search

herumi / bls

300 stars 131 forks source link

Random verification results. #57

Closed Raycoms closed 4 years ago

Raycoms commented 4 years ago 
    blsInit(MCL_BLS12_381, MCLBN_COMPILED_TIME_VAR);
    blsSetETHmode(BLS_ETH_MODE_LATEST);

    int n = 7;
    const size_t k = 5;

    blsSecretKey masterSec;
    blsPublicKey masterPub;
    blsSecretKeySetByCSPRNG(&masterSec);
    blsGetPublicKey(&masterPub, &masterSec);

    blsSecretKey secs [n];
    blsPublicKey pubs [n];
    blsSignature sigs [n];
    blsId ids [n];

    char msg[] = "hello";
    const size_t msgSize = strlen(msg);

    for (int i = 0; i < n; i++)
    {
        blsId id;
        blsIdSetInt(&id, i + 1);
        ids[i] = id;

        blsSecretKeyShare(&secs[i], &masterSec, k, &id);
        blsPublicKeyShare(&pubs[i], &masterPub, k, &id);

        blsSign(&sigs[i], &secs[i], msg, msgSize);
    }

    blsSignature sig;
    cout << blsSignatureRecover(&sig, sigs, ids, n) << endl;
    cout << blsVerify(&sig, &masterPub, msg, msgSize) << endl;

So I wrote this little program to create a threshold signature and verify it. The problem is that on random occasions verify spits out 1 and 0.

I also extended this further to check if it works down to the threshold and the same applies.

Short comment: It is very confusing that some methods return 0 and some methods return 1 on success. This could be more consistent.

Raycoms commented 4 years ago

Hnet com-image

herumi commented 4 years ago

Short comment: It is very confusing that some methods return 0 and some methods return 1 on success. This could be more consistent.

I use the following rules:

  1. If a return value is necessary, then 0 means false.
    1. A getter or a function returning bool value such as isZero, isValid, Verify returns 1 or 0.
  2. Otherwise, returns 0 if success or error code.
Raycoms commented 4 years ago

Any idea on the random result?

herumi commented 4 years ago

Please see the sample of k_of_n.

Raycoms commented 4 years ago

So, I have to generate k keys and then generate n keys from those k keys that will be distributed to all processes and will be used for signing? And the first one of the k keys in the array is the actual master key I can use for verification?

Raycoms commented 4 years ago

And if blsSignatureRecover(&sig, &signatureVec[1], &idVec[1], K) and if this here works, then does that means we got K correct signatures?

Raycoms commented 4 years ago

BLS_DLL_API int blsSecretKeyShare(blsSecretKey sec, const blsSecretKey msk, mclSize k, const blsId *id);

Should probably then be called blsSecretKeyVec so that users know what they're dealing with

Raycoms commented 4 years ago 
And if blsSignatureRecover(&sig, &signatureVec[1], &idVec[1], K) and if this here works, then does that means we got K correct signatures?

Or do I have to do this 1..k times?

herumi commented 4 years ago

I've updated k_of_nSample. Please see it.

Raycoms commented 4 years ago

Thanks, that was helpful

Raycoms commented 4 years ago

Short followup question: // The master signature can be recovered from any K subset of N sigs.

It says this here, but no where actually the master signature is recovered. (I need to send this master signature to the other processes as a proof)

herumi commented 4 years ago

It says this here, but no where actually the master signature is recovered. (I need to send this master signature to the other processes as a proof)

https://github.com/herumi/bls/blob/master/sample/minsample.c#L84

This shows that the recoverd signature is valid for the master public key mpk. You can check all the recoverd signatures are the same for any K subset.