paillier 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f63285c7920e05242437975a03efa519083e7eed
+  data.tar.gz: dd8ac8fd45845371b140c96bcba512e4ece04607
+SHA512:
+  metadata.gz: 7951656a310e1b9a1ad402de9b765a51be1a690537cb24390527abfecf67389866921c35bc2b97174097fa65acabeb52686c5c14009af1c1f297bf950442728c
+  data.tar.gz: bbbc5f266370f5f55d87932d5744acf4c518208eae95237f10da1b41f73ed5cfebd048b20bf62ad7520a89b435fa46e5057d6ee7bef78e834c025fd73045ce6b

data/lib/paillier.rb

@@ -0,0 +1,240 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'digest'
+require 'bigdecimal'
+require 'bigdecimal/math' # For 'log'
+
+require_relative 'paillier/primes'
+require_relative 'paillier/keys'
+require_relative 'paillier/signatures'
+
+module Paillier
+
+	KeySize = 2048
+
+	def self.gcd(u,v) # :nodoc:
+		while(v > 0)
+			u, v = v, u % v
+		end
+		return u
+	end
+
+	def self.extendedGcd(a, b) # :nodoc:
+		# Make sure we're always using Bignums instead of ints
+		# The behavior of the division operator is very different for bignums,
+		# so it's important to use a consistent data type.
+		a = a.to_bn
+		b = b.to_bn
+		# Can't use .abs with bignums, implemented it manually
+		last_remainder = (a > 0) ? a : (-1 * a)
+		remainder = (b > 0) ? b : (-1 * b)
+		x, last_x, y, last_y = 0, 1, 1, 0
+		while( remainder != 0 )
+			t_last_remainder = remainder
+			quotient, remainder = last_remainder / remainder
+			last_remainder = t_last_remainder
+			x, last_x = last_x - quotient*x, x
+			y, last_y = last_y - quotient*y, y
+		end
+
+		return last_remainder, last_x * (a < 0 ? -1 : 1)
+	end
+
+	# Multiplicative inverse of 'a' mod 'p'
+	# Returns 'b' such that a * b == 1 mod p
+	def self.modInv(a, p) # :nodoc:
+		if a == 0
+			raise ArgumentError, "0 has no inverse mod #{p}"
+		end
+		(g, x) = extendedGcd(a, p)
+		if( g != 1 )
+			raise ArgumentError, "#{a} has no inverse mod #{p}"
+		end
+		return x % p
+	end 
+
+	# Returns modular exponent
+	# (base ** exponent) % modulus
+	# Handles very big numbers
+	def self.modPow(base, exponent, modulus) # :nodoc:
+		return base.to_bn.mod_exp(exponent, modulus)
+	end
+
+	# Generates a new public private keypair
+	#
+	# Example:
+	#	>> Paillier.generateKeypair(2048)
+	#	=> [#<Paillier::PrivateKey>, #<Paillier::PublicKey>]
+	#
+	# Arguments:
+	#	bits: (Int)
+	def self.generateKeypair(bits)
+		p = Primes.generatePrime(bits/2)
+		q = Primes.generatePrime(bits/2)
+		n = p * q
+
+		# actual keygen grumble grumble
+		# all the libraries we found did it wrong and just made lambda = phi(n)
+		# and set mu to phi(n)^-1
+		# this is the actual spec for it
+		lambda_n = ( (p-1) * (q-1) ) / gcd( (p-1), (q-1) )
+
+		# this is technically a shortcut but not incorrect, the public key is unrelated to the private one
+		g = n + 1
+
+		# intermediary step
+		u = (g.to_bn.mod_exp(lambda_n, n * n)).to_i
+		# intermediary step
+		u_2 = (u - 1) / n
+		# now we have mu
+		mu = Paillier.modInv(u_2, n)
+		
+		return PrivateKey.new(lambda_n, mu), PublicKey.new(n)
+	end
+
+	# For a Zero-Knowledge Proofs we need to demonstrate that we know 'r',
+	# therefore 'r' must be returned.
+	def self.rEncrypt(pub, plain) # :nodoc:
+		r = -1
+		while( true )
+			# We have to use BigMath here to make sure 'log' doesn't round
+			# to infinity and throw an exception
+			big_n = BigDecimal.new(pub.n)
+			r = Primes.generateCoprime(BigMath.log(big_n, 2).round, pub.n)
+			if( r > 0 and r < pub.n )
+				break
+			end
+		end
+		# We want to run: x = ((r ** pub.n) % pub.n_sq)
+		# But the numbers are too big, so we'll use openssl
+		x = r.to_bn.mod_exp(pub.n, pub.n_sq)
+		# We want to run: cipher = (((g ** plain) % pub.n_sq) * x) % pub.n_sq
+		# But similarly the math is real slow and we'll use openssl
+		cipher = (pub.g.to_bn.mod_exp(plain, pub.n_sq)).mod_mul(x, pub.n_sq)
+		return r, cipher
+	end
+
+	# Encrypts a message with the provided public key
+	#
+	# Example:
+	#	>> Paillier.encrypt(publicKey, 3)
+	#	=> #<OpenSSL::BN:cyphertext>
+	#
+	# Arguments:
+	#	publicKey: (Paillier::PublicKey)
+	#	plaintext: (Int)
+	def self.encrypt(publicKey, plaintext)
+		return rEncrypt(publicKey, plaintext)[1]
+	end
+
+	# Adds one encrypted int to another
+	#
+	# Example:
+	#	>> Paillier.eAdd(publicKey, cx, cy)
+	#	=> #<OpenSSL::BN::cyphertext>
+	#
+	# Arguments:
+	#	publicKey: (Paillier::PublicKey)
+	#	a: (Int)
+	#	b: (Int)
+	def self.eAdd(publicKey, a, b)
+		return a.to_bn.mod_mul(b, publicKey.n_sq)
+	end
+
+	# Adds a plaintext constant 'n' to an encrypted int
+	#
+	# Example:
+	#	>> Paillier.eAddConst(publicKey, cyphertext, 3)
+	#	=> #<OpenSSL::BN::cyphertext>
+	#
+	# Arguments:
+	#	publicKey: (Paillier::PublicKey)
+	#	a: (Int)
+	#	b: (Int)
+	def self.eAddConst(publicKey, a, n)
+		return a.to_bn.mod_mul(modPow(publicKey.g, n, publicKey.n_sq), publicKey.n_sq)
+	end
+
+	# Multiplies an encrypted int by a constant
+	#
+	# Example:
+	#	>> Paillier.eMulConst(publicKey, cyphertext, 2)
+	#	=> #<OpenSSL::BN::cyphertext>
+	#
+	# Arguments:
+	#	publicKey: (Paillier::PublicKey)
+	def self.eMulConst(publicKey, a, n)
+		return modPow(a, n, publicKey.n_sq)
+	end
+
+	# Decrypts a message, returning plaintext
+	#
+	# Example:
+	#	>> Paillier.decrypt(priv, pub, Paillier.encrypt(priv, pub, 3))
+	#	=> 3
+	#
+	# Arguments:
+	#	privKey: (Paillier::PrivateKey)
+	#	pubKey: (Paillier::PublicKey)
+	#	ciphertext: (Int)
+	def self.decrypt(privKey, pubKey, ciphertext)
+		# We want to run: x = ((cipher ** priv.l) % pub.n_sq) - 1
+		# But the numbers are too big, so we'll use openssl
+		x = ciphertext.to_bn.mod_exp(privKey.l, pubKey.n_sq) - 1
+		plain = (x.to_i / pubKey.n.to_i).to_bn.mod_mul(privKey.m, pubKey.n)
+		return plain
+	end
+
+	# Returns a detached signature for any message
+	#
+	# Example:
+	#	>> Paillier.sign(priv, pub, 3)
+	#	=> #<Paillier::Signature>
+	#
+	# Arguments:
+	#	priv: (Paillier::PrivateKey)
+	#	pub: (Paillier::PublicKey)
+	#	data: (Int)
+	def self.sign(priv, pub, data)
+		hashData = hash(data)
+		# L(u) = (u-1)/n
+		numerators1 = ((hashData.to_bn.mod_exp(priv.l, pub.n_sq) - 1) / pub.n.to_bn)[0]
+		denominators1 = ((pub.g.to_bn.mod_exp(priv.l, pub.n_sq) - 1) / pub.n.to_bn)[0]
+		#s1 = ((numerators1[0] / denominators1[0]))[0] % pub.n
+		inverse_denom = Paillier.modInv(denominators1.to_i, pub.n)
+		s1 = numerators1.to_bn.mod_mul(inverse_denom, pub.n)
+		
+		inverse_n = Paillier.modInv(pub.n, priv.l)
+		inverse_g = Paillier.modInv(pub.g.to_bn.mod_exp(s1.to_bn, pub.n).to_i, pub.n)
+		s2 = (hashData * inverse_g).to_bn.mod_exp(inverse_n, pub.n)
+
+		return Signature.new(s1, s2)
+	end
+
+	def self.hash(message) # :nodoc:
+		return Digest::SHA256.hexdigest(message.to_s).to_i(16)
+	end
+
+	# Validates the signature for a given message
+	# Returns true if signature is good, false otherwise
+	#
+	# Example:
+	#	>> Paillier.validSignature(pub, 3, Paillier.sign(priv, pub, 3))
+	#	=> true
+	#
+	# Arguments:
+	#	pub: (Paillier::PublicKey)
+	#	message: (Int)
+	#	sig: (Paillier::Signature)
+	def self.validSignature?(pub, message, sig)
+		hash = Digest::SHA256.hexdigest(message.to_s).to_i(16)
+		# We want to run (g ** s1) * (s2 ** n) % (n**2)
+		# But all those numbers are huge, so we approach it in stages
+		a = pub.g.to_bn.mod_exp(sig.s1, pub.n_sq)
+		b = sig.s2.to_bn.mod_exp(pub.n, pub.n_sq)
+		sighash = a.mod_mul(b, pub.n_sq)
+		return (hash == sighash)
+	end
+
+end

data/lib/paillier/keys.rb

@@ -0,0 +1,44 @@
+module Paillier
+	class PrivateKey
+		attr_reader :l, :m # :nodoc:
+
+		def initialize(l,m) # :nodoc:
+			@l = l
+			@m = m
+		end
+	end
+
+	class PublicKey
+		attr_reader :n, :n_sq, :g # :nodoc:
+
+		def initialize(n) # :nodoc:
+			@n = n
+			@n_sq = n * n
+			@g = n+1
+		end
+
+		# Serialize a public key to string form
+		#
+		# Example:
+		#	>> priv, pub = Paillier.generateKeypair(2048)
+		#	>> pub.to_s
+		#	=> "110107191408889682017277609474037601699496910..."
+		#
+		def to_s
+			return "#{@n}"
+		end
+
+		# De-serialize a public key string back into object form
+		#
+		# Example:
+		#	>> s = pub.to_s
+		#	>> newPub = Paillier::PublicKey.from_s(s)
+		#	=> #<Paillier::PublicKey>
+		#
+		# Arguments:
+		#	string (String)
+		def PublicKey.from_s(string)
+			return PublicKey.new(string.to_i)
+		end
+	end
+end

data/lib/paillier/primes.rb

@@ -0,0 +1,103 @@
+require 'openssl'
+require 'securerandom'
+
+module Paillier
+	module Primes # :nodoc:
+
+		SmallPrimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
+
+		def self.bitLength(int)
+			return int.to_s(2).length
+		end
+
+		def self.defaultK(bits)
+			double = bits * 2
+			return (40 > double) ? 40 : double
+		end
+
+		# This is based on the Wikipedia article on the Fermat primality test
+		# returns true if probably prime, false if definitely composite
+		def self.probabilisticPrimeTest(target, k)
+			for _ in (1 .. k)
+				a = rand(2 .. (target-2))
+				# We want to run "x = (a ** target-1) % target", but the values
+				# are huge. Instead we call out to openssl and do it with mod_exp
+				mod = a.to_bn.mod_exp(target-1, target)
+				if( mod != 1 )
+					return false # Def composite
+				end
+			end
+			return true # probs prime
+		end
+
+		def self.isProbablyPrime?(possible, k=nil)
+			if( possible == 1 )
+				return true
+			end
+			if( k.nil? )
+				k = defaultK(bitLength(possible))
+			end
+			for i in SmallPrimes
+				if( possible == i )
+					return true
+				elsif( possible % i == 0 )
+					return false
+				end
+			end
+			# This isn't a known prime number, so we'll check for primality
+			# probabilistically
+			return probabilisticPrimeTest(possible, k)
+		end
+
+		# Expensive test to prove coprimality.
+		# If GCD == 1, the numbers are coprime
+		def self.isCoprime?(p, q)
+			while(q > 0)
+				p, q = q, p % q
+			end
+			return (p == 1)
+		end
+
+		# Get a random prime of appropriate length
+		def self.generatePrime(bits, k=nil)
+			if( bits < 8 )
+				raise "Bits less than eight!"
+			end
+			if( k == nil )
+				k = defaultK(bits)
+			end
+
+			while( true )
+				lowerBound = (2 ** (bits-1) + 1)
+				size = ((2 ** bits) - lowerBound)
+				possible = (lowerBound + SecureRandom.random_number(size)) | 1
+				if isProbablyPrime?(possible, k)
+					return possible
+				end
+			end
+		end
+
+		def self.generateCoprime(bits, coprime_to)
+			if( bits < 8 )
+				raise "Bits less than eight!"
+			end
+
+			# If we find a number not coprome to n then finding `p` and `q` is trivial.
+			# This will almost never happen for keys of reasonable size, so if
+			# `coprime_to` is big enough we won't bother running the expensive test.
+			no_test_needed = false
+			if( coprime_to > (2 ** 1024) )
+				no_test_needed = true
+			end
+
+			while( true )
+				lowerBound = (2 ** (bits-1) + 1)
+				size = ((2 ** bits) - lowerBound)
+				possible = (lowerBound + SecureRandom.random_number(size)) | 1
+				if no_test_needed or isCoprime?(possible, coprime_to)
+					return possible
+				end
+			end
+		end
+	end
+end

data/lib/paillier/signatures.rb

@@ -0,0 +1,34 @@
+module Paillier
+	class Signature
+		attr_reader :s1, :s2 # :nodoc:
+
+		def initialize(s1, s2) # :nodoc:
+			@s1 = s1.to_i
+			@s2 = s2.to_i
+		end
+
+		# Serialize a signature to string form
+		#
+		# Example:
+		#	>> sig = Paillier.sign(priv, pub, 3)
+		#	>> sig.to_s
+		#	=> "127609169397718360449546194929999128..."
+		def to_s()
+			return "#{s1},#{s2}"
+		end
+
+		# De-serialize a signature string to object form
+		#
+		# Example:
+		#	>> s = sig.to_s
+		#	>> newSig = Paillier::Signature.from_s(s)
+		#	=> #<Paillier::Signature>
+		#
+		# Arguments:
+		#	string (String)
+		def Signature.from_s(string)
+			(s1, s2) = string.split(",")
+			return Signature.new(s1, s2)
+		end
+	end
+end

metadata

@@ -0,0 +1,47 @@
+--- !ruby/object:Gem::Specification
+name: paillier
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Daylighting Society
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-18 00:00:00.000000000 Z
+dependencies: []
+description: An implementation of Paillier homomorphic addition public key system
+email: paillier@daylightingsociety.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/paillier.rb
+- lib/paillier/keys.rb
+- lib/paillier/primes.rb
+- lib/paillier/signatures.rb
+homepage: https://paillier.daylightingsociety.org
+licenses:
+- LGPL-3.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.4
+signing_key: 
+specification_version: 4
+summary: Paillier Homomorphic Cryptosystem
+test_files: []