1 files changed, 621 insertions, 0 deletions
diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c
new file mode 100644
index 000000000..ee68db72f
--- /dev/null
+++ b/src/lib/util/test_crypto_cs.c
@@ -0,0 +1,621 @@
+/*
+   This file is part of GNUnet
+   Copyright (C) 2021,2022, 2023 GNUnet e.V.
+   GNUnet is free software: you can redistribute it and/or modify it
+   under the terms of the GNU Affero General Public License as published
+   by the Free Software Foundation, either version 3 of the License,
+   or (at your option) any later version.
+   GNUnet is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Affero General Public License for more details.
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file util/test_crypto_cs.c
+ * @brief testcase for utility functions for clause blind schnorr signature scheme cryptography
+ * @author Lucien Heuzeveldt <lucienclaude.heuzeveldt@students.bfh.ch>
+ * @author Gian Demarmels <gian@demarmels.org>
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include <sodium.h>
+#define ITER 25
+static void
+test_create_priv (struct GNUNET_CRYPTO_CsPrivateKey *priv)
+{
+  /* TEST 1
+   * Check that privkey is set
+   */
+  struct GNUNET_CRYPTO_CsPrivateKey other_priv;
+  GNUNET_CRYPTO_cs_private_key_generate (priv);
+  memset (&other_priv,
+          42,
+          sizeof (other_priv));
+  GNUNET_assert (0 !=
+                 GNUNET_memcmp (&other_priv.scalar,
+                                &priv->scalar));
+}
+static void
+test_generate_pub (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                   struct GNUNET_CRYPTO_CsPublicKey *pub)
+{
+  /* TEST 1
+   * Check that pubkey is set
+   */
+  struct GNUNET_CRYPTO_CsPublicKey other_pub;
+  GNUNET_CRYPTO_cs_private_key_get_public (priv,
+                                           pub);
+  memset (&other_pub,
+          42,
+          sizeof (other_pub));
+  GNUNET_assert (0 !=
+                 GNUNET_memcmp (&other_pub.point,
+                                &pub->point));
+  /* TEST 2
+   * Check that pubkey is a valid point
+   */
+  GNUNET_assert (1 ==
+                 crypto_core_ed25519_is_valid_point (pub->point.y));
+  /* TEST 3
+   * Check if function gives the same result for the same output
+   */
+  other_pub = *pub;
+  for (unsigned int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_private_key_get_public (priv,
+                                             pub);
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&other_pub.point,
+                                  &pub->point));
+  }
+}
+static void
+test_derive_rsecret (const struct GNUNET_CRYPTO_CsSessionNonce *nonce,
+                     const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                     struct GNUNET_CRYPTO_CsRSecret r[2])
+{
+  /* TEST 1
+   * Check that r are set
+   */
+  struct GNUNET_CRYPTO_CsPrivateKey other_r[2];
+  memcpy (other_r,
+          r,
+          sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2);
+  GNUNET_CRYPTO_cs_r_derive (nonce,
+                             "nw",
+                             priv,
+                             r);
+  GNUNET_assert (0 !=
+                 memcmp (&other_r[0],
+                         &r[0],
+                         sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2));
+  /* TEST 2
+   * Check if function gives the same result for the same input.
+   * This test ensures that the derivation is deterministic.
+   */
+  memcpy (other_r,
+          r,
+          sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2);
+  for (unsigned int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_r_derive (nonce,
+                               "nw",
+                               priv,
+                               r);
+    GNUNET_assert (0 ==
+                   memcmp (other_r,
+                           r,
+                           sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2));
+  }
+}
+static void
+test_generate_rpublic (const struct GNUNET_CRYPTO_CsRSecret *r_priv,
+                       struct GNUNET_CRYPTO_CsRPublic *r_pub)
+{
+  /* TEST 1
+   * Check that r_pub is set
+   */
+  struct GNUNET_CRYPTO_CsRPublic other_r_pub;
+  other_r_pub = *r_pub;
+  GNUNET_CRYPTO_cs_r_get_public (r_priv,
+                                 r_pub);
+  GNUNET_assert (0 !=
+                 GNUNET_memcmp (&other_r_pub.point,
+                                &r_pub->point));
+  /* TEST 2
+   * Check that r_pub is a valid point
+   */
+  GNUNET_assert (1 ==
+                 crypto_core_ed25519_is_valid_point (r_pub->point.y));
+  /* TEST 3
+   * Check if function gives the same result for the same output
+   */
+  other_r_pub.point = r_pub->point;
+  for (int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_r_get_public (r_priv,
+                                   r_pub);
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&other_r_pub.point,
+                                  &r_pub->point));
+  }
+}
+static void
+test_derive_blindingsecrets (const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed,
+                             struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
+{
+  /* TEST 1
+   * Check that blinding secrets are set
+   */
+  struct GNUNET_CRYPTO_CsBlindingSecret other_bs[2];
+  memcpy (other_bs,
+          bs,
+          sizeof(struct GNUNET_CRYPTO_CsBlindingSecret) * 2);
+  GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed,
+                                            bs);
+  GNUNET_assert (0 !=
+                 memcmp (other_bs,
+                         bs,
+                         sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+                         * 2));
+  /* TEST 2
+   * Check if function gives the same result for the same input.
+   * This test ensures that the derivation is deterministic.
+   */
+  memcpy (other_bs,
+          bs,
+          sizeof(struct GNUNET_CRYPTO_CsBlindingSecret) * 2);
+  for (unsigned int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed,
+                                              bs);
+    GNUNET_assert (0 == memcmp (&other_bs[0],
+                                &bs[0],
+                                sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+                                * 2));
+  }
+}
+static void
+test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
+                    const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
+                    const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                    const void *msg,
+                    size_t msg_len,
+                    struct GNUNET_CRYPTO_CsC blinded_cs[2],
+                    struct GNUNET_CRYPTO_CSPublicRPairP *blinded_r_pub)
+{
+  /* TEST 1
+   * Check that the blinded c's and blinded r's
+   */
+  struct GNUNET_CRYPTO_CsC other_blinded_c[2];
+  memcpy (&other_blinded_c[0],
+          &blinded_cs[0],
+          sizeof(struct GNUNET_CRYPTO_CsC) * 2);
+  struct GNUNET_CRYPTO_CSPublicRPairP other_blinded_pub;
+  other_blinded_pub = *blinded_r_pub;
+  GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                   r_pub,
+                                   pub,
+                                   msg,
+                                   msg_len,
+                                   blinded_cs,
+                                   blinded_r_pub);
+  GNUNET_assert (0 != memcmp (&other_blinded_c[0],
+                              &blinded_cs[0],
+                              sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+  GNUNET_assert (0 !=
+                 GNUNET_memcmp (&other_blinded_pub,
+                                blinded_r_pub));
+  /* TEST 2
+   * Check if R' - aG -bX = R for b = 0
+   * This test does the opposite operations and checks whether the equation is still correct.
+   */
+  for (unsigned int b = 0; b <= 1; b++)
+  {
+    struct GNUNET_CRYPTO_Cs25519Point aG;
+    struct GNUNET_CRYPTO_Cs25519Point bX;
+    struct GNUNET_CRYPTO_Cs25519Point r_min_aG;
+    struct GNUNET_CRYPTO_CsRPublic res;
+    GNUNET_assert (0 ==
+                   crypto_scalarmult_ed25519_base_noclamp (
+                     aG.y,
+                     bs[b].alpha.d));
+    GNUNET_assert (0 ==
+                   crypto_scalarmult_ed25519_noclamp (
+                     bX.y,
+                     bs[b].beta.d,
+                     pub->point.y));
+    GNUNET_assert (0 ==
+                   crypto_core_ed25519_sub (
+                     r_min_aG.y,
+                     blinded_r_pub->r_pub[b].point.y,
+                     aG.y));
+    GNUNET_assert (0 == crypto_core_ed25519_sub (
+                     res.point.y,
+                     r_min_aG.y,
+                     bX.y));
+    GNUNET_assert (0 ==
+                   memcmp (&res,
+                           &r_pub[b],
+                           sizeof(struct GNUNET_CRYPTO_CsRPublic)));
+  }
+  /* TEST 3
+   * Check that the blinded r_pubs' are valid points
+   */
+  GNUNET_assert (1 ==
+                 crypto_core_ed25519_is_valid_point (
+                   blinded_r_pub->r_pub[0].point.y));
+  GNUNET_assert (1 ==
+                 crypto_core_ed25519_is_valid_point (
+                   blinded_r_pub->r_pub[1].point.y));
+  /* TEST 4
+   * Check if function gives the same result for the same input.
+   */
+  memcpy (&other_blinded_c[0],
+          &blinded_cs[0],
+          sizeof(struct GNUNET_CRYPTO_CsC) * 2);
+  other_blinded_pub = *blinded_r_pub;
+  for (unsigned int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                     r_pub,
+                                     pub,
+                                     msg,
+                                     msg_len,
+                                     blinded_cs,
+                                     blinded_r_pub);
+    GNUNET_assert (0 ==
+                   memcmp (&other_blinded_c[0],
+                           &blinded_cs[0],
+                           sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&other_blinded_pub,
+                                  blinded_r_pub));
+  }
+}
+static void
+test_blind_sign (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+                 const struct GNUNET_CRYPTO_CsRSecret r[2],
+                 const struct GNUNET_CRYPTO_CsBlindedMessage *bm,
+                 struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
+{
+  /* TEST 1
+   * Check that blinded_s is set
+   */
+  struct GNUNET_CRYPTO_CsBlindSignature other_blind_sig;
+  memset (&other_blind_sig,
+          44,
+          sizeof (other_blind_sig));
+  GNUNET_CRYPTO_cs_sign_derive (priv,
+                                r,
+                                bm,
+                                &other_blind_sig);
+  GNUNET_assert (0 == other_blind_sig.b ||
+                 1 == other_blind_sig.b);
+  /* TEST 2
+   * Check if s := rb + cbX
+   * This test does the opposite operations and checks whether the equation is still correct.
+   */
+  struct GNUNET_CRYPTO_Cs25519Scalar cb_mul_x;
+  struct GNUNET_CRYPTO_Cs25519Scalar s_min_rb;
+ 
+  crypto_core_ed25519_scalar_mul (cb_mul_x.d,
+                                  bm->c[other_blind_sig.b].scalar.d,
+                                  priv->scalar.d);
+  crypto_core_ed25519_scalar_sub (s_min_rb.d,
+                                  other_blind_sig.s_scalar.scalar.d,
+                                  r[other_blind_sig.b].scalar.d);
+  GNUNET_assert (0 ==
+                 GNUNET_memcmp (&s_min_rb,
+                                &cb_mul_x));
+  /* TEST 3
+   * Check if function gives the same result for the same input.
+   */
+  for (unsigned int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_sign_derive (priv,
+                                  r,
+                                  bm,
+                                  cs_blind_sig);
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&other_blind_sig,
+                                  cs_blind_sig));
+  }
+}
+static void
+test_unblinds (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
+               const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+               struct GNUNET_CRYPTO_CsS *signature_scalar)
+{
+  /* TEST 1
+   * Check that signature_scalar is set
+   */
+  struct GNUNET_CRYPTO_CsS other_signature_scalar;
+  memcpy (&other_signature_scalar,
+          signature_scalar,
+          sizeof(struct GNUNET_CRYPTO_CsS));
+  GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar,
+                            bs,
+                            signature_scalar);
+  GNUNET_assert (0 != memcmp (&other_signature_scalar,
+                              signature_scalar,
+                              sizeof(struct GNUNET_CRYPTO_CsS)));
+  /* TEST 2
+   * Check if s' := s + a mod p
+   * This test does the opposite operations and checks whether the equation is still correct.
+   */
+  struct GNUNET_CRYPTO_Cs25519Scalar s_min_a;
+  crypto_core_ed25519_scalar_sub (s_min_a.d,
+                                  signature_scalar->scalar.d,
+                                  bs->alpha.d);
+  GNUNET_assert (0 == memcmp (&s_min_a, &blinded_signature_scalar->scalar,
+                              sizeof(struct
+                                     GNUNET_CRYPTO_Cs25519Scalar)));
+  /* TEST 3
+   * Check if function gives the same result for the same input.
+   */
+  memcpy (&other_signature_scalar, signature_scalar,
+          sizeof(struct GNUNET_CRYPTO_CsS));
+  for (unsigned int i = 0; i<ITER; i++)
+  {
+    GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar, bs, signature_scalar);
+    GNUNET_assert (0 == memcmp (&other_signature_scalar,
+                                signature_scalar,
+                                sizeof(struct GNUNET_CRYPTO_CsS)));
+  }
+}
+static void
+test_blind_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+                   const struct GNUNET_CRYPTO_CsPublicKey *pub,
+                   const struct GNUNET_CRYPTO_CsC *c)
+{
+  /* TEST 1
+   * Test verifies the blinded signature sG == Rb + cbX
+   */
+  struct GNUNET_CRYPTO_Cs25519Point sig_scal_mul_base;
+  struct GNUNET_CRYPTO_Cs25519Point c_mul_pub;
+  struct GNUNET_CRYPTO_Cs25519Point r_add_c_mul_pub;
+  GNUNET_assert (0 ==
+                 crypto_scalarmult_ed25519_base_noclamp (
+                   sig_scal_mul_base.y,
+                   sig->s_scalar.scalar.d));
+  GNUNET_assert (0 ==
+                 crypto_scalarmult_ed25519_noclamp (c_mul_pub.y,
+                                                    c->scalar.d,
+                                                    pub->point.y));
+  GNUNET_assert (0 ==
+                 crypto_core_ed25519_add (r_add_c_mul_pub.y,
+                                          sig->r_point.point.y,
+                                          c_mul_pub.y));
+  GNUNET_assert (0 ==
+                 GNUNET_memcmp (sig_scal_mul_base.y,
+                                r_add_c_mul_pub.y));
+}
+static void
+test_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+             const struct GNUNET_CRYPTO_CsPublicKey *pub,
+             const void *msg,
+             size_t msg_len)
+{
+  /* TEST 1
+   * Test simple verification
+   */
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CRYPTO_cs_verify (sig,
+                                          pub,
+                                          msg,
+                                          msg_len));
+  /* TEST 2
+   * Test verification of "wrong" message
+   */
+  char other_msg[] = "test massege";
+  size_t other_msg_len = strlen ("test massege");
+  GNUNET_assert (GNUNET_SYSERR ==
+                 GNUNET_CRYPTO_cs_verify (sig,
+                                          pub,
+                                          other_msg,
+                                          other_msg_len));
+}
+int
+main (int argc,
+      char *argv[])
+{
+  printf ("Test started\n");
+  // ---------- actions performed by signer
+  char message[] = "test message";
+  size_t message_len = strlen ("test message");
+  struct GNUNET_CRYPTO_CsPrivateKey priv;
+  GNUNET_log_setup ("test-crypto-cs",
+                    "INFO",
+                    NULL);
+  memset (&priv,
+          42,
+          sizeof (priv));
+  test_create_priv (&priv);
+  struct GNUNET_CRYPTO_CsPublicKey pub;
+  memset (&pub,
+          42,
+          sizeof (pub));
+  test_generate_pub (&priv,
+                     &pub);
+  // set nonce
+  struct GNUNET_CRYPTO_CsSessionNonce nonce;
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CRYPTO_kdf (&nonce,
+                                    sizeof(nonce),
+                                    "nonce",
+                                    strlen ("nonce"),
+                                    "nonce_secret",
+                                    strlen ("nonce_secret"),
+                                    NULL,
+                                    0));
+  // generate r, R
+  struct GNUNET_CRYPTO_CsRSecret r_secrets[2];
+  memset (r_secrets,
+          42,
+          sizeof (r_secrets));
+  test_derive_rsecret (&nonce,
+                       &priv,
+                       r_secrets);
+  struct GNUNET_CRYPTO_CsRPublic r_publics[2];
+  memset (r_publics,
+          42,
+          sizeof (r_publics));
+  test_generate_rpublic (&r_secrets[0],
+                         &r_publics[0]);
+  test_generate_rpublic (&r_secrets[1],
+                         &r_publics[1]);
+  // ---------- actions performed by user
+  // generate blinding secrets
+  struct GNUNET_CRYPTO_CsBlindingSecret blindingsecrets[2];
+  struct GNUNET_CRYPTO_CsBlindingNonce bnonce;
+  memset (&bnonce,
+          42,
+          sizeof (bnonce));
+  memset (blindingsecrets,
+          42,
+          sizeof (blindingsecrets));
+  test_derive_blindingsecrets (&bnonce,
+                               blindingsecrets);
+  // calculate blinded c's
+  struct GNUNET_CRYPTO_CsBlindedMessage bm; 
+  struct GNUNET_CRYPTO_CsC blinded_cs[2];
+  struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pubs;
+  memset (blinded_cs,
+          42,
+          sizeof (blinded_cs));
+  memset (&blinded_r_pubs,
+          42,
+          sizeof (blinded_r_pubs));
+  test_calc_blindedc (blindingsecrets,
+                      r_publics,
+                      &pub,
+                      message,
+                      message_len,
+                      blinded_cs,
+                      &blinded_r_pubs);
+  // ---------- actions performed by signer
+  // sign blinded c's and get b and s in return
+  struct GNUNET_CRYPTO_CsBlindSignature blinded_s;
+  memset (&blinded_s,
+          42,
+          sizeof (blinded_s));
+  bm.c[0] = blinded_cs[0];
+  bm.c[1] = blinded_cs[1];
+  bm.nonce = nonce;
+  test_blind_sign (&priv,
+                   r_secrets,
+                   &bm,
+                   &blinded_s);
+  // verify blinded signature
+  struct GNUNET_CRYPTO_CsSignature blinded_signature;
+  blinded_signature.r_point = r_publics[blinded_s.b];
+  blinded_signature.s_scalar.scalar = blinded_s.s_scalar.scalar;
+  test_blind_verify (&blinded_signature,
+                     &pub,
+                     &blinded_cs[blinded_s.b]);
+  // ---------- actions performed by user
+  struct GNUNET_CRYPTO_CsS sig_scalar;
+  memset (&sig_scalar,
+          42,
+          sizeof (sig_scalar));
+  test_unblinds (&blinded_s.s_scalar,
+                 &blindingsecrets[blinded_s.b],
+                 &sig_scalar);
+  // verify unblinded signature
+  struct GNUNET_CRYPTO_CsSignature signature;
+  signature.r_point = blinded_r_pubs.r_pub[blinded_s.b];
+  signature.s_scalar = sig_scalar;
+  test_verify (&signature,
+               &pub,
+               message,
+               message_len);
+  return 0;
+}

diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c new file mode 100644 index 000000000..ee68db72f --- /dev/null +++ b/src/lib/util/test_crypto_cs.c
@@ -0,0 +1,621 @@
	1	/*
	2	This file is part of GNUnet
	3	Copyright (C) 2021,2022, 2023 GNUnet e.V.
	4
	5	GNUnet is free software: you can redistribute it and/or modify it
	6	under the terms of the GNU Affero General Public License as published
	7	by the Free Software Foundation, either version 3 of the License,
	8	or (at your option) any later version.
	9
	10	GNUnet is distributed in the hope that it will be useful, but
	11	WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	13	Affero General Public License for more details.
	14
	15	You should have received a copy of the GNU Affero General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17
	18	SPDX-License-Identifier: AGPL3.0-or-later
	19	*/
	20
	21	/**
	22	* @file util/test_crypto_cs.c
	23	* @brief testcase for utility functions for clause blind schnorr signature scheme cryptography
	24	* @author Lucien Heuzeveldt <lucienclaude.heuzeveldt@students.bfh.ch>
	25	* @author Gian Demarmels <gian@demarmels.org>
	26	*/
	27
	28	#include "platform.h"
	29	#include "gnunet_util_lib.h"
	30	#include <sodium.h>
	31
	32	#define ITER 25
	33
	34
	35	static void
	36	test_create_priv (struct GNUNET_CRYPTO_CsPrivateKey *priv)
	37	{
	38	/* TEST 1
	39	* Check that privkey is set
	40	*/
	41	struct GNUNET_CRYPTO_CsPrivateKey other_priv;
	42
	43	GNUNET_CRYPTO_cs_private_key_generate (priv);
	44	memset (&other_priv,
	45	42,
	46	sizeof (other_priv));
	47	GNUNET_assert (0 !=
	48	GNUNET_memcmp (&other_priv.scalar,
	49	&priv->scalar));
	50	}
	51
	52
	53	static void
	54	test_generate_pub (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
	55	struct GNUNET_CRYPTO_CsPublicKey *pub)
	56	{
	57	/* TEST 1
	58	* Check that pubkey is set
	59	*/
	60	struct GNUNET_CRYPTO_CsPublicKey other_pub;
	61
	62	GNUNET_CRYPTO_cs_private_key_get_public (priv,
	63	pub);
	64	memset (&other_pub,
	65	42,
	66	sizeof (other_pub));
	67	GNUNET_assert (0 !=
	68	GNUNET_memcmp (&other_pub.point,
	69	&pub->point));
	70
	71	/* TEST 2
	72	* Check that pubkey is a valid point
	73	*/
	74	GNUNET_assert (1 ==
	75	crypto_core_ed25519_is_valid_point (pub->point.y));
	76
	77	/* TEST 3
	78	* Check if function gives the same result for the same output
	79	*/
	80	other_pub = *pub;
	81	for (unsigned int i = 0; i<ITER; i++)
	82	{
	83	GNUNET_CRYPTO_cs_private_key_get_public (priv,
	84	pub);
	85	GNUNET_assert (0 ==
	86	GNUNET_memcmp (&other_pub.point,
	87	&pub->point));
	88	}
	89	}
	90
	91
	92	static void
	93	test_derive_rsecret (const struct GNUNET_CRYPTO_CsSessionNonce *nonce,
	94	const struct GNUNET_CRYPTO_CsPrivateKey *priv,
	95	struct GNUNET_CRYPTO_CsRSecret r[2])
	96	{
	97	/* TEST 1
	98	* Check that r are set
	99	*/
	100	struct GNUNET_CRYPTO_CsPrivateKey other_r[2];
	101
	102	memcpy (other_r,
	103	r,
	104	sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2);
	105	GNUNET_CRYPTO_cs_r_derive (nonce,
	106	"nw",
	107	priv,
	108	r);
	109	GNUNET_assert (0 !=
	110	memcmp (&other_r[0],
	111	&r[0],
	112	sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2));
	113
	114	/* TEST 2
	115	* Check if function gives the same result for the same input.
	116	* This test ensures that the derivation is deterministic.
	117	*/
	118	memcpy (other_r,
	119	r,
	120	sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2);
	121	for (unsigned int i = 0; i<ITER; i++)
	122	{
	123	GNUNET_CRYPTO_cs_r_derive (nonce,
	124	"nw",
	125	priv,
	126	r);
	127	GNUNET_assert (0 ==
	128	memcmp (other_r,
	129	r,
	130	sizeof(struct GNUNET_CRYPTO_CsPrivateKey) * 2));
	131	}
	132	}
	133
	134
	135	static void
	136	test_generate_rpublic (const struct GNUNET_CRYPTO_CsRSecret *r_priv,
	137	struct GNUNET_CRYPTO_CsRPublic *r_pub)
	138	{
	139	/* TEST 1
	140	* Check that r_pub is set
	141	*/
	142	struct GNUNET_CRYPTO_CsRPublic other_r_pub;
	143
	144	other_r_pub = *r_pub;
	145	GNUNET_CRYPTO_cs_r_get_public (r_priv,
	146	r_pub);
	147	GNUNET_assert (0 !=
	148	GNUNET_memcmp (&other_r_pub.point,
	149	&r_pub->point));
	150	/* TEST 2
	151	* Check that r_pub is a valid point
	152	*/
	153	GNUNET_assert (1 ==
	154	crypto_core_ed25519_is_valid_point (r_pub->point.y));
	155
	156	/* TEST 3
	157	* Check if function gives the same result for the same output
	158	*/
	159	other_r_pub.point = r_pub->point;
	160	for (int i = 0; i<ITER; i++)
	161	{
	162	GNUNET_CRYPTO_cs_r_get_public (r_priv,
	163	r_pub);
	164	GNUNET_assert (0 ==
	165	GNUNET_memcmp (&other_r_pub.point,
	166	&r_pub->point));
	167	}
	168	}
	169
	170
	171	static void
	172	test_derive_blindingsecrets (const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed,
	173	struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
	174	{
	175	/* TEST 1
	176	* Check that blinding secrets are set
	177	*/
	178	struct GNUNET_CRYPTO_CsBlindingSecret other_bs[2];
	179
	180	memcpy (other_bs,
	181	bs,
	182	sizeof(struct GNUNET_CRYPTO_CsBlindingSecret) * 2);
	183
	184	GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed,
	185	bs);
	186
	187	GNUNET_assert (0 !=
	188	memcmp (other_bs,
	189	bs,
	190	sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
	191	* 2));
	192
	193	/* TEST 2
	194	* Check if function gives the same result for the same input.
	195	* This test ensures that the derivation is deterministic.
	196	*/
	197	memcpy (other_bs,
	198	bs,
	199	sizeof(struct GNUNET_CRYPTO_CsBlindingSecret) * 2);
	200	for (unsigned int i = 0; i<ITER; i++)
	201	{
	202	GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed,
	203	bs);
	204	GNUNET_assert (0 == memcmp (&other_bs[0],
	205	&bs[0],
	206	sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
	207	* 2));
	208	}
	209	}
	210
	211
	212	static void
	213	test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
	214	const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
	215	const struct GNUNET_CRYPTO_CsPublicKey *pub,
	216	const void *msg,
	217	size_t msg_len,
	218	struct GNUNET_CRYPTO_CsC blinded_cs[2],
	219	struct GNUNET_CRYPTO_CSPublicRPairP *blinded_r_pub)
	220	{
	221	/* TEST 1
	222	* Check that the blinded c's and blinded r's
	223	*/
	224	struct GNUNET_CRYPTO_CsC other_blinded_c[2];
	225
	226	memcpy (&other_blinded_c[0],
	227	&blinded_cs[0],
	228	sizeof(struct GNUNET_CRYPTO_CsC) * 2);
	229
	230	struct GNUNET_CRYPTO_CSPublicRPairP other_blinded_pub;
	231	other_blinded_pub = *blinded_r_pub;
	232
	233	GNUNET_CRYPTO_cs_calc_blinded_c (bs,
	234	r_pub,
	235	pub,
	236	msg,
	237	msg_len,
	238	blinded_cs,
	239	blinded_r_pub);
	240
	241	GNUNET_assert (0 != memcmp (&other_blinded_c[0],
	242	&blinded_cs[0],
	243	sizeof(struct GNUNET_CRYPTO_CsC) * 2));
	244	GNUNET_assert (0 !=
	245	GNUNET_memcmp (&other_blinded_pub,
	246	blinded_r_pub));
	247
	248	/* TEST 2
	249	* Check if R' - aG -bX = R for b = 0
	250	* This test does the opposite operations and checks whether the equation is still correct.
	251	*/
	252	for (unsigned int b = 0; b <= 1; b++)
	253	{
	254	struct GNUNET_CRYPTO_Cs25519Point aG;
	255	struct GNUNET_CRYPTO_Cs25519Point bX;
	256	struct GNUNET_CRYPTO_Cs25519Point r_min_aG;
	257	struct GNUNET_CRYPTO_CsRPublic res;
	258
	259	GNUNET_assert (0 ==
	260	crypto_scalarmult_ed25519_base_noclamp (
	261	aG.y,
	262	bs[b].alpha.d));
	263	GNUNET_assert (0 ==
	264	crypto_scalarmult_ed25519_noclamp (
	265	bX.y,
	266	bs[b].beta.d,
	267	pub->point.y));
	268	GNUNET_assert (0 ==
	269	crypto_core_ed25519_sub (
	270	r_min_aG.y,
	271	blinded_r_pub->r_pub[b].point.y,
	272	aG.y));
	273	GNUNET_assert (0 == crypto_core_ed25519_sub (
	274	res.point.y,
	275	r_min_aG.y,
	276	bX.y));
	277
	278	GNUNET_assert (0 ==
	279	memcmp (&res,
	280	&r_pub[b],
	281	sizeof(struct GNUNET_CRYPTO_CsRPublic)));
	282	}
	283
	284
	285	/* TEST 3
	286	* Check that the blinded r_pubs' are valid points
	287	*/
	288	GNUNET_assert (1 ==
	289	crypto_core_ed25519_is_valid_point (
	290	blinded_r_pub->r_pub[0].point.y));
	291	GNUNET_assert (1 ==
	292	crypto_core_ed25519_is_valid_point (
	293	blinded_r_pub->r_pub[1].point.y));
	294
	295	/* TEST 4
	296	* Check if function gives the same result for the same input.
	297	*/
	298	memcpy (&other_blinded_c[0],
	299	&blinded_cs[0],
	300	sizeof(struct GNUNET_CRYPTO_CsC) * 2);
	301	other_blinded_pub = *blinded_r_pub;
	302
	303	for (unsigned int i = 0; i<ITER; i++)
	304	{
	305	GNUNET_CRYPTO_cs_calc_blinded_c (bs,
	306	r_pub,
	307	pub,
	308	msg,
	309	msg_len,
	310	blinded_cs,
	311	blinded_r_pub);
	312	GNUNET_assert (0 ==
	313	memcmp (&other_blinded_c[0],
	314	&blinded_cs[0],
	315	sizeof(struct GNUNET_CRYPTO_CsC) * 2));
	316	GNUNET_assert (0 ==
	317	GNUNET_memcmp (&other_blinded_pub,
	318	blinded_r_pub));
	319	}
	320	}
	321
	322
	323	static void
	324	test_blind_sign (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
	325	const struct GNUNET_CRYPTO_CsRSecret r[2],
	326	const struct GNUNET_CRYPTO_CsBlindedMessage *bm,
	327	struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
	328	{
	329	/* TEST 1
	330	* Check that blinded_s is set
	331	*/
	332	struct GNUNET_CRYPTO_CsBlindSignature other_blind_sig;
	333
	334	memset (&other_blind_sig,
	335	44,
	336	sizeof (other_blind_sig));
	337	GNUNET_CRYPTO_cs_sign_derive (priv,
	338	r,
	339	bm,
	340	&other_blind_sig);
	341	GNUNET_assert (0 == other_blind_sig.b \|\|
	342	1 == other_blind_sig.b);
	343
	344	/* TEST 2
	345	* Check if s := rb + cbX
	346	* This test does the opposite operations and checks whether the equation is still correct.
	347	*/
	348	struct GNUNET_CRYPTO_Cs25519Scalar cb_mul_x;
	349	struct GNUNET_CRYPTO_Cs25519Scalar s_min_rb;
	350
	351	crypto_core_ed25519_scalar_mul (cb_mul_x.d,
	352	bm->c[other_blind_sig.b].scalar.d,
	353	priv->scalar.d);
	354	crypto_core_ed25519_scalar_sub (s_min_rb.d,
	355	other_blind_sig.s_scalar.scalar.d,
	356	r[other_blind_sig.b].scalar.d);
	357	GNUNET_assert (0 ==
	358	GNUNET_memcmp (&s_min_rb,
	359	&cb_mul_x));
	360
	361	/* TEST 3
	362	* Check if function gives the same result for the same input.
	363	*/
	364	for (unsigned int i = 0; i<ITER; i++)
	365	{
	366	GNUNET_CRYPTO_cs_sign_derive (priv,
	367	r,
	368	bm,
	369	cs_blind_sig);
	370	GNUNET_assert (0 ==
	371	GNUNET_memcmp (&other_blind_sig,
	372	cs_blind_sig));
	373	}
	374	}
	375
	376
	377	static void
	378	test_unblinds (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
	379	const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
	380	struct GNUNET_CRYPTO_CsS *signature_scalar)
	381	{
	382	/* TEST 1
	383	* Check that signature_scalar is set
	384	*/
	385	struct GNUNET_CRYPTO_CsS other_signature_scalar;
	386	memcpy (&other_signature_scalar,
	387	signature_scalar,
	388	sizeof(struct GNUNET_CRYPTO_CsS));
	389
	390	GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar,
	391	bs,
	392	signature_scalar);
	393
	394	GNUNET_assert (0 != memcmp (&other_signature_scalar,
	395	signature_scalar,
	396	sizeof(struct GNUNET_CRYPTO_CsS)));
	397
	398	/* TEST 2
	399	* Check if s' := s + a mod p
	400	* This test does the opposite operations and checks whether the equation is still correct.
	401	*/
	402	struct GNUNET_CRYPTO_Cs25519Scalar s_min_a;
	403
	404	crypto_core_ed25519_scalar_sub (s_min_a.d,
	405	signature_scalar->scalar.d,
	406	bs->alpha.d);
	407
	408	GNUNET_assert (0 == memcmp (&s_min_a, &blinded_signature_scalar->scalar,
	409	sizeof(struct
	410	GNUNET_CRYPTO_Cs25519Scalar)));
	411
	412	/* TEST 3
	413	* Check if function gives the same result for the same input.
	414	*/
	415	memcpy (&other_signature_scalar, signature_scalar,
	416	sizeof(struct GNUNET_CRYPTO_CsS));
	417
	418	for (unsigned int i = 0; i<ITER; i++)
	419	{
	420	GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar, bs, signature_scalar);
	421	GNUNET_assert (0 == memcmp (&other_signature_scalar,
	422	signature_scalar,
	423	sizeof(struct GNUNET_CRYPTO_CsS)));
	424	}
	425	}
	426
	427
	428	static void
	429	test_blind_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
	430	const struct GNUNET_CRYPTO_CsPublicKey *pub,
	431	const struct GNUNET_CRYPTO_CsC *c)
	432	{
	433	/* TEST 1
	434	* Test verifies the blinded signature sG == Rb + cbX
	435	*/
	436	struct GNUNET_CRYPTO_Cs25519Point sig_scal_mul_base;
	437	struct GNUNET_CRYPTO_Cs25519Point c_mul_pub;
	438	struct GNUNET_CRYPTO_Cs25519Point r_add_c_mul_pub;
	439
	440	GNUNET_assert (0 ==
	441	crypto_scalarmult_ed25519_base_noclamp (
	442	sig_scal_mul_base.y,
	443	sig->s_scalar.scalar.d));
	444	GNUNET_assert (0 ==
	445	crypto_scalarmult_ed25519_noclamp (c_mul_pub.y,
	446	c->scalar.d,
	447	pub->point.y));
	448	GNUNET_assert (0 ==
	449	crypto_core_ed25519_add (r_add_c_mul_pub.y,
	450	sig->r_point.point.y,
	451	c_mul_pub.y));
	452	GNUNET_assert (0 ==
	453	GNUNET_memcmp (sig_scal_mul_base.y,
	454	r_add_c_mul_pub.y));
	455	}
	456
	457
	458	static void
	459	test_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
	460	const struct GNUNET_CRYPTO_CsPublicKey *pub,
	461	const void *msg,
	462	size_t msg_len)
	463	{
	464	/* TEST 1
	465	* Test simple verification
	466	*/
	467	GNUNET_assert (GNUNET_YES ==
	468	GNUNET_CRYPTO_cs_verify (sig,
	469	pub,
	470	msg,
	471	msg_len));
	472	/* TEST 2
	473	* Test verification of "wrong" message
	474	*/
	475	char other_msg[] = "test massege";
	476	size_t other_msg_len = strlen ("test massege");
	477	GNUNET_assert (GNUNET_SYSERR ==
	478	GNUNET_CRYPTO_cs_verify (sig,
	479	pub,
	480	other_msg,
	481	other_msg_len));
	482	}
	483
	484
	485	int
	486	main (int argc,
	487	char *argv[])
	488	{
	489	printf ("Test started\n");
	490
	491	// ---------- actions performed by signer
	492	char message[] = "test message";
	493	size_t message_len = strlen ("test message");
	494
	495	struct GNUNET_CRYPTO_CsPrivateKey priv;
	496
	497	GNUNET_log_setup ("test-crypto-cs",
	498	"INFO",
	499	NULL);
	500	memset (&priv,
	501	42,
	502	sizeof (priv));
	503	test_create_priv (&priv);
	504
	505	struct GNUNET_CRYPTO_CsPublicKey pub;
	506
	507	memset (&pub,
	508	42,
	509	sizeof (pub));
	510	test_generate_pub (&priv,
	511	&pub);
	512
	513	// set nonce
	514	struct GNUNET_CRYPTO_CsSessionNonce nonce;
	515	GNUNET_assert (GNUNET_YES ==
	516	GNUNET_CRYPTO_kdf (&nonce,
	517	sizeof(nonce),
	518	"nonce",
	519	strlen ("nonce"),
	520	"nonce_secret",
	521	strlen ("nonce_secret"),
	522	NULL,
	523	0));
	524
	525	// generate r, R
	526	struct GNUNET_CRYPTO_CsRSecret r_secrets[2];
	527
	528	memset (r_secrets,
	529	42,
	530	sizeof (r_secrets));
	531	test_derive_rsecret (&nonce,
	532	&priv,
	533	r_secrets);
	534
	535	struct GNUNET_CRYPTO_CsRPublic r_publics[2];
	536
	537	memset (r_publics,
	538	42,
	539	sizeof (r_publics));
	540	test_generate_rpublic (&r_secrets[0],
	541	&r_publics[0]);
	542	test_generate_rpublic (&r_secrets[1],
	543	&r_publics[1]);
	544
	545	// ---------- actions performed by user
	546
	547	// generate blinding secrets
	548	struct GNUNET_CRYPTO_CsBlindingSecret blindingsecrets[2];
	549	struct GNUNET_CRYPTO_CsBlindingNonce bnonce;
	550
	551	memset (&bnonce,
	552	42,
	553	sizeof (bnonce));
	554	memset (blindingsecrets,
	555	42,
	556	sizeof (blindingsecrets));
	557	test_derive_blindingsecrets (&bnonce,
	558	blindingsecrets);
	559
	560	// calculate blinded c's
	561	struct GNUNET_CRYPTO_CsBlindedMessage bm;
	562	struct GNUNET_CRYPTO_CsC blinded_cs[2];
	563	struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pubs;
	564
	565	memset (blinded_cs,
	566	42,
	567	sizeof (blinded_cs));
	568	memset (&blinded_r_pubs,
	569	42,
	570	sizeof (blinded_r_pubs));
	571	test_calc_blindedc (blindingsecrets,
	572	r_publics,
	573	&pub,
	574	message,
	575	message_len,
	576	blinded_cs,
	577	&blinded_r_pubs);
	578
	579	// ---------- actions performed by signer
	580	// sign blinded c's and get b and s in return
	581	struct GNUNET_CRYPTO_CsBlindSignature blinded_s;
	582
	583	memset (&blinded_s,
	584	42,
	585	sizeof (blinded_s));
	586	bm.c[0] = blinded_cs[0];
	587	bm.c[1] = blinded_cs[1];
	588	bm.nonce = nonce;
	589	test_blind_sign (&priv,
	590	r_secrets,
	591	&bm,
	592	&blinded_s);
	593	// verify blinded signature
	594	struct GNUNET_CRYPTO_CsSignature blinded_signature;
	595
	596	blinded_signature.r_point = r_publics[blinded_s.b];
	597	blinded_signature.s_scalar.scalar = blinded_s.s_scalar.scalar;
	598	test_blind_verify (&blinded_signature,
	599	&pub,
	600	&blinded_cs[blinded_s.b]);
	601
	602	// ---------- actions performed by user
	603	struct GNUNET_CRYPTO_CsS sig_scalar;
	604
	605	memset (&sig_scalar,
	606	42,
	607	sizeof (sig_scalar));
	608	test_unblinds (&blinded_s.s_scalar,
	609	&blindingsecrets[blinded_s.b],
	610	&sig_scalar);
	611
	612	// verify unblinded signature
	613	struct GNUNET_CRYPTO_CsSignature signature;
	614	signature.r_point = blinded_r_pubs.r_pub[blinded_s.b];
	615	signature.s_scalar = sig_scalar;
	616	test_verify (&signature,
	617	&pub,
	618	message,
	619	message_len);
	620	return 0;
	621	}