Module paillier_zk::paillier_blum_modulus


ZK-proof of Paillier-Blum modulus. Called Пmod or Rmod in the CGGMP21 paper.

§Description

A party P has a modulus N = pq, with p and q being Blum primes, and gcd(N, phi(N)) = 1. P wants to prove that these properties of N hold without disclosing p and q.

§Example

// The example body runs inside a function that returns a `Result`, which the
// `?` operator used below relies on.
use rug::{Integer, Complete};
let mut rng = rand_core::OsRng;

// 0. Prover P derives two Blum primes and makes a Paillier-Blum modulus
let p = fast_paillier::utils::generate_safe_prime(&mut rng, 256);
let q = fast_paillier::utils::generate_safe_prime(&mut rng, 256);
let n = (&p * &q).complete();

// 1. P computes a non-interactive proof that `n` is a Paillier-Blum modulus:
use paillier_zk::paillier_blum_modulus as p;

// Security parameter
const SECURITY: usize = 33;
// Verifier and prover share the same state
let shared_state = "some shared state";

let data = p::Data { n };
let pdata = p::PrivateData { p, q };

let (commitment, proof) =
    p::non_interactive::prove::<{SECURITY}, sha2::Sha256>(
        &shared_state,
        &data,
        &pdata,
        &mut rng,
    )?;

// 2. P sends `data, commitment, proof` to the verifier V
//    (`send` and `recv` stand for whatever transport the application uses)

send(&data, &commitment, &proof);

// 3. V receives and verifies the proof, using the same `shared_state` and
//    `SECURITY` parameter as the prover:

let (data, commitment, proof) = recv();

p::non_interactive::verify::<{SECURITY}, sha2::Sha256>(
    &shared_state,
    &data,
    &commitment,
    &proof,
)?;

If the verification succeeded, V can continue communication with P.
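The statement the proof attests to is easy to lose sight of behind the API: N = pq with p and q distinct Blum primes (primes congruent to 3 modulo 4) and gcd(N, phi(N)) = 1. The following is an added example, not code from the paillier_zk crate, that evaluates exactly that statement on small constructed primes using only std and u64 arithmetic (the crate works with big integers). It is the check an honest prover can run locally on its own p and q before calling `prove`, and it also shows why the module example draws p and q from `generate_safe_prime`: every safe prime other than 5 is a Blum prime. It goes one step beyond the page by scanning small safe primes for pairs that nevertheless fail the gcd condition, which happens precisely when one prime divides the other's predecessor (for example 23 = 2·11 + 1), a case that random 256-bit safe primes avoid with overwhelming probability but that the gcd(N, phi(N)) = 1 clause of the proof exists to exclude.

```rust
// Added example (not part of the paillier_zk crate): the statement proved by
// Pi_mod, checked directly by a party that knows p and q. std only, u64 values.

/// Trial-division primality test; adequate for the small constructed values here.
fn is_prime(n: u64) -> bool {
    if n < 2 {
        return false;
    }
    let mut d = 2u64;
    while d * d <= n {
        if n % d == 0 {
            return false;
        }
        d += 1;
    }
    true
}

/// Euclid's algorithm.
fn gcd(mut a: u64, mut b: u64) -> u64 {
    while b != 0 {
        let t = a % b;
        a = b;
        b = t;
    }
    a
}

/// A Blum prime is a prime congruent to 3 modulo 4.
fn is_blum_prime(p: u64) -> bool {
    is_prime(p) && p % 4 == 3
}

/// A safe prime is a prime p such that (p - 1) / 2 is also prime.
/// For p = 2p' + 1 with p' an odd prime, p = 3 (mod 4), so every safe prime
/// other than 5 is a Blum prime.
fn is_safe_prime(p: u64) -> bool {
    is_prime(p) && p > 2 && is_prime((p - 1) / 2)
}

/// The full Paillier-Blum modulus statement: p and q are distinct Blum primes
/// and gcd(N, phi(N)) = 1 for N = p*q. Returns N on success, otherwise the
/// first violated condition, so a prover can see why its key material would
/// not yield a valid proof.
fn check_paillier_blum_modulus(p: u64, q: u64) -> Result<u64, &'static str> {
    if !is_blum_prime(p) || !is_blum_prime(q) {
        return Err("p and q must be Blum primes");
    }
    if p == q {
        return Err("p and q must be distinct");
    }
    let n = p * q;
    let phi = (p - 1) * (q - 1);
    // With N = p*q this is equivalent to: p does not divide q-1 and q does not divide p-1.
    if gcd(n, phi) != 1 {
        return Err("gcd(N, phi(N)) != 1");
    }
    Ok(n)
}

/// Pairs (p, q), p < q, of Blum safe primes below `limit` whose product is
/// NOT a valid Paillier-Blum modulus. These are the Sophie Germain chains
/// such as (11, 23): 11 divides 23 - 1, so 11 divides phi(N).
fn failing_safe_prime_pairs(limit: u64) -> Vec<(u64, u64)> {
    let primes: Vec<u64> = (2..limit).filter(|&p| is_safe_prime(p) && is_blum_prime(p)).collect();
    let mut out = Vec::new();
    for (i, &p) in primes.iter().enumerate() {
        for &q in &primes[i + 1..] {
            if check_paillier_blum_modulus(p, q).is_err() {
                out.push((p, q));
            }
        }
    }
    out
}

fn main() {
    // Constructed values: 7 and 11 are both safe primes and Blum primes.
    println!("7 * 11: {:?}", check_paillier_blum_modulus(7, 11));
    // 5 = 1 (mod 4), so it is a safe prime but not a Blum prime.
    println!("5 * 7:  {:?}", check_paillier_blum_modulus(5, 7));
    // 3 and 7 are Blum primes, but 3 divides 7 - 1, so gcd(21, 12) = 3.
    println!("3 * 7:  {:?}", check_paillier_blum_modulus(3, 7));
    println!("safe-prime pairs below 100 that fail: {:?}", failing_safe_prime_pairs(100));
}
```

The negative cases are the useful part: `prove` cannot turn a malformed modulus into a proof that `verify` accepts, so a prover that sees `Err` here has a key-generation problem, not a proof problem, and the verifier side never needs p or q because the ZK proof stands in for this check.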

Modules

  • interactive: The interactive version of the ZK proof. Completed in 3 rounds: the prover commits to data, the verifier responds with a random challenge, and the prover produces a proof from the commitment and the challenge.
  • non_interactive: The non-interactive version of the proof. Completed in one round; for an example, see the documentation of the parent module.

Structs