🛡 Guardian including Keys, Backups, and Verifiers (#65)

* ✨  Create Guardian Backup

- Create Guardian backups
- Create models folder
- Change generate keys to a guardian call

* ✅  Add serialize changes

* 🧹 Model Cleanup

* ✨  Backups, Challenges and Verifier

* ✅. Update tests for Guardian


Test


Test

* 📁 Refactor Models folder

Author: keithrfung

app/api/v1/api.py

@@ -1,10 +1,11 @@
 from fastapi import APIRouter
 
-from app.api.v1.endpoints import ballot, election, key, ping, tally
+from app.api.v1.endpoints import ballot, election, guardian, key, ping, tally
 
 api_router = APIRouter()
-api_router.include_router(ping.router, prefix="/ping", tags=["ping"])
-api_router.include_router(election.router, prefix="/election", tags=["election"])
 api_router.include_router(ballot.router, prefix="/ballot", tags=["ballot"])
+api_router.include_router(election.router, prefix="/election", tags=["election"])
+api_router.include_router(guardian.router, prefix="/guardian", tags=["guardian"])
 api_router.include_router(key.router, prefix="/key", tags=["key"])
+api_router.include_router(ping.router, prefix="/ping", tags=["ping"])
 api_router.include_router(tally.router, prefix="/tally", tags=["tally"])

app/api/v1/endpoints/ballot.py

@@ -7,16 +7,11 @@
 )
 from electionguard.ballot_store import BallotStore
 from fastapi import APIRouter, Body, HTTPException
-from pydantic import BaseModel
 from typing import Any
 
-router = APIRouter()
-
+from ..models import AcceptBallotRequest
 
-class AcceptBallotRequest(BaseModel):
-    ballot: Any
-    description: Any
-    context: Any
+router = APIRouter()
 
 
 @router.post("/cast")

app/api/v1/endpoints/guardian.py

@@ -0,0 +1,153 @@
+from electionguard.auxiliary import AuxiliaryPublicKey
+from electionguard.election_polynomial import ElectionPolynomial
+from electionguard.group import int_to_q_unchecked
+from electionguard.key_ceremony import (
+    ElectionPartialKeyBackup,
+    ElectionPartialKeyChallenge,
+    generate_election_key_pair,
+    generate_rsa_auxiliary_key_pair,
+    generate_election_partial_key_backup,
+    generate_election_partial_key_challenge,
+    verify_election_partial_key_backup,
+    verify_election_partial_key_challenge,
+)
+from electionguard.rsa import rsa_decrypt, rsa_encrypt
+from electionguard.serializable import write_json_object
+from fastapi import APIRouter, HTTPException
+from typing import Any, List
+
+from ..models import (
+    AuxiliaryKeyPair,
+    BackupChallengeRequest,
+    BackupVerificationRequest,
+    ChallengeVerificationRequest,
+    ElectionKeyPair,
+    Guardian,
+    GuardianRequest,
+    GuardianBackup,
+    GuardianBackupRequest,
+)
+from app.utils import read_json_object
+from ..tags import GUARDIAN_ONLY
+
+router = APIRouter()
+
+identity = lambda message, key: message
+
+
+@router.post("", response_model=Guardian, tags=[GUARDIAN_ONLY])
+def create_guardian(request: GuardianRequest) -> Guardian:
+    """
+    Create a guardian for the election process with the associated keys
+    """
+    election_keys = generate_election_key_pair(
+        request.quorum,
+        int_to_q_unchecked(request.nonce) if request.nonce is not None else None,
+    )
+    if request.auxiliary_key_pair is None:
+        auxiliary_keys = generate_rsa_auxiliary_key_pair()
+    else:
+        auxiliary_keys = request.auxiliary_key_pair
+    if not election_keys:
+        raise HTTPException(
+            status_code=500,
+            detail="Election keys failed to be generated",
+        )
+    if not auxiliary_keys:
+        raise HTTPException(
+            status_code=500, detail="Auxiliary keys failed to be generated"
+        )
+    return Guardian(
+        id=request.id,
+        sequence_order=request.sequence_order,
+        number_of_guardians=request.number_of_guardians,
+        quorum=request.quorum,
+        election_key_pair=ElectionKeyPair(
+            public_key=str(election_keys.key_pair.public_key),
+            secret_key=str(election_keys.key_pair.secret_key),
+            proof=write_json_object(election_keys.proof),
+            polynomial=write_json_object(election_keys.polynomial),
+        ),
+        auxiliary_key_pair=AuxiliaryKeyPair(
+            public_key=auxiliary_keys.public_key, secret_key=auxiliary_keys.secret_key
+        ),
+    )
+
+
+@router.post("/backup", response_model=GuardianBackup, tags=[GUARDIAN_ONLY])
+def create_guardian_backup(request: GuardianBackupRequest) -> GuardianBackup:
+    """
+    Generate all election partial key backups based on existing public keys
+    :param request: Guardian backup request
+    :return: Guardian backup
+    """
+    encrypt = identity if request.override_rsa else rsa_encrypt
+    backups: List[Any] = []
+    for auxiliary_public_key in request.auxiliary_public_keys:
+        backup = generate_election_partial_key_backup(
+            request.guardian_id,
+            read_json_object(request.election_polynomial, ElectionPolynomial),
+            AuxiliaryPublicKey(
+                auxiliary_public_key.owner_id,
+                auxiliary_public_key.sequence_order,
+                auxiliary_public_key.key,
+            ),
+            encrypt,
+        )
+        if not backup:
+            raise HTTPException(status_code=500, detail="Backup failed to be generated")
+        backups.append(write_json_object(backup))
+
+    return GuardianBackup(
+        id=request.guardian_id,
+        election_partial_key_backups=backups,
+    )
+
+
+@router.post("/backup/verify", tags=[GUARDIAN_ONLY])
+def verify_backup(request: BackupVerificationRequest) -> Any:
+    decrypt = identity if request.override_rsa else rsa_decrypt
+    verification = verify_election_partial_key_backup(
+        request.verifier_id,
+        read_json_object(request.election_partial_key_backup, ElectionPartialKeyBackup),
+        read_json_object(request.auxiliary_key_pair, AuxiliaryKeyPair),
+        decrypt,
+    )
+    if not verification:
+        raise HTTPException(
+            status_code=500, detail="Backup verification process failed"
+        )
+    return write_json_object(verification)
+
+
+@router.post("/challenge", tags=[GUARDIAN_ONLY])
+def create_backup_challenge(request: BackupChallengeRequest) -> Any:
+    challenge = generate_election_partial_key_challenge(
+        read_json_object(request.election_partial_key_backup, ElectionPartialKeyBackup),
+        read_json_object(request.election_polynomial, ElectionPolynomial),
+    )
+    if not challenge:
+        raise HTTPException(
+            status_code=500, detail="Backup challenge generation failed"
+        )
+    # FIXME Challenge value is ElementModQ converted to int that is too large
+    challenge._replace(value=str(challenge.value))
+    return write_json_object(challenge)
+
+
+@router.post(
+    "/challenge/verify",
+    tags=[GUARDIAN_ONLY],
+)
+def verify_challenge(request: ChallengeVerificationRequest) -> Any:
+    verification = verify_election_partial_key_challenge(
+        request.verifier_id,
+        read_json_object(
+            request.election_partial_key_challenge, ElectionPartialKeyChallenge
+        ),
+    )
+    if not verification:
+        raise HTTPException(
+            status_code=500, detail="Challenge verification process failed"
+        )
+    return write_json_object(verification)

app/api/v1/endpoints/key.py

@@ -2,76 +2,29 @@
     generate_election_key_pair,
     generate_rsa_auxiliary_key_pair,
 )
+from electionguard.elgamal import elgamal_combine_public_keys
 from electionguard.serializable import write_json_object
-from electionguard.group import int_to_q_unchecked
+from electionguard.group import int_to_q_unchecked, int_to_p_unchecked
 from fastapi import APIRouter, HTTPException
-from pydantic import BaseModel
-from typing import Optional, Any
+from ..models import (
+    AuxiliaryKeyPair,
+    ElectionKeyPair,
+    ElectionKeyPairRequest,
+    ElectionJointKey,
+    CombineElectionKeysRequest,
+)
 
 router = APIRouter()
 
 
-class ElectionKeyPairRequest(BaseModel):
-    quorum: int
-    nonce: Optional[str] = None
-
-
-class ElectionKeyPairResponse(BaseModel):
-    secret_key: str
-    public_key: str
-    proof: Any
-    polynomial: Any
-
-
-class AuxiliaryKeyPairResponse(BaseModel):
-    secret_key: str
-    public_key: str
-
-
-GuardianKeysRequest = ElectionKeyPairRequest
-
-
-class GuardianKeysResponse(BaseModel):
-    election: ElectionKeyPairResponse
-    auxiliary: AuxiliaryKeyPairResponse
-
-
-@router.post("/generate", response_model=GuardianKeysResponse)
-def generate_keys(request: GuardianKeysRequest) -> GuardianKeysResponse:
-    """
-    Generate election key pairs for use in election process
-    """
-    election_keys = generate_election_key_pair(
-        request.quorum,
-        int_to_q_unchecked(request.nonce) if request.nonce is not None else None,
-    )
-    auxiliary_keys = generate_rsa_auxiliary_key_pair()
-    if not election_keys:
-        raise HTTPException(
-            status_code=500,
-            detail="Election keys failed to be generated",
-        )
-    if not auxiliary_keys:
-        raise HTTPException(
-            status_code=500, detail="Auxiliary keys failed to be generated"
-        )
-    return GuardianKeysResponse(
-        election=ElectionKeyPairResponse(
-            public_key=str(election_keys.key_pair.public_key),
-            secret_key=str(election_keys.key_pair.secret_key),
-            proof=write_json_object(election_keys.proof),
-            polynomial=write_json_object(election_keys.polynomial),
-        ),
-        auxiliary=AuxiliaryKeyPairResponse(
-            public_key=auxiliary_keys.public_key, secret_key=auxiliary_keys.secret_key
-        ),
-    )
-
-
-@router.post("/election/generate", response_model=ElectionKeyPairResponse)
-def generate_election_keys(request: ElectionKeyPairRequest) -> ElectionKeyPairResponse:
+@router.post(
+    "/election/generate", response_model=ElectionKeyPair, tags=["Guardian Only"]
+)
+def generate_election_keys(request: ElectionKeyPairRequest) -> ElectionKeyPair:
     """
     Generate election key pairs for use in election process
+    :param request: Election key pair request
+    :return: Election key pair
     """
     keys = generate_election_key_pair(
         request.quorum,
@@ -82,24 +35,38 @@ def generate_election_keys(request: ElectionKeyPairRequest) -> ElectionKeyPairRe
             status_code=500,
             detail="Election keys failed to be generated",
         )
-    return ElectionKeyPairResponse(
+    return ElectionKeyPair(
         public_key=str(keys.key_pair.public_key),
         secret_key=str(keys.key_pair.secret_key),
         proof=write_json_object(keys.proof),
         polynomial=write_json_object(keys.polynomial),
     )
 
 
-@router.post("/auxiliary/generate", response_model=AuxiliaryKeyPairResponse)
-def generate_auxiliary_keys() -> AuxiliaryKeyPairResponse:
+@router.post(
+    "/auxiliary/generate", response_model=AuxiliaryKeyPair, tags=["Guardian Only"]
+)
+def generate_auxiliary_keys() -> AuxiliaryKeyPair:
     """
     Generate auxiliary key pair for auxiliary uses during process
+    :return: Auxiliary key pair
     """
     keys = generate_rsa_auxiliary_key_pair()
     if not keys:
         raise HTTPException(
             status_code=500, detail="Auxiliary keys failed to be generated"
         )
-    return AuxiliaryKeyPairResponse(
-        public_key=keys.public_key, secret_key=keys.secret_key
-    )
+    return AuxiliaryKeyPair(public_key=keys.public_key, secret_key=keys.secret_key)
+
+
+@router.post("/election/combine", response_model=ElectionJointKey)
+def combine_election_keys(request: CombineElectionKeysRequest) -> ElectionJointKey:
+    """
+    Combine public election keys into a final one
+    :return: Combine Election key
+    """
+    public_keys = []
+    for key in request.election_public_keys:
+        public_keys.append(int_to_p_unchecked(key))
+    joint_key = elgamal_combine_public_keys(public_keys)
+    return ElectionJointKey(joint_key=write_json_object(joint_key))

app/api/v1/endpoints/tally.py

@@ -10,20 +10,12 @@
     PublishedCiphertextTally,
 )
 from fastapi import APIRouter, Body, HTTPException
-from pydantic import BaseModel
 from typing import Any, List, Tuple
 
-router = APIRouter()
-
 
-class StartTallyRequest(BaseModel):
-    ballots: List[Any]
-    description: Any
-    context: Any
+from ..models import StartTallyRequest, AppendTallyRequest
 
-
-class AppendTallyRequest(StartTallyRequest):
-    encrypted_tally: Any
+router = APIRouter()
 
 
 @router.post("")

app/api/v1/models/__init__.py

@@ -0,0 +1,5 @@
+from .ballot import *
+from .base import *
+from .guardian import *
+from .key import *
+from .tally import *

app/api/v1/models/ballot.py

@@ -0,0 +1,9 @@
+from typing import Any
+
+from .base import Base
+
+
+class AcceptBallotRequest(Base):
+    ballot: Any
+    description: Any
+    context: Any

app/api/v1/models/base.py

@@ -0,0 +1,5 @@
+from pydantic import BaseModel
+
+
+class Base(BaseModel):
+    pass