| Commit message (Collapse) | Author | Age |
Edx25519 is a variant of EdDSA on curve25519 which allows for repeated
derivation of private and public keys, independently. The private keys
in Edx25519 initially correspond to the data after expansion and
clamping in EdDSA. However, this correspondence is lost after deriving
further keys from existing ones. The public keys and signature
verification are compatible with EdDSA.
The ability to repeatedly derive key material is used for example in the
context of age restriction in GNU Taler.
The scheme that has been implemented is as follows:
/* Private keys in Edx25519 are pairs (a, b) of 32 byte each.
 * Initially they correspond to the result of the expansion
 * and clamping in EdDSA.
 */
Edx25519_generate_private(seed) {
    /* EdDSA expand and clamp */
    dh := SHA-512(seed)
    a := dh[0..31]
    b := dh[32..63]
    a[0] &= 0b11111000
    a[31] &= 0b01111111
    a[31] |= 0b01000000
    return (a, b)
}
Edx25519_public_from_private(private) {
    /* Public keys are the same as in EdDSA */
    (a, _) := private
    return [a] * G
}
Edx25519_blinding_factor(P, seed) {
    /* This is a helper function used in the derivation of
     * private/public keys from existing ones. */
    h1 := HKDF_32(P, seed)
    /* Ensure that h == h % L */
    h := h1 % L
    /* Optionally: Make sure that we don't create weak keys. */
    P' := [h] * P
    if !( (h!=1) && (h!=0) && (P'!=E) ) {
        return Edx25519_blinding_factor(P, seed+1)
    }
    return h
}
Edx25519_derive_private(private, seed) {
    /* This is based on the definition in
     * GNUNET_CRYPTO_eddsa_private_key_derive. But it accepts
     * and returns a private pair (a, b) and allows for iteration.
     */
    (a, b) := private
    P := Edx25519_public_from_private(private)
    h := Edx25519_blinding_factor(P, seed)
    /* Carefully calculate the new value for a */
    a1 := a / 8
    a2 := (h * a1) % L
    a' := (a2 * 8) % L
    /* Update b as well, binding it to h.
     * This is an additional step compared to GNS. */
    b' := SHA256(b ∥ h)
    return (a', b')
}
Edx25519_derive_public(P, seed) {
    h := Edx25519_blinding_factor(P, seed)
    return [h]*P
}
Edx25519_sign(private, message) {
    /* As in Ed25519, except for the origin of b */
    (d, b) := private
    P := Edx25519_public_from_private(private)
    r := SHA-512(b ∥ message)
    R := [r] * G
    s := r + SHA-512(R ∥ P ∥ message) * d % L
    return (R,s)
}
Edx25519_verify(P, message, signature) {
    /* Identical to Ed25519 */
    (R, s) := signature
    return [s] * G == R + [SHA-512(R ∥ P ∥ message)] * P
}
Signed-off-by: TheJackiMonster <thejackimonster@gmail.com>
Without this, GNUNET_DEFAULT_INTERFACE is empty, which leads to a
compilation-time error on at least NetBSD due to the resulting
syntax error.
lo0 definitely exists; it is up to the individual package maintainers and/or
system administrators after installation to set this to usable devices. We
cannot predict the default device names on those *BSD systems, as there are no
default names.
Signed-off-by: Martin Schanzenbach <schanzen@gnunet.org>
- Fixed small bug in UDP communicator.
- Fixed bug in DV circle test case.
- Introduced a default value to wait for a reliability ack.
- Introduced a FC retransmission threshold together with a retransmission count.
- Introduced an original size value for TransportDVBoxMessage.
- Checking if we have the root pending message, when removing the pending message from virtual link.
- Added delay value to schedule_transmit_on_queue to wait for retransmitting.
- Checking for confirmed virtual link, before routing.
- Allow unconfirmed queues or DV routes when doing dv encapsulation for control traffic.
- Changed check_vl_transmission to also check window size for DV next hop peer.
- Fixed fragment box handling to also handle reliability boxed message which needed to be fragmented.
- Fixed completing a message which was not only fragmented but also DV boxed.
- Added logic to notify core about a new virtual link using distance vector without having validated next neighbour.
- Added logic to create a virtual link to handle flow control messages.
- Fixed several smaller bugs in fragmentation logic.
- Changed logic for adding the next_attempt value of PendingMessage.
New API that allows the caller to reserve
the modification of a record set under a label.
The record set cannot be modified by other clients
until released.
Signed-off-by: TheJackiMonster <thejackimonster@gmail.com>
verify
is unknown