summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartin Schanzenbach <mschanzenbach@posteo.de>2021-05-03 08:50:40 +0200
committerMartin Schanzenbach <mschanzenbach@posteo.de>2021-05-03 08:50:40 +0200
commitcddd56b6c733d996e872783e7c54acf17135d11d (patch)
tree7f1002d42dcea0c09b38336c899ffb6c1aa6ae5a
parentae33e8ca07ba8cb72d9823b5137aeeb93bd2056c (diff)
-more comments on EDKEY signature
-rw-r--r--src/util/crypto_ecc_gnsrecord.c94
1 files changed, 68 insertions, 26 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
index 6689a21f1..bab0ce44a 100644
--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -94,52 +94,94 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar (
{
crypto_hash_sha512_state hs;
- unsigned char az[64];
- unsigned char nonce[64];
+ unsigned char sk[64];
+ unsigned char r[64];
unsigned char hram[64];
unsigned char R[32];
- unsigned char pk[32];
+ unsigned char zk[32];
+ unsigned char tmp[32];
crypto_hash_sha512_init (&hs);
- // crypto_hash_sha512 (az, sk, 32); DO NOT EXPAND, WE HAVE A KEY
- memcpy (az, priv->s, 64);
- crypto_scalarmult_ed25519_base_noclamp (pk,
+ /**
+ * Instead of expanding the private here, we already
+ * have the secret scalar as input. Use it.
+ * Note that sk is not plain SHA512 (d).
+ * sk[0..31] contains the derived private scalar
+ * sk[0..31] = h * SHA512 (d)[0..31]
+ * sk[32..63] = SHA512 (d)[32..63]
+ */
+ memcpy (sk, priv->s, 64);
+
+ /**
+ * Calculate the derived zone key zk' from the
+ * derived private scalar.
+ */
+ crypto_scalarmult_ed25519_base_noclamp (zk,
priv->s);
- crypto_hash_sha512_update (&hs, az + 32, 32);
+ /**
+ * Calculate r:
+ * r = SHA512 (sk[32..63] | M)
+ * where M is our message (purpose).
+ * Note that sk[32..63] is the other half of the
+ * expansion from the original, non-derived private key
+ * "d".
+ */
+ crypto_hash_sha512_update (&hs, sk + 32, 32);
crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
- crypto_hash_sha512_final (&hs, nonce);
-
- // This effectively creates R || A in sig
- memcpy (sig->s, pk, 32);
-
- unsigned char nonce_mod[64];
- crypto_core_ed25519_scalar_reduce (nonce_mod, nonce);
- // nonce == r; r * G == R
- crypto_scalarmult_ed25519_base_noclamp (R, nonce_mod);
+ crypto_hash_sha512_final (&hs, r);
+
+ /**
+ * Temporarily put zk into S
+ */
+ memcpy (sig->s, zk, 32);
+
+ /**
+ * Reduce the scalar value r
+ */
+ unsigned char r_mod[64];
+ crypto_core_ed25519_scalar_reduce (r_mod, r);
+
+ /**
+ * Calculate R := r * G of the signature
+ */
+ crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
memcpy (sig->r, R, sizeof (R));
- // SHA512 (R | A | M) == k
+ /**
+ * Calculate
+ * hram := SHA512 (R | zk' | M)
+ */
crypto_hash_sha512_init (&hs);
crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
ntohl (purpose->size));
crypto_hash_sha512_final (&hs, hram);
+ /**
+ * Reduce the resulting scalar value
+ */
unsigned char hram_mod[64];
crypto_core_ed25519_scalar_reduce (hram_mod, hram);
- az[0] &= 248;
- az[31] &= 127;
- az[31] |= 64;
- unsigned char tmp[32];
- // r + k * s mod L == S
- crypto_core_ed25519_scalar_mul (tmp, hram_mod, az);
- crypto_core_ed25519_scalar_add (sig->s, tmp, nonce_mod);
+ /**
+ * Clamp the private scalar
+ */
+ sk[0] &= 248;
+ sk[31] &= 127;
+ sk[31] |= 64;
+
+ /**
+ * Calculate
+ * S := r + hram * s mod L
+ */
+ crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
+ crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
- sodium_memzero (az, sizeof az);
- sodium_memzero (nonce, sizeof nonce);
+ sodium_memzero (sk, sizeof (sk));
+ sodium_memzero (r, sizeof (r));
+ sodium_memzero (r_mod, sizeof (r_mod));
}