User manual - Verificatum
HashfunctionHeuristic is instantiated, or an instance of com.verificatum.crypto.Hashfunction. Random oracles with various output lengths are then implemented using the given hash function in com.verificatum.crypto.RandomOracle. WARNING! Do not change the default unless you know exactly what you are doing.

-schema <type>      Output the XML schema definition of private or protocol files. Legal values are "private" and "protocol".
-seed <value>       Seed file for pseudo-random generator of this party.
-sid <value>        Session identifier of this protocol execution. This must be globally unique.
-skey <value>       Pair of public and private signature keys (instance of com.verificatum.crypto.SignatureKeyPair).
-srtbyrole <value>  Sorting attribute used to sort parties with respect to their roles in the protocol. This is used to assign roles in protocols where different parties play different roles.
-statdist <value>   Statistical distance from uniform of objects sampled in protocols or in proofs of security.
-thres <value>      Threshold number of parties needed to violate the privacy of the protocol, i.e., this is the number of parties needed to decrypt.
-vbitlen <value>    Bit length of challenges in interactive proofs.
-vbitlenro <value>  Bit length of challenges in non-interactive random-oracle proofs.
-version            Print the package version.
-width <value>      Default width of ciphertexts process
# Step 4. Mix the ciphertexts.
vmn -mix ciphertexts plaintexts

###################### Executed by Operator 2 ######################

# Step 0. Generate stub file.
cd mydemo/02
vmni -prot -sid SessionID -name "Swedish Election" -nopart 3 -thres 2

# Step 1. Generate private info and protocol info files.
vmni -party -name "Mix server 02" -http http://localhost:8042 -hint localhost:4042

# Copy protocol info files using out-of-bound channel.
cp localProtInfo.xml protInfo02.xml
cp protInfo02.xml ../01
cp protInfo02.xml ../03

# Step 2. Merge protocol files and generate public key.
vmni -merge protInfo*.xml
vmn -keygen publicKey

# Step 3. Wait for demo ciphertexts generated by Operator 1.

# Step 4. Mix the ciphertexts.
vmn -mix ciphertexts plaintexts

###################### Executed by Operator 3 ######################

# Step 0. Generate stub file.
cd mydemo/03
vmni -prot -sid SessionID -name "Swedish Election" -nopart 3 -thres 2

# Step 1. Generate private info and protocol info files.
vmni -party -name "Mix server 03" -http http://localhost:8043 -hint localhost:4043

# Copy protocol info files using out-of-bound channel.
cp localProtInfo.xml protInfo03.xml
cp protInfo03.xml ../01
cp protInfo03.xml ../02

# Step 2. Merge protocol files and generate public key.
vmni -merge protInfo*.xml
vmn -keygen publicKey

# Step 3. Wait for demo ciphertexts generated by Operator 1.

# Step 4. Mix the ciphertexts.
vmn -mix ciphertexts plaintexts
<ip address>:<port> where our hint server listens for connections, which may be different from the address used to access it, e.g., if it is behind a NAT.
-http <value>       URL to the HTTP server of this party.
-httpdir <value>    Root directory of HTTP server.
-httpl <value>      URL where the HTTP server of this party listens for connections, which may be different from the HTTP address used to access it, e.g., if it is behind a NAT.
-httptype <value>   Decides if an internal or external HTTP server is used. Legal values are "internal" or "external".
-keygen <value>     Determines the key generation algorithm used to generate keys for the CCA2-secure cryptosystem with labels used in subprotocols. An instance of com.verificatum.crypto.CryptoKeyGen.
-keywidth <value>   Width of El Gamal keys. If equal to one, the standard El Gamal cryptosystem is used, but if it is greater than one, then the natural generalization over a product group of the given width is used. This corresponds to letting each party hold multiple standard public keys.
-maxciph <value>    Maximal number of ciphertexts for which pre-computation is performed. Pre-computation can still be forced for a different number of ciphertexts for a given session using the -maxciph option during pre-computation.
-merge              Merge several protocol info files with identical joint parameters into a single p
of ciphertexts, or concatenate lists of ciphertexts. Furthermore, public keys may have different key widths. The command can extract components of public keys and combine these components into new public keys. The command provides the corresponding functionality for ciphertexts encrypted using the original public keys. This command can, e.g., be used to (1) let two distinct sets of mix servers run two mix nets that generate two public keys, (2) combine them into a new single public key, (3) encrypt messages using the combined public key, (4) shuffle the combined ciphertexts, (5) extract the components of each ciphertext encrypted using the first public key, and (6) decrypt the extracted components. This is only one example; the command vre is very powerful, and the best way to understand the functionality is reading the usage information and trying it out. The usage information is found in Appendix L.

4 Object Generator

Some of the option parameters passed to vmni can be complex objects, i.e., a provably secure pseudo-random generator may be based on a computational assumption that must be part of the encoding. The object generator vog is used to generate representations of such objects. Before any objects are generated, the source of randomness of the object generator must be initialized, but we postpone the discussion of this to Section 4.2.

4.1 Listing and Generating Objects

The main usage of vog is to list all suitable subclasses of some cla
session identifier of the mixing/shuffling/decryption session. By default it is named "default", since this is the default auxiliary session identifier. The contents of this directory can then be verified by anybody who has the necessary knowledge to implement a verification algorithm. Thus, VMN is said to be universally verifiable.

6.1 Verificatum Mix Net Verifier

Let protInfo.xml be a protocol info file and let default be a directory containing the intermediate values and non-interactive zero-knowledge proofs. Then the following commands can be used to verify the correctness of proofs of mixing/shuffling/decryption. The command vmnv is completely silent by default and halts with exit status 0 upon success and otherwise halts with a non-zero exit status. The -v option can be used to turn on verbose output displaying progress and the verifications performed. Syntax errors or incorrect usage give error messages even if the -v option is not used.

Proof of Mixing. The validity of a proof of a mixing can be verified using the following command:

vmnv -mix protInfo.xml default

This command gives a usage error if the proof is not even a proof of a mixing. The -nopos option turns off verification of proofs of shuffles. The -nodec option turns off verification of the proof of decryption. This allows verifying a part of a proof. If pre-computation was used during the execution of the mix net, then the -noposc option can be
this command roughly at the same time.

1. Generate public key. The operators execute the joint key generation phase of the protocol, which outputs a joint public key to a file publicKey to be used by senders when computing their ciphertexts.

vmn -keygen privInfo.xml protInfo.xml publicKey

2. Mix ciphertexts. To start the mixing phase with a file ciphertexts containing ciphertexts to produce a file plaintexts containing plaintexts, the operator uses the following command:

vmn -mix privInfo.xml protInfo.xml ciphertexts plaintexts

If the info files were generated in a directory as explained in Section 2.2 and the above commands are executed in the same directory, then the names of the info files can be dropped here and below.

Deleting a session. If there is a fatal error during the execution, or if an operator interrupts an execution by mistake, then all operators can execute the following command to delete all information about the current mixing session:

vmn -delete privInfo.xml protInfo.xml

Note that this only deletes the mixing data and not any information about the distributed key generation.

Changing the set of active parties. For distributed bulletin boards there is no practical way to determine if a party will deliver a message or if it simply delays messages, since the expected delays differ depending on the role of the mix server, its hardware, its network connection, etc. Thus the ap
used to turn off verification of proofs of shuffles of commitments, and the -noccpos option can be used to turn off verification of the commitment-consistent proofs of shuffles. These options give a usage error if pre-computation was not used during the execution producing the proof. It is quite natural to use -noccpos and -nodec to verify that the pre-computation phase was performed correctly but nothing else, and then later use -noposc to verify the commitment-consistent proofs of shuffles and the decryption but not the proofs of shuffles of commitments.

Proof of Shuffling. If the mix net only shuffled the ciphertexts without decrypting, then the proofs of shuffles can be verified using the following command:

vmnv -shuffle protInfo.xml default

If pre-computation was used, then the options -noposc and -noccpos can be used as above. These options give a usage error if the proof is not the result of an execution with pre-computation.

Proof of Decryption. If the mix net was only used to decrypt a list of ciphertexts, then the corresponding proof can be verified using the following command:

vmnv -decrypt protInfo.xml default

Sloppy Verification. It is also possible to verify the correctness of a proof of a mixing/shuffling/decryption without stating which, or the auxiliary session identifier, or the actual width, as described below. This option should not be used in real applications, since it is dangerous to not explici
<value>] [-srtbyrole <value>] <protInfoIn> <privInfo> <protInfoOut>
vmni -merge [-cerr] [-e] <protInfoIn> <protInfoOut>
vmni -digest [-hash <value>] <file>
vmni -schema <type>
vmni -version

Description

This command is used to generate the configuration file of a protocol in three simple steps:

1. Each party generates a stub protocol info file with the global parameters.
2. Each party generates private and protocol info files.
3. Each party merges all protocol info files into a single protocol info file.

The options -prot, -party and -merge must appear as the first option.

Use -prot to generate the global stub file containing only the global parameters that all parties agree on. For example:

vmni -prot -sid SID -name Execution -nopart 3 -thres 2 stub.xml

Use -party to generate (i) a private info file containing your private parameters, e.g., your secret signing key, and (ii) a new protocol info file based on the input protocol info stub file where all your public information has been added. For example:

vmni -party -name "Santa Claus" stub.xml privInfo1.xml protInfo1.xml

If you use a PRG as the random source (the -rand option), then use the -seed option as well and specify a seed file or device containing a seed of suitable length.

Use -merge to generate a single protocol info file from several protocol info files wi
× Z_263 is represented as

00 00000002
   00 00000003
      01 00000002 0001
      01 00000002 0002
      01 00000002 0003
   00 00000003
      01 00000002 0004
      01 00000002 0005
      01 00000002 0006

B.4 Multiplicative Groups Modulo Primes

Group. A subgroup G of prime order q of the multiplicative group Z*_p, where p > 3 is prime, with standard generator g is represented by the byte tree node(p, q, g, bytes_4(e)), where the integer e, encoded as four bytes, determines how a string is encoded into a group element and can be ignored for the purpose of this document. We stress that g is the byte tree representation of g viewed as a group element, as defined below.

Group element. An element a ∈ G, where G is a subgroup of prime order q of Z*_p for a prime p, is represented by leaf(bytes_k(a)), where a is identified with its integer representative in [0, p-1] and k is the smallest integer such that p can be represented as bytes_k(p).

Example 14. Let G be the subgroup of order q = 131 in Z*_263. Then 258 ∈ G is represented by 01 00000002 0102.

Example 15. Let G be the subgroup of order q = 131 in Z*_263. Then 3 ∈ G is represented by 01 00000002 0003.

B.5 Standard Elliptic Curves over Prime Order Fields

Group. A standard elliptic curve group named FooCurve is represented by the byte tree leaf("FooCurve").

Example 16. The group P-256 from FIPS 186-3 [1] is represented by leaf("P-256").

The following curves are currently implemented by VMN, e
F into the corresponding array of bytes.

B Representations of Arithmetic Objects

Every arithmetic object in VMN is represented as a byte tree. In this section we pin down the details of these representations. We describe how to represent elements in product rings and product groups as well as arrays of such elements. These products are basically lists of elements, and operations are applied element-wise.

B.1 Basic Objects

Integers. A multi-precision integer n is represented by leaf(bytes_k(n)) for the smallest possible integer k.

Example 4. 263 is represented by 01 00000002 0107.

Example 5. -263 is represented by 01 00000002 FEF9.

Arrays of booleans. An array (a_1, ..., a_l) of booleans is represented as leaf(b), where b is an array (b_1, ..., b_l) of bytes where b_i equals 01 if a_i is true and 00 otherwise.

Example 6. The array (true, false, true) is represented by leaf(01 00 01).

Example 7. The array (true, true, false) is represented by leaf(01 01 00).

B.2 Prime Order Fields

Field element. An element a in a prime order field Z_q is represented by leaf(bytes_k(a)), where a is identified with its integer representative in [0, q-1] and k is the smallest possible k such that q can be represented as bytes_k(q). In other words, field elements are represented using fixed-size byte trees, where the fixed size only depends on the order of the field.

Example 8. 258 ∈ Z_263 is represented by 01 00000002 0102.

Example 9. 5 ∈ Z_263 is rep
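The encodings of B.1 and B.2 above, the fixed-size group element rule of B.4 and the nested node layout of the array example in B.3 can all be checked mechanically against the hex strings on this page. The following Python encoder/decoder is an added example and is not code from the manual or from the Verificatum project. It assumes the byte tree framing that the page's hex examples exhibit (a leaf is 0x01 followed by a 4-byte big-endian length and the data; a node is 0x00 followed by a 4-byte big-endian child count and the children) and that bytes_k(n) is the k-byte big-endian two's complement encoding, which is what Example 5's FEF9 for -263 implies. The function and variable names are this example's own.

```python
# Added example, not Verificatum code. Byte tree framing and the two's
# complement convention for bytes_k(n) are assumptions read off the hex
# examples in Appendix B of the manual.


def leaf(data: bytes) -> bytes:
    """Byte tree leaf: 0x01 || 4-byte big-endian length || data."""
    return b"\x01" + len(data).to_bytes(4, "big") + data


def node(*children: bytes) -> bytes:
    """Byte tree node: 0x00 || 4-byte big-endian child count || children."""
    return b"\x00" + len(children).to_bytes(4, "big") + b"".join(children)


def min_len_signed(n: int) -> int:
    """Smallest k such that n fits in k bytes of two's complement."""
    k = 1
    while not (-(1 << (8 * k - 1)) <= n < (1 << (8 * k - 1))):
        k += 1
    return k


def bytes_k(n: int, k: int) -> bytes:
    """The manual's bytes_k(n): k-byte big-endian two's complement."""
    return n.to_bytes(k, "big", signed=True)


def encode_integer(n: int) -> bytes:
    """B.1: a multi-precision integer is leaf(bytes_k(n)) with the smallest k."""
    return leaf(bytes_k(n, min_len_signed(n)))


def encode_bool_array(bits) -> bytes:
    """B.1: booleans become a single leaf of 0x01/0x00 bytes."""
    return leaf(bytes(1 if b else 0 for b in bits))


def encode_field_element(a: int, q: int) -> bytes:
    """B.2: fixed-size leaf; k depends only on q, not on a."""
    if not 0 <= a < q:
        raise ValueError("not a canonical representative in [0, q-1]")
    return leaf(bytes_k(a, min_len_signed(q)))


def encode_modp_group_element(a: int, p: int) -> bytes:
    """B.4: same fixed-size rule, keyed on the modulus p of Z*_p."""
    if not 0 < a < p:
        raise ValueError("not a representative in [1, p-1]")
    return leaf(bytes_k(a, min_len_signed(p)))


def example_array_z263() -> bytes:
    """The nested node example from B.3 on this page: two nodes holding
    (1,2,3) and (4,5,6) as elements of Z_263."""
    inner = lambda vals: node(*(encode_field_element(v, 263) for v in vals))
    return node(inner([1, 2, 3]), inner([4, 5, 6]))


def decode(bt: bytes, pos: int = 0):
    """Parse a byte tree; leaves become bytes, nodes become lists.
    Returns (tree, end_position) and rejects truncated or unknown input."""
    if pos + 5 > len(bt):
        raise ValueError("truncated byte tree header")
    tag = bt[pos]
    n = int.from_bytes(bt[pos + 1:pos + 5], "big")
    pos += 5
    if tag == 1:
        if pos + n > len(bt):
            raise ValueError("truncated leaf")
        return bt[pos:pos + n], pos + n
    if tag == 0:
        children = []
        for _ in range(n):
            child, pos = decode(bt, pos)
            children.append(child)
        return children, pos
    raise ValueError("unknown byte tree tag %d" % tag)


def is_valid_field_element(bt: bytes, q: int) -> bool:
    """Strict parser for a B.2 leaf: exactly one leaf, exactly k bytes for
    this q, and a canonical value in [0, q-1]. Anything else is rejected,
    so a length that leaks magnitude or a non-reduced value never parses."""
    try:
        tree, end = decode(bt)
    except ValueError:
        return False
    if end != len(bt) or not isinstance(tree, bytes):
        return False
    if len(tree) != min_len_signed(q):
        return False
    a = int.from_bytes(tree, "big", signed=True)
    return 0 <= a < q


if __name__ == "__main__":
    print(encode_integer(263).hex(), encode_integer(-263).hex())
    print(encode_field_element(258, 263).hex())
    print(example_array_z263().hex())
```

The strict parser is the part worth copying: because B.2 fixes the leaf length from q alone, a verifier can reject any field element leaf whose length or value is non-canonical before doing arithmetic on it, which is how ambiguous encodings of the same element are kept out of proof transcripts.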
Verificatum
User Manual for the Verificatum Mix Net
Version 1.4.1, 2015-05-11

The Verificatum mix net is an implementation of a provably secure El Gamal based mix net. This document describes how to use the mix net. For information about the design and implementation, please visit http://www.verificatum.org.

Help us improve this document! The most recent version of this document can be found at http://www.verificatum.com. Report errors, omissions and suggestions to docs@verificatum.com.

Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Verificatum AB

Contents

1 Introduction
2 Info File Generator
3 Mix Net
4 Object Generator
5 Demonstrator
6 Universally Verifiable Proof of Correctness
7 Converting Public Keys, Ciphertexts and Plaintexts
8 Acknowledgments
A Byte Trees
B Representations of Arithmetic Objects
C Raw Format
D Alternative Formats
E Additional Command Line Tools
F Worked Example with Three Mix Servers
G Usage Information for vmni
H Usage Information for vmn
I Usage Information for vog
J Usage Information for vmnv
K Usage Information for vmnc
L Usage Information for vre

1 Introduction

The Verificatum mix net (VMN) is an implementation of an El Gamal based re-encryption mix net. It can be configured in many ways, but all values have sensible defaults. The reader is expected to understand what an El Gamal based m
ROUGHLY. IT MAY CHANGE OR EVEN DISAPPEAR FROM FUTURE VERSIONS.

Re-arranges inputs and outputs of the mix net in various ways.

Using the -pkeys option, components of public keys can be combined to form new public keys, e.g., two public keys of widths 2 and 3 can be used to form a width 4 key consisting of the first public key and the first two components of the second public key, dropping the third.

The following functionality is available for either arrays of ciphertexts or plaintexts, depending on if the -ciphs or -plain flag is used.

1. Using the -sub option, subarrays can be extracted from a source array by providing intervals of indexes.
2. Using the -cat option, arrays can be concatenated.
3. Using the -shallow option, arrays can be formed by taking the direct product, concatenating components of other arrays element-wise.
4. Using the -deep option, arrays can be formed by taking the direct product, concatenating components of other arrays element-wise at the deep level.

Combining the above commands, arrays of plaintexts or ciphertexts can be re-arranged in all possible ways that are needed to be processed by the mix net.

Parameters

<file>
<pkey>
ach defining the order of the underlying field, the curve equation, the order of the group and the standard generator:

P-192, P-224, P-256, P-384, P-521, brainpoolp192r1, brainpoolp224r1, brainpoolp256r1, brainpoolp320r1, brainpoolp384r1, brainpoolp512r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1

Group element. Let the curve be defined over a prime order field Z_p and let k be the smallest integer such that p can be represented as bytes_k(p). Then an affine point P = (x, y) on the curve is represented by node(leaf(bytes_k(x)), leaf(bytes_k(y))), and the point at infinity is represented by node(leaf(bytes_k(-1)), leaf(bytes_k(-1))). Note that a fixed-size representation of -1 is used.

B.6 Arrays of Group Elements and Product Groups

Array of group elements. An array (a_1, ..., a_l) of group elements is represented by a byte tree node(a'_1, ..., a'_l), where a'_i is the byte tree representation of a_i.

Product group element. An element a = (a_1, ..., a_k) in a product group is represented by node(a'_1, ..., a'_k), where a'_j is the byte tree representation of a_j.

Array of product group elements. An array (a_1, ..., a_l) of elements in a product group, where a_i = (a_{i,1}, ..., a_{i,k}), is represented by node(b'_1, ..., b'_k), where b_j is the array (a_{1,j}, ..., a_{l,j}) and b'_j is its representation as a byte tree.

B.7 Marshal
ave different widths. The letter x is used to indicate taking the direct product of components (concatenation), e.g., the following denotes the concatenation of the 2nd component of the 1st input file and the 3rd component from the 4th input file: 0,1x3,2. To simplify notation, multiple source indexes may be denoted as s-e, where s is the starting index (inclusive) and e is the ending index (exclusive). The descriptions of the contents of the output files are separated by colons, e.g., the format 0,0-2:0,1-4 states that there are two output files with contents formed as explained above. The number of input files and output files must match the total number of files given as command line arguments.

-h                  Print usage information.
                    Colon-separated list of descriptions of intervals, i.e., expressions of the form s-e, where s >= 0 is the inclusive starting index and e > s is the exclusive ending index.
                    Number of input public keys.
-pkeys              Re-arrange public keys.
-plain              Re-arrange plaintexts.
                    Re-arrange input arrays according to the given format. One of the options -ciphs or -plain is required.
-sub                Split input array into one or more subarrays. One of the options -ciphs or -plain is required.
-version            Print the package version.
                    Working directory used for file-based arrays. This defaults to a uniquely named subdirectory of /tmp/com.verificatum.
-width <value>      Width that specifies a number of c
-widths <string>
catum.protocol.com.BullBoardBasic.
-cerr               Print error messages as clean strings without any error prefix or newlines.
-cert <value>       Certainty with which probabilistically checked parameters are verified, i.e., the probability of an error is bounded by 2^(-cert).
-corr <value>       Determines if the proofs of correctness of an execution are interactive or non-interactive. Legal values are "interactive" or "noninteractive".
-descr <value>      Description of this protocol execution. This is merely a longer description than the name of the protocol execution.
-digest             Compute hexadecimal encoded digest of file.
-dir <value>        Working directory of this protocol instance.
-e                  Print exception trace upon error.
-ebitlen <value>    Bit length of each component in random vectors used for batching.
-ebitlenro <value>  Bit length of each component in random vectors used for batching in non-interactive random-oracle proofs.
-h                  Display usage information.
-hash <value>       Name of an algorithm from the SHA-2 family, i.e., SHA-256, SHA-384 or SHA-512. Default is SHA-256. Used to compute a digest of an info file.
-hint <value>       Socket address given as <hostname>:<port> or <ip address>:<port> to our hint server. A hint server is a simple UDP server that reduces latency and traffic on the HTTP servers.
-hintl <value>      Socket address given as <hostname>:<port> or
ciphertexts plaintexts

To hide this functionality during basic usage, the auxiliary session identifier defaults to "default", i.e., the following is equivalent to not specifying any auxiliary session identifier:

vmn -mix -auxsid default privInfo.xml protInfo.xml ciphertexts plaintexts

3.4 Changing the width of ciphertexts

The default width of ciphertexts in the protocol info file can be overridden by using the -width option. This may be useful if the width is not known when the keys are generated or if different widths are used in different sessions. For example, to change the width to 3 in the execution of the mix net, use the following command:

vmn -mix -width 3 privInfo.xml protInfo.xml ciphertexts plaintexts

Similarly, to override the default width during pre-computation, use the following command:

vmn -precomp -width 3 privInfo.xml protInfo.xml

Note that all mix servers must use the same width.

3.5 Rearranging public keys and ciphertexts

Consider a set of ciphertexts of a given width. It may be useful, e.g., to only decrypt the first component of each ciphertext. The mix net already supports decrypting ciphertexts of different widths, but a tool is needed to extract the first component. The command vre provides this functionality and much more. It allows combining components of ciphertexts from multiple lists of ciphertexts. The command can also extract subsets of a list
dth as described in Section 3.4, this turns the mix net into a black box that provides all the functionality needed in virtually all electronic voting systems.

Pre-computation. Pre-computation can be used to speed up the mixing phase of the mix net, but all mix servers must agree on the number of ciphertexts for which pre-computation is performed. If the -maxciph option was used when generating the protocol info stub file, then there is a default number of ciphertexts for which pre-computation is performed, and pre-computation followed by the mixing can be executed using the following commands:

vmn -precomp privInfo.xml protInfo.xml
vmn -mix privInfo.xml protInfo.xml ciphertexts plaintexts

The default number of ciphertexts for which pre-computation is performed can be overridden by using the -maxciph option, and this is necessary if the default was not set to a positive value as outlined above. All mix servers must of course use the same value. We stress that the mix servers execute a protocol during the pre-computation phase. Thus, all of the operators must execute this command roughly at the same time.

Shuffling without decrypting. In some applications it is useful to shuffle the ciphertexts without decrypting. Use the following command to achieve this:

vmn -shuffle privInfo.xml protInfo.xml ciphertexts ciphertextsout

Decrypting without shuffling. In other applications it is useful to simply dec
e combined source. Combining a hardware generator, /dev/urandom and a PRG should satisfy the requirements of any auditor.

Using a different bulletin board. The default bulletin board uses a stripped-down version of HTTP with mutual signatures, but it is easy to replace the default bulletin board by another bulletin board. The simplest way to replace the bulletin board is to merely use any existing HTTP server and use the -httptype external flag to vmni to indicate that an external HTTP server is serving the files published as part of the existing bulletin board protocol. The rest of the protocol would then be intact. Alternatively, a subclass of the abstract class com.verificatum.com.BullBoardBasic can be implemented. This class must contain the abstract methods start, stop, publish, unpublish and waitFor. These functions must behave as expected. They are used to start/stop the bulletin board and to publish or wait for something to be published by another party. Please consult the VMN source code for more details. Thus, it is easy to write a wrapper for an existing bulletin board implementation. If a bulletin board is implemented in a class FooBullBoard, then there must also exist a subclass of com.verificatum.com.BullBoardBasicGen named FooBullBoardGen that specifies the configuration data needed by the bulletin board. If a wrapper is implemented, then the configuration data can of course consist of a single field that specifies an
ed by the mix net. A different width can still be forced for a given session by using the -width option.

H Usage Information for vmn

Usage:

vmn -h
vmn -keygen [-cerr] [-e] [-s] <privInfo> <protInfo> <publicKey>
vmn -mix [-auxsid <sid>] [-cerr] [-e] [-maxciph <value>] [-s] [-width <value>] <privInfo> <protInfo> <ciphertexts> <plaintexts>
vmn -delete [-auxsid <sid>] [-cerr] [-e] [-f] [-s] <privInfo> <protInfo>
vmn -lact <privInfo> <protInfo>
vmn -sact <privInfo> <protInfo> <indices>
vmn -precomp [-auxsid <sid>] [-cerr] [-e] [-maxciph <value>] [-s] [-width <value>] <privInfo> <protInfo>
vmn -setpk [-cerr] [-e] <privInfo> <protInfo> <publicKey>
vmn -shuffle [-auxsid <sid>] [-cerr] [-e] [-s] [-width <value>] <privInfo> <protInfo> <ciphertexts> <ciphertextsout>
vmn -decrypt [-auxsid <sid>] [-cerr] [-e] [-s] [-width <value>] <privInfo> <protInfo> <ciphertexts> <plaintexts>
vmn -version

Description

Executes the various phases of a mix net. In all commands, info file names can be dropped, in which case they are assumed to be privInfo.xml and protInfo.xml and exist in the current working directory.

Use -keygen to execute the joint key generatio
ely delete data about a session. WARNING! This removes all data permanently. There is no way to recover deleted data. You can not keep the pre-computed data for the shuffling, since this is not necessarily secure to re-use.

Use -lact to print the set of indices of currently active mix servers.

Use -sact to set the list of indices of currently active mix servers. This may be necessary in the case of network or hardware errors.

The -width option can be used to set the width of a session, and otherwise it defaults to the width from the protocol info file.

The -maxciph option can be used to set the number of ciphertexts for which pre-computation is performed, and otherwise it defaults to the corresponding value in the protocol info file.

Unless the -s option is used, each invocation of the protocol prints logging information not only to the log file in the working directory of the mix server but also to stdout. The time entries of each line in the log file must be interpreted with great care, since certain operations take place at the same time in separate threads and some operations are pre-computed in this way. Three time measurements are printed at the end of the logging information. The first is the total running time of the command, the second is the time used to publish and read messages of the other mix servers, and the third is the time spent waiting for other mix servers to complete computations or waiting for the n
emains 8040. Similarly, the -hint and -hintl options are used to define the socket address of the hint server. Below we give an example, but Appendix F also illustrates the use of these options.

vmni -party -name "Mix Server 1" -http http://server.example.com:8040 -hint server.example.com:4040 privInfo.xml localProtInfo.xml

3 Mix Net

When the info files of all mix servers have been generated, the mix net can be executed in two or three simple steps: generate a public key, optionally perform pre-computation, and process a list of ciphertexts to produce a list of plaintexts. The formats used to represent the public key, the ciphertexts and the plaintexts are detailed in Appendix C. Before we continue we warn the user.

WARNING! On its own the mix net provides no protection against Pfitzmann's attack (malleability attack). Only use this software under the supervision of somebody that understands this warning.

The reason why such protection is not provided is that it is inherently application dependent. The warning is meant to be a reminder and not an explanation. If you do not understand the warning or this remark, you need to ask a cryptographer for help before deploying the mix net.

3.1 Basic Usage

We complete the example from Section 2 by describing the sequence of commands executed by the operator to actually run the mix net. We stress that each command invokes a protocol, so all operators must execute
erver as a stand-alone server. This is mostly used to test the ability of the mix net to use an external mix server as its basis of a bulletin board.
vtest     Command used to unit test basic classes.
vdemo     Command used to run demos for subprotocols where an accompanying demo class exists. This is used for debugging subprotocols.
vspt      Lists safe primes in a given interval of integers.

F Worked Example with Three Mix Servers

###################### Set up directories ######################
mkdir -p mydemo/01
mkdir -p mydemo/02
mkdir -p mydemo/03

###################### Executed by Operator 1 ######################

# Step 0. Generate stub file.
cd mydemo/01
vmni -prot -sid SessionID -name "Swedish Election" -nopart 3 -thres 2

# Step 1. Generate private info and protocol info files.
vmni -party -name "Mix server 01" -http http://localhost:8041 -hint localhost:4041

# Copy protocol info files using out-of-bound channel.
cp localProtInfo.xml protInfo01.xml
cp protInfo01.xml ../02
cp protInfo01.xml ../03

# Step 2. Merge protocol files and generate public key.
vmni -merge protInfo*.xml
vmn -keygen publicKey

# Step 3. Generate demo ciphertexts (in reality by senders).
vmnd -ciphs publicKey 100 ciphertexts
cp ciphertexts ../02
cp ciphertexts ../03

# Step 4. Mix the ciphertexts.
vmn -mix cipherte
etwork to allow publishing or reading messages.

Parameters

<ciphertexts>       Ciphertexts to be mixed.
<ciphertextsout>    Mixed ciphertexts.
<indices>           The value must be a set described as a braced comma-separated list of distinct indices, where an index i is an integer 1 <= i <= k and k is the total number of parties.
<plaintexts>        Resulting plaintexts from mix net.
<privInfo>          Private info file.
<protInfo>          Protocol info file.
<publicKey>         Destination of public key.

Options

-auxsid <sid>       Auxiliary session identifier used to distinguish different sessions of the mix net. This must consist of letters a-z, A-Z and digits 0-9. If this option is not used, then the auxiliary session identifier defaults to "default". Thus, there is a session identifier for every execution.
-cerr               Print error messages as clean strings without any error prefix or newlines.
-decrypt            Decrypt the input ciphertexts without mixing.
-delete             Delete the given session. WARNING! There is no way to recover the data once it has been deleted.
-e                  Print exception trace upon error.
-f                  Force an interactive option without query.
-h                  Print usage information.
-keygen             Execute joint key generation.
-lact               List indices of currently active servers.
-maxciph <value>    Maximal number of cipher
-mix
-precomp
-s
-sact
-setpk
-shuffle
-version
-width <value>
ever, the usage information for the above commands is given as appendices (Appendix G through Appendix K).

Worked example. Appendix F contains a complete description of the commands executed by the respective operators in an execution with three mix servers, including how to generate demo ciphertexts using the vmnd command described in Appendix E.

2 Info File Generator

Before the mix net is executed, the operators of the mix servers must agree on a set of common parameters, generate their private and public parameters, and share their public parameters.

2.1 Basic Usage

The info file generator is used in three steps. Below we walk through an example with three mix servers, where we describe the view of the operator of the first mix server. The other operators execute corresponding commands.

1. Agree on common parameters. The operators agree on the name and session identifier of the execution and then generate a stub of a protocol file. To do that, each operator invokes vmni as follows:

vmni -prot -sid SessionID -name "Swedish Election" -nopart 3 -thres 2 stub.xml

The command produces a protocol info stub file stub.xml. The parties can then verify that they hold identical protocol info stub files by computing digests as described below. The session identifier, which should be globally unique, can be used to separate multiple executions that logically should have the same name. In the example the number of mix servers is 3
25. ...external configuration file of the underlying bulletin board. Given a custom bulletin board FooBullBoard, the mix-net can be instructed to use it by the following command:

vmni -party -name "Mix Server 1" -bullboard FooBullBoard privInfo.xml localProtInfo.xml

Note that if you use this option when printing usage info, then information about the configuration of your own bulletin board will be printed as well. Use the following to try this:

vmni -h -bullboard FooBullBoard

Running multiple mix servers on a single computer. When the default bulletin board is used for communication between the mix servers, each mix server allocates two ports for communication: one for its HTTP server and one for its hint server. The hint servers are used to optimistically reduce the need for servers to poll each other. By default these port numbers are 8040 and 4040, and this typically works well when running a single mix server. However, if there is a need to run several mix servers on the same computer, e.g., when trying out VMN, then the mix servers must be assigned distinct port numbers. The -http and -httpl options are used to define the external and local URLs for the HTTP server. These can be distinct, e.g., if port forwarding is used behind a NAT. If only -http is given, then the local port number defaults to the same value. If only -httpl is given, then the external port number...
26. ...h ciphertext without any additional delimiters. The output file of plaintexts is constructed exactly like in the native format.

D.3 Custom Format

The custom format of the mix-net is captured by a subclass of ProtocolElGamalInterface found in the com.verificatum.protocol package. This class requires every subclass to implement the following methods:

writePublicKey        Writes a public key to file, including the underlying group in marshalled form.
readPublicKey         Reads a public key from file, including the underlying group in marshalled form.
writeCiphertexts      Writes ciphertexts to file.
readCiphertexts       Reads ciphertexts from file.
decodePlaintexts      Decodes plaintext group elements and writes the result to file.
standardRandomSource  Creates a source of randomness, which is needed to be able to check the correctness of some inputs probabilistically.

Please consider the source of, e.g., ProtocolElGamalInterfaceNative in the same package for an example of a subclass.

E Additional Command Line Tools

VMN comes with a number of additional tools used for debugging the mix-net itself or a stand-alone verifier. Use each command with the -h flag for more information.

vmnd   Generates plaintext group elements.
vbt    Command used to print a byte tree on file as a recursive JSON array with data printed as hexadecimal strings.
vhttp  Command used to run the built-in HTTP s...
27. ...hertexts be $C_k = M_k \times M_k$, and the space of randomness be $R_k = \mathbb{Z}_q^k$. We can then define operations componentwise, i.e., if $a, b \in M_k$ and $e \in R_k$, then $ab = (a_1 b_1, \ldots, a_k b_k)$ and $a^e = (a_1^{e_1}, \ldots, a_k^{e_k})$. We say that an element $g \in M_k$ is a generator if the map $f: R_k \to M_k$ defined by $f(e) = g^e$ is a bijection. With these conventions in place we may generalize El Gamal in the natural way. A generator $g \in M_k$ is given. A secret key $x \in R_k$ is randomly chosen, and the public key is then defined as $(g, y)$, where $y = g^x$. A plaintext $m \in M_k$ is encrypted as $(g^r, y^r m)$ for randomly chosen $r \in R_k$. Decryption of a ciphertext $(u, v)$ is simply defined as $u^{-x} v$.

Changing the default width of ciphertexts. A long plaintext that can not be embedded into a single group element can be split up and embedded into a list of group elements. A slight generalization of the already generalized version of El Gamal can then be used to encrypt the resulting list of group elements. More precisely, we let the set of plaintexts be $M_{k,w} = M_k^w$, the set of ciphertexts be $C_{k,w} = M_k^w \times M_k^w$, and the space of randomness be $R_{k,w} = R_k^w$, and define encryption of a message $m \in M_{k,w}$ using a public key $(g, y)$ and randomness $r \in R_{k,w}$ by

$(u, v) = \big((g^{r_1}, \ldots, g^{r_w}),\ (y^{r_1} m_1, \ldots, y^{r_w} m_w)\big)$.

By extending our notation we can even write this as $(u, v) = (g^r, y^r m)$. We say that the width of plaintexts and ciphertexts is $w$. The mix-net can process a list of ciphertexts of any width, assuming of course that all ciphertexts have the...
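The generalized scheme above, with key width k and ciphertext width w, carried out over the toy group p = 23, q = 11 that the manual's JSON example uses. This is an added example, not VMN code: the class and function names are my own, and the group is far too small for real use.

```python
"""Generalized El Gamal with key width k and ciphertext width w (added example, not VMN code).
Elements of M_k = G_q^k are k-tuples of integers; exponents in R_k = Z_q^k are k-tuples too."""
from __future__ import annotations

import secrets
from typing import Sequence

Vec = tuple[int, ...]


class ModPSubgroup:
    """The order-q subgroup G_q of Z_p^* together with a generator g in M_k (toy parameters only)."""

    def __init__(self, p: int, q: int, g: Sequence[int]) -> None:
        if (p - 1) % q != 0:
            raise ValueError("q must divide p - 1")
        self.p, self.q, self.k = p, q, len(g)
        self.g: Vec = tuple(g)
        # g generates M_k iff every component generates G_q, i.e. is a
        # non-identity element of the prime-order subgroup.
        if any(not self.is_member(gi) or gi == 1 for gi in self.g):
            raise ValueError("each component of g must generate G_q")

    def is_member(self, a: int) -> bool:
        """Membership test for G_q: a in Z_p^* and a^q = 1. Inputs must be validated this way."""
        return 0 < a < self.p and pow(a, self.q, self.p) == 1

    def mul(self, a: Vec, b: Vec) -> Vec:
        """Componentwise product in M_k."""
        return tuple(x * y % self.p for x, y in zip(a, b))

    def exp(self, a: Vec, e: Vec) -> Vec:
        """Componentwise exponentiation a^e; exponents are reduced mod q since a^q = 1."""
        return tuple(pow(x, ei % self.q, self.p) for x, ei in zip(a, e))

    def random_exponents(self, w: int) -> tuple[Vec, ...]:
        """Randomness r in R_{k,w} = (Z_q^k)^w drawn from the OS CSPRNG."""
        return tuple(tuple(secrets.randbelow(self.q) for _ in range(self.k)) for _ in range(w))


def keygen(grp: ModPSubgroup, x: Vec | None = None) -> tuple[tuple[Vec, Vec], Vec]:
    """Secret key x in R_k (random unless given) and public key (g, y) with y = g^x."""
    if x is None:
        x = grp.random_exponents(1)[0]
    return (grp.g, grp.exp(grp.g, x)), x


def encrypt(grp: ModPSubgroup, pk: tuple[Vec, Vec], m: Sequence[Vec],
            r: Sequence[Vec] | None = None) -> tuple[tuple[Vec, ...], tuple[Vec, ...]]:
    """(u, v) = ((g^{r_1}, ..., g^{r_w}), (y^{r_1} m_1, ..., y^{r_w} m_w)) for m in M_{k,w}."""
    g, y = pk
    if r is None:
        r = grp.random_exponents(len(m))
    for mi in m:
        if len(mi) != grp.k or not all(grp.is_member(c) for c in mi):
            raise ValueError("plaintext component outside M_k")
    u = tuple(grp.exp(g, ri) for ri in r)
    v = tuple(grp.mul(grp.exp(y, ri), mi) for ri, mi in zip(r, m))
    return u, v


def decrypt(grp: ModPSubgroup, x: Vec,
            ct: tuple[tuple[Vec, ...], tuple[Vec, ...]]) -> tuple[Vec, ...]:
    """m_i = u_i^{-x} v_i for every block i; u_i^{-x} is computed as u_i^{(q - x) mod q}."""
    u, v = ct
    neg_x = tuple((-xi) % grp.q for xi in x)
    return tuple(grp.mul(grp.exp(ui, neg_x), vi) for ui, vi in zip(u, v))


if __name__ == "__main__":
    # Key width 1, width 1: the manual's toy group with g = 3 (constructed demo values).
    grp = ModPSubgroup(23, 11, (3,))
    pk, x = keygen(grp, (4,))
    ct = encrypt(grp, pk, [(13,)], r=[(5,)])
    print("pk =", pk, "ct =", ct, "dec =", decrypt(grp, x, ct))
    # Key width 2, width 2: both 3 and 13 generate G_11, so (3, 13) generates M_2.
    grp2 = ModPSubgroup(23, 11, (3, 13))
    pk2, x2 = keygen(grp2)
    m2 = ((12, 16), (2, 4))
    print("roundtrip ok:", decrypt(grp2, x2, encrypt(grp2, pk2, m2)) == m2)
```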
28. ...big-endian byte order, where n is given in decimal notation. We also use hexadecimal notation for constants, e.g., 0A means bytes(10). A byte tree is represented by an array of bytes as follows.

- A leaf leaf(d) is represented by the concatenation of a single byte 01, to indicate that it is a leaf, four bytes bytes_4(l), where l is the number of bytes in d, and the data bytes d.
- A node node(b_1, ..., b_l) is represented by the concatenation of a single byte 00, to indicate that it is a node, four bytes bytes_4(l) representing the number of children l, and bytes(b_1) | bytes(b_2) | ... | bytes(b_l), where | denotes concatenation and bytes(b) denotes the representation of the byte tree b as an array of bytes.

Example 2 (Example 1 contd.). The byte tree is represented as the following array of bytes:

00 00000002 00 00000002 01 00000001 AF 01 00000002 03E1 01 00000002 2D52

A.3 ASCII Strings

ASCII strings are identified with the corresponding byte arrays. No ending symbol is used to indicate the length of the string, since the length of the string is stored in the leaf.

Example 3. The string ABCD is represented by leaf(65 66 67 68), the bytes being the ASCII codes written in decimal.

A.4 Hexadecimal Encodings

Sometimes we store byte trees as the hexadecimal encoding of their representation as an array of bytes. We denote by hex(a) the hexadecimal encoding of an array of bytes a. We denote by unhex(s) the reverse operation that converts an ASCII string s of an even number of digits 0-9 and A...
29. ...ile named stub.xml in the working directory and then creates a private info file privInfo.xml and a protocol info file localProtInfo.xml:

vmni -party -name "Mix Server 1"

3. Merge protocol info files. The following creates a protocol info file protInfo.xml:

vmni -merge localProtInfo.xml protInfo2.xml protInfo3.xml

2.3 Additional Configuration Options

The command vmni used to generate info files accepts a large number of options, which allow defining various parameters of the mix-net. In our example we have simply used the default values, but we discuss a few of the important options below. For a complete usage description, use the following command, or generate info files as above and inspect the resulting files. A comprehensive comment is generated for each value.

vmni -h

Pre-computation. The -maxciph option can be passed to vmni to invoke a pre-computation phase as explained in Section 3.2. For example, to configure the mix-net to process 10000 ciphertexts with pre-computation, the option below can be used. This is only used as a default and can be overridden for individual mixing sessions.

vmni -prot -sid "SessionID" -name "Swedish Election" -nopart 3 -thres 2 -maxciph 10000 stub.xml

Changing the default key width. In some settings it is useful to have $k > 1$ public keys, in which case we say that the key width is $k$. Let the set of plaintexts be $M_k = G_q^k$, the set of cip...
30. ...iphertexts/plaintexts considered as a single block in the input.
Comma-separated list of widths, e.g., 2,1,5. Each width specifies a number of ciphertexts/plaintexts considered as a single block in one of the input arrays. The number of input files is determined from the number of entries in the list of widths.
31. ...ix-net is, but there is no need to understand the inner workings of the mix-net. Throughout the document we mark advanced sections by an asterisk. These are sections that target programmers or power users that must use special configurations. These sections can safely be ignored in a first reading, or if these features are not needed.

Components. All that is needed to execute the mix-net is to run a few commands in the right sequence. Thus, we hope that VMN is easy to use even for people who have limited knowledge of cryptography. The following are the basic commands.

vmni  Info file generator used to generate configuration files for the mix-net. Some optional configuration parameters are outputs from the object generator vog described below.
vmn   Mix server executing the VMN. The execution is parametrized by configuration files output from vmni.
vog   Object generator of primitive cryptographic objects such as hash functions, keys, and pseudo-random generators. These can then, using vmni, be used to replace the default values.
vmnv  Verifier of universally verifiable non-interactive zero-knowledge proofs of correct execution based on the Fiat-Shamir heuristic.
vmnc  Tool used to convert public keys, ciphertexts, and plaintexts to/from an application-dependent format from/to the raw format used internally in VMN.

Usage information. Usage information for each command can be printed by passing -h as an option to it. How...
32. ...lasses, the parameters passed to vog must in turn be generated using vog itself, e.g., PRGHeuristic optionally takes the representation of a hash function as input, as illustrated in the following:

vog -gen PRGHeuristic "$(vog -gen HashfunctionHeuristic SHA-256)"

This approach of constructing parametrized complex objects is quite powerful. We can, for example, construct an instance of PRGCombiner that combines a random device and two pseudo-random generators using the following command:

vog -gen PRGCombiner "$(vog -gen RandomDevice /dev/urandom)" \
    "$(vog -gen PRGElGamal -fixed 1024)" \
    "$(vog -gen PRGHeuristic "$(vog -gen HashfunctionHeuristic SHA-256)")"

4.2 Initializing the Random Source

Before vog is used to generate any objects, its source of randomness must be initialized. This is only done once. The syntax is almost identical to the syntax to generate an instance of a subclass of RandomSource, except that it is mandatory to provide a seed if a pseudo-random generator is used. We give two examples. The first example initializes the random source to be the random device /dev/urandom. Any device can of course be used, e.g., a hardware random generator mounted as a device. To avoid accidental reuse of randomness, this option should never be used with a normal file.

vog -rndinit RandomDevice /dev/urandom

The second example shows how to initialize the random source as a pseudo-random generator...
33. ...le to be available at the start of parsing the file. It also decodes the output plaintext group elements into strings according to the encoding scheme of the underlying group. More precisely, hex(node(marshal($M_k$), pk)) is output on the public key file, where pk denotes the public key in $C_k$. For each line in the file of input ciphertexts, an attempt is made to interpret it as hex(w) for some ciphertext $w \in C_{k,w}$. Lines for which this fails are ignored. The array m of plaintext group elements in $M_{k,w}$ is decoded element-wise into strings using the decoding scheme of the underlying group. Any occurrence of a newline or carriage return character in a string is deleted before the strings are output on file, separated by newline characters.

D.2 JSON Format

The JSON format assumes that a subgroup of a multiplicative group modulo a prime is used and that $k = w = 1$, i.e., that the underlying group is represented in VMN as an instance of com.verificatum.arithm.ModPGroup and that each plaintext is a single group element. The format of the public key file is best explained by an example. Suppose that $p = 23$, $q = 11$, and that $G_q$ is the subgroup of order $q$ in $\mathbb{Z}_p^*$. Let $(g, y) = (3, 13)$ be a public key in $G_q \times G_q$. Then the public key is represented as

[public key listing not legible in this copy]

Similarly, a ciphertext $(12, 16) \in G_q \times G_q$ is represented as {"alpha": 12, "beta": 16}, and the input file of ciphertexts contains a single such line for eac...
34. ...ling Groups. When objects are converted to byte trees in VMN, they do not store the name of the Java class of which they are instances. Thus, to recover an object from such a representation, additional information must be available. Java serialization would not be language independent. Furthermore, only a few objects must be converted, so we use a simplified scheme where a group $G_q$ represented by an instance of a Java class PGroupClass in VMN is marshalled into a byte tree node(leaf("PGroupClass"), $G_q$). This byte tree in turn is converted into a byte array, which is coded into hexadecimal and prepended with an ASCII comment. The comment and the hexadecimal coding of the byte array are separated by double colons. The resulting ASCII string is denoted by s = marshal($G_q$), and the group $G_q$ recovered from s by removing the comment and colons, converting the hexadecimal string to a byte array, converting the byte array into a byte tree, and converting the byte tree into a group $G_q$ is denoted by $G_q$ = unmarshal(s).

Groups in VMN. Currently there are two implementations of groups in VMN.

com.verificatum.arithm.ModPGroup  Multiplicative groups.
com.verificatum.arithm.ECqPGroup  Standard elliptic curve groups over prime order fields.

Example 17. The standard NIST curve P-256 [1] is marshalled into node(leaf("com.verificatum.arithm.ECqPGroup"), leaf("P-256")).

C Raw Format

The internal represen...
35. ...n phase of the mix-net. This results in a joint public key. All other invocations of the mix-net are tied to a particular session, as determined by the -auxsid option or lack thereof.

- Use -precomp to pre-compute as much as possible of the shuffling. Note that this requires interacting with the other mix servers, so all operators must do this simultaneously.
- Use -mix to shuffle and decrypt the input ciphertexts, i.e., the output is a list of randomly permuted plaintexts.
- Use -shuffle to shuffle the input ciphertexts without decrypting, i.e., the output is a list of re-encrypted and permuted ciphertexts. If pre-computation was used, then these commands invoke the faster process using the pre-computed values.
- Use -decrypt to only execute the decryption phase of the mix-net, i.e., no mixing takes place and the output is a list of plaintexts.

The shuffling and decryption options can also be used to separate the two phases of the mixing process. Together with the -delete option described below, this gives a way to implement milestones after the pre-computation and after shuffling, to avoid redundant processing in the event of a failure or corruption of a mix server. WARNING! If the mix-net is used in this way, then the user must ensure by other means that the input to the decryption phase is shuffled by mix servers of which a sufficient number are guaranteed to be uncorrupted.

- Use -delete to complet...
36. ...ns, etc. The two most important options are -list, which lists for a given class all its subclasses/interfaces, and -gen, which invokes the generator of the given class. For such a class the option -h should give a usage description. For example, the following describes the possible ways of generating subgroups of multiplicative groups:

vog -gen ModPGroup -h

Some classes require an instance of another class as input. Using shell quoting it is possible to write any such invocation as a single shell command. In Bash you can quote with " and $( ), and generate an instance of Pedersen's collision-free hash function as follows:

vog -gen HashfunctionPedersen -width 2 "$(vog -gen ModPGroup -fixed 2048)"

The -rndinit option can only be used once. It initializes the source of randomness used by this tool in all future invocations. If this option has not been used at all, then the calls that need a random source complain, but all other calls complete without errors. The following, which uses the /dev/urandom device as a source of bits, is usually a reasonable default, but please make sure that this is the case on your platform before you use this.

vog -rndinit RandomDevice /dev/urandom

Some usage examples:

vog -list PRG                    Sub-classes/interfaces of PRG.
vog -gen PRGHeuristic            SHA-2 with counter.
vog -gen ModPGroup -fixed 1024   Squares modulo safe prime.

Parameters:
<classname>  Name of class that all...
37. ...odified compatibility usage information.
-mix            Check proof of mixing.
-noccpos        Turn off verification of commitment-consistent proofs of shuffles. This is only possible if pre-computation was used during execution.
-nodec          Turn off verification of proof of decryption.
-nopos          Turn off verification of proofs of shuffles. If pre-computation is used, this turns off verification of both proofs of shuffles of commitments and commitment-consistent proofs of shuffles.
-noposc         Turn off verification of proofs of shuffles of commitments. This is only possible if pre-computation was used during execution.
-shuffle        Check proof of shuffle.
-sloppy         Check proof of mixing/shuffle/decryption depending on what is specified in the proof itself, using the auxiliary session identifier and width specified in the proof itself.
-t <names>      Print the given comma-separated test vectors. The -th option can be used to list the available test vectors.
-th             List the available test vectors. The names are chosen to be easily related to the notation used in the document that describes the non-interactive zero-knowledge proof of correctness, in particular for programmers that are familiar with LaTeX.
-v              Verbose output, i.e., turn on output.
-version        Print the package version.
-wd <dir>       Directory for temporary files (default is a unique subdirectory of /tmp/com.verificatum). This directory is deleted on exit.
-width <value>  Verify...
38. ...of which 2 are needed to decrypt ciphertexts encrypted with the joint public key produced during the key generation phase.

2. Generate individual info files. Using the protocol info stub file stub.xml as a starting point, each operator generates its own private info file and protocol info file by invoking vmni as in the following example:

vmni -party -name "Mix Server 1" stub.xml privInfo.xml localProtInfo.xml

The command produces two files: a private info file privInfo.xml and an updated protocol info file localProtInfo.xml. The former contains private data such as private signature keys. The latter defines the public parameters of a party, e.g., its IP address and public signature key. Each party must share its local protocol info file with the other mix servers using an authenticated channel. The protocol info stub file stub.xml can now be deleted.

3. Merge protocol info files. The operator now holds three protocol info files: its local file localProtInfo.xml and the local files protInfo2.xml and protInfo3.xml of the other parties. It merges these files using the following command:

vmni -merge localProtInfo.xml protInfo2.xml protInfo3.xml protInfo.xml

This produces a single joint protocol info file protInfo.xml containing all the common parameters and the public information about all parties. The output file does not depend on the order of the input protocol info files. The generated config...
39. ...ows generation.
<parameters>   Parameters of generator of class named <classname>.
<shellcmd>     Shell command turned into template.

Options:
-cerr          Print error messages as clean strings without any error prefix or newlines.
-e             Print exception trace upon error.
-gen           Invoke generator of class <classname>.
-h             Print usage information.
-list          List subclasses of class <classname> with descriptions.
-pkgs <names>  Packages searched. Given as a colon-separated list of full class names, one class/interface contained in each package to be searched.
-rndinit       Initialize the random source used by this command.
-seed <file>   File containing truly random bits (master seed).
-tem           Make a template for the given parameters, i.e., a shell command (only for debugging).
-version       Print package version.

J Usage Information for vmnv

Usage:
vmnv -h
vmnv -c
vmnv -th
vmnv -mix [-a <value>] [-auxsid <value>] [-e] [-noccpos] [-nodec] [-nopos] [-noposc] [-t <names>] [-v] [-wd <dir>] [-width <value>] <protInfo> <nizkp>
vmnv -shuffle [-a <value>] [-auxsid <value>] [-e] [-noccpos] [-noposc] [-t <names>] [-v] [-wd <dir>] [-width <value>] <protInfo> <nizkp>
vmnv -decrypt [-a <value>] [-auxsid <value>] [-e] [-t <names>] [-v] [-wd <dir>] [-width <val...
40. ...proach of VMN is to simply let each mix server wait indefinitely for each message. If all mix servers end up waiting for the same mix server, then the operators may decide to interrupt and delete the session and then deactivate the mix server. If a mix server is deactivated, then from the other mix servers' point of view it is as if it always publishes a fixed message whenever it is expected to publish a message. Thus, deactivated mix servers emulate a particular type of corrupted mix server and are handled as such in the subprotocols. The following two commands can be used to display and define the set of active parties:

vmn -lact privInfo.xml protInfo.xml
vmn -sact privInfo.xml protInfo.xml {1,3}

The latter command sets the set of active servers to the first and third mix servers. Both commands can be executed without explicitly giving the info files if previous commands were used in the same way.

3.2 Other Ways to Use the Mix-Net

The mix-net can be used to do more than simply mixing. Pre-computation can be used to speed up the shuffling phase of the mix-net, ciphertexts can be shuffled without decrypting, and ciphertexts can be decrypted without shuffling. A public key can be imported to the mix-net and used to shuffle ciphertexts without decrypting them. In combination with the session handling described in Section 3.3, and the ability to override the key width as described in Section 2.3 and the wi...
41. ...ptions.
(parameters, continued)
Input files and output files, in that order. Each file contains a public key, a list of ciphertexts, or a list of plaintexts, depending on which usage form is executed.
Marshalled public key used to determine the group to which ciphertexts or plaintexts belong.

Options:
-cat              Concatenate input arrays. This requires that all input arrays are defined relative to the same group and width. One of the options -ciphs or -plain is required.
-cerr             Print error messages as clean strings without any error prefix or newlines.
-ciphs            Re-arrange ciphertexts.
-deep             Re-arrange input arrays according to the given format at the deep level. One of the options -ciphs or -plain is required, and the width (number of elements or ciphertexts processed in parallel) must be the same for all inputs.
-e                Print stack trace for exceptions.
-format <string>  Describes which components of the objects stored on the input files should be chosen and how they are combined to form the elements written to the output files. The number of input files is derived from the -widths option. The combination of the input files is viewed as a single two-dimensional array, i.e., the content of the i-th input file is viewed as the i-th source (row). The j-th component (column) in the i-th source is denoted by (i, j). The sources may h...
-inter <string>
-noin <value>
-pkeys
-plain
-shallow
-sub
-version
-wd <string>
42. ...resented by 01 00000002 0005.

Array of field elements. An array (a_1, ..., a_l) of field elements is represented by a byte tree node(a_1', ..., a_l'), where a_i' is the byte tree representation of a_i.

Example 10. The array (1, 2, 3) of elements in Z_263 is represented by

00 00000003 01 00000002 0001 01 00000002 0002 01 00000002 0003

B.3 Product Rings

Product ring element. An element a = (a_1, ..., a_k) in a product ring is represented by a byte tree node(a_1', ..., a_k'), where a_i' is the byte tree representation of the component a_i. Note that this representation keeps information about the order in which a product group is formed intact (see the second example below).

Example 11. The element (258, 5) in Z_263 x Z_263 is represented by

00 00000002 01 00000002 0102 01 00000002 0005

Example 12. The element ((258, 6), 5) in (Z_263 x Z_263) x Z_263 is represented by

00 00000002 00 00000002 01 00000002 0102 01 00000002 0006 01 00000002 0005

Array of product ring elements. An array (a_1, ..., a_l) of elements in a product ring, where a_i = (a_{i,1}, ..., a_{i,k}), is represented by node(b_1', ..., b_k'), where b_j is the array (a_{1,j}, ..., a_{l,j}) and b_j' is its representation as a byte tree. Thus, the structure of the representation of an array of ring elements mirrors the representation of a single ring element. This seemingly contrived representation turns out to be convenient in implementations.

Example 13. The array ((1, 4), (2, 5), (3, 6)) of elements in Z_26...
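An encoder and a strict decoder for the byte tree layout of Appendix A above, together with the field-element and product-ring encodings of this section, reproducing Examples 2, 10, 11 and 12. This is an added example, not VMN code; the only assumption beyond the page is that a field element of Z_p is written with the minimal number of bytes that fits p (2 bytes for Z_263, matching the examples).

```python
"""Byte tree encoding (Appendix A) and ring-element encodings (Appendix B). Added example, not VMN code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence, Union

LEAF_TAG = 0x01  # first byte of a leaf
NODE_TAG = 0x00  # first byte of a node


@dataclass(frozen=True)
class Leaf:
    data: bytes


@dataclass(frozen=True)
class Node:
    children: tuple  # tuple of Leaf/Node


ByteTree = Union[Leaf, Node]


def encode(tree: ByteTree) -> bytes:
    """leaf(d) -> 01 | bytes_4(len d) | d;  node(b_1..b_l) -> 00 | bytes_4(l) | bytes(b_1) | ... | bytes(b_l)."""
    if isinstance(tree, Leaf):
        return bytes([LEAF_TAG]) + len(tree.data).to_bytes(4, "big") + tree.data
    head = bytes([NODE_TAG]) + len(tree.children).to_bytes(4, "big")
    return head + b"".join(encode(child) for child in tree.children)


def decode(buf: bytes) -> ByteTree:
    """Parse exactly one byte tree; truncation, unknown tags and trailing bytes are rejected."""
    tree, end = _decode_at(buf, 0)
    if end != len(buf):
        raise ValueError(f"{len(buf) - end} trailing byte(s) after byte tree")
    return tree


def _decode_at(buf: bytes, pos: int) -> tuple[ByteTree, int]:
    if pos + 5 > len(buf):
        raise ValueError("truncated byte tree header")
    tag, count = buf[pos], int.from_bytes(buf[pos + 1:pos + 5], "big")
    pos += 5
    if tag == LEAF_TAG:
        if pos + count > len(buf):
            raise ValueError("truncated leaf data")
        return Leaf(bytes(buf[pos:pos + count])), pos + count
    if tag == NODE_TAG:
        children = []
        for _ in range(count):  # a huge claimed count fails fast: each child needs >= 5 bytes
            child, pos = _decode_at(buf, pos)
            children.append(child)
        return Node(tuple(children)), pos
    raise ValueError(f"unknown byte tree tag {tag:#04x}")


def is_malformed(buf: bytes) -> bool:
    """True if buf is not a well-formed byte tree (what a verifier should check before use)."""
    try:
        decode(buf)
        return False
    except ValueError:
        return True


def field_element(value: int, p: int) -> Leaf:
    """Element of Z_p as a leaf holding a fixed-width big-endian integer (width = minimal bytes for p)."""
    if not 0 <= value < p:
        raise ValueError("value outside Z_p")
    return Leaf(value.to_bytes((p.bit_length() + 7) // 8, "big"))


def field_array(values: Sequence[int], p: int) -> Node:
    """Array of field elements: node of the element leaves (Example 10)."""
    return Node(tuple(field_element(v, p) for v in values))


def product_element(components: Sequence, p: int) -> Node:
    """Product ring element: node of its components; nested tuples give nested nodes (Examples 11, 12)."""
    return Node(tuple(product_element(c, p) if isinstance(c, (tuple, list))
                      else field_element(c, p) for c in components))


def product_array(elements: Sequence[Sequence[int]], p: int) -> Node:
    """Array of product ring elements: one field array per component position, i.e. column-wise."""
    return Node(tuple(field_array(column, p) for column in zip(*elements)))


if __name__ == "__main__":
    example2 = Node((Node((Leaf(b"\xaf"), Leaf(b"\x03\xe1"))), Leaf(b"\x2d\x52")))
    print("Example 2 :", encode(example2).hex())
    print("Example 10:", encode(field_array([1, 2, 3], 263)).hex())
    print("Example 12:", encode(product_element(((258, 6), 5), 263)).hex())
    print("Example 13:", encode(product_array([(1, 4), (2, 5), (3, 6)], 263)).hex())
```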
43. ...rotocol info file.
-name <value>       Name of this protocol execution. This is a short descriptive name that is NOT necessarily unique.
-nizkp <value>      Destination directory for non-interactive proof. Paths are relative to the working directory or absolute.
-nopart <value>     Number of parties taking part in the protocol execution.
-party              Generate private and protocol info files based on the given protocol info stub file.
-pgroup <value>     Group over which the protocol is executed. An instance of a subclass of com.verificatum.arithm.PGroup.
-pkey <value>       Public signature key (instance of subclasses of com.verificatum.crypto.SignaturePKey).
-prg <value>        Pseudo-random generator used to derive random vectors for batching from jointly generated seeds. This can be SHA-256, SHA-384, or SHA-512, in which case com.verificatum.crypto.PRGHeuristic is instantiated based on this hash function, or it can be an instance of com.verificatum.crypto.PRG.
-prot               Generate protocol info stub file containing only joint parameters.
-rand <value>       Source of randomness (instance of com.verificatum.crypto.RandomSource).
-rohash <value>     Hash function used to implement random oracles. It can be one of the strings SHA-256, SHA-384, or SHA-512, in which case com.verificatum.crypto...
-schema <type>
-seed <value>
-sid <value>
-skey <value>
-srtbyrole <value>
-statdist <value>
44. ...rypt ciphertexts. Strictly speaking this is not a mix-net functionality, but it is a natural functionality if we view the mix-net as a black box used to implement electronic voting systems. Use the following command to run the mix-net in this way:

vmn -decrypt privInfo.xml protInfo.xml ciphertexts plaintexts

Importing a public key. If protocols for key generation and decryption have already been implemented and the user prefers to use these, then the mix-net can still be used to shuffle ciphertexts without decrypting them. To use the mix-net in this way, the user simply sets the public key of the mix-net using the command below instead of first running the key generation protocol. After this, the mix-net can of course only be used to shuffle ciphertexts as described above, but not to mix or decrypt ciphertexts.

vmn -setpk privInfo.xml protInfo.xml publicKey

3.3 Multiple Sessions

In some applications it is useful to be able to run the key generation phase only once and then re-use the same public key for multiple executions of the mix-net. Each session is identified by an auxiliary session identifier, which must consist only of letters A-Z, a-z, and digits 0-9. Use the -auxsid option to specify a given auxiliary session identifier. For example, to simply mix a list of ciphertexts in a session with auxiliary session identifier abc123, you can use the following:

vmn -mix -auxsid abc123 privInfo.xml protInfo.xml...
45. ...s to verify the overall correctness of an execution in an application, it must be ensured that the representations are consistent. There is obviously no general way to do this, since the formats used are inherently application dependent. However, one possibility is to use vmnc, as explained in Section 7, to convert the objects and then simply use diff to compare the output with the expected result in the proof directory.

6.3 Independent Stand-alone Mix-Net Verifiers

Universal verifiability is of course more interesting if independent parties implement stand-alone verifiers. These verifiers should preferably share no code with VMN itself. We suggest that the reader takes a moment to consider the depth of this requirement. In a companion document [2] targeting programmers of such verifiers, the formats of the files in a proof directory and the algorithms that must be implemented are described in detail. Independent verifiers must of course implement a conversion tool for completing the verification independently, as explained in Section 6.2.

7 Converting Public Keys, Ciphertexts, and Plaintexts

The public key resulting from the key generation phase, the input ciphertexts, and the output plaintexts (or output ciphertexts) are represented using the internal format of VMN. This format is detailed in Appendix C. In practice, the public key and the input ciphertexts may be represented in different ways in different applications, and the output plainte...
46. ...same width. The -width option can be passed to the vmni command to change the default width for individual sessions. For example, the following changes the key width to 2 and the default width to 3:

vmni -prot -sid "SessionID" -name "Swedish Election" -nopart 3 -thres 2 -keywidth 2 -width 3 stub.xml

Secure source of randomness. The default source of randomness is the /dev/urandom device. This is often a reasonable choice, but on machines with few system events this may not give sufficient entropy. The -rand option can be used to either use a different device, e.g., a hardware random generator mounted as a device, or a pseudo-random generator. In the latter case, the -seed option must also be used to provide the name of a file containing a relatively short truly random seed. Use the vog tool described in Section 4 to generate a hexadecimal-encoded instance of a random source that can be used as a value with -rand. Below we give two examples.

vmni -party -name "Mix Server 1" -rand "$(vog -gen RandomDevice /dev/urandom)" privInfo.xml localProtInfo.xml

vmni -party -name "Mix Server 1" -rand "$(vog -gen PRGElGamal -fixed 2048)" -seed /dev/urandom privInfo.xml localProtInfo.xml

Note that multiple sources can be combined into a single source using the combiner class named com.verificatum.crypto.RandomSourceCombiner, such that the security of the combined sources is as strong as the strongest of th...
47. ...ss specified as a valid parameter to vmni, and then to generate an instance of such a class.

Browse Library. Consider an option to vmni that is parametrized by an instance of a subclass of a class AbstractClass. Then the set of subclasses of AbstractClass that can be instantiated using vog can be listed using the following command:

vog -list AbstractClass

For example, the source of randomness used by a protocol can be chosen by passing an instance of a subclass of com.verificatum.crypto.RandomSource to vmni using the -rand option. Use vmni -h to find out which type of object can be passed as a parameter with each option. To list all suitable subclasses, the following command can be used:

vog -list RandomSource

As illustrated by the example, it suffices to give the unqualified class name when this is not ambiguous.

Generate Object. To generate an instance of ConcreteClass, the -gen option is used along with the name of the class, but each class requires its own set of parameters. To determine the correct set of parameters, the following command can be used:

vog -gen ConcreteClass -h

This prints usage information as if "vog -gen ConcreteClass" was a command on its own. An instance is then generated by passing the correct parameters, e.g., to generate an instance of HashfunctionHeuristic that represents SHA-512, the following command can be used:

vog -gen HashfunctionHeuristic SHA-512

For some c...
48. ...tation of groups and group elements is used to represent the public key (with an embedded representation of the underlying group), the input ciphertexts, and the output plaintext group elements. These objects depend on the underlying group $G_q$ of order $q$, the key width $k$, and the ciphertext width $w$. Let $M = G_q$ be the underlying group, let $M_k = M^k$ be the plaintext group, let $C_k = M_k \times M_k$ be the public key group, and let $C_{k,w} = M_k^w \times M_k^w$ be the ciphertext group. The public key file contains node(marshal($M_k$), pk), where pk $\in C_k$ is the public key in the product group. Note that the public key does not depend on the width of the ciphertexts. The array $L_0$ of input ciphertexts in $C_{k,w}$ is represented on file by its byte tree representation, and the array $m$ of output plaintext group elements in $M_{k,w}$ is likewise represented on file by its byte tree representation. We stress that the output group elements are not decoded into strings. The vbt command can be used to display the contents of a byte tree in a structured way.

D Alternative Formats

The vmnc tool can be used to convert public keys and ciphertexts to and from an application-dependent format, as well as decoding plaintext group elements in an application-dependent way. There are a few built-in formats, but it is also easy to implement a custom format and use it with vmnc.

D.1 Native Format

The native format converts the binary objects of the raw format to their hexadecimal representation as ASCII strings and does not require the number of ciphertexts in the input fi...
49. ...texts for which pre-computation is performed. This defaults to the value given in the protocol info file.
-mix            Mix the input ciphertexts using the given session. If pre-computation was used previously, then the pre-computed values are used to speed up the mixing.
-precomp        Perform joint pre-computation for a given session.
-s              Silent mode, i.e., do not print any output on stdout.
-sact           Set the set of active mix servers.
-setpk          Set an externally generated public key to be used during shuffling without decrypting. The key must be given in the raw format for the group specified in the info file and with the proper key width.
-shuffle        Shuffle the input ciphertexts without decrypting. If pre-computation was used previously, then the pre-computed values are used to speed up the shuffling.
-version        Print the package version.
-width <value>  Number of ciphertexts shuffled as a single block. This defaults to the value in the protocol info file.

I Usage Information for vog

Usage:
vog -h
vog -list [-pkgs <names>] <classname>
vog -gen [-cerr] [-e] [-pkgs <names>] <classname> <parameters>
vog -tem <shellcmd>
vog -rndinit [-seed <file>] <classname> <parameters>
vog -version

Description: This command provides a uniform interface to all objects that can be generated and used in initialization files of protocols, or as inputs to other calls to this tool, e.g., cryptographic keys, collision-free hash functio...
50. ...th identical joint parameters. Assuming that the i-th party names its info files as above:

    vmni -merge protInfo1.xml protInfo2.xml protInfo3.xml protInfo.xml

All optional values have reasonable defaults, i.e., you can actually use the above commands, provided that /dev/urandom contains good randomness. Please generate dummy files to investigate exactly what these defaults are. It is unwise to touch the defaults unless you know exactly what you are doing.

The stub filename can be dropped when the -prot option is used, in which case it defaults to stub.xml. Similarly, the filenames can be dropped when using the -party option, in which case they default to stub.xml, privInfo.xml, and localProtInfo.xml. The name of the output joint protocol info file can also be dropped when using the -merge option, in which case it defaults to protInfo.xml.

Parameters:
    <file>         Info file.
    <privInfo>     Private info output file.
    <protInfoIn>   Protocol info file containing joint parameters and possibly some party info entries.
    <protInfoOut>  Protocol info output file.

Options:
    -arrays <value>     Determines if arrays of group/field elements and integers are stored in (possibly virtual) RAM or on file. The latter is only slightly slower and can accommodate larger arrays. Legal values are ram or file.
    -bullboard <value>  Name of bulletin board implementation used, i.e., a subclass of com.verifi...
51. ...that the given width matches that in the proof. This is required when the width in the proof is different from the width in the protocol info file.

K Usage Information for vmnc

Usage:
    vmnc -h
    vmnc -pkey -cerr -ini <name> -outi <name> -wd <value> <protInfo> <in> <out>
    vmnc -ciphs -cerr -ini <name> -outi <name> -wd <value> -width <value> <protInfo> <in> <out>
    vmnc -plain -cerr -outi <name> -wd <value> -width <value> <protInfo> <in> <out>
    vmnc -version

Description: Converts public keys, ciphertexts, and plaintexts from one representation to another. The input and output representations are determined by the -ini and -outi options. Possible values of the input and output interfaces are raw, native, json, and krd, or the name of a subclass of com.verificatum.protocol.ProtocolElGamalInterface.

Parameters:
    <in>        Source file containing the object to convert.
    <out>       Destination of the converted object.
    <protInfo>  Protocol info file.

Options:
    -cerr        Print error messages as clean strings without any error prefix or newlines.
    -ciphs       Convert ciphertexts.
    -e           Print stack trace for exceptions.
    -h           Print usage information.
    -ini <name>  Mix-net interface used to represent the input. This defaults to the ra...
52. ...this document.

If you want to try out your own format in the demo, you can instead implement your own subclass of com.verificatum.protocol.ProtocolElGamalInterfaceDemo. This merely adds functionality for generating demo ciphertexts using your format.

A Byte Trees

We use a byte-oriented format to represent objects on file and to turn them into arrays of bytes. The goal of this format is to be as simple as possible.

A.1 Definition

A byte tree is either a leaf containing an array of bytes, or a node containing other byte trees. We write leaf(d) for a leaf with a byte array d, and we write node(b_1, ..., b_l) for a node with children b_1, ..., b_l. Complex byte trees are then easy to describe.

Example 1. The byte tree containing the data AF, 03E1, and 2D52 (written in hexadecimal) in three leaves, where the first two leaves are siblings but the third is not, is

    node(node(leaf(AF), leaf(03E1)), leaf(2D52))

A.2 Representation as an Array of Bytes

We use bytes_k(n) as a short-hand to denote the 8k-bit two's complement representation of n in b...
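The byte trees defined above and the raw-to-native (hex) conversion of Appendix D.1, as an added example in Python that is not code from the Verificatum manual. The leaf, node, bytes_k notation and Example 1 are the manual's; the tag-and-length wire layout (a leaf as bytes_1(1) | bytes_4(length) | data, a node as bytes_1(0) | bytes_4(number of children) | children) is an assumption, since the page breaks off before stating it.

```python
# Added example, not code from the Verificatum manual: build, serialize and parse
# byte trees, and convert the raw encoding to the "native" hex format. ASSUMPTION
# (this page breaks off before stating the layout): leaf = bytes_1(1) | bytes_4(len)
# | data, and node = bytes_1(0) | bytes_4(number of children) | children.
LEAF_TAG, NODE_TAG = 1, 0

def bytes_k(n, k):  # bytes_k(n): 8k-bit two's complement big-endian form of n
    return n.to_bytes(k, "big", signed=True)

def leaf(d):
    return ("leaf", d)

def node(*children):
    return ("node", list(children))

def encode(tree):
    """Raw (binary) representation of a byte tree."""
    kind, payload = tree
    if kind == "leaf":
        return bytes_k(LEAF_TAG, 1) + bytes_k(len(payload), 4) + payload
    header = bytes_k(NODE_TAG, 1) + bytes_k(len(payload), 4)
    return header + b"".join(encode(child) for child in payload)

def _decode_at(buf, pos):
    # Parse one byte tree at offset pos and return (tree, next offset).
    if pos + 5 > len(buf):
        raise ValueError("truncated byte tree header")
    tag = buf[pos]
    count = int.from_bytes(buf[pos + 1:pos + 5], "big", signed=True)
    if count < 0:
        raise ValueError("negative length in byte tree")
    pos += 5
    if tag == LEAF_TAG:
        if pos + count > len(buf):
            raise ValueError("truncated leaf data")
        return leaf(buf[pos:pos + count]), pos + count
    if tag == NODE_TAG:
        children = []
        for _ in range(count):  # each child is itself a byte tree
            child, pos = _decode_at(buf, pos)
            children.append(child)
        return node(*children), pos
    raise ValueError(f"unknown byte tree tag {tag}")

def decode(buf):
    # Parse a complete raw byte tree, rejecting trailing or missing bytes.
    tree, used = _decode_at(buf, 0)
    if used != len(buf):
        raise ValueError("trailing bytes after byte tree")
    return tree

def to_native(tree):  # native format (Appendix D.1): hex ASCII of the raw bytes
    return encode(tree).hex().upper()

# Example 1 of the manual: node(node(leaf(AF), leaf(03E1)), leaf(2D52)).
EXAMPLE_1 = node(node(leaf(b"\xaf"), leaf(b"\x03\xe1")), leaf(b"\x2d\x52"))
```

The decoder rejects truncated input and trailing bytes, which is the check a verifier wants before trusting a public key or ciphertext file read from disk.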
53. ...tly state the expected type of proof:

    vmnv -sloppy protInfo.xml default

Non-default Parameters. For a given mixing/shuffling/decryption session, both the auxiliary session identifier that specifies the session and the width of ciphertexts can be changed. To verify a proof of such a session, these values must be given explicitly to the verifier.

SPECIFYING THE AUXILIARY SESSION IDENTIFIER. The auxiliary session identifier is "default" by default; in the above calls it is not derived from the file name. To use a given session identifier abc123, use the following command instead (and similarly for verifying only shuffling or only decryption):

    vmnv -mix -auxsid abc123 protInfo.xml abc123

CHANGING THE WIDTH OF CIPHERTEXTS. If the default width of ciphertexts specified in the protocol info file was overridden when executing the mix-net, then the width must be passed to the verifier as well. For example, use the following to verify the default session with a non-default width equal to 3:

    vmnv -mix -width 3 protInfo.xml default

6.2 Completing a Verification Using the Verificatum Verifier

The formats of the public key file handed to senders, the file containing the input ciphertexts, and the output file containing decoded plaintexts (or the output file containing ciphertexts) may be different from VMN's internal format used to represent the corresponding objects as files in the proof directory. Thu...
54. ...ue> <protInfo> <nizkp>
    vmnv -sloppy -a <value> -e -t <names> -v -wd <dir> <protInfo> <nizkp>
    vmnv -mc <command> <flags>
    vmnv -version

Description: Verifies the results and the overall correctness of an execution using the intermediate zero-knowledge proofs of correctness (using the Fiat-Shamir heuristic) in the given proof directory.

Parameters:
    <command>   Command name of the independent verifier. The name may not contain any ... characters.
    <flags>     A comma-separated list of option flags to be removed from the compatibility usage information. The following flags are available: nopr, mix, shuffl, decrypt, nopos, nodec, noposc, noccpos.
    <nizkp>     Directory containing the non-interactive zero-knowledge proof of correctness using the Fiat-Shamir heuristic.
    <protInfo>  Protocol info file.

Options:
    -a <value>       Determines if file-based arrays are used or not. Legal values are file or ram, and the default is file.
    -auxsid <value>  Verify that the given auxiliary session identifier matches that in the proof. This is required when the auxiliary session identifier in the proof is not "default".
    Fe               Print compatibility usage information.
    -decrypt         Check proof of decryption.
    -e               Show stack trace of an exception.
    -h               Print usage information.
    -mc              Print m...
55. ...uration files are write-protected to avoid accidental modifications. In practice, the operators could organize a physical meeting to which they bring their laptops and execute the above steps in a way that is secure against side-channel attacks, so as not to leak their secret keys. Alternatively, a simple protocol could be implemented using any PKI to perform the above tasks.

Computing digests of info files. For convenience, hexadecimal-encoded hash digests of files can be computed using vmni, to allow all parties to check that they hold identical protocol info files at the end. In our example, a SHA-256 hexadecimal-encoded digest of the joint protocol info file can be computed as follows:

    vmni -digest protInfo.xml

2.2 Execution in a Directory

In a typical application, each operator creates a directory and executes the above commands in this directory. For convenience, the vmni command allows the operator to drop many info file name parameters when executing the commands in this way, in which case the file names default to the file names used above. A similar convention is later used for the vmn command described in Section 3. More precisely, the commands below are equivalent to the above.

1. Agree on common parameters. The following creates a stub info file stub.xml:

    vmni -prot -sid SessionID -name "Swedish Election" -nopart 3 -thres 2

2. Generate individual info files. The following assumes that there is a stub f...
56. ...using out-of-bound channel ... protInfo03.xml ...
    # Merge protocol files and generate public key
    ... protInfo.xml ... publicKey
    # Wait for demo ciphertexts generated by Operator 1
    # Mix the ciphertexts
    vmn -mix ciphertexts plaintexts

    ##### Verify Zero-Knowledge Proof #####
    # Verify internal consistency of Fiat-Shamir proof and correspondence with
    # public key, input ciphertexts, and output plaintexts
    vmnv -mix protInfo.xml dir/nizkp/default

G Usage Information for vmni

Usage:
    vmni -h -bullboard <value>
    vmni -prot -sid <value> -name <value> -nopart <value> -thres <value> -bullboard <value> -cerr -corr <value> -descr <value> -e -ebitlen <value> -ebitlenro <value> -keywidth <value> -maxciph <value> -pgroup <value> -prg <value> -rohash <value> -statdist <value> -vbitlen <value> -vbitlenro <value> -width <value> <protInfoOut>
    vmni -party -name <value> -arrays <value> -cerr -cert <value> -descr <value> -dir <value> -e -hint <value> -hintl <value> -http <value> -httpdir <value> -httpl <value> -httptype <value> -keygen <value> -nizkp <value> -pkey <value> -rand <value> -seed <value> -skey <...
57. ...vog aware of such custom classes: (1) a colon-separated list of classes can be provided as a parameter with the -pkgs option, or (2) the environment variable VERIFICATUM_VOG can be initialized to such a list. Each class identifies a package to be considered by vog, so it suffices to provide a single class from each package to be considered.

5 Demonstrator

The demo directory of the VMN package contains a number of demo scripts. The following simple command runs the demo with the default options:

    demo

The demo can be configured to illustrate many options of the mix-net. It is also easy to configure it to remotely orchestrate an execution on other servers. For more information, we refer the reader to the README file and the configuration file conf found in the demo directory.

Concrete Example. Appendix F also contains a simple worked example of the commands executed by the operators, including how to generate demo ciphertexts using the vmnd command.

6 Universally Verifiable Proof of Correctness

By default, vmni generates a protocol info stub file such that all zero-knowledge proofs computed during the execution of vmn are made non-interactive using the Fiat-Shamir heuristic. When vmn is executed in this mode, it stores all the relevant intermediate results along with the non-interactive zero-knowledge proofs in a subdirectory of the nizkp subdirectory of the working directory of vmn. The subdirectory is named using the auxiliary...
58. ...w interface.
    -outi <name>    Mix-net interface used to represent the output. This defaults to the raw interface.
    -pkey           Convert public key.
    -plain          Decode plaintexts.
    -version        Print the package version.
    -wd <value>     Working directory used for file-based arrays. This defaults to a uniquely named subdirectory of /tmp/com.verificatum.
    -width <value>  Number of ciphertexts considered as a single block. This option overrides the corresponding value in the protocol info file.

L Usage Information for vre

Usage:
    vre -h
    vre -pkeys -noin <value> -format <string> -cerr -wd <string> <pkey>
    vre -sub -inter <string> -v -e -cerr -ciphs -plain -wd <string> <pkey>
    vre -deep -cerr -ciphs -e -plain -wd <string> -width <value> <pkey> <file>
    vre -shallow -widths <string> -format <string> -noin <value> -width <value> -format <string> <pkey> <file>
    vre -version

Description: WARNING: THIS IS CURRENTLY AN EXPERIMENTAL COMMAND. IT HAS NOT YET BEEN TESTED THO...
59. ...where the seed is read directly from /dev/urandom:

    vog -seed /dev/urandom -rndinit PRGHeuristic "$(vog -gen HashfunctionHeuristic SHA-256)"

A representation of the random source is stored in the file verificatum_random_source in the home directory of the user. If the environment variable VERIFICATUM_RANDOM_SOURCE is defined, then it is taken to be the name of a file to be used instead. If the random source is a pseudo-random generator, i.e., a subclass of com.verificatum.crypto.PRG, then the hexadecimal encoding of its seed is stored in the file verificatum_random_seed, or, if the environment variable VERIFICATUM_RANDOM_SEED is defined, it is interpreted as a file name to be used instead. Note that the seed is automatically replaced with part of the output of the pseudo-random generator in each invocation, to avoid accidental reuse of the seed.

4.3 Custom Objects

To allow vog to instantiate a custom subclass CustomClass, e.g., of PGroup, a separate subclass CustomClassGen of com.verificatum.ui.gen.Generator must also be implemented. Please note the naming convention, where Gen is added as a suffix to the class name. The generator class provides the command-line interface to CustomClass, i.e., it prints usage information, interprets command-line parameters, and returns an instance of CustomClass. See the source for HashfunctionHeuristicGen for a simple example. There are two ways to make...
60. ...xts, our outputs are typically decoded into strings somehow. VMN comes with the tool vmnc that can be used to perform the needed conversion or decoding to/from these formats. A custom format can be used by implementing a subclass of com.verificatum.protocol.ProtocolElGamalInterface, but there are also a few pre-defined formats, described in Appendix D.

The mix-net outputs a public key (or accepts an externally generated public key as input), it accepts ciphertexts as input and may also output ciphertexts, but it only outputs plaintexts. Thus, it is possible to specify the input and output formats when converting public keys and ciphertexts, but only the output format when decoding plaintexts. The default value of each interface is raw, which is the internal format of VMN. For example, use the following commands to (1) convert a public key output by the mix-net to native format, (2) convert input ciphertexts in native format to ciphertexts in raw format for the mix-net, and (3) decode plaintext group elements from the mix-net in raw format to plaintexts in native format:

    vmnc -pkey -outi native protInfo.xml publicKey publicKeyNative
    vmnc -ciphs -ini native protInfo.xml ciphertextsNative ciphertexts
    vmnc -plain -outi native protInfo.xml plaintexts plaintextsNative

8 Acknowledgments

The suggestions of Torbjörn Granlund, Shahram Khazaei, and Gunnar Kreitz have improved...