Module paillier_zk::paillier_blum_modulus
ZK-proof of Paillier-Blum modulus. Called Пmod or Rmod in the CGGMP21 paper.
§Description
A party P has a modulus N = pq, with p and q being Blum primes, and gcd(N, phi(N)) = 1. P wants to prove that those equalities about N hold, without disclosing p and q.
§Example
```rust
use rug::{Integer, Complete};

let mut rng = rand_core::OsRng;

// 0. Prover P derives two Blum primes and makes a Paillier-Blum modulus
//    (a safe prime p = 2p' + 1 with p' an odd prime is 3 mod 4, i.e. a Blum prime)
let p = fast_paillier::utils::generate_safe_prime(&mut rng, 256);
let q = fast_paillier::utils::generate_safe_prime(&mut rng, 256);
let n = (&p * &q).complete();

// 1. P computes a non-interactive proof that `n` is a Paillier-Blum modulus:
use paillier_zk::paillier_blum_modulus as p;

// Security parameter (the const generic `M`: number of challenges, one proof point each)
const SECURITY: usize = 33;
// Verifier and prover share the same state; it is hashed into the non-interactive challenge
let shared_state = "some shared state";

let data = p::Data { n };
let pdata = p::PrivateData { p, q };
let (commitment, proof) =
    p::non_interactive::prove::<{SECURITY}, sha2::Sha256>(
        &shared_state,
        &data,
        &pdata,
        &mut rng,
    )?;

// 2. P sends `data, commitment, proof` to the verifier V
//    (`send` / `recv` stand for whatever transport the application uses)
send(&data, &commitment, &proof);

// 3. V receives and verifies the proof:
let (data, commitment, proof) = recv();
p::non_interactive::verify::<{SECURITY}, sha2::Sha256>(
    &shared_state,
    &data,
    &commitment,
    &proof,
)?;
```
If the verification succeeded, V can continue communication with P.
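To show what the verifier actually learns from such a proof, here is an added toy-sized sketch of the exchange (example code, not part of paillier_zk or the CGGMP21 paper) following the structure of the Пmod protocol: the verifier sends random y_i, the prover answers with a fourth root x_i of (-1)^a_i w^b_i y_i and an N-th root z_i of y_i, and the verifier checks both. It uses small primes, a seeded RNG and helper names that are all assumptions of this example; the real crate works on 2048-bit moduli and derives the challenges from the shared state instead.

```python
import random
from math import gcd, isqrt

def legendre(a, p):
    """Euler's criterion: 1 if a is a quadratic residue mod odd prime p, else -1."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def fourth_root(y, p, q):
    """4th root mod N = pq of a residue y; valid only for p, q = 3 (mod 4), where
    sqrt(y) = y^((p+1)/4) mod p and that root is again a residue (so repeat it)."""
    xp = pow(y, ((p + 1) // 4) ** 2, p)
    xq = pow(y, ((q + 1) // 4) ** 2, q)
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)  # CRT

def prove(p, q, ys, rng):
    """Prover's side (knows p, q). Returns w and one (a, b, x, z) per challenge."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(n, -1, phi)  # N^-1 mod phi(N): exists only if gcd(N, phi(N)) = 1
    w = next(w for w in iter(lambda: rng.randrange(2, n), None)
             if gcd(w, n) == 1 and legendre(w, p) * legendre(w, q) == -1)
    proof = []
    for y in ys:
        for a, b in ((0, 0), (0, 1), (1, 0), (1, 1)):  # pick signs making y' a QR
            y2 = (-1) ** a * pow(w, b, n) * y % n
            if legendre(y2, p) == 1 and legendre(y2, q) == 1:
                break
        proof.append((a, b, fourth_root(y2, p, q), pow(y, d, n)))
    return w, proof

def is_prime(n):
    return n > 1 and all(n % k for k in range(2, isqrt(n) + 1))

def verify(n, w, ys, proof):
    """Verifier's side: knows only N, w, its own challenges and the proof."""
    if n % 2 == 0 or is_prime(n) or len(proof) != len(ys):
        return False
    for y, (a, b, x, z) in zip(ys, proof):
        y2 = (-1) ** a * pow(w, b, n) * y % n
        # z^N = y: N-th powering is a bijection, i.e. gcd(N, phi(N)) = 1;
        # x^4 in {+-y, +-wy} for every y is only possible when p = q = 3 (mod 4)
        if pow(z, n, n) != y or pow(x, 4, n) != y2:
            return False
    return True

def run(p, q, m, seed):
    """One full exchange with a seeded RNG; N = p*q, m challenges (constructed toy sizes)."""
    rng, n = random.Random(seed), p * q
    ys = [y for y in (rng.randrange(1, n) for _ in range(4 * m)) if gcd(y, n) == 1][:m]
    w, proof = prove(p, q, ys, rng)
    return n, w, ys, proof
```

With p = 19, q = 23 (both 3 mod 4, gcd(N, phi(N)) = 1) `verify` accepts, while a tampered z or a non-Blum modulus such as 29 * 23 is rejected.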
Modules§
- `interactive`: The interactive version of the ZK proof. Should be completed in 3 rounds: prover commits to data, verifier responds with a random challenge, and prover gives proof with commitment and challenge.
- `non_interactive`: The non-interactive version of the proof. Completed in one round; for an example, see the documentation of the parent module.
Structs§
- Verifier’s challenge to prover. Can be obtained deterministically by `non_interactive::challenge` or randomly by `interactive::challenge`.
- Prover’s first message, obtained by `interactive::commit`.
- `Data`: Public data that both parties know: the Paillier-Blum modulus.
- `PrivateData`: Private data of the prover.
- The ZK proof. Computed by `interactive::prove` or `non_interactive::prove`. Consists of M proofs, one for each challenge.
- A part of the proof. Having enough of those guarantees security.