Keygen zk proofs for Paillier keys

[ggutoski]

At first the migration from curv to k256 will not include zk proofs for Paillier keys. These proofs should be implemented after the keygen enhancements described in axelarnetwork/tofnd#70 are complete.

The zengo multi-party-ecdsa/curv libraries have some zk proofs for Paillier keys. Documentation is minimal and the correspondence between with the GG20 paper is not clear but it's a place to start:

• main Paillier keys: https://github.com/axelarnetwork/tofn/blob/18638349ee2e1c500e85fbc0b99c703518bf5b4b/src/protocol/gg20/keygen/r1.rs#L55
• zkp Paillier keys: https://github.com/axelarnetwork/tofn/blob/18638349ee2e1c500e85fbc0b99c703518bf5b4b/src/protocol/gg20/keygen/r2.rs#L48

The GG20 paper has very little on these proofs:

• main Paillier keys: section 3.1, page 13:

  Each player P_i proves in ZK that ... N_i is square-free using the proof of Gennaro, Micciancio, and Rabin [30], and that h_1 h_2 generate the same group modulo N_i

• zkp Paillier keys: I couldn't find anything in GG20, had to dig into GG18 appendix A:

  Therefore our initialization protocol must be augmented with each player P_i generating an additional RSA modulus ~N_i, and values h_1i, h_2i, together with a proof that they are of the correct form (see [14]). [The reference [14] is a Fujisaki-Okamoto paper from 1997.]

[ggutoski]

References for NICorrectKeyProof: zk-paillier/correct_key_ni.rs at master · ZenGo-X/zk-paillier

// This protocol is based on the NIZK protocol in https://eprint.iacr.org/2018/057.pdf
// for parameters = e = N, m2 = 11, alpha = 6370 see https://eprint.iacr.org/2018/987.pdf 6.2.3
// for full details.      

It's not clear to me why the zk proof for the zkp Paillier keys is different from the zk proof for the main Paillier keys.