Esempio n. 1
0
// saltgen is a function that generates all the keys and salts given a length
// and an initial salt.
func saltgen(salt []byte, count int) [][]byte {
	salts := make([][]byte, count)
	for i := 0; i < count; i++ {
		salts[i] = salt
		salt = abstract.Sum(network.Suite, salt)
	}
	return salts
}
Esempio n. 2
0
func (v *stateVector) addShuffle(suite abstract.Suite, shuf *shuffler,
	rand abstract.Cipher) error {

	// Get the previous shuffle state.
	i := len(v.States)
	prev := v.States[i-1]
	X, Y := prev.X, prev.Dec

	// Compute the new base using the public keys of the remaining
	// servers.
	H := suite.Point().Null()
	for j := i - 1; j < shuf.N; j++ {
		H = suite.Point().Add(H, shuf.HH[j])
	}

	// Do a key-shuffle.
	Xbar, Ybar, prover := shuffle.Shuffle(suite, nil, H, X, Y, rand)
	prf, err := proof.HashProve(suite, "PairShuffle", rand, prover)
	if err != nil {
		return err
	}

	// Seeded random for the decryption proof.
	seed := abstract.Sum(suite, prf)
	prfRand := suite.Cipher(seed)

	// Scratch space for calculations.
	zs := suite.Secret()
	zp := suite.Point()

	// Peel off a layer of encryption.
	dec := make([]abstract.Point, len(Xbar))
	decPrf := make([]*decryptionProof, len(Xbar))
	for j := range Xbar {
		// Decryption.
		zp.Mul(Xbar[j], shuf.h)
		dec[j] = suite.Point().Sub(Ybar[j], zp)

		// Decryption proof.
		t := suite.Secret().Pick(rand)
		T := suite.Point().Mul(Xbar[j], t)
		c := suite.Secret().Pick(prfRand)
		s := suite.Secret().Add(t, zs.Mul(c, shuf.h))
		decPrf[j] = &decryptionProof{T, s}
	}

	// Append the new state to the state vector.
	state := &shuffleState{H, Xbar, Ybar, dec, prf, decPrf}
	v.States = append(v.States, state)
	return nil
}
Esempio n. 3
0
func (s *shuffler) signStateVector(state *stateVector) ([]byte, error) {
	rand := s.suite.Cipher(abstract.RandomKey)

	st := state.States
	for i := 1; i < len(st); i++ {
		S, Sbar := st[i-1], st[i]

		X, Y := S.X, S.Dec
		Xbar, Ybar := Sbar.X, Sbar.Y
		H, prf := Sbar.G, Sbar.Prf

		// Verify the shuffle.
		verifier := shuffle.Verifier(s.suite, nil, H, X, Y, Xbar, Ybar)
		err := proof.HashVerify(s.suite, "PairShuffle", verifier, prf)
		if err != nil {
			panic("verify failed")
			return nil, err
		}

		// Verify the decryption.
		seed := abstract.Sum(s.suite, prf)
		verRand := s.suite.Cipher(seed)

		dec, decPrf := Sbar.Dec, Sbar.DecPrf

		// Scratch space for calculations.
		pair, c := s.suite.Point(), s.suite.Secret()
		zp := s.suite.Point()

		for j := range dec {
			pair.Sub(Ybar[j], dec[j])
			c.Pick(verRand)

			T := decPrf[j].T
			ss := decPrf[j].S
			if !zp.Mul(Xbar[j], ss).Equal(T.Add(T, pair.Mul(pair, c))) {
				return nil, errors.New("invalid decryption proof")
			}
		}
	}

	bytes, _ := protobuf.Encode(state)
	return anon.Sign(s.suite, rand, bytes, anon.Set{s.H}, nil, 0, s.h), nil
}
Esempio n. 4
0
// PubId returns the base64-encoded HashId for this KeyPair's public key.
func (p *KeyPair) PubId() string {
	buf, _ := p.Public.MarshalBinary()
	hash := abstract.Sum(p.Suite, buf)
	return base64.RawURLEncoding.EncodeToString(hash)
}
Esempio n. 5
0
func (rh *RandHound) hash(bytes ...[]byte) []byte {
	return abstract.Sum(rh.Suite(), bytes...)
}
Esempio n. 6
0
// getpass contacts the guard servers, then gets the passwords and
// reconstructs the secret keys.
func getpass(c *cli.Context, uid []byte, epoch []byte, pass string) {
	if getuser(uid) == nil {
		log.Fatal("Wrong username")
	}

	keys := make([]string, len(db.Cothority.List))
	blind := make([]byte, 12)
	_, err := rand.Read(blind)
	log.ErrFatal(err)
	blinds := saltgen(blind, len(db.Cothority.List))
	iv := getuser(uid).Iv
	// pwhash is the password hash that will be sent to the guard servers
	// with Gu and bi.
	pwhash := abstract.Sum(network.Suite, []byte(pass), getuser(uid).Salt)
	GuHash := abstract.Sum(network.Suite, uid, epoch)
	// creating stream for Scalar.Pick from the hash
	blocky, err := aes.NewCipher(iv)
	log.ErrFatal(err)
	GuStream := cipher.NewCTR(blocky, iv)
	gupoint := network.Suite.Point()
	Gu, _ := gupoint.Pick(GuHash, GuStream)

	for i, si := range db.Cothority.List {
		cl := guard.NewClient()
		// blankpoints needed for computations.
		blankpoint := network.Suite.Point()
		blankscalar := network.Suite.Scalar()
		// pwbytes and blindbytes are actually scalars that are
		// initialized to the values of the bytes.
		pwbytes := network.Suite.Scalar()
		pwbytes.SetBytes(pwhash)
		blindbytes := network.Suite.Scalar()
		blindbytes.SetBytes(blinds[i])
		// The following sections of the code perform the computations
		// to Create Xi, here called sendy.
		blankscalar.Add(pwbytes, blindbytes).MarshalBinary()
		_, err := blankpoint.Mul(Gu, blankscalar.Mul(pwbytes, blindbytes)).MarshalBinary()
		sendy := blankpoint.Mul(Gu, blankscalar.Mul(pwbytes, blindbytes))
		rep, cerr := cl.SendToGuard(si, uid, epoch, sendy)
		log.ErrFatal(cerr)
		// This section of the program removes the blinding factor from
		// the Zi for storage.
		reply, err := blankpoint.Mul(rep.Msg, blankscalar.Inv(blindbytes)).MarshalBinary()
		log.ErrFatal(err)
		// This section Xors the data with the response.
		block, err := aes.NewCipher(reply)
		stream := cipher.NewCTR(block, getuser(uid).Iv)
		msg := make([]byte, len([]byte(getuser(uid).Keys[i])))
		stream.XORKeyStream(msg, []byte(getuser(uid).Keys[i]))
		keys[i] = string(msg)
	}
	k := s.Combine(keys)
	if len(k) == 0 {
		log.Fatal("You entered the wrong password")
	}
	block, err := aes.NewCipher([]byte(k))
	log.ErrFatal(err)
	aesgcm, err := cipher.NewGCM(block)
	log.ErrFatal(err)
	plaintext, err := aesgcm.Open(nil, getuser(uid).Salt, getuser(uid).Data, nil)
	log.ErrFatal(err)
	log.Print(string(plaintext))
}
Esempio n. 7
0
func set(c *cli.Context, uid []byte, epoch []byte, password string, userdata []byte) {
	mastersalt := make([]byte, 12)
	_, err := rand.Read(mastersalt)
	log.ErrFatal(err)
	k := make([]byte, 32)
	_, err = rand.Read(k)
	log.ErrFatal(err)
	// secretkeys is the Shamir Secret share of the keys.
	secretkeys := s.Create(2, len(db.Cothority.List), string(k))
	blind := make([]byte, 12)
	_, err = rand.Read(blind)
	log.ErrFatal(err)
	blinds := saltgen(blind, len(db.Cothority.List))
	iv := make([]byte, 16)
	_, err = rand.Read(iv)
	log.ErrFatal(err)
	// pwhash is the password hash that will be sent to the guard servers
	// with Gu and bi.
	pwhash := abstract.Sum(network.Suite, []byte(password), mastersalt)
	GuHash := abstract.Sum(network.Suite, uid, epoch)
	// creating stream for Scalar.Pick from the hash.
	blocky, err := aes.NewCipher(iv)
	log.ErrFatal(err)
	GuStream := cipher.NewCTR(blocky, iv)
	gupoint := network.Suite.Point()
	Gu, _ := gupoint.Pick(GuHash, GuStream)
	responses := make([][]byte, len(db.Cothority.List))
	keys := make([][]byte, len(db.Cothority.List))
	for i, si := range db.Cothority.List {
		cl := guard.NewClient()
		// blankpoints needed to call the functions.
		blankpoint := network.Suite.Point()
		blankscalar := network.Suite.Scalar()
		// Initializing the variables pwbytes and blindbytes, which are
		// scalars with the values of pwhash and blinds[i].
		pwbytes := network.Suite.Scalar()
		pwbytes.SetBytes(pwhash)
		blindbytes := network.Suite.Scalar()
		blindbytes.SetBytes(blinds[i])
		// this next part performs all necessary computations to create
		// Xi, here called sendy.
		blankscalar.Add(pwbytes, blindbytes).Bytes()
		sendy := blankpoint.Mul(Gu, blankscalar.Mul(pwbytes, blindbytes))
		rep, cerr := cl.SendToGuard(si, uid, epoch, sendy)
		log.ErrFatal(cerr)
		reply := blankpoint.Mul(rep.Msg, blankscalar.Inv(blindbytes))
		responses[i], err = reply.MarshalBinary()
		log.ErrFatal(err)
		block, err := aes.NewCipher(responses[i])
		log.ErrFatal(err)
		stream := cipher.NewCTR(block, iv)
		msg := make([]byte, 88)
		stream.XORKeyStream(msg, []byte(secretkeys[i]))
		keys[i] = msg

	}
	// This is the code that seals the user data using the master key
	// and saves it to the db.
	block, _ := aes.NewCipher(k)
	aesgcm, _ := cipher.NewGCM(block)
	ciphertext := aesgcm.Seal(nil, mastersalt, userdata, nil)
	db.Users = append(db.Users, User{uid, mastersalt, keys, ciphertext, iv})
}