use hash to generate challange in ZKPs

1 files changed, 136 insertions, 54 deletions

diff --git a/crypto.c b/crypto.c
index f892e7d..d3da75d 100644
--- a/crypto.c
+++ b/crypto.c
@@ -30,6 +30,32 @@
 #define CURVE "Ed25519"
 
 
+struct zkp_challenge_dl {
+        struct ec_mpi g;
+        struct ec_mpi v;
+        struct ec_mpi a;
+};
+
+struct zkp_challenge_2dle {
+        struct ec_mpi g1;
+        struct ec_mpi g2;
+        struct ec_mpi v;
+        struct ec_mpi w;
+        struct ec_mpi a;
+        struct ec_mpi b;
+};
+
+struct zkp_challenge_0og {
+        struct ec_mpi g;
+        struct ec_mpi alpha;
+        struct ec_mpi beta;
+        struct ec_mpi a1;
+        struct ec_mpi a2;
+        struct ec_mpi b1;
+        struct ec_mpi b2;
+};
+
+
 static gcry_ctx_t       ec_ctx;
 static gcry_mpi_point_t ec_gen;
 static gcry_mpi_point_t ec_zero;
@@ -534,7 +560,6 @@ smc_gen_keyshare (struct AuctionData *ad)
  * @param a2 TODO
  * @param b1 TODO
  * @param b2 TODO
- * @param c TODO
  * @param d1 TODO
  * @param d2 TODO
  * @param r1 TODO
@@ -547,14 +572,13 @@ smc_encrypt_bid (struct AuctionData *ad,
                  gcry_mpi_point_t   a2,
                  gcry_mpi_point_t   b1,
                  gcry_mpi_point_t   b2,
-                 gcry_mpi_t         c,
                  gcry_mpi_t         d1,
                  gcry_mpi_t         d2,
                  gcry_mpi_t         r1,
                  gcry_mpi_t         r2)
 {
         smc_zkp_0og (ad->alpha[ad->i][j], (j == ad->b ? ec_gen : ec_zero), ad->Y,
-                     ad->beta[ad->i][j], a1, a2, b1, b2, c, d1, d2, r1, r2);
+                     ad->beta[ad->i][j], a1, a2, b1, b2, d1, d2, r1, r2);
 }
 
 
@@ -586,7 +610,6 @@ smc_compute_outcome (struct AuctionData *ad)
  * @param g \todo
  * @param x \todo
  * @param a \todo
- * @param c \todo
  * @param r \todo
  */
 void
@@ -594,22 +617,27 @@ smc_zkp_dl (const gcry_mpi_point_t v,
             const gcry_mpi_point_t g,
             const gcry_mpi_t       x,
             const gcry_mpi_point_t a,
-            gcry_mpi_t             c,
             gcry_mpi_t             r)
 {
-        gcry_mpi_t z = gcry_mpi_new (0);
+        struct zkp_challenge_dl challenge;
+        struct brandt_hash_code challhash;
+        gcry_mpi_t              c = gcry_mpi_new (0);
+        gcry_mpi_t              z = gcry_mpi_new (0);
 
         ec_keypair_create_base (a, z, g);
 
-        /* compute challange c */
-        /**\todo: generate c from HASH(g,v,a) and don't output it */
-//      brandt_hash (const void *block, size_t size, struct brandt_hash_code *ret)
-        ec_skey_create (c);
+        /* compute challenge c */
+        ec_point_serialize (&challenge.g, ec_gen);
+        ec_point_serialize (&challenge.v, v);
+        ec_point_serialize (&challenge.a, a);
+        brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+        mpi_parse (c, (struct ec_mpi *)&challhash);
         gcry_mpi_mod (c, c, ec_n);
 
         gcry_mpi_mulm (r, c, x, ec_n);
         gcry_mpi_addm (r, r, z, ec_n);
 
+        gcry_mpi_release (c);
         gcry_mpi_release (z);
 }
 
@@ -620,7 +648,6 @@ smc_zkp_dl (const gcry_mpi_point_t v,
  * @param v \todo
  * @param g \todo
  * @param a \todo
- * @param c \todo
  * @param r \todo
  * @return 0 if the proof is correct, something else otherwise
  */
@@ -628,18 +655,29 @@ int
 smc_zkp_dl_check (const gcry_mpi_point_t v,
                   const gcry_mpi_point_t g,
                   const gcry_mpi_point_t a,
-                  const gcry_mpi_t       c,
                   const gcry_mpi_t       r)
 {
-        int              ret;
-        gcry_mpi_point_t left = gcry_mpi_point_new (0);
-        gcry_mpi_point_t right = gcry_mpi_point_new (0);
+        int                     ret;
+        struct zkp_challenge_dl challenge;
+        struct brandt_hash_code challhash;
+        gcry_mpi_t              c = gcry_mpi_new (0);
+        gcry_mpi_point_t        left = gcry_mpi_point_new (0);
+        gcry_mpi_point_t        right = gcry_mpi_point_new (0);
+
+        /* compute challenge c */
+        ec_point_serialize (&challenge.g, ec_gen);
+        ec_point_serialize (&challenge.v, v);
+        ec_point_serialize (&challenge.a, a);
+        brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+        mpi_parse (c, (struct ec_mpi *)&challhash);
+        gcry_mpi_mod (c, c, ec_n);
 
         gcry_mpi_ec_mul (left, r, g, ec_ctx);
         gcry_mpi_ec_mul (right, c, v, ec_ctx);
         gcry_mpi_ec_add (right, a, right, ec_ctx);
 
         ret = ec_point_cmp (left, right);
+        gcry_mpi_release (c);
         gcry_mpi_point_release (left);
         gcry_mpi_point_release (right);
 
@@ -657,7 +695,6 @@ smc_zkp_dl_check (const gcry_mpi_point_t v,
  * @param x TODO
  * @param a TODO
  * @param b TODO
- * @param c TODO
  * @param r TODO
  */
 void
@@ -668,22 +705,31 @@ smc_zkp_2dle (const gcry_mpi_point_t v,
               const gcry_mpi_t       x,
               gcry_mpi_point_t       a,
               gcry_mpi_point_t       b,
-              gcry_mpi_t             c,
               gcry_mpi_t             r)
 {
-        gcry_mpi_t z = gcry_mpi_new (0);
+        struct zkp_challenge_2dle challenge;
+        struct brandt_hash_code   challhash;
+        gcry_mpi_t                c = gcry_mpi_new (0);
+        gcry_mpi_t                z = gcry_mpi_new (0);
 
         ec_keypair_create_base (a, z, g1);
         gcry_mpi_ec_mul (b, z, g2, ec_ctx);
 
-        /* compute challange c */
-        /* \todo: generate c from HASH(g1,g2,v,w,a,b) and don't output it */
-        ec_skey_create (c);
+        /* compute challenge c */
+        ec_point_serialize (&challenge.g1, g1);
+        ec_point_serialize (&challenge.g2, g2);
+        ec_point_serialize (&challenge.v, v);
+        ec_point_serialize (&challenge.w, w);
+        ec_point_serialize (&challenge.a, a);
+        ec_point_serialize (&challenge.b, b);
+        brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+        mpi_parse (c, (struct ec_mpi *)&challhash);
         gcry_mpi_mod (c, c, ec_n);
 
         gcry_mpi_mulm (r, c, x, ec_n);
         gcry_mpi_addm (r, r, z, ec_n);
 
+        gcry_mpi_release (c);
         gcry_mpi_release (z);
 }
 
@@ -697,7 +743,6 @@ smc_zkp_2dle (const gcry_mpi_point_t v,
  * @param g2 TODO
  * @param a TODO
  * @param b TODO
- * @param c TODO
  * @param r TODO
  * @return TODO
  */
@@ -708,12 +753,25 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
                     const gcry_mpi_point_t g2,
                     const gcry_mpi_point_t a,
                     const gcry_mpi_point_t b,
-                    const gcry_mpi_t       c,
                     const gcry_mpi_t       r)
 {
-        int              ret;
-        gcry_mpi_point_t left = gcry_mpi_point_new (0);
-        gcry_mpi_point_t right = gcry_mpi_point_new (0);
+        int                       ret;
+        struct zkp_challenge_2dle challenge;
+        struct brandt_hash_code   challhash;
+        gcry_mpi_t                c = gcry_mpi_new (0);
+        gcry_mpi_point_t          left = gcry_mpi_point_new (0);
+        gcry_mpi_point_t          right = gcry_mpi_point_new (0);
+
+        /* compute challenge c */
+        ec_point_serialize (&challenge.g1, g1);
+        ec_point_serialize (&challenge.g2, g2);
+        ec_point_serialize (&challenge.v, v);
+        ec_point_serialize (&challenge.w, w);
+        ec_point_serialize (&challenge.a, a);
+        ec_point_serialize (&challenge.b, b);
+        brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+        mpi_parse (c, (struct ec_mpi *)&challhash);
+        gcry_mpi_mod (c, c, ec_n);
 
         gcry_mpi_ec_mul (left, r, g1, ec_ctx);
         gcry_mpi_ec_mul (right, c, v, ec_ctx);
@@ -725,6 +783,7 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
         gcry_mpi_ec_add (right, b, right, ec_ctx);
         ret |= ec_point_cmp (left, right);
 
+        gcry_mpi_release (c);
         gcry_mpi_point_release (left);
         gcry_mpi_point_release (right);
 
@@ -743,7 +802,6 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
  * @param a2 TODO
  * @param b1 TODO
  * @param b2 TODO
- * @param c TODO
  * @param d1 TODO
  * @param d2 TODO
  * @param r1 TODO
@@ -758,16 +816,18 @@ smc_zkp_0og (gcry_mpi_point_t       alpha,
              gcry_mpi_point_t       a2,
              gcry_mpi_point_t       b1,
              gcry_mpi_point_t       b2,
-             gcry_mpi_t             c,
              gcry_mpi_t             d1,
              gcry_mpi_t             d2,
              gcry_mpi_t             r1,
              gcry_mpi_t             r2)
 {
-        gcry_mpi_t r = gcry_mpi_new (0);
-        gcry_mpi_t w = gcry_mpi_new (0);
-        int        eq0 = !ec_point_cmp (m, ec_zero);
-        int        eqg = !ec_point_cmp (m, ec_gen);
+        struct zkp_challenge_0og challenge;
+        struct brandt_hash_code  challhash;
+        gcry_mpi_t               c = gcry_mpi_new (0);
+        gcry_mpi_t               r = gcry_mpi_new (0);
+        gcry_mpi_t               w = gcry_mpi_new (0);
+        int                      eq0 = !ec_point_cmp (m, ec_zero);
+        int                      eqg = !ec_point_cmp (m, ec_gen);
 
         if (!(eq0 ^ eqg))
                 eprintf ("zero knowledge proof: m is neither 0 nor g");
@@ -802,18 +862,6 @@ smc_zkp_0og (gcry_mpi_point_t       alpha,
 
                 /* b2 = w * y */
                 gcry_mpi_ec_mul (b2, w, y, ec_ctx);
-
-                /* compute challange c */
-                /* \todo: generate c from HASH(alpha,beta,a1,b1,a2,b2) and don't output it */
-                ec_skey_create (c);
-                gcry_mpi_mod (c, c, ec_n);
-
-                /* d2 = c - d1 */
-                gcry_mpi_subm (d2, c, d1, ec_n);
-
-                /* r2 = w - r*d2 */
-                gcry_mpi_mulm (r2, r, d2, ec_n);
-                gcry_mpi_subm (r2, w, r2, ec_n);
         }
         else
         {   /* m == g */
@@ -838,12 +886,31 @@ smc_zkp_0og (gcry_mpi_point_t       alpha,
 
                 /* b1 = w * y */
                 gcry_mpi_ec_mul (b1, w, y, ec_ctx);
+        }
 
-                /* compute challange c */
-                /* \todo: generate c from HASH(alpha,beta,a1,b1,a2,b2) and don't output it */
-                ec_skey_create (c);
-                gcry_mpi_mod (c, c, ec_n);
+        /* compute challenge c */
+        ec_point_serialize (&challenge.g, ec_gen);
+        ec_point_serialize (&challenge.alpha, alpha);
+        ec_point_serialize (&challenge.beta, beta);
+        ec_point_serialize (&challenge.a1, a1);
+        ec_point_serialize (&challenge.a2, a2);
+        ec_point_serialize (&challenge.b1, b1);
+        ec_point_serialize (&challenge.b2, b2);
+        brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+        mpi_parse (c, (struct ec_mpi *)&challhash);
+        gcry_mpi_mod (c, c, ec_n);
 
+        if (eq0)
+        {   /* m == 0 */
+                /* d2 = c - d1 */
+                gcry_mpi_subm (d2, c, d1, ec_n);
+
+                /* r2 = w - r*d2 */
+                gcry_mpi_mulm (r2, r, d2, ec_n);
+                gcry_mpi_subm (r2, w, r2, ec_n);
+        }
+        else
+        {   /* m == g */
                 /* d1 = c - d2 */
                 gcry_mpi_subm (d1, c, d2, ec_n);
 
@@ -852,6 +919,7 @@ smc_zkp_0og (gcry_mpi_point_t       alpha,
                 gcry_mpi_subm (r1, w, r1, ec_n);
         }
 
+        gcry_mpi_release (c);
         gcry_mpi_release (r);
         gcry_mpi_release (w);
 }
@@ -867,7 +935,6 @@ smc_zkp_0og (gcry_mpi_point_t       alpha,
  * @param a2 TODO
  * @param b1 TODO
  * @param b2 TODO
- * @param c TODO
  * @param d1 TODO
  * @param d2 TODO
  * @param r1 TODO
@@ -882,16 +949,30 @@ smc_zkp_0og_check (const gcry_mpi_point_t alpha,
                    const gcry_mpi_point_t a2,
                    const gcry_mpi_point_t b1,
                    const gcry_mpi_point_t b2,
-                   const gcry_mpi_t       c,
                    const gcry_mpi_t       d1,
                    const gcry_mpi_t       d2,
                    const gcry_mpi_t       r1,
                    const gcry_mpi_t       r2)
 {
-        int              ret;
-        gcry_mpi_t       sum = gcry_mpi_new (0);
-        gcry_mpi_point_t right = gcry_mpi_point_new (0);
-        gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
+        int                      ret;
+        struct zkp_challenge_0og challenge;
+        struct brandt_hash_code  challhash;
+        gcry_mpi_t               c = gcry_mpi_new (0);
+        gcry_mpi_t               sum = gcry_mpi_new (0);
+        gcry_mpi_point_t         right = gcry_mpi_point_new (0);
+        gcry_mpi_point_t         tmp = gcry_mpi_point_new (0);
+
+        /* compute challenge c */
+        ec_point_serialize (&challenge.g, ec_gen);
+        ec_point_serialize (&challenge.alpha, alpha);
+        ec_point_serialize (&challenge.beta, beta);
+        ec_point_serialize (&challenge.a1, a1);
+        ec_point_serialize (&challenge.a2, a2);
+        ec_point_serialize (&challenge.b1, b1);
+        ec_point_serialize (&challenge.b2, b2);
+        brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+        mpi_parse (c, (struct ec_mpi *)&challhash);
+        gcry_mpi_mod (c, c, ec_n);
 
         /* c == d1 + d2 */
         gcry_mpi_addm (sum, d1, d2, ec_n);
@@ -922,6 +1003,7 @@ smc_zkp_0og_check (const gcry_mpi_point_t alpha,
         gcry_mpi_ec_add (right, right, tmp, ec_ctx);
         ret |= ec_point_cmp (b2, right) << 4;
 
+        gcry_mpi_release (c);
         gcry_mpi_release (sum);
         gcry_mpi_point_release (right);
         gcry_mpi_point_release (tmp);