Bug 1491289 - re-vendor libprio to pick up fixes for using system NSS r=glandium

Differential Revision: https://phabricator.services.mozilla.com/D6082

extra : moz-landing-system : lando
This commit is contained in:
Robert Helmer 2018-09-18 04:36:49 +00:00
parent 8d7a1df18a
commit 88ee2451ac
50 changed files with 9546 additions and 13050 deletions

@ -1,6 +1,6 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@ -21,7 +21,7 @@
#include "util.h"
// Let the points of data_in be [x1, x2, x3, ... ].
// We construct the polynomial f such that
// We construct the polynomial f such that
// (a) f(0) = random,
// (b) f(i) = x_i for all i >= 1,
// (c) degree(f)+1 is a power of two.
@ -30,10 +30,10 @@
// and we return f(0) as `const_term`.
static SECStatus
data_polynomial_evals(const_PrioConfig cfg, const_MPArray data_in,
MPArray evals_out, mp_int *const_term)
MPArray evals_out, mp_int* const_term)
SECStatus rv = SECSuccess;
const mp_int *mod = &cfg->modulus;
const mp_int* mod = &cfg->modulus;
MPArray points_f = NULL;
MPArray poly_f = NULL;
@ -43,88 +43,87 @@ data_polynomial_evals(const_PrioConfig cfg, const_MPArray data_in,
// Little n is the number of points on the polynomials.
// The constant term is randomized, so it's (mul_gates + 1).
const int n = mul_gates + 1;
// Big N is n rounded up to a power of two.
const int N = next_power_of_two (n);
P_CHECKA (points_f = MPArray_new (N));
P_CHECKA (poly_f = MPArray_new (N));
// Big N is n rounded up to a power of two.
const int N = next_power_of_two(n);
P_CHECKA(points_f = MPArray_new(N));
P_CHECKA(poly_f = MPArray_new(N));
// Set constant term f(0) to random
P_CHECKC (rand_int (&points_f->data[0], mod));
MP_CHECKC (mp_copy (&points_f->data[0], const_term));
P_CHECKC(rand_int(&points_f->data[0], mod));
MP_CHECKC(mp_copy(&points_f->data[0], const_term));
// Set other values of f(x)
for (int i=1; i<n; i++) {
MP_CHECKC (mp_copy (&data_in->data[i-1], &points_f->data[i]));
for (int i = 1; i < n; i++) {
MP_CHECKC(mp_copy(&data_in->data[i - 1], &points_f->data[i]));
// Interpolate through the Nth roots of unity
P_CHECKC (poly_fft(poly_f, points_f, cfg, true));
P_CHECKC(poly_fft(poly_f, points_f, cfg, true));
// Evaluate at all 2N-th roots of unity.
// Evaluate at all 2N-th roots of unity.
// To do so, first resize the eval arrays and fill upper
// values with zeros.
P_CHECKC (MPArray_resize (poly_f, 2*N));
P_CHECKC (MPArray_resize (evals_out, 2*N));
P_CHECKC(MPArray_resize(poly_f, 2 * N));
P_CHECKC(MPArray_resize(evals_out, 2 * N));
// Evaluate at the 2N-th roots of unity
P_CHECKC (poly_fft(evals_out, poly_f, cfg, false));
P_CHECKC(poly_fft(evals_out, poly_f, cfg, false));
MPArray_clear (points_f);
MPArray_clear (poly_f);
return rv;
static SECStatus
share_polynomials (const_PrioConfig cfg, const_MPArray data_in,
PrioPacketClient pA, PrioPacketClient pB, PRG prgB)
share_polynomials(const_PrioConfig cfg, const_MPArray data_in,
PrioPacketClient pA, PrioPacketClient pB, PRG prgB)
SECStatus rv = SECSuccess;
const mp_int *mod = &cfg->modulus;
const mp_int* mod = &cfg->modulus;
const_MPArray points_f = data_in;
mp_int f0, g0;
MPArray points_g = NULL;
MPArray evals_f_2N = NULL;
MPArray evals_g_2N = NULL;
P_CHECKA (points_g = MPArray_dup (points_f));
P_CHECKA (evals_f_2N = MPArray_new (0));
P_CHECKA (evals_g_2N = MPArray_new (0));
MP_CHECKC (mp_init (&f0));
MP_CHECKC (mp_init (&g0));
P_CHECKA(points_g = MPArray_dup(points_f));
P_CHECKA(evals_f_2N = MPArray_new(0));
P_CHECKA(evals_g_2N = MPArray_new(0));
for (int i=0; i<points_f->len; i++) {
for (int i = 0; i < points_f->len; i++) {
// For each input value x_i, we compute x_i * (x_i-1).
// f(i) = x_i
// g(i) = x_i - 1
MP_CHECKC (mp_sub_d (&points_g->data[i], 1, &points_g->data[i]));
MP_CHECKC (mp_mod (&points_g->data[i], mod, &points_g->data[i]));
MP_CHECKC(mp_sub_d(&points_g->data[i], 1, &points_g->data[i]));
MP_CHECKC(mp_mod(&points_g->data[i], mod, &points_g->data[i]));
P_CHECKC (data_polynomial_evals(cfg, points_f, evals_f_2N, &f0));
P_CHECKC (data_polynomial_evals(cfg, points_g, evals_g_2N, &g0));
P_CHECKC(data_polynomial_evals(cfg, points_f, evals_f_2N, &f0));
P_CHECKC(data_polynomial_evals(cfg, points_g, evals_g_2N, &g0));
// The values f(0) and g(0) are set to random values.
// We must send to each server a share of the points
// f(0), g(0), and h(0) = f(0)*g(0)
P_CHECKC (share_int (cfg, &f0, &pA->f0_share, &pB->f0_share));
P_CHECKC (share_int (cfg, &g0, &pA->g0_share, &pB->g0_share));
P_CHECKC(share_int(cfg, &f0, &pA->f0_share, &pB->f0_share));
P_CHECKC(share_int(cfg, &g0, &pA->g0_share, &pB->g0_share));
// Compute h(0) = f(0)*g(0).
MP_CHECKC (mp_mulmod (&f0, &g0, mod, &f0));
MP_CHECKC(mp_mulmod(&f0, &g0, mod, &f0));
// Give one share of h(0) to each server.
P_CHECKC (share_int (cfg, &f0, &pA->h0_share, &pB->h0_share));
P_CHECKC(share_int(cfg, &f0, &pA->h0_share, &pB->h0_share));
//const int lenN = (evals_f_2N->len/2);
//P_CHECKC (MPArray_resize (pA->shares.A.h_points, lenN));
// const int lenN = (evals_f_2N->len/2);
// P_CHECKC (MPArray_resize (pA->shares.A.h_points, lenN));
// We need to send to the servers the evaluations of
// f(r) * g(r)
@ -135,34 +134,35 @@ share_polynomials (const_PrioConfig cfg, const_MPArray data_in,
// send a share of this value to each server.
int j = 0;
for (int i = 1; i < evals_f_2N->len; i += 2) {
MP_CHECKC (mp_mulmod (&evals_f_2N->data[i], &evals_g_2N->data[i], mod, &f0));
P_CHECKC (PRG_share_int (prgB, &pA->shares.A.h_points->data[j], &f0, cfg));
MP_CHECKC(mp_mulmod(&evals_f_2N->data[i], &evals_g_2N->data[i], mod, &f0));
P_CHECKC(PRG_share_int(prgB, &pA->shares.A.h_points->data[j], &f0, cfg));
MPArray_clear (evals_f_2N);
MPArray_clear (evals_g_2N);
MPArray_clear (points_g);
mp_clear (&f0);
mp_clear (&g0);
return rv;
PrioPacketClient_new (const_PrioConfig cfg, PrioServerId for_server)
PrioPacketClient_new(const_PrioConfig cfg, PrioServerId for_server)
SECStatus rv = SECSuccess;
SECStatus rv = SECSuccess;
const int data_len = cfg->num_data_fields;
PrioPacketClient p = NULL;
p = malloc (sizeof (*p));
if (!p) return NULL;
p = malloc(sizeof(*p));
if (!p)
return NULL;
p->for_server = for_server;
p->triple = NULL;
MP_DIGITS (&p->f0_share) = NULL;
MP_DIGITS (&p->g0_share) = NULL;
MP_DIGITS (&p->h0_share) = NULL;
MP_DIGITS(&p->f0_share) = NULL;
MP_DIGITS(&p->g0_share) = NULL;
MP_DIGITS(&p->h0_share) = NULL;
switch (p->for_server) {
@ -170,7 +170,7 @@ PrioPacketClient_new (const_PrioConfig cfg, PrioServerId for_server)
p->shares.A.h_points = NULL;
memset (p->shares.B.seed, 0, PRG_SEED_LENGTH);
memset(p->shares.B.seed, 0, PRG_SEED_LENGTH);
// Should never get here
@ -178,20 +178,20 @@ PrioPacketClient_new (const_PrioConfig cfg, PrioServerId for_server)
goto cleanup;
MP_CHECKC (mp_init (&p->f0_share));
MP_CHECKC (mp_init (&p->g0_share));
MP_CHECKC (mp_init (&p->h0_share));
P_CHECKA (p->triple = BeaverTriple_new ());
P_CHECKA(p->triple = BeaverTriple_new());
if (p->for_server == PRIO_SERVER_A) {
const int num_h_points = PrioConfig_hPoints (cfg);
P_CHECKA (p->shares.A.data_shares = MPArray_new (data_len));
P_CHECKA (p->shares.A.h_points = MPArray_new (num_h_points));
const int num_h_points = PrioConfig_hPoints(cfg);
P_CHECKA(p->shares.A.data_shares = MPArray_new(data_len));
P_CHECKA(p->shares.A.h_points = MPArray_new(num_h_points));
if (rv != SECSuccess) {
PrioPacketClient_clear (p);
return NULL;
@ -199,69 +199,74 @@ cleanup:
PrioPacketClient_set_data (const_PrioConfig cfg, const bool *data_in,
PrioPacketClient pA, PrioPacketClient pB)
PrioPacketClient_set_data(const_PrioConfig cfg, const bool* data_in,
PrioPacketClient pA, PrioPacketClient pB)
MPArray client_data = NULL;
PRG prgB = NULL;
SECStatus rv = SECSuccess;
const int data_len = cfg->num_data_fields;
if (!data_in) return SECFailure;
if (!data_in)
return SECFailure;
P_CHECKC (PrioPRGSeed_randomize (&pB->shares.B.seed));
P_CHECKA (prgB = PRG_new (pB->shares.B.seed));
P_CHECKA(prgB = PRG_new(pB->shares.B.seed));
P_CHECKC (BeaverTriple_set_rand (cfg, pA->triple, pB->triple));
P_CHECKA (client_data = MPArray_new_bool (data_len, data_in));
P_CHECKC (PRG_share_array (prgB, pA->shares.A.data_shares,
client_data, cfg));
P_CHECKC (share_polynomials (cfg, client_data, pA, pB, prgB));
P_CHECKC(BeaverTriple_set_rand(cfg, pA->triple, pB->triple));
P_CHECKA(client_data = MPArray_new_bool(data_len, data_in));
P_CHECKC(PRG_share_array(prgB, pA->shares.A.data_shares, client_data, cfg));
P_CHECKC(share_polynomials(cfg, client_data, pA, pB, prgB));
MPArray_clear (client_data);
PRG_clear (prgB);
return rv;
PrioPacketClient_clear (PrioPacketClient p)
PrioPacketClient_clear(PrioPacketClient p)
if (p == NULL) return;
if (p == NULL)
if (p->for_server == PRIO_SERVER_A) {
MPArray_clear (p->shares.A.h_points);
MPArray_clear (p->shares.A.data_shares);
BeaverTriple_clear (p->triple);
mp_clear (&p->f0_share);
mp_clear (&p->g0_share);
mp_clear (&p->h0_share);
free (p);
PrioPacketClient_areEqual (const_PrioPacketClient p1,
const_PrioPacketClient p2)
PrioPacketClient_areEqual(const_PrioPacketClient p1, const_PrioPacketClient p2)
if (!BeaverTriple_areEqual (p1->triple, p2->triple)) return false;
if (mp_cmp (&p1->f0_share, &p2->f0_share)) return false;
if (mp_cmp (&p1->g0_share, &p2->g0_share)) return false;
if (mp_cmp (&p1->h0_share, &p2->h0_share)) return false;
if (p1->for_server != p2->for_server) return false;
if (!BeaverTriple_areEqual(p1->triple, p2->triple))
return false;
if (mp_cmp(&p1->f0_share, &p2->f0_share))
return false;
if (mp_cmp(&p1->g0_share, &p2->g0_share))
return false;
if (mp_cmp(&p1->h0_share, &p2->h0_share))
return false;
if (p1->for_server != p2->for_server)
return false;
switch (p1->for_server) {
if (!MPArray_areEqual (p1->shares.A.data_shares,
p2->shares.A.data_shares)) return false;
if (!MPArray_areEqual (p1->shares.A.h_points,
p2->shares.A.h_points)) return false;
if (!MPArray_areEqual(p1->shares.A.data_shares, p2->shares.A.data_shares))
return false;
if (!MPArray_areEqual(p1->shares.A.h_points, p2->shares.A.h_points))
return false;
if (memcmp (p1->shares.B.seed, p2->shares.B.seed,
PRG_SEED_LENGTH)) return false;
if (memcmp(p1->shares.B.seed, p2->shares.B.seed, PRG_SEED_LENGTH))
return false;
// Should never get here.
@ -271,83 +276,85 @@ PrioPacketClient_areEqual (const_PrioPacketClient p1,
return true;
PrioClient_encode (const_PrioConfig cfg, const bool *data_in,
unsigned char **for_server_a, unsigned int *aLen,
unsigned char **for_server_b, unsigned int *bLen)
PrioClient_encode(const_PrioConfig cfg, const bool* data_in,
unsigned char** for_server_a, unsigned int* aLen,
unsigned char** for_server_b, unsigned int* bLen)
SECStatus rv = SECSuccess;
PrioPacketClient pA = NULL;
PrioPacketClient pB = NULL;
*for_server_a = NULL;
*for_server_b = NULL;
P_CHECKA (pA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (pB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
P_CHECKA(pA = PrioPacketClient_new(cfg, PRIO_SERVER_A));
P_CHECKA(pB = PrioPacketClient_new(cfg, PRIO_SERVER_B));
msgpack_sbuffer sbufA, sbufB;
msgpack_packer packerA, packerB;
msgpack_sbuffer_init (&sbufA);
msgpack_sbuffer_init (&sbufB);
msgpack_packer_init (&packerA, &sbufA, msgpack_sbuffer_write);
msgpack_packer_init (&packerB, &sbufB, msgpack_sbuffer_write);
msgpack_packer_init(&packerA, &sbufA, msgpack_sbuffer_write);
msgpack_packer_init(&packerB, &sbufB, msgpack_sbuffer_write);
P_CHECKC (PrioPacketClient_set_data (cfg, data_in, pA, pB));
P_CHECKC (serial_write_packet_client (&packerA, pA, cfg));
P_CHECKC (serial_write_packet_client (&packerB, pB, cfg));
P_CHECKC(PrioPacketClient_set_data(cfg, data_in, pA, pB));
P_CHECKC(serial_write_packet_client(&packerA, pA, cfg));
P_CHECKC(serial_write_packet_client(&packerB, pB, cfg));
P_CHECKC (PublicKey_encryptSize (sbufA.size, aLen));
P_CHECKC (PublicKey_encryptSize (sbufB.size, bLen));
P_CHECKC(PublicKey_encryptSize(sbufA.size, aLen));
P_CHECKC(PublicKey_encryptSize(sbufB.size, bLen));
P_CHECKA (*for_server_a = malloc (*aLen));
P_CHECKA (*for_server_b = malloc (*bLen));
P_CHECKA(*for_server_a = malloc(*aLen));
P_CHECKA(*for_server_b = malloc(*bLen));
unsigned int writtenA;
unsigned int writtenB;
P_CHECKC (PublicKey_encrypt (cfg->server_a_pub, *for_server_a, &writtenA, *aLen,
(unsigned char *)sbufA.data, sbufA.size));
P_CHECKC (PublicKey_encrypt (cfg->server_b_pub, *for_server_b, &writtenB, *bLen,
(unsigned char *)sbufB.data, sbufB.size));
P_CHECKC(PublicKey_encrypt(cfg->server_a_pub, *for_server_a, &writtenA, *aLen,
(unsigned char*)sbufA.data, sbufA.size));
P_CHECKC(PublicKey_encrypt(cfg->server_b_pub, *for_server_b, &writtenB, *bLen,
(unsigned char*)sbufB.data, sbufB.size));
P_CHECKCB (writtenA == *aLen);
P_CHECKCB (writtenB == *bLen);
P_CHECKCB(writtenA == *aLen);
P_CHECKCB(writtenB == *bLen);
if (rv != SECSuccess) {
if (*for_server_a) free (*for_server_a);
if (*for_server_b) free (*for_server_b);
if (*for_server_a)
if (*for_server_b)
*for_server_a = NULL;
*for_server_b = NULL;
PrioPacketClient_clear (pA);
PrioPacketClient_clear (pB);
msgpack_sbuffer_destroy (&sbufA);
msgpack_sbuffer_destroy (&sbufB);
return rv;
PrioPacketClient_decrypt (PrioPacketClient p, const_PrioConfig cfg,
PrivateKey server_priv, const unsigned char *data_in, unsigned int data_len)
PrioPacketClient_decrypt(PrioPacketClient p, const_PrioConfig cfg,
PrivateKey server_priv, const unsigned char* data_in,
unsigned int data_len)
SECStatus rv = SECSuccess;
msgpack_unpacker upk;
P_CHECKCB (msgpack_unpacker_init (&upk, data_len));
P_CHECKCB(msgpack_unpacker_init(&upk, data_len));
// Decrypt the ciphertext into dec_buf
unsigned int bytes_decrypted;
P_CHECKC (PrivateKey_decrypt (server_priv,
(unsigned char *)msgpack_unpacker_buffer (&upk), &bytes_decrypted,
data_len, data_in, data_len));
msgpack_unpacker_buffer_consumed (&upk, bytes_decrypted);
(unsigned char*)msgpack_unpacker_buffer(&upk),
&bytes_decrypted, data_len, data_in, data_len));
msgpack_unpacker_buffer_consumed(&upk, bytes_decrypted);
P_CHECKC (serial_read_packet_client (&upk, p, cfg));
P_CHECKC(serial_read_packet_client(&upk, p, cfg));
msgpack_unpacker_destroy (&upk);
return rv;

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __CLIENT_H__
@ -13,23 +13,24 @@
#include "prg.h"
#include "share.h"
* The PrioPacketClient object holds the encoded client data.
* The client sends one packet to server A and one packet to
* server B. The `for_server` parameter determines which server
* the packet is for.
typedef struct prio_packet_client *PrioPacketClient;
typedef const struct prio_packet_client *const_PrioPacketClient;
typedef struct prio_packet_client* PrioPacketClient;
typedef const struct prio_packet_client* const_PrioPacketClient;
struct server_a_data {
struct server_a_data
// These values are only set for server A.
MPArray data_shares;
MPArray h_points;
struct server_b_data {
struct server_b_data
// This value is only used for server B.
// We use a pseudo-random generator to compress the secret-shared data
@ -39,9 +40,10 @@ struct server_b_data {
* The data that a Prio client sends to each server.
* The data that a Prio client sends to each server.
struct prio_packet_client {
struct prio_packet_client
// TODO: Can also use a PRG to avoid need for sending Beaver triple shares.
// Since this optimization only saves ~30 bytes of communication, we haven't
// bothered implementing it yet.
@ -50,25 +52,26 @@ struct prio_packet_client {
mp_int f0_share, g0_share, h0_share;
PrioServerId for_server;
union {
struct server_a_data A;
struct server_b_data B;
} shares;
PrioPacketClient PrioPacketClient_new(const_PrioConfig cfg,
PrioServerId for_server);
void PrioPacketClient_clear(PrioPacketClient p);
SECStatus PrioPacketClient_set_data(const_PrioConfig cfg, const bool* data_in,
PrioPacketClient for_server_a,
PrioPacketClient for_server_b);
PrioPacketClient PrioPacketClient_new (const_PrioConfig cfg, PrioServerId for_server);
void PrioPacketClient_clear (PrioPacketClient p);
SECStatus PrioPacketClient_set_data (const_PrioConfig cfg, const bool *data_in,
PrioPacketClient for_server_a, PrioPacketClient for_server_b);
SECStatus PrioPacketClient_decrypt (PrioPacketClient p,
const_PrioConfig cfg, PrivateKey server_priv,
const unsigned char *data_in, unsigned int data_len);
bool PrioPacketClient_areEqual (const_PrioPacketClient p1,
const_PrioPacketClient p2);
SECStatus PrioPacketClient_decrypt(PrioPacketClient p, const_PrioConfig cfg,
PrivateKey server_priv,
const unsigned char* data_in,
unsigned int data_len);
bool PrioPacketClient_areEqual(const_PrioPacketClient p1,
const_PrioPacketClient p2);
#endif /* __CLIENT_H__ */

View File

@ -1,47 +1,47 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
#include <stdlib.h>
#include "config.h"
#include "params.h"
#include "mparray.h"
#include "params.h"
#include "rand.h"
#include "util.h"
// The PrioConfig object stores "2^k-th roots of unity" modulo
// the prime modulus we use for all arithmetic. We use
// these roots to perform fast FFT-style polynomial
// the prime modulus we use for all arithmetic. We use
// these roots to perform fast FFT-style polynomial
// interpolation and evaluation.
// In particular, we use a prime modulus p such that
// In particular, we use a prime modulus p such that
// p = (2^k)q + 1.
// The roots are integers such that r^{2^k} = 1 mod p.
static SECStatus
initialize_roots (MPArray arr, const char *values[])
initialize_roots(MPArray arr, const char* values[])
// TODO: Read in only the number of roots of unity we need.
// Right now we read in all 4096 roots whether or not we use
// them all.
for (int i=0; i < arr->len; i++) {
MP_CHECK (mp_read_radix (&arr->data[i], values[i], 16));
for (int i = 0; i < arr->len; i++) {
MP_CHECK(mp_read_radix(&arr->data[i], values[i], 16));
return SECSuccess;
PrioConfig_new (int n_fields, PublicKey server_a, PublicKey server_b,
const unsigned char *batch_id, unsigned int batch_id_len)
PrioConfig_new(int n_fields, PublicKey server_a, PublicKey server_b,
const unsigned char* batch_id, unsigned int batch_id_len)
SECStatus rv = SECSuccess;
PrioConfig cfg = malloc (sizeof (*cfg));
PrioConfig cfg = malloc(sizeof(*cfg));
if (!cfg)
return NULL;
@ -61,72 +61,73 @@ PrioConfig_new (int n_fields, PublicKey server_a, PublicKey server_b,
goto cleanup;
P_CHECKA (cfg->batch_id = malloc (batch_id_len));
strncpy ((char *)cfg->batch_id, (char *)batch_id, batch_id_len);
P_CHECKA(cfg->batch_id = malloc(batch_id_len));
strncpy((char*)cfg->batch_id, (char*)batch_id, batch_id_len);
MP_CHECKC (mp_init (&cfg->modulus));
MP_CHECKC (mp_read_radix (&cfg->modulus, Modulus, 16));
MP_CHECKC(mp_read_radix(&cfg->modulus, Modulus, 16));
// Compute 2^{-1} modulo M
MP_CHECKC (mp_init (&cfg->inv2));
mp_set (&cfg->inv2, 2);
MP_CHECKC (mp_invmod (&cfg->inv2, &cfg->modulus, &cfg->inv2));
mp_set(&cfg->inv2, 2);
MP_CHECKC(mp_invmod(&cfg->inv2, &cfg->modulus, &cfg->inv2));
P_CHECKA (cfg->roots = MPArray_new (cfg->n_roots));
P_CHECKA (cfg->rootsInv = MPArray_new (cfg->n_roots));
MP_CHECKC (initialize_roots (cfg->roots, Roots));
MP_CHECKC (initialize_roots (cfg->rootsInv, RootsInv));
P_CHECKA(cfg->roots = MPArray_new(cfg->n_roots));
P_CHECKA(cfg->rootsInv = MPArray_new(cfg->n_roots));
MP_CHECKC(initialize_roots(cfg->roots, Roots));
MP_CHECKC(initialize_roots(cfg->rootsInv, RootsInv));
if (rv != SECSuccess) {
PrioConfig_clear (cfg);
return NULL;
return cfg;
PrioConfig_newTest (int nFields)
PrioConfig_newTest(int nFields)
return PrioConfig_new (nFields, NULL, NULL,
(unsigned char *)"testBatch", 9);
PrioConfig_clear (PrioConfig cfg)
if (!cfg) return;
if (cfg->batch_id) free (cfg->batch_id);
MPArray_clear (cfg->roots);
MPArray_clear (cfg->rootsInv);
mp_clear (&cfg->modulus);
mp_clear (&cfg->inv2);
free (cfg);
PrioConfig_numDataFields (const_PrioConfig cfg)
return cfg->num_data_fields;
Prio_init (void)
return rand_init ();
return PrioConfig_new(nFields, NULL, NULL, (unsigned char*)"testBatch", 9);
Prio_clear (void)
PrioConfig_clear(PrioConfig cfg)
rand_clear ();
if (!cfg)
if (cfg->batch_id)
int PrioConfig_hPoints (const_PrioConfig cfg)
PrioConfig_numDataFields(const_PrioConfig cfg)
return cfg->num_data_fields;
return rand_init();
PrioConfig_hPoints(const_PrioConfig cfg)
const int mul_gates = cfg->num_data_fields + 1;
const int N = next_power_of_two (mul_gates);
const int N = next_power_of_two(mul_gates);
return N;

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __CONFIG_H__
@ -13,12 +13,12 @@
#include "mparray.h"
struct prio_config {
struct prio_config
int num_data_fields;
unsigned char *batch_id;
unsigned char* batch_id;
unsigned int batch_id_len;
PublicKey server_a_pub;
PublicKey server_b_pub;
@ -30,7 +30,6 @@ struct prio_config {
MPArray rootsInv;
int PrioConfig_hPoints (const_PrioConfig cfg);
int PrioConfig_hPoints(const_PrioConfig cfg);
#endif /* __CONFIG_H__ */

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __DEBUG_H__
@ -12,10 +12,12 @@
#include <stdio.h>
#ifdef DEBUG
#define PRIO_DEBUG(msg) do { fprintf(stderr, "Error: %s\n", msg); } while(false);
#define PRIO_DEBUG(msg) \
do { \
fprintf(stderr, "Error: %s\n", msg); \
} while (false);
#define PRIO_DEBUG(msg) ;
#endif /* __DEBUG_H__ */

View File

@ -1,14 +1,14 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <nss/keyhi.h>
#include <nss/keythi.h>
#include <nss/pk11pub.h>
#include <keyhi.h>
#include <keythi.h>
#include <pk11pub.h>
#include <prerror.h>
#include "encrypt.h"
@ -24,222 +24,251 @@
#define GCM_TAG_LEN_BYTES 16
#define PRIO_TAG "PrioPacket"
#define AAD_LEN (strlen (PRIO_TAG) + CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES)
#define AAD_LEN (strlen(PRIO_TAG) + CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES)
// The all-zeros curve25519 public key, as DER-encoded SKPI blob.
static const uint8_t curve25519_spki_zeros[] = {
0x30, 0x39, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b,
0x06, 0x01, 0x04, 0x01, 0xda, 0x47, 0x0f, 0x01, 0x03, 0x21,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x30, 0x39, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
0x01, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda, 0x47, 0x0f, 0x01,
0x03, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
static inline uint8_t
hex_to_int (char h)
// Note that we do not use isxdigit because it is locale-dependent
// See: https://github.com/mozilla/libprio/issues/20
static inline char
is_hex_digit(char c)
return (h > '9') ? toupper (h) - 'A' + 10 : (h - '0');
return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') ||
('A' <= c && c <= 'F');
static inline unsigned char
int_to_hex (uint8_t i)
// Note that we do not use toupper because it is locale-dependent
// See: https://github.com/mozilla/libprio/issues/20
static inline char
to_upper(char c)
if (c >= 'a' && c <= 'z') {
return c - 0x20;
} else {
return c;
static inline uint8_t
hex_to_int(char h)
return (h > '9') ? to_upper(h) - 'A' + 10 : (h - '0');
static inline unsigned char
int_to_hex(uint8_t i)
return (i > 0x09) ? ((i - 10) + 'A') : i + '0';
static SECStatus
derive_dh_secret (PK11SymKey **shared_secret, PrivateKey priv, PublicKey pub)
static SECStatus
derive_dh_secret(PK11SymKey** shared_secret, PrivateKey priv, PublicKey pub)
if (priv == NULL) return SECFailure;
if (pub == NULL) return SECFailure;
if (shared_secret == NULL) return SECFailure;
if (priv == NULL)
return SECFailure;
if (pub == NULL)
return SECFailure;
if (shared_secret == NULL)
return SECFailure;
SECStatus rv = SECSuccess;
*shared_secret = NULL;
P_CHECKA (*shared_secret = PK11_PubDeriveWithKDF (priv, pub, PR_FALSE,
P_CHECKA(*shared_secret = PK11_PubDeriveWithKDF(
return rv;
PublicKey_import (PublicKey *pk, const unsigned char *data, unsigned int dataLen)
PublicKey_import(PublicKey* pk, const unsigned char* data, unsigned int dataLen)
SECStatus rv = SECSuccess;
CERTSubjectPublicKeyInfo *pkinfo = NULL;
CERTSubjectPublicKeyInfo* pkinfo = NULL;
*pk = NULL;
if (dataLen != CURVE25519_KEY_LEN)
return SECFailure;
unsigned char key_bytes[dataLen];
memcpy (key_bytes, data, dataLen);
memcpy(key_bytes, data, dataLen);
const int spki_len = sizeof (curve25519_spki_zeros);
const int spki_len = sizeof(curve25519_spki_zeros);
uint8_t spki_data[spki_len];
memcpy (spki_data, curve25519_spki_zeros, spki_len);
memcpy(spki_data, curve25519_spki_zeros, spki_len);
SECItem spki_item = { siBuffer, spki_data, spki_len };
// Import the all-zeros curve25519 public key.
P_CHECKA (pkinfo = SECKEY_DecodeDERSubjectPublicKeyInfo (&spki_item));
P_CHECKA (*pk = SECKEY_ExtractPublicKey (pkinfo));
// Import the all-zeros curve25519 public key.
P_CHECKA(pkinfo = SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
P_CHECKA(*pk = SECKEY_ExtractPublicKey(pkinfo));
// Overwrite the all-zeros public key with the 32-byte curve25519 public key
// given as input.
memcpy ((*pk)->u.ec.publicValue.data, data, CURVE25519_KEY_LEN);
memcpy((*pk)->u.ec.publicValue.data, data, CURVE25519_KEY_LEN);
if (pkinfo)
SECKEY_DestroySubjectPublicKeyInfo (pkinfo);
if (pkinfo)
if (rv != SECSuccess)
PublicKey_clear (*pk);
return rv;
PublicKey_import_hex (PublicKey *pk, const unsigned char *hex_data, unsigned int dataLen)
PublicKey_import_hex(PublicKey* pk, const unsigned char* hex_data,
unsigned int dataLen)
unsigned char raw_bytes[CURVE25519_KEY_LEN];
if (dataLen != CURVE25519_KEY_LEN_HEX)
return SECFailure;
for (unsigned int i=0; i<dataLen; i++) {
if (!isxdigit (hex_data[i]))
for (unsigned int i = 0; i < dataLen; i++) {
if (!is_hex_digit(hex_data[i]))
return SECFailure;
const unsigned char *p = hex_data;
for (unsigned int i=0; i<CURVE25519_KEY_LEN; i++) {
uint8_t d0 = hex_to_int (p[0]);
uint8_t d1 = hex_to_int (p[1]);
const unsigned char* p = hex_data;
for (unsigned int i = 0; i < CURVE25519_KEY_LEN; i++) {
uint8_t d0 = hex_to_int(p[0]);
uint8_t d1 = hex_to_int(p[1]);
raw_bytes[i] = (d0 << 4) | d1;
p += 2;
return PublicKey_import (pk, raw_bytes, CURVE25519_KEY_LEN);
return PublicKey_import(pk, raw_bytes, CURVE25519_KEY_LEN);
PublicKey_export (const_PublicKey pk, unsigned char data[CURVE25519_KEY_LEN])
PublicKey_export(const_PublicKey pk, unsigned char data[CURVE25519_KEY_LEN])
if (pk == NULL) return SECFailure;
if (pk == NULL)
return SECFailure;
memcpy (data, pk->u.ec.publicValue.data, CURVE25519_KEY_LEN);
memcpy(data, pk->u.ec.publicValue.data, CURVE25519_KEY_LEN);
return SECSuccess;
PublicKey_export_hex (const_PublicKey pk, unsigned char data[(2*CURVE25519_KEY_LEN)+1])
PublicKey_export_hex(const_PublicKey pk,
unsigned char data[(2 * CURVE25519_KEY_LEN) + 1])
unsigned char raw_data[CURVE25519_KEY_LEN];
if (PublicKey_export (pk, raw_data) != SECSuccess)
if (PublicKey_export(pk, raw_data) != SECSuccess)
return SECFailure;
const unsigned char *p = raw_data;
for (unsigned int i=0; i<CURVE25519_KEY_LEN; i++) {
const unsigned char* p = raw_data;
for (unsigned int i = 0; i < CURVE25519_KEY_LEN; i++) {
unsigned char bytel = p[0] & 0x0f;
unsigned char byteu = (p[0] & 0xf0) >> 4;
data[2*i] = int_to_hex (byteu);
data[2*i + 1] = int_to_hex (bytel);
data[2 * i] = int_to_hex(byteu);
data[2 * i + 1] = int_to_hex(bytel);
data[2*CURVE25519_KEY_LEN] = '\0';
data[2 * CURVE25519_KEY_LEN] = '\0';
return SECSuccess;
Keypair_new (PrivateKey *pvtkey, PublicKey *pubkey)
Keypair_new(PrivateKey* pvtkey, PublicKey* pubkey)
if (pvtkey == NULL) return SECFailure;
if (pubkey == NULL) return SECFailure;
if (pvtkey == NULL)
return SECFailure;
if (pubkey == NULL)
return SECFailure;
SECStatus rv = SECSuccess;
SECOidData *oid_data = NULL;
SECOidData* oid_data = NULL;
*pubkey = NULL;
*pvtkey = NULL;
SECKEYECParams ecp;
ecp.data = NULL;
PK11SlotInfo *slot = NULL;
PK11SlotInfo* slot = NULL;
const int oid_struct_len = 2 + oid_data->oid.len;
P_CHECKA (ecp.data = malloc (oid_struct_len));
P_CHECKA(ecp.data = malloc(oid_struct_len));
ecp.len = oid_struct_len;
ecp.type = siDEROID;
ecp.data[0] = SEC_ASN1_OBJECT_ID;
ecp.data[1] = oid_data->oid.len;
memcpy (&ecp.data[2], oid_data->oid.data, oid_data->oid.len);
memcpy(&ecp.data[2], oid_data->oid.data, oid_data->oid.len);
P_CHECKA (slot = PK11_GetInternalSlot ());
P_CHECKA (*pvtkey = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, &ecp,
(SECKEYPublicKey **)pubkey, PR_FALSE, PR_FALSE, NULL));
PK11_FreeSlot (slot);
P_CHECKA(slot = PK11_GetInternalSlot());
P_CHECKA(*pvtkey = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, &ecp,
(SECKEYPublicKey**)pubkey, PR_FALSE,
if (ecp.data)
free (ecp.data);
if (rv != SECSuccess) {
PublicKey_clear (*pubkey);
PrivateKey_clear (*pvtkey);
return rv;
PublicKey_clear (PublicKey pubkey)
PublicKey_clear(PublicKey pubkey)
if (pubkey)
if (pubkey)
PrivateKey_clear (PrivateKey pvtkey)
PrivateKey_clear(PrivateKey pvtkey)
if (pvtkey)
if (pvtkey)
const SECItem *
PublicKey_toBytes (const_PublicKey pubkey)
const SECItem*
PublicKey_toBytes(const_PublicKey pubkey)
return &pubkey->u.ec.publicValue;
PublicKey_encryptSize (unsigned int inputLen, unsigned int *outputLen)
PublicKey_encryptSize(unsigned int inputLen, unsigned int* outputLen)
if (outputLen == NULL || inputLen >= MAX_ENCRYPT_LEN)
return SECFailure;
// public key, IV, tag, and input
*outputLen = CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES + GCM_TAG_LEN_BYTES + inputLen;
*outputLen =
return SECSuccess;
static void
set_gcm_params (SECItem *paramItem, CK_GCM_PARAMS *param, unsigned char *nonce,
const_PublicKey pubkey, unsigned char *aadBuf)
static void
set_gcm_params(SECItem* paramItem, CK_GCM_PARAMS* param, unsigned char* nonce,
const_PublicKey pubkey, unsigned char* aadBuf)
int offset = 0;
memcpy (aadBuf, PRIO_TAG, strlen (PRIO_TAG));
offset += strlen (PRIO_TAG);
memcpy (aadBuf + offset, PublicKey_toBytes (pubkey)->data, CURVE25519_KEY_LEN);
memcpy(aadBuf, PRIO_TAG, strlen(PRIO_TAG));
offset += strlen(PRIO_TAG);
memcpy(aadBuf + offset, PublicKey_toBytes(pubkey)->data, CURVE25519_KEY_LEN);
offset += CURVE25519_KEY_LEN;
memcpy (aadBuf + offset, nonce, GCM_IV_LEN_BYTES);
memcpy(aadBuf + offset, nonce, GCM_IV_LEN_BYTES);
param->pIv = nonce;
param->ulIvLen = GCM_IV_LEN_BYTES;
param->pAAD = aadBuf;
@ -247,17 +276,14 @@ set_gcm_params (SECItem *paramItem, CK_GCM_PARAMS *param, unsigned char *nonce,
param->ulTagBits = GCM_TAG_LEN_BYTES * 8;
paramItem->type = siBuffer;
paramItem->data = (void *)param;
paramItem->len = sizeof (*param);
paramItem->data = (void*)param;
paramItem->len = sizeof(*param);
PublicKey_encrypt (PublicKey pubkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen)
PublicKey_encrypt(PublicKey pubkey, unsigned char* output,
unsigned int* outputLen, unsigned int maxOutputLen,
const unsigned char* input, unsigned int inputLen)
if (pubkey == NULL)
return SECFailure;
@ -266,55 +292,53 @@ PublicKey_encrypt (PublicKey pubkey,
return SECFailure;
unsigned int needLen;
if (PublicKey_encryptSize (inputLen, &needLen) != SECSuccess)
if (PublicKey_encryptSize(inputLen, &needLen) != SECSuccess)
return SECFailure;
if (maxOutputLen < needLen)
if (maxOutputLen < needLen)
return SECFailure;
SECStatus rv = SECSuccess;
PublicKey eph_pub = NULL;
PrivateKey eph_priv = NULL;
PK11SymKey *aes_key = NULL;
PublicKey eph_pub = NULL;
PrivateKey eph_priv = NULL;
PK11SymKey* aes_key = NULL;
unsigned char nonce[GCM_IV_LEN_BYTES];
unsigned char aadBuf[AAD_LEN];
P_CHECKC (rand_bytes (nonce, GCM_IV_LEN_BYTES));
P_CHECKC(rand_bytes(nonce, GCM_IV_LEN_BYTES));
P_CHECKC (Keypair_new (&eph_priv, &eph_pub));
P_CHECKC (derive_dh_secret (&aes_key, eph_priv, pubkey));
P_CHECKC(Keypair_new(&eph_priv, &eph_pub));
P_CHECKC(derive_dh_secret(&aes_key, eph_priv, pubkey));
SECItem paramItem;
set_gcm_params (&paramItem, &param, nonce, eph_pub, aadBuf);
set_gcm_params(&paramItem, &param, nonce, eph_pub, aadBuf);
const SECItem *pk = PublicKey_toBytes (eph_pub);
P_CHECKCB (pk->len == CURVE25519_KEY_LEN);
memcpy (output, pk->data, pk->len);
memcpy (output + CURVE25519_KEY_LEN, param.pIv, param.ulIvLen);
const SECItem* pk = PublicKey_toBytes(eph_pub);
P_CHECKCB(pk->len == CURVE25519_KEY_LEN);
memcpy(output, pk->data, pk->len);
memcpy(output + CURVE25519_KEY_LEN, param.pIv, param.ulIvLen);
const int offset = CURVE25519_KEY_LEN + param.ulIvLen;
P_CHECKC (PK11_Encrypt (aes_key, CKM_AES_GCM, &paramItem, output + offset,
outputLen, maxOutputLen - offset, input, inputLen));
P_CHECKC(PK11_Encrypt(aes_key, CKM_AES_GCM, &paramItem, output + offset,
outputLen, maxOutputLen - offset, input, inputLen));
*outputLen = *outputLen + CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES;
PublicKey_clear (eph_pub);
PrivateKey_clear (eph_priv);
if (aes_key)
PK11_FreeSymKey (aes_key);
if (aes_key)
return rv;
PrivateKey_decrypt (PrivateKey privkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen)
PrivateKey_decrypt(PrivateKey privkey, unsigned char* output,
unsigned int* outputLen, unsigned int maxOutputLen,
const unsigned char* input, unsigned int inputLen)
PK11SymKey *aes_key = NULL;
PK11SymKey* aes_key = NULL;
PublicKey eph_pub = NULL;
unsigned char aad_buf[AAD_LEN];
@ -323,34 +347,33 @@ PrivateKey_decrypt (PrivateKey privkey,
SECStatus rv = SECSuccess;
unsigned int headerLen;
if (PublicKey_encryptSize (0, &headerLen) != SECSuccess)
if (PublicKey_encryptSize(0, &headerLen) != SECSuccess)
return SECFailure;
if (inputLen < headerLen)
if (inputLen < headerLen)
return SECFailure;
const unsigned int msglen = inputLen - headerLen;
if (maxOutputLen < msglen || msglen >= MAX_ENCRYPT_LEN)
return SECFailure;
P_CHECKC (PublicKey_import (&eph_pub, input, CURVE25519_KEY_LEN));
P_CHECKC(PublicKey_import(&eph_pub, input, CURVE25519_KEY_LEN));
unsigned char nonce[GCM_IV_LEN_BYTES];
memcpy (nonce, input + CURVE25519_KEY_LEN, GCM_IV_LEN_BYTES);
memcpy(nonce, input + CURVE25519_KEY_LEN, GCM_IV_LEN_BYTES);
SECItem paramItem;
set_gcm_params (&paramItem, &param, nonce, eph_pub, aad_buf);
P_CHECKC (derive_dh_secret (&aes_key, privkey, eph_pub));
set_gcm_params(&paramItem, &param, nonce, eph_pub, aad_buf);
P_CHECKC(derive_dh_secret(&aes_key, privkey, eph_pub));
const int offset = CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES;
P_CHECKC (PK11_Decrypt (aes_key, CKM_AES_GCM, &paramItem, output,
outputLen, maxOutputLen, input + offset, inputLen - offset));
P_CHECKC(PK11_Decrypt(aes_key, CKM_AES_GCM, &paramItem, output, outputLen,
maxOutputLen, input + offset, inputLen - offset));
PublicKey_clear (eph_pub);
if (aes_key)
PK11_FreeSymKey (aes_key);
if (aes_key)
return rv;

View File

@ -1,12 +1,11 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __ENCRYPT_H__
#define __ENCRYPT_H__
@ -15,7 +14,7 @@
* These functions attempt to implement CCA-secure public-key encryption using
* the NSS library. We use hashed-ElGamal encryption with Curve25519 as the
* the NSS library. We use hashed-ElGamal encryption with Curve25519 as the
* underlying group and AES128-GCM as the bulk encryption mode of operation.
* I make no guarantees that I am using NSS correctly or that this encryption
@ -25,7 +24,7 @@
* to implement these functions.
* Messages encrypted using this library must be smaller than MAX_ENCRYPT_LEN.
* Enforcing this length limit helps avoid integer overflow.
@ -38,12 +37,12 @@
* is too large (larger than `MAX_ENCRYPT_LEN`), this function returns
* an error.
SECStatus PublicKey_encryptSize (unsigned int inputLen, unsigned int *outputLen);
SECStatus PublicKey_encryptSize(unsigned int inputLen, unsigned int* outputLen);
* Generate a new keypair for public-key encryption.
SECStatus Keypair_new (PrivateKey *pvtkey, PublicKey *pubkey);
SECStatus Keypair_new(PrivateKey* pvtkey, PublicKey* pubkey);
* Encrypt an arbitrary bitstring to the specified public key. The buffer
@ -53,22 +52,17 @@ SECStatus Keypair_new (PrivateKey *pvtkey, PublicKey *pubkey);
* The value `inputLen` must be smaller than `MAX_ENCRYPT_LEN`.
SECStatus PublicKey_encrypt (PublicKey pubkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
SECStatus PublicKey_encrypt(PublicKey pubkey, unsigned char* output,
unsigned int* outputLen, unsigned int maxOutputLen,
const unsigned char* input, unsigned int inputLen);
* Decrypt an arbitrary bitstring using the specified private key. The output
* buffer should be at least 16 bytes larger than the plaintext you expect. If
* `outputLen` >= `inputLen`, you should be safe.
SECStatus PrivateKey_decrypt (PrivateKey privkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
SECStatus PrivateKey_decrypt(PrivateKey privkey, unsigned char* output,
unsigned int* outputLen, unsigned int maxOutputLen,
const unsigned char* input, unsigned int inputLen);
#endif /* __ENCRYPT_H__ */

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
@ -15,31 +15,31 @@
#include "util.h"
MPArray_new (int len)
MPArray_new(int len)
SECStatus rv = SECSuccess;
MPArray arr = malloc (sizeof *arr);
if (!arr)
MPArray arr = malloc(sizeof *arr);
if (!arr)
return NULL;
arr->data = NULL;
arr->len = len;
P_CHECKA(arr->data = calloc (len, sizeof (mp_int)));
P_CHECKA(arr->data = calloc(len, sizeof(mp_int)));
// Initialize these to NULL so that we can figure
// out which allocations failed (if any)
for (int i=0; i<len; i++) {
MP_DIGITS (&arr->data[i]) = NULL;
for (int i = 0; i < len; i++) {
MP_DIGITS(&arr->data[i]) = NULL;
for (int i=0; i<len; i++) {
MP_CHECKC (mp_init(&arr->data[i]));
for (int i = 0; i < len; i++) {
if (rv != SECSuccess) {
MPArray_clear (arr);
return NULL;
@ -47,87 +47,89 @@ cleanup:
MPArray_new_bool (int len, const bool *data_in)
MPArray_new_bool(int len, const bool* data_in)
MPArray arr = MPArray_new (len);
if (arr == NULL) return NULL;
MPArray arr = MPArray_new(len);
if (arr == NULL)
return NULL;
for (int i=0; i<len; i++) {
mp_set (&arr->data[i], data_in[i]);
for (int i = 0; i < len; i++) {
mp_set(&arr->data[i], data_in[i]);
return arr;
MPArray_resize (MPArray arr, int newlen)
MPArray_resize(MPArray arr, int newlen)
SECStatus rv = SECSuccess;
const int oldlen = arr->len;
if (oldlen == newlen)
return rv;
return rv;
// TODO: Use realloc for this?
mp_int *newdata = calloc (newlen, sizeof (mp_int));
mp_int* newdata = calloc(newlen, sizeof(mp_int));
if (newdata == NULL)
return SECFailure;
for (int i = 0; i < newlen; i++) {
MP_DIGITS (&newdata[i]) = NULL;
MP_DIGITS(&newdata[i]) = NULL;
// Initialize new array
for (int i = 0; i < newlen; i++) {
MP_CHECKC (mp_init (&newdata[i]));
// Copy old data into new array
for (int i = 0; i < newlen && i < oldlen; i++) {
MP_CHECKC (mp_copy (&arr->data[i], &newdata[i]));
MP_CHECKC(mp_copy(&arr->data[i], &newdata[i]));
// Free old data
for (int i = 0; i < oldlen; i++) {
mp_clear (&arr->data[i]);
free (arr->data);
arr->data = newdata;
arr->len = newlen;
if (rv != SECSuccess) {
for (int i=0; i < newlen; i++) {
mp_clear (&newdata[i]);
for (int i = 0; i < newlen; i++) {
free (newdata);
return rv;
MPArray_dup (const_MPArray src)
MPArray_dup(const_MPArray src)
MPArray dst = MPArray_new (src->len);
if (!dst) return NULL;
MPArray dst = MPArray_new(src->len);
if (!dst)
return NULL;
SECStatus rv = MPArray_copy (dst, src);
SECStatus rv = MPArray_copy(dst, src);
if (rv == SECSuccess) {
return dst;
} else {
MPArray_clear (dst);
return NULL;
MPArray_copy (MPArray dst, const_MPArray src)
MPArray_copy(MPArray dst, const_MPArray src)
if (dst->len != src->len)
return SECFailure;
for (int i=0; i<src->len; i++) {
for (int i = 0; i < src->len; i++) {
if (mp_copy(&src->data[i], &dst->data[i]) != MP_OKAY) {
return SECFailure;
@ -136,10 +138,9 @@ MPArray_copy (MPArray dst, const_MPArray src)
return SECSuccess;
MPArray_set_share (MPArray arrA, MPArray arrB,
const_MPArray src, const_PrioConfig cfg)
MPArray_set_share(MPArray arrA, MPArray arrB, const_MPArray src,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
if (arrA->len != src->len || arrB->len != src->len)
@ -147,48 +148,49 @@ MPArray_set_share (MPArray arrA, MPArray arrB,
const int len = src->len;
for (int i=0; i < len; i++) {
P_CHECK(share_int (cfg, &src->data[i], &arrA->data[i], &arrB->data[i]));
for (int i = 0; i < len; i++) {
P_CHECK(share_int(cfg, &src->data[i], &arrA->data[i], &arrB->data[i]));
return rv;
MPArray_clear (MPArray arr)
MPArray_clear(MPArray arr)
if (arr == NULL) return;
if (arr == NULL)
if (arr->data != NULL) {
for (int i=0; i<arr->len; i++) {
for (int i = 0; i < arr->len; i++) {
free (arr->data);
free (arr);
MPArray_addmod (MPArray dst, const_MPArray to_add, const mp_int *mod)
MPArray_addmod(MPArray dst, const_MPArray to_add, const mp_int* mod)
if (dst->len != to_add->len)
return SECFailure;
for (int i=0; i<dst->len; i++) {
MP_CHECK (mp_addmod (&dst->data[i], &to_add->data[i], mod, &dst->data[i]));
for (int i = 0; i < dst->len; i++) {
MP_CHECK(mp_addmod(&dst->data[i], &to_add->data[i], mod, &dst->data[i]));
return SECSuccess;
MPArray_areEqual (const_MPArray arr1, const_MPArray arr2)
MPArray_areEqual(const_MPArray arr1, const_MPArray arr2)
if (arr1->len != arr2->len) return false;
if (arr1->len != arr2->len)
return false;
for (int i=0; i<arr1->len; i++) {
if (mp_cmp (&arr1->data[i], &arr2->data[i]))
for (int i = 0; i < arr1->len; i++) {
if (mp_cmp(&arr1->data[i], &arr2->data[i]))
return false;

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __MPARRAY_H__
@ -12,60 +12,59 @@
#include <mpi.h>
#include <mprio.h>
struct mparray {
struct mparray
int len;
mp_int *data;
mp_int* data;
typedef struct mparray *MPArray;
typedef const struct mparray *const_MPArray;
typedef struct mparray* MPArray;
typedef const struct mparray* const_MPArray;
* Initialize an array of `mp_int`s of the given length.
MPArray MPArray_new (int len);
void MPArray_clear (MPArray arr);
MPArray MPArray_new(int len);
void MPArray_clear(MPArray arr);
* Copies secret sharing of data from src into arrays
* arrA and arrB. The lengths of the three input arrays
* must be identical.
SECStatus MPArray_set_share (MPArray arrA, MPArray arrB,
const_MPArray src, const_PrioConfig cfg);
SECStatus MPArray_set_share(MPArray arrA, MPArray arrB, const_MPArray src,
const_PrioConfig cfg);
* Initializes array with 0/1 values specified in boolean array `data_in`
MPArray MPArray_new_bool (int len, const bool *data_in);
MPArray MPArray_new_bool(int len, const bool* data_in);
* Expands or shrinks the MPArray to the desired size. If shrinking,
* will clear the values on the end of array.
SECStatus MPArray_resize (MPArray arr, int newlen);
SECStatus MPArray_resize(MPArray arr, int newlen);
* Initializes dst and creates a duplicate of the array in src.
* Initializes dst and creates a duplicate of the array in src.
MPArray MPArray_dup (const_MPArray src);
MPArray MPArray_dup(const_MPArray src);
* Copies array from src to dst. Arrays must have the same length.
SECStatus MPArray_copy (MPArray dst, const_MPArray src);
SECStatus MPArray_copy(MPArray dst, const_MPArray src);
/* For each index i into the array, set:
* dst[i] = dst[i] + to_add[i] (modulo mod)
SECStatus MPArray_addmod (MPArray dst, const_MPArray to_add,
const mp_int *mod);
SECStatus MPArray_addmod(MPArray dst, const_MPArray to_add, const mp_int* mod);
* Return true iff the two arrays are equal in length
* and contents. This comparison is NOT constant time.
bool MPArray_areEqual (const_MPArray arr1, const_MPArray arr2);
bool MPArray_areEqual(const_MPArray arr1, const_MPArray arr2);
#endif /* __MPARRAY_H__ */

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
@ -16,109 +16,110 @@
* A nice exposition of the recursive FFT/DFT algorithm we implement
* is in the book:
* "Modern Computer Algebra"
* by Von zur Gathen and Gerhard.
* "Modern Computer Algebra"
* by Von zur Gathen and Gerhard.
* Cambridge University Press, 2013.
* They present this algorithm as Algorithm 8.14.
static SECStatus
fft_recurse (mp_int *out, const mp_int *mod, int n,
const mp_int *roots, const mp_int *ys,
mp_int *tmp, mp_int *ySub, mp_int *rootsSub)
fft_recurse(mp_int* out, const mp_int* mod, int n, const mp_int* roots,
const mp_int* ys, mp_int* tmp, mp_int* ySub, mp_int* rootsSub)
if (n == 1) {
MP_CHECK (mp_copy (&ys[0], &out[0]));
MP_CHECK(mp_copy(&ys[0], &out[0]));
return SECSuccess;
// Recurse on the first half
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_addmod (&ys[i], &ys[i+(n/2)], mod, &ySub[i]));
MP_CHECK (mp_copy (&roots[2*i], &rootsSub[i]));
// Recurse on the first half
for (int i = 0; i < n / 2; i++) {
MP_CHECK(mp_addmod(&ys[i], &ys[i + (n / 2)], mod, &ySub[i]));
MP_CHECK(mp_copy(&roots[2 * i], &rootsSub[i]));
MP_CHECK (fft_recurse (tmp, mod, n/2, rootsSub, ySub, &tmp[n/2], &ySub[n/2], &rootsSub[n/2]));
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_copy (&tmp[i], &out[2*i]));
MP_CHECK(fft_recurse(tmp, mod, n / 2, rootsSub, ySub, &tmp[n / 2],
&ySub[n / 2], &rootsSub[n / 2]));
for (int i = 0; i < n / 2; i++) {
MP_CHECK(mp_copy(&tmp[i], &out[2 * i]));
// Recurse on the second half
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_submod (&ys[i], &ys[i+(n/2)], mod, &ySub[i]));
MP_CHECK (mp_mulmod (&ySub[i], &roots[i], mod, &ySub[i]));
// Recurse on the second half
for (int i = 0; i < n / 2; i++) {
MP_CHECK(mp_submod(&ys[i], &ys[i + (n / 2)], mod, &ySub[i]));
MP_CHECK(mp_mulmod(&ySub[i], &roots[i], mod, &ySub[i]));
MP_CHECK (fft_recurse (tmp, mod, n/2, rootsSub, ySub, &tmp[n/2], &ySub[n/2], &rootsSub[n/2]));
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_copy (&tmp[i], &out[2*i + 1]));
MP_CHECK(fft_recurse(tmp, mod, n / 2, rootsSub, ySub, &tmp[n / 2],
&ySub[n / 2], &rootsSub[n / 2]));
for (int i = 0; i < n / 2; i++) {
MP_CHECK(mp_copy(&tmp[i], &out[2 * i + 1]));
return SECSuccess;
static SECStatus
fft_interpolate_raw (mp_int *out,
const mp_int *ys, int nPoints, const mp_int *roots,
const mp_int *mod, bool invert)
fft_interpolate_raw(mp_int* out, const mp_int* ys, int nPoints,
const mp_int* roots, const mp_int* mod, bool invert)
SECStatus rv = SECSuccess;
mp_int tmp[nPoints];
mp_int ySub[nPoints];
mp_int rootsSub[nPoints];
for (int i=0; i<nPoints;i++) {
MP_DIGITS (&tmp[i]) = NULL;
MP_DIGITS (&ySub[i]) = NULL;
MP_DIGITS (&rootsSub[i]) = NULL;
for (int i = 0; i < nPoints; i++) {
MP_DIGITS(&tmp[i]) = NULL;
MP_DIGITS(&ySub[i]) = NULL;
MP_DIGITS(&rootsSub[i]) = NULL;
mp_int n_inverse;
MP_DIGITS (&n_inverse) = NULL;
MP_DIGITS(&n_inverse) = NULL;
for (int i=0; i<nPoints;i++) {
MP_CHECKC (mp_init (&tmp[i]));
MP_CHECKC (mp_init (&ySub[i]));
MP_CHECKC (mp_init (&rootsSub[i]));
for (int i = 0; i < nPoints; i++) {
MP_CHECK (fft_recurse(out, mod, nPoints, roots, ys, tmp, ySub, rootsSub));
MP_CHECK(fft_recurse(out, mod, nPoints, roots, ys, tmp, ySub, rootsSub));
if (invert) {
MP_CHECKC (mp_init (&n_inverse));
mp_set (&n_inverse, nPoints);
MP_CHECKC (mp_invmod (&n_inverse, mod, &n_inverse));
for (int i=0; i<nPoints;i++) {
MP_CHECKC (mp_mulmod(&out[i], &n_inverse, mod, &out[i]));
mp_set(&n_inverse, nPoints);
MP_CHECKC(mp_invmod(&n_inverse, mod, &n_inverse));
for (int i = 0; i < nPoints; i++) {
MP_CHECKC(mp_mulmod(&out[i], &n_inverse, mod, &out[i]));
mp_clear (&n_inverse);
for (int i=0; i<nPoints;i++) {
for (int i = 0; i < nPoints; i++) {
return rv;
* The PrioConfig object has a list of N-th roots of unity for large N.
* This routine returns the n-th roots of unity for n < N, where n is
* This routine returns the n-th roots of unity for n < N, where n is
* a power of two. If the `invert` flag is set, it returns the inverses
* of the n-th roots of unity.
poly_fft_get_roots (mp_int *roots_out, int n_points, const_PrioConfig cfg, bool invert)
poly_fft_get_roots(mp_int* roots_out, int n_points, const_PrioConfig cfg,
bool invert)
if (n_points > cfg->n_roots)
if (n_points > cfg->n_roots)
return SECFailure;
const mp_int *roots_in = invert ? cfg->rootsInv->data : cfg->roots->data;
const mp_int* roots_in = invert ? cfg->rootsInv->data : cfg->roots->data;
const int step_size = cfg->n_roots / n_points;
for (int i=0; i < n_points; i++) {
for (int i = 0; i < n_points; i++) {
roots_out[i] = roots_in[i * step_size];
@ -126,63 +127,62 @@ poly_fft_get_roots (mp_int *roots_out, int n_points, const_PrioConfig cfg, bool
poly_fft (MPArray points_out, const_MPArray points_in,
const_PrioConfig cfg, bool invert)
poly_fft(MPArray points_out, const_MPArray points_in, const_PrioConfig cfg,
bool invert)
SECStatus rv = SECSuccess;
const int n_points = points_in->len;
if (points_out->len != points_in->len)
return SECFailure;
if (n_points > cfg->n_roots)
if (n_points > cfg->n_roots)
return SECFailure;
if (cfg->n_roots % n_points != 0)
if (cfg->n_roots % n_points != 0)
return SECFailure;
mp_int scaled_roots[n_points];
P_CHECK (poly_fft_get_roots (scaled_roots, n_points, cfg, invert));
P_CHECK(poly_fft_get_roots(scaled_roots, n_points, cfg, invert));
MP_CHECK (fft_interpolate_raw (points_out->data, points_in->data, n_points,
scaled_roots, &cfg->modulus, invert));
MP_CHECK(fft_interpolate_raw(points_out->data, points_in->data, n_points,
scaled_roots, &cfg->modulus, invert));
return SECSuccess;
poly_eval (mp_int *value, const_MPArray coeffs, const mp_int *eval_at,
const_PrioConfig cfg)
poly_eval(mp_int* value, const_MPArray coeffs, const mp_int* eval_at,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
const int n = coeffs->len;
// Use Horner's method to evaluate the polynomial at the point
// `eval_at`
mp_copy (&coeffs->data[n-1], value);
for (int i=n-2; i >= 0; i--) {
MP_CHECK (mp_mulmod (value, eval_at, &cfg->modulus, value));
MP_CHECK (mp_addmod (value, &coeffs->data[i], &cfg->modulus, value));
mp_copy(&coeffs->data[n - 1], value);
for (int i = n - 2; i >= 0; i--) {
MP_CHECK(mp_mulmod(value, eval_at, &cfg->modulus, value));
MP_CHECK(mp_addmod(value, &coeffs->data[i], &cfg->modulus, value));
return rv;
poly_interp_evaluate (mp_int *value, const_MPArray poly_points,
const mp_int *eval_at, const_PrioConfig cfg)
poly_interp_evaluate(mp_int* value, const_MPArray poly_points,
const mp_int* eval_at, const_PrioConfig cfg)
SECStatus rv;
MPArray coeffs = NULL;
const int N = poly_points->len;
mp_int roots[N];
P_CHECKA (coeffs = MPArray_new (N));
P_CHECKC (poly_fft_get_roots (roots, N, cfg, false));
P_CHECKA(coeffs = MPArray_new(N));
P_CHECKC(poly_fft_get_roots(roots, N, cfg, false));
// Interpolate polynomial through roots of unity
P_CHECKC (poly_fft (coeffs, poly_points, cfg, true))
P_CHECKC (poly_eval (value, coeffs, eval_at, cfg));
P_CHECKC(poly_fft(coeffs, poly_points, cfg, true))
P_CHECKC(poly_eval(value, coeffs, eval_at, cfg));
MPArray_clear (coeffs);
return rv;

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef _FFT__H
@ -21,39 +21,36 @@
* of two and must be no longer than the number of precomputed
* roots in the PrioConfig object passed in.
SECStatus poly_fft(MPArray points_out, const_MPArray points_in,
const_PrioConfig cfg, bool invert);
SECStatus poly_fft(MPArray points_out, const_MPArray points_in,
const_PrioConfig cfg, bool invert);
* Get an array
* (r^0, r^1, r^2, ... )
* (r^0, r^1, r^2, ... )
* where r is an n-th root of unity, for n a power of two
* less than cfg->n_roots.
* Do NOT mp_clear() the mp_ints stored in roots_out.
* Do NOT mp_clear() the mp_ints stored in roots_out.
* These are owned by the PrioConfig object.
SECStatus poly_fft_get_roots (mp_int *roots_out, int n_points,
const_PrioConfig cfg, bool invert);
SECStatus poly_fft_get_roots(mp_int* roots_out, int n_points,
const_PrioConfig cfg, bool invert);
* Evaluate the polynomial specified by the coefficients
* at the point `eval_at` and return the result as `value`.
SECStatus poly_eval (mp_int *value, const_MPArray coeffs,
const mp_int *eval_at, const_PrioConfig cfg);
SECStatus poly_eval(mp_int* value, const_MPArray coeffs, const mp_int* eval_at,
const_PrioConfig cfg);
* Interpolate the polynomial through the points
* Interpolate the polynomial through the points
* (x_1, y_1), ..., (x_N, y_N),
* where x_i is an N-th root of unity and the y_i values are
* specified by `poly_points`. Evaluate the resulting polynomial
* specified by `poly_points`. Evaluate the resulting polynomial
* at the point `eval_at`. Return the result as `value`.
SECStatus poly_interp_evaluate (mp_int *value, const_MPArray poly_points,
const mp_int *eval_at, const_PrioConfig cfg);
SECStatus poly_interp_evaluate(mp_int* value, const_MPArray poly_points,
const mp_int* eval_at, const_PrioConfig cfg);

View File

@ -1,14 +1,14 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <blapit.h>
#include <mprio.h>
#include <nss/blapit.h>
#include <nss/pk11pub.h>
#include <pk11pub.h>
#include <string.h>
#include "prg.h"
@ -16,23 +16,25 @@
#include "share.h"
#include "util.h"
struct prg {
PK11SlotInfo *slot;
PK11SymKey *key;
PK11Context *ctx;
struct prg
PK11SlotInfo* slot;
PK11SymKey* key;
PK11Context* ctx;
PrioPRGSeed_randomize (PrioPRGSeed *key)
PrioPRGSeed_randomize(PrioPRGSeed* key)
return rand_bytes ((unsigned char *)key, PRG_SEED_LENGTH);
return rand_bytes((unsigned char*)key, PRG_SEED_LENGTH);
PRG_new (const PrioPRGSeed key_in)
PRG_new(const PrioPRGSeed key_in)
PRG prg = malloc (sizeof (struct prg));
if (!prg) return NULL;
PRG prg = malloc(sizeof(struct prg));
if (!prg)
return NULL;
prg->slot = NULL;
prg->key = NULL;
prg->ctx = NULL;
@ -40,106 +42,104 @@ PRG_new (const PrioPRGSeed key_in)
SECStatus rv = SECSuccess;
P_CHECKA (prg->slot = PK11_GetInternalSlot ());
P_CHECKA(prg->slot = PK11_GetInternalSlot());
// Create a mutable copy of the key.
PrioPRGSeed key_mut;
memcpy (key_mut, key_in, PRG_SEED_LENGTH);
memcpy(key_mut, key_in, PRG_SEED_LENGTH);
SECItem keyItem = {siBuffer, key_mut, PRG_SEED_LENGTH};
SECItem keyItem = { siBuffer, key_mut, PRG_SEED_LENGTH };
// The IV can be all zeros since we only encrypt once with
// each AES key.
CK_AES_CTR_PARAMS param = {128, {}};
SECItem paramItem = {siBuffer, (void *)&param, sizeof(CK_AES_CTR_PARAMS)};
CK_AES_CTR_PARAMS param = { 128, {} };
SECItem paramItem = { siBuffer, (void*)&param, sizeof(CK_AES_CTR_PARAMS) };
P_CHECKA (prg->key = PK11_ImportSymKey (prg->slot, cipher, PK11_OriginUnwrap,
CKA_ENCRYPT, &keyItem, NULL));
P_CHECKA(prg->key = PK11_ImportSymKey(prg->slot, cipher, PK11_OriginUnwrap,
CKA_ENCRYPT, &keyItem, NULL));
P_CHECKA (prg->ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT,
prg->key, &paramItem));
P_CHECKA(prg->ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, prg->key,
if (rv != SECSuccess) {
PRG_clear (prg);
prg = NULL;
return prg;
PRG_clear (PRG prg)
PRG_clear(PRG prg)
if (!prg) return;
if (!prg)
if (prg->key)
PK11_FreeSymKey (prg->key);
if (prg->slot)
PK11_FreeSlot (prg->slot);
if (prg->ctx)
PK11_DestroyContext (prg->ctx, PR_TRUE);
PK11_DestroyContext(prg->ctx, PR_TRUE);
free (prg);
static SECStatus
PRG_get_bytes_internal (void *prg_vp, unsigned char *bytes, size_t len)
static SECStatus
PRG_get_bytes_internal(void* prg_vp, unsigned char* bytes, size_t len)
PRG prg = (PRG)prg_vp;
unsigned char in[len];
memset (in, 0, len);
memset(in, 0, len);
int outlen;
SECStatus rv = PK11_CipherOp (prg->ctx, bytes, &outlen, len, in, len);
return (rv != SECSuccess || (size_t)outlen != len) ? SECFailure: SECSuccess;
PRG_get_bytes (PRG prg, unsigned char *bytes, size_t len)
return PRG_get_bytes_internal ((void *)prg, bytes, len);
PRG_get_int (PRG prg, mp_int *out, const mp_int *max)
return rand_int_rng (out, max, &PRG_get_bytes_internal, (void *)prg);
SECStatus rv = PK11_CipherOp(prg->ctx, bytes, &outlen, len, in, len);
return (rv != SECSuccess || (size_t)outlen != len) ? SECFailure : SECSuccess;
PRG_get_array (PRG prg, MPArray dst, const mp_int *mod)
PRG_get_bytes(PRG prg, unsigned char* bytes, size_t len)
return PRG_get_bytes_internal((void*)prg, bytes, len);
PRG_get_int(PRG prg, mp_int* out, const mp_int* max)
return rand_int_rng(out, max, &PRG_get_bytes_internal, (void*)prg);
PRG_get_array(PRG prg, MPArray dst, const mp_int* mod)
SECStatus rv;
for (int i=0; i<dst->len; i++) {
P_CHECK (PRG_get_int (prg, &dst->data[i], mod));
for (int i = 0; i < dst->len; i++) {
P_CHECK(PRG_get_int(prg, &dst->data[i], mod));
return SECSuccess;
PRG_share_int (PRG prgB, mp_int *shareA, const mp_int *src, const_PrioConfig cfg)
PRG_share_int(PRG prgB, mp_int* shareA, const mp_int* src, const_PrioConfig cfg)
SECStatus rv = SECSuccess;
mp_int tmp;
MP_DIGITS (&tmp) = NULL;
MP_CHECKC (mp_init (&tmp));
P_CHECKC (PRG_get_int (prgB, &tmp, &cfg->modulus));
MP_CHECKC (mp_submod (src, &tmp, &cfg->modulus, shareA));
P_CHECKC(PRG_get_int(prgB, &tmp, &cfg->modulus));
MP_CHECKC(mp_submod(src, &tmp, &cfg->modulus, shareA));
mp_clear (&tmp);
return rv;
PRG_share_array (PRG prgB, MPArray arrA,
const_MPArray src, const_PrioConfig cfg)
PRG_share_array(PRG prgB, MPArray arrA, const_MPArray src, const_PrioConfig cfg)
SECStatus rv = SECSuccess;
if (arrA->len != src->len)
@ -147,10 +147,9 @@ PRG_share_array (PRG prgB, MPArray arrA,
const int len = src->len;
for (int i=0; i < len; i++) {
P_CHECK(PRG_share_int (prgB, &arrA->data[i], &src->data[i], cfg));
for (int i = 0; i < len; i++) {
P_CHECK(PRG_share_int(prgB, &arrA->data[i], &src->data[i], cfg));
return rv;

View File

@ -1,62 +1,60 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __PRG_H__
#define __PRG_H__
#include <blapit.h>
#include <mpi.h>
#include <nss/blapit.h>
#include <stdlib.h>
#include "config.h"
typedef struct prg *PRG;
typedef const struct prg *const_PRG;
typedef struct prg* PRG;
typedef const struct prg* const_PRG;
* Initialize or destroy a pseudo-random generator.
PRG PRG_new (const PrioPRGSeed key);
void PRG_clear (PRG prg);
PRG PRG_new(const PrioPRGSeed key);
void PRG_clear(PRG prg);
* Produce the next bytes of output from the PRG.
SECStatus PRG_get_bytes (PRG prg, unsigned char *bytes, size_t len);
SECStatus PRG_get_bytes(PRG prg, unsigned char* bytes, size_t len);
* Use the PRG output to sample a big integer x in the range
* 0 <= x < max.
SECStatus PRG_get_int (PRG prg, mp_int *out, const mp_int *max);
SECStatus PRG_get_int(PRG prg, mp_int* out, const mp_int* max);
* Use secret sharing to split the int src into two shares.
* Use PRG to generate the value `shareB`.
* The mp_ints must be initialized.
SECStatus PRG_share_int (PRG prg, mp_int *shareA, const mp_int *src,
const_PrioConfig cfg);
SECStatus PRG_share_int(PRG prg, mp_int* shareA, const mp_int* src,
const_PrioConfig cfg);
* Set each item in the array to a pseudorandom value in the range
* [0, mod), where the values are generated using the PRG.
SECStatus PRG_get_array (PRG prg, MPArray arr, const mp_int *mod);
SECStatus PRG_get_array(PRG prg, MPArray arr, const mp_int* mod);
* Secret shares the array in `src` into `arrA` using randomness
* provided by `prgB`. The arrays `src` and `arrA` must be the same
* length.
SECStatus PRG_share_array (PRG prgB, MPArray arrA,
const_MPArray src, const_PrioConfig cfg);
SECStatus PRG_share_array(PRG prgB, MPArray arrA, const_MPArray src,
const_PrioConfig cfg);
#endif /* __PRG_H__ */

View File

@ -1,16 +1,16 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <limits.h>
#include <mprio.h>
#include <nss/nss.h>
#include <nss/pk11pub.h>
#include <nspr/prinit.h>
#include <nss.h>
#include <pk11pub.h>
#include <prinit.h>
#include "debug.h"
#include "rand.h"
@ -18,44 +18,41 @@
#define CHUNK_SIZE 8192
static NSSInitContext *prioGlobalContext = NULL;
static NSSInitContext* prioGlobalContext = NULL;
rand_init (void)
if (prioGlobalContext)
if (prioGlobalContext)
return SECSuccess;
prioGlobalContext = NSS_InitContext ("", "", "", "", NULL,
prioGlobalContext =
NSS_InitContext("", "", "", "", NULL,
return (prioGlobalContext != NULL) ? SECSuccess : SECFailure;
static SECStatus
rand_bytes_internal (void *user_data, unsigned char *out, size_t n_bytes)
static SECStatus
rand_bytes_internal(void* user_data, unsigned char* out, size_t n_bytes)
// No pointer should ever be passed in.
if (user_data != NULL)
return SECFailure;
if (!NSS_IsInitialized ()) {
PRIO_DEBUG ("NSS not initialized. Call rand_init() first.");
if (!NSS_IsInitialized()) {
PRIO_DEBUG("NSS not initialized. Call rand_init() first.");
return SECFailure;
SECStatus rv = SECFailure;
int to_go = n_bytes;
unsigned char *cp = out;
unsigned char* cp = out;
while (to_go) {
int to_gen = MIN (CHUNK_SIZE, to_go);
if ((rv = PK11_GenerateRandom (cp, to_gen)) != SECSuccess)
PRIO_DEBUG ("Error calling PK11_GenerateRandom");
int to_gen = MIN(CHUNK_SIZE, to_go);
if ((rv = PK11_GenerateRandom(cp, to_gen)) != SECSuccess) {
PRIO_DEBUG("Error calling PK11_GenerateRandom");
return SECFailure;
@ -66,67 +63,67 @@ rand_bytes_internal (void *user_data, unsigned char *out, size_t n_bytes)
return rv;
rand_bytes (unsigned char *out, size_t n_bytes)
rand_bytes(unsigned char* out, size_t n_bytes)
return rand_bytes_internal (NULL, out, n_bytes);
return rand_bytes_internal(NULL, out, n_bytes);
rand_int (mp_int *out, const mp_int *max)
rand_int(mp_int* out, const mp_int* max)
return rand_int_rng (out, max, &rand_bytes_internal, NULL);
return rand_int_rng(out, max, &rand_bytes_internal, NULL);
rand_int_rng (mp_int *out, const mp_int *max,
RandBytesFunc rng_func, void *user_data)
rand_int_rng(mp_int* out, const mp_int* max, RandBytesFunc rng_func,
void* user_data)
SECStatus rv = SECSuccess;
// Ensure max value is > 0
if (mp_cmp_z (max) == 0)
if (mp_cmp_z(max) == 0)
return SECFailure;
// Compute max-1, which tells us the largest
// value we will ever need to generate.
MP_CHECK (mp_sub_d (max, 1, out));
MP_CHECK(mp_sub_d(max, 1, out));
const int nbytes = mp_unsigned_octet_size (out);
const int nbytes = mp_unsigned_octet_size(out);
// Figure out how many MSBs we need to get in the
// most-significant byte.
// Figure out how many MSBs we need to get in the
// most-significant byte.
unsigned char max_bytes[nbytes];
MP_CHECK (mp_to_fixlen_octets (out, max_bytes, nbytes));
const unsigned char mask = msb_mask (max_bytes[0]);
MP_CHECK(mp_to_fixlen_octets(out, max_bytes, nbytes));
const unsigned char mask = msb_mask(max_bytes[0]);
// Buffer to store the pseudo-random bytes
unsigned char buf[nbytes];
do {
// Use rejection sampling to find a value strictly less than max.
P_CHECK (rng_func (user_data, buf, nbytes));
P_CHECK(rng_func(user_data, buf, nbytes));
// Mask off high-order bits that we will never need.
P_CHECK (rng_func (user_data, &buf[0], 1));
if (mask) buf[0] &= mask;
P_CHECK(rng_func(user_data, &buf[0], 1));
if (mask)
buf[0] &= mask;
MP_CHECK (mp_read_unsigned_octets (out, buf, nbytes));
} while (mp_cmp (out, max) != -1);
MP_CHECK(mp_read_unsigned_octets(out, buf, nbytes));
} while (mp_cmp(out, max) != -1);
return 0;
rand_clear (void)
if (prioGlobalContext) {
NSS_ShutdownContext (prioGlobalContext);
PR_Cleanup ();
prioGlobalContext = NULL;

@ -1,43 +1,44 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __RAND_H__
#define __RAND_H__
#include <mpi.h>
#include <nss/seccomon.h>
#include <seccomon.h>
#include <stdlib.h>
* Typedef for function pointer. A function pointer of type RandBytesFunc
* points to a function that fills the buffer `out` of with `len` random bytes.
typedef SECStatus (*RandBytesFunc) (void *user_data, unsigned char *out, size_t len);
typedef SECStatus (*RandBytesFunc)(void* user_data, unsigned char* out,
size_t len);
* Initialize or cleanup the global random number generator
* state that NSS uses.
SECStatus rand_init (void);
void rand_clear (void);
SECStatus rand_init(void);
void rand_clear(void);
* Generate the specified number of random bytes using the
* NSS random number generator.
SECStatus rand_bytes (unsigned char *out, size_t n_bytes);
SECStatus rand_bytes(unsigned char* out, size_t n_bytes);
* Generate a random number x such that
* 0 <= x < max
* using the NSS random number generator.
SECStatus rand_int (mp_int *out, const mp_int *max);
SECStatus rand_int(mp_int* out, const mp_int* max);
* Generate a random number x such that
@ -47,8 +48,7 @@ SECStatus rand_int (mp_int *out, const mp_int *max);
* The pointer user_data is passed to RandBytesFung `rng` as a first
* argument.
SECStatus rand_int_rng (mp_int *out, const mp_int *max,
RandBytesFunc rng, void *user_data);
SECStatus rand_int_rng(mp_int* out, const mp_int* max, RandBytesFunc rng,
void* user_data);
#endif /* __RAND_H__ */

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
@ -17,277 +17,277 @@
#define MSGPACK_OK 0
static SECStatus
serial_write_mp_int (msgpack_packer *pk, const mp_int *n)
static SECStatus
serial_write_mp_int(msgpack_packer* pk, const mp_int* n)
SECStatus rv = SECSuccess;
unsigned int n_size = mp_unsigned_octet_size (n);
unsigned int n_size = mp_unsigned_octet_size(n);
unsigned char data[n_size];
MP_CHECK (mp_to_fixlen_octets (n, data, n_size));
MP_CHECK(mp_to_fixlen_octets(n, data, n_size));
P_CHECK (msgpack_pack_str (pk, n_size));
P_CHECK (msgpack_pack_str_body (pk, data, n_size));
P_CHECK(msgpack_pack_str(pk, n_size));
P_CHECK(msgpack_pack_str_body(pk, data, n_size));
return rv;
static SECStatus
object_to_mp_int (msgpack_object *obj, mp_int *n, const mp_int *max)
object_to_mp_int(msgpack_object* obj, mp_int* n, const mp_int* max)
SECStatus rv = SECSuccess;
P_CHECKCB (obj != NULL);
msgpack_object_str s = obj->via.str;
P_CHECKCB (s.ptr != NULL);
MP_CHECKC (mp_read_unsigned_octets (n, (unsigned char *)s.ptr, s.size));
P_CHECKCB(s.ptr != NULL);
MP_CHECKC(mp_read_unsigned_octets(n, (unsigned char*)s.ptr, s.size));
P_CHECKCB (mp_cmp_z (n) >= 0);
P_CHECKCB (mp_cmp (n, max) < 0);
P_CHECKCB(mp_cmp_z(n) >= 0);
P_CHECKCB(mp_cmp(n, max) < 0);
return rv;
static SECStatus
static SECStatus
serial_read_mp_int(msgpack_unpacker* upk, mp_int* n, const mp_int* max)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (max != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
UP_CHECK(msgpack_unpacker_next(upk, &res))
msgpack_object obj = res.data;
P_CHECKC (object_to_mp_int (&obj, n, max));
P_CHECKC(object_to_mp_int(&obj, n, max));
msgpack_unpacked_destroy (&res);
return rv;
static SECStatus
serial_read_int (msgpack_unpacker *upk, int *n)
static SECStatus
serial_read_int(msgpack_unpacker* upk, int* n)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
UP_CHECK(msgpack_unpacker_next(upk, &res))
msgpack_object obj = res.data;
*n = obj.via.i64;
msgpack_unpacked_destroy (&res);
return rv;
static SECStatus
serial_write_mp_array (msgpack_packer *pk, const_MPArray arr)
static SECStatus
serial_write_mp_array(msgpack_packer* pk, const_MPArray arr)
SECStatus rv = SECSuccess;
P_CHECKCB (arr != NULL);
P_CHECK (msgpack_pack_array (pk, arr->len));
P_CHECK(msgpack_pack_array(pk, arr->len));
for (int i = 0; i < arr->len; i++) {
P_CHECK (serial_write_mp_int (pk, &arr->data[i]));
return rv;
static SECStatus
serial_read_mp_array (msgpack_unpacker *upk, MPArray arr, size_t len, const mp_int
static SECStatus
serial_read_mp_array(msgpack_unpacker* upk, MPArray arr, size_t len,
const mp_int* max)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (arr != NULL);
P_CHECKCB (max != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
UP_CHECK(msgpack_unpacker_next(upk, &res))
msgpack_object obj = res.data;
msgpack_object_array objarr = obj.via.array;
P_CHECKCB (objarr.size == len);
P_CHECKCB(objarr.size == len);
P_CHECKC (MPArray_resize (arr, len));
for (unsigned int i=0; i<len; i++) {
P_CHECKC (object_to_mp_int (&objarr.ptr[i], &arr->data[i], max));
P_CHECKC(MPArray_resize(arr, len));
for (unsigned int i = 0; i < len; i++) {
P_CHECKC(object_to_mp_int(&objarr.ptr[i], &arr->data[i], max));
msgpack_unpacked_destroy (&res);
return rv;
static SECStatus
serial_write_beaver_triple (msgpack_packer *pk, const_BeaverTriple t)
static SECStatus
serial_write_beaver_triple(msgpack_packer* pk, const_BeaverTriple t)
SECStatus rv = SECSuccess;
P_CHECK (serial_write_mp_int (pk, &t->a));
P_CHECK (serial_write_mp_int (pk, &t->b));
P_CHECK (serial_write_mp_int (pk, &t->c));
P_CHECK(serial_write_mp_int(pk, &t->a));
P_CHECK(serial_write_mp_int(pk, &t->b));
P_CHECK(serial_write_mp_int(pk, &t->c));
return rv;
static SECStatus
serial_read_beaver_triple (msgpack_unpacker *pk, BeaverTriple t, const mp_int *max)
static SECStatus
serial_read_beaver_triple(msgpack_unpacker* pk, BeaverTriple t,
const mp_int* max)
SECStatus rv = SECSuccess;
P_CHECKCB (max != NULL);
P_CHECK (serial_read_mp_int (pk, &t->a, max));
P_CHECK (serial_read_mp_int (pk, &t->b, max));
P_CHECK (serial_read_mp_int (pk, &t->c, max));
P_CHECK(serial_read_mp_int(pk, &t->a, max));
P_CHECK(serial_read_mp_int(pk, &t->b, max));
P_CHECK(serial_read_mp_int(pk, &t->c, max));
return rv;
static SECStatus
serial_write_server_a_data (msgpack_packer *pk, const struct server_a_data *A)
static SECStatus
serial_write_server_a_data(msgpack_packer* pk, const struct server_a_data* A)
SECStatus rv = SECSuccess;
P_CHECK (serial_write_mp_array (pk, A->data_shares));
P_CHECK (serial_write_mp_array (pk, A->h_points));
P_CHECK(serial_write_mp_array(pk, A->data_shares));
P_CHECK(serial_write_mp_array(pk, A->h_points));
return rv;
static SECStatus
serial_read_server_a_data (msgpack_unpacker *upk, struct server_a_data *A,
const_PrioConfig cfg)
static SECStatus
serial_read_server_a_data(msgpack_unpacker* upk, struct server_a_data* A,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECK (serial_read_mp_array (upk, A->data_shares, cfg->num_data_fields,
P_CHECK (serial_read_mp_array (upk, A->h_points, PrioConfig_hPoints (cfg),
P_CHECK(serial_read_mp_array(upk, A->data_shares, cfg->num_data_fields,
P_CHECK(serial_read_mp_array(upk, A->h_points, PrioConfig_hPoints(cfg),
return rv;
static SECStatus
serial_write_prg_seed (msgpack_packer *pk, const PrioPRGSeed *seed)
static SECStatus
serial_write_prg_seed(msgpack_packer* pk, const PrioPRGSeed* seed)
SECStatus rv = SECSuccess;
P_CHECKCB (seed != NULL);
P_CHECKCB(seed != NULL);
P_CHECK (msgpack_pack_str (pk, PRG_SEED_LENGTH));
P_CHECK (msgpack_pack_str_body (pk, seed, PRG_SEED_LENGTH));
P_CHECK(msgpack_pack_str(pk, PRG_SEED_LENGTH));
P_CHECK(msgpack_pack_str_body(pk, seed, PRG_SEED_LENGTH));
return rv;
static SECStatus
serial_read_prg_seed (msgpack_unpacker *upk, PrioPRGSeed *seed)
static SECStatus
serial_read_prg_seed(msgpack_unpacker* upk, PrioPRGSeed* seed)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (seed != NULL);
P_CHECKCB(seed != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
UP_CHECK(msgpack_unpacker_next(upk, &res))
msgpack_object obj = res.data;
msgpack_object_str s = obj.via.str;
memcpy (seed, s.ptr, PRG_SEED_LENGTH);
memcpy(seed, s.ptr, PRG_SEED_LENGTH);
msgpack_unpacked_destroy (&res);
return rv;
static SECStatus
serial_write_server_b_data (msgpack_packer *pk, const struct server_b_data *B)
static SECStatus
serial_write_server_b_data(msgpack_packer* pk, const struct server_b_data* B)
SECStatus rv = SECSuccess;
rv = serial_write_prg_seed (pk, &B->seed);
rv = serial_write_prg_seed(pk, &B->seed);
return rv;
static SECStatus
serial_read_server_b_data (msgpack_unpacker *upk, struct server_b_data *B)
static SECStatus
serial_read_server_b_data(msgpack_unpacker* upk, struct server_b_data* B)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
rv =serial_read_prg_seed (upk, &B->seed);
rv = serial_read_prg_seed(upk, &B->seed);
return rv;
serial_write_packet_client (msgpack_packer *pk, const_PrioPacketClient p,
const_PrioConfig cfg)
serial_write_packet_client(msgpack_packer* pk, const_PrioPacketClient p,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
P_CHECK (msgpack_pack_str (pk, cfg->batch_id_len));
P_CHECK (msgpack_pack_str_body (pk, cfg->batch_id, cfg->batch_id_len));
P_CHECK(msgpack_pack_str(pk, cfg->batch_id_len));
P_CHECK(msgpack_pack_str_body(pk, cfg->batch_id, cfg->batch_id_len));
P_CHECK (serial_write_beaver_triple (pk, p->triple));
P_CHECK(serial_write_beaver_triple(pk, p->triple));
P_CHECK (serial_write_mp_int (pk, &p->f0_share));
P_CHECK (serial_write_mp_int (pk, &p->g0_share));
P_CHECK (serial_write_mp_int (pk, &p->h0_share));
P_CHECK(serial_write_mp_int(pk, &p->f0_share));
P_CHECK(serial_write_mp_int(pk, &p->g0_share));
P_CHECK(serial_write_mp_int(pk, &p->h0_share));
P_CHECK (msgpack_pack_int (pk, p->for_server));
P_CHECK(msgpack_pack_int(pk, p->for_server));
switch (p->for_server) {
P_CHECK (serial_write_server_a_data (pk, &p->shares.A));
P_CHECK(serial_write_server_a_data(pk, &p->shares.A));
P_CHECK (serial_write_server_b_data (pk, &p->shares.B));
P_CHECK(serial_write_server_b_data(pk, &p->shares.B));
return SECFailure;
@ -297,146 +297,144 @@ cleanup:
return rv;
serial_read_server_id (msgpack_unpacker *upk, PrioServerId *s)
serial_read_server_id(msgpack_unpacker* upk, PrioServerId* s)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
int serv;
P_CHECK (serial_read_int (upk, &serv));
P_CHECK(serial_read_int(upk, &serv));
*s = serv;
return rv;
serial_read_packet_client (msgpack_unpacker *upk, PrioPacketClient p,
const_PrioConfig cfg)
serial_read_packet_client(msgpack_unpacker* upk, PrioPacketClient p,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
UP_CHECK(msgpack_unpacker_next(upk, &res))
msgpack_object obj = res.data;
msgpack_object_str s = obj.via.str;
P_CHECKCB (s.size == cfg->batch_id_len);
P_CHECKCB (!memcmp (s.ptr, (char *)cfg->batch_id, cfg->batch_id_len));
P_CHECKCB(s.size == cfg->batch_id_len);
P_CHECKCB(!memcmp(s.ptr, (char*)cfg->batch_id, cfg->batch_id_len));
P_CHECK (serial_read_beaver_triple (upk, p->triple, &cfg->modulus));
P_CHECK(serial_read_beaver_triple(upk, p->triple, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->f0_share, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->g0_share, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->h0_share, &cfg->modulus));
P_CHECK(serial_read_mp_int(upk, &p->f0_share, &cfg->modulus));
P_CHECK(serial_read_mp_int(upk, &p->g0_share, &cfg->modulus));
P_CHECK(serial_read_mp_int(upk, &p->h0_share, &cfg->modulus));
P_CHECK (serial_read_server_id (upk, &p->for_server));
P_CHECK(serial_read_server_id(upk, &p->for_server));
switch (p->for_server) {
P_CHECK (serial_read_server_a_data (upk, &p->shares.A, cfg));
P_CHECK(serial_read_server_a_data(upk, &p->shares.A, cfg));
P_CHECK (serial_read_server_b_data (upk, &p->shares.B));
P_CHECK(serial_read_server_b_data(upk, &p->shares.B));
return SECFailure;
msgpack_unpacked_destroy (&res);
return rv;
PrioPacketVerify1_write (const_PrioPacketVerify1 p, msgpack_packer *pk)
PrioPacketVerify1_write(const_PrioPacketVerify1 p, msgpack_packer* pk)
SECStatus rv = SECSuccess;
P_CHECK (serial_write_mp_int (pk, &p->share_d));
P_CHECK (serial_write_mp_int (pk, &p->share_e));
P_CHECK(serial_write_mp_int(pk, &p->share_d));
P_CHECK(serial_write_mp_int(pk, &p->share_e));
return rv;
PrioPacketVerify1_read (PrioPacketVerify1 p, msgpack_unpacker *upk,
const_PrioConfig cfg)
PrioPacketVerify1_read(PrioPacketVerify1 p, msgpack_unpacker* upk,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECK (serial_read_mp_int (upk, &p->share_d, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->share_e, &cfg->modulus));
P_CHECK(serial_read_mp_int(upk, &p->share_d, &cfg->modulus));
P_CHECK(serial_read_mp_int(upk, &p->share_e, &cfg->modulus));
return rv;
PrioPacketVerify2_write (const_PrioPacketVerify2 p, msgpack_packer *pk)
PrioPacketVerify2_write(const_PrioPacketVerify2 p, msgpack_packer* pk)
SECStatus rv = SECSuccess;
P_CHECK (serial_write_mp_int (pk, &p->share_out));
P_CHECK(serial_write_mp_int(pk, &p->share_out));
return rv;
PrioPacketVerify2_read (PrioPacketVerify2 p, msgpack_unpacker *upk,
const_PrioConfig cfg)
PrioPacketVerify2_read(PrioPacketVerify2 p, msgpack_unpacker* upk,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECK (serial_read_mp_int (upk, &p->share_out, &cfg->modulus));
P_CHECK(serial_read_mp_int(upk, &p->share_out, &cfg->modulus));
return rv;
PrioTotalShare_write (const_PrioTotalShare t, msgpack_packer *pk)
PrioTotalShare_write(const_PrioTotalShare t, msgpack_packer* pk)
SECStatus rv = SECSuccess;
P_CHECK (msgpack_pack_int (pk, t->idx));
P_CHECK (serial_write_mp_array (pk, t->data_shares));
P_CHECK(msgpack_pack_int(pk, t->idx));
P_CHECK(serial_write_mp_array(pk, t->data_shares));
return rv;
PrioTotalShare_read (PrioTotalShare t, msgpack_unpacker *upk,
const_PrioConfig cfg)
PrioTotalShare_read(PrioTotalShare t, msgpack_unpacker* upk,
const_PrioConfig cfg)
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECK (serial_read_server_id (upk, &t->idx));
P_CHECK (serial_read_mp_array (upk, t->data_shares, cfg->num_data_fields,
P_CHECK(serial_read_server_id(upk, &t->idx));
P_CHECK(serial_read_mp_array(upk, t->data_shares, cfg->num_data_fields,
return rv;

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __SERIAL_H__
@ -11,11 +11,11 @@
#include <mprio.h>
SECStatus serial_write_packet_client (msgpack_packer *pk, const_PrioPacketClient p,
const_PrioConfig cfg);
SECStatus serial_write_packet_client(msgpack_packer* pk,
const_PrioPacketClient p,
const_PrioConfig cfg);
SECStatus serial_read_packet_client (msgpack_unpacker *upk, PrioPacketClient p,
const_PrioConfig cfg);
SECStatus serial_read_packet_client(msgpack_unpacker* upk, PrioPacketClient p,
const_PrioConfig cfg);
#endif /* __SERIAL_H__ */

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
@ -12,49 +12,51 @@
#include <stdlib.h>
#include "client.h"
#include "prg.h"
#include "poly.h"
#include "mparray.h"
#include "poly.h"
#include "prg.h"
#include "server.h"
#include "util.h"
PrioServer_new (const_PrioConfig cfg, PrioServerId server_idx,
PrivateKey server_priv, const PrioPRGSeed seed)
PrioServer_new(const_PrioConfig cfg, PrioServerId server_idx,
PrivateKey server_priv, const PrioPRGSeed seed)
SECStatus rv = SECSuccess;
PrioServer s = malloc (sizeof (*s));
if (!s) return NULL;
PrioServer s = malloc(sizeof(*s));
if (!s)
return NULL;
s->cfg = cfg;
s->idx = server_idx;
s->priv_key = server_priv;
s->data_shares = NULL;
s->prg = NULL;
P_CHECKA (s->data_shares = MPArray_new (s->cfg->num_data_fields));
P_CHECKA (s->prg = PRG_new (seed));
P_CHECKA(s->data_shares = MPArray_new(s->cfg->num_data_fields));
P_CHECKA(s->prg = PRG_new(seed));
if (rv != SECSuccess) {
PrioServer_clear (s);
return NULL;
return s;
PrioServer_clear (PrioServer s)
PrioServer_clear(PrioServer s)
if (!s) return;
if (!s)
PRG_clear (s->prg);
MPArray_clear (s->data_shares);
PrioServer_aggregate (PrioServer s, PrioVerifier v)
PrioServer_aggregate(PrioServer s, PrioVerifier v)
MPArray arr = NULL;
switch (s->idx) {
@ -69,48 +71,49 @@ PrioServer_aggregate (PrioServer s, PrioVerifier v)
return SECFailure;
return MPArray_addmod (s->data_shares, arr, &s->cfg->modulus);
return MPArray_addmod(s->data_shares, arr, &s->cfg->modulus);
PrioTotalShare_new (void)
PrioTotalShare t = malloc (sizeof (*t));
if (!t) return NULL;
PrioTotalShare t = malloc(sizeof(*t));
if (!t)
return NULL;
t->data_shares = MPArray_new (0);
t->data_shares = MPArray_new(0);
if (!t->data_shares) {
free (t);
return NULL;
return t;
PrioTotalShare_clear (PrioTotalShare t)
PrioTotalShare_clear(PrioTotalShare t)
if (!t) return;
MPArray_clear (t->data_shares);
free (t);
if (!t)
PrioTotalShare_set_data (PrioTotalShare t, const_PrioServer s)
PrioTotalShare_set_data(PrioTotalShare t, const_PrioServer s)
t->idx = s->idx;
SECStatus rv = SECSuccess;
P_CHECK (MPArray_resize (t->data_shares, s->data_shares->len));
P_CHECK (MPArray_copy (t->data_shares, s->data_shares));
P_CHECK(MPArray_resize(t->data_shares, s->data_shares->len));
P_CHECK(MPArray_copy(t->data_shares, s->data_shares));
return rv;
PrioTotalShare_final (const_PrioConfig cfg,
unsigned long *output,
const_PrioTotalShare tA, const_PrioTotalShare tB)
PrioTotalShare_final(const_PrioConfig cfg, unsigned long* output,
const_PrioTotalShare tA, const_PrioTotalShare tB)
if (tA->data_shares->len != cfg->num_data_fields)
return SECFailure;
@ -122,24 +125,24 @@ PrioTotalShare_final (const_PrioConfig cfg,
SECStatus rv = SECSuccess;
mp_int tmp;
MP_DIGITS (&tmp) = NULL;
MP_CHECKC (mp_init (&tmp));
for (int i=0; i<cfg->num_data_fields; i++) {
MP_CHECKC (mp_addmod(&tA->data_shares->data[i], &tB->data_shares->data[i],
&cfg->modulus, &tmp));
for (int i = 0; i < cfg->num_data_fields; i++) {
MP_CHECKC(mp_addmod(&tA->data_shares->data[i], &tB->data_shares->data[i],
&cfg->modulus, &tmp));
output[i] = tmp.dp[0];
mp_clear (&tmp);
return rv;
inline static mp_int *
get_data_share (const_PrioVerifier v, int i) {
inline static mp_int*
get_data_share(const_PrioVerifier v, int i)
switch (v->s->idx) {
return &v->clientp->shares.A.data_shares->data[i];
@ -150,8 +153,9 @@ get_data_share (const_PrioVerifier v, int i) {
return NULL;
inline static mp_int *
get_h_share (const_PrioVerifier v, int i) {
inline static mp_int*
get_h_share(const_PrioVerifier v, int i)
switch (v->s->idx) {
return &v->clientp->shares.A.h_points->data[i];
@ -168,118 +172,122 @@ get_h_share (const_PrioVerifier v, int i) {
* by the shared secret. Store the evaluations in the verifier object.
static SECStatus
compute_shares (PrioVerifier v, const_PrioPacketClient p)
compute_shares(PrioVerifier v, const_PrioPacketClient p)
SECStatus rv;
const int n = v->s->cfg->num_data_fields + 1;
const int N = next_power_of_two (n);
const int N = next_power_of_two(n);
mp_int eval_at;
MP_DIGITS (&eval_at) = NULL;
MP_DIGITS(&eval_at) = NULL;
MPArray points_f = NULL;
MPArray points_g = NULL;
MPArray points_h = NULL;
MP_CHECKC (mp_init (&eval_at));
P_CHECKA (points_f = MPArray_new (N));
P_CHECKA (points_g = MPArray_new (N));
P_CHECKA (points_h = MPArray_new (2*N));
P_CHECKA(points_f = MPArray_new(N));
P_CHECKA(points_g = MPArray_new(N));
P_CHECKA(points_h = MPArray_new(2 * N));
// Use PRG to generate random point
MP_CHECKC (PRG_get_int (v->s->prg, &eval_at, &v->s->cfg->modulus));
// Reduce value into the field we're using. This
MP_CHECKC(PRG_get_int(v->s->prg, &eval_at, &v->s->cfg->modulus));
// Reduce value into the field we're using. This
// doesn't yield exactly a uniformly random point,
// but for values this large, it will be close
// enough.
MP_CHECKC (mp_mod (&eval_at, &v->s->cfg->modulus, &eval_at));
MP_CHECKC(mp_mod(&eval_at, &v->s->cfg->modulus, &eval_at));
// Client sends us the values of f(0) and g(0)
MP_CHECKC (mp_copy(&p->f0_share, &points_f->data[0]));
MP_CHECKC (mp_copy(&p->g0_share, &points_g->data[0]));
MP_CHECKC (mp_copy(&p->h0_share, &points_h->data[0]));
MP_CHECKC(mp_copy(&p->f0_share, &points_f->data[0]));
MP_CHECKC(mp_copy(&p->g0_share, &points_g->data[0]));
MP_CHECKC(mp_copy(&p->h0_share, &points_h->data[0]));
for (int i=1; i<n; i++) {
for (int i = 1; i < n; i++) {
// [f](i) = i-th data share
const mp_int *data_i_minus_1 = get_data_share(v, i-1);
MP_CHECKC (mp_copy(data_i_minus_1, &points_f->data[i]));
const mp_int* data_i_minus_1 = get_data_share(v, i - 1);
MP_CHECKC(mp_copy(data_i_minus_1, &points_f->data[i]));
// [g](i) = i-th data share minus 1
// Only need to shift the share for 0-th server
MP_CHECKC (mp_copy(&points_f->data[i], &points_g->data[i]));
MP_CHECKC(mp_copy(&points_f->data[i], &points_g->data[i]));
if (!v->s->idx) {
MP_CHECKC (mp_sub_d(&points_g->data[i], 1, &points_g->data[i]));
MP_CHECKC (mp_mod(&points_g->data[i], &v->s->cfg->modulus, &points_g->data[i]));
MP_CHECKC(mp_sub_d(&points_g->data[i], 1, &points_g->data[i]));
mp_mod(&points_g->data[i], &v->s->cfg->modulus, &points_g->data[i]));
int j = 0;
for (int i=1; i<2*N; i+=2) {
const mp_int *h_point_j = get_h_share (v, j++);
MP_CHECKC (mp_copy(h_point_j, &points_h->data[i]));
for (int i = 1; i < 2 * N; i += 2) {
const mp_int* h_point_j = get_h_share(v, j++);
MP_CHECKC(mp_copy(h_point_j, &points_h->data[i]));
P_CHECKC (poly_interp_evaluate (&v->share_fR, points_f, &eval_at, v->s->cfg));
P_CHECKC (poly_interp_evaluate (&v->share_gR, points_g, &eval_at, v->s->cfg));
P_CHECKC (poly_interp_evaluate (&v->share_hR, points_h, &eval_at, v->s->cfg));
P_CHECKC(poly_interp_evaluate(&v->share_fR, points_f, &eval_at, v->s->cfg));
P_CHECKC(poly_interp_evaluate(&v->share_gR, points_g, &eval_at, v->s->cfg));
P_CHECKC(poly_interp_evaluate(&v->share_hR, points_h, &eval_at, v->s->cfg));
MPArray_clear (points_f);
MPArray_clear (points_g);
MPArray_clear (points_h);
mp_clear (&eval_at);
return rv;
PrioVerifier PrioVerifier_new (PrioServer s)
PrioVerifier_new(PrioServer s)
SECStatus rv = SECSuccess;
PrioVerifier v = malloc (sizeof *v);
if (!v) return NULL;
PrioVerifier v = malloc(sizeof *v);
if (!v)
return NULL;
v->s = s;
v->clientp = NULL;
v->data_sharesB = NULL;
v->h_pointsB = NULL;
MP_DIGITS (&v->share_fR) = NULL;
MP_DIGITS (&v->share_gR) = NULL;
MP_DIGITS (&v->share_hR) = NULL;
MP_DIGITS(&v->share_fR) = NULL;
MP_DIGITS(&v->share_gR) = NULL;
MP_DIGITS(&v->share_hR) = NULL;
MP_CHECKC (mp_init (&v->share_fR));
MP_CHECKC (mp_init (&v->share_gR));
MP_CHECKC (mp_init (&v->share_hR));
P_CHECKA (v->clientp = PrioPacketClient_new (s->cfg, s->idx));
P_CHECKA(v->clientp = PrioPacketClient_new(s->cfg, s->idx));
const int N = next_power_of_two (s->cfg->num_data_fields + 1);
const int N = next_power_of_two(s->cfg->num_data_fields + 1);
if (v->s->idx == PRIO_SERVER_B) {
P_CHECKA (v->data_sharesB = MPArray_new (v->s->cfg->num_data_fields));
P_CHECKA (v->h_pointsB = MPArray_new (N));
P_CHECKA(v->data_sharesB = MPArray_new(v->s->cfg->num_data_fields));
P_CHECKA(v->h_pointsB = MPArray_new(N));
if (rv != SECSuccess) {
PrioVerifier_clear (v);
return NULL;
return v;
PrioVerifier_set_data (PrioVerifier v, unsigned char *data, unsigned int data_len)
PrioVerifier_set_data(PrioVerifier v, unsigned char* data,
unsigned int data_len)
SECStatus rv = SECSuccess;
PRG prgB = NULL;
P_CHECKC (PrioPacketClient_decrypt (v->clientp, v->s->cfg,
v->s->priv_key, data, data_len));
P_CHECKC(PrioPacketClient_decrypt(v->clientp, v->s->cfg, v->s->priv_key, data,
PrioPacketClient p = v->clientp;
if (p->for_server != v->s->idx)
return SECFailure;
const int N = next_power_of_two (v->s->cfg->num_data_fields + 1);
const int N = next_power_of_two(v->s->cfg->num_data_fields + 1);
if (v->s->idx == PRIO_SERVER_A) {
// Check that packet has the correct number of data fields
if (p->shares.A.data_shares->len != v->s->cfg->num_data_fields)
@ -289,70 +297,73 @@ PrioVerifier_set_data (PrioVerifier v, unsigned char *data, unsigned int data_le
if (v->s->idx == PRIO_SERVER_B) {
P_CHECKA (prgB = PRG_new (v->clientp->shares.B.seed));
P_CHECKC (PRG_get_array (prgB, v->data_sharesB, &v->s->cfg->modulus));
P_CHECKC (PRG_get_array (prgB, v->h_pointsB, &v->s->cfg->modulus));
P_CHECKA(prgB = PRG_new(v->clientp->shares.B.seed));
P_CHECKC(PRG_get_array(prgB, v->data_sharesB, &v->s->cfg->modulus));
P_CHECKC(PRG_get_array(prgB, v->h_pointsB, &v->s->cfg->modulus));
// TODO: This can be done much faster by using the combined
// interpolate-and-evaluate optimization described in the
// interpolate-and-evaluate optimization described in the
// Prio paper.
// Compute share of f(r), g(r), h(r)
P_CHECKC (compute_shares (v, p));
P_CHECKC(compute_shares(v, p));
PRG_clear (prgB);
return rv;
void PrioVerifier_clear (PrioVerifier v)
PrioVerifier_clear(PrioVerifier v)
if (v == NULL) return;
PrioPacketClient_clear (v->clientp);
MPArray_clear (v->data_sharesB);
MPArray_clear (v->h_pointsB);
mp_clear (&v->share_fR);
mp_clear (&v->share_gR);
mp_clear (&v->share_hR);
free (v);
if (v == NULL)
PrioPacketVerify1_new (void)
SECStatus rv = SECSuccess;
PrioPacketVerify1 p = malloc (sizeof *p);
if (!p) return NULL;
PrioPacketVerify1 p = malloc(sizeof *p);
if (!p)
return NULL;
MP_DIGITS (&p->share_d) = NULL;
MP_DIGITS (&p->share_e) = NULL;
MP_DIGITS(&p->share_d) = NULL;
MP_DIGITS(&p->share_e) = NULL;
MP_CHECKC (mp_init (&p->share_d));
MP_CHECKC (mp_init (&p->share_e));
if (rv != SECSuccess) {
PrioPacketVerify1_clear (p);
return NULL;
return p;
PrioPacketVerify1_clear (PrioPacketVerify1 p)
PrioPacketVerify1_clear(PrioPacketVerify1 p)
if (!p) return;
mp_clear (&p->share_d);
mp_clear (&p->share_e);
free (p);
if (!p)
PrioPacketVerify1_set_data (PrioPacketVerify1 p1, const_PrioVerifier v)
PrioPacketVerify1_set_data(PrioPacketVerify1 p1, const_PrioVerifier v)
// See the Prio paper for details on how this works.
// Appendix C descrives the MPC protocol used here.
@ -361,121 +372,121 @@ PrioPacketVerify1_set_data (PrioPacketVerify1 p1, const_PrioVerifier v)
// Compute corrections.
// [d] = [f(r)] - [a]
MP_CHECK (mp_sub (&v->share_fR, &v->clientp->triple->a, &p1->share_d));
MP_CHECK (mp_mod (&p1->share_d, &v->s->cfg->modulus, &p1->share_d));
MP_CHECK(mp_sub(&v->share_fR, &v->clientp->triple->a, &p1->share_d));
MP_CHECK(mp_mod(&p1->share_d, &v->s->cfg->modulus, &p1->share_d));
// [e] = [g(r)] - [b]
MP_CHECK (mp_sub (&v->share_gR, &v->clientp->triple->b, &p1->share_e));
MP_CHECK (mp_mod (&p1->share_e, &v->s->cfg->modulus, &p1->share_e));
MP_CHECK(mp_sub(&v->share_gR, &v->clientp->triple->b, &p1->share_e));
MP_CHECK(mp_mod(&p1->share_e, &v->s->cfg->modulus, &p1->share_e));
return rv;
PrioPacketVerify2_new (void)
SECStatus rv = SECSuccess;
PrioPacketVerify2 p = malloc (sizeof *p);
if (!p) return NULL;
PrioPacketVerify2 p = malloc(sizeof *p);
if (!p)
return NULL;
MP_DIGITS (&p->share_out) = NULL;
MP_CHECKC (mp_init (&p->share_out));
MP_DIGITS(&p->share_out) = NULL;
if (rv != SECSuccess) {
PrioPacketVerify2_clear (p);
return NULL;
return p;
PrioPacketVerify2_clear (PrioPacketVerify2 p)
PrioPacketVerify2_clear(PrioPacketVerify2 p)
if (!p) return;
mp_clear (&p->share_out);
free (p);
if (!p)
PrioPacketVerify2_set_data (PrioPacketVerify2 p2, const_PrioVerifier v,
const_PrioPacketVerify1 p1A, const_PrioPacketVerify1 p1B)
PrioPacketVerify2_set_data(PrioPacketVerify2 p2, const_PrioVerifier v,
const_PrioPacketVerify1 p1A,
const_PrioPacketVerify1 p1B)
SECStatus rv = SECSuccess;
mp_int d, e, tmp;
MP_DIGITS (&tmp) = NULL;
MP_CHECKC (mp_init (&d));
MP_CHECKC (mp_init (&e));
MP_CHECKC (mp_init (&tmp));
const mp_int *mod = &v->s->cfg->modulus;
const mp_int* mod = &v->s->cfg->modulus;
// Compute share of f(r)*g(r)
// [f(r)*g(r)] = [d*e/2] + d[b] + e[a] + [c]
// Compute d
MP_CHECKC (mp_addmod (&p1A->share_d, &p1B->share_d, mod, &d));
// Compute d
MP_CHECKC(mp_addmod(&p1A->share_d, &p1B->share_d, mod, &d));
// Compute e
MP_CHECKC (mp_addmod (&p1A->share_e, &p1B->share_e, mod, &e));
MP_CHECKC(mp_addmod(&p1A->share_e, &p1B->share_e, mod, &e));
// Compute d*e
MP_CHECKC (mp_mulmod (&d, &e, mod, &p2->share_out));
MP_CHECKC(mp_mulmod(&d, &e, mod, &p2->share_out));
// out = d*e/2
MP_CHECKC (mp_mulmod (&p2->share_out, &v->s->cfg->inv2,
mod, &p2->share_out));
MP_CHECKC(mp_mulmod(&p2->share_out, &v->s->cfg->inv2, mod, &p2->share_out));
// Compute d[b]
MP_CHECKC (mp_mulmod (&d, &v->clientp->triple->b, mod, &tmp));
// out = d*e/2 + d[b]
MP_CHECKC (mp_addmod (&p2->share_out, &tmp, mod, &p2->share_out));
// Compute d[b]
MP_CHECKC(mp_mulmod(&d, &v->clientp->triple->b, mod, &tmp));
// out = d*e/2 + d[b]
MP_CHECKC(mp_addmod(&p2->share_out, &tmp, mod, &p2->share_out));
// Compute e[a]
MP_CHECKC (mp_mulmod (&e, &v->clientp->triple->a, mod, &tmp));
// Compute e[a]
MP_CHECKC(mp_mulmod(&e, &v->clientp->triple->a, mod, &tmp));
// out = d*e/2 + d[b] + e[a]
MP_CHECKC (mp_addmod (&p2->share_out, &tmp, mod, &p2->share_out));
MP_CHECKC(mp_addmod(&p2->share_out, &tmp, mod, &p2->share_out));
// out = d*e/2 + d[b] + e[a] + [c]
MP_CHECKC (mp_addmod (&p2->share_out, &v->clientp->triple->c, mod, &p2->share_out));
mp_addmod(&p2->share_out, &v->clientp->triple->c, mod, &p2->share_out));
// We want to compute f(r)*g(r) - h(r),
// so subtract off [h(r)]:
// out = d*e/2 + d[b] + e[a] + [c] - [h(r)]
MP_CHECKC (mp_sub (&p2->share_out, &v->share_hR, &p2->share_out));
MP_CHECKC (mp_mod (&p2->share_out, mod, &p2->share_out));
MP_CHECKC(mp_sub(&p2->share_out, &v->share_hR, &p2->share_out));
MP_CHECKC(mp_mod(&p2->share_out, mod, &p2->share_out));
mp_clear (&d);
mp_clear (&e);
mp_clear (&tmp);
return rv;
PrioVerifier_isValid (const_PrioVerifier v,
const_PrioPacketVerify2 pA, const_PrioPacketVerify2 pB)
PrioVerifier_isValid(const_PrioVerifier v, const_PrioPacketVerify2 pA,
const_PrioPacketVerify2 pB)
SECStatus rv = SECSuccess;
mp_int res;
MP_DIGITS (&res) = NULL;
MP_CHECKC (mp_init (&res));
// Add up the shares of the output wire value and
// Add up the shares of the output wire value and
// ensure that the sum is equal to zero, which indicates
// that
// f(r) * g(r) == h(r).
MP_CHECKC (mp_addmod (&pA->share_out, &pB->share_out,
&v->s->cfg->modulus, &res));
mp_addmod(&pA->share_out, &pB->share_out, &v->s->cfg->modulus, &res));
rv = (mp_cmp_d (&res, 0) == 0) ? SECSuccess : SECFailure;
rv = (mp_cmp_d(&res, 0) == 0) ? SECSuccess : SECFailure;
mp_clear (&res);
return rv;

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __SERVER_H__
@ -13,12 +13,14 @@
#include "prg.h"
#include "share.h"
struct prio_total_share {
struct prio_total_share
PrioServerId idx;
MPArray data_shares;
struct prio_server {
struct prio_server
const_PrioConfig cfg;
PrioServerId idx;
@ -34,7 +36,8 @@ struct prio_server {
PRG prg;
struct prio_verifier {
struct prio_verifier
PrioServer s;
PrioPacketClient clientp;
@ -47,14 +50,15 @@ struct prio_verifier {
mp_int share_out;
struct prio_packet_verify1 {
struct prio_packet_verify1
mp_int share_d;
mp_int share_e;
struct prio_packet_verify2 {
struct prio_packet_verify2
mp_int share_out;
#endif /* __SERVER_H__ */

View File

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
@ -12,86 +12,85 @@
#include "share.h"
#include "util.h"
share_int (const struct prio_config *cfg, const mp_int *src,
mp_int *shareA, mp_int *shareB)
share_int(const struct prio_config* cfg, const mp_int* src, mp_int* shareA,
mp_int* shareB)
SECStatus rv;
P_CHECK (rand_int (shareA, &cfg->modulus));
MP_CHECK (mp_submod (src, shareA, &cfg->modulus, shareB));
P_CHECK(rand_int(shareA, &cfg->modulus));
MP_CHECK(mp_submod(src, shareA, &cfg->modulus, shareB));
return rv;
BeaverTriple_new (void)
BeaverTriple triple = malloc (sizeof *triple);
BeaverTriple triple = malloc(sizeof *triple);
if (!triple)
return NULL;
MP_DIGITS (&triple->a) = NULL;
MP_DIGITS (&triple->b) = NULL;
MP_DIGITS (&triple->c) = NULL;
MP_DIGITS(&triple->a) = NULL;
MP_DIGITS(&triple->b) = NULL;
MP_DIGITS(&triple->c) = NULL;
SECStatus rv = SECSuccess;
MP_CHECKC (mp_init (&triple->a));
MP_CHECKC (mp_init (&triple->b));
MP_CHECKC (mp_init (&triple->c));
if (rv != SECSuccess) {
BeaverTriple_clear (triple);
return NULL;
return triple;
BeaverTriple_clear (BeaverTriple triple)
BeaverTriple_clear(BeaverTriple triple)
if (!triple) return;
mp_clear (&triple->a);
mp_clear (&triple->b);
mp_clear (&triple->c);
free (triple);
if (!triple)
BeaverTriple_set_rand (const struct prio_config *cfg,
struct beaver_triple *triple_1,
struct beaver_triple *triple_2)
BeaverTriple_set_rand(const struct prio_config* cfg,
struct beaver_triple* triple_1,
struct beaver_triple* triple_2)
SECStatus rv = SECSuccess;
// TODO: Can shorten this code using share_int()
// We need that
// (a1 + a2)(b1 + b2) = c1 + c2 (mod p)
P_CHECK (rand_int (&triple_1->a, &cfg->modulus));
P_CHECK (rand_int (&triple_1->b, &cfg->modulus));
P_CHECK (rand_int (&triple_2->a, &cfg->modulus));
P_CHECK (rand_int (&triple_2->b, &cfg->modulus));
// (a1 + a2)(b1 + b2) = c1 + c2 (mod p)
P_CHECK(rand_int(&triple_1->a, &cfg->modulus));
P_CHECK(rand_int(&triple_1->b, &cfg->modulus));
P_CHECK(rand_int(&triple_2->a, &cfg->modulus));
P_CHECK(rand_int(&triple_2->b, &cfg->modulus));
// We are trying to be a little clever here to avoid the use of temp
// variables.
// c1 = a1 + a2
MP_CHECK (mp_addmod (&triple_1->a, &triple_2->a, &cfg->modulus, &triple_1->c));
MP_CHECK(mp_addmod(&triple_1->a, &triple_2->a, &cfg->modulus, &triple_1->c));
// c2 = b1 + b2
MP_CHECK (mp_addmod (&triple_1->b, &triple_2->b, &cfg->modulus, &triple_2->c));
MP_CHECK(mp_addmod(&triple_1->b, &triple_2->b, &cfg->modulus, &triple_2->c));
// c1 = c1 * c2 = (a1 + a2) (b1 + b2)
MP_CHECK (mp_mulmod (&triple_1->c, &triple_2->c, &cfg->modulus, &triple_1->c));
MP_CHECK(mp_mulmod(&triple_1->c, &triple_2->c, &cfg->modulus, &triple_1->c));
// Set c2 to random blinding value
MP_CHECK (rand_int (&triple_2->c, &cfg->modulus));
MP_CHECK(rand_int(&triple_2->c, &cfg->modulus));
// c1 = c1 - c2
MP_CHECK (mp_submod (&triple_1->c, &triple_2->c, &cfg->modulus, &triple_1->c));
MP_CHECK(mp_submod(&triple_1->c, &triple_2->c, &cfg->modulus, &triple_1->c));
// Now we should have random tuples satisfying:
// (a1 + a2) (b1 + b2) = c1 + c2
@ -99,10 +98,9 @@ BeaverTriple_set_rand (const struct prio_config *cfg,
return rv;
BeaverTriple_areEqual (const_BeaverTriple t1, const_BeaverTriple t2)
BeaverTriple_areEqual(const_BeaverTriple t1, const_BeaverTriple t2)
return (mp_cmp (&t1->a, &t2->a) == 0 &&
mp_cmp (&t1->b, &t2->b) == 0 &&
mp_cmp (&t1->c, &t2->c) == 0);
return (mp_cmp(&t1->a, &t2->a) == 0 && mp_cmp(&t1->b, &t2->b) == 0 &&
mp_cmp(&t1->c, &t2->c) == 0);

View File

@ -1,12 +1,11 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __SHARE_H__
#define __SHARE_H__
@ -14,23 +13,22 @@
#include "config.h"
struct beaver_triple {
struct beaver_triple
mp_int a;
mp_int b;
mp_int c;
typedef struct beaver_triple *BeaverTriple;
typedef const struct beaver_triple *const_BeaverTriple;
typedef struct beaver_triple* BeaverTriple;
typedef const struct beaver_triple* const_BeaverTriple;
* Use secret sharing to split the int src into two shares.
* The mp_ints must be initialized.
SECStatus share_int (const_PrioConfig cfg, const mp_int *src,
mp_int *shareA, mp_int *shareB);
SECStatus share_int(const_PrioConfig cfg, const mp_int* src, mp_int* shareA,
mp_int* shareB);
* Prio uses Beaver triples to implement one step of the
@ -38,14 +36,12 @@ SECStatus share_int (const_PrioConfig cfg, const mp_int *src,
* a sharing of random values a, b, c such that
* a * b = c
BeaverTriple BeaverTriple_new (void);
void BeaverTriple_clear (BeaverTriple t);
BeaverTriple BeaverTriple_new(void);
void BeaverTriple_clear(BeaverTriple t);
SECStatus BeaverTriple_set_rand (const_PrioConfig cfg,
BeaverTriple triple_a,
BeaverTriple triple_b);
SECStatus BeaverTriple_set_rand(const_PrioConfig cfg, BeaverTriple triple_a,
BeaverTriple triple_b);
bool BeaverTriple_areEqual (const_BeaverTriple t1, const_BeaverTriple t2);
bool BeaverTriple_areEqual(const_BeaverTriple t1, const_BeaverTriple t2);
#endif /* __SHARE_H__ */

@ -1,9 +1,9 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#ifndef __UTIL_H__
@ -16,80 +16,88 @@
#define MIN(a, b) ((a) < (b) ? (a) : (b))
// Check a Prio error code and return failure if the call fails.
#define P_CHECK(s) \
do { \
if((rv = (s)) != SECSuccess) \
return rv; \
} while(0);
#define P_CHECK(s) \
do { \
if ((rv = (s)) != SECSuccess) \
return rv; \
} while (0);
// Check an allocation that should not return NULL. If the allocation returns
// NULL, set the return value and jump to the cleanup label to free memory.
#define P_CHECKA(s) \
do { \
if((s) == NULL) {\
rv = SECFailure;\
goto cleanup;\
} while(0);
// NULL, set the return value and jump to the cleanup label to free memory.
#define P_CHECKA(s) \
do { \
if ((s) == NULL) { \
rv = SECFailure; \
goto cleanup; \
} \
} while (0);
// Check a Prio library call that should return SECSuccess. If it doesn't,
// jump to the cleanup label.
#define P_CHECKC(s) \
do { \
if((rv = (s)) != SECSuccess) { \
goto cleanup; \
} while(0);
#define P_CHECKC(s) \
do { \
if ((rv = (s)) != SECSuccess) { \
goto cleanup; \
} \
} while (0);
// Check a boolean that should be true. If it not,
// jump to the cleanup label.
#define P_CHECKCB(s) \
do { \
if(!(s)) { \
rv = SECFailure; \
goto cleanup; \
} while(0);
#define P_CHECKCB(s) \
do { \
if (!(s)) { \
rv = SECFailure; \
goto cleanup; \
} \
} while (0);
// Check an MPI library call and return failure if it fails.
#define MP_CHECK(s) do { if((s) != MP_OKAY) return SECFailure; } while(0);
#define MP_CHECK(s) \
do { \
if ((s) != MP_OKAY) \
return SECFailure; \
} while (0);
// Check a msgpack object unpacked correctly
#define UP_CHECK(s) do { int r = (s); if(r != MSGPACK_UNPACK_SUCCESS &&\
#define UP_CHECK(s) \
do { \
int r = (s); \
return SECFailure; \
} while (0);
// Check an MPI library call. If it fails, set the return code and jump
// to the cleanup label.
#define MP_CHECKC(s) \
do { \
if((s) != MP_OKAY) { \
rv = SECFailure; \
goto cleanup; \
} while(0);
#define MP_CHECKC(s) \
do { \
if ((s) != MP_OKAY) { \
rv = SECFailure; \
goto cleanup; \
} \
} while (0);
static inline int
next_power_of_two (int val)
next_power_of_two(int val)
int i = val;
int out = 0;
for ( ; i > 0; i >>= 1) {
for (; i > 0; i >>= 1) {
int pow = 1 << out;
return (pow > 1 && pow/2 == val) ? val : pow;
return (pow > 1 && pow / 2 == val) ? val : pow;
* Return a mask that masks out all of the zero bits
static inline unsigned char
msb_mask (unsigned char val)
msb_mask(unsigned char val)
unsigned char mask;
for (mask = 0x00; (val & mask) != val; mask = (mask << 1) + 1);
for (mask = 0x00; (val & mask) != val; mask = (mask << 1) + 1)
return mask;
@ -99,4 +107,3 @@ msb_mask (unsigned char val)
#define UNUSED(x) (void)(x)
View File

@ -1,30 +0,0 @@
I don't like licenses, because I don't like having to worry about all this
legal stuff just for a simple piece of software I don't really mind anyone
using. But I also believe that it's important that people share and give back;
so I'm placing this work under the following license.
BOLA - Buena Onda License Agreement (v1.0)
This work is provided 'as-is', without any express or implied warranty. In no
event will the authors be held liable for any damages arising from the use of
this work.
To all effects and purposes, this work is to be considered Public Domain.
However, if you want to be "Buena onda", you should:
1. Not take credit for it, and give proper recognition to the authors.
2. Share your modifications, so everybody benefits from them.
4. Do something nice for the authors.
5. Help someone who needs it: sign up for some volunteer work or help your
neighbour paint the house.
6. Don't waste. Anything, but specially energy that comes from natural
non-renewable resources. Extra points if you discover or invent something
to replace them.
7. Be tolerant. Everything that's good in nature comes from cooperation.
The order is important, and the further you go the more "Buena onda" you are.
Make the world a better place: be "Buena onda".

@ -1,44 +0,0 @@
import sys
prio_env = env.Clone()
test_srcs = [
libs = [
# Run the mutest script to generate the test harness code
bld = Builder(action = 'ptest/mkmutest ptest/mutest.h $SOURCES | $CC -c -xc -o $TARGET -')
prio_env.Append(BUILDERS = {'MkMutest' : bld})
prio_env.Append(LIBS = libs)
# Enable mpi print
prio_env.Append(CFLAGS = ['-DMP_IOFUNC'])
# Copy the mutest scripts to the build dir
test_objs = prio_env.Object(test_srcs)
test_main = prio_env.MkMutest(test_objs)
prio_env.Program("ptest", [test_main] + test_objs)

@ -1,160 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
#include "prio/client.h"
#include "prio/server.h"
#include "prio/util.h"
#include "mutest.h"
mu_test_client__new (void)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
PrioPacketClient pA = NULL;
PrioPacketClient pB = NULL;
P_CHECKA (cfg = PrioConfig_newTest(23));
P_CHECKA (pA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (pB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
const int ndata = PrioConfig_numDataFields (cfg);
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
P_CHECKC (PrioPacketClient_set_data (cfg, data_items, pA, pB));
mu_check (rv == SECSuccess);
PrioPacketClient_clear (pA);
PrioPacketClient_clear (pB);
PrioConfig_clear (cfg);
test_client_agg (int nclients)
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioTotalShare tA = NULL;
PrioTotalShare tB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
unsigned char *for_a = NULL;
unsigned char *for_b = NULL;
const unsigned char *batch_id = (unsigned char *)"test_batch";
unsigned int batch_id_len = strlen ((char *)batch_id);
PrioPRGSeed seed;
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
P_CHECKA (cfg = PrioConfig_new (133, pkA, pkB, batch_id, batch_id_len));
P_CHECKA (sA = PrioServer_new (cfg, 0, skA, seed));
P_CHECKA (sB = PrioServer_new (cfg, 1, skB, seed));
P_CHECKA (tA = PrioTotalShare_new ());
P_CHECKA (tB = PrioTotalShare_new ());
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
const int ndata = PrioConfig_numDataFields (cfg);
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
for (int i=0; i < nclients; i++) {
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items, &for_a, &aLen,
&for_b, &bLen));
P_CHECKC (PrioVerifier_set_data (vA, for_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_b, bLen));
mu_check (PrioServer_aggregate (sA, vA) == SECSuccess);
mu_check (PrioServer_aggregate (sB, vB) == SECSuccess);
free (for_a);
free (for_b);
for_a = NULL;
for_b = NULL;
mu_check (PrioTotalShare_set_data (tA, sA) == SECSuccess);
mu_check (PrioTotalShare_set_data (tB, sB) == SECSuccess);
unsigned long output[ndata];
mu_check (PrioTotalShare_final (cfg, output, tA, tB) == SECSuccess);
for (int i=0; i < ndata; i++) {
unsigned long v = ((i % 3 == 1) || (i % 5 == 3));
mu_check (output[i] == v*nclients);
//rv = SECFailure;
//goto cleanup;
mu_check (rv == SECSuccess);
if (for_a) free (for_a);
if (for_b) free (for_b);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioTotalShare_clear (tA);
PrioTotalShare_clear (tB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
mu_test_client__agg_1 (void)
test_client_agg (1);
mu_test_client__agg_2 (void)
test_client_agg (2);
mu_test_client__agg_10 (void)
test_client_agg (10);

@ -1,228 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <nspr.h>
#include <nss/nss.h>
#include <nss/secoidt.h>
#include <nss/keyhi.h>
#include <nss/pk11pub.h>
#include <nss/cert.h>
#include "mutest.h"
#include "prio/encrypt.h"
#include "prio/rand.h"
#include "prio/util.h"
mu_test_keygen (void)
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
PrivateKey pvtkey = NULL;
P_CHECKC (Keypair_new (&pvtkey, &pubkey));
mu_check (SECKEY_PublicKeyStrength (pubkey) == 32);
mu_check (rv == SECSuccess);
PublicKey_clear (pubkey);
PrivateKey_clear (pvtkey);
test_encrypt_once (int bad, unsigned int inlen)
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
PrivateKey pvtkey = NULL;
PublicKey pubkey2 = NULL;
PrivateKey pvtkey2 = NULL;
unsigned char *bytes_in = NULL;
unsigned char *bytes_enc = NULL;
unsigned char *bytes_dec = NULL;
unsigned int enclen;
P_CHECKC (PublicKey_encryptSize (inlen, &enclen));
unsigned int declen = enclen;
P_CHECKA (bytes_in = malloc (inlen));
P_CHECKA (bytes_enc = malloc (enclen));
P_CHECKA (bytes_dec= malloc (enclen));
P_CHECKC (rand_bytes (bytes_in, inlen));
memset (bytes_dec, 0, declen);
unsigned int encryptedBytes;
P_CHECKC (Keypair_new (&pvtkey, &pubkey));
P_CHECKC (Keypair_new (&pvtkey2, &pubkey2));
P_CHECKC (PublicKey_encrypt (pubkey, bytes_enc,
&encryptedBytes, enclen,
bytes_in, inlen));
mu_check (encryptedBytes == enclen);
if (bad == 1)
enclen = 30;
if (bad == 2) {
bytes_enc[4] = 6;
bytes_enc[5] = 0;
if (bad == 3) {
bytes_enc[40] = 6;
bytes_enc[41] = 0;
unsigned int decryptedBytes;
PrivateKey key_to_use = (bad == 4) ? pvtkey2 : pvtkey;
P_CHECKC (PrivateKey_decrypt (key_to_use, bytes_dec, &decryptedBytes, declen,
bytes_enc, enclen));
mu_check (decryptedBytes == inlen);
mu_check (!strncmp ((char *)bytes_in, (char *)bytes_dec, inlen));
mu_check (bad ? (rv == SECFailure) : (rv == SECSuccess));
if (bytes_in) free (bytes_in);
if (bytes_enc) free (bytes_enc);
if (bytes_dec) free (bytes_dec);
PublicKey_clear (pubkey);
PrivateKey_clear (pvtkey);
PublicKey_clear (pubkey2);
PrivateKey_clear (pvtkey2);
mu_test_encrypt_good (void)
test_encrypt_once (0, 100);
mu_test_encrypt_good_long (void)
test_encrypt_once (0, 1000000);
mu_test_encrypt_too_short (void)
test_encrypt_once (1, 87);
mu_test_encrypt_garbage (void)
test_encrypt_once (2, 10023);
mu_test_encrypt_garbage2 (void)
test_encrypt_once (3, 8123);
mu_test_decrypt_wrong_key (void)
test_encrypt_once (4, 81230);
mu_test_export (void)
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
unsigned char raw_bytes[CURVE25519_KEY_LEN];
unsigned char raw_bytes2[CURVE25519_KEY_LEN];
for (int i=0; i< CURVE25519_KEY_LEN; i++) {
raw_bytes[i] = (3*i+7) % 0xFF;
P_CHECKC (PublicKey_import (&pubkey, raw_bytes, CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export (pubkey, raw_bytes2));
for (int i=0; i< CURVE25519_KEY_LEN; i++) {
mu_check (raw_bytes[i] == raw_bytes2[i]);
mu_check (rv == SECSuccess);
PublicKey_clear (pubkey);
mu_test_export_hex (void)
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
const unsigned char hex_bytes[2*CURVE25519_KEY_LEN] = \
const unsigned char hex_bytesl[2*CURVE25519_KEY_LEN] = \
const unsigned char raw_bytes_should[CURVE25519_KEY_LEN] = {
0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0, 0x00,
0x00, 0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99,
0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
unsigned char raw_bytes[CURVE25519_KEY_LEN];
unsigned char hex_bytes2[2*CURVE25519_KEY_LEN+1];
// Make sure that invalid lengths are rejected.
mu_check (PublicKey_import_hex (&pubkey, hex_bytes,
2*CURVE25519_KEY_LEN-1) == SECFailure);
mu_check (PublicKey_import_hex (&pubkey, hex_bytes,
2*CURVE25519_KEY_LEN+1) == SECFailure);
// Import a key in upper-case hex
P_CHECKC (PublicKey_import_hex (&pubkey, hex_bytes, 2*CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export (pubkey, raw_bytes));
PublicKey_clear (pubkey);
pubkey = NULL;
for (int i=0; i<CURVE25519_KEY_LEN; i++) {
mu_check (raw_bytes[i] == raw_bytes_should[i]);
// Import a key in mixed-case hex
P_CHECKC (PublicKey_import_hex (&pubkey, hex_bytesl, 2*CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export (pubkey, raw_bytes));
PublicKey_clear (pubkey);
pubkey = NULL;
for (int i=0; i<CURVE25519_KEY_LEN; i++) {
mu_check (raw_bytes[i] == raw_bytes_should[i]);
mu_check (PublicKey_import (&pubkey, raw_bytes_should,
CURVE25519_KEY_LEN-1) == SECFailure);
mu_check (PublicKey_import (&pubkey, raw_bytes_should,
CURVE25519_KEY_LEN+1) == SECFailure);
// Import a raw key and export as hex
P_CHECKC (PublicKey_import (&pubkey, raw_bytes_should, CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export_hex (pubkey, hex_bytes2));
for (int i=0; i<2*CURVE25519_KEY_LEN; i++) {
mu_check (hex_bytes[i] == hex_bytes2[i]);
mu_ensure (hex_bytes2[2*CURVE25519_KEY_LEN] == '\0');
mu_check (rv == SECSuccess);
PublicKey_clear (pubkey);

@ -1,21 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
//#include <stdio.h>
#include "mutest.h"
mu_test_example (void)
mu_check (1);

View File

* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
#include <mprio.h>
#include <stdio.h>
#include "mutest.h"
#include "prio/config.h"
#include "prio/mparray.h"
#include "prio/poly.h"
#include "prio/util.h"
mu_test__fft_one (void)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
MPArray points_in = NULL;
MPArray points_out = NULL;
P_CHECKA (cfg = PrioConfig_newTest (123));
P_CHECKA (points_in = MPArray_new (1));
P_CHECKA (points_out = MPArray_new (1));
mp_set (&points_in->data[0], 3);
mu_check (poly_fft (points_out, points_in, cfg, false) == SECSuccess);
mu_check (mp_cmp_d(&points_in->data[0], 3) == 0);
mu_check (mp_cmp_d(&points_out->data[0], 3) == 0);
mu_check (rv == SECSuccess);
MPArray_clear (points_in);
MPArray_clear (points_out);
PrioConfig_clear (cfg);
mu_test__fft_roots (void)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
mp_int tmp;
MP_DIGITS (&tmp) = NULL;
P_CHECKA (cfg = PrioConfig_newTest (90));
MP_CHECKC (mp_init (&tmp));
mp_int roots[4];
poly_fft_get_roots (roots, 4, cfg, false);
for (int i=0; i<4; i++) {
mp_exptmod_d(&roots[i], 4, &cfg->modulus, &tmp);
mu_check (mp_cmp_d( &tmp, 1) == 0);
mu_check (rv == SECSuccess);
mp_clear (&tmp);
PrioConfig_clear (cfg);
mu_test__fft_simple (void)
SECStatus rv = SECSuccess;
const int nPoints = 4;
PrioConfig cfg = NULL;
MPArray points_in = NULL;
MPArray points_out = NULL;
mp_int should_be, tmp;
mp_int roots[nPoints];
MP_DIGITS (&should_be) = NULL;
MP_DIGITS (&tmp) = NULL;
for (int i=0; i<nPoints; i++) {
MP_DIGITS (&roots[i]) = NULL;
P_CHECKA (cfg = PrioConfig_newTest (140));
P_CHECKA (points_in = MPArray_new (nPoints));
P_CHECKA (points_out = MPArray_new (nPoints));
MP_CHECKC (mp_init (&should_be));
MP_CHECKC (mp_init (&tmp));
poly_fft_get_roots (roots, nPoints, cfg, false);
mp_set (&points_in->data[0], 3);
mp_set (&points_in->data[1], 8);
mp_set (&points_in->data[2], 7);
mp_set (&points_in->data[3], 9);
mu_check (poly_fft (points_out, points_in, cfg, false) == SECSuccess);
for (int i=0; i<nPoints; i++) {
mp_set (&should_be, 0);
for (int j=0; j<nPoints; j++) {
mu_check (mp_exptmod_d(&roots[i], j, &cfg->modulus, &tmp) == MP_OKAY);
mu_check (mp_mulmod(&tmp, &points_in->data[j], &cfg->modulus, &tmp) == MP_OKAY);
mu_check (mp_addmod(&should_be, &tmp, &cfg->modulus, &should_be) == MP_OKAY);
puts("Should be:");
mp_print(&should_be, stdout);
mp_print(&points_out[i], stdout);
mu_check (mp_cmp (&should_be, &points_out->data[i]) == 0);
mu_check (rv == SECSuccess);
mp_clear (&tmp);
mp_clear (&should_be);
MPArray_clear (points_in);
MPArray_clear (points_out);
PrioConfig_clear (cfg);
mu_test__fft_invert (void)
SECStatus rv = SECSuccess;
const int nPoints = 8;
PrioConfig cfg = NULL;
MPArray points_in = NULL;
MPArray points_out = NULL;
MPArray points_out2 = NULL;
mp_int roots[nPoints];
P_CHECKA (cfg = PrioConfig_newTest (91));
P_CHECKA (points_in = MPArray_new (nPoints));
P_CHECKA (points_out = MPArray_new (nPoints));
P_CHECKA (points_out2 = MPArray_new (nPoints));
poly_fft_get_roots (roots, nPoints, cfg, false);
mp_set (&points_in->data[0], 3);
mp_set (&points_in->data[1], 8);
mp_set (&points_in->data[2], 7);
mp_set (&points_in->data[3], 9);
mp_set (&points_in->data[4], 123);
mp_set (&points_in->data[5], 123123987);
mp_set (&points_in->data[6], 2);
mp_set (&points_in->data[7], 0);
mu_check (poly_fft(points_out, points_in, cfg, false) == SECSuccess);
mu_check (poly_fft(points_out2, points_out, cfg, true) == SECSuccess);
for (int i=0; i<nPoints; i++) {
mu_check (mp_cmp (&points_out2->data[i], &points_in->data[i]) == 0);
mu_check (rv == SECSuccess);
MPArray_clear (points_in);
MPArray_clear (points_out);
MPArray_clear (points_out2);
PrioConfig_clear (cfg);

@ -1,65 +0,0 @@
#!/usr/bin/env bash
# This file is part of mutest, a simple micro unit testing framework for C.
# mutest was written by Leandro Lucarella <llucax@gmail.com> and is released
# under the BOLA license, please see the LICENSE file or visit:
# http://blitiri.com.ar/p/bola/
# This is a simple script to generate a C file that runs all the test suites
# present in .o files passed as arguments.
# Please, read the README file for more details.
# the trick here is getting all the test cases present in an object file using
# nm. All the tests must take and return void, start with "mutest_" and, of
# course, should not be static, which leads to a small limitation: all test
# cases must have unique names, even across test suites.
# the first argument should be mutest.h
if [ -z "$1" ]
echo "Too few arguments" >&2
echo "Usage: $0 mutest_h_location [object files...]" >&2
exit 1
echo "#include \"$mutest_h\""
echo "void mu_run_suites() {"
for file in "$@"
pr_file=`echo "$file" | sed 's/\"/\\\\\"/g'`
suite=`basename "$file" .o | sed 's/\"/\\\\\"/g'`
#symbols=`nm "$file" | egrep '^[[:xdigit:]]{8} T mu_\w+$' | cut -c12-`
symbols=`nm "$file" | egrep ' T _mu_\w+$' | cut -c21-`
symbols+=`nm "$file" | egrep ' T mu_\w+$' | cut -c20-`
tests=`echo "$symbols" | egrep '^mu_test'`
inits=`echo "$symbols" | egrep '^mu_init'`
terms=`echo "$symbols" | egrep '^mu_term'`
echo -e '\tdo {'
echo -e '\t\tmutest_suite_name = "'"$suite"'";'
echo -e '\t\tmu_print(MU_SUITE, "\\nRunning suite '"'$suite'"'\\n");'
for init in $inits
echo -e "\\t\\tmu_run_init($init);"
for testcase in $tests
echo -e "\t\tmu_run_case($testcase);"
for term in $terms
echo -e "\t\tmu_run_term($term);"
echo -e "\t\tif (mutest_suite_failed) ++mutest_failed_suites;"
echo -e "\t\telse ++mutest_passed_suites;"
echo -e "\t\tmutest_suite_failed = 0;"
echo -e '\t} while (0);'
echo "}"

@ -1,38 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
#include "mutest.h"
mu_test_mpi__add (void)
mp_int a;
mp_int b;
mp_int c;
mu_check (mp_init (&a) == MP_OKAY);
mu_check (mp_init (&b) == MP_OKAY);
mu_check (mp_init (&c) == MP_OKAY);
mp_set (&a, 10);
mp_set (&b, 7);
mp_add (&a, &b, &c);
mp_set (&a, 17);
mu_check (mp_cmp (&a, &c) == 0);
mp_clear (&a);
mp_clear (&b);
mp_clear (&c);

@ -1,94 +0,0 @@
* This file is part of mutest, a simple micro unit testing framework for C.
* mutest was written by Leandro Lucarella <llucax@gmail.com> and is released
* under the BOLA license, please see the LICENSE file or visit:
* http://blitiri.com.ar/p/bola/
* This is the main program, it runs all the test suites and shows the
* results. The main work (of running the test suite) is done by the (usually)
* synthesized mu_run_suites() function, which can be generated using the
* mkmutest script (or written manually).
* Please, read the README file for more details.
#include <mprio.h>
#include <stdio.h> /* printf(), fprintf() */
#include <string.h> /* strncmp() */
#include "mutest.h" /* MU_* constants, mu_print() */
* note that all global variables are public because they need to be accessed
* from other modules, like the test suites or the module implementing
* mu_run_suites()
/* globals for managing test suites */
const char* mutest_suite_name;
int mutest_failed_suites;
int mutest_passed_suites;
int mutest_skipped_suites;
int mutest_suite_failed;
/* globals for managing test cases */
const char* mutest_case_name;
int mutest_failed_cases;
int mutest_passed_cases;
int mutest_case_failed;
/* globals for managing checks */
int mutest_failed_checks;
int mutest_passed_checks;
/* verbosity level, see mutest.h */
int mutest_verbose_level = 1; /* exported for use in test suites */
* only -v is supported right now, both "-v -v" and "-vv" are accepted for
* increasing the verbosity by 2.
void parse_args(__attribute__((unused)) int argc, char* argv[]) {
while (*++argv) {
if (strncmp(*argv, "-v", 2) == 0) {
char* c = (*argv) + 1;
while (*++c) {
if (*c != 'v')
int main(int argc, char* argv[]) {
Prio_init ();
parse_args(argc, argv);
Prio_clear ();
mu_print(MU_SUMMARY, "\n"
"Tests done:\n"
"\t%d test suite(s) passed, %d failed, %d skipped.\n"
"\t%d test case(s) passed, %d failed.\n"
"\t%d check(s) passed, %d failed.\n"
mutest_passed_suites, mutest_failed_suites,
mutest_passed_cases, mutest_failed_cases,
mutest_passed_checks, mutest_failed_checks);
return (mutest_failed_suites + mutest_skipped_suites) ? 1 : 0;

@ -1,248 +0,0 @@
* This file is part of mutest, a simple micro unit testing framework for C.
* mutest was written by Leandro Lucarella <llucax@gmail.com> and is released
* under the BOLA license, please see the LICENSE file or visit:
* http://blitiri.com.ar/p/bola/
* This header file should be included in the source files that will make up
* a test suite. It's used for both C and Python implementation, but when
* using the Python implementation you should define the MUTEST_PY macro.
* If you implement your mu_run_suites() function yourself, you probably will
* need to include this header too (see mkmutest).
* Please, read the README file for more details.
#include <stdio.h> /* fprintf() */
#ifdef __cplusplus
extern "C" {
/* verbosity level (each level shows all the previous levels too) */
enum {
MU_QUIET = 0, /* be completely quiet */
MU_ERROR, /* shows errors only */
MU_SUMMARY, /* shows a summary */
MU_SUITE, /* shows test suites progress */
MU_CASE, /* shows test cases progress */
MU_CHECK /* shows the current running check */
/* print a message according to the verbosity level */
#define mu_print(level, ...) \
do { \
if (mutest_verbose_level >= level) { \
if (mutest_verbose_level == MU_ERROR) \
fprintf(stderr, __VA_ARGS__); \
else \
fprintf(stdout, __VA_ARGS__); \
} \
} while (0)
/* print an error message */
#define mu_printerr(name, action) \
mu_print(MU_ERROR, __FILE__ ":%d: " name " failed, "\
action " test case\n", __LINE__);
/* modify the internal state so a failure gets counted */
#define mutest_count_err ++mutest_failed_checks; mutest_case_failed = 1;
/* modify the internal state so a success gets counted */
#define mutest_count_suc ++mutest_passed_checks;
#ifdef __cplusplus
#include <exception>
/* print an error message triggered by a C++ exception */
#define mu_printex(name, action, ex) \
mu_print(MU_ERROR, __FILE__ ":%d: " name " failed, " \
"exception thrown (%s), " action \
" test case\n", __LINE__, ex);
#define mutest_try try {
#define mutest_catch(name, action, final) \
} catch (const std::exception& e) { \
mutest_count_err \
mu_printex(name, action, e.what()); \
final; \
} catch (...) { \
mutest_count_err \
mu_printex(name, action, "[unknown]"); \
final; \
#else /* !__cplusplus */
#define mutest_try
#define mutest_catch(name, action, exp)
#endif /* __cplusplus */
/* check that an expression evaluates to true, continue if the check fails */
#define mu_check_base(exp, name, action, final) \
do { \
mu_print(MU_CHECK, "\t\t* Checking " name "(" #exp ")...\n"); \
mutest_try \
if (exp) mutest_count_suc \
else { \
mutest_count_err \
mu_printerr(name "(" #exp ")", action); \
final; \
} \
mutest_catch(name, action, final) \
} while (0)
/* check that an expression evaluates to true, continue if the check fails */
#define mu_check(exp) mu_check_base(exp, "mu_check", "resuming", continue)
* ensure that an expression evaluates to true, abort the current test
* case if the check fails
#define mu_ensure(exp) mu_check_base(exp, "mu_ensure", "aborting", return)
#ifdef __cplusplus
#define mu_echeck_base(ex, exp, name, action, final) \
do { \
mu_print(MU_CHECK, "\t\t* Checking " name "(" #ex ", " #exp \
")...\n"); \
try { \
exp; \
mutest_count_err \
mu_printerr(name "(" #ex ", " #exp ")", \
"no exception thrown, " action); \
final; \
} catch (const ex& e) { \
mutest_count_suc \
} catch (const std::exception& e) { \
mutest_count_err \
mu_printex(name "(" #ex ", " #exp ")", action, \
e.what()); \
final; \
} catch (...) { \
mutest_count_err \
mu_printex(name "(" #ex ", " #exp ")", action, \
"[unknown]"); \
final; \
} \
} while (0)
* check that an expression throws a particular exception, continue if the
* check fails
#define mu_echeck(ex, exp) \
mu_echeck_base(ex, exp, "mu_echeck", "resuming", continue)
* ensure that an expression throws a particular exception, abort the current
* test case if the check fails
#define mu_eensure(ex, exp) \
mu_echeck_base(ex, exp, "mu_eensure", "aborting", return)
#endif /* __cplusplus */
#ifndef MUTEST_PY /* we are using the C implementation */
* this function implements the test suites execution, you should generate
* a module with this function using mkmutest, or take a look to that script
* if you want to implement your own customized version */
void mu_run_suites();
/* macro for running a single initialization function */
#ifndef mu_run_init
#define mu_run_init(name) \
{ \
int name(); \
int r; \
mu_print(MU_CASE, "\t+ Executing initialization function " \
"'" #name "'...\n"); \
if ((r = name())) { \
mu_print(MU_ERROR, "%s:" #name ": initialization " \
"function failed (returned %d), " \
"skipping test suite...\n", \
mutest_suite_name, r); \
++mutest_skipped_suites; \
break; \
} \
} do { } while (0)
#endif /* mu_run_init */
/* macro for running a single test case */
#ifndef mu_run_case
#define mu_run_case(name) \
do { \
mu_print(MU_CASE, "\t* Executing test case '" #name "'...\n");\
mutest_case_name = #name; \
void name(); \
name(); \
if (mutest_case_failed) { \
++mutest_failed_cases; \
mutest_suite_failed = 1; \
} else ++mutest_passed_cases; \
mutest_case_failed = 0; \
} while (0)
#endif /* mu_run_case */
/* macro for running a single termination function */
#ifndef mu_run_term
#define mu_run_term(name) \
do { \
mu_print(MU_CASE, "\t- Executing termination function '" \
#name "'...\n"); \
void name(); \
name(); \
} while (0)
#endif /* mu_run_term */
* mutest exported variables for internal use, do not use directly unless you
* know what you're doing.
extern const char* mutest_suite_name;
extern int mutest_failed_suites;
extern int mutest_passed_suites;
extern int mutest_skipped_suites;
extern int mutest_suite_failed;
/* test cases */
extern const char* mutest_case_name;
extern int mutest_failed_cases;
extern int mutest_passed_cases;
extern int mutest_case_failed;
/* checks */
extern int mutest_failed_checks;
extern int mutest_passed_checks;
/* verbosity */
extern int mutest_verbose_level;
#else /* MUTEST_PY is defined, using the Python implementation */
/* this increments when the "API" changes, it's just for sanity check */
int mutest_api_version = 1;
int mutest_case_failed; /* unused, for C implementation compatibility */
int mutest_passed_checks;
int mutest_failed_checks;
void mutest_reset_counters() {
mutest_passed_checks = 0;
mutest_failed_checks = 0;
int mutest_verbose_level = MU_ERROR;
void mutest_set_verbose_level(int val) {
mutest_verbose_level = val;
#endif /* MUTEST_PY */
#ifdef __cplusplus

@ -1,345 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
#include "mutest.h"
#include "prio/prg.h"
#include "prio/util.h"
mu_test__prg_simple (void)
SECStatus rv = SECSuccess;
PrioPRGSeed key;
PRG prg = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
mu_check (rv == SECSuccess);
PRG_clear (prg);
mu_test__prg_repeat (void)
SECStatus rv = SECSuccess;
const int buflen = 10000;
unsigned char buf1[buflen];
unsigned char buf2[buflen];
PrioPRGSeed key;
PRG prg1 = NULL;
PRG prg2 = NULL;
buf1[3] = 'a';
buf2[3] = 'b';
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg1 = PRG_new (key));
P_CHECKA (prg2 = PRG_new (key));
P_CHECKC (PRG_get_bytes (prg1, buf1, buflen));
P_CHECKC (PRG_get_bytes (prg2, buf2, buflen));
bool all_zero = true;
for (int i=0; i<buflen; i++) {
mu_check (buf1[i] == buf2[i]);
if (buf1[i]) all_zero = false;
mu_check (!all_zero);
mu_check (rv == SECSuccess);
PRG_clear (prg1);
PRG_clear (prg2);
mu_test__prg_repeat_int (void)
SECStatus rv = SECSuccess;
const int tries = 10000;
mp_int max;
mp_int out1;
mp_int out2;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out1) = NULL;
MP_DIGITS (&out2) = NULL;
PrioPRGSeed key;
PRG prg1 = NULL;
PRG prg2 = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg1 = PRG_new (key));
P_CHECKA (prg2 = PRG_new (key));
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out1));
MP_CHECKC (mp_init (&out2));
for (int i=0; i<tries; i++) {
mp_set (&max, i+1);
P_CHECKC (PRG_get_int (prg1, &out1, &max));
P_CHECKC (PRG_get_int (prg2, &out2, &max));
mu_check (mp_cmp (&out1, &out2) == 0);
mu_check (rv == SECSuccess);
PRG_clear (prg1);
PRG_clear (prg2);
mp_clear (&max);
mp_clear (&out1);
mp_clear (&out2);
test_prg_once (int limit)
SECStatus rv = SECSuccess;
PrioPRGSeed key;
mp_int max;
mp_int out;
PRG prg = NULL;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out));
mp_set (&max, limit);
P_CHECKC (PRG_get_int (prg, &out, &max));
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
mu_check (rv == SECSuccess);
mp_clear (&max);
mp_clear (&out);
PRG_clear (prg);
mu_test_prg__multiple_of_8 (void)
test_prg_once (256);
test_prg_once (256*256);
mu_test_prg__near_multiple_of_8 (void)
test_prg_once (256+1);
test_prg_once (256*256+1);
mu_test_prg__odd (void)
test_prg_once (39);
test_prg_once (123);
test_prg_once (993123);
mu_test_prg__large (void)
test_prg_once (1231239933);
test_prg_once (1);
for (int i = 0; i < 100; i++)
test_prg_once (2);
test_prg_distribution (int limit)
int bins[limit];
SECStatus rv = SECSuccess;
PrioPRGSeed key;
mp_int max;
mp_int out;
PRG prg = NULL;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out));
mp_set (&max, limit);
for (int i = 0; i < limit; i++) {
bins[i] = 0;
for (int i = 0; i < limit*limit; i++) {
P_CHECKC (PRG_get_int (prg, &out, &max));
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned char ival[2] = {0x00, 0x00};
MP_CHECKC (mp_to_fixlen_octets (&out, ival, 2));
if (ival[1] + 256*ival[0] < limit) {
bins[ival[1] + 256*ival[0]] += 1;
} else {
mu_check (false);
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
mu_check (rv == SECSuccess);
mp_clear (&max);
mp_clear (&out);
PRG_clear (prg);
mu_test__prg_distribution123 (void)
mu_test__prg_distribution257 (void)
mu_test__prg_distribution259 (void)
test_prg_distribution_large (mp_int *max)
const int limit = 16;
int bins[limit];
SECStatus rv = SECSuccess;
PrioPRGSeed key;
mp_int out;
PRG prg = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
MP_CHECKC (mp_init (&out));
for (int i = 0; i < limit; i++) {
bins[i] = 0;
for (int i = 0; i < 100*limit*limit; i++) {
MP_CHECKC (PRG_get_int (prg, &out, max));
mu_check (mp_cmp (&out, max) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned long res;
MP_CHECKC (mp_mod_d (&out, limit, &res));
bins[res] += 1;
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
mu_check (rv == SECSuccess);
mp_clear (&out);
PRG_clear (prg);
mu_test__prg_distribution_large (void)
SECStatus rv = SECSuccess;
mp_int max;
MP_DIGITS (&max) = NULL;
MP_CHECKC (mp_init (&max));
char bytes[] = "FF1230985198451798EDC8123";
MP_CHECKC (mp_read_radix (&max, bytes, 16));
test_prg_distribution_large (&max);
mu_check (rv == SECSuccess);
mp_clear (&max);
mu_test__prg_share_arr (void)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
MPArray arr = NULL;
MPArray arr_share = NULL;
PRG prg = NULL;
PrioPRGSeed seed;
P_CHECKA (cfg = PrioConfig_newTest (72));
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKA (arr = MPArray_new (10));
P_CHECKA (arr_share = MPArray_new (10));
P_CHECKA (prg = PRG_new (seed));
for (int i=0; i<10; i++) {
mp_set (&arr->data[i], i);
P_CHECKC (PRG_share_array (prg, arr_share, arr, cfg));
// Reset PRG
PRG_clear (prg);
P_CHECKA (prg = PRG_new (seed));
// Read pseudorandom values into arr
P_CHECKC (PRG_get_array (prg, arr, &cfg->modulus));
for (int i=0; i<10; i++) {
MP_CHECKC (mp_addmod (&arr->data[i], &arr_share->data[i],
&cfg->modulus, &arr->data[i]));
mu_check (mp_cmp_d (&arr->data[i], i) == 0);
mu_check (rv == SECSuccess);
PRG_clear (prg);
MPArray_clear (arr);
MPArray_clear (arr_share);
PrioConfig_clear (cfg);

@ -1,194 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
#include "mutest.h"
#include "prio/rand.h"
#include "prio/util.h"
mu_test__util_msb_mast (void)
mu_check (msb_mask (0x01) == 0x01);
mu_check (msb_mask (0x02) == 0x03);
mu_check (msb_mask (0x0C) == 0x0F);
mu_check (msb_mask (0x1C) == 0x1F);
mu_check (msb_mask (0xFF) == 0xFF);
test_rand_once (int limit)
mp_int max;
mp_int out;
mu_check (mp_init (&max) == MP_OKAY);
mu_check (mp_init (&out) == MP_OKAY);
mp_set (&max, limit);
mu_check (rand_int (&out, &max) == MP_OKAY);
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
mp_clear (&max);
mp_clear (&out);
mu_test_rand__multiple_of_8 (void)
test_rand_once (256);
test_rand_once (256*256);
mu_test_rand__near_multiple_of_8 (void)
test_rand_once (256+1);
test_rand_once (256*256+1);
mu_test_rand__odd (void)
test_rand_once (39);
test_rand_once (123);
test_rand_once (993123);
mu_test_rand__large (void)
test_rand_once (1231239933);
test_rand_once (1);
for (int i = 0; i < 100; i++)
test_rand_once (2);
test_rand_distribution (int limit)
SECStatus rv = SECSuccess;
int bins[limit];
mp_int max;
mp_int out;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out) = NULL;
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out));
mp_set (&max, limit);
for (int i = 0; i < limit; i++) {
bins[i] = 0;
for (int i = 0; i < limit*limit; i++) {
mu_check (rand_int (&out, &max) == MP_OKAY);
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned char ival[2] = {0x00, 0x00};
MP_CHECKC (mp_to_fixlen_octets (&out, ival, 2));
if (ival[1] + 256*ival[0] < limit) {
bins[ival[1] + 256*ival[0]] += 1;
} else {
mu_check (false);
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
mu_check (rv == SECSuccess);
mp_clear (&max);
mp_clear (&out);
mu_test__rand_distribution123 (void)
mu_test__rand_distribution257 (void)
mu_test__rand_distribution259 (void)
test_rand_distribution_large (mp_int *max)
SECStatus rv = SECSuccess;
int limit = 16;
int bins[limit];
mp_int out;
MP_DIGITS (&out) = NULL;
MP_CHECKC (mp_init (&out));
for (int i = 0; i < limit; i++) {
bins[i] = 0;
for (int i = 0; i < 100*limit*limit; i++) {
MP_CHECKC (rand_int (&out, max));
mu_check (mp_cmp (&out, max) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned long res;
MP_CHECKC (mp_mod_d (&out, limit, &res));
bins[res] += 1;
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
mu_check (rv == SECSuccess);
mp_clear (&out);
mu_test__rand_distribution_large (void)
SECStatus rv = SECSuccess;
mp_int max;
MP_DIGITS (&max) = NULL;
MP_CHECKC (mp_init (&max));
char bytes[] = "FF1230985198451798EDC8123";
MP_CHECKC (mp_read_radix (&max, bytes, 16));
test_rand_distribution_large (&max);
mu_check (rv == SECSuccess);
mp_clear (&max);

@ -1,319 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mprio.h>
#include <msgpack.h>
#include <string.h>
#include "mutest.h"
#include "prio/client.h"
#include "prio/config.h"
#include "prio/serial.h"
#include "prio/server.h"
#include "prio/util.h"
gen_client_packets (const_PrioConfig cfg, PrioPacketClient pA, PrioPacketClient pB)
SECStatus rv = SECSuccess;
const int ndata = cfg->num_data_fields;
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
P_CHECKC (PrioPacketClient_set_data (cfg, data_items, pA, pB));
return rv;
void serial_client (int bad)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
PrioConfig cfg2 = NULL;
PrioPacketClient pA = NULL;
PrioPacketClient pB = NULL;
PrioPacketClient qA = NULL;
PrioPacketClient qB = NULL;
const unsigned char *batch_id1 = (unsigned char *)"my_test_prio_batch1";
const unsigned char *batch_id2 = (unsigned char *)"my_test_prio_batch2";
const unsigned int batch_id_len = strlen ((char *)batch_id1);
msgpack_sbuffer sbufA, sbufB;
msgpack_packer pkA, pkB;
msgpack_unpacker upkA, upkB;
msgpack_sbuffer_init (&sbufA);
msgpack_packer_init (&pkA, &sbufA, msgpack_sbuffer_write);
msgpack_sbuffer_init (&sbufB);
msgpack_packer_init (&pkB, &sbufB, msgpack_sbuffer_write);
P_CHECKA (cfg = PrioConfig_new (100, NULL, NULL, batch_id1, batch_id_len));
P_CHECKA (cfg2 = PrioConfig_new (100, NULL, NULL, batch_id2, batch_id_len));
P_CHECKA (pA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (pB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
P_CHECKA (qA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (qB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
P_CHECKC (gen_client_packets (cfg, pA, pB));
P_CHECKC (serial_write_packet_client (&pkA, pA, cfg));
P_CHECKC (serial_write_packet_client (&pkB, pB, cfg));
if (bad == 1) {
sbufA.size = 1;
if (bad == 2) {
memset (sbufA.data, 0, sbufA.size);
const int size_a = sbufA.size;
const int size_b = sbufB.size;
P_CHECKCB (msgpack_unpacker_init (&upkA, 0));
P_CHECKCB (msgpack_unpacker_init (&upkB, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upkA, size_a));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upkB, size_b));
memcpy (msgpack_unpacker_buffer (&upkA), sbufA.data, size_a);
memcpy (msgpack_unpacker_buffer (&upkB), sbufB.data, size_b);
msgpack_unpacker_buffer_consumed (&upkA, size_a);
msgpack_unpacker_buffer_consumed (&upkB, size_b);
P_CHECKC (serial_read_packet_client (&upkA, qA, cfg));
P_CHECKC (serial_read_packet_client (&upkB, qB, (bad == 3) ? cfg2 : cfg));
if (!bad) {
mu_check (PrioPacketClient_areEqual (pA, qA));
mu_check (PrioPacketClient_areEqual (pB, qB));
mu_check (!PrioPacketClient_areEqual (pB, qA));
mu_check (!PrioPacketClient_areEqual (pA, qB));
PrioPacketClient_clear (pA);
PrioPacketClient_clear (pB);
PrioPacketClient_clear (qA);
PrioPacketClient_clear (qB);
PrioConfig_clear (cfg);
PrioConfig_clear (cfg2);
msgpack_sbuffer_destroy (&sbufA);
msgpack_sbuffer_destroy (&sbufB);
msgpack_unpacker_destroy (&upkA);
msgpack_unpacker_destroy (&upkB);
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
void mu_test__serial_client (void)
serial_client (0);
void mu_test__serial_client_bad1 (void)
serial_client (1);
void mu_test__serial_client_bad2 (void)
serial_client (2);
void mu_test__serial_client_bad3 (void)
serial_client (3);
void test_verify1 (int bad)
SECStatus rv = SECSuccess;
PrioPacketVerify1 v1 = NULL;
PrioPacketVerify1 v2 = NULL;
PrioConfig cfg = NULL;
P_CHECKA (cfg = PrioConfig_newTest (1));
P_CHECKA (v1 = PrioPacketVerify1_new());
P_CHECKA (v2 = PrioPacketVerify1_new());
mp_set (&v1->share_d, 4);
mp_set (&v1->share_e, 10);
msgpack_sbuffer sbuf;
msgpack_packer pk;
msgpack_unpacker upk;
msgpack_sbuffer_init (&sbuf);
msgpack_packer_init (&pk, &sbuf, msgpack_sbuffer_write);
P_CHECKC (PrioPacketVerify1_write (v1, &pk));
if (bad == 1) {
mp_set (&cfg->modulus, 6);
P_CHECKCB (msgpack_unpacker_init (&upk, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upk, sbuf.size));
memcpy (msgpack_unpacker_buffer (&upk), sbuf.data, sbuf.size);
msgpack_unpacker_buffer_consumed (&upk, sbuf.size);
P_CHECKC (PrioPacketVerify1_read (v2, &upk, cfg));
mu_check (!mp_cmp (&v1->share_d, &v2->share_d));
mu_check (!mp_cmp (&v1->share_e, &v2->share_e));
mu_check (!mp_cmp_d (&v2->share_d, 4));
mu_check (!mp_cmp_d (&v2->share_e, 10));
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
PrioConfig_clear (cfg);
PrioPacketVerify1_clear (v1);
PrioPacketVerify1_clear (v2);
msgpack_unpacker_destroy (&upk);
msgpack_sbuffer_destroy (&sbuf);
void mu_test_verify1_good (void)
test_verify1 (0);
void mu_test_verify1_bad (void)
test_verify1 (1);
void test_verify2 (int bad)
SECStatus rv = SECSuccess;
PrioPacketVerify2 v1 = NULL;
PrioPacketVerify2 v2 = NULL;
PrioConfig cfg = NULL;
P_CHECKA (cfg = PrioConfig_newTest (1));
P_CHECKA (v1 = PrioPacketVerify2_new());
P_CHECKA (v2 = PrioPacketVerify2_new());
mp_set (&v1->share_out, 4);
msgpack_sbuffer sbuf;
msgpack_packer pk;
msgpack_unpacker upk;
msgpack_sbuffer_init (&sbuf);
msgpack_packer_init (&pk, &sbuf, msgpack_sbuffer_write);
P_CHECKC (PrioPacketVerify2_write (v1, &pk));
if (bad == 1) {
mp_set (&cfg->modulus, 4);
P_CHECKCB (msgpack_unpacker_init (&upk, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upk, sbuf.size));
memcpy (msgpack_unpacker_buffer (&upk), sbuf.data, sbuf.size);
msgpack_unpacker_buffer_consumed (&upk, sbuf.size);
P_CHECKC (PrioPacketVerify2_read (v2, &upk, cfg));
mu_check (!mp_cmp (&v1->share_out, &v2->share_out));
mu_check (!mp_cmp_d (&v2->share_out, 4));
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
PrioConfig_clear (cfg);
PrioPacketVerify2_clear (v1);
PrioPacketVerify2_clear (v2);
msgpack_unpacker_destroy (&upk);
msgpack_sbuffer_destroy (&sbuf);
void mu_test_verify2_good (void)
test_verify2 (0);
void mu_test_verify2_bad (void)
test_verify2 (1);
void test_total_share (int bad)
SECStatus rv = SECSuccess;
PrioTotalShare t1 = NULL;
PrioTotalShare t2 = NULL;
PrioConfig cfg = NULL;
P_CHECKA (cfg = PrioConfig_newTest ((bad == 2 ? 4 : 3)));
P_CHECKA (t1 = PrioTotalShare_new ());
P_CHECKA (t2 = PrioTotalShare_new ());
t1->idx = PRIO_SERVER_A;
P_CHECKC (MPArray_resize (t1->data_shares, 3));
mp_set (&t1->data_shares->data[0], 10);
mp_set (&t1->data_shares->data[1], 20);
mp_set (&t1->data_shares->data[2], 30);
msgpack_sbuffer sbuf;
msgpack_packer pk;
msgpack_unpacker upk;
msgpack_sbuffer_init (&sbuf);
msgpack_packer_init (&pk, &sbuf, msgpack_sbuffer_write);
P_CHECKC (PrioTotalShare_write (t1, &pk));
if (bad == 1) {
mp_set (&cfg->modulus, 4);
P_CHECKCB (msgpack_unpacker_init (&upk, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upk, sbuf.size));
memcpy (msgpack_unpacker_buffer (&upk), sbuf.data, sbuf.size);
msgpack_unpacker_buffer_consumed (&upk, sbuf.size);
P_CHECKC (PrioTotalShare_read (t2, &upk, cfg));
mu_check (t1->idx == t2->idx);
mu_check (MPArray_areEqual (t1->data_shares, t2->data_shares));
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
PrioConfig_clear (cfg);
PrioTotalShare_clear (t1);
PrioTotalShare_clear (t2);
msgpack_unpacker_destroy (&upk);
msgpack_sbuffer_destroy (&sbuf);
void mu_test_total_good (void)
test_total_share (0);
void mu_test_total_bad1 (void)
test_total_share (1);
void mu_test_total_bad2 (void)
test_total_share (2);

@ -1,298 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
#include <mprio.h>
#include "mutest.h"
#include "prio/client.h"
#include "prio/server.h"
#include "prio/server.c"
void mu_test__eval_poly (void)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
MPArray coeffs = NULL;
mp_int eval_at, out;
MP_DIGITS (&eval_at) = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKA (cfg = PrioConfig_newTest (54));
P_CHECKA (coeffs = MPArray_new (3));
mp_set (&coeffs->data[0], 2);
mp_set (&coeffs->data[1], 8);
mp_set (&coeffs->data[2], 3);
MP_CHECKC (mp_init (&eval_at));
MP_CHECKC (mp_init (&out));
mp_set (&eval_at, 7);
const int val = 3*7*7 + 8*7 + 2;
mu_check (poly_eval (&out, coeffs, &eval_at, cfg) == SECSuccess);
mu_check (mp_cmp_d (&out, val) == 0);
mu_check (rv == SECSuccess);
mp_clear (&out);
mp_clear (&eval_at);
MPArray_clear (coeffs);
PrioConfig_clear (cfg);
mu_test__verify_new (void)
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
unsigned char *for_a = NULL;
unsigned char *for_b = NULL;
mp_int fR, gR, hR;
PrioPRGSeed seed;
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
P_CHECKA (cfg = PrioConfig_new (214, pkA, pkB,
(unsigned char *)"testbatch", 9));
const int ndata = PrioConfig_numDataFields (cfg);
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
P_CHECKA (sA = PrioServer_new (cfg, 0, skA, seed));
P_CHECKA (sB = PrioServer_new (cfg, 1, skB, seed));
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items, &for_a, &aLen, &for_b, &bLen));
MP_CHECKC (mp_init (&fR));
MP_CHECKC (mp_init (&gR));
MP_CHECKC (mp_init (&hR));
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
P_CHECKC (PrioVerifier_set_data (vA, for_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_b, bLen));
PrioPacketClient pA = vA->clientp;
PrioPacketClient pB = vB->clientp;
MP_CHECKC (mp_addmod (&pA->f0_share, &pB->f0_share, &cfg->modulus, &fR));
MP_CHECKC (mp_addmod (&pA->g0_share, &pB->g0_share, &cfg->modulus, &gR));
MP_CHECKC (mp_addmod (&pA->h0_share, &pB->h0_share, &cfg->modulus, &hR));
MP_CHECKC (mp_mulmod (&fR, &gR, &cfg->modulus, &fR));
mu_check (mp_cmp (&fR, &hR) == 0);
MP_CHECKC (mp_addmod (&vA->share_fR, &vB->share_fR, &cfg->modulus, &fR));
MP_CHECKC (mp_addmod (&vA->share_gR, &vB->share_gR, &cfg->modulus, &gR));
MP_CHECKC (mp_addmod (&vA->share_hR, &vB->share_hR, &cfg->modulus, &hR));
MP_CHECKC (mp_mulmod (&fR, &gR, &cfg->modulus, &fR));
//puts ("fR");
//mp_print (&fR, stdout);
//puts ("hR");
//mp_print (&hR, stdout);
mu_check (mp_cmp (&fR, &hR) == 0);
mu_check (rv == SECSuccess);
if (for_a) free (for_a);
if (for_b) free (for_b);
mp_clear (&fR);
mp_clear (&gR);
mp_clear (&hR);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
verify_full (int tweak)
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
PrioPacketVerify1 p1A = NULL;
PrioPacketVerify1 p1B = NULL;
PrioPacketVerify2 p2A = NULL;
PrioPacketVerify2 p2B = NULL;
unsigned char *for_a = NULL;
unsigned char *for_b = NULL;
mp_int fR, gR, hR;
PrioPRGSeed seed;
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
P_CHECKA (cfg = PrioConfig_new (47, pkA, pkB, (unsigned char *)"test4", 5));
const int ndata = PrioConfig_numDataFields (cfg);
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
P_CHECKA (sA = PrioServer_new (cfg, 0, skA, seed));
P_CHECKA (sB = PrioServer_new (cfg, 1, skB, seed));
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items, &for_a, &aLen, &for_b, &bLen));
if (tweak == 5) {
for_a[3] = 3;
for_a[4] = 4;
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
P_CHECKC (PrioVerifier_set_data (vA, for_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_b, bLen));
if (tweak == 3) {
mp_add_d (&vA->share_fR, 1, &vA->share_fR);
if (tweak == 4) {
mp_add_d (&vB->share_gR, 1, &vB->share_gR);
P_CHECKA (p1A = PrioPacketVerify1_new ());
P_CHECKA (p1B = PrioPacketVerify1_new ());
P_CHECKC (PrioPacketVerify1_set_data (p1A, vA));
P_CHECKC (PrioPacketVerify1_set_data (p1B, vB));
if (tweak == 1) {
mp_add_d (&p1B->share_d, 1, &p1B->share_d);
P_CHECKA (p2A = PrioPacketVerify2_new ());
P_CHECKA (p2B = PrioPacketVerify2_new ());
P_CHECKC (PrioPacketVerify2_set_data (p2A, vA, p1A, p1B));
P_CHECKC (PrioPacketVerify2_set_data (p2B, vB, p1A, p1B));
if (tweak == 2) {
mp_add_d (&p2A->share_out, 1, &p2B->share_out);
int shouldBe = tweak ? SECFailure : SECSuccess;
mu_check (PrioVerifier_isValid (vA, p2A, p2B) == shouldBe);
mu_check (PrioVerifier_isValid (vB, p2A, p2B) == shouldBe);
if (!tweak) {
mu_check (rv == SECSuccess);
if (for_a) free (for_a);
if (for_b) free (for_b);
PrioPacketVerify2_clear (p2A);
PrioPacketVerify2_clear (p2B);
PrioPacketVerify1_clear (p1A);
PrioPacketVerify1_clear (p1B);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
mu_test__verify_full_good (void)
verify_full (0);
mu_test__verify_full_bad1 (void)
verify_full (1);
mu_test__verify_full_bad2 (void)
verify_full (2);
mu_test__verify_full_bad3 (void)
verify_full (3);
mu_test__verify_full_bad4 (void)
verify_full (4);
mu_test__verify_full_bad5 (void)
verify_full (5);

@ -1,91 +0,0 @@
* Copyright (c) 2018, Henry Corrigan-Gibbs
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
#include <mpi.h>
#include <mprio.h>
#include "prio/client.h"
#include "prio/config.h"
#include "prio/mparray.h"
#include "prio/share.h"
#include "prio/util.h"
#include "mutest.h"
mu_test_share (void)
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
mp_int a, b, c;
BeaverTriple t1 = NULL, t2 = NULL;
P_CHECKA (cfg = PrioConfig_newTest (93));
P_CHECKA (t1 = BeaverTriple_new ());
P_CHECKA (t2 = BeaverTriple_new ());
mu_check (BeaverTriple_set_rand (cfg, t1, t2) == SECSuccess);
MP_CHECKC (mp_init (&a));
MP_CHECKC (mp_init (&b));
MP_CHECKC (mp_init (&c));
mu_check (mp_addmod (&t1->a, &t2->a, &cfg->modulus, &a) == MP_OKAY);
mu_check (mp_addmod (&t1->b, &t2->b, &cfg->modulus, &b) == MP_OKAY);
mu_check (mp_addmod (&t1->c, &t2->c, &cfg->modulus, &c) == MP_OKAY);
mu_check (mp_mulmod (&a, &b, &cfg->modulus, &a) == MP_OKAY);
mu_check (mp_cmp (&a, &c) == 0);
mu_check (rv == SECSuccess);
mp_clear (&a);
mp_clear (&b);
mp_clear (&c);
PrioConfig_clear (cfg);
BeaverTriple_clear (t1);
BeaverTriple_clear (t2);
mu_test_arr (void)
SECStatus rv = SECSuccess;
MPArray arr = NULL;
MPArray arr2 = NULL;
P_CHECKA (arr = MPArray_new (10));
P_CHECKA (arr2 = MPArray_new (7));
for (int i=0; i<10; i++) {
mp_set (&arr->data[i], i);
P_CHECKC (MPArray_resize (arr, 15));
for (int i=10; i<15; i++) {
mu_check (mp_cmp_d (&arr->data[i], 0) == 0);
mp_set (&arr->data[i], i);
P_CHECKC (MPArray_resize (arr, 7));
for (int i=10; i<7; i++) {
mu_check (mp_cmp_d (&arr->data[i], i) == 0);
P_CHECKC (MPArray_copy (arr2, arr));
for (int i=10; i<7; i++) {
mu_check (mp_cmp (&arr->data[i], &arr2->data[i]) == 0);
mu_check (rv == SECSuccess);
MPArray_clear (arr);
MPArray_clear (arr2);

@ -1,20 +1,18 @@
# Script to update the mozilla in-tree copy of the Prio library.
# Run this within the /third_party/prio directory of the source tree.
# Script to update the mozilla in-tree copy of the libprio library.
# Run this within the /third_party/libprio directory of the source tree.
MY_TEMP_DIR=`mktemp -d -t libprio_update.XXXXXX` || exit 1
git clone https://github.com/mozilla/libprio ${MY_TEMP_DIR}/libprio
git -C ${MY_TEMP_DIR}/libprio checkout ${VERSION}
git clone -n https://github.com/mozilla/libprio ${MY_TEMP_DIR}/libprio
git -C ${MY_TEMP_DIR}/libprio checkout ${COMMIT}
COMMIT=$(git -C ${MY_TEMP_DIR}/libprio rev-parse HEAD)
perl -p -i -e "s/(\d+\.)(\d+\.)(\d+)/${VERSION}/" README-mozilla;
perl -p -i -e "s/\[commit [0-9a-f]{40}\]/[commit ${COMMIT}]/" README-mozilla;
FILES="LICENSE README.md SConstruct browser-test include pclient prio ptest"
FILES="include prio"
VERSION=$(git -C ${MY_TEMP_DIR}/libprio describe --tags)
perl -p -i -e "s/Current version: \S+ \[commit [0-9a-f]{40}\]/Current version: ${VERSION} [commit ${COMMIT}]/" README-mozilla
for f in $FILES; do
rm -rf $f
@ -24,9 +22,9 @@ done
rm -rf ${MY_TEMP_DIR}
hg revert -r . moz.build
hg addremove
hg addremove .
echo "###"
echo "### Updated Prio to $COMMIT."
echo "### Updated libprio to $COMMIT."
echo "### Remember to verify and commit the changes to source control!"
echo "###"