vecna
/
lox
mirror of https://gitlab.torproject.org/vecna/lox.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

The complete check blockage protocol

This commit is contained in:
Ian Goldberg 2021-05-05 16:28:56 -04:00
parent 27773123a3
commit 74bae2cf8e
5 changed files with 438 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
crates/lox-library/src/cred.rs
View File

@ -11,10 +11,10 @@ use curve25519_dalek::scalar::Scalar;
/// ///
/// This credential authorizes the holder of the Lox credential with the /// This credential authorizes the holder of the Lox credential with the
/// given id to switch from bucket from_bucket to bucket to_bucket. The /// given id to switch from bucket from_bucket to bucket to_bucket. The
/// mig_type attribute is 0 for trust upgrade migrations (moving from a /// migration_type attribute is 0 for trust upgrade migrations (moving
/// 1-bridge untrusted bucket to a 3-bridge trusted bucket) and 1 for /// from a 1-bridge untrusted bucket to a 3-bridge trusted bucket) and 1
/// blockage migrations (moving buckets because the from_bucket has been /// for blockage migrations (moving buckets because the from_bucket has
/// blocked). /// been blocked).
#[derive(Debug)] #[derive(Debug)]
pub struct Migration { pub struct Migration {
pub P: RistrettoPoint, pub P: RistrettoPoint,
@ -22,7 +22,7 @@ pub struct Migration {
pub lox_id: Scalar, pub lox_id: Scalar,
pub from_bucket: Scalar, pub from_bucket: Scalar,
pub to_bucket: Scalar, pub to_bucket: Scalar,
pub mig_type: Scalar, pub migration_type: Scalar,
} }
/// The main user credential in the Lox system. /// The main user credential in the Lox system.

1
crates/lox-library/src/lib.rs
View File

@ -536,6 +536,7 @@ pub fn pt_dbl(P: &RistrettoPoint) -> RistrettoPoint {
/// Response. It also adds a handle_* function to the BridgeAuth struct /// Response. It also adds a handle_* function to the BridgeAuth struct
/// that consumes a Request and produces a Result<Response, ProofError>. /// that consumes a Request and produces a Result<Response, ProofError>.
pub mod proto { pub mod proto {
pub mod check_blockage;
pub mod issue_invite; pub mod issue_invite;
pub mod level_up; pub mod level_up;
pub mod migration; pub mod migration;

12
crates/lox-library/src/migration_table.rs
View File

@ -79,7 +79,7 @@ pub fn encrypt_cred(
id: &Scalar, id: &Scalar,
from_bucket: &Scalar, from_bucket: &Scalar,
to_bucket: &Scalar, to_bucket: &Scalar,
mig_type: &Scalar, migration_type: &Scalar,
Pktable: &RistrettoBasepointTable, Pktable: &RistrettoBasepointTable,
migration_priv: &IssuerPrivKey, migration_priv: &IssuerPrivKey,
migrationkey_priv: &IssuerPrivKey, migrationkey_priv: &IssuerPrivKey,
@ -102,7 +102,7 @@ pub fn encrypt_cred(
+ migration_priv.x[1] * id + migration_priv.x[1] * id
+ migration_priv.x[2] * from_bucket + migration_priv.x[2] * from_bucket
+ migration_priv.x[3] * to_bucket + migration_priv.x[3] * to_bucket
+ migration_priv.x[4] * mig_type)) + migration_priv.x[4] * migration_type))
* Btable; * Btable;
// Serialize (to_bucket, P, Q) // Serialize (to_bucket, P, Q)
@ -150,7 +150,7 @@ pub fn encrypt_cred_ids(
id: &Scalar, id: &Scalar,
from_id: u32, from_id: u32,
to_id: u32, to_id: u32,
mig_type: &Scalar, migration_type: &Scalar,
bridgetable: &bridge_table::BridgeTable, bridgetable: &bridge_table::BridgeTable,
Pktable: &RistrettoBasepointTable, Pktable: &RistrettoBasepointTable,
migration_priv: &IssuerPrivKey, migration_priv: &IssuerPrivKey,
@ -163,7 +163,7 @@ pub fn encrypt_cred_ids(
id, id,
&bridge_table::to_scalar(from_id, fromkey), &bridge_table::to_scalar(from_id, fromkey),
&bridge_table::to_scalar(to_id, tokey), &bridge_table::to_scalar(to_id, tokey),
mig_type, migration_type,
Pktable, Pktable,
migration_priv, migration_priv,
migrationkey_priv, migrationkey_priv,
@ -216,7 +216,7 @@ pub fn decrypt_cred(
Qk: &RistrettoPoint, Qk: &RistrettoPoint,
lox_id: &Scalar, lox_id: &Scalar,
from_bucket: &Scalar, from_bucket: &Scalar,
mig_type: MigrationType, migration_type: MigrationType,
enc_migration_table: &HashMap<[u8; 16], [u8; ENC_MIGRATION_BYTES]>, enc_migration_table: &HashMap<[u8; 16], [u8; ENC_MIGRATION_BYTES]>,
) -> Option<Migration> { ) -> Option<Migration> {
// Compute the hash of (id, from_bucket, Qk) // Compute the hash of (id, from_bucket, Qk)
@ -256,6 +256,6 @@ pub fn decrypt_cred(
lox_id: *lox_id, lox_id: *lox_id,
from_bucket: *from_bucket, from_bucket: *from_bucket,
to_bucket, to_bucket,
mig_type: mig_type.into(), migration_type: migration_type.into(),
}) })
} }

355
crates/lox-library/src/proto/check_blockage.rs Normal file
View File

@ -0,0 +1,355 @@
/*! A module for the protocol for the user to check for the availability
of a migration credential they can use in order to move to a new bucket
if theirs has been blocked.
The user presents their current Lox credential:
- id: revealed
- bucket: blinded
- trust_level: revealed to be 3 or above
- level_since: blinded
- invites_remaining: blinded
- blockages: blinded
They are allowed to to this as long as they are level 3 or above. If
they have too many blockages (but are level 3 or above), they will be
allowed to perform this migration, but will not be able to advance to
level 3 in their new bucket, so this will be their last allowed
migration without rejoining the system either with a new invitation or
an open invitation.
They will receive in return the encrypted MAC (Pk, EncQk) for their
implicit Migration Key credential with attributes id and bucket,
along with a HashMap of encrypted Migration credentials. For each
(from_i, to_i) in the BA's migration list, there will be an entry in
the HashMap with key H1(id, from_attr_i, Qk_i) and value
Enc_{H2(id, from_attr_i, Qk_i)}(to_attr_i, P_i, Q_i). Here H1 and H2
are the first 16 bytes and the second 16 bytes respectively of the
SHA256 hash of the input, P_i and Q_i are a MAC on the Migration
credential with attributes id, from_attr_i, and to_attr_i. Qk_i is the
value EncQk would decrypt to if bucket were equal to from_attr_i. */
use curve25519_dalek::ristretto::RistrettoBasepointTable;
use curve25519_dalek::ristretto::RistrettoPoint;
use curve25519_dalek::scalar::Scalar;
use curve25519_dalek::traits::IsIdentity;
use zkp::CompactProof;
use zkp::ProofError;
use zkp::Transcript;
use std::collections::HashMap;
use super::super::cred;
use super::super::dup_filter::SeenType;
use super::super::migration_table;
use super::super::scalar_u32;
use super::super::{BridgeAuth, IssuerPubKey};
use super::super::{CMZ_A, CMZ_A_TABLE, CMZ_B, CMZ_B_TABLE};
/// The minimum trust level a Lox credential must have to be allowed to
/// perform this protocol.
pub const MIN_TRUST_LEVEL: u32 = 3;
pub struct Request {
// Fields for blind showing the Lox credential
P: RistrettoPoint,
id: Scalar,
CBucket: RistrettoPoint,
level: Scalar,
CSince: RistrettoPoint,
CInvRemain: RistrettoPoint,
CBlockages: RistrettoPoint,
CQ: RistrettoPoint,
// Fields for user blinding of the Migration Key credential
D: RistrettoPoint,
EncBucket: (RistrettoPoint, RistrettoPoint),
// The combined ZKP
piUser: CompactProof,
}
#[derive(Debug)]
pub struct State {
d: Scalar,
D: RistrettoPoint,
EncBucket: (RistrettoPoint, RistrettoPoint),
id: Scalar,
bucket: Scalar,
}
#[derive(Debug)]
pub struct Response {
// The encrypted MAC for the Migration Key credential
Pk: RistrettoPoint,
EncQk: (RistrettoPoint, RistrettoPoint),
// A table of encrypted Migration credentials; the encryption keys
// are formed from the possible values of Qk (the decrypted form of
// EncQk)
enc_migration_table: HashMap<[u8; 16], [u8; migration_table::ENC_MIGRATION_BYTES]>,
}
define_proof! {
requestproof,
"Check Blockage Request",
(bucket, since, invremain, blockages, zbucket, zsince, zinvremain,
zblockages, negzQ,
d, ebucket),
(P, CBucket, CSince, CInvRemain, CBlockages, V, Xbucket, Xsince,
Xinvremain, Xblockages,
D, EncBucket0, EncBucket1),
(A, B):
// Blind showing of the Lox credential
CBucket = (bucket*P + zbucket*A),
CSince = (since*P + zsince*A),
CInvRemain = (invremain*P + zinvremain*A),
CBlockages = (blockages*P + zblockages*A),
V = (zbucket*Xbucket + zsince*Xsince + zinvremain*Xinvremain
+ zblockages*Xblockages + negzQ*A),
// User blinding of the Migration Key credential
D = (d*B),
EncBucket0 = (ebucket*B),
EncBucket1 = (bucket*B + ebucket*D)
}
pub fn request(
lox_cred: &cred::Lox,
lox_pub: &IssuerPubKey,
) -> Result<(Request, State), ProofError> {
let A: &RistrettoPoint = &CMZ_A;
let B: &RistrettoPoint = &CMZ_B;
let Atable: &RistrettoBasepointTable = &CMZ_A_TABLE;
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
// Ensure the credential can be correctly shown: it must be the case
// that trust_level >= MIN_TRUST_LEVEL
let level: u32 = match scalar_u32(&lox_cred.trust_level) {
Some(v) => v,
None => return Err(ProofError::VerificationFailure),
};
if level < MIN_TRUST_LEVEL {
return Err(ProofError::VerificationFailure);
}
// Blind showing the Lox credential
// Reblind P and Q
let mut rng = rand::thread_rng();
let t = Scalar::random(&mut rng);
let P = t * lox_cred.P;
let Q = t * lox_cred.Q;
// Form Pedersen commitments to the blinded attributes
let zbucket = Scalar::random(&mut rng);
let zsince = Scalar::random(&mut rng);
let zinvremain = Scalar::random(&mut rng);
let zblockages = Scalar::random(&mut rng);
let CBucket = lox_cred.bucket * P + &zbucket * Atable;
let CSince = lox_cred.level_since * P + &zsince * Atable;
let CInvRemain = lox_cred.invites_remaining * P + &zinvremain * Atable;
let CBlockages = lox_cred.blockages * P + &zblockages * Atable;
// Form a Pedersen commitment to the MAC Q
// We flip the sign of zQ from that of the Hyphae paper so that
// the ZKP has a "+" instead of a "-", as that's what the zkp
// macro supports.
let negzQ = Scalar::random(&mut rng);
let CQ = Q - &negzQ * Atable;
// Compute the "error factor"
let V = zbucket * lox_pub.X[2]
+ zsince * lox_pub.X[4]
+ zinvremain * lox_pub.X[5]
+ zblockages * lox_pub.X[6]
+ &negzQ * Atable;
// User blinding the Migration Key credential
// Pick an ElGamal keypair
let d = Scalar::random(&mut rng);
let D = &d * Btable;
// Encrypt the attributes to be blinded (each times the
// basepoint B) to the public key we just created
let ebucket = Scalar::random(&mut rng);
let EncBucket = (&ebucket * Btable, &lox_cred.bucket * Btable + ebucket * D);
// Construct the proof
let mut transcript = Transcript::new(b"check blockage request");
let piUser = requestproof::prove_compact(
&mut transcript,
requestproof::ProveAssignments {
A: &A,
B: &B,
P: &P,
CBucket: &CBucket,
CSince: &CSince,
CInvRemain: &CInvRemain,
CBlockages: &CBlockages,
V: &V,
Xbucket: &lox_pub.X[2],
Xsince: &lox_pub.X[4],
Xinvremain: &lox_pub.X[5],
Xblockages: &lox_pub.X[6],
D: &D,
EncBucket0: &EncBucket.0,
EncBucket1: &EncBucket.1,
bucket: &lox_cred.bucket,
since: &lox_cred.level_since,
invremain: &lox_cred.invites_remaining,
blockages: &lox_cred.blockages,
zbucket: &zbucket,
zsince: &zsince,
zinvremain: &zinvremain,
zblockages: &zblockages,
negzQ: &negzQ,
d: &d,
ebucket: &ebucket,
},
)
.0;
Ok((
Request {
P,
id: lox_cred.id,
CBucket,
level: lox_cred.trust_level,
CSince,
CInvRemain,
CBlockages,
CQ,
D,
EncBucket,
piUser,
},
State {
d,
D,
EncBucket,
id: lox_cred.id,
bucket: lox_cred.bucket,
},
))
}
impl BridgeAuth {
/// Receive a check blockage request
pub fn handle_check_blockage(&mut self, req: Request) -> Result<Response, ProofError> {
let A: &RistrettoPoint = &CMZ_A;
let B: &RistrettoPoint = &CMZ_B;
let Btable: &RistrettoBasepointTable = &CMZ_B_TABLE;
let level: u32 = match scalar_u32(&req.level) {
Some(v) => v,
None => return Err(ProofError::VerificationFailure),
};
if req.P.is_identity() || level < MIN_TRUST_LEVEL {
return Err(ProofError::VerificationFailure);
}
// Recompute the "error factor" using knowledge of our own
// (the issuer's) private key instead of knowledge of the
// hidden attributes
let Vprime =
(self.lox_priv.x[0] + self.lox_priv.x[1] * req.id + self.lox_priv.x[3] * req.level)
* req.P
+ self.lox_priv.x[2] * req.CBucket
+ self.lox_priv.x[4] * req.CSince
+ self.lox_priv.x[5] * req.CInvRemain
+ self.lox_priv.x[6] * req.CBlockages
- req.CQ;
// Verify the ZKP
let mut transcript = Transcript::new(b"check blockage request");
requestproof::verify_compact(
&req.piUser,
&mut transcript,
requestproof::VerifyAssignments {
A: &A.compress(),
B: &B.compress(),
P: &req.P.compress(),
CBucket: &req.CBucket.compress(),
CSince: &req.CSince.compress(),
CInvRemain: &req.CInvRemain.compress(),
CBlockages: &req.CBlockages.compress(),
V: &Vprime.compress(),
Xbucket: &self.lox_pub.X[2].compress(),
Xsince: &self.lox_pub.X[4].compress(),
Xinvremain: &self.lox_pub.X[5].compress(),
Xblockages: &self.lox_pub.X[6].compress(),
D: &req.D.compress(),
EncBucket0: &req.EncBucket.0.compress(),
EncBucket1: &req.EncBucket.1.compress(),
},
)?;
// Ensure the id has not been seen before in the general id
// filter, but do not add it, so that the user can potentially
// run this protocol multiple times.
if self.id_filter.check(&req.id) == SeenType::Seen {
return Err(ProofError::VerificationFailure);
}
// Compute the encrypted MAC (Pk, EncQk) for the Migration Key
// credential.
// Compute the MAC on the visible attributes
let mut rng = rand::thread_rng();
let b = Scalar::random(&mut rng);
let Pk = &b * Btable;
let Pktable = RistrettoBasepointTable::create(&Pk);
let Qid = &(self.migrationkey_priv.x[0] + self.migrationkey_priv.x[1] * req.id) * &Pktable;
// El Gamal encrypt it to the public key req.D
let s = Scalar::random(&mut rng);
let EncQkid = (&s * Btable, Qid + s * req.D);
// Homomorphically compute the part of the MAC corresponding to
// the blinded attributes
let tbucket = self.migrationkey_priv.x[2] * b;
let EncQkBucket = (tbucket * req.EncBucket.0, tbucket * req.EncBucket.1);
let EncQk = (EncQkid.0 + EncQkBucket.0, EncQkid.1 + EncQkBucket.1);
Ok(Response {
Pk,
EncQk,
enc_migration_table: self.blockage_migration_table.encrypt_table(
&req.id,
&self.bridge_table,
&Pktable,
&self.migration_priv,
&self.migrationkey_priv,
),
})
}
}
/// Handle the response to the request, producing a Migration credential
/// if successful.
///
/// The Migration credential can then be used in the migration protocol
/// to actually change buckets
pub fn handle_response(state: State, resp: Response) -> Result<cred::Migration, ProofError> {
if resp.Pk.is_identity() {
return Err(ProofError::VerificationFailure);
}
// Decrypt the MAC on the Migration Key credential
let Qk = resp.EncQk.1 - (state.d * resp.EncQk.0);
// Use Qk to locate and decrypt the Migration credential
match migration_table::decrypt_cred(
&Qk,
&state.id,
&state.bucket,
migration_table::MigrationType::Blockage,
&resp.enc_migration_table,
) {
Some(m) => Ok(m),
None => Err(ProofError::VerificationFailure),
}
}

71
crates/lox-library/src/tests.rs
View File

@ -120,6 +120,12 @@ impl TestHarness {
let resp = self.ba.handle_redeem_invite(req).unwrap(); let resp = self.ba.handle_redeem_invite(req).unwrap();
redeem_invite::handle_response(state, resp, &self.ba.lox_pub).unwrap() redeem_invite::handle_response(state, resp, &self.ba.lox_pub).unwrap()
} }
fn check_blockage(&mut self, cred: &cred::Lox) -> cred::Migration {
let (req, state) = check_blockage::request(&cred, &self.ba.lox_pub).unwrap();
let resp = self.ba.handle_check_blockage(req).unwrap();
check_blockage::handle_response(state, resp).unwrap()
}
} }
#[test] #[test]
@ -350,3 +356,68 @@ fn test_mark_unreachable() {
println!("bmig = {:?}", th.ba.blockage_migration_table.table); println!("bmig = {:?}", th.ba.blockage_migration_table.table);
println!("openinv = {:?}\n", th.bdb.openinv_buckets); println!("openinv = {:?}\n", th.bdb.openinv_buckets);
} }
#[test]
fn test_check_blockage() {
let mut th = TestHarness::new();
// Join an untrusted user
let cred = th.open_invite();
// Time passes
th.advance_days(47);
// Go up to level 1
let migcred = th.trust_promotion(&cred);
let cred1 = th.level0_migration(&cred, &migcred);
assert!(scalar_u32(&cred1.trust_level).unwrap() == 1);
// Time passes
th.advance_days(20);
// Go up to level 2
let cred2 = th.level_up(&cred1);
assert!(scalar_u32(&cred2.trust_level).unwrap() == 2);
println!("cred2 = {:?}", cred2);
assert!(th.ba.verify_lox(&cred2));
// Time passes
th.advance_days(29);
// Go up to level 3
let cred3 = th.level_up(&cred2);
assert!(scalar_u32(&cred3.trust_level).unwrap() == 3);
println!("cred3 = {:?}", cred3);
assert!(th.ba.verify_lox(&cred3));
// Get our bridges
let (id, key) = bridge_table::from_scalar(cred3.bucket).unwrap();
let encbuckets = th.ba.enc_bridge_table();
let bucket =
bridge_table::BridgeTable::decrypt_bucket(id, &key, &encbuckets[id as usize]).unwrap();
// We should have a Bridge Reachability credential
assert!(bucket.1.is_some());
// Oh, no! Two of our bridges are blocked!
th.ba.bridge_unreachable(&bucket.0[0], &mut th.bdb);
th.ba.bridge_unreachable(&bucket.0[2], &mut th.bdb);
println!("spares = {:?}", th.ba.bridge_table.spares);
println!("tmig = {:?}", th.ba.trustup_migration_table.table);
println!("bmig = {:?}", th.ba.blockage_migration_table.table);
println!("openinv = {:?}\n", th.bdb.openinv_buckets);
// Time passes
th.advance_days(1);
let encbuckets2 = th.ba.enc_bridge_table();
let bucket2 =
bridge_table::BridgeTable::decrypt_bucket(id, &key, &encbuckets2[id as usize]).unwrap();
// We should no longer have a Bridge Reachability credential
assert!(bucket2.1.is_none());
// See about getting a Migration credential for the blockage
let migration = th.check_blockage(&cred3);
println!("migration = {:?}", migration);
}