From af2e557d9eb824a0c8d5c42a8cf1c8f09c8d16a7 Mon Sep 17 00:00:00 2001
From: MITSUNARI Shigeo <herumi@nifty.com>
Date: Mon, 17 Sep 2018 11:43:16 +0900
Subject: add signHash and verifyHash for hashed value

---
 include/bls/bls.h   | 11 +++++++++++
 include/bls/bls.hpp | 35 +++++++++++++++++++++++++++++++----
 src/bls_c_impl.hpp  | 23 +++++++++++++++++++++++
 test/bls_test.hpp   | 44 ++++++++++++++++++++++++++++++--------------
 4 files changed, 95 insertions(+), 18 deletions(-)

diff --git a/include/bls/bls.h b/include/bls/bls.h
index 21cd5b0..b2b8604 100644
--- a/include/bls/bls.h
+++ b/include/bls/bls.h
@@ -72,6 +72,7 @@ BLS_DLL_API int blsSecretKeySetLittleEndian(blsSecretKey *sec, const void *buf,
 
 BLS_DLL_API void blsGetPublicKey(blsPublicKey *pub, const blsSecretKey *sec);
 
+// calculate the has of m and sign the hash
 BLS_DLL_API void blsSign(blsSignature *sig, const blsSecretKey *sec, const void *m, mclSize size);
 
 // return 1 if valid
@@ -122,6 +123,16 @@ BLS_DLL_API int blsPublicKeyIsValidOrder(const blsPublicKey *pub);
 
 #ifndef BLS_MINIMUM_API
 
+/*
+	sign the hash
+	use the low (bitSize of r) - 1 bit of h
+	return 0 if success else -1
+	NOTE : return false if h is zero or c1 or -c1 value for BN254. see hashTest() in test/bls_test.hpp
+*/
+BLS_DLL_API int blsSignHash(blsSignature *sig, const blsSecretKey *sec, const void *h, mclSize size);
+// return 1 if valid
+BLS_DLL_API int blsVerifyHash(const blsSignature *sig, const blsPublicKey *pub, const void *h, mclSize size);
+
 // sub
 BLS_DLL_API void blsSecretKeySub(blsSecretKey *sec, const blsSecretKey *rhs);
 BLS_DLL_API void blsPublicKeySub(blsPublicKey *pub, const blsPublicKey *rhs);
diff --git a/include/bls/bls.hpp b/include/bls/bls.hpp
index a1aa444..3dbacd7 100644
--- a/include/bls/bls.hpp
+++ b/include/bls/bls.hpp
@@ -209,7 +209,18 @@ public:
 	}
 	void getPublicKey(PublicKey& pub) const;
 	// constant time sign
-	void sign(Signature& sig, const std::string& m) const;
+	// sign hash(m)
+	void sign(Signature& sig, const void *m, size_t size) const;
+	void sign(Signature& sig, const std::string& m) const
+	{
+		sign(sig, m.c_str(), m.size());
+	}
+	// sign hashed value
+	void signHash(Signature& sig, const void *h, size_t size) const;
+	void signHash(Signature& sig, const std::string& h) const
+	{
+		signHash(sig, h.c_str(), h.size());
+	}
 	/*
 		make Pop(Proof of Possesion)
 		pop = prv.sign(pub)
@@ -392,9 +403,21 @@ public:
 		int ret = mclBnG1_setStr(&self_.v, str.c_str(), str.size(), ioMode);
 		if (ret != 0) throw std::runtime_error("mclBnG1_setStr");
 	}
+	bool verify(const PublicKey& pub, const void *m, size_t size) const
+	{
+		return blsVerify(&self_, &pub.self_, m, size) == 1;
+	}
 	bool verify(const PublicKey& pub, const std::string& m) const
 	{
-		return blsVerify(&self_, &pub.self_, m.c_str(), m.size()) == 1;
+		return verify(pub, m.c_str(), m.size());
+	}
+	bool verifyHash(const PublicKey& pub, const void *h, size_t size) const
+	{
+		return blsVerifyHash(&self_, &pub.self_, h, size) == 1;
+	}
+	bool verifyHash(const PublicKey& pub, const std::string& h) const
+	{
+		return verifyHash(pub, h.c_str(), h.size());
 	}
 	/*
 		verify self(pop) with pub
@@ -445,9 +468,13 @@ inline void SecretKey::getPublicKey(PublicKey& pub) const
 {
 	blsGetPublicKey(&pub.self_, &self_);
 }
-inline void SecretKey::sign(Signature& sig, const std::string& m) const
+inline void SecretKey::sign(Signature& sig, const void *m, size_t size) const
+{
+	blsSign(&sig.self_, &self_, m, size);
+}
+inline void SecretKey::signHash(Signature& sig, const void *h, size_t size) const
 {
-	blsSign(&sig.self_, &self_, m.c_str(), m.size());
+	if (blsSignHash(&sig.self_, &self_, h, size) != 0) throw std::runtime_error("bad h");
 }
 inline void SecretKey::getPop(Signature& pop) const
 {
diff --git a/src/bls_c_impl.hpp b/src/bls_c_impl.hpp
index 75e5a44..768c206 100644
--- a/src/bls_c_impl.hpp
+++ b/src/bls_c_impl.hpp
@@ -267,6 +267,29 @@ int blsPublicKeyIsValidOrder(const blsPublicKey *pub)
 }
 
 #ifndef BLS_MINIMUM_API
+inline bool toG1(G1& Hm, const void *h, mclSize size)
+{
+	Fp t;
+	t.setArrayMask((const char *)h, size);
+	bool b;
+	BN::mapToG1(&b, Hm, t);
+	return b;
+}
+int blsSignHash(blsSignature *sig, const blsSecretKey *sec, const void *h, mclSize size)
+{
+	G1 Hm;
+	if (!toG1(Hm, h, size)) return -1;
+	mclBnG1_mulCT(&sig->v, cast(&Hm), &sec->v);
+	return 0;
+}
+
+int blsVerifyHash(const blsSignature *sig, const blsPublicKey *pub, const void *h, mclSize size)
+{
+	G1 Hm;
+	if (!toG1(Hm, h, size)) return 0;
+	return isEqualTwoPairings(*cast(&sig->v), getQcoeff().data(), Hm, *cast(&pub->v));
+}
+
 void blsSecretKeySub(blsSecretKey *sec, const blsSecretKey *rhs)
 {
 	mclBnFr_sub(&sec->v, &sec->v, &rhs->v);
diff --git a/test/bls_test.hpp b/test/bls_test.hpp
index b2a7860..d713118 100644
--- a/test/bls_test.hpp
+++ b/test/bls_test.hpp
@@ -17,7 +17,7 @@ void streamTest(const T& t)
 }
 
 template<class T>
-void testSet()
+void testSetForBN254()
 {
 	/*
 		mask value to be less than r if the value >= (1 << (192 + 62))
@@ -43,8 +43,9 @@ void testSet()
 	}
 }
 
-void IdTestBN256()
+void testForBN254()
 {
+	CYBOZU_TEST_EQUAL(bls::getOpUnitSize(), 4);
 	bls::Id id;
 	CYBOZU_TEST_ASSERT(id.isZero());
 	id = 5;
@@ -56,20 +57,30 @@ void IdTestBN256()
 		os << id;
 		CYBOZU_TEST_EQUAL(os.str(), "0x4000000000000000300000000000000020000000000000001");
 	}
-	testSet<bls::Id>();
-}
-
-void SecretKeyTestBN256()
-{
-	testSet<bls::SecretKey>();
+	testSetForBN254<bls::Id>();
+	testSetForBN254<bls::SecretKey>();
 }
 
-CYBOZU_TEST_AUTO(bn256)
+void hashTest(int type)
 {
-	bls::init(MCL_BN254);
-	IdTestBN256();
-	SecretKeyTestBN256();
-	CYBOZU_TEST_EQUAL(bls::getOpUnitSize(), 4);
+	bls::SecretKey sec;
+	sec.init();
+	bls::PublicKey pub;
+	sec.getPublicKey(pub);
+	const std::string h = "\x01\x02\x03";
+	bls::Signature sig;
+	sec.signHash(sig, h);
+	CYBOZU_TEST_ASSERT(sig.verifyHash(pub, h));
+	CYBOZU_TEST_ASSERT(!sig.verifyHash(pub, "\x01\x02\04"));
+	if (type == MCL_BN254) {
+		const uint64_t c1[] = { 0x0c00000000000004ull, 0xcf0f000000000006ull, 0x26cd890000000003ull, 0x2523648240000001ull };
+		const uint64_t mc1[] = { 0x9b0000000000000full, 0x921200000000000dull, 0x9366c48000000004ull };
+		CYBOZU_TEST_EXCEPTION(sec.signHash(sig, "", 0), std::exception);
+		CYBOZU_TEST_EXCEPTION(sec.signHash(sig, "\x00", 1), std::exception);
+		CYBOZU_TEST_EXCEPTION(sec.signHash(sig, "\x00\x00", 2), std::exception);
+		CYBOZU_TEST_EXCEPTION(sec.signHash(sig, c1, 32), std::exception);
+		CYBOZU_TEST_EXCEPTION(sec.signHash(sig, mc1, 24), std::exception);
+	}
 }
 
 void blsTest()
@@ -433,7 +444,12 @@ CYBOZU_TEST_AUTO(all)
 	};
 	for (size_t i = 0; i < CYBOZU_NUM_OF_ARRAY(tbl); i++) {
 		printf("curve=%s\n", tbl[i].name);
-		bls::init(tbl[i].type);
+		int type = tbl[i].type;
+		bls::init(type);
+		if (type == MCL_BN254) {
+			testForBN254();
+		}
 		testAll();
+		hashTest(type);
 	}
 }
-- 
cgit v1.2.3