paillier 1.0.0 → 1.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f63285c7920e05242437975a03efa519083e7eed
-  data.tar.gz: dd8ac8fd45845371b140c96bcba512e4ece04607
+SHA256:
+  metadata.gz: 784166f6728fa330be600b47c2be1a643ff20471b6029723083a94806681a93a
+  data.tar.gz: '05960d00f769c0be21772270addb3a9f247b925621b2ebc7d78d7a86e8aac5fc'
 SHA512:
-  metadata.gz: 7951656a310e1b9a1ad402de9b765a51be1a690537cb24390527abfecf67389866921c35bc2b97174097fa65acabeb52686c5c14009af1c1f297bf950442728c
-  data.tar.gz: bbbc5f266370f5f55d87932d5744acf4c518208eae95237f10da1b41f73ed5cfebd048b20bf62ad7520a89b435fa46e5057d6ee7bef78e834c025fd73045ce6b
+  metadata.gz: 9288c168ac05ed5584d6c7878ec248b0dea02b0c3c9bd866c810c5f4a962677fc65a6338573835eb6e4e651fdb39bb4239d561f7600ec6898e3b1adfae55dff6
+  data.tar.gz: 84c1f5a371d5ba2e6be59c3193b9a1814882cff4a843549f5e0d10842869c2b074e1402f4fe359a71428e2d49ed07545cc92c5ad8dd218f9df04083d1d2b6cae

data/lib/paillier.rb

@@ -8,11 +8,10 @@ require 'bigdecimal/math' # For 'log'
 require_relative 'paillier/primes'
 require_relative 'paillier/keys'
 require_relative 'paillier/signatures'
+require_relative 'paillier/zkp'
 
 module Paillier
 
-	KeySize = 2048
-
 	def self.gcd(u,v) # :nodoc:
 		while(v > 0)
 			u, v = v, u % v
@@ -100,7 +99,7 @@ module Paillier
 		while( true )
 			# We have to use BigMath here to make sure 'log' doesn't round
 			# to infinity and throw an exception
-			big_n = BigDecimal.new(pub.n)
+			big_n = BigDecimal(pub.n)
 			r = Primes.generateCoprime(BigMath.log(big_n, 2).round, pub.n)
 			if( r > 0 and r < pub.n )
 				break
@@ -123,8 +122,11 @@ module Paillier
 	#
 	# Arguments:
 	#	publicKey: (Paillier::PublicKey)
-	#	plaintext: (Int)
+	#	plaintext: (Int, OpenSSL::BN, String)
 	def self.encrypt(publicKey, plaintext)
+		if( plaintext.is_a?(String) )
+			plaintext = OpenSSL::BN.new(plaintext)
+		end
 		return rEncrypt(publicKey, plaintext)[1]
 	end
 
@@ -136,9 +138,15 @@ module Paillier
 	#
 	# Arguments:
 	#	publicKey: (Paillier::PublicKey)
-	#	a: (Int)
-	#	b: (Int)
+	#	a: (Int, OpenSSL::BN, String)
+	#	b: (Int, OpenSSL::BN, String)
 	def self.eAdd(publicKey, a, b)
+		if( a.is_a?(String) )
+			a = OpenSSL::BN.new(a)
+		end
+		if( b.is_a?(String) )
+			b = OpenSSL::BN.new(b)
+		end
 		return a.to_bn.mod_mul(b, publicKey.n_sq)
 	end
 
@@ -150,9 +158,15 @@ module Paillier
 	#
 	# Arguments:
 	#	publicKey: (Paillier::PublicKey)
-	#	a: (Int)
-	#	b: (Int)
+	#	a: (Int, OpenSSL::BN, String)
+	#	n: (Int, OpenSSL::BN, String)
 	def self.eAddConst(publicKey, a, n)
+		if( a.is_a?(String) )
+			a = OpenSSL::BN.new(a)
+		end
+		if( n.is_a?(String) )
+			n = OpenSSL::BN.new(n)
+		end
 		return a.to_bn.mod_mul(modPow(publicKey.g, n, publicKey.n_sq), publicKey.n_sq)
 	end
 
@@ -164,7 +178,15 @@ module Paillier
 	#
 	# Arguments:
 	#	publicKey: (Paillier::PublicKey)
+	#	a: (Int, OpenSSL::BN, String)
+	#	n: (Int, OpenSSL::BN, String)
 	def self.eMulConst(publicKey, a, n)
+		if( a.is_a?(String) )
+			a = OpenSSL::BN.new(a)
+		end
+		if( n.is_a?(String) )
+			n = OpenSSL::BN.new(n)
+		end
 		return modPow(a, n, publicKey.n_sq)
 	end
 
@@ -177,8 +199,11 @@ module Paillier
 	# Arguments:
 	#	privKey: (Paillier::PrivateKey)
 	#	pubKey: (Paillier::PublicKey)
-	#	ciphertext: (Int)
+	#	ciphertext: (Int, OpenSSL::BN, String)
 	def self.decrypt(privKey, pubKey, ciphertext)
+		if( ciphertext.is_a?(String) )
+			ciphertext = OpenSSL::BN.new(ciphertext)
+		end
 		# We want to run: x = ((cipher ** priv.l) % pub.n_sq) - 1
 		# But the numbers are too big, so we'll use openssl
 		x = ciphertext.to_bn.mod_exp(privKey.l, pubKey.n_sq) - 1
@@ -195,8 +220,11 @@ module Paillier
 	# Arguments:
 	#	priv: (Paillier::PrivateKey)
 	#	pub: (Paillier::PublicKey)
-	#	data: (Int)
+	#	data: (Int, OpenSSL::BN, String)
 	def self.sign(priv, pub, data)
+		if( data.is_a?(String) )
+			data = OpenSSL::BN.new(data)
+		end
 		hashData = hash(data)
 		# L(u) = (u-1)/n
 		numerators1 = ((hashData.to_bn.mod_exp(priv.l, pub.n_sq) - 1) / pub.n.to_bn)[0]
@@ -225,9 +253,12 @@ module Paillier
 	#
 	# Arguments:
 	#	pub: (Paillier::PublicKey)
-	#	message: (Int)
+	#	message: (Int, OpenSSL::BN, String)
 	#	sig: (Paillier::Signature)
 	def self.validSignature?(pub, message, sig)
+		if( message.is_a?(String) )
+			message = OpenSSL::BN.new(message)
+		end
 		hash = Digest::SHA256.hexdigest(message.to_s).to_i(16)
 		# We want to run (g ** s1) * (s2 ** n) % (n**2)
 		# But all those numbers are huge, so we approach it in stages

data/lib/paillier/keys.rb

@@ -6,6 +6,31 @@ module Paillier
 			@l = l
 			@m = m
 		end
+
+		# Serialize a private key to string form
+		#
+		# Example:
+		#	>> priv, pub = Paillier.generateKeypair(2048)
+		#	>> priv.to_s
+		#	=> "110107191408889682017277609474037601699496910..."
+		#
+		def to_s
+			return "#{@l},#{@m}"
+		end
+
+		# De-serialize a private key string back into object form
+		#
+		# Example:
+		#	>> s = priv.to_s
+		#	>> newPriv = Paillier::PrivateKey.from_s(s)
+		#	=> #<Paillier::PrivateKey>
+		#
+		# Arguments:
+		#	string (String)
+		def PrivateKey.from_s(string)
+			l,m = string.split(",")
+			return PrivateKey.new(l.to_i, m.to_i)
+		end
 	end
 
 	class PublicKey

data/lib/paillier/primes.rb

@@ -10,33 +10,37 @@ module Paillier
 			return int.to_s(2).length
 		end
 
-		def self.defaultK(bits)
-			double = bits * 2
-			return (40 > double) ? 40 : double
-		end
-
-		# This is based on the Wikipedia article on the Fermat primality test
-		# returns true if probably prime, false if definitely composite
-		def self.probabilisticPrimeTest(target, k)
-			for _ in (1 .. k)
-				a = rand(2 .. (target-2))
-				# We want to run "x = (a ** target-1) % target", but the values
-				# are huge. Instead we call out to openssl and do it with mod_exp
-				mod = a.to_bn.mod_exp(target-1, target)
-				if( mod != 1 )
-					return false # Def composite
-				end
-			end
-			return true # probs prime
-		end
+        # This is an implementation of the Rabin-Miller primality test.
+        # Previous versions used Little Fermat, but that is not effective
+        # in all cases; specifically, it can be thwarted by Carmichael 
+        # numbers. We use 50 rounds as the default, in order to get a certainty
+        # of 2^-100 that we have found a prime. This implementation is adapted
+        # from https://rosettacode.org/wiki/Miller-Rabin_primality_test#Ruby
+        def self.probabilisticPrimeTest(target, k=50)
+            d = target-1
+            s = 0
+            while d % 2 == 0
+                d /= 2
+                s += 1
+            end
+            k.times do
+                a = 2 + rand(target-4)
+                x = a.to_bn.mod_exp(d, target)
+                next if x == 1 || x == target-1
+                (s - 1).times do
+                    x = x.to_bn.mod_exp(2, target)
+                    return false if x == 1
+                    break if x == target - 1
+                end
+                return false if x != target-1
+            end
+            return true # probs prime
+        end
 
-		def self.isProbablyPrime?(possible, k=nil)
+		def self.isProbablyPrime?(possible, k=50)
 			if( possible == 1 )
 				return true
 			end
-			if( k.nil? )
-				k = defaultK(bitLength(possible))
-			end
 			for i in SmallPrimes
 				if( possible == i )
 					return true
@@ -59,14 +63,10 @@ module Paillier
 		end
 
 		# Get a random prime of appropriate length
-		def self.generatePrime(bits, k=nil)
+		def self.generatePrime(bits, k=50)
 			if( bits < 8 )
 				raise "Bits less than eight!"
 			end
-			if( k == nil )
-				k = defaultK(bits)
-			end
-
 			while( true )
 				lowerBound = (2 ** (bits-1) + 1)
 				size = ((2 ** bits) - lowerBound)
@@ -82,7 +82,7 @@ module Paillier
 				raise "Bits less than eight!"
 			end
 
-			# If we find a number not coprome to n then finding `p` and `q` is trivial.
+			# If we find a number not coprime to n then finding `p` and `q` is trivial.
 			# This will almost never happen for keys of reasonable size, so if
 			# `coprime_to` is big enough we won't bother running the expensive test.
 			no_test_needed = false

data/lib/paillier/zkp.rb

@@ -0,0 +1,311 @@
+
+# needed for bignums
+require 'set'
+require 'openssl'
+require 'securerandom'
+require_relative 'primes'
+
+BitStringLength = 256 #:nodoc:
+
+module Paillier
+
+	module ZKP
+
+		# The ZKP class is used for performing zero-knowledge content proofs.
+		# Initialization of a ZKP object generates a commitment that the user can send along with a ciphertext to another party.
+		# That party can then use the commitment to confirm that the ciphertext exists in the set of pre-determined valid messages.
+		class ZKP
+
+			# Commitment generated by the ZKP object on initialization, used in ZKPVerify? function
+			attr_reader :commitment
+
+			# Ciphertext generated by the ZKP object; accessible using both myZKP.ciphertext and myZKP.cyphertext
+			attr_reader :ciphertext, :cyphertext
+
+						
+			# Constructor function for a ZKP object. On initialization, generates a ZKPCommit object for use in verification
+			# 
+			# Example:
+			# 	>> myZKP = Paillier::ZKP::ZKP.new(key, 65, [23, 38, 52, 65, 77, 94])
+			#		=> [#<@p = plaintext>, #<@pubkey = <key>>, #<@ciphertext = <ciphertext>>, #<@cyphertext = <ciphertext>>, #<@commitment = <commitment>>]
+			# 
+			# Arguments:
+			# 	public_key: The key to be used for the encryption (Paillier::PublicKey)
+			# 	plaintext: The message to be encrypted (Integer)
+			# 	valid_messages: The set of valid messages for encryption (Array)
+			#
+			# NOTE: the order of valid_messages should be the same for both prover and verifier
+			def initialize(public_key, plaintext, valid_messages)
+				@p = plaintext
+				@pubkey = public_key
+				@r, @ciphertext = Paillier.rEncrypt(@pubkey, @p)
+				@cyphertext = @ciphertext
+				@a_s = Array.new()
+				@e_s = Array.new()
+				@z_s = Array.new()
+				@power = nil
+				@commitment = nil
+
+				# we generate a random value omega such that omega is coprime to n
+				while( true )
+					big_n = BigDecimal( @pubkey.n )
+					@omega = Primes.generateCoprime(BigMath.log(big_n, 2).round, @pubkey.n)
+					if( @omega > 0 and @omega < @pubkey.n)
+						break
+					end
+				end
+				
+				# a_p = omega ^ n (mod n^2); 'a' calculation for the plaintext
+				a_p = @omega.to_bn.mod_exp( @pubkey.n, @pubkey.n_sq)
+
+				valid_messages.each_with_index do |m_k, k|
+					# g_mk = g ^ m_k (mod n^2)
+					g_mk = @pubkey.g.to_bn.mod_exp(m_k.to_bn, @pubkey.n_sq)
+					
+					# u_k = c / g_mk (mod n^2)
+					# NOTE: this is modular algebra, so u_k = c * invmod(g_mk) (mod n^2)
+					u_k = @ciphertext.to_bn.mod_mul(Paillier.modInv(g_mk, @pubkey.n_sq), @pubkey.n_sq)
+					unless ( @p == m_k )
+						# randomly generate a coprime of n for z_k
+						while( true )
+							big_n = BigDecimal(@pubkey.n)
+							z_k = Primes::generateCoprime(BigMath.log(big_n, 2).round, @pubkey.n)
+							if( z_k > 0 and z_k < @pubkey.n )
+								break
+							end
+						end
+						@z_s.push(z_k.to_bn)
+
+						# generate a random e < 2^BitStringLength
+						e_k = SecureRandom.random_number((2 ** 256) - 1)
+						@e_s.push(e_k.to_bn)
+
+						# calculate z_k
+						# z_nth = z^n (mod n^2)
+						z_nth = z_k.to_bn.mod_exp(@pubkey.n, @pubkey.n_sq)
+						# u_eth = u^e_k (mod n^2)
+						u_eth = u_k.to_bn.mod_exp(e_k.to_bn, @pubkey.n_sq)
+						# a_k = z_nth / u_eth (mod n^2) = z_nth * invmod(u_eth) (mod n^2)
+						a_k = z_nth.to_bn.mod_mul( Paillier.modInv(u_eth, @pubkey.n_sq), @pubkey.n_sq )
+
+						@a_s.push(a_k.to_bn)
+					else
+						@power = k
+						@a_s.push(a_p.to_bn)
+					end
+				end
+				# attempting to craft a ZKP object with an invalid message throws exception
+				if(@power == nil)
+					raise ArgumentError, "Input message does not exist in array of valid messages.", caller
+				end
+				# we have now generated all a_s, and all e_s and z_s, save for e_p and z_p
+				# to generate e_p and z_p, we need to generate the challenge string, hash(a_s)
+				# to make the proof non-interactive
+				sha256 = OpenSSL::Digest::SHA256.new
+				for a_k in @a_s do
+					sha256 << a_k.to_s
+				end
+				challenge_string = sha256.digest.unpack('H*')[0].to_i(16)
+
+				# now that we have the "challenge string", we calculate e_p and z_p
+				e_sum = 0.to_bn
+				big_mod = 2.to_bn
+				big_mod = big_mod ** 256
+				for e_k in @e_s do
+					e_sum = (e_sum + e_k).to_bn % big_mod
+				end
+				# the sum of all e_s must add up to the challenge_string
+				e_p = (OpenSSL::BN.new(challenge_string) - e_sum).to_bn % big_mod
+				# r_ep = r ^ e_p (mod n)
+				r_ep = @r.to_bn.mod_exp(e_p.to_bn, @pubkey.n)
+				# z_p = omega * r^e_p (mod n)
+				z_p = @omega.to_bn.mod_mul(r_ep.to_bn, @pubkey.n)
+
+				@e_s.insert(@power, e_p.to_bn)
+				@z_s.insert(@power, z_p.to_bn)
+				@commitment = ZKPCommit.new(@a_s, @e_s, @z_s)
+				
+			end 
+		end 
+
+		# Wrapper function that creates a ZKP object for the user.
+		# Instead of needing to call Paillier::ZKP::ZKP.new(args), the user calls Paillier::ZKP.new(args).
+		#
+		# Example:
+		# 	>> myZKP = Paillier::ZKP.new(key, 65, [23, 38, 52, 65, 77, 94])
+		#		=> [#<@p = plaintext>, #<@pubkey = <key>>, #<@ciphertext = <ciphertext>>, #<@cyphertext = <ciphertext>>, #<@commitment = <commitment>>]
+		# 
+		# Arguments:
+		# 	public_key: The key to be used for the encryption (Paillier::PublicKey)
+		# 	plaintext: The message to be encrypted (Integer)
+		# 	valid_messages: The set of valid messages for encryption (Array)
+		#
+		# NOTE: the order of valid_messages should be the same for both prover and verifier
+		def self.new(pubkey, message, valid_messages)
+			return Paillier::ZKP::ZKP.new(pubkey, message, valid_messages)
+		end
+
+		# Function that verifies whether a ciphertext is within the set of valid messages.
+		#
+		# Example:
+		#
+		#		>> Paillier::ZKP.verifyZKP?(key, ciphertext, [23, 38, 65, 77, 94], commitment)
+		#		=> true
+		#
+		# Arguments:
+		#		pubkey: The key used for the encryption (Paillier::PublicKey)
+		#		ciphertext: The ciphertext generated using the public key (OpenSSL::BN)
+		#		valid_messages: The set of valid messages for encryption (Array)
+		#		commitment: The commitment generated by the prover (Paillier::ZKP::ZKPCommit)
+		#
+		# NOTE: the order of valid_messages should be the same for both prover and verifier
+		def self.verifyZKP?(pubkey, ciphertext, valid_messages, commitment)
+			u_s = Array.new
+			for m_k in valid_messages do		
+				# g_mk = g ^ m_k (mod n^2)
+				g_mk = pubkey.g.to_bn.mod_exp(m_k.to_bn, pubkey.n_sq)
+				# u_k = c / g_mk (mod n^2) = c * invmod(g_mk) (mod n^2)
+				u_k = OpenSSL::BN.new(ciphertext).mod_mul( Paillier.modInv(g_mk, pubkey.n_sq), pubkey.n_sq )
+				u_s.push(u_k)
+			end
+
+			# calculate the challenge_string
+			sha256 = OpenSSL::Digest::SHA256.new
+			for a_k in commitment.a_s do
+				sha256 << a_k.to_s
+			end
+			challenge_string = sha256.digest.unpack('H*')[0].to_i(16)
+
+			e_sum = 0.to_bn
+			big_mod = 2.to_bn
+			big_mod = big_mod ** 256
+			for e_k in commitment.e_s do
+				e_sum = (e_sum + e_k.to_bn) % big_mod
+			end
+
+			# first we check that the sum matches correctly
+			unless e_sum == OpenSSL::BN.new(challenge_string)
+				return false
+			end
+			# then we check that z_k^n = a_k * (u_k^e_k) (mod n^2)
+			for i in (0 .. (commitment.z_s.size - 1)) do
+				a_k = commitment.a_s[i]
+				e_k = commitment.e_s[i]
+				u_k = u_s[i]
+				z_k = commitment.z_s[i]
+				# left hand side
+				# z_kn = z_k ^ n (mod n^2)
+				z_kn = z_k.to_bn.mod_exp(pubkey.n, pubkey.n_sq)
+				# right hand side
+				# u_ke = u_k ^ e_k (mod n^2)
+				u_ke = u_k.to_bn.mod_exp(e_k, pubkey.n_sq)
+				# a_kue = a_k * u_ke (mod n^2)
+				a_kue = a_k.to_bn.mod_mul(u_ke, pubkey.n_sq)
+
+				# z_k ^ n ?= a_k * (u_k ^ e_k)
+				unless(z_kn == a_kue)
+					return false
+				end
+			end
+			# if it passes both tests, then we have validated the contents
+			return true
+		end 
+
+		# Wrapper class used for containing the components of the ZKP commitment
+		class ZKPCommit
+
+			attr_reader :a_s, :e_s, :z_s #:nodoc:
+			
+			def initialize(a_s, e_s, z_s) # :nodoc:
+				@a_s = a_s
+				@e_s = e_s
+				@z_s = z_s
+			end
+		
+			# Serializes a commitment	
+			#
+			# Example:
+			# 
+			# 	>> myZKP = Paillier::ZKP.new(key, 65, [23, 38, 52, 65, 77, 94])
+			#		=> [#<@p = plaintext>, #<@pubkey = <key>>, #<@ciphertext = <ciphertext>>, #<@cyphertext = <ciphertext>>, #<@commitment = <commitment>>]
+			#		>> myZKP.commitment.to_s
+			#		=> "<a1>,<a2>,<a3>,<a4>,<a5>,<a6>,;<e1>,<e2>,<e3>,<e4>,<e5>,;<z1>,<z2>,<z3>,<z4>,<z5>,"
+			def to_s()
+				a_s_string = @a_s.join(',')
+				e_s_string = @e_s.join(',')
+				z_s_string = @z_s.join(',')
+				return "#{a_s_string};#{e_s_string};#{z_s_string}"
+			end
+
+			# Deserializes a commitment
+			#
+			# Example:
+			#
+			#		>> commit = Paillier::ZKP::ZKPCommit.from_s(commitment_string)
+			#		=> #<Paillier::ZKP::ZKPCommit: @a_s=[<a1>,<a2>, .. ,<an>], @e_s=[<e1>,<e2>, .. ,<en>], @z_s=[<z1>,<z2>, .. ,<zn>]>
+			#
+			# Arguments:
+			#		commitment_string: Serialization of a commitment (String)
+			def ZKPCommit.from_s(string)
+				# these will hold the final result from string-parsing
+				a_s = Array.new
+				e_s = Array.new
+				z_s = Array.new
+
+				# separate at the semicolons
+				a_s_string, e_s_string, z_s_string = string.split(";")
+
+				# separate at the commas
+				a_s_strings = a_s_string.split(",")
+				e_s_strings = e_s_string.split(",")
+				z_s_strings = z_s_string.split(",")
+
+				# convert into arrays of bignums
+				for a in a_s_strings do
+					a_s.push(OpenSSL::BN.new(a))
+				end
+				for e in e_s_strings do
+					e_s.push(OpenSSL::BN.new(e))
+				end
+				for z in z_s_strings do
+					z_s.push(OpenSSL::BN.new(z))
+				end
+
+				# create the object with these arrays
+				return ZKPCommit.new(a_s, e_s, z_s)
+			end
+
+			# == operator overload to compare two ZKP commit objects
+			def ==(y) #:nodoc:
+				# if the array sizes don't match return false
+				if @a_s.size != y.a_s.size
+					return false
+				end
+				if @e_s.size != y.e_s.size
+					return false
+				end
+				if @z_s.size != y.z_s.size
+					return false
+				end
+				# if the corresponding elements in the arrays don't math return false
+				for i in (0 .. (@a_s.size - 1)) do
+					if(@a_s[i] != y.a_s[i])
+						return false
+					end
+				end
+				for i in (0 .. (@e_s.size - 1)) do
+					if(@e_s[i] != y.e_s[i])
+						return false
+					end
+				end
+				for i in (0 .. (@z_s.size - 1)) do
+					if(@z_s[i] != y.z_s[i])
+						return false
+					end
+				end
+				# else return true
+				return true
+			end
+		end	
+	end 
+end 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: paillier
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.2.4
 platform: ruby
 authors:
 - Daylighting Society
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-18 00:00:00.000000000 Z
+date: 2018-11-10 00:00:00.000000000 Z
 dependencies: []
 description: An implementation of Paillier homomorphic addition public key system
 email: paillier@daylightingsociety.org
@@ -20,6 +20,7 @@ files:
 - lib/paillier/keys.rb
 - lib/paillier/primes.rb
 - lib/paillier/signatures.rb
+- lib/paillier/zkp.rb
 homepage: https://paillier.daylightingsociety.org
 licenses:
 - LGPL-3.0
@@ -39,8 +40,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.4
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Paillier Homomorphic Cryptosystem