*H_p(P[j]) + c[j]*I 266 | cI := curve.ScalarMul(c[ourIdx], sig.image) 267 | sH := curve.ScalarMul(s[ourIdx], h) 268 | rNew := cI.Add(sH) 269 | if !rNew.Equals(r) { 270 | // this should not happen 271 | return nil, errors.New("failed to close ring: uH(P) != sH(P) + cI") 272 | } 273 | 274 | // check that H(m, L[j], R[j]) == c[j+1] 275 | cCheck := challenge(ring.curve, m, l, r) 276 | if !cCheck.Eq(c[(ourIdx+1)%size]) { 277 | return nil, errors.New("challenge check failed") 278 | } 279 | 280 | // everything ok, add values to signature 281 | sig.s = s 282 | sig.c = c[0] 283 | return sig, nil 284 | } 285 | 286 | // Verify verifies the ring signature for the given message. 287 | // It returns true if a valid signature, false otherwise. 288 | func (sig *RingSig) Verify(m [32]byte) bool { 289 | // setup 290 | ring := sig.ring 291 | size := len(ring.pubkeys) 292 | c := make([]types.Scalar, size) 293 | c[0] = sig.c 294 | curve := ring.curve 295 | 296 | // calculate c[i+1] = H(m, s[i]*G + c[i]*P[i]) 297 | // and c[0] = H)(m, s[n-1]*G + c[n-1]*P[n-1]) where n is the ring size 298 | for i := 0; i < size; i++ { 299 | // calculate L_i = s_i*G + c_i*P_i 300 | cP := curve.ScalarMul(c[i], ring.pubkeys[i]) 301 | sG := curve.ScalarBaseMul(sig.s[i]) 302 | l := cP.Add(sG) 303 | 304 | // calculate R_i = s_i*H_p(P_i) + c_i*I 305 | cI := curve.ScalarMul(c[i], sig.image) 306 | h := hashToCurve(ring.pubkeys[i]) 307 | sH := curve.ScalarMul(sig.s[i], h) 308 | r := cI.Add(sH) 309 | 310 | // calculate c[i+1] = H(m, L_i, R_i) 311 | if i == size-1 { 312 | c[0] = challenge(curve, m, l, r) 313 | } else { 314 | c[i+1] = challenge(curve, m, l, r) 315 | } 316 | } 317 | 318 | return sig.c.Eq(c[0]) 319 | } 320 | 321 | // Link returns true if the two signatures were created by the same signer, 322 | // false otherwise. 323 | func Link(sigA, sigB *RingSig) bool { 324 | switch sigA.Ring().curve.(type) { 325 | case *ed25519.CurveImpl: 326 | cofactor := Ed25519().ScalarFromInt(8) 327 | imageA := sigA.image.ScalarMul(cofactor) 328 | imageB := sigB.image.ScalarMul(cofactor) 329 | return imageA.Equals(imageB) 330 | default: 331 | return sigA.image.Equals(sigB.image) 332 | } 333 | } 334 | 335 | func challenge(curve types.Curve, m [32]byte, l, r types.Point) types.Scalar { 336 | t := append(m[:], append(l.Encode(), r.Encode()...)...) 337 | c, err := curve.HashToScalar(t) 338 | if err != nil { 339 | // this should not happen 340 | panic(err) 341 | } 342 | return c 343 | } 344 | -------------------------------------------------------------------------------- /ring_test.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto/rand" 5 | "encoding/hex" 6 | "math/big" 7 | "testing" 8 | 9 | "github.com/athanorlabs/go-dleq/types" 10 | "github.com/stretchr/testify/require" 11 | "golang.org/x/crypto/sha3" 12 | ) 13 | 14 | var ( 15 | testMsg = sha3.Sum256([]byte("helloworld")) 16 | ) 17 | 18 | func createSigWithCurve(t *testing.T, curve types.Curve, size, idx int) *RingSig { 19 | // instantiate private key 20 | privkey := curve.NewRandomScalar() 21 | 22 | // generate keyring 23 | keyring, err := NewKeyRing(curve, size, privkey, idx) 24 | require.NoError(t, err) 25 | 26 | // sign message 27 | sig, err := keyring.Sign(testMsg, privkey) 28 | require.NoError(t, err) 29 | return sig 30 | } 31 | 32 | func createSig(t *testing.T, size, idx int) *RingSig { 33 | return createSigWithCurve(t, Secp256k1(), size, idx) 34 | } 35 | 36 | func TestSign_Loop_Ed25519(t *testing.T) { 37 | maxSize := 100 38 | curve := Ed25519() 39 | for i := 2; i < maxSize; i++ { 40 | idx, err := rand.Int(rand.Reader, big.NewInt(int64(i))) 41 | require.NoError(t, err) 42 | sig := createSigWithCurve(t, curve, i, int(idx.Int64())) 43 | require.True(t, sig.Verify(testMsg)) 44 | } 45 | } 46 | 47 | func TestSign_Loop_Secp256k1(t *testing.T) { 48 | maxSize := 100 49 | for i := 2; i < maxSize; i++ { 50 | idx, err := rand.Int(rand.Reader, big.NewInt(int64(i))) 51 | require.NoError(t, err) 52 | sig := createSig(t, i, int(idx.Int64())) 53 | require.True(t, sig.Verify(testMsg)) 54 | } 55 | } 56 | 57 | func TestNewKeyRing(t *testing.T) { 58 | curve := Secp256k1() 59 | privkey := curve.NewRandomScalar() 60 | keyring, err := NewKeyRing(curve, 2, privkey, 0) 61 | require.NoError(t, err) 62 | require.NotNil(t, keyring) 63 | require.Equal(t, 2, len(keyring.pubkeys)) 64 | } 65 | 66 | func TestNewKeyRing3(t *testing.T) { 67 | curve := Secp256k1() 68 | privkey := curve.NewRandomScalar() 69 | keyring, err := NewKeyRing(curve, 3, privkey, 1) 70 | require.NoError(t, err) 71 | require.NotNil(t, keyring) 72 | require.Equal(t, 3, len(keyring.pubkeys)) 73 | } 74 | 75 | func TestNewKeyRing_IdxOutOfBounds(t *testing.T) { 76 | curve := Secp256k1() 77 | privkey := curve.NewRandomScalar() 78 | _, err := NewKeyRing(curve, 2, privkey, 3) 79 | require.Error(t, err) 80 | } 81 | 82 | func TestGenKeyRing(t *testing.T) { 83 | curve := Secp256k1() 84 | privkey := curve.NewRandomScalar() 85 | s := 0 86 | size := 3 87 | 88 | // generate some pubkeys for the keyring 89 | pubkeys := make([]types.Point, size) 90 | for i := 0; i < size; i++ { 91 | priv := curve.NewRandomScalar() 92 | pubkeys[i] = curve.ScalarBaseMul(priv) 93 | } 94 | 95 | keyring, err := NewKeyRingFromPublicKeys(curve, pubkeys, privkey, s) 96 | require.NoError(t, err) 97 | require.NotNil(t, keyring) 98 | require.Equal(t, size+1, keyring.Size()) 99 | require.True(t, keyring.pubkeys[s].Equals(curve.ScalarBaseMul(privkey))) 100 | 101 | fixedkeys := make([]types.Point, size+1) 102 | fixedkeys[0] = curve.ScalarBaseMul(privkey) 103 | copy(fixedkeys[1:], pubkeys) 104 | keyring, err = NewFixedKeyRingFromPublicKeys(curve, fixedkeys) 105 | require.NoError(t, err) 106 | require.NotNil(t, keyring) 107 | for i := 0; i < size; i++ { 108 | require.True(t, keyring.pubkeys[i].Equals(fixedkeys[i])) 109 | } 110 | } 111 | 112 | func TestRing_Equals(t *testing.T) { 113 | curve := Secp256k1() 114 | privkey := curve.NewRandomScalar() 115 | keyring, err := NewKeyRing(curve, 10, privkey, 0) 116 | require.NoError(t, err) 117 | keyring2, err := NewKeyRing(curve, 10, privkey, 0) 118 | require.NoError(t, err) 119 | require.False(t, keyring.Equals(keyring2)) // NewKeyRing generates random pubkeys 120 | keyring3, err := NewFixedKeyRingFromPublicKeys(curve, keyring.pubkeys) 121 | require.NoError(t, err) 122 | require.True(t, keyring.Equals(keyring3)) 123 | } 124 | 125 | func TestSig_RingEquals(t *testing.T) { 126 | curve := Secp256k1() 127 | privkey := curve.NewRandomScalar() 128 | keyring, err := NewKeyRing(curve, 10, privkey, 0) 129 | require.NoError(t, err) 130 | keyring2, err := NewKeyRing(curve, 10, privkey, 0) 131 | require.NoError(t, err) 132 | sig, err := keyring.Sign(testMsg, privkey) 133 | require.NoError(t, err) 134 | sig2, err := keyring2.Sign(testMsg, privkey) 135 | require.NoError(t, err) 136 | require.False(t, sig.Ring().Equals(keyring2)) 137 | require.True(t, sig.Ring().Equals(keyring)) 138 | require.False(t, sig2.Ring().Equals(keyring)) 139 | require.True(t, sig2.Ring().Equals(keyring2)) 140 | } 141 | 142 | func TestSign(t *testing.T) { 143 | createSig(t, 9, 0) 144 | } 145 | 146 | func TestSignAgain(t *testing.T) { 147 | createSig(t, 100, 17) 148 | } 149 | 150 | func TestVerify(t *testing.T) { 151 | sig := createSig(t, 5, 4) 152 | require.True(t, sig.Verify(testMsg)) 153 | } 154 | 155 | func TestVerifyFalse(t *testing.T) { 156 | curve := Secp256k1() 157 | sig := createSig(t, 5, 2) 158 | 159 | // alter signature 160 | sig.c = curve.NewRandomScalar() 161 | require.False(t, sig.Verify(testMsg)) 162 | } 163 | 164 | func TestVerifyWrongMessage(t *testing.T) { 165 | sig := createSig(t, 5, 1) 166 | fakeMsg := sha3.Sum256([]byte("noot")) 167 | require.False(t, sig.Verify(fakeMsg)) 168 | } 169 | 170 | func TestLinkabilityTrue(t *testing.T) { 171 | curve := Secp256k1() 172 | privkey := curve.NewRandomScalar() 173 | msg1 := "helloworld" 174 | msgHash1 := sha3.Sum256([]byte(msg1)) 175 | 176 | keyring1, err := NewKeyRing(curve, 2, privkey, 0) 177 | require.NoError(t, err) 178 | 179 | sig1, err := keyring1.Sign(msgHash1, privkey) 180 | require.NoError(t, err) 181 | 182 | msg2 := "hello world" 183 | msgHash2 := sha3.Sum256([]byte(msg2)) 184 | 185 | keyring2, err := NewKeyRing(curve, 2, privkey, 0) 186 | require.NoError(t, err) 187 | 188 | sig2, err := keyring2.Sign(msgHash2, privkey) 189 | require.NoError(t, err) 190 | require.True(t, Link(sig1, sig2)) 191 | } 192 | 193 | func TestLinkabilityTrue_imageSmallSubgroup(t *testing.T) { 194 | // test for the audit case where one image has a small subgroup 195 | // point added to it in an attempt to break the linkability property. 196 | // ensure that the two images can still be linked. 197 | 198 | // point from https://monero.stackexchange.com/questions/8671/what-are-the-hex-representations-of-the-small-subgroup-curve-points-on-ed25519 199 | subgroupPointBytes, err := hex.DecodeString("0100000000000000000000000000000000000000000000000000000000000000") 200 | require.NoError(t, err) 201 | subgroupPoint, err := Ed25519().DecodeToPoint(subgroupPointBytes) 202 | require.NoError(t, err) 203 | 204 | curve := Ed25519() 205 | privkey := curve.NewRandomScalar() 206 | msg1 := "helloworld" 207 | msgHash1 := sha3.Sum256([]byte(msg1)) 208 | 209 | keyring1, err := NewKeyRing(curve, 2, privkey, 0) 210 | require.NoError(t, err) 211 | 212 | sig1, err := keyring1.Sign(msgHash1, privkey) 213 | require.NoError(t, err) 214 | 215 | msg2 := "hello world" 216 | msgHash2 := sha3.Sum256([]byte(msg2)) 217 | 218 | keyring2, err := NewKeyRing(curve, 2, privkey, 0) 219 | require.NoError(t, err) 220 | 221 | sig2, err := keyring2.Sign(msgHash2, privkey) 222 | require.NoError(t, err) 223 | sig2.image = sig2.image.Add(subgroupPoint) 224 | require.True(t, Link(sig1, sig2)) 225 | } 226 | 227 | func TestLinkabilityFalse(t *testing.T) { 228 | curve := Secp256k1() 229 | privkey1 := curve.NewRandomScalar() 230 | msg1 := "helloworld" 231 | msgHash1 := sha3.Sum256([]byte(msg1)) 232 | 233 | keyring1, err := NewKeyRing(curve, 2, privkey1, 0) 234 | require.NoError(t, err) 235 | 236 | sig1, err := keyring1.Sign(msgHash1, privkey1) 237 | require.NoError(t, err) 238 | 239 | privkey2 := curve.NewRandomScalar() 240 | msg2 := "hello world" 241 | msgHash2 := sha3.Sum256([]byte(msg2)) 242 | 243 | keyring2, err := NewKeyRing(curve, 2, privkey2, 0) 244 | require.NoError(t, err) 245 | 246 | sig2, err := keyring2.Sign(msgHash2, privkey2) 247 | require.NoError(t, err) 248 | require.False(t, Link(sig1, sig2)) 249 | } 250 | -------------------------------------------------------------------------------- /serde.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | 8 | "github.com/athanorlabs/go-dleq/types" 9 | ) 10 | 11 | // Serialize converts the signature to a byte array. 12 | func (r *RingSig) Serialize() ([]byte, error) { 13 | sig := []byte{} 14 | size := len(r.ring.pubkeys) 15 | 16 | b := make([]byte, 4) 17 | binary.BigEndian.PutUint32(b, uint32(size)) 18 | sig = append(sig, b[:]...) 19 | sig = append(sig, r.c.Encode()...) 20 | sig = append(sig, r.image.Encode()...) 21 | 22 | for i := 0; i < size; i++ { 23 | sig = append(sig, r.s[i].Encode()...) 24 | sig = append(sig, r.ring.pubkeys[i].Encode()...) 25 | } 26 | 27 | return sig, nil 28 | } 29 | 30 | // Deserialize converts the byteified signature into a *RingSig. 31 | func (sig *RingSig) Deserialize(curve Curve, in []byte) error { 32 | reader := bytes.NewBuffer(in) 33 | pointLen := curve.CompressedPointSize() 34 | 35 | size := binary.BigEndian.Uint32(reader.Next(4)) 36 | if len(in) < int(size)*pointLen { 37 | return errors.New("input too short") 38 | } 39 | 40 | // WARN: this assumes the groups have an encoded scalar length of 32! 41 | // which is fine for ed25519 and secp256k1, but may need to be changed 42 | // if other curves are added. 43 | const scalarLen = 32 44 | 45 | var err error 46 | sig.c, err = curve.DecodeToScalar(reader.Next(scalarLen)) 47 | if err != nil { 48 | return err 49 | } 50 | 51 | sig.image, err = curve.DecodeToPoint(reader.Next(pointLen)) 52 | if err != nil { 53 | return err 54 | } 55 | 56 | sig.ring = &Ring{ 57 | pubkeys: make([]types.Point, size), 58 | curve: curve, 59 | } 60 | sig.s = make([]types.Scalar, size) 61 | 62 | for i := 0; i < int(size); i++ { 63 | sig.s[i], err = curve.DecodeToScalar(reader.Next(scalarLen)) 64 | if err != nil { 65 | return err 66 | } 67 | 68 | sig.ring.pubkeys[i], err = curve.DecodeToPoint(reader.Next(pointLen)) 69 | if err != nil { 70 | return err 71 | } 72 | } 73 | 74 | return nil 75 | } 76 | -------------------------------------------------------------------------------- /serde_test.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto/rand" 5 | "math/big" 6 | "testing" 7 | 8 | "github.com/stretchr/testify/require" 9 | "golang.org/x/crypto/sha3" 10 | ) 11 | 12 | func testSerializeAndDeserialize(t *testing.T, curve Curve, size, idx int) { 13 | privkey := curve.NewRandomScalar() 14 | msgHash := sha3.Sum256([]byte("helloworld")) 15 | 16 | keyring, err := NewKeyRing(curve, size, privkey, idx) 17 | require.NoError(t, err) 18 | 19 | sig, err := Sign(msgHash, keyring, privkey, idx) 20 | require.NoError(t, err) 21 | 22 | byteSig, err := sig.Serialize() 23 | require.NoError(t, err) 24 | 25 | res := new(RingSig) 26 | err = res.Deserialize(curve, byteSig) 27 | require.NoError(t, err) 28 | require.Equal(t, sig.ring.Size(), res.ring.Size()) 29 | require.Equal(t, sig.c, res.c) 30 | require.True(t, sig.image.Equals(res.image)) 31 | require.Equal(t, sig.s, res.s) 32 | 33 | for i := 0; i < sig.ring.Size(); i++ { 34 | require.True(t, res.ring.pubkeys[i].Equals(sig.ring.pubkeys[i])) 35 | } 36 | } 37 | 38 | func TestSerializeAndDeserialize_Secp256k1(t *testing.T) { 39 | maxSize := 16 40 | curve := Secp256k1() 41 | for i := 2; i < maxSize; i++ { 42 | idx, err := rand.Int(rand.Reader, big.NewInt(int64(i))) 43 | require.NoError(t, err) 44 | testSerializeAndDeserialize(t, curve, i, int(idx.Int64())) 45 | } 46 | } 47 | 48 | func TestSerializeAndDeserialize_Ed25519(t *testing.T) { 49 | maxSize := 16 50 | curve := Ed25519() 51 | for i := 2; i < maxSize; i++ { 52 | idx, err := rand.Int(rand.Reader, big.NewInt(int64(i))) 53 | require.NoError(t, err) 54 | testSerializeAndDeserialize(t, curve, i, int(idx.Int64())) 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /types.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "github.com/athanorlabs/go-dleq/ed25519" 5 | "github.com/athanorlabs/go-dleq/secp256k1" 6 | "github.com/athanorlabs/go-dleq/types" 7 | ) 8 | 9 | type ( 10 | // Curve represents an elliptic curve that can be used for signing. 11 | Curve = types.Curve 12 | ) 13 | 14 | // Ed25519 returns a new ed25519 curve instance. 15 | func Ed25519() types.Curve { 16 | return ed25519.NewCurve() 17 | } 18 | 19 | // Secp256k1 returns a new secp256k1 curve instance 20 | func Secp256k1() types.Curve { 21 | return secp256k1.NewCurve() 22 | } 23 | --------------------------------------------------------------------------------