Implement RPC mixnets

This commit is contained in:
Yingtong Li 2017-09-27 23:41:24 +10:00
parent 2ec44db65d
commit 863e5a706c
Signed by: RunasSudo
GPG Key ID: 7234E476BF21C61A
3 changed files with 150 additions and 18 deletions

3
.gitignore vendored
View File

@ -5,3 +5,6 @@
__javascript__
__pycache__
refs
\#*
.#*

View File

@ -16,6 +16,7 @@
from eos.core.bigint import *
from eos.core.objects import *
from eos.base.election import *
class CyclicGroup(EmbeddedObject):
p = EmbeddedObjectField(BigInt)
@ -93,6 +94,15 @@ class EGCiphertext(EmbeddedObject):
gamma = EmbeddedObjectField(BigInt) # G^k
delta = EmbeddedObjectField(BigInt) # M X^k
def reencrypt(self, k=None):
# Generate an encryption of one
if k is None:
k = BigInt.crypto_random(ONE, self.public_key.group.p - TWO)
gamma = pow(self.public_key.group.g, k, self.public_key.group.p)
delta = pow(self.public_key.X, k, self.public_key.group.p)
return EGCiphertext(public_key=self.public_key, gamma=((self.gamma * gamma) % self.public_key.group.p), delta=((self.delta * delta) % self.public_key.group.p)), k
# Signed ElGamal per Schnorr & Jakobssen
class SEGPublicKey(EGPublicKey):
def encrypt(self, message):
@ -119,25 +129,83 @@ class SEGPublicKey(EGPublicKey):
class SEGPrivateKey(EGPrivateKey):
pk_class = SEGPublicKey
def decrypt(self, ciphertext):
if (
ciphertext.gamma <= ZERO or ciphertext.gamma >= self.public_key.group.p or
ciphertext.delta <= ZERO or ciphertext.delta >= self.public_key.group.p
):
raise Exception('Ciphertext is malformed')
gs = (pow(self.public_key.group.g, ciphertext.z, self.public_key.group.p) * pow(ciphertext.gamma, self.public_key.group.p - ONE - ciphertext.c, self.public_key.group.p)) % self.public_key.group.p
_, c = EosObject.to_sha256(str(gs), str(ciphertext.gamma), str(ciphertext.delta))
if ciphertext.c != c:
raise Exception('Signature is invalid')
gamma_inv = pow(ciphertext.gamma, self.public_key.group.p - ONE - self.x, self.public_key.group.p)
pt = (gamma_inv * ciphertext.delta) % self.public_key.group.p
return pt - ONE
class SEGCiphertext(EGCiphertext):
public_key = EmbeddedObjectField(SEGPublicKey)
c = EmbeddedObjectField(BigInt)
z = EmbeddedObjectField(BigInt)
def is_signature_valid(self):
gs = (pow(self.public_key.group.g, self.z, self.public_key.group.p) * pow(self.gamma, self.public_key.group.p - ONE - self.c, self.public_key.group.p)) % self.public_key.group.p
_, c = EosObject.to_sha256(str(gs), str(self.gamma), str(self.delta))
return self.c == c
class BlockEncryptedAnswer(EncryptedAnswer):
blocks = EmbeddedObjectListField()
def decrypt(self):
# TODO
raise Exception('NYI')
class RPCMixnet:
def __init__(self):
self.params = []
def random_permutation(self, n):
permutation = list(range(n))
# Fisher-Yates shuffle
i = n
while i != 0:
rnd = BigInt.crypto_random(0, i - 1)
rnd = rnd.__int__()
i -= 1
permutation[rnd], permutation[i] = permutation[i], permutation[rnd]
return permutation
def shuffle(self, encrypted_answers):
shuffled_answers = [None] * len(encrypted_answers)
permutations = self.random_permutation(len(encrypted_answers))
permutations_and_reenc = []
for i in range(len(encrypted_answers)):
encrypted_answer = encrypted_answers[i]
# Reencrypt the answer
shuffled_blocks = []
block_reencryptions = []
for block in encrypted_answer.blocks:
block2, reenc = block.reencrypt()
shuffled_blocks.append(block2)
block_reencryptions.append(reenc)
# And shuffle it to the new position
shuffled_answers[permutations[i]] = BlockEncryptedAnswer(blocks=shuffled_blocks)
# Record the parameters
permutations_and_reenc.append([permutations[i], block_reencryptions, block.public_key.group.random_element(), block.public_key.group.random_element()])
commitments_left = []
for i in range(len(permutations_and_reenc)):
val = permutations_and_reenc[i]
val_json = [val[0], [str(x) for x in val[1]], str(val[2])]
commitments_left.append(EosObject.to_sha256(EosObject.to_json(val_json))[0])
commitments_right = []
for i in range(len(permutations_and_reenc)):
# Find the answer that went to 'i'
idx = next(idx for idx in range(len(permutations_and_reenc)) if permutations_and_reenc[idx][0] == i)
val = permutations_and_reenc[idx]
val_json = [idx, [str(x) for x in val[1]], str(val[3])]
commitments_right.append(EosObject.to_sha256(EosObject.to_json(val_json))[0])
self.params = permutations_and_reenc
return shuffled_answers, commitments_left, commitments_right
def challenge(self, i, is_left):
if is_left:
val = self.params[i]
return [val[0], val[1], val[2]]
else:
idx = next(idx for idx in range(len(self.params)) if self.params[idx][0] == i)
val = self.params[idx]
return [idx, val[1], val[3]]

View File

@ -33,9 +33,14 @@ class SEGTestCase(EosTestCase):
pt = DEFAULT_GROUP.random_element()
sk = SEGPrivateKey.generate()
ct = sk.public_key.encrypt(pt)
self.assertTrue(ct.is_signature_valid())
m = sk.decrypt(ct)
self.assertEqualJSON(pt, m)
ct2, _ = ct.reencrypt()
m2 = sk.decrypt(ct2)
self.assertEqualJSON(pt, m2)
class BitStreamTestCase(EosTestCase):
def test_bitstream(self):
bs = BitStream(BigInt('100101011011', 2))
@ -106,3 +111,59 @@ class BlockEGTestCase(EosTestCase):
m = bs2.read_string()
obj2 = EosObject.deserialise_and_unwrap(EosObject.from_json(m))
self.assertEqualJSON(obj, obj2)
class MixnetTestCase(EosTestCase):
@py_only
def test_mixnet(self):
# Generate key
sk = SEGPrivateKey.generate()
# Generate plaintexts
pts = []
for i in range(10):
pts.append(sk.public_key.group.random_element())
# Encrypt plaintexts
answers = []
for i in range(len(pts)):
bs = BitStream(pts[i])
bs.multiple_of(sk.public_key.group.p.nbits() - 1)
ct = bs.map(sk.public_key.encrypt, sk.public_key.group.p.nbits() - 1)
answers.append(BlockEncryptedAnswer(blocks=ct))
# Set up mixnet
mixnet = RPCMixnet()
# Mix answers
shuffled_answers, commitments_left, commitments_right = mixnet.shuffle(answers)
# Decrypt shuffle
msgs = []
for i in range(len(shuffled_answers)):
bs = BitStream.unmap(shuffled_answers[i].blocks, sk.decrypt, sk.public_key.group.p.nbits() - 1)
m = bs.read()
msgs.append(m)
# Check decryption
self.assertEqual(set(int(x) for x in pts), set(int(x) for x in msgs))
# Check commitments
def verify_shuffle(idx_left, idx_right, reencs):
claimed_blocks = shuffled_answers[idx_right].blocks
for j in range(len(answers[idx_left].blocks)):
reencrypted_block, _ = answers[idx_left].blocks[j].reencrypt(reencs[j])
self.assertEqual(claimed_blocks[j].gamma, reencrypted_block.gamma)
self.assertEqual(claimed_blocks[j].delta, reencrypted_block.delta)
for i in range(len(pts)):
# Left
perm, reencs, rand = mixnet.challenge(i, True)
val_json = [perm, [str(x) for x in reencs], str(rand)]
self.assertEqual(commitments_left[i], EosObject.to_sha256(EosObject.to_json(val_json))[0])
verify_shuffle(i, perm, reencs)
# Right
perm, reencs, rand = mixnet.challenge(i, False)
val_json = [perm, [str(x) for x in reencs], str(rand)]
self.assertEqual(commitments_right[i], EosObject.to_sha256(EosObject.to_json(val_json))[0])
verify_shuffle(perm, i, reencs)