Module paillier_blum_modulus

ZK proof of a Paillier-Blum modulus. Called Пmod or Rmod in the CGGMP24 paper.

§Description

A party P has a Paillier-Blum modulus N = pq, where p and q are primes such that gcd(N, phi(N)) = 1 and p, q ≡ 3 (mod 4). P wants to prove that N satisfies these two conditions without disclosing p and q.

§Example

```rust
use fast_paillier::backend::Integer;
let mut rng = rand_core::OsRng;

// 0. Prover P derives two Blum primes and makes a Paillier-Blum modulus.
//    Safe primes are Blum primes (p = 2p' + 1 with p' odd gives p = 3 mod 4).
//    256-bit primes keep this example fast; a production Paillier modulus
//    needs primes several times larger.
let p = Integer::generate_safe_prime(&mut rng, 256);
let q = Integer::generate_safe_prime(&mut rng, 256);
let n = &p * &q;

// 1. P computes a non-interactive proof that `n` is a Paillier-Blum modulus:
use paillier_zk::paillier_blum_modulus as p;

// Security parameter: the number of challenges M in the proof
const SECURITY: usize = 33;
// Verifier and prover share the same state; it is bound into the challenge
let shared_state = "some shared state";

let data = p::Data { n: &n };
let pdata = p::PrivateData { p: &p, q: &q };

let proof =
    p::non_interactive::prove::<{SECURITY}, sha2::Sha256>(
        &shared_state,
        data,
        pdata,
        &mut rng,
    )?;

// 2. P sends `data, proof` to the verifier V (the non-interactive proof
//    already carries the commitment). `send`/`recv` stand for your transport.

send(&data, &proof);

// 3. V receives and verifies the proof:

let (data, proof) = recv();

p::non_interactive::verify::<{SECURITY}, sha2::Sha256>(
    &shared_state,
    data,
    &proof,
    &mut rng,
)?;
```

If verification succeeds, V can continue the protocol with P.

Modules§

interactive
The interactive version of the ZK proof. Completed in 3 rounds: the prover commits to data, the verifier responds with a random challenge, and the prover answers with a proof built from the commitment and the challenge.
non_interactive
The non-interactive version of the proof. Completed in a single message; see the documentation of the parent module for an example.
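To make the relations above concrete, the following is an added toy implementation of the Пmod arithmetic (CGGMP21, Figure 16) in plain Rust; it is not paillier_zk's code and not its API. The prover commits to a w with Jacobi symbol -1, and for each challenge y_i returns an N-th root z_i of y_i and a 4th root x_i of one of y_i, -y_i, w·y_i, -w·y_i; the verifier checks that N is odd and composite and that both relations hold for every point. Everything else is an assumption of this example: u128 arithmetic with the toy primes 2^31-1 and 10^9+7, an xorshift stream standing in for random (interactive) or hashed (non-interactive) challenges, and a Fermat witness standing in for the verifier's primality test. It is variable-time and for reading only.

```rust
// Added example, not paillier_zk's code: a toy re-implementation of the arithmetic
// behind Пmod (CGGMP21, Fig. 16) with u128 and small primes so it runs without any
// crate. Variable-time, toy parameters, deterministic "randomness" (assumptions).

/// base^exp mod m, for m < 2^64 so that products fit in u128.
fn mod_pow(mut b: u128, mut e: u128, m: u128) -> u128 {
    let mut acc = 1;
    b %= m;
    while e > 0 { if e & 1 == 1 { acc = acc * b % m; } b = b * b % m; e >>= 1; }
    acc
}

/// a^-1 mod m by extended Euclid; panics if gcd(a, m) != 1.
fn mod_inv(a: u128, m: u128) -> u128 {
    let (mut r0, mut r1, mut s0, mut s1) = (a as i128, m as i128, 1i128, 0i128);
    while r1 != 0 {
        let q = r0 / r1;
        (r0, r1, s0, s1) = (r1, r0 - q * r1, s1, s0 - q * s1);
    }
    assert_eq!(r0, 1, "not invertible");
    s0.rem_euclid(m as i128) as u128
}

fn gcd(mut a: u128, mut b: u128) -> u128 { while b != 0 { (a, b) = (b, a % b); } a }

/// y' = (-1)^a * w^b * y mod n
fn twist(y: u128, w: u128, a: bool, b: bool, n: u128) -> u128 {
    let t = if b { y * w % n } else { y % n };
    if a { (n - t) % n } else { t }
}

/// Prover's secret: N = pq with p, q = 3 mod 4.
struct BlumModulus { p: u128, q: u128, n: u128 }

impl BlumModulus {
    fn new(p: u128, q: u128) -> Self {
        assert!(p % 4 == 3 && q % 4 == 3, "p and q must be Blum primes");
        BlumModulus { p, q, n: p * q }
    }
    /// Euler's criterion: is y a quadratic residue mod the prime `pr`?
    fn qr_mod(y: u128, pr: u128) -> bool { mod_pow(y % pr, (pr - 1) / 2, pr) == 1 }
    fn is_qr(&self, y: u128) -> bool { Self::qr_mod(y, self.p) && Self::qr_mod(y, self.q) }
    /// Jacobi symbol (w/N) = -1 iff w is a QR mod exactly one of p, q.
    fn jacobi_minus_one(&self, w: u128) -> bool { Self::qr_mod(w, self.p) != Self::qr_mod(w, self.q) }
    /// The square root of a QR y that is itself a QR: y^((p+1)/4) mod p, the same
    /// mod q, then CRT. Needs p, q = 3 mod 4; applying it twice yields a 4th root.
    fn sqrt_qr(&self, y: u128) -> u128 {
        let (p, q) = (self.p, self.q);
        let (rp, rq) = (mod_pow(y % p, (p + 1) / 4, p), mod_pow(y % q, (q + 1) / 4, q));
        rp + p * ((rq + q - rp % q) % q * mod_inv(p % q, q) % q)
    }
}

#[derive(Clone, Debug, PartialEq)]
struct ProofPoint { x: u128, a: bool, b: bool, z: u128 }
#[derive(Clone, Debug, PartialEq)]
struct Proof { w: u128, points: Vec<ProofPoint> }

/// Toy challenge stream: xorshift64 reduced mod N (constructed for this example; the
/// real verifier samples y_i at random, or the prover hashes shared state, N and w).
fn challenges(seed: u64, m: usize, n: u128) -> Vec<u128> {
    let mut s = seed;
    (0..m).map(|_| loop {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        let y = s as u128 % n;
        if y != 0 && gcd(y, n) == 1 { break y; }
    }).collect()
}

fn prove(sk: &BlumModulus, ys: &[u128]) -> Proof {
    let n = sk.n;
    // Commitment: w with Jacobi symbol -1 (toy: first such w; real provers sample it).
    let w = (2..n).find(|&w| sk.jacobi_minus_one(w)).unwrap();
    // d = N^-1 mod phi(N) exists only when gcd(N, phi(N)) = 1; z = y^d is an N-th root of y.
    let phi = (sk.p - 1) * (sk.q - 1);
    let d = mod_inv(n % phi, phi);
    let points: Vec<ProofPoint> = ys.iter().map(|&y| {
        // For a Blum modulus exactly one of y, -y, wy, -wy is a quadratic residue.
        let (a, b) = [(false, false), (true, false), (false, true), (true, true)]
            .iter().copied().find(|&(a, b)| sk.is_qr(twist(y, w, a, b, n)))
            .expect("no twist of y is a QR: N is not a Blum modulus");
        let x = sk.sqrt_qr(sk.sqrt_qr(twist(y, w, a, b, n)));
        ProofPoint { x, a, b, z: mod_pow(y, d, n) }
    }).collect();
    Proof { w, points }
}

fn verify(n: u128, ys: &[u128], proof: &Proof) -> Result<(), &'static str> {
    if n % 2 == 0 { return Err("N is even"); }
    // N must be composite: a Fermat witness a^(N-1) != 1 proves it. A prime N has no
    // witness and is rejected (so is an untested Carmichael number, harmlessly).
    if ![2u128, 3, 5, 7].iter().any(|&a| mod_pow(a, n - 1, n) != 1) { return Err("N is (probably) prime"); }
    if proof.w == 0 || proof.w >= n || proof.points.len() != ys.len() { return Err("malformed proof"); }
    for (&y, pt) in ys.iter().zip(&proof.points) {
        // z^N = y: y has an N-th root, which random y only have if gcd(N, phi(N)) = 1.
        if mod_pow(pt.z, n, n) != y { return Err("z^N != y"); }
        // x^4 = (-1)^a w^b y: a twist of y has a 4th root. Every y does for a Blum
        // modulus; for other N at least half of all y fail, hence M random challenges.
        if mod_pow(pt.x, 4, n) != twist(y, proof.w, pt.a, pt.b, n) { return Err("x^4 != (-1)^a w^b y"); }
    }
    Ok(())
}

fn main() {
    let sk = BlumModulus::new(2_147_483_647, 1_000_000_007); // toy-sized Blum primes
    let ys = challenges(0x9E37_79B9_7F4A_7C15, 33, sk.n);
    let proof = prove(&sk, &ys);
    println!("honest N: {:?}", verify(sk.n, &ys, &proof));
    println!("prime N:  {:?}", verify(sk.p, &ys, &proof));
}
```

Each (x, a, b, z) tuple here plays the role of the page's ProofPoint, one per challenge, and M of them make up the Proof; the commitment is w. The verifier's two checks are what give the proof its meaning: the z check rules out gcd(N, phi(N)) > 1 and the x check rules out moduli that are not a product of two primes congruent to 3 mod 4, each with probability that shrinks exponentially in M.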

Structs§

Challenge
Verifier's challenge to the prover. Obtained deterministically by non_interactive::challenge or randomly by interactive::challenge.
Commitment
Prover’s first message, obtained by interactive::commit
Data
Public data that both parties know: the Paillier-Blum modulus
NiProof
The non-interactive ZK proof. Computed by non_interactive::prove. Combines commitment and proof.
PrivateData
Private data of prover
Proof
The ZK proof. Computed by interactive::prove. Consists of M proof points, one per challenge.
ProofPoint
One component of the proof. Having enough of them (M) gives the intended soundness.