[draft] Handover Protocol (or The PR Formerly Known as Spongebob)

ferveo-tdec/benches/tpke.rs

@@ -20,7 +20,7 @@ struct SetupShared {
     shares_num: usize,
     msg: Vec<u8>,
     aad: Vec<u8>,
-    pubkey: PublicKey<E>,
+    pubkey: DkgPublicKey<E>,
     privkey: PrivateKeyShare<E>,
     ciphertext: Ciphertext<E>,
     shared_secret: SharedSecret<E>,

ferveo-tdec/src/ciphertext.rs

@@ -14,7 +14,7 @@ use sha2::{digest::Digest, Sha256};
 use zeroize::ZeroizeOnDrop;
 
 use crate::{
-    htp_bls12381_g2, Error, PrivateKeyShare, PublicKey, Result, SecretBox,
+    htp_bls12381_g2, DkgPublicKey, Error, PrivateKeyShare, Result, SecretBox,
     SharedSecret,
 };
 
@@ -98,7 +98,7 @@ impl<E: Pairing> CiphertextHeader<E> {
 pub fn encrypt<E: Pairing>(
     message: SecretBox<Vec<u8>>,
     aad: &[u8],
-    pubkey: &PublicKey<E>,
+    pubkey: &DkgPublicKey<E>,
     rng: &mut impl rand::Rng,
 ) -> Result<Ciphertext<E>> {
     // r

ferveo-tdec/src/context.rs

@@ -2,14 +2,14 @@ use ark_ec::pairing::Pairing;
 
 use crate::{
     prepare_combine_simple, BlindedKeyShare, CiphertextHeader,
-    DecryptionSharePrecomputed, DecryptionShareSimple, PrivateKeyShare,
-    PublicKey, Result,
+    DecryptionSharePrecomputed, DecryptionShareSimple, PrivateKeyShare, Result,
+    ShareCommitment,
 };
 
 #[derive(Clone, Debug)]
 pub struct PublicDecryptionContextFast<E: Pairing> {
     pub domain: E::ScalarField,
-    pub public_key: PublicKey<E>,
+    pub public_key: ShareCommitment<E>, // FIXME
     pub blinded_key_share: BlindedKeyShare<E>,
     // This decrypter's contribution to N(0), namely (-1)^|domain| * \prod_i omega_i
     pub lagrange_n_0: E::ScalarField,
@@ -19,12 +19,13 @@ pub struct PublicDecryptionContextFast<E: Pairing> {
 #[derive(Clone, Debug)]
 pub struct PublicDecryptionContextSimple<E: Pairing> {
     pub domain: E::ScalarField,
-    pub public_key: PublicKey<E>,
+    pub share_commitment: ShareCommitment<E>,
     pub blinded_key_share: BlindedKeyShare<E>,
     pub h: E::G2Affine,
-    pub validator_public_key: E::G2,
+    pub validator_public_key: ferveo_common::PublicKey<E>,
 }
 
+// TODO: Mark for removal
 #[derive(Clone, Debug)]
 pub struct SetupParams<E: Pairing> {
     pub b: E::ScalarField, // Validator private key

ferveo-tdec/src/decryption.rs

@@ -50,7 +50,7 @@ impl<E: Pairing> ValidatorShareChecksum<E> {
             return false;
         }
 
-        // TODO: use multipairing here (h_inv)
+        // TODO: use multipairing here (h_inv) - Issue #192
         // e(C_i, ek_i) == e(U, H)
         if E::pairing(self.checksum, *validator_public_key)
             != E::pairing(ciphertext.commitment, *h)
@@ -234,7 +234,7 @@ pub fn verify_decryption_shares_simple<E: Pairing>(
     {
         let is_valid = decryption_share.verify(
             y_i,
-            &pub_context.validator_public_key.into_affine(),
+            &pub_context.validator_public_key.encryption_key,
             &pub_context.h.into(),
             ciphertext,
         );

ferveo-tdec/src/key_share.rs

@@ -1,53 +1,72 @@
 use std::ops::Mul;
 
-use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup};
-use ark_ff::One;
-use ark_std::UniformRand;
-use ferveo_common::serialization;
-use rand_core::RngCore;
+use ark_ec::{pairing::Pairing, CurveGroup};
+use ark_ff::Field;
+use ferveo_common::{serialization, Keypair};
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
 #[serde_as]
 #[derive(Debug, Copy, Clone, Serialize, Deserialize, PartialEq, Eq)]
-pub struct PublicKey<E: Pairing>(
+pub struct DkgPublicKey<E: Pairing>(
+    #[serde_as(as = "serialization::SerdeAs")] pub E::G1Affine,
+);
+
+#[serde_as]
+#[derive(Debug, Copy, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct ShareCommitment<E: Pairing>(
     #[serde_as(as = "serialization::SerdeAs")] pub E::G1Affine, // A_{i, \omega_i}
 );
 
-#[derive(Debug, Clone)]
+// TODO: Improve by adding share commitment here
+// TODO: Is this a test utility perhaps?
+#[derive(Debug, Copy, Clone)]
 pub struct BlindedKeyShare<E: Pairing> {
-    pub blinding_key: E::G2Affine,      // [b] H
-    pub blinded_key_share: E::G2Affine, // [b] Z_{i, \omega_i}
+    pub validator_public_key: E::G2Affine, // [b] H
+    pub blinded_key_share: E::G2Affine,    // [b] Z_{i, \omega_i}
 }
 
 impl<E: Pairing> BlindedKeyShare<E> {
-    pub fn verify_blinding<R: RngCore>(
-        &self,
-        public_key: &PublicKey<E>,
-        rng: &mut R,
-    ) -> bool {
-        let g = E::G1Affine::generator();
-        let alpha = E::ScalarField::rand(rng);
+    // TODO: Salvage and cleanup
+    // pub fn verify_blinding<R: RngCore>(
+    //     &self,
+    //     public_key: &PublicKey<E>,
+    //     rng: &mut R,
+    // ) -> bool {
+    //     let g = E::G1Affine::generator();
+    //     let alpha = E::ScalarField::rand(rng);
 
-        let alpha_a =
-            E::G1Prepared::from(g + public_key.0.mul(alpha).into_affine());
+    //     let alpha_a =
+    //         E::G1Prepared::from(g + public_key.0.mul(alpha).into_affine());
 
-        // \sum_i(Y_i)
-        let alpha_z = E::G2Prepared::from(
-            self.blinding_key + self.blinded_key_share.mul(alpha).into_affine(),
-        );
+    //     // \sum_i(Y_i)
+    //     let alpha_z = E::G2Prepared::from(
+    //         self.blinding_key + self.blinded_key_share.mul(alpha).into_affine(),
+    //     );
 
-        // e(g, Yi) == e(Ai, [b] H)
-        let g_inv = E::G1Prepared::from(-g.into_group());
-        E::multi_pairing([g_inv, alpha_a], [alpha_z, self.blinding_key.into()])
-            .0
-            == E::TargetField::one()
-    }
+    //     // e(g, Yi) == e(Ai, [b] H)
+    //     let g_inv = E::G1Prepared::from(-g.into_group());
+    //     E::multi_pairing([g_inv, alpha_a], [alpha_z, self.blinding_key.into()])
+    //         .0
+    //         == E::TargetField::one()
+    // }
 
-    pub fn multiply_by_omega_inv(&mut self, omega_inv: &E::ScalarField) {
-        self.blinded_key_share =
-            self.blinded_key_share.mul(-*omega_inv).into_affine();
+    // pub fn multiply_by_omega_inv(&mut self, omega_inv: &E::ScalarField) {
+    //     self.blinded_key_share =
+    //         self.blinded_key_share.mul(-*omega_inv).into_affine();
+    // }
+    pub fn unblind(
+        &self,
+        validator_keypair: &Keypair<E>,
+    ) -> PrivateKeyShare<E> {
+        let unblinding_factor = validator_keypair
+            .decryption_key
+            .inverse()
+            .expect("Validator decryption key must have an inverse");
+        PrivateKeyShare::<E>(
+            self.blinded_key_share.mul(unblinding_factor).into_affine(),
+        )
     }
 }
 
@@ -58,13 +77,3 @@ impl<E: Pairing> BlindedKeyShare<E> {
 pub struct PrivateKeyShare<E: Pairing>(
     #[serde_as(as = "serialization::SerdeAs")] pub E::G2Affine,
 );
-
-impl<E: Pairing> PrivateKeyShare<E> {
-    pub fn blind(&self, b: E::ScalarField) -> BlindedKeyShare<E> {
-        let blinding_key = E::G2Affine::generator().mul(b).into_affine();
-        BlindedKeyShare::<E> {
-            blinding_key,
-            blinded_key_share: self.0.mul(b).into_affine(),
-        }
-    }
-}

ferveo-tdec/src/lib.rs

@@ -1,5 +1,6 @@
 #![warn(rust_2018_idioms)]
 
+// TODO: Use explicit imports - #194
 pub mod ciphertext;
 pub mod combine;
 pub mod context;
@@ -59,7 +60,7 @@ pub mod test_common {
     use std::{ops::Mul, usize};
 
     pub use ark_bls12_381::Bls12_381 as EllipticCurve;
-    use ark_ec::{pairing::Pairing, AffineRepr};
+    use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup};
     pub use ark_ff::UniformRand;
     use ark_ff::{Field, Zero};
     use ark_poly::{
@@ -76,7 +77,7 @@ pub mod test_common {
         threshold: usize,
         rng: &mut impl rand::Rng,
     ) -> (
-        PublicKey<E>,
+        DkgPublicKey<E>,
         PrivateKeyShare<E>,
         Vec<PrivateDecryptionContextSimple<E>>,
     ) {
@@ -86,50 +87,74 @@ pub mod test_common {
         // The dealer chooses a uniformly random polynomial f of degree t-1
         let threshold_poly =
             DensePolynomial::<E::ScalarField>::rand(threshold - 1, rng);
+
         // Domain, or omega Ω
         let fft_domain =
             ark_poly::GeneralEvaluationDomain::<E::ScalarField>::new(
                 shares_num,
             )
             .unwrap();
+
+        // domain points: - ω_j in Ω
+        let domain_points = fft_domain.elements().collect::<Vec<_>>();
+
         // `evals` are evaluations of the polynomial f over the domain, omega: f(ω_j) for ω_j in Ω
         let evals = threshold_poly.evaluate_over_domain_by_ref(fft_domain);
 
-        let shares_x = fft_domain.elements().collect::<Vec<_>>();
+        // A_j, share commitments of participants:  [f(ω_j)] G
+        let share_commitments = fast_multiexp(&evals.evals, g.into_group());
 
-        // A - public key shares of participants
-        let pubkey_shares = fast_multiexp(&evals.evals, g.into_group());
-        let pubkey_share = g.mul(evals.evals[0]);
-        debug_assert!(pubkey_shares[0] == E::G1Affine::from(pubkey_share));
+        // FIXME: These 2 lines don't make sense
+        //let pubkey_share = g.mul(evals.evals[0]);
+        //debug_assert!(share_commitments[0] == E::G1Affine::from(pubkey_share));
 
-        // Y, but only when b = 1 - private key shares of participants
+        // Z_j, private key shares of participants (unblinded): [f(ω_j)] H
+        // NOTE: In production, these are never produced this way, as the DKG
+        // directly generates blinded shares Y_j. Only then, node j can use their
+        // validator key to unblind Y_j and obtain the private key share Z_j.
         let privkey_shares = fast_multiexp(&evals.evals, h.into_group());
 
-        // a_0
-        let x = threshold_poly.coeffs[0];
-        // F_0
-        let pubkey = g.mul(x);
-        let privkey = h.mul(x);
+        // The shared secret is the free coefficient from threshold poly
+        let a_0 = threshold_poly.coeffs[0];
+
+        // F_0, group's public key
+        let group_pubkey = g.mul(a_0);
 
+        // group's private key (NOTE: just for tests, this is NEVER constructed in production)
+        let group_privkey = h.mul(a_0);
+
+        // As in SSS, shared secret should be f(0), which is also the free coefficient
         let secret = threshold_poly.evaluate(&E::ScalarField::zero());
-        debug_assert!(secret == x);
+        debug_assert!(secret == a_0);
 
         let mut private_contexts = vec![];
         let mut public_contexts = vec![];
 
-        // (domain, A, Y)
-        for (index, (domain, public, private)) in
-            izip!(shares_x.iter(), pubkey_shares.iter(), privkey_shares.iter())
-                .enumerate()
+        // (domain_point, A, Z)
+        for (index, (domain_point, share_commit, private_share)) in izip!(
+            domain_points.iter(),
+            share_commitments.iter(),
+            privkey_shares.iter()
+        )
+        .enumerate()
         {
-            let private_key_share = PrivateKeyShare::<E>(*private);
-            let b = E::ScalarField::rand(rng);
-            let blinded_key_share = private_key_share.blind(b);
+            let private_key_share = PrivateKeyShare::<E>(*private_share);
+            let blinding_factor = E::ScalarField::rand(rng);
+
+            let validator_public_key = h.mul(blinding_factor).into_affine();
+            let blinded_key_share = BlindedKeyShare::<E> {
+                validator_public_key,
+                blinded_key_share: private_key_share
+                    .0
+                    .mul(blinding_factor)
+                    .into_affine(),
+            };
+
             private_contexts.push(PrivateDecryptionContextSimple::<E> {
                 index,
                 setup_params: SetupParams {
-                    b,
-                    b_inv: b.inverse().unwrap(),
+                    b: blinding_factor,
+                    b_inv: blinding_factor.inverse().unwrap(),
                     g,
                     h_inv: E::G2Prepared::from(-h.into_group()),
                     g_inv: E::G1Prepared::from(-g.into_group()),
@@ -139,20 +164,22 @@ pub mod test_common {
                 public_decryption_contexts: vec![],
             });
             public_contexts.push(PublicDecryptionContextSimple::<E> {
-                domain: *domain,
-                public_key: PublicKey::<E>(*public),
+                domain: *domain_point,
+                share_commitment: ShareCommitment::<E>(*share_commit), // FIXME
                 blinded_key_share,
                 h,
-                validator_public_key: h.mul(b),
+                validator_public_key: ferveo_common::PublicKey {
+                    encryption_key: blinded_key_share.validator_public_key,
+                },
             });
         }
-        for private in private_contexts.iter_mut() {
-            private.public_decryption_contexts = public_contexts.clone();
+        for private_ctxt in private_contexts.iter_mut() {
+            private_ctxt.public_decryption_contexts = public_contexts.clone();
         }
 
         (
-            PublicKey(pubkey.into()),
-            PrivateKeyShare(privkey.into()),
+            DkgPublicKey(group_pubkey.into()),
+            PrivateKeyShare(group_privkey.into()), // TODO: Not the correct type, but whatever
             private_contexts,
         )
     }
@@ -162,7 +189,7 @@ pub mod test_common {
         threshold: usize,
         rng: &mut impl rand::Rng,
     ) -> (
-        PublicKey<E>,
+        DkgPublicKey<E>,
         PrivateKeyShare<E>,
         Vec<PrivateDecryptionContextSimple<E>>,
     ) {
@@ -411,6 +438,7 @@ mod tests {
 
         // There is no share aggregation in current version of tpke (it's mocked).
         // ShareEncryptions are called BlindedKeyShares.
+        // TOOD: ^Fix this comment later
 
         let pub_contexts = &contexts[0].public_decryption_contexts;
         assert!(verify_decryption_shares_simple(
@@ -430,7 +458,7 @@ mod tests {
 
         assert!(!has_bad_checksum.verify(
             &pub_contexts[0].blinded_key_share.blinded_key_share,
-            &pub_contexts[0].validator_public_key.into_affine(),
+            &pub_contexts[0].validator_public_key.encryption_key,
             &pub_contexts[0].h.into_group(),
             &ciphertext,
         ));
@@ -441,7 +469,7 @@ mod tests {
 
         assert!(!has_bad_share.verify(
             &pub_contexts[0].blinded_key_share.blinded_key_share,
-            &pub_contexts[0].validator_public_key.into_affine(),
+            &pub_contexts[0].validator_public_key.encryption_key,
             &pub_contexts[0].h.into_group(),
             &ciphertext,
         ));