Cradicle Explorer
liboprf
/ src / mpmult.h
mpmult.h
  1  /**
  2   * @file dkg_mult.h
  3   * @brief API for the Distributed Key Generation (DKG) Multiplication
  4   *        Protocols
  5   *
  6   * SPDX-FileCopyrightText: 2025, Marsiske Stefan
  7   * SPDX-License-Identifier: LGPL-3.0-or-later
  8   * 
  9   * Implements a secure multiplication protocol that, given sharings of
 10   * secret `a` and secret `b`, generates a sharing of the product `a*b`
 11   * without revealing either secret.
 12   *
 13   * The interfaces in this header provide access to functions
 14   * implementing the Simple-Mult protocol defined in Fig. 2 from
 15   * R. Gennaro, M. O. Rabin, and T. Rabin. "Simplified VSS and
 16   * fast-track multiparty computations with applications to threshold
 17   * cryptography". In B. A. Coan and Y. Afek, editors, 17th ACM PODC,
 18   * pages 101–111. ACM, June / July 1998.
 19   *
 20   * Also implements the Fast-Track Multiplication (FT-Mult) protocol
 21   * defined in Fig. 5 of the same paper, which allows for faster
 22   * multiparty computations.
 23   *
 24   **/
 25  
 26  #ifndef THMULT_H
 27  #define THMULT_H
 28  
 29  #include <stdint.h>
 30  #include <sodium.h>
 31  #include "toprf.h"
 32  #include "dkg.h"
 33  
 34  /**
 35   * @brief Computes the inverse of a Vandermonde matrix
 36   *
 37   * Given a list of dealer indices, this function generates the
 38   * corresponding Vandermonde matrix and computes its inverse, storing
 39   * the result in `inverted`.
 40   *
 41   * @param[in] dealers Number of dealers (matrix dimension)
 42   * @param[in] indexes Array of indices corresponding to each dealer
 43   * @param[out] inverted Output inverted Vandermonde matrix
 44   */
 45  void invertedVDMmatrix(const uint8_t dealers,
 46                         const uint8_t indexes[dealers],
 47                         uint8_t inverted[dealers][dealers][crypto_core_ristretto255_SCALARBYTES]);
 48  
 49  /**
 50   * @brief Phase 1 of multiparty threshold multiplication.
 51   *
 52   * Performs the  multiplication of two shares, `a` and `b`.
 53   *
 54   * @param[in] a One share held by the dealer contributing to the
 55   *            multiplication
 56   * @param[in] b Another share held by the dealer contributing to
 57   *            the multiplication
 58   * @param[in] peers The number of peers participating in the
 59   *            computation. This should equal the number of peers
 60   *            holding shares of `a` and `b`.
 61   * @param[in] threshold The number of peers minimum necessary to
 62   *            reconstruct either of the input or the result
 63   *            shares. Should equal the threshold for the `a` and `b`
 64   *            values.
 65   * @param[out] shares Output array of shares of a*b, one for each peer
 66   *
 67   * @return 0 on success, non-zero on error
 68   */
 69  int toprf_mpc_mul_start(const uint8_t _a[TOPRF_Share_BYTES],
 70                          const uint8_t _b[TOPRF_Share_BYTES],
 71                          const uint8_t peers, const uint8_t threshold,
 72                          uint8_t shares[peers][TOPRF_Share_BYTES]);
 73  
 74  /**
 75   * @brief Phase 2 of multiparty threshold multiplication.
 76   *
 77   * Each peer calls this function to finalize their share of a*b,
 78   * using all shares from phase 1 and the inverted Vandermonde matrix.
 79   *
 80   * @param[in] dealers Number of dealers
 81   * @param[in] indexes Indices of the participating dealers
 82   * @param[in] peer Index of the current peer computing their share
 83   * @param[in] shares All shares from phase 1 for this participant
 84   * @param[out] share Output share of a*b for this participant
 85   */
 86  void toprf_mpc_mul_finish(const uint8_t dealers,
 87                            const uint8_t indexes[dealers],
 88                            const uint8_t peer,
 89                            const uint8_t shares[dealers][TOPRF_Share_BYTES],
 90                            uint8_t _share[TOPRF_Share_BYTES]);
 91  
 92  /**
 93   * @brief Checks the correctness of a set of commitments
 94   *
 95   * @param[in] t Degree of the polynomials + 1 (threshold)
 96   * @param[in] A Array of commitments to check
 97   *
 98   * @return 0 if the check passes, non-zero otherwise
 99   */
100  int toprf_mpc_vsps_check(const uint8_t t,
101                           const uint8_t A[t*2][crypto_core_ristretto255_BYTES]);
102  
103  /**
104   * @brief Step 1 of the Fast-Track Multiplication (FT-Mult) protocol
105   *
106   * Each player shares a value (λ_iα_iβ_i) using VSS, producing shares and commitments
107   * for the next phase. FT-Mult is defined in Fig. 5 of "Simplified VSS and Fast-track
108   * Multiparty Computations  with Applications to Threshold Cryptography" by R. Gennaro, M. O.
109   * Rabin, and T. Rabin, PODC 1998.
110   *
111   * @param[in] dealers Number of participants acting as dealers (always 2t+1)
112   * @param[in] n Number of parties receiving shares (must be more or equal 2t+1)
113   * @param[in] t Threshold for reconstruction
114   * @param[in] self Index of the current participant
115   * @param[in] alpha Share of secret `a` (and its blinding factor)
116   * @param[in] beta Share of secret `b` (and its blinding factor)
117   * @param[in] lambdas Lagrange coefficients
118   * @param[out] ci_shares Output array of shares for each participant
119   * @param[out] ci_commitments Output array of commitments
120   * @param[out] ci_tau Output blinding factor for the commitment
121   *
122   * @return 0 on success, non-zero on error
123   */
124  int toprf_mpc_ftmult_step1(const uint8_t dealers, const uint8_t n, const uint8_t t, const uint8_t self,
125                             const TOPRF_Share alpha[2], const TOPRF_Share beta[2],
126                             const uint8_t lambdas[dealers][crypto_core_ristretto255_SCALARBYTES],
127                             TOPRF_Share ci_shares[n][2],
128                             uint8_t ci_commitments[n][crypto_core_ristretto255_BYTES],
129                             uint8_t ci_tau[crypto_core_ristretto255_SCALARBYTES]);
130  
131  /**
132   * @brief Computes zero-knowledge (ZK) commitments for fast-track
133   *        multiplication
134   *
135   * Generates commitments for use in the zero-knowledge proof of correct
136   * multiplication.
137   *
138   * @param[in] B_i Commitment to the value being proved
139   * @param[out] d Random scalar for the proof
140   * @param[out] s Random scalar for the proof
141   * @param[out] x Random scalar for the proof
142   * @param[out] s_1 Random scalar for the proof
143   * @param[out] s_2 Random scalar for the proof
144   * @param[out] zk_commitments Output array of three commitments
145   *
146   * @return 0 on success, non-zero on error
147   */
148  int toprf_mpc_ftmult_zk_commitments(const uint8_t B_i[crypto_core_ristretto255_BYTES],
149                                      uint8_t d[crypto_scalarmult_ristretto255_SCALARBYTES],
150                                      uint8_t s[crypto_scalarmult_ristretto255_SCALARBYTES],
151                                      uint8_t x[crypto_scalarmult_ristretto255_SCALARBYTES],
152                                      uint8_t s_1[crypto_scalarmult_ristretto255_SCALARBYTES],
153                                      uint8_t s_2[crypto_scalarmult_ristretto255_SCALARBYTES],
154                                      uint8_t zk_commitments[3][crypto_scalarmult_ristretto255_BYTES]);
155  
156  #endif // THMULT_H