diff options
Diffstat (limited to 'src/include/gnunet_crypto_lib.h')
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 270 |
1 files changed, 270 insertions, 0 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index edb4bb230..9166f822b 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h | |||
@@ -392,6 +392,127 @@ struct GNUNET_CRYPTO_PaillierCiphertext | |||
392 | }; | 392 | }; |
393 | 393 | ||
394 | 394 | ||
395 | /** | ||
396 | * Curve25519 Scalar | ||
397 | */ | ||
398 | struct GNUNET_CRYPTO_Cs25519Scalar | ||
399 | { | ||
400 | /** | ||
401 | * 32 byte scalar | ||
402 | */ | ||
403 | unsigned char d[crypto_core_ed25519_SCALARBYTES]; | ||
404 | }; | ||
405 | |||
406 | |||
407 | /** | ||
408 | * Curve25519 point | ||
409 | */ | ||
410 | struct GNUNET_CRYPTO_Cs25519Point | ||
411 | { | ||
412 | /** | ||
413 | * This is a point on the Curve25519. | ||
414 | * The x coordinate can be restored using the y coordinate | ||
415 | */ | ||
416 | unsigned char y[crypto_core_ed25519_BYTES]; | ||
417 | }; | ||
418 | |||
419 | |||
420 | /** | ||
421 | * The private information of an Schnorr key pair. | ||
422 | */ | ||
423 | struct GNUNET_CRYPTO_CsPrivateKey | ||
424 | { | ||
425 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
426 | }; | ||
427 | |||
428 | |||
429 | /** | ||
430 | * The public information of an Schnorr key pair. | ||
431 | */ | ||
432 | struct GNUNET_CRYPTO_CsPublicKey | ||
433 | { | ||
434 | struct GNUNET_CRYPTO_Cs25519Point point; | ||
435 | }; | ||
436 | |||
437 | |||
438 | /** | ||
439 | * Secret used for blinding (alpha and beta). | ||
440 | */ | ||
441 | struct GNUNET_CRYPTO_CsBlindingSecret | ||
442 | { | ||
443 | struct GNUNET_CRYPTO_Cs25519Scalar alpha; | ||
444 | struct GNUNET_CRYPTO_Cs25519Scalar beta; | ||
445 | }; | ||
446 | |||
447 | |||
448 | /** | ||
449 | * the private r used in the signature | ||
450 | */ | ||
451 | struct GNUNET_CRYPTO_CsRSecret | ||
452 | { | ||
453 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
454 | }; | ||
455 | |||
456 | |||
457 | /** | ||
458 | * the public R (derived from r) used in c | ||
459 | */ | ||
460 | struct GNUNET_CRYPTO_CsRPublic | ||
461 | { | ||
462 | struct GNUNET_CRYPTO_Cs25519Point point; | ||
463 | }; | ||
464 | |||
465 | |||
466 | /** | ||
467 | * Schnorr c to be signed | ||
468 | */ | ||
469 | struct GNUNET_CRYPTO_CsC | ||
470 | { | ||
471 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
472 | }; | ||
473 | |||
474 | |||
475 | /** | ||
476 | * s in the signature | ||
477 | */ | ||
478 | struct GNUNET_CRYPTO_CsS | ||
479 | { | ||
480 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
481 | }; | ||
482 | |||
483 | |||
484 | /** | ||
485 | * blinded s in the signature | ||
486 | */ | ||
487 | struct GNUNET_CRYPTO_CsBlindS | ||
488 | { | ||
489 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
490 | }; | ||
491 | |||
492 | |||
493 | /** | ||
494 | * CS Signtature containing scalar s and point R | ||
495 | */ | ||
496 | struct GNUNET_CRYPTO_CsSignature | ||
497 | { | ||
498 | /** | ||
499 | * Schnorr signatures are composed of a scalar s and a curve point | ||
500 | */ | ||
501 | struct GNUNET_CRYPTO_CsS s_scalar; | ||
502 | struct GNUNET_CRYPTO_CsRPublic r_point; | ||
503 | }; | ||
504 | |||
505 | |||
506 | /** | ||
507 | * Nonce | ||
508 | */ | ||
509 | struct GNUNET_CRYPTO_CsNonce | ||
510 | { | ||
511 | /*a nonce*/ | ||
512 | unsigned char nonce[256 / 8]; | ||
513 | }; | ||
514 | |||
515 | |||
395 | /* **************** Functions and Macros ************* */ | 516 | /* **************** Functions and Macros ************* */ |
396 | 517 | ||
397 | /** | 518 | /** |
@@ -2436,6 +2557,155 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | |||
2436 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); | 2557 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); |
2437 | 2558 | ||
2438 | 2559 | ||
2560 | /** | ||
2561 | * Create a new random private key. | ||
2562 | * | ||
2563 | * @param[out] priv where to write the fresh private key | ||
2564 | */ | ||
2565 | void | ||
2566 | GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv); | ||
2567 | |||
2568 | |||
2569 | /** | ||
2570 | * Extract the public key of the given private key. | ||
2571 | * | ||
2572 | * @param priv the private key | ||
2573 | * @param[out] pub where to write the public key | ||
2574 | */ | ||
2575 | void | ||
2576 | GNUNET_CRYPTO_cs_private_key_get_public (const struct | ||
2577 | GNUNET_CRYPTO_CsPrivateKey *priv, | ||
2578 | struct GNUNET_CRYPTO_CsPublicKey *pub); | ||
2579 | |||
2580 | |||
2581 | /** | ||
2582 | * Derive a new secret r pair r0 and r1. | ||
2583 | * In original papers r is generated randomly | ||
2584 | * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE | ||
2585 | * To ensure unpredictability a new nonce should be used when a new r needs to be derived. | ||
2586 | * Uses HKDF internally. | ||
2587 | * Comment: Can be done in one HKDF shot and split output. | ||
2588 | * | ||
2589 | * @param nonce is a random nonce | ||
2590 | * @param lts is a long-term-secret in form of a private key | ||
2591 | * @param[out] r array containing derived secrets r0 and r1 | ||
2592 | */ | ||
2593 | void | ||
2594 | GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | ||
2595 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, | ||
2596 | struct GNUNET_CRYPTO_CsRSecret r[2]); | ||
2597 | |||
2598 | |||
2599 | /** | ||
2600 | * Extract the public R of the given secret r. | ||
2601 | * | ||
2602 | * @param r_priv the private key | ||
2603 | * @param[out] r_pub where to write the public key | ||
2604 | */ | ||
2605 | void | ||
2606 | GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, | ||
2607 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | ||
2608 | |||
2609 | |||
2610 | /** | ||
2611 | * Derives new random blinding factors. | ||
2612 | * In original papers blinding factors are generated randomly | ||
2613 | * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE | ||
2614 | * To ensure unpredictability a new nonce has to be used. | ||
2615 | * Uses HKDF internally | ||
2616 | * | ||
2617 | * @param secret is secret to derive blinding factors | ||
2618 | * @param secret_len secret length | ||
2619 | * @param[out] bs array containing the two derived blinding secrets | ||
2620 | */ | ||
2621 | void | ||
2622 | GNUNET_CRYPTO_cs_blinding_secrets_derive (const void *secret, | ||
2623 | size_t secret_len, | ||
2624 | struct GNUNET_CRYPTO_CsBlindingSecret | ||
2625 | bs[2]); | ||
2626 | |||
2627 | |||
2628 | /** | ||
2629 | * Calculate two blinded c's | ||
2630 | * Comment: One would be insecure due to Wagner's algorithm solving ROS | ||
2631 | * | ||
2632 | * @param bs array of the two blinding factor structs each containing alpha and beta | ||
2633 | * @param r_pub array of the two signer's nonce R | ||
2634 | * @param pub the public key of the signer | ||
2635 | * @param msg the message to blind in preparation for signing | ||
2636 | * @param msg_len length of message msg | ||
2637 | * @param[out] blinded_c array of the two blinded c's | ||
2638 | * @param[out] blinded_r_pub array of the two blinded R | ||
2639 | */ | ||
2640 | void | ||
2641 | GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret | ||
2642 | bs[2], | ||
2643 | const struct GNUNET_CRYPTO_CsRPublic r_pub[2], | ||
2644 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | ||
2645 | const void *msg, | ||
2646 | size_t msg_len, | ||
2647 | struct GNUNET_CRYPTO_CsC blinded_c[2], | ||
2648 | struct GNUNET_CRYPTO_CsRPublic | ||
2649 | blinded_r_pub[2]); | ||
2650 | |||
2651 | |||
2652 | /** | ||
2653 | * Sign a blinded c | ||
2654 | * This function derives b from a nonce and a longterm secret | ||
2655 | * In original papers b is generated randomly | ||
2656 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. | ||
2657 | * To ensure unpredictability a new nonce has to be used for every signature | ||
2658 | * HKDF is used internally for derivation | ||
2659 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive | ||
2660 | * | ||
2661 | * @param priv private key to use for the signing and as LTS in HKDF | ||
2662 | * @param r array of the two secret nonce from the signer | ||
2663 | * @param c array of the two blinded c to sign c_b | ||
2664 | * @param nonce is a random nonce | ||
2665 | * @param[out] blinded_signature_scalar where to write the signature | ||
2666 | * @return 0 or 1 for b (see Clause Blind Signature Scheme) | ||
2667 | */ | ||
2668 | unsigned int | ||
2669 | GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv, | ||
2670 | const struct GNUNET_CRYPTO_CsRSecret r[2], | ||
2671 | const struct GNUNET_CRYPTO_CsC c[2], | ||
2672 | const struct GNUNET_CRYPTO_CsNonce *nonce, | ||
2673 | struct GNUNET_CRYPTO_CsBlindS * | ||
2674 | blinded_signature_scalar | ||
2675 | ); | ||
2676 | |||
2677 | |||
2678 | /** | ||
2679 | * Unblind a blind-signed signature using a c that was blinded | ||
2680 | * | ||
2681 | * @param blinded_signature_scalar the signature made on the blinded c | ||
2682 | * @param bs the blinding factors used in the blinding | ||
2683 | * @param[out] signature_scalar where to write the unblinded signature | ||
2684 | */ | ||
2685 | void | ||
2686 | GNUNET_CRYPTO_cs_unblind (const struct | ||
2687 | GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, | ||
2688 | const struct GNUNET_CRYPTO_CsBlindingSecret *bs, | ||
2689 | struct GNUNET_CRYPTO_CsS *signature_scalar); | ||
2690 | |||
2691 | |||
2692 | /** | ||
2693 | * Verify whether the given message corresponds to the given signature and the | ||
2694 | * signature is valid with respect to the given public key. | ||
2695 | * | ||
2696 | * @param sig signature that is being validated | ||
2697 | * @param pub public key of the signer | ||
2698 | * @param msg is the message that should be signed by @a sig (message is used to calculate c) | ||
2699 | * @param msg_len is the message length | ||
2700 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid | ||
2701 | */ | ||
2702 | enum GNUNET_GenericReturnValue | ||
2703 | GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, | ||
2704 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | ||
2705 | const void *msg, | ||
2706 | size_t msg_len); | ||
2707 | |||
2708 | |||
2439 | #if 0 /* keep Emacsens' auto-indent happy */ | 2709 | #if 0 /* keep Emacsens' auto-indent happy */ |
2440 | { | 2710 | { |
2441 | #endif | 2711 | #endif |