From 7c1b56a37c0336afa84d547843d65d9d43640213 Mon Sep 17 00:00:00 2001
From: davidsemakula
Date: Tue, 17 Oct 2023 18:16:01 +0300
Subject: [PATCH] generate h1 and h2 (s and t) as non-trivial quadratic residues
---
 multi-party-ecdsa/src/gg_2020/party_i.rs | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/multi-party-ecdsa/src/gg_2020/party_i.rs b/multi-party-ecdsa/src/gg_2020/party_i.rs
index 98cd4ac..0feb86b 100644
--- a/multi-party-ecdsa/src/gg_2020/party_i.rs
+++ b/multi-party-ecdsa/src/gg_2020/party_i.rs
@@ -158,19 +158,23 @@ pub fn generate_h1_h2_N_tilde(
     #[cfg(any(test, feature = "dev"))]
     let (ek_tilde, dk_tilde) = Paillier::keypair().keys();
 
+    // Generate h1 and h2 (s and t in CGGMP20) following section 6.4.1 (and Figure 6) of CGGMP20 .
+    // Ref: .
     let one = BigInt::one();
     let phi = (&dk_tilde.p - &one) * (&dk_tilde.q - &one);
-    let h1 = BigInt::sample_below(&ek_tilde.n);
-    let (xhi, xhi_inv) = loop {
-        let xhi_ = BigInt::sample_below(&phi);
-        match BigInt::mod_inv(&xhi_, &phi) {
-            Some(inv) => break (xhi_, inv),
+    let tau = BigInt::sample_below(&ek_tilde.n);
+    let h1 = BigInt::mod_pow(&tau, &BigInt::from(2), &ek_tilde.n);
+    // For GG18/20 implementation, we need the inverse of lambda as well.
+    let (lambda, lambda_inv) = loop {
+        let lambda_ = BigInt::sample_below(&phi);
+        match BigInt::mod_inv(&lambda_, &phi) {
+            Some(inv) => break (lambda_, inv),
             None => continue,
         }
     };
-    let h2 = BigInt::mod_pow(&h1, &xhi, &ek_tilde.n);
+    let h2 = BigInt::mod_pow(&h1, &lambda, &ek_tilde.n);
 
-    (ek_tilde.n, h1, h2, xhi, xhi_inv, phi)
+    (ek_tilde.n, h1, h2, lambda, lambda_inv, phi)
 }
 
 impl Keys {
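Review bot: The new `tau`/`h1` lines do not enforce the "non-trivial" property the commit title promises: `BigInt::sample_below(&ek_tilde.n)` may return 0, 1 or n-1, which makes `h1` equal to 0 or 1, and CGGMP20 Figure 6 draws τ from the units Z*_N rather than all of Z_N. The probability is negligible for a modulus of realistic size, so this is a spec-conformance point rather than a practical weakness, but the check is cheap and the `lambda` loop just below already uses the same rejection pattern, so `h1` could be derived the same way (invertibility checked with the `BigInt::mod_inv` already used in this hunk). Separately, the two added comments read `of CGGMP20 .` and `// Ref: .` as rendered here — the reference appears to have been stripped, so the target should be confirmed before merging. The function's head (`pub fn generate_h1_h2_N_tilde(`) and the non-`dev` key generation branch are outside the hunk.
```rust
    // Reject tau outside Z*_N and the trivial residues, so h1 is a non-trivial
    // quadratic residue as CGGMP20 Fig. 6 requires.
    let h1 = loop {
        let tau = BigInt::sample_below(&ek_tilde.n);
        let h1_ = BigInt::mod_pow(&tau, &BigInt::from(2), &ek_tilde.n);
        if BigInt::mod_inv(&tau, &ek_tilde.n).is_some() && h1_ != one {
            break h1_;
        }
    };
    // … unchanged: lambda / lambda_inv loop, h2 and the returned tuple …
```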