path: root/src/util/crypto_edx25519.c
Commit log (commit message, author, age):

* NEWS: Refactoring components under src/ into lib/, plugin/, cli/ and service/ (Martin Schanzenbach, 2023-10-18)
  This also includes a necessary API refactoring of crypto from IDENTITY to UTIL.
* UTIL: Allow only inclusion of util glib-style. (Martin Schanzenbach, 2022-12-04)
* BUILD: Attempt to disentangle platform.h, gnunet_common.h and gnunet_private_config.h insanity (Martin Schanzenbach, 2022-12-04)
* BUILD: Improve platform-specific includes (Martin Schanzenbach, 2022-12-01)
  This change allows third party programs to use gnunet either with the platform header from the sources used to build gnunet, or to use their own platform header by defining GNUNET_CUSTOM_PLATFORM_H, which will be included in its stead. This also means that programs no longer must include "platform.h" (or similar) manually. The change (should be) backwards compatible to some degree. Fixes #4615
* fixed typo in salt (Özgür Kesim, 2022-07-21)
* -oops, fix wrong size of unreduced scalar (Florian Dold, 2022-04-27)
* -only need to copy 32 bytes (Florian Dold, 2022-04-26)
* edx25519: use SHA512/256 instead of SHA256 (Florian Dold, 2022-04-26)
* edx25519: KDF call (Florian Dold, 2022-04-19)
* edx25519: use libsodium, tweak KDF call (Florian Dold, 2022-04-19)
* -fix bogus free bugs (Christian Grothoff, 2022-03-30)
* -fix leak in edx25519 (Özgür Kesim, 2022-03-28)
* Edx25519 implemented (Özgür Kesim, 2022-03-27)
  Edx25519 is a variant of EdDSA on curve25519 which allows for repeated derivation of private and public keys, independently. The private keys in Edx25519 initially correspond to the data after expansion and clamping in EdDSA. However, this correspondence is lost after deriving further keys from existing ones. The public keys and signature verification are compatible with EdDSA.

  The ability to repeatedly derive key material is used for example in the context of age restriction in GNU Taler.

  The scheme that has been implemented is as follows:

      /* Private keys in Edx25519 are pairs (a, b) of 32 byte each.
       * Initially they correspond to the result of the expansion
       * and clamping in EdDSA. */

      Edx25519_generate_private(seed) {
          /* EdDSA expand and clamp */
          dh := SHA-512(seed)
          a := dh[0..31]
          b := dh[32..64]
          a[0] &= 0b11111000
          a[31] &= 0b01111111
          a[31] |= 0b01000000
          return (a, b)
      }

      Edx25519_public_from_private(private) {
          /* Public keys are the same as in EdDSA */
          (a, _) := private
          return [a] * G
      }

      Edx25519_blinding_factor(P, seed) {
          /* This is a helper function used in the derivation of
           * private/public keys from existing ones. */
          h1 := HKDF_32(P, seed)
          /* Ensure that h == h % L */
          h := h1 % L
          /* Optionally: Make sure that we don't create weak keys. */
          P' := [h] * P
          if !( (h!=1) && (h!=0) && (P'!=E) ) {
              return Edx25519_blinding_factor(P, seed+1)
          }
          return h
      }

      Edx25519_derive_private(private, seed) {
          /* This is based on the definition in
           * GNUNET_CRYPTO_eddsa_private_key_derive. But it accepts
           * and returns a private pair (a, b) and allows for iteration. */
          (a, b) := private
          P := Edx25519_public_from_private(private)
          h := Edx25519_blinding_factor(P, seed)
          /* Carefully calculate the new value for a */
          a1 := a / 8
          a2 := (h * a1) % L
          a' := (a2 * 8) % L
          /* Update b as well, binding it to h. This is an additional
           * step compared to GNS. */
          b' := SHA256(b ∥ h)
          return (a', b')
      }

      Edx25519_derive_public(P, seed) {
          h := Edx25519_blinding_factor(P, seed)
          return [h] * P
      }

      Edx25519_sign(private, message) {
          /* As in Ed25519, except for the origin of b */
          (d, b) := private
          P := Edx25519_public_from_private(private)
          r := SHA-512(b ∥ message)
          R := [r] * G
          s := r + SHA-512(R ∥ P ∥ message) * d % L
          return (R, s)
      }

      Edx25519_verify(P, message, signature) {
          /* Identical to Ed25519 */
          (R, s) := signature
          return [s] * G == R + [SHA-512(R ∥ P ∥ message)] * P
      }
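The scheme in the commit message above, worked through in pure Python as an added example (this is not GNUnet's crypto_edx25519.c and does not reproduce its byte layout). It implements the Ed25519 group from scratch so that it runs offline, then builds generate/derive/sign/verify on top of it and checks the property the message claims: deriving twice on the private side and twice on the public side with the same seeds yields the same key, and the derived key still produces signatures that plain Ed25519 verification accepts. Assumptions, labelled in the code: HKDF_32(P, seed) is taken as HKDF-SHA512 with the encoded point as IKM, the seed as salt and a fixed info label; "seed+1" is read as a little-endian increment of the seed bytes; a/8 is computed as a * 8^-1 mod L, which equals integer division for a clamped scalar but also keeps repeated derivation consistent; b' uses SHA-256 as written in the message (a later commit in the log switched to SHA-512/256). The seeds and message are constructed test values.

```python
import hashlib, hmac

# Ed25519 group arithmetic in affine coordinates (slow, but self-contained).
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, -1, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)
E = (0, 1)  # neutral element

def recover_x(y, sign):
    """Solve x^2 = (y^2 - 1) / (d*y^2 + 1), returning the root with the given parity."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * SQRT_M1 % p
    if (x * x - xx) % p:
        raise ValueError("not on curve")
    return p - x if (x & 1) != sign else x

G = (recover_x(4 * pow(5, -1, p) % p, 0), 4 * pow(5, -1, p) % p)  # base point, y = 4/5

def point_add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    k = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + k, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - k, -1, p) % p)

def scalar_mult(k, P):
    R = E
    while k:
        if k & 1:
            R = point_add(R, P)
        P, k = point_add(P, P), k >> 1
    return R

def encode_point(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decode_point(b):
    y = int.from_bytes(b, "little")
    return (recover_x(y & ((1 << 255) - 1), y >> 255), y & ((1 << 255) - 1))

def le(b): return int.from_bytes(b, "little")

# Edx25519 as described in the commit message above.
def generate_private(seed):
    dh = hashlib.sha512(seed).digest()
    a = bytearray(dh[:32])
    a[0] &= 0b11111000; a[31] &= 0b01111111; a[31] |= 0b01000000  # EdDSA clamping
    return (bytes(a), dh[32:])

def public_from_private(priv):
    return scalar_mult(le(priv[0]), G)

def hkdf_32(ikm, salt, info):
    """HKDF-SHA512 (RFC 5869), first 32 bytes of output."""
    prk = hmac.new(salt, ikm, hashlib.sha512).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha512).digest()[:32]

def blinding_factor(P, seed):
    # Assumed HKDF layout (the message only says HKDF_32(P, seed)): encoded P is the
    # IKM, seed the salt, a fixed info label; GNUnet's real byte layout may differ.
    h = le(hkdf_32(encode_point(P), seed, b"edx25519-derivation")) % L
    if h in (0, 1) or scalar_mult(h, P) == E:  # weak factor: retry with "seed+1"
        return blinding_factor(P, (le(seed) + 1).to_bytes(len(seed) + 1, "little"))
    return h

def derive_private(priv, seed):
    a, b = priv
    h = blinding_factor(public_from_private(priv), seed)
    # a1 := a / 8 computed as a * 8^-1 mod L: equal to integer division for a clamped
    # scalar (low 3 bits zero) and still consistent with derive_public on iteration.
    a_new = (h * (le(a) * pow(8, -1, L) % L)) % L * 8 % L
    b_new = hashlib.sha256(b + h.to_bytes(32, "little")).digest()  # b' := SHA256(b || h)
    return (a_new.to_bytes(32, "little"), b_new)

def derive_public(P, seed):
    return scalar_mult(blinding_factor(P, seed), P)

def sign(priv, msg):
    dd, b = priv
    P = encode_point(public_from_private(priv))
    r = le(hashlib.sha512(b + msg).digest()) % L
    R = encode_point(scalar_mult(r, G))
    k = le(hashlib.sha512(R + P + msg).digest()) % L
    return R + ((r + k * le(dd)) % L).to_bytes(32, "little")

def verify(P_bytes, msg, sig):
    """Plain Ed25519 verification: [s]G == R + [SHA-512(R || P || M)]P."""
    R, s = sig[:32], le(sig[32:])
    if s >= L:
        return False
    k = le(hashlib.sha512(R + P_bytes + msg).digest()) % L
    return scalar_mult(s, G) == point_add(decode_point(R), scalar_mult(k, decode_point(P_bytes)))

def demo():
    # Constructed seeds; derive twice on the private side and twice on the public side.
    priv0 = generate_private(b"constructed seed for the edx25519 example")
    pub0 = public_from_private(priv0)
    priv2 = derive_private(derive_private(priv0, b"seed-1"), b"seed-2")
    pub2 = encode_point(derive_public(derive_public(pub0, b"seed-1"), b"seed-2"))
    sig = sign(priv2, b"hello")
    return {"pub_matches": encode_point(public_from_private(priv2)) == pub2,
            "sig_valid": verify(pub2, b"hello", sig),
            "rejects_tampered": not verify(pub2, b"hellp", sig)}
```

Because an undervied key is exactly an Ed25519 key, `generate_private` followed by `sign` reproduces standard Ed25519 signatures for the RFC 8032 test vectors, which is a useful sanity check on the curve arithmetic before trusting the derivation steps. Note that after one derivation the scalar a' is reduced mod L and is no longer clamped in the bit-pattern sense, which is why signing uses d directly as a scalar and why the derivation divides by 8 in the group rather than by integer division.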