feat(rust/catalyst-voting): Tally proof generation and verification

.config/dictionaries/project.dic

@@ -51,6 +51,7 @@ dbsync
 dcbor
 decompressor
 delegators
+dleq
 dockerhub
 Dominik
 dotenv

rust/catalyst-voting/Cargo.toml

@@ -13,7 +13,8 @@ workspace = true
 [dependencies]
 thiserror = "1.0.56"
 rand_core = "0.6.4"
-curve25519-dalek = { version = "4.0" }
+curve25519-dalek = { version = "4.0", features = ["digest"] }
+blake2b_simd = "1.0.2"
 
 [dev-dependencies]
 proptest = {version = "1.5.0" }

rust/catalyst-voting/src/crypto/group/babystep_giantstep.rs → rust/catalyst-voting/src/crypto/babystep_giantstep.rs

@@ -3,7 +3,7 @@
 
 use std::collections::HashMap;
 
-use super::{GroupElement, Scalar};
+use super::group::{GroupElement, Scalar};
 
 /// Default balance value.
 /// Make steps asymmetric, in order to better use caching of baby steps.

rust/catalyst-voting/src/crypto/elgamal.rs

@@ -1,7 +1,7 @@
 //! Implementation of the lifted ``ElGamal`` crypto system, and combine with `ChaCha`
 //! stream cipher to produce a hybrid encryption scheme.
 
-use std::ops::{Add, Mul};
+use std::ops::{Add, Deref, Mul};
 
 use rand_core::CryptoRngCore;
 
@@ -19,6 +19,22 @@ pub struct PublicKey(GroupElement);
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct Ciphertext(GroupElement, GroupElement);
 
+impl Deref for SecretKey {
+    type Target = Scalar;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+impl Deref for PublicKey {
+    type Target = GroupElement;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
 impl SecretKey {
     /// Generate a random `SecretKey` value from the random number generator.
     pub fn generate<R: CryptoRngCore>(rng: &mut R) -> Self {
@@ -35,23 +51,33 @@ impl SecretKey {
 impl Ciphertext {
     /// Generate a zero `Ciphertext`.
     /// The same as encrypt a `Scalar::zero()` message and `Scalar::zero()` randomness.
-    pub(crate) fn zero() -> Self {
+    pub fn zero() -> Self {
         Ciphertext(GroupElement::zero(), GroupElement::zero())
     }
+
+    /// Get the first element of the `Ciphertext`.
+    pub fn first(&self) -> &GroupElement {
+        &self.0
+    }
+
+    /// Get the second element of the `Ciphertext`.
+    pub fn second(&self) -> &GroupElement {
+        &self.1
+    }
 }
 
 /// Given a `message` represented as a `Scalar`, return a ciphertext using the
 /// lifted ``ElGamal`` mechanism.
 /// Returns a ciphertext of type `Ciphertext`.
-pub(crate) fn encrypt(message: &Scalar, public_key: &PublicKey, randomness: &Scalar) -> Ciphertext {
+pub fn encrypt(message: &Scalar, public_key: &PublicKey, randomness: &Scalar) -> Ciphertext {
     let e1 = GroupElement::GENERATOR.mul(randomness);
     let e2 = &GroupElement::GENERATOR.mul(message) + &public_key.0.mul(randomness);
     Ciphertext(e1, e2)
 }
 
 /// Decrypt ``ElGamal`` `Ciphertext`, returns the original message represented as a
 /// `GroupElement`.
-pub(crate) fn decrypt(cipher: &Ciphertext, secret_key: &SecretKey) -> GroupElement {
+pub fn decrypt(cipher: &Ciphertext, secret_key: &SecretKey) -> GroupElement {
     &(&cipher.0 * &secret_key.0.negate()) + &cipher.1
 }
 

rust/catalyst-voting/src/crypto/group/mod.rs

@@ -1,8 +1,6 @@
 //! Group definitions used in voting protocol.
 //! For more information, see: <https://input-output-hk.github.io/catalyst-voices/architecture/08_concepts/voting_transaction/crypto/#a-group-definition>
 
-mod babystep_giantstep;
 mod ristretto255;
 
-pub(crate) use babystep_giantstep::BabyStepGiantStep;
 pub(crate) use ristretto255::{GroupElement, Scalar};

rust/catalyst-voting/src/crypto/group/ristretto255.rs

@@ -9,7 +9,8 @@ use std::{
 
 use curve25519_dalek::{
     constants::{RISTRETTO_BASEPOINT_POINT, RISTRETTO_BASEPOINT_TABLE},
-    ristretto::RistrettoPoint as Point,
+    digest::{consts::U64, Digest},
+    ristretto::{CompressedRistretto, RistrettoPoint as Point},
     scalar::Scalar as IScalar,
     traits::Identity,
 };
@@ -67,6 +68,22 @@ impl Scalar {
     pub fn inverse(&self) -> Scalar {
         Scalar(self.0.invert())
     }
+
+    /// Convert this `Scalar` to its underlying sequence of bytes.
+    pub fn to_bytes(&self) -> [u8; 32] {
+        self.0.to_bytes()
+    }
+
+    /// Attempt to construct a `Scalar` from a canonical byte representation.
+    pub fn from_bytes(bytes: [u8; 32]) -> Option<Scalar> {
+        IScalar::from_canonical_bytes(bytes).map(Scalar).into()
+    }
+
+    /// Generate a `Scalar` from a hash digest.
+    pub fn from_hash<D>(hash: D) -> Scalar
+    where D: Digest<OutputSize = U64> {
+        Scalar(IScalar::from_hash(hash))
+    }
 }
 
 impl GroupElement {
@@ -77,6 +94,19 @@ impl GroupElement {
     pub fn zero() -> Self {
         GroupElement(Point::identity())
     }
+
+    /// Convert this `GroupElement` to its underlying sequence of bytes.
+    /// Always encode the compressed value.
+    pub fn to_bytes(&self) -> [u8; 32] {
+        self.0.compress().to_bytes()
+    }
+
+    /// Attempt to construct a `Scalar` from a compressed value byte representation.
+    pub fn from_bytes(bytes: &[u8; 32]) -> Option<Self> {
+        Some(GroupElement(
+            CompressedRistretto::from_slice(bytes).ok()?.decompress()?,
+        ))
+    }
 }
 
 // `std::ops` traits implementations
@@ -133,6 +163,14 @@ impl Sub<&Scalar> for &Scalar {
     }
 }
 
+impl Sub<&GroupElement> for &GroupElement {
+    type Output = GroupElement;
+
+    fn sub(self, other: &GroupElement) -> GroupElement {
+        GroupElement(self.0 + (-other.0))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use proptest::{
@@ -152,6 +190,21 @@ mod tests {
         }
     }
 
+    #[proptest]
+    fn scalar_to_bytes_from_bytes_test(e1: Scalar) {
+        let bytes = e1.to_bytes();
+        let e2 = Scalar::from_bytes(bytes).unwrap();
+        assert_eq!(e1, e2);
+    }
+
+    #[proptest]
+    fn group_element_to_bytes_from_bytes_test(e: Scalar) {
+        let ge1 = GroupElement::GENERATOR.mul(&e);
+        let bytes = ge1.to_bytes();
+        let ge2 = GroupElement::from_bytes(&bytes).unwrap();
+        assert_eq!(ge1, ge2);
+    }
+
     #[proptest]
     fn scalar_arithmetic_tests(e1: Scalar, e2: Scalar, e3: Scalar) {
         assert_eq!(&(&e1 + &e2) + &e3, &e1 + &(&e2 + &e3));
@@ -174,6 +227,7 @@ mod tests {
         let ge3 = GroupElement::GENERATOR.mul(&(&e1 + &e2));
 
         assert_eq!(&ge1 + &ge2, ge3);
+        assert_eq!(&(&ge1 + &ge2) - &ge2, ge1);
 
         let ge = GroupElement::GENERATOR.mul(&e1).mul(&e1.inverse());
         assert_eq!(ge, GroupElement::GENERATOR);

rust/catalyst-voting/src/crypto/hash.rs

@@ -0,0 +1,50 @@
+//! Blake2b-256 hash implementation.
+
+use curve25519_dalek::digest::{
+    consts::U64, typenum::Unsigned, FixedOutput, HashMarker, Output, OutputSizeUser, Update,
+};
+
+/// Blake2b-512 hasher instance.
+pub struct Blake2b512Hasher(blake2b_simd::State);
+
+impl Blake2b512Hasher {
+    /// Create a new `Blake2b256Hasher`.
+    pub fn new() -> Self {
+        Self(
+            blake2b_simd::Params::new()
+                .hash_length(Self::output_size())
+                .to_state(),
+        )
+    }
+}
+
+// Implementation of the `digest::Digest` trait for `Blake2b256Hasher`.
+
+impl Default for Blake2b512Hasher {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl Update for Blake2b512Hasher {
+    fn update(&mut self, data: &[u8]) {
+        self.0.update(data);
+    }
+}
+
+impl OutputSizeUser for Blake2b512Hasher {
+    type OutputSize = U64;
+
+    fn output_size() -> usize {
+        Self::OutputSize::USIZE
+    }
+}
+
+impl FixedOutput for Blake2b512Hasher {
+    fn finalize_into(self, out: &mut Output<Self>) {
+        let hash = self.0.finalize();
+        out.copy_from_slice(hash.as_bytes());
+    }
+}
+
+impl HashMarker for Blake2b512Hasher {}

rust/catalyst-voting/src/crypto/mod.rs

@@ -1,4 +1,7 @@
 //! Crypto primitives which are used by voting protocol.
 
+pub(crate) mod babystep_giantstep;
 pub(crate) mod elgamal;
 pub(crate) mod group;
+pub(crate) mod hash;
+pub(crate) mod zk_dl_equality;

rust/catalyst-voting/src/crypto/zk_dl_equality.rs

@@ -0,0 +1,111 @@
+//! Non-interactive Zero Knowledge proof of Discrete Logarithm
+//! Equality (DLEQ).
+//!
+//! The proof is the following:
+//!
+//! `NIZK{(base_1, base_2, point_1, point_2), (dlog): point_1 = base_1^dlog AND point_2 =
+//! base_2^dlog}`
+//!
+//! which makes the statement, the two bases `base_1` and `base_2`, and the two
+//! points `point_1` and `point_2`. The witness, on the other hand
+//! is the discrete logarithm, `dlog`.
+
+// cspell: words NIZK dlog
+
+use curve25519_dalek::digest::Update;
+
+use super::{
+    group::{GroupElement, Scalar},
+    hash::Blake2b512Hasher,
+};
+
+/// DLEQ proof struct
+pub struct DleqProof(Scalar, Scalar);
+
+/// Generates a DLEQ proof.
+pub fn generate_dleq_proof(
+    base_1: &GroupElement, base_2: &GroupElement, point_1: &GroupElement, point_2: &GroupElement,
+    dlog: &Scalar, randomness: &Scalar,
+) -> DleqProof {
+    let a_1 = base_1 * randomness;
+    let a_2 = base_2 * randomness;
+
+    let challenge = calculate_challenge(base_1, base_2, point_1, point_2, &a_1, &a_2);
+    let response = &(dlog * &challenge) + randomness;
+
+    DleqProof(challenge, response)
+}
+
+/// Verify a DLEQ proof.
+pub fn verify_dleq_proof(
+    proof: &DleqProof, base_1: &GroupElement, base_2: &GroupElement, point_1: &GroupElement,
+    point_2: &GroupElement,
+) -> bool {
+    let a_1 = &(base_1 * &proof.1) - &(point_1 * &proof.0);
+    let a_2 = &(base_2 * &proof.1) - &(point_2 * &proof.0);
+
+    let challenge = calculate_challenge(base_1, base_2, point_1, point_2, &a_1, &a_2);
+    challenge == proof.0
+}
+
+/// Calculates the challenge value.
+/// Its a hash value represented as `Scalar` of all provided elements.
+fn calculate_challenge(
+    base_1: &GroupElement, base_2: &GroupElement, point_1: &GroupElement, point_2: &GroupElement,
+    a_1: &GroupElement, a_2: &GroupElement,
+) -> Scalar {
+    let blake2b_hasher = Blake2b512Hasher::new()
+        .chain(base_1.to_bytes())
+        .chain(base_2.to_bytes())
+        .chain(point_1.to_bytes())
+        .chain(point_2.to_bytes())
+        .chain(a_1.to_bytes())
+        .chain(a_2.to_bytes());
+
+    Scalar::from_hash(blake2b_hasher)
+}
+
+#[cfg(test)]
+mod tests {
+    use std::ops::Mul;
+
+    use test_strategy::proptest;
+
+    use super::*;
+
+    #[proptest]
+    fn zk_dleq_test(e1: Scalar, e2: Scalar, dlog1: Scalar, dlog2: Scalar, randomness: Scalar) {
+        let base_1 = GroupElement::GENERATOR.mul(&e1);
+        let base_2 = GroupElement::GENERATOR.mul(&e2);
+
+        let point_1 = base_1.mul(&dlog1);
+        let point_2 = base_2.mul(&dlog1);
+
+        let proof = generate_dleq_proof(&base_1, &base_2, &point_1, &point_2, &dlog1, &randomness);
+        assert!(verify_dleq_proof(
+            &proof, &base_1, &base_2, &point_1, &point_2
+        ));
+
+        // use different discrete logarithm for both points
+        let point_1 = base_1.mul(&dlog2);
+        let point_2 = base_2.mul(&dlog2);
+
+        let proof = generate_dleq_proof(&base_1, &base_2, &point_1, &point_2, &dlog1, &randomness);
+        assert!(!verify_dleq_proof(
+            &proof, &base_1, &base_2, &point_1, &point_2
+        ));
+
+        // use different discrete logarithm across points
+        let point_1 = base_1.mul(&dlog1);
+        let point_2 = base_2.mul(&dlog2);
+
+        let proof = generate_dleq_proof(&base_1, &base_2, &point_1, &point_2, &dlog1, &randomness);
+        assert!(!verify_dleq_proof(
+            &proof, &base_1, &base_2, &point_1, &point_2
+        ));
+        let proof = generate_dleq_proof(&base_1, &base_2, &point_1, &point_2, &dlog2, &randomness);
+        assert!(!verify_dleq_proof(
+            &proof, &base_1, &base_2, &point_1, &point_2
+        ));
+    }
+}