diff options
Diffstat (limited to 'src/contrib/service/secretsharing/gnunet-service-secretsharing.c')
-rw-r--r-- | src/contrib/service/secretsharing/gnunet-service-secretsharing.c | 2414 |
1 files changed, 2414 insertions, 0 deletions
diff --git a/src/contrib/service/secretsharing/gnunet-service-secretsharing.c b/src/contrib/service/secretsharing/gnunet-service-secretsharing.c new file mode 100644 index 000000000..84338bd11 --- /dev/null +++ b/src/contrib/service/secretsharing/gnunet-service-secretsharing.c | |||
@@ -0,0 +1,2414 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet. | ||
3 | Copyright (C) 2013 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file secretsharing/gnunet-service-secretsharing.c | ||
23 | * @brief secret sharing service | ||
24 | * @author Florian Dold | ||
25 | */ | ||
26 | #include "platform.h" | ||
27 | #include "gnunet_util_lib.h" | ||
28 | #include "gnunet_time_lib.h" | ||
29 | #include "gnunet_signatures.h" | ||
30 | #include "gnunet_consensus_service.h" | ||
31 | #include "secretsharing.h" | ||
32 | #include "secretsharing_protocol.h" | ||
33 | #include <gcrypt.h> | ||
34 | |||
35 | |||
36 | #define EXTRA_CHECKS 1 | ||
37 | |||
38 | |||
39 | /** | ||
40 | * Info about a peer in a key generation session. | ||
41 | */ | ||
42 | struct KeygenPeerInfo | ||
43 | { | ||
44 | /** | ||
45 | * Peer identity of the peer. | ||
46 | */ | ||
47 | struct GNUNET_PeerIdentity peer; | ||
48 | |||
49 | /** | ||
50 | * The peer's paillier public key. | ||
51 | * Freshly generated for each keygen session. | ||
52 | */ | ||
53 | struct GNUNET_CRYPTO_PaillierPublicKey paillier_public_key; | ||
54 | |||
55 | /** | ||
56 | * The peer's commitment to its presecret. | ||
57 | */ | ||
58 | gcry_mpi_t presecret_commitment; | ||
59 | |||
60 | /** | ||
61 | * Commitment to the preshare that is | ||
62 | * intended for our peer. | ||
63 | */ | ||
64 | gcry_mpi_t preshare_commitment; | ||
65 | |||
66 | /** | ||
67 | * Sigma (exponentiated share) for this peer. | ||
68 | */ | ||
69 | gcry_mpi_t sigma; | ||
70 | |||
71 | /** | ||
72 | * Did we successfully receive the round1 element | ||
73 | * of the peer? | ||
74 | */ | ||
75 | int round1_valid; | ||
76 | |||
77 | /** | ||
78 | * Did we successfully receive the round2 element | ||
79 | * of the peer? | ||
80 | */ | ||
81 | int round2_valid; | ||
82 | }; | ||
83 | |||
84 | |||
85 | /** | ||
86 | * Information about a peer in a decrypt session. | ||
87 | */ | ||
88 | struct DecryptPeerInfo | ||
89 | { | ||
90 | /** | ||
91 | * Identity of the peer. | ||
92 | */ | ||
93 | struct GNUNET_PeerIdentity peer; | ||
94 | |||
95 | /** | ||
96 | * Original index in the key generation round. | ||
97 | * Necessary for computing the lagrange coefficients. | ||
98 | */ | ||
99 | unsigned int original_index; | ||
100 | |||
101 | /** | ||
102 | * Set to the partial decryption of | ||
103 | * this peer, or NULL if we did not | ||
104 | * receive a partial decryption from this | ||
105 | * peer or the zero knowledge proof failed. | ||
106 | */ | ||
107 | gcry_mpi_t partial_decryption; | ||
108 | }; | ||
109 | |||
110 | |||
111 | /** | ||
112 | * State we keep per client. | ||
113 | */ | ||
114 | struct ClientState; | ||
115 | |||
116 | |||
117 | /** | ||
118 | * Session to establish a threshold-shared secret. | ||
119 | */ | ||
120 | struct KeygenSession | ||
121 | { | ||
122 | /** | ||
123 | * Current consensus, used for both DKG rounds. | ||
124 | */ | ||
125 | struct GNUNET_CONSENSUS_Handle *consensus; | ||
126 | |||
127 | /** | ||
128 | * Which client is this for? | ||
129 | */ | ||
130 | struct ClientState *cs; | ||
131 | |||
132 | /** | ||
133 | * Randomly generated coefficients of the polynomial for sharing our | ||
134 | * pre-secret, where 'preshares[0]' is our pre-secret. Contains 'threshold' | ||
135 | * elements, thus represents a polynomial of degree 'threshold-1', which can | ||
136 | * be interpolated with 'threshold' data points. | ||
137 | * | ||
138 | * The pre-secret-shares 'i=1,...,num_peers' are given by evaluating this | ||
139 | * polyomial at 'i' for share i. | ||
140 | */ | ||
141 | gcry_mpi_t *presecret_polynomial; | ||
142 | |||
143 | /** | ||
144 | * Minimum number of shares required to restore the secret. | ||
145 | * Also the number of coefficients for the polynomial representing | ||
146 | * the sharing. Obviously, the polynomial then has degree threshold-1. | ||
147 | */ | ||
148 | unsigned int threshold; | ||
149 | |||
150 | /** | ||
151 | * Total number of peers. | ||
152 | */ | ||
153 | unsigned int num_peers; | ||
154 | |||
155 | /** | ||
156 | * Index of the local peer. | ||
157 | */ | ||
158 | unsigned int local_peer; | ||
159 | |||
160 | /** | ||
161 | * Information about all participating peers. | ||
162 | * Array of size 'num_peers'. | ||
163 | */ | ||
164 | struct KeygenPeerInfo *info; | ||
165 | |||
166 | /** | ||
167 | * List of all peers involved in the secret sharing session. | ||
168 | */ | ||
169 | struct GNUNET_PeerIdentity *peers; | ||
170 | |||
171 | /** | ||
172 | * Identifier for this session. | ||
173 | */ | ||
174 | struct GNUNET_HashCode session_id; | ||
175 | |||
176 | /** | ||
177 | * Paillier private key of our peer. | ||
178 | */ | ||
179 | struct GNUNET_CRYPTO_PaillierPrivateKey paillier_private_key; | ||
180 | |||
181 | /** | ||
182 | * When would we like the key to be established? | ||
183 | */ | ||
184 | struct GNUNET_TIME_Absolute deadline; | ||
185 | |||
186 | /** | ||
187 | * When does the DKG start? Necessary to compute fractions of the | ||
188 | * operation's desired time interval. | ||
189 | */ | ||
190 | struct GNUNET_TIME_Absolute start_time; | ||
191 | |||
192 | /** | ||
193 | * Index of the local peer in the ordered list | ||
194 | * of peers in the session. | ||
195 | */ | ||
196 | unsigned int local_peer_idx; | ||
197 | |||
198 | /** | ||
199 | * Share of our peer. Once preshares from other peers are received, they | ||
200 | * will be added to 'my'share. | ||
201 | */ | ||
202 | gcry_mpi_t my_share; | ||
203 | |||
204 | /** | ||
205 | * Public key, will be updated when a round2 element arrives. | ||
206 | */ | ||
207 | gcry_mpi_t public_key; | ||
208 | }; | ||
209 | |||
210 | |||
211 | /** | ||
212 | * Session to cooperatively decrypt a value. | ||
213 | */ | ||
214 | struct DecryptSession | ||
215 | { | ||
216 | /** | ||
217 | * Handle to the consensus over partial decryptions. | ||
218 | */ | ||
219 | struct GNUNET_CONSENSUS_Handle *consensus; | ||
220 | |||
221 | /** | ||
222 | * Which client is this for? | ||
223 | */ | ||
224 | struct ClientState *cs; | ||
225 | |||
226 | /** | ||
227 | * When should we start communicating for decryption? | ||
228 | */ | ||
229 | struct GNUNET_TIME_Absolute start; | ||
230 | |||
231 | /** | ||
232 | * When would we like the ciphertext to be | ||
233 | * decrypted? | ||
234 | */ | ||
235 | struct GNUNET_TIME_Absolute deadline; | ||
236 | |||
237 | /** | ||
238 | * Ciphertext we want to decrypt. | ||
239 | */ | ||
240 | struct GNUNET_SECRETSHARING_Ciphertext ciphertext; | ||
241 | |||
242 | /** | ||
243 | * Share of the local peer. | ||
244 | * Contains other important information, such as | ||
245 | * the list of other peers. | ||
246 | */ | ||
247 | struct GNUNET_SECRETSHARING_Share *share; | ||
248 | |||
249 | /** | ||
250 | * State information about other peers. | ||
251 | */ | ||
252 | struct DecryptPeerInfo *info; | ||
253 | }; | ||
254 | |||
255 | |||
256 | /** | ||
257 | * State we keep per client. | ||
258 | */ | ||
259 | struct ClientState | ||
260 | { | ||
261 | /** | ||
262 | * Decrypt session of the client, if any. | ||
263 | */ | ||
264 | struct DecryptSession *decrypt_session; | ||
265 | |||
266 | /** | ||
267 | * Keygen session of the client, if any. | ||
268 | */ | ||
269 | struct KeygenSession *keygen_session; | ||
270 | |||
271 | /** | ||
272 | * Client this is about. | ||
273 | */ | ||
274 | struct GNUNET_SERVICE_Client *client; | ||
275 | |||
276 | /** | ||
277 | * MQ to talk to @a client. | ||
278 | */ | ||
279 | struct GNUNET_MQ_Handle *mq; | ||
280 | }; | ||
281 | |||
282 | |||
283 | /** | ||
284 | * The ElGamal prime field order as libgcrypt mpi. | ||
285 | * Initialized in #init_crypto_constants. | ||
286 | */ | ||
287 | static gcry_mpi_t elgamal_q; | ||
288 | |||
289 | /** | ||
290 | * Modulus of the prime field used for ElGamal. | ||
291 | * Initialized in #init_crypto_constants. | ||
292 | */ | ||
293 | static gcry_mpi_t elgamal_p; | ||
294 | |||
295 | /** | ||
296 | * Generator for prime field of order 'elgamal_q'. | ||
297 | * Initialized in #init_crypto_constants. | ||
298 | */ | ||
299 | static gcry_mpi_t elgamal_g; | ||
300 | |||
301 | /** | ||
302 | * Peer that runs this service. | ||
303 | */ | ||
304 | static struct GNUNET_PeerIdentity my_peer; | ||
305 | |||
306 | /** | ||
307 | * Peer that runs this service. | ||
308 | */ | ||
309 | static struct GNUNET_CRYPTO_EddsaPrivateKey *my_peer_private_key; | ||
310 | |||
311 | /** | ||
312 | * Configuration of this service. | ||
313 | */ | ||
314 | static const struct GNUNET_CONFIGURATION_Handle *cfg; | ||
315 | |||
316 | |||
317 | /** | ||
318 | * Get the peer info belonging to a peer identity in a keygen session. | ||
319 | * | ||
320 | * @param ks The keygen session. | ||
321 | * @param peer The peer identity. | ||
322 | * @return The Keygen peer info, or NULL if the peer could not be found. | ||
323 | */ | ||
324 | static struct KeygenPeerInfo * | ||
325 | get_keygen_peer_info (const struct KeygenSession *ks, | ||
326 | const struct GNUNET_PeerIdentity *peer) | ||
327 | { | ||
328 | unsigned int i; | ||
329 | |||
330 | for (i = 0; i < ks->num_peers; i++) | ||
331 | if (0 == GNUNET_memcmp (peer, &ks->info[i].peer)) | ||
332 | return &ks->info[i]; | ||
333 | return NULL; | ||
334 | } | ||
335 | |||
336 | |||
337 | /** | ||
338 | * Get the peer info belonging to a peer identity in a decrypt session. | ||
339 | * | ||
340 | * @param ds The decrypt session. | ||
341 | * @param peer The peer identity. | ||
342 | * @return The decrypt peer info, or NULL if the peer could not be found. | ||
343 | */ | ||
344 | static struct DecryptPeerInfo * | ||
345 | get_decrypt_peer_info (const struct DecryptSession *ds, | ||
346 | const struct GNUNET_PeerIdentity *peer) | ||
347 | { | ||
348 | unsigned int i; | ||
349 | |||
350 | for (i = 0; i < ds->share->num_peers; i++) | ||
351 | if (0 == GNUNET_memcmp (peer, &ds->info[i].peer)) | ||
352 | return &ds->info[i]; | ||
353 | return NULL; | ||
354 | } | ||
355 | |||
356 | |||
357 | /** | ||
358 | * Interpolate between two points in time. | ||
359 | * | ||
360 | * @param start start time | ||
361 | * @param end end time | ||
362 | * @param num numerator of the scale factor | ||
363 | * @param denum denumerator of the scale factor | ||
364 | */ | ||
365 | static struct GNUNET_TIME_Absolute | ||
366 | time_between (struct GNUNET_TIME_Absolute start, | ||
367 | struct GNUNET_TIME_Absolute end, | ||
368 | int num, int denum) | ||
369 | { | ||
370 | struct GNUNET_TIME_Absolute result; | ||
371 | uint64_t diff; | ||
372 | |||
373 | GNUNET_assert (start.abs_value_us <= end.abs_value_us); | ||
374 | diff = end.abs_value_us - start.abs_value_us; | ||
375 | result.abs_value_us = start.abs_value_us + ((diff * num) / denum); | ||
376 | |||
377 | return result; | ||
378 | } | ||
379 | |||
380 | |||
381 | /** | ||
382 | * Compare two peer identities. Intended to be used with qsort or bsearch. | ||
383 | * | ||
384 | * @param p1 Some peer identity. | ||
385 | * @param p2 Some peer identity. | ||
386 | * @return 1 if p1 > p2, -1 if p1 < p2 and 0 if p1 == p2. | ||
387 | */ | ||
388 | static int | ||
389 | peer_id_cmp (const void *p1, const void *p2) | ||
390 | { | ||
391 | return memcmp (p1, | ||
392 | p2, | ||
393 | sizeof(struct GNUNET_PeerIdentity)); | ||
394 | } | ||
395 | |||
396 | |||
397 | /** | ||
398 | * Get the index of a peer in an array of peers | ||
399 | * | ||
400 | * @param haystack Array of peers. | ||
401 | * @param n Size of @a haystack. | ||
402 | * @param needle Peer to find | ||
403 | * @return Index of @a needle in @a haystack, or -1 if peer | ||
404 | * is not in the list. | ||
405 | */ | ||
406 | static int | ||
407 | peer_find (const struct GNUNET_PeerIdentity *haystack, unsigned int n, | ||
408 | const struct GNUNET_PeerIdentity *needle) | ||
409 | { | ||
410 | unsigned int i; | ||
411 | |||
412 | for (i = 0; i < n; i++) | ||
413 | if (0 == GNUNET_memcmp (&haystack[i], | ||
414 | needle)) | ||
415 | return i; | ||
416 | return -1; | ||
417 | } | ||
418 | |||
419 | |||
420 | /** | ||
421 | * Normalize the given list of peers, by including the local peer | ||
422 | * (if it is missing) and sorting the peers by their identity. | ||
423 | * | ||
424 | * @param listed Peers in the unnormalized list. | ||
425 | * @param num_listed Peers in the un-normalized list. | ||
426 | * @param[out] num_normalized Number of peers in the normalized list. | ||
427 | * @param[out] my_peer_idx Index of the local peer in the normalized list. | ||
428 | * @return Normalized list, must be free'd by the caller. | ||
429 | */ | ||
430 | static struct GNUNET_PeerIdentity * | ||
431 | normalize_peers (struct GNUNET_PeerIdentity *listed, | ||
432 | unsigned int num_listed, | ||
433 | unsigned int *num_normalized, | ||
434 | unsigned int *my_peer_idx) | ||
435 | { | ||
436 | unsigned int local_peer_in_list; | ||
437 | /* number of peers in the normalized list */ | ||
438 | unsigned int n; | ||
439 | struct GNUNET_PeerIdentity *normalized; | ||
440 | |||
441 | local_peer_in_list = GNUNET_YES; | ||
442 | n = num_listed; | ||
443 | if (peer_find (listed, num_listed, &my_peer) < 0) | ||
444 | { | ||
445 | local_peer_in_list = GNUNET_NO; | ||
446 | n += 1; | ||
447 | } | ||
448 | |||
449 | normalized = GNUNET_new_array (n, | ||
450 | struct GNUNET_PeerIdentity); | ||
451 | |||
452 | if (GNUNET_NO == local_peer_in_list) | ||
453 | normalized[n - 1] = my_peer; | ||
454 | |||
455 | GNUNET_memcpy (normalized, | ||
456 | listed, | ||
457 | num_listed * sizeof(struct GNUNET_PeerIdentity)); | ||
458 | qsort (normalized, | ||
459 | n, | ||
460 | sizeof(struct GNUNET_PeerIdentity), | ||
461 | &peer_id_cmp); | ||
462 | |||
463 | if (NULL != my_peer_idx) | ||
464 | *my_peer_idx = peer_find (normalized, n, &my_peer); | ||
465 | if (NULL != num_normalized) | ||
466 | *num_normalized = n; | ||
467 | |||
468 | return normalized; | ||
469 | } | ||
470 | |||
471 | |||
472 | /** | ||
473 | * Get a the j-th lagrange coefficient for a set of indices. | ||
474 | * | ||
475 | * @param[out] coeff the lagrange coefficient | ||
476 | * @param j lagrange coefficient we want to compute | ||
477 | * @param indices indices | ||
478 | * @param num number of indices in @a indices | ||
479 | */ | ||
480 | static void | ||
481 | compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j, | ||
482 | unsigned int *indices, | ||
483 | unsigned int num) | ||
484 | { | ||
485 | unsigned int i; | ||
486 | /* numerator */ | ||
487 | gcry_mpi_t n; | ||
488 | /* denominator */ | ||
489 | gcry_mpi_t d; | ||
490 | /* temp value for l-j */ | ||
491 | gcry_mpi_t tmp; | ||
492 | |||
493 | GNUNET_assert (0 != coeff); | ||
494 | |||
495 | GNUNET_assert (0 != (n = gcry_mpi_new (0))); | ||
496 | GNUNET_assert (0 != (d = gcry_mpi_new (0))); | ||
497 | GNUNET_assert (0 != (tmp = gcry_mpi_new (0))); | ||
498 | |||
499 | gcry_mpi_set_ui (n, 1); | ||
500 | gcry_mpi_set_ui (d, 1); | ||
501 | |||
502 | for (i = 0; i < num; i++) | ||
503 | { | ||
504 | unsigned int l = indices[i]; | ||
505 | if (l == j) | ||
506 | continue; | ||
507 | gcry_mpi_mul_ui (n, n, l + 1); | ||
508 | // d <- d * (l-j) | ||
509 | gcry_mpi_set_ui (tmp, l + 1); | ||
510 | gcry_mpi_sub_ui (tmp, tmp, j + 1); | ||
511 | gcry_mpi_mul (d, d, tmp); | ||
512 | } | ||
513 | |||
514 | // gcry_mpi_invm does not like negative numbers ... | ||
515 | gcry_mpi_mod (d, d, elgamal_q); | ||
516 | |||
517 | GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0); | ||
518 | |||
519 | // now we do the actual division, with everything mod q, as we | ||
520 | // are not operating on elements from <g>, but on exponents | ||
521 | GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q)); | ||
522 | |||
523 | gcry_mpi_mulm (coeff, n, d, elgamal_q); | ||
524 | |||
525 | gcry_mpi_release (n); | ||
526 | gcry_mpi_release (d); | ||
527 | gcry_mpi_release (tmp); | ||
528 | } | ||
529 | |||
530 | |||
531 | /** | ||
532 | * Destroy a decrypt session, removing it from | ||
533 | * the linked list of decrypt sessions. | ||
534 | * | ||
535 | * @param ds decrypt session to destroy | ||
536 | */ | ||
537 | static void | ||
538 | decrypt_session_destroy (struct DecryptSession *ds) | ||
539 | { | ||
540 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
541 | "destroying decrypt session\n"); | ||
542 | if (NULL != ds->cs) | ||
543 | { | ||
544 | ds->cs->decrypt_session = NULL; | ||
545 | ds->cs = NULL; | ||
546 | } | ||
547 | if (NULL != ds->consensus) | ||
548 | { | ||
549 | GNUNET_CONSENSUS_destroy (ds->consensus); | ||
550 | ds->consensus = NULL; | ||
551 | } | ||
552 | |||
553 | if (NULL != ds->info) | ||
554 | { | ||
555 | for (unsigned int i = 0; i < ds->share->num_peers; i++) | ||
556 | { | ||
557 | if (NULL != ds->info[i].partial_decryption) | ||
558 | { | ||
559 | gcry_mpi_release (ds->info[i].partial_decryption); | ||
560 | ds->info[i].partial_decryption = NULL; | ||
561 | } | ||
562 | } | ||
563 | GNUNET_free (ds->info); | ||
564 | ds->info = NULL; | ||
565 | } | ||
566 | if (NULL != ds->share) | ||
567 | { | ||
568 | GNUNET_SECRETSHARING_share_destroy (ds->share); | ||
569 | ds->share = NULL; | ||
570 | } | ||
571 | |||
572 | GNUNET_free (ds); | ||
573 | } | ||
574 | |||
575 | |||
576 | static void | ||
577 | keygen_info_destroy (struct KeygenPeerInfo *info) | ||
578 | { | ||
579 | if (NULL != info->sigma) | ||
580 | { | ||
581 | gcry_mpi_release (info->sigma); | ||
582 | info->sigma = NULL; | ||
583 | } | ||
584 | if (NULL != info->presecret_commitment) | ||
585 | { | ||
586 | gcry_mpi_release (info->presecret_commitment); | ||
587 | info->presecret_commitment = NULL; | ||
588 | } | ||
589 | if (NULL != info->preshare_commitment) | ||
590 | { | ||
591 | gcry_mpi_release (info->preshare_commitment); | ||
592 | info->preshare_commitment = NULL; | ||
593 | } | ||
594 | } | ||
595 | |||
596 | |||
597 | static void | ||
598 | keygen_session_destroy (struct KeygenSession *ks) | ||
599 | { | ||
600 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
601 | "destroying keygen session\n"); | ||
602 | |||
603 | if (NULL != ks->cs) | ||
604 | { | ||
605 | ks->cs->keygen_session = NULL; | ||
606 | ks->cs = NULL; | ||
607 | } | ||
608 | if (NULL != ks->info) | ||
609 | { | ||
610 | for (unsigned int i = 0; i < ks->num_peers; i++) | ||
611 | keygen_info_destroy (&ks->info[i]); | ||
612 | GNUNET_free (ks->info); | ||
613 | ks->info = NULL; | ||
614 | } | ||
615 | |||
616 | if (NULL != ks->consensus) | ||
617 | { | ||
618 | GNUNET_CONSENSUS_destroy (ks->consensus); | ||
619 | ks->consensus = NULL; | ||
620 | } | ||
621 | |||
622 | if (NULL != ks->presecret_polynomial) | ||
623 | { | ||
624 | for (unsigned int i = 0; i < ks->threshold; i++) | ||
625 | { | ||
626 | GNUNET_assert (NULL != ks->presecret_polynomial[i]); | ||
627 | gcry_mpi_release (ks->presecret_polynomial[i]); | ||
628 | ks->presecret_polynomial[i] = NULL; | ||
629 | } | ||
630 | GNUNET_free (ks->presecret_polynomial); | ||
631 | ks->presecret_polynomial = NULL; | ||
632 | } | ||
633 | if (NULL != ks->my_share) | ||
634 | { | ||
635 | gcry_mpi_release (ks->my_share); | ||
636 | ks->my_share = NULL; | ||
637 | } | ||
638 | if (NULL != ks->public_key) | ||
639 | { | ||
640 | gcry_mpi_release (ks->public_key); | ||
641 | ks->public_key = NULL; | ||
642 | } | ||
643 | if (NULL != ks->peers) | ||
644 | { | ||
645 | GNUNET_free (ks->peers); | ||
646 | ks->peers = NULL; | ||
647 | } | ||
648 | GNUNET_free (ks); | ||
649 | } | ||
650 | |||
651 | |||
652 | /** | ||
653 | * Task run during shutdown. | ||
654 | * | ||
655 | * @param cls unused | ||
656 | */ | ||
657 | static void | ||
658 | cleanup_task (void *cls) | ||
659 | { | ||
660 | /* Nothing to do! */ | ||
661 | } | ||
662 | |||
663 | |||
664 | /** | ||
665 | * Generate the random coefficients of our pre-secret polynomial | ||
666 | * | ||
667 | * @param ks the session | ||
668 | */ | ||
669 | static void | ||
670 | generate_presecret_polynomial (struct KeygenSession *ks) | ||
671 | { | ||
672 | int i; | ||
673 | gcry_mpi_t v; | ||
674 | |||
675 | GNUNET_assert (NULL == ks->presecret_polynomial); | ||
676 | ks->presecret_polynomial = GNUNET_new_array (ks->threshold, | ||
677 | gcry_mpi_t); | ||
678 | for (i = 0; i < ks->threshold; i++) | ||
679 | { | ||
680 | v = ks->presecret_polynomial[i] = gcry_mpi_new ( | ||
681 | GNUNET_SECRETSHARING_ELGAMAL_BITS); | ||
682 | GNUNET_assert (NULL != v); | ||
683 | // Randomize v such that 0 < v < elgamal_q. | ||
684 | // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1. | ||
685 | do | ||
686 | { | ||
687 | gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, | ||
688 | GCRY_WEAK_RANDOM); | ||
689 | } | ||
690 | while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0)); | ||
691 | } | ||
692 | } | ||
693 | |||
694 | |||
695 | /** | ||
696 | * Consensus element handler for round one. | ||
697 | * We should get one ephemeral key for each peer. | ||
698 | * | ||
699 | * @param cls Closure (keygen session). | ||
700 | * @param element The element from consensus, or | ||
701 | * NULL if consensus failed. | ||
702 | */ | ||
703 | static void | ||
704 | keygen_round1_new_element (void *cls, | ||
705 | const struct GNUNET_SET_Element *element) | ||
706 | { | ||
707 | const struct GNUNET_SECRETSHARING_KeygenCommitData *d; | ||
708 | struct KeygenSession *ks = cls; | ||
709 | struct KeygenPeerInfo *info; | ||
710 | |||
711 | if (NULL == element) | ||
712 | { | ||
713 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round1 consensus failed\n"); | ||
714 | return; | ||
715 | } | ||
716 | |||
717 | /* elements have fixed size */ | ||
718 | if (element->size != sizeof(struct GNUNET_SECRETSHARING_KeygenCommitData)) | ||
719 | { | ||
720 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
721 | "keygen commit data with wrong size (%u) in consensus, %u expected\n", | ||
722 | (unsigned int) element->size, | ||
723 | (unsigned int) sizeof(struct | ||
724 | GNUNET_SECRETSHARING_KeygenCommitData)); | ||
725 | return; | ||
726 | } | ||
727 | |||
728 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n"); | ||
729 | |||
730 | d = element->data; | ||
731 | info = get_keygen_peer_info (ks, &d->peer); | ||
732 | |||
733 | if (NULL == info) | ||
734 | { | ||
735 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
736 | "keygen commit data with wrong peer identity (%s) in consensus\n", | ||
737 | GNUNET_i2s (&d->peer)); | ||
738 | return; | ||
739 | } | ||
740 | |||
741 | /* Check that the right amount of data has been signed. */ | ||
742 | if (d->purpose.size != | ||
743 | htonl (element->size - offsetof (struct | ||
744 | GNUNET_SECRETSHARING_KeygenCommitData, | ||
745 | purpose))) | ||
746 | { | ||
747 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
748 | "keygen commit data with wrong signature purpose size in consensus\n"); | ||
749 | return; | ||
750 | } | ||
751 | |||
752 | if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify_ ( | ||
753 | GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1, | ||
754 | &d->purpose, &d->signature, | ||
755 | &d->peer.public_key)) | ||
756 | { | ||
757 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
758 | "keygen commit data with invalid signature in consensus\n"); | ||
759 | return; | ||
760 | } | ||
761 | info->paillier_public_key = d->pubkey; | ||
762 | GNUNET_CRYPTO_mpi_scan_unsigned (&info->presecret_commitment, &d->commitment, | ||
763 | 512 / 8); | ||
764 | info->round1_valid = GNUNET_YES; | ||
765 | } | ||
766 | |||
767 | |||
768 | /** | ||
769 | * Evaluate the polynomial with coefficients @a coeff at @a x. | ||
770 | * The i-th element in @a coeff corresponds to the coefficient of x^i. | ||
771 | * | ||
772 | * @param[out] z result of the evaluation | ||
773 | * @param coeff array of coefficients | ||
774 | * @param num_coeff number of coefficients | ||
775 | * @param x where to evaluate the polynomial | ||
776 | * @param m what group are we operating in? | ||
777 | */ | ||
778 | static void | ||
779 | horner_eval (gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t | ||
780 | x, gcry_mpi_t m) | ||
781 | { | ||
782 | unsigned int i; | ||
783 | |||
784 | gcry_mpi_set_ui (z, 0); | ||
785 | for (i = 0; i < num_coeff; i++) | ||
786 | { | ||
787 | // z <- zx + c | ||
788 | gcry_mpi_mul (z, z, x); | ||
789 | gcry_mpi_addm (z, z, coeff[num_coeff - i - 1], m); | ||
790 | } | ||
791 | } | ||
792 | |||
793 | |||
794 | static void | ||
795 | keygen_round2_conclude (void *cls) | ||
796 | { | ||
797 | struct KeygenSession *ks = cls; | ||
798 | struct GNUNET_SECRETSHARING_SecretReadyMessage *m; | ||
799 | struct GNUNET_MQ_Envelope *ev; | ||
800 | size_t share_size; | ||
801 | unsigned int i; | ||
802 | unsigned int j; | ||
803 | struct GNUNET_SECRETSHARING_Share *share; | ||
804 | |||
805 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n"); | ||
806 | |||
807 | GNUNET_CONSENSUS_destroy (ks->consensus); | ||
808 | ks->consensus = NULL; | ||
809 | |||
810 | share = GNUNET_new (struct GNUNET_SECRETSHARING_Share); | ||
811 | |||
812 | share->num_peers = 0; | ||
813 | |||
814 | for (i = 0; i < ks->num_peers; i++) | ||
815 | if (GNUNET_YES == ks->info[i].round2_valid) | ||
816 | share->num_peers++; | ||
817 | |||
818 | share->peers = GNUNET_new_array (share->num_peers, | ||
819 | struct GNUNET_PeerIdentity); | ||
820 | share->sigmas = | ||
821 | GNUNET_new_array (share->num_peers, | ||
822 | struct GNUNET_SECRETSHARING_FieldElement); | ||
823 | share->original_indices = GNUNET_new_array (share->num_peers, | ||
824 | uint16_t); | ||
825 | |||
826 | /* maybe we're not even in the list of peers? */ | ||
827 | share->my_peer = share->num_peers; | ||
828 | |||
829 | j = 0; /* running index of valid peers */ | ||
830 | for (i = 0; i < ks->num_peers; i++) | ||
831 | { | ||
832 | if (GNUNET_YES == ks->info[i].round2_valid) | ||
833 | { | ||
834 | share->peers[j] = ks->info[i].peer; | ||
835 | GNUNET_CRYPTO_mpi_print_unsigned (&share->sigmas[j], | ||
836 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
837 | ks->info[i].sigma); | ||
838 | share->original_indices[i] = j; | ||
839 | if (0 == GNUNET_memcmp (&share->peers[i], &my_peer)) | ||
840 | share->my_peer = j; | ||
841 | j += 1; | ||
842 | } | ||
843 | } | ||
844 | |||
845 | if (share->my_peer == share->num_peers) | ||
846 | { | ||
847 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: peer identity not in share\n", | ||
848 | ks->local_peer_idx); | ||
849 | } | ||
850 | |||
851 | GNUNET_CRYPTO_mpi_print_unsigned (&share->my_share, | ||
852 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
853 | ks->my_share); | ||
854 | GNUNET_CRYPTO_mpi_print_unsigned (&share->public_key, | ||
855 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
856 | ks->public_key); | ||
857 | |||
858 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n", | ||
859 | share->num_peers); | ||
860 | |||
861 | /* Write the share. If 0 peers completed the dkg, an empty | ||
862 | * share will be sent. */ | ||
863 | |||
864 | GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, NULL, 0, | ||
865 | &share_size)); | ||
866 | |||
867 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "writing share of size %u\n", | ||
868 | (unsigned int) share_size); | ||
869 | |||
870 | ev = GNUNET_MQ_msg_extra (m, share_size, | ||
871 | GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY); | ||
872 | |||
873 | GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, &m[1], | ||
874 | share_size, | ||
875 | NULL)); | ||
876 | |||
877 | GNUNET_SECRETSHARING_share_destroy (share); | ||
878 | share = NULL; | ||
879 | |||
880 | GNUNET_MQ_send (ks->cs->mq, | ||
881 | ev); | ||
882 | } | ||
883 | |||
884 | |||
885 | static void | ||
886 | restore_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, | ||
887 | const struct GNUNET_SECRETSHARING_FairEncryption *fe, | ||
888 | gcry_mpi_t x, gcry_mpi_t xres) | ||
889 | { | ||
890 | gcry_mpi_t a_1; | ||
891 | gcry_mpi_t a_2; | ||
892 | gcry_mpi_t b_1; | ||
893 | gcry_mpi_t b_2; | ||
894 | gcry_mpi_t big_a; | ||
895 | gcry_mpi_t big_b; | ||
896 | gcry_mpi_t big_t; | ||
897 | gcry_mpi_t n; | ||
898 | gcry_mpi_t t_1; | ||
899 | gcry_mpi_t t_2; | ||
900 | gcry_mpi_t t; | ||
901 | gcry_mpi_t r; | ||
902 | gcry_mpi_t v; | ||
903 | |||
904 | |||
905 | GNUNET_assert (NULL != (n = gcry_mpi_new (0))); | ||
906 | GNUNET_assert (NULL != (t = gcry_mpi_new (0))); | ||
907 | GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0))); | ||
908 | GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0))); | ||
909 | GNUNET_assert (NULL != (r = gcry_mpi_new (0))); | ||
910 | GNUNET_assert (NULL != (big_t = gcry_mpi_new (0))); | ||
911 | GNUNET_assert (NULL != (v = gcry_mpi_new (0))); | ||
912 | GNUNET_assert (NULL != (big_a = gcry_mpi_new (0))); | ||
913 | GNUNET_assert (NULL != (big_b = gcry_mpi_new (0))); | ||
914 | |||
915 | // a = (N,0)^T | ||
916 | GNUNET_CRYPTO_mpi_scan_unsigned (&a_1, | ||
917 | ppub, | ||
918 | sizeof(struct | ||
919 | GNUNET_CRYPTO_PaillierPublicKey)); | ||
920 | GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0))); | ||
921 | gcry_mpi_set_ui (a_2, 0); | ||
922 | // b = (x,1)^T | ||
923 | GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0))); | ||
924 | gcry_mpi_set (b_1, x); | ||
925 | GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0))); | ||
926 | gcry_mpi_set_ui (b_2, 1); | ||
927 | |||
928 | // A = a DOT a | ||
929 | gcry_mpi_mul (t, a_1, a_1); | ||
930 | gcry_mpi_mul (big_a, a_2, a_2); | ||
931 | gcry_mpi_add (big_a, big_a, t); | ||
932 | |||
933 | // B = b DOT b | ||
934 | gcry_mpi_mul (t, b_1, b_1); | ||
935 | gcry_mpi_mul (big_b, b_2, b_2); | ||
936 | gcry_mpi_add (big_b, big_b, t); | ||
937 | |||
938 | while (1) | ||
939 | { | ||
940 | // n = a DOT b | ||
941 | gcry_mpi_mul (t, a_1, b_1); | ||
942 | gcry_mpi_mul (n, a_2, b_2); | ||
943 | gcry_mpi_add (n, n, t); | ||
944 | |||
945 | // r = nearest(n/B) | ||
946 | gcry_mpi_div (r, NULL, n, big_b, 0); | ||
947 | |||
948 | // T := A - 2rn + rrB | ||
949 | gcry_mpi_mul (v, r, n); | ||
950 | gcry_mpi_mul_ui (v, v, 2); | ||
951 | gcry_mpi_sub (big_t, big_a, v); | ||
952 | gcry_mpi_mul (v, r, r); | ||
953 | gcry_mpi_mul (v, v, big_b); | ||
954 | gcry_mpi_add (big_t, big_t, v); | ||
955 | |||
956 | if (gcry_mpi_cmp (big_t, big_b) >= 0) | ||
957 | { | ||
958 | break; | ||
959 | } | ||
960 | |||
961 | // t = a - rb | ||
962 | gcry_mpi_mul (v, r, b_1); | ||
963 | gcry_mpi_sub (t_1, a_1, v); | ||
964 | gcry_mpi_mul (v, r, b_2); | ||
965 | gcry_mpi_sub (t_2, a_2, v); | ||
966 | |||
967 | // a = b | ||
968 | gcry_mpi_set (a_1, b_1); | ||
969 | gcry_mpi_set (a_2, b_2); | ||
970 | // b = t | ||
971 | gcry_mpi_set (b_1, t_1); | ||
972 | gcry_mpi_set (b_2, t_2); | ||
973 | |||
974 | gcry_mpi_set (big_a, big_b); | ||
975 | gcry_mpi_set (big_b, big_t); | ||
976 | } | ||
977 | |||
978 | gcry_mpi_set (xres, b_2); | ||
979 | gcry_mpi_invm (xres, xres, elgamal_q); | ||
980 | gcry_mpi_mulm (xres, xres, b_1, elgamal_q); | ||
981 | |||
982 | gcry_mpi_release (a_1); | ||
983 | gcry_mpi_release (a_2); | ||
984 | gcry_mpi_release (b_1); | ||
985 | gcry_mpi_release (b_2); | ||
986 | gcry_mpi_release (big_a); | ||
987 | gcry_mpi_release (big_b); | ||
988 | gcry_mpi_release (big_t); | ||
989 | gcry_mpi_release (n); | ||
990 | gcry_mpi_release (t_1); | ||
991 | gcry_mpi_release (t_2); | ||
992 | gcry_mpi_release (t); | ||
993 | gcry_mpi_release (r); | ||
994 | gcry_mpi_release (v); | ||
995 | } | ||
996 | |||
997 | |||
998 | static void | ||
999 | get_fair_encryption_challenge (const struct | ||
1000 | GNUNET_SECRETSHARING_FairEncryption *fe, | ||
1001 | gcry_mpi_t *e) | ||
1002 | { | ||
1003 | struct | ||
1004 | { | ||
1005 | struct GNUNET_CRYPTO_PaillierCiphertext c; | ||
1006 | char h[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8]; | ||
1007 | char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8]; | ||
1008 | char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8]; | ||
1009 | } hash_data; | ||
1010 | struct GNUNET_HashCode e_hash; | ||
1011 | |||
1012 | memset (&hash_data, | ||
1013 | 0, | ||
1014 | sizeof(hash_data)); | ||
1015 | GNUNET_memcpy (&hash_data.c, &fe->c, sizeof(struct | ||
1016 | GNUNET_CRYPTO_PaillierCiphertext)); | ||
1017 | GNUNET_memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1018 | GNUNET_memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1019 | GNUNET_memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8); | ||
1020 | GNUNET_CRYPTO_hash (&hash_data, | ||
1021 | sizeof(hash_data), | ||
1022 | &e_hash); | ||
1023 | /* This allocates "e" */ | ||
1024 | GNUNET_CRYPTO_mpi_scan_unsigned (e, | ||
1025 | &e_hash, | ||
1026 | sizeof(struct GNUNET_HashCode)); | ||
1027 | gcry_mpi_mod (*e, *e, elgamal_q); | ||
1028 | } | ||
1029 | |||
1030 | |||
1031 | static int | ||
1032 | verify_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, | ||
1033 | const struct GNUNET_SECRETSHARING_FairEncryption *fe) | ||
1034 | { | ||
1035 | gcry_mpi_t n; | ||
1036 | gcry_mpi_t n_sq; | ||
1037 | gcry_mpi_t z; | ||
1038 | gcry_mpi_t t1; | ||
1039 | gcry_mpi_t t2; | ||
1040 | gcry_mpi_t e; | ||
1041 | gcry_mpi_t w; | ||
1042 | gcry_mpi_t tmp1; | ||
1043 | gcry_mpi_t tmp2; | ||
1044 | gcry_mpi_t y; | ||
1045 | gcry_mpi_t big_y; | ||
1046 | int res; | ||
1047 | |||
1048 | GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0))); | ||
1049 | GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0))); | ||
1050 | GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0))); | ||
1051 | |||
1052 | get_fair_encryption_challenge (fe, | ||
1053 | &e /* this allocates e */); | ||
1054 | |||
1055 | GNUNET_CRYPTO_mpi_scan_unsigned (&n, | ||
1056 | ppub, | ||
1057 | sizeof(struct | ||
1058 | GNUNET_CRYPTO_PaillierPublicKey)); | ||
1059 | GNUNET_CRYPTO_mpi_scan_unsigned (&t1, fe->t1, GNUNET_CRYPTO_PAILLIER_BITS | ||
1060 | / 8); | ||
1061 | GNUNET_CRYPTO_mpi_scan_unsigned (&z, fe->z, | ||
1062 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1063 | GNUNET_CRYPTO_mpi_scan_unsigned (&y, fe->h, | ||
1064 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1065 | GNUNET_CRYPTO_mpi_scan_unsigned (&w, fe->w, GNUNET_CRYPTO_PAILLIER_BITS / 8); | ||
1066 | GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits, | ||
1067 | GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8); | ||
1068 | GNUNET_CRYPTO_mpi_scan_unsigned (&t2, fe->t2, GNUNET_CRYPTO_PAILLIER_BITS | ||
1069 | * 2 / 8); | ||
1070 | gcry_mpi_mul (n_sq, n, n); | ||
1071 | |||
1072 | // tmp1 = g^z | ||
1073 | gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p); | ||
1074 | // tmp2 = y^{-e} | ||
1075 | gcry_mpi_powm (tmp1, y, e, elgamal_p); | ||
1076 | gcry_mpi_invm (tmp1, tmp1, elgamal_p); | ||
1077 | // tmp1 = tmp1 * tmp2 | ||
1078 | gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p); | ||
1079 | |||
1080 | if (0 == gcry_mpi_cmp (t1, tmp1)) | ||
1081 | { | ||
1082 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n"); | ||
1083 | res = GNUNET_NO; | ||
1084 | goto cleanup; | ||
1085 | } | ||
1086 | |||
1087 | gcry_mpi_powm (big_y, big_y, e, n_sq); | ||
1088 | gcry_mpi_invm (big_y, big_y, n_sq); | ||
1089 | |||
1090 | gcry_mpi_add_ui (tmp1, n, 1); | ||
1091 | gcry_mpi_powm (tmp1, tmp1, z, n_sq); | ||
1092 | |||
1093 | gcry_mpi_powm (tmp2, w, n, n_sq); | ||
1094 | |||
1095 | gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq); | ||
1096 | gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq); | ||
1097 | |||
1098 | |||
1099 | if (0 == gcry_mpi_cmp (t2, tmp1)) | ||
1100 | { | ||
1101 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n"); | ||
1102 | res = GNUNET_NO; | ||
1103 | goto cleanup; | ||
1104 | } | ||
1105 | |||
1106 | res = GNUNET_YES; | ||
1107 | |||
1108 | cleanup: | ||
1109 | |||
1110 | gcry_mpi_release (n); | ||
1111 | gcry_mpi_release (n_sq); | ||
1112 | gcry_mpi_release (z); | ||
1113 | gcry_mpi_release (t1); | ||
1114 | gcry_mpi_release (t2); | ||
1115 | gcry_mpi_release (e); | ||
1116 | gcry_mpi_release (w); | ||
1117 | gcry_mpi_release (tmp1); | ||
1118 | gcry_mpi_release (tmp2); | ||
1119 | gcry_mpi_release (y); | ||
1120 | gcry_mpi_release (big_y); | ||
1121 | return res; | ||
1122 | } | ||
1123 | |||
1124 | |||
1125 | /** | ||
1126 | * Create a fair Paillier encryption of then given ciphertext. | ||
1127 | * | ||
1128 | * @param v the ciphertext | ||
1129 | * @param[out] fe the fair encryption | ||
1130 | */ | ||
1131 | static void | ||
1132 | encrypt_fair (gcry_mpi_t v, | ||
1133 | const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, | ||
1134 | struct GNUNET_SECRETSHARING_FairEncryption *fe) | ||
1135 | { | ||
1136 | gcry_mpi_t r; | ||
1137 | gcry_mpi_t s; | ||
1138 | gcry_mpi_t t1; | ||
1139 | gcry_mpi_t t2; | ||
1140 | gcry_mpi_t z; | ||
1141 | gcry_mpi_t w; | ||
1142 | gcry_mpi_t n; | ||
1143 | gcry_mpi_t e; | ||
1144 | gcry_mpi_t n_sq; | ||
1145 | gcry_mpi_t u; | ||
1146 | gcry_mpi_t Y; | ||
1147 | gcry_mpi_t G; | ||
1148 | gcry_mpi_t h; | ||
1149 | |||
1150 | GNUNET_assert (NULL != (r = gcry_mpi_new (0))); | ||
1151 | GNUNET_assert (NULL != (s = gcry_mpi_new (0))); | ||
1152 | GNUNET_assert (NULL != (t1 = gcry_mpi_new (0))); | ||
1153 | GNUNET_assert (NULL != (t2 = gcry_mpi_new (0))); | ||
1154 | GNUNET_assert (NULL != (z = gcry_mpi_new (0))); | ||
1155 | GNUNET_assert (NULL != (w = gcry_mpi_new (0))); | ||
1156 | GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0))); | ||
1157 | GNUNET_assert (NULL != (u = gcry_mpi_new (0))); | ||
1158 | GNUNET_assert (NULL != (Y = gcry_mpi_new (0))); | ||
1159 | GNUNET_assert (NULL != (G = gcry_mpi_new (0))); | ||
1160 | GNUNET_assert (NULL != (h = gcry_mpi_new (0))); | ||
1161 | |||
1162 | GNUNET_CRYPTO_mpi_scan_unsigned (&n, | ||
1163 | ppub, | ||
1164 | sizeof(struct | ||
1165 | GNUNET_CRYPTO_PaillierPublicKey)); | ||
1166 | gcry_mpi_mul (n_sq, n, n); | ||
1167 | gcry_mpi_add_ui (G, n, 1); | ||
1168 | |||
1169 | do | ||
1170 | { | ||
1171 | gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM); | ||
1172 | } | ||
1173 | while (gcry_mpi_cmp (u, n) >= 0); | ||
1174 | |||
1175 | gcry_mpi_powm (t1, G, v, n_sq); | ||
1176 | gcry_mpi_powm (t2, u, n, n_sq); | ||
1177 | gcry_mpi_mulm (Y, t1, t2, n_sq); | ||
1178 | |||
1179 | GNUNET_CRYPTO_mpi_print_unsigned (fe->c.bits, | ||
1180 | sizeof fe->c.bits, | ||
1181 | Y); | ||
1182 | |||
1183 | |||
1184 | gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM); | ||
1185 | do | ||
1186 | { | ||
1187 | gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM); | ||
1188 | } | ||
1189 | while (gcry_mpi_cmp (s, n) >= 0); | ||
1190 | |||
1191 | // compute t1 | ||
1192 | gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p); | ||
1193 | // compute t2 (use z and w as temp) | ||
1194 | gcry_mpi_powm (z, G, r, n_sq); | ||
1195 | gcry_mpi_powm (w, s, n, n_sq); | ||
1196 | gcry_mpi_mulm (t2, z, w, n_sq); | ||
1197 | |||
1198 | |||
1199 | gcry_mpi_powm (h, elgamal_g, v, elgamal_p); | ||
1200 | |||
1201 | GNUNET_CRYPTO_mpi_print_unsigned (fe->h, | ||
1202 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
1203 | h); | ||
1204 | |||
1205 | GNUNET_CRYPTO_mpi_print_unsigned (fe->t1, | ||
1206 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
1207 | t1); | ||
1208 | |||
1209 | GNUNET_CRYPTO_mpi_print_unsigned (fe->t2, | ||
1210 | GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8, | ||
1211 | t2); | ||
1212 | |||
1213 | get_fair_encryption_challenge (fe, | ||
1214 | &e /* This allocates "e" */); | ||
1215 | |||
1216 | // compute z | ||
1217 | gcry_mpi_mul (z, e, v); | ||
1218 | gcry_mpi_addm (z, z, r, elgamal_q); | ||
1219 | // compute w | ||
1220 | gcry_mpi_powm (w, u, e, n); | ||
1221 | gcry_mpi_mulm (w, w, s, n); | ||
1222 | |||
1223 | GNUNET_CRYPTO_mpi_print_unsigned (fe->z, | ||
1224 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
1225 | z); | ||
1226 | |||
1227 | GNUNET_CRYPTO_mpi_print_unsigned (fe->w, | ||
1228 | GNUNET_CRYPTO_PAILLIER_BITS / 8, | ||
1229 | w); | ||
1230 | |||
1231 | gcry_mpi_release (n); | ||
1232 | gcry_mpi_release (r); | ||
1233 | gcry_mpi_release (s); | ||
1234 | gcry_mpi_release (t1); | ||
1235 | gcry_mpi_release (t2); | ||
1236 | gcry_mpi_release (z); | ||
1237 | gcry_mpi_release (w); | ||
1238 | gcry_mpi_release (e); | ||
1239 | gcry_mpi_release (n_sq); | ||
1240 | gcry_mpi_release (u); | ||
1241 | gcry_mpi_release (Y); | ||
1242 | gcry_mpi_release (G); | ||
1243 | gcry_mpi_release (h); | ||
1244 | } | ||
1245 | |||
1246 | |||
1247 | /** | ||
1248 | * Insert round 2 element in the consensus, consisting of | ||
1249 | * (1) The exponentiated pre-share polynomial coefficients A_{i,l}=g^{a_{i,l}} | ||
1250 | * (2) The exponentiated pre-shares y_{i,j}=g^{s_{i,j}} | ||
1251 | * (3) The encrypted pre-shares Y_{i,j} | ||
1252 | * (4) The zero knowledge proof for fairness of | ||
1253 | * the encryption | ||
1254 | * | ||
1255 | * @param ks session to use | ||
1256 | */ | ||
1257 | static void | ||
1258 | insert_round2_element (struct KeygenSession *ks) | ||
1259 | { | ||
1260 | struct GNUNET_SET_Element *element; | ||
1261 | struct GNUNET_SECRETSHARING_KeygenRevealData *d; | ||
1262 | unsigned char *pos; | ||
1263 | unsigned char *last_pos; | ||
1264 | size_t element_size; | ||
1265 | unsigned int i; | ||
1266 | gcry_mpi_t idx; | ||
1267 | gcry_mpi_t v; | ||
1268 | |||
1269 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n", | ||
1270 | ks->local_peer_idx); | ||
1271 | |||
1272 | GNUNET_assert (NULL != (v = gcry_mpi_new ( | ||
1273 | GNUNET_SECRETSHARING_ELGAMAL_BITS))); | ||
1274 | GNUNET_assert (NULL != (idx = gcry_mpi_new ( | ||
1275 | GNUNET_SECRETSHARING_ELGAMAL_BITS))); | ||
1276 | |||
1277 | element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData) | ||
1278 | + sizeof(struct GNUNET_SECRETSHARING_FairEncryption) | ||
1279 | * ks->num_peers | ||
1280 | + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold); | ||
1281 | |||
1282 | element = GNUNET_malloc (sizeof(struct GNUNET_SET_Element) + element_size); | ||
1283 | element->size = element_size; | ||
1284 | element->data = (void *) &element[1]; | ||
1285 | |||
1286 | d = (void *) element->data; | ||
1287 | d->peer = my_peer; | ||
1288 | |||
1289 | // start inserting vector elements | ||
1290 | // after the fixed part of the element's data | ||
1291 | pos = (void *) &d[1]; | ||
1292 | last_pos = pos + element_size; | ||
1293 | |||
1294 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n", | ||
1295 | ks->local_peer_idx); | ||
1296 | |||
1297 | // encrypted pre-shares | ||
1298 | // and fair encryption proof | ||
1299 | { | ||
1300 | for (i = 0; i < ks->num_peers; i++) | ||
1301 | { | ||
1302 | ptrdiff_t remaining = last_pos - pos; | ||
1303 | struct GNUNET_SECRETSHARING_FairEncryption *fe = (void *) pos; | ||
1304 | |||
1305 | GNUNET_assert (remaining > 0); | ||
1306 | memset (fe, 0, sizeof *fe); | ||
1307 | if (GNUNET_YES == ks->info[i].round1_valid) | ||
1308 | { | ||
1309 | gcry_mpi_set_ui (idx, i + 1); | ||
1310 | // evaluate the polynomial | ||
1311 | horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, | ||
1312 | elgamal_q); | ||
1313 | // encrypt the result | ||
1314 | encrypt_fair (v, &ks->info[i].paillier_public_key, fe); | ||
1315 | } | ||
1316 | pos += sizeof *fe; | ||
1317 | } | ||
1318 | } | ||
1319 | |||
1320 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n", | ||
1321 | ks->local_peer_idx); | ||
1322 | |||
1323 | // exponentiated coefficients | ||
1324 | for (i = 0; i < ks->threshold; i++) | ||
1325 | { | ||
1326 | ptrdiff_t remaining = last_pos - pos; | ||
1327 | GNUNET_assert (remaining > 0); | ||
1328 | gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p); | ||
1329 | GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS | ||
1330 | / 8, v); | ||
1331 | pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8; | ||
1332 | } | ||
1333 | |||
1334 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n", | ||
1335 | ks->local_peer_idx); | ||
1336 | |||
1337 | |||
1338 | d->purpose.size = htonl (element_size - offsetof (struct | ||
1339 | GNUNET_SECRETSHARING_KeygenRevealData, | ||
1340 | purpose)); | ||
1341 | d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2); | ||
1342 | GNUNET_assert (GNUNET_OK == | ||
1343 | GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key, | ||
1344 | &d->purpose, | ||
1345 | &d->signature)); | ||
1346 | |||
1347 | GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL); | ||
1348 | GNUNET_free (element); /* FIXME: maybe stack-allocate instead? */ | ||
1349 | |||
1350 | gcry_mpi_release (v); | ||
1351 | gcry_mpi_release (idx); | ||
1352 | } | ||
1353 | |||
1354 | |||
1355 | static gcry_mpi_t | ||
1356 | keygen_reveal_get_exp_coeff (struct KeygenSession *ks, | ||
1357 | const struct | ||
1358 | GNUNET_SECRETSHARING_KeygenRevealData *d, | ||
1359 | unsigned int idx) | ||
1360 | { | ||
1361 | unsigned char *pos; | ||
1362 | gcry_mpi_t exp_coeff; | ||
1363 | |||
1364 | GNUNET_assert (idx < ks->threshold); | ||
1365 | |||
1366 | pos = (void *) &d[1]; | ||
1367 | // skip encrypted pre-shares | ||
1368 | pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers; | ||
1369 | // skip exp. coeffs we are not interested in | ||
1370 | pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx; | ||
1371 | // the first exponentiated coefficient is the public key share | ||
1372 | GNUNET_CRYPTO_mpi_scan_unsigned (&exp_coeff, pos, | ||
1373 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1374 | return exp_coeff; | ||
1375 | } | ||
1376 | |||
1377 | |||
1378 | static struct GNUNET_SECRETSHARING_FairEncryption * | ||
1379 | keygen_reveal_get_enc_preshare (struct KeygenSession *ks, | ||
1380 | const struct | ||
1381 | GNUNET_SECRETSHARING_KeygenRevealData *d, | ||
1382 | unsigned int idx) | ||
1383 | { | ||
1384 | unsigned char *pos; | ||
1385 | |||
1386 | GNUNET_assert (idx < ks->num_peers); | ||
1387 | |||
1388 | pos = (void *) &d[1]; | ||
1389 | // skip encrypted pre-shares we're not interested in | ||
1390 | pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * idx; | ||
1391 | return (struct GNUNET_SECRETSHARING_FairEncryption *) pos; | ||
1392 | } | ||
1393 | |||
1394 | |||
1395 | static gcry_mpi_t | ||
1396 | keygen_reveal_get_exp_preshare (struct KeygenSession *ks, | ||
1397 | const struct | ||
1398 | GNUNET_SECRETSHARING_KeygenRevealData *d, | ||
1399 | unsigned int idx) | ||
1400 | { | ||
1401 | gcry_mpi_t exp_preshare; | ||
1402 | struct GNUNET_SECRETSHARING_FairEncryption *fe; | ||
1403 | |||
1404 | GNUNET_assert (idx < ks->num_peers); | ||
1405 | fe = keygen_reveal_get_enc_preshare (ks, d, idx); | ||
1406 | GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, fe->h, | ||
1407 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1408 | return exp_preshare; | ||
1409 | } | ||
1410 | |||
1411 | |||
1412 | static void | ||
1413 | keygen_round2_new_element (void *cls, | ||
1414 | const struct GNUNET_SET_Element *element) | ||
1415 | { | ||
1416 | struct KeygenSession *ks = cls; | ||
1417 | const struct GNUNET_SECRETSHARING_KeygenRevealData *d; | ||
1418 | struct KeygenPeerInfo *info; | ||
1419 | size_t expected_element_size; | ||
1420 | unsigned int j; | ||
1421 | int cmp_result; | ||
1422 | gcry_mpi_t tmp; | ||
1423 | gcry_mpi_t public_key_share; | ||
1424 | gcry_mpi_t preshare; | ||
1425 | |||
1426 | if (NULL == element) | ||
1427 | { | ||
1428 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round2 consensus failed\n"); | ||
1429 | return; | ||
1430 | } | ||
1431 | |||
1432 | expected_element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData) | ||
1433 | + sizeof(struct | ||
1434 | GNUNET_SECRETSHARING_FairEncryption) | ||
1435 | * ks->num_peers | ||
1436 | + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 | ||
1437 | * ks->threshold); | ||
1438 | |||
1439 | if (element->size != expected_element_size) | ||
1440 | { | ||
1441 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1442 | "keygen round2 data with wrong size (%u) in consensus, %u expected\n", | ||
1443 | (unsigned int) element->size, | ||
1444 | (unsigned int) expected_element_size); | ||
1445 | return; | ||
1446 | } | ||
1447 | |||
1448 | d = (const void *) element->data; | ||
1449 | |||
1450 | info = get_keygen_peer_info (ks, &d->peer); | ||
1451 | |||
1452 | if (NULL == info) | ||
1453 | { | ||
1454 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1455 | "keygen commit data with wrong peer identity (%s) in consensus\n", | ||
1456 | GNUNET_i2s (&d->peer)); | ||
1457 | return; | ||
1458 | } | ||
1459 | |||
1460 | if (GNUNET_NO == info->round1_valid) | ||
1461 | { | ||
1462 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1463 | "ignoring round2 element from peer with invalid round1 element (%s)\n", | ||
1464 | GNUNET_i2s (&d->peer)); | ||
1465 | return; | ||
1466 | } | ||
1467 | |||
1468 | if (GNUNET_YES == info->round2_valid) | ||
1469 | { | ||
1470 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1471 | "ignoring duplicate round2 element (%s)\n", | ||
1472 | GNUNET_i2s (&d->peer)); | ||
1473 | return; | ||
1474 | } | ||
1475 | |||
1476 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round2 element\n"); | ||
1477 | |||
1478 | if (ntohl (d->purpose.size) != | ||
1479 | element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, | ||
1480 | purpose)) | ||
1481 | { | ||
1482 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1483 | "keygen reveal data with wrong signature purpose size in consensus\n"); | ||
1484 | return; | ||
1485 | } | ||
1486 | |||
1487 | if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify_ ( | ||
1488 | GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2, | ||
1489 | &d->purpose, &d->signature, | ||
1490 | &d->peer.public_key)) | ||
1491 | { | ||
1492 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1493 | "keygen reveal data with invalid signature in consensus\n"); | ||
1494 | return; | ||
1495 | } | ||
1496 | |||
1497 | public_key_share = keygen_reveal_get_exp_coeff (ks, d, 0); | ||
1498 | info->preshare_commitment = keygen_reveal_get_exp_preshare (ks, d, | ||
1499 | ks->local_peer_idx); | ||
1500 | |||
1501 | if (NULL == ks->public_key) | ||
1502 | { | ||
1503 | GNUNET_assert (NULL != (ks->public_key = gcry_mpi_new (0))); | ||
1504 | gcry_mpi_set_ui (ks->public_key, 1); | ||
1505 | } | ||
1506 | gcry_mpi_mulm (ks->public_key, ks->public_key, public_key_share, elgamal_p); | ||
1507 | |||
1508 | gcry_mpi_release (public_key_share); | ||
1509 | public_key_share = NULL; | ||
1510 | |||
1511 | { | ||
1512 | struct GNUNET_SECRETSHARING_FairEncryption *fe = | ||
1513 | keygen_reveal_get_enc_preshare (ks, d, ks->local_peer_idx); | ||
1514 | GNUNET_assert (NULL != (preshare = gcry_mpi_new (0))); | ||
1515 | GNUNET_CRYPTO_paillier_decrypt (&ks->paillier_private_key, | ||
1516 | &ks->info[ks->local_peer_idx]. | ||
1517 | paillier_public_key, | ||
1518 | &fe->c, | ||
1519 | preshare); | ||
1520 | |||
1521 | // FIXME: not doing the restoration is less expensive | ||
1522 | restore_fair (&ks->info[ks->local_peer_idx].paillier_public_key, | ||
1523 | fe, | ||
1524 | preshare, | ||
1525 | preshare); | ||
1526 | } | ||
1527 | |||
1528 | GNUNET_assert (NULL != (tmp = gcry_mpi_new (0))); | ||
1529 | gcry_mpi_powm (tmp, elgamal_g, preshare, elgamal_p); | ||
1530 | |||
1531 | cmp_result = gcry_mpi_cmp (tmp, info->preshare_commitment); | ||
1532 | gcry_mpi_release (tmp); | ||
1533 | tmp = NULL; | ||
1534 | if (0 != cmp_result) | ||
1535 | { | ||
1536 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1537 | "P%u: Got invalid presecret from P%u\n", | ||
1538 | (unsigned int) ks->local_peer_idx, (unsigned int) (info | ||
1539 | - ks->info)); | ||
1540 | return; | ||
1541 | } | ||
1542 | |||
1543 | if (NULL == ks->my_share) | ||
1544 | { | ||
1545 | GNUNET_assert (NULL != (ks->my_share = gcry_mpi_new (0))); | ||
1546 | } | ||
1547 | gcry_mpi_addm (ks->my_share, ks->my_share, preshare, elgamal_q); | ||
1548 | |||
1549 | for (j = 0; j < ks->num_peers; j++) | ||
1550 | { | ||
1551 | gcry_mpi_t presigma; | ||
1552 | if (NULL == ks->info[j].sigma) | ||
1553 | { | ||
1554 | GNUNET_assert (NULL != (ks->info[j].sigma = gcry_mpi_new (0))); | ||
1555 | gcry_mpi_set_ui (ks->info[j].sigma, 1); | ||
1556 | } | ||
1557 | presigma = keygen_reveal_get_exp_preshare (ks, d, j); | ||
1558 | gcry_mpi_mulm (ks->info[j].sigma, ks->info[j].sigma, presigma, elgamal_p); | ||
1559 | gcry_mpi_release (presigma); | ||
1560 | } | ||
1561 | |||
1562 | gcry_mpi_t prod; | ||
1563 | GNUNET_assert (NULL != (prod = gcry_mpi_new (0))); | ||
1564 | gcry_mpi_t j_to_k; | ||
1565 | GNUNET_assert (NULL != (j_to_k = gcry_mpi_new (0))); | ||
1566 | // validate that the polynomial sharing matches the additive sharing | ||
1567 | for (j = 0; j < ks->num_peers; j++) | ||
1568 | { | ||
1569 | unsigned int k; | ||
1570 | int cmp_result; | ||
1571 | gcry_mpi_t exp_preshare; | ||
1572 | gcry_mpi_set_ui (prod, 1); | ||
1573 | for (k = 0; k < ks->threshold; k++) | ||
1574 | { | ||
1575 | // Using pow(double,double) is a bit sketchy. | ||
1576 | // We count players from 1, but shares from 0. | ||
1577 | gcry_mpi_t tmp; | ||
1578 | gcry_mpi_set_ui (j_to_k, (unsigned int) pow (j + 1, k)); | ||
1579 | tmp = keygen_reveal_get_exp_coeff (ks, d, k); | ||
1580 | gcry_mpi_powm (tmp, tmp, j_to_k, elgamal_p); | ||
1581 | gcry_mpi_mulm (prod, prod, tmp, elgamal_p); | ||
1582 | gcry_mpi_release (tmp); | ||
1583 | } | ||
1584 | exp_preshare = keygen_reveal_get_exp_preshare (ks, d, j); | ||
1585 | gcry_mpi_mod (exp_preshare, exp_preshare, elgamal_p); | ||
1586 | cmp_result = gcry_mpi_cmp (prod, exp_preshare); | ||
1587 | gcry_mpi_release (exp_preshare); | ||
1588 | exp_preshare = NULL; | ||
1589 | if (0 != cmp_result) | ||
1590 | { | ||
1591 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1592 | "P%u: reveal data from P%u incorrect\n", | ||
1593 | ks->local_peer_idx, j); | ||
1594 | /* no need for further verification, round2 stays invalid ... */ | ||
1595 | return; | ||
1596 | } | ||
1597 | } | ||
1598 | |||
1599 | // TODO: verify proof of fair encryption (once implemented) | ||
1600 | for (j = 0; j < ks->num_peers; j++) | ||
1601 | { | ||
1602 | struct GNUNET_SECRETSHARING_FairEncryption *fe = | ||
1603 | keygen_reveal_get_enc_preshare (ks, d, j); | ||
1604 | if (GNUNET_YES != verify_fair (&ks->info[j].paillier_public_key, fe)) | ||
1605 | { | ||
1606 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1607 | "P%u: reveal data from P%u incorrect (fair encryption)\n", | ||
1608 | ks->local_peer_idx, j); | ||
1609 | return; | ||
1610 | } | ||
1611 | } | ||
1612 | |||
1613 | info->round2_valid = GNUNET_YES; | ||
1614 | |||
1615 | gcry_mpi_release (preshare); | ||
1616 | gcry_mpi_release (prod); | ||
1617 | gcry_mpi_release (j_to_k); | ||
1618 | } | ||
1619 | |||
1620 | |||
1621 | /** | ||
1622 | * Called when the first consensus round has concluded. | ||
1623 | * Will initiate the second round. | ||
1624 | * | ||
1625 | * @param cls closure | ||
1626 | */ | ||
1627 | static void | ||
1628 | keygen_round1_conclude (void *cls) | ||
1629 | { | ||
1630 | struct KeygenSession *ks = cls; | ||
1631 | |||
1632 | GNUNET_CONSENSUS_destroy (ks->consensus); | ||
1633 | |||
1634 | ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers, | ||
1635 | &ks->session_id, | ||
1636 | time_between (ks->start_time, | ||
1637 | ks->deadline, 1, 2), | ||
1638 | ks->deadline, | ||
1639 | keygen_round2_new_element, ks); | ||
1640 | |||
1641 | insert_round2_element (ks); | ||
1642 | |||
1643 | GNUNET_CONSENSUS_conclude (ks->consensus, | ||
1644 | keygen_round2_conclude, | ||
1645 | ks); | ||
1646 | } | ||
1647 | |||
1648 | |||
1649 | /** | ||
1650 | * Insert the ephemeral key and the presecret commitment | ||
1651 | * of this peer in the consensus of the given session. | ||
1652 | * | ||
1653 | * @param ks session to use | ||
1654 | */ | ||
1655 | static void | ||
1656 | insert_round1_element (struct KeygenSession *ks) | ||
1657 | { | ||
1658 | struct GNUNET_SET_Element *element; | ||
1659 | struct GNUNET_SECRETSHARING_KeygenCommitData *d; | ||
1660 | // g^a_{i,0} | ||
1661 | gcry_mpi_t v; | ||
1662 | // big-endian representation of 'v' | ||
1663 | unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8]; | ||
1664 | |||
1665 | element = GNUNET_malloc (sizeof *element + sizeof *d); | ||
1666 | d = (void *) &element[1]; | ||
1667 | element->data = d; | ||
1668 | element->size = sizeof *d; | ||
1669 | |||
1670 | d->peer = my_peer; | ||
1671 | |||
1672 | GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS))); | ||
1673 | |||
1674 | gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p); | ||
1675 | |||
1676 | GNUNET_CRYPTO_mpi_print_unsigned (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS | ||
1677 | / 8, v); | ||
1678 | |||
1679 | GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, | ||
1680 | &d->commitment); | ||
1681 | |||
1682 | d->pubkey = ks->info[ks->local_peer_idx].paillier_public_key; | ||
1683 | |||
1684 | d->purpose.size = htonl ((sizeof *d) - offsetof (struct | ||
1685 | GNUNET_SECRETSHARING_KeygenCommitData, | ||
1686 | purpose)); | ||
1687 | d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1); | ||
1688 | GNUNET_assert (GNUNET_OK == | ||
1689 | GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key, | ||
1690 | &d->purpose, | ||
1691 | &d->signature)); | ||
1692 | |||
1693 | GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL); | ||
1694 | |||
1695 | gcry_mpi_release (v); | ||
1696 | GNUNET_free (element); | ||
1697 | } | ||
1698 | |||
1699 | |||
1700 | /** | ||
1701 | * Check that @a msg is well-formed. | ||
1702 | * | ||
1703 | * @param cls identification of the client | ||
1704 | * @param msg the actual message | ||
1705 | * @return #GNUNET_OK if @a msg is well-formed | ||
1706 | */ | ||
1707 | static int | ||
1708 | check_client_keygen (void *cls, | ||
1709 | const struct GNUNET_SECRETSHARING_CreateMessage *msg) | ||
1710 | { | ||
1711 | unsigned int num_peers = ntohs (msg->num_peers); | ||
1712 | |||
1713 | if (ntohs (msg->header.size) - sizeof(*msg) != | ||
1714 | num_peers * sizeof(struct GNUNET_PeerIdentity)) | ||
1715 | { | ||
1716 | GNUNET_break (0); | ||
1717 | return GNUNET_SYSERR; | ||
1718 | } | ||
1719 | return GNUNET_OK; | ||
1720 | } | ||
1721 | |||
1722 | |||
1723 | /** | ||
1724 | * Functions with this signature are called whenever a message is | ||
1725 | * received. | ||
1726 | * | ||
1727 | * @param cls identification of the client | ||
1728 | * @param msg the actual message | ||
1729 | */ | ||
1730 | static void | ||
1731 | handle_client_keygen (void *cls, | ||
1732 | const struct GNUNET_SECRETSHARING_CreateMessage *msg) | ||
1733 | { | ||
1734 | struct ClientState *cs = cls; | ||
1735 | struct KeygenSession *ks; | ||
1736 | |||
1737 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
1738 | "client requested key generation\n"); | ||
1739 | if (NULL != cs->keygen_session) | ||
1740 | { | ||
1741 | GNUNET_break (0); | ||
1742 | GNUNET_SERVICE_client_drop (cs->client); | ||
1743 | return; | ||
1744 | } | ||
1745 | ks = GNUNET_new (struct KeygenSession); | ||
1746 | ks->cs = cs; | ||
1747 | cs->keygen_session = ks; | ||
1748 | ks->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline); | ||
1749 | ks->threshold = ntohs (msg->threshold); | ||
1750 | ks->num_peers = ntohs (msg->num_peers); | ||
1751 | |||
1752 | ks->peers = normalize_peers ((struct GNUNET_PeerIdentity *) &msg[1], | ||
1753 | ks->num_peers, | ||
1754 | &ks->num_peers, | ||
1755 | &ks->local_peer_idx); | ||
1756 | |||
1757 | |||
1758 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
1759 | "first round of consensus with %u peers\n", | ||
1760 | ks->num_peers); | ||
1761 | ks->consensus = GNUNET_CONSENSUS_create (cfg, | ||
1762 | ks->num_peers, | ||
1763 | ks->peers, | ||
1764 | &msg->session_id, | ||
1765 | GNUNET_TIME_absolute_ntoh ( | ||
1766 | msg->start), | ||
1767 | GNUNET_TIME_absolute_ntoh ( | ||
1768 | msg->deadline), | ||
1769 | keygen_round1_new_element, | ||
1770 | ks); | ||
1771 | |||
1772 | ks->info = GNUNET_new_array (ks->num_peers, | ||
1773 | struct KeygenPeerInfo); | ||
1774 | |||
1775 | for (unsigned int i = 0; i < ks->num_peers; i++) | ||
1776 | ks->info[i].peer = ks->peers[i]; | ||
1777 | |||
1778 | GNUNET_CRYPTO_paillier_create ( | ||
1779 | &ks->info[ks->local_peer_idx].paillier_public_key, | ||
1780 | &ks->paillier_private_key); | ||
1781 | |||
1782 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
1783 | "P%u: Generated paillier key pair\n", | ||
1784 | ks->local_peer_idx); | ||
1785 | generate_presecret_polynomial (ks); | ||
1786 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
1787 | "P%u: Generated presecret polynomial\n", | ||
1788 | ks->local_peer_idx); | ||
1789 | insert_round1_element (ks); | ||
1790 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
1791 | "P%u: Concluding for round 1\n", | ||
1792 | ks->local_peer_idx); | ||
1793 | GNUNET_CONSENSUS_conclude (ks->consensus, | ||
1794 | keygen_round1_conclude, | ||
1795 | ks); | ||
1796 | GNUNET_SERVICE_client_continue (cs->client); | ||
1797 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
1798 | "P%u: Waiting for round 1 elements ...\n", | ||
1799 | ks->local_peer_idx); | ||
1800 | } | ||
1801 | |||
1802 | |||
1803 | /** | ||
1804 | * Called when the partial decryption consensus concludes. | ||
1805 | */ | ||
1806 | static void | ||
1807 | decrypt_conclude (void *cls) | ||
1808 | { | ||
1809 | struct DecryptSession *ds = cls; | ||
1810 | struct GNUNET_SECRETSHARING_DecryptResponseMessage *msg; | ||
1811 | struct GNUNET_MQ_Envelope *ev; | ||
1812 | gcry_mpi_t lagrange; | ||
1813 | gcry_mpi_t m; | ||
1814 | gcry_mpi_t tmp; | ||
1815 | gcry_mpi_t c_2; | ||
1816 | gcry_mpi_t prod; | ||
1817 | unsigned int *indices; | ||
1818 | unsigned int num; | ||
1819 | unsigned int i; | ||
1820 | unsigned int j; | ||
1821 | |||
1822 | GNUNET_CONSENSUS_destroy (ds->consensus); | ||
1823 | ds->consensus = NULL; | ||
1824 | |||
1825 | GNUNET_assert (0 != (lagrange = gcry_mpi_new (0))); | ||
1826 | GNUNET_assert (0 != (m = gcry_mpi_new (0))); | ||
1827 | GNUNET_assert (0 != (tmp = gcry_mpi_new (0))); | ||
1828 | GNUNET_assert (0 != (prod = gcry_mpi_new (0))); | ||
1829 | |||
1830 | num = 0; | ||
1831 | for (i = 0; i < ds->share->num_peers; i++) | ||
1832 | if (NULL != ds->info[i].partial_decryption) | ||
1833 | num++; | ||
1834 | |||
1835 | indices = GNUNET_new_array (num, | ||
1836 | unsigned int); | ||
1837 | j = 0; | ||
1838 | for (i = 0; i < ds->share->num_peers; i++) | ||
1839 | if (NULL != ds->info[i].partial_decryption) | ||
1840 | indices[j++] = ds->info[i].original_index; | ||
1841 | |||
1842 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
1843 | "P%u: decrypt conclude, with %u peers\n", | ||
1844 | ds->share->my_peer, | ||
1845 | num); | ||
1846 | |||
1847 | gcry_mpi_set_ui (prod, 1); | ||
1848 | for (i = 0; i < num; i++) | ||
1849 | { | ||
1850 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
1851 | "P%u: index of %u: %u\n", | ||
1852 | ds->share->my_peer, i, indices[i]); | ||
1853 | compute_lagrange_coefficient (lagrange, indices[i], indices, num); | ||
1854 | // w_i^{\lambda_i} | ||
1855 | gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange, | ||
1856 | elgamal_p); | ||
1857 | |||
1858 | // product of all exponentiated partiel decryptions ... | ||
1859 | gcry_mpi_mulm (prod, prod, tmp, elgamal_p); | ||
1860 | } | ||
1861 | |||
1862 | GNUNET_CRYPTO_mpi_scan_unsigned (&c_2, ds->ciphertext.c2_bits, | ||
1863 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
1864 | |||
1865 | GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p)); | ||
1866 | gcry_mpi_mulm (m, c_2, prod, elgamal_p); | ||
1867 | ev = GNUNET_MQ_msg (msg, | ||
1868 | GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE); | ||
1869 | GNUNET_CRYPTO_mpi_print_unsigned (&msg->plaintext, | ||
1870 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, m); | ||
1871 | msg->success = htonl (1); | ||
1872 | GNUNET_MQ_send (ds->cs->mq, | ||
1873 | ev); | ||
1874 | |||
1875 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n"); | ||
1876 | |||
1877 | GNUNET_free (indices); | ||
1878 | |||
1879 | gcry_mpi_release (lagrange); | ||
1880 | gcry_mpi_release (m); | ||
1881 | gcry_mpi_release (tmp); | ||
1882 | gcry_mpi_release (prod); | ||
1883 | gcry_mpi_release (c_2); | ||
1884 | |||
1885 | // FIXME: what if not enough peers participated? | ||
1886 | } | ||
1887 | |||
1888 | |||
1889 | /** | ||
1890 | * Get a string representation of an MPI. | ||
1891 | * The caller must free the returned string. | ||
1892 | * | ||
1893 | * @param mpi mpi to convert to a string | ||
1894 | * @return string representation of @a mpi, must be free'd by the caller | ||
1895 | */ | ||
1896 | static char * | ||
1897 | mpi_to_str (gcry_mpi_t mpi) | ||
1898 | { | ||
1899 | unsigned char *buf; | ||
1900 | |||
1901 | GNUNET_assert (0 == gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buf, NULL, mpi)); | ||
1902 | return (char *) buf; | ||
1903 | } | ||
1904 | |||
1905 | |||
1906 | /** | ||
1907 | * Called when a new partial decryption arrives. | ||
1908 | */ | ||
1909 | static void | ||
1910 | decrypt_new_element (void *cls, | ||
1911 | const struct GNUNET_SET_Element *element) | ||
1912 | { | ||
1913 | struct DecryptSession *session = cls; | ||
1914 | const struct GNUNET_SECRETSHARING_DecryptData *d; | ||
1915 | struct DecryptPeerInfo *info; | ||
1916 | struct GNUNET_HashCode challenge_hash; | ||
1917 | |||
1918 | /* nizk response */ | ||
1919 | gcry_mpi_t r; | ||
1920 | /* nizk challenge */ | ||
1921 | gcry_mpi_t challenge; | ||
1922 | /* nizk commit1, g^\beta */ | ||
1923 | gcry_mpi_t commit1; | ||
1924 | /* nizk commit2, c_1^\beta */ | ||
1925 | gcry_mpi_t commit2; | ||
1926 | /* homomorphic commitment to the peer's share, | ||
1927 | * public key share */ | ||
1928 | gcry_mpi_t sigma; | ||
1929 | /* partial decryption we received */ | ||
1930 | gcry_mpi_t w; | ||
1931 | /* ciphertext component #1 */ | ||
1932 | gcry_mpi_t c1; | ||
1933 | /* temporary variable (for comparison) #1 */ | ||
1934 | gcry_mpi_t tmp1; | ||
1935 | /* temporary variable (for comparison) #2 */ | ||
1936 | gcry_mpi_t tmp2; | ||
1937 | |||
1938 | if (NULL == element) | ||
1939 | { | ||
1940 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decryption failed\n"); | ||
1941 | /* FIXME: destroy */ | ||
1942 | return; | ||
1943 | } | ||
1944 | |||
1945 | if (element->size != sizeof *d) | ||
1946 | { | ||
1947 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1948 | "element of wrong size in decrypt consensus\n"); | ||
1949 | return; | ||
1950 | } | ||
1951 | |||
1952 | d = element->data; | ||
1953 | |||
1954 | info = get_decrypt_peer_info (session, &d->peer); | ||
1955 | |||
1956 | if (NULL == info) | ||
1957 | { | ||
1958 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1959 | "decrypt element from invalid peer (%s)\n", | ||
1960 | GNUNET_i2s (&d->peer)); | ||
1961 | return; | ||
1962 | } | ||
1963 | |||
1964 | if (NULL != info->partial_decryption) | ||
1965 | { | ||
1966 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n"); | ||
1967 | return; | ||
1968 | } | ||
1969 | |||
1970 | if (0 != GNUNET_memcmp (&d->ciphertext, &session->ciphertext)) | ||
1971 | { | ||
1972 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1973 | "P%u: got decrypt element with non-matching ciphertext from P%u\n", | ||
1974 | (unsigned int) session->share->my_peer, (unsigned int) (info | ||
1975 | - | ||
1976 | session | ||
1977 | ->info)); | ||
1978 | |||
1979 | return; | ||
1980 | } | ||
1981 | |||
1982 | |||
1983 | GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData, | ||
1984 | ciphertext) + (char *) d, | ||
1985 | offsetof (struct GNUNET_SECRETSHARING_DecryptData, | ||
1986 | nizk_response) | ||
1987 | - offsetof (struct GNUNET_SECRETSHARING_DecryptData, | ||
1988 | ciphertext), | ||
1989 | &challenge_hash); | ||
1990 | |||
1991 | GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash, | ||
1992 | sizeof(struct GNUNET_HashCode)); | ||
1993 | |||
1994 | GNUNET_CRYPTO_mpi_scan_unsigned (&sigma, &session->share->sigmas[info | ||
1995 | - session-> | ||
1996 | info], | ||
1997 | sizeof(struct | ||
1998 | GNUNET_SECRETSHARING_FieldElement)); | ||
1999 | |||
2000 | GNUNET_CRYPTO_mpi_scan_unsigned (&c1, session->ciphertext.c1_bits, | ||
2001 | sizeof(struct | ||
2002 | GNUNET_SECRETSHARING_FieldElement)); | ||
2003 | |||
2004 | GNUNET_CRYPTO_mpi_scan_unsigned (&commit1, &d->nizk_commit1, | ||
2005 | sizeof(struct | ||
2006 | GNUNET_SECRETSHARING_FieldElement)); | ||
2007 | |||
2008 | GNUNET_CRYPTO_mpi_scan_unsigned (&commit2, &d->nizk_commit2, | ||
2009 | sizeof(struct | ||
2010 | GNUNET_SECRETSHARING_FieldElement)); | ||
2011 | |||
2012 | GNUNET_CRYPTO_mpi_scan_unsigned (&r, &d->nizk_response, | ||
2013 | sizeof(struct | ||
2014 | GNUNET_SECRETSHARING_FieldElement)); | ||
2015 | |||
2016 | GNUNET_CRYPTO_mpi_scan_unsigned (&w, &d->partial_decryption, | ||
2017 | sizeof(struct | ||
2018 | GNUNET_SECRETSHARING_FieldElement)); | ||
2019 | |||
2020 | GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0))); | ||
2021 | GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0))); | ||
2022 | |||
2023 | // tmp1 = g^r | ||
2024 | gcry_mpi_powm (tmp1, elgamal_g, r, elgamal_p); | ||
2025 | |||
2026 | // tmp2 = g^\beta * \sigma^challenge | ||
2027 | gcry_mpi_powm (tmp2, sigma, challenge, elgamal_p); | ||
2028 | gcry_mpi_mulm (tmp2, tmp2, commit1, elgamal_p); | ||
2029 | |||
2030 | if (0 != gcry_mpi_cmp (tmp1, tmp2)) | ||
2031 | { | ||
2032 | char *tmp1_str; | ||
2033 | char *tmp2_str; | ||
2034 | |||
2035 | tmp1_str = mpi_to_str (tmp1); | ||
2036 | tmp2_str = mpi_to_str (tmp2); | ||
2037 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
2038 | "P%u: Received invalid partial decryption from P%u (eqn 1), expected %s got %s\n", | ||
2039 | session->share->my_peer, | ||
2040 | (unsigned int) (info - session->info), | ||
2041 | tmp1_str, | ||
2042 | tmp2_str); | ||
2043 | GNUNET_free (tmp1_str); | ||
2044 | GNUNET_free (tmp2_str); | ||
2045 | goto cleanup; | ||
2046 | } | ||
2047 | |||
2048 | |||
2049 | gcry_mpi_powm (tmp1, c1, r, elgamal_p); | ||
2050 | |||
2051 | gcry_mpi_powm (tmp2, w, challenge, elgamal_p); | ||
2052 | gcry_mpi_mulm (tmp2, tmp2, commit2, elgamal_p); | ||
2053 | |||
2054 | |||
2055 | if (0 != gcry_mpi_cmp (tmp1, tmp2)) | ||
2056 | { | ||
2057 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
2058 | "P%u: Received invalid partial decryption from P%u (eqn 2)\n", | ||
2059 | session->share->my_peer, | ||
2060 | (unsigned int) (info - session->info)); | ||
2061 | goto cleanup; | ||
2062 | } | ||
2063 | |||
2064 | |||
2065 | GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption, | ||
2066 | &d->partial_decryption, | ||
2067 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
2068 | cleanup: | ||
2069 | gcry_mpi_release (tmp1); | ||
2070 | gcry_mpi_release (tmp2); | ||
2071 | gcry_mpi_release (sigma); | ||
2072 | gcry_mpi_release (commit1); | ||
2073 | gcry_mpi_release (commit2); | ||
2074 | gcry_mpi_release (r); | ||
2075 | gcry_mpi_release (w); | ||
2076 | gcry_mpi_release (challenge); | ||
2077 | gcry_mpi_release (c1); | ||
2078 | } | ||
2079 | |||
2080 | |||
2081 | static void | ||
2082 | insert_decrypt_element (struct DecryptSession *ds) | ||
2083 | { | ||
2084 | struct GNUNET_SECRETSHARING_DecryptData d; | ||
2085 | struct GNUNET_SET_Element element; | ||
2086 | /* our share */ | ||
2087 | gcry_mpi_t s; | ||
2088 | /* partial decryption with our share */ | ||
2089 | gcry_mpi_t w; | ||
2090 | /* first component of the elgamal ciphertext */ | ||
2091 | gcry_mpi_t c1; | ||
2092 | /* nonce for dlog zkp */ | ||
2093 | gcry_mpi_t beta; | ||
2094 | gcry_mpi_t tmp; | ||
2095 | gcry_mpi_t challenge; | ||
2096 | gcry_mpi_t sigma; | ||
2097 | struct GNUNET_HashCode challenge_hash; | ||
2098 | |||
2099 | /* make vagrind happy until we implement the real deal ... */ | ||
2100 | memset (&d, 0, sizeof d); | ||
2101 | |||
2102 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n", | ||
2103 | ds->share->my_peer); | ||
2104 | |||
2105 | GNUNET_assert (ds->share->my_peer < ds->share->num_peers); | ||
2106 | |||
2107 | GNUNET_CRYPTO_mpi_scan_unsigned (&c1, &ds->ciphertext.c1_bits, | ||
2108 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
2109 | GNUNET_CRYPTO_mpi_scan_unsigned (&s, &ds->share->my_share, | ||
2110 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
2111 | GNUNET_CRYPTO_mpi_scan_unsigned (&sigma, | ||
2112 | &ds->share->sigmas[ds->share->my_peer], | ||
2113 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8); | ||
2114 | |||
2115 | GNUNET_assert (NULL != (w = gcry_mpi_new (0))); | ||
2116 | GNUNET_assert (NULL != (beta = gcry_mpi_new (0))); | ||
2117 | GNUNET_assert (NULL != (tmp = gcry_mpi_new (0))); | ||
2118 | |||
2119 | // FIXME: unnecessary, remove once crypto works | ||
2120 | gcry_mpi_powm (tmp, elgamal_g, s, elgamal_p); | ||
2121 | if (0 != gcry_mpi_cmp (tmp, sigma)) | ||
2122 | { | ||
2123 | char *sigma_str = mpi_to_str (sigma); | ||
2124 | char *tmp_str = mpi_to_str (tmp); | ||
2125 | char *s_str = mpi_to_str (s); | ||
2126 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
2127 | "Share of P%u is invalid, ref sigma %s, " | ||
2128 | "computed sigma %s, s %s\n", | ||
2129 | ds->share->my_peer, | ||
2130 | sigma_str, tmp_str, s_str); | ||
2131 | GNUNET_free (sigma_str); | ||
2132 | GNUNET_free (tmp_str); | ||
2133 | GNUNET_free (s_str); | ||
2134 | } | ||
2135 | |||
2136 | gcry_mpi_powm (w, c1, s, elgamal_p); | ||
2137 | |||
2138 | element.data = (void *) &d; | ||
2139 | element.size = sizeof(struct GNUNET_SECRETSHARING_DecryptData); | ||
2140 | element.element_type = 0; | ||
2141 | |||
2142 | d.ciphertext = ds->ciphertext; | ||
2143 | d.peer = my_peer; | ||
2144 | GNUNET_CRYPTO_mpi_print_unsigned (&d.partial_decryption, | ||
2145 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, w); | ||
2146 | |||
2147 | // create the zero knowledge proof | ||
2148 | // randomly choose beta such that 0 < beta < q | ||
2149 | do | ||
2150 | { | ||
2151 | gcry_mpi_randomize (beta, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, | ||
2152 | GCRY_WEAK_RANDOM); | ||
2153 | } | ||
2154 | while ((gcry_mpi_cmp_ui (beta, 0) == 0) || (gcry_mpi_cmp (beta, elgamal_q) >= | ||
2155 | 0)); | ||
2156 | // tmp = g^beta | ||
2157 | gcry_mpi_powm (tmp, elgamal_g, beta, elgamal_p); | ||
2158 | GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit1, | ||
2159 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp); | ||
2160 | // tmp = (c_1)^beta | ||
2161 | gcry_mpi_powm (tmp, c1, beta, elgamal_p); | ||
2162 | GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit2, | ||
2163 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp); | ||
2164 | |||
2165 | // the challenge is the hash of everything up to the response | ||
2166 | GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData, | ||
2167 | ciphertext) + (char *) &d, | ||
2168 | offsetof (struct GNUNET_SECRETSHARING_DecryptData, | ||
2169 | nizk_response) | ||
2170 | - offsetof (struct GNUNET_SECRETSHARING_DecryptData, | ||
2171 | ciphertext), | ||
2172 | &challenge_hash); | ||
2173 | |||
2174 | GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash, | ||
2175 | sizeof(struct GNUNET_HashCode)); | ||
2176 | |||
2177 | // compute the response in tmp, | ||
2178 | // tmp = (c * s + beta) mod q | ||
2179 | gcry_mpi_mulm (tmp, challenge, s, elgamal_q); | ||
2180 | gcry_mpi_addm (tmp, tmp, beta, elgamal_q); | ||
2181 | |||
2182 | GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_response, | ||
2183 | GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp); | ||
2184 | |||
2185 | d.purpose.size = htonl (element.size - offsetof (struct | ||
2186 | GNUNET_SECRETSHARING_DecryptData, | ||
2187 | purpose)); | ||
2188 | d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION); | ||
2189 | |||
2190 | GNUNET_assert (GNUNET_OK == | ||
2191 | GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key, | ||
2192 | &d.purpose, | ||
2193 | &d.signature)); | ||
2194 | |||
2195 | GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL); | ||
2196 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
2197 | "P%u: Inserting decrypt element done!\n", | ||
2198 | ds->share->my_peer); | ||
2199 | |||
2200 | gcry_mpi_release (s); | ||
2201 | gcry_mpi_release (w); | ||
2202 | gcry_mpi_release (c1); | ||
2203 | gcry_mpi_release (beta); | ||
2204 | gcry_mpi_release (tmp); | ||
2205 | gcry_mpi_release (challenge); | ||
2206 | gcry_mpi_release (sigma); | ||
2207 | } | ||
2208 | |||
2209 | |||
2210 | /** | ||
2211 | * Check that @a msg is well-formed. | ||
2212 | * | ||
2213 | * @param cls identification of the client | ||
2214 | * @param msg the actual message | ||
2215 | * @return #GNUNET_OK (check deferred a bit) | ||
2216 | */ | ||
2217 | static int | ||
2218 | check_client_decrypt (void *cls, | ||
2219 | const struct | ||
2220 | GNUNET_SECRETSHARING_DecryptRequestMessage *msg) | ||
2221 | { | ||
2222 | /* we check later, it's complicated */ | ||
2223 | return GNUNET_OK; | ||
2224 | } | ||
2225 | |||
2226 | |||
2227 | /** | ||
2228 | * Functions with this signature are called whenever a message is | ||
2229 | * received. | ||
2230 | * | ||
2231 | * @param cls identification of the client | ||
2232 | * @param msg the actual message | ||
2233 | */ | ||
2234 | static void | ||
2235 | handle_client_decrypt (void *cls, | ||
2236 | const struct | ||
2237 | GNUNET_SECRETSHARING_DecryptRequestMessage *msg) | ||
2238 | { | ||
2239 | struct ClientState *cs = cls; | ||
2240 | struct DecryptSession *ds; | ||
2241 | struct GNUNET_HashCode session_id; | ||
2242 | |||
2243 | if (NULL != cs->decrypt_session) | ||
2244 | { | ||
2245 | GNUNET_break (0); | ||
2246 | GNUNET_SERVICE_client_drop (cs->client); | ||
2247 | return; | ||
2248 | } | ||
2249 | ds = GNUNET_new (struct DecryptSession); | ||
2250 | cs->decrypt_session = ds; | ||
2251 | ds->cs = cs; | ||
2252 | ds->start = GNUNET_TIME_absolute_ntoh (msg->start); | ||
2253 | ds->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline); | ||
2254 | ds->ciphertext = msg->ciphertext; | ||
2255 | |||
2256 | ds->share = GNUNET_SECRETSHARING_share_read (&msg[1], | ||
2257 | ntohs (msg->header.size) | ||
2258 | - sizeof(*msg), | ||
2259 | NULL); | ||
2260 | if (NULL == ds->share) | ||
2261 | { | ||
2262 | GNUNET_break (0); | ||
2263 | GNUNET_SERVICE_client_drop (cs->client); | ||
2264 | return; | ||
2265 | } | ||
2266 | |||
2267 | /* FIXME: this is probably sufficient, but kdf/hash with all values would be nicer ... */ | ||
2268 | GNUNET_CRYPTO_hash (&msg->ciphertext, | ||
2269 | sizeof(struct GNUNET_SECRETSHARING_Ciphertext), | ||
2270 | &session_id); | ||
2271 | ds->consensus = GNUNET_CONSENSUS_create (cfg, | ||
2272 | ds->share->num_peers, | ||
2273 | ds->share->peers, | ||
2274 | &session_id, | ||
2275 | ds->start, | ||
2276 | ds->deadline, | ||
2277 | &decrypt_new_element, | ||
2278 | ds); | ||
2279 | |||
2280 | |||
2281 | ds->info = GNUNET_new_array (ds->share->num_peers, | ||
2282 | struct DecryptPeerInfo); | ||
2283 | for (unsigned int i = 0; i < ds->share->num_peers; i++) | ||
2284 | { | ||
2285 | ds->info[i].peer = ds->share->peers[i]; | ||
2286 | ds->info[i].original_index = ds->share->original_indices[i]; | ||
2287 | } | ||
2288 | insert_decrypt_element (ds); | ||
2289 | GNUNET_CONSENSUS_conclude (ds->consensus, | ||
2290 | decrypt_conclude, | ||
2291 | ds); | ||
2292 | GNUNET_SERVICE_client_continue (cs->client); | ||
2293 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
2294 | "decrypting with %u peers\n", | ||
2295 | ds->share->num_peers); | ||
2296 | } | ||
2297 | |||
2298 | |||
2299 | static void | ||
2300 | init_crypto_constants (void) | ||
2301 | { | ||
2302 | GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX, | ||
2303 | GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0, | ||
2304 | NULL)); | ||
2305 | GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX, | ||
2306 | GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0, | ||
2307 | NULL)); | ||
2308 | GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX, | ||
2309 | GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0, | ||
2310 | NULL)); | ||
2311 | } | ||
2312 | |||
2313 | |||
2314 | /** | ||
2315 | * Initialize secretsharing service. | ||
2316 | * | ||
2317 | * @param cls closure | ||
2318 | * @param c configuration to use | ||
2319 | * @param service the initialized service | ||
2320 | */ | ||
2321 | static void | ||
2322 | run (void *cls, | ||
2323 | const struct GNUNET_CONFIGURATION_Handle *c, | ||
2324 | struct GNUNET_SERVICE_Handle *service) | ||
2325 | { | ||
2326 | cfg = c; | ||
2327 | my_peer_private_key = GNUNET_CRYPTO_eddsa_key_create_from_configuration (c); | ||
2328 | if (NULL == my_peer_private_key) | ||
2329 | { | ||
2330 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
2331 | "could not access host private key\n"); | ||
2332 | GNUNET_break (0); | ||
2333 | GNUNET_SCHEDULER_shutdown (); | ||
2334 | return; | ||
2335 | } | ||
2336 | init_crypto_constants (); | ||
2337 | if (GNUNET_OK != | ||
2338 | GNUNET_CRYPTO_get_peer_identity (cfg, | ||
2339 | &my_peer)) | ||
2340 | { | ||
2341 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
2342 | "could not retrieve host identity\n"); | ||
2343 | GNUNET_break (0); | ||
2344 | GNUNET_SCHEDULER_shutdown (); | ||
2345 | return; | ||
2346 | } | ||
2347 | GNUNET_SCHEDULER_add_shutdown (&cleanup_task, | ||
2348 | NULL); | ||
2349 | } | ||
2350 | |||
2351 | |||
2352 | /** | ||
2353 | * Callback called when a client connects to the service. | ||
2354 | * | ||
2355 | * @param cls closure for the service | ||
2356 | * @param c the new client that connected to the service | ||
2357 | * @param mq the message queue used to send messages to the client | ||
2358 | * @return @a c | ||
2359 | */ | ||
2360 | static void * | ||
2361 | client_connect_cb (void *cls, | ||
2362 | struct GNUNET_SERVICE_Client *c, | ||
2363 | struct GNUNET_MQ_Handle *mq) | ||
2364 | { | ||
2365 | struct ClientState *cs = GNUNET_new (struct ClientState);; | ||
2366 | |||
2367 | cs->client = c; | ||
2368 | cs->mq = mq; | ||
2369 | return cs; | ||
2370 | } | ||
2371 | |||
2372 | |||
2373 | /** | ||
2374 | * Callback called when a client disconnected from the service | ||
2375 | * | ||
2376 | * @param cls closure for the service | ||
2377 | * @param c the client that disconnected | ||
2378 | * @param internal_cls should be equal to @a c | ||
2379 | */ | ||
2380 | static void | ||
2381 | client_disconnect_cb (void *cls, | ||
2382 | struct GNUNET_SERVICE_Client *c, | ||
2383 | void *internal_cls) | ||
2384 | { | ||
2385 | struct ClientState *cs = internal_cls; | ||
2386 | |||
2387 | if (NULL != cs->keygen_session) | ||
2388 | keygen_session_destroy (cs->keygen_session); | ||
2389 | |||
2390 | if (NULL != cs->decrypt_session) | ||
2391 | decrypt_session_destroy (cs->decrypt_session); | ||
2392 | GNUNET_free (cs); | ||
2393 | } | ||
2394 | |||
2395 | |||
2396 | /** | ||
2397 | * Define "main" method using service macro. | ||
2398 | */ | ||
2399 | GNUNET_SERVICE_MAIN | ||
2400 | ("secretsharing", | ||
2401 | GNUNET_SERVICE_OPTION_NONE, | ||
2402 | &run, | ||
2403 | &client_connect_cb, | ||
2404 | &client_disconnect_cb, | ||
2405 | NULL, | ||
2406 | GNUNET_MQ_hd_var_size (client_keygen, | ||
2407 | GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE, | ||
2408 | struct GNUNET_SECRETSHARING_CreateMessage, | ||
2409 | NULL), | ||
2410 | GNUNET_MQ_hd_var_size (client_decrypt, | ||
2411 | GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT, | ||
2412 | struct GNUNET_SECRETSHARING_DecryptRequestMessage, | ||
2413 | NULL), | ||
2414 | GNUNET_MQ_handler_end ()); | ||