mpc-ristretto 0.1.0

A library for performing secure multiparty computation using the Ristretto group.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

//! Pedersen commitment implementation, borrowed from
//! https://github.com/dalek-cryptography/bulletproofs/blob/main/src/generators.rs#L29

use curve25519_dalek::{
    constants::{RISTRETTO_BASEPOINT_COMPRESSED, RISTRETTO_BASEPOINT_POINT},
    ristretto::RistrettoPoint,
    scalar::Scalar,
    traits::MultiscalarMul,
};
use rand_core::{OsRng, RngCore};
use sha3::{Digest, Sha3_512};

/// Implementation of a Pedersen commitment scheme, modified from:
/// https://github.com/dalek-cryptography/bulletproofs/blob/main/src/generators.rs#L29
#[allow(non_snake_case)]
#[derive(Copy, Clone)]
pub(crate) struct PedersenGens {
    /// Base for the committed value
    pub B: RistrettoPoint,
    /// Base for the blinding factor
    pub B_blinding: RistrettoPoint,
}

impl PedersenGens {
    /// Creates a Pedersen commitment using the value scalar and a blinding factor.
    pub fn commit(&self, value: Scalar, blinding: Scalar) -> RistrettoPoint {
        RistrettoPoint::multiscalar_mul(&[value, blinding], &[self.B, self.B_blinding])
    }
}

impl Default for PedersenGens {
    fn default() -> Self {
        PedersenGens {
            B: RISTRETTO_BASEPOINT_POINT,
            B_blinding: RistrettoPoint::hash_from_bytes::<Sha3_512>(
                RISTRETTO_BASEPOINT_COMPRESSED.as_bytes(),
            ),
        }
    }
}

/// Represents a Pedersen commitment to and underlying value
#[derive(Clone, Debug)]
pub(crate) struct PedersenCommitment {
    /// The commitment to x generated by xG + rH for randomness r
    commitment: RistrettoPoint,
    /// The blinding factor `r` used in commitment generation
    blinding_factor: Scalar,
    /// The underlying value `x` that has been comitted to
    value: Scalar,
}

impl PedersenCommitment {
    /// Fetch the commitment
    #[inline]
    pub fn get_commitment(&self) -> RistrettoPoint {
        self.commitment
    }

    #[inline]
    pub fn get_blinding(&self) -> Scalar {
        self.blinding_factor
    }

    #[inline]
    pub fn get_value(&self) -> Scalar {
        self.value
    }

    /// Create a Pedersen commitment to a value
    pub fn commit(value: Scalar) -> PedersenCommitment {
        // Sample a secure random blinding scalar
        let mut rng = OsRng {};
        let blinding_factor = Scalar::random(&mut rng);

        Self {
            commitment: PedersenGens::default().commit(value, blinding_factor),
            blinding_factor,
            value,
        }
    }

    /// Verify a commitment
    #[allow(dead_code)]
    pub fn verify(&self) -> bool {
        PedersenCommitment::verify_from_values(self.commitment, self.blinding_factor, self.value)
    }

    /// A convenience method for verifying a commitment that does not require the user to
    /// build a PedersenCommitment instance
    pub fn verify_from_values(
        commitment: RistrettoPoint,
        blinding_factor: Scalar,
        value: Scalar,
    ) -> bool {
        PedersenGens::default()
            .commit(value, blinding_factor)
            .eq(&commitment)
    }
}

/// A hash commitment to a RistrettoPoint
#[derive(Clone, Debug)]
pub struct RistrettoCommitment {
    /// The commitment to the underlying value
    commitment: Scalar,
    /// The randomness used to blind the input to the hash
    blinding_factor: Scalar,
    /// The underlying RistrettoPoint that has been salted and hashed into `commitment`
    value: RistrettoPoint,
}

impl RistrettoCommitment {
    #[inline]
    pub fn get_commitment(&self) -> Scalar {
        self.commitment
    }

    #[inline]
    pub fn get_blinding(&self) -> Scalar {
        self.blinding_factor
    }

    #[inline]
    pub fn get_value(&self) -> RistrettoPoint {
        self.value
    }

    /// Create a hash commitment from the given RistrettoPoint
    pub fn commit(point: RistrettoPoint) -> RistrettoCommitment {
        // Allocate an 8 byte buffer for the blinding factor and fill with random bytes
        let mut rng = OsRng {};
        let blinding_factor = rng.next_u64();

        // Compute SHA3_512(point||blinding)
        let mut hasher = Sha3_512::new();
        hasher.input(point.compress().as_bytes());
        hasher.input(blinding_factor.to_le_bytes());

        Self {
            commitment: Scalar::from_hash(hasher),
            blinding_factor: Scalar::from(blinding_factor),
            value: point,
        }
    }

    /// Verify a commitment
    pub fn verify(&self) -> bool {
        RistrettoCommitment::verify_from_values(self.commitment, self.blinding_factor, self.value)
    }

    /// Verify a commitment from the values, avoid constructing a RistrettoCommitment instance
    pub fn verify_from_values(
        commitment: Scalar,
        blinding_factor: Scalar,
        value: RistrettoPoint,
    ) -> bool {
        // Hash the value and the blinding factor
        let mut hasher = Sha3_512::new();
        hasher.input(value.compress().as_bytes());

        let blinding_factor_bytes: [u8; 8] = blinding_factor.to_bytes()[..8]
            .try_into()
            .expect("Not enough bytes in hash");
        hasher.input(blinding_factor_bytes);

        Scalar::from_hash(hasher).eq(&commitment)
    }
}

#[cfg(test)]
mod pedersen_tests {
    use curve25519_dalek::scalar::Scalar;
    use rand_core::OsRng;

    use super::PedersenCommitment;

    #[test]
    fn test_commit_and_open() {
        // Commit to a random value, open it correctly, then attempt to open it incorrectly
        let mut rng = OsRng {};
        let value = Scalar::random(&mut rng);
        let bad_value = Scalar::random(&mut rng);

        let commitment = PedersenCommitment::commit(value);
        assert!(commitment.verify());
        assert!(!PedersenCommitment::verify_from_values(
            commitment.commitment,
            commitment.blinding_factor,
            bad_value
        ))
    }
}

#[cfg(test)]
mod hash_commit_tests {
    use curve25519_dalek::ristretto::RistrettoPoint;
    use rand_core::OsRng;

    use super::RistrettoCommitment;

    #[test]
    fn test_commit_and_open() {
        // Commit to a random value, open it correctly, then attempt to open it incorrectly
        let mut rng = OsRng {};
        let value = RistrettoPoint::random(&mut rng);
        let bad_value = RistrettoPoint::random(&mut rng);

        let commitment = RistrettoCommitment::commit(value);
        assert!(commitment.verify());
        assert!(!RistrettoCommitment::verify_from_values(
            commitment.get_commitment(),
            commitment.get_blinding(),
            bad_value
        ))
    }
}