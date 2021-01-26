GooSig

GooSig was created for the Handshake Project to address a very specific problem: an airdrop to Github users' RSA keys allows Github users to be identified on-chain. In order to anonymize who is receiving coins from the airdrop, cryptographic trickery is required: GooSig allows the creation of signatures originating from RSA private keys without revealing the RSA public key.

GooSig makes use of (G)roups of Unkn(o)wn (O)rder, and implements a cryptographic protocol devised by Dan Boneh and Riad S. Wahby at the Stanford Center for Blockchain Research. It was originally ported from the python reference implementation to javascript, but has since been implemented in C as well.

Usage

const Goo = require ( 'goosig' ); const rsa = require ( 'bcrypto/lib/rsa' ); const priv = rsa.privateKeyGenerate( 2048 ); const pub = rsa.publicKeyCreate(priv); const goo = new Goo(Goo.RSA2048, 2 , 3 ); const s_prime = goo.generate(); const C1 = goo.challenge(s_prime, pub); const ct = goo.encrypt(s_prime, pub); const pt = goo.decrypt(ct, priv); pt.equals(s_prime) === true ; const msg = Buffer.alloc( 32 , 0xff ); const sig = goo.sign(msg, s_prime, priv); const result = goo.verify(msg, sig, C1); result === true ;

Moduli

The design of GooSig requires a public RSA modulus whose prime factorization is unknown.

In the early 1990s, RSA Labs generated several RSA moduli for the RSA factoring challenge. RSA Labs claims to have destroyed the hard drives containing the primes.

There are 4 built-in moduli exposed on the Goo object.

AOL1 - America Online Root CA 1 (now defunct) (2048 bit).

AOL2 - America Online Root CA 2 (now defunct) (4096 bit) - notable for being one of the few 4096 bit moduli in the wild.

RSA2048 - From the RSA factoring challenge, and at one point had a $200,000 bounty on it (2048 bit).

RSA617 - Also from the factoring challenge (2048 bit). Generated later, in 1997.

Original Links (archive.org):

The above links are preserved in the /etc directory.

The modulus definitions reside in lib/constants.js.

Benchmarks

GooSig verifications are fairly complex and difficult to optimize. C verification time is currently around 1ms with highend consumer-grade hardware. We hope to get sub-1ms verification times by mainnet launch.

Javascript

Timings for 4096 -bit RSA GoUO, 2048-bit Signer PK: ◷ Generation: 64.00 ms, σ=5.71 ms, max=84.65 ms, min=60.80 ms ◷ Signing: 1097.95 ms, σ=48.20 ms, max=1196.90 ms, min=1025.47 ms ◷ Verifying: 61.25 ms, σ=6.40 ms, max=83.81 ms, min=58.02 ms Timings for 4096 -bit RSA GoUO, 4096-bit Signer PK: ◷ Generation: 65.08 ms, σ=2.29 ms, max=71.01 ms, min=63.59 ms ◷ Signing: 1768.06 ms, σ=284.67 ms, max=2469.98 ms, min=1526.67 ms ◷ Verifying: 59.30 ms, σ=0.66 ms, max=60.51 ms, min=58.26 ms Timings for 2048 -bit RSA GoUO, 2048-bit Signer PK: ◷ Generation: 10.77 ms, σ=0.40 ms, max=12.10 ms, min=10.45 ms ◷ Signing: 303.64 ms, σ=27.47 ms, max=372.32 ms, min=267.90 ms ◷ Verifying: 20.31 ms, σ=0.86 ms, max=22.36 ms, min=19.60 ms Timings for 2048 -bit RSA GoUO, 4096-bit Signer PK: ◷ Generation: 31.74 ms, σ=0.66 ms, max=33.81 ms, min=30.98 ms ◷ Signing: 779.28 ms, σ=163.26 ms, max=1261.87 ms, min=589.59 ms ◷ Verifying: 20.46 ms, σ=1.85 ms, max=27.17 ms, min=19.62 ms

C (libgmp)

Timings for 4096 -bit RSA GoUO, 2048-bit Signer PK: ◷ Generation: 6.21 ms, σ=0.26 ms, max=7.11 ms, min=6.03 ms ◷ Signing: 95.29 ms, σ=7.54 ms, max=123.13 ms, min=91.12 ms ◷ Verifying: 4.15 ms, σ=0.17 ms, max=4.79 ms, min=4.06 ms Timings for 4096 -bit RSA GoUO, 4096-bit Signer PK: ◷ Generation: 6.37 ms, σ=0.12 ms, max=6.71 ms, min=6.24 ms ◷ Signing: 153.96 ms, σ=15.93 ms, max=194.38 ms, min=136.60 ms ◷ Verifying: 4.32 ms, σ=0.84 ms, max=7.47 ms, min=4.04 ms Timings for 2048 -bit RSA GoUO, 2048-bit Signer PK: ◷ Generation: 1.19 ms, σ=0.23 ms, max=2.03 ms, min=1.12 ms ◷ Signing: 26.22 ms, σ=3.92 ms, max=40.60 ms, min=23.92 ms ◷ Verifying: 1.34 ms, σ=0.02 ms, max=1.37 ms, min=1.31 ms Timings for 2048 -bit RSA GoUO, 4096-bit Signer PK: ◷ Generation: 3.93 ms, σ=0.11 ms, max=4.18 ms, min=3.81 ms ◷ Signing: 69.51 ms, σ=13.73 ms, max=97.56 ms, min=48.25 ms ◷ Verifying: 1.38 ms, σ=0.18 ms, max=2.04 ms, min=1.32 ms

Contribution and License Agreement

If you contribute code to this project, you are implicitly allowing your code to be distributed under the MIT license. You are also implicitly verifying that all code is your original work. </legalese>

License

Parts of this software are based on libGooPy.

libGooPy

Copyright (c) 2018, Dan Boneh, Riad S. Wahby (Apache License).

Copyright (c) 2018, Christopher Jeffrey (MIT License).

See LICENSE for more info.