vss

package

v0.0.0-...-189774c Latest Latest Go to latest Published: Nov 20, 2018 License: MPL-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

Package vss implements the verifiable secret sharing scheme from the paper "Provably Secure Distributed Schnorr Signatures and a (t, n) Threshold Scheme for Implicit Certificates". VSS enables a dealer to share a secret securely and verifiably among n participants out of which at least t are required for its reconstruction. The verifiability of the process prevents a malicious dealer from influencing the outcome to his advantage as each verifier can check the validity of the received share. The protocol has the following steps:

The dealer send a Deal to every verifiers using `Deals()`. Each deal must be sent securely to one verifier whose public key is at the same index than the index of the Deal.
Each verifier processes the Deal with `ProcessDeal`. This function returns a Response which can be twofold: - an approval, to confirm a correct deal - a complaint to announce an incorrect deal notifying others that the dealer might be malicious. All Responses must be broadcasted to every verifiers and the dealer.
The dealer can respond to each complaint by a justification revealing the share he originally sent out to the accusing verifier. This is done by calling `ProcessResponse` on the `Dealer`.
The verifiers refuse the shared secret and abort the protocol if there are at least t complaints OR if a Justification is wrong. The verifiers accept the shared secret if there are at least t approvals at which point any t out of n verifiers can reveal their shares to reconstruct the shared secret.

Index ¶

func MinimumT(n int) int
func RecoverSecret(suite Suite, deals []*Deal, n, t int) (kyber.Scalar, error)
type Deal
type Dealer
- func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error)
type EncryptedDeal
type Justification
- func (j *Justification) Hash(s Suite) []byte
type Response
- func (r *Response) Hash(s Suite) []byte
type Suite
type Verifier
- func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point, ...) (*Verifier, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func MinimumT ¶

func MinimumT(n int) int

MinimumT returns the minimum safe T that is proven to be secure with this protocol. It expects n, the total number of participants. WARNING: Setting a lower T could make the whole protocol insecure. Setting a higher T only makes it harder to reconstruct the secret.

func RecoverSecret ¶

func RecoverSecret(suite Suite, deals []*Deal, n, t int) (kyber.Scalar, error)

RecoverSecret recovers the secret shared by a Dealer by gathering at least t Deals from the verifiers. It returns an error if there is not enough Deals or if all Deals don't have the same SessionID.

Types ¶

type Deal ¶

type Deal struct {
	// Unique session identifier for this protocol run
	SessionID []byte
	// Private share generated by the dealer
	SecShare *share.PriShare
	// Random share generated by the dealer
	RndShare *share.PriShare
	// Threshold used for this secret sharing run
	T uint32
	// Commitments are the coefficients used to verify the shares against
	Commitments []kyber.Point
}

Deal encapsulates the verifiable secret share and is sent by the dealer to a verifier.

type Dealer ¶

type Dealer struct {
	// contains filtered or unexported fields
}

Dealer encapsulates for creating and distributing the shares and for replying to any Responses.

func NewDealer ¶

func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error)

NewDealer returns a Dealer capable of leading the secret sharing scheme. It does not have to be trusted by other Verifiers. The security parameter t is the number of shares required to reconstruct the secret. It is HIGHLY RECOMMENDED to use a threshold higher or equal than what the method MinimumT() returns, otherwise it breaks the security assumptions of the whole scheme. It returns an error if the t is inferior or equal to 2.

func (*Dealer) Commits ¶

func (d *Dealer) Commits() []kyber.Point

Commits returns the commitments of the coefficient of the secret polynomial the Dealer is sharing.

func (Dealer) DealCertified ¶

func (a Dealer) DealCertified() bool

DealCertified returns true if there has been less than t complaints, all Justifications were correct and if EnoughApprovals() returns true.

func (*Dealer) EncryptedDeal ¶

func (d *Dealer) EncryptedDeal(i int) (*EncryptedDeal, error)

EncryptedDeal returns the encryption of the deal that must be given to the verifier at index i. The dealer first generates a temporary Diffie Hellman key, signs it using its longterm key, and computes the shared key depending on its longterm and ephemeral key and the verifier's public key. This shared key is then fed into a HKDF whose output is the key to a AEAD (AES256-GCM) scheme to encrypt the deal.

func (*Dealer) EncryptedDeals ¶

func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error)

EncryptedDeals calls `EncryptedDeal` for each index of the verifier and returns the list of encrypted deals. Each index in the returned slice corresponds to the index in the list of verifiers.

func (Dealer) EnoughApprovals ¶

func (a Dealer) EnoughApprovals() bool

EnoughApprovals returns true if enough verifiers have sent their approval for the deal they received.

func (*Dealer) Key ¶

func (d *Dealer) Key() (secret kyber.Scalar, public kyber.Point)

Key returns the longterm key pair used by this Dealer.

func (*Dealer) PlaintextDeal ¶

func (d *Dealer) PlaintextDeal(i int) (*Deal, error)

PlaintextDeal returns the plaintext version of the deal destined for peer i. Use this only for testing.

func (*Dealer) ProcessResponse ¶

func (d *Dealer) ProcessResponse(r *Response) (*Justification, error)

ProcessResponse analyzes the given Response. If it's a valid complaint, then it returns a Justification. This Justification must be broadcasted to every participants. If it's an invalid complaint, it returns an error about the complaint. The verifiers will also ignore an invalid Complaint.

func (*Dealer) SecretCommit ¶

func (d *Dealer) SecretCommit() kyber.Point

SecretCommit returns the commitment of the secret being shared by this dealer. This function is only to be called once the deal has enough approvals and is verified otherwise it returns nil.

func (*Dealer) SessionID ¶

func (d *Dealer) SessionID() []byte

SessionID returns the current sessionID generated by this dealer for this protocol run.

func (*Dealer) SetTimeout ¶

func (d *Dealer) SetTimeout()

SetTimeout tells this dealer to consider this moment the maximum time limit. it calls cleanVerifiers which will take care of all Verifiers who have not responded until now.

func (Dealer) UnsafeSetResponseDKG ¶

func (a Dealer) UnsafeSetResponseDKG(idx uint32, approval bool)

UnsafeSetResponseDKG is an UNSAFE bypass method to allow DKG to use VSS that works on basis of approval only.

func (Dealer) VerifyDeal ¶

func (a Dealer) VerifyDeal(d *Deal, inclusion bool) error

VerifyDeal analyzes the deal and returns an error if it's incorrect. If inclusion is true, it also returns an error if it the second time this struct analyzes a Deal.

type EncryptedDeal ¶

type EncryptedDeal struct {
	// Ephemeral Diffie Hellman key
	DHKey kyber.Point
	// Signature of the DH key by the longterm key of the dealer
	Signature []byte
	// Nonce used for the encryption
	Nonce []byte
	// AEAD encryption of the deal marshalled by protobuf
	Cipher []byte
}

EncryptedDeal contains the deal in a encrypted form only decipherable by the correct recipient. The encryption is performed in a similar manner as what is done in TLS. The dealer generates a temporary key pair, signs it with its longterm secret key.

type Justification ¶

type Justification struct {
	// SessionID related to the current run of the protocol
	SessionID []byte
	// Index of the verifier who issued the Complaint,i.e. index of this Deal
	Index uint32
	// Deal in cleartext
	Deal *Deal
	// Signature over the whole packet
	Signature []byte
}

Justification is a message that is broadcasted by the Dealer in response to a Complaint. It contains the original Complaint as well as the shares distributed to the complainer.

func (*Justification) Hash ¶

func (j *Justification) Hash(s Suite) []byte

Hash returns the hash of a Justification.

type Response ¶

type Response struct {
	// SessionID related to this run of the protocol
	SessionID []byte
	// Index of the verifier issuing this Response
	Index uint32
	// Approved is true if the Response is valid
	Approved bool
	// Signature over the whole packet
	Signature []byte
}

Response is sent by the verifiers to all participants and holds each individual validation or refusal of a Deal.

func (*Response) Hash ¶

func (r *Response) Hash(s Suite) []byte

Hash returns the Hash representation of the Response

type Suite ¶

type Suite interface {
	kyber.Group
	kyber.HashFactory
	kyber.XOFFactory
	kyber.Random
}

Suite defines the capabilities required by the vss package.

type Verifier ¶

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier receives a Deal from a Dealer, can reply with a Complaint, and can collaborate with other Verifiers to reconstruct a secret.

func NewVerifier ¶

func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point,
	verifiers []kyber.Point) (*Verifier, error)

NewVerifier returns a Verifier out of: - its longterm secret key - the longterm dealer public key - the list of public key of verifiers. The list MUST include the public key of this Verifier also. The security parameter t of the secret sharing scheme is automatically set to a default safe value. If a different t value is required, it is possible to set it with `verifier.SetT()`.

func (*Verifier) Deal ¶

func (v *Verifier) Deal() *Deal

Deal returns the Deal that this verifier has received. It returns nil if the deal is not certified or there is not enough approvals.

func (Verifier) DealCertified ¶

func (a Verifier) DealCertified() bool

DealCertified returns true if there has been less than t complaints, all Justifications were correct and if EnoughApprovals() returns true.

func (Verifier) EnoughApprovals ¶

func (a Verifier) EnoughApprovals() bool

EnoughApprovals returns true if enough verifiers have sent their approval for the deal they received.

func (*Verifier) Index ¶

func (v *Verifier) Index() int

Index returns the index of the verifier in the list of participants used during this run of the protocol.

func (*Verifier) Key ¶

func (v *Verifier) Key() (kyber.Scalar, kyber.Point)

Key returns the longterm key pair this verifier is using during this protocol run.

func (*Verifier) ProcessEncryptedDeal ¶

func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error)

ProcessEncryptedDeal decrypt the deal received from the Dealer. If the deal is valid, i.e. the verifier can verify its shares against the public coefficients and the signature is valid, an approval response is returned and must be broadcasted to every participants including the dealer. If the deal itself is invalid, it returns a complaint response that must be broadcasted to every other participants including the dealer. If the deal has already been received, or the signature generation of the response failed, it returns an error without any responses.

func (*Verifier) ProcessJustification ¶

func (v *Verifier) ProcessJustification(dr *Justification) error

ProcessJustification takes a DealerResponse and returns an error if something went wrong during the verification. If it is the case, that probably means the Dealer is acting maliciously. In order to be sure, call `v.EnoughApprovals()` and if true, `v.DealCertified()`.

func (*Verifier) ProcessResponse ¶

func (v *Verifier) ProcessResponse(resp *Response) error

ProcessResponse analyzes the given response. If it's a valid complaint, the verifier should expect to see a Justification from the Dealer. It returns an error if it's not a valid response. Call `v.DealCertified()` to check if the whole protocol is finished.

func (*Verifier) SessionID ¶

func (v *Verifier) SessionID() []byte

SessionID returns the session id generated by the Dealer. WARNING: it returns an nil slice if the verifier has not received the Deal yet !

func (*Verifier) SetTimeout ¶

func (v *Verifier) SetTimeout()

SetTimeout tells this verifier to consider this moment the maximum time limit. it calls cleanVerifiers which will take care of all Verifiers who have not responded until now.

func (Verifier) UnsafeSetResponseDKG ¶

func (a Verifier) UnsafeSetResponseDKG(idx uint32, approval bool)

UnsafeSetResponseDKG is an UNSAFE bypass method to allow DKG to use VSS that works on basis of approval only.

func (Verifier) VerifyDeal ¶

func (a Verifier) VerifyDeal(d *Deal, inclusion bool) error

VerifyDeal analyzes the deal and returns an error if it's incorrect. If inclusion is true, it also returns an error if it the second time this struct analyzes a Deal.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL