resharing

package
v0.0.0-...-8ef2c5f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 10, 2022 License: MIT Imports: 23 Imported by: 0

README

YOSO proactive resharing protocol

Indices

Indices:

  • i: dealer in 0,...,n-1 contrary to paper!
  • l: index of the first-level of sharing of the secret s[i] of the dealer i. Match next holding committee member j.
  • j: verification committee member
  • k: resolution committee member

Contrary to the paper, the indices of the committee members start at 0 and not at 1.

Parameters

At the level of the protocol:

  • n: number of parties per committee
  • t: maximum number of malicious parties

n = 2t+1

However, for VSS / Secret Sharing, t usually represents the reconstruction threshold, which is degree d + 1. And d = t from the protocol.

Steps of the protocol

  1. Dealing (step1_dealing.go) performed by each dealer
  2. Verification = Accusation (step2_verification.go) performed by each verifier
  3. Resolution = Response (step3_resolution.go) performed by each resolution committee member/responder
  4. Refreshing = two parts:
    1. For all users = disqualification (include step4_resolution.go and part of step4_refreshing.go) and refreshing of the commitments
    2. For new holding committee members = refreshing of the shares

Organization

Main files:

  • protocol.go: the actual protocol

  • protocol_test.go: test of the full protocol

  • protocol_bench_test.go: test for benchmarking performances. See below.

  • step*.go: for each round/step of the protocol. Step 4 is split in two parts files.

Pieces of the protocol:

  • nizk_*.go: for the internal NIZK
  • verifier_proof.go: for the proof made by the verifier V_j
  • eps.go: for things related to the future broadcast/resolution encryption

Other tools:

  • codecgen.go: used to have faster encoding/decoding. Generate gen-codecgen.go
  • inputs.go: structure of the public and private inputs
  • receive.go: generate gen-receive.go
  • test_tools*.go: tools for testing

Benchmark

For large values n/t, simulating the whole protocol is too slow, so we use TestResharingProtocolBenchmarkManualParty0:

YOSO_BENCH_TEST_T=32 go test -timeout=2h -bench -v -run TestResharingProtocolBenchmarkManualParty0

Documentation

Index

Constants

View Source 
const (
	// HashLength is the length of hashes we use in bytes
	HashLength = 32
)

Variables

This section is empty.

Functions

func CheckDealingMessages 

func CheckDealingMessages(pub *PublicInput, msg DealingMessage, i int, dbg *PartyDebugParams) bool

CheckDealingMessages check if msg is valid If not, print an info log message This function only do cheap tests that are necessary for taking care of resolution messages The function checkDealerQualified is actually doing the heavy-work checking the dealer

func ComputeQualifiedDealers 

func ComputeQualifiedDealers(
	pub *PublicInput,
	disqualifiedDealersByComplaints map[int]bool,
	dealingMessages []DealingMessage,
) (
	qualifiedDealers []int,
	lagrangeCoeffs []curve25519.Scalar,
	err error,
)

ComputeQualifiedDealers returns the list of the first t+1 qualified dealers whose shares will be used for refreshing (qualifiedDealers[x] is a dealer index in 0,...,n-1) and the corresponding Lagrange coefficients disqualifiedDealersByComplaints is an output of ResolveComplaints

func ComputeRefreshedCommitments 

func ComputeRefreshedCommitments(
	pub *PublicInput,
	dealingMessages []DealingMessage,
	qualifiedDealers []int, lagrangeCoeffs []curve25519.Scalar,
) (
	commitments []pedersen.Commitment,
	err error,
)

ComputeRefreshedCommitments returns the new commitments of the new holding committee Executed by all parties in the YOSO protocol

func ComputeRefreshedShare 

func ComputeRefreshedShare(
	pub *PublicInput, prv *PrivateInput, l int,
	dealingMessages []DealingMessage, verificationMessages []VerificationMessage,
	qualifiedDealers []int, lagrangeCoeffs []curve25519.Scalar,
	resolvedSharesSR map[TripleIJL]curve25519.Scalar,
) (
	share *vss.Share,
	err error,
)

ComputeRefreshedShare returns the fresh share of a party l in the new holding committee resolvedSharesS, resolvedSharesR come from ResolveComplaints (i.e., via future broadcast)

func ComputeShareIL 

func ComputeShareIL(
	pub *PublicInput, i int, l int,
	verSentShares []VerSentShares,
	resolvedSharesSR map[TripleIJL]curve25519.Scalar,
) (
	sIL *curve25519.Scalar,
	rIL *curve25519.Scalar,
	err error,
)

ComputeShareIL computes sigma_{i+1,l+1} = sigma_{i+1,0,l+1} from shares from verification committee and future broadcast resolvedSharesS, resolvedSharesR come from ResolveComplaints (i.e., via future broadcast) l in [0,n-1] verSentShares[j].S should be nil for invalid verifier which means all non-nil shares are valid

func DLChHash 

func DLChHash(dchi DLChHashIn) (chal curve25519.Scalar)

func DLVerify 

func DLVerify(stmt DLStatement, proof DLProof) error

func DblDLEqChHash 

func DblDLEqChHash(in DblDLEqHashIn) (chal curve25519.Scalar)

func DblDLEqVerify 

func DblDLEqVerify(stmt DblDLEqStatement, proof DblDLEqProof) error

func GenerateDealerSharesCommitments 

func GenerateDealerSharesCommitments(
	vssParams *vss.Params, vcParams *feldman.VCParams, s *curve25519.Scalar, r *curve25519.Scalar,
) (
	sigmaRho [][]curve25519.Scalar, comC []feldman.VC, err error,
)

GenerateDealerSharesCommitments generate sigmaRho and comC for secret s and randomness r for dealer D_i where sigmaRho[j][l] is a (n+1)*2n matrix, see ComC in DealingMessage 

sigmaRho[j][l]   = sigma_{i+1,j,l+1} for j in [0,n], l in [0,n-1]

and sigmaRho[j][l+n] = rho_{i+1,j,l+1} for j in [0,n], l in [0,n-1] sigma_{i+1,l+1} = sigma_{i+1,0,l+1} (for l in [0,n-1]) is a sharing of s same for rho

func GenerateEpsKeyShares 

func GenerateEpsKeyShares(
	n int,
	d int,
	eps *curve25519.Scalar,
) (
	epsKey curve25519.Key,
	epsShares []curve25519.Scalar,
	err error,
)

GenerateEpsKeyShares generates a fresh key for resolution/future broadcast as follows: secret share its input eps (that is supposed to be uniformly random) into epsShares and make the key epsKey be HKDF(eps) using KeyFromEps function d is the degree of Shamir's polynomial

func PerformRefresh 

func PerformRefresh(
	pub *PublicInput,
	prv *PrivateInput,
	dealingMessages []DealingMessage,
	verificationMessages []VerificationMessage,
	resolutionMessages []ResolutionMessage,
	indexNext int,
	dbg *PartyDebugParams,
) (
	[]pedersen.Commitment,
	*vss.Share,
	error,
)

func ReconstructEpsKey 

func ReconstructEpsKey(
	n, d int,
	epsShares []*curve25519.Scalar,
	hashEps [][HashLength]byte,
) (
	epsKey curve25519.Key,
	err error,
)

ReconstructEpsKey takes as input an array of potential shares epsShares and the hash of the shares epsShares[i] is either nil (share not provided), the valid (i+1)-th share (i.e., matching hashEps[i]), or an invalid share If there are at least d+1 valid shares, ReconstructEpsKey reconstructs the epsKey and returns it otherwise it returns an error

func ResolveComplaints 

func ResolveComplaints(
	pub *PublicInput,
	dealingMessages []DealingMessage,
	verificationMessages []VerificationMessage,
	resolutionMessages []ResolutionMessage,
	dbg *PartyDebugParams,
) (
	resolvedSharesSR map[TripleIJL]curve25519.Scalar,
	disqualifiedDealers map[int]bool,
	err error,
)

ResolveComplaints find all the complaints by verification committees, reconstruct the eps keys from the resolution committee members broadcast decrypt the EncResM messages and verify shares match the Pedersen commitments if decryption fails or if it leads to incorrect shares, it make the dealer disqualified 

(disqualifiedDealers[i] = true)

otherwise it stores the relevant shares in resolvedSharesS (for sigma) and resolvedSharesR (for rho)

func StartCommitteeParty 

func StartCommitteeParty(
	pub *PublicInput,
	prv *PrivateInput,
	dbg *PartyDebugParams,
) (
	nextShare *vss.Share,
	nextCommitments []pedersen.Commitment,
	err error,
)

StartCommitteeParty initiates the protocol for a party participating in a t-of-n Pedersen VSS protocol using the new protocol with batching It does one full refresh and returns the next commitments and (if the party if a next-committee member) its new share (or nil otherwise)

func SymmetricKeyFromEps 

func SymmetricKeyFromEps(eps *curve25519.Scalar) (epsKey curve25519.Key, err error)

SymmetricKeyFromEps converts the eps scalar that is shared into the symmetric key that is used to encrypt ciphertexts of M[j] for future broadcast

func VPComputeHashE 

func VPComputeHashE(in VPHashEIn, m int) (e []curve25519.Scalar)

VPComputeHashE computes the elements e_{j,0}, ..., e_{j, m-1} as output of hash of the input

func VPComputeHashL 

func VPComputeHashL(in VPHashLIn) (hashL [HashLength]byte)

func VPVerify 

func VPVerify(vcParams feldman.VCParams, l int, comC []curve25519.PointXY,
	vpcp VPCommitProof, sigmaRhoL []curve25519.Scalar) error

VPVerify verifies a VP proof for a WARNING: comC must only have the commitments of the qualified dealers (from Verifier j point of view) so it may have less than n commitments l is in range [0,N-1]

func VPVerifyGenericL 

func VPVerifyGenericL(vcParams feldman.VCParams, comC []curve25519.PointXY,
	vpcp VPCommitProof) error

VPVerifyGenericL is like VPVerify doing only the generic part of the check See VPVerifySpecificL

func VPVerifySpecificL 

func VPVerifySpecificL(vcParams feldman.VCParams, l int, comC []curve25519.PointXY,
	vpcp VPCommitProof, sigmaRhoL []curve25519.Scalar) error

VPVerifySpecificL is like VPVerify except it only verifies what is specific to l and sigmaRhoL. Must be called AFTER VPVerifyGenericL This separation is to obtain higher performance when checking for multiple l

func VerifyMJ 

func VerifyMJ(vcParams *feldman.VCParams, comCIJ *feldman.VC, mj *VerificationMJ) error

Types

type CommitteeIndices 

type CommitteeIndices struct {
	Hold int
	Ver  int
	Res  int
	Next int
}

CommitteeIndices is a struct that contains for a participant in the protocol their index in each of the committees for a round of resharing. If an index is -1, that means that the party is not a part of the committee for the round. Otherwise, indices range from 1 to n. Note that these indices represent a party's index with respect to the committee specifically, not the id of the party with respect to the entire protocol.

type Committees 

type Committees struct {
	Hold []int // previous holding committee = dealers
	Ver  []int // verification committee
	Res  []int // resolution committee = future broadcast
	Next []int // next holding committee
}

Committees contains the list of committee members for a round of resharing Contrary to basic and futurebroadcast protocols, the next committee is included there

func (*Committees) Indices 

func (c *Committees) Indices(id int) CommitteeIndices

Indices return the committees indices of the committees for a given party id

type DLChHashIn 

type DLChHashIn struct {
	Stmt DLStatement          `codec:"s"`
	Com  []curve25519.PointXY `codec:"c"`
}

DLChHashIn is the input to the hash function used to compute the challenge

func (*DLChHashIn) CodecDecodeSelf 

func (x *DLChHashIn) CodecDecodeSelf(d *codec1978.Decoder)

func (*DLChHashIn) CodecEncodeSelf 

func (x *DLChHashIn) CodecEncodeSelf(e *codec1978.Encoder)

func (*DLChHashIn) IsCodecEmpty 

func (x *DLChHashIn) IsCodecEmpty() bool

type DLProof 

type DLProof struct {
	Com  []curve25519.PointXY `codec:"c"` // Com is the commtiments
	Resp []curve25519.Scalar  `codec:"r"` // Resp
}

DLProof is an actual proof For batching the proof contain com and resp instead of ch and resp which is more compact but not possible to batch

func DLProve 

func DLProve(stmt DLStatement, wit DLWitness) (DLProof, error)

DLProve generates a NIZK PoK for the statement stmt using witness wit Does not verify the validity of the witness

func (*DLProof) CodecDecodeSelf 

func (x *DLProof) CodecDecodeSelf(d *codec1978.Decoder)

func (*DLProof) CodecEncodeSelf 

func (x *DLProof) CodecEncodeSelf(e *codec1978.Encoder)

func (*DLProof) IsCodecEmpty 

func (x *DLProof) IsCodecEmpty() bool

type DLStatement 

type DLStatement struct {
	G []curve25519.PointXY `codec:"G"`
	X []curve25519.PointXY `codec:"X"`
}

DLStatement describes a statement, see comment top of file

func (*DLStatement) CodecDecodeSelf 

func (x *DLStatement) CodecDecodeSelf(d *codec1978.Decoder)

func (*DLStatement) CodecEncodeSelf 

func (x *DLStatement) CodecEncodeSelf(e *codec1978.Encoder)

func (*DLStatement) IsCodecEmpty 

func (x *DLStatement) IsCodecEmpty() bool

type DLWitness 

type DLWitness struct {
	XLog []curve25519.Scalar `codec:"x"` // XLog[i] = x_i = discrete logarithm of X[i] in base G[i]
}

DLWitness describes a witness for a statement

func (*DLWitness) CodecDecodeSelf 

func (x *DLWitness) CodecDecodeSelf(d *codec1978.Decoder)

func (*DLWitness) CodecEncodeSelf 

func (x *DLWitness) CodecEncodeSelf(e *codec1978.Encoder)

func (*DLWitness) IsCodecEmpty 

func (x *DLWitness) IsCodecEmpty() bool

type DblDLEqHashIn 

type DblDLEqHashIn struct {
	Stmt     DblDLEqStatement     `codec:"s"`
	Com      []curve25519.PointXY `codec:"g"`
	ComPrime []curve25519.PointXY `codec:"h"`
}

func (*DblDLEqHashIn) CodecDecodeSelf 

func (x *DblDLEqHashIn) CodecDecodeSelf(d *codec1978.Decoder)

func (*DblDLEqHashIn) CodecEncodeSelf 

func (x *DblDLEqHashIn) CodecEncodeSelf(e *codec1978.Encoder)

func (*DblDLEqHashIn) IsCodecEmpty 

func (x *DblDLEqHashIn) IsCodecEmpty() bool

type DblDLEqProof 

type DblDLEqProof struct {
	Com      []curve25519.PointXY `codec:"g"`
	ComPrime []curve25519.PointXY `codec:"h"`
	RespG    []curve25519.Scalar  `codec:"G"`
	RespH    []curve25519.Scalar  `codec:"H"`
}

func DblDLEqProve 

func DblDLEqProve(stmt DblDLEqStatement, wit DblDLEqWitness) (DblDLEqProof, error)

DblDLEqProve generates a NIZK PoK for the statement stmt using witness wit Does not verify the validity of the witness

func (*DblDLEqProof) CodecDecodeSelf 

func (x *DblDLEqProof) CodecDecodeSelf(d *codec1978.Decoder)

func (*DblDLEqProof) CodecEncodeSelf 

func (x *DblDLEqProof) CodecEncodeSelf(e *codec1978.Encoder)

func (*DblDLEqProof) IsCodecEmpty 

func (x *DblDLEqProof) IsCodecEmpty() bool

type DblDLEqStatement 

type DblDLEqStatement struct {
	G      []curve25519.PointXY `codec:"G"`
	H      []curve25519.PointXY `codec:"H"`
	Z      []curve25519.PointXY `codec:"Z"`
	ZPrime []curve25519.PointXY `codec:"Z"`
}

DblDLEqStatement describes a statement, see comment top of file

func (*DblDLEqStatement) CodecDecodeSelf 

func (x *DblDLEqStatement) CodecDecodeSelf(d *codec1978.Decoder)

func (*DblDLEqStatement) CodecEncodeSelf 

func (x *DblDLEqStatement) CodecEncodeSelf(e *codec1978.Encoder)

func (*DblDLEqStatement) IsCodecEmpty 

func (x *DblDLEqStatement) IsCodecEmpty() bool

type DblDLEqWitness 

type DblDLEqWitness struct {
	X []curve25519.Scalar `codec:"x"`
	Y []curve25519.Scalar `codec:"y"`
}

func (*DblDLEqWitness) CodecDecodeSelf 

func (x *DblDLEqWitness) CodecDecodeSelf(d *codec1978.Decoder)

func (*DblDLEqWitness) CodecEncodeSelf 

func (x *DblDLEqWitness) CodecEncodeSelf(e *codec1978.Encoder)

func (*DblDLEqWitness) IsCodecEmpty 

func (x *DblDLEqWitness) IsCodecEmpty() bool

type DealingMessage 

type DealingMessage struct {
	ComC []feldman.VC `codec:"C"` // ComC[j] is a vector commitment to sigma_{i+1,j+1,l+1}, rho_{i+1,j+1,l+1}
	// for l in [0,n-1],
	// where sigma_{i+1,j+1,l+1} is the (j+1)-th share of sigma_{i+1,0,l+1}=sigma_{i+1,l+1},
	// where sigma_{i+1,l+1} for l in [0,n-1] is a sharing of sigma_{i+1}
	// and similar for rho with regards to the randomness r
	// comC[j] = sum_l sigma_{i+1,j,l+1} G_l + sum_l rho_{i+1,j,l+1} G_{l+n}
	// j in 0,...,n
	ComZ []pedersen.Commitment `codec:"Z"` // ComZ[l] = Z_{l+1} = sigma_{i+1,0,l} G + rho_{i+1,0,l+1} H
	// where G and H are the two fixed bases
	// l in 0,...,n-1
	ComZPrime []curve25519.PointXY `codec:"z"` // ComZPrime[l] = Z'_{l+1} = sigma_{i+1,0,l} G_l + rho_{i+1,0,l+1} H_l
	// l in 0,...,n-1
	DblDLEqProof DblDLEqProof `codec:"p"` // DblDLEqProof proves that ComZ and ComZPrime
	// commit to the same values
	EncVerM []curve25519.Ciphertext `codec:"V"` // EncVerM[j] is an encryption under the verification
	// committee member j's key of message M[j] (type VerificationMJ)
	EncResM []curve25519.SymmetricCiphertext `codec:"R"` // EncResM[j] is a symmetric encryption of M[j]
	// under a fresh symmetric key K generated as follows:
	// generate a random scalar eps_{j+1} that is secret-shared into eps_{j+1,1},...,eps_{j+1,n}
	// K = HKDF(eps_{j+1})
	// j in 0,...,n-1
	EncEpsK []curve25519.Ciphertext `codec:"e"` // EncEpsK[j] is an encryption under the resolution
	// committee member j's key of message EpsK described below
	// j in 0,...,n-1
	HashEps [][][HashLength]byte `codec:"h"` // HashEps[j][j] is the hash of eps_{j+1,j+1}
	// contains filtered or unexported fields
}

DealingMessage is the message dealers send during dealing round Notations below are for dealer i in [0,n-1]

func PerformDealing 

func PerformDealing(
	pub *PublicInput,
	prv *PrivateInput,
	dbg *PartyDebugParams,
) (*DealingMessage, error)

PerformDealing executes what a dealer does in the dealing round and returns the message it should broadcast

func ReceiveDealingMessages 

func ReceiveDealingMessages(bc communication.BroadcastChannel, parties []int) ([]DealingMessage, error)

ReceiveDealingMessages receives and parse the messages sent by dealers in the dealing round parties is the list of parties in the round

func (*DealingMessage) CodecDecodeSelf 

func (x *DealingMessage) CodecDecodeSelf(d *codec1978.Decoder)

func (*DealingMessage) CodecEncodeSelf 

func (x *DealingMessage) CodecEncodeSelf(e *codec1978.Encoder)

func (*DealingMessage) IsCodecEmpty 

func (x *DealingMessage) IsCodecEmpty() bool

type EpsK 

type EpsK struct {
	Eps []curve25519.Scalar // eps_{i,1,j+1},...,eps_{i,n,j+1}

}

EpsK is the message for resolution committee member j

func DecryptEpsK 

func DecryptEpsK(
	pub *PublicInput,
	prv *PrivateInput,
	k int,
	dealingMessages []DealingMessage,
	i int,
	myLog *log.Entry,
) *EpsK

func GenerateAllEps 

func GenerateAllEps(n int, t int) (epsKeys []curve25519.Key, epsK []EpsK, hashEps [][][HashLength]byte, err error)

GenerateAllEps generate all the epsKeys, epsL structures, and corresponding hashes for all resolution committee members

func (*EpsK) CodecDecodeSelf 

func (x *EpsK) CodecDecodeSelf(d *codec1978.Decoder)

func (*EpsK) CodecEncodeSelf 

func (x *EpsK) CodecEncodeSelf(e *codec1978.Encoder)

func (*EpsK) IsCodecEmpty 

func (x *EpsK) IsCodecEmpty() bool

type MessageType 

type MessageType generic.Type

func ReceiveMessageTypes 

func ReceiveMessageTypes(bc communication.BroadcastChannel, parties []int) ([]MessageType, error)

ReceiveMessageTypes receives and parse the messages sent by dealers in the dealing round parties is the list of parties in the round

type PairIJ 

type PairIJ struct {
	// contains filtered or unexported fields
}

PairIJ is a pair of two integers i and j i,j in 0,...,n-1 and represent a dealer i and a verification member committee j (Vk) respectively

func (*PairIJ) CodecDecodeSelf 

func (x *PairIJ) CodecDecodeSelf(d *codec1978.Decoder)

func (*PairIJ) CodecEncodeSelf 

func (x *PairIJ) CodecEncodeSelf(e *codec1978.Encoder)

func (*PairIJ) IsCodecEmpty 

func (x *PairIJ) IsCodecEmpty() bool

type PartyDebugParams 

type PartyDebugParams struct {
	SkipRefreshing              bool // skip the refreshing part and return empty nextShares/nextCommitments
	SkipVerificationVerifyShare bool // skip verification of VSS shares in verification
	SkipDealingFutureBroadcast  bool // skip generating anything related to future broadcast when dealing

}

PartyDebugParams is used to have some control on the way the code of the party is executed

type PrivateInput 

type PrivateInput struct {
	BC    communication.BroadcastChannel
	EncSK curve25519.PrivateKey
	SigSK curve25519.PrivateSignKey
	Share *vss.Share // if the party is not a dealer (i.e., not in the original holding committe), it's nil
	ID    int
}

type PublicInput 

type PublicInput struct {
	VCParams    feldman.VCParams           // vector commitment params
	EncPKs      []curve25519.PublicKey     // encryption public keys
	SigPKs      []curve25519.PublicSignKey // signature public keys - NOT USED
	VSSParams   vss.Params                 // parameters for the VSS
	T           int                        // max number of malicious parties (=VSSParams.D)
	N           int                        // size of the committee (=VSSParams.N)
	Committees  Committees                 // list of committees
	Commitments []pedersen.Commitment      // list of N+1 Feldman commitments to the secret and the secret shared

}

PublicInput contain the public common inputs that are used in the resharing protocol Note that to simplify implementation we assume it contains all the committees In the real-world, it would not and additional logic should be used for committee selection

type ResolutionMessage 

type ResolutionMessage struct {
	EpsShares map[PairIJ]curve25519.Scalar `codec:"E"`
	// contains filtered or unexported fields
}

ResolutionMessage is the message resolution committee members send during resolution round Below we assume the committee member is l

func PerformResolution 

func PerformResolution(
	pub *PublicInput, prv *PrivateInput, l int,
	dealingMessages []DealingMessage, verificationMessages []VerificationMessage,
) (
	*ResolutionMessage, error,
)

PerformResolution implements the role of party ell in the resolution (future broadcast) committee, and returns the message that it should broadcast. ell is the index of the party in the resolution committee

func ReceiveResolutionMessages 

func ReceiveResolutionMessages(bc communication.BroadcastChannel, parties []int) ([]ResolutionMessage, error)

ReceiveResolutionMessages receives and parse the messages sent by dealers in the dealing round parties is the list of parties in the round

func (*ResolutionMessage) CodecDecodeSelf 

func (x *ResolutionMessage) CodecDecodeSelf(d *codec1978.Decoder)

func (*ResolutionMessage) CodecEncodeSelf 

func (x *ResolutionMessage) CodecEncodeSelf(e *codec1978.Encoder)

func (*ResolutionMessage) IsCodecEmpty 

func (x *ResolutionMessage) IsCodecEmpty() bool

type TripleIJL 

type TripleIJL struct {
	// contains filtered or unexported fields
}

func (*TripleIJL) CodecDecodeSelf 

func (x *TripleIJL) CodecDecodeSelf(d *codec1978.Decoder)

func (*TripleIJL) CodecEncodeSelf 

func (x *TripleIJL) CodecEncodeSelf(e *codec1978.Encoder)

func (*TripleIJL) IsCodecEmpty 

func (x *TripleIJL) IsCodecEmpty() bool

type VPCommitProof 

type VPCommitProof struct {
	ComR     []curve25519.PointXY `codec:"c"` // ComR[l] = sum_i e_ij sigmaRho_ijl G_l, l in [0,N-1]
	DLProofR DLProof              `codec:"p"` // DLProofR is a proof that ComR[l] = alpha'_l G_l, l in [0,N-1]
	HashL    [][HashLength]byte   `codec:"h"` // HashL = Hash(sigma_ijl for l in [0,N-1])

}

func VPCommitAndProve 

func VPCommitAndProve(vcParams *feldman.VCParams, sigmaRho [][]curve25519.Scalar) (
	vpcp VPCommitProof, err error)

VPCommitAndProve generates a commitment vpcp.comR and a proof of validity of this commitment for sigmaRho defined as sigmaRho[i][l] = sigmaRho_ijl where j is the index of the verifier making the call and i is in 0,...,m-1 See comment at top of file

func (*VPCommitProof) CodecDecodeSelf 

func (x *VPCommitProof) CodecDecodeSelf(d *codec1978.Decoder)

func (*VPCommitProof) CodecEncodeSelf 

func (x *VPCommitProof) CodecEncodeSelf(e *codec1978.Encoder)

func (*VPCommitProof) IsCodecEmpty 

func (x *VPCommitProof) IsCodecEmpty() bool

type VPHashEIn 

type VPHashEIn struct {
	HashL [][HashLength]byte `codec:"h"`
}

func (*VPHashEIn) CodecDecodeSelf 

func (x *VPHashEIn) CodecDecodeSelf(d *codec1978.Decoder)

func (*VPHashEIn) CodecEncodeSelf 

func (x *VPHashEIn) CodecEncodeSelf(e *codec1978.Encoder)

func (*VPHashEIn) IsCodecEmpty 

func (x *VPHashEIn) IsCodecEmpty() bool

type VPHashLIn 

type VPHashLIn struct {
	SigmaL []curve25519.Scalar `codec:"s"` // SigmaL[i] = sigma_ijl, where l is fixed - size = m scalars
}

func (*VPHashLIn) CodecDecodeSelf 

func (x *VPHashLIn) CodecDecodeSelf(d *codec1978.Decoder)

func (*VPHashLIn) CodecEncodeSelf 

func (x *VPHashLIn) CodecEncodeSelf(e *codec1978.Encoder)

func (*VPHashLIn) IsCodecEmpty 

func (x *VPHashLIn) IsCodecEmpty() bool

type VerSentShares 

type VerSentShares struct {
	S []*curve25519.Scalar // sigma_{1,j+1,l},..., sigma_{n,j+1,l}
	R []*curve25519.Scalar // same for rho
}

VerSentShares for verification committee member j+1 and holding committeee member l+1 contains the shares sigma_{i+1,j+1,l}/rho_{i+1,j+1,l}, for i in [0,n-1] (i+1 corresponding to the dealer) with nil for every dealer i that has incorrect shares

func DecryptVerSentShares 

func DecryptVerSentShares(
	pub *PublicInput, prv *PrivateInput, l int,
	verificationMessages []VerificationMessage,
) (
	verSentShares []VerSentShares,
)

func (*VerSentShares) CodecDecodeSelf 

func (x *VerSentShares) CodecDecodeSelf(d *codec1978.Decoder)

func (*VerSentShares) CodecEncodeSelf 

func (x *VerSentShares) CodecEncodeSelf(e *codec1978.Encoder)

func (*VerSentShares) IsCodecEmpty 

func (x *VerSentShares) IsCodecEmpty() bool

type VerificationMJ 

type VerificationMJ struct {
	SR []curve25519.Scalar // sigma_ij0,..., sigma_ijn-1, rho_ij0, ... (size = 2n)
}

VerificationMJ is the message M[j] for verification committee member j+1

func (*VerificationMJ) CodecDecodeSelf 

func (x *VerificationMJ) CodecDecodeSelf(d *codec1978.Decoder)

func (*VerificationMJ) CodecEncodeSelf 

func (x *VerificationMJ) CodecEncodeSelf(e *codec1978.Encoder)

func (*VerificationMJ) IsCodecEmpty 

func (x *VerificationMJ) IsCodecEmpty() bool

type VerificationMessage 

type VerificationMessage struct {
	Complaints []bool                  `codec:"C"`  // Complaints[i] == true iff complaint against dealer i+1
	EncShares  []curve25519.Ciphertext `codec:"SR"` // EncShares[l] contains an encryption of VerSentShare
	// for new holding committee member l+1 (type = VerSentShares)
	VPComProof VPCommitProof `codec:"V"` // VPComProof is a re-commitment and proof that the shares are valid
	// contains filtered or unexported fields
}

VerificationMessage is the message verification committee members send during verification round Below we assume the committee member is j

func PerformVerification 

func PerformVerification(
	pub *PublicInput, prv *PrivateInput, j int,
	dealingMessages []DealingMessage,
	dbg *PartyDebugParams,
) (
	*VerificationMessage, error,
)

PerformVerification executes what a verification committee member j does in the dealing round and returns the messages/complaints that it should broadcast. It decrypts all the shares sent to its index (i.e. j), and checks them. If the check succeeds then the verifier forwards the shares-of-shares to the next holding committee. Else is zeros-out the shares from that dealer and adds a complaint about it. j is in [0,n-1]

func ReceiveVerificationMessages 

func ReceiveVerificationMessages(bc communication.BroadcastChannel, parties []int) ([]VerificationMessage, error)

ReceiveVerificationMessages receives and parse the messages sent by dealers in the dealing round parties is the list of parties in the round

func (*VerificationMessage) CodecDecodeSelf 

func (x *VerificationMessage) CodecDecodeSelf(d *codec1978.Decoder)

func (*VerificationMessage) CodecEncodeSelf 

func (x *VerificationMessage) CodecEncodeSelf(e *codec1978.Encoder)

func (*VerificationMessage) IsCodecEmpty 

func (x *VerificationMessage) IsCodecEmpty() bool

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.