2 This file is part of GNUnet.
3 Copyright (C) 2013 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file secretsharing/gnunet-service-secretsharing.c
23 * @brief secret sharing service
24 * @author Florian Dold
27 #include "gnunet_util_lib.h"
28 #include "gnunet_time_lib.h"
29 #include "gnunet_signatures.h"
30 #include "gnunet_consensus_service.h"
31 #include "secretsharing.h"
32 #include "secretsharing_protocol.h"
36 #define EXTRA_CHECKS 1
40 * Info about a peer in a key generation session.
45 * Peer identity of the peer.
47 struct GNUNET_PeerIdentity peer;
50 * The peer's paillier public key.
51 * Freshly generated for each keygen session.
53 struct GNUNET_CRYPTO_PaillierPublicKey paillier_public_key;
56 * The peer's commitment to its presecret.
58 gcry_mpi_t presecret_commitment;
61 * Commitment to the preshare that is
62 * intended for our peer.
64 gcry_mpi_t preshare_commitment;
67 * Sigma (exponentiated share) for this peer.
72 * Did we successfully receive the round1 element
78 * Did we successfully receive the round2 element
86 * Information about a peer in a decrypt session.
88 struct DecryptPeerInfo
91 * Identity of the peer.
93 struct GNUNET_PeerIdentity peer;
96 * Original index in the key generation round.
97 * Necessary for computing the lagrange coefficients.
99 unsigned int original_index;
102 * Set to the partial decryption of
103 * this peer, or NULL if we did not
104 * receive a partial decryption from this
105 * peer or the zero knowledge proof failed.
107 gcry_mpi_t partial_decryption;
112 * State we keep per client.
118 * Session to establish a threshold-shared secret.
123 * Current consensus, used for both DKG rounds.
125 struct GNUNET_CONSENSUS_Handle *consensus;
128 * Which client is this for?
130 struct ClientState *cs;
133 * Randomly generated coefficients of the polynomial for sharing our
134 * pre-secret, where 'preshares[0]' is our pre-secret. Contains 'threshold'
135 * elements, thus represents a polynomial of degree 'threshold-1', which can
136 * be interpolated with 'threshold' data points.
138 * The pre-secret-shares 'i=1,...,num_peers' are given by evaluating this
139 * polyomial at 'i' for share i.
141 gcry_mpi_t *presecret_polynomial;
144 * Minimum number of shares required to restore the secret.
145 * Also the number of coefficients for the polynomial representing
146 * the sharing. Obviously, the polynomial then has degree threshold-1.
148 unsigned int threshold;
151 * Total number of peers.
153 unsigned int num_peers;
156 * Index of the local peer.
158 unsigned int local_peer;
161 * Information about all participating peers.
162 * Array of size 'num_peers'.
164 struct KeygenPeerInfo *info;
167 * List of all peers involved in the secret sharing session.
169 struct GNUNET_PeerIdentity *peers;
172 * Identifier for this session.
174 struct GNUNET_HashCode session_id;
177 * Paillier private key of our peer.
179 struct GNUNET_CRYPTO_PaillierPrivateKey paillier_private_key;
182 * When would we like the key to be established?
184 struct GNUNET_TIME_Absolute deadline;
187 * When does the DKG start? Necessary to compute fractions of the
188 * operation's desired time interval.
190 struct GNUNET_TIME_Absolute start_time;
193 * Index of the local peer in the ordered list
194 * of peers in the session.
196 unsigned int local_peer_idx;
199 * Share of our peer. Once preshares from other peers are received, they
200 * will be added to 'my'share.
205 * Public key, will be updated when a round2 element arrives.
207 gcry_mpi_t public_key;
212 * Session to cooperatively decrypt a value.
214 struct DecryptSession
217 * Handle to the consensus over partial decryptions.
219 struct GNUNET_CONSENSUS_Handle *consensus;
222 * Which client is this for?
224 struct ClientState *cs;
227 * When should we start communicating for decryption?
229 struct GNUNET_TIME_Absolute start;
232 * When would we like the ciphertext to be
235 struct GNUNET_TIME_Absolute deadline;
238 * Ciphertext we want to decrypt.
240 struct GNUNET_SECRETSHARING_Ciphertext ciphertext;
243 * Share of the local peer.
244 * Containts other important information, such as
245 * the list of other peers.
247 struct GNUNET_SECRETSHARING_Share *share;
250 * State information about other peers.
252 struct DecryptPeerInfo *info;
257 * State we keep per client.
262 * Decrypt session of the client, if any.
264 struct DecryptSession *decrypt_session;
267 * Keygen session of the client, if any.
269 struct KeygenSession *keygen_session;
272 * Client this is about.
274 struct GNUNET_SERVICE_Client *client;
277 * MQ to talk to @a client.
279 struct GNUNET_MQ_Handle *mq;
284 * The ElGamal prime field order as libgcrypt mpi.
285 * Initialized in #init_crypto_constants.
287 static gcry_mpi_t elgamal_q;
290 * Modulus of the prime field used for ElGamal.
291 * Initialized in #init_crypto_constants.
293 static gcry_mpi_t elgamal_p;
296 * Generator for prime field of order 'elgamal_q'.
297 * Initialized in #init_crypto_constants.
299 static gcry_mpi_t elgamal_g;
302 * Peer that runs this service.
304 static struct GNUNET_PeerIdentity my_peer;
307 * Peer that runs this service.
309 static struct GNUNET_CRYPTO_EddsaPrivateKey *my_peer_private_key;
312 * Configuration of this service.
314 static const struct GNUNET_CONFIGURATION_Handle *cfg;
318 * Get the peer info belonging to a peer identity in a keygen session.
320 * @param ks The keygen session.
321 * @param peer The peer identity.
322 * @return The Keygen peer info, or NULL if the peer could not be found.
324 static struct KeygenPeerInfo *
325 get_keygen_peer_info (const struct KeygenSession *ks,
326 const struct GNUNET_PeerIdentity *peer)
330 for (i = 0; i < ks->num_peers; i++)
331 if (0 == GNUNET_memcmp (peer, &ks->info[i].peer))
338 * Get the peer info belonging to a peer identity in a decrypt session.
340 * @param ds The decrypt session.
341 * @param peer The peer identity.
342 * @return The decrypt peer info, or NULL if the peer could not be found.
344 static struct DecryptPeerInfo *
345 get_decrypt_peer_info (const struct DecryptSession *ds,
346 const struct GNUNET_PeerIdentity *peer)
350 for (i = 0; i < ds->share->num_peers; i++)
351 if (0 == GNUNET_memcmp (peer, &ds->info[i].peer))
358 * Interpolate between two points in time.
360 * @param start start time
361 * @param end end time
362 * @param num numerator of the scale factor
363 * @param denum denumerator of the scale factor
365 static struct GNUNET_TIME_Absolute
366 time_between (struct GNUNET_TIME_Absolute start,
367 struct GNUNET_TIME_Absolute end,
370 struct GNUNET_TIME_Absolute result;
373 GNUNET_assert (start.abs_value_us <= end.abs_value_us);
374 diff = end.abs_value_us - start.abs_value_us;
375 result.abs_value_us = start.abs_value_us + ((diff * num) / denum);
382 * Compare two peer identities. Indended to be used with qsort or bsearch.
384 * @param p1 Some peer identity.
385 * @param p2 Some peer identity.
386 * @return 1 if p1 > p2, -1 if p1 < p2 and 0 if p1 == p2.
389 peer_id_cmp (const void *p1, const void *p2)
393 sizeof(struct GNUNET_PeerIdentity));
398 * Get the index of a peer in an array of peers
400 * @param haystack Array of peers.
401 * @param n Size of @a haystack.
402 * @param needle Peer to find
403 * @return Index of @a needle in @a haystack, or -1 if peer
404 * is not in the list.
407 peer_find (const struct GNUNET_PeerIdentity *haystack, unsigned int n,
408 const struct GNUNET_PeerIdentity *needle)
412 for (i = 0; i < n; i++)
413 if (0 == GNUNET_memcmp (&haystack[i],
421 * Normalize the given list of peers, by including the local peer
422 * (if it is missing) and sorting the peers by their identity.
424 * @param listed Peers in the unnormalized list.
425 * @param num_listed Peers in the un-normalized list.
426 * @param[out] num_normalized Number of peers in the normalized list.
427 * @param[out] my_peer_idx Index of the local peer in the normalized list.
428 * @return Normalized list, must be free'd by the caller.
430 static struct GNUNET_PeerIdentity *
431 normalize_peers (struct GNUNET_PeerIdentity *listed,
432 unsigned int num_listed,
433 unsigned int *num_normalized,
434 unsigned int *my_peer_idx)
436 unsigned int local_peer_in_list;
437 /* number of peers in the normalized list */
439 struct GNUNET_PeerIdentity *normalized;
441 local_peer_in_list = GNUNET_YES;
443 if (peer_find (listed, num_listed, &my_peer) < 0)
445 local_peer_in_list = GNUNET_NO;
449 normalized = GNUNET_new_array (n,
450 struct GNUNET_PeerIdentity);
452 if (GNUNET_NO == local_peer_in_list)
453 normalized[n - 1] = my_peer;
455 GNUNET_memcpy (normalized,
457 num_listed * sizeof(struct GNUNET_PeerIdentity));
460 sizeof(struct GNUNET_PeerIdentity),
463 if (NULL != my_peer_idx)
464 *my_peer_idx = peer_find (normalized, n, &my_peer);
465 if (NULL != num_normalized)
473 * Get a the j-th lagrange coefficient for a set of indices.
475 * @param[out] coeff the lagrange coefficient
476 * @param j lagrange coefficient we want to compute
477 * @param indices indices
478 * @param num number of indices in @a indices
481 compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
482 unsigned int *indices,
490 /* temp value for l-j */
493 GNUNET_assert (0 != coeff);
495 GNUNET_assert (0 != (n = gcry_mpi_new (0)));
496 GNUNET_assert (0 != (d = gcry_mpi_new (0)));
497 GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
499 gcry_mpi_set_ui (n, 1);
500 gcry_mpi_set_ui (d, 1);
502 for (i = 0; i < num; i++)
504 unsigned int l = indices[i];
507 gcry_mpi_mul_ui (n, n, l + 1);
509 gcry_mpi_set_ui (tmp, l + 1);
510 gcry_mpi_sub_ui (tmp, tmp, j + 1);
511 gcry_mpi_mul (d, d, tmp);
514 // gcry_mpi_invm does not like negative numbers ...
515 gcry_mpi_mod (d, d, elgamal_q);
517 GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0);
519 // now we do the actual division, with everything mod q, as we
520 // are not operating on elements from <g>, but on exponents
521 GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q));
523 gcry_mpi_mulm (coeff, n, d, elgamal_q);
525 gcry_mpi_release (n);
526 gcry_mpi_release (d);
527 gcry_mpi_release (tmp);
532 * Destroy a decrypt session, removing it from
533 * the linked list of decrypt sessions.
535 * @param ds decrypt session to destroy
538 decrypt_session_destroy (struct DecryptSession *ds)
540 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
541 "destroying decrypt session\n");
544 ds->cs->decrypt_session = NULL;
547 if (NULL != ds->consensus)
549 GNUNET_CONSENSUS_destroy (ds->consensus);
550 ds->consensus = NULL;
553 if (NULL != ds->info)
555 for (unsigned int i = 0; i < ds->share->num_peers; i++)
557 if (NULL != ds->info[i].partial_decryption)
559 gcry_mpi_release (ds->info[i].partial_decryption);
560 ds->info[i].partial_decryption = NULL;
563 GNUNET_free (ds->info);
566 if (NULL != ds->share)
568 GNUNET_SECRETSHARING_share_destroy (ds->share);
577 keygen_info_destroy (struct KeygenPeerInfo *info)
579 if (NULL != info->sigma)
581 gcry_mpi_release (info->sigma);
584 if (NULL != info->presecret_commitment)
586 gcry_mpi_release (info->presecret_commitment);
587 info->presecret_commitment = NULL;
589 if (NULL != info->preshare_commitment)
591 gcry_mpi_release (info->preshare_commitment);
592 info->preshare_commitment = NULL;
598 keygen_session_destroy (struct KeygenSession *ks)
600 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
601 "destroying keygen session\n");
605 ks->cs->keygen_session = NULL;
608 if (NULL != ks->info)
610 for (unsigned int i = 0; i < ks->num_peers; i++)
611 keygen_info_destroy (&ks->info[i]);
612 GNUNET_free (ks->info);
616 if (NULL != ks->consensus)
618 GNUNET_CONSENSUS_destroy (ks->consensus);
619 ks->consensus = NULL;
622 if (NULL != ks->presecret_polynomial)
624 for (unsigned int i = 0; i < ks->threshold; i++)
626 GNUNET_assert (NULL != ks->presecret_polynomial[i]);
627 gcry_mpi_release (ks->presecret_polynomial[i]);
628 ks->presecret_polynomial[i] = NULL;
630 GNUNET_free (ks->presecret_polynomial);
631 ks->presecret_polynomial = NULL;
633 if (NULL != ks->my_share)
635 gcry_mpi_release (ks->my_share);
638 if (NULL != ks->public_key)
640 gcry_mpi_release (ks->public_key);
641 ks->public_key = NULL;
643 if (NULL != ks->peers)
645 GNUNET_free (ks->peers);
653 * Task run during shutdown.
659 cleanup_task (void *cls)
666 * Generate the random coefficients of our pre-secret polynomial
668 * @param ks the session
671 generate_presecret_polynomial (struct KeygenSession *ks)
676 GNUNET_assert (NULL == ks->presecret_polynomial);
677 ks->presecret_polynomial = GNUNET_new_array (ks->threshold,
679 for (i = 0; i < ks->threshold; i++)
681 v = ks->presecret_polynomial[i] = gcry_mpi_new (
682 GNUNET_SECRETSHARING_ELGAMAL_BITS);
683 GNUNET_assert (NULL != v);
684 // Randomize v such that 0 < v < elgamal_q.
685 // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
688 gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
691 while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
697 * Consensus element handler for round one.
698 * We should get one ephemeral key for each peer.
700 * @param cls Closure (keygen session).
701 * @param element The element from consensus, or
702 * NULL if consensus failed.
705 keygen_round1_new_element (void *cls,
706 const struct GNUNET_SET_Element *element)
708 const struct GNUNET_SECRETSHARING_KeygenCommitData *d;
709 struct KeygenSession *ks = cls;
710 struct KeygenPeerInfo *info;
714 GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round1 consensus failed\n");
718 /* elements have fixed size */
719 if (element->size != sizeof(struct GNUNET_SECRETSHARING_KeygenCommitData))
721 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
722 "keygen commit data with wrong size (%u) in consensus, %u expected\n",
723 (unsigned int) element->size,
724 (unsigned int) sizeof(struct
725 GNUNET_SECRETSHARING_KeygenCommitData));
729 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n");
732 info = get_keygen_peer_info (ks, &d->peer);
736 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
737 "keygen commit data with wrong peer identity (%s) in consensus\n",
738 GNUNET_i2s (&d->peer));
742 /* Check that the right amount of data has been signed. */
743 if (d->purpose.size !=
744 htonl (element->size - offsetof (struct
745 GNUNET_SECRETSHARING_KeygenCommitData,
748 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
749 "keygen commit data with wrong signature purpose size in consensus\n");
753 if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify (
754 GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1,
755 &d->purpose, &d->signature,
756 &d->peer.public_key))
758 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
759 "keygen commit data with invalid signature in consensus\n");
762 info->paillier_public_key = d->pubkey;
763 GNUNET_CRYPTO_mpi_scan_unsigned (&info->presecret_commitment, &d->commitment,
765 info->round1_valid = GNUNET_YES;
770 * Evaluate the polynomial with coefficients @a coeff at @a x.
771 * The i-th element in @a coeff corresponds to the coefficient of x^i.
773 * @param[out] z result of the evaluation
774 * @param coeff array of coefficients
775 * @param num_coeff number of coefficients
776 * @param x where to evaluate the polynomial
777 * @param m what group are we operating in?
780 horner_eval (gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t
785 gcry_mpi_set_ui (z, 0);
786 for (i = 0; i < num_coeff; i++)
789 gcry_mpi_mul (z, z, x);
790 gcry_mpi_addm (z, z, coeff[num_coeff - i - 1], m);
796 keygen_round2_conclude (void *cls)
798 struct KeygenSession *ks = cls;
799 struct GNUNET_SECRETSHARING_SecretReadyMessage *m;
800 struct GNUNET_MQ_Envelope *ev;
804 struct GNUNET_SECRETSHARING_Share *share;
806 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
808 GNUNET_CONSENSUS_destroy (ks->consensus);
809 ks->consensus = NULL;
811 share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
813 share->num_peers = 0;
815 for (i = 0; i < ks->num_peers; i++)
816 if (GNUNET_YES == ks->info[i].round2_valid)
819 share->peers = GNUNET_new_array (share->num_peers,
820 struct GNUNET_PeerIdentity);
822 GNUNET_new_array (share->num_peers,
823 struct GNUNET_SECRETSHARING_FieldElement);
824 share->original_indices = GNUNET_new_array (share->num_peers,
827 /* maybe we're not even in the list of peers? */
828 share->my_peer = share->num_peers;
830 j = 0; /* running index of valid peers */
831 for (i = 0; i < ks->num_peers; i++)
833 if (GNUNET_YES == ks->info[i].round2_valid)
835 share->peers[j] = ks->info[i].peer;
836 GNUNET_CRYPTO_mpi_print_unsigned (&share->sigmas[j],
837 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
839 share->original_indices[i] = j;
840 if (0 == GNUNET_memcmp (&share->peers[i], &my_peer))
846 if (share->my_peer == share->num_peers)
848 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: peer identity not in share\n",
852 GNUNET_CRYPTO_mpi_print_unsigned (&share->my_share,
853 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
855 GNUNET_CRYPTO_mpi_print_unsigned (&share->public_key,
856 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
859 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n",
862 /* Write the share. If 0 peers completed the dkg, an empty
863 * share will be sent. */
865 GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, NULL, 0,
868 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "writing share of size %u\n",
869 (unsigned int) share_size);
871 ev = GNUNET_MQ_msg_extra (m, share_size,
872 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY);
874 GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, &m[1],
878 GNUNET_SECRETSHARING_share_destroy (share);
881 GNUNET_MQ_send (ks->cs->mq,
887 restore_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
888 const struct GNUNET_SECRETSHARING_FairEncryption *fe,
889 gcry_mpi_t x, gcry_mpi_t xres)
906 GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
907 GNUNET_assert (NULL != (t = gcry_mpi_new (0)));
908 GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0)));
909 GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0)));
910 GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
911 GNUNET_assert (NULL != (big_t = gcry_mpi_new (0)));
912 GNUNET_assert (NULL != (v = gcry_mpi_new (0)));
913 GNUNET_assert (NULL != (big_a = gcry_mpi_new (0)));
914 GNUNET_assert (NULL != (big_b = gcry_mpi_new (0)));
917 GNUNET_CRYPTO_mpi_scan_unsigned (&a_1,
920 GNUNET_CRYPTO_PaillierPublicKey));
921 GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0)));
922 gcry_mpi_set_ui (a_2, 0);
924 GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0)));
925 gcry_mpi_set (b_1, x);
926 GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0)));
927 gcry_mpi_set_ui (b_2, 1);
930 gcry_mpi_mul (t, a_1, a_1);
931 gcry_mpi_mul (big_a, a_2, a_2);
932 gcry_mpi_add (big_a, big_a, t);
935 gcry_mpi_mul (t, b_1, b_1);
936 gcry_mpi_mul (big_b, b_2, b_2);
937 gcry_mpi_add (big_b, big_b, t);
942 gcry_mpi_mul (t, a_1, b_1);
943 gcry_mpi_mul (n, a_2, b_2);
944 gcry_mpi_add (n, n, t);
947 gcry_mpi_div (r, NULL, n, big_b, 0);
949 // T := A - 2rn + rrB
950 gcry_mpi_mul (v, r, n);
951 gcry_mpi_mul_ui (v, v, 2);
952 gcry_mpi_sub (big_t, big_a, v);
953 gcry_mpi_mul (v, r, r);
954 gcry_mpi_mul (v, v, big_b);
955 gcry_mpi_add (big_t, big_t, v);
957 if (gcry_mpi_cmp (big_t, big_b) >= 0)
963 gcry_mpi_mul (v, r, b_1);
964 gcry_mpi_sub (t_1, a_1, v);
965 gcry_mpi_mul (v, r, b_2);
966 gcry_mpi_sub (t_2, a_2, v);
969 gcry_mpi_set (a_1, b_1);
970 gcry_mpi_set (a_2, b_2);
972 gcry_mpi_set (b_1, t_1);
973 gcry_mpi_set (b_2, t_2);
975 gcry_mpi_set (big_a, big_b);
976 gcry_mpi_set (big_b, big_t);
979 gcry_mpi_set (xres, b_2);
980 gcry_mpi_invm (xres, xres, elgamal_q);
981 gcry_mpi_mulm (xres, xres, b_1, elgamal_q);
983 gcry_mpi_release (a_1);
984 gcry_mpi_release (a_2);
985 gcry_mpi_release (b_1);
986 gcry_mpi_release (b_2);
987 gcry_mpi_release (big_a);
988 gcry_mpi_release (big_b);
989 gcry_mpi_release (big_t);
990 gcry_mpi_release (n);
991 gcry_mpi_release (t_1);
992 gcry_mpi_release (t_2);
993 gcry_mpi_release (t);
994 gcry_mpi_release (r);
995 gcry_mpi_release (v);
1000 get_fair_encryption_challenge (const struct
1001 GNUNET_SECRETSHARING_FairEncryption *fe,
1006 struct GNUNET_CRYPTO_PaillierCiphertext c;
1007 char h[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1008 char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1009 char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
1011 struct GNUNET_HashCode e_hash;
1016 GNUNET_memcpy (&hash_data.c, &fe->c, sizeof(struct
1017 GNUNET_CRYPTO_PaillierCiphertext));
1018 GNUNET_memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1019 GNUNET_memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1020 GNUNET_memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
1021 GNUNET_CRYPTO_hash (&hash_data,
1024 /* This allocates "e" */
1025 GNUNET_CRYPTO_mpi_scan_unsigned (e,
1027 sizeof(struct GNUNET_HashCode));
1028 gcry_mpi_mod (*e, *e, elgamal_q);
1033 verify_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
1034 const struct GNUNET_SECRETSHARING_FairEncryption *fe)
1049 GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
1050 GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
1051 GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
1053 get_fair_encryption_challenge (fe,
1054 &e /* this allocates e */);
1056 GNUNET_CRYPTO_mpi_scan_unsigned (&n,
1059 GNUNET_CRYPTO_PaillierPublicKey));
1060 GNUNET_CRYPTO_mpi_scan_unsigned (&t1, fe->t1, GNUNET_CRYPTO_PAILLIER_BITS
1062 GNUNET_CRYPTO_mpi_scan_unsigned (&z, fe->z,
1063 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1064 GNUNET_CRYPTO_mpi_scan_unsigned (&y, fe->h,
1065 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1066 GNUNET_CRYPTO_mpi_scan_unsigned (&w, fe->w, GNUNET_CRYPTO_PAILLIER_BITS / 8);
1067 GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits,
1068 GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
1069 GNUNET_CRYPTO_mpi_scan_unsigned (&t2, fe->t2, GNUNET_CRYPTO_PAILLIER_BITS
1071 gcry_mpi_mul (n_sq, n, n);
1074 gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p);
1076 gcry_mpi_powm (tmp1, y, e, elgamal_p);
1077 gcry_mpi_invm (tmp1, tmp1, elgamal_p);
1078 // tmp1 = tmp1 * tmp2
1079 gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p);
1081 if (0 == gcry_mpi_cmp (t1, tmp1))
1083 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n");
1088 gcry_mpi_powm (big_y, big_y, e, n_sq);
1089 gcry_mpi_invm (big_y, big_y, n_sq);
1091 gcry_mpi_add_ui (tmp1, n, 1);
1092 gcry_mpi_powm (tmp1, tmp1, z, n_sq);
1094 gcry_mpi_powm (tmp2, w, n, n_sq);
1096 gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq);
1097 gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq);
1100 if (0 == gcry_mpi_cmp (t2, tmp1))
1102 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n");
1111 gcry_mpi_release (n);
1112 gcry_mpi_release (n_sq);
1113 gcry_mpi_release (z);
1114 gcry_mpi_release (t1);
1115 gcry_mpi_release (t2);
1116 gcry_mpi_release (e);
1117 gcry_mpi_release (w);
1118 gcry_mpi_release (tmp1);
1119 gcry_mpi_release (tmp2);
1120 gcry_mpi_release (y);
1121 gcry_mpi_release (big_y);
1127 * Create a fair Paillier encryption of then given ciphertext.
1129 * @param v the ciphertext
1130 * @param[out] fe the fair encryption
1133 encrypt_fair (gcry_mpi_t v,
1134 const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
1135 struct GNUNET_SECRETSHARING_FairEncryption *fe)
1151 GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
1152 GNUNET_assert (NULL != (s = gcry_mpi_new (0)));
1153 GNUNET_assert (NULL != (t1 = gcry_mpi_new (0)));
1154 GNUNET_assert (NULL != (t2 = gcry_mpi_new (0)));
1155 GNUNET_assert (NULL != (z = gcry_mpi_new (0)));
1156 GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
1157 GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
1158 GNUNET_assert (NULL != (u = gcry_mpi_new (0)));
1159 GNUNET_assert (NULL != (Y = gcry_mpi_new (0)));
1160 GNUNET_assert (NULL != (G = gcry_mpi_new (0)));
1161 GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
1163 GNUNET_CRYPTO_mpi_scan_unsigned (&n,
1166 GNUNET_CRYPTO_PaillierPublicKey));
1167 gcry_mpi_mul (n_sq, n, n);
1168 gcry_mpi_add_ui (G, n, 1);
1172 gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
1174 while (gcry_mpi_cmp (u, n) >= 0);
1176 gcry_mpi_powm (t1, G, v, n_sq);
1177 gcry_mpi_powm (t2, u, n, n_sq);
1178 gcry_mpi_mulm (Y, t1, t2, n_sq);
1180 GNUNET_CRYPTO_mpi_print_unsigned (fe->c.bits,
1185 gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM);
1188 gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
1190 while (gcry_mpi_cmp (s, n) >= 0);
1193 gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p);
1194 // compute t2 (use z and w as temp)
1195 gcry_mpi_powm (z, G, r, n_sq);
1196 gcry_mpi_powm (w, s, n, n_sq);
1197 gcry_mpi_mulm (t2, z, w, n_sq);
1200 gcry_mpi_powm (h, elgamal_g, v, elgamal_p);
1202 GNUNET_CRYPTO_mpi_print_unsigned (fe->h,
1203 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1206 GNUNET_CRYPTO_mpi_print_unsigned (fe->t1,
1207 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1210 GNUNET_CRYPTO_mpi_print_unsigned (fe->t2,
1211 GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8,
1214 get_fair_encryption_challenge (fe,
1215 &e /* This allocates "e" */);
1218 gcry_mpi_mul (z, e, v);
1219 gcry_mpi_addm (z, z, r, elgamal_q);
1221 gcry_mpi_powm (w, u, e, n);
1222 gcry_mpi_mulm (w, w, s, n);
1224 GNUNET_CRYPTO_mpi_print_unsigned (fe->z,
1225 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1228 GNUNET_CRYPTO_mpi_print_unsigned (fe->w,
1229 GNUNET_CRYPTO_PAILLIER_BITS / 8,
1232 gcry_mpi_release (n);
1233 gcry_mpi_release (r);
1234 gcry_mpi_release (s);
1235 gcry_mpi_release (t1);
1236 gcry_mpi_release (t2);
1237 gcry_mpi_release (z);
1238 gcry_mpi_release (w);
1239 gcry_mpi_release (e);
1240 gcry_mpi_release (n_sq);
1241 gcry_mpi_release (u);
1242 gcry_mpi_release (Y);
1243 gcry_mpi_release (G);
1244 gcry_mpi_release (h);
1249 * Insert round 2 element in the consensus, consisting of
1250 * (1) The exponentiated pre-share polynomial coefficients A_{i,l}=g^{a_{i,l}}
1251 * (2) The exponentiated pre-shares y_{i,j}=g^{s_{i,j}}
1252 * (3) The encrypted pre-shares Y_{i,j}
1253 * (4) The zero knowledge proof for fairness of
1256 * @param ks session to use
1259 insert_round2_element (struct KeygenSession *ks)
1261 struct GNUNET_SET_Element *element;
1262 struct GNUNET_SECRETSHARING_KeygenRevealData *d;
1264 unsigned char *last_pos;
1265 size_t element_size;
1270 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
1271 ks->local_peer_idx);
1273 GNUNET_assert (NULL != (v = gcry_mpi_new (
1274 GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1275 GNUNET_assert (NULL != (idx = gcry_mpi_new (
1276 GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1278 element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
1279 + sizeof(struct GNUNET_SECRETSHARING_FairEncryption)
1281 + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
1283 element = GNUNET_malloc (sizeof(struct GNUNET_SET_Element) + element_size);
1284 element->size = element_size;
1285 element->data = (void *) &element[1];
1287 d = (void *) element->data;
1290 // start inserting vector elements
1291 // after the fixed part of the element's data
1292 pos = (void *) &d[1];
1293 last_pos = pos + element_size;
1295 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
1296 ks->local_peer_idx);
1298 // encrypted pre-shares
1299 // and fair encryption proof
1301 for (i = 0; i < ks->num_peers; i++)
1303 ptrdiff_t remaining = last_pos - pos;
1304 struct GNUNET_SECRETSHARING_FairEncryption *fe = (void *) pos;
1306 GNUNET_assert (remaining > 0);
1307 memset (fe, 0, sizeof *fe);
1308 if (GNUNET_YES == ks->info[i].round1_valid)
1310 gcry_mpi_set_ui (idx, i + 1);
1311 // evaluate the polynomial
1312 horner_eval (v, ks->presecret_polynomial, ks->threshold, idx,
1314 // encrypt the result
1315 encrypt_fair (v, &ks->info[i].paillier_public_key, fe);
1321 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
1322 ks->local_peer_idx);
1324 // exponentiated coefficients
1325 for (i = 0; i < ks->threshold; i++)
1327 ptrdiff_t remaining = last_pos - pos;
1328 GNUNET_assert (remaining > 0);
1329 gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p);
1330 GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS
1332 pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
1335 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
1336 ks->local_peer_idx);
1339 d->purpose.size = htonl (element_size - offsetof (struct
1340 GNUNET_SECRETSHARING_KeygenRevealData,
1342 d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2);
1343 GNUNET_assert (GNUNET_OK ==
1344 GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
1348 GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
1349 GNUNET_free (element); /* FIXME: maybe stack-allocate instead? */
1351 gcry_mpi_release (v);
1352 gcry_mpi_release (idx);
1357 keygen_reveal_get_exp_coeff (struct KeygenSession *ks,
1359 GNUNET_SECRETSHARING_KeygenRevealData *d,
1363 gcry_mpi_t exp_coeff;
1365 GNUNET_assert (idx < ks->threshold);
1367 pos = (void *) &d[1];
1368 // skip encrypted pre-shares
1369 pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers;
1370 // skip exp. coeffs we are not interested in
1371 pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx;
1372 // the first exponentiated coefficient is the public key share
1373 GNUNET_CRYPTO_mpi_scan_unsigned (&exp_coeff, pos,
1374 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1379 static struct GNUNET_SECRETSHARING_FairEncryption *
1380 keygen_reveal_get_enc_preshare (struct KeygenSession *ks,
1382 GNUNET_SECRETSHARING_KeygenRevealData *d,
1387 GNUNET_assert (idx < ks->num_peers);
1389 pos = (void *) &d[1];
1390 // skip encrypted pre-shares we're not interested in
1391 pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * idx;
1392 return (struct GNUNET_SECRETSHARING_FairEncryption *) pos;
1397 keygen_reveal_get_exp_preshare (struct KeygenSession *ks,
1399 GNUNET_SECRETSHARING_KeygenRevealData *d,
1402 gcry_mpi_t exp_preshare;
1403 struct GNUNET_SECRETSHARING_FairEncryption *fe;
1405 GNUNET_assert (idx < ks->num_peers);
1406 fe = keygen_reveal_get_enc_preshare (ks, d, idx);
1407 GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, fe->h,
1408 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1409 return exp_preshare;
1414 keygen_round2_new_element (void *cls,
1415 const struct GNUNET_SET_Element *element)
1417 struct KeygenSession *ks = cls;
1418 const struct GNUNET_SECRETSHARING_KeygenRevealData *d;
1419 struct KeygenPeerInfo *info;
1420 size_t expected_element_size;
1424 gcry_mpi_t public_key_share;
1425 gcry_mpi_t preshare;
1427 if (NULL == element)
1429 GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round2 consensus failed\n");
1433 expected_element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
1435 GNUNET_SECRETSHARING_FairEncryption)
1437 + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8
1440 if (element->size != expected_element_size)
1442 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1443 "keygen round2 data with wrong size (%u) in consensus, %u expected\n",
1444 (unsigned int) element->size,
1445 (unsigned int) expected_element_size);
1449 d = (const void *) element->data;
1451 info = get_keygen_peer_info (ks, &d->peer);
1455 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1456 "keygen commit data with wrong peer identity (%s) in consensus\n",
1457 GNUNET_i2s (&d->peer));
1461 if (GNUNET_NO == info->round1_valid)
1463 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1464 "ignoring round2 element from peer with invalid round1 element (%s)\n",
1465 GNUNET_i2s (&d->peer));
1469 if (GNUNET_YES == info->round2_valid)
1471 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1472 "ignoring duplicate round2 element (%s)\n",
1473 GNUNET_i2s (&d->peer));
1477 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round2 element\n");
1479 if (ntohl (d->purpose.size) !=
1480 element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData,
1483 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1484 "keygen reveal data with wrong signature purpose size in consensus\n");
1488 if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify (
1489 GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2,
1490 &d->purpose, &d->signature,
1491 &d->peer.public_key))
1493 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1494 "keygen reveal data with invalid signature in consensus\n");
1498 public_key_share = keygen_reveal_get_exp_coeff (ks, d, 0);
1499 info->preshare_commitment = keygen_reveal_get_exp_preshare (ks, d,
1500 ks->local_peer_idx);
1502 if (NULL == ks->public_key)
1504 GNUNET_assert (NULL != (ks->public_key = gcry_mpi_new (0)));
1505 gcry_mpi_set_ui (ks->public_key, 1);
1507 gcry_mpi_mulm (ks->public_key, ks->public_key, public_key_share, elgamal_p);
1509 gcry_mpi_release (public_key_share);
1510 public_key_share = NULL;
1513 struct GNUNET_SECRETSHARING_FairEncryption *fe =
1514 keygen_reveal_get_enc_preshare (ks, d, ks->local_peer_idx);
1515 GNUNET_assert (NULL != (preshare = gcry_mpi_new (0)));
1516 GNUNET_CRYPTO_paillier_decrypt (&ks->paillier_private_key,
1517 &ks->info[ks->local_peer_idx].
1518 paillier_public_key,
1522 // FIXME: not doing the restoration is less expensive
1523 restore_fair (&ks->info[ks->local_peer_idx].paillier_public_key,
1529 GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
1530 gcry_mpi_powm (tmp, elgamal_g, preshare, elgamal_p);
1532 cmp_result = gcry_mpi_cmp (tmp, info->preshare_commitment);
1533 gcry_mpi_release (tmp);
1535 if (0 != cmp_result)
1537 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1538 "P%u: Got invalid presecret from P%u\n",
1539 (unsigned int) ks->local_peer_idx, (unsigned int) (info
1544 if (NULL == ks->my_share)
1546 GNUNET_assert (NULL != (ks->my_share = gcry_mpi_new (0)));
1548 gcry_mpi_addm (ks->my_share, ks->my_share, preshare, elgamal_q);
1550 for (j = 0; j < ks->num_peers; j++)
1552 gcry_mpi_t presigma;
1553 if (NULL == ks->info[j].sigma)
1555 GNUNET_assert (NULL != (ks->info[j].sigma = gcry_mpi_new (0)));
1556 gcry_mpi_set_ui (ks->info[j].sigma, 1);
1558 presigma = keygen_reveal_get_exp_preshare (ks, d, j);
1559 gcry_mpi_mulm (ks->info[j].sigma, ks->info[j].sigma, presigma, elgamal_p);
1560 gcry_mpi_release (presigma);
1564 GNUNET_assert (NULL != (prod = gcry_mpi_new (0)));
1566 GNUNET_assert (NULL != (j_to_k = gcry_mpi_new (0)));
1567 // validate that the polynomial sharing matches the additive sharing
1568 for (j = 0; j < ks->num_peers; j++)
1572 gcry_mpi_t exp_preshare;
1573 gcry_mpi_set_ui (prod, 1);
1574 for (k = 0; k < ks->threshold; k++)
1576 // Using pow(double,double) is a bit sketchy.
1577 // We count players from 1, but shares from 0.
1579 gcry_mpi_set_ui (j_to_k, (unsigned int) pow (j + 1, k));
1580 tmp = keygen_reveal_get_exp_coeff (ks, d, k);
1581 gcry_mpi_powm (tmp, tmp, j_to_k, elgamal_p);
1582 gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
1583 gcry_mpi_release (tmp);
1585 exp_preshare = keygen_reveal_get_exp_preshare (ks, d, j);
1586 gcry_mpi_mod (exp_preshare, exp_preshare, elgamal_p);
1587 cmp_result = gcry_mpi_cmp (prod, exp_preshare);
1588 gcry_mpi_release (exp_preshare);
1589 exp_preshare = NULL;
1590 if (0 != cmp_result)
1592 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1593 "P%u: reveal data from P%u incorrect\n",
1594 ks->local_peer_idx, j);
1595 /* no need for further verification, round2 stays invalid ... */
1600 // TODO: verify proof of fair encryption (once implemented)
1601 for (j = 0; j < ks->num_peers; j++)
1603 struct GNUNET_SECRETSHARING_FairEncryption *fe =
1604 keygen_reveal_get_enc_preshare (ks, d, j);
1605 if (GNUNET_YES != verify_fair (&ks->info[j].paillier_public_key, fe))
1607 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1608 "P%u: reveal data from P%u incorrect (fair encryption)\n",
1609 ks->local_peer_idx, j);
1614 info->round2_valid = GNUNET_YES;
1616 gcry_mpi_release (preshare);
1617 gcry_mpi_release (prod);
1618 gcry_mpi_release (j_to_k);
1623 * Called when the first consensus round has concluded.
1624 * Will initiate the second round.
1626 * @param cls closure
1629 keygen_round1_conclude (void *cls)
1631 struct KeygenSession *ks = cls;
1633 GNUNET_CONSENSUS_destroy (ks->consensus);
1635 ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers,
1637 time_between (ks->start_time,
1638 ks->deadline, 1, 2),
1640 keygen_round2_new_element, ks);
1642 insert_round2_element (ks);
1644 GNUNET_CONSENSUS_conclude (ks->consensus,
1645 keygen_round2_conclude,
1651 * Insert the ephemeral key and the presecret commitment
1652 * of this peer in the consensus of the given session.
1654 * @param ks session to use
1657 insert_round1_element (struct KeygenSession *ks)
1659 struct GNUNET_SET_Element *element;
1660 struct GNUNET_SECRETSHARING_KeygenCommitData *d;
1663 // big-endian representation of 'v'
1664 unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1666 element = GNUNET_malloc (sizeof *element + sizeof *d);
1667 d = (void *) &element[1];
1669 element->size = sizeof *d;
1673 GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1675 gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p);
1677 GNUNET_CRYPTO_mpi_print_unsigned (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS
1680 GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1683 d->pubkey = ks->info[ks->local_peer_idx].paillier_public_key;
1685 d->purpose.size = htonl ((sizeof *d) - offsetof (struct
1686 GNUNET_SECRETSHARING_KeygenCommitData,
1688 d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1);
1689 GNUNET_assert (GNUNET_OK ==
1690 GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
1694 GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
1696 gcry_mpi_release (v);
1697 GNUNET_free (element);
1702 * Check that @a msg is well-formed.
1704 * @param cls identification of the client
1705 * @param msg the actual message
1706 * @return #GNUNET_OK if @a msg is well-formed
1709 check_client_keygen (void *cls,
1710 const struct GNUNET_SECRETSHARING_CreateMessage *msg)
1712 unsigned int num_peers = ntohs (msg->num_peers);
1714 if (ntohs (msg->header.size) - sizeof(*msg) !=
1715 num_peers * sizeof(struct GNUNET_PeerIdentity))
1718 return GNUNET_SYSERR;
1725 * Functions with this signature are called whenever a message is
1728 * @param cls identification of the client
1729 * @param msg the actual message
1732 handle_client_keygen (void *cls,
1733 const struct GNUNET_SECRETSHARING_CreateMessage *msg)
1735 struct ClientState *cs = cls;
1736 struct KeygenSession *ks;
1738 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1739 "client requested key generation\n");
1740 if (NULL != cs->keygen_session)
1743 GNUNET_SERVICE_client_drop (cs->client);
1746 ks = GNUNET_new (struct KeygenSession);
1748 cs->keygen_session = ks;
1749 ks->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline);
1750 ks->threshold = ntohs (msg->threshold);
1751 ks->num_peers = ntohs (msg->num_peers);
1753 ks->peers = normalize_peers ((struct GNUNET_PeerIdentity *) &msg[1],
1756 &ks->local_peer_idx);
1759 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1760 "first round of consensus with %u peers\n",
1762 ks->consensus = GNUNET_CONSENSUS_create (cfg,
1766 GNUNET_TIME_absolute_ntoh (
1768 GNUNET_TIME_absolute_ntoh (
1770 keygen_round1_new_element,
1773 ks->info = GNUNET_new_array (ks->num_peers,
1774 struct KeygenPeerInfo);
1776 for (unsigned int i = 0; i < ks->num_peers; i++)
1777 ks->info[i].peer = ks->peers[i];
1779 GNUNET_CRYPTO_paillier_create (
1780 &ks->info[ks->local_peer_idx].paillier_public_key,
1781 &ks->paillier_private_key);
1783 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1784 "P%u: Generated paillier key pair\n",
1785 ks->local_peer_idx);
1786 generate_presecret_polynomial (ks);
1787 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1788 "P%u: Generated presecret polynomial\n",
1789 ks->local_peer_idx);
1790 insert_round1_element (ks);
1791 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1792 "P%u: Concluding for round 1\n",
1793 ks->local_peer_idx);
1794 GNUNET_CONSENSUS_conclude (ks->consensus,
1795 keygen_round1_conclude,
1797 GNUNET_SERVICE_client_continue (cs->client);
1798 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1799 "P%u: Waiting for round 1 elements ...\n",
1800 ks->local_peer_idx);
1805 * Called when the partial decryption consensus concludes.
1808 decrypt_conclude (void *cls)
1810 struct DecryptSession *ds = cls;
1811 struct GNUNET_SECRETSHARING_DecryptResponseMessage *msg;
1812 struct GNUNET_MQ_Envelope *ev;
1813 gcry_mpi_t lagrange;
1818 unsigned int *indices;
1823 GNUNET_CONSENSUS_destroy (ds->consensus);
1824 ds->consensus = NULL;
1826 GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
1827 GNUNET_assert (0 != (m = gcry_mpi_new (0)));
1828 GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
1829 GNUNET_assert (0 != (prod = gcry_mpi_new (0)));
1832 for (i = 0; i < ds->share->num_peers; i++)
1833 if (NULL != ds->info[i].partial_decryption)
1836 indices = GNUNET_new_array (num,
1839 for (i = 0; i < ds->share->num_peers; i++)
1840 if (NULL != ds->info[i].partial_decryption)
1841 indices[j++] = ds->info[i].original_index;
1843 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1844 "P%u: decrypt conclude, with %u peers\n",
1848 gcry_mpi_set_ui (prod, 1);
1849 for (i = 0; i < num; i++)
1851 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1852 "P%u: index of %u: %u\n",
1853 ds->share->my_peer, i, indices[i]);
1854 compute_lagrange_coefficient (lagrange, indices[i], indices, num);
1856 gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange,
1859 // product of all exponentiated partiel decryptions ...
1860 gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
1863 GNUNET_CRYPTO_mpi_scan_unsigned (&c_2, ds->ciphertext.c2_bits,
1864 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1866 GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p));
1867 gcry_mpi_mulm (m, c_2, prod, elgamal_p);
1868 ev = GNUNET_MQ_msg (msg,
1869 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE);
1870 GNUNET_CRYPTO_mpi_print_unsigned (&msg->plaintext,
1871 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, m);
1872 msg->success = htonl (1);
1873 GNUNET_MQ_send (ds->cs->mq,
1876 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
1878 GNUNET_free (indices);
1880 gcry_mpi_release (lagrange);
1881 gcry_mpi_release (m);
1882 gcry_mpi_release (tmp);
1883 gcry_mpi_release (prod);
1884 gcry_mpi_release (c_2);
1886 // FIXME: what if not enough peers participated?
1891 * Get a string representation of an MPI.
1892 * The caller must free the returned string.
1894 * @param mpi mpi to convert to a string
1895 * @return string representation of @a mpi, must be free'd by the caller
1898 mpi_to_str (gcry_mpi_t mpi)
1902 GNUNET_assert (0 == gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buf, NULL, mpi));
1903 return (char *) buf;
1908 * Called when a new partial decryption arrives.
1911 decrypt_new_element (void *cls,
1912 const struct GNUNET_SET_Element *element)
1914 struct DecryptSession *session = cls;
1915 const struct GNUNET_SECRETSHARING_DecryptData *d;
1916 struct DecryptPeerInfo *info;
1917 struct GNUNET_HashCode challenge_hash;
1921 /* nizk challenge */
1922 gcry_mpi_t challenge;
1923 /* nizk commit1, g^\beta */
1925 /* nizk commit2, c_1^\beta */
1927 /* homomorphic commitment to the peer's share,
1928 * public key share */
1930 /* partial decryption we received */
1932 /* ciphertext component #1 */
1934 /* temporary variable (for comparision) #1 */
1936 /* temporary variable (for comparision) #2 */
1939 if (NULL == element)
1941 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decryption failed\n");
1942 /* FIXME: destroy */
1946 if (element->size != sizeof *d)
1948 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1949 "element of wrong size in decrypt consensus\n");
1955 info = get_decrypt_peer_info (session, &d->peer);
1959 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1960 "decrypt element from invalid peer (%s)\n",
1961 GNUNET_i2s (&d->peer));
1965 if (NULL != info->partial_decryption)
1967 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n");
1971 if (0 != GNUNET_memcmp (&d->ciphertext, &session->ciphertext))
1973 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1974 "P%u: got decrypt element with non-matching ciphertext from P%u\n",
1975 (unsigned int) session->share->my_peer, (unsigned int) (info
1984 GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1985 ciphertext) + (char *) d,
1986 offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1988 - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1992 GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
1993 sizeof(struct GNUNET_HashCode));
1995 GNUNET_CRYPTO_mpi_scan_unsigned (&sigma, &session->share->sigmas[info
1999 GNUNET_SECRETSHARING_FieldElement));
2001 GNUNET_CRYPTO_mpi_scan_unsigned (&c1, session->ciphertext.c1_bits,
2003 GNUNET_SECRETSHARING_FieldElement));
2005 GNUNET_CRYPTO_mpi_scan_unsigned (&commit1, &d->nizk_commit1,
2007 GNUNET_SECRETSHARING_FieldElement));
2009 GNUNET_CRYPTO_mpi_scan_unsigned (&commit2, &d->nizk_commit2,
2011 GNUNET_SECRETSHARING_FieldElement));
2013 GNUNET_CRYPTO_mpi_scan_unsigned (&r, &d->nizk_response,
2015 GNUNET_SECRETSHARING_FieldElement));
2017 GNUNET_CRYPTO_mpi_scan_unsigned (&w, &d->partial_decryption,
2019 GNUNET_SECRETSHARING_FieldElement));
2021 GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
2022 GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
2025 gcry_mpi_powm (tmp1, elgamal_g, r, elgamal_p);
2027 // tmp2 = g^\beta * \sigma^challenge
2028 gcry_mpi_powm (tmp2, sigma, challenge, elgamal_p);
2029 gcry_mpi_mulm (tmp2, tmp2, commit1, elgamal_p);
2031 if (0 != gcry_mpi_cmp (tmp1, tmp2))
2036 tmp1_str = mpi_to_str (tmp1);
2037 tmp2_str = mpi_to_str (tmp2);
2038 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2039 "P%u: Received invalid partial decryption from P%u (eqn 1), expected %s got %s\n",
2040 session->share->my_peer,
2041 (unsigned int) (info - session->info),
2044 GNUNET_free (tmp1_str);
2045 GNUNET_free (tmp2_str);
2050 gcry_mpi_powm (tmp1, c1, r, elgamal_p);
2052 gcry_mpi_powm (tmp2, w, challenge, elgamal_p);
2053 gcry_mpi_mulm (tmp2, tmp2, commit2, elgamal_p);
2056 if (0 != gcry_mpi_cmp (tmp1, tmp2))
2058 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2059 "P%u: Received invalid partial decryption from P%u (eqn 2)\n",
2060 session->share->my_peer,
2061 (unsigned int) (info - session->info));
2066 GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption,
2067 &d->partial_decryption,
2068 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2070 gcry_mpi_release (tmp1);
2071 gcry_mpi_release (tmp2);
2072 gcry_mpi_release (sigma);
2073 gcry_mpi_release (commit1);
2074 gcry_mpi_release (commit2);
2075 gcry_mpi_release (r);
2076 gcry_mpi_release (w);
2077 gcry_mpi_release (challenge);
2078 gcry_mpi_release (c1);
2083 insert_decrypt_element (struct DecryptSession *ds)
2085 struct GNUNET_SECRETSHARING_DecryptData d;
2086 struct GNUNET_SET_Element element;
2089 /* partial decryption with our share */
2091 /* first component of the elgamal ciphertext */
2093 /* nonce for dlog zkp */
2096 gcry_mpi_t challenge;
2098 struct GNUNET_HashCode challenge_hash;
2100 /* make vagrind happy until we implement the real deal ... */
2101 memset (&d, 0, sizeof d);
2103 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n",
2104 ds->share->my_peer);
2106 GNUNET_assert (ds->share->my_peer < ds->share->num_peers);
2108 GNUNET_CRYPTO_mpi_scan_unsigned (&c1, &ds->ciphertext.c1_bits,
2109 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2110 GNUNET_CRYPTO_mpi_scan_unsigned (&s, &ds->share->my_share,
2111 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2112 GNUNET_CRYPTO_mpi_scan_unsigned (&sigma,
2113 &ds->share->sigmas[ds->share->my_peer],
2114 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2116 GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
2117 GNUNET_assert (NULL != (beta = gcry_mpi_new (0)));
2118 GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
2120 // FIXME: unnecessary, remove once crypto works
2121 gcry_mpi_powm (tmp, elgamal_g, s, elgamal_p);
2122 if (0 != gcry_mpi_cmp (tmp, sigma))
2124 char *sigma_str = mpi_to_str (sigma);
2125 char *tmp_str = mpi_to_str (tmp);
2126 char *s_str = mpi_to_str (s);
2127 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2128 "Share of P%u is invalid, ref sigma %s, "
2129 "computed sigma %s, s %s\n",
2131 sigma_str, tmp_str, s_str);
2132 GNUNET_free (sigma_str);
2133 GNUNET_free (tmp_str);
2134 GNUNET_free (s_str);
2137 gcry_mpi_powm (w, c1, s, elgamal_p);
2139 element.data = (void *) &d;
2140 element.size = sizeof(struct GNUNET_SECRETSHARING_DecryptData);
2141 element.element_type = 0;
2143 d.ciphertext = ds->ciphertext;
2145 GNUNET_CRYPTO_mpi_print_unsigned (&d.partial_decryption,
2146 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, w);
2148 // create the zero knowledge proof
2149 // randomly choose beta such that 0 < beta < q
2152 gcry_mpi_randomize (beta, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
2155 while ((gcry_mpi_cmp_ui (beta, 0) == 0) || (gcry_mpi_cmp (beta, elgamal_q) >=
2158 gcry_mpi_powm (tmp, elgamal_g, beta, elgamal_p);
2159 GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit1,
2160 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
2162 gcry_mpi_powm (tmp, c1, beta, elgamal_p);
2163 GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit2,
2164 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
2166 // the challenge is the hash of everything up to the response
2167 GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2168 ciphertext) + (char *) &d,
2169 offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2171 - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2175 GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
2176 sizeof(struct GNUNET_HashCode));
2178 // compute the response in tmp,
2179 // tmp = (c * s + beta) mod q
2180 gcry_mpi_mulm (tmp, challenge, s, elgamal_q);
2181 gcry_mpi_addm (tmp, tmp, beta, elgamal_q);
2183 GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_response,
2184 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
2186 d.purpose.size = htonl (element.size - offsetof (struct
2187 GNUNET_SECRETSHARING_DecryptData,
2189 d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
2191 GNUNET_assert (GNUNET_OK ==
2192 GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
2196 GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
2197 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2198 "P%u: Inserting decrypt element done!\n",
2199 ds->share->my_peer);
2201 gcry_mpi_release (s);
2202 gcry_mpi_release (w);
2203 gcry_mpi_release (c1);
2204 gcry_mpi_release (beta);
2205 gcry_mpi_release (tmp);
2206 gcry_mpi_release (challenge);
2207 gcry_mpi_release (sigma);
2212 * Check that @a msg is well-formed.
2214 * @param cls identification of the client
2215 * @param msg the actual message
2216 * @return #GNUNET_OK (check deferred a bit)
2219 check_client_decrypt (void *cls,
2221 GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
2223 /* we check later, it's complicated */
2229 * Functions with this signature are called whenever a message is
2232 * @param cls identification of the client
2233 * @param msg the actual message
2236 handle_client_decrypt (void *cls,
2238 GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
2240 struct ClientState *cs = cls;
2241 struct DecryptSession *ds;
2242 struct GNUNET_HashCode session_id;
2244 if (NULL != cs->decrypt_session)
2247 GNUNET_SERVICE_client_drop (cs->client);
2250 ds = GNUNET_new (struct DecryptSession);
2251 cs->decrypt_session = ds;
2253 ds->start = GNUNET_TIME_absolute_ntoh (msg->start);
2254 ds->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline);
2255 ds->ciphertext = msg->ciphertext;
2257 ds->share = GNUNET_SECRETSHARING_share_read (&msg[1],
2258 ntohs (msg->header.size)
2261 if (NULL == ds->share)
2264 GNUNET_SERVICE_client_drop (cs->client);
2268 /* FIXME: this is probably sufficient, but kdf/hash with all values would be nicer ... */
2269 GNUNET_CRYPTO_hash (&msg->ciphertext,
2270 sizeof(struct GNUNET_SECRETSHARING_Ciphertext),
2272 ds->consensus = GNUNET_CONSENSUS_create (cfg,
2273 ds->share->num_peers,
2278 &decrypt_new_element,
2282 ds->info = GNUNET_new_array (ds->share->num_peers,
2283 struct DecryptPeerInfo);
2284 for (unsigned int i = 0; i < ds->share->num_peers; i++)
2286 ds->info[i].peer = ds->share->peers[i];
2287 ds->info[i].original_index = ds->share->original_indices[i];
2289 insert_decrypt_element (ds);
2290 GNUNET_CONSENSUS_conclude (ds->consensus,
2293 GNUNET_SERVICE_client_continue (cs->client);
2294 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
2295 "decrypting with %u peers\n",
2296 ds->share->num_peers);
2301 init_crypto_constants (void)
2303 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
2304 GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0,
2306 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
2307 GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0,
2309 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
2310 GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0,
2316 * Initialize secretsharing service.
2318 * @param cls closure
2319 * @param c configuration to use
2320 * @param service the initialized service
2324 const struct GNUNET_CONFIGURATION_Handle *c,
2325 struct GNUNET_SERVICE_Handle *service)
2328 my_peer_private_key = GNUNET_CRYPTO_eddsa_key_create_from_configuration (c);
2329 if (NULL == my_peer_private_key)
2331 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2332 "could not access host private key\n");
2334 GNUNET_SCHEDULER_shutdown ();
2337 init_crypto_constants ();
2339 GNUNET_CRYPTO_get_peer_identity (cfg,
2342 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2343 "could not retrieve host identity\n");
2345 GNUNET_SCHEDULER_shutdown ();
2348 GNUNET_SCHEDULER_add_shutdown (&cleanup_task,
2354 * Callback called when a client connects to the service.
2356 * @param cls closure for the service
2357 * @param c the new client that connected to the service
2358 * @param mq the message queue used to send messages to the client
2362 client_connect_cb (void *cls,
2363 struct GNUNET_SERVICE_Client *c,
2364 struct GNUNET_MQ_Handle *mq)
2366 struct ClientState *cs = GNUNET_new (struct ClientState);;
2375 * Callback called when a client disconnected from the service
2377 * @param cls closure for the service
2378 * @param c the client that disconnected
2379 * @param internal_cls should be equal to @a c
2382 client_disconnect_cb (void *cls,
2383 struct GNUNET_SERVICE_Client *c,
2386 struct ClientState *cs = internal_cls;
2388 if (NULL != cs->keygen_session)
2389 keygen_session_destroy (cs->keygen_session);
2391 if (NULL != cs->decrypt_session)
2392 decrypt_session_destroy (cs->decrypt_session);
2398 * Define "main" method using service macro.
2402 GNUNET_SERVICE_OPTION_NONE,
2405 &client_disconnect_cb,
2407 GNUNET_MQ_hd_var_size (client_keygen,
2408 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE,
2409 struct GNUNET_SECRETSHARING_CreateMessage,
2411 GNUNET_MQ_hd_var_size (client_decrypt,
2412 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT,
2413 struct GNUNET_SECRETSHARING_DecryptRequestMessage,
2415 GNUNET_MQ_handler_end ());