Werner Koch wrote:

Hi,

find attach the patch which makes all 3 test cases work with Ed25519.
There are some minor hacks in the test cases to allow enabling of
Libgcrypt debugging and also some minor output style changes.

There is one FIXME in the code:

  /* FIXME: mpi_print creates an unsigned integer - is that intended
     or should we convert it to a signed integer (2-compl)?  */
  mpi_print (xbuf, sizeof (xbuf), result_x);

X may be positive or negative but GCRYMPI_FMT_USG ignores the sign.
Thus this is not what we actually want.  Should we change it to 2-comp
(GCRYMPI_FMT_STD) so that we have a proper value?  Given that the curve
is 255 bit this should alwas fit int the 256 bit buffer.  Another option
would be to use the EdDSA method for the sign but that is optimized to
easily recover x and would be more work.  Or we store the sign in the
high bit.  t all depends on what you want to write into the protocol
specs.

I would also like to revert the way we distinguish between Ed25519 with
and without ECDSA:  The way we do it right now is by assuming the
Ed25519 is always used with EdDSA unless a flag has been set.  This is a
bit surprising and requiring the "(flags eddsa)" would be a less
surprising interface.


Salam-Shalom,

   Werner

1 files changed, 8 insertions, 31 deletions

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 980710b19..c65c9223a 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -194,16 +194,8 @@ struct GNUNET_CRYPTO_EcdsaSignature
 struct GNUNET_CRYPTO_EddsaPublicKey
 {
   /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   *
-   * FIXME: this coordinate will be removed in the future (compressed point!).
-   */
-  unsigned char q_x[256 / 8];
-
-  /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
+   * Q consists of an x- and a y-value, each mod p (256 bits), given
+   * here in affine coordinates and Ed25519 standard compact format.
    */
   unsigned char q_y[256 / 8];
 
@@ -217,16 +209,10 @@ struct GNUNET_CRYPTO_EddsaPublicKey
 struct GNUNET_CRYPTO_EcdsaPublicKey
 {
   /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   *
-   * FIXME: this coordinate will be removed in the future (compressed point!).
-   */
-  unsigned char q_x[256 / 8];
-
-  /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
+   * Q consists of an x- and a y-value, each mod p (256 bits), given
+   * here in affine coordinates.  For the Ed25519 curve we need to
+   * convey the y-value along with the sign.  The compact format used
+   * is the same as with EdDSA (little endian).
    */
   unsigned char q_y[256 / 8];
 
@@ -250,19 +236,10 @@ struct GNUNET_PeerIdentity
 struct GNUNET_CRYPTO_EcdhePublicKey
 {
   /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   */
-  unsigned char q_x[256 / 8];
-
-  /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   *
-   * FIXME: this coordinate will be removed in the future (compressed point!).
+   * Q consists of an x- and a y-value, each mod p (256 bits), given
+   * here in affine coordinates and Ed25519 standard compact format.
    */
   unsigned char q_y[256 / 8];
-
 };