From e3a87019dde5cd51dd83ac47d820ff07e93703c2 Mon Sep 17 00:00:00 2001 From: Omer Shlomovits Date: Sun, 10 May 2020 13:29:03 +0300 Subject: [PATCH] alternate lindell (#26) * alternate lindell * update mp-ecdsa --- Cargo.toml | 6 +- src/ecdsa/two_party/party1.rs | 115 +++++++++------------------------- src/ecdsa/two_party/party2.rs | 100 ++++++----------------------- src/ecdsa/two_party/test.rs | 109 ++++---------------------------- src/poc.rs | 32 +--------- src/schnorr/two_party/test.rs | 1 - 6 files changed, 66 insertions(+), 297 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 25bb552..b1b5795 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "kms" -version = "0.2.1" +version = "0.2.2" authors = [ "Omer ", "Gary " @@ -21,7 +21,7 @@ tag = "v0.3.4" [dependencies.zk-paillier] git = "https://github.com/KZen-networks/zk-paillier" -tag = "v0.2.5" +tag = "v0.2.8" [dependencies.multi-party-schnorr] git = "https://github.com/KZen-networks/multi-party-schnorr" @@ -34,7 +34,7 @@ tag = "v0.2.3" [dependencies.multi-party-ecdsa] git = "https://github.com/KZen-networks/multi-party-ecdsa" -tag = "v0.2.9" +rev = "0a4931b8247b2f187dcb9ff7c7c096444feadcc3" [dependencies.centipede] git = "https://github.com/KZen-networks/centipede" diff --git a/src/ecdsa/two_party/party1.rs b/src/ecdsa/two_party/party1.rs index 3d3586c..92490d7 100644 --- a/src/ecdsa/two_party/party1.rs +++ b/src/ecdsa/two_party/party1.rs @@ -18,13 +18,14 @@ use super::hd_key; use super::{MasterKey1, MasterKey2, Party1Public}; use ecdsa::two_party::party2::SignMessage; use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_two::EphKeyGenFirstMsg; -use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_two::PDLFirstMessage as Party2PDLFirstMsg; -use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_two::PDLSecondMessage as Party2PDLSecondMsg; use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::{party_one, party_two}; +use multi_party_ecdsa::utilities::zk_pdl_with_slack::PDLwSlackProof; +use multi_party_ecdsa::utilities::zk_pdl_with_slack::PDLwSlackStatement; +use zk_paillier::zkproofs::CompositeDLogProof; use paillier::EncryptionKey; use rotation::two_party::Rotation; -use zk_paillier::zkproofs::{NICorrectKeyProof, RangeProofNi}; +use zk_paillier::zkproofs::NICorrectKeyProof; use Errors::{self, SignError}; #[derive(Debug, Serialize, Deserialize)] @@ -33,7 +34,9 @@ pub struct KeyGenParty1Message2 { pub ek: EncryptionKey, pub c_key: BigInt, pub correct_key_proof: NICorrectKeyProof, - pub range_proof: RangeProofNi, + pub pdl_statement: PDLwSlackStatement, + pub pdl_proof: PDLwSlackProof, + pub composite_dlog_proof: CompositeDLogProof, } #[derive(Debug, Serialize, Deserialize)] @@ -41,7 +44,9 @@ pub struct RotationParty1Message1 { pub ek: EncryptionKey, pub c_key_new: BigInt, pub correct_key_proof: NICorrectKeyProof, - pub range_proof: RangeProofNi, + pub pdl_statement: PDLwSlackStatement, + pub pdl_proof: PDLwSlackProof, + pub composite_dlog_proof: CompositeDLogProof, } impl MasterKey1 { @@ -180,10 +185,9 @@ impl MasterKey1 { let party_one_private = party_one::Party1Private::set_private_key(&ec_key_pair_party1, &paillier_key_pair); - let range_proof = party_one::PaillierKeyPair::generate_range_proof( - &paillier_key_pair, - &party_one_private, - ); + let (pdl_statement, pdl_proof, composite_dlog_proof) = + party_one::PaillierKeyPair::pdl_proof(&party_one_private, &paillier_key_pair); + let correct_key_proof = party_one::PaillierKeyPair::generate_ni_proof_correct_key(&paillier_key_pair); ( @@ -192,39 +196,15 @@ impl MasterKey1 { ek: paillier_key_pair.ek.clone(), c_key: paillier_key_pair.encrypted_share.clone(), correct_key_proof, - range_proof, + pdl_statement, + pdl_proof, + composite_dlog_proof, }, paillier_key_pair, party_one_private, ) } - pub fn key_gen_third_message( - party_two_pdl_first_message: &Party2PDLFirstMsg, - party_one_private: &party_one::Party1Private, - ) -> (party_one::PDLFirstMessage, party_one::PDLdecommit, BigInt) { - party_one::PaillierKeyPair::pdl_first_stage( - &party_one_private, - &party_two_pdl_first_message, - ) - } - - pub fn key_gen_fourth_message( - pdl_party_two_first_message: &Party2PDLFirstMsg, - pdl_party_two_second_message: &Party2PDLSecondMsg, - party_one_private: party_one::Party1Private, - pdl_decommit: party_one::PDLdecommit, - alpha: BigInt, - ) -> Result { - party_one::PaillierKeyPair::pdl_second_stage( - pdl_party_two_first_message, - pdl_party_two_second_message, - party_one_private, - pdl_decommit, - alpha, - ) - } - pub fn sign_first_message() -> (party_one::EphKeyGenFirstMsg, party_one::EphEcKeyPair) { party_one::EphKeyGenFirstMsg::create() } @@ -272,60 +252,27 @@ impl MasterKey1 { } } - pub fn rotation_first_message( - &self, - cf: &Rotation, - ) -> (RotationParty1Message1, party_one::Party1Private) { - let (ek_new, c_key_new, new_private, correct_key_proof, range_proof) = - party_one::Party1Private::refresh_private_key(&self.private, &cf.rotation.to_big_int()); - + pub fn rotation_first_message(self, cf: &Rotation) -> (RotationParty1Message1, MasterKey1) { + let ( + ek_new, + c_key_new, + new_private, + correct_key_proof, + pdl_statement, + pdl_proof, + composite_dlog_proof, + ) = party_one::Party1Private::refresh_private_key(&self.private, &cf.rotation.to_big_int()); + let master_key_new = self.rotate(cf, new_private, &ek_new, &c_key_new); ( RotationParty1Message1 { ek: ek_new, c_key_new, correct_key_proof, - range_proof, + pdl_statement, + pdl_proof, + composite_dlog_proof, }, - new_private, - ) - } - - pub fn rotation_second_message( - rotate_party_two_message_one: &Party2PDLFirstMsg, - party_one_private: &party_one::Party1Private, - ) -> (party_one::PDLFirstMessage, party_one::PDLdecommit, BigInt) { - party_one::PaillierKeyPair::pdl_first_stage( - &party_one_private, - &rotate_party_two_message_one, + master_key_new, ) } - - pub fn rotation_third_message( - self, - rotation_first_message: &RotationParty1Message1, - party_one_private_new: party_one::Party1Private, - cf: &Rotation, - rotate_party_two_first_message: &Party2PDLFirstMsg, - rotate_party_two_second_message: &Party2PDLSecondMsg, - pdl_decommit: party_one::PDLdecommit, - alpha: BigInt, - ) -> Result<(party_one::PDLSecondMessage, MasterKey1), ()> { - let rotate_party_one_third_message = party_one::PaillierKeyPair::pdl_second_stage( - rotate_party_two_first_message, - rotate_party_two_second_message, - party_one_private_new.clone(), - pdl_decommit, - alpha, - ); - let master_key_new = self.rotate( - cf, - party_one_private_new, - &rotation_first_message.ek, - &rotation_first_message.c_key_new, - ); - match rotate_party_one_third_message { - Ok(x) => Ok((x, master_key_new)), - Err(_) => Err(()), - } - } } diff --git a/src/ecdsa/two_party/party2.rs b/src/ecdsa/two_party/party2.rs index 175df94..ddd3dd1 100644 --- a/src/ecdsa/two_party/party2.rs +++ b/src/ecdsa/two_party/party2.rs @@ -13,8 +13,6 @@ use curv::{BigInt, FE, GE}; use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_one::EphKeyGenFirstMsg as Party1EphKeyGenFirstMsg; use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_one::KeyGenFirstMsg as Party1KeyGenFirstMsg; -use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_one::PDLFirstMessage as Party1PDLFirstMsg; -use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::party_one::PDLSecondMessage as Party1PDLSecondMsg; use super::party1::{KeyGenParty1Message2, RotationParty1Message1}; use multi_party_ecdsa::protocols::two_party_ecdsa::lindell_2017::{party_one, party_two}; @@ -34,7 +32,6 @@ pub struct SignMessage { #[derive(Debug, Serialize, Deserialize)] pub struct Party2SecondMessage { pub key_gen_second_message: party_two::KeyGenSecondMsg, - pub pdl_first_message: party_two::PDLFirstMessage, } impl MasterKey2 { @@ -160,14 +157,7 @@ impl MasterKey2 { pub fn key_gen_second_message( party_one_first_message: &Party1KeyGenFirstMsg, party_one_second_message: &KeyGenParty1Message2, - ) -> Result< - ( - Party2SecondMessage, - party_two::PaillierPublic, - party_two::PDLchallenge, - ), - (), - > { + ) -> Result<(Party2SecondMessage, party_two::PaillierPublic), ()> { let paillier_encryption_key = party_one_second_message.ek.clone(); let paillier_encrypted_share = party_one_second_message.c_key.clone(); @@ -182,12 +172,11 @@ impl MasterKey2 { encrypted_secret_share: paillier_encrypted_share.clone(), }; - let range_proof_verify = party_two::PaillierPublic::verify_range_proof( + let pdl_verify = party_two::PaillierPublic::pdl_verify( + &party_one_second_message.composite_dlog_proof, + &party_one_second_message.pdl_statement, + &party_one_second_message.pdl_proof, &party_two_paillier, - &party_one_second_message.range_proof, - ); - - let (pdl_first_message, pdl_chal) = party_two_paillier.pdl_challenge( &party_one_second_message .ecdh_second_message .comm_witness @@ -198,43 +187,23 @@ impl MasterKey2 { .correct_key_proof .verify(&party_two_paillier.ek); - match range_proof_verify { + match pdl_verify { Ok(_proof) => match correct_key_verify { Ok(_proof) => match party_two_second_message { Ok(t) => Ok(( Party2SecondMessage { key_gen_second_message: t, - pdl_first_message, }, party_two_paillier, - pdl_chal, )), Err(_verify_com_and_dlog_party_one) => Err(()), }, Err(_correct_key_error) => Err(()), }, - Err(_range_proof_error) => Err(()), + Err(_pdl_error) => Err(()), } } - pub fn key_gen_third_message( - pdl_chal: &party_two::PDLchallenge, - ) -> party_two::PDLSecondMessage { - party_two::PaillierPublic::pdl_decommit_c_tag_tag(&pdl_chal) - } - - pub fn key_gen_fourth_message( - pdl_chal: &party_two::PDLchallenge, - party_one_pdl_first_message: &Party1PDLFirstMsg, - party_one_pdl_second_message: &Party1PDLSecondMsg, - ) -> Result<(), ()> { - party_two::PaillierPublic::verify_pdl( - pdl_chal, - party_one_pdl_first_message, - party_one_pdl_second_message, - ) - } - pub fn sign_first_message() -> ( party_two::EphKeyGenFirstMsg, party_two::EphCommWitness, @@ -274,66 +243,35 @@ impl MasterKey2 { // is rotation and not new key gen. // party2 needs to verify range proof on c_key_new and correct key proof on the new paillier keys pub fn rotate_first_message( - &self, + self, cf: &Rotation, party_one_rotation_first_message: &RotationParty1Message1, - ) -> Result< - ( - party_two::PDLFirstMessage, - party_two::PDLchallenge, - party_two::PaillierPublic, - ), - (), - > { + ) -> Result { let party_two_paillier = party_two::PaillierPublic { ek: party_one_rotation_first_message.ek.clone(), encrypted_secret_share: party_one_rotation_first_message.c_key_new.clone(), }; - let range_proof_verify = party_one_rotation_first_message.range_proof.verify( - &party_two_paillier.ek, - &party_two_paillier.encrypted_secret_share, + + let pdl_verify = party_two::PaillierPublic::pdl_verify( + &party_one_rotation_first_message.composite_dlog_proof, + &party_one_rotation_first_message.pdl_statement, + &party_one_rotation_first_message.pdl_proof, + &party_two_paillier, + &(self.public.p1 * &cf.rotation), ); let correct_key_verify = party_one_rotation_first_message .correct_key_proof .verify(&party_two_paillier.ek); - let (pdl_first_message, pdl_chal) = - party_two_paillier.pdl_challenge(&(&self.public.p1 * &cf.rotation)); + let master_key = self.rotate(cf, &party_two_paillier); - match range_proof_verify { + match pdl_verify { Ok(_proof) => match correct_key_verify { - Ok(_proof) => Ok((pdl_first_message, pdl_chal, party_two_paillier)), + Ok(_proof) => Ok(master_key), Err(_correct_key_error) => Err(()), }, Err(_range_proof_error) => Err(()), } } - - pub fn rotate_second_message( - pdl_chal: &party_two::PDLchallenge, - ) -> party_two::PDLSecondMessage { - party_two::PaillierPublic::pdl_decommit_c_tag_tag(&pdl_chal) - } - - pub fn rotate_third_message( - self, - cf: &Rotation, - party_two_paillier: &party_two::PaillierPublic, - pdl_chal: &party_two::PDLchallenge, - party_one_pdl_first_message: &Party1PDLFirstMsg, - party_one_pdl_second_message: &Party1PDLSecondMsg, - ) -> Result { - match party_two::PaillierPublic::verify_pdl( - pdl_chal, - party_one_pdl_first_message, - party_one_pdl_second_message, - ) { - Ok(_) => { - let master_key = self.rotate(cf, party_two_paillier); - Ok(master_key) - } - Err(_) => Err(()), - } - } } diff --git a/src/ecdsa/two_party/test.rs b/src/ecdsa/two_party/test.rs index ea33ac5..23d9254 100644 --- a/src/ecdsa/two_party/test.rs +++ b/src/ecdsa/two_party/test.rs @@ -159,47 +159,16 @@ mod tests { let random2 = Rotation { rotation: one.clone(), }; + //rotation: - let (rotation_party_one_first_message, party_one_private_new) = + let (rotation_party_one_first_message, party_one_master_key_rotated) = party_one_master_key_half_recovered.rotation_first_message(&random1); let result_rotate_party_one_first_message = party_two_master_key.rotate_first_message(&random2, &rotation_party_one_first_message); assert!(result_rotate_party_one_first_message.is_ok()); - let (rotation_party_two_first_message, party_two_pdl_chal, party_two_paillier) = - result_rotate_party_one_first_message.unwrap(); - let (rotation_party_one_second_message, party_one_pdl_decommit, alpha) = - MasterKey1::rotation_second_message( - &rotation_party_two_first_message, - &party_one_private_new, - ); - let rotation_party_two_second_message = - MasterKey2::rotate_second_message(&party_two_pdl_chal); - let result_rotate_party_two_second_message = party_one_master_key_half_recovered - .rotation_third_message( - &rotation_party_one_first_message, - party_one_private_new, - &random1, - &rotation_party_two_first_message, - &rotation_party_two_second_message, - party_one_pdl_decommit, - alpha, - ); - assert!(result_rotate_party_two_second_message.is_ok()); - let (rotation_party_one_third_message, party_one_master_key_rotated) = - result_rotate_party_two_second_message.unwrap(); - - let result_rotate_party_one_third_message = party_two_master_key.rotate_third_message( - &random2, - &party_two_paillier, - &party_two_pdl_chal, - &rotation_party_one_second_message, - &rotation_party_one_third_message, - ); - assert!(result_rotate_party_one_third_message.is_ok()); - - let party_two_master_key_rotated = result_rotate_party_one_third_message.unwrap(); + let party_two_master_key_rotated = result_rotate_party_one_first_message.unwrap(); //test by signing: let message = BigInt::from(1234); @@ -447,33 +416,7 @@ mod tests { ); assert!(key_gen_second_message.is_ok()); - - let (party_two_second_message, party_two_paillier, party_two_pdl_chal) = - key_gen_second_message.unwrap(); - - let (party_one_third_message, party_one_pdl_decommit, alpha) = - MasterKey1::key_gen_third_message( - &party_two_second_message.pdl_first_message, - &party_one_private, - ); - - let party_two_third_message = MasterKey2::key_gen_third_message(&party_two_pdl_chal); - - let party_one_fourth_message = MasterKey1::key_gen_fourth_message( - &party_two_second_message.pdl_first_message, - &party_two_third_message, - party_one_private.clone(), - party_one_pdl_decommit, - alpha, - ) - .expect("pdl error party 2"); - - MasterKey2::key_gen_fourth_message( - &party_two_pdl_chal, - &party_one_third_message, - &party_one_fourth_message, - ) - .expect("pdl error party1"); + let party_two_paillier = key_gen_second_message.unwrap().1; // chain code let (cc_party_one_first_message, cc_comm_witness, cc_ec_key_pair1) = @@ -537,46 +480,16 @@ mod tests { ); //rotation: - let (rotation_party_one_first_message, party_one_private_new) = + let (rotation_party_one_first_message, party_one_master_key_rotated) = party_one_master_key.rotation_first_message(&random1); - let result_rotate_party_one_first_message = + let result_rotate_party_two = party_two_master_key.rotate_first_message(&random2, &rotation_party_one_first_message); - assert!(result_rotate_party_one_first_message.is_ok()); - - let (rotation_party_two_first_message, party_two_pdl_chal, party_two_paillier) = - result_rotate_party_one_first_message.unwrap(); - let (rotation_party_one_second_message, party_one_pdl_decommit, alpha) = - MasterKey1::rotation_second_message( - &rotation_party_two_first_message, - &party_one_private_new, - ); - let rotation_party_two_second_message = - MasterKey2::rotate_second_message(&party_two_pdl_chal); - let result_rotate_party_two_second_message = party_one_master_key.rotation_third_message( - &rotation_party_one_first_message, - party_one_private_new, - &random1, - &rotation_party_two_first_message, - &rotation_party_two_second_message, - party_one_pdl_decommit, - alpha, - ); - assert!(result_rotate_party_two_second_message.is_ok()); - let (rotation_party_one_third_message, party_one_master_key_rotated) = - result_rotate_party_two_second_message.unwrap(); - - let result_rotate_party_one_third_message = party_two_master_key.rotate_third_message( - &random2, - &party_two_paillier, - &party_two_pdl_chal, - &rotation_party_one_second_message, - &rotation_party_one_third_message, - ); - assert!(result_rotate_party_one_third_message.is_ok()); - - let party_two_master_key_rotated = result_rotate_party_one_third_message.unwrap(); + assert!(result_rotate_party_two.is_ok()); - (party_one_master_key_rotated, party_two_master_key_rotated) + ( + party_one_master_key_rotated, + result_rotate_party_two.unwrap(), + ) } } diff --git a/src/poc.rs b/src/poc.rs index b209c25..2b4b69d 100644 --- a/src/poc.rs +++ b/src/poc.rs @@ -78,9 +78,9 @@ mod tests { EcdsaMasterKey1::key_gen_first_message(); let (kg_party_two_first_message, _kg_ec_key_pair_party2) = EcdsaMasterKey2::key_gen_first_message(); - let (kg_party_one_second_message, _paillier_key_pair, party_one_private) = + let (kg_party_one_second_message, _party_one_paillier_key_pair, _party_one_private) = EcdsaMasterKey1::key_gen_second_message( - kg_comm_witness, + kg_comm_witness.clone(), &kg_ec_key_pair_party1, &kg_party_two_first_message.d_log_proof, ); @@ -89,35 +89,7 @@ mod tests { &kg_party_one_first_message, &kg_party_one_second_message, ); - assert!(key_gen_second_message.is_ok()); - - let (party_two_second_message, _party_two_paillier, party_two_pdl_chal) = - key_gen_second_message.unwrap(); - - let (party_one_third_message, party_one_pdl_commit, alpha) = - EcdsaMasterKey1::key_gen_third_message( - &party_two_second_message.pdl_first_message, - &party_one_private, - ); - - let party_two_third_message = EcdsaMasterKey2::key_gen_third_message(&party_two_pdl_chal); - - let party_one_fourth_message = EcdsaMasterKey1::key_gen_fourth_message( - &party_two_second_message.pdl_first_message, - &party_two_third_message, - party_one_private, - party_one_pdl_commit, - alpha, - ) - .expect("pdl error party 2"); - - EcdsaMasterKey2::key_gen_fourth_message( - &party_two_pdl_chal, - &party_one_third_message, - &party_one_fourth_message, - ) - .expect("pdl error party1"); // recovery party two: let secret_decrypted = Msegmentation::decrypt(&encryptions, &G, &y, &segment_size); diff --git a/src/schnorr/two_party/test.rs b/src/schnorr/two_party/test.rs index 317d535..669523d 100644 --- a/src/schnorr/two_party/test.rs +++ b/src/schnorr/two_party/test.rs @@ -599,5 +599,4 @@ mod tests { pubkey_view_party2.get_element() ); } - }