apply pr suggestions

nucypher · Feb 1, 2023 · 1f76347 · 1f76347
1 parent dd9e458
commit 1f76347
Show file tree

Hide file tree

Showing 7 changed files with 128 additions and 40 deletions.
diff --git a/ferveo/src/lib.rs b/ferveo/src/lib.rs
@@ -83,6 +83,7 @@ mod test_dkg_full {
         let plaintext = tpke::checked_decrypt_with_shared_secret(
             &ciphertext,
             aad,
+            &dkg.pvss_params.g_inv(),
             &shared_secret,
         )
         .unwrap();
@@ -130,6 +131,7 @@ mod test_dkg_full {
         let plaintext = tpke::checked_decrypt_with_shared_secret(
             &ciphertext,
             aad,
+            &dkg.pvss_params.g_inv(),
             &shared_secret,
         )
         .unwrap();

diff --git a/ferveo/src/vss/pvss.rs b/ferveo/src/vss/pvss.rs
@@ -41,6 +41,12 @@ pub struct PubliclyVerifiableParams<E: PairingEngine> {
     pub h: E::G2Projective,
 }
 
+impl<E: PairingEngine> PubliclyVerifiableParams<E> {
+    pub fn g_inv(&self) -> E::G1Prepared {
+        E::G1Prepared::from(-self.g.into_affine())
+    }
+}
+
 /// Each validator posts a transcript to the chain. Once enough
 /// validators have done this (their total voting power exceeds
 /// 2/3 the total), this will be aggregated into a final key
@@ -156,8 +162,6 @@ impl<E: PairingEngine, T> PubliclyVerifiableSS<E, T> {
                 let a_i = commitment[validator.share_index];
                 // We verify that e(G, Y_i) = e(A_i, ek_i) for validator i
                 // See #4 in 4.2.3 section of https://eprint.iacr.org/2022/898.pdf
-                // Y = \sum_i y_i \alpha^i
-                // A = \sum_i a_i \alpha^i
                 // e(G,Y) = e(A, ek)
                 E::pairing(dkg.pvss_params.g, *y_i) == E::pairing(a_i, ek_i)
             })
@@ -338,7 +342,7 @@ mod test_pvss {
         assert!(!pvss.verify_optimistic());
     }
 
-    /// Check that if PVSS shares are tempered with, the full verification fails
+    /// Check that if PVSS shares are tampered with, the full verification fails
     #[test]
     fn test_verify_pvss_bad_shares() {
         let rng = &mut ark_std::test_rng();

diff --git a/tpke-wasm/src/lib.rs b/tpke-wasm/src/lib.rs
@@ -2,6 +2,8 @@ mod utils;
 
 extern crate group_threshold_cryptography as tpke;
 
+use ark_bls12_381::G1Affine;
+use ark_ec::AffineCurve;
 use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
@@ -18,6 +20,8 @@ pub type TpkeDecryptionShare = tpke::DecryptionShareFast<E>;
 pub type TpkePublicDecryptionContext = tpke::PublicDecryptionContextFast<E>;
 pub type TpkeSharedSecret =
     <ark_bls12_381::Bls12_381 as ark_ec::PairingEngine>::Fqk;
+pub type TpkeG1Prepared =
+    <ark_bls12_381::Bls12_381 as ark_ec::PairingEngine>::G1Prepared;
 
 #[wasm_bindgen]
 #[derive(Clone, Debug)]
@@ -222,6 +226,7 @@ impl Setup {
 pub struct Ciphertext {
     pub(crate) ciphertext: TpkeCiphertext,
     pub(crate) aad: Vec<u8>,
+    pub(crate) g_inv: TpkeG1Prepared,
 }
 
 #[wasm_bindgen]
@@ -233,11 +238,15 @@ pub fn encrypt(
     set_panic_hook();
 
     let mut rng = rand::thread_rng();
+    // TODO: Expose `TpkeG1Prepared` to WASM and use it here
+    let g_inv = TpkeG1Prepared::from(-G1Affine::prime_subgroup_generator());
     let ciphertext =
         tpke::encrypt::<_, E>(message, aad, &public_key.0, &mut rng);
+
     Ciphertext {
         ciphertext,
         aad: aad.to_vec(),
+        g_inv,
     }
 }
 
@@ -248,7 +257,8 @@ pub fn decrypt(ciphertext: &Ciphertext, private_key: &PrivateKey) -> Vec<u8> {
     tpke::checked_decrypt(
         &ciphertext.ciphertext,
         &ciphertext.aad,
-        private_key.0,
+        &ciphertext.g_inv,
+        &private_key.0,
     )
     .unwrap()
 }
@@ -311,6 +321,7 @@ pub fn decrypt_with_shared_secret(
     tpke::checked_decrypt_with_shared_secret(
         &ciphertext.ciphertext,
         &ciphertext.aad,
+        &ciphertext.g_inv,
         &shared_secret.0,
     )
     .unwrap()

diff --git a/tpke/benches/tpke.rs b/tpke/benches/tpke.rs
@@ -50,8 +50,15 @@ impl SetupFast {
 
         let mut decryption_shares: Vec<DecryptionShareFast<E>> = vec![];
         for context in contexts.iter() {
-            decryption_shares
-                .push(context.create_share(&ciphertext, aad).unwrap());
+            decryption_shares.push(
+                context
+                    .create_share(
+                        &ciphertext,
+                        aad,
+                        &contexts[0].setup_params.g_inv,
+                    )
+                    .unwrap(),
+            );
         }
 
         let pub_contexts = contexts[0].clone().public_decryption_contexts;
@@ -105,7 +112,15 @@ impl SetupSimple {
         // Creating decryption shares
         let decryption_shares: Vec<_> = contexts
             .iter()
-            .map(|context| context.create_share(&ciphertext, aad).unwrap())
+            .map(|context| {
+                context
+                    .create_share(
+                        &ciphertext,
+                        aad,
+                        &contexts[0].setup_params.g_inv,
+                    )
+                    .unwrap()
+            })
             .collect();
 
         let pub_contexts = contexts[0].clone().public_decryption_contexts;
@@ -157,6 +172,7 @@ pub fn bench_create_decryption_share(c: &mut Criterion) {
                             ctx.create_share(
                                 &setup.shared.ciphertext,
                                 &setup.shared.aad,
+                                &setup.contexts[0].setup_params.g_inv,
                             )
                         })
                         .collect::<Vec<_>>()
@@ -176,6 +192,7 @@ pub fn bench_create_decryption_share(c: &mut Criterion) {
                             ctx.create_share(
                                 &setup.shared.ciphertext,
                                 &setup.shared.aad,
+                                &setup.contexts[0].setup_params.g_inv,
                             )
                         })
                         .collect::<Vec<_>>()
@@ -342,6 +359,7 @@ pub fn bench_share_encrypt_decrypt(c: &mut Criterion) {
                     checked_decrypt_with_shared_secret::<E>(
                         &setup.shared.ciphertext,
                         &setup.shared.aad,
+                        &setup.contexts[0].setup_params.g_inv,
                         &setup.shared.shared_secret,
                     )
                     .unwrap(),
@@ -373,6 +391,7 @@ pub fn bench_validity_checks(c: &mut Criterion) {
                 black_box(check_ciphertext_validity(
                     &setup.shared.ciphertext,
                     &setup.shared.aad,
+                    &setup.contexts[0].setup_params.g_inv,
                 ))
                 .unwrap();
             }

diff --git a/tpke/src/ciphertext.rs b/tpke/src/ciphertext.rs
@@ -106,8 +106,8 @@ pub fn encrypt<R: RngCore, E: PairingEngine>(
 pub fn check_ciphertext_validity<E: PairingEngine>(
     c: &Ciphertext<E>,
     aad: &[u8],
+    g_inv: &E::G1Prepared,
 ) -> Result<()> {
-    let g_inv = E::G1Prepared::from(-E::G1Affine::prime_subgroup_generator());
     // H_G2(U, aad)
     let hash_g2 = E::G2Prepared::from(construct_tag_hash::<E>(
         c.commitment,
@@ -118,7 +118,7 @@ pub fn check_ciphertext_validity<E: PairingEngine>(
     let is_ciphertext_valid = E::product_of_pairings(&[
         // e(U, H_G2(U, aad)) = e(G, W)
         (E::G1Prepared::from(c.commitment), hash_g2),
-        (g_inv, E::G2Prepared::from(c.auth_tag)),
+        (g_inv.clone(), E::G2Prepared::from(c.auth_tag)),
     ]) == E::Fqk::one();
 
     if is_ciphertext_valid {
@@ -131,12 +131,13 @@ pub fn check_ciphertext_validity<E: PairingEngine>(
 pub fn checked_decrypt<E: PairingEngine>(
     ciphertext: &Ciphertext<E>,
     aad: &[u8],
-    privkey: E::G2Affine,
+    g_inv: &E::G1Prepared,
+    privkey: &E::G2Affine,
 ) -> Result<Vec<u8>> {
-    check_ciphertext_validity(ciphertext, aad)?;
+    check_ciphertext_validity(ciphertext, aad, g_inv)?;
     let s = E::product_of_pairings(&[(
         E::G1Prepared::from(ciphertext.commitment),
-        E::G2Prepared::from(privkey),
+        E::G2Prepared::from(*privkey),
     )]);
     Ok(decrypt_with_shared_secret(ciphertext, &s))
 }
@@ -157,9 +158,10 @@ fn decrypt_with_shared_secret<E: PairingEngine>(
 pub fn checked_decrypt_with_shared_secret<E: PairingEngine>(
     ciphertext: &Ciphertext<E>,
     aad: &[u8],
+    g_inv: &E::G1Prepared,
     s: &E::Fqk,
 ) -> Result<Vec<u8>> {
-    check_ciphertext_validity(ciphertext, aad)?;
+    check_ciphertext_validity(ciphertext, aad, g_inv)?;
     Ok(decrypt_with_shared_secret(ciphertext, s))
 }
 

diff --git a/tpke/src/context.rs b/tpke/src/context.rs
@@ -41,8 +41,9 @@ impl<E: PairingEngine> PrivateDecryptionContextFast<E> {
         &self,
         ciphertext: &Ciphertext<E>,
         aad: &[u8],
+        g_inv: &E::G1Prepared,
     ) -> Result<DecryptionShareFast<E>> {
-        check_ciphertext_validity::<E>(ciphertext, aad)?;
+        check_ciphertext_validity::<E>(ciphertext, aad, g_inv)?;
 
         let decryption_share = ciphertext
             .commitment
@@ -70,8 +71,9 @@ impl<E: PairingEngine> PrivateDecryptionContextSimple<E> {
         &self,
         ciphertext: &Ciphertext<E>,
         aad: &[u8],
+        g_inv: &E::G1Prepared,
     ) -> Result<DecryptionShareSimple<E>> {
-        check_ciphertext_validity::<E>(ciphertext, aad)?;
+        check_ciphertext_validity::<E>(ciphertext, aad, g_inv)?;
 
         let u = ciphertext.commitment;
         let z_i = self.private_key_share.private_key_share;