refactor: move Pi-PRM and utilities to tss-core

src/presign/mod.rs

@@ -31,13 +31,15 @@ use crate::utilities::{
         PaillierAffineOpWithGroupComInRangeStatement,
     },
     dec_q::{PaillierDecryptionModQProof, PaillierDecryptionModQStatement},
-    enc::{PaillierEncryptionInRangeProof, PaillierEncryptionInRangeStatement},
     log_star::{
         KnowledgeOfExponentPaillierEncryptionProof,
         KnowledgeOfExponentPaillierEncryptionStatement,
     },
     mul::{PaillierMulProof, PaillierMulStatement},
 };
+use tss_core::zkproof::enc::{
+    PaillierEncryptionInRangeProof, PaillierEncryptionInRangeStatement,
+};
 
 use serde::{Deserialize, Serialize};
 use zeroize::Zeroize;

src/presign/rounds.rs

@@ -16,6 +16,11 @@
 
 use std::{collections::HashMap, marker::PhantomData};
 
+use super::{
+    IdentifiableAbortBroadcastMessage, PreSigningP2PMessage1,
+    PreSigningP2PMessage2, PreSigningP2PMessage3, PreSigningSecrets,
+    PresigningOutput, PresigningTranscript, DEFAULT_ENCRYPTION_KEY, SSID,
+};
 use crate::{
     utilities::{
         aff_g::{
@@ -27,32 +32,27 @@ use crate::{
             PaillierDecryptionModQProof, PaillierDecryptionModQStatement,
             PaillierDecryptionModQWitness,
         },
-        enc::{
-            PaillierEncryptionInRangeProof, PaillierEncryptionInRangeStatement,
-            PaillierEncryptionInRangeWitness,
-        },
         log_star::{
             KnowledgeOfExponentPaillierEncryptionProof,
             KnowledgeOfExponentPaillierEncryptionStatement,
             KnowledgeOfExponentPaillierEncryptionWitness,
         },
         mul::{PaillierMulProof, PaillierMulStatement, PaillierMulWitness},
-        sample_relatively_prime_integer, L_PRIME,
     },
     ErrorType, ProofVerificationErrorData,
 };
-
-use super::{
-    IdentifiableAbortBroadcastMessage, PreSigningP2PMessage1,
-    PreSigningP2PMessage2, PreSigningP2PMessage3, PreSigningSecrets,
-    PresigningOutput, PresigningTranscript, DEFAULT_ENCRYPTION_KEY, SSID,
-};
 use curv::{
     arithmetic::{traits::*, Modulo, Samplable},
     cryptographic_primitives::secret_sharing::feldman_vss::VerifiableSS,
     elliptic::curves::{Point, Scalar, Secp256k1},
     BigInt,
 };
+use tss_core::security_level::L_PRIME;
+use tss_core::utilities::sample_relatively_prime_integer;
+use tss_core::zkproof::enc::{
+    PaillierEncryptionInRangeProof, PaillierEncryptionInRangeStatement,
+    PaillierEncryptionInRangeWitness,
+};
 
 use paillier::{
     Add, Decrypt, EncryptWithChosenRandomness, EncryptionKey, Mul, Paillier,
@@ -117,13 +117,15 @@ impl Round0 {
                     N0: self.secrets.ek.n.clone(),
                     NN0: self.secrets.ek.nn.clone(),
                     K: K_i.clone(),
-                    s: self.S.get(j).unwrap_or(&BigInt::zero()).clone(),
-                    t: self.T.get(j).unwrap_or(&BigInt::zero()).clone(),
-                    N_hat: self
-                        .N_hats
-                        .get(j)
-                        .unwrap_or(&BigInt::zero())
-                        .clone(),
+                    RPParam: tss_core::utilities::RingPedersenParams {
+                        N: self
+                            .N_hats
+                            .get(j)
+                            .unwrap_or(&BigInt::zero())
+                            .clone(),
+                        s: self.S.get(j).unwrap_or(&BigInt::zero()).clone(),
+                        t: self.T.get(j).unwrap_or(&BigInt::zero()).clone(),
+                    },
                     phantom: PhantomData,
                 };
                 let psi_0_j_i =

src/sign/rounds.rs

@@ -45,11 +45,11 @@ use crate::{
             PaillierMultiplicationVersusGroupStatement,
             PaillierMultiplicationVersusGroupWitness,
         },
-        sample_relatively_prime_integer,
     },
     ErrorType, NoOfflineStageErrorData, ProofVerificationErrorData,
 };
 use thiserror::Error;
+use tss_core::utilities::sample_relatively_prime_integer;
 
 use zeroize::Zeroize;
 

src/utilities/aff_g/mod.rs

@@ -33,14 +33,7 @@
 //! and
 //!             D = C^{x} · (1+N0)^{y} · ρ^{N0} mod N0^{2}.
 
-use super::sample_relatively_prime_integer;
-use crate::{
-    utilities::{
-        fixed_array, mod_pow_with_negative, L, L_PLUS_EPSILON, L_PRIME,
-        L_PRIME_PLUS_EPSILON,
-    },
-    Error,
-};
+use crate::{utilities::fixed_array, Error};
 use curv::{
     arithmetic::{traits::*, Modulo},
     cryptographic_primitives::hashing::{Digest, DigestExt},
@@ -55,7 +48,13 @@ use rand::Rng;
 use rand_chacha::{rand_core::SeedableRng, ChaChaRng};
 use serde::{Deserialize, Serialize};
 use std::marker::PhantomData;
+use tss_core::security_level::{
+    L, L_PLUS_EPSILON, L_PRIME, L_PRIME_PLUS_EPSILON,
+};
 use tss_core::utilities::RingPedersenParams;
+use tss_core::utilities::{
+    mod_pow_with_negative, sample_relatively_prime_integer,
+};
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct PaillierAffineOpWithGroupComInRangeStatement<

src/utilities/dec_q/mod.rs

@@ -15,11 +15,7 @@
     @license GPL-3.0+ <https://github.com/KZen-networks/multi-party-ecdsa/blob/master/LICENSE>
 */
 
-use super::{sample_relatively_prime_integer, L, L_PLUS_EPSILON};
-use crate::{
-    utilities::{fixed_array, mod_pow_with_negative},
-    Error,
-};
+use crate::{utilities::fixed_array, Error};
 use curv::{
     arithmetic::{traits::*, Modulo},
     cryptographic_primitives::hashing::{Digest, DigestExt},
@@ -34,7 +30,11 @@ use rand::Rng;
 use rand_chacha::{rand_core::SeedableRng, ChaChaRng};
 use serde::{Deserialize, Serialize};
 use std::marker::PhantomData;
+use tss_core::security_level::{L, L_PLUS_EPSILON};
 use tss_core::utilities::RingPedersenParams;
+use tss_core::utilities::{
+    mod_pow_with_negative, sample_relatively_prime_integer,
+};
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct PaillierDecryptionModQStatement<E: Curve, H: Digest + Clone> {

src/utilities/log_star/mod.rs

@@ -21,8 +21,6 @@
 //! The Prover has secret input (x,ρ) such that
 //!         x ∈ ± 2l, and C = (1 + N0)^x · ρ^N0 mod N0^2 and X = g^x    ∈ G.
 
-use super::sample_relatively_prime_integer;
-use crate::utilities::{mod_pow_with_negative, L};
 use curv::{
     arithmetic::{traits::*, Modulo},
     cryptographic_primitives::hashing::{Digest, DigestExt},
@@ -35,7 +33,11 @@ use paillier::{
 };
 use serde::{Deserialize, Serialize};
 use std::marker::PhantomData;
+use tss_core::security_level::L;
 use tss_core::utilities::RingPedersenParams;
+use tss_core::utilities::{
+    mod_pow_with_negative, sample_relatively_prime_integer,
+};
 use zk_paillier::zkproofs::IncorrectProof;
 
 #[derive(Clone, Debug, Serialize, Deserialize)]

src/utilities/mod.rs

@@ -1,11 +1,5 @@
-use curv::{
-    arithmetic::{BasicOps, Integer, Modulo, NumberTests, Samplable, Zero},
-    BigInt,
-};
-
 pub mod aff_g;
 pub mod dec_q;
-pub mod enc;
 pub mod log_star;
 pub mod mul;
 pub mod mul_star;
@@ -37,27 +31,6 @@ pub fn fixed_array<const N: usize>(
     seed.try_into()
 }
 
-pub fn sample_relatively_prime_integer(n: &BigInt) -> BigInt {
-    let mut sample = BigInt::sample_below(n);
-    while BigInt::gcd(&sample, n) != BigInt::from(1) {
-        sample = BigInt::sample_below(n);
-    }
-    sample
-}
-
-pub fn mod_pow_with_negative(
-    v: &BigInt,
-    pow: &BigInt,
-    modulus: &BigInt,
-) -> BigInt {
-    if BigInt::is_negative(pow) {
-        let temp = BigInt::mod_pow(v, &pow.abs(), modulus);
-        BigInt::mod_inv(&temp, modulus).unwrap_or_else(BigInt::zero)
-    } else {
-        BigInt::mod_pow(v, pow, modulus)
-    }
-}
-
 pub const SEC_PARAM: usize = 256;
 pub const SEC_BYTES: usize = SEC_PARAM / 8;
 pub const OT_PARAM: usize = 128;

src/utilities/mul/mod.rs

@@ -15,11 +15,8 @@
     @license GPL-3.0+ <https://github.com/KZen-networks/multi-party-ecdsa/blob/master/LICENSE>
 */
 
-use super::sample_relatively_prime_integer;
-use crate::{
-    utilities::{fixed_array, mod_pow_with_negative},
-    Error,
-};
+use crate::utilities::fixed_array;
+use crate::Error;
 use curv::{
     arithmetic::{traits::*, Modulo},
     cryptographic_primitives::hashing::{Digest, DigestExt},
@@ -34,6 +31,9 @@ use rand::Rng;
 use rand_chacha::{rand_core::SeedableRng, ChaChaRng};
 use serde::{Deserialize, Serialize};
 use std::marker::PhantomData;
+use tss_core::utilities::{
+    mod_pow_with_negative, sample_relatively_prime_integer,
+};
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct PaillierMulStatement<E: Curve, H: Digest + Clone> {

src/utilities/mul_star/mod.rs

@@ -21,8 +21,6 @@
 //! The Prover has secret input (x,ρ) such that
 //!         x ∈ ± 2l, and C = (1 + N0)^x · ρ^N0 mod N0^2 and X = g^x    ∈ G.
 
-use super::sample_relatively_prime_integer;
-use crate::utilities::{mod_pow_with_negative, L};
 use curv::{
     arithmetic::{traits::*, Modulo},
     cryptographic_primitives::hashing::{Digest, DigestExt},
@@ -32,7 +30,11 @@ use curv::{
 use paillier::EncryptionKey;
 use serde::{Deserialize, Serialize};
 use std::marker::PhantomData;
+use tss_core::security_level::L;
 use tss_core::utilities::RingPedersenParams;
+use tss_core::utilities::{
+    mod_pow_with_negative, sample_relatively_prime_integer,
+};
 use zk_paillier::zkproofs::IncorrectProof;
 
 #[derive(Clone, Debug, Serialize, Deserialize)]

tss-core/Cargo.toml

@@ -10,6 +10,7 @@ curv-kzen.workspace = true
 serde.workspace = true
 zeroize.workspace = true
 paillier.workspace = true
+sha2.workspace = true
 
 bincode = "1.3.3"
 merlin = "3.0.0"

tss-core/src/lib.rs

@@ -1,2 +1,3 @@
+pub mod security_level;
 pub mod utilities;
 pub mod zkproof;

tss-core/src/security_level/mod.rs

@@ -0,0 +1,72 @@
+pub struct SecurityLevel {
+    // pub param: usize,
+    // pub zk_iterations: usize,
+    pub paillier_key_size: usize,
+    // pub paillier_min_bit_length: usize,
+    // pub paillier_max_bit_length: usize,
+    // pub length: usize,
+    // pub blind_factor: usize,
+    // pub ot_param: usize,
+}
+
+pub const LEVEL1: SecurityLevel = SecurityLevel {
+    // param: 256,
+    // ot_param: 256,
+    // zk_iterations: 80,
+    paillier_key_size: 2048,
+    // paillier_min_bit_length: 2047,
+    // paillier_max_bit_length: 2048,
+    // blind_factor: 256,
+    // length: 256,
+};
+
+pub const LEVEL0: SecurityLevel = SecurityLevel {
+    // param: 64,
+    // zk_iterations: 80,
+    paillier_key_size: 256,
+    // paillier_min_bit_length: 255,
+    // paillier_max_bit_length: 256,
+    // blind_factor: 64,
+    // length: 64,
+    // ot_param: 64,
+};
+
+#[cfg(all(not(test), not(feature = "dev")))]
+pub const DEFAULT_LEVEL: SecurityLevel = LEVEL1;
+#[cfg(any(test, feature = "dev"))]
+pub const DEFAULT_LEVEL: SecurityLevel = LEVEL0;
+
+// placeholders. Use until we can merge the levels. There is some mismatch
+// between the levels between different crates.
+
+pub const SEC_PARAM: usize = 256;
+pub const SEC_BYTES: usize = SEC_PARAM / 8;
+pub const OT_PARAM: usize = 128;
+pub const OT_BYTES: usize = OT_PARAM / 8;
+pub const STAT_PARAM: usize = 80;
+
+// ZK_MOD_ITERATIONS is the number of iterations that are performed to prove the
+// validity of a Paillier-Blum modulus N.
+// Theoretically, the number of iterations corresponds to the statistical
+// security parameter, and would be 80.
+// The way it is used in the refresh protocol ensures that the prover cannot
+// guess in advance the secret ρ used to instantiate the hash function.
+// Since sampling primes is expensive, we argue that the security can be
+// reduced.
+pub const ZK_MOD_ITERATIONS: usize = 12;
+
+#[allow(clippy::identity_op)]
+pub const L: usize = 1 * SEC_PARAM; // = 256
+pub const L_PRIME: usize = 5 * SEC_PARAM; // = 1280
+pub const EPSILON: usize = 2 * SEC_PARAM; // = 512
+pub const L_PLUS_EPSILON: usize = L + EPSILON; // = 768
+pub const L_PRIME_PLUS_EPSILON: usize = L_PRIME + EPSILON; // = 1792
+
+pub const BITS_INT_MODN: usize = 8 * SEC_PARAM; // = 2048
+pub const BYTES_INT_MODN: usize = BITS_INT_MODN / 8; // = 256
+
+pub const BITS_BLUM_PRIME: usize = 4 * SEC_PARAM; // = 1024
+pub const BITS_PAILLIER: usize = 2 * BITS_BLUM_PRIME; // = 2048
+
+pub const BYTES_PAILLIER: usize = BITS_PAILLIER / 8; // = 256
+pub const BYTES_CIPHERTEXT: usize = 2 * BYTES_PAILLIER; // = 512