Add Support for signatures on the G2 curve for BDN (#53)

* Add support for signatures on G2 to bdn
* Adapt bdn_test.go to new BDN interface
* Make API functions methods of the Scheme type
* Generalize G1- and G2-related comments
* Fixing bdn tests
* Make the BDN test suite generic over suite and scheme
* Keeping public APIs from v1

---------

Co-authored-by: Yolan Romailler <anomalroil@users.noreply.github.com>
Co-authored-by: Jakub Sztandera <kubuxu@protocol.ai>

Author: 3 people

go.mod

@@ -4,13 +4,13 @@ go 1.18
 
 require (
 	github.com/cloudflare/circl v1.3.7
-	github.com/drand/kyber-bls12381 v0.2.5
-	github.com/jonboulle/clockwork v0.3.0
-	github.com/stretchr/testify v1.8.2
+	github.com/drand/kyber-bls12381 v0.3.1
+	github.com/jonboulle/clockwork v0.4.0
+	github.com/stretchr/testify v1.9.0
 	go.dedis.ch/fixbuf v1.0.3
 	go.dedis.ch/protobuf v1.0.11
-	golang.org/x/crypto v0.17.0
-	golang.org/x/sys v0.15.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/sys v0.18.0
 )
 
 require (

go.sum

@@ -3,22 +3,18 @@ github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBS
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/drand/kyber-bls12381 v0.2.5 h1:4ugiCmXQsvgAuylSk929rK49WGFxCxT/7ArH2vw6Tlg=
-github.com/drand/kyber-bls12381 v0.2.5/go.mod h1:8fm2tmRaAdYRGMTh5tjF7qrGHywC+rmM5hrUFL+9fCI=
-github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg=
-github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/drand/kyber-bls12381 v0.3.1 h1:KWb8l/zYTP5yrvKTgvhOrk2eNPscbMiUOIeWBnmUxGo=
+github.com/drand/kyber-bls12381 v0.3.1/go.mod h1:H4y9bLPu7KZA/1efDg+jtJ7emKx+ro3PU7/jWUVt140=
+github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
+github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
 github.com/kilic/bls12-381 v0.1.0 h1:encrdjqKMEvabVQ7qYOKu1OvhqpK4s47wDYtNiPtlp4=
 github.com/kilic/bls12-381 v0.1.0/go.mod h1:vDTTHJONJ6G+P2R74EhnyotQDTliQDnFEwhdmfzw1ig=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 go.dedis.ch/fixbuf v1.0.3 h1:hGcV9Cd/znUxlusJ64eAlExS+5cJDIyTyEG+otu5wQs=
 go.dedis.ch/fixbuf v1.0.3/go.mod h1:yzJMt34Wa5xD37V5RTdmp38cz3QhMagdGoem9anUalw=
 go.dedis.ch/kyber/v3 v3.0.4/go.mod h1:OzvaEnPvKlyrWyp3kGXlFdp7ap1VC6RkZDTaPikqhsQ=
@@ -29,14 +25,13 @@ go.dedis.ch/protobuf v1.0.7/go.mod h1:pv5ysfkDX/EawiPqcW3ikOxsL5t+BqnV6xHSmE79KI
 go.dedis.ch/protobuf v1.0.11 h1:FTYVIEzY/bfl37lu3pR4lIj+F9Vp1jE8oh91VmxKgLo=
 go.dedis.ch/protobuf v1.0.11/go.mod h1:97QR256dnkimeNdfmURz0wAMNVbd1VmLXhG1CrTYrJ4=
 golang.org/x/crypto v0.0.0-20190123085648-057139ce5d2b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/sys v0.0.0-20190124100055-b90733256f2e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

sign/bdn/bdn.go

@@ -67,29 +67,68 @@ func hashPointToR(pubs []kyber.Point) ([]kyber.Scalar, error) {
 	return coefs, nil
 }
 
+type Scheme struct {
+	blsScheme sign.AggregatableScheme
+	sigGroup  kyber.Group
+	keyGroup  kyber.Group
+	pairing   func(signature, public, hashedPoint kyber.Point) bool
+}
+
+// NewSchemeOnG1 returns a sign.Scheme that uses G1 for its signature space and G2
+// for its public keys
+func NewSchemeOnG1(suite pairing.Suite) *Scheme {
+	sigGroup := suite.G1()
+	keyGroup := suite.G2()
+	pairing := func(public, hashedMsg, sigPoint kyber.Point) bool {
+		return suite.ValidatePairing(hashedMsg, public, sigPoint, keyGroup.Point().Base())
+	}
+	return &Scheme{
+		blsScheme: bls.NewSchemeOnG1(suite),
+		sigGroup:  sigGroup,
+		keyGroup:  keyGroup,
+		pairing:   pairing,
+	}
+}
+
+// NewSchemeOnG2 returns a sign.Scheme that uses G2 for its signature space and
+// G1 for its public key
+func NewSchemeOnG2(suite pairing.Suite) *Scheme {
+	sigGroup := suite.G2()
+	keyGroup := suite.G1()
+	pairing := func(public, hashedMsg, sigPoint kyber.Point) bool {
+		return suite.ValidatePairing(public, hashedMsg, keyGroup.Point().Base(), sigPoint)
+	}
+	return &Scheme{
+		blsScheme: bls.NewSchemeOnG2(suite),
+		sigGroup:  sigGroup,
+		keyGroup:  keyGroup,
+		pairing:   pairing,
+	}
+}
+
 // NewKeyPair creates a new BLS signing key pair. The private key x is a scalar
-// and the public key X is a point on curve G2.
-func NewKeyPair(suite pairing.Suite, random cipher.Stream) (kyber.Scalar, kyber.Point) {
-	return bls.NewSchemeOnG1(suite).NewKeyPair(random)
+// and the public key X is a point on the scheme's key group.
+func (scheme *Scheme) NewKeyPair(random cipher.Stream) (kyber.Scalar, kyber.Point) {
+	return scheme.blsScheme.NewKeyPair(random)
 }
 
 // Sign creates a BLS signature S = x * H(m) on a message m using the private
-// key x. The signature S is a point on curve G1.
-func Sign(suite pairing.Suite, x kyber.Scalar, msg []byte) ([]byte, error) {
-	return bls.NewSchemeOnG1(suite).Sign(x, msg)
+// key x. The signature S is a point on the scheme's signature group.
+func (scheme *Scheme) Sign(x kyber.Scalar, msg []byte) ([]byte, error) {
+	return scheme.blsScheme.Sign(x, msg)
 }
 
 // Verify checks the given BLS signature S on the message m using the public
 // key X by verifying that the equality e(H(m), X) == e(H(m), x*B2) ==
 // e(x*H(m), B2) == e(S, B2) holds where e is the pairing operation and B2 is
-// the base point from curve G2.
-func Verify(suite pairing.Suite, x kyber.Point, msg, sig []byte) error {
-	return bls.NewSchemeOnG1(suite).Verify(x, msg, sig)
+// the base point from the scheme's key group.
+func (scheme *Scheme) Verify(x kyber.Point, msg, sig []byte) error {
+	return scheme.blsScheme.Verify(x, msg, sig)
 }
 
 // AggregateSignatures aggregates the signatures using a coefficient for each
-// one of them where c = H(pk) and H: G2 -> R with R = {1, ..., 2^128}
-func AggregateSignatures(suite pairing.Suite, sigs [][]byte, mask *sign.Mask) (kyber.Point, error) {
+// one of them where c = H(pk) and H: keyGroup -> R with R = {1, ..., 2^128}
+func (scheme *Scheme) AggregateSignatures(sigs [][]byte, mask *sign.Mask) (kyber.Point, error) {
 	if len(sigs) != mask.CountEnabled() {
 		return nil, errors.New("length of signatures and public keys must match")
 	}
@@ -99,7 +138,7 @@ func AggregateSignatures(suite pairing.Suite, sigs [][]byte, mask *sign.Mask) (k
 		return nil, err
 	}
 
-	agg := suite.G1().Point()
+	agg := scheme.sigGroup.Point()
 	for i, buf := range sigs {
 		peerIndex := mask.IndexOfNthEnabled(i)
 		if peerIndex < 0 {
@@ -108,7 +147,7 @@ func AggregateSignatures(suite pairing.Suite, sigs [][]byte, mask *sign.Mask) (k
 			return nil, errors.New("couldn't find the index")
 		}
 
-		sig := suite.G1().Point()
+		sig := scheme.sigGroup.Point()
 		err = sig.UnmarshalBinary(buf)
 		if err != nil {
 			return nil, err
@@ -125,14 +164,14 @@ func AggregateSignatures(suite pairing.Suite, sigs [][]byte, mask *sign.Mask) (k
 
 // AggregatePublicKeys aggregates a set of public keys (similarly to
 // AggregateSignatures for signatures) using the hash function
-// H: G2 -> R with R = {1, ..., 2^128}.
-func AggregatePublicKeys(suite pairing.Suite, mask *sign.Mask) (kyber.Point, error) {
+// H: keyGroup -> R with R = {1, ..., 2^128}.
+func (scheme *Scheme) AggregatePublicKeys(mask *sign.Mask) (kyber.Point, error) {
 	coefs, err := hashPointToR(mask.Publics())
 	if err != nil {
 		return nil, err
 	}
 
-	agg := suite.G2().Point()
+	agg := scheme.keyGroup.Point()
 	for i := 0; i < mask.CountEnabled(); i++ {
 		peerIndex := mask.IndexOfNthEnabled(i)
 		if peerIndex < 0 {
@@ -149,3 +188,43 @@ func AggregatePublicKeys(suite pairing.Suite, mask *sign.Mask) (kyber.Point, err
 
 	return agg, nil
 }
+
+// v1 API Deprecated ----------------------------------
+
+// NewKeyPair creates a new BLS signing key pair. The private key x is a scalar
+// and the public key X is a point on curve G2.
+// Deprecated: use the new scheme methods instead.
+func NewKeyPair(suite pairing.Suite, random cipher.Stream) (kyber.Scalar, kyber.Point) {
+	return NewSchemeOnG1(suite).NewKeyPair(random)
+}
+
+// Sign creates a BLS signature S = x * H(m) on a message m using the private
+// key x. The signature S is a point on curve G1.
+// Deprecated: use the new scheme methods instead.
+func Sign(suite pairing.Suite, x kyber.Scalar, msg []byte) ([]byte, error) {
+	return NewSchemeOnG1(suite).Sign(x, msg)
+}
+
+// Verify checks the given BLS signature S on the message m using the public
+// key X by verifying that the equality e(H(m), X) == e(H(m), x*B2) ==
+// e(x*H(m), B2) == e(S, B2) holds where e is the pairing operation and B2 is
+// the base point from curve G2.
+// Deprecated: use the new scheme methods instead.
+func Verify(suite pairing.Suite, x kyber.Point, msg, sig []byte) error {
+	return NewSchemeOnG1(suite).Verify(x, msg, sig)
+}
+
+// AggregateSignatures aggregates the signatures using a coefficient for each
+// one of them where c = H(pk) and H: G2 -> R with R = {1, ..., 2^128}
+// Deprecated: use the new scheme methods instead.
+func AggregateSignatures(suite pairing.Suite, sigs [][]byte, mask *sign.Mask) (kyber.Point, error) {
+	return NewSchemeOnG1(suite).AggregateSignatures(sigs, mask)
+}
+
+// AggregatePublicKeys aggregates a set of public keys (similarly to
+// AggregateSignatures for signatures) using the hash function
+// H: G2 -> R with R = {1, ..., 2^128}.
+// Deprecated: use the new scheme methods instead.
+func AggregatePublicKeys(suite pairing.Suite, mask *sign.Mask) (kyber.Point, error) {
+	return NewSchemeOnG1(suite).AggregatePublicKeys(mask)
+}