Merge pull request #1 from dfnsco/unambiguous-challenge

Use unambiguous encoding to derive challanges
LFDT-Lockness · Jun 21, 2024 · 88cae37 · 88cae37
2 parents 560039b + b0f4228
commit 88cae37
Show file tree

Hide file tree

Showing 11 changed files with 352 additions and 407 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## v0.4.0
+* security fix: derive challenges for zero-knowledge proof unambiguously
+
 ## v0.3.0
 * Update `generic-ec` dep to v0.3 [#48]
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "paillier-zk"
-version = "0.3.0"
+version = "0.4.0"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "ZK-proofs for Paillier encryption scheme"
@@ -11,7 +11,7 @@ keywords = ["paillier", "zk-proofs", "zero-knowledge"]
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-generic-ec = "0.3"
+generic-ec = { version = "0.4", features = ["udigest"] }
 rand_core = { version = "0.6", default-features = false }
 digest = "0.10"
 fast-paillier = "0.1"
@@ -22,9 +22,12 @@ thiserror = "1"
 serde = { version = "1", features = ["derive"], optional = true }
 serde_with = { version = "3", default-features = false, features = ["macros"], optional = true }
 
+udigest = { version = "0.2", default-features = false, features = ["inline-struct", "derive"] }
+rand_hash = "0.1"
+
 [dev-dependencies]
-generic-ec = { version = "0.3", features = ["all-curves"] }
-rand_dev = { version = "0.1.0", default-features = false }
+generic-ec = { version = "0.4", features = ["udigest", "all-curves"] }
+rand_dev = { version = "0.1", default-features = false }
 sha2 = { version = "0.10", default-features = false }
 
 subtle = { version = "2.4", default-features = false }
@@ -46,3 +49,4 @@ required-features = ["serde"]
 
 [package.metadata.docs.rs]
 all-features = true
+
diff --git a/src/common.rs b/src/common.rs
@@ -1,4 +1,3 @@
-pub mod rng;
 pub mod sqrt;
 
 use std::sync::Arc;
@@ -64,6 +63,17 @@ impl Aux {
                 .into()),
         }
     }
+
+    /// Returns a stripped version of `Aux` that contains only public data which can be digested
+    /// via [`udigest::Digestable`]
+    pub fn digest_public_data(&self) -> impl udigest::Digestable {
+        let order = rug::integer::Order::Msf;
+        udigest::inline_struct!("paillier_zk.aux" {
+            s: udigest::Bytes(self.s.to_digits::<u8>(order)),
+            t: udigest::Bytes(self.t.to_digits::<u8>(order)),
+            rsa_modulo: udigest::Bytes(self.rsa_modulo.to_digits::<u8>(order)),
+        })
+    }
 }
 
 /// Error indicating that proof is invalid
@@ -257,6 +267,27 @@ pub fn fail_if_ne<T: PartialEq, E>(err: E, lhs: T, rhs: T) -> Result<(), E> {
     }
 }
 
+/// Digests an integer
+///
+/// To be used within `#[udigest(with = "...")]` attribute
+pub fn digest_integer<B: udigest::Buffer>(
+    value: &Integer,
+    encoder: udigest::encoding::EncodeValue<B>,
+) {
+    let digits = value.to_digits::<u8>(rug::integer::Order::Msf);
+    encoder.encode_leaf_value(digits)
+}
+
+/// Digests any encryption key
+///
+/// To be used within `#[udigest(with = "...")]` attribute
+pub fn digest_encryption_key<B: udigest::Buffer>(
+    value: &&dyn fast_paillier::AnyEncryptionKey,
+    encoder: udigest::encoding::EncodeValue<B>,
+) {
+    digest_integer::<B>(value.n(), encoder)
+}
+
 /// A common logic shared across tests and doctests
 #[cfg(test)]
 pub mod test {

diff --git a/src/common/rng.rs b/src/common/rng.rs