1 files changed, 2158 insertions, 101 deletions

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index ae73c9d40..50937324d 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -1,6 +1,6 @@
 /*
      This file is part of GNUnet.
-     Copyright (C) 2001-2013 GNUnet e.V.
+     Copyright (C) 2001-2023 GNUnet e.V.
 
      GNUnet is free software: you can redistribute it and/or modify it
      under the terms of the GNU Affero General Public License as published
@@ -19,6 +19,10 @@
  */
 
 /**
+ * @addtogroup libgnunetutil
+ * Multi-function utilities library for GNUnet programs
+ * @{
+ *
  * @file include/gnunet_crypto_lib.h
  * @brief cryptographic primitives for GNUnet
  *
@@ -40,6 +44,10 @@
  * @see [Documentation](https://gnunet.org/crypto-api)
  */
 
+#if ! defined (__GNUNET_UTIL_LIB_H_INSIDE__)
+#error "Only <gnunet_util_lib.h> can be included directly."
+#endif
+
 #ifndef GNUNET_CRYPTO_LIB_H
 #define GNUNET_CRYPTO_LIB_H
 
@@ -50,6 +58,8 @@ extern "C" {
 #endif
 #endif
 
+
+#include <stdbool.h>
 #include <sodium.h>
 
 /**
@@ -57,7 +67,6 @@ extern "C" {
  */
 struct GNUNET_PeerIdentity;
 
-#include "gnunet_common.h"
 #include <gcrypt.h>
 
 
@@ -286,6 +295,170 @@ struct GNUNET_CRYPTO_EddsaPrivateScalar
   unsigned char s[512 / 8];
 };
 
+/**
+ * Private ECC key material encoded for transmission.  To be used only for
+ * Edx25519 signatures.  An initial key corresponds to data from the key
+ * expansion and clamping in the EdDSA key generation.
+ */
+struct GNUNET_CRYPTO_Edx25519PrivateKey
+{
+  /**
+   * a is a value mod n, where n has at most 256 bits.  It is the first half of
+   * the seed-expansion of EdDSA and will be clamped.
+   */
+  unsigned char a[256 / 8];
+
+  /**
+   * b consists of 32 bytes which where originally the lower 32bytes of the key
+   * expansion.  Subsequent calls to derive_private will change this value, too.
+   */
+  unsigned char b[256 / 8];
+};
+
+
+/**
+ * Public ECC key (always for curve Ed25519) encoded in a format suitable for
+ * network transmission and Edx25519 (same as EdDSA) signatures.  Refer to
+ * section 5.1.3 of rfc8032, for a thorough explanation of how this value maps
+ * to the x- and y-coordinates.
+ */
+struct GNUNET_CRYPTO_Edx25519PublicKey
+{
+  /**
+   * Point Q consists of a y-value mod p (256 bits); the x-value is
+   * always positive. The point is stored in Ed25519 standard
+   * compact format.
+   */
+  unsigned char q_y[256 / 8];
+};
+
+/**
+ * @brief an ECC signature using Edx25519 (same as in EdDSA).
+ */
+struct GNUNET_CRYPTO_Edx25519Signature
+{
+  /**
+   * R value.
+   */
+  unsigned char r[256 / 8];
+
+  /**
+   * S value.
+   */
+  unsigned char s[256 / 8];
+};
+
+/**
+ * Elligator representative (always for Curve25519)
+ */
+struct GNUNET_CRYPTO_ElligatorRepresentative
+{
+  /**
+   * Represents an element of Curve25519 finite field.
+   * Always smaller than 2 ^ 254 - 10 -> Needs to be serialized into a random-looking byte stream before transmission.
+   */
+  unsigned char r[256 / 8];
+};
+
+/**
+ * Key type for the generic public key union
+ */
+enum GNUNET_CRYPTO_KeyType
+{
+  /**
+   * The identity type. The value is the same as the
+   * PKEY record type.
+   */
+  GNUNET_PUBLIC_KEY_TYPE_ECDSA = 65536,
+
+  /**
+   * EDDSA identity. The value is the same as the EDKEY
+   * record type.
+   */
+  GNUNET_PUBLIC_KEY_TYPE_EDDSA = 65556
+};
+
+/**
+ * A private key for an identity as per LSD0001.
+ * Note that these types are NOT packed and MUST NOT be used in RPC
+ * messages. Use the respective serialization functions.
+ */
+struct GNUNET_CRYPTO_PrivateKey
+{
+  /**
+   * Type of public key.
+   * Defined by the GNS zone type value.
+   * In NBO.
+   */
+  uint32_t type;
+
+  union
+  {
+    /**
+     * An ECDSA identity key.
+     */
+    struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key;
+
+    /**
+     * AN EdDSA identtiy key
+     */
+    struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key;
+  };
+};
+
+
+/**
+ * An identity key as per LSD0001.
+ */
+struct GNUNET_CRYPTO_PublicKey
+{
+  /**
+   * Type of public key.
+   * Defined by the GNS zone type value.
+   * In NBO.
+   */
+  uint32_t type;
+
+  union
+  {
+    /**
+     * An ECDSA identity key.
+     */
+    struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_key;
+
+    /**
+     * AN EdDSA identtiy key
+     */
+    struct GNUNET_CRYPTO_EddsaPublicKey eddsa_key;
+  };
+};
+
+
+/**
+ * An identity signature as per LSD0001.
+ */
+struct GNUNET_CRYPTO_Signature
+{
+  /**
+   * Type of signature.
+   * Defined by the GNS zone type value.
+   * In NBO.
+   */
+  uint32_t type;
+
+  union
+  {
+    /**
+     * An ECDSA signature
+     */
+    struct GNUNET_CRYPTO_EcdsaSignature ecdsa_signature;
+
+    /**
+     * AN EdDSA signature
+     */
+    struct GNUNET_CRYPTO_EddsaSignature eddsa_signature;
+  };
+};
 
 /**
  * @brief type for session keys
@@ -306,7 +479,7 @@ struct GNUNET_CRYPTO_SymmetricSessionKey
 /**
  * Type of a nonce used for challenges.
  */
-struct ChallengeNonceP
+struct GNUNET_CRYPTO_ChallengeNonceP
 {
   /**
    * The value of the nonce.  Note that this is NOT a hash.
@@ -392,6 +565,143 @@ struct GNUNET_CRYPTO_PaillierCiphertext
 };
 
 
+/**
+ * Curve25519 Scalar
+ */
+struct GNUNET_CRYPTO_Cs25519Scalar
+{
+  /**
+   * 32 byte scalar
+   */
+  unsigned char d[crypto_core_ed25519_SCALARBYTES];
+};
+
+
+/**
+ * Curve25519 point
+ */
+struct GNUNET_CRYPTO_Cs25519Point
+{
+  /**
+   * This is a point on the Curve25519.
+   * The x coordinate can be restored using the y coordinate
+   */
+  unsigned char y[crypto_core_ed25519_BYTES];
+};
+
+
+/**
+ * The private information of an Schnorr key pair.
+ */
+struct GNUNET_CRYPTO_CsPrivateKey
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * The public information of an Schnorr key pair.
+ */
+struct GNUNET_CRYPTO_CsPublicKey
+{
+  struct GNUNET_CRYPTO_Cs25519Point point;
+};
+
+
+/**
+ * Secret used for blinding (alpha and beta).
+ */
+struct GNUNET_CRYPTO_CsBlindingSecret
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar alpha;
+  struct GNUNET_CRYPTO_Cs25519Scalar beta;
+};
+
+
+/**
+ * the private r used in the signature
+ */
+struct GNUNET_CRYPTO_CsRSecret
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * the public R (derived from r) used in c
+ */
+struct GNUNET_CRYPTO_CsRPublic
+{
+  struct GNUNET_CRYPTO_Cs25519Point point;
+};
+
+
+/**
+ * Schnorr c to be signed
+ */
+struct GNUNET_CRYPTO_CsC
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * s in the signature
+ */
+struct GNUNET_CRYPTO_CsS
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * blinded s in the signature
+ */
+struct GNUNET_CRYPTO_CsBlindS
+{
+  struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+};
+
+
+/**
+ * CS Signtature containing scalar s and point R
+ */
+struct GNUNET_CRYPTO_CsSignature
+{
+  /**
+   * Schnorr signatures are composed of a scalar s and a curve point
+   */
+  struct GNUNET_CRYPTO_CsS s_scalar;
+
+  /**
+   * Curve point of the Schnorr signature.
+   */
+  struct GNUNET_CRYPTO_CsRPublic r_point;
+};
+
+
+/**
+ * Nonce for the session, picked by client,
+ * shared with the signer.
+ */
+struct GNUNET_CRYPTO_CsSessionNonce
+{
+  /*a nonce*/
+  unsigned char snonce[256 / 8];
+};
+
+
+/**
+ * Nonce for computing blinding factors. Not
+ * shared with the signer.
+ */
+struct GNUNET_CRYPTO_CsBlindingNonce
+{
+  /*a nonce*/
+  unsigned char bnonce[256 / 8];
+};
+
+
 /* **************** Functions and Macros ************* */
 
 /**
@@ -480,7 +790,7 @@ GNUNET_CRYPTO_zero_keys (void *buffer, size_t length);
  * Fill block with a random values.
  *
  * @param mode desired quality of the random number
- * @param buffer the buffer to fill
+ * @param[out] buffer the buffer to fill
  * @param length buffer length
  */
 void
@@ -497,7 +807,7 @@ GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode,
  * here is not a completely random number.
  *
  * @param mode desired quality of the random number
- * @param uuid the value to fill
+ * @param[out] uuid the value to fill
  */
 void
 GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode,
@@ -518,7 +828,7 @@ GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i);
 
 /**
  * @ingroup crypto
- * Random on unsigned 64-bit values.
+ * Generate a random unsigned 64-bit value.
  *
  * @param mode desired quality of the random number
  * @param max value returned will be in range [0,@a max) (exclusive)
@@ -781,7 +1091,7 @@ GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc);
 
 /**
  * Calculate HMAC of a message (RFC 2104)
- * TODO: Shouldn' this be the standard hmac function and
+ * TODO: Shouldn't this be the standard hmac function and
  * the above be renamed?
  *
  * @param key secret key
@@ -821,7 +1131,8 @@ GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
  * @param cls closure
  * @param res resulting hash, NULL on error
  */
-typedef void (*GNUNET_CRYPTO_HashCompletedCallback) (
+typedef void
+(*GNUNET_CRYPTO_HashCompletedCallback) (
   void *cls,
   const struct GNUNET_HashCode *res);
 
@@ -915,61 +1226,38 @@ GNUNET_CRYPTO_hash_xor (const struct GNUNET_HashCode *a,
 
 
 /**
- * @ingroup hash
- * Convert a hashcode into a key.
+ * Count the number of leading 0 bits in @a h.
  *
- * @param hc hash code that serves to generate the key
- * @param skey set to a valid session key
- * @param iv set to a valid initialization vector
+ * @param h a hash
+ * @return number of leading 0 bits in @a h
  */
-void
-GNUNET_CRYPTO_hash_to_aes_key (
-  const struct GNUNET_HashCode *hc,
-  struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
-  struct GNUNET_CRYPTO_SymmetricInitializationVector *iv);
+unsigned int
+GNUNET_CRYPTO_hash_count_leading_zeros (const struct GNUNET_HashCode *h);
 
 
 /**
- * @ingroup hash
- * Obtain a bit from a hashcode.
+ * Count the number of tailing 0 bits in @a h.
  *
- * @param code the `struct GNUNET_HashCode` to index bit-wise
- * @param bit index into the hashcode, [0...159] where 0 is the leftmost bit
- *        (bytes in code interpreted big endian)
- * @return Bit \a bit from hashcode \a code, -1 for invalid index
- */
-int
-GNUNET_CRYPTO_hash_get_bit_ltr (const struct GNUNET_HashCode *code,
-                                unsigned int bit);
-
-
-/**
- * Obtain a bit from a hashcode.
- * @param code the GNUNET_CRYPTO_hash to index bit-wise
- * @param bit index into the hashcode, [0...511] where 0 is the rightmost bit
- *        (bytes in code interpreted little endian)
- * @return Bit \a bit from hashcode \a code, -1 for invalid index
+ * @param h a hash
+ * @return number of tailing 0 bits in @a h
  */
-int
-GNUNET_CRYPTO_hash_get_bit_rtl (const struct GNUNET_HashCode *code,
-                                unsigned int bit);
+unsigned int
+GNUNET_CRYPTO_hash_count_tailing_zeros (const struct GNUNET_HashCode *h);
 
 
 /**
  * @ingroup hash
- * Determine how many low order bits match in two
- * `struct GNUNET_HashCodes`.  e.g. - 010011 and 011111 share
- * the first two lowest order bits, and therefore the
- * return value is two (NOT XOR distance, nor how many
- * bits match absolutely!).
+ * Convert a hashcode into a key.
  *
- * @param first the first hashcode
- * @param second the hashcode to compare first to
- * @return the number of bits that match
+ * @param hc hash code that serves to generate the key
+ * @param skey set to a valid session key
+ * @param iv set to a valid initialization vector
  */
-unsigned int
-GNUNET_CRYPTO_hash_matching_bits (const struct GNUNET_HashCode *first,
-                                  const struct GNUNET_HashCode *second);
+void
+GNUNET_CRYPTO_hash_to_aes_key (
+  const struct GNUNET_HashCode *hc,
+  struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
+  struct GNUNET_CRYPTO_SymmetricInitializationVector *iv);
 
 
 /**
@@ -1179,6 +1467,17 @@ GNUNET_CRYPTO_eddsa_key_get_public (
   const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
   struct GNUNET_CRYPTO_EddsaPublicKey *pub);
 
+/**
+ * @ingroup crypto
+ * Extract the public key for the given private key.
+ *
+ * @param priv the private key
+ * @param pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_edx25519_key_get_public (
+  const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
+  struct GNUNET_CRYPTO_Edx25519PublicKey *pub);
 
 /**
  * @ingroup crypto
@@ -1259,11 +1558,11 @@ GNUNET_CRYPTO_ecdsa_public_key_from_string (
  * @param priv where to store the private key
  * @return #GNUNET_OK on success
  */
-int
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_eddsa_private_key_from_string (
   const char *enc,
   size_t enclen,
-  struct GNUNET_CRYPTO_EddsaPrivateKey *pub);
+  struct GNUNET_CRYPTO_EddsaPrivateKey *priv);
 
 
 /**
@@ -1317,7 +1616,7 @@ GNUNET_CRYPTO_ecdsa_key_from_file (const char *filename,
  * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but
  *         we found an existing file, #GNUNET_SYSERR on failure
  */
-int
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_eddsa_key_from_file (const char *filename,
                                    int do_create,
                                    struct GNUNET_CRYPTO_EddsaPrivateKey *pkey);
@@ -1365,7 +1664,34 @@ GNUNET_CRYPTO_eddsa_key_create (struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
 
 /**
  * @ingroup crypto
+ * Create a new private key.
+ *
+ * @param[out] pk private key to initialize
+ */
+void
+GNUNET_CRYPTO_edx25519_key_create (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk);
+
+/**
+ * @ingroup crypto
+ * Create a new private key for Edx25519 from a given seed.  After expanding
+ * the seed, the first half of the key will be clamped according to EdDSA.
+ *
+ * @param seed seed input
+ * @param seedsize size of the seed in bytes
+ * @param[out] pk private key to initialize
+ */
+void
+GNUNET_CRYPTO_edx25519_key_create_from_seed (
+  const void *seed,
+  size_t seedsize,
+  struct GNUNET_CRYPTO_Edx25519PrivateKey *pk);
+
+/**
+ * @ingroup crypto
  * Create a new private key.  Clear with #GNUNET_CRYPTO_ecdhe_key_clear().
+ * This is X25519 DH (RFC 7748 Section 5) and corresponds to
+ * X25519(a,9).
+ * See #GNUNET_CRYPTO_ecc_ecdh for the DH function.
  *
  * @param[out] pk set to fresh private key;
  */
@@ -1392,6 +1718,14 @@ GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
 void
 GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk);
 
+/**
+ * @ingroup crypto
+ * Clear memory that was used to store a private key.
+ *
+ * @param pk location of the key
+ */
+void
+GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk);
 
 /**
  * @ingroup crypto
@@ -1435,12 +1769,49 @@ GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name);
  * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity
  *         could not be retrieved
  */
-int
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg,
                                  struct GNUNET_PeerIdentity *dst);
 
 
 /**
+ * @ingroup crypto
+ * Sign a given block with a specific purpose using the host's peer identity.
+ *
+ * @param cfg configuration to use
+ * @param purpose what to sign (size, purpose)
+ * @param sig where to write the signature
+ * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity
+ *         could not be retrieved
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_sign_by_peer_identity (const struct
+                                     GNUNET_CONFIGURATION_Handle *cfg,
+                                     const struct
+                                     GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+                                     struct GNUNET_CRYPTO_EddsaSignature *sig);
+
+
+/**
+ * @ingroup crypto
+ * Verify a given signature with a peer's identity.
+ *
+ * @param purpose what is the purpose that the signature should have?
+ * @param validate block to validate (size, purpose, data)
+ * @param sig signature that is being validated
+ * @param identity the peer's identity to verify
+ * @return #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_verify_peer_identity (uint32_t purpose,
+                                    const struct
+                                    GNUNET_CRYPTO_EccSignaturePurpose *validate,
+                                    const struct
+                                    GNUNET_CRYPTO_EddsaSignature *sig,
+                                    const struct GNUNET_PeerIdentity *identity);
+
+
+/**
  * Internal structure used to cache pre-calculated values for DLOG calculation.
  */
 struct GNUNET_CRYPTO_EccDlogContext;
@@ -1483,7 +1854,7 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
  * Calculate ECC discrete logarithm for small factors.
  * Opposite of #GNUNET_CRYPTO_ecc_dexp().
  *
- * @param dlc precalculated values, determine range of factors
+ * @param edc precalculated values, determine range of factors
  * @param input point on the curve to factor
  * @return INT_MAX if dlog failed, otherwise the factor
  */
@@ -1606,6 +1977,9 @@ GNUNET_CRYPTO_ecc_scalar_from_int (int64_t val,
 /**
  * @ingroup crypto
  * Derive key material from a public and a private ECC key.
+ * This is X25519 DH (RFC 7748 Section 5) and corresponds to
+ * H(X25519(b,X25519(a,9))) where b := priv, pub := X25519(a,9),
+ * and a := #GNUNET_CRYPTO_ecdhe_key_create().
  *
  * @param priv private key to use for the ECDH (x)
  * @param pub public key to use for the ECDH (yG)
@@ -1622,6 +1996,10 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
  * @ingroup crypto
  * Derive key material from a ECDH public key and a private EdDSA key.
  * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
+ * This uses the Ed25519 private seed as X25519 seed.
+ * As such, this also is a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh).
+ * NOTE: Whenever you can get away with it, use separate key pairs
+ * for signing and encryption (DH)!
  *
  * @param priv private key from EdDSA to use for the ECDH (x)
  * @param pub public key to use for the ECDH (yG)
@@ -1633,6 +2011,122 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
                           const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
                           struct GNUNET_HashCode *key_material);
 
+/**
+ * @ingroup crypto
+ * Decapsulate a key for a private EdDSA key.
+ * Dual to #GNUNET_CRRYPTO_eddsa_kem_encaps.
+ *
+ * @param priv private key from EdDSA to use for the ECDH (x)
+ * @param c the encapsulated key
+ * @param key_material where to write the key material H(h(x)yG)
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_kem_decaps (const struct
+                                GNUNET_CRYPTO_EddsaPrivateKey *priv,
+                                const struct GNUNET_CRYPTO_EcdhePublicKey *c,
+                                struct GNUNET_HashCode *key_material);
+
+/**
+ * @ingroup crypto
+ * Encapsulate key material for a EdDSA public key.
+ * Dual to #GNUNET_CRRYPTO_eddsa_kem_decaps.
+ *
+ * @param priv private key to use for the ECDH (y)
+ * @param c public key from EdDSA to use for the ECDH (X=h(x)G)
+ * @param key_material where to write the key material H(yX)=H(h(x)yG)
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
+                                struct GNUNET_CRYPTO_EcdhePublicKey *c,
+                                struct GNUNET_HashCode *key_material);
+
+/**
+ * This is the encapsulated key of our FO-KEM.
+ */
+struct GNUNET_CRYPTO_FoKemC
+{
+  /* The output of the FO-OWTF F(x) */
+  struct GNUNET_HashCode y;
+
+  /* The ephemeral public key from the DH in the KEM */
+  struct GNUNET_CRYPTO_EcdhePublicKey pub;
+};
+
+/**
+ * @ingroup crypto
+ * Encapsulate key material using a CCA-secure KEM.
+ * The KEM is using a OWTF with image oracle constructed from
+ * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP).
+ * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps.
+ *
+ * @param pub public key to encapsulated for
+ * @param[out] c the encapsulation
+ * @param[out] key_material the encapsulated key
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_fo_kem_encaps (
+  const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
+  struct GNUNET_CRYPTO_FoKemC *c,
+  struct GNUNET_HashCode *key_material);
+
+
+/**
+ * @ingroup crypto
+ * Decapsulate key material using a CCA-secure KEM.
+ * The KEM is using a OWTF with image oracle constructed from
+ * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP).
+ * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps.
+ *
+ * @param priv private key this encapsulation is for
+ * @param c the encapsulation
+ * @param[out] key_material the encapsulated key
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_fo_kem_decaps (const struct
+                                   GNUNET_CRYPTO_EddsaPrivateKey *priv,
+                                   const struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material);
+
+/**
+ * @ingroup crypto
+ * Encapsulate key material using a CCA-secure KEM.
+ * The KEM is using a OWTF with image oracle constructed from
+ * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP).
+ * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps.
+ *
+ * @param pub public key to encapsulated for
+ * @param[out] c the encapsulation
+ * @param[out] key_material the encapsulated key
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_fo_kem_encaps (const struct
+                                   GNUNET_CRYPTO_EcdsaPublicKey *pub,
+                                   struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material);
+
+
+/**
+ * @ingroup crypto
+ * Decapsulate key material using a CCA-secure KEM.
+ * The KEM is using a OWTF with image oracle constructed from
+ * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP).
+ * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps.
+ *
+ * @param priv private key this encapsulation is for
+ * @param c the encapsulation
+ * @param[out] key_material the encapsulated key
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_fo_kem_decaps (const struct
+                                   GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+                                   struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material);
 
 /**
  * @ingroup crypto
@@ -1654,6 +2148,10 @@ GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
  * @ingroup crypto
  * Derive key material from a EdDSA public key and a private ECDH key.
  * Dual to #GNUNET_CRRYPTO_eddsa_ecdh.
+ * This converts the Edwards25519 public key @a pub to a Curve25519
+ * public key before computing a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh).
+ * NOTE: Whenever you can get away with it, use separate key pairs
+ * for signing and encryption (DH)!
  *
  * @param priv private key to use for the ECDH (y)
  * @param pub public key from EdDSA to use for the ECDH (X=h(x)G)
@@ -1665,6 +2163,7 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
                           const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
                           struct GNUNET_HashCode *key_material);
 
+
 /**
  * @ingroup crypto
  * Derive key material from a EcDSA public key and a private ECDH key.
@@ -1749,6 +2248,21 @@ GNUNET_CRYPTO_ecdsa_sign_ (
   const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
   struct GNUNET_CRYPTO_EcdsaSignature *sig);
 
+/**
+ * @brief
+ *
+ * @param priv
+ * @param data
+ * @param size
+ * @param sig
+ * @return enum GNUNET_GenericReturnValue
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_sign_raw (
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
+  void *data,
+  size_t size,
+  struct GNUNET_CRYPTO_EddsaSignature *sig);
 
 /**
  * @ingroup crypto
@@ -1774,6 +2288,53 @@ GNUNET_CRYPTO_ecdsa_sign_ (
                                               sig));               \
 } while (0)
 
+/**
+ * @ingroup crypto
+ * @brief Edx25519 sign a given block.
+ *
+ * The @a purpose data is the beginning of the data of which the signature is
+ * to be created. The `size` field in @a purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.  If possible,
+ * use #GNUNET_CRYPTO_edx25519_sign() instead of this function (only if @a
+ * validate is not fixed-size, you must use this function directly).
+ *
+ * @param priv private key to use for the signing
+ * @param purpose what to sign (size, purpose)
+ * @param[out] sig where to write the signature
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_edx25519_sign_ (
+  const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+  struct GNUNET_CRYPTO_Edx25519Signature *sig);
+
+
+/**
+ * @ingroup crypto
+ * @brief Edx25519 sign a given block.  The resulting signature is compatible
+ * with EdDSA.
+ *
+ * The @a ps data must be a fixed-size struct for which the signature is to be
+ * created. The `size` field in @a ps->purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ *
+ * @param priv private key to use for the signing
+ * @param ps packed struct with what to sign, MUST begin with a purpose
+ * @param[out] sig where to write the signature
+ */
+#define GNUNET_CRYPTO_edx25519_sign(priv,ps,sig) do {              \
+    /* check size is set correctly */                              \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));  \
+    /* check 'ps' begins with the purpose */                       \
+    GNUNET_static_assert (((void*) (ps)) ==                        \
+                          ((void*) &(ps)->purpose));               \
+    GNUNET_assert (GNUNET_OK ==                                    \
+                   GNUNET_CRYPTO_edx25519_sign_ (priv,             \
+                                                 &(ps)->purpose,   \
+                                                 sig));            \
+} while (0)
+
 
 /**
  * @ingroup crypto
@@ -1793,7 +2354,7 @@ GNUNET_CRYPTO_ecdsa_sign_ (
  * @param pub public key of the signer
  * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
  */
-int
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_eddsa_verify_ (
   uint32_t purpose,
   const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
@@ -1817,7 +2378,7 @@ GNUNET_CRYPTO_eddsa_verify_ (
  */
 #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({             \
     /* check size is set correctly */                              \
-    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));  \
     /* check 'ps' begins with the purpose */                       \
     GNUNET_static_assert (((void*) (ps)) ==                        \
                           ((void*) &(ps)->purpose));               \
@@ -1827,7 +2388,6 @@ GNUNET_CRYPTO_eddsa_verify_ (
                                  pub);                             \
   })
 
-
 /**
  * @ingroup crypto
  * @brief Verify ECDSA signature.
@@ -1846,7 +2406,7 @@ GNUNET_CRYPTO_eddsa_verify_ (
  * @param pub public key of the signer
  * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
  */
-int
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_ecdsa_verify_ (
   uint32_t purpose,
   const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
@@ -1882,6 +2442,58 @@ GNUNET_CRYPTO_ecdsa_verify_ (
 
 /**
  * @ingroup crypto
+ * @brief Verify Edx25519 signature.
+ *
+ * The @a validate data is the beginning of the data of which the signature
+ * is to be verified. The `size` field in @a validate must correctly indicate
+ * the number of bytes of the data structure, including its header.  If @a
+ * purpose does not match the purpose given in @a validate (the latter must be
+ * in big endian), signature verification fails.  If possible, use
+ * #GNUNET_CRYPTO_edx25519_verify() instead of this function (only if @a
+ * validate is not fixed-size, you must use this function directly).
+ *
+ * @param purpose what is the purpose that the signature should have?
+ * @param validate block to validate (size, purpose, data)
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_edx25519_verify_ (
+  uint32_t purpose,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
+  const struct GNUNET_CRYPTO_Edx25519Signature *sig,
+  const struct GNUNET_CRYPTO_Edx25519PublicKey *pub);
+
+
+/**
+ * @ingroup crypto
+ * @brief Verify Edx25519 signature.
+ *
+ * The @a ps data must be a fixed-size struct for which the signature is to be
+ * created. The `size` field in @a ps->purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ *
+ * @param purp purpose of the signature, must match 'ps->purpose.purpose'
+ *              (except in host byte order)
+ * @param priv private key to use for the signing
+ * @param ps packed struct with what to sign, MUST begin with a purpose
+ * @param sig where to write the signature
+ */
+#define GNUNET_CRYPTO_edx25519_verify(purp,ps,sig,pub) ({         \
+    /* check size is set correctly */                             \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
+    /* check 'ps' begins with the purpose */                      \
+    GNUNET_static_assert (((void*) (ps)) ==                       \
+                          ((void*) &(ps)->purpose));              \
+    GNUNET_CRYPTO_edx25519_verify_ (purp,                         \
+                                    &(ps)->purpose,               \
+                                    sig,                          \
+                                    pub);                         \
+  })
+
+/**
+ * @ingroup crypto
  * Derive a private key from a given private key and a label.
  * Essentially calculates a private key 'h = H(l,P) * d mod n'
  * where n is the size of the ECC group and P is the public
@@ -1918,6 +2530,26 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (
   const char *context,
   struct GNUNET_CRYPTO_EcdsaPublicKey *result);
 
+/**
+ * This is a signature function for ECDSA which takes a
+ * private key, derives/blinds it and signs the message.
+ *
+ * @param pkey original private key
+ * @param label label to use for key deriviation
+ * @param context additional context to use for HKDF of 'h';
+ *        typically the name of the subsystem/application
+ * @param purpose the signature purpose
+ * @param sig the resulting signature
+ * @return GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_sign_derived (
+  const struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey,
+  const char *label,
+  const char *context,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+  struct GNUNET_CRYPTO_EcdsaSignature *sig);
+
 
 /**
  * @ingroup crypto
@@ -1963,23 +2595,23 @@ GNUNET_CRYPTO_eddsa_public_key_derive (
 
 
 /**
- * This is a signature function for EdDSA which takes the
- * secret scalar sk instead of the private seed which is
- * usually the case for crypto APIs. We require this functionality
- * in order to use derived private keys for signatures we
- * cannot calculate the inverse of a sk to find the seed
- * efficiently.
- *
- * The resulting signature is a standard EdDSA signature
- * which can be verified using the usual APIs.
+ * This is a signature function for EdDSA which takes a
+ * private key and derives it using the label and context
+ * before signing.
  *
- * @param sk the secret scalar
- * @param purp the signature purpose
+ * @param pkey original private key
+ * @param label label to use for key deriviation
+ * @param context additional context to use for HKDF of 'h';
+ *        typically the name of the subsystem/application
+ * @param purpose the signature purpose
  * @param sig the resulting signature
+ * @return GNUNET_OK on success
  */
-void
-GNUNET_CRYPTO_eddsa_sign_with_scalar (
-  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_sign_derived (
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey,
+  const char *label,
+  const char *context,
   const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
   struct GNUNET_CRYPTO_EddsaSignature *sig);
 
@@ -1995,6 +2627,134 @@ GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (
   const struct GNUNET_CRYPTO_EddsaPrivateScalar *s,
   struct GNUNET_CRYPTO_EddsaPublicKey *pkey);
 
+/**
+ * @ingroup crypto
+ * Derive a private scalar from a given private key and a label.
+ * Essentially calculates a private key 'h = H(l,P) * d mod n'
+ * where n is the size of the ECC group and P is the public
+ * key associated with the private key 'd'.
+ *
+ * @param priv original private key
+ * @param seed input seed
+ * @param seedsize size of the seed
+ * @param result derived private key
+ */
+void
+GNUNET_CRYPTO_edx25519_private_key_derive (
+  const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
+  const void *seed,
+  size_t seedsize,
+  struct GNUNET_CRYPTO_Edx25519PrivateKey *result);
+
+
+/**
+ * @ingroup crypto
+ * Derive a public key from a given public key and a label.
+ * Essentially calculates a public key 'V = H(l,P) * P'.
+ *
+ * @param pub original public key
+ * @param seed input seed
+ * @param seedsize size of the seed
+ * @param result where to write the derived public key
+ */
+void
+GNUNET_CRYPTO_edx25519_public_key_derive (
+  const struct GNUNET_CRYPTO_Edx25519PublicKey *pub,
+  const void *seed,
+  size_t seedsize,
+  struct GNUNET_CRYPTO_Edx25519PublicKey *result);
+
+
+/**
+ * @ingroup crypto
+ * Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map.
+ *
+ * @param representative serialized elligator representative of an element of Curves25519's finite field
+ * @param point destination for the calculated point on the curve
+ * @param high_y bool pointed to will be set to 'true' if corresponding y-coordinate is > 2 ^ 254 - 10, otherwise 0. Can be set to NULL if not needed.
+ */
+void
+GNUNET_CRYPTO_ecdhe_elligator_decoding (
+  struct GNUNET_CRYPTO_EcdhePublicKey *point,
+  bool *high_y,
+  const struct GNUNET_CRYPTO_ElligatorRepresentative *representative);
+
+/**
+ * @ingroup crypto
+ * Encodes a point on Curve25519 to a an element of the underlying finite field.
+ * This transformation is deterministic.
+ *
+ * @param r storage for the calculated representative
+ * @param pub a point on the curve
+ * @param high_y encodes if y-coordinate is > 2 ^254 - 10, which determines the representative value out of two
+ * @return 'true' if the given point can be encoded into a representative. Otherwise 'false' is returned and the content of the representative storage is undefined
+ */
+bool
+GNUNET_CRYPTO_ecdhe_elligator_encoding (
+  struct GNUNET_CRYPTO_ElligatorRepresentative *r,
+  const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
+  bool high_y);
+
+
+/**
+ * @ingroup crypto
+ * Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point.
+ * Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key.
+ *
+ * @param pub valid public key for elligator inverse map
+ * @param pk private key for generating valid public key
+ * @return GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdhe_elligator_generate_public_key (
+  struct GNUNET_CRYPTO_EcdhePublicKey *pub,
+  struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
+
+
+/**
+ * @ingroup crypto
+ * Generates a private key for Curve25519 and the elligator representative of the corresponding public key.
+ *
+ * @param repr representative of the public key
+ * @param pk Curve25519 private key
+ */
+void
+GNUNET_CRYPTO_ecdhe_elligator_key_create (
+  struct GNUNET_CRYPTO_ElligatorRepresentative *repr,
+  struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
+
+/**
+ * @ingroup crypto
+ * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
+ * Following the terminology in https://eprint.iacr.org/2021/509.pdf.
+ *
+ * @param pub given edwards curve public key (X)
+ * @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG)
+ * @param key_material where to write the key material H(aX)=H(x(aG))
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_elligator_kem_encaps (
+  const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
+  struct GNUNET_CRYPTO_ElligatorRepresentative *r,
+  struct GNUNET_HashCode *key_material);
+
+/**
+ * @ingroup crypto
+ * Carries out ecdh decapsulation with own private key and the representative of the received public key.
+ * Following the terminology in https://eprint.iacr.org/2021/509.pdf.
+ *
+ * @param priv own private key (x)
+ * @param r received representative r, from which we can obtain the public key A (direct_map(r)=A=aG)
+ * @param key_material where to write the key material H(xA)=H(a(xG))
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_elligator_kem_decaps (
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
+  const struct GNUNET_CRYPTO_ElligatorRepresentative *r,
+  struct GNUNET_HashCode *key_material);
+
 
 /**
  * Output the given MPI value to the given buffer in network
@@ -2062,7 +2822,7 @@ GNUNET_CRYPTO_paillier_encrypt (
  * @param private_key Private key to use for decryption.
  * @param public_key Public key to use for decryption.
  * @param ciphertext Ciphertext to decrypt.
- * @param[out] m Decryption of @a ciphertext with @private_key.
+ * @param[out] m Decryption of @a ciphertext with @a private_key.
  */
 void
 GNUNET_CRYPTO_paillier_decrypt (
@@ -2073,7 +2833,8 @@ GNUNET_CRYPTO_paillier_decrypt (
 
 
 /**
- * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2
+ * Compute a ciphertext that represents the sum of the plaintext in @a c1
+ * and @a c2
  *
  * Note that this operation can only be done a finite number of times
  * before an overflow occurs.
@@ -2210,11 +2971,21 @@ GNUNET_CRYPTO_rsa_private_key_get_public (
  * @param hc where to store the hash code
  */
 void
-GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key,
-                                   struct GNUNET_HashCode *hc);
+GNUNET_CRYPTO_rsa_public_key_hash (
+  const struct GNUNET_CRYPTO_RsaPublicKey *key,
+  struct GNUNET_HashCode *hc);
 
 
 /**
+ * Check if @a key is well-formed.
+ *
+ * @return true if @a key is well-formed.
+ */
+bool
+GNUNET_CRYPTO_rsa_public_key_check (
+  const struct GNUNET_CRYPTO_RsaPublicKey *key);
+
+/**
  * Obtain the length of the RSA key in bits.
  *
  * @param key the public key to introspect
@@ -2256,7 +3027,8 @@ GNUNET_CRYPTO_rsa_public_key_encode (
  * @return NULL on error
  */
 struct GNUNET_CRYPTO_RsaPublicKey *
-GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, size_t len);
+GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
+                                     size_t len);
 
 
 /**
@@ -2288,9 +3060,9 @@ GNUNET_CRYPTO_rsa_signature_cmp (const struct GNUNET_CRYPTO_RsaSignature *s1,
  * @return 0 if the two are equal
  */
 int
-GNUNET_CRYPTO_rsa_private_key_cmp (const struct GNUNET_CRYPTO_RsaPrivateKey *p1,
-                                   const struct
-                                   GNUNET_CRYPTO_RsaPrivateKey *p2);
+GNUNET_CRYPTO_rsa_private_key_cmp (
+  const struct GNUNET_CRYPTO_RsaPrivateKey *p1,
+  const struct GNUNET_CRYPTO_RsaPrivateKey *p2);
 
 
 /**
@@ -2306,53 +3078,83 @@ GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey *p1,
 
 
 /**
+ * @brief RSA Parameters to create blinded signature
+ */
+struct GNUNET_CRYPTO_RsaBlindedMessage
+{
+  /**
+   * Blinded message to be signed
+   * Note: is malloc()'ed!
+   */
+  void *blinded_msg;
+
+  /**
+   * Size of the @e blinded_msg to be signed.
+   */
+  size_t blinded_msg_size;
+};
+
+
+/**
  * Blinds the given message with the given blinding key
  *
- * @param hash hash of the message to sign
- * @param bkey the blinding key
+ * @param message the message to sign
+ * @param message_size number of bytes in @a message
+ * @param bks the blinding key
  * @param pkey the public key of the signer
- * @param[out] buf set to a buffer with the blinded message to be signed
- * @param[out] buf_size number of bytes stored in @a buf
+ * @param[out] bm set to the blinded message
  * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious
  */
-int
-GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_rsa_blind (const void *message,
+                         size_t message_size,
                          const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
                          struct GNUNET_CRYPTO_RsaPublicKey *pkey,
-                         void **buf,
-                         size_t *buf_size);
+                         struct GNUNET_CRYPTO_RsaBlindedMessage *bm);
 
 
 /**
  * Sign a blinded value, which must be a full domain hash of a message.
  *
  * @param key private key to use for the signing
- * @param msg the (blinded) message to sign
- * @param msg_len number of bytes in @a msg to sign
+ * @param bm the (blinded) message to sign
  * @return NULL on error, signature on success
  */
 struct GNUNET_CRYPTO_RsaSignature *
 GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
-                                const void *msg,
-                                size_t msg_len);
+                                const struct
+                                GNUNET_CRYPTO_RsaBlindedMessage *bm);
 
 
 /**
  * Create and sign a full domain hash of a message.
  *
  * @param key private key to use for the signing
- * @param hash the hash of the message to sign
+ * @param message the message to sign
+ * @param message_size number of bytes in @a message
  * @return NULL on error, including a malicious RSA key, signature on success
  */
 struct GNUNET_CRYPTO_RsaSignature *
 GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
-                            const struct GNUNET_HashCode *hash);
+                            const void *message,
+                            size_t message_size);
+
+
+/**
+ * Free memory occupied by blinded message. Only frees contents, not
+ * @a bm itself.
+ *
+ * @param[in] bm memory to free
+ */
+void
+GNUNET_CRYPTO_rsa_blinded_message_free (
+  struct GNUNET_CRYPTO_RsaBlindedMessage *bm);
 
 
 /**
  * Free memory occupied by signature.
  *
- * @param sig memory to free
+ * @param[in] sig memory to free
  */
 void
 GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig);
@@ -2380,8 +3182,9 @@ GNUNET_CRYPTO_rsa_signature_encode (
  * @return NULL on error
  */
 struct GNUNET_CRYPTO_RsaSignature *
-GNUNET_CRYPTO_rsa_signature_decode (const void *buf,
-                                    size_t buf_size);
+GNUNET_CRYPTO_rsa_signature_decode (
+  const void *buf,
+  size_t buf_size);
 
 
 /**
@@ -2391,7 +3194,8 @@ GNUNET_CRYPTO_rsa_signature_decode (const void *buf,
  * @return the duplicate key; NULL upon error
  */
 struct GNUNET_CRYPTO_RsaSignature *
-GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig);
+GNUNET_CRYPTO_rsa_signature_dup (
+  const struct GNUNET_CRYPTO_RsaSignature *sig);
 
 
 /**
@@ -2414,17 +3218,1267 @@ GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig,
  * Verify whether the given hash corresponds to the given signature and the
  * signature is valid with respect to the given public key.
  *
- * @param hash the message to verify to match the @a sig
+ * @param message the message to sign
+ * @param message_size number of bytes in @a message
  * @param sig signature that is being validated
  * @param public_key public key of the signer
  * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature
  */
 enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
+GNUNET_CRYPTO_rsa_verify (const void *message,
+                          size_t message_size,
                           const struct GNUNET_CRYPTO_RsaSignature *sig,
                           const struct GNUNET_CRYPTO_RsaPublicKey *public_key);
 
 
+/**
+ * Create a new random private key.
+ *
+ * @param[out] priv where to write the fresh private key
+ */
+void
+GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv);
+
+
+/**
+ * Extract the public key of the given private key.
+ *
+ * @param priv the private key
+ * @param[out] pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_cs_private_key_get_public (
+  const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+  struct GNUNET_CRYPTO_CsPublicKey *pub);
+
+
+/**
+ * Derive a new secret r pair r0 and r1.
+ * In original papers r is generated randomly
+ * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce should be used when a new r needs to be derived.
+ * Uses HKDF internally.
+ * Comment: Can be done in one HKDF shot and split output.
+ *
+ * @param nonce is a random nonce
+ * @param seed seed to use in derivation
+ * @param lts is a long-term-secret in form of a private key
+ * @param[out] r array containing derived secrets r0 and r1
+ */
+void
+GNUNET_CRYPTO_cs_r_derive (
+  const struct GNUNET_CRYPTO_CsSessionNonce *nonce,
+  const char *seed,
+  const struct GNUNET_CRYPTO_CsPrivateKey *lts,
+  struct GNUNET_CRYPTO_CsRSecret r[2]);
+
+
+/**
+ * Extract the public R of the given secret r.
+ *
+ * @param r_priv the private key
+ * @param[out] r_pub where to write the public key
+ */
+void
+GNUNET_CRYPTO_cs_r_get_public (
+  const struct GNUNET_CRYPTO_CsRSecret *r_priv,
+  struct GNUNET_CRYPTO_CsRPublic *r_pub);
+
+
+/**
+ * Derives new random blinding factors.
+ * In original papers blinding factors are generated randomly
+ * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE.
+ * To ensure unpredictability a new nonce has to be used.
+ * Uses HKDF internally.
+ *
+ * @param blind_seed is the blinding seed to derive blinding factors
+ * @param[out] bs array containing the two derived blinding secrets
+ */
+void
+GNUNET_CRYPTO_cs_blinding_secrets_derive (
+  const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed,
+  struct GNUNET_CRYPTO_CsBlindingSecret bs[2]);
+
+
+/**
+ * @brief CS Parameters derived from the message
+ * during blinding to create blinded signature
+ */
+struct GNUNET_CRYPTO_CsBlindedMessage
+{
+  /**
+   * The Clause Schnorr c_0 and c_1 containing the blinded message
+   */
+  struct GNUNET_CRYPTO_CsC c[2];
+
+  /**
+   * Nonce used in initial request.
+   */
+  struct GNUNET_CRYPTO_CsSessionNonce nonce;
+
+};
+
+
+/**
+ * Pair of Public R values for Cs denominations
+ */
+struct GNUNET_CRYPTO_CSPublicRPairP
+{
+  struct GNUNET_CRYPTO_CsRPublic r_pub[2];
+};
+
+
+/**
+ * Calculate two blinded c's.
+ * Comment: One would be insecure due to Wagner's algorithm solving ROS
+ *
+ * @param bs array of the two blinding factor structs each containing alpha and beta
+ * @param r_pub array of the two signer's nonce R
+ * @param pub the public key of the signer
+ * @param msg the message to blind in preparation for signing
+ * @param msg_len length of message msg
+ * @param[out] blinded_c array of the two blinded c's
+ * @param[out] r_pub_blind array of the two blinded R
+ */
+void
+GNUNET_CRYPTO_cs_calc_blinded_c (
+  const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
+  const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
+  const struct GNUNET_CRYPTO_CsPublicKey *pub,
+  const void *msg,
+  size_t msg_len,
+  struct GNUNET_CRYPTO_CsC blinded_c[2],
+  struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind);
+
+
+/**
+ * The Sign Answer for Clause Blind Schnorr signature.
+ * The sign operation returns a parameter @param b and the signature
+ * scalar @param s_scalar.
+ */
+struct GNUNET_CRYPTO_CsBlindSignature
+{
+  /**
+   * To make ROS problem harder, the signer chooses an unpredictable b and
+   * only calculates signature of c_b
+   */
+  unsigned int b;
+
+  /**
+   * The blinded s scalar calculated from c_b
+   */
+  struct GNUNET_CRYPTO_CsBlindS s_scalar;
+};
+
+
+/**
+ * Sign a blinded @a c.
+ * This function derives b from a nonce and a longterm secret.
+ * In the original papers b is generated randomly.
+ * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE.
+ * To ensure unpredictability a new nonce has to be used for every signature.
+ * HKDF is used internally for derivation.
+ * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive.
+ *
+ * @param priv private key to use for the signing and as LTS in HKDF
+ * @param r array of the two secret inputs from the signer
+ * @param bm blinded message, including array of the two blinded c to sign c_b and the random nonce
+ * @param[out] cs_blind_sig where to write the blind signature
+ */
+void
+GNUNET_CRYPTO_cs_sign_derive (
+  const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+  const struct GNUNET_CRYPTO_CsRSecret r[2],
+  const struct GNUNET_CRYPTO_CsBlindedMessage *bm,
+  struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig);
+
+
+/**
+ * Unblind a blind-signed signature using a c that was blinded
+ *
+ * @param blinded_signature_scalar the signature made on the blinded c
+ * @param bs the blinding factors used in the blinding
+ * @param[out] signature_scalar where to write the unblinded signature
+ */
+void
+GNUNET_CRYPTO_cs_unblind (
+  const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
+  const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+  struct GNUNET_CRYPTO_CsS *signature_scalar);
+
+
+/**
+ * Verify whether the given message corresponds to the given signature and the
+ * signature is valid with respect to the given public key.
+ *
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @param msg is the message that should be signed by @a sig  (message is used to calculate c)
+ * @param msg_len is the message length
+ * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_cs_verify (
+  const struct GNUNET_CRYPTO_CsSignature *sig,
+  const struct GNUNET_CRYPTO_CsPublicKey *pub,
+  const void *msg,
+  size_t msg_len);
+
+
+/**
+ * Types of public keys used for blind signatures.
+ */
+enum GNUNET_CRYPTO_BlindSignatureAlgorithm
+{
+
+  /**
+   * Invalid type of signature.
+   */
+  GNUNET_CRYPTO_BSA_INVALID = 0,
+
+  /**
+   * RSA blind signature.
+   */
+  GNUNET_CRYPTO_BSA_RSA = 1,
+
+  /**
+   * Clause Blind Schnorr signature.
+   */
+  GNUNET_CRYPTO_BSA_CS = 2
+};
+
+
+/**
+ * @brief Type of (unblinded) signatures.
+ */
+struct GNUNET_CRYPTO_UnblindedSignature
+{
+
+  /**
+   * Type of the signature.
+   */
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher;
+
+  /**
+   * Reference counter.
+   */
+  unsigned int rc;
+
+  /**
+   * Details, depending on @e cipher.
+   */
+  union
+  {
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher.
+     */
+    struct GNUNET_CRYPTO_CsSignature cs_signature;
+
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher.
+     */
+    struct GNUNET_CRYPTO_RsaSignature *rsa_signature;
+
+  } details;
+
+};
+
+
+/**
+ * @brief Type for *blinded* signatures.
+ * Must be unblinded before it becomes valid.
+ */
+struct GNUNET_CRYPTO_BlindedSignature
+{
+
+  /**
+   * Type of the signature.
+   */
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher;
+
+  /**
+   * Reference counter.
+   */
+  unsigned int rc;
+
+  /**
+   * Details, depending on @e cipher.
+   */
+  union
+  {
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher.
+     * At this point only the blinded s scalar is used.
+     * The final signature consisting of r,s is built after unblinding.
+     */
+    struct GNUNET_CRYPTO_CsBlindSignature blinded_cs_answer;
+
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher.
+     */
+    struct GNUNET_CRYPTO_RsaSignature *blinded_rsa_signature;
+
+  } details;
+
+};
+
+
+/**
+ * @brief Type of public signing keys for blind signatures.
+ */
+struct GNUNET_CRYPTO_BlindSignPublicKey
+{
+
+  /**
+   * Type of the public key.
+   */
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher;
+
+  /**
+   * Reference counter.
+   */
+  unsigned int rc;
+
+  /**
+   * Hash of the public key.
+   */
+  struct GNUNET_HashCode pub_key_hash;
+
+  /**
+   * Details, depending on @e cipher.
+   */
+  union
+  {
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher.
+     */
+    struct GNUNET_CRYPTO_CsPublicKey cs_public_key;
+
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher.
+     */
+    struct GNUNET_CRYPTO_RsaPublicKey *rsa_public_key;
+
+  } details;
+};
+
+
+/**
+ * @brief Type of private signing keys for blind signing.
+ */
+struct GNUNET_CRYPTO_BlindSignPrivateKey
+{
+
+  /**
+   * Type of the public key.
+   */
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher;
+
+  /**
+   * Reference counter.
+   */
+  unsigned int rc;
+
+  /**
+   * Details, depending on @e cipher.
+   */
+  union
+  {
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher.
+     */
+    struct GNUNET_CRYPTO_CsPrivateKey cs_private_key;
+
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher.
+     */
+    struct GNUNET_CRYPTO_RsaPrivateKey *rsa_private_key;
+
+  } details;
+};
+
+
+/**
+ * @brief Blinded message ready for blind signing.
+ */
+struct GNUNET_CRYPTO_BlindedMessage
+{
+  /**
+   * Type of the sign blinded message
+   */
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher;
+
+  /**
+   * Reference counter.
+   */
+  unsigned int rc;
+
+  /**
+   * Details, depending on @e cipher.
+   */
+  union
+  {
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher.
+     */
+    struct GNUNET_CRYPTO_CsBlindedMessage cs_blinded_message;
+
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher.
+     */
+    struct GNUNET_CRYPTO_RsaBlindedMessage rsa_blinded_message;
+
+  } details;
+};
+
+
+/**
+ * Secret r for Cs denominations
+ */
+struct GNUNET_CRYPTO_CSPrivateRPairP
+{
+  struct GNUNET_CRYPTO_CsRSecret r[2];
+};
+
+
+/**
+ * @brief Input needed for blinding a message.
+ */
+struct GNUNET_CRYPTO_BlindingInputValues
+{
+
+  /**
+   * Type of the signature.
+   */
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher;
+
+  /**
+   * Reference counter.
+   */
+  unsigned int rc;
+
+  /**
+   * Details, depending on @e cipher.
+   */
+  union
+  {
+    /**
+     * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher.
+     */
+    struct GNUNET_CRYPTO_CSPublicRPairP cs_values;
+
+  } details;
+
+};
+
+
+/**
+ * Nonce used to deterministiacally derive input values
+ * used in multi-round blind signature protocols.
+ */
+union GNUNET_CRYPTO_BlindSessionNonce
+{
+  /**
+   * Nonce used when signing with CS.
+   */
+  struct GNUNET_CRYPTO_CsSessionNonce cs_nonce;
+};
+
+
+/**
+ * Compute blinding input values for a given @a nonce and
+ * @a salt.
+ *
+ * @param bsign_priv private key to compute input values for
+ * @param nonce session nonce to derive input values from
+ * @param salt salt to include in derivation logic
+ * @return blinding input values
+ */
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const char *salt);
+
+
+/**
+ * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero.
+ *
+ * @param[in] bsign_pub key to free
+ */
+void
+GNUNET_CRYPTO_blind_sign_pub_decref (
+  struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub);
+
+
+/**
+ * Decrement reference counter of a @a bsign_priv, and free it if it reaches zero.
+ *
+ * @param[in] bsign_priv key to free
+ */
+void
+GNUNET_CRYPTO_blind_sign_priv_decref (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv);
+
+
+/**
+ * Decrement reference counter of a @a ub_sig, and free it if it reaches zero.
+ *
+ * @param[in] ub_sig signature to free
+ */
+void
+GNUNET_CRYPTO_unblinded_sig_decref (
+  struct GNUNET_CRYPTO_UnblindedSignature *ub_sig);
+
+
+/**
+ * Decrement reference counter of a @a blind_sig, and free it if it reaches zero.
+ *
+ * @param[in] blind_sig signature to free
+ */
+void
+GNUNET_CRYPTO_blinded_sig_decref (
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig);
+
+
+/**
+ * Decrement reference counter of a @a bm, and free it if it reaches zero.
+ *
+ * @param[in] bm blinded message to free
+ */
+void
+GNUNET_CRYPTO_blinded_message_decref (
+  struct GNUNET_CRYPTO_BlindedMessage *bm);
+
+
+/**
+ * Increment reference counter of the given @a bm.
+ *
+ * @param[in,out] bm blinded message to increment reference counter for
+ * @return alias of @a bm with RC incremented
+ */
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_blinded_message_incref (
+  struct GNUNET_CRYPTO_BlindedMessage *bm);
+
+
+/**
+ * Increment reference counter of the given @a bi.
+ *
+ * @param[in,out] bi blinding input values to increment reference counter for
+ * @return alias of @a bi with RC incremented
+ */
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_blinding_input_values_incref (
+  struct GNUNET_CRYPTO_BlindingInputValues *bm);
+
+
+/**
+ * Decrement reference counter of the given @a bi, and free it if it reaches
+ * zero.
+ *
+ * @param[in,out] bi blinding input values to decrement reference counter for
+ */
+void
+GNUNET_CRYPTO_blinding_input_values_decref (
+  struct GNUNET_CRYPTO_BlindingInputValues *bm);
+
+
+/**
+ * Increment reference counter of the given @a bsign_pub.
+ *
+ * @param[in,out] bsign_pub public key to increment reference counter for
+ * @return alias of @a bsign_pub with RC incremented
+ */
+struct GNUNET_CRYPTO_BlindSignPublicKey *
+GNUNET_CRYPTO_bsign_pub_incref (
+  struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub);
+
+
+/**
+ * Increment reference counter of the given @a bsign_priv.
+ *
+ * @param[in,out] bsign_priv private key to increment reference counter for
+ * @return alias of @a bsign_priv with RC incremented
+ */
+struct GNUNET_CRYPTO_BlindSignPrivateKey *
+GNUNET_CRYPTO_bsign_priv_incref (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv);
+
+
+/**
+ * Increment reference counter of the given @a ub_sig.
+ *
+ * @param[in,out] ub_sig signature to increment reference counter for
+ * @return alias of @a ub_sig with RC incremented
+ */
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig);
+
+
+/**
+ * Increment reference counter of the given @a blind_sig.
+ *
+ * @param[in,out] blind_sig signature to increment reference counter for
+ * @return alias of @a blind_sig with RC incremented
+ */
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sig_incref (
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig);
+
+
+/**
+ * Compare two denomination public keys.
+ *
+ * @param bp1 first key
+ * @param bp2 second key
+ * @return 0 if the keys are equal, otherwise -1 or 1
+ */
+int
+GNUNET_CRYPTO_bsign_pub_cmp (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1,
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2);
+
+
+/**
+ * Compare two denomination signatures.
+ *
+ * @param sig1 first signature
+ * @param sig2 second signature
+ * @return 0 if the keys are equal, otherwise -1 or 1
+ */
+int
+GNUNET_CRYPTO_ub_sig_cmp (const struct GNUNET_CRYPTO_UnblindedSignature *sig1,
+                          const struct GNUNET_CRYPTO_UnblindedSignature *sig2);
+
+
+/**
+ * Compare two blinded denomination signatures.
+ *
+ * @param sig1 first signature
+ * @param sig2 second signature
+ * @return 0 if the keys are equal, otherwise -1 or 1
+ */
+int
+GNUNET_CRYPTO_blind_sig_cmp (
+  const struct GNUNET_CRYPTO_BlindedSignature *sig1,
+  const struct GNUNET_CRYPTO_BlindedSignature *sig2);
+
+
+/**
+ * Compare two blinded messages.
+ *
+ * @param bp1 first blinded message
+ * @param bp2 second blinded message
+ * @return 0 if the keys are equal, otherwise -1 or 1
+ */
+int
+GNUNET_CRYPTO_blinded_message_cmp (
+  const struct GNUNET_CRYPTO_BlindedMessage *bp1,
+  const struct GNUNET_CRYPTO_BlindedMessage *bp2);
+
+
+/**
+ * Initialize public-private key pair for blind signatures.
+ *
+ * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int"
+ * argument with the number of bits for 'n' (e.g. 2048) must
+ * be passed.
+ *
+ * @param[out] bsign_priv where to write the private key with RC 1
+ * @param[out] bsign_pub where to write the public key with RC 1
+ * @param cipher which type of cipher to use
+ * @param ... RSA key size (eg. 2048/3072/4096)
+ * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
+  struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+  ...);
+
+
+/**
+ * Initialize public-private key pair for blind signatures.
+ *
+ * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int"
+ * argument with the number of bits for 'n' (e.g. 2048) must
+ * be passed.
+ *
+ * @param[out] bsign_priv where to write the private key with RC 1
+ * @param[out] bsign_pub where to write the public key with RC 1
+ * @param cipher which type of cipher to use
+ * @param ap RSA key size (eg. 2048/3072/4096)
+ * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create_va (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
+  struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+  va_list ap);
+
+
+/**
+ * @brief Type of blinding secrets.  Must be exactly 32 bytes (DB).
+ */
+union GNUNET_CRYPTO_BlindingSecretP
+{
+  /**
+   * Clause Schnorr nonce.
+   */
+  struct GNUNET_CRYPTO_CsBlindingNonce nonce;
+
+  /**
+   * Variant for RSA for blind signatures.
+   */
+  struct GNUNET_CRYPTO_RsaBlindingKeySecret rsa_bks;
+};
+
+
+/**
+ * Blind message for blind signing with @a dk using blinding secret @a coin_bks.
+ *
+ * @param bsign_pub public key to blind for
+ * @param bks blinding secret to use
+ * @param nonce nonce used to obtain @a alg_values
+ *        can be NULL if input values are not used for the cipher
+ * @param message message to sign
+ * @param message_size number of bytes in @a message
+ * @param alg_values algorithm specific values to blind the @a message
+ * @return blinded message to give to signer, NULL on error
+ */
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_message_blind_to_sign (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const void *message,
+  size_t message_size,
+  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values);
+
+
+/**
+ * Create blind signature.
+ *
+ * @param bsign_priv private key to use for signing
+ * @param salt salt value to use for the HKDF,
+ *        can be NULL if input values are not used for the cipher
+ * @param blinded_message the already blinded message to sign
+ * @return blind signature with RC=1, NULL on failure
+ */
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sign (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const char *salt,
+  const struct GNUNET_CRYPTO_BlindedMessage *blinded_message);
+
+
+/**
+ * Unblind blind signature.
+ *
+ * @param blinded_sig the blind signature
+ * @param bks blinding secret to use
+ * @param message message that was supposedly signed
+ * @param message_size number of bytes in @a message
+ * @param alg_values algorithm specific values
+ * @param bsign_pub public key used for signing
+ * @return unblinded signature with RC=1, NULL on error
+ */
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_blind_sig_unblind (
+  const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig,
+  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const void *message,
+  size_t message_size,
+  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values,
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub);
+
+
+/**
+ * Verify signature made blindly.
+ *
+ * @param bsign_pub public key
+ * @param ub_sig signature made blindly with the private key
+ * @param message message that was supposedly signed
+ * @param message_size number of bytes in @a message
+ * @return #GNUNET_OK if the signature is valid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sig_verify (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+  const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig,
+  const void *message,
+  size_t message_size);
+
+
+/**
+ * Get the compacted length of a #GNUNET_CRYPTO_PublicKey.
+ * Compacted means that it returns the minimum number of bytes this
+ * key is long, as opposed to the union structure inside
+ * #GNUNET_CRYPTO_PublicKey.
+ * Useful for compact serializations.
+ *
+ * @param key the key.
+ * @return -1 on error, else the compacted length of the key.
+ */
+ssize_t
+GNUNET_CRYPTO_public_key_get_length (const struct
+                                     GNUNET_CRYPTO_PublicKey *key);
+
+/**
+ * Reads a #GNUNET_CRYPTO_PublicKey from a compact buffer.
+ * The buffer has to contain at least the compacted length of
+ * a #GNUNET_CRYPTO_PublicKey in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the buffer does not contain a valid key, it returns -2 as error.
+ *
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @param key the key
+ * @param the amount of bytes read from the buffer
+ * @return #GNUNET_SYSERR on error
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_read_public_key_from_buffer (
+  const void *buffer,
+  size_t len,
+  struct GNUNET_CRYPTO_PublicKey *key,
+  size_t *read);
+
+/**
+ * Get the compacted length of a #GNUNET_CRYPTO_PrivateKey.
+ * Compacted means that it returns the minimum number of bytes this
+ * key is long, as opposed to the union structure inside
+ * #GNUNET_CRYPTO_PrivateKey.
+ * Useful for compact serializations.
+ *
+ * @param key the key.
+ * @return -1 on error, else the compacted length of the key.
+ */
+ssize_t
+GNUNET_CRYPTO_private_key_get_length (
+  const struct GNUNET_CRYPTO_PrivateKey *key);
+
+
+/**
+ * Writes a #GNUNET_CRYPTO_PublicKey to a compact buffer.
+ * The buffer requires space for at least the compacted length of
+ * a #GNUNET_CRYPTO_PublicKey in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the key is not valid, it returns -2 as error.
+ *
+ * @param key the key
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes written to the buffer
+ */
+ssize_t
+GNUNET_CRYPTO_write_public_key_to_buffer (const struct
+                                          GNUNET_CRYPTO_PublicKey *key,
+                                          void*buffer,
+                                          size_t len);
+
+
+/**
+ * Reads a #GNUNET_CRYPTO_PrivateKey from a compact buffer.
+ * The buffer has to contain at least the compacted length of
+ * a #GNUNET_CRYPTO_PrivateKey in bytes.
+ * If the buffer is too small, the function returns GNUNET_SYSERR as error.
+ *
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @param key the key
+ * @param the amount of bytes read from the buffer
+ * @return #GNUNET_SYSERR on error
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_read_private_key_from_buffer (
+  const void*buffer,
+  size_t len,
+  struct GNUNET_CRYPTO_PrivateKey *key,
+  size_t *read);
+
+
+/**
+ * Writes a #GNUNET_CRYPTO_PrivateKey to a compact buffer.
+ * The buffer requires space for at least the compacted length of
+ * a #GNUNET_CRYPTO_PrivateKey in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the key is not valid, it returns -2 as error.
+ *
+ * @param key the key
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes written to the buffer
+ */
+ssize_t
+GNUNET_CRYPTO_write_private_key_to_buffer (
+  const struct GNUNET_CRYPTO_PrivateKey *key,
+  void*buffer,
+  size_t len);
+
+
+/**
+ * Get the compacted length of a #GNUNET_CRYPTO_Signature.
+ * Compacted means that it returns the minimum number of bytes this
+ * signature is long, as opposed to the union structure inside
+ * #GNUNET_CRYPTO_Signature.
+ * Useful for compact serializations.
+ *
+ * @param sig the signature.
+ * @return -1 on error, else the compacted length of the signature.
+ */
+ssize_t
+GNUNET_CRYPTO_signature_get_length (
+  const struct GNUNET_CRYPTO_Signature *sig);
+
+
+/**
+ * Get the compacted length of a signature by type.
+ * Compacted means that it returns the minimum number of bytes this
+ * signature is long, as opposed to the union structure inside
+ * #GNUNET_CRYPTO_Signature.
+ * Useful for compact serializations.
+ *
+ * @param sig the signature.
+ * @return -1 on error, else the compacted length of the signature.
+ */
+ssize_t
+GNUNET_CRYPTO_signature_get_raw_length_by_type (uint32_t type);
+
+
+/**
+ * Reads a #GNUNET_CRYPTO_Signature from a compact buffer.
+ * The buffer has to contain at least the compacted length of
+ * a #GNUNET_CRYPTO_Signature in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the buffer does not contain a valid key, it returns -2 as error.
+ *
+ * @param sig the signature
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes read from the buffer
+ */
+ssize_t
+GNUNET_CRYPTO_read_signature_from_buffer (
+  struct GNUNET_CRYPTO_Signature *sig,
+  const void*buffer,
+  size_t len);
+
+
+/**
+ * Writes a #GNUNET_CRYPTO_Signature to a compact buffer.
+ * The buffer requires space for at least the compacted length of
+ * a #GNUNET_CRYPTO_Signature in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the key is not valid, it returns -2 as error.
+ *
+ * @param sig the signature
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes written to the buffer
+ */
+ssize_t
+GNUNET_CRYPTO_write_signature_to_buffer (
+  const struct GNUNET_CRYPTO_Signature *sig,
+  void*buffer,
+  size_t len);
+
+
+/**
+ * @brief Sign a given block.
+ *
+ * The @a purpose data is the beginning of the data of which the signature is
+ * to be created. The `size` field in @a purpose must correctly indicate the
+ * number of bytes of the data structure, including its header. If possible,
+ * use #GNUNET_CRYPTO_sign() instead of this function.
+ *
+ * @param priv private key to use for the signing
+ * @param purpose what to sign (size, purpose)
+ * @param[out] sig where to write the signature
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_sign_ (
+  const struct GNUNET_CRYPTO_PrivateKey *priv,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+  struct GNUNET_CRYPTO_Signature *sig);
+
+/**
+ * @brief Sign a given block.
+ *
+ * The @a purpose data is the beginning of the data of which the signature is
+ * to be created. The `size` field in @a purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ * The signature payload and length depends on the key type.
+ *
+ * @param priv private key to use for the signing
+ * @param purpose what to sign (size, purpose)
+ * @param[out] sig where to write the signature
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_sign_raw_ (
+  const struct GNUNET_CRYPTO_PrivateKey *priv,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+  unsigned char *sig);
+
+
+/**
+ * @brief Sign a given block with #GNUNET_CRYPTO_PrivateKey.
+ *
+ * The @a ps data must be a fixed-size struct for which the signature is to be
+ * created. The `size` field in @a ps->purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ *
+ * @param priv private key to use for the signing
+ * @param ps packed struct with what to sign, MUST begin with a purpose
+ * @param[out] sig where to write the signature
+ */
+#define GNUNET_CRYPTO_sign(priv,ps,sig) do {                \
+    /* check size is set correctly */                                     \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));         \
+    /* check 'ps' begins with the purpose */                              \
+    GNUNET_static_assert (((void*) (ps)) ==                               \
+                          ((void*) &(ps)->purpose));                      \
+    GNUNET_assert (GNUNET_OK ==                                           \
+                   GNUNET_CRYPTO_sign_ (priv,               \
+                                        &(ps)->purpose,             \
+                                        sig));                      \
+} while (0)
+
+
+/**
+ * @brief Verify a given signature.
+ *
+ * The @a validate data is the beginning of the data of which the signature
+ * is to be verified. The `size` field in @a validate must correctly indicate
+ * the number of bytes of the data structure, including its header.  If @a
+ * purpose does not match the purpose given in @a validate (the latter must be
+ * in big endian), signature verification fails.  If possible,
+ * use #GNUNET_CRYPTO_signature_verify() instead of this function (only if @a validate
+ * is not fixed-size, you must use this function directly).
+ *
+ * @param purpose what is the purpose that the signature should have?
+ * @param validate block to validate (size, purpose, data)
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_signature_verify_ (
+  uint32_t purpose,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
+  const struct GNUNET_CRYPTO_Signature *sig,
+  const struct GNUNET_CRYPTO_PublicKey *pub);
+
+/**
+ * @brief Verify a given signature.
+ *
+ * The @a validate data is the beginning of the data of which the signature
+ * is to be verified. The `size` field in @a validate must correctly indicate
+ * the number of bytes of the data structure, including its header.  If @a
+ * purpose does not match the purpose given in @a validate (the latter must be
+ * in big endian), signature verification fails.
+ *
+ * @param purpose what is the purpose that the signature should have?
+ * @param validate block to validate (size, purpose, data)
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_signature_verify_raw_ (
+  uint32_t purpose,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
+  const unsigned char *sig,
+  const struct GNUNET_CRYPTO_PublicKey *pub);
+
+
+/**
+ * @brief Verify a given signature with #GNUNET_CRYPTO_PublicKey.
+ *
+ * The @a ps data must be a fixed-size struct for which the signature is to be
+ * created. The `size` field in @a ps->purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ *
+ * @param purp purpose of the signature, must match 'ps->purpose.purpose'
+ *              (except in host byte order)
+ * @param ps packed struct with what to sign, MUST begin with a purpose
+ * @param sig where to read the signature from
+ * @param pub public key to use for the verifying
+ */
+#define GNUNET_CRYPTO_signature_verify(purp,ps,sig,pub) ({             \
+    /* check size is set correctly */                                     \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));         \
+    /* check 'ps' begins with the purpose */                              \
+    GNUNET_static_assert (((void*) (ps)) ==                               \
+                          ((void*) &(ps)->purpose));                      \
+    GNUNET_CRYPTO_signature_verify_ (purp,                              \
+                                     &(ps)->purpose,                    \
+                                     sig,                               \
+                                     pub);                              \
+  })
+
+
+/**
+ * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a
+ * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption
+ * using ecdh to derive a symmetric key.
+ *
+ * @param block the block to encrypt
+ * @param size the size of the @a block
+ * @param pub public key to use for ecdh
+ * @param ecc where to write the ecc public key
+ * @param result the output parameter in which to store the encrypted result
+ *               can be the same or overlap with @c block
+ * @returns the size of the encrypted block, -1 for errors.
+ *          Due to the use of CFB and therefore an effective stream cipher,
+ *          this size should be the same as @c len.
+ */
+ssize_t
+GNUNET_CRYPTO_encrypt_old (const void *block,
+                           size_t size,
+                           const struct GNUNET_CRYPTO_PublicKey *pub,
+                           struct GNUNET_CRYPTO_EcdhePublicKey *ecc,
+                           void *result);
+
+
+/**
+ * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given
+ * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key.
+ *
+ * @param block the data to decrypt, encoded as returned by encrypt
+ * @param size the size of the @a block to decrypt
+ * @param priv private key to use for ecdh
+ * @param ecc the ecc public key
+ * @param result address to store the result at
+ *               can be the same or overlap with @c block
+ * @return -1 on failure, size of decrypted block on success.
+ *         Due to the use of CFB and therefore an effective stream cipher,
+ *         this size should be the same as @c size.
+ */
+ssize_t
+GNUNET_CRYPTO_decrypt_old (
+  const void *block,
+  size_t size,
+  const struct GNUNET_CRYPTO_PrivateKey *priv,
+  const struct GNUNET_CRYPTO_EcdhePublicKey *ecc,
+  void *result);
+
+#define GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES (crypto_secretbox_MACBYTES \
+                                              + sizeof (struct \
+                                                        GNUNET_CRYPTO_FoKemC))
+
+/**
+ * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a
+ * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption
+ * using ecdh to derive a symmetric key.
+ *
+ * Note that the result buffer for the ciphertext must be the length of
+ * the message to encrypt plus #GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES.
+ *
+ * @param block the block to encrypt
+ * @param size the size of the @a block
+ * @param pub public key to encrypt for
+ * @param result the output parameter in which to store the encrypted result
+ *               can be the same or overlap with @c block
+ * @returns GNUNET_OK on success.
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_encrypt (const void *block,
+                       size_t size,
+                       const struct GNUNET_CRYPTO_PublicKey *pub,
+                       void *result,
+                       size_t result_size);
+
+
+/**
+ * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given
+ * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key.
+ *
+ * @param block the data to decrypt, encoded as returned by encrypt
+ * @param size the size of the @a block to decrypt
+ * @param priv private key to use for ecdh
+ * @param result address to store the result at
+ *               can be the same or overlap with @c block
+ * @returns GNUNET_OK on success.
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_decrypt (const void *block,
+                       size_t size,
+                       const struct GNUNET_CRYPTO_PrivateKey *priv,
+                       void *result,
+                       size_t result_size);
+
+
+/**
+ * Creates a (Base32) string representation of the public key.
+ * The resulting string encodes a compacted representation of the key.
+ * See also #GNUNET_CRYPTO_key_get_length.
+ *
+ * @param key the key.
+ * @return the string representation of the key, or NULL on error.
+ */
+char *
+GNUNET_CRYPTO_public_key_to_string (
+  const struct GNUNET_CRYPTO_PublicKey *key);
+
+
+/**
+ * Creates a (Base32) string representation of the private key.
+ * The resulting string encodes a compacted representation of the key.
+ * See also #GNUNET_CRYPTO_key_get_length.
+ *
+ * @param key the key.
+ * @return the string representation of the key, or NULL on error.
+ */
+char *
+GNUNET_CRYPTO_private_key_to_string (
+  const struct GNUNET_CRYPTO_PrivateKey *key);
+
+
+/**
+ * Parses a (Base32) string representation of the public key.
+ * See also #GNUNET_CRYPTO_public_key_to_string.
+ *
+ * @param str the encoded key.
+ * @param key where to write the key.
+ * @return GNUNET_SYSERR on error.
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_public_key_from_string (const char*str,
+                                      struct GNUNET_CRYPTO_PublicKey *key);
+
+
+/**
+ * Parses a (Base32) string representation of the private key.
+ * See also #GNUNET_CRYPTO_private_key_to_string.
+ *
+ * @param str the encoded key.
+ * @param key where to write the key.
+ * @return GNUNET_SYSERR on error.
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_private_key_from_string (const char*str,
+                                       struct GNUNET_CRYPTO_PrivateKey *key);
+
+
+/**
+ * Retrieves the public key representation of a private key.
+ *
+ * @param privkey the private key.
+ * @param key the public key result.
+ * @return GNUNET_SYSERR on error.
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_key_get_public (const struct
+                              GNUNET_CRYPTO_PrivateKey *privkey,
+                              struct GNUNET_CRYPTO_PublicKey *key);
+
 #if 0 /* keep Emacsens' auto-indent happy */
 {
 #endif
@@ -2435,4 +4489,7 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
 
 /* ifndef GNUNET_CRYPTO_LIB_H */
 #endif
+
+/** @} */ /* end of group addition */
+
 /* end of gnunet_crypto_lib.h */