generate h1 and h2 (s and t) as non-trivial quadratic residues

tangle-network · Oct 17, 2023 · 7c1b56a · 7c1b56a
1 parent 0fcfbbc
commit 7c1b56a
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/multi-party-ecdsa/src/gg_2020/party_i.rs b/multi-party-ecdsa/src/gg_2020/party_i.rs
@@ -158,19 +158,23 @@ pub fn generate_h1_h2_N_tilde(
     #[cfg(any(test, feature = "dev"))]
     let (ek_tilde, dk_tilde) = Paillier::keypair().keys();
 
+    // Generate h1 and h2 (s and t in CGGMP20) following section 6.4.1 (and Figure 6) of CGGMP20 .
+    // Ref: <https://eprint.iacr.org/2021/060.pdf#page=38>.
     let one = BigInt::one();
     let phi = (&dk_tilde.p - &one) * (&dk_tilde.q - &one);
-    let h1 = BigInt::sample_below(&ek_tilde.n);
-    let (xhi, xhi_inv) = loop {
-        let xhi_ = BigInt::sample_below(&phi);
-        match BigInt::mod_inv(&xhi_, &phi) {
-            Some(inv) => break (xhi_, inv),
+    let tau = BigInt::sample_below(&ek_tilde.n);
+    let h1 = BigInt::mod_pow(&tau, &BigInt::from(2), &ek_tilde.n);
+    // For GG18/20 implementation, we need the inverse of lambda as well.
+    let (lambda, lambda_inv) = loop {
+        let lambda_ = BigInt::sample_below(&phi);
+        match BigInt::mod_inv(&lambda_, &phi) {
+            Some(inv) => break (lambda_, inv),
             None => continue,
         }
     };
-    let h2 = BigInt::mod_pow(&h1, &xhi, &ek_tilde.n);
+    let h2 = BigInt::mod_pow(&h1, &lambda, &ek_tilde.n);
 
-    (ek_tilde.n, h1, h2, xhi, xhi_inv, phi)
+    (ek_tilde.n, h1, h2, lambda, lambda_inv, phi)
 }
 
 impl Keys {