package mta
import (
"crypto/rand"
"github.com/cronokirby/saferith"
"github.com/w3-key/mps-lean/pkg/hash"
"github.com/w3-key/mps-lean/pkg/math/curve"
"github.com/w3-key/mps-lean/pkg/math/sample"
"github.com/w3-key/mps-lean/pkg/paillier"
"github.com/w3-key/mps-lean/pkg/pedersen"
zkaffg "github.com/w3-key/mps-lean/pkg/zk/affg"
zkaffp "github.com/w3-key/mps-lean/pkg/zk/affp"
)
// ProveAffG runs the sender's side of a multiplicative-to-additive (MtA)
// exchange and returns the messages the receiver needs, together with a
// zkaffg (affine-group) proof that they were formed correctly.
//
// h is a hash function initialized with the sender's ID.
//   - senderSecretShare = aᵢ
//   - senderSecretSharePoint = Aᵢ = aᵢ⋅G
//   - receiverEncryptedShare = Encⱼ(bⱼ)
//
// The elements returned are:
//   - Beta = β
//   - D = (aᵢ ⊙ Bⱼ) ⊕ encⱼ(-β, s), under the receiver's Paillier key
//   - F = encᵢ(-β, r), under the sender's own Paillier key
//   - Proof = zkaffg proof of correct encryption.
//
// NOTE(review): no validation of receiver or verifier is done here; presumably
// the caller checks them when they are received — confirm.
func ProveAffG(group curve.Curve, h *hash.Hash,
	senderSecretShare *saferith.Int, senderSecretSharePoint curve.Point, receiverEncryptedShare *paillier.Ciphertext,
	sender *paillier.SecretKey, receiver *paillier.PublicKey, verifier *pedersen.Parameters) (Beta *saferith.Int, D, F *paillier.Ciphertext, Proof *zkaffg.Proof) {
	d, f, s, r, betaNeg := newMta(senderSecretShare, receiverEncryptedShare, sender, receiver)

	// Public statement: the ciphertexts paired with the keys they were
	// produced under (D under receiver, F under the sender's own key).
	public := zkaffg.Public{
		Kv:       receiverEncryptedShare,
		Dv:       d,
		Fp:       f,
		Xp:       senderSecretSharePoint,
		Prover:   sender.PublicKey,
		Verifier: receiver,
		Aux:      verifier,
	}
	// Witness: the sender's share, the sampled -β and the two Paillier
	// nonces produced by newMta.
	private := zkaffg.Private{
		X: senderSecretShare,
		Y: betaNeg,
		S: s,
		R: r,
	}
	proof := zkaffg.NewProof(group, h, public, private)

	// newMta hands back -β; flip the sign so the caller gets β. saferith's
	// Neg works in place, so beta aliases betaNeg — harmless, since the proof
	// has already been built.
	beta := betaNeg.Neg(1)
	return beta, d, f, proof
}
// ProveAffP runs the sender's side of the MtA exchange and returns the
// receiver's messages together with a zkaffp (affine-Paillier) proof. It is
// kept separate from ProveAffG to make explicit which parameters feed zkaffp.
//
// h is a hash function initialized with the sender's ID.
//   - senderSecretShare = aᵢ
//   - senderEncryptedShare = Aᵢ = Encᵢ(aᵢ)
//   - senderEncryptedShareNonce = the nonce used to produce senderEncryptedShare
//   - receiverEncryptedShare = Encⱼ(bⱼ)
//
// The elements returned are:
//   - Beta = β
//   - D = (aᵢ ⊙ Bⱼ) ⊕ encⱼ(-β, s), under the receiver's Paillier key
//   - F = encᵢ(-β, r), under the sender's own Paillier key
//   - Proof = zkaffp proof of correct encryption.
//
// NOTE(review): no validation of receiver or verifier is done here; presumably
// the caller checks them when they are received — confirm.
func ProveAffP(group curve.Curve, h *hash.Hash,
	senderSecretShare *saferith.Int, senderEncryptedShare *paillier.Ciphertext, senderEncryptedShareNonce *saferith.Nat,
	receiverEncryptedShare *paillier.Ciphertext,
	sender *paillier.SecretKey, receiver *paillier.PublicKey, verifier *pedersen.Parameters) (Beta *saferith.Int, D, F *paillier.Ciphertext, Proof *zkaffp.Proof) {
	d, f, s, r, betaNeg := newMta(senderSecretShare, receiverEncryptedShare, sender, receiver)

	// Public statement: here the sender's share is bound through its own
	// Paillier encryption rather than a curve point.
	public := zkaffp.Public{
		Kv:       receiverEncryptedShare,
		Dv:       d,
		Fp:       f,
		Xp:       senderEncryptedShare,
		Prover:   sender.PublicKey,
		Verifier: receiver,
		Aux:      verifier,
	}
	// Witness: the share, -β, the nonces from newMta, and the nonce of the
	// sender's own encrypted share (Rx).
	private := zkaffp.Private{
		X:  senderSecretShare,
		Y:  betaNeg,
		S:  s,
		Rx: senderEncryptedShareNonce,
		R:  r,
	}
	proof := zkaffp.NewProof(group, h, public, private)

	// newMta hands back -β; negate in place (saferith semantics) so the
	// caller receives β. The proof is already built, so aliasing is harmless.
	beta := betaNeg.Neg(1)
	return beta, d, f, proof
}
// newMta performs the sender's half of the MtA exchange shared by ProveAffG
// and ProveAffP.
//
// It draws BetaNeg = -β from sample.IntervalLPrime using crypto/rand, then
// encrypts it twice: F under the sender's own key (nonce R) and D under the
// receiver's key (nonce S). D is finally shifted homomorphically by aᵢ ⊙ Bⱼ,
// so it decrypts to aᵢ·bⱼ - β. The nonces are returned because the callers
// need them as proof witnesses.
//
// receiverEncryptedShare is left unmodified: the multiplication runs on a clone.
func newMta(senderSecretShare *saferith.Int, receiverEncryptedShare *paillier.Ciphertext,
	sender *paillier.SecretKey, receiver *paillier.PublicKey) (D, F *paillier.Ciphertext, S, R *saferith.Nat, BetaNeg *saferith.Int) {
	// -β comes from the ℓ' interval (presumably the range the affine proofs
	// bound — confirm against sample.IntervalLPrime). The negated sign is what
	// the proofs take as witness Y, so it is kept as-is here.
	negBeta := sample.IntervalLPrime(rand.Reader)

	// F = encᵢ(-β, r): the sender's own encryption of -β.
	f, r := sender.Enc(negBeta)
	// D starts as encⱼ(-β, s) under the receiver's key.
	d, s := receiver.Enc(negBeta)

	// aᵢ ⊙ Bⱼ, computed on a clone so the caller's ciphertext is untouched.
	product := receiverEncryptedShare.Clone().Mul(receiver, senderSecretShare)
	// D = encⱼ(-β, s) ⊕ (aᵢ ⊙ Bⱼ) = encⱼ(aᵢ·bⱼ - β); Add updates d in place.
	d.Add(receiver, product)

	return d, f, s, r, negBeta
}