Documentation ¶
Overview ¶
Package vss implements the verifiable secret sharing scheme from "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing" by Torben Pryds Pedersen. https://link.springer.com/content/pdf/10.1007/3-540-46766-1_9.pdf
Index ¶
- Constants
- Variables
- func MinimumT(n int) int
- func RecoverSecret(suite suites.Suite, deals []*Deal, n, t int) (kyber.Scalar, error)
- type Deal
- type Dealer
- func (d *Dealer) Commits() []kyber.Point
- func (a Dealer) DealCertified() bool
- func (d *Dealer) EncryptedDeal(i int) (*EncryptedDeal, error)
- func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error)
- func (a Dealer) EnoughApprovals() bool
- func (d *Dealer) Key() (secret kyber.Scalar, public kyber.Point)
- func (d *Dealer) PlaintextDeal(i int) (*Deal, error)
- func (d *Dealer) PrivatePoly() *share.PriPoly
- func (d *Dealer) ProcessResponse(r *Response) (*Justification, error)
- func (d *Dealer) SecretCommit() kyber.Point
- func (d *Dealer) SessionID() []byte
- func (d *Dealer) SetTimeout()
- func (a Dealer) VerifyDeal(d *Deal, inclusion bool) error
- type EncryptedDeal
- func (*EncryptedDeal) Descriptor() ([]byte, []int)
- func (m *EncryptedDeal) GetCipher() []byte
- func (m *EncryptedDeal) GetDHKey() []byte
- func (m *EncryptedDeal) GetNonce() []byte
- func (m *EncryptedDeal) GetSignature() []byte
- func (*EncryptedDeal) ProtoMessage()
- func (m *EncryptedDeal) Reset()
- func (m *EncryptedDeal) String() string
- func (m *EncryptedDeal) XXX_DiscardUnknown()
- func (m *EncryptedDeal) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *EncryptedDeal) XXX_Merge(src proto.Message)
- func (m *EncryptedDeal) XXX_Size() int
- func (m *EncryptedDeal) XXX_Unmarshal(b []byte) error
- type EncryptedDeals
- func (*EncryptedDeals) Descriptor() ([]byte, []int)
- func (m *EncryptedDeals) GetDeals() []*EncryptedDeal
- func (*EncryptedDeals) ProtoMessage()
- func (m *EncryptedDeals) Reset()
- func (m *EncryptedDeals) String() string
- func (m *EncryptedDeals) XXX_DiscardUnknown()
- func (m *EncryptedDeals) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *EncryptedDeals) XXX_Merge(src proto.Message)
- func (m *EncryptedDeals) XXX_Size() int
- func (m *EncryptedDeals) XXX_Unmarshal(b []byte) error
- type Justification
- type PublicKey
- func (*PublicKey) Descriptor() ([]byte, []int)
- func (m *PublicKey) GetBinary() []byte
- func (m *PublicKey) GetSenderId() []byte
- func (*PublicKey) ProtoMessage()
- func (m *PublicKey) Reset()
- func (m *PublicKey) String() string
- func (m *PublicKey) XXX_DiscardUnknown()
- func (m *PublicKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *PublicKey) XXX_Merge(src proto.Message)
- func (m *PublicKey) XXX_Size() int
- func (m *PublicKey) XXX_Unmarshal(b []byte) error
- type PublicKeys
- func (*PublicKeys) Descriptor() ([]byte, []int)
- func (m *PublicKeys) GetKeys() []*PublicKey
- func (*PublicKeys) ProtoMessage()
- func (m *PublicKeys) Reset()
- func (m *PublicKeys) String() string
- func (m *PublicKeys) XXX_DiscardUnknown()
- func (m *PublicKeys) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *PublicKeys) XXX_Merge(src proto.Message)
- func (m *PublicKeys) XXX_Size() int
- func (m *PublicKeys) XXX_Unmarshal(b []byte) error
- type Response
- func (*Response) Descriptor() ([]byte, []int)
- func (m *Response) GetIndex() uint32
- func (m *Response) GetSessionID() []byte
- func (m *Response) GetSignature() []byte
- func (m *Response) GetStatus() bool
- func (r *Response) Hash(s suites.Suite) []byte
- func (*Response) ProtoMessage()
- func (m *Response) Reset()
- func (m *Response) String() string
- func (m *Response) XXX_DiscardUnknown()
- func (m *Response) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *Response) XXX_Merge(src proto.Message)
- func (m *Response) XXX_Size() int
- func (m *Response) XXX_Unmarshal(b []byte) error
- type Responses
- func (*Responses) Descriptor() ([]byte, []int)
- func (m *Responses) GetResponses() []*Response
- func (*Responses) ProtoMessage()
- func (m *Responses) Reset()
- func (m *Responses) String() string
- func (m *Responses) XXX_DiscardUnknown()
- func (m *Responses) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *Responses) XXX_Merge(src proto.Message)
- func (m *Responses) XXX_Size() int
- func (m *Responses) XXX_Unmarshal(b []byte) error
- type Signature
- func (*Signature) Descriptor() ([]byte, []int)
- func (m *Signature) GetContent() []byte
- func (m *Signature) GetIndex() uint32
- func (m *Signature) GetNonce() []byte
- func (m *Signature) GetRequestId() []byte
- func (m *Signature) GetSignature() []byte
- func (*Signature) ProtoMessage()
- func (m *Signature) Reset()
- func (m *Signature) String() string
- func (m *Signature) ToBigInt() (x, y *big.Int)
- func (m *Signature) XXX_DiscardUnknown()
- func (m *Signature) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *Signature) XXX_Merge(src proto.Message)
- func (m *Signature) XXX_Size() int
- func (m *Signature) XXX_Unmarshal(b []byte) error
- type Verifier
- func (v *Verifier) Deal() *Deal
- func (a Verifier) DealCertified() bool
- func (a Verifier) EnoughApprovals() bool
- func (v *Verifier) Index() int
- func (v *Verifier) Key() (kyber.Scalar, kyber.Point)
- func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error)
- func (v *Verifier) ProcessJustification(dr *Justification) error
- func (v *Verifier) ProcessResponse(resp *Response) error
- func (v *Verifier) SessionID() []byte
- func (v *Verifier) SetTimeout()
- func (v *Verifier) UnsafeSetResponseDKG(idx uint32, approval bool)
- func (a Verifier) VerifyDeal(d *Deal, inclusion bool) error
Constants ¶
const (
	// StatusComplaint is a constant value meaning that a verifier issues
	// a Complaint against its Dealer.
	// NOTE(review): presumably the value carried in Response.Status; confirm.
	StatusComplaint bool = false
	// StatusApproval is a constant value meaning that a verifier agrees with
	// the share it received.
	StatusApproval bool = true
)
Variables ¶
var ErrNoDealBeforeResponse = errors.New("verfier: need to receive deal before response")
ErrNoDealBeforeResponse is an error returned if a verifier receives a response before having received a deal. For the moment, the caller must make sure a deal has been dispatched to the verifier before any response.
Functions ¶
func MinimumT ¶
MinimumT returns the minimum safe T that is proven to be secure with this protocol. It expects n, the total number of participants. WARNING: Setting a lower T could make the whole protocol insecure. Setting a higher T only makes it harder to reconstruct the secret.
func RecoverSecret ¶
RecoverSecret recovers the secret shared by a Dealer by gathering at least t Deals from the verifiers. It returns an error if there are not enough Deals or if the Deals do not all have the same SessionID.
Types ¶
type Deal ¶
// Deal carries one verifiable secret share together with the data needed to
// check it.
type Deal struct {
	// Unique session identifier for this protocol run
	SessionID []byte
	// SecShare is the secret share carried by this deal. The package sends
	// deals encrypted (see Dealer.EncryptedDeal), so treat this field as
	// confidential to the receiving verifier.
	SecShare *share.PriShare
	// Threshold used for this secret sharing run
	T uint32
	// Commitments are the coefficients used to verify the shares against
	Commitments []kyber.Point
}
Deal encapsulates the verifiable secret share and is sent by the dealer to a verifier.
func (*Deal) MarshalBinary ¶
MarshalBinary returns the binary representations of a Deal. The encryption of a deal operates on this binary representation.
type Dealer ¶
type Dealer struct {
// contains filtered or unexported fields
}
Dealer encapsulates the logic for creating and distributing the shares and for replying to any Responses.
func NewDealer ¶
func NewDealer(suite suites.Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error)
NewDealer returns a Dealer capable of leading the secret sharing scheme. It does not have to be trusted by other Verifiers. The security parameter t is the number of shares required to reconstruct the secret. It is HIGHLY RECOMMENDED to use a threshold greater than or equal to the value MinimumT() returns; a lower threshold breaks the security assumptions of the whole scheme. It returns an error if t is less than or equal to 2.
func (*Dealer) Commits ¶
Commits returns the commitments of the coefficients of the secret polynomial the Dealer is sharing.
func (Dealer) DealCertified ¶
func (a Dealer) DealCertified() bool
DealCertified returns true if there have been fewer than t complaints, all Justifications were correct, and EnoughApprovals() returns true.
func (*Dealer) EncryptedDeal ¶
func (d *Dealer) EncryptedDeal(i int) (*EncryptedDeal, error)
EncryptedDeal returns the encryption of the deal that must be given to the verifier at index i. The dealer first generates a temporary Diffie-Hellman key, signs it using its longterm key, and computes the shared key from its longterm and ephemeral keys and the verifier's public key. This shared key is then fed into an HKDF whose output is the key for an AEAD (AES256-GCM) scheme that encrypts the deal.
func (*Dealer) EncryptedDeals ¶
func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error)
EncryptedDeals calls `EncryptedDeal` for each index of the verifier and returns the list of encrypted deals. Each index in the returned slice corresponds to the index in the list of verifiers.
func (Dealer) EnoughApprovals ¶
func (a Dealer) EnoughApprovals() bool
EnoughApprovals returns true if enough verifiers have sent their approval for the deal they received.
func (*Dealer) PlaintextDeal ¶
PlaintextDeal returns the plaintext version of the deal destined for peer i. Use this only for testing: the returned Deal is unencrypted and carries that peer's secret share (SecShare).
func (*Dealer) PrivatePoly ¶
PrivatePoly returns the private polynomial used to generate the deal. This private polynomial can be saved and then later on used to generate new shares. This information SHOULD STAY PRIVATE and thus MUST never be given to any third party.
func (*Dealer) ProcessResponse ¶
func (d *Dealer) ProcessResponse(r *Response) (*Justification, error)
ProcessResponse analyzes the given Response. If it's a valid complaint, then it returns a Justification. This Justification must be broadcast to every participant. If it's an invalid complaint, it returns an error about the complaint. The verifiers will also ignore an invalid Complaint.
func (*Dealer) SecretCommit ¶
SecretCommit returns the commitment of the secret being shared by this dealer. This function should only be called once the deal has enough approvals and is verified; otherwise it returns nil.
func (*Dealer) SessionID ¶
SessionID returns the current sessionID generated by this dealer for this protocol run.
func (*Dealer) SetTimeout ¶
func (d *Dealer) SetTimeout()
SetTimeout marks the end of a round, invalidating any missing (or future) response for this DKG protocol round. The caller is expected to call this after a long timeout so each DKG node can still compute its share if enough Deals are valid.
func (Dealer) VerifyDeal ¶
VerifyDeal analyzes the deal and returns an error if it's incorrect. If inclusion is true, it also returns an error if it is the second time this struct analyzes a Deal.
type EncryptedDeal ¶
// EncryptedDeal is the protobuf message holding one encrypted deal, as
// returned by Dealer.EncryptedDeal and consumed by
// Verifier.ProcessEncryptedDeal.
type EncryptedDeal struct {
	// NOTE(review): presumably the dealer's temporary Diffie-Hellman public
	// key described in Dealer.EncryptedDeal; confirm against the implementation.
	DHKey []byte `protobuf:"bytes,1,opt,name=dHKey,proto3" json:"dHKey,omitempty"`
	// NOTE(review): presumably the dealer's longterm-key signature over DHKey;
	// a verifier should reject the message if this does not verify. Confirm.
	Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// NOTE(review): presumably the AEAD (AES256-GCM) nonce; confirm.
	Nonce []byte `protobuf:"bytes,3,opt,name=nonce,proto3" json:"nonce,omitempty"`
	// NOTE(review): presumably the AEAD ciphertext of the Deal's binary
	// representation (see Deal.MarshalBinary); confirm.
	Cipher []byte `protobuf:"bytes,4,opt,name=cipher,proto3" json:"cipher,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*EncryptedDeal) Descriptor ¶
func (*EncryptedDeal) Descriptor() ([]byte, []int)
func (*EncryptedDeal) GetCipher ¶
func (m *EncryptedDeal) GetCipher() []byte
func (*EncryptedDeal) GetDHKey ¶
func (m *EncryptedDeal) GetDHKey() []byte
func (*EncryptedDeal) GetNonce ¶
func (m *EncryptedDeal) GetNonce() []byte
func (*EncryptedDeal) GetSignature ¶
func (m *EncryptedDeal) GetSignature() []byte
func (*EncryptedDeal) ProtoMessage ¶
func (*EncryptedDeal) ProtoMessage()
func (*EncryptedDeal) Reset ¶
func (m *EncryptedDeal) Reset()
func (*EncryptedDeal) String ¶
func (m *EncryptedDeal) String() string
func (*EncryptedDeal) XXX_DiscardUnknown ¶
func (m *EncryptedDeal) XXX_DiscardUnknown()
func (*EncryptedDeal) XXX_Marshal ¶
func (m *EncryptedDeal) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*EncryptedDeal) XXX_Merge ¶
func (dst *EncryptedDeal) XXX_Merge(src proto.Message)
func (*EncryptedDeal) XXX_Size ¶
func (m *EncryptedDeal) XXX_Size() int
func (*EncryptedDeal) XXX_Unmarshal ¶
func (m *EncryptedDeal) XXX_Unmarshal(b []byte) error
type EncryptedDeals ¶
// EncryptedDeals is the protobuf message wrapping a list of EncryptedDeal
// messages.
type EncryptedDeals struct {
	// Deals is the repeated field (protobuf field 1) of encrypted deals.
	// NOTE(review): Dealer.EncryptedDeals returns deals ordered by verifier
	// index; whether this message preserves that order is not shown here.
	Deals []*EncryptedDeal `protobuf:"bytes,1,rep,name=deals,proto3" json:"deals,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*EncryptedDeals) Descriptor ¶
func (*EncryptedDeals) Descriptor() ([]byte, []int)
func (*EncryptedDeals) GetDeals ¶
func (m *EncryptedDeals) GetDeals() []*EncryptedDeal
func (*EncryptedDeals) ProtoMessage ¶
func (*EncryptedDeals) ProtoMessage()
func (*EncryptedDeals) Reset ¶
func (m *EncryptedDeals) Reset()
func (*EncryptedDeals) String ¶
func (m *EncryptedDeals) String() string
func (*EncryptedDeals) XXX_DiscardUnknown ¶
func (m *EncryptedDeals) XXX_DiscardUnknown()
func (*EncryptedDeals) XXX_Marshal ¶
func (m *EncryptedDeals) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*EncryptedDeals) XXX_Merge ¶
func (dst *EncryptedDeals) XXX_Merge(src proto.Message)
func (*EncryptedDeals) XXX_Size ¶
func (m *EncryptedDeals) XXX_Size() int
func (*EncryptedDeals) XXX_Unmarshal ¶
func (m *EncryptedDeals) XXX_Unmarshal(b []byte) error
type Justification ¶
// Justification is the Dealer's broadcast answer to a Complaint.
type Justification struct {
	// SessionID related to the current run of the protocol
	SessionID []byte
	// Index of the verifier who issued the Complaint, i.e. index of this Deal
	Index uint32
	// Deal in cleartext. Because a Justification is broadcast, the
	// complainer's share in this Deal is disclosed to every participant.
	Deal *Deal
	// Signature over the whole packet
	Signature []byte
}
Justification is a message that is broadcast by the Dealer in response to a Complaint. It contains the original Complaint as well as the shares distributed to the complainer.
type PublicKey ¶
// PublicKey is the protobuf message carrying one public key and a sender
// identifier.
type PublicKey struct {
	// NOTE(review): presumably the marshalled public key bytes; the encoding
	// is not documented on this page, so confirm before parsing.
	Binary []byte `protobuf:"bytes,1,opt,name=binary,proto3" json:"binary,omitempty"`
	// NOTE(review): identifier of the sender; nothing here shows that it is
	// authenticated, so confirm how the receiver binds it to Binary.
	SenderId []byte `protobuf:"bytes,2,opt,name=senderId,proto3" json:"senderId,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*PublicKey) Descriptor ¶
func (*PublicKey) GetSenderId ¶
func (*PublicKey) ProtoMessage ¶
func (*PublicKey) ProtoMessage()
func (*PublicKey) XXX_DiscardUnknown ¶
func (m *PublicKey) XXX_DiscardUnknown()
func (*PublicKey) XXX_Marshal ¶
func (*PublicKey) XXX_Unmarshal ¶
type PublicKeys ¶
// PublicKeys is the protobuf message wrapping a list of PublicKey messages.
type PublicKeys struct {
	// Keys is the repeated field (protobuf field 1) of public keys.
	Keys []*PublicKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*PublicKeys) Descriptor ¶
func (*PublicKeys) Descriptor() ([]byte, []int)
func (*PublicKeys) GetKeys ¶
func (m *PublicKeys) GetKeys() []*PublicKey
func (*PublicKeys) ProtoMessage ¶
func (*PublicKeys) ProtoMessage()
func (*PublicKeys) Reset ¶
func (m *PublicKeys) Reset()
func (*PublicKeys) String ¶
func (m *PublicKeys) String() string
func (*PublicKeys) XXX_DiscardUnknown ¶
func (m *PublicKeys) XXX_DiscardUnknown()
func (*PublicKeys) XXX_Marshal ¶
func (m *PublicKeys) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*PublicKeys) XXX_Merge ¶
func (dst *PublicKeys) XXX_Merge(src proto.Message)
func (*PublicKeys) XXX_Size ¶
func (m *PublicKeys) XXX_Size() int
func (*PublicKeys) XXX_Unmarshal ¶
func (m *PublicKeys) XXX_Unmarshal(b []byte) error
type Response ¶
// Response is the protobuf message a verifier produces after processing an
// encrypted deal (see Verifier.ProcessEncryptedDeal); it is either an approval
// or a complaint.
type Response struct {
	// SessionID of the protocol run this response belongs to.
	SessionID []byte `protobuf:"bytes,1,opt,name=sessionID,proto3" json:"sessionID,omitempty"`
	// NOTE(review): presumably the index of the verifier issuing the response;
	// confirm.
	Index uint32 `protobuf:"varint,2,opt,name=index,proto3" json:"index,omitempty"`
	// NOTE(review): presumably StatusApproval (true) or StatusComplaint
	// (false). The zero value equals StatusComplaint, so an unset field reads
	// as a complaint; confirm.
	Status bool `protobuf:"varint,3,opt,name=status,proto3" json:"status,omitempty"`
	// NOTE(review): presumably the issuing verifier's signature over the
	// response (see Response.Hash); confirm what is covered.
	Signature []byte `protobuf:"bytes,4,opt,name=signature,proto3" json:"signature,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*Response) Descriptor ¶
func (*Response) GetSessionID ¶
func (*Response) GetSignature ¶
func (*Response) ProtoMessage ¶
func (*Response) ProtoMessage()
func (*Response) XXX_DiscardUnknown ¶
func (m *Response) XXX_DiscardUnknown()
func (*Response) XXX_Marshal ¶
func (*Response) XXX_Unmarshal ¶
type Responses ¶
// Responses is the protobuf message wrapping a list of Response messages.
type Responses struct {
	// Responses is the repeated field (protobuf field 1) of responses.
	Responses []*Response `protobuf:"bytes,1,rep,name=responses,proto3" json:"responses,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*Responses) Descriptor ¶
func (*Responses) GetResponses ¶
func (*Responses) ProtoMessage ¶
func (*Responses) ProtoMessage()
func (*Responses) XXX_DiscardUnknown ¶
func (m *Responses) XXX_DiscardUnknown()
func (*Responses) XXX_Marshal ¶
func (*Responses) XXX_Unmarshal ¶
type Signature ¶
// Signature is a protobuf message carrying a signature together with an index,
// a request identifier, a nonce and the signed content.
// NOTE(review): the field semantics are not documented on this page; the
// comments below only restate the declarations. Confirm against the producer.
type Signature struct {
	// Index is protobuf field 1 (varint).
	Index uint32 `protobuf:"varint,1,opt,name=index,proto3" json:"index,omitempty"`
	// RequestId is protobuf field 2 (bytes).
	RequestId []byte `protobuf:"bytes,2,opt,name=requestId,proto3" json:"requestId,omitempty"`
	// Nonce is protobuf field 3 (bytes).
	Nonce []byte `protobuf:"bytes,3,opt,name=nonce,proto3" json:"nonce,omitempty"`
	// Content is protobuf field 4 (bytes).
	Content []byte `protobuf:"bytes,4,opt,name=content,proto3" json:"content,omitempty"`
	// Signature is protobuf field 5 (bytes).
	Signature []byte `protobuf:"bytes,5,opt,name=signature,proto3" json:"signature,omitempty"`
	// The XXX_ fields below carry the json:"-" tag, so encoding/json skips them.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
func (*Signature) Descriptor ¶
func (*Signature) GetContent ¶
func (*Signature) GetRequestId ¶
func (*Signature) GetSignature ¶
func (*Signature) ProtoMessage ¶
func (*Signature) ProtoMessage()
func (*Signature) XXX_DiscardUnknown ¶
func (m *Signature) XXX_DiscardUnknown()
func (*Signature) XXX_Marshal ¶
func (*Signature) XXX_Unmarshal ¶
type Verifier ¶
type Verifier struct {
// contains filtered or unexported fields
}
Verifier receives a Deal from a Dealer, can reply with a Complaint, and can collaborate with other Verifiers to reconstruct a secret.
func NewVerifier ¶
func NewVerifier(suite suites.Suite, longterm kyber.Scalar, dealerKey kyber.Point, verifiers []kyber.Point) (*Verifier, error)
NewVerifier returns a Verifier out of:
- its longterm secret key
- the longterm dealer public key
- the list of public keys of the verifiers. The list MUST also include the public key of this Verifier.
The security parameter t of the secret sharing scheme is automatically set to a default safe value. If a different t value is required, it is possible to set it with `verifier.SetT()`.
func (*Verifier) Deal ¶
Deal returns the Deal that this verifier has received. It returns nil if the deal is not certified or there are not enough approvals.
func (Verifier) DealCertified ¶
func (a Verifier) DealCertified() bool
DealCertified returns true if there have been fewer than t complaints, all Justifications were correct, and EnoughApprovals() returns true.
func (Verifier) EnoughApprovals ¶
func (a Verifier) EnoughApprovals() bool
EnoughApprovals returns true if enough verifiers have sent their approval for the deal they received.
func (*Verifier) Index ¶
Index returns the index of the verifier in the list of participants used during this run of the protocol.
func (*Verifier) Key ¶
Key returns the longterm key pair this verifier is using during this protocol run.
func (*Verifier) ProcessEncryptedDeal ¶
func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error)
ProcessEncryptedDeal decrypts the deal received from the Dealer. If the deal is valid, i.e. the verifier can verify its shares against the public coefficients and the signature is valid, an approval response is returned and must be broadcast to every participant including the dealer. If the deal itself is invalid, it returns a complaint response that must be broadcast to every other participant including the dealer. If the deal has already been received, or the signature generation of the response failed, it returns an error without any response.
func (*Verifier) ProcessJustification ¶
func (v *Verifier) ProcessJustification(dr *Justification) error
ProcessJustification takes a DealerResponse and returns an error if something went wrong during the verification. If it is the case, that probably means the Dealer is acting maliciously. In order to be sure, call `v.EnoughApprovals()` and if true, `v.DealCertified()`.
func (*Verifier) ProcessResponse ¶
ProcessResponse analyzes the given response. If it's a valid complaint, the verifier should expect to see a Justification from the Dealer. It returns an error if it's not a valid response. Call `v.DealCertified()` to check if the whole protocol is finished.
func (*Verifier) SessionID ¶
SessionID returns the session id generated by the Dealer. It returns a nil slice if the verifier has not received the Deal yet.
func (*Verifier) SetTimeout ¶
func (v *Verifier) SetTimeout()
SetTimeout marks the end of a round, invalidating any missing (or future) response for this DKG protocol round. The caller is expected to call this after a long timeout so each DKG node can still compute its share if enough Deals are valid.
func (*Verifier) UnsafeSetResponseDKG ¶
UnsafeSetResponseDKG is an UNSAFE bypass method that allows DKG to use VSS on the basis of approvals only.
func (Verifier) VerifyDeal ¶
VerifyDeal analyzes the deal and returns an error if it's incorrect. If inclusion is true, it also returns an error if it is the second time this struct analyzes a Deal.