-
Notifications
You must be signed in to change notification settings - Fork 0
/
JohnsonMerkleSignature.go
445 lines (390 loc) · 14.5 KB
/
JohnsonMerkleSignature.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
package redactionschemes
import (
"crypto"
"crypto/ecdsa"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/json"
"fmt"
_ "image/png"
"math/bits"
"sort"
"strconv"
"github.com/maruel/fortuna"
)
//As introduced in "Homomorphic Signature Schemes" from Johnson et al.
type JohnsonMerkleSignature struct {
BaseSignature []byte
PublicKey ecdsa.PublicKey
Key []byte // This is only visible before the redaction
RedactedKeys map[string]redactedProperty // And this afterwards, these are the conodes keys
RedactedHash map[string]redactedProperty // and these the hashes of the parents of the redacted nodes
}
type johnsonNode struct {
Children map[int]*johnsonNode
Parent *johnsonNode
Key []byte
Hash []byte
Position string
Deleted bool
}
type redactedProperty struct {
Key []byte
Hash []byte
Position string
}
// Length-doubling pseudorandom generator
func G(InputBytes []byte) []byte {
prn := make([]byte, len(InputBytes)*2)
fortuna.NewGenerator(sha256.New(), InputBytes).Read(prn)
return prn
}
func bitStringToIndex(bitstring string) int {
i, _ := strconv.ParseInt(bitstring, 2, 64)
return int(i)
}
func isLowestLevel(bitstring string, length int) bool {
bit_length := bits.Len(uint(length))
return (length == 1 && len(bitstring) == 0) || bit_length == len(bitstring)
}
// generateRedactionTree recursively generates the redaction tree
func generateRedactionTree(parent *johnsonNode, data *PartitionedData) *johnsonNode {
// if depth is lowest (does not necessarily need to be 0)
if isLowestLevel(parent.Position, len(*data)) {
// we are now at the leaf node and go back up the tree, so we set the data to the leafs
index := bitStringToIndex(parent.Position)
if index >= len(*data) {
//this is the case when the data is not of length 2^n and we need padding
parent.Hash = H(append([]byte{0}, append(parent.Key, []byte{}...)...))
return parent
} else {
parent.Hash = H(append([]byte{0}, append(parent.Key, (*data)[index]...)...))
return parent
}
}
new_seed := G(parent.Key)
left_position := parent.Position + "0"
left_node := johnsonNode{
Key: new_seed[:len(parent.Key)],
Parent: parent,
Position: left_position}
left := generateRedactionTree(&left_node,
data)
right_position := parent.Position + "1"
right_node := johnsonNode{
Key: new_seed[len(parent.Key):],
Parent: parent,
Position: right_position}
right := generateRedactionTree(&right_node,
data)
parent.Children = map[int]*johnsonNode{0: left, 1: right}
// Now we can calculate the hash value of the leafs merkle-tree-style
parent.Hash = H(append([]byte{1}, append(left.Hash, right.Hash...)...))
return parent
}
// calculateHashes recursively calculates the hashes of a tree with partial information
func calculateHashes(node_bitstring string, redactedKeys map[string]redactedProperty, redactedHash map[string]redactedProperty, data *PartitionedData) {
if _, ok := redactedHash[node_bitstring]; ok {
//The node was redacted and we already have the hash
return
}
if isLowestLevel(node_bitstring, len(*data)) {
//We are at the lowest level and need to calculate the leaf hash from the data and key
prop := redactedKeys[node_bitstring]
index := bitStringToIndex(node_bitstring)
if index >= len(*data) {
prop.Hash = H(append([]byte{0},
append(redactedKeys[node_bitstring].Key, []byte{}...)...))
} else {
prop.Hash = H(append([]byte{0},
append(redactedKeys[node_bitstring].Key, (*data)[index]...)...))
}
redactedHash[node_bitstring] = prop
return
}
//Do this for all child nodes
calculateHashes(node_bitstring+"0", redactedKeys, redactedHash, data)
calculateHashes(node_bitstring+"1", redactedKeys, redactedHash, data)
//Else, we just calculate the hash normally using the possibly two child nodes
prop := redactedKeys[node_bitstring]
prop.Hash = H(append([]byte{1},
append(redactedHash[node_bitstring+"0"].Hash,
redactedHash[node_bitstring+"1"].Hash...)...))
redactedHash[node_bitstring] = prop
}
// Verifies if a given signature matches the supplied data
// This rebuilds the tree by regenerating the co-node-trees, as well as using the supplied hashes to retrieve the root node hash
func (sig *JohnsonMerkleSignature) Verify(data *PartitionedData) error {
//This is the case when the signature is initial, so we have the root key included and can simply verify everything
if sig.Key != nil && len(sig.Key) > 0 {
main_node := johnsonNode{
Key: sig.Key,
Position: ""}
tree := generateRedactionTree(&main_node, data)
if !ecdsa.VerifyASN1(&sig.PublicKey, tree.Hash, sig.BaseSignature) {
return fmt.Errorf("verification failed! (initial signature)")
} else {
return nil
}
}
//Else, we need to build the partial tree by using RedactedKeys and RedactedHash
//First, check if redacted hashes are actually redacted:
for k, _ := range sig.RedactedHash {
index := bitStringToIndex(k)
if index <= len(*data) && isLowestLevel(k, len(*data)) && len((*data)[index]) != 0 {
//check if data is actually empty
return fmt.Errorf("redacted datapoint not acutally redacted")
}
}
//First step: sig.RedactedKeys contains all relevant co-nodes, which we need to compute in order from lowest depth to highest, so we sort it:
positions := make([]string, 0, len(sig.RedactedKeys))
for k := range sig.RedactedKeys {
positions = append(positions, k)
}
//Our positions slice is sorted by depth, and we need to start at the lowest depth, so we need to reverse it
sort.Slice(positions, func(i, j int) bool {
return len(positions[i]) > len(positions[j])
})
//Second step: Calculate the hashes of the co-nodes by building the partial redaction tree
for _, v := range positions {
cur_key := sig.RedactedKeys[v]
//co-nodes have a full partial tree, so calculate it first
cur_node := johnsonNode{
Key: cur_key.Key,
Position: cur_key.Position}
tree := generateRedactionTree(&cur_node, data)
cur_key.Hash = tree.Hash
sig.RedactedHash[v] = cur_key
}
//Recursively retrive the hash of the other node. We should have all the relevant info at this point
calculateHashes("", sig.RedactedKeys, sig.RedactedHash, data)
//Third step: Verify signature
if !ecdsa.VerifyASN1(&sig.PublicKey, sig.RedactedHash[""].Hash, sig.BaseSignature) {
return fmt.Errorf("verification failed! (rebuild tree)")
} else {
return nil
}
}
// pruneRedactionTree adds all relevant tree nodes needed for the redaction to redactedHashes based on if they are pruned
func pruneRedactionTree(mismatches map[int]bool, node *johnsonNode, redactedHashes map[string]*johnsonNode, data_length int) {
lowest_level := isLowestLevel(node.Position, data_length)
if lowest_level && mismatches[int(bitStringToIndex(node.Position))] {
redactedHashes[node.Position] = node
return
}
for _, v := range node.Children {
pruneRedactionTree(mismatches, v, redactedHashes, data_length)
}
if !lowest_level {
_, leftChildIn := redactedHashes[node.Children[0].Position]
_, rightChildIn := redactedHashes[node.Children[1].Position]
if leftChildIn && rightChildIn {
redactedHashes[node.Position] = node
delete(redactedHashes, node.Children[0].Position)
delete(redactedHashes, node.Children[1].Position)
}
}
}
// Redacts an existing signature based on data.
// When redacting, k_epsilon is not publicsed, as with it we could just calculate all the hashes
// and possibly get access to the redacted data by bruteforcing or similar.
// Instead, we just publicise the co-nodes keys, as well as the parent node of the redacted leaf
func (orig_signature *JohnsonMerkleSignature) Redact(redacted_indices []int, data *PartitionedData) (RedactableSignature, error) {
something_is_redacted := len(redacted_indices) > 0
if !something_is_redacted {
return orig_signature, nil
}
if orig_signature.Key == nil || len(orig_signature.Key) == 0 {
return nil, fmt.Errorf("CURRENTLY REDACTING REDACTED SIGNATURES IS NOT SUPPORTED! Key empty")
}
err := orig_signature.Verify(data)
if err != nil {
return nil, fmt.Errorf("data does not match the orig_signature! %s", err)
}
node := johnsonNode{
Key: orig_signature.Key,
Position: ""}
tree := generateRedactionTree(&node, data)
if orig_signature.RedactedHash != nil && len(orig_signature.RedactedHash) > 0 {
//TODO: It should be possible to further redact a redaction
return nil, fmt.Errorf("CURRENTLY REDACTING REDACTED SIGNATURES IS NOT SUPPORTED! Redacted Hash not empty")
}
redactedKeys := make(map[string]redactedProperty)
redactedHash := make(map[string]redactedProperty)
redactedNodes := make(map[string]*johnsonNode)
redacted_chunks := make(map[int]bool)
for _, v := range redacted_indices {
redacted_chunks[v] = true
}
//Check for consecutive redactions:
//If all children of a node are redacted, we just give the hash of the parent.
//We do this by pruning the nodes from the tree, starting at the lowest level.
pruneRedactionTree(redacted_chunks, tree, redactedNodes, len(*data))
//Retrive Conodes by going up the tree
for _, node := range redactedNodes {
if node.Hash == nil || len(node.Hash) == 0 {
return nil, fmt.Errorf("some redacted node's hash seems to be empty")
}
//Prepare final datastructure
redactedHash[node.Position] = redactedProperty{Hash: node.Hash, Position: node.Position}
//Go up the tree and retrive the co-nodes
cur := node
for cur.Parent != nil {
pos, _ := strconv.Atoi(cur.Position[len(cur.Position)-1:])
pos = 1 - pos
redactedKeys[cur.Parent.Children[pos].Position] = redactedProperty{
Key: cur.Parent.Children[pos].Key,
Position: cur.Parent.Children[pos].Position}
cur = cur.Parent
}
}
//Remove the keys of the nodes which are already included as hashes
for v := range redactedHash {
delete(redactedKeys, v)
}
//Remove the redundant co-nodes which include all necessary hashes in their children, i.e. one of their prefixes is also in redactkeys
//As we modify the map while we iterate over it, we create a copy beforehand
redactedKeysCopy := make(map[string]redactedProperty)
for k, v := range redactedKeys {
redactedKeysCopy[k] = v
}
for v := range redactedKeysCopy {
_, ok0 := redactedKeysCopy[v+"0"]
_, ok1 := redactedKeysCopy[v+"1"]
if ok0 || ok1 {
delete(redactedKeys, v)
}
}
out := JohnsonMerkleSignature{
BaseSignature: orig_signature.BaseSignature,
PublicKey: orig_signature.PublicKey,
RedactedKeys: redactedKeys,
RedactedHash: redactedHash}
return &out, nil
}
// Sign uses the private_key to sign data redactably.
func (sig *JohnsonMerkleSignature) Sign(data *PartitionedData, private_key *crypto.PrivateKey) error {
ecdsa_private_key, ok := (*private_key).(*ecdsa.PrivateKey)
if !ok {
return fmt.Errorf("only ECDSA supported atm")
}
prn := data.Hash()
node := johnsonNode{
Key: prn,
Position: ""}
tree := generateRedactionTree(&node, data)
signature, _ := ecdsa.SignASN1(rand.Reader, ecdsa_private_key, tree.Hash)
sig.BaseSignature = signature
sig.PublicKey = ecdsa_private_key.PublicKey
sig.Key = prn
sig.RedactedHash = nil
sig.RedactedKeys = nil
return nil
}
type redactedPropertySerialized struct {
Key string
Hash string
Position string
}
type johnsonRedactableSignatureSerialized struct {
BaseSignature string
PublicKey string
Key string
RedactedKeys map[string]redactedPropertySerialized
RedactedHash map[string]redactedPropertySerialized
}
func (sig *JohnsonMerkleSignature) Marshal() (string, error) {
redacted_keys := make(map[string]redactedPropertySerialized)
for k, v := range sig.RedactedKeys {
redacted_keys[k] = redactedPropertySerialized{
Key: base64.StdEncoding.EncodeToString(v.Key),
Hash: base64.StdEncoding.EncodeToString(v.Hash),
Position: v.Position,
}
}
redacted_hash := make(map[string]redactedPropertySerialized)
for k, v := range sig.RedactedHash {
redacted_hash[k] = redactedPropertySerialized{
Key: base64.StdEncoding.EncodeToString(v.Key),
Hash: base64.StdEncoding.EncodeToString(v.Hash),
Position: v.Position,
}
}
marsh_pub_key, _ := x509.MarshalPKIXPublicKey(&sig.PublicKey)
out := johnsonRedactableSignatureSerialized{
BaseSignature: base64.StdEncoding.EncodeToString(sig.BaseSignature),
PublicKey: base64.StdEncoding.EncodeToString(marsh_pub_key),
Key: base64.StdEncoding.EncodeToString(sig.Key),
RedactedKeys: redacted_keys,
RedactedHash: redacted_hash,
}
out_bytes, err := json.Marshal(out)
return string(out_bytes), err
}
func (sig *JohnsonMerkleSignature) Unmarshal(input string) error {
var sig_serialized johnsonRedactableSignatureSerialized
err := json.Unmarshal([]byte(input), &sig_serialized)
if err != nil {
sig_string_unquote, _ := strconv.Unquote(input)
err := json.Unmarshal([]byte(sig_string_unquote), &sig_serialized)
if err != nil {
return fmt.Errorf("error while unmarshaling serialized Signature: %s: %s", err, input)
}
}
redacted_keys := make(map[string]redactedProperty)
for k, v := range sig_serialized.RedactedKeys {
key, err := base64.StdEncoding.DecodeString(v.Key)
if err != nil {
return fmt.Errorf("error while decoding Key: %s", err)
}
hash, err := base64.StdEncoding.DecodeString(v.Hash)
if err != nil {
return fmt.Errorf("error while decoding Hash: %s", err)
}
redacted_keys[k] = redactedProperty{
Key: key,
Hash: hash,
Position: v.Position,
}
}
redacted_hash := make(map[string]redactedProperty)
for k, v := range sig_serialized.RedactedHash {
key, err := base64.StdEncoding.DecodeString(v.Key)
if err != nil {
return fmt.Errorf("error while decoding Key: %s", err)
}
hash, err := base64.StdEncoding.DecodeString(v.Hash)
if err != nil {
return fmt.Errorf("error while decoding Hash: %s", err)
}
redacted_hash[k] = redactedProperty{
Key: key,
Hash: hash,
Position: v.Position,
}
}
base_sig, err := base64.StdEncoding.DecodeString(sig_serialized.BaseSignature)
if err != nil {
return fmt.Errorf("error while decoding BaseSignature: %s", err)
}
pub_bytes, err := base64.StdEncoding.DecodeString(sig_serialized.PublicKey)
if err != nil {
return fmt.Errorf("error while decoding PublicKey bytes: %s", err)
}
pub, err := x509.ParsePKIXPublicKey(pub_bytes)
if err != nil {
return fmt.Errorf("error while parsing PublicKey: %s", err)
}
key, err := base64.StdEncoding.DecodeString(sig_serialized.Key)
if err != nil {
return fmt.Errorf("error while decoding Key: %s", err)
}
sig.BaseSignature = base_sig
sig.PublicKey = *pub.(*ecdsa.PublicKey)
sig.Key = key
sig.RedactedKeys = redacted_keys
sig.RedactedHash = redacted_hash
return nil
}