/*
This file is part of GNUnet.
- (C) 2013 Christian Grothoff (and other contributing authors)
+ Copyright (C) 2013 GNUnet e.V.
GNUnet is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
You should have received a copy of the GNU General Public License
along with GNUnet; see the file COPYING. If not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
+ Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
*/
/**
static int
peer_id_cmp (const void *p1, const void *p2)
{
- return memcmp (p1, p2, sizeof (struct GNUNET_PeerIdentity));
+ return memcmp (p1,
+ p2,
+ sizeof (struct GNUNET_PeerIdentity));
}
const struct GNUNET_PeerIdentity *needle)
{
unsigned int i;
+
for (i = 0; i < n; i++)
- if (0 == memcmp (&haystack[i], needle, sizeof (struct GNUNET_PeerIdentity)))
+ if (0 == memcmp (&haystack[i],
+ needle,
+ sizeof (struct GNUNET_PeerIdentity)))
return i;
return -1;
}
if (GNUNET_NO == local_peer_in_list)
normalized[n - 1] = my_peer;
- memcpy (normalized, listed, num_listed * sizeof (struct GNUNET_PeerIdentity));
- qsort (normalized, n, sizeof (struct GNUNET_PeerIdentity), &peer_id_cmp);
+ memcpy (normalized,
+ listed,
+ num_listed * sizeof (struct GNUNET_PeerIdentity));
+ qsort (normalized,
+ n,
+ sizeof (struct GNUNET_PeerIdentity),
+ &peer_id_cmp);
if (NULL != my_peer_idx)
*my_peer_idx = peer_find (normalized, n, &my_peer);
}
+/**
+ * Destroy a decrypt session, removing it from
+ * the linked list of decrypt sessions.
+ *
+ * @param ds decrypt session to destroy
+ */
static void
decrypt_session_destroy (struct DecryptSession *ds)
{
GNUNET_CONTAINER_DLL_remove (decrypt_sessions_head, decrypt_sessions_tail, ds);
+ if (NULL != ds->consensus)
+ {
+ GNUNET_CONSENSUS_destroy (ds->consensus);
+ ds->consensus = NULL;
+ }
+
+ if (NULL != ds->info)
+ {
+ unsigned int i;
+ for (i = 0; i < ds->share->num_peers; i++)
+ {
+ if (NULL != ds->info[i].partial_decryption)
+ {
+ gcry_mpi_release (ds->info[i].partial_decryption);
+ ds->info[i].partial_decryption = NULL;
+ }
+ }
+ GNUNET_free (ds->info);
+ ds->info = NULL;
+ }
+
+ if (NULL != ds->share)
+ {
+ GNUNET_SECRETSHARING_share_destroy (ds->share);
+ ds->share = NULL;
+ }
+
if (NULL != ds->client_mq)
{
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying decrypt MQ\n");
GNUNET_free (ds);
}
+static void
+keygen_info_destroy (struct KeygenPeerInfo *info)
+{
+ if (NULL != info->sigma)
+ {
+ gcry_mpi_release (info->sigma);
+ info->sigma = NULL;
+ }
+ if (NULL != info->presecret_commitment)
+ {
+ gcry_mpi_release (info->presecret_commitment);
+ info->presecret_commitment = NULL;
+ }
+ if (NULL != info->preshare_commitment)
+ {
+ gcry_mpi_release (info->preshare_commitment);
+ info->presecret_commitment = NULL;
+ }
+}
+
static void
keygen_session_destroy (struct KeygenSession *ks)
GNUNET_CONTAINER_DLL_remove (keygen_sessions_head, keygen_sessions_tail, ks);
+ if (NULL != ks->info)
+ {
+ unsigned int i;
+ for (i = 0; i < ks->num_peers; i++)
+ keygen_info_destroy (&ks->info[i]);
+ GNUNET_free (ks->info);
+ ks->info = NULL;
+ }
+
+ if (NULL != ks->consensus)
+ {
+ GNUNET_CONSENSUS_destroy (ks->consensus);
+ ks->consensus = NULL;
+ }
+
+ if (NULL != ks->presecret_polynomial)
+ {
+ unsigned int i;
+ for (i = 0; i < ks->threshold; i++)
+ {
+ GNUNET_assert (NULL != ks->presecret_polynomial[i]);
+ gcry_mpi_release (ks->presecret_polynomial[i]);
+ ks->presecret_polynomial[i] = NULL;
+ }
+ GNUNET_free (ks->presecret_polynomial);
+ ks->presecret_polynomial = NULL;
+ }
+
if (NULL != ks->client_mq)
{
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "destroying keygen MQ\n");
ks->client_mq = NULL;
}
+ if (NULL != ks->my_share)
+ {
+ gcry_mpi_release (ks->my_share);
+ ks->my_share = NULL;
+ }
+
+ if (NULL != ks->public_key)
+ {
+ gcry_mpi_release (ks->public_key);
+ ks->public_key = NULL;
+ }
+
+ if (NULL != ks->peers)
+ {
+ GNUNET_free (ks->peers);
+ ks->peers = NULL;
+ }
+
if (NULL != ks->client)
{
GNUNET_SERVER_client_disconnect (ks->client);
* @param tc unused
*/
static void
-cleanup_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
+cleanup_task (void *cls)
{
while (NULL != decrypt_sessions_head)
decrypt_session_destroy (decrypt_sessions_head);
GNUNET_assert (NULL != v);
// Randomize v such that 0 < v < elgamal_q.
// The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
- do
+ do
{
gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, GCRY_WEAK_RANDOM);
} while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
"keygen commit data with wrong size (%u) in consensus, "
- " %u expected\n",
+ " %lu expected\n",
element->size, sizeof (struct GNUNET_SECRETSHARING_KeygenCommitData));
return;
}
GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
+ GNUNET_CONSENSUS_destroy (ks->consensus);
+ ks->consensus = NULL;
+
share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
share->num_peers = 0;
/* Write the share. If 0 peers completed the dkg, an empty
* share will be sent. */
- m = GNUNET_malloc (sizeof (struct GNUNET_SECRETSHARING_SecretReadyMessage) +
- ks->num_peers * sizeof (struct GNUNET_PeerIdentity));
-
GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, NULL, 0, &share_size));
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "writing share of size %u\n",
GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, &m[1], share_size, NULL));
+ GNUNET_SECRETSHARING_share_destroy (share);
+ share = NULL;
+
GNUNET_MQ_send (ks->client_mq, ev);
}
+
+static void
+restore_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
+ const struct GNUNET_SECRETSHARING_FairEncryption *fe,
+ gcry_mpi_t x, gcry_mpi_t xres)
+{
+ gcry_mpi_t a_1;
+ gcry_mpi_t a_2;
+ gcry_mpi_t b_1;
+ gcry_mpi_t b_2;
+ gcry_mpi_t big_a;
+ gcry_mpi_t big_b;
+ gcry_mpi_t big_t;
+ gcry_mpi_t n;
+ gcry_mpi_t t_1;
+ gcry_mpi_t t_2;
+ gcry_mpi_t t;
+ gcry_mpi_t r;
+ gcry_mpi_t v;
+
+
+ GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (big_t = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (v = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (big_a = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (big_b = gcry_mpi_new (0)));
+
+ // a = (N,0)^T
+ GNUNET_CRYPTO_mpi_scan_unsigned (&a_1, ppub, sizeof (struct GNUNET_CRYPTO_PaillierPublicKey));
+ GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0)));
+ gcry_mpi_set_ui (a_2, 0);
+ // b = (x,1)^T
+ GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0)));
+ gcry_mpi_set (b_1, x);
+ GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0)));
+ gcry_mpi_set_ui (b_2, 1);
+
+ // A = a DOT a
+ gcry_mpi_mul (t, a_1, a_1);
+ gcry_mpi_mul (big_a, a_2, a_2);
+ gcry_mpi_add (big_a, big_a, t);
+
+ // B = b DOT b
+ gcry_mpi_mul (t, b_1, b_1);
+ gcry_mpi_mul (big_b, b_2, b_2);
+ gcry_mpi_add (big_b, big_b, t);
+
+ while (1)
+ {
+ // n = a DOT b
+ gcry_mpi_mul (t, a_1, b_1);
+ gcry_mpi_mul (n, a_2, b_2);
+ gcry_mpi_add (n, n, t);
+
+ // r = nearest(n/B)
+ gcry_mpi_div (r, NULL, n, big_b, 0);
+
+ // T := A - 2rn + rrB
+ gcry_mpi_mul (v, r, n);
+ gcry_mpi_mul_ui (v, v, 2);
+ gcry_mpi_sub (big_t, big_a, v);
+ gcry_mpi_mul (v, r, r);
+ gcry_mpi_mul (v, v, big_b);
+ gcry_mpi_add (big_t, big_t, v);
+
+ if (gcry_mpi_cmp (big_t, big_b) >= 0)
+ {
+ break;
+ }
+
+ // t = a - rb
+ gcry_mpi_mul (v, r, b_1);
+ gcry_mpi_sub (t_1, a_1, v);
+ gcry_mpi_mul (v, r, b_2);
+ gcry_mpi_sub (t_2, a_2, v);
+
+ // a = b
+ gcry_mpi_set (a_1, b_1);
+ gcry_mpi_set (a_2, b_2);
+ // b = t
+ gcry_mpi_set (b_1, t_1);
+ gcry_mpi_set (b_2, t_2);
+
+ gcry_mpi_set (big_a, big_b);
+ gcry_mpi_set (big_b, big_t);
+ }
+
+ {
+ gcry_mpi_t paillier_n;
+
+ GNUNET_CRYPTO_mpi_scan_unsigned (&paillier_n, ppub, sizeof (struct GNUNET_CRYPTO_PaillierPublicKey));
+
+ gcry_mpi_set (xres, b_2);
+ gcry_mpi_invm (xres, xres, elgamal_q);
+ gcry_mpi_mulm (xres, xres, b_1, elgamal_q);
+ }
+
+ gcry_mpi_release (a_1);
+ gcry_mpi_release (a_2);
+ gcry_mpi_release (b_1);
+ gcry_mpi_release (b_2);
+ gcry_mpi_release (big_a);
+ gcry_mpi_release (big_b);
+ gcry_mpi_release (big_t);
+ gcry_mpi_release (n);
+ gcry_mpi_release (t_1);
+ gcry_mpi_release (t_2);
+ gcry_mpi_release (t);
+ gcry_mpi_release (r);
+ gcry_mpi_release (v);
+}
+
+
+static void
+get_fair_encryption_challenge (const struct GNUNET_SECRETSHARING_FairEncryption *fe, gcry_mpi_t e)
+{
+ struct {
+ struct GNUNET_CRYPTO_PaillierCiphertext c;
+ char h[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
+ char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
+ char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
+ } hash_data;
+ struct GNUNET_HashCode e_hash;
+
+ memcpy (&hash_data.c, &fe->c, sizeof (struct GNUNET_CRYPTO_PaillierCiphertext));
+ memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
+
+ GNUNET_CRYPTO_mpi_scan_unsigned (&e, &e_hash, sizeof (struct GNUNET_HashCode));
+ gcry_mpi_mod (e, e, elgamal_q);
+}
+
+
+static int
+verify_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, const struct GNUNET_SECRETSHARING_FairEncryption *fe)
+{
+ gcry_mpi_t n;
+ gcry_mpi_t n_sq;
+ gcry_mpi_t z;
+ gcry_mpi_t t1;
+ gcry_mpi_t t2;
+ gcry_mpi_t e;
+ gcry_mpi_t w;
+ gcry_mpi_t tmp1;
+ gcry_mpi_t tmp2;
+ gcry_mpi_t y;
+ gcry_mpi_t big_y;
+ int res;
+
+ GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (e = gcry_mpi_new (0)));
+
+ get_fair_encryption_challenge (fe, e);
+
+ GNUNET_CRYPTO_mpi_scan_unsigned (&n, ppub, sizeof (struct GNUNET_CRYPTO_PaillierPublicKey));
+ GNUNET_CRYPTO_mpi_scan_unsigned (&t1, fe->t1, GNUNET_CRYPTO_PAILLIER_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&z, fe->z, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&y, fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&w, fe->w, GNUNET_CRYPTO_PAILLIER_BITS / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&t2, fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
+ gcry_mpi_mul (n_sq, n, n);
+
+ // tmp1 = g^z
+ gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p);
+ // tmp2 = y^{-e}
+ gcry_mpi_powm (tmp1, y, e, elgamal_p);
+ gcry_mpi_invm (tmp1, tmp1, elgamal_p);
+ // tmp1 = tmp1 * tmp2
+ gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p);
+
+ if (0 == gcry_mpi_cmp (t1, tmp1))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n");
+ res = GNUNET_NO;
+ goto cleanup;
+ }
+
+ gcry_mpi_powm (big_y, big_y, e, n_sq);
+ gcry_mpi_invm (big_y, big_y, n_sq);
+
+ gcry_mpi_add_ui (tmp1, n, 1);
+ gcry_mpi_powm (tmp1, tmp1, z, n_sq);
+
+ gcry_mpi_powm (tmp2, w, n, n_sq);
+
+ gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq);
+ gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq);
+
+
+ if (0 == gcry_mpi_cmp (t2, tmp1))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n");
+ res = GNUNET_NO;
+ goto cleanup;
+ }
+
+ res = GNUNET_YES;
+
+cleanup:
+
+ gcry_mpi_release (n);
+ gcry_mpi_release (n_sq);
+ gcry_mpi_release (z);
+ gcry_mpi_release (t1);
+ gcry_mpi_release (t2);
+ gcry_mpi_release (e);
+ gcry_mpi_release (w);
+ gcry_mpi_release (tmp1);
+ gcry_mpi_release (tmp2);
+ gcry_mpi_release (y);
+ gcry_mpi_release (big_y);
+ return res;
+}
+
+
+/**
+ * Create a fair Paillier encryption of then given ciphertext.
+ *
+ * @param v the ciphertext
+ * @param[out] fe the fair encryption
+ */
+static void
+encrypt_fair (gcry_mpi_t v, const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, struct GNUNET_SECRETSHARING_FairEncryption *fe)
+{
+ gcry_mpi_t r;
+ gcry_mpi_t s;
+ gcry_mpi_t t1;
+ gcry_mpi_t t2;
+ gcry_mpi_t z;
+ gcry_mpi_t w;
+ gcry_mpi_t n;
+ gcry_mpi_t e;
+ gcry_mpi_t n_sq;
+ gcry_mpi_t u;
+ gcry_mpi_t Y;
+ gcry_mpi_t G;
+ gcry_mpi_t h;
+ GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (s = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t1 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (t2 = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (z = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (e = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (u = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (Y = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (G = gcry_mpi_new (0)));
+ GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
+
+ GNUNET_CRYPTO_mpi_scan_unsigned (&n, ppub, sizeof (struct GNUNET_CRYPTO_PaillierPublicKey));
+ gcry_mpi_mul (n_sq, n, n);
+ gcry_mpi_add_ui (G, n, 1);
+
+ do {
+ gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
+ }
+ while (gcry_mpi_cmp (u, n) >= 0);
+
+ gcry_mpi_powm (t1, G, v, n_sq);
+ gcry_mpi_powm (t2, u, n, n_sq);
+ gcry_mpi_mulm (Y, t1, t2, n_sq);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->c.bits,
+ sizeof fe->c.bits,
+ Y);
+
+
+ gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM);
+ do {
+ gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
+ }
+ while (gcry_mpi_cmp (s, n) >= 0);
+
+ // compute t1
+ gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p);
+ // compute t2 (use z and w as temp)
+ gcry_mpi_powm (z, G, r, n_sq);
+ gcry_mpi_powm (w, s, n, n_sq);
+ gcry_mpi_mulm (t2, z, w, n_sq);
+
+
+ gcry_mpi_powm (h, elgamal_g, v, elgamal_p);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->h,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
+ h);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->t1,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
+ t1);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->t2,
+ GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8,
+ t2);
+
+
+ get_fair_encryption_challenge (fe, e);
+
+ // compute z
+ gcry_mpi_mul (z, e, v);
+ gcry_mpi_addm (z, z, r, elgamal_q);
+ // compute w
+ gcry_mpi_powm (w, u, e, n);
+ gcry_mpi_mulm (w, w, s, n);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->z,
+ GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
+ z);
+
+ GNUNET_CRYPTO_mpi_print_unsigned (fe->w,
+ GNUNET_CRYPTO_PAILLIER_BITS / 8,
+ w);
+
+ gcry_mpi_release (n);
+ gcry_mpi_release (r);
+ gcry_mpi_release (s);
+ gcry_mpi_release (t1);
+ gcry_mpi_release (t2);
+ gcry_mpi_release (z);
+ gcry_mpi_release (w);
+ gcry_mpi_release (e);
+ gcry_mpi_release (n_sq);
+ gcry_mpi_release (u);
+ gcry_mpi_release (Y);
+ gcry_mpi_release (G);
+ gcry_mpi_release (h);
+}
+
+
/**
* Insert round 2 element in the consensus, consisting of
* (1) The exponentiated pre-share polynomial coefficients A_{i,l}=g^{a_{i,l}}
unsigned int i;
gcry_mpi_t idx;
gcry_mpi_t v;
- gcry_mpi_t c;
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
ks->local_peer_idx);
GNUNET_assert (NULL != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
GNUNET_assert (NULL != (idx = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
- GNUNET_assert (NULL != (c = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
element_size = (sizeof (struct GNUNET_SECRETSHARING_KeygenRevealData) +
- GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers +
- sizeof (struct GNUNET_CRYPTO_PaillierCiphertext) * ks->num_peers +
+ sizeof (struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers +
GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
element = GNUNET_malloc (sizeof (struct GNUNET_SET_Element) + element_size);
pos = (void *) &d[1];
last_pos = pos + element_size;
- // exponentiated pre-shares
- for (i = 0; i < ks->num_peers; i++)
- {
- ptrdiff_t remaining = last_pos - pos;
- GNUNET_assert (remaining > 0);
- gcry_mpi_set_ui (idx, i + 1);
- // evaluate the polynomial
- horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
- // take g to the result
- gcry_mpi_powm (v, elgamal_g, v, elgamal_p);
- GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, v);
- pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
- }
-
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
ks->local_peer_idx);
// encrypted pre-shares
- for (i = 0; i < ks->num_peers; i++)
+ // and fair encryption proof
{
- ptrdiff_t remaining = last_pos - pos;
- struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext;
-
- GNUNET_assert (remaining > 0);
- ciphertext = (void *) pos;
- memset (ciphertext, 0, sizeof *ciphertext);
- if (GNUNET_YES == ks->info[i].round1_valid)
+ for (i = 0; i < ks->num_peers; i++)
{
- gcry_mpi_set_ui (idx, i + 1);
- // evaluate the polynomial
- horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
- // encrypt the result
- GNUNET_CRYPTO_paillier_encrypt (&ks->info[i].paillier_public_key, v, 0, ciphertext);
+ ptrdiff_t remaining = last_pos - pos;
+ struct GNUNET_SECRETSHARING_FairEncryption *fe = (void *) pos;
+
+ GNUNET_assert (remaining > 0);
+ memset (fe, 0, sizeof *fe);
+ if (GNUNET_YES == ks->info[i].round1_valid)
+ {
+ gcry_mpi_set_ui (idx, i + 1);
+ // evaluate the polynomial
+ horner_eval (v, ks->presecret_polynomial, ks->threshold, idx, elgamal_q);
+ // encrypt the result
+ encrypt_fair (v, &ks->info[i].paillier_public_key, fe);
+ }
+ pos += sizeof *fe;
}
- pos += sizeof *ciphertext;
}
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
ks->local_peer_idx);
+
d->purpose.size = htonl (element_size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData, purpose));
d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2);
- GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d->purpose, &d->signature);
+ GNUNET_assert (GNUNET_OK ==
+ GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
+ &d->purpose,
+ &d->signature));
GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
GNUNET_free (element); /* FIXME: maybe stack-allocate instead? */
}
-static gcry_mpi_t
-keygen_reveal_get_exp_preshare (struct KeygenSession *ks,
- const struct GNUNET_SECRETSHARING_KeygenRevealData *d,
- unsigned int idx)
-{
- unsigned char *pos;
- gcry_mpi_t exp_preshare;
-
- GNUNET_assert (idx < ks->num_peers);
-
- GNUNET_assert (NULL != (exp_preshare = gcry_mpi_new (0)));
-
- pos = (void *) &d[1];
- // skip exponentiated pre-shares we don't want
- pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx;
- GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, pos, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
- return exp_preshare;
-}
-
static gcry_mpi_t
keygen_reveal_get_exp_coeff (struct KeygenSession *ks,
const struct GNUNET_SECRETSHARING_KeygenRevealData *d,
gcry_mpi_t exp_coeff;
GNUNET_assert (idx < ks->threshold);
- GNUNET_assert (NULL != (exp_coeff = gcry_mpi_new (0)));
pos = (void *) &d[1];
- // skip exponentiated pre-shares
- pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers;
// skip encrypted pre-shares
- pos += sizeof (struct GNUNET_CRYPTO_PaillierCiphertext) * ks->num_peers;
+ pos += sizeof (struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers;
// skip exp. coeffs we are not interested in
pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx;
// the first exponentiated coefficient is the public key share
}
-static struct GNUNET_CRYPTO_PaillierCiphertext *
+static struct GNUNET_SECRETSHARING_FairEncryption *
keygen_reveal_get_enc_preshare (struct KeygenSession *ks,
const struct GNUNET_SECRETSHARING_KeygenRevealData *d,
unsigned int idx)
GNUNET_assert (idx < ks->num_peers);
pos = (void *) &d[1];
- // skip exponentiated pre-shares
- pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers;
// skip encrypted pre-shares we're not interested in
- pos += sizeof (struct GNUNET_CRYPTO_PaillierCiphertext) * idx;
- return (struct GNUNET_CRYPTO_PaillierCiphertext *) pos;
+ pos += sizeof (struct GNUNET_SECRETSHARING_FairEncryption) * idx;
+ return (struct GNUNET_SECRETSHARING_FairEncryption *) pos;
+}
+
+
+static gcry_mpi_t
+keygen_reveal_get_exp_preshare (struct KeygenSession *ks,
+ const struct GNUNET_SECRETSHARING_KeygenRevealData *d,
+ unsigned int idx)
+{
+ gcry_mpi_t exp_preshare;
+ struct GNUNET_SECRETSHARING_FairEncryption *fe;
+
+ GNUNET_assert (idx < ks->num_peers);
+ fe = keygen_reveal_get_enc_preshare (ks, d, idx);
+ GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+ return exp_preshare;
}
struct KeygenPeerInfo *info;
size_t expected_element_size;
unsigned int j;
+ int cmp_result;
gcry_mpi_t tmp;
gcry_mpi_t public_key_share;
gcry_mpi_t preshare;
}
expected_element_size = (sizeof (struct GNUNET_SECRETSHARING_KeygenRevealData) +
- GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->num_peers +
- sizeof (struct GNUNET_CRYPTO_PaillierCiphertext) * ks->num_peers +
+ sizeof (struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers +
GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
if (element->size != expected_element_size)
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
"keygen round2 data with wrong size (%u) in consensus, "
- " %u expected\n",
+ " %lu expected\n",
element->size, expected_element_size);
return;
}
}
gcry_mpi_mulm (ks->public_key, ks->public_key, public_key_share, elgamal_p);
- GNUNET_assert (NULL != (preshare = gcry_mpi_new (0)));
- GNUNET_CRYPTO_paillier_decrypt (&ks->paillier_private_key,
- &ks->info[ks->local_peer_idx].paillier_public_key,
- keygen_reveal_get_enc_preshare (ks, d, ks->local_peer_idx),
- preshare);
+ gcry_mpi_release (public_key_share);
+ public_key_share = NULL;
+
+ {
+ struct GNUNET_SECRETSHARING_FairEncryption *fe = keygen_reveal_get_enc_preshare (ks, d, ks->local_peer_idx);
+ GNUNET_assert (NULL != (preshare = gcry_mpi_new (0)));
+ GNUNET_CRYPTO_paillier_decrypt (&ks->paillier_private_key,
+ &ks->info[ks->local_peer_idx].paillier_public_key,
+ &fe->c,
+ preshare);
+
+ // FIXME: not doing the restoration is less expensive
+ restore_fair (&ks->info[ks->local_peer_idx].paillier_public_key,
+ fe,
+ preshare,
+ preshare);
+ }
GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
gcry_mpi_powm (tmp, elgamal_g, preshare, elgamal_p);
- // TODO: restore a valid secret from the decryption (the hard part, solving SVP with gauss)
- if (0 != gcry_mpi_cmp (tmp, info->preshare_commitment))
+ cmp_result = gcry_mpi_cmp (tmp, info->preshare_commitment);
+ gcry_mpi_release (tmp);
+ tmp = NULL;
+ if (0 != cmp_result)
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: Got invalid presecret from P%u\n",
(unsigned int) ks->local_peer_idx, (unsigned int) (info - ks->info));
}
presigma = keygen_reveal_get_exp_preshare (ks, d, j);
gcry_mpi_mulm (ks->info[j].sigma, ks->info[j].sigma, presigma, elgamal_p);
+ gcry_mpi_release (presigma);
}
gcry_mpi_t prod;
for (j = 0; j < ks->num_peers; j++)
{
unsigned int k;
- gcry_mpi_t tmp;
+ int cmp_result;
gcry_mpi_t exp_preshare;
gcry_mpi_set_ui (prod, 1);
for (k = 0; k < ks->threshold; k++)
{
// Using pow(double,double) is a bit sketchy.
// We count players from 1, but shares from 0.
- gcry_mpi_set_ui (j_to_k, (unsigned int) pow(j+1, k));
+ gcry_mpi_t tmp;
+ gcry_mpi_set_ui (j_to_k, (unsigned int) pow(j+1, k));
tmp = keygen_reveal_get_exp_coeff (ks, d, k);
gcry_mpi_powm (tmp, tmp, j_to_k, elgamal_p);
gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
+ gcry_mpi_release (tmp);
}
exp_preshare = keygen_reveal_get_exp_preshare (ks, d, j);
gcry_mpi_mod (exp_preshare, exp_preshare, elgamal_p);
- if (0 != gcry_mpi_cmp (prod, exp_preshare))
+ cmp_result = gcry_mpi_cmp (prod, exp_preshare);
+ gcry_mpi_release (exp_preshare);
+ exp_preshare = NULL;
+ if (0 != cmp_result)
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: reveal data from P%u incorrect\n",
ks->local_peer_idx, j);
}
// TODO: verify proof of fair encryption (once implemented)
-
+ for (j = 0; j < ks->num_peers; j++)
+ {
+ struct GNUNET_SECRETSHARING_FairEncryption *fe = keygen_reveal_get_enc_preshare (ks, d, j);
+ if (GNUNET_YES != verify_fair (&ks->info[j].paillier_public_key, fe))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: reveal data from P%u incorrect (fair encryption)\n",
+ ks->local_peer_idx, j);
+ return;
+ }
+
+ }
+
info->round2_valid = GNUNET_YES;
+
+ gcry_mpi_release (preshare);
+ gcry_mpi_release (prod);
+ gcry_mpi_release (j_to_k);
}
d->purpose.size = htonl ((sizeof *d) - offsetof (struct GNUNET_SECRETSHARING_KeygenCommitData, purpose));
d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1);
- GNUNET_assert (GNUNET_OK == GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d->purpose, &d->signature));
+ GNUNET_assert (GNUNET_OK ==
+ GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
+ &d->purpose,
+ &d->signature));
GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
unsigned int i;
unsigned int j;
+ GNUNET_CONSENSUS_destroy (ds->consensus);
+ ds->consensus = NULL;
+
GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
GNUNET_assert (0 != (m = gcry_mpi_new (0)));
GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
+ GNUNET_free (indices);
+
+ gcry_mpi_release(lagrange);
+ gcry_mpi_release(m);
+ gcry_mpi_release(tmp);
+ gcry_mpi_release(prod);
+ gcry_mpi_release(c_2);
+
// FIXME: what if not enough peers participated?
}
d = element->data;
info = get_decrypt_peer_info (session, &d->peer);
-
+
if (NULL == info)
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element from invalid peer (%s)\n",
if (NULL != info->partial_decryption)
{
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n",
- GNUNET_i2s (&d->peer));
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n");
return;
}
GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData, ciphertext) + (char *) d,
- offsetof (struct GNUNET_SECRETSHARING_DecryptData, nizk_response) -
+ offsetof (struct GNUNET_SECRETSHARING_DecryptData, nizk_response) -
offsetof (struct GNUNET_SECRETSHARING_DecryptData, ciphertext),
&challenge_hash);
char *tmp2_str;
tmp1_str = mpi_to_str (tmp1);
tmp2_str = mpi_to_str (tmp2);
- GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: Received invalid partial decryption from P%u (eqn 1), expected %s got %s\n",
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: Received invalid partial decryption from P%ld (eqn 1), expected %s got %s\n",
session->share->my_peer, info - session->info, tmp1_str, tmp2_str);
GNUNET_free (tmp1_str);
GNUNET_free (tmp2_str);
- // return;
+ goto cleanup;
}
if (0 != gcry_mpi_cmp (tmp1, tmp2))
{
- GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: Received invalid partial decryption from P%u (eqn 2)\n",
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "P%u: Received invalid partial decryption from P%ld (eqn 2)\n",
session->share->my_peer, info - session->info);
- // return;
+ goto cleanup;
}
GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption, &d->partial_decryption,
GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
+cleanup:
+ gcry_mpi_release (tmp1);
+ gcry_mpi_release (tmp2);
+ gcry_mpi_release (sigma);
+ gcry_mpi_release (commit1);
+ gcry_mpi_release (commit2);
+ gcry_mpi_release (r);
+ gcry_mpi_release (w);
+ gcry_mpi_release (challenge);
+ gcry_mpi_release (c1);
}
element.data = (void *) &d;
element.size = sizeof (struct GNUNET_SECRETSHARING_DecryptData);
- element.type = 0;
+ element.element_type = 0;
d.ciphertext = ds->ciphertext;
d.peer = my_peer;
// create the zero knowledge proof
// randomly choose beta such that 0 < beta < q
- do
+ do
{
gcry_mpi_randomize (beta, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1, GCRY_WEAK_RANDOM);
} while ((gcry_mpi_cmp_ui (beta, 0) == 0) || (gcry_mpi_cmp (beta, elgamal_q) >= 0));
// the challenge is the hash of everything up to the response
GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData, ciphertext) + (char *) &d,
- offsetof (struct GNUNET_SECRETSHARING_DecryptData, nizk_response) -
+ offsetof (struct GNUNET_SECRETSHARING_DecryptData, nizk_response) -
offsetof (struct GNUNET_SECRETSHARING_DecryptData, ciphertext),
&challenge_hash);
d.purpose.size = htonl (element.size - offsetof (struct GNUNET_SECRETSHARING_DecryptData, purpose));
d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
-
- GNUNET_CRYPTO_eddsa_sign (my_peer_private_key, &d.purpose, &d.signature);
+
+ GNUNET_assert (GNUNET_OK ==
+ GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
+ &d.purpose,
+ &d.signature));
GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element done!\n",
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+ "P%u: Inserting decrypt element done!\n",
ds->share->my_peer);
+
+ gcry_mpi_release (s);
+ gcry_mpi_release (w);
+ gcry_mpi_release (c1);
+ gcry_mpi_release (beta);
+ gcry_mpi_release (tmp);
+ gcry_mpi_release (challenge);
+ gcry_mpi_release (sigma);
}
}
GNUNET_SERVER_add_handlers (server, handlers);
GNUNET_SERVER_disconnect_notify (server, &handle_client_disconnect, NULL);
- GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &cleanup_task,
- NULL);
+ GNUNET_SCHEDULER_add_shutdown (&cleanup_task,
+ NULL);
}
GNUNET_SERVICE_run (argc, argv, "secretsharing",
GNUNET_SERVICE_OPTION_NONE, &run, NULL)) ? 0 : 1;
}
-
projects / oweals / gnunet.git / blobdiff