diff --git a/src/e2f/mod.rs b/src/e2f/mod.rs
index 37adbd9..6d49ad3 100644
--- a/src/e2f/mod.rs
+++ b/src/e2f/mod.rs
@@ -3,85 +3,177 @@
 mod prover;
 mod verifier;
+use crate::ole::Ole;
+use mpz_share_conversion_core::fields::p256::P256;
 pub use prover::Prover;
 pub use verifier::Verifier;
+/// Returns the x-coordinate shares of the sum of the two EC points
+pub fn e2f(
+ prover_point: (P256, P256),
+ prover: &mut Prover,
+ verifier_point: (P256, P256),
+ verifier: &mut Verifier,
+) -> (P256, P256) {
+ let mut ole = Ole::default();
+
+ // Preprocessing
+ prover.preprocess1();
+ verifier.preprocess1();
+
+ prover.preprocess2_ole_input(&mut ole);
+ verifier.preprocess2_ole_input(&mut ole);
+
+ prover.preprocess2_ole_output(&mut ole);
+ verifier.preprocess2_ole_output(&mut ole);
+
+ prover.preprocess3();
+ verifier.preprocess3();
+
+ prover.preprocess4();
+ verifier.preprocess4();
+
+ // Handshake
+ prover.handshake5_input_ec(prover_point);
+ verifier.handshake5_input_ec(verifier_point);
+
+ let varespilon1_share_prover = prover.handshake5_varepsilon1_share_open();
+ let varespilon1_share_verifier = verifier.handshake5_varepsilon1_share_open();
+ let varepsilon1 = varespilon1_share_prover + varespilon1_share_verifier;
+
+ prover.handshake5_set_omega(varepsilon1);
+ verifier.handshake5_set_omega(varepsilon1);
+
+ let omega_share_prover = prover.handshake6_omega_share_open();
+ let omega_share_verifier = verifier.handshake6_omega_share_open();
+ let omega = omega_share_prover + omega_share_verifier;
+
+ let varespilon2_share_prover = prover.handshake6_varepsilon2_share_open();
+ let varespilon2_share_verifier = verifier.handshake6_varepsilon2_share_open();
+ let varepsilon2 = varespilon2_share_prover + varespilon2_share_verifier;
+
+ prover.handshake6_set_eta(omega, varepsilon2);
+ verifier.handshake6_set_eta(omega, varepsilon2);
+
+ let varepsilon3_share_prover = prover.handshake7_varepsilon3_share_open();
+ let varepsilon3_share_verifier = verifier.handshake7_varepsilon3_share_open();
+ let varepsilon3 = varepsilon3_share_prover + varepsilon3_share_verifier;
+
+
prover.handshake7_set_z1(varepsilon3); + verifier.handshake7_set_z2(varepsilon3); + + // Output + let z1 = prover.handshake8_z1_open(); + let z2 = verifier.handshake8_z2_open(); + + (z1, z2) +} + #[cfg(test)] mod tests { - use super::{Prover, Verifier}; - use crate::ole::Ole; - use mpz_share_conversion_core::{fields::p256::P256, Field}; - use p256::elliptic_curve::sec1::ToEncodedPoint; - use p256::{EncodedPoint, NonZeroScalar, PublicKey}; + use super::*; + use mpz_share_conversion_core::Field; + use p256::{elliptic_curve::sec1::ToEncodedPoint, EncodedPoint, NonZeroScalar, PublicKey}; use rand::thread_rng; #[test] fn test_e2f() { - // Initialize let mut rng = thread_rng(); - let prover_scalar = p256::NonZeroScalar::random(&mut rng); - let verifier_scalar = p256::NonZeroScalar::random(&mut rng); + let prover_scalar = NonZeroScalar::random(&mut rng); + let verifier_scalar = NonZeroScalar::random(&mut rng); let prover_ec = point_to_p256(scalar_to_encoded_point(prover_scalar)); - let verifier_ec = point_to_p256(scalar_to_encoded_point(verifier_scalar)); - - let mut ole = Ole::default(); let mut prover = Prover::default(); + + let verifier_ec = point_to_p256(scalar_to_encoded_point(verifier_scalar)); let mut verifier = Verifier::default(); - // Preprocessing - prover.preprocess1(); - verifier.preprocess1(); - - prover.preprocess2_ole_input(&mut ole); - verifier.preprocess2_ole_input(&mut ole); - - prover.preprocess2_ole_output(&mut ole); - verifier.preprocess2_ole_output(&mut ole); - - prover.preprocess3(); - verifier.preprocess3(); - - prover.preprocess4(); - verifier.preprocess4(); - - // Handshake - prover.handshake5_input_ec(prover_ec); - verifier.handshake5_input_ec(verifier_ec); - - let varespilon1_share_prover = prover.handshake5_varepsilon1_share_open(); - let varespilon1_share_verifier = verifier.handshake5_varepsilon1_share_open(); - let varepsilon1 = varespilon1_share_prover + varespilon1_share_verifier; - - prover.handshake5_set_omega(varepsilon1); - 
verifier.handshake5_set_omega(varepsilon1); - - let omega_share_prover = prover.handshake6_omega_share_open(); - let omega_share_verifier = verifier.handshake6_omega_share_open(); - let omega = omega_share_prover + omega_share_verifier; - - let varespilon2_share_prover = prover.handshake6_varepsilon2_share_open(); - let varespilon2_share_verifier = verifier.handshake6_varepsilon2_share_open(); - let var_epsilon2 = varespilon2_share_prover + varespilon2_share_verifier; - - prover.handshake6_set_eta(omega, var_epsilon2); - verifier.handshake6_set_eta(omega, var_epsilon2); - - let varepsilon3_share_prover = prover.handshake7_varepsilon3_share_open(); - let varepsilon3_share_verifier = verifier.handshake7_varepsilon3_share_open(); - let varepsilon3 = varepsilon3_share_prover + varepsilon3_share_verifier; - - prover.handshake7_set_z1(varepsilon3); - verifier.handshake7_set_z2(varepsilon3); - - // Output - let z1 = prover.handshake8_z1_open(); - let z2 = verifier.handshake8_z2_open(); + let (z1, z2) = e2f(prover_ec, &mut prover, verifier_ec, &mut verifier); let x_ec_expected = add_ec_points(prover_ec, verifier_ec); assert_eq!(z1 + z2, x_ec_expected.0); } + #[test] + fn test_sharing_sums() { + let mut rng = thread_rng(); + let prover_scalar = NonZeroScalar::random(&mut rng); + let verifier_scalar = NonZeroScalar::random(&mut rng); + + let prover_ec = point_to_p256(scalar_to_encoded_point(prover_scalar)); + let mut prover = Prover::default(); + + let verifier_ec = point_to_p256(scalar_to_encoded_point(verifier_scalar)); + let mut verifier = Verifier::default(); + + let _ = e2f(prover_ec, &mut prover, verifier_ec, &mut verifier); + + // Assertions + + // c + let c = prover.a1.unwrap() * prover.b1.unwrap() + + prover.a1_b2_share.unwrap() + + prover.a2_b1_share.unwrap() + + verifier.a2_b1_share.unwrap() + + verifier.a1_b2_share.unwrap() + + verifier.a2.unwrap() * verifier.b2.unwrap(); + assert_eq!(prover.c1.unwrap() + verifier.c2.unwrap(), c); + + // c_prime + let c_prime = 
prover.a1.unwrap() * prover.b1_prime.unwrap() + + prover.a1_b2_prime_share.unwrap() + + prover.a2_b1_prime_share.unwrap() + + verifier.a2_b1_prime_share.unwrap() + + verifier.a1_b2_prime_share.unwrap() + + verifier.a2.unwrap() * verifier.b2_prime.unwrap(); + assert_eq!( + prover.c1_prime.unwrap() + verifier.c2_prime.unwrap(), + c_prime + ); + + // r_squared + let r_squared = prover.r1.unwrap() * prover.r1.unwrap() + + P256::new(2).unwrap() * (prover.r1_r2_share.unwrap() + verifier.r1_r2_share.unwrap()) + + verifier.r2.unwrap() * verifier.r2.unwrap(); + assert_eq!( + prover.r_squared_share.unwrap() + verifier.r_squared_share.unwrap(), + r_squared + ); + + // omega + let b = prover.b1.unwrap() + verifier.b2.unwrap(); + let varepsilon1 = -prover.ec_point.unwrap().0 + verifier.ec_point.unwrap().0 + -b; + let omega = varepsilon1 * (prover.a1.unwrap() + verifier.a2.unwrap()) + + prover.c1.unwrap() + + verifier.c2.unwrap(); + assert_eq!( + prover.omega_share.unwrap() + verifier.omega_share.unwrap(), + omega + ); + + // eta + let b_prime = prover.b1_prime.unwrap() + verifier.b2_prime.unwrap(); + let varepsilon2 = -prover.ec_point.unwrap().1 + verifier.ec_point.unwrap().1 + -b_prime; + let eta = (prover.omega_share.unwrap() + verifier.omega_share.unwrap()).inverse() + * (varepsilon2 * (prover.a1.unwrap() + verifier.a2.unwrap()) + + prover.c1_prime.unwrap() + + verifier.c2_prime.unwrap()); + assert_eq!(prover.eta_share.unwrap() + verifier.eta_share.unwrap(), eta); + + // z + let varepsilon3 = prover.eta_share.unwrap() + + verifier.eta_share.unwrap() + + -prover.r1.unwrap() + + -verifier.r2.unwrap(); + let z = varepsilon3 * varepsilon3 + + P256::new(2).unwrap() * varepsilon3 * (prover.r1.unwrap() + verifier.r2.unwrap()) + + prover.r_squared_share.unwrap() + + verifier.r_squared_share.unwrap() + + -prover.ec_point.unwrap().0 + + -verifier.ec_point.unwrap().0; + assert_eq!(prover.z1.unwrap() + verifier.z2.unwrap(), z); + } + #[test] fn test_add_ec_points() { let mut rng = 
thread_rng();
diff --git a/src/e2f/prover.rs b/src/e2f/prover.rs
index e7f20b2..563edee 100644
--- a/src/e2f/prover.rs
+++ b/src/e2f/prover.rs
@@ -7,34 +7,34 @@ use rand::thread_rng;
 #[derive(Debug, Default)]
 pub struct Prover {
 // Preprocess 1
- a1: Option,
- b1: Option,
- b1_prime: Option,
- r1: Option,
+ pub(crate) a1: Option,
+ pub(crate) b1: Option,
+ pub(crate) b1_prime: Option,
+ pub(crate) r1: Option,
 // Preprocess 2
- a1_b2_share: Option,
- a2_b1_share: Option,
- a1_b2_prime_share: Option,
- a2_b1_prime_share: Option,
- r1_r2_share: Option,
+ pub(crate) a1_b2_share: Option,
+ pub(crate) a2_b1_share: Option,
+ pub(crate) a1_b2_prime_share: Option,
+ pub(crate) a2_b1_prime_share: Option,
+ pub(crate) r1_r2_share: Option,
 // Preprocess 3
- c1: Option,
- c1_prime: Option,
+ pub(crate) c1: Option,
+ pub(crate) c1_prime: Option,
 // Preprocess 4
- r_squared_share: Option,
+ pub(crate) r_squared_share: Option,
 // Handshake 5
- ec_point: Option<(P256, P256)>,
- omega_share: Option,
+ pub(crate) ec_point: Option<(P256, P256)>,
+ pub(crate) omega_share: Option,
 // Handshake 6
- eta_share: Option,
+ pub(crate) eta_share: Option,
 // Handshake 7
- z1: Option,
+ pub(crate) z1: Option,
 }
 impl Prover {
diff --git a/src/e2f/verifier.rs b/src/e2f/verifier.rs
index 1acb5df..2999865 100644
--- a/src/e2f/verifier.rs
+++ b/src/e2f/verifier.rs
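Review bot: `e2f` opens `omega` and hands it straight to `prover.handshake6_set_eta(omega, varepsilon2)` / `verifier.handshake6_set_eta(omega, varepsilon2)` with no non-zero check, while `test_sharing_sums` derives eta from `(omega_share_prover + omega_share_verifier).inverse()`, so `handshake6_set_eta` presumably inverts it. By the formulas in that same test, omega reduces to `(a1 + a2) * (x2 - x1)`, which is zero exactly when the two input x-coordinates coincide (the chord-addition formula is undefined there) or, with negligible probability, when the random `a` is zero, and then the inverse is not defined. Reject that before the eta step, e.g. `assert!(omega != P256::new(0).unwrap(), "omega is zero: x-coordinates coincide or a == 0");` (mirroring the `P256::new(2).unwrap()` the tests use), or at least state the precondition in the `///` comment, which should also say that this helper runs both parties in one process as a test harness and is not a network protocol. The `varespilon1_…`/`varespilon2_…` locals are misspelled; `varepsilon1_share_prover` would match the other locals.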
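Review bot: Every secret of `Prover` (`a1`, `b1`, `b1_prime`, `r1`, `ec_point` and all the share fields) becomes `pub(crate)` so that `e2f::tests::test_sharing_sums` can recombine shares, and the first `Verifier` hunk in the next file widens its fields the same way; after this any code in the crate can read one party's private state directly instead of through the `handshake*_open` methods, and the compiler no longer flags that as a mistake. If the widening exists only for the tests, say so on the struct, `// Fields are pub(crate) only so e2f::tests can check share sums; protocol code must use the handshake*_open methods.`, or keep the fields private and add `#[cfg(test)]`-gated `pub(crate)` accessors so the wider visibility is not compiled into non-test builds.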
@@ -7,34 +7,34 @@ use rand::thread_rng;
 #[derive(Debug, Default)]
 pub struct Verifier {
 // Preprocess 1
- a2: Option,
- b2: Option,
- b2_prime: Option,
- r2: Option,
+ pub(crate) a2: Option,
+ pub(crate) b2: Option,
+ pub(crate) b2_prime: Option,
+ pub(crate) r2: Option,
 // Preprocess 2
- a1_b2_share: Option,
- a2_b1_share: Option,
- a1_b2_prime_share: Option,
- a2_b1_prime_share: Option,
- r1_r2_share: Option,
+ pub(crate) a1_b2_share: Option,
+ pub(crate) a2_b1_share: Option,
+ pub(crate) a1_b2_prime_share: Option,
+ pub(crate) a2_b1_prime_share: Option,
+ pub(crate) r1_r2_share: Option,
 // Preprocess 3
- c2: Option,
- c2_prime: Option,
+ pub(crate) c2: Option,
+ pub(crate) c2_prime: Option,
 // Preprocess 4
- r_squared_share: Option,
+ pub(crate) r_squared_share: Option,
 // Handshake 5
- ec_point: Option<(P256, P256)>,
- omega_share: Option,
+ pub(crate) ec_point: Option<(P256, P256)>,
+ pub(crate) omega_share: Option,
 // Handshake 6
- eta_share: Option,
+ pub(crate) eta_share: Option,
 // Handshake 7
- z2: Option,
+ pub(crate) z2: Option,
 }
 impl Verifier {
@@ -131,7 +131,7 @@ impl Verifier {
 let r_squared_share = self.r_squared_share.unwrap();
 let x2 = self.ec_point.unwrap().0;
- self.z2 = Some(varepsilon3 * varepsilon3 + two * varepsilon3 * r2 + r_squared_share + -x2);
+ self.z2 = Some(two * varepsilon3 * r2 + r_squared_share + -x2);
 }
 pub fn handshake8_z2_open(&self) -> P256 {
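Review bot: With `varepsilon3 * varepsilon3` removed from `self.z2`, the opened `z1 + z2` matches the `varepsilon3 * varepsilon3 + two * varepsilon3 * (r1 + r2) + …` expected in `test_sharing_sums` only if `Prover::handshake7_set_z1` contributes that public term exactly once, and that method is not in this diff. A one-line comment at the assignment would pin the split, `// varepsilon3^2 is public; the prover adds it to z1, so it must not appear here.`. The enclosing method's signature is outside the hunk.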