From cddd56b6c733d996e872783e7c54acf17135d11d Mon Sep 17 00:00:00 2001 From: Martin Schanzenbach Date: Mon, 3 May 2021 08:50:40 +0200 Subject: -more comments on EDKEY signature --- src/util/crypto_ecc_gnsrecord.c | 94 +++++++++++++++++++++++++++++------------ 1 file changed, 68 insertions(+), 26 deletions(-) diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c index 6689a21f1..bab0ce44a 100644 --- a/src/util/crypto_ecc_gnsrecord.c +++ b/src/util/crypto_ecc_gnsrecord.c @@ -94,52 +94,94 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar ( { crypto_hash_sha512_state hs; - unsigned char az[64]; - unsigned char nonce[64]; + unsigned char sk[64]; + unsigned char r[64]; unsigned char hram[64]; unsigned char R[32]; - unsigned char pk[32]; + unsigned char zk[32]; + unsigned char tmp[32]; crypto_hash_sha512_init (&hs); - // crypto_hash_sha512 (az, sk, 32); DO NOT EXPAND, WE HAVE A KEY - memcpy (az, priv->s, 64); - crypto_scalarmult_ed25519_base_noclamp (pk, + /** + * Instead of expanding the private here, we already + * have the secret scalar as input. Use it. + * Note that sk is not plain SHA512 (d). + * sk[0..31] contains the derived private scalar + * sk[0..31] = h * SHA512 (d)[0..31] + * sk[32..63] = SHA512 (d)[32..63] + */ + memcpy (sk, priv->s, 64); + + /** + * Calculate the derived zone key zk' from the + * derived private scalar. + */ + crypto_scalarmult_ed25519_base_noclamp (zk, priv->s); - crypto_hash_sha512_update (&hs, az + 32, 32); + /** + * Calculate r: + * r = SHA512 (sk[32..63] | M) + * where M is our message (purpose). + * Note that sk[32..63] is the other half of the + * expansion from the original, non-derived private key + * "d". + */ + crypto_hash_sha512_update (&hs, sk + 32, 32); crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size)); - crypto_hash_sha512_final (&hs, nonce); - - // This effectively creates R || A in sig - memcpy (sig->s, pk, 32); - - unsigned char nonce_mod[64]; - crypto_core_ed25519_scalar_reduce (nonce_mod, nonce); - // nonce == r; r * G == R - crypto_scalarmult_ed25519_base_noclamp (R, nonce_mod); + crypto_hash_sha512_final (&hs, r); + + /** + * Temporarily put zk into S + */ + memcpy (sig->s, zk, 32); + + /** + * Reduce the scalar value r + */ + unsigned char r_mod[64]; + crypto_core_ed25519_scalar_reduce (r_mod, r); + + /** + * Calculate R := r * G of the signature + */ + crypto_scalarmult_ed25519_base_noclamp (R, r_mod); memcpy (sig->r, R, sizeof (R)); - // SHA512 (R | A | M) == k + /** + * Calculate + * hram := SHA512 (R | zk' | M) + */ crypto_hash_sha512_init (&hs); crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64); crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size)); crypto_hash_sha512_final (&hs, hram); + /** + * Reduce the resulting scalar value + */ unsigned char hram_mod[64]; crypto_core_ed25519_scalar_reduce (hram_mod, hram); - az[0] &= 248; - az[31] &= 127; - az[31] |= 64; - unsigned char tmp[32]; - // r + k * s mod L == S - crypto_core_ed25519_scalar_mul (tmp, hram_mod, az); - crypto_core_ed25519_scalar_add (sig->s, tmp, nonce_mod); + /** + * Clamp the private scalar + */ + sk[0] &= 248; + sk[31] &= 127; + sk[31] |= 64; + + /** + * Calculate + * S := r + hram * s mod L + */ + crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk); + crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod); - sodium_memzero (az, sizeof az); - sodium_memzero (nonce, sizeof nonce); + sodium_memzero (sk, sizeof (sk)); + sodium_memzero (r, sizeof (r)); + sodium_memzero (r_mod, sizeof (r_mod)); } -- cgit v1.2.3