Use baby step giant step for solving discrete log in pairing group an…

…d add hashing utils Signed-off-by: lovesh <lovesh.bond@gmail.com>
docknetwork · Jun 5, 2024 · 3652320 · 3652320
1 parent a1f322a
commit 3652320
Show file tree

Hide file tree

Showing 30 changed files with 311 additions and 639 deletions.
diff --git a/README.md b/README.md
@@ -16,13 +16,14 @@ Library providing privacy enhancing cryptographic primitives.
    - prove knowledge of a BBS+ signature and the corresponding messages
    - prove knowledge of a modified PS signature and the corresponding messages
    - equality of signed messages (from same or different signatures) in zero knowledge
+   - inequality of signed messages with public or committed values in zero knowledge
    - the (non)membership of a certain signed message(s)in the accumulator
    - numeric bounds (min, max) on the messages can be proved in zero-knowledge 
-   - verifiable encryption of signed messages under BBS+. 
+   - verifiable encryption of signed messages under BBS+ or PS. 
    - zk-SNARK created from R1CS and WASM generated by [Circom](https://docs.circom.io/) with witnesses as BBS+ signed messages (not exclusively though). 
 5. [Verifiable encryption](./saver) using [SAVER](https://eprint.iacr.org/2019/1270).
 6. [Compression and amortization of Sigma protocols](./compressed_sigma). This is PoC implementation.
-7. [Secret sharing schemes and DKG](./secret_sharing_and_dkg). Implements verifiable secret sharing schemes and DKG from Gennaro and FROST. Also implements protocol to do a distributed DLOG check.
+7. [Secret sharing schemes and DKG](./secret_sharing_and_dkg). Implements several verifiable secret sharing schemes and DKG from Gennaro and FROST. Also implements protocol to do a distributed DLOG check.
 8. [Cocount and PS signatures](./coconut/). Based on the paper [Security Analysis of Coconut, an Attribute-Based Credential Scheme with Threshold Issuance](https://eprint.iacr.org/2022/011)
 9. [LegoGroth16](./legogroth16/).  LegoGroth16, the [LegoSNARK](https://eprint.iacr.org/2019/142) variant of [Groth16](https://eprint.iacr.org/2016/260) zkSNARK proof system
 10. [Oblivious Transfer (OT) and Oblivious Transfer Extensions (OTE)](./oblivious_transfer).

diff --git a/bbs_plus/src/setup.rs b/bbs_plus/src/setup.rs
@@ -49,10 +49,7 @@
 
 use crate::error::BBSPlusError;
 use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup, VariableBaseMSM};
-use ark_ff::{
-    field_hashers::{DefaultFieldHasher, HashToField},
-    PrimeField,
-};
+use ark_ff::PrimeField;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{cfg_iter, fmt::Debug, rand::RngCore, vec::Vec, UniformRand};
 use digest::{Digest, DynDigest};
@@ -64,7 +61,7 @@ use dock_crypto_utils::{
     affine_group_element_from_byte_slices,
     aliases::*,
     concat_slices,
-    hashing_utils::projective_group_elem_from_try_and_incr,
+    hashing_utils::{hash_to_field, projective_group_elem_from_try_and_incr},
     iter::*,
     join,
     misc::{n_projective_group_elements, seq_pairs_satisfy},
@@ -96,13 +93,13 @@ use serde_with::serde_as;
 pub struct SecretKey<F: PrimeField>(#[serde_as(as = "ArkObjectBytes")] pub F);
 
 impl<F: PrimeField> SecretKey<F> {
+    pub const DST: &'static [u8] = b"BBS-SIG-KEYGEN-SALT";
     pub fn generate_using_seed<D>(seed: &[u8]) -> Self
     where
         F: PrimeField,
         D: Default + DynDigest + Clone,
     {
-        let hasher = <DefaultFieldHasher<D> as HashToField<F>>::new(b"BBS-SIG-KEYGEN-SALT");
-        Self(hasher.hash_to_field(seed, 1).pop().unwrap())
+        Self(hash_to_field::<F, D>(Self::DST, seed))
     }
 }
 

diff --git a/delegatable_credentials/Cargo.toml b/delegatable_credentials/Cargo.toml
@@ -5,7 +5,8 @@ edition.workspace = true
 authors.workspace = true
 license.workspace = true
 repository.workspace = true
-description = "Schemes used to develop DAC (Delegatable Anonymous Credentials)"
+description = "Schemes used to develop DAC (Delegatable Anonymous Credentials). Implements structure preseving signatures, Mercurial Signature, set commitment scheme"
+keywords = ["mercurial-signature", "set-commitment", "SPS-EQ"]
 
 [dependencies]
 ark-ff.workspace = true

diff --git a/delegatable_credentials/src/mercurial_sig.rs b/delegatable_credentials/src/mercurial_sig.rs
@@ -2,29 +2,24 @@
 //! Implements 2 variations of the algorithms, one where signature is in group G1 and public key in group G2
 //! and the other where signature is in group G2 and public key in group G1
 
+use crate::error::DelegationError;
 use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup, Group, VariableBaseMSM};
-use ark_ff::{
-    field_hashers::{DefaultFieldHasher, HashToField},
-    Field, PrimeField, Zero,
-};
+use ark_ff::{Field, PrimeField, Zero};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{cfg_iter, fmt::Debug, rand::RngCore, vec::Vec, UniformRand};
-use digest::DynDigest;
-
-use zeroize::{Zeroize, ZeroizeOnDrop};
-
-use dock_crypto_utils::serde_utils::*;
-
+use dock_crypto_utils::{
+    aliases::{FullDigest, SyncIfParallel},
+    hashing_utils::hash_to_field_many,
+    msm::WindowTable,
+    serde_utils::*,
+};
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
-
-use dock_crypto_utils::msm::WindowTable;
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
 
-use crate::error::DelegationError;
-
 /// Secret key used by the signer to sign messages
 #[serde_as]
 #[derive(
@@ -105,6 +100,8 @@ pub struct SignatureG2<E: Pairing> {
 }
 
 impl<E: Pairing> SecretKey<E> {
+    pub const DST: &'static [u8] = b"MERCURIAL-SIG-KEYGEN-SALT";
+
     pub fn new<R: RngCore>(rng: &mut R, size: u32) -> Result<Self, DelegationError> {
         if size == 0 {
             return Err(DelegationError::NeedNonZeroSize);
@@ -118,15 +115,16 @@ impl<E: Pairing> SecretKey<E> {
 
     pub fn generate_using_seed<D>(seed: &[u8], size: u32) -> Result<Self, DelegationError>
     where
-        D: DynDigest + Default + Clone,
+        D: FullDigest + SyncIfParallel,
     {
         if size == 0 {
             return Err(DelegationError::NeedNonZeroSize);
         }
-        let hasher = <DefaultFieldHasher<D> as HashToField<E::ScalarField>>::new(
-            b"MERCURIAL-SIG-KEYGEN-SALT",
-        );
-        Ok(Self(hasher.hash_to_field(seed, size as usize)))
+        Ok(Self(hash_to_field_many::<E::ScalarField, D>(
+            Self::DST,
+            seed,
+            size,
+        )))
     }
 
     /// ConvertSK from the paper.

diff --git a/delegatable_credentials/src/msbm/keys.rs b/delegatable_credentials/src/msbm/keys.rs
@@ -5,15 +5,15 @@ use crate::{
     set_commitment::SetCommitmentSRS,
 };
 use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup, Group};
-use ark_ff::{
-    field_hashers::{DefaultFieldHasher, HashToField},
-    PrimeField, Zero,
-};
+use ark_ff::{PrimeField, Zero};
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{cfg_iter, ops::Neg, rand::RngCore, vec, vec::Vec, UniformRand};
-use digest::DynDigest;
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
+use dock_crypto_utils::{
+    aliases::{FullDigest, SyncIfParallel},
+    hashing_utils::hash_to_field,
+};
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
 
@@ -64,20 +64,22 @@ pub struct UpdateKey<E: Pairing> {
 }
 
 impl<E: Pairing> RootIssuerSecretKey<E> {
+    pub const DST: &'static [u8] = b"MERCURIAL-SIG-KEYGEN-SALT-0";
+
     pub fn new<R: RngCore>(rng: &mut R, size: u32) -> Result<Self, DelegationError> {
         let m_sk = SecretKey::new(rng, size)?;
         Ok(Self(E::ScalarField::rand(rng), m_sk))
     }
 
     pub fn generate_using_seed<D>(seed: &[u8], size: u32) -> Result<Self, DelegationError>
     where
-        D: DynDigest + Default + Clone,
+        D: FullDigest + SyncIfParallel,
     {
         let m_sk = SecretKey::generate_using_seed::<D>(seed, size)?;
-        let hasher = <DefaultFieldHasher<D> as HashToField<E::ScalarField>>::new(
-            b"MERCURIAL-SIG-KEYGEN-SALT-0",
-        );
-        Ok(Self(hasher.hash_to_field(seed, 1).pop().unwrap(), m_sk))
+        Ok(Self(
+            hash_to_field::<E::ScalarField, D>(Self::DST, seed),
+            m_sk,
+        ))
     }
 }
 

diff --git a/delegatable_credentials/src/protego/keys.rs b/delegatable_credentials/src/protego/keys.rs
@@ -6,7 +6,7 @@ use ark_ec::{pairing::Pairing, AffineRepr, CurveGroup};
 use ark_ff::PrimeField;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{rand::RngCore, vec::Vec, UniformRand};
-use digest::DynDigest;
+use dock_crypto_utils::aliases::{FullDigest, SyncIfParallel};
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
 /// Secret key of the credential issuer. The size of the key would be at least 3 and at most 7 depending on it
@@ -62,7 +62,7 @@ impl<E: Pairing> IssuerSecretKey<E> {
         supports_audit: bool,
     ) -> Result<Self, DelegationError>
     where
-        D: DynDigest + Default + Clone,
+        D: FullDigest + SyncIfParallel,
     {
         Ok(Self {
             secret_key: SecretKey::generate_using_seed::<D>(

diff --git a/kvac/src/bddt_2016/mac.rs b/kvac/src/bddt_2016/mac.rs
@@ -112,7 +112,7 @@ impl<G: AffineRepr> MAC<G> {
 
         let s = G::ScalarField::rand(rng);
         // `b` is the part of signature on uncommitted messages,
-        // i.e. partial_sig = h + sum(g_vec__i * m_i) for all i in uncommitted_messages
+        // i.e. partial_sig = h + sum(g_vec_i * m_i) for all i in uncommitted_messages
         let b = params.b(uncommitted_messages, &s)?;
 
         let mut e = G::ScalarField::rand(rng);

diff --git a/kvac/src/bddt_2016/setup.rs b/kvac/src/bddt_2016/setup.rs
@@ -1,26 +1,26 @@
 use ark_ec::{AffineRepr, CurveGroup, VariableBaseMSM};
-use ark_ff::{
-    field_hashers::{DefaultFieldHasher, HashToField},
-    PrimeField,
-};
+use ark_ff::PrimeField;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{cfg_iter, rand::RngCore, vec::Vec};
 use core::iter::once;
 use digest::{Digest, DynDigest};
 use dock_crypto_utils::{
-    affine_group_element_from_byte_slices, concat_slices, join,
+    affine_group_element_from_byte_slices, concat_slices,
+    hashing_utils::hash_to_field,
+    iter::pair_valid_items_with_slice,
+    join,
     misc::{n_projective_group_elements, seq_pairs_satisfy},
     serde_utils::ArkObjectBytes,
+    signature::MultiMessageSignatureParams,
+    try_iter::CheckLeft,
 };
+
 use itertools::process_results;
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
 use crate::error::KVACError;
-use dock_crypto_utils::{iter::pair_valid_items_with_slice, try_iter::CheckLeft};
-
-use dock_crypto_utils::signature::MultiMessageSignatureParams;
 
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
@@ -150,13 +150,14 @@ impl<G: AffineRepr> MultiMessageSignatureParams for &MACParams<G> {
 }
 
 impl<F: PrimeField> SecretKey<F> {
+    pub const DST: &'static [u8] = b"BDDT16-MAC-KEYGEN-SALT";
+
     pub fn new<R: RngCore>(rng: &mut R) -> Self {
         Self(F::rand(rng))
     }
 
     pub fn generate_using_seed<D: DynDigest + Default + Clone>(seed: &[u8]) -> Self {
-        let hasher = <DefaultFieldHasher<D> as HashToField<F>>::new(b"BDDT16-MAC-KEYGEN-SALT");
-        Self(hasher.hash_to_field(seed, 1).pop().unwrap())
+        Self(hash_to_field::<F, D>(Self::DST, seed))
     }
 }
 

diff --git a/oblivious_transfer/Cargo.toml b/oblivious_transfer/Cargo.toml
@@ -5,7 +5,8 @@ edition.workspace = true
 authors.workspace = true
 license.workspace = true
 repository.workspace = true
-description = "Oblivious Transfer (OT), Oblivious Transfer Extensions (OTE)"
+description = "Oblivious Transfer (OT), Oblivious Transfer Extensions (OTE) and multiplication protocol using them"
+keywords = ["oblivious-transfer", "simplest-OT", "OT-multiplication"]
 
 [dependencies]
 ark-ff.workspace = true

diff --git a/saver/src/encryption.rs b/saver/src/encryption.rs
@@ -29,6 +29,7 @@ use serde_with::serde_as;
 use crate::utils::CHUNK_TYPE;
 use dock_crypto_utils::{ff::non_zero_random, serde_utils::*};
 
+use dock_crypto_utils::solve_discrete_log::solve_discrete_log_bsgs_alt;
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
 
@@ -505,6 +506,7 @@ impl<E: Pairing> Encryption<E> {
         let c_0_rho = c_0.mul_bigint((-sk.0).into_bigint());
         let c_0_rho_prepared = E::G1Prepared::from(c_0_rho.into_affine());
         let mut decrypted_chunks = vec![];
+        // chunk_max_val = 2^chunk_bit_size - 1
         let chunk_max_val: u32 = (1 << chunk_bit_size) - 1;
         let pairing_powers = if let Some(p) = pairing_powers { p } else { &[] };
         for i in 0..n {
@@ -582,17 +584,8 @@ impl<E: Pairing> Encryption<E> {
         g_i_v_i: PairingOutput<E>,
         p: PairingOutput<E>,
     ) -> crate::Result<CHUNK_TYPE> {
-        if p == g_i_v_i {
-            return Ok(1);
-        }
-        let mut cur = g_i_v_i;
-        for j in 2..=chunk_max_val {
-            cur += g_i_v_i;
-            if cur == p {
-                return Ok(j);
-            }
-        }
-        Err(SaverError::CouldNotFindDiscreteLog)
+        solve_discrete_log_bsgs_alt(chunk_max_val, g_i_v_i, p)
+            .ok_or(SaverError::CouldNotFindDiscreteLog)
     }
 
     /// Relies on precomputation

diff --git a/schnorr_pok/Cargo.toml b/schnorr_pok/Cargo.toml
@@ -5,7 +5,8 @@ edition.workspace = true
 authors.workspace = true
 license.workspace = true
 repository.workspace = true
-description = "Schnorr protocol for proof of knowledge of one or more discrete logs"
+description = "Schnorr protocol for proof of knowledge of one or more discrete logs. Working in elliptic curve and pairing groups"
+keywords = ["Schnorr", "proof-of-knowledge", "ZKPoK"]
 
 [lib]
 doctest = false

diff --git a/secret_sharing_and_dkg/Cargo.toml b/secret_sharing_and_dkg/Cargo.toml
@@ -5,7 +5,8 @@ edition.workspace = true
 authors.workspace = true
 license.workspace = true
 repository.workspace = true
-description = "Secret sharing schemes and DKGs."
+description = "Secret sharing schemes like Shamir's, Feldman's, Pedersen's and Publicly Verifiable Secret Sharing scheme and DKGs like FROST"
+keywords = ["secret-sharing", "VSS", "PVSS", "DKG", "Shamir"]
 
 [dependencies]
 ark-ff.workspace = true

diff --git a/secret_sharing_and_dkg/README.md b/secret_sharing_and_dkg/README.md
@@ -1,7 +1,7 @@
 # Secret sharing and distributed key generation
 
-Implements Secret Sharing (SS), Verifiable Secret Sharing (VSS), Distributed Verifiable Secret Sharing (DVSS) and Distributed 
-Key Generation (DKG) algorithms. DVSS and DKG do not require a trusted dealer. Also implements a distributed discrete log check.
+Implements Secret Sharing (SS), Verifiable Secret Sharing (VSS), Distributed Verifiable Secret Sharing (DVSS), Distributed 
+Key Generation (DKG) and Publicly Verifiable Secret Sharing (PVSS) algorithms. DVSS and DKG do not require a trusted dealer. Also implements a distributed discrete log check.
 
 
 1. [Shamir secret sharing (Requires a trusted dealer)](./src/shamir_ss.rs)
@@ -11,4 +11,5 @@ Key Generation (DKG) algorithms. DVSS and DKG do not require a trusted dealer. A
 1. [Feldman Distributed Verifiable Secret Sharing](./src/feldman_dvss_dkg.rs)
 1. [Secure Distributed Key Generation for Discrete-Log Based Cryptosystems](./src/gennaro_dkg.rs)
 1. [Distributed Key Generation from FROST](./src/frost_dkg.rs)
-1. [Distributed discrete log (DLOG) check](./src/distributed_dlog_check)
+1. [Distributed discrete log (DLOG) check](./src/distributed_dlog_check)
+1. [Publicly Verifiable Secret Sharing](./src/baghery_pvss)