GNUnet  0.11.x
gnunet-service-secretsharing.c
Go to the documentation of this file.
1 /*
2  This file is part of GNUnet.
3  Copyright (C) 2013 GNUnet e.V.
4 
5  GNUnet is free software: you can redistribute it and/or modify it
6  under the terms of the GNU Affero General Public License as published
7  by the Free Software Foundation, either version 3 of the License,
8  or (at your option) any later version.
9 
10  GNUnet is distributed in the hope that it will be useful, but
11  WITHOUT ANY WARRANTY; without even the implied warranty of
12  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13  Affero General Public License for more details.
14 
15  You should have received a copy of the GNU Affero General Public License
16  along with this program. If not, see <http://www.gnu.org/licenses/>.
17 
18  SPDX-License-Identifier: AGPL3.0-or-later
19  */
20 
26 #include "platform.h"
27 #include "gnunet_util_lib.h"
28 #include "gnunet_time_lib.h"
29 #include "gnunet_signatures.h"
31 #include "secretsharing.h"
32 #include "secretsharing_protocol.h"
33 #include <gcrypt.h>
34 
35 
36 #define EXTRA_CHECKS 1
37 
38 
43 {
48 
54 
59 
64  gcry_mpi_t preshare_commitment;
65 
69  gcry_mpi_t sigma;
70 
76 
82 };
83 
84 
89 {
94 
99  unsigned int original_index;
100 
107  gcry_mpi_t partial_decryption;
108 };
109 
110 
114 struct ClientState;
115 
116 
121 {
126 
130  struct ClientState *cs;
131 
141  gcry_mpi_t *presecret_polynomial;
142 
148  unsigned int threshold;
149 
153  unsigned int num_peers;
154 
158  unsigned int local_peer;
159 
165 
170 
175 
179  struct GNUNET_CRYPTO_PaillierPrivateKey paillier_private_key;
180 
185 
191 
196  unsigned int local_peer_idx;
197 
202  gcry_mpi_t my_share;
203 
207  gcry_mpi_t public_key;
208 };
209 
210 
215 {
220 
224  struct ClientState *cs;
225 
230 
236 
241 
248 
253 };
254 
255 
260 {
265 
270 
275 
280 };
281 
282 
287 static gcry_mpi_t elgamal_q;
288 
293 static gcry_mpi_t elgamal_p;
294 
299 static gcry_mpi_t elgamal_g;
300 
305 
310 
314 static const struct GNUNET_CONFIGURATION_Handle *cfg;
315 
316 
324 static struct KeygenPeerInfo *
326  const struct GNUNET_PeerIdentity *peer)
327 {
328  unsigned int i;
329 
330  for (i = 0; i < ks->num_peers; i++)
331  if (0 == GNUNET_memcmp (peer, &ks->info[i].peer))
332  return &ks->info[i];
333  return NULL;
334 }
335 
336 
344 static struct DecryptPeerInfo *
346  const struct GNUNET_PeerIdentity *peer)
347 {
348  unsigned int i;
349 
350  for (i = 0; i < ds->share->num_peers; i++)
351  if (0 == GNUNET_memcmp (peer, &ds->info[i].peer))
352  return &ds->info[i];
353  return NULL;
354 }
355 
356 
365 static struct GNUNET_TIME_Absolute
367  struct GNUNET_TIME_Absolute end,
368  int num, int denum)
369 {
370  struct GNUNET_TIME_Absolute result;
371  uint64_t diff;
372 
373  GNUNET_assert (start.abs_value_us <= end.abs_value_us);
374  diff = end.abs_value_us - start.abs_value_us;
375  result.abs_value_us = start.abs_value_us + ((diff * num) / denum);
376 
377  return result;
378 }
379 
380 
388 static int
389 peer_id_cmp (const void *p1, const void *p2)
390 {
391  return memcmp (p1,
392  p2,
393  sizeof(struct GNUNET_PeerIdentity));
394 }
395 
396 
406 static int
407 peer_find (const struct GNUNET_PeerIdentity *haystack, unsigned int n,
408  const struct GNUNET_PeerIdentity *needle)
409 {
410  unsigned int i;
411 
412  for (i = 0; i < n; i++)
413  if (0 == GNUNET_memcmp (&haystack[i],
414  needle))
415  return i;
416  return -1;
417 }
418 
419 
430 static struct GNUNET_PeerIdentity *
432  unsigned int num_listed,
433  unsigned int *num_normalized,
434  unsigned int *my_peer_idx)
435 {
436  unsigned int local_peer_in_list;
437  /* number of peers in the normalized list */
438  unsigned int n;
439  struct GNUNET_PeerIdentity *normalized;
440 
441  local_peer_in_list = GNUNET_YES;
442  n = num_listed;
443  if (peer_find (listed, num_listed, &my_peer) < 0)
444  {
445  local_peer_in_list = GNUNET_NO;
446  n += 1;
447  }
448 
449  normalized = GNUNET_new_array (n,
450  struct GNUNET_PeerIdentity);
451 
452  if (GNUNET_NO == local_peer_in_list)
453  normalized[n - 1] = my_peer;
454 
455  GNUNET_memcpy (normalized,
456  listed,
457  num_listed * sizeof(struct GNUNET_PeerIdentity));
458  qsort (normalized,
459  n,
460  sizeof(struct GNUNET_PeerIdentity),
461  &peer_id_cmp);
462 
463  if (NULL != my_peer_idx)
464  *my_peer_idx = peer_find (normalized, n, &my_peer);
465  if (NULL != num_normalized)
466  *num_normalized = n;
467 
468  return normalized;
469 }
470 
471 
480 static void
481 compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
482  unsigned int *indices,
483  unsigned int num)
484 {
485  unsigned int i;
486  /* numerator */
487  gcry_mpi_t n;
488  /* denominator */
489  gcry_mpi_t d;
490  /* temp value for l-j */
491  gcry_mpi_t tmp;
492 
493  GNUNET_assert (0 != coeff);
494 
495  GNUNET_assert (0 != (n = gcry_mpi_new (0)));
496  GNUNET_assert (0 != (d = gcry_mpi_new (0)));
497  GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
498 
499  gcry_mpi_set_ui (n, 1);
500  gcry_mpi_set_ui (d, 1);
501 
502  for (i = 0; i < num; i++)
503  {
504  unsigned int l = indices[i];
505  if (l == j)
506  continue;
507  gcry_mpi_mul_ui (n, n, l + 1);
508  // d <- d * (l-j)
509  gcry_mpi_set_ui (tmp, l + 1);
510  gcry_mpi_sub_ui (tmp, tmp, j + 1);
511  gcry_mpi_mul (d, d, tmp);
512  }
513 
514  // gcry_mpi_invm does not like negative numbers ...
515  gcry_mpi_mod (d, d, elgamal_q);
516 
517  GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0);
518 
519  // now we do the actual division, with everything mod q, as we
520  // are not operating on elements from <g>, but on exponents
521  GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q));
522 
523  gcry_mpi_mulm (coeff, n, d, elgamal_q);
524 
525  gcry_mpi_release (n);
526  gcry_mpi_release (d);
527  gcry_mpi_release (tmp);
528 }
529 
530 
537 static void
539 {
541  "destroying decrypt session\n");
542  if (NULL != ds->cs)
543  {
544  ds->cs->decrypt_session = NULL;
545  ds->cs = NULL;
546  }
547  if (NULL != ds->consensus)
548  {
550  ds->consensus = NULL;
551  }
552 
553  if (NULL != ds->info)
554  {
555  for (unsigned int i = 0; i < ds->share->num_peers; i++)
556  {
557  if (NULL != ds->info[i].partial_decryption)
558  {
559  gcry_mpi_release (ds->info[i].partial_decryption);
560  ds->info[i].partial_decryption = NULL;
561  }
562  }
563  GNUNET_free (ds->info);
564  ds->info = NULL;
565  }
566  if (NULL != ds->share)
567  {
569  ds->share = NULL;
570  }
571 
572  GNUNET_free (ds);
573 }
574 
575 
576 static void
578 {
579  if (NULL != info->sigma)
580  {
581  gcry_mpi_release (info->sigma);
582  info->sigma = NULL;
583  }
584  if (NULL != info->presecret_commitment)
585  {
586  gcry_mpi_release (info->presecret_commitment);
587  info->presecret_commitment = NULL;
588  }
589  if (NULL != info->preshare_commitment)
590  {
591  gcry_mpi_release (info->preshare_commitment);
592  info->preshare_commitment = NULL;
593  }
594 }
595 
596 
597 static void
599 {
601  "destroying keygen session\n");
602 
603  if (NULL != ks->cs)
604  {
605  ks->cs->keygen_session = NULL;
606  ks->cs = NULL;
607  }
608  if (NULL != ks->info)
609  {
610  for (unsigned int i = 0; i < ks->num_peers; i++)
611  keygen_info_destroy (&ks->info[i]);
612  GNUNET_free (ks->info);
613  ks->info = NULL;
614  }
615 
616  if (NULL != ks->consensus)
617  {
619  ks->consensus = NULL;
620  }
621 
622  if (NULL != ks->presecret_polynomial)
623  {
624  for (unsigned int i = 0; i < ks->threshold; i++)
625  {
626  GNUNET_assert (NULL != ks->presecret_polynomial[i]);
627  gcry_mpi_release (ks->presecret_polynomial[i]);
628  ks->presecret_polynomial[i] = NULL;
629  }
631  ks->presecret_polynomial = NULL;
632  }
633  if (NULL != ks->my_share)
634  {
635  gcry_mpi_release (ks->my_share);
636  ks->my_share = NULL;
637  }
638  if (NULL != ks->public_key)
639  {
640  gcry_mpi_release (ks->public_key);
641  ks->public_key = NULL;
642  }
643  if (NULL != ks->peers)
644  {
645  GNUNET_free (ks->peers);
646  ks->peers = NULL;
647  }
648  GNUNET_free (ks);
649 }
650 
651 
658 static void
659 cleanup_task (void *cls)
660 {
661  /* Nothing to do! */
662 }
663 
664 
670 static void
672 {
673  int i;
674  gcry_mpi_t v;
675 
676  GNUNET_assert (NULL == ks->presecret_polynomial);
678  gcry_mpi_t);
679  for (i = 0; i < ks->threshold; i++)
680  {
681  v = ks->presecret_polynomial[i] = gcry_mpi_new (
683  GNUNET_assert (NULL != v);
684  // Randomize v such that 0 < v < elgamal_q.
685  // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
686  do
687  {
688  gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
689  GCRY_WEAK_RANDOM);
690  }
691  while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
692  }
693 }
694 
695 
704 static void
706  const struct GNUNET_SET_Element *element)
707 {
709  struct KeygenSession *ks = cls;
710  struct KeygenPeerInfo *info;
711 
712  if (NULL == element)
713  {
714  GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round1 consensus failed\n");
715  return;
716  }
717 
718  /* elements have fixed size */
719  if (element->size != sizeof(struct GNUNET_SECRETSHARING_KeygenCommitData))
720  {
722  "keygen commit data with wrong size (%u) in consensus, %u expected\n",
723  (unsigned int) element->size,
724  (unsigned int) sizeof(struct
726  return;
727  }
728 
729  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n");
730 
731  d = element->data;
732  info = get_keygen_peer_info (ks, &d->peer);
733 
734  if (NULL == info)
735  {
737  "keygen commit data with wrong peer identity (%s) in consensus\n",
738  GNUNET_i2s (&d->peer));
739  return;
740  }
741 
742  /* Check that the right amount of data has been signed. */
743  if (d->purpose.size !=
744  htonl (element->size - offsetof (struct
746  purpose)))
747  {
749  "keygen commit data with wrong signature purpose size in consensus\n");
750  return;
751  }
752 
755  &d->purpose, &d->signature,
756  &d->peer.public_key))
757  {
759  "keygen commit data with invalid signature in consensus\n");
760  return;
761  }
762  info->paillier_public_key = d->pubkey;
764  512 / 8);
765  info->round1_valid = GNUNET_YES;
766 }
767 
768 
779 static void
780 horner_eval (gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t
781  x, gcry_mpi_t m)
782 {
783  unsigned int i;
784 
785  gcry_mpi_set_ui (z, 0);
786  for (i = 0; i < num_coeff; i++)
787  {
788  // z <- zx + c
789  gcry_mpi_mul (z, z, x);
790  gcry_mpi_addm (z, z, coeff[num_coeff - i - 1], m);
791  }
792 }
793 
794 
795 static void
797 {
798  struct KeygenSession *ks = cls;
800  struct GNUNET_MQ_Envelope *ev;
801  size_t share_size;
802  unsigned int i;
803  unsigned int j;
804  struct GNUNET_SECRETSHARING_Share *share;
805 
806  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
807 
809  ks->consensus = NULL;
810 
811  share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
812 
813  share->num_peers = 0;
814 
815  for (i = 0; i < ks->num_peers; i++)
816  if (GNUNET_YES == ks->info[i].round2_valid)
817  share->num_peers++;
818 
819  share->peers = GNUNET_new_array (share->num_peers,
820  struct GNUNET_PeerIdentity);
821  share->sigmas =
822  GNUNET_new_array (share->num_peers,
825  uint16_t);
826 
827  /* maybe we're not even in the list of peers? */
828  share->my_peer = share->num_peers;
829 
830  j = 0; /* running index of valid peers */
831  for (i = 0; i < ks->num_peers; i++)
832  {
833  if (GNUNET_YES == ks->info[i].round2_valid)
834  {
835  share->peers[j] = ks->info[i].peer;
838  ks->info[i].sigma);
839  share->original_indices[i] = j;
840  if (0 == GNUNET_memcmp (&share->peers[i], &my_peer))
841  share->my_peer = j;
842  j += 1;
843  }
844  }
845 
846  if (share->my_peer == share->num_peers)
847  {
848  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: peer identity not in share\n",
849  ks->local_peer_idx);
850  }
851 
854  ks->my_share);
857  ks->public_key);
858 
859  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n",
860  share->num_peers);
861 
862  /* Write the share. If 0 peers completed the dkg, an empty
863  * share will be sent. */
864 
866  &share_size));
867 
868  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "writing share of size %u\n",
869  (unsigned int) share_size);
870 
871  ev = GNUNET_MQ_msg_extra (m, share_size,
873 
875  share_size,
876  NULL));
877 
879  share = NULL;
880 
881  GNUNET_MQ_send (ks->cs->mq,
882  ev);
883 }
884 
885 
886 static void
888  const struct GNUNET_SECRETSHARING_FairEncryption *fe,
889  gcry_mpi_t x, gcry_mpi_t xres)
890 {
891  gcry_mpi_t a_1;
892  gcry_mpi_t a_2;
893  gcry_mpi_t b_1;
894  gcry_mpi_t b_2;
895  gcry_mpi_t big_a;
896  gcry_mpi_t big_b;
897  gcry_mpi_t big_t;
898  gcry_mpi_t n;
899  gcry_mpi_t t_1;
900  gcry_mpi_t t_2;
901  gcry_mpi_t t;
902  gcry_mpi_t r;
903  gcry_mpi_t v;
904 
905 
906  GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
907  GNUNET_assert (NULL != (t = gcry_mpi_new (0)));
908  GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0)));
909  GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0)));
910  GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
911  GNUNET_assert (NULL != (big_t = gcry_mpi_new (0)));
912  GNUNET_assert (NULL != (v = gcry_mpi_new (0)));
913  GNUNET_assert (NULL != (big_a = gcry_mpi_new (0)));
914  GNUNET_assert (NULL != (big_b = gcry_mpi_new (0)));
915 
916  // a = (N,0)^T
918  ppub,
919  sizeof(struct
921  GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0)));
922  gcry_mpi_set_ui (a_2, 0);
923  // b = (x,1)^T
924  GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0)));
925  gcry_mpi_set (b_1, x);
926  GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0)));
927  gcry_mpi_set_ui (b_2, 1);
928 
929  // A = a DOT a
930  gcry_mpi_mul (t, a_1, a_1);
931  gcry_mpi_mul (big_a, a_2, a_2);
932  gcry_mpi_add (big_a, big_a, t);
933 
934  // B = b DOT b
935  gcry_mpi_mul (t, b_1, b_1);
936  gcry_mpi_mul (big_b, b_2, b_2);
937  gcry_mpi_add (big_b, big_b, t);
938 
939  while (1)
940  {
941  // n = a DOT b
942  gcry_mpi_mul (t, a_1, b_1);
943  gcry_mpi_mul (n, a_2, b_2);
944  gcry_mpi_add (n, n, t);
945 
946  // r = nearest(n/B)
947  gcry_mpi_div (r, NULL, n, big_b, 0);
948 
949  // T := A - 2rn + rrB
950  gcry_mpi_mul (v, r, n);
951  gcry_mpi_mul_ui (v, v, 2);
952  gcry_mpi_sub (big_t, big_a, v);
953  gcry_mpi_mul (v, r, r);
954  gcry_mpi_mul (v, v, big_b);
955  gcry_mpi_add (big_t, big_t, v);
956 
957  if (gcry_mpi_cmp (big_t, big_b) >= 0)
958  {
959  break;
960  }
961 
962  // t = a - rb
963  gcry_mpi_mul (v, r, b_1);
964  gcry_mpi_sub (t_1, a_1, v);
965  gcry_mpi_mul (v, r, b_2);
966  gcry_mpi_sub (t_2, a_2, v);
967 
968  // a = b
969  gcry_mpi_set (a_1, b_1);
970  gcry_mpi_set (a_2, b_2);
971  // b = t
972  gcry_mpi_set (b_1, t_1);
973  gcry_mpi_set (b_2, t_2);
974 
975  gcry_mpi_set (big_a, big_b);
976  gcry_mpi_set (big_b, big_t);
977  }
978 
979  gcry_mpi_set (xres, b_2);
980  gcry_mpi_invm (xres, xres, elgamal_q);
981  gcry_mpi_mulm (xres, xres, b_1, elgamal_q);
982 
983  gcry_mpi_release (a_1);
984  gcry_mpi_release (a_2);
985  gcry_mpi_release (b_1);
986  gcry_mpi_release (b_2);
987  gcry_mpi_release (big_a);
988  gcry_mpi_release (big_b);
989  gcry_mpi_release (big_t);
990  gcry_mpi_release (n);
991  gcry_mpi_release (t_1);
992  gcry_mpi_release (t_2);
993  gcry_mpi_release (t);
994  gcry_mpi_release (r);
995  gcry_mpi_release (v);
996 }
997 
998 
999 static void
1002  gcry_mpi_t *e)
1003 {
1004  struct
1005  {
1008  char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1009  char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
1010  } hash_data;
1011  struct GNUNET_HashCode e_hash;
1012 
1013  memset (&hash_data,
1014  0,
1015  sizeof(hash_data));
1016  GNUNET_memcpy (&hash_data.c, &fe->c, sizeof(struct
1018  GNUNET_memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1019  GNUNET_memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1020  GNUNET_memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
1021  GNUNET_CRYPTO_hash (&hash_data,
1022  sizeof(hash_data),
1023  &e_hash);
1024  /* This allocates "e" */
1026  &e_hash,
1027  sizeof(struct GNUNET_HashCode));
1028  gcry_mpi_mod (*e, *e, elgamal_q);
1029 }
1030 
1031 
1032 static int
1034  const struct GNUNET_SECRETSHARING_FairEncryption *fe)
1035 {
1036  gcry_mpi_t n;
1037  gcry_mpi_t n_sq;
1038  gcry_mpi_t z;
1039  gcry_mpi_t t1;
1040  gcry_mpi_t t2;
1041  gcry_mpi_t e;
1042  gcry_mpi_t w;
1043  gcry_mpi_t tmp1;
1044  gcry_mpi_t tmp2;
1045  gcry_mpi_t y;
1046  gcry_mpi_t big_y;
1047  int res;
1048 
1049  GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
1050  GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
1051  GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
1052 
1054  &e /* this allocates e */);
1055 
1057  ppub,
1058  sizeof(struct
1061  / 8);
1067  GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits,
1068  GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
1070  * 2 / 8);
1071  gcry_mpi_mul (n_sq, n, n);
1072 
1073  // tmp1 = g^z
1074  gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p);
1075  // tmp2 = y^{-e}
1076  gcry_mpi_powm (tmp1, y, e, elgamal_p);
1077  gcry_mpi_invm (tmp1, tmp1, elgamal_p);
1078  // tmp1 = tmp1 * tmp2
1079  gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p);
1080 
1081  if (0 == gcry_mpi_cmp (t1, tmp1))
1082  {
1083  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n");
1084  res = GNUNET_NO;
1085  goto cleanup;
1086  }
1087 
1088  gcry_mpi_powm (big_y, big_y, e, n_sq);
1089  gcry_mpi_invm (big_y, big_y, n_sq);
1090 
1091  gcry_mpi_add_ui (tmp1, n, 1);
1092  gcry_mpi_powm (tmp1, tmp1, z, n_sq);
1093 
1094  gcry_mpi_powm (tmp2, w, n, n_sq);
1095 
1096  gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq);
1097  gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq);
1098 
1099 
1100  if (0 == gcry_mpi_cmp (t2, tmp1))
1101  {
1102  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n");
1103  res = GNUNET_NO;
1104  goto cleanup;
1105  }
1106 
1107  res = GNUNET_YES;
1108 
1109 cleanup:
1110 
1111  gcry_mpi_release (n);
1112  gcry_mpi_release (n_sq);
1113  gcry_mpi_release (z);
1114  gcry_mpi_release (t1);
1115  gcry_mpi_release (t2);
1116  gcry_mpi_release (e);
1117  gcry_mpi_release (w);
1118  gcry_mpi_release (tmp1);
1119  gcry_mpi_release (tmp2);
1120  gcry_mpi_release (y);
1121  gcry_mpi_release (big_y);
1122  return res;
1123 }
1124 
1125 
1132 static void
1133 encrypt_fair (gcry_mpi_t v,
1134  const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
1136 {
1137  gcry_mpi_t r;
1138  gcry_mpi_t s;
1139  gcry_mpi_t t1;
1140  gcry_mpi_t t2;
1141  gcry_mpi_t z;
1142  gcry_mpi_t w;
1143  gcry_mpi_t n;
1144  gcry_mpi_t e;
1145  gcry_mpi_t n_sq;
1146  gcry_mpi_t u;
1147  gcry_mpi_t Y;
1148  gcry_mpi_t G;
1149  gcry_mpi_t h;
1150 
1151  GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
1152  GNUNET_assert (NULL != (s = gcry_mpi_new (0)));
1153  GNUNET_assert (NULL != (t1 = gcry_mpi_new (0)));
1154  GNUNET_assert (NULL != (t2 = gcry_mpi_new (0)));
1155  GNUNET_assert (NULL != (z = gcry_mpi_new (0)));
1156  GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
1157  GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
1158  GNUNET_assert (NULL != (u = gcry_mpi_new (0)));
1159  GNUNET_assert (NULL != (Y = gcry_mpi_new (0)));
1160  GNUNET_assert (NULL != (G = gcry_mpi_new (0)));
1161  GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
1162 
1164  ppub,
1165  sizeof(struct
1167  gcry_mpi_mul (n_sq, n, n);
1168  gcry_mpi_add_ui (G, n, 1);
1169 
1170  do
1171  {
1172  gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
1173  }
1174  while (gcry_mpi_cmp (u, n) >= 0);
1175 
1176  gcry_mpi_powm (t1, G, v, n_sq);
1177  gcry_mpi_powm (t2, u, n, n_sq);
1178  gcry_mpi_mulm (Y, t1, t2, n_sq);
1179 
1181  sizeof fe->c.bits,
1182  Y);
1183 
1184 
1185  gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM);
1186  do
1187  {
1188  gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
1189  }
1190  while (gcry_mpi_cmp (s, n) >= 0);
1191 
1192  // compute t1
1193  gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p);
1194  // compute t2 (use z and w as temp)
1195  gcry_mpi_powm (z, G, r, n_sq);
1196  gcry_mpi_powm (w, s, n, n_sq);
1197  gcry_mpi_mulm (t2, z, w, n_sq);
1198 
1199 
1200  gcry_mpi_powm (h, elgamal_g, v, elgamal_p);
1201 
1204  h);
1205 
1208  t1);
1209 
1212  t2);
1213 
1215  &e /* This allocates "e" */);
1216 
1217  // compute z
1218  gcry_mpi_mul (z, e, v);
1219  gcry_mpi_addm (z, z, r, elgamal_q);
1220  // compute w
1221  gcry_mpi_powm (w, u, e, n);
1222  gcry_mpi_mulm (w, w, s, n);
1223 
1226  z);
1227 
1230  w);
1231 
1232  gcry_mpi_release (n);
1233  gcry_mpi_release (r);
1234  gcry_mpi_release (s);
1235  gcry_mpi_release (t1);
1236  gcry_mpi_release (t2);
1237  gcry_mpi_release (z);
1238  gcry_mpi_release (w);
1239  gcry_mpi_release (e);
1240  gcry_mpi_release (n_sq);
1241  gcry_mpi_release (u);
1242  gcry_mpi_release (Y);
1243  gcry_mpi_release (G);
1244  gcry_mpi_release (h);
1245 }
1246 
1247 
1258 static void
1260 {
1261  struct GNUNET_SET_Element *element;
1263  unsigned char *pos;
1264  unsigned char *last_pos;
1265  size_t element_size;
1266  unsigned int i;
1267  gcry_mpi_t idx;
1268  gcry_mpi_t v;
1269 
1270  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
1271  ks->local_peer_idx);
1272 
1273  GNUNET_assert (NULL != (v = gcry_mpi_new (
1275  GNUNET_assert (NULL != (idx = gcry_mpi_new (
1277 
1278  element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
1279  + sizeof(struct GNUNET_SECRETSHARING_FairEncryption)
1280  * ks->num_peers
1282 
1283  element = GNUNET_malloc (sizeof(struct GNUNET_SET_Element) + element_size);
1284  element->size = element_size;
1285  element->data = (void *) &element[1];
1286 
1287  d = (void *) element->data;
1288  d->peer = my_peer;
1289 
1290  // start inserting vector elements
1291  // after the fixed part of the element's data
1292  pos = (void *) &d[1];
1293  last_pos = pos + element_size;
1294 
1295  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
1296  ks->local_peer_idx);
1297 
1298  // encrypted pre-shares
1299  // and fair encryption proof
1300  {
1301  for (i = 0; i < ks->num_peers; i++)
1302  {
1303  ptrdiff_t remaining = last_pos - pos;
1304  struct GNUNET_SECRETSHARING_FairEncryption *fe = (void *) pos;
1305 
1306  GNUNET_assert (remaining > 0);
1307  memset (fe, 0, sizeof *fe);
1308  if (GNUNET_YES == ks->info[i].round1_valid)
1309  {
1310  gcry_mpi_set_ui (idx, i + 1);
1311  // evaluate the polynomial
1312  horner_eval (v, ks->presecret_polynomial, ks->threshold, idx,
1313  elgamal_q);
1314  // encrypt the result
1315  encrypt_fair (v, &ks->info[i].paillier_public_key, fe);
1316  }
1317  pos += sizeof *fe;
1318  }
1319  }
1320 
1321  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
1322  ks->local_peer_idx);
1323 
1324  // exponentiated coefficients
1325  for (i = 0; i < ks->threshold; i++)
1326  {
1327  ptrdiff_t remaining = last_pos - pos;
1328  GNUNET_assert (remaining > 0);
1329  gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p);
1331  / 8, v);
1333  }
1334 
1335  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
1336  ks->local_peer_idx);
1337 
1338 
1339  d->purpose.size = htonl (element_size - offsetof (struct
1341  purpose));
1344  GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
1345  &d->purpose,
1346  &d->signature));
1347 
1348  GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
1349  GNUNET_free (element); /* FIXME: maybe stack-allocate instead? */
1350 
1351  gcry_mpi_release (v);
1352  gcry_mpi_release (idx);
1353 }
1354 
1355 
1356 static gcry_mpi_t
1358  const struct
1360  unsigned int idx)
1361 {
1362  unsigned char *pos;
1363  gcry_mpi_t exp_coeff;
1364 
1365  GNUNET_assert (idx < ks->threshold);
1366 
1367  pos = (void *) &d[1];
1368  // skip encrypted pre-shares
1369  pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers;
1370  // skip exp. coeffs we are not interested in
1371  pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx;
1372  // the first exponentiated coefficient is the public key share
1373  GNUNET_CRYPTO_mpi_scan_unsigned (&exp_coeff, pos,
1375  return exp_coeff;
1376 }
1377 
1378 
1381  const struct
1383  unsigned int idx)
1384 {
1385  unsigned char *pos;
1386 
1387  GNUNET_assert (idx < ks->num_peers);
1388 
1389  pos = (void *) &d[1];
1390  // skip encrypted pre-shares we're not interested in
1391  pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * idx;
1392  return (struct GNUNET_SECRETSHARING_FairEncryption *) pos;
1393 }
1394 
1395 
1396 static gcry_mpi_t
1398  const struct
1400  unsigned int idx)
1401 {
1402  gcry_mpi_t exp_preshare;
1404 
1405  GNUNET_assert (idx < ks->num_peers);
1406  fe = keygen_reveal_get_enc_preshare (ks, d, idx);
1407  GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, fe->h,
1409  return exp_preshare;
1410 }
1411 
1412 
1413 static void
1415  const struct GNUNET_SET_Element *element)
1416 {
1417  struct KeygenSession *ks = cls;
1418  const struct GNUNET_SECRETSHARING_KeygenRevealData *d;
1419  struct KeygenPeerInfo *info;
1420  size_t expected_element_size;
1421  unsigned int j;
1422  int cmp_result;
1423  gcry_mpi_t tmp;
1424  gcry_mpi_t public_key_share;
1425  gcry_mpi_t preshare;
1426 
1427  if (NULL == element)
1428  {
1429  GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round2 consensus failed\n");
1430  return;
1431  }
1432 
1433  expected_element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
1434  + sizeof(struct
1435  GNUNET_SECRETSHARING_FairEncryption)
1436  * ks->num_peers
1438  * ks->threshold);
1439 
1440  if (element->size != expected_element_size)
1441  {
1443  "keygen round2 data with wrong size (%u) in consensus, %u expected\n",
1444  (unsigned int) element->size,
1445  (unsigned int) expected_element_size);
1446  return;
1447  }
1448 
1449  d = (const void *) element->data;
1450 
1451  info = get_keygen_peer_info (ks, &d->peer);
1452 
1453  if (NULL == info)
1454  {
1456  "keygen commit data with wrong peer identity (%s) in consensus\n",
1457  GNUNET_i2s (&d->peer));
1458  return;
1459  }
1460 
1461  if (GNUNET_NO == info->round1_valid)
1462  {
1464  "ignoring round2 element from peer with invalid round1 element (%s)\n",
1465  GNUNET_i2s (&d->peer));
1466  return;
1467  }
1468 
1469  if (GNUNET_YES == info->round2_valid)
1470  {
1472  "ignoring duplicate round2 element (%s)\n",
1473  GNUNET_i2s (&d->peer));
1474  return;
1475  }
1476 
1477  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round2 element\n");
1478 
1479  if (ntohl (d->purpose.size) !=
1480  element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData,
1481  purpose))
1482  {
1484  "keygen reveal data with wrong signature purpose size in consensus\n");
1485  return;
1486  }
1487 
1490  &d->purpose, &d->signature,
1491  &d->peer.public_key))
1492  {
1494  "keygen reveal data with invalid signature in consensus\n");
1495  return;
1496  }
1497 
1498  public_key_share = keygen_reveal_get_exp_coeff (ks, d, 0);
1500  ks->local_peer_idx);
1501 
1502  if (NULL == ks->public_key)
1503  {
1504  GNUNET_assert (NULL != (ks->public_key = gcry_mpi_new (0)));
1505  gcry_mpi_set_ui (ks->public_key, 1);
1506  }
1507  gcry_mpi_mulm (ks->public_key, ks->public_key, public_key_share, elgamal_p);
1508 
1509  gcry_mpi_release (public_key_share);
1510  public_key_share = NULL;
1511 
1512  {
1513  struct GNUNET_SECRETSHARING_FairEncryption *fe =
1515  GNUNET_assert (NULL != (preshare = gcry_mpi_new (0)));
1517  &ks->info[ks->local_peer_idx].
1519  &fe->c,
1520  preshare);
1521 
1522  // FIXME: not doing the restoration is less expensive
1524  fe,
1525  preshare,
1526  preshare);
1527  }
1528 
1529  GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
1530  gcry_mpi_powm (tmp, elgamal_g, preshare, elgamal_p);
1531 
1532  cmp_result = gcry_mpi_cmp (tmp, info->preshare_commitment);
1533  gcry_mpi_release (tmp);
1534  tmp = NULL;
1535  if (0 != cmp_result)
1536  {
1538  "P%u: Got invalid presecret from P%u\n",
1539  (unsigned int) ks->local_peer_idx, (unsigned int) (info
1540  - ks->info));
1541  return;
1542  }
1543 
1544  if (NULL == ks->my_share)
1545  {
1546  GNUNET_assert (NULL != (ks->my_share = gcry_mpi_new (0)));
1547  }
1548  gcry_mpi_addm (ks->my_share, ks->my_share, preshare, elgamal_q);
1549 
1550  for (j = 0; j < ks->num_peers; j++)
1551  {
1552  gcry_mpi_t presigma;
1553  if (NULL == ks->info[j].sigma)
1554  {
1555  GNUNET_assert (NULL != (ks->info[j].sigma = gcry_mpi_new (0)));
1556  gcry_mpi_set_ui (ks->info[j].sigma, 1);
1557  }
1558  presigma = keygen_reveal_get_exp_preshare (ks, d, j);
1559  gcry_mpi_mulm (ks->info[j].sigma, ks->info[j].sigma, presigma, elgamal_p);
1560  gcry_mpi_release (presigma);
1561  }
1562 
1563  gcry_mpi_t prod;
1564  GNUNET_assert (NULL != (prod = gcry_mpi_new (0)));
1565  gcry_mpi_t j_to_k;
1566  GNUNET_assert (NULL != (j_to_k = gcry_mpi_new (0)));
1567  // validate that the polynomial sharing matches the additive sharing
1568  for (j = 0; j < ks->num_peers; j++)
1569  {
1570  unsigned int k;
1571  int cmp_result;
1572  gcry_mpi_t exp_preshare;
1573  gcry_mpi_set_ui (prod, 1);
1574  for (k = 0; k < ks->threshold; k++)
1575  {
1576  // Using pow(double,double) is a bit sketchy.
1577  // We count players from 1, but shares from 0.
1578  gcry_mpi_t tmp;
1579  gcry_mpi_set_ui (j_to_k, (unsigned int) pow (j + 1, k));
1580  tmp = keygen_reveal_get_exp_coeff (ks, d, k);
1581  gcry_mpi_powm (tmp, tmp, j_to_k, elgamal_p);
1582  gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
1583  gcry_mpi_release (tmp);
1584  }
1585  exp_preshare = keygen_reveal_get_exp_preshare (ks, d, j);
1586  gcry_mpi_mod (exp_preshare, exp_preshare, elgamal_p);
1587  cmp_result = gcry_mpi_cmp (prod, exp_preshare);
1588  gcry_mpi_release (exp_preshare);
1589  exp_preshare = NULL;
1590  if (0 != cmp_result)
1591  {
1593  "P%u: reveal data from P%u incorrect\n",
1594  ks->local_peer_idx, j);
1595  /* no need for further verification, round2 stays invalid ... */
1596  return;
1597  }
1598  }
1599 
1600  // TODO: verify proof of fair encryption (once implemented)
1601  for (j = 0; j < ks->num_peers; j++)
1602  {
1603  struct GNUNET_SECRETSHARING_FairEncryption *fe =
1604  keygen_reveal_get_enc_preshare (ks, d, j);
1605  if (GNUNET_YES != verify_fair (&ks->info[j].paillier_public_key, fe))
1606  {
1608  "P%u: reveal data from P%u incorrect (fair encryption)\n",
1609  ks->local_peer_idx, j);
1610  return;
1611  }
1612  }
1613 
1614  info->round2_valid = GNUNET_YES;
1615 
1616  gcry_mpi_release (preshare);
1617  gcry_mpi_release (prod);
1618  gcry_mpi_release (j_to_k);
1619 }
1620 
1621 
1628 static void
1630 {
1631  struct KeygenSession *ks = cls;
1632 
1634 
1635  ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers,
1636  &ks->session_id,
1637  time_between (ks->start_time,
1638  ks->deadline, 1, 2),
1639  ks->deadline,
1641 
1642  insert_round2_element (ks);
1643 
1646  ks);
1647 }
1648 
1649 
1656 static void
1658 {
1659  struct GNUNET_SET_Element *element;
1661  // g^a_{i,0}
1662  gcry_mpi_t v;
1663  // big-endian representation of 'v'
1664  unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1665 
1666  element = GNUNET_malloc (sizeof *element + sizeof *d);
1667  d = (void *) &element[1];
1668  element->data = d;
1669  element->size = sizeof *d;
1670 
1671  d->peer = my_peer;
1672 
1673  GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1674 
1675  gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p);
1676 
1678  / 8, v);
1679 
1681  &d->commitment);
1682 
1684 
1685  d->purpose.size = htonl ((sizeof *d) - offsetof (struct
1687  purpose));
1690  GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
1691  &d->purpose,
1692  &d->signature));
1693 
1694  GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
1695 
1696  gcry_mpi_release (v);
1697  GNUNET_free (element);
1698 }
1699 
1700 
1708 static int
1711 {
1712  unsigned int num_peers = ntohs (msg->num_peers);
1713 
1714  if (ntohs (msg->header.size) - sizeof(*msg) !=
1715  num_peers * sizeof(struct GNUNET_PeerIdentity))
1716  {
1717  GNUNET_break (0);
1718  return GNUNET_SYSERR;
1719  }
1720  return GNUNET_OK;
1721 }
1722 
1723 
1731 static void
1734 {
1735  struct ClientState *cs = cls;
1736  struct KeygenSession *ks;
1737 
1739  "client requested key generation\n");
1740  if (NULL != cs->keygen_session)
1741  {
1742  GNUNET_break (0);
1744  return;
1745  }
1746  ks = GNUNET_new (struct KeygenSession);
1747  ks->cs = cs;
1748  cs->keygen_session = ks;
1750  ks->threshold = ntohs (msg->threshold);
1751  ks->num_peers = ntohs (msg->num_peers);
1752 
1753  ks->peers = normalize_peers ((struct GNUNET_PeerIdentity *) &msg[1],
1754  ks->num_peers,
1755  &ks->num_peers,
1756  &ks->local_peer_idx);
1757 
1758 
1760  "first round of consensus with %u peers\n",
1761  ks->num_peers);
1763  ks->num_peers,
1764  ks->peers,
1765  &msg->session_id,
1767  msg->start),
1769  msg->deadline),
1771  ks);
1772 
1773  ks->info = GNUNET_new_array (ks->num_peers,
1774  struct KeygenPeerInfo);
1775 
1776  for (unsigned int i = 0; i < ks->num_peers; i++)
1777  ks->info[i].peer = ks->peers[i];
1778 
1781  &ks->paillier_private_key);
1782 
1784  "P%u: Generated paillier key pair\n",
1785  ks->local_peer_idx);
1788  "P%u: Generated presecret polynomial\n",
1789  ks->local_peer_idx);
1790  insert_round1_element (ks);
1792  "P%u: Concluding for round 1\n",
1793  ks->local_peer_idx);
1796  ks);
1799  "P%u: Waiting for round 1 elements ...\n",
1800  ks->local_peer_idx);
1801 }
1802 
1803 
1807 static void
1808 decrypt_conclude (void *cls)
1809 {
1810  struct DecryptSession *ds = cls;
1812  struct GNUNET_MQ_Envelope *ev;
1813  gcry_mpi_t lagrange;
1814  gcry_mpi_t m;
1815  gcry_mpi_t tmp;
1816  gcry_mpi_t c_2;
1817  gcry_mpi_t prod;
1818  unsigned int *indices;
1819  unsigned int num;
1820  unsigned int i;
1821  unsigned int j;
1822 
1824  ds->consensus = NULL;
1825 
1826  GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
1827  GNUNET_assert (0 != (m = gcry_mpi_new (0)));
1828  GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
1829  GNUNET_assert (0 != (prod = gcry_mpi_new (0)));
1830 
1831  num = 0;
1832  for (i = 0; i < ds->share->num_peers; i++)
1833  if (NULL != ds->info[i].partial_decryption)
1834  num++;
1835 
1836  indices = GNUNET_new_array (num,
1837  unsigned int);
1838  j = 0;
1839  for (i = 0; i < ds->share->num_peers; i++)
1840  if (NULL != ds->info[i].partial_decryption)
1841  indices[j++] = ds->info[i].original_index;
1842 
1844  "P%u: decrypt conclude, with %u peers\n",
1845  ds->share->my_peer,
1846  num);
1847 
1848  gcry_mpi_set_ui (prod, 1);
1849  for (i = 0; i < num; i++)
1850  {
1852  "P%u: index of %u: %u\n",
1853  ds->share->my_peer, i, indices[i]);
1854  compute_lagrange_coefficient (lagrange, indices[i], indices, num);
1855  // w_i^{\lambda_i}
1856  gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange,
1857  elgamal_p);
1858 
1859  // product of all exponentiated partiel decryptions ...
1860  gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
1861  }
1862 
1865 
1866  GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p));
1867  gcry_mpi_mulm (m, c_2, prod, elgamal_p);
1868  ev = GNUNET_MQ_msg (msg,
1872  msg->success = htonl (1);
1873  GNUNET_MQ_send (ds->cs->mq,
1874  ev);
1875 
1876  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
1877 
1878  GNUNET_free (indices);
1879 
1880  gcry_mpi_release (lagrange);
1881  gcry_mpi_release (m);
1882  gcry_mpi_release (tmp);
1883  gcry_mpi_release (prod);
1884  gcry_mpi_release (c_2);
1885 
1886  // FIXME: what if not enough peers participated?
1887 }
1888 
1889 
1897 static char *
1898 mpi_to_str (gcry_mpi_t mpi)
1899 {
1900  unsigned char *buf;
1901 
1902  GNUNET_assert (0 == gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buf, NULL, mpi));
1903  return (char *) buf;
1904 }
1905 
1906 
1910 static void
1912  const struct GNUNET_SET_Element *element)
1913 {
1914  struct DecryptSession *session = cls;
1915  const struct GNUNET_SECRETSHARING_DecryptData *d;
1916  struct DecryptPeerInfo *info;
1917  struct GNUNET_HashCode challenge_hash;
1918 
1919  /* nizk response */
1920  gcry_mpi_t r;
1921  /* nizk challenge */
1922  gcry_mpi_t challenge;
1923  /* nizk commit1, g^\beta */
1924  gcry_mpi_t commit1;
1925  /* nizk commit2, c_1^\beta */
1926  gcry_mpi_t commit2;
1927  /* homomorphic commitment to the peer's share,
1928  * public key share */
1929  gcry_mpi_t sigma;
1930  /* partial decryption we received */
1931  gcry_mpi_t w;
1932  /* ciphertext component #1 */
1933  gcry_mpi_t c1;
1934  /* temporary variable (for comparision) #1 */
1935  gcry_mpi_t tmp1;
1936  /* temporary variable (for comparision) #2 */
1937  gcry_mpi_t tmp2;
1938 
1939  if (NULL == element)
1940  {
1941  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decryption failed\n");
1942  /* FIXME: destroy */
1943  return;
1944  }
1945 
1946  if (element->size != sizeof *d)
1947  {
1949  "element of wrong size in decrypt consensus\n");
1950  return;
1951  }
1952 
1953  d = element->data;
1954 
1955  info = get_decrypt_peer_info (session, &d->peer);
1956 
1957  if (NULL == info)
1958  {
1960  "decrypt element from invalid peer (%s)\n",
1961  GNUNET_i2s (&d->peer));
1962  return;
1963  }
1964 
1965  if (NULL != info->partial_decryption)
1966  {
1967  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n");
1968  return;
1969  }
1970 
1971  if (0 != GNUNET_memcmp (&d->ciphertext, &session->ciphertext))
1972  {
1974  "P%u: got decrypt element with non-matching ciphertext from P%u\n",
1975  (unsigned int) session->share->my_peer, (unsigned int) (info
1976  -
1977  session
1978  ->info));
1979 
1980  return;
1981  }
1982 
1983 
1985  ciphertext) + (char *) d,
1986  offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1987  nizk_response)
1988  - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1989  ciphertext),
1990  &challenge_hash);
1991 
1992  GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
1993  sizeof(struct GNUNET_HashCode));
1994 
1995  GNUNET_CRYPTO_mpi_scan_unsigned (&sigma, &session->share->sigmas[info
1996  - session->
1997  info],
1998  sizeof(struct
2000 
2002  sizeof(struct
2004 
2005  GNUNET_CRYPTO_mpi_scan_unsigned (&commit1, &d->nizk_commit1,
2006  sizeof(struct
2008 
2009  GNUNET_CRYPTO_mpi_scan_unsigned (&commit2, &d->nizk_commit2,
2010  sizeof(struct
2012 
2013  GNUNET_CRYPTO_mpi_scan_unsigned (&r, &d->nizk_response,
2014  sizeof(struct
2016 
2017  GNUNET_CRYPTO_mpi_scan_unsigned (&w, &d->partial_decryption,
2018  sizeof(struct
2020 
2021  GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
2022  GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
2023 
2024  // tmp1 = g^r
2025  gcry_mpi_powm (tmp1, elgamal_g, r, elgamal_p);
2026 
2027  // tmp2 = g^\beta * \sigma^challenge
2028  gcry_mpi_powm (tmp2, sigma, challenge, elgamal_p);
2029  gcry_mpi_mulm (tmp2, tmp2, commit1, elgamal_p);
2030 
2031  if (0 != gcry_mpi_cmp (tmp1, tmp2))
2032  {
2033  char *tmp1_str;
2034  char *tmp2_str;
2035 
2036  tmp1_str = mpi_to_str (tmp1);
2037  tmp2_str = mpi_to_str (tmp2);
2039  "P%u: Received invalid partial decryption from P%u (eqn 1), expected %s got %s\n",
2040  session->share->my_peer,
2041  (unsigned int) (info - session->info),
2042  tmp1_str,
2043  tmp2_str);
2044  GNUNET_free (tmp1_str);
2045  GNUNET_free (tmp2_str);
2046  goto cleanup;
2047  }
2048 
2049 
2050  gcry_mpi_powm (tmp1, c1, r, elgamal_p);
2051 
2052  gcry_mpi_powm (tmp2, w, challenge, elgamal_p);
2053  gcry_mpi_mulm (tmp2, tmp2, commit2, elgamal_p);
2054 
2055 
2056  if (0 != gcry_mpi_cmp (tmp1, tmp2))
2057  {
2059  "P%u: Received invalid partial decryption from P%u (eqn 2)\n",
2060  session->share->my_peer,
2061  (unsigned int) (info - session->info));
2062  goto cleanup;
2063  }
2064 
2065 
2067  &d->partial_decryption,
2069 cleanup:
2070  gcry_mpi_release (tmp1);
2071  gcry_mpi_release (tmp2);
2072  gcry_mpi_release (sigma);
2073  gcry_mpi_release (commit1);
2074  gcry_mpi_release (commit2);
2075  gcry_mpi_release (r);
2076  gcry_mpi_release (w);
2077  gcry_mpi_release (challenge);
2078  gcry_mpi_release (c1);
2079 }
2080 
2081 
2082 static void
2084 {
2086  struct GNUNET_SET_Element element;
2087  /* our share */
2088  gcry_mpi_t s;
2089  /* partial decryption with our share */
2090  gcry_mpi_t w;
2091  /* first component of the elgamal ciphertext */
2092  gcry_mpi_t c1;
2093  /* nonce for dlog zkp */
2094  gcry_mpi_t beta;
2095  gcry_mpi_t tmp;
2096  gcry_mpi_t challenge;
2097  gcry_mpi_t sigma;
2098  struct GNUNET_HashCode challenge_hash;
2099 
2100  /* make vagrind happy until we implement the real deal ... */
2101  memset (&d, 0, sizeof d);
2102 
2103  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n",
2104  ds->share->my_peer);
2105 
2106  GNUNET_assert (ds->share->my_peer < ds->share->num_peers);
2107 
2113  &ds->share->sigmas[ds->share->my_peer],
2115 
2116  GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
2117  GNUNET_assert (NULL != (beta = gcry_mpi_new (0)));
2118  GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
2119 
2120  // FIXME: unnecessary, remove once crypto works
2121  gcry_mpi_powm (tmp, elgamal_g, s, elgamal_p);
2122  if (0 != gcry_mpi_cmp (tmp, sigma))
2123  {
2124  char *sigma_str = mpi_to_str (sigma);
2125  char *tmp_str = mpi_to_str (tmp);
2126  char *s_str = mpi_to_str (s);
2128  "Share of P%u is invalid, ref sigma %s, "
2129  "computed sigma %s, s %s\n",
2130  ds->share->my_peer,
2131  sigma_str, tmp_str, s_str);
2132  GNUNET_free (sigma_str);
2133  GNUNET_free (tmp_str);
2134  GNUNET_free (s_str);
2135  }
2136 
2137  gcry_mpi_powm (w, c1, s, elgamal_p);
2138 
2139  element.data = (void *) &d;
2140  element.size = sizeof(struct GNUNET_SECRETSHARING_DecryptData);
2141  element.element_type = 0;
2142 
2143  d.ciphertext = ds->ciphertext;
2144  d.peer = my_peer;
2147 
2148  // create the zero knowledge proof
2149  // randomly choose beta such that 0 < beta < q
2150  do
2151  {
2152  gcry_mpi_randomize (beta, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
2153  GCRY_WEAK_RANDOM);
2154  }
2155  while ((gcry_mpi_cmp_ui (beta, 0) == 0) || (gcry_mpi_cmp (beta, elgamal_q) >=
2156  0));
2157  // tmp = g^beta
2158  gcry_mpi_powm (tmp, elgamal_g, beta, elgamal_p);
2161  // tmp = (c_1)^beta
2162  gcry_mpi_powm (tmp, c1, beta, elgamal_p);
2165 
2166  // the challenge is the hash of everything up to the response
2168  ciphertext) + (char *) &d,
2169  offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2170  nizk_response)
2171  - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2172  ciphertext),
2173  &challenge_hash);
2174 
2175  GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
2176  sizeof(struct GNUNET_HashCode));
2177 
2178  // compute the response in tmp,
2179  // tmp = (c * s + beta) mod q
2180  gcry_mpi_mulm (tmp, challenge, s, elgamal_q);
2181  gcry_mpi_addm (tmp, tmp, beta, elgamal_q);
2182 
2183  GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_response,
2185 
2186  d.purpose.size = htonl (element.size - offsetof (struct
2188  purpose));
2189  d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
2190 
2192  GNUNET_CRYPTO_eddsa_sign (my_peer_private_key,
2193  &d.purpose,
2194  &d.signature));
2195 
2196  GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
2198  "P%u: Inserting decrypt element done!\n",
2199  ds->share->my_peer);
2200 
2201  gcry_mpi_release (s);
2202  gcry_mpi_release (w);
2203  gcry_mpi_release (c1);
2204  gcry_mpi_release (beta);
2205  gcry_mpi_release (tmp);
2206  gcry_mpi_release (challenge);
2207  gcry_mpi_release (sigma);
2208 }
2209 
2210 
2218 static int
2220  const struct
2222 {
2223  /* we check later, it's complicated */
2224  return GNUNET_OK;
2225 }
2226 
2227 
2235 static void
2237  const struct
2239 {
2240  struct ClientState *cs = cls;
2241  struct DecryptSession *ds;
2242  struct GNUNET_HashCode session_id;
2243 
2244  if (NULL != cs->decrypt_session)
2245  {
2246  GNUNET_break (0);
2248  return;
2249  }
2250  ds = GNUNET_new (struct DecryptSession);
2251  cs->decrypt_session = ds;
2252  ds->cs = cs;
2253  ds->start = GNUNET_TIME_absolute_ntoh (msg->start);
2255  ds->ciphertext = msg->ciphertext;
2256 
2257  ds->share = GNUNET_SECRETSHARING_share_read (&msg[1],
2258  ntohs (msg->header.size)
2259  - sizeof(*msg),
2260  NULL);
2261  if (NULL == ds->share)
2262  {
2263  GNUNET_break (0);
2265  return;
2266  }
2267 
2268  /* FIXME: this is probably sufficient, but kdf/hash with all values would be nicer ... */
2270  sizeof(struct GNUNET_SECRETSHARING_Ciphertext),
2271  &session_id);
2273  ds->share->num_peers,
2274  ds->share->peers,
2275  &session_id,
2276  ds->start,
2277  ds->deadline,
2279  ds);
2280 
2281 
2282  ds->info = GNUNET_new_array (ds->share->num_peers,
2283  struct DecryptPeerInfo);
2284  for (unsigned int i = 0; i < ds->share->num_peers; i++)
2285  {
2286  ds->info[i].peer = ds->share->peers[i];
2287  ds->info[i].original_index = ds->share->original_indices[i];
2288  }
2292  ds);
2295  "decrypting with %u peers\n",
2296  ds->share->num_peers);
2297 }
2298 
2299 
2300 static void
2302 {
2303  GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
2305  NULL));
2306  GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
2308  NULL));
2309  GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
2311  NULL));
2312 }
2313 
2314 
2322 static void
2323 run (void *cls,
2324  const struct GNUNET_CONFIGURATION_Handle *c,
2326 {
2327  cfg = c;
2328  my_peer_private_key = GNUNET_CRYPTO_eddsa_key_create_from_configuration (c);
2329  if (NULL == my_peer_private_key)
2330  {
2332  "could not access host private key\n");
2333  GNUNET_break (0);
2335  return;
2336  }
2338  if (GNUNET_OK !=
2340  &my_peer))
2341  {
2343  "could not retrieve host identity\n");
2344  GNUNET_break (0);
2346  return;
2347  }
2349  NULL);
2350 }
2351 
2352 
2361 static void *
2363  struct GNUNET_SERVICE_Client *c,
2364  struct GNUNET_MQ_Handle *mq)
2365 {
2366  struct ClientState *cs = GNUNET_new (struct ClientState);;
2367 
2368  cs->client = c;
2369  cs->mq = mq;
2370  return cs;
2371 }
2372 
2373 
2381 static void
2383  struct GNUNET_SERVICE_Client *c,
2384  void *internal_cls)
2385 {
2386  struct ClientState *cs = internal_cls;
2387 
2388  if (NULL != cs->keygen_session)
2390 
2391  if (NULL != cs->decrypt_session)
2393  GNUNET_free (cs);
2394 }
2395 
2396 
2401  ("secretsharing",
2403  &run,
2406  NULL,
2407  GNUNET_MQ_hd_var_size (client_keygen,
2410  NULL),
2411  GNUNET_MQ_hd_var_size (client_decrypt,
2414  NULL),
static char * mpi_to_str(gcry_mpi_t mpi)
Get a string representation of an MPI.
static int peer_id_cmp(const void *p1, const void *p2)
Compare two peer identities.
static unsigned int threshold
What should the threshold for then key be?
static void insert_round1_element(struct KeygenSession *ks)
Insert the ephemeral key and the presecret commitment of this peer in the consensus of the given sess...
struct GNUNET_CRYPTO_EddsaSignature signature
Signature over the rest of the message.
static int peer_find(const struct GNUNET_PeerIdentity *haystack, unsigned int n, const struct GNUNET_PeerIdentity *needle)
Get the index of a peer in an array of peers.
#define GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1
Signature for the first round of distributed key generation.
static void keygen_round1_conclude(void *cls)
Called when the first consensus round has concluded.
Information about a peer in a decrypt session.
static gcry_mpi_t keygen_reveal_get_exp_preshare(struct KeygenSession *ks, const struct GNUNET_SECRETSHARING_KeygenRevealData *d, unsigned int idx)
static struct GNUNET_SERVICE_Handle * service
Handle to our service instance.
struct GNUNET_PeerIdentity peer
Peer that inserts this element.
static const struct GNUNET_CONFIGURATION_Handle * cfg
Configuration of this service.
void GNUNET_CONSENSUS_destroy(struct GNUNET_CONSENSUS_Handle *consensus)
Destroy a consensus handle (free all state associated with it, no longer call any of the callbacks)...
struct GNUNET_MessageHeader * msg
Definition: 005.c:2
static void insert_round2_element(struct KeygenSession *ks)
Insert round 2 element in the consensus, consisting of (1) The exponentiated pre-share polynomial coe...
struct GNUNET_SECRETSHARING_Share * GNUNET_SECRETSHARING_share_read(const void *data, size_t len, size_t *readlen)
Read a share from its binary representation.
State we keep per client.
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_ntoh(struct GNUNET_TIME_AbsoluteNBO a)
Convert absolute time from network byte order.
Definition: time.c:673
gcry_mpi_t preshare_commitment
Commitment to the preshare that is intended for our peer.
static unsigned int element_size
static int end
Set if we are to shutdown all services (including ARM).
Definition: gnunet-arm.c:34
struct GNUNET_SECRETSHARING_FieldElement my_share
Share of &#39;my_peer&#39;.
p2p message definitions for secretsharing
#define GNUNET_SECRETSHARING_ELGAMAL_G_HEX
The g-parameter for ElGamal encryption, a generator of the unique size q subgroup of Z_p^*...
int round1_valid
Did we successfully receive the round1 element of the peer?
struct GNUNET_PeerIdentity peer
Peer that inserts this element.
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Handle to a service.
Definition: service.c:116
struct GNUNET_SECRETSHARING_FieldElement plaintext
Decrypted plaintext.
struct GNUNET_MQ_Handle * mq
MQ to talk to client.
void GNUNET_SECRETSHARING_share_destroy(struct GNUNET_SECRETSHARING_Share *share)
struct GNUNET_SECRETSHARING_Share * share
Share of the local peer.
static void decrypt_conclude(void *cls)
Called when the partial decryption consensus concludes.
struct GNUNET_SCHEDULER_Task * GNUNET_SCHEDULER_add_shutdown(GNUNET_SCHEDULER_TaskCallback task, void *task_cls)
Schedule a new task to be run on shutdown, that is when a CTRL-C signal is received, or when GNUNET_SCHEDULER_shutdown() is being invoked.
Definition: scheduler.c:1300
Element stored in a set.
struct GNUNET_PeerIdentity * peers
Peer identities (includes &#39;my_peer&#39;)
static void keygen_round2_conclude(void *cls)
static struct DecryptPeerInfo * get_decrypt_peer_info(const struct DecryptSession *ds, const struct GNUNET_PeerIdentity *peer)
Get the peer info belonging to a peer identity in a decrypt session.
static int start
Set if we are to start default services (including ARM).
Definition: gnunet-arm.c:39
static void generate_presecret_polynomial(struct KeygenSession *ks)
Generate the random coefficients of our pre-secret polynomial.
char h[GNUNET_SECRETSHARING_ELGAMAL_BITS/8]
h = g^x, where x is the fairly encrypte secret.
static struct KeygenPeerInfo * get_keygen_peer_info(const struct KeygenSession *ks, const struct GNUNET_PeerIdentity *peer)
Get the peer info belonging to a peer identity in a keygen session.
static void keygen_info_destroy(struct KeygenPeerInfo *info)
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
struct GNUNET_CRYPTO_EddsaSignature signature
Signature over rest of the message.
messages used for the secretsharing api
static gcry_mpi_t keygen_reveal_get_exp_coeff(struct KeygenSession *ks, const struct GNUNET_SECRETSHARING_KeygenRevealData *d, unsigned int idx)
int GNUNET_CRYPTO_eddsa_sign(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EddsaSignature *sig)
EdDSA sign a given block.
Definition: crypto_ecc.c:987
#define GNUNET_SECRETSHARING_ELGAMAL_Q_HEX
The q-parameter for ElGamal encryption, a 1023-bit Sophie Germain prime, q = (p-1)/2.
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
Definition: crypto_mpi.c:78
#define GNUNET_memcpy(dst, src, n)
Call memcpy() but check for n being 0 first.
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT
Request the decryption of a ciphertext.
struct GNUNET_SECRETSHARING_Ciphertext ciphertext
Ciphertext we want to decrypt.
#define GNUNET_MQ_msg(mvar, type)
Allocate a GNUNET_MQ_Envelope.
Definition: gnunet_mq_lib.h:67
static struct Experiment * e
struct GNUNET_CRYPTO_PaillierPublicKey pubkey
Ephemeral paillier public key used by &#39;peer&#39; for this session.
A share, with all values in in host byte order.
struct GNUNET_PeerIdentity peer
Identity of the peer.
gcry_mpi_t my_share
Share of our peer.
static struct GNUNET_HashCode session_id
#define GNUNET_NO
Definition: gnunet_common.h:78
#define GNUNET_OK
Named constants for return values.
Definition: gnunet_common.h:75
static void decrypt_new_element(void *cls, const struct GNUNET_SET_Element *element)
Called when a new partial decryption arrives.
struct GNUNET_TIME_Absolute start_time
When does the DKG start? Necessary to compute fractions of the operation&#39;s desired time interval...
char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS/8]
Data of then element put in consensus for decrypting a value.
#define GNUNET_new(type)
Allocate a struct or union of the given type.
unsigned int threshold
Minimum number of shares required to restore the secret.
struct GNUNET_MessageHeader header
Type: GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_REQUEST.
void GNUNET_CONSENSUS_insert(struct GNUNET_CONSENSUS_Handle *consensus, const struct GNUNET_SET_Element *element, GNUNET_CONSENSUS_InsertDoneCallback idc, void *idc_cls)
Insert an element in the set being reconsiled.
static struct GNUNET_SCHEDULER_Task * t
Main task.
uint16_t size
The length of the struct (in bytes, including the length field itself), in big-endian format...
static void init_crypto_constants(void)
void GNUNET_SCHEDULER_shutdown(void)
Request the shutdown of a scheduler.
Definition: scheduler.c:526
struct GNUNET_SECRETSHARING_FieldElement nizk_commit1
Commitment for the non-interactive zero knowledge proof.
uint64_t abs_value_us
The actual value.
gcry_mpi_t partial_decryption
Set to the partial decryption of this peer, or NULL if we did not receive a partial decryption from t...
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur...
static struct GNUNET_ARM_Handle * h
Connection with ARM.
Definition: gnunet-arm.c:99
const void * data
Actual data of the element.
struct GNUNET_CRYPTO_EccSignaturePurpose purpose
void GNUNET_CRYPTO_paillier_create(struct GNUNET_CRYPTO_PaillierPublicKey *public_key, struct GNUNET_CRYPTO_PaillierPrivateKey *private_key)
Create a freshly generated paillier public key.
unsigned int local_peer
Index of the local peer.
struct GNUNET_SECRETSHARING_Ciphertext ciphertext
Ciphertext we want to decrypt.
Handle to a client that is connected to a service.
Definition: service.c:250
int round2_valid
Did we successfully receive the round2 element of the peer?
static void get_fair_encryption_challenge(const struct GNUNET_SECRETSHARING_FairEncryption *fe, gcry_mpi_t *e)
#define GNUNET_SECRETSHARING_ELGAMAL_P_HEX
The q-parameter for ElGamal encryption, a 1024-bit safe prime.
static struct GNUNET_ARM_MonitorHandle * m
Monitor connection with ARM.
Definition: gnunet-arm.c:104
static void insert_decrypt_element(struct DecryptSession *ds)
static struct LoggingHandle * l
unsigned char bits[2048 *2/8]
The bits of the ciphertext.
gcry_mpi_t public_key
Public key, will be updated when a round2 element arrives.
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE
The service succeeded in decrypting a ciphertext.
#define GNUNET_MQ_msg_extra(mvar, esize, type)
Allocate an envelope, with extra space allocated after the space needed by the message struct...
Definition: gnunet_mq_lib.h:52
struct GNUNET_CONSENSUS_Handle * consensus
Current consensus, used for both DKG rounds.
int GNUNET_CRYPTO_eddsa_verify(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EddsaSignature *sig, const struct GNUNET_CRYPTO_EddsaPublicKey *pub)
Verify EdDSA signature.
Definition: crypto_ecc.c:1114
struct GNUNET_TIME_AbsoluteNBO deadline
Deadline for the establishment of the crypto system.
Definition: secretsharing.h:67
static void client_disconnect_cb(void *cls, struct GNUNET_SERVICE_Client *c, void *internal_cls)
Callback called when a client disconnected from the service.
static void decrypt_session_destroy(struct DecryptSession *ds)
Destroy a decrypt session, removing it from the linked list of decrypt sessions.
#define GNUNET_MQ_hd_var_size(name, code, str, ctx)
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition: crypto_hash.c:48
struct DecryptSession * decrypt_session
Decrypt session of the client, if any.
static struct GNUNET_PeerIdentity my_peer
Peer that runs this service.
static void compute_lagrange_coefficient(gcry_mpi_t coeff, unsigned int j, unsigned int *indices, unsigned int num)
Get a the j-th lagrange coefficient for a set of indices.
static gcry_mpi_t elgamal_g
Generator for prime field of order &#39;elgamal_q&#39;.
static int verify_fair(const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, const struct GNUNET_SECRETSHARING_FairEncryption *fe)
Session to establish a threshold-shared secret.
static char buf[2048]
#define GNUNET_new_array(n, type)
Allocate a size n array with structs or unions of the given type.
static void cleanup(void *cls)
Function scheduled as very last function, cleans up after us.
struct GNUNET_HashCode session_id
Identifier for this session.
gcry_mpi_t presecret_commitment
The peer&#39;s commitment to its presecret.
static struct GNUNET_PeerIdentity * normalize_peers(struct GNUNET_PeerIdentity *listed, unsigned int num_listed, unsigned int *num_normalized, unsigned int *my_peer_idx)
Normalize the given list of peers, by including the local peer (if it is missing) and sorting the pee...
static int result
Global testing status.
struct GNUNET_MessageHeader header
Type: GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE.
Definition: secretsharing.h:52
static struct GNUNET_CRYPTO_EddsaPrivateKey * my_peer_private_key
Peer that runs this service.
static void handle_client_keygen(void *cls, const struct GNUNET_SECRETSHARING_CreateMessage *msg)
Functions with this signature are called whenever a message is received.
void GNUNET_CRYPTO_paillier_decrypt(const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key, const struct GNUNET_CRYPTO_PaillierPublicKey *public_key, const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext, gcry_mpi_t m)
Decrypt a paillier ciphertext with a private key.
int GNUNET_SECRETSHARING_share_write(const struct GNUNET_SECRETSHARING_Share *share, void *buf, size_t buflen, size_t *writelen)
Convert a share to its binary representation.
uint32_t size
How many bytes does this signature sign? (including this purpose header); in network byte order (!)...
static struct GNUNET_SECRETSHARING_Ciphertext ciphertext
static gcry_mpi_t elgamal_p
Modulus of the prime field used for ElGamal.
unsigned int local_peer_idx
Index of the local peer in the ordered list of peers in the session.
struct GNUNET_HashCode commitment
Commitment of &#39;peer&#39; to its presecret.
A 512-bit hashcode.
void GNUNET_SERVICE_client_drop(struct GNUNET_SERVICE_Client *c)
Ask the server to disconnect from the given client.
Definition: service.c:2324
struct GNUNET_TIME_AbsoluteNBO deadline
Until when should the decryption be finished?
char t2[GNUNET_CRYPTO_PAILLIER_BITS *2/8]
uint16_t threshold
Mininum number of cooperating peers to decrypt a value.
Definition: secretsharing.h:73
static int res
uint32_t c1_bits[1024/8/sizeof(uint32_t)]
struct GNUNET_CRYPTO_PaillierPublicKey paillier_public_key
The peer&#39;s paillier public key.
static void restore_fair(const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, const struct GNUNET_SECRETSHARING_FairEncryption *fe, gcry_mpi_t x, gcry_mpi_t xres)
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
Definition: crypto_mpi.c:131
static struct GNUNET_TIME_Absolute start_time
Start time of the current round; used to determine how long one iteration takes (which influences how...
static void keygen_session_destroy(struct KeygenSession *ks)
struct GNUNET_CRYPTO_EccSignaturePurpose purpose
Signature purpose for signing the keygen commit data.
unsigned int num_peers
Total number of peers.
#define GNUNET_SYSERR
Definition: gnunet_common.h:76
struct KeygenSession * keygen_session
Keygen session of the client, if any.
static void keygen_round2_new_element(void *cls, const struct GNUNET_SET_Element *element)
struct GNUNET_CRYPTO_PaillierPrivateKey paillier_private_key
Paillier private key of our peer.
struct DecryptPeerInfo * info
State information about other peers.
struct ClientState * cs
Which client is this for?
struct GNUNET_SECRETSHARING_FieldElement nizk_response
Reponse to the challenge computed from the protocol transcript.
struct GNUNET_TIME_AbsoluteNBO start
Until when should the decryption start?
struct GNUNET_CONSENSUS_Handle * consensus
Handle to the consensus over partial decryptions.
static struct GNUNET_SECRETSHARING_FairEncryption * keygen_reveal_get_enc_preshare(struct KeygenSession *ks, const struct GNUNET_SECRETSHARING_KeygenRevealData *d, unsigned int idx)
static void encrypt_fair(gcry_mpi_t v, const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, struct GNUNET_SECRETSHARING_FairEncryption *fe)
Create a fair Paillier encryption of then given ciphertext.
static unsigned int num_peers
struct KeygenPeerInfo * info
Information about all participating peers.
static int check_client_decrypt(void *cls, const struct GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
Check that msg is well-formed.
#define GNUNET_memcmp(a, b)
Compare memory in a and b, where both must be of the same pointer type.
Info about a peer in a key generation session.
static void run(void *cls, const struct GNUNET_CONFIGURATION_Handle *c, struct GNUNET_SERVICE_Handle *service)
Initialize secretsharing service.
static struct GNUNET_TIME_Absolute time_between(struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Absolute end, int num, int denum)
Interpolate between two points in time.
char z[GNUNET_SECRETSHARING_ELGAMAL_BITS/8]
struct GNUNET_TIME_Absolute deadline
When would we like the key to be established?
Handle to a message queue.
Definition: mq.c:85
unsigned int original_index
Original index in the key generation round.
Private ECC key encoded for transmission.
struct GNUNET_TIME_Absolute deadline
When would we like the ciphertext to be decrypted?
static void handle_client_decrypt(void *cls, const struct GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
Functions with this signature are called whenever a message is received.
The identity of the host (wraps the signing key of the peer).
static void keygen_round1_new_element(void *cls, const struct GNUNET_SET_Element *element)
Consensus element handler for round one.
uint32_t success
Zero if decryption failed, non-zero if decryption succeeded.
struct GNUNET_SECRETSHARING_Ciphertext ciphertext
Ciphertext we want to decrypt.
configuration data
Definition: configuration.c:85
struct GNUNET_PeerIdentity peer
Peer that inserts this element.
struct GNUNET_SERVICE_Client * client
Client this is about.
gcry_mpi_t * presecret_polynomial
Randomly generated coefficients of the polynomial for sharing our pre-secret, where &#39;preshares[0]&#39; is...
struct GNUNET_SECRETSHARING_FieldElement * sigmas
uint16_t my_peer
Index of our peer in the list.
uint16_t size
Number of bytes in the buffer pointed to by data.
struct GNUNET_PeerIdentity * peers
List of all peers involved in the secret sharing session.
struct GNUNET_MQ_Handle * mq
Definition: 003.c:5
#define GNUNET_log(kind,...)
void GNUNET_CONSENSUS_conclude(struct GNUNET_CONSENSUS_Handle *consensus, GNUNET_CONSENSUS_ConcludeCallback conclude, void *conclude_cls)
We are done with inserting new elements into the consensus; try to conclude the consensus within a gi...
struct GNUNET_PeerIdentity peer
Peer identity of the peer.
int GNUNET_CRYPTO_get_peer_identity(const struct GNUNET_CONFIGURATION_Handle *cfg, struct GNUNET_PeerIdentity *dst)
Retrieve the identity of the host&#39;s peer.
#define GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION
Signature for cooperatice decryption.
struct GNUNET_CRYPTO_EddsaPrivateKey * GNUNET_CRYPTO_eddsa_key_create_from_configuration(const struct GNUNET_CONFIGURATION_Handle *cfg)
Create a new private key by reading our peer&#39;s key from the file specified in the configuration...
uint16_t num_peers
Number of peers at the end of this message.
Definition: secretsharing.h:78
Handle for the service.
Definition: consensus_api.c:40
static struct GNUNET_TIME_Absolute deadline
Deadline for all consensuses.
Time for absolute times used by GNUnet, in microseconds.
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY
The cryptosystem has been established.
#define GNUNET_YES
Definition: gnunet_common.h:77
static struct GNUNET_FS_DirScanner * ds
Handle to the directory scanner (for recursive insertions).
void GNUNET_MQ_send(struct GNUNET_MQ_Handle *mq, struct GNUNET_MQ_Envelope *ev)
Send a message with the given message queue.
Definition: mq.c:353
struct GNUNET_CONSENSUS_Handle * GNUNET_CONSENSUS_create(const struct GNUNET_CONFIGURATION_Handle *cfg, unsigned int num_peers, const struct GNUNET_PeerIdentity *peers, const struct GNUNET_HashCode *session_id, struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Absolute deadline, GNUNET_CONSENSUS_ElementCallback new_element_cb, void *new_element_cls)
Create a consensus session.
gcry_mpi_t sigma
Sigma (exponentiated share) for this peer.
char w[GNUNET_CRYPTO_PAILLIER_BITS/8]
static float beta
Percentage of total peer number in the view to send random PULLs to.
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE
Establish a new session.
struct GNUNET_TIME_Absolute start
When should we start communicating for decryption?
uint16_t num_peers
Peers that have the share.
static gcry_mpi_t elgamal_q
The ElGamal prime field order as libgcrypt mpi.
struct GNUNET_SECRETSHARING_PublicKey public_key
Public key.
#define GNUNET_CRYPTO_PAILLIER_BITS
Size of paillier plain texts and public keys.
struct GNUNET_CRYPTO_EccSignaturePurpose purpose
uint32_t c2_bits[1024/8/sizeof(uint32_t)]
static void cleanup_task(void *cls)
Task run during shutdown.
static void * client_connect_cb(void *cls, struct GNUNET_SERVICE_Client *c, struct GNUNET_MQ_Handle *mq)
Callback called when a client connects to the service.
GNUNET_SERVICE_MAIN("secretsharing", GNUNET_SERVICE_OPTION_NONE, &run, &client_connect_cb, &client_disconnect_cb, NULL, GNUNET_MQ_hd_var_size(client_keygen, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE, struct GNUNET_SECRETSHARING_CreateMessage, NULL), GNUNET_MQ_hd_var_size(client_decrypt, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT, struct GNUNET_SECRETSHARING_DecryptRequestMessage, NULL), GNUNET_MQ_handler_end())
Define "main" method using service macro.
const char * GNUNET_i2s(const struct GNUNET_PeerIdentity *pid)
Convert a peer identity to a string (for printing debug messages).
#define GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2
Signature for the second round of distributed key generation.
void GNUNET_SERVICE_client_continue(struct GNUNET_SERVICE_Client *c)
Continue receiving further messages from the given client.
Definition: service.c:2243
struct ClientState * cs
Which client is this for?
struct GNUNET_SECRETSHARING_FieldElement partial_decryption
Partial decryption, computed as c_1^{s_i}.
static void horner_eval(gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t x, gcry_mpi_t m)
Evaluate the polynomial with coefficients coeff at x.
#define GNUNET_MQ_handler_end()
End-marker for the handlers array.
#define GNUNET_malloc(size)
Wrapper around malloc.
Notify the client that then threshold secret has been established.
struct GNUNET_SECRETSHARING_FieldElement nizk_commit2
Commitment for the non-interactive zero knowledge proof.
Session to cooperatively decrypt a value.
#define GNUNET_free(ptr)
Wrapper around free.
static int check_client_keygen(void *cls, const struct GNUNET_SECRETSHARING_CreateMessage *msg)
Check that msg is well-formed.
Consensus element data used in the first round of key generation.
uint16_t element_type
Application-specific element type.
struct GNUNET_CRYPTO_PaillierCiphertext c
struct GNUNET_CRYPTO_EddsaPublicKey public_key
#define GNUNET_SECRETSHARING_ELGAMAL_BITS
Number of bits for secretsharing elements.