47 crypto_core_ed25519_scalar_random (priv->
scalar.
d);
57 crypto_scalarmult_ed25519_base_noclamp (
pub->point.y,
101 crypto_scalarmult_ed25519_base_noclamp (r_pub->
point.
y,
117 strlen (
"alphabeta"),
119 sizeof(*blind_seed)));
134 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
135 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7,
136 0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed
158 unsigned char c_big_endian[256 / 8];
160 char r_m_concat[r_m_concat_len];
185 gcry_mpi_release (l_mpi);
189 sizeof(c_big_endian),
191 gcry_mpi_release (c_mpi);
192 for (
size_t i = 0; i<32; i++)
193 c->
scalar.
d[i] = c_big_endian[31 - i];
216 crypto_scalarmult_ed25519_base_noclamp (
220 crypto_scalarmult_ed25519_noclamp (
225 alpha_mul_base_plus_beta_mul_pub.
y,
229 crypto_core_ed25519_add (
232 alpha_mul_base_plus_beta_mul_pub.
y));
252 &r_pub_blind->
r_pub[0]);
256 &r_pub_blind->
r_pub[1]);
271 crypto_core_ed25519_scalar_add (blinded_c[0].
scalar.
d,
274 crypto_core_ed25519_scalar_add (blinded_c[1].
scalar.
d,
300 cs_blind_sig->
b = hkdf_out % 2;
303 crypto_core_ed25519_scalar_mul (c_b_mul_priv.
d,
318 crypto_core_ed25519_scalar_add (signature_scalar->
scalar.
d,
319 blinded_signature_scalar->
scalar.
d,
344 crypto_scalarmult_ed25519_base_noclamp (
347 GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (c_dash_mul_pub.
y,
350 GNUNET_assert (0 == crypto_core_ed25519_add (R_add_c_dash_mul_pub.
y,
355 &R_add_c_dash_mul_pub)
struct GNUNET_MessageHeader * msg
static const unsigned char L_BIG_ENDIAN[32]
static void map_to_scalar_subgroup(struct GNUNET_CRYPTO_Cs25519Scalar *scalar)
Maps 32 random bytes to a scalar.
static void calc_r_dash(const struct GNUNET_CRYPTO_CsBlindingSecret *bs, const struct GNUNET_CRYPTO_CsRPublic *r_pub, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsRPublic *blinded_r_pub)
calculate R'
static void cs_full_domain_hash(const struct GNUNET_CRYPTO_CsRPublic *r_dash, const void *msg, size_t msg_len, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsC *c)
Computes a Hash of (R', m) mapped to a Curve25519 scalar.
static struct GNUNET_CRYPTO_EddsaPublicKey pub
static float beta
Percentage of total peer number in the view to send random PULLs to.
static float alpha
Percentage of total peer number in the view to send random PUSHes to.
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
#define GNUNET_CRYPTO_hkdf_gnunet(result, out_len, xts, xts_len, skm, skm_len,...)
A peculiar HKDF instantiation that tried to mimic Truncated NMAC.
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
void GNUNET_CRYPTO_cs_r_get_public(const struct GNUNET_CRYPTO_CsRSecret *r_priv, struct GNUNET_CRYPTO_CsRPublic *r_pub)
Extract the public R of the given secret r.
void GNUNET_CRYPTO_kdf_mod_mpi(gcry_mpi_t *r, gcry_mpi_t n, const void *xts, size_t xts_len, const void *skm, size_t skm_len, const char *ctx)
Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi.
void GNUNET_CRYPTO_cs_r_derive(const struct GNUNET_CRYPTO_CsSessionNonce *nonce, const char *seed, const struct GNUNET_CRYPTO_CsPrivateKey *lts, struct GNUNET_CRYPTO_CsRSecret r[2])
Derive a new secret r pair r0 and r1.
void GNUNET_CRYPTO_cs_private_key_get_public(const struct GNUNET_CRYPTO_CsPrivateKey *priv, struct GNUNET_CRYPTO_CsPublicKey *pub)
Extract the public key of the given private key.
void GNUNET_CRYPTO_cs_unblind(const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, const struct GNUNET_CRYPTO_CsBlindingSecret *bs, struct GNUNET_CRYPTO_CsS *signature_scalar)
Unblind a blind-signed signature using a c that was blinded.
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
void GNUNET_CRYPTO_cs_calc_blinded_c(const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], const struct GNUNET_CRYPTO_CsRPublic r_pub[2], const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len, struct GNUNET_CRYPTO_CsC blinded_c[2], struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
Calculate two blinded c's.
#define GNUNET_memcmp(a, b)
Compare memory in a and b, where both must be of the same pointer type.
#define GNUNET_CRYPTO_kdf_arg_auto(d)
#define GNUNET_CRYPTO_kdf_arg(d, s)
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_cs_verify(const struct GNUNET_CRYPTO_CsSignature *sig, const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len)
Verify whether the given message corresponds to the given signature and the signature is valid with r...
GNUNET_GenericReturnValue
Named constants for return values.
void GNUNET_CRYPTO_cs_sign_derive(const struct GNUNET_CRYPTO_CsPrivateKey *priv, const struct GNUNET_CRYPTO_CsRSecret r[2], const struct GNUNET_CRYPTO_CsBlindedMessage *bm, struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
Sign a blinded c.
void GNUNET_CRYPTO_cs_private_key_generate(struct GNUNET_CRYPTO_CsPrivateKey *priv)
IMPLEMENTATION NOTICE:
void GNUNET_CRYPTO_cs_blinding_secrets_derive(const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
Derives new random blinding factors.
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Pair of Public R values for Cs denominations.
struct GNUNET_CRYPTO_CsRPublic r_pub[2]
unsigned char y[crypto_core_ed25519_BYTES]
This is a point on the Curve25519.
unsigned char d[crypto_core_ed25519_SCALARBYTES]
32 byte scalar
blinded s in the signature
struct GNUNET_CRYPTO_Cs25519Scalar scalar
The Sign Answer for Clause Blind Schnorr signature.
struct GNUNET_CRYPTO_CsBlindS s_scalar
The blinded s scalar calculated from c_b.
unsigned int b
To make ROS problem harder, the signer chooses an unpredictable b and only calculates signature of c_...
CS Parameters derived from the message during blinding to create blinded signature.
struct GNUNET_CRYPTO_CsC c[2]
The Clause Schnorr c_0 and c_1 containing the blinded message.
struct GNUNET_CRYPTO_CsSessionNonce nonce
Nonce used in initial request.
Nonce for computing blinding factors.
Secret used for blinding (alpha and beta).
struct GNUNET_CRYPTO_Cs25519Scalar alpha
struct GNUNET_CRYPTO_Cs25519Scalar beta
struct GNUNET_CRYPTO_Cs25519Scalar scalar
The private information of an Schnorr key pair.
struct GNUNET_CRYPTO_Cs25519Scalar scalar
The public information of an Schnorr key pair.
the public R (derived from r) used in c
struct GNUNET_CRYPTO_Cs25519Point point
the private r used in the signature
struct GNUNET_CRYPTO_Cs25519Scalar scalar
struct GNUNET_CRYPTO_Cs25519Scalar scalar
Nonce for the session, picked by client, shared with the signer.
CS Signtature containing scalar s and point R.
struct GNUNET_CRYPTO_CsS s_scalar
Schnorr signatures are composed of a scalar s and a curve point.
struct GNUNET_CRYPTO_CsRPublic r_point
Curve point of the Schnorr signature.
1.9.8