microsoft
/
electionguard-c
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

zero knowledge proof implementation

This commit is contained in:
Joey Dodds 2019-09-24 06:52:45 -07:00
Родитель e666de2826
Коммит 02477e733b
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: D135B87AB5B74652
37 изменённых файлов: 2781 добавлений и 265 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

8
.gitignore поставляемый
Просмотреть файл

@ -9,3 +9,11 @@ doxygen
result
build
/src/electionguard/random_source.h
.vs/
.vscode/
Debug/
Testing/
*/a.out
test_Debug/
tally-*
voting_results*

1
.gitmodules поставляемый
Просмотреть файл

@ -1,3 +1,4 @@
[submodule "docs/sphinx-typlog-theme"]
path = docs/sphinx-typlog-theme
url = https://github.com/jbaum98/sphinx-typlog-theme

10
CMakeLists.txt
Просмотреть файл

@ -41,6 +41,9 @@ add_library(electionguard
${PROJECT_SOURCE_DIR}/src/electionguard/keyceremony/message_reps.h
${PROJECT_SOURCE_DIR}/src/electionguard/keyceremony/trustee.c
${PROJECT_SOURCE_DIR}/src/electionguard/uint4096.c
${PROJECT_SOURCE_DIR}/src/electionguard/bignum.c
${PROJECT_SOURCE_DIR}/src/electionguard/sha2-openbsd.c
${PROJECT_SOURCE_DIR}/src/electionguard/sha2-openbsd.h
${PROJECT_SOURCE_DIR}/src/electionguard/crypto.c
${PROJECT_SOURCE_DIR}/src/electionguard/random_source.h
${PROJECT_SOURCE_DIR}/src/electionguard/random_source.c
@ -62,13 +65,13 @@ add_library(electionguard
# Compiler flags
if(CMAKE_CXX_COMPILER_ID MATCHES "Clang|GNU")
target_compile_options(electionguard PRIVATE -Wall -Wextra -pedantic -pedantic-errors -Wunreachable-code -Wmissing-field-initializers)
target_compile_options(electionguard PUBLIC -Werror -Wall -Wextra -pedantic -pedantic-errors -Wunreachable-code -Wmissing-field-initializers -lgmp)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
target_compile_options(electionguard PRIVATE -Wgnu-empty-initializer)
target_compile_options(electionguard PUBLIC -Werror --fsanitize=address -Wgnu-empty-initializer)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
target_compile_options(electionguard PRIVATE -Wenum-compare)
target_compile_options(electionguard PUBLIC -Werror -Wenum-compare)
endif()
# Set the public include directory depending on if the target is being exported
@ -112,6 +115,7 @@ add_subdirectory(docs)
file(MAKE_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/simple_build")
add_test(NAME build_simple
COMMAND "${CMAKE_COMMAND}"
-DCMAKE_BUILD_TYPE=Deubg
-E env ElectionGuard_DIR=${CMAKE_CURRENT_BINARY_DIR}/ElectionGuard
"${CMAKE_CTEST_COMMAND}"
--build-and-test "${PROJECT_SOURCE_DIR}/examples/simple" "${CMAKE_CURRENT_BINARY_DIR}/simple_build"

7
cmake/FindGMP.cmake Normal file
Просмотреть файл

@ -0,0 +1,7 @@
find_path(GMP_INCLUDE_DIR NAMES gmp.h)
find_library(GMP_LIBRARY NAMES gmp libgmp)
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(GMP DEFAULT_MSG
GMP_INCLUDE_DIR
GMP_LIBRARY)
mark_as_advanced(GMP_INCLUDE_DIR GMP_LIBRARY)

14
examples/simple/CMakeLists.txt
Просмотреть файл

@ -8,6 +8,11 @@ set(CMAKE_C_STANDARD 11)
set(CMAKE_C_STANDARD_REQUIRED ON)
set(CMAKE_C_EXTENSIONS ON)
set(CMAKE_MODULE_PATH
${CMAKE_CURRENT_LIST_DIR}/../../cmake
${CMAKE_MODULE_PATH}
)
add_executable(simple
${PROJECT_SOURCE_DIR}/main_params.h
${PROJECT_SOURCE_DIR}/main_voting.h
@ -19,8 +24,15 @@ add_executable(simple
${PROJECT_SOURCE_DIR}/main_decryption.h
)
find_package(ElectionGuard REQUIRED)
target_link_libraries(simple electionguard)
find_package(GMP REQUIRED)
message(STATUS "GMP library found.")
message(STATUS "GMP include dir is: ${GMP_INCLUDE_DIR}")
message(STATUS "GMP library is: ${GMP_LIBRARY}")
target_link_libraries(simple electionguard gmp)
add_test(NAME simple COMMAND simple)

18
examples/simple/main.c
Просмотреть файл

@ -17,11 +17,22 @@
static FILE *fmkstemps(char const *template, const char *mode);
// Election Parameters
uint32_t const NUM_TRUSTEES = 5;
uint32_t const THRESHOLD = 4;
uint32_t const NUM_TRUSTEES = 2;
uint32_t const THRESHOLD = 2;
uint32_t const NUM_ENCRYPTERS = 3;
uint32_t const NUM_SELECTIONS = 3;
// This is a temporary placeholder. In a real election, this should be
// initialized by hashing:
// 1. p (from bignum.h)
// 2. The subgroup order (not yet named in the current implementation)
// 3. generator (from bignum.h)
// 4. NUM_TRUSTEES
// 5. THRESHOLD
// 6. The date of the election
// 7. Jurisdictional information for the election
raw_hash BASE_HASH_CODE = {0,0xff,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
int main()
{
// Seed the RNG that we use to generate arbitrary ballots. This
@ -29,6 +40,7 @@ int main()
// cryptography does not rely on the built in RNG.
srand(100);
Crypto_parameters_new();
bool ok = true;
// Outputs of the key ceremony
@ -94,6 +106,8 @@ int main()
joint_key.bytes = NULL;
}
Crypto_parameters_free();
if (ok)
return EXIT_SUCCESS;
else

2
examples/simple/main_decryption.c
Просмотреть файл

@ -113,7 +113,7 @@ bool initialize_trustees(struct trustee_state *trustee_states)
for (uint32_t i = 0; i < NUM_TRUSTEES && ok; i++)
{
struct Decryption_Trustee_new_r result = Decryption_Trustee_new(
NUM_TRUSTEES, THRESHOLD, NUM_SELECTIONS, trustee_states[i]);
NUM_TRUSTEES, THRESHOLD, NUM_SELECTIONS, trustee_states[i], BASE_HASH_CODE);
if (result.status != DECRYPTION_TRUSTEE_SUCCESS)
ok = false;

2
examples/simple/main_keyceremony.c
Просмотреть файл

@ -157,7 +157,7 @@ bool generate_keys(void)
{
struct KeyCeremony_Trustee_generate_key_r result =
KeyCeremony_Trustee_generate_key(trustees[i]);
KeyCeremony_Trustee_generate_key(trustees[i], BASE_HASH_CODE);
if (result.status != KEYCEREMONY_TRUSTEE_SUCCESS)
ok = false;

2
examples/simple/main_params.h
Просмотреть файл

@ -2,10 +2,12 @@
#define __MAIN_PARAMS_H__
#include <stdint.h>
#include <electionguard/crypto.h>
extern uint32_t const NUM_TRUSTEES;
extern uint32_t const THRESHOLD;
extern uint32_t const NUM_ENCRYPTERS;
extern uint32_t const NUM_SELECTIONS;
extern raw_hash BASE_HASH_CODE;
#endif /* __MAIN_PARAMS_H__ */

18
examples/simple/main_voting.c
Просмотреть файл

@ -34,7 +34,7 @@ bool voting(struct joint_public_key joint_key, FILE *out)
if (ok)
{
for (uint32_t i = 0; i < NUM_ENCRYPTERS && ok; i++)
ok = simulate_random_votes(i, 10);
ok = simulate_random_votes(i, 2);
}
if (ok)
@ -81,7 +81,7 @@ bool initialize_encrypters(struct joint_public_key joint_key)
{
id_buf[0] = i;
struct Voting_Encrypter_new_r result =
Voting_Encrypter_new(uid, joint_key, NUM_SELECTIONS);
Voting_Encrypter_new(uid, joint_key, NUM_SELECTIONS, BASE_HASH_CODE);
if (result.status != VOTING_ENCRYPTER_SUCCESS)
ok = false;
@ -111,8 +111,18 @@ static bool random_bit() { return 1 & rand(); }
static void fill_random_ballot(bool *selections)
{
for (uint32_t i = 0; i < NUM_SELECTIONS; i++)
selections[i] = random_bit();
bool selected = false;
for (uint32_t i = 0; i < NUM_SELECTIONS; i++){
if(!selected){
selections[i] = random_bit();
}
else{
selections[i]=false;
}
if(selections[i]){
selected=true;
}
}
}
bool simulate_random_votes(uint32_t encrypter_ix, uint64_t num_ballots)

21
include/electionguard/crypto.h
Просмотреть файл

@ -2,6 +2,7 @@
#define __CRYPTO_H__
#include <stddef.h>
#include <gmp.h>
#include <electionguard/max_values.h>
@ -33,4 +34,24 @@ struct joint_public_key
uint8_t const *bytes;
};
enum HASH_DIGEST_SIZE_BYTES_e
{
HASH_DIGEST_SIZE_BYTES = 32,
};
/* This typedef and struct are used to differentiate between raw hashes and
* hashes reduced mod the generator. We use uint8_t[]'s for raw hashes, and
* struct hash's for things reduced mod the generator. */
typedef uint8_t raw_hash[HASH_DIGEST_SIZE_BYTES];
struct hash {
mpz_t digest;
};
/** You must call this before any of the other SDK functions. */
void Crypto_parameters_new();
/** After calling this, you should not call any other SDK functions (until you
* re-initialize the parameters, at least). */
void Crypto_parameters_free();
#endif /* __CRYPTO__H__ */

5
include/electionguard/decryption/trustee.h
Просмотреть файл

@ -6,6 +6,7 @@
#include <electionguard/decryption/messages.h>
#include <electionguard/trustee_state.h>
#include <electionguard/crypto.h>
typedef struct Decryption_Trustee_s *Decryption_Trustee;
@ -33,7 +34,9 @@ enum Decryption_Trustee_status
/** Create a new trustee. Does not free the trustee state. */
struct Decryption_Trustee_new_r
Decryption_Trustee_new(uint32_t num_trustees, uint32_t threshold,
uint32_t num_selections, struct trustee_state state);
uint32_t num_selections, struct trustee_state message,
raw_hash base_hash);
struct Decryption_Trustee_new_r
{

2
include/electionguard/keyceremony/trustee.h
Просмотреть файл

@ -45,7 +45,7 @@ void KeyCeremony_Trustee_free(KeyCeremony_Trustee t);
* Generate a key pair and return the key_generated_message to be
* passed to the coordinator. */
struct KeyCeremony_Trustee_generate_key_r
KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t);
KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t, raw_hash base_hash_code);
struct KeyCeremony_Trustee_generate_key_r
{

2
include/electionguard/voting/encrypter.h
Просмотреть файл

@ -32,7 +32,7 @@ struct uid
* key, but creates and allocates a new copy. */
struct Voting_Encrypter_new_r
Voting_Encrypter_new(struct uid uid, struct joint_public_key joint_key,
uint32_t num_selections);
uint32_t num_selections, raw_hash base_hash);
struct Voting_Encrypter_new_r
{

Двоичные данные
src/electionguard/a.out Normal file
Просмотреть файл

Двоичный файл не отображается.

169
src/electionguard/bignum.c Normal file
Просмотреть файл

@ -0,0 +1,169 @@
#include <gmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include "uint4096.h"
uint64_t p_array[64] = {
0xFFFFFFFFFFFFFFFF, 0xC90FDAA22168C234, 0xC4C6628B80DC1CD1,
0x29024E088A67CC74, 0x020BBEA63B139B22, 0x514A08798E3404DD,
0xEF9519B3CD3A431B, 0x302B0A6DF25F1437, 0x4FE1356D6D51C245,
0xE485B576625E7EC6, 0xF44C42E9A637ED6B, 0x0BFF5CB6F406B7ED,
0xEE386BFB5A899FA5, 0xAE9F24117C4B1FE6, 0x49286651ECE45B3D,
0xC2007CB8A163BF05, 0x98DA48361C55D39A, 0x69163FA8FD24CF5F,
0x83655D23DCA3AD96, 0x1C62F356208552BB, 0x9ED529077096966D,
0x670C354E4ABC9804, 0xF1746C08CA18217C, 0x32905E462E36CE3B,
0xE39E772C180E8603, 0x9B2783A2EC07A28F, 0xB5C55DF06F4C52C9,
0xDE2BCBF695581718, 0x3995497CEA956AE5, 0x15D2261898FA0510,
0x15728E5A8AAAC42D, 0xAD33170D04507A33, 0xA85521ABDF1CBA64,
0xECFB850458DBEF0A, 0x8AEA71575D060C7D, 0xB3970F85A6E1E4C7,
0xABF5AE8CDB0933D7, 0x1E8C94E04A25619D, 0xCEE3D2261AD2EE6B,
0xF12FFA06D98A0864, 0xD87602733EC86A64, 0x521F2B18177B200C,
0xBBE117577A615D6C, 0x770988C0BAD946E2, 0x08E24FA074E5AB31,
0x43DB5BFCE0FD108E, 0x4B82D120A9210801, 0x1A723C12A787E6D7,
0x88719A10BDBA5B26, 0x99C327186AF4E23C, 0x1A946834B6150BDA,
0x2583E9CA2AD44CE8, 0xDBBBC2DB04DE8EF9, 0x2E8EFC141FBECAA6,
0x287C59474E6BC05D, 0x99B2964FA090C3A2, 0x233BA186515BE7ED,
0x1F612970CEE2D7AF, 0xB81BDD762170481C, 0xD0069127D5B05AA9,
0x93B4EA988D8FDDC1, 0x86FFB7DC90A6C08F, 0x4DF435C934063199,
0xFFFFFFFFFFFFFFFF};
mpz_t p;
mpz_t q;
mpz_t generator;
mpz_t bignum_one;
void Crypto_parameters_new(){
mpz_init(p);
mpz_init(q);
mpz_init(generator);
mpz_init(bignum_one);
mpz_set_ui(generator, 2);
mpz_set_ui(bignum_one, 1);
mpz_import(p, 64, 1, 8, 0, 0, p_array);
// In the v0.8 spec this is much smaller -- a 256-bit number instead.
mpz_sub(q, p, bignum_one);
}
void Crypto_parameters_free(){
mpz_clear(p);
mpz_clear(generator);
}
void print_base16(const mpz_t z){
char *resStr = mpz_get_str(NULL, 16, z);
printf("%.20s...\n", resStr);
//printf("%s\n", resStr);
free(resStr);
}
void pow_mod_p(mpz_t res, const mpz_t base, const mpz_t exp)
{
mpz_powm(res, base, exp, p);
#ifdef DEBUG_PRINT
printf("Performing operation powmod (base^exp)%%p");
printf("\nbase = ");
print_base16(base);
printf("\nexp = ");
print_base16(exp);
printf("\np = ");
print_base16(p);
printf("\nresult = ");
print_base16(res);
printf("\n");
#endif
}
void mul_mod_p(mpz_t res, const mpz_t a, const mpz_t b){
mpz_mul(res, a, b);
mpz_mod(res, res, p);
}
void log_generator_mod_p(mpz_t result, mpz_t a) {
mpz_set_ui(result, 0);
mpz_t powmod;
mpz_init(powmod);
mpz_set_ui(powmod, 1);
while(!(0 == mpz_cmp(powmod, a))) {
mpz_add_ui(result, result,1);
mul_mod_p(powmod, powmod, generator);
#ifdef DEBUG_PRINT
print_base16(powmod);
#endif
}
}
void mod_q(mpz_t res, const mpz_t a) {
mpz_mod(res, a, q);
}
void add_mod_q(mpz_t res, const mpz_t l, const mpz_t r){
mpz_add(res, l, r);
mod_q(res, res);
}
void sub_mod_q(mpz_t res, const mpz_t l, const mpz_t r){
mpz_sub(res, l, r);
mod_q(res, res);
}
void mul_mod_q(mpz_t res, const mpz_t l, const mpz_t r){
mpz_mul(res, l, r);
mod_q(res, res);
}
void div_mod_p(mpz_t res, const mpz_t num, const mpz_t den){
mpz_t inverse;
mpz_init(inverse);
mpz_invert(inverse, den, p);
mul_mod_p(res, num, inverse);
mpz_clear(inverse);
}
uint64_t *export_to_256(mpz_t v){
uint64_t* result = malloc(sizeof(uint64_t) * 4);
size_t written;
// print_base16(v);
mpz_export(result, &written, 1, 8, 0, 0, v);
assert(written==4);
return result;
}
uint4096 export_to_uint4096(mpz_t v)
{
uint4096 result = malloc(sizeof(struct uint4096_s));
size_t written;
mpz_export(&result->words, &written, 1, 8, 0, 0, v);
assert(written==64);
#ifdef DEBUG_PRINT
printf("Exporting %zu bits", outsize);
printf("\nExported to bits\n");
print_base16(v);
printf("\n");
#endif
return result;
}
void import_uint4096(mpz_t op, uint4096 v)
{
mpz_import(op, 64, 1, 8, 0, 0, v->words);
#ifdef DEBUG_PRINT
printf("\nImported from bits\n");
print_base16(op);
printf("\n");
#endif
}

24
src/electionguard/bignum.h Normal file
Просмотреть файл

@ -0,0 +1,24 @@
#pragma once
#include <gmp.h>
#include "uint4096.h"
void pow_mod_p(mpz_t res, const mpz_t base, const mpz_t exp);
void mul_mod_p(mpz_t res, const mpz_t a, const mpz_t b);
void div_mod_p(mpz_t res, const mpz_t num, const mpz_t den);
void log_generator_mod_p(mpz_t result, mpz_t a);
void mod_q(mpz_t res, const mpz_t a);
void add_mod_q(mpz_t res, const mpz_t l, const mpz_t r);
void mul_mod_q(mpz_t res, const mpz_t l, const mpz_t r);
void sub_mod_q(mpz_t res, const mpz_t l, const mpz_t r);
void import_uint4096(mpz_t op, uint4096 v);
uint64_t *export_to_256(mpz_t v);
uint4096 export_to_uint4096(const mpz_t op);
extern mpz_t p, q, generator, bignum_one;
void print_base16(const mpz_t z);

807
src/electionguard/crypto.c
Просмотреть файл

@ -1,10 +1,35 @@
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <electionguard/crypto.h>
#include "random_source.h"
#include "crypto_reps.h"
#include "random_source.h"
#include "serialize/crypto.h"
#include "sha2-openbsd.h"
//#define DEBUG_PRINT =0
void Crypto_hash_final(struct hash *out, SHA2_CTX *context)
{
uint8_t bytes[HASH_DIGEST_SIZE_BYTES];
SHA256Final(bytes, context);
Crypto_hash_reduce(out, bytes);
}
void Crypto_hash_reduce(struct hash *out, raw_hash bytes)
{
//mpz_init(out->digest);
mpz_import(out->digest, HASH_DIGEST_SIZE_BYTES / 8, 1, 8, 0, 0, bytes);
mod_q(out->digest, out->digest);
}
void Crypto_hash_update_bignum(SHA2_CTX *context, mpz_t num)
{
uint8_t *serialized_buffer = Serialize_reserve_write_bignum(num);
SHA256Update(context, serialized_buffer, 4096 / 8);
free(serialized_buffer);
}
bool Crypto_public_key_equal(struct public_key const *key1,
struct public_key const *key2)
@ -15,23 +40,64 @@ bool Crypto_public_key_equal(struct public_key const *key1,
ok = false;
for (uint32_t i = 0; i < key1->threshold && ok; i++)
ok = ok && uint4096_eq(&key1->coef_commitments[i],
&key2->coef_commitments[i]);
{
ok = ok && (0 == mpz_cmp(key1->coef_commitments[i],
key2->coef_commitments[i]));
#ifdef DEBUG_PRINT
printf("Checking\n");
print_base16(key1->coef_commitments[i]);
printf("=");
print_base16(key2->coef_commitments[i]);
#endif
}
return ok;
}
enum Crypto_status Crypto_RandomSource_status_convert(enum RandomSource_status status) {
switch(status) {
case RANDOM_SOURCE_SUCCESS: return CRYPTO_SUCCESS;
case RANDOM_SOURCE_INSUFFICIENT_MEMORY: return CRYPTO_INSUFFICIENT_MEMORY;
case RANDOM_SOURCE_IO_ERROR: return CRYPTO_IO_ERROR;
// should never happen
default: return CRYPTO_UNKNOWN_ERROR;
enum Crypto_status
Crypto_RandomSource_status_convert(enum RandomSource_status status)
{
switch (status)
{
case RANDOM_SOURCE_SUCCESS:
return CRYPTO_SUCCESS;
case RANDOM_SOURCE_INSUFFICIENT_MEMORY:
return CRYPTO_INSUFFICIENT_MEMORY;
case RANDOM_SOURCE_IO_ERROR:
return CRYPTO_IO_ERROR;
// should never happen
default:
return CRYPTO_UNKNOWN_ERROR;
}
}
struct Crypto_gen_keypair_r Crypto_gen_keypair(uint32_t num_coefficients)
bool Crypto_check_keypair_proof(struct public_key key, raw_hash base_hash_code)
{
mpz_t gu;
mpz_t hkc;
mpz_init(gu);
mpz_init(hkc);
//TODO check the hash
for (int i = 0; i < key.proof.threshold; i++)
{
// printf("commitment %d\n", i);
// print_base16(key.coef_commitments[i]);
// printf("response\n");
// print_base16(key.proof.challenge_responses[i]);
// printf("challenge\n");
// print_base16(key.proof.challenge.digest);
pow_mod_p(gu, generator, key.proof.challenge_responses[i]);
pow_mod_p(hkc, key.coef_commitments[i], key.proof.challenge.digest);
mul_mod_p(hkc, key.proof.commitments[i], hkc);
assert(0 == mpz_cmp(gu, hkc));
}
mpz_clear(gu);
mpz_clear(hkc);
}
struct Crypto_gen_keypair_r Crypto_gen_keypair(uint32_t num_coefficients,
raw_hash base_hash_code)
{
struct Crypto_gen_keypair_r result;
result.status = CRYPTO_SUCCESS;
@ -39,49 +105,133 @@ struct Crypto_gen_keypair_r Crypto_gen_keypair(uint32_t num_coefficients)
result.private_key.threshold = num_coefficients;
result.public_key.threshold = num_coefficients;
Crypto_private_key_init(&result.private_key, num_coefficients);
Crypto_public_key_new(&result.public_key, num_coefficients);
RandomSource source;
if(CRYPTO_SUCCESS == result.status) {
if (CRYPTO_SUCCESS == result.status)
{
struct RandomSource_new_r source_r = RandomSource_new();
source = source_r.source;
result.status = Crypto_RandomSource_status_convert(source_r.status);
}
// Set all bytes to a non-zero value to help catch bugs. Before I
// did this, I had a couple of bugs related to actually copying
// the keys around, but because everything was zeroes nothing
// broke.
for (uint32_t i = 0; i < num_coefficients; i++)
{
if(CRYPTO_SUCCESS == result.status) {
result.status = Crypto_RandomSource_status_convert(RandomSource_uniform_o(source, &result.private_key.coefficients[i]));
if(CRYPTO_SUCCESS != result.status) {
if (CRYPTO_SUCCESS == result.status)
{
result.status = Crypto_RandomSource_status_convert(
RandomSource_uniform_bignum_o(
result.private_key.coefficients[i], source));
if (CRYPTO_SUCCESS != result.status)
{
RandomSource_free(source);
}
}
if(CRYPTO_SUCCESS == result.status) {
uint4096_powmod_o
( &result.public_key.coef_commitments[i]
, uint4096_generator_default
, &result.private_key.coefficients[i]
, Modulus4096_modulus_default
);
if (CRYPTO_SUCCESS == result.status)
{
pow_mod_p(result.public_key.coef_commitments[i], generator,
result.private_key.coefficients[i]);
}
}
if(CRYPTO_SUCCESS == result.status) {
if (CRYPTO_SUCCESS == result.status)
{
result.public_key.proof.threshold = num_coefficients;
SHA2_CTX context;
SHA256Init(&context);
SHA256Update(&context, base_hash_code, HASH_DIGEST_SIZE_BYTES);
for (uint32_t i = 0; i < num_coefficients; i++)
{
Crypto_hash_update_bignum(&context,
result.public_key.coef_commitments[i]);
}
for (uint32_t i = 0;
i < num_coefficients && CRYPTO_SUCCESS == result.status; i++)
{
result.status = Crypto_RandomSource_status_convert(
RandomSource_uniform_bignum_o(
result.public_key.proof.challenge_responses[i], source));
if (CRYPTO_SUCCESS == result.status)
{
pow_mod_p(result.public_key.proof.commitments[i], generator,
result.public_key.proof.challenge_responses[i]);
Crypto_hash_update_bignum(
&context, result.public_key.proof.challenge_responses[i]);
}
}
if (CRYPTO_SUCCESS == result.status)
{
mpz_t product;
mpz_init(product);
Crypto_hash_final(&result.public_key.proof.challenge, &context);
for (uint32_t i = 0; i < num_coefficients; i++)
{
mul_mod_q(product, result.public_key.proof.challenge.digest,
result.private_key.coefficients[i]);
add_mod_q(result.public_key.proof.challenge_responses[i],
result.public_key.proof.challenge_responses[i],
product);
}
mpz_clear(product);
}
}
if (CRYPTO_SUCCESS == result.status)
{
RandomSource_free(source);
}
if (CRYPTO_SUCCESS != result.status)
{
Crypto_private_key_free(&result.private_key, num_coefficients);
Crypto_public_key_free(&result.public_key, num_coefficients);
}
return result;
}
//Making threshold an argument to be sure it's provided
void Crypto_private_key_init(struct private_key *dst, int threshold)
{
for (uint32_t i = 0; i < threshold; i++)
mpz_init(dst->coefficients[i]);
}
void Crypto_private_key_free(struct private_key *dst, int threshold)
{
for (uint32_t i = 0; i < threshold; i++)
mpz_clear(dst->coefficients[i]);
}
void Crypto_private_key_copy(struct private_key *dst,
struct private_key const *src)
{
assert(src->threshold <= MAX_TRUSTEES);
dst->threshold = src->threshold;
for (uint32_t i = 0; i < src->threshold; i++)
uint4096_copy_o(&dst->coefficients[i], &src->coefficients[i]);
mpz_set(dst->coefficients[i], src->coefficients[i]);
}
void Crypto_public_key_free(struct public_key *dst, int threshold)
{
for (uint32_t i = 0; i < threshold; i++)
mpz_clear(dst->coef_commitments[i]);
Crypto_schnorr_proof_new(&dst->proof, threshold);
}
void Crypto_public_key_new(struct public_key *dst, int threshold)
{
for (uint32_t i = 0; i < threshold; i++)
mpz_init(dst->coef_commitments[i]);
Crypto_schnorr_proof_new(&dst->proof, threshold);
}
void Crypto_public_key_copy(struct public_key *dst,
@ -89,7 +239,54 @@ void Crypto_public_key_copy(struct public_key *dst,
{
dst->threshold = src->threshold;
for (uint32_t i = 0; i < src->threshold; i++)
uint4096_copy_o(&dst->coef_commitments[i], &src->coef_commitments[i]);
mpz_set(dst->coef_commitments[i], src->coef_commitments[i]);
Crypto_schnorr_proof_copy(&dst->proof, &src->proof);
}
void Crypto_schnorr_proof_new(struct schnorr_proof *dst, int threshold)
{
for (int i = 0; i < threshold; i++)
{
mpz_init(dst->commitments[i]);
mpz_init(dst->challenge_responses[i]);
}
mpz_init(dst->challenge.digest);
}
void Crypto_schnorr_proof_free(struct schnorr_proof *dst, int threshold)
{
for (int i = 0; i < threshold; i++)
{
mpz_clear(dst->commitments[i]);
mpz_clear(dst->challenge_responses[i]);
}
mpz_init(dst->challenge.digest);
}
void Crypto_schnorr_proof_copy(struct schnorr_proof *dst,
struct schnorr_proof const *src)
{
dst->threshold = src->threshold;
for (int i = 0; i < dst->threshold; i++)
{
mpz_set(dst->commitments[i], src->commitments[i]);
mpz_set(dst->challenge_responses[i], src->challenge_responses[i]);
}
mpz_set(dst->challenge.digest, src->challenge.digest);
}
void Crypto_encrypted_key_share_init(struct encrypted_key_share *dst,
int threshold)
{
Crypto_private_key_init(&dst->private_key, threshold);
Crypto_public_key_new(&dst->recipient_public_key, threshold);
}
void Crypto_encrypted_key_share_free(struct encrypted_key_share *dst,
int threshold)
{
Crypto_private_key_free(&dst->private_key, threshold);
Crypto_public_key_free(&dst->recipient_public_key, threshold);
}
void Crypto_encrypted_key_share_copy(struct encrypted_key_share *dst,
@ -100,11 +297,21 @@ void Crypto_encrypted_key_share_copy(struct encrypted_key_share *dst,
&src->recipient_public_key);
}
void Crypto_joint_public_key_init(struct joint_public_key_rep *dst)
{
mpz_init(dst->public_key);
}
void Crypto_joint_public_key_free(struct joint_public_key_rep *dst)
{
mpz_clear(dst->public_key);
}
void Crypto_joint_public_key_copy(struct joint_public_key_rep *dst,
struct joint_public_key_rep const *src)
{
dst->num_trustees = src->num_trustees;
uint4096_copy_o(&dst->public_key, &src->public_key);
mpz_set(dst->public_key, src->public_key);
}
void Crypto_generate_joint_public_key(struct joint_public_key_rep *dst,
@ -112,51 +319,539 @@ void Crypto_generate_joint_public_key(struct joint_public_key_rep *dst,
uint32_t num_keys)
{
dst->num_trustees = num_keys;
uint4096_zext_o(&dst->public_key, (uint8_t[]){1}, 1);
mpz_set_ui(
dst->public_key,
1); //Start with the public key as one, so the first multiplication is identity
for (uint32_t i = 0; i < num_keys; i++)
uint4096_multmod_o(&dst->public_key, &dst->public_key, &public_keys[i].coef_commitments[0], Modulus4096_modulus_default);
{
//If there's a problem, double check that mul_mod_p works in place
mul_mod_p(dst->public_key, dst->public_key,
public_keys[i].coef_commitments[0]);
}
}
void Crypto_encrypt(struct encryption_rep *out, RandomSource source, const struct joint_public_key_rep *key, const_uint4096 message) {
struct uint4096_s r;
RandomSource_uniform_o(source, &r);
uint4096_powmod_o(&out->nonce_encoding, uint4096_generator_default, &r, Modulus4096_modulus_default);
uint4096_powmod_o(&out->message_encoding, &key->public_key, &r, Modulus4096_modulus_default);
uint4096_multmod_o(&out->message_encoding, &out->message_encoding, message, Modulus4096_modulus_default);
void Crypto_cp_proof_commit(struct encryption_rep *commitment_out,
struct encryption_rep encryption, mpz_t u)
{
// commitment a in the documents
pow_mod_p(commitment_out->nonce_encoding, encryption.nonce_encoding, u);
// commitment b in the documents
pow_mod_p(commitment_out->message_encoding, encryption.message_encoding, u);
}
void Crypto_encryption_homomorphic_zero(struct encryption_rep *out) {
uint4096_zext_o(&out->nonce_encoding, (uint8_t[]){1}, 1);
uint4096_zext_o(&out->message_encoding, (uint8_t[]){1}, 1);
void Crypto_cp_proof_challenge(struct hash *challenge_out,
struct encryption_rep encryption,
struct encryption_rep commitment,
struct hash base_hash)
{
SHA2_CTX context;
//Serialize the base hash
uint8_t *base_serial = Serialize_reserve_write_hash(base_hash);
//Generate the challenge
SHA256Init(&context);
SHA256Update(&context, base_serial, SHA256_DIGEST_LENGTH);
Crypto_hash_update_bignum(&context, encryption.nonce_encoding);
Crypto_hash_update_bignum(&context, encryption.message_encoding);
Crypto_hash_update_bignum(&context, commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, commitment.message_encoding);
Crypto_hash_final(challenge_out, &context);
}
void Crypto_encryption_homomorphic_add(struct encryption_rep *out, const struct encryption_rep *a, const struct encryption_rep *b) {
uint4096_multmod_o(&out->nonce_encoding, &a->nonce_encoding, &b->nonce_encoding, Modulus4096_modulus_default);
uint4096_multmod_o(&out->message_encoding, &a->message_encoding, &b->message_encoding, Modulus4096_modulus_default);
void Crypto_generate_decryption_cp_proof(
struct cp_proof_rep *result, mpz_t secret_key, mpz_t partial_decryption,
struct encryption_rep aggregate_encryption, struct hash base_hash)
{
//The random value for the proof, we reuse letters from the spec document
mpz_t u;
mpz_init(u);
//TODO: Save one of these in the trustee
RandomSource source;
struct RandomSource_new_r source_r = RandomSource_new();
source = source_r.source;
//TODO If we change the exponent prime, this will be wrong
RandomSource_uniform_bignum_o(u, source);
// commitment a in the documents
pow_mod_p(result->commitment.nonce_encoding, generator, u);
// commitment b in the documents
pow_mod_p(result->commitment.message_encoding,
aggregate_encryption.nonce_encoding, u);
mpz_init(result->challenge.digest);
SHA2_CTX context;
//Serialize the base hash
uint8_t *base_serial = Serialize_reserve_write_hash(base_hash);
//Generate the challenge
SHA256Init(&context);
SHA256Update(&context, base_serial, SHA256_DIGEST_LENGTH);
Crypto_hash_update_bignum(&context, aggregate_encryption.nonce_encoding);
Crypto_hash_update_bignum(&context, aggregate_encryption.message_encoding);
Crypto_hash_update_bignum(&context, result->commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, result->commitment.message_encoding);
Crypto_hash_update_bignum(&context, partial_decryption);
Crypto_hash_final(&result->challenge, &context);
// CR in the doc
mul_mod_q(result->response, result->challenge.digest, secret_key);
add_mod_q(result->response, u, result->response);
mpz_clear(u);
RandomSource_free(source);
}
bool Crypto_encryption_fprint(FILE *out, const struct encryption_rep *rep) {
void Crypto_check_decryption_cp_proof(
struct cp_proof_rep proof, mpz_t public_key, mpz_t partial_decryption,
struct encryption_rep aggregate_encryption, struct hash base_hash){
mpz_t gv, av, akc, bbc;
mpz_init(gv);
mpz_init(akc);
mpz_init(av);
mpz_init(bbc);
pow_mod_p(gv, generator, proof.response);
pow_mod_p(akc, public_key, proof.challenge.digest);
mul_mod_p(akc, proof.commitment.nonce_encoding, akc);
assert(0 == mpz_cmp(gv, akc));
//A^v
pow_mod_p(av, aggregate_encryption.nonce_encoding, proof.response);
//M^c
pow_mod_p(bbc, partial_decryption, proof.challenge.digest);
//b*Beta^c
mul_mod_p(bbc, proof.commitment.message_encoding, bbc);
assert(0 == mpz_cmp(av, bbc));
mpz_clear(gv);
mpz_clear(akc);
mpz_clear(av);
mpz_clear(bbc);
}
_Bool Crypto_check_aggregate_cp_proof(struct cp_proof_rep proof,
struct encryption_rep encryption,
struct hash base_hash, mpz_t public_key)
{
//TODO check ranges of values
SHA2_CTX context;
struct hash my_C;
mpz_init(my_C.digest);
//Serialize the base hash
uint8_t *base_serial = Serialize_reserve_write_hash(base_hash);
//Generate the challenge
SHA256Init(&context);
SHA256Update(&context, base_serial, SHA256_DIGEST_LENGTH);
Crypto_hash_update_bignum(&context, encryption.nonce_encoding);
Crypto_hash_update_bignum(&context, encryption.message_encoding);
Crypto_hash_update_bignum(&context, proof.commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, proof.commitment.message_encoding);
Crypto_hash_final(&my_C, &context);
assert(0 == mpz_cmp(my_C.digest, proof.challenge.digest));
mpz_t gv, aac, glc, glckv, bbc;
mpz_init(gv);
mpz_init(aac);
mpz_init(glc);
mpz_init(glckv);
mpz_init(bbc);
pow_mod_p(gv, generator, proof.response);
pow_mod_p(aac, encryption.nonce_encoding, my_C.digest);
mul_mod_p(aac, proof.commitment.nonce_encoding, aac);
assert(0 == mpz_cmp(gv, aac));
//L is 1 for now, so this is g^LC when this multiplication happens it should be mod q
pow_mod_p(glc, generator, my_C.digest);
// K^v
pow_mod_p(glckv, public_key, proof.response);
// g^LC * K^v
mul_mod_p(glckv, glc, glckv);
//Beta^c
pow_mod_p(bbc, encryption.message_encoding, my_C.digest);
//b*Beta^c
mul_mod_p(bbc, proof.commitment.message_encoding, bbc);
assert(0 == mpz_cmp(glckv, bbc));
mpz_clear(gv);
mpz_clear(aac);
mpz_clear(glc);
mpz_clear(glckv);
mpz_clear(bbc);
mpz_clear(my_C.digest);
return 1;
}
void Crypto_generate_aggregate_cp_proof(struct cp_proof_rep *result,
RandomSource source, mpz_t nonce,
struct encryption_rep encryption,
struct hash base_hash, mpz_t public_key)
{
//The random value for the proof, we reuse letters from the spec document
mpz_t u;
mpz_init(u);
//TODO If we change the exponent prime, this will be wrong
RandomSource_uniform_bignum_o(u, source);
// commitment a in the documents
pow_mod_p(result->commitment.nonce_encoding, generator, u);
// commitment b in the documents
pow_mod_p(result->commitment.message_encoding, public_key, u);
mpz_init(result->challenge.digest);
Crypto_cp_proof_challenge(&result->challenge, encryption,
result->commitment, base_hash);
// CR in the doc
mul_mod_q(result->response, result->challenge.digest, nonce);
add_mod_q(result->response, u, result->response);
mpz_clear(u);
}
void Crypto_generate_dis_proof(struct dis_proof_rep *result,
RandomSource source, struct hash base_hash,
bool selected, mpz_t public_key,
struct encryption_rep encryption, mpz_t nonce)
{
mpz_t fake_challenge;
mpz_t real_challenge;
mpz_t fake_response;
mpz_t real_response;
mpz_t u;
mpz_t scratch;
struct encryption_rep real_commitment;
struct encryption_rep fake_commitment;
Crypto_encryption_rep_new(&real_commitment);
Crypto_encryption_rep_new(&fake_commitment);
mpz_init(fake_challenge);
mpz_init(fake_response);
mpz_init(real_challenge);
mpz_init(real_response);
mpz_init(scratch);
mpz_init(u);
// Generate the randomness and the fake proof
RandomSource_uniform_bignum_o(u, source);
RandomSource_uniform_bignum_o(fake_challenge, source);
RandomSource_uniform_bignum_o(fake_response, source);
//Generate the real commitments
pow_mod_p(real_commitment.nonce_encoding, generator, u);
pow_mod_p(real_commitment.message_encoding, public_key, u);
//Generate the fake commitments
pow_mod_p(scratch, generator, fake_response);
pow_mod_p(fake_commitment.nonce_encoding, encryption.nonce_encoding,
fake_challenge);
div_mod_p(fake_commitment.nonce_encoding, scratch,
fake_commitment.nonce_encoding);
pow_mod_p(scratch, public_key, fake_response);
if (!selected)
{
//using message encoding temporarily
pow_mod_p(fake_commitment.message_encoding, generator, fake_challenge);
mul_mod_p(scratch, scratch, fake_commitment.message_encoding);
}
pow_mod_p(fake_commitment.message_encoding, encryption.message_encoding,
fake_challenge);
div_mod_p(fake_commitment.message_encoding, scratch,
fake_commitment.message_encoding);
//Generate the main challenge
SHA2_CTX context;
//Serialize the base hash
uint8_t *base_serial = Serialize_reserve_write_hash(base_hash);
SHA256Init(&context);
SHA256Update(&context, base_serial, SHA256_DIGEST_LENGTH);
Crypto_hash_update_bignum(&context, encryption.nonce_encoding);
Crypto_hash_update_bignum(&context, encryption.message_encoding);
if (selected)
{
Crypto_hash_update_bignum(&context, fake_commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, fake_commitment.message_encoding);
Crypto_hash_update_bignum(&context, real_commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, real_commitment.message_encoding);
}
else
{
Crypto_hash_update_bignum(&context, real_commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, real_commitment.message_encoding);
Crypto_hash_update_bignum(&context, fake_commitment.nonce_encoding);
Crypto_hash_update_bignum(&context, fake_commitment.message_encoding);
}
Crypto_hash_final(&result->challenge, &context);
sub_mod_q(real_challenge, result->challenge.digest, fake_challenge);
mul_mod_q(real_response, real_challenge, nonce);
add_mod_q(real_response, u, real_response);
if (selected)
{
Crypto_encryption_rep_copy(&result->commitment0, &fake_commitment);
Crypto_encryption_rep_copy(&result->commitment1, &real_commitment);
mpz_set(result->challenge0, fake_challenge);
mpz_set(result->challenge1, real_challenge);
mpz_set(result->response0, fake_response);
mpz_set(result->response1, real_response);
}
else
{
Crypto_encryption_rep_copy(&result->commitment0, &real_commitment);
Crypto_encryption_rep_copy(&result->commitment1, &fake_commitment);
mpz_set(result->challenge0, real_challenge);
mpz_set(result->challenge1, fake_challenge);
mpz_set(result->response0, real_response);
mpz_set(result->response1, fake_response);
}
Crypto_encryption_rep_free(&real_commitment);
Crypto_encryption_rep_free(&fake_commitment);
mpz_clear(fake_challenge);
mpz_clear(fake_response);
mpz_clear(u);
mpz_clear(real_challenge);
mpz_clear(real_response);
mpz_clear(scratch);
//TODO
}
bool Crypto_check_dis_proof(struct dis_proof_rep proof,
struct encryption_rep encryption,
struct hash base_hash, mpz_t public_key)
{
mpz_t my_challenge;
mpz_init(my_challenge);
add_mod_q(my_challenge, proof.challenge0, proof.challenge1);
//Check c = c0 + c1 mod q
assert(0 == mpz_cmp(proof.challenge.digest, my_challenge));
//TODO we can probably share some code with the disjunctive and decryption proofs here
mpz_t gv, aac, glc, glckv, bbc;
mpz_init(gv);
mpz_init(aac);
mpz_init(glc);
mpz_init(glckv);
mpz_init(bbc);
pow_mod_p(gv, generator, proof.response0);
pow_mod_p(aac, encryption.nonce_encoding, proof.challenge0);
mul_mod_p(aac, proof.commitment0.nonce_encoding, aac);
assert(0 == mpz_cmp(gv, aac));
pow_mod_p(gv, generator, proof.response1);
pow_mod_p(aac, encryption.nonce_encoding, proof.challenge1);
mul_mod_p(aac, proof.commitment1.nonce_encoding, aac);
assert(0 == mpz_cmp(gv, aac));
// K^v
pow_mod_p(glckv, public_key, proof.response0);
//Beta^c
pow_mod_p(bbc, encryption.message_encoding, proof.challenge0);
//b*Beta^c
mul_mod_p(bbc, proof.commitment0.message_encoding, bbc);
assert(0 == mpz_cmp(glckv, bbc));
//g^c1
pow_mod_p(glc, generator, proof.challenge1);
// K^v
pow_mod_p(glckv, public_key, proof.response1);
mul_mod_p(glckv, glc, glckv);
//Beta^c
pow_mod_p(bbc, encryption.message_encoding, proof.challenge1);
//b*Beta^c
mul_mod_p(bbc, proof.commitment1.message_encoding, bbc);
assert(0 == mpz_cmp(glckv, bbc));
mpz_clear(gv);
mpz_clear(aac);
mpz_clear(glc);
mpz_clear(glckv);
mpz_clear(bbc);
mpz_clear(my_challenge);
}
//Encrypt a message mapped onto the group (e.g. g^message % p)
void Crypto_encrypt(struct encryption_rep *out, mpz_t out_nonce,
RandomSource source, const struct joint_public_key_rep *key,
mpz_t message)
{
RandomSource_uniform_bignum_o(out_nonce, source);
pow_mod_p(out->nonce_encoding, generator, out_nonce);
pow_mod_p(out->message_encoding, key->public_key, out_nonce);
mul_mod_p(out->message_encoding, out->message_encoding, message);
}
void Crypto_encryption_rep_new(struct encryption_rep *dst)
{
mpz_init(dst->nonce_encoding);
mpz_init(dst->message_encoding);
}
void Crypto_encryption_rep_free(struct encryption_rep *dst)
{
mpz_clear(dst->nonce_encoding);
mpz_clear(dst->message_encoding);
}
void Crypto_encryption_rep_copy(struct encryption_rep *dst,
struct encryption_rep *src)
{
mpz_set(dst->nonce_encoding, src->nonce_encoding);
mpz_set(dst->message_encoding, src->message_encoding);
}
void Crypto_dis_proof_new(struct dis_proof_rep *dst)
{
Crypto_encryption_rep_new(&dst->commitment0);
Crypto_encryption_rep_new(&dst->commitment1);
mpz_init(dst->challenge.digest);
mpz_init(dst->challenge0);
mpz_init(dst->challenge1);
mpz_init(dst->response0);
mpz_init(dst->response1);
}
void Crypto_dis_proof_free(struct dis_proof_rep *dst)
{
Crypto_encryption_rep_free(&dst->commitment0);
Crypto_encryption_rep_free(&dst->commitment1);
mpz_clear(dst->challenge.digest);
mpz_clear(dst->challenge0);
mpz_clear(dst->challenge1);
mpz_clear(dst->response0);
mpz_clear(dst->response1);
}
void Crypto_cp_proof_new(struct cp_proof_rep *dst)
{
Crypto_encryption_rep_new(&dst->commitment);
mpz_init(dst->response);
}
void Crypto_cp_proof_free(struct cp_proof_rep *dst)
{
Crypto_encryption_rep_free(&dst->commitment);
mpz_clear(dst->response);
}
void Crypto_encryption_homomorphic_zero(struct encryption_rep *out)
{
mpz_set_ui(out->nonce_encoding, 1);
mpz_set_ui(out->message_encoding, 1);
}
void Crypto_encryption_homomorphic_add(struct encryption_rep *out,
const struct encryption_rep *a,
const struct encryption_rep *b)
{
mul_mod_p(out->nonce_encoding, a->nonce_encoding, b->nonce_encoding);
mul_mod_p(out->message_encoding, a->message_encoding, b->message_encoding);
}
//Read a uint4096 as a mpz_t
int mpz_t_fscan(FILE *in, mpz_t out)
{
uint4096 tmp = malloc(sizeof(struct uint4096_s));
int res = uint4096_fscan(in, tmp);
import_uint4096(out, tmp);
free(tmp);
return res;
}
int mpz_t_fprint(FILE *out, const mpz_t z)
{
uint4096 tmp = export_to_uint4096(z);
int ret = uint4096_fprint(out, tmp);
free(tmp);
return ret;
}
bool Crypto_encryption_fprint(FILE *out, const struct encryption_rep *rep)
{
bool ok = true;
if(ok) ok = fprintf(out, "(") == 1;
if(ok) ok = uint4096_fprint(out, &rep->nonce_encoding);
if(ok) ok = fprintf(out, ",") == 1;
if(ok) ok = uint4096_fprint(out, &rep->message_encoding);
if(ok) ok = fprintf(out, ")") == 1;
if (ok)
ok = fprintf(out, "(") == 1;
if (ok)
ok = mpz_t_fprint(out, rep->nonce_encoding);
if (ok)
ok = fprintf(out, ",") == 1;
if (ok)
ok = mpz_t_fprint(out, rep->message_encoding);
if (ok)
ok = fprintf(out, ")") == 1;
return ok;
}
struct Crypto_encrypted_ballot_new_r Crypto_encrypted_ballot_new(uint32_t num_selections, uint64_t id) {
struct Crypto_encrypted_ballot_new_r
Crypto_encrypted_ballot_new(uint32_t num_selections, uint64_t id)
{
struct Crypto_encrypted_ballot_new_r result;
result.result.id = id;
result.result.num_selections = num_selections;
result.result.selections = malloc(num_selections * sizeof(*result.result.selections));
if(NULL == result.result.selections)
result.status = CRYPTO_INSUFFICIENT_MEMORY;
result.result.selections =
malloc(num_selections * sizeof(*result.result.selections));
result.result.dis_proof =
malloc(num_selections * sizeof(*result.result.dis_proof));
for (int i = 0; i < num_selections; i++)
{
Crypto_encryption_rep_new(&result.result.selections[i]);
Crypto_dis_proof_new(&result.result.dis_proof[i]);
}
Crypto_cp_proof_new(&result.result.cp_proof);
result.status = CRYPTO_SUCCESS;
return result;
}
void Crypto_encrypted_ballot_free(struct encrypted_ballot_rep *ballot) {
void Crypto_encrypted_ballot_free(struct encrypted_ballot_rep *ballot)
{
for (int i = 0; i < ballot->num_selections; i++)
{
Crypto_encryption_rep_free(&ballot->selections[i]);
}
free(ballot->selections);
Crypto_cp_proof_free(&ballot->cp_proof);
}

135
src/electionguard/crypto_reps.h
Просмотреть файл

@ -1,14 +1,17 @@
#ifndef __CRYPTO_REPS_H__
#define __CRYPTO_REPS_H__
#include <gmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include "bignum.h"
#include "random_source.h"
#include "sha2-openbsd.h"
#include "uint4096.h"
#include <electionguard/crypto.h>
#include <electionguard/max_values.h>
#include "random_source.h"
#include "uint4096.h"
enum Crypto_status
{
@ -23,28 +26,59 @@ enum Crypto_status
struct private_key
{
uint32_t threshold;
struct uint4096_s coefficients[MAX_TRUSTEES];
mpz_t coefficients[MAX_TRUSTEES]; //There are threshold of these
};
void Crypto_private_key_init(struct private_key *dst, int threshold);
void Crypto_private_key_free(struct private_key *dst, int threshold);
void Crypto_private_key_copy(struct private_key *dst,
struct private_key const *src);
/* Like SHA256Final, but reduce the result mod the right generator. The mpz_t
* in the output hash will be initialized for you. */
void Crypto_hash_final(struct hash *out, SHA2_CTX *context);
void Crypto_hash_reduce(struct hash *out, raw_hash bytes);
void Crypto_hash_update_bignum(SHA2_CTX *context, mpz_t num);
/* A NIZKP of knowledge of the secrets associated with a public key */
struct schnorr_proof
{
uint32_t threshold;
// The commitments and challenge_responses are both of length threshold.
mpz_t commitments[MAX_TRUSTEES];
struct hash challenge;
mpz_t challenge_responses[MAX_TRUSTEES];
};
/* A public key, including coefficient commitments */
struct public_key
{
uint32_t threshold;
struct uint4096_s coef_commitments[MAX_TRUSTEES];
struct schnorr_proof proof;
mpz_t coef_commitments[MAX_TRUSTEES]; //There are threshold of these
};
/* Check if two public keys are equal. */
bool Crypto_public_key_equal(struct public_key const *,
struct public_key const *);
void Crypto_public_key_new(struct public_key *dst, int threshold);
void Crypto_public_key_free(struct public_key *dst, int threshold);
void Crypto_public_key_copy(struct public_key *dst,
struct public_key const *src);
void Crypto_schnorr_proof_new(struct schnorr_proof *dst, int threshold);
void Crypto_schnorr_proof_free(struct schnorr_proof *dst, int threshold);
void Crypto_schnorr_proof_copy(struct schnorr_proof *dst,
struct schnorr_proof const *src);
bool Crypto_check_keypair_proof(struct public_key key, raw_hash base_hash_code);
/* Generate a random keypair and return the public and private keys */
struct Crypto_gen_keypair_r Crypto_gen_keypair(uint32_t num_coefficients);
struct Crypto_gen_keypair_r Crypto_gen_keypair(uint32_t num_coefficients,
raw_hash base_hash_code);
struct Crypto_gen_keypair_r
{
@ -64,15 +98,23 @@ struct encrypted_key_share
struct public_key recipient_public_key;
};
void Crypto_encrypted_key_share_init(struct encrypted_key_share *dst,
int threshold);
void Crypto_encrypted_key_share_free(struct encrypted_key_share *dst,
int threshold);
void Crypto_encrypted_key_share_copy(struct encrypted_key_share *dst,
struct encrypted_key_share const *src);
struct joint_public_key_rep
{
uint32_t num_trustees;
struct uint4096_s public_key;
mpz_t public_key;
};
void Crypto_joint_public_key_init(struct joint_public_key_rep *dst);
void Crypto_joint_public_key_free(struct joint_public_key_rep *dst);
void Crypto_joint_public_key_copy(struct joint_public_key_rep *dst,
struct joint_public_key_rep const *src);
@ -84,29 +126,98 @@ void Crypto_generate_joint_public_key(struct joint_public_key_rep *dst,
struct encryption_rep
{
struct uint4096_s nonce_encoding;
struct uint4096_s message_encoding;
mpz_t nonce_encoding;
mpz_t message_encoding;
};
void Crypto_encrypt(struct encryption_rep *out, RandomSource source, const struct joint_public_key_rep *key, const_uint4096 message);
void Crypto_encrypt(struct encryption_rep *out, mpz_t out_nonce,
RandomSource source, const struct joint_public_key_rep *key,
mpz_t message);
void Crypto_encryption_homomorphic_zero(struct encryption_rep *out);
void Crypto_encryption_homomorphic_add(struct encryption_rep *out, const struct encryption_rep *a, const struct encryption_rep *b);
void Crypto_encryption_homomorphic_add(struct encryption_rep *out,
const struct encryption_rep *a,
const struct encryption_rep *b);
bool Crypto_encryption_fprint(FILE *out, const struct encryption_rep *rep);
struct cp_proof_rep
{
struct encryption_rep commitment;
struct hash challenge;
mpz_t response;
};
struct dis_proof_rep
{
//TODO if we use arrays for commitments and challenges we can clean
//up quite a bit of code in the proof work
struct encryption_rep commitment0;
struct encryption_rep commitment1;
struct hash challenge;
mpz_t challenge0;
mpz_t challenge1;
mpz_t response0;
mpz_t response1;
};
void Crypto_dis_proof_new(struct dis_proof_rep *dst);
void Crypto_dis_proof_free(struct dis_proof_rep *dst);
_Bool Crypto_check_aggregate_cp_proof(struct cp_proof_rep proof,
struct encryption_rep encryption,
struct hash base_hash, mpz_t public_key);
void Crypto_generate_aggregate_cp_proof(struct cp_proof_rep *result,
RandomSource source, mpz_t nonce,
struct encryption_rep encryption,
struct hash base_hash,
mpz_t public_key);
void Crypto_generate_decryption_cp_proof(
struct cp_proof_rep *result, mpz_t secret_key,
mpz_t partial_decryption, struct encryption_rep aggregate_encryption,
struct hash base_hash);
void Crypto_generate_dis_proof(struct dis_proof_rep *result,
RandomSource source, struct hash base_hash,
bool selected, mpz_t public_key,
struct encryption_rep encryption, mpz_t nonce);
void Crypto_check_decryption_cp_proof(
struct cp_proof_rep proof, mpz_t public_key, mpz_t partial_decryption,
struct encryption_rep aggregate_encryption, struct hash base_hash);
bool Crypto_check_dis_proof(struct dis_proof_rep proof,
struct encryption_rep encryption,
struct hash base_hash, mpz_t public_key);
void Crypto_cp_proof_new(struct cp_proof_rep *dst);
void Crypto_cp_proof_free(struct cp_proof_rep *dst);
struct encrypted_ballot_rep
{
uint64_t id;
uint32_t num_selections;
struct encryption_rep *selections;
struct dis_proof_rep *dis_proof;
struct cp_proof_rep cp_proof;
};
struct Crypto_encrypted_ballot_new_r {
struct Crypto_encrypted_ballot_new_r
{
enum Crypto_status status;
struct encrypted_ballot_rep result;
};
struct Crypto_encrypted_ballot_new_r Crypto_encrypted_ballot_new(uint32_t num_selections, uint64_t id);
int mpz_t_fscan(FILE *in, mpz_t out);
void Crypto_encryption_rep_new(struct encryption_rep *dst);
void Crypto_encryption_rep_free(struct encryption_rep *dst);
void Crypto_encryption_rep_copy(struct encryption_rep *dst,
struct encryption_rep *src);
struct Crypto_encrypted_ballot_new_r
Crypto_encrypted_ballot_new(uint32_t num_selections, uint64_t id);
void Crypto_encrypted_ballot_free(struct encrypted_ballot_rep *ballot);
#endif /* __CRYPTO_REPS_H__ */

80
src/electionguard/decryption/coordinator.c
Просмотреть файл

@ -72,6 +72,11 @@ Decryption_Coordinator_receive_share(Decryption_Coordinator c,
struct decryption_share_rep share_rep;
for (int i = 0; i < MAX_SELECTIONS; i++)
{
Crypto_encryption_rep_new(&share_rep.tally_share[i]);
}
// Deserialize the input
{
struct serialize_state state = {
@ -96,22 +101,44 @@ Decryption_Coordinator_receive_share(Decryption_Coordinator c,
status = DECRYPTION_COORDINATOR_DUPLICATE_TRUSTEE_INDEX;
}
if (status == DECRYPTION_COORDINATOR_SUCCESS) {
if (status == DECRYPTION_COORDINATOR_SUCCESS)
{
c->anounced[share_rep.trustee_index] = true;
if(c->tallies_initialized) {
if(share_rep.num_tallies != c->num_tallies) {
// We check to see if this is the first time through
if (c->tallies_initialized)
{
// If it is, we add in the shares for the new tally
if (share_rep.num_tallies != c->num_tallies)
{
status = DECRYPTION_COORDINATOR_CONFUSED_DECRYPTION_TRUSTEE;
}
for(size_t i = 0; i < share_rep.num_tallies && DECRYPTION_COORDINATOR_SUCCESS == status; i++) {
uint4096_multmod_o(&c->tallies[i].nonce_encoding, &c->tallies[i].nonce_encoding, &share_rep.tally_share[i].nonce_encoding, Modulus4096_modulus_default);
if(!uint4096_eq(&c->tallies[i].message_encoding, &share_rep.tally_share[i].message_encoding))
for (size_t i = 0; i < share_rep.num_tallies &&
DECRYPTION_COORDINATOR_SUCCESS == status;
i++)
{
mul_mod_p(c->tallies[i].nonce_encoding,
c->tallies[i].nonce_encoding,
share_rep.tally_share[i].nonce_encoding);
if (!(0 == mpz_cmp(c->tallies[i].message_encoding,
share_rep.tally_share[i].message_encoding)))
status = DECRYPTION_COORDINATOR_CONFUSED_DECRYPTION_TRUSTEE;
// printf("Comparing message encodings\n");
// print_base16(c->tallies[i].message_encoding);
// print_base16(share_rep.tally_share[i].message_encoding);
}
} else {
}
else
{
//If this is the first one, we just copy them over
c->num_tallies = share_rep.num_tallies;
for(size_t i = 0; i < share_rep.num_tallies; i++) {
uint4096_copy_o(&c->tallies[i].nonce_encoding, &share_rep.tally_share[i].nonce_encoding);
uint4096_copy_o(&c->tallies[i].message_encoding, &share_rep.tally_share[i].message_encoding);
for (size_t i = 0; i < share_rep.num_tallies; i++)
{
Crypto_encryption_rep_new(&c->tallies[i]);
mpz_set(c->tallies[i].nonce_encoding,
share_rep.tally_share[i].nonce_encoding);
mpz_set(c->tallies[i].message_encoding,
share_rep.tally_share[i].message_encoding);
}
c->tallies_initialized = true;
}
@ -312,21 +339,42 @@ Decryption_Coordinator_all_fragments_received(Decryption_Coordinator c,
for (uint64_t i = 0;
i < c->num_tallies && status == DECRYPTION_COORDINATOR_SUCCESS; i++)
{
// TODO: the division and discrete log parts of the decryption
mpz_t M, decrypted_tally;
mpz_init(M);
mpz_init(decrypted_tally);
// At this point, the message encoding is the same for all
// of the trustees (confirmed, B in the document), and
// the nonce encoding has been accumulated by product
// as messages have come from trustees. Each trustee
// sent their nonce encoding raised to their secret key
div_mod_p(M, c->tallies[i].message_encoding, c->tallies[i].nonce_encoding);
//This M should be equal to g^tally
log_generator_mod_p(decrypted_tally, M);
printf("Tally %lu \n", mpz_get_ui(decrypted_tally));
const char *preamble_format = "tally %" PRIu64 ": ";
const int expected_len = snprintf(NULL, 0, preamble_format, i);
if(fprintf(out, preamble_format, i) < expected_len)
if (fprintf(out, preamble_format, i) < expected_len)
status = DECRYPTION_COORDINATOR_IO_ERROR;
if(DECRYPTION_COORDINATOR_SUCCESS == status) {
if(!Crypto_encryption_fprint(out, &c->tallies[i])) {
if (DECRYPTION_COORDINATOR_SUCCESS == status)
{
if (!Crypto_encryption_fprint(out, &c->tallies[i]))
{
status = DECRYPTION_COORDINATOR_IO_ERROR;
}
}
if(DECRYPTION_COORDINATOR_SUCCESS == status) {
if(fprintf(out, "\n") < 1) {
if (DECRYPTION_COORDINATOR_SUCCESS == status)
{
if (fprintf(out, "\n") < 1)
{
status = DECRYPTION_COORDINATOR_IO_ERROR;
}
}

1
src/electionguard/decryption/message_reps.h
Просмотреть файл

@ -12,6 +12,7 @@ struct decryption_share_rep
uint32_t trustee_index;
uint64_t num_tallies;
struct encryption_rep tally_share[MAX_SELECTIONS];
struct cp_proof_rep cp_proofs[MAX_SELECTIONS];
};
struct decryption_fragments_request_rep

101
src/electionguard/decryption/trustee.c
Просмотреть файл

@ -19,11 +19,13 @@ struct Decryption_Trustee_s
struct encryption_rep tallies[MAX_SELECTIONS];
//@secret the private key must not be leaked from the system
struct private_key private_key;
struct hash base_hash;
};
struct Decryption_Trustee_new_r
Decryption_Trustee_new(uint32_t num_trustees, uint32_t threshold,
uint32_t num_selections, struct trustee_state message)
uint32_t num_selections, struct trustee_state message,
raw_hash base_hash)
{
struct Decryption_Trustee_new_r result;
result.status = DECRYPTION_TRUSTEE_SUCCESS;
@ -34,6 +36,7 @@ Decryption_Trustee_new(uint32_t num_trustees, uint32_t threshold,
struct trustee_state_rep state_rep;
Crypto_private_key_init(&state_rep.private_key, threshold);
// Deserialize the input
{
struct serialize_state state = {
@ -57,6 +60,12 @@ Decryption_Trustee_new(uint32_t num_trustees, uint32_t threshold,
result.status = DECRYPTION_TRUSTEE_INSUFFICIENT_MEMORY;
}
if (result.status == DECRYPTION_TRUSTEE_SUCCESS)
{
mpz_init(result.decryptor->base_hash.digest);
Crypto_hash_reduce(&result.decryptor->base_hash, base_hash);
}
// Initialize the trustee
if (result.status == DECRYPTION_TRUSTEE_SUCCESS)
{
@ -64,9 +73,12 @@ Decryption_Trustee_new(uint32_t num_trustees, uint32_t threshold,
result.decryptor->threshold = threshold;
result.decryptor->num_selections = num_selections;
result.decryptor->index = state_rep.index;
for(size_t i = 0; i < MAX_SELECTIONS; i++) {
for (size_t i = 0; i < MAX_SELECTIONS; i++)
{
Crypto_encryption_rep_new(&result.decryptor->tallies[i]);
Crypto_encryption_homomorphic_zero(&result.decryptor->tallies[i]);
}
Crypto_private_key_init(&result.decryptor->private_key, threshold);
Crypto_private_key_copy(&result.decryptor->private_key,
&state_rep.private_key);
}
@ -74,11 +86,22 @@ Decryption_Trustee_new(uint32_t num_trustees, uint32_t threshold,
return result;
}
void Decryption_Trustee_free(Decryption_Trustee d) { free(d); }
void Decryption_Trustee_free(Decryption_Trustee d)
{
for (size_t i = 0; i < MAX_SELECTIONS; i++)
{
Crypto_encryption_rep_free(&d->tallies[i]);
}
Crypto_private_key_free(&d->private_key, d->threshold);
mpz_clear(d->base_hash.digest);
free(d);
}
static enum Decryption_Trustee_status
Decryption_Trustee_read_ballot(FILE *in, uint64_t *ballot_id, bool *cast,
uint32_t num_selections, struct encryption_rep *selections)
uint32_t num_selections,
struct encryption_rep *selections)
{
enum Decryption_Trustee_status status = DECRYPTION_TRUSTEE_SUCCESS;
@ -98,24 +121,30 @@ Decryption_Trustee_read_ballot(FILE *in, uint64_t *ballot_id, bool *cast,
if (0 != num_read) // can this actually happen????
status = DECRYPTION_TRUSTEE_IO_ERROR;
if(DECRYPTION_TRUSTEE_SUCCESS == status) {
if(!uint4096_fscan(in, &selections[i].nonce_encoding))
if (DECRYPTION_TRUSTEE_SUCCESS == status)
{
if (!mpz_t_fscan(in, selections[i].nonce_encoding))
status = DECRYPTION_TRUSTEE_IO_ERROR;
}
if(DECRYPTION_TRUSTEE_SUCCESS == status) {
if (DECRYPTION_TRUSTEE_SUCCESS == status)
{
num_read = fscanf(in, ",");
if(0 != num_read) status = DECRYPTION_TRUSTEE_IO_ERROR;
}
if(DECRYPTION_TRUSTEE_SUCCESS == status) {
if(!uint4096_fscan(in, &selections[i].message_encoding))
if (0 != num_read)
status = DECRYPTION_TRUSTEE_IO_ERROR;
}
if(DECRYPTION_TRUSTEE_SUCCESS == status) {
if (DECRYPTION_TRUSTEE_SUCCESS == status)
{
if (!mpz_t_fscan(in, selections[i].message_encoding))
status = DECRYPTION_TRUSTEE_IO_ERROR;
}
if (DECRYPTION_TRUSTEE_SUCCESS == status)
{
num_read = fscanf(in, ")");
if(0 != num_read) status = DECRYPTION_TRUSTEE_IO_ERROR;
if (0 != num_read)
status = DECRYPTION_TRUSTEE_IO_ERROR;
}
}
@ -126,7 +155,8 @@ static void Decryption_Trustee_accum_tally(Decryption_Trustee d,
struct encryption_rep *selections)
{
for (size_t i = 0; i < d->num_selections; i++)
Crypto_encryption_homomorphic_add(&d->tallies[i], &d->tallies[i], &selections[i]);
Crypto_encryption_homomorphic_add(&d->tallies[i], &d->tallies[i],
&selections[i]);
}
enum Decryption_Trustee_status
@ -157,6 +187,11 @@ Decryption_Trustee_tally_voting_record(Decryption_Trustee d, FILE *in)
bool cast;
struct encryption_rep selections[MAX_SELECTIONS];
for (int j = 0; j < MAX_SELECTIONS; j++)
{
Crypto_encryption_rep_new(&selections[j]);
}
status = Decryption_Trustee_read_ballot(in, &ballot_id, &cast,
d->num_selections, selections);
@ -178,11 +213,36 @@ Decryption_Trustee_compute_share(Decryption_Trustee d)
struct decryption_share_rep share_rep;
share_rep.trustee_index = d->index;
share_rep.num_tallies = d->num_selections;
for(size_t i = 0; i < d->num_selections; i++) {
uint4096_powmod_o(&share_rep.tally_share[i].nonce_encoding, &d->tallies[i].nonce_encoding, &d->private_key.coefficients[0], Modulus4096_modulus_default);
uint4096_copy_o(&share_rep.tally_share[i].message_encoding, &d->tallies[i].message_encoding);
for (size_t i = 0; i < d->num_selections; i++)
{
Crypto_encryption_rep_new(&share_rep.tally_share[i]);
pow_mod_p(share_rep.tally_share[i].nonce_encoding,
d->tallies[i].nonce_encoding,
d->private_key.coefficients[0]);
mpz_set(share_rep.tally_share[i].message_encoding,
d->tallies[i].message_encoding);
//Generate the proof
Crypto_cp_proof_new(&share_rep.cp_proofs[i]);
Crypto_generate_decryption_cp_proof(
&share_rep.cp_proofs[i], d->private_key.coefficients[0],
share_rep.tally_share[i].nonce_encoding, d->tallies[i],
d->base_hash);
//Reconstruct the public key to sanity check the proof
mpz_t public_key;
mpz_init(public_key);
pow_mod_p(public_key, generator, d->private_key.coefficients[0]);
Crypto_check_decryption_cp_proof(
share_rep.cp_proofs[i], public_key,
share_rep.tally_share[i].nonce_encoding, d->tallies[i],
d->base_hash);
mpz_clear(public_key);
}
//printf("Trustee %d sending 0th\n", d->index);
// print_base16(share_rep.tally_share[0].nonce_encoding);
// print_base16(share_rep.tally_share[0].message_encoding);
// Serialize the message
struct serialize_state state = {
.status = SERIALIZE_STATE_RESERVING,
@ -204,6 +264,11 @@ Decryption_Trustee_compute_share(Decryption_Trustee d)
.bytes = state.buf,
};
}
for (size_t i = 0; i < d->num_selections; i++)
{
Crypto_encryption_rep_free(&share_rep.tally_share[i]);
}
}
return result;

59
src/electionguard/keyceremony/coordinator.c
Просмотреть файл

@ -82,12 +82,26 @@ KeyCeremony_Coordinator_new(uint32_t num_trustees, uint32_t threshold)
result.coordinator->threshold = threshold;
KeyCeremony_Coordinator_clear_seen(result.coordinator);
}
for(int i=0; i<num_trustees; i++){
Crypto_public_key_new(&result.coordinator->public_keys[i], threshold);
for(int j=0; j < num_trustees; j++){
Crypto_encrypted_key_share_init(&result.coordinator->shares[i][j], threshold);
}
}
}
return result;
}
void KeyCeremony_Coordinator_free(KeyCeremony_Coordinator c) { free(c); }
void KeyCeremony_Coordinator_free(KeyCeremony_Coordinator c) {
for(int i=0; i<c->threshold; i++){
Crypto_public_key_free(&c->public_keys[i],c->threshold);
for(int j=0; j < c->num_trustees; j++){
Crypto_encrypted_key_share_free(&c->shares[i][j], c->threshold);
}
}
free(c);
}
enum KeyCeremony_Coordinator_status
KeyCeremony_Coordinator_receive_key_generated(
@ -106,6 +120,8 @@ KeyCeremony_Coordinator_receive_key_generated(
.buf = (uint8_t *)message.bytes,
};
message_rep.public_key.threshold = c->threshold;
Crypto_public_key_new(&message_rep.public_key, c->threshold);
Serialize_read_key_generated(&state, &message_rep);
if (state.status != SERIALIZE_STATE_READING)
@ -117,12 +133,21 @@ KeyCeremony_Coordinator_receive_key_generated(
status = KeyCeremony_Coordinator_assert_index_unseen(
c, message_rep.trustee_index);
// Check the schnorr proof
if (status == KEYCEREMONY_COORDINATOR_SUCCESS){
//We'll need to pass the base hash once that function checks
//the hash
Crypto_check_keypair_proof(message_rep.public_key, NULL);
}
// Mark message->trustee_index as seen and store the public key
if (status == KEYCEREMONY_COORDINATOR_SUCCESS)
{
c->seen[message_rep.trustee_index] = true;
Crypto_public_key_copy(&c->public_keys[message_rep.trustee_index],
&message_rep.public_key);
Crypto_public_key_free(&message_rep.public_key,c->threshold); //TODO paradigm for freeing on failure
}
return status;
@ -147,9 +172,12 @@ KeyCeremony_Coordinator_all_keys_received(KeyCeremony_Coordinator c)
struct all_keys_received_rep message_rep;
message_rep.num_trustees = c->num_trustees;
for (uint32_t i = 0; i < c->num_trustees; i++)
for (uint32_t i = 0; i < c->num_trustees; i++){
message_rep.public_keys[i].threshold = c->threshold;
Crypto_public_key_new(&message_rep.public_keys[i],c->threshold);
Crypto_public_key_copy(&message_rep.public_keys[i],
&c->public_keys[i]);
}
// Serialize the message
struct serialize_state state = {
@ -172,6 +200,9 @@ KeyCeremony_Coordinator_all_keys_received(KeyCeremony_Coordinator c)
.bytes = state.buf,
};
}
for (uint32_t i = 0; i < c->num_trustees; i++){
Crypto_public_key_free(&message_rep.public_keys[i], c->threshold);
}
}
return result;
@ -209,10 +240,11 @@ KeyCeremony_Coordinator_receive_shares_generated(
{
c->seen[message_rep.trustee_index] = true;
for (uint32_t i = 0; i < c->num_trustees; i++)
Crypto_encrypted_key_share_copy(
&c->shares[message_rep.trustee_index][i],
&message_rep.shares[i]);
// Not doing thresholding
// for (uint32_t i = 0; i < c->num_trustees; i++)
// Crypto_encrypted_key_share_copy(
// &c->shares[message_rep.trustee_index][i],
// &message_rep.shares[i]);
}
return status;
@ -237,10 +269,13 @@ KeyCeremony_Coordinator_all_shares_received(KeyCeremony_Coordinator c)
struct all_shares_received_rep message_rep;
message_rep.num_trustees = c->num_trustees;
for (uint32_t i = 0; i < c->num_trustees; i++)
for (uint32_t j = 0; j < c->num_trustees; j++)
/*for (uint32_t i = 0; i < c->num_trustees; i++){
for (uint32_t j = 0; j < c->num_trustees; j++){
Crypto_encrypted_key_share_init(&message_rep.shares[i][j], c->threshold);
Crypto_encrypted_key_share_copy(&message_rep.shares[i][j],
&c->shares[i][j]);
}
}*/
// Serialize the message
struct serialize_state state = {
@ -264,7 +299,7 @@ KeyCeremony_Coordinator_all_shares_received(KeyCeremony_Coordinator c)
};
}
}
//TODO Free message rep
return result;
}
@ -321,7 +356,7 @@ KeyCeremony_Coordinator_publish_joint_key(KeyCeremony_Coordinator c)
{
// Build the message
struct joint_public_key_rep joint_key;
Crypto_joint_public_key_init(&joint_key);
Crypto_generate_joint_public_key(&joint_key, c->public_keys,
c->num_trustees);
@ -346,6 +381,8 @@ KeyCeremony_Coordinator_publish_joint_key(KeyCeremony_Coordinator c)
.bytes = state.buf,
};
}
Crypto_joint_public_key_free(&joint_key);
}
return result;

5
src/electionguard/keyceremony/message_reps.h
Просмотреть файл

@ -21,13 +21,14 @@ struct shares_generated_rep
{
uint32_t trustee_index;
uint32_t num_trustees;
struct encrypted_key_share shares[MAX_TRUSTEES];
//struct encrypted_key_share shares[MAX_TRUSTEES]; TODO this needs to
//be back for thresholding
};
struct all_shares_received_rep
{
uint32_t num_trustees;
struct encrypted_key_share shares[MAX_TRUSTEES][MAX_TRUSTEES];
//struct encrypted_key_share shares[MAX_TRUSTEES][MAX_TRUSTEES];
};
struct shares_verified_rep

70
src/electionguard/keyceremony/trustee.c
Просмотреть файл

@ -47,22 +47,35 @@ struct KeyCeremony_Trustee_new_r KeyCeremony_Trustee_new(uint32_t num_trustees,
result.trustee->num_trustees = num_trustees;
result.trustee->threshold = threshold;
result.trustee->index = index;
Crypto_private_key_init(&result.trustee->private_key, threshold);
for(int i=0; i<threshold; i++){
Crypto_public_key_new(&result.trustee->public_keys[i], threshold);
}
}
return result;
}
void KeyCeremony_Trustee_free(KeyCeremony_Trustee t) { free(t); }
void KeyCeremony_Trustee_free(KeyCeremony_Trustee t) {
Crypto_private_key_free(&t->private_key, t->threshold);
for(int i=0; i<t->threshold; i++){
Crypto_public_key_free(&t->public_keys[i], t->threshold);
}
free(t);
}
struct KeyCeremony_Trustee_generate_key_r
KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t)
KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t, raw_hash base_hash_code)
{
struct KeyCeremony_Trustee_generate_key_r result;
result.status = KEYCEREMONY_TRUSTEE_SUCCESS;
// Generate the keypair
struct Crypto_gen_keypair_r crypto_result =
Crypto_gen_keypair(t->threshold);
Crypto_gen_keypair(t->threshold, base_hash_code);
// check that we generated good proofs (right now this call crashes if the proofs fail)
Crypto_check_keypair_proof(crypto_result.public_key, base_hash_code);
switch (crypto_result.status)
{
case CRYPTO_INSUFFICIENT_MEMORY:
@ -80,6 +93,11 @@ KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t)
Crypto_private_key_copy(&t->private_key, &crypto_result.private_key);
Crypto_public_key_copy(&t->public_keys[t->index],
&crypto_result.public_key);
printf("Trustee %d generated public key:\n", t->index);
print_base16(t->public_keys[t->index].coef_commitments[0]);
// printf("Trustee %d generated private key:\n", t->index);
// print_base16(t->private_key.coefficients[0]);
}
if (result.status == KEYCEREMONY_TRUSTEE_SUCCESS)
@ -88,6 +106,8 @@ KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t)
struct key_generated_rep message_rep;
message_rep.trustee_index = t->index;
message_rep.public_key.threshold = t->threshold;
Crypto_public_key_new(&message_rep.public_key,t->threshold);
Crypto_public_key_copy(&message_rep.public_key,
&t->public_keys[t->index]);
@ -103,6 +123,7 @@ KeyCeremony_Trustee_generate_key(KeyCeremony_Trustee t)
Serialize_allocate(&state);
Serialize_write_key_generated(&state, &message_rep);
Crypto_public_key_free(&message_rep.public_key, t->threshold);
if (state.status != SERIALIZE_STATE_WRITING)
result.status = KEYCEREMONY_TRUSTEE_SERIALIZE_ERROR;
else
@ -135,6 +156,9 @@ KeyCeremony_Trustee_generate_shares(KeyCeremony_Trustee t,
.buf = (uint8_t *)in_message.bytes,
};
for(int i=0; i<t->num_trustees; i++){
Crypto_public_key_new(&in_message_rep.public_keys[i],t->threshold);
}
Serialize_read_all_keys_received(&state, &in_message_rep);
if (state.status != SERIALIZE_STATE_READING)
@ -149,9 +173,11 @@ KeyCeremony_Trustee_generate_shares(KeyCeremony_Trustee t,
// Copy other public keys into my state
if (result.status == KEYCEREMONY_TRUSTEE_SUCCESS)
for (uint32_t i = 0; i < t->num_trustees; i++)
for (uint32_t i = 0; i < t->num_trustees; i++){
Crypto_public_key_copy(&t->public_keys[i],
&in_message_rep.public_keys[i]);
Crypto_public_key_free(&in_message_rep.public_keys[i], t->threshold);
}
if (result.status == KEYCEREMONY_TRUSTEE_SUCCESS)
{
@ -160,14 +186,17 @@ KeyCeremony_Trustee_generate_shares(KeyCeremony_Trustee t,
out_message_rep.trustee_index = t->index;
out_message_rep.num_trustees = t->num_trustees;
for (uint32_t i = 0; i < t->num_trustees; i++)
{
Crypto_private_key_copy(&out_message_rep.shares[i].private_key,
&t->private_key);
Crypto_public_key_copy(
&out_message_rep.shares[i].recipient_public_key,
&t->public_keys[i]);
}
//re-add for thresholding
//for (uint32_t i = 0; i < t->num_trustees; i++)
// {
// Crypto_private_key_init(&out_message_rep.shares[i].private_key, t->threshold);
// Crypto_private_key_copy(&out_message_rep.shares[i].private_key,
// &t->private_key);
// Crypto_public_key_init(&out_message_rep.shares[i].recipient_public_key, t->threshold);
// Crypto_public_key_copy(
// &out_message_rep.shares[i].recipient_public_key,
// &t->public_keys[i]);
// }
// Serialize the message
struct serialize_state state = {
@ -191,7 +220,6 @@ KeyCeremony_Trustee_generate_shares(KeyCeremony_Trustee t,
};
}
}
return result;
}
@ -214,6 +242,11 @@ KeyCeremony_Trustee_verify_shares(KeyCeremony_Trustee t,
.buf = (uint8_t *)in_message.bytes,
};
// for(int i=0; i<t->num_trustees; i++){
// for(int j=0; j<t->num_trustees; j++){
// Crypto_encrypted_key_share_init(&in_message_rep.shares[i][j], t->threshold);
// }
// }
Serialize_read_all_shares_received(&state, &in_message_rep);
if (state.status != SERIALIZE_STATE_READING)
@ -224,11 +257,12 @@ KeyCeremony_Trustee_verify_shares(KeyCeremony_Trustee t,
// previously received
for (uint32_t i = 0; i < t->threshold; i++)
{
/* Disabled since we aren't using shares for now
struct encrypted_key_share share = in_message_rep.shares[t->index][i];
if (!Crypto_public_key_equal(&share.recipient_public_key,
&t->public_keys[i]))
result.status = KEYCEREMONY_TRUSTEE_INVALID_KEY_SHARE;
*/
}
if (result.status == KEYCEREMONY_TRUSTEE_SUCCESS)
@ -260,6 +294,11 @@ KeyCeremony_Trustee_verify_shares(KeyCeremony_Trustee t,
.bytes = state.buf,
};
}
// for(int i=0; i<t->num_trustees; i++){
// for(int j=0; j<t->num_trustees; j++){
// Crypto_encrypted_key_share_free(&in_message_rep.shares[i][j], t->threshold);
// }
// }
}
return result;
@ -274,6 +313,7 @@ KeyCeremony_Trustee_export_state(KeyCeremony_Trustee t)
{
struct trustee_state_rep rep;
rep.index = t->index;
Crypto_private_key_init(&rep.private_key,t->threshold);
Crypto_private_key_copy(&rep.private_key, &t->private_key);
// Serialize the message
@ -297,6 +337,8 @@ KeyCeremony_Trustee_export_state(KeyCeremony_Trustee t)
.bytes = state.buf,
};
}
Crypto_private_key_free(&rep.private_key, t->threshold);
}
return result;

12
src/electionguard/random_source.c
Просмотреть файл

@ -99,3 +99,15 @@ struct RandomSource_uniform_r RandomSource_uniform(RandomSource source) {
return result;
}
//4096 random bits into a mpz_t
enum RandomSource_status RandomSource_uniform_bignum_o(mpz_t out, RandomSource source){
struct RandomSource_uniform_r result = RandomSource_uniform(source);
if(RANDOM_SOURCE_SUCCESS == result.status){
import_uint4096(out, result.result);
free(result.result);
}
return result.status;
}

2
src/electionguard/random_source.h.in
Просмотреть файл

@ -1,6 +1,7 @@
#pragma once
#include "uint4096.h"
#include "bignum.h"
#cmakedefine HAVE_BCRYPTGENRANDOM
@ -30,3 +31,4 @@ struct RandomSource_uniform_r {
// inclusive.
struct RandomSource_uniform_r RandomSource_uniform(RandomSource source);
enum RandomSource_status RandomSource_uniform_o(RandomSource source, uint4096 out);
enum RandomSource_status RandomSource_uniform_bignum_o(mpz_t out, RandomSource source);

191
src/electionguard/serialize/crypto.c
Просмотреть файл

@ -1,24 +1,93 @@
#include <stdlib.h>
#include "serialize/crypto.h"
#include "serialize/builtins.h"
#include <assert.h>
#include <stdlib.h>
void Serialize_reserve_uint4096(struct serialize_state *state, const_uint4096 data)
void Serialize_reserve_uint4096(struct serialize_state *state,
const_uint4096 data)
{
for (uint32_t i = 0; i < UINT4096_WORD_COUNT; i++)
Serialize_reserve_uint64(state, &data->words[i]);
Serialize_reserve_uint64(state, NULL);
}
void Serialize_write_uint4096(struct serialize_state *state, const_uint4096 data)
void Serialize_write_uint4096(struct serialize_state *state, const mpz_t data)
{
uint4096 tmp = export_to_uint4096(data);
for (uint32_t i = 0; i < UINT4096_WORD_COUNT; i++)
Serialize_write_uint64(state, &data->words[i]);
{
Serialize_write_uint64(state, &tmp->words[i]);
}
free(tmp);
}
void Serialize_read_uint4096(struct serialize_state *state, uint4096 data)
void Serialize_reserve_hash(struct serialize_state *state)
{
//Divide by 8 because were going to do this in 64s
for (uint32_t i = 0; i < SHA256_DIGEST_LENGTH / 8; i++)
Serialize_reserve_uint64(state, NULL);
}
void Serialize_write_hash(struct serialize_state *state, struct hash data)
{
uint64_t *tmp = export_to_256(data.digest);
for (uint32_t i = 0; i < SHA256_DIGEST_LENGTH / 8; i++)
{
Serialize_write_uint64(state, &tmp[i]);
}
free(tmp);
}
void Serialize_read_hash(struct serialize_state *state, struct hash *data)
{
uint8_t *tmp = malloc(sizeof(uint8_t) * 32);
for (uint32_t i = 0; i < SHA256_DIGEST_LENGTH; i++)
{
Serialize_read_uint8(state, &tmp[i]);
}
Crypto_hash_reduce(data, tmp);
free(tmp);
}
uint8_t *Serialize_reserve_write_hash(struct hash in)
{
struct serialize_state state = {.status = SERIALIZE_STATE_RESERVING,
.len = 0,
.offset = 0,
.buf = NULL};
Serialize_reserve_hash(&state);
Serialize_allocate(&state);
Serialize_write_hash(&state, in);
assert(state.len == 32);
return state.buf;
}
uint8_t *Serialize_reserve_write_bignum(mpz_t in)
{
struct serialize_state state = {.status = SERIALIZE_STATE_RESERVING,
.len = 0,
.offset = 0,
.buf = NULL};
Serialize_reserve_uint4096(&state, NULL);
Serialize_allocate(&state);
Serialize_write_uint4096(&state, in);
assert(state.len == 512);
return state.buf;
}
void Serialize_read_uint4096(struct serialize_state *state, mpz_t data)
{
uint4096 tmp = malloc(sizeof(struct uint4096_s));
for (uint32_t i = 0; i < UINT4096_WORD_COUNT; i++)
Serialize_read_uint64(state, &data->words[i]);
// TODO: check that the key is in the right range??
{
Serialize_read_uint64(state, &tmp->words[i]);
}
import_uint4096(data, tmp);
free(tmp);
// TODO: check that the value is in the right range??
}
void Serialize_reserve_private_key(struct serialize_state *state,
@ -26,7 +95,7 @@ void Serialize_reserve_private_key(struct serialize_state *state,
{
Serialize_reserve_uint32(state, &data->threshold);
for (uint32_t i = 0; i < data->threshold; i++)
Serialize_reserve_uint4096(state, &data->coefficients[i]);
Serialize_reserve_uint4096(state, NULL);
}
void Serialize_write_private_key(struct serialize_state *state,
@ -34,7 +103,9 @@ void Serialize_write_private_key(struct serialize_state *state,
{
Serialize_write_uint32(state, &data->threshold);
for (uint32_t i = 0; i < data->threshold; i++)
Serialize_write_uint4096(state, &data->coefficients[i]);
{
Serialize_write_uint4096(state, data->coefficients[i]);
}
}
void Serialize_read_private_key(struct serialize_state *state,
@ -42,7 +113,59 @@ void Serialize_read_private_key(struct serialize_state *state,
{
Serialize_read_uint32(state, &data->threshold);
for (uint32_t i = 0; i < data->threshold; i++)
Serialize_read_uint4096(state, &data->coefficients[i]);
{
Serialize_read_uint4096(state, data->coefficients[i]);
}
}
void Serialize_reserve_schnorr_proof(struct serialize_state *state,
struct schnorr_proof const *data)
{
Serialize_reserve_uint32(state, NULL); //threshold
for (int i = 0; i < data->threshold; i++)
{
Serialize_reserve_uint4096(state, NULL); //commitments
}
Serialize_reserve_hash(state); //challenge
for (int i = 0; i < data->threshold; i++)
{
Serialize_reserve_uint4096(state, NULL); //challenge_responses
}
}
void Serialize_write_schnorr_proof(struct serialize_state *state,
struct schnorr_proof const *data)
{
Serialize_write_uint32(state, &data->threshold);
for (int i = 0; i < data->threshold; i++)
{
Serialize_write_uint4096(state, data->commitments[i]);
}
Serialize_write_hash(state, data->challenge);
for (int i = 0; i < data->threshold; i++)
{
Serialize_write_uint4096(
state, data->challenge_responses[i]); //challenge_responses
}
}
void Serialize_read_schnorr_proof(struct serialize_state *state,
struct schnorr_proof *data)
{
Serialize_read_uint32(state, &data->threshold);
for (int i = 0; i < data->threshold; i++)
{
Serialize_read_uint4096(state, data->commitments[i]);
}
Serialize_read_hash(state, &data->challenge);
for (int i = 0; i < data->threshold; i++)
{
Serialize_read_uint4096(
state, data->challenge_responses[i]); //challenge_responses
}
}
void Serialize_reserve_public_key(struct serialize_state *state,
@ -50,7 +173,8 @@ void Serialize_reserve_public_key(struct serialize_state *state,
{
Serialize_reserve_uint32(state, &data->threshold);
for (uint32_t i = 0; i < data->threshold; i++)
Serialize_reserve_uint4096(state, &data->coef_commitments[i]);
Serialize_reserve_uint4096(state, NULL);
Serialize_reserve_schnorr_proof(state, &data->proof);
}
void Serialize_write_public_key(struct serialize_state *state,
@ -58,7 +182,10 @@ void Serialize_write_public_key(struct serialize_state *state,
{
Serialize_write_uint32(state, &data->threshold);
for (uint32_t i = 0; i < data->threshold; i++)
Serialize_write_uint4096(state, &data->coef_commitments[i]);
{
Serialize_write_uint4096(state, data->coef_commitments[i]);
}
Serialize_write_schnorr_proof(state, &data->proof);
}
void Serialize_read_public_key(struct serialize_state *state,
@ -66,7 +193,10 @@ void Serialize_read_public_key(struct serialize_state *state,
{
Serialize_read_uint32(state, &data->threshold);
for (uint32_t i = 0; i < data->threshold; i++)
Serialize_read_uint4096(state, &data->coef_commitments[i]);
{
Serialize_read_uint4096(state, data->coef_commitments[i]);
}
Serialize_read_schnorr_proof(state, &data->proof);
}
void Serialize_reserve_encrypted_key_share(
@ -94,42 +224,42 @@ void Serialize_reserve_joint_public_key(struct serialize_state *state,
struct joint_public_key_rep const *data)
{
Serialize_reserve_uint32(state, &data->num_trustees);
Serialize_reserve_uint4096(state, &data->public_key);
Serialize_reserve_uint4096(state, NULL);
}
void Serialize_write_joint_public_key(struct serialize_state *state,
struct joint_public_key_rep const *data)
{
Serialize_write_uint32(state, &data->num_trustees);
Serialize_write_uint4096(state, &data->public_key);
Serialize_write_uint4096(state, data->public_key);
}
void Serialize_read_joint_public_key(struct serialize_state *state,
struct joint_public_key_rep *data)
{
Serialize_read_uint32(state, &data->num_trustees);
Serialize_read_uint4096(state, &data->public_key);
Serialize_read_uint4096(state, data->public_key);
}
void Serialize_reserve_encryption(struct serialize_state *state,
struct encryption_rep const *data)
{
Serialize_reserve_uint4096(state, &data->nonce_encoding);
Serialize_reserve_uint4096(state, &data->message_encoding);
Serialize_reserve_uint4096(state, NULL);
Serialize_reserve_uint4096(state, NULL);
}
void Serialize_write_encryption(struct serialize_state *state,
struct encryption_rep const *data)
{
Serialize_write_uint4096(state, &data->nonce_encoding);
Serialize_write_uint4096(state, &data->message_encoding);
Serialize_write_uint4096(state, data->nonce_encoding);
Serialize_write_uint4096(state, data->message_encoding);
}
void Serialize_read_encryption(struct serialize_state *state,
struct encryption_rep *data)
{
Serialize_read_uint4096(state, &data->nonce_encoding);
Serialize_read_uint4096(state, &data->message_encoding);
Serialize_read_uint4096(state, data->nonce_encoding);
Serialize_read_uint4096(state, data->message_encoding);
}
void Serialize_reserve_encrypted_ballot(struct serialize_state *state,
@ -137,7 +267,8 @@ void Serialize_reserve_encrypted_ballot(struct serialize_state *state,
{
Serialize_reserve_uint64(state, &data->id);
Serialize_reserve_uint32(state, &data->num_selections);
for(uint32_t i = 0; i < data->num_selections; i++) {
for (uint32_t i = 0; i < data->num_selections; i++)
{
Serialize_reserve_encryption(state, &data->selections[i]);
}
}
@ -147,7 +278,8 @@ void Serialize_write_encrypted_ballot(struct serialize_state *state,
{
Serialize_write_uint64(state, &data->id);
Serialize_write_uint32(state, &data->num_selections);
for(uint32_t i = 0; i < data->num_selections; i++) {
for (uint32_t i = 0; i < data->num_selections; i++)
{
Serialize_write_encryption(state, &data->selections[i]);
}
}
@ -158,11 +290,16 @@ void Serialize_read_encrypted_ballot(struct serialize_state *state,
Serialize_read_uint64(state, &data->id);
Serialize_read_uint32(state, &data->num_selections);
data->selections = malloc(data->num_selections * sizeof(*data->selections));
if(NULL == data->selections) {
if (NULL == data->selections)
{
state->status = SERIALIZE_STATE_INSUFFICIENT_MEMORY;
}
for(uint32_t i = 0; i < data->num_selections && SERIALIZE_STATE_READING == state->status; i++) {
for (uint32_t i = 0;
i < data->num_selections && SERIALIZE_STATE_READING == state->status;
i++)
{
Crypto_encryption_rep_new(&data->selections[i]);
Serialize_read_encryption(state, &data->selections[i]);
}
}

22
src/electionguard/serialize/crypto.h
Просмотреть файл

@ -8,9 +8,17 @@
void Serialize_reserve_uint4096(struct serialize_state *state, const_uint4096 data);
void Serialize_write_uint4096(struct serialize_state *state, const_uint4096 data);
void Serialize_write_uint4096(struct serialize_state *state, const mpz_t data);
void Serialize_read_uint4096(struct serialize_state *state, mpz_t data);
void Serialize_reserve_hash(struct serialize_state *state);
void Serialize_write_hash(struct serialize_state *state, struct hash data);
uint8_t* Serialize_reserve_write_hash(struct hash in);
uint8_t *Serialize_reserve_write_bignum(mpz_t in);
void Serialize_read_uint4096(struct serialize_state *state, uint4096 data);
void Serialize_reserve_private_key(struct serialize_state *state,
struct private_key const *data);
@ -30,6 +38,16 @@ void Serialize_write_public_key(struct serialize_state *state,
void Serialize_read_public_key(struct serialize_state *state,
struct public_key *data);
void Serialize_reserve_schnorr_proof(struct serialize_state *state,
struct schnorr_proof const *data);
void Serialize_write_schnorr_proof(struct serialize_state *state,
struct schnorr_proof const *data);
void Serialize_read_schnorr_proof(struct serialize_state *state,
struct schnorr_proof *data);
void Serialize_reserve_encrypted_key_share(
struct serialize_state *state, struct encrypted_key_share const *data);

34
src/electionguard/serialize/keyceremony.c
Просмотреть файл

@ -52,8 +52,10 @@ void Serialize_reserve_shares_generated(struct serialize_state *state,
{
Serialize_reserve_uint32(state, &data->num_trustees);
Serialize_reserve_uint32(state, &data->trustee_index);
for (uint32_t i = 0; i < data->num_trustees; i++)
Serialize_reserve_encrypted_key_share(state, &data->shares[i]);
//disabled: no thresholding
// for (uint32_t i = 0; i < data->num_trustees; i++){
// Serialize_reserve_encrypted_key_share(state, &data->shares[i]);
// }
}
void Serialize_write_shares_generated(struct serialize_state *state,
@ -61,8 +63,9 @@ void Serialize_write_shares_generated(struct serialize_state *state,
{
Serialize_write_uint32(state, &data->num_trustees);
Serialize_write_uint32(state, &data->trustee_index);
for (uint32_t i = 0; i < data->num_trustees; i++)
Serialize_write_encrypted_key_share(state, &data->shares[i]);
// Not doing thresholding
// for (uint32_t i = 0; i < data->num_trustees; i++)
// Serialize_write_encrypted_key_share(state, &data->shares[i]);
}
void Serialize_read_shares_generated(struct serialize_state *state,
@ -70,35 +73,36 @@ void Serialize_read_shares_generated(struct serialize_state *state,
{
Serialize_read_uint32(state, &data->num_trustees);
Serialize_read_uint32(state, &data->trustee_index);
for (uint32_t i = 0; i < data->num_trustees; i++)
Serialize_read_encrypted_key_share(state, &data->shares[i]);
// not doing thresholding
// for (uint32_t i = 0; i < data->num_trustees; i++)
// Serialize_read_encrypted_key_share(state, &data->shares[i]);
}
void Serialize_reserve_all_shares_received(
struct serialize_state *state, struct all_shares_received_rep const *data)
{
Serialize_reserve_uint32(state, &data->num_trustees);
for (uint32_t i = 0; i < data->num_trustees; i++)
for (uint32_t j = 0; j < data->num_trustees; j++)
Serialize_reserve_encrypted_key_share(state, &data->shares[i][j]);
// for (uint32_t i = 0; i < data->num_trustees; i++)
// for (uint32_t j = 0; j < data->num_trustees; j++)
// Serialize_reserve_encrypted_key_share(state, &data->shares[i][j]);
}
void Serialize_write_all_shares_received(
struct serialize_state *state, struct all_shares_received_rep const *data)
{
Serialize_write_uint32(state, &data->num_trustees);
for (uint32_t i = 0; i < data->num_trustees; i++)
for (uint32_t j = 0; j < data->num_trustees; j++)
Serialize_write_encrypted_key_share(state, &data->shares[i][j]);
// for (uint32_t i = 0; i < data->num_trustees; i++)
// for (uint32_t j = 0; j < data->num_trustees; j++)
// Serialize_write_encrypted_key_share(state, &data->shares[i][j]);
}
void Serialize_read_all_shares_received(struct serialize_state *state,
struct all_shares_received_rep *data)
{
Serialize_read_uint32(state, &data->num_trustees);
for (uint32_t i = 0; i < data->num_trustees; i++)
for (uint32_t j = 0; j < data->num_trustees; j++)
Serialize_read_encrypted_key_share(state, &data->shares[i][j]);
// for (uint32_t i = 0; i < data->num_trustees; i++)
// for (uint32_t j = 0; j < data->num_trustees; j++)
// Serialize_read_encrypted_key_share(state, &data->shares[i][j]);
}
void Serialize_reserve_shares_verified(struct serialize_state *state,

908
src/electionguard/sha2-openbsd.c Normal file
Просмотреть файл

@ -0,0 +1,908 @@
/* $OpenBSD: sha2.c,v 1.8 2011/01/11 15:42:05 deraadt Exp $ */
/*
* FILE: sha2.c
* AUTHOR: Aaron D. Gifford <me@aarongifford.com>
*
* Copyright (c) 2000-2001, Aaron D. Gifford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
*/
//#include <sys/time.h>
//#include <sys/systm.h>
//#include <crypto/sha2.h>
#include "sha2-openbsd.h"
#ifdef NO_MEMSET_S
// See https://llvm.org/bugs/show_bug.cgi?id=15495
void force_memset(void *ptr, size_t len) {
memset(ptr, 0, len);
__asm__ __volatile__("" : : "g"(&ptr) : "memory");
}
#endif
/*
* UNROLLED TRANSFORM LOOP NOTE:
* You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
* loop version for the hash transform rounds (defined using macros
* later in this file). Either define on the command line, for example:
*
* cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
*
* or define below:
*
* #define SHA2_UNROLL_TRANSFORM
*
*/
/*** SHA-256/384/512 Machine Architecture Definitions *****************/
/*
* BYTE_ORDER NOTE:
*
* Please make sure that your system defines BYTE_ORDER. If your
* architecture is little-endian, make sure it also defines
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
* equivilent.
*
* If your system does not define the above, then you can do so by
* hand like this:
*
* #define LITTLE_ENDIAN 1234
* #define BIG_ENDIAN 4321
*
* And for little-endian machines, add:
*
* #define BYTE_ORDER LITTLE_ENDIAN
*
* Or for big-endian machines:
*
* #define BYTE_ORDER BIG_ENDIAN
*
* The FreeBSD machine this was written on defines BYTE_ORDER
* appropriately by including <sys/types.h> (which in turn includes
* <machine/endian.h> where the appropriate definitions are actually
* made).
*/
#define BYTE_ORDER LITTLE_ENDIAN
#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
#endif
/*** SHA-256/384/512 Various Length Definitions ***********************/
/* NOTE: Most of these are in sha2.h */
#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
/*** ENDIAN REVERSAL MACROS *******************************************/
#if BYTE_ORDER == LITTLE_ENDIAN
#define REVERSE32(w,x) { \
uint32_t tmp = (w); \
tmp = (tmp >> 16) | (tmp << 16); \
(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
}
#define REVERSE64(w,x) { \
uint64_t tmp = (w); \
tmp = (tmp >> 32) | (tmp << 32); \
tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
((tmp & 0x00ff00ff00ff00ffULL) << 8); \
(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
((tmp & 0x0000ffff0000ffffULL) << 16); \
}
#endif /* BYTE_ORDER == LITTLE_ENDIAN */
/*
* Macro for incrementally adding the unsigned 64-bit integer n to the
* unsigned 128-bit integer (represented using a two-element array of
* 64-bit words):
*/
#define ADDINC128(w,n) { \
(w)[0] += (uint64_t)(n); \
if ((w)[0] < (n)) { \
(w)[1]++; \
} \
}
/*** THE SIX LOGICAL FUNCTIONS ****************************************/
/*
* Bit shifting and rotation (used by the six SHA-XYZ logical functions:
*
* NOTE: The naming of R and S appears backwards here (R is a SHIFT and
* S is a ROTATION) because the SHA-256/384/512 description document
* (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
* same "backwards" definition.
*/
/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
#define R(b,x) ((x) >> (b))
/* 32-bit Rotate-right (used in SHA-256): */
#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
/* Four of six logical functions used in SHA-256: */
#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
/* Four of six logical functions used in SHA-384 and SHA-512: */
#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
/*** INTERNAL FUNCTION PROTOTYPES *************************************/
/* NOTE: These should not be accessed directly from outside this
* library -- they are intended for private internal visibility/use
* only.
*/
void SHA512Last(SHA2_CTX *);
void SHA256Transform(SHA2_CTX *, const uint8_t *);
void SHA512Transform(SHA2_CTX *, const uint8_t *);
/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
/* Hash constant words K for SHA-256: */
static const uint32_t K256[64] = {
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};
/* Initial hash value H for SHA-256: */
static const uint32_t sha256_initial_hash_value[8] = {
0x6a09e667UL,
0xbb67ae85UL,
0x3c6ef372UL,
0xa54ff53aUL,
0x510e527fUL,
0x9b05688cUL,
0x1f83d9abUL,
0x5be0cd19UL
};
/* Hash constant words K for SHA-384 and SHA-512: */
static const uint64_t K512[80] = {
0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
};
/* Initial hash value H for SHA-384 */
static const uint64_t sha384_initial_hash_value[8] = {
0xcbbb9d5dc1059ed8ULL,
0x629a292a367cd507ULL,
0x9159015a3070dd17ULL,
0x152fecd8f70e5939ULL,
0x67332667ffc00b31ULL,
0x8eb44a8768581511ULL,
0xdb0c2e0d64f98fa7ULL,
0x47b5481dbefa4fa4ULL
};
/* Initial hash value H for SHA-512 */
static const uint64_t sha512_initial_hash_value[8] = {
0x6a09e667f3bcc908ULL,
0xbb67ae8584caa73bULL,
0x3c6ef372fe94f82bULL,
0xa54ff53a5f1d36f1ULL,
0x510e527fade682d1ULL,
0x9b05688c2b3e6c1fULL,
0x1f83d9abfb41bd6bULL,
0x5be0cd19137e2179ULL
};
/*** SHA-256: *********************************************************/
void
SHA256Init(SHA2_CTX *context)
{
if (context == NULL)
return;
bcopy(sha256_initial_hash_value, context->state.st32,
SHA256_DIGEST_LENGTH);
bzero(context->buffer, SHA256_BLOCK_LENGTH);
context->bitcount[0] = 0;
}
#ifdef SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-256 round macros: */
#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
W256[j] = (uint32_t)data[3] | ((uint32_t)data[2] << 8) | \
((uint32_t)data[1] << 16) | ((uint32_t)data[0] << 24); \
data += 4; \
T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
(d) += T1; \
(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
#define ROUND256(a,b,c,d,e,f,g,h) do { \
s0 = W256[(j+1)&0x0f]; \
s0 = sigma0_256(s0); \
s1 = W256[(j+14)&0x0f]; \
s1 = sigma1_256(s1); \
T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
(W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
(d) += T1; \
(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
void
SHA256Transform(SHA2_CTX *context, const uint8_t *data)
{
uint32_t a, b, c, d, e, f, g, h, s0, s1;
uint32_t T1, *W256;
int j;
W256 = (uint32_t *)context->buffer;
/* Initialize registers with the prev. intermediate value */
a = context->state.st32[0];
b = context->state.st32[1];
c = context->state.st32[2];
d = context->state.st32[3];
e = context->state.st32[4];
f = context->state.st32[5];
g = context->state.st32[6];
h = context->state.st32[7];
j = 0;
do {
/* Rounds 0 to 15 (unrolled): */
ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
} while (j < 16);
/* Now for the remaining rounds to 64: */
do {
ROUND256(a,b,c,d,e,f,g,h);
ROUND256(h,a,b,c,d,e,f,g);
ROUND256(g,h,a,b,c,d,e,f);
ROUND256(f,g,h,a,b,c,d,e);
ROUND256(e,f,g,h,a,b,c,d);
ROUND256(d,e,f,g,h,a,b,c);
ROUND256(c,d,e,f,g,h,a,b);
ROUND256(b,c,d,e,f,g,h,a);
} while (j < 64);
/* Compute the current intermediate hash value */
context->state.st32[0] += a;
context->state.st32[1] += b;
context->state.st32[2] += c;
context->state.st32[3] += d;
context->state.st32[4] += e;
context->state.st32[5] += f;
context->state.st32[6] += g;
context->state.st32[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = 0;
}
#else /* SHA2_UNROLL_TRANSFORM */
void
SHA256Transform(SHA2_CTX *context, const uint8_t *data)
{
uint32_t a, b, c, d, e, f, g, h, s0, s1;
uint32_t T1, T2, *W256;
int j;
// @mpodhradsky Supress warnings in GCC
#pragma GCC diagnostic ignored "-Wcast-align"
W256 = (uint32_t *)context->buffer;
/* Initialize registers with the prev. intermediate value */
a = context->state.st32[0];
b = context->state.st32[1];
c = context->state.st32[2];
d = context->state.st32[3];
e = context->state.st32[4];
f = context->state.st32[5];
g = context->state.st32[6];
h = context->state.st32[7];
j = 0;
do {
W256[j] = (uint32_t)data[3] | ((uint32_t)data[2] << 8) |
((uint32_t)data[1] << 16) | ((uint32_t)data[0] << 24);
data += 4;
/* Apply the SHA-256 compression function to update a..h */
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
T2 = Sigma0_256(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 16);
do {
/* Part of the message block expansion: */
s0 = W256[(j+1)&0x0f];
s0 = sigma0_256(s0);
s1 = W256[(j+14)&0x0f];
s1 = sigma1_256(s1);
/* Apply the SHA-256 compression function to update a..h */
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
(W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
T2 = Sigma0_256(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 64);
/* Compute the current intermediate hash value */
context->state.st32[0] += a;
context->state.st32[1] += b;
context->state.st32[2] += c;
context->state.st32[3] += d;
context->state.st32[4] += e;
context->state.st32[5] += f;
context->state.st32[6] += g;
context->state.st32[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = T2 = 0;
}
#endif /* SHA2_UNROLL_TRANSFORM */
void
SHA256Update(SHA2_CTX *context, const uint8_t *data, size_t len)
{
size_t freespace, usedspace;
/* Calling with no data is valid (we do nothing) */
if (len == 0)
return;
usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
if (usedspace > 0) {
/* Calculate how much free space is available in the buffer */
freespace = SHA256_BLOCK_LENGTH - usedspace;
if (len >= freespace) {
/* Fill the buffer completely and process it */
bcopy(data, &context->buffer[usedspace], freespace);
context->bitcount[0] += freespace << 3;
len -= freespace;
data += freespace;
SHA256Transform(context, context->buffer);
} else {
/* The buffer is not yet full */
bcopy(data, &context->buffer[usedspace], len);
context->bitcount[0] += len << 3;
/* Clean up: */
usedspace = freespace = 0;
return;
}
}
while (len >= SHA256_BLOCK_LENGTH) {
/* Process as many complete blocks as we can */
SHA256Transform(context, data);
context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
len -= SHA256_BLOCK_LENGTH;
data += SHA256_BLOCK_LENGTH;
}
if (len > 0) {
/* There's left-overs, so save 'em */
bcopy(data, context->buffer, len);
context->bitcount[0] += len << 3;
}
/* Clean up: */
usedspace = freespace = 0;
}
void
SHA256Final(uint8_t digest[], SHA2_CTX *context)
{
uint32_t *d = (uint32_t *)digest;
unsigned int usedspace;
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != NULL) {
usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert FROM host byte order */
REVERSE64(context->bitcount[0], context->bitcount[0]);
#endif
if (usedspace > 0) {
/* Begin padding with a 1 bit: */
context->buffer[usedspace++] = 0x80;
if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
/* Set-up for the last transform: */
bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
} else {
if (usedspace < SHA256_BLOCK_LENGTH) {
bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
}
/* Do second-to-last transform: */
SHA256Transform(context, context->buffer);
/* And set-up for the last transform: */
bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
}
} else {
/* Set-up for the last transform: */
bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
/* Begin padding with a 1 bit: */
*context->buffer = 0x80;
}
/* Set the bit count: */
*(uint64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0];
/* Final transform: */
SHA256Transform(context, context->buffer);
#if BYTE_ORDER == LITTLE_ENDIAN
{
/* Convert TO host byte order */
int j;
for (j = 0; j < 8; j++) {
REVERSE32(context->state.st32[j],
context->state.st32[j]);
*d++ = context->state.st32[j];
}
}
#else
bcopy(context->state.st32, d, SHA256_DIGEST_LENGTH);
#endif
}
/* Clean up state data: */
explicit_bzero(context, sizeof(*context));
usedspace = 0;
}
/*** SHA-512: *********************************************************/
void
SHA512Init(SHA2_CTX *context)
{
if (context == NULL)
return;
bcopy(sha512_initial_hash_value, context->state.st64,
SHA512_DIGEST_LENGTH);
bzero(context->buffer, SHA512_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] = 0;
}
#ifdef SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-512 round macros: */
#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
W512[j] = (uint64_t)data[7] | ((uint64_t)data[6] << 8) | \
((uint64_t)data[5] << 16) | ((uint64_t)data[4] << 24) | \
((uint64_t)data[3] << 32) | ((uint64_t)data[2] << 40) | \
((uint64_t)data[1] << 48) | ((uint64_t)data[0] << 56); \
data += 8; \
T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
(d) += T1; \
(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
#define ROUND512(a,b,c,d,e,f,g,h) do { \
s0 = W512[(j+1)&0x0f]; \
s0 = sigma0_512(s0); \
s1 = W512[(j+14)&0x0f]; \
s1 = sigma1_512(s1); \
T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
(d) += T1; \
(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
void
SHA512Transform(SHA2_CTX *context, const uint8_t *data)
{
uint64_t a, b, c, d, e, f, g, h, s0, s1;
uint64_t T1, *W512 = (uint64_t *)context->buffer;
int j;
/* Initialize registers with the prev. intermediate value */
a = context->state.st64[0];
b = context->state.st64[1];
c = context->state.st64[2];
d = context->state.st64[3];
e = context->state.st64[4];
f = context->state.st64[5];
g = context->state.st64[6];
h = context->state.st64[7];
j = 0;
do {
ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
} while (j < 16);
/* Now for the remaining rounds up to 79: */
do {
ROUND512(a,b,c,d,e,f,g,h);
ROUND512(h,a,b,c,d,e,f,g);
ROUND512(g,h,a,b,c,d,e,f);
ROUND512(f,g,h,a,b,c,d,e);
ROUND512(e,f,g,h,a,b,c,d);
ROUND512(d,e,f,g,h,a,b,c);
ROUND512(c,d,e,f,g,h,a,b);
ROUND512(b,c,d,e,f,g,h,a);
} while (j < 80);
/* Compute the current intermediate hash value */
context->state.st64[0] += a;
context->state.st64[1] += b;
context->state.st64[2] += c;
context->state.st64[3] += d;
context->state.st64[4] += e;
context->state.st64[5] += f;
context->state.st64[6] += g;
context->state.st64[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = 0;
}
#else /* SHA2_UNROLL_TRANSFORM */
void
SHA512Transform(SHA2_CTX *context, const uint8_t *data)
{
uint64_t a, b, c, d, e, f, g, h, s0, s1;
uint64_t T1, T2, *W512 = (uint64_t *)context->buffer;
int j;
/* Initialize registers with the prev. intermediate value */
a = context->state.st64[0];
b = context->state.st64[1];
c = context->state.st64[2];
d = context->state.st64[3];
e = context->state.st64[4];
f = context->state.st64[5];
g = context->state.st64[6];
h = context->state.st64[7];
j = 0;
do {
W512[j] = (uint64_t)data[7] | ((uint64_t)data[6] << 8) |
((uint64_t)data[5] << 16) | ((uint64_t)data[4] << 24) |
((uint64_t)data[3] << 32) | ((uint64_t)data[2] << 40) |
((uint64_t)data[1] << 48) | ((uint64_t)data[0] << 56);
data += 8;
/* Apply the SHA-512 compression function to update a..h */
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
T2 = Sigma0_512(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 16);
do {
/* Part of the message block expansion: */
s0 = W512[(j+1)&0x0f];
s0 = sigma0_512(s0);
s1 = W512[(j+14)&0x0f];
s1 = sigma1_512(s1);
/* Apply the SHA-512 compression function to update a..h */
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
T2 = Sigma0_512(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 80);
/* Compute the current intermediate hash value */
context->state.st64[0] += a;
context->state.st64[1] += b;
context->state.st64[2] += c;
context->state.st64[3] += d;
context->state.st64[4] += e;
context->state.st64[5] += f;
context->state.st64[6] += g;
context->state.st64[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = T2 = 0;
}
#endif /* SHA2_UNROLL_TRANSFORM */
void
SHA512Update(SHA2_CTX *context, const uint8_t *data, size_t len)
{
size_t freespace, usedspace;
/* Calling with no data is valid (we do nothing) */
if (len == 0)
return;
usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
if (usedspace > 0) {
/* Calculate how much free space is available in the buffer */
freespace = SHA512_BLOCK_LENGTH - usedspace;
if (len >= freespace) {
/* Fill the buffer completely and process it */
bcopy(data, &context->buffer[usedspace], freespace);
ADDINC128(context->bitcount, freespace << 3);
len -= freespace;
data += freespace;
SHA512Transform(context, context->buffer);
} else {
/* The buffer is not yet full */
bcopy(data, &context->buffer[usedspace], len);
ADDINC128(context->bitcount, len << 3);
/* Clean up: */
usedspace = freespace = 0;
return;
}
}
while (len >= SHA512_BLOCK_LENGTH) {
/* Process as many complete blocks as we can */
SHA512Transform(context, data);
ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
len -= SHA512_BLOCK_LENGTH;
data += SHA512_BLOCK_LENGTH;
}
if (len > 0) {
/* There's left-overs, so save 'em */
bcopy(data, context->buffer, len);
ADDINC128(context->bitcount, len << 3);
}
/* Clean up: */
usedspace = freespace = 0;
}
void
SHA512Last(SHA2_CTX *context)
{
unsigned int usedspace;
usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert FROM host byte order */
REVERSE64(context->bitcount[0],context->bitcount[0]);
REVERSE64(context->bitcount[1],context->bitcount[1]);
#endif
if (usedspace > 0) {
/* Begin padding with a 1 bit: */
context->buffer[usedspace++] = 0x80;
if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
/* Set-up for the last transform: */
bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
} else {
if (usedspace < SHA512_BLOCK_LENGTH) {
bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
}
/* Do second-to-last transform: */
SHA512Transform(context, context->buffer);
/* And set-up for the last transform: */
bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
}
} else {
/* Prepare for final transform: */
bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
/* Begin padding with a 1 bit: */
*context->buffer = 0x80;
}
/* Store the length of input data (in bits): */
*(uint64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
*(uint64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
/* Final transform: */
SHA512Transform(context, context->buffer);
}
void
SHA512Final(uint8_t digest[], SHA2_CTX *context)
{
uint64_t *d = (uint64_t *)digest;
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != NULL) {
SHA512Last(context);
/* Save the hash data for output: */
#if BYTE_ORDER == LITTLE_ENDIAN
{
/* Convert TO host byte order */
int j;
for (j = 0; j < 8; j++) {
REVERSE64(context->state.st64[j],
context->state.st64[j]);
*d++ = context->state.st64[j];
}
}
#else
bcopy(context->state.st64, d, SHA512_DIGEST_LENGTH);
#endif
}
/* Zero out state data */
explicit_bzero(context, sizeof(*context));
}
/*** SHA-384: *********************************************************/
void
SHA384Init(SHA2_CTX *context)
{
if (context == NULL)
return;
bcopy(sha384_initial_hash_value, context->state.st64,
SHA512_DIGEST_LENGTH);
bzero(context->buffer, SHA384_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] = 0;
}
void
SHA384Update(SHA2_CTX *context, const uint8_t *data, size_t len)
{
SHA512Update((SHA2_CTX *)context, data, len);
}
void
SHA384Final(uint8_t digest[], SHA2_CTX *context)
{
uint64_t *d = (uint64_t *)digest;
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != NULL) {
SHA512Last((SHA2_CTX *)context);
/* Save the hash data for output: */
#if BYTE_ORDER == LITTLE_ENDIAN
{
/* Convert TO host byte order */
int j;
for (j = 0; j < 6; j++) {
REVERSE64(context->state.st64[j],
context->state.st64[j]);
*d++ = context->state.st64[j];
}
}
#else
bcopy(context->state.st64, d, SHA384_DIGEST_LENGTH);
#endif
}
/* Zero out state data */
explicit_bzero(context, sizeof(*context));
}

97
src/electionguard/sha2-openbsd.h Normal file
Просмотреть файл

@ -0,0 +1,97 @@
/* $OpenBSD: sha2.h,v 1.4 2012/12/05 23:20:15 deraadt Exp $ */
/*
* FILE: sha2.h
* AUTHOR: Aaron D. Gifford <me@aarongifford.com>
*
* Copyright (c) 2000-2001, Aaron D. Gifford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
*/
#ifndef _SHA2_H
#define _SHA2_H
#include <sys/param.h>
#include <string.h>
#include <stdint.h>
#define bzero(s, n) memset((s), 0, (n))
#define bcopy(s1, s2, n) memcpy((s2), (s1), (n))
#define NO_MEMSET_S true
#ifndef NO_MEMSET_S
#define explicit_bzero(s, n) memset_s((s), (n), 0, (n))
#else
#define explicit_bzero(s, n) force_memset((s), (n))
void force_memset(void *ptr, size_t len);
#endif
/*** SHA-256/384/512 Various Length Definitions ***********************/
#define SHA256_BLOCK_LENGTH 64
#define SHA256_DIGEST_LENGTH 32
#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1)
#define SHA384_BLOCK_LENGTH 128
#define SHA384_DIGEST_LENGTH 48
#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1)
#define SHA512_BLOCK_LENGTH 128
#define SHA512_DIGEST_LENGTH 64
#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
/*** SHA-256/384/512 Context Structure *******************************/
typedef struct _SHA2_CTX {
union {
uint32_t st32[8];
uint64_t st64[8];
} state;
uint64_t bitcount[2];
uint8_t buffer[SHA512_BLOCK_LENGTH];
} SHA2_CTX;
__BEGIN_DECLS
void SHA256Init(SHA2_CTX *);
#pragma GCC diagnostic ignored "-Wattributes"
void SHA256Update(SHA2_CTX *, const uint8_t *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void SHA256Final(uint8_t[SHA256_DIGEST_LENGTH], SHA2_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
void SHA384Init(SHA2_CTX *);
void SHA384Update(SHA2_CTX *, const uint8_t *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void SHA384Final(uint8_t[SHA384_DIGEST_LENGTH], SHA2_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH)));
void SHA512Init(SHA2_CTX *);
void SHA512Update(SHA2_CTX *, const uint8_t *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void SHA512Final(uint8_t[SHA512_DIGEST_LENGTH], SHA2_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH)));
__END_DECLS
#endif /* _SHA2_H */

6
src/electionguard/uint4096.c
Просмотреть файл

@ -326,7 +326,7 @@ uint4096 uint4096_copy(const_uint4096 src) {
//
// =============================================================================
struct Modulus4096_s p = {
struct Modulus4096_s p_4 = {
.modulus = {
.words = {
0xFFFFFFFFFFFFFFFF, 0xC90FDAA22168C234, 0xC4C6628B80DC1CD1, 0x29024E088A67CC74,
@ -384,8 +384,8 @@ struct Modulus4096_s p = {
}
}
};
Modulus4096 Modulus4096_modulus_default = &p;
const_uint4096 uint4096_modulus_default = &p.modulus;
Modulus4096 Modulus4096_modulus_default = &p_4;
const_uint4096 uint4096_modulus_default = &p_4.modulus;
struct uint4096_s g = {
.words = {

Двоичные данные
src/electionguard/uint4096.h.gch Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
src/electionguard/voting/a.out Normal file
Просмотреть файл

Двоичный файл не отображается.

7
src/electionguard/voting/coordinator.c
Просмотреть файл

@ -50,8 +50,11 @@ struct Voting_Coordinator_new_r Voting_Coordinator_new(uint32_t num_selections)
void Voting_Coordinator_free(Voting_Coordinator ballot_box)
{
for(size_t i = 0; i < MAX_BALLOTS; i++)
if(ballot_box->registered[i])
free(ballot_box->selections[i]);
if(ballot_box->registered[i]){
for(int j=0; j<ballot_box->num_selections; j++){
Crypto_encryption_rep_free(&ballot_box->selections[i][j]);
}
}
free(ballot_box);
}

204
src/electionguard/voting/encrypter.c
Просмотреть файл

@ -9,6 +9,7 @@
#include "serialize/crypto.h"
#include "serialize/state.h"
#include "serialize/voting.h"
#include "sha2-openbsd.h"
#include "voting/message_reps.h"
#include "voting/num_ballots.h"
@ -19,30 +20,45 @@ struct Voting_Encrypter_s
struct uid uid;
struct joint_public_key_rep joint_key;
uint32_t num_selections;
struct hash base_hash;
RandomSource source;
};
enum Voting_Encrypter_status Voting_Encrypter_RandomSource_status_convert(enum RandomSource_status status) {
switch(status) {
case RANDOM_SOURCE_SUCCESS: return VOTING_ENCRYPTER_SUCCESS;
case RANDOM_SOURCE_INSUFFICIENT_MEMORY: return VOTING_ENCRYPTER_INSUFFICIENT_MEMORY;
case RANDOM_SOURCE_IO_ERROR: return VOTING_ENCRYPTER_IO_ERROR;
default: return VOTING_ENCRYPTER_UNKNOWN_ERROR;
enum Voting_Encrypter_status
Voting_Encrypter_RandomSource_status_convert(enum RandomSource_status status)
{
switch (status)
{
case RANDOM_SOURCE_SUCCESS:
return VOTING_ENCRYPTER_SUCCESS;
case RANDOM_SOURCE_INSUFFICIENT_MEMORY:
return VOTING_ENCRYPTER_INSUFFICIENT_MEMORY;
case RANDOM_SOURCE_IO_ERROR:
return VOTING_ENCRYPTER_IO_ERROR;
default:
return VOTING_ENCRYPTER_UNKNOWN_ERROR;
}
}
enum Voting_Encrypter_status Voting_Encrypter_serialize_read_status_convert(enum serialize_status status) {
switch(status) {
case SERIALIZE_STATE_READING: return VOTING_ENCRYPTER_SUCCESS;
case SERIALIZE_STATE_INSUFFICIENT_MEMORY: return VOTING_ENCRYPTER_INSUFFICIENT_MEMORY;
case SERIALIZE_STATE_BUFFER_TOO_SMALL: return VOTING_ENCRYPTER_DESERIALIZE_ERROR;
default: return VOTING_ENCRYPTER_UNKNOWN_ERROR;
enum Voting_Encrypter_status
Voting_Encrypter_serialize_read_status_convert(enum serialize_status status)
{
switch (status)
{
case SERIALIZE_STATE_READING:
return VOTING_ENCRYPTER_SUCCESS;
case SERIALIZE_STATE_INSUFFICIENT_MEMORY:
return VOTING_ENCRYPTER_INSUFFICIENT_MEMORY;
case SERIALIZE_STATE_BUFFER_TOO_SMALL:
return VOTING_ENCRYPTER_DESERIALIZE_ERROR;
default:
return VOTING_ENCRYPTER_UNKNOWN_ERROR;
}
}
struct Voting_Encrypter_new_r
Voting_Encrypter_new(struct uid uid, struct joint_public_key joint_key,
uint32_t num_selections)
uint32_t num_selections, raw_hash base_hash)
{
struct Voting_Encrypter_new_r result;
result.encrypter = NULL;
@ -72,34 +88,46 @@ Voting_Encrypter_new(struct uid uid, struct joint_public_key joint_key,
// Clone the joint key
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
struct serialize_state state =
{ .status = SERIALIZE_STATE_READING
, .len = joint_key.len
, .offset = 0
, .buf = (uint8_t *)joint_key.bytes // discard const-ness and pray
};
struct serialize_state state = {
.status = SERIALIZE_STATE_READING,
.len = joint_key.len,
.offset = 0,
.buf = (uint8_t *)joint_key.bytes // discard const-ness and pray
};
Crypto_joint_public_key_init(&result.encrypter->joint_key);
Serialize_read_joint_public_key(&state, &result.encrypter->joint_key);
result.status = Voting_Encrypter_serialize_read_status_convert(state.status);
result.status =
Voting_Encrypter_serialize_read_status_convert(state.status);
}
// Get a random source
RandomSource source = NULL;
if (result.status == VOTING_ENCRYPTER_SUCCESS) {
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
struct RandomSource_new_r rs = RandomSource_new();
result.status = Voting_Encrypter_RandomSource_status_convert(rs.status);
if(VOTING_ENCRYPTER_SUCCESS == result.status) {
if (VOTING_ENCRYPTER_SUCCESS == result.status)
{
source = rs.source;
result.encrypter->source = rs.source;
}
}
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
result.encrypter->num_selections = num_selections;
mpz_init(result.encrypter->base_hash.digest);
Crypto_hash_reduce(&result.encrypter->base_hash, base_hash);
}
if (VOTING_ENCRYPTER_SUCCESS != result.status) {
if (NULL != source) RandomSource_free(source);
if (NULL != uid_buf) free(uid_buf);
if (NULL != result.encrypter) free(result.encrypter);
if (VOTING_ENCRYPTER_SUCCESS != result.status)
{
if (NULL != source)
RandomSource_free(source);
if (NULL != uid_buf)
free(uid_buf);
if (NULL != result.encrypter)
free(result.encrypter);
}
return result;
@ -109,15 +137,23 @@ void Voting_Encrypter_free(Voting_Encrypter encrypter)
{
free((void *)encrypter->uid.bytes);
RandomSource_free(encrypter->source);
Crypto_joint_public_key_free(&encrypter->joint_key);
free((void *)encrypter);
}
enum Voting_Encrypter_status Voting_Encrypter_Crypto_status_convert(enum Crypto_status status) {
switch(status) {
case CRYPTO_SUCCESS: return VOTING_ENCRYPTER_SUCCESS;
case CRYPTO_INSUFFICIENT_MEMORY: return VOTING_ENCRYPTER_INSUFFICIENT_MEMORY;
case CRYPTO_IO_ERROR: return VOTING_ENCRYPTER_IO_ERROR;
default: return VOTING_ENCRYPTER_UNKNOWN_ERROR;
enum Voting_Encrypter_status
Voting_Encrypter_Crypto_status_convert(enum Crypto_status status)
{
switch (status)
{
case CRYPTO_SUCCESS:
return VOTING_ENCRYPTER_SUCCESS;
case CRYPTO_INSUFFICIENT_MEMORY:
return VOTING_ENCRYPTER_INSUFFICIENT_MEMORY;
case CRYPTO_IO_ERROR:
return VOTING_ENCRYPTER_IO_ERROR;
default:
return VOTING_ENCRYPTER_UNKNOWN_ERROR;
}
}
@ -154,59 +190,66 @@ Voting_Encrypter_encrypt_ballot(Voting_Encrypter encrypter,
}
}
// Construct the ballot tracker
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
struct ballot_tracker_rep rep = {.id = Voting_num_ballots};
struct serialize_state state = {
.status = SERIALIZE_STATE_RESERVING,
.len = 0,
.offset = 0,
.buf = NULL,
};
Serialize_reserve_ballot_tracker(&state, &rep);
Serialize_allocate(&state);
Serialize_write_ballot_tracker(&state, &rep);
if (state.status != SERIALIZE_STATE_WRITING)
result.status = VOTING_ENCRYPTER_SERIALIZE_ERROR;
else
{
result.tracker = (struct ballot_tracker){
.len = state.len,
.bytes = state.buf,
};
}
}
// Construct the message
struct encrypted_ballot_rep encrypted_ballot;
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
struct Crypto_encrypted_ballot_new_r result = Crypto_encrypted_ballot_new(encrypter->num_selections, Voting_num_ballots);
struct Crypto_encrypted_ballot_new_r result =
Crypto_encrypted_ballot_new(encrypter->num_selections,
Voting_num_ballots);
encrypted_ballot = result.result;
result.status = Voting_Encrypter_Crypto_status_convert(result.status);
}
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
struct uint4096_s uint4096_false_s;
uint4096_zext_o(&uint4096_false_s, (uint8_t[]){1}, 1);
const_uint4096 uint4096_true = uint4096_generator_default, uint4096_false = &uint4096_false_s;
struct encryption_rep tally;
Crypto_encryption_rep_new(&tally);
Crypto_encryption_homomorphic_zero(&tally);
for(uint32_t i = 0; i < encrypter->num_selections; i++) {
Crypto_encrypt(&encrypted_ballot.selections[i], encrypter->source, &encrypter->joint_key,
selections[i] ? uint4096_true : uint4096_false);
mpz_t nonce, aggregate_nonce;
mpz_init(nonce);
mpz_init(aggregate_nonce);
for (uint32_t i = 0; i < encrypter->num_selections; i++)
{
Crypto_encrypt(
&encrypted_ballot.selections[i], nonce, encrypter->source,
&encrypter->joint_key,
selections[i] ? generator /*g^1*/ : bignum_one /*g^0*/);
Crypto_encryption_homomorphic_add(&tally, &tally,
&encrypted_ballot.selections[i]);
if (i == 0)
{
mpz_set(aggregate_nonce, nonce);
}
else
{
add_mod_q(aggregate_nonce, aggregate_nonce, nonce);
}
Crypto_generate_dis_proof(&encrypted_ballot.dis_proof[i],
encrypter->source, encrypter->base_hash,
selections[i],
encrypter->joint_key.public_key,
encrypted_ballot.selections[i], nonce);
Crypto_check_dis_proof(
encrypted_ballot.dis_proof[i], encrypted_ballot.selections[i],
encrypter->base_hash, encrypter->joint_key.public_key);
}
Crypto_generate_aggregate_cp_proof(
&encrypted_ballot.cp_proof, encrypter->source, aggregate_nonce,
tally, encrypter->base_hash, encrypter->joint_key.public_key);
Crypto_check_aggregate_cp_proof(encrypted_ballot.cp_proof, tally,
encrypter->base_hash,
encrypter->joint_key.public_key);
struct serialize_state state =
{ .status = SERIALIZE_STATE_RESERVING
, .len = 0
, .offset = 0
, .buf = NULL
};
mpz_clear(nonce);
mpz_clear(aggregate_nonce);
Crypto_encryption_rep_free(&tally);
struct serialize_state state = {.status = SERIALIZE_STATE_RESERVING,
.len = 0,
.offset = 0,
.buf = NULL};
Serialize_reserve_encrypted_ballot(&state, &encrypted_ballot);
Serialize_allocate(&state);
Serialize_write_encrypted_ballot(&state, &encrypted_ballot);
@ -220,6 +263,23 @@ Voting_Encrypter_encrypt_ballot(Voting_Encrypter encrypter,
.bytes = state.buf,
};
}
//TODO clear proofs and encrypted ballot
}
// Construct the ballot tracker
if (result.status == VOTING_ENCRYPTER_SUCCESS)
{
SHA2_CTX context;
uint8_t *digest_buffer = malloc(sizeof(uint8_t) * SHA256_DIGEST_LENGTH);
SHA256Init(&context);
SHA256Update(&context, result.message.bytes, result.message.len);
SHA256Final(digest_buffer, &context);
result.tracker = (struct ballot_tracker){
.len = SHA256_DIGEST_LENGTH,
.bytes = digest_buffer,
};
}
if (result.status == VOTING_ENCRYPTER_SUCCESS)