Documentation
¶
Overview ¶
This implements a non-interactive version of the common-exponent batch Schnorr proof from Ryan Henry's thesis. This specifically applies to the case where a set of group elements shares a common discrete log with regard to a set of generators. Slightly more formally, the case:
(G, q, g_1,...,g_n) and (h_1,...,h_n) ∈ (G)^n with h_i = (g_i)^x for i = 1,...,n
Inspired by an observation of Ian Goldberg's that this "common-exponent" case is drastically simpler than a general batch proof. The general idea is that we can produce a linear combination of the elements and perform a Chaum-Pedersen proof on the resulting composite elements.
See Section 3.2.3.3 for the interactive protocol: https://uwspace.uwaterloo.ca/bitstream/handle/10012/8621/Henry_Ryan.pdf
An implementation of the widely-used (honest-verifier) NIZK proof of discrete logarithm equality originally described in the Chaum and Pedersen paper "Wallet Databases with Observers", using Go's standard crypto/elliptic package.
This implementation potentially minimizes the amount of data that needs to be sent to the verifier by including the intermediate proof values (called a, b in the paper) in the Fiat-Shamir hash step and using hash comparison to determine proof validity instead of group element equality.
An implementation of an oblivious VRF due to Jarecki et al.
Index ¶
- Constants
- Variables
- func BatchMarshalPoints(points []*Point) ([][]byte, error)
- func CheckRequestBinding(hash crypto.Hash, key []byte, supplied []byte, observed [][]byte) bool
- func ComputeComposites(hash crypto.Hash, curve elliptic.Curve, G, Y *Point, P, Q []*Point) (*Point, *Point, [][]byte, error)
- func CreateRequestBinding(hash crypto.Hash, key []byte, data [][]byte) []byte
- func DeriveKey(hash crypto.Hash, N *Point, token []byte) []byte
- func HandleTest(t *testing.T, h2cMethod string, testToRun func(t *testing.T, obj H2CObject))
- func ParseCommitmentFile(genFilePath string) ([]byte, []byte, error)
- func ParseKeyFile(keyFilePath string, signingKey bool) ([]elliptic.Curve, [][]byte, error)
- func RetrieveCommPoints(GBytes, HBytes, key []byte) (*Point, *Point, error)
- type Base64Proof
- type BatchProof
- type Commitment
- type CurveParams
- type H2CObject
- type P256SHA256Increment
- type P256SHA256SWU
- type Point
- func BatchUnmarshalPoints(curve elliptic.Curve, data [][]byte) ([]*Point, error)
- func BlindPoint(p *Point) (*Point, []byte)
- func CreateBlindToken(h2cObj H2CObject) (token []byte, blindPoint *Point, blindFactor []byte, err error)
- func NewPoint(curve elliptic.Curve, x, y *big.Int) (*Point, error)
- func NewRandomPoint(h2cObj H2CObject) ([]byte, *Point, error)
- func SignPoint(P *Point, secret []byte) *Point
- func UnblindPoint(p *Point, blind []byte) *Point
- type Proof
Constants ¶
const ( INC_ITER = 20 H2C_SWU = h2cMethod("swu") H2C_INC = h2cMethod("increment") )
Variables ¶
var ( ErrUnequalPointCounts = errors.New("batch proof had unequal numbers of points") BATCH_PROOF_RESP_STR = "batch-proof=" )
var ( ErrInvalidPoint = errors.New("marshaled point was invalid") ErrNoPointFound = errors.New("hash_to_curve failed to find a point") ErrPointOffCurve = errors.New("point is not on curve") ErrUnspecifiedCurve = errors.New("must specify an elliptic curve") ErrCommSanityCheck = errors.New("commitment does not match key") )
var (
ErrIncompatibleCurveParams = errors.New("Incompatible curve parameters chosen")
)
var (
ErrInconsistentCurves = errors.New("points are on different curves")
)
Functions ¶
func BatchMarshalPoints ¶
BatchMarshalPoints encodes a slice of crypto.Point objects in the form specified in section 4.3.6 of ANSI X9.62.
func CheckRequestBinding ¶
func ComputeComposites ¶
func CreateRequestBinding ¶
func HandleTest ¶
Runs the tests for each of the different H2C methods
func ParseCommitmentFile ¶
Load the commitment to a generator that is currently in use as well.
func ParseKeyFile ¶
ParseKeyFile decodes a PEM-encoded EC PRIVATE KEY to a big-endian byte slice representing the secret scalar, which is the format expected by most curve math functions in Go crypto/elliptic.
func RetrieveCommPoints ¶
RetrieveCommPoints loads commitments in from file as part of enabling DLEQ proof batching and returns as a point representation. Perform this sanity check to make sure that commitments work properly.
This function only supports commitments from P256-SHA256 for now
Types ¶
type Base64Proof ¶
func (*Base64Proof) DecodeProof ¶
func (ep *Base64Proof) DecodeProof(curve elliptic.Curve) (*Proof, error)
Decode base64 proofs
type BatchProof ¶
We used to send G,H with BP but may as well just use them in P
func NewBatchProof ¶
func (*BatchProof) IsComplete ¶
func (b *BatchProof) IsComplete() bool
func (*BatchProof) IsSane ¶
func (b *BatchProof) IsSane() bool
func (*BatchProof) MarshalForResp ¶
func (b *BatchProof) MarshalForResp() ([]byte, error)
Marshal a proof to be sent to a client
func (*BatchProof) Verify ¶
func (b *BatchProof) Verify() bool
type Commitment ¶
A JSON structure for marshaling the public commitment values
type CurveParams ¶
type CurveParams struct {
Curve string `json:"curve"`
Hash string `json:"hash"`
Method string `json:"method"`
}
func (*CurveParams) GetH2CObj ¶
func (curveParams *CurveParams) GetH2CObj() (H2CObject, error)
GetH2CObj parses a map of curve parameters for the correct settings
type P256SHA256Increment ¶
type P256SHA256Increment struct {
// contains filtered or unexported fields
}
P256SHA256Increment (DEPRECATED). This method is compatible with the v1.0 of Privacy Pass. It will be replaced in newer versions > v1.0
This method uses a probabilistic encoding for hashing bytes to a curve. It repeatedly hashes (up to INC_ITER times) and attempts to construct a curve point from the result.
func (*P256SHA256Increment) HashToCurve ¶
func (obj *P256SHA256Increment) HashToCurve(data []byte) (*Point, error)
func (*P256SHA256Increment) Method ¶
func (obj *P256SHA256Increment) Method() string
type P256SHA256SWU ¶
type P256SHA256SWU struct {
// contains filtered or unexported fields
}
P256SHA256SWU calculates the Simplified SWU encoding by Brier et al. given in "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves". It assumes that curve is one of the NIST curves; thus a=-3 and p=3 mod 4. Compatible with Privacy Pass > v1.0.
func (*P256SHA256SWU) HashToCurve ¶
func (obj *P256SHA256SWU) HashToCurve(data []byte) (*Point, error)
func (*P256SHA256SWU) Method ¶
func (obj *P256SHA256SWU) Method() string
type Point ¶
func BatchUnmarshalPoints ¶
BatchUnmarshalPoints takes a slice of P-256 curve points in the form specified in section 4.3.6 of ANSI X9.62 (see Go crypto/elliptic) and returns a slice of crypto.Point instances.
func BlindPoint ¶
BlindPoint generates a random blinding factor, scalar multiplies it to the supplied point, and returns both the new point and the blinding factor.
func CreateBlindToken ¶
func CreateBlindToken(h2cObj H2CObject) (token []byte, blindPoint *Point, blindFactor []byte, err error)
Creates t, T=H(t), and blinding factor r Turns out key generation is helpfully congruent to token generation and projection.
func NewRandomPoint ¶
NewRandomPoint: Generates a new random point on the curve specified in curveParams.
func SignPoint ¶
This just executes a scalar mult and returns both the new point and its byte encoding. It essentially "signs" a point with the given key.
func UnblindPoint ¶
UnblindPoint removes the given blinding factor from the point.
func (*Point) Marshal ¶
Marshal calls through to elliptic.Marshal using the Curve field of the receiving Point. This produces an uncompressed marshaling as specified in SEC1 2.3.3.
func (*Point) MarshalJSON ¶
func (*Point) Unmarshal ¶
Unmarshal interprets SEC1 2.3.4 compressed points in addition to the raw points supported by elliptic.Unmarshal. It assumes a NIST curve, and specifically that a = -3. It's faster when p = 3 mod 4 because of how ModSqrt works.
func (*Point) UnmarshalJSON ¶
type Proof ¶
type Proof struct {
G, M *Point // generators known by both parties
H, Z *Point // "public keys" we want to compare
R *big.Int // response value
C *big.Int // hash of intermediate proof values to streamline equality checks
// contains filtered or unexported fields
}
func NewProof ¶
Given g, h, m, z such that g, m are generators and h = g^x, z = m^x, compute a proof that log_g(h) == log_m(z). If (g, h, m, z) are already known to the verifier, then (c, r) is sufficient to check the proof.
func UnmarshalBatchProof ¶
Takes the batch proof marshaled above and unmarshals it (hardcoded SHA256) Can be used with either the BATCH_PROOF_RESP_STR attached or not
func (*Proof) EncodeProof ¶
func (pr *Proof) EncodeProof() *Base64Proof
Base64 encode the fields of the DLEQ proof for sending back to client
Source Files