From a0258343bb37d47152d40e880d6091502a17b81e Mon Sep 17 00:00:00 2001
From: th4s <th4s@metavoid.xyz>
Date: Thu, 14 Dec 2023 15:33:05 +0100
Subject: [PATCH] Fixed bug in implementation. 2PC Ghash working

---
 src/ghash/mod.rs      | 44 ++++++++++++++++++++++++-------------------
 src/ghash/prover.rs   | 20 +++++++++-----------
 src/ghash/verifier.rs | 22 ++++++++++------------
 3 files changed, 44 insertions(+), 42 deletions(-)

diff --git a/src/ghash/mod.rs b/src/ghash/mod.rs
index c876aeb..41e51a3 100644
--- a/src/ghash/mod.rs
+++ b/src/ghash/mod.rs
@@ -22,8 +22,8 @@ pub fn ghash(blocks: &[Gf2_128], prover: &mut Prover, verifier: &mut Verifier) -
     let d2 = verifier.handshake_a_open_d();
     let d = d1 + d2;
 
-    prover.handshake_a_set_d(d);
-    verifier.handshake_a_set_d(d);
+    prover.handshake_a_set_di(d);
+    verifier.handshake_a_set_di(d);
 
     prover.handshake_a_set_hi();
     verifier.handshake_a_set_hi();
@@ -56,7 +56,7 @@ fn pascal_tri<T: Field>(n: usize) -> Vec<Vec<T>> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use mpz_share_conversion_core::fields::{compute_product_repeated, p256::P256, UniformRand};
+    use mpz_share_conversion_core::fields::{compute_product_repeated, UniformRand};
     use rand::thread_rng;
 
     #[test]
@@ -89,7 +89,7 @@ mod tests {
     #[test]
     fn test_ghash_invariants() {
         let mut rng = thread_rng();
-        let blocks: Vec<Gf2_128> = (0..10).map(|_| Gf2_128::rand(&mut rng)).collect();
+        let blocks: Vec<Gf2_128> = (0..1).map(|_| Gf2_128::rand(&mut rng)).collect();
 
         let h1: Gf2_128 = Gf2_128::rand(&mut rng);
         let h2: Gf2_128 = Gf2_128::rand(&mut rng);
@@ -99,29 +99,35 @@ mod tests {
 
         let _ = ghash(&blocks, &mut prover, &mut verifier);
 
-        assert_eq!(prover.h1, prover.hi[1]);
-        assert_eq!(verifier.h2, verifier.hi[1]);
+        assert_eq!(prover.d_powers[0], Gf2_128::one());
+        assert_eq!(verifier.d_powers[0], Gf2_128::one());
+        assert_eq!(prover.d_powers[1], verifier.d_powers[1]);
+
+        assert_eq!(prover.ai[1] + verifier.bi[1], prover.r1 * verifier.r2);
+        assert_eq!(prover.h1 + verifier.h2, prover.hi[0] + verifier.hi[0]);
+        assert_eq!(prover.d_powers[1] + prover.ai[1] + verifier.bi[1], h1 + h2);
     }
 
     #[test]
     fn test_pascal_tri() {
-        let pascal = pascal_tri::<P256>(4);
+        // This is an extension field so no naive arithmetic!
+        let pascal = pascal_tri::<Gf2_128>(4);
 
-        let expected0 = vec![P256::one()];
-        let expected1 = vec![P256::one(), P256::one()];
-        let expected2 = vec![P256::one(), P256::new(2).unwrap(), P256::one()];
+        let expected0 = vec![Gf2_128::one()];
+        let expected1 = vec![Gf2_128::one(), Gf2_128::one()];
+        let expected2 = vec![Gf2_128::one(), Gf2_128::zero(), Gf2_128::one()];
         let expected3 = vec![
-            P256::one(),
-            P256::new(3).unwrap(),
-            P256::new(3).unwrap(),
-            P256::one(),
+            Gf2_128::one(),
+            Gf2_128::one(),
+            Gf2_128::one(),
+            Gf2_128::one(),
         ];
         let expected4 = vec![
-            P256::one(),
-            P256::new(4).unwrap(),
-            P256::new(6).unwrap(),
-            P256::new(4).unwrap(),
-            P256::one(),
+            Gf2_128::one(),
+            Gf2_128::zero(),
+            Gf2_128::zero(),
+            Gf2_128::zero(),
+            Gf2_128::one(),
         ];
 
         assert_eq!(pascal[0], expected0);
diff --git a/src/ghash/prover.rs b/src/ghash/prover.rs
index f76df5e..2c7fcec 100644
--- a/src/ghash/prover.rs
+++ b/src/ghash/prover.rs
@@ -12,7 +12,7 @@ pub struct Prover {
     pub(crate) h1: Gf2_128,
     pub(crate) r1: Gf2_128,
     pub(crate) ai: Vec<Gf2_128>,
-    pub(crate) d: Option<Gf2_128>,
+    pub(crate) d_powers: Vec<Gf2_128>,
     pub(crate) hi: Vec<Gf2_128>,
 }
 
@@ -26,13 +26,13 @@ impl Prover {
             h1,
             r1,
             ai: vec![],
-            d: None,
+            d_powers: vec![],
             hi: vec![],
         }
     }
 
     pub fn preprocess_ole_input(&self, ole: &mut Ole<Gf2_128>) {
-        let mut r1_powers = vec![Gf2_128::new(1)];
+        let mut r1_powers = vec![Gf2_128::one()];
 
         compute_product_repeated(&mut r1_powers, self.r1, self.block_num);
         ole.input(Role::Sender, r1_powers)
@@ -43,25 +43,23 @@ impl Prover {
     }
 
     pub fn handshake_a_open_d(&self) -> Gf2_128 {
-        self.h1 + -self.r1
+        self.h1 + -self.ai[1]
     }
 
-    pub fn handshake_a_set_d(&mut self, d: Gf2_128) {
-        self.d = Some(d);
+    pub fn handshake_a_set_di(&mut self, d: Gf2_128) {
+        self.d_powers = vec![Gf2_128::one(), d];
+        compute_product_repeated(&mut self.d_powers, d, self.block_num);
     }
 
     pub fn handshake_a_set_hi(&mut self) {
-        let mut di = vec![Gf2_128::one(), self.d.unwrap()];
-        compute_product_repeated(&mut di, self.d.unwrap(), self.block_num);
-
         let pascal_tri = pascal_tri::<Gf2_128>(self.block_num);
 
-        for pascal_row in pascal_tri.iter() {
+        for pascal_row in pascal_tri.iter().skip(1) {
             let h_pow_share = pascal_row
                 .iter()
                 .enumerate()
                 .fold(Gf2_128::new(0), |acc, (i, &el)| {
-                    acc + el * di[i] * self.ai[pascal_row.len() - 1 - i]
+                    acc + el * self.d_powers[pascal_row.len() - 1 - i] * self.ai[i]
                 });
             self.hi.push(h_pow_share);
         }
diff --git a/src/ghash/verifier.rs b/src/ghash/verifier.rs
index 581a9d1..a4c88c7 100644
--- a/src/ghash/verifier.rs
+++ b/src/ghash/verifier.rs
@@ -12,7 +12,7 @@ pub struct Verifier {
     pub(crate) h2: Gf2_128,
     pub(crate) r2: Gf2_128,
     pub(crate) bi: Vec<Gf2_128>,
-    pub(crate) d: Option<Gf2_128>,
+    pub(crate) d_powers: Vec<Gf2_128>,
     pub(crate) hi: Vec<Gf2_128>,
 }
 
@@ -26,13 +26,13 @@ impl Verifier {
             h2,
             r2,
             bi: vec![],
-            d: None,
+            d_powers: vec![],
             hi: vec![],
         }
     }
 
     pub fn preprocess_ole_input(&self, ole: &mut Ole<Gf2_128>) {
-        let mut r2_powers = vec![Gf2_128::new(1)];
+        let mut r2_powers = vec![Gf2_128::one()];
 
         compute_product_repeated(&mut r2_powers, self.r2, self.block_num);
         ole.input(Role::Receiver, r2_powers)
@@ -43,32 +43,30 @@ impl Verifier {
     }
 
     pub fn handshake_a_open_d(&self) -> Gf2_128 {
-        self.h2 + -self.r2
+        self.h2 + -self.bi[1]
     }
 
-    pub fn handshake_a_set_d(&mut self, d: Gf2_128) {
-        self.d = Some(d);
+    pub fn handshake_a_set_di(&mut self, d: Gf2_128) {
+        self.d_powers = vec![Gf2_128::one(), d];
+        compute_product_repeated(&mut self.d_powers, d, self.block_num);
     }
 
     pub fn handshake_a_set_hi(&mut self) {
-        let mut di = vec![Gf2_128::one(), self.d.unwrap()];
-        compute_product_repeated(&mut di, self.d.unwrap(), self.block_num);
-
         let pascal_tri = pascal_tri::<Gf2_128>(self.block_num);
 
-        for pascal_row in pascal_tri.iter() {
+        for pascal_row in pascal_tri.iter().skip(1) {
             let h_pow_share = pascal_row
                 .iter()
                 .enumerate()
                 .fold(Gf2_128::new(0), |acc, (i, &el)| {
-                    acc + el * di[i] * self.bi[pascal_row.len() - 1 - i]
+                    acc + el * self.d_powers[pascal_row.len() - 1 - i] * self.bi[i]
                 });
             self.hi.push(h_pow_share);
         }
     }
 
     pub fn handshake_output_ghash(&self, blocks: &[Gf2_128]) -> Gf2_128 {
-        let mut res = Gf2_128::new(0);
+        let mut res = Gf2_128::zero();
 
         for (i, block) in blocks.iter().enumerate() {
             res = res + *block * self.hi[i];