Beispiel #1
0
func GetSuite(suite string) abstract.Suite {
	var s abstract.Suite
	switch {
	case suite == "nist256":
		s = nist.NewAES128SHA256P256()
	case suite == "nist512":
		s = nist.NewAES128SHA256QR512()
	case suite == "ed25519":
		s = ed25519.NewAES128SHA256Ed25519(true)
	default:
		s = nist.NewAES128SHA256P256()
	}
	return s
}
Beispiel #2
0
// Example of using Schnorr
func ExampleSchnorr() {
	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	// Create a public/private keypair (X,x)
	x := suite.Scalar().Pick(rand) // create a private key x
	X := suite.Point().Mul(nil, x) // corresponding public key X

	// Generate the signature
	M := []byte("Hello World!") // message we want to sign
	sig := SchnorrSign(suite, rand, M, x)
	fmt.Print("Signature:\n" + hex.Dump(sig))

	// Verify the signature against the correct message
	err := SchnorrVerify(suite, M, X, sig)
	if err != nil {
		panic(err.Error())
	}
	fmt.Println("Signature verified against correct message.")

	// Output:
	// Signature:
	// 00000000  c1 7a 91 74 06 48 5d 53  d4 92 27 71 58 07 eb d5  |.z.t.H]S..'qX...|
	// 00000010  75 a5 89 92 78 67 fc b1  eb 36 55 63 d1 32 12 20  |u...xg...6Uc.2. |
	// 00000020  2c 78 84 81 04 0d 2a a8  fa 80 d0 e8 c3 14 65 e3  |,x....*.......e.|
	// 00000030  7f f2 7c 55 c5 d2 c6 70  51 89 40 cd 63 50 bf c6  |..|[email protected]..|
	// Signature verified against correct message.
}
Beispiel #3
0
/*
This example illustrates how to use the crypto toolkit's abstract group API
to perform basic Diffie-Hellman key exchange calculations,
using the NIST-standard P256 elliptic curve in this case.
Any other suitable elliptic curve or other cryptographic group may be used
simply by changing the first line that picks the suite.
*/
func Example_diffieHellman() {

	// Crypto setup: NIST-standardized P256 curve with AES-128 and SHA-256
	suite := nist.NewAES128SHA256P256()

	// Alice's public/private keypair
	a := suite.Scalar().Pick(random.Stream) // Alice's private key
	A := suite.Point().Mul(nil, a)          // Alice's public key

	// Bob's public/private keypair
	b := suite.Scalar().Pick(random.Stream) // Alice's private key
	B := suite.Point().Mul(nil, b)          // Alice's public key

	// Assume Alice and Bob have securely obtained each other's public keys.

	// Alice computes their shared secret using Bob's public key.
	SA := suite.Point().Mul(B, a)

	// Bob computes their shared secret using Alice's public key.
	SB := suite.Point().Mul(A, b)

	// They had better be the same!
	if !SA.Equal(SB) {
		panic("Diffie-Hellman key exchange didn't work")
	}
	println("Shared secret: " + SA.String())

	// Output:
}
Beispiel #4
0
/*
This example illustrates how the crypto toolkit may be used
to perform "pure" ElGamal encryption,
in which the message to be encrypted is small enough to be embedded
directly within a group element (e.g., in an elliptic curve point).
For basic background on ElGamal encryption see for example
http://en.wikipedia.org/wiki/ElGamal_encryption.

Most public-key crypto libraries tend not to support embedding data in points,
in part because for "vanilla" public-key encryption you don't need it:
one would normally just generate an ephemeral Diffie-Hellman secret
and use that to seed a symmetric-key crypto algorithm such as AES,
which is much more efficient per bit and works for arbitrary-length messages.
However, in many advanced public-key crypto algorithms it is often useful
to be able to embedded data directly into points and compute with them:
as just one of many examples,
the proactively verifiable anonymous messaging scheme prototyped in Verdict
(see http://dedis.cs.yale.edu/dissent/papers/verdict-abs).

For fancier versions of ElGamal encryption implemented in this toolkit
see for example anon.Encrypt, which encrypts a message for
one of several possible receivers forming an explicit anonymity set.
*/
func Example_elGamalEncryption() {
	suite := nist.NewAES128SHA256P256()

	// Create a public/private keypair
	a := suite.Secret().Pick(random.Stream) // Alice's private key
	A := suite.Point().Mul(nil, a)          // Alice's public key

	// ElGamal-encrypt a message using the public key.
	m := []byte("The quick brown fox")
	K, C, _ := ElGamalEncrypt(suite, A, m)

	// Decrypt it using the corresponding private key.
	mm, err := ElGamalDecrypt(suite, a, K, C)

	// Make sure it worked!
	if err != nil {
		panic("decryption failed: " + err.Error())
	}
	if string(mm) != string(m) {
		panic("decryption produced wrong output: " + string(mm))
	}
	println("Decryption succeeded: " + string(mm))

	// Output:
}
Beispiel #5
0
// Generateparams will return a curve and and its random associated
// Use random bytes of length RandomByteLength
func GenerateP256(buf []byte) P256Params {
	// Curve generation
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher(buf)

	return P256Params{Suite: suite, Rand: rand}
}
Beispiel #6
0
func benchGenSigOpenSSL(nkeys int) []byte {
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))
	return Sign(suite, rand, benchMessage,
		Set(benchPubOpenSSL[:nkeys]), nil,
		0, benchPriOpenSSL)
}
Beispiel #7
0
// Test for Marshalling and Unmarshalling Comit Messages
// Important: when making empty HashIds len should be set to HASH_SIZE
func TestMUCommit(t *testing.T) {
	var err error
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("exampfsdjkhujgkjsgfjgle"))
	rand2 := suite.Cipher([]byte("examplsfhsjedgjhsge2"))

	cm := &sign.CommitmentMessage{}
	cm.V, _ = suite.Point().Pick(nil, rand)
	cm.V_hat, _ = suite.Point().Pick(nil, rand2)

	cm.MTRoot = make([]byte, hashid.Size)
	sm := sign.SigningMessage{Type: sign.Commitment, Com: cm}
	smBytes, err := sm.MarshalBinary()
	if err != nil {
		t.Error(err)
	}

	messg := &sign.SigningMessage{}
	err = messg.UnmarshalBinary(smBytes)
	cm2 := messg.Com

	// test for equality after marshal and unmarshal
	if !cm2.V.Equal(cm.V) ||
		!cm2.V_hat.Equal(cm.V_hat) ||
		bytes.Compare(cm2.MTRoot, cm.MTRoot) != 0 {
		t.Error("commit message MU failed")
	}

}
Beispiel #8
0
// Test for Marshalling and Unmarshalling Challenge Messages
// Important: when making empty HashIds len should be set to HASH_SIZE
func TestMUChallenge(t *testing.T) {
	nHashIds := 3

	var err error
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	cm := &sign.ChallengeMessage{}
	cm.C = suite.Secret().Pick(rand)
	cm.MTRoot = make([]byte, hashid.Size)
	cm.Proof = proof.Proof(make([]hashid.HashId, nHashIds))
	for i := 0; i < nHashIds; i++ {
		cm.Proof[i] = make([]byte, hashid.Size)
	}
	sm := &sign.SigningMessage{Type: sign.Challenge, Chm: cm}
	smBytes, err := sm.MarshalBinary()
	if err != nil {
		t.Error(err)
	}

	messg := &sign.SigningMessage{}
	err = messg.UnmarshalBinary(smBytes)
	cm2 := messg.Chm

	// test for equality after marshal and unmarshal
	if !cm2.C.Equal(cm.C) ||
		bytes.Compare(cm2.MTRoot, cm.MTRoot) != 0 ||
		!byteArrayEqual(cm2.Proof, cm.Proof) {
		t.Error("challenge message MU failed")
	}
}
Beispiel #9
0
// Configuration file data/exconf.json
//       0
//      / \
//     1   4
//    / \   \
//   2   3   5
func TestSmallConfigHealthy(t *testing.T) {
	suite := nist.NewAES128SHA256P256()
	RoundsPerView := 100
	if err := runTreeSmallConfig(sign.MerkleTree, RoundsPerView, suite, 0); err != nil {
		t.Fatal(err)
	}
}
Beispiel #10
0
// This code shows how to create and verify Or-predicate proofs,
// such as the one above.
// In this case, we know a secret x such that X=x*B,
// but we don't know a secret y such that Y=y*B,
// because we simply pick Y as a random point
// instead of generating it by scalar multiplication.
// (And if the group is cryptographically secure
// we won't find be able to find such a y.)
func ExampleOr_2() {
	// Create an Or predicate.
	pred := Or(Rep("X", "x", "B"), Rep("Y", "y", "B"))
	fmt.Println("Predicate: " + pred.String())

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))
	B := suite.Point().Base() // standard base point

	// Create a public/private keypair (X,x) and a random point Y
	x := suite.Scalar().Pick(rand)        // create a private key x
	X := suite.Point().Mul(nil, x)        // corresponding public key X
	Y, _ := suite.Point().Pick(nil, rand) // pick a random point Y

	// We'll need to tell the prover which Or clause is actually true.
	// In this case clause 0, the first sub-predicate, is true:
	// i.e., we know a secret x such that X=x*B.
	choice := make(map[Predicate]int)
	choice[pred] = 0

	// Generate a proof that we know the discrete logarithm of X or Y.
	sval := map[string]abstract.Scalar{"x": x}
	pval := map[string]abstract.Point{"B": B, "X": X, "Y": Y}
	prover := pred.Prover(suite, sval, pval, choice)
	proof, _ := HashProve(suite, "TEST", rand, prover)
	fmt.Print("Proof:\n" + hex.Dump(proof))

	// Verify this knowledge proof.
	// The verifier doesn't need the secret values or choice map, of course.
	verifier := pred.Verifier(suite, pval)
	err := HashVerify(suite, "TEST", verifier, proof)
	if err != nil {
		panic("proof failed to verify!")
	}
	fmt.Println("Proof verified.")

	// Output:
	// Predicate: X=x*B || Y=y*B
	// Proof:
	// 00000000  04 af 84 ed e5 86 04 cf  81 e4 18 17 84 0c 39 ab  |..............9.|
	// 00000010  fe 5c bc cc 00 85 e0 a2  ee aa d5 22 18 dd c4 a1  |.\........."....|
	// 00000020  5b 85 52 d4 dd 72 9b d2  2b e2 02 d2 5f 6f cb 10  |[.R..r..+..._o..|
	// 00000030  b5 1b 18 c3 02 1e 2f dd  50 54 9d 4c 19 aa 30 80  |....../.PT.L..0.|
	// 00000040  4a 04 f8 26 2f 55 ed b3  00 ad 38 ba f9 0f d6 fb  |J..&/U....8.....|
	// 00000050  0a d1 0e 56 be dd 71 7d  1d a9 36 2f 1f 20 b8 98  |...V..q}..6/. ..|
	// 00000060  a6 3f d0 fa dc 52 ca 57  8d 7e 37 aa ac e5 8c 4c  |.?...R.W.~7....L|
	// 00000070  2a eb d9 5c 0c 68 c8 e8  ac 99 7f b4 96 56 cf 59  |*..\.h.......V.Y|
	// 00000080  79 6f c5 c2 0a 9f 1f 3b  34 61 0f 9b b7 50 00 b7  |yo.....;4a...P..|
	// 00000090  29 02 8e d5 41 9a 92 95  6b 4e 18 5b 89 a5 93 1e  |)...A...kN.[....|
	// 000000a0  42 cd 32 17 7d 53 c5 e4  48 79 49 b2 3e 1e e2 62  |B.2.}S..HyI.>..b|
	// 000000b0  39 08 13 d5 2e f8 c5 e9  c1 28 09 91 7a 95 c9 12  |9........(..z...|
	// 000000c0  17 85 49 9e b0 3c fe fc  5d 5b 73 b1 d2 bf f9 59  |..I..<..][s....Y|
	// 000000d0  5b 5f 10 12 cb 9c d0 c6  bc 2c 75 fb 52 9c 66 c5  |[_.......,u.R.f.|
	// 000000e0  17 cb 93 8b c6 f6 34 12  83 a0 32 2e 82 2c 4b fb  |......4...2..,K.|
	// 000000f0  b3 0c a1 4b a5 e3 27 43  b6 2f ed fa ca 4f 93 83  |...K..'C./...O..|
	// 00000100  fd 56                                             |.V|
	// Proof verified.
}
Beispiel #11
0
// All Returns a map of all suites
func All() Suites {
	s := make(Suites)
	s.add(nist.NewAES128SHA256P256())
	s.add(nist.NewAES128SHA256QR512())
	s.add(ed25519.NewAES128SHA256Ed25519(false))
	s.add(edwards.NewAES128SHA256Ed25519(false))
	return s
}
Beispiel #12
0
func (v *Vote) UnmarshalBinary(data []byte) error {
	var cons = make(protobuf.Constructors)
	var point abstract.Point
	var secret abstract.Secret
	var suite = nist.NewAES128SHA256P256()
	cons[reflect.TypeOf(&point).Elem()] = func() interface{} { return suite.Point() }
	cons[reflect.TypeOf(&secret).Elem()] = func() interface{} { return suite.Secret() }
	return protobuf.DecodeWithConstructors(data, v, cons)
}
Beispiel #13
0
func TestSmallConfigFaulty(t *testing.T) {
	faultyNodes := make([]int, 0)
	faultyNodes = append(faultyNodes, 2, 5)
	suite := nist.NewAES128SHA256P256()
	RoundsPerView := 100
	if err := runTreeSmallConfig(sign.MerkleTree, RoundsPerView, suite, 1, faultyNodes...); err != nil {
		t.Fatal(err)
	}
}
Beispiel #14
0
func TestRep(t *testing.T) {
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher(abstract.RandomKey)

	x := suite.Scalar().Pick(rand)
	y := suite.Scalar().Pick(rand)
	B := suite.Point().Base()
	X := suite.Point().Mul(nil, x)
	Y := suite.Point().Mul(X, y)
	R := suite.Point().Add(X, Y)

	choice := make(map[Predicate]int)

	// Simple single-secret predicate: prove X=x*B
	log := Rep("X", "x", "B")

	// Two-secret representation: prove R=x*B+y*X
	rep := Rep("R", "x", "B", "y", "X")

	// Make an and-predicate
	and := And(log, rep)
	andx := And(and)

	// Make up a couple incorrect facts
	falseLog := Rep("Y", "x", "B")
	falseRep := Rep("R", "x", "B", "y", "B")

	falseAnd := And(falseLog, falseRep)

	or1 := Or(falseAnd, andx)
	choice[or1] = 1
	or1x := Or(or1) // test trivial case
	choice[or1x] = 0

	or2a := Rep("B", "y", "X")
	or2b := Rep("R", "x", "R")
	or2 := Or(or2a, or2b)
	or2x := Or(or2) // test trivial case

	pred := Or(or1x, or2x)
	choice[pred] = 0

	sval := map[string]abstract.Scalar{"x": x, "y": y}
	pval := map[string]abstract.Point{"B": B, "X": X, "Y": Y, "R": R}
	prover := pred.Prover(suite, sval, pval, choice)
	proof, err := HashProve(suite, "TEST", rand, prover)
	if err != nil {
		panic("prover: " + err.Error())
	}

	verifier := pred.Verifier(suite, pval)
	if err := HashVerify(suite, "TEST", verifier, proof); err != nil {
		panic("verify: " + err.Error())
	}
}
Beispiel #15
0
// This example demonstrates how to create unlinkable anonymity-set signatures,
// and to verify them,
// using a small anonymity set containing three public keys.
func ExampleSign_anonSet() {

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	// Create an anonymity set of random "public keys"
	X := make([]abstract.Point, 3)
	for i := range X { // pick random points
		X[i], _ = suite.Point().Pick(nil, rand)
	}

	// Make just one of them an actual public/private keypair (X[mine],x)
	mine := 1                           // only the signer knows this
	x := suite.Secret().Pick(rand)      // create a private key x
	X[mine] = suite.Point().Mul(nil, x) // corresponding public key X

	// Generate the signature
	M := []byte("Hello World!") // message we want to sign
	sig := Sign(suite, rand, M, Set(X), nil, mine, x)
	fmt.Print("Signature:\n" + hex.Dump(sig))

	// Verify the signature against the correct message
	tag, err := Verify(suite, M, Set(X), nil, sig)
	if err != nil {
		panic(err.Error())
	}
	if tag == nil || len(tag) != 0 {
		panic("Verify returned wrong tag")
	}
	fmt.Println("Signature verified against correct message.")

	// Verify the signature against the wrong message
	BAD := []byte("Goodbye world!")
	tag, err = Verify(suite, BAD, Set(X), nil, sig)
	if err == nil || tag != nil {
		panic("Signature verified against wrong message!?")
	}
	fmt.Println("Verifying against wrong message: " + err.Error())

	// Output:
	// Signature:
	// 00000000  eb 16 0d c9 1e 19 f5 da  f7 9b 77 7d 52 0b f1 82  |..........w}R...|
	// 00000010  4b e3 dd 6c 44 f3 6f fe  c3 c1 1a 6e 1f a8 43 26  |K..lD.o....n..C&|
	// 00000020  63 d3 5a 0e 97 78 e6 74  ce a0 24 34 c1 66 7d af  |c.Z..x.t..$4.f}.|
	// 00000030  32 9e 59 22 f2 9a 67 3c  ea e5 4f 54 6d 3e 07 f1  |2.Y"..g<..OTm>..|
	// 00000040  63 10 77 96 09 a3 c1 e4  85 f8 d9 97 0c 47 dc 73  |c.w..........G.s|
	// 00000050  da 6c d8 11 8a 2e 00 a7  f2 01 45 e0 91 4e 28 d6  |.l........E..N(.|
	// 00000060  b2 b5 3a e1 c8 8c f7 29  8a 13 75 59 98 ea ce f4  |..:....)..uY....|
	// 00000070  6d d5 d0 62 85 51 8e fe  d9 4a 02 1f 35 03 33 d3  |m..b.Q...J..5.3.|
	// Signature verified against correct message.
	// Verifying against wrong message: invalid signature
}
Beispiel #16
0
func ExampleEncrypt_anonSet() {

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	// Create an anonymity set of random "public keys"
	X := make([]abstract.Point, 3)
	for i := range X { // pick random points
		X[i], _ = suite.Point().Pick(nil, rand)
	}

	// Make just one of them an actual public/private keypair (X[mine],x)
	mine := 1                           // only the signer knows this
	x := suite.Secret().Pick(rand)      // create a private key x
	X[mine] = suite.Point().Mul(nil, x) // corresponding public key X

	// Encrypt a message with all the public keys
	M := []byte("Hello World!") // message to encrypt
	C := Encrypt(suite, rand, M, Set(X), false)
	fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C))

	// Decrypt the ciphertext with the known private key
	MM, err := Decrypt(suite, C, Set(X), mine, x, false)
	if err != nil {
		panic(err.Error())
	}
	if !bytes.Equal(M, MM) {
		panic("Decryption failed to reproduce message")
	}
	fmt.Printf("Decrypted: '%s'\n", string(MM))

	// Output:
	// Encryption of 'Hello World!':
	// 00000000  04 a4 2a cf e6 41 38 3f  d4 df 6e f4 70 05 a8 ec  |..*..A8?..n.p...|
	// 00000010  55 8a a5 a4 73 7f 34 ae  1c 50 69 fe af e4 71 01  |U...s.4..Pi...q.|
	// 00000020  51 33 a7 89 e2 f0 85 81  ce e9 bc d2 49 cb aa 9a  |Q3..........I...|
	// 00000030  55 c5 99 ad 5c a5 e4 36  e4 71 c8 c1 58 4c f7 aa  |U...\..6.q..XL..|
	// 00000040  2f 3f d2 9a ec 4b fd 85  5e 1b 7f 08 3b 82 12 75  |/?...K..^...;..u|
	// 00000050  76 e5 b2 0a 48 d1 d1 9a  5f 45 eb 57 e6 5b 4c 81  |v...H..._E.W.[L.|
	// 00000060  10 d7 98 e0 f4 ce 98 9f  94 66 28 8d c4 ff 61 3f  |.........f(...a?|
	// 00000070  2a 61 c1 31 f8 b5 60 b7  82 05 64 e4 cd 86 66 43  |*a.1..`...d...fC|
	// 00000080  f1 c1 de 23 d5 ea 19 ba  dd 27 fa 4c 66 d8 a0 19  |...#.....'.Lf...|
	// 00000090  1e 6c ea 70 b7 71 8f b5  cd 3a 49 6d c3 03 08 e0  |.l.p.q...:Im....|
	// 000000a0  4d d6 67 9c 02 67 38 c2  d8 78 0d fd 97 f2 2b 8b  |M.g..g8..x....+.|
	// 000000b0  b3 b2 ae 0d f1 2b 1c 1b  13 9d 71 75 b8           |.....+....qu.|
	// Decrypted: 'Hello World!'
}
Beispiel #17
0
func main() {
	flag.Parse()
	if flag.NArg() < 3 {
		panic("usage: main.go id k N")
	}
	id, _ := strconv.Atoi(flag.Arg(0))
	k, _ := strconv.Atoi(flag.Arg(1))
	N, _ := strconv.Atoi(flag.Arg(2))

	suite := nist.NewAES128SHA256P256()
	s := NewShuffler(suite, id, k, N)

	if id == 0 {
		go s.initiateShuffle()
	}
	s.ListenAndServe()
}
Beispiel #18
0
// This example shows how to build classic ElGamal-style digital signatures
// using the Camenisch/Stadler proof framework and HashProver.
func ExampleHashProve_1() {

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))
	B := suite.Point().Base() // standard base point

	// Create a public/private keypair (X,x)
	x := suite.Scalar().Pick(rand) // create a private key x
	X := suite.Point().Mul(nil, x) // corresponding public key X

	// Generate a proof that we know the discrete logarithm of X.
	M := "Hello World!" // message we want to sign
	rep := Rep("X", "x", "B")
	sec := map[string]abstract.Scalar{"x": x}
	pub := map[string]abstract.Point{"B": B, "X": X}
	prover := rep.Prover(suite, sec, pub, nil)
	proof, _ := HashProve(suite, M, rand, prover)
	fmt.Print("Signature:\n" + hex.Dump(proof))

	// Verify the signature against the correct message M.
	verifier := rep.Verifier(suite, pub)
	err := HashVerify(suite, M, verifier, proof)
	if err != nil {
		panic("signature failed to verify!")
	}
	fmt.Println("Signature verified against correct message M.")

	// Now verify the signature against the WRONG message.
	BAD := "Goodbye World!"
	verifier = rep.Verifier(suite, pub)
	err = HashVerify(suite, BAD, verifier, proof)
	fmt.Println("Signature verify against wrong message: " + err.Error())

	// Output:
	// Signature:
	// 00000000  04 23 62 b1 f9 cb f4 a2  6d 7f 3e 69 cb b6 77 ab  |.#b.....m.>i..w.|
	// 00000010  90 fc 7c db a0 c6 e8 12  f2 0a d4 40 a4 b6 c4 de  |..|........@....|
	// 00000020  9e e8 61 88 5e 50 fd 03  a9 ff 9c a3 c4 29 f7 18  |..a.^P.......)..|
	// 00000030  49 ad 31 0e f9 17 15 1e  3b 8d 0e 2f b2 c4 28 32  |I.1.....;../..(2|
	// 00000040  4a 5c 64 ca 04 eb 33 db  a9 75 9b 01 6b 12 01 ae  |J\d...3..u..k...|
	// 00000050  4e de 7c 6b 53 85 f8 a5  76 ba eb 7e 2e 61 2c a5  |N.|kS...v..~.a,.|
	// 00000060  e8                                                |.|
	// Signature verified against correct message M.
	// Signature verify against wrong message: invalid proof: commit mismatch
}
Beispiel #19
0
// This example demonstrates signing and signature verification
// using a trivial "anonymity set" of size 1, i.e., no anonymity.
// In this special case the signing scheme devolves to
// producing traditional ElGamal signatures:
// the resulting signatures are exactly the same length
// and represent essentially the same computational cost.
func ExampleSign_1() {

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	// Create a public/private keypair (X[mine],x)
	X := make([]abstract.Point, 1)
	mine := 0                           // which public key is mine
	x := suite.Secret().Pick(rand)      // create a private key x
	X[mine] = suite.Point().Mul(nil, x) // corresponding public key X

	// Generate the signature
	M := []byte("Hello World!") // message we want to sign
	sig := Sign(suite, rand, M, Set(X), nil, mine, x)
	fmt.Print("Signature:\n" + hex.Dump(sig))

	// Verify the signature against the correct message
	tag, err := Verify(suite, M, Set(X), nil, sig)
	if err != nil {
		panic(err.Error())
	}
	if tag == nil || len(tag) != 0 {
		panic("Verify returned wrong tag")
	}
	fmt.Println("Signature verified against correct message.")

	// Verify the signature against the wrong message
	BAD := []byte("Goodbye world!")
	tag, err = Verify(suite, BAD, Set(X), nil, sig)
	if err == nil || tag != nil {
		panic("Signature verified against wrong message!?")
	}
	fmt.Println("Verifying against wrong message: " + err.Error())

	// Output:
	// Signature:
	// 00000000  0d 3a d5 66 4d cd 8a bc  ee ae 4a 92 12 e7 63 68  |.:.fM.....J...ch|
	// 00000010  c3 61 9f b0 65 ce f1 d9  83 a7 40 4f e0 7b 58 f5  |.a..e.....@O.{X.|
	// 00000020  5c 64 ca 04 eb 33 db a9  75 9b 01 6b 12 01 ae 4e  |\d...3..u..k...N|
	// 00000030  de 7c 6b 53 85 f8 a5 76  ba eb 7e 2e 61 2c a5 e8  |.|kS...v..~.a,..|
	// Signature verified against correct message.
	// Verifying against wrong message: invalid signature
}
Beispiel #20
0
func TestTreeFromRandomGraph(t *testing.T) {
	//defer profile.Start(profile.CPUProfile, profile.ProfilePath(".")).Stop()
	hc, err := loadGraph("../data/wax.dat", nist.NewAES128SHA256P256(), random.Stream)
	if err != nil || hc == nil {
		fmt.Println("run data/gen.py to generate graphs")
		return
	}
	// if err := ioutil.WriteFile("data/wax.json", []byte(hc.String()), 0666); err != nil {
	// 	fmt.Println(err)
	// }
	//fmt.Println(hc.String())

	// Have root node initiate the signing protocol
	// via a simple annoucement
	hc.SNodes[0].LogTest = []byte("Hello World")
	//fmt.Println(hc.SNodes[0].NChildren())
	//fmt.Println(hc.SNodes[0].Peers())
	hc.SNodes[0].Announce(0, &sign.AnnouncementMessage{LogTest: hc.SNodes[0].LogTest})
}
Beispiel #21
0
// This example shows how to generate and verify noninteractive proofs
// of the statement in the example above, i.e.,
// a proof of ownership of public key X.
func ExampleRep_2() {
	pred := Rep("X", "x", "B")
	fmt.Println(pred.String())

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))
	B := suite.Point().Base() // standard base point

	// Create a public/private keypair (X,x)
	x := suite.Scalar().Pick(rand) // create a private key x
	X := suite.Point().Mul(nil, x) // corresponding public key X

	// Generate a proof that we know the discrete logarithm of X.
	sval := map[string]abstract.Scalar{"x": x}
	pval := map[string]abstract.Point{"B": B, "X": X}
	prover := pred.Prover(suite, sval, pval, nil)
	proof, _ := HashProve(suite, "TEST", rand, prover)
	fmt.Print("Proof:\n" + hex.Dump(proof))

	// Verify this knowledge proof.
	verifier := pred.Verifier(suite, pval)
	err := HashVerify(suite, "TEST", verifier, proof)
	if err != nil {
		panic("proof failed to verify!")
	}
	fmt.Println("Proof verified.")

	// Output:
	// X=x*B
	// Proof:
	// 00000000  04 23 62 b1 f9 cb f4 a2  6d 7f 3e 69 cb b6 77 ab  |.#b.....m.>i..w.|
	// 00000010  90 fc 7c db a0 c6 e8 12  f2 0a d4 40 a4 b6 c4 de  |..|........@....|
	// 00000020  9e e8 61 88 5e 50 fd 03  a9 ff 9c a3 c4 29 f7 18  |..a.^P.......)..|
	// 00000030  49 ad 31 0e f9 17 15 1e  3b 8d 0e 2f b2 c4 28 32  |I.1.....;../..(2|
	// 00000040  4a 20 ba b2 9d 3a 40 ae  0f 28 16 a2 ad 44 76 d2  |J ...:@..(...Dv.|
	// 00000050  83 f2 09 4d b8 a5 d0 f6  5e 5d ff 6e b7 9a 0f 1b  |...M....^].n....|
	// 00000060  9a                                                |.|
	// Proof verified.
}
Beispiel #22
0
func ExampleEncrypt_1() {

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	// Create a public/private keypair (X[mine],x)
	X := make([]abstract.Point, 1)
	mine := 0                           // which public key is mine
	x := suite.Secret().Pick(rand)      // create a private key x
	X[mine] = suite.Point().Mul(nil, x) // corresponding public key X

	// Encrypt a message with the public key
	M := []byte("Hello World!") // message to encrypt
	C := Encrypt(suite, rand, M, Set(X), false)
	fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C))

	// Decrypt the ciphertext with the private key
	MM, err := Decrypt(suite, C, Set(X), mine, x, false)
	if err != nil {
		panic(err.Error())
	}
	if !bytes.Equal(M, MM) {
		panic("Decryption failed to reproduce message")
	}
	fmt.Printf("Decrypted: '%s'\n", string(MM))

	// Output:
	// Encryption of 'Hello World!':
	// 00000000  04 23 62 b1 f9 cb f4 a2  6d 7f 3e 69 cb b6 77 ab  |.#b.....m.>i..w.|
	// 00000010  90 fc 7c db a0 c6 e8 12  f2 0a d4 40 a4 b6 c4 de  |..|........@....|
	// 00000020  9e e8 61 88 5e 50 fd 03  a9 ff 9c a3 c4 29 f7 18  |..a.^P.......)..|
	// 00000030  49 ad 31 0e f9 17 15 1e  3b 8d 0e 2f b2 c4 28 32  |I.1.....;../..(2|
	// 00000040  4a a4 16 00 51 da 5e d5  3a df f3 02 fe 77 0d 11  |J...Q.^.:....w..|
	// 00000050  27 7b 29 b4 a0 47 7a 82  8f 0a 98 4f fe fe 1e 5d  |'{)..Gz....O...]|
	// 00000060  cf d2 08 9a e5 f0 d9 3c  6b 0d 83 35 6d 15 b1 93  |.......<k..5m...|
	// 00000070  af 1d a2 17 df db 3c 2b  89 32 1b 62 1b           |......<+.2.b.|
	// Decrypted: 'Hello World!'
}
Beispiel #23
0
func BenchmarkVerify100OpenSSL(b *testing.B) {
	benchVerify(nist.NewAES128SHA256P256(),
		benchPubOpenSSL[:100], benchSig100OpenSSL, b.N)
}
Beispiel #24
0
func BenchmarkSign100OpenSSL(b *testing.B) {
	benchSign(nist.NewAES128SHA256P256(),
		benchPubOpenSSL[:100], benchPriOpenSSL, b.N)
}
Beispiel #25
0
func benchGenKeysOpenSSL(nkeys int) ([]abstract.Point, abstract.Secret) {
	return benchGenKeys(nist.NewAES128SHA256P256(), nkeys)
}
Beispiel #26
0
// This example demonstrates the creation of linkable anonymity set signatures,
// and verification, using an anonymity set containing three public keys.
// We produce four signatures, two from each of two private key-holders,
// demonstrating how the resulting verifiable tags distinguish
// signatures by the same key-holder from signatures by different key-holders.
func ExampleSign_linkable() {

	// Crypto setup
	suite := nist.NewAES128SHA256P256()
	rand := suite.Cipher([]byte("example"))

	// Create an anonymity set of random "public keys"
	X := make([]abstract.Point, 3)
	for i := range X { // pick random points
		X[i], _ = suite.Point().Pick(nil, rand)
	}

	// Make two actual public/private keypairs (X[mine],x)
	mine1 := 1 // only the signer knows this
	mine2 := 2
	x1 := suite.Secret().Pick(rand) // create a private key x
	x2 := suite.Secret().Pick(rand)
	X[mine1] = suite.Point().Mul(nil, x1) // corresponding public key X
	X[mine2] = suite.Point().Mul(nil, x2)

	// Generate two signatures using x1 and two using x2
	M := []byte("Hello World!")     // message we want to sign
	S := []byte("My Linkage Scope") // scope for linkage tags
	var sig [4][]byte
	sig[0] = Sign(suite, rand, M, Set(X), S, mine1, x1)
	sig[1] = Sign(suite, rand, M, Set(X), S, mine1, x1)
	sig[2] = Sign(suite, rand, M, Set(X), S, mine2, x2)
	sig[3] = Sign(suite, rand, M, Set(X), S, mine2, x2)
	for i := range sig {
		fmt.Printf("Signature %d:\n%s", i, hex.Dump(sig[i]))
	}

	// Verify the signatures against the correct message
	var tag [4][]byte
	for i := range sig {
		goodtag, err := Verify(suite, M, Set(X), S, sig[i])
		if err != nil {
			panic(err.Error())
		}
		tag[i] = goodtag
		if tag[i] == nil || len(tag[i]) != suite.PointLen() {
			panic("Verify returned invalid tag")
		}
		fmt.Printf("Sig%d tag: %s\n", i,
			hex.EncodeToString(tag[i]))

		// Verify the signature against the wrong message
		BAD := []byte("Goodbye world!")
		badtag, err := Verify(suite, BAD, Set(X), S, sig[i])
		if err == nil || badtag != nil {
			panic("Signature verified against wrong message!?")
		}
	}
	if !bytes.Equal(tag[0], tag[1]) || !bytes.Equal(tag[2], tag[3]) ||
		bytes.Equal(tag[0], tag[2]) {
		panic("tags aren't coming out right!")
	}

	// Output:
	// Signature 0:
	// 00000000  c6 e9 27 a5 00 5d 22 40  d2 a2 5d 08 44 2b ec 2e  |..'..]"@..].D+..|
	// 00000010  e2 01 a6 85 70 70 b4 73  2c 18 24 f1 46 44 22 09  |....pp.s,.$.FD".|
	// 00000020  1e 6d 18 7f 8b 95 e3 c4  b9 33 ad 94 69 b5 b4 13  |.m.......3..i...|
	// 00000030  b8 51 2f 24 a7 98 e4 06  f4 b2 f3 ee e8 73 de 78  |.Q/$.........s.x|
	// 00000040  a3 9d 4b 1c 74 6f 3a 50  89 c9 10 cc bb b0 5c a7  |..K.to:P......\.|
	// 00000050  09 a9 23 47 0f 36 08 a4  f3 46 ad 14 2d f0 9d c1  |..#G.6...F..-...|
	// 00000060  63 d3 5a 0e 97 78 e6 74  ce a0 24 34 c1 66 7d af  |c.Z..x.t..$4.f}.|
	// 00000070  32 9e 59 22 f2 9a 67 3c  ea e5 4f 54 6d 3e 07 f1  |2.Y"..g<..OTm>..|
	// 00000080  04 00 33 42 ee 88 9f 5d  fa 2e be 6a 72 fd 67 22  |..3B...]...jr.g"|
	// 00000090  c1 e0 ed 35 69 d7 e4 67  df 92 e7 ca 75 2f e6 72  |...5i..g....u/.r|
	// 000000a0  79 3a 32 e2 8b 45 61 e8  7d e5 95 5b 0a 30 35 e9  |y:2..Ea.}..[.05.|
	// 000000b0  af 3c 41 48 59 d9 e2 73  68 77 31 f3 36 cc ee 78  |.<AHY..shw1.6..x|
	// 000000c0  ab                                                |.|
	// Signature 1:
	// 00000000  69 4c 29 32 cb 9c f6 ca  80 72 f6 25 e0 ef 44 0b  |iL)2.....r.%..D.|
	// 00000010  f2 0b e3 ab 98 c4 62 a3  10 13 09 02 9a f1 f1 00  |......b.........|
	// 00000020  7f 03 ca 4f 75 84 fe 06  2c 9c 64 0e 99 c6 f1 91  |...Ou...,.d.....|
	// 00000030  62 43 48 b6 f8 20 41 2b  fa 59 e7 35 be f8 4c 1b  |bCH.. A+.Y.5..L.|
	// 00000040  f0 d8 af 83 ad 9a 87 55  ca be 46 f9 42 a2 dd 18  |.......U..F.B...|
	// 00000050  18 83 f1 f5 6d 82 e5 38  49 bf 24 9e 80 a4 12 eb  |....m..8I.$.....|
	// 00000060  56 c5 3f 08 bb 99 6d 7d  0a f8 ac c5 29 e8 94 54  |V.?...m}....)..T|
	// 00000070  3e 4d fb ca b5 1d 9a 29  56 a0 09 f9 ec 6d b5 28  |>M.....)V....m.(|
	// 00000080  04 00 33 42 ee 88 9f 5d  fa 2e be 6a 72 fd 67 22  |..3B...]...jr.g"|
	// 00000090  c1 e0 ed 35 69 d7 e4 67  df 92 e7 ca 75 2f e6 72  |...5i..g....u/.r|
	// 000000a0  79 3a 32 e2 8b 45 61 e8  7d e5 95 5b 0a 30 35 e9  |y:2..Ea.}..[.05.|
	// 000000b0  af 3c 41 48 59 d9 e2 73  68 77 31 f3 36 cc ee 78  |.<AHY..shw1.6..x|
	// 000000c0  ab                                                |.|
	// Signature 2:
	// 00000000  94 d0 51 98 05 a1 79 6c  16 4e 7f f2 58 c8 09 b8  |..Q...yl.N..X...|
	// 00000010  32 12 a5 dc be f3 cf 08  a8 77 8f 7e a7 32 dd 2b  |2........w.~.2.+|
	// 00000020  8b 48 7e 5a 4f eb 1d 1f  c8 6c 96 e6 38 86 a9 50  |.H~ZO....l..8..P|
	// 00000030  dc 69 e8 2d c9 ed 41 51  38 9d 5c 5f 9b e6 93 aa  |.i.-..AQ8.\_....|
	// 00000040  1c f7 7d 2f d1 ad 5c cd  4d ab 3a ed 2f 29 08 81  |..}/..\.M.:./)..|
	// 00000050  55 61 40 8d 86 88 cd e6  62 be 28 b4 90 9c ae 69  |[email protected].(....i|
	// 00000060  54 1a 20 09 f3 84 ad 29  dc a8 64 cf c6 ec 92 f0  |T. ....)..d.....|
	// 00000070  76 0f 36 28 66 88 81 2b  59 43 0c 69 6f f2 7a 8e  |v.6(f..+YC.io.z.|
	// 00000080  04 80 18 09 20 80 e9 9b  39 bc 17 47 55 13 8f c9  |.... ...9..GU...|
	// 00000090  b4 9d 11 78 7b 56 0f f6  db 38 5f b4 f1 4f 3f 93  |...x{V...8_..O?.|
	// 000000a0  63 9c 33 ea 86 f6 e1 54  79 c9 14 9f 45 b6 88 59  |c.3....Ty...E..Y|
	// 000000b0  49 b6 76 99 c7 0c 84 6d  1a 9e 05 b0 30 c1 48 f2  |I.v....m....0.H.|
	// 000000c0  9a                                                |.|
	// Signature 3:
	// 00000000  1a 64 49 4a ff 66 bc 88  93 54 30 e9 96 89 34 76  |.dIJ.f...T0...4v|
	// 00000010  f6 95 e0 a9 84 8a a2 6e  f4 5e 7f db 58 d9 8a 48  |.......n.^..X..H|
	// 00000020  84 bd 96 a9 6b 6e c2 47  03 9f 18 33 73 a5 2b ee  |....kn.G...3s.+.|
	// 00000030  11 e1 99 36 bf 44 42 26  5e f8 cc 25 1e 8a 97 2b  |...6.DB&^..%...+|
	// 00000040  7f 57 93 33 c5 fb 27 9f  24 e9 d4 3f 1c 16 67 4c  |.W.3..'.$..?..gL|
	// 00000050  50 0b d1 0b 08 9b 0f 3f  cb ac 96 e8 92 3c a5 3d  |P......?.....<.=|
	// 00000060  d4 83 2c dd c6 6d e4 68  67 b7 dc 39 68 77 de 3d  |..,..m.hg..9hw.=|
	// 00000070  8c 83 0d b2 24 4b d6 17  e4 ce 78 7a 63 b7 f0 bb  |....$K....xzc...|
	// 00000080  04 80 18 09 20 80 e9 9b  39 bc 17 47 55 13 8f c9  |.... ...9..GU...|
	// 00000090  b4 9d 11 78 7b 56 0f f6  db 38 5f b4 f1 4f 3f 93  |...x{V...8_..O?.|
	// 000000a0  63 9c 33 ea 86 f6 e1 54  79 c9 14 9f 45 b6 88 59  |c.3....Ty...E..Y|
	// 000000b0  49 b6 76 99 c7 0c 84 6d  1a 9e 05 b0 30 c1 48 f2  |I.v....m....0.H.|
	// 000000c0  9a                                                |.|
	// Sig0 tag: 04003342ee889f5dfa2ebe6a72fd6722c1e0ed3569d7e467df92e7ca752fe672793a32e28b4561e87de5955b0a3035e9af3c414859d9e273687731f336ccee78ab
	// Sig1 tag: 04003342ee889f5dfa2ebe6a72fd6722c1e0ed3569d7e467df92e7ca752fe672793a32e28b4561e87de5955b0a3035e9af3c414859d9e273687731f336ccee78ab
	// Sig2 tag: 048018092080e99b39bc174755138fc9b49d11787b560ff6db385fb4f14f3f93639c33ea86f6e15479c9149f45b6885949b67699c70c846d1a9e05b030c148f29a
	// Sig3 tag: 048018092080e99b39bc174755138fc9b49d11787b560ff6db385fb4f14f3f93639c33ea86f6e15479c9149f45b6885949b67699c70c846d1a9e05b030c148f29a
}
Beispiel #27
0
func TestSimple(t *testing.T) {
	TestCellCoder(t, nist.NewAES128SHA256P256(), SimpleCoderFactory)
}
Beispiel #28
0
func TestOwned(t *testing.T) {
	TestCellCoder(t, nist.NewAES128SHA256P256(), OwnedCoderFactory)
}
Beispiel #29
0
package insure

import (
	"github.com/dedis/crypto/abstract"
	"github.com/dedis/crypto/edwards"
	"github.com/dedis/crypto/nist"
)

const (
	// The minimum number of private shares needed in order to reconstruct
	// the private secret. This parameter must be known in order to properly
	// decode public polynomial commits.
	TSHARES int = 10
)

// The group to be used for all shares and should be constant.
var INSURE_GROUP abstract.Group = new(edwards.ExtendedCurve).Init(
	edwards.Param25519(), false)

// The group to be used for all public/private key pairs and should be constant.
var KEY_SUITE abstract.Suite = nist.NewAES128SHA256P256()
Beispiel #30
0
package tree

import (
	"bufio"
	"fmt"
	"math"
	"math/rand"
	"os"
	"testing"

	"github.com/dedis/crypto/nist"
	"github.com/dedis/crypto/random"
)

var testSuite = nist.NewAES128SHA256P256()
var testRand = random.Stream

/*
func build(suite abstract.Suite, rand cipher.Stream,
		parent *node, depth, arity int) {

	for i := 0; i < arity; i++ {
		n := newNode(suite, rand, parent.pub)
		parent.addChild(n.pub)

		if depth > 0 {
			build(suite, rand, n, depth-1, arity)
		}
	}
}
*/