GNUnet 0.21.1
gnunet-service-secretsharing.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2013 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
26#include "platform.h"
27#include "gnunet_util_lib.h"
28#include "gnunet_time_lib.h"
29#include "gnunet_signatures.h"
30#include "gnunet_consensus_service.h"
31#include "secretsharing.h"
32#include "secretsharing_protocol.h"
33#include <gcrypt.h>
34
35
36#define EXTRA_CHECKS 1
37
38
42struct KeygenPeerInfo
43{
47 struct GNUNET_PeerIdentity peer;
48
53 struct GNUNET_CRYPTO_PaillierPublicKey paillier_public_key;
54
58 gcry_mpi_t presecret_commitment;
59
64 gcry_mpi_t preshare_commitment;
65
69 gcry_mpi_t sigma;
70
75 int round1_valid;
76
81 int round2_valid;
82};
83
84
88struct DecryptPeerInfo
89{
93 struct GNUNET_PeerIdentity peer;
94
99 unsigned int original_index;
100
107 gcry_mpi_t partial_decryption;
108};
109
110
114struct ClientState;
115
116
120struct KeygenSession
121{
125 struct GNUNET_CONSENSUS_Handle *consensus;
126
130 struct ClientState *cs;
131
141 gcry_mpi_t *presecret_polynomial;
142
148 unsigned int threshold;
149
153 unsigned int num_peers;
154
158 unsigned int local_peer;
159
164 struct KeygenPeerInfo *info;
165
169 struct GNUNET_PeerIdentity *peers;
170
174 struct GNUNET_HashCode session_id;
175
179 struct GNUNET_CRYPTO_PaillierPrivateKey paillier_private_key;
180
184 struct GNUNET_TIME_Absolute deadline;
185
190 struct GNUNET_TIME_Absolute start_time;
191
196 unsigned int local_peer_idx;
197
202 gcry_mpi_t my_share;
203
207 gcry_mpi_t public_key;
208};
209
210
214struct DecryptSession
215{
219 struct GNUNET_CONSENSUS_Handle *consensus;
220
224 struct ClientState *cs;
225
229 struct GNUNET_TIME_Absolute start;
230
235 struct GNUNET_TIME_Absolute deadline;
236
240 struct GNUNET_SECRETSHARING_Ciphertext ciphertext;
241
247 struct GNUNET_SECRETSHARING_Share *share;
248
252 struct DecryptPeerInfo *info;
253};
254
255
259struct ClientState
260{
264 struct DecryptSession *decrypt_session;
265
269 struct KeygenSession *keygen_session;
270
274 struct GNUNET_SERVICE_Client *client;
275
279 struct GNUNET_MQ_Handle *mq;
280};
281
282
287static gcry_mpi_t elgamal_q;
288
293static gcry_mpi_t elgamal_p;
294
299static gcry_mpi_t elgamal_g;
300
304static struct GNUNET_PeerIdentity my_peer;
305
309static struct GNUNET_CRYPTO_EddsaPrivateKey *my_peer_private_key;
310
314static const struct GNUNET_CONFIGURATION_Handle *cfg;
315
316
324static struct KeygenPeerInfo *
325get_keygen_peer_info (const struct KeygenSession *ks,
326 const struct GNUNET_PeerIdentity *peer)
327{
328 unsigned int i;
329
330 for (i = 0; i < ks->num_peers; i++)
331 if (0 == GNUNET_memcmp (peer, &ks->info[i].peer))
332 return &ks->info[i];
333 return NULL;
334}
335
336
344static struct DecryptPeerInfo *
345get_decrypt_peer_info (const struct DecryptSession *ds,
346 const struct GNUNET_PeerIdentity *peer)
347{
348 unsigned int i;
349
350 for (i = 0; i < ds->share->num_peers; i++)
351 if (0 == GNUNET_memcmp (peer, &ds->info[i].peer))
352 return &ds->info[i];
353 return NULL;
354}
355
356
365static struct GNUNET_TIME_Absolute
366time_between (struct GNUNET_TIME_Absolute start,
367 struct GNUNET_TIME_Absolute end,
368 int num, int denum)
369{
370 struct GNUNET_TIME_Absolute result;
371 uint64_t diff;
372
373 GNUNET_assert (start.abs_value_us <= end.abs_value_us);
374 diff = end.abs_value_us - start.abs_value_us;
375 result.abs_value_us = start.abs_value_us + ((diff * num) / denum);
376
377 return result;
378}
379
380
388static int
389peer_id_cmp (const void *p1, const void *p2)
390{
391 return memcmp (p1,
392 p2,
393 sizeof(struct GNUNET_PeerIdentity));
394}
395
396
406static int
407peer_find (const struct GNUNET_PeerIdentity *haystack, unsigned int n,
408 const struct GNUNET_PeerIdentity *needle)
409{
410 unsigned int i;
411
412 for (i = 0; i < n; i++)
413 if (0 == GNUNET_memcmp (&haystack[i],
414 needle))
415 return i;
416 return -1;
417}
418
419
430static struct GNUNET_PeerIdentity *
431normalize_peers (struct GNUNET_PeerIdentity *listed,
432 unsigned int num_listed,
433 unsigned int *num_normalized,
434 unsigned int *my_peer_idx)
435{
436 unsigned int local_peer_in_list;
437 /* number of peers in the normalized list */
438 unsigned int n;
439 struct GNUNET_PeerIdentity *normalized;
440
441 local_peer_in_list = GNUNET_YES;
442 n = num_listed;
443 if (peer_find (listed, num_listed, &my_peer) < 0)
444 {
445 local_peer_in_list = GNUNET_NO;
446 n += 1;
447 }
448
449 normalized = GNUNET_new_array (n,
450 struct GNUNET_PeerIdentity);
451
452 if (GNUNET_NO == local_peer_in_list)
453 normalized[n - 1] = my_peer;
454
455 GNUNET_memcpy (normalized,
456 listed,
457 num_listed * sizeof(struct GNUNET_PeerIdentity));
458 qsort (normalized,
459 n,
460 sizeof(struct GNUNET_PeerIdentity),
461 &peer_id_cmp);
462
463 if (NULL != my_peer_idx)
464 *my_peer_idx = peer_find (normalized, n, &my_peer);
465 if (NULL != num_normalized)
466 *num_normalized = n;
467
468 return normalized;
469}
470
471
480static void
481compute_lagrange_coefficient (gcry_mpi_t coeff, unsigned int j,
482 unsigned int *indices,
483 unsigned int num)
484{
485 unsigned int i;
486 /* numerator */
487 gcry_mpi_t n;
488 /* denominator */
489 gcry_mpi_t d;
490 /* temp value for l-j */
491 gcry_mpi_t tmp;
492
493 GNUNET_assert (0 != coeff);
494
495 GNUNET_assert (0 != (n = gcry_mpi_new (0)));
496 GNUNET_assert (0 != (d = gcry_mpi_new (0)));
497 GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
498
499 gcry_mpi_set_ui (n, 1);
500 gcry_mpi_set_ui (d, 1);
501
502 for (i = 0; i < num; i++)
503 {
504 unsigned int l = indices[i];
505 if (l == j)
506 continue;
507 gcry_mpi_mul_ui (n, n, l + 1);
508 // d <- d * (l-j)
509 gcry_mpi_set_ui (tmp, l + 1);
510 gcry_mpi_sub_ui (tmp, tmp, j + 1);
511 gcry_mpi_mul (d, d, tmp);
512 }
513
514 // gcry_mpi_invm does not like negative numbers ...
515 gcry_mpi_mod (d, d, elgamal_q);
516
517 GNUNET_assert (gcry_mpi_cmp_ui (d, 0) > 0);
518
519 // now we do the actual division, with everything mod q, as we
520 // are not operating on elements from <g>, but on exponents
521 GNUNET_assert (0 != gcry_mpi_invm (d, d, elgamal_q));
522
523 gcry_mpi_mulm (coeff, n, d, elgamal_q);
524
525 gcry_mpi_release (n);
526 gcry_mpi_release (d);
527 gcry_mpi_release (tmp);
528}
529
530
537static void
538decrypt_session_destroy (struct DecryptSession *ds)
539{
540 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
541 "destroying decrypt session\n");
542 if (NULL != ds->cs)
543 {
544 ds->cs->decrypt_session = NULL;
545 ds->cs = NULL;
546 }
547 if (NULL != ds->consensus)
548 {
549 GNUNET_CONSENSUS_destroy (ds->consensus);
550 ds->consensus = NULL;
551 }
552
553 if (NULL != ds->info)
554 {
555 for (unsigned int i = 0; i < ds->share->num_peers; i++)
556 {
557 if (NULL != ds->info[i].partial_decryption)
558 {
559 gcry_mpi_release (ds->info[i].partial_decryption);
560 ds->info[i].partial_decryption = NULL;
561 }
562 }
563 GNUNET_free (ds->info);
564 ds->info = NULL;
565 }
566 if (NULL != ds->share)
567 {
568 GNUNET_SECRETSHARING_share_destroy (ds->share);
569 ds->share = NULL;
570 }
571
572 GNUNET_free (ds);
573}
574
575
576static void
577keygen_info_destroy (struct KeygenPeerInfo *info)
578{
579 if (NULL != info->sigma)
580 {
581 gcry_mpi_release (info->sigma);
582 info->sigma = NULL;
583 }
584 if (NULL != info->presecret_commitment)
585 {
586 gcry_mpi_release (info->presecret_commitment);
587 info->presecret_commitment = NULL;
588 }
589 if (NULL != info->preshare_commitment)
590 {
591 gcry_mpi_release (info->preshare_commitment);
592 info->preshare_commitment = NULL;
593 }
594}
595
596
597static void
598keygen_session_destroy (struct KeygenSession *ks)
599{
600 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
601 "destroying keygen session\n");
602
603 if (NULL != ks->cs)
604 {
605 ks->cs->keygen_session = NULL;
606 ks->cs = NULL;
607 }
608 if (NULL != ks->info)
609 {
610 for (unsigned int i = 0; i < ks->num_peers; i++)
611 keygen_info_destroy (&ks->info[i]);
612 GNUNET_free (ks->info);
613 ks->info = NULL;
614 }
615
616 if (NULL != ks->consensus)
617 {
618 GNUNET_CONSENSUS_destroy (ks->consensus);
619 ks->consensus = NULL;
620 }
621
622 if (NULL != ks->presecret_polynomial)
623 {
624 for (unsigned int i = 0; i < ks->threshold; i++)
625 {
626 GNUNET_assert (NULL != ks->presecret_polynomial[i]);
627 gcry_mpi_release (ks->presecret_polynomial[i]);
628 ks->presecret_polynomial[i] = NULL;
629 }
630 GNUNET_free (ks->presecret_polynomial);
631 ks->presecret_polynomial = NULL;
632 }
633 if (NULL != ks->my_share)
634 {
635 gcry_mpi_release (ks->my_share);
636 ks->my_share = NULL;
637 }
638 if (NULL != ks->public_key)
639 {
640 gcry_mpi_release (ks->public_key);
641 ks->public_key = NULL;
642 }
643 if (NULL != ks->peers)
644 {
645 GNUNET_free (ks->peers);
646 ks->peers = NULL;
647 }
648 GNUNET_free (ks);
649}
650
651
657static void
658cleanup_task (void *cls)
659{
660 /* Nothing to do! */
661}
662
663
669static void
670generate_presecret_polynomial (struct KeygenSession *ks)
671{
672 int i;
673 gcry_mpi_t v;
674
675 GNUNET_assert (NULL == ks->presecret_polynomial);
676 ks->presecret_polynomial = GNUNET_new_array (ks->threshold,
677 gcry_mpi_t);
678 for (i = 0; i < ks->threshold; i++)
679 {
680 v = ks->presecret_polynomial[i] = gcry_mpi_new (
681 GNUNET_SECRETSHARING_ELGAMAL_BITS);
682 GNUNET_assert (NULL != v);
683 // Randomize v such that 0 < v < elgamal_q.
684 // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
685 do
686 {
687 gcry_mpi_randomize (v, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
688 GCRY_WEAK_RANDOM);
689 }
690 while ((gcry_mpi_cmp_ui (v, 0) == 0) || (gcry_mpi_cmp (v, elgamal_q) >= 0));
691 }
692}
693
694
703static void
704keygen_round1_new_element (void *cls,
705 const struct GNUNET_SET_Element *element)
706{
707 const struct GNUNET_SECRETSHARING_KeygenCommitData *d;
708 struct KeygenSession *ks = cls;
709 struct KeygenPeerInfo *info;
710
711 if (NULL == element)
712 {
713 GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round1 consensus failed\n");
714 return;
715 }
716
717 /* elements have fixed size */
718 if (element->size != sizeof(struct GNUNET_SECRETSHARING_KeygenCommitData))
719 {
720 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
721 "keygen commit data with wrong size (%u) in consensus, %u expected\n",
722 (unsigned int) element->size,
723 (unsigned int) sizeof(struct
724 GNUNET_SECRETSHARING_KeygenCommitData));
725 return;
726 }
727
728 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round1 element\n");
729
730 d = element->data;
731 info = get_keygen_peer_info (ks, &d->peer);
732
733 if (NULL == info)
734 {
735 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
736 "keygen commit data with wrong peer identity (%s) in consensus\n",
737 GNUNET_i2s (&d->peer));
738 return;
739 }
740
741 /* Check that the right amount of data has been signed. */
742 if (d->purpose.size !=
743 htonl (element->size - offsetof (struct
744 GNUNET_SECRETSHARING_KeygenCommitData,
745 purpose)))
746 {
747 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
748 "keygen commit data with wrong signature purpose size in consensus\n");
749 return;
750 }
751
752 if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify_ (
753 GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1,
754 &d->purpose, &d->signature,
755 &d->peer.public_key))
756 {
757 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
758 "keygen commit data with invalid signature in consensus\n");
759 return;
760 }
761 info->paillier_public_key = d->pubkey;
762 GNUNET_CRYPTO_mpi_scan_unsigned (&info->presecret_commitment, &d->commitment,
763 512 / 8);
764 info->round1_valid = GNUNET_YES;
765}
766
767
778static void
779horner_eval (gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t
780 x, gcry_mpi_t m)
781{
782 unsigned int i;
783
784 gcry_mpi_set_ui (z, 0);
785 for (i = 0; i < num_coeff; i++)
786 {
787 // z <- zx + c
788 gcry_mpi_mul (z, z, x);
789 gcry_mpi_addm (z, z, coeff[num_coeff - i - 1], m);
790 }
791}
792
793
794static void
795keygen_round2_conclude (void *cls)
796{
797 struct KeygenSession *ks = cls;
798 struct GNUNET_SECRETSHARING_SecretReadyMessage *m;
799 struct GNUNET_MQ_Envelope *ev;
800 size_t share_size;
801 unsigned int i;
802 unsigned int j;
803 struct GNUNET_SECRETSHARING_Share *share;
804
805 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "round2 conclude\n");
806
807 GNUNET_CONSENSUS_destroy (ks->consensus);
808 ks->consensus = NULL;
809
810 share = GNUNET_new (struct GNUNET_SECRETSHARING_Share);
811
812 share->num_peers = 0;
813
814 for (i = 0; i < ks->num_peers; i++)
815 if (GNUNET_YES == ks->info[i].round2_valid)
816 share->num_peers++;
817
818 share->peers = GNUNET_new_array (share->num_peers,
819 struct GNUNET_PeerIdentity);
820 share->sigmas =
821 GNUNET_new_array (share->num_peers,
822 struct GNUNET_SECRETSHARING_FieldElement);
823 share->original_indices = GNUNET_new_array (share->num_peers,
824 uint16_t);
825
826 /* maybe we're not even in the list of peers? */
827 share->my_peer = share->num_peers;
828
829 j = 0; /* running index of valid peers */
830 for (i = 0; i < ks->num_peers; i++)
831 {
832 if (GNUNET_YES == ks->info[i].round2_valid)
833 {
834 share->peers[j] = ks->info[i].peer;
835 GNUNET_CRYPTO_mpi_print_unsigned (&share->sigmas[j],
836 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
837 ks->info[i].sigma);
838 share->original_indices[i] = j;
839 if (0 == GNUNET_memcmp (&share->peers[i], &my_peer))
840 share->my_peer = j;
841 j += 1;
842 }
843 }
844
845 if (share->my_peer == share->num_peers)
846 {
847 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "P%u: peer identity not in share\n",
848 ks->local_peer_idx);
849 }
850
851 GNUNET_CRYPTO_mpi_print_unsigned (&share->my_share,
852 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
853 ks->my_share);
854 GNUNET_CRYPTO_mpi_print_unsigned (&share->public_key,
855 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
856 ks->public_key);
857
858 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "keygen completed with %u peers\n",
859 share->num_peers);
860
861 /* Write the share. If 0 peers completed the dkg, an empty
862 * share will be sent. */
863
864 GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, NULL, 0,
865 &share_size));
866
867 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "writing share of size %u\n",
868 (unsigned int) share_size);
869
870 ev = GNUNET_MQ_msg_extra (m, share_size,
871 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY);
872
873 GNUNET_assert (GNUNET_OK == GNUNET_SECRETSHARING_share_write (share, &m[1],
874 share_size,
875 NULL));
876
877 GNUNET_SECRETSHARING_share_destroy (share);
878 share = NULL;
879
880 GNUNET_MQ_send (ks->cs->mq,
881 ev);
882}
883
884
885static void
886restore_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
887 const struct GNUNET_SECRETSHARING_FairEncryption *fe,
888 gcry_mpi_t x, gcry_mpi_t xres)
889{
890 gcry_mpi_t a_1;
891 gcry_mpi_t a_2;
892 gcry_mpi_t b_1;
893 gcry_mpi_t b_2;
894 gcry_mpi_t big_a;
895 gcry_mpi_t big_b;
896 gcry_mpi_t big_t;
897 gcry_mpi_t n;
898 gcry_mpi_t t_1;
899 gcry_mpi_t t_2;
900 gcry_mpi_t t;
901 gcry_mpi_t r;
902 gcry_mpi_t v;
903
904
905 GNUNET_assert (NULL != (n = gcry_mpi_new (0)));
906 GNUNET_assert (NULL != (t = gcry_mpi_new (0)));
907 GNUNET_assert (NULL != (t_1 = gcry_mpi_new (0)));
908 GNUNET_assert (NULL != (t_2 = gcry_mpi_new (0)));
909 GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
910 GNUNET_assert (NULL != (big_t = gcry_mpi_new (0)));
911 GNUNET_assert (NULL != (v = gcry_mpi_new (0)));
912 GNUNET_assert (NULL != (big_a = gcry_mpi_new (0)));
913 GNUNET_assert (NULL != (big_b = gcry_mpi_new (0)));
914
915 // a = (N,0)^T
916 GNUNET_CRYPTO_mpi_scan_unsigned (&a_1,
917 ppub,
918 sizeof(struct
919 GNUNET_CRYPTO_PaillierPublicKey));
920 GNUNET_assert (NULL != (a_2 = gcry_mpi_new (0)));
921 gcry_mpi_set_ui (a_2, 0);
922 // b = (x,1)^T
923 GNUNET_assert (NULL != (b_1 = gcry_mpi_new (0)));
924 gcry_mpi_set (b_1, x);
925 GNUNET_assert (NULL != (b_2 = gcry_mpi_new (0)));
926 gcry_mpi_set_ui (b_2, 1);
927
928 // A = a DOT a
929 gcry_mpi_mul (t, a_1, a_1);
930 gcry_mpi_mul (big_a, a_2, a_2);
931 gcry_mpi_add (big_a, big_a, t);
932
933 // B = b DOT b
934 gcry_mpi_mul (t, b_1, b_1);
935 gcry_mpi_mul (big_b, b_2, b_2);
936 gcry_mpi_add (big_b, big_b, t);
937
938 while (1)
939 {
940 // n = a DOT b
941 gcry_mpi_mul (t, a_1, b_1);
942 gcry_mpi_mul (n, a_2, b_2);
943 gcry_mpi_add (n, n, t);
944
945 // r = nearest(n/B)
946 gcry_mpi_div (r, NULL, n, big_b, 0);
947
948 // T := A - 2rn + rrB
949 gcry_mpi_mul (v, r, n);
950 gcry_mpi_mul_ui (v, v, 2);
951 gcry_mpi_sub (big_t, big_a, v);
952 gcry_mpi_mul (v, r, r);
953 gcry_mpi_mul (v, v, big_b);
954 gcry_mpi_add (big_t, big_t, v);
955
956 if (gcry_mpi_cmp (big_t, big_b) >= 0)
957 {
958 break;
959 }
960
961 // t = a - rb
962 gcry_mpi_mul (v, r, b_1);
963 gcry_mpi_sub (t_1, a_1, v);
964 gcry_mpi_mul (v, r, b_2);
965 gcry_mpi_sub (t_2, a_2, v);
966
967 // a = b
968 gcry_mpi_set (a_1, b_1);
969 gcry_mpi_set (a_2, b_2);
970 // b = t
971 gcry_mpi_set (b_1, t_1);
972 gcry_mpi_set (b_2, t_2);
973
974 gcry_mpi_set (big_a, big_b);
975 gcry_mpi_set (big_b, big_t);
976 }
977
978 gcry_mpi_set (xres, b_2);
979 gcry_mpi_invm (xres, xres, elgamal_q);
980 gcry_mpi_mulm (xres, xres, b_1, elgamal_q);
981
982 gcry_mpi_release (a_1);
983 gcry_mpi_release (a_2);
984 gcry_mpi_release (b_1);
985 gcry_mpi_release (b_2);
986 gcry_mpi_release (big_a);
987 gcry_mpi_release (big_b);
988 gcry_mpi_release (big_t);
989 gcry_mpi_release (n);
990 gcry_mpi_release (t_1);
991 gcry_mpi_release (t_2);
992 gcry_mpi_release (t);
993 gcry_mpi_release (r);
994 gcry_mpi_release (v);
995}
996
997
998static void
999get_fair_encryption_challenge (const struct
1000 GNUNET_SECRETSHARING_FairEncryption *fe,
1001 gcry_mpi_t *e)
1002{
1003 struct
1004 {
1005 struct GNUNET_CRYPTO_PaillierCiphertext c;
1006 char h[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1007 char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1008 char t2[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
1009 } hash_data;
1010 struct GNUNET_HashCode e_hash;
1011
1012 memset (&hash_data,
1013 0,
1014 sizeof(hash_data));
1015 GNUNET_memcpy (&hash_data.c, &fe->c, sizeof(struct
1016 GNUNET_CRYPTO_PaillierCiphertext));
1017 GNUNET_memcpy (&hash_data.h, &fe->h, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1018 GNUNET_memcpy (&hash_data.t1, &fe->t1, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1019 GNUNET_memcpy (&hash_data.t2, &fe->t2, GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
1020 GNUNET_CRYPTO_hash (&hash_data,
1021 sizeof(hash_data),
1022 &e_hash);
1023 /* This allocates "e" */
1024 GNUNET_CRYPTO_mpi_scan_unsigned (e,
1025 &e_hash,
1026 sizeof(struct GNUNET_HashCode));
1027 gcry_mpi_mod (*e, *e, elgamal_q);
1028}
1029
1030
1031static int
1032verify_fair (const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
1033 const struct GNUNET_SECRETSHARING_FairEncryption *fe)
1034{
1035 gcry_mpi_t n;
1036 gcry_mpi_t n_sq;
1037 gcry_mpi_t z;
1038 gcry_mpi_t t1;
1039 gcry_mpi_t t2;
1040 gcry_mpi_t e;
1041 gcry_mpi_t w;
1042 gcry_mpi_t tmp1;
1043 gcry_mpi_t tmp2;
1044 gcry_mpi_t y;
1045 gcry_mpi_t big_y;
1046 int res;
1047
1048 GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
1049 GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
1050 GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
1051
1052 get_fair_encryption_challenge (fe,
1053 &e /* this allocates e */);
1054
1055 GNUNET_CRYPTO_mpi_scan_unsigned (&n,
1056 ppub,
1057 sizeof(struct
1058 GNUNET_CRYPTO_PaillierPublicKey));
1059 GNUNET_CRYPTO_mpi_scan_unsigned (&t1, fe->t1, GNUNET_CRYPTO_PAILLIER_BITS
1060 / 8);
1061 GNUNET_CRYPTO_mpi_scan_unsigned (&z, fe->z,
1062 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1063 GNUNET_CRYPTO_mpi_scan_unsigned (&y, fe->h,
1064 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1065 GNUNET_CRYPTO_mpi_scan_unsigned (&w, fe->w, GNUNET_CRYPTO_PAILLIER_BITS / 8);
1066 GNUNET_CRYPTO_mpi_scan_unsigned (&big_y, fe->c.bits,
1067 GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8);
1068 GNUNET_CRYPTO_mpi_scan_unsigned (&t2, fe->t2, GNUNET_CRYPTO_PAILLIER_BITS
1069 * 2 / 8);
1070 gcry_mpi_mul (n_sq, n, n);
1071
1072 // tmp1 = g^z
1073 gcry_mpi_powm (tmp1, elgamal_g, z, elgamal_p);
1074 // tmp2 = y^{-e}
1075 gcry_mpi_powm (tmp1, y, e, elgamal_p);
1076 gcry_mpi_invm (tmp1, tmp1, elgamal_p);
1077 // tmp1 = tmp1 * tmp2
1078 gcry_mpi_mulm (tmp1, tmp1, tmp2, elgamal_p);
1079
1080 if (0 == gcry_mpi_cmp (t1, tmp1))
1081 {
1082 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t1)\n");
1083 res = GNUNET_NO;
1084 goto cleanup;
1085 }
1086
1087 gcry_mpi_powm (big_y, big_y, e, n_sq);
1088 gcry_mpi_invm (big_y, big_y, n_sq);
1089
1090 gcry_mpi_add_ui (tmp1, n, 1);
1091 gcry_mpi_powm (tmp1, tmp1, z, n_sq);
1092
1093 gcry_mpi_powm (tmp2, w, n, n_sq);
1094
1095 gcry_mpi_mulm (tmp1, tmp1, tmp2, n_sq);
1096 gcry_mpi_mulm (tmp1, tmp1, big_y, n_sq);
1097
1098
1099 if (0 == gcry_mpi_cmp (t2, tmp1))
1100 {
1101 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "fair encryption invalid (t2)\n");
1102 res = GNUNET_NO;
1103 goto cleanup;
1104 }
1105
1106 res = GNUNET_YES;
1107
1108cleanup:
1109
1110 gcry_mpi_release (n);
1111 gcry_mpi_release (n_sq);
1112 gcry_mpi_release (z);
1113 gcry_mpi_release (t1);
1114 gcry_mpi_release (t2);
1115 gcry_mpi_release (e);
1116 gcry_mpi_release (w);
1117 gcry_mpi_release (tmp1);
1118 gcry_mpi_release (tmp2);
1119 gcry_mpi_release (y);
1120 gcry_mpi_release (big_y);
1121 return res;
1122}
1123
1124
1131static void
1132encrypt_fair (gcry_mpi_t v,
1133 const struct GNUNET_CRYPTO_PaillierPublicKey *ppub,
1134 struct GNUNET_SECRETSHARING_FairEncryption *fe)
1135{
1136 gcry_mpi_t r;
1137 gcry_mpi_t s;
1138 gcry_mpi_t t1;
1139 gcry_mpi_t t2;
1140 gcry_mpi_t z;
1141 gcry_mpi_t w;
1142 gcry_mpi_t n;
1143 gcry_mpi_t e;
1144 gcry_mpi_t n_sq;
1145 gcry_mpi_t u;
1146 gcry_mpi_t Y;
1147 gcry_mpi_t G;
1148 gcry_mpi_t h;
1149
1150 GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
1151 GNUNET_assert (NULL != (s = gcry_mpi_new (0)));
1152 GNUNET_assert (NULL != (t1 = gcry_mpi_new (0)));
1153 GNUNET_assert (NULL != (t2 = gcry_mpi_new (0)));
1154 GNUNET_assert (NULL != (z = gcry_mpi_new (0)));
1155 GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
1156 GNUNET_assert (NULL != (n_sq = gcry_mpi_new (0)));
1157 GNUNET_assert (NULL != (u = gcry_mpi_new (0)));
1158 GNUNET_assert (NULL != (Y = gcry_mpi_new (0)));
1159 GNUNET_assert (NULL != (G = gcry_mpi_new (0)));
1160 GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
1161
1162 GNUNET_CRYPTO_mpi_scan_unsigned (&n,
1163 ppub,
1164 sizeof(struct
1165 GNUNET_CRYPTO_PaillierPublicKey));
1166 gcry_mpi_mul (n_sq, n, n);
1167 gcry_mpi_add_ui (G, n, 1);
1168
1169 do
1170 {
1171 gcry_mpi_randomize (u, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
1172 }
1173 while (gcry_mpi_cmp (u, n) >= 0);
1174
1175 gcry_mpi_powm (t1, G, v, n_sq);
1176 gcry_mpi_powm (t2, u, n, n_sq);
1177 gcry_mpi_mulm (Y, t1, t2, n_sq);
1178
1179 GNUNET_CRYPTO_mpi_print_unsigned (fe->c.bits,
1180 sizeof fe->c.bits,
1181 Y);
1182
1183
1184 gcry_mpi_randomize (r, 2048, GCRY_WEAK_RANDOM);
1185 do
1186 {
1187 gcry_mpi_randomize (s, GNUNET_CRYPTO_PAILLIER_BITS, GCRY_WEAK_RANDOM);
1188 }
1189 while (gcry_mpi_cmp (s, n) >= 0);
1190
1191 // compute t1
1192 gcry_mpi_mulm (t1, elgamal_g, r, elgamal_p);
1193 // compute t2 (use z and w as temp)
1194 gcry_mpi_powm (z, G, r, n_sq);
1195 gcry_mpi_powm (w, s, n, n_sq);
1196 gcry_mpi_mulm (t2, z, w, n_sq);
1197
1198
1199 gcry_mpi_powm (h, elgamal_g, v, elgamal_p);
1200
1201 GNUNET_CRYPTO_mpi_print_unsigned (fe->h,
1202 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1203 h);
1204
1205 GNUNET_CRYPTO_mpi_print_unsigned (fe->t1,
1206 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1207 t1);
1208
1209 GNUNET_CRYPTO_mpi_print_unsigned (fe->t2,
1210 GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8,
1211 t2);
1212
1213 get_fair_encryption_challenge (fe,
1214 &e /* This allocates "e" */);
1215
1216 // compute z
1217 gcry_mpi_mul (z, e, v);
1218 gcry_mpi_addm (z, z, r, elgamal_q);
1219 // compute w
1220 gcry_mpi_powm (w, u, e, n);
1221 gcry_mpi_mulm (w, w, s, n);
1222
1223 GNUNET_CRYPTO_mpi_print_unsigned (fe->z,
1224 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1225 z);
1226
1227 GNUNET_CRYPTO_mpi_print_unsigned (fe->w,
1228 GNUNET_CRYPTO_PAILLIER_BITS / 8,
1229 w);
1230
1231 gcry_mpi_release (n);
1232 gcry_mpi_release (r);
1233 gcry_mpi_release (s);
1234 gcry_mpi_release (t1);
1235 gcry_mpi_release (t2);
1236 gcry_mpi_release (z);
1237 gcry_mpi_release (w);
1238 gcry_mpi_release (e);
1239 gcry_mpi_release (n_sq);
1240 gcry_mpi_release (u);
1241 gcry_mpi_release (Y);
1242 gcry_mpi_release (G);
1243 gcry_mpi_release (h);
1244}
1245
1246
1257static void
1258insert_round2_element (struct KeygenSession *ks)
1259{
1260 struct GNUNET_SET_Element *element;
1261 struct GNUNET_SECRETSHARING_KeygenRevealData *d;
1262 unsigned char *pos;
1263 unsigned char *last_pos;
1264 size_t element_size;
1265 unsigned int i;
1266 gcry_mpi_t idx;
1267 gcry_mpi_t v;
1268
1269 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting round2 element\n",
1270 ks->local_peer_idx);
1271
1272 GNUNET_assert (NULL != (v = gcry_mpi_new (
1273 GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1274 GNUNET_assert (NULL != (idx = gcry_mpi_new (
1275 GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1276
1277 element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
1278 + sizeof(struct GNUNET_SECRETSHARING_FairEncryption)
1279 * ks->num_peers
1280 + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * ks->threshold);
1281
1282 element = GNUNET_malloc (sizeof(struct GNUNET_SET_Element) + element_size);
1283 element->size = element_size;
1284 element->data = (void *) &element[1];
1285
1286 d = (void *) element->data;
1287 d->peer = my_peer;
1288
1289 // start inserting vector elements
1290 // after the fixed part of the element's data
1291 pos = (void *) &d[1];
1292 last_pos = pos + element_size;
1293
1294 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp preshares\n",
1295 ks->local_peer_idx);
1296
1297 // encrypted pre-shares
1298 // and fair encryption proof
1299 {
1300 for (i = 0; i < ks->num_peers; i++)
1301 {
1302 ptrdiff_t remaining = last_pos - pos;
1303 struct GNUNET_SECRETSHARING_FairEncryption *fe = (void *) pos;
1304
1305 GNUNET_assert (remaining > 0);
1306 memset (fe, 0, sizeof *fe);
1307 if (GNUNET_YES == ks->info[i].round1_valid)
1308 {
1309 gcry_mpi_set_ui (idx, i + 1);
1310 // evaluate the polynomial
1311 horner_eval (v, ks->presecret_polynomial, ks->threshold, idx,
1312 elgamal_q);
1313 // encrypt the result
1314 encrypt_fair (v, &ks->info[i].paillier_public_key, fe);
1315 }
1316 pos += sizeof *fe;
1317 }
1318 }
1319
1320 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed enc preshares\n",
1321 ks->local_peer_idx);
1322
1323 // exponentiated coefficients
1324 for (i = 0; i < ks->threshold; i++)
1325 {
1326 ptrdiff_t remaining = last_pos - pos;
1327 GNUNET_assert (remaining > 0);
1328 gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[i], elgamal_p);
1329 GNUNET_CRYPTO_mpi_print_unsigned (pos, GNUNET_SECRETSHARING_ELGAMAL_BITS
1330 / 8, v);
1331 pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8;
1332 }
1333
1334 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: computed exp coefficients\n",
1335 ks->local_peer_idx);
1336
1337
1338 d->purpose.size = htonl (element_size - offsetof (struct
1339 GNUNET_SECRETSHARING_KeygenRevealData,
1340 purpose));
1341 d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2);
1342 GNUNET_assert (GNUNET_OK ==
1343 GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key,
1344 &d->purpose,
1345 &d->signature));
1346
1347 GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
1348 GNUNET_free (element); /* FIXME: maybe stack-allocate instead? */
1349
1350 gcry_mpi_release (v);
1351 gcry_mpi_release (idx);
1352}
1353
1354
1355static gcry_mpi_t
1356keygen_reveal_get_exp_coeff (struct KeygenSession *ks,
1357 const struct
1358 GNUNET_SECRETSHARING_KeygenRevealData *d,
1359 unsigned int idx)
1360{
1361 unsigned char *pos;
1362 gcry_mpi_t exp_coeff;
1363
1364 GNUNET_assert (idx < ks->threshold);
1365
1366 pos = (void *) &d[1];
1367 // skip encrypted pre-shares
1368 pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * ks->num_peers;
1369 // skip exp. coeffs we are not interested in
1370 pos += GNUNET_SECRETSHARING_ELGAMAL_BITS / 8 * idx;
1371 // the first exponentiated coefficient is the public key share
1372 GNUNET_CRYPTO_mpi_scan_unsigned (&exp_coeff, pos,
1373 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1374 return exp_coeff;
1375}
1376
1377
1378static struct GNUNET_SECRETSHARING_FairEncryption *
1379keygen_reveal_get_enc_preshare (struct KeygenSession *ks,
1380 const struct
1381 GNUNET_SECRETSHARING_KeygenRevealData *d,
1382 unsigned int idx)
1383{
1384 unsigned char *pos;
1385
1386 GNUNET_assert (idx < ks->num_peers);
1387
1388 pos = (void *) &d[1];
1389 // skip encrypted pre-shares we're not interested in
1390 pos += sizeof(struct GNUNET_SECRETSHARING_FairEncryption) * idx;
1391 return (struct GNUNET_SECRETSHARING_FairEncryption *) pos;
1392}
1393
1394
1395static gcry_mpi_t
1396keygen_reveal_get_exp_preshare (struct KeygenSession *ks,
1397 const struct
1398 GNUNET_SECRETSHARING_KeygenRevealData *d,
1399 unsigned int idx)
1400{
1401 gcry_mpi_t exp_preshare;
1402 struct GNUNET_SECRETSHARING_FairEncryption *fe;
1403
1404 GNUNET_assert (idx < ks->num_peers);
1405 fe = keygen_reveal_get_enc_preshare (ks, d, idx);
1406 GNUNET_CRYPTO_mpi_scan_unsigned (&exp_preshare, fe->h,
1407 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1408 return exp_preshare;
1409}
1410
1411
1412static void
1413keygen_round2_new_element (void *cls,
1414 const struct GNUNET_SET_Element *element)
1415{
1416 struct KeygenSession *ks = cls;
1417 const struct GNUNET_SECRETSHARING_KeygenRevealData *d;
1418 struct KeygenPeerInfo *info;
1419 size_t expected_element_size;
1420 unsigned int j;
1421 int cmp_result;
1422 gcry_mpi_t tmp;
1423 gcry_mpi_t public_key_share;
1424 gcry_mpi_t preshare;
1425
1426 if (NULL == element)
1427 {
1428 GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "round2 consensus failed\n");
1429 return;
1430 }
1431
1432 expected_element_size = (sizeof(struct GNUNET_SECRETSHARING_KeygenRevealData)
1433 + sizeof(struct
1434 GNUNET_SECRETSHARING_FairEncryption)
1435 * ks->num_peers
1436 + GNUNET_SECRETSHARING_ELGAMAL_BITS / 8
1437 * ks->threshold);
1438
1439 if (element->size != expected_element_size)
1440 {
1441 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1442 "keygen round2 data with wrong size (%u) in consensus, %u expected\n",
1443 (unsigned int) element->size,
1444 (unsigned int) expected_element_size);
1445 return;
1446 }
1447
1448 d = (const void *) element->data;
1449
1450 info = get_keygen_peer_info (ks, &d->peer);
1451
1452 if (NULL == info)
1453 {
1454 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1455 "keygen commit data with wrong peer identity (%s) in consensus\n",
1456 GNUNET_i2s (&d->peer));
1457 return;
1458 }
1459
1460 if (GNUNET_NO == info->round1_valid)
1461 {
1462 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1463 "ignoring round2 element from peer with invalid round1 element (%s)\n",
1464 GNUNET_i2s (&d->peer));
1465 return;
1466 }
1467
1468 if (GNUNET_YES == info->round2_valid)
1469 {
1470 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1471 "ignoring duplicate round2 element (%s)\n",
1472 GNUNET_i2s (&d->peer));
1473 return;
1474 }
1475
1476 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "got round2 element\n");
1477
1478 if (ntohl (d->purpose.size) !=
1479 element->size - offsetof (struct GNUNET_SECRETSHARING_KeygenRevealData,
1480 purpose))
1481 {
1482 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1483 "keygen reveal data with wrong signature purpose size in consensus\n");
1484 return;
1485 }
1486
1487 if (GNUNET_OK != GNUNET_CRYPTO_eddsa_verify_ (
1488 GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2,
1489 &d->purpose, &d->signature,
1490 &d->peer.public_key))
1491 {
1492 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1493 "keygen reveal data with invalid signature in consensus\n");
1494 return;
1495 }
1496
1497 public_key_share = keygen_reveal_get_exp_coeff (ks, d, 0);
1498 info->preshare_commitment = keygen_reveal_get_exp_preshare (ks, d,
1499 ks->local_peer_idx);
1500
1501 if (NULL == ks->public_key)
1502 {
1503 GNUNET_assert (NULL != (ks->public_key = gcry_mpi_new (0)));
1504 gcry_mpi_set_ui (ks->public_key, 1);
1505 }
1506 gcry_mpi_mulm (ks->public_key, ks->public_key, public_key_share, elgamal_p);
1507
1508 gcry_mpi_release (public_key_share);
1509 public_key_share = NULL;
1510
1511 {
1512 struct GNUNET_SECRETSHARING_FairEncryption *fe =
1513 keygen_reveal_get_enc_preshare (ks, d, ks->local_peer_idx);
1514 GNUNET_assert (NULL != (preshare = gcry_mpi_new (0)));
1515 GNUNET_CRYPTO_paillier_decrypt (&ks->paillier_private_key,
1516 &ks->info[ks->local_peer_idx].
1517 paillier_public_key,
1518 &fe->c,
1519 preshare);
1520
1521 // FIXME: not doing the restoration is less expensive
1522 restore_fair (&ks->info[ks->local_peer_idx].paillier_public_key,
1523 fe,
1524 preshare,
1525 preshare);
1526 }
1527
1528 GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
1529 gcry_mpi_powm (tmp, elgamal_g, preshare, elgamal_p);
1530
1531 cmp_result = gcry_mpi_cmp (tmp, info->preshare_commitment);
1532 gcry_mpi_release (tmp);
1533 tmp = NULL;
1534 if (0 != cmp_result)
1535 {
1536 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1537 "P%u: Got invalid presecret from P%u\n",
1538 (unsigned int) ks->local_peer_idx, (unsigned int) (info
1539 - ks->info));
1540 return;
1541 }
1542
1543 if (NULL == ks->my_share)
1544 {
1545 GNUNET_assert (NULL != (ks->my_share = gcry_mpi_new (0)));
1546 }
1547 gcry_mpi_addm (ks->my_share, ks->my_share, preshare, elgamal_q);
1548
1549 for (j = 0; j < ks->num_peers; j++)
1550 {
1551 gcry_mpi_t presigma;
1552 if (NULL == ks->info[j].sigma)
1553 {
1554 GNUNET_assert (NULL != (ks->info[j].sigma = gcry_mpi_new (0)));
1555 gcry_mpi_set_ui (ks->info[j].sigma, 1);
1556 }
1557 presigma = keygen_reveal_get_exp_preshare (ks, d, j);
1558 gcry_mpi_mulm (ks->info[j].sigma, ks->info[j].sigma, presigma, elgamal_p);
1559 gcry_mpi_release (presigma);
1560 }
1561
1562 gcry_mpi_t prod;
1563 GNUNET_assert (NULL != (prod = gcry_mpi_new (0)));
1564 gcry_mpi_t j_to_k;
1565 GNUNET_assert (NULL != (j_to_k = gcry_mpi_new (0)));
1566 // validate that the polynomial sharing matches the additive sharing
1567 for (j = 0; j < ks->num_peers; j++)
1568 {
1569 unsigned int k;
1570 int cmp_result;
1571 gcry_mpi_t exp_preshare;
1572 gcry_mpi_set_ui (prod, 1);
1573 for (k = 0; k < ks->threshold; k++)
1574 {
1575 // Using pow(double,double) is a bit sketchy.
1576 // We count players from 1, but shares from 0.
1577 gcry_mpi_t tmp;
1578 gcry_mpi_set_ui (j_to_k, (unsigned int) pow (j + 1, k));
1579 tmp = keygen_reveal_get_exp_coeff (ks, d, k);
1580 gcry_mpi_powm (tmp, tmp, j_to_k, elgamal_p);
1581 gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
1582 gcry_mpi_release (tmp);
1583 }
1584 exp_preshare = keygen_reveal_get_exp_preshare (ks, d, j);
1585 gcry_mpi_mod (exp_preshare, exp_preshare, elgamal_p);
1586 cmp_result = gcry_mpi_cmp (prod, exp_preshare);
1587 gcry_mpi_release (exp_preshare);
1588 exp_preshare = NULL;
1589 if (0 != cmp_result)
1590 {
1591 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1592 "P%u: reveal data from P%u incorrect\n",
1593 ks->local_peer_idx, j);
1594 /* no need for further verification, round2 stays invalid ... */
1595 return;
1596 }
1597 }
1598
1599 // TODO: verify proof of fair encryption (once implemented)
1600 for (j = 0; j < ks->num_peers; j++)
1601 {
1602 struct GNUNET_SECRETSHARING_FairEncryption *fe =
1603 keygen_reveal_get_enc_preshare (ks, d, j);
1604 if (GNUNET_YES != verify_fair (&ks->info[j].paillier_public_key, fe))
1605 {
1606 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1607 "P%u: reveal data from P%u incorrect (fair encryption)\n",
1608 ks->local_peer_idx, j);
1609 return;
1610 }
1611 }
1612
1613 info->round2_valid = GNUNET_YES;
1614
1615 gcry_mpi_release (preshare);
1616 gcry_mpi_release (prod);
1617 gcry_mpi_release (j_to_k);
1618}
1619
1620
1627static void
1628keygen_round1_conclude (void *cls)
1629{
1630 struct KeygenSession *ks = cls;
1631
1632 GNUNET_CONSENSUS_destroy (ks->consensus);
1633
1634 ks->consensus = GNUNET_CONSENSUS_create (cfg, ks->num_peers, ks->peers,
1635 &ks->session_id,
1636 time_between (ks->start_time,
1637 ks->deadline, 1, 2),
1638 ks->deadline,
1639 keygen_round2_new_element, ks);
1640
1641 insert_round2_element (ks);
1642
1643 GNUNET_CONSENSUS_conclude (ks->consensus,
1644 keygen_round2_conclude,
1645 ks);
1646}
1647
1648
1655static void
1656insert_round1_element (struct KeygenSession *ks)
1657{
1658 struct GNUNET_SET_Element *element;
1659 struct GNUNET_SECRETSHARING_KeygenCommitData *d;
1660 // g^a_{i,0}
1661 gcry_mpi_t v;
1662 // big-endian representation of 'v'
1663 unsigned char v_data[GNUNET_SECRETSHARING_ELGAMAL_BITS / 8];
1664
1665 element = GNUNET_malloc (sizeof *element + sizeof *d);
1666 d = (void *) &element[1];
1667 element->data = d;
1668 element->size = sizeof *d;
1669
1670 d->peer = my_peer;
1671
1672 GNUNET_assert (0 != (v = gcry_mpi_new (GNUNET_SECRETSHARING_ELGAMAL_BITS)));
1673
1674 gcry_mpi_powm (v, elgamal_g, ks->presecret_polynomial[0], elgamal_p);
1675
1676 GNUNET_CRYPTO_mpi_print_unsigned (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS
1677 / 8, v);
1678
1679 GNUNET_CRYPTO_hash (v_data, GNUNET_SECRETSHARING_ELGAMAL_BITS / 8,
1680 &d->commitment);
1681
1682 d->pubkey = ks->info[ks->local_peer_idx].paillier_public_key;
1683
1684 d->purpose.size = htonl ((sizeof *d) - offsetof (struct
1685 GNUNET_SECRETSHARING_KeygenCommitData,
1686 purpose));
1687 d->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1);
1688 GNUNET_assert (GNUNET_OK ==
1689 GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key,
1690 &d->purpose,
1691 &d->signature));
1692
1693 GNUNET_CONSENSUS_insert (ks->consensus, element, NULL, NULL);
1694
1695 gcry_mpi_release (v);
1696 GNUNET_free (element);
1697}
1698
1699
1707static int
1708check_client_keygen (void *cls,
1709 const struct GNUNET_SECRETSHARING_CreateMessage *msg)
1710{
1711 unsigned int num_peers = ntohs (msg->num_peers);
1712
1713 if (ntohs (msg->header.size) - sizeof(*msg) !=
1714 num_peers * sizeof(struct GNUNET_PeerIdentity))
1715 {
1716 GNUNET_break (0);
1717 return GNUNET_SYSERR;
1718 }
1719 return GNUNET_OK;
1720}
1721
1722
1730static void
1731handle_client_keygen (void *cls,
1732 const struct GNUNET_SECRETSHARING_CreateMessage *msg)
1733{
1734 struct ClientState *cs = cls;
1735 struct KeygenSession *ks;
1736
1737 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1738 "client requested key generation\n");
1739 if (NULL != cs->keygen_session)
1740 {
1741 GNUNET_break (0);
1742 GNUNET_SERVICE_client_drop (cs->client);
1743 return;
1744 }
1745 ks = GNUNET_new (struct KeygenSession);
1746 ks->cs = cs;
1747 cs->keygen_session = ks;
1748 ks->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline);
1749 ks->threshold = ntohs (msg->threshold);
1750 ks->num_peers = ntohs (msg->num_peers);
1751
1752 ks->peers = normalize_peers ((struct GNUNET_PeerIdentity *) &msg[1],
1753 ks->num_peers,
1754 &ks->num_peers,
1755 &ks->local_peer_idx);
1756
1757
1758 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1759 "first round of consensus with %u peers\n",
1760 ks->num_peers);
1761 ks->consensus = GNUNET_CONSENSUS_create (cfg,
1762 ks->num_peers,
1763 ks->peers,
1764 &msg->session_id,
1765 GNUNET_TIME_absolute_ntoh (
1766 msg->start),
1767 GNUNET_TIME_absolute_ntoh (
1768 msg->deadline),
1769 keygen_round1_new_element,
1770 ks);
1771
1772 ks->info = GNUNET_new_array (ks->num_peers,
1773 struct KeygenPeerInfo);
1774
1775 for (unsigned int i = 0; i < ks->num_peers; i++)
1776 ks->info[i].peer = ks->peers[i];
1777
1778 GNUNET_CRYPTO_paillier_create (
1779 &ks->info[ks->local_peer_idx].paillier_public_key,
1780 &ks->paillier_private_key);
1781
1782 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1783 "P%u: Generated paillier key pair\n",
1784 ks->local_peer_idx);
1785 generate_presecret_polynomial (ks);
1786 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1787 "P%u: Generated presecret polynomial\n",
1788 ks->local_peer_idx);
1789 insert_round1_element (ks);
1790 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1791 "P%u: Concluding for round 1\n",
1792 ks->local_peer_idx);
1793 GNUNET_CONSENSUS_conclude (ks->consensus,
1794 keygen_round1_conclude,
1795 ks);
1796 GNUNET_SERVICE_client_continue (cs->client);
1797 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1798 "P%u: Waiting for round 1 elements ...\n",
1799 ks->local_peer_idx);
1800}
1801
1802
1806static void
1807decrypt_conclude (void *cls)
1808{
1809 struct DecryptSession *ds = cls;
1810 struct GNUNET_SECRETSHARING_DecryptResponseMessage *msg;
1811 struct GNUNET_MQ_Envelope *ev;
1812 gcry_mpi_t lagrange;
1813 gcry_mpi_t m;
1814 gcry_mpi_t tmp;
1815 gcry_mpi_t c_2;
1816 gcry_mpi_t prod;
1817 unsigned int *indices;
1818 unsigned int num;
1819 unsigned int i;
1820 unsigned int j;
1821
1822 GNUNET_CONSENSUS_destroy (ds->consensus);
1823 ds->consensus = NULL;
1824
1825 GNUNET_assert (0 != (lagrange = gcry_mpi_new (0)));
1826 GNUNET_assert (0 != (m = gcry_mpi_new (0)));
1827 GNUNET_assert (0 != (tmp = gcry_mpi_new (0)));
1828 GNUNET_assert (0 != (prod = gcry_mpi_new (0)));
1829
1830 num = 0;
1831 for (i = 0; i < ds->share->num_peers; i++)
1832 if (NULL != ds->info[i].partial_decryption)
1833 num++;
1834
1835 indices = GNUNET_new_array (num,
1836 unsigned int);
1837 j = 0;
1838 for (i = 0; i < ds->share->num_peers; i++)
1839 if (NULL != ds->info[i].partial_decryption)
1840 indices[j++] = ds->info[i].original_index;
1841
1842 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1843 "P%u: decrypt conclude, with %u peers\n",
1844 ds->share->my_peer,
1845 num);
1846
1847 gcry_mpi_set_ui (prod, 1);
1848 for (i = 0; i < num; i++)
1849 {
1850 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1851 "P%u: index of %u: %u\n",
1852 ds->share->my_peer, i, indices[i]);
1853 compute_lagrange_coefficient (lagrange, indices[i], indices, num);
1854 // w_i^{\lambda_i}
1855 gcry_mpi_powm (tmp, ds->info[indices[i]].partial_decryption, lagrange,
1856 elgamal_p);
1857
1858 // product of all exponentiated partiel decryptions ...
1859 gcry_mpi_mulm (prod, prod, tmp, elgamal_p);
1860 }
1861
1862 GNUNET_CRYPTO_mpi_scan_unsigned (&c_2, ds->ciphertext.c2_bits,
1863 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
1864
1865 GNUNET_assert (0 != gcry_mpi_invm (prod, prod, elgamal_p));
1866 gcry_mpi_mulm (m, c_2, prod, elgamal_p);
1867 ev = GNUNET_MQ_msg (msg,
1868 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE);
1869 GNUNET_CRYPTO_mpi_print_unsigned (&msg->plaintext,
1870 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, m);
1871 msg->success = htonl (1);
1872 GNUNET_MQ_send (ds->cs->mq,
1873 ev);
1874
1875 GNUNET_log (GNUNET_ERROR_TYPE_INFO, "sent decrypt done to client\n");
1876
1877 GNUNET_free (indices);
1878
1879 gcry_mpi_release (lagrange);
1880 gcry_mpi_release (m);
1881 gcry_mpi_release (tmp);
1882 gcry_mpi_release (prod);
1883 gcry_mpi_release (c_2);
1884
1885 // FIXME: what if not enough peers participated?
1886}
1887
1888
1896static char *
1897mpi_to_str (gcry_mpi_t mpi)
1898{
1899 unsigned char *buf;
1900
1901 GNUNET_assert (0 == gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buf, NULL, mpi));
1902 return (char *) buf;
1903}
1904
1905
1909static void
1910decrypt_new_element (void *cls,
1911 const struct GNUNET_SET_Element *element)
1912{
1913 struct DecryptSession *session = cls;
1914 const struct GNUNET_SECRETSHARING_DecryptData *d;
1915 struct DecryptPeerInfo *info;
1916 struct GNUNET_HashCode challenge_hash;
1917
1918 /* nizk response */
1919 gcry_mpi_t r;
1920 /* nizk challenge */
1921 gcry_mpi_t challenge;
1922 /* nizk commit1, g^\beta */
1923 gcry_mpi_t commit1;
1924 /* nizk commit2, c_1^\beta */
1925 gcry_mpi_t commit2;
1926 /* homomorphic commitment to the peer's share,
1927 * public key share */
1928 gcry_mpi_t sigma;
1929 /* partial decryption we received */
1930 gcry_mpi_t w;
1931 /* ciphertext component #1 */
1932 gcry_mpi_t c1;
1933 /* temporary variable (for comparison) #1 */
1934 gcry_mpi_t tmp1;
1935 /* temporary variable (for comparison) #2 */
1936 gcry_mpi_t tmp2;
1937
1938 if (NULL == element)
1939 {
1940 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decryption failed\n");
1941 /* FIXME: destroy */
1942 return;
1943 }
1944
1945 if (element->size != sizeof *d)
1946 {
1947 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1948 "element of wrong size in decrypt consensus\n");
1949 return;
1950 }
1951
1952 d = element->data;
1953
1954 info = get_decrypt_peer_info (session, &d->peer);
1955
1956 if (NULL == info)
1957 {
1958 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1959 "decrypt element from invalid peer (%s)\n",
1960 GNUNET_i2s (&d->peer));
1961 return;
1962 }
1963
1964 if (NULL != info->partial_decryption)
1965 {
1966 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "decrypt element duplicate\n");
1967 return;
1968 }
1969
1970 if (0 != GNUNET_memcmp (&d->ciphertext, &session->ciphertext))
1971 {
1972 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1973 "P%u: got decrypt element with non-matching ciphertext from P%u\n",
1974 (unsigned int) session->share->my_peer, (unsigned int) (info
1975 -
1976 session
1977 ->info));
1978
1979 return;
1980 }
1981
1982
1983 GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1984 ciphertext) + (char *) d,
1985 offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1986 nizk_response)
1987 - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
1988 ciphertext),
1989 &challenge_hash);
1990
1991 GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
1992 sizeof(struct GNUNET_HashCode));
1993
1994 GNUNET_CRYPTO_mpi_scan_unsigned (&sigma, &session->share->sigmas[info
1995 - session->
1996 info],
1997 sizeof(struct
1998 GNUNET_SECRETSHARING_FieldElement));
1999
2000 GNUNET_CRYPTO_mpi_scan_unsigned (&c1, session->ciphertext.c1_bits,
2001 sizeof(struct
2002 GNUNET_SECRETSHARING_FieldElement));
2003
2004 GNUNET_CRYPTO_mpi_scan_unsigned (&commit1, &d->nizk_commit1,
2005 sizeof(struct
2006 GNUNET_SECRETSHARING_FieldElement));
2007
2008 GNUNET_CRYPTO_mpi_scan_unsigned (&commit2, &d->nizk_commit2,
2009 sizeof(struct
2010 GNUNET_SECRETSHARING_FieldElement));
2011
2012 GNUNET_CRYPTO_mpi_scan_unsigned (&r, &d->nizk_response,
2013 sizeof(struct
2014 GNUNET_SECRETSHARING_FieldElement));
2015
2016 GNUNET_CRYPTO_mpi_scan_unsigned (&w, &d->partial_decryption,
2017 sizeof(struct
2018 GNUNET_SECRETSHARING_FieldElement));
2019
2020 GNUNET_assert (NULL != (tmp1 = gcry_mpi_new (0)));
2021 GNUNET_assert (NULL != (tmp2 = gcry_mpi_new (0)));
2022
2023 // tmp1 = g^r
2024 gcry_mpi_powm (tmp1, elgamal_g, r, elgamal_p);
2025
2026 // tmp2 = g^\beta * \sigma^challenge
2027 gcry_mpi_powm (tmp2, sigma, challenge, elgamal_p);
2028 gcry_mpi_mulm (tmp2, tmp2, commit1, elgamal_p);
2029
2030 if (0 != gcry_mpi_cmp (tmp1, tmp2))
2031 {
2032 char *tmp1_str;
2033 char *tmp2_str;
2034
2035 tmp1_str = mpi_to_str (tmp1);
2036 tmp2_str = mpi_to_str (tmp2);
2037 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2038 "P%u: Received invalid partial decryption from P%u (eqn 1), expected %s got %s\n",
2039 session->share->my_peer,
2040 (unsigned int) (info - session->info),
2041 tmp1_str,
2042 tmp2_str);
2043 GNUNET_free (tmp1_str);
2044 GNUNET_free (tmp2_str);
2045 goto cleanup;
2046 }
2047
2048
2049 gcry_mpi_powm (tmp1, c1, r, elgamal_p);
2050
2051 gcry_mpi_powm (tmp2, w, challenge, elgamal_p);
2052 gcry_mpi_mulm (tmp2, tmp2, commit2, elgamal_p);
2053
2054
2055 if (0 != gcry_mpi_cmp (tmp1, tmp2))
2056 {
2057 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2058 "P%u: Received invalid partial decryption from P%u (eqn 2)\n",
2059 session->share->my_peer,
2060 (unsigned int) (info - session->info));
2061 goto cleanup;
2062 }
2063
2064
2065 GNUNET_CRYPTO_mpi_scan_unsigned (&info->partial_decryption,
2066 &d->partial_decryption,
2067 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2068cleanup:
2069 gcry_mpi_release (tmp1);
2070 gcry_mpi_release (tmp2);
2071 gcry_mpi_release (sigma);
2072 gcry_mpi_release (commit1);
2073 gcry_mpi_release (commit2);
2074 gcry_mpi_release (r);
2075 gcry_mpi_release (w);
2076 gcry_mpi_release (challenge);
2077 gcry_mpi_release (c1);
2078}
2079
2080
2081static void
2082insert_decrypt_element (struct DecryptSession *ds)
2083{
2084 struct GNUNET_SECRETSHARING_DecryptData d;
2085 struct GNUNET_SET_Element element;
2086 /* our share */
2087 gcry_mpi_t s;
2088 /* partial decryption with our share */
2089 gcry_mpi_t w;
2090 /* first component of the elgamal ciphertext */
2091 gcry_mpi_t c1;
2092 /* nonce for dlog zkp */
2093 gcry_mpi_t beta;
2094 gcry_mpi_t tmp;
2095 gcry_mpi_t challenge;
2096 gcry_mpi_t sigma;
2097 struct GNUNET_HashCode challenge_hash;
2098
2099 /* make vagrind happy until we implement the real deal ... */
2100 memset (&d, 0, sizeof d);
2101
2102 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "P%u: Inserting decrypt element\n",
2103 ds->share->my_peer);
2104
2105 GNUNET_assert (ds->share->my_peer < ds->share->num_peers);
2106
2107 GNUNET_CRYPTO_mpi_scan_unsigned (&c1, &ds->ciphertext.c1_bits,
2108 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2109 GNUNET_CRYPTO_mpi_scan_unsigned (&s, &ds->share->my_share,
2110 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2111 GNUNET_CRYPTO_mpi_scan_unsigned (&sigma,
2112 &ds->share->sigmas[ds->share->my_peer],
2113 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8);
2114
2115 GNUNET_assert (NULL != (w = gcry_mpi_new (0)));
2116 GNUNET_assert (NULL != (beta = gcry_mpi_new (0)));
2117 GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
2118
2119 // FIXME: unnecessary, remove once crypto works
2120 gcry_mpi_powm (tmp, elgamal_g, s, elgamal_p);
2121 if (0 != gcry_mpi_cmp (tmp, sigma))
2122 {
2123 char *sigma_str = mpi_to_str (sigma);
2124 char *tmp_str = mpi_to_str (tmp);
2125 char *s_str = mpi_to_str (s);
2126 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2127 "Share of P%u is invalid, ref sigma %s, "
2128 "computed sigma %s, s %s\n",
2129 ds->share->my_peer,
2130 sigma_str, tmp_str, s_str);
2131 GNUNET_free (sigma_str);
2132 GNUNET_free (tmp_str);
2133 GNUNET_free (s_str);
2134 }
2135
2136 gcry_mpi_powm (w, c1, s, elgamal_p);
2137
2138 element.data = (void *) &d;
2139 element.size = sizeof(struct GNUNET_SECRETSHARING_DecryptData);
2140 element.element_type = 0;
2141
2142 d.ciphertext = ds->ciphertext;
2143 d.peer = my_peer;
2144 GNUNET_CRYPTO_mpi_print_unsigned (&d.partial_decryption,
2145 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, w);
2146
2147 // create the zero knowledge proof
2148 // randomly choose beta such that 0 < beta < q
2149 do
2150 {
2151 gcry_mpi_randomize (beta, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
2152 GCRY_WEAK_RANDOM);
2153 }
2154 while ((gcry_mpi_cmp_ui (beta, 0) == 0) || (gcry_mpi_cmp (beta, elgamal_q) >=
2155 0));
2156 // tmp = g^beta
2157 gcry_mpi_powm (tmp, elgamal_g, beta, elgamal_p);
2158 GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit1,
2159 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
2160 // tmp = (c_1)^beta
2161 gcry_mpi_powm (tmp, c1, beta, elgamal_p);
2162 GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_commit2,
2163 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
2164
2165 // the challenge is the hash of everything up to the response
2166 GNUNET_CRYPTO_hash (offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2167 ciphertext) + (char *) &d,
2168 offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2169 nizk_response)
2170 - offsetof (struct GNUNET_SECRETSHARING_DecryptData,
2171 ciphertext),
2172 &challenge_hash);
2173
2174 GNUNET_CRYPTO_mpi_scan_unsigned (&challenge, &challenge_hash,
2175 sizeof(struct GNUNET_HashCode));
2176
2177 // compute the response in tmp,
2178 // tmp = (c * s + beta) mod q
2179 gcry_mpi_mulm (tmp, challenge, s, elgamal_q);
2180 gcry_mpi_addm (tmp, tmp, beta, elgamal_q);
2181
2182 GNUNET_CRYPTO_mpi_print_unsigned (&d.nizk_response,
2183 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
2184
2185 d.purpose.size = htonl (element.size - offsetof (struct
2186 GNUNET_SECRETSHARING_DecryptData,
2187 purpose));
2188 d.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION);
2189
2190 GNUNET_assert (GNUNET_OK ==
2191 GNUNET_CRYPTO_eddsa_sign_ (my_peer_private_key,
2192 &d.purpose,
2193 &d.signature));
2194
2195 GNUNET_CONSENSUS_insert (ds->consensus, &element, NULL, NULL);
2196 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2197 "P%u: Inserting decrypt element done!\n",
2198 ds->share->my_peer);
2199
2200 gcry_mpi_release (s);
2201 gcry_mpi_release (w);
2202 gcry_mpi_release (c1);
2203 gcry_mpi_release (beta);
2204 gcry_mpi_release (tmp);
2205 gcry_mpi_release (challenge);
2206 gcry_mpi_release (sigma);
2207}
2208
2209
2217static int
2218check_client_decrypt (void *cls,
2219 const struct
2220 GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
2221{
2222 /* we check later, it's complicated */
2223 return GNUNET_OK;
2224}
2225
2226
2234static void
2235handle_client_decrypt (void *cls,
2236 const struct
2237 GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
2238{
2239 struct ClientState *cs = cls;
2240 struct DecryptSession *ds;
2241 struct GNUNET_HashCode session_id;
2242
2243 if (NULL != cs->decrypt_session)
2244 {
2245 GNUNET_break (0);
2246 GNUNET_SERVICE_client_drop (cs->client);
2247 return;
2248 }
2249 ds = GNUNET_new (struct DecryptSession);
2250 cs->decrypt_session = ds;
2251 ds->cs = cs;
2252 ds->start = GNUNET_TIME_absolute_ntoh (msg->start);
2253 ds->deadline = GNUNET_TIME_absolute_ntoh (msg->deadline);
2254 ds->ciphertext = msg->ciphertext;
2255
2256 ds->share = GNUNET_SECRETSHARING_share_read (&msg[1],
2257 ntohs (msg->header.size)
2258 - sizeof(*msg),
2259 NULL);
2260 if (NULL == ds->share)
2261 {
2262 GNUNET_break (0);
2263 GNUNET_SERVICE_client_drop (cs->client);
2264 return;
2265 }
2266
2267 /* FIXME: this is probably sufficient, but kdf/hash with all values would be nicer ... */
2268 GNUNET_CRYPTO_hash (&msg->ciphertext,
2269 sizeof(struct GNUNET_SECRETSHARING_Ciphertext),
2270 &session_id);
2271 ds->consensus = GNUNET_CONSENSUS_create (cfg,
2272 ds->share->num_peers,
2273 ds->share->peers,
2274 &session_id,
2275 ds->start,
2276 ds->deadline,
2277 &decrypt_new_element,
2278 ds);
2279
2280
2281 ds->info = GNUNET_new_array (ds->share->num_peers,
2282 struct DecryptPeerInfo);
2283 for (unsigned int i = 0; i < ds->share->num_peers; i++)
2284 {
2285 ds->info[i].peer = ds->share->peers[i];
2286 ds->info[i].original_index = ds->share->original_indices[i];
2287 }
2288 insert_decrypt_element (ds);
2289 GNUNET_CONSENSUS_conclude (ds->consensus,
2290 decrypt_conclude,
2291 ds);
2292 GNUNET_SERVICE_client_continue (cs->client);
2293 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
2294 "decrypting with %u peers\n",
2295 ds->share->num_peers);
2296}
2297
2298
2299static void
2300init_crypto_constants (void)
2301{
2302 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
2303 GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0,
2304 NULL));
2305 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
2306 GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0,
2307 NULL));
2308 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
2309 GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0,
2310 NULL));
2311}
2312
2313
2321static void
2322run (void *cls,
2323 const struct GNUNET_CONFIGURATION_Handle *c,
2324 struct GNUNET_SERVICE_Handle *service)
2325{
2326 cfg = c;
2327 my_peer_private_key = GNUNET_CRYPTO_eddsa_key_create_from_configuration (c);
2328 if (NULL == my_peer_private_key)
2329 {
2330 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2331 "could not access host private key\n");
2332 GNUNET_break (0);
2333 GNUNET_SCHEDULER_shutdown ();
2334 return;
2335 }
2336 init_crypto_constants ();
2337 if (GNUNET_OK !=
2338 GNUNET_CRYPTO_get_peer_identity (cfg,
2339 &my_peer))
2340 {
2341 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2342 "could not retrieve host identity\n");
2343 GNUNET_break (0);
2344 GNUNET_SCHEDULER_shutdown ();
2345 return;
2346 }
2347 GNUNET_SCHEDULER_add_shutdown (&cleanup_task,
2348 NULL);
2349}
2350
2351
2360static void *
2361client_connect_cb (void *cls,
2362 struct GNUNET_SERVICE_Client *c,
2363 struct GNUNET_MQ_Handle *mq)
2364{
2365 struct ClientState *cs = GNUNET_new (struct ClientState);;
2366
2367 cs->client = c;
2368 cs->mq = mq;
2369 return cs;
2370}
2371
2372
2380static void
2381client_disconnect_cb (void *cls,
2382 struct GNUNET_SERVICE_Client *c,
2383 void *internal_cls)
2384{
2385 struct ClientState *cs = internal_cls;
2386
2387 if (NULL != cs->keygen_session)
2388 keygen_session_destroy (cs->keygen_session);
2389
2390 if (NULL != cs->decrypt_session)
2391 decrypt_session_destroy (cs->decrypt_session);
2392 GNUNET_free (cs);
2393}
2394
2395
2399GNUNET_SERVICE_MAIN
2400 ("secretsharing",
2401 GNUNET_SERVICE_OPTION_NONE,
2402 &run,
2403 &client_connect_cb,
2404 &client_disconnect_cb,
2405 NULL,
2406 GNUNET_MQ_hd_var_size (client_keygen,
2407 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE,
2408 struct GNUNET_SECRETSHARING_CreateMessage,
2409 NULL),
2410 GNUNET_MQ_hd_var_size (client_decrypt,
2411 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT,
2412 struct GNUNET_SECRETSHARING_DecryptRequestMessage,
2413 NULL),
2414 GNUNET_MQ_handler_end ());
mq
struct GNUNET_MQ_Handle * mq
Definition: 003.c:5
msg
struct GNUNET_MessageHeader * msg
Definition: 005.c:2
d
static mp_limb_t d[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:192
u
static mp_limb_t u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:190
m
static struct GNUNET_ARM_MonitorHandle * m
Monitor connection with ARM.
Definition: gnunet-arm.c:104
h
static struct GNUNET_ARM_Handle * h
Connection with ARM.
Definition: gnunet-arm.c:99
start
static int start
Set if we are to start default services (including ARM).
Definition: gnunet-arm.c:39
end
static int end
Set if we are to shutdown all services (including ARM).
Definition: gnunet-arm.c:34
cleanup
static void cleanup(void *cls)
Disconnect and shutdown.
Definition: gnunet-did.c:131
res
static char * res
Currently read line or NULL on EOF.
Definition: gnunet-namestore-zonefile.c:76
ds
static struct GNUNET_FS_DirScanner * ds
Handle to the directory scanner (for recursive insertions).
Definition: gnunet-publish.c:131
result
static int result
Global testing status.
Definition: gnunet-regex-profiler.c:240
info
#define info
service
static struct GNUNET_SERVICE_Handle * service
Handle to our service instance.
Definition: gnunet-service-arm.c:274
beta
static float beta
Percentage of total peer number in the view to send random PULLs to.
Definition: gnunet-service-rps.c:494
check_client_decrypt
static int check_client_decrypt(void *cls, const struct GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
Check that msg is well-formed.
Definition: gnunet-service-secretsharing.c:2218
keygen_round2_new_element
static void keygen_round2_new_element(void *cls, const struct GNUNET_SET_Element *element)
Definition: gnunet-service-secretsharing.c:1413
keygen_session_destroy
static void keygen_session_destroy(struct KeygenSession *ks)
Definition: gnunet-service-secretsharing.c:598
restore_fair
static void restore_fair(const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, const struct GNUNET_SECRETSHARING_FairEncryption *fe, gcry_mpi_t x, gcry_mpi_t xres)
Definition: gnunet-service-secretsharing.c:886
horner_eval
static void horner_eval(gcry_mpi_t z, gcry_mpi_t *coeff, unsigned int num_coeff, gcry_mpi_t x, gcry_mpi_t m)
Evaluate the polynomial with coefficients coeff at x.
Definition: gnunet-service-secretsharing.c:779
get_decrypt_peer_info
static struct DecryptPeerInfo * get_decrypt_peer_info(const struct DecryptSession *ds, const struct GNUNET_PeerIdentity *peer)
Get the peer info belonging to a peer identity in a decrypt session.
Definition: gnunet-service-secretsharing.c:345
insert_decrypt_element
static void insert_decrypt_element(struct DecryptSession *ds)
Definition: gnunet-service-secretsharing.c:2082
keygen_round1_conclude
static void keygen_round1_conclude(void *cls)
Called when the first consensus round has concluded.
Definition: gnunet-service-secretsharing.c:1628
decrypt_conclude
static void decrypt_conclude(void *cls)
Called when the partial decryption consensus concludes.
Definition: gnunet-service-secretsharing.c:1807
handle_client_keygen
static void handle_client_keygen(void *cls, const struct GNUNET_SECRETSHARING_CreateMessage *msg)
Functions with this signature are called whenever a message is received.
Definition: gnunet-service-secretsharing.c:1731
check_client_keygen
static int check_client_keygen(void *cls, const struct GNUNET_SECRETSHARING_CreateMessage *msg)
Check that msg is well-formed.
Definition: gnunet-service-secretsharing.c:1708
insert_round2_element
static void insert_round2_element(struct KeygenSession *ks)
Insert round 2 element in the consensus, consisting of (1) The exponentiated pre-share polynomial coe...
Definition: gnunet-service-secretsharing.c:1258
my_peer_private_key
static struct GNUNET_CRYPTO_EddsaPrivateKey * my_peer_private_key
Peer that runs this service.
Definition: gnunet-service-secretsharing.c:309
elgamal_q
static gcry_mpi_t elgamal_q
The ElGamal prime field order as libgcrypt mpi.
Definition: gnunet-service-secretsharing.c:287
GNUNET_SERVICE_MAIN
GNUNET_SERVICE_MAIN("secretsharing", GNUNET_SERVICE_OPTION_NONE, &run, &client_connect_cb, &client_disconnect_cb, NULL, GNUNET_MQ_hd_var_size(client_keygen, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE, struct GNUNET_SECRETSHARING_CreateMessage, NULL), GNUNET_MQ_hd_var_size(client_decrypt, GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT, struct GNUNET_SECRETSHARING_DecryptRequestMessage, NULL), GNUNET_MQ_handler_end())
Define "main" method using service macro.
handle_client_decrypt
static void handle_client_decrypt(void *cls, const struct GNUNET_SECRETSHARING_DecryptRequestMessage *msg)
Functions with this signature are called whenever a message is received.
Definition: gnunet-service-secretsharing.c:2235
keygen_info_destroy
static void keygen_info_destroy(struct KeygenPeerInfo *info)
Definition: gnunet-service-secretsharing.c:577
cfg
static const struct GNUNET_CONFIGURATION_Handle * cfg
Configuration of this service.
Definition: gnunet-service-secretsharing.c:314
peer_id_cmp
static int peer_id_cmp(const void *p1, const void *p2)
Compare two peer identities.
Definition: gnunet-service-secretsharing.c:389
normalize_peers
static struct GNUNET_PeerIdentity * normalize_peers(struct GNUNET_PeerIdentity *listed, unsigned int num_listed, unsigned int *num_normalized, unsigned int *my_peer_idx)
Normalize the given list of peers, by including the local peer (if it is missing) and sorting the pee...
Definition: gnunet-service-secretsharing.c:431
time_between
static struct GNUNET_TIME_Absolute time_between(struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Absolute end, int num, int denum)
Interpolate between two points in time.
Definition: gnunet-service-secretsharing.c:366
cleanup_task
static void cleanup_task(void *cls)
Task run during shutdown.
Definition: gnunet-service-secretsharing.c:658
peer_find
static int peer_find(const struct GNUNET_PeerIdentity *haystack, unsigned int n, const struct GNUNET_PeerIdentity *needle)
Get the index of a peer in an array of peers.
Definition: gnunet-service-secretsharing.c:407
generate_presecret_polynomial
static void generate_presecret_polynomial(struct KeygenSession *ks)
Generate the random coefficients of our pre-secret polynomial.
Definition: gnunet-service-secretsharing.c:670
keygen_reveal_get_exp_coeff
static gcry_mpi_t keygen_reveal_get_exp_coeff(struct KeygenSession *ks, const struct GNUNET_SECRETSHARING_KeygenRevealData *d, unsigned int idx)
Definition: gnunet-service-secretsharing.c:1356
get_keygen_peer_info
static struct KeygenPeerInfo * get_keygen_peer_info(const struct KeygenSession *ks, const struct GNUNET_PeerIdentity *peer)
Get the peer info belonging to a peer identity in a keygen session.
Definition: gnunet-service-secretsharing.c:325
decrypt_new_element
static void decrypt_new_element(void *cls, const struct GNUNET_SET_Element *element)
Called when a new partial decryption arrives.
Definition: gnunet-service-secretsharing.c:1910
run
static void run(void *cls, const struct GNUNET_CONFIGURATION_Handle *c, struct GNUNET_SERVICE_Handle *service)
Initialize secretsharing service.
Definition: gnunet-service-secretsharing.c:2322
elgamal_g
static gcry_mpi_t elgamal_g
Generator for prime field of order 'elgamal_q'.
Definition: gnunet-service-secretsharing.c:299
elgamal_p
static gcry_mpi_t elgamal_p
Modulus of the prime field used for ElGamal.
Definition: gnunet-service-secretsharing.c:293
insert_round1_element
static void insert_round1_element(struct KeygenSession *ks)
Insert the ephemeral key and the presecret commitment of this peer in the consensus of the given sess...
Definition: gnunet-service-secretsharing.c:1656
keygen_reveal_get_exp_preshare
static gcry_mpi_t keygen_reveal_get_exp_preshare(struct KeygenSession *ks, const struct GNUNET_SECRETSHARING_KeygenRevealData *d, unsigned int idx)
Definition: gnunet-service-secretsharing.c:1396
compute_lagrange_coefficient
static void compute_lagrange_coefficient(gcry_mpi_t coeff, unsigned int j, unsigned int *indices, unsigned int num)
Get a the j-th lagrange coefficient for a set of indices.
Definition: gnunet-service-secretsharing.c:481
decrypt_session_destroy
static void decrypt_session_destroy(struct DecryptSession *ds)
Destroy a decrypt session, removing it from the linked list of decrypt sessions.
Definition: gnunet-service-secretsharing.c:538
client_connect_cb
static void * client_connect_cb(void *cls, struct GNUNET_SERVICE_Client *c, struct GNUNET_MQ_Handle *mq)
Callback called when a client connects to the service.
Definition: gnunet-service-secretsharing.c:2361
client_disconnect_cb
static void client_disconnect_cb(void *cls, struct GNUNET_SERVICE_Client *c, void *internal_cls)
Callback called when a client disconnected from the service.
Definition: gnunet-service-secretsharing.c:2381
init_crypto_constants
static void init_crypto_constants(void)
Definition: gnunet-service-secretsharing.c:2300
keygen_round1_new_element
static void keygen_round1_new_element(void *cls, const struct GNUNET_SET_Element *element)
Consensus element handler for round one.
Definition: gnunet-service-secretsharing.c:704
mpi_to_str
static char * mpi_to_str(gcry_mpi_t mpi)
Get a string representation of an MPI.
Definition: gnunet-service-secretsharing.c:1897
keygen_reveal_get_enc_preshare
static struct GNUNET_SECRETSHARING_FairEncryption * keygen_reveal_get_enc_preshare(struct KeygenSession *ks, const struct GNUNET_SECRETSHARING_KeygenRevealData *d, unsigned int idx)
Definition: gnunet-service-secretsharing.c:1379
encrypt_fair
static void encrypt_fair(gcry_mpi_t v, const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, struct GNUNET_SECRETSHARING_FairEncryption *fe)
Create a fair Paillier encryption of then given ciphertext.
Definition: gnunet-service-secretsharing.c:1132
keygen_round2_conclude
static void keygen_round2_conclude(void *cls)
Definition: gnunet-service-secretsharing.c:795
my_peer
static struct GNUNET_PeerIdentity my_peer
Peer that runs this service.
Definition: gnunet-service-secretsharing.c:304
verify_fair
static int verify_fair(const struct GNUNET_CRYPTO_PaillierPublicKey *ppub, const struct GNUNET_SECRETSHARING_FairEncryption *fe)
Definition: gnunet-service-secretsharing.c:1032
get_fair_encryption_challenge
static void get_fair_encryption_challenge(const struct GNUNET_SECRETSHARING_FairEncryption *fe, gcry_mpi_t *e)
Definition: gnunet-service-secretsharing.c:999
t
static struct GNUNET_SCHEDULER_Task * t
Main task.
Definition: gnunet-zoneimport.c:293
gnunet_consensus_service.h
Multi-peer set reconciliation.
num_peers
static unsigned int num_peers
Number of peers.
Definition: gnunet_dht_profiler.c:168
gnunet_time_lib.h
Functions related to time.
gnunet_util_lib.h
GNUNET_CONSENSUS_destroy
void GNUNET_CONSENSUS_destroy(struct GNUNET_CONSENSUS_Handle *consensus)
Destroy a consensus handle (free all state associated with it, no longer call any of the callbacks).
Definition: consensus_api.c:335
GNUNET_CONSENSUS_insert
void GNUNET_CONSENSUS_insert(struct GNUNET_CONSENSUS_Handle *consensus, const struct GNUNET_SET_Element *element, GNUNET_CONSENSUS_InsertDoneCallback idc, void *idc_cls)
Insert an element in the set being reconsiled.
Definition: consensus_api.c:273
GNUNET_CONSENSUS_create
struct GNUNET_CONSENSUS_Handle * GNUNET_CONSENSUS_create(const struct GNUNET_CONFIGURATION_Handle *cfg, unsigned int num_peers, const struct GNUNET_PeerIdentity *peers, const struct GNUNET_HashCode *session_id, struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Absolute deadline, GNUNET_CONSENSUS_ElementCallback new_element_cb, void *new_element_cls)
Create a consensus session.
Definition: consensus_api.c:196
GNUNET_CONSENSUS_conclude
void GNUNET_CONSENSUS_conclude(struct GNUNET_CONSENSUS_Handle *consensus, GNUNET_CONSENSUS_ConcludeCallback conclude, void *conclude_cls)
We are done with inserting new elements into the consensus; try to conclude the consensus within a gi...
Definition: consensus_api.c:311
GNUNET_CRYPTO_eddsa_sign_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_sign_(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EddsaSignature *sig)
EdDSA sign a given block.
Definition: crypto_ecc.c:607
GNUNET_CRYPTO_eddsa_verify_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EddsaSignature *sig, const struct GNUNET_CRYPTO_EddsaPublicKey *pub)
Verify EdDSA signature.
Definition: crypto_ecc.c:690
GNUNET_CRYPTO_get_peer_identity
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_get_peer_identity(const struct GNUNET_CONFIGURATION_Handle *cfg, struct GNUNET_PeerIdentity *dst)
Retrieve the identity of the host's peer.
Definition: crypto_ecc_setup.c:274
GNUNET_CRYPTO_eddsa_key_create_from_configuration
struct GNUNET_CRYPTO_EddsaPrivateKey * GNUNET_CRYPTO_eddsa_key_create_from_configuration(const struct GNUNET_CONFIGURATION_Handle *cfg)
Create a new private key by reading our peer's key from the file specified in the configuration.
Definition: crypto_ecc_setup.c:247
GNUNET_CRYPTO_hash
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition: crypto_hash.c:41
GNUNET_CRYPTO_mpi_scan_unsigned
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
Definition: crypto_mpi.c:132
GNUNET_log
#define GNUNET_log(kind,...)
Definition: gnunet_common.h:562
GNUNET_CRYPTO_PAILLIER_BITS
#define GNUNET_CRYPTO_PAILLIER_BITS
Size of paillier plain texts and public keys.
Definition: gnunet_crypto_lib.h:519
GNUNET_CRYPTO_mpi_print_unsigned
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
Definition: crypto_mpi.c:79
GNUNET_CRYPTO_paillier_create
void GNUNET_CRYPTO_paillier_create(struct GNUNET_CRYPTO_PaillierPublicKey *public_key, struct GNUNET_CRYPTO_PaillierPrivateKey *private_key)
Create a freshly generated paillier public key.
Definition: crypto_paillier.c:40
GNUNET_memcmp
#define GNUNET_memcmp(a, b)
Compare memory in a and b, where both must be of the same pointer type.
Definition: gnunet_common.h:1218
GNUNET_memcpy
#define GNUNET_memcpy(dst, src, n)
Call memcpy() but check for n being 0 first.
Definition: gnunet_common.h:1288
GNUNET_CRYPTO_paillier_decrypt
void GNUNET_CRYPTO_paillier_decrypt(const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key, const struct GNUNET_CRYPTO_PaillierPublicKey *public_key, const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext, gcry_mpi_t m)
Decrypt a paillier ciphertext with a private key.
Definition: crypto_paillier.c:328
GNUNET_OK
@ GNUNET_OK
Definition: gnunet_common.h:109
GNUNET_YES
@ GNUNET_YES
Definition: gnunet_common.h:111
GNUNET_NO
@ GNUNET_NO
Definition: gnunet_common.h:108
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition: gnunet_common.h:107
GNUNET_i2s
const char * GNUNET_i2s(const struct GNUNET_PeerIdentity *pid)
Convert a peer identity to a string (for printing debug messages).
Definition: common_logging.c:1307
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:937
GNUNET_break
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
Definition: gnunet_common.h:1018
GNUNET_ERROR_TYPE_WARNING
@ GNUNET_ERROR_TYPE_WARNING
Definition: gnunet_common.h:432
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition: gnunet_common.h:431
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition: gnunet_common.h:438
GNUNET_ERROR_TYPE_INFO
@ GNUNET_ERROR_TYPE_INFO
Definition: gnunet_common.h:437
GNUNET_new
#define GNUNET_new(type)
Allocate a struct or union of the given type.
Definition: gnunet_common.h:1208
GNUNET_malloc
#define GNUNET_malloc(size)
Wrapper around malloc.
Definition: gnunet_common.h:1346
GNUNET_new_array
#define GNUNET_new_array(n, type)
Allocate a size n array with structs or unions of the given type.
Definition: gnunet_common.h:1307
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition: gnunet_common.h:1406
GNUNET_MQ_send
void GNUNET_MQ_send(struct GNUNET_MQ_Handle *mq, struct GNUNET_MQ_Envelope *ev)
Send a message with the given message queue.
Definition: mq.c:304
GNUNET_MQ_handler_end
#define GNUNET_MQ_handler_end()
End-marker for the handlers array.
Definition: gnunet_mq_lib.h:532
GNUNET_MQ_msg_extra
#define GNUNET_MQ_msg_extra(mvar, esize, type)
Allocate an envelope, with extra space allocated after the space needed by the message struct.
Definition: gnunet_mq_lib.h:63
GNUNET_MQ_msg
#define GNUNET_MQ_msg(mvar, type)
Allocate a GNUNET_MQ_Envelope.
Definition: gnunet_mq_lib.h:78
GNUNET_MQ_hd_var_size
#define GNUNET_MQ_hd_var_size(name, code, str, ctx)
Definition: gnunet_mq_lib.h:618
GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY
The cryptosystem has been established.
Definition: gnunet_protocols.h:2589
GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT
Request the decryption of a ciphertext.
Definition: gnunet_protocols.h:2578
GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE
The service succeeded in decrypting a ciphertext.
Definition: gnunet_protocols.h:2583
GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE
#define GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE
Establish a new session.
Definition: gnunet_protocols.h:2573
GNUNET_SCHEDULER_shutdown
void GNUNET_SCHEDULER_shutdown(void)
Request the shutdown of a scheduler.
Definition: scheduler.c:567
GNUNET_SCHEDULER_add_shutdown
struct GNUNET_SCHEDULER_Task * GNUNET_SCHEDULER_add_shutdown(GNUNET_SCHEDULER_TaskCallback task, void *task_cls)
Schedule a new task to be run on shutdown, that is when a CTRL-C signal is received,...
Definition: scheduler.c:1340
GNUNET_SECRETSHARING_ELGAMAL_BITS
#define GNUNET_SECRETSHARING_ELGAMAL_BITS
Number of bits for secretsharing elements.
Definition: gnunet_secretsharing_service.h:57
GNUNET_SECRETSHARING_share_destroy
void GNUNET_SECRETSHARING_share_destroy(struct GNUNET_SECRETSHARING_Share *share)
Definition: secretsharing_common.c:150
GNUNET_SECRETSHARING_share_read
struct GNUNET_SECRETSHARING_Share * GNUNET_SECRETSHARING_share_read(const void *data, size_t len, size_t *readlen)
Read a share from its binary representation.
Definition: secretsharing_common.c:34
GNUNET_SECRETSHARING_ELGAMAL_P_HEX
#define GNUNET_SECRETSHARING_ELGAMAL_P_HEX
The q-parameter for ElGamal encryption, a 1024-bit safe prime.
Definition: gnunet_secretsharing_service.h:63
GNUNET_SECRETSHARING_ELGAMAL_Q_HEX
#define GNUNET_SECRETSHARING_ELGAMAL_Q_HEX
The q-parameter for ElGamal encryption, a 1023-bit Sophie Germain prime, q = (p-1)/2.
Definition: gnunet_secretsharing_service.h:76
GNUNET_SECRETSHARING_ELGAMAL_G_HEX
#define GNUNET_SECRETSHARING_ELGAMAL_G_HEX
The g-parameter for ElGamal encryption, a generator of the unique size q subgroup of Z_p^*.
Definition: gnunet_secretsharing_service.h:89
GNUNET_SECRETSHARING_share_write
int GNUNET_SECRETSHARING_share_write(const struct GNUNET_SECRETSHARING_Share *share, void *buf, size_t buflen, size_t *writelen)
Convert a share to its binary representation.
Definition: secretsharing_common.c:96
GNUNET_SERVICE_client_drop
void GNUNET_SERVICE_client_drop(struct GNUNET_SERVICE_Client *c)
Ask the server to disconnect from the given client.
Definition: service.c:2489
GNUNET_SERVICE_client_continue
void GNUNET_SERVICE_client_continue(struct GNUNET_SERVICE_Client *c)
Continue receiving further messages from the given client.
Definition: service.c:2408
GNUNET_SERVICE_OPTION_NONE
@ GNUNET_SERVICE_OPTION_NONE
Use defaults.
Definition: gnunet_service_lib.h:71
GNUNET_TIME_absolute_ntoh
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_ntoh(struct GNUNET_TIME_AbsoluteNBO a)
Convert absolute time from network byte order.
Definition: time.c:737
secretsharing.h
messages used for the secretsharing api
secretsharing_protocol.h
p2p message definitions for secretsharing
GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2
#define GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG2
Signature for the second round of distributed key generation.
Definition: gnunet_signatures.h:160
GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1
#define GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DKG1
Signature for the first round of distributed key generation.
Definition: gnunet_signatures.h:154
GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION
#define GNUNET_SIGNATURE_PURPOSE_SECRETSHARING_DECRYPTION
Signature for the cooperative decryption.
Definition: gnunet_signatures.h:166
ClientState
State we keep per client.
Definition: gnunet-service-secretsharing.c:260
ClientState::mq
struct GNUNET_MQ_Handle * mq
MQ to talk to client.
Definition: gnunet-service-secretsharing.c:279
ClientState::keygen_session
struct KeygenSession * keygen_session
Keygen session of the client, if any.
Definition: gnunet-service-secretsharing.c:269
ClientState::client
struct GNUNET_SERVICE_Client * client
Client this is about.
Definition: gnunet-service-secretsharing.c:274
ClientState::decrypt_session
struct DecryptSession * decrypt_session
Decrypt session of the client, if any.
Definition: gnunet-service-secretsharing.c:264
DecryptPeerInfo
Information about a peer in a decrypt session.
Definition: gnunet-service-secretsharing.c:89
DecryptPeerInfo::original_index
unsigned int original_index
Original index in the key generation round.
Definition: gnunet-service-secretsharing.c:99
DecryptPeerInfo::peer
struct GNUNET_PeerIdentity peer
Identity of the peer.
Definition: gnunet-service-secretsharing.c:93
DecryptPeerInfo::partial_decryption
gcry_mpi_t partial_decryption
Set to the partial decryption of this peer, or NULL if we did not receive a partial decryption from t...
Definition: gnunet-service-secretsharing.c:107
DecryptSession
Session to cooperatively decrypt a value.
Definition: gnunet-service-secretsharing.c:215
DecryptSession::start
struct GNUNET_TIME_Absolute start
When should we start communicating for decryption?
Definition: gnunet-service-secretsharing.c:229
DecryptSession::info
struct DecryptPeerInfo * info
State information about other peers.
Definition: gnunet-service-secretsharing.c:252
DecryptSession::share
struct GNUNET_SECRETSHARING_Share * share
Share of the local peer.
Definition: gnunet-service-secretsharing.c:247
DecryptSession::cs
struct ClientState * cs
Which client is this for?
Definition: gnunet-service-secretsharing.c:224
DecryptSession::deadline
struct GNUNET_TIME_Absolute deadline
When would we like the ciphertext to be decrypted?
Definition: gnunet-service-secretsharing.c:235
DecryptSession::consensus
struct GNUNET_CONSENSUS_Handle * consensus
Handle to the consensus over partial decryptions.
Definition: gnunet-service-secretsharing.c:219
DecryptSession::ciphertext
struct GNUNET_SECRETSHARING_Ciphertext ciphertext
Ciphertext we want to decrypt.
Definition: gnunet-service-secretsharing.c:240
GNUNET_CONFIGURATION_Handle
configuration data
Definition: configuration.c:149
GNUNET_CONSENSUS_Handle
Handle for the service.
Definition: consensus_api.c:40
GNUNET_CRYPTO_EddsaPrivateKey
Private ECC key encoded for transmission.
Definition: gnunet_crypto_lib.h:278
GNUNET_CRYPTO_PaillierCiphertext
Paillier ciphertext.
Definition: gnunet_crypto_lib.h:554
GNUNET_CRYPTO_PaillierCiphertext::bits
unsigned char bits[2048 *2/8]
The bits of the ciphertext.
Definition: gnunet_crypto_lib.h:564
GNUNET_CRYPTO_PaillierPrivateKey
Paillier private key.
Definition: gnunet_crypto_lib.h:538
GNUNET_CRYPTO_PaillierPublicKey
Paillier public key.
Definition: gnunet_crypto_lib.h:526
GNUNET_HashCode
A 512-bit hashcode.
Definition: gnunet_common.h:278
GNUNET_MQ_Envelope
Definition: mq.c:34
GNUNET_MQ_Handle
Handle to a message queue.
Definition: mq.c:87
GNUNET_MessageHeader::size
uint16_t size
The length of the struct (in bytes, including the length field itself), in big-endian format.
Definition: gnunet_common.h:319
GNUNET_PeerIdentity
The identity of the host (wraps the signing key of the peer).
Definition: gnunet_crypto_lib.h:229
GNUNET_SECRETSHARING_Ciphertext
Encrypted field element.
Definition: gnunet_secretsharing_service.h:132
GNUNET_SECRETSHARING_Ciphertext::c1_bits
uint32_t c1_bits[1024/8/sizeof(uint32_t)]
Definition: gnunet_secretsharing_service.h:133
GNUNET_SECRETSHARING_CreateMessage
Definition: secretsharing.h:48
GNUNET_SECRETSHARING_DecryptData
Data of then element put in consensus for decrypting a value.
Definition: secretsharing_protocol.h:93
GNUNET_SECRETSHARING_DecryptData::purpose
struct GNUNET_CRYPTO_EccSignaturePurpose purpose
Definition: secretsharing_protocol.h:101
GNUNET_SECRETSHARING_DecryptData::ciphertext
struct GNUNET_SECRETSHARING_Ciphertext ciphertext
Ciphertext we want to decrypt.
Definition: secretsharing_protocol.h:105
GNUNET_SECRETSHARING_DecryptData::nizk_response
struct GNUNET_SECRETSHARING_FieldElement nizk_response
Response to the challenge computed from the protocol transcript.
Definition: secretsharing_protocol.h:128
GNUNET_SECRETSHARING_DecryptRequestMessage
Definition: secretsharing.h:130
GNUNET_SECRETSHARING_DecryptResponseMessage
Definition: secretsharing.h:156
GNUNET_SECRETSHARING_FairEncryption
Definition: secretsharing_protocol.h:133
GNUNET_SECRETSHARING_FairEncryption::t1
char t1[GNUNET_SECRETSHARING_ELGAMAL_BITS/8]
Definition: secretsharing_protocol.h:139
GNUNET_SECRETSHARING_FairEncryption::z
char z[GNUNET_SECRETSHARING_ELGAMAL_BITS/8]
Definition: secretsharing_protocol.h:141
GNUNET_SECRETSHARING_FairEncryption::w
char w[GNUNET_CRYPTO_PAILLIER_BITS/8]
Definition: secretsharing_protocol.h:142
GNUNET_SECRETSHARING_FairEncryption::c
struct GNUNET_CRYPTO_PaillierCiphertext c
Definition: secretsharing_protocol.h:134
GNUNET_SECRETSHARING_FairEncryption::h
char h[GNUNET_SECRETSHARING_ELGAMAL_BITS/8]
h = g^x, where x is the fairly encrypted secret.
Definition: secretsharing_protocol.h:138
GNUNET_SECRETSHARING_FairEncryption::t2
char t2[GNUNET_CRYPTO_PAILLIER_BITS *2/8]
Definition: secretsharing_protocol.h:140
GNUNET_SECRETSHARING_FieldElement
Definition: secretsharing.h:39
GNUNET_SECRETSHARING_KeygenCommitData
Consensus element data used in the first round of key generation.
Definition: secretsharing_protocol.h:44
GNUNET_SECRETSHARING_KeygenCommitData::purpose
struct GNUNET_CRYPTO_EccSignaturePurpose purpose
Signature purpose for signing the keygen commit data.
Definition: secretsharing_protocol.h:52
GNUNET_SECRETSHARING_KeygenRevealData
Definition: secretsharing_protocol.h:70
GNUNET_SECRETSHARING_KeygenRevealData::purpose
struct GNUNET_CRYPTO_EccSignaturePurpose purpose
Definition: secretsharing_protocol.h:78
GNUNET_SECRETSHARING_SecretReadyMessage
Notify the client that then threshold secret has been established.
Definition: secretsharing.h:119
GNUNET_SECRETSHARING_Share
A share, with all values in in host byte order.
Definition: secretsharing.h:182
GNUNET_SECRETSHARING_Share::num_peers
uint16_t num_peers
Peers that have the share.
Definition: secretsharing.h:191
GNUNET_SECRETSHARING_Share::my_share
struct GNUNET_SECRETSHARING_FieldElement my_share
Share of 'my_peer'.
Definition: secretsharing.h:207
GNUNET_SECRETSHARING_Share::public_key
struct GNUNET_SECRETSHARING_PublicKey public_key
Public key.
Definition: secretsharing.h:202
GNUNET_SECRETSHARING_Share::peers
struct GNUNET_PeerIdentity * peers
Peer identities (includes 'my_peer')
Definition: secretsharing.h:212
GNUNET_SECRETSHARING_Share::my_peer
uint16_t my_peer
Index of our peer in the list.
Definition: secretsharing.h:196
GNUNET_SECRETSHARING_Share::sigmas
struct GNUNET_SECRETSHARING_FieldElement * sigmas
Definition: secretsharing.h:218
GNUNET_SECRETSHARING_Share::original_indices
uint16_t * original_indices
Definition: secretsharing.h:223
GNUNET_SERVICE_Client
Handle to a client that is connected to a service.
Definition: service.c:252
GNUNET_SERVICE_Handle
Handle to a service.
Definition: service.c:118
GNUNET_SET_Element
Element stored in a set.
Definition: gnunet_set_service.h:200
GNUNET_SET_Element::size
uint16_t size
Number of bytes in the buffer pointed to by data.
Definition: gnunet_set_service.h:204
GNUNET_SET_Element::data
const void * data
Actual data of the element.
Definition: gnunet_set_service.h:214
GNUNET_SET_Element::element_type
uint16_t element_type
Application-specific element type.
Definition: gnunet_set_service.h:209
GNUNET_TIME_Absolute
Time for absolute times used by GNUnet, in microseconds.
Definition: gnunet_time_lib.h:54
KeygenPeerInfo
Info about a peer in a key generation session.
Definition: gnunet-service-secretsharing.c:43
KeygenPeerInfo::round1_valid
int round1_valid
Did we successfully receive the round1 element of the peer?
Definition: gnunet-service-secretsharing.c:75
KeygenPeerInfo::round2_valid
int round2_valid
Did we successfully receive the round2 element of the peer?
Definition: gnunet-service-secretsharing.c:81
KeygenPeerInfo::paillier_public_key
struct GNUNET_CRYPTO_PaillierPublicKey paillier_public_key
The peer's paillier public key.
Definition: gnunet-service-secretsharing.c:53
KeygenPeerInfo::sigma
gcry_mpi_t sigma
Sigma (exponentiated share) for this peer.
Definition: gnunet-service-secretsharing.c:69
KeygenPeerInfo::preshare_commitment
gcry_mpi_t preshare_commitment
Commitment to the preshare that is intended for our peer.
Definition: gnunet-service-secretsharing.c:64
KeygenPeerInfo::presecret_commitment
gcry_mpi_t presecret_commitment
The peer's commitment to its presecret.
Definition: gnunet-service-secretsharing.c:58
KeygenPeerInfo::peer
struct GNUNET_PeerIdentity peer
Peer identity of the peer.
Definition: gnunet-service-secretsharing.c:47
KeygenSession
Session to establish a threshold-shared secret.
Definition: gnunet-service-secretsharing.c:121
KeygenSession::deadline
struct GNUNET_TIME_Absolute deadline
When would we like the key to be established?
Definition: gnunet-service-secretsharing.c:184
KeygenSession::cs
struct ClientState * cs
Which client is this for?
Definition: gnunet-service-secretsharing.c:130
KeygenSession::my_share
gcry_mpi_t my_share
Share of our peer.
Definition: gnunet-service-secretsharing.c:202
KeygenSession::public_key
gcry_mpi_t public_key
Public key, will be updated when a round2 element arrives.
Definition: gnunet-service-secretsharing.c:207
KeygenSession::local_peer
unsigned int local_peer
Index of the local peer.
Definition: gnunet-service-secretsharing.c:158
KeygenSession::start_time
struct GNUNET_TIME_Absolute start_time
When does the DKG start? Necessary to compute fractions of the operation's desired time interval.
Definition: gnunet-service-secretsharing.c:190
KeygenSession::consensus
struct GNUNET_CONSENSUS_Handle * consensus
Current consensus, used for both DKG rounds.
Definition: gnunet-service-secretsharing.c:125
KeygenSession::presecret_polynomial
gcry_mpi_t * presecret_polynomial
Randomly generated coefficients of the polynomial for sharing our pre-secret, where 'preshares[0]' is...
Definition: gnunet-service-secretsharing.c:141
KeygenSession::peers
struct GNUNET_PeerIdentity * peers
List of all peers involved in the secret sharing session.
Definition: gnunet-service-secretsharing.c:169
KeygenSession::paillier_private_key
struct GNUNET_CRYPTO_PaillierPrivateKey paillier_private_key
Paillier private key of our peer.
Definition: gnunet-service-secretsharing.c:179
KeygenSession::num_peers
unsigned int num_peers
Total number of peers.
Definition: gnunet-service-secretsharing.c:153
KeygenSession::info
struct KeygenPeerInfo * info
Information about all participating peers.
Definition: gnunet-service-secretsharing.c:164
KeygenSession::local_peer_idx
unsigned int local_peer_idx
Index of the local peer in the ordered list of peers in the session.
Definition: gnunet-service-secretsharing.c:196
KeygenSession::threshold
unsigned int threshold
Minimum number of shares required to restore the secret.
Definition: gnunet-service-secretsharing.c:148
KeygenSession::session_id
struct GNUNET_HashCode session_id
Identifier for this session.
Definition: gnunet-service-secretsharing.c:174