Use zeroize to zero memory of sensitive objects on Drop, remove un-necessary member from Saver subprotocol, more docs and several refactorings

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

README.md

@@ -11,7 +11,7 @@ Library providing privacy enhancing cryptographic primitives.
 1. [Schnorr proof of knowledge protocol](./schnorr_pok) to prove knowledge of discrete log. [This](https://crypto.stanford.edu/cs355/19sp/lec5.pdf) is a good reference. 
 2. [BBS+ signature](./bbs_plus) for anonymous credentials. Based on the paper [Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited](https://eprint.iacr.org/2016/663)
 3. [Dynamic accumulators, both positive and universal](./vb_accumulator). Based on the paper [Dynamic Universal Accumulator with Batch Update over Bilinear Groups](https://eprint.iacr.org/2020/777)
-4. [Proof system](./proof_system) that combines above primitives for use cases like prove knowledge of a BBS+ signature and the corresponding messages and the (non)membership of a certain message in the accumulator.
+4. [Composite proof system](./proof_system) that combines above primitives for use cases like prove knowledge of a BBS+ signature and the corresponding messages and the (non)membership of a certain message(s) in the accumulator. Also numeric bounds (min, max) on the messages can be proved in zero-knowledge and verifiable encryption of messages is also supported.
 5. [Verifiable encryption](./saver) using [SAVER](https://eprint.iacr.org/2019/1270).
 6. [Compression and amortization of Sigma protocols](./compressed_sigma). This is PoC implementation.
 

bbs_plus/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bbs_plus"
-version = "0.6.0"
+version = "0.7.0"
 edition = "2021"
 authors = ["Dock.io"]
 license = "Apache-2.0"
@@ -18,10 +18,11 @@ ark-ec = { version = "^0.3.0", default-features = false }
 ark-std = { version = "^0.3.0", default-features = false }
 digest = "0.9"
 rayon = { version = "1", optional = true }
-schnorr_pok = { version = "0.5.0", default-features = false, path = "../schnorr_pok" }
+schnorr_pok = { version = "0.6.0", default-features = false, path = "../schnorr_pok" }
 dock_crypto_utils = { version = "0.4.0", default-features = false, path = "../utils" }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_with = { version = "1.10.0", default-features = false, features = ["macros"] }
+zeroize = { version = "1.5.5", features = ["derive"] }
 
 [dev-dependencies]
 blake2 = { version = "0.9", default-features = false }

bbs_plus/README.md

@@ -5,6 +5,16 @@ Provides
 - signature creation and verification in both groups G1 and G2.
 - proof of knowledge of signature and corresponding messages in group G1 as that is more efficient.
 
+### Modules
+
+1. Signature parameters and key generation module - [`setup`]
+2. Signature module - [`signature`]
+3. Proof of knowledge of signature module - [`proof`]
+
 The implementation tries to use the same variable names as the paper and thus violate Rust's naming conventions at places.
 
+[`setup`]: crate::setup
+[`signature`]: crate::signature
+[`proof`]: crate::proof
+
 License: Apache-2.0

bbs_plus/src/lib.rs

@@ -6,7 +6,17 @@
 //! - signature creation and verification in both groups G1 and G2.
 //! - proof of knowledge of signature and corresponding messages in group G1 as that is more efficient.
 //!
+//! ## Modules
+//!
+//! 1. Signature parameters and key generation module - [`setup`]
+//! 2. Signature module - [`signature`]
+//! 3. Proof of knowledge of signature module - [`proof`]
+//!
 //! The implementation tries to use the same variable names as the paper and thus violate Rust's naming conventions at places.
+//!
+//! [`setup`]: crate::setup
+//! [`signature`]: crate::signature
+//! [`proof`]: crate::proof
 
 pub mod error;
 pub mod proof;

bbs_plus/src/proof.rs

@@ -1,5 +1,4 @@
 //! Proof of knowledge of the signature and corresponding messages as per section 4.5 of the paper
-//! <https://eprint.iacr.org/2016/663.pdf>
 //! # Examples
 //!
 //! Creating proof of knowledge of signature and verifying it:
@@ -14,12 +13,23 @@
 //! let params_g1 = SignatureParamsG1::<Bls12_381>::generate_using_rng(&mut rng, 5);
 //! let keypair_g2 = KeypairG2::<Bls12_381>::generate(&mut rng, &params_g1);
 //!
+//! let pk_g2 = &keypair_g2.public_key;
+//!
+//! // Verifiers should check that the signature parameters and public key are valid before verifying
+//! // any signatures. This just needs to be done once when the verifier fetches/receives them.
+//!
+//! assert!(params_g1.is_valid());
+//! assert!(pk_g2.is_valid());
+//!
 //! // `messages` contains elements of the scalar field
 //! let sig_g1 = SignatureG1::<Bls12_381>::new(&mut rng, &messages, &keypair_g2.secret_key, &params_g1).unwrap();
+//!
 //! let mut blindings = BTreeMap::new();
 //! let mut revealed_indices = BTreeSet::new();
-//! // Populate blindings with message index and corresponding blinding
-//! // Populate revealed_indices with 0-based indices of revealed messages
+//!
+//! // Populate `blindings` with message index and corresponding blinding
+//! // Populate `revealed_indices` with 0-based indices of revealed messages
+//!
 //! let pok = PoKOfSignatureG1Protocol::init(
 //!             &mut rng,
 //!             &sig_g1,
@@ -38,7 +48,7 @@
 //!             .verify(
 //!                 &revealed_msgs,
 //!                 &challenge,
-//!                 &keypair_g2.public_key,
+//!                 pk_g2,
 //!                 &params_g1,
 //!             )
 //!             .unwrap();
@@ -67,6 +77,7 @@ use schnorr_pok::{error::SchnorrError, SchnorrCommitment, SchnorrResponse};
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
 pub use serialization::*;
+use zeroize::Zeroize;
 
 /// Proof of knowledge of BBS+ signature in group G1
 /// The BBS+ signature proves validity of a set of messages {m_i}, i in I. This stateful protocol proves knowledge of such
@@ -334,11 +345,28 @@ where
     }
 }
 
+impl<E: PairingEngine> Zeroize for PoKOfSignatureG1Protocol<E> {
+    fn zeroize(&mut self) {
+        // Other members of `self` are public anyway
+        self.sc_comm_1.zeroize();
+        self.sc_wits_1.zeroize();
+        self.sc_comm_2.zeroize();
+        self.sc_wits_2.zeroize();
+    }
+}
+
+impl<E: PairingEngine> Drop for PoKOfSignatureG1Protocol<E> {
+    fn drop(&mut self) {
+        self.zeroize();
+    }
+}
+
 impl<E> PoKOfSignatureG1Proof<E>
 where
     E: PairingEngine,
 {
-    /// Verify if the proof is valid
+    /// Verify if the proof is valid. Assumes that the public key and parameters have been
+    /// validated already.
     pub fn verify(
         &self,
         revealed_msgs: &BTreeMap<usize, E::Fr>,
@@ -675,22 +703,23 @@ mod tests {
         let proof = pok.gen_proof(&challenge_prover).unwrap();
         proof_create_duration += start.elapsed();
 
+        let public_key = &keypair.public_key;
+        assert!(params.is_valid());
+        assert!(public_key.is_valid());
+
         let mut chal_bytes_verifier = vec![];
         proof
             .challenge_contribution(&revealed_msgs, &params, &mut chal_bytes_verifier)
             .unwrap();
         let challenge_verifier =
             compute_random_oracle_challenge::<Fr, Blake2b>(&chal_bytes_verifier);
 
+        assert_eq!(chal_bytes_prover, chal_bytes_verifier);
+
         let mut proof_verif_duration = Duration::default();
         let start = Instant::now();
         proof
-            .verify(
-                &revealed_msgs,
-                &challenge_verifier,
-                &keypair.public_key,
-                &params,
-            )
+            .verify(&revealed_msgs, &challenge_verifier, public_key, &params)
             .unwrap();
         proof_verif_duration += start.elapsed();
 

bbs_plus/src/setup.rs

@@ -44,6 +44,7 @@ use ark_std::{
 };
 use digest::{BlockInput, Digest, FixedOutput, Reset, Update};
 use schnorr_pok::{error::SchnorrError, impl_proof_of_knowledge_of_discrete_log};
+use zeroize::Zeroize;
 
 use dock_crypto_utils::hashing_utils::{
     field_elem_from_seed, projective_group_elem_from_try_and_incr,
@@ -58,10 +59,24 @@ use serde_with::serde_as;
 /// Secret key used by the signer to sign messages
 #[serde_as]
 #[derive(
-    Clone, PartialEq, Eq, Debug, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+    Clone,
+    PartialEq,
+    Eq,
+    Debug,
+    CanonicalSerialize,
+    CanonicalDeserialize,
+    Serialize,
+    Deserialize,
+    Zeroize,
 )]
 pub struct SecretKey<F: PrimeField + SquareRootField>(#[serde_as(as = "FieldBytes")] pub F);
 
+impl<F: PrimeField + SquareRootField> Drop for SecretKey<F> {
+    fn drop(&mut self) {
+        self.zeroize();
+    }
+}
+
 // TODO: Add "prepared" version of public key
 
 impl<F: PrimeField + SquareRootField> SecretKey<F> {
@@ -166,7 +181,9 @@ macro_rules! impl_sig_params {
                 }
             }
 
-            /// Check that all group elements are non-zero (returns false if any element is zero)
+            /// Check that all group elements are non-zero (returns false if any element is zero).
+            /// A verifier on receiving these parameters must first check that they are valid and only
+            /// then use them for any signature or proof of knowledge of signature verification.
             pub fn is_valid(&self) -> bool {
                 !(self.g1.is_zero()
                     || self.g2.is_zero()
@@ -274,7 +291,8 @@ macro_rules! impl_public_key {
                 Self(params.g2.mul(secret_key.0.into_repr()).into())
             }
 
-            /// Public key shouldn't be 0
+            /// Public key shouldn't be 0. A verifier on receiving this must first check that its
+            /// valid and only then use it for any signature or proof of knowledge of signature verification.
             pub fn is_valid(&self) -> bool {
                 !self.0.is_zero()
             }
@@ -300,6 +318,18 @@ macro_rules! impl_keypair {
             pub public_key: $pk<E>,
         }
 
+        impl<E: PairingEngine> Zeroize for $name<E> {
+            fn zeroize(&mut self) {
+                self.secret_key.zeroize();
+            }
+        }
+
+        impl<E: PairingEngine> Drop for $name<E> {
+            fn drop(&mut self) {
+                self.zeroize();
+            }
+        }
+
         /// Create a secret key and corresponding public key
         impl<E: PairingEngine> $name<E> {
             pub fn generate_using_seed<D>(seed: &[u8], params: &$params<E>) -> Self
@@ -366,8 +396,8 @@ mod tests {
             let keypair = $keypair::<Bls12_381>::generate_using_rng(&mut $rng, &params);
             test_serialization!($keypair<Bls12_381>, keypair);
 
-            let pk = keypair.public_key;
-            let sk = keypair.secret_key;
+            let pk = keypair.public_key.clone();
+            let sk = keypair.secret_key.clone();
             test_serialization!($public_key<Bls12_381>, pk);
             test_serialization!(SecretKey<<Bls12_381 as PairingEngine>::Fr>, sk);
         };
@@ -405,10 +435,12 @@ mod tests {
             assert_eq!(
                 keypair,
                 $keypair {
-                    secret_key: sk,
+                    secret_key: sk.clone(),
                     public_key: pk
                 }
             );
+            drop(sk);
+            drop(keypair);
         };
     }