BitGo · zahin-mohammad · Jul 28, 2023 · Aug 14, 2023 · Aug 14, 2023 · Aug 14, 2023
@@ -2,7 +2,7 @@
 
 module.exports = {
   require: 'ts-node/register',
-  timeout: '20000',
+  timeout: '40000',
   reporter: 'min',
   'reporter-option': ['cdn=true', 'json=false'],
   exit: true,

@@ -10,6 +10,7 @@
     "build": "yarn tsc --build --incremental --verbose .",
     "fmt": "prettier --write .",
     "check-fmt": "prettier --check .",
+    "fix-fmt": "prettier --write .",
     "clean": "rm -r ./dist",
     "lint": "eslint --quiet .",
     "prepare": "npm run build"

@@ -0,0 +1,32 @@
+import * as bcu from 'bigint-crypto-utils';
+import { PublicKey, PrivateKey, KeyPair } from 'paillier-bigint';
+import { prove } from './paillierBlumProof';
+import { DeserializedKeyPairWithPaillierBlumProof, RawPaillierKey } from './types';
+
+// Implementation based on paillier-bigint's generateRandomKeys
+export async function generatePaillierKey(bitlength = 3072): Promise<RawPaillierKey> {
+  let [p, q, n] = [BigInt(0), BigInt(0), BigInt(0)];
+  do {
+    p = await bcu.prime(Math.floor(bitlength / 2) + 1);
+    q = await bcu.prime(Math.floor(bitlength / 2));
+    n = p * q;
+  } while (q === p || q % BigInt(4) !== BigInt(3) || p % BigInt(4) !== BigInt(3) || bcu.bitLength(n) !== bitlength);
+  const lambda = (p - BigInt(1)) * (q - BigInt(1));
+  const mu = bcu.modInv(lambda, n);
+  return { n, lambda, mu, p, q };
+}
+
+export async function generatePaillierKeyWithProof(
+  bitlength = 3072
+): Promise<DeserializedKeyPairWithPaillierBlumProof> {
+  const key = await generatePaillierKey(bitlength);
+  const proof = await prove(key.p, key.q);
+  return { ...key, ...proof };
+}
+
+export function rawPaillierKeyToPaillierKey(n: bigint, lambda: bigint, mu: bigint, p: bigint, q: bigint): KeyPair {
+  const g = n + BigInt(1);
+  const publicKey = new PublicKey(n, g);
+  const privateKey = new PrivateKey(lambda, mu, publicKey, p, q);
+  return { publicKey, privateKey };
+}
@@ -1,6 +1,7 @@
 export * as EcdsaTypes from './types';
-export * as EcdsaRangeProof from './rangeproof';
-export * as EcdsaPaillierProof from './paillierproof';
+export * as EcdsaRangeProof from './rangeProof';
+export * as EcdsaPaillierProof from './paillierProof';
 export * as EcdsaZkVProof from './zkVProof';
-
+export * as EcdsaNoSmallFactorsProof from './noSmallFactorsProof';
+export * from './generatePaillierKey';
 export const minModulusBitLength = 3072;
@@ -0,0 +1,145 @@
+/**
+ * Implementation of No Small Factors ($\Pi^\text{fac}).
+ * https://eprint.iacr.org/2020/492.pdf Section B.4
+ */
+import { createHash } from 'crypto';
+import { bitLength, randBetween } from 'bigint-crypto-utils';
+import { modPow } from 'bigint-mod-arith';
+import { bigIntFromBufferBE, bigIntToBufferBE } from '../../util';
+import { DeserializedNoSmallFactorsProof } from './types';
+
+const ORDER = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
+const ELL = BigInt(256);
+const EPSILON = BigInt(BigInt(2) * ELL);
+
+/**
+ * Generate pseudo-random challenge value $e$ for $(N, w)$.
+ * @param N - the prime number to verify is a product of two large primes.
+ * @param w - a random number with the same bitLength as N, that satisfies the Jacobi of w is -1 wrt N.
+ * @returns {bigint} - challenge value $e$.
+ */
+function generateE(N: bigint, w: bigint): bigint {
+  const digest = createHash('shake256', { outputLength: 1 + Math.floor((bitLength(ORDER) + 7) / 8) })
+    .update(bigIntToBufferBE(N))
+    .update('$')
+    .update(bigIntToBufferBE(w))
+    .update('$')
+    .digest();
+  const e = bigIntFromBufferBE(digest.subarray(1)) % ORDER;
+  if (digest[0] & 1) {
+    return -e;
+  }
+  return e;
+}
+
+/**
+ * Calculate the closest integer square root of $n$.
+ * @param n - the number to calculate the square root of.
+ * @returns {bigint} - $n$'s closest integer square root.
+ */
+function isqrt(n: bigint): bigint {
+  if (n < BigInt(0)) {
+    throw new Error();
+  }
+  if (n < BigInt(2)) {
+    return n;
+  }
+  function newtonIteration(n: bigint, x0: bigint) {
+    const x1 = (n / x0 + x0) >> BigInt(1);
+    if (x0 === x1 || x0 === x1 - BigInt(1)) {
+      return x0;
+    }
+    return newtonIteration(n, x1);
+  }
+  return newtonIteration(n, BigInt(1));
+}
+
+/**
+ * Prove that $n0$ has no small factors, where $n0$ is the product of two large primes.
+ * @param p - a large prime.
+ * @param q - a large prime.
+ * @param w - a random number with the same bitLength as $p * q$, that satisfies the Jacobi of w is -1 wrt $n0$.
+ * @param nHat - a safe bi-prime, such as that returned from rangeProof.generateNTilde.
+ * @param s - security parameters for $nHat$ such as the $h1$ value returned from rangeProof.generateNTilde.
+ * @param t - security parameters for $nHat$ such as the $h2$ value returned from rangeProof.generateNTilde.
+ * @returns proof that the product of $p * q$ has no small factors.
+ */
+export function prove(
+  p: bigint,
+  q: bigint,
+  w: bigint,
+  nHat: bigint,
+  s: bigint,
+  t: bigint
+): DeserializedNoSmallFactorsProof {
+  const n0 = p * q;
+  const e = generateE(n0, w);
+  const sqrtN0 = isqrt(n0);
+  const alpha = randBetween(sqrtN0 << (ELL + EPSILON), -sqrtN0 << (ELL + EPSILON));
+  const beta = randBetween(sqrtN0 << (ELL + EPSILON), -sqrtN0 << (ELL + EPSILON));
+  const rho = randBetween((nHat * n0) << ELL, -(nHat * n0) << ELL);
+  // Commit to p.
+  const mu = randBetween(BigInt(1) << ELL, BigInt(-1) << ELL);
+  const P = (modPow(s, p, nHat) * modPow(t, mu, nHat)) % nHat;
+  // Commit to q.
+  const nu = randBetween(BigInt(1) << ELL, BigInt(-1) << ELL);
+  const Q = (modPow(s, q, nHat) * modPow(t, nu, nHat)) % nHat;
+  // Commit to alpha.
+  const x = randBetween(BigInt(1) << (ELL + EPSILON), BigInt(-1) << (ELL + EPSILON));
+  const A = (modPow(s, alpha, nHat) * modPow(t, x, nHat)) % nHat;
+  // Commit to beta.
+  const y = randBetween(BigInt(1) << (ELL + EPSILON), BigInt(-1) << (ELL + EPSILON));
+  const B = (modPow(s, beta, nHat) * modPow(t, y, nHat)) % nHat;
+  // Commit to Q and alpha.
+  const r = randBetween((nHat * n0) << (ELL + EPSILON), -(nHat * n0) << (ELL + EPSILON));
+  const T = (modPow(Q, alpha, nHat) * modPow(t, r, nHat)) % nHat;
+
+  const rhoHat = rho - nu * p;
+  const z1 = alpha + e * p;
+  const z2 = beta + e * q;
+  const w1 = x + e * mu;
+  const w2 = y + e * nu;
+  const v = r + e * rhoHat;
+
+  return { P, Q, A, B, T, rho, z1, z2, w1, w2, v };
+}
+
+/**
+ * Verify that $n0$ is not the product of any small factors.
+ * @param n0 - a modulus that is the product of $p$ and $q$.
+ * @param w - a random number with the same bitLength as $n0$, that satisfies the Jacobi of w is -1 wrt $n0$.
+ * @param nHat - a safe bi-prime, such as that returned from rangeProof.generateNTilde.
+ * @param s - security parameters for $nHat$ such as the $h1$ value returned from rangeProof.generateNTilde.
+ * @param t - security parameters for $nHat$ such as the $h2$ value returned from rangeProof.generateNTilde.
+ * @param proof - a proof generated by noSmallFactors.prove.
+ * @returns true if verification successful.
+ */
+export function verify(
+  n0: bigint,
+  w: bigint,
+  nHat: bigint,
+  s: bigint,
+  t: bigint,
+  proof: DeserializedNoSmallFactorsProof
+): boolean {
+  const { P, Q, A, B, T, rho, z1, z2, w1, w2, v } = proof;
+  const e = generateE(n0, w);
+  const sqrtN0 = isqrt(n0);
+  const R = (modPow(s, n0, nHat) * modPow(t, rho, nHat)) % nHat;
+  if ((modPow(s, z1, nHat) * modPow(t, w1, nHat)) % nHat !== (A * modPow(P, e, nHat)) % nHat) {
+    throw new Error('Could not verify no small factors proof');
+  }
+  if ((modPow(s, z2, nHat) * modPow(t, w2, nHat)) % nHat !== (B * modPow(Q, e, nHat)) % nHat) {
+    throw new Error('Could not verify no small factors proof');
+  }
+  if ((modPow(Q, z1, nHat) * modPow(t, v, nHat)) % nHat !== (T * modPow(R, e, nHat)) % nHat) {
+    throw new Error('Could not verify no small factors proof');
+  }
+  if (z1 < -sqrtN0 << (ELL + EPSILON) || z1 > sqrtN0 << (ELL + EPSILON)) {
+    throw new Error('Could not verify no small factors proof');
+  }
+  if (z2 < -sqrtN0 << (ELL + EPSILON) || z2 > sqrtN0 << (ELL + EPSILON)) {
+    throw new Error('Could not verify no small factors proof');
+  }
+  return true;
+}
@@ -0,0 +1,149 @@
+import { createHash } from 'crypto';
+import { bitLength, randBits, isProbablyPrime } from 'bigint-crypto-utils';
+import { gcd, modInv, modPow } from 'bigint-mod-arith';
+import { bigIntFromBufferBE, bigIntToBufferBE } from '../../util';
+import { DeserializedPaillierBlumProof } from './types';
+
+// Security parameter.
+const m = 80;
+
+/**
+ * Generate psuedo-random quadratic residue for (N, w, i).
+ * @param N - the prime number to verify is a product of two large primes.
+ * @param w - a random number with the same bitLength as N, that satisfies the Jacobi of w is -1 wrt N.
+ * @returns {bigint[]} - set of challenges for N
+ */
+function generateY(N, w): bigint[] {
+  const NBuf = bigIntToBufferBE(N);
+  const wBuf = bigIntToBufferBE(w, NBuf.length);
+  let counter = 0;
+  return Array(m)
+    .fill(null)
+    .map((_) => {
+      while (true) {
+        let h = bigIntFromBufferBE(
+          // TypeScript doesn't like us using `outputLength` in the transform options,
+          // but it is required for shake256.
+          createHash('shake256', { outputLength: Math.floor((bitLength(N) + 7) / 8) })
+            .update(Buffer.from([counter++]))
+            .update('$')
+            .update(NBuf)
+            .update('$')
+            .update(wBuf)
+            .update('$')
+            .digest()
+        );
+        h = (h * h) % N;
+        if (gcd(h, N) === BigInt(1)) {
+          return h;
+        }
+      }
+    });
+}
+
+// https://en.wikipedia.org/wiki/Jacobi_symbol#Implementation_in_C++
+function jacobi(a, n): bigint {
+  // a/n is represented as (a,n)
+  if (n <= BigInt(0)) {
+    throw new Error('n must greater than 0');
+  }
+  if (n % BigInt(2) !== BigInt(1)) {
+    throw new Error('n must be odd');
+  }
+  // step 1
+  a = a % n;
+  let t = BigInt(1);
+  let r;
+  // step 3
+  while (a !== BigInt(0)) {
+    // step 2
+    while (a % BigInt(2) === BigInt(0)) {
+      a /= BigInt(2);
+      r = n % BigInt(8);
+      if (r === BigInt(3) || r === BigInt(5)) {
+        t = -t;
+      }
+    }
+    // step 4
+    r = n;
+    n = a;
+    a = r;
+    if (a % BigInt(4) === BigInt(3) && n % BigInt(4) === BigInt(3)) {
+      t = -t;
+    }
+    a = a % n;
+  }
+  if (n === BigInt(1)) {
+    return t;
+  }
+  return BigInt(0);
+}
+
+/**
+ * Prove that a modulus (p*q) is the product of two large safe primes (p and q).
+ * @param {bigint} p The larger prime factor of the modulus
+ * @param {bigint} q The smaller prime factor of the modulus.
+ * @returns {DeserializedPaillierBlumProof} The proof that the modulus is the product of two large primes.
+ */
+export async function prove(p: bigint, q: bigint): Promise<DeserializedPaillierBlumProof> {
+  // Prover selects random w with Jacobi symbol 1 wrt N.
+  const N = p * q;
+  const l = (p - BigInt(1)) * (q - BigInt(1));
+  const d = modInv(N, l);
+  let w;
+  while (true) {
+    w = bigIntFromBufferBE(Buffer.from(await randBits(bitLength(N))));
+    if (jacobi(w, N) === BigInt(-1)) {
+      break;
+    }
+  }
+  // This is calculating the inverse of the function y^4 mod N,
+  // i.e.y ^ (1 / 4), where N = pq is a blum integer using HOC - Fact 2.160
+  // from cacr.uwaterloo.ca / hac / about / chap2.pdf
+  // Prover generates y_i.
+  const y = generateY(N, w);
+  // Prover calculates z_i = y_i ^ d mod N
+  const z = y.map((y_i) => modPow(y_i, d, N));
+  // Prover calculates x_i = y_i ^ 1/4 mod N using [HOC - Fact 2.160]
+  const e = ((l + BigInt(4)) / BigInt(8)) ** BigInt(2);
+  const x = y.map((y_i) => modPow(y_i, e, N));
+  return { w, x, z };
+}
+
+/**
+ * Verify that N is the product of two large primes.
+ * @param {bigint} N The prime number being verified.
+ * @param {DeserializedPaillierBlumProof} The proof to verify N is a product of two large primes.
+ * @returns {boolean} True if N is a product of two large primes, and false otherwise.
+ */
+export async function verify(N: bigint, { w, x, z }: DeserializedPaillierBlumProof): Promise<boolean> {
+  // Verifier checks N > 1.
+  if (N <= 1) {
+    throw new Error('N must be greater than 1');
+  }
+  // Verifier checks N is odd.
+  if (N % BigInt(2) !== BigInt(1)) {
+    throw new Error('N must be an odd number');
+  }
+  // Verifier checks N is not prime.
+  if (await isProbablyPrime(N, 24)) {
+    throw new Error('N must be a composite number');
+  }
+  // Verifier checks that the Jacobi symbol for w is 1 wrt N.
+  if (jacobi(w, N) !== BigInt(-1)) {
+    throw new Error('Jacobi symbol of w must be -1 wrt to N');
+  }
+  // Verifier generates y_i.
+  const y = generateY(N, w);
+  for (let i = 0; i < m; i++) {
+    // Verifier checks z_i ^ N mod N == y_i.
+    if (modPow(z[i], N, N) !== y[i]) {
+      throw new Error(`Paillier verification of z[${i}] failed`);
+    }
+    // Verifier checks x_i ^ 4 mod N == y_i.
+    if (modPow(x[i], 4, N) !== y[i]) {
+      throw new Error(`Paillier verification of x[${i}] failed`);
+    }
+  }
+  return true;
+}