GNUnet 0.22.2
crypto_edx25519.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2022 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
30#include "platform.h"
31#include <gcrypt.h>
32#include <sodium.h>
33#include "gnunet_util_lib.h"
34
35#define CURVE "Ed25519"
36
37void
38GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
39{
40 memset (pk, 0, sizeof(struct GNUNET_CRYPTO_Edx25519PrivateKey));
41}
42
43
44void
45GNUNET_CRYPTO_edx25519_key_create_from_seed (
46 const void *seed,
47 size_t seedsize,
48 struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
49{
50
51 GNUNET_static_assert (sizeof(*pk) == sizeof(struct GNUNET_HashCode));
52 GNUNET_CRYPTO_hash (seed,
53 seedsize,
54 (struct GNUNET_HashCode *) pk);
55
56 /* Clamp the first half of the key. The second half is used in the signature
57 * process. */
58 pk->a[0] &= 248;
59 pk->a[31] &= 127;
60 pk->a[31] |= 64;
61}
62
63
64void
65GNUNET_CRYPTO_edx25519_key_create (
66 struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
67{
68 char seed[256 / 8];
69 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
70 seed,
71 sizeof (seed));
72 GNUNET_CRYPTO_edx25519_key_create_from_seed (seed,
73 sizeof(seed),
74 pk);
75}
76
77
78void
79GNUNET_CRYPTO_edx25519_key_get_public (
80 const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
81 struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
82{
83 crypto_scalarmult_ed25519_base_noclamp (pub->q_y,
84 priv->a);
85}
86
87
102enum GNUNET_GenericReturnValue
103GNUNET_CRYPTO_edx25519_sign_ (
104 const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
105 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
106 struct GNUNET_CRYPTO_Edx25519Signature *sig)
107{
108
109 crypto_hash_sha512_state hs;
110 unsigned char r[64];
111 unsigned char hram[64];
112 unsigned char P[32];
113 unsigned char r_mod[64];
114 unsigned char R[32];
115 unsigned char tmp[32];
116 unsigned char hram_mod[64];
117
118 crypto_hash_sha512_init (&hs);
119
123 crypto_scalarmult_ed25519_base_noclamp (P,
124 priv->a);
125
131 crypto_hash_sha512_update (&hs,
132 priv->b,
133 sizeof(priv->b));
134 crypto_hash_sha512_update (&hs,
135 (uint8_t*) purpose,
136 ntohl (purpose->size));
137 crypto_hash_sha512_final (&hs,
138 r);
139
143 memcpy (sig->s, P, 32);
144
148 crypto_core_ed25519_scalar_reduce (r_mod, r);
149
153 crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
154 memcpy (sig->r, R, sizeof (R));
155
160 crypto_hash_sha512_init (&hs);
161 crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
162 crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
163 ntohl (purpose->size));
164 crypto_hash_sha512_final (&hs, hram);
165
169 crypto_core_ed25519_scalar_reduce (hram_mod, hram);
170
175 crypto_core_ed25519_scalar_mul (tmp, hram_mod, priv->a);
176 crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
177
178 sodium_memzero (r, sizeof (r));
179 sodium_memzero (r_mod, sizeof (r_mod));
180
181 return GNUNET_OK;
182}
183
184
185enum GNUNET_GenericReturnValue
186GNUNET_CRYPTO_edx25519_verify_ (
187 uint32_t purpose,
188 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
189 const struct GNUNET_CRYPTO_Edx25519Signature *sig,
190 const struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
191{
192 const unsigned char *m = (const void *) validate;
193 size_t mlen = ntohl (validate->size);
194 const unsigned char *s = (const void *) sig;
195
196 int res;
197
198 if (purpose != ntohl (validate->purpose))
199 return GNUNET_SYSERR; /* purpose mismatch */
200
201 res = crypto_sign_verify_detached (s, m, mlen, pub->q_y);
202 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
203}
204
205
216static void
217derive_h (
218 const struct GNUNET_CRYPTO_Edx25519PublicKey *pub,
219 const void *seed,
220 size_t seedsize,
221 struct GNUNET_HashCode *phc)
222{
229 static const char *const salt = "edx25519-derivation";
230
231 GNUNET_CRYPTO_kdf (/* output*/
232 phc, sizeof(*phc),
233 /* salt */
234 salt, strlen (salt),
235 /* ikm */
236 pub, sizeof(*pub),
237 /* ctx chunks*/
238 seed, seedsize,
239 NULL, 0);
240
241}
242
243
244void
245GNUNET_CRYPTO_edx25519_private_key_derive (
246 const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
247 const void *seed,
248 size_t seedsize,
249 struct GNUNET_CRYPTO_Edx25519PrivateKey *result)
250{
251 struct GNUNET_CRYPTO_Edx25519PublicKey pub;
252 struct GNUNET_HashCode hc;
253 uint8_t a[32];
254 uint8_t eight[32] = { 8 };
255 uint8_t eight_inv[32];
256 uint8_t h[64] = { 0 };
257
258 GNUNET_CRYPTO_edx25519_key_get_public (priv, &pub);
259
260 /* Get h mod n */
261 derive_h (&pub,
262 seed,
263 seedsize,
264 &hc);
265
266 memcpy (h, &hc, 64);
267 crypto_core_ed25519_scalar_reduce (h,
268 h);
269#ifdef CHECK_RARE_CASES
277 {
278 char zero[32] = { 0 };
279 char one[32] = { 1 };
280
281 GNUNET_assert (0 != memcmp (zero, h, 32));
282 GNUNET_assert (0 != memcmp (one, h, 32));
283 }
284#endif
285
295 GNUNET_assert (0 == crypto_core_ed25519_scalar_invert (eight_inv,
296 eight));
297
298 crypto_core_ed25519_scalar_mul (a, priv->a, eight_inv);
299 crypto_core_ed25519_scalar_mul (a, a, h);
300 crypto_core_ed25519_scalar_mul (a, a, eight);
301
302#ifdef CHECK_RARE_CASES
303 /* The likelihood for a' == 0 or a' == 1 is neglegible */
304 {
305 char zero[32] = { 0 };
306 char one[32] = { 1 };
307
308 GNUNET_assert (0 != memcmp (zero, a, 32));
309 GNUNET_assert (0 != memcmp (one, a, 32));
310 }
311#endif
312
313 /* We hash the derived "h" parameter with the other half of the expanded
314 * private key (that is: priv->b). This ensures that for signature
315 * generation, the "R" is derived from the same derivation path as "h" and is
316 * not reused. */
317 {
318 struct GNUNET_HashCode hcb;
319 struct GNUNET_HashContext *hctx;
320
321 hctx = GNUNET_CRYPTO_hash_context_start ();
322 GNUNET_CRYPTO_hash_context_read (hctx, priv->b, sizeof(priv->b));
323 GNUNET_CRYPTO_hash_context_read (hctx, (unsigned char*) &hc, sizeof (hc));
324 GNUNET_CRYPTO_hash_context_finish (hctx, &hcb);
325
326 /* Truncate result, effectively doing SHA512/256 */
327 for (size_t i = 0; i < 32; i++)
328 result->b[i] = ((unsigned char *) &hcb)[i];
329 }
330
331 for (size_t i = 0; i < 32; i++)
332 result->a[i] = a[i];
333
334 sodium_memzero (a, sizeof(a));
335}
336
337
338void
339GNUNET_CRYPTO_edx25519_public_key_derive (
340 const struct GNUNET_CRYPTO_Edx25519PublicKey *pub,
341 const void *seed,
342 size_t seedsize,
343 struct GNUNET_CRYPTO_Edx25519PublicKey *result)
344{
345 struct GNUNET_HashCode hc;
346 uint8_t h[64] = { 0 };
347
348 derive_h (pub,
349 seed,
350 seedsize,
351 &hc);
352 memcpy (h,
353 &hc,
354 64);
355 crypto_core_ed25519_scalar_reduce (h,
356 h);
357 GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (result->q_y,
358 h,
359 pub->q_y));
360}
derive_h
static void derive_h(const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, const void *seed, size_t seedsize, struct GNUNET_HashCode *phc)
Derive the 'h' value for key derivation, where 'h = H(P ∥ seed) mod n' and 'n' is the size of the cyc...
Definition: crypto_edx25519.c:217
m
static struct GNUNET_ARM_MonitorHandle * m
Monitor connection with ARM.
Definition: gnunet-arm.c:103
h
static struct GNUNET_ARM_Handle * h
Connection with ARM.
Definition: gnunet-arm.c:98
seed
static uint8_t seed
Definition: gnunet-elligator-tvg.c:32
pk
struct GNUNET_CRYPTO_PrivateKey pk
Private key from command line option, or NULL.
Definition: gnunet-identity.c:126
res
static char * res
Currently read line or NULL on EOF.
Definition: gnunet-namestore-zonefile.c:76
result
static int result
Global testing status.
Definition: gnunet-regex-profiler.c:240
pub
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition: gnunet-scrypt.c:47
salt
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition: gnunet-scrypt.c:34
zero
static const struct GNUNET_CRYPTO_PrivateKey zero
Public key of all zeros.
Definition: gnunet-service-namestore.c:331
gnunet_util_lib.h
GNUNET_CRYPTO_edx25519_key_get_public
void GNUNET_CRYPTO_edx25519_key_get_public(const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_edx25519.c:79
GNUNET_CRYPTO_edx25519_key_clear
void GNUNET_CRYPTO_edx25519_key_clear(struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
Clear memory that was used to store a private key.
Definition: crypto_edx25519.c:38
GNUNET_CRYPTO_edx25519_private_key_derive
void GNUNET_CRYPTO_edx25519_private_key_derive(const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PrivateKey *result)
Derive a private scalar from a given private key and a label.
Definition: crypto_edx25519.c:245
GNUNET_CRYPTO_edx25519_key_create_from_seed
void GNUNET_CRYPTO_edx25519_key_create_from_seed(const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
Create a new private key for Edx25519 from a given seed.
Definition: crypto_edx25519.c:45
GNUNET_CRYPTO_edx25519_public_key_derive
void GNUNET_CRYPTO_edx25519_public_key_derive(const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PublicKey *result)
Derive a public key from a given public key and a label.
Definition: crypto_edx25519.c:339
GNUNET_CRYPTO_random_block
void GNUNET_CRYPTO_random_block(enum GNUNET_CRYPTO_Quality mode, void *buffer, size_t length)
Fill block with a random values.
Definition: crypto_random.c:133
GNUNET_CRYPTO_edx25519_key_create
void GNUNET_CRYPTO_edx25519_key_create(struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
Create a new private key.
Definition: crypto_edx25519.c:65
GNUNET_CRYPTO_edx25519_verify_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_Edx25519Signature *sig, const struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
Verify Edx25519 signature.
Definition: crypto_edx25519.c:186
GNUNET_CRYPTO_edx25519_sign_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_sign_(const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_Edx25519Signature *sig)
This function operates the basically same way as the signature function for EdDSA.
Definition: crypto_edx25519.c:103
GNUNET_CRYPTO_QUALITY_NONCE
@ GNUNET_CRYPTO_QUALITY_NONCE
Randomness for IVs etc.
Definition: gnunet_crypto_lib.h:103
GNUNET_CRYPTO_hash
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition: crypto_hash.c:41
GNUNET_CRYPTO_kdf
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_kdf(void *result, size_t out_len, const void *xts, size_t xts_len, const void *skm, size_t skm_len,...)
Derive key.
Definition: crypto_kdf.c:62
GNUNET_CRYPTO_hash_context_read
void GNUNET_CRYPTO_hash_context_read(struct GNUNET_HashContext *hc, const void *buf, size_t size)
Add data to be hashed.
Definition: crypto_hash.c:363
GNUNET_CRYPTO_hash_context_finish
void GNUNET_CRYPTO_hash_context_finish(struct GNUNET_HashContext *hc, struct GNUNET_HashCode *r_hash)
Finish the hash computation.
Definition: crypto_hash.c:387
GNUNET_GenericReturnValue
GNUNET_GenericReturnValue
Named constants for return values.
Definition: gnunet_common.h:108
GNUNET_CRYPTO_hash_context_start
struct GNUNET_HashContext * GNUNET_CRYPTO_hash_context_start(void)
Start incremental hashing operation.
Definition: crypto_hash.c:347
GNUNET_static_assert
#define GNUNET_static_assert(cond)
Assertion to be checked (if supported by C compiler) at compile time, otherwise checked at runtime an...
Definition: gnunet_common.h:1032
GNUNET_OK
@ GNUNET_OK
Definition: gnunet_common.h:111
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition: gnunet_common.h:109
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:956
GNUNET_CRYPTO_EccSignaturePurpose
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
Definition: gnunet_crypto_lib.h:141
GNUNET_CRYPTO_EccSignaturePurpose::size
uint32_t size
How many bytes does this signature sign? (including this purpose header); in network byte order (!...
Definition: gnunet_crypto_lib.h:147
GNUNET_CRYPTO_EccSignaturePurpose::purpose
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Definition: gnunet_crypto_lib.h:155
GNUNET_CRYPTO_EddsaPublicKey::q_y
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.
Definition: gnunet_crypto_lib.h:207
GNUNET_CRYPTO_Edx25519PrivateKey
Private ECC key material encoded for transmission.
Definition: gnunet_crypto_lib.h:304
GNUNET_CRYPTO_Edx25519PrivateKey::b
unsigned char b[256/8]
b consists of 32 bytes which where originally the lower 32bytes of the key expansion.
Definition: gnunet_crypto_lib.h:315
GNUNET_CRYPTO_Edx25519PrivateKey::a
unsigned char a[256/8]
a is a value mod n, where n has at most 256 bits.
Definition: gnunet_crypto_lib.h:309
GNUNET_CRYPTO_Edx25519PublicKey
Public ECC key (always for curve Ed25519) encoded in a format suitable for network transmission and E...
Definition: gnunet_crypto_lib.h:326
GNUNET_CRYPTO_Edx25519Signature
an ECC signature using Edx25519 (same as in EdDSA).
Definition: gnunet_crypto_lib.h:339
GNUNET_CRYPTO_Edx25519Signature::s
unsigned char s[256/8]
S value.
Definition: gnunet_crypto_lib.h:348
GNUNET_CRYPTO_Edx25519Signature::r
unsigned char r[256/8]
R value.
Definition: gnunet_crypto_lib.h:343
GNUNET_HashCode
A 512-bit hashcode.
Definition: gnunet_common.h:284
GNUNET_HashContext
Definition: crypto_hash.c:338