From 230c1248a201235788859fcc29344010e0abc057 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Wed, 14 Jun 2023 10:31:32 +0530 Subject: [PATCH 01/15] add module level docs --- src/zkp/pifac.rs | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index 0ae0aed9..b00acfc8 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs @@ -6,7 +6,15 @@ // License, Version 2.0 found in the LICENSE-APACHE file in the root directory // of this source tree. -//! Implements the ZKP from Figure 28 of +//! Implements a zero-knowledge proof that the modulus N can be factored into +//! two numbers greater than 2^ell for a parameter ell. +//! +//! The proof is defined in Figure 28 of CGGMP[^cite], and uses a standard +//! Fiat-Shamir transformation to make the proof non-interactive. +//! +//! [^cite]: Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled. +//! UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts. +//! [EPrint archive, 2021](https://eprint.iacr.org/2021/060.pdf). use crate::{ errors::*, @@ -24,6 +32,8 @@ use std::fmt::Debug; use tracing::error; use zeroize::ZeroizeOnDrop; +/// Proof that the modulus N can be factored into two numbers greater than 2^ell +/// for a parameter ell. #[derive(Debug, Serialize, Deserialize, Clone)] pub(crate) struct PiFacProof { P: Commitment, @@ -39,6 +49,7 @@ pub(crate) struct PiFacProof { v: MaskedRandomness, } +/// Common input and setup parameters known to both the prover and verifier. #[derive(Serialize)] pub(crate) struct PiFacInput { setup_params: VerifiedRingPedersen, @@ -46,6 +57,7 @@ pub(crate) struct PiFacInput { } impl PiFacInput { + /// Generate public input for proving and verifying [`PiFacProof`] about N. pub(crate) fn new(setup_params: &VerifiedRingPedersen, N0: &BigNumber) -> Self { Self { setup_params: setup_params.clone(), 
@@ -54,6 +66,8 @@ impl PiFacInput { } } +/// The prover's secret knowledge: the factors p and q of the modulus N where N +/// = pq. #[derive(ZeroizeOnDrop)] pub(crate) struct PiFacSecret { p: BigNumber, From baf6c73caa6d250ae38a655ac4d3c1d236f807d7 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Wed, 14 Jun 2023 10:49:04 +0530 Subject: [PATCH 02/15] commoninput and proversecret names updated --- src/auxinfo/proof.rs | 8 ++++---- src/zkp/pifac.rs | 40 ++++++++++++++++++++-------------------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/auxinfo/proof.rs b/src/auxinfo/proof.rs index a5cf2704..e0555c61 100644 --- a/src/auxinfo/proof.rs +++ b/src/auxinfo/proof.rs @@ -13,7 +13,7 @@ use crate::{ participant::InnerProtocolParticipant, ring_pedersen::VerifiedRingPedersen, zkp::{ - pifac::{PiFacInput, PiFacProof, PiFacSecret}, + pifac::{CommonInput, PiFacProof, ProverSecret}, pimod::{PiModInput, PiModProof, PiModSecret}, Proof, ProofContext, }, @@ -77,8 +77,8 @@ impl AuxInfoProof { )?; Self::append_pifac_transcript(&mut transcript, context, sid, rho)?; let pifac = PiFacProof::prove( - &PiFacInput::new(verifier_params, N), - &PiFacSecret::new(p, q), + &CommonInput::new(verifier_params, N), + &ProverSecret::new(p, q), context, &mut transcript, rng, @@ -107,7 +107,7 @@ impl AuxInfoProof { .verify(&PiModInput::new(N), context, &mut transcript)?; Self::append_pifac_transcript(&mut transcript, context, sid, rho)?; self.pifac.verify( - &PiFacInput::new(verifier_params, N), + &CommonInput::new(verifier_params, N), context, &mut transcript, )?; diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index b00acfc8..7314ddb3 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs 
@@ -51,12 +51,12 @@ pub(crate) struct PiFacProof { /// Common input and setup parameters known to both the prover and verifier. #[derive(Serialize)] -pub(crate) struct PiFacInput { +pub(crate) struct CommonInput { setup_params: VerifiedRingPedersen, N0: BigNumber, } -impl PiFacInput { +impl CommonInput { /// Generate public input for proving and verifying [`PiFacProof`] about N. pub(crate) fn new(setup_params: &VerifiedRingPedersen, N0: &BigNumber) -> Self { Self { @@ -69,12 +69,12 @@ impl PiFacInput { /// The prover's secret knowledge: the factors p and q of the modulus N where N /// = pq. #[derive(ZeroizeOnDrop)] -pub(crate) struct PiFacSecret { +pub(crate) struct ProverSecret { p: BigNumber, q: BigNumber, } -impl Debug for PiFacSecret { +impl Debug for ProverSecret { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { f.debug_struct("pifac::Secret") .field("p", &"[redacted]") @@ -83,7 +83,7 @@ impl Debug for PiFacSecret { } } -impl PiFacSecret { +impl ProverSecret { pub(crate) fn new(p: &BigNumber, q: &BigNumber) -> Self { Self { p: p.clone(), @@ -93,8 +93,8 @@ impl PiFacSecret { } impl Proof for PiFacProof { - type CommonInput = PiFacInput; - type ProverSecret = PiFacSecret; + type CommonInput = CommonInput; + type ProverSecret = ProverSecret; #[cfg_attr(feature = "flame_it", flame("PiFacProof"))] fn prove( input: &Self::CommonInput, @@ -241,7 +241,7 @@ impl PiFacProof { fn fill_transcript( transcript: &mut Transcript, context: &impl ProofContext, - input: &PiFacInput, + input: &CommonInput, P: &Commitment, Q: &Commitment, A: &Commitment, 
@@ -283,16 +283,16 @@ mod tests { fn random_no_small_factors_proof( rng: &mut R, - ) -> Result<(PiFacInput, PiFacProof)> { + ) -> Result<(CommonInput, PiFacProof)> { let (p0, q0) = prime_gen::get_prime_pair_from_pool_insecure(rng).unwrap(); let N0 = &p0 * &q0; let setup_params = VerifiedRingPedersen::gen(rng, &())?; let mut transcript = Transcript::new(b"PiFac Test"); - let input = PiFacInput::new(&setup_params, &N0); + let input = CommonInput::new(&setup_params, &N0); let proof = PiFacProof::prove( &input, - &PiFacSecret::new(&p0, &q0), + &ProverSecret::new(&p0, &q0), &(), &mut transcript, rng, @@ -328,7 +328,7 @@ mod tests { let (input, proof) = random_no_small_factors_proof(&mut rng)?; { - let incorrect_N = PiFacInput::new( + let incorrect_N = CommonInput::new( &input.setup_params, &prime_gen::try_get_prime_from_pool_insecure(&mut rng).unwrap(), ); @@ -337,7 +337,7 @@ mod tests { } { let incorrect_startup_params = - PiFacInput::new(&VerifiedRingPedersen::gen(&mut rng, &())?, &input.N0); + CommonInput::new(&VerifiedRingPedersen::gen(&mut rng, &())?, &input.N0); let mut transcript = Transcript::new(b"PiFac Test"); assert!(proof .verify(&incorrect_startup_params, &(), &mut transcript) @@ -348,7 +348,7 @@ mod tests { let (not_p0, not_q0) = prime_gen::get_prime_pair_from_pool_insecure(&mut rng).unwrap(); let incorrect_factors = PiFacProof::prove( &input, - &PiFacSecret::new(¬_p0, ¬_q0), + &ProverSecret::new(¬_p0, ¬_q0), &(), &mut transcript, &mut rng, @@ -362,10 +362,10 @@ mod tests { let small_p = BigNumber::from(7u64); let small_q = BigNumber::from(11u64); let setup_params = VerifiedRingPedersen::gen(&mut rng, &())?; - let small_input = PiFacInput::new(&setup_params, &(&small_p * &small_q)); + let small_input = CommonInput::new(&setup_params, &(&small_p * &small_q)); let small_proof = PiFacProof::prove( &input, - &PiFacSecret::new(&small_p, &small_q), + &ProverSecret::new(&small_p, &small_q), &(), &mut transcript, &mut rng, 
@@ -377,10 +377,10 @@ mod tests { let mut transcript = Transcript::new(b"PiFac Test"); let regular_sized_q = prime_gen::try_get_prime_from_pool_insecure(&mut rng).unwrap(); - let mixed_input = PiFacInput::new(&setup_params, &(&small_p * ®ular_sized_q)); + let mixed_input = CommonInput::new(&setup_params, &(&small_p * ®ular_sized_q)); let mixed_proof = PiFacProof::prove( &input, - &PiFacSecret::new(&small_p, ®ular_sized_q), + &ProverSecret::new(&small_p, ®ular_sized_q), &(), &mut transcript, &mut rng, @@ -393,10 +393,10 @@ mod tests { let mut transcript = Transcript::new(b"PiFac Test"); let small_fac_p = ¬_p0 * &BigNumber::from(2u64); let small_fac_input = - PiFacInput::new(&setup_params, &(&small_fac_p * ®ular_sized_q)); + CommonInput::new(&setup_params, &(&small_fac_p * ®ular_sized_q)); let small_fac_proof = PiFacProof::prove( &input, - &PiFacSecret::new(&small_fac_p, ®ular_sized_q), + &ProverSecret::new(&small_fac_p, ®ular_sized_q), &(), &mut transcript, &mut rng, From 06f9097ff8d057e3ebb9f94373a2755c20d82700 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Wed, 14 Jun 2023 11:34:44 +0530 Subject: [PATCH 03/15] update field and struct names to be more descriptive and add docs --- src/zkp/pifac.rs | 72 +++++++++++++++++++++++++++--------------------- 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index 7314ddb3..101008de 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs 
@@ -36,16 +36,26 @@ use zeroize::ZeroizeOnDrop; /// for a parameter ell. #[derive(Debug, Serialize, Deserialize, Clone)] pub(crate) struct PiFacProof { - P: Commitment, - Q: Commitment, - A: Commitment, - B: Commitment, - T: Commitment, + /// Commitment to the factor p using randomness meu. + commitment_p: Commitment, + /// Commitment to the factor q using randomness neu. + commitment_q: Commitment, + /// Commitment to randomness alpha and x. + commitment_alpha: Commitment, + /// Commitment to randomness beta and y. + commitment_beta: Commitment, + /// Combination of commitment to Q using ring Pedersen parameter r. + commitment_combine_Q_r: Commitment, + /// Randomness for commitment. sigma: CommitmentRandomness, - z1: BigNumber, - z2: BigNumber, - w1: MaskedRandomness, - w2: MaskedRandomness, + /// Mask p with randomness alpha. + mask_alpha_p: BigNumber, + /// Mask q with randomness beta. + mask_beta_q: BigNumber, + /// Mask meu with randomness x. + maskedrandomness_meu: MaskedRandomness, + /// Mask neu with randomness y. + maskedrandomness_neu: MaskedRandomness, v: MaskedRandomness, } @@ -145,16 +155,16 @@ impl Proof for PiFacProof { let v = sigma_hat.remask(&r, &e); let proof = Self { - P, - Q, - A, - B, - T, + commitment_p: P, + commitment_q: Q, + commitment_alpha: A, + commitment_beta: B, + commitment_combine_Q_r: T, sigma, - z1, - z2, - w1, - w2, + mask_alpha_p: z1, + mask_beta_q: z2, + maskedrandomness_meu: w1, + maskedrandomness_neu: w2, v, }; Ok(proof) @@ -170,11 +180,11 @@ impl Proof for PiFacProof { transcript, context, input, - &self.P, - &self.Q, - &self.A, - &self.B, - &self.T, + &self.commitment_p, + &self.commitment_q, + &self.commitment_alpha, + &self.commitment_beta, + &self.commitment_combine_Q_r, &self.sigma, )?; 
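Review bot: The new field docs on `PiFacProof` spell the paper's Greek letters as `meu` and `neu` (docs of `commitment_p`, `commitment_q`, `maskedrandomness_meu`, `maskedrandomness_neu`); the symbols are `mu` and `nu`, and the field names should follow, e.g. `masked_randomness_mu`. `v` is the only field left without a doc comment while every sibling got one; from `prove` (visible in patch 07 on this page, `let v = sigma_hat.remask(&r, &e)` where `r` is `T`'s randomness) `/// Masked randomness of the `T` commitment (`v` in the paper).` would complete the set. The doc on `commitment_combine_Q_r` ("Combination of commitment to Q using ring Pedersen parameter r") does not say what value it hides; `prove` builds it with `commit_with_commitment(&Q, &alpha, …)`, so "Commitment to `alpha` relative to `Q` (`T` in the paper)" reads closer to the code. Later patches in the series rename these fields again, so the wording should be settled once rather than per rename.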
@@ -182,8 +192,8 @@ impl Proof for PiFacProof { let e = plusminus_challenge_from_transcript(transcript)?; let eq_check_1 = { - let lhs = input.setup_params.scheme().reconstruct(&self.z1, &self.w1); - let rhs = input.setup_params.scheme().combine(&self.A, &self.P, &e); + let lhs = input.setup_params.scheme().reconstruct(&self.mask_alpha_p, &self.maskedrandomness_meu); + let rhs = input.setup_params.scheme().combine(&self.commitment_alpha, &self.commitment_p, &e); lhs == rhs }; if !eq_check_1 { @@ -192,8 +202,8 @@ impl Proof for PiFacProof { } let eq_check_2 = { - let lhs = input.setup_params.scheme().reconstruct(&self.z2, &self.w2); - let rhs = input.setup_params.scheme().combine(&self.B, &self.Q, &e); + let lhs = input.setup_params.scheme().reconstruct(&self.mask_beta_q, &self.maskedrandomness_neu); + let rhs = input.setup_params.scheme().combine(&self.commitment_beta, &self.commitment_q, &e); lhs == rhs }; if !eq_check_2 { @@ -209,8 +219,8 @@ impl Proof for PiFacProof { let lhs = input .setup_params .scheme() - .reconstruct_with_commitment(&self.Q, &self.z1, &self.v); - let rhs = input.setup_params.scheme().combine(&self.T, &R, &e); + .reconstruct_with_commitment(&self.commitment_q, &self.mask_alpha_p, &self.v); + let rhs = input.setup_params.scheme().combine(&self.commitment_combine_Q_r, &R, &e); lhs == rhs }; if !eq_check_3 { @@ -223,11 +233,11 @@ impl Proof for PiFacProof { let two_ell_eps = BigNumber::one() << (ELL + EPSILON); // 2^{ELL + EPSILON} * sqrt(N_0) let z_bound = &sqrt_N0 * &two_ell_eps; - if self.z1 < -z_bound.clone() || self.z1 > z_bound { + if self.mask_alpha_p < -z_bound.clone() || self.mask_alpha_p > z_bound { error!("self.z1 > z_bound check failed"); return Err(InternalError::ProtocolError); } - if self.z2 < -z_bound.clone() || self.z2 > z_bound { + if self.mask_beta_q < -z_bound.clone() || self.mask_beta_q > z_bound { error!("self.z2 > z_bound check failed"); return Err(InternalError::ProtocolError); } 
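Review bot: The range checks now compare `self.mask_alpha_p` and `self.mask_beta_q`, but the failure branches still log `error!("self.z1 > z_bound check failed")` and `error!("self.z2 > z_bound check failed")`, so a verifier log line no longer matches any identifier in the source. The messages are also inaccurate: each `if` rejects both `< -z_bound` and `> z_bound`, not only `>`; `error!("mask_alpha_p out of range [-z_bound, z_bound]")` describes what failed. The same stale messages are carried unchanged through the later renames in this series (patch 06, the range-check hunk at line 15 of this page), so the fix belongs wherever the names settle. `verify` starts outside this hunk.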
From ec5ca1cb428a4b80bfd01017ffddf28af820c230 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Wed, 14 Jun 2023 12:10:03 +0530 Subject: [PATCH 04/15] fmt --- src/zkp/pifac.rs | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index 101008de..9c8a10ac 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs @@ -38,7 +38,7 @@ use zeroize::ZeroizeOnDrop; pub(crate) struct PiFacProof { /// Commitment to the factor p using randomness meu. commitment_p: Commitment, - /// Commitment to the factor q using randomness neu. + /// Commitment to the factor q using randomness neu. commitment_q: Commitment, /// Commitment to randomness alpha and x. commitment_alpha: Commitment, @@ -192,8 +192,15 @@ impl Proof for PiFacProof { let e = plusminus_challenge_from_transcript(transcript)?; let eq_check_1 = { - let lhs = input.setup_params.scheme().reconstruct(&self.mask_alpha_p, &self.maskedrandomness_meu); - let rhs = input.setup_params.scheme().combine(&self.commitment_alpha, &self.commitment_p, &e); + let lhs = input + .setup_params + .scheme() + .reconstruct(&self.mask_alpha_p, &self.maskedrandomness_meu); + let rhs = + input + .setup_params + .scheme() + .combine(&self.commitment_alpha, &self.commitment_p, &e); lhs == rhs }; if !eq_check_1 { @@ -202,8 +209,15 @@ impl Proof for PiFacProof { } let eq_check_2 = { - let lhs = input.setup_params.scheme().reconstruct(&self.mask_beta_q, &self.maskedrandomness_neu); - let rhs = input.setup_params.scheme().combine(&self.commitment_beta, &self.commitment_q, &e); + let lhs = input + .setup_params + .scheme() + .reconstruct(&self.mask_beta_q, &self.maskedrandomness_neu); + let rhs = + input + .setup_params + .scheme() + .combine(&self.commitment_beta, &self.commitment_q, &e); lhs == rhs }; if !eq_check_2 { 
@@ -216,11 +230,15 @@ impl Proof for PiFacProof { .setup_params .scheme() .reconstruct(&input.N0, self.sigma.as_masked()); - let lhs = input + let lhs = input.setup_params.scheme().reconstruct_with_commitment( + &self.commitment_q, + &self.mask_alpha_p, + &self.v, + ); + let rhs = input .setup_params .scheme() - .reconstruct_with_commitment(&self.commitment_q, &self.mask_alpha_p, &self.v); - let rhs = input.setup_params.scheme().combine(&self.commitment_combine_Q_r, &R, &e); + .combine(&self.commitment_combine_Q_r, &R, &e); lhs == rhs }; if !eq_check_3 { From 2887675d72acd7c5db3d475073ba8c7f56778981 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Fri, 16 Jun 2023 18:57:15 +0530 Subject: [PATCH 05/15] minor fits fixed --- src/zkp/pifac.rs | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index 9c8a10ac..5bcd84dc 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs @@ -7,7 +7,8 @@ // of this source tree. //! Implements a zero-knowledge proof that the modulus N can be factored into -//! two numbers greater than 2^ell for a parameter ell. +//! two numbers greater than `2^ℓ` for a parameter ell where `ℓ` is +//! [`parameters::ELL`](crate::parameters::ELL). //! //! The proof is defined in Figure 28 of CGGMP[^cite], and uses a standard //! Fiat-Shamir transformation to make the proof non-interactive. @@ -63,7 +64,7 @@ pub(crate) struct PiFacProof { #[derive(Serialize)] pub(crate) struct CommonInput { setup_params: VerifiedRingPedersen, - N0: BigNumber, + modulus: BigNumber, } impl CommonInput { 
@@ -71,13 +72,13 @@ impl CommonInput { pub(crate) fn new(setup_params: &VerifiedRingPedersen, N0: &BigNumber) -> Self { Self { setup_params: setup_params.clone(), - N0: N0.clone(), + modulus: N0.clone(), } } } -/// The prover's secret knowledge: the factors p and q of the modulus N where N -/// = pq. +/// The prover's secret knowledge: the factors `p` and `q` of the modulus `N` +/// where `N = pq`. #[derive(ZeroizeOnDrop)] pub(crate) struct ProverSecret { p: BigNumber, @@ -114,7 +115,7 @@ impl Proof for PiFacProof { rng: &mut R, ) -> Result { // Small names for scaling factors in our ranges - let sqrt_N0 = &sqrt(&input.N0); + let sqrt_N0 = &sqrt(&input.modulus); let alpha = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); let beta = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); @@ -122,7 +123,7 @@ impl Proof for PiFacProof { let sigma = input .setup_params .scheme() - .commitment_randomness(ELL, &input.N0, rng); + .commitment_randomness(ELL, &input.modulus, rng); let (P, mu) = input.setup_params.scheme().commit(&secret.p, ELL, rng); let (Q, nu) = input.setup_params.scheme().commit(&secret.q, ELL, rng); @@ -138,7 +139,7 @@ impl Proof for PiFacProof { &Q, &alpha, ELL + EPSILON, - &input.N0, + &input.modulus, rng, ); @@ -229,7 +230,7 @@ impl Proof for PiFacProof { let R = input .setup_params .scheme() - .reconstruct(&input.N0, self.sigma.as_masked()); + .reconstruct(&input.modulus, self.sigma.as_masked()); let lhs = input.setup_params.scheme().reconstruct_with_commitment( &self.commitment_q, &self.mask_alpha_p, @@ -246,7 +247,7 @@ impl Proof for PiFacProof { return Err(InternalError::ProtocolError); } - let sqrt_N0 = sqrt(&input.N0); + let sqrt_N0 = sqrt(&input.modulus); // 2^{ELL + EPSILON} let two_ell_eps = BigNumber::one() << (ELL + EPSILON); // 2^{ELL + EPSILON} * sqrt(N_0) 
@@ -365,7 +366,7 @@ mod tests { } { let incorrect_startup_params = - CommonInput::new(&VerifiedRingPedersen::gen(&mut rng, &())?, &input.N0); + CommonInput::new(&VerifiedRingPedersen::gen(&mut rng, &())?, &input.modulus); let mut transcript = Transcript::new(b"PiFac Test"); assert!(proof .verify(&incorrect_startup_params, &(), &mut transcript) From ceffd643baa2e171e10396e49f1b7f86eafb5469 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Fri, 16 Jun 2023 19:58:43 +0530 Subject: [PATCH 06/15] names changed --- src/zkp/pifac.rs | 86 +++++++++++++++++++++++++----------------------- 1 file changed, 44 insertions(+), 42 deletions(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index 5bcd84dc..baa6ef6e 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs 
@@ -37,27 +37,29 @@ use zeroize::ZeroizeOnDrop; /// for a parameter ell. #[derive(Debug, Serialize, Deserialize, Clone)] pub(crate) struct PiFacProof { - /// Commitment to the factor p using randomness meu. - commitment_p: Commitment, + /// Commitment to the factor `p` (`P` in the paper) + p_commitment: Commitment, /// Commitment to the factor q using randomness neu. - commitment_q: Commitment, + q_commitment: Commitment, /// Commitment to randomness alpha and x. - commitment_alpha: Commitment, + p_mask_commitment: Commitment, /// Commitment to randomness beta and y. - commitment_beta: Commitment, + q_mask_commitment: Commitment, /// Combination of commitment to Q using ring Pedersen parameter r. - commitment_combine_Q_r: Commitment, + // Commitment to q + p's commitment randomness + q_link_commitment: Commitment, /// Randomness for commitment. sigma: CommitmentRandomness, /// Mask p with randomness alpha. - mask_alpha_p: BigNumber, + p_masked: BigNumber, /// Mask q with randomness beta. - mask_beta_q: BigNumber, + q_masked: BigNumber, /// Mask meu with randomness x. - maskedrandomness_meu: MaskedRandomness, + masked_p_commitment_randomness: MaskedRandomness, /// Mask neu with randomness y. - maskedrandomness_neu: MaskedRandomness, - v: MaskedRandomness, + masked_q_commitment_randomness: MaskedRandomness, + // Masked (p + q's commitment randomness) + masked_p_link: MaskedRandomness, } /// Common input and setup parameters known to both the prover and verifier. 
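Review bot: `q_link_commitment` now carries a `///` doc and, between that doc and the field, a `//` line (`// Commitment to q + p's commitment randomness`); rustdoc shows only the `///` text, and the two descriptions disagree about what the field is ("Combination of commitment to Q using ring Pedersen parameter r" vs "Commitment to q + p's commitment randomness"). `masked_p_link` gets only a `//` comment, which makes it the one field of the struct with no rustdoc at all. Fold each pair into a single `///` block that states the committed value; from `prove` (patch 07 on this page) `T` is `commit_with_commitment(&Q, &alpha, …)`, i.e. a commitment to `p`'s mask against `Q`. Patch 07 (line 16) keeps the `//` sandwich; patch 08 (line 20) is where it is finally removed.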
@@ -156,17 +158,17 @@ impl Proof for PiFacProof { let v = sigma_hat.remask(&r, &e); let proof = Self { - commitment_p: P, - commitment_q: Q, - commitment_alpha: A, - commitment_beta: B, - commitment_combine_Q_r: T, + p_commitment: P, + q_commitment: Q, + p_mask_commitment: A, + q_mask_commitment: B, + q_link_commitment: T, sigma, - mask_alpha_p: z1, - mask_beta_q: z2, - maskedrandomness_meu: w1, - maskedrandomness_neu: w2, - v, + p_masked: z1, + q_masked: z2, + masked_p_commitment_randomness: w1, + masked_q_commitment_randomness: w2, + masked_p_link: v, }; Ok(proof) } 
@@ -181,68 +183,68 @@ impl Proof for PiFacProof { transcript, context, input, - &self.commitment_p, - &self.commitment_q, - &self.commitment_alpha, - &self.commitment_beta, - &self.commitment_combine_Q_r, + &self.p_commitment, + &self.q_commitment, + &self.p_mask_commitment, + &self.q_mask_commitment, + &self.q_link_commitment, &self.sigma, )?; // Verifier samples e in +- q (where q is the group order) let e = plusminus_challenge_from_transcript(transcript)?; - let eq_check_1 = { + let masked_p_commitment_is_valid = { let lhs = input .setup_params .scheme() - .reconstruct(&self.mask_alpha_p, &self.maskedrandomness_meu); + .reconstruct(&self.p_masked, &self.masked_p_commitment_randomness); let rhs = input .setup_params .scheme() - .combine(&self.commitment_alpha, &self.commitment_p, &e); + .combine(&self.p_mask_commitment, &self.p_commitment, &e); lhs == rhs }; - if !eq_check_1 { + if !masked_p_commitment_is_valid { error!("eq_check_1 failed"); return Err(InternalError::ProtocolError); } - let eq_check_2 = { + let masked_q_commitment_is_valid = { let lhs = input .setup_params .scheme() - .reconstruct(&self.mask_beta_q, &self.maskedrandomness_neu); + .reconstruct(&self.q_masked, &self.masked_q_commitment_randomness); let rhs = input .setup_params .scheme() - .combine(&self.commitment_beta, &self.commitment_q, &e); + .combine(&self.q_mask_commitment, &self.q_commitment, &e); lhs == rhs }; - if !eq_check_2 { + if !masked_q_commitment_is_valid { error!("eq_check_2 failed"); return Err(InternalError::ProtocolError); } - let eq_check_3 = { + let modulus_links_provided_factors = { let R = input .setup_params .scheme() .reconstruct(&input.modulus, self.sigma.as_masked()); let lhs = input.setup_params.scheme().reconstruct_with_commitment( - &self.commitment_q, - &self.mask_alpha_p, - &self.v, + &self.q_commitment, + &self.p_masked, + &self.masked_p_link, ); let rhs = input .setup_params .scheme() - .combine(&self.commitment_combine_Q_r, &R, &e); + 
.combine(&self.q_link_commitment, &R, &e); lhs == rhs }; - if !eq_check_3 { + if !modulus_links_provided_factors { error!("eq_check_3 failed"); return Err(InternalError::ProtocolError); } @@ -252,11 +254,11 @@ impl Proof for PiFacProof { let two_ell_eps = BigNumber::one() << (ELL + EPSILON); // 2^{ELL + EPSILON} * sqrt(N_0) let z_bound = &sqrt_N0 * &two_ell_eps; - if self.mask_alpha_p < -z_bound.clone() || self.mask_alpha_p > z_bound { + if self.p_masked < -z_bound.clone() || self.p_masked > z_bound { error!("self.z1 > z_bound check failed"); return Err(InternalError::ProtocolError); } - if self.mask_beta_q < -z_bound.clone() || self.mask_beta_q > z_bound { + if self.q_masked < -z_bound.clone() || self.q_masked > z_bound { error!("self.z2 > z_bound check failed"); return Err(InternalError::ProtocolError); } From dd6f9b3f6e3e65f678a3bac34f9ce6b254f07892 Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Sat, 17 Jun 2023 00:16:26 +0530 Subject: [PATCH 07/15] names updated --- src/zkp/pifac.rs | 115 ++++++++++++++++++++++++++--------------------- 1 file changed, 64 insertions(+), 51 deletions(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index baa6ef6e..90a7d9a9 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs 
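Review bot: The three checks were renamed to `masked_p_commitment_is_valid`, `masked_q_commitment_is_valid` and `modulus_links_provided_factors`, but each failure branch still logs `eq_check_1 failed` … `eq_check_3 failed`, so the log text points at identifiers that no longer exist. Patch 09 on this page (line 23) rewrites the first two messages, but its hunk ends before the third check's `error!`, so as far as this page shows `eq_check_3 failed` remains; suggest `error!("modulus_links_provided_factors check failed");`. The z-bound messages in the second hunk here (`self.z1 > z_bound check failed`, `self.z2 > z_bound check failed`) have the same problem and were raised at patch 03 above. `verify`'s signature lies outside this hunk.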
@@ -37,28 +37,29 @@ use zeroize::ZeroizeOnDrop; /// for a parameter ell. #[derive(Debug, Serialize, Deserialize, Clone)] pub(crate) struct PiFacProof { - /// Commitment to the factor `p` (`P` in the paper) + /// Commitment to the factor `p` (`P` in the paper). p_commitment: Commitment, - /// Commitment to the factor q using randomness neu. + /// Commitment to the factor `q` (`Q` in the paper). q_commitment: Commitment, - /// Commitment to randomness alpha and x. + /// Commitment to randomness alpha and `x` (`A` in the paper). p_mask_commitment: Commitment, - /// Commitment to randomness beta and y. + /// Commitment to randomness beta and `y` (`B` in the paper). q_mask_commitment: Commitment, - /// Combination of commitment to Q using ring Pedersen parameter r. + /// Combination of commitment to `Q` using ring Pedersen parameter `r` (`T` + /// in the paper). // Commitment to q + p's commitment randomness q_link_commitment: Commitment, /// Randomness for commitment. sigma: CommitmentRandomness, - /// Mask p with randomness alpha. + /// Mask p with randomness `alpha` (`z1` in the paper`). p_masked: BigNumber, - /// Mask q with randomness beta. + /// Mask q with randomness `beta` (`z2` in the paper). q_masked: BigNumber, - /// Mask meu with randomness x. + /// Mask meu with randomness `x` (`w1` in the paper). masked_p_commitment_randomness: MaskedRandomness, - /// Mask neu with randomness y. + /// Mask neu with randomness y (`w2` in the paper). masked_q_commitment_randomness: MaskedRandomness, - // Masked (p + q's commitment randomness) + /// Masked (p + q's commitment randomness): (`v` in the paper). masked_p_link: MaskedRandomness, } 
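Review bot: The doc on `p_masked` has an unbalanced backtick: it ends with `in the paper`).` where the backtick after `paper` opens a code span that never closes, so rustdoc renders the tail of the line as code. It should read `(`z1` in the paper).` matching the `q_masked` line directly below it. The same line is carried unchanged through patch 08 (line 20 of this page) and patch 09 (line 22), so it lands in the final state of the series; fix it once here.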
@@ -119,56 +120,68 @@ impl Proof for PiFacProof { // Small names for scaling factors in our ranges let sqrt_N0 = &sqrt(&input.modulus); - let alpha = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); - let beta = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); + let p_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); + let q_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); let sigma = input .setup_params .scheme() .commitment_randomness(ELL, &input.modulus, rng); - let (P, mu) = input.setup_params.scheme().commit(&secret.p, ELL, rng); - let (Q, nu) = input.setup_params.scheme().commit(&secret.q, ELL, rng); - let (A, x) = input - .setup_params - .scheme() - .commit(&alpha, ELL + EPSILON, rng); - let (B, y) = input - .setup_params - .scheme() - .commit(&beta, ELL + EPSILON, rng); - let (T, r) = input.setup_params.scheme().commit_with_commitment( - &Q, - &alpha, + let (p_commitment, mu) = input.setup_params.scheme().commit(&secret.p, ELL, rng); + let (q_commitment, nu) = input.setup_params.scheme().commit(&secret.q, ELL, rng); + let (p_mask_commitment, x) = + input + .setup_params + .scheme() + .commit(&p_mask, ELL + EPSILON, rng); + let (q_mask_commitment, y) = + input + .setup_params + .scheme() + .commit(&q_mask, ELL + EPSILON, rng); + let (q_link_commitment, r) = input.setup_params.scheme().commit_with_commitment( + &q_commitment, + &p_mask, ELL + EPSILON, &input.modulus, rng, ); - Self::fill_transcript(transcript, context, input, &P, &Q, &A, &B, &T, &sigma)?; + Self::fill_transcript( + transcript, + context, + input, + &p_commitment, + &q_commitment, + &p_mask_commitment, + &q_mask_commitment, + &q_link_commitment, + &sigma, + )?; // Verifier samples e in +- q (where q is the group order) let e = plusminus_challenge_from_transcript(transcript)?; let sigma_hat = nu.mask_neg(&sigma, &secret.p); - let z1 = &alpha + &e * &secret.p; - let z2 = &beta + &e * &secret.q; - let w1 = mu.mask(&x, &e); - let w2 = nu.mask(&y, &e); - let v = 
sigma_hat.remask(&r, &e); + let p_masked = &p_mask + &e * &secret.p; + let q_masked = &q_mask + &e * &secret.q; + let masked_p_commitment_randomness = mu.mask(&x, &e); + let masked_q_commitment_randomness = nu.mask(&y, &e); + let masked_p_link = sigma_hat.remask(&r, &e); let proof = Self { - p_commitment: P, - q_commitment: Q, - p_mask_commitment: A, - q_mask_commitment: B, - q_link_commitment: T, + p_commitment, + q_commitment, + p_mask_commitment, + q_mask_commitment, + q_link_commitment, sigma, - p_masked: z1, - q_masked: z2, - masked_p_commitment_randomness: w1, - masked_q_commitment_randomness: w2, - masked_p_link: v, + p_masked, + q_masked, + masked_p_commitment_randomness, + masked_q_commitment_randomness, + masked_p_link, }; Ok(proof) } @@ -199,11 +212,11 @@ impl Proof for PiFacProof { .setup_params .scheme() .reconstruct(&self.p_masked, &self.masked_p_commitment_randomness); - let rhs = - input - .setup_params - .scheme() - .combine(&self.p_mask_commitment, &self.p_commitment, &e); + let rhs = input.setup_params.scheme().combine( + &self.p_mask_commitment, + &self.p_commitment, + &e, + ); lhs == rhs }; if !masked_p_commitment_is_valid { @@ -216,11 +229,11 @@ impl Proof for PiFacProof { .setup_params .scheme() .reconstruct(&self.q_masked, &self.masked_q_commitment_randomness); - let rhs = - input - .setup_params - .scheme() - .combine(&self.q_mask_commitment, &self.q_commitment, &e); + let rhs = input.setup_params.scheme().combine( + &self.q_mask_commitment, + &self.q_commitment, + &e, + ); lhs == rhs }; if !masked_q_commitment_is_valid { From 60b806a6b54f4fab22f7c1637b3f9d6dc9f9616f Mon Sep 17 00:00:00 2001 From: Hridam Basu Date: Tue, 20 Jun 2023 23:43:38 +0530 Subject: [PATCH 08/15] backticks added --- src/zkp/pifac.rs | 50 +++++++++++++++++++++++++----------------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs index 90a7d9a9..9f68d674 100644 --- a/src/zkp/pifac.rs +++ b/src/zkp/pifac.rs 
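Review bot: The rename in `prove` is half-done: the outputs are now `p_mask`, `p_commitment`, `masked_p_commitment_randomness` and so on, while the commitment randomness they are built from stays as the paper's single letters `mu`, `nu`, `x`, `y`, `r`, and `sigma_hat` keeps its old name. A reader now has to hold both naming schemes at once; either keep the paper names throughout (and cite them in a comment) or rename the randomness too, e.g. `let (p_commitment, p_commitment_randomness) = …commit(&secret.p, ELL, rng);`. A one-line why-comment on `let sigma_hat = nu.mask_neg(&sigma, &secret.p);` would also help, since it is the only non-obvious step in the response computation. `prove`'s signature starts outside this hunk.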
@@ -6,9 +6,9 @@ // License, Version 2.0 found in the LICENSE-APACHE file in the root directory // of this source tree. -//! Implements a zero-knowledge proof that the modulus N can be factored into -//! two numbers greater than `2^ℓ` for a parameter ell where `ℓ` is -//! [`parameters::ELL`](crate::parameters::ELL). +//! Implements a zero-knowledge proof that the modulus `N` can be factored into +//! ...two numbers greater than `2^ℓ`, where `ℓ` is a fixed parameter defined by +//! parameters::ELL. //! //! The proof is defined in Figure 28 of CGGMP[^cite], and uses a standard //! Fiat-Shamir transformation to make the proof non-interactive. 
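Review bot: The rewritten module doc line begins with a stray ellipsis, `//! ...two numbers greater than …`, which renders as literal dots in the middle of the sentence. The same edit replaces the intra-doc link `[`parameters::ELL`](crate::parameters::ELL)` introduced in patch 05 with bare `parameters::ELL`, losing the link. Suggest `//! two numbers greater than `2^ℓ`, where `ℓ` is a fixed parameter defined by` followed by `//! [`parameters::ELL`](crate::parameters::ELL).`.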
@@ -33,33 +33,33 @@ use std::fmt::Debug; use tracing::error; use zeroize::ZeroizeOnDrop; -/// Proof that the modulus N can be factored into two numbers greater than 2^ell -/// for a parameter ell. +/// Proof that the modulus `N` can be factored into two numbers greater than +/// `2^ℓ` for a parameter `ℓ`. #[derive(Debug, Serialize, Deserialize, Clone)] pub(crate) struct PiFacProof { /// Commitment to the factor `p` (`P` in the paper). p_commitment: Commitment, /// Commitment to the factor `q` (`Q` in the paper). q_commitment: Commitment, - /// Commitment to randomness alpha and `x` (`A` in the paper). + /// Commitment to randomness `alpha` and `x` (`A` in the paper). p_mask_commitment: Commitment, - /// Commitment to randomness beta and `y` (`B` in the paper). + /// Commitment to randomness `beta` and `y` (`B` in the paper). q_mask_commitment: Commitment, - /// Combination of commitment to `Q` using ring Pedersen parameter `r` (`T` - /// in the paper). - // Commitment to q + p's commitment randomness + /// Commitment linking `q` to the commitment randomness used in + /// `p_commitment`. q_link_commitment: Commitment, /// Randomness for commitment. - sigma: CommitmentRandomness, - /// Mask p with randomness `alpha` (`z1` in the paper`). + link_randomness: CommitmentRandomness, + /// Mask `p` with randomness `alpha` (`z1` in the paper`). p_masked: BigNumber, - /// Mask q with randomness `beta` (`z2` in the paper). + /// Mask `q` with randomness `beta` (`z2` in the paper). q_masked: BigNumber, /// Mask meu with randomness `x` (`w1` in the paper). masked_p_commitment_randomness: MaskedRandomness, /// Mask neu with randomness y (`w2` in the paper). masked_q_commitment_randomness: MaskedRandomness, - /// Masked (p + q's commitment randomness): (`v` in the paper). + /// Masked commitment randomness linking `p` to the commitment randomness + /// used in `q_commitment` (`v` in the paper). masked_p_link: MaskedRandomness, } 
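Review bot: The new doc on `q_link_commitment` says it links `q` to "the commitment randomness used in `p_commitment`", but `prove` (patch 07 on this page) builds it as `commit_with_commitment(&q_commitment, &p_mask, ELL + EPSILON, &input.modulus, rng)` — the hidden value is `p`'s mask, and `p_commitment`'s randomness (`mu`) is not involved. Suggest `/// Commitment to `p`'s mask relative to `q_commitment` (`T` in the paper).`. `link_randomness` keeps the placeholder doc `/// Randomness for commitment.`; from `prove` it comes from `commitment_randomness(ELL, &input.modulus, rng)` and is absorbed into the transcript, so `/// Commitment randomness for the modulus `N` (`sigma` in the paper).` says which commitment. The `w1`/`w2` docs still spell `mu`/`nu` as `meu`/`neu` (raised at patch 03).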
@@ -71,7 +71,8 @@ pub(crate) struct CommonInput { } impl CommonInput { - /// Generate public input for proving and verifying [`PiFacProof`] about N. + /// Generate public input for proving and verifying [`PiFacProof`] about + /// `N`. pub(crate) fn new(setup_params: &VerifiedRingPedersen, N0: &BigNumber) -> Self { Self { setup_params: setup_params.clone(), @@ -123,10 +124,11 @@ impl Proof for PiFacProof { let p_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); let q_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); - let sigma = input - .setup_params - .scheme() - .commitment_randomness(ELL, &input.modulus, rng); + let link_randomness = + input + .setup_params + .scheme() + .commitment_randomness(ELL, &input.modulus, rng); let (p_commitment, mu) = input.setup_params.scheme().commit(&secret.p, ELL, rng); let (q_commitment, nu) = input.setup_params.scheme().commit(&secret.q, ELL, rng); @@ -157,13 +159,13 @@ impl Proof for PiFacProof { &p_mask_commitment, &q_mask_commitment, &q_link_commitment, - &sigma, + &link_randomness, )?; // Verifier samples e in +- q (where q is the group order) let e = plusminus_challenge_from_transcript(transcript)?; - let sigma_hat = nu.mask_neg(&sigma, &secret.p); + let sigma_hat = nu.mask_neg(&link_randomness, &secret.p); let p_masked = &p_mask + &e * &secret.p; let q_masked = &q_mask + &e * &secret.q; let masked_p_commitment_randomness = mu.mask(&x, &e); @@ -176,7 +178,7 @@ impl Proof for PiFacProof { p_mask_commitment, q_mask_commitment, q_link_commitment, - sigma, + link_randomness, p_masked, q_masked, masked_p_commitment_randomness, @@ -201,7 +203,7 @@ impl Proof for PiFacProof { &self.p_mask_commitment, &self.q_mask_commitment, &self.q_link_commitment, - &self.sigma, + &self.link_randomness, )?; // Verifier samples e in +- q (where q is the group order) 
@@ -245,7 +247,7 @@ impl Proof for PiFacProof {
             let R = input
                 .setup_params
                 .scheme()
-                .reconstruct(&input.modulus, self.sigma.as_masked());
+                .reconstruct(&input.modulus, self.link_randomness.as_masked());
             let lhs = input.setup_params.scheme().reconstruct_with_commitment(
                 &self.q_commitment,
                 &self.p_masked,
From 88df9bda6d688895bf93593d1c2cde189c0dd88e Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Wed, 21 Jun 2023 16:58:49 +0530
Subject: [PATCH 09/15] names changed

---
 src/zkp/pifac.rs | 47 +++++++++++++++++++++++------------------------
 1 file changed, 23 insertions(+), 24 deletions(-)

diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs
index 9f68d674..1b10881b 100644
--- a/src/zkp/pifac.rs
+++ b/src/zkp/pifac.rs
@@ -41,22 +41,22 @@ pub(crate) struct PiFacProof {
     p_commitment: Commitment,
     /// Commitment to the factor `q` (`Q` in the paper).
     q_commitment: Commitment,
-    /// Commitment to randomness `alpha` and `x` (`A` in the paper).
+    /// `A` in the paper.
     p_mask_commitment: Commitment,
-    /// Commitment to randomness `beta` and `y` (`B` in the paper).
+    /// `B` in the paper.
     q_mask_commitment: Commitment,
     /// Commitment linking `q` to the commitment randomness used in
     /// `p_commitment`.
     q_link_commitment: Commitment,
     /// Randomness for commitment.
     link_randomness: CommitmentRandomness,
-    /// Mask `p` with randomness `alpha` (`z1` in the paper`).
+    /// Mask `p` (`z1` in the paper`).
     p_masked: BigNumber,
-    /// Mask `q` with randomness `beta` (`z2` in the paper).
+    /// Mask `q` (`z2` in the paper).
     q_masked: BigNumber,
-    /// Mask meu with randomness `x` (`w1` in the paper).
+    /// `w1` in the paper.
     masked_p_commitment_randomness: MaskedRandomness,
-    /// Mask neu with randomness y (`w2` in the paper).
+    /// `w2` in the paper.
     masked_q_commitment_randomness: MaskedRandomness,
     /// Masked commitment randomness linking `p` to the commitment randomness
     /// used in `q_commitment` (`v` in the paper).
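Review bot: Cutting the field docs down to bare labels such as `/// A in the paper.` and `/// w1 in the paper.` removes the only in-code description of what `p_mask_commitment` and `masked_p_commitment_randomness` contain, so a maintainer without Figure 28 open can no longer tell a mask commitment from a link commitment, or a masked randomness from a masked factor. Keep the label but keep the meaning too, for example `/// Commitment to the mask of p (A in the paper).` and `/// Masked randomness of p_commitment (w1 in the paper).`; the alpha/x and beta/y wording that was dropped was at least grounded in what `prove` computes. The stray closing backtick after "in the paper" on the `p_masked` line survives the rewrite as well.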
@@ -73,10 +73,13 @@ pub(crate) struct CommonInput {
 impl CommonInput {
     /// Generate public input for proving and verifying [`PiFacProof`] about
     /// `N`.
-    pub(crate) fn new(setup_params: &VerifiedRingPedersen, N0: &BigNumber) -> Self {
+    pub(crate) fn new(
+        verifier_commitment_params: &VerifiedRingPedersen,
+        prover_modulus: &BigNumber,
+    ) -> Self {
         Self {
-            setup_params: setup_params.clone(),
-            modulus: N0.clone(),
+            setup_params: verifier_commitment_params.clone(),
+            modulus: prover_modulus.clone(),
         }
     }
 }
@@ -222,7 +225,7 @@ impl Proof for PiFacProof {
             lhs == rhs
         };
         if !masked_p_commitment_is_valid {
-            error!("eq_check_1 failed");
+            error!("masked_p_commitment_is_valid failed");
             return Err(InternalError::ProtocolError);
         }
 
@@ -239,12 +242,12 @@ impl Proof for PiFacProof {
             lhs == rhs
         };
         if !masked_q_commitment_is_valid {
-            error!("eq_check_2 failed");
+            error!("masked_q_commitment_is_valid failed");
             return Err(InternalError::ProtocolError);
         }
 
         let modulus_links_provided_factors = {
-            let R = input
+            let reconstructed_commitment = input
                 .setup_params
                 .scheme()
                 .reconstruct(&input.modulus, self.link_randomness.as_masked());
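Review bot: `CommonInput::new` gains the parameter names `verifier_commitment_params` and `prover_modulus`, but the doc above it still only says "about N" and never states the requirement the names hint at: the ring-Pedersen parameters have to be the verifier's own, because a prover who knows the relation between the generators could open the commitments arbitrarily and the proof would not be sound (this is my reading of the CGGMP setup; confirm against Figure 28). Two doc lines would pin that down: `/// verifier_commitment_params must be the verifier's ring-Pedersen parameters, never ones the prover generated.` and `/// prover_modulus is the N whose factorization the prover claims to know.` The stored fields are still `setup_params` and `modulus`, so the rename stops at the signature; renaming the fields to match, or saying in the field docs whose parameters they are, would keep the two in step.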
@@ -253,27 +256,23 @@ impl Proof for PiFacProof {
                 &self.p_masked,
                 &self.masked_p_link,
             );
-            let rhs = input
-                .setup_params
-                .scheme()
-                .combine(&self.q_link_commitment, &R, &e);
+            let rhs = input.setup_params.scheme().combine(
+                &self.q_link_commitment,
+                &reconstructed_commitment,
+                &e,
+            );
             lhs == rhs
         };
         if !modulus_links_provided_factors {
-            error!("eq_check_3 failed");
+            error!("modulus_links_provided_factors failed");
             return Err(InternalError::ProtocolError);
         }
 
-        let sqrt_N0 = sqrt(&input.modulus);
-        // 2^{ELL + EPSILON}
-        let two_ell_eps = BigNumber::one() << (ELL + EPSILON);
-        // 2^{ELL + EPSILON} * sqrt(N_0)
-        let z_bound = &sqrt_N0 * &two_ell_eps;
-        if self.p_masked < -z_bound.clone() || self.p_masked > z_bound {
+        if crate::utils::within_bound_by_size(&self.p_masked, ELL + EPSILON) {
             error!("self.z1 > z_bound check failed");
             return Err(InternalError::ProtocolError);
         }
-        if self.q_masked < -z_bound.clone() || self.q_masked > z_bound {
+        if crate::utils::within_bound_by_size(&self.q_masked, ELL + EPSILON) {
             error!("self.z2 > z_bound check failed");
             return Err(InternalError::ProtocolError);
         }
From 71cb5b464b1f02da0409ebf604c7ce4542c3c1ab Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Wed, 21 Jun 2023 19:22:57 +0530
Subject: [PATCH 10/15] allow unknown lints

---
 src/protocol.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/protocol.rs b/src/protocol.rs
index 6f327cc2..eadb818f 100644
--- a/src/protocol.rs
+++ b/src/protocol.rs
@@ -641,6 +641,7 @@ impl std::fmt::Display for Identifier {
 }
 
 #[cfg(test)]
+#[allow(unknown_lints)]
 mod tests {
     use super::*;
     use crate::{
From 2cd5c826333adc3f5e1461465d4ee33ca160b4f8 Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Mon, 26 Jun 2023 18:07:07 +0530
Subject: [PATCH 11/15] last

---
 src/protocol.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/protocol.rs b/src/protocol.rs
index eadb818f..6f327cc2 100644
--- a/src/protocol.rs
+++ b/src/protocol.rs
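Review bot: The rewritten range checks are inverted: `within_bound_by_size` answers `true` when the value is inside the bound (its last line, `value <= &bound && value >= &-bound`, is visible in the next commit's hunk), so `if crate::utils::within_bound_by_size(&self.p_masked, ELL + EPSILON) { error!(...); return Err(...) }` rejects every honest proof and accepts an out-of-range z1, and the `q_masked` check behaves the same; the range test on z1/z2 is what makes this a proof about sufficiently large factors, so as written it no longer does its job. The helper also takes no modulus argument, so its bound cannot contain the `sqrt(N_0)` factor the deleted lines had and that the prover's `random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0)` uses; the minimal correction is `if !crate::utils::within_bound_by_size(...)`, but until a helper that takes the modulus exists the explicit `z_bound` computation should stay. The log strings still mention `z_bound`, which no longer exists here. `verify` starts before this hunk.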
@@ -641,7 +641,6 @@ impl std::fmt::Display for Identifier {
 }
 
 #[cfg(test)]
-#[allow(unknown_lints)]
 mod tests {
     use super::*;
     use crate::{
From 258601ec978c2ecc9c8119c02a38fc72e445b62a Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Tue, 4 Jul 2023 00:33:06 +0530
Subject: [PATCH 12/15] some nits fixed

---
 src/utils.rs     |  4 ++++
 src/zkp/pifac.rs | 22 +++++++++++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/utils.rs b/src/utils.rs
index 9a54c978..352e5540 100644
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -83,6 +83,10 @@ pub(crate) fn within_bound_by_size(value: &BigNumber, n: usize) -> bool {
     value <= &bound && value >= &-bound
 }
 
+/*pub(crate) within_bound_by_sqrt_modulus(value: &BigNumber, x: usize) -> bool {
+    let 
+}*/
+ 
 /// Compute a^e (mod n).
 #[cfg_attr(feature = "flame_it", flame("utils"))]
 pub(crate) fn modpow(a: &BigNumber, e: &BigNumber, n: &BigNumber) -> BigNumber {
diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs
index 1b10881b..2d680791 100644
--- a/src/zkp/pifac.rs
+++ b/src/zkp/pifac.rs
@@ -7,8 +7,8 @@
 // of this source tree.
 
 //! Implements a zero-knowledge proof that the modulus `N` can be factored into
-//! ...two numbers greater than `2^ℓ`, where `ℓ` is a fixed parameter defined by
-//! parameters::ELL.
+//! two numbers greater than `2^ℓ`, where `ℓ` is a fixed parameter defined by
+//! [`parameters::ELL`](crate::parameters::ELL).
 //!
 //! The proof is defined in Figure 28 of CGGMP[^cite], and uses a standard
 //! Fiat-Shamir transformation to make the proof non-interactive.
@@ -41,9 +41,9 @@ pub(crate) struct PiFacProof {
     p_commitment: Commitment,
     /// Commitment to the factor `q` (`Q` in the paper).
     q_commitment: Commitment,
-    /// `A` in the paper.
+    /// Commitment to a mask for p (`A` in the paper).
     p_mask_commitment: Commitment,
-    /// `B` in the paper.
+    /// Commitment to a mask for q (`B` in the paper).
     q_mask_commitment: Commitment,
     /// Commitment linking `q` to the commitment randomness used in
     /// `p_commitment`.
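Review bot: The new block in `utils.rs`, `/*pub(crate) within_bound_by_sqrt_modulus(value: &BigNumber, x: usize) -> bool {` with a bare `let` and a closing `}*/`, is commented-out, non-compiling scaffolding (no `fn` keyword, an unfinished statement) and should not be committed; finish it or keep it on the branch. If the goal is the verifier's `2^(ELL+EPSILON) * sqrt(N_0)` bound, the helper also needs the modulus as a parameter, since that bound cannot be computed from `x: usize` alone. The added `+` line carrying only a space is the trailing whitespace the later "fmt" commit has to remove.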
@@ -54,9 +54,9 @@ pub(crate) struct PiFacProof {
     p_masked: BigNumber,
     /// Mask `q` (`z2` in the paper).
     q_masked: BigNumber,
-    /// `w1` in the paper.
+    /// Masked commitment randomness used to form `p_commitment` (`w1` in the paper).
     masked_p_commitment_randomness: MaskedRandomness,
-    /// `w2` in the paper.
+    /// Masked commitment randomness used to form `q_commitment` (`w2` in the paper).
     masked_q_commitment_randomness: MaskedRandomness,
     /// Masked commitment randomness linking `p` to the commitment randomness
     /// used in `q_commitment` (`v` in the paper).
@@ -124,8 +124,8 @@ impl Proof for PiFacProof {
         // Small names for scaling factors in our ranges
         let sqrt_N0 = &sqrt(&input.modulus);
 
-        let p_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0);
-        let q_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0);
+        let p_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); // `alpha` in the paper
+        let q_mask = random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0); // `beta` in the paper
 
         let link_randomness =
             input
@@ -269,11 +269,11 @@ impl Proof for PiFacProof {
         }
 
         if crate::utils::within_bound_by_size(&self.p_masked, ELL + EPSILON) {
-            error!("self.z1 > z_bound check failed");
+            error!("p is out of range!");
             return Err(InternalError::ProtocolError);
-        }
+        } 
         if crate::utils::within_bound_by_size(&self.q_masked, ELL + EPSILON) {
-            error!("self.z2 > z_bound check failed");
+            error!("q is out of range!");
             return Err(InternalError::ProtocolError);
         }
 
From 466d23b37ce5f87235ae42e1074419ce984a2d9c Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Wed, 5 Jul 2023 13:17:23 +0530
Subject: [PATCH 13/15] fmt

---
 src/utils.rs     | 4 ++--
 src/zkp/pifac.rs | 8 +++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/utils.rs b/src/utils.rs
index 352e5540..b11445a2 100644
--- a/src/utils.rs
+++ b/src/utils.rs
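Review bot: The condition wrapping the rewritten log line, `if crate::utils::within_bound_by_size(&self.p_masked, ELL + EPSILON)`, is still reversed — the helper returns `true` for an in-range value — so this hunk changes the message on a branch that fires for every valid proof and never for an invalid one; the check needs a leading `!`. Independently, `error!("p is out of range!")` blames the secret factor, but the value being tested is `p_masked`, the response z1 = alpha + e·p that the verifier actually sees; `error!("z1 (p_masked) is out of range")` names the right thing and does not suggest the verifier holds `p`. The `}` line is changed only to add trailing whitespace. `verify` starts before this hunk.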
@@ -84,9 +84,9 @@ pub(crate) fn within_bound_by_size(value: &BigNumber, n: usize) -> bool {
 }
 
 /*pub(crate) within_bound_by_sqrt_modulus(value: &BigNumber, x: usize) -> bool {
-    let 
+    let
 }*/
- 
+
 /// Compute a^e (mod n).
 #[cfg_attr(feature = "flame_it", flame("utils"))]
 pub(crate) fn modpow(a: &BigNumber, e: &BigNumber, n: &BigNumber) -> BigNumber {
diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs
index 2d680791..602da93b 100644
--- a/src/zkp/pifac.rs
+++ b/src/zkp/pifac.rs
@@ -54,9 +54,11 @@ pub(crate) struct PiFacProof {
     p_masked: BigNumber,
     /// Mask `q` (`z2` in the paper).
     q_masked: BigNumber,
-    /// Masked commitment randomness used to form `p_commitment` (`w1` in the paper).
+    /// Masked commitment randomness used to form `p_commitment` (`w1` in the
+    /// paper).
     masked_p_commitment_randomness: MaskedRandomness,
-    /// Masked commitment randomness used to form `q_commitment` (`w2` in the paper).
+    /// Masked commitment randomness used to form `q_commitment` (`w2` in the
+    /// paper).
     masked_q_commitment_randomness: MaskedRandomness,
     /// Masked commitment randomness linking `p` to the commitment randomness
     /// used in `q_commitment` (`v` in the paper).
@@ -271,7 +273,7 @@ impl Proof for PiFacProof {
         if crate::utils::within_bound_by_size(&self.p_masked, ELL + EPSILON) {
             error!("p is out of range!");
             return Err(InternalError::ProtocolError);
-        } 
+        }
         if crate::utils::within_bound_by_size(&self.q_masked, ELL + EPSILON) {
             error!("q is out of range!");
             return Err(InternalError::ProtocolError);
From 9a28b34819a467406b7bae9f693c111ea34a9a62 Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Wed, 5 Jul 2023 23:20:26 +0530
Subject: [PATCH 14/15] implemented util fn

---
 src/auxinfo/output.rs |  3 +--
 src/utils.rs          | 20 +++++++++++++++++---
 src/zkp/pifac.rs      | 10 ++++++----
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/src/auxinfo/output.rs b/src/auxinfo/output.rs
index d9cde93c..1251106a 100644
--- a/src/auxinfo/output.rs
+++ b/src/auxinfo/output.rs
@@ -120,9 +120,8 @@ impl Output {
 
 #[cfg(test)]
 mod tests {
-    use crate::{paillier::DecryptionKey, utils::testing::init_testing};
-
     use super::*;
+    use crate::{paillier::DecryptionKey, utils::testing::init_testing};
 
     #[test]
     fn from_into_parts_works() {
diff --git a/src/utils.rs b/src/utils.rs
index b11445a2..aa9f1a14 100644
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -6,7 +6,10 @@
 // License, Version 2.0 found in the LICENSE-APACHE file in the root directory
 // of this source tree.
 
-use crate::errors::{CallerError, InternalError, Result};
+use crate::{
+    errors::{CallerError, InternalError, Result},
+    zkp::pifac::sqrt,
+};
 use generic_array::GenericArray;
 use k256::{
     elliptic_curve::{bigint::Encoding, group::ff::PrimeField, AffinePoint, Curve},
@@ -83,10 +86,21 @@ pub(crate) fn within_bound_by_size(value: &BigNumber, n: usize) -> bool {
     value <= &bound && value >= &-bound
 }
 
-/*pub(crate) within_bound_by_sqrt_modulus(value: &BigNumber, x: usize) -> bool {
-    let
+/*/// Find the square root of a positive BigNumber, rounding down.
+fn sqrt(num: &BigNumber) -> BigNumber {
+    // convert to a struct with a square root function first
+    let num_bigint: BigInt = BigInt::from_bytes_be(Sign::Plus, &num.to_bytes());
+    let sqrt = num_bigint.sqrt();
+    BigNumber::from_slice(sqrt.to_bytes_be().1)
 }*/
 
+/// Returns `true` if `value ∊ [-2^n * sqrt(n), 2^n * sqrt(nzero)]`.
+pub(crate) fn within_bound_by_sqrt_modulus(value: &BigNumber, n: usize, nzero: &BigNumber) -> bool {
+    let sqrt_n = sqrt(nzero);
+    let bound = sqrt_n * (BigNumber::one() << n);
+    value <= &bound && value >= &-bound
+}
+
 /// Compute a^e (mod n).
 #[cfg_attr(feature = "flame_it", flame("utils"))]
 pub(crate) fn modpow(a: &BigNumber, e: &BigNumber, n: &BigNumber) -> BigNumber {
diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs
index 602da93b..32915c77 100644
--- a/src/zkp/pifac.rs
+++ b/src/zkp/pifac.rs
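Review bot: The doc on the new `within_bound_by_sqrt_modulus`, `[-2^n * sqrt(n), 2^n * sqrt(nzero)]`, mixes up `n` and `nzero` on the left-hand side; it should read `/// Returns true if value lies in [-2^n * sqrt(nzero), 2^n * sqrt(nzero)].` The `sqrt` it calls is imported from `zkp::pifac` by this commit's other `utils.rs` hunk, which makes the generic utilities module depend on a ZKP module while a copy of that very function sits here commented out; moving the real `sqrt` into `utils` and deleting the comment block is the cleaner split. `nzero` is the prover-supplied modulus and `sqrt` builds its `BigInt` with `Sign::Plus` from the raw bytes, so a non-positive input is silently treated as its magnitude; presumably other checks reject such an `N` before this point, but a one-line comment saying so, or a debug assertion, would make the assumption visible.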
@@ -48,7 +48,7 @@ pub(crate) struct PiFacProof {
     /// Commitment linking `q` to the commitment randomness used in
     /// `p_commitment`.
     q_link_commitment: Commitment,
-    /// Randomness for commitment.
+    /// Randomness linking `q` to `p_commitment`.
     link_randomness: CommitmentRandomness,
     /// Mask `p` (`z1` in the paper`).
     p_masked: BigNumber,
@@ -270,11 +270,13 @@ impl Proof for PiFacProof {
             return Err(InternalError::ProtocolError);
         }
 
-        if crate::utils::within_bound_by_size(&self.p_masked, ELL + EPSILON) {
+        if crate::utils::within_bound_by_sqrt_modulus(&self.p_masked, ELL + EPSILON, &input.modulus)
+        {
             error!("p is out of range!");
             return Err(InternalError::ProtocolError);
         }
-        if crate::utils::within_bound_by_size(&self.q_masked, ELL + EPSILON) {
+        if crate::utils::within_bound_by_sqrt_modulus(&self.q_masked, ELL + EPSILON, &input.modulus)
+        {
             error!("q is out of range!");
             return Err(InternalError::ProtocolError);
         }
@@ -315,7 +317,7 @@ impl PiFacProof {
 }
 
 /// Find the square root of a positive BigNumber, rounding down
-fn sqrt(num: &BigNumber) -> BigNumber {
+pub(crate) fn sqrt(num: &BigNumber) -> BigNumber {
     // convert to a struct with a square root function first
     let num_bigint: BigInt = BigInt::from_bytes_be(Sign::Plus, &num.to_bytes());
     let sqrt = num_bigint.sqrt();
From e784dd12273b0079d786678466b1a1d4f5bb875b Mon Sep 17 00:00:00 2001
From: Hridam Basu
Date: Thu, 6 Jul 2023 11:45:16 +0530
Subject: [PATCH 15/15] within bound fn use reversed

---
 src/utils.rs     | 20 +-------------------
 src/zkp/pifac.rs | 14 ++++++++------
 2 files changed, 9 insertions(+), 25 deletions(-)

diff --git a/src/utils.rs b/src/utils.rs
index aa9f1a14..9a54c978 100644
--- a/src/utils.rs
+++ b/src/utils.rs
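Review bot: Both new calls are inverted: `within_bound_by_sqrt_modulus` returns `true` for a value inside the bound (its body `value <= &bound && value >= &-bound` is in this commit's `utils.rs` hunk), so `if crate::utils::within_bound_by_sqrt_modulus(&self.p_masked, ELL + EPSILON, &input.modulus)` returns `ProtocolError` for every honest proof and lets an out-of-range z1 pass, and the `q_masked` site behaves the same. Each needs a `!`: `if !crate::utils::within_bound_by_sqrt_modulus(&self.p_masked, ELL + EPSILON, &input.modulus)`. With that fixed the helper is worth keeping, since it puts the verifier's bound in one place; it does recompute the square root of the modulus on every call though, so the two checks could share a precomputed root. `verify` starts before this hunk.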
@@ -6,10 +6,7 @@
 // License, Version 2.0 found in the LICENSE-APACHE file in the root directory
 // of this source tree.
 
-use crate::{
-    errors::{CallerError, InternalError, Result},
-    zkp::pifac::sqrt,
-};
+use crate::errors::{CallerError, InternalError, Result};
 use generic_array::GenericArray;
 use k256::{
     elliptic_curve::{bigint::Encoding, group::ff::PrimeField, AffinePoint, Curve},
@@ -86,21 +83,6 @@ pub(crate) fn within_bound_by_size(value: &BigNumber, n: usize) -> bool {
     value <= &bound && value >= &-bound
 }
 
-/*/// Find the square root of a positive BigNumber, rounding down.
-fn sqrt(num: &BigNumber) -> BigNumber {
-    // convert to a struct with a square root function first
-    let num_bigint: BigInt = BigInt::from_bytes_be(Sign::Plus, &num.to_bytes());
-    let sqrt = num_bigint.sqrt();
-    BigNumber::from_slice(sqrt.to_bytes_be().1)
-}*/
-
-/// Returns `true` if `value ∊ [-2^n * sqrt(n), 2^n * sqrt(nzero)]`.
-pub(crate) fn within_bound_by_sqrt_modulus(value: &BigNumber, n: usize, nzero: &BigNumber) -> bool {
-    let sqrt_n = sqrt(nzero);
-    let bound = sqrt_n * (BigNumber::one() << n);
-    value <= &bound && value >= &-bound
-}
-
 /// Compute a^e (mod n).
 #[cfg_attr(feature = "flame_it", flame("utils"))]
 pub(crate) fn modpow(a: &BigNumber, e: &BigNumber, n: &BigNumber) -> BigNumber {
diff --git a/src/zkp/pifac.rs b/src/zkp/pifac.rs
index 32915c77..7fec11b2 100644
--- a/src/zkp/pifac.rs
+++ b/src/zkp/pifac.rs
@@ -270,17 +270,19 @@ impl Proof for PiFacProof {
             return Err(InternalError::ProtocolError);
         }
 
-        if crate::utils::within_bound_by_sqrt_modulus(&self.p_masked, ELL + EPSILON, &input.modulus)
-        {
+        let sqrt_modulus = sqrt(&input.modulus);
+        // 2^{ELL + EPSILON}
+        let two_ell_eps = BigNumber::one() << (ELL + EPSILON);
+        // 2^{ELL + EPSILON} * sqrt(N_0)
+        let z_bound = &sqrt_modulus * &two_ell_eps;
+        if self.p_masked < -z_bound.clone() || self.p_masked > z_bound {
             error!("p is out of range!");
             return Err(InternalError::ProtocolError);
         }
-        if crate::utils::within_bound_by_sqrt_modulus(&self.q_masked, ELL + EPSILON, &input.modulus)
-        {
+        if self.q_masked < -z_bound.clone() || self.q_masked > z_bound {
             error!("q is out of range!");
             return Err(InternalError::ProtocolError);
         }
-
         Ok(())
     }
 }
@@ -317,7 +319,7 @@ impl PiFacProof {
 }
 
 /// Find the square root of a positive BigNumber, rounding down
-pub(crate) fn sqrt(num: &BigNumber) -> BigNumber {
+fn sqrt(num: &BigNumber) -> BigNumber {
     // convert to a struct with a square root function first
     let num_bigint: BigInt = BigInt::from_bytes_be(Sign::Plus, &num.to_bytes());
     let sqrt = num_bigint.sqrt();
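Review bot: The restored explicit comparisons are correct, but `error!("p is out of range!")` and `error!("q is out of range!")` name the factors while the values being checked are the responses z1/z2 (`p_masked`, `q_masked`); `error!("z1 (p_masked) is out of range")` would be accurate and would not imply the verifier ever sees `p`. The bound `2^(ELL+EPSILON) * sqrt(N_0)` is now spelled out here while the prover samples from `random_plusminus_scaled(rng, ELL + EPSILON, sqrt_N0)`, so the two can drift apart; a small local predicate `fn z_in_range(z: &BigNumber, bound: &BigNumber) -> bool` used as `if !z_in_range(&self.p_masked, &z_bound)` keeps them in step and drops the two `clone()` calls. These comparisons are far cheaper than the three exponentiation equalities above them, so running them first lets a malformed proof fail before the expensive work, and the order does not change what is accepted. Since `input.modulus` is prover-supplied and `sqrt` takes its magnitude via `Sign::Plus`, a non-positive N is not caught here (presumably it is rejected elsewhere, but that deserves a comment); `verify` starts before this hunk.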