1 files changed, 401 insertions, 0 deletions
diff --git a/src/util/gnunet-crypto-tvg.c b/src/util/gnunet-crypto-tvg.c
index 28e44e28b..6b2a7f472 100644
--- a/src/util/gnunet-crypto-tvg.c
+++ b/src/util/gnunet-crypto-tvg.c
@@ -672,6 +672,263 @@ checkvec (const char *operation,
    GNUNET_free (sig_enc_data);
    GNUNET_free (skey);
  }
+  else if (0 == strcmp (operation, "cs_blind_signing"))
+  {
+    struct GNUNET_CRYPTO_CsPrivateKey priv;
+    struct GNUNET_CRYPTO_CsPublicKey pub;
+    struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+    struct GNUNET_CRYPTO_CsRSecret r_priv[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub_blind[2];
+    struct GNUNET_CRYPTO_CsC c[2];
+    struct GNUNET_CRYPTO_CsS signature_scalar;
+    struct GNUNET_CRYPTO_CsBlindS blinded_s;
+    struct GNUNET_CRYPTO_CsSignature sig;
+    struct GNUNET_CRYPTO_CsNonce nonce;
+    struct GNUNET_HashCode message_hash;
+    unsigned int b;
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "message_hash",
+                                        &message_hash,
+                                        sizeof (message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_public_key",
+                                        &pub,
+                                        sizeof (pub)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_private_key",
+                                        &priv,
+                                        sizeof (priv)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_nonce",
+                                        &nonce,
+                                        sizeof (nonce)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_priv_0",
+                                        &r_priv[0],
+                                        sizeof (r_priv[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_priv_1",
+                                        &r_priv[1],
+                                        sizeof (r_priv[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_pub_0",
+                                        &r_pub[0],
+                                        sizeof (r_pub[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_pub_1",
+                                        &r_pub[1],
+                                        sizeof (r_pub[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_alpha_0",
+                                        &bs[0].alpha,
+                                        sizeof (bs[0].alpha)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_alpha_1",
+                                        &bs[1].alpha,
+                                        sizeof (bs[1].alpha)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_beta_0",
+                                        &bs[0].beta,
+                                        sizeof (bs[0].beta)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_beta_1",
+                                        &bs[1].beta,
+                                        sizeof (bs[1].beta)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_pub_blind_0",
+                                        &r_pub_blind[0],
+                                        sizeof (r_pub_blind[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_pub_blind_1",
+                                        &r_pub_blind[1],
+                                        sizeof (r_pub_blind[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_c_0",
+                                        &c[0],
+                                        sizeof (c[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_c_1",
+                                        &c[1],
+                                        sizeof (c[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_blind_s",
+                                        &blinded_s,
+                                        sizeof (blinded_s)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_b",
+                                        &b,
+                                        sizeof (b)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_sig_s",
+                                        &signature_scalar,
+                                        sizeof (signature_scalar)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    sig.s_scalar = signature_scalar;
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_sig_R",
+                                        &sig.r_point,
+                                        sizeof (sig.r_point)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if ((b != 1)&& (b != 0))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    struct GNUNET_CRYPTO_CsRSecret r_priv_comp[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub_comp[2];
+    struct GNUNET_CRYPTO_CsBlindingSecret bs_comp[2];
+    struct GNUNET_CRYPTO_CsC c_comp[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub_blind_comp[2];
+    struct GNUNET_CRYPTO_CsBlindS blinded_s_comp;
+    struct GNUNET_CRYPTO_CsS signature_scalar_comp;
+    struct GNUNET_CRYPTO_CsSignature sig_comp;
+    unsigned int b_comp;
+    GNUNET_CRYPTO_cs_r_derive (&nonce, &priv, r_priv_comp);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv_comp[0], &r_pub_comp[0]);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv_comp[1], &r_pub_comp[1]);
+    GNUNET_assert (0 == memcmp (&r_priv_comp,
+                                &r_priv,
+                                sizeof(struct GNUNET_CRYPTO_CsRSecret) * 2));
+    GNUNET_assert (0 == memcmp (&r_pub_comp,
+                                &r_pub,
+                                sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce,
+                                              bs_comp);
+    GNUNET_assert (0 == memcmp (&bs_comp,
+                                &bs,
+                                sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+                                * 2));
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs_comp,
+                                     r_pub_comp,
+                                     &pub,
+                                     &message_hash,
+                                     sizeof(message_hash),
+                                     c_comp,
+                                     r_pub_blind_comp);
+    GNUNET_assert (0 == memcmp (&c_comp,
+                                &c,
+                                sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+    GNUNET_assert (0 == memcmp (&r_pub_blind_comp,
+                                &r_pub_blind,
+                                sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+    b_comp = GNUNET_CRYPTO_cs_sign_derive (&priv,
+                                           r_priv_comp,
+                                           c_comp,
+                                           &nonce,
+                                           &blinded_s_comp);
+    GNUNET_assert (0 == memcmp (&blinded_s_comp,
+                                &blinded_s,
+                                sizeof(blinded_s)));
+    GNUNET_assert (0 == memcmp (&b_comp,
+                                &b,
+                                sizeof(b)));
+    GNUNET_CRYPTO_cs_unblind (&blinded_s_comp,
+                              &bs_comp[b_comp],
+                              &signature_scalar_comp);
+    GNUNET_assert (0 == memcmp (&signature_scalar_comp,
+                                &signature_scalar,
+                                sizeof(signature_scalar_comp)));
+    sig_comp.r_point = r_pub_blind_comp[b_comp];
+    sig_comp.s_scalar = signature_scalar_comp;
+    GNUNET_assert (0 == memcmp (&sig_comp,
+                                &sig,
+                                sizeof(sig_comp)));
+    if (GNUNET_OK != GNUNET_CRYPTO_cs_verify (&sig_comp,
+                                              &pub,
+                                              &message_hash,
+                                              sizeof(message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+  }
  else
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@@ -1025,6 +1282,150 @@ output_vectors ()
    GNUNET_free (secret_enc_data);
  }
+  {
+    json_t *vec = vec_for (vecs, "cs_blind_signing");
+    struct GNUNET_CRYPTO_CsPrivateKey priv;
+    struct GNUNET_CRYPTO_CsPublicKey pub;
+    struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+    struct GNUNET_CRYPTO_CsRSecret r_priv[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub_blind[2];
+    struct GNUNET_CRYPTO_CsC c[2];
+    struct GNUNET_CRYPTO_CsS signature_scalar;
+    struct GNUNET_CRYPTO_CsBlindS blinded_s;
+    struct GNUNET_CRYPTO_CsSignature sig;
+    struct GNUNET_CRYPTO_CsNonce nonce;
+    unsigned int b;
+    struct GNUNET_HashCode message_hash;
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                &message_hash,
+                                sizeof (struct GNUNET_HashCode));
+    GNUNET_CRYPTO_cs_private_key_generate (&priv);
+    GNUNET_CRYPTO_cs_private_key_get_public (&priv, &pub);
+    GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_hkdf (nonce.nonce,
+                                                     sizeof(nonce.nonce),
+                                                     GCRY_MD_SHA512,
+                                                     GCRY_MD_SHA256,
+                                                     "nonce",
+                                                     strlen ("nonce"),
+                                                     "nonce_secret",
+                                                     strlen ("nonce_secret"),
+                                                     NULL,
+                                                     0));
+    GNUNET_CRYPTO_cs_r_derive (&nonce, &priv, r_priv);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv[0], &r_pub[0]);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv[1], &r_pub[1]);
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce,
+                                              bs);
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                     r_pub,
+                                     &pub,
+                                     &message_hash,
+                                     sizeof(message_hash),
+                                     c,
+                                     r_pub_blind);
+    b = GNUNET_CRYPTO_cs_sign_derive (&priv,
+                                      r_priv,
+                                      c,
+                                      &nonce,
+                                      &blinded_s);
+    GNUNET_CRYPTO_cs_unblind (&blinded_s, &bs[b], &signature_scalar);
+    sig.r_point = r_pub_blind[b];
+    sig.s_scalar = signature_scalar;
+    if (GNUNET_OK != GNUNET_CRYPTO_cs_verify (&sig,
+                                              &pub,
+                                              &message_hash,
+                                              sizeof(message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    d2j (vec,
+         "message_hash",
+         &message_hash,
+         sizeof (struct GNUNET_HashCode));
+    d2j (vec,
+         "cs_public_key",
+         &pub,
+         sizeof(pub));
+    d2j (vec,
+         "cs_private_key",
+         &priv,
+         sizeof(priv));
+    d2j (vec,
+         "cs_nonce",
+         &nonce,
+         sizeof(nonce));
+    d2j (vec,
+         "cs_r_priv_0",
+         &r_priv[0],
+         sizeof(r_priv[0]));
+    d2j (vec,
+         "cs_r_priv_1",
+         &r_priv[1],
+         sizeof(r_priv[1]));
+    d2j (vec,
+         "cs_r_pub_0",
+         &r_pub[0],
+         sizeof(r_pub[0]));
+    d2j (vec,
+         "cs_r_pub_1",
+         &r_pub[1],
+         sizeof(r_pub[1]));
+    d2j (vec,
+         "cs_bs_alpha_0",
+         &bs[0].alpha,
+         sizeof(bs[0].alpha));
+    d2j (vec,
+         "cs_bs_alpha_1",
+         &bs[1].alpha,
+         sizeof(bs[1].alpha));
+    d2j (vec,
+         "cs_bs_beta_0",
+         &bs[0].beta,
+         sizeof(bs[0].beta));
+    d2j (vec,
+         "cs_bs_beta_1",
+         &bs[1].beta,
+         sizeof(bs[1].beta));
+    d2j (vec,
+         "cs_r_pub_blind_0",
+         &r_pub_blind[0],
+         sizeof(r_pub_blind[0]));
+    d2j (vec,
+         "cs_r_pub_blind_1",
+         &r_pub_blind[1],
+         sizeof(r_pub_blind[1]));
+    d2j (vec,
+         "cs_c_0",
+         &c[0],
+         sizeof(c[0]));
+    d2j (vec,
+         "cs_c_1",
+         &c[1],
+         sizeof(c[1]));
+    d2j (vec,
+         "cs_blind_s",
+         &blinded_s,
+         sizeof(blinded_s));
+    d2j (vec,
+         "cs_b",
+         &b,
+         sizeof(b));
+    d2j (vec,
+         "cs_sig_s",
+         &signature_scalar,
+         sizeof(signature_scalar));
+    d2j (vec,
+         "cs_sig_R",
+         &r_pub_blind[b],
+         sizeof(r_pub_blind[b]));
+  }
  json_dumpf (vecfile, stdout, JSON_INDENT (2));
  json_decref (vecfile);
  printf ("\n");

diff --git a/src/util/gnunet-crypto-tvg.c b/src/util/gnunet-crypto-tvg.c index 28e44e28b..6b2a7f472 100644 --- a/src/util/gnunet-crypto-tvg.c +++ b/src/util/gnunet-crypto-tvg.c
@@ -672,6 +672,263 @@ checkvec (const char *operation,
672	GNUNET_free (sig_enc_data);	672	GNUNET_free (sig_enc_data);
673	GNUNET_free (skey);	673	GNUNET_free (skey);
674	}	674	}
		675	else if (0 == strcmp (operation, "cs_blind_signing"))
		676	{
		677	struct GNUNET_CRYPTO_CsPrivateKey priv;
		678	struct GNUNET_CRYPTO_CsPublicKey pub;
		679	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
		680	struct GNUNET_CRYPTO_CsRSecret r_priv[2];
		681	struct GNUNET_CRYPTO_CsRPublic r_pub[2];
		682	struct GNUNET_CRYPTO_CsRPublic r_pub_blind[2];
		683	struct GNUNET_CRYPTO_CsC c[2];
		684	struct GNUNET_CRYPTO_CsS signature_scalar;
		685	struct GNUNET_CRYPTO_CsBlindS blinded_s;
		686	struct GNUNET_CRYPTO_CsSignature sig;
		687	struct GNUNET_CRYPTO_CsNonce nonce;
		688	struct GNUNET_HashCode message_hash;
		689	unsigned int b;
		690
		691	if (GNUNET_OK != expect_data_fixed (vec,
		692	"message_hash",
		693	&message_hash,
		694	sizeof (message_hash)))
		695	{
		696	GNUNET_break (0);
		697	return GNUNET_SYSERR;
		698	}
		699	if (GNUNET_OK != expect_data_fixed (vec,
		700	"cs_public_key",
		701	&pub,
		702	sizeof (pub)))
		703	{
		704	GNUNET_break (0);
		705	return GNUNET_SYSERR;
		706	}
		707
		708	if (GNUNET_OK != expect_data_fixed (vec,
		709	"cs_private_key",
		710	&priv,
		711	sizeof (priv)))
		712	{
		713	GNUNET_break (0);
		714	return GNUNET_SYSERR;
		715	}
		716	if (GNUNET_OK != expect_data_fixed (vec,
		717	"cs_nonce",
		718	&nonce,
		719	sizeof (nonce)))
		720	{
		721	GNUNET_break (0);
		722	return GNUNET_SYSERR;
		723	}
		724	if (GNUNET_OK != expect_data_fixed (vec,
		725	"cs_r_priv_0",
		726	&r_priv[0],
		727	sizeof (r_priv[0])))
		728	{
		729	GNUNET_break (0);
		730	return GNUNET_SYSERR;
		731	}
		732	if (GNUNET_OK != expect_data_fixed (vec,
		733	"cs_r_priv_1",
		734	&r_priv[1],
		735	sizeof (r_priv[1])))
		736	{
		737	GNUNET_break (0);
		738	return GNUNET_SYSERR;
		739	}
		740	if (GNUNET_OK != expect_data_fixed (vec,
		741	"cs_r_pub_0",
		742	&r_pub[0],
		743	sizeof (r_pub[0])))
		744	{
		745	GNUNET_break (0);
		746	return GNUNET_SYSERR;
		747	}
		748	if (GNUNET_OK != expect_data_fixed (vec,
		749	"cs_r_pub_1",
		750	&r_pub[1],
		751	sizeof (r_pub[1])))
		752	{
		753	GNUNET_break (0);
		754	return GNUNET_SYSERR;
		755	}
		756
		757	if (GNUNET_OK != expect_data_fixed (vec,
		758	"cs_bs_alpha_0",
		759	&bs[0].alpha,
		760	sizeof (bs[0].alpha)))
		761	{
		762	GNUNET_break (0);
		763	return GNUNET_SYSERR;
		764	}
		765	if (GNUNET_OK != expect_data_fixed (vec,
		766	"cs_bs_alpha_1",
		767	&bs[1].alpha,
		768	sizeof (bs[1].alpha)))
		769	{
		770	GNUNET_break (0);
		771	return GNUNET_SYSERR;
		772	}
		773	if (GNUNET_OK != expect_data_fixed (vec,
		774	"cs_bs_beta_0",
		775	&bs[0].beta,
		776	sizeof (bs[0].beta)))
		777	{
		778	GNUNET_break (0);
		779	return GNUNET_SYSERR;
		780	}
		781	if (GNUNET_OK != expect_data_fixed (vec,
		782	"cs_bs_beta_1",
		783	&bs[1].beta,
		784	sizeof (bs[1].beta)))
		785	{
		786	GNUNET_break (0);
		787	return GNUNET_SYSERR;
		788	}
		789	if (GNUNET_OK != expect_data_fixed (vec,
		790	"cs_r_pub_blind_0",
		791	&r_pub_blind[0],
		792	sizeof (r_pub_blind[0])))
		793	{
		794	GNUNET_break (0);
		795	return GNUNET_SYSERR;
		796	}
		797	if (GNUNET_OK != expect_data_fixed (vec,
		798	"cs_r_pub_blind_1",
		799	&r_pub_blind[1],
		800	sizeof (r_pub_blind[1])))
		801	{
		802	GNUNET_break (0);
		803	return GNUNET_SYSERR;
		804	}
		805	if (GNUNET_OK != expect_data_fixed (vec,
		806	"cs_c_0",
		807	&c[0],
		808	sizeof (c[0])))
		809	{
		810	GNUNET_break (0);
		811	return GNUNET_SYSERR;
		812	}
		813	if (GNUNET_OK != expect_data_fixed (vec,
		814	"cs_c_1",
		815	&c[1],
		816	sizeof (c[1])))
		817	{
		818	GNUNET_break (0);
		819	return GNUNET_SYSERR;
		820	}
		821	if (GNUNET_OK != expect_data_fixed (vec,
		822	"cs_blind_s",
		823	&blinded_s,
		824	sizeof (blinded_s)))
		825	{
		826	GNUNET_break (0);
		827	return GNUNET_SYSERR;
		828	}
		829	if (GNUNET_OK != expect_data_fixed (vec,
		830	"cs_b",
		831	&b,
		832	sizeof (b)))
		833	{
		834	GNUNET_break (0);
		835	return GNUNET_SYSERR;
		836	}
		837	if (GNUNET_OK != expect_data_fixed (vec,
		838	"cs_sig_s",
		839	&signature_scalar,
		840	sizeof (signature_scalar)))
		841	{
		842	GNUNET_break (0);
		843	return GNUNET_SYSERR;
		844	}
		845	sig.s_scalar = signature_scalar;
		846	if (GNUNET_OK != expect_data_fixed (vec,
		847	"cs_sig_R",
		848	&sig.r_point,
		849	sizeof (sig.r_point)))
		850	{
		851	GNUNET_break (0);
		852	return GNUNET_SYSERR;
		853	}
		854
		855	if ((b != 1)&& (b != 0))
		856	{
		857	GNUNET_break (0);
		858	return GNUNET_SYSERR;
		859	}
		860
		861	struct GNUNET_CRYPTO_CsRSecret r_priv_comp[2];
		862	struct GNUNET_CRYPTO_CsRPublic r_pub_comp[2];
		863	struct GNUNET_CRYPTO_CsBlindingSecret bs_comp[2];
		864	struct GNUNET_CRYPTO_CsC c_comp[2];
		865	struct GNUNET_CRYPTO_CsRPublic r_pub_blind_comp[2];
		866	struct GNUNET_CRYPTO_CsBlindS blinded_s_comp;
		867	struct GNUNET_CRYPTO_CsS signature_scalar_comp;
		868	struct GNUNET_CRYPTO_CsSignature sig_comp;
		869	unsigned int b_comp;
		870
		871
		872	GNUNET_CRYPTO_cs_r_derive (&nonce, &priv, r_priv_comp);
		873	GNUNET_CRYPTO_cs_r_get_public (&r_priv_comp[0], &r_pub_comp[0]);
		874	GNUNET_CRYPTO_cs_r_get_public (&r_priv_comp[1], &r_pub_comp[1]);
		875	GNUNET_assert (0 == memcmp (&r_priv_comp,
		876	&r_priv,
		877	sizeof(struct GNUNET_CRYPTO_CsRSecret) * 2));
		878	GNUNET_assert (0 == memcmp (&r_pub_comp,
		879	&r_pub,
		880	sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
		881
		882	GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce,
		883	bs_comp);
		884	GNUNET_assert (0 == memcmp (&bs_comp,
		885	&bs,
		886	sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
		887	* 2));
		888	GNUNET_CRYPTO_cs_calc_blinded_c (bs_comp,
		889	r_pub_comp,
		890	&pub,
		891	&message_hash,
		892	sizeof(message_hash),
		893	c_comp,
		894	r_pub_blind_comp);
		895	GNUNET_assert (0 == memcmp (&c_comp,
		896	&c,
		897	sizeof(struct GNUNET_CRYPTO_CsC) * 2));
		898	GNUNET_assert (0 == memcmp (&r_pub_blind_comp,
		899	&r_pub_blind,
		900	sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
		901	b_comp = GNUNET_CRYPTO_cs_sign_derive (&priv,
		902	r_priv_comp,
		903	c_comp,
		904	&nonce,
		905	&blinded_s_comp);
		906	GNUNET_assert (0 == memcmp (&blinded_s_comp,
		907	&blinded_s,
		908	sizeof(blinded_s)));
		909	GNUNET_assert (0 == memcmp (&b_comp,
		910	&b,
		911	sizeof(b)));
		912	GNUNET_CRYPTO_cs_unblind (&blinded_s_comp,
		913	&bs_comp[b_comp],
		914	&signature_scalar_comp);
		915	GNUNET_assert (0 == memcmp (&signature_scalar_comp,
		916	&signature_scalar,
		917	sizeof(signature_scalar_comp)));
		918	sig_comp.r_point = r_pub_blind_comp[b_comp];
		919	sig_comp.s_scalar = signature_scalar_comp;
		920	GNUNET_assert (0 == memcmp (&sig_comp,
		921	&sig,
		922	sizeof(sig_comp)));
		923	if (GNUNET_OK != GNUNET_CRYPTO_cs_verify (&sig_comp,
		924	&pub,
		925	&message_hash,
		926	sizeof(message_hash)))
		927	{
		928	GNUNET_break (0);
		929	return GNUNET_SYSERR;
		930	}
		931	}
675	else	932	else
676	{	933	{
677	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,	934	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@@ -1025,6 +1282,150 @@ output_vectors ()
1025	GNUNET_free (secret_enc_data);	1282	GNUNET_free (secret_enc_data);
1026	}	1283	}
1027		1284
		1285	{
		1286	json_t *vec = vec_for (vecs, "cs_blind_signing");
		1287
		1288	struct GNUNET_CRYPTO_CsPrivateKey priv;
		1289	struct GNUNET_CRYPTO_CsPublicKey pub;
		1290	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
		1291	struct GNUNET_CRYPTO_CsRSecret r_priv[2];
		1292	struct GNUNET_CRYPTO_CsRPublic r_pub[2];
		1293	struct GNUNET_CRYPTO_CsRPublic r_pub_blind[2];
		1294	struct GNUNET_CRYPTO_CsC c[2];
		1295	struct GNUNET_CRYPTO_CsS signature_scalar;
		1296	struct GNUNET_CRYPTO_CsBlindS blinded_s;
		1297	struct GNUNET_CRYPTO_CsSignature sig;
		1298	struct GNUNET_CRYPTO_CsNonce nonce;
		1299	unsigned int b;
		1300	struct GNUNET_HashCode message_hash;
		1301
		1302	GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
		1303	&message_hash,
		1304	sizeof (struct GNUNET_HashCode));
		1305
		1306	GNUNET_CRYPTO_cs_private_key_generate (&priv);
		1307	GNUNET_CRYPTO_cs_private_key_get_public (&priv, &pub);
		1308
		1309	GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_hkdf (nonce.nonce,
		1310	sizeof(nonce.nonce),
		1311	GCRY_MD_SHA512,
		1312	GCRY_MD_SHA256,
		1313	"nonce",
		1314	strlen ("nonce"),
		1315	"nonce_secret",
		1316	strlen ("nonce_secret"),
		1317	NULL,
		1318	0));
		1319	GNUNET_CRYPTO_cs_r_derive (&nonce, &priv, r_priv);
		1320	GNUNET_CRYPTO_cs_r_get_public (&r_priv[0], &r_pub[0]);
		1321	GNUNET_CRYPTO_cs_r_get_public (&r_priv[1], &r_pub[1]);
		1322	GNUNET_CRYPTO_cs_blinding_secrets_derive (&nonce,
		1323	bs);
		1324	GNUNET_CRYPTO_cs_calc_blinded_c (bs,
		1325	r_pub,
		1326	&pub,
		1327	&message_hash,
		1328	sizeof(message_hash),
		1329	c,
		1330	r_pub_blind);
		1331	b = GNUNET_CRYPTO_cs_sign_derive (&priv,
		1332	r_priv,
		1333	c,
		1334	&nonce,
		1335	&blinded_s);
		1336	GNUNET_CRYPTO_cs_unblind (&blinded_s, &bs[b], &signature_scalar);
		1337	sig.r_point = r_pub_blind[b];
		1338	sig.s_scalar = signature_scalar;
		1339	if (GNUNET_OK != GNUNET_CRYPTO_cs_verify (&sig,
		1340	&pub,
		1341	&message_hash,
		1342	sizeof(message_hash)))
		1343	{
		1344	GNUNET_break (0);
		1345	return GNUNET_SYSERR;
		1346	}
		1347	d2j (vec,
		1348	"message_hash",
		1349	&message_hash,
		1350	sizeof (struct GNUNET_HashCode));
		1351	d2j (vec,
		1352	"cs_public_key",
		1353	&pub,
		1354	sizeof(pub));
		1355	d2j (vec,
		1356	"cs_private_key",
		1357	&priv,
		1358	sizeof(priv));
		1359	d2j (vec,
		1360	"cs_nonce",
		1361	&nonce,
		1362	sizeof(nonce));
		1363	d2j (vec,
		1364	"cs_r_priv_0",
		1365	&r_priv[0],
		1366	sizeof(r_priv[0]));
		1367	d2j (vec,
		1368	"cs_r_priv_1",
		1369	&r_priv[1],
		1370	sizeof(r_priv[1]));
		1371	d2j (vec,
		1372	"cs_r_pub_0",
		1373	&r_pub[0],
		1374	sizeof(r_pub[0]));
		1375	d2j (vec,
		1376	"cs_r_pub_1",
		1377	&r_pub[1],
		1378	sizeof(r_pub[1]));
		1379	d2j (vec,
		1380	"cs_bs_alpha_0",
		1381	&bs[0].alpha,
		1382	sizeof(bs[0].alpha));
		1383	d2j (vec,
		1384	"cs_bs_alpha_1",
		1385	&bs[1].alpha,
		1386	sizeof(bs[1].alpha));
		1387	d2j (vec,
		1388	"cs_bs_beta_0",
		1389	&bs[0].beta,
		1390	sizeof(bs[0].beta));
		1391	d2j (vec,
		1392	"cs_bs_beta_1",
		1393	&bs[1].beta,
		1394	sizeof(bs[1].beta));
		1395	d2j (vec,
		1396	"cs_r_pub_blind_0",
		1397	&r_pub_blind[0],
		1398	sizeof(r_pub_blind[0]));
		1399	d2j (vec,
		1400	"cs_r_pub_blind_1",
		1401	&r_pub_blind[1],
		1402	sizeof(r_pub_blind[1]));
		1403	d2j (vec,
		1404	"cs_c_0",
		1405	&c[0],
		1406	sizeof(c[0]));
		1407	d2j (vec,
		1408	"cs_c_1",
		1409	&c[1],
		1410	sizeof(c[1]));
		1411	d2j (vec,
		1412	"cs_blind_s",
		1413	&blinded_s,
		1414	sizeof(blinded_s));
		1415	d2j (vec,
		1416	"cs_b",
		1417	&b,
		1418	sizeof(b));
		1419	d2j (vec,
		1420	"cs_sig_s",
		1421	&signature_scalar,
		1422	sizeof(signature_scalar));
		1423	d2j (vec,
		1424	"cs_sig_R",
		1425	&r_pub_blind[b],
		1426	sizeof(r_pub_blind[b]));
		1427	}
		1428
1028	json_dumpf (vecfile, stdout, JSON_INDENT (2));	1429	json_dumpf (vecfile, stdout, JSON_INDENT (2));
1029	json_decref (vecfile);	1430	json_decref (vecfile);
1030	printf ("\n");	1431	printf ("\n");