Review Пenc - Githubissues

survived commented 1 year ago

@d86leader I noticed that you implemented both interactive and non-interactive proofs, but expose only interface for non-interactive ones. It's fine for CGGMP purposes, but interactive proofs might be useful for other protocols we may implement in the future. Also I believe that providing interface for interactive proofs and building non-interactive proofs on top of that interface will keep code cleaner.

It can be accomplished by separating proofs into two modules (taking Пenc as an example):

paillier_zk::paillier_encryption_in_range that implements interactive proof

pub fn commit<R: RngCore>(
  rng: &mut R, 
  security: &SecurityParams, 
  aux: &Aux, 
  data: &Data, 
  pdata: &PrivateData,
) -> (Commitment, PrivateCommitment);

pub fn challenge<R: RngCore>(rng: &mut R) -> Challenge;

pub fn prove(
  security: &SecurityParams, 
  aux: &Aux, 
  data: &Data, 
  pdata: &PrivateData,
  challenge: &Challenge,
) -> Proof;

pub fn verify(security, aux, data, challenge, proof) -> Result<(), InvalidProof>;

paillier_zk::paillier_encryption_in_range::non_interactive that provides a non-interactive proof implementation on top of the previous one:

pub fn prove<D: Digest>(
  shared_state: D,
  security: &SecurityParams, 
  aux: &Aux, 
  data: &Data, 
  pdata: &PrivateData,
  challenge: &Challenge,
) -> NonInteractiveProof;

pub fn verify<D: Digest>(
  shared_state: D,
  security: &SecurityParams, 
  aux: &Aux, 
  data: &Data, 
  proof: &NonInteractiveProof,
) -> Result<(), InvalidProof>;

prove and verify encapsulate challenge derivation. It should be derived in this way:

seed = H(shared_state || security || aux || ...)
challenge = super::challenge(&mut ChaCha20Rng::from_seed(seed))

shared_state refers to any common state parties have by the time they prove a knowledge. It's broader than hash_to_curve::Tag, so protocol implementation can easily salt any information they want into the challenge.

maurges commented 1 year ago

expose only interface for non-interactive ones

That's just an oversight, the idea was to expose both interfaces. Looking at Пenc, I have just forgotten to make fn prove public >_>

I like your idea with interactive and non-interactive modules thought, let's do it this way

maurges commented 1 year ago

Closing to stop getting notifications from pushes to master

LFDT-Lockness / paillier-zk

Review Пenc #2