1 files changed, 463 insertions, 0 deletions
diff --git a/src/lib/util/crypto_paillier.c b/src/lib/util/crypto_paillier.c
new file mode 100644
index 000000000..169d1e49e
--- /dev/null
+++ b/src/lib/util/crypto_paillier.c
@@ -0,0 +1,463 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2014 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file util/crypto_paillier.c
+ * @brief implementation of the paillier crypto system with libgcrypt
+ * @author Florian Dold
+ * @author Christian Fuchs
+ */
+#include "platform.h"
+#include <gcrypt.h>
+#include "gnunet_util_lib.h"
+/**
+ * Create a freshly generated paillier public key.
+ *
+ * @param[out] public_key Where to store the public key?
+ * @param[out] private_key Where to store the private key?
+ */
+void
+GNUNET_CRYPTO_paillier_create (struct
+                               GNUNET_CRYPTO_PaillierPublicKey *public_key,
+                               struct GNUNET_CRYPTO_PaillierPrivateKey *
+                               private_key)
+{
+  gcry_mpi_t p;
+  gcry_mpi_t q;
+  gcry_mpi_t phi;
+  gcry_mpi_t mu;
+  gcry_mpi_t n;
+  /* Generate two distinct primes.  The probability that the loop body
+     is executed more than once is very very low... */
+  p = NULL;
+  q = NULL;
+  do
+  {
+    if (NULL != p)
+      gcry_mpi_release (p);
+    if (NULL != q)
+      gcry_mpi_release (q);
+    GNUNET_assert (0 ==
+                   gcry_prime_generate (&p,
+                                        GNUNET_CRYPTO_PAILLIER_BITS / 2,
+                                        0, NULL, NULL, NULL,
+                                        GCRY_STRONG_RANDOM, 0));
+    GNUNET_assert (0 ==
+                   gcry_prime_generate (&q,
+                                        GNUNET_CRYPTO_PAILLIER_BITS / 2,
+                                        0, NULL, NULL, NULL,
+                                        GCRY_STRONG_RANDOM, 0));
+  }
+  while (0 == gcry_mpi_cmp (p, q));
+  /* n = p * q */
+  GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
+  gcry_mpi_mul (n,
+                p,
+                q);
+  GNUNET_CRYPTO_mpi_print_unsigned (public_key,
+                                    sizeof(struct
+                                           GNUNET_CRYPTO_PaillierPublicKey),
+                                    n);
+  /* compute phi(n) = (p-1)(q-1) */
+  GNUNET_assert (NULL != (phi = gcry_mpi_new (0)));
+  gcry_mpi_sub_ui (p, p, 1);
+  gcry_mpi_sub_ui (q, q, 1);
+  gcry_mpi_mul (phi, p, q);
+  gcry_mpi_release (p);
+  gcry_mpi_release (q);
+  /* lambda equals phi(n) in the simplified key generation */
+  GNUNET_CRYPTO_mpi_print_unsigned (private_key->lambda,
+                                    GNUNET_CRYPTO_PAILLIER_BITS / 8,
+                                    phi);
+  /* mu = phi^{-1} mod n, as we use g = n + 1 */
+  GNUNET_assert (NULL != (mu = gcry_mpi_new (0)));
+  GNUNET_assert (0 != gcry_mpi_invm (mu,
+                                     phi,
+                                     n));
+  gcry_mpi_release (phi);
+  gcry_mpi_release (n);
+  GNUNET_CRYPTO_mpi_print_unsigned (private_key->mu,
+                                    GNUNET_CRYPTO_PAILLIER_BITS / 8,
+                                    mu);
+  gcry_mpi_release (mu);
+}
+/**
+ * Encrypt a plaintext with a paillier public key.
+ *
+ * @param public_key Public key to use.
+ * @param m Plaintext to encrypt.
+ * @param desired_ops How many homomorphic ops the caller intends to use
+ * @param[out] ciphertext Encryption of @a plaintext with @a public_key.
+ * @return guaranteed number of supported homomorphic operations >= 1,
+ *         or desired_ops, in case that is lower,
+ *         or -1 if less than one homomorphic operation is possible
+ */
+int
+GNUNET_CRYPTO_paillier_encrypt1 (const struct
+                                 GNUNET_CRYPTO_PaillierPublicKey *public_key,
+                                 const gcry_mpi_t m,
+                                 int desired_ops,
+                                 struct GNUNET_CRYPTO_PaillierCiphertext *
+                                 ciphertext)
+{
+  int possible_opts;
+  gcry_mpi_t n_square;
+  gcry_mpi_t r;
+  gcry_mpi_t c;
+  gcry_mpi_t n;
+  gcry_mpi_t tmp1;
+  gcry_mpi_t tmp2;
+  unsigned int highbit;
+  /* determine how many operations we could allow, if the other number
+     has the same length. */
+  GNUNET_assert (NULL != (tmp1 = gcry_mpi_set_ui (NULL, 1)));
+  GNUNET_assert (NULL != (tmp2 = gcry_mpi_set_ui (NULL, 2)));
+  gcry_mpi_mul_2exp (tmp1, tmp1, GNUNET_CRYPTO_PAILLIER_BITS);
+  /* count number of possible operations
+     this would be nicer with gcry_mpi_get_nbits, however it does not return
+     the BITLENGTH of the given MPI's value, but the bits required
+     to represent the number as MPI. */
+  for (possible_opts = -2; gcry_mpi_cmp (tmp1, m) > 0; possible_opts++)
+    gcry_mpi_div (tmp1, NULL, tmp1, tmp2, 0);
+  gcry_mpi_release (tmp1);
+  gcry_mpi_release (tmp2);
+  if (possible_opts < 1)
+    possible_opts = 0;
+  /* soft-cap by caller */
+  possible_opts = (desired_ops < possible_opts) ? desired_ops : possible_opts;
+  ciphertext->remaining_ops = htonl (possible_opts);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&n,
+                                   public_key,
+                                   sizeof(struct
+                                          GNUNET_CRYPTO_PaillierPublicKey));
+  highbit = GNUNET_CRYPTO_PAILLIER_BITS - 1;
+  while ((! gcry_mpi_test_bit (n, highbit)) &&
+         (0 != highbit))
+    highbit--;
+  if (0 == highbit)
+  {
+    /* invalid public key */
+    GNUNET_break_op (0);
+    gcry_mpi_release (n);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
+  GNUNET_assert (0 != (r = gcry_mpi_new (0)));
+  GNUNET_assert (0 != (c = gcry_mpi_new (0)));
+  gcry_mpi_mul (n_square, n, n);
+  /* generate r < n (without bias) */
+  do
+  {
+    gcry_mpi_randomize (r, highbit + 1, GCRY_STRONG_RANDOM);
+  }
+  while (gcry_mpi_cmp (r, n) >= 0);
+  /* c = (n+1)^m mod n^2 */
+  /* c = n + 1 */
+  gcry_mpi_add_ui (c, n, 1);
+  /* c = (n+1)^m mod n^2 */
+  gcry_mpi_powm (c, c, m, n_square);
+  /* r <- r^n mod n^2 */
+  gcry_mpi_powm (r, r, n, n_square);
+  /* c <- r*c mod n^2 */
+  gcry_mpi_mulm (c, r, c, n_square);
+  GNUNET_CRYPTO_mpi_print_unsigned (ciphertext->bits,
+                                    sizeof ciphertext->bits,
+                                    c);
+  gcry_mpi_release (n_square);
+  gcry_mpi_release (n);
+  gcry_mpi_release (r);
+  gcry_mpi_release (c);
+  return possible_opts;
+}
+/**
+ * Encrypt a plaintext with a paillier public key.
+ *
+ * @param public_key Public key to use.
+ * @param m Plaintext to encrypt.
+ * @param desired_ops How many homomorphic ops the caller intends to use
+ * @param[out] ciphertext Encryption of @a plaintext with @a public_key.
+ * @return guaranteed number of supported homomorphic operations >= 1,
+ *         or desired_ops, in case that is lower,
+ *         or -1 if less than one homomorphic operation is possible
+ */
+int
+GNUNET_CRYPTO_paillier_encrypt (const struct
+                                GNUNET_CRYPTO_PaillierPublicKey *public_key,
+                                const gcry_mpi_t m,
+                                int desired_ops,
+                                struct GNUNET_CRYPTO_PaillierCiphertext *
+                                ciphertext)
+{
+  int possible_opts;
+  gcry_mpi_t n_square;
+  gcry_mpi_t r;
+  gcry_mpi_t rn;
+  gcry_mpi_t g;
+  gcry_mpi_t gm;
+  gcry_mpi_t c;
+  gcry_mpi_t n;
+  gcry_mpi_t max_num;
+  unsigned int highbit;
+  /* set max_num = 2^{GNUNET_CRYPTO_PAILLIER_BITS}, the largest
+     number we can have as a result */
+  GNUNET_assert (NULL != (max_num = gcry_mpi_set_ui (NULL, 1)));
+  gcry_mpi_mul_2exp (max_num,
+                     max_num,
+                     GNUNET_CRYPTO_PAILLIER_BITS);
+  /* Determine how many operations we could allow, assuming the other
+     number has the same length (or is smaller), by counting the
+     number of possible operations.  We essentially divide max_num by
+     2 until the result is no longer larger than 'm', incrementing the
+     maximum number of operations in each round, starting at -2 */for (possible_opts = -2; gcry_mpi_cmp (max_num, m) > 0; possible_opts++)
+    gcry_mpi_div (max_num,
+                  NULL,
+                  max_num,
+                  GCRYMPI_CONST_TWO,
+                  0);
+  gcry_mpi_release (max_num);
+  if (possible_opts < 1)
+    possible_opts = 0;
+  /* Enforce soft-cap by caller */
+  possible_opts = GNUNET_MIN (desired_ops, possible_opts);
+  ciphertext->remaining_ops = htonl (possible_opts);
+  GNUNET_CRYPTO_mpi_scan_unsigned (&n,
+                                   public_key,
+                                   sizeof(struct
+                                          GNUNET_CRYPTO_PaillierPublicKey));
+  /* check public key for number of bits, bail out if key is all zeros */
+  highbit = GNUNET_CRYPTO_PAILLIER_BITS - 1;
+  while ((! gcry_mpi_test_bit (n, highbit)) &&
+         (0 != highbit))
+    highbit--;
+  if (0 == highbit)
+  {
+    /* invalid public key */
+    GNUNET_break_op (0);
+    gcry_mpi_release (n);
+    return GNUNET_SYSERR;
+  }
+  /* generate r < n (without bias) */
+  GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
+  do
+  {
+    gcry_mpi_randomize (r, highbit + 1, GCRY_STRONG_RANDOM);
+  }
+  while (gcry_mpi_cmp (r, n) >= 0);
+  /* g = n + 1 */
+  GNUNET_assert (0 != (g = gcry_mpi_new (0)));
+  gcry_mpi_add_ui (g, n, 1);
+  /* n_square = n^2 */
+  GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
+  gcry_mpi_mul (n_square,
+                n,
+                n);
+  /* gm = g^m mod n^2 */
+  GNUNET_assert (0 != (gm = gcry_mpi_new (0)));
+  gcry_mpi_powm (gm, g, m, n_square);
+  gcry_mpi_release (g);
+  /* rn <- r^n mod n^2 */
+  GNUNET_assert (0 != (rn = gcry_mpi_new (0)));
+  gcry_mpi_powm (rn, r, n, n_square);
+  gcry_mpi_release (r);
+  gcry_mpi_release (n);
+  /* c <- rn * gm mod n^2 */
+  GNUNET_assert (0 != (c = gcry_mpi_new (0)));
+  gcry_mpi_mulm (c, rn, gm, n_square);
+  gcry_mpi_release (n_square);
+  gcry_mpi_release (gm);
+  gcry_mpi_release (rn);
+  GNUNET_CRYPTO_mpi_print_unsigned (ciphertext->bits,
+                                    sizeof(ciphertext->bits),
+                                    c);
+  gcry_mpi_release (c);
+  return possible_opts;
+}
+void
+GNUNET_CRYPTO_paillier_decrypt (const struct
+                                GNUNET_CRYPTO_PaillierPrivateKey *private_key,
+                                const struct
+                                GNUNET_CRYPTO_PaillierPublicKey *public_key,
+                                const struct
+                                GNUNET_CRYPTO_PaillierCiphertext *ciphertext,
+                                gcry_mpi_t m)
+{
+  gcry_mpi_t mu;
+  gcry_mpi_t lambda;
+  gcry_mpi_t n;
+  gcry_mpi_t n_square;
+  gcry_mpi_t c;
+  gcry_mpi_t cmu;
+  gcry_mpi_t cmum1;
+  gcry_mpi_t mod;
+  GNUNET_CRYPTO_mpi_scan_unsigned (&lambda,
+                                   private_key->lambda,
+                                   sizeof(private_key->lambda));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&mu,
+                                   private_key->mu,
+                                   sizeof(private_key->mu));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&n,
+                                   public_key,
+                                   sizeof(struct
+                                          GNUNET_CRYPTO_PaillierPublicKey));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&c,
+                                   ciphertext->bits,
+                                   sizeof(ciphertext->bits));
+  /* n_square = n * n */
+  GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
+  gcry_mpi_mul (n_square, n, n);
+  /* cmu = c^lambda mod n^2 */
+  GNUNET_assert (0 != (cmu = gcry_mpi_new (0)));
+  gcry_mpi_powm (cmu,
+                 c,
+                 lambda,
+                 n_square);
+  gcry_mpi_release (n_square);
+  gcry_mpi_release (lambda);
+  gcry_mpi_release (c);
+  /* cmum1 = cmu - 1 */
+  GNUNET_assert (0 != (cmum1 = gcry_mpi_new (0)));
+  gcry_mpi_sub_ui (cmum1, cmu, 1);
+  gcry_mpi_release (cmu);
+  /* mod = cmum1 / n (mod n) */
+  GNUNET_assert (0 != (mod = gcry_mpi_new (0)));
+  gcry_mpi_div (mod, NULL, cmum1, n, 0);
+  gcry_mpi_release (cmum1);
+  /* m = mod * mu mod n */
+  gcry_mpi_mulm (m, mod, mu, n);
+  gcry_mpi_release (mod);
+  gcry_mpi_release (mu);
+  gcry_mpi_release (n);
+}
+int
+GNUNET_CRYPTO_paillier_hom_add (const struct
+                                GNUNET_CRYPTO_PaillierPublicKey *public_key,
+                                const struct
+                                GNUNET_CRYPTO_PaillierCiphertext *c1,
+                                const struct
+                                GNUNET_CRYPTO_PaillierCiphertext *c2,
+                                struct GNUNET_CRYPTO_PaillierCiphertext *result)
+{
+  gcry_mpi_t a;
+  gcry_mpi_t b;
+  gcry_mpi_t c;
+  gcry_mpi_t n;
+  gcry_mpi_t n_square;
+  int32_t o1;
+  int32_t o2;
+  o1 = (int32_t) ntohl (c1->remaining_ops);
+  o2 = (int32_t) ntohl (c2->remaining_ops);
+  if ((0 >= o1) || (0 >= o2))
+  {
+    GNUNET_break_op (0);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_CRYPTO_mpi_scan_unsigned (&a,
+                                   c1->bits,
+                                   sizeof(c1->bits));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&b,
+                                   c2->bits,
+                                   sizeof(c2->bits));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&n,
+                                   public_key,
+                                   sizeof(struct
+                                          GNUNET_CRYPTO_PaillierPublicKey));
+  /* n_square = n * n */
+  GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
+  gcry_mpi_mul (n_square, n, n);
+  gcry_mpi_release (n);
+  /* c = a * b mod n_square */
+  GNUNET_assert (0 != (c = gcry_mpi_new (0)));
+  gcry_mpi_mulm (c, a, b, n_square);
+  gcry_mpi_release (n_square);
+  gcry_mpi_release (a);
+  gcry_mpi_release (b);
+  result->remaining_ops = htonl (GNUNET_MIN (o1, o2) - 1);
+  GNUNET_CRYPTO_mpi_print_unsigned (result->bits,
+                                    sizeof(result->bits),
+                                    c);
+  gcry_mpi_release (c);
+  return ntohl (result->remaining_ops);
+}
+/**
+ * Get the number of remaining supported homomorphic operations.
+ *
+ * @param c Paillier cipher text.
+ * @return the number of remaining homomorphic operations
+ */
+int
+GNUNET_CRYPTO_paillier_hom_get_remaining (const struct
+                                          GNUNET_CRYPTO_PaillierCiphertext *c)
+{
+  GNUNET_assert (NULL != c);
+  return ntohl (c->remaining_ops);
+}
+/* end of crypto_paillier.c */

diff --git a/src/lib/util/crypto_paillier.c b/src/lib/util/crypto_paillier.c new file mode 100644 index 000000000..169d1e49e --- /dev/null +++ b/src/lib/util/crypto_paillier.c
@@ -0,0 +1,463 @@
	1	/*
	2	This file is part of GNUnet.
	3	Copyright (C) 2014 GNUnet e.V.
	4
	5	GNUnet is free software: you can redistribute it and/or modify it
	6	under the terms of the GNU Affero General Public License as published
	7	by the Free Software Foundation, either version 3 of the License,
	8	or (at your option) any later version.
	9
	10	GNUnet is distributed in the hope that it will be useful, but
	11	WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	13	Affero General Public License for more details.
	14
	15	You should have received a copy of the GNU Affero General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17
	18	SPDX-License-Identifier: AGPL3.0-or-later
	19	*/
	20
	21	/**
	22	* @file util/crypto_paillier.c
	23	* @brief implementation of the paillier crypto system with libgcrypt
	24	* @author Florian Dold
	25	* @author Christian Fuchs
	26	*/
	27
	28	#include "platform.h"
	29	#include <gcrypt.h>
	30	#include "gnunet_util_lib.h"
	31
	32
	33	/**
	34	* Create a freshly generated paillier public key.
	35	*
	36	* @param[out] public_key Where to store the public key?
	37	* @param[out] private_key Where to store the private key?
	38	*/
	39	void
	40	GNUNET_CRYPTO_paillier_create (struct
	41	GNUNET_CRYPTO_PaillierPublicKey *public_key,
	42	struct GNUNET_CRYPTO_PaillierPrivateKey *
	43	private_key)
	44	{
	45	gcry_mpi_t p;
	46	gcry_mpi_t q;
	47	gcry_mpi_t phi;
	48	gcry_mpi_t mu;
	49	gcry_mpi_t n;
	50
	51	/* Generate two distinct primes. The probability that the loop body
	52	is executed more than once is very very low... */
	53	p = NULL;
	54	q = NULL;
	55	do
	56	{
	57	if (NULL != p)
	58	gcry_mpi_release (p);
	59	if (NULL != q)
	60	gcry_mpi_release (q);
	61	GNUNET_assert (0 ==
	62	gcry_prime_generate (&p,
	63	GNUNET_CRYPTO_PAILLIER_BITS / 2,
	64	0, NULL, NULL, NULL,
	65	GCRY_STRONG_RANDOM, 0));
	66	GNUNET_assert (0 ==
	67	gcry_prime_generate (&q,
	68	GNUNET_CRYPTO_PAILLIER_BITS / 2,
	69	0, NULL, NULL, NULL,
	70	GCRY_STRONG_RANDOM, 0));
	71	}
	72	while (0 == gcry_mpi_cmp (p, q));
	73	/* n = p * q */
	74	GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
	75	gcry_mpi_mul (n,
	76	p,
	77	q);
	78	GNUNET_CRYPTO_mpi_print_unsigned (public_key,
	79	sizeof(struct
	80	GNUNET_CRYPTO_PaillierPublicKey),
	81	n);
	82
	83	/* compute phi(n) = (p-1)(q-1) */
	84	GNUNET_assert (NULL != (phi = gcry_mpi_new (0)));
	85	gcry_mpi_sub_ui (p, p, 1);
	86	gcry_mpi_sub_ui (q, q, 1);
	87	gcry_mpi_mul (phi, p, q);
	88	gcry_mpi_release (p);
	89	gcry_mpi_release (q);
	90
	91	/* lambda equals phi(n) in the simplified key generation */
	92	GNUNET_CRYPTO_mpi_print_unsigned (private_key->lambda,
	93	GNUNET_CRYPTO_PAILLIER_BITS / 8,
	94	phi);
	95	/* mu = phi^{-1} mod n, as we use g = n + 1 */
	96	GNUNET_assert (NULL != (mu = gcry_mpi_new (0)));
	97	GNUNET_assert (0 != gcry_mpi_invm (mu,
	98	phi,
	99	n));
	100	gcry_mpi_release (phi);
	101	gcry_mpi_release (n);
	102	GNUNET_CRYPTO_mpi_print_unsigned (private_key->mu,
	103	GNUNET_CRYPTO_PAILLIER_BITS / 8,
	104	mu);
	105	gcry_mpi_release (mu);
	106	}
	107
	108
	109	/**
	110	* Encrypt a plaintext with a paillier public key.
	111	*
	112	* @param public_key Public key to use.
	113	* @param m Plaintext to encrypt.
	114	* @param desired_ops How many homomorphic ops the caller intends to use
	115	* @param[out] ciphertext Encryption of @a plaintext with @a public_key.
	116	* @return guaranteed number of supported homomorphic operations >= 1,
	117	* or desired_ops, in case that is lower,
	118	* or -1 if less than one homomorphic operation is possible
	119	*/
	120	int
	121	GNUNET_CRYPTO_paillier_encrypt1 (const struct
	122	GNUNET_CRYPTO_PaillierPublicKey *public_key,
	123	const gcry_mpi_t m,
	124	int desired_ops,
	125	struct GNUNET_CRYPTO_PaillierCiphertext *
	126	ciphertext)
	127	{
	128	int possible_opts;
	129	gcry_mpi_t n_square;
	130	gcry_mpi_t r;
	131	gcry_mpi_t c;
	132	gcry_mpi_t n;
	133	gcry_mpi_t tmp1;
	134	gcry_mpi_t tmp2;
	135	unsigned int highbit;
	136
	137	/* determine how many operations we could allow, if the other number
	138	has the same length. */
	139	GNUNET_assert (NULL != (tmp1 = gcry_mpi_set_ui (NULL, 1)));
	140	GNUNET_assert (NULL != (tmp2 = gcry_mpi_set_ui (NULL, 2)));
	141	gcry_mpi_mul_2exp (tmp1, tmp1, GNUNET_CRYPTO_PAILLIER_BITS);
	142
	143	/* count number of possible operations
	144	this would be nicer with gcry_mpi_get_nbits, however it does not return
	145	the BITLENGTH of the given MPI's value, but the bits required
	146	to represent the number as MPI. */
	147	for (possible_opts = -2; gcry_mpi_cmp (tmp1, m) > 0; possible_opts++)
	148	gcry_mpi_div (tmp1, NULL, tmp1, tmp2, 0);
	149	gcry_mpi_release (tmp1);
	150	gcry_mpi_release (tmp2);
	151
	152	if (possible_opts < 1)
	153	possible_opts = 0;
	154	/* soft-cap by caller */
	155	possible_opts = (desired_ops < possible_opts) ? desired_ops : possible_opts;
	156
	157	ciphertext->remaining_ops = htonl (possible_opts);
	158
	159	GNUNET_CRYPTO_mpi_scan_unsigned (&n,
	160	public_key,
	161	sizeof(struct
	162	GNUNET_CRYPTO_PaillierPublicKey));
	163	highbit = GNUNET_CRYPTO_PAILLIER_BITS - 1;
	164	while ((! gcry_mpi_test_bit (n, highbit)) &&
	165	(0 != highbit))
	166	highbit--;
	167	if (0 == highbit)
	168	{
	169	/* invalid public key */
	170	GNUNET_break_op (0);
	171	gcry_mpi_release (n);
	172	return GNUNET_SYSERR;
	173	}
	174	GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
	175	GNUNET_assert (0 != (r = gcry_mpi_new (0)));
	176	GNUNET_assert (0 != (c = gcry_mpi_new (0)));
	177	gcry_mpi_mul (n_square, n, n);
	178
	179	/* generate r < n (without bias) */
	180	do
	181	{
	182	gcry_mpi_randomize (r, highbit + 1, GCRY_STRONG_RANDOM);
	183	}
	184	while (gcry_mpi_cmp (r, n) >= 0);
	185
	186	/* c = (n+1)^m mod n^2 */
	187	/* c = n + 1 */
	188	gcry_mpi_add_ui (c, n, 1);
	189	/* c = (n+1)^m mod n^2 */
	190	gcry_mpi_powm (c, c, m, n_square);
	191	/* r <- r^n mod n^2 */
	192	gcry_mpi_powm (r, r, n, n_square);
	193	/* c <- rc mod n^2 /
	194	gcry_mpi_mulm (c, r, c, n_square);
	195
	196	GNUNET_CRYPTO_mpi_print_unsigned (ciphertext->bits,
	197	sizeof ciphertext->bits,
	198	c);
	199
	200	gcry_mpi_release (n_square);
	201	gcry_mpi_release (n);
	202	gcry_mpi_release (r);
	203	gcry_mpi_release (c);
	204
	205	return possible_opts;
	206	}
	207
	208
	209	/**
	210	* Encrypt a plaintext with a paillier public key.
	211	*
	212	* @param public_key Public key to use.
	213	* @param m Plaintext to encrypt.
	214	* @param desired_ops How many homomorphic ops the caller intends to use
	215	* @param[out] ciphertext Encryption of @a plaintext with @a public_key.
	216	* @return guaranteed number of supported homomorphic operations >= 1,
	217	* or desired_ops, in case that is lower,
	218	* or -1 if less than one homomorphic operation is possible
	219	*/
	220	int
	221	GNUNET_CRYPTO_paillier_encrypt (const struct
	222	GNUNET_CRYPTO_PaillierPublicKey *public_key,
	223	const gcry_mpi_t m,
	224	int desired_ops,
	225	struct GNUNET_CRYPTO_PaillierCiphertext *
	226	ciphertext)
	227	{
	228	int possible_opts;
	229	gcry_mpi_t n_square;
	230	gcry_mpi_t r;
	231	gcry_mpi_t rn;
	232	gcry_mpi_t g;
	233	gcry_mpi_t gm;
	234	gcry_mpi_t c;
	235	gcry_mpi_t n;
	236	gcry_mpi_t max_num;
	237	unsigned int highbit;
	238
	239	/* set max_num = 2^{GNUNET_CRYPTO_PAILLIER_BITS}, the largest
	240	number we can have as a result */
	241	GNUNET_assert (NULL != (max_num = gcry_mpi_set_ui (NULL, 1)));
	242	gcry_mpi_mul_2exp (max_num,
	243	max_num,
	244	GNUNET_CRYPTO_PAILLIER_BITS);
	245
	246	/* Determine how many operations we could allow, assuming the other
	247	number has the same length (or is smaller), by counting the
	248	number of possible operations. We essentially divide max_num by
	249	2 until the result is no longer larger than 'm', incrementing the
	250	maximum number of operations in each round, starting at -2 */for (possible_opts = -2; gcry_mpi_cmp (max_num, m) > 0; possible_opts++)
	251	gcry_mpi_div (max_num,
	252	NULL,
	253	max_num,
	254	GCRYMPI_CONST_TWO,
	255	0);
	256	gcry_mpi_release (max_num);
	257
	258	if (possible_opts < 1)
	259	possible_opts = 0;
	260	/* Enforce soft-cap by caller */
	261	possible_opts = GNUNET_MIN (desired_ops, possible_opts);
	262	ciphertext->remaining_ops = htonl (possible_opts);
	263
	264	GNUNET_CRYPTO_mpi_scan_unsigned (&n,
	265	public_key,
	266	sizeof(struct
	267	GNUNET_CRYPTO_PaillierPublicKey));
	268
	269	/* check public key for number of bits, bail out if key is all zeros */
	270	highbit = GNUNET_CRYPTO_PAILLIER_BITS - 1;
	271	while ((! gcry_mpi_test_bit (n, highbit)) &&
	272	(0 != highbit))
	273	highbit--;
	274	if (0 == highbit)
	275	{
	276	/* invalid public key */
	277	GNUNET_break_op (0);
	278	gcry_mpi_release (n);
	279	return GNUNET_SYSERR;
	280	}
	281
	282	/* generate r < n (without bias) */
	283	GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
	284	do
	285	{
	286	gcry_mpi_randomize (r, highbit + 1, GCRY_STRONG_RANDOM);
	287	}
	288	while (gcry_mpi_cmp (r, n) >= 0);
	289
	290	/* g = n + 1 */
	291	GNUNET_assert (0 != (g = gcry_mpi_new (0)));
	292	gcry_mpi_add_ui (g, n, 1);
	293
	294	/* n_square = n^2 */
	295	GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
	296	gcry_mpi_mul (n_square,
	297	n,
	298	n);
	299
	300	/* gm = g^m mod n^2 */
	301	GNUNET_assert (0 != (gm = gcry_mpi_new (0)));
	302	gcry_mpi_powm (gm, g, m, n_square);
	303	gcry_mpi_release (g);
	304
	305	/* rn <- r^n mod n^2 */
	306	GNUNET_assert (0 != (rn = gcry_mpi_new (0)));
	307	gcry_mpi_powm (rn, r, n, n_square);
	308	gcry_mpi_release (r);
	309	gcry_mpi_release (n);
	310
	311	/* c <- rn * gm mod n^2 */
	312	GNUNET_assert (0 != (c = gcry_mpi_new (0)));
	313	gcry_mpi_mulm (c, rn, gm, n_square);
	314	gcry_mpi_release (n_square);
	315	gcry_mpi_release (gm);
	316	gcry_mpi_release (rn);
	317
	318	GNUNET_CRYPTO_mpi_print_unsigned (ciphertext->bits,
	319	sizeof(ciphertext->bits),
	320	c);
	321	gcry_mpi_release (c);
	322
	323	return possible_opts;
	324	}
	325
	326
	327	void
	328	GNUNET_CRYPTO_paillier_decrypt (const struct
	329	GNUNET_CRYPTO_PaillierPrivateKey *private_key,
	330	const struct
	331	GNUNET_CRYPTO_PaillierPublicKey *public_key,
	332	const struct
	333	GNUNET_CRYPTO_PaillierCiphertext *ciphertext,
	334	gcry_mpi_t m)
	335	{
	336	gcry_mpi_t mu;
	337	gcry_mpi_t lambda;
	338	gcry_mpi_t n;
	339	gcry_mpi_t n_square;
	340	gcry_mpi_t c;
	341	gcry_mpi_t cmu;
	342	gcry_mpi_t cmum1;
	343	gcry_mpi_t mod;
	344
	345	GNUNET_CRYPTO_mpi_scan_unsigned (&lambda,
	346	private_key->lambda,
	347	sizeof(private_key->lambda));
	348	GNUNET_CRYPTO_mpi_scan_unsigned (&mu,
	349	private_key->mu,
	350	sizeof(private_key->mu));
	351	GNUNET_CRYPTO_mpi_scan_unsigned (&n,
	352	public_key,
	353	sizeof(struct
	354	GNUNET_CRYPTO_PaillierPublicKey));
	355	GNUNET_CRYPTO_mpi_scan_unsigned (&c,
	356	ciphertext->bits,
	357	sizeof(ciphertext->bits));
	358
	359	/* n_square = n * n */
	360	GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
	361	gcry_mpi_mul (n_square, n, n);
	362
	363	/* cmu = c^lambda mod n^2 */
	364	GNUNET_assert (0 != (cmu = gcry_mpi_new (0)));
	365	gcry_mpi_powm (cmu,
	366	c,
	367	lambda,
	368	n_square);
	369	gcry_mpi_release (n_square);
	370	gcry_mpi_release (lambda);
	371	gcry_mpi_release (c);
	372
	373	/* cmum1 = cmu - 1 */
	374	GNUNET_assert (0 != (cmum1 = gcry_mpi_new (0)));
	375	gcry_mpi_sub_ui (cmum1, cmu, 1);
	376	gcry_mpi_release (cmu);
	377
	378	/* mod = cmum1 / n (mod n) */
	379	GNUNET_assert (0 != (mod = gcry_mpi_new (0)));
	380	gcry_mpi_div (mod, NULL, cmum1, n, 0);
	381	gcry_mpi_release (cmum1);
	382
	383	/* m = mod * mu mod n */
	384	gcry_mpi_mulm (m, mod, mu, n);
	385	gcry_mpi_release (mod);
	386	gcry_mpi_release (mu);
	387	gcry_mpi_release (n);
	388	}
	389
	390
	391	int
	392	GNUNET_CRYPTO_paillier_hom_add (const struct
	393	GNUNET_CRYPTO_PaillierPublicKey *public_key,
	394	const struct
	395	GNUNET_CRYPTO_PaillierCiphertext *c1,
	396	const struct
	397	GNUNET_CRYPTO_PaillierCiphertext *c2,
	398	struct GNUNET_CRYPTO_PaillierCiphertext *result)
	399	{
	400	gcry_mpi_t a;
	401	gcry_mpi_t b;
	402	gcry_mpi_t c;
	403	gcry_mpi_t n;
	404	gcry_mpi_t n_square;
	405	int32_t o1;
	406	int32_t o2;
	407
	408	o1 = (int32_t) ntohl (c1->remaining_ops);
	409	o2 = (int32_t) ntohl (c2->remaining_ops);
	410	if ((0 >= o1) \|\| (0 >= o2))
	411	{
	412	GNUNET_break_op (0);
	413	return GNUNET_SYSERR;
	414	}
	415
	416	GNUNET_CRYPTO_mpi_scan_unsigned (&a,
	417	c1->bits,
	418	sizeof(c1->bits));
	419	GNUNET_CRYPTO_mpi_scan_unsigned (&b,
	420	c2->bits,
	421	sizeof(c2->bits));
	422	GNUNET_CRYPTO_mpi_scan_unsigned (&n,
	423	public_key,
	424	sizeof(struct
	425	GNUNET_CRYPTO_PaillierPublicKey));
	426
	427	/* n_square = n * n */
	428	GNUNET_assert (0 != (n_square = gcry_mpi_new (0)));
	429	gcry_mpi_mul (n_square, n, n);
	430	gcry_mpi_release (n);
	431
	432	/* c = a * b mod n_square */
	433	GNUNET_assert (0 != (c = gcry_mpi_new (0)));
	434	gcry_mpi_mulm (c, a, b, n_square);
	435	gcry_mpi_release (n_square);
	436	gcry_mpi_release (a);
	437	gcry_mpi_release (b);
	438
	439	result->remaining_ops = htonl (GNUNET_MIN (o1, o2) - 1);
	440	GNUNET_CRYPTO_mpi_print_unsigned (result->bits,
	441	sizeof(result->bits),
	442	c);
	443	gcry_mpi_release (c);
	444	return ntohl (result->remaining_ops);
	445	}
	446
	447
	448	/**
	449	* Get the number of remaining supported homomorphic operations.
	450	*
	451	* @param c Paillier cipher text.
	452	* @return the number of remaining homomorphic operations
	453	*/
	454	int
	455	GNUNET_CRYPTO_paillier_hom_get_remaining (const struct
	456	GNUNET_CRYPTO_PaillierCiphertext *c)
	457	{
	458	GNUNET_assert (NULL != c);
	459	return ntohl (c->remaining_ops);
	460	}
	461
	462
	463	/* end of crypto_paillier.c */