Merge pull request #67 from chain/feature/dealer-verify-shares

Have the dealer verify shares

Author: hdevalence

src/aggregated_range_proof/dealer.rs

@@ -1,9 +1,13 @@
+use rand::Rng;
+
 use curve25519_dalek::ristretto::RistrettoPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::Identity;
+
 use generators::GeneratorsView;
 use inner_product_proof;
 use proof_transcript::ProofTranscript;
+
 use util;
 
 use super::messages::*;
@@ -25,12 +29,30 @@ impl Dealer {
         if !m.is_power_of_two() {
             return Err("m is not valid: must be a power of 2");
         }
+
+        // At the end of the protocol, the dealer will attempt to
+        // verify the proof, and if it fails, determine which party's
+        // shares were invalid.
+        //
+        // However, verifying the proof requires either knowledge of
+        // all of the challenges, or a copy of the initial transcript
+        // state.
+        //
+        // The dealer has all of the challenges, but using them for
+        // verification would require duplicating the verification
+        // logic.  Instead, we keep a copy of the initial transcript
+        // state.
+        let initial_transcript = transcript.clone();
+
+        // Commit to aggregation parameters
         transcript.commit_u64(n as u64);
         transcript.commit_u64(m as u64);
+
         Ok(DealerAwaitingValueCommitments {
             n,
             m,
             transcript,
+            initial_transcript,
             gens,
         })
     }
@@ -42,6 +64,9 @@ pub struct DealerAwaitingValueCommitments<'a, 'b> {
     n: usize,
     m: usize,
     transcript: &'a mut ProofTranscript,
+    /// The dealer keeps a copy of the initial transcript state, so
+    /// that it can attempt to verify the aggregated proof at the end.
+    initial_transcript: ProofTranscript,
     gens: GeneratorsView<'b>,
 }
 
@@ -79,6 +104,7 @@ impl<'a, 'b> DealerAwaitingValueCommitments<'a, 'b> {
                 n: self.n,
                 m: self.m,
                 transcript: self.transcript,
+                initial_transcript: self.initial_transcript,
                 gens: self.gens,
                 value_challenge: value_challenge.clone(),
             },
@@ -91,6 +117,7 @@ pub struct DealerAwaitingPolyCommitments<'a, 'b> {
     n: usize,
     m: usize,
     transcript: &'a mut ProofTranscript,
+    initial_transcript: ProofTranscript,
     gens: GeneratorsView<'b>,
     value_challenge: ValueChallenge,
 }
@@ -122,6 +149,7 @@ impl<'a, 'b> DealerAwaitingPolyCommitments<'a, 'b> {
                 n: self.n,
                 m: self.m,
                 transcript: self.transcript,
+                initial_transcript: self.initial_transcript,
                 gens: self.gens,
                 value_challenge: self.value_challenge,
                 poly_challenge: poly_challenge.clone(),
@@ -135,31 +163,26 @@ pub struct DealerAwaitingProofShares<'a, 'b> {
     n: usize,
     m: usize,
     transcript: &'a mut ProofTranscript,
+    initial_transcript: ProofTranscript,
     gens: GeneratorsView<'b>,
     value_challenge: ValueChallenge,
     poly_challenge: PolyChallenge,
 }
 
 impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
-    pub fn receive_shares(
-        self,
+    /// Assembles proof shares into an `AggregatedProof`.
+    ///
+    /// Used as a helper function by `receive_trusted_shares` (which
+    /// just hands back the result) and `receive_shares` (which
+    /// validates the proof shares.
+    fn assemble_shares(
+        &mut self,
         proof_shares: &[ProofShare],
-    ) -> Result<(AggregatedProof, Vec<ProofShareVerifier>), &'static str> {
+    ) -> Result<AggregatedProof, &'static str> {
         if self.m != proof_shares.len() {
             return Err("Length of proof shares doesn't match expected length m");
         }
 
-        let mut share_verifiers = Vec::new();
-        for (j, proof_share) in proof_shares.iter().enumerate() {
-            share_verifiers.push(ProofShareVerifier {
-                proof_share: proof_share.clone(),
-                n: self.n,
-                j: j,
-                value_challenge: self.value_challenge.clone(),
-                poly_challenge: self.poly_challenge.clone(),
-            });
-        }
-
         let value_commitments = proof_shares
             .iter()
             .map(|ps| ps.value_commitment.V)
@@ -221,7 +244,7 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
             r_vec.clone(),
         );
 
-        let aggregated_proof = AggregatedProof {
+        Ok(AggregatedProof {
             n: self.n,
             value_commitments,
             A,
@@ -232,8 +255,59 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
             t_x_blinding,
             e_blinding,
             ipp_proof,
-        };
+        })
+    }
+
+    /// Assemble the final aggregated proof from the given
+    /// `proof_shares`, and validate that all input shares and the
+    /// aggregated proof are well-formed.  If the aggregated proof is
+    /// not well-formed, this function detects which party submitted a
+    /// malformed share and returns that information as part of the
+    /// error.
+    ///
+    /// XXX define error types so we can surface the blame info
+    pub fn receive_shares<R: Rng>(
+        mut self,
+        rng: &mut R,
+        proof_shares: &[ProofShare],
+    ) -> Result<AggregatedProof, &'static str> {
+        let proof = self.assemble_shares(proof_shares)?;
 
-        Ok((aggregated_proof, share_verifiers))
+        // See comment in `Dealer::new` for why we use `initial_transcript`
+        if proof.verify(rng, &mut self.initial_transcript).is_ok() {
+            Ok(proof)
+        } else {
+            // Create a list of bad shares
+            let mut bad_shares = Vec::new();
+            for (j, share) in proof_shares.iter().enumerate() {
+                match share.verify_share(self.n, j, &self.value_challenge, &self.poly_challenge) {
+                    Ok(_) => {}
+                    Err(_) => bad_shares.push(j),
+                }
+            }
+            // XXX pass this upwards
+            println!("bad shares: {:?}", bad_shares);
+            Err("proof failed to verify")
+        }
+    }
+
+    /// Assemble the final aggregated proof from the given
+    /// `proof_shares`, but does not validate that they are well-formed.
+    ///
+    /// ## WARNING
+    ///
+    /// This function does **NOT** validate the proof shares.  It is
+    /// suitable for creating aggregated proofs when all parties are
+    /// known by the dealer to be honest (for instance, when there's
+    /// only one party playing all roles).
+    ///
+    /// Otherwise, use `receive_shares`, which validates that all
+    /// shares are well-formed, or else detects which party(ies)
+    /// submitted malformed shares.
+    pub fn receive_trusted_shares(
+        mut self,
+        proof_shares: &[ProofShare],
+    ) -> Result<AggregatedProof, &'static str> {
+        self.assemble_shares(proof_shares)
     }
 }

src/aggregated_range_proof/messages.rs

@@ -120,22 +120,6 @@ impl ProofShare {
     }
 }
 
-pub struct ProofShareVerifier {
-    pub proof_share: ProofShare,
-    pub n: usize,
-    pub j: usize,
-    pub value_challenge: ValueChallenge,
-    pub poly_challenge: PolyChallenge,
-}
-
-impl ProofShareVerifier {
-    /// Returns whether the proof share is valid (Ok) or invalid (Err)
-    pub fn verify_share(&self) -> Result<(), &'static str> {
-        self.proof_share
-            .verify_share(self.n, self.j, &self.value_challenge, &self.poly_challenge)
-    }
-}
-
 #[derive(Serialize, Deserialize, Clone, Debug)]
 pub struct AggregatedProof {
     pub n: usize,

src/aggregated_range_proof/mod.rs

@@ -13,7 +13,7 @@ pub mod party;
 
 pub use self::messages::AggregatedProof;
 
-struct SinglePartyAggregator {}
+pub struct SinglePartyAggregator {}
 
 impl SinglePartyAggregator {
     /// Create an aggregated rangeproof of multiple values.
@@ -24,15 +24,14 @@ impl SinglePartyAggregator {
     /// The length of `values` must be a power of 2.
     ///
     /// XXX this should allow proving about existing commitments.
-    fn generate_proof<R: Rng>(
+    pub fn generate_proof<R: Rng>(
         generators: &Generators,
         transcript: &mut ProofTranscript,
         rng: &mut R,
         values: &[u64],
         n: usize,
     ) -> Result<AggregatedProof, &'static str> {
         use self::dealer::*;
-        use self::messages::*;
         use self::party::*;
 
         let dealer = Dealer::new(generators.all(), n, values.len(), transcript)?;
@@ -66,9 +65,7 @@ impl SinglePartyAggregator {
             .map(|p| p.apply_challenge(&poly_challenge))
             .collect();
 
-        let (proof, _) = dealer.receive_shares(&proof_shares)?;
-
-        Ok(proof)
+        dealer.receive_trusted_shares(&proof_shares)
     }
 }
 
@@ -180,4 +177,72 @@ mod tests {
     fn create_and_verify_n_64_m_8() {
         singleparty_create_and_verify_helper(64, 8);
     }
+
+    #[test]
+    fn detect_dishonest_party_during_aggregation() {
+        use self::dealer::*;
+        use self::party::*;
+
+        // Simulate four parties, two of which will be dishonest and use a 64-bit value.
+        let m = 4;
+        let n = 32;
+
+        let generators = Generators::new(PedersenGenerators::default(), n, m);
+
+        let mut rng = OsRng::new().unwrap();
+        let mut transcript = ProofTranscript::new(b"AggregatedRangeProofTest");
+
+        // Parties 0, 2 are honest and use a 32-bit value
+        let v0 = rng.next_u32() as u64;
+        let v0_blinding = Scalar::random(&mut rng);
+        let party0 = Party::new(v0, v0_blinding, n, &generators).unwrap();
+
+        let v2 = rng.next_u32() as u64;
+        let v2_blinding = Scalar::random(&mut rng);
+        let party2 = Party::new(v2, v2_blinding, n, &generators).unwrap();
+
+        // Parties 1, 3 are dishonest and use a 64-bit value
+        let v1 = rng.next_u64();
+        let v1_blinding = Scalar::random(&mut rng);
+        let party1 = Party::new(v1, v1_blinding, n, &generators).unwrap();
+
+        let v3 = rng.next_u64();
+        let v3_blinding = Scalar::random(&mut rng);
+        let party3 = Party::new(v3, v3_blinding, n, &generators).unwrap();
+
+        let dealer = Dealer::new(generators.all(), n, m, &mut transcript).unwrap();
+
+        let (party0, value_com0) = party0.assign_position(0, &mut rng);
+        let (party1, value_com1) = party1.assign_position(1, &mut rng);
+        let (party2, value_com2) = party2.assign_position(2, &mut rng);
+        let (party3, value_com3) = party3.assign_position(3, &mut rng);
+
+        let (dealer, value_challenge) = dealer
+            .receive_value_commitments(&[value_com0, value_com1, value_com2, value_com3])
+            .unwrap();
+
+        let (party0, poly_com0) = party0.apply_challenge(&value_challenge, &mut rng);
+        let (party1, poly_com1) = party1.apply_challenge(&value_challenge, &mut rng);
+        let (party2, poly_com2) = party2.apply_challenge(&value_challenge, &mut rng);
+        let (party3, poly_com3) = party3.apply_challenge(&value_challenge, &mut rng);
+
+        let (dealer, poly_challenge) = dealer
+            .receive_poly_commitments(&[poly_com0, poly_com1, poly_com2, poly_com3])
+            .unwrap();
+
+        let share0 = party0.apply_challenge(&poly_challenge);
+        let share1 = party1.apply_challenge(&poly_challenge);
+        let share2 = party2.apply_challenge(&poly_challenge);
+        let share3 = party3.apply_challenge(&poly_challenge);
+
+        match dealer.receive_shares(&mut rng, &[share0, share1, share2, share3]) {
+            Ok(_proof) => {
+                panic!("The proof was malformed, but it was not detected");
+            }
+            Err(e) => {
+                // XXX when we have error types, check that it was party 1 that did it
+                assert_eq!(e, "proof failed to verify");
+            }
+        }
+    }
 }