-rw-r--r--crypto.c190
-rw-r--r--crypto.h17
-rw-r--r--test_crypto.c26
3 files changed, 157 insertions, 76 deletions
diff --git a/crypto.c b/crypto.c
index f892e7d..d3da75d 100644
--- a/crypto.c
+++ b/crypto.c
@@ -30,6 +30,32 @@
#define CURVE "Ed25519"
+struct zkp_challenge_dl {
+ struct ec_mpi g;
+ struct ec_mpi v;
+ struct ec_mpi a;
+};
+
+struct zkp_challenge_2dle {
+ struct ec_mpi g1;
+ struct ec_mpi g2;
+ struct ec_mpi v;
+ struct ec_mpi w;
+ struct ec_mpi a;
+ struct ec_mpi b;
+};
+
+struct zkp_challenge_0og {
+ struct ec_mpi g;
+ struct ec_mpi alpha;
+ struct ec_mpi beta;
+ struct ec_mpi a1;
+ struct ec_mpi a2;
+ struct ec_mpi b1;
+ struct ec_mpi b2;
+};
+
+
static gcry_ctx_t ec_ctx;
static gcry_mpi_point_t ec_gen;
static gcry_mpi_point_t ec_zero;
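Review bot: The three zkp_challenge structs are fed to brandt_hash as raw bytes further down, so their field order and layout are the Fiat-Shamir transcript, but nothing here says so. A comment on each, e.g. `/* Fiat-Shamir transcript for smc_zkp_dl: hashed byte-for-byte by brandt_hash, so the layout must stay stable and struct ec_mpi must be padding-free. */`, would tell the next maintainer why the fields must not be reordered or extended casually. Whether struct ec_mpi can contain padding is not visible in this hunk; if it can, uninitialised padding bytes would enter the hash and prover and verifier could disagree on c for no visible reason.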
@@ -534,7 +560,6 @@ smc_gen_keyshare (struct AuctionData *ad)
* @param a2 TODO
* @param b1 TODO
* @param b2 TODO
- * @param c TODO
* @param d1 TODO
* @param d2 TODO
* @param r1 TODO
@@ -547,14 +572,13 @@ smc_encrypt_bid (struct AuctionData *ad,
gcry_mpi_point_t a2,
gcry_mpi_point_t b1,
gcry_mpi_point_t b2,
- gcry_mpi_t c,
gcry_mpi_t d1,
gcry_mpi_t d2,
gcry_mpi_t r1,
gcry_mpi_t r2)
{
smc_zkp_0og (ad->alpha[ad->i][j], (j == ad->b ? ec_gen : ec_zero), ad->Y,
- ad->beta[ad->i][j], a1, a2, b1, b2, c, d1, d2, r1, r2);
+ ad->beta[ad->i][j], a1, a2, b1, b2, d1, d2, r1, r2);
}
@@ -586,7 +610,6 @@ smc_compute_outcome (struct AuctionData *ad)
* @param g \todo
* @param x \todo
* @param a \todo
- * @param c \todo
* @param r \todo
*/
void
@@ -594,22 +617,27 @@ smc_zkp_dl (const gcry_mpi_point_t v,
const gcry_mpi_point_t g,
const gcry_mpi_t x,
const gcry_mpi_point_t a,
- gcry_mpi_t c,
gcry_mpi_t r)
{
- gcry_mpi_t z = gcry_mpi_new (0);
+ struct zkp_challenge_dl challenge;
+ struct brandt_hash_code challhash;
+ gcry_mpi_t c = gcry_mpi_new (0);
+ gcry_mpi_t z = gcry_mpi_new (0);
ec_keypair_create_base (a, z, g);
- /* compute challange c */
- /**\todo: generate c from HASH(g,v,a) and don't output it */
-// brandt_hash (const void *block, size_t size, struct brandt_hash_code *ret)
- ec_skey_create (c);
+ /* compute challenge c */
+ ec_point_serialize (&challenge.g, ec_gen);
+ ec_point_serialize (&challenge.v, v);
+ ec_point_serialize (&challenge.a, a);
+ brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+ mpi_parse (c, (struct ec_mpi *)&challhash);
gcry_mpi_mod (c, c, ec_n);
gcry_mpi_mulm (r, c, x, ec_n);
gcry_mpi_addm (r, r, z, ec_n);
+ gcry_mpi_release (c);
gcry_mpi_release (z);
}
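Review bot: The challenge hashes `ec_gen` into `challenge.g` while the proof is made over the caller-supplied generator `g` (the one used on the `ec_keypair_create_base (a, z, g)` line), so the statement's actual base is not bound into c; smc_zkp_dl_check does the same. With a hash-derived challenge the whole statement (g, v, a) should enter the hash, otherwise c does not constrain the relation between g and v that is being proven. Change the line to `ec_point_serialize (&challenge.g, g);` here and in smc_zkp_dl_check. smc_zkp_dl's signature starts before this hunk.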
@@ -620,7 +648,6 @@ smc_zkp_dl (const gcry_mpi_point_t v,
* @param v \todo
* @param g \todo
* @param a \todo
- * @param c \todo
* @param r \todo
* @return 0 if the proof is correct, something else otherwise
*/
@@ -628,18 +655,29 @@ int
smc_zkp_dl_check (const gcry_mpi_point_t v,
const gcry_mpi_point_t g,
const gcry_mpi_point_t a,
- const gcry_mpi_t c,
const gcry_mpi_t r)
{
- int ret;
- gcry_mpi_point_t left = gcry_mpi_point_new (0);
- gcry_mpi_point_t right = gcry_mpi_point_new (0);
+ int ret;
+ struct zkp_challenge_dl challenge;
+ struct brandt_hash_code challhash;
+ gcry_mpi_t c = gcry_mpi_new (0);
+ gcry_mpi_point_t left = gcry_mpi_point_new (0);
+ gcry_mpi_point_t right = gcry_mpi_point_new (0);
+
+ /* compute challenge c */
+ ec_point_serialize (&challenge.g, ec_gen);
+ ec_point_serialize (&challenge.v, v);
+ ec_point_serialize (&challenge.a, a);
+ brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+ mpi_parse (c, (struct ec_mpi *)&challhash);
+ gcry_mpi_mod (c, c, ec_n);
gcry_mpi_ec_mul (left, r, g, ec_ctx);
gcry_mpi_ec_mul (right, c, v, ec_ctx);
gcry_mpi_ec_add (right, a, right, ec_ctx);
ret = ec_point_cmp (left, right);
+ gcry_mpi_release (c);
gcry_mpi_point_release (left);
gcry_mpi_point_release (right);
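Review bot: The lines from `/* compute challenge c */` to `gcry_mpi_mod (c, c, ec_n);` are a verbatim copy of the prover's challenge derivation, and the 2dle and 0og pairs repeat the same duplication; a static helper per proof type that both sides call keeps the transcript definition in one place and makes a prover/verifier mismatch structurally impossible. It also lets the hash length be written once as `sizeof challenge`, which follows the variable's type. The helper below takes the statement's generator as a parameter so the verifier binds the same `g` the prover used, and the copied block in this function collapses to `zkp_challenge_dl (c, g, v, a);`. smc_zkp_dl_check's signature starts before this hunk and its return statement comes after it.
```c
/* Fiat-Shamir challenge shared by prover and verifier: c = H(g, v, a) mod n */
static void
zkp_challenge_dl (gcry_mpi_t c,
                  const gcry_mpi_point_t g,
                  const gcry_mpi_point_t v,
                  const gcry_mpi_point_t a)
{
  struct zkp_challenge_dl challenge;
  struct brandt_hash_code challhash;
  ec_point_serialize (&challenge.g, g);
  ec_point_serialize (&challenge.v, v);
  ec_point_serialize (&challenge.a, a);
  brandt_hash (&challenge, sizeof challenge, &challhash);
  mpi_parse (c, (struct ec_mpi *)&challhash);
  gcry_mpi_mod (c, c, ec_n);
}

/* … unchanged: smc_zkp_dl_check signature and allocations … */
  zkp_challenge_dl (c, g, v, a);
/* … unchanged: left/right computation, ec_point_cmp, releases … */
```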
@@ -657,7 +695,6 @@ smc_zkp_dl_check (const gcry_mpi_point_t v,
* @param x TODO
* @param a TODO
* @param b TODO
- * @param c TODO
* @param r TODO
*/
void
@@ -668,22 +705,31 @@ smc_zkp_2dle (const gcry_mpi_point_t v,
const gcry_mpi_t x,
gcry_mpi_point_t a,
gcry_mpi_point_t b,
- gcry_mpi_t c,
gcry_mpi_t r)
{
- gcry_mpi_t z = gcry_mpi_new (0);
+ struct zkp_challenge_2dle challenge;
+ struct brandt_hash_code challhash;
+ gcry_mpi_t c = gcry_mpi_new (0);
+ gcry_mpi_t z = gcry_mpi_new (0);
ec_keypair_create_base (a, z, g1);
gcry_mpi_ec_mul (b, z, g2, ec_ctx);
- /* compute challange c */
- /* \todo: generate c from HASH(g1,g2,v,w,a,b) and don't output it */
- ec_skey_create (c);
+ /* compute challenge c */
+ ec_point_serialize (&challenge.g1, g1);
+ ec_point_serialize (&challenge.g2, g2);
+ ec_point_serialize (&challenge.v, v);
+ ec_point_serialize (&challenge.w, w);
+ ec_point_serialize (&challenge.a, a);
+ ec_point_serialize (&challenge.b, b);
+ brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+ mpi_parse (c, (struct ec_mpi *)&challhash);
gcry_mpi_mod (c, c, ec_n);
gcry_mpi_mulm (r, c, x, ec_n);
gcry_mpi_addm (r, r, z, ec_n);
+ gcry_mpi_release (c);
gcry_mpi_release (z);
}
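Review bot: `brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);` hashes only the first three fields (g1, g2, v) of the six-field struct zkp_challenge_2dle, so w and the commitments a and b never enter the challenge and c no longer depends on what the prover committed to, which defeats the purpose of deriving it by hash. Use the variable rather than the type, `brandt_hash (&challenge, sizeof challenge, &challhash);`, so the length follows the struct actually being hashed. The same copied sizeof appears in smc_zkp_2dle_check, smc_zkp_0og and smc_zkp_0og_check, where struct zkp_challenge_0og has seven fields but only g, alpha and beta are hashed. Prover and verifier truncate identically, so the existing round-trip tests cannot detect this. smc_zkp_2dle's signature starts before this hunk.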
@@ -697,7 +743,6 @@ smc_zkp_2dle (const gcry_mpi_point_t v,
* @param g2 TODO
* @param a TODO
* @param b TODO
- * @param c TODO
* @param r TODO
* @return TODO
*/
@@ -708,12 +753,25 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
const gcry_mpi_point_t g2,
const gcry_mpi_point_t a,
const gcry_mpi_point_t b,
- const gcry_mpi_t c,
const gcry_mpi_t r)
{
- int ret;
- gcry_mpi_point_t left = gcry_mpi_point_new (0);
- gcry_mpi_point_t right = gcry_mpi_point_new (0);
+ int ret;
+ struct zkp_challenge_2dle challenge;
+ struct brandt_hash_code challhash;
+ gcry_mpi_t c = gcry_mpi_new (0);
+ gcry_mpi_point_t left = gcry_mpi_point_new (0);
+ gcry_mpi_point_t right = gcry_mpi_point_new (0);
+
+ /* compute challenge c */
+ ec_point_serialize (&challenge.g1, g1);
+ ec_point_serialize (&challenge.g2, g2);
+ ec_point_serialize (&challenge.v, v);
+ ec_point_serialize (&challenge.w, w);
+ ec_point_serialize (&challenge.a, a);
+ ec_point_serialize (&challenge.b, b);
+ brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+ mpi_parse (c, (struct ec_mpi *)&challhash);
+ gcry_mpi_mod (c, c, ec_n);
gcry_mpi_ec_mul (left, r, g1, ec_ctx);
gcry_mpi_ec_mul (right, c, v, ec_ctx);
@@ -725,6 +783,7 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
gcry_mpi_ec_add (right, b, right, ec_ctx);
ret |= ec_point_cmp (left, right);
+ gcry_mpi_release (c);
gcry_mpi_point_release (left);
gcry_mpi_point_release (right);
@@ -743,7 +802,6 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
* @param a2 TODO
* @param b1 TODO
* @param b2 TODO
- * @param c TODO
* @param d1 TODO
* @param d2 TODO
* @param r1 TODO
@@ -758,16 +816,18 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
gcry_mpi_point_t a2,
gcry_mpi_point_t b1,
gcry_mpi_point_t b2,
- gcry_mpi_t c,
gcry_mpi_t d1,
gcry_mpi_t d2,
gcry_mpi_t r1,
gcry_mpi_t r2)
{
- gcry_mpi_t r = gcry_mpi_new (0);
- gcry_mpi_t w = gcry_mpi_new (0);
- int eq0 = !ec_point_cmp (m, ec_zero);
- int eqg = !ec_point_cmp (m, ec_gen);
+ struct zkp_challenge_0og challenge;
+ struct brandt_hash_code challhash;
+ gcry_mpi_t c = gcry_mpi_new (0);
+ gcry_mpi_t r = gcry_mpi_new (0);
+ gcry_mpi_t w = gcry_mpi_new (0);
+ int eq0 = !ec_point_cmp (m, ec_zero);
+ int eqg = !ec_point_cmp (m, ec_gen);
if (!(eq0 ^ eqg))
eprintf ("zero knowledge proof: m is neither 0 nor g");
@@ -802,18 +862,6 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
/* b2 = w * y */
gcry_mpi_ec_mul (b2, w, y, ec_ctx);
-
- /* compute challange c */
- /* \todo: generate c from HASH(alpha,beta,a1,b1,a2,b2) and don't output it */
- ec_skey_create (c);
- gcry_mpi_mod (c, c, ec_n);
-
- /* d2 = c - d1 */
- gcry_mpi_subm (d2, c, d1, ec_n);
-
- /* r2 = w - r*d2 */
- gcry_mpi_mulm (r2, r, d2, ec_n);
- gcry_mpi_subm (r2, w, r2, ec_n);
}
else
{ /* m == g */
@@ -838,12 +886,31 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
/* b1 = w * y */
gcry_mpi_ec_mul (b1, w, y, ec_ctx);
+ }
- /* compute challange c */
- /* \todo: generate c from HASH(alpha,beta,a1,b1,a2,b2) and don't output it */
- ec_skey_create (c);
- gcry_mpi_mod (c, c, ec_n);
+ /* compute challenge c */
+ ec_point_serialize (&challenge.g, ec_gen);
+ ec_point_serialize (&challenge.alpha, alpha);
+ ec_point_serialize (&challenge.beta, beta);
+ ec_point_serialize (&challenge.a1, a1);
+ ec_point_serialize (&challenge.a2, a2);
+ ec_point_serialize (&challenge.b1, b1);
+ ec_point_serialize (&challenge.b2, b2);
+ brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+ mpi_parse (c, (struct ec_mpi *)&challhash);
+ gcry_mpi_mod (c, c, ec_n);
+ if (eq0)
+ { /* m == 0 */
+ /* d2 = c - d1 */
+ gcry_mpi_subm (d2, c, d1, ec_n);
+
+ /* r2 = w - r*d2 */
+ gcry_mpi_mulm (r2, r, d2, ec_n);
+ gcry_mpi_subm (r2, w, r2, ec_n);
+ }
+ else
+ { /* m == g */
/* d1 = c - d2 */
gcry_mpi_subm (d1, c, d2, ec_n);
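Review bot: The 0og transcript (`challenge.g` through `challenge.b2`) omits the public key `y`, even though the relation being proven involves y (`gcry_mpi_ec_mul (b2, w, y, ec_ctx)` earlier in this function), so the challenge does not bind the full statement unless y is pinned elsewhere in the protocol context, which is not visible here. If it is not, add a `y` field to struct zkp_challenge_0og and serialise it both here and in smc_zkp_0og_check, e.g. `ec_point_serialize (&challenge.y, y);`. smc_zkp_0og's signature and the commitment arithmetic start before this hunk.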
@@ -852,6 +919,7 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
gcry_mpi_subm (r1, w, r1, ec_n);
}
+ gcry_mpi_release (c);
gcry_mpi_release (r);
gcry_mpi_release (w);
}
@@ -867,7 +935,6 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
* @param a2 TODO
* @param b1 TODO
* @param b2 TODO
- * @param c TODO
* @param d1 TODO
* @param d2 TODO
* @param r1 TODO
@@ -882,16 +949,30 @@ smc_zkp_0og_check (const gcry_mpi_point_t alpha,
const gcry_mpi_point_t a2,
const gcry_mpi_point_t b1,
const gcry_mpi_point_t b2,
- const gcry_mpi_t c,
const gcry_mpi_t d1,
const gcry_mpi_t d2,
const gcry_mpi_t r1,
const gcry_mpi_t r2)
{
- int ret;
- gcry_mpi_t sum = gcry_mpi_new (0);
- gcry_mpi_point_t right = gcry_mpi_point_new (0);
- gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
+ int ret;
+ struct zkp_challenge_0og challenge;
+ struct brandt_hash_code challhash;
+ gcry_mpi_t c = gcry_mpi_new (0);
+ gcry_mpi_t sum = gcry_mpi_new (0);
+ gcry_mpi_point_t right = gcry_mpi_point_new (0);
+ gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
+
+ /* compute challenge c */
+ ec_point_serialize (&challenge.g, ec_gen);
+ ec_point_serialize (&challenge.alpha, alpha);
+ ec_point_serialize (&challenge.beta, beta);
+ ec_point_serialize (&challenge.a1, a1);
+ ec_point_serialize (&challenge.a2, a2);
+ ec_point_serialize (&challenge.b1, b1);
+ ec_point_serialize (&challenge.b2, b2);
+ brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+ mpi_parse (c, (struct ec_mpi *)&challhash);
+ gcry_mpi_mod (c, c, ec_n);
/* c == d1 + d2 */
gcry_mpi_addm (sum, d1, d2, ec_n);
@@ -922,6 +1003,7 @@ smc_zkp_0og_check (const gcry_mpi_point_t alpha,
gcry_mpi_ec_add (right, right, tmp, ec_ctx);
ret |= ec_point_cmp (b2, right) << 4;
+ gcry_mpi_release (c);
gcry_mpi_release (sum);
gcry_mpi_point_release (right);
gcry_mpi_point_release (tmp);
diff --git a/crypto.h b/crypto.h
index 4ccd1ca..87e4c65 100644
--- a/crypto.h
+++ b/crypto.h
@@ -62,16 +62,25 @@ void ec_keypair_create_base (gcry_mpi_point_t pkey,
/* --- Zero knowledge proofs --- */
+struct proof_dl {
+ struct ec_mpi r;
+ struct ec_mpi a;
+};
+
+struct proof_2dle {
+ struct ec_mpi r;
+ struct ec_mpi a;
+ struct ec_mpi b;
+};
+
void smc_zkp_dl (const gcry_mpi_point_t v,
const gcry_mpi_point_t g,
const gcry_mpi_t x,
const gcry_mpi_point_t a,
- gcry_mpi_t c,
gcry_mpi_t r);
int smc_zkp_dl_check (const gcry_mpi_point_t v,
const gcry_mpi_point_t g,
const gcry_mpi_point_t a,
- const gcry_mpi_t c,
const gcry_mpi_t r);
void smc_zkp_2dle (const gcry_mpi_point_t v,
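Review bot: struct proof_dl and struct proof_2dle are added without a comment saying what they carry, and no counterpart for the 0og proof appears, so the set looks incomplete. A one-line comment per struct, e.g. `/* Serialised DL proof: response r and commitment a; the challenge is recomputed by the verifier. */`, would document the wire shape and make explicit that c is deliberately absent. Whether a proof_0og is planned for a later commit is not visible here.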
@@ -81,7 +90,6 @@ void smc_zkp_2dle (const gcry_mpi_point_t v,
const gcry_mpi_t x,
gcry_mpi_point_t a,
gcry_mpi_point_t b,
- gcry_mpi_t c,
gcry_mpi_t r);
int smc_zkp_2dle_check (const gcry_mpi_point_t v,
const gcry_mpi_point_t w,
@@ -89,7 +97,6 @@ int smc_zkp_2dle_check (const gcry_mpi_point_t v,
const gcry_mpi_point_t g2,
const gcry_mpi_point_t a,
const gcry_mpi_point_t b,
- const gcry_mpi_t c,
const gcry_mpi_t r);
void smc_zkp_0og (gcry_mpi_point_t alpha,
@@ -100,7 +107,6 @@ void smc_zkp_0og (gcry_mpi_point_t alpha,
gcry_mpi_point_t a2,
gcry_mpi_point_t b1,
gcry_mpi_point_t b2,
- gcry_mpi_t c,
gcry_mpi_t d1,
gcry_mpi_t d2,
gcry_mpi_t r1,
@@ -112,7 +118,6 @@ int smc_zkp_0og_check (const gcry_mpi_point_t alpha,
const gcry_mpi_point_t a2,
const gcry_mpi_point_t b1,
const gcry_mpi_point_t b2,
- const gcry_mpi_t c,
const gcry_mpi_t d1,
const gcry_mpi_t d2,
const gcry_mpi_t r1,
diff --git a/test_crypto.c b/test_crypto.c
index 5f72c71..93f1cb4 100644
--- a/test_crypto.c
+++ b/test_crypto.c
@@ -98,14 +98,13 @@ test_serialization ()
int
test_smc_zkp_dl ()
{
- gcry_mpi_t c = gcry_mpi_new (0);
gcry_mpi_t r = gcry_mpi_new (0);
gcry_mpi_t x = gcry_mpi_new (0);
gcry_mpi_point_t a = gcry_mpi_point_new (0);
gcry_mpi_point_t g = gcry_mpi_point_new (0);
gcry_mpi_point_t v = gcry_mpi_point_new (0);
- ec_keypair_create (g, c);
+ ec_keypair_create (g, r);
if (0 == tests_run)
{
@@ -115,14 +114,13 @@ test_smc_zkp_dl ()
ec_keypair_create_base (v, x, g);
- smc_zkp_dl (v, g, x, a, c, r);
- check (!smc_zkp_dl_check (v, g, a, c, r), "zkp dl wrong");
+ smc_zkp_dl (v, g, x, a, r);
+ check (!smc_zkp_dl_check (v, g, a, r), "zkp dl wrong");
check (gcry_mpi_ec_curve_point (a, ec_ctx), "not on curve");
check (gcry_mpi_ec_curve_point (g, ec_ctx), "not on curve");
check (gcry_mpi_ec_curve_point (v, ec_ctx), "not on curve");
- gcry_mpi_release (c);
gcry_mpi_release (r);
gcry_mpi_release (x);
gcry_mpi_point_release (a);
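Review bot: The test only asserts that an honestly generated proof verifies; nothing checks that the verifier rejects a modified proof, which is exactly the property a challenge-binding mistake in crypto.c would break while this test stays green. After the positive check, add `gcry_mpi_add_ui (r, r, 1);` followed by `check (smc_zkp_dl_check (v, g, a, r), "zkp dl accepts tampered r");` before the releases, and the same negative case belongs in test_smc_zkp_2dle and test_smc_zkp_0og. test_smc_zkp_dl's body continues past this hunk.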
@@ -134,7 +132,6 @@ test_smc_zkp_dl ()
int
test_smc_zkp_2dle ()
{
- gcry_mpi_t c = gcry_mpi_new (0);
gcry_mpi_t r = gcry_mpi_new (0);
gcry_mpi_t x = gcry_mpi_new (0);
gcry_mpi_point_t a = gcry_mpi_point_new (0);
@@ -144,8 +141,8 @@ test_smc_zkp_2dle ()
gcry_mpi_point_t v = gcry_mpi_point_new (0);
gcry_mpi_point_t w = gcry_mpi_point_new (0);
- ec_keypair_create (g1, c);
- ec_keypair_create (g2, c);
+ ec_keypair_create (g1, r);
+ ec_keypair_create (g2, r);
if (0 == tests_run)
{
@@ -157,8 +154,8 @@ test_smc_zkp_2dle ()
ec_keypair_create_base (v, x, g1);
gcry_mpi_ec_mul (w, x, g2, ec_ctx);
- smc_zkp_2dle (v, w, g1, g2, x, a, b, c, r);
- check (!smc_zkp_2dle_check (v, w, g1, g2, a, b, c, r), "zkp 2dle wrong");
+ smc_zkp_2dle (v, w, g1, g2, x, a, b, r);
+ check (!smc_zkp_2dle_check (v, w, g1, g2, a, b, r), "zkp 2dle wrong");
check (gcry_mpi_ec_curve_point (a, ec_ctx), "not on curve");
check (gcry_mpi_ec_curve_point (b, ec_ctx), "not on curve");
@@ -167,7 +164,6 @@ test_smc_zkp_2dle ()
check (gcry_mpi_ec_curve_point (v, ec_ctx), "not on curve");
check (gcry_mpi_ec_curve_point (w, ec_ctx), "not on curve");
- gcry_mpi_release (c);
gcry_mpi_release (r);
gcry_mpi_release (x);
gcry_mpi_point_release (a);
@@ -182,7 +178,6 @@ test_smc_zkp_2dle ()
int
test_smc_zkp_0og ()
{
- gcry_mpi_t c = gcry_mpi_new (0);
gcry_mpi_t d1 = gcry_mpi_new (0);
gcry_mpi_t d2 = gcry_mpi_new (0);
gcry_mpi_t r1 = gcry_mpi_new (0);
@@ -195,11 +190,11 @@ test_smc_zkp_0og ()
gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
- ec_keypair_create (y, c);
+ ec_keypair_create (y, r1);
smc_zkp_0og (alpha, (tests_run % 2 ? ec_zero : ec_gen), y, beta, a1, a2, b1,
- b2, c, d1, d2, r1, r2);
- check (!smc_zkp_0og_check (alpha, y, beta, a1, a2, b1, b2, c, d1, d2, r1,
+ b2, d1, d2, r1, r2);
+ check (!smc_zkp_0og_check (alpha, y, beta, a1, a2, b1, b2, d1, d2, r1,
r2), "zkp 0og is wrong");
check (gcry_mpi_ec_curve_point (y, ec_ctx), "not on curve");
@@ -210,7 +205,6 @@ test_smc_zkp_0og ()
check (gcry_mpi_ec_curve_point (b1, ec_ctx), "not on curve");
check (gcry_mpi_ec_curve_point (b2, ec_ctx), "not on curve");
- gcry_mpi_release (c);
gcry_mpi_release (d1);
gcry_mpi_release (d2);
gcry_mpi_release (r1);