[3392] BBS update: optimize D definition in proof gen.

Signed-off-by: Sergey Minaev <[email protected]>

pkg/crypto/primitive/bbs12381g2pub/bbs_test.go

@@ -166,7 +166,7 @@ func TestBBSG2Pub_VerifyProof_SeveralDisclosedMessages(t *testing.T) {
 	pkBytes, err := privateKey.PublicKey().Marshal()
 	require.NoError(t, err)
 
-	proofBytes := hexStringToBytesTest(t, "000a000589bb7f2662f787a87e205fd2f0b6b130e26040cf709359e5cb734b545f461c7fdd8cc35ef85ade32efa449d8c6712a7690f205b468dac30eae9e28da3cea5372520fac0f2a80c16aec7e420ed3c04ec5cca8cb32bfa91083fc106129a9035c3088cc8cdbe6ed083962e7e34562928734d9cec9bcb0ad9355116709f844402cbfe8ad0b542199b5b3adf5132cc96d594700000074943803ea10df094657ac0277aa9ae8738bade0898163c22bce7fd9d986ec07ae58920888026df450dfe2fe46f65ef290000000026e3bdf3df40df5885b9962cacacae6c7687f04c2c673a1f23cb73b067461ca9d646c1616afde5cd0911a752e4dc45dd493b7b0faa695688c3cf387edd3d9d48891e949783029b20e4c5a4480f64238a680f5e48dffcffd61dcd08a2e354634ac73cdc7612c2adfabfaef736f7288da1e0000000a5ed77af0675487ebbdaaa73ebc0d2235804928dd603326878aedd9714be745bb187d6188b10a42ea38da50a76d0c3308e8f101c0ea71f5caa99d0ddca929252328904bd2c92bd1ca9fdff5197c8fb66ff3323aae22180ccd672bb92086bc8b57496d36667bf9ed67a63763d75d3e71fcda6ff5e15399dda6432558238090cfea4da5c52986a874d4da93c231b78365ccb0370c3fb8cf10de36726fc283151d8954e8594209733e772226424b619d3f692236b65f244c121d8e11415d7f9e245015341d76585f3e3257304b0b894ac6fa3357c500da7c8aa15dfa3c1b7cca1da0375e63c9f6b062b02fdce1860e216b5fbd86bd5a3c5838a8cb87467b06f07c1360ba28286e40bdf07c954685c6dd2f64b9ae986fd3079834148eea0a44869b8d71421ae35157f0641db09bf7728606e7d7e6f6cf133a3e2db80940638f39be61") //nolint:lll
+	proofBytes := hexStringToBytesTest(t, "000a0005820930990a3481f389a845ee9f81d0d32988308206fb855b8cdbc325e03b2e2d01fdd774ea83542dec75e9474b8dc4678b983f06aa58d00e88abd7bed4378eb6a909ae79f4f2ddb798a20e6467b11e1ba516fc388acb6b88462dc8311807a56b87a76929a331e2fc996d750657d2a1bfcb3df60e53775d5656d1ee62e526eb7cb6386aecd7a87d3d546f1843094ee0db00000074a9b7e161a2b32bcc48ae6ee263967cfc60980b7f18e88d2216ccebb52f2656b02de12bc0045f667b6ea50f3a58f2b895000000023392d8b8958f20d88345f666538794bcf688d3ddf9bcb53a3e7ff2b592bc2a8810fa643a1e262db5747f754687312aada9c62f86472aeab858aff948462d80b0b5a8878c9245ed2873b68f70a60a9c7d8fea9518b2a975a5cc4179a1619cdebf75c549e0a00cf1c4e38d415f46b01c250000000a23d535e387835f8550a588159608729ab8b407684eb6791bf80d0816fe14e0e62fd86bc7fd472656b18e59a4fa6db45d4e92d99753f8bdaefee58be8d8ad6e03494a77ed190b1bb31924a7e9aa1033203caa8e04df000ebd2c5cf64eeeb1a10e698e1acb9a451f7479a48d84fb7baa8338bae18aa91613ebbf9482c0346787e4521962006a1cdd032fafedcb32ff7aa697f694a903033adbedcdee0baec8953f644b3b8780623501cc7ba52ace8dc8d967be4c0e78b7d767f0b1bb9ffa8b4be16264ac5ad8d82c3500cc3bc4471ba981e7bbcab089bbe63d19a72fd28168f3d9595729254b9367435a594d4d6b750f2306f2d8dc9a8264fb8c12d8bd8eba0acb4429de451f1b53278fa312e5145783d80eaf64db2e302d935e3052fa38844259445f710a875885f184f9305f878b045384e12dda0f28cadec8912b1daec9a121") //nolint:lll
 
 	// TODO   "header": "11223344556677889900aabbccddeeff"
 	nonce := hexStringToBytesTest(t, "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501")
@@ -201,7 +201,7 @@ func TestBBSG2Pub_VerifyProof_SeveralDisclosedMessages(t *testing.T) {
 		proofBytesCopy := make([]byte, len(proofBytes))
 
 		copy(proofBytesCopy, proofBytes)
-		proofBytesCopy[21] = 255 - proofBytesCopy[21]
+		proofBytesCopy[22] = 255 - proofBytesCopy[22]
 
 		err = bls.VerifyProof(revealedMessagesBytes, proofBytesCopy, nonce, pkBytes)
 		require.Error(t, err)

pkg/crypto/primitive/bbs12381g2pub/proof_of_knowledge.go

@@ -53,6 +53,7 @@ func NewPoKOfSignature(signature *Signature, messages []*SignatureMessage, revea
 	cbD.add(b, r1)
 	cbD.add(pubKey.q1, r2)
 	d := cbD.build()
+	g1.Neg(d, d)
 
 	sPrime := bls12381.NewFr()
 	sPrime.Mul(r2, r3)
@@ -131,7 +132,7 @@ func newVC2Signature(d *bls12381.PointG1, r3 *bls12381.Fr, pubKey *PublicKeyWith
 		secrets2 = append(secrets2, hiddenFRCopy)
 	}
 
-	pokVC2 := committing2.FinishNegFirst()
+	pokVC2 := committing2.Finish()
 
 	return pokVC2, secrets2
 }
@@ -215,24 +216,3 @@ func (pc *ProverCommittingG1) Finish() *ProverCommittedG1 {
 		commitment:      commitment,
 	}
 }
-
-// FinishNegFirst is modified Finish() for case where first element should be neg while calc
-// TODO: this is a hack to align the current impl and a draft update of BBS spec.
-// As soon as the spec would be stable enough, this should be removed
-// and probably some re-design of helpers and/or structures will be required.
-func (pc *ProverCommittingG1) FinishNegFirst() *ProverCommittedG1 {
-	blindings := make([]*bls12381.Fr, len(pc.blindingFactors))
-	copy(blindings, pc.blindingFactors)
-
-	negFirst := bls12381.NewFr()
-
-	negFirst.Neg(blindings[0])
-	blindings[0] = negFirst
-	commitment := sumOfG1Products(pc.bases, blindings)
-
-	return &ProverCommittedG1{
-		bases:           pc.bases,
-		blindingFactors: pc.blindingFactors,
-		commitment:      commitment,
-	}
-}

pkg/crypto/primitive/bbs12381g2pub/signature_proof.go

@@ -56,7 +56,7 @@ func (sp *PoKOfSignatureProof) Verify(challenge *bls12381.Fr, pubKey *PublicKeyW
 func (sp *PoKOfSignatureProof) verifyVC1Proof(challenge *bls12381.Fr, pubKey *PublicKeyWithGenerators) error {
 	basesVC1 := []*bls12381.PointG1{sp.aPrime, pubKey.q1}
 	aBarD := new(bls12381.PointG1)
-	g1.Sub(aBarD, sp.aBar, sp.d)
+	g1.Add(aBarD, sp.aBar, sp.d)
 
 	err := sp.proofVC1.Verify(basesVC1, aBarD, challenge)
 	if err != nil {
@@ -70,14 +70,11 @@ func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *bls12381.Fr, pubKey *Pu
 	revealedMessages map[int]*SignatureMessage, messages []*SignatureMessage) error {
 	revealedMessagesCount := len(revealedMessages)
 
-	negD := g1.New()
-	g1.Neg(negD, sp.d)
-
 	bindingBasis := g1.One()
 	bindingExp := bls12381.NewFr().One()
 
 	basesVC2 := make([]*bls12381.PointG1, 0, 2+pubKey.messagesCount-revealedMessagesCount)
-	basesVC2 = append(basesVC2, negD, pubKey.q1)
+	basesVC2 = append(basesVC2, sp.d, pubKey.q1)
 
 	disclousedElementsCnt := 1 /* binding */ + 1 /* domain */ + revealedMessagesCount
 	basesDisclosed := make([]*bls12381.PointG1, 0, disclousedElementsCnt)