Adding csadmin

Dockerfile

@@ -11,10 +11,12 @@ RUN go build -ldflags="$LDFLAGS" ./cmd/full
 WORKDIR /byzcoin/pkg/cothority
 RUN go build -ldflags="$LDFLAGS" ./byzcoin/bcadmin
 RUN go build -ldflags="$LDFLAGS" ./personhood/phapp
+RUN go build -ldflags="$LDFLAGS" ./calypso/csadmin
 RUN cd scmgr && go build -ldflags="$LDFLAGS" .
 WORKDIR /byzcoin
 RUN cp  /byzcoin/pkg/cothority/bcadmin /byzcoin/pkg/cothority/phapp \
-        /byzcoin/pkg/cothority/scmgr/scmgr /byzcoin
+        /byzcoin/pkg/cothority/scmgr/scmgr \
+        /byzcoin/pkg/cothority/csadmin /byzcoin
 COPY docker/byzcoin.sh archive/setup_demo_chain.sh ./
 RUN ./setup_demo_chain.sh
 
@@ -61,7 +63,7 @@ RUN ln -s /byzcoin .local/share/conode
 RUN ln -s /byzcoin .config/conode
 COPY --from=builder-byzcoin /byzcoin/byzcoin /byzcoin/full \
                     /byzcoin/bcadmin /byzcoin/phapp \
-                    /byzcoin/scmgr /root/
+                    /byzcoin/scmgr /byzcoin/csadmin /root/
 COPY --from=builder-byzcoin /byzcoin/nodes/ /root/nodes/
 COPY docker/byzcoin.sh /root/
 

archive/index.html

@@ -31,19 +31,7 @@ <h1>OmniLedger demo archive</h1>
         Now you are ready to look at the different services offered by this demo.
     </p>
 
-    <h2>Troubleshooting</h2>
-    <p>If you're stuck and things don't work anymore, it's best to start from scratch.
-        You need the following to do so:
-    <ol>
-        <li>On the <a href="/login">login page</a>, you need to
-            <a href="https://www.leadshook.com/help/how-to-clear-local-storage-in-google-chrome-browser/">delete all
-                local storage</a></li>
-        <li>Stop docker compose: <code>docker compose down</code></li>
-        <li>Delete the data from the nodes: <code>rm -rf nodes</code></li>
-        <li>Start the nodes again: <code>docker compose up</code></li>
-        <li>Re-create the login with the link on this page</li>
-    </ol>
-    </p>
+    <h2>Services</h2>
 
     <div class="row">
         <div class="sm-12 md-6 col card" style="width: 20rem;">
@@ -111,6 +99,21 @@ <h5 class="card-subtitle">Blockchain explorer for humans</h5>
             </div>
         </div>
     </div>
+
+    <h2>Troubleshooting</h2>
+    <p>If you're stuck and things don't work anymore, it's best to start from scratch.
+        You need the following to do so:
+    <ol>
+        <li>On the <a href="/login">login page</a>, you need to
+            <a href="https://www.leadshook.com/help/how-to-clear-local-storage-in-google-chrome-browser/">delete all
+                local storage</a></li>
+        <li>Stop docker compose: <code>docker compose down</code></li>
+        <li>Delete the data from the nodes: <code>rm -rf nodes</code></li>
+        <li>Start the nodes again: <code>docker compose up</code></li>
+        <li>Re-create the login with the link on this page</li>
+    </ol>
+    </p>
+
 </div>
 </body>
 </html>

archive/setup_demo_chain.sh

@@ -1,19 +1,19 @@
-#!/bin/zsh
+#!/bin/zsh -e
 
 NODES_DIR=/byzcoin/nodes
 mkdir -p $NODES_DIR/node-{1,2,3,4}
 export BYZCOIN=./full \
- DEBUG_LVL=2 \
- DEBUG_COLOR=false \
- DEBUG_TIME=true
-for node in $( seq 4 ); do
-  PORT_N=$(( 7770 + node * 2 ))
-  PORT_W=$(( PORT_N + 1 ))
+  DEBUG_LVL=2 \
+  DEBUG_COLOR=false \
+  DEBUG_TIME=true
+for node in $(seq 4); do
+  PORT_N=$((7770 + node * 2))
+  PORT_W=$((PORT_N + 1))
   ADDRESS_NODE=tls://localhost:$PORT_N \
-         ADDRESS_WS=http://localhost:$PORT_W \
-         DESCRIPTION="Local Node $node" \
-         DATA_DIR=$NODES_DIR/node-$node \
-         ./byzcoin.sh &
+    ADDRESS_WS=http://localhost:$PORT_W \
+    DESCRIPTION="Local Node $node" \
+    DATA_DIR=$NODES_DIR/node-$node \
+    ./byzcoin.sh &
 done
 
 # Waiting for the nodes to come up
@@ -23,24 +23,35 @@ done
 while [[ "$(echo $(ls nodes/node*/*.db | wc -l))" != 4 ]]; do sleep 1; done
 sleep 1
 for node in nodes/node*; do
-  echo -e "\n[[servers]]" >> nodes/group.toml
-  sed -e "s/Services/servers.Services/" $node/public.toml >> nodes/group.toml
+  echo -e "\n[[servers]]" >>nodes/group.toml
+  sed -e "s/Services/servers.Services/" $node/public.toml >>nodes/group.toml
 done
 
-# Initializing a new byzcoin chain and creating a user
+# Initializing a new byzcoin chain
 ./bcadmin -c $NODES_DIR/ create $NODES_DIR/group.toml
 sleep 1
-BC=/$( ls $NODES_DIR/bc*.cfg )
-KEY=/$( ls $NODES_DIR/key*.cfg )
+BC=/$(ls $NODES_DIR/bc*.cfg)
+BYZCOIN_ID="${BC//(\/$NODES_DIR\/bc-|.cfg)/}"
+KEY=/$(ls $NODES_DIR/key*.cfg)
+
+# Add an LTS configuration
+for node in $(seq 4); do
+  ./csadmin authorize nodes/node-$node/private.toml $BYZCOIN_ID
+done
+./csadmin -c nodes contract lts spawn --bc $BC | tail -n 1 >ltsid.hex
+LTS_ID=$(cat ltsid.hex)
+./csadmin -c nodes dkg start --instid $LTS_ID --bc $BC | tail -n 1 | cut -d ' ' -f 3 >ltsx.hex
+LTS_X=$(cat ltsx.hex)
+
+# Creating a new user
 URL=http://localhost:8080/login/register/device
-./phapp user "$BC" "$KEY" $URL demo | tee login.tmp
-tail -n 1 login.tmp | sed -e "s/.*is: //" > signup.link
+./phapp user "$BC" "$KEY" $URL demo --ltsid $LTS_ID --ltsx $LTS_X | tee login.tmp
+tail -n 1 login.tmp | sed -e "s/.*is: //" >signup.link
 rm login.tmp
 
 # Create configuration files
-echo -e "\nByzCoinID = \"${BC//(\/$NODES_DIR\/bc-|.cfg)/}\"" > nodes/config.toml
-# TODO: add a real LTS
-echo -e "LTSID = \"${BC//(\/$NODES_DIR\/bc-|.cfg)/}\"\n" >> nodes/config.toml
-cat nodes/group.toml >> nodes/config.toml
-pkill full
-ls -R $NODES_DIR
+echo "ByzCoinID = \"$BYZCOIN_ID\"" >nodes/config.toml
+echo "LTSID = \"$LTS_ID\"" >>nodes/config.toml
+# This is currently not read - but might come in handy for debugging
+echo -e "LTSX = \"$LTS_X\"\n" >>nodes/config.toml
+cat nodes/group.toml >>nodes/config.toml

docker-compose.yml

@@ -45,7 +45,7 @@ services:
       - ./nodes/node-4:/byzcoin
     network_mode: "service:node-1"
 
-  login:
+  web:
     image: ghcr.io/c4dt/byzcoin-web:latest
     platform: linux/amd64
     build:

pkg.base/cothority/personhood/phapp/main.go

@@ -131,6 +131,16 @@ var cmds = cli.Commands{
 		Usage:     "create a new user",
 		ArgsUsage: "bc-xxx.cfg key-xxx.cfg baseURL alias",
 		Action:    createUser,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "ltsid",
+				Usage: "store the ID of the LTS contract to use",
+			},
+			cli.StringFlag{
+				Name:  "ltsx",
+				Usage: "store the public key of the LTS contract",
+			},
+		},
 	},
 	{
 		Name:  "email",
@@ -855,6 +865,29 @@ func createUser(c *cli.Context) error {
 		return xerrors.Errorf("couldn't create user builder: %v", err)
 	}
 	ub.SetView(user.ACVAdmin)
+
+	ltsIDStr := c.String("ltsid")
+	if ltsIDStr != "" {
+		ltsID, err := hex.DecodeString(ltsIDStr)
+		if err != nil {
+			return xerrors.Errorf("While parsing LTSID: %v", err)
+		}
+		ub.SetLtsID(byzcoin.NewInstanceID(ltsID))
+	}
+
+	ltsXStr := c.String("ltsx")
+	if ltsXStr != "" {
+		ltsXBuf, err := hex.DecodeString(ltsXStr)
+		if err != nil {
+			return xerrors.Errorf("While parsing LTSX: %v", err)
+		}
+		ltsX := cothority.Suite.Point()
+		if err := ltsX.UnmarshalBinary(ltsXBuf); err != nil {
+			return xerrors.Errorf("While converting LTSX: %v", err)
+		}
+		ub.SetLtsX(ltsX)
+	}
+
 	newUser, err := ub.CreateFromDarc(cl, cfg.AdminDarc.GetBaseID(), *signer)
 	if err != nil {
 		return xerrors.Errorf("couldn't create user: %v", err)

pkg.base/cothority/personhood/user/builder.go

@@ -6,9 +6,11 @@ import (
 	"go.dedis.ch/cothority/v3/darc"
 	"go.dedis.ch/cothority/v3/darc/expression"
 	"go.dedis.ch/cothority/v3/personhood/contracts"
+	"go.dedis.ch/kyber/v3"
 	"go.dedis.ch/kyber/v3/util/random"
 	"go.dedis.ch/protobuf"
 	"golang.org/x/xerrors"
+	"log"
 )
 
 // Builder allows to create a new user either directly from a DARC with
@@ -284,6 +286,20 @@ func (ub *Builder) SetAlias(alias string) {
 	ub.credentialStruct.SetPublic(contracts.APAlias, []byte(alias))
 }
 
+// SetLtsID sets the LTS_ID that the user can use
+func (ub *Builder) SetLtsID(ltsID byzcoin.InstanceID) {
+	ub.credentialStruct.SetConfig(contracts.ACLtsID, ltsID[:])
+}
+
+// SetLtsX sets the public key of the LTS
+func (ub *Builder) SetLtsX(pub kyber.Point) {
+	pubBuf, err := pub.MarshalBinary()
+	if err != nil {
+		log.Panicf("While marshalling point: %v", err)
+	}
+	ub.credentialStruct.SetConfig(contracts.ACLtsX, pubBuf)
+}
+
 // SetCoinID sets the coinID of the user in the credential.
 func (ub *Builder) SetCoinID(coinID byzcoin.InstanceID) {
 	ub.coinID = coinID

pkg.files

@@ -19,10 +19,7 @@ cothority/byzcoin/trie
 cothority/byzcoin/viewchange
 cothority/byzcoinx/*.go
 cothority/byzcoinx/*.md
-cothority/calypso/contracts.go
-cothority/calypso/proto.go
-cothority/calypso/struct.go
-cothority/calypso/protocol
+cothority/calypso
 cothority/darc
 cothority/dkg/pedersen
 cothority/messaging

pkg/cothority/calypso/README.md

@@ -0,0 +1,115 @@
+Navigation: [DEDIS](https://github.com/dedis/doc/tree/master/README.md) ::
+[Cothority](../README.md) ::
+[Applications](../doc/Applications.md) ::
+Calypso
+
+# Calypso
+
+Calypso is the implementation of the upcoming "Calypso - Auditable Sharing of
+Private Data over Blockchains". The paper can be found
+[here](https://eprint.iacr.org/2018/209).
+
+In short, Calypso allows to store symmetric keys in ByzCoin, protected by a
+sharded key, and controls access to this symmetric keys using Darcs,
+Distributed Access Rights Control.
+
+It implements both the access-control cothority and the secret-management
+cothority:
+- The access-control cothority is implemented using ByzCoin with two
+  contracts, `calypsoWrite` and `calypsoRead`
+- The secret-management cothority uses an onet service with methods to set up a
+  Long Term Secret (LTS) distributed key and to request a re-encryption
+
+The workflow is the following:
+1. secret-management: Administrator sets up a new LTS for all his clients. It
+   does so by calling the `CreateLTS` service endpoint. The resulting `LTSID`
+   will be used by all clients.
+2. access-control: Administrator gives document creation rights to a writer
+3. access-control: Writer creates new Darcs for customers and for documents.
+4. access-control: Writer spawns a `Write` instance from a document Darc
+5. access-control: Reader requests that a `Read` instance is spawned from a
+   `Write` instance
+6. secret-management: Reader requests a re-encryption to the `DecryptKey`
+   service endpoint.
+
+![Workflow Overview](CalypsoByzCoin.png?raw=true "Workflow Overview")
+
+## Darcs, Instances, Instructions and Contracts
+
+Here is a very short overview of the three most important elements of
+ByzCoin. For a more thorough documentation, refer to
+[ByzCoin](../byzcoin/README.md) documentation.
+
+The current ByzCoin service is a batching implementation of the previous
+skipchain service. It has a global state that holds _Instances_, where every
+instance is tied to a _Contract_ and holds a blob of data. The contract defines
+how the data is to be interpreted and allows different _Instructions_ sent from
+the user.
+
+Access control is done using _Darcs_, which define what public keys can verify
+an action. Each instruction received by ByzCoin is mapped to an action and
+then verified if the given signature is correct. Also, every instance is linked
+to one darc that defines what actions are allowed to be done to that instance.
+
+All instructions sent to ByzCoin are batched in a new block that is created
+every `blockInterval` seconds.
+
+## CreateLTS
+
+The CreateLTS endpoint is only usable when connecting to the conode
+via localhost. It is possible to relax this restriction, but it should
+only be done in testing environments; see `service.go`'s `init()` function
+for how.
+
+The client that initiates `CreateLTS` should hold two rosters. One roster for
+storing the secret shares of LTS (long term secret), the other for a ByzCoin
+instance for storing the LTS roster (using the LTS contract).
+
+If the LTS roster does not exist on ByzCoin, the client is responsible for
+creating it. Which can be done by sending a ByzCoin transaction. The
+transaction should spawn a new LTS instance.
+
+After the LTS roster is on ByzCoin but before the creation of LTS shares. The
+client should make a `CreateLTS` request to a node in the LTS roster. The
+request should contain the instance ID that contains the LTS roster. Then,
+every Calypso node should check that the instance ID that holds the LTS roster
+exists before starting the DKG. For this operation, all nodes must be online.
+By default, a threshold of 2/3 of the nodes must be present for the
+decryption.
+
+The CreateLTS service endpoint returns a `LTSID` in the form of a 32 byte
+slice. This ID represents the group that created the distributed key. Any node
+can participate in as many DKGs as you want and will get a random `LTSID`
+assigned.
+
+## Write Contract
+
+The write contract verifies that the request has been correctly created, so
+that no malicious writer can send an encrypted key without knowing the secret.
+It then creates a new write-instance that contains the write request.
+
+A read request must also be sent to the write contract, which will forward it
+to the read contract. This is so that every instruction sent to ByzCoin has
+as a target an existing instance.
+
+## Read Contract
+
+The read contract verifies that the request is valid and points to the write
+instance. It stores the reader's public key in the instance, so that the
+secret-management cothority can re-encrypt to this reader's public key.
+
+## Resharing LTS
+
+It is possible that the roster might change and the LTS shares must be
+re-distributed but without changing the LTS itself. We accomplish this in two
+steps.
+
+1. The authorised client(s) must update the LTS roster in the blockchain (an
+   instance of the LTS smart contract).
+2. Then, the client instructs the calypso conodes to run the resharing
+   protocol. The nodes in the new roster find and check the proof of
+   roster-change in ByzCoin, and then start the protocol to reshare the secret
+   between themselves.
+
+For this operation, all nodes must be online. By default, a threshold of 2/3 of
+the nodes must be present for the decryption.