Werner Koch wrote:

Hi,

find attach the patch which makes all 3 test cases work with Ed25519.
There are some minor hacks in the test cases to allow enabling of
Libgcrypt debugging and also some minor output style changes.

There is one FIXME in the code:

  /* FIXME: mpi_print creates an unsigned integer - is that intended
     or should we convert it to a signed integer (2-compl)?  */
  mpi_print (xbuf, sizeof (xbuf), result_x);

X may be positive or negative but GCRYMPI_FMT_USG ignores the sign.
Thus this is not what we actually want.  Should we change it to 2-comp
(GCRYMPI_FMT_STD) so that we have a proper value?  Given that the curve
is 255 bit this should alwas fit int the 256 bit buffer.  Another option
would be to use the EdDSA method for the sign but that is optimized to
easily recover x and would be more work.  Or we store the sign in the
high bit.  t all depends on what you want to write into the protocol
specs.

I would also like to revert the way we distinguish between Ed25519 with
and without ECDSA:  The way we do it right now is by assuming the
Ed25519 is always used with EdDSA unless a flag has been set.  This is a
bit surprising and requiring the "(flags eddsa)" would be a less
surprising interface.


Salam-Shalom,

   Werner

6 files changed, 134 insertions, 335 deletions

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 980710b19..c65c9223a 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -194,16 +194,8 @@ struct GNUNET_CRYPTO_EcdsaSignature
 struct GNUNET_CRYPTO_EddsaPublicKey
 {
   /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   *
-   * FIXME: this coordinate will be removed in the future (compressed point!).
-   */
-  unsigned char q_x[256 / 8];
-
-  /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
+   * Q consists of an x- and a y-value, each mod p (256 bits), given
+   * here in affine coordinates and Ed25519 standard compact format.
    */
   unsigned char q_y[256 / 8];
 
@@ -217,16 +209,10 @@ struct GNUNET_CRYPTO_EddsaPublicKey
 struct GNUNET_CRYPTO_EcdsaPublicKey
 {
   /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   *
-   * FIXME: this coordinate will be removed in the future (compressed point!).
-   */
-  unsigned char q_x[256 / 8];
-
-  /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
+   * Q consists of an x- and a y-value, each mod p (256 bits), given
+   * here in affine coordinates.  For the Ed25519 curve we need to
+   * convey the y-value along with the sign.  The compact format used
+   * is the same as with EdDSA (little endian).
    */
   unsigned char q_y[256 / 8];
 
@@ -250,19 +236,10 @@ struct GNUNET_PeerIdentity
 struct GNUNET_CRYPTO_EcdhePublicKey
 {
   /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   */
-  unsigned char q_x[256 / 8];
-
-  /**
-   * Q consists of an x- and a y-value, each mod p (256 bits),
-   * given here in affine coordinates.
-   *
-   * FIXME: this coordinate will be removed in the future (compressed point!).
+   * Q consists of an x- and a y-value, each mod p (256 bits), given
+   * here in affine coordinates and Ed25519 standard compact format.
    */
   unsigned char q_y[256 / 8];
-
 };
 
 
diff --git a/src/include/gnunet_plugin_lib.h b/src/include/gnunet_plugin_lib.h
index daf1b4cca..0fccd3f97 100644
--- a/src/include/gnunet_plugin_lib.h
+++ b/src/include/gnunet_plugin_lib.h
@@ -57,7 +57,7 @@ typedef void *(*GNUNET_PLUGIN_Callback) (void *arg);
  * "library_name_init" for the test to succeed.
  *
  * @param library_name name of the plugin to test if it is installed
- * @return GNUNET_YES if the plugin exists, GNUNET_NO if not
+ * @return #GNUNET_YES if the plugin exists, #GNUNET_NO if not
  */
 int
 GNUNET_PLUGIN_test (const char *library_name);
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index 9728084c9..2bd89c402 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -34,10 +34,8 @@
  * structs that use 256 bits, so using a bigger curve will require
  * changes that break stuff badly.  The name of the curve given here
  * must be agreed by all peers and be supported by libgcrypt.
- *
- * NOTE: this will change to Curve25519 before GNUnet 0.10.0.
  */
-#define CURVE "NIST P-256"
+#define CURVE "Ed25519"
 
 #define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__)
 
@@ -148,11 +146,31 @@ mpi_print (unsigned char *buf,
 {
   size_t rsize;
 
-  rsize = size;
-  GNUNET_assert (0 ==
-                 gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize,
-                                 val));
-  adjust (buf, rsize, size);
+  if (gcry_mpi_get_flag (val, GCRYMPI_FLAG_OPAQUE))
+    {
+      /* Store opaque MPIs left aligned into the buffer.  */
+      unsigned int nbits;
+      const void *p;
+
+      p = gcry_mpi_get_opaque (val, &nbits);
+      GNUNET_assert (p);
+      rsize = (nbits+7)/8;
+      if (rsize > size)
+        rsize = size;
+      memcpy (buf, p, rsize);
+      if (rsize < size)
+        memset (buf+rsize, 0, size - rsize);
+    }
+  else
+    {
+      /* Store regular MPIs as unsigned integers right aligned into
+         the buffer.  */
+      rsize = size;
+      GNUNET_assert (0 ==
+                     gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize,
+                                     val));
+      adjust (buf, rsize, size);
+    }
 }
 
 
@@ -191,16 +209,12 @@ static gcry_sexp_t
 decode_private_ecdsa_key (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv)
 {
   gcry_sexp_t result;
-  gcry_mpi_t d;
   int rc;
 
-  mpi_scan (&d,
-            priv->d,
-            sizeof (priv->d));
   rc = gcry_sexp_build (&result, NULL,
-                        "(private-key(ecdsa(curve \"" CURVE "\")(d %m)))",
-                        d);
-  gcry_mpi_release (d);
+                        "(private-key(ecc(curve \"" CURVE "\")"
+                        "(flags ecdsa)(d %b)))",
+                        (int)sizeof (priv->d), priv->d);
   if (0 != rc)
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
@@ -228,16 +242,12 @@ static gcry_sexp_t
 decode_private_eddsa_key (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv)
 {
   gcry_sexp_t result;
-  gcry_mpi_t d;
   int rc;
 
-  mpi_scan (&d,
-            priv->d,
-            sizeof (priv->d));
   rc = gcry_sexp_build (&result, NULL,
-                        "(private-key(ecdsa(curve \"" CURVE "\")(d %m)))", // FIXME: eddsa soon!
-                        d);
-  gcry_mpi_release (d);
+                        "(private-key(ecc(curve \"" CURVE "\")"
+                        "(d %b)))",
+                        (int)sizeof (priv->d), priv->d);
   if (0 != rc)
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
@@ -265,16 +275,12 @@ static gcry_sexp_t
 decode_private_ecdhe_key (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv)
 {
   gcry_sexp_t result;
-  gcry_mpi_t d;
   int rc;
 
-  mpi_scan (&d,
-            priv->d,
-            sizeof (priv->d));
   rc = gcry_sexp_build (&result, NULL,
-                        "(private-key(ecdsa(curve \"" CURVE "\")(d %m)))", // FIXME: ecdh here?
-                        d);
-  gcry_mpi_release (d);
+                        "(private-key(ecc(curve \"" CURVE "\")"
+                        "(flags ecdsa)(d %b)))",
+                        (int)sizeof (priv->d), priv->d);
   if (0 != rc)
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
@@ -292,99 +298,6 @@ decode_private_ecdhe_key (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv)
 
 
 /**
- * Initialize public key struct from the respective point
- * on the curve.
- *
- * @param q point on curve
- * @param pub public key struct to initialize
- * @param ctx context to use for ECC operations
- */
-static void
-point_to_public_ecdsa_key (gcry_mpi_point_t q,
-                           gcry_ctx_t ctx,
-                           struct GNUNET_CRYPTO_EcdsaPublicKey *pub)
-{
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
-
-  q_x = gcry_mpi_new (256);
-  q_y = gcry_mpi_new (256);
-  if (gcry_mpi_ec_get_affine (q_x, q_y, q, ctx))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
-    return;
-  }
-
-  mpi_print (pub->q_x, sizeof (pub->q_x), q_x);
-  mpi_print (pub->q_y, sizeof (pub->q_y), q_y);
-  gcry_mpi_release (q_x);
-  gcry_mpi_release (q_y);
-}
-
-
-/**
- * Initialize public key struct from the respective point
- * on the curve.
- *
- * @param q point on curve
- * @param pub public key struct to initialize
- * @param ctx context to use for ECC operations
- */
-static void
-point_to_public_eddsa_key (gcry_mpi_point_t q,
-                           gcry_ctx_t ctx,
-                           struct GNUNET_CRYPTO_EddsaPublicKey *pub)
-{
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
-
-  q_x = gcry_mpi_new (256);
-  q_y = gcry_mpi_new (256);
-  if (gcry_mpi_ec_get_affine (q_x, q_y, q, ctx))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
-    return;
-  }
-
-  mpi_print (pub->q_x, sizeof (pub->q_x), q_x);
-  mpi_print (pub->q_y, sizeof (pub->q_y), q_y);
-  gcry_mpi_release (q_x);
-  gcry_mpi_release (q_y);
-}
-
-
-/**
- * Initialize public key struct from the respective point
- * on the curve.
- *
- * @param q point on curve
- * @param pub public key struct to initialize
- * @param ctx context to use for ECC operations
- */
-static void
-point_to_public_ecdhe_key (gcry_mpi_point_t q,
-                           gcry_ctx_t ctx,
-                           struct GNUNET_CRYPTO_EcdhePublicKey *pub)
-{
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
-
-  q_x = gcry_mpi_new (256);
-  q_y = gcry_mpi_new (256);
-  if (gcry_mpi_ec_get_affine (q_x, q_y, q, ctx))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
-    return;
-  }
-
-  mpi_print (pub->q_x, sizeof (pub->q_x), q_x);
-  mpi_print (pub->q_y, sizeof (pub->q_y), q_y);
-  gcry_mpi_release (q_x);
-  gcry_mpi_release (q_y);
-}
-
-
-/**
  * Extract the public key for the given private key.
  *
  * @param priv the private key
@@ -396,16 +309,17 @@ GNUNET_CRYPTO_ecdsa_key_get_public (const struct GNUNET_CRYPTO_EcdsaPrivateKey *
 {
   gcry_sexp_t sexp;
   gcry_ctx_t ctx;
-  gcry_mpi_point_t q;
+  gcry_mpi_t q;
 
   sexp = decode_private_ecdsa_key (priv);
   GNUNET_assert (NULL != sexp);
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
   gcry_sexp_release (sexp);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
-  point_to_public_ecdsa_key (q, ctx, pub);
+  q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+  GNUNET_assert (q);
+  mpi_print (pub->q_y, sizeof (pub->q_y), q);
+  gcry_mpi_release (q);
   gcry_ctx_release (ctx);
-  gcry_mpi_point_release (q);
 }
 
 
@@ -421,16 +335,17 @@ GNUNET_CRYPTO_eddsa_key_get_public (const struct GNUNET_CRYPTO_EddsaPrivateKey *
 {
   gcry_sexp_t sexp;
   gcry_ctx_t ctx;
-  gcry_mpi_point_t q;
+  gcry_mpi_t q;
 
   sexp = decode_private_eddsa_key (priv);
   GNUNET_assert (NULL != sexp);
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
   gcry_sexp_release (sexp);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
-  point_to_public_eddsa_key (q, ctx, pub);
+  q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+  GNUNET_assert (q);
+  mpi_print (pub->q_y, sizeof (pub->q_y), q);
+  gcry_mpi_release (q);
   gcry_ctx_release (ctx);
-  gcry_mpi_point_release (q);
 }
 
 
@@ -446,16 +361,17 @@ GNUNET_CRYPTO_ecdhe_key_get_public (const struct GNUNET_CRYPTO_EcdhePrivateKey *
 {
   gcry_sexp_t sexp;
   gcry_ctx_t ctx;
-  gcry_mpi_point_t q;
+  gcry_mpi_t q;
 
   sexp = decode_private_ecdhe_key (priv);
   GNUNET_assert (NULL != sexp);
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
   gcry_sexp_release (sexp);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
-  point_to_public_ecdhe_key (q, ctx, pub);
+  q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+  GNUNET_assert (q);
+  mpi_print (pub->q_y, sizeof (pub->q_y), q);
+  gcry_mpi_release (q);
   gcry_ctx_release (ctx);
-  gcry_mpi_point_release (q);
 }
 
 
@@ -580,76 +496,6 @@ GNUNET_CRYPTO_eddsa_public_key_from_string (const char *enc,
 
 
 /**
- * Convert the given public key from the network format to the
- * S-expression that can be used by libgcrypt.
- *
- * @param pub public key to decode
- * @return NULL on error
- */
-static gcry_sexp_t
-decode_public_ecdsa_key (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub)
-{
-  gcry_sexp_t pub_sexp;
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
-  gcry_mpi_point_t q;
-  gcry_ctx_t ctx;
-
-  mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x));
-  mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y));
-  q = gcry_mpi_point_new (256);
-  gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE);
-  gcry_mpi_release (q_x);
-  gcry_mpi_release (q_y);
-
-  /* initialize 'ctx' with 'q' */
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); // FIXME: need to say ECDSA?
-  gcry_mpi_ec_set_point ("q", q, ctx);
-  gcry_mpi_point_release (q);
-
-  /* convert 'ctx' to 'sexp' */
-  GNUNET_assert (0 == gcry_pubkey_get_sexp (&pub_sexp, GCRY_PK_GET_PUBKEY, ctx));
-  gcry_ctx_release (ctx);
-  return pub_sexp;
-}
-
-
-/**
- * Convert the given public key from the network format to the
- * S-expression that can be used by libgcrypt.
- *
- * @param pub public key to decode
- * @return NULL on error
- */
-static gcry_sexp_t
-decode_public_eddsa_key (const struct GNUNET_CRYPTO_EddsaPublicKey *pub)
-{
-  gcry_sexp_t pub_sexp;
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
-  gcry_mpi_point_t q;
-  gcry_ctx_t ctx;
-
-  mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x));
-  mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y));
-  q = gcry_mpi_point_new (256);
-  gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE);
-  gcry_mpi_release (q_x);
-  gcry_mpi_release (q_y);
-
-  /* initialize 'ctx' with 'q' */
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); // FIXME: need to say EdDSA?
-  gcry_mpi_ec_set_point ("q", q, ctx);
-  gcry_mpi_point_release (q);
-
-  /* convert 'ctx' to 'sexp' */
-  GNUNET_assert (0 == gcry_pubkey_get_sexp (&pub_sexp, GCRY_PK_GET_PUBKEY, ctx));
-  gcry_ctx_release (ctx);
-  return pub_sexp;
-}
-
-
-/**
  * @ingroup crypto
  * Clear memory that was used to store a private key.
  *
@@ -703,7 +549,8 @@ GNUNET_CRYPTO_ecdhe_key_create ()
   int rc;
 
   if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL,
-                                  "(genkey(ecdsa(curve \"" CURVE "\")))"))) // FIXME: ECDHE?
+                                  "(genkey(ecc(curve \"" CURVE "\")"
+                                  "(flags noparam ecdsa)))")))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
     return NULL;
@@ -752,7 +599,8 @@ GNUNET_CRYPTO_ecdsa_key_create ()
   int rc;
 
   if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL,
-                                  "(genkey(ecdsa(curve \"" CURVE "\")))")))
+                                  "(genkey(ecc(curve \"" CURVE "\")"
+                                  "(flags noparam ecdsa)))")))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
     return NULL;
@@ -800,7 +648,8 @@ GNUNET_CRYPTO_eddsa_key_create ()
   int rc;
 
   if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL,
-                                  "(genkey(ecdsa(curve \"" CURVE "\")))"))) // FIXME: EdDSA?
+                                  "(genkey(ecc(curve \"" CURVE "\")"
+                                  "(flags noparam)))")))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
     return NULL;
@@ -1276,10 +1125,9 @@ data_to_eddsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
 
   GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
   if (0 != (rc = gcry_sexp_build (&data, NULL,
-                                  "(data(flags rfc6979)(hash %s %b))", // FIXME: use EdDSA encoding!
+                                  "(data(flags eddsa)(hash-algo %s)(value %b))",
                                   "sha512",
-                                  sizeof (hc),
-                                  &hc)))
+                                  (int)sizeof (hc), &hc)))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
     return NULL;
@@ -1304,10 +1152,9 @@ data_to_ecdsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
 
   GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
   if (0 != (rc = gcry_sexp_build (&data, NULL,
-                                  "(data(flags rfc6979)(hash %s %b))",
+                                  "(data(flags ecdsa rfc6979)(hash %s %b))",
                                   "sha512",
-                                  sizeof (hc),
-                                  &hc)))
+                                  (int)sizeof (hc), &hc)))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
     return NULL;
@@ -1435,28 +1282,23 @@ GNUNET_CRYPTO_ecdsa_verify (uint32_t purpose,
   gcry_sexp_t sig_sexpr;
   gcry_sexp_t pub_sexpr;
   int rc;
-  gcry_mpi_t r;
-  gcry_mpi_t s;
 
   if (purpose != ntohl (validate->purpose))
     return GNUNET_SYSERR;       /* purpose mismatch */
 
   /* build s-expression for signature */
-  mpi_scan (&r, sig->r, sizeof (sig->r));
-  mpi_scan (&s, sig->s, sizeof (sig->s));
   if (0 != (rc = gcry_sexp_build (&sig_sexpr, NULL,
-                                  "(sig-val(ecdsa(r %m)(s %m)))",
-                                  r, s)))
+                                  "(sig-val(ecdsa(r %b)(s %b)))",
+                                  (int)sizeof (sig->r), sig->r,
+                                  (int)sizeof (sig->s), sig->s)))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
-    gcry_mpi_release (r);
-    gcry_mpi_release (s);
     return GNUNET_SYSERR;
   }
-  gcry_mpi_release (r);
-  gcry_mpi_release (s);
   data = data_to_ecdsa_value (validate);
-  if (! (pub_sexpr = decode_public_ecdsa_key (pub)))
+  if (0 != (rc = gcry_sexp_build (&pub_sexpr, NULL,
+                            "(public-key(ecc(curve " CURVE ")(q %b)))",
+                                  (int)sizeof (pub->q_y), pub->q_y)))
   {
     gcry_sexp_release (data);
     gcry_sexp_release (sig_sexpr);
@@ -1497,28 +1339,23 @@ GNUNET_CRYPTO_eddsa_verify (uint32_t purpose,
   gcry_sexp_t sig_sexpr;
   gcry_sexp_t pub_sexpr;
   int rc;
-  gcry_mpi_t r;
-  gcry_mpi_t s;
 
   if (purpose != ntohl (validate->purpose))
     return GNUNET_SYSERR;       /* purpose mismatch */
 
   /* build s-expression for signature */
-  mpi_scan (&r, sig->r, sizeof (sig->r));
-  mpi_scan (&s, sig->s, sizeof (sig->s));
   if (0 != (rc = gcry_sexp_build (&sig_sexpr, NULL,
-                                  "(sig-val(ecdsa(r %m)(s %m)))", // FIXME: eddsa soon...
-                                  r, s)))
+                                  "(sig-val(eddsa(r %b)(s %b)))",
+                                  (int)sizeof (sig->r), sig->r,
+                                  (int)sizeof (sig->s), sig->s)))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
-    gcry_mpi_release (r);
-    gcry_mpi_release (s);
     return GNUNET_SYSERR;
   }
-  gcry_mpi_release (r);
-  gcry_mpi_release (s);
   data = data_to_eddsa_value (validate);
-  if (! (pub_sexpr = decode_public_eddsa_key (pub)))
+  if (0 != (rc = gcry_sexp_build (&pub_sexpr, NULL,
+                                  "(public-key(ecc(curve " CURVE ")(q %b)))",
+                                  (int)sizeof (pub->q_y), pub->q_y)))
   {
     gcry_sexp_release (data);
     gcry_sexp_release (sig_sexpr);
@@ -1540,41 +1377,6 @@ GNUNET_CRYPTO_eddsa_verify (uint32_t purpose,
 
 
 /**
- * Convert the given public key from the network format to the
- * S-expression that can be used by libgcrypt.
- *
- * @param pub public key to decode
- * @return NULL on error
- */
-static gcry_sexp_t
-decode_public_ecdhe_key (const struct GNUNET_CRYPTO_EcdhePublicKey *pub)
-{
-  gcry_sexp_t pub_sexp;
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
-  gcry_mpi_point_t q;
-  gcry_ctx_t ctx;
-
-  mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x));
-  mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y));
-  q = gcry_mpi_point_new (256);
-  gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE);
-  gcry_mpi_release (q_x);
-  gcry_mpi_release (q_y);
-
-  /* initialize 'ctx' with 'q' */
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
-  gcry_mpi_ec_set_point ("q", q, ctx);
-  gcry_mpi_point_release (q);
-
-  /* convert 'ctx' to 'sexp' */
-  GNUNET_assert (0 == gcry_pubkey_get_sexp (&pub_sexp, GCRY_PK_GET_PUBKEY, ctx));
-  gcry_ctx_release (ctx);
-  return pub_sexp;
-}
-
-
-/**
  * Derive key material from a public and a private ECDHE key.
  *
  * @param priv private key to use for the ECDH (x)
@@ -1593,11 +1395,12 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
   gcry_ctx_t ctx;
   gcry_sexp_t pub_sexpr;
   gcry_mpi_t result_x;
-  gcry_mpi_t result_y;
   unsigned char xbuf[256 / 8];
 
   /* first, extract the q = dP value from the public key */
-  if (! (pub_sexpr = decode_public_ecdhe_key (pub)))
+  if (0 != gcry_sexp_build (&pub_sexpr, NULL,
+                            "(public-key(ecc(curve " CURVE ")(q %b)))",
+                            (int)sizeof (pub->q_y), pub->q_y))
     return GNUNET_SYSERR;
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
   gcry_sexp_release (pub_sexpr);
@@ -1614,8 +1417,7 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
 
   /* finally, convert point to string for hashing */
   result_x = gcry_mpi_new (256);
-  result_y = gcry_mpi_new (256);
-  if (gcry_mpi_ec_get_affine (result_x, result_y, result, ctx))
+  if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
   {
     LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
     gcry_mpi_point_release (result);
@@ -1625,10 +1427,11 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
   gcry_mpi_point_release (result);
   gcry_ctx_release (ctx);
 
+  /* FIXME: mpi_print creates an unsigned integer - is that intended
+     or should we convert it to a signed integer (2-compl)?  */
   mpi_print (xbuf, sizeof (xbuf), result_x);
   GNUNET_CRYPTO_hash (xbuf, sizeof (xbuf), key_material);
   gcry_mpi_release (result_x);
-  gcry_mpi_release (result_y);
   return GNUNET_OK;
 }
 
@@ -1688,8 +1491,10 @@ GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateK
   gcry_ctx_t ctx;
 
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
+
   n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
   GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
+
   h = derive_h (&pub, label, context);
   mpi_scan (&x, priv->d, sizeof (priv->d));
   d = gcry_mpi_new (256);
@@ -1722,24 +1527,24 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey
                                        struct GNUNET_CRYPTO_EcdsaPublicKey *result)
 {
   gcry_ctx_t ctx;
+  gcry_mpi_t q_y;
   gcry_mpi_t h;
   gcry_mpi_t n;
   gcry_mpi_t h_mod_n;
-  gcry_mpi_t q_x;
-  gcry_mpi_t q_y;
   gcry_mpi_point_t q;
   gcry_mpi_point_t v;
 
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
 
-  /* obtain point 'q' from original public key */
-  mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x));
-  mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y));
-
-  q = gcry_mpi_point_new (0);
-  gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE);
-  gcry_mpi_release (q_x);
+  /* obtain point 'q' from original public key.  The provided 'q' is
+     compressed thus we first store it in the context and then get it
+     back as a (decompresssed) point.  */
+  q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8*sizeof (pub->q_y));
+  GNUNET_assert (q_y);
+  GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
   gcry_mpi_release (q_y);
+  q = gcry_mpi_ec_get_point ("q", ctx, 0);
+  GNUNET_assert (q);
 
   /* calulcate h_mod_n = h % n */
   h = derive_h (pub, label, context);
@@ -1753,9 +1558,14 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey
   gcry_mpi_release (h);
   gcry_mpi_release (n);
   gcry_mpi_point_release (q);
+
   /* convert point 'v' to public key that we return */
-  point_to_public_ecdsa_key (v, ctx, result);
+  GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
   gcry_mpi_point_release (v);
+  q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+  GNUNET_assert (q_y);
+  mpi_print (result->q_y, sizeof result->q_y, q_y);
+  gcry_mpi_release (q_y);
   gcry_ctx_release (ctx);
 }
 
diff --git a/src/util/test_crypto_ecdhe.c b/src/util/test_crypto_ecdhe.c
index a6f96d9f1..dd017897e 100644
--- a/src/util/test_crypto_ecdhe.c
+++ b/src/util/test_crypto_ecdhe.c
@@ -38,14 +38,16 @@ main (int argc, char *argv[])
   struct GNUNET_HashCode ecdh1;
   struct GNUNET_HashCode ecdh2;
 
-  if (! gcry_check_version ("1.5.0"))
+  if (! gcry_check_version ("1.6.0"))
   {
     FPRINTF (stderr,
              _
              ("libgcrypt has not the expected version (version %s is required).\n"),
-             "1.5.0");
+             "1.6.0");
     return 0;
   }
+  if (getenv ("GNUNET_GCRYPT_DEBUG"))
+    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
   GNUNET_log_setup ("test-crypto-ecdhe", "WARNING", NULL);
 
   priv1 = GNUNET_CRYPTO_ecdhe_key_create ();
diff --git a/src/util/test_crypto_ecdsa.c b/src/util/test_crypto_ecdsa.c
index 27c0fb137..bf5fcf571 100644
--- a/src/util/test_crypto_ecdsa.c
+++ b/src/util/test_crypto_ecdsa.c
@@ -30,7 +30,7 @@
 
 #define ITER 25
 
-#define PERF GNUNET_YES
+#define PERF GNUNET_NO
 
 
 static struct GNUNET_CRYPTO_EcdsaPrivateKey *key;
@@ -54,7 +54,7 @@ testSignVerify ()
 
   for (i = 0; i < ITER; i++)
   {
-    FPRINTF (stderr, "%s",  ".");
+    FPRINTF (stderr, "%s",  "."); fflush (stderr);
     if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_sign (key, &purp, &sig))
     {
       FPRINTF (stderr,
@@ -156,7 +156,7 @@ testSignPerformance ()
   start = GNUNET_TIME_absolute_get ();
   for (i = 0; i < ITER; i++)
   {
-    FPRINTF (stderr, "%s",  ".");
+    FPRINTF (stderr, "%s",  "."); fflush (stderr);
     if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_sign (key, &purp, &sig))
     {
       FPRINTF (stderr, "%s",
@@ -180,15 +180,18 @@ perf_keygen ()
   struct GNUNET_CRYPTO_EcdsaPrivateKey *pk;
   int i;
 
+  FPRINTF (stderr, "%s",  "W");
   start = GNUNET_TIME_absolute_get ();
   for (i=0;i<10;i++)
   {
-    fprintf (stderr, ".");
+    fprintf (stderr, "."); fflush (stderr);
     pk = GNUNET_CRYPTO_ecdsa_key_create ();
     GNUNET_free (pk);
   }
-  fprintf (stderr, "\n");
-  printf ("Creating 10 ECDSA keys took %s\n",
+  for (;i<25;i++)
+    fprintf (stderr, ".");
+  fflush (stderr);
+  printf ("10 ECDSA keys created in %s\n",
           GNUNET_STRINGS_relative_time_to_string (GNUNET_TIME_absolute_get_duration (start), GNUNET_YES));
 }
 
@@ -198,14 +201,16 @@ main (int argc, char *argv[])
 {
   int failure_count = 0;
 
-  if (! gcry_check_version ("1.5.0"))
+  if (! gcry_check_version ("1.6.0"))
   {
     FPRINTF (stderr,
              _
              ("libgcrypt has not the expected version (version %s is required).\n"),
-             "1.5.0");
+             "1.6.0");
     return 0;
   }
+  if (getenv ("GNUNET_GCRYPT_DEBUG"))
+    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
   GNUNET_log_setup ("test-crypto-ecc", "WARNING", NULL);
   key = GNUNET_CRYPTO_ecdsa_key_create ();
   if (GNUNET_OK != testDeriveSignVerify ())
diff --git a/src/util/test_crypto_eddsa.c b/src/util/test_crypto_eddsa.c
index 209eea5c6..eda285af8 100644
--- a/src/util/test_crypto_eddsa.c
+++ b/src/util/test_crypto_eddsa.c
@@ -56,7 +56,7 @@ testSignVerify ()
 
   for (i = 0; i < ITER; i++)
   {
-    FPRINTF (stderr, "%s",  ".");
+    FPRINTF (stderr, "%s",  "."); fflush (stderr);
     if (GNUNET_SYSERR == GNUNET_CRYPTO_eddsa_sign (key, &purp, &sig))
     {
       FPRINTF (stderr, "%s",  "GNUNET_CRYPTO_eddsa_sign returned SYSERR\n");
@@ -80,7 +80,7 @@ testSignVerify ()
       continue;
     }
   }
-  printf ("%d ECC sign/verify operations %s\n", ITER,
+  printf ("%d EdDSA sign/verify operations %s\n", ITER,
           GNUNET_STRINGS_relative_time_to_string (GNUNET_TIME_absolute_get_duration (start), GNUNET_YES));
   return ok;
 }
@@ -104,7 +104,7 @@ testSignPerformance ()
   start = GNUNET_TIME_absolute_get ();
   for (i = 0; i < ITER; i++)
   {
-    FPRINTF (stderr, "%s",  ".");
+    FPRINTF (stderr, "%s",  "."); fflush (stderr);
     if (GNUNET_SYSERR == GNUNET_CRYPTO_eddsa_sign (key, &purp, &sig))
     {
       FPRINTF (stderr, "%s",  "GNUNET_CRYPTO_eddsa_sign returned SYSERR\n");
@@ -152,15 +152,18 @@ perf_keygen ()
   struct GNUNET_CRYPTO_EddsaPrivateKey *pk;
   int i;
 
+  FPRINTF (stderr, "%s",  "W");
   start = GNUNET_TIME_absolute_get ();
   for (i=0;i<10;i++)
   {
-    fprintf (stderr, ".");
+    fprintf (stderr, "."); fflush (stderr);
     pk = GNUNET_CRYPTO_eddsa_key_create ();
     GNUNET_free (pk);
   }
-  fprintf (stderr, "\n");
-  printf ("Creating 10 EdDSA keys took %s\n",
+  for (;i<25;i++)
+    fprintf (stderr, ".");
+  fflush (stderr);
+  printf ("10 EdDSA keys created in %s\n",
           GNUNET_STRINGS_relative_time_to_string (GNUNET_TIME_absolute_get_duration (start), GNUNET_YES));
 }
 
@@ -170,13 +173,15 @@ main (int argc, char *argv[])
 {
   int failure_count = 0;
 
-  if (! gcry_check_version ("1.5.0"))
+  if (! gcry_check_version ("1.6.0"))
   {
     FPRINTF (stderr,
              _("libgcrypt has not the expected version (version %s is required).\n"),
-             "1.5.0");
+             "1.6.0");
     return 0;
   }
+  if (getenv ("GNUNET_GCRYPT_DEBUG"))
+    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u , 0);
   GNUNET_log_setup ("test-crypto-eddsa", "WARNING", NULL);
   key = GNUNET_CRYPTO_eddsa_key_create ();
 #if PERF