diff options
author | Christian Grothoff <grothoff@gnunet.org> | 2023-10-18 23:34:03 +0200 |
---|---|---|
committer | Christian Grothoff <grothoff@gnunet.org> | 2023-10-27 20:08:34 +0200 |
commit | 198cc94844665c2ffbe3fcb5ea848e6d1e8334d4 (patch) | |
tree | 7375b34f02de2e0ad88da5b94af863cbc76d7393 /src/include | |
parent | 23853f2d7c027adaf61fc172b49d81dcecce0e58 (diff) | |
download | gnunet-198cc94844665c2ffbe3fcb5ea848e6d1e8334d4.tar.gz gnunet-198cc94844665c2ffbe3fcb5ea848e6d1e8334d4.zip |
NEWS: major revision of blind signature API
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 662 |
1 files changed, 618 insertions, 44 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index f3ea3ed25..5286bb418 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h | |||
@@ -660,6 +660,10 @@ struct GNUNET_CRYPTO_CsSignature | |||
660 | * Schnorr signatures are composed of a scalar s and a curve point | 660 | * Schnorr signatures are composed of a scalar s and a curve point |
661 | */ | 661 | */ |
662 | struct GNUNET_CRYPTO_CsS s_scalar; | 662 | struct GNUNET_CRYPTO_CsS s_scalar; |
663 | |||
664 | /** | ||
665 | * Curve point of the Schnorr signature. | ||
666 | */ | ||
663 | struct GNUNET_CRYPTO_CsRPublic r_point; | 667 | struct GNUNET_CRYPTO_CsRPublic r_point; |
664 | }; | 668 | }; |
665 | 669 | ||
@@ -2801,8 +2805,9 @@ GNUNET_CRYPTO_rsa_private_key_get_public ( | |||
2801 | * @param hc where to store the hash code | 2805 | * @param hc where to store the hash code |
2802 | */ | 2806 | */ |
2803 | void | 2807 | void |
2804 | GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key, | 2808 | GNUNET_CRYPTO_rsa_public_key_hash ( |
2805 | struct GNUNET_HashCode *hc); | 2809 | const struct GNUNET_CRYPTO_RsaPublicKey *key, |
2810 | struct GNUNET_HashCode *hc); | ||
2806 | 2811 | ||
2807 | 2812 | ||
2808 | /** | 2813 | /** |
@@ -2907,35 +2912,51 @@ GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey *p1, | |||
2907 | 2912 | ||
2908 | 2913 | ||
2909 | /** | 2914 | /** |
2915 | * @brief RSA Parameters to create blinded signature | ||
2916 | */ | ||
2917 | struct GNUNET_CRYPTO_RsaBlindedMessage | ||
2918 | { | ||
2919 | /** | ||
2920 | * Blinded message to be signed | ||
2921 | * Note: is malloc()'ed! | ||
2922 | */ | ||
2923 | void *blinded_msg; | ||
2924 | |||
2925 | /** | ||
2926 | * Size of the @e blinded_msg to be signed. | ||
2927 | */ | ||
2928 | size_t blinded_msg_size; | ||
2929 | }; | ||
2930 | |||
2931 | |||
2932 | /** | ||
2910 | * Blinds the given message with the given blinding key | 2933 | * Blinds the given message with the given blinding key |
2911 | * | 2934 | * |
2912 | * @param hash hash of the message to sign | 2935 | * @param message the message to sign |
2936 | * @param message_size number of bytes in @a message | ||
2913 | * @param bks the blinding key | 2937 | * @param bks the blinding key |
2914 | * @param pkey the public key of the signer | 2938 | * @param pkey the public key of the signer |
2915 | * @param[out] buf set to a buffer with the blinded message to be signed | 2939 | * @param[out] bm set to the blinded message |
2916 | * @param[out] buf_size number of bytes stored in @a buf | ||
2917 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious | 2940 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious |
2918 | */ | 2941 | */ |
2919 | enum GNUNET_GenericReturnValue | 2942 | enum GNUNET_GenericReturnValue |
2920 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | 2943 | GNUNET_CRYPTO_rsa_blind (const void *message, |
2944 | size_t message_size, | ||
2921 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, | 2945 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
2922 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, | 2946 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, |
2923 | void **buf, | 2947 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2924 | size_t *buf_size); | ||
2925 | 2948 | ||
2926 | 2949 | ||
2927 | /** | 2950 | /** |
2928 | * Sign a blinded value, which must be a full domain hash of a message. | 2951 | * Sign a blinded value, which must be a full domain hash of a message. |
2929 | * | 2952 | * |
2930 | * @param key private key to use for the signing | 2953 | * @param key private key to use for the signing |
2931 | * @param msg the (blinded) message to sign | 2954 | * @param bm the (blinded) message to sign |
2932 | * @param msg_len number of bytes in @a msg to sign | ||
2933 | * @return NULL on error, signature on success | 2955 | * @return NULL on error, signature on success |
2934 | */ | 2956 | */ |
2935 | struct GNUNET_CRYPTO_RsaSignature * | 2957 | struct GNUNET_CRYPTO_RsaSignature * |
2936 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 2958 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2937 | const void *msg, | 2959 | const struct GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2938 | size_t msg_len); | ||
2939 | 2960 | ||
2940 | 2961 | ||
2941 | /** | 2962 | /** |
@@ -2951,9 +2972,20 @@ GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | |||
2951 | 2972 | ||
2952 | 2973 | ||
2953 | /** | 2974 | /** |
2975 | * Free memory occupied by blinded message. Only frees contents, not | ||
2976 | * @a bm itself. | ||
2977 | * | ||
2978 | * @param[in] bm memory to free | ||
2979 | */ | ||
2980 | void | ||
2981 | GNUNET_CRYPTO_rsa_blinded_message_free ( | ||
2982 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); | ||
2983 | |||
2984 | |||
2985 | /** | ||
2954 | * Free memory occupied by signature. | 2986 | * Free memory occupied by signature. |
2955 | * | 2987 | * |
2956 | * @param sig memory to free | 2988 | * @param[in] sig memory to free |
2957 | */ | 2989 | */ |
2958 | void | 2990 | void |
2959 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); | 2991 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); |
@@ -2981,8 +3013,9 @@ GNUNET_CRYPTO_rsa_signature_encode ( | |||
2981 | * @return NULL on error | 3013 | * @return NULL on error |
2982 | */ | 3014 | */ |
2983 | struct GNUNET_CRYPTO_RsaSignature * | 3015 | struct GNUNET_CRYPTO_RsaSignature * |
2984 | GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | 3016 | GNUNET_CRYPTO_rsa_signature_decode ( |
2985 | size_t buf_size); | 3017 | const void *buf, |
3018 | size_t buf_size); | ||
2986 | 3019 | ||
2987 | 3020 | ||
2988 | /** | 3021 | /** |
@@ -2992,7 +3025,8 @@ GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | |||
2992 | * @return the duplicate key; NULL upon error | 3025 | * @return the duplicate key; NULL upon error |
2993 | */ | 3026 | */ |
2994 | struct GNUNET_CRYPTO_RsaSignature * | 3027 | struct GNUNET_CRYPTO_RsaSignature * |
2995 | GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig); | 3028 | GNUNET_CRYPTO_rsa_signature_dup ( |
3029 | const struct GNUNET_CRYPTO_RsaSignature *sig); | ||
2996 | 3030 | ||
2997 | 3031 | ||
2998 | /** | 3032 | /** |
@@ -3015,13 +3049,15 @@ GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig, | |||
3015 | * Verify whether the given hash corresponds to the given signature and the | 3049 | * Verify whether the given hash corresponds to the given signature and the |
3016 | * signature is valid with respect to the given public key. | 3050 | * signature is valid with respect to the given public key. |
3017 | * | 3051 | * |
3018 | * @param hash the message to verify to match the @a sig | 3052 | * @param message the message to sign |
3053 | * @param message_size number of bytes in @a message | ||
3019 | * @param sig signature that is being validated | 3054 | * @param sig signature that is being validated |
3020 | * @param public_key public key of the signer | 3055 | * @param public_key public key of the signer |
3021 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature | 3056 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature |
3022 | */ | 3057 | */ |
3023 | enum GNUNET_GenericReturnValue | 3058 | enum GNUNET_GenericReturnValue |
3024 | GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | 3059 | GNUNET_CRYPTO_rsa_verify (const void *message, |
3060 | size_t message_size, | ||
3025 | const struct GNUNET_CRYPTO_RsaSignature *sig, | 3061 | const struct GNUNET_CRYPTO_RsaSignature *sig, |
3026 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); | 3062 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); |
3027 | 3063 | ||
@@ -3061,10 +3097,11 @@ GNUNET_CRYPTO_cs_private_key_get_public ( | |||
3061 | * @param[out] r array containing derived secrets r0 and r1 | 3097 | * @param[out] r array containing derived secrets r0 and r1 |
3062 | */ | 3098 | */ |
3063 | void | 3099 | void |
3064 | GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | 3100 | GNUNET_CRYPTO_cs_r_derive ( |
3065 | const char *seed, | 3101 | const struct GNUNET_CRYPTO_CsNonce *nonce, |
3066 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, | 3102 | const char *seed, |
3067 | struct GNUNET_CRYPTO_CsRSecret r[2]); | 3103 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, |
3104 | struct GNUNET_CRYPTO_CsRSecret r[2]); | ||
3068 | 3105 | ||
3069 | 3106 | ||
3070 | /** | 3107 | /** |
@@ -3074,8 +3111,10 @@ GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | |||
3074 | * @param[out] r_pub where to write the public key | 3111 | * @param[out] r_pub where to write the public key |
3075 | */ | 3112 | */ |
3076 | void | 3113 | void |
3077 | GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, | 3114 | GNUNET_CRYPTO_cs_r_get_public ( |
3078 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | 3115 | const struct GNUNET_CRYPTO_CsRSecret *r_priv, |
3116 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | ||
3117 | |||
3079 | 3118 | ||
3080 | /** | 3119 | /** |
3081 | * Derives new random blinding factors. | 3120 | * Derives new random blinding factors. |
@@ -3094,7 +3133,25 @@ GNUNET_CRYPTO_cs_blinding_secrets_derive ( | |||
3094 | 3133 | ||
3095 | 3134 | ||
3096 | /** | 3135 | /** |
3097 | * Calculate two blinded c's | 3136 | * @brief CS Parameters derived from the message |
3137 | * during blinding to create blinded signature | ||
3138 | */ | ||
3139 | struct GNUNET_CRYPTO_CsBlindedMessage | ||
3140 | { | ||
3141 | /** | ||
3142 | * The Clause Schnorr c_0 and c_1 containing the blinded message | ||
3143 | */ | ||
3144 | struct GNUNET_CRYPTO_CsC c[2]; | ||
3145 | |||
3146 | /** | ||
3147 | * Public nonce. | ||
3148 | */ | ||
3149 | struct GNUNET_CRYPTO_CsNonce nonce; | ||
3150 | }; | ||
3151 | |||
3152 | |||
3153 | /** | ||
3154 | * Calculate two blinded c's. | ||
3098 | * Comment: One would be insecure due to Wagner's algorithm solving ROS | 3155 | * Comment: One would be insecure due to Wagner's algorithm solving ROS |
3099 | * | 3156 | * |
3100 | * @param bs array of the two blinding factor structs each containing alpha and beta | 3157 | * @param bs array of the two blinding factor structs each containing alpha and beta |
@@ -3105,6 +3162,7 @@ GNUNET_CRYPTO_cs_blinding_secrets_derive ( | |||
3105 | * @param[out] blinded_c array of the two blinded c's | 3162 | * @param[out] blinded_c array of the two blinded c's |
3106 | * @param[out] blinded_r_pub array of the two blinded R | 3163 | * @param[out] blinded_r_pub array of the two blinded R |
3107 | */ | 3164 | */ |
3165 | // FIXME: function signature can probably be improved... | ||
3108 | void | 3166 | void |
3109 | GNUNET_CRYPTO_cs_calc_blinded_c ( | 3167 | GNUNET_CRYPTO_cs_calc_blinded_c ( |
3110 | const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], | 3168 | const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], |
@@ -3117,28 +3175,45 @@ GNUNET_CRYPTO_cs_calc_blinded_c ( | |||
3117 | 3175 | ||
3118 | 3176 | ||
3119 | /** | 3177 | /** |
3120 | * Sign a blinded c | 3178 | * The Sign Answer for Clause Blind Schnorr signature. |
3121 | * This function derives b from a nonce and a longterm secret | 3179 | * The sign operation returns a parameter @param b and the signature |
3122 | * In original papers b is generated randomly | 3180 | * scalar @param s_scalar. |
3181 | */ | ||
3182 | struct GNUNET_CRYPTO_CsBlindSignature | ||
3183 | { | ||
3184 | /** | ||
3185 | * To make ROS problem harder, the signer chooses an unpredictable b and | ||
3186 | * only calculates signature of c_b | ||
3187 | */ | ||
3188 | unsigned int b; | ||
3189 | |||
3190 | /** | ||
3191 | * The blinded s scalar calculated from c_b | ||
3192 | */ | ||
3193 | struct GNUNET_CRYPTO_CsBlindS s_scalar; | ||
3194 | }; | ||
3195 | |||
3196 | |||
3197 | /** | ||
3198 | * Sign a blinded @a c. | ||
3199 | * This function derives b from a nonce and a longterm secret. | ||
3200 | * In the original papers b is generated randomly. | ||
3123 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. | 3201 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. |
3124 | * To ensure unpredictability a new nonce has to be used for every signature | 3202 | * To ensure unpredictability a new nonce has to be used for every signature. |
3125 | * HKDF is used internally for derivation | 3203 | * HKDF is used internally for derivation. |
3126 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive | 3204 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive. |
3127 | * | 3205 | * |
3128 | * @param priv private key to use for the signing and as LTS in HKDF | 3206 | * @param priv private key to use for the signing and as LTS in HKDF |
3129 | * @param r array of the two secret nonce from the signer | 3207 | * @param r array of the two secret inputs from the signer |
3130 | * @param c array of the two blinded c to sign c_b | 3208 | * @param bm blinded message, including array of the two blinded c to sign c_b and the random nonce |
3131 | * @param nonce is a random nonce | 3209 | * @param[out] cs_blind_sig where to write the blind signature |
3132 | * @param[out] blinded_signature_scalar where to write the signature | ||
3133 | * @return 0 or 1 for b (see Clause Blind Signature Scheme) | ||
3134 | */ | 3210 | */ |
3135 | unsigned int | 3211 | void |
3136 | GNUNET_CRYPTO_cs_sign_derive ( | 3212 | GNUNET_CRYPTO_cs_sign_derive ( |
3137 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, | 3213 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, |
3138 | const struct GNUNET_CRYPTO_CsRSecret r[2], | 3214 | const struct GNUNET_CRYPTO_CsRSecret r[2], |
3139 | const struct GNUNET_CRYPTO_CsC c[2], | 3215 | const struct GNUNET_CRYPTO_CsBlindedMessage *bm, |
3140 | const struct GNUNET_CRYPTO_CsNonce *nonce, | 3216 | struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig); |
3141 | struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar); | ||
3142 | 3217 | ||
3143 | 3218 | ||
3144 | /** | 3219 | /** |
@@ -3166,10 +3241,509 @@ GNUNET_CRYPTO_cs_unblind ( | |||
3166 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid | 3241 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid |
3167 | */ | 3242 | */ |
3168 | enum GNUNET_GenericReturnValue | 3243 | enum GNUNET_GenericReturnValue |
3169 | GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, | 3244 | GNUNET_CRYPTO_cs_verify ( |
3170 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | 3245 | const struct GNUNET_CRYPTO_CsSignature *sig, |
3171 | const void *msg, | 3246 | const struct GNUNET_CRYPTO_CsPublicKey *pub, |
3172 | size_t msg_len); | 3247 | const void *msg, |
3248 | size_t msg_len); | ||
3249 | |||
3250 | |||
3251 | |||
3252 | /** | ||
3253 | * Types of public keys used for blind signatures. | ||
3254 | */ | ||
3255 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm | ||
3256 | { | ||
3257 | |||
3258 | /** | ||
3259 | * Invalid type of signature. | ||
3260 | */ | ||
3261 | GNUNET_CRYPTO_BSA_INVALID = 0, | ||
3262 | |||
3263 | /** | ||
3264 | * RSA blind signature. | ||
3265 | */ | ||
3266 | GNUNET_CRYPTO_BSA_RSA = 1, | ||
3267 | |||
3268 | /** | ||
3269 | * Clause Blind Schnorr signature. | ||
3270 | */ | ||
3271 | GNUNET_CRYPTO_BSA_CS = 2 | ||
3272 | }; | ||
3273 | |||
3274 | |||
3275 | /** | ||
3276 | * @brief Type of (unblinded) signatures. | ||
3277 | */ | ||
3278 | struct GNUNET_CRYPTO_UnblindedSignature | ||
3279 | { | ||
3280 | |||
3281 | /** | ||
3282 | * Type of the signature. | ||
3283 | */ | ||
3284 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3285 | |||
3286 | /** | ||
3287 | * Reference counter. | ||
3288 | */ | ||
3289 | unsigned int rc; | ||
3290 | |||
3291 | /** | ||
3292 | * Details, depending on @e cipher. | ||
3293 | */ | ||
3294 | union | ||
3295 | { | ||
3296 | /** | ||
3297 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3298 | */ | ||
3299 | struct GNUNET_CRYPTO_CsSignature cs_signature; | ||
3300 | |||
3301 | /** | ||
3302 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3303 | */ | ||
3304 | struct GNUNET_CRYPTO_RsaSignature *rsa_signature; | ||
3305 | |||
3306 | } details; | ||
3307 | |||
3308 | }; | ||
3309 | |||
3310 | |||
3311 | /** | ||
3312 | * @brief Type for *blinded* signatures. | ||
3313 | * Must be unblinded before it becomes valid. | ||
3314 | */ | ||
3315 | struct GNUNET_CRYPTO_BlindedSignature | ||
3316 | { | ||
3317 | |||
3318 | /** | ||
3319 | * Type of the signature. | ||
3320 | */ | ||
3321 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3322 | |||
3323 | /** | ||
3324 | * Reference counter. | ||
3325 | */ | ||
3326 | unsigned int rc; | ||
3327 | |||
3328 | /** | ||
3329 | * Details, depending on @e cipher. | ||
3330 | */ | ||
3331 | union | ||
3332 | { | ||
3333 | /** | ||
3334 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3335 | * At this point only the blinded s scalar is used. | ||
3336 | * The final signature consisting of r,s is built after unblinding. | ||
3337 | */ | ||
3338 | struct GNUNET_CRYPTO_CsBlindSignature blinded_cs_answer; | ||
3339 | |||
3340 | /** | ||
3341 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3342 | */ | ||
3343 | struct GNUNET_CRYPTO_RsaSignature *blinded_rsa_signature; | ||
3344 | |||
3345 | } details; | ||
3346 | |||
3347 | }; | ||
3348 | |||
3349 | |||
3350 | /** | ||
3351 | * @brief Type of public signing keys for blind signatures. | ||
3352 | */ | ||
3353 | struct GNUNET_CRYPTO_BlindSignPublicKey | ||
3354 | { | ||
3355 | |||
3356 | /** | ||
3357 | * Type of the public key. | ||
3358 | */ | ||
3359 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3360 | |||
3361 | /** | ||
3362 | * Reference counter. | ||
3363 | */ | ||
3364 | unsigned int rc; | ||
3365 | |||
3366 | /** | ||
3367 | * Hash of the public key. | ||
3368 | */ | ||
3369 | struct GNUNET_HashCode pub_key_hash; | ||
3370 | |||
3371 | /** | ||
3372 | * Details, depending on @e cipher. | ||
3373 | */ | ||
3374 | union | ||
3375 | { | ||
3376 | /** | ||
3377 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3378 | */ | ||
3379 | struct GNUNET_CRYPTO_CsPublicKey cs_public_key; | ||
3380 | |||
3381 | /** | ||
3382 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3383 | */ | ||
3384 | struct GNUNET_CRYPTO_RsaPublicKey *rsa_public_key; | ||
3385 | |||
3386 | } details; | ||
3387 | }; | ||
3388 | |||
3389 | |||
3390 | /** | ||
3391 | * @brief Type of private signing keys for blind signing. | ||
3392 | */ | ||
3393 | struct GNUNET_CRYPTO_BlindSignPrivateKey | ||
3394 | { | ||
3395 | |||
3396 | /** | ||
3397 | * Type of the public key. | ||
3398 | */ | ||
3399 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3400 | |||
3401 | /** | ||
3402 | * Reference counter. | ||
3403 | */ | ||
3404 | unsigned int rc; | ||
3405 | |||
3406 | /** | ||
3407 | * Details, depending on @e cipher. | ||
3408 | */ | ||
3409 | union | ||
3410 | { | ||
3411 | /** | ||
3412 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3413 | */ | ||
3414 | struct GNUNET_CRYPTO_CsPrivateKey cs_private_key; | ||
3415 | |||
3416 | /** | ||
3417 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3418 | */ | ||
3419 | struct GNUNET_CRYPTO_RsaPrivateKey *rsa_private_key; | ||
3420 | |||
3421 | } details; | ||
3422 | }; | ||
3423 | |||
3424 | |||
3425 | /** | ||
3426 | * @brief Blinded message ready for blind signing. | ||
3427 | */ | ||
3428 | struct GNUNET_CRYPTO_BlindedMessage | ||
3429 | { | ||
3430 | /** | ||
3431 | * Type of the sign blinded message | ||
3432 | */ | ||
3433 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3434 | |||
3435 | /** | ||
3436 | * Reference counter. | ||
3437 | */ | ||
3438 | unsigned int rc; | ||
3439 | |||
3440 | /** | ||
3441 | * Details, depending on @e cipher. | ||
3442 | */ | ||
3443 | union | ||
3444 | { | ||
3445 | /** | ||
3446 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3447 | */ | ||
3448 | struct GNUNET_CRYPTO_CsBlindedMessage cs_blinded_message; | ||
3449 | |||
3450 | /** | ||
3451 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3452 | */ | ||
3453 | struct GNUNET_CRYPTO_RsaBlindedMessage rsa_blinded_message; | ||
3454 | |||
3455 | } details; | ||
3456 | }; | ||
3457 | |||
3458 | |||
3459 | /** | ||
3460 | * Pair of Public R values for Cs denominations | ||
3461 | */ | ||
3462 | struct GNUNET_CRYPTO_CSPublicRPairP | ||
3463 | { | ||
3464 | struct GNUNET_CRYPTO_CsRPublic r_pub[2]; | ||
3465 | }; | ||
3466 | |||
3467 | |||
3468 | /** | ||
3469 | * Secret r for Cs denominations | ||
3470 | */ | ||
3471 | struct GNUNET_CRYPTO_CSPrivateRPairP | ||
3472 | { | ||
3473 | struct GNUNET_CRYPTO_CsRSecret r[2]; | ||
3474 | }; | ||
3475 | |||
3476 | |||
3477 | /** | ||
3478 | * @brief Input needed for blinding a message. | ||
3479 | */ | ||
3480 | struct GNUNET_CRYPTO_BlindingInputValues | ||
3481 | { | ||
3482 | |||
3483 | /** | ||
3484 | * Type of the signature. | ||
3485 | */ | ||
3486 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3487 | |||
3488 | /** | ||
3489 | * Reference counter. | ||
3490 | */ | ||
3491 | unsigned int rc; | ||
3492 | |||
3493 | /** | ||
3494 | * Details, depending on @e cipher. | ||
3495 | */ | ||
3496 | union | ||
3497 | { | ||
3498 | /** | ||
3499 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3500 | */ | ||
3501 | struct GNUNET_CRYPTO_CSPublicRPairP cs_values; | ||
3502 | |||
3503 | } details; | ||
3504 | |||
3505 | }; | ||
3506 | |||
3507 | |||
3508 | /** | ||
3509 | * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero. | ||
3510 | * | ||
3511 | * @param[in] bsign_pub key to free | ||
3512 | */ | ||
3513 | void | ||
3514 | GNUNET_CRYPTO_blind_sign_pub_decref (struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3515 | |||
3516 | |||
3517 | /** | ||
3518 | * Decrement reference counter of a @a bsign_priv, and free it if it reaches zero. | ||
3519 | * | ||
3520 | * @param[in] bsign_priv key to free | ||
3521 | */ | ||
3522 | void | ||
3523 | GNUNET_CRYPTO_blind_sign_priv_decref (struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3524 | |||
3525 | |||
3526 | /** | ||
3527 | * Decrement reference counter of a @a ub_sig, and free it if it reaches zero. | ||
3528 | * | ||
3529 | * @param[in] ub_sig signature to free | ||
3530 | */ | ||
3531 | void | ||
3532 | GNUNET_CRYPTO_unblinded_sig_decref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3533 | |||
3534 | |||
3535 | /** | ||
3536 | * Decrement reference counter of a @a blind_sig, and free it if it reaches zero. | ||
3537 | * | ||
3538 | * @param[in] blind_sig signature to free | ||
3539 | */ | ||
3540 | void | ||
3541 | GNUNET_CRYPTO_blinded_sig_decref ( | ||
3542 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3543 | |||
3544 | |||
3545 | /** | ||
3546 | * Increment reference counter of the given @a bsign_pub. | ||
3547 | * | ||
3548 | * @param[in,out] bsign_pub public key to increment reference counter for | ||
3549 | * @return alias of @a bsign_pub with RC incremented | ||
3550 | */ | ||
3551 | struct GNUNET_CRYPTO_BlindSignPublicKey * | ||
3552 | GNUNET_CRYPTO_bsign_pub_incref (struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3553 | |||
3554 | |||
3555 | /** | ||
3556 | * Increment reference counter of the given @a bsign_priv. | ||
3557 | * | ||
3558 | * @param[in,out] bsign_priv private key to increment reference counter for | ||
3559 | * @return alias of @a bsign_priv with RC incremented | ||
3560 | */ | ||
3561 | struct GNUNET_CRYPTO_BlindSignPrivateKey * | ||
3562 | GNUNET_CRYPTO_bsign_priv_incref (struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3563 | |||
3564 | |||
3565 | /** | ||
3566 | * Increment reference counter of the given @a ub_sig. | ||
3567 | * | ||
3568 | * @param[in,out] ub_sig signature to increment reference counter for | ||
3569 | * @return alias of @a ub_sig with RC incremented | ||
3570 | */ | ||
3571 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3572 | GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3573 | |||
3574 | |||
3575 | /** | ||
3576 | * Increment reference counter of the given @a blind_sig. | ||
3577 | * | ||
3578 | * @param[in,out] blind_sig signature to increment reference counter for | ||
3579 | * @return alias of @a blind_sig with RC incremented | ||
3580 | */ | ||
3581 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3582 | GNUNET_CRYPTO_blind_sig_incref ( | ||
3583 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3584 | |||
3585 | |||
3586 | /** | ||
3587 | * Compare two denomination public keys. | ||
3588 | * | ||
3589 | * @param bp1 first key | ||
3590 | * @param bp2 second key | ||
3591 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3592 | */ | ||
3593 | int | ||
3594 | GNUNET_CRYPTO_bsign_pub_cmp ( | ||
3595 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1, | ||
3596 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2); | ||
3597 | |||
3598 | |||
3599 | /** | ||
3600 | * Compare two denomination signatures. | ||
3601 | * | ||
3602 | * @param sig1 first signature | ||
3603 | * @param sig2 second signature | ||
3604 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3605 | */ | ||
3606 | int | ||
3607 | GNUNET_CRYPTO_ub_sig_cmp (const struct GNUNET_CRYPTO_UnblindedSignature *sig1, | ||
3608 | const struct GNUNET_CRYPTO_UnblindedSignature *sig2); | ||
3609 | |||
3610 | |||
3611 | /** | ||
3612 | * Compare two blinded denomination signatures. | ||
3613 | * | ||
3614 | * @param sig1 first signature | ||
3615 | * @param sig2 second signature | ||
3616 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3617 | */ | ||
3618 | int | ||
3619 | GNUNET_blind_sig_cmp ( | ||
3620 | const struct GNUNET_CRYPTO_BlindedSignature *sig1, | ||
3621 | const struct GNUNET_CRYPTO_BlindedSignature *sig2); | ||
3622 | |||
3623 | |||
3624 | /** | ||
3625 | * Compare two blinded messages. | ||
3626 | * | ||
3627 | * @param bp1 first blinded message | ||
3628 | * @param bp2 second blinded message | ||
3629 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3630 | */ | ||
3631 | int | ||
3632 | GNUNET_CRYPTO_blinded_message_cmp ( | ||
3633 | const struct GNUNET_CRYPTO_BlindedMessage *bp1, | ||
3634 | const struct GNUNET_CRYPTO_BlindedMessage *bp2); | ||
3635 | |||
3636 | |||
3637 | /** | ||
3638 | * Initialize public-private key pair for blind signatures. | ||
3639 | * | ||
3640 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3641 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3642 | * be passed. | ||
3643 | * | ||
3644 | * @param[out] denom_priv where to write the private key with RC 1 | ||
3645 | * @param[out] denom_pub where to write the public key with RC 1 | ||
3646 | * @param cipher which type of cipher to use | ||
3647 | * @param ... RSA key size (eg. 2048/3072/4096) | ||
3648 | * @return #GNUNET_OK on success, #GNUNET_NO if parameters were invalid | ||
3649 | */ | ||
3650 | enum GNUNET_GenericReturnValue | ||
3651 | GNUNET_CRYPTO_blind_sign_keys_create ( | ||
3652 | struct GNUNET_CRYPTO_BlindSignPrivateKey **denom_priv, | ||
3653 | struct GNUNET_CRYPTO_BlindSignPublicKey **denom_pub, | ||
3654 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3655 | ...); | ||
3656 | |||
3657 | |||
3658 | /** | ||
3659 | * @brief Type of blinding secrets. Must be exactly 32 bytes (DB). | ||
3660 | */ | ||
3661 | union GNUNET_CRYPTO_BlindingSecretP | ||
3662 | { | ||
3663 | /** | ||
3664 | * Clause Schnorr nonce. FIXME: probably should have | ||
3665 | * a different type than the nonce we send over the | ||
3666 | * network!!! | ||
3667 | */ | ||
3668 | struct GNUNET_CRYPTO_CsNonce nonce; | ||
3669 | |||
3670 | /** | ||
3671 | * Variant for RSA for blind signatures. | ||
3672 | */ | ||
3673 | struct GNUNET_CRYPTO_RsaBlindingKeySecret rsa_bks; | ||
3674 | }; | ||
3675 | |||
3676 | |||
3677 | /** | ||
3678 | * Blind message for blind signing with @a dk using blinding secret @a coin_bks. | ||
3679 | * | ||
3680 | * @param bsign_pub public key to blind for | ||
3681 | * @param bks blinding secret to use | ||
3682 | * @param message message to sign | ||
3683 | * @param message_size number of bytes in @a message | ||
3684 | * @param alg_values algorithm specific values to blind the @a message | ||
3685 | * @return blinded message to give to signer, NULL on error | ||
3686 | */ | ||
3687 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3688 | GNUNET_CRYPTO_message_blind_to_sign ( | ||
3689 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
3690 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3691 | const void *message, | ||
3692 | size_t message_size, | ||
3693 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values); | ||
3694 | |||
3695 | |||
3696 | /** | ||
3697 | * Create blind signature. | ||
3698 | * | ||
3699 | * @param bsign_priv private key to use for signing | ||
3700 | * @param salt salt value to use for the HKDF | ||
3701 | * @param blinded_message the already blinded message to sign | ||
3702 | * @return blind signature with RC=1, NULL on failure | ||
3703 | */ | ||
3704 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3705 | GNUNET_CRYPTO_blind_sign ( | ||
3706 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3707 | const char *salt, | ||
3708 | const struct GNUNET_CRYPTO_BlindedMessage *blinded_message); | ||
3709 | |||
3710 | |||
3711 | /** | ||
3712 | * Unblind blind signature. | ||
3713 | * | ||
3714 | * @param blinded_sig the blind signature | ||
3715 | * @param bks blinding secret to use | ||
3716 | * @param message message that was supposedly signed | ||
3717 | * @param message_size number of bytes in @a message | ||
3718 | * @param alg_values algorithm specific values | ||
3719 | * @param bsign_pub public key used for signing | ||
3720 | * @return unblinded signature with RC=1, NULL on error | ||
3721 | */ | ||
3722 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3723 | GNUNET_CRYPTO_blind_sig_unblind ( | ||
3724 | const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig, | ||
3725 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3726 | const void *message, | ||
3727 | size_t message_size, | ||
3728 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values, | ||
3729 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3730 | |||
3731 | |||
3732 | /** | ||
3733 | * Verify signature made blindly. | ||
3734 | * | ||
3735 | * @param bsign_pub public key | ||
3736 | * @param ub_sig signature made blindly with the private key | ||
3737 | * @param message message that was supposedly signed | ||
3738 | * @param message_size number of bytes in @a message | ||
3739 | * @return #GNUNET_OK if the signature is valid | ||
3740 | */ | ||
3741 | enum GNUNET_GenericReturnValue | ||
3742 | GNUNET_CRYPTO_blind_sig_verify ( | ||
3743 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
3744 | const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig, | ||
3745 | const void *message, | ||
3746 | size_t message_size); | ||
3173 | 3747 | ||
3174 | 3748 | ||
3175 | /** | 3749 | /** |