NextGraph
/
threshold_crypto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #28 from poanetwork/try-prefixed-constructors

Browse Source 
Added 'try_' constructors to secret types.
master
Vladimir Komendantskiy 7 years ago committed by GitHub
parent f7d9c26b9a 72d1c607f8
commit a2fa8a4b8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 390 additions and 181 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 6
      benches/bench.rs
  2. 4
      examples/threshold_enc.rs
  3. 4
      examples/threshold_sig.rs
  4. 293
      src/lib.rs
  5. 264
      src/poly.rs

6
benches/bench.rs
Unescape View File

@ -19,8 +19,8 @@ mod poly_benches {
"Polynomial multiplication",
move |b, &&deg| {
let rand_factors = || {
let lhs = Poly::random(deg, &mut rng).unwrap();
let rhs = Poly::random(deg, &mut rng).unwrap();
let lhs = Poly::random(deg, &mut rng);
let rhs = Poly::random(deg, &mut rng);
(lhs, rhs)
};
b.iter_with_setup(rand_factors, |(lhs, rhs)| &lhs * &rhs)
@ -36,7 +36,7 @@ mod poly_benches {
"Polynomial interpolation",
move |b, &&deg| {
let rand_samples = || (0..=deg).map(|i| (i, rng.gen::<Fr>())).collect::<Vec<_>>();
b.iter_with_setup(rand_samples, |samples| Poly::interpolate(samples).unwrap())
b.iter_with_setup(rand_samples, Poly::interpolate)
},
&[5, 10, 20, 40],
);

4
examples/threshold_enc.rs
Unescape View File

@ -27,12 +27,12 @@ impl SecretSociety {
// decrypt a message must exceed this `threshold`.
fn new(n_actors: usize, threshold: usize) -> Self {
let mut rng = rand::thread_rng();
let sk_set = SecretKeySet::random(threshold, &mut rng).unwrap();
let sk_set = SecretKeySet::random(threshold, &mut rng);
let pk_set = sk_set.public_keys();
let actors = (0..n_actors)
.map(|id| {
let sk_share = sk_set.secret_key_share(id).unwrap();
let sk_share = sk_set.secret_key_share(id);
let pk_share = pk_set.public_key_share(id);
Actor::new(id, sk_share, pk_share)
}).collect();

4
examples/threshold_sig.rs
Unescape View File

@ -45,12 +45,12 @@ impl ChatNetwork {
// before it can be added to the `chat_log`.
fn new(n_nodes: usize, threshold: usize) -> Self {
let mut rng = rand::thread_rng();
let sk_set = SecretKeySet::random(threshold, &mut rng).unwrap();
let sk_set = SecretKeySet::random(threshold, &mut rng);
let pk_set = sk_set.public_keys();
let nodes = (0..n_nodes)
.map(|id| {
let sk_share = sk_set.secret_key_share(id).unwrap();
let sk_share = sk_set.secret_key_share(id);
let pk_share = pk_set.public_key_share(id);
Node::new(id, sk_share, pk_share)
}).collect();

293
src/lib.rs
Unescape View File

@ -31,8 +31,8 @@ pub mod serde_impl;
use std::env;
use std::fmt;
use std::hash::{Hash, Hasher};
use std::mem::size_of_val;
use std::ptr::{copy_nonoverlapping, write_volatile};
use std::mem::{size_of, size_of_val};
use std::ptr::copy_nonoverlapping;
use byteorder::{BigEndian, ByteOrder};
use errno::errno;
@ -62,6 +62,14 @@ lazy_static! {
Ok(s) => s.parse().unwrap_or(true),
_ => true,
};
// The size in bytes of a single `Fr` field element.
static ref FR_SIZE: usize = size_of::<Fr>();
}
// Overwrites a single field element with zeros.
pub(crate) fn clear_fr(fr_ptr: *mut u8) {
unsafe { memzero(fr_ptr, *FR_SIZE) };
}
/// Marks a type as containing one or more secret prime field elements.
@ -256,55 +264,50 @@ pub struct SecretKey(Box<Fr>);
///
/// # Panics
///
/// Panics if we have hit the system's locked memory limit when `mlock`ing the new instance of
/// `SecretKey`.`
/// Panics if we have reached the system's locked memory limit when locking the secret field
/// element in RAM.
impl Default for SecretKey {
fn default() -> Self {
let mut fr = Fr::zero();
match SecretKey::from_mut_ptr(&mut fr as *mut Fr) {
Ok(sk) => sk,
Err(e) => panic!("Failed to create default `SecretKey`: {}", e),
}
SecretKey::try_from_mut(&mut fr)
.unwrap_or_else(|e| panic!("Failed to create default `SecretKey`: {}", e))
}
}
/// Creates a random `SecretKey`.
/// Creates a random `SecretKey` from a given RNG. If you do not need to specify your own RNG, you
/// should use `SecretKey::random()` or `SecretKey::try_random()` as your constructor instead.
///
/// # Panics
///
/// Panics if we have hit the system's locked memory limit when `mlock`ing the new instance of
/// `SecretKey`.
/// Panics if we have reached the system's locked memory limit when locking the secret field
/// element in RAM.
impl Rand for SecretKey {
fn rand<R: Rng>(rng: &mut R) -> Self {
let mut fr = Fr::rand(rng);
match SecretKey::from_mut_ptr(&mut fr as *mut Fr) {
Ok(sk) => sk,
Err(e) => panic!("Failed to create random `SecretKey`: {}", e),
}
SecretKey::try_from_mut(&mut fr)
.unwrap_or_else(|e| panic!("Failed to create random `SecretKey`: {}", e))
}
}
/// Creates a new `SecretKey` by cloning another key's prime field element.
/// Creates a new `SecretKey` by cloning another `SecretKey`'s prime field element.
///
/// # Panics
///
/// Panics if we have hit the system's locked memory limit when `mlock`ing the new instance of
/// `SecretKey`.
/// Panics if we have reached the system's locked memory limit when locking the secret field
/// element into RAM.
impl Clone for SecretKey {
fn clone(&self) -> Self {
let mut fr = *self.0;
match SecretKey::from_mut_ptr(&mut fr as *mut Fr) {
Ok(sk) => sk,
Err(e) => panic!("Failed to clone a new `SecretKey`: {}", e),
}
SecretKey::try_from_mut(&mut fr)
.unwrap_or_else(|e| panic!("Failed to clone `SecretKey`: {}", e))
}
}
// A volatile overwrite of the prime field element's memory.
// Zeroes out and unlocks the memory allocated from the `SecretKey`'s field element.
//
// # Panics
//
// Panics if we were unable to `munlock` the prime field element memory after it has been cleared.
// Panics if we fail to unlock the memory containing the field element.
impl Drop for SecretKey {
fn drop(&mut self) {
self.zero_secret_memory();
@ -362,52 +365,100 @@ impl ContainsSecret for SecretKey {
fn zero_secret_memory(&self) {
let ptr = &*self.0 as *const Fr as *mut u8;
let n_bytes = size_of_val(&*self.0);
unsafe {
memzero(ptr, n_bytes);
}
clear_fr(ptr);
}
}
impl SecretKey {
/// Creates a new `SecretKey` given a mutable raw pointer to a prime
/// field element. This constructor takes a pointer to avoid any
/// unnecessary stack copying/moving of secrets. The field element will
/// be copied bytewise onto the heap, the resulting `Box` is then
/// stored in the `SecretKey`.
/// Creates a new `SecretKey` from a mutable reference to a field element. This constructor
/// takes a reference to avoid any unnecessary stack copying/moving of secrets (i.e. the field
/// element). The field element is copied bytewise onto the heap, the resulting `Box` is
/// stored in the returned `SecretKey`.
///
/// This constructor is identical to `SecretKey::try_from_mut()` in every way except that this
/// constructor will panic if locking memory into RAM fails, whereas
/// `SecretKey::try_from_mut()` returns an `Err`.
///
/// *WARNING* this constructor will overwrite the pointed to `Fr` element
/// with zeros after it has been copied onto the heap.
/// *WARNING* this constructor will overwrite the referenced `Fr` element with zeros after it
/// has been copied onto the heap.
///
/// # Panics
///
/// Panics if we reach the system's locked memory limit when locking the secret field element
/// into RAM.
pub fn from_mut(fr: &mut Fr) -> Self {
SecretKey::try_from_mut(fr)
.unwrap_or_else(|e| panic!("Falied to create `SecretKey`: {}", e))
}
/// Creates a new `SecretKey` from a mutable reference to a field element. This constructor
/// takes a reference to avoid any unnecessary stack copying/moving of secrets (i.e. the field
/// element). The field element is copied bytewise onto the heap, the resulting `Box` is
/// stored in the returned `SecretKey`.
///
/// This constructor is identical to `SecretKey::from_mut()` in every way except that this
/// constructor will return an `Err` if locking memory into RAM fails, whereas
/// `SecretKey::from_mut()` will panic.
///
/// *WARNING* this constructor will overwrite the referenced `Fr` element with zeros after it
/// has been copied onto the heap.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's
/// locked memory limit.
#[cfg_attr(feature = "cargo-clippy", allow(not_unsafe_ptr_arg_deref))]
pub fn from_mut_ptr(fr_ptr: *mut Fr) -> Result<Self> {
/// Returns an `Error::MlockFailed` if we reached the system's locked memory limit when locking
/// the secret field element into RAM.
pub fn try_from_mut(fr: &mut Fr) -> Result<Self> {
let fr_ptr = fr as *mut Fr;
let mut boxed_fr = Box::new(Fr::zero());
unsafe {
copy_nonoverlapping(fr_ptr, &mut *boxed_fr as *mut Fr, 1);
write_volatile(fr_ptr, Fr::zero());
}
clear_fr(fr_ptr as *mut u8);
let sk = SecretKey(boxed_fr);
sk.mlock_secret_memory()?;
Ok(sk)
}
/// Creates a new random instance of `SecretKey`. This is used
/// as a wrapper around: `let sk: SecretKey = rand::random();`.
/// Creates a new random instance of `SecretKey`. If you want to use/define your own random
/// number generator, you should use the constructor: `SecretKey::rand()`. If you do not need
/// to specify your own RNG, you should use the `SecretKey::random()` and
/// `SecretKey::try_random()` constructors, which use
/// [`rand::thead_rng()`](https://docs.rs/rand/0.4.3/rand/fn.thread_rng.html) internally as
/// their RNG.
///
/// This constructor panics if it is unable to lock `SecretKey` memory into RAM, otherwise it
/// is identical to the constructor: `SecretKey::try_random()` (which instead of panicing
/// returns an `Err`).
///
/// # Panics
///
/// Panics if we have hit the system's locked memory limit when
/// `mlock`ing the new instance of `SecretKey`.
/// Panics if we have hit the system's locked memory limit when `mlock`ing the new instance of
/// `SecretKey`.
pub fn random() -> Self {
use rand::thread_rng;
let mut rng = thread_rng();
let mut rng = rand::thread_rng();
SecretKey::rand(&mut rng)
}
/// Creates a new random instance of `SecretKey`. If you want to use/define your own random
/// number generator, you should use the constructor: `SecretKey::rand()`. If you do not need
/// to specify your own RNG, you should use the `SecretKey::random()` and
/// `SecretKey::try_random()` constructors, which use
/// [`rand::thead_rng()`](https://docs.rs/rand/0.4.3/rand/fn.thread_rng.html) internally as
/// their RNG.
///
/// This constructor returns an `Err` if it is unable to lock `SecretKey` memory into RAM,
/// otherwise it is identical to the constructor: `SecretKey::random()` (which will panic
/// instead of returning an `Err`).
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn try_random() -> Result<Self> {
let mut rng = rand::thread_rng();
let mut fr = Fr::rand(&mut rng);
SecretKey::try_from_mut(&mut fr)
}
/// Returns the matching public key.
pub fn public_key(&self) -> PublicKey {
PublicKey(G1Affine::one().mul(*self.0))
@ -454,21 +505,48 @@ impl fmt::Debug for SecretKeyShare {
}
impl SecretKeyShare {
/// Creates a secret key share from an existing value. This constructor
/// takes a pointer to avoid any unnecessary stack copying/moving of
/// secrets. The field element will be copied bytewise onto the heap,
/// the resulting `Box` is then stored in the `SecretKey` which is then
/// wrapped in a `SecretKeyShare`.
/// Creates a new `SecretKeyShare` from a mutable reference to a field element. This
/// constructor takes a reference to avoid any unnecessary stack copying/moving of secrets
/// field elements. The field element will be copied bytewise onto the heap, the resulting
/// `Box` is stored in the `SecretKey` which is then wrapped in a `SecretKeyShare`.
///
/// *WARNING* this constructor will overwrite the pointed to `Fr` element
/// with zeros once it has been copied into a new `SecretKeyShare`.
/// This constructor is identical to `SecretKeyShare::try_from_mut()` in every way except that
/// this constructor will panic if locking memory into RAM fails, whereas
/// `SecretKeyShare::try_from_mut()` will return an `Err`.
///
/// *WARNING* this constructor will overwrite the pointed to `Fr` element with zeros once it
/// has been copied into a new `SecretKeyShare`.
///
/// # Panics
///
/// Panics if we reach the systems locked memory limit.
pub fn from_mut(fr: &mut Fr) -> Self {
match SecretKey::try_from_mut(fr) {
Ok(sk) => SecretKeyShare(sk),
Err(e) => panic!(
"Failed to create `SecretKeyShare` from field element: {}",
e
),
}
}
/// Creates a new `SecretKeyShare` from a mutable reference to a field element. This
/// constructor takes a reference to avoid any unnecessary stack copying/moving of secrets
/// field elements. The field element will be copied bytewise onto the heap, the resulting
/// `Box` is stored in the `SecretKey` which is then wrapped in a `SecretKeyShare`.
///
/// This constructor is identical to `SecretKeyShare::from_mut()` in every way except that this
/// constructor will return an `Err` if locking memory into RAM fails, whereas
/// `SecretKeyShare::from_mut()` will panic.
///
/// *WARNING* this constructor will overwrite the pointed to `Fr` element with zeros once it
/// has been copied into a new `SecretKeyShare`.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's
/// locked memory limit.
pub fn from_mut_ptr(fr_ptr: *mut Fr) -> Result<Self> {
SecretKey::from_mut_ptr(fr_ptr).map(SecretKeyShare)
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn try_from_mut(fr: &mut Fr) -> Result<Self> {
SecretKey::try_from_mut(fr).map(SecretKeyShare)
}
/// Returns the matching public key share.
@ -621,10 +699,26 @@ impl From<Poly> for SecretKeySet {
impl SecretKeySet {
/// Creates a set of secret key shares, where any `threshold + 1` of them can collaboratively
/// sign and decrypt.
pub fn random<R: Rng>(threshold: usize, rng: &mut R) -> Result<Self> {
let poly = Poly::random(threshold, rng)?;
Ok(SecretKeySet { poly })
/// sign and decrypt. This constuctor is identical to the `SecretKey::try_random()` in every
/// way except that this constructor panics if locking secret values into RAM fails.
///
/// # Panics
///
/// Panics if we reach the system's locked memory limit.
pub fn random<R: Rng>(threshold: usize, rng: &mut R) -> Self {
SecretKeySet::try_random(threshold, rng)
.unwrap_or_else(|e| panic!("Failed to create random `SecretKeySet`: {}", e))
}
/// Creates a set of secret key shares, where any `threshold + 1` of them can collaboratively
/// sign and decrypt. This constuctor is identical to the `SecretKey::random()` in every
/// way except that this constructor return an `Err` if locking secret values into RAM fails.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn try_random<R: Rng>(threshold: usize, rng: &mut R) -> Result<Self> {
Poly::try_random(threshold, rng).map(SecretKeySet::from)
}
/// Returns the threshold `t`: any set of `t + 1` signature shares can be combined into a full
@ -633,10 +727,30 @@ impl SecretKeySet {
self.poly.degree()
}
/// Returns the `i`-th secret key share.
pub fn secret_key_share<T: IntoFr>(&self, i: T) -> Result<SecretKeyShare> {
/// Returns the `i`-th secret key share. This method is identical to the
/// `.try_secret_key_share()` in every way except that this method panics if
/// locking secret values into memory fails, whereas `.try_secret_key_share()`
/// returns an `Err`.
///
/// # Panics
///
/// Panics if we reach the system's locked memory limit.
pub fn secret_key_share<T: IntoFr>(&self, i: T) -> SecretKeyShare {
self.try_secret_key_share(i)
.unwrap_or_else(|e| panic!("Failed to create `SecretKeyShare`: {}", e))
}
/// Returns the `i`-th secret key share. This method is identical to the method
/// `.secret_key_share()` in every way except that this method returns an `Err` if
/// locking secret values into memory fails, whereas `.secret_key_share()` will
/// panic.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn try_secret_key_share<T: IntoFr>(&self, i: T) -> Result<SecretKeyShare> {
let mut fr = self.poly.evaluate(into_fr_plus_1(i));
SecretKeyShare::from_mut_ptr(&mut fr as *mut Fr)
SecretKeyShare::try_from_mut(&mut fr)
}
/// Returns the corresponding public key set. That information can be shared publicly.
@ -646,11 +760,16 @@ impl SecretKeySet {
}
}
/// Returns the secret master key.
/// Returns the secret master key. Panics if mlocking fails.
///
/// # Panics
///
/// Panics if we have hit the system's locked memory limit when `mlock`ing the new instance of
/// `SecretKey`.
#[cfg(test)]
fn secret_key(&self) -> Result<SecretKey> {
fn secret_key(&self) -> SecretKey {
let mut fr = self.poly.evaluate(0);
SecretKey::from_mut_ptr(&mut fr as *mut Fr)
SecretKey::from_mut(&mut fr)
}
}
@ -757,7 +876,7 @@ mod tests {
#[test]
fn test_threshold_sig() {
let mut rng = rand::thread_rng();
let sk_set = SecretKeySet::random(3, &mut rng).expect("Failed to create `SecretKeySet`");
let sk_set = SecretKeySet::random(3, &mut rng);
let pk_set = sk_set.public_keys();
let pk_master = pk_set.public_key();
@ -767,21 +886,10 @@ mod tests {
assert_ne!(pk_master, pk_set.public_key_share(2).0);
// Make sure we don't hand out the main secret key to anyone.
let sk_master = sk_set
.secret_key()
.expect("Failed to create master `SecretKey`");
let sk_share_0 = sk_set
.secret_key_share(0)
.expect("Failed to create first `SecretKeyShare`")
.0;
let sk_share_1 = sk_set
.secret_key_share(1)
.expect("Failed to create second `SecretKeyShare`")
.0;
let sk_share_2 = sk_set
.secret_key_share(2)
.expect("Failed to create third `SecretKeyShare`")
.0;
let sk_master = sk_set.secret_key();
let sk_share_0 = sk_set.secret_key_share(0).0;
let sk_share_1 = sk_set.secret_key_share(1).0;
let sk_share_2 = sk_set.secret_key_share(2).0;
assert_ne!(sk_master, sk_share_0);
assert_ne!(sk_master, sk_share_1);
assert_ne!(sk_master, sk_share_2);
@ -792,10 +900,7 @@ mod tests {
let sigs: BTreeMap<_, _> = [5, 8, 7, 10]
.iter()
.map(|&i| {
let sig = sk_set
.secret_key_share(i)
.unwrap_or_else(|_| panic!("Failed to create `SecretKeyShare` #{}", i))
.sign(msg);
let sig = sk_set.secret_key_share(i).sign(msg);
(i, sig)
}).collect();
@ -812,10 +917,7 @@ mod tests {
let sigs2: BTreeMap<_, _> = [42, 43, 44, 45]
.iter()
.map(|&i| {
let sig = sk_set
.secret_key_share(i)
.unwrap_or_else(|_| panic!("Failed to create `SecretKeyShare` #{}", i))
.sign(msg);
let sig = sk_set.secret_key_share(i).sign(msg);
(i, sig)
}).collect();
let sig2 = pk_set.combine_signatures(&sigs2).expect("signatures match");
@ -832,11 +934,11 @@ mod tests {
assert!(ciphertext.verify());
// Bob can decrypt the message.
let decrypted = sk_bob.decrypt(&ciphertext).expect("valid ciphertext");
let decrypted = sk_bob.decrypt(&ciphertext).expect("invalid ciphertext");
assert_eq!(msg[..], decrypted[..]);
// Eve can't.
let decrypted_eve = sk_eve.decrypt(&ciphertext).expect("valid ciphertext");
let decrypted_eve = sk_eve.decrypt(&ciphertext).expect("invalid ciphertext");
assert_ne!(msg[..], decrypted_eve[..]);
// Eve tries to trick Bob into decrypting `msg` xor `v`, but it doesn't validate.
@ -849,7 +951,7 @@ mod tests {
#[test]
fn test_threshold_enc() {
let mut rng = rand::thread_rng();
let sk_set = SecretKeySet::random(3, &mut rng).expect("Failed to create to `SecretKeySet`");
let sk_set = SecretKeySet::random(3, &mut rng);
let pk_set = sk_set.public_keys();
let msg = b"Totally real news";
let ciphertext = pk_set.public_key().encrypt(&msg[..]);
@ -860,9 +962,8 @@ mod tests {
.map(|&i| {
let dec_share = sk_set
.secret_key_share(i)
.unwrap_or_else(|_| panic!("Failed to create `SecretKeyShare` #{}", i))
.decrypt_share(&ciphertext)
.expect("ciphertext is valid");
.expect("ciphertext is invalid");
(i, dec_share)
}).collect();

264
src/poly.rs
Unescape View File

@ -19,7 +19,7 @@
use std::borrow::Borrow;
use std::fmt::{self, Debug, Formatter};
use std::hash::{Hash, Hasher};
use std::mem::{size_of, size_of_val};
use std::mem::size_of_val;
use std::{cmp, iter, ops};
use errno::errno;
@ -28,7 +28,7 @@ use pairing::bls12_381::{Fr, G1Affine, G1};
use pairing::{CurveAffine, CurveProjective, Field};
use rand::Rng;
use super::{ContainsSecret, Error, IntoFr, Result, SHOULD_MLOCK_SECRETS};
use super::{clear_fr, ContainsSecret, Error, IntoFr, Result, FR_SIZE, SHOULD_MLOCK_SECRETS};
/// A univariate polynomial in the prime field.
#[derive(Serialize, Deserialize, PartialEq, Eq)]
@ -46,10 +46,8 @@ pub struct Poly {
/// `Poly`.
impl Clone for Poly {
fn clone(&self) -> Self {
match Poly::new(self.coeff.clone()) {
Ok(poly) => poly,
Err(e) => panic!("Failed to clone `Poly`: {}", e),
}
Poly::try_from(self.coeff.clone())
.unwrap_or_else(|e| panic!("Failed to clone `Poly`: {}", e))
}
}
@ -213,7 +211,7 @@ impl<'a, B: Borrow<Poly>> ops::Mul<B> for &'a Poly {
fn mul(self, rhs: B) -> Self::Output {
let rhs = rhs.borrow();
if rhs.coeff.is_empty() || self.coeff.is_empty() {
return Poly::zero().expect("failed to create zero Poly");
return Poly::zero();
}
let mut coeff = vec![Fr::zero(); self.coeff.len() + rhs.borrow().coeff.len() - 1];
let mut s; // TODO: Mlock and zero on drop.
@ -224,9 +222,8 @@ impl<'a, B: Borrow<Poly>> ops::Mul<B> for &'a Poly {
coeff[i + j].add_assign(&s);
}
}
Poly::new(coeff).unwrap_or_else(|e| {
panic!("Failed to create a new `Poly` during muliplication: {}", e);
})
Poly::try_from(coeff)
.unwrap_or_else(|e| panic!("Failed to create a new `Poly` during muliplication: {}", e))
}
}
@ -247,7 +244,7 @@ impl<B: Borrow<Self>> ops::MulAssign<B> for Poly {
impl ops::MulAssign<Fr> for Poly {
fn mul_assign(&mut self, rhs: Fr) {
if rhs.is_zero() {
*self = Poly::zero().expect("failed to create zero Poly");
*self = Poly::zero();
} else {
for c in &mut self.coeff {
c.mul_assign(&rhs);
@ -322,6 +319,19 @@ impl Drop for Poly {
}
}
/// Creates a new `Poly` instance from a vector of prime field elements representing the
/// coefficients of the polynomial. We lock the region of the heap where the polynomial
/// coefficients are allocated.
///
/// # Panics
///
/// Panics if we have reached the system's locked memory limit.
impl From<Vec<Fr>> for Poly {
fn from(coeffs: Vec<Fr>) -> Self {
Poly::try_from(coeffs).unwrap_or_else(|e| panic!("Failed to create `Poly`: {}", e))
}
}
impl ContainsSecret for Poly {
fn mlock_secret_memory(&self) -> Result<()> {
if !*SHOULD_MLOCK_SECRETS {
@ -378,80 +388,167 @@ impl ContainsSecret for Poly {
impl Poly {
/// Creates a new `Poly` instance from a vector of prime field elements representing the
/// coefficients of the polynomial. The `mlock` system call is applied to the region of the
/// heap where the field elements are allocated.
/// coefficients of the polynomial. We lock the region of the heap where the polynomial
/// coefficients are allocated.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn new(coeff: Vec<Fr>) -> Result<Self> {
pub fn try_from(coeff: Vec<Fr>) -> Result<Self> {
let poly = Poly { coeff };
poly.mlock_secret_memory()?;
Ok(poly)
}
/// Creates a random polynomial.
/// Creates a random polynomial. This constructor is identical to the `Poly::try_random()`
/// constructor in every way except that this constructor will panic if locking the polynomial
/// coefficients into RAM fails.
///
/// # Panics
///
/// Panics if we have reached the system's locked memory limit.
pub fn random<R: Rng>(degree: usize, rng: &mut R) -> Self {
Poly::try_random(degree, rng)
.unwrap_or_else(|e| panic!("Failed to create random `Poly`: {}", e))
}
/// Creates a random polynomial. This constructor is identical to the `Poly::random()`
/// constructor in every way except that this constructor will return an `Err` if locking the
/// polynomial coefficients into RAM fails.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn random<R: Rng>(degree: usize, rng: &mut R) -> Result<Self> {
pub fn try_random<R: Rng>(degree: usize, rng: &mut R) -> Result<Self> {
let coeff: Vec<Fr> = (0..=degree).map(|_| rng.gen()).collect();
Poly::new(coeff)
Poly::try_from(coeff)
}
/// Returns the polynomial with constant value `0`.
///
/// # Errors
/// This constructor does not return a `Result` because the polynomial's `coeff` vector is
/// empty, which does not require memory locking. Memory locking will occur when the first
/// coefficient is added to the `coeff` vector.
pub fn zero() -> Self {
Poly { coeff: vec![] }
}
/// Returns the polynomial with constant value `1`. This constructor is identical to
/// `Poly::try_one()` in every way except that this constructor panics if locking the `coeff`
/// vector into RAM fails, whereas `Poly::try_one()` returns an `Err`.
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn zero() -> Result<Self> {
Poly::new(vec![])
/// # Panics
///
/// Panics if we have reached the system's locked memory limit.
pub fn one() -> Self {
Poly::try_one()
.unwrap_or_else(|e| panic!("Failed to create constant `Poly` of value 1: {}", e))
}
/// Returns the polynomial with constant value `1`.
/// Returns the polynomial with constant value `1`. This constructor is identical to
/// `Poly::one()` in every way except that this constructor returns `Err` if locking the
/// `coeff` vector into RAM fails, whereas `Poly::one()` panics.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn one() -> Result<Self> {
Self::monomial(0)
pub fn try_one() -> Result<Self> {
Poly::try_constant(Fr::one())
}
/// Returns the polynomial with constant value `c`. Panics if memory locking fails.
///
/// # Panics
///
/// Panics if we have reached the systems's locked memory limit.
pub fn constant(c: Fr) -> Self {
// We create a raw pointer to the field element within this method's stack frame so we can
// overwrite that portion of memory with zeros once we have copied the element onto the
// heap as part of the vector of polynomial coefficients.
let fr_ptr = &c as *const Fr as *mut u8;
let poly = Poly::try_from(vec![c])
.unwrap_or_else(|e| panic!("Failed to create constant `Poly`: {}", e));
clear_fr(fr_ptr);
poly
}
/// Returns the polynomial with constant value `c`.
/// Returns the polynomial with constant value `c`. This constructor is identical to
/// `Poly::constant()` in every way except that this constructor returns an `Err` if locking
/// the polynomial coefficients into RAM fails.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn constant(c: Fr) -> Result<Self> {
let ptr = &c as *const Fr as *mut u8;
let res = Poly::new(vec![c]);
unsafe {
memzero(ptr, size_of::<Fr>());
}
pub fn try_constant(c: Fr) -> Result<Self> {
// We create a raw pointer to the field element within this method's stack frame so we can
// overwrite that portion of memory with zeros once we have copied the element onto the
// heap as part of polynomials `coeff` vector.
let fr_ptr = &c as *const Fr as *mut u8;
let res = Poly::try_from(vec![c]);
clear_fr(fr_ptr);
res
}
/// Returns the identity function, i.e. the polynomial "`x`".
/// Returns the identity function, i.e. the polynomial "`x`". Panics if mlocking fails.
///
/// # Panics
///
/// Panics if we have reached the system's locked memory limit.
pub fn identity() -> Self {
Poly::monomial(1)
}
/// Returns the identity function, i.e. the polynomial `x`. Returns an `Err` if mlocking
/// fails.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn identity() -> Result<Self> {
Self::monomial(1)
pub fn try_identity() -> Result<Self> {
Poly::try_monomial(1)
}
/// Returns the (monic) monomial "`x.pow(degree)`"
/// Returns the (monic) monomial: `x.pow(degree)`. Panics if mlocking fails.
///
/// # Panics
///
/// Panics if we have reached the systems's locked memory limit.
pub fn monomial(degree: usize) -> Self {
Poly::try_monomial(degree).unwrap_or_else(|e| {
panic!(
"Failed to create monomial `Poly` of degree {}: {}",
degree, e
)
})
}
/// Returns the (monic) monomial: `x.pow(degree)`. Returns an `Err` if mlocking fails.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn monomial(degree: usize) -> Result<Self> {
pub fn try_monomial(degree: usize) -> Result<Self> {
let coeff: Vec<Fr> = iter::repeat(Fr::zero())
.take(degree)
.chain(iter::once(Fr::one()))
.collect();
Poly::new(coeff)
Poly::try_from(coeff)
}
/// Returns the unique polynomial `f` of degree `samples.len() - 1` with the given values
/// `(x, f(x))`.
///
/// # Panics
///
/// Panics if we have reached the systems's locked memory limit.
pub fn interpolate<T, U, I>(samples_repr: I) -> Self
where
I: IntoIterator<Item = (T, U)>,
T: IntoFr,
U: IntoFr,
{
Poly::try_interpolate(samples_repr)
.unwrap_or_else(|e| panic!("Failed to interpolate `Poly`: {}", e))
}
/// Returns the unique polynomial `f` of degree `samples.len() - 1` with the given values
@ -460,7 +557,7 @@ impl Poly {
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn interpolate<T, U, I>(samples_repr: I) -> Result<Self>
pub fn try_interpolate<T, U, I>(samples_repr: I) -> Result<Self>
where
I: IntoIterator<Item = (T, U)>,
T: IntoFr,
@ -468,7 +565,7 @@ impl Poly {
{
let convert = |(x, y): (T, U)| (x.into_fr(), y.into_fr());
let samples: Vec<(Fr, Fr)> = samples_repr.into_iter().map(convert).collect();
Self::compute_interpolation(&samples)
Poly::compute_interpolation(&samples)
}
/// Returns the degree.
@ -516,19 +613,17 @@ impl Poly {
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we hit the system's locked memory limit and failed to
/// `mlock` the new `Poly` instance.
/// Returns an `Error::MlockFailed` if we hit the system's locked memory limit.
fn compute_interpolation(samples: &[(Fr, Fr)]) -> Result<Self> {
let mut poly; // Interpolates on the first `i` samples.
let mut base; // Is zero on the first `i` samples.
if samples.is_empty() {
return Poly::zero();
} else {
poly = Poly::constant(samples[0].1)?;
let mut minus_s0 = samples[0].0;
minus_s0.negate();
base = Poly::new(vec![minus_s0, Fr::one()])?;
return Ok(Poly::zero());
}
// Interpolates on the first `i` samples.
let mut poly = Poly::try_constant(samples[0].1)?;
let mut minus_s0 = samples[0].0;
minus_s0.negate();
// Is zero on the first `i` samples.
let mut base = Poly::try_from(vec![minus_s0, Fr::one()])?;
// We update `base` so that it is always zero on all previous samples, and `poly` so that
// it has the correct values on the previous samples.
@ -545,7 +640,7 @@ impl Poly {
// Finally, multiply `base` by X - x, so that it is zero at `x`, too, now.
let mut minus_x = *x;
minus_x.negate();
base *= Poly::new(vec![minus_x, Fr::one()])?;
base *= Poly::try_from(vec![minus_x, Fr::one()])?;
}
Ok(poly)
}
@ -555,7 +650,7 @@ impl Poly {
if !*SHOULD_MLOCK_SECRETS {
return Ok(());
}
let n_bytes_truncated = len * size_of::<Fr>();
let n_bytes_truncated = *FR_SIZE * len;
if n_bytes_truncated == 0 {
return Ok(());
}
@ -580,7 +675,7 @@ impl Poly {
if !*SHOULD_MLOCK_SECRETS {
return Ok(());
}
let n_bytes_extended = len * size_of::<Fr>();
let n_bytes_extended = *FR_SIZE * len;
if n_bytes_extended == 0 {
return Ok(());
}
@ -788,12 +883,26 @@ impl ContainsSecret for BivarPoly {
}
impl BivarPoly {
/// Creates a random polynomial.
///
/// # Panics
///
/// Panics if we have hit the system's locked memory limit.
pub fn random<R: Rng>(degree: usize, rng: &mut R) -> Self {
BivarPoly::try_random(degree, rng).unwrap_or_else(|e| {
panic!(
"Failed to create random `BivarPoly` of degree {}: {}",
degree, e
)
})
}
/// Creates a random polynomial.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit.
pub fn random<R: Rng>(degree: usize, rng: &mut R) -> Result<Self> {
pub fn try_random<R: Rng>(degree: usize, rng: &mut R) -> Result<Self> {
let poly = BivarPoly {
degree,
coeff: (0..coeff_pos(degree + 1, 0)).map(|_| rng.gen()).collect(),
@ -824,13 +933,23 @@ impl BivarPoly {
result
}
/// Returns the `x`-th row, as a univariate polynomial.
///
/// # Panics
///
/// Panics if we have reached the system's locked memory limit.
pub fn row<T: IntoFr>(&self, x: T) -> Poly {
self.try_row(x)
.unwrap_or_else(|e| panic!("Failed to create `Poly` from row of `BivarPoly: {}`", e))
}
/// Returns the `x`-th row, as a univariate polynomial.
///
/// # Errors
///
/// Returns an `Error::MlockFailed` if we have reached the systems's locked memory limit when
/// creating the new `Poly` instance.
pub fn row<T: IntoFr>(&self, x: T) -> Result<Poly> {
pub fn try_row<T: IntoFr>(&self, x: T) -> Result<Poly> {
let x_pow = self.powers(x);
let coeff: Vec<Fr> = (0..=self.degree)
.map(|i| {
@ -843,7 +962,7 @@ impl BivarPoly {
}
result
}).collect();
Poly::new(coeff)
Poly::try_from(coeff)
}
/// Returns the corresponding commitment. That information can be shared publicly.
@ -985,8 +1104,8 @@ mod tests {
#[test]
fn poly() {
// The polynomial 5 X³ + X - 2.
let x_pow_3 = Poly::monomial(3).expect("Failed to create monic polynomial of degree 3");
let x_pow_1 = Poly::monomial(1).expect("Failed to create monic polynomial of degree 1");
let x_pow_3 = Poly::monomial(3);
let x_pow_1 = Poly::monomial(1);
let poly = x_pow_3 * 5 + x_pow_1 - 2;
let coeff: Vec<_> = [-2, 1, 0, 5].into_iter().map(IntoFr::into_fr).collect();
@ -995,7 +1114,7 @@ mod tests {
for &(x, y) in &samples {
assert_eq!(y.into_fr(), poly.evaluate(x));
}
let interp = Poly::interpolate(samples).expect("Failed to interpolate `Poly`");
let interp = Poly::interpolate(samples);
assert_eq!(interp, poly);
}
@ -1010,10 +1129,8 @@ mod tests {
// generates random bivariate polynomials and publicly commits to them. In partice, the
// dealers can e.g. be any `faulty_num + 1` nodes.
let bi_polys: Vec<BivarPoly> = (0..dealer_num)
.map(|_| {
BivarPoly::random(faulty_num, &mut rng)
.expect("Failed to create random `BivarPoly`")
}).collect();
.map(|_| BivarPoly::random(faulty_num, &mut rng))
.collect();
let pub_bi_commits: Vec<_> = bi_polys.iter().map(BivarPoly::commitment).collect();
let mut sec_keys = vec![Fr::zero(); node_num];
@ -1024,9 +1141,7 @@ mod tests {
for (bi_poly, bi_commit) in bi_polys.iter().zip(&pub_bi_commits) {
for m in 1..=node_num {
// Node `m` receives its row and verifies it.
let row_poly = bi_poly
.row(m)
.unwrap_or_else(|_| panic!("Failed to create row #{}", m));
let row_poly = bi_poly.row(m);
let row_commit = bi_commit.row(m);
assert_eq!(row_poly.commitment(), row_commit);
// Node `s` receives the `s`-th value and verifies it.
@ -1039,10 +1154,8 @@ mod tests {
}
// A cheating dealer who modified the polynomial would be detected.
let x_pow_2 =
Poly::monomial(2).expect("Failed to create monic polynomial of degree 2");
let five = Poly::constant(5.into_fr())
.expect("Failed to create polynomial with constant 5");
let x_pow_2 = Poly::monomial(2);
let five = Poly::constant(5.into_fr());
let wrong_poly = row_poly.clone() + x_pow_2 * five;
assert_ne!(wrong_poly.commitment(), row_commit);
@ -1057,8 +1170,7 @@ mod tests {
.iter()
.map(|&i| (i, bi_poly.evaluate(m, i)))
.collect();
let my_row =
Poly::interpolate(received).expect("Failed to create `Poly` via interpolation");
let my_row = Poly::interpolate(received);
assert_eq!(bi_poly.evaluate(m, 0), my_row.evaluate(0));
assert_eq!(row_poly, my_row);
@ -1073,11 +1185,9 @@ mod tests {
// The whole first column never gets added up in practice, because nobody has all the
// information. We do it anyway here; entry `0` is the secret key that is not known to
// anyone, neither a dealer, nor a node:
let mut sec_key_set = Poly::zero().expect("Failed to create empty `Poly`");
let mut sec_key_set = Poly::zero();
for bi_poly in &bi_polys {
sec_key_set += bi_poly
.row(0)
.expect("Failed to create `Poly` from row #0 for `BivarPoly`");
sec_key_set += bi_poly.row(0);
}
for m in 1..=node_num {
assert_eq!(sec_key_set.evaluate(m), sec_keys[m - 1]);
@ -1085,9 +1195,7 @@ mod tests {
// The sum of the first rows of the public commitments is the commitment to the secret key
// set.
let mut sum_commit = Poly::zero()
.expect("Failed to create empty `Poly`")
.commitment();
let mut sum_commit = Poly::zero().commitment();
for bi_commit in &pub_bi_commits {
sum_commit += bi_commit.row(0);
}

Write Preview
Loading…
Cancel
Save