feat: send post request with offset leaked

csirianni · Dec 9, 2023 · ceb434e · ceb434e
1 parent 70ba200
commit ceb434e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/frontend/app/page.tsx b/frontend/app/page.tsx
@@ -69,7 +69,7 @@ export default function SignUp() {
     ) => {
         event.preventDefault();
         setIsLoading(true);
-        const response = await checkSecurity(password); // makes an API call with the user's password
+        const response = await checkSecurity(password, 1); // makes an API call with the user's password
         setIsLoading(false);
 
         if (response.status == "success") {

diff --git a/frontend/app/psi.ts b/frontend/app/psi.ts
@@ -21,27 +21,32 @@ export function hashToPoint(input: string): Uint8Array {
  * @param input the string to be encrypted
  * @returns input with a secret key applied and the key's inverse
  */
-export function applySeed(input: string): [Uint8Array, Uint8Array] {
+export function applySeed(input: string, offset=0): [Uint8Array, Uint8Array] {
     // generate random seed
     const seed = sodium.crypto_core_ristretto255_scalar_random();
     // get seed inverse
     const seedInverse =
         sodium.crypto_core_ristretto255_scalar_invert(seed);
     const point = hashToPoint(input);
     // apply seed
+    const leakedBytes = point.subarray(0, offset);
     const seededPassword = sodium.crypto_scalarmult_ristretto255(
         seed,
         point
     );
-    return [seededPassword, seedInverse];
+    var leakedSeededPassword = new Uint8Array(offset + seededPassword.length);
+    leakedSeededPassword.set(leakedBytes, 0);
+    leakedSeededPassword.set(seededPassword, offset);
+    return [leakedSeededPassword, seedInverse];
 }
 
 function computeIntersection(
     data: ServerResponse,
-    aInverse: Uint8Array
+    aInverse: Uint8Array, 
+    offset = 0
 ): boolean {
     const userPassword = base64.parse(data.userPassword);
-    const breachedPasswords = new Set((data.breachedPasswords).map(function (element) { return base64.parse(element).join(""); }));
+    const breachedPasswords = new Set((data.breachedPasswords).map(function (element) { return base64.parse(element).subarray(offset).join(""); }));
 
     // Client phase 2 - applies inverse seed A to (user password)^ab
     // so now ((user password)^ab)^-a = (user password)^b
@@ -55,9 +60,9 @@ function computeIntersection(
 }
 
 // Make API call to server to check if password was found in breached dataset
-export async function checkSecurity(password: string) {
+export async function checkSecurity(password: string, offset = 0) {
     try {
-        const [seededPassword, keyInverse] = applySeed(password);
+        const [seededPassword, keyInverse] = applySeed(password, offset);
 
         const response = await fetch(
             "http://localhost:18080/breachedPasswords",
@@ -72,7 +77,7 @@ export async function checkSecurity(password: string) {
             }
         );
         const data = await response.json();
-        if (computeIntersection(data, keyInverse)) {
+        if (computeIntersection(data, keyInverse, offset)) {
             return { status: "fail" };
         } else {
             return { status: "success" };