From 547536564fb6d20ccf2e7b4d1fa5362df66d904c Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 20 Feb 2024 12:50:58 +0100 Subject: [PATCH] Correct capitalization --- group/curve25519/curve.go | 18 +-- group/curve25519/ext.go | 223 +++++++++++++------------- group/curve25519/proj.go | 213 ++++++++++++------------ group/edwards25519/ge.go | 2 + group/edwards25519/ge_mult_vartime.go | 10 +- group/edwards25519/point.go | 132 +++++++-------- group/edwards25519/point_vartime.go | 4 +- proof/dleq/dleq.go | 61 +++---- share/pvss/pvss.go | 64 ++++---- shuffle/biffle.go | 18 +-- shuffle/biffle_test.go | 4 +- shuffle/sequences.go | 60 +++---- shuffle/shuffle_test.go | 20 +-- shuffle/simple.go | 38 ++--- sign/anon/enc.go | 15 +- sign/bls/bls.go | 8 +- sign/dss/dss.go | 4 +- 17 files changed, 447 insertions(+), 447 deletions(-) diff --git a/group/curve25519/curve.go b/group/curve25519/curve.go index 4333cf92d..8248ad1a7 100644 --- a/group/curve25519/curve.go +++ b/group/curve25519/curve.go @@ -239,7 +239,6 @@ func (c *curve) decodePoint(bb []byte, x, y *mod.Int) error { // // Returns true on success, // false if there is no x-coordinate corresponding to the chosen y-coordinate. -// func (c *curve) solveForX(x, y *mod.Int) bool { var yy, t1, t2 mod.Int @@ -254,7 +253,6 @@ func (c *curve) solveForX(x, y *mod.Int) bool { // by checking the characteristic equation for Edwards curves: // // a*x^2 + y^2 = 1 + d*x^2*y^2 -// func (c *curve) onCurve(x, y *mod.Int) bool { var xx, yy, l, r mod.Int @@ -269,17 +267,17 @@ func (c *curve) onCurve(x, y *mod.Int) bool { // Sanity-check a point to ensure that it is on the curve // and within the appropriate subgroup. -func (c *curve) validPoint(P point) bool { +func (c *curve) validPoint(p point) bool { // Check on-curve - x, y := P.getXY() + x, y := p.getXY() if !c.onCurve(x, y) { return false } // Check in-subgroup by multiplying by subgroup order Q := c.self.Point() - Q.Mul(&c.order, P) + Q.Mul(&c.order, p) if !Q.Equal(c.null) { return false } @@ -297,7 +295,7 @@ func (c *curve) embedLen() int { // Pick a [pseudo-]random curve point with optional embedded data, // filling in the point's x,y coordinates -func (c *curve) embed(P point, data []byte, rand cipher.Stream) { +func (c *curve) embed(p point, data []byte, rand cipher.Stream) { // How much data to embed? dl := c.embedLen() @@ -336,7 +334,7 @@ func (c *curve) embed(P point, data []byte, rand cipher.Stream) { } // Initialize the point - P.initXY(&x.V, &y.V, c.self) + p.initXY(&x.V, &y.V, c.self) if c.full { // If we're using the full group, // we just need any point on the curve, so we're done. @@ -349,8 +347,8 @@ func (c *curve) embed(P point, data []byte, rand cipher.Stream) { // we can convert our point into one in the subgroup // simply by multiplying it by the cofactor. if data == nil { - P.Mul(&c.cofact, P) // multiply by cofactor - if P.Equal(c.null) { + p.Mul(&c.cofact, p) // multiply by cofactor + if p.Equal(c.null) { continue // unlucky; try again } return @@ -362,7 +360,7 @@ func (c *curve) embed(P point, data []byte, rand cipher.Stream) { if Q == nil { Q = c.self.Point() } - Q.Mul(&c.order, P) + Q.Mul(&c.order, p) if Q.Equal(c.null) { return } diff --git a/group/curve25519/ext.go b/group/curve25519/ext.go index c3bd0d17a..2f1af3058 100644 --- a/group/curve25519/ext.go +++ b/group/curve25519/ext.go @@ -16,50 +16,50 @@ type extPoint struct { c *ExtendedCurve } -func (P *extPoint) initXY(x, y *big.Int, c kyber.Group) { - P.c = c.(*ExtendedCurve) - P.X.Init(x, &P.c.P) - P.Y.Init(y, &P.c.P) - P.Z.Init64(1, &P.c.P) - P.T.Mul(&P.X, &P.Y) +func (p *extPoint) initXY(x, y *big.Int, c kyber.Group) { + p.c = c.(*ExtendedCurve) + p.X.Init(x, &p.c.P) + p.Y.Init(y, &p.c.P) + p.Z.Init64(1, &p.c.P) + p.T.Mul(&p.X, &p.Y) } -func (P *extPoint) getXY() (x, y *mod.Int) { - P.normalize() - return &P.X, &P.Y +func (p *extPoint) getXY() (x, y *mod.Int) { + p.normalize() + return &p.X, &p.Y } -func (P *extPoint) String() string { - P.normalize() - //return P.c.pointString(&P.X,&P.Y) - buf, _ := P.MarshalBinary() +func (p *extPoint) String() string { + p.normalize() + //return p.c.pointString(&p.X,&p.Y) + buf, _ := p.MarshalBinary() return hex.EncodeToString(buf) } -func (P *extPoint) MarshalSize() int { - return P.c.PointLen() +func (p *extPoint) MarshalSize() int { + return p.c.PointLen() } -func (P *extPoint) MarshalBinary() ([]byte, error) { - P.normalize() - return P.c.encodePoint(&P.X, &P.Y), nil +func (p *extPoint) MarshalBinary() ([]byte, error) { + p.normalize() + return p.c.encodePoint(&p.X, &p.Y), nil } -func (P *extPoint) UnmarshalBinary(b []byte) error { - if err := P.c.decodePoint(b, &P.X, &P.Y); err != nil { +func (p *extPoint) UnmarshalBinary(b []byte) error { + if err := p.c.decodePoint(b, &p.X, &p.Y); err != nil { return err } - P.Z.Init64(1, &P.c.P) - P.T.Mul(&P.X, &P.Y) + p.Z.Init64(1, &p.c.P) + p.T.Mul(&p.X, &p.Y) return nil } -func (P *extPoint) MarshalTo(w io.Writer) (int, error) { - return marshalling.PointMarshalTo(P, w) +func (p *extPoint) MarshalTo(w io.Writer) (int, error) { + return marshalling.PointMarshalTo(p, w) } -func (P *extPoint) UnmarshalFrom(r io.Reader) (int, error) { - return marshalling.PointUnmarshalFrom(P, r) +func (p *extPoint) UnmarshalFrom(r io.Reader) (int, error) { + return marshalling.PointUnmarshalFrom(p, r) } // Equality test for two Points on the same curve. @@ -68,153 +68,152 @@ func (P *extPoint) UnmarshalFrom(r io.Reader) (int, error) { // (X1/Z1,Y1/Z1) == (X2/Z2,Y2/Z2) // iff // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1) -// -func (P *extPoint) Equal(CP2 kyber.Point) bool { - P2 := CP2.(*extPoint) +func (p *extPoint) Equal(cp2 kyber.Point) bool { + p2 := cp2.(*extPoint) var t1, t2 mod.Int - xeq := t1.Mul(&P.X, &P2.Z).Equal(t2.Mul(&P2.X, &P.Z)) - yeq := t1.Mul(&P.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &P.Z)) + xeq := t1.Mul(&p.X, &p2.Z).Equal(t2.Mul(&p2.X, &p.Z)) + yeq := t1.Mul(&p.Y, &p2.Z).Equal(t2.Mul(&p2.Y, &p.Z)) return xeq && yeq } -func (P *extPoint) Set(CP2 kyber.Point) kyber.Point { - P2 := CP2.(*extPoint) - P.c = P2.c - P.X.Set(&P2.X) - P.Y.Set(&P2.Y) - P.Z.Set(&P2.Z) - P.T.Set(&P2.T) - return P +func (p *extPoint) Set(cp2 kyber.Point) kyber.Point { + p2 := cp2.(*extPoint) + p.c = p2.c + p.X.Set(&p2.X) + p.Y.Set(&p2.Y) + p.Z.Set(&p2.Z) + p.T.Set(&p2.T) + return p } -func (P *extPoint) Clone() kyber.Point { - P2 := extPoint{} - P2.c = P.c - P2.X.Set(&P.X) - P2.Y.Set(&P.Y) - P2.Z.Set(&P.Z) - P2.T.Set(&P.T) - return &P2 +func (p *extPoint) Clone() kyber.Point { + p2 := extPoint{} + p2.c = p.c + p2.X.Set(&p.X) + p2.Y.Set(&p.Y) + p2.Z.Set(&p.Z) + p2.T.Set(&p.T) + return &p2 } -func (P *extPoint) Null() kyber.Point { - P.Set(&P.c.null) - return P +func (p *extPoint) Null() kyber.Point { + p.Set(&p.c.null) + return p } -func (P *extPoint) Base() kyber.Point { - P.Set(&P.c.base) - return P +func (p *extPoint) Base() kyber.Point { + p.Set(&p.c.base) + return p } -func (P *extPoint) EmbedLen() int { - return P.c.embedLen() +func (p *extPoint) EmbedLen() int { + return p.c.embedLen() } // Normalize the point's representation to Z=1. -func (P *extPoint) normalize() { - P.Z.Inv(&P.Z) - P.X.Mul(&P.X, &P.Z) - P.Y.Mul(&P.Y, &P.Z) - P.Z.V.SetInt64(1) - P.T.Mul(&P.X, &P.Y) +func (p *extPoint) normalize() { + p.Z.Inv(&p.Z) + p.X.Mul(&p.X, &p.Z) + p.Y.Mul(&p.Y, &p.Z) + p.Z.V.SetInt64(1) + p.T.Mul(&p.X, &p.Y) } // Check the validity of the T coordinate -func (P *extPoint) checkT() { +func (p *extPoint) checkT() { var t1, t2 mod.Int - if !t1.Mul(&P.X, &P.Y).Equal(t2.Mul(&P.Z, &P.T)) { + if !t1.Mul(&p.X, &p.Y).Equal(t2.Mul(&p.Z, &p.T)) { panic("oops") } } -func (P *extPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { - P.c.embed(P, data, rand) - return P +func (p *extPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { + p.c.embed(p, data, rand) + return p } -func (P *extPoint) Pick(rand cipher.Stream) kyber.Point { - P.c.embed(P, nil, rand) - return P +func (p *extPoint) Pick(rand cipher.Stream) kyber.Point { + p.c.embed(p, nil, rand) + return p } // Extract embedded data from a point group element -func (P *extPoint) Data() ([]byte, error) { - P.normalize() - return P.c.data(&P.X, &P.Y) +func (p *extPoint) Data() ([]byte, error) { + p.normalize() + return p.c.data(&p.X, &p.Y) } // Add two points using optimized extended coordinate addition formulas. -func (P *extPoint) Add(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*extPoint) - P2 := CP2.(*extPoint) - X1, Y1, Z1, T1 := &P1.X, &P1.Y, &P1.Z, &P1.T - X2, Y2, Z2, T2 := &P2.X, &P2.Y, &P2.Z, &P2.T - X3, Y3, Z3, T3 := &P.X, &P.Y, &P.Z, &P.T +func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point { + p1 := cp1.(*extPoint) + p2 := cp2.(*extPoint) + X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T + X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T + X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T var A, B, C, D, E, F, G, H mod.Int A.Mul(X1, X2) B.Mul(Y1, Y2) - C.Mul(T1, T2).Mul(&C, &P.c.d) + C.Mul(T1, T2).Mul(&C, &p.c.d) D.Mul(Z1, Z2) E.Add(X1, Y1).Mul(&E, F.Add(X2, Y2)).Sub(&E, &A).Sub(&E, &B) F.Sub(&D, &C) G.Add(&D, &C) - H.Mul(&P.c.a, &A).Sub(&B, &H) + H.Mul(&p.c.a, &A).Sub(&B, &H) X3.Mul(&E, &F) Y3.Mul(&G, &H) T3.Mul(&E, &H) Z3.Mul(&F, &G) - return P + return p } // Subtract points. -func (P *extPoint) Sub(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*extPoint) - P2 := CP2.(*extPoint) - X1, Y1, Z1, T1 := &P1.X, &P1.Y, &P1.Z, &P1.T - X2, Y2, Z2, T2 := &P2.X, &P2.Y, &P2.Z, &P2.T - X3, Y3, Z3, T3 := &P.X, &P.Y, &P.Z, &P.T +func (p *extPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { + p1 := cp1.(*extPoint) + p2 := cp2.(*extPoint) + X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T + X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T + X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T var A, B, C, D, E, F, G, H mod.Int A.Mul(X1, X2) B.Mul(Y1, Y2) - C.Mul(T1, T2).Mul(&C, &P.c.d) + C.Mul(T1, T2).Mul(&C, &p.c.d) D.Mul(Z1, Z2) E.Add(X1, Y1).Mul(&E, F.Sub(Y2, X2)).Add(&E, &A).Sub(&E, &B) F.Add(&D, &C) G.Sub(&D, &C) - H.Mul(&P.c.a, &A).Add(&B, &H) + H.Mul(&p.c.a, &A).Add(&B, &H) X3.Mul(&E, &F) Y3.Mul(&G, &H) T3.Mul(&E, &H) Z3.Mul(&F, &G) - return P + return p } // Find the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). -func (P *extPoint) Neg(CA kyber.Point) kyber.Point { - A := CA.(*extPoint) - P.c = A.c - P.X.Neg(&A.X) - P.Y.Set(&A.Y) - P.Z.Set(&A.Z) - P.T.Neg(&A.T) - return P +func (p *extPoint) Neg(ca kyber.Point) kyber.Point { + A := ca.(*extPoint) + p.c = A.c + p.X.Neg(&A.X) + p.Y.Set(&A.Y) + p.Z.Set(&A.Z) + p.T.Neg(&A.T) + return p } // Optimized point doubling for use in scalar multiplication. // Uses the formulae in section 3.3 of: // https://www.iacr.org/archive/asiacrypt2008/53500329/53500329.pdf -func (P *extPoint) double() { - X1, Y1, Z1, T1 := &P.X, &P.Y, &P.Z, &P.T +func (p *extPoint) double() { + X1, Y1, Z1, T1 := &p.X, &p.Y, &p.Z, &p.T var A, B, C, D, E, F, G, H mod.Int A.Mul(X1, X1) B.Mul(Y1, Y1) C.Mul(Z1, Z1).Add(&C, &C) - D.Mul(&P.c.a, &A) + D.Mul(&p.c.a, &A) E.Add(X1, Y1).Mul(&E, &E).Sub(&E, &A).Sub(&E, &B) G.Add(&D, &B) F.Sub(&G, &C) @@ -230,27 +229,26 @@ func (P *extPoint) double() { // Currently doesn't implement the optimization of // switching between projective and extended coordinates during // scalar multiplication. -// -func (P *extPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point { +func (p *extPoint) Mul(s kyber.Scalar, g kyber.Point) kyber.Point { v := s.(*mod.Int).V - if G == nil { - return P.Base().Mul(s, P) + if g == nil { + return p.Base().Mul(s, p) } - T := P - if G == P { // Must use temporary for in-place multiply + T := p + if g == p { // Must use temporary for in-place multiply T = &extPoint{} } - T.Set(&P.c.null) // Initialize to identity element (0,1) + T.Set(&p.c.null) // Initialize to identity element (0,1) for i := v.BitLen() - 1; i >= 0; i-- { T.double() if v.Bit(i) != 0 { - T.Add(T, G) + T.Add(T, g) } } - if T != P { - P.Set(T) + if T != p { + p.Set(T) } - return P + return p } // ExtendedCurve implements Twisted Edwards curves @@ -272,7 +270,6 @@ func (P *extPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point { // special case with curve parameter a=-1. // We leave the task of hyperoptimization to curve-specific implementations // such as the ed25519 package. -// type ExtendedCurve struct { curve // generic Edwards curve functionality null extPoint // Constant identity/null point (0,1) diff --git a/group/curve25519/proj.go b/group/curve25519/proj.go index 4efee7f6c..c68d17d67 100644 --- a/group/curve25519/proj.go +++ b/group/curve25519/proj.go @@ -15,43 +15,43 @@ type projPoint struct { c *ProjectiveCurve } -func (P *projPoint) initXY(x, y *big.Int, c kyber.Group) { - P.c = c.(*ProjectiveCurve) - P.X.Init(x, &P.c.P) - P.Y.Init(y, &P.c.P) - P.Z.Init64(1, &P.c.P) +func (p *projPoint) initXY(x, y *big.Int, c kyber.Group) { + p.c = c.(*ProjectiveCurve) + p.X.Init(x, &p.c.P) + p.Y.Init(y, &p.c.P) + p.Z.Init64(1, &p.c.P) } -func (P *projPoint) getXY() (x, y *mod.Int) { - P.normalize() - return &P.X, &P.Y +func (p *projPoint) getXY() (x, y *mod.Int) { + p.normalize() + return &p.X, &p.Y } -func (P *projPoint) String() string { - P.normalize() - return P.c.pointString(&P.X, &P.Y) +func (p *projPoint) String() string { + p.normalize() + return p.c.pointString(&p.X, &p.Y) } -func (P *projPoint) MarshalSize() int { - return P.c.PointLen() +func (p *projPoint) MarshalSize() int { + return p.c.PointLen() } -func (P *projPoint) MarshalBinary() ([]byte, error) { - P.normalize() - return P.c.encodePoint(&P.X, &P.Y), nil +func (p *projPoint) MarshalBinary() ([]byte, error) { + p.normalize() + return p.c.encodePoint(&p.X, &p.Y), nil } -func (P *projPoint) UnmarshalBinary(b []byte) error { - P.Z.Init64(1, &P.c.P) - return P.c.decodePoint(b, &P.X, &P.Y) +func (p *projPoint) UnmarshalBinary(b []byte) error { + p.Z.Init64(1, &p.c.P) + return p.c.decodePoint(b, &p.X, &p.Y) } -func (P *projPoint) MarshalTo(w io.Writer) (int, error) { - return marshalling.PointMarshalTo(P, w) +func (p *projPoint) MarshalTo(w io.Writer) (int, error) { + return marshalling.PointMarshalTo(p, w) } -func (P *projPoint) UnmarshalFrom(r io.Reader) (int, error) { - return marshalling.PointUnmarshalFrom(P, r) +func (p *projPoint) UnmarshalFrom(r io.Reader) (int, error) { + return marshalling.PointUnmarshalFrom(p, r) } // Equality test for two Points on the same curve. @@ -60,68 +60,67 @@ func (P *projPoint) UnmarshalFrom(r io.Reader) (int, error) { // (X1/Z1,Y1/Z1) == (X2/Z2,Y2/Z2) // iff // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1) -// -func (P *projPoint) Equal(CP2 kyber.Point) bool { - P2 := CP2.(*projPoint) +func (p *projPoint) Equal(cp2 kyber.Point) bool { + P2 := cp2.(*projPoint) var t1, t2 mod.Int - xeq := t1.Mul(&P.X, &P2.Z).Equal(t2.Mul(&P2.X, &P.Z)) - yeq := t1.Mul(&P.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &P.Z)) + xeq := t1.Mul(&p.X, &P2.Z).Equal(t2.Mul(&P2.X, &p.Z)) + yeq := t1.Mul(&p.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &p.Z)) return xeq && yeq } -func (P *projPoint) Set(CP2 kyber.Point) kyber.Point { - P2 := CP2.(*projPoint) - P.c = P2.c - P.X.Set(&P2.X) - P.Y.Set(&P2.Y) - P.Z.Set(&P2.Z) - return P +func (p *projPoint) Set(cp2 kyber.Point) kyber.Point { + P2 := cp2.(*projPoint) + p.c = P2.c + p.X.Set(&P2.X) + p.Y.Set(&P2.Y) + p.Z.Set(&P2.Z) + return p } -func (P *projPoint) Clone() kyber.Point { +func (p *projPoint) Clone() kyber.Point { P2 := projPoint{} - P2.c = P.c - P2.X.Set(&P.X) - P2.Y.Set(&P.Y) - P2.Z.Set(&P.Z) + P2.c = p.c + P2.X.Set(&p.X) + P2.Y.Set(&p.Y) + P2.Z.Set(&p.Z) return &P2 } -func (P *projPoint) Null() kyber.Point { - P.Set(&P.c.null) - return P +func (p *projPoint) Null() kyber.Point { + p.Set(&p.c.null) + return p } -func (P *projPoint) Base() kyber.Point { - P.Set(&P.c.base) - return P +func (p *projPoint) Base() kyber.Point { + p.Set(&p.c.base) + return p } -func (P *projPoint) EmbedLen() int { - return P.c.embedLen() +func (p *projPoint) EmbedLen() int { + return p.c.embedLen() } // Normalize the point's representation to Z=1. -func (P *projPoint) normalize() { - P.Z.Inv(&P.Z) - P.X.Mul(&P.X, &P.Z) - P.Y.Mul(&P.Y, &P.Z) - P.Z.V.SetInt64(1) +func (p *projPoint) normalize() { + p.Z.Inv(&p.Z) + p.X.Mul(&p.X, &p.Z) + p.Y.Mul(&p.Y, &p.Z) + p.Z.V.SetInt64(1) } -func (P *projPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { - P.c.embed(P, data, rand) - return P +func (p *projPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { + p.c.embed(p, data, rand) + return p } -func (P *projPoint) Pick(rand cipher.Stream) kyber.Point { - return P.Embed(nil, rand) +func (p *projPoint) Pick(rand cipher.Stream) kyber.Point { + return p.Embed(nil, rand) } // Extract embedded data from a point group element -func (P *projPoint) Data() ([]byte, error) { - P.normalize() - return P.c.data(&P.X, &P.Y) +func (p *projPoint) Data() ([]byte, error) { + p.normalize() + return p.c.data(&p.X, &p.Y) } // Add two points using optimized projective coordinate addition formulas. @@ -129,10 +128,9 @@ func (P *projPoint) Data() ([]byte, error) { // // http://eprint.iacr.org/2008/013.pdf // https://hyperelliptic.org/EFD/g1p/auto-twisted-projective.html -// -func (P *projPoint) Add(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*projPoint) - P2 := CP2.(*projPoint) +func (p *projPoint) Add(cp1, cp2 kyber.Point) kyber.Point { + P1 := cp1.(*projPoint) + P2 := cp2.(*projPoint) X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int @@ -141,25 +139,25 @@ func (P *projPoint) Add(CP1, CP2 kyber.Point) kyber.Point { B.Mul(&A, &A) C.Mul(X1, X2) D.Mul(Y1, Y2) - E.Mul(&C, &D).Mul(&P.c.d, &E) + E.Mul(&C, &D).Mul(&p.c.d, &E) F.Sub(&B, &E) G.Add(&B, &E) X3.Add(X1, Y1).Mul(&X3, Z3.Add(X2, Y2)).Sub(&X3, &C).Sub(&X3, &D). Mul(&F, &X3).Mul(&A, &X3) - Y3.Mul(&P.c.a, &C).Sub(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) + Y3.Mul(&p.c.a, &C).Sub(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) Z3.Mul(&F, &G) - P.c = P1.c - P.X.Set(&X3) - P.Y.Set(&Y3) - P.Z.Set(&Z3) - return P + p.c = P1.c + p.X.Set(&X3) + p.Y.Set(&Y3) + p.Z.Set(&Z3) + return p } // Subtract points so that their scalars subtract homomorphically -func (P *projPoint) Sub(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*projPoint) - P2 := CP2.(*projPoint) +func (p *projPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { + P1 := cp1.(*projPoint) + P2 := cp2.(*projPoint) X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int @@ -168,69 +166,69 @@ func (P *projPoint) Sub(CP1, CP2 kyber.Point) kyber.Point { B.Mul(&A, &A) C.Mul(X1, X2) D.Mul(Y1, Y2) - E.Mul(&C, &D).Mul(&P.c.d, &E) + E.Mul(&C, &D).Mul(&p.c.d, &E) F.Add(&B, &E) G.Sub(&B, &E) X3.Add(X1, Y1).Mul(&X3, Z3.Sub(Y2, X2)).Add(&X3, &C).Sub(&X3, &D). Mul(&F, &X3).Mul(&A, &X3) - Y3.Mul(&P.c.a, &C).Add(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) + Y3.Mul(&p.c.a, &C).Add(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) Z3.Mul(&F, &G) - P.c = P1.c - P.X.Set(&X3) - P.Y.Set(&Y3) - P.Z.Set(&Z3) - return P + p.c = P1.c + p.X.Set(&X3) + p.Y.Set(&Y3) + p.Z.Set(&Z3) + return p } // Find the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). -func (P *projPoint) Neg(CA kyber.Point) kyber.Point { +func (p *projPoint) Neg(CA kyber.Point) kyber.Point { A := CA.(*projPoint) - P.c = A.c - P.X.Neg(&A.X) - P.Y.Set(&A.Y) - P.Z.Set(&A.Z) - return P + p.c = A.c + p.X.Neg(&A.X) + p.Y.Set(&A.Y) + p.Z.Set(&A.Z) + return p } // Optimized point doubling for use in scalar multiplication. -func (P *projPoint) double() { +func (p *projPoint) double() { var B, C, D, E, F, H, J mod.Int - B.Add(&P.X, &P.Y).Mul(&B, &B) - C.Mul(&P.X, &P.X) - D.Mul(&P.Y, &P.Y) - E.Mul(&P.c.a, &C) + B.Add(&p.X, &p.Y).Mul(&B, &B) + C.Mul(&p.X, &p.X) + D.Mul(&p.Y, &p.Y) + E.Mul(&p.c.a, &C) F.Add(&E, &D) - H.Mul(&P.Z, &P.Z) + H.Mul(&p.Z, &p.Z) J.Add(&H, &H).Sub(&F, &J) - P.X.Sub(&B, &C).Sub(&P.X, &D).Mul(&P.X, &J) - P.Y.Sub(&E, &D).Mul(&F, &P.Y) - P.Z.Mul(&F, &J) + p.X.Sub(&B, &C).Sub(&p.X, &D).Mul(&p.X, &J) + p.Y.Sub(&E, &D).Mul(&F, &p.Y) + p.Z.Mul(&F, &J) } // Multiply point p by scalar s using the repeated doubling method. -func (P *projPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point { +func (p *projPoint) Mul(s kyber.Scalar, g kyber.Point) kyber.Point { v := s.(*mod.Int).V - if G == nil { - return P.Base().Mul(s, P) + if g == nil { + return p.Base().Mul(s, p) } - T := P - if G == P { // Must use temporary for in-place multiply + T := p + if g == p { // Must use temporary for in-place multiply T = &projPoint{} } - T.Set(&P.c.null) // Initialize to identity element (0,1) + T.Set(&p.c.null) // Initialize to identity element (0,1) for i := v.BitLen() - 1; i >= 0; i-- { T.double() if v.Bit(i) != 0 { - T.Add(T, G) + T.Add(T, g) } } - if T != P { - P.Set(T) + if T != p { + p.Set(T) } - return P + return p } // ProjectiveCurve implements Twisted Edwards curves @@ -240,7 +238,6 @@ func (P *projPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point { // and avoids expensive modular inversions on the critical paths. // Uses the projective arithmetic formulas in: // http://cr.yp.to/newelliptic/newelliptic-20070906.pdf -// type ProjectiveCurve struct { curve // generic Edwards curve functionality null projPoint // Constant identity/null point (0,1) diff --git a/group/edwards25519/ge.go b/group/edwards25519/ge.go index 5d46eb226..7cbc281c1 100644 --- a/group/edwards25519/ge.go +++ b/group/edwards25519/ge.go @@ -432,6 +432,8 @@ func selectCached(c *cachedGroupElement, Ai *[8]cachedGroupElement, b int32) { // Preconditions: // // a[31] <= 127 +// +//nolint:gocritic func geScalarMult(h *extendedGroupElement, a *[32]byte, A *extendedGroupElement) { diff --git a/group/edwards25519/ge_mult_vartime.go b/group/edwards25519/ge_mult_vartime.go index 9ddd61fdf..572c7825e 100644 --- a/group/edwards25519/ge_mult_vartime.go +++ b/group/edwards25519/ge_mult_vartime.go @@ -1,11 +1,15 @@ package edwards25519 // geScalarMultVartime computes h = a*B, where -// a = a[0]+256*a[1]+...+256^31 a[31] -// B is the Ed25519 base point (x,4/5) with x positive. +// +// a = a[0]+256*a[1]+...+256^31 a[31] +// B is the Ed25519 base point (x,4/5) with x positive. // // Preconditions: -// a[31] <= 127 +// +// a[31] <= 127 +// +//nolint:gocritic func geScalarMultVartime(h *extendedGroupElement, a *[32]byte, A *extendedGroupElement) { diff --git a/group/edwards25519/point.go b/group/edwards25519/point.go index 191450ee0..9575bc48b 100644 --- a/group/edwards25519/point.go +++ b/group/edwards25519/point.go @@ -31,48 +31,48 @@ type point struct { varTime bool } -func (P *point) String() string { +func (p *point) String() string { var b [32]byte - P.ge.ToBytes(&b) + p.ge.ToBytes(&b) return hex.EncodeToString(b[:]) } -func (P *point) MarshalSize() int { +func (p *point) MarshalSize() int { return 32 } -func (P *point) MarshalBinary() ([]byte, error) { +func (p *point) MarshalBinary() ([]byte, error) { var b [32]byte - P.ge.ToBytes(&b) + p.ge.ToBytes(&b) return b[:], nil } // MarshalID returns the type tag used in encoding/decoding -func (P *point) MarshalID() [8]byte { +func (p *point) MarshalID() [8]byte { return marshalPointID } -func (P *point) UnmarshalBinary(b []byte) error { - if !P.ge.FromBytes(b) { +func (p *point) UnmarshalBinary(b []byte) error { + if !p.ge.FromBytes(b) { return errors.New("invalid Ed25519 curve point") } return nil } -func (P *point) MarshalTo(w io.Writer) (int, error) { - return marshalling.PointMarshalTo(P, w) +func (p *point) MarshalTo(w io.Writer) (int, error) { + return marshalling.PointMarshalTo(p, w) } -func (P *point) UnmarshalFrom(r io.Reader) (int, error) { - return marshalling.PointUnmarshalFrom(P, r) +func (p *point) UnmarshalFrom(r io.Reader) (int, error) { + return marshalling.PointUnmarshalFrom(p, r) } // Equality test for two Points on the same curve -func (P *point) Equal(P2 kyber.Point) bool { +func (p *point) Equal(p2 kyber.Point) bool { var b1, b2 [32]byte - P.ge.ToBytes(&b1) - P2.(*point).ge.ToBytes(&b2) + p.ge.ToBytes(&b1) + p2.(*point).ge.ToBytes(&b2) for i := range b1 { if b1[i] != b2[i] { return false @@ -81,40 +81,40 @@ func (P *point) Equal(P2 kyber.Point) bool { return true } -// Set point to be equal to P2. -func (P *point) Set(P2 kyber.Point) kyber.Point { - P.ge = P2.(*point).ge - return P +// Set point to be equal to p2. +func (p *point) Set(p2 kyber.Point) kyber.Point { + p.ge = p2.(*point).ge + return p } -// Set point to be equal to P2. -func (P *point) Clone() kyber.Point { - return &point{ge: P.ge} +// Set point to be equal to p2. +func (p *point) Clone() kyber.Point { + return &point{ge: p.ge} } // Set to the neutral element, which is (0,1) for twisted Edwards curves. -func (P *point) Null() kyber.Point { - P.ge.Zero() - return P +func (p *point) Null() kyber.Point { + p.ge.Zero() + return p } // Set to the standard base point for this curve -func (P *point) Base() kyber.Point { - P.ge = baseext - return P +func (p *point) Base() kyber.Point { + p.ge = baseext + return p } -func (P *point) EmbedLen() int { +func (p *point) EmbedLen() int { // Reserve the most-significant 8 bits for pseudo-randomness. // Reserve the least-significant 8 bits for embedded data length. // (Hopefully it's unlikely we'll need >=2048-bit curves soon.) return (255 - 8 - 8) / 8 } -func (P *point) Embed(data []byte, rand cipher.Stream) kyber.Point { +func (p *point) Embed(data []byte, rand cipher.Stream) kyber.Point { // How many bytes to embed? - dl := P.EmbedLen() + dl := p.EmbedLen() if dl > len(data) { dl = len(data) } @@ -127,14 +127,14 @@ func (P *point) Embed(data []byte, rand cipher.Stream) kyber.Point { b[0] = byte(dl) // Encode length in low 8 bits copy(b[1:1+dl], data) // Copy in data to embed } - if !P.ge.FromBytes(b[:]) { // Try to decode + if !p.ge.FromBytes(b[:]) { // Try to decode continue // invalid point, retry } // If we're using the full group, // we just need any point on the curve, so we're done. // if c.full { - // return P,data[dl:] + // return p,data[dl:] // } // We're using the prime-order subgroup, @@ -143,91 +143,91 @@ func (P *point) Embed(data []byte, rand cipher.Stream) kyber.Point { // we can convert our point into one in the subgroup // simply by multiplying it by the cofactor. if data == nil { - P.Mul(cofactorScalar, P) // multiply by cofactor - if P.Equal(nullPoint) { + p.Mul(cofactorScalar, p) // multiply by cofactor + if p.Equal(nullPoint) { continue // unlucky; try again } - return P // success + return p // success } // Since we need the point's y-coordinate to hold our data, // we must simply check if the point is in the subgroup // and retry point generation until it is. var Q point - Q.Mul(primeOrderScalar, P) + Q.Mul(primeOrderScalar, p) if Q.Equal(nullPoint) { - return P // success + return p // success } // Keep trying... } } -func (P *point) Pick(rand cipher.Stream) kyber.Point { - return P.Embed(nil, rand) +func (p *point) Pick(rand cipher.Stream) kyber.Point { + return p.Embed(nil, rand) } // Extract embedded data from a point group element -func (P *point) Data() ([]byte, error) { +func (p *point) Data() ([]byte, error) { var b [32]byte - P.ge.ToBytes(&b) + p.ge.ToBytes(&b) dl := int(b[0]) // extract length byte - if dl > P.EmbedLen() { + if dl > p.EmbedLen() { return nil, errors.New("invalid embedded data length") } return b[1 : 1+dl], nil } -func (P *point) Add(P1, P2 kyber.Point) kyber.Point { - E1 := P1.(*point) - E2 := P2.(*point) +func (p *point) Add(p1, p2 kyber.Point) kyber.Point { + E1 := p1.(*point) + E2 := p2.(*point) var t2 cachedGroupElement var r completedGroupElement E2.ge.ToCached(&t2) r.Add(&E1.ge, &t2) - r.ToExtended(&P.ge) + r.ToExtended(&p.ge) - return P + return p } -func (P *point) Sub(P1, P2 kyber.Point) kyber.Point { - E1 := P1.(*point) - E2 := P2.(*point) +func (p *point) Sub(p1, p2 kyber.Point) kyber.Point { + E1 := p1.(*point) + E2 := p2.(*point) var t2 cachedGroupElement var r completedGroupElement E2.ge.ToCached(&t2) r.Sub(&E1.ge, &t2) - r.ToExtended(&P.ge) + r.ToExtended(&p.ge) - return P + return p } // Neg finds the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). -func (P *point) Neg(A kyber.Point) kyber.Point { - P.ge.Neg(&A.(*point).ge) - return P +func (p *point) Neg(a kyber.Point) kyber.Point { + p.ge.Neg(&a.(*point).ge) + return p } // Mul multiplies point p by scalar s using the repeated doubling method. -func (P *point) Mul(s kyber.Scalar, A kyber.Point) kyber.Point { +func (p *point) Mul(s kyber.Scalar, b kyber.Point) kyber.Point { a := &s.(*scalar).v - if A == nil { - geScalarMultBase(&P.ge, a) + if b == nil { + geScalarMultBase(&p.ge, a) } else { - if P.varTime { - geScalarMultVartime(&P.ge, a, &A.(*point).ge) + if p.varTime { + geScalarMultVartime(&p.ge, a, &b.(*point).ge) } else { - geScalarMult(&P.ge, a, &A.(*point).ge) + geScalarMult(&p.ge, a, &b.(*point).ge) } } - return P + return p } // HasSmallOrder determines whether the group element has small order @@ -238,8 +238,8 @@ func (P *point) Mul(s kyber.Scalar, A kyber.Point) kyber.Point { // // This is the same code as in // https://github.com/jedisct1/libsodium/blob/4744636721d2e420f8bbe2d563f31b1f5e682229/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c#L1170 -func (P *point) HasSmallOrder() bool { - s, err := P.MarshalBinary() +func (p *point) HasSmallOrder() bool { + s, err := p.MarshalBinary() if err != nil { return false } @@ -274,7 +274,7 @@ func (P *point) HasSmallOrder() bool { // // The method accepts a buffer instead of calling `MarshalBinary` on the receiver // because that always returns a value modulo `prime`. -func (P *point) IsCanonical(s []byte) bool { +func (p *point) IsCanonical(s []byte) bool { if len(s) != 32 { return false } diff --git a/group/edwards25519/point_vartime.go b/group/edwards25519/point_vartime.go index 4bf742fc7..d3a67f8fa 100644 --- a/group/edwards25519/point_vartime.go +++ b/group/edwards25519/point_vartime.go @@ -4,6 +4,6 @@ package edwards25519 // but variable time implementation can be used. Set this only on Points // which represent public information. Using variable time algorithms to // operate on private information can result in timing side-channels. -func (P *point) AllowVarTime(varTime bool) { - P.varTime = varTime +func (p *point) AllowVarTime(varTime bool) { + p.varTime = varTime } diff --git a/proof/dleq/dleq.go b/proof/dleq/dleq.go index 40d9a37f4..b54b4f227 100644 --- a/proof/dleq/dleq.go +++ b/proof/dleq/dleq.go @@ -1,7 +1,9 @@ // Package dleq provides functionality to create and verify non-interactive // zero-knowledge (NIZK) proofs for the equality (EQ) of discrete logarithms (DL). // This means, for two values xG and xH one can check that -// log_{G}(xG) == log_{H}(xH) +// +// log_{G}(xG) == log_{H}(xH) +// // without revealing the secret value x. package dleq @@ -35,39 +37,39 @@ type Proof struct { // and then computes the challenge c = H(xG,xH,vG,vH) and response r = v - cx. // Besides the proof, this function also returns the encrypted base points xG // and xH. -func NewDLEQProof(suite Suite, G kyber.Point, H kyber.Point, x kyber.Scalar) (proof *Proof, xG kyber.Point, xH kyber.Point, err error) { +func NewDLEQProof(suite Suite, g kyber.Point, h kyber.Point, x kyber.Scalar) (proof *Proof, xG kyber.Point, xH kyber.Point, err error) { // Encrypt base points with secret - xG = suite.Point().Mul(x, G) - xH = suite.Point().Mul(x, H) + xG = suite.Point().Mul(x, g) + xH = suite.Point().Mul(x, h) // Commitment v := suite.Scalar().Pick(suite.RandomStream()) - vG := suite.Point().Mul(v, G) - vH := suite.Point().Mul(v, H) + vG := suite.Point().Mul(v, g) + vH := suite.Point().Mul(v, h) // Challenge - h := suite.Hash() - _, err = xG.MarshalTo(h) + hSuite := suite.Hash() + _, err = xG.MarshalTo(hSuite) if err != nil { return nil, nil, nil, err } - _, err = xH.MarshalTo(h) + _, err = xH.MarshalTo(hSuite) if err != nil { return nil, nil, nil, err } - _, err = vG.MarshalTo(h) + _, err = vG.MarshalTo(hSuite) if err != nil { return nil, nil, nil, err } - _, err = vH.MarshalTo(h) + _, err = vH.MarshalTo(hSuite) if err != nil { return nil, nil, nil, err } - cb := h.Sum(nil) + cb := hSuite.Sum(nil) c := suite.Scalar().Pick(suite.XOF(cb)) // Response @@ -80,8 +82,8 @@ func NewDLEQProof(suite Suite, G kyber.Point, H kyber.Point, x kyber.Scalar) (pr // NewDLEQProofBatch computes lists of NIZK dlog-equality proofs and of // encrypted base points xG and xH. Note that the challenge is computed over all // input values. -func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets []kyber.Scalar) (proof []*Proof, xG []kyber.Point, xH []kyber.Point, err error) { - if len(G) != len(H) || len(H) != len(secrets) { +func NewDLEQProofBatch(suite Suite, g []kyber.Point, h []kyber.Point, secrets []kyber.Scalar) (proof []*Proof, xG []kyber.Point, xH []kyber.Point, err error) { + if len(g) != len(h) || len(h) != len(secrets) { return nil, nil, nil, errorDifferentLengths } @@ -95,30 +97,30 @@ func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets [] for i, x := range secrets { // Encrypt base points with secrets - xG[i] = suite.Point().Mul(x, G[i]) - xH[i] = suite.Point().Mul(x, H[i]) + xG[i] = suite.Point().Mul(x, g[i]) + xH[i] = suite.Point().Mul(x, h[i]) // Commitments v[i] = suite.Scalar().Pick(suite.RandomStream()) - vG[i] = suite.Point().Mul(v[i], G[i]) - vH[i] = suite.Point().Mul(v[i], H[i]) + vG[i] = suite.Point().Mul(v[i], g[i]) + vH[i] = suite.Point().Mul(v[i], h[i]) } // Collective challenge - h := suite.Hash() + hSuite := suite.Hash() for _, x := range xG { - x.MarshalTo(h) + x.MarshalTo(hSuite) } for _, x := range xH { - x.MarshalTo(h) + x.MarshalTo(hSuite) } for _, x := range vG { - x.MarshalTo(h) + x.MarshalTo(hSuite) } for _, x := range vH { - x.MarshalTo(h) + x.MarshalTo(hSuite) } - cb := h.Sum(nil) + cb := hSuite.Sum(nil) c := suite.Scalar().Pick(suite.XOF(cb)) @@ -134,11 +136,12 @@ func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets [] // Verify examines the validity of the NIZK dlog-equality proof. // The proof is valid if the following two conditions hold: -// vG == rG + c(xG) -// vH == rH + c(xH) -func (p *Proof) Verify(suite Suite, G kyber.Point, H kyber.Point, xG kyber.Point, xH kyber.Point) error { - rG := suite.Point().Mul(p.R, G) - rH := suite.Point().Mul(p.R, H) +// +// vG == rG + c(xG) +// vH == rH + c(xH) +func (p *Proof) Verify(suite Suite, g kyber.Point, h kyber.Point, xG kyber.Point, xH kyber.Point) error { + rG := suite.Point().Mul(p.R, g) + rH := suite.Point().Mul(p.R, h) cxG := suite.Point().Mul(p.C, xG) cxH := suite.Point().Mul(p.C, xH) a := suite.Point().Add(rG, cxG) diff --git a/share/pvss/pvss.go b/share/pvss/pvss.go index 8c8fc8cfe..dbef4dd10 100644 --- a/share/pvss/pvss.go +++ b/share/pvss/pvss.go @@ -44,10 +44,10 @@ type PubVerShare struct { // EncShares creates a list of encrypted publicly verifiable PVSS shares for // the given secret and the list of public keys X using the sharing threshold -// t and the base point H. The function returns the list of shares and the +// t and the base point h. The function returns the list of shares and the // public commitment polynomial. -func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, t int) (shares []*PubVerShare, commit *share.PubPoly, err error) { - n := len(X) +func EncShares(suite Suite, h kyber.Point, x []kyber.Point, secret kyber.Scalar, t int) (shares []*PubVerShare, commit *share.PubPoly, err error) { + n := len(x) encShares := make([]*PubVerShare, n) // Create secret sharing polynomial @@ -56,8 +56,8 @@ func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, // Create secret set of shares priShares := priPoly.Shares(n) - // Create public polynomial commitments with respect to basis H - pubPoly := priPoly.Commit(H) + // Create public polynomial commitments with respect to basis h + pubPoly := priPoly.Commit(h) // Prepare data for encryption consistency proofs ... indices := make([]int, n) @@ -66,11 +66,11 @@ func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, for i := 0; i < n; i++ { indices[i] = priShares[i].I values[i] = priShares[i].V - HS[i] = H + HS[i] = h } // Create NIZK discrete-logarithm equality proofs - proofs, _, sX, err := dleq.NewDLEQProofBatch(suite, HS, X, values) + proofs, _, sX, err := dleq.NewDLEQProofBatch(suite, HS, x, values) if err != nil { return nil, nil, err } @@ -84,10 +84,10 @@ func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, } // VerifyEncShare checks that the encrypted share sX satisfies -// log_{H}(sH) == log_{X}(sX) where sH is the public commitment computed by +// log_{h}(sH) == log_{X}(sX) where sH is the public commitment computed by // evaluating the public commitment polynomial at the encrypted share's index i. -func VerifyEncShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, encShare *PubVerShare) error { - if err := encShare.P.Verify(suite, H, X, sH, encShare.S.V); err != nil { +func VerifyEncShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, encShare *PubVerShare) error { + if err := encShare.P.Verify(suite, h, x, sH, encShare.S.V); err != nil { return errorEncVerification } return nil @@ -96,15 +96,15 @@ func VerifyEncShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, e // VerifyEncShareBatch provides the same functionality as VerifyEncShare but for // slices of encrypted shares. The function returns the valid encrypted shares // together with the corresponding public keys. -func VerifyEncShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, error) { - if len(X) != len(sH) || len(sH) != len(encShares) { +func VerifyEncShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, error) { + if len(x) != len(sH) || len(sH) != len(encShares) { return nil, nil, errorDifferentLengths } var K []kyber.Point // good public keys var E []*PubVerShare // good encrypted shares - for i := 0; i < len(X); i++ { - if err := VerifyEncShare(suite, H, X[i], sH[i], encShares[i]); err == nil { - K = append(K, X[i]) + for i := 0; i < len(x); i++ { + if err := VerifyEncShare(suite, h, x[i], sH[i], encShares[i]); err == nil { + K = append(K, x[i]) E = append(E, encShares[i]) } } @@ -114,14 +114,14 @@ func VerifyEncShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber // DecShare first verifies the encrypted share against the encryption // consistency proof and, if valid, decrypts it and creates a decryption // consistency proof. -func DecShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, x kyber.Scalar, encShare *PubVerShare) (*PubVerShare, error) { - if err := VerifyEncShare(suite, H, X, sH, encShare); err != nil { +func DecShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, s kyber.Scalar, encShare *PubVerShare) (*PubVerShare, error) { + if err := VerifyEncShare(suite, h, x, sH, encShare); err != nil { return nil, err } G := suite.Point().Base() - V := suite.Point().Mul(suite.Scalar().Inv(x), encShare.S.V) // decryption: x^{-1} * (xS) + V := suite.Point().Mul(suite.Scalar().Inv(s), encShare.S.V) // decryption: s^{-1} * (xS) ps := &share.PubShare{I: encShare.S.I, V: V} - P, _, _, err := dleq.NewDLEQProof(suite, G, V, x) + P, _, _, err := dleq.NewDLEQProof(suite, G, V, s) if err != nil { return nil, err } @@ -131,16 +131,16 @@ func DecShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, x kyber // DecShareBatch provides the same functionality as DecShare but for slices of // encrypted shares. The function returns the valid encrypted and decrypted // shares as well as the corresponding public keys. -func DecShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point, x kyber.Scalar, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) { - if len(X) != len(sH) || len(sH) != len(encShares) { +func DecShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point, s kyber.Scalar, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) { + if len(x) != len(sH) || len(sH) != len(encShares) { return nil, nil, nil, errorDifferentLengths } var K []kyber.Point // good public keys var E []*PubVerShare // good encrypted shares var D []*PubVerShare // good decrypted shares for i := 0; i < len(encShares); i++ { - if ds, err := DecShare(suite, H, X[i], sH[i], x, encShares[i]); err == nil { - K = append(K, X[i]) + if ds, err := DecShare(suite, h, x[i], sH[i], s, encShares[i]); err == nil { + K = append(K, x[i]) E = append(E, encShares[i]) D = append(D, ds) } @@ -150,22 +150,22 @@ func DecShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point // VerifyDecShare checks that the decrypted share sG satisfies // log_{G}(X) == log_{sG}(sX). Note that X = xG and sX = s(xG) = x(sG). -func VerifyDecShare(suite Suite, G kyber.Point, X kyber.Point, encShare *PubVerShare, decShare *PubVerShare) error { - if err := decShare.P.Verify(suite, G, decShare.S.V, X, encShare.S.V); err != nil { +func VerifyDecShare(suite Suite, g kyber.Point, x kyber.Point, encShare *PubVerShare, decShare *PubVerShare) error { + if err := decShare.P.Verify(suite, g, decShare.S.V, x, encShare.S.V); err != nil { return errorDecVerification } return nil } // VerifyDecShareBatch provides the same functionality as VerifyDecShare but for -// slices of decrypted shares. The function returns the the valid decrypted shares. -func VerifyDecShareBatch(suite Suite, G kyber.Point, X []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare) ([]*PubVerShare, error) { - if len(X) != len(encShares) || len(encShares) != len(decShares) { +// slices of decrypted shares. The function returns the valid decrypted shares. +func VerifyDecShareBatch(suite Suite, g kyber.Point, x []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare) ([]*PubVerShare, error) { + if len(x) != len(encShares) || len(encShares) != len(decShares) { return nil, errorDifferentLengths } var D []*PubVerShare // good decrypted shares - for i := 0; i < len(X); i++ { - if err := VerifyDecShare(suite, G, X[i], encShares[i], decShares[i]); err == nil { + for i := 0; i < len(x); i++ { + if err := VerifyDecShare(suite, g, x[i], encShares[i], decShares[i]); err == nil { D = append(D, decShares[i]) } } @@ -174,8 +174,8 @@ func VerifyDecShareBatch(suite Suite, G kyber.Point, X []kyber.Point, encShares // RecoverSecret first verifies the given decrypted shares against their // decryption consistency proofs and then tries to recover the shared secret. -func RecoverSecret(suite Suite, G kyber.Point, X []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare, t int, n int) (kyber.Point, error) { - D, err := VerifyDecShareBatch(suite, G, X, encShares, decShares) +func RecoverSecret(suite Suite, g kyber.Point, x []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare, t int, n int) (kyber.Point, error) { + D, err := VerifyDecShareBatch(suite, g, x, encShares, decShares) if err != nil { return nil, err } diff --git a/shuffle/biffle.go b/shuffle/biffle.go index af0ec72d3..c4aa9a663 100644 --- a/shuffle/biffle.go +++ b/shuffle/biffle.go @@ -29,12 +29,12 @@ func bifflePred() proof.Predicate { return or } -func bifflePoints(suite Suite, G, H kyber.Point, +func bifflePoints(suite Suite, g, h kyber.Point, X, Y, Xbar, Ybar [2]kyber.Point) map[string]kyber.Point { return map[string]kyber.Point{ - "G": G, - "H": H, + "G": g, + "H": h, "Xbar0-X0": suite.Point().Sub(Xbar[0], X[0]), "Ybar0-Y0": suite.Point().Sub(Ybar[0], Y[0]), "Xbar1-X1": suite.Point().Sub(Xbar[1], X[1]), @@ -46,7 +46,7 @@ func bifflePoints(suite Suite, G, H kyber.Point, } // Biffle is a binary shuffle ("biffle") for 2 ciphertexts based on general ZKPs. -func Biffle(suite Suite, G, H kyber.Point, +func Biffle(suite Suite, g, h kyber.Point, X, Y [2]kyber.Point, rand cipher.Stream) ( Xbar, Ybar [2]kyber.Point, prover proof.Prover) { @@ -64,9 +64,9 @@ func Biffle(suite Suite, G, H kyber.Point, // Create the output pair vectors for i := 0; i < 2; i++ { piI := i ^ bit - Xbar[i] = suite.Point().Mul(beta[piI], G) + Xbar[i] = suite.Point().Mul(beta[piI], g) Xbar[i].Add(Xbar[i], X[piI]) - Ybar[i] = suite.Point().Mul(beta[piI], H) + Ybar[i] = suite.Point().Mul(beta[piI], h) Ybar[i].Add(Ybar[i], Y[piI]) } @@ -74,18 +74,18 @@ func Biffle(suite Suite, G, H kyber.Point, secrets := map[string]kyber.Scalar{ "beta0": beta[0], "beta1": beta[1]} - points := bifflePoints(suite, G, H, X, Y, Xbar, Ybar) + points := bifflePoints(suite, g, h, X, Y, Xbar, Ybar) choice := map[proof.Predicate]int{or: bit} prover = or.Prover(suite, secrets, points, choice) return } // BiffleVerifier returns a verifier of the biffle -func BiffleVerifier(suite Suite, G, H kyber.Point, +func BiffleVerifier(suite Suite, g, h kyber.Point, X, Y, Xbar, Ybar [2]kyber.Point) ( verifier proof.Verifier) { or := bifflePred() - points := bifflePoints(suite, G, H, X, Y, Xbar, Ybar) + points := bifflePoints(suite, g, h, X, Y, Xbar, Ybar) return or.Verifier(suite, points) } diff --git a/shuffle/biffle_test.go b/shuffle/biffle_test.go index 2b73cde33..b724e4083 100644 --- a/shuffle/biffle_test.go +++ b/shuffle/biffle_test.go @@ -15,7 +15,7 @@ func TestBiffle(t *testing.T) { biffleTest(s, N) } -func biffleTest(suite Suite, N int) { +func biffleTest(suite Suite, n int) { rand := suite.RandomStream() // Create a "server" private/public keypair @@ -43,7 +43,7 @@ func biffleTest(suite Suite, N int) { } // Repeat only the actual shuffle portion for test purposes. - for i := 0; i < N; i++ { + for i := 0; i < n; i++ { // Do a key-shuffle Xbar, Ybar, prover := Biffle(suite, nil, H, X, Y, rand) diff --git a/shuffle/sequences.go b/shuffle/sequences.go index 9519f22ad..6f7cf5e0c 100644 --- a/shuffle/sequences.go +++ b/shuffle/sequences.go @@ -33,17 +33,17 @@ import ( // Last coordinate is (NQ-1, k-1) // // Variable names are as representative to the paper as possible. -func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, +func SequencesShuffle(group kyber.Group, g, h kyber.Point, x, y [][]kyber.Point, rand cipher.Stream) (Xbar, Ybar [][]kyber.Point, getProver func(e []kyber.Scalar) ( proof.Prover, error)) { - err := assertXY(X, Y) + err := assertXY(x, y) if err != nil { panic(fmt.Sprintf("invalid data: %v", err)) } - NQ := len(X) - k := len(X[0]) + NQ := len(x) + k := len(x[0]) // Pick a random permutation used in ALL k ElGamal sequences. The permutation // (π) of an ElGamal pair at index i always outputs to the same index @@ -80,10 +80,10 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, for i := 0; i < k; i++ { Xbar[j][i] = group.Point().Mul(beta[j][pi[i]], g) - Xbar[j][i].Add(Xbar[j][i], X[j][pi[i]]) + Xbar[j][i].Add(Xbar[j][i], x[j][pi[i]]) Ybar[j][i] = group.Point().Mul(beta[j][pi[i]], h) - Ybar[j][i].Add(Ybar[j][i], Y[j][pi[i]]) + Ybar[j][i].Add(Ybar[j][i], y[j][pi[i]]) } } @@ -111,7 +111,7 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, } } - XUp, YUp, _, _ := GetSequenceVerifiable(group, X, Y, Xbar, Ybar, e) + XUp, YUp, _, _ := GetSequenceVerifiable(group, x, y, Xbar, Ybar, e) return ps.Prove(pi, g, h, beta2, XUp, YUp, rand, ctx) }, nil @@ -120,27 +120,27 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, return Xbar, Ybar, getProver } -// assertXY checks that X, Y have the same dimensions and at least one element -func assertXY(X, Y [][]kyber.Point) error { - if len(X) == 0 || len(X[0]) == 0 { +// assertXY checks that x, y have the same dimensions and at least one element +func assertXY(x, y [][]kyber.Point) error { + if len(x) == 0 || len(x[0]) == 0 { return errors.New("X is empty") } - if len(Y) == 0 || len(Y[0]) == 0 { + if len(y) == 0 || len(y[0]) == 0 { return errors.New("Y is empty") } - if len(X) != len(Y) { - return fmt.Errorf("X and Y have a different size: %d != %d", len(X), len(Y)) + if len(x) != len(y) { + return fmt.Errorf("X and Y have a different size: %d != %d", len(x), len(y)) } - expected := len(X[0]) + expected := len(x[0]) - for i := range X { - if len(X[i]) != expected { - return fmt.Errorf("X[%d] has unexpected size: %d != %d", i, expected, len(X[i])) + for i := range x { + if len(x[i]) != expected { + return fmt.Errorf("X[%d] has unexpected size: %d != %d", i, expected, len(x[i])) } - if len(Y[i]) != expected { - return fmt.Errorf("Y[%d] has unexpected size: %d != %d", i, expected, len(Y[i])) + if len(y[i]) != expected { + return fmt.Errorf("Y[%d] has unexpected size: %d != %d", i, expected, len(y[i])) } } @@ -149,12 +149,12 @@ func assertXY(X, Y [][]kyber.Point) error { // GetSequenceVerifiable returns the consolidated input and output of sequence // shuffling elements. Needed by the prover and verifier. -func GetSequenceVerifiable(group kyber.Group, X, Y, Xbar, Ybar [][]kyber.Point, e []kyber.Scalar) ( +func GetSequenceVerifiable(group kyber.Group, x, y, xBar, yBar [][]kyber.Point, e []kyber.Scalar) ( XUp, YUp, XDown, YDown []kyber.Point) { // EGAR1 (Verifier) - Consolidate input and output - NQ := len(X) - k := len(X[0]) + NQ := len(x) + k := len(x[0]) XUp = make([]kyber.Point, k) YUp = make([]kyber.Point, k) @@ -164,22 +164,22 @@ func GetSequenceVerifiable(group kyber.Group, X, Y, Xbar, Ybar [][]kyber.Point, for i := 0; i < k; i++ { // No modification could be made for e[0] -> e[0] = 1 if one wanted - // Remark 7 in the paper - XUp[i] = group.Point().Mul(e[0], X[0][i]) - YUp[i] = group.Point().Mul(e[0], Y[0][i]) + XUp[i] = group.Point().Mul(e[0], x[0][i]) + YUp[i] = group.Point().Mul(e[0], y[0][i]) - XDown[i] = group.Point().Mul(e[0], Xbar[0][i]) - YDown[i] = group.Point().Mul(e[0], Ybar[0][i]) + XDown[i] = group.Point().Mul(e[0], xBar[0][i]) + YDown[i] = group.Point().Mul(e[0], yBar[0][i]) for j := 1; j < NQ; j++ { XUp[i] = group.Point().Add(XUp[i], - group.Point().Mul(e[j], X[j][i])) + group.Point().Mul(e[j], x[j][i])) YUp[i] = group.Point().Add(YUp[i], - group.Point().Mul(e[j], Y[j][i])) + group.Point().Mul(e[j], y[j][i])) XDown[i] = group.Point().Add(XDown[i], - group.Point().Mul(e[j], Xbar[j][i])) + group.Point().Mul(e[j], xBar[j][i])) YDown[i] = group.Point().Add(YDown[i], - group.Point().Mul(e[j], Ybar[j][i])) + group.Point().Mul(e[j], yBar[j][i])) } } diff --git a/shuffle/shuffle_test.go b/shuffle/shuffle_test.go index 8eafc2466..ad253eecc 100644 --- a/shuffle/shuffle_test.go +++ b/shuffle/shuffle_test.go @@ -23,7 +23,7 @@ func TestShuffleSequence(t *testing.T) { sequenceShuffleTest(s, k, NQ, N) } -func pairShuffleTest(suite Suite, k, N int) { +func pairShuffleTest(suite Suite, k, n int) { rand := suite.RandomStream() // Create a "server" private/public keypair @@ -52,7 +52,7 @@ func pairShuffleTest(suite Suite, k, N int) { } // Repeat only the actual shuffle portion for test purposes. - for i := 0; i < N; i++ { + for i := 0; i < n; i++ { // Do a key-shuffle Xbar, Ybar, prover := Shuffle(suite, nil, H, X, Y, rand) @@ -71,7 +71,7 @@ func pairShuffleTest(suite Suite, k, N int) { } } -func sequenceShuffleTest(suite Suite, k, NQ, N int) { +func sequenceShuffleTest(suite Suite, k, nq, n int) { rand := suite.RandomStream() // Create a "server" private/public keypair @@ -87,11 +87,11 @@ func sequenceShuffleTest(suite Suite, k, NQ, N int) { C[i] = suite.Point().Mul(c[i], nil) } - X := make([][]kyber.Point, NQ) - Y := make([][]kyber.Point, NQ) + X := make([][]kyber.Point, nq) + Y := make([][]kyber.Point, nq) // generate random sequences - for i := 0; i < NQ; i++ { + for i := 0; i < nq; i++ { xs := make([]kyber.Point, k) ys := make([]kyber.Point, k) @@ -106,7 +106,7 @@ func sequenceShuffleTest(suite Suite, k, NQ, N int) { // ElGamal-encrypt all these keypairs with the "server" key r := suite.Scalar() // temporary - for j := 0; j < NQ; j++ { + for j := 0; j < nq; j++ { for i := 0; i < k; i++ { r.Pick(rand) X[j][i] = suite.Point().Mul(r, nil) @@ -116,13 +116,13 @@ func sequenceShuffleTest(suite Suite, k, NQ, N int) { } // Repeat only the actual shuffle portion for test purposes. - for i := 0; i < N; i++ { + for i := 0; i < n; i++ { // Do a key-shuffle XX, YY, getProver := SequencesShuffle(suite, nil, H, X, Y, rand) - e := make([]kyber.Scalar, NQ) - for j := 0; j < NQ; j++ { + e := make([]kyber.Scalar, nq) + for j := 0; j < nq; j++ { e[j] = suite.Scalar().Pick(suite.RandomStream()) } diff --git a/shuffle/simple.go b/shuffle/simple.go index 7f7149815..087edf923 100644 --- a/shuffle/simple.go +++ b/shuffle/simple.go @@ -50,7 +50,7 @@ type SimpleShuffle struct { } // Simple helper to compute G^{ab-cd} for Theta vector computation. -func thenc(grp kyber.Group, G kyber.Point, +func thenc(grp kyber.Group, g kyber.Point, a, b, c, d kyber.Scalar) kyber.Point { var ab, cd kyber.Scalar @@ -68,7 +68,7 @@ func thenc(grp kyber.Group, G kyber.Point, } else { cd = grp.Scalar().Zero() } - return grp.Point().Mul(ab.Sub(ab, cd), G) + return grp.Point().Mul(ab.Sub(ab, cd), g) } // Init initializes the simple shuffle with the given group and the k parameter @@ -86,7 +86,7 @@ func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle { // Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004. // The Scalar vector y must be a permutation of Scalar vector x // but with all elements multiplied by common Scalar gamma. -func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, +func (ss *SimpleShuffle) Prove(g kyber.Point, gamma kyber.Scalar, x, y []kyber.Scalar, rand cipher.Stream, ctx proof.ProverContext) error { @@ -110,8 +110,8 @@ func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, // Step 0: inputs for i := 0; i < k; i++ { // (4) - ss.p0.X[i] = grp.Point().Mul(x[i], G) - ss.p0.Y[i] = grp.Point().Mul(y[i], G) + ss.p0.X[i] = grp.Point().Mul(x[i], g) + ss.p0.Y[i] = grp.Point().Mul(y[i], g) } if err := ctx.Put(ss.p0); err != nil { return err @@ -135,16 +135,16 @@ func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, theta := make([]kyber.Scalar, thlen) ctx.PriRand(theta) Theta := make([]kyber.Point, thlen+1) - Theta[0] = thenc(grp, G, nil, nil, theta[0], yhat[0]) + Theta[0] = thenc(grp, g, nil, nil, theta[0], yhat[0]) for i := 1; i < k; i++ { - Theta[i] = thenc(grp, G, theta[i-1], xhat[i], + Theta[i] = thenc(grp, g, theta[i-1], xhat[i], theta[i], yhat[i]) } for i := k; i < thlen; i++ { - Theta[i] = thenc(grp, G, theta[i-1], gamma, + Theta[i] = thenc(grp, g, theta[i-1], gamma, theta[i], nil) } - Theta[thlen] = thenc(grp, G, theta[thlen-1], gamma, nil, nil) + Theta[thlen] = thenc(grp, g, theta[thlen-1], gamma, nil, nil) ss.p2.Theta = Theta if err := ctx.Put(ss.p2); err != nil { return err @@ -177,15 +177,15 @@ func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, // Simple helper to verify Theta elements, // by checking whether A^a*B^-b = T. // P,Q,s are simply "scratch" kyber.Point/Scalars reused for efficiency. -func thver(A, B, T, P, Q kyber.Point, a, b, s kyber.Scalar) bool { - P.Mul(a, A) - Q.Mul(s.Neg(b), B) - P.Add(P, Q) - return P.Equal(T) +func thver(a, b, t, p, q kyber.Point, aS, bS, s kyber.Scalar) bool { + p.Mul(aS, a) + q.Mul(s.Neg(bS), b) + p.Add(p, q) + return p.Equal(t) } // Verify for Neff simple k-shuffle proofs. -func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, +func (ss *SimpleShuffle) Verify(g, gamma kyber.Point, ctx proof.VerifierContext) error { grp := ss.grp @@ -225,8 +225,8 @@ func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, // Verifier step 5 negt := grp.Scalar().Neg(t) - U := grp.Point().Mul(negt, G) - W := grp.Point().Mul(negt, Gamma) + U := grp.Point().Mul(negt, g) + W := grp.Point().Mul(negt, gamma) Xhat := make([]kyber.Point, k) Yhat := make([]kyber.Point, k) for i := 0; i < k; i++ { @@ -243,10 +243,10 @@ func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, alpha[i-1], alpha[i], s) } for i := k; i < thlen; i++ { - good = good && thver(Gamma, G, Theta[i], P, Q, + good = good && thver(gamma, g, Theta[i], P, Q, alpha[i-1], alpha[i], s) } - good = good && thver(Gamma, G, Theta[thlen], P, Q, + good = good && thver(gamma, g, Theta[thlen], P, Q, alpha[thlen-1], c, s) if !good { return errors.New("incorrect SimpleShuffleProof") diff --git a/sign/anon/enc.go b/sign/anon/enc.go index dc1d4f674..c5217f562 100644 --- a/sign/anon/enc.go +++ b/sign/anon/enc.go @@ -8,22 +8,22 @@ import ( "go.dedis.ch/kyber/v3/util/key" ) -func header(suite Suite, X kyber.Point, x kyber.Scalar, - Xb, xb []byte, anonymitySet Set) []byte { +func header(suite Suite, _ kyber.Point, x kyber.Scalar, + xb1, xb2 []byte, anonymitySet Set) []byte { - //fmt.Printf("Xb %s\nxb %s\n", - // hex.EncodeToString(Xb),hex.EncodeToString(xb)) + //fmt.Printf("xb1 %s\nxb %s\n", + // hex.EncodeToString(xb1),hex.EncodeToString(xb2)) // Encrypt the master scalar key with each public key in the set S := suite.Point() - hdr := Xb + hdr := xb1 for i := range anonymitySet { Y := anonymitySet[i] S.Mul(x, Y) // compute DH shared secret seed, _ := S.MarshalBinary() xof := suite.XOF(seed) - xc := make([]byte, len(xb)) - xof.XORKeyStream(xc, xb) + xc := make([]byte, len(xb2)) + xof.XORKeyStream(xc, xb2) hdr = append(hdr, xc...) } return hdr @@ -156,7 +156,6 @@ func Encrypt(suite Suite, message []byte, // As a side-effect, this verification also ensures plaintext-awareness: // that is, it is infeasible for a sender to construct any ciphertext // that will be accepted by the receiver without knowing the plaintext. -// func Decrypt(suite Suite, ciphertext []byte, anonymitySet Set, mine int, privateKey kyber.Scalar) ([]byte, error) { // Decrypt and check the encrypted key-header. xb, hdrlen, err := decryptKey(suite, ciphertext, anonymitySet, diff --git a/sign/bls/bls.go b/sign/bls/bls.go index f2abb3c0a..6930278bf 100644 --- a/sign/bls/bls.go +++ b/sign/bls/bls.go @@ -65,9 +65,9 @@ func AggregateSignatures(suite pairing.Suite, sigs ...[]byte) ([]byte, error) { // AggregatePublicKeys takes a slice of public G2 points and returns // the sum of those points. This is used to verify multisignatures. -func AggregatePublicKeys(suite pairing.Suite, Xs ...kyber.Point) kyber.Point { +func AggregatePublicKeys(suite pairing.Suite, xs ...kyber.Point) kyber.Point { aggregated := suite.G2().Point() - for _, X := range Xs { + for _, X := range xs { aggregated.Add(aggregated, X) } return aggregated @@ -116,13 +116,13 @@ func BatchVerify(suite pairing.Suite, publics []kyber.Point, msgs [][]byte, sig // key X by verifying that the equality e(H(m), X) == e(H(m), x*B2) == // e(x*H(m), B2) == e(S, B2) holds where e is the pairing operation and B2 is // the base point from curve G2. -func Verify(suite pairing.Suite, X kyber.Point, msg, sig []byte) error { +func Verify(suite pairing.Suite, x kyber.Point, msg, sig []byte) error { hashable, ok := suite.G1().Point().(hashablePoint) if !ok { return errors.New("bls: point needs to implement hashablePoint") } HM := hashable.Hash(msg) - left := suite.Pair(HM, X) + left := suite.Pair(HM, x) s := suite.G1().Point() if err := s.UnmarshalBinary(sig); err != nil { return err diff --git a/sign/dss/dss.go b/sign/dss/dss.go index 4a899d5b7..6adfd35f4 100644 --- a/sign/dss/dss.go +++ b/sign/dss/dss.go @@ -74,7 +74,7 @@ type PartialSig struct { // threshold. It returns an error if the public key of the secret can't be found // in the list of participants. func NewDSS(suite Suite, secret kyber.Scalar, participants []kyber.Point, - long, random DistKeyShare, msg []byte, T int) (*DSS, error) { + long, random DistKeyShare, msg []byte, t int) (*DSS, error) { public := suite.Point().Mul(secret, nil) var i int var found bool @@ -99,7 +99,7 @@ func NewDSS(suite Suite, secret kyber.Scalar, participants []kyber.Point, random: random, randomPoly: share.NewPubPoly(suite, suite.Point().Base(), random.Commitments()), msg: msg, - T: T, + T: t, partialsIdx: make(map[int]bool), sessionID: sessionID(suite, long, random), }, nil