Error handling and support for reversible encoding

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

src/accumulator/accumulator.ts

@@ -41,7 +41,7 @@ import {
   universalAccumulatorFixedInitialElements
 } from '@docknetwork/crypto-wasm';
 import { MembershipWitness, NonMembershipWitness } from './accumulatorWitness';
-import { getUint8ArraysFromObject } from '../util';
+import { getUint8ArraysFromObject, isNumberBiggerThanNBits } from '../util';
 import { IAccumulatorState, IUniversalAccumulatorState } from './IAccumulatorState';
 import { IInitialElementsStore } from './IInitialElementsStore';
 
@@ -81,7 +81,8 @@ export abstract class Accumulator {
 
   /**
    * To add arbitrary bytes like byte representation of UUID or some other user id or something else as an accumulator
-   * member, encode it first using this.
+   * member, encode it first using this. This is an irreversible encoding as a hash function is used to convert a message
+   * of arbitrary length to a fixed length encoding.
    * @param bytes
    */
   static encodeBytesAsAccumulatorMember(bytes: Uint8Array): Uint8Array {
@@ -90,12 +91,10 @@ export abstract class Accumulator {
 
   /**
    * To add a positive number as an accumulator member, encode it first using this.
+   * Encodes a positive integer of at most 4 bytes
    * @param num - should be a positive integer
    */
   static encodePositiveNumberAsAccumulatorMember(num: number): Uint8Array {
-    if (!Number.isInteger(num) || num < 0) {
-      throw new Error(`Need a positive integer to encode but found ${num} `);
-    }
     return generateFieldElementFromNumber(num);
   }
 

src/bbs-plus/signature.ts

@@ -1,5 +1,5 @@
 import { SignatureParamsG1 } from './params';
-import { generateFieldElementFromNumber, VerifyResult } from '@docknetwork/crypto-wasm';
+import { fieldElementAsBytes, generateFieldElementFromNumber, VerifyResult } from '@docknetwork/crypto-wasm';
 import {
   bbsBlindSignG1,
   bbsEncodeMessageForSigning,
@@ -8,6 +8,7 @@ import {
   bbsVerifyG1,
   generateRandomFieldElement
 } from '@docknetwork/crypto-wasm';
+import { isNumberBiggerThanNBits } from '../util';
 
 export abstract class Signature {
   value: Uint8Array;
@@ -16,16 +17,66 @@ export abstract class Signature {
     this.value = value;
   }
 
+  /**
+   * This is an irreversible encoding as a hash function is used to convert a message of
+   * arbitrary length to a fixed length encoding.
+   * @param message
+   */
   static encodeMessageForSigning(message: Uint8Array): Uint8Array {
     return bbsEncodeMessageForSigning(message);
   }
 
-  static encodePositiveNumberMessage(num: number): Uint8Array {
-    if (!Number.isInteger(num) || num < 0) {
-      throw new Error(`Need a positive integer to encode but found ${num} `);
-    }
+  /**
+   * Encodes a positive integer of at most 4 bytes
+   * @param num
+   */
+  static encodePositiveNumberForSigning(num: number): Uint8Array {
     return generateFieldElementFromNumber(num);
   }
+
+  /**
+   * Encode the given string to bytes and create a field element by considering the bytes in little-endian format.
+   * Note that this will add trailing 0s to the bytes to make the size 32 bytes
+   * @param message - utf-8 string of at most 32 bytes
+   */
+  static reversibleEncodeStringMessageForSigning(message: string): Uint8Array {
+    const encoder = new TextEncoder();
+    const bytes = encoder.encode(message);
+    const maxLength = 32;
+    if (bytes.length > maxLength) {
+      throw new Error(`Expects a string with at most ${maxLength} bytes`);
+    }
+    // Create a little-endian representation
+    const fieldElementBytes = new Uint8Array(maxLength);
+    fieldElementBytes.set(bytes);
+    fieldElementBytes.set(new Uint8Array(maxLength - bytes.length), bytes.length);
+    return fieldElementAsBytes(fieldElementBytes);
+  }
+
+  /**
+   * Decode the given representation. This should **only** be used when the encoding was done
+   * using `this.reversibleEncodeStringMessageForSigning`. Also, this function trims any characters from the first
+   * occurrence of a null characters (UTF-16 code unit 0) so if the encoded (using `this.reversibleEncodeStringMessageForSigning`)
+   * string also had a null then the decoded string will be different from it.
+   * @param message
+   */
+  static reversibleDecodeStringMessageForSigning(message: Uint8Array): string {
+    const maxLength = 32;
+    if (message.length > maxLength) {
+      throw new Error(`Expects a message with at most ${maxLength} bytes`);
+    }
+    const decoder = new TextDecoder();
+    const decoded = decoder.decode(message);
+    const chars = [];
+    for (let i = 0; i < maxLength; i++) {
+      // If a null character found then stop looking further
+      if (decoded.charCodeAt(i) == 0) {
+        break;
+      }
+      chars.push(decoded.charAt(i));
+    }
+    return chars.join('');
+  }
 }
 
 export class SignatureG1 extends Signature {

src/index.ts

@@ -6,3 +6,4 @@ export * from './saver';
 export * from './legosnark';
 export * from './bound-check';
 export * from './ICompressed';
+export * from './bytearray-wrapper';

src/saver/util.ts

@@ -1,9 +1,9 @@
 export function getChunkBitSize(chunkBitSize?: number): number {
   if (chunkBitSize === undefined) {
-    return 8;
+    return 16;
   }
-  if (chunkBitSize !== 4 && chunkBitSize !== 8) {
-    throw new Error(`Chunk bit size of ${chunkBitSize} is not acceptable. Only 4 and 8 allowed`);
+  if (chunkBitSize !== 4 && chunkBitSize !== 8 && chunkBitSize !== 16) {
+    throw new Error(`Chunk bit size of ${chunkBitSize} is not acceptable. Only 4, 8 and 16 allowed`);
   }
   return chunkBitSize;
 }

src/util.ts

@@ -3,7 +3,6 @@
  * @param json
  * @returns
  */
-import exp from 'constants';
 import { generateFieldElementFromBytes } from '@docknetwork/crypto-wasm';
 
 export function jsonObjToUint8Array(json: string): Uint8Array {
@@ -35,3 +34,8 @@ export function getUint8ArraysFromObject(obj: Record<string, any>, keys: string[
 export function bytesToChallenge(bytes: Uint8Array): Uint8Array {
   return generateFieldElementFromBytes(bytes);
 }
+
+export function isNumberBiggerThanNBits(num: number, bits: number): boolean {
+  // Following can be done using bit shifts, but they only work for small number of shifts. Checked in Chrome and FF
+  return num.toString(2).length > bits;
+}

tests/bbs-plus.spec.ts

@@ -8,7 +8,7 @@ import {
   SignatureG1,
   SignatureParamsG1
 } from '../src';
-import { stringToBytes } from './utils';
+import { getRevealedUnrevealed, stringToBytes } from './utils';
 
 function getMessages(count: number): Uint8Array[] {
   const messages: Uint8Array[] = [];
@@ -219,4 +219,48 @@ describe('BBS+ signature', () => {
     const sig2 = SignatureG1.generate(messages5, sk, params5, true);
     expect(sig2.verify(messages5, pk, params5, true).verified).toEqual(true);
   });
+
+  it('should support reversible encoding', () => {
+    const messages = [
+      'John Jacob Smith Sr.',
+      'San Francisco, California',
+      'john.jacob.smith.1971@gmail.com',
+      '+1 123-4567890009',
+      'user-id:1234567890012134'
+    ];
+    const count = messages.length;
+    const encodedMessages = new Array<Uint8Array>(5);
+    for (let i = 0; i < count; i++) {
+      encodedMessages[i] = SignatureG1.reversibleEncodeStringMessageForSigning(messages[i]);
+      const decoded = SignatureG1.reversibleDecodeStringMessageForSigning(encodedMessages[i]);
+      expect(decoded).toEqual(messages[i]);
+    }
+    const params = SignatureParamsG1.generate(count);
+    const keypair = KeypairG2.generate(params);
+    const sig = SignatureG1.generate(encodedMessages, keypair.secretKey, params, false);
+    expect(sig.verify(encodedMessages, keypair.publicKey, params, false).verified).toEqual(true);
+
+    // Reveal all messages! This is done for testing purposes only.
+    let revealed: Set<number> = new Set();
+    for (let i = 0; i < count; i++) {
+      revealed.add(i);
+    }
+
+    const [revealedMsgs, unrevealedMsgs] = getRevealedUnrevealed(encodedMessages, revealed);
+    const protocol = PoKSigProtocol.initialize(encodedMessages, sig, params, false, undefined, revealed);
+    const challengeContributionP = protocol.challengeContribution(params, true, revealedMsgs);
+    const challengeProver = bytesToChallenge(challengeContributionP);
+    const proof = protocol.generateProof(challengeProver);
+
+    const challengeContributionV = proof.challengeContribution(params, true, revealedMsgs);
+    const challengeVerifier = bytesToChallenge(challengeContributionV);
+
+    expect(challengeProver).toEqual(challengeVerifier);
+
+    expect(proof.verify(challengeVerifier, keypair.publicKey, params, false, revealedMsgs).verified).toEqual(true);
+    for (let i = 0; i < count; i++) {
+      const decoded = SignatureG1.reversibleDecodeStringMessageForSigning(revealedMsgs.get(i) as Uint8Array);
+      expect(decoded).toEqual(messages[i]);
+    }
+  });
 });

tests/composite-proofs/saver.spec.ts

@@ -10,7 +10,8 @@ import {
   SaverEncryptionGens,
   SaverEncryptionGensUncompressed,
   SaverEncryptionKeyUncompressed,
-  SaverProvingKeyUncompressed, SaverSecretKey,
+  SaverProvingKeyUncompressed,
+  SaverSecretKey,
   SaverVerifyingKeyUncompressed,
   SetupParam,
   SignatureG1,
@@ -24,9 +25,9 @@ import {
 import { getRevealedUnrevealed, stringToBytes } from '../utils';
 
 describe('Verifiable encryption of signed messages', () => {
-  const messageCount = 5;
-  const chunkBitSize = 8;
+  const chunkBitSize = 16;
   const encMsgIdx = 1;
+  let messageCount;
 
   let snarkProvingKey: SaverProvingKeyUncompressed,
     snarkVerifyingKey: SaverVerifyingKeyUncompressed,
@@ -41,6 +42,7 @@ describe('Verifiable encryption of signed messages', () => {
     sigParams2: SignatureParamsG1,
     sigSk2: Uint8Array,
     sigPk2: Uint8Array;
+  let messages1AsStrings: string[], messages2AsStrings: string[];
   let messages1: Uint8Array[], messages2: Uint8Array[], sig1: SignatureG1, sig2: SignatureG1;
 
   beforeAll(async () => {
@@ -50,15 +52,51 @@ describe('Verifiable encryption of signed messages', () => {
   it('do decryptor setup', () => {
     const gens = SaverEncryptionGens.generate();
     const [snarkPk, sk, ek, dk] = SaverDecryptor.setup(gens, chunkBitSize);
+    console.log(snarkPk.value.length, ek.value.length, gens.value.length);
     saverEncGens = gens.decompress();
     snarkProvingKey = snarkPk.decompress();
     snarkVerifyingKey = snarkPk.getVerifyingKeyUncompressed();
     saverSk = sk;
     saverEk = ek.decompress();
     saverDk = dk.decompress();
+    console.log(
+      snarkProvingKey.value.length,
+      snarkVerifyingKey.value.length,
+      saverEk.value.length,
+      saverDk.value.length,
+      saverEncGens.value.length
+    );
   }, 300000);
 
   it('do signers setup', () => {
+    // Setup the messages, its important to use a reversible encoding for the messages used in verifiable encryption as
+    // the decryptor should be able to decrypt the message without the holder's help.
+
+    messages1AsStrings = [
+      'John Jacob Smith Sr.',
+      'San Francisco, California',
+      'john.jacob.smith.1971@gmail.com',
+      '+1 123-4567890009',
+      'user-id:1234567890012134'
+    ];
+
+    messages2AsStrings = [
+      'Alice Jr. from Wonderland',
+      'Wonderland',
+      'alice.wonderland.1980@gmail.com',
+      '+1 456-7891230991',
+      'user-id:9876543210987654'
+    ];
+
+    messageCount = messages1AsStrings.length;
+
+    messages1 = [];
+    messages2 = [];
+    for (let i = 0; i < messageCount; i++) {
+      messages1.push(SignatureG1.reversibleEncodeStringMessageForSigning(messages1AsStrings[i]));
+      messages2.push(SignatureG1.reversibleEncodeStringMessageForSigning(messages2AsStrings[i]));
+    }
+
     sigParams1 = SignatureParamsG1.generate(messageCount);
     const sigKeypair1 = KeypairG2.generate(sigParams1);
     sigSk1 = sigKeypair1.secretKey;
@@ -69,13 +107,6 @@ describe('Verifiable encryption of signed messages', () => {
     sigSk2 = sigKeypair2.secretKey;
     sigPk2 = sigKeypair2.publicKey;
 
-    messages1 = [];
-    messages2 = [];
-    for (let i = 0; i < messageCount; i++) {
-      messages1.push(generateRandomFieldElement());
-      messages2.push(generateRandomFieldElement());
-    }
-
     sig1 = SignatureG1.generate(messages1, sigSk1, sigParams1, false);
     sig2 = SignatureG1.generate(messages2, sigSk2, sigParams2, false);
     expect(sig1.verify(messages1, sigPk1, sigParams1, false).verified).toEqual(true);
@@ -95,6 +126,7 @@ describe('Verifiable encryption of signed messages', () => {
     sigParams: SignatureParamsG1,
     sigPk: Uint8Array,
     messages: Uint8Array[],
+    messagesAsStrings: string[],
     sig: SignatureG1,
     label: string
   ) {
@@ -133,14 +165,16 @@ describe('Verifiable encryption of signed messages', () => {
     expect(proof.verifyWithDeconstructedProofSpec(verifierStatements, metaStatements).verified).toEqual(true);
 
     decryptAndVerify(proof, 1, messages[encMsgIdx]);
+    const decoded = SignatureG1.reversibleDecodeStringMessageForSigning(messages[encMsgIdx]);
+    expect(decoded).toEqual(messagesAsStrings[encMsgIdx]);
   }
 
   it('prove knowledge of verifiable encryption of 1 message from 1st signature', () => {
-    proveAndVerifySingle(sigParams1, sigPk1, messages1, sig1, 'public test label 1');
+    proveAndVerifySingle(sigParams1, sigPk1, messages1, messages1AsStrings, sig1, 'public test label 1');
   }, 20000);
 
   it('prove knowledge of verifiable encryption of 1 message from 2nd signature', () => {
-    proveAndVerifySingle(sigParams2, sigPk2, messages2, sig2, 'public test label 2');
+    proveAndVerifySingle(sigParams2, sigPk2, messages2, messages2AsStrings, sig2, 'public test label 2');
   }, 20000);
 
   it('prove knowledge of verifiable encryption of 1 message from both signatures', () => {

tests/saver.spec.ts

@@ -12,6 +12,7 @@ import {
   SaverEncryptionKeyUncompressed,
   SaverProvingKey,
   SaverProvingKeyUncompressed,
+  SaverSecretKey,
   SaverVerifyingKey,
   SaverVerifyingKeyUncompressed
 } from '../src';
@@ -59,22 +60,23 @@ describe('SAVER setup', () => {
   });
 
   it('do setup for decryptor', () => {
-    expect(getChunkBitSize()).toEqual(8);
+    expect(getChunkBitSize()).toEqual(16);
     expect(getChunkBitSize(4)).toEqual(4);
     expect(getChunkBitSize(8)).toEqual(8);
+    expect(getChunkBitSize(16)).toEqual(16);
     expect(() => getChunkBitSize(2)).toThrow();
     expect(() => getChunkBitSize(3)).toThrow();
     expect(() => getChunkBitSize(10)).toThrow();
-    expect(() => getChunkBitSize(16)).toThrow();
+    expect(() => getChunkBitSize(17)).toThrow();
 
     expect(() => SaverDecryptor.setup(encGens, 2)).toThrow();
     expect(() => SaverDecryptor.setup(encGens, 3)).toThrow();
     expect(() => SaverDecryptor.setup(encGens, 10)).toThrow();
-    expect(() => SaverDecryptor.setup(encGens, 16)).toThrow();
+    expect(() => SaverDecryptor.setup(encGens, 17)).toThrow();
 
-    const [snarkPk, sk, ek, dk] = SaverDecryptor.setup(encGens, 8);
+    const [snarkPk, sk, ek, dk] = SaverDecryptor.setup(encGens, 16);
     expect(snarkPk instanceof SaverProvingKey).toBe(true);
-    expect(sk instanceof Uint8Array).toBe(true);
+    expect(sk instanceof SaverSecretKey).toBe(true);
     expect(ek instanceof SaverEncryptionKey).toBe(true);
     expect(dk instanceof SaverDecryptionKey).toBe(true);
 

tests/utils.ts

@@ -18,6 +18,11 @@ export function areUint8ArraysEqual(arr1: Uint8Array, arr2: Uint8Array): boolean
   return true;
 }
 
+/**
+ * Given messages and indices to reveal, returns 2 maps, one for revealed messages and one for unrevealed
+ * @param messages
+ * @param revealedIndices
+ */
 export function getRevealedUnrevealed(
   messages: Uint8Array[],
   revealedIndices: Set<number>