Upgrade wasmer to 3.0, add serializations and use forked merlin with

serialization

Signed-off-by: lovesh <[email protected]>

Cargo.toml

@@ -14,7 +14,8 @@ members = [
     "delegatable_credentials",
     "secret_sharing_and_dkg",
     "legogroth16",
-    "oblivious_transfer"
+    "oblivious_transfer",
+    "merlin"
 ]
 resolver = "2"
 
@@ -40,8 +41,8 @@ serde_with = { version = "1.10.0", default-features = false, features = ["macros
 zeroize = { version = "1.6.0", features = ["derive"] }
 blake2 = { version = "0.10", default-features = false }
 ark-bls12-381 = { version = "^0.4.0", default-features = false, features = [ "curve" ] }
-merlin = { version = "^3.0", default-features = false }
-legogroth16 = { version = "0.6.0" , default-features = false }
+merlin = { package = "dock_merlin", version = "1.0", default-features = false, path = "./merlin" }
+legogroth16 = { version = "0.8.0" , default-features = false }
 
 [profile.release]
 lto = true

bbs_plus/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bbs_plus"
-version = "0.14.0"
+version = "0.15.0"
 edition.workspace = true
 authors.workspace = true
 license.workspace = true
@@ -19,10 +19,10 @@ ark-std.workspace = true
 digest.workspace = true
 rayon = {workspace = true, optional = true}
 itertools = "0.10.5"
-schnorr_pok = { version = "0.11.0", default-features = false, path = "../schnorr_pok" }
-dock_crypto_utils = { version = "0.12.0", default-features = false, path = "../utils" }
-oblivious_transfer_protocols = { version = "0.1.0", default-features = false, path = "../oblivious_transfer" }
-secret_sharing_and_dkg = { version = "0.4.0", default-features = false, path = "../secret_sharing_and_dkg" }
+schnorr_pok = { version = "0.12.0", default-features = false, path = "../schnorr_pok" }
+dock_crypto_utils = { version = "0.13.0", default-features = false, path = "../utils" }
+oblivious_transfer_protocols = { version = "0.2.0", default-features = false, path = "../oblivious_transfer" }
+secret_sharing_and_dkg = { version = "0.6.0", default-features = false, path = "../secret_sharing_and_dkg" }
 sha3 = { version = "0.10.6", default-features = false }
 serde.workspace = true
 serde_with.workspace = true

bbs_plus/src/error.rs

@@ -48,6 +48,7 @@ pub enum BBSPlusError {
     UnexpectedMultiplicationParty2(ParticipantId),
     IncorrectEByParticipant(ParticipantId),
     IncorrectSByParticipant(ParticipantId),
+    ParticipantCannotBePresentInOthers(ParticipantId),
     NotABaseOTSender(ParticipantId),
     NotABaseOTReceiver(ParticipantId),
     AlreadyHaveSenderPubkeyFrom(ParticipantId),

bbs_plus/src/threshold/base_ot_phase.rs

@@ -3,6 +3,7 @@
 
 use crate::error::BBSPlusError;
 use ark_ec::AffineRepr;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{
     collections::{BTreeMap, BTreeSet},
     rand::RngCore,
@@ -18,10 +19,14 @@ use oblivious_transfer_protocols::{
     },
     Bit, ParticipantId,
 };
+use serde::{Deserialize, Serialize};
 
 /// The participant runs an independent base OT with each participant and stores each OT's state. If
 /// its id is less than other's then it acts as an OT sender else it acts as a receiver
-#[derive(Clone, Debug, PartialEq)]
+#[derive(
+    Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+)]
+#[serde(bound = "")]
 pub struct BaseOTPhase<G: AffineRepr> {
     pub id: ParticipantId,
     /// Number of base OTs to perform
@@ -36,35 +41,37 @@ pub struct BaseOTPhase<G: AffineRepr> {
     pub receiver_responder: BTreeMap<ParticipantId, VSROTResponder>,
 }
 
-#[derive(Clone, Debug, PartialEq)]
+#[derive(
+    Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+)]
 pub struct BaseOTPhaseOutput {
     pub id: ParticipantId,
     pub sender_keys: BTreeMap<ParticipantId, OneOfTwoROTSenderKeys>,
     pub receiver: BTreeMap<ParticipantId, (Vec<Bit>, ROTReceiverKeys)>,
 }
 
+#[derive(
+    Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize, Serialize, Deserialize,
+)]
+#[serde(bound = "")]
+pub struct SenderPubKeyAndProof<G: AffineRepr>(SenderPubKey<G>, SecretKnowledgeProof<G>);
+
 impl<G: AffineRepr> BaseOTPhase<G> {
     pub fn init<R: RngCore, D: Digest>(
         rng: &mut R,
         id: ParticipantId,
         others: BTreeSet<ParticipantId>,
         num_base_ot: u16,
         B: &G,
-    ) -> Result<
-        (
-            Self,
-            BTreeMap<ParticipantId, (SenderPubKey<G>, SecretKnowledgeProof<G>)>,
-        ),
-        BBSPlusError,
-    > {
+    ) -> Result<(Self, BTreeMap<ParticipantId, SenderPubKeyAndProof<G>>), BBSPlusError> {
         let mut base_ot_sender_setup = BTreeMap::new();
         let mut base_ot_receiver_choices = BTreeMap::new();
         let mut base_ot_s = BTreeMap::new();
         for other in others {
             if id < other {
                 let (setup, S, proof) =
                     ROTSenderSetup::new_verifiable::<R, D>(rng, num_base_ot, B)?;
-                base_ot_s.insert(other, (S, proof));
+                base_ot_s.insert(other, SenderPubKeyAndProof(S, proof));
                 base_ot_sender_setup.insert(other, setup);
             } else {
                 let base_ot_choices = (0..num_base_ot)
@@ -92,8 +99,7 @@ impl<G: AffineRepr> BaseOTPhase<G> {
         &mut self,
         rng: &mut R,
         sender_id: ParticipantId,
-        S: SenderPubKey<G>,
-        proof: SecretKnowledgeProof<G>,
+        sender_pk_and_proof: SenderPubKeyAndProof<G>,
         B: &G,
     ) -> Result<ReceiverPubKeys<G>, BBSPlusError> {
         if self.id == sender_id {
@@ -108,6 +114,7 @@ impl<G: AffineRepr> BaseOTPhase<G> {
         if self.receiver_keys.contains_key(&sender_id) {
             return Err(BBSPlusError::AlreadyHaveSenderPubkeyFrom(sender_id));
         }
+        let SenderPubKeyAndProof(S, proof) = sender_pk_and_proof;
         let (receiver_keys, pub_key) = ROTReceiverKeys::new_verifiable::<_, _, D, KEY_SIZE>(
             rng,
             self.count,
@@ -276,9 +283,9 @@ pub mod tests {
         }
 
         for (sender_id, pks) in sender_pks {
-            for (id, (pk, proof)) in pks {
+            for (id, pk) in pks {
                 let recv_pk = base_ots[id as usize - 1]
-                    .receive_sender_pubkey::<_, Blake2b512, KEY_SIZE>(rng, sender_id, pk, proof, &B)
+                    .receive_sender_pubkey::<_, Blake2b512, KEY_SIZE>(rng, sender_id, pk, &B)
                     .unwrap();
                 receiver_pks.insert((id, sender_id), recv_pk);
             }

bbs_plus/src/threshold/cointoss.rs

@@ -28,7 +28,7 @@ pub struct Party<F: PrimeField, const SALT_SIZE: usize> {
     // pub own_shares_and_salts: Vec<(F, [u8; 2*SECURITY_PARAM])>,
     /// Stores commitments to shares received from other parties and used to verify against the
     /// shares received from them in a future round
-    pub commitments: BTreeMap<ParticipantId, Commitments>,
+    pub other_commitments: BTreeMap<ParticipantId, Commitments>,
     /// Stores shares received from other parties and used to compute the joint randomness
     pub other_shares: BTreeMap<ParticipantId, Vec<F>>,
 }
@@ -56,7 +56,7 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
                 id,
                 protocol_id,
                 own_shares_and_salts: shares_and_salts,
-                commitments: Default::default(),
+                other_commitments: Default::default(),
                 other_shares: Default::default(),
             },
             Commitments(commitments),
@@ -72,7 +72,7 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
         if self.id == sender_id {
             return Err(BBSPlusError::SenderIdCannotBeSameAsSelf(sender_id, self.id));
         }
-        if self.commitments.contains_key(&sender_id) {
+        if self.other_commitments.contains_key(&sender_id) {
             return Err(BBSPlusError::AlreadyHaveCommitmentFromParticipant(
                 sender_id,
             ));
@@ -83,7 +83,7 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
                 commitments.0.len(),
             ));
         }
-        self.commitments.insert(sender_id, commitments);
+        self.other_commitments.insert(sender_id, commitments);
         Ok(())
     }
 
@@ -97,7 +97,7 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
         if self.id == sender_id {
             return Err(BBSPlusError::SenderIdCannotBeSameAsSelf(sender_id, self.id));
         }
-        if !self.commitments.contains_key(&sender_id) {
+        if !self.other_commitments.contains_key(&sender_id) {
             return Err(BBSPlusError::MissingCommitmentFromParticipant(sender_id));
         }
         if self.other_shares.contains_key(&sender_id) {
@@ -110,7 +110,7 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
             ));
         }
         let expected_commitments = Self::compute_commitments(&shares_and_salts, &self.protocol_id);
-        if expected_commitments != self.commitments.get(&sender_id).unwrap().0 {
+        if expected_commitments != self.other_commitments.get(&sender_id).unwrap().0 {
             return Err(BBSPlusError::IncorrectCommitment);
         }
         self.other_shares.insert(
@@ -134,13 +134,18 @@ impl<F: PrimeField, const SALT_SIZE: usize> Party<F, SALT_SIZE> {
     }
 
     pub fn has_commitment_from(&self, id: &ParticipantId) -> bool {
-        self.commitments.contains_key(id)
+        self.other_commitments.contains_key(id)
     }
 
     pub fn has_shares_from(&self, id: &ParticipantId) -> bool {
         self.other_shares.contains_key(id)
     }
 
+    /// Returns true if it has got shares from all other participants that sent commitments.
+    pub fn has_shares_from_all_who_committed(&self) -> bool {
+        self.other_shares.len() == self.other_commitments.len()
+    }
+
     // pub const fn salt_size() -> usize {
     //     2 * SECURITY_PARAM
     // }
@@ -211,16 +216,23 @@ pub mod tests {
 
             // All parties send their shares to others
             let start = Instant::now();
-            for i in 1..=num_parties {
-                for j in 1..=num_parties {
-                    if i != j {
-                        let share = parties[j as usize - 1].own_shares_and_salts.clone();
-                        parties[i as usize - 1].receive_shares(j, share).unwrap();
+            for receiver_id in 1..=num_parties {
+                for sender_id in 1..=num_parties {
+                    if receiver_id != sender_id {
+                        assert!(
+                            !parties[receiver_id as usize - 1].has_shares_from_all_who_committed()
+                        );
+                        let share = parties[sender_id as usize - 1].own_shares_and_salts.clone();
+                        parties[receiver_id as usize - 1]
+                            .receive_shares(sender_id, share)
+                            .unwrap();
                     }
                 }
+                assert!(parties[receiver_id as usize - 1].has_shares_from_all_who_committed());
             }
             let process_shares_time = start.elapsed();
 
+            // Shares are received correctly
             for i in 1..=num_parties {
                 for j in 1..=num_parties {
                     if i != j {
@@ -237,6 +249,10 @@ pub mod tests {
                 }
             }
 
+            for i in 0..num_parties as usize {
+                assert!(parties[i].has_shares_from_all_who_committed());
+            }
+
             // All parties compute the joint randomness
             let start = Instant::now();
             let mut joint_randomness = vec![];

bbs_plus/src/threshold/multiplication_phase.rs

@@ -2,6 +2,7 @@
 
 use crate::{error::BBSPlusError, threshold::base_ot_phase::BaseOTPhaseOutput};
 use ark_ff::PrimeField;
+use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
 use ark_std::{
     collections::{BTreeMap, BTreeSet},
     rand::RngCore,
@@ -20,25 +21,35 @@ use oblivious_transfer_protocols::{
 };
 
 /// The participant will acts as
-///     - a receiver in OT extension where its id is less than other participant
-///     - a sender in OT extension where its id is greater than other participant
-#[derive(Clone)]
+///     - a receiver in OT extension, also called Party2 in multiplication protocol, and its id is less than other participant
+///     - a sender in OT extension, also called Party1 in multiplication protocol, and its id is greater than other participant
+#[derive(Clone, CanonicalSerialize, CanonicalDeserialize)]
 pub struct Phase2<F: PrimeField, const KAPPA: u16, const STATISTICAL_SECURITY_PARAMETER: u16> {
     pub id: ParticipantId,
     /// Number of threshold signatures being generated in a single batch.
     pub batch_size: usize,
     /// Transcripts to record protocol interactions with each participant and later used to generate random challenges
     pub transcripts: BTreeMap<ParticipantId, Merlin>,
     pub ote_params: MultiplicationOTEParams<KAPPA, STATISTICAL_SECURITY_PARAMETER>,
+    /// Map where this participant plays the role of sender, i.e Party1
     pub multiplication_party1:
         BTreeMap<ParticipantId, Party1<F, KAPPA, STATISTICAL_SECURITY_PARAMETER>>,
+    /// Map where this participant plays the role of receiver, i.e Party2
     pub multiplication_party2:
         BTreeMap<ParticipantId, Party2<F, KAPPA, STATISTICAL_SECURITY_PARAMETER>>,
     pub z_A: BTreeMap<ParticipantId, (Vec<F>, Vec<F>)>,
     pub z_B: BTreeMap<ParticipantId, (Vec<F>, Vec<F>)>,
 }
 
-#[derive(Clone, Debug, PartialEq)]
+/// Message sent from Party2 to Party1 of multiplication protocol
+#[derive(Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
+pub struct Message1<F: PrimeField>(BitMatrix, KOSRLC, MaskedInputs<F>);
+
+/// Message sent from Party1 to Party2 of multiplication protocol. This message is created after Part1 processes `Message1`
+#[derive(Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
+pub struct Message2<F: PrimeField>(CorrelationTag<F>, RLC<F>, MaskedInputs<F>);
+
+#[derive(Clone, Debug, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
 pub struct Phase2Output<F: PrimeField> {
     pub z_A: BTreeMap<ParticipantId, (Vec<F>, Vec<F>)>,
     pub z_B: BTreeMap<ParticipantId, (Vec<F>, Vec<F>)>,
@@ -56,13 +67,7 @@ impl<F: PrimeField, const KAPPA: u16, const STATISTICAL_SECURITY_PARAMETER: u16>
         others: BTreeSet<ParticipantId>,
         ote_params: MultiplicationOTEParams<KAPPA, STATISTICAL_SECURITY_PARAMETER>,
         gadget_vector: &GadgetVector<F, KAPPA, STATISTICAL_SECURITY_PARAMETER>,
-    ) -> Result<
-        (
-            Self,
-            BTreeMap<ParticipantId, (BitMatrix, KOSRLC, MaskedInputs<F>)>,
-        ),
-        BBSPlusError,
-    > {
+    ) -> Result<(Self, BTreeMap<ParticipantId, Message1<F>>), BBSPlusError> {
         assert_eq!(masked_signing_key_share.len(), masked_r.len());
         let batch_size = masked_signing_key_share.len();
 
@@ -108,7 +113,7 @@ impl<F: PrimeField, const KAPPA: u16, const STATISTICAL_SECURITY_PARAMETER: u16>
                         &gadget_vector,
                     )?;
                     multiplication_party2.insert(other, party2);
-                    Us.insert(other, (U, rlc, gamma));
+                    Us.insert(other, Message1(U, rlc, gamma));
                 } else {
                     return Err(BBSPlusError::MissingOTSenderFor(other));
                 }
@@ -130,20 +135,20 @@ impl<F: PrimeField, const KAPPA: u16, const STATISTICAL_SECURITY_PARAMETER: u16>
         ))
     }
 
-    pub fn receive_u<D: Default + DynDigest + Clone>(
+    /// Process received message from Party2 of multiplication protocol
+    pub fn receive_message1<D: Default + DynDigest + Clone>(
         &mut self,
         sender_id: ParticipantId,
-        U: BitMatrix,
-        rlc: KOSRLC,
-        gamma: MaskedInputs<F>,
+        message: Message1<F>,
         gadget_vector: &GadgetVector<F, KAPPA, STATISTICAL_SECURITY_PARAMETER>,
-    ) -> Result<(CorrelationTag<F>, RLC<F>, MaskedInputs<F>), BBSPlusError> {
+    ) -> Result<Message2<F>, BBSPlusError> {
         if self.multiplication_party2.contains_key(&sender_id) {
             return Err(BBSPlusError::NotAMultiplicationParty2(sender_id));
         }
         if !self.multiplication_party1.contains_key(&sender_id) {
             return Err(BBSPlusError::NotAMultiplicationParty1(sender_id));
         }
+        let Message1(U, rlc, gamma) = message;
         let party1 = self.multiplication_party1.remove(&sender_id).unwrap();
         let trans = self.transcripts.get_mut(&sender_id).unwrap();
 
@@ -160,15 +165,14 @@ impl<F: PrimeField, const KAPPA: u16, const STATISTICAL_SECURITY_PARAMETER: u16>
             }
         }
         self.z_A.insert(sender_id, (z_A_0, z_A_1));
-        Ok((tau, r, gamma_a))
+        Ok(Message2(tau, r, gamma_a))
     }
 
-    pub fn receive_tau<D: Default + DynDigest + Clone>(
+    /// Process received message from Party1 of multiplication protocol
+    pub fn receive_message2<D: Default + DynDigest + Clone>(
         &mut self,
         sender_id: ParticipantId,
-        tau: CorrelationTag<F>,
-        rlc: RLC<F>,
-        gamma: MaskedInputs<F>,
+        message: Message2<F>,
         gadget_vector: &GadgetVector<F, KAPPA, STATISTICAL_SECURITY_PARAMETER>,
     ) -> Result<(), BBSPlusError> {
         if self.multiplication_party1.contains_key(&sender_id) {
@@ -177,7 +181,7 @@ impl<F: PrimeField, const KAPPA: u16, const STATISTICAL_SECURITY_PARAMETER: u16>
         if !self.multiplication_party2.contains_key(&sender_id) {
             return Err(BBSPlusError::NotAMultiplicationParty2(sender_id));
         }
-
+        let Message2(tau, rlc, gamma) = message;
         let party2 = self.multiplication_party2.remove(&sender_id).unwrap();
         let trans = self.transcripts.get_mut(&sender_id).unwrap();
         let shares = party2.receive::<D>(tau, rlc, gamma, trans, &gadget_vector)?;