[Short group signatures](https://crypto.stanford.edu/~xb/crypto04a/groupsigs.pdf) by Boneh, Boyen, and Shachum
and later improved in [ASM](http://web.cs.iastate.edu/~wzhang/teach-552/ReadingList/552-14.pdf) as BBS+ and touched on again
in section 4.3 in [CDL](https://eprint.iacr.org/2016/663.pdf).
---
This crate implements the BBS+ signature scheme which allows for signing many committed messages.
BBS+ signatures can be created in typical cryptographic fashion where the signer and signature holder are the same
party or where they are two distinct parties. BBS+ signatures can also be used to generate signature proofs of knowledge
and selective disclosure zero-knowledge proofs. To start, all that is needed is to add this to your `Cargo.toml`.
```toml
[dependencies]
bbs = "0.4"
```
Add in the main section of code to get all the traits, structs, and functions needed.
```rust
use bbs::prelude::*;
```
## Keygen
BBS+ supports two types of public keys. One that is created as described in the paper where the message specific generators
are randomly generated
and a deterministic version that looks like a BLS public key and whose message specific generators are computed using
IETF's [Hash to Curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/?include_text=1) algorithm which is also constant time combined with known inputs.
`generate(message_count: usize)` - returns a keypair used for creating BBS+ signatures
`PublicKey` - *w ⟵ 𝔾2, h0, (h1, ... , hL) ⟵ 𝔾1L*
`DeterministicPublicKey` - *w ⟵ 𝔾2*. This can be converted to a public key by calling the `to_public_key` method.
There is a convenience class `Issuer` that can be used for this as well.
```rust
let (pk, sk) = Issuer::new_keys(5).unwrap();
```
or
```rust
let (dpk, sk) = Issuer::new_short_keys(None);
let pk = dpk.to_public_key(5).unwrap();
```
## Signing
Signing can be done where the signer knows all the messages or where the signature recipient commits to some messages beforehand
and the signer completes the signature with the remaining messages.
To create a signature:
```rust
let (pk, sk) = Issuer::new_keys(5).unwrap();
let messages = vec![
SignatureMessage::hash(b"message 1"),
SignatureMessage::hash(b"message 2"),
SignatureMessage::hash(b"message 3"),
SignatureMessage::hash(b"message 4"),
SignatureMessage::hash(b"message 5"),
];
let signature = Signature::new(messages.as_slice(), &sk, &pk).unwrap();
assert!(signature.verify(messages.as_slice(), &pk).unwrap());
```
or
```rust
// Generated by the issuer
let (pk, sk) = Issuer::new_keys(5).unwrap();
// Done by the signature recipient
let message = SignatureMessage::hash(b"message_0");
let signature_blinding = Signature::generate_blinding();
let commitment = &pk.h[0] * &message + &pk.h0 * &signature_blinding;
// Completed by the signer
// `commitment` is received from the recipient
let messages = sm_map![
1 => b"message_1",
2 => b"message_2",
3 => b"message_3",
4 => b"message_4"
];
let blind_signature = BlindSignature::new(&commitment, &messages, &sk, &pk).unwrap();
// Completed by the recipient
// receives `blind_signature` from signer
// Recipient knows all `messages` that are signed
let signature = blind_signature.to_unblinded(&signature_blinding);
let mut msgs = messages
.iter()
.map(|(_, m)| m.clone())
.collect::>();
msgs.insert(0, message.clone());
let res = signature.verify(msgs.as_slice(), &pk);
assert!(res.is_ok());
assert!(res.unwrap());
```
This by itself is considered insecure without the signer completing a proof of knowledge of committed messages generated
by the recipient and sent with the commitment. It is **IMPORTANT** that the signature issuer complete this step.
For simplicity, the `Issuer` and `Prover` structs can be used as follows to handle this.
```rust
let (pk, sk) = Issuer::new_keys(5).unwrap();
let signing_nonce = Issuer::generate_signing_nonce();
// Send `signing_nonce` to holder
// Recipient wants to hide a message in each signature to be able to link
// them together
let link_secret = Prover::new_link_secret();
let mut messages = BTreeMap::new();
messages.insert(0, link_secret.clone());
let (ctx, signature_blinding) =
Prover::new_blind_signature_context(&pk, &messages, &signing_nonce).unwrap();
// Send `ctx` to signer
let messages = sm_map![
1 => b"message_1",
2 => b"message_2",
3 => b"message_3",
4 => b"message_4"
];
// Will fail if `ctx` is invalid
let blind_signature = Issuer::blind_sign(&ctx, &messages, &sk, &pk, &signing_nonce).unwrap();
// Send `blind_signature` to recipient
// Recipient knows all `messages` that are signed
let mut msgs = messages
.iter()
.map(|(_, m)| m.clone())
.collect::>();
msgs.insert(0, link_secret.clone());
let res =
Prover::complete_signature(&pk, msgs.as_slice(), &blind_signature, &signature_blinding);
assert!(res.is_ok());
```
## Proofs
Verifiers ask a Prover to reveal some number of signed messages (from zero to all of them), while and the remaining
messages are hidden. If the Prover agrees, she completes a signature proof of knowledge and proof of committed values.
These messages could be combined in other zero-knowledge proofs like zkSNARKs or Bulletproofs like bound checks or
set memberships. If this is the case, the hidden messages will need to linked to the other proofs using a common
blinding factor. This crate provides three message classifications for proofs to accommodate this flexibility.
- *ProofMessage::Revealed*: message will become known to the verifier. Caveat: cryptography operates on integers and not directly on strings. Usually the hash of the string is signed. The verifier will learn the revealed hash and not the message content. The prover must send the preimage so the verifier can check if the hashes are equal after verifying the signature.
- *ProofMessage::Hidden*: message is not shown to the verifier. There are two kinds of hidden messages.
- *HiddenMessage::ProofSpecificBlinding*: message is hidden and not used in any other proof, the blinding is specific to this signature only.
- *HiddenMessage::ExternalBlinding*: message is hidden but is also used in another proof. For example, to show two messages are the same across two signature or 'linked', the same blinding factor must be used for both proofs. This kind groups the blinding factor and the message.
To begin a zero-knowledge proof exchange, the verifier indicates which messages to be revealed and provides a nonce
limit the prover's ability to cheat i.e. create a valid proof without knowing the actual messages or signature.
The Verifier must trust the signer of the credential and know the message structure i.e. what message is at index 1, 2, 3, ... etc.
```rust
let (pk, sk) = Issuer::new_keys(5).unwrap();
let messages = vec![
SignatureMessage::hash(b"message_1"),
SignatureMessage::hash(b"message_2"),
SignatureMessage::hash(b"message_3"),
SignatureMessage::hash(b"message_4"),
SignatureMessage::hash(b"message_5"),
];
let signature = Signature::new(messages.as_slice(), &sk, &pk).unwrap();
let nonce = Verifier::generate_proof_nonce();
let proof_request = Verifier::new_proof_request(&[1, 3], &pk).unwrap();
// Sends `proof_request` and `nonce` to the prover
let proof_messages = vec![
pm_hidden!(b"message_1"),
pm_revealed!(b"message_2"),
pm_hidden!(b"message_3"),
pm_revealed!(b"message_4"),
pm_hidden!(b"message_5"),
];
let pok = Prover::commit_signature_pok(&proof_request, proof_messages.as_slice(), &signature)
.unwrap();
// complete other zkps as desired and compute `challenge_hash`
// add bytes from other proofs
let mut challenge_bytes = Vec::new();
challenge_bytes.extend_from_slice(pok.to_bytes().as_slice());
challenge_bytes.extend_from_slice(nonce.to_bytes().as_slice());
let challenge = ProofNonce::hash(&challenge_bytes);
let proof = Prover::generate_signature_pok(pok, &challenge).unwrap();
// Send `proof` and `challenge` to Verifier
match Verifier::verify_signature_pok(&proof_request, &proof, &nonce) {
Ok(_) => assert!(true), // check revealed messages
Err(_) => assert!(false), // Why did the proof failed
};
```