22 files changed, 1082 insertions, 255 deletions
diff --git a/ISSUES b/ISSUES
index e7248b1..ecac928 100644
--- a/ISSUES
+++ b/ISSUES
@@ -1,44 +1,37 @@
-set:
+general crypto implementation:
- * generation collection and other stuff in set is implemented now
+ * key generation problem (setting/clearing bits) has been fixed in libgcrypt, but what about NaCl incompatibility?
-  * some structural changes were necessary to implement everything
+   (NaCl uses Curve25519/montgomery coordinates for ECDH, Ed25519/twisted edwards coordinates for EdDSA;
+    GNUnet with libgcrypt uses Ed25519 coordinates for everything; also in NaCl ecdhe pubkeys are just the x-coordinate)
+ * libgcrypt does not use montgomery x-addition (=> slower)
+  * MPI_EC_MONTGOMERY exists, but is not implemented yet
+ * reasons for not using NaCl and its optimized crypto-code?
+  * I guess (unclear) licensing?
+ * I _think_ the 
- * GNUNET_CONTAINER_HashMapIterator vs GNUNET_CONTAINER_MultiHashMapIterator
+java crypto implementation:
-  * very confusing name clash
+ implementing crypto is INCREDIBLY frustrating
- * there's now also an external iterator for multihashmap32
+ * original ed25519 java implementation had a pretty nice bug that occured with p=1/256 ...
- * documentation: I'll meet with cfuchs on wednesday
+ * 'gnunet-ecc -E' generates some random reference values
+ * gnunet-java now "implements" all three pk cryptosystems in pure java
+  * all but ECDSA pass sanity checks
+  * I'm relatively confident in Ed25519, it gives the same results as the python ref implementation
+  * aB key generation does not give the same results as GNUnet?
-doxygen:
+set documentation:
- * would it be possible to remove e.g. the call graphs to make
+https://gnunet.org/content/gnunets-set-subsystem
-   the doxygen on gnunet.org more accessible?
-  * see e.g. https://gnunet.org/doxygen/de/d22/crypto__hkdf_8c.html
+embeding curve points / using ECC for secret sharing:
+ * problem: with the usual message-embeding injections we lose homomorphic properties
+ * I found (=read somewhere ;) a scheme for elgamal with ecc, but i'm not 100%
+   sure all the ZKPs will still work ...
 secretsharing:
- * if you want a shorter name: vss (verifyable secret sharing)
+ * see document I mailed you ...
- * discuss api
- * how should shares be serialized
-  * ... and should they contain the list of peers?
-  * => maybe a configuration file / string?
- * Should broadcast steps in the secret sharing protocol
-  be replaced by a consensus on signed commitments?
-  * this way all peers will have the same result
- * what if one of the authorities does not send some of the signed share parts s_{i,j}? who / how to blame?
-  * one idea is to use consensus with encrypted signeds{i,j}, so only the receiver can open it and
-    it can be known who sent their share parts 
-  * but: what if the encrypted value is wrong? there's no way to demonstrate this without revealing the
-    private key => can we somehow use ecdh+key derivation for that, so that the key can still
-    be revealed to blame somebody?
-  * round1: each peer puts a freshly generated, signed ecdh key in consensus
-  * in the share part exchange round: if a share part is wrong (signature verification or F_{i,j} verification fails),
-    the authority that finds out puts a complaint element in the consensus, revealing its private ecdh key
-  * the other authorities check the complaint for validity
-   * if the complaint is valid, the offending authority is excluded
-   * if the complaint is invalid, the complainer is excluded
- * what parameters should be the default?
-  * q (where q divides (p-1)) determines the size of the group, so how large do we want it?
-    (for practical purposes and security)
diff --git a/src/main/java/org/gnunet/util/HashCode.java b/src/main/java/org/gnunet/util/HashCode.java
index 389217f..a93a867 100644
--- a/src/main/java/org/gnunet/util/HashCode.java
+++ b/src/main/java/org/gnunet/util/HashCode.java
@@ -39,12 +39,48 @@ public class HashCode implements Message {
    @FixedSizeIntegerArray(length = 64, signed = false, bitSize = 8)
    public byte[] data; // should be immutable, final, can't be due to construct
+    /**
+     * Create a hash code initialized to zero.
+     */
    public HashCode() {
        data = new byte[64];
    }
-    public HashCode(byte[] hash) {
+    /**
+     * Create a HashCode from an existing SHA-512 hash code value.
+     *
+     * @param hash SHA-512 hash code value
+     * @return a HashCode
+     */
+    public static HashCode fromHashCode(byte[] hash) {
+        return new HashCode(hash);
+    }
+    /**
+     * Create a HashCode from data to be hashed.
+     *
+     * @param data data to hash
+     * @return a HashCode
+     */
+    public static HashCode hash(byte[] data) {
+        MessageDigest digest;
+        try {
+            digest = MessageDigest.getInstance("SHA-512");
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("crypto algorithm 'SHA-512' required but not provided");
+        }
+        byte[] hb = digest.digest(data);
+        HashCode h = new HashCode(hb);
+        return h;
+    }
+    /**
+     * Private constructor for HashCode from the hash code value.  Made
+     * private because there are two ways to create hash codes from byte arrays.
+     *
+     * @param hash hash code value to store in the HashCode
+     */
+    private HashCode(byte[] hash) {
        if (hash.length != 64) {
            throw new AssertionError("HashCode has to have length 64");
        }
diff --git a/src/main/java/org/gnunet/util/crypto/Curve25519.java b/src/main/java/org/gnunet/util/crypto/Curve25519.java
deleted file mode 100644
index 86e6949..0000000
--- a/src/main/java/org/gnunet/util/crypto/Curve25519.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- This file is part of GNUnet.
-  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
-  GNUnet is free software; you can redistribute it and/or modify
-  it under the terms of the GNU General Public License as published
-  by the Free Software Foundation; either version 3, or (at your
-  option) any later version.
-  GNUnet is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  General Public License for more details.
-  You should have received a copy of the GNU General Public License
-  along with GNUnet; see the file COPYING.  If not, write to the
-  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-  Boston, MA 02111-1307, USA.
- */
-package org.gnunet.util.crypto;
-import java.math.BigInteger;
-/**
- * Java-only implementation of arithmetic on DJBs Curve25519.
- * The curve is a Montgomery curve, and we use coordinates in
- * Montgomery form.
- * Very, very slow.
- */
-public class Curve25519 {
-    private BigInteger X;
-    private BigInteger Z;
-    private BigInteger B = new BigInteger("486662");
-    // curve parameter q =  255^(-19)
-    private static final BigInteger q = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819949");
-    public Curve25519(BigInteger X, BigInteger Z) {
-        this.X = X;
-        this.Z = Z;
-    }
-    public Curve25519 scalarmult(BigInteger e) {
-        if (e.equals(BigInteger.ZERO)) {
-            return new Curve25519(BigInteger.ZERO, BigInteger.ONE);
-        }
-        Curve25519 Q = scalarmult(e.shiftRight(1));
-        Q = Q.add(Q);
-        if (e.testBit(0)) Q = Q.add(this);
-        return Q;
-    }
-    /**
-     * Addition law for montgomery curve in montgomery coordinates.
-     *
-     * @param other
-     * @return
-     */
-    public Curve25519 add(Curve25519 other) {
-        return null;
-    }
-}
diff --git a/src/main/java/org/gnunet/util/crypto/DsaPrng.java b/src/main/java/org/gnunet/util/crypto/DsaPrng.java
index c26848e..259aaa6 100644
--- a/src/main/java/org/gnunet/util/crypto/DsaPrng.java
+++ b/src/main/java/org/gnunet/util/crypto/DsaPrng.java
@@ -32,15 +32,21 @@ import java.util.Arrays;
 /**
 * Deterministic generator for the 'k'-value of DSA, conforming to RFC 6979.
- * SHA-1 is used as H.
+ * SHA-512 is used as H.
 */
 public class DsaPrng {
-    private static final int qlen = 32;
    private Mac mac;
    private byte[] V = new byte[64];
    private byte[] K = new byte[64];
+    private static final int qlen = 32;
-    public byte[] hmacK(byte[]... args) {
+    /**
+     * Compute the HMAC of the fiven data with our current K-value.
+     *
+     * @param args data
+     * @return result of the hmac
+     */
+    private byte[] hmacK(byte[]... args) {
        try {
            mac.init(new SecretKeySpec(K, "HmacSHA1"));
        } catch (InvalidKeyException e) {
@@ -52,6 +58,12 @@ public class DsaPrng {
        return mac.doFinal();
    }
+    /**
+     * Create an instance of the deterministic random number generator for the DSA 'k' vale.
+     *
+     * @param key private key
+     * @param message message
+     */
    public DsaPrng(byte[] key, byte[] message) {
        try {
            mac = Mac.getInstance("HmacSHA1");
@@ -73,6 +85,12 @@ public class DsaPrng {
        V = hmacK(V);
    }
+    /**
+     * Get the next deterministically generated candidate for
+     * the k value used in DSA.
+     *
+     * @return the next candidate value for 'k'
+     */
    public BigInteger nextK() {
        byte[] T = new byte[0];
        while (T.length < qlen) {
diff --git a/src/main/java/org/gnunet/util/crypto/EcdhePrivateKey.java b/src/main/java/org/gnunet/util/crypto/EcdhePrivateKey.java
index e3cd861..9f4672e 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdhePrivateKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdhePrivateKey.java
@@ -1,4 +1,89 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
-public class EcdhePrivateKey {
+import org.gnunet.construct.FixedSizeIntegerArray;
+import org.gnunet.construct.Message;
+import org.gnunet.util.HashCode;
+import java.math.BigInteger;
+import java.security.SecureRandom;
+/**
+ * Private key for elliptic curve Diffie Hellman exchange.
+ */
+public class EcdhePrivateKey implements Message {
+    /**
+     * Private key byte string, in little endian form.
+     */
+    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
+    public byte[] d;
+    /**
+     * Create an ecdh private key without allocating the key data.
+     */
+    public EcdhePrivateKey() {
+        // empty constructor for org.gnunet.construct.*
+    }
+    /**
+     * Get the public key for this private key.
+     *
+     * @return the public key for this private key
+     */
+    public EcdhePublicKey getPublicKey() {
+        BigInteger dCoeff = Ed25519.decodeScalar(d);
+        Ed25519 A = Ed25519.B.scalarmult(dCoeff);
+        return new EcdhePublicKey(A);
+    }
+    /*
+     * Derive key material from the give public key and a this private ECDHE key.
+     *
+     * @param publicKey public key to use for the ECDH
+     * @return key material
+     */
+    public HashCode ecdh(EcdhePublicKey publicKey) {
+        BigInteger dCoeff = Ed25519.decodeScalar(d);
+        Ed25519 Q = publicKey.asPoint().scalarmult(dCoeff);
+        // hash big endian representation of the x-coordinate.
+        return HashCode.hash(Q.P0.toByteArray());
+    }
+    /**
+     * Create a random private key.
+     *
+     * @return a random private key
+     */
+    public static EcdhePrivateKey createRandom() {
+        SecureRandom sr = new SecureRandom();
+        EcdhePrivateKey privateKey = new EcdhePrivateKey();
+        privateKey.d = new byte[32];
+        sr.nextBytes(privateKey.d);
+        // clear bits so that d mod 8 = 0
+        privateKey.d[0] &= (byte) 248;
+        // make sure the key fits in 255 bits
+        privateKey.d[31] &= (byte) 127;
+        // make sure key does not have lots of leading zeros
+        privateKey.d[31] |= (byte) 64;
+        return privateKey;
+    }
 }
diff --git a/src/main/java/org/gnunet/util/crypto/EcdhePublicKey.java b/src/main/java/org/gnunet/util/crypto/EcdhePublicKey.java
index 3943137..844bddf 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdhePublicKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdhePublicKey.java
@@ -1,20 +1,83 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
 import org.gnunet.construct.FixedSizeIntegerArray;
+import org.gnunet.util.Strings;
+/**
+ * Public key for elliptic curve diffie hellman exchange.
+ */
 public class EcdhePublicKey {
    /**
-     * x-coordinate of the point on the curve.
+     * Point on the curve, in Ed25519-compressed form.
-     * The number is stored as little endian.
     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
-    public byte[] x;
+    public byte[] y;
    /**
-     * y-coordinate of the point on the curve.
+     * Create a public key without allocating the key's data.
-     * The number is stored as little endian.
+     * Necessary for constructing the key with 'org.gnunet.construct.*'.
     */
-    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
+    public EcdhePublicKey() {
-    public byte[] y;
+        // empty
+    }
+    /**
+     * Create a public key from the given point on the Ed25519 curve.
+     *
+     * @param a point to create the public key from
+     */
+    public EcdhePublicKey(Ed25519 a) {
+        y = a.encode();
+    }
+    /**
+     * Convert the public key to a point on the Ed25519 curve.
+     *
+     * @return point corresponding to this public key
+     */
+    public Ed25519 asPoint() {
+        return Ed25519.decode(y);
+    }
+    /**
+     * Get a GNUnet-style string representation of this key.
+     *
+     * @return the GNUnet-style string representation of this key.
+     */
+    @Override
+    public String toString() {
+        return Strings.dataToString(y);
+    }
+    /**
+     * Load an ECDHE key from a string.
+     *
+     * @param s string with the key data
+     * @return a public key
+     */
+    public EcdhePublicKey fromString(String s) {
+        EcdhePublicKey publicKey = new EcdhePublicKey();
+        Strings.stringToData(s, publicKey.y);
+        return publicKey;
+    }
 }
diff --git a/src/main/java/org/gnunet/util/crypto/EcdsaPrivateKey.java b/src/main/java/org/gnunet/util/crypto/EcdsaPrivateKey.java
index 43bd55a..2ac3fa8 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdsaPrivateKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdsaPrivateKey.java
@@ -1,41 +1,121 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
 import org.gnunet.construct.FixedSizeIntegerArray;
 import org.gnunet.construct.Message;
+import org.gnunet.util.HashCode;
+import java.math.BigInteger;
 import java.security.SecureRandom;
+/**
+ * Private key for elliptic curve DSA.
+ */
 public class EcdsaPrivateKey implements Message {
+    /**
+     * Private key byte string, in little endian form.
+     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
    public byte[] d;
+    /**
+     * Create a private key without allocating the key data.
+     */
+    public EcdsaPrivateKey() {
+        // empty, needed by org.gnunet.construct.*
+    }
+    /**
+     * Get the anonymous private key.  Corresponds to '1'.
+     *
+     * @return the anonymous private ECDSA key
+     */
    public static EcdsaPrivateKey getAnonymous() {
-        return null;
+        EcdsaPrivateKey privateKey = new EcdsaPrivateKey();
+        privateKey.d = new byte[32];
+        privateKey.d[31] = 1;
+        return privateKey;
    }
+    /**
+     * Sign the given data with this private key.  Must include a purpose to mitigate
+     * replay / copy and paste attacks.
+     *
+     * @param purpose purpose for the signature
+     * @param data data to sign
+     * @return the signature over both the data and the purpose
+     */
    public EcdsaSignature sign(int purpose, byte[] data) {
-        EcdsaSignature signature = new EcdsaSignature();
+        return sign(getPublicKey(), purpose, data);
-        return signature;
    }
-    public static EcdsaPrivateKey fromFile(String privKeyFilename) {
+    /**
-        return null;
+     * Sign the given data with this private key.  Must include a purpose to mitigate
+     * replay / copy and paste attacks.
+     *
+     * @param publicKey public key corresponding to this private key, supplying this parameter
+     *                  leads to better performance as the public key does not have to be derived
+     * @param purpose purpose for the signature
+     * @param data data to sign
+     * @return the signature over both the data and the purpose
+     */
+    public EcdsaSignature sign(EcdsaPublicKey publicKey, int purpose, byte[] data) {
+        EcdsaSignature signature = new EcdsaSignature();
+        DsaPrng prng = new DsaPrng(d, data);
+        HashCode h = HashCode.hash(data);
+        byte[] zData = new byte[32];
+        System.arraycopy(h.data, 0, zData, 0, 32);
+        BigInteger z = new BigInteger(1, zData);
+        BigInteger dCoeff = Ed25519.decodeScalar(d);
+        while (true) {
+            BigInteger k = prng.nextK();
+            Ed25519 P = Ed25519.B.scalarmult(k);
+            BigInteger r = P.P0.mod(Ed25519.q);
+            if (r.equals(BigInteger.ZERO))
+                continue;
+            BigInteger s = k.modInverse(Ed25519.q).multiply(z.add(r.multiply(dCoeff)));
+            if (!r.equals(BigInteger.ZERO)) {
+                signature.r = Ed25519.encodeScalar(r);
+                signature.s = Ed25519.encodeScalar(s);
+                return signature;
+            }
+        }
    }
+    /**
+     * Get the public key for this private key.
+     *
+     * @return the public key for this private key
+     */
    public EcdsaPublicKey getPublicKey() {
-        // FIXME: this is not the real implementation,
+        Ed25519 A = Ed25519.B.scalarmult(Ed25519.decodeScalar(d));
-        // beware that this dummy implementation leaks the key!
+        return new EcdsaPublicKey(A);
-        EcdsaPublicKey publicKey = new EcdsaPublicKey();
-        byte[] v = new byte[32];
-        System.arraycopy(d, 0, v, 0, 8);
-        System.arraycopy(d, 0, v, 8, 8);
-        System.arraycopy(d, 0, v, 16, 8);
-        System.arraycopy(d, 0, v, 24, 8);
-        System.arraycopy(v, 0, publicKey.x, 0, 32);
-        System.arraycopy(v, 0, publicKey.y, 0, 32);
-        return publicKey;
    }
+    /**
+     * Create a randomly generated private ecdsa key.
+     *
+     * @return a freshly generated key
+     */
    public static EcdsaPrivateKey createRandom() {
        SecureRandom sr = new SecureRandom();
        EcdsaPrivateKey privateKey = new EcdsaPrivateKey();
diff --git a/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java b/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java
index 7468109..ce0c981 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdsaPublicKey.java
@@ -1,3 +1,23 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
 import org.gnunet.construct.FixedSizeIntegerArray;
@@ -12,12 +32,6 @@ import java.util.Arrays;
 public class EcdsaPublicKey implements Message {
    private static final Logger logger = LoggerFactory
            .getLogger(EcdsaPublicKey.class);
-    /**
-     * x-coordinate of the point on the curve.
-     * The number is stored as little endian.
-     */
-    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
-    public byte[] x;
    /**
     * y-coordinate of the point on the curve.
@@ -26,28 +40,32 @@ public class EcdsaPublicKey implements Message {
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
    public byte[] y;
+    /**
+     * Create an ECDSA public key from a curve point.
+     *
+     * @param a curve point.
+     */
    public EcdsaPublicKey(Ed25519 a) {
+        y = a.encode();
    }
+    /**
+     * Create a public key without allocating space for the key data.
+     * Necessary for constructing this class with org.gnunet.construct.*
+     */
    public EcdsaPublicKey() {
-        x = new byte[32];
+        // empty
-        y = new byte[32];
    }
-    public static EcdsaPublicKey fromStringUncompressed(String s) {
+    /**
-        if (s.length() != org.gnunet.util.Strings.getEncodedStringLength(64)) {
+     * Load an ECDSA key from a string.
-            logger.debug("invalid key length");
+     *
-            return null;
+     * @param s string with the key data
-        }
+     * @return a public key
-        byte[] data = new byte[64];
+     */
-        if (!Strings.stringToData(s, data)) {
+    public static EcdsaPublicKey fromString(String s) {
-            logger.debug("invalid key format");
-            return null;
-        }
        EcdsaPublicKey publicKey = new EcdsaPublicKey();
-        System.arraycopy(data, 0, publicKey.x, 0, 32);
+        Strings.stringToData(s, publicKey.y);
-        System.arraycopy(data, 32, publicKey.y, 0, 32);
        return publicKey;
    }
@@ -60,17 +78,13 @@ public class EcdsaPublicKey implements Message {
    public static EcdsaPublicKey random() {
        SecureRandom sr = new SecureRandom();
        EcdsaPublicKey publicKey = new EcdsaPublicKey();
-        sr.nextBytes(publicKey.x);
        sr.nextBytes(publicKey.y);
        return publicKey;
    }
    @Override
    public String toString() {
-        byte[] keyData = new byte[64];
+        return Strings.dataToString(y);
-        System.arraycopy(x, 0, keyData, 0, 32);
-        System.arraycopy(y, 0, keyData, 32, 32);
-        return Strings.dataToString(keyData);
    }
    @Override
@@ -80,7 +94,6 @@ public class EcdsaPublicKey implements Message {
        EcdsaPublicKey publicKey = (EcdsaPublicKey) o;
-        if (!Arrays.equals(x, publicKey.x)) return false;
        if (!Arrays.equals(y, publicKey.y)) return false;
        return true;
@@ -88,8 +101,8 @@ public class EcdsaPublicKey implements Message {
    @Override
    public int hashCode() {
-        int result = Arrays.hashCode(x);
+        int result = Arrays.hashCode(y);
-        result = 31 * result + Arrays.hashCode(y);
        return result;
    }
 }
diff --git a/src/main/java/org/gnunet/util/crypto/EcdsaSignature.java b/src/main/java/org/gnunet/util/crypto/EcdsaSignature.java
index b668a3f..76a5e22 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdsaSignature.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdsaSignature.java
@@ -23,11 +23,15 @@ package org.gnunet.util.crypto;
 import org.gnunet.construct.FixedSizeIntegerArray;
 import org.gnunet.construct.Message;
+import org.gnunet.util.HashCode;
 import org.gnunet.util.Strings;
 import java.math.BigInteger;
-import java.nio.ByteBuffer;
+import java.security.SecureRandom;
+/**
+ * ECDSA Signature.
+ */
 public class EcdsaSignature implements Message {
    /**
     * R value of the signature in compressed form.
@@ -48,13 +52,38 @@ public class EcdsaSignature implements Message {
        this.s = new byte[32];
    }
+    /**
+     * Verify that this signature has been created by the given public key and signs the
+     * given data and purpose.
+     *
+     * @param m message that was signed
+     * @param purpose purpose of the signature
+     * @param publicKey public key to check for
+     * @return whether the signature is valid
+     */
    public boolean verify(byte[] m, int purpose, EcdsaPublicKey publicKey) {
-        return false;
+        HashCode h = HashCode.hash(m);
+        byte[] zData = new byte[32];
+        System.arraycopy(h.data, 0, zData, 0, 32);
+        BigInteger z = new BigInteger(1, zData);
+        BigInteger sCoeff = Ed25519.decodeScalar(s);
+        BigInteger rCoeff = Ed25519.decodeScalar(r);
+        BigInteger w = sCoeff.modInverse(Ed25519.q);
+        BigInteger u1 = z.multiply(w).mod(Ed25519.q);
+        BigInteger u2 = rCoeff.multiply(w).mod(Ed25519.q);
+        Ed25519 P = Ed25519.B.scalarmult(u1).add(Ed25519.B.scalarmult(u2));
+        return P.P0.equals(rCoeff.mod(Ed25519.q));
    }
+    /**
+     * Load a signature from a string.
+     *
+     * @param value serialized signature
+     * @return signature
+     */
    public static EcdsaSignature fromString(String value) {
        byte[] data = new byte[64];
-        if (!Strings.stringToData(value, data)) {
+        if (! Strings.stringToData(value, data)) {
            throw new AssertionError();
        }
        EcdsaSignature sig = new EcdsaSignature();
@@ -63,6 +92,12 @@ public class EcdsaSignature implements Message {
        return sig;
    }
+    /**
+     * Serialize the signature to a string.
+     *
+     * @return serialized signature
+     */
    @Override
    public String toString() {
        byte[] sigData = new byte[64];
@@ -72,4 +107,16 @@ public class EcdsaSignature implements Message {
    }
+    /**
+     * Return a signature that is invalid with very, very high probability.
+     *
+     * @return signature with random garbage
+     */
+    public static EcdsaSignature randomGarbage() {
+        EcdsaSignature sig = new EcdsaSignature();
+        SecureRandom r = new SecureRandom();
+        r.nextBytes(sig.r);
+        r.nextBytes(sig.s);
+        return sig;
+    }
 }
diff --git a/src/main/java/org/gnunet/util/crypto/EcdsaSignedMessage.java b/src/main/java/org/gnunet/util/crypto/EcdsaSignedMessage.java
index 0cb293a..bfc3fe4 100644
--- a/src/main/java/org/gnunet/util/crypto/EcdsaSignedMessage.java
+++ b/src/main/java/org/gnunet/util/crypto/EcdsaSignedMessage.java
@@ -26,7 +26,7 @@ import org.gnunet.construct.NestedMessage;
 import org.gnunet.construct.UInt32;
 /**
- * A message together with a signature on the message and it's purpose.
+ * A message together with a signature on the message and its purpose.
 */
 public class EcdsaSignedMessage<M extends Message> implements Message {
    @NestedMessage
diff --git a/src/main/java/org/gnunet/util/crypto/Ed25519.java b/src/main/java/org/gnunet/util/crypto/Ed25519.java
index 0947de4..caa2ec8 100644
--- a/src/main/java/org/gnunet/util/crypto/Ed25519.java
+++ b/src/main/java/org/gnunet/util/crypto/Ed25519.java
@@ -1,48 +1,148 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
 import java.math.BigInteger;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 /**
 * Java-only implementation of arithmetic on DJBs Ed25519.
 * Very, very slow.
 */
 public class Ed25519 {
-    // curve parameter b
+    /**
-    static final int b = 256;
+     * curve parameter b
-    // curve parameter q =  255^(-19)
+     */
-    private static final BigInteger q = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819949");
+    public static final int b = 256;
-    // q-3
+    /**
-    private static final BigInteger qm2 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819947");
+     * curve parameter q =  2^255-19
-    // q-3
+     */
-    private static final BigInteger qp3 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819952");
+    public static final BigInteger q = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819949");
+    /**
+     * q-2
+     */
+    private static final BigInteger qm2 = q.subtract(BigInteger.valueOf(2));
+    /**
+     * q+3
+     */
+    private static final BigInteger qp3 = q.add(BigInteger.valueOf(3));
+    /**
+     * ???
+     */
    static final BigInteger l = new BigInteger("7237005577332262213973186563042994240857116359379907606001950938285454250989");
+    /**
+     * ???
+     */
    private static final BigInteger d = new BigInteger("-4513249062541557337682894930092624173785641285191125241628941591882900924598840740");
+    /**
+     * ???
+     */
    private static final BigInteger I = new BigInteger("19681161376707505956807079304988542015446066515923890162744021073123829784752");
-    private static final BigInteger By = new BigInteger("46316835694926478169428394003475163141307993866256225615783033603165251855960");
+    /**
+     * x-coordinate of the base point
+     */
    private static final BigInteger Bx = new BigInteger("15112221349535400772501151409588531511454012693041857206046113283949847762202");
-    static final Ed25519 B = new Ed25519(Bx.mod(q),By.mod(q));
+    /**
-    // 2^255
+     * x-coordinate of the base point.
-    private static final BigInteger un = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819967");
+     * Corresponds to '9' on Curve25519 in montgomery form
+     */
+    private static final BigInteger By = new BigInteger("46316835694926478169428394003475163141307993866256225615783033603165251855960");
+    /**
+     * base point
+     */
+    public static final Ed25519 B = new Ed25519(Bx.mod(q),By.mod(q));
+    /**
+     * Mask where only the first 255 bits are set.
+     */
+    private static final BigInteger mask255 = BigInteger.ONE.shiftLeft(255).subtract(BigInteger.ONE);
+    /**
+     * First coordinate (x) of this point.
+     */
    BigInteger P0;
+    /**
+     * Second coordinate (y) of this point.
+     */
    BigInteger P1;
+    /**
+     * Create a curve point from its coordinates.
+     * @param P0 x-coordinate
+     * @param P1 y-coordinate
+     */
    public Ed25519(BigInteger P0, BigInteger P1) {
        this.P0 = P0;
        this.P1 = P1;
    }
-    public static Ed25519 decompress(BigInteger y) {
+    /**
+     * Create a curve point from its string representation
+     *
+     * @param s the string representation
+     * @return a curve point corresponsing to 's'
+     */
+    public static Ed25519 decode(byte[] s) {
+        BigInteger y = decodeScalar(s);
+        BigInteger x = recoverX(y);
+        if ((x.testBit(0)?1:0) != bit(s, b-1)) {
+            x = q.subtract(x);
+        }
+        Ed25519 v = new Ed25519(x, y);
+        if (!v.isOnCurve()) {
+            throw new AssertionError("not on curve");
+        }
+        return v;
+    }
+    /**
+     * Get the i'th bit of a byte array
+     *
+     * @param h byte array
+     * @param i bit index
+     * @return value of the i'th bit in h
+     */
+    private static int bit(byte[] h, int i) {
+        return h[i/8] >> (i%8) & 1;
+    }
+    /**
+     * Recover the (positive) x-coordinate from y.
+     *
+     * @param y the y coordinate
+     * @return positive x-coordinate
+     */
+    public static BigInteger recoverX(BigInteger y) {
        BigInteger y2 = y.multiply(y);
        BigInteger xx = (y2.subtract(BigInteger.ONE)).multiply(inv(d.multiply(y2).add(BigInteger.ONE)));
        BigInteger x = xx.modPow(qp3.divide(BigInteger.valueOf(8)), q);
-        if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO)) x = (x.multiply(I).mod(q));
+        if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO))
-        if (!x.mod(BigInteger.valueOf(2)).equals(BigInteger.ZERO)) x = q.subtract(x);
+            x = (x.multiply(I).mod(q));
-        return new Ed25519(x, y);
+        if (!x.mod(BigInteger.valueOf(2)).equals(BigInteger.ZERO))
+            x = q.subtract(x);
+        return x;
    }
    /**
@@ -72,6 +172,12 @@ public class Ed25519 {
        return new Ed25519(x3.mod(q), y3.mod(q));
    }
+    /**
+     * Multiply this point by a scalar value.
+     *
+     * @param e scalar factor
+     * @return this*e
+     */
    public Ed25519 scalarmult(BigInteger e) {
        if (e.equals(BigInteger.ZERO)) {
            return new Ed25519(BigInteger.ZERO, BigInteger.ONE);
@@ -82,32 +188,59 @@ public class Ed25519 {
        return Q;
    }
+    /**
+     * Decode an integer from it's little endian byte array form.
+     * Takes a 32-byte array. The highest order bit is masked out.
+     *
+     * @param s string representation of a scalar
+     * @return scalar represented by 's'
+     */
    public static BigInteger decodeScalar(byte[] s) {
+        if (s.length != 32) {
+            throw new AssertionError();
+        }
+        // convert 's' to big endian
        byte[] out = new byte[s.length];
        for (int i=0; i < s.length;i++) {
            out[i] = s[s.length-1-i];
        }
-        return new BigInteger(out).and(un);
+        return new BigInteger(1, out).and(mask255);
    }
+    /**
+     * Encode a scalar to little endian byte array form.
+     * The resulting array is always 32 bytes large.
+     *
+     * @param n scalar to encode
+     * @return byte representation of 'n'
+     */
    public static byte[] encodeScalar(BigInteger n) {
-        byte[] in = n.toByteArray();
+        byte[] in = n.and(mask255).toByteArray();
-        // reverse the array
+        if (in.length > 32) {
-        for (int i = 0; i < in.length / 2; i++) {
+            throw new AssertionError("size too big: " + in.length);
-            byte tmp = in[i];
+        }
-            in[i] = in[in.length - i - 1];
+        byte[] full = new byte[32];
-            in[in.length - i - 1] = tmp;
+        // reverse 'in' and copy to the beginning of 'full'
+        for (int i = 0; i < in.length; i++) {
+            full[in.length - i - 1] = in[i];
        }
-        return in;
+        return full;
    }
+    /**
+     * Compress end encode a point on the curve.
+     *
+     * @return compressed and encoded point
+     */
    public byte[] encode() {
        byte[] out = encodeScalar(P1);
-        out[out.length-1] |= (P0.testBit(0) ? 0x80 : 0);
+        System.out.println("encodeScalar " + P1);
+        System.out.println("out1 " + Arrays.toString(out));
+        out[out.length-1] |= (P0.testBit(0) ? (byte) 0x80 : 0);
+        System.out.println("out2 " + Arrays.toString(out));
        return out;
    }
    /**
     * Hash the data in m and return 2^h(m)
     *
@@ -122,6 +255,7 @@ public class Ed25519 {
            throw new RuntimeException("crypto algorithm required but not provided");
        }
        final byte[] h = sha512.digest(m);
+        // reverse h
        for (int i = 0; i < 32; i++) {
            byte tmp = h[i];
            h[i] = h[63 - i];
@@ -130,4 +264,42 @@ public class Ed25519 {
        return new BigInteger(1, h);
    }
+    /**
+     * Check whether this point is on the curve, and thus valid.
+     *
+     * @return whether is point is on the curve
+     */
+    public boolean isOnCurve() {
+        BigInteger x = P0;
+        BigInteger y = P1;
+        BigInteger xx = x.multiply(x);
+        BigInteger yy = y.multiply(y);
+        BigInteger dxxyy = d.multiply(yy).multiply(xx);
+        return xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q).equals(BigInteger.ZERO);
+    }
+    @Override
+    public String toString() {
+        return "(" + P0.toString() + ", " + P1.toString() + ")";
+    }
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        Ed25519 ed25519 = (Ed25519) o;
+        if (!P0.equals(ed25519.P0)) return false;
+        if (!P1.equals(ed25519.P1)) return false;
+        return true;
+    }
+    @Override
+    public int hashCode() {
+        int result = P0.hashCode();
+        result = 31 * result + P1.hashCode();
+        return result;
+    }
 }
diff --git a/src/main/java/org/gnunet/util/crypto/EddsaPrivateKey.java b/src/main/java/org/gnunet/util/crypto/EddsaPrivateKey.java
index 21aa647..2d1dbcb 100644
--- a/src/main/java/org/gnunet/util/crypto/EddsaPrivateKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EddsaPrivateKey.java
@@ -1,3 +1,22 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
 import org.gnunet.construct.FixedSizeIntegerArray;
@@ -17,7 +36,21 @@ public class EddsaPrivateKey implements Message {
        return sign(getPublicKey(), purpose, m);
    }
+    /**
+     * Sign the given data with this private key.  Must include a purpose to mitigate
+     * replay / copy and paste attacks.
+     *
+     * @param publicKey public key corresponding to this private key, supplying this parameter
+     *                  leads to better performance as the public key does not have to be derived
+     * @param purpose purpose for the signature
+     * @param m data to sign
+     * @return the signature over both the data and the purpose
+     */
    public EddsaSignature sign(EddsaPublicKey publicKey, int purpose, byte[] m) {
+        if (!publicKey.asPoint().isOnCurve()) {
+            throw new AssertionError();
+        }
        MessageDigest sha512;
        try {
            sha512 = MessageDigest.getInstance("SHA-512");
@@ -40,6 +73,12 @@ public class EddsaPrivateKey implements Message {
        BigInteger S = r.add(Ed25519.Hint(buf.array()).multiply(a)).mod(Ed25519.l);
+        if (!R.isOnCurve()) {
+            throw new AssertionError();
+        }
+        if (!publicKey.asPoint().isOnCurve()) {
+            throw new AssertionError();
+        }
        return new EddsaSignature(R, S);
    }
@@ -55,6 +94,12 @@ public class EddsaPrivateKey implements Message {
    }
+    /**
+     * Compute the coefficient that is used to derive the public key.
+     * See 'Daniel J. Bernstein et al, High-speed high-security signatures' for details.
+     *
+     * @return the public key coefficient
+     */
    private BigInteger computePublicKeyCoefficient() {
        MessageDigest sha512;
        try {
@@ -71,12 +116,30 @@ public class EddsaPrivateKey implements Message {
        return a;
    }
+    /**
+     * Get the public key for this private key.
+     *
+     * @return the public key for this private key
+     */
    public EddsaPublicKey getPublicKey() {
        BigInteger a = computePublicKeyCoefficient();
        Ed25519 A = Ed25519.B.scalarmult(a);
-        return new EddsaPublicKey(A);
+        if (!A.isOnCurve()) {
+            throw new AssertionError();
+        }
+        EddsaPublicKey publicKey = new EddsaPublicKey(A);
+        if (!A.equals(publicKey.asPoint())) {
+            throw new AssertionError();
+        }
+        return publicKey;
    }
+    /**
+     * Create a random private key.
+     *
+     * @return a random private key
+     */
    public static EddsaPrivateKey createRandom() {
        SecureRandom sr = new SecureRandom();
        EddsaPrivateKey privateKey = new EddsaPrivateKey();
diff --git a/src/main/java/org/gnunet/util/crypto/EddsaPublicKey.java b/src/main/java/org/gnunet/util/crypto/EddsaPublicKey.java
index b548cf7..aa43a0b 100644
--- a/src/main/java/org/gnunet/util/crypto/EddsaPublicKey.java
+++ b/src/main/java/org/gnunet/util/crypto/EddsaPublicKey.java
@@ -1,33 +1,114 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
 package org.gnunet.util.crypto;
 import org.gnunet.construct.FixedSizeIntegerArray;
 import org.gnunet.construct.Message;
+import org.gnunet.util.Strings;
+import java.security.SecureRandom;
+import java.util.Arrays;
+/**
+ * EdDSA public key.
+ */
 public class EddsaPublicKey implements Message {
    /**
-     * x-coordinate of the point on the curve.
+     * y-coordinate of the point on the curve, in Ed25519-compressed form.
     * The number is stored as little endian.
     */
    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
-    public byte[] x;
+    public byte[] y;
    /**
-     * y-coordinate of the point on the curve.
+     * Create a public key without allocating space for the key data.
-     * The number is stored as little endian.
+     * Necessary for constructing this class with org.gnunet.construct.*
     */
-    @FixedSizeIntegerArray(bitSize = 8, signed = false, length = 32)
-    public byte[] y;
    public EddsaPublicKey() {
        // default constructor for Construct
    }
    public EddsaPublicKey(Ed25519 a) {
-        x = Ed25519.encodeScalar(a.P0);
+        y = a.encode();
-        y = Ed25519.encodeScalar(a.P1);
+    }
+    /**
+     * Convert this public key to a point on the Ed25519 curve.
+     *
+     * @return a point corresponding to this key
+     */
+    Ed25519 asPoint() {
+        return Ed25519.decode(y);
+    }
+    /**
+     * Load an ECDSA key from a string.
+     *
+     * @param s string with the key data
+     * @return a public key
+     */
+    public EcdhePublicKey fromString(String s) {
+        EcdhePublicKey publicKey = new EcdhePublicKey();
+        Strings.stringToData(s, publicKey.y);
+        return publicKey;
+    }
+    /**
+     * Create a random public key.  The generated key might not even be valid
+     * (i.e. not on the curve), thus this method should only be used for testing.
+     *
+     * @return a random, possibly invalid public key
+     */
+    public static EcdsaPublicKey random() {
+        SecureRandom sr = new SecureRandom();
+        EcdsaPublicKey publicKey = new EcdsaPublicKey();
+        sr.nextBytes(publicKey.y);
+        return publicKey;
+    }
+    /**
+     * Converrt this public key to a string
+     *
+     * @return a string representing this public key
+     */
+    @Override
+    public String toString() {
+        return Strings.dataToString(y);
+    }
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        EcdsaPublicKey publicKey = (EcdsaPublicKey) o;
+        if (!Arrays.equals(y, publicKey.y)) return false;
+        return true;
    }
-    public Ed25519 asPoint() {
+    @Override
-        return new Ed25519(Ed25519.decodeScalar(x), Ed25519.decodeScalar(y));
+    public int hashCode() {
+        int result = Arrays.hashCode(y);
+        return result;
    }
 }
diff --git a/src/main/java/org/gnunet/util/crypto/EddsaSignature.java b/src/main/java/org/gnunet/util/crypto/EddsaSignature.java
index 25eea34..fa16a9c 100644
--- a/src/main/java/org/gnunet/util/crypto/EddsaSignature.java
+++ b/src/main/java/org/gnunet/util/crypto/EddsaSignature.java
@@ -18,26 +18,6 @@
  Boston, MA 02111-1307, USA.
 */
-/*
- This file is part of GNUnet.
-  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
-  GNUnet is free software; you can redistribute it and/or modify
-  it under the terms of the GNU General Public License as published
-  by the Free Software Foundation; either version 3, or (at your
-  option) any later version.
-  GNUnet is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  General Public License for more details.
-  You should have received a copy of the GNU General Public License
-  along with GNUnet; see the file COPYING.  If not, write to the
-  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-  Boston, MA 02111-1307, USA.
- */
 package org.gnunet.util.crypto;
@@ -75,7 +55,7 @@ public class EddsaSignature implements Message {
    }
    public boolean verify(byte[] m, int purpose, EddsaPublicKey publicKey) {
-        Ed25519 R = Ed25519.decompress(Ed25519.decodeScalar(r));
+        Ed25519 R = Ed25519.decode(r);
        Ed25519 A = publicKey.asPoint();
        BigInteger S = Ed25519.decodeScalar(s);
        ByteBuffer Stemp = ByteBuffer.allocate(32 + 32 + m.length);
@@ -83,7 +63,19 @@ public class EddsaSignature implements Message {
        BigInteger h = Ed25519.Hint(Stemp.array());
        Ed25519 ra = Ed25519.B.scalarmult(S);
        Ed25519 rb = R.add(A.scalarmult(h));
-        return rb.equals(rb);
+        if (!A.isOnCurve()) {
+            throw new AssertionError();
+        }
+        if (!R.isOnCurve()) {
+            throw new AssertionError();
+        }
+        if (!ra.isOnCurve()) {
+            throw new AssertionError();
+        }
+        if (!rb.isOnCurve()) {
+            throw new AssertionError();
+        }
+        return ra.equals(rb);
    }
    public static EddsaSignature fromString(String value) {
diff --git a/src/main/java/org/gnunet/util/crypto/EddsaSignedMessage.java b/src/main/java/org/gnunet/util/crypto/EddsaSignedMessage.java
index 27f969a..01f0ea1 100644
--- a/src/main/java/org/gnunet/util/crypto/EddsaSignedMessage.java
+++ b/src/main/java/org/gnunet/util/crypto/EddsaSignedMessage.java
@@ -18,26 +18,6 @@
  Boston, MA 02111-1307, USA.
 */
-/*
- This file is part of GNUnet.
-  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
-  GNUnet is free software; you can redistribute it and/or modify
-  it under the terms of the GNU General Public License as published
-  by the Free Software Foundation; either version 3, or (at your
-  option) any later version.
-  GNUnet is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  General Public License for more details.
-  You should have received a copy of the GNU General Public License
-  along with GNUnet; see the file COPYING.  If not, write to the
-  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-  Boston, MA 02111-1307, USA.
- */
 package org.gnunet.util.crypto;
 import org.gnunet.construct.Construct;
diff --git a/src/main/java/org/gnunet/voting/Ballot.java b/src/main/java/org/gnunet/voting/Ballot.java
index 72d444f..e300010 100644
--- a/src/main/java/org/gnunet/voting/Ballot.java
+++ b/src/main/java/org/gnunet/voting/Ballot.java
@@ -180,13 +180,13 @@ public class Ballot {
        if (!optCaPub.isPresent()) {
            throw new InvalidBallotException("no CA pub key given");
        }
-        caPub = EcdsaPublicKey.fromStringUncompressed(optCaPub.get());
+        caPub = EcdsaPublicKey.fromString(optCaPub.get());
        if (null == caPub) {
            throw new InvalidBallotException("CA pub key invalid");
        }
        Optional<String> optIssuerPub = cfg.getValueString("election", "ISSUER_PUB");
        if (optIssuerPub.isPresent()) {
-            issuerPub = EcdsaPublicKey.fromStringUncompressed(optIssuerPub.get());
+            issuerPub = EcdsaPublicKey.fromString(optIssuerPub.get());
            Optional<String> optIssuerSig = cfg.getValueString("election", "ISSUER_SIG");
            if (!optIssuerSig.isPresent()) {
                throw new InvalidBallotException("issuer public key present, but no signature");
@@ -227,7 +227,7 @@ public class Ballot {
        Optional<String> optVoterPub = cfg.getValueString("vote", "VOTER_PUB");
        if (optVoterPub.isPresent()) {
-            voterPub = EcdsaPublicKey.fromStringUncompressed(optVoterPub.get());
+            voterPub = EcdsaPublicKey.fromString(optVoterPub.get());
            if (null == voterPub) {
                throw new InvalidBallotException("voter public key present but invalid");
            }
@@ -268,15 +268,13 @@ public class Ballot {
            digest.update(x.getKey().getBytes());
            digest.update(x.getValue().data);
        }
-        digest.update(issuerPub.x);
        digest.update(issuerPub.y);
-        digest.update(caPub.x);
        digest.update(caPub.y);
        digest.update(Longs.toByteArray(startTime.getSeconds()));
        digest.update(Longs.toByteArray(endTime.getSeconds()));
        digest.update(Longs.toByteArray(closingTime.getSeconds()));
        digest.update(Longs.toByteArray(queryTime.getSeconds()));
-        return new HashCode(digest.digest());
+        return HashCode.fromHashCode(digest.digest());
    }
    /**
diff --git a/src/main/java/org/gnunet/voting/CertifyGroupTool.java b/src/main/java/org/gnunet/voting/CertifyGroupTool.java
index b8d267a..ec82eba 100644
--- a/src/main/java/org/gnunet/voting/CertifyGroupTool.java
+++ b/src/main/java/org/gnunet/voting/CertifyGroupTool.java
@@ -109,7 +109,7 @@ public class CertifyGroupTool extends Program {
            setReturnValue(1);
            return;
        }
-        final EcdsaPublicKey memberPubKey = EcdsaPublicKey.fromStringUncompressed(memberPubKeyString);
+        final EcdsaPublicKey memberPubKey = EcdsaPublicKey.fromString(memberPubKeyString);
        if (null == memberPubKey) {
            System.err.println("not a valid pubkey: '" + memberPubKeyString + "'");
            setReturnValue(1);
diff --git a/src/main/java/org/gnunet/voting/GroupCert.java b/src/main/java/org/gnunet/voting/GroupCert.java
index 2e64101..296aae7 100644
--- a/src/main/java/org/gnunet/voting/GroupCert.java
+++ b/src/main/java/org/gnunet/voting/GroupCert.java
@@ -114,11 +114,11 @@ public class GroupCert {
            throw new InvalidGroupCertException("invalid signature in group cert");
        }
        groupCert.expiration = AbsoluteTime.fromSeconds(optExpiration.get());
-        groupCert.signerPublicKey = EcdsaPublicKey.fromStringUncompressed(optCa.get());
+        groupCert.signerPublicKey = EcdsaPublicKey.fromString(optCa.get());
        if (null == groupCert.signerPublicKey) {
            throw new InvalidGroupCertException("invalid CA in group cert");
        }
-        groupCert.member = EcdsaPublicKey.fromStringUncompressed(optMember.get());
+        groupCert.member = EcdsaPublicKey.fromString(optMember.get());
        if (null == groupCert.member) {
            throw new InvalidGroupCertException("invalid member in group cert");
        }
diff --git a/src/test/java/org/gnunet/util/EcdheTest.java b/src/test/java/org/gnunet/util/EcdheTest.java
new file mode 100644
index 0000000..4d789e2
--- /dev/null
+++ b/src/test/java/org/gnunet/util/EcdheTest.java
@@ -0,0 +1,79 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
+package org.gnunet.util;
+import org.gnunet.util.crypto.EcdhePrivateKey;
+import org.gnunet.util.crypto.EcdhePublicKey;
+import org.junit.Assert;
+import org.junit.Test;
+/**
+ * Test ECDHE.
+ */
+public class EcdheTest {
+    /**
+     * Test whether the key is correctly restored when serializing it.
+     */
+    @Test
+    public void test_compress() {
+        EcdhePrivateKey privKey1 = EcdhePrivateKey.createRandom();
+        EcdhePublicKey pubKey1 = privKey1.getPublicKey();
+        EcdhePublicKey pubKey2 = new EcdhePublicKey(pubKey1.asPoint());
+        Assert.assertArrayEquals(pubKey1.y, pubKey2.y);
+    }
+    /**
+     * Test a single ecdh operation.
+     */
+    @Test
+    public void test_simple() {
+        EcdhePrivateKey privKey1 = EcdhePrivateKey.createRandom();
+        EcdhePrivateKey privKey2 = EcdhePrivateKey.createRandom();
+        EcdhePublicKey pubKey1 = privKey1.getPublicKey();
+        EcdhePublicKey pubKey2 = privKey2.getPublicKey();
+        HashCode h1 = privKey1.ecdh(pubKey2);
+        HashCode h2 = privKey2.ecdh(pubKey1);
+        Assert.assertArrayEquals(h1.data, h2.data);
+    }
+    /**
+     * Test with values from the C GNUnet implementation.
+     * Generated with 'gnunet-ecc -E'
+     */
+    @Test
+    public void test_gnunet_values() {
+        EcdhePrivateKey privKey1 = new EcdhePrivateKey();
+        privKey1.d = new byte[32];
+        EcdhePrivateKey privKey2 = new EcdhePrivateKey();
+        privKey2.d = new byte[32];
+        Strings.stringToData("FH7DONLOP82RMELK26NDEP8655HQFU9LUO36LNO1ENOJ5KOSRR00", privKey1.d);
+        Strings.stringToData("LAJES5PBR68MJQP067I7DLJO3RUGG0EUHSOAVOFIDF24KBDE0SEG", privKey2.d);
+        EcdhePublicKey pubKey1 = privKey1.getPublicKey();
+        EcdhePublicKey pubKey2 = privKey2.getPublicKey();
+        Assert.assertEquals("VU5U4KNC3OH5RUL6M5T6BPH52BFBICEG5Q60A43V97HQV1VD3AG0", pubKey1.toString());
+        Assert.assertEquals("8DSB6D0OKS1SD71BKRTVT8OK18Q73Q7MUALJ76V9DQJO6J0170RG", pubKey2.toString());
+    }
+}
diff --git a/src/test/java/org/gnunet/util/EcdsaTest.java b/src/test/java/org/gnunet/util/EcdsaTest.java
new file mode 100644
index 0000000..898bc9a
--- /dev/null
+++ b/src/test/java/org/gnunet/util/EcdsaTest.java
@@ -0,0 +1,45 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
+package org.gnunet.util;
+import org.gnunet.util.crypto.*;
+import org.junit.Assert;
+import org.junit.Test;
+public class EcdsaTest {
+    @Test
+    public void test_sign_success() {
+        byte[] data = "GNUnet".getBytes();
+        EcdsaPrivateKey privateKey = EcdsaPrivateKey.createRandom();
+        EcdsaPublicKey publicKey = privateKey.getPublicKey();
+        EcdsaSignature signature = privateKey.sign(publicKey, 0, data);
+        Assert.assertTrue(signature.verify(data, 0, publicKey));
+    }
+    @Test
+    public void test_sign_failure() {
+        byte[] data = "GNUnet".getBytes();
+        EcdsaPrivateKey privateKey = EcdsaPrivateKey.createRandom();
+        EcdsaPublicKey publicKey = privateKey.getPublicKey();
+        EcdsaSignature signature = EcdsaSignature.randomGarbage();
+        Assert.assertFalse(signature.verify(data, 0, publicKey));
+    }
+}
diff --git a/src/test/java/org/gnunet/util/Ed25519Test.java b/src/test/java/org/gnunet/util/Ed25519Test.java
new file mode 100644
index 0000000..4ae39a7
--- /dev/null
+++ b/src/test/java/org/gnunet/util/Ed25519Test.java
@@ -0,0 +1,142 @@
+/*
+ This file is part of GNUnet.
+  (C) 2012, 2013 Christian Grothoff (and other contributing authors)
+  GNUnet is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published
+  by the Free Software Foundation; either version 3, or (at your
+  option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+  You should have received a copy of the GNU General Public License
+  along with GNUnet; see the file COPYING.  If not, write to the
+  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+  Boston, MA 02111-1307, USA.
+ */
+package org.gnunet.util;
+import org.gnunet.util.crypto.Ed25519;
+import org.junit.Assert;
+import org.junit.Test;
+import java.math.BigInteger;
+import java.util.Random;
+public class Ed25519Test {
+    /**
+     * Simple test for commutativity.
+     */
+    @Test
+    public void test_commutative() {
+        Ed25519 p1 = Ed25519.B.scalarmult(BigInteger.valueOf(42)).scalarmult(BigInteger.valueOf(100));
+        Ed25519 p2 = Ed25519.B.scalarmult(BigInteger.valueOf(100)).scalarmult(BigInteger.valueOf(42));
+        byte[] data1 = p1.encode();
+        byte[] data2 = p2.encode();
+        Assert.assertArrayEquals(data1, data2);
+    }
+    /**
+     * Raw ECDH check.
+     */
+    //@Test
+    public void test_ecdh() {
+        for (int i = 0; i < 5; ++i) {
+            System.out.println("try " + i);
+            byte[] d1 = new byte[32];
+            byte[] d2 = new byte[32];
+            Random r = new Random();
+            r.nextBytes(d1);
+            r.nextBytes(d2);
+            d1[0] &= 248;
+            d1[31] &= 127;
+            d1[31] |= 64;
+            d2[0] &= 248;
+            d2[31] &= 127;
+            d2[31] |= 64;
+            Ed25519 pk1 = Ed25519.B.scalarmult(Ed25519.decodeScalar(d1));
+            Ed25519 pk2 = Ed25519.B.scalarmult(Ed25519.decodeScalar(d2));
+            byte[] pk1Data = pk1.encode();
+            byte[] pk2Data = pk2.encode();
+            Assert.assertEquals(pk1, Ed25519.decode(pk1Data));
+            Assert.assertEquals(pk2, Ed25519.decode(pk2Data));
+            byte[] data1 = Ed25519.decode(pk1Data).scalarmult(Ed25519.decodeScalar(d2)).encode();
+            byte[] data2 = Ed25519.decode(pk2Data).scalarmult(Ed25519.decodeScalar(d1)).encode();
+            /*
+            Ed25519 p1 = Ed25519.B.scalarmult(Ed25519.decodeScalar(d1)).scalarmult(Ed25519.decodeScalar(d2));
+            Ed25519 p2 = Ed25519.B.scalarmult(Ed25519.decodeScalar(d2)).scalarmult(Ed25519.decodeScalar(d1));
+            byte[] data1 = p1.encode();
+            byte[] data2 = p2.encode();
+            */
+            Assert.assertArrayEquals(data1, data2);
+        }
+    }
+    /**
+     * Test if decode is the inverse of encode.
+     */
+    //@Test
+    public void test_encode_inverse() {
+        Random r = new Random();
+        for (int i = 0; i < 100; i++) {
+            byte[] d1 = new byte[32];
+            r.nextBytes(d1);
+            d1[31] &= 127;
+            Ed25519 p1 = Ed25519.B.scalarmult(Ed25519.decodeScalar(d1));
+            // encode and decode the same value!
+            byte[] data1 = p1.encode();
+            Ed25519 p2 = Ed25519.decode(data1);
+            Assert.assertEquals(p1, p2);
+            Assert.assertArrayEquals(p1.encode(), p2.encode());
+        }
+    }
+    @Test
+    public void test_encode_inverse_simple() {
+        Ed25519 p1 = Ed25519.B;
+        // encode and decode the same value!
+        byte[] data1 = p1.encode();
+        for (int i = 0; i < 32; i++) {
+            System.out.print(data1[i] + " ");
+        }
+        System.out.println();
+        Ed25519 p2 = Ed25519.decode(data1);
+        Assert.assertArrayEquals(p1.encode(), p2.encode());
+        Assert.assertEquals(p1, p2);
+    }
+    /**
+     *
+     */
+    @Test
+    public void test_encode_scalar() {
+        Random r = new Random();
+        for (int i = 0; i < 10; i++) {
+            byte[] d1 = new byte[32];
+            r.nextBytes(d1);
+            d1[31] &= 127;
+            BigInteger s1 = Ed25519.decodeScalar(d1);
+            byte[] d2 = Ed25519.encodeScalar(s1);
+            BigInteger s2 = Ed25519.decodeScalar(d2);
+            Assert.assertEquals(s1, s2);
+            Assert.assertArrayEquals(d1, d2);
+        }
+    }
+}
diff --git a/src/test/java/org/gnunet/util/EddsaTest.java b/src/test/java/org/gnunet/util/EddsaTest.java
index 302751b..4296440 100644
--- a/src/test/java/org/gnunet/util/EddsaTest.java
+++ b/src/test/java/org/gnunet/util/EddsaTest.java
@@ -30,10 +30,19 @@ import org.junit.Test;
 public class EddsaTest {
    @Test
    public void test_eddsa_sign_success() {
-        byte[] data = "foo".getBytes();
+        byte[] data = "GNUnet".getBytes();
        EddsaPrivateKey privateKey = EddsaPrivateKey.createRandom();
        EddsaPublicKey publicKey = privateKey.getPublicKey();
        EddsaSignature signature = privateKey.sign(publicKey, 0, data);
        Assert.assertTrue(signature.verify(data, 0, publicKey));
    }
+    @Test
+    public void test_eddsa_sign_failure() {
+        byte[] data = "GNUnet".getBytes();
+        EddsaPrivateKey privateKey = EddsaPrivateKey.createRandom();
+        EddsaPublicKey publicKey = privateKey.getPublicKey();
+        EddsaSignature signature = EddsaSignature.randomGarbage();
+        Assert.assertFalse(signature.verify(data, 0, publicKey));
+    }
 }