Replaced distributed PRF where both players get output with a distrib…

…uted PRF where only a single party gets the output. We thank Steven Goldfeder and Rosario Gennaro for pointing out an error in the implementation of the distributed PRF that mistakenly provided the output to both parties instead of to only one. �
rsempire · May 6, 2019 · f65a471 · f65a471
1 parent 0f078b7
commit f65a471
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 228 deletions.
diff --git a/src/mpc_crypto_eddsa.cpp b/src/mpc_crypto_eddsa.cpp
@@ -170,7 +170,7 @@ void mpc_eddsa_sign_t::convert(ub::converter_t& converter)
 error_t mpc_eddsa_sign_t::party1_step1(message1_t& out)
 {
   error_t rv = 0;
-  if (rv = ctx.peer1_step1(ctx.data_to_sign, true, share, out.sign_msg1)) return rv;
+  if (rv = ctx.peer1_step1(ctx.data_to_sign, share, out.sign_msg1)) return rv;
   out.refresh = refresh;
   out.data_to_sign = ctx.data_to_sign;
   return rv;
@@ -182,7 +182,7 @@ error_t mpc_eddsa_sign_t::party2_step1(const message1_t& in, message2_t& out)
   if (in.data_to_sign!=ctx.data_to_sign) return rv = ub::error(E_BADARG);
   if (in.refresh!=refresh) return rv = ub::error(E_BADARG);
 
-  if (rv = ctx.peer2_step1(in.data_to_sign, true, share, in.sign_msg1, out)) return rv;
+  if (rv = ctx.peer2_step1(in.data_to_sign, share, in.sign_msg1, out)) return rv;
   refresh = in.refresh;
   return rv;
 }
@@ -194,20 +194,6 @@ error_t mpc_eddsa_sign_t::party1_step2(const message2_t& in, message3_t& out)
   return rv;
 }
 
-error_t mpc_eddsa_sign_t::party2_step2(const message3_t& in, message4_t& out)
-{
-  error_t rv = 0;
-  if (rv = ctx.peer2_step2(share, in, out)) return rv;
-  return rv;
-}
-
-error_t mpc_eddsa_sign_t::party1_step3(const message4_t& in, message5_t& out)
-{
-  error_t rv = 0;
-  if (rv = ctx.peer1_step3(share, in, out)) return rv;
-  return rv;
-}
-
 static buf_t calc_mgf(mem_t seed, int size)
 {
   buf_t out(size);
@@ -235,10 +221,10 @@ static buf_t calc_mgf(mem_t seed, int size)
 }
 
 
-error_t mpc_eddsa_sign_t::party2_step3(const message5_t& in, message6_t& out)
+error_t mpc_eddsa_sign_t::party2_step2(const message3_t& in, message4_t& out)
 {
   error_t rv = 0;
-  if (rv = ctx.peer2_step3(share, in, out)) return rv;
+  if (rv = ctx.peer2_step2(share, in, out)) return rv;
 
   if (refresh)
   {
@@ -251,10 +237,10 @@ error_t mpc_eddsa_sign_t::party2_step3(const message5_t& in, message6_t& out)
   return rv;
 }
 
-error_t mpc_eddsa_sign_t::party1_step4(const message6_t& in, none_message_t& out)
+error_t mpc_eddsa_sign_t::party1_step3(const message4_t& in, none_message_t& out)
 {
   error_t rv = 0;
-  if (rv = ctx.peer1_step4(share, in, result)) return rv;
+  if (rv = ctx.peer1_step3(share, in, result)) return rv;
 
   if (refresh)
   {

diff --git a/src/mpc_crypto_eddsa.h b/src/mpc_crypto_eddsa.h
@@ -164,7 +164,7 @@ class mpc_eddsa_sign_t : public mpc_crypto_context_t
   void set_refresh(bool refresh) { this->refresh = refresh; }
   virtual mpc_crypto_key_e get_share_type() const override { return mpc_eddsa; }
 
-  virtual int get_messages_count() const override { return 6; }
+  virtual int get_messages_count() const override { return 4; }
   virtual bool changes_share() const override { return refresh; }
 
   struct message1_t
@@ -184,16 +184,12 @@ class mpc_eddsa_sign_t : public mpc_crypto_context_t
   typedef mpc::eddsa_sign_t::message2_t message2_t;
   typedef mpc::eddsa_sign_t::message3_t message3_t;
   typedef mpc::eddsa_sign_t::message4_t message4_t;
-  typedef mpc::eddsa_sign_t::message5_t message5_t;
-  typedef mpc::eddsa_sign_t::message6_t message6_t;
 
   error_t party1_step1(message1_t& out);
   error_t party2_step1(const message1_t& in, message2_t& out);
   error_t party1_step2(const message2_t& in, message3_t& out);
   error_t party2_step2(const message3_t& in, message4_t& out);
-  error_t party1_step3(const message4_t& in, message5_t& out);
-  error_t party2_step3(const message5_t& in, message6_t& out);
-  error_t party1_step4(const message6_t& in, none_message_t& out);
+  error_t party1_step3(const message4_t& in, none_message_t& out);
 
 private:
   bool refresh;

diff --git a/src/mpc_protocols/mpc_ecdh.cpp b/src/mpc_protocols/mpc_ecdh.cpp
@@ -157,78 +157,46 @@ error_t ecdh_generate_t::peer2_step2(
 
 // ----------------------------- derive -------------------------
 
-error_t ecdh_derive_t::peer1_init(
-  const ecc_point_t& PUB_KEY, 
-  bool prove_mode, 
-  mem_t session_id, 
+error_t ecdh_derive_t::peer1_step(
   const ecdh_share_t& share,
-  /*OUT*/ message1_t& out)
+    const ecc_point_t& PUB_KEY, 
+    mem_t session_id, 
+    /*OUT*/ message_t& msg)
 {
   ecurve_t curve = share.get_curve();
   if (!curve.check(PUB_KEY)) return error(E_CRYPTO);
 
-  this->PUB_KEY = PUB_KEY;
-  this->prove_mode = prove_mode;
-  this->session_id = session_id;
+  const ecc_generator_point_t& G = curve.generator();
+  msg.T1 = PUB_KEY * share.x;
 
-  out.T1 = PUB_KEY * share.x;
-  return 0;
-}
+  ecc_point_t Q_self = G * share.x;
+  msg.zk_ddh.p(curve, PUB_KEY, Q_self, msg.T1, share.x, session_id, 2);
 
-static buf_t get_ecdh_result(const ecc_point_t& P)
-{
-  ecurve_t curve = P.get_curve();
-  bn_t x; P.get_x(x);
-  return x.to_bin(curve.size());
+  return 0;
 }
 
-error_t ecdh_derive_t::peer2_exec(
-    const ecc_point_t& PUB_KEY, 
+error_t ecdh_derive_t::peer2_step(
     const ecdh_share_t& share,
-    bool prove_mode, 
+    const ecc_point_t& PUB_KEY, 
     mem_t session_id, 
-    const message1_t& in,
-    /*OUT*/ message2_t& out,
-    /*OUT*/ buf_t& result) const
+    const message_t& msg,
+    /*OUT*/ buf_t& result)
 {
   ecurve_t curve = share.get_curve();
   const ecc_generator_point_t& G = curve.generator();
 
-
   if (!curve.check(PUB_KEY)) return error(E_CRYPTO);
-  if (!curve.check(in.T1)) return error(E_CRYPTO);
+  if (!curve.check(msg.T1)) return error(E_CRYPTO);
 
-  out.T2 = PUB_KEY * share.x;
-  if (prove_mode)
-  {
-    ecc_point_t Q_self = G * share.x;
-    out.zk_ddh.p(curve, PUB_KEY, Q_self, out.T2, share.x, session_id, 2);
-  }
-
-  ecc_point_t T = in.T1 + out.T2;
-  result = get_ecdh_result(T);
-  return 0;
-}
-
-error_t ecdh_derive_t::peer1_final(
-  const ecdh_share_t& share,
-  const message2_t& in,     
-  /*OUT*/ buf_t& result) const
-{
-  ecurve_t curve = share.get_curve();
-  if (!curve.check(in.T2)) return error(E_CRYPTO);
-  const ecc_generator_point_t& G = curve.generator();
-
-  if (prove_mode) 
-  {
-    ecc_point_t Q_other = share.Q_full - G * share.x;
-    if (!in.zk_ddh.v(curve, PUB_KEY, Q_other, in.T2, session_id, 2)) return error(E_CRYPTO);
-  }
+  ecc_point_t T2 = PUB_KEY * share.x;
 
-  ecc_point_t T1 = PUB_KEY * share.x;
-  ecc_point_t T = T1 + in.T2;
+  ecc_point_t Q_self = G * share.x;
+  ecc_point_t Q_other = share.Q_full - G * share.x;
+  if (!msg.zk_ddh.v(curve, PUB_KEY, Q_other, msg.T1, session_id, 2)) return error(E_CRYPTO);
 
-  result = get_ecdh_result(T);
+  ecc_point_t T = msg.T1 + T2;
+  bn_t x; T.get_x(x);
+  result =  x.to_bin(curve.size());
   return 0;
 }
 

diff --git a/src/mpc_protocols/mpc_ecdh.h b/src/mpc_protocols/mpc_ecdh.h
@@ -131,58 +131,30 @@ struct ecdh_generate_t
 
 struct ecdh_derive_t
 {
-  bool prove_mode;
-  buf_t session_id;
-  ecc_point_t PUB_KEY;
-
-  void convert(ub::converter_t& converter)
+  struct message_t // 1 --> 2
   { 
-    converter.convert(prove_mode);
-    converter.convert(session_id);
-    converter.convert(PUB_KEY);
-  }
-
-  struct message1_t // 1 --> 2
-  {
     ecc_point_t T1;
-    void convert(ub::converter_t& converter)
-    { 
-      converter.convert(T1);
-    }
-  };
-
-  struct message2_t // 2 --> 1
-  { 
-    ecc_point_t T2;
     zk_ddh_t zk_ddh;
 
     void convert(ub::converter_t& converter)
     { 
-      converter.convert(T2);
+      converter.convert(T1);
       converter.convert(zk_ddh);
     }
   };
 
-  error_t peer1_init(
-    const ecc_point_t& PUB_KEY, 
-    bool prove_mode, 
-    mem_t session_id, 
+  static error_t peer1_step(
     const ecdh_share_t& share,
-    /*OUT*/ message1_t& out); 
-
-  error_t peer2_exec(
     const ecc_point_t& PUB_KEY, 
-    const ecdh_share_t& share,
-    bool prove_mode, 
     mem_t session_id, 
-    const message1_t& in,
-    /*OUT*/ message2_t& out,
-    /*OUT*/ buf_t& result) const;
+    /*OUT*/ message_t& msg); 
 
-  error_t peer1_final(
+  static error_t peer2_step(
     const ecdh_share_t& share,
-    const message2_t& in,     
-    /*OUT*/ buf_t& result) const; 
+    const ecc_point_t& PUB_KEY, 
+    mem_t session_id, 
+    const message_t& msg,
+    /*OUT*/ buf_t& result);
 };
 
 }