/* Verifies that a blameProof proves a share to be maliciously constructed. * * Arguments * i = the index of the share subject to blame * proof = blameProof that alleges the Dealer to have constructed a bad share. * * Return * an error if the blame is unjustified or nil if the blame is justified. */ func (p *Deal) verifyBlame(i int, bproof *blameProof) error { // Basic sanity checks if i < 0 || i >= p.n { return errors.New("Invalid index. Expected 0 <= i < n") } if err := p.verifySignature(i, &bproof.signature, sigBlameMsg); err != nil { return err } // Verify the Diffie-Hellman shared secret was constructed properly pval := map[string]abstract.Point{"D": bproof.diffieKey, "P": p.pubKey} pred := proof.Rep("D", "x", "P") verifier := pred.Verifier(p.suite, pval) err := proof.HashVerify(p.suite, protocolName, verifier, bproof.proof) if err != nil { return err } // Verify the share is bad. diffieSecret := p.diffieHellmanSecret(bproof.diffieKey) share := p.suite.Secret().Sub(p.secrets[i], diffieSecret) if p.pubPoly.Check(i, share) { return errors.New("Unjustified blame. The share checks out okay.") } return nil }
///////////////////////////////// //Misc //////////////////////////////// func (s *Server) verifyShuffle(ik InternalKey, aux AuxKeyProof) bool { Xss := aux.OrigXss Yss := aux.OrigYss Xbarss := ik.Xss Ybarss := ik.Ybarss prfss := ik.Proofs for i := range Xss { pk := UnmarshalPoint(s.suite, ik.Keys[i]) Xs := make([]abstract.Point, len(Xss[i])) Ys := make([]abstract.Point, len(Yss[i])) Xbars := make([]abstract.Point, len(Xbarss[i])) Ybars := make([]abstract.Point, len(Ybarss[i])) for j := range Xss[i] { Xs[j] = UnmarshalPoint(s.suite, Xss[i][j]) Ys[j] = UnmarshalPoint(s.suite, Yss[i][j]) Xbars[j] = UnmarshalPoint(s.suite, Xbarss[i][j]) Ybars[j] = UnmarshalPoint(s.suite, Ybarss[i][j]) } v := shuffle.Verifier(s.suite, nil, pk, Xs, Ys, Xbars, Ybars) err := proof.HashVerify(s.suite, "PairShuffle", v, prfss[i]) if err != nil { log.Println("Shuffle verify failed: ", err) return false } } return true }
// VerifyProof verifies a decryption proof against a given public key, cipher text and plaintext // - that is, check if the proof indeed shows that the ciphertext was an encryption // to the public key of the plaintext. func (pk *PubKey) VerifyProof(ciphertext *CipherText, plaintext abstract.Point, prf []byte, nonce string) error { c2m := pk.Suite.Point().Sub(ciphertext.C2, plaintext) public := map[string]abstract.Point{"h": pk.Key, "g": pk.Base, "c2/m": c2m, "c1": ciphertext.C1} verifier := getProofPredicate().Verifier(pk.Suite, public) err := proof.HashVerify(pk.Suite, "ElGamalDecryption"+nonce, verifier, prf) return err }
func TestShuffle(suite abstract.Suite, k int, N int) { rand := suite.Cipher(abstract.RandomKey) // Create a "server" private/public keypair h := suite.Scalar().Pick(rand) H := suite.Point().Mul(nil, h) // Create a set of ephemeral "client" keypairs to shuffle c := make([]abstract.Scalar, k) C := make([]abstract.Point, k) // fmt.Println("\nclient keys:") for i := 0; i < k; i++ { c[i] = suite.Scalar().Pick(rand) C[i] = suite.Point().Mul(nil, c[i]) // fmt.Println(" "+C[i].String()) } // ElGamal-encrypt all these keypairs with the "server" key X := make([]abstract.Point, k) Y := make([]abstract.Point, k) r := suite.Scalar() // temporary for i := 0; i < k; i++ { r.Pick(rand) X[i] = suite.Point().Mul(nil, r) Y[i] = suite.Point().Mul(H, r) // ElGamal blinding factor Y[i].Add(Y[i], C[i]) // Encrypted client public key } // Repeat only the actual shuffle portion for test purposes. for i := 0; i < N; i++ { // Do a key-shuffle Xbar, Ybar, prover := Shuffle(suite, nil, H, X, Y, rand) prf, err := proof.HashProve(suite, "PairShuffle", rand, prover) if err != nil { panic("Shuffle proof failed: " + err.Error()) } //fmt.Printf("proof:\n%s\n",hex.Dump(prf)) // Check it verifier := Verifier(suite, nil, H, X, Y, Xbar, Ybar) err = proof.HashVerify(suite, "PairShuffle", verifier, prf) if err != nil { panic("Shuffle verify failed: " + err.Error()) } } }
func (s *shuffler) signStateVector(state *stateVector) ([]byte, error) { rand := s.suite.Cipher(abstract.RandomKey) st := state.States for i := 1; i < len(st); i++ { S, Sbar := st[i-1], st[i] X, Y := S.X, S.Dec Xbar, Ybar := Sbar.X, Sbar.Y H, prf := Sbar.G, Sbar.Prf // Verify the shuffle. verifier := shuffle.Verifier(s.suite, nil, H, X, Y, Xbar, Ybar) err := proof.HashVerify(s.suite, "PairShuffle", verifier, prf) if err != nil { panic("verify failed") return nil, err } // Verify the decryption. seed := abstract.Sum(s.suite, prf) verRand := s.suite.Cipher(seed) dec, decPrf := Sbar.Dec, Sbar.DecPrf // Scratch space for calculations. pair, c := s.suite.Point(), s.suite.Secret() zp := s.suite.Point() for j := range dec { pair.Sub(Ybar[j], dec[j]) c.Pick(verRand) T := decPrf[j].T ss := decPrf[j].S if !zp.Mul(Xbar[j], ss).Equal(T.Add(T, pair.Mul(pair, c))) { return nil, errors.New("invalid decryption proof") } } } bytes, _ := protobuf.Encode(state) return anon.Sign(s.suite, rand, bytes, anon.Set{s.H}, nil, 0, s.h), nil }
func verifyNeffShuffle(params map[string]interface{}) { if _, shuffled := params["shuffled"]; shuffled { // get all the necessary parameters xbarList := util.ProtobufDecodePointList(params["xbar"].([]byte)) ybarList := util.ProtobufDecodePointList(params["ybar"].([]byte)) prevKeyList := util.ProtobufDecodePointList(params["prev_keys"].([]byte)) prevValList := util.ProtobufDecodePointList(params["prev_vals"].([]byte)) prePublicKey := anonServer.Suite.Point() prePublicKey.UnmarshalBinary(params["public_key"].([]byte)) // verify the shuffle verifier := shuffle.Verifier(anonServer.Suite, nil, prePublicKey, prevKeyList, prevValList, xbarList, ybarList) err := proof.HashVerify(anonServer.Suite, "PairShuffle", verifier, params["proof"].([]byte)) if err != nil { panic("Shuffle verify failed: " + err.Error()) } } }
// Verify verifies this Verdict notary ciphertext func (c *NotaryCipherText) Verify(data *Data) error { var suite = crypto.Suite amount := len(c.Points) pred := getNotaryPredicate(amount) R := suite.Point().Null() for _, ar := range data.Commitments { R.Add(R, ar[c.Index]) } public := map[string]abstract.Point{"R_j": R, "g_hat": crypto.Generator} for l := 0; l < amount; l++ { public["S_j,"+strconv.Itoa(l)] = c.Points[l] public["-g_"+strconv.Itoa(l)] = suite.Point().Neg(data.getGenerator(l)) } verifier := pred.Verifier(suite, public) return proof.HashVerify(suite, "VerdictNotaryCipher"+data.Nonce, verifier, c.Proof) }
// Verify verifies a Verdict user ciphertext func (c *UserCipherText) Verify(data *Data) error { var suite = crypto.Suite amount := len(c.Points) pred := GetUserPredicate(amount) R := suite.Point().Null() for _, el := range data.Commitments[c.Index] { R.Add(R, el) } public := map[string]abstract.Point{"R_i": R, "g_hat": crypto.Generator, "Y": data.SlotKeys[c.Slot], "g": crypto.Suite.Point().Base()} for l := range c.Points { public["C_i,"+strconv.Itoa(l)] = c.Points[l] public["g_"+strconv.Itoa(l)] = data.getGenerator(l) } verifier := pred.Verifier(suite, public) return proof.HashVerify(suite, "VerdictUserCipher"+data.Nonce, verifier, c.Proof) }
// Verify that this shuffle is a valid shuffle of the specified ciphertexts, // with respect to the given public keys func (s *VerifiableShuffle) Verify(ciphers []*elgamal.CipherText, pks []*elgamal.PubKey, nonce string, position int) error { c1, c2 := elgamal.Unpack(ciphers) shufC1, shufC2 := elgamal.Unpack(s.Shuffled) sumpk := elgamal.SumKeys(pks[position:]) // Check the shuffle proof verifier := shuffle.Verifier(pks[0].Suite, pks[0].Base, sumpk.Key, c1, c2, shufC1, shufC2) err := proof.HashVerify(pks[0].Suite, "ElGamalShuffle"+nonce, verifier, s.ShuffleProof) if err != nil { return err } // Check the decryption proofs for i := range ciphers { err = pks[position].VerifyProof(s.Shuffled[i], s.Decrypted[i].C2, s.DecryptionProofs[i], nonce) if err != nil { return err } } return nil }