diff --git a/Cargo.toml b/Cargo.toml index 52c4f2b9..c898e454 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,7 +13,7 @@ init_with = "1.1.0" itertools = "0.7" log = "0.4.1" merkle = { git = "https://github.com/afck/merkle.rs", branch = "public-proof" } -pairing = "0.14.2" +pairing = { version = "0.14.2", features = ["u128-support"] } protobuf = { version = "2.0.0", optional = true } rand = "0.4.2" reed-solomon-erasure = "3.1.0" diff --git a/src/crypto/keygen.rs b/src/crypto/keygen.rs new file mode 100644 index 00000000..63d7c0ec --- /dev/null +++ b/src/crypto/keygen.rs 
@@ -0,0 +1,613 @@ +//! Utilities for distributed key generation. +//! +//! A `BivarPoly` can be used for Verifiable Secret Sharing (VSS) and for key generation by a +//! trusted dealer. In a perfectly synchronous setting, e.g. on a blockchain or other agreed +//! transaction log, it works like this: +//! +//! The dealer generates a `BivarPoly` of degree `t` and publishes the `BivariateCommitment`, +//! with which the polynomial's values can be publicly verified. They then send _row_ `m > 0` to +//! node number `m`. Node `m`, in turn, sends _value_ `s` to node number `s`. Then if `2 * t + 1` +//! nodes confirm that they received a valid row, and there are at most `t` faulty nodes, then at +//! least `t + 1` honest nodes sent on an entry of every other node's column to that node. So we +//! know that every node can now reconstruct its column and the value at `0` of its column. These +//! values all lie on a univariate polynomial of degree `t`, so they can be used as secret keys. +//! +//! For Distributed Key Generation (DKG), every node proposes a polynomial via VSS. After a fixed +//! number (at least `N - 2 * t` if there are `N` nodes and up to `t` faulty ones) of them have +//! successfully been distributed, every node adds up the resulting secrets. Since the sum of +//! polynomials of degree `t` is itself a polynomial of degree `t`, these sums are still valid +//! secret keys, but now nobody knows the master key (number `0`). +// TODO: Expand this explanation and add examples, once the API is complete and stable. + +use std::borrow::Borrow; +use std::{cmp, iter, ops}; + +use pairing::{CurveAffine, CurveProjective, Engine, Field, PrimeField}; +use rand::Rng; + +/// A univariate polynomial in the prime field. +#[derive(Clone, Debug)] +pub struct Poly { + /// The coefficients of a polynomial. 
+ coeff: Vec, +} + +impl PartialEq for Poly { + fn eq(&self, other: &Self) -> bool { + self.coeff == other.coeff + } +} + +impl>, E: Engine> ops::AddAssign for Poly { + fn add_assign(&mut self, rhs: B) { + let len = cmp::max(self.coeff.len(), rhs.borrow().coeff.len()); + self.coeff.resize(len, E::Fr::zero()); + for (self_c, rhs_c) in self.coeff.iter_mut().zip(&rhs.borrow().coeff) { + self_c.add_assign(rhs_c); + } + self.remove_zeros(); + } +} + +impl<'a, B: Borrow>, E: Engine> ops::Add for &'a Poly { + type Output = Poly; + + fn add(self, rhs: B) -> Poly { + (*self).clone() + rhs + } +} + +impl>, E: Engine> ops::Add for Poly { + type Output = Poly; + + fn add(mut self, rhs: B) -> Poly { + self += rhs; + self + } +} + +impl>, E: Engine> ops::SubAssign for Poly { + fn sub_assign(&mut self, rhs: B) { + let len = cmp::max(self.coeff.len(), rhs.borrow().coeff.len()); + self.coeff.resize(len, E::Fr::zero()); + for (self_c, rhs_c) in self.coeff.iter_mut().zip(&rhs.borrow().coeff) { + self_c.sub_assign(rhs_c); + } + self.remove_zeros(); + } +} + +impl<'a, B: Borrow>, E: Engine> ops::Sub for &'a Poly { + type Output = Poly; + + fn sub(self, rhs: B) -> Poly { + (*self).clone() - rhs + } +} + +impl>, E: Engine> ops::Sub for Poly { + type Output = Poly; + + fn sub(mut self, rhs: B) -> Poly { + self -= rhs; + self + } +} + +// Clippy thinks using any `+` and `-` in a `Mul` implementation is suspicious. 
+#[cfg_attr(feature = "cargo-clippy", allow(suspicious_arithmetic_impl))] +impl<'a, B: Borrow>, E: Engine> ops::Mul for &'a Poly { + type Output = Poly; + + fn mul(self, rhs: B) -> Self::Output { + let coeff = (0..(self.coeff.len() + rhs.borrow().coeff.len() - 1)) + .map(|i| { + let mut c = E::Fr::zero(); + for j in i.saturating_sub(rhs.borrow().degree())..(1 + cmp::min(i, self.degree())) { + let mut s = self.coeff[j]; + s.mul_assign(&rhs.borrow().coeff[i - j]); + c.add_assign(&s); + } + c + }) + .collect(); + Poly { coeff } + } +} + +impl>, E: Engine> ops::Mul for Poly { + type Output = Poly; + + fn mul(self, rhs: B) -> Self::Output { + &self * rhs + } +} + +impl, E: Engine> ops::MulAssign for Poly { + fn mul_assign(&mut self, rhs: B) { + *self = &*self * rhs; + } +} + +impl Poly { + /// Creates a random polynomial. + pub fn random(degree: usize, rng: &mut R) -> Self { + Poly { + coeff: (0..(degree + 1)).map(|_| rng.gen()).collect(), + } + } + + /// Returns the polynomial with constant value `0`. + pub fn zero() -> Self { + Poly { coeff: Vec::new() } + } + + /// Returns the polynomial with constant value `1`. + pub fn one() -> Self { + Self::monomial(0) + } + + /// Returns the polynomial with constant value `c`. + pub fn constant(c: E::Fr) -> Self { + Poly { coeff: vec![c] } + } + + /// Returns the identity function, i.e. the polynomial "`x`". + pub fn identity() -> Self { + Self::monomial(1) + } + + /// Returns the (monic) monomial "`x.pow(degree)`". + pub fn monomial(degree: usize) -> Self { + Poly { + coeff: iter::repeat(E::Fr::zero()) + .take(degree) + .chain(iter::once(E::Fr::one())) + .collect(), + } + } + + /// Returns the unique polynomial `f` of degree `samples.len() - 1` with the given values + /// `(x, f(x))`. 
+ pub fn interpolate<'a, T, I>(samples_repr: I) -> Self + where + I: IntoIterator, + T: Into<::Repr> + Clone + 'a, + { + let convert = |(x_repr, y): (&T, &E::Fr)| { + let x = E::Fr::from_repr(x_repr.clone().into()).expect("invalid index"); + (x, *y) + }; + let samples: Vec<(E::Fr, E::Fr)> = samples_repr.into_iter().map(convert).collect(); + Self::compute_interpolation(&samples) + } + + /// Returns the degree. + pub fn degree(&self) -> usize { + self.coeff.len() - 1 + } + + /// Returns the value at the point `i`. + pub fn evaluate::Repr>>(&self, i: T) -> E::Fr { + let mut result = match self.coeff.last() { + None => return E::Fr::zero(), + Some(c) => *c, + }; + let x = E::Fr::from_repr(i.into()).expect("invalid index"); + for c in self.coeff.iter().rev().skip(1) { + result.mul_assign(&x); + result.add_assign(c); + } + result + } + + /// Returns the corresponding commitment. + pub fn commitment(&self) -> Commitment { + let to_g1 = |c: &E::Fr| E::G1Affine::one().mul(*c); + Commitment { + coeff: self.coeff.iter().map(to_g1).collect(), + } + } + + /// Removes all trailing zero coefficients. + fn remove_zeros(&mut self) { + let zeros = self.coeff.iter().rev().take_while(|c| c.is_zero()).count(); + let len = self.coeff.len() - zeros; + self.coeff.truncate(len) + } + + /// Returns the unique polynomial `f` of degree `samples.len() - 1` with the given values + /// `(x, f(x))`. + fn compute_interpolation(samples: &[(E::Fr, E::Fr)]) -> Self { + if samples.is_empty() { + return Poly::zero(); + } else if samples.len() == 1 { + return Poly::constant(samples[0].1); + } + // The degree is at least 1 now. + let degree = samples.len() - 1; + // Interpolate all but the last sample. + let prev = Self::compute_interpolation(&samples[..degree]); + let (x, mut y) = samples[degree]; // The last sample. 
+ y.sub_assign(&prev.evaluate(x)); + let step = Self::lagrange(x, &samples[..degree]); + prev + step * Self::constant(y) + } + + /// Returns the Lagrange base polynomial that is `1` in `p` and `0` in every `samples[i].0`. + fn lagrange(p: E::Fr, samples: &[(E::Fr, E::Fr)]) -> Self { + let mut result = Self::one(); + for &(sx, _) in samples { + let mut denom = p; + denom.sub_assign(&sx); + denom = denom.inverse().expect("sample points must be distinct"); + result *= (Self::identity() - Self::constant(sx)) * Self::constant(denom); + } + result + } +} + +/// A commitment to a univariate polynomial. +#[derive(Debug, Clone)] +#[cfg_attr(feature = "serialization-serde", derive(Serialize, Deserialize))] +pub struct Commitment { + /// The coefficients of the polynomial. + #[cfg_attr(feature = "serialization-serde", serde(with = "super::serde_impl::projective_vec"))] + coeff: Vec, +} + +impl PartialEq for Commitment { + fn eq(&self, other: &Self) -> bool { + self.coeff == other.coeff + } +} + +impl>, E: Engine> ops::AddAssign for Commitment { + fn add_assign(&mut self, rhs: B) { + let len = cmp::max(self.coeff.len(), rhs.borrow().coeff.len()); + self.coeff.resize(len, E::G1::zero()); + for (self_c, rhs_c) in self.coeff.iter_mut().zip(&rhs.borrow().coeff) { + self_c.add_assign(rhs_c); + } + self.remove_zeros(); + } +} + +impl<'a, B: Borrow>, E: Engine> ops::Add for &'a Commitment { + type Output = Commitment; + + fn add(self, rhs: B) -> Commitment { + (*self).clone() + rhs + } +} + +impl>, E: Engine> ops::Add for Commitment { + type Output = Commitment; + + fn add(mut self, rhs: B) -> Commitment { + self += rhs; + self + } +} + +impl Commitment { + /// Returns the polynomial's degree. + pub fn degree(&self) -> usize { + self.coeff.len() - 1 + } + + /// Returns the `i`-th public key share. 
+ pub fn evaluate::Repr>>(&self, i: T) -> E::G1 { + let mut result = match self.coeff.last() { + None => return E::G1::zero(), + Some(c) => *c, + }; + let x = E::Fr::from_repr(i.into()).expect("invalid index"); + for c in self.coeff.iter().rev().skip(1) { + result.mul_assign(x); + result.add_assign(c); + } + result + } + + /// Removes all trailing zero coefficients. + fn remove_zeros(&mut self) { + let zeros = self.coeff.iter().rev().take_while(|c| c.is_zero()).count(); + let len = self.coeff.len() - zeros; + self.coeff.truncate(len) + } +} + +/// A symmetric bivariate polynomial in the prime field. +/// +/// This can be used for Verifiable Secret Sharing and Distributed Key Generation. See the module +/// documentation for details. +#[derive(Debug, Clone)] +pub struct BivarPoly { + /// The polynomial's degree in each of the two variables. + degree: usize, + /// The coefficients of the polynomial. Coefficient `(i, j)` for `i <= j` is in position + /// `j * (j + 1) / 2 + i`. + coeff: Vec, +} + +impl BivarPoly { + /// Creates a random polynomial. + pub fn random(degree: usize, rng: &mut R) -> Self { + BivarPoly { + degree, + coeff: (0..coeff_pos(degree + 1, 0)).map(|_| rng.gen()).collect(), + } + } + + /// Returns the polynomial's degree: It is the same in both variables. + pub fn degree(&self) -> usize { + self.degree + } + + /// Returns the polynomial's value at the point `(x, y)`. + pub fn evaluate::Repr>>(&self, x: T, y: T) -> E::Fr { + let x_pow = self.powers(x); + let y_pow = self.powers(y); + // TODO: Can we save a few multiplication steps here due to the symmetry? + let mut result = E::Fr::zero(); + for (i, x_pow_i) in x_pow.into_iter().enumerate() { + for (j, y_pow_j) in y_pow.iter().enumerate() { + let mut summand = self.coeff[coeff_pos(i, j)]; + summand.mul_assign(&x_pow_i); + summand.mul_assign(y_pow_j); + result.add_assign(&summand); + } + } + result + } + + /// Returns the `x`-th row, as a univariate polynomial. 
+ pub fn row::Repr>>(&self, x: T) -> Poly { + let x_pow = self.powers(x); + let coeff: Vec = (0..=self.degree) + .map(|i| { + let mut result = E::Fr::zero(); + for (j, x_pow_j) in x_pow.iter().enumerate() { + let mut summand = self.coeff[coeff_pos(i, j)]; + summand.mul_assign(x_pow_j); + result.add_assign(&summand); + } + result + }) + .collect(); + Poly { coeff } + } + + /// Returns the corresponding commitment. That information can be shared publicly. + pub fn commitment(&self) -> BivarCommitment { + let to_pub = |c: &E::Fr| E::G1Affine::one().mul(*c); + BivarCommitment { + degree: self.degree, + coeff: self.coeff.iter().map(to_pub).collect(), + } + } + + /// Returns the `0`-th to `degree`-th power of `x`. + fn powers::Repr>>(&self, x_repr: T) -> Vec { + powers(x_repr, self.degree) + } +} + +/// A commitment to a bivariate polynomial. +#[derive(Debug, Clone)] +#[cfg_attr(feature = "serialization-serde", derive(Serialize, Deserialize))] +pub struct BivarCommitment { + /// The polynomial's degree in each of the two variables. + degree: usize, + /// The commitments to the coefficients. + #[cfg_attr(feature = "serialization-serde", serde(with = "super::serde_impl::projective_vec"))] + coeff: Vec, +} + +impl BivarCommitment { + /// Returns the polynomial's degree: It is the same in both variables. + pub fn degree(&self) -> usize { + self.degree + } + + /// Returns the commitment's value at the point `(x, y)`. + pub fn evaluate::Repr>>(&self, x: T, y: T) -> E::G1 { + let x_pow = self.powers(x); + let y_pow = self.powers(y); + // TODO: Can we save a few multiplication steps here due to the symmetry? + let mut result = E::G1::zero(); + for (i, x_pow_i) in x_pow.into_iter().enumerate() { + for (j, y_pow_j) in y_pow.iter().enumerate() { + let mut summand = self.coeff[coeff_pos(i, j)]; + summand.mul_assign(x_pow_i); + summand.mul_assign(*y_pow_j); + result.add_assign(&summand); + } + } + result + } + + /// Returns the `x`-th row, as a commitment to a univariate polynomial. 
+ pub fn row::Repr>>(&self, x: T) -> Commitment { + let x_pow = self.powers(x); + let coeff: Vec = (0..=self.degree) + .map(|i| { + let mut result = E::G1::zero(); + for (j, x_pow_j) in x_pow.iter().enumerate() { + let mut summand = self.coeff[coeff_pos(i, j)]; + summand.mul_assign(*x_pow_j); + result.add_assign(&summand); + } + result + }) + .collect(); + Commitment { coeff } + } + + /// Returns the `0`-th to `degree`-th power of `x`. + fn powers::Repr>>(&self, x_repr: T) -> Vec { + powers(x_repr, self.degree) + } +} + +/// Returns the `0`-th to `degree`-th power of `x`. +fn powers>(x_repr: T, degree: usize) -> Vec

{ + let x = &P::from_repr(x_repr.into()).expect("invalid index"); + let mut x_pow_i = P::one(); + iter::once(x_pow_i) + .chain((0..degree).map(|_| { + x_pow_i.mul_assign(x); + x_pow_i + })) + .collect() +} + +/// Returns the position of coefficient `(i, j)` in the vector describing a symmetric bivariate +/// polynomial. +fn coeff_pos(i: usize, j: usize) -> usize { + // Since the polynomial is symmetric, we can order such that `j >= i`. + if j >= i { + j * (j + 1) / 2 + i + } else { + i * (i + 1) / 2 + j + } +} + +#[cfg(test)] +mod tests { + use std::collections::BTreeMap; + + use super::{coeff_pos, BivarPoly, Poly}; + + use pairing::bls12_381::Bls12; + use pairing::{CurveAffine, Engine, Field, PrimeField}; + use rand; + + type Fr = ::Fr; + + fn fr(x: i64) -> Fr { + let mut result = Fr::from_repr((x.abs() as u64).into()).unwrap(); + if x < 0 { + result.negate(); + } + result + } + + #[test] + fn test_coeff_pos() { + let mut i = 0; + let mut j = 0; + for n in 0..100 { + assert_eq!(n, coeff_pos(i, j)); + if i >= j { + j += 1; + i = 0; + } else { + i += 1; + } + } + } + + #[test] + fn poly() { + // The polynomial "`5 * x.pow(3) + x.pow(1) - 2`". + let poly: Poly = + Poly::monomial(3) * Poly::constant(fr(5)) + Poly::monomial(1) - Poly::constant(fr(2)); + let coeff = vec![fr(-2), fr(1), fr(0), fr(5)]; + assert_eq!(Poly { coeff }, poly); + let samples = vec![ + (fr(-1), fr(-8)), + (fr(2), fr(40)), + (fr(3), fr(136)), + (fr(5), fr(628)), + ]; + for &(x, y) in &samples { + assert_eq!(y, poly.evaluate(x)); + } + let sample_iter = samples.iter().map(|&(ref x, ref y)| (x, y)); + assert_eq!(Poly::interpolate(sample_iter), poly); + } + + #[test] + fn distributed_key_generation() { + let mut rng = rand::thread_rng(); + let dealer_num = 3; + let node_num = 5; + let faulty_num = 2; + + // For distributed key generation, a number of dealers, only one of who needs to be honest, + // generates random bivariate polynomials and publicly commits to them. 
In partice, the + // dealers can e.g. be any `faulty_num + 1` nodes. + let bi_polys: Vec> = (0..dealer_num) + .map(|_| BivarPoly::random(faulty_num, &mut rng)) + .collect(); + let pub_bi_commits: Vec<_> = bi_polys.iter().map(BivarPoly::commitment).collect(); + + let mut sec_keys = vec![fr(0); node_num]; + + // Each dealer sends row `m` to node `m`, where the index starts at `1`. Don't send row `0` + // to anyone! The nodes verify their rows, and send _value_ `s` on to node `s`. They again + // verify the values they received, and collect them. + for (bi_poly, bi_commit) in bi_polys.iter().zip(&pub_bi_commits) { + for m in 1..=node_num { + // Node `m` receives its row and verifies it. + let row_poly = bi_poly.row(m as u64); + let row_commit = bi_commit.row(m as u64); + assert_eq!(row_poly.commitment(), row_commit); + // Node `s` receives the `s`-th value and verifies it. + for s in 1..=node_num { + let val = row_poly.evaluate(s as u64); + let val_g1 = ::G1Affine::one().mul(val); + assert_eq!(bi_commit.evaluate(m as u64, s as u64), val_g1); + // The node can't verify this directly, but it should have the correct value: + assert_eq!(bi_poly.evaluate(m as u64, s as u64), val); + } + + // A cheating dealer who modified the polynomial would be detected. + let wrong_poly = row_poly.clone() + Poly::monomial(2) * Poly::constant(fr(5)); + assert_ne!(wrong_poly.commitment(), row_commit); + + // If `2 * faulty_num + 1` nodes confirm that they received a valid row, then at + // least `faulty_num + 1` honest ones did, and sent the correct values on to node + // `s`. So every node received at least `faulty_num + 1` correct entries of their + // column/row (remember that the bivariate polynomial is symmetric). They can + // reconstruct the full row and in particular value `0` (which no other node knows, + // only the dealer). E.g. let's say nodes `1`, `2` and `4` are honest. 
Then node + // `m` received three correct entries from that row: + let received: BTreeMap<_, _> = [1, 2, 4] + .iter() + .map(|&i| (i, bi_poly.evaluate(m as u64, i as u64))) + .collect(); + let my_row = Poly::interpolate(&received); + assert_eq!(bi_poly.evaluate(m as u64, 0), my_row.evaluate(0)); + assert_eq!(row_poly, my_row); + + // The node sums up all values number `0` it received from the different dealer. No + // dealer and no other node knows the sum in the end. + sec_keys[m - 1].add_assign(&my_row.evaluate(0)); + } + } + + // Each node now adds up all the first values of the rows it received from the different + // dealers (excluding the dealers where fewer than `2 * faulty_num + 1` nodes confirmed). + // The whole first column never gets added up in practice, because nobody has all the + // information. We do it anyway here; entry `0` is the secret key that is not known to + // anyone, neither a dealer, nor a node: + let mut sec_key_set = Poly::zero(); + for bi_poly in &bi_polys { + sec_key_set += bi_poly.row(0); + } + for m in 1..=node_num { + assert_eq!(sec_key_set.evaluate(m as u64), sec_keys[m - 1]); + } + + // The sum of the first rows of the public commitments is the commitment to the secret key + // set. + let mut sum_commit = Poly::zero().commitment(); + for bi_commit in &pub_bi_commits { + sum_commit += bi_commit.row(0); + } + assert_eq!(sum_commit, sec_key_set.commitment()); + } +} diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index 3050e791..7b1ed446 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -1,5 +1,9 @@ mod error; +pub mod keygen; +#[cfg(feature = "serialization-serde")] +mod serde_impl; +use self::keygen::{Commitment, Poly}; use byteorder::{BigEndian, ByteOrder}; use init_with::InitWith; use pairing::{CurveAffine, CurveProjective, Engine, Field, PrimeField}; 
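Review bot: `Poly::degree` and `Commitment::degree` return `self.coeff.len() - 1`, which underflows for the zero polynomial: `Poly::zero()` starts with an empty `coeff`, and `remove_zeros` (run by every `+=`/`-=`) empties it whenever a sum cancels, so `degree()` then panics in debug and wraps in release; the `Mul` impl for `&Poly` has the same edge (`Poly::zero() * p` reaches `self.degree()` inside the closure immediately), and `PublicKeySet::threshold` in mod.rs now inherits it through `commit.degree()`. I would use `self.coeff.len().saturating_sub(1)` in both `degree` fns (or return `Option<usize>`) and open `mul` with `if self.coeff.is_empty() || rhs.borrow().coeff.is_empty() { return Poly::zero(); }`. `BivarCommitment` derives `Deserialize` with `degree` and `coeff` as independent fields while `evaluate`/`row` index `self.coeff[coeff_pos(i, j)]` for `i, j` up to `self.degree`, so a commitment received from a peer whose `degree` exceeds what its `coeff` length supports panics on first use; the invariant `coeff.len() == coeff_pos(degree + 1, 0)` should be checked when the value is deserialized or before it is used. Separately, `Poly` and `BivarPoly` hold secret coefficients yet `#[derive(Debug)]`, so any `{:?}` in a log line prints key material; a hand-written `Debug` that redacts `coeff` avoids that.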
@@ -149,34 +153,30 @@ impl PartialEq for DecryptionShare { pub struct PublicKeySet { /// The coefficients of a polynomial whose value at `0` is the "master key", and value at /// `i + 1` is key share number `i`. - coeff: Vec>, + commit: Commitment, +} + +impl From> for PublicKeySet { + fn from(commit: Commitment) -> PublicKeySet { + PublicKeySet { commit } + } } impl PublicKeySet { /// Returns the threshold `t`: any set of `t + 1` signature shares can be combined into a full /// signature. pub fn threshold(&self) -> usize { - self.coeff.len() - 1 + self.commit.degree() } /// Returns the public key. - pub fn public_key(&self) -> &PublicKey { - &self.coeff[0] + pub fn public_key(&self) -> PublicKey { + PublicKey(self.commit.evaluate(0)) } /// Returns the `i`-th public key share. - pub fn public_key_share(&self, i: T) -> PublicKey - where - T: Into<::Repr>, - { - let mut x = E::Fr::one(); - x.add_assign(&E::Fr::from_repr(i.into()).expect("invalid index")); - let mut pk = self.coeff.last().expect("at least one coefficient").0; - for c in self.coeff.iter().rev().skip(1) { - pk.mul_assign(x); - pk.add_assign(&c.0); - } - PublicKey(pk) + pub fn public_key_share::Repr>>(&self, i: T) -> PublicKey { + PublicKey(self.commit.evaluate(from_repr_plus_1::(i.into()))) } /// Combines the shares into a signature that can be verified with the main public key. @@ -186,7 +186,7 @@ impl PublicKeySet { IND: Into<::Repr> + Clone + 'a, { let samples = shares.into_iter().map(|(i, share)| (i, &share.0)); - Ok(Signature(interpolate(self.coeff.len(), samples)?)) + Ok(Signature(interpolate(self.commit.degree() + 1, samples)?)) } /// Combines the shares to decrypt the ciphertext. @@ -196,7 +196,7 @@ impl PublicKeySet { IND: Into<::Repr> + Clone + 'a, { let samples = shares.into_iter().map(|(i, share)| (i, &share.0)); - let g = interpolate(self.coeff.len(), samples)?; + let g = interpolate(self.commit.degree() + 1, samples)?; Ok(xor_vec(&hash_bytes::(g, ct.1.len()), &ct.1)) } } 
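Review bot: The doc comment on the `commit` field still reads "The coefficients of a polynomial …" although the field is now a `Commitment<E>`; I would change it to `/// A commitment to the polynomial whose value at `0` is the "master key", and whose value at `i + 1` is key share number `i`.` — the `poly` field of `SecretKeySet` in the next hunk keeps the same stale wording and should say it is the polynomial itself. Also, `public_key()` now goes through `Commitment::evaluate(0)`, which runs the Horner loop and so calls `mul_assign` with a zero scalar once per coefficient just to return the constant term; callers such as `pk_set.public_key().encrypt(…)` in the tests pay that group arithmetic every time, and a direct constant-term accessor on `Commitment` would be cheaper.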
@@ -205,45 +205,41 @@ impl PublicKeySet { pub struct SecretKeySet { /// The coefficients of a polynomial whose value at `0` is the "master key", and value at /// `i + 1` is key share number `i`. - coeff: Vec, + poly: Poly, } impl SecretKeySet { /// Creates a set of secret key shares, where any `threshold + 1` of them can collaboratively /// sign and decrypt. - pub fn new(threshold: usize, rng: &mut R) -> Self { + pub fn random(threshold: usize, rng: &mut R) -> Self { SecretKeySet { - coeff: (0..(threshold + 1)).map(|_| rng.gen()).collect(), + poly: Poly::random(threshold, rng), } } /// Returns the threshold `t`: any set of `t + 1` signature shares can be combined into a full /// signature. pub fn threshold(&self) -> usize { - self.coeff.len() - 1 + self.poly.degree() } /// Returns the `i`-th secret key share. - pub fn secret_key_share(&self, i: T) -> SecretKey - where - T: Into<::Repr>, - { - let x = from_repr_plus_1(i.into()); - let mut pk = *self.coeff.last().expect("at least one coefficient"); - for c in self.coeff.iter().rev().skip(1) { - pk.mul_assign(&x); - pk.add_assign(c); - } - SecretKey(pk) + pub fn secret_key_share::Repr>>(&self, i: T) -> SecretKey { + SecretKey(self.poly.evaluate(from_repr_plus_1::(i.into()))) } /// Returns the corresponding public key set. That information can be shared publicly. pub fn public_keys(&self) -> PublicKeySet { - let to_pub = |c: &E::Fr| PublicKey(E::G1Affine::one().mul(*c)); PublicKeySet { - coeff: self.coeff.iter().map(to_pub).collect(), + commit: self.poly.commitment(), } } + + /// Returns the secret master key. + #[cfg(test)] + fn secret_key(&self) -> SecretKey { + SecretKey(self.poly.evaluate(0)) + } } /// Returns a hash of the given message in `G2`. 
@@ -287,7 +283,7 @@ fn xor_vec(x: &[u8], y: &[u8]) -> Vec { /// Given a list of `t` samples `(i - 1, f(i) * g)` for a polynomial `f` of degree `t - 1`, and a /// group generator `g`, returns `f(0) * g`. -pub fn interpolate<'a, C, ITR, IND>(t: usize, items: ITR) -> Result +fn interpolate<'a, C, ITR, IND>(t: usize, items: ITR) -> Result where C: CurveProjective, ITR: IntoIterator, @@ -352,19 +348,18 @@ mod tests { #[test] fn test_threshold_sig() { let mut rng = rand::thread_rng(); - let sk_set = SecretKeySet::::new(3, &mut rng); + let sk_set = SecretKeySet::::random(3, &mut rng); let pk_set = sk_set.public_keys(); // Make sure the keys are different, and the first coefficient is the main key. - assert_eq!(*pk_set.public_key(), pk_set.coeff[0]); - assert_ne!(*pk_set.public_key(), pk_set.public_key_share(0)); - assert_ne!(*pk_set.public_key(), pk_set.public_key_share(1)); - assert_ne!(*pk_set.public_key(), pk_set.public_key_share(2)); + assert_ne!(pk_set.public_key(), pk_set.public_key_share(0)); + assert_ne!(pk_set.public_key(), pk_set.public_key_share(1)); + assert_ne!(pk_set.public_key(), pk_set.public_key_share(2)); // Make sure we don't hand out the main secret key to anyone. - assert_ne!(SecretKey(sk_set.coeff[0]), sk_set.secret_key_share(0)); - assert_ne!(SecretKey(sk_set.coeff[0]), sk_set.secret_key_share(1)); - assert_ne!(SecretKey(sk_set.coeff[0]), sk_set.secret_key_share(2)); + assert_ne!(sk_set.secret_key(), sk_set.secret_key_share(0)); + assert_ne!(sk_set.secret_key(), sk_set.secret_key_share(1)); + assert_ne!(sk_set.secret_key(), sk_set.secret_key_share(2)); let msg = "Totally real news"; @@ -420,7 +415,7 @@ mod tests { #[test] fn test_threshold_enc() { let mut rng = rand::thread_rng(); - let sk_set = SecretKeySet::::new(3, &mut rng); + let sk_set = SecretKeySet::::random(3, &mut rng); let pk_set = sk_set.public_keys(); let msg = b"Totally real news"; let ciphertext = pk_set.public_key().encrypt(&msg[..]); 
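Review bot: In the `@@ -352` hunk, `test_threshold_sig` drops the old `assert_eq!(*pk_set.public_key(), pk_set.coeff[0])` without a replacement, so the remaining `assert_ne!` lines only show that the public key differs from the shares and nothing in this hunk ties it to the secret master key (a later signature verification outside the hunk may do so implicitly). With the `#[cfg(test)] secret_key()` added to `SecretKeySet` in the previous hunk, the check can be restored as `assert_eq!(pk_set.public_key(), PublicKey(E::G1Affine::one().mul(sk_set.secret_key().0)))`, with `E` the engine the test instantiates. Both test bodies continue outside the hunk.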
@@ -511,76 +506,3 @@ mod tests { assert_eq!(sig, deser_sig); } } - -#[cfg(feature = "serialization-serde")] -mod serde { - use pairing::{CurveAffine, CurveProjective, EncodedPoint, Engine}; - - use super::{DecryptionShare, PublicKey, Signature}; - use serde::de::Error as DeserializeError; - use serde::{Deserialize, Deserializer, Serialize, Serializer}; - - const ERR_LEN: &str = "wrong length of deserialized group element"; - const ERR_CODE: &str = "deserialized bytes don't encode a group element"; - - impl Serialize for PublicKey { - fn serialize(&self, s: S) -> Result { - serialize_projective(&self.0, s) - } - } - - impl<'de, E: Engine> Deserialize<'de> for PublicKey { - fn deserialize>(d: D) -> Result { - Ok(PublicKey(deserialize_projective(d)?)) - } - } - - impl Serialize for Signature { - fn serialize(&self, s: S) -> Result { - serialize_projective(&self.0, s) - } - } - - impl<'de, E: Engine> Deserialize<'de> for Signature { - fn deserialize>(d: D) -> Result { - Ok(Signature(deserialize_projective(d)?)) - } - } - - impl Serialize for DecryptionShare { - fn serialize(&self, s: S) -> Result { - serialize_projective(&self.0, s) - } - } - - impl<'de, E: Engine> Deserialize<'de> for DecryptionShare { - fn deserialize>(d: D) -> Result { - Ok(DecryptionShare(deserialize_projective(d)?)) - } - } - - /// Serializes the compressed representation of a group element. - fn serialize_projective(c: &C, s: S) -> Result - where - S: Serializer, - C: CurveProjective, - { - c.into_affine().into_compressed().as_ref().serialize(s) - } - - /// Deserializes the compressed representation of a group element. 
- fn deserialize_projective<'de, D, C>(d: D) -> Result - where - D: Deserializer<'de>, - C: CurveProjective, - { - let bytes = >::deserialize(d)?; - if bytes.len() != ::Compressed::size() { - return Err(D::Error::custom(ERR_LEN)); - } - let mut compressed = ::Compressed::empty(); - compressed.as_mut().copy_from_slice(&bytes); - let to_err = |_| D::Error::custom(ERR_CODE); - Ok(compressed.into_affine().map_err(to_err)?.into_projective()) - } -} diff --git a/src/crypto/serde_impl.rs b/src/crypto/serde_impl.rs new file mode 100644 index 00000000..5e98a4d9 --- /dev/null +++ b/src/crypto/serde_impl.rs 
@@ -0,0 +1,119 @@ +use std::borrow::Borrow; +use std::marker::PhantomData; + +use pairing::{CurveAffine, CurveProjective, EncodedPoint, Engine}; + +use super::{DecryptionShare, PublicKey, Signature}; +use serde::de::Error as DeserializeError; +use serde::{Deserialize, Deserializer, Serialize, Serializer}; + +const ERR_LEN: &str = "wrong length of deserialized group element"; +const ERR_CODE: &str = "deserialized bytes don't encode a group element"; + +/// A wrapper type to facilitate serialization and deserialization of group elements. +struct CurveWrap(B, PhantomData); + +impl CurveWrap { + fn new(c: B) -> Self { + CurveWrap(c, PhantomData) + } +} + +impl> Serialize for CurveWrap { + fn serialize(&self, s: S) -> Result { + serialize_projective(self.0.borrow(), s) + } +} + +impl<'de, C: CurveProjective> Deserialize<'de> for CurveWrap { + fn deserialize>(d: D) -> Result { + Ok(CurveWrap::new(deserialize_projective(d)?)) + } +} + +impl Serialize for PublicKey { + fn serialize(&self, s: S) -> Result { + serialize_projective(&self.0, s) + } +} + +impl<'de, E: Engine> Deserialize<'de> for PublicKey { + fn deserialize>(d: D) -> Result { + Ok(PublicKey(deserialize_projective(d)?)) + } +} + +impl Serialize for Signature { + fn serialize(&self, s: S) -> Result { + serialize_projective(&self.0, s) + } +} + +impl<'de, E: Engine> Deserialize<'de> for Signature { + fn deserialize>(d: D) -> Result { + Ok(Signature(deserialize_projective(d)?)) + } +} + +impl Serialize for DecryptionShare { + fn serialize(&self, s: S) -> Result { + serialize_projective(&self.0, s) + } +} + +impl<'de, E: Engine> Deserialize<'de> for DecryptionShare { + fn deserialize>(d: D) -> Result { + Ok(DecryptionShare(deserialize_projective(d)?)) + } +} + +/// Serializes the compressed representation of a group element. 
+fn serialize_projective(c: &C, s: S) -> Result +where + S: Serializer, + C: CurveProjective, +{ + c.into_affine().into_compressed().as_ref().serialize(s) +} + +/// Deserializes the compressed representation of a group element. +fn deserialize_projective<'de, D, C>(d: D) -> Result +where + D: Deserializer<'de>, + C: CurveProjective, +{ + let bytes = >::deserialize(d)?; + if bytes.len() != ::Compressed::size() { + return Err(D::Error::custom(ERR_LEN)); + } + let mut compressed = ::Compressed::empty(); + compressed.as_mut().copy_from_slice(&bytes); + let to_err = |_| D::Error::custom(ERR_CODE); + Ok(compressed.into_affine().map_err(to_err)?.into_projective()) +} + +/// Serialization and deserialization of vectors of projective curve elements. +pub mod projective_vec { + use super::CurveWrap; + + use pairing::CurveProjective; + use serde::{Deserialize, Deserializer, Serialize, Serializer}; + + pub fn serialize(vec: &[C], s: S) -> Result + where + S: Serializer, + C: CurveProjective, + { + let wrap_vec: Vec> = vec.iter().map(CurveWrap::new).collect(); + wrap_vec.serialize(s) + } + + pub fn deserialize<'de, D, C>(d: D) -> Result, D::Error> + where + D: Deserializer<'de>, + C: CurveProjective, + { + let wrap_vec = >>::deserialize(d)?; + Ok(wrap_vec.into_iter().map(|CurveWrap(c, _)| c).collect()) + } +} diff --git a/src/lib.rs b/src/lib.rs index ab134f42..e9c81c3c 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -4,6 +4,8 @@ //! honey badger of BFT protocols" after a paper with the same title. #![feature(optin_builtin_traits)] +// TODO: Remove this once https://github.com/rust-lang-nursery/error-chain/issues/245 is resolved. +#![allow(renamed_and_removed_lints)] extern crate bincode; extern crate byteorder;
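Review bot: `deserialize_projective` is the only place where wire bytes become group elements, and the `compressed.into_affine()` call is what rejects encodings that are not valid curve elements, whereas `pairing` also offers `into_affine_unchecked`, which skips that validation; the choice deserves a comment so a later change does not swap it, e.g. `// `into_affine` (not `into_affine_unchecked`) validates the decoded point; required because the bytes come from an untrusted peer.` `projective_vec::deserialize` accepts a sequence of any length, and every element costs a decompression plus that validation, so the users in keygen.rs (`Commitment`, `BivarCommitment`) should bound the accepted length against the expected degree rather than trusting the sender. The `bytes.len()` check correctly precedes `copy_from_slice`, but `ERR_LEN` discards the actual length; a `D::Error::custom(format!("{}: {}", ERR_LEN, bytes.len()))` would make rejected inputs easier to diagnose.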