Merge branch 'master' of ssh://git.gnunet.org/gnunet

6 files changed, 1427 insertions, 82 deletions

diff --git a/src/curl/curl.c b/src/curl/curl.c
index 30c2f8c01..684610101 100644
--- a/src/curl/curl.c
+++ b/src/curl/curl.c
@@ -858,85 +858,6 @@ GNUNET_CURL_append_header (struct GNUNET_CURL_Context *ctx,
 }
 
 
-#if ENABLE_BENCHMARK
-static void
-do_benchmark (CURLMsg *cmsg)
-{
-  char *url = NULL;
-  double total_as_double = 0;
-  struct GNUNET_TIME_Relative total;
-  struct UrlRequestData *urd;
-  /* Some care required, as curl is using data types (long vs curl_off_t vs
-   * double) inconsistently to store byte count. */
-  curl_off_t size_curl = 0;
-  long size_long = 0;
-  uint64_t bytes_sent = 0;
-  uint64_t bytes_received = 0;
-
-  GNUNET_break (CURLE_OK ==
-                curl_easy_getinfo (cmsg->easy_handle,
-                                   CURLINFO_TOTAL_TIME,
-                                   &total_as_double));
-  total.rel_value_us = total_as_double * 1000 * 1000;
-
-  GNUNET_break (CURLE_OK ==
-                curl_easy_getinfo (cmsg->easy_handle,
-                                   CURLINFO_EFFECTIVE_URL,
-                                   &url));
-
-  /* HEADER_SIZE + SIZE_DOWNLOAD_T is hopefully the total
-     number of bytes received, not clear from curl docs. */
-
-  GNUNET_break (CURLE_OK ==
-                curl_easy_getinfo (cmsg->easy_handle,
-                                   CURLINFO_HEADER_SIZE,
-                                   &size_long));
-  bytes_received += size_long;
-
-  GNUNET_break (CURLE_OK ==
-                curl_easy_getinfo (cmsg->easy_handle,
-                                   CURLINFO_SIZE_DOWNLOAD_T,
-                                   &size_curl));
-  bytes_received += size_curl;
-
-  /* REQUEST_SIZE + SIZE_UPLOAD_T is hopefully the total number of bytes
-     sent, again docs are not completely clear. */
-
-  GNUNET_break (CURLE_OK ==
-                curl_easy_getinfo (cmsg->easy_handle,
-                                   CURLINFO_REQUEST_SIZE,
-                                   &size_long));
-  bytes_sent += size_long;
-
-  /* We obtain this value to check an invariant, but never use it otherwise. */
-  GNUNET_break (CURLE_OK ==
-                curl_easy_getinfo (cmsg->easy_handle,
-                                   CURLINFO_SIZE_UPLOAD_T,
-                                   &size_curl));
-
-  /* CURLINFO_SIZE_UPLOAD_T <= CURLINFO_REQUEST_SIZE should
-     be an invariant.
-     As verified with
-     curl -w "foo%{size_request} -XPOST --data "ABC" $URL
-     the CURLINFO_REQUEST_SIZE should be the whole size of the request
-     including headers and body.
-  */
-  GNUNET_break (size_curl <= size_long);
-
-  urd = get_url_benchmark_data (url, (unsigned int) response_code);
-  urd->count++;
-  urd->time = GNUNET_TIME_relative_add (urd->time,
-                                        total);
-  urd->time_max = GNUNET_TIME_relative_max (total,
-                                            urd->time_max);
-  urd->bytes_sent += bytes_sent;
-  urd->bytes_received += bytes_received;
-}
-
-
-#endif
-
-
 /**
  * Run the main event loop for the HTTP interaction.
  *
@@ -994,9 +915,6 @@ GNUNET_CURL_perform2 (struct GNUNET_CURL_Context *ctx,
                 response);
       rc (response);
     }
-#if ENABLE_BENCHMARK
-    do_benchmark (cmsg);
-#endif
     GNUNET_CURL_job_cancel (job);
   }
 }
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index edb4bb230..9166f822b 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -392,6 +392,127 @@ struct GNUNET_CRYPTO_PaillierCiphertext
 };
 
 
+/**
+ * Curve25519 Scalar
+ */
+struct GNUNET_CRYPTO_Cs25519Scalar
+{
+  /**
+   * 32 byte scalar
+   */
+  unsigned char d[crypto_core_ed25519_SCALARBYTES];
+};
+
+
+/**
+ * Curve25519 point
+ */
+struct GNUNET_CRYPTO_Cs25519Point
+{
+  /**
+   * This is a point on the Curve25519.
+   * The x coordinate can be restored using the y coordinate
+   */
+  unsigned char y[crypto_core_ed25519_BYTES];
+};
+
+
+/**
+ * The private information of an Schnorr key pair.
+ */
+struct GNUNET_CRYPTO_CsPrivateKey
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * The public information of an Schnorr key pair.
+ */
+struct GNUNET_CRYPTO_CsPublicKey
+{
+  struct GNUNET_CRYPTO_Cs25519Point point;
+};
+
+
+/**
+ * Secret used for blinding (alpha and beta).
+ */
+struct GNUNET_CRYPTO_CsBlindingSecret
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar alpha;
+  struct GNUNET_CRYPTO_Cs25519Scalar beta;
+};
+
+
+/**
+ * the private r used in the signature
+ */
+struct GNUNET_CRYPTO_CsRSecret
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * the public R (derived from r) used in c
+ */
+struct GNUNET_CRYPTO_CsRPublic
+{
+  struct GNUNET_CRYPTO_Cs25519Point point;
+};
+
+
+/**
+ * Schnorr c to be signed
+ */
+struct GNUNET_CRYPTO_CsC
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * s in the signature
+ */
+struct GNUNET_CRYPTO_CsS
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * blinded s in the signature
+ */
+struct GNUNET_CRYPTO_CsBlindS
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * CS Signtature containing scalar s and point R
+ */
+struct GNUNET_CRYPTO_CsSignature
+{
+  /**
+   * Schnorr signatures are composed of a scalar s and a curve point
+   */
+  struct GNUNET_CRYPTO_CsS s_scalar;
+  struct GNUNET_CRYPTO_CsRPublic r_point;
+};
+
+
+/**
+ * Nonce
+ */
+struct GNUNET_CRYPTO_CsNonce
+{
+  /*a nonce*/
+  unsigned char nonce[256 / 8];
+};
+
+
 /* **************** Functions and Macros ************* */
 
 /**
@@ -2436,6 +2557,155 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
                           const struct GNUNET_CRYPTO_RsaPublicKey *public_key);
 
 
+/**
+ * Create a new random private key.
+ *
+ * @param[out] priv where to write the fresh private key
+ */
+void
+GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv);
+
+
+/**
+ * Extract the public key of the given private key.
+ *
+ * @param priv the private key
+ * @param[out] pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_cs_private_key_get_public (const struct
+                                         GNUNET_CRYPTO_CsPrivateKey *priv,
+                                         struct GNUNET_CRYPTO_CsPublicKey *pub);
+
+
+/**
+ * Derive a new secret r pair r0 and r1.
+ * In original papers r is generated randomly
+ * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce should be used when a new r needs to be derived.
+ * Uses HKDF internally.
+ * Comment: Can be done in one HKDF shot and split output.
+ *
+ * @param nonce is a random nonce
+ * @param lts is a long-term-secret in form of a private key
+ * @param[out] r array containing derived secrets r0 and r1
+ */
+void
+GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce,
+                           const struct GNUNET_CRYPTO_CsPrivateKey *lts,
+                           struct GNUNET_CRYPTO_CsRSecret r[2]);
+
+
+/**
+ * Extract the public R of the given secret r.
+ *
+ * @param r_priv the private key
+ * @param[out] r_pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv,
+                               struct GNUNET_CRYPTO_CsRPublic *r_pub);
+
+
+/**
+ * Derives new random blinding factors.
+ * In original papers blinding factors are generated randomly
+ * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce has to be used.
+ * Uses HKDF internally
+ *
+ * @param secret is secret to derive blinding factors
+ * @param secret_len secret length
+ * @param[out] bs array containing the two derived blinding secrets
+ */
+void
+GNUNET_CRYPTO_cs_blinding_secrets_derive (const void *secret,
+                                          size_t secret_len,
+                                          struct GNUNET_CRYPTO_CsBlindingSecret
+                                          bs[2]);
+
+
+/**
+ * Calculate two blinded c's
+ * Comment: One would be insecure due to Wagner's algorithm solving ROS
+ *
+ * @param bs array of the two blinding factor structs each containing alpha and beta
+ * @param r_pub array of the two signer's nonce R
+ * @param pub the public key of the signer
+ * @param msg the message to blind in preparation for signing
+ * @param msg_len length of message msg
+ * @param[out] blinded_c array of the two blinded c's
+ * @param[out] blinded_r_pub array of the two blinded R
+ */
+void
+GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret
+                                 bs[2],
+                                 const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
+                                 const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                                 const void *msg,
+                                 size_t msg_len,
+                                 struct GNUNET_CRYPTO_CsC blinded_c[2],
+                                 struct GNUNET_CRYPTO_CsRPublic
+                                 blinded_r_pub[2]);
+
+
+/**
+ * Sign a blinded c
+ * This function derives b from a nonce and a longterm secret
+ * In original papers b is generated randomly
+ * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE.
+ * To ensure unpredictability a new nonce has to be used for every signature
+ * HKDF is used internally for derivation
+ * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive
+ *
+ * @param priv private key to use for the signing and as LTS in HKDF
+ * @param r array of the two secret nonce from the signer
+ * @param c array of the two blinded c to sign c_b
+ * @param nonce is a random nonce
+ * @param[out] blinded_signature_scalar where to write the signature
+ * @return 0 or 1 for b (see Clause Blind Signature Scheme)
+ */
+unsigned int
+GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                              const struct GNUNET_CRYPTO_CsRSecret r[2],
+                              const struct GNUNET_CRYPTO_CsC c[2],
+                              const struct GNUNET_CRYPTO_CsNonce *nonce,
+                              struct GNUNET_CRYPTO_CsBlindS *
+                              blinded_signature_scalar
+                              );
+
+
+/**
+ * Unblind a blind-signed signature using a c that was blinded
+ *
+ * @param blinded_signature_scalar the signature made on the blinded c
+ * @param bs the blinding factors used in the blinding
+ * @param[out] signature_scalar where to write the unblinded signature
+ */
+void
+GNUNET_CRYPTO_cs_unblind (const struct
+                          GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
+                          const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+                          struct GNUNET_CRYPTO_CsS *signature_scalar);
+
+
+/**
+ * Verify whether the given message corresponds to the given signature and the
+ * signature is valid with respect to the given public key.
+ *
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @param msg is the message that should be signed by @a sig  (message is used to calculate c)
+ * @param msg_len is the message length
+ * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+                         const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                         const void *msg,
+                         size_t msg_len);
+
+
 #if 0 /* keep Emacsens' auto-indent happy */
 {
 #endif
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index d21ac5e86..9fda40f51 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -61,6 +61,7 @@ libgnunetutil_la_SOURCES = \
   container_multihashmap32.c \
   crypto_symmetric.c \
   crypto_crc.c \
+  crypto_cs.c \
   crypto_ecc.c \
   crypto_ecc_gnsrecord.c \
   $(DLOG) \
@@ -253,6 +254,7 @@ libgnunet_plugin_utiltest_la_LDFLAGS = \
 
 if HAVE_BENCHMARKS
  BENCHMARKS = \
+  perf_crypto_cs \
   perf_crypto_hash \
   perf_crypto_rsa \
   perf_crypto_paillier \
@@ -289,6 +291,7 @@ check_PROGRAMS = \
  test_container_heap \
  test_crypto_symmetric \
  test_crypto_crc \
+ test_crypto_cs \
  test_crypto_ecdsa \
  test_crypto_eddsa \
  test_crypto_ecdhe \
@@ -449,6 +452,12 @@ test_crypto_crc_SOURCES = \
 test_crypto_crc_LDADD = \
  libgnunetutil.la
 
+test_crypto_cs_SOURCES = \
+ test_crypto_cs.c
+test_crypto_cs_LDADD = \
+ libgnunetutil.la \
+ -lsodium
+
 test_crypto_ecdsa_SOURCES = \
  test_crypto_ecdsa.c
 test_crypto_ecdsa_LDADD = \
@@ -604,6 +613,11 @@ test_uri_SOURCES = \
 test_uri_LDADD = \
  libgnunetutil.la
 
+perf_crypto_cs_SOURCES = \
+ perf_crypto_cs.c
+perf_crypto_cs_LDADD = \
+ libgnunetutil.la
+
 perf_crypto_hash_SOURCES = \
  perf_crypto_hash.c
 perf_crypto_hash_LDADD = \
diff --git a/src/util/crypto_cs.c b/src/util/crypto_cs.c
new file mode 100644
index 000000000..5c441b669
--- /dev/null
+++ b/src/util/crypto_cs.c
@@ -0,0 +1,425 @@
+/*
+   This file is part of GNUnet
+   Copyright (C) 2014,2016,2019 GNUnet e.V.
+
+   GNUnet is free software: you can redistribute it and/or modify it
+   under the terms of the GNU Affero General Public License as published
+   by the Free Software Foundation, either version 3 of the License,
+   or (at your option) any later version.
+
+   GNUnet is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/crypto_cs.c
+ * @brief Clause Blind Schnorr signatures using Curve25519
+ * @author Lucien Heuzeveldt <lucienclaude.heuzeveldt@students.bfh.ch>
+ * @author Gian Demarmels <gian@demarmels.org>
+ */
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+#include <sodium.h>
+#include <gcrypt.h>
+
+/**
+ * IMPLEMENTATION NOTICE:
+ *
+ * This is an implementation of the Clause Blind Schnorr Signature Scheme using Curve25519.
+ * Further details about the Clause Blind Schnorr Signature Scheme can be found here:
+ * https://eprint.iacr.org/2019/877.pdf
+ *
+ * We use libsodium wherever possible.
+ */
+
+
+/**
+ * Create a new random private key.
+ *
+ * @param[out] priv where to write the fresh private key
+ */
+void
+GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv)
+{
+  crypto_core_ed25519_scalar_random (priv->scalar.d);
+}
+
+
+/**
+ * Extract the public key of the given private key.
+ *
+ * @param priv the private key
+ * @param[out] pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_cs_private_key_get_public (const struct
+                                         GNUNET_CRYPTO_CsPrivateKey *priv,
+                                         struct GNUNET_CRYPTO_CsPublicKey *pub)
+{
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (pub->point.y,
+                                                              priv->scalar.d));
+}
+
+
+/**
+ * maps 32 random bytes to a scalar
+ * this is necessary because libsodium expects scalar to be in the prime order subgroup
+ * @param[out] scalar containing 32 byte char array, is modified to be in prime order subgroup
+ */
+static void
+map_to_scalar_subgroup (struct GNUNET_CRYPTO_Cs25519Scalar *scalar)
+{
+  // perform clamping as described in RFC7748
+  scalar->d[0] &= 248;
+  scalar->d[31] &= 127;
+  scalar->d[31] |= 64;
+}
+
+
+/**
+ * Derive a new secret r pair r0 and r1.
+ * In original papers r is generated randomly
+ * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce should be used when a new r needs to be derived.
+ * Uses HKDF internally.
+ * Comment: Can be done in one HKDF shot and split output.
+ *
+ * @param nonce is a random nonce
+ * @param lts is a long-term-secret in form of a private key
+ * @param[out] r array containing derived secrets r0 and r1
+ */
+void
+GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce,
+                           const struct GNUNET_CRYPTO_CsPrivateKey *lts,
+                           struct GNUNET_CRYPTO_CsRSecret r[2])
+{
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CRYPTO_hkdf (r,
+                                     sizeof (struct GNUNET_CRYPTO_CsRSecret)
+                                     * 2,
+                                     GCRY_MD_SHA512,
+                                     GCRY_MD_SHA256,
+                                     "r",
+                                     strlen ("r"),
+                                     lts,
+                                     sizeof (*lts),
+                                     nonce,
+                                     sizeof (*nonce),
+                                     NULL,
+                                     0));
+
+  map_to_scalar_subgroup (&r[0].scalar);
+  map_to_scalar_subgroup (&r[1].scalar);
+}
+
+
+/**
+ * Extract the public R of the given secret r.
+ *
+ * @param r_priv the private key
+ * @param[out] r_pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv,
+                               struct GNUNET_CRYPTO_CsRPublic *r_pub)
+{
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (r_pub->point.y,
+                                                              r_priv->scalar.d));
+}
+
+
+/**
+ * Derives new random blinding factors.
+ * In original papers blinding factors are generated randomly
+ * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce has to be used.
+ * Uses HKDF internally
+ *
+ * @param secret is secret to derive blinding factors
+ * @param secret_len secret length
+ * @param[out] bs array containing the two derived blinding secrets
+ */
+void
+GNUNET_CRYPTO_cs_blinding_secrets_derive (const void *secret,
+                                          size_t secret_len,
+                                          struct GNUNET_CRYPTO_CsBlindingSecret
+                                          bs[2])
+{
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CRYPTO_hkdf (bs,
+                                     sizeof (struct
+                                             GNUNET_CRYPTO_CsBlindingSecret)
+                                     * 2,
+                                     GCRY_MD_SHA512,
+                                     GCRY_MD_SHA256,
+                                     "alphabeta",
+                                     strlen ("alphabeta"),
+                                     secret,
+                                     secret_len,
+                                     NULL,
+                                     0));
+  map_to_scalar_subgroup (&bs[0].alpha);
+  map_to_scalar_subgroup (&bs[0].beta);
+  map_to_scalar_subgroup (&bs[1].alpha);
+  map_to_scalar_subgroup (&bs[1].beta);
+}
+
+
+/*
+order of subgroup required for scalars by libsodium
+2^252 + 27742317777372353535851937790883648493
+copied from https://github.com/jedisct1/libsodium/blob/master/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+and converted to big endian
+*/
+static const unsigned char L_BIG_ENDIAN[32] = {
+  0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7,
+  0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed
+};
+
+
+/**
+ * Computes a Hash of (R', m) mapped to a Curve25519 scalar
+ *
+ * @param hash initial hash of the message to be signed
+ * @param pub denomination public key (used as salt)
+ * @param[out] c C containing scalar
+ */
+static void
+cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash,
+                     const void *msg,
+                     size_t msg_len,
+                     const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                     struct GNUNET_CRYPTO_CsC *c)
+{
+  // SHA-512 hash of R' and message
+  size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
+  char r_m_concat[r_m_concat_len];
+  memcpy (r_m_concat, r_dash, sizeof(struct GNUNET_CRYPTO_CsRPublic));
+  memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic), msg, msg_len);
+  struct GNUNET_HashCode prehash;
+  GNUNET_CRYPTO_hash (r_m_concat, r_m_concat_len, &prehash);
+
+  // modulus converted to MPI representation
+  gcry_mpi_t l_mpi;
+  GNUNET_CRYPTO_mpi_scan_unsigned (&l_mpi, L_BIG_ENDIAN, sizeof(L_BIG_ENDIAN));
+
+  // calculate full domain hash
+  gcry_mpi_t c_mpi;
+  GNUNET_CRYPTO_kdf_mod_mpi (&c_mpi,
+                             l_mpi,
+                             pub,
+                             sizeof(struct GNUNET_CRYPTO_CsPublicKey),
+                             &prehash,
+                             sizeof(struct GNUNET_HashCode),
+                             "Curve25519FDH");
+  gcry_mpi_release (l_mpi);
+
+  // convert c from mpi
+  unsigned char c_big_endian[256 / 8];
+  GNUNET_CRYPTO_mpi_print_unsigned (c_big_endian, sizeof(c_big_endian), c_mpi);
+  gcry_mpi_release (c_mpi);
+  for (size_t i = 0; i<32; i++)
+    c->scalar.d[i] = c_big_endian[31 - i];
+}
+
+
+/**
+ * calculate R'
+ *
+ * @param bs blinding secret
+ * @param r_pub R
+ * @param pub public key
+ * @param[out] blinded_r_pub R'
+ */
+static void
+calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+             const struct GNUNET_CRYPTO_CsRPublic *r_pub,
+             const struct GNUNET_CRYPTO_CsPublicKey *pub,
+             struct GNUNET_CRYPTO_CsRPublic *blinded_r_pub)
+{
+  // R'i = Ri + alpha i*G + beta i*pub
+  struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base;
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (
+                   alpha_mul_base.y,
+                   bs->alpha.d));
+  struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (beta_mul_pub.y,
+                                                         bs->beta.d,
+                                                         pub->point.y));
+  struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
+  GNUNET_assert (0 == crypto_core_ed25519_add (
+                   alpha_mul_base_plus_beta_mul_pub.y,
+                   alpha_mul_base.y,
+                   beta_mul_pub.y));
+  GNUNET_assert (0 == crypto_core_ed25519_add (blinded_r_pub->point.y,
+                                               r_pub->point.y,
+                                               alpha_mul_base_plus_beta_mul_pub.
+                                               y));
+}
+
+
+/**
+ * Calculate two blinded c's
+ * Comment: One would be insecure due to Wagner's algorithm solving ROS
+ *
+ * @param bs array of the two blinding factor structs each containing alpha and beta
+ * @param r_pub array of the two signer's nonce R
+ * @param pub the public key of the signer
+ * @param msg the message to blind in preparation for signing
+ * @param msg_len length of message msg
+ * @param[out] blinded_c array of the two blinded c's
+ * @param[out] blinded_r_pub array of the two blinded R
+ */
+void
+GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret
+                                 bs[2],
+                                 const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
+                                 const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                                 const void *msg,
+                                 size_t msg_len,
+                                 struct GNUNET_CRYPTO_CsC blinded_c[2],
+                                 struct GNUNET_CRYPTO_CsRPublic
+                                 blinded_r_pub[2])
+{
+  // for i 0/1: R'i = Ri + alpha i*G + beta i*pub
+  calc_r_dash (&bs[0], &r_pub[0], pub, &blinded_r_pub[0]);
+  calc_r_dash (&bs[1], &r_pub[1], pub, &blinded_r_pub[1]);
+
+  // for i 0/1: c'i = H(R'i, msg)
+  struct GNUNET_CRYPTO_CsC c_dash_0;
+  struct GNUNET_CRYPTO_CsC c_dash_1;
+  cs_full_domain_hash (&blinded_r_pub[0], msg, msg_len, pub, &c_dash_0);
+  cs_full_domain_hash (&blinded_r_pub[1], msg, msg_len, pub, &c_dash_1);
+
+  // for i 0/1: ci = c'i + beta i mod p
+  crypto_core_ed25519_scalar_add (blinded_c[0].scalar.d,
+                                  c_dash_0.scalar.d,
+                                  bs[0].beta.d);
+  crypto_core_ed25519_scalar_add (blinded_c[1].scalar.d,
+                                  c_dash_1.scalar.d,
+                                  bs[1].beta.d);
+}
+
+
+/**
+ * Sign a blinded c
+ * This function derives b from a nonce and a longterm secret
+ * In original papers b is generated randomly
+ * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE.
+ * To ensure unpredictability a new nonce has to be used for every signature
+ * HKDF is used internally for derivation
+ * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive
+ *
+ * @param priv private key to use for the signing and as LTS in HKDF
+ * @param r array of the two secret nonce from the signer
+ * @param c array of the two blinded c to sign c_b
+ * @param nonce is a random nonce
+ * @param[out] blinded_signature_scalar where to write the signature
+ * @return 0 or 1 for b (see Clause Blind Signature Scheme)
+ */
+unsigned int
+GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                              const struct GNUNET_CRYPTO_CsRSecret r[2],
+                              const struct GNUNET_CRYPTO_CsC c[2],
+                              const struct GNUNET_CRYPTO_CsNonce *nonce,
+                              struct GNUNET_CRYPTO_CsBlindS *
+                              blinded_signature_scalar
+                              )
+{
+  uint32_t hkdf_out;
+
+  // derive clause session identifier b (random bit)
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CRYPTO_hkdf (&hkdf_out,
+                                     sizeof (hkdf_out),
+                                     GCRY_MD_SHA512,
+                                     GCRY_MD_SHA256,
+                                     "b",
+                                     strlen ("b"),
+                                     priv,
+                                     sizeof (*priv),
+                                     nonce,
+                                     sizeof (*nonce),
+                                     NULL,
+                                     0));
+  unsigned int b = hkdf_out % 2;
+
+  // s = r_b + c_b priv
+  struct GNUNET_CRYPTO_Cs25519Scalar c_b_mul_priv;
+  crypto_core_ed25519_scalar_mul (c_b_mul_priv.d,
+                                  c[b].scalar.d,
+                                  priv->scalar.d);
+  crypto_core_ed25519_scalar_add (blinded_signature_scalar->scalar.d,
+                                  r[b].scalar.d,
+                                  c_b_mul_priv.d);
+
+  return b;
+}
+
+
+/**
+ * Unblind a blind-signed signature using a c that was blinded
+ *
+ * @param blinded_signature_scalar the signature made on the blinded c
+ * @param bs the blinding factors used in the blinding
+ * @param[out] signature_scalar where to write the unblinded signature
+ */
+void
+GNUNET_CRYPTO_cs_unblind (const struct
+                          GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
+                          const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+                          struct GNUNET_CRYPTO_CsS *signature_scalar)
+{
+  crypto_core_ed25519_scalar_add (signature_scalar->scalar.d,
+                                  blinded_signature_scalar->scalar.d,
+                                  bs->alpha.d);
+}
+
+
+/**
+ * Verify whether the given message corresponds to the given signature and the
+ * signature is valid with respect to the given public key.
+ *
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @param msg is the message that should be signed by @a sig  (message is used to calculate c)
+ * @param msg_len is the message length
+ * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+                         const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                         const void *msg,
+                         size_t msg_len)
+{
+  // calculate c' = H(R, m)
+  struct GNUNET_CRYPTO_CsC c_dash;
+  cs_full_domain_hash (&sig->r_point, msg, msg_len, pub, &c_dash);
+
+  // s'G ?= R' + c' pub
+  struct GNUNET_CRYPTO_Cs25519Point sig_scal_mul_base;
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (
+                   sig_scal_mul_base.y,
+                   sig->s_scalar.scalar.d));
+  struct GNUNET_CRYPTO_Cs25519Point c_dash_mul_pub;
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (c_dash_mul_pub.y,
+                                                         c_dash.scalar.d,
+                                                         pub->point.y));
+  struct GNUNET_CRYPTO_Cs25519Point R_add_c_dash_mul_pub;
+  GNUNET_assert (0 == crypto_core_ed25519_add (R_add_c_dash_mul_pub.y,
+                                               sig->r_point.point.y,
+                                               c_dash_mul_pub.y));
+
+  return 0 == GNUNET_memcmp (&sig_scal_mul_base,
+                             &R_add_c_dash_mul_pub)
+    ? GNUNET_OK
+    : GNUNET_SYSERR;
+}
diff --git a/src/util/perf_crypto_cs.c b/src/util/perf_crypto_cs.c
new file mode 100644
index 000000000..a8c72052b
--- /dev/null
+++ b/src/util/perf_crypto_cs.c
@@ -0,0 +1,185 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2014 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @author Lucien Heuzeveldt <lucienclaude.heuzeveldt@students.bfh.ch>
+ * @author Gian Demarmels <gian@demarmels.org>
+ * @file util/perf_crypto_cs.c
+ * @brief measure performance of Clause Blind Schnorr Signatures
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include <gauger.h>
+
+#define ITER 10
+
+/**
+ * Evaluate Clause Blind Schnorr Signature performance.
+ *
+ */
+static void
+eval ()
+{
+  struct GNUNET_TIME_Absolute start;
+  unsigned int i;
+
+  struct GNUNET_CRYPTO_CsPrivateKey priv;
+  struct GNUNET_CRYPTO_CsPublicKey pub;
+
+  struct GNUNET_CRYPTO_CsRSecret r_priv[2];
+  struct GNUNET_CRYPTO_CsRPublic r_pub[2];
+
+  char message[] = "test message";
+  size_t message_len = strlen ("test message");
+
+  // derive a test nonce
+  struct GNUNET_CRYPTO_CsNonce nonce;
+  GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_hkdf (nonce.nonce,
+                                                   sizeof(nonce.nonce),
+                                                   GCRY_MD_SHA512,
+                                                   GCRY_MD_SHA256,
+                                                   "nonce",
+                                                   strlen ("nonce"),
+                                                   "nonce_secret",
+                                                   strlen ("nonce_secret"),
+                                                   NULL,
+                                                   0));
+
+  struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+  struct GNUNET_CRYPTO_CsC blinded_cs[2];
+  struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2];
+  struct GNUNET_CRYPTO_CsBlindS blinded_s;
+  struct GNUNET_CRYPTO_CsS signature_scalar;
+  struct GNUNET_CRYPTO_CsSignature sig;
+
+  // BENCHMARK keygen
+  start = GNUNET_TIME_absolute_get ();
+
+  for (i = 0; i < ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_private_key_generate (&priv);
+    GNUNET_CRYPTO_cs_private_key_get_public (&priv, &pub);
+  }
+  printf ("10x key generation took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+
+
+  // BENCHMARK r derive and calc R pub
+  start = GNUNET_TIME_absolute_get ();
+  for (i = 0; i < ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_r_derive (&nonce, &priv, r_priv);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv[0], &r_pub[0]);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv[1], &r_pub[1]);
+  }
+  printf ("10x r0, r1 derive and R1,R2 calculation took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+
+
+  // BENCHMARK derive blinding secrets
+  start = GNUNET_TIME_absolute_get ();
+  for (i = 0; i < ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce,
+                                              sizeof(struct
+                                                     GNUNET_CRYPTO_CsNonce),
+                                              bs);
+  }
+  printf ("10x derive blinding secrets took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+
+
+  // BENCHMARK calculating C
+  start = GNUNET_TIME_absolute_get ();
+  for (i = 0; i < ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                     r_pub,
+                                     &pub,
+                                     message,
+                                     message_len,
+                                     blinded_cs,
+                                     blinded_r_pub);
+  }
+  printf ("10x calculating the blinded c took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+
+
+  // BENCHMARK sign derive
+  unsigned int b;
+  start = GNUNET_TIME_absolute_get ();
+  for (i = 0; i < ITER; i++)
+  {
+    b = GNUNET_CRYPTO_cs_sign_derive (&priv,
+                                      r_priv,
+                                      blinded_cs,
+                                      &nonce,
+                                      &blinded_s);
+  }
+  printf ("10x signing blinded c took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+
+
+  // BENCHMARK unblind signature
+  start = GNUNET_TIME_absolute_get ();
+
+  for (i = 0; i < ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_unblind (&blinded_s, &bs[b], &signature_scalar);
+    sig.r_point = blinded_r_pub[b];
+    sig.s_scalar = signature_scalar;
+  }
+  printf ("10x unblinding s took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+
+  // BENCHMARK verify signature
+  start = GNUNET_TIME_absolute_get ();
+  for (i = 0; i < ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_verify (&sig,
+                                   &pub,
+                                   message,
+                                   message_len);
+  }
+  printf ("10x verifying signatures took %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+}
+
+int
+main (int argc, char *argv[])
+{
+  eval ();
+  return 0;
+}
diff --git a/src/util/test_crypto_cs.c b/src/util/test_crypto_cs.c
new file mode 100644
index 000000000..2978fec0a
--- /dev/null
+++ b/src/util/test_crypto_cs.c
@@ -0,0 +1,533 @@
+/*
+   This file is part of GNUnet
+   Copyright (C) 2014,2015 GNUnet e.V.
+
+   GNUnet is free software: you can redistribute it and/or modify it
+   under the terms of the GNU Affero General Public License as published
+   by the Free Software Foundation, either version 3 of the License,
+   or (at your option) any later version.
+
+   GNUnet is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/test_crypto_cs.c
+ * @brief testcase for utility functions for clause blind schnorr signature scheme cryptography
+ * @author Lucien Heuzeveldt <lucienclaude.heuzeveldt@students.bfh.ch>
+ * @author Gian Demarmels <gian@demarmels.org>
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include <sodium.h>
+
+#define ITER 25
+
+void
+test_create_priv (struct GNUNET_CRYPTO_CsPrivateKey *priv)
+{
+  /* TEST 1
+   * Check that privkey is set
+   */
+  struct GNUNET_CRYPTO_CsPrivateKey other_priv;
+  memcpy (&other_priv.scalar, &priv->scalar, sizeof(other_priv.scalar));
+
+  GNUNET_CRYPTO_cs_private_key_generate (priv);
+
+  GNUNET_assert (0 != memcmp (&other_priv.scalar,
+                              &priv->scalar,
+                              sizeof(other_priv.scalar)));
+}
+
+
+void
+test_generate_pub (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                       struct GNUNET_CRYPTO_CsPublicKey *pub)
+{
+  /* TEST 1
+   * Check that pubkey is set
+   */
+  struct GNUNET_CRYPTO_CsPublicKey other_pub;
+  memcpy (&other_pub.point, &pub->point, sizeof(other_pub.point));
+
+  GNUNET_CRYPTO_cs_private_key_get_public (priv, pub);
+
+  GNUNET_assert (0 != memcmp (&other_pub.point,
+                              &pub->point,
+                              sizeof(other_pub.point)));
+
+  /* TEST 2
+   * Check that pubkey is a valid point
+   */
+  GNUNET_assert (1 == crypto_core_ed25519_is_valid_point (pub->point.y));
+
+  /* TEST 3
+   * Check if function gives the same result for the same output
+   */
+  memcpy (&other_pub.point, &pub->point, sizeof(other_pub.point));
+
+  for (int i = 0; i<ITER; i++) {
+    GNUNET_CRYPTO_cs_private_key_get_public (priv, pub);
+    GNUNET_assert (0 == memcmp (&other_pub.point,
+                                &pub->point,
+                                sizeof(other_pub.point)));
+  }
+}
+
+
+void
+test_derive_rsecret (const struct GNUNET_CRYPTO_CsNonce *nonce,
+                   const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                   struct GNUNET_CRYPTO_CsRSecret r[2])
+{
+  /* TEST 1
+   * Check that r are set
+   */
+  struct GNUNET_CRYPTO_CsPrivateKey other_r[2];
+  memcpy (&other_r[0], &r[0], sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2);
+
+  GNUNET_CRYPTO_cs_r_derive (nonce, priv, r);
+
+  GNUNET_assert (0 != memcmp (&other_r[0],
+                              &r[0],
+                              sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2));
+
+  /* TEST 2
+   * Check if function gives the same result for the same input.
+   * This test ensures that the derivation is deterministic.
+   */
+  memcpy (&other_r[0], &r[0], sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2);
+  for (int i = 0; i<ITER; i++) {
+    GNUNET_CRYPTO_cs_r_derive (nonce, priv, r);
+    GNUNET_assert (0 == memcmp (&other_r[0],
+                                &r[0],
+                                sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2));
+  }
+}
+
+
+void
+test_generate_rpublic (const struct GNUNET_CRYPTO_CsRSecret *r_priv,
+                     struct GNUNET_CRYPTO_CsRPublic *r_pub)
+{
+  /* TEST 1
+   * Check that r_pub is set
+   */
+  struct GNUNET_CRYPTO_CsRPublic other_r_pub;
+  memcpy (&other_r_pub.point, &r_pub->point, sizeof(other_r_pub.point));
+
+  GNUNET_CRYPTO_cs_r_get_public (r_priv, r_pub);
+
+  GNUNET_assert (0 != memcmp (&other_r_pub.point,
+                              &r_pub->point,
+                              sizeof(other_r_pub.point)));
+
+  /* TEST 2
+   * Check that r_pub is a valid point
+   */
+  GNUNET_assert (1 == crypto_core_ed25519_is_valid_point (r_pub->point.y));
+
+  /* TEST 3
+   * Check if function gives the same result for the same output
+   */
+  memcpy (&other_r_pub.point, &r_pub->point, sizeof(other_r_pub.point));
+  for (int i = 0; i<ITER; i++) {
+    GNUNET_CRYPTO_cs_r_get_public (r_priv, r_pub);
+    GNUNET_assert (0 == memcmp (&other_r_pub.point,
+                                &r_pub->point,
+                                sizeof(other_r_pub.point)));
+  }
+}
+
+
+void
+test_derive_blindingsecrets (const void *secret,
+                           size_t secret_len,
+                           struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
+{
+  /* TEST 1
+   * Check that blinding secrets are set
+   */
+  struct GNUNET_CRYPTO_CsBlindingSecret other_bs[2];
+  memcpy (&other_bs[0], &bs[0], sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+          * 2);
+
+  GNUNET_CRYPTO_cs_blinding_secrets_derive (secret, secret_len, bs);
+
+  GNUNET_assert (0 != memcmp (&other_bs[0],
+                              &bs[0],
+                              sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+                              * 2));
+
+  /* TEST 2
+   * Check if function gives the same result for the same input.
+   * This test ensures that the derivation is deterministic.
+   */
+  memcpy (&other_bs[0], &bs[0], sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+          * 2);
+  for (int i = 0; i<ITER; i++) {
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (secret, secret_len, bs);
+    GNUNET_assert (0 == memcmp (&other_bs[0],
+                                &bs[0],
+                                sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+                                * 2));
+  }
+}
+
+
+void
+test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
+                  const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
+                  const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                  const void *msg,
+                  size_t msg_len,
+                  struct GNUNET_CRYPTO_CsC blinded_cs[2],
+                  struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+{
+  /* TEST 1
+   * Check that the blinded c's and blinded r's
+   */
+  struct GNUNET_CRYPTO_CsC other_blinded_c[2];
+  memcpy (&other_blinded_c[0],
+          &blinded_cs[0],
+          sizeof(struct GNUNET_CRYPTO_CsC) * 2);
+
+  struct GNUNET_CRYPTO_CsRPublic other_blinded_r_pub[2];
+  memcpy (&other_blinded_r_pub[0],
+          &blinded_r_pub[0],
+          sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
+
+  GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                   r_pub,
+                                   pub,
+                                   msg,
+                                   msg_len,
+                                   blinded_cs,
+                                   blinded_r_pub);
+
+  GNUNET_assert (0 != memcmp (&other_blinded_c[0],
+                              &blinded_cs[0],
+                              sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+  GNUNET_assert (0 != memcmp (&other_blinded_r_pub[0],
+                              &blinded_r_pub[0],
+                              sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+
+  /* TEST 2
+   * Check if R' - aG -bX = R for b = 0
+   * This test does the opposite operations and checks wether the equation is still correct.
+   */
+  for (unsigned int b = 0; b <= 1; b++) {
+    struct GNUNET_CRYPTO_Cs25519Point aG;
+    struct GNUNET_CRYPTO_Cs25519Point bX;
+    struct GNUNET_CRYPTO_Cs25519Point r_min_aG;
+    struct GNUNET_CRYPTO_CsRPublic res;
+
+    GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (
+                     aG.y,
+                     bs[b].alpha.d));
+
+    GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (
+                     bX.y,
+                     bs[b].beta.d,
+                     pub->point.y));
+
+    GNUNET_assert (0 == crypto_core_ed25519_sub (
+                     r_min_aG.y,
+                     blinded_r_pub[b].point.y,
+                     aG.y));
+
+    GNUNET_assert (0 == crypto_core_ed25519_sub (
+                     res.point.y,
+                     r_min_aG.y,
+                     bX.y));
+
+    GNUNET_assert (0 == memcmp (&res, &r_pub[b], sizeof(struct
+                                                        GNUNET_CRYPTO_CsRPublic)));
+  }
+
+
+
+  /* TEST 3
+   * Check that the blinded r_pubs' are valid points
+   */
+  GNUNET_assert (1 == crypto_core_ed25519_is_valid_point (
+                   blinded_r_pub[0].point.y));
+  GNUNET_assert (1 == crypto_core_ed25519_is_valid_point (
+                   blinded_r_pub[1].point.y));
+
+  /* TEST 4
+   * Check if function gives the same result for the same input.
+   */
+  memcpy (&other_blinded_c[0],
+          &blinded_cs[0],
+          sizeof(struct GNUNET_CRYPTO_CsC) * 2);
+  memcpy (&other_blinded_r_pub[0],
+          &blinded_r_pub[0],
+          sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
+
+  for (int i = 0; i<ITER; i++) {
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                     r_pub,
+                                     pub,
+                                     msg,
+                                     msg_len,
+                                     blinded_cs,
+                                     blinded_r_pub);
+    GNUNET_assert (0 == memcmp (&other_blinded_c[0],
+                                &blinded_cs[0],
+                                sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+    GNUNET_assert (0 == memcmp (&other_blinded_r_pub[0],
+                                &blinded_r_pub[0],
+                                sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+  }
+}
+
+
+void
+test_blind_sign (unsigned int *b,
+               const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+               const struct GNUNET_CRYPTO_CsRSecret r[2],
+               const struct GNUNET_CRYPTO_CsC c[2],
+               const struct GNUNET_CRYPTO_CsNonce *nonce,
+               struct GNUNET_CRYPTO_CsBlindS *blinded_s)
+{
+  /* TEST 1
+   * Check that blinded_s is set
+   */
+  struct GNUNET_CRYPTO_CsC other_blinded_s;
+  memcpy (&other_blinded_s, blinded_s, sizeof(struct GNUNET_CRYPTO_CsBlindS));
+
+  *b = GNUNET_CRYPTO_cs_sign_derive (priv,
+                                     r,
+                                     c,
+                                     nonce,
+                                     blinded_s);
+
+  GNUNET_assert (0 == *b || 1 == *b);
+  GNUNET_assert (0 != memcmp (&other_blinded_s,
+                              blinded_s,
+                              sizeof(struct GNUNET_CRYPTO_CsBlindS)));
+
+  /* TEST 2
+   * Check if s := rb + cbX
+   * This test does the opposite operations and checks wether the equation is still correct.
+   */
+  struct GNUNET_CRYPTO_Cs25519Scalar cb_mul_x;
+  struct GNUNET_CRYPTO_Cs25519Scalar s_min_rb;
+
+  crypto_core_ed25519_scalar_mul (cb_mul_x.d,
+                                  c[*b].scalar.d,
+                                  priv->scalar.d);
+
+  crypto_core_ed25519_scalar_sub (s_min_rb.d,
+                                  blinded_s->scalar.d,
+                                  r[*b].scalar.d);
+
+  GNUNET_assert (0 == memcmp (&s_min_rb, &cb_mul_x, sizeof(struct
+                                                           GNUNET_CRYPTO_Cs25519Scalar)));
+
+  /* TEST 3
+   * Check if function gives the same result for the same input.
+   */
+  memcpy (&other_blinded_s, blinded_s, sizeof(struct GNUNET_CRYPTO_CsBlindS));
+  unsigned int other_b;
+  for (int i = 0; i<ITER; i++) {
+    other_b = GNUNET_CRYPTO_cs_sign_derive (priv, r, c, nonce, blinded_s);
+
+    GNUNET_assert (other_b == *b);
+    GNUNET_assert (0 == memcmp (&other_blinded_s,
+                                blinded_s,
+                                sizeof(struct GNUNET_CRYPTO_CsBlindS)));
+  }
+}
+
+
+void
+test_unblinds (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
+              const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+              struct GNUNET_CRYPTO_CsS *signature_scalar)
+{
+  /* TEST 1
+   * Check that signature_scalar is set
+   */
+  struct GNUNET_CRYPTO_CsS other_signature_scalar;
+  memcpy (&other_signature_scalar,
+          signature_scalar,
+          sizeof(struct GNUNET_CRYPTO_CsS));
+
+  GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar, bs, signature_scalar);
+
+  GNUNET_assert (0 != memcmp (&other_signature_scalar,
+                              signature_scalar,
+                              sizeof(struct GNUNET_CRYPTO_CsS)));
+
+  /* TEST 2
+   * Check if s' := s + a mod p
+   * This test does the opposite operations and checks wether the equation is still correct.
+   */
+  struct GNUNET_CRYPTO_Cs25519Scalar s_min_a;
+
+  crypto_core_ed25519_scalar_sub (s_min_a.d,
+                                  signature_scalar->scalar.d,
+                                  bs->alpha.d);
+
+  GNUNET_assert (0 == memcmp (&s_min_a, &blinded_signature_scalar->scalar,
+                              sizeof(struct
+                                     GNUNET_CRYPTO_Cs25519Scalar)));
+
+  /* TEST 3
+   * Check if function gives the same result for the same input.
+   */
+  memcpy (&other_signature_scalar, signature_scalar,
+          sizeof(struct GNUNET_CRYPTO_CsS));
+
+  for (int i = 0; i<ITER; i++) {
+    GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar, bs, signature_scalar);
+    GNUNET_assert (0 == memcmp (&other_signature_scalar,
+                                signature_scalar,
+                                sizeof(struct GNUNET_CRYPTO_CsS)));
+  }
+}
+
+
+void
+test_blind_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+                 const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                 const struct GNUNET_CRYPTO_CsC *c)
+{
+  /* TEST 1
+   * Test verifies the blinded signature sG == Rb + cbX
+   */
+  struct GNUNET_CRYPTO_Cs25519Point sig_scal_mul_base;
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (
+                   sig_scal_mul_base.y,
+                   sig->s_scalar.scalar.d));
+
+  struct GNUNET_CRYPTO_Cs25519Point c_mul_pub;
+  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (c_mul_pub.y,
+                                                         c->scalar.d,
+                                                         pub->point.y));
+
+  struct GNUNET_CRYPTO_Cs25519Point r_add_c_mul_pub;
+  GNUNET_assert (0 == crypto_core_ed25519_add (r_add_c_mul_pub.y,
+                                               sig->r_point.point.y,
+                                               c_mul_pub.y));
+
+  GNUNET_assert (0 == memcmp (sig_scal_mul_base.y,
+                              r_add_c_mul_pub.y,
+                              sizeof(struct GNUNET_CRYPTO_Cs25519Point)));
+}
+
+
+void
+test_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+            const struct GNUNET_CRYPTO_CsPublicKey *pub,
+            const void *msg,
+            size_t msg_len)
+{
+  /* TEST 1
+   * Test simple verification
+   */
+  GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_cs_verify (sig,
+                                                        pub,
+                                                        msg,
+                                                        msg_len));
+  /* TEST 2
+   * Test verification of "wrong" message
+   */
+  char other_msg[] = "test massege";
+  size_t other_msg_len = strlen ("test massege");
+  GNUNET_assert (GNUNET_SYSERR == GNUNET_CRYPTO_cs_verify (sig,
+                                                       pub,
+                                                       other_msg,
+                                                       other_msg_len));
+}
+
+
+int
+main (int argc,
+      char *argv[])
+{
+  printf ("Test started\n");
+
+  // ---------- actions performed by signer
+  char message[] = "test message";
+  size_t message_len = strlen ("test message");
+
+  struct GNUNET_CRYPTO_CsPrivateKey priv;
+  test_create_priv (&priv);
+
+  struct GNUNET_CRYPTO_CsPublicKey pub;
+  test_generate_pub (&priv, &pub);
+
+  // derive nonce
+  struct GNUNET_CRYPTO_CsNonce nonce;
+  GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_hkdf (nonce.nonce,
+                                                   sizeof(nonce.nonce),
+                                                   GCRY_MD_SHA512,
+                                                   GCRY_MD_SHA256,
+                                                   "nonce",
+                                                   strlen ("nonce"),
+                                                   "nonce_secret",
+                                                   strlen ("nonce_secret"),
+                                                   NULL,
+                                                   0));
+
+  // generate r, R
+  struct GNUNET_CRYPTO_CsRSecret r_secrets[2];
+  test_derive_rsecret (&nonce, &priv, r_secrets);
+
+  struct GNUNET_CRYPTO_CsRPublic r_publics[2];
+  test_generate_rpublic (&r_secrets[0], &r_publics[0]);
+  test_generate_rpublic (&r_secrets[1], &r_publics[1]);
+
+  // ---------- actions performed by user
+
+  // generate blinding secrets
+  struct GNUNET_CRYPTO_CsBlindingSecret blindingsecrets[2];
+  test_derive_blindingsecrets (&nonce,
+                             sizeof(nonce),
+                             blindingsecrets);
+
+  // calculate blinded c's
+  struct GNUNET_CRYPTO_CsC blinded_cs[2];
+  struct GNUNET_CRYPTO_CsRPublic blinded_r_pubs[2];
+  test_calc_blindedc (blindingsecrets,
+                    r_publics,
+                    &pub,
+                    message,
+                    message_len,
+                    blinded_cs,
+                    blinded_r_pubs);
+
+  // ---------- actions performed by signer
+  // sign blinded c's and get b and s in return
+  unsigned int b;
+  struct GNUNET_CRYPTO_CsBlindS blinded_s;
+  test_blind_sign (&b, &priv, r_secrets, blinded_cs, &nonce, &blinded_s);
+
+  // verify blinded signature
+  struct GNUNET_CRYPTO_CsSignature blinded_signature;
+  blinded_signature.r_point = r_publics[b];
+  blinded_signature.s_scalar.scalar = blinded_s.scalar;
+  test_blind_verify (&blinded_signature, &pub, &blinded_cs[b]);
+
+  // ---------- actions performed by user
+    struct GNUNET_CRYPTO_CsS sig_scalar;
+  test_unblinds (&blinded_s, &blindingsecrets[b], &sig_scalar);
+
+  // verify unblinded signature
+  struct GNUNET_CRYPTO_CsSignature signature;
+  signature.r_point = blinded_r_pubs[b];
+  signature.s_scalar = sig_scalar;
+  test_verify (&signature, &pub, message, message_len);
+
+  return 0;
+}