author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2021-03-30 00:04:31 +0200 |
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2021-03-30 00:04:31 +0200 |
commit | a33757b1e56920408f7da07c3e8ca2e1a48c8b06 (patch) | |
tree | 2dcac797cb5d8b9735a7d2d871d43e8c6dd73874 | |
parent | 3515b8cb39b2c240a6d4af298d83862fb7a502d0 (diff) |
-hacking dlog with libsodium; ftbfs
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 41 | ||||
-rw-r--r-- | src/util/crypto_ecc_dlog.c | 339 | ||||
-rw-r--r-- | src/util/test_crypto_ecc_dlog.c | 65 |
3 files changed, 252 insertions, 193 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index d01457b4a..0804bcfa9 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h @@ -1443,9 +1443,16 @@ struct GNUNET_CRYPTO_EccPoint * Q consists of an x- and a y-value, each mod p (256 bits), given * here in affine coordinates and Ed25519 standard compact format. */ - unsigned char q_y[256 / 8]; + unsigned char v[256 / 8]; }; +/** + * A ECC scalar for use in point multiplications + */ +struct GNUNET_CRYPTO_EccScalar +{ + unsigned char v[256 / 8]; //TODO probably too small +}; /** * Do pre-calculation for ECC discrete logarithm for small factors. @@ -1468,7 +1475,7 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, unsigned int mem); */ int GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t input); + const struct GNUNET_CRYPTO_EccPoint *input); /** @@ -1484,7 +1491,7 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, int val); @@ -1497,9 +1504,9 @@ GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, int val); * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_t val); + const struct GNUNET_CRYPTO_EccScalar *val); /** 
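Review bot: The `//TODO probably too small` on the new `struct GNUNET_CRYPTO_EccScalar` field `v[256 / 8]` can be resolved instead of left open: a reduced Ed25519 scalar in libsodium is crypto_core_ed25519_SCALARBYTES (32) bytes, exactly 256/8, and only the unreduced 64-byte form (crypto_core_ed25519_NONREDUCEDSCALARBYTES) is larger, which is not what this API stores. Replace the TODO with a comment that tells callers the layout they must produce, e.g. `/* Scalar as a little-endian integer reduced mod the Ed25519 group order L (32 bytes). */`, and "A ECC scalar" should read "An ECC scalar". Renaming the public field `q_y` to `v` in `struct GNUNET_CRYPTO_EccPoint` is a source-incompatible change for every GNUnet component that reads `q_y`; if that is intended, the commit message should say so.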
@@ -1511,10 +1518,10 @@ GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t p, - gcry_mpi_t val); + const struct GNUNET_CRYPTO_EccPoint *p, + const struct GNUNET_CRYPTO_EccScalar *val); /** @@ -1550,10 +1557,10 @@ GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc, * @param b some value * @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t a, - gcry_mpi_point_t b); + const struct GNUNET_CRYPTO_EccPoint *a, + const struct GNUNET_CRYPTO_EccPoint *b); /** @@ -1567,8 +1574,8 @@ GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc, */ void GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t *r, - gcry_mpi_point_t *r_inv); + struct GNUNET_CRYPTO_EccPoint **r, + struct GNUNET_CRYPTO_EccPoint **r_inv); /** @@ -1581,8 +1588,8 @@ GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc, */ void GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_t *r, - gcry_mpi_t *r_inv); + struct GNUNET_CRYPTO_EccScalar **r, + struct GNUNET_CRYPTO_EccScalar **r_inv); /** @@ -1591,7 +1598,7 @@ GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, * @param edc ECC context * @return random value mod n. */ -gcry_mpi_t +struct GNUNET_CRYPTO_EccScalar* GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc); @@ -1601,7 +1608,7 @@ GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc); * @param p point to free */ void -GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p); +GNUNET_CRYPTO_ecc_free (struct GNUNET_CRYPTO_EccPoint* p); /** 
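Review bot: The header still declares `GNUNET_CRYPTO_ecc_bin_to_point` (visible as context of the hunk at @@ -1550) and presumably `GNUNET_CRYPTO_ecc_point_to_bin` just above it, while this commit deletes both definitions from crypto_ecc_dlog.c, so callers keep compiling and fail at link time; delete the declarations or rewrite them for the new struct types. Conversely, `GNUNET_CRYPTO_ecc_scalar_from_int`, defined with external linkage at the end of crypto_ecc_dlog.c, has no prototype here, and no release function is declared for the `struct GNUNET_CRYPTO_EccScalar` objects returned by `GNUNET_CRYPTO_ecc_random_mod_n` and `GNUNET_CRYPTO_ecc_rnd_mpi` (the test falls back to `GNUNET_free`). Adding a `GNUNET_CRYPTO_ecc_scalar_free` counterpart to `GNUNET_CRYPTO_ecc_free` would keep ownership explicit and give one place to zeroize scalars before release.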
diff --git a/src/util/crypto_ecc_dlog.c b/src/util/crypto_ecc_dlog.c index 408d64e58..33fc3f0e4 100644 --- a/src/util/crypto_ecc_dlog.c +++ b/src/util/crypto_ecc_dlog.c @@ -91,62 +91,6 @@ struct GNUNET_CRYPTO_EccDlogContext /** - * Convert point value to binary representation. - * - * @param edc calculation context for ECC operations - * @param point computational point representation - * @param[out] bin binary point representation - */ -void -GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t point, - struct GNUNET_CRYPTO_EccPoint *bin) -{ - gcry_mpi_t q_y; - - GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", point, edc->ctx)); - q_y = gcry_mpi_ec_get_mpi ("q@eddsa", edc->ctx, 0); - GNUNET_assert (q_y); - GNUNET_CRYPTO_mpi_print_unsigned (bin->q_y, - sizeof(bin->q_y), - q_y); - gcry_mpi_release (q_y); -} - - -/** - * Convert binary representation of a point to computational representation. - * - * @param edc calculation context for ECC operations - * @param bin binary point representation - * @return computational representation - */ -gcry_mpi_point_t -GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc, - const struct GNUNET_CRYPTO_EccPoint *bin) -{ - gcry_sexp_t pub_sexpr; - gcry_ctx_t ctx; - gcry_mpi_point_t q; - - (void) edc; - if (0 != gcry_sexp_build (&pub_sexpr, NULL, - "(public-key(ecc(curve " CURVE ")(q %b)))", - (int) sizeof(bin->q_y), - bin->q_y)) - { - GNUNET_break (0); - return NULL; - } - GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL)); - gcry_sexp_release (pub_sexpr); - q = gcry_mpi_ec_get_point ("q", ctx, 0); - gcry_ctx_release (ctx); - return q; -} - - -/** * Do pre-calculation for ECC discrete logarithm for small factors. * * @param max maximum value the factor can be 
@@ -159,11 +103,11 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, { struct GNUNET_CRYPTO_EccDlogContext *edc; unsigned int K = ((max + (mem - 1)) / mem); - gcry_mpi_point_t g; + // gcry_mpi_point_t g; struct GNUNET_PeerIdentity key; - gcry_mpi_point_t gKi; - gcry_mpi_t fact; - gcry_mpi_t n; + // gcry_mpi_point_t gKi; + // gcry_mpi_t fact; + // gcry_mpi_t n; unsigned int i; GNUNET_assert (max < INT32_MAX); @@ -174,18 +118,38 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, edc->map = GNUNET_CONTAINER_multipeermap_create (mem * 2, GNUNET_NO); - GNUNET_assert (0 == gcry_mpi_ec_new (&edc->ctx, + /*GNUNET_assert (0 == gcry_mpi_ec_new (&edc->ctx, NULL, CURVE)); g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); fact = gcry_mpi_new (0); - gKi = gcry_mpi_point_new (0); - for (i = 0; i <= mem; i++) + gKi = gcry_mpi_point_new (0);*/ + unsigned char fact[crypto_core_ed25519_NONREDUCEDSCALARBYTES]; + unsigned char Ki[crypto_scalarmult_ed25519_SCALARBYTES]; + unsigned char nKi[crypto_scalarmult_ed25519_SCALARBYTES]; + unsigned int Kle = htonl (K); + unsigned char Kles[crypto_core_ed25519_NONREDUCEDSCALARBYTES]; + memset (fact, 0, sizeof (fact)); + memset (Ki, 0, sizeof (Ki)); + memset (nKi, 0, sizeof (nKi)); + memset (Kles, 0, sizeof (Kles)); + // memcpy (Kles, &Kle, sizeof (Kle)); + for (i = 0; i < K; i++) + sodium_increment (Kles, sizeof (Kles)); + for (i = 1; i <= mem; i++) { - gcry_mpi_set_ui (fact, i * K); + sodium_increment (fact, sizeof (fact)); + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Calculating #%u\n", i); + memset (Ki, 0, sizeof (Ki)); + crypto_core_ed25519_scalar_mul (Ki, fact, Kles); + GNUNET_assert (0 == + crypto_scalarmult_ed25519_base_noclamp ((unsigned + char*) &key, Ki)); + /*gcry_mpi_set_ui (fact, i * K); gcry_mpi_ec_mul (gKi, fact, g, edc->ctx); - extract_pk (gKi, edc->ctx, &key); + extract_pk (gKi, edc->ctx, &key);*/ GNUNET_assert (GNUNET_OK == GNUNET_CONTAINER_multipeermap_put (edc->map, &key, 
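Review bot: The positive-table loop now starts at `i = 1` where the old code started at `i = 0`, so the identity point (discrete log 0) is no longer inserted into `edc->map`. That is presumably because `crypto_scalarmult_ed25519_base_noclamp` returns -1 for an all-zero scalar and the call sits inside GNUNET_assert, but from my reading of the search loop in GNUNET_CRYPTO_ecc_dlog, inputs whose log hits no other multiple of K within the `[0, max/mem]` window (small negative values) relied on that entry and will now fail; insert it explicitly before the loop (the canonical encoding of the identity is 0x01 followed by 31 zero bytes) with the value the `i = 0` iteration used to store. `Kle = htonl (K)` is assigned but never used, and htonl produces big-endian bytes whereas libsodium scalars are little-endian, so the commented-out memcpy approach would have been wrong anyway. `GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Calculating #%u\n", i)` runs once per table entry; like the per-iteration ERROR logs added in test_crypto_ecc_dlog.c, it should be GNUNET_ERROR_TYPE_DEBUG or removed before merge. The function continues in the next hunk.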
@@ -193,23 +157,30 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); } /* negative values */ - n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); + // n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); + memset (fact, 0, sizeof (fact)); for (i = 1; i < mem; i++) { - gcry_mpi_set_ui (fact, i * K); + sodium_increment (fact, sizeof (fact)); + memset (Ki, 0, sizeof (Ki)); + memset (nKi, 0, sizeof (nKi)); + crypto_core_ed25519_scalar_mul (Ki, fact, Kles); + crypto_core_ed25519_scalar_negate (nKi, Ki); + crypto_scalarmult_ed25519_base_noclamp ((unsigned char*) &key, nKi); + /*gcry_mpi_set_ui (fact, i * K); gcry_mpi_sub (fact, n, fact); gcry_mpi_ec_mul (gKi, fact, g, edc->ctx); - extract_pk (gKi, edc->ctx, &key); + extract_pk (gKi, edc->ctx, &key);*/ GNUNET_assert (GNUNET_OK == GNUNET_CONTAINER_multipeermap_put (edc->map, &key, (void *) (long) max - i, GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); } - gcry_mpi_release (fact); + /*gcry_mpi_release (fact); gcry_mpi_release (n); gcry_mpi_point_release (gKi); - gcry_mpi_point_release (g); + gcry_mpi_point_release (g);*/ return edc; } 
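Review bot: In the negative-values loop the status of `crypto_scalarmult_ed25519_base_noclamp ((unsigned char*) &key, nKi)` is discarded, whereas the positive loop in the previous hunk wraps the same call in GNUNET_assert; keep the two consistent with `GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp ((unsigned char *) &key, nKi));`. Both loops write crypto_scalarmult_ed25519_BYTES into a `struct GNUNET_PeerIdentity` through a cast, which is only safe if the struct is at least that large; pin it with `_Static_assert (sizeof (key) >= crypto_scalarmult_ed25519_BYTES, "PeerIdentity too small for an Ed25519 point");` rather than relying on the current layout. The `/*gcry_mpi_set_ui ...*/` and `/*gcry_mpi_release ...*/` blocks are dead code and should be deleted rather than kept as comments once the port works.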
@@ -223,27 +194,41 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, */ int GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t input) + const struct GNUNET_CRYPTO_EccPoint *input) { unsigned int K = ((edc->max + (edc->mem - 1)) / edc->mem); - gcry_mpi_point_t g; + // gcry_mpi_point_t g; struct GNUNET_PeerIdentity key; - gcry_mpi_point_t q; + // gcry_mpi_point_t q; unsigned int i; int res; void *retp; - g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); + unsigned char g[crypto_scalarmult_BYTES]; + unsigned char q[crypto_scalarmult_BYTES]; + unsigned char fact[crypto_scalarmult_BYTES]; + memset (g, 0, crypto_scalarmult_BYTES); + memset (q, 0, crypto_scalarmult_BYTES); + memset (fact, 0, crypto_scalarmult_BYTES); + sodium_increment (fact, sizeof (fact)); + crypto_scalarmult_ed25519_base_noclamp (g, fact); + /*g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); - q = gcry_mpi_point_new (0); + q = gcry_mpi_point_new (0);*/ + // unsigned char key[crypto_scalarmult_BYTES]; + memset (&key, 0, crypto_scalarmult_BYTES); res = INT_MAX; for (i = 0; i <= edc->max / edc->mem; i++) { - if (0 == i) + /*if (0 == i) extract_pk (input, edc->ctx, &key); else - extract_pk (q, edc->ctx, &key); + extract_pk (q, edc->ctx, &key);*/ + if (0 == i) + memcpy (&key, input, crypto_scalarmult_BYTES); + else + memcpy (&key, q, crypto_scalarmult_BYTES); retp = GNUNET_CONTAINER_multipeermap_get (edc->map, &key); if (NULL != retp) 
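Review bot: The new buffers in GNUNET_CRYPTO_ecc_dlog are sized with `crypto_scalarmult_BYTES`, libsodium's X25519 constant, although the code uses the Ed25519 primitives; tie the sizes to the right primitive with `crypto_scalarmult_ed25519_BYTES` for `g`/`q` and `crypto_scalarmult_ed25519_SCALARBYTES` for `fact`. `memset (&key, 0, crypto_scalarmult_BYTES)` and `memcpy (&key, input, crypto_scalarmult_BYTES)` write a hard-coded 32 bytes into a `struct GNUNET_PeerIdentity` and copy from the struct pointer rather than its member; prefer `memset (&key, 0, sizeof (key));` and `memcpy (&key, input->v, sizeof (input->v));` together with a static assert that `sizeof (key) >= sizeof (input->v)`. The result of `crypto_scalarmult_ed25519_base_noclamp (g, fact)` is ignored; it cannot fail for the scalar 1, but a GNUNET_assert would document that. The function continues in the next hunk.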
@@ -256,13 +241,17 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, if (i == edc->max / edc->mem) break; /* q = q + g */ - if (0 == i) + /*if (0 == i) gcry_mpi_ec_add (q, input, g, edc->ctx); else - gcry_mpi_ec_add (q, q, g, edc->ctx); + gcry_mpi_ec_add (q, q, g, edc->ctx);*/ + if (0 == i) + crypto_core_ed25519_add (q, input->v, g); + else + crypto_core_ed25519_add (q, q, g); } - gcry_mpi_point_release (g); - gcry_mpi_point_release (q); + // gcry_mpi_point_release (g); + // gcry_mpi_point_release (q); return res; } @@ -274,24 +263,28 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, * @param edc ECC context * @return random value mod n. */ -gcry_mpi_t +struct GNUNET_CRYPTO_EccScalar* GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc) { - gcry_mpi_t n; + /*gcry_mpi_t n; unsigned int highbit; - gcry_mpi_t r; + gcry_mpi_t r;*/ + struct GNUNET_CRYPTO_EccScalar *res; - n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); + res = GNUNET_new (struct GNUNET_CRYPTO_EccScalar); + crypto_core_ed25519_scalar_random (res->v); + return res; + // n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); /* check public key for number of bits, bail out if key is all zeros */ - highbit = 256; /* Curve25519 */ - while ((! gcry_mpi_test_bit (n, highbit)) && - (0 != highbit)) - highbit--; - GNUNET_assert (0 != highbit); + // highbit = 256; /* Curve25519 */ + // while ((! gcry_mpi_test_bit (n, highbit)) && + // (0 != highbit)) + // highbit--; + // GNUNET_assert (0 != highbit); /* generate fact < n (without bias) */ - GNUNET_assert (NULL != (r = gcry_mpi_new (0))); - do + // GNUNET_assert (NULL != (r = gcry_mpi_new (0))); + /*do { gcry_mpi_randomize (r, highbit + 1, @@ -299,7 +292,7 @@ GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc) } while (gcry_mpi_cmp (r, n) >= 0); gcry_mpi_release (n); - return r; + return r;*/ } 
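Review bot: The return value of `crypto_core_ed25519_add (q, input->v, g)` is ignored, and `input` is whatever point the caller hands in, which in the protocols built on this API may originate from a remote peer. libsodium returns -1 without writing `q` when either operand is not a canonical point on the curve, so a malformed input leaves `q` all-zero and the loop keeps searching on garbage; the old gcry path rejected such points in GNUNET_CRYPTO_ecc_bin_to_point, which this commit deletes. Check the status and stop, e.g. `if (0 != crypto_core_ed25519_add (q, (0 == i) ? input->v : q, g)) { GNUNET_break (0); break; }` — `res` is still INT_MAX there, which appears to be the not-found value this function already returns. The start of GNUNET_CRYPTO_ecc_dlog is in the preceding hunk.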
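Review bot: `crypto_core_ed25519_scalar_random` never returns zero (it samples uniformly from ]0, L[), while the rejection-sampling loop it replaces could return 0 and the header still documents the result as "random value mod n"; update that doc comment to state the new range so callers are not surprised by either the exclusion or the previous inclusion of zero. The commented-out gcry code after `return res;` is unreachable and should be deleted rather than kept as a comment.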
@@ -311,7 +304,7 @@ GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc) void GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *edc) { - gcry_ctx_release (edc->ctx); + // gcry_ctx_release (edc->ctx); GNUNET_CONTAINER_multipeermap_destroy (edc->map); GNUNET_free (edc); } 
@@ -330,34 +323,51 @@ GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *edc) * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, int val) { - gcry_mpi_t fact; + /*gcry_mpi_t fact; gcry_mpi_t n; gcry_mpi_point_t g; gcry_mpi_point_t r; g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); - fact = gcry_mpi_new (0); + fact = gcry_mpi_new (0);*/ + struct GNUNET_CRYPTO_EccPoint *r; + r = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + unsigned char fact[crypto_scalarmult_ed25519_SCALARBYTES]; + unsigned char nFact[crypto_scalarmult_ed25519_SCALARBYTES]; + unsigned int valLe = htonl (val); // little-endian + memset (fact, 0, sizeof (fact)); + memset (nFact, 0, sizeof (fact)); + // memcpy (fact, &valLe, sizeof (valLe)); if (val < 0) { - n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); + for (int i = 0; i < -val; i++) + sodium_increment (fact, sizeof (fact)); + crypto_core_ed25519_scalar_negate (nFact, fact); + crypto_scalarmult_ed25519_base_noclamp (r->v, nFact); + + /* = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); gcry_mpi_set_ui (fact, -val); gcry_mpi_sub (fact, n, fact); - gcry_mpi_release (n); + gcry_mpi_release (n);*/ } else { - gcry_mpi_set_ui (fact, val); + for (int i = 0; i < val; i++) + sodium_increment (fact, sizeof (fact)); + crypto_scalarmult_ed25519_base_noclamp (r->v, fact); + /*gcry_mpi_set_ui (fact, val);*/ } - r = gcry_mpi_point_new (0); + return r; + /*r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (r, fact, g, edc->ctx); gcry_mpi_release (fact); gcry_mpi_point_release (g); - return r; + return r;*/ } 
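Review bot: Building the scalar with `for (int i = 0; i < val; i++) sodium_increment (fact, sizeof (fact));` costs O(|val|) calls per exponentiation and its running time reveals |val|, whereas the `gcry_mpi_set_ui` it replaces was independent of the value; `GNUNET_CRYPTO_ecc_scalar_from_int` in the last hunk of this file has the same loop. libsodium scalars are little-endian byte strings, so encode the magnitude directly: `uint32_t mag = (uint32_t) (val < 0 ? -(int64_t) val : val);` then `for (size_t k = 0; k < sizeof (mag); k++) fact[k] = (unsigned char) (mag >> (8 * k));`, which also avoids the signed overflow of `-val` for INT_MIN. `valLe = htonl (val); // little-endian` is unused and mislabelled (htonl yields big-endian), and `memset (nFact, 0, sizeof (fact))` should size by `nFact`. The status of `crypto_scalarmult_ed25519_base_noclamp` is ignored in both branches; it fails only for a zero scalar, so at least a GNUNET_break on the nonzero case would document whether val == 0 is meant to be supported.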
@@ -370,19 +380,22 @@ GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_t val) + const struct GNUNET_CRYPTO_EccScalar *val) { - gcry_mpi_point_t g; - gcry_mpi_point_t r; + // gcry_mpi_point_t g; + // gcry_mpi_point_t r; + struct GNUNET_CRYPTO_EccPoint *r = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (r->v, val->v)); + return r; - g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); + /*g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (r, val, g, edc->ctx); gcry_mpi_point_release (g); - return r; + return r;*/ } @@ -394,16 +407,18 @@ GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, * @param b some value * @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t a, - gcry_mpi_point_t b) + const struct GNUNET_CRYPTO_EccPoint *a, + const struct GNUNET_CRYPTO_EccPoint *b) { - gcry_mpi_point_t r; - - r = gcry_mpi_point_new (0); - gcry_mpi_ec_add (r, a, b, edc->ctx); + // gcry_mpi_point_t r; + struct GNUNET_CRYPTO_EccPoint *r = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + crypto_core_ed25519_add (r->v, a->v, b->v); return r; + /*r = gcry_mpi_point_new (0); + gcry_mpi_ec_add (r, a, b, edc->ctx); + return r;*/ } 
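Review bot: `GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (r->v, val->v))` aborts the process for a zero scalar, because libsodium returns -1 whenever the input scalar is all-zero (the product being the identity); 0 is a legal value for callers of this API (test_dlog draws x from [0, MAX_FACT)), so this is an abort on valid input, not an invariant check. Treat the status as data: drop the assert and, if the identity must not be returned, `GNUNET_break (0); GNUNET_free (r); return NULL;`. The same assert appears in `GNUNET_CRYPTO_ecc_pmul_mpi` in the next hunk, where `crypto_scalarmult_ed25519_noclamp` additionally returns -1 for a non-canonical or small-order `p`; for a point that may arrive from the network that has to be a soft failure, not an abort. The commented-out gcry tail after `return r;` is dead and should be removed.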
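Review bot: The status of `crypto_core_ed25519_add (r->v, a->v, b->v)` is discarded; libsodium returns -1 without writing `r->v` when `a` or `b` is not a canonical point on the curve, so a malformed operand yields a freshly zeroed `GNUNET_CRYPTO_EccPoint` that callers treat as a valid sum. Point validation used to live in GNUNET_CRYPTO_ecc_bin_to_point, which this commit deletes, so it has to happen here now: return NULL on failure and document that in the header comment. `GNUNET_CRYPTO_ecc_pmul_mpi` in the next hunk needs the same treatment in place of its GNUNET_assert.
```c
  struct GNUNET_CRYPTO_EccPoint *r = GNUNET_new (struct GNUNET_CRYPTO_EccPoint);
  if (0 != crypto_core_ed25519_add (r->v, a->v, b->v))
  {
    /* an operand is not a canonical point on the curve; refuse rather than return an all-zero "sum" */
    GNUNET_break (0);
    GNUNET_free (r);
    return NULL;
  }
  return r;
```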
@@ -416,16 +431,20 @@ GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc, * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ -gcry_mpi_point_t +struct GNUNET_CRYPTO_EccPoint* GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t p, - gcry_mpi_t val) + const struct GNUNET_CRYPTO_EccPoint *p, + const struct GNUNET_CRYPTO_EccScalar *val) { - gcry_mpi_point_t r; + struct GNUNET_CRYPTO_EccPoint *r = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + GNUNET_assert (0 == + crypto_scalarmult_ed25519_noclamp (r->v, val->v, p->v)); + return r; + /*gcry_mpi_point_t r; r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (r, val, p, edc->ctx); - return r; + return r;*/ } 
@@ -440,30 +459,39 @@ GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, */ void GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_point_t *r, - gcry_mpi_point_t *r_inv) + struct GNUNET_CRYPTO_EccPoint **r, + struct GNUNET_CRYPTO_EccPoint **r_inv) { - gcry_mpi_t fact; + /*gcry_mpi_t fact; gcry_mpi_t n; - gcry_mpi_point_t g; - - fact = GNUNET_CRYPTO_ecc_random_mod_n (edc); + gcry_mpi_point_t g;*/ + + struct GNUNET_CRYPTO_EccScalar *s = GNUNET_CRYPTO_ecc_random_mod_n (edc); + *r = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + GNUNET_assert (0 == + crypto_scalarmult_ed25519_base_noclamp ((*r)->v, s->v)); + *r_inv = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + unsigned char inv_s[crypto_scalarmult_ed25519_SCALARBYTES]; + crypto_core_ed25519_scalar_negate (inv_s, s->v); + GNUNET_assert (0 == + crypto_scalarmult_ed25519_base_noclamp ((*r_inv)->v, inv_s)); + GNUNET_free (s); /* calculate 'r' */ - g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); + /*g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); *r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (*r, fact, g, edc->ctx); - +*/ /* calculate 'r_inv' */ - n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); - gcry_mpi_sub (fact, n, fact); /* fact = n - fact = - fact */ - *r_inv = gcry_mpi_point_new (0); - gcry_mpi_ec_mul (*r_inv, fact, g, edc->ctx); - - gcry_mpi_release (n); - gcry_mpi_release (fact); - gcry_mpi_point_release (g); + // n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); + // gcry_mpi_sub (fact, n, fact); /* fact = n - fact = - fact */ + // *r_inv = gcry_mpi_point_new (0); + // gcry_mpi_ec_mul (*r_inv, fact, g, edc->ctx); + + // gcry_mpi_release (n); + // gcry_mpi_release (fact); + // gcry_mpi_point_release (g); } 
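Review bot: The blinding scalar `s` and its negation `inv_s` are discarded without zeroization: `GNUNET_free (s)` does not clear the heap block and `inv_s` remains on the stack after return. Since that scalar is what links `r` to `r_inv`, clear both before they go out of scope, e.g. `sodium_memzero (inv_s, sizeof (inv_s));` and `sodium_memzero (s->v, sizeof (s->v));` before `GNUNET_free (s);`. The two GNUNET_asserts here are sound, unlike those in the dexp/pmul functions, because `crypto_core_ed25519_scalar_random` never yields zero and negation mod L preserves that. The `//`-prefixed gcry leftovers at the end of the function should be deleted.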
@@ -477,16 +505,13 @@ GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc, */ void GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, - gcry_mpi_t *r, - gcry_mpi_t *r_inv) + struct GNUNET_CRYPTO_EccScalar **r, + struct GNUNET_CRYPTO_EccScalar **r_inv) { - gcry_mpi_t n; *r = GNUNET_CRYPTO_ecc_random_mod_n (edc); - /* r_inv = n - r = - r */ - *r_inv = gcry_mpi_new (0); - n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); - gcry_mpi_sub (*r_inv, n, *r); + *r_inv = GNUNET_CRYPTO_ecc_random_mod_n (edc); + crypto_core_ed25519_scalar_invert ((*r_inv)->v, (*r)->v); } @@ -496,9 +521,33 @@ GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, * @param p point to free */ void -GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p) +GNUNET_CRYPTO_ecc_free (struct GNUNET_CRYPTO_EccPoint *p) +{ + GNUNET_free (p); +} + +struct GNUNET_CRYPTO_EccScalar* +GNUNET_CRYPTO_ecc_scalar_from_int (int val) { - gcry_mpi_point_release (p); + struct GNUNET_CRYPTO_EccScalar *ret; + + ret = GNUNET_new (struct GNUNET_CRYPTO_EccScalar); + unsigned char fact[crypto_scalarmult_ed25519_SCALARBYTES]; + memset (fact, 0, sizeof (fact)); + + if (val < 0) + { + for (int i = 0; i < -val; i++) + sodium_increment (fact, sizeof (fact)); + crypto_core_ed25519_scalar_negate (ret->v, fact); + } + else + { + for (int i = 0; i < val; i++) + sodium_increment (fact, sizeof (fact)); + crypto_scalarmult_ed25519_base_noclamp (ret->v, fact); + } + return ret; } diff --git a/src/util/test_crypto_ecc_dlog.c b/src/util/test_crypto_ecc_dlog.c index a2c02a94e..2b0c7433c 100644 --- a/src/util/test_crypto_ecc_dlog.c +++ b/src/util/test_crypto_ecc_dlog.c @@ -44,7 +44,7 @@ /** * Maximum memory to use, sqrt(MAX_FACT) is a good choice. */ -#define MAX_MEM 10 +#define MAX_MEM 100 /** * How many values do we test? 
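Review bot: `crypto_core_ed25519_scalar_invert ((*r_inv)->v, (*r)->v)` computes the multiplicative inverse r^-1 mod L, but the code it replaces (`gcry_mpi_sub (*r_inv, n, *r)`, commented "r_inv = n - r = - r") produced the additive inverse, and the companion `GNUNET_CRYPTO_ecc_rnd` in the previous hunk negates with `crypto_core_ed25519_scalar_negate`; callers expecting r + r_inv == 0 will now get r * r_inv == 1. Use `crypto_core_ed25519_scalar_negate ((*r_inv)->v, (*r)->v);`. Allocating `*r_inv` through `GNUNET_CRYPTO_ecc_random_mod_n` spends an RNG draw that is immediately overwritten; `*r_inv = GNUNET_new (struct GNUNET_CRYPTO_EccScalar);` is enough.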
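Review bot: In `GNUNET_CRYPTO_ecc_scalar_from_int` the non-negative branch calls `crypto_scalarmult_ed25519_base_noclamp (ret->v, fact)`, which computes the point val·G and stores a compressed point in a field that is documented as a scalar, while the negative branch stores a scalar via `crypto_core_ed25519_scalar_negate (ret->v, fact)`; the two branches return different kinds of objects. The non-negative case should be `memcpy (ret->v, fact, sizeof (ret->v));`. The function also lacks a prototype in gnunet_crypto_lib.h and a doc comment, and its O(|val|) `sodium_increment` loop has the cost and timing profile raised for GNUNET_CRYPTO_ecc_dexp.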
@@ -65,38 +65,38 @@ static void test_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc) { - gcry_mpi_t fact; - gcry_mpi_t n; - gcry_ctx_t ctx; - gcry_mpi_point_t q; - gcry_mpi_point_t g; + struct GNUNET_CRYPTO_EccScalar* fact; + struct GNUNET_CRYPTO_EccScalar* n; + struct GNUNET_CRYPTO_EccPoint* q; unsigned int i; int x; int iret; - GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); - g = gcry_mpi_ec_get_point ("g", ctx, 0); - GNUNET_assert (NULL != g); - n = gcry_mpi_ec_get_mpi ("n", ctx, 0); - q = gcry_mpi_point_new (0); - fact = gcry_mpi_new (0); for (i = 0; i < TEST_ITER; i++) { fprintf (stderr, "."); x = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, MAX_FACT); + n = GNUNET_new (struct GNUNET_CRYPTO_EccScalar); + for (i = 0; i < x; i++) + sodium_increment (n->v, sizeof (n->v)); + //memcpy (n->v, &x, sizeof (x)); if (0 == GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, 2)) { - gcry_mpi_set_ui (fact, x); - gcry_mpi_sub (fact, n, fact); + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Trying negative %d\n", -x); + fact = GNUNET_new (struct GNUNET_CRYPTO_EccScalar); + crypto_core_ed25519_scalar_negate (fact->v, n->v); x = -x; + GNUNET_free (n); } else { - gcry_mpi_set_ui (fact, x); + fact = n; } - gcry_mpi_ec_mul (q, fact, g, ctx); + q = GNUNET_new (struct GNUNET_CRYPTO_EccPoint); + crypto_scalarmult_ed25519_base_noclamp (q->v, fact->v); if (x != (iret = GNUNET_CRYPTO_ecc_dlog (edc, q))) @@ -108,11 +108,8 @@ test_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc) GNUNET_assert (0); } } - gcry_mpi_release (fact); - gcry_mpi_release (n); - gcry_mpi_point_release (g); - gcry_mpi_point_release (q); - gcry_ctx_release (ctx); + GNUNET_free (fact); + GNUNET_free (q); fprintf (stderr, "\n"); } 
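Review bot: The scalar-building loop `for (i = 0; i < x; i++) sodium_increment (n->v, sizeof (n->v));` reuses `i`, the counter of the enclosing `for (i = 0; i < TEST_ITER; i++)` loop, so each pass resets the outer counter to x and the test runs an unpredictable number of iterations instead of TEST_ITER. Use a separate index, e.g. `for (unsigned int k = 0; k < (unsigned int) x; k++)`. `q` and `fact` are allocated on every iteration but freed only once after the loop, leaking all but the last pair; free them at the end of each iteration. The status of `crypto_scalarmult_ed25519_base_noclamp (q->v, fact->v)` is unchecked, which matters for x == 0 where libsodium reports -1.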
@@ -127,13 +124,13 @@ test_math (struct GNUNET_CRYPTO_EccDlogContext *edc) { int i; int j; - gcry_mpi_point_t ip; - gcry_mpi_point_t jp; - gcry_mpi_point_t r; - gcry_mpi_point_t ir; - gcry_mpi_point_t irj; - gcry_mpi_point_t r_inv; - gcry_mpi_point_t sum; + struct GNUNET_CRYPTO_EccPoint* ip; + struct GNUNET_CRYPTO_EccPoint* jp; + struct GNUNET_CRYPTO_EccPoint* r; + struct GNUNET_CRYPTO_EccPoint* ir; + struct GNUNET_CRYPTO_EccPoint* irj; + struct GNUNET_CRYPTO_EccPoint* r_inv; + struct GNUNET_CRYPTO_EccPoint* sum; for (i = -MATH_MAX; i < MATH_MAX; i++) { @@ -141,6 +138,8 @@ test_math (struct GNUNET_CRYPTO_EccDlogContext *edc) for (j = -MATH_MAX; j < MATH_MAX; j++) { fprintf (stderr, "."); + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "%d + %d\n", i, j); jp = GNUNET_CRYPTO_ecc_dexp (edc, j); GNUNET_CRYPTO_ecc_rnd (edc, &r, @@ -148,9 +147,13 @@ test_math (struct GNUNET_CRYPTO_EccDlogContext *edc) ir = GNUNET_CRYPTO_ecc_add (edc, ip, r); irj = GNUNET_CRYPTO_ecc_add (edc, ir, jp); sum = GNUNET_CRYPTO_ecc_add (edc, irj, r_inv); - GNUNET_assert (i + j == - GNUNET_CRYPTO_ecc_dlog (edc, - sum)); + int res = GNUNET_CRYPTO_ecc_dlog (edc, sum); + if (i + j != res) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Got %d, expected %d\n", res, i+j); + GNUNET_assert (0); + } GNUNET_CRYPTO_ecc_free (jp); GNUNET_CRYPTO_ecc_free (ir); GNUNET_CRYPTO_ecc_free (irj); |