UNPKG

blocklock-js

Version:

A library for encrypting and decrypting data for the future

github.com/randa-mu/blocklock-js

randa-mu/blocklock-js

336 lines (298 loc) 12.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
import { Buffer as BufferPolyfill } from 'buffer' declare let Buffer: typeof BufferPolyfill globalThis.Buffer = BufferPolyfill import * as asn1js from "asn1js" import { bn254, htfDefaultsG1, mapToG1 } from './bn254' import { xor } from './utils' import { Fp, Fp12, Fp2 } from '@noble/curves/abstract/tower' import { AffinePoint } from '@noble/curves/abstract/weierstrass' import { createHasher, expand_message_xmd, expand_message_xof, hash_to_field } from "@noble/curves/abstract/hash-to-curve" import { CHash } from "@noble/curves/abstract/utils" import { keccak_256 } from "@noble/hashes/sha3" export type G1 = AffinePoint<Fp> export type G2 = AffinePoint<Fp2> export type GT = Fp12 export interface Ciphertext { U: G2, V: Uint8Array W: Uint8Array } // Various options used to customize the IBE scheme export type IbeOpts = { hash: CHash, // hash function k: number, // k-bit collision resistance of hash expand_fn: 'xmd' | 'xof', // "xmd": expand_message_xmd, "xof": expand_message_xof, see RFC9380, Section 5.3. dsts: DstOpts, } // Various DSTs used throughout the IBE scheme export type DstOpts = { H1_G1: Uint8Array, H2: Uint8Array, H3: Uint8Array, H4: Uint8Array, } // Default IBE options. export const DEFAULT_OPTS: IbeOpts = { hash: keccak_256, k: 128, expand_fn: 'xmd', dsts: { H1_G1: Buffer.from('IBE_BN254G1_XMD:KECCAK-256_SVDW_RO_H1_'), H2: Buffer.from('IBE_BN254_XMD:KECCAK-256_H2_'), H3: Buffer.from('IBE_BN254_XMD:KECCAK-256_H3_'), H4: Buffer.from('IBE_BN254_XMD:KECCAK-256_H4_'), } } // Our H4 hash function can output at most 2**16 - 1 = 65535 pseudorandom bytes. const H4_MAX_OUTPUT_LEN: number = 65535 /* * Convert the identity into a point on the curve. */ export function get_identity_g1(identity: Uint8Array, opts: IbeOpts = DEFAULT_OPTS): G1 { return hash_identity_to_point_g1(identity, opts) } /* * Encryption function for IBE based on https://www.iacr.org/archive/crypto2001/21390212.pdf Section 6 / https://eprint.iacr.org/2023/189.pdf, Algorithm 1 * with the identity on G1, and the master public key on G2. */ export function encrypt_towards_identity_g1(m: Uint8Array, identity: Uint8Array, pk_g2: G2, opts: IbeOpts = DEFAULT_OPTS): Ciphertext { // We can encrypt at most 2**16 - 1 = 65535 bytes with our H4 hash function. const n_bytes = m.length if (n_bytes > H4_MAX_OUTPUT_LEN) { throw new Error(`cannot encrypt messages larger than our hash output: ${H4_MAX_OUTPUT_LEN} bytes.`) } // Compute the identity's public key on G1 // 3: PK_\rho \gets e(H_1(\rho), P) const identity_g1 = hash_identity_to_point_g1(identity, opts) const identity_g1p = bn254.G1.ProjectivePoint.fromAffine(identity_g1) const pk_g2p = bn254.G2.ProjectivePoint.fromAffine(pk_g2) const pk_rho = bn254.pairing(identity_g1p, pk_g2p) // Sample a one-time key // 4: \sigma \getsr \{0,1\}^\ell const sigma = new Uint8Array(32); crypto.getRandomValues(sigma) // Derive an ephemeral keypair // 5: r \gets H_3(\sigma, M) const r = hash_sigma_m_to_field(sigma, m, opts) // 6: U \gets [r]G_2 const u_g2 = bn254.G2.ProjectivePoint.BASE.multiply(r).toAffine() // Hide the one-time key // 7: V \gets \sigma \xor H_2((PK_\rho)^r) const shared_key = bn254.fields.Fp12.pow(pk_rho, r) const v = xor(sigma, hash_shared_key_to_bytes(shared_key, sigma.length, opts)) // Encrypt message m using a hash-based stream cipher with key \sigma // 8: W \gets M \xor H_4(\sigma) const w = xor(m, hash_sigma_to_bytes(sigma, n_bytes, opts)) // 9: return ciphertext return { U: u_g2, V: v, W: w } } /* * Decryption function for IBE based on https://www.iacr.org/archive/crypto2001/21390212.pdf Section 6 / https://eprint.iacr.org/2023/189.pdf, Algorithm 1 * with the identity on G1, and the master public key on G2. */ export function decrypt_g1(ciphertext: Ciphertext, decryption_key_g1: G1, opts: IbeOpts = DEFAULT_OPTS): Uint8Array { // Get the one-time decryption key const key = preprocess_decryption_key_g1(ciphertext, decryption_key_g1, opts) return decrypt_g1_with_preprocess(ciphertext, key, opts) } /** * Decryption function for IBE based on https://www.iacr.org/archive/crypto2001/21390212.pdf Section 6 / https://eprint.iacr.org/2023/189.pdf, Algorithm 1 * with the identity on G1, and the master public key on G2. */ export function decrypt_g1_with_preprocess(ciphertext: Ciphertext, preprocessed_decryption_key: Uint8Array, opts: IbeOpts = DEFAULT_OPTS): Uint8Array { // Check well-formedness of the ciphertext if (ciphertext.W.length > H4_MAX_OUTPUT_LEN) { throw new Error(`cannot decrypt messages larger than our hash output: ${H4_MAX_OUTPUT_LEN} bytes.`) } if (ciphertext.V.length !== opts.hash.outputLen) { throw new Error(`cannot decrypt encryption key of invalid length != ${opts.hash.outputLen} bytes.`) } if (ciphertext.V.length !== preprocessed_decryption_key.length) { throw new Error(`preprocessed decryption key of invalid length`) } // \ell = min(len(w), opts.hash.outputLen) const ell_bytes = ciphertext.W.length // Get the one-time decryption key // 3: \sigma' \gets V \xor H_2(e(\pi_\rho, U)) const sigma2 = xor(ciphertext.V, preprocessed_decryption_key) // Decrypt the message // 4: M' \gets W \xor H_4(\sigma') const m2 = xor(ciphertext.W, hash_sigma_to_bytes(sigma2, ell_bytes, opts)) // Derive the ephemeral keypair with the candidate \sigma' // 5: r \gets H_3(\sigma, M) const r = hash_sigma_m_to_field(sigma2, m2, opts) // Verify that \sigma' is consistent with the message and ephemeral public key // 6: if U = [r]G_2 then return M' else return \bot const u_g2 = bn254.G2.ProjectivePoint.BASE.multiply(r) if (bn254.G2.ProjectivePoint.fromAffine(ciphertext.U).equals(u_g2)) { return m2 } else { throw new Error("invalid proof: rP check failed") } } /** * Preprocess a signature by computing the hash of the pairing, i.e., * H_2(e(\pi_\rho, U)). * @param ciphertext ciphertext to preprocess the decryption key for * @param decryption_key_g1 decryption key on g1 for the ciphertext * @param opts IBE scheme options * @returns preprocessed decryption key */ export function preprocess_decryption_key_g1(ciphertext: Ciphertext, decryption_key_g1: G1, opts: IbeOpts = DEFAULT_OPTS): Uint8Array { const u_g2p = bn254.G2.ProjectivePoint.fromAffine(ciphertext.U) u_g2p.assertValidity() // throws an error if point is invalid // Derive the shared key using the decryption key and the ciphertext's ephemeral public key const decryption_key_g1p = bn254.G1.ProjectivePoint.fromAffine(decryption_key_g1) const shared_key = bn254.pairing(decryption_key_g1p, u_g2p) // Return the mask H_2(e(\pi_\rho, U)) return hash_shared_key_to_bytes(shared_key, ciphertext.V.length, opts) } /** * Serialize Ciphertext to ASN.1 structure * Ciphertext ::= SEQUENCE { * u SEQUENCE { * x SEQUENCE { * c0 INTEGER, * c1 INTEGER * }, * y SEQUENCE { * c0 INTEGER, * c1 INTEGER * } * }, * v OCTET STRING, * w OCTET STRING * } */ export function serializeCiphertext(ct: Ciphertext): Uint8Array { const sequence = new asn1js.Sequence({ value: [ new asn1js.Sequence({ value: [ new asn1js.Sequence({ value: [ asn1js.Integer.fromBigInt(ct.U.x.c0), asn1js.Integer.fromBigInt(ct.U.x.c1), ] }), new asn1js.Sequence({ value: [ asn1js.Integer.fromBigInt(ct.U.y.c0), asn1js.Integer.fromBigInt(ct.U.y.c1), ] }), ] }), new asn1js.OctetString({ valueHex: ct.V }), new asn1js.OctetString({ valueHex: ct.W }), ], }); return new Uint8Array(sequence.toBER()) } export function deserializeCiphertext(ct: Uint8Array): Ciphertext { const schema = new asn1js.Sequence({ name: "ciphertext", value: [ new asn1js.Sequence({ name: "U", value: [ new asn1js.Sequence({ name: "x", value: [ new asn1js.Integer(), new asn1js.Integer(), ] }), new asn1js.Sequence({ name: "y", value: [ new asn1js.Integer(), new asn1js.Integer(), ] }), ] }), new asn1js.OctetString({ name: "V" }), new asn1js.OctetString({ name: "W" }), ], }); // Verify the validity of the schema const res = asn1js.verifySchema(ct, schema) if (!res.verified) { throw new Error("invalid ciphertext") } const V = new Uint8Array(res.result['V'].valueBlock.valueHex) const W = new Uint8Array(res.result['W'].valueBlock.valueHex) function bytesToBigInt(bytes: ArrayBuffer) { const byteArray = Array.from(new Uint8Array(bytes)) const hex: string = byteArray.map(e => e.toString(16).padStart(2, '0')).join('') return BigInt('0x' + hex) } const x = bn254.fields.Fp2.create({ c0: bytesToBigInt(res.result['x'].valueBlock.value[0].valueBlock.valueHex), c1: bytesToBigInt(res.result['x'].valueBlock.value[1].valueBlock.valueHex), }) const y = bn254.fields.Fp2.create({ c0: bytesToBigInt(res.result['y'].valueBlock.value[0].valueBlock.valueHex), c1: bytesToBigInt(res.result['y'].valueBlock.value[1].valueBlock.valueHex), }) const U = { x, y } return { U, V, W, } } // Concrete instantiation of H_1 that outputs a point on G1 // H_1: \{0, 1\}^\ast \rightarrow G_1 function hash_identity_to_point_g1(identity: Uint8Array, opts: IbeOpts): G1 { const hasher = createHasher(bn254.G1.ProjectivePoint, mapToG1, { p: htfDefaultsG1.p, m: htfDefaultsG1.m, hash: opts.hash, k: opts.k, DST: opts.dsts.H1_G1, expand: opts.expand_fn, }) return hasher.hashToCurve(identity).toAffine() } // Concrete instantiation of H_2 that outputs a uniformly random byte string of length n // H_2: G_T \rightarrow \{0, 1\}^\ell function hash_shared_key_to_bytes(shared_key: GT, n: number, opts: IbeOpts): Uint8Array { // encode shared_key as BE(shared_key.c0.c0.c0) || BE(shared_key.c0.c0.c1) || BE(shared_key.c0.c1.c0) || ... if (opts.expand_fn == "xmd") { return expand_message_xmd(bn254.fields.Fp12.toBytes(shared_key), opts.dsts.H2, n, opts.hash) } else { return expand_message_xof(bn254.fields.Fp12.toBytes(shared_key), opts.dsts.H2, n, opts.k, opts.hash) } } // Concrete instantiation of H_3 that outputs a point in Fp // H_3: \{0, 1\}^\ell \times \{0, 1\}^\ell \rightarrow Fp function hash_sigma_m_to_field(sigma: Uint8Array, m: Uint8Array, opts: IbeOpts): bigint { // input = \sigma || m const input = new Uint8Array(sigma.length + m.length) input.set(sigma) input.set(m, sigma.length) // hash_to_field(\sigma || m) return hash_to_field(input, 1, { p: htfDefaultsG1.p, m: htfDefaultsG1.m, hash: opts.hash, k: opts.k, DST: opts.dsts.H3, expand: opts.expand_fn, })[0][0]; } // Concrete instantiation of H_4 that outputs a uniformly random byte string of length n // H_4: \{0, 1\}^\ell \rightarrow \{0, 1\}^\ell function hash_sigma_to_bytes(sigma: Uint8Array, n: number, opts: IbeOpts): Uint8Array { if (opts.expand_fn == "xmd") { return expand_message_xmd(sigma, opts.dsts.H4, n, opts.hash) } else { return expand_message_xof(sigma, opts.dsts.H4, n, opts.k, opts.hash) } }