vss

package
v3.7.3
Published: Apr 8, 2022 License: MPL-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package vss implements the verifiable secret sharing scheme from "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing" by Torben Pryds Pedersen. https://link.springer.com/content/pdf/10.1007/3-540-46766-1_9.pdf

Index

Constants

const (
	// StatusComplaint is a constant value meaning that a verifier issues
	// a Complaint against its Dealer.
	StatusComplaint bool = false
	// StatusApproval is a constant value meaning that a verifier agrees with
	// the share it received.
	StatusApproval bool = true
)

Variables

var ErrNoDealBeforeResponse = errors.New("verifier: need to receive deal before response")

ErrNoDealBeforeResponse is returned if a verifier receives a response before having received the deal. For the moment, the caller must make sure the deal has been dispatched first.

Functions

func MinimumT

func MinimumT(n int) int

MinimumT returns the minimum safe T that is proven to be secure with this protocol. It expects n, the total number of participants. WARNING: Setting a lower T could make the whole protocol insecure. Setting a higher T only makes it harder to reconstruct the secret.

func RecoverSecret

func RecoverSecret(suite Suite, deals []*Deal, n, t int) (kyber.Scalar, error)

RecoverSecret recovers the secret shared by a Dealer by gathering at least t Deals from the verifiers. It returns an error if there are not enough Deals or if the Deals do not all carry the same SessionID.
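The scheme behind the Deal, VerifyDeal and RecoverSecret steps, as an added worked example in standard-library Go (this is not the package's code): the dealer commits to the coefficients of a secret polynomial f and a blinding polynomial r, each verifier checks its share pair against those commitments, and any t verified shares recover f(0). The group is a toy 12-bit safe-prime group so the values stay readable; Share, Deal, Verify and Recover are names chosen here, and the choice t = 3 for n = 5 is assumed to match what MinimumT(5) returns.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy group so the numbers stay readable: p = 4079 = 2*2039 + 1 is a safe
// prime, and g = 4, h = 9 are quadratic residues, so both generate the
// order-q subgroup. A real run uses the package's curve Suite, where log_g(h)
// is unknown; that unknown logarithm is what makes the commitments hiding.
var p, q, g, h = big.NewInt(4079), big.NewInt(2039), big.NewInt(4), big.NewInt(9)

// randPoly draws t uniform coefficients mod q from crypto/rand.
func randPoly(t int) []*big.Int {
	c := make([]*big.Int, t)
	for j := range c {
		k, err := rand.Int(rand.Reader, q)
		if err != nil {
			panic(err) // no entropy: abort rather than deal weak shares
		}
		c[j] = k
	}
	return c
}

// evalPoly evaluates coefficients c[0..] at x (Horner), mod q.
func evalPoly(c []*big.Int, x int64) *big.Int {
	acc, X := new(big.Int), big.NewInt(x)
	for j := len(c) - 1; j >= 0; j-- {
		acc.Mul(acc, X).Add(acc, c[j]).Mod(acc, q)
	}
	return acc
}

// Share is one verifier's deal: index i, f(i), blinding r(i), commitments C_j.
type Share struct {
	Index   int64
	S, T    *big.Int
	Commits []*big.Int // C_j = g^a_j * h^b_j, public, identical for everyone
}

// Deal is the dealer step: f(0) = secret and r random, both of degree t-1.
func Deal(secret *big.Int, n, t int) ([]Share, error) {
	if t < 2 || t > n {
		return nil, fmt.Errorf("threshold %d must satisfy 2 <= t <= n = %d", t, n)
	}
	a, b, commits := randPoly(t), randPoly(t), make([]*big.Int, t)
	a[0] = new(big.Int).Mod(secret, q)
	for j := range commits {
		ga, hb := new(big.Int).Exp(g, a[j], p), new(big.Int).Exp(h, b[j], p)
		commits[j] = ga.Mul(ga, hb).Mod(ga, p)
	}
	shares := make([]Share, n)
	for i := range shares {
		x := int64(i + 1)
		shares[i] = Share{Index: x, S: evalPoly(a, x), T: evalPoly(b, x), Commits: commits}
	}
	return shares, nil
}

// Verify is the verifier's check g^s * h^t == prod_j C_j^(i^j); failing it is
// what a verifier answers with a Complaint.
func Verify(s Share) bool {
	lhs := new(big.Int).Exp(g, s.S, p)
	lhs.Mul(lhs, new(big.Int).Exp(h, s.T, p)).Mod(lhs, p)
	rhs, x, xj := big.NewInt(1), big.NewInt(s.Index), big.NewInt(1)
	for _, c := range s.Commits {
		rhs.Mul(rhs, new(big.Int).Exp(c, xj, p)).Mod(rhs, p)
		xj.Mul(xj, x)
	}
	return lhs.Cmp(rhs) == 0
}

// Recover interpolates f(0) from t shares (Lagrange at 0, mod q). With fewer
// than t, every secret is equally consistent with them, so it refuses.
func Recover(shares []Share, t int) (*big.Int, error) {
	if len(shares) < t {
		return nil, fmt.Errorf("need %d shares, have %d", t, len(shares))
	}
	secret := new(big.Int)
	for i, si := range shares[:t] {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares[:t] {
			if i != j {
				num.Mul(num, big.NewInt(-sj.Index)).Mod(num, q)
				den.Mul(den, big.NewInt(si.Index-sj.Index)).Mod(den, q)
			}
		}
		lam := num.Mul(num, new(big.Int).ModInverse(den, q)).Mod(num, q)
		secret.Add(secret, lam.Mul(lam, si.S)).Mod(secret, q)
	}
	return secret, nil
}

func main() {
	secret := big.NewInt(1234)
	shares, _ := Deal(secret, 5, 3) // n = 5, t = 3: a majority (assumed MinimumT(5))
	bad := shares[0]
	bad.S = new(big.Int).Add(bad.S, big.NewInt(1)) // a corrupted share
	fmt.Println("honest:", Verify(shares[0]), "corrupted:", Verify(bad))
	rec, err := Recover(shares[2:], 3) // any 3 of the 5 shares
	fmt.Println("recovered == secret:", err == nil && rec.Cmp(secret) == 0)
}
```

The commitments are the same for every verifier, which is why a Justification can expose one complainer's Deal in cleartext and let everyone else run the same check. Lowering t below a majority does not change any of this arithmetic; it only lowers the number of colluding shareholders Recover needs, which is the warning MinimumT carries.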

Types

type Aggregator

type Aggregator struct {
	// contains filtered or unexported fields
}

Aggregator is used to collect all deals and responses for one protocol run. It provides the functionality common to the Dealer and Verifier structs.

func NewEmptyAggregator

func NewEmptyAggregator(suite Suite, verifiers []kyber.Point) *Aggregator

NewEmptyAggregator returns a structure capable of storing Responses about a deal and checking whether the deal is certified.

func (*Aggregator) DealCertified

func (a *Aggregator) DealCertified() bool

DealCertified returns true if the deal is certified. Because this package does not rely on the synchrony assumptions of Feldman's VSS, the conditions differ before and after the timeout.

Before the timeout (i.e. before the "period" ends), all three must hold:

  1. there are at least t approvals
  2. every complaint has been justified (a complaint becomes an approval once justified), so no complaint is outstanding
  3. no response is absent

After the timeout, when the "period" has ended, the third condition is replaced by:

  3. no more than n-t responses are missing (otherwise it is not possible to retrieve the secret)

If the caller previously called `SetTimeout` and `DealCertified()` returns false, the protocol MUST abort: the deal is not and never will be validated.
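The rule above as a stand-alone state machine, added here as an illustration and not the package's own Aggregator: it skips signatures and session IDs, and the check of a Justification's contents is assumed to have been done by the caller before ProcessJustification is invoked. What it shows is the three outcomes a caller has to tell apart: not yet certified (keep waiting), certified, and not certified after SetTimeout (abort).

```go
package main

import (
	"errors"
	"fmt"
)

// Status values as on the page: false is a Complaint, true an Approval.
const (
	StatusComplaint bool = false
	StatusApproval  bool = true
)

// Aggregator is an added model of the certification rule documented for
// DealCertified, not the package's type: it skips signatures and session IDs
// and only records who answered what and whether the period has ended.
type Aggregator struct {
	n, t      int
	responses map[uint32]bool // verifier index -> Status
	timeout   bool
}

func NewAggregator(n, t int) *Aggregator {
	return &Aggregator{n: n, t: t, responses: map[uint32]bool{}}
}

// ProcessResponse records one verifier's vote; out-of-range indexes and
// duplicates are rejected, and nothing is accepted once the period has ended.
func (a *Aggregator) ProcessResponse(idx uint32, status bool) error {
	if int(idx) >= a.n {
		return fmt.Errorf("response from unknown verifier index %d", idx)
	}
	if a.timeout {
		return errors.New("response arrived after the timeout")
	}
	if _, seen := a.responses[idx]; seen {
		return fmt.Errorf("duplicate response from verifier %d", idx)
	}
	a.responses[idx] = status
	return nil
}

// ProcessJustification is called once the dealer's Justification for verifier
// idx has been verified (assumed done by the caller): the complaint then
// counts as an approval, as the page describes.
func (a *Aggregator) ProcessJustification(idx uint32) error {
	if st, ok := a.responses[idx]; !ok || st != StatusComplaint {
		return fmt.Errorf("no complaint from verifier %d to justify", idx)
	}
	a.responses[idx] = StatusApproval
	return nil
}

// SetTimeout marks the end of the period: missing responses are now final.
func (a *Aggregator) SetTimeout() { a.timeout = true }

// MissingResponses lists the verifier indexes that have not answered.
func (a *Aggregator) MissingResponses() []int {
	var missing []int
	for i := 0; i < a.n; i++ {
		if _, ok := a.responses[uint32(i)]; !ok {
			missing = append(missing, i)
		}
	}
	return missing
}

// DealCertified applies the documented rule.
func (a *Aggregator) DealCertified() bool {
	approvals := 0
	for _, st := range a.responses {
		if st == StatusComplaint {
			return false // an unjustified complaint is fatal at any time
		}
		approvals++
	}
	if approvals < a.t {
		return false
	}
	missing := a.n - len(a.responses)
	if !a.timeout {
		return missing == 0 // before the period ends, everyone must have answered
	}
	return missing <= a.n-a.t // afterwards, t responders are enough to recover
}

func main() {
	a := NewAggregator(5, 3)
	a.ProcessResponse(0, StatusApproval)
	a.ProcessResponse(1, StatusApproval)
	a.ProcessResponse(2, StatusComplaint)
	fmt.Println("2 approvals + 1 complaint:", a.DealCertified())
	a.ProcessJustification(2) // the dealer published a valid Justification
	fmt.Println("3 approvals, 2 missing, before timeout:", a.DealCertified())
	a.SetTimeout()
	fmt.Println("missing", a.MissingResponses(), "after timeout:", a.DealCertified())
	b := NewAggregator(5, 3) // only 2 responses ever arrive: 3 missing > n-t
	b.ProcessResponse(0, StatusApproval)
	b.ProcessResponse(1, StatusApproval)
	b.SetTimeout()
	fmt.Println("after timeout with 3 missing, must abort:", !b.DealCertified())
}
```

The n-t bound is the whole reason the timeout exists: with at most n-t verifiers silent, at least t have approved and the secret stays recoverable, so the run can proceed without them; with more silent, nothing the dealer does later can fix it.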

func (*Aggregator) DecodeMsg

func (z *Aggregator) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (Aggregator) EncodeMsg

func (z Aggregator) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (Aggregator) MarshalMsg

func (z Aggregator) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*Aggregator) MissingResponses

func (a *Aggregator) MissingResponses() []int

MissingResponses returns the indexes of the expected but missing responses.

func (Aggregator) Msgsize

func (z Aggregator) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*Aggregator) ProcessResponse

func (a *Aggregator) ProcessResponse(r *Response) error

ProcessResponse verifies the validity of the given response and stores it internally. It is the public version of verifyResponse, exposed so that higher-level packages can use this functionality.

func (*Aggregator) Responses

func (a *Aggregator) Responses() map[uint32]*Response

Responses returns the responses received and processed by this aggregator, keyed by verifier index.

func (*Aggregator) SetThreshold

func (a *Aggregator) SetThreshold(t int)

SetThreshold is used to specify the expected threshold *before* the verifier receives anything. Sometimes a verifier knows the threshold in advance and should make sure the one it receives from the dealer is consistent with it. If this method is not called, the first threshold received is taken as the "truth".

func (*Aggregator) UnmarshalMsg

func (z *Aggregator) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

func (*Aggregator) VerifyDeal

func (a *Aggregator) VerifyDeal(d *Deal, inclusion bool) error

VerifyDeal analyzes the deal and returns an error if it's incorrect. If inclusion is true, it also returns an error if it is the second time this struct analyzes a Deal.

type Deal

type Deal struct {
	// Unique session identifier for this protocol run
	SessionID []byte
	// Private share generated by the dealer
	SecShare *share.PriShare `msg:"-"`
	// Threshold used for this secret sharing run
	T uint32
	// Commitments are the coefficients used to verify the shares against
	Commitments []kyber.Point `msg:"-"`
}

Deal encapsulates the verifiable secret share and is sent by the dealer to a verifier.

func (*Deal) DecodeMsg

func (z *Deal) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (*Deal) EncodeMsg

func (z *Deal) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (*Deal) MarshalMsg

func (z *Deal) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*Deal) Msgsize

func (z *Deal) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*Deal) UnmarshalMsg

func (z *Deal) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

type Dealer

type Dealer struct {
	*Aggregator
	// contains filtered or unexported fields
}

Dealer encapsulates the logic for creating and distributing the shares and for replying to any Responses.

func NewDealer

func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error)

NewDealer returns a Dealer capable of leading the secret sharing scheme. It does not have to be trusted by the Verifiers. The security parameter t is the number of shares required to reconstruct the secret. It is HIGHLY RECOMMENDED to use a threshold greater than or equal to what MinimumT() returns; otherwise the security assumptions of the whole scheme break. It returns an error if t is less than or equal to 2.

func (*Dealer) Commits

func (d *Dealer) Commits() []kyber.Point

Commits returns the commitments of the coefficient of the secret polynomial the Dealer is sharing.

func (*Dealer) DecodeMsg

func (z *Dealer) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (*Dealer) EncodeMsg

func (z *Dealer) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (*Dealer) EncryptedDeal

func (d *Dealer) EncryptedDeal(i int) (*EncryptedDeal, error)

EncryptedDeal returns the encryption of the deal that must be given to the verifier at index i. The dealer first generates a temporary Diffie-Hellman key, signs it using its longterm key, and computes the shared key from its longterm and ephemeral keys and the verifier's public key. This shared key is then fed into an HKDF whose output is the key for an AEAD (AES256-GCM) scheme that encrypts the deal.
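The dealer-to-verifier channel described above, reconstructed as an added example with standard-library primitives only (X25519 for the ephemeral Diffie-Hellman, Ed25519 for the dealer's longterm signature, HKDF-SHA256 and AES-256-GCM). It is not the package's implementation: kyber derives everything from the Suite's group and uses its own encoding, so the bytes differ, but the shape is the same, including the check that matters most, namely refusing any ephemeral key the dealer did not sign. The context string is an assumed stand-in for the session ID and the participants' public keys; newX25519, hkdf, aeadFor, EncryptDeal and DecryptDeal are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedDeal keeps the page's field layout; the construction is an added
// stdlib illustration (X25519, Ed25519, HKDF-SHA256, AES-256-GCM), not the
// package's own group, signature scheme or encoding.
type EncryptedDeal struct {
	DHKey     []byte // ephemeral X25519 public key
	Signature []byte // Ed25519 signature over DHKey by the dealer's longterm key
	Nonce     []byte // fresh 96-bit GCM nonce
	Cipher    []byte // AES-256-GCM ciphertext of the serialized deal
}

// newX25519 draws a fresh X25519 key pair (verifier longterm or dealer ephemeral).
func newX25519() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// hkdf is RFC 5869 extract-then-expand with HMAC-SHA256.
func hkdf(secret, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	prk := ext.Sum(nil)
	var okm, block []byte
	for i := byte(1); len(okm) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(block)
		exp.Write(info)
		exp.Write([]byte{i})
		block = exp.Sum(nil)
		okm = append(okm, block...)
	}
	return okm[:n]
}

// aeadFor turns the DH shared secret into AES-256-GCM. The context (session ID
// plus both longterm keys, built by the caller) is the HKDF info, binding the
// key to this run and pair. A 32-byte AES key and GCM over AES cannot fail.
func aeadFor(shared, context []byte) cipher.AEAD {
	block, _ := aes.NewCipher(hkdf(shared, nil, context, 32))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// EncryptDeal is the dealer side: ephemeral key signed by the longterm key,
// DH with the verifier's public key, HKDF, then AEAD with context as AD.
func EncryptDeal(dealerSign ed25519.PrivateKey, verifierPub *ecdh.PublicKey, context, deal []byte) (*EncryptedDeal, error) {
	eph := newX25519()
	shared, err := eph.ECDH(verifierPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFor(shared, context)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	dhKey := eph.PublicKey().Bytes()
	return &EncryptedDeal{DHKey: dhKey, Signature: ed25519.Sign(dealerSign, dhKey),
		Nonce: nonce, Cipher: aead.Seal(nil, nonce, deal, context)}, nil
}

// DecryptDeal is the verifier side. The signature is checked before any DH
// work, so a third party cannot substitute its own ephemeral key.
func DecryptDeal(dealerPub ed25519.PublicKey, verifierPriv *ecdh.PrivateKey, context []byte, e *EncryptedDeal) ([]byte, error) {
	if !ed25519.Verify(dealerPub, e.DHKey, e.Signature) {
		return nil, errors.New("ephemeral DH key is not signed by the dealer")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(e.DHKey)
	if err != nil {
		return nil, err
	}
	shared, err := verifierPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return aeadFor(shared, context).Open(nil, e.Nonce, e.Cipher, context)
}

func main() {
	dealerPub, dealerPriv, _ := ed25519.GenerateKey(nil) // nil reader: crypto/rand
	verifier := newX25519()
	context := []byte("session-id|dealer-pub|verifier-pubs") // constructed stand-in
	e, _ := EncryptDeal(dealerPriv, verifier.PublicKey(), context, []byte("constructed Deal bytes"))
	pt, err := DecryptDeal(dealerPub, verifier, context, e)
	fmt.Printf("deal=%q err=%v\n", pt, err)
}
```

Two details carry the security: the signature covers the ephemeral key, so a man in the middle who swaps in its own DHKey is rejected before any key derivation happens, and the context goes into both the HKDF info and the AEAD associated data, so a deal captured in one session cannot be replayed into another.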

func (*Dealer) EncryptedDeals

func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error)

EncryptedDeals calls `EncryptedDeal` for each verifier index and returns the list of encrypted deals. Each position in the returned slice corresponds to the same position in the list of verifiers.

func (*Dealer) Key

func (d *Dealer) Key() (secret kyber.Scalar, public kyber.Point)

Key returns the longterm key pair used by this Dealer.

func (*Dealer) MarshalMsg

func (z *Dealer) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*Dealer) Msgsize

func (z *Dealer) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*Dealer) PlaintextDeal

func (d *Dealer) PlaintextDeal(i int) (*Deal, error)

PlaintextDeal returns the plaintext version of the deal destined for peer i. Use this only for testing.

func (*Dealer) PrivatePoly

func (d *Dealer) PrivatePoly() *share.PriPoly

PrivatePoly returns the private polynomial used to generate the deal. This private polynomial can be saved and then later on used to generate new shares. This information SHOULD STAY PRIVATE and thus MUST never be given to any third party.

func (*Dealer) ProcessResponse

func (d *Dealer) ProcessResponse(r *Response) (*Justification, error)

ProcessResponse analyzes the given Response. If it is a valid complaint, it returns a Justification that must be broadcast to every participant. If it is an invalid complaint, it returns an error describing the problem; the verifiers will likewise ignore an invalid Complaint.

func (*Dealer) SecretCommit

func (d *Dealer) SecretCommit() kyber.Point

SecretCommit returns the commitment to the secret being shared by this dealer. It is only meant to be called once the deal has enough approvals and is verified; otherwise it returns nil.

func (*Dealer) SessionID

func (d *Dealer) SessionID() []byte

SessionID returns the current sessionID generated by this dealer for this protocol run.

func (*Dealer) SetTimeout

func (d *Dealer) SetTimeout()

SetTimeout marks the end of a round, invalidating any missing (or future) response for this DKG protocol round. The caller is expected to call this after a long timeout so each DKG node can still compute its share if enough Deals are valid.

func (*Dealer) UnmarshalMsg

func (z *Dealer) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

type EncryptedDeal

type EncryptedDeal struct {
	// Ephemeral Diffie Hellman key
	DHKey []byte
	// Signature of the DH key by the longterm key of the dealer
	Signature []byte
	// Nonce used for the encryption
	Nonce []byte
	// AEAD encryption of the deal marshalled by protobuf
	Cipher []byte
}

EncryptedDeal contains the deal in an encrypted form decipherable only by the intended recipient. The encryption is performed in a manner similar to TLS: the dealer generates a temporary key pair and signs it with its longterm secret key.

func (*EncryptedDeal) DecodeMsg

func (z *EncryptedDeal) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (*EncryptedDeal) EncodeMsg

func (z *EncryptedDeal) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (*EncryptedDeal) MarshalMsg

func (z *EncryptedDeal) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*EncryptedDeal) Msgsize

func (z *EncryptedDeal) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*EncryptedDeal) UnmarshalMsg

func (z *EncryptedDeal) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

type Justification

type Justification struct {
	// SessionID related to the current run of the protocol
	SessionID []byte
	// Index of the verifier who issued the Complaint,i.e. index of this Deal
	Index uint32
	// Deal in cleartext
	Deal *Deal
	// Signature over the whole packet
	Signature []byte
}

Justification is a message broadcast by the Dealer in response to a Complaint. It identifies the complaining verifier by index and carries, in cleartext, the Deal that was sent to that verifier, so that every participant can check the share themselves.

func (*Justification) DecodeMsg

func (z *Justification) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (*Justification) EncodeMsg

func (z *Justification) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (*Justification) Hash

func (j *Justification) Hash(s Suite) []byte

Hash returns the hash of a Justification.

func (*Justification) MarshalMsg

func (z *Justification) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*Justification) Msgsize

func (z *Justification) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*Justification) UnmarshalMsg

func (z *Justification) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

type Response

type Response struct {
	// SessionID related to this run of the protocol
	SessionID []byte
	// Index of the verifier issuing this Response from the new set of nodes
	Index uint32
	// false = NO APPROVAL == Complaint , true = APPROVAL
	Status bool
	// Signature over the whole packet
	Signature []byte
}

Response is sent by the verifiers to all participants and holds each individual validation or refusal of a Deal.

func (*Response) DecodeMsg

func (z *Response) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (*Response) EncodeMsg

func (z *Response) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (*Response) Hash

func (r *Response) Hash(s Suite) []byte

Hash returns the Hash representation of the Response

func (*Response) MarshalMsg

func (z *Response) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*Response) Msgsize

func (z *Response) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*Response) UnmarshalMsg

func (z *Response) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

type Suite

type Suite interface {
	kyber.Group
	kyber.HashFactory
	kyber.XOFFactory
	kyber.Random
}

Suite defines the capabilities required by the vss package.

type Verifier

type Verifier struct {
	*Aggregator
	// contains filtered or unexported fields
}

Verifier receives a Deal from a Dealer, can reply with a Complaint, and can collaborate with other Verifiers to reconstruct a secret.

func NewVerifier

func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point,
	verifiers []kyber.Point) (*Verifier, error)

NewVerifier returns a Verifier out of:

  • its longterm secret key
  • the longterm dealer public key
  • the list of public key of verifiers. The list MUST include the public key of this Verifier also.

The security parameter t of the secret sharing scheme is automatically set to a default safe value. If a different t value is required, it is possible to set it with `SetThreshold()`.

func (*Verifier) Commits

func (v *Verifier) Commits() []kyber.Point

Commits returns the commitments of the coefficients of the polynomial contained in the Deal received. It is public information. The private information in the deal must be retrieved through Deal().

func (*Verifier) Deal

func (v *Verifier) Deal() *Deal

Deal returns the Deal that this verifier has received. It returns nil if the deal is not certified or there are not enough approvals.

func (*Verifier) DecodeMsg

func (z *Verifier) DecodeMsg(dc *msgp.Reader) (err error)

DecodeMsg implements msgp.Decodable

func (*Verifier) EncodeMsg

func (z *Verifier) EncodeMsg(en *msgp.Writer) (err error)

EncodeMsg implements msgp.Encodable

func (*Verifier) Index

func (v *Verifier) Index() int

Index returns the index of the verifier in the list of participants used during this run of the protocol.

func (*Verifier) Key

func (v *Verifier) Key() (kyber.Scalar, kyber.Point)

Key returns the longterm key pair this verifier is using during this protocol run.

func (*Verifier) MarshalMsg

func (z *Verifier) MarshalMsg(b []byte) (o []byte, err error)

MarshalMsg implements msgp.Marshaler

func (*Verifier) Msgsize

func (z *Verifier) Msgsize() (s int)

Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message

func (*Verifier) ProcessEncryptedDeal

func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error)

ProcessEncryptedDeal decrypts the deal received from the Dealer. If the deal is valid, i.e. the verifier can verify its share against the public coefficients and the signature is valid, an approval response is returned and must be broadcast to every participant including the dealer. If the deal itself is invalid, it returns a complaint response that must likewise be broadcast to every participant including the dealer. If the deal has already been received, or signing the response failed, it returns an error and no response.

func (*Verifier) ProcessJustification

func (v *Verifier) ProcessJustification(dr *Justification) error

ProcessJustification takes a Justification and returns an error if something went wrong during its verification. If so, the Dealer is probably acting maliciously. To be sure, call `v.DealCertified()`.

func (*Verifier) ProcessResponse

func (v *Verifier) ProcessResponse(resp *Response) error

ProcessResponse analyzes the given response. If it's a valid complaint, the verifier should expect to see a Justification from the Dealer. It returns an error if it's not a valid response. Call `v.DealCertified()` to check if the whole protocol is finished.

func (*Verifier) SessionID

func (v *Verifier) SessionID() []byte

SessionID returns the session id generated by the Dealer. It returns a nil slice if the verifier has not received the Deal yet.

func (*Verifier) SetTimeout

func (v *Verifier) SetTimeout()

SetTimeout marks the end of the protocol. The caller is expected to call this after a long timeout so each verifier can still deem its share valid if enough deals were approved. One should call `DealCertified()` after this method in order to know if the deal is valid or the protocol should abort.

func (*Verifier) UnmarshalMsg

func (z *Verifier) UnmarshalMsg(bts []byte) (o []byte, err error)

UnmarshalMsg implements msgp.Unmarshaler

func (*Verifier) UnsafeSetResponseDKG

func (v *Verifier) UnsafeSetResponseDKG(idx uint32, approval bool)

UnsafeSetResponseDKG is an UNSAFE bypass method to allow DKG to use VSS that works on basis of approval only.
