wip

nucypher · Feb 5, 2024 · da8614a · da8614a
1 parent 6fd65bd
commit da8614a
Show file tree

Hide file tree

Showing 10 changed files with 203 additions and 161 deletions.
diff --git a/ferveo-tdec/benches/tpke.rs b/ferveo-tdec/benches/tpke.rs
@@ -1,6 +1,6 @@
 #![allow(clippy::redundant_closure)]
 
-use ark_bls12_381::{Bls12_381, Fr, G1Affine as G1, G2Affine as G2};
+use ark_bls12_381::{Bls12_381, Fr};
 use ark_ec::pairing::Pairing;
 use criterion::{
     black_box, criterion_group, criterion_main, BenchmarkId, Criterion,
@@ -25,8 +25,8 @@ struct SetupShared {
     shares_num: usize,
     msg: Vec<u8>,
     aad: Vec<u8>,
-    pubkey: G1,
-    privkey: G2,
+    pubkey: PublicKeyShare<E>,
+    privkey: PrivateKeyShare<E>,
     ciphertext: Ciphertext<E>,
     shared_secret: SharedSecret<E>,
 }

diff --git a/ferveo-tdec/src/ciphertext.rs b/ferveo-tdec/src/ciphertext.rs
@@ -13,7 +13,10 @@ use serde_with::serde_as;
 use sha2::{digest::Digest, Sha256};
 use zeroize::ZeroizeOnDrop;
 
-use crate::{htp_bls12381_g2, Error, Result, SecretBox, SharedSecret};
+use crate::{
+    htp_bls12381_g2, Error, PrivateKeyShare, PublicKeyShare, Result, SecretBox,
+    SharedSecret,
+};
 
 #[serde_as]
 #[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
@@ -95,7 +98,7 @@ impl<E: Pairing> CiphertextHeader<E> {
 pub fn encrypt<E: Pairing>(
     message: SecretBox<Vec<u8>>,
     aad: &[u8],
-    pubkey: &E::G1Affine,
+    pubkey: &PublicKeyShare<E>,
     rng: &mut impl rand::Rng,
 ) -> Result<Ciphertext<E>> {
     // r
@@ -105,7 +108,8 @@ pub fn encrypt<E: Pairing>(
     // h
     let h_gen = E::G2Affine::generator();
 
-    let ry_prep = E::G1Prepared::from(pubkey.mul(rand_element).into());
+    let ry_prep =
+        E::G1Prepared::from(pubkey.public_key_share.mul(rand_element).into());
     // s
     let product = E::pairing(ry_prep, h_gen).0;
     // u
@@ -140,13 +144,13 @@ pub fn encrypt<E: Pairing>(
 pub fn decrypt_symmetric<E: Pairing>(
     ciphertext: &Ciphertext<E>,
     aad: &[u8],
-    private_key: &E::G2Affine,
+    private_key: &PrivateKeyShare<E>,
     g_inv: &E::G1Prepared,
 ) -> Result<Vec<u8>> {
     ciphertext.check(aad, g_inv)?;
     let shared_secret = E::pairing(
         E::G1Prepared::from(ciphertext.commitment),
-        E::G2Prepared::from(*private_key),
+        E::G2Prepared::from(private_key.private_key_share),
     )
     .0;
     let shared_secret = SharedSecret(shared_secret);

diff --git a/ferveo-tdec/src/decryption.rs b/ferveo-tdec/src/decryption.rs
@@ -2,15 +2,16 @@ use std::ops::Mul;
 
 use ark_ec::{pairing::Pairing, CurveGroup};
 use ark_ff::{Field, One, Zero};
+use ark_std::UniformRand;
 use ferveo_common::serialization;
 use itertools::{izip, zip_eq};
 use rand_core::RngCore;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use serde_with::serde_as;
 
 use crate::{
-    generate_random, Ciphertext, CiphertextHeader, PrivateKeyShare,
-    PublicDecryptionContextFast, PublicDecryptionContextSimple, Result,
+    Ciphertext, CiphertextHeader, PrivateKeyShare, PublicDecryptionContextFast,
+    PublicDecryptionContextSimple, Result,
 };
 
 #[serde_as]
@@ -226,6 +227,15 @@ impl<E: Pairing> DecryptionSharePrecomputed<E> {
     }
 }
 
+pub fn generate_random_scalars<R: RngCore, E: Pairing>(
+    n: usize,
+    rng: &mut R,
+) -> Vec<E::ScalarField> {
+    (0..n)
+        .map(|_| E::ScalarField::rand(rng))
+        .collect::<Vec<_>>()
+}
+
 // TODO: Remove this code? Currently only used in benchmarks. Move to benchmark suite?
 pub fn batch_verify_decryption_shares<R: RngCore, E: Pairing>(
     pub_contexts: &[PublicDecryptionContextFast<E>],
@@ -249,7 +259,7 @@ pub fn batch_verify_decryption_shares<R: RngCore, E: Pairing>(
 
     // For each ciphertext, generate num_shares random scalars
     let alpha_ij = (0..num_ciphertexts)
-        .map(|_| generate_random::<_, E>(num_shares, rng))
+        .map(|_| generate_random_scalars::<_, E>(num_shares, rng))
         .collect::<Vec<_>>();
 
     let mut pairings_a = Vec::with_capacity(num_shares + 1);

diff --git a/ferveo-tdec/src/key_share.rs b/ferveo-tdec/src/key_share.rs
@@ -1,11 +1,14 @@
 use std::ops::Mul;
 
 use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup};
-use ark_ff::One;
+use ark_ff::{One, Zero};
 use ark_std::UniformRand;
+use itertools::zip_eq;
 use rand_core::RngCore;
 use zeroize::ZeroizeOnDrop;
 
+use crate::lagrange_basis_at;
+
 #[derive(Debug, Clone)]
 pub struct PublicKeyShare<E: Pairing> {
     pub public_key_share: E::G1Affine, // A_{i, \omega_i}
@@ -18,15 +21,6 @@ pub struct BlindedKeyShare<E: Pairing> {
     pub blinding_key_prepared: E::G2Prepared,
 }
 
-pub fn generate_random<R: RngCore, E: Pairing>(
-    n: usize,
-    rng: &mut R,
-) -> Vec<E::ScalarField> {
-    (0..n)
-        .map(|_| E::ScalarField::rand(rng))
-        .collect::<Vec<_>>()
-}
-
 impl<E: Pairing> BlindedKeyShare<E> {
     pub fn verify_blinding<R: RngCore>(
         &self,
@@ -72,4 +66,39 @@ impl<E: Pairing> PrivateKeyShare<E> {
             blinded_key_share: self.private_key_share.mul(b).into_affine(),
         }
     }
+
+    /// From PSS paper, section 4.2.3, (https://link.springer.com/content/pdf/10.1007/3-540-44750-4_27.pdf)
+    pub fn update_share(
+        &self,
+        share_updates: &[PrivateKeyShareUpdate<E>],
+    ) -> PrivateKeyShare<E> {
+        let updated_key_share = share_updates
+            .iter()
+            .fold(self.private_key_share.into_group(), |acc, delta| {
+                acc + delta.0
+            })
+            .into_affine();
+        PrivateKeyShare {
+            private_key_share: updated_key_share,
+        }
+    }
+
+    /// From the PSS paper, section 4.2.4, (https://link.springer.com/content/pdf/10.1007/3-540-44750-4_27.pdf)
+    pub fn recover_share_from_updated_private_shares(
+        x_r: &E::ScalarField,
+        domain_points: &[E::ScalarField],
+        updated_private_shares: &[PrivateKeyShare<E>],
+    ) -> PrivateKeyShare<E> {
+        // Interpolate new shares to recover y_r
+        let lagrange = lagrange_basis_at::<E>(domain_points, x_r);
+        let prods = zip_eq(updated_private_shares, lagrange)
+            .map(|(y_j, l)| y_j.private_key_share.mul(l));
+        let y_r = prods.fold(E::G2::zero(), |acc, y_j| acc + y_j);
+        PrivateKeyShare {
+            private_key_share: y_r.into_affine(),
+        }
+    }
 }
+
+#[derive(Debug, Clone, PartialEq, Eq, ZeroizeOnDrop)]
+pub struct PrivateKeyShareUpdate<E: Pairing>(pub E::G2Affine);
diff --git a/ferveo-tdec/src/lib.rs b/ferveo-tdec/src/lib.rs
@@ -77,8 +77,8 @@ pub mod test_common {
         shares_num: usize,
         rng: &mut impl RngCore,
     ) -> (
-        E::G1Affine,
-        E::G2Affine,
+        PublicKeyShare<E>,
+        PrivateKeyShare<E>,
         Vec<PrivateDecryptionContextFast<E>>,
     ) {
         assert!(shares_num >= threshold);
@@ -138,7 +138,7 @@ pub mod test_common {
         )
         .enumerate()
         {
-            let private_key_share = PrivateKeyShare::<E> {
+            let private_key_share = PrivateKeyShare {
                 private_key_share: *private,
             };
             let b = E::ScalarField::rand(rng);
@@ -171,16 +171,24 @@ pub mod test_common {
             private.public_decryption_contexts = public_contexts.clone();
         }
 
-        (pubkey.into(), privkey.into(), private_contexts)
+        (
+            PublicKeyShare {
+                public_key_share: pubkey.into(),
+            },
+            PrivateKeyShare {
+                private_key_share: privkey.into(),
+            },
+            private_contexts,
+        )
     }
 
     pub fn setup_simple<E: Pairing>(
         threshold: usize,
         shares_num: usize,
         rng: &mut impl rand::Rng,
     ) -> (
-        E::G1Affine,
-        E::G2Affine,
+        PublicKeyShare<E>,
+        PrivateKeyShare<E>,
         Vec<PrivateDecryptionContextSimple<E>>,
     ) {
         assert!(shares_num >= threshold);
@@ -259,15 +267,23 @@ pub mod test_common {
             private.public_decryption_contexts = public_contexts.clone();
         }
 
-        (pubkey.into(), privkey.into(), private_contexts)
+        (
+            PublicKeyShare {
+                public_key_share: pubkey.into(),
+            },
+            PrivateKeyShare {
+                private_key_share: privkey.into(),
+            },
+            private_contexts,
+        )
     }
 
     pub fn setup_precomputed<E: Pairing>(
         shares_num: usize,
         rng: &mut impl rand::Rng,
     ) -> (
-        E::G1Affine,
-        E::G2Affine,
+        PublicKeyShare<E>,
+        PrivateKeyShare<E>,
         Vec<PrivateDecryptionContextSimple<E>>,
     ) {
         // In precomputed variant, the security threshold is equal to the number of shares

diff --git a/ferveo/src/api.rs b/ferveo/src/api.rs
@@ -9,6 +9,7 @@ pub use ferveo_tdec::api::{
     prepare_combine_simple, share_combine_precomputed, share_combine_simple,
     Fr, G1Affine, G1Prepared, G2Affine, SecretBox, E,
 };
+use ferveo_tdec::PublicKeyShare;
 use generic_array::{
     typenum::{Unsigned, U48},
     GenericArray,
@@ -58,8 +59,15 @@ pub fn encrypt(
     pubkey: &DkgPublicKey,
 ) -> Result<Ciphertext> {
     let mut rng = rand::thread_rng();
-    let ciphertext =
-        ferveo_tdec::api::encrypt(message, aad, &pubkey.0, &mut rng)?;
+    let ciphertext = ferveo_tdec::api::encrypt(
+        message,
+        aad,
+        // &pubkey.0,
+        &PublicKeyShare {
+            public_key_share: pubkey.0,
+        },
+        &mut rng,
+    )?;
     Ok(Ciphertext(ciphertext))
 }
 
@@ -91,7 +99,7 @@ impl Ciphertext {
     }
 }
 
-#[serde_as]
+#[serde_as] // TODO: Redundant serde_as?
 #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
 pub struct CiphertextHeader(ferveo_tdec::api::CiphertextHeader);
 
@@ -218,7 +226,7 @@ impl Dkg {
     }
 
     pub fn public_key(&self) -> DkgPublicKey {
-        DkgPublicKey(self.0.public_key())
+        DkgPublicKey(self.0.public_key().public_key_share)
     }
 
     pub fn generate_transcript<R: RngCore>(