Integrate verifiable encryption using TZ21 in proof system

Signed-off-by: lovesh <lovesh.bond@gmail.com>

Author: lovesh

legogroth16/src/lib.rs

@@ -10,10 +10,6 @@
 // #[macro_use]
 // extern crate bench_utils;
 
-#[cfg(feature = "r1cs")]
-#[macro_use]
-extern crate derivative;
-
 /// Reduce an R1CS instance to a *Quadratic Arithmetic Program* instance.
 pub(crate) mod r1cs_to_qap;
 

proof_system/Cargo.toml

@@ -39,6 +39,8 @@ bulletproofs_plus_plus = { version = "0.6.0", default-features = false, path = "
 smc_range_proof = { version = "0.6.0", default-features = false, path = "../smc_range_proof" }
 short_group_sig = { version = "0.4.0", default-features = false, path = "../short_group_sig" }
 kvac = { version = "0.5.0", default-features = false, path = "../kvac" }
+verifiable_encryption = { version = "0.1.0", default-features = false, path = "../verifiable_encryption" }
+sha3 = { version = "0.10.6", default-features = false }
 
 [dev-dependencies]
 ark-bls12-381.workspace = true
@@ -49,8 +51,8 @@ test_utils = { default-features = false, path = "../test_utils" }
 
 [features]
 default = ["parallel"]
-std = ["ark-ff/std", "ark-ec/std", "ark-std/std", "ark-serialize/std", "schnorr_pok/std", "dock_crypto_utils/std", "serde/std", "saver/std", "ark-groth16/std", "legogroth16/std", "ark-r1cs-std/std", "ark-relations/std", "merlin/std", "coconut-crypto/std", "bulletproofs_plus_plus/std", "smc_range_proof/std", "short_group_sig/std", "kvac/std"]
+std = ["ark-ff/std", "ark-ec/std", "ark-std/std", "ark-serialize/std", "schnorr_pok/std", "dock_crypto_utils/std", "serde/std", "saver/std", "ark-groth16/std", "legogroth16/std", "ark-r1cs-std/std", "ark-relations/std", "merlin/std", "coconut-crypto/std", "bulletproofs_plus_plus/std", "smc_range_proof/std", "short_group_sig/std", "kvac/std", "verifiable_encryption/std"]
 print-trace = ["ark-std/print-trace", "schnorr_pok/print-trace", "bbs_plus/print-trace", "vb_accumulator/print-trace", "dock_crypto_utils/print-trace"]
-parallel = ["std", "ark-ff/parallel", "ark-ec/parallel", "ark-std/parallel", "rayon", "schnorr_pok/parallel", "bbs_plus/parallel", "vb_accumulator/parallel", "saver/parallel", "ark-groth16/parallel", "legogroth16/parallel", "ark-r1cs-std/parallel", "dock_crypto_utils/parallel", "coconut-crypto/parallel", "bulletproofs_plus_plus/parallel", "smc_range_proof/parallel", "short_group_sig/parallel", "kvac/parallel"]
+parallel = ["std", "ark-ff/parallel", "ark-ec/parallel", "ark-std/parallel", "rayon", "schnorr_pok/parallel", "bbs_plus/parallel", "vb_accumulator/parallel", "saver/parallel", "ark-groth16/parallel", "legogroth16/parallel", "ark-r1cs-std/parallel", "dock_crypto_utils/parallel", "coconut-crypto/parallel", "bulletproofs_plus_plus/parallel", "smc_range_proof/parallel", "short_group_sig/parallel", "kvac/parallel", "verifiable_encryption/parallel"]
 wasmer-js = ["legogroth16/wasmer-js"]
 wasmer-sys = ["legogroth16/wasmer-sys"]

proof_system/src/constants.rs

@@ -22,3 +22,5 @@ pub const KB_POS_ACCUM_MEM_LABEL: &'static [u8; 34] = b"KB-positive-accumulator-
 pub const KB_POS_ACCUM_CDH_MEM_LABEL: &'static [u8; 38] = b"KB-positive-accumulator-CDH-membership";
 
 pub const BBDT16_KVAC_LABEL: &'static [u8; 14] = b"BDDT-2016-KVAC";
+pub const VE_TZ_21_LABEL: &'static [u8; 8] = b"VE-TZ-21";
+pub const VE_TZ_21_ROBUST_LABEL: &'static [u8; 15] = b"VE-TZ-21-Robust";

proof_system/src/error.rs

@@ -9,6 +9,7 @@ use saver::error::SaverError;
 use schnorr_pok::error::SchnorrError;
 use smc_range_proof::prelude::SmcRangeProofError;
 use vb_accumulator::error::VBAccumulatorError;
+use verifiable_encryption::error::VerifiableEncryptionError;
 
 #[derive(Debug)]
 pub enum ProofSystemError {
@@ -111,6 +112,10 @@ pub enum ProofSystemError {
     UnequalResponseOfSaverCiphertextAndChunk(usize),
     ResponseForWitnessNotFoundForStatement(usize),
     NoResponseFoundForWitnessRef(usize, usize),
+    MissingBlindingForStatementAtIndex(usize, usize),
+    VerifiableEncryption(u32, VerifiableEncryptionError),
+    NotALegoGroth16StatementProof,
+    NotAVeTZ21StatementProof,
 }
 
 impl From<SchnorrError> for ProofSystemError {

proof_system/src/lib.rs

@@ -164,7 +164,7 @@ extern crate core;
 pub mod setup_params;
 #[macro_use]
 mod derived_params;
-mod constants;
+pub mod constants;
 pub mod error;
 mod macros;
 pub mod meta_statement;

proof_system/src/prover.rs

@@ -26,7 +26,8 @@ use crate::{
         COMPOSITE_PROOF_LABEL, CONTEXT_LABEL, KB_POS_ACCUM_CDH_MEM_LABEL, KB_POS_ACCUM_MEM_LABEL,
         KB_UNI_ACCUM_CDH_MEM_LABEL, KB_UNI_ACCUM_CDH_NON_MEM_LABEL, KB_UNI_ACCUM_MEM_LABEL,
         KB_UNI_ACCUM_NON_MEM_LABEL, NONCE_LABEL, PS_LABEL, VB_ACCUM_CDH_MEM_LABEL,
-        VB_ACCUM_CDH_NON_MEM_LABEL, VB_ACCUM_MEM_LABEL, VB_ACCUM_NON_MEM_LABEL,
+        VB_ACCUM_CDH_NON_MEM_LABEL, VB_ACCUM_MEM_LABEL, VB_ACCUM_NON_MEM_LABEL, VE_TZ_21_LABEL,
+        VE_TZ_21_ROBUST_LABEL,
     },
     meta_statement::{EqualWitnesses, WitnessRef},
     prelude::SnarkpackSRS,
@@ -63,9 +64,11 @@ use crate::{
         r1cs_legogorth16::R1CSLegogroth16Protocol,
         saver::SaverProtocol,
         schnorr::SchnorrProtocol,
+        verifiable_encryption_tz_21::VeTZ21Protocol,
     },
 };
 use dock_crypto_utils::{
+    aliases::FullDigest,
     expect_equality,
     hashing_utils::field_elem_from_try_and_incr,
     signature::MultiMessageSignatureParams,
@@ -136,7 +139,7 @@ impl<E: Pairing> Proof<E> {
     /// Also returns the randomness used by statements using SAVER and LegoGroth16 proofs which can
     /// then be used as helpers in subsequent proof creations where these proofs are reused than
     /// creating fresh proofs.
-    pub fn new<R: RngCore, D: Digest>(
+    pub fn new<R: RngCore, D: FullDigest + Digest>(
         rng: &mut R,
         proof_spec: ProofSpec<E>,
         witnesses: Witnesses<E>,
@@ -248,6 +251,36 @@ impl<E: Pairing> Proof<E> {
             }};
         }
 
+        macro_rules! ve_tz_21_init {
+            ($rng: ident, $s_idx: ident, $s: ident, $w: ident, $init_name: ident, $label: ident) => {{
+                let witness_count = $w.len();
+                let comm_key = $s.get_comm_key(&proof_spec.setup_params, $s_idx)?;
+                // +1 since commitment includes randomness as well to make it perfectly hiding
+                if comm_key.len() < (witness_count + 1) {
+                    return Err(ProofSystemError::IncompatiblePedCommSetupParamAtIndex(
+                        $s_idx,
+                    ));
+                }
+                // Get blindings for all the witnesses
+                let mut b = Vec::with_capacity(witness_count);
+                for i in 0..witness_count {
+                    if let Some(blinding) = blindings.remove(&($s_idx, i)) {
+                        b.push(blinding);
+                    } else {
+                        return Err(ProofSystemError::MissingBlindingForStatementAtIndex(
+                            $s_idx, i,
+                        ));
+                    }
+                }
+                let enc_params = $s.get_enc_params(&proof_spec.setup_params, $s_idx)?;
+                let mut sp = VeTZ21Protocol::new($s_idx, comm_key, enc_params);
+                sp.$init_name::<R, D>($rng, $w, b)?;
+                transcript.set_label($label);
+                sp.challenge_contribution(&mut transcript)?;
+                sub_protocols.push(SubProtocol::VeTZ21(sp));
+            }};
+        }
+
         /// Build a map of blindings for witnesses of given the statement index. The key is the witness
         /// index and value is the blinding. Also removes that blinding from the global blindings map
         /// containing blinding for each witness reference.
@@ -771,6 +804,18 @@ impl<E: Pairing> Proof<E> {
                     }
                     _ => err_incompat_witness!(s_idx, s, witness),
                 },
+                Statement::VeTZ21(s) => match witness {
+                    Witness::VeTZ21(w) => {
+                        ve_tz_21_init!(rng, s_idx, s, w, init, VE_TZ_21_LABEL);
+                    }
+                    _ => err_incompat_witness!(s_idx, s, witness),
+                },
+                Statement::VeTZ21Robust(s) => match witness {
+                    Witness::VeTZ21Robust(w) => {
+                        ve_tz_21_init!(rng, s_idx, s, w, init_robust, VE_TZ_21_ROBUST_LABEL);
+                    }
+                    _ => err_incompat_witness!(s_idx, s, witness),
+                },
                 _ => return Err(ProofSystemError::InvalidStatement),
             }
         }
@@ -979,6 +1024,13 @@ impl<E: Pairing> Proof<E> {
                 SubProtocol::KBUniversalAccumulatorNonMembershipKV(mut sp) => {
                     sp.gen_proof_contribution(&challenge)?
                 }
+                SubProtocol::VeTZ21(mut sp) => {
+                    if sp.ve_proof.is_some() {
+                        sp.gen_proof_contribution(&challenge)?
+                    } else {
+                        sp.gen_proof_contribution_robust(&challenge)?
+                    }
+                }
             });
         }
 
@@ -1086,30 +1138,6 @@ impl<E: Pairing> Proof<E> {
         field_elem_from_try_and_incr::<E::ScalarField, D>(bytes)
     }
 
-    pub fn get_saver_ciphertext_and_proof(
-        &self,
-        index: usize,
-    ) -> Result<(&Ciphertext<E>, &ark_groth16::Proof<E>), ProofSystemError> {
-        let st = self.statement_proof(index)?;
-        if let StatementProof::Saver(s) = st {
-            Ok((&s.ciphertext, &s.snark_proof))
-        } else {
-            Err(ProofSystemError::NotASaverStatementProof)
-        }
-    }
-
-    pub fn get_legogroth16_proof(
-        &self,
-        index: usize,
-    ) -> Result<&legogroth16::Proof<E>, ProofSystemError> {
-        let st = self.statement_proof(index)?;
-        match st {
-            StatementProof::BoundCheckLegoGroth16(s) => Ok(&s.snark_proof),
-            StatementProof::R1CSLegoGroth16(s) => Ok(&s.snark_proof),
-            _ => Err(ProofSystemError::NotASaverStatementProof),
-        }
-    }
-
     pub fn for_aggregate(&self) -> Self {
         let mut statement_proofs = vec![];
         for sp in self.statement_proofs() {
@@ -1177,4 +1205,22 @@ impl<E: Pairing> Proof<E> {
             }
         }
     }
+
+    // fn get_ve_func_args<'a, 'b: 'a>(s_idx: usize, s: &'a VerifiableEncryptionTZ21<E::G1Affine>, proof_spec: &'b ProofSpec<E>, witness_count: usize, blindings: &'b mut BTreeMap<WitnessRef, E::ScalarField>) -> Result<(Vec<E::ScalarField>, &'a [E::G1Affine], &'a ElgamalEncryptionParams<E::G1Affine>), ProofSystemError> {
+    //     let comm_key = s.get_comm_key(&proof_spec.setup_params, s_idx)?;
+    //     // +1 since commitment includes randomness as well to make it perfectly hiding
+    //     if comm_key.len() < (witness_count + 1) {
+    //         return Err(ProofSystemError::IncompatiblePedCommSetupParamAtIndex(s_idx))
+    //     }
+    //     let mut b = Vec::with_capacity(witness_count);
+    //     for i in 0..witness_count {
+    //         if let Some(blinding) = blindings.remove(&(s_idx, i)) {
+    //             b.push(blinding);
+    //         } else {
+    //             return Err(ProofSystemError::MissingBlindingForStatementAtIndex(s_idx, i))
+    //         }
+    //     }
+    //     let enc_params = s.get_enc_params(&proof_spec.setup_params, s_idx)?;
+    //     Ok((b, comm_key.as_slice(), enc_params))
+    // }
 }

proof_system/src/setup_params.rs

@@ -9,7 +9,8 @@ use crate::{
     prelude::bound_check_smc::SmcParamsAndCommitmentKey,
     statement::bound_check_smc_with_kv::SmcParamsAndCommitmentKeyAndSecretKey,
 };
-use ark_ec::pairing::Pairing;
+use ark_ec::{pairing::Pairing, AffineRepr};
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::vec::Vec;
 use bbs_plus::prelude::{
     PublicKeyG2 as BBSPublicKeyG2, SignatureParams23G1 as BBSSignatureParams23G1,
@@ -74,6 +75,7 @@ pub enum SetupParams<E: Pairing> {
     BBDT16MACParams(MACParams<E::G1Affine>),
     PedersenCommitmentKeyG2(#[serde_as(as = "Vec<ArkObjectBytes>")] Vec<E::G2Affine>),
     CommitmentKeyG2(#[serde_as(as = "ArkObjectBytes")] PedersenCommitmentKey<E::G2Affine>),
+    ElgamalEncryption(ElgamalEncryptionParams<E::G1Affine>),
 }
 
 macro_rules! delegate {
@@ -109,7 +111,8 @@ macro_rules! delegate {
                 KBPositiveAccumulatorPublicKey,
                 BBDT16MACParams,
                 PedersenCommitmentKeyG2,
-                CommitmentKeyG2
+                CommitmentKeyG2,
+                ElgamalEncryption
             : $($tt)+
         }
     }};
@@ -148,7 +151,8 @@ macro_rules! delegate_reverse {
                 KBPositiveAccumulatorPublicKey,
                 BBDT16MACParams,
                 PedersenCommitmentKeyG2,
-                CommitmentKeyG2
+                CommitmentKeyG2,
+                ElgamalEncryption
             : $($tt)+
         }
 
@@ -176,6 +180,19 @@ macro_rules! extract_param {
     }};
 }
 
+/// Elgamal encryption parameters generated by the decryptor
+#[serde_as]
+#[derive(
+    Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+)]
+pub struct ElgamalEncryptionParams<G: AffineRepr> {
+    /// Generator used in the scheme to generate public key and ephemeral public key by sender/encryptor
+    #[serde_as(as = "ArkObjectBytes")]
+    pub gen: G,
+    #[serde_as(as = "ArkObjectBytes")]
+    pub public_key: G,
+}
+
 mod serialization {
     use super::*;
     use ark_serialize::{

proof_system/src/statement/mod.rs

@@ -21,6 +21,7 @@ pub mod ped_comm;
 pub mod ps_signature;
 pub mod r1cs_legogroth16;
 pub mod saver;
+pub mod verifiable_encryption_tz_21;
 
 /// Type of relation being proved and the public values for the relation
 #[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
@@ -128,6 +129,12 @@ pub enum Statement<E: Pairing> {
     ),
     PoKBBSSignature23IETFG1Prover(bbs_23_ietf::PoKBBSSignature23IETFG1Prover<E>),
     PoKBBSSignature23IETFG1Verifier(bbs_23_ietf::PoKBBSSignature23IETFG1Verifier<E>),
+    /// Verifiable Encryption using DKGith protocol in the scheme TZ21
+    // TODO: This should have the const generics used by the corresponding protocol
+    VeTZ21(verifiable_encryption_tz_21::VerifiableEncryptionTZ21<E::G1Affine>),
+    /// Verifiable Encryption using Robust DKGith protocol in the scheme TZ21
+    // TODO: This should have the const generics used by the corresponding protocol
+    VeTZ21Robust(verifiable_encryption_tz_21::VerifiableEncryptionTZ21<E::G1Affine>),
 }
 
 /// A collection of statements
@@ -205,7 +212,9 @@ macro_rules! delegate {
                 KBUniversalAccumulatorNonMembershipKV,
                 KBUniversalAccumulatorNonMembershipKVFullVerifier,
                 PoKBBSSignature23IETFG1Prover,
-                PoKBBSSignature23IETFG1Verifier
+                PoKBBSSignature23IETFG1Verifier,
+                VeTZ21,
+                VeTZ21Robust
             : $($tt)+
         }
     }}
@@ -260,7 +269,9 @@ macro_rules! delegate_reverse {
                 KBUniversalAccumulatorNonMembershipKV,
                 KBUniversalAccumulatorNonMembershipKVFullVerifier,
                 PoKBBSSignature23IETFG1Prover,
-                PoKBBSSignature23IETFG1Verifier
+                PoKBBSSignature23IETFG1Verifier,
+                VeTZ21,
+                VeTZ21Robust
             : $($tt)+
         }