Documentation improvements, code cleaned up

[pdyraga]

Here we ship a number of improvements we did when we were evaluating the library to use for our project.

Summary of changes:

• Cleared up single-mode naming as well as removed G and Mu parameters from Paillier keys. We always use G = N + 1 (threshold version is not secure with another choice of G by the way), N is the only one parameter needed for a public key. Also, Mu is needed only for decrypting and can be computed from Lambda and N so there is no need to keep it in the private key.
• Added documentation to <Key, Enc, Dec> single-mode functions with an important note that p and q supplied to CreatePrivateKey must be either of equal length or gcd(pq, (p-1)(q-1)) = 1 which is assured if both primes are of equal length. This requirement is mentioned both in [KL 08] and [DJN 10].
• Removed single-mode PrivateKey's String() method and cached N^2 value from PublicKey. It's better to have no code encouraging to turn key into a string and printing it somewhere, especially that string contained private Lambda parameter. Computing N^2 is just a really small piece of encryption/decryption work and if we decide we need to tweak performance, we will need a different approach anyway. Removing it from PublicKey lets to keep this structure clean.
• Removed G parameter from ThresholdKey. G is always equal to N+1, only then threshold scheme is safe.
• Added documentation explaining how ThresholdKey is generated, how message is encrypted and decrypted, how zero-knowledge proof is constructed.
• Made internal functions not being exported.
• Removed dead code.
• Added test ensuring threshold version is a homomorphic encryption scheme.
• Explained how do we handle negative Lambda parameter values when decrypting (modular multiplicative inverse).

[KL 08]: Jonathan Katz, Yehuda Lindell, (2008) Introduction to Modern Cryptography: Principles and Protocols, Chapman & Hall/CRC

[DJN 10]: Ivan Damgard, Mads Jurik, Jesper Buus Nielsen, (2010) A Generalization of Paillier’s Public-Key System with Applications to Electronic Voting Aarhus University, Dept. of Computer Science, BRICS

[didiercrunch]

Wow, thanks a lot for that PR. I'll verify everything and merge it as soon as I get home.

Cheers,

Didier

On Tue, Jun 5, 2018, 9:55 AM pdyraga notifications@github.com wrote:

Here we ship a number of improvements we did when we were evaluating the library to use for our project.

Summary of changes:

• Cleared up single-mode naming as well as removed G and Mu parameters from Paillier keys. We always use G = N + 1 (threshold version is not secure with another choice of G by the way), N is the only one parameter needed for a public key. Also, Mu is needed only for decrypting and can be computed from Lambda and N so there is no need to keep it in the private key.
• Added documentation to <Key, Enc, Dec> single-mode functions with an important note that p and q supplied to CreatePrivateKey must be either of equal length or gcd(pq, (p-1)(q-1)) = 1 which is assured if both primes are of equal length. This requirement is mentioned both in [KL 08] and [DJN 10].
• Removed single-mode PrivateKey's String() method and cached N^2 value from PublicKey. It's better to have no code encouraging to turn key into a string and printing it somewhere, especially that string contained private Lambda parameter. Computing N^2 is just a really small piece of encryption/decryption work and if we decide we need to tweak performance, we will need a different approach anyway. Removing it from PublicKey lets to keep this structure clean.
• Removed G parameter from ThresholdKey. G is always equal to N+1, only then threshold scheme is safe.
• Added documentation explaining how ThresholdKey is generated, how message is encrypted and decrypted, how zero-knowledge proof is constructed.
• Made internal functions not being exported.
• Removed dead code.
• Added test ensuring threshold version is a homomorphic encryption scheme.
• Explained how do we handle negative Lambda parameter values when decrypting (modular multiplicative inverse).

[KL 08]: Jonathan Katz, Yehuda Lindell, (2008) Introduction to Modern Cryptography: Principles and Protocols, Chapman & Hall/CRC

[DJN 10]: Ivan Damgard, Mads Jurik, Jesper Buus Nielsen, (2010) A Generalization of Paillier’s Public-Key System with Applications to Electronic Voting Aarhus University, Dept. of Computer Science, BRICS

You can view, comment on, or merge this pull request online at:

https://github.com/didiercrunch/paillier/pull/2 Commit Summary

• Fixed test for LCM
• Added test for Lambda parameter computation
• Cleared up Paillier scheme API
• Do not cache N^2 value in PublicKey
• G parameter moved from PublicKey to ThresholdKey
• Removed PrivateKey's String() method
• Comment about G value moved to ThresholdKey
• Merge pull request #1 from keep-network/evaluate-and-fix
• Explained how do we compute D from Chinese Remainder Theorem
• Added documentation to the threshold Paillier key generator
• Do not export internal threshold generator functions
• Improved documentation for a secret share computation fn
• Small improvements to the threshold key generator tests
• G parameter removed from ThresholdKey
• Do not export internal ThresholdKey functions
• Improved documentation for ThresholdKey functions
• Removed unused ThresholdKey.divide function
• Added test ensuring threshold Paillier is a partially homomorphic system
• Added documentation describing how partial decryptions are combined
• Removed unneeded return statements from tests
• Added documentation to code evaluating ZKP
• Removed G parameter serialization code for ThresholdKey
• Explained how Fiat-Shamir heuristic works on a high level
• ThresholdKeyGenerator self-ref renamed from this to tkg
• ThresholdKey self-ref renamed from this to tk
• ThresholdPrivateKey self-ref renamed from this to tpk
• PartialDecryptionZKP self-ref renamed from this to pd
• ThresholdKey renamed to ThresholdPublicKey
• Shortened name of the partial decryption verification function
• Explained how do we handle negative lambda parameter value
• Merge pull request #3 from keep-network/threshold-rabbit-hole

File Changes

• M encoding.go https://github.com/didiercrunch/paillier/pull/2/files#diff-0 (46)
• M encoding_test.go https://github.com/didiercrunch/paillier/pull/2/files#diff-1 (18)
• M paillier.go https://github.com/didiercrunch/paillier/pull/2/files#diff-2 (86)
• M paillier_test.go https://github.com/didiercrunch/paillier/pull/2/files#diff-3 (52)
• M thresholdkey.go https://github.com/didiercrunch/paillier/pull/2/files#diff-4 (314)
• M thresholdkey_generator.go https://github.com/didiercrunch/paillier/pull/2/files#diff-5 (211)
• M thresholdkey_generator_test.go https://github.com/didiercrunch/paillier/pull/2/files#diff-6 (70)
• M thresholdkey_test.go https://github.com/didiercrunch/paillier/pull/2/files#diff-7 (114)

Patch Links:

• https://github.com/didiercrunch/paillier/pull/2.patch
• https://github.com/didiercrunch/paillier/pull/2.diff

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/didiercrunch/paillier/pull/2, or mute the thread https://github.com/notifications/unsubscribe-auth/AC4UlMtEy5J-vakIE69VlS-0Oe4bNLivks5t5o3VgaJpZM4Ua4Ab .

[didiercrunch]

This is an outstanding pull request with absolutely brilliant code. I do not know what you are doing, but what ever it is, please continue.

didier