Paillier check. Mta and Dec unit tests.

crypto/paillier/paillier.go

@@ -52,7 +52,8 @@ type (
 )
 
 var (
-	ErrMessageTooLong = fmt.Errorf("the message is too large or < 0")
+	ErrMessageTooLong   = fmt.Errorf("the message is too large or < 0")
+	ErrMessageMalFormed = fmt.Errorf("the message is mal-formed")
 
 	zero = big.NewInt(0)
 	one  = big.NewInt(1)
@@ -173,6 +174,10 @@ func (privateKey *PrivateKey) Decrypt(c *big.Int) (m *big.Int, err error) {
 	if c.Cmp(zero) == -1 || c.Cmp(N2) != -1 { // c < 0 || c >= N2 ?
 		return nil, ErrMessageTooLong
 	}
+	cg := new(big.Int).GCD(nil, nil, c, N2)
+	if cg.Cmp(one) == 1 {
+		return nil, ErrMessageMalFormed
+	}
 	// 1. L(u) = (c^LambdaN-1 mod N2) / N
 	Lc := L(new(big.Int).Exp(c, privateKey.LambdaN, N2), privateKey.N)
 	// 2. L(u) = (Gamma^LambdaN-1 mod N2) / N

crypto/paillier/paillier_test.go

@@ -64,6 +64,9 @@ func TestEncryptDecrypt(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, 0, exp.Cmp(ret),
 		"wrong decryption ", ret, " is not ", exp)
+	cypher = new(big.Int).Set(privateKey.N)
+	_, err = privateKey.Decrypt(cypher)
+	assert.Error(t, err)
 }
 
 func TestHomoMul(t *testing.T) {

crypto/zkp/dec/dec_test.go

@@ -50,8 +50,8 @@ func TestDec(test *testing.T) {
 func TestDecWithCompositions(test *testing.T) {
     ec := tss.EC()
     q := ec.Params().N
-    q3 := new(big.Int).Mul(q, q)
-    q3 = new(big.Int).Mul(q, q3)
+    q3 := new(big.Int).Mul(q, new(big.Int).Mul(q, q))
+    // modQ3 := common.ModInt(q3)
     modN := common.ModInt(q)
     zero := big.NewInt(0)
 
@@ -59,21 +59,21 @@ func TestDecWithCompositions(test *testing.T) {
     NCap, s, t, err := crypto.GenerateNTildei(primes)
     assert.NoError(test, err)
 
-    sk, pk, err := paillier.GenerateKeyPair(testSafePrimeBits*2, time.Minute*10)
+    _, pk, err := paillier.GenerateKeyPair(testSafePrimeBits*2, time.Minute*10)
     assert.NoError(test, err)
     N2 := pk.NSquare()
 
-    // Ki
+    // Ki = enc(ki,𝜌i)
     𝛾i := common.GetRandomPositiveInt(q)
     ki := common.GetRandomPositiveInt(q)
-    Ki, 𝜌i, err := sk.EncryptAndReturnRandomness(ki)
+    Ki, 𝜌i, err := pk.EncryptAndReturnRandomness(ki)
 
     proof1, err := NewProof(ec, pk, Ki, modN.Add(zero,ki), NCap, s, t, ki, 𝜌i)
     assert.NoError(test, err)
     ok1 := proof1.Verify(ec, pk, Ki, modN.Add(zero,ki), NCap, s, t)
     assert.True(test, ok1, "proof must verify")
 
-    // 𝛾K
+    // 𝛾K = (𝛾i ⊗ Ki)
     𝛾K, err := pk.HomoMult(𝛾i, Ki)
     𝜌ʹ := big.NewInt(1).Exp(𝜌i, 𝛾i, N2)
     yʹ := q3.Mul(𝛾i, ki)
@@ -82,19 +82,19 @@ func TestDecWithCompositions(test *testing.T) {
     ok2 := proof2.Verify(ec, pk, 𝛾K, modN.Add(zero,yʹ), NCap, s, t)
     assert.True(test, ok2, "proof must verify")
 
-    // Dji
+    // Di = (𝛾i ⊗ Ki) ⊕ enc(-𝛽,si)
     x := common.GetRandomPositiveInt(q)
-    y := new(big.Int).Add(x, q)
-    Dji, sij, err := sk.EncryptAndReturnRandomness(y)
+    𝛽ʹ := new(big.Int).Add(x, q)
+    T, si, err := pk.EncryptAndReturnRandomness(𝛽ʹ)
     assert.NoError(test, err)
-    Dji, err = pk.HomoAdd(𝛾K, Dji)
+    Di, err := pk.HomoAdd(𝛾K, T)
 
-    𝜌ʺ := N2.Mul(𝜌ʹ,sij)
-    yʺ := q3.Add(y, yʹ)
-    proof3, err := NewProof(ec, pk, Dji, modN.Add(zero, yʺ), NCap, s, t, yʺ, 𝜌ʺ)
+    𝜌ʺ := N2.Mul(big.NewInt(1).Exp(𝜌i, 𝛾i, N2),si)
+    yʺ := q3.Add(𝛽ʹ, q3.Mul(𝛾i, ki))
+    proof3, err := NewProof(ec, pk, Di, modN.Add(zero, yʺ), NCap, s, t, yʺ, 𝜌ʺ)
     assert.NoError(test, err)
 
-    ok3 := proof3.Verify(ec, pk, Dji, modN.Add(zero, yʺ), NCap, s, t)
+    ok3 := proof3.Verify(ec, pk, Di, modN.Add(zero, yʺ), NCap, s, t)
     assert.True(test, ok3, "proof must verify")
 
 }

ecdsa/signing/mta.go

@@ -22,6 +22,7 @@ type MtAOut struct {
     Sij *big.Int
     Rij *big.Int
     Beta *big.Int
+    BetaNeg *big.Int
     Proofji *zkpaffg.ProofAffg
 }
 
@@ -64,6 +65,7 @@ func NewMtA(ec elliptic.Curve, Kj *big.Int, gammai *big.Int, BigGammai *crypto.E
         Sij:    sij,
         Rij:    rij,
         Beta:   beta,
+        BetaNeg:   betaNeg,
         Proofji:  Psiji,
     }, nil
 }

ecdsa/signing/mta_test.go

@@ -7,9 +7,11 @@
 package signing
 
 import (
+	"math/big"
 	"testing"
 	"time"
 
+	zkpdec "github.com/binance-chain/tss-lib/crypto/zkp/dec"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/binance-chain/tss-lib/common"
@@ -61,4 +63,40 @@ func TestAffg(test *testing.T) {
     assert.Equal(test, 0, lhs.Cmp(rhs))
     ok := MtaOut.Proofji.Verify(ec, pkj, pki, NCap, s, t, Kj, MtaOut.Dji, MtaOut.Fji, BigGammai)
     assert.True(test, ok)
+}
+
+func TestDec(test *testing.T) {
+	ec := tss.EC()
+	q := ec.Params().N
+	q3 := new(big.Int).Mul(q, new(big.Int).Mul(q, q))
+	modN := common.ModInt(ec.Params().N)
+
+	_, pki, err := paillier.GenerateKeyPair(testPaillierKeyLength, 10*time.Minute)
+	assert.NoError(test, err)
+	_, pkj, err := paillier.GenerateKeyPair(testPaillierKeyLength, 10*time.Minute)
+	assert.NoError(test, err)
+
+	kj := common.GetRandomPositiveInt(q)
+	Kj, 𝜌j, err := pkj.EncryptAndReturnRandomness(kj)
+	assert.NoError(test, err)
+
+	𝛾i := common.GetRandomPositiveInt(q)
+	Γi := crypto.ScalarBaseMult(ec, 𝛾i)
+
+	NCap, s, t, err := keygen.LoadNTildeH1H2FromTestFixture(1)
+	assert.NoError(test, err)
+
+	N2 := pkj.NSquare()
+
+	MtaOut, err := NewMtA(ec, Kj, 𝛾i, Γi, pkj, pki, NCap, s, t)
+	assert.NoError(test, err)
+
+	𝜌𝛾s := N2.Mul(big.NewInt(1).Exp(𝜌j, 𝛾i, N2), MtaOut.Sij)
+	𝛾k𝛽ʹ := q3.Add(MtaOut.BetaNeg, q3.Mul(𝛾i,kj))
+
+	proofD, err := zkpdec.NewProof(ec, pkj, MtaOut.Dji, modN.Add(zero,𝛾k𝛽ʹ), NCap, s, t, 𝛾k𝛽ʹ, 𝜌𝛾s)
+	assert.NoError(test, err)
+	okD := proofD.Verify(ec, pkj, MtaOut.Dji, modN.Add(zero,𝛾k𝛽ʹ), NCap, s, t)
+	assert.True(test, okD, "proof must verify")
+
 }