Skip to main content

Module paillier_encryption_in_range

paillier_zk

Module paillier_encryption_in_range 

Source
Expand description

ZK-proof of paillier encryption in range. Called Пenc or Renc in the CGGMP24 paper.

§Description

A party P has key, pkey - public and private keys in paillier cryptosystem. P also has plaintext, nonce, and ciphertext = key.encrypt_with(plaintext, nonce).

P wants to prove that plaintext is at most l bits, without disclosing it, the pkey, and nonce

§Example

use paillier_zk::{paillier_encryption_in_range as p, IntegerExt};
use fast_paillier::backend::Integer;

let shared_state = "some shared state";

let mut rng = rand_core::OsRng;

// 0. Setup: prover and verifier share common Ring-Pedersen parameters:

let aux: p::Aux = pregenerated::verifier_aux();
let security = p::SecurityParams {
    l: 256,
    epsilon: 512,
    q: Integer::curve_order::<generic_ec::curves::Secp256k1>(),
};

// 1. Setup: prover prepares the paillier keys

let private_key: fast_paillier::DecryptionKey =
    pregenerated::prover_decryption_key();
let key = private_key.encryption_key();

// 2. Setup: prover has some plaintext and encrypts it

let plaintext = Integer::from_rng_half_pm(&mut rng, &(Integer::one() << security.l));
let (ciphertext, nonce) = key.encrypt_with_random(&mut rng, &plaintext)?;

// 3. Prover computes a non-interactive proof that plaintext is at most 1024 bits:

let data = p::Data { key, ciphertext: &ciphertext };
let proof = p::non_interactive::prove::<sha2::Sha256>(
    &shared_state,
    &aux,
    data,
    p::PrivateData {
        plaintext: &plaintext,
        nonce: &nonce,
    },
    &security,
    &mut rng,
)?;

// 4. Prover sends this data to verifier

send(&data, &proof);

// 5. Verifier receives the data and the proof and verifies it

let (data, proof) = recv();
p::non_interactive::verify::<sha2::Sha256>(
    &shared_state,
    &aux,
    data,
    &security,
    &proof,
);

If the verification succeeded, verifier can continue communication with prover

Modules§

interactive
The interactive version of the ZK proof. Should be completed in 3 rounds: prover commits to data, verifier responds with a random challenge, and prover gives proof with commitment and challenge.
non_interactive
The non-interactive version of proof. Completed in one round, for example see the documentation of parent module.

Structs§

Aux
Auxiliary data known to both prover and verifier
Commitment
Prover’s first message, obtained by interactive::commit
Data
Public data that both parties know
InvalidProof
Error indicating that proof is invalid
NiProof
The non-interactive ZK proof. Computed by non_interactive::prove. Combines commitment and proof.
PrivateCommitment
Prover’s data accompanying the commitment. Kept as state between rounds in the interactive protocol.
PrivateData
Private data of prover
Proof
The ZK proof. Computed by interactive::prove.
SecurityParams
Security parameters for proof. Choosing the values is a tradeoff between speed and chance of rejecting a valid proof or accepting an invalid proof

Type Aliases§

Challenge
Verifier’s challenge to prover. Can be obtained deterministically by non_interactive::challenge or randomly by interactive::challenge