You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@milagro.apache.org by sa...@apache.org on 2020/02/13 11:00:42 UTC
[incubator-milagro-MPC] 03/05: review mta and mpc code
This is an automated email from the ASF dual-hosted git repository.
sandreoli pushed a commit to branch review
in repository https://gitbox.apache.org/repos/asf/incubator-milagro-MPC.git
commit bf499d6aa50ff402a71ec234d17dddc77fdb373f
Author: Samuele Andreoli <sa...@yahoo.it>
AuthorDate: Mon Feb 10 12:31:22 2020 +0000
review mta and mpc code
---
src/mpc.c | 118 +++++++++++++++++++++++------------------------------
src/mta.c | 128 ++++++++++++++++++++++------------------------------------
src/schnorr.c | 2 +-
3 files changed, 100 insertions(+), 148 deletions(-)
diff --git a/src/mpc.c b/src/mpc.c
index 82216f4..cc3e2d7 100644
--- a/src/mpc.c
+++ b/src/mpc.c
@@ -167,24 +167,22 @@ void MPC_INVKGAMMA(octet *KGAMMA1, octet *KGAMMA2, octet *INVKGAMMA)
BIG_256_56 q;
// Curve order
- BIG_256_56_rcopy(q,CURVE_Order_SECP256K1);
+ BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
// Load values
- BIG_256_56_fromBytes(kgamma1,KGAMMA1->val);
- BIG_256_56_fromBytes(kgamma2,KGAMMA2->val);
-
- // kgamma = kgamma1 + kgamma2
- BIG_256_56_add(kgamma,kgamma1,kgamma2);
+ BIG_256_56_fromBytes(kgamma1, KGAMMA1->val);
+ BIG_256_56_fromBytes(kgamma2, KGAMMA2->val);
- // kgamma = kgamma mod q
- BIG_256_56_mod(kgamma,q);
+ // kgamma = kgamma1 + kgamma2 mod q
+ BIG_256_56_add(kgamma, kgamma1, kgamma2);
+ BIG_256_56_mod(kgamma, q);
// invkgamma = kgamma^{-1}
- BIG_256_56_invmodp(invkgamma,kgamma,q);
+ BIG_256_56_invmodp(invkgamma, kgamma, q);
// Output result
- INVKGAMMA->len=EGS_SECP256K1;
- BIG_256_56_toBytes(INVKGAMMA->val,invkgamma);
+ INVKGAMMA->len = EGS_SECP256K1;
+ BIG_256_56_toBytes(INVKGAMMA->val, invkgamma);
}
@@ -194,43 +192,43 @@ int MPC_R(octet *INVKGAMMA, octet *GAMMAPT1, octet *GAMMAPT2, octet *R)
BIG_256_56 invkgamma;
BIG_256_56 q;
BIG_256_56 rx;
- BIG_256_56 r;
ECP_SECP256K1 gammapt1;
ECP_SECP256K1 gammapt2;
// Curve order
- BIG_256_56_rcopy(q,CURVE_Order_SECP256K1);
+ BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
// Load values
- BIG_256_56_fromBytes(invkgamma,INVKGAMMA->val);
- if (!ECP_SECP256K1_fromOctet(&gammapt1,GAMMAPT1))
+ BIG_256_56_fromBytes(invkgamma, INVKGAMMA->val);
+
+ if (!ECP_SECP256K1_fromOctet(&gammapt1, GAMMAPT1))
{
return 1;
}
- if (!ECP_SECP256K1_fromOctet(&gammapt2,GAMMAPT2))
+
+ if (!ECP_SECP256K1_fromOctet(&gammapt2, GAMMAPT2))
{
return 1;
}
// gammapt1 + gammapt2
- ECP_SECP256K1_add(&gammapt1,&gammapt2);
+ ECP_SECP256K1_add(&gammapt1, &gammapt2);
// rx, ry = k^{-1}.G
- ECP_SECP256K1_mul(&gammapt1,invkgamma);
- ECP_SECP256K1_get(rx,rx,&gammapt1);
+ ECP_SECP256K1_mul(&gammapt1, invkgamma);
+ ECP_SECP256K1_get(rx, rx, &gammapt1);
// r = rx mod q
- BIG_256_56_copy(r,rx);
- BIG_256_56_mod(r,q);
- if (BIG_256_56_iszilch(r))
+ BIG_256_56_mod(rx, q);
+ if (BIG_256_56_iszilch(rx))
{
return 1;
}
// Output result
- R->len=EGS_SECP256K1;
- BIG_256_56_toBytes(R->val,r);
+ R->len = EGS_SECP256K1;
+ BIG_256_56_toBytes(R->val, rx);
return 0;
}
@@ -238,20 +236,7 @@ int MPC_R(octet *INVKGAMMA, octet *GAMMAPT1, octet *GAMMAPT2, octet *R)
// Hash the message
void MPC_HASH(int sha, octet *M, octet *HM)
{
- char h[128];
- octet H = {0,sizeof(h),h};
-
- BIG_256_56 z;
-
- // z = hash(M)
- ehashit(sha,M,-1,NULL,&H,sha);
- int hlen=H.len;
- if (H.len>MODBYTES_256_56) hlen=MODBYTES_256_56;
- BIG_256_56_fromBytesLen(z,H.val,hlen);
-
- // Output result
- HM->len=MODBYTES_256_56;
- BIG_256_56_toBytes(HM->val,z);
+ ehashit(sha, M, -1, NULL, HM, MODBYTES_256_56);
}
// Calculate the s component of the signature
@@ -267,31 +252,31 @@ int MPC_S(octet *HM, octet *R, octet *K, octet *SIGMA, octet *S)
BIG_256_56 s;
// Curve order
- BIG_256_56_rcopy(q,CURVE_Order_SECP256K1);
+ BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
// Load values
- BIG_256_56_fromBytes(z,HM->val);
- BIG_256_56_fromBytes(r,R->val);
- BIG_256_56_fromBytes(k,K->val);
- BIG_256_56_fromBytes(sigma,SIGMA->val);
+ BIG_256_56_fromBytes(z, HM->val);
+ BIG_256_56_fromBytes(r, R->val);
+ BIG_256_56_fromBytes(k, K->val);
+ BIG_256_56_fromBytes(sigma, SIGMA->val);
// kz = k.z mod q
- BIG_256_56_modmul(kz,k,z,q);
+ BIG_256_56_modmul(kz, k, z, q);
// rsigma = r.sigma mod q
- BIG_256_56_modmul(rsigma,r,sigma,q);
+ BIG_256_56_modmul(rsigma, r, sigma, q);
// s = kz + rsigma mod q
- BIG_256_56_add(s,kz,rsigma);
- BIG_256_56_mod(s,q);
+ BIG_256_56_add(s, kz, rsigma);
+ BIG_256_56_mod(s, q);
if (BIG_256_56_iszilch(s))
{
return 1;
}
// Output result
- S->len=EGS_SECP256K1;
- BIG_256_56_toBytes(S->val,s);
+ S->len = EGS_SECP256K1;
+ BIG_256_56_toBytes(S->val, s);
return 0;
}
@@ -305,21 +290,19 @@ void MPC_SUM_S(octet *S1, octet *S2, octet *S)
BIG_256_56 q;
// Curve order
- BIG_256_56_rcopy(q,CURVE_Order_SECP256K1);
+ BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
// Load values
- BIG_256_56_fromBytes(s1,S1->val);
- BIG_256_56_fromBytes(s2,S2->val);
+ BIG_256_56_fromBytes(s1, S1->val);
+ BIG_256_56_fromBytes(s2, S2->val);
- // s = s1 + s2
- BIG_256_56_add(s,s1,s2);
-
- // s = s mod q
- BIG_256_56_mod(s,q);
+ // s = s1 + s2 mod q
+ BIG_256_56_add(s, s1, s2);
+ BIG_256_56_mod(s, q);
// Output result
- S->len=EGS_SECP256K1;
- BIG_256_56_toBytes(S->val,s);
+ S->len = EGS_SECP256K1;
+ BIG_256_56_toBytes(S->val, s);
}
// Add the ECDSA public keys shares
@@ -329,20 +312,21 @@ int MPC_SUM_PK(octet *PK1, octet *PK2, octet *PK)
ECP_SECP256K1 pk2;
// Load values
- if (!ECP_SECP256K1_fromOctet(&pk1,PK1))
+ if (!ECP_SECP256K1_fromOctet(&pk1, PK1))
{
return 1;
}
- if (!ECP_SECP256K1_fromOctet(&pk2,PK2))
+
+ if (!ECP_SECP256K1_fromOctet(&pk2, PK2))
{
return 1;
}
// pk1 + pk2
- ECP_SECP256K1_add(&pk1,&pk2);
+ ECP_SECP256K1_add(&pk1, &pk2);
// Output result
- ECP_SECP256K1_toOctet(PK,&pk1,false);
+ ECP_SECP256K1_toOctet(PK, &pk1, false);
return 0;
}
@@ -508,16 +492,16 @@ int MPC_PHASE5_verify(octet *U[2], octet *T[2])
// Write Paillier public key to octets
void MPC_DUMP_PAILLIER_PK(PAILLIER_public_key *PUB, octet *N, octet *G, octet *N2)
{
- FF_4096_toOctet(N, PUB->n, FFLEN_4096);
- FF_4096_toOctet(G, PUB->g, FFLEN_4096);
+ FF_4096_toOctet(N, PUB->n, FFLEN_4096);
+ FF_4096_toOctet(G, PUB->g, FFLEN_4096);
FF_4096_toOctet(N2, PUB->n2, FFLEN_4096);
}
// Load Paillier public key from octets
void MPC_LOAD_PAILLIER_PK(PAILLIER_public_key *PUB, octet *N, octet *G, octet *N2)
{
- FF_4096_fromOctet(PUB->n, N, FFLEN_4096);
- FF_4096_fromOctet(PUB->g, G, FFLEN_4096);
+ FF_4096_fromOctet(PUB->n, N, FFLEN_4096);
+ FF_4096_fromOctet(PUB->g, G, FFLEN_4096);
FF_4096_fromOctet(PUB->n2, N2, FFLEN_4096);
}
diff --git a/src/mta.c b/src/mta.c
index 1a7cd4c..3b8d6ed 100644
--- a/src/mta.c
+++ b/src/mta.c
@@ -38,27 +38,6 @@ void OCT_hash(hash256 *sha, octet *O)
}
}
-// Truncates an octet string
-void OCT_truncate(octet *y,octet *x)
-{
- /* y < x */
- int i=0;
- int j=0;
- if (x==NULL) return;
- if (y==NULL) return;
-
- for (i=0; i<y->len; i++)
- {
- j=x->len+i;
- if (i>=y->max)
- {
- y->len=y->max;
- return;
- }
- y->val[i]=x->val[j];
- }
-}
-
/* FF manipulation utilities
*
* These might be nice additions to milagro-crypto-c ff API
@@ -172,60 +151,55 @@ void hash_ZK_commitment(hash256 *sha, MTA_ZK_commitment *c)
// Client MTA first pass
void MPC_MTA_CLIENT1(csprng *RNG, PAILLIER_public_key *PUB, octet *A, octet *CA, octet *R)
{
- // Read A
char a1[FS_2048];
octet A1 = {0,sizeof(a1),a1};
- OCT_clear(&A1);
- A1.len = FS_2048 - EGS_SECP256K1;
- OCT_joctet(&A1,A);
+
+ OCT_copy(&A1, A);
+ OCT_pad(&A1, FS_2048);
PAILLIER_ENCRYPT(RNG, PUB, &A1, CA, R);
+
+ // Clean memory
+ OCT_clear(&A1);
}
// Client MtA second pass
void MPC_MTA_CLIENT2(PAILLIER_private_key *PRIV, octet *CB, octet *ALPHA)
{
- BIG_512_60 q[FFLEN_4096];
- BIG_512_60 alpha[FFLEN_4096];
-
- char co[EGS_SECP256K1];
- octet CO = {0,sizeof(co),co};
+ BIG_1024_58 q[HFLEN_2048];
+ BIG_1024_58 alpha[HFLEN_2048];
char t[FS_2048];
octet T = {0,sizeof(t),t};
// Curve order
- OCT_fromHex(&CO,curve_order_hex);
- FF_4096_zero(q, FFLEN_4096);
- BIG_512_60_fromBytesLen(q[0],CO.val,CO.len);
+ OCT_fromHex(&T, curve_order_hex);
+ OCT_pad(&T, HFS_2048);
+ FF_2048_fromOctet(q, &T, HFLEN_2048);
PAILLIER_DECRYPT(PRIV, CB, &T);
- FF_4096_zero(alpha, FFLEN_4096);
- FF_4096_fromOctet(alpha,&T,HFLEN_4096);
+ // alpha < q^3
+ OCT_shl(&T, HFS_2048);
+ FF_2048_fromOctet(alpha, &T, HFLEN_2048);
// alpha = alpha mod q
- FF_4096_mod(alpha, q, FFLEN_4096);
+ FF_2048_mod(alpha, q, HFLEN_2048);
// Output alpha
- char alpha1[FS_4096];
- octet ALPHA1 = {0,sizeof(alpha1),alpha1};
- FF_4096_toOctet(&ALPHA1, alpha, FFLEN_4096);
- OCT_clear(ALPHA);
- ALPHA->len = EGS_SECP256K1;
- ALPHA1.len = FS_4096 - EGS_SECP256K1;
- OCT_truncate(ALPHA,&ALPHA1);
+ FF_2048_toOctet(&T, alpha, HFLEN_2048);
+ OCT_chop(&T, ALPHA, HFS_2048 - EGS_SECP256K1);
+
+ // Clean memory
+ FF_2048_zero(alpha, FFLEN_2048);
+ OCT_clear(&T);
}
// MtA server
void MPC_MTA_SERVER(csprng *RNG, PAILLIER_public_key *PUB, octet *B, octet *CA, octet *ZO, octet *R, octet *CB, octet *BETA)
{
- BIG_512_60 q[FFLEN_4096];
- BIG_512_60 z[FFLEN_4096];
- BIG_512_60 beta[FFLEN_4096];
-
- char co[EGS_SECP256K1];
- octet CO = {0,sizeof(co),co};
+ BIG_256_56 q;
+ BIG_256_56 z;
char zb[FS_2048];
octet Z = {0,sizeof(zb),zb};
@@ -240,36 +214,30 @@ void MPC_MTA_SERVER(csprng *RNG, PAILLIER_public_key *PUB, octet *B, octet *CA,
octet B1 = {0,sizeof(b1),b1};
// Curve order
- OCT_fromHex(&CO,curve_order_hex);
- FF_4096_zero(q, FFLEN_4096);
- BIG_512_60_fromBytesLen(q[0],CO.val,CO.len);
+ BIG_256_56_rcopy(q, CURVE_Order_SECP256K1);
// Read B
- OCT_clear(&B1);
- B1.len = FS_2048 - EGS_SECP256K1;
- OCT_joctet(&B1,B);
+ OCT_copy(&B1, B);
+ OCT_pad(&B1, FS_2048);
// Random z value
if (RNG!=NULL)
{
- FF_4096_random(z,RNG,FFLEN_4096);
- FF_4096_mod(z,q,FFLEN_4096);
+ BIG_256_56_randomnum(z, q, RNG);
+
+ BIG_256_56_toBytes(Z.val, z);
+ Z.len = EGS_SECP256K1;
}
else
{
- char z1[FS_4096];
- octet Z1 = {0,sizeof(z1),z1};
- OCT_clear(&Z1);
- Z1.len = FS_4096 - EGS_SECP256K1;
- ZO->len = EGS_SECP256K1;
- OCT_joctet(&Z1,ZO);
- FF_4096_zero(z, FFLEN_4096);
- FF_4096_fromOctet(z,&Z1,FFLEN_4096);
+ BIG_256_56_fromBytesLen(z, ZO->val, ZO->len);
+ OCT_copy(&Z, ZO);
}
- FF_4096_toOctet(&Z, z, HFLEN_4096);
+
+ OCT_pad(&Z, FS_2048);
// beta = -z mod q
- FF_4096_sub(beta, q, z, FFLEN_4096);
+ BIG_256_56_sub(z, q, z);
// CT = E_A(a.b)
PAILLIER_MULT(PUB, CA, &B1, &CT);
@@ -283,23 +251,16 @@ void MPC_MTA_SERVER(csprng *RNG, PAILLIER_public_key *PUB, octet *B, octet *CA,
// Output Z for Debug
if (ZO!=NULL)
{
- char z1[FS_4096];
- octet Z1 = {0,sizeof(z1),z1};
- FF_4096_toOctet(&Z1, z, FFLEN_4096);
- OCT_clear(ZO);
- ZO->len = EGS_SECP256K1;
- Z1.len = FS_4096 - EGS_SECP256K1;
- OCT_truncate(ZO,&Z1);
+ OCT_chop(&Z, ZO, FS_2048 - EGS_SECP256K1);
}
// Output beta
- char beta1[FS_4096];
- octet BETA1 = {0,sizeof(beta1),beta1};
- FF_4096_toOctet(&BETA1, beta, FFLEN_4096);
- OCT_clear(BETA);
+ BIG_256_56_toBytes(BETA->val, z);
BETA->len = EGS_SECP256K1;
- BETA1.len = FS_4096 - EGS_SECP256K1;
- OCT_truncate(BETA,&BETA1);
+
+ // Clean memory
+ BIG_256_56_zero(z);
+ OCT_clear(&B1);
}
/* sum = a1.b1 + alpha + beta */
@@ -334,6 +295,13 @@ void MPC_SUM_MTA(octet *A, octet *B, octet *ALPHA, octet *BETA, octet *SUM)
// Output result
SUM->len=EGS_SECP256K1;
BIG_256_56_toBytes(SUM->val,sum);
+
+ // Clean memory
+ BIG_256_56_zero(a);
+ BIG_256_56_zero(b);
+ BIG_256_56_zero(alpha);
+ BIG_256_56_zero(beta);
+ BIG_256_56_zero(sum);
}
void MTA_ZK_random_challenge(csprng *RNG, octet *E)
diff --git a/src/schnorr.c b/src/schnorr.c
index 0d2a96f..03435dc 100644
--- a/src/schnorr.c
+++ b/src/schnorr.c
@@ -66,7 +66,7 @@ void SCHNORR_commit(csprng *RNG, octet *R, octet *C)
// Generate commitment r.G
ECP_SECP256K1_generator(&G);
- ECP_SECP256K1_mul(&G,r);
+ ECP_SECP256K1_mul(&G, r);
// Output C compressed
ECP_SECP256K1_toOctet(C, &G, 1);