Merge pull request #124 from dalek-cryptography/errors

Add failure-based error types.

Author: hdevalence

Cargo.toml

@@ -20,6 +20,7 @@ byteorder = "1.2.1"
 serde = "1"
 serde_derive = "1"
 tiny-keccak = "1.4.1"
+failure = "0.1"
 
 [dev-dependencies]
 hex = "^0.3"

src/errors.rs

@@ -0,0 +1,87 @@
+//! Errors related to proving and verifying proofs.
+
+/// Represents an error in proof creation, verification, or parsing.
+#[derive(Fail, Clone, Debug, Eq, PartialEq)]
+pub enum ProofError {
+    /// This error occurs when a proof failed to verify.
+    #[fail(display = "Proof verification failed.")]
+    VerificationError,
+    /// This error occurs when the proof encoding is malformed.
+    #[fail(display = "Proof data could not be parsed.")]
+    FormatError,
+    /// This error occurs during proving if the number of blinding
+    /// factors does not match the number of values.
+    #[fail(display = "Wrong number of blinding factors supplied.")]
+    WrongNumBlindingFactors,
+    /// This error occurs when attempting to create a proof with
+    /// bitsize other than \\(8\\), \\(16\\), \\(32\\), or \\(64\\).
+    #[fail(display = "Invalid bitsize, must have n = 8,16,32,64")]
+    InvalidBitsize,
+    /// This error occurs when attempting to create an aggregated
+    /// proof with non-power-of-two aggregation size.
+    #[fail(display = "Invalid aggregation size, m must be a power of 2")]
+    InvalidAggregation,
+    /// This error results from an internal error during proving.
+    ///
+    /// The single-party prover is implemented by performing
+    /// multiparty computation with ourselves.  However, because the
+    /// MPC protocol is not exposed by the single-party API, we
+    /// consider its errors to be internal errors.
+    #[fail(display = "Internal error during proof creation: {}", _0)]
+    ProvingError(MPCError),
+}
+
+impl From<MPCError> for ProofError {
+    fn from(e: MPCError) -> ProofError {
+        match e {
+            MPCError::InvalidBitsize => ProofError::InvalidBitsize,
+            MPCError::InvalidAggregation => ProofError::InvalidAggregation,
+            _ => ProofError::ProvingError(e),
+        }
+    }
+}
+
+/// Represents an error during the multiparty computation protocol for
+/// proof aggregation.
+///
+/// This is a separate type from the `ProofError` to allow a layered
+/// API: although the MPC protocol is used internally for single-party
+/// proving, its API should not expose the complexity of the MPC
+/// protocol.
+#[derive(Fail, Clone, Debug, Eq, PartialEq)]
+pub enum MPCError {
+    /// This error occurs when the dealer gives a zero challenge,
+    /// which would annihilate the blinding factors.
+    #[fail(display = "Dealer gave a malicious challenge value.")]
+    MaliciousDealer,
+    /// This error occurs when attempting to create a proof with
+    /// bitsize other than \\(8\\), \\(16\\), \\(32\\), or \\(64\\).
+    #[fail(display = "Invalid bitsize, must have n = 8,16,32,64")]
+    InvalidBitsize,
+    /// This error occurs when attempting to create an aggregated
+    /// proof with non-power-of-two aggregation size.
+    #[fail(display = "Invalid aggregation size, m must be a power of 2")]
+    InvalidAggregation,
+    /// This error occurs when the dealer is given the wrong number of
+    /// value commitments.
+    #[fail(display = "Wrong number of value commitments")]
+    WrongNumValueCommitments,
+    /// This error occurs when the dealer is given the wrong number of
+    /// polynomial commitments.
+    #[fail(display = "Wrong number of value commitments")]
+    WrongNumPolyCommitments,
+    /// This error occurs when the dealer is given the wrong number of
+    /// proof shares.
+    #[fail(display = "Wrong number of proof shares")]
+    WrongNumProofShares,
+    /// This error occurs when one or more parties submit malformed
+    /// proof shares.
+    #[fail(
+        display = "Malformed proof shares from parties {:?}",
+        bad_shares
+    )]
+    MalformedProofShares {
+        /// A vector with the indexes of the parties whose shares were malformed.
+        bad_shares: Vec<usize>,
+    },
+}

src/inner_product_proof.rs

@@ -11,6 +11,8 @@ use curve25519_dalek::traits::VartimeMultiscalarMul;
 
 use proof_transcript::ProofTranscript;
 
+use errors::ProofError;
+
 #[derive(Clone, Debug)]
 pub struct InnerProductProof {
     pub(crate) L_vec: Vec<CompressedRistretto>,
@@ -185,7 +187,7 @@ impl InnerProductProof {
         Q: &RistrettoPoint,
         G: &[RistrettoPoint],
         H: &[RistrettoPoint],
-    ) -> Result<(), &'static str>
+    ) -> Result<(), ProofError>
     where
         I: IntoIterator,
         I::Item: Borrow<Scalar>,
@@ -208,13 +210,13 @@ impl InnerProductProof {
         let Ls = self
             .L_vec
             .iter()
-            .map(|p| p.decompress().ok_or("InnerProductProof L point is invalid"))
+            .map(|p| p.decompress().ok_or(ProofError::VerificationError))
             .collect::<Result<Vec<_>, _>>()?;
 
         let Rs = self
             .R_vec
             .iter()
-            .map(|p| p.decompress().ok_or("InnerProductProof R point is invalid"))
+            .map(|p| p.decompress().ok_or(ProofError::VerificationError))
             .collect::<Result<Vec<_>, _>>()?;
 
         let expect_P = RistrettoPoint::vartime_multiscalar_mul(
@@ -233,7 +235,7 @@ impl InnerProductProof {
         if expect_P == *P {
             Ok(())
         } else {
-            Err("InnerProductProof is invalid")
+            Err(ProofError::VerificationError)
         }
     }
 
@@ -267,21 +269,21 @@ impl InnerProductProof {
     /// * \\(n\\) is larger or equal to 32 (proof is too big),
     /// * any of \\(2n\\) points are not valid compressed Ristretto points,
     /// * any of 2 scalars are not canonical scalars modulo Ristretto group order.
-    pub fn from_bytes(slice: &[u8]) -> Result<InnerProductProof, &'static str> {
+    pub fn from_bytes(slice: &[u8]) -> Result<InnerProductProof, ProofError> {
         let b = slice.len();
         if b % 32 != 0 {
-            return Err("InnerProductProof size is not divisible by 32");
+            return Err(ProofError::FormatError);
         }
         let num_elements = b / 32;
         if num_elements < 2 {
-            return Err("InnerProductProof must contain at least two 32-byte elements");
+            return Err(ProofError::FormatError);
         }
         if (num_elements - 2) % 2 != 0 {
-            return Err("InnerProductProof must contain even number of points");
+            return Err(ProofError::FormatError);
         }
         let lg_n = (num_elements - 2) / 2;
         if lg_n >= 32 {
-            return Err("InnerProductProof contains too many points");
+            return Err(ProofError::FormatError);
         }
 
         use util::read32;
@@ -295,10 +297,9 @@ impl InnerProductProof {
         }
 
         let pos = 2 * lg_n * 32;
-        let a = Scalar::from_canonical_bytes(read32(&slice[pos..]))
-            .ok_or("InnerProductProof.a is not a canonical scalar")?;
+        let a = Scalar::from_canonical_bytes(read32(&slice[pos..])).ok_or(ProofError::FormatError)?;
         let b = Scalar::from_canonical_bytes(read32(&slice[pos + 32..]))
-            .ok_or("InnerProductProof.b is not a canonical scalar")?;
+            .ok_or(ProofError::FormatError)?;
 
         Ok(InnerProductProof { L_vec, R_vec, a, b })
     }

src/lib.rs

@@ -11,36 +11,39 @@
 extern crate byteorder;
 extern crate core;
 extern crate curve25519_dalek;
+#[macro_use]
+extern crate failure;
 extern crate rand;
 extern crate sha2;
 extern crate subtle;
 extern crate tiny_keccak;
-
 #[macro_use]
 extern crate serde_derive;
 extern crate serde;
 
-#[cfg(test)]
-extern crate test;
-
 #[cfg(test)]
 extern crate bincode;
+#[cfg(test)]
+extern crate test;
 
 mod util;
 
 #[doc(include = "../docs/notes.md")]
 mod notes {}
+mod errors;
 mod generators;
 mod inner_product_proof;
 mod proof_transcript;
 mod range_proof;
 
+pub use errors::ProofError;
 pub use generators::{Generators, GeneratorsView, PedersenGenerators};
 pub use proof_transcript::ProofTranscript;
 pub use range_proof::RangeProof;
 
 #[doc(include = "../docs/aggregation-api.md")]
 pub mod aggregation {
+    pub use errors::MPCError;
     pub use range_proof::dealer;
     pub use range_proof::messages;
     pub use range_proof::party;

src/range_proof/dealer.rs

@@ -9,6 +9,7 @@ use rand::{CryptoRng, Rng};
 use curve25519_dalek::ristretto::RistrettoPoint;
 use curve25519_dalek::scalar::Scalar;
 
+use errors::MPCError;
 use generators::Generators;
 use inner_product_proof;
 use proof_transcript::ProofTranscript;
@@ -28,12 +29,12 @@ impl Dealer {
         n: usize,
         m: usize,
         transcript: &'a mut ProofTranscript,
-    ) -> Result<DealerAwaitingValueCommitments<'a, 'b>, &'static str> {
-        if !n.is_power_of_two() || n > 64 {
-            return Err("n is not valid: must be a power of 2, and less than or equal to 64");
+    ) -> Result<DealerAwaitingValueCommitments<'a, 'b>, MPCError> {
+        if !(n == 8 || n == 16 || n == 32 || n == 64) {
+            return Err(MPCError::InvalidBitsize);
         }
         if !m.is_power_of_two() {
-            return Err("m is not valid: must be a power of 2");
+            return Err(MPCError::InvalidAggregation);
         }
 
         // At the end of the protocol, the dealer will attempt to
@@ -81,9 +82,9 @@ impl<'a, 'b> DealerAwaitingValueCommitments<'a, 'b> {
     pub fn receive_value_commitments(
         self,
         value_commitments: Vec<ValueCommitment>,
-    ) -> Result<(DealerAwaitingPolyCommitments<'a, 'b>, ValueChallenge), &'static str> {
+    ) -> Result<(DealerAwaitingPolyCommitments<'a, 'b>, ValueChallenge), MPCError> {
         if self.m != value_commitments.len() {
-            return Err("Length of value commitments doesn't match expected length m");
+            return Err(MPCError::WrongNumValueCommitments);
         }
 
         // Commit each V_j individually
@@ -137,9 +138,9 @@ impl<'a, 'b> DealerAwaitingPolyCommitments<'a, 'b> {
     pub fn receive_poly_commitments(
         self,
         poly_commitments: Vec<PolyCommitment>,
-    ) -> Result<(DealerAwaitingProofShares<'a, 'b>, PolyChallenge), &'static str> {
+    ) -> Result<(DealerAwaitingProofShares<'a, 'b>, PolyChallenge), MPCError> {
         if self.m != poly_commitments.len() {
-            return Err("Length of poly commitments doesn't match expected length m");
+            return Err(MPCError::WrongNumPolyCommitments);
         }
 
         // Commit sums of T_1_j's and T_2_j's
@@ -195,9 +196,9 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
     /// Used as a helper function by `receive_trusted_shares` (which
     /// just hands back the result) and `receive_shares` (which
     /// validates the proof shares.
-    fn assemble_shares(&mut self, proof_shares: &[ProofShare]) -> Result<RangeProof, &'static str> {
+    fn assemble_shares(&mut self, proof_shares: &[ProofShare]) -> Result<RangeProof, MPCError> {
         if self.m != proof_shares.len() {
-            return Err("Length of proof shares doesn't match expected length m");
+            return Err(MPCError::WrongNumProofShares);
         }
 
         let t_x: Scalar = proof_shares.iter().map(|ps| ps.t_x).sum();
@@ -255,19 +256,17 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
         mut self,
         rng: &mut R,
         proof_shares: &[ProofShare],
-    ) -> Result<RangeProof, &'static str> {
+    ) -> Result<RangeProof, MPCError> {
         let proof = self.assemble_shares(proof_shares)?;
 
         let V: Vec<_> = self.value_commitments.iter().map(|vc| vc.V_j).collect();
 
         // See comment in `Dealer::new` for why we use `initial_transcript`
-        if proof
-            .verify(&V, self.gens, &mut self.initial_transcript, rng, self.n)
-            .is_ok()
-        {
+        let transcript = &mut self.initial_transcript;
+        if proof.verify(&V, self.gens, transcript, rng, self.n).is_ok() {
             Ok(proof)
         } else {
-            // Create a list of bad shares
+            // Proof verification failed. Now audit the parties:
             let mut bad_shares = Vec::new();
             for j in 0..self.m {
                 match proof_shares[j].audit_share(
@@ -279,13 +278,10 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
                     &self.poly_challenge,
                 ) {
                     Ok(_) => {}
-                    // XXX pass errors upwards
                     Err(_) => bad_shares.push(j),
                 }
             }
-            // XXX pass this upwards
-            println!("bad shares: {:?}", bad_shares);
-            Err("proof failed to verify")
+            Err(MPCError::MalformedProofShares { bad_shares })
         }
     }
 
@@ -305,7 +301,7 @@ impl<'a, 'b> DealerAwaitingProofShares<'a, 'b> {
     pub fn receive_trusted_shares(
         mut self,
         proof_shares: &[ProofShare],
-    ) -> Result<RangeProof, &'static str> {
+    ) -> Result<RangeProof, MPCError> {
         self.assemble_shares(proof_shares)
     }
 }

src/range_proof/messages.rs

@@ -55,7 +55,7 @@ impl ProofShare {
         value_challenge: &ValueChallenge,
         poly_commitment: &PolyCommitment,
         poly_challenge: &PolyChallenge,
-    ) -> Result<(), &'static str> {
+    ) -> Result<(), ()> {
         use std::iter;
 
         use curve25519_dalek::traits::{IsIdentity, VartimeMultiscalarMul};
@@ -76,7 +76,7 @@ impl ProofShare {
         let y_inv = y.invert(); // y^(-1)
 
         if self.t_x != inner_product(&self.l_vec, &self.r_vec) {
-            return Err("Inner product of l_vec and r_vec is not equal to t_x");
+            return Err(());
         }
 
         let g = self.l_vec.iter().map(|l_i| minus_z - l_i);
@@ -102,7 +102,7 @@ impl ProofShare {
                 .chain(gens.share(j).H.iter()),
         );
         if !P_check.is_identity() {
-            return Err("P check is not equal to zero");
+            return Err(());
         }
 
         let sum_of_powers_y = util::sum_of_powers(&y, n);
@@ -120,10 +120,11 @@ impl ProofShare {
                 .chain(iter::once(&gens.pedersen_generators.B))
                 .chain(iter::once(&gens.pedersen_generators.B_blinding)),
         );
-        if !t_check.is_identity() {
-            return Err("t check is not equal to zero");
-        }
 
-        Ok(())
+        if t_check.is_identity() {
+            Ok(())
+        } else {
+            Err(())
+        }
     }
 }