From 92f9ab0f715b757e55a8aa9708efd332c8cc29ce Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 16 Feb 2024 14:15:33 +0100 Subject: [PATCH 01/49] Add golangci-lint --- .github/workflows/go_lint.yml | 4 +++- Makefile | 5 +---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/go_lint.yml b/.github/workflows/go_lint.yml index d9d9d5128..721d00351 100644 --- a/.github/workflows/go_lint.yml +++ b/.github/workflows/go_lint.yml @@ -26,7 +26,9 @@ jobs: run: go mod tidy && [ -z "$(git status -s)" ] - name: Lint - run: make lint + run: | + go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 + make lint - name: Vet run: make vet diff --git a/Makefile b/Makefile index 720452255..dcbd3d743 100644 --- a/Makefile +++ b/Makefile @@ -7,10 +7,7 @@ generate: tidy # Coding style static check. lint: tidy - @echo "Please setup a linter!" - #golangci-lint run - #staticcheck go list ./... - + golangci-lint run vet: tidy go vet ./... From bf910d7bb813ac748311e6603a0cdc05d504ba74 Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 16 Feb 2024 14:21:56 +0100 Subject: [PATCH 02/49] Add golangci-lint install in Makefile --- .github/workflows/go_lint.yml | 4 +--- Makefile | 2 ++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/go_lint.yml b/.github/workflows/go_lint.yml index 721d00351..d9d9d5128 100644 --- a/.github/workflows/go_lint.yml +++ b/.github/workflows/go_lint.yml @@ -26,9 +26,7 @@ jobs: run: go mod tidy && [ -z "$(git status -s)" ] - name: Lint - run: | - go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 - make lint + run: make lint - name: Vet run: make vet diff --git a/Makefile b/Makefile index dcbd3d743..7c429e74a 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,8 @@ generate: tidy # Coding style static check. lint: tidy + go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 + go mod tidy golangci-lint run vet: tidy 
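Review bot: The `go mod tidy` line added to the `lint` target in the second Makefile hunk is redundant: the target already declares `tidy` as a prerequisite (`lint: tidy`), and `go install pkg@version` runs outside the current module and does not rewrite go.mod or go.sum. The CI "Tidy" step that runs just before "Lint" also fails the job when tidy leaves the tree dirty, so a second tidy here adds nothing. I would drop it so the recipe is just `go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2` followed by `golangci-lint run`.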
From 67e5ba2480bae99bfe8a3325b447edcf48640256 Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 16 Feb 2024 14:26:31 +0100 Subject: [PATCH 03/49] Hide golangci install command in logs --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 7c429e74a..b6be21aef 100644 --- a/Makefile +++ b/Makefile @@ -7,8 +7,8 @@ generate: tidy # Coding style static check. lint: tidy - go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 - go mod tidy + @go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 + @go mod tidy golangci-lint run vet: tidy From 5ab92003fca3a7128c647d350fd96c367bb1064f Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 09:23:20 +0100 Subject: [PATCH 04/49] Enable golangci-lint contextcheck --- .golangci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.golangci.yml b/.golangci.yml index e1ca03702..9686c03df 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -109,7 +109,7 @@ linters: - asciicheck # checks that your code does not contain non-ASCII identifiers - bidichk # checks for dangerous unicode character sequences - bodyclose # checks whether HTTP response body is closed successfully - #- contextcheck # checks the function whether use a non-inherited context # TODO: enable after golangci-lint uses https://github.com/sylvia7788/contextcheck/releases/tag/v1.0.7 + - contextcheck # checks the function whether use a non-inherited context - cyclop # checks function and package cyclomatic complexity - dupl # tool for code clone detection - durationcheck # checks for two durations multiplied together From 544ec0f09bd15428276db3e5518fe8b37899e5f8 Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 09:24:57 +0100 Subject: [PATCH 05/49] Add missing error handling --- proof/dleq/dleq.go | 24 ++++++++++++++++++++---- util/encoding/encoding.go | 7 ++++++- 2 files changed, 26 insertions(+), 5 deletions(-) 
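Review bot: Prefixing the `go install` recipe line with `@` removes the only place the CI log records which golangci-lint version actually ran, which is what you need when a lint result has to be reproduced or the pin is bumped later. Keep the command quiet if you like, but hoist the version and print it: `GOLANGCI_LINT_VERSION ?= v1.56.2`, `@echo "installing golangci-lint $(GOLANGCI_LINT_VERSION)"`, `@go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)`. A tag pin like this is integrity-checked against the Go checksum database only while `GOSUMDB`/`GONOSUMDB`/`GOPRIVATE` are left at their defaults, so the workflow should not override them for this step. Note also that every local `make lint` now performs a network download before linting.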
diff --git a/proof/dleq/dleq.go b/proof/dleq/dleq.go index 92fcde75d..112daf072 100644 --- a/proof/dleq/dleq.go +++ b/proof/dleq/dleq.go @@ -49,10 +49,26 @@ func NewDLEQProof(suite Suite, G kyber.Point, H kyber.Point, x kyber.Scalar) (pr // Challenge h := suite.Hash() - xG.MarshalTo(h) - xH.MarshalTo(h) - vG.MarshalTo(h) - vH.MarshalTo(h) + _, err = xG.MarshalTo(h) + if err != nil { + return nil, nil, nil, err + } + + _, err = xH.MarshalTo(h) + if err != nil { + return nil, nil, nil, err + } + + _, err = vG.MarshalTo(h) + if err != nil { + return nil, nil, nil, err + } + + _, err = vH.MarshalTo(h) + if err != nil { + return nil, nil, nil, err + } + cb := h.Sum(nil) c := suite.Scalar().Pick(suite.XOF(cb)) diff --git a/util/encoding/encoding.go b/util/encoding/encoding.go index f1f86b6d1..dbc3a89e5 100644 --- a/util/encoding/encoding.go +++ b/util/encoding/encoding.go @@ -41,7 +41,12 @@ func ReadHexScalar(group kyber.Group, r io.Reader) (kyber.Scalar, error) { if err != nil { return nil, err } - s.UnmarshalBinary(buf) + + err = s.UnmarshalBinary(buf) + if err != nil { + return nil, err + } + return s, nil } From 8dcd61d016c2dc9a4dcc3ede1041edf8d8fd780a Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 09:27:04 +0100 Subject: [PATCH 06/49] Rename unused parameters --- util/encoding/encoding.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/encoding/encoding.go b/util/encoding/encoding.go index dbc3a89e5..aa377df27 100644 --- a/util/encoding/encoding.go +++ b/util/encoding/encoding.go @@ -51,7 +51,7 @@ func ReadHexScalar(group kyber.Group, r io.Reader) (kyber.Scalar, error) { } // WriteHexScalar converts a scalar key to a hex-string -func WriteHexScalar(group kyber.Group, w io.Writer, scalar kyber.Scalar) error { +func WriteHexScalar(_ kyber.Group, w io.Writer, scalar kyber.Scalar) error { buf, err := scalar.MarshalBinary() if err != nil { return err 
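Review bot: The four identical MarshalTo-and-check stanzas added to the challenge hashing in NewDLEQProof would be clearer as one loop over the points in the order they are absorbed, which also makes it harder to drop one of the four from the transcript in a later edit. The enclosing function starts and ends outside the hunk, so `err` is assumed to be already declared there, as the `_, err =` form indicates.
```go
	// Challenge
	h := suite.Hash()
	for _, pt := range []kyber.Point{xG, xH, vG, vH} {
		if _, err = pt.MarshalTo(h); err != nil {
			return nil, nil, nil, err
		}
	}
	// … unchanged: cb := h.Sum(nil) and challenge derivation …
```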
@@ -62,7 +62,7 @@ func WriteHexScalar(group kyber.Group, w io.Writer, scalar kyber.Scalar) error { } // PointToStringHex converts a point to a hexadecimal representation -func PointToStringHex(group kyber.Group, point kyber.Point) (string, error) { +func PointToStringHex(_ kyber.Group, point kyber.Point) (string, error) { pbuf, err := point.MarshalBinary() return hex.EncodeToString(pbuf), err } @@ -73,7 +73,7 @@ func StringHexToPoint(group kyber.Group, s string) (kyber.Point, error) { } // ScalarToStringHex encodes a scalar to hexadecimal. -func ScalarToStringHex(group kyber.Group, scalar kyber.Scalar) (string, error) { +func ScalarToStringHex(_ kyber.Group, scalar kyber.Scalar) (string, error) { sbuf, err := scalar.MarshalBinary() return hex.EncodeToString(sbuf), err } From 342d3c514bdad3fbafceb3da3dc09907d511a710 Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 11:54:34 +0100 Subject: [PATCH 07/49] ignore IDE .idea --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 48a3c84bb..f06b923d6 100644 --- a/.gitignore +++ b/.gitignore @@ -16,4 +16,5 @@ exit_tunnel .DS_Store *.cov profile.tmp -Coding/ \ No newline at end of file +Coding/ +.idea/ From 282feb4d52b2d420b56bd1819e6c5ac9d566e748 Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 14:35:18 +0100 Subject: [PATCH 08/49] Ignore interface bloat in group.go --- .golangci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.golangci.yml b/.golangci.yml index 9686c03df..afa1238d9 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -247,3 +247,6 @@ issues: - govet text: "shadow: declaration of \"err\" shadows declaration" - path: ".*_decl.go" + - path: 'group.go' + linters: + - interfacebloat From 9f82f49e22f4e14850b5daaadc9a280321bc98de Mon Sep 17 00:00:00 2001 
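Review bot: `PointToStringHex` (and `ScalarToStringHex` in the following hunk) returns `hex.EncodeToString(pbuf)` together with `err`, so a caller that looks at the string before the error can receive an empty or partial encoding on failure. Follow the usual convention of a zero result on error: `if err != nil { return "", err }` then `return hex.EncodeToString(pbuf), nil`. This predates the commit, which only renames the unused parameter, but the lines are on the new side of the hunk.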
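Review bot: In golangci-lint's `issues.exclude-rules`, `path` is a regular expression, so the unanchored `'group.go'` also matches any path containing, say, `subgroup.go` or `group_go`, and therefore turns interfacebloat off more widely than the commit message ("in group.go") intends. Anchor it: `- path: '^group\.go$'`. If the intent really is to cover every file named group.go anywhere in the tree, `'(^|/)group\.go$'` says so explicitly.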
From: lauener Date: Mon, 19 Feb 2024 14:36:33 +0100 Subject: [PATCH 09/49] Fix some formatting --- pairing/bn256/constants.go | 41 ++++++++++++++++++++++++++++++------- pairing/bn256/optate.go | 7 ++++++- pairing/bn256/suite_test.go | 2 +- util/random/rand_test.go | 4 ++-- 4 files changed, 43 insertions(+), 11 deletions(-) diff --git a/pairing/bn256/constants.go b/pairing/bn256/constants.go index 943751a07..ae1c99997 100644 --- a/pairing/bn256/constants.go +++ b/pairing/bn256/constants.go 
@@ -20,25 +20,52 @@ var p = bigFromBase10("650005496956466037327964387423599057428253581076230035718 var Order = bigFromBase10("65000549695646603732796438742359905742570406053903786389881062969044166799969") // xiToPMinus1Over6 is ξ^((p-1)/6) where ξ = i+3. -var xiToPMinus1Over6 = &gfP2{gfP{0x25af52988477cdb7, 0x3d81a455ddced86a, 0x227d012e872c2431, 0x179198d3ea65d05}, gfP{0x7407634dd9cca958, 0x36d5bd6c7afb8f26, 0xf4b1c32cebd880fa, 0x6aa7869306f455f}} +var xiToPMinus1Over6 = &gfP2{ + gfP{0x25af52988477cdb7, 0x3d81a455ddced86a, 0x227d012e872c2431, 0x179198d3ea65d05}, + gfP{0x7407634dd9cca958, 0x36d5bd6c7afb8f26, 0xf4b1c32cebd880fa, 0x6aa7869306f455f}, +} // xiToPMinus1Over3 is ξ^((p-1)/3) where ξ = i+3. -var xiToPMinus1Over3 = &gfP2{gfP{0x4f59e37c01832e57, 0xae6be39ac2bbbfe4, 0xe04ea1bb697512f8, 0x3097caa8fc40e10e}, gfP{0xf8606916d3816f2c, 0x1e5c0d7926de927e, 0xbc45f3946d81185e, 0x80752a25aa738091}} +var xiToPMinus1Over3 = &gfP2{ + gfP{0x4f59e37c01832e57, 0xae6be39ac2bbbfe4, 0xe04ea1bb697512f8, 0x3097caa8fc40e10e}, + gfP{0xf8606916d3816f2c, 0x1e5c0d7926de927e, 0xbc45f3946d81185e, 0x80752a25aa738091}, +} // xiToPMinus1Over2 is ξ^((p-1)/2) where ξ = i+3. -var xiToPMinus1Over2 = &gfP2{gfP{0x19da71333653ee20, 0x7eaaf34fc6ed6019, 0xc4ba3a29a60cdd1d, 0x75281311bcc9df79}, gfP{0x18dbee03fb7708fa, 0x1e7601a602c843c7, 0x5dde0688cdb231cb, 0x86db5cf2c605a524}} +var xiToPMinus1Over2 = &gfP2{ + gfP{0x19da71333653ee20, 0x7eaaf34fc6ed6019, 0xc4ba3a29a60cdd1d, 0x75281311bcc9df79}, + gfP{0x18dbee03fb7708fa, 0x1e7601a602c843c7, 0x5dde0688cdb231cb, 0x86db5cf2c605a524}, +} // xiToPSquaredMinus1Over3 is ξ^((p²-1)/3) where ξ = i+3. -var xiToPSquaredMinus1Over3 = &gfP{0x12d3cef5e1ada57d, 0xe2eca1463753babb, 0xca41e40ddccf750, 0x551337060397e04c} +var xiToPSquaredMinus1Over3 = &gfP{ + 0x12d3cef5e1ada57d, + 0xe2eca1463753babb, + 0xca41e40ddccf750, + 0x551337060397e04c, +} // xiTo2PSquaredMinus2Over3 is ξ^((2p²-2)/3) where ξ = i+3 (a cubic root of unity, mod p). 
-var xiTo2PSquaredMinus2Over3 = &gfP{0x3642364f386c1db8, 0xe825f92d2acd661f, 0xf2aba7e846c19d14, 0x5a0bcea3dc52b7a0} +var xiTo2PSquaredMinus2Over3 = &gfP{ + 0x3642364f386c1db8, + 0xe825f92d2acd661f, + 0xf2aba7e846c19d14, + 0x5a0bcea3dc52b7a0, +} // xiToPSquaredMinus1Over6 is ξ^((1p²-1)/6) where ξ = i+3 (a cubic root of -1, mod p). -var xiToPSquaredMinus1Over6 = &gfP{0xe21a761d259c78af, 0x6358fa3f5e84f7e, 0xb7c444d01ac33f0d, 0x35a9333f6e50d058} +var xiToPSquaredMinus1Over6 = &gfP{ + 0xe21a761d259c78af, + 0x6358fa3f5e84f7e, + 0xb7c444d01ac33f0d, + 0x35a9333f6e50d058, +} // xiTo2PMinus2Over3 is ξ^((2p-2)/3) where ξ = i+3. -var xiTo2PMinus2Over3 = &gfP2{gfP{0x51678e7469b3c52a, 0x4fb98f8b13319fc9, 0x29b2254db3f1df75, 0x1c044935a3d22fb2}, gfP{0x4d2ea218872f3d2c, 0x2fcb27fc4abe7b69, 0xd31d972f0e88ced9, 0x53adc04a00a73b15}} +var xiTo2PMinus2Over3 = &gfP2{ + gfP{0x51678e7469b3c52a, 0x4fb98f8b13319fc9, 0x29b2254db3f1df75, 0x1c044935a3d22fb2}, + gfP{0x4d2ea218872f3d2c, 0x2fcb27fc4abe7b69, 0xd31d972f0e88ced9, 0x53adc04a00a73b15}, +} // p2 is p, represented as little-endian 64-bit words. var p2 = [4]uint64{0x185cac6c5e089667, 0xee5b88d120b5b59e, 0xaa6fecb86184dc21, 0x8fb501e34aa387f9} diff --git a/pairing/bn256/optate.go b/pairing/bn256/optate.go index 126c64ca6..a6e178083 100644 --- a/pairing/bn256/optate.go +++ b/pairing/bn256/optate.go 
@@ -112,7 +112,12 @@ func mulLine(ret *gfP12, a, b, c *gfP2) { } // sixuPlus2NAF is 6u+2 in non-adjacent form. -var sixuPlus2NAF = []int8{0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, -1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 1, 0, -1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, 0, 1, 0, 0, 0, 1} +var sixuPlus2NAF = []int8{ + 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, -1, 0, 1, 0, + 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, -1, 0, 1, 0, 0, 0, 1, 0, -1, + 0, 0, 0, -1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, -1, 0, -1, 0, 0, 0, + 0, 1, 0, 0, 0, 1, +} // miller implements the Miller loop for calculating the Optimal Ate pairing. // See algorithm 1 from http://cryptojedi.org/papers/dclxvi-20100714.pdf diff --git a/pairing/bn256/suite_test.go b/pairing/bn256/suite_test.go index 991744de9..bd7b61b7d 100644 --- a/pairing/bn256/suite_test.go +++ b/pairing/bn256/suite_test.go @@ -333,7 +333,7 @@ type tsrPoint struct { } func TestSuiteProtobuf(t *testing.T) { - //bn := suites.MustFind("bn256.adapter") + // bn := suites.MustFind("bn256.adapter") bn1 := NewSuiteG1() bn2 := NewSuiteG2() bnT := NewSuiteGT() diff --git a/util/random/rand_test.go b/util/random/rand_test.go index 36f62f76e..05c39b46e 100644 --- a/util/random/rand_test.go +++ b/util/random/rand_test.go @@ -32,7 +32,7 @@ func TestMixedEntropy(t *testing.T) { } func TestEmptyReader(t *testing.T) { - //expecting a panic + // expecting a panic defer func() { if r := recover(); r == nil { t.Fatal("code did not panicked but should have") @@ -75,7 +75,7 @@ func TestUserOnly(t *testing.T) { } func TestIncorrectSize(t *testing.T) { - //expecting a panic + // expecting a panic defer func() { if r := recover(); r == nil { t.Fatal("code did not panicked but should have") From 43864ca60aedb1a2fb6f6048d3900e0ea5203441 Mon Sep 17 00:00:00 2001 
From: lauener Date: Mon, 19 Feb 2024 14:36:45 +0100 Subject: [PATCH 10/49] Add error handling --- pairing/bn256/point.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pairing/bn256/point.go b/pairing/bn256/point.go index 45210d804..a563ec9e1 100644 --- a/pairing/bn256/point.go +++ b/pairing/bn256/point.go @@ -146,7 +146,10 @@ func (p *pointG1) Mul(s kyber.Scalar, q kyber.Point) kyber.Point { func (p *pointG1) MarshalBinary() ([]byte, error) { // Clone is required as we change the point - p = p.Clone().(*pointG1) + p, ok := p.Clone().(*pointG1) + if !ok { + return nil, errors.New("invalid type cast") + } n := p.ElementSize() // Take a copy so that p is not written to, so calls to MarshalBinary @@ -373,8 +376,10 @@ func (p *pointG2) Mul(s kyber.Scalar, q kyber.Point) kyber.Point { func (p *pointG2) MarshalBinary() ([]byte, error) { // Clone is required as we change the point during the operation - p = p.Clone().(*pointG2) - + p, ok := p.Clone().(*pointG2) + if !ok { + return nil, errors.New("invalid type cast") + } n := p.ElementSize() if p.g == nil { p.g = &twistPoint{} From 5f6afd7de21637527edc5272fe97a862b13c480c Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 16:14:29 +0100 Subject: [PATCH 11/49] Fix asalint --- group/curve25519/suite.go | 4 ++-- group/edwards25519/suite.go | 2 +- group/nist/qrsuite.go | 4 ++-- group/nist/suite.go | 4 ++-- pairing/bn256/suite.go | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/group/curve25519/suite.go b/group/curve25519/suite.go index 4b0249e1d..994afdb18 100644 --- a/group/curve25519/suite.go +++ b/group/curve25519/suite.go 
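Review bot: Both new error paths return the same text, `"invalid type cast"`, so a caller cannot tell whether G1 or G2 marshalling failed, and the message does not say what type was expected. The file's own convention, visible in `panic("bn256.G2: unsupported operation")`, prefixes messages with the group name; I would use `errors.New("bn256.G1: Clone did not return *pointG1")` and `errors.New("bn256.G2: Clone did not return *pointG2")`. Since `Clone` on these receivers is a same-package method, this branch is presumably unreachable and exists to satisfy the linter; a one-line comment saying so would save the next reader from hunting for a real failure mode. This assumes `errors` is already imported in point.go, as the diffstat shows no import line added.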
@@ -30,11 +30,11 @@ func (s *SuiteCurve25519) XOF(seed []byte) kyber.XOF { } func (s *SuiteCurve25519) Read(r io.Reader, objs ...interface{}) error { - return fixbuf.Read(r, s, objs) + return fixbuf.Read(r, s, objs...) } func (s *SuiteCurve25519) Write(w io.Writer, objs ...interface{}) error { - return fixbuf.Write(w, objs) + return fixbuf.Write(w, objs...) } // New implements the kyber.encoding interface diff --git a/group/edwards25519/suite.go b/group/edwards25519/suite.go index aadf8ffdd..12e626d05 100644 --- a/group/edwards25519/suite.go +++ b/group/edwards25519/suite.go @@ -36,7 +36,7 @@ func (s *SuiteEd25519) Read(r io.Reader, objs ...interface{}) error { } func (s *SuiteEd25519) Write(w io.Writer, objs ...interface{}) error { - return fixbuf.Write(w, objs) + return fixbuf.Write(w, objs...) } // New implements the kyber.Encoding interface diff --git a/group/nist/qrsuite.go b/group/nist/qrsuite.go index 2b1fc9107..e340b4f17 100644 --- a/group/nist/qrsuite.go +++ b/group/nist/qrsuite.go @@ -37,11 +37,11 @@ func (s QrSuite) RandomStream() cipher.Stream { } func (s *QrSuite) Read(r io.Reader, objs ...interface{}) error { - return fixbuf.Read(r, s, objs) + return fixbuf.Read(r, s, objs...) } func (s *QrSuite) Write(w io.Writer, objs ...interface{}) error { - return fixbuf.Write(w, objs) + return fixbuf.Write(w, objs...) } // New implements the kyber.encoding interface diff --git a/group/nist/suite.go b/group/nist/suite.go index 04f6bdd83..0b4324751 100644 --- a/group/nist/suite.go +++ b/group/nist/suite.go @@ -36,11 +36,11 @@ func (s *Suite128) RandomStream() cipher.Stream { } func (s *Suite128) Read(r io.Reader, objs ...interface{}) error { - return fixbuf.Read(r, s, objs) + return fixbuf.Read(r, s, objs...) } func (s *Suite128) Write(w io.Writer, objs ...interface{}) error { - return fixbuf.Write(w, objs) + return fixbuf.Write(w, objs...) } // New implements the kyber.encoding interface 
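Review bot: Changing `fixbuf.Read(r, s, objs)` to `fixbuf.Read(r, s, objs...)` (and likewise for `Write`) is a behaviour change, not a cosmetic one: before, the whole `objs` slice was handed over as a single `interface{}` element, so fixbuf saw one `[]interface{}` value rather than the objects the caller listed; whether its reflection happened to unwrap that is not visible here. The commit message ("Fix asalint") names only the linter and no test accompanies the change. I would add a round-trip test that writes two or more values through `Suite.Write` and reads them back with `Suite.Read`, and say in the message that multi-object encoding is what is being fixed. Whether any external caller depended on the old behaviour cannot be judged from this hunk.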
diff --git a/pairing/bn256/suite.go b/pairing/bn256/suite.go index 048d981e9..52afbf49d 100644 --- a/pairing/bn256/suite.go +++ b/pairing/bn256/suite.go @@ -151,7 +151,7 @@ func (c *commonSuite) Read(r io.Reader, objs ...interface{}) error { // Write is the default implementation of kyber.Encoding interface Write. func (c *commonSuite) Write(w io.Writer, objs ...interface{}) error { - return fixbuf.Write(w, objs) + return fixbuf.Write(w, objs...) } // Hash returns a newly instantiated sha256 hash function. From 1fe15275268471fed3ab080b931b0cd01ef46f9d Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 19 Feb 2024 16:16:06 +0100 Subject: [PATCH 12/49] minor fixes --- group/edwards25519/curve.go | 2 +- group/edwards25519/fe.go | 55 ++++++++++++++++++++++--------------- group/edwards25519/ge.go | 23 ++++++++++------ group/nist/curve.go | 6 ++-- group/nist/qrsuite.go | 2 ++ group/nist/residue.go | 19 ++++--------- pairing/bn256/point.go | 2 +- 7 files changed, 60 insertions(+), 49 deletions(-) diff --git a/group/edwards25519/curve.go b/group/edwards25519/curve.go index 379801ab3..75e26f98f 100644 --- a/group/edwards25519/curve.go +++ b/group/edwards25519/curve.go @@ -49,7 +49,7 @@ func (c *Curve) Point() kyber.Point { // requiring it to be a multiple of 8). It also returns the input and the digest used // to generate the key. func (c *Curve) NewKeyAndSeedWithInput(buffer []byte) (kyber.Scalar, []byte, []byte) { - digest := sha512.Sum512(buffer[:]) + digest := sha512.Sum512(buffer) digest[0] &= 0xf8 digest[31] &= 0x7f digest[31] |= 0x40 diff --git a/group/edwards25519/fe.go b/group/edwards25519/fe.go index 53565ad0b..15c0d9de6 100644 --- a/group/edwards25519/fe.go +++ b/group/edwards25519/fe.go @@ -77,7 +77,7 @@ func load4(in []byte) int64 { } func feFromBytes(dst *fieldElement, src []byte) { - h0 := load4(src[:]) + h0 := load4(src) h1 := load3(src[4:]) << 6 h2 := load3(src[7:]) << 5 h3 := load3(src[10:]) << 3 
@@ -135,27 +135,29 @@ func feFromBytes(dst *fieldElement, src []byte) { // feToBytes marshals h to s. // Preconditions: -// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +// +// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. // // Write p=2^255-19; q=floor(h/p). // Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). // // Proof: -// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. -// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4. // -// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). -// Then 0 1000 { print(".") @@ -282,23 +281,18 @@ func (g *ResidueGroup) QuadraticResidueGroup(bitlen uint, rand cipher.Stream) { b := random.Bits(bitlen-1, true, rand) b[len(b)-1] |= 1 // must be odd g.Q = new(big.Int).SetBytes(b) - //println("q?",hex.EncodeToString(g.Q.Bytes())) if !isPrime(g.Q) { continue } - // Does the corresponding P come out prime too? + // TODO:Does the corresponding P come out prime too? g.P = new(big.Int) g.P.Mul(g.Q, two) g.P.Add(g.P, one) - //println("p?",hex.EncodeToString(g.P.Bytes())) if uint(g.P.BitLen()) == bitlen && isPrime(g.P) { break } } - println() - println("p", g.P.String()) - println("q", g.Q.String()) // pick standard generator G h := new(big.Int).Set(two) @@ -310,5 +304,4 @@ func (g *ResidueGroup) QuadraticResidueGroup(bitlen uint, rand cipher.Stream) { } h.Add(h, one) } - println("g", g.G.String()) } diff --git a/pairing/bn256/point.go b/pairing/bn256/point.go index a563ec9e1..038cfb1eb 100644 --- a/pairing/bn256/point.go +++ b/pairing/bn256/point.go @@ -338,7 +338,7 @@ func (p *pointG2) EmbedLen() int { panic("bn256.G2: unsupported operation") } -func (p *pointG2) Embed(data []byte, rand cipher.Stream) kyber.Point { +func (p *pointG2) Embed(_ []byte, _ cipher.Stream) kyber.Point { panic("bn256.G2: unsupported operation") } From c144a8e926bba50643ae42421515852139ddf8cb Mon Sep 17 00:00:00 2001 
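Review bot: The comment rewritten as `// TODO:Does the corresponding P come out prime too?` in QuadraticResidueGroup mislabels an explanation of the check that immediately follows (`g.P = 2q+1`, then `isPrime(g.P)`) as outstanding work; nothing is left to do there, and TODO-scanning linters such as godox will now flag it. Restore the plain form, `// Does the corresponding P come out prime too?`, or if a linter objected to the question style, `// Check whether the corresponding P = 2Q+1 is also prime.`. Dropping the `println` output of p, q and g is welcome; the progress `print(".")` earlier in the loop, outside this hunk, still writes to stderr from library code.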
From: lauener Date: Tue, 20 Feb 2024 11:40:20 +0100 Subject: [PATCH 13/49] Add false-positive exception --- .golangci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.golangci.yml b/.golangci.yml index afa1238d9..49bd4a50e 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -250,3 +250,6 @@ issues: - path: 'group.go' linters: - interfacebloat + - path: 'group/edwards25519/scalar.go' + linters: + - ineffassign From 56874b37d31635568f953d298c433a67d14d5be1 Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 20 Feb 2024 12:32:11 +0100 Subject: [PATCH 14/49] Add line length exception --- .golangci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.golangci.yml b/.golangci.yml index 49bd4a50e..b2d293e83 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -253,3 +253,6 @@ issues: - path: 'group/edwards25519/scalar.go' linters: - ineffassign + - path: 'group/edwards25519/const.go' + linters: + - lll From 3149ecf35ccbbe19cb6cc533b5e68a53537a7fe4 Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 20 Feb 2024 12:50:58 +0100 Subject: [PATCH 15/49] Correct capitalization --- group/curve25519/curve.go | 16 ++-- group/edwards25519/ge.go | 2 + group/edwards25519/ge_mult_vartime.go | 10 +- group/edwards25519/point.go | 132 +++++++++++++------------- group/edwards25519/point_vartime.go | 4 +- share/pvss/pvss.go | 64 ++++++------- shuffle/biffle.go | 18 ++-- shuffle/biffle_test.go | 6 +- shuffle/sequences.go | 60 ++++++------ shuffle/simple.go | 38 ++++---- sign/anon/enc.go | 14 +-- sign/dss/dss.go | 4 +- 12 files changed, 187 insertions(+), 181 deletions(-) diff --git a/group/curve25519/curve.go b/group/curve25519/curve.go index 1a690afdb..8248ad1a7 100644 --- a/group/curve25519/curve.go +++ b/group/curve25519/curve.go 
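Review bot: Excluding `ineffassign` for the whole of `group/edwards25519/scalar.go` switches the check off for every future edit of the scalar arithmetic, not just for the one assignment judged a false positive. A line-scoped directive keeps the rest of the file covered and records the reason: `//nolint:ineffassign // <why the assignment is needed>` on the offending line. The file-wide `lll` exclusion for `const.go` in the next commit is easier to defend, since that file is a table of constants.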
@@ -267,17 +267,17 @@ func (c *curve) onCurve(x, y *mod.Int) bool { // Sanity-check a point to ensure that it is on the curve // and within the appropriate subgroup. -func (c *curve) validPoint(P point) bool { +func (c *curve) validPoint(p point) bool { // Check on-curve - x, y := P.getXY() + x, y := p.getXY() if !c.onCurve(x, y) { return false } // Check in-subgroup by multiplying by subgroup order Q := c.self.Point() - Q.Mul(&c.order, P) + Q.Mul(&c.order, p) if !Q.Equal(c.null) { return false } @@ -295,7 +295,7 @@ func (c *curve) embedLen() int { // Pick a [pseudo-]random curve point with optional embedded data, // filling in the point's x,y coordinates -func (c *curve) embed(P point, data []byte, rand cipher.Stream) { +func (c *curve) embed(p point, data []byte, rand cipher.Stream) { // How much data to embed? dl := c.embedLen() @@ -334,7 +334,7 @@ func (c *curve) embed(P point, data []byte, rand cipher.Stream) { } // Initialize the point - P.initXY(&x.V, &y.V, c.self) + p.initXY(&x.V, &y.V, c.self) if c.full { // If we're using the full group, // we just need any point on the curve, so we're done. @@ -347,8 +347,8 @@ func (c *curve) embed(P point, data []byte, rand cipher.Stream) { // we can convert our point into one in the subgroup // simply by multiplying it by the cofactor. if data == nil { - P.Mul(&c.cofact, P) // multiply by cofactor - if P.Equal(c.null) { + p.Mul(&c.cofact, p) // multiply by cofactor + if p.Equal(c.null) { continue // unlucky; try again } return @@ -360,7 +360,7 @@ func (c *curve) embed(P point, data []byte, rand cipher.Stream) { if Q == nil { Q = c.self.Point() } - Q.Mul(&c.order, P) + Q.Mul(&c.order, p) if Q.Equal(c.null) { return } diff --git a/group/edwards25519/ge.go b/group/edwards25519/ge.go index 5d46eb226..7cbc281c1 100644 --- a/group/edwards25519/ge.go +++ b/group/edwards25519/ge.go 
@@ -432,6 +432,8 @@ func selectCached(c *cachedGroupElement, Ai *[8]cachedGroupElement, b int32) { // Preconditions: // // a[31] <= 127 +// +//nolint:gocritic func geScalarMult(h *extendedGroupElement, a *[32]byte, A *extendedGroupElement) { diff --git a/group/edwards25519/ge_mult_vartime.go b/group/edwards25519/ge_mult_vartime.go index 9ddd61fdf..572c7825e 100644 --- a/group/edwards25519/ge_mult_vartime.go +++ b/group/edwards25519/ge_mult_vartime.go @@ -1,11 +1,15 @@ package edwards25519 // geScalarMultVartime computes h = a*B, where -// a = a[0]+256*a[1]+...+256^31 a[31] -// B is the Ed25519 base point (x,4/5) with x positive. +// +// a = a[0]+256*a[1]+...+256^31 a[31] +// B is the Ed25519 base point (x,4/5) with x positive. // // Preconditions: -// a[31] <= 127 +// +// a[31] <= 127 +// +//nolint:gocritic func geScalarMultVartime(h *extendedGroupElement, a *[32]byte, A *extendedGroupElement) { diff --git a/group/edwards25519/point.go b/group/edwards25519/point.go index 191450ee0..9575bc48b 100644 --- a/group/edwards25519/point.go +++ b/group/edwards25519/point.go 
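Review bot: The bare `//nolint:gocritic` added above geScalarMult (and again above geScalarMultVartime in the next hunk) silences every gocritic check for the function without recording which one or why, which is exactly what `nolintlint` rejects and what the next reader will have to rediscover. Presumably the finding is captLocal on the `A` parameter, since the rest of this commit lower-cases capitalised parameters; if so, name it: `//nolint:gocritic // captLocal: A is the point and a the scalar, following ref10 naming`. If the intent is instead to keep the upstream ref10 names intact, say that in the directive's comment.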
@@ -31,48 +31,48 @@ type point struct { varTime bool } -func (P *point) String() string { +func (p *point) String() string { var b [32]byte - P.ge.ToBytes(&b) + p.ge.ToBytes(&b) return hex.EncodeToString(b[:]) } -func (P *point) MarshalSize() int { +func (p *point) MarshalSize() int { return 32 } -func (P *point) MarshalBinary() ([]byte, error) { +func (p *point) MarshalBinary() ([]byte, error) { var b [32]byte - P.ge.ToBytes(&b) + p.ge.ToBytes(&b) return b[:], nil } // MarshalID returns the type tag used in encoding/decoding -func (P *point) MarshalID() [8]byte { +func (p *point) MarshalID() [8]byte { return marshalPointID } -func (P *point) UnmarshalBinary(b []byte) error { - if !P.ge.FromBytes(b) { +func (p *point) UnmarshalBinary(b []byte) error { + if !p.ge.FromBytes(b) { return errors.New("invalid Ed25519 curve point") } return nil } -func (P *point) MarshalTo(w io.Writer) (int, error) { - return marshalling.PointMarshalTo(P, w) +func (p *point) MarshalTo(w io.Writer) (int, error) { + return marshalling.PointMarshalTo(p, w) } -func (P *point) UnmarshalFrom(r io.Reader) (int, error) { - return marshalling.PointUnmarshalFrom(P, r) +func (p *point) UnmarshalFrom(r io.Reader) (int, error) { + return marshalling.PointUnmarshalFrom(p, r) } // Equality test for two Points on the same curve -func (P *point) Equal(P2 kyber.Point) bool { +func (p *point) Equal(p2 kyber.Point) bool { var b1, b2 [32]byte - P.ge.ToBytes(&b1) - P2.(*point).ge.ToBytes(&b2) + p.ge.ToBytes(&b1) + p2.(*point).ge.ToBytes(&b2) for i := range b1 { if b1[i] != b2[i] { return false 
@@ -81,40 +81,40 @@ func (P *point) Equal(P2 kyber.Point) bool { return true } -// Set point to be equal to P2. -func (P *point) Set(P2 kyber.Point) kyber.Point { - P.ge = P2.(*point).ge - return P +// Set point to be equal to p2. +func (p *point) Set(p2 kyber.Point) kyber.Point { + p.ge = p2.(*point).ge + return p } -// Set point to be equal to P2. -func (P *point) Clone() kyber.Point { - return &point{ge: P.ge} +// Set point to be equal to p2. +func (p *point) Clone() kyber.Point { + return &point{ge: p.ge} } // Set to the neutral element, which is (0,1) for twisted Edwards curves. -func (P *point) Null() kyber.Point { - P.ge.Zero() - return P +func (p *point) Null() kyber.Point { + p.ge.Zero() + return p } // Set to the standard base point for this curve -func (P *point) Base() kyber.Point { - P.ge = baseext - return P +func (p *point) Base() kyber.Point { + p.ge = baseext + return p } -func (P *point) EmbedLen() int { +func (p *point) EmbedLen() int { // Reserve the most-significant 8 bits for pseudo-randomness. // Reserve the least-significant 8 bits for embedded data length. // (Hopefully it's unlikely we'll need >=2048-bit curves soon.) return (255 - 8 - 8) / 8 } -func (P *point) Embed(data []byte, rand cipher.Stream) kyber.Point { +func (p *point) Embed(data []byte, rand cipher.Stream) kyber.Point { // How many bytes to embed? - dl := P.EmbedLen() + dl := p.EmbedLen() if dl > len(data) { dl = len(data) } @@ -127,14 +127,14 @@ func (P *point) Embed(data []byte, rand cipher.Stream) kyber.Point { b[0] = byte(dl) // Encode length in low 8 bits copy(b[1:1+dl], data) // Copy in data to embed } - if !P.ge.FromBytes(b[:]) { // Try to decode + if !p.ge.FromBytes(b[:]) { // Try to decode continue // invalid point, retry } // If we're using the full group, // we just need any point on the curve, so we're done. // if c.full { - // return P,data[dl:] + // return p,data[dl:] // } // We're using the prime-order subgroup, 
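Review bot: The doc comment on `Clone` still reads `// Set point to be equal to p2.`, which is the text of `Set` copied over and touched up for the rename rather than a description of `Clone`; `Clone` takes no argument and returns a fresh point. Replace it with `// Clone returns a new point equal to p.`. While here, `Set`'s comment would be clearer as `// Set sets p equal to p2 and returns p.`, since Go doc comments conventionally start with the identifier they describe.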
@@ -143,91 +143,91 @@ func (P *point) Embed(data []byte, rand cipher.Stream) kyber.Point { // we can convert our point into one in the subgroup // simply by multiplying it by the cofactor. if data == nil { - P.Mul(cofactorScalar, P) // multiply by cofactor - if P.Equal(nullPoint) { + p.Mul(cofactorScalar, p) // multiply by cofactor + if p.Equal(nullPoint) { continue // unlucky; try again } - return P // success + return p // success } // Since we need the point's y-coordinate to hold our data, // we must simply check if the point is in the subgroup // and retry point generation until it is. var Q point - Q.Mul(primeOrderScalar, P) + Q.Mul(primeOrderScalar, p) if Q.Equal(nullPoint) { - return P // success + return p // success } // Keep trying... } } -func (P *point) Pick(rand cipher.Stream) kyber.Point { - return P.Embed(nil, rand) +func (p *point) Pick(rand cipher.Stream) kyber.Point { + return p.Embed(nil, rand) } // Extract embedded data from a point group element -func (P *point) Data() ([]byte, error) { +func (p *point) Data() ([]byte, error) { var b [32]byte - P.ge.ToBytes(&b) + p.ge.ToBytes(&b) dl := int(b[0]) // extract length byte - if dl > P.EmbedLen() { + if dl > p.EmbedLen() { return nil, errors.New("invalid embedded data length") } return b[1 : 1+dl], nil } -func (P *point) Add(P1, P2 kyber.Point) kyber.Point { - E1 := P1.(*point) - E2 := P2.(*point) +func (p *point) Add(p1, p2 kyber.Point) kyber.Point { + E1 := p1.(*point) + E2 := p2.(*point) var t2 cachedGroupElement var r completedGroupElement E2.ge.ToCached(&t2) r.Add(&E1.ge, &t2) - r.ToExtended(&P.ge) + r.ToExtended(&p.ge) - return P + return p } -func (P *point) Sub(P1, P2 kyber.Point) kyber.Point { - E1 := P1.(*point) - E2 := P2.(*point) +func (p *point) Sub(p1, p2 kyber.Point) kyber.Point { + E1 := p1.(*point) + E2 := p2.(*point) var t2 cachedGroupElement var r completedGroupElement E2.ge.ToCached(&t2) r.Sub(&E1.ge, &t2) - r.ToExtended(&P.ge) + r.ToExtended(&p.ge) - return P + return p } // Neg 
finds the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). -func (P *point) Neg(A kyber.Point) kyber.Point { - P.ge.Neg(&A.(*point).ge) - return P +func (p *point) Neg(a kyber.Point) kyber.Point { + p.ge.Neg(&a.(*point).ge) + return p } // Mul multiplies point p by scalar s using the repeated doubling method. -func (P *point) Mul(s kyber.Scalar, A kyber.Point) kyber.Point { +func (p *point) Mul(s kyber.Scalar, b kyber.Point) kyber.Point { a := &s.(*scalar).v - if A == nil { - geScalarMultBase(&P.ge, a) + if b == nil { + geScalarMultBase(&p.ge, a) } else { - if P.varTime { - geScalarMultVartime(&P.ge, a, &A.(*point).ge) + if p.varTime { + geScalarMultVartime(&p.ge, a, &b.(*point).ge) } else { - geScalarMult(&P.ge, a, &A.(*point).ge) + geScalarMult(&p.ge, a, &b.(*point).ge) } } - return P + return p } // HasSmallOrder determines whether the group element has small order @@ -238,8 +238,8 @@ func (P *point) Mul(s kyber.Scalar, A kyber.Point) kyber.Point { // // This is the same code as in // https://github.com/jedisct1/libsodium/blob/4744636721d2e420f8bbe2d563f31b1f5e682229/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c#L1170 -func (P *point) HasSmallOrder() bool { - s, err := P.MarshalBinary() +func (p *point) HasSmallOrder() bool { + s, err := p.MarshalBinary() if err != nil { return false } @@ -274,7 +274,7 @@ func (P *point) HasSmallOrder() bool { // // The method accepts a buffer instead of calling `MarshalBinary` on the receiver // because that always returns a value modulo `prime`. -func (P *point) IsCanonical(s []byte) bool { +func (p *point) IsCanonical(s []byte) bool { if len(s) != 32 { return false } diff --git a/group/edwards25519/point_vartime.go b/group/edwards25519/point_vartime.go index 4bf742fc7..d3a67f8fa 100644 --- a/group/edwards25519/point_vartime.go +++ b/group/edwards25519/point_vartime.go 
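Review bot: In `Mul` the point parameter is renamed from `A` to `b` while the local `a` still holds the scalar bytes, and `b` also reads as the Ed25519 base point `B` named in geScalarMultVartime's doc, although here `nil` is what selects the base point. The doc comment `// Mul multiplies point p by scalar s` is also inaccurate: p is the destination, as the `&p.ge` arguments show. I would pick a name that does not collide with either, e.g. `q`, and fix the doc: `// Mul sets p to s*q, or to s*B for the base point B when q is nil, and returns p.` followed by `func (p *point) Mul(s kyber.Scalar, q kyber.Point) kyber.Point {`.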
@@ -4,6 +4,6 @@ package edwards25519 // but variable time implementation can be used. Set this only on Points // which represent public information. Using variable time algorithms to // operate on private information can result in timing side-channels. -func (P *point) AllowVarTime(varTime bool) { - P.varTime = varTime +func (p *point) AllowVarTime(varTime bool) { + p.varTime = varTime } diff --git a/share/pvss/pvss.go b/share/pvss/pvss.go index 8c8fc8cfe..dbef4dd10 100644 --- a/share/pvss/pvss.go +++ b/share/pvss/pvss.go @@ -44,10 +44,10 @@ type PubVerShare struct { // EncShares creates a list of encrypted publicly verifiable PVSS shares for // the given secret and the list of public keys X using the sharing threshold -// t and the base point H. The function returns the list of shares and the +// t and the base point h. The function returns the list of shares and the // public commitment polynomial. -func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, t int) (shares []*PubVerShare, commit *share.PubPoly, err error) { - n := len(X) +func EncShares(suite Suite, h kyber.Point, x []kyber.Point, secret kyber.Scalar, t int) (shares []*PubVerShare, commit *share.PubPoly, err error) { + n := len(x) encShares := make([]*PubVerShare, n) // Create secret sharing polynomial @@ -56,8 +56,8 @@ func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, // Create secret set of shares priShares := priPoly.Shares(n) - // Create public polynomial commitments with respect to basis H - pubPoly := priPoly.Commit(H) + // Create public polynomial commitments with respect to basis h + pubPoly := priPoly.Commit(h) // Prepare data for encryption consistency proofs ... indices := make([]int, n) 
@@ -66,11 +66,11 @@ func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, for i := 0; i < n; i++ { indices[i] = priShares[i].I values[i] = priShares[i].V - HS[i] = H + HS[i] = h } // Create NIZK discrete-logarithm equality proofs - proofs, _, sX, err := dleq.NewDLEQProofBatch(suite, HS, X, values) + proofs, _, sX, err := dleq.NewDLEQProofBatch(suite, HS, x, values) if err != nil { return nil, nil, err } @@ -84,10 +84,10 @@ func EncShares(suite Suite, H kyber.Point, X []kyber.Point, secret kyber.Scalar, } // VerifyEncShare checks that the encrypted share sX satisfies -// log_{H}(sH) == log_{X}(sX) where sH is the public commitment computed by +// log_{h}(sH) == log_{X}(sX) where sH is the public commitment computed by // evaluating the public commitment polynomial at the encrypted share's index i. -func VerifyEncShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, encShare *PubVerShare) error { - if err := encShare.P.Verify(suite, H, X, sH, encShare.S.V); err != nil { +func VerifyEncShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, encShare *PubVerShare) error { + if err := encShare.P.Verify(suite, h, x, sH, encShare.S.V); err != nil { return errorEncVerification } return nil 
@@ -96,15 +96,15 @@ func VerifyEncShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, e // VerifyEncShareBatch provides the same functionality as VerifyEncShare but for // slices of encrypted shares. The function returns the valid encrypted shares // together with the corresponding public keys. -func VerifyEncShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, error) { - if len(X) != len(sH) || len(sH) != len(encShares) { +func VerifyEncShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, error) { + if len(x) != len(sH) || len(sH) != len(encShares) { return nil, nil, errorDifferentLengths } var K []kyber.Point // good public keys var E []*PubVerShare // good encrypted shares - for i := 0; i < len(X); i++ { - if err := VerifyEncShare(suite, H, X[i], sH[i], encShares[i]); err == nil { - K = append(K, X[i]) + for i := 0; i < len(x); i++ { + if err := VerifyEncShare(suite, h, x[i], sH[i], encShares[i]); err == nil { + K = append(K, x[i]) E = append(E, encShares[i]) } } 
@@ -114,14 +114,14 @@ func VerifyEncShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber // DecShare first verifies the encrypted share against the encryption // consistency proof and, if valid, decrypts it and creates a decryption // consistency proof. -func DecShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, x kyber.Scalar, encShare *PubVerShare) (*PubVerShare, error) { - if err := VerifyEncShare(suite, H, X, sH, encShare); err != nil { +func DecShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, s kyber.Scalar, encShare *PubVerShare) (*PubVerShare, error) { + if err := VerifyEncShare(suite, h, x, sH, encShare); err != nil { return nil, err } G := suite.Point().Base() - V := suite.Point().Mul(suite.Scalar().Inv(x), encShare.S.V) // decryption: x^{-1} * (xS) + V := suite.Point().Mul(suite.Scalar().Inv(s), encShare.S.V) // decryption: s^{-1} * (xS) ps := &share.PubShare{I: encShare.S.I, V: V} - P, _, _, err := dleq.NewDLEQProof(suite, G, V, x) + P, _, _, err := dleq.NewDLEQProof(suite, G, V, s) if err != nil { return nil, err } 
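Review bot: In `DecShare` the lint-driven rename inverts the notation used for key material: the recipient's private scalar is now `s` and its public key point is `x`, and the decryption comment was only half updated — `// decryption: s^{-1} * (xS)` still uses `x` for the scalar that is now called `s`, so it should read `// decryption: s^{-1} * (sS), where S is the share point and s the private key matching x`. Elsewhere in this file `x`/`X` still stand for a scalar/point pair (`X = xG` in `VerifyDecShare`), so a reader now has to check the type of every `x`. Names that keep secret and public material apart, such as `priv kyber.Scalar` and `pub kyber.Point`, would satisfy the linter without the ambiguity; the doc comment above the hunk should in any case state that `s` must be the private key for `x`.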
@@ -131,16 +131,16 @@ func DecShare(suite Suite, H kyber.Point, X kyber.Point, sH kyber.Point, x kyber // DecShareBatch provides the same functionality as DecShare but for slices of // encrypted shares. The function returns the valid encrypted and decrypted // shares as well as the corresponding public keys. -func DecShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point, x kyber.Scalar, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) { - if len(X) != len(sH) || len(sH) != len(encShares) { +func DecShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point, s kyber.Scalar, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) { + if len(x) != len(sH) || len(sH) != len(encShares) { return nil, nil, nil, errorDifferentLengths } var K []kyber.Point // good public keys var E []*PubVerShare // good encrypted shares var D []*PubVerShare // good decrypted shares for i := 0; i < len(encShares); i++ { - if ds, err := DecShare(suite, H, X[i], sH[i], x, encShares[i]); err == nil { - K = append(K, X[i]) + if ds, err := DecShare(suite, h, x[i], sH[i], s, encShares[i]); err == nil { + K = append(K, x[i]) E = append(E, encShares[i]) D = append(D, ds) } 
@@ -150,22 +150,22 @@ func DecShareBatch(suite Suite, H kyber.Point, X []kyber.Point, sH []kyber.Point // VerifyDecShare checks that the decrypted share sG satisfies // log_{G}(X) == log_{sG}(sX). Note that X = xG and sX = s(xG) = x(sG). -func VerifyDecShare(suite Suite, G kyber.Point, X kyber.Point, encShare *PubVerShare, decShare *PubVerShare) error { - if err := decShare.P.Verify(suite, G, decShare.S.V, X, encShare.S.V); err != nil { +func VerifyDecShare(suite Suite, g kyber.Point, x kyber.Point, encShare *PubVerShare, decShare *PubVerShare) error { + if err := decShare.P.Verify(suite, g, decShare.S.V, x, encShare.S.V); err != nil { return errorDecVerification } return nil } // VerifyDecShareBatch provides the same functionality as VerifyDecShare but for -// slices of decrypted shares. The function returns the the valid decrypted shares. -func VerifyDecShareBatch(suite Suite, G kyber.Point, X []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare) ([]*PubVerShare, error) { - if len(X) != len(encShares) || len(encShares) != len(decShares) { +// slices of decrypted shares. The function returns the valid decrypted shares. +func VerifyDecShareBatch(suite Suite, g kyber.Point, x []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare) ([]*PubVerShare, error) { + if len(x) != len(encShares) || len(encShares) != len(decShares) { return nil, errorDifferentLengths } var D []*PubVerShare // good decrypted shares - for i := 0; i < len(X); i++ { - if err := VerifyDecShare(suite, G, X[i], encShares[i], decShares[i]); err == nil { + for i := 0; i < len(x); i++ { + if err := VerifyDecShare(suite, g, x[i], encShares[i], decShares[i]); err == nil { D = append(D, decShares[i]) } } 
@@ -174,8 +174,8 @@ func VerifyDecShareBatch(suite Suite, G kyber.Point, X []kyber.Point, encShares // RecoverSecret first verifies the given decrypted shares against their // decryption consistency proofs and then tries to recover the shared secret. -func RecoverSecret(suite Suite, G kyber.Point, X []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare, t int, n int) (kyber.Point, error) { - D, err := VerifyDecShareBatch(suite, G, X, encShares, decShares) +func RecoverSecret(suite Suite, g kyber.Point, x []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare, t int, n int) (kyber.Point, error) { + D, err := VerifyDecShareBatch(suite, g, x, encShares, decShares) if err != nil { return nil, err } diff --git a/shuffle/biffle.go b/shuffle/biffle.go index af0ec72d3..c4aa9a663 100644 --- a/shuffle/biffle.go +++ b/shuffle/biffle.go @@ -29,12 +29,12 @@ func bifflePred() proof.Predicate { return or } -func bifflePoints(suite Suite, G, H kyber.Point, +func bifflePoints(suite Suite, g, h kyber.Point, X, Y, Xbar, Ybar [2]kyber.Point) map[string]kyber.Point { return map[string]kyber.Point{ - "G": G, - "H": H, + "G": g, + "H": h, "Xbar0-X0": suite.Point().Sub(Xbar[0], X[0]), "Ybar0-Y0": suite.Point().Sub(Ybar[0], Y[0]), "Xbar1-X1": suite.Point().Sub(Xbar[1], X[1]), @@ -46,7 +46,7 @@ func bifflePoints(suite Suite, G, H kyber.Point, } // Biffle is a binary shuffle ("biffle") for 2 ciphertexts based on general ZKPs. -func Biffle(suite Suite, G, H kyber.Point, +func Biffle(suite Suite, g, h kyber.Point, X, Y [2]kyber.Point, rand cipher.Stream) ( Xbar, Ybar [2]kyber.Point, prover proof.Prover) { @@ -64,9 +64,9 @@ func Biffle(suite Suite, G, H kyber.Point, // Create the output pair vectors for i := 0; i < 2; i++ { piI := i ^ bit - Xbar[i] = suite.Point().Mul(beta[piI], G) + Xbar[i] = suite.Point().Mul(beta[piI], g) Xbar[i].Add(Xbar[i], X[piI]) - Ybar[i] = suite.Point().Mul(beta[piI], H) + Ybar[i] = suite.Point().Mul(beta[piI], h) Ybar[i].Add(Ybar[i], Y[piI]) } 
@@ -74,18 +74,18 @@ func Biffle(suite Suite, G, H kyber.Point, secrets := map[string]kyber.Scalar{ "beta0": beta[0], "beta1": beta[1]} - points := bifflePoints(suite, G, H, X, Y, Xbar, Ybar) + points := bifflePoints(suite, g, h, X, Y, Xbar, Ybar) choice := map[proof.Predicate]int{or: bit} prover = or.Prover(suite, secrets, points, choice) return } // BiffleVerifier returns a verifier of the biffle -func BiffleVerifier(suite Suite, G, H kyber.Point, +func BiffleVerifier(suite Suite, g, h kyber.Point, X, Y, Xbar, Ybar [2]kyber.Point) ( verifier proof.Verifier) { or := bifflePred() - points := bifflePoints(suite, G, H, X, Y, Xbar, Ybar) + points := bifflePoints(suite, g, h, X, Y, Xbar, Ybar) return or.Verifier(suite, points) } diff --git a/shuffle/biffle_test.go b/shuffle/biffle_test.go index c4150eaa6..26038d24d 100644 --- a/shuffle/biffle_test.go +++ b/shuffle/biffle_test.go @@ -21,7 +21,7 @@ func TestInvalidBiffle(t *testing.T) { biffleInvalidTest(s) } -func biffleTest(suite Suite, N int) { +func biffleTest(suite Suite, n int) { rand := suite.RandomStream() h, c := setShuffleKeyPairs(rand, suite, 2) @@ -35,8 +35,8 @@ func biffleTest(suite Suite, N int) { Y[i].Add(Y[i], c[i]) // Encrypted client public key } - // Repeat only the actual shuffle portion for benchmark purposes. - for i := 0; i < N; i++ { + // Repeat only the actual shuffle portion for test purposes. + for i := 0; i < n; i++ { // Do a key-shuffle Xbar, Ybar, prover := Biffle(suite, nil, h, X, Y, rand) diff --git a/shuffle/sequences.go b/shuffle/sequences.go index 9519f22ad..6f7cf5e0c 100644 --- a/shuffle/sequences.go +++ b/shuffle/sequences.go 
@@ -33,17 +33,17 @@ import ( // Last coordinate is (NQ-1, k-1) // // Variable names are as representative to the paper as possible. -func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, +func SequencesShuffle(group kyber.Group, g, h kyber.Point, x, y [][]kyber.Point, rand cipher.Stream) (Xbar, Ybar [][]kyber.Point, getProver func(e []kyber.Scalar) ( proof.Prover, error)) { - err := assertXY(X, Y) + err := assertXY(x, y) if err != nil { panic(fmt.Sprintf("invalid data: %v", err)) } - NQ := len(X) - k := len(X[0]) + NQ := len(x) + k := len(x[0]) // Pick a random permutation used in ALL k ElGamal sequences. The permutation // (π) of an ElGamal pair at index i always outputs to the same index @@ -80,10 +80,10 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, for i := 0; i < k; i++ { Xbar[j][i] = group.Point().Mul(beta[j][pi[i]], g) - Xbar[j][i].Add(Xbar[j][i], X[j][pi[i]]) + Xbar[j][i].Add(Xbar[j][i], x[j][pi[i]]) Ybar[j][i] = group.Point().Mul(beta[j][pi[i]], h) - Ybar[j][i].Add(Ybar[j][i], Y[j][pi[i]]) + Ybar[j][i].Add(Ybar[j][i], y[j][pi[i]]) } } @@ -111,7 +111,7 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, } } - XUp, YUp, _, _ := GetSequenceVerifiable(group, X, Y, Xbar, Ybar, e) + XUp, YUp, _, _ := GetSequenceVerifiable(group, x, y, Xbar, Ybar, e) return ps.Prove(pi, g, h, beta2, XUp, YUp, rand, ctx) }, nil 
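Review bot: `SequencesShuffle` still panics on malformed input (`panic(fmt.Sprintf("invalid data: %v", err))` right after `assertXY`), so a library caller that forwards externally supplied ciphertext matrices crashes instead of getting an error back. The function has no error return, so changing that is an API change and probably out of scope for a lint pass, but the contract should then be written down in the doc comment above the hunk, e.g. `// Panics if x and y are empty, ragged, or of different dimensions (see assertXY).` The rest of the body, including the `getProver` closure that does return an error, is outside this hunk.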
@@ -120,27 +120,27 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, X, Y [][]kyber.Point, return Xbar, Ybar, getProver } -// assertXY checks that X, Y have the same dimensions and at least one element -func assertXY(X, Y [][]kyber.Point) error { - if len(X) == 0 || len(X[0]) == 0 { +// assertXY checks that x, y have the same dimensions and at least one element +func assertXY(x, y [][]kyber.Point) error { + if len(x) == 0 || len(x[0]) == 0 { return errors.New("X is empty") } - if len(Y) == 0 || len(Y[0]) == 0 { + if len(y) == 0 || len(y[0]) == 0 { return errors.New("Y is empty") } - if len(X) != len(Y) { - return fmt.Errorf("X and Y have a different size: %d != %d", len(X), len(Y)) + if len(x) != len(y) { + return fmt.Errorf("X and Y have a different size: %d != %d", len(x), len(y)) } - expected := len(X[0]) + expected := len(x[0]) - for i := range X { - if len(X[i]) != expected { - return fmt.Errorf("X[%d] has unexpected size: %d != %d", i, expected, len(X[i])) + for i := range x { + if len(x[i]) != expected { + return fmt.Errorf("X[%d] has unexpected size: %d != %d", i, expected, len(x[i])) } - if len(Y[i]) != expected { - return fmt.Errorf("Y[%d] has unexpected size: %d != %d", i, expected, len(Y[i])) + if len(y[i]) != expected { + return fmt.Errorf("Y[%d] has unexpected size: %d != %d", i, expected, len(y[i])) } } @@ -149,12 +149,12 @@ func assertXY(X, Y [][]kyber.Point) error { // GetSequenceVerifiable returns the consolidated input and output of sequence // shuffling elements. Needed by the prover and verifier. -func GetSequenceVerifiable(group kyber.Group, X, Y, Xbar, Ybar [][]kyber.Point, e []kyber.Scalar) ( +func GetSequenceVerifiable(group kyber.Group, x, y, xBar, yBar [][]kyber.Point, e []kyber.Scalar) ( XUp, YUp, XDown, YDown []kyber.Point) { // EGAR1 (Verifier) - Consolidate input and output - NQ := len(X) - k := len(X[0]) + NQ := len(x) + k := len(x[0]) XUp = make([]kyber.Point, k) YUp = make([]kyber.Point, k) 
@@ -164,22 +164,22 @@ func GetSequenceVerifiable(group kyber.Group, X, Y, Xbar, Ybar [][]kyber.Point, for i := 0; i < k; i++ { // No modification could be made for e[0] -> e[0] = 1 if one wanted - // Remark 7 in the paper - XUp[i] = group.Point().Mul(e[0], X[0][i]) - YUp[i] = group.Point().Mul(e[0], Y[0][i]) + XUp[i] = group.Point().Mul(e[0], x[0][i]) + YUp[i] = group.Point().Mul(e[0], y[0][i]) - XDown[i] = group.Point().Mul(e[0], Xbar[0][i]) - YDown[i] = group.Point().Mul(e[0], Ybar[0][i]) + XDown[i] = group.Point().Mul(e[0], xBar[0][i]) + YDown[i] = group.Point().Mul(e[0], yBar[0][i]) for j := 1; j < NQ; j++ { XUp[i] = group.Point().Add(XUp[i], - group.Point().Mul(e[j], X[j][i])) + group.Point().Mul(e[j], x[j][i])) YUp[i] = group.Point().Add(YUp[i], - group.Point().Mul(e[j], Y[j][i])) + group.Point().Mul(e[j], y[j][i])) XDown[i] = group.Point().Add(XDown[i], - group.Point().Mul(e[j], Xbar[j][i])) + group.Point().Mul(e[j], xBar[j][i])) YDown[i] = group.Point().Add(YDown[i], - group.Point().Mul(e[j], Ybar[j][i])) + group.Point().Mul(e[j], yBar[j][i])) } } diff --git a/shuffle/simple.go b/shuffle/simple.go index 7f7149815..087edf923 100644 --- a/shuffle/simple.go +++ b/shuffle/simple.go @@ -50,7 +50,7 @@ type SimpleShuffle struct { } // Simple helper to compute G^{ab-cd} for Theta vector computation. -func thenc(grp kyber.Group, G kyber.Point, +func thenc(grp kyber.Group, g kyber.Point, a, b, c, d kyber.Scalar) kyber.Point { var ab, cd kyber.Scalar @@ -68,7 +68,7 @@ func thenc(grp kyber.Group, G kyber.Point, } else { cd = grp.Scalar().Zero() } - return grp.Point().Mul(ab.Sub(ab, cd), G) + return grp.Point().Mul(ab.Sub(ab, cd), g) } // Init initializes the simple shuffle with the given group and the k parameter 
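Review bot: This loop indexes `xBar[j][i]`, `yBar[j][i]` and `e[j]` up to `NQ` and `k`, which the previous hunk derives from `x` alone (`NQ := len(x)`, `k := len(x[0])`), and nothing checks that `xBar`, `yBar` have the same shape or that `len(e) >= NQ`. The function's own comment says it is used by the verifier, and on that side `xBar`/`yBar` come from the prover, so a mismatched shape is an index-out-of-range panic triggered by untrusted input rather than a rejected proof. The cheapest guard is to run `assertXY(xBar, yBar)` and compare its dimensions and `len(e)` against `x` at the top of the function, ideally surfacing the mismatch as an error rather than a panic. `GetSequenceVerifiable` starts in the previous hunk.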
@@ -86,7 +86,7 @@ func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle { // Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004. // The Scalar vector y must be a permutation of Scalar vector x // but with all elements multiplied by common Scalar gamma. -func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, +func (ss *SimpleShuffle) Prove(g kyber.Point, gamma kyber.Scalar, x, y []kyber.Scalar, rand cipher.Stream, ctx proof.ProverContext) error { @@ -110,8 +110,8 @@ func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, // Step 0: inputs for i := 0; i < k; i++ { // (4) - ss.p0.X[i] = grp.Point().Mul(x[i], G) - ss.p0.Y[i] = grp.Point().Mul(y[i], G) + ss.p0.X[i] = grp.Point().Mul(x[i], g) + ss.p0.Y[i] = grp.Point().Mul(y[i], g) } if err := ctx.Put(ss.p0); err != nil { return err @@ -135,16 +135,16 @@ func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, theta := make([]kyber.Scalar, thlen) ctx.PriRand(theta) Theta := make([]kyber.Point, thlen+1) - Theta[0] = thenc(grp, G, nil, nil, theta[0], yhat[0]) + Theta[0] = thenc(grp, g, nil, nil, theta[0], yhat[0]) for i := 1; i < k; i++ { - Theta[i] = thenc(grp, G, theta[i-1], xhat[i], + Theta[i] = thenc(grp, g, theta[i-1], xhat[i], theta[i], yhat[i]) } for i := k; i < thlen; i++ { - Theta[i] = thenc(grp, G, theta[i-1], gamma, + Theta[i] = thenc(grp, g, theta[i-1], gamma, theta[i], nil) } - Theta[thlen] = thenc(grp, G, theta[thlen-1], gamma, nil, nil) + Theta[thlen] = thenc(grp, g, theta[thlen-1], gamma, nil, nil) ss.p2.Theta = Theta if err := ctx.Put(ss.p2); err != nil { return err 
@@ -177,15 +177,15 @@ func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, // Simple helper to verify Theta elements, // by checking whether A^a*B^-b = T. // P,Q,s are simply "scratch" kyber.Point/Scalars reused for efficiency. -func thver(A, B, T, P, Q kyber.Point, a, b, s kyber.Scalar) bool { - P.Mul(a, A) - Q.Mul(s.Neg(b), B) - P.Add(P, Q) - return P.Equal(T) +func thver(a, b, t, p, q kyber.Point, aS, bS, s kyber.Scalar) bool { + p.Mul(aS, a) + q.Mul(s.Neg(bS), b) + p.Add(p, q) + return p.Equal(t) } // Verify for Neff simple k-shuffle proofs. -func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, +func (ss *SimpleShuffle) Verify(g, gamma kyber.Point, ctx proof.VerifierContext) error { grp := ss.grp @@ -225,8 +225,8 @@ func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, // Verifier step 5 negt := grp.Scalar().Neg(t) - U := grp.Point().Mul(negt, G) - W := grp.Point().Mul(negt, Gamma) + U := grp.Point().Mul(negt, g) + W := grp.Point().Mul(negt, gamma) Xhat := make([]kyber.Point, k) Yhat := make([]kyber.Point, k) for i := 0; i < k; i++ { @@ -243,10 +243,10 @@ func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, alpha[i-1], alpha[i], s) } for i := k; i < thlen; i++ { - good = good && thver(Gamma, G, Theta[i], P, Q, + good = good && thver(gamma, g, Theta[i], P, Q, alpha[i-1], alpha[i], s) } - good = good && thver(Gamma, G, Theta[thlen], P, Q, + good = good && thver(gamma, g, Theta[thlen], P, Q, alpha[thlen-1], c, s) if !good { return errors.New("incorrect SimpleShuffleProof") diff --git a/sign/anon/enc.go b/sign/anon/enc.go index b7fb16350..c5217f562 100644 --- a/sign/anon/enc.go +++ b/sign/anon/enc.go 
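Review bot: The `thver` rename leaves its header comment describing parameters that no longer exist (`// by checking whether A^a*B^-b = T. P,Q,s are simply "scratch"...`), while the new names `aS`, `bS` say nothing about their role. Either update the comment, e.g. `// thver checks aS*a - bS*b == t; p, q and s are scratch values reused for efficiency.`, or pick names that carry the meaning (`base1, base2, target, scratchP, scratchQ kyber.Point, exp1, exp2, scratch kyber.Scalar`). Likewise `Verify(g, gamma kyber.Point, ...)` now uses `gamma` for a point while `Prove(g kyber.Point, gamma kyber.Scalar, ...)` uses `gamma` for the scalar it commits to; the old `Gamma`/`gamma` split encoded that relationship, and something like `gammaG` would keep it without a capitalised parameter.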
@@ -8,22 +8,22 @@ import ( "go.dedis.ch/kyber/v3/util/key" ) -func header(suite Suite, X kyber.Point, x kyber.Scalar, - Xb, xb []byte, anonymitySet Set) []byte { +func header(suite Suite, _ kyber.Point, x kyber.Scalar, + xb1, xb2 []byte, anonymitySet Set) []byte { - //fmt.Printf("Xb %s\nxb %s\n", - // hex.EncodeToString(Xb),hex.EncodeToString(xb)) + //fmt.Printf("xb1 %s\nxb %s\n", + // hex.EncodeToString(xb1),hex.EncodeToString(xb2)) // Encrypt the master scalar key with each public key in the set S := suite.Point() - hdr := Xb + hdr := xb1 for i := range anonymitySet { Y := anonymitySet[i] S.Mul(x, Y) // compute DH shared secret seed, _ := S.MarshalBinary() xof := suite.XOF(seed) - xc := make([]byte, len(xb)) - xof.XORKeyStream(xc, xb) + xc := make([]byte, len(xb2)) + xof.XORKeyStream(xc, xb2) hdr = append(hdr, xc...) } return hdr diff --git a/sign/dss/dss.go b/sign/dss/dss.go index 4a899d5b7..6adfd35f4 100644 --- a/sign/dss/dss.go +++ b/sign/dss/dss.go @@ -74,7 +74,7 @@ type PartialSig struct { // threshold. It returns an error if the public key of the secret can't be found // in the list of participants. func NewDSS(suite Suite, secret kyber.Scalar, participants []kyber.Point, - long, random DistKeyShare, msg []byte, T int) (*DSS, error) { + long, random DistKeyShare, msg []byte, t int) (*DSS, error) { public := suite.Point().Mul(secret, nil) var i int var found bool @@ -99,7 +99,7 @@ func NewDSS(suite Suite, secret kyber.Scalar, participants []kyber.Point, random: random, randomPoly: share.NewPubPoly(suite, suite.Point().Base(), random.Commitments()), msg: msg, - T: T, + T: t, partialsIdx: make(map[int]bool), sessionID: sessionID(suite, long, random), }, nil From fae7ebfe44d4bab3307cf638156ffd11e4883a73 Mon Sep 17 00:00:00 2001 
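Review bot: In `header` the renames `Xb -> xb1` and `xb -> xb2` erase the one fact a reader needs about these two slices: the body writes `xb1` into the header in the clear (`hdr := xb1`) but XOR-encrypts `xb2` under each DH shared secret (`xof.XORKeyStream(xc, xb2)`), so one is public and the other is presumably the secret being protected. Names such as `pubBytes, secBytes []byte` (or `xbPub, xbSecret`) keep that visible at the call site; with `xb1`/`xb2`, swapping the two arguments would put the secret into the plaintext header and still look correct. The updated debug comment is also only half renamed (`xb1 %s\nxb %s`).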
From: lauener Date: Wed, 21 Feb 2024 12:22:22 +0100 Subject: [PATCH 16/49] Fix lint issues package bn256 --- pairing/bn256/constants.go | 4 ++++ pairing/bn256/gfp12.go | 4 ++-- pairing/bn256/gfp_decl.go | 1 + pairing/bn256/optate.go | 7 +++---- pairing/bn256/point.go | 2 +- 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/pairing/bn256/constants.go b/pairing/bn256/constants.go index ae1c99997..358e242d3 100644 --- a/pairing/bn256/constants.go +++ b/pairing/bn256/constants.go @@ -68,9 +68,13 @@ var xiTo2PMinus2Over3 = &gfP2{ } // p2 is p, represented as little-endian 64-bit words. +// +//nolint:unused // False positive var p2 = [4]uint64{0x185cac6c5e089667, 0xee5b88d120b5b59e, 0xaa6fecb86184dc21, 0x8fb501e34aa387f9} // np is the negative inverse of p, mod 2^256. +// +//nolint:unused // False positive var np = [4]uint64{0x2387f9007f17daa9, 0x734b3343ab8513c8, 0x2524282f48054c12, 0x38997ae661c3ef3c} // rN1 is R^-1 where R = 2^256 mod p. diff --git a/pairing/bn256/gfp12.go b/pairing/bn256/gfp12.go index 8835d11ec..28e640dec 100644 --- a/pairing/bn256/gfp12.go +++ b/pairing/bn256/gfp12.go @@ -166,7 +166,7 @@ func (e *gfP12) Mul(a, b *gfP12) *gfP12 { return e } -func (e *gfP12) MulScalar(a *gfP12, b *gfP6) *gfP12 { +func (e *gfP12) MulScalar(b *gfP6) *gfP12 { e.x.Mul(&e.x, b) e.y.Mul(&e.y, b) return e @@ -217,7 +217,7 @@ func (e *gfP12) Invert(a *gfP12) *gfP12 { e.x.Neg(&a.x) e.y.Set(&a.y) - e.MulScalar(e, t2) + e.MulScalar(t2) return e } diff --git a/pairing/bn256/gfp_decl.go b/pairing/bn256/gfp_decl.go index bdb6a8915..79642cbe1 100644 --- a/pairing/bn256/gfp_decl.go +++ b/pairing/bn256/gfp_decl.go @@ -10,6 +10,7 @@ import ( "golang.org/x/sys/cpu" ) +//nolint:unused // False positive var hasBMI2 = cpu.X86.HasBMI2 //go:noescape diff --git a/pairing/bn256/optate.go b/pairing/bn256/optate.go index a6e178083..0f5d6553b 100644 --- a/pairing/bn256/optate.go +++ b/pairing/bn256/optate.go 
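Review bot: `//nolint:unused // False positive` on `p2` and `np` (and on `hasBMI2` in gfp_decl.go) should state why it is a false positive, otherwise the next person running the linter cannot tell a genuinely dead constant from one that is still load-bearing. These values are presumably referenced from the package's assembly sources, which the `unused` checker does not see; a directive such as `//nolint:unused // referenced from the assembly sources, invisible to the linter` records that and makes it obvious that deleting them would silently break the assembly build. Keep the justification on the same line as the directive.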
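Review bot: Dropping the `a` parameter from `MulScalar` is the right fix — the old body ignored `a` and multiplied `e` in place, so the signature promised `e = a*b` but computed `e = e*b` — but the new one-argument form now differs from the other methods visible here (`Mul(a, b *gfP12)`, `Invert(a *gfP12)`), which set `e` from their arguments. A one-line doc comment would stop someone from "restoring" the pattern: `// MulScalar multiplies e in place by the gfP6 element b (e = e*b).` The only call site visible is `e.MulScalar(t2)` in `Invert`, where `e` was the intended operand anyway.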
@@ -46,7 +46,7 @@ func lineFunctionAdd(r, p *twistPoint, q *curvePoint, r2 *gfP2) (a, b, c *gfP2, b = (&gfP2{}).Neg(L1) b.MulScalar(b, &q.x).Add(b, b) - return + return a, b, c, rOut } func lineFunctionDouble(r *twistPoint, q *curvePoint) (a, b, c *gfP2, rOut *twistPoint) { @@ -88,7 +88,7 @@ func lineFunctionDouble(r *twistPoint, q *curvePoint) (a, b, c *gfP2, rOut *twis c = (&gfP2{}).Mul(&rOut.z, &r.t) c.Add(c, c).MulScalar(c, &q.y) - return + return a, b, c, rOut } func mulLine(ret *gfP12, a, b, c *gfP2) { @@ -201,9 +201,8 @@ func miller(q *twistPoint, p *curvePoint) *gfP12 { r = newR r2.Square(&minusQ2.y) - a, b, c, newR = lineFunctionAdd(r, minusQ2, bAffine, r2) + a, b, c, _ = lineFunctionAdd(r, minusQ2, bAffine, r2) mulLine(ret, a, b, c) - r = newR return ret } diff --git a/pairing/bn256/point.go b/pairing/bn256/point.go index 038cfb1eb..904c6f530 100644 --- a/pairing/bn256/point.go +++ b/pairing/bn256/point.go @@ -522,7 +522,7 @@ func (p *pointGT) EmbedLen() int { panic("bn256.GT: unsupported operation") } -func (p *pointGT) Embed(data []byte, rand cipher.Stream) kyber.Point { +func (p *pointGT) Embed(_ []byte, _ cipher.Stream) kyber.Point { panic("bn256.GT: unsupported operation") } From 72e815735dfdb700078476fe9e40fb063d0d8e8e Mon Sep 17 00:00:00 2001 From: lauener Date: Wed, 21 Feb 2024 12:35:24 +0100 Subject: [PATCH 17/49] Fix lint issues package eddsa --- sign/eddsa/eddsa.go | 24 ++++++++++++------------ sign/eddsa/eddsa_test.go | 20 ++++++++++---------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/sign/eddsa/eddsa.go b/sign/eddsa/eddsa.go index 0e8c9633f..2b348b246 100644 --- a/sign/eddsa/eddsa.go +++ b/sign/eddsa/eddsa.go 
@@ -142,20 +142,20 @@ func VerifyWithChecks(pub, msg, sig []byte) error { IsCanonical(b []byte) bool } - R := group.Point() - if !R.(pointCanCheckCanonicalAndSmallOrder).IsCanonical(sig[:32]) { - return fmt.Errorf("R is not canonical") + r := group.Point() + if !r.(pointCanCheckCanonicalAndSmallOrder).IsCanonical(sig[:32]) { + return fmt.Errorf("r is not canonical") } - if err := R.UnmarshalBinary(sig[:32]); err != nil { - return fmt.Errorf("got R invalid point: %s", err) + if err := r.UnmarshalBinary(sig[:32]); err != nil { + return fmt.Errorf("got r invalid point: %w", err) } - if R.(pointCanCheckCanonicalAndSmallOrder).HasSmallOrder() { - return fmt.Errorf("R has small order") + if r.(pointCanCheckCanonicalAndSmallOrder).HasSmallOrder() { + return fmt.Errorf("r has small order") } s := group.Scalar() if err := s.UnmarshalBinary(sig[32:]); err != nil { - return fmt.Errorf("schnorr: s invalid scalar %s", err) + return fmt.Errorf("schnorr: s invalid scalar %w", err) } public := group.Point() @@ -163,23 +163,23 @@ func VerifyWithChecks(pub, msg, sig []byte) error { return fmt.Errorf("public key is not canonical") } if err := public.UnmarshalBinary(pub); err != nil { - return fmt.Errorf("invalid public key: %s", err) + return fmt.Errorf("invalid public key: %w", err) } if public.(pointCanCheckCanonicalAndSmallOrder).HasSmallOrder() { return fmt.Errorf("public key has small order") } - // reconstruct h = H(R || Public || Msg) + // reconstruct h = H(r || Public || Msg) hash := sha512.New() _, _ = hash.Write(sig[:32]) _, _ = hash.Write(pub) _, _ = hash.Write(msg) h := group.Scalar().SetBytes(hash.Sum(nil)) - // reconstruct S == k*A + R + // reconstruct S == k*A + r S := group.Point().Mul(s, nil) hA := group.Point().Mul(h, public) - RhA := group.Point().Add(R, hA) + RhA := group.Point().Add(r, hA) if !RhA.Equal(S) { return errors.New("reconstructed S is not equal to signature") 
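Review bot: Renaming the variable `R` to `r` is harmless, but rewriting the error strings to `"r is not canonical"` and `"r has small order"` changes observable behaviour for no gain — eddsa_test.go had to be updated in the same series, and any caller matching these messages breaks — and `r` no longer names the signature component as RFC 8032 does, where lowercase r is the nonce scalar. Keep the messages as they were, and since they contain no format verbs use `errors.New`, which this function already imports: `return errors.New("R is not canonical")` and `return errors.New("R has small order")`. If the linter insists on a lowercase variable, `rPoint` keeps the link to the notation used in the comments.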
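Review bot: The comment `// reconstruct S == k*A + r` in the second hunk now mixes three notations: `k` does not exist in this function (the hash scalar is `h`), `S` is the point `s*B` computed on the next line, and lowercase `r` is the variable but the value is the signature point R. Replace it with the check actually performed, `// verify s*B == R + h*A (the RFC 8032 verification equation)`, so the `RhA.Equal(S)` comparison below reads directly against the formula. The hash comment `// reconstruct h = H(r || Public || Msg)` would likewise be clearer as `H(R || A || M)`, matching the encoded values that are hashed (`sig[:32]`, `pub`, `msg`).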
diff --git a/sign/eddsa/eddsa_test.go b/sign/eddsa/eddsa_test.go index cac2f4747..5da88c20a 100644 --- a/sign/eddsa/eddsa_test.go +++ b/sign/eddsa/eddsa_test.go @@ -106,10 +106,10 @@ func TestEdDSASigning(t *testing.T) { // Test signature malleability func TestEdDSAVerifyMalleability(t *testing.T) { /* l = 2^252+27742317777372353535851937790883648493, prime order of the base point */ - var L []uint16 = []uint16{0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, + L := []uint16{0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10} - var c uint16 = 0 + var c uint16 suite := edwards25519.NewBlakeSHA256Ed25519() randomStream := suite.RandomStream() @@ -153,7 +153,7 @@ func TestEdDSAVerifyMalleability(t *testing.T) { // Test non-canonical R func TestEdDSAVerifyNonCanonicalR(t *testing.T) { - var nonCanonicalR []byte = []byte{0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + nonCanonicalR := []byte{0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} @@ -171,12 +171,12 @@ func TestEdDSAVerifyNonCanonicalR(t *testing.T) { sig[i] = nonCanonicalR[i] } err = Verify(ed.Public, msg, sig) - require.EqualError(t, err, "R is not canonical") + require.EqualError(t, err, "r is not canonical") } // Test non-canonical keys func TestEdDSAVerifyNonCanonicalPK(t *testing.T) { - var nonCanonicalPk []byte = []byte{0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + nonCanonicalPk := []byte{0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} 
@@ -196,7 +196,7 @@ func TestEdDSAVerifyNonCanonicalPK(t *testing.T) { // Test for small order R func TestEdDSAVerifySmallOrderR(t *testing.T) { - var smallOrderR []byte = []byte{0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, + smallOrderR := []byte{0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a} @@ -215,12 +215,12 @@ func TestEdDSAVerifySmallOrderR(t *testing.T) { } err = Verify(ed.Public, msg, sig) - require.EqualError(t, err, "R has small order") + require.EqualError(t, err, "r has small order") } // Test for small order public key func TestEdDSAVerifySmallOrderPK(t *testing.T) { - var smallOrderPk []byte = []byte{0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, + smallOrderPk := []byte{0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a} @@ -274,7 +274,7 @@ func ConstantStream(buff []byte) cipher.Stream { } // XORKexStream implements the cipher.Stream interface -func (cs *constantStream) XORKeyStream(dst, src []byte) { +func (cs *constantStream) XORKeyStream(dst, _ []byte) { copy(dst, cs.seed) } @@ -336,7 +336,7 @@ func TestGolden(t *testing.T) { sig2, err := ed.Sign(msg) assert.Nil(t, err) - if !bytes.Equal(sig, sig2[:]) { + if !bytes.Equal(sig, sig2) { t.Errorf("different signature result on line %d: %x vs %x", lineNo, sig, sig2) } From 6959397c96f12ad3580157c1a0bf3c648969ae3f Mon Sep 17 00:00:00 2001 From: lauener Date: Wed, 21 Feb 2024 12:50:03 +0100 Subject: [PATCH 18/49] Fix lint issues package pvss --- share/pvss/pvss.go | 80 ++++++++++++++++++++++++++++++++--------- share/pvss/pvss_test.go | 2 +- 2 files changed, 64 insertions(+), 18 deletions(-) diff --git a/share/pvss/pvss.go b/share/pvss/pvss.go index dbef4dd10..16aeb203b 100644 
--- a/share/pvss/pvss.go +++ b/share/pvss/pvss.go @@ -31,10 +31,10 @@ type Suite interface { } // Some error definitions. -var errorTooFewShares = errors.New("not enough shares to recover secret") -var errorDifferentLengths = errors.New("inputs of different lengths") -var errorEncVerification = errors.New("verification of encrypted share failed") -var errorDecVerification = errors.New("verification of decrypted share failed") +var errTooFewShares = errors.New("not enough shares to recover secret") +var errDifferentLengths = errors.New("inputs of different lengths") +var errEncVerification = errors.New("verification of encrypted share failed") +var errDecVerification = errors.New("verification of decrypted share failed") // PubVerShare is a public verifiable share. type PubVerShare struct { @@ -46,7 +46,13 @@ type PubVerShare struct { // the given secret and the list of public keys X using the sharing threshold // t and the base point h. The function returns the list of shares and the // public commitment polynomial. -func EncShares(suite Suite, h kyber.Point, x []kyber.Point, secret kyber.Scalar, t int) (shares []*PubVerShare, commit *share.PubPoly, err error) { +func EncShares( + suite Suite, + h kyber.Point, + x []kyber.Point, + secret kyber.Scalar, + t int, +) (shares []*PubVerShare, commit *share.PubPoly, err error) { n := len(x) encShares := make([]*PubVerShare, n) 
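Review bot: The sentinels are renamed to `errTooFewShares`, `errDifferentLengths`, `errEncVerification` and `errDecVerification` but stay unexported, so callers of `VerifyEncShare`/`DecShare` cannot distinguish a length mismatch from a failed proof with `errors.Is`, and the batch functions drop shares without saying why. Since the names are being touched anyway, consider exporting them (`ErrEncVerification` etc.) with a doc line each, e.g. `// ErrEncVerification is returned when an encrypted share's DLEQ proof does not verify.`; that is purely additive and keeps existing behaviour.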
@@ -86,9 +92,15 @@ func EncShares(suite Suite, h kyber.Point, x []kyber.Point, secret kyber.Scalar, // VerifyEncShare checks that the encrypted share sX satisfies // log_{h}(sH) == log_{X}(sX) where sH is the public commitment computed by // evaluating the public commitment polynomial at the encrypted share's index i. -func VerifyEncShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, encShare *PubVerShare) error { +func VerifyEncShare( + suite Suite, + h kyber.Point, + x kyber.Point, + sH kyber.Point, + encShare *PubVerShare, +) error { if err := encShare.P.Verify(suite, h, x, sH, encShare.S.V); err != nil { - return errorEncVerification + return errEncVerification } return nil } @@ -96,9 +108,15 @@ func VerifyEncShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, e // VerifyEncShareBatch provides the same functionality as VerifyEncShare but for // slices of encrypted shares. The function returns the valid encrypted shares // together with the corresponding public keys. -func VerifyEncShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, error) { +func VerifyEncShareBatch( + suite Suite, + h kyber.Point, + x []kyber.Point, + sH []kyber.Point, + encShares []*PubVerShare, +) ([]kyber.Point, []*PubVerShare, error) { if len(x) != len(sH) || len(sH) != len(encShares) { - return nil, nil, errorDifferentLengths + return nil, nil, errDifferentLengths } var K []kyber.Point // good public keys var E []*PubVerShare // good encrypted shares 
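Review bot: `VerifyEncShare` discards the error returned by `encShare.P.Verify` and returns the bare sentinel, so the caller learns only that verification failed and loses the underlying reason; `return errors.Join(errEncVerification, err)` keeps `errors.Is(err, errEncVerification)` working while preserving the cause (`errors` is already imported for the sentinels; `errors.Join` needs Go 1.20+, so check the module's Go version). `VerifyDecShare` in the later hunk of this file has the same shape with `errDecVerification`. `VerifyEncShareBatch` in the second hunk on this line continues outside the hunk.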
@@ -114,7 +132,14 @@ func VerifyEncShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber // DecShare first verifies the encrypted share against the encryption // consistency proof and, if valid, decrypts it and creates a decryption // consistency proof. -func DecShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, s kyber.Scalar, encShare *PubVerShare) (*PubVerShare, error) { +func DecShare( + suite Suite, + h kyber.Point, + x kyber.Point, + sH kyber.Point, + s kyber.Scalar, + encShare *PubVerShare, +) (*PubVerShare, error) { if err := VerifyEncShare(suite, h, x, sH, encShare); err != nil { return nil, err } @@ -131,9 +156,16 @@ func DecShare(suite Suite, h kyber.Point, x kyber.Point, sH kyber.Point, s kyber // DecShareBatch provides the same functionality as DecShare but for slices of // encrypted shares. The function returns the valid encrypted and decrypted // shares as well as the corresponding public keys. -func DecShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point, s kyber.Scalar, encShares []*PubVerShare) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) { +func DecShareBatch( + suite Suite, + h kyber.Point, + x []kyber.Point, + sH []kyber.Point, + s kyber.Scalar, + encShares []*PubVerShare, +) ([]kyber.Point, []*PubVerShare, []*PubVerShare, error) { if len(x) != len(sH) || len(sH) != len(encShares) { - return nil, nil, nil, errorDifferentLengths + return nil, nil, nil, errDifferentLengths } var K []kyber.Point // good public keys var E []*PubVerShare // good encrypted shares 
@@ -152,16 +184,22 @@ func DecShareBatch(suite Suite, h kyber.Point, x []kyber.Point, sH []kyber.Point // log_{G}(X) == log_{sG}(sX). Note that X = xG and sX = s(xG) = x(sG). func VerifyDecShare(suite Suite, g kyber.Point, x kyber.Point, encShare *PubVerShare, decShare *PubVerShare) error { if err := decShare.P.Verify(suite, g, decShare.S.V, x, encShare.S.V); err != nil { - return errorDecVerification + return errDecVerification } return nil } // VerifyDecShareBatch provides the same functionality as VerifyDecShare but for // slices of decrypted shares. The function returns the valid decrypted shares. -func VerifyDecShareBatch(suite Suite, g kyber.Point, x []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare) ([]*PubVerShare, error) { +func VerifyDecShareBatch( + suite Suite, + g kyber.Point, + x []kyber.Point, + encShares []*PubVerShare, + decShares []*PubVerShare, +) ([]*PubVerShare, error) { if len(x) != len(encShares) || len(encShares) != len(decShares) { - return nil, errorDifferentLengths + return nil, errDifferentLengths } var D []*PubVerShare // good decrypted shares for i := 0; i < len(x); i++ { @@ -174,13 +212,21 @@ func VerifyDecShareBatch(suite Suite, g kyber.Point, x []kyber.Point, encShares // RecoverSecret first verifies the given decrypted shares against their // decryption consistency proofs and then tries to recover the shared secret. -func RecoverSecret(suite Suite, g kyber.Point, x []kyber.Point, encShares []*PubVerShare, decShares []*PubVerShare, t int, n int) (kyber.Point, error) { +func RecoverSecret( + suite Suite, + g kyber.Point, + x []kyber.Point, + encShares []*PubVerShare, + decShares []*PubVerShare, + t int, + n int, +) (kyber.Point, error) { D, err := VerifyDecShareBatch(suite, g, x, encShares, decShares) if err != nil { return nil, err } if len(D) < t { - return nil, errorTooFewShares + return nil, errTooFewShares } var shares []*share.PubShare for _, s := range D { 
diff --git a/share/pvss/pvss_test.go b/share/pvss/pvss_test.go index e9dfe32b5..f06b0b068 100644 --- a/share/pvss/pvss_test.go +++ b/share/pvss/pvss_test.go @@ -151,7 +151,7 @@ func TestPVSSDeleteFail(test *testing.T) { // (3) Check decrypted shares and recover secret if possible (dealer/3rd party) _, err = RecoverSecret(suite, G, K, E, D, t, n) - require.Equal(test, err, errorTooFewShares) // this test is supposed to fail + require.Equal(test, err, errTooFewShares) // this test is supposed to fail } func TestPVSSBatch(test *testing.T) { From 0dabcf61087f56d4142256e4916ef3738a93c86d Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 22 Feb 2024 14:31:35 +0100 Subject: [PATCH 19/49] Fix lint issues package util --- util/encoding/encoding.go | 2 +- util/encoding/encoding_test.go | 4 ++-- util/key/key_test.go | 2 +- util/test/test.go | 20 +++++++------------- 4 files changed, 11 insertions(+), 17 deletions(-) diff --git a/util/encoding/encoding.go b/util/encoding/encoding.go index aa377df27..aae817a3d 100644 --- a/util/encoding/encoding.go +++ b/util/encoding/encoding.go @@ -23,7 +23,7 @@ func ReadHexPoint(group kyber.Group, r io.Reader) (kyber.Point, error) { } // WriteHexPoint writes a point in hex representation to w. -func WriteHexPoint(group kyber.Group, w io.Writer, point kyber.Point) error { +func WriteHexPoint(w io.Writer, point kyber.Point) error { buf, err := point.MarshalBinary() if err != nil { return err diff --git a/util/encoding/encoding_test.go b/util/encoding/encoding_test.go index a7d230a64..04e9a2388 100644 --- a/util/encoding/encoding_test.go +++ b/util/encoding/encoding_test.go @@ -21,8 +21,8 @@ func ErrFatal(err error) { func TestPubHexStream(t *testing.T) { b := &bytes.Buffer{} p := s.Point().Pick(s.RandomStream()) - ErrFatal(WriteHexPoint(s, b, p)) - ErrFatal(WriteHexPoint(s, b, p)) + ErrFatal(WriteHexPoint(b, p)) + ErrFatal(WriteHexPoint(b, p)) p2, err := ReadHexPoint(s, b) ErrFatal(err) require.Equal(t, p.String(), p2.String()) 
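Review bot: Dropping the `group` parameter from the exported `WriteHexPoint` is a breaking API change for every external caller, and it leaves the pair asymmetric, since `ReadHexPoint(group, r)` in the hunk's context still takes the group. If the break is intended it should be called out in the release notes; otherwise a `// Deprecated:` wrapper with the old signature, or a nolint directive for the linter that flagged the unused parameter, keeps compatibility. The encoding_test.go hunk below updates only the in-repo callers, so it says nothing about downstream users.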
diff --git a/util/key/key_test.go b/util/key/key_test.go index 406032d7b..99ed90c14 100644 --- a/util/key/key_test.go +++ b/util/key/key_test.go @@ -21,7 +21,7 @@ func TestNewKeyPair(t *testing.T) { // A type to test interface Generator by intentionally creating a fixed private key. type fixedPrivSuiteEd25519 edwards25519.SuiteEd25519 -func (s *fixedPrivSuiteEd25519) NewKey(stream cipher.Stream) kyber.Scalar { +func (s *fixedPrivSuiteEd25519) NewKey(_ cipher.Stream) kyber.Scalar { return s.Scalar().SetInt64(33) } diff --git a/util/test/test.go b/util/test/test.go index 87a5d643e..2ffb4d48d 100644 --- a/util/test/test.go +++ b/util/test/test.go @@ -3,6 +3,7 @@ package test import ( "bytes" "crypto/cipher" + "github.com/stretchr/testify/require" "testing" "go.dedis.ch/kyber/v3" @@ -44,13 +45,11 @@ func testEmbed(t *testing.T, g kyber.Group, rand cipher.Stream, points *[]kyber. if err != nil { t.Errorf("Point extraction failed for %v: %v", p, err) } - //println("extracted data (", len(x), " bytes): ", string(x)) - //println("EmbedLen(): ", g.Point().EmbedLen()) - max := g.Point().EmbedLen() - if max > len(b) { - max = len(b) + maxLen := g.Point().EmbedLen() + if maxLen > len(b) { + maxLen = len(b) } - if !bytes.Equal(append(x, b[max:]...), b) { + if !bytes.Equal(append(x, b[maxLen:]...), b) { t.Errorf("Point embedding corrupted the data") } @@ -232,7 +231,6 @@ func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { } // Zero and One identity secrets - //println("dh1^0 = ",ptmp.Mul(dh1, szero).String()) if !ptmp.Mul(szero, dh1).Equal(pzero) { t.Errorf("Encryption with secret=0 didn't work: %v (x) %v == %v != %v", szero, dh1, ptmp, pzero) } 
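Review bot: In the util/test/test.go import hunk, `"github.com/stretchr/testify/require"` is inserted into the standard-library group between `"crypto/cipher"` and `"testing"`; goimports and gci expect third-party imports in their own blank-line-separated group, so this will likely be reshuffled on the next formatter run and may be flagged if an import-ordering linter is enabled in .golangci.yml. Move it into the existing `go.dedis.ch/kyber/v3` group instead. The `maxLen` rename in the `testEmbed` hunk is fine; that function's body continues outside the hunk.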
@@ -393,12 +391,9 @@ func SuiteTest(t *testing.T, suite suite) { // Try hashing something h := suite.Hash() l := h.Size() - //println("HashLen: ", l) _, _ = h.Write([]byte("abc")) hb := h.Sum(nil) - //println("Hash:") - //println(hex.Dump(hb)) if h.Size() != l || len(hb) != l { t.Errorf("inconsistent hash output length: %v vs %v vs %v", l, h.Size(), len(hb)) } @@ -406,9 +401,8 @@ func SuiteTest(t *testing.T, suite suite) { // Generate some pseudorandom bits x := suite.XOF(hb) sb := make([]byte, 128) - x.Read(sb) - //fmt.Println("Stream:") - //fmt.Println(hex.Dump(sb)) + _, err := x.Read(sb) + require.NoError(t, err) // Test if it generates two fresh keys p1 := key.NewKeyPair(suite) From e4793002e5b93d327d890bd608ee99701de8c792 Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 22 Feb 2024 15:42:24 +0100 Subject: [PATCH 20/49] Fix lint issues package keccak --- xof/keccak/keccak.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/xof/keccak/keccak.go b/xof/keccak/keccak.go index f1f7c51aa..317b1e8de 100644 --- a/xof/keccak/keccak.go +++ b/xof/keccak/keccak.go @@ -34,9 +34,15 @@ func (x *xof) Reseed() { } else { x.key = x.key[0:128] } - x.Read(x.key) + _, err := x.Read(x.key) + if err != nil { + panic("xof error getting key: " + err.Error()) + } x.sh = sha3.NewShake256() - x.sh.Write(x.key) + _, err = x.sh.Write(x.key) + if err != nil { + panic("xof error writing key: " + err.Error()) + } } func (x *xof) Reset() { From 41aa5528b6f00e1c4141fa1fbf4a2f95592377e9 Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 22 Feb 2024 15:55:25 +0100 Subject: [PATCH 21/49] Fix lint issues package int --- group/mod/int.go | 93 +++++++++++++++++++++++++++++++++---------- group/mod/int_test.go | 1 + 2 files changed, 74 insertions(+), 20 deletions(-) diff --git a/group/mod/int.go b/group/mod/int.go index ba898f2fd..e4722d637 100644 --- a/group/mod/int.go +++ b/group/mod/int.go 
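Review bot: The new `_, err := x.Read(sb)` in SuiteTest checks the error but not the byte count, so a short read would leave part of `sb` untouched and the test would carry on with stale bytes; `n, err := x.Read(sb)` followed by `require.NoError(t, err)` and `require.Equal(t, len(sb), n)` pins the contract the test relies on. SuiteTest continues outside this hunk.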
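Review bot: `Reseed` in keccak.go ignores the number of bytes `x.Read` returns, so a short read would leave the tail of the reused `x.key` buffer holding the previous key material and the XOF would be reseeded from a partially refreshed key with no indication; check the count together with the error, `n, err := x.Read(x.key)` / `if err != nil || n != len(x.key) { panic("xof error getting key: short read") }` (or `io.ReadFull(x, x.key)` if `io` is imported there). The blake2xb and blake2xs `Reseed` hunks later in the series have the same pattern. Since the error-less `Reseed` signature leaves panic as the only option, a one-line comment saying so next to the panic would help the next reader.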
@@ -14,8 +14,6 @@ import ( "go.dedis.ch/kyber/v3/util/random" ) -var one = big.NewInt(1) -var two = big.NewInt(2) var marshalScalarID = [8]byte{'m', 'o', 'd', '.', 'i', 'n', 't', ' '} // ByteOrder denotes the endianness of the operation. @@ -58,8 +56,8 @@ func NewInt(v *big.Int, m *big.Int) *Int { } // NewInt64 creates a new Int with a given int64 value and big.Int modulus. -func NewInt64(v int64, M *big.Int) *Int { - return new(Int).Init64(v, M) +func NewInt64(v int64, m *big.Int) *Int { + return new(Int).Init64(v, m) } // NewIntBytes creates a new Int with a given slice of bytes and a big.Int @@ -76,10 +74,10 @@ func NewIntString(n, d string, base int, m *big.Int) *Int { // Init a Int with a given big.Int value and modulus pointer. // Note that the value is copied; the modulus is not. -func (i *Int) Init(V *big.Int, m *big.Int) *Int { +func (i *Int) Init(v *big.Int, m *big.Int) *Int { i.M = m i.BO = BigEndian - i.V.Set(V).Mod(&i.V, m) + i.V.Set(v).Mod(&i.V, m) return i } @@ -153,7 +151,11 @@ func (i *Int) Nonzero() bool { // Since this method copies the modulus as well, // it may be used as an alternative to Init(). func (i *Int) Set(a kyber.Scalar) kyber.Scalar { - ai := a.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.V.Set(&ai.V) i.M = ai.M return i @@ -206,8 +208,16 @@ func (i *Int) Uint64() uint64 { // Add sets the target to a + b mod M, where M is a's modulus.. func (i *Int) Add(a, b kyber.Scalar) kyber.Scalar { - ai := a.(*Int) - bi := b.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + + bi, ok := b.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M i.V.Add(&ai.V, &bi.V).Mod(&i.V, i.M) return i 
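Review bot: The `ok`-checked assertion with the identical `panic("invalid scalar casting to Int")` is now written out inline in `Set`, `Add`, `Sub`, `Neg`, `Mul`, `Div`, `Inv`, `Exp`, `Jacobi` and `Sqrt` (this hunk and the following int.go hunks), eleven near-identical blocks; a small unexported helper removes the duplication and gives one place to improve the message later (for example reporting the actual dynamic type with `%T`). The helper below keeps the panic behaviour and message byte-for-byte, and each method then reduces to `ai := toInt(a)`.
```go
// toInt narrows a kyber.Scalar to *Int. Any other implementation is a
// programming error in the caller, so it panics exactly as the inline
// assertions did.
func toInt(s kyber.Scalar) *Int {
	ai, ok := s.(*Int)
	if !ok {
		panic("invalid scalar casting to Int")
	}
	return ai
}

// … unchanged: doc comment of Set …
func (i *Int) Set(a kyber.Scalar) kyber.Scalar {
	ai := toInt(a)
	i.V.Set(&ai.V)
	i.M = ai.M
	return i
}
```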
@@ -216,8 +226,16 @@ func (i *Int) Add(a, b kyber.Scalar) kyber.Scalar { // Sub sets the target to a - b mod M. // Target receives a's modulus. func (i *Int) Sub(a, b kyber.Scalar) kyber.Scalar { - ai := a.(*Int) - bi := b.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + + bi, ok := b.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M i.V.Sub(&ai.V, &bi.V).Mod(&i.V, i.M) return i @@ -225,7 +243,11 @@ func (i *Int) Sub(a, b kyber.Scalar) kyber.Scalar { // Neg sets the target to -a mod M. func (i *Int) Neg(a kyber.Scalar) kyber.Scalar { - ai := a.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M if ai.V.Sign() > 0 { i.V.Sub(i.M, &ai.V) @@ -238,8 +260,16 @@ func (i *Int) Neg(a kyber.Scalar) kyber.Scalar { // Mul sets the target to a * b mod M. // Target receives a's modulus. func (i *Int) Mul(a, b kyber.Scalar) kyber.Scalar { - ai := a.(*Int) - bi := b.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + + bi, ok := b.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M i.V.Mul(&ai.V, &bi.V).Mod(&i.V, i.M) return i @@ -247,8 +277,15 @@ func (i *Int) Mul(a, b kyber.Scalar) kyber.Scalar { // Div sets the target to a * b^-1 mod M, where b^-1 is the modular inverse of b. func (i *Int) Div(a, b kyber.Scalar) kyber.Scalar { - ai := a.(*Int) - bi := b.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + + bi, ok := b.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } var t big.Int i.M = ai.M i.V.Mul(&ai.V, t.ModInverse(&bi.V, i.M)) 
@@ -258,7 +295,11 @@ func (i *Int) Div(a, b kyber.Scalar) kyber.Scalar { // Inv sets the target to the modular inverse of a with respect to modulus M. func (i *Int) Inv(a kyber.Scalar) kyber.Scalar { - ai := a.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M i.V.ModInverse(&a.(*Int).V, i.M) return i @@ -267,7 +308,11 @@ func (i *Int) Inv(a kyber.Scalar) kyber.Scalar { // Exp sets the target to a^e mod M, // where e is an arbitrary big.Int exponent (not necessarily 0 <= e < M). func (i *Int) Exp(a kyber.Scalar, e *big.Int) kyber.Scalar { - ai := a.(*Int) + ai, ok := a.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M // to protect against golang/go#22830 var tmp big.Int @@ -279,7 +324,11 @@ func (i *Int) Exp(a kyber.Scalar, e *big.Int) kyber.Scalar { // Jacobi computes the Jacobi symbol of (a/M), which indicates whether a is // zero (0), a positive square in M (1), or a non-square in M (-1). func (i *Int) Jacobi(as kyber.Scalar) kyber.Scalar { - ai := as.(*Int) + ai, ok := as.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + i.M = ai.M i.V.SetInt64(int64(big.Jacobi(&ai.V, i.M))) return i @@ -289,7 +338,11 @@ func (i *Int) Jacobi(as kyber.Scalar) kyber.Scalar { // Assumes the modulus M is an odd prime. // Returns true on success, false if input a is not a square. func (i *Int) Sqrt(as kyber.Scalar) bool { - ai := as.(*Int) + ai, ok := as.(*Int) + if !ok { + panic("invalid scalar casting to Int") + } + out := i.V.ModSqrt(&ai.V, ai.M) i.M = ai.M return out != nil diff --git a/group/mod/int_test.go b/group/mod/int_test.go index 5a8b3be44..02578e7cd 100644 --- a/group/mod/int_test.go +++ b/group/mod/int_test.go @@ -27,6 +27,7 @@ func TestIntEndianness(t *testing.T) { // Let's change endianness and check the result i.BO = LittleEndian buff3, err := i.MarshalBinary() + assert.Nil(t, err) assert.NotEqual(t, buff2, buff3) // let's try LittleEndian function 
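Review bot: `Inv` asserts `a` into `ai` and then still calls `i.V.ModInverse(&a.(*Int).V, i.M)` with a second, unchecked assertion, so the new guard is bypassed on the one line that uses the value; it should read `i.V.ModInverse(&ai.V, i.M)`. Separately, `big.Int.ModInverse` returns nil and leaves the receiver unchanged when no inverse exists (for example `a` zero), and neither `Inv` nor `Div` in the previous hunk checks that result, so inverting zero silently returns the old value of `i`; at minimum the precondition deserves a comment on both methods. The rest of `Inv` is within the hunk.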
From 3bc58d486760ceb439d5247e7e998da8357eb296 Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 22 Feb 2024 16:03:28 +0100 Subject: [PATCH 22/49] Fix lint issues package blake2x[s, b] --- xof/blake2xb/blake.go | 6 +++++- xof/blake2xs/blake.go | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/xof/blake2xb/blake.go b/xof/blake2xb/blake.go index 9fcf11cc0..81cfabef7 100644 --- a/xof/blake2xb/blake.go +++ b/xof/blake2xb/blake.go @@ -59,7 +59,11 @@ func (x *xof) Reseed() { } else { x.key = x.key[0:128] } - x.Read(x.key) + _, err := x.Read(x.key) + if err != nil { + panic("blake xof error: " + err.Error()) + } + y := New(x.key) // Steal the XOF implementation, and put it inside of x. x.impl = y.(*xof).impl diff --git a/xof/blake2xs/blake.go b/xof/blake2xs/blake.go index e246c541e..e9136fe52 100644 --- a/xof/blake2xs/blake.go +++ b/xof/blake2xs/blake.go @@ -59,7 +59,11 @@ func (x *xof) Reseed() { } else { x.key = x.key[0:128] } - x.Read(x.key) + _, err := x.Read(x.key) + if err != nil { + panic("blake xof error: " + err.Error()) + } + y := New(x.key) // Steal the XOF implementation, and put it inside of x. x.impl = y.(*xof).impl From e58a5ff36ba6d9b633dd8edf00196b20aa4250bc Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 22 Feb 2024 16:23:21 +0100 Subject: [PATCH 23/49] Fix lint issues package curve25519 --- group/curve25519/curve.go | 12 +- group/curve25519/ext.go | 224 +++++++++++++++++++------------------- group/curve25519/param.go | 6 + group/curve25519/proj.go | 216 ++++++++++++++++++------------------ 4 files changed, 234 insertions(+), 224 deletions(-) diff --git a/group/curve25519/curve.go b/group/curve25519/curve.go index 8248ad1a7..6c1c0322f 100644 --- a/group/curve25519/curve.go +++ b/group/curve25519/curve.go 
@@ -101,10 +101,10 @@ func (c *curve) init(self kyber.Group, p *Param, fullGroup bool, // Note that we do NOT initialize c.order with Init(), // as that would normalize to the modulus, resulting in zero. // Just to be sure it's never used, we leave c.order.M set to nil. - // We want it to be in a ModInt so we can pass it to P.Mul(), + // We want it to be in a ModInt, so we can pass it to P.Mul(), // but the scalar's modulus isn't needed for point multiplication. if fullGroup { - // Scalar modulus is prime-order times the ccofactor + // Scalar modulus is prime-order times the cofactor c.order.V.SetInt64(int64(p.R)).Mul(&c.order.V, &p.Q) } else { c.order.V.Set(&p.Q) // Prime-order subgroup @@ -146,8 +146,7 @@ func (c *curve) init(self kyber.Group, p *Param, fullGroup bool, break // got one } } - //println("BX: "+x.V.String()) - //println("BY: "+y.V.String()) + bx, by = &x.V, &y.V } base.initXY(bx, by, self) @@ -278,11 +277,8 @@ func (c *curve) validPoint(p point) bool { // Check in-subgroup by multiplying by subgroup order Q := c.self.Point() Q.Mul(&c.order, p) - if !Q.Equal(c.null) { - return false - } - return true + return Q.Equal(c.null) } // Return number of bytes that can be embedded into points on this curve. diff --git a/group/curve25519/ext.go b/group/curve25519/ext.go index d6d4fdf1a..cabb0c83c 100644 --- a/group/curve25519/ext.go +++ b/group/curve25519/ext.go 
@@ -16,50 +16,50 @@ type extPoint struct { c *ExtendedCurve } -func (P *extPoint) initXY(x, y *big.Int, c kyber.Group) { - P.c = c.(*ExtendedCurve) - P.X.Init(x, &P.c.P) - P.Y.Init(y, &P.c.P) - P.Z.Init64(1, &P.c.P) - P.T.Mul(&P.X, &P.Y) +func (p *extPoint) initXY(x, y *big.Int, c kyber.Group) { + p.c = c.(*ExtendedCurve) + p.X.Init(x, &p.c.P) + p.Y.Init(y, &p.c.P) + p.Z.Init64(1, &p.c.P) + p.T.Mul(&p.X, &p.Y) } -func (P *extPoint) getXY() (x, y *mod.Int) { - P.normalize() - return &P.X, &P.Y +func (p *extPoint) getXY() (x, y *mod.Int) { + p.normalize() + return &p.X, &p.Y } -func (P *extPoint) String() string { - P.normalize() - //return P.c.pointString(&P.X,&P.Y) - buf, _ := P.MarshalBinary() +func (p *extPoint) String() string { + p.normalize() + //return p.c.pointString(&p.X,&p.Y) + buf, _ := p.MarshalBinary() return hex.EncodeToString(buf) } -func (P *extPoint) MarshalSize() int { - return P.c.PointLen() +func (p *extPoint) MarshalSize() int { + return p.c.PointLen() } -func (P *extPoint) MarshalBinary() ([]byte, error) { - P.normalize() - return P.c.encodePoint(&P.X, &P.Y), nil +func (p *extPoint) MarshalBinary() ([]byte, error) { + p.normalize() + return p.c.encodePoint(&p.X, &p.Y), nil } -func (P *extPoint) UnmarshalBinary(b []byte) error { - if err := P.c.decodePoint(b, &P.X, &P.Y); err != nil { +func (p *extPoint) UnmarshalBinary(b []byte) error { + if err := p.c.decodePoint(b, &p.X, &p.Y); err != nil { return err } - P.Z.Init64(1, &P.c.P) - P.T.Mul(&P.X, &P.Y) + p.Z.Init64(1, &p.c.P) + p.T.Mul(&p.X, &p.Y) return nil } -func (P *extPoint) MarshalTo(w io.Writer) (int, error) { - return marshalling.PointMarshalTo(P, w) +func (p *extPoint) MarshalTo(w io.Writer) (int, error) { + return marshalling.PointMarshalTo(p, w) } -func (P *extPoint) UnmarshalFrom(r io.Reader) (int, error) { - return marshalling.PointUnmarshalFrom(P, r) +func (p *extPoint) UnmarshalFrom(r io.Reader) (int, error) { + return marshalling.PointUnmarshalFrom(p, r) } // Equality test for two 
Points on the same curve. 
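Review bot: `initXY` keeps the unchecked assertion `c.(*ExtendedCurve)`, whereas the int.go hunks earlier in this series converted every `a.(*Int)` into an `ok`-checked form with an explicit panic, so the two packages now follow different conventions for the same situation. Either form panics on a wrong type, but the `kyber.Group` parameter here is where a caller can hand over the wrong curve, and `panic("initXY: group is not an *ExtendedCurve")` is more useful than the runtime's interface-conversion message. `Equal`, `Set`, `Add`, `Sub`, `Neg` and `Mul` in the following ext.go hunks, and their proj.go counterparts, carry the same unchecked `cp2.(*extPoint)` and `s.(*mod.Int)` assertions. `String` also keeps the dead `//return p.c.pointString(&p.X,&p.Y)` line while similar commented-out `println` calls are removed elsewhere in this patch.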
@@ -68,152 +68,156 @@ func (P *extPoint) UnmarshalFrom(r io.Reader) (int, error) { // (X1/Z1,Y1/Z1) == (X2/Z2,Y2/Z2) // iff // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1) -func (P *extPoint) Equal(CP2 kyber.Point) bool { - P2 := CP2.(*extPoint) +func (p *extPoint) Equal(cp2 kyber.Point) bool { + p2 := cp2.(*extPoint) var t1, t2 mod.Int - xeq := t1.Mul(&P.X, &P2.Z).Equal(t2.Mul(&P2.X, &P.Z)) - yeq := t1.Mul(&P.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &P.Z)) + xeq := t1.Mul(&p.X, &p2.Z).Equal(t2.Mul(&p2.X, &p.Z)) + yeq := t1.Mul(&p.Y, &p2.Z).Equal(t2.Mul(&p2.Y, &p.Z)) return xeq && yeq } -func (P *extPoint) Set(CP2 kyber.Point) kyber.Point { - P2 := CP2.(*extPoint) - P.c = P2.c - P.X.Set(&P2.X) - P.Y.Set(&P2.Y) - P.Z.Set(&P2.Z) - P.T.Set(&P2.T) - return P +func (p *extPoint) Set(cp2 kyber.Point) kyber.Point { + p2 := cp2.(*extPoint) + p.c = p2.c + p.X.Set(&p2.X) + p.Y.Set(&p2.Y) + p.Z.Set(&p2.Z) + p.T.Set(&p2.T) + return p } -func (P *extPoint) Clone() kyber.Point { - P2 := extPoint{} - P2.c = P.c - P2.X.Set(&P.X) - P2.Y.Set(&P.Y) - P2.Z.Set(&P.Z) - P2.T.Set(&P.T) - return &P2 +func (p *extPoint) Clone() kyber.Point { + p2 := extPoint{} + p2.c = p.c + p2.X.Set(&p.X) + p2.Y.Set(&p.Y) + p2.Z.Set(&p.Z) + p2.T.Set(&p.T) + return &p2 } -func (P *extPoint) Null() kyber.Point { - P.Set(&P.c.null) - return P +func (p *extPoint) Null() kyber.Point { + p.Set(&p.c.null) + return p } -func (P *extPoint) Base() kyber.Point { - P.Set(&P.c.base) - return P +func (p *extPoint) Base() kyber.Point { + p.Set(&p.c.base) + return p } -func (P *extPoint) EmbedLen() int { - return P.c.embedLen() +func (p *extPoint) EmbedLen() int { + return p.c.embedLen() } // Normalize the point's representation to Z=1. 
-func (P *extPoint) normalize() { - P.Z.Inv(&P.Z) - P.X.Mul(&P.X, &P.Z) - P.Y.Mul(&P.Y, &P.Z) - P.Z.V.SetInt64(1) - P.T.Mul(&P.X, &P.Y) +func (p *extPoint) normalize() { + p.Z.Inv(&p.Z) + p.X.Mul(&p.X, &p.Z) + p.Y.Mul(&p.Y, &p.Z) + p.Z.V.SetInt64(1) + p.T.Mul(&p.X, &p.Y) } // Check the validity of the T coordinate -func (P *extPoint) checkT() { +func (p *extPoint) checkT() { var t1, t2 mod.Int - if !t1.Mul(&P.X, &P.Y).Equal(t2.Mul(&P.Z, &P.T)) { + if !t1.Mul(&p.X, &p.Y).Equal(t2.Mul(&p.Z, &p.T)) { panic("oops") } } -func (P *extPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { - P.c.embed(P, data, rand) - return P +func (p *extPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { + p.c.embed(p, data, rand) + return p } -func (P *extPoint) Pick(rand cipher.Stream) kyber.Point { - P.c.embed(P, nil, rand) - return P +func (p *extPoint) Pick(rand cipher.Stream) kyber.Point { + p.c.embed(p, nil, rand) + return p } // Extract embedded data from a point group element -func (P *extPoint) Data() ([]byte, error) { - P.normalize() - return P.c.data(&P.X, &P.Y) +func (p *extPoint) Data() ([]byte, error) { + p.normalize() + return p.c.data(&p.X, &p.Y) } // Add two points using optimized extended coordinate addition formulas. 
-func (P *extPoint) Add(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*extPoint) - P2 := CP2.(*extPoint) - X1, Y1, Z1, T1 := &P1.X, &P1.Y, &P1.Z, &P1.T - X2, Y2, Z2, T2 := &P2.X, &P2.Y, &P2.Z, &P2.T - X3, Y3, Z3, T3 := &P.X, &P.Y, &P.Z, &P.T +// +//nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double() +func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point { + p1 := cp1.(*extPoint) + p2 := cp2.(*extPoint) + X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T + X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T + X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T var A, B, C, D, E, F, G, H mod.Int A.Mul(X1, X2) B.Mul(Y1, Y2) - C.Mul(T1, T2).Mul(&C, &P.c.d) + C.Mul(T1, T2).Mul(&C, &p.c.d) D.Mul(Z1, Z2) E.Add(X1, Y1).Mul(&E, F.Add(X2, Y2)).Sub(&E, &A).Sub(&E, &B) F.Sub(&D, &C) G.Add(&D, &C) - H.Mul(&P.c.a, &A).Sub(&B, &H) + H.Mul(&p.c.a, &A).Sub(&B, &H) X3.Mul(&E, &F) Y3.Mul(&G, &H) T3.Mul(&E, &H) Z3.Mul(&F, &G) - return P + return p } // Subtract points. -func (P *extPoint) Sub(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*extPoint) - P2 := CP2.(*extPoint) - X1, Y1, Z1, T1 := &P1.X, &P1.Y, &P1.Z, &P1.T - X2, Y2, Z2, T2 := &P2.X, &P2.Y, &P2.Z, &P2.T - X3, Y3, Z3, T3 := &P.X, &P.Y, &P.Z, &P.T +// +//nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double() +func (p *extPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { + p1 := cp1.(*extPoint) + p2 := cp2.(*extPoint) + X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T + X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T + X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T var A, B, C, D, E, F, G, H mod.Int A.Mul(X1, X2) B.Mul(Y1, Y2) - C.Mul(T1, T2).Mul(&C, &P.c.d) + C.Mul(T1, T2).Mul(&C, &p.c.d) D.Mul(Z1, Z2) E.Add(X1, Y1).Mul(&E, F.Sub(Y2, X2)).Add(&E, &A).Sub(&E, &B) F.Add(&D, &C) G.Sub(&D, &C) - H.Mul(&P.c.a, &A).Add(&B, &H) + H.Mul(&p.c.a, &A).Add(&B, &H) X3.Mul(&E, &F) Y3.Mul(&G, &H) T3.Mul(&E, &H) Z3.Mul(&F, &G) - return P + return p } // Find the negative of point A. 
// For Edwards curves, the negative of (x,y) is (-x,y). -func (P *extPoint) Neg(CA kyber.Point) kyber.Point { - A := CA.(*extPoint) - P.c = A.c - P.X.Neg(&A.X) - P.Y.Set(&A.Y) - P.Z.Set(&A.Z) - P.T.Neg(&A.T) - return P +func (p *extPoint) Neg(ca kyber.Point) kyber.Point { + A := ca.(*extPoint) + p.c = A.c + p.X.Neg(&A.X) + p.Y.Set(&A.Y) + p.Z.Set(&A.Z) + p.T.Neg(&A.T) + return p } // Optimized point doubling for use in scalar multiplication. // Uses the formulae in section 3.3 of: // https://www.iacr.org/archive/asiacrypt2008/53500329/53500329.pdf -func (P *extPoint) double() { - X1, Y1, Z1, T1 := &P.X, &P.Y, &P.Z, &P.T +func (p *extPoint) double() { + X1, Y1, Z1, T1 := &p.X, &p.Y, &p.Z, &p.T var A, B, C, D, E, F, G, H mod.Int A.Mul(X1, X1) B.Mul(Y1, Y1) C.Mul(Z1, Z1).Add(&C, &C) - D.Mul(&P.c.a, &A) + D.Mul(&p.c.a, &A) E.Add(X1, Y1).Mul(&E, &E).Sub(&E, &A).Sub(&E, &B) G.Add(&D, &B) F.Sub(&G, &C) @@ -229,26 +233,26 @@ func (P *extPoint) double() { // Currently doesn't implement the optimization of // switching between projective and extended coordinates during // scalar multiplication. -func (P *extPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point { +func (p *extPoint) Mul(s kyber.Scalar, g kyber.Point) kyber.Point { v := s.(*mod.Int).V - if G == nil { - return P.Base().Mul(s, P) + if g == nil { + return p.Base().Mul(s, p) } - T := P - if G == P { // Must use temporary for in-place multiply + T := p + if g == p { // Must use temporary for in-place multiply T = &extPoint{} } - T.Set(&P.c.null) // Initialize to identity element (0,1) + T.Set(&p.c.null) // Initialize to identity element (0,1) for i := v.BitLen() - 1; i >= 0; i-- { T.double() if v.Bit(i) != 0 { - T.Add(T, G) + T.Add(T, g) } } - if T != P { - P.Set(T) + if T != p { + p.Set(T) } - return P + return p } // ExtendedCurve implements Twisted Edwards curves diff --git a/group/curve25519/param.go b/group/curve25519/param.go index 1d460b97d..99ad24a3c 100644 --- a/group/curve25519/param.go 
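Review bot: The receiver rename to `p` is done, but the local names inside the methods are left mixed: `Neg` keeps `A := ca.(*extPoint)` and `Mul` keeps `T := p`, while `Equal`, `Set` and `Clone` now use `p2`, and the proj.go hunks later in this patch keep `P1`/`P2` for the very same code, so a reader diffing ext.go against proj.go sees two spellings of one variable. Lower-casing these to `a`, `t`, `p1`, `p2` (keeping the `X1 … T3` coordinate names, which follow the cited formulas) would finish the rename consistently. The new `//nolint:dupl //Doesn't make sense ...` directives also lack the space after the second `//`; the conventional form is `//nolint:dupl // Add, Sub and double share the formula structure by design`, which some nolintlint configurations require.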
+++ b/group/curve25519/param.go @@ -110,6 +110,8 @@ func ParamE382() *Param { p.R = 8 p.A.SetInt64(1) p.D.SetInt64(-67254) + + //nolint:lll // Line not breakable p.PBX.SetString("3914921414754292646847594472454013487047137431784830634731377862923477302047857640522480241298429278603678181725699", 10) p.PBY.SetString("17", 10) return &p @@ -128,6 +130,8 @@ func Param41417() *Param { p.R = 8 p.A.SetInt64(1) p.D.SetInt64(3617) + + //nolint:lll // Line not breakable p.PBX.SetString("17319886477121189177719202498822615443556957307604340815256226171904769976866975908866528699294134494857887698432266169206165", 10) p.PBY.SetString("34", 10) return &p @@ -150,6 +154,8 @@ func ParamE521() *Param { p.R = 8 p.A.SetInt64(1) p.D.SetInt64(-376014) + + //nolint:lll // Line not breakable p.PBX.SetString("1571054894184995387535939749894317568645297350402905821437625181152304994381188529632591196067604100772673927915114267193389905003276673749012051148356041324", 10) p.PBY.SetString("12", 10) return &p diff --git a/group/curve25519/proj.go b/group/curve25519/proj.go index d0ea04da2..13a2a4d9b 100644 --- a/group/curve25519/proj.go +++ b/group/curve25519/proj.go 
@@ -15,43 +15,43 @@ type projPoint struct { c *ProjectiveCurve } -func (P *projPoint) initXY(x, y *big.Int, c kyber.Group) { - P.c = c.(*ProjectiveCurve) - P.X.Init(x, &P.c.P) - P.Y.Init(y, &P.c.P) - P.Z.Init64(1, &P.c.P) +func (p *projPoint) initXY(x, y *big.Int, c kyber.Group) { + p.c = c.(*ProjectiveCurve) + p.X.Init(x, &p.c.P) + p.Y.Init(y, &p.c.P) + p.Z.Init64(1, &p.c.P) } -func (P *projPoint) getXY() (x, y *mod.Int) { - P.normalize() - return &P.X, &P.Y +func (p *projPoint) getXY() (x, y *mod.Int) { + p.normalize() + return &p.X, &p.Y } -func (P *projPoint) String() string { - P.normalize() - return P.c.pointString(&P.X, &P.Y) +func (p *projPoint) String() string { + p.normalize() + return p.c.pointString(&p.X, &p.Y) } -func (P *projPoint) MarshalSize() int { - return P.c.PointLen() +func (p *projPoint) MarshalSize() int { + return p.c.PointLen() } -func (P *projPoint) MarshalBinary() ([]byte, error) { - P.normalize() - return P.c.encodePoint(&P.X, &P.Y), nil +func (p *projPoint) MarshalBinary() ([]byte, error) { + p.normalize() + return p.c.encodePoint(&p.X, &p.Y), nil } -func (P *projPoint) UnmarshalBinary(b []byte) error { - P.Z.Init64(1, &P.c.P) - return P.c.decodePoint(b, &P.X, &P.Y) +func (p *projPoint) UnmarshalBinary(b []byte) error { + p.Z.Init64(1, &p.c.P) + return p.c.decodePoint(b, &p.X, &p.Y) } -func (P *projPoint) MarshalTo(w io.Writer) (int, error) { - return marshalling.PointMarshalTo(P, w) +func (p *projPoint) MarshalTo(w io.Writer) (int, error) { + return marshalling.PointMarshalTo(p, w) } -func (P *projPoint) UnmarshalFrom(r io.Reader) (int, error) { - return marshalling.PointUnmarshalFrom(P, r) +func (p *projPoint) UnmarshalFrom(r io.Reader) (int, error) { + return marshalling.PointUnmarshalFrom(p, r) } // Equality test for two Points on the same curve. 
@@ -60,67 +60,67 @@ func (P *projPoint) UnmarshalFrom(r io.Reader) (int, error) { // (X1/Z1,Y1/Z1) == (X2/Z2,Y2/Z2) // iff // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1) -func (P *projPoint) Equal(CP2 kyber.Point) bool { - P2 := CP2.(*projPoint) +func (p *projPoint) Equal(cp2 kyber.Point) bool { + P2 := cp2.(*projPoint) var t1, t2 mod.Int - xeq := t1.Mul(&P.X, &P2.Z).Equal(t2.Mul(&P2.X, &P.Z)) - yeq := t1.Mul(&P.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &P.Z)) + xeq := t1.Mul(&p.X, &P2.Z).Equal(t2.Mul(&P2.X, &p.Z)) + yeq := t1.Mul(&p.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &p.Z)) return xeq && yeq } -func (P *projPoint) Set(CP2 kyber.Point) kyber.Point { - P2 := CP2.(*projPoint) - P.c = P2.c - P.X.Set(&P2.X) - P.Y.Set(&P2.Y) - P.Z.Set(&P2.Z) - return P +func (p *projPoint) Set(cp2 kyber.Point) kyber.Point { + P2 := cp2.(*projPoint) + p.c = P2.c + p.X.Set(&P2.X) + p.Y.Set(&P2.Y) + p.Z.Set(&P2.Z) + return p } -func (P *projPoint) Clone() kyber.Point { +func (p *projPoint) Clone() kyber.Point { P2 := projPoint{} - P2.c = P.c - P2.X.Set(&P.X) - P2.Y.Set(&P.Y) - P2.Z.Set(&P.Z) + P2.c = p.c + P2.X.Set(&p.X) + P2.Y.Set(&p.Y) + P2.Z.Set(&p.Z) return &P2 } -func (P *projPoint) Null() kyber.Point { - P.Set(&P.c.null) - return P +func (p *projPoint) Null() kyber.Point { + p.Set(&p.c.null) + return p } -func (P *projPoint) Base() kyber.Point { - P.Set(&P.c.base) - return P +func (p *projPoint) Base() kyber.Point { + p.Set(&p.c.base) + return p } -func (P *projPoint) EmbedLen() int { - return P.c.embedLen() +func (p *projPoint) EmbedLen() int { + return p.c.embedLen() } // Normalize the point's representation to Z=1. 
-func (P *projPoint) normalize() { - P.Z.Inv(&P.Z) - P.X.Mul(&P.X, &P.Z) - P.Y.Mul(&P.Y, &P.Z) - P.Z.V.SetInt64(1) +func (p *projPoint) normalize() { + p.Z.Inv(&p.Z) + p.X.Mul(&p.X, &p.Z) + p.Y.Mul(&p.Y, &p.Z) + p.Z.V.SetInt64(1) } -func (P *projPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { - P.c.embed(P, data, rand) - return P +func (p *projPoint) Embed(data []byte, rand cipher.Stream) kyber.Point { + p.c.embed(p, data, rand) + return p } -func (P *projPoint) Pick(rand cipher.Stream) kyber.Point { - return P.Embed(nil, rand) +func (p *projPoint) Pick(rand cipher.Stream) kyber.Point { + return p.Embed(nil, rand) } // Extract embedded data from a point group element -func (P *projPoint) Data() ([]byte, error) { - P.normalize() - return P.c.data(&P.X, &P.Y) +func (p *projPoint) Data() ([]byte, error) { + p.normalize() + return p.c.data(&p.X, &p.Y) } // Add two points using optimized projective coordinate addition formulas. @@ -128,9 +128,11 @@ func (P *projPoint) Data() ([]byte, error) { // // http://eprint.iacr.org/2008/013.pdf // https://hyperelliptic.org/EFD/g1p/auto-twisted-projective.html -func (P *projPoint) Add(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*projPoint) - P2 := CP2.(*projPoint) +// +//nolint:dupl //Doesn't make sense to extract part of Add(), Sub() +func (p *projPoint) Add(cp1, cp2 kyber.Point) kyber.Point { + P1 := cp1.(*projPoint) + P2 := cp2.(*projPoint) X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int 
@@ -139,25 +141,27 @@ func (P *projPoint) Add(CP1, CP2 kyber.Point) kyber.Point { B.Mul(&A, &A) C.Mul(X1, X2) D.Mul(Y1, Y2) - E.Mul(&C, &D).Mul(&P.c.d, &E) + E.Mul(&C, &D).Mul(&p.c.d, &E) F.Sub(&B, &E) G.Add(&B, &E) X3.Add(X1, Y1).Mul(&X3, Z3.Add(X2, Y2)).Sub(&X3, &C).Sub(&X3, &D). Mul(&F, &X3).Mul(&A, &X3) - Y3.Mul(&P.c.a, &C).Sub(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) + Y3.Mul(&p.c.a, &C).Sub(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) Z3.Mul(&F, &G) - P.c = P1.c - P.X.Set(&X3) - P.Y.Set(&Y3) - P.Z.Set(&Z3) - return P + p.c = P1.c + p.X.Set(&X3) + p.Y.Set(&Y3) + p.Z.Set(&Z3) + return p } // Subtract points so that their scalars subtract homomorphically -func (P *projPoint) Sub(CP1, CP2 kyber.Point) kyber.Point { - P1 := CP1.(*projPoint) - P2 := CP2.(*projPoint) +// +//nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double() +func (p *projPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { + P1 := cp1.(*projPoint) + P2 := cp2.(*projPoint) X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int 
@@ -166,69 +170,69 @@ func (P *projPoint) Sub(CP1, CP2 kyber.Point) kyber.Point { B.Mul(&A, &A) C.Mul(X1, X2) D.Mul(Y1, Y2) - E.Mul(&C, &D).Mul(&P.c.d, &E) + E.Mul(&C, &D).Mul(&p.c.d, &E) F.Add(&B, &E) G.Sub(&B, &E) X3.Add(X1, Y1).Mul(&X3, Z3.Sub(Y2, X2)).Add(&X3, &C).Sub(&X3, &D). Mul(&F, &X3).Mul(&A, &X3) - Y3.Mul(&P.c.a, &C).Add(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) + Y3.Mul(&p.c.a, &C).Add(&D, &Y3).Mul(&G, &Y3).Mul(&A, &Y3) Z3.Mul(&F, &G) - P.c = P1.c - P.X.Set(&X3) - P.Y.Set(&Y3) - P.Z.Set(&Z3) - return P + p.c = P1.c + p.X.Set(&X3) + p.Y.Set(&Y3) + p.Z.Set(&Z3) + return p } // Find the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). -func (P *projPoint) Neg(CA kyber.Point) kyber.Point { - A := CA.(*projPoint) - P.c = A.c - P.X.Neg(&A.X) - P.Y.Set(&A.Y) - P.Z.Set(&A.Z) - return P +func (p *projPoint) Neg(ca kyber.Point) kyber.Point { + A := ca.(*projPoint) + p.c = A.c + p.X.Neg(&A.X) + p.Y.Set(&A.Y) + p.Z.Set(&A.Z) + return p } // Optimized point doubling for use in scalar multiplication. -func (P *projPoint) double() { +func (p *projPoint) double() { var B, C, D, E, F, H, J mod.Int - B.Add(&P.X, &P.Y).Mul(&B, &B) - C.Mul(&P.X, &P.X) - D.Mul(&P.Y, &P.Y) - E.Mul(&P.c.a, &C) + B.Add(&p.X, &p.Y).Mul(&B, &B) + C.Mul(&p.X, &p.X) + D.Mul(&p.Y, &p.Y) + E.Mul(&p.c.a, &C) F.Add(&E, &D) - H.Mul(&P.Z, &P.Z) + H.Mul(&p.Z, &p.Z) J.Add(&H, &H).Sub(&F, &J) - P.X.Sub(&B, &C).Sub(&P.X, &D).Mul(&P.X, &J) - P.Y.Sub(&E, &D).Mul(&F, &P.Y) - P.Z.Mul(&F, &J) + p.X.Sub(&B, &C).Sub(&p.X, &D).Mul(&p.X, &J) + p.Y.Sub(&E, &D).Mul(&F, &p.Y) + p.Z.Mul(&F, &J) } // Multiply point p by scalar s using the repeated doubling method. 
-func (P *projPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point {
+func (p *projPoint) Mul(s kyber.Scalar, g kyber.Point) kyber.Point {
 v := s.(*mod.Int).V
- if G == nil {
- return P.Base().Mul(s, P)
+ if g == nil {
+ return p.Base().Mul(s, p)
 }
- T := P
- if G == P { // Must use temporary for in-place multiply
+ T := p
+ if g == p { // Must use temporary for in-place multiply
 T = &projPoint{}
 }
- T.Set(&P.c.null) // Initialize to identity element (0,1)
+ T.Set(&p.c.null) // Initialize to identity element (0,1)
 for i := v.BitLen() - 1; i >= 0; i-- {
 T.double()
 if v.Bit(i) != 0 {
- T.Add(T, G)
+ T.Add(T, g)
 }
 }
- if T != P {
- P.Set(T)
+ if T != p {
+ p.Set(T)
 }
- return P
+ return p
 }
 // ProjectiveCurve implements Twisted Edwards curves
From a69ac4c87ba46561eea4af28fc5f459208705fd6 Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 23 Feb 2024 13:08:18 +0100 Subject: [PATCH 24/49] Fix lint issues package shuffle --- shuffle/biffle.go | 38 +++++++++++----------- shuffle/pair.go | 53 ++++++++++++++++--------------- shuffle/sequence_test.go | 14 ++++----- shuffle/sequences.go | 68 +++++++++++++++++++++------------------- shuffle/simple.go | 8 +++-- 5 files changed, 94 insertions(+), 87 deletions(-)
diff --git a/shuffle/biffle.go b/shuffle/biffle.go
index c4aa9a663..ecbbe4dcd 100644
--- a/shuffle/biffle.go
+++ b/shuffle/biffle.go
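Review bot: `Mul` still iterates from `v.BitLen() - 1` and calls `T.Add` only when `v.Bit(i) != 0`, so both the iteration count and the number of additions depend on the scalar value; with a secret scalar that is a timing side channel. If this package is not documented as variable-time, the loop should run over a fixed bit length (the group order's) and replace the branch with a constant-time selection; if it is, a comment such as `// Not constant-time: the iteration count and the additions depend on s.` above Mul would make the limitation explicit. The hunk begins in the preceding Sub/Neg/double changes, and Mul's caller-visible signature is unchanged apart from the rename.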
@@ -30,25 +30,25 @@ func bifflePred() proof.Predicate { } func bifflePoints(suite Suite, g, h kyber.Point, - X, Y, Xbar, Ybar [2]kyber.Point) map[string]kyber.Point { + x, y, xbar, ybar [2]kyber.Point) map[string]kyber.Point { return map[string]kyber.Point{ "G": g, "H": h, - "Xbar0-X0": suite.Point().Sub(Xbar[0], X[0]), - "Ybar0-Y0": suite.Point().Sub(Ybar[0], Y[0]), - "Xbar1-X1": suite.Point().Sub(Xbar[1], X[1]), - "Ybar1-Y1": suite.Point().Sub(Ybar[1], Y[1]), - "Xbar0-X1": suite.Point().Sub(Xbar[0], X[1]), - "Ybar0-Y1": suite.Point().Sub(Ybar[0], Y[1]), - "Xbar1-X0": suite.Point().Sub(Xbar[1], X[0]), - "Ybar1-Y0": suite.Point().Sub(Ybar[1], Y[0])} + "Xbar0-X0": suite.Point().Sub(xbar[0], x[0]), + "Ybar0-Y0": suite.Point().Sub(ybar[0], y[0]), + "Xbar1-X1": suite.Point().Sub(xbar[1], x[1]), + "Ybar1-Y1": suite.Point().Sub(ybar[1], y[1]), + "Xbar0-X1": suite.Point().Sub(xbar[0], x[1]), + "Ybar0-Y1": suite.Point().Sub(ybar[0], y[1]), + "Xbar1-X0": suite.Point().Sub(xbar[1], x[0]), + "Ybar1-Y0": suite.Point().Sub(ybar[1], y[0])} } // Biffle is a binary shuffle ("biffle") for 2 ciphertexts based on general ZKPs. func Biffle(suite Suite, g, h kyber.Point, - X, Y [2]kyber.Point, rand cipher.Stream) ( - Xbar, Ybar [2]kyber.Point, prover proof.Prover) { + x, y [2]kyber.Point, rand cipher.Stream) ( + xBar, yBar [2]kyber.Point, prover proof.Prover) { // Pick the single-bit permutation. var buf [1]byte 
@@ -64,28 +64,28 @@ func Biffle(suite Suite, g, h kyber.Point, // Create the output pair vectors for i := 0; i < 2; i++ { piI := i ^ bit - Xbar[i] = suite.Point().Mul(beta[piI], g) - Xbar[i].Add(Xbar[i], X[piI]) - Ybar[i] = suite.Point().Mul(beta[piI], h) - Ybar[i].Add(Ybar[i], Y[piI]) + xBar[i] = suite.Point().Mul(beta[piI], g) + xBar[i].Add(xBar[i], x[piI]) + yBar[i] = suite.Point().Mul(beta[piI], h) + yBar[i].Add(yBar[i], y[piI]) } or := bifflePred() secrets := map[string]kyber.Scalar{ "beta0": beta[0], "beta1": beta[1]} - points := bifflePoints(suite, g, h, X, Y, Xbar, Ybar) + points := bifflePoints(suite, g, h, x, y, xBar, yBar) choice := map[proof.Predicate]int{or: bit} prover = or.Prover(suite, secrets, points, choice) - return + return xBar, yBar, prover } // BiffleVerifier returns a verifier of the biffle func BiffleVerifier(suite Suite, g, h kyber.Point, - X, Y, Xbar, Ybar [2]kyber.Point) ( + x, y, xBar, yBar [2]kyber.Point) ( verifier proof.Verifier) { or := bifflePred() - points := bifflePoints(suite, g, h, X, Y, Xbar, Ybar) + points := bifflePoints(suite, g, h, x, y, xBar, yBar) return or.Verifier(suite, points) } diff --git a/shuffle/pair.go b/shuffle/pair.go index 9be69550f..8fa2861ea 100644 --- a/shuffle/pair.go +++ b/shuffle/pair.go @@ -68,6 +68,8 @@ type ega5 struct { } // P and V, step 5: simple k-shuffle proof +// +//nolint:unused // may be useful later type ega6 struct { SimpleShuffle } @@ -124,7 +126,7 @@ func (ps *PairShuffle) Init(grp kyber.Group, k int) *PairShuffle { // Prove returns an error if the shuffle is not correct. func (ps *PairShuffle) Prove( pi []int, g, h kyber.Point, beta []kyber.Scalar, - X, Y []kyber.Point, rand cipher.Stream, + x, y []kyber.Point, rand cipher.Stream, ctx proof.ProverContext) error { grp := ps.grp 
@@ -148,7 +150,10 @@ func (ps *PairShuffle) Prove(
 w := make([]kyber.Scalar, k)
 a := make([]kyber.Scalar, k)
 var tau0, nu, gamma kyber.Scalar
- ctx.PriRand(u, w, a, &tau0, &nu, &gamma)
+ err := ctx.PriRand(u, w, a, &tau0, &nu, &gamma)
+ if err != nil {
+ return err
+ }
 // compute public commits
 p1.Gamma = grp.Point().Mul(gamma, g)
@@ -164,8 +169,8 @@ func (ps *PairShuffle) Prove(
 p1.U[i] = grp.Point().Mul(u[i], g)
 p1.W[i] = grp.Point().Mul(z.Mul(gamma, w[i]), g)
 wbetasum.Add(wbetasum, wbeta.Mul(w[i], beta[pi[i]]))
- p1.Lambda1.Add(p1.Lambda1, XY.Mul(wu.Sub(w[piinv[i]], u[i]), X[i]))
- p1.Lambda2.Add(p1.Lambda2, XY.Mul(wu.Sub(w[piinv[i]], u[i]), Y[i]))
+ p1.Lambda1.Add(p1.Lambda1, XY.Mul(wu.Sub(w[piinv[i]], u[i]), x[i]))
+ p1.Lambda2.Add(p1.Lambda2, XY.Mul(wu.Sub(w[piinv[i]], u[i]), y[i]))
 }
 p1.Lambda1.Add(p1.Lambda1, XY.Mul(wbetasum, g))
 p1.Lambda2.Add(p1.Lambda2, XY.Mul(wbetasum, h))
@@ -230,13 +235,13 @@ func (ps *PairShuffle) Prove(
 // Verify ElGamal Pair Shuffle proofs.
 func (ps *PairShuffle) Verify(
- g, h kyber.Point, X, Y, Xbar, Ybar []kyber.Point,
+ g, h kyber.Point, x, y, xBar, yBar []kyber.Point,
 ctx proof.VerifierContext) error {
 // Validate all vector lengths
 grp := ps.grp
 k := ps.k
- if len(X) != k || len(Y) != k || len(Xbar) != k || len(Ybar) != k {
+ if len(x) != k || len(y) != k || len(xBar) != k || len(yBar) != k {
 panic("mismatched vector lengths")
 }
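Review bot: `Verify` still aborts with `panic("mismatched vector lengths")` when `x`, `y`, `xBar` or `yBar` do not have length `ps.k`, although the method already returns an `error`; a verifier's inputs typically come from an untrusted prover, so a length mismatch should be a rejected proof, not a crash of the verifying process. Replace the panic with a returned error, e.g. `return fmt.Errorf("mismatched vector lengths: want %d", k)` (adding the `fmt` import if pair.go does not already have it), matching how `assertXY` in sequences.go reports dimension problems. The rest of Verify's body lies outside this hunk.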
@@ -286,10 +291,10 @@ func (ps *PairShuffle) Verify( P := grp.Point() // scratch Q := grp.Point() // scratch for i := 0; i < k; i++ { - Phi1 = Phi1.Add(Phi1, P.Mul(p5.Zsigma[i], Xbar[i])) // (31) - Phi1 = Phi1.Sub(Phi1, P.Mul(v2.Zrho[i], X[i])) - Phi2 = Phi2.Add(Phi2, P.Mul(p5.Zsigma[i], Ybar[i])) // (32) - Phi2 = Phi2.Sub(Phi2, P.Mul(v2.Zrho[i], Y[i])) + Phi1 = Phi1.Add(Phi1, P.Mul(p5.Zsigma[i], xBar[i])) // (31) + Phi1 = Phi1.Sub(Phi1, P.Mul(v2.Zrho[i], x[i])) + Phi2 = Phi2.Add(Phi2, P.Mul(p5.Zsigma[i], yBar[i])) // (32) + Phi2 = Phi2.Sub(Phi2, P.Mul(v2.Zrho[i], y[i])) // println("i",i) if !P.Mul(p5.Zsigma[i], p1.Gamma).Equal( // (33) Q.Add(p1.W[i], p3.D[i])) { @@ -313,12 +318,12 @@ func (ps *PairShuffle) Verify( // producing a correctness proof in the process. // Returns (Xbar,Ybar), the shuffled and randomized pairs. // If g or h is nil, the standard base point is used. -func Shuffle(group kyber.Group, g, h kyber.Point, X, Y []kyber.Point, - rand cipher.Stream) (XX, YY []kyber.Point, P proof.Prover) { +func Shuffle(group kyber.Group, g, h kyber.Point, x, y []kyber.Point, + rand cipher.Stream) (xx, yy []kyber.Point, p proof.Prover) { - k := len(X) - if k != len(Y) { - panic("X,Y vectors have inconsistent length") + k := len(x) + if k != len(y) { + panic("x,y vectors have inconsistent length") } ps := PairShuffle{} @@ -332,9 +337,7 @@ func Shuffle(group kyber.Group, g, h kyber.Point, X, Y []kyber.Point, for i := k - 1; i > 0; i-- { // Shuffle by random swaps j := int(randUint64(rand) % uint64(i+1)) if j != i { - t := pi[j] - pi[j] = pi[i] - pi[i] = t + pi[j], pi[i] = pi[i], pi[j] } } 
@@ -349,13 +352,13 @@ func Shuffle(group kyber.Group, g, h kyber.Point, X, Y []kyber.Point, Ybar := make([]kyber.Point, k) for i := 0; i < k; i++ { Xbar[i] = ps.grp.Point().Mul(beta[pi[i]], g) - Xbar[i].Add(Xbar[i], X[pi[i]]) + Xbar[i].Add(Xbar[i], x[pi[i]]) Ybar[i] = ps.grp.Point().Mul(beta[pi[i]], h) - Ybar[i].Add(Ybar[i], Y[pi[i]]) + Ybar[i].Add(Ybar[i], y[pi[i]]) } prover := func(ctx proof.ProverContext) error { - return ps.Prove(pi, g, h, beta, X, Y, rand, ctx) + return ps.Prove(pi, g, h, beta, x, y, rand, ctx) } return Xbar, Ybar, prover } @@ -367,13 +370,11 @@ func randUint64(rand cipher.Stream) uint64 { } // Verifier produces a Sigma-protocol verifier to check the correctness of a shuffle. -func Verifier(group kyber.Group, g, h kyber.Point, - X, Y, Xbar, Ybar []kyber.Point) proof.Verifier { - +func Verifier(group kyber.Group, g, h kyber.Point, x, y, xBar, yBar []kyber.Point) proof.Verifier { ps := PairShuffle{} - ps.Init(group, len(X)) + ps.Init(group, len(x)) verifier := func(ctx proof.VerifierContext) error { - return ps.Verify(g, h, X, Y, Xbar, Ybar, ctx) + return ps.Verify(g, h, x, y, xBar, yBar, ctx) } return verifier } diff --git a/shuffle/sequence_test.go b/shuffle/sequence_test.go index 2daaea940..85c7ea101 100644 --- a/shuffle/sequence_test.go +++ b/shuffle/sequence_test.go 
@@ -20,37 +20,37 @@ func TestAssertXY(t *testing.T) { { x: nil, y: nil, - errStr: "X is empty", + errStr: "x is empty", }, { x: [][]kyber.Point{{}}, y: [][]kyber.Point{{}}, - errStr: "X is empty", + errStr: "x is empty", }, { x: [][]kyber.Point{make([]kyber.Point, 1)}, y: [][]kyber.Point{{}}, - errStr: "Y is empty", + errStr: "y is empty", }, { x: [][]kyber.Point{make([]kyber.Point, 1)}, y: nil, - errStr: "Y is empty", + errStr: "y is empty", }, { x: [][]kyber.Point{make([]kyber.Point, 1), make([]kyber.Point, 2)}, y: [][]kyber.Point{make([]kyber.Point, 1)}, - errStr: "X and Y have a different size: 2 != 1", + errStr: "x and y have a different size: 2 != 1", }, { x: [][]kyber.Point{make([]kyber.Point, 1)}, y: [][]kyber.Point{make([]kyber.Point, 2)}, - errStr: "Y[0] has unexpected size: 1 != 2", + errStr: "y[0] has unexpected size: 1 != 2", }, { x: [][]kyber.Point{make([]kyber.Point, 1), make([]kyber.Point, 2)}, y: [][]kyber.Point{make([]kyber.Point, 1), make([]kyber.Point, 1)}, - errStr: "X[1] has unexpected size: 1 != 2", + errStr: "x[1] has unexpected size: 1 != 2", }, } diff --git a/shuffle/sequences.go b/shuffle/sequences.go index 6f7cf5e0c..a1d7304d5 100644 --- a/shuffle/sequences.go +++ b/shuffle/sequences.go @@ -33,9 +33,11 @@ import ( // Last coordinate is (NQ-1, k-1) // // Variable names are as representative to the paper as possible. -func SequencesShuffle(group kyber.Group, g, h kyber.Point, x, y [][]kyber.Point, - rand cipher.Stream) (Xbar, Ybar [][]kyber.Point, getProver func(e []kyber.Scalar) ( - proof.Prover, error)) { +func SequencesShuffle( + group kyber.Group, + g, h kyber.Point, + x, y [][]kyber.Point, + rand cipher.Stream) (xBar, yBar [][]kyber.Point, getProver func(e []kyber.Scalar) (proof.Prover, error)) { err := assertXY(x, y) if err != nil { 
@@ -71,25 +73,25 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, x, y [][]kyber.Point, } // Perform the Shuffle - Xbar = make([][]kyber.Point, NQ) - Ybar = make([][]kyber.Point, NQ) + xBar = make([][]kyber.Point, NQ) + yBar = make([][]kyber.Point, NQ) for j := 0; j < NQ; j++ { - Xbar[j] = make([]kyber.Point, k) - Ybar[j] = make([]kyber.Point, k) + xBar[j] = make([]kyber.Point, k) + yBar[j] = make([]kyber.Point, k) for i := 0; i < k; i++ { - Xbar[j][i] = group.Point().Mul(beta[j][pi[i]], g) - Xbar[j][i].Add(Xbar[j][i], x[j][pi[i]]) + xBar[j][i] = group.Point().Mul(beta[j][pi[i]], g) + xBar[j][i].Add(xBar[j][i], x[j][pi[i]]) - Ybar[j][i] = group.Point().Mul(beta[j][pi[i]], h) - Ybar[j][i].Add(Ybar[j][i], y[j][pi[i]]) + yBar[j][i] = group.Point().Mul(beta[j][pi[i]], h) + yBar[j][i].Add(yBar[j][i], y[j][pi[i]]) } } getProver = func(e []kyber.Scalar) (proof.Prover, error) { // EGAR 2 (Prover) - Standard ElGamal k-shuffle proof: Knowledge of - // (XUp, YUp), (XDown, YDown) and e[j] + // (xUp, yUp), (xDown, yDown) and e[j] ps := PairShuffle{} ps.Init(group, k) 
@@ -111,36 +113,36 @@ func SequencesShuffle(group kyber.Group, g, h kyber.Point, x, y [][]kyber.Point, } } - XUp, YUp, _, _ := GetSequenceVerifiable(group, x, y, Xbar, Ybar, e) + XUp, YUp, _, _ := GetSequenceVerifiable(group, x, y, xBar, yBar, e) return ps.Prove(pi, g, h, beta2, XUp, YUp, rand, ctx) }, nil } - return Xbar, Ybar, getProver + return xBar, yBar, getProver } // assertXY checks that x, y have the same dimensions and at least one element func assertXY(x, y [][]kyber.Point) error { if len(x) == 0 || len(x[0]) == 0 { - return errors.New("X is empty") + return errors.New("x is empty") } if len(y) == 0 || len(y[0]) == 0 { - return errors.New("Y is empty") + return errors.New("y is empty") } if len(x) != len(y) { - return fmt.Errorf("X and Y have a different size: %d != %d", len(x), len(y)) + return fmt.Errorf("x and y have a different size: %d != %d", len(x), len(y)) } expected := len(x[0]) for i := range x { if len(x[i]) != expected { - return fmt.Errorf("X[%d] has unexpected size: %d != %d", i, expected, len(x[i])) + return fmt.Errorf("x[%d] has unexpected size: %d != %d", i, expected, len(x[i])) } if len(y[i]) != expected { - return fmt.Errorf("Y[%d] has unexpected size: %d != %d", i, expected, len(y[i])) + return fmt.Errorf("y[%d] has unexpected size: %d != %d", i, expected, len(y[i])) } } 
@@ -150,38 +152,38 @@ func assertXY(x, y [][]kyber.Point) error { // GetSequenceVerifiable returns the consolidated input and output of sequence // shuffling elements. Needed by the prover and verifier. func GetSequenceVerifiable(group kyber.Group, x, y, xBar, yBar [][]kyber.Point, e []kyber.Scalar) ( - XUp, YUp, XDown, YDown []kyber.Point) { + xUp, yUp, xDown, yDown []kyber.Point) { // EGAR1 (Verifier) - Consolidate input and output NQ := len(x) k := len(x[0]) - XUp = make([]kyber.Point, k) - YUp = make([]kyber.Point, k) - XDown = make([]kyber.Point, k) - YDown = make([]kyber.Point, k) + xUp = make([]kyber.Point, k) + yUp = make([]kyber.Point, k) + xDown = make([]kyber.Point, k) + yDown = make([]kyber.Point, k) for i := 0; i < k; i++ { // No modification could be made for e[0] -> e[0] = 1 if one wanted - // Remark 7 in the paper - XUp[i] = group.Point().Mul(e[0], x[0][i]) - YUp[i] = group.Point().Mul(e[0], y[0][i]) + xUp[i] = group.Point().Mul(e[0], x[0][i]) + yUp[i] = group.Point().Mul(e[0], y[0][i]) - XDown[i] = group.Point().Mul(e[0], xBar[0][i]) - YDown[i] = group.Point().Mul(e[0], yBar[0][i]) + xDown[i] = group.Point().Mul(e[0], xBar[0][i]) + yDown[i] = group.Point().Mul(e[0], yBar[0][i]) for j := 1; j < NQ; j++ { - XUp[i] = group.Point().Add(XUp[i], + xUp[i] = group.Point().Add(xUp[i], group.Point().Mul(e[j], x[j][i])) - YUp[i] = group.Point().Add(YUp[i], + yUp[i] = group.Point().Add(yUp[i], group.Point().Mul(e[j], y[j][i])) - XDown[i] = group.Point().Add(XDown[i], + xDown[i] = group.Point().Add(xDown[i], group.Point().Mul(e[j], xBar[j][i])) - YDown[i] = group.Point().Add(YDown[i], + yDown[i] = group.Point().Add(yDown[i], group.Point().Mul(e[j], yBar[j][i])) } } - return XUp, YUp, XDown, YDown + return xUp, yUp, xDown, yDown } diff --git a/shuffle/simple.go b/shuffle/simple.go index 087edf923..1573fe135 100644 --- a/shuffle/simple.go +++ b/shuffle/simple.go 
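Review bot: `GetSequenceVerifiable` indexes `x[0]`, `xBar[0]`, `yBar[0]` and `e[j]` for every `j < NQ` without any of the dimension checks that `assertXY` performs, so an empty `x`, an `xBar`/`yBar` shorter than `x`, or an `e` shorter than `NQ` panics. That is tolerable on the prover side, which calls it after `assertXY`, but the comment says the function is also needed by the verifier, where the vectors come from an untrusted party. Either document the precondition (`// Callers must have validated x, y, xBar, yBar with assertXY and len(e) == len(x).`) or validate here and return an error; the latter changes the signature and needs a coordinated change at the call sites.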
@@ -87,7 +87,7 @@ func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle { // The Scalar vector y must be a permutation of Scalar vector x // but with all elements multiplied by common Scalar gamma. func (ss *SimpleShuffle) Prove(g kyber.Point, gamma kyber.Scalar, - x, y []kyber.Scalar, rand cipher.Stream, + x, y []kyber.Scalar, _ cipher.Stream, ctx proof.ProverContext) error { grp := ss.grp @@ -133,7 +133,11 @@ func (ss *SimpleShuffle) Prove(g kyber.Point, gamma kyber.Scalar, } thlen := 2*k - 1 // (7) theta and Theta vectors theta := make([]kyber.Scalar, thlen) - ctx.PriRand(theta) + err := ctx.PriRand(theta) + if err != nil { + return err + } + Theta := make([]kyber.Point, thlen+1) Theta[0] = thenc(grp, g, nil, nil, theta[0], yhat[0]) for i := 1; i < k; i++ { From da388593ee96b6a2581de4b9aaa3391e4241a6dc Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 23 Feb 2024 13:14:59 +0100 Subject: [PATCH 25/49] Fix lint issues package dleq --- proof/dleq/dleq.go | 82 ++++++++++++++++++++++++++--------------- proof/dleq/dleq_test.go | 2 +- 2 files changed, 53 insertions(+), 31 deletions(-) diff --git a/proof/dleq/dleq.go b/proof/dleq/dleq.go index 112daf072..656c357b6 100644 --- a/proof/dleq/dleq.go +++ b/proof/dleq/dleq.go @@ -21,8 +21,8 @@ type Suite interface { kyber.Random } -var errorDifferentLengths = errors.New("inputs of different lengths") -var errorInvalidProof = errors.New("invalid proof") +var errDifferentLengths = errors.New("inputs of different lengths") +var errInvalidProof = errors.New("invalid proof") // Proof represents a NIZK dlog-equality proof. type Proof struct { 
@@ -37,39 +37,44 @@ type Proof struct {
 // and then computes the challenge c = H(xG,xH,vG,vH) and response r = v - cx.
 // Besides the proof, this function also returns the encrypted base points xG
 // and xH.
-func NewDLEQProof(suite Suite, G kyber.Point, H kyber.Point, x kyber.Scalar) (proof *Proof, xG kyber.Point, xH kyber.Point, err error) {
+func NewDLEQProof(
+ suite Suite,
+ g kyber.Point,
+ h kyber.Point,
+ x kyber.Scalar,
+) (proof *Proof, xG kyber.Point, xH kyber.Point, err error) {
 // Encrypt base points with secret
- xG = suite.Point().Mul(x, G)
- xH = suite.Point().Mul(x, H)
+ xG = suite.Point().Mul(x, g)
+ xH = suite.Point().Mul(x, h)
 // Commitment
 v := suite.Scalar().Pick(suite.RandomStream())
- vG := suite.Point().Mul(v, G)
- vH := suite.Point().Mul(v, H)
+ vG := suite.Point().Mul(v, g)
+ vH := suite.Point().Mul(v, h)
 // Challenge
- h := suite.Hash()
- _, err = xG.MarshalTo(h)
+ hSuite := suite.Hash()
+ _, err = xG.MarshalTo(hSuite)
 if err != nil {
 return nil, nil, nil, err
 }
- _, err = xH.MarshalTo(h)
+ _, err = xH.MarshalTo(hSuite)
 if err != nil {
 return nil, nil, nil, err
 }
- _, err = vG.MarshalTo(h)
+ _, err = vG.MarshalTo(hSuite)
 if err != nil {
 return nil, nil, nil, err
 }
- _, err = vH.MarshalTo(h)
+ _, err = vH.MarshalTo(hSuite)
 if err != nil {
 return nil, nil, nil, err
 }
- cb := h.Sum(nil)
+ cb := hSuite.Sum(nil)
 c := suite.Scalar().Pick(suite.XOF(cb))
 // Response
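Review bot: The challenge in `NewDLEQProof` is hashed over `xG, xH, vG, vH` only; the generators `g` and `h` are never written to `hSuite`. That is fine when g and h are fixed protocol parameters, but if callers may choose them per proof the usual recommendation (strong Fiat–Shamir) is to include the generators in the transcript as well, so that a proof is bound to the bases it was produced for. If the omission is deliberate, the doc comment stating `c = H(xG,xH,vG,vH)` could add that g and h are assumed to be fixed. The function body continues past this hunk.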
@@ -82,9 +87,14 @@ func NewDLEQProof(suite Suite, G kyber.Point, H kyber.Point, x kyber.Scalar) (pr
 // NewDLEQProofBatch computes lists of NIZK dlog-equality proofs and of
 // encrypted base points xG and xH. Note that the challenge is computed over all
 // input values.
-func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets []kyber.Scalar) (proof []*Proof, xG []kyber.Point, xH []kyber.Point, err error) {
- if len(G) != len(H) || len(H) != len(secrets) {
- return nil, nil, nil, errorDifferentLengths
+func NewDLEQProofBatch(
+ suite Suite,
+ g []kyber.Point,
+ h []kyber.Point,
+ secrets []kyber.Scalar,
+) (proof []*Proof, xG []kyber.Point, xH []kyber.Point, err error) {
+ if len(g) != len(h) || len(h) != len(secrets) {
+ return nil, nil, nil, errDifferentLengths
 }
 n := len(secrets)
@@ -97,30 +107,42 @@ func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets []
 for i, x := range secrets {
 // Encrypt base points with secrets
- xG[i] = suite.Point().Mul(x, G[i])
- xH[i] = suite.Point().Mul(x, H[i])
+ xG[i] = suite.Point().Mul(x, g[i])
+ xH[i] = suite.Point().Mul(x, h[i])
 // Commitments
 v[i] = suite.Scalar().Pick(suite.RandomStream())
- vG[i] = suite.Point().Mul(v[i], G[i])
- vH[i] = suite.Point().Mul(v[i], H[i])
+ vG[i] = suite.Point().Mul(v[i], g[i])
+ vH[i] = suite.Point().Mul(v[i], h[i])
 }
 // Collective challenge
- h := suite.Hash()
+ hSuite := suite.Hash()
 for _, x := range xG {
- x.MarshalTo(h)
+ _, err := x.MarshalTo(hSuite)
+ if err != nil {
+ return nil, nil, nil, err
+ }
 }
 for _, x := range xH {
- x.MarshalTo(h)
+ _, err := x.MarshalTo(hSuite)
+ if err != nil {
+ return nil, nil, nil, err
+ }
 }
 for _, x := range vG {
- x.MarshalTo(h)
+ _, err := x.MarshalTo(hSuite)
+ if err != nil {
+ return nil, nil, nil, err
+ }
 }
 for _, x := range vH {
- x.MarshalTo(h)
+ _, err := x.MarshalTo(hSuite)
+ if err != nil {
+ return nil, nil, nil, err
+ }
 }
- cb := h.Sum(nil)
+ cb := hSuite.Sum(nil)
 c := suite.Scalar().Pick(suite.XOF(cb))
@@ -139,15 +161,15 @@ func NewDLEQProofBatch(suite Suite, G []kyber.Point, H []kyber.Point, secrets []
 //
 // vG == rG + c(xG)
 // vH == rH + c(xH)
-func (p *Proof) Verify(suite Suite, G kyber.Point, H kyber.Point, xG kyber.Point, xH kyber.Point) error {
- rG := suite.Point().Mul(p.R, G)
- rH := suite.Point().Mul(p.R, H)
+func (p *Proof) Verify(suite Suite, g kyber.Point, h kyber.Point, xG kyber.Point, xH kyber.Point) error {
+ rG := suite.Point().Mul(p.R, g)
+ rH := suite.Point().Mul(p.R, h)
 cxG := suite.Point().Mul(p.C, xG)
 cxH := suite.Point().Mul(p.C, xH)
 a := suite.Point().Add(rG, cxG)
 b := suite.Point().Add(rH, cxH)
 if !(p.VG.Equal(a) && p.VH.Equal(b)) {
- return errorInvalidProof
+ return errInvalidProof
 }
 return nil
 }
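Review bot: Each of the four added checks in the collective-challenge loops declares a fresh `err` with `:=`, shadowing the named result `err` of `NewDLEQProofBatch`; it is harmless because every such path returns immediately, but the shadow analyzer will flag it and the four blocks are copies of each other. The tighter form is `if _, err := x.MarshalTo(hSuite); err != nil { return nil, nil, nil, err }`, and the four loops could become a single loop over `[][]kyber.Point{xG, xH, vG, vH}` so the transcript order is stated in one place.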
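Review bot: `Verify` takes the challenge from the proof itself — `cxG := suite.Point().Mul(p.C, xG)` — and never recomputes it from the transcript that `NewDLEQProof` hashes (`xG, xH, vG, vH`), so the equations `VG == rG + c·xG` and `VH == rH + c·xH` are checked for whatever `p.C` the prover supplied and the Fiat–Shamir binding is not verified. A sound verifier must rebuild `c` from `xG, xH, p.VG, p.VH` with the same `suite.Hash()`/`suite.XOF` derivation the prover uses and reject the proof when the result differs from `p.C`. For proofs produced by `NewDLEQProofBatch`, which folds all inputs into one collective challenge, this requires a batch-level verifier that recomputes the collective challenge, so the fix is a design change rather than a few lines and is described here instead of quoted.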
diff --git a/proof/dleq/dleq_test.go b/proof/dleq/dleq_test.go
index e6683aa37..c7e806def 100644
--- a/proof/dleq/dleq_test.go
+++ b/proof/dleq/dleq_test.go
@@ -57,5 +57,5 @@ func TestDLEQLengths(t *testing.T) {
 // Remove an element to make the test fail
 x = append(x[:5], x[6:]...)
 _, _, _, err := NewDLEQProofBatch(suite, g, h, x)
- require.Equal(t, err, errorDifferentLengths)
+ require.Equal(t, err, errDifferentLengths)
 }
From b82af931fcbf9af7edd5dd304ac11e16be69520e Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 23 Feb 2024 13:46:12 +0100 Subject: [PATCH 26/49] Fix lint issues package share --- share/poly.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/share/poly.go b/share/poly.go
index 101fd3a3a..c560b1328 100644
--- a/share/poly.go
+++ b/share/poly.go
@@ -22,8 +22,8 @@ import (
 )
 // Some error definitions
-var errorGroups = errors.New("non-matching groups")
-var errorCoeffs = errors.New("different number of coefficients")
+var errGroups = errors.New("non-matching groups")
+var errCoeffs = errors.New("different number of coefficients")
 // PriShare represents a private share.
 type PriShare struct {
@@ -35,6 +35,7 @@ type PriShare struct {
 func (p *PriShare) Hash(s kyber.HashFactory) []byte {
 h := s.Hash()
 _, _ = p.V.MarshalTo(h)
+ //nolint:staticcheck // TODO: SA1003 fixed with https://github.com/dedis/kyber/issues/492
 _ = binary.Write(h, binary.LittleEndian, p.I)
 return h.Sum(nil)
 }
@@ -104,10 +105,10 @@ func (p *PriPoly) Shares(n int) []*PriShare {
 // as a new polynomial.
 func (p *PriPoly) Add(q *PriPoly) (*PriPoly, error) {
 if p.g.String() != q.g.String() {
- return nil, errorGroups
+ return nil, errGroups
 }
 if p.Threshold() != q.Threshold() {
- return nil, errorCoeffs
+ return nil, errCoeffs
 }
 coeffs := make([]kyber.Scalar, p.Threshold())
 for i := range coeffs {
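Review bot: The new `//nolint:staticcheck` above `_ = binary.Write(h, binary.LittleEndian, p.I)` silences SA1003, which fires because the argument has no fixed encoding size (a plain `int`, if that is what `I` is); for such a type `binary.Write` returns an error and writes nothing, and since the error is discarded the share index never enters the hash, so shares that differ only in `I` hash identically. Rather than suppressing the warning until the linked issue is resolved, encode a fixed-width value, e.g. `_ = binary.Write(h, binary.LittleEndian, int64(p.I))`, bearing in mind that this changes the hash output for existing users, and consider propagating the error instead of dropping it. The same pattern is added to `PubShare.Hash` in the `@@ -304,6 +304,7` hunk on the next line.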
@@ -263,7 +264,6 @@ func RecoverPriPoly(g kyber.Group, shares []*PriShare, t, n int) (*PriPoly, erro
 var accPoly *PriPoly
 var err error
- //den := g.Scalar()
 // Notations follow the Wikipedia article on Lagrange interpolation
 // https://en.wikipedia.org/wiki/Lagrange_polynomial
 for j := range x {
@@ -304,6 +304,7 @@ type PubShare struct {
 func (p *PubShare) Hash(s kyber.HashFactory) []byte {
 h := s.Hash()
 _, _ = p.V.MarshalTo(h)
+ //nolint:staticcheck // TODO: SA1003 fixed with https://github.com/dedis/kyber/issues/492
 _ = binary.Write(h, binary.LittleEndian, p.I)
 return h.Sum(nil)
 }
@@ -363,11 +364,11 @@ func (p *PubPoly) Shares(n int) []*PubShare {
 // base point and thus should not be used in further computations.
 func (p *PubPoly) Add(q *PubPoly) (*PubPoly, error) {
 if p.g.String() != q.g.String() {
- return nil, errorGroups
+ return nil, errGroups
 }
 if p.Threshold() != q.Threshold() {
- return nil, errorCoeffs
+ return nil, errCoeffs
 }
 commits := make([]kyber.Point, p.Threshold())
From 9827768ca4493a281c7cba94c95a4a1c667d393c Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 23 Feb 2024 14:38:34 +0100 Subject: [PATCH 27/49] Fix lint issues package curve25519 --- group/curve25519/curve.go | 5 +---- group/curve25519/ext.go | 43 +++++++++++++++++++++++++++++++-------- 2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/group/curve25519/curve.go b/group/curve25519/curve.go
index 6c1c0322f..1d866e5d9 100644
--- a/group/curve25519/curve.go
+++ b/group/curve25519/curve.go
@@ -128,7 +128,6 @@ func (c *curve) init(self kyber.Group, p *Param, fullGroup bool,
 if by.Sign() == 0 {
 // No standard base point was defined, so pick one.
 // Find the lowest-numbered y-coordinate that works.
- //println("Picking base point:")
 var x, y mod.Int
 for y.Init64(2, &c.P); ; y.Add(&y, &c.one) {
 if !c.solveForX(&x, &y) {
@@ -208,7 +207,6 @@ func (c *curve) encodePoint(x, y *mod.Int) []byte {
 func (c *curve) decodePoint(bb []byte, x, y *mod.Int) error {
 // Convert from little-endian
- //fmt.Printf("decoding:\n%s\n", hex.Dump(bb))
 b := make([]byte, len(bb))
 reverse(b, bb)
@@ -379,12 +377,11 @@ func (c *curve) data(x, y *mod.Int) ([]byte, error) {
 // reverse copies src into dst in byte-reversed order and returns dst,
 // such that src[0] goes into dst[len-1] and vice versa.
 // dst and src may be the same slice but otherwise must not overlap.
-func reverse(dst, src []byte) []byte {
+func reverse(dst, src []byte) {
 l := len(dst)
 for i, j := 0, l-1; i < (l+1)/2; {
 dst[i], dst[j] = src[j], src[i]
 i++
 j--
 }
- return dst
 }
diff --git a/group/curve25519/ext.go b/group/curve25519/ext.go
index cabb0c83c..ba9ccbdf4 100644
--- a/group/curve25519/ext.go
+++ b/group/curve25519/ext.go
@@ -17,7 +17,12 @@ type extPoint struct {
 }
 func (p *extPoint) initXY(x, y *big.Int, c kyber.Group) {
- p.c = c.(*ExtendedCurve)
+ var ok bool
+ p.c, ok = c.(*ExtendedCurve)
+ if !ok {
+ panic("invalid casting to *ExtendedCurve")
+ }
+
 p.X.Init(x, &p.c.P)
 p.Y.Init(y, &p.c.P)
 p.Z.Init64(1, &p.c.P)
@@ -31,7 +36,6 @@ func (p *extPoint) getXY() (x, y *mod.Int) {
 func (p *extPoint) String() string {
 p.normalize()
- //return p.c.pointString(&p.X,&p.Y)
 buf, _ := p.MarshalBinary()
 return hex.EncodeToString(buf)
 }
@@ -69,7 +73,10 @@ func (p *extPoint) UnmarshalFrom(r io.Reader) (int, error) {
 // iff
 // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1)
 func (p *extPoint) Equal(cp2 kyber.Point) bool {
- p2 := cp2.(*extPoint)
+ p2, ok := cp2.(*extPoint)
+ if !ok {
+ panic("invalid casting to *extPoint")
+ }
 var t1, t2 mod.Int
 xeq := t1.Mul(&p.X, &p2.Z).Equal(t2.Mul(&p2.X, &p.Z))
 yeq := t1.Mul(&p.Y, &p2.Z).Equal(t2.Mul(&p2.Y, &p.Z))
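Review bot: The comment above `reverse` still says it copies src into dst "and returns dst", but the hunk drops the return value, so the first doc line is now wrong; change it to `// reverse copies src into dst in byte-reversed order,` and keep the two lines that follow. The one call site visible in this diff, `reverse(b, bb)` in decodePoint, already ignored the result, so the signature change itself looks safe as far as this patch shows.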
@@ -77,7 +84,10 @@ func (p *extPoint) Equal(cp2 kyber.Point) bool {
 }
 
 func (p *extPoint) Set(cp2 kyber.Point) kyber.Point {
-	p2 := cp2.(*extPoint)
+	p2, ok := cp2.(*extPoint)
+	if !ok {
+		panic("invalid casting to *extPoint")
+	}
 	p.c = p2.c
 	p.X.Set(&p2.X)
 	p.Y.Set(&p2.Y)
@@ -147,8 +157,14 @@ func (p *extPoint) Data() ([]byte, error) {
 //
 //nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double()
 func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point {
-	p1 := cp1.(*extPoint)
-	p2 := cp2.(*extPoint)
+	p1, ok := cp1.(*extPoint)
+	if !ok {
+		panic("invalid casting to *extPoint")
+	}
+	p2, ok := cp2.(*extPoint)
+	if !ok {
+		panic("invalid casting to *extPoint")
+	}
 	X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T
 	X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T
 	X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T
@@ -173,8 +189,14 @@ func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point {
 //
 //nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double()
 func (p *extPoint) Sub(cp1, cp2 kyber.Point) kyber.Point {
-	p1 := cp1.(*extPoint)
-	p2 := cp2.(*extPoint)
+	p1, ok := cp1.(*extPoint)
+	if !ok {
+		panic("invalid casting to *extPoint")
+	}
+	p2, ok := cp2.(*extPoint)
+	if !ok {
+		panic("invalid casting to *extPoint")
+	}
 	X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T
 	X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T
 	X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T
@@ -198,7 +220,10 @@ func (p *extPoint) Sub(cp1, cp2 kyber.Point) kyber.Point {
 // Find the negative of point A.
 // For Edwards curves, the negative of (x,y) is (-x,y).
 func (p *extPoint) Neg(ca kyber.Point) kyber.Point {
-	A := ca.(*extPoint)
+	A, ok := ca.(*extPoint)
+	if !ok {
+		panic("invalid casting to *extPoint")
+	}
 	p.c = A.c
 	p.X.Neg(&A.X)
 	p.Y.Set(&A.Y)
From b1504e12caabd4a72b201fe2a94573ec57120d37 Mon Sep 17 00:00:00 2001
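Review bot: The checked assertion plus `panic("invalid casting to *extPoint")` is now pasted verbatim into Set, Add (twice), Sub (twice) and Neg, and unlike the bare assertion it replaces, the message no longer says which type was actually passed, which is the one detail that helps when a caller mixes points from different groups. A small helper keeps every call site to one line and can report the dynamic type; `%T` needs `fmt`, which I cannot see among ext.go's imports here, so adjust if it is not available. Call sites then read `p1, p2 := asExtPoint(cp1), asExtPoint(cp2)`.
```go
// asExtPoint returns p as an *extPoint. Mixing points from different groups
// is a programming error, so a mismatch panics and names the offending type.
func asExtPoint(p kyber.Point) *extPoint {
	ep, ok := p.(*extPoint)
	if !ok {
		panic(fmt.Sprintf("curve25519: expected *extPoint, got %T", p))
	}
	return ep
}

func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point {
	p1, p2 := asExtPoint(cp1), asExtPoint(cp2)
	// … unchanged: extended-coordinate addition …
```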
From: lauener Date: Fri, 23 Feb 2024 16:39:36 +0100 Subject: [PATCH 28/49] Fix lint issues package anon --- sign/anon/enc.go | 20 +++++++++++++------- sign/anon/enc_test.go | 10 ++++++++-- sign/anon/sig.go | 12 +++++------- 3 files changed, 26 insertions(+), 16 deletions(-) diff --git a/sign/anon/enc.go b/sign/anon/enc.go index c5217f562..aeb32d816 100644 --- a/sign/anon/enc.go +++ b/sign/anon/enc.go @@ -11,9 +11,6 @@ import ( func header(suite Suite, _ kyber.Point, x kyber.Scalar, xb1, xb2 []byte, anonymitySet Set) []byte { - //fmt.Printf("xb1 %s\nxb %s\n", - // hex.EncodeToString(xb1),hex.EncodeToString(xb2)) - // Encrypt the master scalar key with each public key in the set S := suite.Point() hdr := xb1 @@ -44,7 +41,13 @@ func encryptKey(suite Suite, anonymitySet Set) (k, c []byte) { // Decrypt and verify a key encrypted via encryptKey. // On success, returns the key and the length of the decrypted header. -func decryptKey(suite Suite, ciphertext []byte, anonymitySet Set, mine int, privateKey kyber.Scalar) ([]byte, int, error) { +func decryptKey( + suite Suite, + ciphertext []byte, + anonymitySet Set, + mine int, + privateKey kyber.Scalar, +) ([]byte, int, error) { // Decode the (supposed) ephemeral public key from the front X := suite.Point() var Xb []byte @@ -118,7 +121,7 @@ const macSize = 16 // If the provided set contains only one public key, // this reduces to conventional single-receiver public-key encryption. func Encrypt(suite Suite, message []byte, - anonymitySet Set) []byte { + anonymitySet Set) ([]byte, error) { xb, hdr := encryptKey(suite, anonymitySet) xof := suite.XOF(xb) @@ -136,9 +139,12 @@ func Encrypt(suite Suite, message []byte, xof.XORKeyStream(ctx, message) xof = suite.XOF(ctx) - xof.Read(mac) + _, err := xof.Read(mac) + if err != nil { + return nil, err + } - return ciphertext + return ciphertext, nil } // Decrypt a message encrypted for a particular anonymity set. 
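Review bot: `Encrypt` now returns `([]byte, error)`, but its doc comment, whose last two lines are the hunk's leading context, still describes only the ciphertext, so callers cannot tell whether a non-nil error signals bad input or an internal failure. From the hunk the only error path appears to be the `xof.Read(mac)` call; say so, e.g. `// Encrypt returns an error only if the suite's XOF fails while producing the MAC.` Note that this is a signature change on an exported function, so every external caller of anon.Encrypt stops compiling; that deserves a release note rather than being folded into a lint commit.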
diff --git a/sign/anon/enc_test.go b/sign/anon/enc_test.go index 7c3fbe4fa..11a741518 100644 --- a/sign/anon/enc_test.go +++ b/sign/anon/enc_test.go @@ -24,7 +24,10 @@ func ExampleEncrypt_one() { // Encrypt a message with the public key M := []byte("Hello World!") - C := Encrypt(suite, M, Set(X)) + C, err := Encrypt(suite, M, Set(X)) + if err != nil { + panic(err.Error()) + } fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C)) // Decrypt the ciphertext with the private key @@ -67,7 +70,10 @@ func ExampleEncrypt_anonSet() { // Encrypt a message with all the public keys M := []byte("Hello World!") // message to encrypt - C := Encrypt(suite, M, Set(X)) + C, err := Encrypt(suite, M, Set(X)) + if err != nil { + panic(err.Error()) + } fmt.Printf("Encryption of '%s':\n%s", string(M), hex.Dump(C)) // Decrypt the ciphertext with the known private key diff --git a/sign/anon/sig.go b/sign/anon/sig.go index 8cb4586c4..8c1ea9a1b 100644 --- a/sign/anon/sig.go +++ b/sign/anon/sig.go @@ -31,12 +31,12 @@ func signH1pre(suite Suite, linkScope []byte, linkTag kyber.Point, return H1pre } -func signH1(suite Suite, H1pre kyber.XOF, PG, PH kyber.Point) kyber.Scalar { - H1 := H1pre.Clone() - PGb, _ := PG.MarshalBinary() +func signH1(suite Suite, h1pre kyber.XOF, pg, ph kyber.Point) kyber.Scalar { + H1 := h1pre.Clone() + PGb, _ := pg.MarshalBinary() _, _ = H1.Write(PGb) - if PH != nil { - PHb, _ := PH.MarshalBinary() + if ph != nil { + PHb, _ := ph.MarshalBinary() _, _ = H1.Write(PHb) } return suite.Scalar().Pick(H1) @@ -163,8 +163,6 @@ func Sign(suite Suite, message []byte, PH.Add(PH.Mul(s[i], linkBase), P.Mul(c[i], linkTag)) } c[(i+1)%n] = signH1(suite, H1pre, PG, PH) - //fmt.Printf("s%d %s\n",i,s[i].String()) - //fmt.Printf("c%d %s\n",(i+1)%n,c[(i+1)%n].String()) } s[pi] = suite.Scalar() s[pi].Mul(privateKey, c[pi]).Sub(u, s[pi]) // s_pi = u - x_pi c_pi From c1b4c4062a649b84acc89c497e8d7806d43c569c Mon Sep 17 00:00:00 2001 
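Review bot: In `signH1` the renamed `pg.MarshalBinary()` and `ph.MarshalBinary()` still discard their errors (`PGb, _ :=`, `PHb, _ :=`), so a point that fails to marshal contributes an empty buffer to the ring-signature challenge hash and `Sign` silently emits a signature over the wrong challenge. Since this PR is adding error propagation elsewhere, either change the signature to `func signH1(suite Suite, h1pre kyber.XOF, pg, ph kyber.Point) (kyber.Scalar, error)` and return the marshal error, or justify the discard in place with a comment such as `// MarshalBinary cannot fail for a valid group point`. The closing brace of signH1 lies outside the hunk.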
From: lauener Date: Sat, 24 Feb 2024 11:08:27 +0100 Subject: [PATCH 29/49] Fix lint issues package cosi --- sign/cosi/cosi.go | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/sign/cosi/cosi.go b/sign/cosi/cosi.go index 4b19c62a7..81efabe59 100644 --- a/sign/cosi/cosi.go +++ b/sign/cosi/cosi.go @@ -55,7 +55,7 @@ import ( // Commit returns a random scalar v, generated from the given suite, // and a corresponding commitment V = [v]G. If the given cipher stream is nil, // a random stream is used. -func Commit(suite Suite) (v kyber.Scalar, V kyber.Point) { +func Commit(suite Suite) (v kyber.Scalar, vp kyber.Point) { random := suite.Scalar().Pick(suite.RandomStream()) commitment := suite.Point().Mul(random, nil) return random, commitment @@ -63,7 +63,11 @@ func Commit(suite Suite) (v kyber.Scalar, V kyber.Point) { // AggregateCommitments returns the sum of the given commitments and the // bitwise OR of the corresponding masks. -func AggregateCommitments(suite Suite, commitments []kyber.Point, masks [][]byte) (sum kyber.Point, commits []byte, err error) { +func AggregateCommitments( + suite Suite, + commitments []kyber.Point, + masks [][]byte, +) (sum kyber.Point, commits []byte, err error) { if len(commitments) != len(masks) { return nil, nil, errors.New("mismatching lengths of commitment and mask slices") } @@ -153,7 +157,7 @@ func Sign(suite Suite, commitment kyber.Point, response kyber.Scalar, mask *Mask return nil, errors.New("marshalling of signature failed") } sig := make([]byte, lenSig+mask.Len()) - copy(sig[:], VB) + copy(sig, VB) copy(sig[lenV:lenSig], RB) copy(sig[lenSig:], mask.mask) return sig, nil @@ -198,7 +202,10 @@ func Verify(suite Suite, publics []kyber.Point, message, sig []byte, policy Poli if err != nil { return err } - mask.SetMask(sig[lenRes:]) + err = mask.SetMask(sig[lenRes:]) + if err != nil { + return err + } A := mask.AggregatePublic ABuff, err := A.MarshalBinary() if err != nil { 
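Review bot: The doc comment above `Commit` says that a nil cipher stream falls back to a random stream, but the function takes only `suite` and always calls `suite.RandomStream()`, and it names the commitment `V` while the named result is now `vp`, so the rename has detached the comment from the code. Replace it with `// Commit returns a random scalar v drawn from suite's random stream and its commitment vp = [v]G.` and drop the sentence about the cipher stream. If the named result exists only for documentation, `commitment` would read better than `vp`.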
@@ -261,7 +268,10 @@ func NewMask(suite Suite, publics []kyber.Point, myKey kyber.Point) (*Mask, erro found := false for i, key := range publics { if key.Equal(myKey) { - m.SetBit(i, true) + err := m.SetBit(i, true) + if err != nil { + return nil, err + } found = true break } @@ -276,7 +286,7 @@ func NewMask(suite Suite, publics []kyber.Point, myKey kyber.Point) (*Mask, erro // Mask returns a copy of the participation bitmask. func (m *Mask) Mask() []byte { clone := make([]byte, len(m.mask)) - copy(clone[:], m.mask) + copy(clone, m.mask) return clone } From dfb7d27d49ac1210d666c9ba86b3f14d626d29ee Mon Sep 17 00:00:00 2001 From: lauener Date: Sat, 24 Feb 2024 11:14:01 +0100 Subject: [PATCH 30/49] Fix lint issues package ecies --- encrypt/ecies/ecies.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/encrypt/ecies/ecies.go b/encrypt/ecies/ecies.go index 16bca0714..1a0f485c2 100644 --- a/encrypt/ecies/ecies.go +++ b/encrypt/ecies/ecies.go @@ -36,13 +36,13 @@ func Encrypt(group kyber.Group, public kyber.Point, message []byte, hash func() // ephemeral key for every ECIES encryption and thus have a fresh // HKDF-derived key for AES-GCM, the nonce for AES-GCM can be an arbitrary // (even static) value. We derive it here simply via HKDF as well.) - len := 32 + 12 - buf, err := deriveKey(hash, dh, len) + l := 32 + 12 + buf, err := deriveKey(hash, dh, l) if err != nil { return nil, err } key := buf[:32] - nonce := buf[32:len] + nonce := buf[32:l] // Encrypt message using AES-GCM aes, err := aes.NewCipher(key) 
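Review bot: `l := 32 + 12` in ecies `Encrypt` hides two security parameters, the AES-256 key length and the 96-bit GCM nonce length, behind an untyped sum, and `buf[:32]` / `buf[32:l]` repeat the literal, so a future change to one site can silently desynchronise the other. Prefer package constants that name the parameters: `const aesKeyLen, gcmNonceLen = 32, 12`, then `key := buf[:aesKeyLen]` and `nonce := buf[aesKeyLen : aesKeyLen+gcmNonceLen]`, with `deriveKey(hash, dh, aesKeyLen+gcmNonceLen)`. The existing comment explaining why a static nonce is acceptable here is valuable and should stay attached to the nonce line.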
@@ -91,13 +91,13 @@ func Decrypt(group kyber.Group, private kyber.Scalar, ctx []byte, hash func() ha // Compute shared DH key and derive the symmetric key and nonce via HKDF dh := group.Point().Mul(private, R) - len := 32 + 12 - buf, err := deriveKey(hash, dh, len) + length := 32 + 12 + buf, err := deriveKey(hash, dh, length) if err != nil { return nil, err } key := buf[:32] - nonce := buf[32:len] + nonce := buf[32:length] // Decrypt message using AES-GCM aes, err := aes.NewCipher(key) @@ -111,18 +111,18 @@ func Decrypt(group kyber.Group, private kyber.Scalar, ctx []byte, hash func() ha return aesgcm.Open(nil, nonce, ctx[l:], nil) } -func deriveKey(hash func() hash.Hash, dh kyber.Point, len int) ([]byte, error) { +func deriveKey(hash func() hash.Hash, dh kyber.Point, l int) ([]byte, error) { dhb, err := dh.MarshalBinary() if err != nil { return nil, err } hkdf := hkdf.New(hash, dhb, nil, nil) - key := make([]byte, len, len) + key := make([]byte, l) n, err := hkdf.Read(key) if err != nil { return nil, err } - if n < len { + if n < l { return nil, errors.New("ecies: hkdf-derived key too short") } return key, nil From 891fbf04e6b536cd929fe1cd28d807875364c283 Mon Sep 17 00:00:00 2001 From: lauener Date: Sat, 24 Feb 2024 11:43:48 +0100 Subject: [PATCH 31/49] Fix lint issues dkg-rabin --- share/dkg/rabin/dkg.go | 64 +++++++++++++++++++++---------------- share/dkg/rabin/dkg_test.go | 11 +++---- 2 files changed, 41 insertions(+), 34 deletions(-) diff --git a/share/dkg/rabin/dkg.go b/share/dkg/rabin/dkg.go index 969044b1e..87715af92 100644 --- a/share/dkg/rabin/dkg.go +++ b/share/dkg/rabin/dkg.go 
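Review bot: The same 32+12 byte count is named `l` in `Encrypt` and `deriveKey` but `length` in `Decrypt`, all introduced by this one commit; pick one name (or the named constants) so the three sites visibly agree. In `deriveKey`, `hkdf.Read` is a plain io.Reader, so the `n < l` check is what protects against a short read; `n, err := io.ReadFull(hkdf, key)` expresses that intent directly and turns a short read into `io.ErrUnexpectedEOF`, provided `io` is (or can be) imported in ecies.go.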
@@ -10,29 +10,29 @@ // // The protocol works as follow: // -// 1. Each participant instantiates a DistKeyShare (DKS) struct. -// 2. Then each participant runs an instance of the VSS protocol: +// 1. Each participant instantiates a DistKeyShare (DKS) struct. +// 2. Then each participant runs an instance of the VSS protocol: // - each participant generates their deals with the method `Deals()` and then -// sends them to the right recipient. +// sends them to the right recipient. // - each participant processes the received deal with `ProcessDeal()` and -// broadcasts the resulting response. +// broadcasts the resulting response. // - each participant processes the response with `ProcessResponse()`. If a -// justification is returned, it must be broadcasted. -// 3. Each participant can check if step 2. is done by calling -// `Certified()`.Those participants where Certified() returned true, belong to -// the set of "qualified" participants who will generate the distributed -// secret. To get the list of qualified participants, use QUAL(). -// 4. Each QUAL participant generates their secret commitments calling -// `SecretCommits()` and broadcasts them to the QUAL set. -// 5. Each QUAL participant processes the received secret commitments using -// `SecretCommits()`. If there is an error, it can return a commitment complaint -// (ComplaintCommits) that must be broadcasted to the QUAL set. -// 6. Each QUAL participant receiving a complaint can process it with -// `ProcessComplaintCommits()` which returns the secret share -// (ReconstructCommits) given from the malicious participant. This structure -// must be broadcasted to all the QUAL participant. -// 7. At this point, every QUAL participant can issue the distributed key by -// calling `DistKeyShare()`. +// justification is returned, it must be broadcasted. +// 3. Each participant can check if step 2. 
is done by calling +// `Certified()`.Those participants where Certified() returned true, belong to +// the set of "qualified" participants who will generate the distributed +// secret. To get the list of qualified participants, use QUAL(). +// 4. Each QUAL participant generates their secret commitments calling +// `SecretCommits()` and broadcasts them to the QUAL set. +// 5. Each QUAL participant processes the received secret commitments using +// `SecretCommits()`. If there is an error, it can return a commitment complaint +// (ComplaintCommits) that must be broadcasted to the QUAL set. +// 6. Each QUAL participant receiving a complaint can process it with +// `ProcessComplaintCommits()` which returns the secret share +// (ReconstructCommits) given from the malicious participant. This structure +// must be broadcasted to all the QUAL participant. +// 7. At this point, every QUAL participant can issue the distributed key by +// calling `DistKeyShare()`. package dkg import ( @@ -79,8 +79,9 @@ func (d *DistKeyShare) Commitments() []kyber.Point { // Deal holds the Deal for one participant as well as the index of the issuing // Dealer. -// NOTE: Doing that in vss.go would be possible but then the Dealer is always -// assumed to be a member of the participants. It's only the case here. +// +// NOTE: Doing that in vss.go would be possible but then the Dealer is always +// assumed to be a member of the participants. It's only the case here. type Deal struct { // Index of the Dealer in the list of participants Index uint32 
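Review bot: Step 5 of the reindented protocol description says QUAL participants process received secret commitments "using `SecretCommits()`", but the method that does that is `ProcessSecretCommits()` (visible further down in this file), and step 4 already uses `SecretCommits()` for generation, so the duplicated name points readers at the wrong call. Change step 5 to `// 5. Each QUAL participant processes the received secret commitments using` followed by `// ProcessSecretCommits(). If there is an error, it can return a commitment complaint`. Step 3 is also missing the space after the period following Certified(); since gofmt is rewriting these lines anyway, this is the moment to fix both.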
@@ -178,7 +179,12 @@ type DistKeyGenerator struct { // the longterm secret key, the list of participants, and the // threshold t parameter. It returns an error if the secret key's // commitment can't be found in the list of participants. -func NewDistKeyGenerator(suite Suite, longterm kyber.Scalar, participants []kyber.Point, t int) (*DistKeyGenerator, error) { +func NewDistKeyGenerator( + suite Suite, + longterm kyber.Scalar, + participants []kyber.Point, + t int, +) (*DistKeyGenerator, error) { pub := suite.Point().Mul(longterm, nil) // find our index var found bool @@ -222,9 +228,9 @@ func NewDistKeyGenerator(suite Suite, longterm kyber.Scalar, participants []kybe // to which participant a deal belongs to, loop over the keys as indices in // the list of participants: // -// for i,dd := range distDeals { -// sendTo(participants[i],dd) -// } +// for i,dd := range distDeals { +// sendTo(participants[i],dd) +// } // // This method panics if it can't process its own deal. func (d *DistKeyGenerator) Deals() (map[int]*Deal, error) { @@ -314,6 +320,7 @@ func (d *DistKeyGenerator) ProcessResponse(resp *Response) (*Justification, erro } if resp.Index != uint32(d.index) { + //nolint:nilnil // Expected behavior return nil, nil } @@ -322,6 +329,7 @@ func (d *DistKeyGenerator) ProcessResponse(resp *Response) (*Justification, erro return nil, err } if j == nil { + //nolint:nilnil // Expected behavior return nil, nil } // a justification for our own deal, are we cheating !? @@ -466,6 +474,8 @@ func (d *DistKeyGenerator) ProcessSecretCommits(sc *SecretCommits) (*ComplaintCo } // commitments are fine d.commitments[sc.Index] = poly + + //nolint:nilnil // Expected behavior return nil, nil } 
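Review bot: `//nolint:nilnil // Expected behavior` on the `return nil, nil` sites in `ProcessResponse` and `ProcessSecretCommits` silences the linter without recording the contract it is flagging: a nil *Justification (or nil *ComplaintCommits) together with a nil error is the success case meaning "nothing to broadcast", which callers must know to distinguish from a failure. Put that in each method's doc comment, which is where callers look, and make the suppression reason specific, e.g. `//nolint:nilnil // nil justification with nil error means none is needed` and `//nolint:nilnil // nil complaint with nil error means the commitments verified`. The enclosing method bodies start and end outside these hunks.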
@@ -495,7 +505,7 @@ func (d *DistKeyGenerator) ProcessComplaintCommits(cc *ComplaintCommits) (*Recon // the verification should pass for the deal, and not with the secret // commits. Verification 4) in DKG Rabin's paper. if err := v.VerifyDeal(cc.Deal, false); err != nil { - return nil, fmt.Errorf("dkg: verifying deal: %s", err) + return nil, fmt.Errorf("dkg: verifying deal: %w", err) } secretCommits, ok := d.commitments[cc.DealerIndex] diff --git a/share/dkg/rabin/dkg_test.go b/share/dkg/rabin/dkg_test.go index 5a5ecb976..15e6ce6b6 100644 --- a/share/dkg/rabin/dkg_test.go +++ b/share/dkg/rabin/dkg_test.go @@ -144,8 +144,6 @@ func TestDKGProcessResponse(t *testing.T) { require.NotNil(t, resp) assert.Equal(t, false, resp.Response.Approved) deal.RndShare.V = goodSecret - dd, _ = dkg.Deals() - encD = dd[idxRec] // no verifier tied to Response v, ok := dkg.verifiers[0] @@ -174,9 +172,8 @@ func TestDKGProcessResponse(t *testing.T) { // valid complaint from another deal from another peer dkg2 := dkgs[2] require.Nil(t, err) + // fake a wrong deal - //deal20, err := dkg2.dealer.PlaintextDeal(0) - //require.Nil(t, err) deal21, err := dkg2.dealer.PlaintextDeal(1) require.Nil(t, err) goodRnd21 := deal21.RndShare.V @@ -185,7 +182,8 @@ func TestDKGProcessResponse(t *testing.T) { require.Nil(t, err) resp12, err := rec.ProcessDeal(deals2[idxRec]) - assert.NotNil(t, resp) + assert.NotNil(t, resp12) + assert.Nil(t, err) assert.Equal(t, false, resp12.Response.Approved) deal21.RndShare.V = goodRnd21 @@ -210,7 +208,7 @@ func TestDKGProcessResponse(t *testing.T) { assert.NotNil(t, j) // hack because all is local, and resp has been modified locally by dkg2's - // dealer, the status has became "justified" + // dealer, the status has become "justified" resp12.Response.Approved = false err = dkg.ProcessJustification(j) assert.Nil(t, err) 
@@ -310,7 +308,6 @@ func TestDKGComplaintCommits(t *testing.T) { wrongSc.SessionID = scs[0].SessionID wrongSc.Commitments = make([]kyber.Point, len(scs[0].Commitments)) copy(wrongSc.Commitments, scs[0].Commitments) - //goodScCommit := scs[0].Commitments[0] wrongSc.Commitments[0] = suite.Point().Null() msg := wrongSc.Hash(suite) wrongSc.Signature, _ = schnorr.Sign(suite, dkgs[0].long, msg) From 5daa04b6c10800b81968513a6bad10a8bcf6f90d Mon Sep 17 00:00:00 2001 From: lauener Date: Sat, 24 Feb 2024 12:20:49 +0100 Subject: [PATCH 32/49] Fix most lint issues package proof --- proof/deniable.go | 30 +++++++++++++++++++++++------- proof/deniable_test.go | 2 +- proof/hash.go | 40 +++++++++++++++++++++++++++++----------- proof/proof.go | 34 ++++++++++++++++++++-------------- 4 files changed, 73 insertions(+), 33 deletions(-) diff --git a/proof/deniable.go b/proof/deniable.go index 0208a393d..ec34b3459 100644 --- a/proof/deniable.go +++ b/proof/deniable.go @@ -76,7 +76,12 @@ func (dp *deniableProver) run(suite Suite, self int, prv Prover, } // Run the prover, which will also drive the verifiers. - dp.initStep() + err := dp.initStep() + if err != nil { + dp.err[self] = err + return dp.err + } + if err := (func(ProverContext) error)(prv)(dp); err != nil { dp.err[self] = err } 
@@ -105,17 +110,24 @@ func (dp *deniableProver) run(suite Suite, self int, prv Prover, const keySize = 128 // Start the message buffer off in each step with a randomness commitment -func (dp *deniableProver) initStep() { +func (dp *deniableProver) initStep() error { key := make([]byte, keySize) // secret random key - _, _ = dp.prirand.Read(key) + _, err := dp.prirand.Read(key) + if err != nil { + return err + } dp.key = key msg := make([]byte, keySize) // send commitment to it xof := dp.suite.XOF(key) - xof.Read(msg) + _, err = xof.Read(msg) + if err != nil { + return err + } dp.msg = bytes.NewBuffer(msg) // The Sigma-Prover will now append its proof content to dp.msg... + return nil } func (dp *deniableProver) proofStep() (bool, error) { @@ -179,7 +191,11 @@ func (dp *deniableProver) challengeStep() error { continue // ignore participants who dropped out } chk := make([]byte, keySize) - dp.suite.XOF(key).Read(chk) + _, err := dp.suite.XOF(key).Read(chk) + if err != nil { + return err + } + if !bytes.Equal(com, chk) { return errors.New("wrong key for commit") } @@ -203,8 +219,8 @@ func (dp *deniableProver) challengeStep() error { } // Setup for the next proof step - dp.initStep() - return nil + err = dp.initStep() + return err } func (dp *deniableProver) Put(message interface{}) error { diff --git a/proof/deniable_test.go b/proof/deniable_test.go index d654baef9..59334df36 100644 --- a/proof/deniable_test.go +++ b/proof/deniable_test.go @@ -105,7 +105,7 @@ func TestDeniable(t *testing.T) { msgs[i] = <-n.outbox if n.done { - t.Log(string(n.log.Bytes())) + t.Log(n.log.Bytes()) nodes[i] = nil } } diff --git a/proof/hash.go b/proof/hash.go index 8f1aa508e..eeaabd818 100644 --- a/proof/hash.go +++ b/proof/hash.go 
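Review bot: `t.Log(n.log.Bytes())` changes what the test prints: the old `string(n.log.Bytes())` emitted the node's log as text, while logging a `[]byte` prints a decimal slice dump that is useless when TestDeniable fails. The lint-clean form that keeps the output readable is `t.Log(n.log.String())`, assuming `n.log` is a `*bytes.Buffer` or similar as the `Bytes()` call suggests.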
@@ -43,23 +43,31 @@ func (c *hashProver) Put(message interface{}) error { return c.suite.Write(&c.msg, message) } -func (c *hashProver) consumeMsg() { +func (c *hashProver) consumeMsg() error { if c.msg.Len() > 0 { - // Stir the message into the public randomness pool buf := c.msg.Bytes() c.pubrand.Reseed() - c.pubrand.Write(buf) + _, err := c.pubrand.Write(buf) + if err != nil { + return err + } // Append the current message data to the proof c.proof.Write(buf) c.msg.Reset() } + + return nil } // Get public randomness that depends on every bit in the proof so far. func (c *hashProver) PubRand(data ...interface{}) error { - c.consumeMsg() + err := c.consumeMsg() + if err != nil { + return err + } + return c.suite.Read(c.pubrand, data...) } @@ -72,9 +80,9 @@ func (c *hashProver) PriRand(data ...interface{}) error { } // Obtain the encoded proof once the Sigma protocol is complete. -func (c *hashProver) Proof() []byte { - c.consumeMsg() - return c.proof.Bytes() +func (c *hashProver) Proof() ([]byte, error) { + err := c.consumeMsg() + return c.proof.Bytes(), err } // Noninteractive Sigma-protocol verifier context @@ -97,16 +105,21 @@ func newHashVerifier(suite Suite, protoName string, return &c, nil } -func (c *hashVerifier) consumeMsg() { +func (c *hashVerifier) consumeMsg() error { l := len(c.prbuf) - c.proof.Len() // How many bytes read? if l > 0 { // Stir consumed bytes into the public randomness pool buf := c.prbuf[:l] c.pubrand.Reseed() - c.pubrand.Write(buf) + _, err := c.pubrand.Write(buf) + if err != nil { + return err + } c.prbuf = c.proof.Bytes() // Reset to remaining bytes } + + return nil } // Read structured data from the proof 
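Review bot: `Proof()` now returns `c.proof.Bytes(), err`, handing back a partially built proof alongside the error, and `HashProve` passes that pair straight through, so a caller that only checks `len(proof)` treats a broken proof as valid output. Return nil on failure: `if err := c.consumeMsg(); err != nil { return nil, err }` followed by `return c.proof.Bytes(), nil`. The doc comment above should also mention that the error comes from stirring the final message into the public randomness pool.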
@@ -116,7 +129,12 @@ func (c *hashVerifier) Get(message interface{}) error { // Get public randomness that depends on every bit in the proof so far. func (c *hashVerifier) PubRand(data ...interface{}) error { - c.consumeMsg() // Stir in newly-read data + // Stir in newly-read data + err := c.consumeMsg() + if err != nil { + return err + } + return c.suite.Read(c.pubrand, data...) } @@ -138,7 +156,7 @@ func HashProve(suite Suite, protocolName string, prover Prover) ([]byte, error) if e := (func(ProverContext) error)(prover)(ctx); e != nil { return nil, e } - return ctx.Proof(), nil + return ctx.Proof() } // HashVerify computes a hash-based noninteractive proof generated with HashProve. diff --git a/proof/proof.go b/proof/proof.go index 4d3258d8e..2d25961a6 100644 --- a/proof/proof.go +++ b/proof/proof.go @@ -157,16 +157,16 @@ type repPred struct { // A Rep statement of the form Rep(P,x1,B1,...,xn,Bn) // indicates that the prover knows secrets x1,...,xn // such that point P is the sum x1*B1+...+xn*Bn. -func Rep(P string, SB ...string) Predicate { - if len(SB)&1 != 0 { +func Rep(p string, sb ...string) Predicate { + if len(sb)&1 != 0 { panic("mismatched Scalar") } - t := make([]term, len(SB)/2) + t := make([]term, len(sb)/2) for i := range t { - t[i].S = SB[i*2] - t[i].B = SB[i*2+1] + t[i].S = sb[i*2] + t[i].B = sb[i*2+1] } - return &repPred{P, t} + return &repPred{p, t} } // Return a string representation of this proof-of-representation predicate, @@ -175,7 +175,7 @@ func (rp *repPred) String() string { return rp.precString(precNone) } -func (rp *repPred) precString(prec int) string { +func (rp *repPred) precString(_ int) string { s := rp.P + "=" for i := range rp.T { if i > 0 { 
@@ -220,7 +220,10 @@ func (rp *repPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { // we encounter each variable if v[s] == nil { v[s] = prf.s.Scalar() - prf.pc.PriRand(v[s]) + err := prf.pc.PriRand(v[s]) + if err != nil { + return err + } } P.Mul(v[s], prf.pval[t.B]) V.Add(V, P) @@ -366,8 +369,6 @@ func (ap *andPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { // Create per-predicate prover state v := prf.makeScalars(pv) - //pp := proverPred{w,v,nil} - //prf.pp[ap] = pp // Recursively generate commitments for i := 0; i < len(sub); i++ { @@ -381,7 +382,6 @@ func (ap *andPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { func (ap *andPred) respond(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error { sub := []Predicate(*ap) - //pp := prf.pp[ap] // Recursively compute responses in all sub-predicates r := prf.makeScalars(pr) @@ -495,7 +495,10 @@ func (op *orPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { for i := 0; i < len(sub); i++ { if i != choice { wi[i] = prf.s.Scalar() - prf.pc.PriRand(wi[i]) + err := prf.pc.PriRand(wi[i]) + if err != nil { + return err + } } // else wi[i] == nil for proof-obligated sub } } else { @@ -506,7 +509,10 @@ func (op *orPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { wl := prf.s.Scalar().Set(w) for i := 0; i < last; i++ { // choose all but last wi[i] = prf.s.Scalar() - prf.pc.PriRand(wi[i]) + err := prf.pc.PriRand(wi[i]) + if err != nil { + return err + } wl.Sub(wl, wi[i]) } wi[last] = wl @@ -561,7 +567,7 @@ func (op *orPred) respond(prf *proof, c kyber.Scalar, pr []kyber.Scalar) error { } // Get from the verifier all the commitments needed for this predicate -func (op *orPred) getCommits(prf *proof, pr []kyber.Scalar) error { +func (op *orPred) getCommits(prf *proof, _ []kyber.Scalar) error { sub := []Predicate(*op) for i := range sub { if e := sub[i].getCommits(prf, nil); e != nil { 
From be595d30d97bee3be750a1f61bc2ba3993677f7d Mon Sep 17 00:00:00 2001 From: lauener Date: Sat, 24 Feb 2024 15:01:49 +0100 Subject: [PATCH 33/49] Fix most lint issues package nist --- group/nist/curve.go | 17 +++++++---------- group/nist/residue.go | 1 - 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/group/nist/curve.go b/group/nist/curve.go index fb301dd33..071f5b888 100644 --- a/group/nist/curve.go +++ b/group/nist/curve.go @@ -23,7 +23,7 @@ func (p *curvePoint) String() string { } func (p *curvePoint) Equal(p2 kyber.Point) bool { - cp2 := p2.(*curvePoint) + cp2 := p2.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point // Make sure both coordinates are normalized. // Apparently Go's elliptic curve code doesn't always ensure this. @@ -58,7 +58,6 @@ func (p *curvePoint) Valid() bool { // Try to generate a point on this curve from a chosen x-coordinate, // with a random sign. func (p *curvePoint) genPoint(x *big.Int, rand cipher.Stream) bool { - // Compute the corresponding Y coordinate, if any y2 := new(big.Int).Mul(x, x) y2.Mul(y2, x) @@ -99,10 +98,9 @@ func (p *curvePoint) Pick(rand cipher.Stream) kyber.Point { return p.Embed(nil, rand) } -// Pick a curve point containing a variable amount of embedded data. +// Embed pick a curve point containing a variable amount of embedded data. // Remaining bits comprising the point are chosen randomly. func (p *curvePoint) Embed(data []byte, rand cipher.Stream) kyber.Point { - l := p.c.coordLen() dl := p.EmbedLen() if dl > len(data) { @@ -121,7 +119,7 @@ func (p *curvePoint) Embed(data []byte, rand cipher.Stream) kyber.Point { } } -// Extract embedded data from a curve point +// Data extract embedded data from a curve point func (p *curvePoint) Data() ([]byte, error) { b := p.x.Bytes() l := p.c.coordLen() 
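Review bot: The justification `//nolint:errcheck // curvePoint implements kyber.Point` does not support the unchecked assertion in `Equal`: what would make it safe is the converse, that every kyber.Point handed in is a *curvePoint, and that is exactly what fails when a caller mixes groups, producing a runtime panic. Either use a checked assertion with an explicit panic, as this same series does in curve25519/ext.go, or state the real reason, `//nolint:errcheck // a point from another group is a programming error; the panic is intended`. For Equal specifically, `if !ok { return false }` would be a defensible non-panicking answer worth considering.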
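Review bot: The rewritten doc comment `// Embed pick a curve point containing a variable amount of embedded data.` now starts with the method name as the linter wants, but the verb does not agree with the subject; Go doc comments are complete third-person sentences. Use `// Embed picks a curve point containing a variable amount of embedded data.` and, in the next hunk, `// Data extracts embedded data from a curve point.`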
@@ -136,15 +134,15 @@ func (p *curvePoint) Data() ([]byte, error) { } func (p *curvePoint) Add(a, b kyber.Point) kyber.Point { - ca := a.(*curvePoint) - cb := b.(*curvePoint) + ca := a.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point + cb := b.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point p.x, p.y = p.c.Add(ca.x, ca.y, cb.x, cb.y) return p } func (p *curvePoint) Sub(a, b kyber.Point) kyber.Point { - ca := a.(*curvePoint) - cb := b.(*curvePoint) + ca := a.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point + cb := b.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point cbn := p.c.Point().Neg(cb).(*curvePoint) p.x, p.y = p.c.Add(ca.x, ca.y, cbn.x, cbn.y) @@ -152,7 +150,6 @@ func (p *curvePoint) Sub(a, b kyber.Point) kyber.Point { } func (p *curvePoint) Neg(a kyber.Point) kyber.Point { - s := p.c.Scalar().One() s.Neg(s) return p.Mul(s, a).(*curvePoint) diff --git a/group/nist/residue.go b/group/nist/residue.go index 618fa409a..a9b04c269 100644 --- a/group/nist/residue.go +++ b/group/nist/residue.go @@ -273,7 +273,6 @@ func (g *ResidueGroup) QuadraticResidueGroup(bitlen uint, rand cipher.Stream) { // pick primes p,q such that p = 2q+1 for i := 0; ; i++ { if i > 1000 { - print(".") i = 0 } From 11c203b48e45cb5b9740789e9e75bf76edff96a5 Mon Sep 17 00:00:00 2001 From: lauener Date: Sat, 24 Feb 2024 15:19:30 +0100 Subject: [PATCH 34/49] Fix lint issues sign --- sign/bdn/bdn_test.go | 13 ++++++++----- sign/dss/dss_test.go | 4 +--- sign/eddsa/eddsa.go | 2 +- sign/mask.go | 9 ++++----- sign/mask_test.go | 12 ++++++------ sign/schnorr/schnorr.go | 22 +++++++++++----------- sign/schnorr/schnorr_test.go | 8 ++++---- 7 files changed, 35 insertions(+), 35 deletions(-) diff --git a/sign/bdn/bdn_test.go b/sign/bdn/bdn_test.go index 03c64446d..d8dfbf8f2 100644 --- a/sign/bdn/bdn_test.go +++ b/sign/bdn/bdn_test.go 
@@ -30,7 +30,7 @@ func TestBDN_HashPointToR_BN256(t *testing.T) { require.Equal(t, "933f6013eb3f654f9489d6d45ad04eaf", coefs[2].String()) require.Equal(t, 16, coefs[0].MarshalSize()) - mask, _ := sign.NewMask(suite, []kyber.Point{p1, p2, p3}, nil) + mask, _ := sign.NewMask([]kyber.Point{p1, p2, p3}, nil) mask.SetBit(0, true) mask.SetBit(1, true) mask.SetBit(2, true) @@ -54,7 +54,7 @@ func TestBDN_AggregateSignatures(t *testing.T) { sig2, err := Sign(suite, private2, msg) require.NoError(t, err) - mask, _ := sign.NewMask(suite, []kyber.Point{public1, public2}, nil) + mask, _ := sign.NewMask([]kyber.Point{public1, public2}, nil) mask.SetBit(0, true) mask.SetBit(1, true) @@ -65,6 +65,7 @@ func TestBDN_AggregateSignatures(t *testing.T) { require.NoError(t, err) aggregatedKey, err := AggregatePublicKeys(suite, mask) + require.NoError(t, err) sig, err := aggregatedSig.MarshalBinary() require.NoError(t, err) @@ -74,6 +75,7 @@ func TestBDN_AggregateSignatures(t *testing.T) { mask.SetBit(1, false) aggregatedKey, err = AggregatePublicKeys(suite, mask) + require.NoError(t, err) err = Verify(suite, aggregatedKey, msg, sig) require.Error(t, err) @@ -90,7 +92,7 @@ func TestBDN_SubsetSignature(t *testing.T) { sig2, err := Sign(suite, private2, msg) require.NoError(t, err) - mask, _ := sign.NewMask(suite, []kyber.Point{public1, public3, public2}, nil) + mask, _ := sign.NewMask([]kyber.Point{public1, public3, public2}, nil) mask.SetBit(0, true) mask.SetBit(2, true) @@ -98,6 +100,7 @@ func TestBDN_SubsetSignature(t *testing.T) { require.NoError(t, err) aggregatedKey, err := AggregatePublicKeys(suite, mask) + require.NoError(t, err) sig, err := aggregatedSig.MarshalBinary() require.NoError(t, err) 
@@ -128,7 +131,7 @@ func TestBDN_RogueAttack(t *testing.T) { require.NoError(t, scheme.Verify(agg, msg, sig)) // New scheme that should detect - mask, _ := sign.NewMask(suite, pubs, nil) + mask, _ := sign.NewMask(pubs, nil) mask.SetBit(0, true) mask.SetBit(1, true) agg, err = AggregatePublicKeys(suite, mask) @@ -146,7 +149,7 @@ func Benchmark_BDN_AggregateSigs(b *testing.B) { sig2, err := Sign(suite, private2, msg) require.Nil(b, err) - mask, _ := sign.NewMask(suite, []kyber.Point{public1, public2}, nil) + mask, _ := sign.NewMask([]kyber.Point{public1, public2}, nil) mask.SetBit(0, true) mask.SetBit(1, false) diff --git a/sign/dss/dss_test.go b/sign/dss/dss_test.go index 4dc891a13..ee76bd90e 100644 --- a/sign/dss/dss_test.go +++ b/sign/dss/dss_test.go @@ -24,8 +24,6 @@ var partSec []kyber.Scalar var longterms []*dkg.DistKeyShare var randoms []*dkg.DistKeyShare -var dss []*DSS - func init() { partPubs = make([]kyber.Point, nbParticipants) partSec = make([]kyber.Scalar, nbParticipants) @@ -220,6 +218,6 @@ func genPair() (kyber.Scalar, kyber.Point) { func randomBytes(n int) []byte { var buff = make([]byte, n) - _, _ = rand.Read(buff[:]) + _, _ = rand.Read(buff) return buff } diff --git a/sign/eddsa/eddsa.go b/sign/eddsa/eddsa.go index 2b348b246..cdc06fad5 100644 --- a/sign/eddsa/eddsa.go +++ b/sign/eddsa/eddsa.go @@ -192,7 +192,7 @@ func VerifyWithChecks(pub, msg, sig []byte) error { func Verify(public kyber.Point, msg, sig []byte) error { PBuf, err := public.MarshalBinary() if err != nil { - return fmt.Errorf("error unmarshalling public key: %s", err) + return fmt.Errorf("error unmarshalling public key: %w", err) } return VerifyWithChecks(PBuf, msg, sig) } diff --git a/sign/mask.go b/sign/mask.go index 51a0b2f44..683cf213c 100644 --- a/sign/mask.go +++ b/sign/mask.go @@ -6,7 +6,6 @@ import ( "fmt" "go.dedis.ch/kyber/v3" - "go.dedis.ch/kyber/v3/pairing" ) // Mask is a bitmask of the participation to a collective signature. 
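Review bot: The message `error unmarshalling public key: %w` in eddsa `Verify` describes the opposite operation; the wrapped call is `public.MarshalBinary()`, so on failure the user is told an unmarshal failed and looks in the wrong place. Since the line is being touched for `%w` anyway, fix the wording at the same time: `return fmt.Errorf("error marshalling public key: %w", err)`. The closing brace of Verify is inside the hunk.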
@@ -17,7 +16,7 @@ type Mask struct {
 
 // NewMask creates a new mask from a list of public keys. If a key is provided, it
 // will set the bit of the key to 1 or return an error if it is not found.
-func NewMask(suite pairing.Suite, publics []kyber.Point, myKey kyber.Point) (*Mask, error) {
+func NewMask(publics []kyber.Point, myKey kyber.Point) (*Mask, error) {
 	m := &Mask{
 		publics: publics,
 	}
@@ -26,8 +25,8 @@ func NewMask(suite pairing.Suite, publics []kyber.Point, myKey kyber.Point) (*Ma
 	if myKey != nil {
 		for i, key := range publics {
 			if key.Equal(myKey) {
-				m.SetBit(i, true)
-				return m, nil
+				err := m.SetBit(i, true)
+				return m, err
 			}
 		}
 
@@ -40,7 +39,7 @@ func NewMask(suite pairing.Suite, publics []kyber.Point, myKey kyber.Point) (*Ma
 // Mask returns the bitmask as a byte array.
 func (m *Mask) Mask() []byte {
 	clone := make([]byte, len(m.mask))
-	copy(clone[:], m.mask)
+	copy(clone, m.mask)
 	return clone
 }
 
diff --git a/sign/mask_test.go b/sign/mask_test.go
index 84a4d24eb..dc6fd5a28 100644
--- a/sign/mask_test.go
+++ b/sign/mask_test.go
@@ -25,7 +25,7 @@ func init() {
 }
 
 func TestMask_CreateMask(t *testing.T) {
-	mask, err := NewMask(suite, publics, nil)
+	mask, err := NewMask(publics, nil)
 	require.NoError(t, err)
 
 	require.Equal(t, len(publics), len(mask.Publics()))
@@ -34,19 +34,19 @@ func TestMask_CreateMask(t *testing.T) {
 	require.Equal(t, n/8+1, mask.Len())
 	require.Equal(t, uint8(0), mask.Mask()[0])
 
-	mask, err = NewMask(suite, publics, publics[2])
+	mask, err = NewMask(publics, publics[2])
 	require.NoError(t, err)
 
 	require.Equal(t, len(publics), len(mask.Publics()))
 	require.Equal(t, 1, mask.CountEnabled())
 	require.Equal(t, uint8(0x4), mask.Mask()[0])
 
-	mask, err = NewMask(suite, publics, suite.G1().Point())
+	_, err = NewMask(publics, suite.G1().Point())
 	require.Error(t, err)
 }
 
 func TestMask_SetBit(t *testing.T) {
-	mask, err := NewMask(suite, publics, publics[2])
+	mask, err := NewMask(publics, publics[2])
 	require.NoError(t, err)
 
 	err = mask.SetBit(1, true)
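Review bot: NewMask now ends the matching branch with `return m, err`, so on a SetBit failure the caller receives a non-nil *Mask together with an error, against the (T, error) convention that T is meaningless when err != nil; a caller that checks the mask for nil instead of the error keeps using a partially initialised mask. Prefer `if err := m.SetBit(i, true); err != nil { return nil, err }` followed by `return m, nil`. NewMask's body continues past the end of this hunk, so the not-found return is not visible here.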
@@ -72,7 +72,7 @@ func TestMask_SetBit(t *testing.T) { } func TestMask_SetAndMerge(t *testing.T) { - mask, err := NewMask(suite, publics, publics[2]) + mask, err := NewMask(publics, publics[2]) require.NoError(t, err) err = mask.SetMask([]byte{}) @@ -90,7 +90,7 @@ func TestMask_SetAndMerge(t *testing.T) { } func TestMask_PositionalQueries(t *testing.T) { - mask, err := NewMask(suite, publics, publics[2]) + mask, err := NewMask(publics, publics[2]) require.NoError(t, err) for i := 0; i < 10000; i++ { diff --git a/sign/schnorr/schnorr.go b/sign/schnorr/schnorr.go index 0dbc0749c..7aaafa6fd 100644 --- a/sign/schnorr/schnorr.go +++ b/sign/schnorr/schnorr.go @@ -96,23 +96,23 @@ func VerifyWithChecks(g kyber.Group, pub, msg, sig []byte) error { IsCanonical(b []byte) bool } - R := g.Point() + r := g.Point() s := g.Scalar() - pointSize := R.MarshalSize() + pointSize := r.MarshalSize() scalarSize := s.MarshalSize() sigSize := scalarSize + pointSize if len(sig) != sigSize { return fmt.Errorf("schnorr: signature of invalid length %d instead of %d", len(sig), sigSize) } - if err := R.UnmarshalBinary(sig[:pointSize]); err != nil { + if err := r.UnmarshalBinary(sig[:pointSize]); err != nil { return err } - if p, ok := R.(pointCanCheckCanonicalAndSmallOrder); ok { + if p, ok := r.(pointCanCheckCanonicalAndSmallOrder); ok { if !p.IsCanonical(sig[:pointSize]) { - return fmt.Errorf("R is not canonical") + return fmt.Errorf("r is not canonical") } if p.HasSmallOrder() { - return fmt.Errorf("R has small order") + return fmt.Errorf("r has small order") } } if s, ok := g.Scalar().(scalarCanCheckCanonical); ok && !s.IsCanonical(sig[pointSize:]) { 
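Review bot: Renaming the local `R` to `r` in VerifyWithChecks also changed the two runtime error strings from "R is not canonical"/"R has small order" to the lowercase form, which alters observable behaviour for any caller or test matching on those messages; a rename made for a linter should not touch runtime strings. R is also the conventional name for the Schnorr commitment, so keeping `return fmt.Errorf("schnorr: R is not canonical")` (and likewise for small order) reads better and stays stable. The next hunk still uses `RAh`/`RAs`, so the naming is now mixed inside one function; VerifyWithChecks continues outside this hunk.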
@@ -138,17 +138,17 @@ func VerifyWithChecks(g kyber.Group, pub, msg, sig []byte) error { return fmt.Errorf("public key has small order") } } - // recompute hash(public || R || msg) - h, err := hash(g, public, R, msg) + // recompute hash(public || r || msg) + h, err := hash(g, public, r, msg) if err != nil { return err } // compute S = g^s S := g.Point().Mul(s, nil) - // compute RAh = R + A^h + // compute RAh = r + A^h Ah := g.Point().Mul(h, public) - RAs := g.Point().Add(R, Ah) + RAs := g.Point().Add(r, Ah) if !S.Equal(RAs) { return errors.New("schnorr: invalid signature") @@ -163,7 +163,7 @@ func VerifyWithChecks(g kyber.Group, pub, msg, sig []byte) error { func Verify(g kyber.Group, public kyber.Point, msg, sig []byte) error { PBuf, err := public.MarshalBinary() if err != nil { - return fmt.Errorf("error unmarshalling public key: %s", err) + return fmt.Errorf("error unmarshalling public key: %w", err) } return VerifyWithChecks(g, PBuf, msg, sig) } diff --git a/sign/schnorr/schnorr_test.go b/sign/schnorr/schnorr_test.go index f1a5cead8..43487dbb6 100644 --- a/sign/schnorr/schnorr_test.go +++ b/sign/schnorr/schnorr_test.go @@ -72,11 +72,11 @@ type quickstream struct { rand *rand.Rand } -func (s *quickstream) XORKeyStream(dst, src []byte) { +func (s *quickstream) XORKeyStream(dst, _ []byte) { s.rand.Read(dst) } -func (s *quickstream) Generate(rand *rand.Rand, size int) reflect.Value { +func (s *quickstream) Generate(rand *rand.Rand, _ int) reflect.Value { return reflect.ValueOf(&quickstream{rand: rand}) } 
@@ -100,10 +100,10 @@ func TestQuickSchnorrSignature(t *testing.T) { func TestSchnorrMalleability(t *testing.T) { /* l = 2^252+27742317777372353535851937790883648493, prime order of the base point */ - var L []uint16 = []uint16{0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, + L := []uint16{0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10} - var c uint16 = 0 + var c uint16 msg := []byte("Hello Schnorr") suite := edwards25519.NewBlakeSHA256Ed25519() From 440649dd8c6d34ad692e1ba8b8b12b6b4ec96f5d Mon Sep 17 00:00:00 2001 From: lauener Date: Sat, 24 Feb 2024 16:06:38 +0100 Subject: [PATCH 35/49] Fix most lint issues share --- share/vss/pedersen/vss.go | 77 ++++++++++++++++++---------------- share/vss/pedersen/vss_test.go | 41 +++++++++--------- share/vss/rabin/dh.go | 23 +++++++--- share/vss/rabin/vss.go | 49 +++++++++++++++------- share/vss/rabin/vss_test.go | 5 +-- 5 files changed, 117 insertions(+), 78 deletions(-) diff --git a/share/vss/pedersen/vss.go b/share/vss/pedersen/vss.go index 27384a999..e01ff57a6 100644 --- a/share/vss/pedersen/vss.go +++ b/share/vss/pedersen/vss.go @@ -6,7 +6,6 @@ package vss import ( "bytes" - "crypto/cipher" "encoding/binary" "errors" "fmt" @@ -29,8 +28,7 @@ type Suite interface { // Dealer encapsulates for creating and distributing the shares and for // replying to any Responses. type Dealer struct { - suite Suite - reader cipher.Stream + suite Suite // long is the longterm key of the Dealer long kyber.Scalar pub kyber.Point @@ -83,7 +81,7 @@ type Response struct { // Index of the verifier issuing this Response from the new set of nodes Index uint32 // false = NO APPROVAL == Complaint , true = APPROVAL - Status bool + StatusApproved bool // Signature over the whole packet Signature []byte } 
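Review bot: Renaming the exported field `Status` of the exported `Response` type to `StatusApproved` is a breaking API change for every downstream user of share/vss/pedersen, which a commit titled as a lint fix does not signal; if the rename is intended it should be called out in the commit message and release notes. The field's comment `// false = NO APPROVAL == Complaint , true = APPROVAL` should follow the rename, e.g. `// StatusApproved is true for an approval and false for a complaint (see StatusApproval / StatusComplaint).` The rest of this file's hunks and vss_test.go apply the same rename, so the note holds for them too.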
@@ -227,14 +225,15 @@ func (d *Dealer) EncryptedDeals() ([]*EncryptedDeal, error) { } // ProcessResponse analyzes the given Response. If it's a valid complaint, then -// it returns a Justification. This Justification must be broadcasted to every -// participants. If it's an invalid complaint, it returns an error about the +// it returns a Justification. This Justification must be broadcast to every +// participant. If it's an invalid complaint, it returns an error about the // complaint. The verifiers will also ignore an invalid Complaint. func (d *Dealer) ProcessResponse(r *Response) (*Justification, error) { if err := d.verifyResponse(r); err != nil { return nil, err } - if r.Status == StatusApproval { + if r.StatusApproved { + //nolint:nilnil // Expected behavior return nil, nil } @@ -370,12 +369,12 @@ func (v *Verifier) ProcessEncryptedDeal(e *EncryptedDeal) (*Response, error) { } r := &Response{ - SessionID: sid, - Index: uint32(v.index), - Status: StatusApproval, + SessionID: sid, + Index: uint32(v.index), + StatusApproved: StatusApproval, } if err = v.VerifyDeal(d, true); err != nil { - r.Status = StatusComplaint + r.StatusApproved = StatusComplaint } if errors.Is(err, errDealAlreadyProcessed) { @@ -503,11 +502,12 @@ func (v *Verifier) SetTimeout() { // that works on basis of approval only. func (v *Verifier) UnsafeSetResponseDKG(idx uint32, approval bool) { r := &Response{ - SessionID: v.Aggregator.sid, - Index: uint32(idx), - Status: approval, + SessionID: v.Aggregator.sid, + Index: uint32(idx), + StatusApproved: approval, } + //nolint:errcheck // Unsafe function v.Aggregator.addResponse(r) } 
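Review bot: `//nolint:errcheck // Unsafe function` on the UnsafeSetResponseDKG hunk silences the linter but leaves addResponse's error silently dropped, so an out-of-range idx or a duplicate response vanishes without trace. Go's idiom for a deliberate discard is an explicit blank assignment carrying the reason, `_ = v.Aggregator.addResponse(r) // unsafe by design: caller guarantees idx is valid and unused`, which needs no lint directive and documents the assumption at the call site; the rabin UnsafeSetResponseDKG hunk in share/vss/rabin/vss.go does the same thing. In the ProcessResponse hunk the `//nolint:nilnil` case is better stated in the doc comment, e.g. `// For an approval it returns (nil, nil): no justification is needed.`, so callers learn the contract from godoc rather than from a lint directive.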
@@ -527,7 +527,14 @@ type Aggregator struct { timeout bool } -func newAggregator(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int, sid []byte) *Aggregator { +func newAggregator( + suite Suite, + dealer kyber.Point, + verifiers, + commitments []kyber.Point, + t int, + sid []byte, +) *Aggregator { agg := &Aggregator{ suite: suite, dealer: dealer, @@ -636,7 +643,7 @@ func (a *Aggregator) verifyJustification(j *Justification) error { if !ok { return errors.New("vss: no complaints received for this justification") } - if r.Status != StatusComplaint { + if r.StatusApproved { return errors.New("vss: justification received for an approval") } @@ -645,7 +652,7 @@ func (a *Aggregator) verifyJustification(j *Justification) error { a.badDealer = true return err } - r.Status = StatusApproval + r.StatusApproved = StatusApproval return nil } @@ -688,10 +695,10 @@ func (a *Aggregator) DealCertified() bool { for i := range a.verifiers { if r, ok := a.responses[uint32(i)]; !ok { absentVerifiers++ - } else if r.Status == StatusComplaint { - isComplaint = true - } else if r.Status == StatusApproval { + } else if r.StatusApproved { approvals++ + } else { + isComplaint = true } } enoughApprovals := approvals >= a.t @@ -727,15 +734,6 @@ func validT(t int, verifiers []kyber.Point) bool { return t >= 2 && t <= len(verifiers) && int(uint32(t)) == t } -func deriveH(suite Suite, verifiers []kyber.Point) kyber.Point { - var b bytes.Buffer - for _, v := range verifiers { - _, _ = v.MarshalTo(&b) - } - base := suite.Point().Pick(suite.XOF(b.Bytes())) - return base -} - func findPub(verifiers []kyber.Point, idx uint32) (kyber.Point, bool) { iidx := int(idx) if iidx >= len(verifiers) { 
@@ -746,18 +744,27 @@ func findPub(verifiers []kyber.Point, idx uint32) (kyber.Point, bool) {
 
 func sessionID(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int) ([]byte, error) {
 	h := suite.Hash()
-	_, _ = dealer.MarshalTo(h)
+	_, err := dealer.MarshalTo(h)
+	if err != nil {
+		return nil, err
+	}
 
 	for _, v := range verifiers {
-		_, _ = v.MarshalTo(h)
+		_, err = v.MarshalTo(h)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	for _, c := range commitments {
-		_, _ = c.MarshalTo(h)
+		_, err = c.MarshalTo(h)
+		if err != nil {
+			return nil, err
+		}
 	}
 
-	_ = binary.Write(h, binary.LittleEndian, uint32(t))
-	return h.Sum(nil), nil
+	err = binary.Write(h, binary.LittleEndian, uint32(t))
+	return h.Sum(nil), err
 }
 
 // Hash returns the Hash representation of the Response
@@ -766,7 +773,7 @@ func (r *Response) Hash(s Suite) []byte {
 	_, _ = h.Write([]byte("response"))
 	_, _ = h.Write(r.SessionID)
 	_ = binary.Write(h, binary.LittleEndian, r.Index)
-	_ = binary.Write(h, binary.LittleEndian, r.Status)
+	_ = binary.Write(h, binary.LittleEndian, r.StatusApproved)
 	return h.Sum(nil)
 }
 
diff --git a/share/vss/pedersen/vss_test.go b/share/vss/pedersen/vss_test.go
index f5443e69a..5259319be 100644
--- a/share/vss/pedersen/vss_test.go
+++ b/share/vss/pedersen/vss_test.go
@@ -144,18 +144,18 @@ func TestVSSShare(t *testing.T) {
 	resp, err := ver.ProcessEncryptedDeal(deal)
 	require.NotNil(t, resp)
-	require.Equal(t, StatusApproval, resp.Status)
+	require.Equal(t, StatusApproval, resp.StatusApproved)
 	require.Nil(t, err)
 
 	aggr := ver.Aggregator
 
 	for i := 1; i < aggr.t-1; i++ {
-		aggr.responses[uint32(i)] = &Response{Status: StatusApproval}
+		aggr.responses[uint32(i)] = &Response{StatusApproved: StatusApproval}
 	}
 
 	// not enough approvals
 	assert.Nil(t, ver.Deal())
 
-	aggr.responses[uint32(aggr.t)] = &Response{Status: StatusApproval}
+	aggr.responses[uint32(aggr.t)] = &Response{StatusApproved: StatusApproval}
 
 	// Timeout all other (i>t) verifiers
 	ver.SetTimeout()
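Review bot: sessionID ends with `return h.Sum(nil), err`, handing back a digest together with the binary.Write error, whereas the three MarshalTo failures just above return `nil, err`; the hunk is inconsistent with itself, and a caller that only checks the returned session ID for emptiness would accept a digest computed from an incomplete transcript. Make the tail `if err := binary.Write(h, binary.LittleEndian, uint32(t)); err != nil { return nil, err }` followed by `return h.Sum(nil), nil`. The same `value, err` tail appears in rabin's sessionID and in context in share/vss/rabin/dh.go (`return sum, err`), and NewDealer in share/vss/rabin/vss.go returns a partially built Dealer alongside the context error (`return d, err`).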
@@ -174,7 +174,7 @@ func TestVSSAggregatorDealCertified(t *testing.T) { aggr := dealer.Aggregator for i := 0; i < aggr.t; i++ { - aggr.responses[uint32(i)] = &Response{Status: StatusApproval} + aggr.responses[uint32(i)] = &Response{StatusApproved: StatusApproval} } // Mark remaining verifiers as timed-out @@ -193,7 +193,7 @@ func TestVSSAggregatorDealCertified(t *testing.T) { // inconsistent state on purpose // too much complaints for i := 0; i < aggr.t; i++ { - aggr.responses[uint32(i)] = &Response{Status: StatusComplaint} + aggr.responses[uint32(i)] = &Response{StatusApproved: StatusComplaint} } assert.False(t, aggr.DealCertified()) } @@ -249,7 +249,7 @@ func TestVSSVerifierReceiveDeal(t *testing.T) { // correct deal resp, err := v.ProcessEncryptedDeal(encD) require.NotNil(t, resp) - assert.Equal(t, StatusApproval, resp.Status) + assert.Equal(t, StatusApproval, resp.StatusApproved) assert.Nil(t, err) assert.Equal(t, v.index, int(resp.Index)) assert.Equal(t, dealer.sid, resp.SessionID) @@ -289,7 +289,7 @@ func TestVSSVerifierReceiveDeal(t *testing.T) { v.Aggregator.deal = nil // approval already existing from same origin, should never happen right ? - v.Aggregator.responses[uint32(v.index)] = &Response{Status: StatusApproval} + v.Aggregator.responses[uint32(v.index)] = &Response{StatusApproved: StatusApproval} d.Commitments[0] = suite.Point().Pick(rng) resp, err = v.ProcessEncryptedDeal(encD) assert.Nil(t, resp) @@ -302,7 +302,7 @@ func TestVSSVerifierReceiveDeal(t *testing.T) { //d.RndShare.V = suite.Scalar().SetBytes(randomBytes(32)) resp, err = v.ProcessEncryptedDeal(encD) assert.NotNil(t, resp) - assert.Equal(t, StatusComplaint, resp.Status) + assert.Equal(t, StatusComplaint, resp.StatusApproved) assert.Nil(t, err) } 
@@ -317,13 +317,14 @@ func TestVSSAggregatorVerifyJustification(t *testing.T) { encD, _ := dealer.EncryptedDeal(0) resp, err := v.ProcessEncryptedDeal(encD) assert.NotNil(t, resp) - assert.Equal(t, StatusComplaint, resp.Status) + assert.Equal(t, StatusComplaint, resp.StatusApproved) assert.Nil(t, err) assert.Equal(t, v.responses[uint32(v.index)], resp) // in tests, pointers point to the same underlying share.. d.SecShare.V = goodV j, err := dealer.ProcessResponse(resp) + assert.Nil(t, err) // invalid deal justified goodV = j.Deal.SecShare.V @@ -363,12 +364,12 @@ func TestVSSAggregatorVerifyResponseDuplicate(t *testing.T) { resp1, err := v1.ProcessEncryptedDeal(encD1) assert.Nil(t, err) assert.NotNil(t, resp1) - assert.Equal(t, StatusApproval, resp1.Status) + assert.Equal(t, StatusApproval, resp1.StatusApproved) resp2, err := v2.ProcessEncryptedDeal(encD2) assert.Nil(t, err) assert.NotNil(t, resp2) - assert.Equal(t, StatusApproval, resp2.Status) + assert.Equal(t, StatusApproval, resp2.StatusApproved) err = v1.ProcessResponse(resp2) assert.Nil(t, err) @@ -380,7 +381,7 @@ func TestVSSAggregatorVerifyResponseDuplicate(t *testing.T) { assert.Error(t, err) delete(v1.Aggregator.responses, uint32(v2.index)) - v1.Aggregator.responses[uint32(v2.index)] = &Response{Status: StatusApproval} + v1.Aggregator.responses[uint32(v2.index)] = &Response{StatusApproved: StatusApproval} err = v1.ProcessResponse(resp2) assert.Error(t, err) } 
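Review bot: The added `assert.Nil(t, err)` after `dealer.ProcessResponse(resp)` does not stop the test, so when ProcessResponse does fail the next line `goodV = j.Deal.SecShare.V` dereferences a nil j and the test dies with a panic instead of the assertion message. Use `require.NoError(t, err)` here; require is already imported in this file (see the TestVSSShare hunk). The enclosing test function continues outside the hunk.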
@@ -397,14 +398,14 @@ func TestVSSAggregatorVerifyResponse(t *testing.T) { resp, err := v.ProcessEncryptedDeal(encD) assert.Nil(t, err) assert.NotNil(t, resp) - assert.Equal(t, StatusComplaint, resp.Status) + assert.Equal(t, StatusComplaint, resp.StatusApproved) assert.NotNil(t, v.Aggregator) assert.Equal(t, resp.SessionID, dealer.sid) aggr := v.Aggregator r, ok := aggr.responses[uint32(v.index)] assert.True(t, ok) - assert.Equal(t, StatusComplaint, r.Status) + assert.Equal(t, StatusComplaint, r.StatusApproved) // wrong index resp.Index = uint32(len(verifiersPub)) @@ -433,12 +434,12 @@ func TestVSSAggregatorAllResponses(t *testing.T) { aggr := dealer.Aggregator for i := 0; i < aggr.t; i++ { - aggr.responses[uint32(i)] = &Response{Status: StatusApproval} + aggr.responses[uint32(i)] = &Response{StatusApproved: StatusApproval} } assert.False(t, aggr.DealCertified()) for i := aggr.t; i < nbVerifiers; i++ { - aggr.responses[uint32(i)] = &Response{Status: StatusApproval} + aggr.responses[uint32(i)] = &Response{StatusApproved: StatusApproval} } assert.True(t, aggr.DealCertified()) @@ -450,7 +451,7 @@ func TestVSSDealerTimeout(t *testing.T) { aggr := dealer.Aggregator for i := 0; i < aggr.t; i++ { - aggr.responses[uint32(i)] = &Response{Status: StatusApproval} + aggr.responses[uint32(i)] = &Response{StatusApproved: StatusApproval} } require.False(t, aggr.DealCertified()) @@ -479,7 +480,7 @@ func TestVSSVerifierTimeout(t *testing.T) { // Add t responses for i := 0; i < aggr.t; i++ { - aggr.responses[uint32(i)] = &Response{Status: StatusApproval} + aggr.responses[uint32(i)] = &Response{StatusApproved: StatusApproval} } assert.False(t, aggr.DealCertified()) @@ -544,8 +545,8 @@ func TestVSSAggregatorAddComplaint(t *testing.T) { var idx uint32 = 1 c := &Response{ - Index: idx, - Status: StatusComplaint, + Index: idx, + StatusApproved: StatusComplaint, } // ok assert.Nil(t, aggr.addResponse(c)) 
diff --git a/share/vss/rabin/dh.go b/share/vss/rabin/dh.go
index 345c397d1..bcbf52a8f 100644
--- a/share/vss/rabin/dh.go
+++ b/share/vss/rabin/dh.go
@@ -43,14 +43,25 @@ func newAEAD(fn func() hash.Hash, preSharedKey kyber.Point, context []byte) (cip
 const keySize = 128
 
 // context returns the context slice to be used when encrypting a share
-func context(suite Suite, dealer kyber.Point, verifiers []kyber.Point) []byte {
+func context(suite Suite, dealer kyber.Point, verifiers []kyber.Point) ([]byte, error) {
 	h := suite.XOF([]byte("vss-dealer"))
-	_, _ = dealer.MarshalTo(h)
-	_, _ = h.Write([]byte("vss-verifiers"))
+	_, err := dealer.MarshalTo(h)
+	if err != nil {
+		return nil, err
+	}
+	_, err = h.Write([]byte("vss-verifiers"))
+	if err != nil {
+		return nil, err
+	}
+
 	for _, v := range verifiers {
-		_, _ = v.MarshalTo(h)
+		_, err = v.MarshalTo(h)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	sum := make([]byte, keySize)
-	h.Read(sum)
-	return sum
+	_, err = h.Read(sum)
+	return sum, err
 }
diff --git a/share/vss/rabin/vss.go b/share/vss/rabin/vss.go
index 9de4b3980..d5e0439b9 100644
--- a/share/vss/rabin/vss.go
+++ b/share/vss/rabin/vss.go
@@ -32,7 +32,6 @@ package vss
 
 import (
 	"bytes"
-	"crypto/cipher"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -55,8 +54,8 @@ type Suite interface {
 // Dealer encapsulates for creating and distributing the shares and for
 // replying to any Responses.
 type Dealer struct {
-	suite  Suite
-	reader cipher.Stream
+	suite Suite
+
 	// long is the longterm key of the Dealer
 	long kyber.Scalar
 	pub  kyber.Point
@@ -133,7 +132,7 @@ type Justification struct { // does not have to be trusted by other Verifiers. The security parameter t is // the number of shares required to reconstruct the secret. MinimumT() provides // a middle ground between robustness and secrecy. Increasing t will increase -// the secrecy at the cost of the decreased robustness and vice versa. It +// the secrecy at the cost of the decreased robustness and vice versa. It // returns an error if the t is inferior or equal to 2. func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Point, t int) (*Dealer, error) { d := &Dealer{ @@ -182,8 +181,8 @@ func NewDealer(suite Suite, longterm, secret kyber.Scalar, verifiers []kyber.Poi T: uint32(d.t), } } - d.hkdfContext = context(suite, d.pub, verifiers) - return d, nil + d.hkdfContext, err = context(suite, d.pub, verifiers) + return d, err } // PlaintextDeal returns the plaintext version of the deal destined for peer i. @@ -261,7 +260,7 @@ func (d *Dealer) ProcessResponse(r *Response) (*Justification, error) { return nil, err } if r.Approved { - return nil, nil + return nil, nil //nolint:nilnil // Expected behavior } j := &Justification{ @@ -352,6 +351,10 @@ func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point, if !ok { return nil, errors.New("vss: public key not found in the list of verifiers") } + hkdfContext, err := context(suite, dealerKey, verifiers) + if err != nil { + return nil, err + } v := &Verifier{ suite: suite, longterm: longterm, @@ -359,8 +362,9 @@ func NewVerifier(suite Suite, longterm kyber.Scalar, dealerKey kyber.Point, verifiers: verifiers, pub: pub, index: index, - hkdfContext: context(suite, dealerKey, verifiers), + hkdfContext: hkdfContext, } + return v, nil } 
@@ -522,7 +526,14 @@ type aggregator struct { badDealer bool } -func newAggregator(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int, sid []byte) *aggregator { +func newAggregator( + suite Suite, + dealer kyber.Point, + verifiers, + commitments []kyber.Point, + t int, + sid []byte, +) *aggregator { agg := &aggregator{ suite: suite, dealer: dealer, @@ -687,6 +698,7 @@ func (a *aggregator) UnsafeSetResponseDKG(idx uint32, approval bool) { Approved: approval, } + //nolint:errcheck // Unsafe function a.addResponse(r) } @@ -722,18 +734,27 @@ func findPub(verifiers []kyber.Point, idx uint32) (kyber.Point, bool) { func sessionID(suite Suite, dealer kyber.Point, verifiers, commitments []kyber.Point, t int) ([]byte, error) { h := suite.Hash() - _, _ = dealer.MarshalTo(h) + _, err := dealer.MarshalTo(h) + if err != nil { + return nil, err + } for _, v := range verifiers { - _, _ = v.MarshalTo(h) + _, err = v.MarshalTo(h) + if err != nil { + return nil, err + } } for _, c := range commitments { - _, _ = c.MarshalTo(h) + _, err = c.MarshalTo(h) + if err != nil { + return nil, err + } } - _ = binary.Write(h, binary.LittleEndian, uint32(t)) - return h.Sum(nil), nil + err = binary.Write(h, binary.LittleEndian, uint32(t)) + return h.Sum(nil), err } // Hash returns the Hash representation of the Response diff --git a/share/vss/rabin/vss_test.go b/share/vss/rabin/vss_test.go index 1f33cb7f1..95443c681 100644 --- a/share/vss/rabin/vss_test.go +++ b/share/vss/rabin/vss_test.go @@ -335,8 +335,6 @@ func TestVSSAggregatorVerifyResponseDuplicate(t *testing.T) { dealer, verifiers := genAll() v1 := verifiers[0] v2 := verifiers[1] - //d1 := dealer.deals[0] - //d2 := dealer.deals[1] encD1, _ := dealer.EncryptedDeal(0) encD2, _ := dealer.EncryptedDeal(1) 
@@ -567,7 +565,8 @@ func TestVSSDHExchange(t *testing.T) { } func TestVSSContext(t *testing.T) { - c := context(suite, dealerPub, verifiersPub) + c, err := context(suite, dealerPub, verifiersPub) + assert.Nil(t, err) assert.Len(t, c, keySize) } From 5149a1f90711a4c633c494ee2bf9a4b833bf5cb6 Mon Sep 17 00:00:00 2001 From: lauener Date: Sun, 25 Feb 2024 14:37:22 +0100 Subject: [PATCH 36/49] Fix lint issues share --- share/vss/pedersen/vss_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/share/vss/pedersen/vss_test.go b/share/vss/pedersen/vss_test.go index 5259319be..1f21b51ab 100644 --- a/share/vss/pedersen/vss_test.go +++ b/share/vss/pedersen/vss_test.go @@ -299,7 +299,6 @@ func TestVSSVerifierReceiveDeal(t *testing.T) { // valid complaint v.Aggregator.deal = nil delete(v.Aggregator.responses, uint32(v.index)) - //d.RndShare.V = suite.Scalar().SetBytes(randomBytes(32)) resp, err = v.ProcessEncryptedDeal(encD) assert.NotNil(t, resp) assert.Equal(t, StatusComplaint, resp.StatusApproved) @@ -356,8 +355,6 @@ func TestVSSAggregatorVerifyResponseDuplicate(t *testing.T) { dealer, verifiers := genAll() v1 := verifiers[0] v2 := verifiers[1] - //d1 := dealer.deals[0] - //d2 := dealer.deals[1] encD1, _ := dealer.EncryptedDeal(0) encD2, _ := dealer.EncryptedDeal(1) @@ -390,7 +387,6 @@ func TestVSSAggregatorVerifyResponse(t *testing.T) { dealer, verifiers := genAll() v := verifiers[0] deal := dealer.deals[0] - //goodSec := deal.SecShare.V wrongSec, _ := genPair() deal.SecShare.V = wrongSec encD, _ := dealer.EncryptedDeal(0) From d551b656a5b4988777b8267f7e8ec05bcfe4d300 Mon Sep 17 00:00:00 2001 From: lauener Date: Sun, 25 Feb 2024 16:12:21 +0100 Subject: [PATCH 37/49] Reduce cogn. complexity --- group/curve25519/curve.go | 67 +++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 31 deletions(-) diff --git a/group/curve25519/curve.go b/group/curve25519/curve.go index 1d866e5d9..873cff601 100644 --- a/group/curve25519/curve.go 
+++ b/group/curve25519/curve.go
@@ -81,6 +81,41 @@ func (c *curve) NewKey(stream cipher.Stream) kyber.Scalar {
 	return secret
 }
 
+func initBasePoint(c *curve, self kyber.Group, p *Param, fullGroup bool, base point) {
+	var bx, by *big.Int
+	if fullGroup {
+		bx, by = &p.FBX, &p.FBY
+		base.initXY(&p.FBX, &p.FBY, self)
+	} else {
+		bx, by = &p.PBX, &p.PBY
+	}
+
+	if by.Sign() == 0 {
+		// No standard base point was defined, so pick one.
+		// Find the lowest-numbered y-coordinate that works.
+		var x, y mod.Int
+		for y.Init64(2, &c.P); ; y.Add(&y, &c.one) {
+			if !c.solveForX(&x, &y) {
+				continue // try another y
+			}
+			if c.coordSign(&x) != 0 {
+				x.Neg(&x) // try positive x first
+			}
+			base.initXY(&x.V, &y.V, self)
+			if c.validPoint(base) {
+				break // got one
+			}
+			x.Neg(&x) // try -bx
+			if c.validPoint(base) {
+				break // got one
+			}
+		}
+
+		bx, by = &x.V, &y.V
+	}
+	base.initXY(bx, by, self)
+}
+
 // Initialize a twisted Edwards curve with given parameters.
 // Caller passes pointers to null and base point prototypes to be initialized.
 func (c *curve) init(self kyber.Group, p *Param, fullGroup bool,
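Review bot: initBasePoint is a new unexported function with no doc comment, and it takes `c *curve` as a plain first argument even though everything it touches (`c.solveForX`, `c.coordSign`, `c.validPoint`, `c.P`, `c.one`) belongs to that receiver; the idiomatic shape is a method, `func (c *curve) initBasePoint(self kyber.Group, p *Param, fullGroup bool, base point)`, called as `c.initBasePoint(self, p, fullGroup, base)` from init. A doc comment is worth adding, e.g. `// initBasePoint sets base to the curve's base point: the full-group (FBX, FBY) or prime-order (PBX, PBY) point from p, or, when the selected y is zero, the lowest-y valid point found by search.` The extracted code also keeps the original's first `base.initXY(&p.FBX, &p.FBY, self)` in the fullGroup branch, which appears to be overwritten by the final `base.initXY(bx, by, self)` whenever a standard base point exists; that looks pre-existing rather than introduced here, but the move is a good moment to confirm and drop it.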
@@ -118,37 +153,7 @@ func (c *curve) init(self kyber.Group, p *Param, fullGroup bool, null.initXY(zero, one, self) // Base point B - var bx, by *big.Int - if !fullGroup { - bx, by = &p.PBX, &p.PBY - } else { - bx, by = &p.FBX, &p.FBY - base.initXY(&p.FBX, &p.FBY, self) - } - if by.Sign() == 0 { - // No standard base point was defined, so pick one. - // Find the lowest-numbered y-coordinate that works. - var x, y mod.Int - for y.Init64(2, &c.P); ; y.Add(&y, &c.one) { - if !c.solveForX(&x, &y) { - continue // try another y - } - if c.coordSign(&x) != 0 { - x.Neg(&x) // try positive x first - } - base.initXY(&x.V, &y.V, self) - if c.validPoint(base) { - break // got one - } - x.Neg(&x) // try -bx - if c.validPoint(base) { - break // got one - } - } - - bx, by = &x.V, &y.V - } - base.initXY(bx, by, self) + initBasePoint(c, self, p, fullGroup, base) // Sanity checks if !c.validPoint(null) { From 755961d8a82b7b5047dcdf3bff61c79b705dceae Mon Sep 17 00:00:00 2001 From: lauener Date: Sun, 25 Feb 2024 16:55:44 +0100 Subject: [PATCH 38/49] Fix linter issues package edwards25519 --- group/edwards25519/const.go | 2 + group/edwards25519/ge.go | 33 +++++++++------- group/edwards25519/ge_mult_vartime.go | 14 +++---- group/edwards25519/point.go | 4 ++ group/edwards25519/scalar.go | 52 ++++++++++++++++---------- group/edwards25519/scalar_test.go | 54 ++++++++++++--------------- 6 files changed, 86 insertions(+), 73 deletions(-) diff --git a/group/edwards25519/const.go b/group/edwards25519/const.go index a9c8c5ce2..35cb3291b 100644 --- a/group/edwards25519/const.go +++ b/group/edwards25519/const.go @@ -44,6 +44,7 @@ var sqrtM1 = fieldElement{ -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482, } +//nolint:unused // May be used later var paramA = fieldElement{ 486662, 0, 0, 0, 0, 0, 0, 0, 0, 0, } 
@@ -55,6 +56,7 @@ var baseext = extendedGroupElement{ fieldElement{6966464, -2456167, 7033433, 6781840, 28785542, 12262365, -2659449, 13959020, -21013759, -5262166}, } +//nolint:unused // May be used later var bi = [8]preComputedGroupElement{ { fieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605}, diff --git a/group/edwards25519/ge.go b/group/edwards25519/ge.go index 7cbc281c1..17afe8d53 100644 --- a/group/edwards25519/ge.go +++ b/group/edwards25519/ge.go @@ -178,6 +178,7 @@ func (p *preComputedGroupElement) Zero() { feZero(&p.xy2d) } +//nolint:dupl // Extracting common parts makes little sense func (c *completedGroupElement) Add(p *extendedGroupElement, q *cachedGroupElement) { var t0 fieldElement @@ -194,6 +195,7 @@ func (c *completedGroupElement) Add(p *extendedGroupElement, q *cachedGroupEleme feSub(&c.T, &t0, &c.T) } +//nolint:dupl // Extracting common parts makes little sense func (c *completedGroupElement) Sub(p *extendedGroupElement, q *cachedGroupElement) { var t0 fieldElement @@ -210,6 +212,7 @@ func (c *completedGroupElement) Sub(p *extendedGroupElement, q *cachedGroupEleme feAdd(&c.T, &t0, &c.T) } +//nolint:dupl // Extracting common parts makes little sense func (c *completedGroupElement) MixedAdd(p *extendedGroupElement, q *preComputedGroupElement) { var t0 fieldElement @@ -225,6 +228,7 @@ func (c *completedGroupElement) MixedAdd(p *extendedGroupElement, q *preComputed feSub(&c.T, &t0, &c.T) } +//nolint:dupl // Extracting common parts makes little sense func (c *completedGroupElement) MixedSub(p *extendedGroupElement, q *preComputedGroupElement) { var t0 fieldElement 
@@ -288,8 +292,9 @@ func (r *cachedGroupElement) Neg(t *cachedGroupElement) { // each multiplier is either zero or an odd number between -15 and 15. // Assumes the target array r has been preinitialized with zeros // in case the input slice a is less than 32 bytes. +// +//nolint:gocognit func slide(r *[256]int8, a *[32]byte) { - // Explode the exponent a into a little-endian array, one bit per byte for i := range a { ai := int8(a[i]) @@ -306,12 +311,14 @@ func slide(r *[256]int8, a *[32]byte) { // 1-bit encountered in a clump, and that first bit always remains 1. for i := range r { if r[i] != 0 { + innerLoop: for b := 1; b <= 6 && i+b < 256; b++ { if r[i+b] != 0 { - if r[i]+(r[i+b]<= -15 { + case r[i]-(r[i+b]<= -15: r[i] -= r[i+b] << uint(b) for k := i + b; k < 256; k++ { if r[k] == 0 { @@ -320,8 +327,8 @@ func slide(r *[256]int8, a *[32]byte) { } r[k] = 0 } - } else { - break + default: + break innerLoop } } } @@ -408,14 +415,14 @@ func geScalarMultBase(h *extendedGroupElement, a *[32]byte) { } } -func selectCached(c *cachedGroupElement, Ai *[8]cachedGroupElement, b int32) { +func selectCached(c *cachedGroupElement, ai *[8]cachedGroupElement, b int32) { bNegative := negative(b) bAbs := b - (((-bNegative) & b) << 1) // in constant-time pick cached multiplier for exponent 0 through 8 c.Zero() for i := int32(0); i < 8; i++ { - c.CMove(&Ai[i], equal(bAbs, i+1)) + c.CMove(&ai[i], equal(bAbs, i+1)) } // in constant-time compute negated version, conditionally use it @@ -432,10 +439,8 @@ func selectCached(c *cachedGroupElement, Ai *[8]cachedGroupElement, b int32) { // Preconditions: // // a[31] <= 127 -// -//nolint:gocritic func geScalarMult(h *extendedGroupElement, a *[32]byte, - A *extendedGroupElement) { + b *extendedGroupElement) { var t completedGroupElement var u extendedGroupElement 
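Review bot: The `default: break innerLoop` in slide depends on a labelled break because, with the if/else chain turned into a `switch` inside the `for b` loop, an unlabelled `break` would only leave the switch and the original early exit from the loop would silently be lost; that subtlety deserves a line comment, `// a bare break here would only exit the switch`, next to the label or the break. The middle of this hunk is garbled in this rendering (the shift expressions in the case conditions are cut off), so the conditions themselves cannot be checked here. slide's only visible caller is the variable-time ladder in ge_mult_vartime.go, so the restructuring raises no constant-time concern.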
@@ -460,11 +465,11 @@ func geScalarMult(h *extendedGroupElement, a *[32]byte, e[63] += carry // each e[i] is between -8 and 8. - // compute cached array of multiples of A from 1A through 8A - var Ai [8]cachedGroupElement // A,1A,2A,3A,4A,5A,6A,7A - A.ToCached(&Ai[0]) + // compute cached array of multiples of b from 1A through 8A + var Ai [8]cachedGroupElement // b,1A,2A,3A,4A,5A,6A,7A + b.ToCached(&Ai[0]) for i := 0; i < 7; i++ { - t.Add(A, &Ai[i]) + t.Add(b, &Ai[i]) t.ToExtended(&u) u.ToCached(&Ai[i+1]) } diff --git a/group/edwards25519/ge_mult_vartime.go b/group/edwards25519/ge_mult_vartime.go index 572c7825e..3eedfb33f 100644 --- a/group/edwards25519/ge_mult_vartime.go +++ b/group/edwards25519/ge_mult_vartime.go @@ -8,13 +8,11 @@ package edwards25519 // Preconditions: // // a[31] <= 127 -// -//nolint:gocritic func geScalarMultVartime(h *extendedGroupElement, a *[32]byte, - A *extendedGroupElement) { + b *extendedGroupElement) { var aSlide [256]int8 - var Ai [8]cachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A + var Ai [8]cachedGroupElement // b,3A,5A,7A,9A,11A,13A,15A var t completedGroupElement var u, A2 extendedGroupElement var r projectiveGroupElement @@ -24,12 +22,12 @@ func geScalarMultVartime(h *extendedGroupElement, a *[32]byte, // resulting in only zero or odd multipliers between -15 and 15. slide(&aSlide, a) - // Form an array of odd multiples of A from 1A through 15A, + // Form an array of odd multiples of b from 1A through 15A, // in addition-ready cached group element form. - // We only need odd multiples of A because slide() + // We only need odd multiples of b because slide() // produces only odd-multiple clumps of bits. - A.ToCached(&Ai[0]) - A.Double(&t) + b.ToCached(&Ai[0]) + b.Double(&t) t.ToExtended(&A2) for i := 0; i < 7; i++ { t.Add(&A2, &Ai[i]) diff --git a/group/edwards25519/point.go b/group/edwards25519/point.go index 9575bc48b..a6dbe1848 100644 --- a/group/edwards25519/point.go +++ b/group/edwards25519/point.go 
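Review bot: Renaming the point parameter `A` to `b` in geScalarMult and geScalarMultVartime left the comments half-updated: `// compute cached array of multiples of b from 1A through 8A` and `// b,1A,2A,3A,4A,5A,6A,7A` now mix both names, and `Ai`/`A2` in geScalarMultVartime still carry the old one. `b` is also a poor name for a point in functions whose scalar is `a` and where slide uses `b` for a bit offset. If the linter objects to the capitalised parameter, a name such as `pt` with the comments reading `multiples of pt from 1pt through 8pt` keeps them consistent; otherwise restore one identifier throughout the comments.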
@@ -238,6 +238,8 @@ func (p *point) Mul(s kyber.Scalar, b kyber.Point) kyber.Point { // // This is the same code as in // https://github.com/jedisct1/libsodium/blob/4744636721d2e420f8bbe2d563f31b1f5e682229/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c#L1170 +// +//nolint:lll // Url above func (p *point) HasSmallOrder() bool { s, err := p.MarshalBinary() if err != nil { @@ -274,6 +276,8 @@ func (p *point) HasSmallOrder() bool { // // The method accepts a buffer instead of calling `MarshalBinary` on the receiver // because that always returns a value modulo `prime`. +// +//nolint:lll // Url above func (p *point) IsCanonical(s []byte) bool { if len(s) != 32 { return false diff --git a/group/edwards25519/scalar.go b/group/edwards25519/scalar.go index cd5195294..b57937508 100644 --- a/group/edwards25519/scalar.go +++ b/group/edwards25519/scalar.go @@ -195,13 +195,15 @@ func newScalarInt(i *big.Int) *scalar { } // Input: -// a[0]+256*a[1]+...+256^31*a[31] = a -// b[0]+256*b[1]+...+256^31*b[31] = b -// c[0]+256*c[1]+...+256^31*c[31] = c +// +// a[0]+256*a[1]+...+256^31*a[31] = a +// b[0]+256*b[1]+...+256^31*b[31] = b +// c[0]+256*c[1]+...+256^31*c[31] = c // // Output: -// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l -// where l = 2^252 + 27742317777372353535851937790883648493. +// +// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l +// where l = 2^252 + 27742317777372353535851937790883648493. func scMulAdd(s, a, b, c *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) 
@@ -630,13 +632,14 @@ func scMulAdd(s, a, b, c *[32]byte) { // Hacky scAdd cobbled together rather sub-optimally from scMulAdd. // // Input: -// a[0]+256*a[1]+...+256^31*a[31] = a -// c[0]+256*c[1]+...+256^31*c[31] = c +// +// a[0]+256*a[1]+...+256^31*a[31] = a +// c[0]+256*c[1]+...+256^31*c[31] = c // // Output: -// s[0]+256*s[1]+...+256^31*s[31] = (a+c) mod l -// where l = 2^252 + 27742317777372353535851937790883648493. // +// s[0]+256*s[1]+...+256^31*s[31] = (a+c) mod l +// where l = 2^252 + 27742317777372353535851937790883648493. func scAdd(s, a, c *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) @@ -1053,13 +1056,14 @@ func scAdd(s, a, c *[32]byte) { // Hacky scSub cobbled together rather sub-optimally from scMulAdd. // // Input: -// a[0]+256*a[1]+...+256^31*a[31] = a -// c[0]+256*c[1]+...+256^31*c[31] = c +// +// a[0]+256*a[1]+...+256^31*a[31] = a +// c[0]+256*c[1]+...+256^31*c[31] = c // // Output: -// s[0]+256*s[1]+...+256^31*s[31] = (a-c) mod l -// where l = 2^252 + 27742317777372353535851937790883648493. // +// s[0]+256*s[1]+...+256^31*s[31] = (a-c) mod l +// where l = 2^252 + 27742317777372353535851937790883648493. func scSub(s, a, c *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) @@ -1476,12 +1480,14 @@ func scSub(s, a, c *[32]byte) { // Hacky scMul cobbled together rather sub-optimally from scMulAdd. // // Input: -// a[0]+256*a[1]+...+256^31*a[31] = a -// b[0]+256*b[1]+...+256^31*b[31] = b +// +// a[0]+256*a[1]+...+256^31*a[31] = a +// b[0]+256*b[1]+...+256^31*b[31] = b // // Output: -// s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l -// where l = 2^252 + 27742317777372353535851937790883648493. +// +// s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l +// where l = 2^252 + 27742317777372353535851937790883648493. func scMul(s, a, b *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) 
@@ -1908,11 +1914,15 @@ func scMul(s, a, b *[32]byte) { } // Input: -// s[0]+256*s[1]+...+256^63*s[63] = s +// +// s[0]+256*s[1]+...+256^63*s[63] = s // // Output: -// s[0]+256*s[1]+...+256^31*s[31] = s mod l -// where l = 2^252 + 27742317777372353535851937790883648493. +// +// s[0]+256*s[1]+...+256^31*s[31] = s mod l +// where l = 2^252 + 27742317777372353535851937790883648493. +// +//nolint:unused // May be used later func scReduce(out *[32]byte, s *[64]byte) { s0 := 2097151 & load3(s[:]) s1 := 2097151 & (load4(s[2:]) >> 5) @@ -2238,6 +2248,8 @@ func scReduce(out *[32]byte, s *[64]byte) { // for a reference. // The method accepts a buffer instead of calling `MarshalBinary` on the receiver since that // always returns values modulo `primeOrder`. +// +//nolint:lll // Url above func (s *scalar) IsCanonical(sb []byte) bool { if len(sb) != 32 { return false diff --git a/group/edwards25519/scalar_test.go b/group/edwards25519/scalar_test.go index 5c50864a6..c9b67258f 100644 --- a/group/edwards25519/scalar_test.go +++ b/group/edwards25519/scalar_test.go @@ -70,21 +70,21 @@ func newFactoredScalar() kyber.Scalar { func (s *factoredScalar) Add(s1, s2 kyber.Scalar) kyber.Scalar { sf1 := s1.(*factoredScalar) sf2 := s2.(*factoredScalar) - scAddFact(&s.v, &sf1.v, &sf2.v) + scAddFact(&sf1.v, &sf2.v) return s } func (s *factoredScalar) Mul(s1, s2 kyber.Scalar) kyber.Scalar { sf1 := s1.(*factoredScalar) sf2 := s2.(*factoredScalar) - scMulFact(&s.v, &sf1.v, &sf2.v) + scMulFact(&sf1.v, &sf2.v) return s } func (s *factoredScalar) Sub(s1, s2 kyber.Scalar) kyber.Scalar { sf1 := s1.(*factoredScalar) sf2 := s2.(*factoredScalar) - scSubFact(&s.v, &sf1.v, &sf2.v) + scSubFact(&sf1.v, &sf2.v) return s } 
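Review bot: Dropping the output parameter in `scAddFact(&sf1.v, &sf2.v)` (and in `scMulFact`, `scSubFact`, whose signatures change in the last three hunks of this file) appears to confirm that these helpers never write a result anywhere, so `factoredScalar.Add/Mul/Sub` return the receiver untouched and any test built on `newFactoredScalar` compares unchanged zero values and passes vacuously. Either the helpers should hand the result back, e.g. `func scAddFact(a, c *[32]byte) [32]byte` with `s.v = scAddFact(&sf1.v, &sf2.v)` in Add, or `factoredScalar` should be removed from the test suite instead of being kept as an inert fixture. In scalar.go, silencing `unused` on `scReduce` with `// May be used later` keeps a large block of untested reduction arithmetic in the production package; a test pinning it to a reference value would be preferable to the nolint if it is kept.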
@@ -123,14 +123,14 @@ func TestSetBytesLE(t *testing.T) { } } -func testSimple(t *testing.T, new func() kyber.Scalar) { - s1 := new() - s2 := new() - s3 := new() +func testSimple(t *testing.T, f func() kyber.Scalar) { + s1 := f() + s2 := f() + s3 := f() s1.SetInt64(2) s2.Pick(random.New()) - s22 := new().Add(s2, s2) + s22 := f().Add(s2, s2) if !s3.Mul(s1, s2).Equal(s22) { t.Fail() @@ -138,11 +138,11 @@ func testSimple(t *testing.T, new func() kyber.Scalar) { } -func benchScalarAdd(b *testing.B, new func() kyber.Scalar) { +func benchScalarAdd(b *testing.B, f func() kyber.Scalar) { var seed = tSuite.XOF([]byte("hello world")) - s1 := new() - s2 := new() - s3 := new() + s1 := f() + s2 := f() + s3 := f() s1.Pick(seed) s2.Pick(seed) @@ -151,11 +151,11 @@ func benchScalarAdd(b *testing.B, new func() kyber.Scalar) { } } -func benchScalarMul(b *testing.B, new func() kyber.Scalar) { +func benchScalarMul(b *testing.B, f func() kyber.Scalar) { var seed = tSuite.XOF([]byte("hello world")) - s1 := new() - s2 := new() - s3 := new() + s1 := f() + s2 := f() + s3 := f() s1.Pick(seed) s2.Pick(seed) @@ -164,11 +164,11 @@ func benchScalarMul(b *testing.B, new func() kyber.Scalar) { } } -func benchScalarSub(b *testing.B, new func() kyber.Scalar) { +func benchScalarSub(b *testing.B, f func() kyber.Scalar) { var seed = tSuite.XOF([]byte("hello world")) - s1 := new() - s2 := new() - s3 := new() + s1 := f() + s2 := f() + s3 := f() s1.Pick(seed) s2.Pick(seed) @@ -226,11 +226,9 @@ func doReduction(limbs [24]int64, i int) { } func scReduceLimbs(limbs [24]int64) { - //for i in 0..23 { for i := 0; i < 23; i++ { doCarryCentered(limbs, i) } - //for i in (0..23).filter(|x| x % 2 == 1) { for i := 1; i < 23; i += 2 { doCarryCentered(limbs, i) } 
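Review bot: `func scReduceLimbs(limbs [24]int64)` takes the array by value, as does `doReduction(limbs [24]int64, i int)` in the hunk header, so every carry and reduction step in this hunk and the two that follow operates on a private copy and the caller's limbs are never modified; the comment cleanup keeps that behaviour. Passing a pointer, `func scReduceLimbs(limbs *[24]int64)` and `func doReduction(limbs *[24]int64, i int)` with matching call sites, would make the reduction take effect. Since this file is the `factoredScalar` test fixture, the inert reduction is one reason those scalar tests cannot fail. The signatures of doCarryCentered and doCarryUncentered are outside the hunk, so their by-value form is inferred from the call shape.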
@@ -242,12 +240,10 @@ func scReduceLimbs(limbs [24]int64) { doReduction(limbs, 19) doReduction(limbs, 18) - //for i in (6..18).filter(|x| x % 2 == 0) { for i := 6; i < 18; i += 2 { doCarryCentered(limbs, i) } - // for i in (6..16).filter(|x| x % 2 == 1) { for i := 7; i < 16; i += 2 { doCarryCentered(limbs, i) } @@ -258,31 +254,27 @@ func scReduceLimbs(limbs [24]int64) { doReduction(limbs, 13) doReduction(limbs, 12) - //for i in (0..12).filter(|x| x % 2 == 0) { for i := 0; i < 12; i += 2 { doCarryCentered(limbs, i) } - //for i in (0..12).filter(|x| x % 2 == 1) { for i := 1; i < 12; i += 2 { doCarryCentered(limbs, i) } doReduction(limbs, 12) - //for i in 0..12 { for i := 0; i < 12; i++ { doCarryUncentered(limbs, i) } doReduction(limbs, 12) - //for i in 0..11 { for i := 0; i < 11; i++ { doCarryUncentered(limbs, i) } } -func scAddFact(s, a, c *[32]byte) { +func scAddFact(a, c *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) a2 := 2097151 & (load3(a[5:]) >> 2) @@ -337,7 +329,7 @@ func scAddFact(s, a, c *[32]byte) { scReduceLimbs(limbs) } -func scMulFact(s, a, b *[32]byte) { +func scMulFact(a, b *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) a2 := 2097151 & (load3(a[5:]) >> 2) @@ -404,7 +396,7 @@ func scMulFact(s, a, b *[32]byte) { scReduceLimbs(limbs) } -func scSubFact(s, a, c *[32]byte) { +func scSubFact(a, c *[32]byte) { a0 := 2097151 & load3(a[:]) a1 := 2097151 & (load4(a[2:]) >> 5) a2 := 2097151 & (load3(a[5:]) >> 2) From 225d36ca7587aa8044b24edd728eef81717062eb Mon Sep 17 00:00:00 2001 From: lauener Date: Sun, 25 Feb 2024 16:56:41 +0100 Subject: [PATCH 39/49] relax golangci rules --- .golangci.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index b2d293e83..b02429ce7 100644 --- a/.golangci.yml +++ b/.golangci.yml 
@@ -8,6 +8,10 @@ run: # This file contains only configs which differ from defaults. # All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml linters-settings: + staticcheck: + checks: + - all + - '-SA1019' # Ignore deprecated for now cyclop: # The maximal code complexity to report. # Default: 10 @@ -163,7 +167,7 @@ linters: #- decorder # checks declaration order and count of types, constants, variables and functions #- exhaustruct # checks if all structure fields are initialized #- gci # controls golang package import order and makes it always deterministic - - godox # detects FIXME, TODO and other comment keywords + #- godox # detects FIXME, TODO and other comment keywords #- goheader # checks is file header matches to pattern - interfacebloat # checks the number of methods inside an interface #- ireturn # accept interfaces, return concrete types @@ -208,7 +212,7 @@ issues: # Maximum count of issues with the same text. # Set to 0 to disable. # Default: 3 - max-same-issues: 50 + #max-same-issues: 50 exclude-rules: - source: "^//\\s*go:generate\\s" @@ -253,6 +257,10 @@ issues: - path: 'group/edwards25519/scalar.go' linters: - ineffassign + - funlen - path: 'group/edwards25519/const.go' linters: - lll + - path: 'group/edwards25519/fe.go' + linters: + - funlen \ No newline at end of file From 4db0c5696eb70e120109adc002338bf58428d87f Mon Sep 17 00:00:00 2001 From: lauener Date: Sun, 25 Feb 2024 17:21:59 +0100 Subject: [PATCH 40/49] Fix last linter error in group --- group/curve25519/ext.go | 43 +++++---------------- group/curve25519/proj.go | 18 ++++----- group/edwards25519/curve.go | 2 +- group/edwards25519/point.go | 8 ++-- group/edwards25519/scalar.go | 2 +- group/mod/int.go | 75 +++++++----------------------------- group/nist/curve.go | 16 ++++---- 7 files changed, 46 insertions(+), 118 deletions(-) diff --git a/group/curve25519/ext.go b/group/curve25519/ext.go index ba9ccbdf4..7fe739d13 100644 
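Review bot: Adding `'-SA1019'` under `staticcheck.checks` silences deprecation findings for the whole repository, which in a cryptography library also hides use of deprecated primitives — for instance the `ScalarMult`/`Add` calls in group/nist/curve.go later in this series, if `p.c` is a `crypto/elliptic` curve as it appears to be. A narrower exclusion through the `exclude-rules` list this file already uses (a `path` entry with `text: 'SA1019'`) on the files that actually need it, plus a tracking issue, keeps the check live for new code. The last hunk also leaves the file without a trailing newline at the `fe.go` entry.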
--- a/group/curve25519/ext.go +++ b/group/curve25519/ext.go @@ -17,11 +17,7 @@ type extPoint struct { } func (p *extPoint) initXY(x, y *big.Int, c kyber.Group) { - var ok bool - p.c, ok = c.(*ExtendedCurve) - if !ok { - panic("invalid casting to *ExtendedCurve") - } + p.c = c.(*ExtendedCurve) //nolint:errcheck // V4 may bring better error handling p.X.Init(x, &p.c.P) p.Y.Init(y, &p.c.P) @@ -73,10 +69,7 @@ func (p *extPoint) UnmarshalFrom(r io.Reader) (int, error) { // iff // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1) func (p *extPoint) Equal(cp2 kyber.Point) bool { - p2, ok := cp2.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } + p2 := cp2.(*extPoint) //nolint:errcheck // V4 may bring better error handling var t1, t2 mod.Int xeq := t1.Mul(&p.X, &p2.Z).Equal(t2.Mul(&p2.X, &p.Z)) yeq := t1.Mul(&p.Y, &p2.Z).Equal(t2.Mul(&p2.Y, &p.Z)) @@ -84,10 +77,7 @@ func (p *extPoint) Equal(cp2 kyber.Point) bool { } func (p *extPoint) Set(cp2 kyber.Point) kyber.Point { - p2, ok := cp2.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } + p2 := cp2.(*extPoint) //nolint:errcheck // V4 may bring better error handling p.c = p2.c p.X.Set(&p2.X) p.Y.Set(&p2.Y) @@ -157,14 +147,8 @@ func (p *extPoint) Data() ([]byte, error) { // //nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double() func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point { - p1, ok := cp1.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } - p2, ok := cp2.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } + p1 := cp1.(*extPoint) //nolint:errcheck // V4 may bring better error handling + p2 := cp2.(*extPoint) //nolint:errcheck // V4 may bring better error handling X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T 
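Review bot: Replacing `p2, ok := cp2.(*extPoint)` plus the explicit panic with an unchecked assertion (every hunk of this file, and the same pattern in proj.go, curve.go, point.go, scalar.go, mod/int.go and nist/curve.go below) keeps the panic on a foreign point type but swaps the message `invalid casting to *extPoint` for the runtime's generic TypeAssertionError, so a crash report now says less about which groups were mixed. If the descriptive message is wanted, a small helper such as `func mustExt(p kyber.Point) *extPoint` keeps it in one place; otherwise the roughly forty copies of `//nolint:errcheck // V4 may bring better error handling` would be cleaner as a single `exclude-rules` entry in .golangci.yml, which this series already uses per path.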
@@ -189,14 +173,8 @@ func (p *extPoint) Add(cp1, cp2 kyber.Point) kyber.Point { // //nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double() func (p *extPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { - p1, ok := cp1.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } - p2, ok := cp2.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } + p1 := cp1.(*extPoint) //nolint:errcheck // V4 may bring better error handling + p2 := cp2.(*extPoint) //nolint:errcheck // V4 may bring better error handling X1, Y1, Z1, T1 := &p1.X, &p1.Y, &p1.Z, &p1.T X2, Y2, Z2, T2 := &p2.X, &p2.Y, &p2.Z, &p2.T X3, Y3, Z3, T3 := &p.X, &p.Y, &p.Z, &p.T @@ -220,10 +198,7 @@ func (p *extPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { // Find the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). func (p *extPoint) Neg(ca kyber.Point) kyber.Point { - A, ok := ca.(*extPoint) - if !ok { - panic("invalid casting to *extPoint") - } + A := ca.(*extPoint) //nolint:errcheck // V4 may bring better error handling p.c = A.c p.X.Neg(&A.X) p.Y.Set(&A.Y) @@ -309,7 +284,7 @@ type ExtendedCurve struct { func (c *ExtendedCurve) Point() kyber.Point { P := new(extPoint) P.c = c - //P.Set(&c.null) + return P } diff --git a/group/curve25519/proj.go b/group/curve25519/proj.go index 13a2a4d9b..3cd90bb0c 100644 --- a/group/curve25519/proj.go +++ b/group/curve25519/proj.go @@ -16,7 +16,7 @@ type projPoint struct { } func (p *projPoint) initXY(x, y *big.Int, c kyber.Group) { - p.c = c.(*ProjectiveCurve) + p.c = c.(*ProjectiveCurve) //nolint:errcheck // V4 may bring better error handling p.X.Init(x, &p.c.P) p.Y.Init(y, &p.c.P) p.Z.Init64(1, &p.c.P) 
@@ -61,7 +61,7 @@ func (p *projPoint) UnmarshalFrom(r io.Reader) (int, error) { // iff // (X1*Z2,Y1*Z2) == (X2*Z1,Y2*Z1) func (p *projPoint) Equal(cp2 kyber.Point) bool { - P2 := cp2.(*projPoint) + P2 := cp2.(*projPoint) //nolint:errcheck // V4 may bring better error handling var t1, t2 mod.Int xeq := t1.Mul(&p.X, &P2.Z).Equal(t2.Mul(&P2.X, &p.Z)) yeq := t1.Mul(&p.Y, &P2.Z).Equal(t2.Mul(&P2.Y, &p.Z)) @@ -69,7 +69,7 @@ func (p *projPoint) Equal(cp2 kyber.Point) bool { } func (p *projPoint) Set(cp2 kyber.Point) kyber.Point { - P2 := cp2.(*projPoint) + P2 := cp2.(*projPoint) //nolint:errcheck // V4 may bring better error handling p.c = P2.c p.X.Set(&P2.X) p.Y.Set(&P2.Y) @@ -131,8 +131,8 @@ func (p *projPoint) Data() ([]byte, error) { // //nolint:dupl //Doesn't make sense to extract part of Add(), Sub() func (p *projPoint) Add(cp1, cp2 kyber.Point) kyber.Point { - P1 := cp1.(*projPoint) - P2 := cp2.(*projPoint) + P1 := cp1.(*projPoint) //nolint:errcheck // V4 may bring better error handling + P2 := cp2.(*projPoint) //nolint:errcheck // V4 may bring better error handling X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int @@ -160,8 +160,8 @@ func (p *projPoint) Add(cp1, cp2 kyber.Point) kyber.Point { // //nolint:dupl //Doesn't make sense to extract part of Add(), Sub(), double() func (p *projPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { - P1 := cp1.(*projPoint) - P2 := cp2.(*projPoint) + P1 := cp1.(*projPoint) //nolint:errcheck // V4 may bring better error handling + P2 := cp2.(*projPoint) //nolint:errcheck // V4 may bring better error handling X1, Y1, Z1 := &P1.X, &P1.Y, &P1.Z X2, Y2, Z2 := &P2.X, &P2.Y, &P2.Z var A, B, C, D, E, F, G, X3, Y3, Z3 mod.Int 
@@ -188,7 +188,7 @@ func (p *projPoint) Sub(cp1, cp2 kyber.Point) kyber.Point { // Find the negative of point A. // For Edwards curves, the negative of (x,y) is (-x,y). func (p *projPoint) Neg(ca kyber.Point) kyber.Point { - A := ca.(*projPoint) + A := ca.(*projPoint) //nolint:errcheck // V4 may bring better error handling p.c = A.c p.X.Neg(&A.X) p.Y.Set(&A.Y) @@ -252,7 +252,7 @@ type ProjectiveCurve struct { func (c *ProjectiveCurve) Point() kyber.Point { P := new(projPoint) P.c = c - //P.Set(&c.null) + return P } diff --git a/group/edwards25519/curve.go b/group/edwards25519/curve.go index 75e26f98f..2e5e02c8f 100644 --- a/group/edwards25519/curve.go +++ b/group/edwards25519/curve.go @@ -54,7 +54,7 @@ func (c *Curve) NewKeyAndSeedWithInput(buffer []byte) (kyber.Scalar, []byte, []b digest[31] &= 0x7f digest[31] |= 0x40 - secret := c.Scalar().(*scalar) + secret := c.Scalar().(*scalar) //nolint:errcheck // V4 may bring better error handling copy(secret.v[:], digest[:]) return secret, buffer, digest[32:] } diff --git a/group/edwards25519/point.go b/group/edwards25519/point.go index a6dbe1848..770a19ca2 100644 --- a/group/edwards25519/point.go +++ b/group/edwards25519/point.go @@ -178,8 +178,8 @@ func (p *point) Data() ([]byte, error) { } func (p *point) Add(p1, p2 kyber.Point) kyber.Point { - E1 := p1.(*point) - E2 := p2.(*point) + E1 := p1.(*point) //nolint:errcheck // V4 may bring better error handling + E2 := p2.(*point) //nolint:errcheck // V4 may bring better error handling var t2 cachedGroupElement var r completedGroupElement @@ -192,8 +192,8 @@ func (p *point) Add(p1, p2 kyber.Point) kyber.Point { } func (p *point) Sub(p1, p2 kyber.Point) kyber.Point { - E1 := p1.(*point) - E2 := p2.(*point) + E1 := p1.(*point) //nolint:errcheck // V4 may bring better error handling + E2 := p2.(*point) //nolint:errcheck // V4 may bring better error handling var t2 cachedGroupElement var r completedGroupElement 
diff --git a/group/edwards25519/scalar.go b/group/edwards25519/scalar.go index b57937508..a5ab1887e 100644 --- a/group/edwards25519/scalar.go +++ b/group/edwards25519/scalar.go @@ -113,7 +113,7 @@ func (s *scalar) Div(a, b kyber.Scalar) kyber.Scalar { func (s *scalar) Inv(a kyber.Scalar) kyber.Scalar { var res scalar res.One() - ac := a.(*scalar) + ac := a.(*scalar) //nolint:errcheck // V4 may bring better error handling // Modular inversion in a multiplicative group is a^(phi(m)-1) = a^-1 mod m // Since m is prime, phi(m) = m - 1 => a^(m-2) = a^-1 mod m. // The inverse is computed using the exponentation-and-square algorithm. diff --git a/group/mod/int.go b/group/mod/int.go index e4722d637..7c8e8aef3 100644 --- a/group/mod/int.go +++ b/group/mod/int.go @@ -151,10 +151,7 @@ func (i *Int) Nonzero() bool { // Since this method copies the modulus as well, // it may be used as an alternative to Init(). func (i *Int) Set(a kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling i.V.Set(&ai.V) i.M = ai.M @@ -208,15 +205,8 @@ func (i *Int) Uint64() uint64 { // Add sets the target to a + b mod M, where M is a's modulus.. func (i *Int) Add(a, b kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } - - bi, ok := b.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling + bi := b.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M i.V.Add(&ai.V, &bi.V).Mod(&i.V, i.M) 
@@ -226,15 +216,8 @@ func (i *Int) Add(a, b kyber.Scalar) kyber.Scalar { // Sub sets the target to a - b mod M. // Target receives a's modulus. func (i *Int) Sub(a, b kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } - - bi, ok := b.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling + bi := b.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M i.V.Sub(&ai.V, &bi.V).Mod(&i.V, i.M) @@ -243,10 +226,7 @@ func (i *Int) Sub(a, b kyber.Scalar) kyber.Scalar { // Neg sets the target to -a mod M. func (i *Int) Neg(a kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M if ai.V.Sign() > 0 { @@ -260,15 +240,8 @@ func (i *Int) Neg(a kyber.Scalar) kyber.Scalar { // Mul sets the target to a * b mod M. // Target receives a's modulus. func (i *Int) Mul(a, b kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } - - bi, ok := b.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling + bi := b.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M i.V.Mul(&ai.V, &bi.V).Mod(&i.V, i.M) 
@@ -277,15 +250,8 @@ func (i *Int) Mul(a, b kyber.Scalar) kyber.Scalar { // Div sets the target to a * b^-1 mod M, where b^-1 is the modular inverse of b. func (i *Int) Div(a, b kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } - - bi, ok := b.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling + bi := b.(*Int) //nolint:errcheck // V4 may bring better error handling var t big.Int i.M = ai.M i.V.Mul(&ai.V, t.ModInverse(&bi.V, i.M)) @@ -295,10 +261,7 @@ func (i *Int) Div(a, b kyber.Scalar) kyber.Scalar { // Inv sets the target to the modular inverse of a with respect to modulus M. func (i *Int) Inv(a kyber.Scalar) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M i.V.ModInverse(&a.(*Int).V, i.M) @@ -308,10 +271,7 @@ func (i *Int) Inv(a kyber.Scalar) kyber.Scalar { // Exp sets the target to a^e mod M, // where e is an arbitrary big.Int exponent (not necessarily 0 <= e < M). func (i *Int) Exp(a kyber.Scalar, e *big.Int) kyber.Scalar { - ai, ok := a.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := a.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M // to protect against golang/go#22830 @@ -324,10 +284,7 @@ func (i *Int) Exp(a kyber.Scalar, e *big.Int) kyber.Scalar { // Jacobi computes the Jacobi symbol of (a/M), which indicates whether a is // zero (0), a positive square in M (1), or a non-square in M (-1). func (i *Int) Jacobi(as kyber.Scalar) kyber.Scalar { - ai, ok := as.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } + ai := as.(*Int) //nolint:errcheck // V4 may bring better error handling i.M = ai.M i.V.SetInt64(int64(big.Jacobi(&ai.V, i.M))) 
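Review bot: In `Inv`, the hunk introduces `ai := a.(*Int)` but the next line still re-asserts the same value, `i.V.ModInverse(&a.(*Int).V, i.M)`; it should read `i.V.ModInverse(&ai.V, i.M)` so the assertion happens once and the nolint comment covers the only one. In `Div`, unchanged by this hunk, `t.ModInverse(&bi.V, i.M)` returns nil when `b` has no inverse modulo `M`, and the following `i.V.Mul` then dereferences nil; a guard that panics with a clear message or returns a defined result would be preferable to the nil-pointer panic, though that behaviour is pre-existing.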
@@ -338,11 +295,7 @@ func (i *Int) Jacobi(as kyber.Scalar) kyber.Scalar { // Assumes the modulus M is an odd prime. // Returns true on success, false if input a is not a square. func (i *Int) Sqrt(as kyber.Scalar) bool { - ai, ok := as.(*Int) - if !ok { - panic("invalid scalar casting to Int") - } - + ai := as.(*Int) //nolint:errcheck // V4 may bring better error handling out := i.V.ModSqrt(&ai.V, ai.M) i.M = ai.M return out != nil diff --git a/group/nist/curve.go b/group/nist/curve.go index 071f5b888..c1bd88aad 100644 --- a/group/nist/curve.go +++ b/group/nist/curve.go @@ -23,7 +23,7 @@ func (p *curvePoint) String() string { } func (p *curvePoint) Equal(p2 kyber.Point) bool { - cp2 := p2.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point + cp2 := p2.(*curvePoint) //nolint:errcheck // V4 may bring better error handling // Make sure both coordinates are normalized. // Apparently Go's elliptic curve code doesn't always ensure this. 
@@ -134,17 +134,17 @@ func (p *curvePoint) Data() ([]byte, error) { } func (p *curvePoint) Add(a, b kyber.Point) kyber.Point { - ca := a.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point - cb := b.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point + ca := a.(*curvePoint) //nolint:errcheck // V4 may bring better error handling + cb := b.(*curvePoint) //nolint:errcheck // V4 may bring better error handling p.x, p.y = p.c.Add(ca.x, ca.y, cb.x, cb.y) return p } func (p *curvePoint) Sub(a, b kyber.Point) kyber.Point { - ca := a.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point - cb := b.(*curvePoint) //nolint:errcheck // curvePoint implements kyber.Point + ca := a.(*curvePoint) //nolint:errcheck // V4 may bring better error handling + cb := b.(*curvePoint) //nolint:errcheck // V4 may bring better error handling - cbn := p.c.Point().Neg(cb).(*curvePoint) + cbn := p.c.Point().Neg(cb).(*curvePoint) //nolint:errcheck // V4 may bring better error handling p.x, p.y = p.c.Add(ca.x, ca.y, cbn.x, cbn.y) return p } @@ -156,9 +156,9 @@ func (p *curvePoint) Neg(a kyber.Point) kyber.Point { } func (p *curvePoint) Mul(s kyber.Scalar, b kyber.Point) kyber.Point { - cs := s.(*mod.Int) + cs := s.(*mod.Int) //nolint:errcheck // V4 may bring better error handling if b != nil { - cb := b.(*curvePoint) + cb := b.(*curvePoint) //nolint:errcheck // V4 may bring better error handling p.x, p.y = p.c.ScalarMult(cb.x, cb.y, cs.V.Bytes()) } else { p.x, p.y = p.c.ScalarBaseMult(cs.V.Bytes()) From ee2f9c70106cfb10fce01328cf5e5c1102868c83 Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 26 Feb 2024 10:28:34 +0100 Subject: [PATCH 41/49] More linter fix --- proof/proof.go | 14 ++++++++++---- share/vss/rabin/vss_test.go | 1 - shuffle/pair.go | 2 ++ shuffle/simple.go | 10 ++-------- suites/suites.go | 5 ++++- 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/proof/proof.go b/proof/proof.go index 2d25961a6..3d7646cfc 100644 
--- a/proof/proof.go +++ b/proof/proof.go @@ -484,7 +484,8 @@ func (op *orPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { prf.pp[op] = pp // Choose pre-challenges for our subs. - if w == nil { + switch { + case w == nil: // We're on a proof-obligated branch; // choose random pre-challenges for only non-obligated subs. choice, ok := prf.choice[op] @@ -501,7 +502,7 @@ func (op *orPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { } } // else wi[i] == nil for proof-obligated sub } - } else { + default: // Since w != nil, we're in a non-obligated branch, // so choose random pre-challenges for all subs // such that they add up to the master pre-challenge w. @@ -515,14 +516,19 @@ func (op *orPred) commit(prf *proof, w kyber.Scalar, pv []kyber.Scalar) error { } wl.Sub(wl, wi[i]) } + wi[last] = wl } + return commitmentProducer(prf, wi, sub) +} + +func commitmentProducer(prf *proof, wi []kyber.Scalar, sub []Predicate) error { // Now recursively choose commitments within each sub for i := 0; i < len(sub); i++ { // Fresh variable-blinding secrets for each pre-commitment - if e := sub[i].commit(prf, wi[i], nil); e != nil { - return e + if err := sub[i].commit(prf, wi[i], nil); err != nil { + return err } } diff --git a/share/vss/rabin/vss_test.go b/share/vss/rabin/vss_test.go index 95443c681..544541211 100644 --- a/share/vss/rabin/vss_test.go +++ b/share/vss/rabin/vss_test.go @@ -367,7 +367,6 @@ func TestVSSAggregatorVerifyResponse(t *testing.T) { dealer, verifiers := genAll() v := verifiers[0] deal := dealer.deals[0] - //goodSec := deal.SecShare.V wrongSec, _ := genPair() deal.SecShare.V = wrongSec encD, _ := dealer.EncryptedDeal(0) diff --git a/shuffle/pair.go b/shuffle/pair.go index 8fa2861ea..61733b243 100644 --- a/shuffle/pair.go +++ b/shuffle/pair.go 
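Review bot: The new helper `commitmentProducer` has no doc comment, and its name says "producer" although it only recurses into `sub[i].commit` with the chosen pre-challenges; the invariant it relies on — `wi[i] == nil` exactly for the proof-obligated sub — is stated only in a trailing comment in the caller. A comment such as `// commitmentProducer recursively commits each sub-predicate with its pre-challenge; wi[i] == nil marks the proof-obligated sub.` on the helper, or a name like `commitSubs`, would make that explicit. `wi[last] = wl` shows as an added line in the default branch; if it was not merely moved from below the old else block, that is a behavioural change that deserves a mention in the commit message. The helper's body continues past the end of the hunk.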
@@ -124,6 +124,8 @@ func (ps *PairShuffle) Init(grp kyber.Group, k int) *PairShuffle { } // Prove returns an error if the shuffle is not correct. +// +//nolint:funlen func (ps *PairShuffle) Prove( pi []int, g, h kyber.Point, beta []kyber.Scalar, x, y []kyber.Point, rand cipher.Stream, diff --git a/shuffle/simple.go b/shuffle/simple.go index 1573fe135..535e6a44c 100644 --- a/shuffle/simple.go +++ b/shuffle/simple.go @@ -86,6 +86,8 @@ func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle { // Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004. // The Scalar vector y must be a permutation of Scalar vector x // but with all elements multiplied by common Scalar gamma. +// +//nolint:funlen // 51 statement instead of authorized 50 func (ss *SimpleShuffle) Prove(g kyber.Point, gamma kyber.Scalar, x, y []kyber.Scalar, _ cipher.Stream, ctx proof.ProverContext) error { @@ -100,14 +102,6 @@ func (ss *SimpleShuffle) Prove(g kyber.Point, gamma kyber.Scalar, panic("mismatched vector lengths") } - // // Dump input vectors to show their correspondences - // for i := 0; i < k; i++ { - // println("x",grp.Scalar().Mul(gamma,x[i]).String()) - // } - // for i := 0; i < k; i++ { - // println("y",y[i].String()) - // } - // Step 0: inputs for i := 0; i < k; i++ { // (4) ss.p0.X[i] = grp.Point().Mul(x[i], g) diff --git a/suites/suites.go b/suites/suites.go index 9f9edaeb2..4e7997b6a 100644 --- a/suites/suites.go +++ b/suites/suites.go 
@@ -37,7 +37,10 @@ var ErrUnknownSuite = errors.New("unknown suite") func Find(name string) (Suite, error) { if s, ok := suites[strings.ToLower(name)]; ok { if requireConstTime && strings.ToLower(s.String()) != "ed25519" { - return nil, errors.New("requested suite exists but is not implemented with constant time algorithms as required by suites.RequireConstantTime") + return nil, errors.New( + "requested suite exists but is not implemented " + + "with constant time algorithms as required by " + + "suites.RequireConstantTime") } return s, nil } From f05993e95eeba372f915ecafb725a28d62b9a1ac Mon Sep 17 00:00:00 2001 From: lauener Date: Mon, 26 Feb 2024 10:33:36 +0100 Subject: [PATCH 42/49] Rename unused parameters --- .golangci.yml | 2 +- share/dkg/rabin/dkg.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index b02429ce7..73e219015 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -212,7 +212,7 @@ issues: # Maximum count of issues with the same text. # Set to 0 to disable. # Default: 3 - #max-same-issues: 50 + max-same-issues: 50 exclude-rules: - source: "^//\\s*go:generate\\s" diff --git a/share/dkg/rabin/dkg.go b/share/dkg/rabin/dkg.go index 87715af92..267e0b9f7 100644 --- a/share/dkg/rabin/dkg.go +++ b/share/dkg/rabin/dkg.go @@ -375,7 +375,7 @@ func (d *DistKeyGenerator) Certified() bool { // the distributed public key with SecretCommits() and ProcessSecretCommits(). func (d *DistKeyGenerator) QUAL() []int { var good []int - d.qualIter(func(i uint32, v *vss.Verifier) bool { + d.qualIter(func(i uint32, _ *vss.Verifier) bool { good = append(good, int(i)) return true }) @@ -384,7 +384,7 @@ func (d *DistKeyGenerator) QUAL() []int { func (d *DistKeyGenerator) isInQUAL(idx uint32) bool { var found bool - d.qualIter(func(i uint32, v *vss.Verifier) bool { + d.qualIter(func(i uint32, _ *vss.Verifier) bool { if i == idx { found = true return false 
@@ -603,7 +603,7 @@ func (d *DistKeyGenerator) ProcessReconstructCommits(rs *ReconstructCommits) err func (d *DistKeyGenerator) Finished() bool { var ret = true var nb = 0 - d.qualIter(func(idx uint32, v *vss.Verifier) bool { + d.qualIter(func(idx uint32, _ *vss.Verifier) bool { nb++ // ALL QUAL members should have their commitments by now either given or // reconstructed. From f9fa3571fb3f4bd7073237046147ce12539991e4 Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 27 Feb 2024 08:02:13 +0100 Subject: [PATCH 43/49] Setup golangci action --- .github/workflows/go_lint.yml | 32 ----------------- .github/workflows/golangci-lint.yml | 54 +++++++++++++++++++++++++++++ Makefile | 2 -- 3 files changed, 54 insertions(+), 34 deletions(-) delete mode 100644 .github/workflows/go_lint.yml create mode 100644 .github/workflows/golangci-lint.yml diff --git a/.github/workflows/go_lint.yml b/.github/workflows/go_lint.yml deleted file mode 100644 index d9d9d5128..000000000 --- a/.github/workflows/go_lint.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: Go lint - -on: - push: - branches: [ master ] - pull_request_target: - types: [opened, synchronize, reopened] - -jobs: - - lint: - runs-on: ubuntu-latest - steps: - - name: Set up Go ^1.20 - uses: actions/setup-go@v3 - with: - go-version: ^1.20 - - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - - - name: Tidy - run: go mod tidy && [ -z "$(git status -s)" ] - - - name: Lint - run: make lint - - - name: Vet - run: make vet diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml new file mode 100644 index 000000000..a18fe8de3 --- /dev/null +++ b/.github/workflows/golangci-lint.yml 
@@ -0,0 +1,54 @@ +name: Lint +on: + push: + branches: [ master ] + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: read + # Optional: allow read access to pull request. Use with `only-new-issues` option. + # pull-requests: read + +jobs: + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v3 + with: + go-version: '1.20' + cache: false + - name: golangci-lint + uses: golangci/golangci-lint-action@v4 + with: + # Require: The version of golangci-lint to use. + # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version. + # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit. + version: v1.56.2 + + # Optional: working directory, useful for monorepos + # working-directory: somedir + + # Optional: golangci-lint command line arguments. + # + # Note: By default, the `.golangci.yml` file should be at the root of the repository. + # The location of the configuration file can be changed by using `--config=` + # args: --timeout=30m --config=/my/path/.golangci.yml --issues-exit-code=0 + + # Optional: show only new issues if it's a pull request. The default value is `false`. + # only-new-issues: true + + # Optional: if set to true, then all caching functionality will be completely disabled, + # takes precedence over all other caching options. + # skip-cache: true + + # Optional: if set to true, then the action won't cache or restore ~/go/pkg. + # skip-pkg-cache: true + + # Optional: if set to true, then the action won't cache or restore ~/.cache/go-build. + # skip-build-cache: true + + # Optional: The mode to install golangci-lint. It can be 'binary' or 'goinstall'. + # install-mode: "goinstall" \ No newline at end of file diff --git a/Makefile b/Makefile index b6be21aef..dcbd3d743 100644 --- a/Makefile +++ b/Makefile 
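Review bot: The three third-party actions in this new workflow (`actions/checkout@v3`, `actions/setup-go@v3`, `golangci/golangci-lint-action@v4`) are pinned to mutable tags, so the code that runs in CI can change without any change to this repository; pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, is the usual hardening, and the read-only `permissions: contents: read` block already limits what a compromised action could do. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint and most editors will flag.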
@@ -7,8 +7,6 @@ generate: tidy # Coding style static check. lint: tidy - @go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 - @go mod tidy golangci-lint run vet: tidy From 1f7b472249416e1d00f3c9322ae87647ba2f2689 Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 27 Feb 2024 16:57:37 +0100 Subject: [PATCH 44/49] Divide large test --- util/test/test.go | 152 +++++++++++++++++++++++++++++----------------- 1 file changed, 97 insertions(+), 55 deletions(-) diff --git a/util/test/test.go b/util/test/test.go index 2ffb4d48d..7195d0eac 100644 --- a/util/test/test.go +++ b/util/test/test.go 
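Review bot: With the `@go install ...@v1.56.2` line removed, `lint: tidy` now runs whatever `golangci-lint` happens to be on the developer's PATH, while CI pins v1.56.2 in the new workflow, so local and CI lint results can diverge silently. A version-pinned invocation keeps them aligned without a separate install step: `go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2 run`. If the bare binary is preferred, the expected version should at least be stated in a comment above the target.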
@@ -131,40 +131,15 @@ func testScalarClone(t *testing.T, g kyber.Group, rand cipher.Stream) { } } -// Apply a generic set of validation tests to a cryptographic Group, -// using a given source of [pseudo-]randomness. -// -// Returns a log of the pseudorandom Points produced in the test, -// for comparison across alternative implementations -// that are supposed to be equivalent. -func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { - t.Logf("\nTesting group '%s': %d-byte Point, %d-byte Scalar\n", - g.String(), g.PointLen(), g.ScalarLen()) - - points := make([]kyber.Point, 0) - ptmp := g.Point() - stmp := g.Scalar() - pzero := g.Point().Null() - szero := g.Scalar().Zero() - sone := g.Scalar().One() - - // Do a simple Diffie-Hellman test - s1 := g.Scalar().Pick(rand) - s2 := g.Scalar().Pick(rand) - if s1.Equal(szero) { - t.Errorf("first secret is scalar zero %v", s1) - } - if s2.Equal(szero) { - t.Errorf("second secret is scalar zero %v", s2) - } - if s1.Equal(s2) { - t.Errorf("not getting unique secrets: picked %s twice", s1) - } - - gen := g.Point().Base() - points = append(points, gen) - +func testSanityCheck( + t *testing.T, + points []kyber.Point, + g kyber.Group, + stmp, s1, s2 kyber.Scalar, + gen, ptmp kyber.Point, +) ([]kyber.Point, kyber.Point, kyber.Point, kyber.Point, bool) { // Sanity-check relationship between addition and multiplication + pzero := g.Point().Null() p1 := g.Point().Add(gen, gen) p2 := g.Point().Mul(stmp.SetInt64(2), nil) if !p1.Equal(p2) { 
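Review bot: `testSanityCheck` returns five unnamed values, three of them `kyber.Point`, so a reader of the signature cannot tell which point is which until the `return points, dh1, p1, p2, primeOrder` in the next hunk; naming the results, e.g. `) (pts []kyber.Point, dh1, p1, p2 kyber.Point, primeOrder bool) {`, or grouping them in a small struct would make the contract self-describing. The new helpers in this hunk and the following ones (`testHomomorphicIdentities`, `testRandomlyPickedPoint`, `testEncodingDecoding`) also carry no doc comments; a one-liner per helper such as `// testSanityCheck checks that Add(gen, gen) equals Mul(2, nil), then returns the extended point log, dh1, p1, p2 and the primeOrder flag.` would suffice. The body of `testSanityCheck` continues past the end of the hunk.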
@@ -222,22 +197,15 @@ func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { points = append(points, dh1) t.Logf("shared secret = %v", dh1) - // Test secret inverse to get from dh1 back to p1 - if primeOrder { - ptmp.Mul(g.Scalar().Inv(s2), dh1) - if !ptmp.Equal(p1) { - t.Errorf("Scalar inverse didn't work: %v != (-)%v (x) %v == %v", p1, s2, dh1, ptmp) - } - } - - // Zero and One identity secrets - if !ptmp.Mul(szero, dh1).Equal(pzero) { - t.Errorf("Encryption with secret=0 didn't work: %v (x) %v == %v != %v", szero, dh1, ptmp, pzero) - } - if !ptmp.Mul(sone, dh1).Equal(dh1) { - t.Errorf("Encryption with secret=1 didn't work: %v (x) %v == %v != %[2]v", sone, dh1, ptmp) - } + return points, dh1, p1, p2, primeOrder +} +func testHomomorphicIdentities( + t *testing.T, + primeOrder bool, + g kyber.Group, + gen, ptmp, p1, p2, dh1 kyber.Point, + stmp, s1, s2 kyber.Scalar) { // Additive homomorphic identities ptmp.Add(p1, p2) stmp.Add(s1, s2) @@ -284,8 +252,18 @@ func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { stmp, s2, st2, s1) } } +} - // Test randomly picked points +func testRandomlyPickedPoint( + t *testing.T, + primeOrder bool, + points []kyber.Point, + g kyber.Group, + gen, ptmp kyber.Point, + stmp kyber.Scalar, + rand cipher.Stream, +) []kyber.Point { + pzero := g.Point().Null() last := gen for i := 0; i < 5; i++ { rgen := g.Point().Pick(rand) @@ -310,13 +288,10 @@ func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { points = append(points, rgen) } - // Test embedding data - testEmbed(t, g, rand, &points, "Hi!") - testEmbed(t, g, rand, &points, "The quick brown fox jumps over the lazy dog") - - // Test verifiable secret sharing + return points +} - // Test encoding and decoding +func testEncodingDecoding(t *testing.T, g kyber.Group, ptmp kyber.Point, stmp kyber.Scalar, rand cipher.Stream) { buf := new(bytes.Buffer) for i := 0; i < 5; i++ { buf.Reset() 
@@ -343,6 +318,73 @@ func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { t.Errorf("decoding produces different point than encoded") } } +} + +// Apply a generic set of validation tests to a cryptographic Group, +// using a given source of [pseudo-]randomness. +// +// Returns a log of the pseudorandom Points produced in the test, +// for comparison across alternative implementations +// that are supposed to be equivalent. +func testGroup(t *testing.T, g kyber.Group, rand cipher.Stream) []kyber.Point { + t.Logf("\nTesting group '%s': %d-byte Point, %d-byte Scalar\n", + g.String(), g.PointLen(), g.ScalarLen()) + + points := make([]kyber.Point, 0) + ptmp := g.Point() + stmp := g.Scalar() + pzero := g.Point().Null() + szero := g.Scalar().Zero() + sone := g.Scalar().One() + + // Do a simple Diffie-Hellman test + s1 := g.Scalar().Pick(rand) + s2 := g.Scalar().Pick(rand) + if s1.Equal(szero) { + t.Errorf("first secret is scalar zero %v", s1) + } + if s2.Equal(szero) { + t.Errorf("second secret is scalar zero %v", s2) + } + if s1.Equal(s2) { + t.Errorf("not getting unique secrets: picked %s twice", s1) + } + + gen := g.Point().Base() + points = append(points, gen) + + // Sanity-check relationship between addition and multiplication + points, dh1, p1, p2, primeOrder := testSanityCheck(t, points, g, stmp, s1, s2, gen, ptmp) + + // Test secret inverse to get from dh1 back to p1 + if primeOrder { + ptmp.Mul(g.Scalar().Inv(s2), dh1) + if !ptmp.Equal(p1) { + t.Errorf("Scalar inverse didn't work: %v != (-)%v (x) %v == %v", p1, s2, dh1, ptmp) + } + } + + // Zero and One identity secrets + if !ptmp.Mul(szero, dh1).Equal(pzero) { + t.Errorf("Encryption with secret=0 didn't work: %v (x) %v == %v != %v", szero, dh1, ptmp, pzero) + } + if !ptmp.Mul(sone, dh1).Equal(dh1) { + t.Errorf("Encryption with secret=1 didn't work: %v (x) %v == %v != %[2]v", sone, dh1, ptmp) + } + + // homomorphic identities + testHomomorphicIdentities(t, primeOrder, g, gen, ptmp, p1, 
p2, dh1, stmp, s1, s2) + + // Test randomly picked points + points = testRandomlyPickedPoint(t, primeOrder, points, g, gen, ptmp, stmp, rand) + + // Test embedding data + testEmbed(t, g, rand, &points, "Hi!") + testEmbed(t, g, rand, &points, "The quick brown fox jumps over the lazy dog") + + // Test verifiable secret sharing + // Test encoding and decoding + testEncodingDecoding(t, g, ptmp, stmp, rand) // Test that we can marshal/ unmarshal null point pzero = g.Point().Null() From f5fcf0e4d2f3f0ee73363915555036fba72e15e0 Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 21 Mar 2024 19:04:05 +0100 Subject: [PATCH 45/49] Fix new lint error shuffle --- shuffle/biffle_test.go | 5 ++--- shuffle/shuffle_test.go | 18 +++++++++--------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/shuffle/biffle_test.go b/shuffle/biffle_test.go index 26038d24d..a8c5716d0 100644 --- a/shuffle/biffle_test.go +++ b/shuffle/biffle_test.go @@ -9,13 +9,13 @@ import ( "go.dedis.ch/kyber/v3/xof/blake2xb" ) -func TestBiffle(t *testing.T) { +func TestBiffle(_ *testing.T) { rand := blake2xb.New(nil) s := edwards25519.NewBlakeSHA256Ed25519WithRand(rand) biffleTest(s, N) } -func TestInvalidBiffle(t *testing.T) { +func TestInvalidBiffle(_ *testing.T) { rand := blake2xb.New(nil) s := edwards25519.NewBlakeSHA256Ed25519WithRand(rand) biffleInvalidTest(s) @@ -44,7 +44,6 @@ func biffleTest(suite Suite, n int) { if err != nil { panic("Biffle proof failed: " + err.Error()) } - //fmt.Printf("proof:\n%s\n",hex.Dump(prf)) // Check it verifier := BiffleVerifier(suite, nil, h, X, Y, Xbar, Ybar) diff --git a/shuffle/shuffle_test.go b/shuffle/shuffle_test.go index 822f31e30..b80c37791 100644 --- a/shuffle/shuffle_test.go +++ b/shuffle/shuffle_test.go @@ -15,7 +15,7 @@ var k = 5 var NQ = 6 var N = 1 -func TestShufflePair(t *testing.T) { +func TestShufflePair(_ *testing.T) { s := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil)) pairShuffleTest(s, k, N) } 
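Review bot: In the rewritten `testGroup` the comment `// Test verifiable secret sharing` is now immediately followed by `// Test encoding and decoding` with no code between them; the section it once labelled does not exist in this function, so the stale line should be dropped rather than carried into the reorganised version. The helpers are also all threaded through the same scratch objects `ptmp` and `stmp`, so a helper's last write to them (for example `stmp.SetInt64(2)` in `testSanityCheck`) becomes an implicit input to the next call; if no callee relies on that, a sentence in the `testGroup` doc comment saying the scratch values carry no state between helpers, or having each helper allocate its own, would remove the doubt.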
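Review bot: Renaming `t` to `_` in `TestBiffle` and `TestInvalidBiffle` (and likewise `TestShufflePair` and `TestShuffleSequence` in shuffle_test.go) silences the unused-parameter lint but keeps the helpers failing through `panic`, as the `panic("Biffle proof failed: " + err.Error())` line in the `@@ -44` hunk shows; passing the test handle into `biffleTest` and reporting via `t.Fatalf("Biffle proof failed: %v", err)` would surface failures as ordinary test failures with file and line information. The signature would become `func biffleTest(t testing.TB, suite Suite, n int)` (`testing.TB` keeps it usable from a benchmark, which the "for benchmark purposes" comment in shuffle_test.go suggests may be the case), and the shuffle helpers would likely want the same treatment. The body of `biffleTest` lies mostly outside the hunks.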
@@ -25,7 +25,7 @@ func TestShuffleInvalidPair(t *testing.T) { pairInvalidShuffleTest(t, s, k) } -func TestShuffleSequence(t *testing.T) { +func TestShuffleSequence(_ *testing.T) { s := edwards25519.NewBlakeSHA256Ed25519WithRand(blake2xb.New(nil)) sequenceShuffleTest(s, k, NQ, N) } @@ -151,19 +151,19 @@ func generateAndEncryptRandomSequences( return X, Y } -func sequenceShuffleTest(suite Suite, k, NQ, N int) { +func sequenceShuffleTest(suite Suite, k, nq, n int) { rand := suite.RandomStream() h, c := setShuffleKeyPairs(rand, suite, k) X, Y := generateAndEncryptRandomSequences(rand, suite, h, c, k) // Repeat only the actual shuffle portion for benchmark purposes. - for i := 0; i < N; i++ { + for i := 0; i < n; i++ { // Do a key-shuffle XX, YY, getProver := SequencesShuffle(suite, nil, h, X, Y, rand) - e := make([]kyber.Scalar, NQ) - for j := 0; j < NQ; j++ { + e := make([]kyber.Scalar, nq) + for j := 0; j < nq; j++ { e[j] = suite.Scalar().Pick(suite.RandomStream()) } @@ -189,7 +189,7 @@ func sequenceShuffleTest(suite Suite, k, NQ, N int) { } } -func sequenceInvalidShuffleTest(t *testing.T, suite Suite, k, NQ int) { +func sequenceInvalidShuffleTest(t *testing.T, suite Suite, k, nq int) { rand := suite.RandomStream() h, c := setShuffleKeyPairs(rand, suite, k) X, Y := generateAndEncryptRandomSequences(rand, suite, h, c, k) @@ -200,8 +200,8 @@ func sequenceInvalidShuffleTest(t *testing.T, suite Suite, k, NQ int) { // Corrupt original inputs X[0][0], Y[0][0] = X[0][1], Y[0][1] - e := make([]kyber.Scalar, NQ) - for j := 0; j < NQ; j++ { + e := make([]kyber.Scalar, nq) + for j := 0; j < nq; j++ { e[j] = suite.Scalar().Pick(suite.RandomStream()) } From 67df27bc9a3458889d8930650d79c8a43bd52e8f Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 21 Mar 2024 19:04:18 +0100 Subject: [PATCH 46/49] Fix lint error encoding --- util/encoding/encoding_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/util/encoding/encoding_test.go b/util/encoding/encoding_test.go index 04e9a2388..b8f9d0344 100644 --- a/util/encoding/encoding_test.go +++ b/util/encoding/encoding_test.go @@ -73,7 +73,7 @@ type MockEmptyReader struct { func (m *MockFailingReader) Read(p []byte) (n int, err error) { return copy(p, m.data), io.EOF } -func (m *MockEmptyReader) Read(p []byte) (n int, err error) { +func (m *MockEmptyReader) Read(_ []byte) (n int, err error) { return 0, nil } From 798e66af9fb0e33110a3a4f2f1e1e4824d9b3943 Mon Sep 17 00:00:00 2001 From: lauener Date: Thu, 21 Mar 2024 19:06:36 +0100 Subject: [PATCH 47/49] Make initBasePoint() a method of curve25519 --- group/curve25519/curve.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group/curve25519/curve.go b/group/curve25519/curve.go index 873cff601..1fd859d4c 100644 --- a/group/curve25519/curve.go +++ b/group/curve25519/curve.go @@ -81,7 +81,7 @@ func (c *curve) NewKey(stream cipher.Stream) kyber.Scalar { return secret } -func initBasePoint(c *curve, self kyber.Group, p *Param, fullGroup bool, base point) { +func (c *curve) initBasePoint(self kyber.Group, p *Param, fullGroup bool, base point) { var bx, by *big.Int if fullGroup { bx, by = &p.FBX, &p.FBY @@ -153,7 +153,7 @@ func (c *curve) init(self kyber.Group, p *Param, fullGroup bool, null.initXY(zero, one, self) // Base point B - initBasePoint(c, self, p, fullGroup, base) + c.initBasePoint(self, p, fullGroup, base) // Sanity checks if !c.validPoint(null) { From 0adfea002f779b61c0a374347767b459bbc99764 Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 24 May 2024 11:35:47 +0200 Subject: [PATCH 48/49] Fix forgotten conflict --- sign/schnorr/schnorr.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sign/schnorr/schnorr.go b/sign/schnorr/schnorr.go index 7aaafa6fd..130890df4 100644 --- a/sign/schnorr/schnorr.go +++ b/sign/schnorr/schnorr.go 
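Review bot: The new method `initBasePoint` has no doc comment, and having both a receiver `c` and a `self kyber.Group` parameter is easy to misread; a short comment stating the role of each, e.g. `// initBasePoint sets base to the curve's base point, taken from p.FBX/p.FBY when fullGroup is set; self is the Group the point is initialised with (presumably the suite wrapping c — confirm).`, would help the next reader. The method body continues past the end of the hunk.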
@@ -118,7 +118,7 @@ func VerifyWithChecks(g kyber.Group, pub, msg, sig []byte) error { if s, ok := g.Scalar().(scalarCanCheckCanonical); ok && !s.IsCanonical(sig[pointSize:]) { return fmt.Errorf("signature is not canonical") } - if sub, ok := R.(kyber.SubGroupElement); ok && !sub.IsInCorrectGroup() { + if sub, ok := r.(kyber.SubGroupElement); ok && !sub.IsInCorrectGroup() { return fmt.Errorf("schnorr: point not in correct group") } if err := s.UnmarshalBinary(sig[pointSize:]); err != nil { From 7cd82b7ab111e90a510880531497d9bb2495e59a Mon Sep 17 00:00:00 2001 From: lauener Date: Fri, 24 May 2024 11:37:36 +0200 Subject: [PATCH 49/49] Add back golangci rules --- .golangci.yml | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 73e219015..e2a66021d 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -8,10 +8,6 @@ run: # This file contains only configs which differ from defaults. # All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml linters-settings: - staticcheck: - checks: - - all - - '-SA1019' # Ignore deprecated for now cyclop: # The maximal code complexity to report. # Default: 10 @@ -113,7 +109,7 @@ linters: - asciicheck # checks that your code does not contain non-ASCII identifiers - bidichk # checks for dangerous unicode character sequences - bodyclose # checks whether HTTP response body is closed successfully - - contextcheck # checks the function whether use a non-inherited context + #- contextcheck # checks the function whether use a non-inherited context # TODO: enable after golangci-lint uses https://github.com/sylvia7788/contextcheck/releases/tag/v1.0.7 - cyclop # checks function and package cyclomatic complexity - dupl # tool for code clone detection - durationcheck # checks for two durations multiplied together 
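Review bot: The corrected line `if sub, ok := r.(kyber.SubGroupElement); ok && !sub.IsInCorrectGroup()` sits in the signature-verification path, and a leftover `R` surviving here implies the package presumably did not build between the conflicting merge and this fix; a regression test that calls `VerifyWithChecks` with a non-canonical scalar encoding and with a point outside the prime-order subgroup, asserting both return an error, would keep these two checks exercised by CI. The new line also prefixes its message with `schnorr:` while the canonicality error two lines above does not; making them consistent (`fmt.Errorf("schnorr: signature is not canonical")`) helps callers that log or match on them. `VerifyWithChecks` begins and ends outside the hunk.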
@@ -167,7 +163,7 @@ linters: #- decorder # checks declaration order and count of types, constants, variables and functions #- exhaustruct # checks if all structure fields are initialized #- gci # controls golang package import order and makes it always deterministic - #- godox # detects FIXME, TODO and other comment keywords + - godox # detects FIXME, TODO and other comment keywords #- goheader # checks is file header matches to pattern - interfacebloat # checks the number of methods inside an interface #- ireturn # accept interfaces, return concrete types @@ -250,17 +246,3 @@ issues: - linters: - govet text: "shadow: declaration of \"err\" shadows declaration" - - path: ".*_decl.go" - - path: 'group.go' - linters: - - interfacebloat - - path: 'group/edwards25519/scalar.go' - linters: - - ineffassign - - funlen - - path: 'group/edwards25519/const.go' - linters: - - lll - - path: 'group/edwards25519/fe.go' - linters: - - funlen \ No newline at end of file