This is an automated email from the ASF dual-hosted git repository. sandreoli pushed a commit to branch review in repository https://gitbox.apache.org/repos/asf/incubator-milagro-MPC.git
commit bf499d6aa50ff402a71ec234d17dddc77fdb373f Author: Samuele Andreoli <[email protected]> AuthorDate: Mon Feb 10 12:31:22 2020 +0000 review mta and mpc code --- src/mpc.c | 118 +++++++++++++++++++++++------------------------------ src/mta.c | 128 ++++++++++++++++++++++------------------------------------ src/schnorr.c | 2 +- 3 files changed, 100 insertions(+), 148 deletions(-) diff --git a/src/mpc.c b/src/mpc.c index 82216f4..cc3e2d7 100644 --- a/src/mpc.c +++ b/src/mpc.c @@ -167,24 +167,22 @@ void MPC_INVKGAMMA(octet *KGAMMA1, octet *KGAMMA2, octet *INVKGAMMA) BIG_256_56 q; // Curve order - BIG_256_56_rcopy(q,CURVE_Order_SECP256K1); + BIG_256_56_rcopy(q, CURVE_Order_SECP256K1); // Load values - BIG_256_56_fromBytes(kgamma1,KGAMMA1->val); - BIG_256_56_fromBytes(kgamma2,KGAMMA2->val); - - // kgamma = kgamma1 + kgamma2 - BIG_256_56_add(kgamma,kgamma1,kgamma2); + BIG_256_56_fromBytes(kgamma1, KGAMMA1->val); + BIG_256_56_fromBytes(kgamma2, KGAMMA2->val); - // kgamma = kgamma mod q - BIG_256_56_mod(kgamma,q); + // kgamma = kgamma1 + kgamma2 mod q + BIG_256_56_add(kgamma, kgamma1, kgamma2); + BIG_256_56_mod(kgamma, q); // invkgamma = kgamma^{-1} - BIG_256_56_invmodp(invkgamma,kgamma,q); + BIG_256_56_invmodp(invkgamma, kgamma, q); // Output result - INVKGAMMA->len=EGS_SECP256K1; - BIG_256_56_toBytes(INVKGAMMA->val,invkgamma); + INVKGAMMA->len = EGS_SECP256K1; + BIG_256_56_toBytes(INVKGAMMA->val, invkgamma); } @@ -194,43 +192,43 @@ int MPC_R(octet *INVKGAMMA, octet *GAMMAPT1, octet *GAMMAPT2, octet *R) BIG_256_56 invkgamma; BIG_256_56 q; BIG_256_56 rx; - BIG_256_56 r; ECP_SECP256K1 gammapt1; ECP_SECP256K1 gammapt2; // Curve order - BIG_256_56_rcopy(q,CURVE_Order_SECP256K1); + BIG_256_56_rcopy(q, CURVE_Order_SECP256K1); // Load values - BIG_256_56_fromBytes(invkgamma,INVKGAMMA->val); - if (!ECP_SECP256K1_fromOctet(&gammapt1,GAMMAPT1)) + BIG_256_56_fromBytes(invkgamma, INVKGAMMA->val); + + if (!ECP_SECP256K1_fromOctet(&gammapt1, GAMMAPT1)) { return 1; } - if (!ECP_SECP256K1_fromOctet(&gammapt2,GAMMAPT2)) + + if (!ECP_SECP256K1_fromOctet(&gammapt2, GAMMAPT2)) { return 1; } // gammapt1 + gammapt2 - ECP_SECP256K1_add(&gammapt1,&gammapt2); + ECP_SECP256K1_add(&gammapt1, &gammapt2); // rx, ry = k^{-1}.G - ECP_SECP256K1_mul(&gammapt1,invkgamma); - ECP_SECP256K1_get(rx,rx,&gammapt1); + ECP_SECP256K1_mul(&gammapt1, invkgamma); + ECP_SECP256K1_get(rx, rx, &gammapt1); // r = rx mod q - BIG_256_56_copy(r,rx); - BIG_256_56_mod(r,q); - if (BIG_256_56_iszilch(r)) + BIG_256_56_mod(rx, q); + if (BIG_256_56_iszilch(rx)) { return 1; } // Output result - R->len=EGS_SECP256K1; - BIG_256_56_toBytes(R->val,r); + R->len = EGS_SECP256K1; + BIG_256_56_toBytes(R->val, rx); return 0; } @@ -238,20 +236,7 @@ int MPC_R(octet *INVKGAMMA, octet *GAMMAPT1, octet *GAMMAPT2, octet *R) // Hash the message void MPC_HASH(int sha, octet *M, octet *HM) { - char h[128]; - octet H = {0,sizeof(h),h}; - - BIG_256_56 z; - - // z = hash(M) - ehashit(sha,M,-1,NULL,&H,sha); - int hlen=H.len; - if (H.len>MODBYTES_256_56) hlen=MODBYTES_256_56; - BIG_256_56_fromBytesLen(z,H.val,hlen); - - // Output result - HM->len=MODBYTES_256_56; - BIG_256_56_toBytes(HM->val,z); + ehashit(sha, M, -1, NULL, HM, MODBYTES_256_56); } // Calculate the s component of the signature @@ -267,31 +252,31 @@ int MPC_S(octet *HM, octet *R, octet *K, octet *SIGMA, octet *S) BIG_256_56 s; // Curve order - BIG_256_56_rcopy(q,CURVE_Order_SECP256K1); + BIG_256_56_rcopy(q, CURVE_Order_SECP256K1); // Load values - BIG_256_56_fromBytes(z,HM->val); - BIG_256_56_fromBytes(r,R->val); - BIG_256_56_fromBytes(k,K->val); - BIG_256_56_fromBytes(sigma,SIGMA->val); + BIG_256_56_fromBytes(z, HM->val); + BIG_256_56_fromBytes(r, R->val); + BIG_256_56_fromBytes(k, K->val); + BIG_256_56_fromBytes(sigma, SIGMA->val); // kz = k.z mod q - BIG_256_56_modmul(kz,k,z,q); + BIG_256_56_modmul(kz, k, z, q); // rsigma = r.sigma mod q - BIG_256_56_modmul(rsigma,r,sigma,q); + BIG_256_56_modmul(rsigma, r, sigma, q); // s = kz + rsigma mod q - BIG_256_56_add(s,kz,rsigma); - BIG_256_56_mod(s,q); + BIG_256_56_add(s, kz, rsigma); + BIG_256_56_mod(s, q); if (BIG_256_56_iszilch(s)) { return 1; } // Output result - S->len=EGS_SECP256K1; - BIG_256_56_toBytes(S->val,s); + S->len = EGS_SECP256K1; + BIG_256_56_toBytes(S->val, s); return 0; } @@ -305,21 +290,19 @@ void MPC_SUM_S(octet *S1, octet *S2, octet *S) BIG_256_56 q; // Curve order - BIG_256_56_rcopy(q,CURVE_Order_SECP256K1); + BIG_256_56_rcopy(q, CURVE_Order_SECP256K1); // Load values - BIG_256_56_fromBytes(s1,S1->val); - BIG_256_56_fromBytes(s2,S2->val); + BIG_256_56_fromBytes(s1, S1->val); + BIG_256_56_fromBytes(s2, S2->val); - // s = s1 + s2 - BIG_256_56_add(s,s1,s2); - - // s = s mod q - BIG_256_56_mod(s,q); + // s = s1 + s2 mod q + BIG_256_56_add(s, s1, s2); + BIG_256_56_mod(s, q); // Output result - S->len=EGS_SECP256K1; - BIG_256_56_toBytes(S->val,s); + S->len = EGS_SECP256K1; + BIG_256_56_toBytes(S->val, s); } // Add the ECDSA public keys shares @@ -329,20 +312,21 @@ int MPC_SUM_PK(octet *PK1, octet *PK2, octet *PK) ECP_SECP256K1 pk2; // Load values - if (!ECP_SECP256K1_fromOctet(&pk1,PK1)) + if (!ECP_SECP256K1_fromOctet(&pk1, PK1)) { return 1; } - if (!ECP_SECP256K1_fromOctet(&pk2,PK2)) + + if (!ECP_SECP256K1_fromOctet(&pk2, PK2)) { return 1; } // pk1 + pk2 - ECP_SECP256K1_add(&pk1,&pk2); + ECP_SECP256K1_add(&pk1, &pk2); // Output result - ECP_SECP256K1_toOctet(PK,&pk1,false); + ECP_SECP256K1_toOctet(PK, &pk1, false); return 0; } @@ -508,16 +492,16 @@ int MPC_PHASE5_verify(octet *U[2], octet *T[2]) // Write Paillier public key to octets void MPC_DUMP_PAILLIER_PK(PAILLIER_public_key *PUB, octet *N, octet *G, octet *N2) { - FF_4096_toOctet(N, PUB->n, FFLEN_4096); - FF_4096_toOctet(G, PUB->g, FFLEN_4096); + FF_4096_toOctet(N, PUB->n, FFLEN_4096); + FF_4096_toOctet(G, PUB->g, FFLEN_4096); FF_4096_toOctet(N2, PUB->n2, FFLEN_4096); } // Load Paillier public key from octets void MPC_LOAD_PAILLIER_PK(PAILLIER_public_key *PUB, octet *N, octet *G, octet *N2) { - FF_4096_fromOctet(PUB->n, N, FFLEN_4096); - FF_4096_fromOctet(PUB->g, G, FFLEN_4096); + FF_4096_fromOctet(PUB->n, N, FFLEN_4096); + FF_4096_fromOctet(PUB->g, G, FFLEN_4096); FF_4096_fromOctet(PUB->n2, N2, FFLEN_4096); } diff --git a/src/mta.c b/src/mta.c index 1a7cd4c..3b8d6ed 100644 --- a/src/mta.c +++ b/src/mta.c @@ -38,27 +38,6 @@ void OCT_hash(hash256 *sha, octet *O) } } -// Truncates an octet string -void OCT_truncate(octet *y,octet *x) -{ - /* y < x */ - int i=0; - int j=0; - if (x==NULL) return; - if (y==NULL) return; - - for (i=0; i<y->len; i++) - { - j=x->len+i; - if (i>=y->max) - { - y->len=y->max; - return; - } - y->val[i]=x->val[j]; - } -} - /* FF manipulation utilities * * These might be nice additions to milagro-crypto-c ff API @@ -172,60 +151,55 @@ void hash_ZK_commitment(hash256 *sha, MTA_ZK_commitment *c) // Client MTA first pass void MPC_MTA_CLIENT1(csprng *RNG, PAILLIER_public_key *PUB, octet *A, octet *CA, octet *R) { - // Read A char a1[FS_2048]; octet A1 = {0,sizeof(a1),a1}; - OCT_clear(&A1); - A1.len = FS_2048 - EGS_SECP256K1; - OCT_joctet(&A1,A); + + OCT_copy(&A1, A); + OCT_pad(&A1, FS_2048); PAILLIER_ENCRYPT(RNG, PUB, &A1, CA, R); + + // Clean memory + OCT_clear(&A1); } // Client MtA second pass void MPC_MTA_CLIENT2(PAILLIER_private_key *PRIV, octet *CB, octet *ALPHA) { - BIG_512_60 q[FFLEN_4096]; - BIG_512_60 alpha[FFLEN_4096]; - - char co[EGS_SECP256K1]; - octet CO = {0,sizeof(co),co}; + BIG_1024_58 q[HFLEN_2048]; + BIG_1024_58 alpha[HFLEN_2048]; char t[FS_2048]; octet T = {0,sizeof(t),t}; // Curve order - OCT_fromHex(&CO,curve_order_hex); - FF_4096_zero(q, FFLEN_4096); - BIG_512_60_fromBytesLen(q[0],CO.val,CO.len); + OCT_fromHex(&T, curve_order_hex); + OCT_pad(&T, HFS_2048); + FF_2048_fromOctet(q, &T, HFLEN_2048); PAILLIER_DECRYPT(PRIV, CB, &T); - FF_4096_zero(alpha, FFLEN_4096); - FF_4096_fromOctet(alpha,&T,HFLEN_4096); + // alpha < q^3 + OCT_shl(&T, HFS_2048); + FF_2048_fromOctet(alpha, &T, HFLEN_2048); // alpha = alpha mod q - FF_4096_mod(alpha, q, FFLEN_4096); + FF_2048_mod(alpha, q, HFLEN_2048); // Output alpha - char alpha1[FS_4096]; - octet ALPHA1 = {0,sizeof(alpha1),alpha1}; - FF_4096_toOctet(&ALPHA1, alpha, FFLEN_4096); - OCT_clear(ALPHA); - ALPHA->len = EGS_SECP256K1; - ALPHA1.len = FS_4096 - EGS_SECP256K1; - OCT_truncate(ALPHA,&ALPHA1); + FF_2048_toOctet(&T, alpha, HFLEN_2048); + OCT_chop(&T, ALPHA, HFS_2048 - EGS_SECP256K1); + + // Clean memory + FF_2048_zero(alpha, FFLEN_2048); + OCT_clear(&T); } // MtA server void MPC_MTA_SERVER(csprng *RNG, PAILLIER_public_key *PUB, octet *B, octet *CA, octet *ZO, octet *R, octet *CB, octet *BETA) { - BIG_512_60 q[FFLEN_4096]; - BIG_512_60 z[FFLEN_4096]; - BIG_512_60 beta[FFLEN_4096]; - - char co[EGS_SECP256K1]; - octet CO = {0,sizeof(co),co}; + BIG_256_56 q; + BIG_256_56 z; char zb[FS_2048]; octet Z = {0,sizeof(zb),zb}; @@ -240,36 +214,30 @@ void MPC_MTA_SERVER(csprng *RNG, PAILLIER_public_key *PUB, octet *B, octet *CA, octet B1 = {0,sizeof(b1),b1}; // Curve order - OCT_fromHex(&CO,curve_order_hex); - FF_4096_zero(q, FFLEN_4096); - BIG_512_60_fromBytesLen(q[0],CO.val,CO.len); + BIG_256_56_rcopy(q, CURVE_Order_SECP256K1); // Read B - OCT_clear(&B1); - B1.len = FS_2048 - EGS_SECP256K1; - OCT_joctet(&B1,B); + OCT_copy(&B1, B); + OCT_pad(&B1, FS_2048); // Random z value if (RNG!=NULL) { - FF_4096_random(z,RNG,FFLEN_4096); - FF_4096_mod(z,q,FFLEN_4096); + BIG_256_56_randomnum(z, q, RNG); + + BIG_256_56_toBytes(Z.val, z); + Z.len = EGS_SECP256K1; } else { - char z1[FS_4096]; - octet Z1 = {0,sizeof(z1),z1}; - OCT_clear(&Z1); - Z1.len = FS_4096 - EGS_SECP256K1; - ZO->len = EGS_SECP256K1; - OCT_joctet(&Z1,ZO); - FF_4096_zero(z, FFLEN_4096); - FF_4096_fromOctet(z,&Z1,FFLEN_4096); + BIG_256_56_fromBytesLen(z, ZO->val, ZO->len); + OCT_copy(&Z, ZO); } - FF_4096_toOctet(&Z, z, HFLEN_4096); + + OCT_pad(&Z, FS_2048); // beta = -z mod q - FF_4096_sub(beta, q, z, FFLEN_4096); + BIG_256_56_sub(z, q, z); // CT = E_A(a.b) PAILLIER_MULT(PUB, CA, &B1, &CT); @@ -283,23 +251,16 @@ void MPC_MTA_SERVER(csprng *RNG, PAILLIER_public_key *PUB, octet *B, octet *CA, // Output Z for Debug if (ZO!=NULL) { - char z1[FS_4096]; - octet Z1 = {0,sizeof(z1),z1}; - FF_4096_toOctet(&Z1, z, FFLEN_4096); - OCT_clear(ZO); - ZO->len = EGS_SECP256K1; - Z1.len = FS_4096 - EGS_SECP256K1; - OCT_truncate(ZO,&Z1); + OCT_chop(&Z, ZO, FS_2048 - EGS_SECP256K1); } // Output beta - char beta1[FS_4096]; - octet BETA1 = {0,sizeof(beta1),beta1}; - FF_4096_toOctet(&BETA1, beta, FFLEN_4096); - OCT_clear(BETA); + BIG_256_56_toBytes(BETA->val, z); BETA->len = EGS_SECP256K1; - BETA1.len = FS_4096 - EGS_SECP256K1; - OCT_truncate(BETA,&BETA1); + + // Clean memory + BIG_256_56_zero(z); + OCT_clear(&B1); } /* sum = a1.b1 + alpha + beta */ @@ -334,6 +295,13 @@ void MPC_SUM_MTA(octet *A, octet *B, octet *ALPHA, octet *BETA, octet *SUM) // Output result SUM->len=EGS_SECP256K1; BIG_256_56_toBytes(SUM->val,sum); + + // Clean memory + BIG_256_56_zero(a); + BIG_256_56_zero(b); + BIG_256_56_zero(alpha); + BIG_256_56_zero(beta); + BIG_256_56_zero(sum); } void MTA_ZK_random_challenge(csprng *RNG, octet *E) diff --git a/src/schnorr.c b/src/schnorr.c index 0d2a96f..03435dc 100644 --- a/src/schnorr.c +++ b/src/schnorr.c @@ -66,7 +66,7 @@ void SCHNORR_commit(csprng *RNG, octet *R, octet *C) // Generate commitment r.G ECP_SECP256K1_generator(&G); - ECP_SECP256K1_mul(&G,r); + ECP_SECP256K1_mul(&G, r); // Output C compressed ECP_SECP256K1_toOctet(C, &G, 1);
