Fix part of the bugs according to <bliss-audit-1.0.pdf>.

Problems remains to be fixed: Random Oracle Implementation, Cache Attack on Bernoulli Sampler.
LoCCS · Jan 27, 2018 · 20f1bd8 · 20f1bd8
1 parent ff6e5ed
commit 20f1bd8
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 30 deletions.
diff --git a/key.go b/key.go
@@ -2,10 +2,10 @@ package bliss
 
 import (
 	"fmt"
+	"github.com/LoCCS/bliss/huffman"
 	"github.com/LoCCS/bliss/params"
 	"github.com/LoCCS/bliss/poly"
 	"github.com/LoCCS/bliss/sampler"
-	"github.com/LoCCS/bliss/huffman"
 )
 
 type PrivateKey struct {
@@ -70,6 +70,16 @@ func (privateKey *PrivateKey) Param() *params.BlissBParam {
 	return privateKey.s1.Param()
 }
 
+func (privateKey *PrivateKey) Destroy() {
+	n := privateKey.Param().N
+	s1data := privateKey.s1.GetData()
+	s2data := privateKey.s2.GetData()
+	for i := 0; i < int(n); i++ {
+		s1data[i] = 0
+		s2data[i] = 0
+	}
+}
+
 func (publicKey *PublicKey) Param() *params.BlissBParam {
 	return publicKey.a.Param()
 }
@@ -276,4 +286,4 @@ func DeserializePublicKey(data []byte) (*PublicKey, error) {
 		adata[i] = int32(bits)
 	}
 	return &PublicKey{a}, nil
-}
+}
diff --git a/key_test.go b/key_test.go
@@ -65,6 +65,8 @@ func TestGeneratePrivateKey(t *testing.T) {
 				t.Errorf("Wrong a at %d: expect %d, got %d", j, tmp, s3[j])
 			}
 		}
+
+		key.Destroy()
 	}
 }
 
@@ -107,6 +109,8 @@ func TestKeyEncodeDecode(t *testing.T) {
 					i, key.String(), tmp.String())
 			}
 		}
+
+		key.Destroy()
 	}
 }
 
@@ -151,5 +155,7 @@ func TestKeySerialization(t *testing.T) {
 					i, key.String(), tmp.String())
 			}
 		}
+
+		key.Destroy()
 	}
 }
diff --git a/sampler/entropy.go b/sampler/entropy.go
@@ -7,43 +7,43 @@ import (
 
 const (
 	SHA_512_DIGEST_LENGTH uint32 = 64
-	EPOOL_HASH_COUNT = 10
-	CHAR_POOL_SIZE = SHA_512_DIGEST_LENGTH * EPOOL_HASH_COUNT
-	INT16_POOL_SIZE = SHA_512_DIGEST_LENGTH/2*EPOOL_HASH_COUNT
-	INT64_POOL_SIZE = SHA_512_DIGEST_LENGTH/8*EPOOL_HASH_COUNT
+	EPOOL_HASH_COUNT             = 10
+	CHAR_POOL_SIZE               = SHA_512_DIGEST_LENGTH * EPOOL_HASH_COUNT
+	INT16_POOL_SIZE              = SHA_512_DIGEST_LENGTH / 2 * EPOOL_HASH_COUNT
+	INT64_POOL_SIZE              = SHA_512_DIGEST_LENGTH / 8 * EPOOL_HASH_COUNT
 )
 
 type Entropy struct {
-	bitpool uint64
-	charpool []uint8
+	bitpool   uint64
+	charpool  []uint8
 	int16pool []uint16
 	int64pool []uint64
-	seed []uint8
+	seed      []uint8
 
-	bitp uint32
-	charp uint32
+	bitp   uint32
+	charp  uint32
 	int16p uint32
 	int64p uint32
 }
 
-func NewEntropy(seed []uint8) (*Entropy,error) {
+func NewEntropy(seed []uint8) (*Entropy, error) {
 	if len(seed) < int(SHA_512_DIGEST_LENGTH) {
-		return nil,fmt.Errorf("Insufficient seed length, need %d, got %d",
-			SHA_512_DIGEST_LENGTH,len(seed))
+		return nil, fmt.Errorf("Insufficient seed length, need %d, got %d",
+			SHA_512_DIGEST_LENGTH, len(seed))
 	}
-	entropy := Entropy{0,[]uint8{},[]uint16{},[]uint64{},[]uint8{},0,0,0,0}
-	entropy.charpool = make([]uint8,CHAR_POOL_SIZE)
-	entropy.int16pool = make([]uint16,INT16_POOL_SIZE)
-	entropy.int64pool = make([]uint64,INT64_POOL_SIZE)
-	entropy.seed = make([]uint8,SHA_512_DIGEST_LENGTH)
+	entropy := Entropy{0, []uint8{}, []uint16{}, []uint64{}, []uint8{}, 0, 0, 0, 0}
+	entropy.charpool = make([]uint8, CHAR_POOL_SIZE)
+	entropy.int16pool = make([]uint16, INT16_POOL_SIZE)
+	entropy.int64pool = make([]uint64, INT64_POOL_SIZE)
+	entropy.seed = make([]uint8, SHA_512_DIGEST_LENGTH)
 	for i := 0; i < int(SHA_512_DIGEST_LENGTH); i++ {
 		entropy.seed[i] = seed[i]
 	}
 	entropy.refreshCharPool()
 	entropy.refreshInt16Pool()
 	entropy.refreshInt64Pool()
 	entropy.refreshBitPool()
-	return &entropy,nil
+	return &entropy, nil
 }
 
 func (entropy *Entropy) incrementSeed() {
@@ -57,7 +57,7 @@ func (entropy *Entropy) incrementSeed() {
 
 func (entropy *Entropy) refreshCharPool() {
 	for i := 0; i < int(EPOOL_HASH_COUNT); i++ {
-		offset := i*int(SHA_512_DIGEST_LENGTH)
+		offset := i * int(SHA_512_DIGEST_LENGTH)
 		sha := sha3.Sum512([]byte(entropy.seed))
 		for j := 0; j < int(SHA_512_DIGEST_LENGTH); j++ {
 			entropy.charpool[offset+j] = uint8(sha[j])
@@ -69,10 +69,10 @@ func (entropy *Entropy) refreshCharPool() {
 
 func (entropy *Entropy) refreshInt16Pool() {
 	for i := 0; i < int(EPOOL_HASH_COUNT); i++ {
-		offset := i*int(SHA_512_DIGEST_LENGTH)/2
+		offset := i * int(SHA_512_DIGEST_LENGTH) / 2
 		sha := sha3.Sum512([]byte(entropy.seed))
 		for j := 0; j < int(SHA_512_DIGEST_LENGTH)/2; j++ {
-			entropy.int16pool[offset+j] = combineUint16(sha[:],j*2)
+			entropy.int16pool[offset+j] = combineUint16(sha[:], j*2)
 		}
 		entropy.incrementSeed()
 	}
@@ -81,10 +81,10 @@ func (entropy *Entropy) refreshInt16Pool() {
 
 func (entropy *Entropy) refreshInt64Pool() {
 	for i := 0; i < int(EPOOL_HASH_COUNT); i++ {
-		offset := i*int(SHA_512_DIGEST_LENGTH)/8
+		offset := i * int(SHA_512_DIGEST_LENGTH) / 8
 		sha := sha3.Sum512([]byte(entropy.seed))
 		for j := 0; j < int(SHA_512_DIGEST_LENGTH)/8; j++ {
-			entropy.int64pool[offset+j] = combineUint64(sha[:],j*8)
+			entropy.int64pool[offset+j] = combineUint64(sha[:], j*8)
 		}
 		entropy.incrementSeed()
 	}
@@ -123,23 +123,25 @@ func (entropy *Entropy) Char() uint8 {
 	return ret
 }
 
-func (entropy *Entropy) Bit() bool {
+func (entropy *Entropy) UintBit() uint64 {
 	if entropy.bitp >= 64 {
 		entropy.refreshBitPool()
 	}
 	bit := entropy.bitpool & 1
 	entropy.bitpool >>= 1
 	entropy.bitp++
-	return bit == 1
+	return bit
+}
+
+func (entropy *Entropy) Bit() bool {
+	return entropy.UintBit() == 1
 }
 
 func (entropy *Entropy) Bits(n int) uint32 {
 	ret := uint32(0)
 	for n > 0 {
 		ret <<= 1
-		if entropy.Bit() {
-			ret |= 1
-		}
+		ret |= uint32(1 & entropy.UintBit())
 		n--
 	}
 	return ret

diff --git a/sign.go b/sign.go
@@ -192,6 +192,9 @@ restart:
 	y1beta := poly.GaussPolyBeta(version, sampler)
 	y2beta := poly.GaussPolyBeta(version, sampler)
 	valpha, err := y1alpha.MultiplyNTT(key.a)
+	if err != nil {
+		return nil, err
+	}
 	vbeta, err := y1beta.MultiplyNTT(key.a)
 	if err != nil {
 		return nil, err

diff --git a/sign_test.go b/sign_test.go
@@ -37,6 +37,8 @@ func TestSignVerify(t *testing.T) {
 		if err != nil {
 			t.Errorf("Failed to verify signature for version %d: %s", i, err.Error())
 		}
+
+		key.Destroy()
 	}
 }
 
@@ -66,6 +68,8 @@ func TestSignVerifyAgainstChannel(t *testing.T) {
 		if err != nil {
 			t.Errorf("Failed to verify signature for version %d: %s", i, err.Error())
 		}
+
+		key.Destroy()
 	}
 }
 
@@ -99,6 +103,8 @@ func TestSignatureEncodeDecode(t *testing.T) {
 			t.Errorf("Different signature decoded for version %d!\nOriginal:\n%s\ngot:\n%s\n",
 				i, sig.String(), tmp.String())
 		}
+
+		key.Destroy()
 	}
 }
 
@@ -121,6 +127,8 @@ func benchSign(b *testing.B, version int) {
 	for i := 0; i < b.N; i++ {
 		key.Sign(msg, entropy)
 	}
+
+	key.Destroy()
 }
 
 func benchSignAgainstSideChannel(b *testing.B, version int) {
@@ -142,6 +150,7 @@ func benchSignAgainstSideChannel(b *testing.B, version int) {
 	for i := 0; i < b.N; i++ {
 		key.SignAgainstSideChannel(msg, entropy)
 	}
+	key.Destroy()
 }
 
 func BenchmarkSignBliss0(b *testing.B) {
@@ -205,6 +214,7 @@ func benchVerify(b *testing.B, version int) {
 	for i := 0; i < b.N; i++ {
 		pub.Verify(msg, sig)
 	}
+	key.Destroy()
 }
 
 func BenchmarkVerifyBliss0(b *testing.B) {
@@ -263,5 +273,6 @@ func TestSignatureSerializeDeserialize(t *testing.T) {
 			t.Errorf("Different signature decoded for version %d!\nOriginal:\n%s\ngot:\n%s\n",
 				i, sig.String(), tmp.String())
 		}
+		key.Destroy()
 	}
 }