bgls/kosk: fix prefixes, add prefix to verify aggregate signature.

Project-Arda · Apr 7, 2018 · 677a049 · 677a049
1 parent 3b2a9df
commit 677a049
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 9 deletions.
diff --git a/bgls/bgls_test.go b/bgls/bgls_test.go
@@ -64,8 +64,6 @@ func TestAggregation(t *testing.T) {
 		aggSig = AggregateSignatures(sigs)
 		assert.False(t, VerifyAggregateSignature(curve, aggSig, pubkeys, msgs),
 			"Aggregate Signature succeeding with duplicate messages")
-		assert.True(t, KoskVerifyAggregateSignature(curve, aggSig, pubkeys, msgs),
-			"Aggregate Kosk signature failing with duplicate messages")
 		assert.False(t, VerifyAggregateSignature(curve, aggSig, pubkeys[:N], msgs[:N]),
 			"Aggregate Point1 succeeding with invalid signature")
 		msgs[0] = msgs[1]

diff --git a/bgls/blsKosk.go b/bgls/blsKosk.go
@@ -17,11 +17,11 @@ package bgls
 // One solution to fix this is to ensure that it
 // is impossible for pk1 to sign the same pkA that is used in authentication.
 // The way this is implemented here is to make the sign/verify methods prepend a
-// null byte to any message that is being signed, and to make authentication
-// prepend 0x01 to public key before its signed. Since one would only ever
+// 0x01 byte to any message that is being signed, and to make authentication
+// prepend a null to public key before its signed. Since one would only ever
 // authenticate their own public key, noone could get a signature from you that
 // would work for their own authentication. (As all signatures you give out, other
-// than your own authentication, have a null byte prepended instead of a 0x01 byte)
+// than your own authentication, have a 0x01 byte prepended instead of a null byte)
 //
 // This method sacrifices interoperability between KoskBls and normal BLS,
 // however the advantage is that the authentications are aggregatable. They're
@@ -46,11 +46,11 @@ func Authenticate(curve CurveSystem, sk *big.Int) Point {
 }
 
 // AuthenticateCustHash generates an Aggregatable Authentication for a given secret key.
-// It signs the public key generated from sk, with a 0x01 byte prepended to it.
+// It signs the public key generated from sk, with a null byte prepended to it.
 // This runs with the specified hash function.
 func AuthenticateCustHash(curve CurveSystem, sk *big.Int, hash func([]byte) Point) Point {
 	msg := LoadPublicKey(curve, sk).Marshal()
-	msg = append(make([]byte, 1), msg...)
+	msg = append(make([]byte, 0), msg...)
 	return SignCustHash(sk, msg, hash)
 }
 
@@ -64,7 +64,7 @@ func CheckAuthentication(curve CurveSystem, pubkey Point, authentication Point)
 // for this public key.
 func CheckAuthenticationCustHash(curve CurveSystem, pubkey Point, authentication Point, hash func([]byte) Point) bool {
 	msg := pubkey.Marshal()
-	msg = append(make([]byte, 1), msg...)
+	msg = append(make([]byte, 0), msg...)
 	return VerifySingleSignatureCustHash(curve, authentication, pubkey, msg, hash)
 }
 
@@ -98,7 +98,11 @@ func KoskVerifySingleSignatureCustHash(curve CurveSystem, pubKey Point, msg []by
 // KoskVerifyAggregateSignature verifies that the aggregated signature proves
 // that all messages were signed by the associated keys.
 func KoskVerifyAggregateSignature(curve CurveSystem, aggsig Point, keys []Point, msgs [][]byte) bool {
-	return verifyAggSig(curve, aggsig, keys, msgs, true)
+	newMsgs := make([][]byte, len(msgs))
+	for i := 0; i < len(msgs); i++ {
+		newMsgs[i] = append([]byte{1}, msgs[i]...)
+	}
+	return verifyAggSig(curve, aggsig, keys, newMsgs, true)
 }
 
 // Verify checks that a single message has been signed by a set of keys

diff --git a/bgls/blsKosk_test.go b/bgls/blsKosk_test.go
@@ -92,3 +92,42 @@ func TestKoskMultiSigWithMultiplicity(t *testing.T) {
 		}
 	}
 }
+
+func TestKoskAggregation(t *testing.T) {
+	for _, curve := range curves {
+		N, Size := 6, 32
+		msgs := make([][]byte, N+1)
+		sigs := make([]Point, N+1)
+		pubkeys := make([]Point, N+1)
+		for i := 0; i < N; i++ {
+			msgs[i] = make([]byte, Size)
+			rand.Read(msgs[i])
+
+			sk, vk, _ := KeyGen(curve)
+			sig := KoskSign(curve, sk, msgs[i])
+			pubkeys[i] = vk
+			sigs[i] = sig
+		}
+		aggSig := AggregateSignatures(sigs[:N])
+		assert.True(t, KoskVerifyAggregateSignature(curve, aggSig, pubkeys[:N], msgs[:N]),
+			"Aggregate Point verification failed")
+		assert.False(t, KoskVerifyAggregateSignature(curve, aggSig, pubkeys[:N-1], msgs[:N]),
+			"Aggregate Point verification succeeding without enough pubkeys")
+		skf, vkf, _ := KeyGen(curve)
+		pubkeys[N] = vkf
+		sigs[N] = KoskSign(curve, skf, msgs[0])
+		msgs[N] = msgs[0]
+		aggSig = AggregateSignatures(sigs)
+		assert.True(t, KoskVerifyAggregateSignature(curve, aggSig, pubkeys, msgs),
+			"Aggregate Signature failing with duplicate messages")
+		assert.False(t, KoskVerifyAggregateSignature(curve, aggSig, pubkeys[:N], msgs[:N]),
+			"Aggregate Point succeeding with invalid signature")
+		msgs[0] = msgs[1]
+		msgs[1] = msgs[N]
+		aggSig = AggregateSignatures(sigs[:N])
+		assert.False(t, KoskVerifyAggregateSignature(curve, aggSig, pubkeys[:N], msgs[:N]),
+			"Aggregate Point1 succeeded with messages 0 and 1 switched")
+
+		// TODO Add tests to make sure there is no mutation
+	}
+}