You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@milagro.apache.org by sa...@apache.org on 2020/05/14 22:46:01 UTC
[incubator-milagro-MPC] 03/06: Add ID and additional data from
RFC8235
This is an automated email from the ASF dual-hosted git repository.
sandreoli pushed a commit to branch review-ncc
in repository https://gitbox.apache.org/repos/asf/incubator-milagro-MPC.git
commit 9fbae7bf555a7569903cbf0bf088607885ca37e5
Author: Samuele Andreoli <sa...@yahoo.it>
AuthorDate: Thu May 14 23:42:56 2020 +0100
Add ID and additional data from RFC8235
---
include/amcl/factoring_zk.h | 8 ++++++--
include/amcl/schnorr.h | 10 +++++++---
src/factoring_zk.c | 24 +++++++++++++++++++-----
src/schnorr.c | 22 ++++++++++++++++++----
4 files changed, 50 insertions(+), 14 deletions(-)
diff --git a/include/amcl/factoring_zk.h b/include/amcl/factoring_zk.h
index d4db1ac..4ae7a39 100644
--- a/include/amcl/factoring_zk.h
+++ b/include/amcl/factoring_zk.h
@@ -55,11 +55,13 @@ extern "C"
* @param RNG Cryptographically secure PRNG
* @param P First prime of the factorization
* @param Q Second prime of the factorization
+ * @param ID Prover unique identifier
+ * @param AD Additional data to bind in the proof - Optional
* @param R Random value used in the proof. If RNG is NULL this is read
* @param E First component of the ZK proof
* @param Y Second component of the ZK proof
*/
-void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *R, octet *E, octet *Y);
+void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *ID, octet *AD, octet *R, octet *E, octet *Y);
/** \brief Verify ZK proof of knowledge of factoring of N
*
@@ -68,9 +70,11 @@ void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *R, octet *E, oct
* @param N Public integer, the RSA modulus
* @param E Fisrt component of the ZK proof
* @param Y Second component of the ZK proof
+ * @param ID Prover unique identifier
+ * @param AD Additional data to bind in the proof - Optional
* @return 1 if the proof is valid, 0 otherwise
*/
-int FACTORING_ZK_verify(octet *N, octet *E, octet *Y);
+int FACTORING_ZK_verify(octet *N, octet *E, octet *Y, octet *ID, octet *AD);
#ifdef __cplusplus
}
diff --git a/include/amcl/schnorr.h b/include/amcl/schnorr.h
index 74529b7..8ab93a8 100644
--- a/include/amcl/schnorr.h
+++ b/include/amcl/schnorr.h
@@ -68,9 +68,11 @@ extern void SCHNORR_commit(csprng *RNG, octet *R, octet *C);
*
* @param V Public ECP of the DLOG. V = x.G. Compressed form
* @param C Public commitment value. Compressed form
+ * @param ID Prover unique identifier
+ * @param AD Additional data to bind in the challenge - Optional
* @param E Challenge generated
*/
-extern void SCHNORR_challenge(const octet *V, const octet *C, octet *E);
+extern void SCHNORR_challenge(const octet *V, const octet *C, octet *ID, octet *AD, octet *E);
/*! \brief Generate the proof for the given commitment and challenge
*
@@ -111,14 +113,16 @@ extern int SCHNORR_D_commit(csprng *RNG, octet *R, octet *A, octet *B, octet *C)
*
* Compute the challenge for the proof. RFC8235#section-3.3 can not be applied
* here, but we try to follow closely by treating R like a secondary generator.
- * Returns H(G, R, C, V)
+ * Returns H(G, R, C, V, ID[, AD])
*
* @param V Public ECP result of the DLOG. V = s.R + l.G. Compressed form
* @param R Public ECP base of the DLOG. Compressed form
* @param C Public commitment value. Compressed form
+ * @param ID Prover unique identifier
+ * @param AD Additional data to bind in the challenge - Optional
* @param E Challenge generated
*/
-extern void SCHNORR_D_challenge(const octet *R, const octet *V, const octet *C, octet *E);
+extern void SCHNORR_D_challenge(const octet *R, const octet *V, const octet *C, octet* ID, octet *AD, octet *E);
/*! \brief Generate the proof for the given commitment and challenge
*
diff --git a/src/factoring_zk.c b/src/factoring_zk.c
index 7578733..d8d24e9 100644
--- a/src/factoring_zk.c
+++ b/src/factoring_zk.c
@@ -90,10 +90,10 @@ void generator(hash256 *sha, int k, octet *O)
/*
* Zi = MGF_SHA256(N, i)
* X = H(Z1^r, Z2^r)
- * e = H'(N, Z1, Z2, X)
+ * e = H'(N, Z1, Z2, X, ID, AD)
* y = r + (N - phi(N)) * e
*/
-void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *R, octet *E, octet *Y)
+void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *ID, octet *AD, octet *R, octet *E, octet *Y)
{
int i;
@@ -188,8 +188,15 @@ void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *R, octet *E, oct
HASH256_hash(&sha_x, W.val);
W.len = SHA256;
- // Compute e = H(N, Z1, Z2, X)
+ // Compute e = H(N, Z1, Z2, X, ID, AD)
hash_oct(&sha_prime, &W);
+ hash_oct(&sha_prime, ID);
+
+ if (AD != NULL)
+ {
+ hash_oct(&sha_prime, AD);
+ }
+
HASH256_hash(&sha_prime, W.val);
W.len = FACTORING_ZK_B;
@@ -222,7 +229,7 @@ void FACTORING_ZK_prove(csprng *RNG, octet *P, octet *Q, octet *R, octet *E, oct
FF_2048_zero(hws, HFLEN_2048);
}
-int FACTORING_ZK_verify(octet *N, octet *E, octet *Y)
+int FACTORING_ZK_verify(octet *N, octet *E, octet *Y, octet *ID, octet *AD)
{
int i;
@@ -303,8 +310,15 @@ int FACTORING_ZK_verify(octet *N, octet *E, octet *Y)
HASH256_hash(&sha_x, W.val);
W.len = SHA256;
- // Compute e = H(N, Z1, Z2, X)
+ // Compute e = H(N, Z1, Z2, X, ID, AD)
hash_oct(&sha_prime, &W);
+ hash_oct(&sha_prime, ID);
+
+ if (AD != NULL)
+ {
+ hash_oct(&sha_prime, AD);
+ }
+
HASH256_hash(&sha_prime, W.val);
W.len = FACTORING_ZK_B;
diff --git a/src/schnorr.c b/src/schnorr.c
index 7d20095..f5082ce 100644
--- a/src/schnorr.c
+++ b/src/schnorr.c
@@ -75,7 +75,7 @@ void SCHNORR_commit(csprng *RNG, octet *R, octet *C)
BIG_256_56_zero(r);
}
-void SCHNORR_challenge(const octet *V, const octet *C, octet *E)
+void SCHNORR_challenge(const octet *V, const octet *C, octet *ID, octet *AD, octet *E)
{
hash256 sha;
@@ -91,11 +91,18 @@ void SCHNORR_challenge(const octet *V, const octet *C, octet *E)
ECP_SECP256K1_generator(&G);
ECP_SECP256K1_toOctet(&O, &G, true);
- // e = H(G,C,V) mod q
+ // e = H(G,C,V,ID,AD) mod q
HASH256_init(&sha);
hash_octet(&sha, &O);
hash_octet(&sha, C);
hash_octet(&sha, V);
+ hash_octet(&sha, ID);
+
+ if (AD != NULL)
+ {
+ hash_octet(&sha, AD);
+ }
+
HASH256_hash(&sha, o);
BIG_256_56_fromBytesLen(e, o, SHA256);
@@ -219,7 +226,7 @@ int SCHNORR_D_commit(csprng *RNG, octet *R, octet *A, octet *B, octet *C)
return SCHNORR_OK;
}
-void SCHNORR_D_challenge(const octet *R, const octet *V, const octet *C, octet *E)
+void SCHNORR_D_challenge(const octet *R, const octet *V, const octet *C, octet *ID, octet *AD, octet *E)
{
hash256 sha;
@@ -235,12 +242,19 @@ void SCHNORR_D_challenge(const octet *R, const octet *V, const octet *C, octet *
ECP_SECP256K1_generator(&G);
ECP_SECP256K1_toOctet(&O, &G, true);
- // e = H(G,R,C,V) mod q
+ // e = H(G,R,C,V,ID,AD) mod q
HASH256_init(&sha);
hash_octet(&sha, &O);
hash_octet(&sha, R);
hash_octet(&sha, C);
hash_octet(&sha, V);
+ hash_octet(&sha, ID);
+
+ if (AD != NULL)
+ {
+ hash_octet(&sha, AD);
+ }
+
HASH256_hash(&sha, o);
BIG_256_56_fromBytesLen(e, o, SHA256);