/* Verifies that a blameProof proves a share to be maliciously constructed.
*
* Arguments
* i = the index of the share subject to blame
* proof = blameProof that alleges the Dealer to have constructed a bad share.
*
* Return
* an error if the blame is unjustified or nil if the blame is justified.
*/
func (p *Deal) verifyBlame(i int, bproof *blameProof) error {
// Basic sanity checks
if i < 0 || i >= p.n {
return errors.New("Invalid index. Expected 0 <= i < n")
}
if err := p.verifySignature(i, &bproof.signature, sigBlameMsg); err != nil {
return err
}
// Verify the Diffie-Hellman shared secret was constructed properly
pval := map[string]abstract.Point{"D": bproof.diffieKey, "P": p.pubKey}
pred := proof.Rep("D", "x", "P")
verifier := pred.Verifier(p.suite, pval)
err := proof.HashVerify(p.suite, protocolName, verifier,
bproof.proof)
if err != nil {
return err
}
// Verify the share is bad.
diffieSecret := p.diffieHellmanSecret(bproof.diffieKey)
share := p.suite.Secret().Sub(p.secrets[i], diffieSecret)
if p.pubPoly.Check(i, share) {
return errors.New("Unjustified blame. The share checks out okay.")
}
return nil
}
/////////////////////////////////
//Misc
////////////////////////////////
func (s *Server) verifyShuffle(ik InternalKey, aux AuxKeyProof) bool {
Xss := aux.OrigXss
Yss := aux.OrigYss
Xbarss := ik.Xss
Ybarss := ik.Ybarss
prfss := ik.Proofs
for i := range Xss {
pk := UnmarshalPoint(s.suite, ik.Keys[i])
Xs := make([]abstract.Point, len(Xss[i]))
Ys := make([]abstract.Point, len(Yss[i]))
Xbars := make([]abstract.Point, len(Xbarss[i]))
Ybars := make([]abstract.Point, len(Ybarss[i]))
for j := range Xss[i] {
Xs[j] = UnmarshalPoint(s.suite, Xss[i][j])
Ys[j] = UnmarshalPoint(s.suite, Yss[i][j])
Xbars[j] = UnmarshalPoint(s.suite, Xbarss[i][j])
Ybars[j] = UnmarshalPoint(s.suite, Ybarss[i][j])
}
v := shuffle.Verifier(s.suite, nil, pk, Xs, Ys, Xbars, Ybars)
err := proof.HashVerify(s.suite, "PairShuffle", v, prfss[i])
if err != nil {
log.Println("Shuffle verify failed: ", err)
return false
}
}
return true
}
// VerifyProof verifies a decryption proof against a given public key, cipher text and plaintext
// - that is, check if the proof indeed shows that the ciphertext was an encryption
// to the public key of the plaintext.
func (pk *PubKey) VerifyProof(ciphertext *CipherText, plaintext abstract.Point, prf []byte, nonce string) error {
c2m := pk.Suite.Point().Sub(ciphertext.C2, plaintext)
public := map[string]abstract.Point{"h": pk.Key, "g": pk.Base, "c2/m": c2m, "c1": ciphertext.C1}
verifier := getProofPredicate().Verifier(pk.Suite, public)
err := proof.HashVerify(pk.Suite, "ElGamalDecryption"+nonce, verifier, prf)
return err
}
func TestShuffle(suite abstract.Suite, k int, N int) {
rand := suite.Cipher(abstract.RandomKey)
// Create a "server" private/public keypair
h := suite.Scalar().Pick(rand)
H := suite.Point().Mul(nil, h)
// Create a set of ephemeral "client" keypairs to shuffle
c := make([]abstract.Scalar, k)
C := make([]abstract.Point, k)
// fmt.Println("\nclient keys:")
for i := 0; i < k; i++ {
c[i] = suite.Scalar().Pick(rand)
C[i] = suite.Point().Mul(nil, c[i])
// fmt.Println(" "+C[i].String())
}
// ElGamal-encrypt all these keypairs with the "server" key
X := make([]abstract.Point, k)
Y := make([]abstract.Point, k)
r := suite.Scalar() // temporary
for i := 0; i < k; i++ {
r.Pick(rand)
X[i] = suite.Point().Mul(nil, r)
Y[i] = suite.Point().Mul(H, r) // ElGamal blinding factor
Y[i].Add(Y[i], C[i]) // Encrypted client public key
}
// Repeat only the actual shuffle portion for test purposes.
for i := 0; i < N; i++ {
// Do a key-shuffle
Xbar, Ybar, prover := Shuffle(suite, nil, H, X, Y, rand)
prf, err := proof.HashProve(suite, "PairShuffle", rand, prover)
if err != nil {
panic("Shuffle proof failed: " + err.Error())
}
//fmt.Printf("proof:\n%s\n",hex.Dump(prf))
// Check it
verifier := Verifier(suite, nil, H, X, Y, Xbar, Ybar)
err = proof.HashVerify(suite, "PairShuffle", verifier, prf)
if err != nil {
panic("Shuffle verify failed: " + err.Error())
}
}
}
func (s *shuffler) signStateVector(state *stateVector) ([]byte, error) {
rand := s.suite.Cipher(abstract.RandomKey)
st := state.States
for i := 1; i < len(st); i++ {
S, Sbar := st[i-1], st[i]
X, Y := S.X, S.Dec
Xbar, Ybar := Sbar.X, Sbar.Y
H, prf := Sbar.G, Sbar.Prf
// Verify the shuffle.
verifier := shuffle.Verifier(s.suite, nil, H, X, Y, Xbar, Ybar)
err := proof.HashVerify(s.suite, "PairShuffle", verifier, prf)
if err != nil {
panic("verify failed")
return nil, err
}
// Verify the decryption.
seed := abstract.Sum(s.suite, prf)
verRand := s.suite.Cipher(seed)
dec, decPrf := Sbar.Dec, Sbar.DecPrf
// Scratch space for calculations.
pair, c := s.suite.Point(), s.suite.Secret()
zp := s.suite.Point()
for j := range dec {
pair.Sub(Ybar[j], dec[j])
c.Pick(verRand)
T := decPrf[j].T
ss := decPrf[j].S
if !zp.Mul(Xbar[j], ss).Equal(T.Add(T, pair.Mul(pair, c))) {
return nil, errors.New("invalid decryption proof")
}
}
}
bytes, _ := protobuf.Encode(state)
return anon.Sign(s.suite, rand, bytes, anon.Set{s.H}, nil, 0, s.h), nil
}
func verifyNeffShuffle(params map[string]interface{}) {
if _, shuffled := params["shuffled"]; shuffled {
// get all the necessary parameters
xbarList := util.ProtobufDecodePointList(params["xbar"].([]byte))
ybarList := util.ProtobufDecodePointList(params["ybar"].([]byte))
prevKeyList := util.ProtobufDecodePointList(params["prev_keys"].([]byte))
prevValList := util.ProtobufDecodePointList(params["prev_vals"].([]byte))
prePublicKey := anonServer.Suite.Point()
prePublicKey.UnmarshalBinary(params["public_key"].([]byte))
// verify the shuffle
verifier := shuffle.Verifier(anonServer.Suite, nil, prePublicKey, prevKeyList,
prevValList, xbarList, ybarList)
err := proof.HashVerify(anonServer.Suite, "PairShuffle", verifier, params["proof"].([]byte))
if err != nil {
panic("Shuffle verify failed: " + err.Error())
}
}
}
// Verify verifies this Verdict notary ciphertext
func (c *NotaryCipherText) Verify(data *Data) error {
var suite = crypto.Suite
amount := len(c.Points)
pred := getNotaryPredicate(amount)
R := suite.Point().Null()
for _, ar := range data.Commitments {
R.Add(R, ar[c.Index])
}
public := map[string]abstract.Point{"R_j": R, "g_hat": crypto.Generator}
for l := 0; l < amount; l++ {
public["S_j,"+strconv.Itoa(l)] = c.Points[l]
public["-g_"+strconv.Itoa(l)] = suite.Point().Neg(data.getGenerator(l))
}
verifier := pred.Verifier(suite, public)
return proof.HashVerify(suite, "VerdictNotaryCipher"+data.Nonce, verifier, c.Proof)
}
// Verify verifies a Verdict user ciphertext
func (c *UserCipherText) Verify(data *Data) error {
var suite = crypto.Suite
amount := len(c.Points)
pred := GetUserPredicate(amount)
R := suite.Point().Null()
for _, el := range data.Commitments[c.Index] {
R.Add(R, el)
}
public := map[string]abstract.Point{"R_i": R, "g_hat": crypto.Generator,
"Y": data.SlotKeys[c.Slot], "g": crypto.Suite.Point().Base()}
for l := range c.Points {
public["C_i,"+strconv.Itoa(l)] = c.Points[l]
public["g_"+strconv.Itoa(l)] = data.getGenerator(l)
}
verifier := pred.Verifier(suite, public)
return proof.HashVerify(suite, "VerdictUserCipher"+data.Nonce, verifier, c.Proof)
}
// Verify that this shuffle is a valid shuffle of the specified ciphertexts,
// with respect to the given public keys
func (s *VerifiableShuffle) Verify(ciphers []*elgamal.CipherText, pks []*elgamal.PubKey, nonce string, position int) error {
c1, c2 := elgamal.Unpack(ciphers)
shufC1, shufC2 := elgamal.Unpack(s.Shuffled)
sumpk := elgamal.SumKeys(pks[position:])
// Check the shuffle proof
verifier := shuffle.Verifier(pks[0].Suite, pks[0].Base, sumpk.Key, c1, c2, shufC1, shufC2)
err := proof.HashVerify(pks[0].Suite, "ElGamalShuffle"+nonce, verifier, s.ShuffleProof)
if err != nil {
return err
}
// Check the decryption proofs
for i := range ciphers {
err = pks[position].VerifyProof(s.Shuffled[i], s.Decrypted[i].C2, s.DecryptionProofs[i], nonce)
if err != nil {
return err
}
}
return nil
}
