Пример #1
0
/* Verifies that a blameProof proves a share to be maliciously constructed.
 *
 * Arguments
 *    i     = the index of the share subject to blame
 *    proof = blameProof that alleges the Dealer to have constructed a bad share.
 *
 * Return
 *   an error if the blame is unjustified or nil if the blame is justified.
 */
func (p *Deal) verifyBlame(i int, bproof *blameProof) error {
	// Basic sanity checks
	if i < 0 || i >= p.n {
		return errors.New("Invalid index. Expected 0 <= i < n")
	}
	if err := p.verifySignature(i, &bproof.signature, sigBlameMsg); err != nil {
		return err
	}

	// Verify the Diffie-Hellman shared secret was constructed properly
	pval := map[string]abstract.Point{"D": bproof.diffieKey, "P": p.pubKey}
	pred := proof.Rep("D", "x", "P")
	verifier := pred.Verifier(p.suite, pval)
	err := proof.HashVerify(p.suite, protocolName, verifier,
		bproof.proof)
	if err != nil {
		return err
	}

	// Verify the share is bad.
	diffieSecret := p.diffieHellmanSecret(bproof.diffieKey)
	share := p.suite.Secret().Sub(p.secrets[i], diffieSecret)
	if p.pubPoly.Check(i, share) {
		return errors.New("Unjustified blame. The share checks out okay.")
	}
	return nil
}
Пример #2
0
/////////////////////////////////
//Misc
////////////////////////////////
func (s *Server) verifyShuffle(ik InternalKey, aux AuxKeyProof) bool {
	Xss := aux.OrigXss
	Yss := aux.OrigYss
	Xbarss := ik.Xss
	Ybarss := ik.Ybarss
	prfss := ik.Proofs

	for i := range Xss {
		pk := UnmarshalPoint(s.suite, ik.Keys[i])
		Xs := make([]abstract.Point, len(Xss[i]))
		Ys := make([]abstract.Point, len(Yss[i]))
		Xbars := make([]abstract.Point, len(Xbarss[i]))
		Ybars := make([]abstract.Point, len(Ybarss[i]))
		for j := range Xss[i] {
			Xs[j] = UnmarshalPoint(s.suite, Xss[i][j])
			Ys[j] = UnmarshalPoint(s.suite, Yss[i][j])
			Xbars[j] = UnmarshalPoint(s.suite, Xbarss[i][j])
			Ybars[j] = UnmarshalPoint(s.suite, Ybarss[i][j])
		}
		v := shuffle.Verifier(s.suite, nil, pk, Xs, Ys, Xbars, Ybars)
		err := proof.HashVerify(s.suite, "PairShuffle", v, prfss[i])
		if err != nil {
			log.Println("Shuffle verify failed: ", err)
			return false
		}
	}
	return true
}
Пример #3
0
// VerifyProof verifies a decryption proof against a given public key, cipher text and plaintext
// - that is, check if the proof indeed shows that the ciphertext was an encryption
//  to the public key of the plaintext.
func (pk *PubKey) VerifyProof(ciphertext *CipherText, plaintext abstract.Point, prf []byte, nonce string) error {
	c2m := pk.Suite.Point().Sub(ciphertext.C2, plaintext)

	public := map[string]abstract.Point{"h": pk.Key, "g": pk.Base, "c2/m": c2m, "c1": ciphertext.C1}
	verifier := getProofPredicate().Verifier(pk.Suite, public)
	err := proof.HashVerify(pk.Suite, "ElGamalDecryption"+nonce, verifier, prf)

	return err
}
Пример #4
0
func TestShuffle(suite abstract.Suite, k int, N int) {

	rand := suite.Cipher(abstract.RandomKey)

	// Create a "server" private/public keypair
	h := suite.Scalar().Pick(rand)
	H := suite.Point().Mul(nil, h)

	// Create a set of ephemeral "client" keypairs to shuffle
	c := make([]abstract.Scalar, k)
	C := make([]abstract.Point, k)
	//	fmt.Println("\nclient keys:")
	for i := 0; i < k; i++ {
		c[i] = suite.Scalar().Pick(rand)
		C[i] = suite.Point().Mul(nil, c[i])
		//		fmt.Println(" "+C[i].String())
	}

	// ElGamal-encrypt all these keypairs with the "server" key
	X := make([]abstract.Point, k)
	Y := make([]abstract.Point, k)
	r := suite.Scalar() // temporary
	for i := 0; i < k; i++ {
		r.Pick(rand)
		X[i] = suite.Point().Mul(nil, r)
		Y[i] = suite.Point().Mul(H, r) // ElGamal blinding factor
		Y[i].Add(Y[i], C[i])           // Encrypted client public key
	}

	// Repeat only the actual shuffle portion for test purposes.
	for i := 0; i < N; i++ {

		// Do a key-shuffle
		Xbar, Ybar, prover := Shuffle(suite, nil, H, X, Y, rand)
		prf, err := proof.HashProve(suite, "PairShuffle", rand, prover)
		if err != nil {
			panic("Shuffle proof failed: " + err.Error())
		}
		//fmt.Printf("proof:\n%s\n",hex.Dump(prf))

		// Check it
		verifier := Verifier(suite, nil, H, X, Y, Xbar, Ybar)
		err = proof.HashVerify(suite, "PairShuffle", verifier, prf)
		if err != nil {
			panic("Shuffle verify failed: " + err.Error())
		}
	}
}
Пример #5
0
func (s *shuffler) signStateVector(state *stateVector) ([]byte, error) {
	rand := s.suite.Cipher(abstract.RandomKey)

	st := state.States
	for i := 1; i < len(st); i++ {
		S, Sbar := st[i-1], st[i]

		X, Y := S.X, S.Dec
		Xbar, Ybar := Sbar.X, Sbar.Y
		H, prf := Sbar.G, Sbar.Prf

		// Verify the shuffle.
		verifier := shuffle.Verifier(s.suite, nil, H, X, Y, Xbar, Ybar)
		err := proof.HashVerify(s.suite, "PairShuffle", verifier, prf)
		if err != nil {
			panic("verify failed")
			return nil, err
		}

		// Verify the decryption.
		seed := abstract.Sum(s.suite, prf)
		verRand := s.suite.Cipher(seed)

		dec, decPrf := Sbar.Dec, Sbar.DecPrf

		// Scratch space for calculations.
		pair, c := s.suite.Point(), s.suite.Secret()
		zp := s.suite.Point()

		for j := range dec {
			pair.Sub(Ybar[j], dec[j])
			c.Pick(verRand)

			T := decPrf[j].T
			ss := decPrf[j].S
			if !zp.Mul(Xbar[j], ss).Equal(T.Add(T, pair.Mul(pair, c))) {
				return nil, errors.New("invalid decryption proof")
			}
		}
	}

	bytes, _ := protobuf.Encode(state)
	return anon.Sign(s.suite, rand, bytes, anon.Set{s.H}, nil, 0, s.h), nil
}
Пример #6
0
func verifyNeffShuffle(params map[string]interface{}) {
	if _, shuffled := params["shuffled"]; shuffled {
		// get all the necessary parameters
		xbarList := util.ProtobufDecodePointList(params["xbar"].([]byte))
		ybarList := util.ProtobufDecodePointList(params["ybar"].([]byte))
		prevKeyList := util.ProtobufDecodePointList(params["prev_keys"].([]byte))
		prevValList := util.ProtobufDecodePointList(params["prev_vals"].([]byte))
		prePublicKey := anonServer.Suite.Point()
		prePublicKey.UnmarshalBinary(params["public_key"].([]byte))

		// verify the shuffle
		verifier := shuffle.Verifier(anonServer.Suite, nil, prePublicKey, prevKeyList,
			prevValList, xbarList, ybarList)
		err := proof.HashVerify(anonServer.Suite, "PairShuffle", verifier, params["proof"].([]byte))
		if err != nil {
			panic("Shuffle verify failed: " + err.Error())
		}
	}
}
Пример #7
0
// Verify verifies this Verdict notary ciphertext
func (c *NotaryCipherText) Verify(data *Data) error {
	var suite = crypto.Suite
	amount := len(c.Points)
	pred := getNotaryPredicate(amount)

	R := suite.Point().Null()
	for _, ar := range data.Commitments {
		R.Add(R, ar[c.Index])
	}

	public := map[string]abstract.Point{"R_j": R, "g_hat": crypto.Generator}
	for l := 0; l < amount; l++ {
		public["S_j,"+strconv.Itoa(l)] = c.Points[l]
		public["-g_"+strconv.Itoa(l)] = suite.Point().Neg(data.getGenerator(l))
	}

	verifier := pred.Verifier(suite, public)
	return proof.HashVerify(suite, "VerdictNotaryCipher"+data.Nonce, verifier, c.Proof)
}
Пример #8
0
// Verify verifies a Verdict user ciphertext
func (c *UserCipherText) Verify(data *Data) error {
	var suite = crypto.Suite
	amount := len(c.Points)
	pred := GetUserPredicate(amount)

	R := suite.Point().Null()
	for _, el := range data.Commitments[c.Index] {
		R.Add(R, el)
	}

	public := map[string]abstract.Point{"R_i": R, "g_hat": crypto.Generator,
		"Y": data.SlotKeys[c.Slot], "g": crypto.Suite.Point().Base()}
	for l := range c.Points {
		public["C_i,"+strconv.Itoa(l)] = c.Points[l]
		public["g_"+strconv.Itoa(l)] = data.getGenerator(l)
	}

	verifier := pred.Verifier(suite, public)
	return proof.HashVerify(suite, "VerdictUserCipher"+data.Nonce, verifier, c.Proof)
}
Пример #9
0
// Verify that this shuffle is a valid shuffle of the specified ciphertexts,
// with respect to the given public keys
func (s *VerifiableShuffle) Verify(ciphers []*elgamal.CipherText, pks []*elgamal.PubKey, nonce string, position int) error {
	c1, c2 := elgamal.Unpack(ciphers)
	shufC1, shufC2 := elgamal.Unpack(s.Shuffled)
	sumpk := elgamal.SumKeys(pks[position:])

	// Check the shuffle proof
	verifier := shuffle.Verifier(pks[0].Suite, pks[0].Base, sumpk.Key, c1, c2, shufC1, shufC2)
	err := proof.HashVerify(pks[0].Suite, "ElGamalShuffle"+nonce, verifier, s.ShuffleProof)
	if err != nil {
		return err
	}

	// Check the decryption proofs
	for i := range ciphers {
		err = pks[position].VerifyProof(s.Shuffled[i], s.Decrypted[i].C2, s.DecryptionProofs[i], nonce)
		if err != nil {
			return err
		}
	}

	return nil
}