Fix bit length proof

2023-04-28 10:32:05 +01:00
parent 574287d07b
commit 6005cd6aff
6 changed files with 77 additions and 37 deletions
--- a/static/js/modules/crypto/random_primes.js
+++ b/static/js/modules/crypto/random_primes.js
@ -1,6 +1,6 @@
 import { mod_exp } from "./math.js";

-export const KEY_SIZE = 512;
+export const KEY_SIZE = 2048;

 export function cryptoRandom(bits) {
    if (bits === undefined) {
--- a/static/js/modules/interface/player.js
+++ b/static/js/modules/interface/player.js
@ -8,6 +8,7 @@ import {
    proveFortify,
    proveRange,
    proveRegions,
+    verifyBitLength,
    verifyFortify,
    verifyRegions,
 } from "./proofs.js";
@ -208,12 +209,24 @@ export class Player {
        for (let regionName of Object.keys(data.fortify.fortify)) {
            let region = Region.getRegion(regionName);

-            region.reinforce(
-                new ReadOnlyCiphertext(
-                    this.paillierPubKey,
-                    BigInt(data.fortify.fortify[regionName])
-                )
+            let c1 = region.strength.cipherText.clone();
+            let c2 = new ReadOnlyCiphertext(
+                this.paillierPubKey,
+                BigInt(data.fortify.fortify[regionName])
            );
+
+            c1.update(c2);
+
+            let v = verifyBitLength({
+                ...data.fortify.rangeProofs[regionName],
+                cipherText: c1,
+            });
+
+            if (v !== null && v <= 8) {
+                region.reinforce(c2);
+            } else {
+                return false;
+            }
        }

        // request proofs
--- a/static/js/modules/interface/proofs.js
+++ b/static/js/modules/interface/proofs.js
@ -45,6 +45,11 @@ function cryptoShuffle(l) {

 const ROUNDS = 24;

+/**
+ * R-S transform.
+ *
+ * Uses the hash of the proof content to produce verifier coins
+ */
 function getCoins(text) {
    // Construct verifier coins
    let hasher = new jsSHA("SHA3-256", "TEXT");
@ -186,6 +191,9 @@ window.verifyRegions = verifyRegions;

 // verifyRegions(proveRegions({A:paillier.pubKey.encrypt(0n),B:paillier.pubKey.encrypt(1n),C:paillier.pubKey.encrypt(0n),D:paillier.pubKey.encrypt(0n),E:paillier.pubKey.encrypt(0n)}), paillier.pubKey)

+/**
+ * BCDG Range proof
+ */
 export function proveRange(cipherText, rangeUpper) {
    if (cipherText.readOnly) {
        throw "Cannot prove range of ReadOnlyCiphertext";
@ -322,6 +330,18 @@ export function proveBitLength(cipherText) {
        m >>= 1n;
    }

+    // Pad out
+    while (bitCommitments.length < 8) {
+        let c = key.encrypt(0n);
+        bitCommitments.push(c);
+
+        let c2 = c.clone();
+        c2.mul(e);
+        prod.update(c2);
+
+        e <<= 1n;
+    }
+
    let bitProofs = [];

    for (let bitCommitment of bitCommitments) {
@ -394,7 +414,13 @@ function proveOneOfTwo(cipherText) {
                cProofs: proof.cs.map((p) => p.proveNI()),
            });
        } else {
-            let c1Index = proof.cs.findIndex((c) => c.plainText === 1n);
+            let c1Index;
+            if (cipherText.plainText === paillier.pubKey.n2 - 1n) {
+                c1Index = proof.cs.findIndex((c) => c.plainText === 1n);
+            } else {
+                c1Index = proof.cs.findIndex((c) => c.plainText === 0n);
+            }
+
            let c1 = proof.cs[c1Index].clone();
            c1.update(cipherText);

@ -699,8 +725,6 @@ export function verifyFortify(obj, key) {
        }
    }

-    // TODO verify range proofs
-
    return true;
 }