author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2021-05-03 08:50:40 +0200 |
---|---|---|
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2021-05-03 08:50:40 +0200 |
commit | cddd56b6c733d996e872783e7c54acf17135d11d (patch) | |
tree | 7f1002d42dcea0c09b38336c899ffb6c1aa6ae5a /src/util/crypto_ecc_gnsrecord.c | |
parent | ae33e8ca07ba8cb72d9823b5137aeeb93bd2056c (diff) | |
download | gnunet-cddd56b6c733d996e872783e7c54acf17135d11d.tar.gz gnunet-cddd56b6c733d996e872783e7c54acf17135d11d.zip |
-more comments on EDKEY signature
Diffstat (limited to 'src/util/crypto_ecc_gnsrecord.c')
-rw-r--r-- | src/util/crypto_ecc_gnsrecord.c | 94 |
1 files changed, 68 insertions, 26 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c index 6689a21f1..bab0ce44a 100644 --- a/src/util/crypto_ecc_gnsrecord.c +++ b/src/util/crypto_ecc_gnsrecord.c | |||
@@ -94,52 +94,94 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar ( | |||
94 | { | 94 | { |
95 | 95 | ||
96 | crypto_hash_sha512_state hs; | 96 | crypto_hash_sha512_state hs; |
97 | unsigned char az[64]; | 97 | unsigned char sk[64]; |
98 | unsigned char nonce[64]; | 98 | unsigned char r[64]; |
99 | unsigned char hram[64]; | 99 | unsigned char hram[64]; |
100 | unsigned char R[32]; | 100 | unsigned char R[32]; |
101 | unsigned char pk[32]; | 101 | unsigned char zk[32]; |
102 | unsigned char tmp[32]; | ||
102 | 103 | ||
103 | crypto_hash_sha512_init (&hs); | 104 | crypto_hash_sha512_init (&hs); |
104 | 105 | ||
105 | // crypto_hash_sha512 (az, sk, 32); DO NOT EXPAND, WE HAVE A KEY | 106 | /** |
106 | memcpy (az, priv->s, 64); | 107 | * Instead of expanding the private here, we already |
107 | crypto_scalarmult_ed25519_base_noclamp (pk, | 108 | * have the secret scalar as input. Use it. |
109 | * Note that sk is not plain SHA512 (d). | ||
110 | * sk[0..31] contains the derived private scalar | ||
111 | * sk[0..31] = h * SHA512 (d)[0..31] | ||
112 | * sk[32..63] = SHA512 (d)[32..63] | ||
113 | */ | ||
114 | memcpy (sk, priv->s, 64); | ||
115 | |||
116 | /** | ||
117 | * Calculate the derived zone key zk' from the | ||
118 | * derived private scalar. | ||
119 | */ | ||
120 | crypto_scalarmult_ed25519_base_noclamp (zk, | ||
108 | priv->s); | 121 | priv->s); |
109 | crypto_hash_sha512_update (&hs, az + 32, 32); | ||
110 | 122 | ||
123 | /** | ||
124 | * Calculate r: | ||
125 | * r = SHA512 (sk[32..63] | M) | ||
126 | * where M is our message (purpose). | ||
127 | * Note that sk[32..63] is the other half of the | ||
128 | * expansion from the original, non-derived private key | ||
129 | * "d". | ||
130 | */ | ||
131 | crypto_hash_sha512_update (&hs, sk + 32, 32); | ||
111 | crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size)); | 132 | crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size)); |
112 | crypto_hash_sha512_final (&hs, nonce); | 133 | crypto_hash_sha512_final (&hs, r); |
113 | 134 | ||
114 | // This effectively creates R || A in sig | 135 | /** |
115 | memcpy (sig->s, pk, 32); | 136 | * Temporarily put zk into S |
116 | 137 | */ | |
117 | unsigned char nonce_mod[64]; | 138 | memcpy (sig->s, zk, 32); |
118 | crypto_core_ed25519_scalar_reduce (nonce_mod, nonce); | 139 | |
119 | // nonce == r; r * G == R | 140 | /** |
120 | crypto_scalarmult_ed25519_base_noclamp (R, nonce_mod); | 141 | * Reduce the scalar value r |
142 | */ | ||
143 | unsigned char r_mod[64]; | ||
144 | crypto_core_ed25519_scalar_reduce (r_mod, r); | ||
145 | |||
146 | /** | ||
147 | * Calculate R := r * G of the signature | ||
148 | */ | ||
149 | crypto_scalarmult_ed25519_base_noclamp (R, r_mod); | ||
121 | memcpy (sig->r, R, sizeof (R)); | 150 | memcpy (sig->r, R, sizeof (R)); |
122 | 151 | ||
123 | // SHA512 (R | A | M) == k | 152 | /** |
153 | * Calculate | ||
154 | * hram := SHA512 (R | zk' | M) | ||
155 | */ | ||
124 | crypto_hash_sha512_init (&hs); | 156 | crypto_hash_sha512_init (&hs); |
125 | crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64); | 157 | crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64); |
126 | crypto_hash_sha512_update (&hs, (uint8_t*) purpose, | 158 | crypto_hash_sha512_update (&hs, (uint8_t*) purpose, |
127 | ntohl (purpose->size)); | 159 | ntohl (purpose->size)); |
128 | crypto_hash_sha512_final (&hs, hram); | 160 | crypto_hash_sha512_final (&hs, hram); |
129 | 161 | ||
162 | /** | ||
163 | * Reduce the resulting scalar value | ||
164 | */ | ||
130 | unsigned char hram_mod[64]; | 165 | unsigned char hram_mod[64]; |
131 | crypto_core_ed25519_scalar_reduce (hram_mod, hram); | 166 | crypto_core_ed25519_scalar_reduce (hram_mod, hram); |
132 | az[0] &= 248; | ||
133 | az[31] &= 127; | ||
134 | az[31] |= 64; | ||
135 | 167 | ||
136 | unsigned char tmp[32]; | 168 | /** |
137 | // r + k * s mod L == S | 169 | * Clamp the private scalar |
138 | crypto_core_ed25519_scalar_mul (tmp, hram_mod, az); | 170 | */ |
139 | crypto_core_ed25519_scalar_add (sig->s, tmp, nonce_mod); | 171 | sk[0] &= 248; |
172 | sk[31] &= 127; | ||
173 | sk[31] |= 64; | ||
174 | |||
175 | /** | ||
176 | * Calculate | ||
177 | * S := r + hram * s mod L | ||
178 | */ | ||
179 | crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk); | ||
180 | crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod); | ||
140 | 181 | ||
141 | sodium_memzero (az, sizeof az); | 182 | sodium_memzero (sk, sizeof (sk)); |
142 | sodium_memzero (nonce, sizeof nonce); | 183 | sodium_memzero (r, sizeof (r)); |
184 | sodium_memzero (r_mod, sizeof (r_mod)); | ||
143 | } | 185 | } |
144 | 186 | ||
145 | 187 | ||
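Review bot: The product `tmp` written by `crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk)` is never wiped, although `sk`, `r` and `r_mod` are zeroed at the end of the function; because `hram_mod` is public (it is derived from R, zk' and the message) and, whenever it is non-zero, invertible mod L, `tmp` is equivalent to the private scalar and should be cleared with `sodium_memzero (tmp, sizeof (tmp));` alongside the other three. A second point I infer rather than can check from the hunk: zk' is computed from the unclamped `priv->s`, while S is computed from `sk` after the clamping at new lines 171-173, so if the derivation producing `priv->s` does not already guarantee the clamped bit pattern, S*G will not equal R + hram*zk' and verification fails. Either drop the clamp or document the invariant it relies on, e.g. `/* sk[0..31] is already clamped by the derivation; these masks must be a no-op */`. The function's signature line precedes the hunk.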