330 zeroize

Cargo.toml

@@ -21,6 +21,7 @@ displaydoc = { version = "0.2", default-features = false }
 flame = { version = "0.2", optional = true }
 flamer = { version = "0.3", optional = true }
 generic-array = "0.14"
+#gmp-mpfr-sys = { version = "1.4", features = ["use-system-libs"] }
 hex = "0.4"
 k256 = { version = "0.13", features = ["arithmetic", "sha256", "ecdsa", "serde"] }
 lazy_static = "1"

src/paillier.rs

@@ -9,6 +9,8 @@ use crate::{
     parameters::PRIME_BITS,
     utils::{modpow, random_bn_in_z_star, CRYPTOGRAPHIC_RETRY_MAX},
 };
+//use crate::presign::round_three::SecretBigNumber;
+//use crate::presign::round_one::SecretNonce;
 use libpaillier::unknown_order::BigNumber;
 use rand::{CryptoRng, RngCore};
 use serde::{Deserialize, Serialize};
@@ -134,6 +136,7 @@ impl EncryptionKey {
         // `encrypt_with_nonce`.
         let nonce =
             random_bn_in_z_star(rng, self.modulus()).map_err(|_| PaillierError::RetryFailed)?;
+        //let secretnonce = SecretBigNumber::from_number(nonce);
         let c = self.encrypt_with_nonce(x, &MaskedNonce(nonce.clone()))?;
         Ok((c, Nonce(nonce)))
     }

src/presign/mod.rs

@@ -19,8 +19,8 @@
 mod input;
 mod participant;
 mod record;
-mod round_one;
-mod round_three;
+pub(crate) mod round_one;
+pub(crate) mod round_three;
 mod round_two;
 
 pub use input::Input;

src/presign/participant.rs

@@ -20,7 +20,11 @@ use crate::{
     presign::{
         input::Input,
         record::{PresignRecord, RecordPair},
-        round_one, round_three, round_two,
+        round_one,
+        round_one::SecretNonce,
+        round_three,
+        round_three::SecretScalar,
+        round_two,
     },
     protocol::{ParticipantIdentifier, ProtocolType, SharedContext},
     run_only_once,
@@ -926,10 +930,10 @@ impl PresignKeyShareAndInfo {
         };
 
         let r1_private = round_one::Private {
-            k,
-            rho,
+            k: SecretBigNumber::from_number(k),
+            rho: SecretNonce::from_nonce(rho),
             gamma,
-            nu,
+            nu: SecretNonce::from_nonce(nu),
             G,
             K,
         };
@@ -1037,7 +1041,8 @@ impl PresignKeyShareAndInfo {
             rng,
         )?;
         let mut transcript = Transcript::new(b"PiLogProof");
-        let secret = ProverSecret::new(&sender_r1_priv.gamma, &sender_r1_priv.nu);
+        let nonce_clone = &sender_r1_priv.nu.get_nonce_secret().clone();
+        let secret = ProverSecret::new(&sender_r1_priv.gamma, nonce_clone);
         let psi_prime = PiLogProof::prove(
             CommonInput::new(
                 &sender_r1_priv.G,
@@ -1053,7 +1058,10 @@ impl PresignKeyShareAndInfo {
         )?;
 
         Ok((
-            round_two::Private { beta, beta_hat },
+            round_two::Private {
+                beta: SecretBigNumber::from_number(beta),
+                beta_hat: SecretBigNumber::from_number(beta_hat),
+            },
             round_two::Public {
                 D,
                 D_hat,
@@ -1082,11 +1090,13 @@ impl PresignKeyShareAndInfo {
         let order = k256_order();
         let g = CurvePoint::GENERATOR;
 
-        let mut delta: BigNumber = sender_r1_priv.gamma.modmul(&sender_r1_priv.k, &order);
+        let mut delta: BigNumber = sender_r1_priv
+            .gamma
+            .modmul(sender_r1_priv.k.get_bignumber_secret(), &order);
         let mut chi: BigNumber = self
             .keyshare_private
             .as_ref()
-            .modmul(&sender_r1_priv.k, &order);
+            .modmul(sender_r1_priv.k.get_bignumber_secret(), &order);
         let mut Gamma = g.multiply_by_bignum(&sender_r1_priv.gamma)?;
 
         for round_three_input in other_participant_inputs.values() {
@@ -1120,12 +1130,18 @@ impl PresignKeyShareAndInfo {
             // in round two we did _not_ encrypt the negation of these as
             // specified in the protocol. See comment in `round_two` for the
             // reasoning.
-            delta = delta.modadd(&alpha.modsub(&r2_priv_j.beta, &order), &order);
-            chi = chi.modadd(&alpha_hat.modsub(&r2_priv_j.beta_hat, &order), &order);
+            delta = delta.modadd(
+                &alpha.modsub(r2_priv_j.beta.get_bignumber_secret(), &order),
+                &order,
+            );
+            chi = chi.modadd(
+                &alpha_hat.modsub(r2_priv_j.beta_hat.get_bignumber_secret(), &order),
+                &order,
+            );
             Gamma = Gamma + r2_pub_j.Gamma;
         }
 
-        let Delta = Gamma.multiply_by_bignum(&sender_r1_priv.k)?;
+        let Delta = Gamma.multiply_by_bignum(sender_r1_priv.k.get_bignumber_secret())?;
 
         let delta_scalar = bn_to_scalar(&delta)?;
         let chi_scalar = bn_to_scalar(&chi)?;
@@ -1141,7 +1157,10 @@ impl PresignKeyShareAndInfo {
                     self.aux_info_public.pk(),
                     &Gamma,
                 ),
-                ProverSecret::new(&sender_r1_priv.k, &sender_r1_priv.rho),
+                ProverSecret::new(
+                    &sender_r1_priv.k.get_bignumber_secret().clone(),
+                    &sender_r1_priv.rho.get_nonce_secret().clone(),
+                ),
                 context,
                 &mut transcript,
                 rng,
@@ -1157,11 +1176,11 @@ impl PresignKeyShareAndInfo {
 
         let private = round_three::Private {
             k: sender_r1_priv.k.clone(),
-            chi: chi_scalar,
+            chi: SecretScalar::from_scalar(chi_scalar),
             Gamma,
             // These last two fields can be public, but for convenience
             // are stored in this party's private component
-            delta: delta_scalar,
+            delta: SecretScalar::from_scalar(delta_scalar),
             Delta,
         };
 
@@ -1173,6 +1192,8 @@ use crate::participant::Status;
 #[cfg(test)]
 pub(super) use test::presign_record_set_is_valid;
 
+use super::round_three::SecretBigNumber;
+
 #[cfg(test)]
 mod test {
     use std::{collections::HashMap, iter::zip};

src/presign/record.rs

@@ -12,7 +12,9 @@ use crate::{
         InternalError::{InternalInvariantFailed, ProtocolError},
         Result,
     },
-    presign::round_three::{Private as RoundThreePrivate, Public as RoundThreePublic},
+    presign::round_three::{
+        Private as RoundThreePrivate, Public as RoundThreePublic, SecretScalar,
+    },
     utils::{bn_to_scalar, CurvePoint, ParseBytes},
 };
 use k256::{elliptic_curve::PrimeField, Scalar};
@@ -79,26 +81,28 @@ impl TryFrom<RecordPair> for PresignRecord {
         let mut delta = private.delta;
         let mut Delta = private.Delta;
         for p in publics {
-            delta += &p.delta;
+            delta += &SecretScalar::from_scalar(p.delta);
             Delta = Delta + p.Delta;
         }
 
         let g = CurvePoint::GENERATOR;
-        if g.multiply_by_scalar(&delta) != Delta {
+        if g.multiply_by_scalar(delta.get_scalar_secret()) != Delta {
             error!("Could not create PresignRecord: mismatch between calculated private and public deltas");
             return Err(ProtocolError(None));
         }
 
-        let delta_inv = Option::<Scalar>::from(delta.invert()).ok_or_else(|| {
+        let delta_inv: SecretScalar = Option::from(delta.clone().invert()).ok_or_else(|| {
             error!("Could not invert delta as it is 0. Either you got profoundly unlucky or more likely there's a bug");
             InternalInvariantFailed
         })?;
-        let R = private.Gamma.multiply_by_scalar(&delta_inv);
+        let R = private
+            .Gamma
+            .multiply_by_scalar(delta_inv.get_scalar_secret());
 
         Ok(PresignRecord {
             R,
-            k: bn_to_scalar(&private.k)?,
-            chi: private.chi,
+            k: bn_to_scalar(private.k.get_bignumber_secret())?,
+            chi: *private.chi.get_scalar_secret(),
         })
     }
 }

src/presign/round_one.rs

@@ -22,16 +22,32 @@ use serde::{Deserialize, Serialize};
 use std::fmt::Debug;
 use zeroize::ZeroizeOnDrop;
 
+use super::round_three::SecretBigNumber;
+
+#[derive(Clone, ZeroizeOnDrop)]
+pub(crate) struct SecretNonce(Nonce);
+
+impl SecretNonce {
+    pub fn from_nonce(nonce: Nonce) -> SecretNonce {
+        SecretNonce(nonce)
+    }
+    /// This method gives you access to the underlying secret nonce. We should
+    /// be careful about cloning the returned reference.
+    pub fn get_nonce_secret(&self) -> &Nonce {
+        &self.0
+    }
+}
+
 /// Private data used in round one of the presign protocol.
-#[derive(ZeroizeOnDrop)]
+//#[derive(ZeroizeOnDrop)]
 pub(crate) struct Private {
-    pub k: BigNumber,
-    pub rho: Nonce,
+    pub k: SecretBigNumber,
+    pub rho: SecretNonce,
     pub gamma: BigNumber,
-    pub nu: Nonce,
-    #[zeroize(skip)]
+    pub nu: SecretNonce,
+    //#[zeroize(skip)]
     pub G: Ciphertext, // Technically can be public but is only one per party
-    #[zeroize(skip)]
+    //#[zeroize(skip)]
     pub K: Ciphertext, // Technically can be public but is only one per party
 }
 

src/presign/round_three.rs

@@ -20,25 +20,65 @@ use crate::{
         Proof, ProofContext,
     },
 };
-use k256::{elliptic_curve::PrimeField, Scalar};
+use k256::{
+    elliptic_curve::{subtle::CtOption, PrimeField},
+    Scalar,
+};
 use libpaillier::unknown_order::BigNumber;
 use merlin::Transcript;
 use serde::{Deserialize, Serialize};
-use std::fmt::Debug;
+use std::{fmt::Debug, ops::AddAssign};
 use tracing::error;
 use zeroize::ZeroizeOnDrop;
 
-#[derive(Clone, ZeroizeOnDrop)]
+#[derive(Clone)]
 pub(crate) struct Private {
-    pub k: BigNumber,
-    pub chi: Scalar,
-    #[zeroize(skip)]
+    pub k: SecretBigNumber,
+    pub chi: SecretScalar,
+    /// Gamma is not secret and does not need to be zeroized.
     pub Gamma: CurvePoint,
-    #[zeroize(skip)]
-    pub delta: Scalar,
-    #[zeroize(skip)]
+    pub delta: SecretScalar,
+    /// Delta is not secret and does not need to be zeroized.
     pub Delta: CurvePoint,
 }
+#[derive(Clone, ZeroizeOnDrop)]
+pub(crate) struct SecretBigNumber(BigNumber);
+
+impl SecretBigNumber {
+    pub fn from_number(bn: BigNumber) -> SecretBigNumber {
+        SecretBigNumber(bn)
+    }
+    /// This method gives you access to the underlying secret bignumber. We
+    /// should be careful about cloning the returned reference.
+    pub fn get_bignumber_secret(&self) -> &BigNumber {
+        &self.0
+    }
+}
+
+#[derive(Clone, ZeroizeOnDrop, Debug)]
+pub(crate) struct SecretScalar(Scalar);
+
+impl SecretScalar {
+    pub fn from_scalar(scalar: Scalar) -> SecretScalar {
+        SecretScalar(scalar)
+    }
+
+    pub fn invert(&self) -> CtOption<SecretScalar> {
+        self.get_scalar_secret().invert().map(SecretScalar)
+    }
+
+    /// This method gives you access to the underlying secret scalar. We should
+    /// be careful about cloning the returned reference.
+    pub fn get_scalar_secret(&self) -> &Scalar {
+        &self.0
+    }
+}
+
+impl AddAssign<&SecretScalar> for SecretScalar {
+    fn add_assign(&mut self, other: &SecretScalar) {
+        self.0 += &other.0;
+    }
+}
 
 impl Debug for Private {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

src/presign/round_two.rs

@@ -20,16 +20,18 @@ use crate::{
         Proof, ProofContext,
     },
 };
-use libpaillier::unknown_order::BigNumber;
+//use libpaillier::unknown_order::BigNumber;
 use merlin::Transcript;
 use serde::{Deserialize, Serialize};
 use std::fmt::Debug;
 use zeroize::ZeroizeOnDrop;
 
+use super::round_three::SecretBigNumber;
+
 #[derive(Clone, ZeroizeOnDrop)]
 pub(crate) struct Private {
-    pub beta: BigNumber,
-    pub beta_hat: BigNumber,
+    pub beta: SecretBigNumber,
+    pub beta_hat: SecretBigNumber,
 }
 
 impl Debug for Private {