package resharing
import (
	"fmt"

	"github.com/shaih/go-yosovss/msgpack"
	"github.com/shaih/go-yosovss/primitives/curve25519"
	log "github.com/sirupsen/logrus"
)
// TripleIJL identifies a single resolved share by the parties involved: the
// dealer it came from, the verifier whose complaint was resolved, and the
// position of the share inside the recovered message M[j]. It is used as the
// key of the map returned by ResolveComplaints.
type TripleIJL struct {
	i int // dealer D_i, i in [0,n-1]
	j int // verifier V_j, j in [0,n-1]
	// new holder P_{l+1} / 0, l in [0,n].
	// NOTE(review): ResolveComplaints stores keys with l in [0,2n) (it copies
	// every entry of M[j].SR), which is wider than the range stated here — confirm
	// which half of SR maps to which holder.
	l int
}
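// CheckDealingMessages reports whether the dealing message msg sent by dealer i
// is structurally well-formed for a committee of pub.N parties.
//
// It only performs the cheap length checks that the resolution step relies on
// before indexing into msg (HashEps[j], EncResM[j], ComC[j+1]); the expensive
// verification of the dealer itself is done by checkDealerQualified. When the
// message is rejected an info-level log line names the dealer and false is
// returned.
//
// When dbg.SkipDealingFutureBroadcast is set, the EncResM and HashEps lengths
// are deliberately not checked, so code that later indexes those fields must
// not assume this function validated them.
func CheckDealingMessages(pub *PublicInput, msg DealingMessage, i int, dbg *PartyDebugParams) bool {
	n := pub.N

	// EncResM and HashEps belong to the future broadcast; their lengths are
	// only meaningful when that broadcast is not skipped for debugging.
	futureBroadcastOK := dbg.SkipDealingFutureBroadcast ||
		(len(msg.EncResM) == n && len(msg.HashEps) == n)

	// ComC needs n+1 entries: the resolution step reads ComC[j+1] for
	// verifier j in [0,n-1].
	if !futureBroadcastOK || len(msg.EncVerM) != n || len(msg.ComC) != n+1 {
		log.Infof("dealer %d disqualified as it sent incorrect message", i)
		return false
	}
	// The former per-k loop re-testing len(msg.HashEps) was unreachable after
	// the check above and has been removed; there is nothing per-element to
	// check here.
	return true
}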
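// ResolveComplaints processes the complaints raised by the verification
// committee against each dealer.
//
// For every pair (dealer i, verifier j) where verifier j complained, it
// collects the eps shares broadcast by the resolution committee, reconstructs
// the eps key, decrypts the dealer's EncResM[j] and checks that the recovered
// shares match the Pedersen commitments (see getAndVerifyResolutionMJ). A
// dealer whose dealing message is malformed, or for whom any complaint cannot
// be resolved to valid shares, is marked in disqualifiedDealers
// (disqualifiedDealers[i] = true). For each successfully resolved complaint
// the 2n recovered shares M[j].SR[l] are stored in resolvedSharesSR under the
// key TripleIJL{i, j, l}, l in [0,2n).
//
// Shares already stored for a dealer whose later complaint fails are left in
// resolvedSharesSR; callers must consult disqualifiedDealers before using
// them.
//
// err is non-nil only when one of the message slices holds fewer than pub.N
// entries, which would otherwise cause an out-of-range access; in that case
// both maps are nil.
func ResolveComplaints(
	pub *PublicInput,
	dealingMessages []DealingMessage,
	verificationMessages []VerificationMessage,
	resolutionMessages []ResolutionMessage,
	dbg *PartyDebugParams,
) (
	resolvedSharesSR map[TripleIJL]curve25519.Scalar,
	disqualifiedDealers map[int]bool,
	err error,
) {
	n := pub.N

	// Every slice below is indexed by party in [0,n); refuse short inputs
	// rather than panicking on an out-of-range index.
	if len(dealingMessages) < n || len(verificationMessages) < n || len(resolutionMessages) < n {
		return nil, nil, fmt.Errorf(
			"resolving complaints: expected %d dealing/verification/resolution messages, got %d/%d/%d",
			n, len(dealingMessages), len(verificationMessages), len(resolutionMessages))
	}

	resolvedSharesSR = map[TripleIJL]curve25519.Scalar{}
	disqualifiedDealers = map[int]bool{}

	for i := 0; i < n; i++ {
		if !CheckDealingMessages(pub, dealingMessages[i], i, dbg) {
			disqualifiedDealers[i] = true
			continue
		}
		for j := 0; j < n; j++ {
			complaints := verificationMessages[j].Complaints
			if len(complaints) != n || !complaints[i] {
				continue
			}

			// Verifier j complained against dealer i: gather the eps shares
			// eps_{i+1,j+1,k+1} that each resolution member k published.
			epsShares := collectResolutionEpsShares(resolutionMessages, n, i, j)

			// Reconstruct the key, decrypt M[j] and verify the shares it holds.
			mj := getAndVerifyResolutionMJ(pub, &dealingMessages[i], epsShares, i, j)
			if mj == nil {
				// M[j] could not be recovered or did not verify: the dealer is
				// disqualified and its remaining complaints are not examined.
				disqualifiedDealers[i] = true
				break
			}

			// mj.SR has exactly 2n entries (enforced by getAndVerifyResolutionMJ).
			for l := 0; l < 2*n; l++ {
				resolvedSharesSR[TripleIJL{i, j, l}] = mj.SR[l]
			}
		}
	}
	return resolvedSharesSR, disqualifiedDealers, nil
}

// collectResolutionEpsShares returns, for a fixed dealer i and verifier j, the
// eps share published by each of the n resolution committee members, indexed
// by member k. Entries are nil for members that published no share for (i, j).
func collectResolutionEpsShares(resolutionMessages []ResolutionMessage, n, i, j int) []*curve25519.Scalar {
	epsShares := make([]*curve25519.Scalar, n)
	for k := 0; k < n; k++ {
		// epsIJK is a new variable on every iteration, so its address is
		// distinct per k.
		if epsIJK, ok := resolutionMessages[k].EpsShares[PairIJ{i, j}]; ok {
			epsShares[k] = &epsIJK
		}
	}
	return epsShares
}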
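// getAndVerifyResolutionMJ recovers and verifies the message M[j] that dealer i
// encrypted for verifier j in msg.EncResM[j].
//
// It reconstructs the eps key from epsShares (one entry per resolution
// committee member, nil where the member published nothing), handing
// ReconstructEpsKey the dealer's msg.HashEps[j] as well (presumably so a key
// that does not match the dealer's commitment is rejected), decrypts
// msg.EncResM[j], decodes the plaintext as a VerificationMJ and verifies that
// mj.SR holds exactly 2n shares consistent with the commitments msg.ComC[j+1].
// On any failure it logs the reason at info level, attributing the fault to
// dealer i, and returns nil; the caller treats nil as grounds for
// disqualification.
func getAndVerifyResolutionMJ(
	pub *PublicInput,
	msg *DealingMessage,
	epsShares []*curve25519.Scalar,
	i int,
	j int,
) *VerificationMJ {
	n := pub.N

	// CheckDealingMessages does not check the HashEps/EncResM lengths when
	// dbg.SkipDealingFutureBroadcast is set, so guard the indexing below
	// instead of panicking on a short message.
	if j < 0 || j >= len(msg.HashEps) || j >= len(msg.EncResM) || j+1 >= len(msg.ComC) {
		log.Infof("dealer %d provided a dealing message too short to resolve the complaint of verifier %d", i, j)
		return nil
	}

	// Reconstruct the eps key from the committee's shares.
	epsKey, err := ReconstructEpsKey(n, pub.T, epsShares, msg.HashEps[j])
	if err != nil {
		log.Infof("dealer %d provided incorrect shares to resolution committee: %v", i, err)
		return nil
	}

	// Decrypt M[j]. A fixed all-zero nonce is only sound if each eps key is
	// used to encrypt a single message (this M[j]); the dealing side must use
	// the same nonce and never reuse the key — confirm against the encryption
	// code.
	var zeroNonce curve25519.Nonce
	mjBytes, err := curve25519.SymmetricDecrypt(epsKey, zeroNonce, msg.EncResM[j])
	if err != nil {
		log.Infof("dealer %d provided incorrect encryption of M[j] to resolution committee: %v", i, err)
		return nil
	}

	// Decode the plaintext into the expected structure.
	var mj VerificationMJ
	if err = msgpack.Decode(mjBytes, &mj); err != nil {
		log.Infof("dealer %d provided incorrect encoding of M[j] to resolution committee: %v", i, err)
		return nil
	}

	// The caller indexes mj.SR[0..2n), so the length must be exactly 2n.
	if len(mj.SR) != 2*n {
		log.Infof("dealer %d provided incorrect M[j] - wrong list length", i)
		return nil
	}

	// Check the shares against the dealer's commitments for verifier j.
	if err = VerifyMJ(&pub.VCParams, &msg.ComC[j+1], &mj); err != nil {
		log.Infof("dealer %d provided a commitment/share that make the verifcation returns an error: %v",
			i, err)
		return nil
	}
	return &mj
}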