diff --git a/crypto.c b/crypto.c
index f892e7d..d3da75d 100644
--- a/crypto.c
+++ b/crypto.c
@@ -30,6 +30,32 @@
 #define CURVE "Ed25519"
 
 
+struct zkp_challenge_dl {
+  struct ec_mpi g;
+  struct ec_mpi v;
+  struct ec_mpi a;
+};
+
+struct zkp_challenge_2dle {
+  struct ec_mpi g1;
+  struct ec_mpi g2;
+  struct ec_mpi v;
+  struct ec_mpi w;
+  struct ec_mpi a;
+  struct ec_mpi b;
+};
+
+struct zkp_challenge_0og {
+  struct ec_mpi g;
+  struct ec_mpi alpha;
+  struct ec_mpi beta;
+  struct ec_mpi a1;
+  struct ec_mpi a2;
+  struct ec_mpi b1;
+  struct ec_mpi b2;
+};
+
+
 static gcry_ctx_t ec_ctx;
 static gcry_mpi_point_t ec_gen;
 static gcry_mpi_point_t ec_zero;
@@ -534,7 +560,6 @@ smc_gen_keyshare (struct AuctionData *ad)
  * @param a2 TODO
  * @param b1 TODO
  * @param b2 TODO
- * @param c TODO
  * @param d1 TODO
  * @param d2 TODO
  * @param r1 TODO
@@ -547,14 +572,13 @@ smc_encrypt_bid (struct AuctionData *ad,
                  gcry_mpi_point_t a2,
                  gcry_mpi_point_t b1,
                  gcry_mpi_point_t b2,
-                 gcry_mpi_t c,
                  gcry_mpi_t d1,
                  gcry_mpi_t d2,
                  gcry_mpi_t r1,
                  gcry_mpi_t r2)
 {
   smc_zkp_0og (ad->alpha[ad->i][j], (j == ad->b ? ec_gen : ec_zero), ad->Y,
-               ad->beta[ad->i][j], a1, a2, b1, b2, c, d1, d2, r1, r2);
+               ad->beta[ad->i][j], a1, a2, b1, b2, d1, d2, r1, r2);
 }
 
 
@@ -586,7 +610,6 @@ smc_compute_outcome (struct AuctionData *ad)
  * @param g \todo
  * @param x \todo
  * @param a \todo
- * @param c \todo
  * @param r \todo
  */
 void
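Review bot: The three new zkp_challenge_* structs in the first hunk carry no comment, yet they are the one thing prover and verifier must agree on byte for byte, and the field order decides what the challenge binds. Suggest a header comment on each naming its pair, e.g. `/* Fiat-Shamir challenge input for smc_zkp_dl: serialized (g, v, a). smc_zkp_dl_check must fill it in the same order and hash all of sizeof it. */`, and likewise for the 2dle and 0og structs. The two trailing `+` blank lines after zkp_challenge_0og leave three consecutive blank lines before `static gcry_ctx_t ec_ctx;`; one is enough.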
@@ -594,22 +617,27 @@ smc_zkp_dl (const gcry_mpi_point_t v,
             const gcry_mpi_point_t g,
             const gcry_mpi_t x,
             const gcry_mpi_point_t a,
-            gcry_mpi_t c,
             gcry_mpi_t r)
 {
-  gcry_mpi_t z = gcry_mpi_new (0);
+  struct zkp_challenge_dl challenge;
+  struct brandt_hash_code challhash;
+  gcry_mpi_t c = gcry_mpi_new (0);
+  gcry_mpi_t z = gcry_mpi_new (0);
 
   ec_keypair_create_base (a, z, g);
 
-  /* compute challange c */
-  /**\todo: generate c from HASH(g,v,a) and don't output it */
-// brandt_hash (const void *block, size_t size, struct brandt_hash_code *ret)
-  ec_skey_create (c);
+  /* compute challenge c */
+  ec_point_serialize (&challenge.g, ec_gen);
+  ec_point_serialize (&challenge.v, v);
+  ec_point_serialize (&challenge.a, a);
+  brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+  mpi_parse (c, (struct ec_mpi *)&challhash);
   gcry_mpi_mod (c, c, ec_n);
 
   gcry_mpi_mulm (r, c, x, ec_n);
   gcry_mpi_addm (r, r, z, ec_n);
 
+  gcry_mpi_release (c);
   gcry_mpi_release (z);
 }
 
@@ -620,7 +648,6 @@ smc_zkp_dl (const gcry_mpi_point_t v,
  * @param v \todo
  * @param g \todo
  * @param a \todo
- * @param c \todo
  * @param r \todo
  * @return 0 if the proof is correct, something else otherwise
  */
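Review bot: The challenge in smc_zkp_dl serializes `ec_gen` into challenge.g although the proof is relative to the caller's base `g` (`ec_keypair_create_base (a, z, g)` here, and `r * g` on the verifier side), so the base of the statement is not bound by the hash. Both sides should use `ec_point_serialize (&challenge.g, g);`; the same one-line change applies to smc_zkp_dl_check in the next hunk. `mpi_parse (c, (struct ec_mpi *)&challhash)` reads a brandt_hash_code as an ec_mpi, which is only in bounds if `sizeof (struct brandt_hash_code) >= sizeof (struct ec_mpi)`; neither definition is visible here, so a `_Static_assert` on that relation next to the cast would pin it (C11). If struct ec_mpi has padding, the uninitialised stack `challenge` feeds indeterminate bytes into the hash; `memset (&challenge, 0, sizeof challenge);` before the serialize calls removes that dependence — confirm against ec_mpi's definition.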
@@ -628,18 +655,29 @@ int
 smc_zkp_dl_check (const gcry_mpi_point_t v,
                   const gcry_mpi_point_t g,
                   const gcry_mpi_point_t a,
-                  const gcry_mpi_t c,
                   const gcry_mpi_t r)
 {
-  int ret;
-  gcry_mpi_point_t left = gcry_mpi_point_new (0);
-  gcry_mpi_point_t right = gcry_mpi_point_new (0);
+  int ret;
+  struct zkp_challenge_dl challenge;
+  struct brandt_hash_code challhash;
+  gcry_mpi_t c = gcry_mpi_new (0);
+  gcry_mpi_point_t left = gcry_mpi_point_new (0);
+  gcry_mpi_point_t right = gcry_mpi_point_new (0);
+
+  /* compute challenge c */
+  ec_point_serialize (&challenge.g, ec_gen);
+  ec_point_serialize (&challenge.v, v);
+  ec_point_serialize (&challenge.a, a);
+  brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+  mpi_parse (c, (struct ec_mpi *)&challhash);
+  gcry_mpi_mod (c, c, ec_n);
 
   gcry_mpi_ec_mul (left, r, g, ec_ctx);
   gcry_mpi_ec_mul (right, c, v, ec_ctx);
   gcry_mpi_ec_add (right, a, right, ec_ctx);
   ret = ec_point_cmp (left, right);
 
+  gcry_mpi_release (c);
   gcry_mpi_point_release (left);
   gcry_mpi_point_release (right);
 
@@ -657,7 +695,6 @@ smc_zkp_dl_check (const gcry_mpi_point_t v,
  * @param x TODO
  * @param a TODO
  * @param b TODO
- * @param c TODO
  * @param r TODO
  */
 void
@@ -668,22 +705,31 @@ smc_zkp_2dle (const gcry_mpi_point_t v,
               const gcry_mpi_t x,
               gcry_mpi_point_t a,
               gcry_mpi_point_t b,
-              gcry_mpi_t c,
               gcry_mpi_t r)
 {
-  gcry_mpi_t z = gcry_mpi_new (0);
+  struct zkp_challenge_2dle challenge;
+  struct brandt_hash_code challhash;
+  gcry_mpi_t c = gcry_mpi_new (0);
+  gcry_mpi_t z = gcry_mpi_new (0);
 
   ec_keypair_create_base (a, z, g1);
   gcry_mpi_ec_mul (b, z, g2, ec_ctx);
 
-  /* compute challange c */
-  /* \todo: generate c from HASH(g1,g2,v,w,a,b) and don't output it */
-  ec_skey_create (c);
+  /* compute challenge c */
+  ec_point_serialize (&challenge.g1, g1);
+  ec_point_serialize (&challenge.g2, g2);
+  ec_point_serialize (&challenge.v, v);
+  ec_point_serialize (&challenge.w, w);
+  ec_point_serialize (&challenge.a, a);
+  ec_point_serialize (&challenge.b, b);
+  brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+  mpi_parse (c, (struct ec_mpi *)&challhash);
   gcry_mpi_mod (c, c, ec_n);
 
   gcry_mpi_mulm (r, c, x, ec_n);
   gcry_mpi_addm (r, r, z, ec_n);
 
+  gcry_mpi_release (c);
   gcry_mpi_release (z);
 }
 
@@ -697,7 +743,6 @@ smc_zkp_2dle (const gcry_mpi_point_t v,
  * @param g2 TODO
  * @param a TODO
  * @param b TODO
- * @param c TODO
  * @param r TODO
  * @return TODO
  */
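Review bot: `brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash)` in smc_zkp_2dle hashes only the first three ec_mpi fields of a zkp_challenge_2dle (g1, g2, v), so w, a and b never enter the challenge and the commitment is not bound by it. The same copied size appears in smc_zkp_2dle_check (next hunk) and in smc_zkp_0og and smc_zkp_0og_check, where it truncates the zkp_challenge_0og input to g, alpha, beta. Use `brandt_hash (&challenge, sizeof challenge, &challhash);` in all four so the length follows the declared type; the round-trip test passes today only because prover and verifier truncate identically.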
@@ -708,12 +753,25 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
                     const gcry_mpi_point_t g2,
                     const gcry_mpi_point_t a,
                     const gcry_mpi_point_t b,
-                    const gcry_mpi_t c,
                     const gcry_mpi_t r)
 {
-  int ret;
-  gcry_mpi_point_t left = gcry_mpi_point_new (0);
-  gcry_mpi_point_t right = gcry_mpi_point_new (0);
+  int ret;
+  struct zkp_challenge_2dle challenge;
+  struct brandt_hash_code challhash;
+  gcry_mpi_t c = gcry_mpi_new (0);
+  gcry_mpi_point_t left = gcry_mpi_point_new (0);
+  gcry_mpi_point_t right = gcry_mpi_point_new (0);
+
+  /* compute challenge c */
+  ec_point_serialize (&challenge.g1, g1);
+  ec_point_serialize (&challenge.g2, g2);
+  ec_point_serialize (&challenge.v, v);
+  ec_point_serialize (&challenge.w, w);
+  ec_point_serialize (&challenge.a, a);
+  ec_point_serialize (&challenge.b, b);
+  brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+  mpi_parse (c, (struct ec_mpi *)&challhash);
+  gcry_mpi_mod (c, c, ec_n);
 
   gcry_mpi_ec_mul (left, r, g1, ec_ctx);
   gcry_mpi_ec_mul (right, c, v, ec_ctx);
@@ -725,6 +783,7 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
   gcry_mpi_ec_add (right, b, right, ec_ctx);
   ret |= ec_point_cmp (left, right);
 
+  gcry_mpi_release (c);
   gcry_mpi_point_release (left);
   gcry_mpi_point_release (right);
 
@@ -743,7 +802,6 @@ smc_zkp_2dle_check (const gcry_mpi_point_t v,
  * @param a2 TODO
  * @param b1 TODO
  * @param b2 TODO
- * @param c TODO
  * @param d1 TODO
  * @param d2 TODO
  * @param r1 TODO
@@ -758,16 +816,18 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
              gcry_mpi_point_t a2,
              gcry_mpi_point_t b1,
              gcry_mpi_point_t b2,
-             gcry_mpi_t c,
              gcry_mpi_t d1,
              gcry_mpi_t d2,
              gcry_mpi_t r1,
              gcry_mpi_t r2)
 {
-  gcry_mpi_t r = gcry_mpi_new (0);
-  gcry_mpi_t w = gcry_mpi_new (0);
-  int eq0 = !ec_point_cmp (m, ec_zero);
-  int eqg = !ec_point_cmp (m, ec_gen);
+  struct zkp_challenge_0og challenge;
+  struct brandt_hash_code challhash;
+  gcry_mpi_t c = gcry_mpi_new (0);
+  gcry_mpi_t r = gcry_mpi_new (0);
+  gcry_mpi_t w = gcry_mpi_new (0);
+  int eq0 = !ec_point_cmp (m, ec_zero);
+  int eqg = !ec_point_cmp (m, ec_gen);
 
   if (!(eq0 ^ eqg))
     eprintf ("zero knowledge proof: m is neither 0 nor g");
@@ -802,18 +862,6 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
 
     /* b2 = w * y */
     gcry_mpi_ec_mul (b2, w, y, ec_ctx);
-
-    /* compute challange c */
-    /* \todo: generate c from HASH(alpha,beta,a1,b1,a2,b2) and don't output it */
-    ec_skey_create (c);
-    gcry_mpi_mod (c, c, ec_n);
-
-    /* d2 = c - d1 */
-    gcry_mpi_subm (d2, c, d1, ec_n);
-
-    /* r2 = w - r*d2 */
-    gcry_mpi_mulm (r2, r, d2, ec_n);
-    gcry_mpi_subm (r2, w, r2, ec_n);
   }
   else
   { /* m == g */
@@ -838,12 +886,31 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
 
     /* b1 = w * y */
     gcry_mpi_ec_mul (b1, w, y, ec_ctx);
+  }
 
-    /* compute challange c */
-    /* \todo: generate c from HASH(alpha,beta,a1,b1,a2,b2) and don't output it */
-    ec_skey_create (c);
-    gcry_mpi_mod (c, c, ec_n);
+  /* compute challenge c */
+  ec_point_serialize (&challenge.g, ec_gen);
+  ec_point_serialize (&challenge.alpha, alpha);
+  ec_point_serialize (&challenge.beta, beta);
+  ec_point_serialize (&challenge.a1, a1);
+  ec_point_serialize (&challenge.a2, a2);
+  ec_point_serialize (&challenge.b1, b1);
+  ec_point_serialize (&challenge.b2, b2);
+  brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+  mpi_parse (c, (struct ec_mpi *)&challhash);
+  gcry_mpi_mod (c, c, ec_n);
 
+  if (eq0)
+  { /* m == 0 */
+    /* d2 = c - d1 */
+    gcry_mpi_subm (d2, c, d1, ec_n);
+
+    /* r2 = w - r*d2 */
+    gcry_mpi_mulm (r2, r, d2, ec_n);
+    gcry_mpi_subm (r2, w, r2, ec_n);
+  }
+  else
+  { /* m == g */
     /* d1 = c - d2 */
     gcry_mpi_subm (d1, c, d2, ec_n);
 
@@ -852,6 +919,7 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
     gcry_mpi_subm (r1, w, r1, ec_n);
   }
 
+  gcry_mpi_release (c);
   gcry_mpi_release (r);
   gcry_mpi_release (w);
 }
@@ -867,7 +935,6 @@ smc_zkp_0og (gcry_mpi_point_t alpha,
  * @param a2 TODO
  * @param b1 TODO
  * @param b2 TODO
- * @param c TODO
  * @param d1 TODO
  * @param d2 TODO
  * @param r1 TODO
@@ -882,16 +949,30 @@ smc_zkp_0og_check (const gcry_mpi_point_t alpha,
                    const gcry_mpi_point_t a2,
                    const gcry_mpi_point_t b1,
                    const gcry_mpi_point_t b2,
-                   const gcry_mpi_t c,
                    const gcry_mpi_t d1,
                    const gcry_mpi_t d2,
                    const gcry_mpi_t r1,
                    const gcry_mpi_t r2)
 {
-  int ret;
-  gcry_mpi_t sum = gcry_mpi_new (0);
-  gcry_mpi_point_t right = gcry_mpi_point_new (0);
-  gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
+  int ret;
+  struct zkp_challenge_0og challenge;
+  struct brandt_hash_code challhash;
+  gcry_mpi_t c = gcry_mpi_new (0);
+  gcry_mpi_t sum = gcry_mpi_new (0);
+  gcry_mpi_point_t right = gcry_mpi_point_new (0);
+  gcry_mpi_point_t tmp = gcry_mpi_point_new (0);
+
+  /* compute challenge c */
+  ec_point_serialize (&challenge.g, ec_gen);
+  ec_point_serialize (&challenge.alpha, alpha);
+  ec_point_serialize (&challenge.beta, beta);
+  ec_point_serialize (&challenge.a1, a1);
+  ec_point_serialize (&challenge.a2, a2);
+  ec_point_serialize (&challenge.b1, b1);
+  ec_point_serialize (&challenge.b2, b2);
+  brandt_hash (&challenge, sizeof (struct zkp_challenge_dl), &challhash);
+  mpi_parse (c, (struct ec_mpi *)&challhash);
+  gcry_mpi_mod (c, c, ec_n);
 
   /* c == d1 + d2 */
   gcry_mpi_addm (sum, d1, d2, ec_n);
@@ -922,6 +1003,7 @@ smc_zkp_0og_check (const gcry_mpi_point_t alpha,
   gcry_mpi_ec_add (right, right, tmp, ec_ctx);
   ret |= ec_point_cmp (b2, right) << 4;
 
+  gcry_mpi_release (c);
   gcry_mpi_release (sum);
   gcry_mpi_point_release (right);
   gcry_mpi_point_release (tmp);
diff --git a/crypto.h b/crypto.h
index 4ccd1ca..87e4c65 100644
--- a/crypto.h
+++ b/crypto.h
@@ -62,16 +62,25 @@ void ec_keypair_create_base (gcry_mpi_point_t pkey,
 
 /* --- Zero knowledge proofs --- */
 
+struct proof_dl {
+  struct ec_mpi r;
+  struct ec_mpi a;
+};
+
+struct proof_2dle {
+  struct ec_mpi r;
+  struct ec_mpi a;
+  struct ec_mpi b;
+};
+
 void smc_zkp_dl (const gcry_mpi_point_t v,
                  const gcry_mpi_point_t g,
                  const gcry_mpi_t x,
                  const gcry_mpi_point_t a,
-                 gcry_mpi_t c,
                  gcry_mpi_t r);
 int smc_zkp_dl_check (const gcry_mpi_point_t v,
                       const gcry_mpi_point_t g,
                       const gcry_mpi_point_t a,
-                      const gcry_mpi_t c,
                       const gcry_mpi_t r);
 
 void smc_zkp_2dle (const gcry_mpi_point_t v,
@@ -81,7 +90,6 @@ void smc_zkp_2dle (const gcry_mpi_point_t v,
                    const gcry_mpi_t x,
                    gcry_mpi_point_t a,
                    gcry_mpi_point_t b,
-                   gcry_mpi_t c,
                    gcry_mpi_t r);
 int smc_zkp_2dle_check (const gcry_mpi_point_t v,
                         const gcry_mpi_point_t w,
@@ -89,7 +97,6 @@ int smc_zkp_2dle_check (const gcry_mpi_point_t v,
                         const gcry_mpi_point_t g2,
                         const gcry_mpi_point_t a,
                         const gcry_mpi_point_t b,
-                        const gcry_mpi_t c,
                         const gcry_mpi_t r);
 
 void smc_zkp_0og (gcry_mpi_point_t alpha,
@@ -100,7 +107,6 @@ void smc_zkp_0og (gcry_mpi_point_t alpha,
                   gcry_mpi_point_t a2,
                   gcry_mpi_point_t b1,
                   gcry_mpi_point_t b2,
-                  gcry_mpi_t c,
                   gcry_mpi_t d1,
                   gcry_mpi_t d2,
                   gcry_mpi_t r1,
@@ -112,7 +118,6 @@ int smc_zkp_0og_check (const gcry_mpi_point_t alpha,
                        const gcry_mpi_point_t a2,
                        const gcry_mpi_point_t b1,
                        const gcry_mpi_point_t b2,
-                       const gcry_mpi_t c,
                        const gcry_mpi_t d1,
                        const gcry_mpi_t d2,
                        const gcry_mpi_t r1,
diff --git a/test_crypto.c b/test_crypto.c
index 5f72c71..93f1cb4 100644
--- a/test_crypto.c
+++ b/test_crypto.c
@@ -98,14 +98,13 @@ test_serialization ()
 int
 test_smc_zkp_dl ()
 {
-  gcry_mpi_t c = gcry_mpi_new (0);
   gcry_mpi_t r = gcry_mpi_new (0);
   gcry_mpi_t x = gcry_mpi_new (0);
   gcry_mpi_point_t a = gcry_mpi_point_new (0);
   gcry_mpi_point_t g = gcry_mpi_point_new (0);
   gcry_mpi_point_t v = gcry_mpi_point_new (0);
 
-  ec_keypair_create (g, c);
+  ec_keypair_create (g, r);
 
   if (0 == tests_run)
     {
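Review bot: `struct proof_dl` and `struct proof_2dle` are added to the public header without a comment and are not used anywhere else in this diff, so a reader cannot tell whether they are the wire format of the proofs or scratch space; there is also no proof_0og counterpart, which looks asymmetric. A one-line comment on each would settle it, e.g. `/* Serialized non-interactive proof for smc_zkp_dl: response r and commitment a; the verifier recomputes the challenge itself. */`. Since the public prototypes drop the `c` parameter, the header doc for each smc_zkp_*_check should also say the challenge is derived from the proof's points rather than supplied by the caller — the prototypes here carry no doc comments at all.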
@@ -115,14 +114,13 @@ test_smc_zkp_dl ()
 
   ec_keypair_create_base (v, x, g);
 
-  smc_zkp_dl (v, g, x, a, c, r);
-  check (!smc_zkp_dl_check (v, g, a, c, r), "zkp dl wrong");
+  smc_zkp_dl (v, g, x, a, r);
+  check (!smc_zkp_dl_check (v, g, a, r), "zkp dl wrong");
 
   check (gcry_mpi_ec_curve_point (a, ec_ctx), "not on curve");
   check (gcry_mpi_ec_curve_point (g, ec_ctx), "not on curve");
   check (gcry_mpi_ec_curve_point (v, ec_ctx), "not on curve");
 
-  gcry_mpi_release (c);
   gcry_mpi_release (r);
   gcry_mpi_release (x);
   gcry_mpi_point_release (a);
@@ -134,7 +132,6 @@ test_smc_zkp_dl ()
 int
 test_smc_zkp_2dle ()
 {
-  gcry_mpi_t c = gcry_mpi_new (0);
   gcry_mpi_t r = gcry_mpi_new (0);
   gcry_mpi_t x = gcry_mpi_new (0);
   gcry_mpi_point_t a = gcry_mpi_point_new (0);
@@ -144,8 +141,8 @@ test_smc_zkp_2dle ()
   gcry_mpi_point_t v = gcry_mpi_point_new (0);
   gcry_mpi_point_t w = gcry_mpi_point_new (0);
 
-  ec_keypair_create (g1, c);
-  ec_keypair_create (g2, c);
+  ec_keypair_create (g1, r);
+  ec_keypair_create (g2, r);
 
   if (0 == tests_run)
     {
@@ -157,8 +154,8 @@ test_smc_zkp_2dle ()
   ec_keypair_create_base (v, x, g1);
   gcry_mpi_ec_mul (w, x, g2, ec_ctx);
 
-  smc_zkp_2dle (v, w, g1, g2, x, a, b, c, r);
-  check (!smc_zkp_2dle_check (v, w, g1, g2, a, b, c, r), "zkp 2dle wrong");
+  smc_zkp_2dle (v, w, g1, g2, x, a, b, r);
+  check (!smc_zkp_2dle_check (v, w, g1, g2, a, b, r), "zkp 2dle wrong");
 
   check (gcry_mpi_ec_curve_point (a, ec_ctx), "not on curve");
   check (gcry_mpi_ec_curve_point (b, ec_ctx), "not on curve");
@@ -167,7 +164,6 @@ test_smc_zkp_2dle ()
   check (gcry_mpi_ec_curve_point (v, ec_ctx), "not on curve");
   check (gcry_mpi_ec_curve_point (w, ec_ctx), "not on curve");
 
-  gcry_mpi_release (c);
   gcry_mpi_release (r);
   gcry_mpi_release (x);
   gcry_mpi_point_release (a);
@@ -182,7 +178,6 @@ test_smc_zkp_2dle ()
 int
 test_smc_zkp_0og ()
 {
-  gcry_mpi_t c = gcry_mpi_new (0);
   gcry_mpi_t d1 = gcry_mpi_new (0);
   gcry_mpi_t d2 = gcry_mpi_new (0);
   gcry_mpi_t r1 = gcry_mpi_new (0);
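Review bot: test_smc_zkp_dl only exercises the honest path, so it cannot tell a challenge that is hashed over the wrong length, or one that is not bound to `a`, from a correct one — prover and verifier make the same mistake and the round trip still passes. After the existing check, a rejection case pins the verifier: `gcry_mpi_add_ui (r, r, 1);` followed by `check (smc_zkp_dl_check (v, g, a, r), "zkp dl accepts altered r");`. The same two-line addition fits test_smc_zkp_2dle (alter `r`) and test_smc_zkp_0og (alter `r1`) in the following hunks, which today also verify only the honest proof.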
@@ -195,11 +190,11 @@ test_smc_zkp_0og ()
   gcry_mpi_point_t b1 = gcry_mpi_point_new (0);
   gcry_mpi_point_t b2 = gcry_mpi_point_new (0);
 
-  ec_keypair_create (y, c);
+  ec_keypair_create (y, r1);
   smc_zkp_0og (alpha, (tests_run % 2 ? ec_zero : ec_gen), y, beta, a1, a2, b1,
-               b2, c, d1, d2, r1, r2);
-  check (!smc_zkp_0og_check (alpha, y, beta, a1, a2, b1, b2, c, d1, d2, r1,
+               b2, d1, d2, r1, r2);
+  check (!smc_zkp_0og_check (alpha, y, beta, a1, a2, b1, b2, d1, d2, r1,
                              r2), "zkp 0og is wrong");
 
   check (gcry_mpi_ec_curve_point (y, ec_ctx), "not on curve");
@@ -210,7 +205,6 @@ test_smc_zkp_0og ()
   check (gcry_mpi_ec_curve_point (b1, ec_ctx), "not on curve");
   check (gcry_mpi_ec_curve_point (b2, ec_ctx), "not on curve");
 
-  gcry_mpi_release (c);
   gcry_mpi_release (d1);
   gcry_mpi_release (d2);
   gcry_mpi_release (r1);