func GetSuite(suite string) abstract.Suite {
var s abstract.Suite
switch {
case suite == "nist256":
s = nist.NewAES128SHA256P256()
case suite == "nist512":
s = nist.NewAES128SHA256QR512()
case suite == "ed25519":
s = ed25519.NewAES128SHA256Ed25519(true)
default:
s = nist.NewAES128SHA256P256()
}
return s
}
// Example of using Schnorr
func ExampleSchnorr() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
// Create a public/private keypair (X,x)
x := suite.Scalar().Pick(rand) // create a private key x
X := suite.Point().Mul(nil, x) // corresponding public key X
// Generate the signature
M := []byte("Hello World!") // message we want to sign
sig := SchnorrSign(suite, rand, M, x)
fmt.Print("Signature:\n" + hex.Dump(sig))
// Verify the signature against the correct message
err := SchnorrVerify(suite, M, X, sig)
if err != nil {
panic(err.Error())
}
fmt.Println("Signature verified against correct message.")
// Output:
// Signature:
// 00000000 c1 7a 91 74 06 48 5d 53 d4 92 27 71 58 07 eb d5 |.z.t.H]S..'qX...|
// 00000010 75 a5 89 92 78 67 fc b1 eb 36 55 63 d1 32 12 20 |u...xg...6Uc.2. |
// 00000020 2c 78 84 81 04 0d 2a a8 fa 80 d0 e8 c3 14 65 e3 |,x....*.......e.|
// 00000030 7f f2 7c 55 c5 d2 c6 70 51 89 40 cd 63 50 bf c6 |..|[email protected]..|
// Signature verified against correct message.
}
/*
This example illustrates how to use the crypto toolkit's abstract group API
to perform basic Diffie-Hellman key exchange calculations,
using the NIST-standard P256 elliptic curve in this case.
Any other suitable elliptic curve or other cryptographic group may be used
simply by changing the first line that picks the suite.
*/
func Example_diffieHellman() {
// Crypto setup: NIST-standardized P256 curve with AES-128 and SHA-256
suite := nist.NewAES128SHA256P256()
// Alice's public/private keypair
a := suite.Scalar().Pick(random.Stream) // Alice's private key
A := suite.Point().Mul(nil, a) // Alice's public key
// Bob's public/private keypair
b := suite.Scalar().Pick(random.Stream) // Alice's private key
B := suite.Point().Mul(nil, b) // Alice's public key
// Assume Alice and Bob have securely obtained each other's public keys.
// Alice computes their shared secret using Bob's public key.
SA := suite.Point().Mul(B, a)
// Bob computes their shared secret using Alice's public key.
SB := suite.Point().Mul(A, b)
// They had better be the same!
if !SA.Equal(SB) {
panic("Diffie-Hellman key exchange didn't work")
}
println("Shared secret: " + SA.String())
// Output:
}
/*
This example illustrates how the crypto toolkit may be used
to perform "pure" ElGamal encryption,
in which the message to be encrypted is small enough to be embedded
directly within a group element (e.g., in an elliptic curve point).
For basic background on ElGamal encryption see for example
http://en.wikipedia.org/wiki/ElGamal_encryption.
Most public-key crypto libraries tend not to support embedding data in points,
in part because for "vanilla" public-key encryption you don't need it:
one would normally just generate an ephemeral Diffie-Hellman secret
and use that to seed a symmetric-key crypto algorithm such as AES,
which is much more efficient per bit and works for arbitrary-length messages.
However, in many advanced public-key crypto algorithms it is often useful
to be able to embedded data directly into points and compute with them:
as just one of many examples,
the proactively verifiable anonymous messaging scheme prototyped in Verdict
(see http://dedis.cs.yale.edu/dissent/papers/verdict-abs).
For fancier versions of ElGamal encryption implemented in this toolkit
see for example anon.Encrypt, which encrypts a message for
one of several possible receivers forming an explicit anonymity set.
*/
func Example_elGamalEncryption() {
suite := nist.NewAES128SHA256P256()
// Create a public/private keypair
a := suite.Secret().Pick(random.Stream) // Alice's private key
A := suite.Point().Mul(nil, a) // Alice's public key
// ElGamal-encrypt a message using the public key.
m := []byte("The quick brown fox")
K, C, _ := ElGamalEncrypt(suite, A, m)
// Decrypt it using the corresponding private key.
mm, err := ElGamalDecrypt(suite, a, K, C)
// Make sure it worked!
if err != nil {
panic("decryption failed: " + err.Error())
}
if string(mm) != string(m) {
panic("decryption produced wrong output: " + string(mm))
}
println("Decryption succeeded: " + string(mm))
// Output:
}
// Generateparams will return a curve and and its random associated
// Use random bytes of length RandomByteLength
func GenerateP256(buf []byte) P256Params {
// Curve generation
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher(buf)
return P256Params{Suite: suite, Rand: rand}
}
func benchGenSigOpenSSL(nkeys int) []byte {
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
return Sign(suite, rand, benchMessage,
Set(benchPubOpenSSL[:nkeys]), nil,
0, benchPriOpenSSL)
}
// Test for Marshalling and Unmarshalling Comit Messages
// Important: when making empty HashIds len should be set to HASH_SIZE
func TestMUCommit(t *testing.T) {
var err error
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("exampfsdjkhujgkjsgfjgle"))
rand2 := suite.Cipher([]byte("examplsfhsjedgjhsge2"))
cm := &sign.CommitmentMessage{}
cm.V, _ = suite.Point().Pick(nil, rand)
cm.V_hat, _ = suite.Point().Pick(nil, rand2)
cm.MTRoot = make([]byte, hashid.Size)
sm := sign.SigningMessage{Type: sign.Commitment, Com: cm}
smBytes, err := sm.MarshalBinary()
if err != nil {
t.Error(err)
}
messg := &sign.SigningMessage{}
err = messg.UnmarshalBinary(smBytes)
cm2 := messg.Com
// test for equality after marshal and unmarshal
if !cm2.V.Equal(cm.V) ||
!cm2.V_hat.Equal(cm.V_hat) ||
bytes.Compare(cm2.MTRoot, cm.MTRoot) != 0 {
t.Error("commit message MU failed")
}
}
// Test for Marshalling and Unmarshalling Challenge Messages
// Important: when making empty HashIds len should be set to HASH_SIZE
func TestMUChallenge(t *testing.T) {
nHashIds := 3
var err error
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
cm := &sign.ChallengeMessage{}
cm.C = suite.Secret().Pick(rand)
cm.MTRoot = make([]byte, hashid.Size)
cm.Proof = proof.Proof(make([]hashid.HashId, nHashIds))
for i := 0; i < nHashIds; i++ {
cm.Proof[i] = make([]byte, hashid.Size)
}
sm := &sign.SigningMessage{Type: sign.Challenge, Chm: cm}
smBytes, err := sm.MarshalBinary()
if err != nil {
t.Error(err)
}
messg := &sign.SigningMessage{}
err = messg.UnmarshalBinary(smBytes)
cm2 := messg.Chm
// test for equality after marshal and unmarshal
if !cm2.C.Equal(cm.C) ||
bytes.Compare(cm2.MTRoot, cm.MTRoot) != 0 ||
!byteArrayEqual(cm2.Proof, cm.Proof) {
t.Error("challenge message MU failed")
}
}
// Configuration file data/exconf.json
// 0
// / \
// 1 4
// / \ \
// 2 3 5
func TestSmallConfigHealthy(t *testing.T) {
suite := nist.NewAES128SHA256P256()
RoundsPerView := 100
if err := runTreeSmallConfig(sign.MerkleTree, RoundsPerView, suite, 0); err != nil {
t.Fatal(err)
}
}
// This code shows how to create and verify Or-predicate proofs,
// such as the one above.
// In this case, we know a secret x such that X=x*B,
// but we don't know a secret y such that Y=y*B,
// because we simply pick Y as a random point
// instead of generating it by scalar multiplication.
// (And if the group is cryptographically secure
// we won't find be able to find such a y.)
func ExampleOr_2() {
// Create an Or predicate.
pred := Or(Rep("X", "x", "B"), Rep("Y", "y", "B"))
fmt.Println("Predicate: " + pred.String())
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
B := suite.Point().Base() // standard base point
// Create a public/private keypair (X,x) and a random point Y
x := suite.Scalar().Pick(rand) // create a private key x
X := suite.Point().Mul(nil, x) // corresponding public key X
Y, _ := suite.Point().Pick(nil, rand) // pick a random point Y
// We'll need to tell the prover which Or clause is actually true.
// In this case clause 0, the first sub-predicate, is true:
// i.e., we know a secret x such that X=x*B.
choice := make(map[Predicate]int)
choice[pred] = 0
// Generate a proof that we know the discrete logarithm of X or Y.
sval := map[string]abstract.Scalar{"x": x}
pval := map[string]abstract.Point{"B": B, "X": X, "Y": Y}
prover := pred.Prover(suite, sval, pval, choice)
proof, _ := HashProve(suite, "TEST", rand, prover)
fmt.Print("Proof:\n" + hex.Dump(proof))
// Verify this knowledge proof.
// The verifier doesn't need the secret values or choice map, of course.
verifier := pred.Verifier(suite, pval)
err := HashVerify(suite, "TEST", verifier, proof)
if err != nil {
panic("proof failed to verify!")
}
fmt.Println("Proof verified.")
// Output:
// Predicate: X=x*B || Y=y*B
// Proof:
// 00000000 04 af 84 ed e5 86 04 cf 81 e4 18 17 84 0c 39 ab |..............9.|
// 00000010 fe 5c bc cc 00 85 e0 a2 ee aa d5 22 18 dd c4 a1 |.\........."....|
// 00000020 5b 85 52 d4 dd 72 9b d2 2b e2 02 d2 5f 6f cb 10 |[.R..r..+..._o..|
// 00000030 b5 1b 18 c3 02 1e 2f dd 50 54 9d 4c 19 aa 30 80 |....../.PT.L..0.|
// 00000040 4a 04 f8 26 2f 55 ed b3 00 ad 38 ba f9 0f d6 fb |J..&/U....8.....|
// 00000050 0a d1 0e 56 be dd 71 7d 1d a9 36 2f 1f 20 b8 98 |...V..q}..6/. ..|
// 00000060 a6 3f d0 fa dc 52 ca 57 8d 7e 37 aa ac e5 8c 4c |.?...R.W.~7....L|
// 00000070 2a eb d9 5c 0c 68 c8 e8 ac 99 7f b4 96 56 cf 59 |*..\.h.......V.Y|
// 00000080 79 6f c5 c2 0a 9f 1f 3b 34 61 0f 9b b7 50 00 b7 |yo.....;4a...P..|
// 00000090 29 02 8e d5 41 9a 92 95 6b 4e 18 5b 89 a5 93 1e |)...A...kN.[....|
// 000000a0 42 cd 32 17 7d 53 c5 e4 48 79 49 b2 3e 1e e2 62 |B.2.}S..HyI.>..b|
// 000000b0 39 08 13 d5 2e f8 c5 e9 c1 28 09 91 7a 95 c9 12 |9........(..z...|
// 000000c0 17 85 49 9e b0 3c fe fc 5d 5b 73 b1 d2 bf f9 59 |..I..<..][s....Y|
// 000000d0 5b 5f 10 12 cb 9c d0 c6 bc 2c 75 fb 52 9c 66 c5 |[_.......,u.R.f.|
// 000000e0 17 cb 93 8b c6 f6 34 12 83 a0 32 2e 82 2c 4b fb |......4...2..,K.|
// 000000f0 b3 0c a1 4b a5 e3 27 43 b6 2f ed fa ca 4f 93 83 |...K..'C./...O..|
// 00000100 fd 56 |.V|
// Proof verified.
}
// All Returns a map of all suites
func All() Suites {
s := make(Suites)
s.add(nist.NewAES128SHA256P256())
s.add(nist.NewAES128SHA256QR512())
s.add(ed25519.NewAES128SHA256Ed25519(false))
s.add(edwards.NewAES128SHA256Ed25519(false))
return s
}
func (v *Vote) UnmarshalBinary(data []byte) error {
var cons = make(protobuf.Constructors)
var point abstract.Point
var secret abstract.Secret
var suite = nist.NewAES128SHA256P256()
cons[reflect.TypeOf(&point).Elem()] = func() interface{} { return suite.Point() }
cons[reflect.TypeOf(&secret).Elem()] = func() interface{} { return suite.Secret() }
return protobuf.DecodeWithConstructors(data, v, cons)
}
func TestSmallConfigFaulty(t *testing.T) {
faultyNodes := make([]int, 0)
faultyNodes = append(faultyNodes, 2, 5)
suite := nist.NewAES128SHA256P256()
RoundsPerView := 100
if err := runTreeSmallConfig(sign.MerkleTree, RoundsPerView, suite, 1, faultyNodes...); err != nil {
t.Fatal(err)
}
}
func TestRep(t *testing.T) {
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher(abstract.RandomKey)
x := suite.Scalar().Pick(rand)
y := suite.Scalar().Pick(rand)
B := suite.Point().Base()
X := suite.Point().Mul(nil, x)
Y := suite.Point().Mul(X, y)
R := suite.Point().Add(X, Y)
choice := make(map[Predicate]int)
// Simple single-secret predicate: prove X=x*B
log := Rep("X", "x", "B")
// Two-secret representation: prove R=x*B+y*X
rep := Rep("R", "x", "B", "y", "X")
// Make an and-predicate
and := And(log, rep)
andx := And(and)
// Make up a couple incorrect facts
falseLog := Rep("Y", "x", "B")
falseRep := Rep("R", "x", "B", "y", "B")
falseAnd := And(falseLog, falseRep)
or1 := Or(falseAnd, andx)
choice[or1] = 1
or1x := Or(or1) // test trivial case
choice[or1x] = 0
or2a := Rep("B", "y", "X")
or2b := Rep("R", "x", "R")
or2 := Or(or2a, or2b)
or2x := Or(or2) // test trivial case
pred := Or(or1x, or2x)
choice[pred] = 0
sval := map[string]abstract.Scalar{"x": x, "y": y}
pval := map[string]abstract.Point{"B": B, "X": X, "Y": Y, "R": R}
prover := pred.Prover(suite, sval, pval, choice)
proof, err := HashProve(suite, "TEST", rand, prover)
if err != nil {
panic("prover: " + err.Error())
}
verifier := pred.Verifier(suite, pval)
if err := HashVerify(suite, "TEST", verifier, proof); err != nil {
panic("verify: " + err.Error())
}
}
// This example demonstrates how to create unlinkable anonymity-set signatures,
// and to verify them,
// using a small anonymity set containing three public keys.
func ExampleSign_anonSet() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
// Create an anonymity set of random "public keys"
X := make([]abstract.Point, 3)
for i := range X { // pick random points
X[i], _ = suite.Point().Pick(nil, rand)
}
// Make just one of them an actual public/private keypair (X[mine],x)
mine := 1 // only the signer knows this
x := suite.Secret().Pick(rand) // create a private key x
X[mine] = suite.Point().Mul(nil, x) // corresponding public key X
// Generate the signature
M := []byte("Hello World!") // message we want to sign
sig := Sign(suite, rand, M, Set(X), nil, mine, x)
fmt.Print("Signature:\n" + hex.Dump(sig))
// Verify the signature against the correct message
tag, err := Verify(suite, M, Set(X), nil, sig)
if err != nil {
panic(err.Error())
}
if tag == nil || len(tag) != 0 {
panic("Verify returned wrong tag")
}
fmt.Println("Signature verified against correct message.")
// Verify the signature against the wrong message
BAD := []byte("Goodbye world!")
tag, err = Verify(suite, BAD, Set(X), nil, sig)
if err == nil || tag != nil {
panic("Signature verified against wrong message!?")
}
fmt.Println("Verifying against wrong message: " + err.Error())
// Output:
// Signature:
// 00000000 eb 16 0d c9 1e 19 f5 da f7 9b 77 7d 52 0b f1 82 |..........w}R...|
// 00000010 4b e3 dd 6c 44 f3 6f fe c3 c1 1a 6e 1f a8 43 26 |K..lD.o....n..C&|
// 00000020 63 d3 5a 0e 97 78 e6 74 ce a0 24 34 c1 66 7d af |c.Z..x.t..$4.f}.|
// 00000030 32 9e 59 22 f2 9a 67 3c ea e5 4f 54 6d 3e 07 f1 |2.Y"..g<..OTm>..|
// 00000040 63 10 77 96 09 a3 c1 e4 85 f8 d9 97 0c 47 dc 73 |c.w..........G.s|
// 00000050 da 6c d8 11 8a 2e 00 a7 f2 01 45 e0 91 4e 28 d6 |.l........E..N(.|
// 00000060 b2 b5 3a e1 c8 8c f7 29 8a 13 75 59 98 ea ce f4 |..:....)..uY....|
// 00000070 6d d5 d0 62 85 51 8e fe d9 4a 02 1f 35 03 33 d3 |m..b.Q...J..5.3.|
// Signature verified against correct message.
// Verifying against wrong message: invalid signature
}
func ExampleEncrypt_anonSet() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
// Create an anonymity set of random "public keys"
X := make([]abstract.Point, 3)
for i := range X { // pick random points
X[i], _ = suite.Point().Pick(nil, rand)
}
// Make just one of them an actual public/private keypair (X[mine],x)
mine := 1 // only the signer knows this
x := suite.Secret().Pick(rand) // create a private key x
X[mine] = suite.Point().Mul(nil, x) // corresponding public key X
// Encrypt a message with all the public keys
M := []byte("Hello World!") // message to encrypt
C := Encrypt(suite, rand, M, Set(X), false)
fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C))
// Decrypt the ciphertext with the known private key
MM, err := Decrypt(suite, C, Set(X), mine, x, false)
if err != nil {
panic(err.Error())
}
if !bytes.Equal(M, MM) {
panic("Decryption failed to reproduce message")
}
fmt.Printf("Decrypted: '%s'\n", string(MM))
// Output:
// Encryption of 'Hello World!':
// 00000000 04 a4 2a cf e6 41 38 3f d4 df 6e f4 70 05 a8 ec |..*..A8?..n.p...|
// 00000010 55 8a a5 a4 73 7f 34 ae 1c 50 69 fe af e4 71 01 |U...s.4..Pi...q.|
// 00000020 51 33 a7 89 e2 f0 85 81 ce e9 bc d2 49 cb aa 9a |Q3..........I...|
// 00000030 55 c5 99 ad 5c a5 e4 36 e4 71 c8 c1 58 4c f7 aa |U...\..6.q..XL..|
// 00000040 2f 3f d2 9a ec 4b fd 85 5e 1b 7f 08 3b 82 12 75 |/?...K..^...;..u|
// 00000050 76 e5 b2 0a 48 d1 d1 9a 5f 45 eb 57 e6 5b 4c 81 |v...H..._E.W.[L.|
// 00000060 10 d7 98 e0 f4 ce 98 9f 94 66 28 8d c4 ff 61 3f |.........f(...a?|
// 00000070 2a 61 c1 31 f8 b5 60 b7 82 05 64 e4 cd 86 66 43 |*a.1..`...d...fC|
// 00000080 f1 c1 de 23 d5 ea 19 ba dd 27 fa 4c 66 d8 a0 19 |...#.....'.Lf...|
// 00000090 1e 6c ea 70 b7 71 8f b5 cd 3a 49 6d c3 03 08 e0 |.l.p.q...:Im....|
// 000000a0 4d d6 67 9c 02 67 38 c2 d8 78 0d fd 97 f2 2b 8b |M.g..g8..x....+.|
// 000000b0 b3 b2 ae 0d f1 2b 1c 1b 13 9d 71 75 b8 |.....+....qu.|
// Decrypted: 'Hello World!'
}
func main() {
flag.Parse()
if flag.NArg() < 3 {
panic("usage: main.go id k N")
}
id, _ := strconv.Atoi(flag.Arg(0))
k, _ := strconv.Atoi(flag.Arg(1))
N, _ := strconv.Atoi(flag.Arg(2))
suite := nist.NewAES128SHA256P256()
s := NewShuffler(suite, id, k, N)
if id == 0 {
go s.initiateShuffle()
}
s.ListenAndServe()
}
// This example shows how to build classic ElGamal-style digital signatures
// using the Camenisch/Stadler proof framework and HashProver.
func ExampleHashProve_1() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
B := suite.Point().Base() // standard base point
// Create a public/private keypair (X,x)
x := suite.Scalar().Pick(rand) // create a private key x
X := suite.Point().Mul(nil, x) // corresponding public key X
// Generate a proof that we know the discrete logarithm of X.
M := "Hello World!" // message we want to sign
rep := Rep("X", "x", "B")
sec := map[string]abstract.Scalar{"x": x}
pub := map[string]abstract.Point{"B": B, "X": X}
prover := rep.Prover(suite, sec, pub, nil)
proof, _ := HashProve(suite, M, rand, prover)
fmt.Print("Signature:\n" + hex.Dump(proof))
// Verify the signature against the correct message M.
verifier := rep.Verifier(suite, pub)
err := HashVerify(suite, M, verifier, proof)
if err != nil {
panic("signature failed to verify!")
}
fmt.Println("Signature verified against correct message M.")
// Now verify the signature against the WRONG message.
BAD := "Goodbye World!"
verifier = rep.Verifier(suite, pub)
err = HashVerify(suite, BAD, verifier, proof)
fmt.Println("Signature verify against wrong message: " + err.Error())
// Output:
// Signature:
// 00000000 04 23 62 b1 f9 cb f4 a2 6d 7f 3e 69 cb b6 77 ab |.#b.....m.>i..w.|
// 00000010 90 fc 7c db a0 c6 e8 12 f2 0a d4 40 a4 b6 c4 de |..|........@....|
// 00000020 9e e8 61 88 5e 50 fd 03 a9 ff 9c a3 c4 29 f7 18 |..a.^P.......)..|
// 00000030 49 ad 31 0e f9 17 15 1e 3b 8d 0e 2f b2 c4 28 32 |I.1.....;../..(2|
// 00000040 4a 5c 64 ca 04 eb 33 db a9 75 9b 01 6b 12 01 ae |J\d...3..u..k...|
// 00000050 4e de 7c 6b 53 85 f8 a5 76 ba eb 7e 2e 61 2c a5 |N.|kS...v..~.a,.|
// 00000060 e8 |.|
// Signature verified against correct message M.
// Signature verify against wrong message: invalid proof: commit mismatch
}
// This example demonstrates signing and signature verification
// using a trivial "anonymity set" of size 1, i.e., no anonymity.
// In this special case the signing scheme devolves to
// producing traditional ElGamal signatures:
// the resulting signatures are exactly the same length
// and represent essentially the same computational cost.
func ExampleSign_1() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
// Create a public/private keypair (X[mine],x)
X := make([]abstract.Point, 1)
mine := 0 // which public key is mine
x := suite.Secret().Pick(rand) // create a private key x
X[mine] = suite.Point().Mul(nil, x) // corresponding public key X
// Generate the signature
M := []byte("Hello World!") // message we want to sign
sig := Sign(suite, rand, M, Set(X), nil, mine, x)
fmt.Print("Signature:\n" + hex.Dump(sig))
// Verify the signature against the correct message
tag, err := Verify(suite, M, Set(X), nil, sig)
if err != nil {
panic(err.Error())
}
if tag == nil || len(tag) != 0 {
panic("Verify returned wrong tag")
}
fmt.Println("Signature verified against correct message.")
// Verify the signature against the wrong message
BAD := []byte("Goodbye world!")
tag, err = Verify(suite, BAD, Set(X), nil, sig)
if err == nil || tag != nil {
panic("Signature verified against wrong message!?")
}
fmt.Println("Verifying against wrong message: " + err.Error())
// Output:
// Signature:
// 00000000 0d 3a d5 66 4d cd 8a bc ee ae 4a 92 12 e7 63 68 |.:.fM.....J...ch|
// 00000010 c3 61 9f b0 65 ce f1 d9 83 a7 40 4f e0 7b 58 f5 |.a..e.....@O.{X.|
// 00000020 5c 64 ca 04 eb 33 db a9 75 9b 01 6b 12 01 ae 4e |\d...3..u..k...N|
// 00000030 de 7c 6b 53 85 f8 a5 76 ba eb 7e 2e 61 2c a5 e8 |.|kS...v..~.a,..|
// Signature verified against correct message.
// Verifying against wrong message: invalid signature
}
func TestTreeFromRandomGraph(t *testing.T) {
//defer profile.Start(profile.CPUProfile, profile.ProfilePath(".")).Stop()
hc, err := loadGraph("../data/wax.dat", nist.NewAES128SHA256P256(), random.Stream)
if err != nil || hc == nil {
fmt.Println("run data/gen.py to generate graphs")
return
}
// if err := ioutil.WriteFile("data/wax.json", []byte(hc.String()), 0666); err != nil {
// fmt.Println(err)
// }
//fmt.Println(hc.String())
// Have root node initiate the signing protocol
// via a simple annoucement
hc.SNodes[0].LogTest = []byte("Hello World")
//fmt.Println(hc.SNodes[0].NChildren())
//fmt.Println(hc.SNodes[0].Peers())
hc.SNodes[0].Announce(0, &sign.AnnouncementMessage{LogTest: hc.SNodes[0].LogTest})
}
// This example shows how to generate and verify noninteractive proofs
// of the statement in the example above, i.e.,
// a proof of ownership of public key X.
func ExampleRep_2() {
pred := Rep("X", "x", "B")
fmt.Println(pred.String())
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
B := suite.Point().Base() // standard base point
// Create a public/private keypair (X,x)
x := suite.Scalar().Pick(rand) // create a private key x
X := suite.Point().Mul(nil, x) // corresponding public key X
// Generate a proof that we know the discrete logarithm of X.
sval := map[string]abstract.Scalar{"x": x}
pval := map[string]abstract.Point{"B": B, "X": X}
prover := pred.Prover(suite, sval, pval, nil)
proof, _ := HashProve(suite, "TEST", rand, prover)
fmt.Print("Proof:\n" + hex.Dump(proof))
// Verify this knowledge proof.
verifier := pred.Verifier(suite, pval)
err := HashVerify(suite, "TEST", verifier, proof)
if err != nil {
panic("proof failed to verify!")
}
fmt.Println("Proof verified.")
// Output:
// X=x*B
// Proof:
// 00000000 04 23 62 b1 f9 cb f4 a2 6d 7f 3e 69 cb b6 77 ab |.#b.....m.>i..w.|
// 00000010 90 fc 7c db a0 c6 e8 12 f2 0a d4 40 a4 b6 c4 de |..|........@....|
// 00000020 9e e8 61 88 5e 50 fd 03 a9 ff 9c a3 c4 29 f7 18 |..a.^P.......)..|
// 00000030 49 ad 31 0e f9 17 15 1e 3b 8d 0e 2f b2 c4 28 32 |I.1.....;../..(2|
// 00000040 4a 20 ba b2 9d 3a 40 ae 0f 28 16 a2 ad 44 76 d2 |J ...:@..(...Dv.|
// 00000050 83 f2 09 4d b8 a5 d0 f6 5e 5d ff 6e b7 9a 0f 1b |...M....^].n....|
// 00000060 9a |.|
// Proof verified.
}
func ExampleEncrypt_1() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
// Create a public/private keypair (X[mine],x)
X := make([]abstract.Point, 1)
mine := 0 // which public key is mine
x := suite.Secret().Pick(rand) // create a private key x
X[mine] = suite.Point().Mul(nil, x) // corresponding public key X
// Encrypt a message with the public key
M := []byte("Hello World!") // message to encrypt
C := Encrypt(suite, rand, M, Set(X), false)
fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C))
// Decrypt the ciphertext with the private key
MM, err := Decrypt(suite, C, Set(X), mine, x, false)
if err != nil {
panic(err.Error())
}
if !bytes.Equal(M, MM) {
panic("Decryption failed to reproduce message")
}
fmt.Printf("Decrypted: '%s'\n", string(MM))
// Output:
// Encryption of 'Hello World!':
// 00000000 04 23 62 b1 f9 cb f4 a2 6d 7f 3e 69 cb b6 77 ab |.#b.....m.>i..w.|
// 00000010 90 fc 7c db a0 c6 e8 12 f2 0a d4 40 a4 b6 c4 de |..|........@....|
// 00000020 9e e8 61 88 5e 50 fd 03 a9 ff 9c a3 c4 29 f7 18 |..a.^P.......)..|
// 00000030 49 ad 31 0e f9 17 15 1e 3b 8d 0e 2f b2 c4 28 32 |I.1.....;../..(2|
// 00000040 4a a4 16 00 51 da 5e d5 3a df f3 02 fe 77 0d 11 |J...Q.^.:....w..|
// 00000050 27 7b 29 b4 a0 47 7a 82 8f 0a 98 4f fe fe 1e 5d |'{)..Gz....O...]|
// 00000060 cf d2 08 9a e5 f0 d9 3c 6b 0d 83 35 6d 15 b1 93 |.......<k..5m...|
// 00000070 af 1d a2 17 df db 3c 2b 89 32 1b 62 1b |......<+.2.b.|
// Decrypted: 'Hello World!'
}
func BenchmarkVerify100OpenSSL(b *testing.B) {
benchVerify(nist.NewAES128SHA256P256(),
benchPubOpenSSL[:100], benchSig100OpenSSL, b.N)
}
func BenchmarkSign100OpenSSL(b *testing.B) {
benchSign(nist.NewAES128SHA256P256(),
benchPubOpenSSL[:100], benchPriOpenSSL, b.N)
}
func benchGenKeysOpenSSL(nkeys int) ([]abstract.Point, abstract.Secret) {
return benchGenKeys(nist.NewAES128SHA256P256(), nkeys)
}
// This example demonstrates the creation of linkable anonymity set signatures,
// and verification, using an anonymity set containing three public keys.
// We produce four signatures, two from each of two private key-holders,
// demonstrating how the resulting verifiable tags distinguish
// signatures by the same key-holder from signatures by different key-holders.
func ExampleSign_linkable() {
// Crypto setup
suite := nist.NewAES128SHA256P256()
rand := suite.Cipher([]byte("example"))
// Create an anonymity set of random "public keys"
X := make([]abstract.Point, 3)
for i := range X { // pick random points
X[i], _ = suite.Point().Pick(nil, rand)
}
// Make two actual public/private keypairs (X[mine],x)
mine1 := 1 // only the signer knows this
mine2 := 2
x1 := suite.Secret().Pick(rand) // create a private key x
x2 := suite.Secret().Pick(rand)
X[mine1] = suite.Point().Mul(nil, x1) // corresponding public key X
X[mine2] = suite.Point().Mul(nil, x2)
// Generate two signatures using x1 and two using x2
M := []byte("Hello World!") // message we want to sign
S := []byte("My Linkage Scope") // scope for linkage tags
var sig [4][]byte
sig[0] = Sign(suite, rand, M, Set(X), S, mine1, x1)
sig[1] = Sign(suite, rand, M, Set(X), S, mine1, x1)
sig[2] = Sign(suite, rand, M, Set(X), S, mine2, x2)
sig[3] = Sign(suite, rand, M, Set(X), S, mine2, x2)
for i := range sig {
fmt.Printf("Signature %d:\n%s", i, hex.Dump(sig[i]))
}
// Verify the signatures against the correct message
var tag [4][]byte
for i := range sig {
goodtag, err := Verify(suite, M, Set(X), S, sig[i])
if err != nil {
panic(err.Error())
}
tag[i] = goodtag
if tag[i] == nil || len(tag[i]) != suite.PointLen() {
panic("Verify returned invalid tag")
}
fmt.Printf("Sig%d tag: %s\n", i,
hex.EncodeToString(tag[i]))
// Verify the signature against the wrong message
BAD := []byte("Goodbye world!")
badtag, err := Verify(suite, BAD, Set(X), S, sig[i])
if err == nil || badtag != nil {
panic("Signature verified against wrong message!?")
}
}
if !bytes.Equal(tag[0], tag[1]) || !bytes.Equal(tag[2], tag[3]) ||
bytes.Equal(tag[0], tag[2]) {
panic("tags aren't coming out right!")
}
// Output:
// Signature 0:
// 00000000 c6 e9 27 a5 00 5d 22 40 d2 a2 5d 08 44 2b ec 2e |..'..]"@..].D+..|
// 00000010 e2 01 a6 85 70 70 b4 73 2c 18 24 f1 46 44 22 09 |....pp.s,.$.FD".|
// 00000020 1e 6d 18 7f 8b 95 e3 c4 b9 33 ad 94 69 b5 b4 13 |.m.......3..i...|
// 00000030 b8 51 2f 24 a7 98 e4 06 f4 b2 f3 ee e8 73 de 78 |.Q/$.........s.x|
// 00000040 a3 9d 4b 1c 74 6f 3a 50 89 c9 10 cc bb b0 5c a7 |..K.to:P......\.|
// 00000050 09 a9 23 47 0f 36 08 a4 f3 46 ad 14 2d f0 9d c1 |..#G.6...F..-...|
// 00000060 63 d3 5a 0e 97 78 e6 74 ce a0 24 34 c1 66 7d af |c.Z..x.t..$4.f}.|
// 00000070 32 9e 59 22 f2 9a 67 3c ea e5 4f 54 6d 3e 07 f1 |2.Y"..g<..OTm>..|
// 00000080 04 00 33 42 ee 88 9f 5d fa 2e be 6a 72 fd 67 22 |..3B...]...jr.g"|
// 00000090 c1 e0 ed 35 69 d7 e4 67 df 92 e7 ca 75 2f e6 72 |...5i..g....u/.r|
// 000000a0 79 3a 32 e2 8b 45 61 e8 7d e5 95 5b 0a 30 35 e9 |y:2..Ea.}..[.05.|
// 000000b0 af 3c 41 48 59 d9 e2 73 68 77 31 f3 36 cc ee 78 |.<AHY..shw1.6..x|
// 000000c0 ab |.|
// Signature 1:
// 00000000 69 4c 29 32 cb 9c f6 ca 80 72 f6 25 e0 ef 44 0b |iL)2.....r.%..D.|
// 00000010 f2 0b e3 ab 98 c4 62 a3 10 13 09 02 9a f1 f1 00 |......b.........|
// 00000020 7f 03 ca 4f 75 84 fe 06 2c 9c 64 0e 99 c6 f1 91 |...Ou...,.d.....|
// 00000030 62 43 48 b6 f8 20 41 2b fa 59 e7 35 be f8 4c 1b |bCH.. A+.Y.5..L.|
// 00000040 f0 d8 af 83 ad 9a 87 55 ca be 46 f9 42 a2 dd 18 |.......U..F.B...|
// 00000050 18 83 f1 f5 6d 82 e5 38 49 bf 24 9e 80 a4 12 eb |....m..8I.$.....|
// 00000060 56 c5 3f 08 bb 99 6d 7d 0a f8 ac c5 29 e8 94 54 |V.?...m}....)..T|
// 00000070 3e 4d fb ca b5 1d 9a 29 56 a0 09 f9 ec 6d b5 28 |>M.....)V....m.(|
// 00000080 04 00 33 42 ee 88 9f 5d fa 2e be 6a 72 fd 67 22 |..3B...]...jr.g"|
// 00000090 c1 e0 ed 35 69 d7 e4 67 df 92 e7 ca 75 2f e6 72 |...5i..g....u/.r|
// 000000a0 79 3a 32 e2 8b 45 61 e8 7d e5 95 5b 0a 30 35 e9 |y:2..Ea.}..[.05.|
// 000000b0 af 3c 41 48 59 d9 e2 73 68 77 31 f3 36 cc ee 78 |.<AHY..shw1.6..x|
// 000000c0 ab |.|
// Signature 2:
// 00000000 94 d0 51 98 05 a1 79 6c 16 4e 7f f2 58 c8 09 b8 |..Q...yl.N..X...|
// 00000010 32 12 a5 dc be f3 cf 08 a8 77 8f 7e a7 32 dd 2b |2........w.~.2.+|
// 00000020 8b 48 7e 5a 4f eb 1d 1f c8 6c 96 e6 38 86 a9 50 |.H~ZO....l..8..P|
// 00000030 dc 69 e8 2d c9 ed 41 51 38 9d 5c 5f 9b e6 93 aa |.i.-..AQ8.\_....|
// 00000040 1c f7 7d 2f d1 ad 5c cd 4d ab 3a ed 2f 29 08 81 |..}/..\.M.:./)..|
// 00000050 55 61 40 8d 86 88 cd e6 62 be 28 b4 90 9c ae 69 |[email protected].(....i|
// 00000060 54 1a 20 09 f3 84 ad 29 dc a8 64 cf c6 ec 92 f0 |T. ....)..d.....|
// 00000070 76 0f 36 28 66 88 81 2b 59 43 0c 69 6f f2 7a 8e |v.6(f..+YC.io.z.|
// 00000080 04 80 18 09 20 80 e9 9b 39 bc 17 47 55 13 8f c9 |.... ...9..GU...|
// 00000090 b4 9d 11 78 7b 56 0f f6 db 38 5f b4 f1 4f 3f 93 |...x{V...8_..O?.|
// 000000a0 63 9c 33 ea 86 f6 e1 54 79 c9 14 9f 45 b6 88 59 |c.3....Ty...E..Y|
// 000000b0 49 b6 76 99 c7 0c 84 6d 1a 9e 05 b0 30 c1 48 f2 |I.v....m....0.H.|
// 000000c0 9a |.|
// Signature 3:
// 00000000 1a 64 49 4a ff 66 bc 88 93 54 30 e9 96 89 34 76 |.dIJ.f...T0...4v|
// 00000010 f6 95 e0 a9 84 8a a2 6e f4 5e 7f db 58 d9 8a 48 |.......n.^..X..H|
// 00000020 84 bd 96 a9 6b 6e c2 47 03 9f 18 33 73 a5 2b ee |....kn.G...3s.+.|
// 00000030 11 e1 99 36 bf 44 42 26 5e f8 cc 25 1e 8a 97 2b |...6.DB&^..%...+|
// 00000040 7f 57 93 33 c5 fb 27 9f 24 e9 d4 3f 1c 16 67 4c |.W.3..'.$..?..gL|
// 00000050 50 0b d1 0b 08 9b 0f 3f cb ac 96 e8 92 3c a5 3d |P......?.....<.=|
// 00000060 d4 83 2c dd c6 6d e4 68 67 b7 dc 39 68 77 de 3d |..,..m.hg..9hw.=|
// 00000070 8c 83 0d b2 24 4b d6 17 e4 ce 78 7a 63 b7 f0 bb |....$K....xzc...|
// 00000080 04 80 18 09 20 80 e9 9b 39 bc 17 47 55 13 8f c9 |.... ...9..GU...|
// 00000090 b4 9d 11 78 7b 56 0f f6 db 38 5f b4 f1 4f 3f 93 |...x{V...8_..O?.|
// 000000a0 63 9c 33 ea 86 f6 e1 54 79 c9 14 9f 45 b6 88 59 |c.3....Ty...E..Y|
// 000000b0 49 b6 76 99 c7 0c 84 6d 1a 9e 05 b0 30 c1 48 f2 |I.v....m....0.H.|
// 000000c0 9a |.|
// Sig0 tag: 04003342ee889f5dfa2ebe6a72fd6722c1e0ed3569d7e467df92e7ca752fe672793a32e28b4561e87de5955b0a3035e9af3c414859d9e273687731f336ccee78ab
// Sig1 tag: 04003342ee889f5dfa2ebe6a72fd6722c1e0ed3569d7e467df92e7ca752fe672793a32e28b4561e87de5955b0a3035e9af3c414859d9e273687731f336ccee78ab
// Sig2 tag: 048018092080e99b39bc174755138fc9b49d11787b560ff6db385fb4f14f3f93639c33ea86f6e15479c9149f45b6885949b67699c70c846d1a9e05b030c148f29a
// Sig3 tag: 048018092080e99b39bc174755138fc9b49d11787b560ff6db385fb4f14f3f93639c33ea86f6e15479c9149f45b6885949b67699c70c846d1a9e05b030c148f29a
}
func TestSimple(t *testing.T) {
TestCellCoder(t, nist.NewAES128SHA256P256(), SimpleCoderFactory)
}
func TestOwned(t *testing.T) {
TestCellCoder(t, nist.NewAES128SHA256P256(), OwnedCoderFactory)
}
package insure import ( "github.com/dedis/crypto/abstract" "github.com/dedis/crypto/edwards" "github.com/dedis/crypto/nist" ) const ( // The minimum number of private shares needed in order to reconstruct // the private secret. This parameter must be known in order to properly // decode public polynomial commits. TSHARES int = 10 ) // The group to be used for all shares and should be constant. var INSURE_GROUP abstract.Group = new(edwards.ExtendedCurve).Init( edwards.Param25519(), false) // The group to be used for all public/private key pairs and should be constant. var KEY_SUITE abstract.Suite = nist.NewAES128SHA256P256()
package tree
import (
"bufio"
"fmt"
"math"
"math/rand"
"os"
"testing"
"github.com/dedis/crypto/nist"
"github.com/dedis/crypto/random"
)
var testSuite = nist.NewAES128SHA256P256()
var testRand = random.Stream
/*
func build(suite abstract.Suite, rand cipher.Stream,
parent *node, depth, arity int) {
for i := 0; i < arity; i++ {
n := newNode(suite, rand, parent.pub)
parent.addChild(n.pub)
if depth > 0 {
build(suite, rand, n, depth-1, arity)
}
}
}
*/