secret sharing service More...

#include "platform.h"
#include "gnunet_util_lib.h"
#include "gnunet_time_lib.h"
#include "gnunet_signatures.h"
#include "gnunet_consensus_service.h"
#include "secretsharing.h"
#include "secretsharing_protocol.h"
#include <gcrypt.h>

Include dependency graph for gnunet-service-secretsharing.c:

Data Structures
struct	KeygenPeerInfo
	Info about a peer in a key generation session. More...

struct	DecryptPeerInfo
	Information about a peer in a decrypt session. More...

struct	KeygenSession
	Session to establish a threshold-shared secret. More...

struct	DecryptSession
	Session to cooperatively decrypt a value. More...

struct	ClientState
	State we keep per client. More...

Macros
#define	EXTRA_CHECKS 1

Functions
static struct KeygenPeerInfo *	get_keygen_peer_info (const struct KeygenSession ks, const struct GNUNET_PeerIdentity peer)
	Get the peer info belonging to a peer identity in a keygen session. More...

static struct DecryptPeerInfo *	get_decrypt_peer_info (const struct DecryptSession ds, const struct GNUNET_PeerIdentity peer)
	Get the peer info belonging to a peer identity in a decrypt session. More...

static struct GNUNET_TIME_Absolute	time_between (struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Absolute end, int num, int denum)
	Interpolate between two points in time. More...

static int	peer_id_cmp (const void p1, const void p2)
	Compare two peer identities. More...

static int	peer_find (const struct GNUNET_PeerIdentity haystack, unsigned int n, const struct GNUNET_PeerIdentity needle)
	Get the index of a peer in an array of peers. More...

static struct GNUNET_PeerIdentity *	normalize_peers (struct GNUNET_PeerIdentity listed, unsigned int num_listed, unsigned int num_normalized, unsigned int *my_peer_idx)
	Normalize the given list of peers, by including the local peer (if it is missing) and sorting the peers by their identity. More...

static void	compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j, unsigned int *indices, unsigned int num)
	Get a the j-th lagrange coefficient for a set of indices. More...

static void	decrypt_session_destroy (struct DecryptSession *ds)
	Destroy a decrypt session, removing it from the linked list of decrypt sessions. More...

static void	keygen_info_destroy (struct KeygenPeerInfo *info)

static void	keygen_session_destroy (struct KeygenSession *ks)

static void	cleanup_task (void *cls)
	Task run during shutdown. More...

static void	generate_presecret_polynomial (struct KeygenSession *ks)
	Generate the random coefficients of our pre-secret polynomial. More...

static void	keygen_round1_new_element (void cls, const struct GNUNET_SET_Element element)
	Consensus element handler for round one. More...

static void	horner_eval (gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t x, gcry_mpi_t m)
	Evaluate the polynomial with coefficients coeff at x. More...

static void	keygen_round2_conclude (void *cls)

static void	restore_fair (const struct GNUNET_CRYPTO_PaillierPublicKey ppub, const struct GNUNET_SECRETSHARING_FairEncryption fe, gcry_mpi_t x, gcry_mpi_t xres)

static void	get_fair_encryption_challenge (const struct GNUNET_SECRETSHARING_FairEncryption fe, gcry_mpi_t e)

static int	verify_fair (const struct GNUNET_CRYPTO_PaillierPublicKey ppub, const struct GNUNET_SECRETSHARING_FairEncryption fe)

static void	encrypt_fair (gcry_mpi_t v, const struct GNUNET_CRYPTO_PaillierPublicKey ppub, struct GNUNET_SECRETSHARING_FairEncryption fe)
	Create a fair Paillier encryption of then given ciphertext. More...

static void	insert_round2_element (struct KeygenSession *ks)
	Insert round 2 element in the consensus, consisting of (1) The exponentiated pre-share polynomial coefficients A_{i,l}=g^{a_{i,l}} (2) The exponentiated pre-shares y_{i,j}=g^{s_{i,j}} (3) The encrypted pre-shares Y_{i,j} (4) The zero knowledge proof for fairness of the encryption. More...

static gcry_mpi_t	keygen_reveal_get_exp_coeff (struct KeygenSession ks, const struct GNUNET_SECRETSHARING_KeygenRevealData d, unsigned int idx)

static struct GNUNET_SECRETSHARING_FairEncryption *	keygen_reveal_get_enc_preshare (struct KeygenSession ks, const struct GNUNET_SECRETSHARING_KeygenRevealData d, unsigned int idx)

static gcry_mpi_t	keygen_reveal_get_exp_preshare (struct KeygenSession ks, const struct GNUNET_SECRETSHARING_KeygenRevealData d, unsigned int idx)

static void	keygen_round2_new_element (void cls, const struct GNUNET_SET_Element element)

static void	keygen_round1_conclude (void *cls)
	Called when the first consensus round has concluded. More...

static void	insert_round1_element (struct KeygenSession *ks)
	Insert the ephemeral key and the presecret commitment of this peer in the consensus of the given session. More...

static int	check_client_keygen (void cls, const struct GNUNET_SECRETSHARING_CreateMessage msg)
	Check that msg is well-formed. More...

static void	handle_client_keygen (void cls, const struct GNUNET_SECRETSHARING_CreateMessage msg)
	Functions with this signature are called whenever a message is received. More...

static void	decrypt_conclude (void *cls)
	Called when the partial decryption consensus concludes. More...

static char *	mpi_to_str (gcry_mpi_t mpi)
	Get a string representation of an MPI. More...

static void	decrypt_new_element (void cls, const struct GNUNET_SET_Element element)
	Called when a new partial decryption arrives. More...

static void	insert_decrypt_element (struct DecryptSession *ds)

static int	check_client_decrypt (void cls, const struct GNUNET_SECRETSHARING_DecryptRequestMessage msg)
	Check that msg is well-formed. More...

static void	handle_client_decrypt (void cls, const struct GNUNET_SECRETSHARING_DecryptRequestMessage msg)
	Functions with this signature are called whenever a message is received. More...

static void	init_crypto_constants (void)

static void	run (void cls, const struct GNUNET_CONFIGURATION_Handle c, struct GNUNET_SERVICE_Handle *service)
	Initialize secretsharing service. More...

static void *	client_connect_cb (void cls, struct GNUNET_SERVICE_Client c, struct GNUNET_MQ_Handle *mq)
	Callback called when a client connects to the service. More...

static void	client_disconnect_cb (void cls, struct GNUNET_SERVICE_Client c, void *internal_cls)
	Callback called when a client disconnected from the service. More...

	GNUNET_SERVICE_MAIN ("secretsharing", GNUNET_SERVICE_OPTION_NONE, &run, &client_connect_cb, &client_disconnect_cb, NULL, GNUNET_MQ_hd_var_size(client_keygen, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE, struct GNUNET_SECRETSHARING_CreateMessage, NULL), GNUNET_MQ_hd_var_size(client_decrypt, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT, struct GNUNET_SECRETSHARING_DecryptRequestMessage, NULL), GNUNET_MQ_handler_end())
	Define "main" method using service macro. More...

Variables
static gcry_mpi_t	elgamal_q
	The ElGamal prime field order as libgcrypt mpi. More...

static gcry_mpi_t	elgamal_p
	Modulus of the prime field used for ElGamal. More...

static gcry_mpi_t	elgamal_g
	Generator for prime field of order 'elgamal_q'. More...

static struct GNUNET_PeerIdentity	my_peer
	Peer that runs this service. More...

static struct GNUNET_CRYPTO_EddsaPrivateKey *	my_peer_private_key
	Peer that runs this service. More...

static const struct GNUNET_CONFIGURATION_Handle *	cfg
	Configuration of this service. More...

Detailed Description

secret sharing service

Author: Florian Dold

Definition in file gnunet-service-secretsharing.c.

Macro Definition Documentation

◆ EXTRA_CHECKS

#define EXTRA_CHECKS 1

Definition at line 36 of file gnunet-service-secretsharing.c.

Function Documentation

◆ get_keygen_peer_info()

static struct KeygenPeerInfo* get_keygen_peer_info	(	const struct KeygenSession *	ks,
		const struct GNUNET_PeerIdentity *	peer
	)

static

Get the peer info belonging to a peer identity in a keygen session.

Parameters

ks	The keygen session.
peer	The peer identity.

Returns: The Keygen peer info, or NULL if the peer could not be found.

Definition at line 325 of file gnunet-service-secretsharing.c.

References GNUNET_memcmp, KeygenSession::info, KeygenSession::num_peers, and KeygenPeerInfo::peer.

Referenced by keygen_round1_new_element(), and keygen_round2_new_element().

 {
   unsigned int i;
 
   for (i = 0; i < ks->num_peers; i++)
     if (0 == GNUNET_memcmp (peer, &ks->info[i].peer))
       return &ks->info[i];
   return NULL;
 }

Here is the caller graph for this function:

◆ get_decrypt_peer_info()

static struct DecryptPeerInfo* get_decrypt_peer_info	(	const struct DecryptSession *	ds,
		const struct GNUNET_PeerIdentity *	peer
	)

static

Get the peer info belonging to a peer identity in a decrypt session.

Parameters

ds	The decrypt session.
peer	The peer identity.

Returns: The decrypt peer info, or NULL if the peer could not be found.

Definition at line 345 of file gnunet-service-secretsharing.c.

References GNUNET_memcmp, DecryptSession::info, GNUNET_SECRETSHARING_Share::num_peers, DecryptPeerInfo::peer, and DecryptSession::share.

Referenced by decrypt_new_element().

 {
   unsigned int i;
 
   for (i = 0; i < ds->share->num_peers; i++)
     if (0 == GNUNET_memcmp (peer, &ds->info[i].peer))
       return &ds->info[i];
   return NULL;
 }

Here is the caller graph for this function:

◆ time_between()

static struct GNUNET_TIME_Absolute time_between	(	struct GNUNET_TIME_Absolute	start,
		struct GNUNET_TIME_Absolute	end,
		int	num,
		int	denum
	)

static

Interpolate between two points in time.

Parameters

start	start time
end	end time
num	numerator of the scale factor
denum	denumerator of the scale factor

Definition at line 366 of file gnunet-service-secretsharing.c.

References GNUNET_TIME_Absolute::abs_value_us, end, GNUNET_assert, result, and start.

Referenced by keygen_round1_conclude().

 {
   struct GNUNET_TIME_Absolute result;
   uint64_t diff;
 
   GNUNET_assert (start.abs_value_us <= end.abs_value_us);
   diff = end.abs_value_us - start.abs_value_us;
   result.abs_value_us = start.abs_value_us + ((diff * num) / denum);
 
   return result;
 }

Here is the caller graph for this function:

◆ peer_id_cmp()

static int peer_id_cmp	(	const void *	p1,
		const void *	p2
	)

static

Compare two peer identities.

Indended to be used with qsort or bsearch.

Parameters

p1	Some peer identity.
p2	Some peer identity.

Returns: 1 if p1 > p2, -1 if p1 < p2 and 0 if p1 == p2.

Definition at line 389 of file gnunet-service-secretsharing.c.

Referenced by normalize_peers().

 {
   return memcmp (p1,
                  p2,
                  sizeof(struct GNUNET_PeerIdentity));
 }

Here is the caller graph for this function:

◆ peer_find()

static int peer_find	(	const struct GNUNET_PeerIdentity *	haystack,
		unsigned int	n,
		const struct GNUNET_PeerIdentity *	needle
	)

static

Get the index of a peer in an array of peers.

Parameters

haystack	Array of peers.
n	Size of haystack.
needle	Peer to find

Returns: Index of needle in haystack, or -1 if peer is not in the list.

Definition at line 407 of file gnunet-service-secretsharing.c.

References GNUNET_memcmp.

Referenced by normalize_peers().

 {
   unsigned int i;
 
   for (i = 0; i < n; i++)
     if (0 == GNUNET_memcmp (&haystack[i],
                             needle))
       return i;
   return -1;
 }

Here is the caller graph for this function:

◆ normalize_peers()

static struct GNUNET_PeerIdentity* normalize_peers	(	struct GNUNET_PeerIdentity *	listed,
		unsigned int	num_listed,
		unsigned int *	num_normalized,
		unsigned int *	my_peer_idx
	)

static

Normalize the given list of peers, by including the local peer (if it is missing) and sorting the peers by their identity.

Parameters

	listed	Peers in the unnormalized list.
	num_listed	Peers in the un-normalized list.
[out]	num_normalized	Number of peers in the normalized list.
[out]	my_peer_idx	Index of the local peer in the normalized list.

Returns: Normalized list, must be free'd by the caller.

Definition at line 431 of file gnunet-service-secretsharing.c.

References GNUNET_memcpy, GNUNET_new_array, GNUNET_NO, GNUNET_YES, my_peer, peer_find(), and peer_id_cmp().

Referenced by handle_client_keygen().

 {
   unsigned int local_peer_in_list;
   /* number of peers in the normalized list */
   unsigned int n;
   struct GNUNET_PeerIdentity *normalized;
 
   local_peer_in_list = GNUNET_YES;
   n = num_listed;
   if (peer_find (listed, num_listed, &my_peer) < 0)
   {
     local_peer_in_list = GNUNET_NO;
     n += 1;
   }
 
   normalized = GNUNET_new_array (n,
                                  struct GNUNET_PeerIdentity);
 
   if (GNUNET_NO == local_peer_in_list)
     normalized[n - 1] = my_peer;
 
   GNUNET_memcpy (normalized,
                  listed,
                  num_listed * sizeof(struct GNUNET_PeerIdentity));
   qsort (normalized,
          n,
          sizeof(struct GNUNET_PeerIdentity),
          &peer_id_cmp);
 
   if (NULL != my_peer_idx)
     *my_peer_idx = peer_find (normalized, n, &my_peer);
   if (NULL != num_normalized)
     *num_normalized = n;
 
   return normalized;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ compute_lagrange_coefficient()

static void compute_lagrange_coefficient	(	gcry_mpi_t	coeff,
		unsigned int	j,
		unsigned int *	indices,
		unsigned int	num
	)

static

Get a the j-th lagrange coefficient for a set of indices.

Parameters

[out]	coeff	the lagrange coefficient
	j	lagrange coefficient we want to compute
	indices	indices
	num	number of indices in indices

Definition at line 481 of file gnunet-service-secretsharing.c.

References elgamal_q, GNUNET_assert, and l.

Referenced by decrypt_conclude().

 {
   unsigned int i;
   /* numerator */
   gcry_mpi_t n;
   /* denominator */
   gcry_mpi_t d;
   /* temp value for l-j */
   gcry_mpi_t tmp;
 
   GNUNET_assert (0 != coeff);
 
   GNUNET_assert (0 != (n = gcry_mpi_new (0)));
   GNUNET_assert (0 != (d = gcry_mpi_new (0)));
   GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
 
   gcry_mpi_set_ui (n, 1);
   gcry_mpi_set_ui (d, 1);
 
   for (i = 0; i < num; i++)
   {
     unsigned int l = indices[i];
     if (l == j)
       continue;
     gcry_mpi_mul_ui (n, n, l + 1);
     // d <- d * (l-j)
     gcry_mpi_set_ui (tmp, l + 1);
     gcry_mpi_sub_ui (tmp, tmp, j + 1);
     gcry_mpi_mul (d, d, tmp);
   }
 
   // gcry_mpi_invm does not like negative numbers ...
   gcry_mpi_mod (d, d, elgamal_q);
 
   GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0);
 
   // now we do the actual division, with everything mod q, as we
   // are not operating on elements from <g>, but on exponents
   GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q));
 
   gcry_mpi_mulm (coeff, n, d, elgamal_q);
 
   gcry_mpi_release (n);
   gcry_mpi_release (d);
   gcry_mpi_release (tmp);
 }

Here is the caller graph for this function:

◆ decrypt_session_destroy()

static void decrypt_session_destroy ( struct DecryptSession * ds )

static

Destroy a decrypt session, removing it from the linked list of decrypt sessions.

Parameters

ds	decrypt session to destroy

Definition at line 538 of file gnunet-service-secretsharing.c.

References DecryptSession::consensus, DecryptSession::cs, ClientState::decrypt_session, GNUNET_CONSENSUS_destroy(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_free, GNUNET_log, GNUNET_SECRETSHARING_share_destroy(), DecryptSession::info, GNUNET_SECRETSHARING_Share::num_peers, DecryptPeerInfo::partial_decryption, and DecryptSession::share.

Referenced by client_disconnect_cb().

 {
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "destroying decrypt session\n");
   if (NULL != ds->cs)
   {
     ds->cs->decrypt_session = NULL;
     ds->cs = NULL;
   }
   if (NULL != ds->consensus)
   {
     GNUNET_CONSENSUS_destroy (ds->consensus);
     ds->consensus = NULL;
   }
 
   if (NULL != ds->info)
   {
     for (unsigned int i = 0; i < ds->share->num_peers; i++)
     {
       if (NULL != ds->info[i].partial_decryption)
       {
         gcry_mpi_release (ds->info[i].partial_decryption);
         ds->info[i].partial_decryption = NULL;
       }
     }
     GNUNET_free (ds->info);
     ds->info = NULL;
   }
   if (NULL != ds->share)
   {
     GNUNET_SECRETSHARING_share_destroy (ds->share);
     ds->share = NULL;
   }
 
   GNUNET_free (ds);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ keygen_info_destroy()

static void keygen_info_destroy ( struct KeygenPeerInfo * info )

static

Definition at line 577 of file gnunet-service-secretsharing.c.

References KeygenPeerInfo::presecret_commitment, KeygenPeerInfo::preshare_commitment, and KeygenPeerInfo::sigma.

Referenced by keygen_session_destroy().

 {
   if (NULL != info->sigma)
   {
     gcry_mpi_release (info->sigma);
     info->sigma = NULL;
   }
   if (NULL != info->presecret_commitment)
   {
     gcry_mpi_release (info->presecret_commitment);
     info->presecret_commitment = NULL;
   }
   if (NULL != info->preshare_commitment)
   {
     gcry_mpi_release (info->preshare_commitment);
     info->preshare_commitment = NULL;
   }
 }

Here is the caller graph for this function:

◆ keygen_session_destroy()

static void keygen_session_destroy ( struct KeygenSession * ks )

static

Definition at line 598 of file gnunet-service-secretsharing.c.

References KeygenSession::consensus, KeygenSession::cs, GNUNET_assert, GNUNET_CONSENSUS_destroy(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_free, GNUNET_log, KeygenSession::info, keygen_info_destroy(), ClientState::keygen_session, KeygenSession::my_share, KeygenSession::num_peers, KeygenSession::peers, KeygenSession::presecret_polynomial, KeygenSession::public_key, and KeygenSession::threshold.

Referenced by client_disconnect_cb().

 {
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "destroying keygen session\n");
 
   if (NULL != ks->cs)
   {
     ks->cs->keygen_session = NULL;
     ks->cs = NULL;
   }
   if (NULL != ks->info)
   {
     for (unsigned int i = 0; i < ks->num_peers; i++)
       keygen_info_destroy (&ks->info[i]);
     GNUNET_free (ks->info);
     ks->info = NULL;
   }
 
   if (NULL != ks->consensus)
   {
     GNUNET_CONSENSUS_destroy (ks->consensus);
     ks->consensus = NULL;
   }
 
   if (NULL != ks->presecret_polynomial)
   {
     for (unsigned int i = 0; i < ks->threshold; i++)
     {
       GNUNET_assert (NULL != ks->presecret_polynomial[i]);
       gcry_mpi_release (ks->presecret_polynomial[i]);
       ks->presecret_polynomial[i] = NULL;
     }
     GNUNET_free (ks->presecret_polynomial);
     ks->presecret_polynomial = NULL;
   }
   if (NULL != ks->my_share)
   {
     gcry_mpi_release (ks->my_share);
     ks->my_share = NULL;
   }
   if (NULL != ks->public_key)
   {
     gcry_mpi_release (ks->public_key);
     ks->public_key = NULL;
   }
   if (NULL != ks->peers)
   {
     GNUNET_free (ks->peers);
     ks->peers = NULL;
   }
   GNUNET_free (ks);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ cleanup_task()

static void cleanup_task ( void * cls )

static

Task run during shutdown.

Parameters

cls	unused
tc	unused

Definition at line 659 of file gnunet-service-secretsharing.c.

Referenced by run().

 {
   /* Nothing to do! */
 }

Here is the caller graph for this function:

◆ generate_presecret_polynomial()

static void generate_presecret_polynomial ( struct KeygenSession * ks )

static

Generate the random coefficients of our pre-secret polynomial.

Parameters

ks	the session

Definition at line 671 of file gnunet-service-secretsharing.c.

References elgamal_q, GNUNET_assert, GNUNET_new_array, GNUNET_SECRETSHARING_ELGAMAL_BITS, KeygenSession::presecret_polynomial, and KeygenSession::threshold.

Referenced by handle_client_keygen().

 {
   int i;
   gcry_mpi_t v;
 
   GNUNET_assert (NULL == ks->presecret_polynomial);
   ks->presecret_polynomial = GNUNET_new_array (ks->threshold,
                                                gcry_mpi_t);
   for (i = 0; i < ks->threshold; i++)
   {
     v = ks->presecret_polynomial[i] = gcry_mpi_new (
       GNUNET_SECRETSHARING_ELGAMAL_BITS);
     GNUNET_assert (NULL != v);
     // Randomize v such that 0 < v < elgamal_q.
     // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
     do
     {
       gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
                           GCRY_WEAK_RANDOM);
     }
     while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
   }
 }

Here is the caller graph for this function:

◆ keygen_round1_new_element()

static void keygen_round1_new_element	(	void *	cls,
		const struct GNUNET_SET_Element *	element
	)

static

Consensus element handler for round one.

We should get one ephemeral key for each peer.

Parameters

cls	Closure (keygen session).
element	The element from consensus, or NULL if consensus failed.

Definition at line 705 of file gnunet-service-secretsharing.c.

References GNUNET_SECRETSHARING_KeygenCommitData::commitment, GNUNET_SET_Element::data, get_keygen_peer_info(), GNUNET_CRYPTO_eddsa_verify_(), GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_ERROR_TYPE_INFO, GNUNET_ERROR_TYPE_WARNING, GNUNET_i2s(), GNUNET_log, GNUNET_OK, GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1, GNUNET_YES, KeygenPeerInfo::paillier_public_key, GNUNET_SECRETSHARING_KeygenCommitData::peer, KeygenPeerInfo::presecret_commitment, GNUNET_SECRETSHARING_KeygenCommitData::pubkey, GNUNET_PeerIdentity::public_key, GNUNET_SECRETSHARING_KeygenCommitData::purpose, KeygenPeerInfo::round1_valid, GNUNET_SECRETSHARING_KeygenCommitData::signature, GNUNET_CRYPTO_EccSignaturePurpose::size, and GNUNET_SET_Element::size.

Referenced by handle_client_keygen().

 {
   const struct GNUNET_SECRETSHARING_KeygenCommitData *d;
   struct KeygenSession *ks = cls;
   struct KeygenPeerInfo *info;
 
   if (NULL == element)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round1 consensus failed\n");
     return;
   }
 
   /* elements have fixed size */
   if (element->size != sizeof(struct GNUNET_SECRETSHARING_KeygenCommitData))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen commit data with wrong size (%u) in consensus, %u expected\n",
                 (unsigned int) element->size,
                 (unsigned int) sizeof(struct
                                       GNUNET_SECRETSHARING_KeygenCommitData));
     return;
   }
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n");
 
   d = element->data;
   info = get_keygen_peer_info (ks, &d->peer);
 
   if (NULL == info)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen commit data with wrong peer identity (%s) in consensus\n",
                 GNUNET_i2s (&d->peer));
     return;
   }
 
   /* Check that the right amount of data has been signed. */
   if (d->purpose.size !=
       htonl (element->size - offsetof (struct
                                        GNUNET_SECRETSHARING_KeygenCommitData,
                                        purpose)))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen commit data with wrong signature purpose size in consensus\n");
     return;
   }
 
   if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify_ (
         GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1,
         &d->purpose, &d->signature,
         &d->peer.public_key))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen commit data with invalid signature in consensus\n");
     return;
   }
   info->paillier_public_key = d->pubkey;
   GNUNET_CRYPTO_mpi_scan_unsigned (&info->presecret_commitment, &d->commitment,
                                    512 / 8);
   info->round1_valid = GNUNET_YES;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ horner_eval()

static void horner_eval	(	gcry_mpi_t	z,
		gcry_mpi_t *	coeff,
		unsigned int	num_coeff,
		gcry_mpi_t	x,
		gcry_mpi_t	m
	)

static

Evaluate the polynomial with coefficients coeff at x.

The i-th element in coeff corresponds to the coefficient of x^i.

Parameters

[out]	z	result of the evaluation
	coeff	array of coefficients
	num_coeff	number of coefficients
	x	where to evaluate the polynomial
	m	what group are we operating in?

Definition at line 780 of file gnunet-service-secretsharing.c.

Referenced by insert_round2_element().

 {
   unsigned int i;
 
   gcry_mpi_set_ui (z, 0);
   for (i = 0; i < num_coeff; i++)
   {
     // z <- zx + c
     gcry_mpi_mul (z, z, x);
     gcry_mpi_addm (z, z, coeff[num_coeff - i - 1], m);
   }
 }

Here is the caller graph for this function:

◆ keygen_round2_conclude()

static void keygen_round2_conclude ( void * cls )

static

Definition at line 796 of file gnunet-service-secretsharing.c.

Referenced by keygen_round1_conclude().

 {
   struct KeygenSession *ks = cls;
   struct GNUNET_SECRETSHARING_SecretReadyMessage *m;
   struct GNUNET_MQ_Envelope *ev;
   size_t share_size;
   unsigned int i;
   unsigned int j;
   struct GNUNET_SECRETSHARING_Share *share;
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
 
   GNUNET_CONSENSUS_destroy (ks->consensus);
   ks->consensus = NULL;
 
   share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
 
   share->num_peers = 0;
 
   for (i = 0; i < ks->num_peers; i++)
     if (GNUNET_YES == ks->info[i].round2_valid)
       share->num_peers++;
 
   share->peers = GNUNET_new_array (share->num_peers,
                                    struct GNUNET_PeerIdentity);
   share->sigmas =
     GNUNET_new_array (share->num_peers,
                       struct GNUNET_SECRETSHARING_FieldElement);
   share->original_indices = GNUNET_new_array (share->num_peers,
                                               uint16_t);
 
   /* maybe we're not even in the list of peers? */
   share->my_peer = share->num_peers;
 
   j = 0; /* running index of valid peers */
   for (i = 0; i < ks->num_peers; i++)
   {
     if (GNUNET_YES == ks->info[i].round2_valid)
     {
       share->peers[j] = ks->info[i].peer;
       GNUNET_CRYPTO_mpi_print_unsigned (&share->sigmas[j],
                                         GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                                         ks->info[i].sigma);
       share->original_indices[i] = j;
       if (0 == GNUNET_memcmp (&share->peers[i], &my_peer))
         share->my_peer = j;
       j += 1;
     }
   }
 
   if (share->my_peer == share->num_peers)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: peer identity not in share\n",
                 ks->local_peer_idx);
   }
 
   GNUNET_CRYPTO_mpi_print_unsigned (&share->my_share,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                                     ks->my_share);
   GNUNET_CRYPTO_mpi_print_unsigned (&share->public_key,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                                     ks->public_key);
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n",
               share->num_peers);
 
   /* Write the share. If 0 peers completed the dkg, an empty
    * share will be sent. */
 
   GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, NULL, 0,
                                                                 &share_size));
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "writing share of size %u\n",
               (unsigned int) share_size);
 
   ev = GNUNET_MQ_msg_extra (m, share_size,
                             GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY);
 
   GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, &m[1],
                                                                 share_size,
                                                                 NULL));
 
   GNUNET_SECRETSHARING_share_destroy (share);
   share = NULL;
 
   GNUNET_MQ_send (ks->cs->mq,
                   ev);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ restore_fair()

static void restore_fair	(	const struct GNUNET_CRYPTO_PaillierPublicKey *	ppub,
		const struct GNUNET_SECRETSHARING_FairEncryption *	fe,
		gcry_mpi_t	x,
		gcry_mpi_t	xres
	)

static

Definition at line 887 of file gnunet-service-secretsharing.c.

References elgamal_q, GNUNET_assert, GNUNET_CRYPTO_mpi_scan_unsigned(), and t.

Referenced by keygen_round2_new_element().

 {
   gcry_mpi_t a_1;
   gcry_mpi_t a_2;
   gcry_mpi_t b_1;
   gcry_mpi_t b_2;
   gcry_mpi_t big_a;
   gcry_mpi_t big_b;
   gcry_mpi_t big_t;
   gcry_mpi_t n;
   gcry_mpi_t t_1;
   gcry_mpi_t t_2;
   gcry_mpi_t t;
   gcry_mpi_t r;
   gcry_mpi_t v;
 
 
   GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (t = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (big_t = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (v = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (big_a = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (big_b = gcry_mpi_new (0)));
 
   // a = (N,0)^T
   GNUNET_CRYPTO_mpi_scan_unsigned (&a_1,
                                    ppub,
                                    sizeof(struct
                                           GNUNET_CRYPTO_PaillierPublicKey));
   GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0)));
   gcry_mpi_set_ui (a_2, 0);
   // b = (x,1)^T
   GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0)));
   gcry_mpi_set (b_1, x);
   GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0)));
   gcry_mpi_set_ui (b_2, 1);
 
   // A = a DOT a
   gcry_mpi_mul (t, a_1, a_1);
   gcry_mpi_mul (big_a, a_2, a_2);
   gcry_mpi_add (big_a, big_a, t);
 
   // B = b DOT b
   gcry_mpi_mul (t, b_1, b_1);
   gcry_mpi_mul (big_b, b_2, b_2);
   gcry_mpi_add (big_b, big_b, t);
 
   while (1)
   {
     // n = a DOT b
     gcry_mpi_mul (t, a_1, b_1);
     gcry_mpi_mul (n, a_2, b_2);
     gcry_mpi_add (n, n, t);
 
     // r = nearest(n/B)
     gcry_mpi_div (r, NULL, n, big_b, 0);
 
     // T := A - 2rn + rrB
     gcry_mpi_mul (v, r, n);
     gcry_mpi_mul_ui (v, v, 2);
     gcry_mpi_sub (big_t, big_a, v);
     gcry_mpi_mul (v, r, r);
     gcry_mpi_mul (v, v, big_b);
     gcry_mpi_add (big_t, big_t, v);
 
     if (gcry_mpi_cmp (big_t, big_b) >= 0)
     {
       break;
     }
 
     // t = a - rb
     gcry_mpi_mul (v, r, b_1);
     gcry_mpi_sub (t_1, a_1, v);
     gcry_mpi_mul (v, r, b_2);
     gcry_mpi_sub (t_2, a_2, v);
 
     // a = b
     gcry_mpi_set (a_1, b_1);
     gcry_mpi_set (a_2, b_2);
     // b = t
     gcry_mpi_set (b_1, t_1);
     gcry_mpi_set (b_2, t_2);
 
     gcry_mpi_set (big_a, big_b);
     gcry_mpi_set (big_b, big_t);
   }
 
   gcry_mpi_set (xres, b_2);
   gcry_mpi_invm (xres, xres, elgamal_q);
   gcry_mpi_mulm (xres, xres, b_1, elgamal_q);
 
   gcry_mpi_release (a_1);
   gcry_mpi_release (a_2);
   gcry_mpi_release (b_1);
   gcry_mpi_release (b_2);
   gcry_mpi_release (big_a);
   gcry_mpi_release (big_b);
   gcry_mpi_release (big_t);
   gcry_mpi_release (n);
   gcry_mpi_release (t_1);
   gcry_mpi_release (t_2);
   gcry_mpi_release (t);
   gcry_mpi_release (r);
   gcry_mpi_release (v);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ get_fair_encryption_challenge()

static void get_fair_encryption_challenge	(	const struct GNUNET_SECRETSHARING_FairEncryption *	fe,
		gcry_mpi_t *	e
	)

static

Definition at line 1000 of file gnunet-service-secretsharing.c.

References GNUNET_SECRETSHARING_FairEncryption::c, elgamal_q, GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_CRYPTO_PAILLIER_BITS, GNUNET_memcpy, GNUNET_SECRETSHARING_ELGAMAL_BITS, h, GNUNET_SECRETSHARING_FairEncryption::h, GNUNET_SECRETSHARING_FairEncryption::t1, and GNUNET_SECRETSHARING_FairEncryption::t2.

Referenced by encrypt_fair(), and verify_fair().

 {
   struct
   {
     struct GNUNET_CRYPTO_PaillierCiphertext c;
     char h[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
     char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
     char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
   } hash_data;
   struct GNUNET_HashCode e_hash;
 
   memset (&hash_data,
           0,
           sizeof(hash_data));
   GNUNET_memcpy (&hash_data.c, &fe->c, sizeof(struct
                                               GNUNET_CRYPTO_PaillierCiphertext));
   GNUNET_memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   GNUNET_memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   GNUNET_memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
   GNUNET_CRYPTO_hash (&hash_data,
                       sizeof(hash_data),
                       &e_hash);
   /* This allocates "e" */
   GNUNET_CRYPTO_mpi_scan_unsigned (e,
                                    &e_hash,
                                    sizeof(struct GNUNET_HashCode));
   gcry_mpi_mod (*e, *e, elgamal_q);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ verify_fair()

static int verify_fair	(	const struct GNUNET_CRYPTO_PaillierPublicKey *	ppub,
		const struct GNUNET_SECRETSHARING_FairEncryption *	fe
	)

static

Definition at line 1033 of file gnunet-service-secretsharing.c.

References GNUNET_CRYPTO_PaillierCiphertext::bits, GNUNET_SECRETSHARING_FairEncryption::c, cleanup(), e, elgamal_g, elgamal_p, get_fair_encryption_challenge(), GNUNET_assert, GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_CRYPTO_PAILLIER_BITS, GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_NO, GNUNET_SECRETSHARING_ELGAMAL_BITS, GNUNET_YES, GNUNET_SECRETSHARING_FairEncryption::h, res, GNUNET_SECRETSHARING_FairEncryption::t1, GNUNET_SECRETSHARING_FairEncryption::t2, GNUNET_SECRETSHARING_FairEncryption::w, and GNUNET_SECRETSHARING_FairEncryption::z.

Referenced by keygen_round2_new_element().

 {
   gcry_mpi_t n;
   gcry_mpi_t n_sq;
   gcry_mpi_t z;
   gcry_mpi_t t1;
   gcry_mpi_t t2;
   gcry_mpi_t e;
   gcry_mpi_t w;
   gcry_mpi_t tmp1;
   gcry_mpi_t tmp2;
   gcry_mpi_t y;
   gcry_mpi_t big_y;
   int res;
 
   GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
 
   get_fair_encryption_challenge (fe,
                                  &e /* this allocates e */);
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&n,
                                    ppub,
                                    sizeof(struct
                                           GNUNET_CRYPTO_PaillierPublicKey));
   GNUNET_CRYPTO_mpi_scan_unsigned (&t1, fe->t1, GNUNET_CRYPTO_PAILLIER_BITS
                                    / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&z, fe->z,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&y, fe->h,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&w, fe->w, GNUNET_CRYPTO_PAILLIER_BITS / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits,
                                    GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&t2, fe->t2, GNUNET_CRYPTO_PAILLIER_BITS
                                    * 2 / 8);
   gcry_mpi_mul (n_sq, n, n);
 
   // tmp1 = g^z
   gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p);
   // tmp2 = y^{-e}
   gcry_mpi_powm (tmp1, y, e, elgamal_p);
   gcry_mpi_invm (tmp1, tmp1, elgamal_p);
   // tmp1 = tmp1 * tmp2
   gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p);
 
   if (0 == gcry_mpi_cmp (t1, tmp1))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n");
     res = GNUNET_NO;
     goto cleanup;
   }
 
   gcry_mpi_powm (big_y, big_y, e, n_sq);
   gcry_mpi_invm (big_y, big_y, n_sq);
 
   gcry_mpi_add_ui (tmp1, n, 1);
   gcry_mpi_powm (tmp1, tmp1, z, n_sq);
 
   gcry_mpi_powm (tmp2, w, n, n_sq);
 
   gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq);
   gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq);
 
 
   if (0 == gcry_mpi_cmp (t2, tmp1))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n");
     res = GNUNET_NO;
     goto cleanup;
   }
 
   res = GNUNET_YES;
 
 cleanup:
 
   gcry_mpi_release (n);
   gcry_mpi_release (n_sq);
   gcry_mpi_release (z);
   gcry_mpi_release (t1);
   gcry_mpi_release (t2);
   gcry_mpi_release (e);
   gcry_mpi_release (w);
   gcry_mpi_release (tmp1);
   gcry_mpi_release (tmp2);
   gcry_mpi_release (y);
   gcry_mpi_release (big_y);
   return res;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ encrypt_fair()

static void encrypt_fair	(	gcry_mpi_t	v,
		const struct GNUNET_CRYPTO_PaillierPublicKey *	ppub,
		struct GNUNET_SECRETSHARING_FairEncryption *	fe
	)

static

Create a fair Paillier encryption of then given ciphertext.

Parameters

	v	the ciphertext
[out]	fe	the fair encryption

Definition at line 1133 of file gnunet-service-secretsharing.c.

References GNUNET_CRYPTO_PaillierCiphertext::bits, GNUNET_SECRETSHARING_FairEncryption::c, e, elgamal_g, elgamal_p, elgamal_q, get_fair_encryption_challenge(), GNUNET_assert, GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_CRYPTO_PAILLIER_BITS, GNUNET_SECRETSHARING_ELGAMAL_BITS, h, GNUNET_SECRETSHARING_FairEncryption::h, GNUNET_SECRETSHARING_FairEncryption::t1, GNUNET_SECRETSHARING_FairEncryption::t2, GNUNET_SECRETSHARING_FairEncryption::w, and GNUNET_SECRETSHARING_FairEncryption::z.

Referenced by insert_round2_element().

 {
   gcry_mpi_t r;
   gcry_mpi_t s;
   gcry_mpi_t t1;
   gcry_mpi_t t2;
   gcry_mpi_t z;
   gcry_mpi_t w;
   gcry_mpi_t n;
   gcry_mpi_t e;
   gcry_mpi_t n_sq;
   gcry_mpi_t u;
   gcry_mpi_t Y;
   gcry_mpi_t G;
   gcry_mpi_t h;
 
   GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (s = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (t1 = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (t2 = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (z = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (u = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (Y = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (G = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&n,
                                    ppub,
                                    sizeof(struct
                                           GNUNET_CRYPTO_PaillierPublicKey));
   gcry_mpi_mul (n_sq, n, n);
   gcry_mpi_add_ui (G, n, 1);
 
   do
   {
     gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
   }
   while (gcry_mpi_cmp (u, n) >= 0);
 
   gcry_mpi_powm (t1, G, v, n_sq);
   gcry_mpi_powm (t2, u, n, n_sq);
   gcry_mpi_mulm (Y, t1, t2, n_sq);
 
   GNUNET_CRYPTO_mpi_print_unsigned (fe->c.bits,
                                     sizeof fe->c.bits,
                                     Y);
 
 
   gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM);
   do
   {
     gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
   }
   while (gcry_mpi_cmp (s, n) >= 0);
 
   // compute t1
   gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p);
   // compute t2 (use z and w as temp)
   gcry_mpi_powm (z, G, r, n_sq);
   gcry_mpi_powm (w, s, n, n_sq);
   gcry_mpi_mulm (t2, z, w, n_sq);
 
 
   gcry_mpi_powm (h, elgamal_g, v, elgamal_p);
 
   GNUNET_CRYPTO_mpi_print_unsigned (fe->h,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                                     h);
 
   GNUNET_CRYPTO_mpi_print_unsigned (fe->t1,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                                     t1);
 
   GNUNET_CRYPTO_mpi_print_unsigned (fe->t2,
                                     GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8,
                                     t2);
 
   get_fair_encryption_challenge (fe,
                                  &e /* This allocates "e" */);
 
   // compute z
   gcry_mpi_mul (z, e, v);
   gcry_mpi_addm (z, z, r, elgamal_q);
   // compute w
   gcry_mpi_powm (w, u, e, n);
   gcry_mpi_mulm (w, w, s, n);
 
   GNUNET_CRYPTO_mpi_print_unsigned (fe->z,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                                     z);
 
   GNUNET_CRYPTO_mpi_print_unsigned (fe->w,
                                     GNUNET_CRYPTO_PAILLIER_BITS / 8,
                                     w);
 
   gcry_mpi_release (n);
   gcry_mpi_release (r);
   gcry_mpi_release (s);
   gcry_mpi_release (t1);
   gcry_mpi_release (t2);
   gcry_mpi_release (z);
   gcry_mpi_release (w);
   gcry_mpi_release (e);
   gcry_mpi_release (n_sq);
   gcry_mpi_release (u);
   gcry_mpi_release (Y);
   gcry_mpi_release (G);
   gcry_mpi_release (h);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ insert_round2_element()

static void insert_round2_element ( struct KeygenSession * ks )

static

Insert round 2 element in the consensus, consisting of (1) The exponentiated pre-share polynomial coefficients A_{i,l}=g^{a_{i,l}} (2) The exponentiated pre-shares y_{i,j}=g^{s_{i,j}} (3) The encrypted pre-shares Y_{i,j} (4) The zero knowledge proof for fairness of the encryption.

Parameters

ks	session to use

Definition at line 1259 of file gnunet-service-secretsharing.c.

References KeygenSession::consensus, GNUNET_SET_Element::data, element_size, elgamal_g, elgamal_p, elgamal_q, encrypt_fair(), GNUNET_assert, GNUNET_CONSENSUS_insert(), GNUNET_CRYPTO_eddsa_sign_(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_free, GNUNET_log, GNUNET_malloc, GNUNET_OK, GNUNET_SECRETSHARING_ELGAMAL_BITS, GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2, GNUNET_YES, horner_eval(), KeygenSession::info, KeygenSession::local_peer_idx, my_peer, KeygenSession::num_peers, KeygenPeerInfo::paillier_public_key, GNUNET_SECRETSHARING_KeygenRevealData::peer, KeygenSession::presecret_polynomial, GNUNET_SECRETSHARING_KeygenRevealData::purpose, GNUNET_CRYPTO_EccSignaturePurpose::purpose, KeygenPeerInfo::round1_valid, GNUNET_SECRETSHARING_KeygenRevealData::signature, GNUNET_CRYPTO_EccSignaturePurpose::size, GNUNET_SET_Element::size, and KeygenSession::threshold.

Referenced by keygen_round1_conclude().

 {
   struct GNUNET_SET_Element *element;
   struct GNUNET_SECRETSHARING_KeygenRevealData *d;
   unsigned char *pos;
   unsigned char *last_pos;
   size_t element_size;
   unsigned int i;
   gcry_mpi_t idx;
   gcry_mpi_t v;
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
               ks->local_peer_idx);
 
   GNUNET_assert (NULL != (v = gcry_mpi_new (
                             GNUNET_SECRETSHARING_ELGAMAL_BITS)));
   GNUNET_assert (NULL != (idx = gcry_mpi_new (
                             GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
                   + sizeof(struct GNUNET_SECRETSHARING_FairEncryption)
                   * ks->num_peers
                   + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
 
   element = GNUNET_malloc (sizeof(struct GNUNET_SET_Element) + element_size);
   element->size = element_size;
   element->data = (void *) &element[1];
 
   d = (void *) element->data;
   d->peer = my_peer;
 
   // start inserting vector elements
   // after the fixed part of the element's data
   pos = (void *) &d[1];
   last_pos = pos + element_size;
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
               ks->local_peer_idx);
 
   // encrypted pre-shares
   // and fair encryption proof
   {
     for (i = 0; i < ks->num_peers; i++)
     {
       ptrdiff_t remaining = last_pos - pos;
       struct GNUNET_SECRETSHARING_FairEncryption *fe = (void *) pos;
 
       GNUNET_assert (remaining > 0);
       memset (fe, 0, sizeof *fe);
       if (GNUNET_YES == ks->info[i].round1_valid)
       {
         gcry_mpi_set_ui (idx, i + 1);
         // evaluate the polynomial
         horner_eval (v, ks->presecret_polynomial, ks->threshold, idx,
                      elgamal_q);
         // encrypt the result
         encrypt_fair (v, &ks->info[i].paillier_public_key, fe);
       }
       pos += sizeof *fe;
     }
   }
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
               ks->local_peer_idx);
 
   // exponentiated coefficients
   for (i = 0; i < ks->threshold; i++)
   {
     ptrdiff_t remaining = last_pos - pos;
     GNUNET_assert (remaining > 0);
     gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p);
     GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS
                                       / 8, v);
     pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
   }
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
               ks->local_peer_idx);
 
 
   d->purpose.size = htonl (element_size - offsetof (struct
                                                     GNUNET_SECRETSHARING_KeygenRevealData,
                                                     purpose));
   d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2);
   GNUNET_assert (GNUNET_OK ==
                  GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key,
                                             &d->purpose,
                                             &d->signature));
 
   GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
   GNUNET_free (element);  /* FIXME: maybe stack-allocate instead? */
 
   gcry_mpi_release (v);
   gcry_mpi_release (idx);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ keygen_reveal_get_exp_coeff()

static gcry_mpi_t keygen_reveal_get_exp_coeff	(	struct KeygenSession *	ks,
		const struct GNUNET_SECRETSHARING_KeygenRevealData *	d,
		unsigned int	idx
	)

static

Definition at line 1357 of file gnunet-service-secretsharing.c.

References GNUNET_assert, GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_SECRETSHARING_ELGAMAL_BITS, KeygenSession::num_peers, and threshold.

Referenced by keygen_round2_new_element().

 {
   unsigned char *pos;
   gcry_mpi_t exp_coeff;
 
   GNUNET_assert (idx < ks->threshold);
 
   pos = (void *) &d[1];
   // skip encrypted pre-shares
   pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers;
   // skip exp. coeffs we are not interested in
   pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx;
   // the first exponentiated coefficient is the public key share
   GNUNET_CRYPTO_mpi_scan_unsigned (&exp_coeff, pos,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   return exp_coeff;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ keygen_reveal_get_enc_preshare()

static struct GNUNET_SECRETSHARING_FairEncryption* keygen_reveal_get_enc_preshare	(	struct KeygenSession *	ks,
		const struct GNUNET_SECRETSHARING_KeygenRevealData *	d,
		unsigned int	idx
	)

static

Definition at line 1380 of file gnunet-service-secretsharing.c.

References GNUNET_assert, and num_peers.

Referenced by keygen_reveal_get_exp_preshare(), and keygen_round2_new_element().

 {
   unsigned char *pos;
 
   GNUNET_assert (idx < ks->num_peers);
 
   pos = (void *) &d[1];
   // skip encrypted pre-shares we're not interested in
   pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * idx;
   return (struct GNUNET_SECRETSHARING_FairEncryption *) pos;
 }

Here is the caller graph for this function:

◆ keygen_reveal_get_exp_preshare()

static gcry_mpi_t keygen_reveal_get_exp_preshare	(	struct KeygenSession *	ks,
		const struct GNUNET_SECRETSHARING_KeygenRevealData *	d,
		unsigned int	idx
	)

static

Definition at line 1397 of file gnunet-service-secretsharing.c.

References GNUNET_assert, GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_SECRETSHARING_ELGAMAL_BITS, GNUNET_SECRETSHARING_FairEncryption::h, keygen_reveal_get_enc_preshare(), and num_peers.

Referenced by keygen_round2_new_element().

 {
   gcry_mpi_t exp_preshare;
   struct GNUNET_SECRETSHARING_FairEncryption *fe;
 
   GNUNET_assert (idx < ks->num_peers);
   fe = keygen_reveal_get_enc_preshare (ks, d, idx);
   GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, fe->h,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   return exp_preshare;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ keygen_round2_new_element()

static void keygen_round2_new_element	(	void *	cls,
		const struct GNUNET_SET_Element *	element
	)

static

Definition at line 1414 of file gnunet-service-secretsharing.c.

References GNUNET_SECRETSHARING_FairEncryption::c, GNUNET_SET_Element::data, elgamal_g, elgamal_p, elgamal_q, get_keygen_peer_info(), GNUNET_assert, GNUNET_CRYPTO_eddsa_verify_(), GNUNET_CRYPTO_paillier_decrypt(), GNUNET_ERROR_TYPE_INFO, GNUNET_ERROR_TYPE_WARNING, GNUNET_i2s(), GNUNET_log, GNUNET_NO, GNUNET_OK, GNUNET_SECRETSHARING_ELGAMAL_BITS, GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2, GNUNET_YES, KeygenSession::info, keygen_reveal_get_enc_preshare(), keygen_reveal_get_exp_coeff(), keygen_reveal_get_exp_preshare(), KeygenSession::local_peer_idx, KeygenSession::my_share, KeygenSession::num_peers, KeygenSession::paillier_private_key, KeygenPeerInfo::paillier_public_key, GNUNET_SECRETSHARING_KeygenRevealData::peer, KeygenPeerInfo::preshare_commitment, KeygenSession::public_key, GNUNET_PeerIdentity::public_key, GNUNET_SECRETSHARING_KeygenRevealData::purpose, restore_fair(), KeygenPeerInfo::round1_valid, KeygenPeerInfo::round2_valid, KeygenPeerInfo::sigma, GNUNET_SECRETSHARING_KeygenRevealData::signature, GNUNET_CRYPTO_EccSignaturePurpose::size, GNUNET_SET_Element::size, KeygenSession::threshold, and verify_fair().

Referenced by keygen_round1_conclude().

 {
   struct KeygenSession *ks = cls;
   const struct GNUNET_SECRETSHARING_KeygenRevealData *d;
   struct KeygenPeerInfo *info;
   size_t expected_element_size;
   unsigned int j;
   int cmp_result;
   gcry_mpi_t tmp;
   gcry_mpi_t public_key_share;
   gcry_mpi_t preshare;
 
   if (NULL == element)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round2 consensus failed\n");
     return;
   }
 
   expected_element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
                            + sizeof(struct
                                     GNUNET_SECRETSHARING_FairEncryption)
                            * ks->num_peers
                            + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8
                            * ks->threshold);
 
   if (element->size != expected_element_size)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen round2 data with wrong size (%u) in consensus, %u expected\n",
                 (unsigned int) element->size,
                 (unsigned int) expected_element_size);
     return;
   }
 
   d = (const void *) element->data;
 
   info = get_keygen_peer_info (ks, &d->peer);
 
   if (NULL == info)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen commit data with wrong peer identity (%s) in consensus\n",
                 GNUNET_i2s (&d->peer));
     return;
   }
 
   if (GNUNET_NO == info->round1_valid)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "ignoring round2 element from peer with invalid round1 element (%s)\n",
                 GNUNET_i2s (&d->peer));
     return;
   }
 
   if (GNUNET_YES == info->round2_valid)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "ignoring duplicate round2 element (%s)\n",
                 GNUNET_i2s (&d->peer));
     return;
   }
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round2 element\n");
 
   if (ntohl (d->purpose.size) !=
       element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData,
                                 purpose))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen reveal data with wrong signature purpose size in consensus\n");
     return;
   }
 
   if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify_ (
         GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2,
         &d->purpose, &d->signature,
         &d->peer.public_key))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "keygen reveal data with invalid signature in consensus\n");
     return;
   }
 
   public_key_share = keygen_reveal_get_exp_coeff (ks, d, 0);
   info->preshare_commitment = keygen_reveal_get_exp_preshare (ks, d,
                                                               ks->local_peer_idx);
 
   if (NULL == ks->public_key)
   {
     GNUNET_assert (NULL != (ks->public_key = gcry_mpi_new (0)));
     gcry_mpi_set_ui (ks->public_key, 1);
   }
   gcry_mpi_mulm (ks->public_key, ks->public_key, public_key_share, elgamal_p);
 
   gcry_mpi_release (public_key_share);
   public_key_share = NULL;
 
   {
     struct GNUNET_SECRETSHARING_FairEncryption *fe =
       keygen_reveal_get_enc_preshare (ks, d, ks->local_peer_idx);
     GNUNET_assert (NULL != (preshare = gcry_mpi_new (0)));
     GNUNET_CRYPTO_paillier_decrypt (&ks->paillier_private_key,
                                     &ks->info[ks->local_peer_idx].
                                     paillier_public_key,
                                     &fe->c,
                                     preshare);
 
     // FIXME: not doing the restoration is less expensive
     restore_fair (&ks->info[ks->local_peer_idx].paillier_public_key,
                   fe,
                   preshare,
                   preshare);
   }
 
   GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
   gcry_mpi_powm (tmp, elgamal_g, preshare, elgamal_p);
 
   cmp_result = gcry_mpi_cmp (tmp, info->preshare_commitment);
   gcry_mpi_release (tmp);
   tmp = NULL;
   if (0 != cmp_result)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "P%u: Got invalid presecret from P%u\n",
                 (unsigned int) ks->local_peer_idx, (unsigned int) (info
                                                                    - ks->info));
     return;
   }
 
   if (NULL == ks->my_share)
   {
     GNUNET_assert (NULL != (ks->my_share = gcry_mpi_new (0)));
   }
   gcry_mpi_addm (ks->my_share, ks->my_share, preshare, elgamal_q);
 
   for (j = 0; j < ks->num_peers; j++)
   {
     gcry_mpi_t presigma;
     if (NULL == ks->info[j].sigma)
     {
       GNUNET_assert (NULL != (ks->info[j].sigma = gcry_mpi_new (0)));
       gcry_mpi_set_ui (ks->info[j].sigma, 1);
     }
     presigma = keygen_reveal_get_exp_preshare (ks, d, j);
     gcry_mpi_mulm (ks->info[j].sigma, ks->info[j].sigma, presigma, elgamal_p);
     gcry_mpi_release (presigma);
   }
 
   gcry_mpi_t prod;
   GNUNET_assert (NULL != (prod = gcry_mpi_new (0)));
   gcry_mpi_t j_to_k;
   GNUNET_assert (NULL != (j_to_k = gcry_mpi_new (0)));
   // validate that the polynomial sharing matches the additive sharing
   for (j = 0; j < ks->num_peers; j++)
   {
     unsigned int k;
     int cmp_result;
     gcry_mpi_t exp_preshare;
     gcry_mpi_set_ui (prod, 1);
     for (k = 0; k < ks->threshold; k++)
     {
       // Using pow(double,double) is a bit sketchy.
       // We count players from 1, but shares from 0.
       gcry_mpi_t tmp;
       gcry_mpi_set_ui (j_to_k, (unsigned int) pow (j + 1, k));
       tmp = keygen_reveal_get_exp_coeff (ks, d, k);
       gcry_mpi_powm (tmp, tmp, j_to_k, elgamal_p);
       gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
       gcry_mpi_release (tmp);
     }
     exp_preshare = keygen_reveal_get_exp_preshare (ks, d, j);
     gcry_mpi_mod (exp_preshare, exp_preshare, elgamal_p);
     cmp_result = gcry_mpi_cmp (prod, exp_preshare);
     gcry_mpi_release (exp_preshare);
     exp_preshare = NULL;
     if (0 != cmp_result)
     {
       GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                   "P%u: reveal data from P%u incorrect\n",
                   ks->local_peer_idx, j);
       /* no need for further verification, round2 stays invalid ... */
       return;
     }
   }
 
   // TODO: verify proof of fair encryption (once implemented)
   for (j = 0; j < ks->num_peers; j++)
   {
     struct GNUNET_SECRETSHARING_FairEncryption *fe =
       keygen_reveal_get_enc_preshare (ks, d, j);
     if (GNUNET_YES != verify_fair (&ks->info[j].paillier_public_key, fe))
     {
       GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                   "P%u: reveal data from P%u incorrect (fair encryption)\n",
                   ks->local_peer_idx, j);
       return;
     }
   }
 
   info->round2_valid = GNUNET_YES;
 
   gcry_mpi_release (preshare);
   gcry_mpi_release (prod);
   gcry_mpi_release (j_to_k);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ keygen_round1_conclude()

static void keygen_round1_conclude ( void * cls )

static

Called when the first consensus round has concluded.

Will initiate the second round.

Parameters

cls closure

Definition at line 1629 of file gnunet-service-secretsharing.c.

References KeygenSession::consensus, KeygenSession::deadline, GNUNET_CONSENSUS_conclude(), GNUNET_CONSENSUS_create(), GNUNET_CONSENSUS_destroy(), insert_round2_element(), keygen_round2_conclude(), keygen_round2_new_element(), KeygenSession::num_peers, KeygenSession::peers, KeygenSession::session_id, KeygenSession::start_time, and time_between().

Referenced by handle_client_keygen().

 {
   struct KeygenSession *ks = cls;
 
   GNUNET_CONSENSUS_destroy (ks->consensus);
 
   ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers,
                                            &ks->session_id,
                                            time_between (ks->start_time,
                                                          ks->deadline, 1, 2),
                                            ks->deadline,
                                            keygen_round2_new_element, ks);
 
   insert_round2_element (ks);
 
   GNUNET_CONSENSUS_conclude (ks->consensus,
                              keygen_round2_conclude,
                              ks);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ insert_round1_element()

static void insert_round1_element ( struct KeygenSession * ks )

static

Insert the ephemeral key and the presecret commitment of this peer in the consensus of the given session.

Parameters

ks	session to use

Definition at line 1657 of file gnunet-service-secretsharing.c.

References GNUNET_SECRETSHARING_KeygenCommitData::commitment, KeygenSession::consensus, GNUNET_SET_Element::data, elgamal_g, elgamal_p, GNUNET_assert, GNUNET_CONSENSUS_insert(), GNUNET_CRYPTO_eddsa_sign_(), GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_free, GNUNET_malloc, GNUNET_OK, GNUNET_SECRETSHARING_ELGAMAL_BITS, GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1, KeygenSession::info, KeygenSession::local_peer_idx, my_peer, KeygenPeerInfo::paillier_public_key, GNUNET_SECRETSHARING_KeygenCommitData::peer, KeygenSession::presecret_polynomial, GNUNET_SECRETSHARING_KeygenCommitData::pubkey, GNUNET_SECRETSHARING_KeygenCommitData::purpose, GNUNET_CRYPTO_EccSignaturePurpose::purpose, GNUNET_SECRETSHARING_KeygenCommitData::signature, GNUNET_CRYPTO_EccSignaturePurpose::size, and GNUNET_SET_Element::size.

Referenced by handle_client_keygen().

 {
   struct GNUNET_SET_Element *element;
   struct GNUNET_SECRETSHARING_KeygenCommitData *d;
   // g^a_{i,0}
   gcry_mpi_t v;
   // big-endian representation of 'v'
   unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
 
   element = GNUNET_malloc (sizeof *element + sizeof *d);
   d = (void *) &element[1];
   element->data = d;
   element->size = sizeof *d;
 
   d->peer = my_peer;
 
   GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
 
   gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p);
 
   GNUNET_CRYPTO_mpi_print_unsigned (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS
                                     / 8, v);
 
   GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
                       &d->commitment);
 
   d->pubkey = ks->info[ks->local_peer_idx].paillier_public_key;
 
   d->purpose.size = htonl ((sizeof *d) - offsetof (struct
                                                    GNUNET_SECRETSHARING_KeygenCommitData,
                                                    purpose));
   d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1);
   GNUNET_assert (GNUNET_OK ==
                  GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key,
                                             &d->purpose,
                                             &d->signature));
 
   GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
 
   gcry_mpi_release (v);
   GNUNET_free (element);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ check_client_keygen()

static int check_client_keygen	(	void *	cls,
		const struct GNUNET_SECRETSHARING_CreateMessage *	msg
	)

static

Check that msg is well-formed.

Parameters

cls	identification of the client
msg	the actual message

Returns: GNUNET_OK if msg is well-formed

Definition at line 1709 of file gnunet-service-secretsharing.c.

References GNUNET_break, GNUNET_OK, GNUNET_SYSERR, GNUNET_SECRETSHARING_CreateMessage::header, num_peers, GNUNET_SECRETSHARING_CreateMessage::num_peers, and GNUNET_MessageHeader::size.

 {
   unsigned int num_peers = ntohs (msg->num_peers);
 
   if (ntohs (msg->header.size) - sizeof(*msg) !=
       num_peers * sizeof(struct GNUNET_PeerIdentity))
   {
     GNUNET_break (0);
     return GNUNET_SYSERR;
   }
   return GNUNET_OK;
 }

◆ handle_client_keygen()

static void handle_client_keygen	(	void *	cls,
		const struct GNUNET_SECRETSHARING_CreateMessage *	msg
	)

static

Functions with this signature are called whenever a message is received.

Parameters

cls	identification of the client
msg	the actual message

Definition at line 1732 of file gnunet-service-secretsharing.c.

References ClientState::client, KeygenSession::consensus, KeygenSession::cs, GNUNET_SECRETSHARING_CreateMessage::deadline, KeygenSession::deadline, generate_presecret_polynomial(), GNUNET_break, GNUNET_CONSENSUS_conclude(), GNUNET_CONSENSUS_create(), GNUNET_CRYPTO_paillier_create(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_INFO, GNUNET_log, GNUNET_new, GNUNET_new_array, GNUNET_SERVICE_client_continue(), GNUNET_SERVICE_client_drop(), GNUNET_TIME_absolute_ntoh(), KeygenSession::info, insert_round1_element(), keygen_round1_conclude(), keygen_round1_new_element(), ClientState::keygen_session, KeygenSession::local_peer_idx, normalize_peers(), GNUNET_SECRETSHARING_CreateMessage::num_peers, KeygenSession::num_peers, KeygenSession::paillier_private_key, KeygenPeerInfo::paillier_public_key, KeygenPeerInfo::peer, KeygenSession::peers, GNUNET_SECRETSHARING_CreateMessage::threshold, and KeygenSession::threshold.

 {
   struct ClientState *cs = cls;
   struct KeygenSession *ks;
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
               "client requested key generation\n");
   if (NULL != cs->keygen_session)
   {
     GNUNET_break (0);
     GNUNET_SERVICE_client_drop (cs->client);
     return;
   }
   ks = GNUNET_new (struct KeygenSession);
   ks->cs = cs;
   cs->keygen_session = ks;
   ks->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline);
   ks->threshold = ntohs (msg->threshold);
   ks->num_peers = ntohs (msg->num_peers);
 
   ks->peers = normalize_peers ((struct GNUNET_PeerIdentity *) &msg[1],
                                ks->num_peers,
                                &ks->num_peers,
                                &ks->local_peer_idx);
 
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
               "first round of consensus with %u peers\n",
               ks->num_peers);
   ks->consensus = GNUNET_CONSENSUS_create (cfg,
                                            ks->num_peers,
                                            ks->peers,
                                            &msg->session_id,
                                            GNUNET_TIME_absolute_ntoh (
                                              msg->start),
                                            GNUNET_TIME_absolute_ntoh (
                                              msg->deadline),
                                            keygen_round1_new_element,
                                            ks);
 
   ks->info = GNUNET_new_array (ks->num_peers,
                                struct KeygenPeerInfo);
 
   for (unsigned int i = 0; i < ks->num_peers; i++)
     ks->info[i].peer = ks->peers[i];
 
   GNUNET_CRYPTO_paillier_create (
     &ks->info[ks->local_peer_idx].paillier_public_key,
     &ks->paillier_private_key);
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "P%u: Generated paillier key pair\n",
               ks->local_peer_idx);
   generate_presecret_polynomial (ks);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "P%u: Generated presecret polynomial\n",
               ks->local_peer_idx);
   insert_round1_element (ks);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "P%u: Concluding for round 1\n",
               ks->local_peer_idx);
   GNUNET_CONSENSUS_conclude (ks->consensus,
                              keygen_round1_conclude,
                              ks);
   GNUNET_SERVICE_client_continue (cs->client);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "P%u: Waiting for round 1 elements ...\n",
               ks->local_peer_idx);
 }

Here is the call graph for this function:

◆ decrypt_conclude()

static void decrypt_conclude ( void * cls )

static

Called when the partial decryption consensus concludes.

Definition at line 1808 of file gnunet-service-secretsharing.c.

References GNUNET_SECRETSHARING_Ciphertext::c2_bits, DecryptSession::ciphertext, compute_lagrange_coefficient(), DecryptSession::consensus, DecryptSession::cs, ds, elgamal_p, GNUNET_assert, GNUNET_CONSENSUS_destroy(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_ERROR_TYPE_INFO, GNUNET_free, GNUNET_log, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE, GNUNET_MQ_msg, GNUNET_MQ_send(), GNUNET_new_array, GNUNET_SECRETSHARING_ELGAMAL_BITS, DecryptSession::info, m, ClientState::mq, msg, GNUNET_SECRETSHARING_Share::my_peer, GNUNET_SECRETSHARING_Share::num_peers, DecryptPeerInfo::original_index, DecryptPeerInfo::partial_decryption, GNUNET_SECRETSHARING_DecryptResponseMessage::plaintext, DecryptSession::share, and GNUNET_SECRETSHARING_DecryptResponseMessage::success.

Referenced by handle_client_decrypt().

 {
   struct DecryptSession *ds = cls;
   struct GNUNET_SECRETSHARING_DecryptResponseMessage *msg;
   struct GNUNET_MQ_Envelope *ev;
   gcry_mpi_t lagrange;
   gcry_mpi_t m;
   gcry_mpi_t tmp;
   gcry_mpi_t c_2;
   gcry_mpi_t prod;
   unsigned int *indices;
   unsigned int num;
   unsigned int i;
   unsigned int j;
 
   GNUNET_CONSENSUS_destroy (ds->consensus);
   ds->consensus = NULL;
 
   GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
   GNUNET_assert (0 != (m = gcry_mpi_new (0)));
   GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
   GNUNET_assert (0 != (prod = gcry_mpi_new (0)));
 
   num = 0;
   for (i = 0; i < ds->share->num_peers; i++)
     if (NULL != ds->info[i].partial_decryption)
       num++;
 
   indices = GNUNET_new_array (num,
                               unsigned int);
   j = 0;
   for (i = 0; i < ds->share->num_peers; i++)
     if (NULL != ds->info[i].partial_decryption)
       indices[j++] = ds->info[i].original_index;
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
               "P%u: decrypt conclude, with %u peers\n",
               ds->share->my_peer,
               num);
 
   gcry_mpi_set_ui (prod, 1);
   for (i = 0; i < num; i++)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_INFO,
                 "P%u: index of %u: %u\n",
                 ds->share->my_peer, i, indices[i]);
     compute_lagrange_coefficient (lagrange, indices[i], indices, num);
     // w_i^{\lambda_i}
     gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange,
                    elgamal_p);
 
     // product of all exponentiated partiel decryptions ...
     gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
   }
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&c_2, ds->ciphertext.c2_bits,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
   GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p));
   gcry_mpi_mulm (m, c_2, prod, elgamal_p);
   ev = GNUNET_MQ_msg (msg,
                       GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE);
   GNUNET_CRYPTO_mpi_print_unsigned (&msg->plaintext,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, m);
   msg->success = htonl (1);
   GNUNET_MQ_send (ds->cs->mq,
                   ev);
 
   GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
 
   GNUNET_free (indices);
 
   gcry_mpi_release (lagrange);
   gcry_mpi_release (m);
   gcry_mpi_release (tmp);
   gcry_mpi_release (prod);
   gcry_mpi_release (c_2);
 
   // FIXME: what if not enough peers participated?
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mpi_to_str()

static char* mpi_to_str ( gcry_mpi_t mpi )

static

Get a string representation of an MPI.

The caller must free the returned string.

Parameters

mpi	mpi to convert to a string

Returns: string representation of mpi, must be free'd by the caller

Definition at line 1898 of file gnunet-service-secretsharing.c.

References buf, and GNUNET_assert.

Referenced by decrypt_new_element(), and insert_decrypt_element().

 {
   unsigned char *buf;
 
   GNUNET_assert (0 == gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buf, NULL, mpi));
   return (char *) buf;
 }

Here is the caller graph for this function:

◆ decrypt_new_element()

static void decrypt_new_element	(	void *	cls,
		const struct GNUNET_SET_Element *	element
	)

static

Called when a new partial decryption arrives.

Definition at line 1911 of file gnunet-service-secretsharing.c.

References GNUNET_SECRETSHARING_Ciphertext::c1_bits, ciphertext, GNUNET_SECRETSHARING_DecryptData::ciphertext, DecryptSession::ciphertext, cleanup(), GNUNET_SET_Element::data, elgamal_g, elgamal_p, get_decrypt_peer_info(), GNUNET_assert, GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_ERROR_TYPE_ERROR, GNUNET_ERROR_TYPE_WARNING, GNUNET_free, GNUNET_i2s(), GNUNET_log, GNUNET_memcmp, GNUNET_SECRETSHARING_ELGAMAL_BITS, DecryptSession::info, mpi_to_str(), GNUNET_SECRETSHARING_Share::my_peer, DecryptPeerInfo::partial_decryption, GNUNET_SECRETSHARING_DecryptData::peer, DecryptSession::share, KeygenPeerInfo::sigma, GNUNET_SECRETSHARING_Share::sigmas, and GNUNET_SET_Element::size.

Referenced by handle_client_decrypt().

 {
   struct DecryptSession *session = cls;
   const struct GNUNET_SECRETSHARING_DecryptData *d;
   struct DecryptPeerInfo *info;
   struct GNUNET_HashCode challenge_hash;
 
   /* nizk response */
   gcry_mpi_t r;
   /* nizk challenge */
   gcry_mpi_t challenge;
   /* nizk commit1, g^\beta */
   gcry_mpi_t commit1;
   /* nizk commit2, c_1^\beta */
   gcry_mpi_t commit2;
   /* homomorphic commitment to the peer's share,
    * public key share */
   gcry_mpi_t sigma;
   /* partial decryption we received */
   gcry_mpi_t w;
   /* ciphertext component #1 */
   gcry_mpi_t c1;
   /* temporary variable (for comparision) #1 */
   gcry_mpi_t tmp1;
   /* temporary variable (for comparision) #2 */
   gcry_mpi_t tmp2;
 
   if (NULL == element)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decryption failed\n");
     /* FIXME: destroy */
     return;
   }
 
   if (element->size != sizeof *d)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "element of wrong size in decrypt consensus\n");
     return;
   }
 
   d = element->data;
 
   info = get_decrypt_peer_info (session, &d->peer);
 
   if (NULL == info)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "decrypt element from invalid peer (%s)\n",
                 GNUNET_i2s (&d->peer));
     return;
   }
 
   if (NULL != info->partial_decryption)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n");
     return;
   }
 
   if (0 != GNUNET_memcmp (&d->ciphertext, &session->ciphertext))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "P%u: got decrypt element with non-matching ciphertext from P%u\n",
                 (unsigned int) session->share->my_peer, (unsigned int) (info
                                                                         -
                                                                         session
                                                                         ->info));
 
     return;
   }
 
 
   GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData,
                                 ciphertext) + (char *) d,
                       offsetof (struct GNUNET_SECRETSHARING_DecryptData,
                                 nizk_response)
                       - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
                                   ciphertext),
                       &challenge_hash);
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
                                    sizeof(struct GNUNET_HashCode));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&sigma, &session->share->sigmas[info
                                                                    - session->
                                                                    info],
                                    sizeof(struct
                                           GNUNET_SECRETSHARING_FieldElement));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&c1, session->ciphertext.c1_bits,
                                    sizeof(struct
                                           GNUNET_SECRETSHARING_FieldElement));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&commit1, &d->nizk_commit1,
                                    sizeof(struct
                                           GNUNET_SECRETSHARING_FieldElement));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&commit2, &d->nizk_commit2,
                                    sizeof(struct
                                           GNUNET_SECRETSHARING_FieldElement));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&r, &d->nizk_response,
                                    sizeof(struct
                                           GNUNET_SECRETSHARING_FieldElement));
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&w, &d->partial_decryption,
                                    sizeof(struct
                                           GNUNET_SECRETSHARING_FieldElement));
 
   GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
 
   // tmp1 = g^r
   gcry_mpi_powm (tmp1, elgamal_g, r, elgamal_p);
 
   // tmp2 = g^\beta * \sigma^challenge
   gcry_mpi_powm (tmp2, sigma, challenge, elgamal_p);
   gcry_mpi_mulm (tmp2, tmp2, commit1, elgamal_p);
 
   if (0 != gcry_mpi_cmp (tmp1, tmp2))
   {
     char *tmp1_str;
     char *tmp2_str;
 
     tmp1_str = mpi_to_str (tmp1);
     tmp2_str = mpi_to_str (tmp2);
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "P%u: Received invalid partial decryption from P%u (eqn 1), expected %s got %s\n",
                 session->share->my_peer,
                 (unsigned int) (info - session->info),
                 tmp1_str,
                 tmp2_str);
     GNUNET_free (tmp1_str);
     GNUNET_free (tmp2_str);
     goto cleanup;
   }
 
 
   gcry_mpi_powm (tmp1, c1, r, elgamal_p);
 
   gcry_mpi_powm (tmp2, w, challenge, elgamal_p);
   gcry_mpi_mulm (tmp2, tmp2, commit2, elgamal_p);
 
 
   if (0 != gcry_mpi_cmp (tmp1, tmp2))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 "P%u: Received invalid partial decryption from P%u (eqn 2)\n",
                 session->share->my_peer,
                 (unsigned int) (info - session->info));
     goto cleanup;
   }
 
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption,
                                    &d->partial_decryption,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 cleanup:
   gcry_mpi_release (tmp1);
   gcry_mpi_release (tmp2);
   gcry_mpi_release (sigma);
   gcry_mpi_release (commit1);
   gcry_mpi_release (commit2);
   gcry_mpi_release (r);
   gcry_mpi_release (w);
   gcry_mpi_release (challenge);
   gcry_mpi_release (c1);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ insert_decrypt_element()

static void insert_decrypt_element ( struct DecryptSession * ds )

static

Definition at line 2083 of file gnunet-service-secretsharing.c.

Referenced by handle_client_decrypt().

 {
   struct GNUNET_SECRETSHARING_DecryptData d;
   struct GNUNET_SET_Element element;
   /* our share */
   gcry_mpi_t s;
   /* partial decryption with our share */
   gcry_mpi_t w;
   /* first component of the elgamal ciphertext */
   gcry_mpi_t c1;
   /* nonce for dlog zkp */
   gcry_mpi_t beta;
   gcry_mpi_t tmp;
   gcry_mpi_t challenge;
   gcry_mpi_t sigma;
   struct GNUNET_HashCode challenge_hash;
 
   /* make vagrind happy until we implement the real deal ... */
   memset (&d, 0, sizeof d);
 
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n",
               ds->share->my_peer);
 
   GNUNET_assert (ds->share->my_peer < ds->share->num_peers);
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&c1, &ds->ciphertext.c1_bits,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&s, &ds->share->my_share,
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
   GNUNET_CRYPTO_mpi_scan_unsigned (&sigma,
                                    &ds->share->sigmas[ds->share->my_peer],
                                    GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
 
   GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (beta = gcry_mpi_new (0)));
   GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
 
   // FIXME: unnecessary, remove once crypto works
   gcry_mpi_powm (tmp, elgamal_g, s, elgamal_p);
   if (0 != gcry_mpi_cmp (tmp, sigma))
   {
     char *sigma_str = mpi_to_str (sigma);
     char *tmp_str = mpi_to_str (tmp);
     char *s_str = mpi_to_str (s);
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "Share of P%u is invalid, ref sigma %s, "
                 "computed sigma %s, s %s\n",
                 ds->share->my_peer,
                 sigma_str, tmp_str, s_str);
     GNUNET_free (sigma_str);
     GNUNET_free (tmp_str);
     GNUNET_free (s_str);
   }
 
   gcry_mpi_powm (w, c1, s, elgamal_p);
 
   element.data = (void *) &d;
   element.size = sizeof(struct GNUNET_SECRETSHARING_DecryptData);
   element.element_type = 0;
 
   d.ciphertext = ds->ciphertext;
   d.peer = my_peer;
   GNUNET_CRYPTO_mpi_print_unsigned (&d.partial_decryption,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, w);
 
   // create the zero knowledge proof
   // randomly choose beta such that 0 < beta < q
   do
   {
     gcry_mpi_randomize (beta, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
                         GCRY_WEAK_RANDOM);
   }
   while ((gcry_mpi_cmp_ui (beta, 0) == 0) || (gcry_mpi_cmp (beta, elgamal_q) >=
                                               0));
   // tmp = g^beta
   gcry_mpi_powm (tmp, elgamal_g, beta, elgamal_p);
   GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit1,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
   // tmp = (c_1)^beta
   gcry_mpi_powm (tmp, c1, beta, elgamal_p);
   GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit2,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
 
   // the challenge is the hash of everything up to the response
   GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData,
                                 ciphertext) + (char *) &d,
                       offsetof (struct GNUNET_SECRETSHARING_DecryptData,
                                 nizk_response)
                       - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
                                   ciphertext),
                       &challenge_hash);
 
   GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
                                    sizeof(struct GNUNET_HashCode));
 
   // compute the response in tmp,
   // tmp = (c * s + beta) mod q
   gcry_mpi_mulm (tmp, challenge, s, elgamal_q);
   gcry_mpi_addm (tmp, tmp, beta, elgamal_q);
 
   GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_response,
                                     GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
 
   d.purpose.size = htonl (element.size - offsetof (struct
                                                    GNUNET_SECRETSHARING_DecryptData,
                                                    purpose));
   d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
 
   GNUNET_assert (GNUNET_OK ==
                  GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key,
                                             &d.purpose,
                                             &d.signature));
 
   GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "P%u: Inserting decrypt element done!\n",
               ds->share->my_peer);
 
   gcry_mpi_release (s);
   gcry_mpi_release (w);
   gcry_mpi_release (c1);
   gcry_mpi_release (beta);
   gcry_mpi_release (tmp);
   gcry_mpi_release (challenge);
   gcry_mpi_release (sigma);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ check_client_decrypt()

static int check_client_decrypt	(	void *	cls,
		const struct GNUNET_SECRETSHARING_DecryptRequestMessage *	msg
	)

static

Check that msg is well-formed.

Parameters

cls	identification of the client
msg	the actual message

Returns: GNUNET_OK (check deferred a bit)

Definition at line 2219 of file gnunet-service-secretsharing.c.

References GNUNET_OK.

 {
   /* we check later, it's complicated */
   return GNUNET_OK;
 }

◆ handle_client_decrypt()

static void handle_client_decrypt	(	void *	cls,
		const struct GNUNET_SECRETSHARING_DecryptRequestMessage *	msg
	)

static

Functions with this signature are called whenever a message is received.

Parameters

cls	identification of the client
msg	the actual message

Definition at line 2236 of file gnunet-service-secretsharing.c.

 {
   struct ClientState *cs = cls;
   struct DecryptSession *ds;
   struct GNUNET_HashCode session_id;
 
   if (NULL != cs->decrypt_session)
   {
     GNUNET_break (0);
     GNUNET_SERVICE_client_drop (cs->client);
     return;
   }
   ds = GNUNET_new (struct DecryptSession);
   cs->decrypt_session = ds;
   ds->cs = cs;
   ds->start = GNUNET_TIME_absolute_ntoh (msg->start);
   ds->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline);
   ds->ciphertext = msg->ciphertext;
 
   ds->share = GNUNET_SECRETSHARING_share_read (&msg[1],
                                                ntohs (msg->header.size)
                                                - sizeof(*msg),
                                                NULL);
   if (NULL == ds->share)
   {
     GNUNET_break (0);
     GNUNET_SERVICE_client_drop (cs->client);
     return;
   }
 
   /* FIXME: this is probably sufficient, but kdf/hash with all values would be nicer ... */
   GNUNET_CRYPTO_hash (&msg->ciphertext,
                       sizeof(struct GNUNET_SECRETSHARING_Ciphertext),
                       &session_id);
   ds->consensus = GNUNET_CONSENSUS_create (cfg,
                                            ds->share->num_peers,
                                            ds->share->peers,
                                            &session_id,
                                            ds->start,
                                            ds->deadline,
                                            &decrypt_new_element,
                                            ds);
 
 
   ds->info = GNUNET_new_array (ds->share->num_peers,
                                struct DecryptPeerInfo);
   for (unsigned int i = 0; i < ds->share->num_peers; i++)
   {
     ds->info[i].peer = ds->share->peers[i];
     ds->info[i].original_index = ds->share->original_indices[i];
   }
   insert_decrypt_element (ds);
   GNUNET_CONSENSUS_conclude (ds->consensus,
                              decrypt_conclude,
                              ds);
   GNUNET_SERVICE_client_continue (cs->client);
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
               "decrypting with %u peers\n",
               ds->share->num_peers);
 }

Here is the call graph for this function:

◆ init_crypto_constants()

static void init_crypto_constants ( void )

static

Definition at line 2301 of file gnunet-service-secretsharing.c.

References elgamal_g, elgamal_p, elgamal_q, GNUNET_assert, GNUNET_SECRETSHARING_ELGAMAL_G_HEX, GNUNET_SECRETSHARING_ELGAMAL_P_HEX, and GNUNET_SECRETSHARING_ELGAMAL_Q_HEX.

Referenced by run().

 {
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
                                      GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0,
                                      NULL));
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
                                      GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0,
                                      NULL));
   GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
                                      GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0,
                                      NULL));
 }

Here is the caller graph for this function:

◆ run()

static void run	(	void *	cls,
		const struct GNUNET_CONFIGURATION_Handle *	c,
		struct GNUNET_SERVICE_Handle *	service
	)

static

Initialize secretsharing service.

Parameters

cls	closure
c	configuration to use
service	the initialized service

Definition at line 2323 of file gnunet-service-secretsharing.c.

References cleanup_task(), GNUNET_break, GNUNET_CRYPTO_eddsa_key_create_from_configuration(), GNUNET_CRYPTO_get_peer_identity(), GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, GNUNET_SCHEDULER_add_shutdown(), GNUNET_SCHEDULER_shutdown(), init_crypto_constants(), and my_peer.

Referenced by client_disconnect_cb().

 {
   cfg = c;
   my_peer_private_key = GNUNET_CRYPTO_eddsa_key_create_from_configuration (c);
   if (NULL == my_peer_private_key)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "could not access host private key\n");
     GNUNET_break (0);
     GNUNET_SCHEDULER_shutdown ();
     return;
   }
   init_crypto_constants ();
   if (GNUNET_OK !=
       GNUNET_CRYPTO_get_peer_identity (cfg,
                                        &my_peer))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 "could not retrieve host identity\n");
     GNUNET_break (0);
     GNUNET_SCHEDULER_shutdown ();
     return;
   }
   GNUNET_SCHEDULER_add_shutdown (&cleanup_task,
                                  NULL);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ client_connect_cb()

static void* client_connect_cb	(	void *	cls,
		struct GNUNET_SERVICE_Client *	c,
		struct GNUNET_MQ_Handle *	mq
	)

static

Callback called when a client connects to the service.

Parameters

cls	closure for the service
c	the new client that connected to the service
mq	the message queue used to send messages to the client

Returns: c

Definition at line 2362 of file gnunet-service-secretsharing.c.

References ClientState::client, GNUNET_new, mq, and ClientState::mq.

Referenced by client_disconnect_cb().

 {
   struct ClientState *cs = GNUNET_new (struct ClientState);;
 
   cs->client = c;
   cs->mq = mq;
   return cs;
 }

Here is the caller graph for this function:

◆ client_disconnect_cb()

static void client_disconnect_cb	(	void *	cls,
		struct GNUNET_SERVICE_Client *	c,
		void *	internal_cls
	)

static

Callback called when a client disconnected from the service.

Parameters

cls	closure for the service
c	the client that disconnected
internal_cls	should be equal to c

Definition at line 2382 of file gnunet-service-secretsharing.c.

References client_connect_cb(), ClientState::decrypt_session, decrypt_session_destroy(), GNUNET_free, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE, GNUNET_MQ_handler_end, GNUNET_MQ_hd_var_size, GNUNET_SERVICE_MAIN(), GNUNET_SERVICE_OPTION_NONE, ClientState::keygen_session, keygen_session_destroy(), and run().

 {
   struct ClientState *cs = internal_cls;
 
   if (NULL != cs->keygen_session)
     keygen_session_destroy (cs->keygen_session);
 
   if (NULL != cs->decrypt_session)
     decrypt_session_destroy (cs->decrypt_session);
   GNUNET_free (cs);
 }

Here is the call graph for this function:

◆ GNUNET_SERVICE_MAIN()

GNUNET_SERVICE_MAIN	(	"secretsharing"	,
		GNUNET_SERVICE_OPTION_NONE	,
		&	run,
		&	client_connect_cb,
		&	client_disconnect_cb,
		NULL	,
		GNUNET_MQ_hd_var_size(client_keygen, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE, struct GNUNET_SECRETSHARING_CreateMessage, NULL)	,
		GNUNET_MQ_hd_var_size(client_decrypt, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT, struct GNUNET_SECRETSHARING_DecryptRequestMessage, NULL)	,
		GNUNET_MQ_handler_end()
	)