sl-oblivious 1.1.0

OT protocols
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

// Copyright (c) Silence Laboratories Pte. Ltd. All Rights Reserved.
// This software is licensed under the Silence Laboratories License Agreement.

use elliptic_curve::{
    group::Curve,
    subtle::{Choice, ConstantTimeEq},
    CurveArithmetic, Field,
};
use rand::prelude::*;

use crate::{constants::DLOG_CHALLENGE_LABEL, utils::TranscriptProtocol};

/// Non-interactive Proof of knowledge of discrete logarithm with Fiat-Shamir transform.
#[derive(Clone)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct DLogProof<C: CurveArithmetic> {
    /// Public point `t`.
    pub t: C::AffinePoint,

    /// Challenge response
    pub s: C::Scalar,
}

impl<C> DLogProof<C>
where
    C: CurveArithmetic,
{
    /// Prove knowledge of discrete logarithm.
    // TODO: Do we need merlin?
    pub fn prove<R: CryptoRng + RngCore>(
        x: &C::Scalar,
        base_point: &C::ProjectivePoint,
        transcript: &mut impl TranscriptProtocol<C>,
        rng: &mut R,
    ) -> Self {
        let r = C::Scalar::random(rng);
        let t = *base_point * r;
        let y = *base_point * x;
        let c = Self::fiat_shamir(&y, &t, base_point, transcript);

        let s = r + c * x;

        Self {
            t: t.to_affine(),
            s,
        }
    }

    /// Verify knowledge of discrete logarithm.
    pub fn verify(
        &self,
        y: &C::ProjectivePoint,
        base_point: &C::ProjectivePoint,
        transcript: &mut impl TranscriptProtocol<C>,
    ) -> Choice {
        let t = C::ProjectivePoint::from(self.t);
        let c = Self::fiat_shamir(y, &t, base_point, transcript);
        let lhs = *base_point * self.s;
        let rhs = t + *y * c;

        lhs.ct_eq(&rhs)
    }

    /// Get fiat-shamir challenge for Discrete log proof.
    pub fn fiat_shamir(
        y: &C::ProjectivePoint,
        t: &C::ProjectivePoint,
        base_point: &C::ProjectivePoint,
        transcript: &mut impl TranscriptProtocol<C>,
    ) -> C::Scalar {
        transcript.append_point(b"y", y);
        transcript.append_point(b"t", t);
        transcript.append_point(b"base-point", base_point);
        transcript.challenge_scalar(&DLOG_CHALLENGE_LABEL)
    }
}

#[cfg(test)]
mod tests {
    use k256::{ProjectivePoint, Scalar, Secp256k1};
    use merlin::Transcript;
    use rand::thread_rng;

    use super::DLogProof;

    #[test]
    pub fn dlog_proof() {
        use k256::{ProjectivePoint, Scalar};
        use merlin::Transcript;
        use rand::thread_rng;

        let mut rng = thread_rng();
        let mut transcript = Transcript::new(b"test-dlog-proof");

        let x = Scalar::generate_biased(&mut rng);
        let base_point = ProjectivePoint::GENERATOR;
        let y = base_point * x;

        let proof = DLogProof::<Secp256k1>::prove(
            &x,
            &base_point,
            &mut transcript,
            &mut rng,
        );

        let mut verify_transcript = Transcript::new(b"test-dlog-proof");

        assert_ne!(
            proof
                .verify(&y, &base_point, &mut verify_transcript)
                .unwrap_u8(),
            0
        );
    }

    #[test]
    pub fn wrong_dlog_proof() {
        let mut rng = thread_rng();
        let mut transcript = Transcript::new(b"test-dlog-proof");

        let x = Scalar::generate_biased(&mut rng);
        let base_point = ProjectivePoint::GENERATOR;
        let wrong_scalar = Scalar::generate_biased(&mut rng);
        let y = base_point * x;

        let proof = DLogProof::<Secp256k1>::prove(
            &wrong_scalar,
            &base_point,
            &mut transcript,
            &mut rng,
        );

        let mut verify_transcript = Transcript::new(b"test-dlog-proof");

        assert_ne!(
            !proof
                .verify(&y, &base_point, &mut verify_transcript)
                .unwrap_u8(),
            0
        );
    }

    #[test]
    pub fn dlog_proof_fiat_shamir() {
        use k256::{ProjectivePoint, Scalar};
        use merlin::Transcript;

        let mut rng = thread_rng();
        let mut transcript = Transcript::new(b"test-dlog-proof");

        let x = Scalar::generate_biased(&mut rng);
        let base_point = ProjectivePoint::GENERATOR;
        let y = base_point * x;

        let proof = DLogProof::<Secp256k1>::prove(
            &x,
            &base_point,
            &mut transcript,
            &mut rng,
        );

        let mut verify_transcript = Transcript::new(b"test-dlog-proof-wrong");

        assert_ne!(
            !proof
                .verify(&y, &base_point, &mut verify_transcript)
                .unwrap_u8(),
            0,
            "Proof should fail with wrong transcript"
        );
    }
}