diff options
-rw-r--r-- | src/util/Makefile.am | 6 | ||||
-rw-r--r-- | src/util/crypto_rsa.c | 43 | ||||
-rw-r--r-- | src/util/test_crypto_kdf.c | 70 |
3 files changed, 119 insertions, 0 deletions
diff --git a/src/util/Makefile.am b/src/util/Makefile.am index 22471ffda..fe8ab01ea 100644 --- a/src/util/Makefile.am +++ b/src/util/Makefile.am | |||
@@ -283,6 +283,7 @@ check_PROGRAMS = \ | |||
283 | test_crypto_hash \ | 283 | test_crypto_hash \ |
284 | test_crypto_hash_context \ | 284 | test_crypto_hash_context \ |
285 | test_crypto_hkdf \ | 285 | test_crypto_hkdf \ |
286 | test_crypto_kdf \ | ||
286 | test_crypto_paillier \ | 287 | test_crypto_paillier \ |
287 | test_crypto_random \ | 288 | test_crypto_random \ |
288 | test_crypto_rsa \ | 289 | test_crypto_rsa \ |
@@ -468,6 +469,11 @@ test_crypto_hkdf_SOURCES = \ | |||
468 | test_crypto_hkdf_LDADD = \ | 469 | test_crypto_hkdf_LDADD = \ |
469 | libgnunetutil.la | 470 | libgnunetutil.la |
470 | 471 | ||
472 | test_crypto_kdf_SOURCES = \ | ||
473 | test_crypto_kdf.c | ||
474 | test_crypto_kdf_LDADD = \ | ||
475 | libgnunetutil.la -lgcrypt | ||
476 | |||
471 | test_crypto_paillier_SOURCES = \ | 477 | test_crypto_paillier_SOURCES = \ |
472 | test_crypto_paillier.c | 478 | test_crypto_paillier.c |
473 | test_crypto_paillier_LDADD = \ | 479 | test_crypto_paillier_LDADD = \ |
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c index 4415f20f6..ae96a99ad 100644 --- a/src/util/crypto_rsa.c +++ b/src/util/crypto_rsa.c | |||
@@ -422,6 +422,49 @@ rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey, | |||
422 | } | 422 | } |
423 | 423 | ||
424 | 424 | ||
425 | /* | ||
426 | We originally added GNUNET_CRYPTO_kdf_mod_mpi for the benifit of the | ||
427 | previous routine. | ||
428 | |||
429 | There was previously a call to GNUNET_CRYPTO_kdf in | ||
430 | bkey = rsa_blinding_key_derive (len, bks); | ||
431 | that gives exactly len bits where | ||
432 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); | ||
433 | |||
434 | Now r = 2^(len-1)/pkey.n is the probability that a set high bit being | ||
435 | okay, meaning bkey < pkey.n. It follows that (1-r)/2 of the time bkey > | ||
436 | pkey.n making the effective bkey be | ||
437 | bkey mod pkey.n = bkey - pkey.n | ||
438 | so the effective bkey has its high bit set with probability r/2. | ||
439 | |||
440 | We expect r to be close to 1/2 if the exchange is honest, but the | ||
441 | exchange can choose r otherwise. | ||
442 | |||
443 | In blind signing, the exchange sees | ||
444 | B = bkey * S mod pkey.n | ||
445 | On deposit, the exchange sees S so they can compute bkey' = B/S mod | ||
446 | pkey.n for all B they recorded to see if bkey' has it's high bit set. | ||
447 | Also, note the exchange can compute 1/S efficiently since they know the | ||
448 | factors of pkey.n. | ||
449 | |||
450 | I suppose that happens with probability r/(1+r) if its the wrong B, not | ||
451 | completely sure. If otoh we've the right B, then we've the probability | ||
452 | r/2 of a set high bit in the effective bkey. | ||
453 | |||
454 | Interestingly, r^2-r has a maximum at the default r=1/2 anyways, giving | ||
455 | the wrong and right probabilities 1/3 and 1/4, respectively. | ||
456 | |||
457 | I feared this gives the exchange a meaningful fraction of a bit of | ||
458 | information per coin involved in the transaction. It sounds damaging if | ||
459 | numerous coins were involved. And it could run across transactions in | ||
460 | some scenarios. | ||
461 | |||
462 | We fixed this by using a more uniform deterministic pseudo-random number | ||
463 | generator for blinding factors. I do not believe this to be a problem | ||
464 | for the rsa_full_domain_hash routine, but better safe than sorry. | ||
465 | */ | ||
466 | |||
467 | |||
425 | /** | 468 | /** |
426 | * Compare the values of two signatures. | 469 | * Compare the values of two signatures. |
427 | * | 470 | * |
diff --git a/src/util/test_crypto_kdf.c b/src/util/test_crypto_kdf.c new file mode 100644 index 000000000..f75bafbb1 --- /dev/null +++ b/src/util/test_crypto_kdf.c | |||
@@ -0,0 +1,70 @@ | |||
1 | /* | ||
2 | Copyright (c) 2010 Jeffrey Burdges | ||
3 | |||
4 | Permission is hereby granted, free of charge, to any person obtaining a copy | ||
5 | of this software and associated documentation files (the "Software"), to deal | ||
6 | in the Software without restriction, including without limitation the rights | ||
7 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
8 | copies of the Software, and to permit persons to whom the Software is | ||
9 | furnished to do so, subject to the following conditions: | ||
10 | |||
11 | The above copyright notice and this permission notice shall be included in | ||
12 | all copies or substantial portions of the Software. | ||
13 | |||
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
15 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
16 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
17 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
18 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
19 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
20 | THE SOFTWARE. | ||
21 | */ | ||
22 | |||
23 | /** | ||
24 | * @file src/util/test_crypt_kdf.c | ||
25 | * @brief Testcases for KDF mod n | ||
26 | * @author Jeffrey Burdges <burdges@gnunet.org> | ||
27 | */ | ||
28 | |||
29 | #include <gcrypt.h> | ||
30 | |||
31 | #include "platform.h" | ||
32 | #include "gnunet_crypto_lib.h" | ||
33 | |||
34 | |||
35 | int | ||
36 | main () | ||
37 | { | ||
38 | #define RND_BLK_SIZE 4096 | ||
39 | unsigned char rnd_blk[RND_BLK_SIZE]; | ||
40 | int i; | ||
41 | gcry_mpi_t r,n; | ||
42 | |||
43 | GNUNET_log_setup ("test-crypto-kdf", "WARNING", NULL); | ||
44 | |||
45 | GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK, | ||
46 | rnd_blk, | ||
47 | RND_BLK_SIZE); | ||
48 | |||
49 | /* test full domain hash size */ | ||
50 | for (i=0; i<100; i++) { | ||
51 | gcry_mpi_scan (&n, | ||
52 | GCRYMPI_FMT_USG, | ||
53 | rnd_blk, RND_BLK_SIZE, | ||
54 | NULL); | ||
55 | GNUNET_CRYPTO_kdf_mod_mpi (&r, n, | ||
56 | "", 0, | ||
57 | "", 0, | ||
58 | ""); | ||
59 | GNUNET_assert( 0 > gcry_mpi_cmp(r,n) ); | ||
60 | |||
61 | /* Is it worth checking that it's not too small? */ | ||
62 | /* GNUNET_assert (gcry_mpi_get_nbits(r) > 3*RND_BLK_SIZE/4); */ | ||
63 | /* This test necessarily randomly fails with probability 2^(3 - RND_BLK_SIZE/4) */ | ||
64 | |||
65 | gcry_mpi_release(n); | ||
66 | gcry_mpi_release(r); | ||
67 | } | ||
68 | |||
69 | return 0; | ||
70 | } | ||