mirror of
https://github.com/serai-dex/serai.git
synced 2025-12-10 21:19:24 +00:00
e4e4245ee3
* Upstream GBP, divisor, circuit abstraction, and EC gadgets from FCMP++ * Initial eVRF implementation Not quite done yet. It needs to communicate the resulting points and proofs to extract them from the Pedersen Commitments in order to return those, and then be tested. * Add the openings of the PCs to the eVRF as necessary * Add implementation of secq256k1 * Make DKG Encryption a bit more flexible No longer requires the use of an EncryptionKeyMessage, and allows pre-defined keys for encryption. * Make NUM_BITS an argument for the field macro * Have the eVRF take a Zeroizing private key * Initial eVRF-based DKG * Add embedwards25519 curve * Inline the eVRF into the DKG library Due to how we're handling share encryption, we'd either need two circuits or to dedicate this circuit to the DKG. The latter makes sense at this time. * Add documentation to the eVRF-based DKG * Add paragraph claiming robustness * Update to the new eVRF proof * Finish routing the eVRF functionality Still needs errors and serialization, along with a few other TODOs. * Add initial eVRF DKG test * Improve eVRF DKG Updates how we calculcate verification shares, improves performance when extracting multiple sets of keys, and adds more to the test for it. * Start using a proper error for the eVRF DKG * Resolve various TODOs Supports recovering multiple key shares from the eVRF DKG. Inlines two loops to save 2**16 iterations. Adds support for creating a constant time representation of scalars < NUM_BITS. * Ban zero ECDH keys, document non-zero requirements * Implement eVRF traits, all the way up to the DKG, for secp256k1/ed25519 * Add Ristretto eVRF trait impls * Support participating multiple times in the eVRF DKG * Only participate once per key, not once per key share * Rewrite processor key-gen around the eVRF DKG Still a WIP. * Finish routing the new key gen in the processor Doesn't touch the tests, coordinator, nor Substrate yet. `cargo +nightly fmt && cargo +nightly-2024-07-01 clippy --all-features -p serai-processor` does pass. * Deduplicate and better document in processor key_gen * Update serai-processor tests to the new key gen * Correct amount of yx coefficients, get processor key gen test to pass * Add embedded elliptic curve keys to Substrate * Update processor key gen tests to the eVRF DKG * Have set_keys take signature_participants, not removed_participants Now no one is removed from the DKG. Only `t` people publish the key however. Uses a BitVec for an efficient encoding of the participants. * Update the coordinator binary for the new DKG This does not yet update any tests. * Add sensible Debug to key_gen::[Processor, Coordinator]Message * Have the DKG explicitly declare how to interpolate its shares Removes the hack for MuSig where we multiply keys by the inverse of their lagrange interpolation factor. * Replace Interpolation::None with Interpolation::Constant Allows the MuSig DKG to keep the secret share as the original private key, enabling deriving FROST nonces consistently regardless of the MuSig context. * Get coordinator tests to pass * Update spec to the new DKG * Get clippy to pass across the repo * cargo machete * Add an extra sleep to ensure expected ordering of `Participation`s * Update orchestration * Remove bad panic in coordinator It expected ConfirmationShare to be n-of-n, not t-of-n. * Improve documentation on functions * Update TX size limit We now no longer have to support the ridiculous case of having 49 DKG participations within a 101-of-150 DKG. It does remain quite high due to needing to _sign_ so many times. It'd may be optimal for parties with multiple key shares to independently send their preprocesses/shares (despite the overhead that'll cause with signatures and the transaction structure). * Correct error in the Processor spec document * Update a few comments in the validator-sets pallet * Send/Recv Participation one at a time Sending all, then attempting to receive all in an expected order, wasn't working even with notable delays between sending messages. This points to the mempool not working as expected... * Correct ThresholdKeys serialization in modular-frost test * Updating existing TX size limit test for the new DKG parameters * Increase time allowed for the DKG on the GH CI * Correct construction of signature_participants in serai-client tests Fault identified by akil. * Further contextualize DkgConfirmer by ValidatorSet Caught by a safety check we wouldn't reuse preprocesses across messages. That raises the question of we were prior reusing preprocesses (reusing keys)? Except that'd have caused a variety of signing failures (suggesting we had some staggered timing avoiding it in practice but yes, this was possible in theory). * Add necessary calls to set_embedded_elliptic_curve_key in coordinator set rotation tests * Correct shimmed setting of a secq256k1 key * cargo fmt * Don't use `[0; 32]` for the embedded keys in the coordinator rotation test The key_gen function expects the random values already decided. * Big-endian secq256k1 scalars Also restores the prior, safer, Encryption::register function.
507 lines
16 KiB
Rust
507 lines
16 KiB
Rust
use core::{ops::Deref, fmt};
|
|
use std::{io, collections::HashMap};
|
|
|
|
use thiserror::Error;
|
|
|
|
use zeroize::{Zeroize, Zeroizing};
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
use chacha20::{
|
|
cipher::{crypto_common::KeyIvInit, StreamCipher},
|
|
Key as Cc20Key, Nonce as Cc20Iv, ChaCha20,
|
|
};
|
|
|
|
use transcript::{Transcript, RecommendedTranscript};
|
|
|
|
#[cfg(test)]
|
|
use ciphersuite::group::ff::Field;
|
|
use ciphersuite::{group::GroupEncoding, Ciphersuite};
|
|
use multiexp::BatchVerifier;
|
|
|
|
use schnorr::SchnorrSignature;
|
|
use dleq::DLEqProof;
|
|
|
|
use crate::{Participant, ThresholdParams};
|
|
|
|
mod sealed {
|
|
use super::*;
|
|
|
|
pub trait ReadWrite: Sized {
|
|
fn read<R: io::Read>(reader: &mut R, params: ThresholdParams) -> io::Result<Self>;
|
|
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()>;
|
|
|
|
fn serialize(&self) -> Vec<u8> {
|
|
let mut buf = vec![];
|
|
self.write(&mut buf).unwrap();
|
|
buf
|
|
}
|
|
}
|
|
|
|
pub trait Message: Clone + PartialEq + Eq + fmt::Debug + Zeroize + ReadWrite {}
|
|
impl<M: Clone + PartialEq + Eq + fmt::Debug + Zeroize + ReadWrite> Message for M {}
|
|
|
|
pub trait Encryptable: Clone + AsRef<[u8]> + AsMut<[u8]> + Zeroize + ReadWrite {}
|
|
impl<E: Clone + AsRef<[u8]> + AsMut<[u8]> + Zeroize + ReadWrite> Encryptable for E {}
|
|
}
|
|
pub(crate) use sealed::*;
|
|
|
|
/// Wraps a message with a key to use for encryption in the future.
|
|
#[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
|
|
pub struct EncryptionKeyMessage<C: Ciphersuite, M: Message> {
|
|
msg: M,
|
|
enc_key: C::G,
|
|
}
|
|
|
|
// Doesn't impl ReadWrite so that doesn't need to be imported
|
|
impl<C: Ciphersuite, M: Message> EncryptionKeyMessage<C, M> {
|
|
pub fn read<R: io::Read>(reader: &mut R, params: ThresholdParams) -> io::Result<Self> {
|
|
Ok(Self { msg: M::read(reader, params)?, enc_key: C::read_G(reader)? })
|
|
}
|
|
|
|
pub fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
self.msg.write(writer)?;
|
|
writer.write_all(self.enc_key.to_bytes().as_ref())
|
|
}
|
|
|
|
pub fn serialize(&self) -> Vec<u8> {
|
|
let mut buf = vec![];
|
|
self.write(&mut buf).unwrap();
|
|
buf
|
|
}
|
|
|
|
#[cfg(any(test, feature = "tests"))]
|
|
pub(crate) fn enc_key(&self) -> C::G {
|
|
self.enc_key
|
|
}
|
|
}
|
|
|
|
/// An encrypted message, with a per-message encryption key enabling revealing specific messages
|
|
/// without side effects.
|
|
#[derive(Clone, Zeroize)]
|
|
pub struct EncryptedMessage<C: Ciphersuite, E: Encryptable> {
|
|
key: C::G,
|
|
// Also include a proof-of-possession for the key.
|
|
// If this proof-of-possession wasn't here, Eve could observe Alice encrypt to Bob with key X,
|
|
// then send Bob a message also claiming to use X.
|
|
// While Eve's message would fail to meaningfully decrypt, Bob would then use this to create a
|
|
// blame argument against Eve. When they do, they'd reveal bX, revealing Alice's message to Bob.
|
|
// This is a massive side effect which could break some protocols, in the worst case.
|
|
// While Eve can still reuse their own keys, causing Bob to leak all messages by revealing for
|
|
// any single one, that's effectively Eve revealing themselves, and not considered relevant.
|
|
pop: SchnorrSignature<C>,
|
|
msg: Zeroizing<E>,
|
|
}
|
|
|
|
fn ecdh<C: Ciphersuite>(private: &Zeroizing<C::F>, public: C::G) -> Zeroizing<C::G> {
|
|
Zeroizing::new(public * private.deref())
|
|
}
|
|
|
|
// Each ecdh must be distinct. Reuse of an ecdh for multiple ciphers will cause the messages to be
|
|
// leaked.
|
|
fn cipher<C: Ciphersuite>(context: [u8; 32], ecdh: &Zeroizing<C::G>) -> ChaCha20 {
|
|
// Ideally, we'd box this transcript with ZAlloc, yet that's only possible on nightly
|
|
// TODO: https://github.com/serai-dex/serai/issues/151
|
|
let mut transcript = RecommendedTranscript::new(b"DKG Encryption v0.2");
|
|
transcript.append_message(b"context", context);
|
|
|
|
transcript.domain_separate(b"encryption_key");
|
|
|
|
let mut ecdh = ecdh.to_bytes();
|
|
transcript.append_message(b"shared_key", ecdh.as_ref());
|
|
ecdh.as_mut().zeroize();
|
|
|
|
let zeroize = |buf: &mut [u8]| buf.zeroize();
|
|
|
|
let mut key = Cc20Key::default();
|
|
let mut challenge = transcript.challenge(b"key");
|
|
key.copy_from_slice(&challenge[.. 32]);
|
|
zeroize(challenge.as_mut());
|
|
|
|
// Since the key is single-use, it doesn't matter what we use for the IV
|
|
// The issue is key + IV reuse. If we never reuse the key, we can't have the opportunity to
|
|
// reuse a nonce
|
|
// Use a static IV in acknowledgement of this
|
|
let mut iv = Cc20Iv::default();
|
|
// The \0 is to satisfy the length requirement (12), not to be null terminated
|
|
iv.copy_from_slice(b"DKG IV v0.2\0");
|
|
|
|
// ChaCha20 has the same commentary as the transcript regarding ZAlloc
|
|
// TODO: https://github.com/serai-dex/serai/issues/151
|
|
let res = ChaCha20::new(&key, &iv);
|
|
zeroize(key.as_mut());
|
|
res
|
|
}
|
|
|
|
fn encrypt<R: RngCore + CryptoRng, C: Ciphersuite, E: Encryptable>(
|
|
rng: &mut R,
|
|
context: [u8; 32],
|
|
from: Participant,
|
|
to: C::G,
|
|
mut msg: Zeroizing<E>,
|
|
) -> EncryptedMessage<C, E> {
|
|
/*
|
|
The following code could be used to replace the requirement on an RNG here.
|
|
It's just currently not an issue to require taking in an RNG here.
|
|
let last = self.last_enc_key.to_bytes();
|
|
self.last_enc_key = C::hash_to_F(b"encryption_base", last.as_ref());
|
|
let key = C::hash_to_F(b"encryption_key", last.as_ref());
|
|
last.as_mut().zeroize();
|
|
*/
|
|
|
|
// Generate a new key for this message, satisfying cipher's requirement of distinct keys per
|
|
// message, and enabling revealing this message without revealing any others
|
|
let key = Zeroizing::new(C::random_nonzero_F(rng));
|
|
cipher::<C>(context, &ecdh::<C>(&key, to)).apply_keystream(msg.as_mut().as_mut());
|
|
|
|
let pub_key = C::generator() * key.deref();
|
|
let nonce = Zeroizing::new(C::random_nonzero_F(rng));
|
|
let pub_nonce = C::generator() * nonce.deref();
|
|
EncryptedMessage {
|
|
key: pub_key,
|
|
pop: SchnorrSignature::sign(
|
|
&key,
|
|
nonce,
|
|
pop_challenge::<C>(context, pub_nonce, pub_key, from, msg.deref().as_ref()),
|
|
),
|
|
msg,
|
|
}
|
|
}
|
|
|
|
impl<C: Ciphersuite, E: Encryptable> EncryptedMessage<C, E> {
|
|
pub fn read<R: io::Read>(reader: &mut R, params: ThresholdParams) -> io::Result<Self> {
|
|
Ok(Self {
|
|
key: C::read_G(reader)?,
|
|
pop: SchnorrSignature::<C>::read(reader)?,
|
|
msg: Zeroizing::new(E::read(reader, params)?),
|
|
})
|
|
}
|
|
|
|
pub fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
writer.write_all(self.key.to_bytes().as_ref())?;
|
|
self.pop.write(writer)?;
|
|
self.msg.write(writer)
|
|
}
|
|
|
|
pub fn serialize(&self) -> Vec<u8> {
|
|
let mut buf = vec![];
|
|
self.write(&mut buf).unwrap();
|
|
buf
|
|
}
|
|
|
|
#[cfg(test)]
|
|
pub(crate) fn invalidate_pop(&mut self) {
|
|
self.pop.s += C::F::ONE;
|
|
}
|
|
|
|
#[cfg(test)]
|
|
pub(crate) fn invalidate_msg<R: RngCore + CryptoRng>(
|
|
&mut self,
|
|
rng: &mut R,
|
|
context: [u8; 32],
|
|
from: Participant,
|
|
) {
|
|
// Invalidate the message by specifying a new key/Schnorr PoP
|
|
// This will cause all initial checks to pass, yet a decrypt to gibberish
|
|
let key = Zeroizing::new(C::random_nonzero_F(rng));
|
|
let pub_key = C::generator() * key.deref();
|
|
let nonce = Zeroizing::new(C::random_nonzero_F(rng));
|
|
let pub_nonce = C::generator() * nonce.deref();
|
|
self.key = pub_key;
|
|
self.pop = SchnorrSignature::sign(
|
|
&key,
|
|
nonce,
|
|
pop_challenge::<C>(context, pub_nonce, pub_key, from, self.msg.deref().as_ref()),
|
|
);
|
|
}
|
|
|
|
// Assumes the encrypted message is a secret share.
|
|
#[cfg(test)]
|
|
pub(crate) fn invalidate_share_serialization<R: RngCore + CryptoRng>(
|
|
&mut self,
|
|
rng: &mut R,
|
|
context: [u8; 32],
|
|
from: Participant,
|
|
to: C::G,
|
|
) {
|
|
use ciphersuite::group::ff::PrimeField;
|
|
|
|
let mut repr = <C::F as PrimeField>::Repr::default();
|
|
for b in repr.as_mut() {
|
|
*b = 255;
|
|
}
|
|
// Tries to guarantee the above assumption.
|
|
assert_eq!(repr.as_ref().len(), self.msg.as_ref().len());
|
|
// Checks that this isn't over a field where this is somehow valid
|
|
assert!(!bool::from(C::F::from_repr(repr).is_some()));
|
|
|
|
self.msg.as_mut().as_mut().copy_from_slice(repr.as_ref());
|
|
*self = encrypt(rng, context, from, to, self.msg.clone());
|
|
}
|
|
|
|
// Assumes the encrypted message is a secret share.
|
|
#[cfg(test)]
|
|
pub(crate) fn invalidate_share_value<R: RngCore + CryptoRng>(
|
|
&mut self,
|
|
rng: &mut R,
|
|
context: [u8; 32],
|
|
from: Participant,
|
|
to: C::G,
|
|
) {
|
|
use ciphersuite::group::ff::PrimeField;
|
|
|
|
// Assumes the share isn't randomly 1
|
|
let repr = C::F::ONE.to_repr();
|
|
self.msg.as_mut().as_mut().copy_from_slice(repr.as_ref());
|
|
*self = encrypt(rng, context, from, to, self.msg.clone());
|
|
}
|
|
}
|
|
|
|
/// A proof that the provided encryption key is a legitimately derived shared key for some message.
|
|
#[derive(Clone, PartialEq, Eq, Debug, Zeroize)]
|
|
pub struct EncryptionKeyProof<C: Ciphersuite> {
|
|
key: Zeroizing<C::G>,
|
|
dleq: DLEqProof<C::G>,
|
|
}
|
|
|
|
impl<C: Ciphersuite> EncryptionKeyProof<C> {
|
|
pub fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
|
|
Ok(Self { key: Zeroizing::new(C::read_G(reader)?), dleq: DLEqProof::read(reader)? })
|
|
}
|
|
|
|
pub fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
writer.write_all(self.key.to_bytes().as_ref())?;
|
|
self.dleq.write(writer)
|
|
}
|
|
|
|
pub fn serialize(&self) -> Vec<u8> {
|
|
let mut buf = vec![];
|
|
self.write(&mut buf).unwrap();
|
|
buf
|
|
}
|
|
|
|
#[cfg(test)]
|
|
pub(crate) fn invalidate_key(&mut self) {
|
|
*self.key += C::generator();
|
|
}
|
|
|
|
#[cfg(test)]
|
|
pub(crate) fn invalidate_dleq(&mut self) {
|
|
let mut buf = vec![];
|
|
self.dleq.write(&mut buf).unwrap();
|
|
// Adds one to c since this is serialized c, s
|
|
// Adding one to c will leave a validly serialized c
|
|
// Adding one to s may leave an invalidly serialized s
|
|
buf[0] = buf[0].wrapping_add(1);
|
|
self.dleq = DLEqProof::read::<&[u8]>(&mut buf.as_ref()).unwrap();
|
|
}
|
|
}
|
|
|
|
// This doesn't need to take the msg. It just doesn't hurt as an extra layer.
|
|
// This still doesn't mean the DKG offers an authenticated channel. The per-message keys have no
|
|
// root of trust other than their existence in the assumed-to-exist external authenticated channel.
|
|
fn pop_challenge<C: Ciphersuite>(
|
|
context: [u8; 32],
|
|
nonce: C::G,
|
|
key: C::G,
|
|
sender: Participant,
|
|
msg: &[u8],
|
|
) -> C::F {
|
|
let mut transcript = RecommendedTranscript::new(b"DKG Encryption Key Proof of Possession v0.2");
|
|
transcript.append_message(b"context", context);
|
|
|
|
transcript.domain_separate(b"proof_of_possession");
|
|
|
|
transcript.append_message(b"nonce", nonce.to_bytes());
|
|
transcript.append_message(b"key", key.to_bytes());
|
|
// This is sufficient to prevent the attack this is meant to stop
|
|
transcript.append_message(b"sender", sender.to_bytes());
|
|
// This, as written above, doesn't hurt
|
|
transcript.append_message(b"message", msg);
|
|
// While this is a PoK and a PoP, it's called a PoP here since the important part is its owner
|
|
// Elsewhere, where we use the term PoK, the important part is that it isn't some inverse, with
|
|
// an unknown to anyone discrete log, breaking the system
|
|
C::hash_to_F(b"DKG-encryption-proof_of_possession", &transcript.challenge(b"schnorr"))
|
|
}
|
|
|
|
fn encryption_key_transcript(context: [u8; 32]) -> RecommendedTranscript {
|
|
let mut transcript = RecommendedTranscript::new(b"DKG Encryption Key Correctness Proof v0.2");
|
|
transcript.append_message(b"context", context);
|
|
transcript
|
|
}
|
|
|
|
#[derive(Clone, Copy, PartialEq, Eq, Debug, Error)]
|
|
pub(crate) enum DecryptionError {
|
|
#[error("accused provided an invalid signature")]
|
|
InvalidSignature,
|
|
#[error("accuser provided an invalid decryption key")]
|
|
InvalidProof,
|
|
}
|
|
|
|
// A simple box for managing decryption.
|
|
#[derive(Clone, Debug)]
|
|
pub(crate) struct Decryption<C: Ciphersuite> {
|
|
context: [u8; 32],
|
|
enc_keys: HashMap<Participant, C::G>,
|
|
}
|
|
|
|
impl<C: Ciphersuite> Decryption<C> {
|
|
pub(crate) fn new(context: [u8; 32]) -> Self {
|
|
Self { context, enc_keys: HashMap::new() }
|
|
}
|
|
pub(crate) fn register<M: Message>(
|
|
&mut self,
|
|
participant: Participant,
|
|
msg: EncryptionKeyMessage<C, M>,
|
|
) -> M {
|
|
assert!(
|
|
!self.enc_keys.contains_key(&participant),
|
|
"Re-registering encryption key for a participant"
|
|
);
|
|
self.enc_keys.insert(participant, msg.enc_key);
|
|
msg.msg
|
|
}
|
|
|
|
// Given a message, and the intended decryptor, and a proof for its key, decrypt the message.
|
|
// Returns None if the key was wrong.
|
|
pub(crate) fn decrypt_with_proof<E: Encryptable>(
|
|
&self,
|
|
from: Participant,
|
|
decryptor: Participant,
|
|
mut msg: EncryptedMessage<C, E>,
|
|
// There's no encryption key proof if the accusation is of an invalid signature
|
|
proof: Option<EncryptionKeyProof<C>>,
|
|
) -> Result<Zeroizing<E>, DecryptionError> {
|
|
if !msg.pop.verify(
|
|
msg.key,
|
|
pop_challenge::<C>(self.context, msg.pop.R, msg.key, from, msg.msg.deref().as_ref()),
|
|
) {
|
|
Err(DecryptionError::InvalidSignature)?;
|
|
}
|
|
|
|
if let Some(proof) = proof {
|
|
// Verify this is the decryption key for this message
|
|
proof
|
|
.dleq
|
|
.verify(
|
|
&mut encryption_key_transcript(self.context),
|
|
&[C::generator(), msg.key],
|
|
&[self.enc_keys[&decryptor], *proof.key],
|
|
)
|
|
.map_err(|_| DecryptionError::InvalidProof)?;
|
|
|
|
cipher::<C>(self.context, &proof.key).apply_keystream(msg.msg.as_mut().as_mut());
|
|
Ok(msg.msg)
|
|
} else {
|
|
Err(DecryptionError::InvalidProof)
|
|
}
|
|
}
|
|
}
|
|
|
|
// A simple box for managing encryption.
|
|
#[derive(Clone)]
|
|
pub(crate) struct Encryption<C: Ciphersuite> {
|
|
context: [u8; 32],
|
|
i: Participant,
|
|
enc_key: Zeroizing<C::F>,
|
|
enc_pub_key: C::G,
|
|
decryption: Decryption<C>,
|
|
}
|
|
|
|
impl<C: Ciphersuite> fmt::Debug for Encryption<C> {
|
|
fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
|
|
fmt
|
|
.debug_struct("Encryption")
|
|
.field("context", &self.context)
|
|
.field("i", &self.i)
|
|
.field("enc_pub_key", &self.enc_pub_key)
|
|
.field("decryption", &self.decryption)
|
|
.finish_non_exhaustive()
|
|
}
|
|
}
|
|
|
|
impl<C: Ciphersuite> Zeroize for Encryption<C> {
|
|
fn zeroize(&mut self) {
|
|
self.enc_key.zeroize();
|
|
self.enc_pub_key.zeroize();
|
|
for (_, mut value) in self.decryption.enc_keys.drain() {
|
|
value.zeroize();
|
|
}
|
|
}
|
|
}
|
|
|
|
impl<C: Ciphersuite> Encryption<C> {
|
|
pub(crate) fn new<R: RngCore + CryptoRng>(
|
|
context: [u8; 32],
|
|
i: Participant,
|
|
rng: &mut R,
|
|
) -> Self {
|
|
let enc_key = Zeroizing::new(C::random_nonzero_F(rng));
|
|
Self {
|
|
context,
|
|
i,
|
|
enc_pub_key: C::generator() * enc_key.deref(),
|
|
enc_key,
|
|
decryption: Decryption::new(context),
|
|
}
|
|
}
|
|
|
|
pub(crate) fn registration<M: Message>(&self, msg: M) -> EncryptionKeyMessage<C, M> {
|
|
EncryptionKeyMessage { msg, enc_key: self.enc_pub_key }
|
|
}
|
|
|
|
pub(crate) fn register<M: Message>(
|
|
&mut self,
|
|
participant: Participant,
|
|
msg: EncryptionKeyMessage<C, M>,
|
|
) -> M {
|
|
self.decryption.register(participant, msg)
|
|
}
|
|
|
|
pub(crate) fn encrypt<R: RngCore + CryptoRng, E: Encryptable>(
|
|
&self,
|
|
rng: &mut R,
|
|
participant: Participant,
|
|
msg: Zeroizing<E>,
|
|
) -> EncryptedMessage<C, E> {
|
|
encrypt(rng, self.context, self.i, self.decryption.enc_keys[&participant], msg)
|
|
}
|
|
|
|
pub(crate) fn decrypt<R: RngCore + CryptoRng, I: Copy + Zeroize, E: Encryptable>(
|
|
&self,
|
|
rng: &mut R,
|
|
batch: &mut BatchVerifier<I, C::G>,
|
|
// Uses a distinct batch ID so if this batch verifier is reused, we know its the PoP aspect
|
|
// which failed, and therefore to use None for the blame
|
|
batch_id: I,
|
|
from: Participant,
|
|
mut msg: EncryptedMessage<C, E>,
|
|
) -> (Zeroizing<E>, EncryptionKeyProof<C>) {
|
|
msg.pop.batch_verify(
|
|
rng,
|
|
batch,
|
|
batch_id,
|
|
msg.key,
|
|
pop_challenge::<C>(self.context, msg.pop.R, msg.key, from, msg.msg.deref().as_ref()),
|
|
);
|
|
|
|
let key = ecdh::<C>(&self.enc_key, msg.key);
|
|
cipher::<C>(self.context, &key).apply_keystream(msg.msg.as_mut().as_mut());
|
|
(
|
|
msg.msg,
|
|
EncryptionKeyProof {
|
|
key,
|
|
dleq: DLEqProof::prove(
|
|
rng,
|
|
&mut encryption_key_transcript(self.context),
|
|
&[C::generator(), msg.key],
|
|
&self.enc_key,
|
|
),
|
|
},
|
|
)
|
|
}
|
|
|
|
pub(crate) fn into_decryption(self) -> Decryption<C> {
|
|
self.decryption
|
|
}
|
|
}
|