"""
|
2019-12-21 10:44:07 +01:00
|
|
|
ECC blind signature functionality based on
|
|
|
|
"An Efficient Blind Signature Scheme
|
2019-08-26 17:46:25 +02:00
|
|
|
Based on the Elliptic CurveDiscrete Logarithm Problem" by Morteza Nikooghadama
|
|
|
|
<mnikooghadam@sbu.ac.ir> and Ali Zakerolhosseini <a-zaker@sbu.ac.ir>,
|
|
|
|
http://www.isecure-journal.com/article_39171_47f9ec605dd3918c2793565ec21fcd7a.pdf
|
|
|
|
"""
# variable names are based on the math in the paper, so they don't conform
# to PEP8
import time
from hashlib import sha256
from struct import pack, unpack
from .openssl import OpenSSL
# first byte in serialisation can contain data
# Y_BIT: parity of the y coordinate (set from BN_is_odd(y) on serialise; the
# only bit the deserialiser honours)
Y_BIT = 0x01
# COMPRESSED_BIT: always set on serialised points; together with Y_BIT the
# prefix byte is 0x02 (even y) or 0x03 (odd y)
COMPRESSED_BIT = 0x02

# formats (network byte order, see struct)
# BIGNUM: a 32-byte big-endian scalar (one BN_num_bytes(n) of secp256k1)
BIGNUM = '!32s'
# EC: prefix byte + 32-byte big-endian x coordinate of a point (33 bytes)
EC = '!B32s'
# PUBKEY: expiration byte, value byte, then one EC-encoded point (35 bytes)
PUBKEY = '!BB33s'
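class Expiration(object):
    """Expiration of pubkey

    A (year, month) pair that packs into one byte: the high nibble is the
    year offset from 2020 (so 2020..2035 are representable), the low nibble
    is the month.  ``verify`` compares against ``tm_mon - 1``, so ``month``
    is effectively 0-based (0 = January, 11 = December).

    Validation is done with ``assert`` to keep raising AssertionError for
    existing callers; note that asserts are skipped under ``python -O``.
    """

    @staticmethod
    def deserialize(val):
        """Create an object out of int (the serialised byte)"""
        year = ((val & 0xF0) >> 4) + 2020
        month = val & 0x0F
        assert month < 12
        return Expiration(year, month)

    def __init__(self, year, month):
        """
        Args:
            year: 2020..2035 (what fits in the high nibble)
            month: 0..11.  Negative months were previously accepted and
                would have corrupted the year nibble in serialize().
        """
        assert isinstance(year, int)
        assert 2019 < year < 2036
        assert isinstance(month, int)
        assert 0 <= month < 12
        self.year = year
        self.month = month
        # fractional year used by verify()
        self.exp = year + month / 12.0

    def serialize(self):
        """Make int out of object (one byte: year nibble, month nibble)"""
        return ((self.year - 2020) << 4) + self.month

    def verify(self):
        """Check if the pubkey has expired: True while still valid (UTC clock)"""
        now = time.gmtime()
        return self.exp >= now.tm_year + (now.tm_mon - 1) / 12.0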
class Value(object):
    """Value of a pubkey

    A single integer carried in the pubkey; only its low byte is
    serialised.
    """

    @staticmethod
    def deserialize(val):
        """Build a Value from the serialised int"""
        return Value(value=val)

    def __init__(self, value=0xFF):
        """Store ``value`` (must be an int; defaults to 0xFF)"""
        assert isinstance(value, int)
        self.value = value

    def serialize(self):
        """Return the low byte of the stored value"""
        low_byte = self.value & 0xFF
        return low_byte

    def verify(self, value):
        """True when the supplied value does not exceed the stored one"""
        return self.value >= value
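class ECCBlind(object):  # pylint: disable=too-many-instance-attributes
    """
    Class for ECC blind signature functionality

    One instance plays one role of the protocol:

    * signer: ``signer_init`` (returns R) then ``blind_sign``
    * requester: ``create_signing_request`` (returns m') then ``unblind``
    * verifier: ``verify`` on an instance loaded with the signer's pubkey

    Scalars and points are OpenSSL objects reached through the ``OpenSSL``
    ctypes wrapper.  Only ``n`` and the BN_CTX are released in ``__del__``;
    the group, the points and the blinding factors drawn along the way are
    not, so instances are best treated as short-lived.
    """

    # protocol state, named after the math in the paper
    k = None          # signer's per-signature random nonce
    R = None          # R = kG, the signer's commitment
    F = None          # F = b^-1 R + a b^-1 Q + cG, the requester's blinded point
    d = None          # private key (scalar)
    Q = None          # public key, Q = dG
    a = None          # blinding factor
    b = None          # blinding factor
    c = None          # blinding factor
    binv = None       # b^-1 mod n
    r = None          # x coordinate of F
    m = None          # sha256(msg) as a BIGNUM
    m_ = None         # blinded message m' = b*r*m + a
    s_ = None         # blind signature s' = d*m' + k
    signature = None  # (s, F) after unblind()
    # NOTE(review): exp and val are never assigned by this class; the live
    # state is kept in self.expiration / self.value.  Left in place so that
    # external reads of the attributes keep working.
    exp = None
    val = None

    def ec_get_random(self):
        """
        Random integer within the EC order

        Returns a freshly allocated BIGNUM of ``BN_num_bits(n)`` bits; the
        caller owns it.  NOTE(review): BN_rand with top=0 forces the most
        significant bit to 1, so the draw is from [2^(bits-1), 2^bits),
        not uniformly from [1, n), and can exceed n.  A range-bounded draw
        (OpenSSL's BN_rand_range, if the wrapper binds it) would be the
        uniform choice for nonces and blinding factors.
        """
        randomnum = OpenSSL.BN_new()
        OpenSSL.BN_rand(randomnum, OpenSSL.BN_num_bits(self.n), 0, 0)
        return randomnum

    def ec_invert(self, a):
        """
        ECC inversion: a^-1 mod n as a new BIGNUM (None if a is not invertible)
        """
        inverse = OpenSSL.BN_mod_inverse(None, a, self.n, self.ctx)
        return inverse

    def ec_gen_keypair(self):
        """
        Generate an ECC keypair

        We're using compressed keys

        Returns:
            (d, Q): private scalar d (from ec_get_random) and Q = dG
        """
        d = self.ec_get_random()
        Q = OpenSSL.EC_POINT_new(self.group)
        OpenSSL.EC_POINT_mul(self.group, Q, d, None, None, None)
        return (d, Q)

    def ec_Ftor(self, F):
        """
        x0 coordinate of F

        Returns a new BIGNUM holding x0; y0 is discarded.  The caller owns
        the returned BIGNUM.
        """
        # F = (x0, y0)
        x0 = OpenSSL.BN_new()
        y0 = OpenSSL.BN_new()
        OpenSSL.EC_POINT_get_affine_coordinates(self.group, F, x0, y0, self.ctx)
        OpenSSL.BN_free(y0)
        return x0

    def _ec_point_serialize(self, point):
        """Make an EC point into a string

        Output is the ``EC`` format: one prefix byte (COMPRESSED_BIT plus
        the parity of y in Y_BIT) followed by x, zero-padded on the left to
        BN_num_bytes(n) bytes.
        """
        # allocate before the try so the finally never sees unbound names
        x = OpenSSL.BN_new()
        y = OpenSSL.BN_new()
        try:
            OpenSSL.EC_POINT_get_affine_coordinates(
                self.group, point, x, y, None)
            y_byte = (OpenSSL.BN_is_odd(y) & Y_BIT) | COMPRESSED_BIT
            l_ = OpenSSL.BN_num_bytes(self.n)
            try:
                bx = OpenSSL.malloc(0, l_)
                OpenSSL.BN_bn2binpad(x, bx, l_)
                out = bx.raw
            except AttributeError:
                # BN_bn2binpad is not bound (older OpenSSL): pad manually
                bx = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(x))
                OpenSSL.BN_bn2bin(x, bx)
                out = bx.raw.rjust(l_, b'\x00')
            return pack(EC, y_byte, out)
        finally:
            OpenSSL.BN_clear_free(x)
            OpenSSL.BN_clear_free(y)

    def _ec_point_deserialize(self, data):
        """Make a string into an EC point

        ``data`` is the 33-byte ``EC`` format: a prefix byte of which only
        Y_BIT is honoured, then the big-endian x coordinate.  This is the
        entry point for all externally supplied points (pubkey, R, F), so
        the input is checked before OpenSSL is handed a buffer.

        Raises:
            struct.error: if ``data`` is not exactly 33 bytes
            ValueError: if x has the wrong length for the curve order, or
                does not yield a point on the curve
        """
        y_bit, x_raw = unpack(EC, data)
        l_ = OpenSSL.BN_num_bytes(self.n)
        # BN_bin2bn reads exactly l_ bytes; refuse a mismatch instead of
        # over-reading or silently truncating for a non-256-bit curve
        if len(x_raw) != l_:
            raise ValueError(
                "EC point x must be %d bytes, got %d" % (l_, len(x_raw)))
        x = OpenSSL.BN_bin2bn(x_raw, l_, None)
        try:
            retval = OpenSSL.EC_POINT_new(self.group)
            # OpenSSL returns 1 on success; without this check a bogus x
            # left retval holding an invalid point that was used anyway
            if OpenSSL.EC_POINT_set_compressed_coordinates(
                    self.group, retval, x, y_bit & Y_BIT, self.ctx) != 1:
                raise ValueError("not a valid point on the curve")
        finally:
            # the point holds its own copy of the coordinate
            OpenSSL.BN_free(x)
        return retval

    def _bn_serialize(self, bn):
        """Make a string out of BigNum

        Big-endian, zero-padded on the left to BN_num_bytes(n) bytes.
        """
        l_ = OpenSSL.BN_num_bytes(self.n)
        try:
            o = OpenSSL.malloc(0, l_)
            OpenSSL.BN_bn2binpad(bn, o, l_)
            return o.raw
        except AttributeError:
            # BN_bn2binpad is not bound (older OpenSSL): pad manually
            o = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(bn))
            OpenSSL.BN_bn2bin(bn, o)
            return o.raw.rjust(l_, b'\x00')

    def _bn_deserialize(self, data):
        """Make a BigNum out of string

        ``data`` must be exactly BN_num_bytes(n) big-endian bytes.
        BN_bin2bn reads that many bytes unconditionally, so a shorter
        buffer (e.g. a truncated signature) would be read past its end.

        Raises:
            ValueError: if ``data`` has the wrong length
        """
        l_ = OpenSSL.BN_num_bytes(self.n)
        if len(data) != l_:
            raise ValueError(
                "BIGNUM must be %d bytes, got %d" % (l_, len(data)))
        x = OpenSSL.BN_bin2bn(data, l_, None)
        return x

    def _init_privkey(self, privkey):
        """Initialise private key out of string/bytes (BIGNUM format)"""
        self.d = self._bn_deserialize(privkey)

    def privkey(self):
        """Make a private key into a string

        ``self.d`` is an OpenSSL BIGNUM handle, so it has to go through
        _bn_serialize before being packed (pack('!32s') needs bytes); the
        result round-trips through _init_privkey.
        """
        return pack(BIGNUM, self._bn_serialize(self.d))

    def _init_pubkey(self, pubkey):
        """Initialise pubkey out of string/bytes (PUBKEY format, 35 bytes)

        Raises:
            struct.error: wrong length
            AssertionError: invalid expiration byte
            ValueError: the embedded point is not on the curve
        """
        exp_byte, val_byte, point = unpack(PUBKEY, pubkey)
        self.expiration = Expiration.deserialize(exp_byte)
        self.value = Value.deserialize(val_byte)
        self.Q = self._ec_point_deserialize(point)

    def pubkey(self):
        """Make a pubkey into a string (PUBKEY format)"""
        return pack(PUBKEY, self.expiration.serialize(),
                    self.value.serialize(),
                    self._ec_point_serialize(self.Q))

    def __init__(self, curve="secp256k1", pubkey=None, privkey=None,  # pylint: disable=too-many-arguments
                 year=2025, month=11, value=0xFF):
        """
        Args:
            curve: OpenSSL curve name, resolved through OpenSSL.get_curve
            pubkey: serialised pubkey to load (verifier / requester role)
            privkey: serialised private key; requires ``pubkey`` as well
            year, month, value: expiration and value for a freshly generated
                keypair; ignored when a pubkey is loaded
        """
        self.ctx = OpenSSL.BN_CTX_new()

        # ECC group
        self.group = OpenSSL.EC_GROUP_new_by_curve_name(
            OpenSSL.get_curve(curve))

        # Order n
        self.n = OpenSSL.BN_new()
        OpenSSL.EC_GROUP_get_order(self.group, self.n, self.ctx)

        # Generator G
        self.G = OpenSSL.EC_GROUP_get0_generator(self.group)

        # Identity O (infinity)
        self.iO = OpenSSL.EC_POINT_new(self.group)
        OpenSSL.EC_POINT_set_to_infinity(self.group, self.iO)

        if privkey:
            assert pubkey
            # load both pubkey and privkey from bytes
            self._init_privkey(privkey)
            self._init_pubkey(pubkey)
        elif pubkey:
            # load pubkey from bytes
            self._init_pubkey(pubkey)
        else:
            # new keypair
            self.d, self.Q = self.ec_gen_keypair()
            if not year or not month:
                # NOTE(review): Expiration asserts month < 12, so in
                # November (tm_mon == 11) this branch passes month 12 and
                # fails; the intended month convention needs confirming.
                now = time.gmtime()
                if now.tm_mon == 12:
                    self.expiration = Expiration(now.tm_year + 1, 1)
                else:
                    self.expiration = Expiration(now.tm_year, now.tm_mon + 1)
            else:
                self.expiration = Expiration(year, month)
            self.value = Value(value)

    def __del__(self):
        """Release the order BIGNUM and the BN_CTX

        Guarded so that an instance whose __init__ failed part-way (e.g.
        unknown curve name) does not raise from the finaliser, and so a
        second call does not free twice.  The group, the points and the
        blinding factors are not released here.
        """
        n = getattr(self, 'n', None)
        if n is not None:
            OpenSSL.BN_free(n)
            self.n = None
        ctx = getattr(self, 'ctx', None)
        if ctx is not None:
            OpenSSL.BN_CTX_free(ctx)
            self.ctx = None

    def signer_init(self):
        """
        Init signer

        Draws the nonce k and computes R = kG.  Returns R serialised for
        the requester.  Calling this again on the same instance replaces
        k and R without freeing the previous R.
        """
        # Signer: Random integer k
        self.k = self.ec_get_random()

        # R = kG
        self.R = OpenSSL.EC_POINT_new(self.group)
        OpenSSL.EC_POINT_mul(self.group, self.R, self.k, None, None, None)

        return self._ec_point_serialize(self.R)

    def create_signing_request(self, R, msg):
        """
        Requester creates a new signing request

        Args:
            R: the signer's serialised commitment (EC format)
            msg: bytes to be signed; only sha256(msg) enters the protocol

        Returns:
            the blinded message m' serialised (BIGNUM format)

        The blinding factors a, b, c and b^-1 are kept on the instance for
        unblind().  The retry loop re-draws them if F came out as the point
        at infinity; the previous draws are not freed in that case.
        """
        self.R = self._ec_point_deserialize(R)
        msghash = sha256(msg).digest()

        # Requester: 3 random blinding factors
        self.F = OpenSSL.EC_POINT_new(self.group)
        OpenSSL.EC_POINT_set_to_infinity(self.group, self.F)
        temp = OpenSSL.EC_POINT_new(self.group)
        abinv = OpenSSL.BN_new()

        # F != O
        while OpenSSL.EC_POINT_cmp(self.group, self.F, self.iO, self.ctx) == 0:
            self.a = self.ec_get_random()
            self.b = self.ec_get_random()
            self.c = self.ec_get_random()

            # F = b^-1 * R...
            self.binv = self.ec_invert(self.b)
            OpenSSL.EC_POINT_mul(self.group, temp, None, self.R, self.binv,
                                 None)
            OpenSSL.EC_POINT_copy(self.F, temp)

            # ... + a*b^-1 * Q...
            OpenSSL.BN_mul(abinv, self.a, self.binv, self.ctx)
            OpenSSL.EC_POINT_mul(self.group, temp, None, self.Q, abinv, None)
            OpenSSL.EC_POINT_add(self.group, self.F, self.F, temp, None)

            # ... + c*G
            OpenSSL.EC_POINT_mul(self.group, temp, None, self.G, self.c, None)
            OpenSSL.EC_POINT_add(self.group, self.F, self.F, temp, None)

        # F = (x0, y0)
        self.r = self.ec_Ftor(self.F)

        # Requester: Blinding (m' = br(m) + a)
        self.m = OpenSSL.BN_new()
        OpenSSL.BN_bin2bn(msghash, len(msghash), self.m)

        self.m_ = OpenSSL.BN_new()
        OpenSSL.BN_mod_mul(self.m_, self.b, self.r, self.n, self.ctx)
        OpenSSL.BN_mod_mul(self.m_, self.m_, self.m, self.n, self.ctx)
        OpenSSL.BN_mod_add(self.m_, self.m_, self.a, self.n, self.ctx)
        return self._bn_serialize(self.m_)

    def blind_sign(self, m_):
        """
        Signer blind-signs the request

        s' = d*m' + k mod n.  The nonce k is freed afterwards, so a second
        blind_sign needs a new signer_init first.

        Args:
            m_: the serialised blinded message (BIGNUM format)

        Returns:
            s' serialised (BIGNUM format)
        """
        self.m_ = self._bn_deserialize(m_)
        self.s_ = OpenSSL.BN_new()
        OpenSSL.BN_mod_mul(self.s_, self.d, self.m_, self.n, self.ctx)
        OpenSSL.BN_mod_add(self.s_, self.s_, self.k, self.n, self.ctx)
        OpenSSL.BN_free(self.k)
        return self._bn_serialize(self.s_)

    def unblind(self, s_):
        """
        Requester unblinds the signature

        s = b^-1 * s' + c mod n; the blinding factors a, b, c are freed
        here (binv is not), so unblind must run only once per request.

        Args:
            s_: the serialised blind signature (BIGNUM format)

        Returns:
            the signature bytes: s (BIGNUM format) followed by F (EC format)
        """
        self.s_ = self._bn_deserialize(s_)
        s = OpenSSL.BN_new()
        OpenSSL.BN_mod_mul(s, self.binv, self.s_, self.n, self.ctx)
        OpenSSL.BN_mod_add(s, s, self.c, self.n, self.ctx)
        OpenSSL.BN_free(self.a)
        OpenSSL.BN_free(self.b)
        OpenSSL.BN_free(self.c)
        self.signature = (s, self.F)
        return self._bn_serialize(s) + self._ec_point_serialize(self.F)

    def verify(self, msg, signature, value=1):
        """
        Verify signature with certifier's pubkey

        Checks sG == r*m*Q + F, then the pubkey's value and expiration.

        Args:
            msg: the signed bytes
            signature: s (first 32 bytes, BIGNUM) followed by F (EC format)
            value: must not exceed the pubkey's value

        Returns:
            True only if the equation holds and value/expiration pass

        Raises:
            RuntimeError: if EC_POINT_cmp reports an error
            ValueError / struct.error: malformed signature bytes
        """
        # convert msg to BIGNUM
        self.m = OpenSSL.BN_new()
        msghash = sha256(msg).digest()
        OpenSSL.BN_bin2bn(msghash, len(msghash), self.m)

        # init
        s, self.F = (self._bn_deserialize(signature[0:32]),
                     self._ec_point_deserialize(signature[32:]))
        # r is defined as x(F) of *this* signature; recompute it every time
        # so that an instance reused for several verifications does not
        # keep a stale r from an earlier F (the old value is released)
        if self.r is not None:
            OpenSSL.BN_free(self.r)
        self.r = self.ec_Ftor(self.F)

        lhs = OpenSSL.EC_POINT_new(self.group)
        rhs = OpenSSL.EC_POINT_new(self.group)

        OpenSSL.EC_POINT_mul(self.group, lhs, s, None, None, None)

        OpenSSL.EC_POINT_mul(self.group, rhs, None, self.Q, self.m, None)
        OpenSSL.EC_POINT_mul(self.group, rhs, None, rhs, self.r, None)
        OpenSSL.EC_POINT_add(self.group, rhs, rhs, self.F, self.ctx)

        retval = OpenSSL.EC_POINT_cmp(self.group, lhs, rhs, self.ctx)
        if retval == -1:
            raise RuntimeError("EC_POINT_cmp returned an error")
        elif not self.value.verify(value):
            return False
        elif not self.expiration.verify():
            return False
        elif retval != 0:
            return False
        return True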