Wrap RP randomizers in secrets where appropriate

entropyxyz · Dec 2, 2024 · 1a63f27 · 1a63f27
1 parent 1fcfe3c
commit 1a63f27
Show file tree

Hide file tree

Showing 9 changed files with 130 additions and 103 deletions.
diff --git a/synedrion/src/cggmp21/sigma/aff_g.rs b/synedrion/src/cggmp21/sigma/aff_g.rs
@@ -93,10 +93,10 @@ impl<P: SchemeParams> AffGProof<P> {
         let r_mod = Randomizer::random(rng, pk0);
         let r_y_mod = Randomizer::random(rng, pk1);
 
-        let gamma = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
-        let m = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
-        let delta = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
-        let mu = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
+        let gamma = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
+        let m = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
+        let delta = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
+        let mu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
 
         let cap_a = (cap_c * &alpha + Ciphertext::new_with_randomizer_signed(pk0, &beta, &r_mod.to_wire())).to_wire();
         let cap_b_x = secret_scalar_from_signed::<P>(&alpha).mul_by_generator();
@@ -142,8 +142,8 @@ impl<P: SchemeParams> AffGProof<P> {
         // Modified: $z_2 = \beta - e y$
         let z2 = *(beta + (-y) * e).expose_secret();
 
-        let z3 = gamma + e_wide * m;
-        let z4 = delta + e_wide * mu;
+        let z3 = *(gamma + m * e_wide).expose_secret();
+        let z4 = *(delta + mu * e_wide).expose_secret();
 
         let omega = (r_mod * rho.pow_signed_vartime(&e)).to_wire();
 
@@ -250,14 +250,14 @@ impl<P: SchemeParams> AffGProof<P> {
         // s^{z_1} t^{z_3} = E S^e \mod \hat{N}
         let cap_e_mod = self.cap_e.to_precomputed(setup);
         let cap_s_mod = self.cap_s.to_precomputed(setup);
-        if setup.commit_nonsecret(&self.z1, &self.z3) != &cap_e_mod * &cap_s_mod.pow_signed_vartime(&e) {
+        if setup.commit_public(&self.z1, &self.z3) != &cap_e_mod * &cap_s_mod.pow_signed_vartime(&e) {
             return false;
         }
 
         // s^{z_2} t^{z_4} = F T^e \mod \hat{N}
         let cap_f_mod = self.cap_f.to_precomputed(setup);
         let cap_t_mod = self.cap_t.to_precomputed(setup);
-        if setup.commit_nonsecret(&self.z2, &self.z4) != &cap_f_mod * &cap_t_mod.pow_signed_vartime(&e) {
+        if setup.commit_public(&self.z2, &self.z4) != &cap_f_mod * &cap_t_mod.pow_signed_vartime(&e) {
             return false;
         }
 

diff --git a/synedrion/src/cggmp21/sigma/dec.rs b/synedrion/src/cggmp21/sigma/dec.rs
@@ -63,8 +63,8 @@ impl<P: SchemeParams> DecProof<P> {
         let hat_cap_n = &setup.modulus_bounded(); // $\hat{N}$
 
         let alpha = Secret::init_with(|| Signed::random_bounded_bits(rng, P::L_BOUND + P::EPS_BOUND));
-        let mu = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
-        let nu = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
+        let mu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
+        let nu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
         let r = Randomizer::random(rng, pk0);
 
         let cap_s = setup.commit(y, &mu).to_wire();
@@ -96,7 +96,7 @@ impl<P: SchemeParams> DecProof<P> {
         let e = Signed::from_xof_reader_bounded(&mut reader, &P::CURVE_ORDER);
 
         let z1 = *(alpha.to_wide() + y.mul_wide(&e)).expose_secret();
-        let z2 = nu + e.to_wide() * mu;
+        let z2 = *(nu + mu * e.to_wide()).expose_secret();
 
         let omega = (r * rho.pow_signed_vartime(&e)).to_wire();
 
@@ -158,7 +158,7 @@ impl<P: SchemeParams> DecProof<P> {
         // s^{z_1} t^{z_2} == T S^e
         let cap_s_mod = self.cap_s.to_precomputed(setup);
         let cap_t_mod = self.cap_t.to_precomputed(setup);
-        if setup.commit_nonsecret_wide(&self.z1, &self.z2) != &cap_t_mod * &cap_s_mod.pow_signed_vartime(&e) {
+        if setup.commit_public_wide(&self.z1, &self.z2) != &cap_t_mod * &cap_s_mod.pow_signed_vartime(&e) {
             return false;
         }
 

diff --git a/synedrion/src/cggmp21/sigma/enc.rs b/synedrion/src/cggmp21/sigma/enc.rs
@@ -57,9 +57,9 @@ impl<P: SchemeParams> EncProof<P> {
         // TODO (#86): should we instead sample in range $+- 2^{\ell + \eps} - q 2^\ell$?
         // This will ensure that the range check on the prover side will pass.
         let alpha = Secret::init_with(|| Signed::random_bounded_bits(rng, P::L_BOUND + P::EPS_BOUND));
-        let mu = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
+        let mu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
         let r = Randomizer::random(rng, pk0);
-        let gamma = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
+        let gamma = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
 
         let cap_s = setup.commit(k, &mu).to_wire();
         let cap_a = Ciphertext::new_with_randomizer_signed(pk0, &alpha, &r.to_wire()).to_wire();
@@ -82,7 +82,7 @@ impl<P: SchemeParams> EncProof<P> {
 
         let z1 = *(alpha + k * e).expose_secret();
         let z2 = (r * rho.pow_signed_vartime(&e)).to_wire();
-        let z3 = gamma + mu * e.to_wide();
+        let z3 = *(gamma + mu * e.to_wide()).expose_secret();
 
         Self {
             e,
@@ -137,7 +137,7 @@ impl<P: SchemeParams> EncProof<P> {
         // s^{z_1} t^{z_3} == C S^e \mod \hat{N}
         let cap_c_mod = self.cap_c.to_precomputed(setup);
         let cap_s_mod = self.cap_s.to_precomputed(setup);
-        if setup.commit_nonsecret(&self.z1, &self.z3) != &cap_c_mod * &cap_s_mod.pow_signed_vartime(&e) {
+        if setup.commit_public(&self.z1, &self.z3) != &cap_c_mod * &cap_s_mod.pow_signed_vartime(&e) {
             return false;
         }
 

diff --git a/synedrion/src/cggmp21/sigma/fac.rs b/synedrion/src/cggmp21/sigma/fac.rs
@@ -68,30 +68,32 @@ impl<P: SchemeParams> FacProof<P> {
             Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, &sqrt_cap_n));
         let beta =
             Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, &sqrt_cap_n));
-        let mu = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
+        let mu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
         let nu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
 
         // N_0 \hat{N}
         let scale = pk0.modulus_bounded().mul_wide(hat_cap_n);
 
         let sigma =
             Signed::<<P::Paillier as PaillierParams>::Uint>::random_bounded_bits_scaled_wide(rng, P::L_BOUND, &scale);
-        let r = Signed::<<P::Paillier as PaillierParams>::Uint>::random_bounded_bits_scaled_wide(
-            rng,
-            P::L_BOUND + P::EPS_BOUND,
-            &scale,
-        );
-        let x = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
-        let y = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
+        let r = Secret::init_with(|| {
+            Signed::<<P::Paillier as PaillierParams>::Uint>::random_bounded_bits_scaled_wide(
+                rng,
+                P::L_BOUND + P::EPS_BOUND,
+                &scale,
+            )
+        });
+        let x = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
+        let y = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
 
         let p = sk0.p_signed();
         let q = sk0.q_signed();
 
         let cap_p = setup.commit(&p, &mu).to_wire();
-        let cap_q = setup.commit_secret(&q, &nu);
+        let cap_q = setup.commit(&q, &nu);
         let cap_a = setup.commit_wide(&alpha, &x).to_wire();
         let cap_b = setup.commit_wide(&beta, &y).to_wire();
-        let cap_t = (&cap_q.pow_secret_signed_wide(&alpha) * &setup.commit_base_xwide(&r)).to_wire();
+        let cap_t = (&cap_q.pow_signed_wide(&alpha) * &setup.commit_zero_xwide(&r)).to_wire();
         let cap_q = cap_q.to_wire();
 
         let mut reader = XofHasher::new_with_dst(HASH_TAG)
@@ -114,12 +116,12 @@ impl<P: SchemeParams> FacProof<P> {
 
         let p_wide = sk0.p_wide_signed();
 
-        let hat_sigma = sigma - ((p_wide * &nu).to_wide()).expose_secret();
+        let hat_sigma = sigma - (p_wide * &nu).expose_secret().to_wide();
         let z1 = *(alpha + (p * e).to_wide()).expose_secret();
         let z2 = *(beta + (q * e).to_wide()).expose_secret();
-        let omega1 = x + e_wide * mu;
+        let omega1 = *(x + mu * e_wide).expose_secret();
         let omega2 = *(nu * e_wide + &y).expose_secret();
-        let v = r + e_wide.to_wide() * hat_sigma;
+        let v = *(r + &(hat_sigma * e_wide.to_wide())).expose_secret();
 
         Self {
             e,
@@ -165,25 +167,25 @@ impl<P: SchemeParams> FacProof<P> {
         }
 
         // R = s^{N_0} t^\sigma
-        let cap_r = &setup.commit_xwide(&Secret::init_with(|| pk0.modulus_bounded()), &self.sigma);
+        let cap_r = &setup.commit_public_xwide(&pk0.modulus_bounded(), &self.sigma);
 
         // s^{z_1} t^{\omega_1} == A * P^e \mod \hat{N}
         let cap_a_mod = self.cap_a.to_precomputed(setup);
         let cap_p_mod = self.cap_p.to_precomputed(setup);
-        if setup.commit_nonsecret_wide(&self.z1, &self.omega1) != &cap_a_mod * &cap_p_mod.pow_signed_vartime(&e) {
+        if setup.commit_public_wide(&self.z1, &self.omega1) != &cap_a_mod * &cap_p_mod.pow_signed_vartime(&e) {
             return false;
         }
 
         // s^{z_2} t^{\omega_2} == B * Q^e \mod \hat{N}
         let cap_b_mod = self.cap_b.to_precomputed(setup);
         let cap_q_mod = self.cap_q.to_precomputed(setup);
-        if setup.commit_nonsecret_wide(&self.z2, &self.omega2) != &cap_b_mod * &cap_q_mod.pow_signed_vartime(&e) {
+        if setup.commit_public_wide(&self.z2, &self.omega2) != &cap_b_mod * &cap_q_mod.pow_signed_vartime(&e) {
             return false;
         }
 
         // Q^{z_1} * t^v == T * R^e \mod \hat{N}
         let cap_t_mod = self.cap_t.to_precomputed(setup);
-        if &cap_q_mod.pow_signed_wide(&self.z1) * &setup.commit_base_xwide(&self.v)
+        if &cap_q_mod.pow_signed_wide_vartime(&self.z1) * &setup.commit_public_base_xwide(&self.v)
             != &cap_t_mod * &cap_r.pow_signed_vartime(&e)
         {
             return false;

diff --git a/synedrion/src/cggmp21/sigma/log_star.rs b/synedrion/src/cggmp21/sigma/log_star.rs
@@ -65,9 +65,9 @@ impl<P: SchemeParams> LogStarProof<P> {
         let hat_cap_n = &setup.modulus_bounded(); // $\hat{N}$
 
         let alpha = Secret::init_with(|| Signed::random_bounded_bits(rng, P::L_BOUND + P::EPS_BOUND));
-        let mu = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
+        let mu = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
         let r = Randomizer::random(rng, pk0);
-        let gamma = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
+        let gamma = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
 
         let cap_s = setup.commit(x, &mu).to_wire();
         let cap_a = Ciphertext::new_with_randomizer_signed(pk0, &alpha, &r.to_wire()).to_wire();
@@ -94,7 +94,7 @@ impl<P: SchemeParams> LogStarProof<P> {
 
         let z1 = *(alpha + x * e).expose_secret();
         let z2 = (r * rho.pow_signed_vartime(&e)).to_wire();
-        let z3 = gamma + mu * e.to_wide();
+        let z3 = *(gamma + mu * e.to_wide()).expose_secret();
 
         Self {
             e,
@@ -161,7 +161,7 @@ impl<P: SchemeParams> LogStarProof<P> {
         // s^{z_1} t^{z_3} == D S^e \mod \hat{N}
         let cap_d_mod = self.cap_d.to_precomputed(setup);
         let cap_s_mod = self.cap_s.to_precomputed(setup);
-        if setup.commit_nonsecret(&self.z1, &self.z3) != &cap_d_mod * &cap_s_mod.pow_signed_vartime(&e) {
+        if setup.commit_public(&self.z1, &self.z3) != &cap_d_mod * &cap_s_mod.pow_signed_vartime(&e) {
             return false;
         }
 

diff --git a/synedrion/src/cggmp21/sigma/mul_star.rs b/synedrion/src/cggmp21/sigma/mul_star.rs
@@ -74,8 +74,8 @@ impl<P: SchemeParams> MulStarProof<P> {
 
         let r = Randomizer::random(rng, pk0);
         let alpha = Secret::init_with(|| Signed::random_bounded_bits(rng, P::L_BOUND + P::EPS_BOUND));
-        let gamma = Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n);
-        let m = Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n);
+        let gamma = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND + P::EPS_BOUND, hat_cap_n));
+        let m = Secret::init_with(|| Signed::random_bounded_bits_scaled(rng, P::L_BOUND, hat_cap_n));
 
         let cap_a = (cap_c * &alpha).mul_randomizer(&r.to_wire()).to_wire();
         let cap_b_x = secret_scalar_from_signed::<P>(&alpha).mul_by_generator();
@@ -101,7 +101,7 @@ impl<P: SchemeParams> MulStarProof<P> {
         let e = Signed::from_xof_reader_bounded(&mut reader, &P::CURVE_ORDER);
 
         let z1 = *(alpha + x * e).expose_secret();
-        let z2 = gamma + e.to_wide() * m;
+        let z2 = *(gamma + m * e.to_wide()).expose_secret();
         let omega = (r * rho.pow_signed(&e)).to_wire();
 
         Self {
@@ -170,7 +170,7 @@ impl<P: SchemeParams> MulStarProof<P> {
         // s^{z_1} t^{z_2} == E S^e
         let cap_e_mod = self.cap_e.to_precomputed(setup);
         let cap_s_mod = self.cap_s.to_precomputed(setup);
-        if setup.commit_nonsecret(&self.z1, &self.z2) != &cap_e_mod * &cap_s_mod.pow_signed_vartime(&e) {
+        if setup.commit_public(&self.z1, &self.z2) != &cap_e_mod * &cap_s_mod.pow_signed_vartime(&e) {
             return false;
         }
 

diff --git a/synedrion/src/cggmp21/sigma/prm.rs b/synedrion/src/cggmp21/sigma/prm.rs
@@ -91,7 +91,7 @@ impl<P: SchemeParams> PrmProof<P> {
     ) -> Self {
         debug_assert!(&secret.modulus() == setup.modulus());
         let proof_secret = PrmSecret::<P>::random(rng, secret);
-        let commitment = PrmCommitment::new(&proof_secret, setup.base());
+        let commitment = PrmCommitment::new(&proof_secret, setup.base_randomizer());
 
         let totient = secret.totient_nonzero();
         let challenge = PrmChallenge::new(&commitment, setup, aux);
@@ -125,8 +125,8 @@ impl<P: SchemeParams> PrmProof<P> {
             let z = self.proof[i];
             let e = challenge.0[i];
             let a = self.commitment.0[i].to_montgomery(monty_params);
-            let pwr = setup.base().pow_bounded(&z);
-            let test = if e { pwr == a * setup.power() } else { pwr == a };
+            let pwr = setup.base_randomizer().pow_bounded(&z);
+            let test = if e { pwr == a * setup.base_value() } else { pwr == a };
             if !test {
                 return false;
             }