Documentation
Overview
Package rsa provides an RSA threshold signature scheme.
This package implements Protocol 1 of "Practical Threshold Signatures" by Victor Shoup [1].
References
[1] https://www.iacr.org/archive/eurocrypt2000/1807/18070209-new.pdf
Constants
This section is empty.
Variables
This section is empty.
Functions
func GenerateKey
GenerateKey generates an RSA key pair for use in RSA threshold signatures. Internally, the modulus is the product of two safe primes. This function takes relatively longer than the regular GenerateKey function from the crypto/rsa package.
Types
type KeyShare
type KeyShare struct {
	// contains filtered or unexported fields
}
KeyShare represents a portion of the key. It can only be used to generate SignShare's. During the dealing phase (when Deal is called), one KeyShare is generated per player.
func Deal
func Deal(randSource io.Reader, players, threshold uint, key *rsa.PrivateKey, cache bool) ([]KeyShare, error)
Deal takes in an existing RSA private key generated elsewhere. If cache is true, cached values are stored in each KeyShare, taking up more memory but reducing Sign time. See KeyShare documentation. Multi-prime RSA keys are unsupported.
func (*KeyShare) MarshalBinary
MarshalBinary encodes a KeyShare into a byte array in a format readable by UnmarshalBinary. Note: only Index values up to math.MaxUint16 are supported.
func (*KeyShare) Sign
func (kshare *KeyShare) Sign(randSource io.Reader, pub *rsa.PublicKey, digest []byte, parallel bool) (SignShare, error)
Sign signs digest using a KeyShare. digest MUST already be padded and hashed: call PadHash before this method.
If randSource is not nil, blinding is used to avoid timing side-channel attacks.
parallel indicates whether the blinding operations should use goroutines to operate in parallel. If parallel is false, blinding will take about 2x longer than non-blinding; otherwise it will take about the same time (see benchmarks). If randSource is nil, parallel has no effect. parallel should almost always be set to true.
func (*KeyShare) UnmarshalBinary
UnmarshalBinary recovers a KeyShare from a slice of bytes, or returns an error if the encoding is invalid.
type PKCS1v15Padder
type PKCS1v15Padder struct{}
type PSSPadder
type PSSPadder struct {
	Rand io.Reader
	Opts *rsa.PSSOptions
}
PSSPadder is a padder for RSA Probabilistic Padding Scheme (RSA-PSS) used in TLS 1.3.
Note: If the salt length is non-zero, PSS padding is not deterministic. TLS 1.3 mandates that the salt length is the same as the hash output length. As such, the players cannot each pad the message individually; otherwise they will produce unique messages and the signature will not be valid. Instead, one party should generate a random saltLen-byte string. When requesting signatures from the rest of the parties, that party should send along the same random string to be used as `rand` here.
For TLS, rsa.PSSOptions.SaltLength should be PSSSaltLengthEqualsHash.
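The salt caveat above can be seen with the standard library alone. This is an added example, not code from this package: it hand-implements the EMSA-PSS encoding from RFC 8017 and shows that two players only obtain the same value to sign when they use the same salt. It assumes SHA-256, a 2048-bit modulus and fixed, constructed salts; `mgf1`, `emsaPSS` and `playersAgree` are illustrative names.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// mgf1 is the RFC 8017 mask generation function, instantiated with SHA-256.
func mgf1(seed []byte, n int) []byte {
	var out []byte
	for c := 0; len(out) < n; c++ {
		h := sha256.New()
		h.Write(seed)
		h.Write([]byte{byte(c >> 24), byte(c >> 16), byte(c >> 8), byte(c)})
		out = h.Sum(out)
	}
	return out[:n]
}

// emsaPSS builds the EMSA-PSS encoding (RFC 8017, section 9.1.1) of digest:
// the value every player must agree on before applying its key share.
func emsaPSS(digest, salt []byte, modBits int) []byte {
	emLen := (modBits + 6) / 8 // ceil((modBits-1)/8)
	h := sha256.New()
	h.Write(make([]byte, 8)) // M' = 8 zero bytes || digest || salt
	h.Write(digest)
	h.Write(salt)
	hash := h.Sum(nil)
	db := make([]byte, emLen-len(hash)-1) // DB = PS || 0x01 || salt
	db[len(db)-len(salt)-1] = 0x01
	copy(db[len(db)-len(salt):], salt)
	for i, m := range mgf1(hash, len(db)) {
		db[i] ^= m
	}
	db[0] &= 0xff >> (8*emLen - modBits + 1) // clear bits above modBits-1
	return append(append(db, hash...), 0xbc)
}

// playersAgree reports whether padding msg with saltA and saltB gives one encoding.
func playersAgree(msg, saltA, saltB []byte) bool {
	d := sha256.Sum256(msg)
	return bytes.Equal(emsaPSS(d[:], saltA, 2048), emsaPSS(d[:], saltB, 2048))
}

func main() {
	// Constructed 32-byte salts; a real signer draws a fresh random salt per signature.
	shared, own := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
	fmt.Println(playersAgree([]byte("hi"), shared, shared), playersAgree([]byte("hi"), shared, own))
}
```
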
type SignShare
type SignShare struct {
	// contains filtered or unexported fields
}
SignShare represents a portion of a signature. It is generated when a message is signed by a KeyShare. t SignShare's are then combined by calling CombineSignShares, where t is the Threshold.
func (*SignShare) MarshalBinary
MarshalBinary encodes a SignShare into a byte array in a format readable by UnmarshalBinary. Note: only Index values up to math.MaxUint16 are supported.
func (*SignShare) UnmarshalBinary
UnmarshalBinary converts a byte array output by MarshalBinary into a SignShare, or returns an error if the value is invalid.