Riskless/static/js/modules/crypto/paillier.js

import { cryptoRandom, generate_prime } from "./random_primes.js";
import { mod_exp } from "./math.js";

class Cyphertext {
    constructor(key, plainText, r) {
        if (r === undefined) {
            r = cryptoRandom(4096);

            // Resample to avoid modulo bias.
            while (r >= key.n) {
                r = cryptoRandom(4096);
            }
        }

        // Compute g^m by binomial theorem.
        let gm = (1n + key.n * plainText) % key.n2;

        // Compute g^m r^n from crt.
        this.cyphertext = (gm * mod_exp(r, key.n, key.n2)) % key.n2;

        // Force into range.
        while (this.cyphertext < 0n) {
            this.cyphertext += key.n2;
        }

        this.r = r;
        this.pubKey = key;
        this.plainText = plainText;

        this.readOnly = false;
    }

    update(c) {
        this.cyphertext = (this.cyphertext * c.cyphertext) % this.pubKey.n2;
        this.r = (this.r * c.r) % this.pubKey.n2;
        this.plainText += c.plainText;

        // Force into range
        while (this.cyphertext < 0n) {
            this.cyphertext += this.pubKey.n2;
        }
    }

    toString() {
        return "0x" + this.cyphertext.toString(16);
    }

    prove() {
        return new ProofSessionProver(this);
    }

    asReadOnlyCyphertext() {
        return new ReadOnlyCyphertext(this.pubKey, this.cyphertext);
    }
}

class ProofSessionProver {
    constructor(cipherText) {
        this.cipherText = cipherText;

        this.rp = cryptoRandom(4096);
        while (this.rp >= this.cipherText.pubKey.n) {
            this.rp = cryptoRandom(4096);
        }
    }

    get a() {
        return mod_exp(this.rp, this.cipherText.pubKey.n, this.cipherText.pubKey.n2);
    }

    noise() {
        return mod_exp(this.rp, this.cipherText.pubKey.n, this.cipherText.pubKey.n2);
    }

    prove(challenge) {
        return (
            ((this.rp % this.cipherText.pubKey.n) *
                mod_exp(this.cipherText.r, challenge, this.cipherText.pubKey.n)) %
            this.cipherText.pubKey.n
        );
    }

    asVerifier() {
        return this.cipherText
            .asReadOnlyCyphertext()
            .prove(this.cipherText.plainText, this.noise());
    }
}

window.Cyphertext = Cyphertext;

export class ReadOnlyCyphertext {
    constructor(key, cyphertext) {
        this.cyphertext = cyphertext;
        this.pubKey = key;

        this.readOnly = true;
    }

    update(c) {
        this.cyphertext = (this.cyphertext * c.cyphertext) % this.pubKey.n2;

        // Force into range
        while (this.cyphertext < 0n) {
            this.cyphertext += this.pubKey.n2;
        }
    }

    prove(plainText, a) {
        return new ProofSessionVerifier(this, plainText, a);
    }

    clone() {
        return new ReadOnlyCyphertext(this.pubKey, this.cyphertext);
    }
}

class ProofSessionVerifier {
    constructor(cipherText, plainText, a) {
        // Clone, otherwise the update below will mutate the original value
        this.cipherText = cipherText.clone();
        this.cipherText.update(this.cipherText.pubKey.encrypt(-1n * plainText, 1n));
        // Shift the challenge down by 1 to ensure it is smaller than either prime factor.
        this.challenge = cryptoRandom(2048) << 1n;
        this.a = a;

        this.plainText = plainText;
    }

    verify(proof) {
        // check coprimality
        if (gcd(proof, this.cipherText.pubKey.n) !== 1n) return -1;
        if (gcd(this.cipherText.cyphertext, this.cipherText.pubKey.n) !== 1n) return -2;
        if (gcd(this.a, this.cipherText.pubKey.n) !== 1n) return -3;

        // check exp
        return mod_exp(proof, this.cipherText.pubKey.n, this.cipherText.pubKey.n2) ===
            (this.a *
                mod_exp(
                    this.cipherText.cyphertext,
                    this.challenge,
                    this.cipherText.pubKey.n2
                )) %
                this.cipherText.pubKey.n2
            ? 1
            : -4;
    }
}

window.ReadOnlyCyphertext = ReadOnlyCyphertext;

export class PaillierPubKey {
    constructor(n) {
        this.n = n;
        this.n2 = this.n ** 2n;
        this.g = this.n + 1n;
    }

    encrypt(m, r) {
        return new Cyphertext(this, m, r);
    }

    toJSON() {
        return {
            n: "0x" + this.n.toString(16),
        };
    }

    static fromJSON(data) {
        return new PaillierPubKey(BigInt(data.n));
    }
}

class PaillierPrivKey {
    constructor(p, q) {
        this.n = p * q;
        // precompute square of n
        this.n2 = this.n ** 2n;
        this.lambda = (p - 1n) * (q - 1n);
        this.mu = mod_exp(this.lambda, this.lambda - 1n, this.n);
    }

    decrypt(c) {
        return (((mod_exp(c, this.lambda, this.n2) - 1n) / this.n) * this.mu) % this.n;
    }
}

export function generate_keypair() {
    let p, q, pubKey, privKey;

    if (window.sessionStorage.getItem("p") === null) {
        p = generate_prime();
        window.sessionStorage.setItem("p", p);
    } else {
        p = BigInt(window.sessionStorage.getItem("p"));
    }

    if (window.sessionStorage.getItem("q") === null) {
        q = generate_prime();
        window.sessionStorage.setItem("q", q);
    } else {
        q = BigInt(window.sessionStorage.getItem("q"));
    }

    pubKey = new PaillierPubKey(p * q);
    privKey = new PaillierPrivKey(p, q);

    return { pubKey, privKey };
}

// p = a.prove(); v = p.asVerifier(); v.verify(p.prove(v.challenge));
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`import { cryptoRandom, generate_prime } from "./random_primes.js";`
Mid refactor to stop polluting the namespace so much 2023-03-03 17:34:15 +00:00			`import { mod_exp } from "./math.js";`

paillier integration sort of 2023-03-17 10:42:11 +00:00			`class Cyphertext {`
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`constructor(key, plainText, r) {`
			`if (r === undefined) {`
			`r = cryptoRandom(4096);`

			`// Resample to avoid modulo bias.`
			`while (r >= key.n) {`
			`r = cryptoRandom(4096);`
			`}`
Some paillier bits 2023-02-11 14:59:24 +00:00			`}`

			`// Compute g^m by binomial theorem.`
.... 2023-04-07 17:59:33 +00:00			`let gm = (1n + key.n * plainText) % key.n2;`
paillier integration sort of 2023-03-17 10:42:11 +00:00
... 2023-04-06 19:42:24 +00:00			`// Compute g^m r^n from crt.`
.... 2023-04-07 17:59:33 +00:00			`this.cyphertext = (gm * mod_exp(r, key.n, key.n2)) % key.n2;`
... 2023-04-06 19:42:24 +00:00
			`// Force into range.`
			`while (this.cyphertext < 0n) {`
.... 2023-04-07 17:59:33 +00:00			`this.cyphertext += key.n2;`
... 2023-04-06 19:42:24 +00:00			`}`

paillier integration sort of 2023-03-17 10:42:11 +00:00			`this.r = r;`
code for proof system 2023-03-18 15:41:37 +00:00			`this.pubKey = key;`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`this.plainText = plainText;`

			`this.readOnly = false;`
			`}`

			`update(c) {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`this.cyphertext = (this.cyphertext * c.cyphertext) % this.pubKey.n2;`
			`this.r = (this.r * c.r) % this.pubKey.n2;`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`this.plainText += c.plainText;`
Fix bug where ciphertexts could end up negative 2023-04-06 11:15:19 +00:00
			`// Force into range`
			`while (this.cyphertext < 0n) {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`this.cyphertext += this.pubKey.n2;`
Fix bug where ciphertexts could end up negative 2023-04-06 11:15:19 +00:00			`}`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`}`

			`toString() {`
			`return "0x" + this.cyphertext.toString(16);`
			`}`
code for proof system 2023-03-18 15:41:37 +00:00
			`prove() {`
			`return new ProofSessionProver(this);`
			`}`

			`asReadOnlyCyphertext() {`
			`return new ReadOnlyCyphertext(this.pubKey, this.cyphertext);`
			`}`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`}`

code for proof system 2023-03-18 15:41:37 +00:00			`class ProofSessionProver {`
			`constructor(cipherText) {`
			`this.cipherText = cipherText;`

Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`this.rp = cryptoRandom(4096);`
code for proof system 2023-03-18 15:41:37 +00:00			`while (this.rp >= this.cipherText.pubKey.n) {`
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`this.rp = cryptoRandom(4096);`
code for proof system 2023-03-18 15:41:37 +00:00			`}`
			`}`

Some verification working 2023-03-24 16:53:02 +00:00			`get a() {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`return mod_exp(this.rp, this.cipherText.pubKey.n, this.cipherText.pubKey.n2);`
Some verification working 2023-03-24 16:53:02 +00:00			`}`

code for proof system 2023-03-18 15:41:37 +00:00			`noise() {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`return mod_exp(this.rp, this.cipherText.pubKey.n, this.cipherText.pubKey.n2);`
code for proof system 2023-03-18 15:41:37 +00:00			`}`

			`prove(challenge) {`
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`return (`
			`((this.rp % this.cipherText.pubKey.n) *`
			`mod_exp(this.cipherText.r, challenge, this.cipherText.pubKey.n)) %`
			`this.cipherText.pubKey.n`
			`);`
			`}`

			`asVerifier() {`
			`return this.cipherText`
			`.asReadOnlyCyphertext()`
			`.prove(this.cipherText.plainText, this.noise());`
code for proof system 2023-03-18 15:41:37 +00:00			`}`
			`}`

			`window.Cyphertext = Cyphertext;`

paillier integration sort of 2023-03-17 10:42:11 +00:00			`export class ReadOnlyCyphertext {`
			`constructor(key, cyphertext) {`
			`this.cyphertext = cyphertext;`
code for proof system 2023-03-18 15:41:37 +00:00			`this.pubKey = key;`
paillier integration sort of 2023-03-17 10:42:11 +00:00
			`this.readOnly = true;`
			`}`

			`update(c) {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`this.cyphertext = (this.cyphertext * c.cyphertext) % this.pubKey.n2;`
Fix bug where ciphertexts could end up negative 2023-04-06 11:15:19 +00:00
			`// Force into range`
			`while (this.cyphertext < 0n) {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`this.cyphertext += this.pubKey.n2;`
Fix bug where ciphertexts could end up negative 2023-04-06 11:15:19 +00:00			`}`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`}`
code for proof system 2023-03-18 15:41:37 +00:00
Some verification working 2023-03-24 16:53:02 +00:00			`prove(plainText, a) {`
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`return new ProofSessionVerifier(this, plainText, a);`
code for proof system 2023-03-18 15:41:37 +00:00			`}`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00
			`clone() {`
			`return new ReadOnlyCyphertext(this.pubKey, this.cyphertext);`
			`}`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`}`

code for proof system 2023-03-18 15:41:37 +00:00			`class ProofSessionVerifier {`
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`constructor(cipherText, plainText, a) {`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00			`// Clone, otherwise the update below will mutate the original value`
			`this.cipherText = cipherText.clone();`
Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`this.cipherText.update(this.cipherText.pubKey.encrypt(-1n * plainText, 1n));`
			`// Shift the challenge down by 1 to ensure it is smaller than either prime factor.`
			`this.challenge = cryptoRandom(2048) << 1n;`
code for proof system 2023-03-18 15:41:37 +00:00			`this.a = a;`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00
			`this.plainText = plainText;`
code for proof system 2023-03-18 15:41:37 +00:00			`}`

			`verify(proof) {`
			`// check coprimality`
Fix bug where ciphertexts could end up negative 2023-04-06 11:15:19 +00:00			`if (gcd(proof, this.cipherText.pubKey.n) !== 1n) return -1;`
			`if (gcd(this.cipherText.cyphertext, this.cipherText.pubKey.n) !== 1n) return -2;`
			`if (gcd(this.a, this.cipherText.pubKey.n) !== 1n) return -3;`
code for proof system 2023-03-18 15:41:37 +00:00
			`// check exp`
.... 2023-04-07 17:59:33 +00:00			`return mod_exp(proof, this.cipherText.pubKey.n, this.cipherText.pubKey.n2) ===`
code for proof system 2023-03-18 15:41:37 +00:00			`(this.a *`
			`mod_exp(`
			`this.cipherText.cyphertext,`
			`this.challenge,`
.... 2023-04-07 17:59:33 +00:00			`this.cipherText.pubKey.n2`
code for proof system 2023-03-18 15:41:37 +00:00			`)) %`
.... 2023-04-07 17:59:33 +00:00			`this.cipherText.pubKey.n2`
Fix bug where ciphertexts could end up negative 2023-04-06 11:15:19 +00:00			`? 1`
			`: -4;`
code for proof system 2023-03-18 15:41:37 +00:00			`}`
			`}`

			`window.ReadOnlyCyphertext = ReadOnlyCyphertext;`

paillier integration sort of 2023-03-17 10:42:11 +00:00			`export class PaillierPubKey {`
			`constructor(n) {`
			`this.n = n;`
.... 2023-04-07 17:59:33 +00:00			`this.n2 = this.n ** 2n;`
paillier integration sort of 2023-03-17 10:42:11 +00:00			`this.g = this.n + 1n;`
			`}`

Ensure bit length of randomly generated numbers are fine 2023-03-19 15:31:29 +00:00			`encrypt(m, r) {`
			`return new Cyphertext(this, m, r);`
Colors and claiming regions 2023-02-08 17:55:45 +00:00			`}`
... 2023-03-13 14:52:14 +00:00
			`toJSON() {`
			`return {`
			`n: "0x" + this.n.toString(16),`
			`};`
			`}`

			`static fromJSON(data) {`
			`return new PaillierPubKey(BigInt(data.n));`
			`}`
Colors and claiming regions 2023-02-08 17:55:45 +00:00			`}`

... 2023-03-13 14:52:14 +00:00			`class PaillierPrivKey {`
needs to be taken mod n for some reason. 2023-02-12 16:51:28 +00:00			`constructor(p, q) {`
			`this.n = p * q;`
.... 2023-04-07 17:59:33 +00:00			`// precompute square of n`
			`this.n2 = this.n ** 2n;`
needs to be taken mod n for some reason. 2023-02-12 16:51:28 +00:00			`this.lambda = (p - 1n) * (q - 1n);`
Mid refactor to stop polluting the namespace so much 2023-03-03 17:34:15 +00:00			`this.mu = mod_exp(this.lambda, this.lambda - 1n, this.n);`
needs to be taken mod n for some reason. 2023-02-12 16:51:28 +00:00			`}`

			`decrypt(c) {`
.... 2023-04-07 17:59:33 +00:00			`return (((mod_exp(c, this.lambda, this.n2) - 1n) / this.n) * this.mu) % this.n;`
move prime generation out 2023-02-08 15:52:02 +00:00			`}`
Colors and claiming regions 2023-02-08 17:55:45 +00:00			`}`

Mid refactor to stop polluting the namespace so much 2023-03-03 17:34:15 +00:00			`export function generate_keypair() {`
... 2023-03-13 14:52:14 +00:00			`let p, q, pubKey, privKey;`

Store primes in sessionStorage to make reloading the page quicker. 2023-02-13 14:55:25 +00:00			`if (window.sessionStorage.getItem("p") === null) {`
			`p = generate_prime();`
			`window.sessionStorage.setItem("p", p);`
			`} else {`
			`p = BigInt(window.sessionStorage.getItem("p"));`
			`}`

			`if (window.sessionStorage.getItem("q") === null) {`
			`q = generate_prime();`
			`window.sessionStorage.setItem("q", q);`
			`} else {`
			`q = BigInt(window.sessionStorage.getItem("q"));`
			`}`
Colors and claiming regions 2023-02-08 17:55:45 +00:00
... 2023-03-13 14:52:14 +00:00			`pubKey = new PaillierPubKey(p * q);`
			`privKey = new PaillierPrivKey(p, q);`
Mid refactor to stop polluting the namespace so much 2023-03-03 17:34:15 +00:00
			`return { pubKey, privKey };`
			`}`
Ensure ciphertexts are cloned to avoid mutating actual object. 2023-04-09 17:36:58 +00:00
			`// p = a.prove(); v = p.asVerifier(); v.verify(p.prove(v.challenge));`