Merge pull request #249 from stratosnet/audit

update dev based on audit fix

crypto/bls/config.go

@@ -0,0 +1,6 @@
+package bls
+
+const (
+	blsParams    = "type a\nq 111883039802014540742638515425631208377440717422111030738555230553573602549347\nh 76553482352810235020926853532\nr 1461501637330902918203684757158419293741609123839\nexp2 160\nexp1 76\nsign1 -1\nsign0 -1"
+	blsGenerator = "[7450342596568074891770011364444075585630992484704200481904768097661178197184, 12840831487288433404479563278842210281426538508788525550982744564854326501497]"
+)

crypto/bls/keypair.go

@@ -0,0 +1,68 @@
+package bls
+
+import (
+	"encoding/json"
+	"io/ioutil"
+)
+
+type KeyPair struct {
+	PublicKey  []byte `json:"publicKey"`
+	PrivateKey []byte `json:"privateKey"`
+}
+
+// NewKeyPair creates a new BLS keypair
+func NewKeyPair() (privateKey, publicKey []byte, err error) {
+	if err = verifyInitialization(); err != nil {
+		return nil, nil, err
+	}
+
+	privateKeyElement := pairing.NewZr().Rand()
+	privateKey = privateKeyElement.BigInt().Bytes()
+
+	publicKeyElement := pairing.NewG2().PowZn(generator, privateKeyElement)
+	publicKey = publicKeyElement.CompressedBytes()
+	return
+}
+
+// NewKeyPairFromBytes creates a new BLS keypair deterministically based on a given seed
+func NewKeyPairFromBytes(seed []byte) (privateKey, publicKey []byte, err error) {
+	if err = verifyInitialization(); err != nil {
+		return nil, nil, err
+	}
+
+	privateKeyElement := pairing.NewZr().SetFromHash(seed)
+	privateKey = privateKeyElement.BigInt().Bytes()
+
+	publicKeyElement := pairing.NewG2().PowZn(generator, privateKeyElement)
+	publicKey = publicKeyElement.CompressedBytes()
+	return
+}
+
+// StoreKeyPair stores a BLS keypair to a file
+func StoreKeyPair(privateKey, publicKey []byte, fileLocation string) error {
+	keyPair := KeyPair{
+		PublicKey:  publicKey,
+		PrivateKey: privateKey,
+	}
+	keyPairJson, err := json.Marshal(keyPair)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(fileLocation, keyPairJson, 0666)
+}
+
+// LoadKeyPair loads a BLS keypair from a file
+func LoadKeyPair(keyPairLocation string) (privateKey, publicKey []byte, err error) {
+	keyPairJson, err := ioutil.ReadFile(keyPairLocation)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyPair := &KeyPair{}
+	err = json.Unmarshal(keyPairJson, keyPair)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return keyPair.PrivateKey, keyPair.PublicKey, nil
+}

crypto/bls/signature.go

@@ -0,0 +1,158 @@
+package bls
+
+import (
+	"math/big"
+
+	"github.com/Nik-U/pbc"
+	"github.com/pkg/errors"
+)
+
+var (
+	pairing   *pbc.Pairing
+	generator *pbc.Element
+)
+
+func init() {
+	err := loadPairing()
+	if err != nil {
+		panic(err)
+	}
+
+	err = loadGenerator()
+	if err != nil {
+		panic(err)
+	}
+}
+
+// loadPairing Loads the pairing used by the pbc library. Must be called before signatures can be created or verified.
+func loadPairing() error {
+	params, err := pbc.NewParamsFromString(blsParams)
+	if err != nil {
+		return err
+	}
+
+	pairing = params.NewPairing()
+	return nil
+}
+
+// loadGenerator loads the generator params for the pbc library. Must be called after LoadPairing, and before other methods
+func loadGenerator() error {
+	if pairing == nil {
+		return errors.New("The BLS pairing hasn't been initialized yet")
+	}
+
+	generatorValue, success := pairing.NewG2().SetString(blsGenerator, 0)
+	if generatorValue == nil || !success {
+		return errors.New("Invalid generator params for BLS signature")
+	}
+
+	generator = generatorValue
+	return nil
+}
+
+// Sign signs some data using a BLS private key
+func Sign(data, privateKey []byte) (signature []byte, err error) {
+	if err := verifyInitialization(); err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			err = errors.Errorf("BLS signature error, low-level cgocall signal error: %v", r)
+		}
+	}()
+
+	h := pairing.NewG1().SetFromHash(data)
+	privateKeyElement := pairing.NewZr().SetBig(big.NewInt(0).SetBytes(privateKey))
+	signatureElement := pairing.NewG2().ThenMul(pairing.NewG2().PowZn(h, privateKeyElement))
+
+	return signatureElement.CompressedBytes(), nil
+}
+
+// SignAndAggregate signs the data using the privateKey, then aggregate the signature with an existing signature
+func SignAndAggregate(data, privateKey, existingSignature []byte) (signature []byte, err error) {
+	if err := verifyInitialization(); err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			err = errors.Errorf("BLS signature error, low-level cgocall signal error: %v", r)
+		}
+	}()
+
+	existingSignatureElement := pairing.NewG2().SetCompressedBytes(existingSignature)
+
+	h := pairing.NewG1().SetFromHash(data)
+	privateKeyElement := pairing.NewZr().SetBig(big.NewInt(0).SetBytes(privateKey))
+	signatureElement := existingSignatureElement.ThenMul(pairing.NewG2().PowZn(h, privateKeyElement))
+
+	return signatureElement.CompressedBytes(), nil
+}
+
+// AggregateSignatures aggregates multiple signatures together
+func AggregateSignatures(signatures ...[]byte) (aggregatedSignature []byte, err error) {
+	if err := verifyInitialization(); err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			err = errors.Errorf("BLS signature error, low-level cgocall signal error: %v", r)
+		}
+	}()
+
+	aggregatedSignatureElement := pairing.NewG2()
+	for _, signature := range signatures {
+		signatureElement := pairing.NewG2().SetCompressedBytes(signature)
+		aggregatedSignatureElement = aggregatedSignatureElement.ThenMul(signatureElement)
+	}
+
+	return aggregatedSignatureElement.CompressedBytes(), nil
+}
+
+// Verify verifies a BLS signature. It requires a public key for each private key that was used in generating the signature
+func Verify(data, signature []byte, pubKeys ...[]byte) (result bool, err error) {
+	if err := verifyInitialization(); err != nil {
+		return false, err
+	}
+
+	if len(pubKeys) < 1 {
+		return false, errors.New("BLS signatures cannot be verified without providing a public key")
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			result = false
+			err = errors.Errorf("BLS verification error, low-level cgocall signal error: %v", r)
+		}
+	}()
+
+	var combinedPubKey *pbc.Element
+	for _, pubKey := range pubKeys {
+		pubKeyElement := pairing.NewG2().SetCompressedBytes(pubKey)
+		if combinedPubKey == nil {
+			combinedPubKey = pubKeyElement
+		} else {
+			combinedPubKey = combinedPubKey.ThenMul(pubKeyElement)
+		}
+	}
+
+	h := pairing.NewG1().SetFromHash(data)
+	signatureElement := pairing.NewG1().SetCompressedBytes(signature)
+
+	tmp1 := pairing.NewGT().Pair(h, combinedPubKey)
+	tmp2 := pairing.NewGT().Pair(signatureElement, generator)
+	return tmp1.Equals(tmp2), nil
+}
+
+func verifyInitialization() error {
+	if pairing == nil {
+		return errors.New("The BLS pairing hasn't been initialized yet")
+	}
+
+	if generator == nil {
+		return errors.New("The BLS generator params haven't been initialized yet")
+	}
+	return nil
+}

crypto/crypto.go

@@ -0,0 +1,14 @@
+package crypto
+
+import (
+	"github.com/stratosnet/stratos-chain/crypto/sha3"
+)
+
+// Keccak256 calculates and returns the Keccak256 hash of the input data.
+func Keccak256(data ...[]byte) []byte {
+	d := sha3.NewKeccak256()
+	for _, b := range data {
+		d.Write(b)
+	}
+	return d.Sum(nil)
+}

crypto/sha3/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

crypto/sha3/PATENTS

@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.

crypto/sha3/doc.go

@@ -0,0 +1,62 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package sha3 implements the SHA-3 fixed-output-length hash functions and
+// the SHAKE variable-output-length hash functions defined by FIPS-202.
+//
+// Both types of hash function use the "sponge" construction and the Keccak
+// permutation. For a detailed specification see http://keccak.noekeon.org/
+//
+// # Guidance
+//
+// If you aren't sure what function you need, use SHAKE256 with at least 64
+// bytes of output. The SHAKE instances are faster than the SHA3 instances;
+// the latter have to allocate memory to conform to the hash.Hash interface.
+//
+// If you need a secret-key MAC (message authentication code), prepend the
+// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
+// output.
+//
+// # Security strengths
+//
+// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
+// strength against preimage attacks of x bits. Since they only produce "x"
+// bits of output, their collision-resistance is only "x/2" bits.
+//
+// The SHAKE-256 and -128 functions have a generic security strength of 256 and
+// 128 bits against all attacks, provided that at least 2x bits of their output
+// is used.  Requesting more than 64 or 32 bytes of output, respectively, does
+// not increase the collision-resistance of the SHAKE functions.
+//
+// # The sponge construction
+//
+// A sponge builds a pseudo-random function from a public pseudo-random
+// permutation, by applying the permutation to a state of "rate + capacity"
+// bytes, but hiding "capacity" of the bytes.
+//
+// A sponge starts out with a zero state. To hash an input using a sponge, up
+// to "rate" bytes of the input are XORed into the sponge's state. The sponge
+// is then "full" and the permutation is applied to "empty" it. This process is
+// repeated until all the input has been "absorbed". The input is then padded.
+// The digest is "squeezed" from the sponge in the same way, except that output
+// output is copied out instead of input being XORed in.
+//
+// A sponge is parameterized by its generic security strength, which is equal
+// to half its capacity; capacity + rate is equal to the permutation's width.
+// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
+// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
+//
+// # Recommendations
+//
+// The SHAKE functions are recommended for most new uses. They can produce
+// output of arbitrary length. SHAKE256, with an output length of at least
+// 64 bytes, provides 256-bit security against all attacks.  The Keccak team
+// recommends it for most applications upgrading from SHA2-512. (NIST chose a
+// much stronger, but much slower, sponge instance for SHA3-512.)
+//
+// The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
+// They produce output of the same length, with the same security strengths
+// against all attacks. This means, in particular, that SHA3-256 only has
+// 128-bit collision resistance, because its output length is 32 bytes.
+package sha3