diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..d9a8098 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,7 @@ +# Changelog + +## v0.4.1 +* Fixed a bug that could cause a valid range proof to be rejected by verifier with small probability + (the larger a range, the smaller probability) [#26] + +[#26]: https://github.com/ZenGo-X/zk-paillier/pull/26 diff --git a/Cargo.toml b/Cargo.toml index ec46cfb..69d7993 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "zk-paillier" -version = "0.4.0" +version = "0.4.1" edition = "2018" description = "Collection of Paillier cryptosystem zero knowledge proofs written in Rust" license = "GPL-3.0-or-later" diff --git a/src/zkproofs/correct_key_ni.rs b/src/zkproofs/correct_key_ni.rs index 7904429..bd1579f 100644 --- a/src/zkproofs/correct_key_ni.rs +++ b/src/zkproofs/correct_key_ni.rs @@ -84,7 +84,7 @@ impl NiCorrectKeyProof { mask_generation(key_length, &seed_bn) % &ek.n }) .collect::>(); - let alpha_primorial: BigInt = BigInt::from_str_radix(&P, 10).unwrap(); + let alpha_primorial: BigInt = BigInt::from_str_radix(P, 10).unwrap(); let gcd_test = alpha_primorial.gcd(&ek.n); let derived_rho_vec = (0..M2) diff --git a/src/zkproofs/range_proof.rs b/src/zkproofs/range_proof.rs index 93d2b36..aab47f5 100644 --- a/src/zkproofs/range_proof.rs +++ b/src/zkproofs/range_proof.rs @@ -120,7 +120,7 @@ impl RangeProof { // commit to challenge let m = compute_digest(&e.0); let r = BigInt::sample_below(&ek.n); - let com = get_paillier_commitment(&ek, &m, &r); + let com = get_paillier_commitment(ek, &m, &r); (Commitment(com), ChallengeRandomness(r), e) } @@ -199,7 +199,7 @@ impl RangeProof { e: &ChallengeBits, ) -> Result<(), IncorrectProof> { let m = compute_digest(&e.0); - let com_tag = get_paillier_commitment(&ek, &m, &r.0); + let com_tag = get_paillier_commitment(ek, &m, &r.0); if com.0 == com_tag { Ok(()) } else { @@ -230,19 +230,19 @@ impl RangeProof { w2: data.w2[i].clone(), r2: data.r2[i].clone(), } - } else if secret_x + &data.w1[i] > range_scaled_third - && secret_x + &data.w1[i] < range_scaled_two_thirds + } else if secret_x + &data.w1[i] >= range_scaled_third + && secret_x + &data.w1[i] <= range_scaled_two_thirds { Response::Mask { j: 1, masked_x: secret_x + &data.w1[i], - masked_r: secret_r * &data.r1[i] % &ek.n, + masked_r: (secret_r * &data.r1[i]) % &ek.n, } } else { Response::Mask { j: 2, masked_x: secret_x + &data.w2[i], - masked_r: secret_r * &data.r2[i] % &ek.n, + masked_r: (secret_r * &data.r2[i]) % &ek.n, } } }) @@ -297,12 +297,14 @@ impl RangeProof { res = false; } - let flag = (*w2 < range_scaled_third - && *w1 > range_scaled_third - && *w1 < range_scaled_two_thirds) - || (*w1 < range_scaled_third - && *w2 > range_scaled_third - && *w2 < range_scaled_two_thirds); + let flag = (*w2 >= BigInt::zero() + && *w2 <= range_scaled_third + && *w1 >= range_scaled_third + && *w1 <= range_scaled_two_thirds) + || (*w1 >= BigInt::zero() + && *w1 <= range_scaled_third + && *w2 >= range_scaled_third + && *w2 <= range_scaled_two_thirds); if !flag { res = false; @@ -475,6 +477,57 @@ mod tests { assert!(result.is_ok()); } + #[test] + fn test_range_proof_correct_proof_for_small_range_many_times() { + for _ in 0..100 { + // common: + let range = BigInt::from(6000); + // prover: + let (ek, _dk) = test_keypair().keys(); + let (verifier_ek, verifier_dk) = test_keypair().keys(); + // verifier: + let (com, r, e) = RangeProof::verifier_commit(&verifier_ek); + let (challenge, verification_aid) = CorrectKey::challenge(&verifier_ek); + let proof_results = CorrectKey::prove(&verifier_dk, &challenge); + let _result = CorrectKey::verify(&proof_results.unwrap(), &verification_aid); + assert!(RangeProof::verify_commit(&verifier_ek, &com, &r, &e).is_ok()); + // prover: + let (encrypted_pairs, data_and_randmoness_pairs) = + RangeProof::generate_encrypted_pairs(&ek, &range, STATISTICAL_ERROR_FACTOR); + // prover: + let secret_r = BigInt::sample_below(&ek.n); + let secret_x = BigInt::sample_below(&range.div_floor(&BigInt::from(3))); + // common: + let cipher_x = Paillier::encrypt_with_chosen_randomness( + &ek, + RawPlaintext::from(&secret_x), + &Randomness(secret_r.clone()), + ); + // verifer decommits (tested in test_commit_decommit) + // prover: + let z_vector = RangeProof::generate_proof( + &ek, + &secret_x, + &secret_r, + &e, + &range, + &data_and_randmoness_pairs, + STATISTICAL_ERROR_FACTOR, + ); + // verifier: + let result = RangeProof::verifier_output( + &ek, + &e, + &encrypted_pairs, + &z_vector, + &range, + &cipher_x.0, + STATISTICAL_ERROR_FACTOR, + ); + assert!(result.is_ok()); + } + } + #[test] fn test_range_proof_incorrect_proof() { // common: diff --git a/src/zkproofs/range_proof_ni.rs b/src/zkproofs/range_proof_ni.rs index 7e0eed2..7e0bbe8 100644 --- a/src/zkproofs/range_proof_ni.rs +++ b/src/zkproofs/range_proof_ni.rs @@ -176,6 +176,23 @@ mod tests { .expect("range proof error"); } + #[test] + fn test_verifier_for_correct_proofs_for_small_range_many_times() { + for _ in 0..100 { + let (ek, _dk) = test_keypair().keys(); + let range = BigInt::sample(6000); + let secret_r = BigInt::sample_below(&ek.n); + let secret_x = BigInt::sample_below(&range.div_floor(&BigInt::from(3))); + let cipher_x = Paillier::encrypt_with_chosen_randomness( + &ek, + RawPlaintext::from(&secret_x), + &Randomness(secret_r.clone()), + ); + let range_proof = RangeProofNi::prove(&ek, &range, &cipher_x.0, &secret_x, &secret_r); + range_proof.verify(&ek, &cipher_x.0).unwrap(); + } + } + #[test] #[should_panic] fn test_verifier_for_incorrect_proof() {