GNUnet 0.28.0-dev.3-7-g31e20e2e6
 
Loading...
Searching...
No Matches
crypto_ecc_dlog.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2012, 2013, 2015 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
29#include "platform.h"
30#include "gnunet_util_lib.h"
31
32
36struct GNUNET_CRYPTO_EccDlogContext
37{
41 unsigned int max;
42
46 unsigned int mem;
47
54 struct GNUNET_CONTAINER_MultiPeerMap *map;
55
56};
57
58
59struct GNUNET_CRYPTO_EccDlogContext *
60GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
61 unsigned int mem)
62{
63 struct GNUNET_CRYPTO_EccDlogContext *edc;
64 int K = ((max + (mem - 1)) / mem);
65
66 GNUNET_assert (max < INT32_MAX);
67 GNUNET_assert (mem <= UINT32_MAX / 2);
68 edc = GNUNET_new (struct GNUNET_CRYPTO_EccDlogContext);
69 edc->max = max;
70 edc->mem = mem;
71 edc->map = GNUNET_CONTAINER_multipeermap_create (mem * 2,
72 GNUNET_NO);
73 for (int i = -(int) mem; i <= (int) mem; i++)
74 {
75 struct GNUNET_CRYPTO_EccScalar Ki;
76 struct GNUNET_PeerIdentity key;
77
78 GNUNET_CRYPTO_ecc_scalar_from_int (K * i,
79 &Ki);
80 if (0 == i) /* libsodium does not like to multiply with zero */
81 GNUNET_assert (
82 0 ==
83 crypto_core_ed25519_sub ((unsigned char *) &key,
84 (unsigned char *) &key,
85 (unsigned char *) &key));
86 else
87 GNUNET_assert (
88 0 ==
89 crypto_scalarmult_ed25519_base_noclamp ((unsigned char*) &key,
90 Ki.v));
91 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
92 "K*i: %d (mem=%u, i=%d) => %s\n",
93 K * i,
94 mem,
95 i,
96 GNUNET_i2s (&key));
97 GNUNET_assert (GNUNET_OK ==
98 GNUNET_CONTAINER_multipeermap_put (edc->map,
99 &key,
100 (void *) (long) i + max,
101 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
102 }
103 return edc;
104}
105
106
107int
108GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
109 const struct GNUNET_CRYPTO_EccPoint *input)
110{
111 unsigned int K = ((edc->max + (edc->mem - 1)) / edc->mem);
112 int res;
113 struct GNUNET_CRYPTO_EccPoint g;
114 struct GNUNET_CRYPTO_EccPoint q;
115 struct GNUNET_CRYPTO_EccPoint nq;
116
117 {
118 struct GNUNET_CRYPTO_EccScalar fact;
119
120 memset (&fact,
121 0,
122 sizeof (fact));
123 sodium_increment (fact.v,
124 sizeof (fact.v));
125 GNUNET_assert (0 ==
126 crypto_scalarmult_ed25519_base_noclamp (g.v,
127 fact.v));
128 }
129 /* make compiler happy: initialize q and nq, technically not needed! */
130 memset (&q,
131 0,
132 sizeof (q));
133 memset (&nq,
134 0,
135 sizeof (nq));
136 res = INT_MAX;
137 for (unsigned int i = 0; i <= edc->max / edc->mem; i++)
138 {
139 struct GNUNET_PeerIdentity key;
140 void *retp;
141
142 GNUNET_assert (sizeof (key) == crypto_scalarmult_BYTES);
143 if (0 == i)
144 {
145 memcpy (&key,
146 input,
147 sizeof (key));
148 }
149 else
150 {
151 memcpy (&key,
152 &q,
153 sizeof (key));
154 }
155 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
156 "Trying offset i=%u): %s\n",
157 i,
158 GNUNET_i2s (&key));
159 retp = GNUNET_CONTAINER_multipeermap_get (edc->map,
160 &key);
161 if (NULL != retp)
162 {
163 res = (((long) retp) - edc->max) * K - i;
164 /* we continue the loop here to make the implementation
165 "constant-time". If we do not care about this, we could just
166 'break' here and do fewer operations... */
167 }
168 if (i == edc->max / edc->mem)
169 break;
170 /* q = q + g */
171 if (0 == i)
172 {
173 GNUNET_assert (0 ==
174 crypto_core_ed25519_add (q.v,
175 input->v,
176 g.v));
177 }
178 else
179 {
180 GNUNET_assert (0 ==
181 crypto_core_ed25519_add (q.v,
182 q.v,
183 g.v));
184 }
185 }
186 return res;
187}
188
189
190void
191GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccScalar *r)
192{
193 crypto_core_ed25519_scalar_random (r->v);
194}
195
196
197void
203
204
205void
206GNUNET_CRYPTO_ecc_dexp (int val,
207 struct GNUNET_CRYPTO_EccPoint *r)
208{
209 struct GNUNET_CRYPTO_EccScalar fact;
210
211 GNUNET_CRYPTO_ecc_scalar_from_int (val,
212 &fact);
213 crypto_scalarmult_ed25519_base_noclamp (r->v,
214 fact.v);
215}
216
217
218enum GNUNET_GenericReturnValue
219GNUNET_CRYPTO_ecc_dexp_mpi (const struct GNUNET_CRYPTO_EccScalar *val,
220 struct GNUNET_CRYPTO_EccPoint *r)
221{
222 if (0 ==
223 crypto_scalarmult_ed25519_base_noclamp (r->v,
224 val->v))
225 return GNUNET_OK;
226 return GNUNET_SYSERR;
227}
228
229
230enum GNUNET_GenericReturnValue
231GNUNET_CRYPTO_ecc_add (const struct GNUNET_CRYPTO_EccPoint *a,
232 const struct GNUNET_CRYPTO_EccPoint *b,
233 struct GNUNET_CRYPTO_EccPoint *r)
234{
235 if (0 ==
236 crypto_core_ed25519_add (r->v,
237 a->v,
238 b->v))
239 return GNUNET_OK;
240 return GNUNET_SYSERR;
241}
242
243
244enum GNUNET_GenericReturnValue
245GNUNET_CRYPTO_ecc_pmul_mpi (const struct GNUNET_CRYPTO_EccPoint *p,
246 const struct GNUNET_CRYPTO_EccScalar *val,
247 struct GNUNET_CRYPTO_EccPoint *r)
248{
249 if (0 ==
250 crypto_scalarmult_ed25519_noclamp (r->v,
251 val->v,
252 p->v))
253 return GNUNET_OK;
254 return GNUNET_SYSERR;
255}
256
257
258enum GNUNET_GenericReturnValue
259GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccPoint *r,
260 struct GNUNET_CRYPTO_EccPoint *r_inv)
261{
262 struct GNUNET_CRYPTO_EccScalar s;
263 unsigned char inv_s[crypto_scalarmult_ed25519_SCALARBYTES];
264
265 GNUNET_CRYPTO_ecc_random_mod_n (&s);
266 if (0 !=
267 crypto_scalarmult_ed25519_base_noclamp (r->v,
268 s.v))
269 return GNUNET_SYSERR;
270 crypto_core_ed25519_scalar_negate (inv_s,
271 s.v);
272 if (0 !=
273 crypto_scalarmult_ed25519_base_noclamp (r_inv->v,
274 inv_s))
275 return GNUNET_SYSERR;
276 return GNUNET_OK;
277}
278
279
280void
281GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccScalar *r,
282 struct GNUNET_CRYPTO_EccScalar *r_neg)
283{
284 GNUNET_CRYPTO_ecc_random_mod_n (r);
285 crypto_core_ed25519_scalar_negate (r_neg->v,
286 r->v);
287}
288
289
290void
291GNUNET_CRYPTO_ecc_scalar_from_int (int64_t val,
292 struct GNUNET_CRYPTO_EccScalar *r)
293{
294 unsigned char fact[crypto_scalarmult_ed25519_SCALARBYTES];
295 uint64_t valBe;
296
297 GNUNET_assert (sizeof (*r) == sizeof (fact));
298 if (val < 0)
299 {
300 if (INT64_MIN == val)
301 valBe = GNUNET_htonll ((uint64_t) INT64_MAX);
302 else
303 valBe = GNUNET_htonll ((uint64_t) (-val));
304 }
305 else
306 {
307 valBe = GNUNET_htonll ((uint64_t) val);
308 }
309 memset (fact,
310 0,
311 sizeof (fact));
312 for (unsigned int i = 0; i < sizeof (val); i++)
313 fact[i] = ((unsigned char*) &valBe)[sizeof (val) - 1 - i];
314 if (val < 0)
315 {
316 if (INT64_MIN == val)
317 /* See above: fact is one too small, increment now that we can */
318 sodium_increment (fact,
319 sizeof (fact));
320 crypto_core_ed25519_scalar_negate (r->v,
321 fact);
322 }
323 else
324 {
325 memcpy (r,
326 fact,
327 sizeof (fact));
328 }
329}
330
331
332/* end of crypto_ecc_dlog.c */
INT_MAX
#define INT_MAX
Definition common_allocation.c:43
key
struct GNUNET_HashCode key
The key used in the DHT.
Definition gnunet-dht-put.c:37
res
static char * res
Currently read line or NULL on EOF.
Definition gnunet-namestore-zonefile.c:256
q
static struct GNUNET_REVOCATION_Query * q
Handle for revocation query.
Definition gnunet-revocation.c:69
edc
static struct GNUNET_CRYPTO_EccDlogContext * edc
Context for DLOG operations on a curve.
Definition gnunet-service-scalarproduct-ecc_alice.c:187
p
static struct GNUNET_Process * p
Helper process we started.
Definition gnunet-uri.c:38
gnunet_util_lib.h
GNUNET_CONTAINER_multipeermap_get
void * GNUNET_CONTAINER_multipeermap_get(const struct GNUNET_CONTAINER_MultiPeerMap *map, const struct GNUNET_PeerIdentity *key)
Given a key find a value in the map matching the key.
Definition container_multipeermap.c:268
GNUNET_CONTAINER_multipeermap_destroy
void GNUNET_CONTAINER_multipeermap_destroy(struct GNUNET_CONTAINER_MultiPeerMap *map)
Destroy a hash map.
Definition container_multipeermap.c:199
GNUNET_CONTAINER_multipeermap_create
struct GNUNET_CONTAINER_MultiPeerMap * GNUNET_CONTAINER_multipeermap_create(unsigned int len, int do_not_copy_keys)
Create a multi peer map (hash map for public keys of peers).
Definition container_multipeermap.c:179
GNUNET_CONTAINER_multipeermap_put
int GNUNET_CONTAINER_multipeermap_put(struct GNUNET_CONTAINER_MultiPeerMap *map, const struct GNUNET_PeerIdentity *key, void *value, enum GNUNET_CONTAINER_MultiHashMapOption opt)
Store a key-value pair in the map.
Definition container_multipeermap.c:632
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY
@ GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY
There must only be one value per key; storing a value should fail if a value under the same key alrea...
Definition gnunet_container_lib.h:378
GNUNET_CRYPTO_ecc_rnd_mpi
void GNUNET_CRYPTO_ecc_rnd_mpi(struct GNUNET_CRYPTO_EccScalar *r, struct GNUNET_CRYPTO_EccScalar *r_neg)
Obtain a random scalar for point multiplication on the curve and its additive inverse.
Definition crypto_ecc_dlog.c:281
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_CRYPTO_ecc_dexp_mpi
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecc_dexp_mpi(const struct GNUNET_CRYPTO_EccScalar *val, struct GNUNET_CRYPTO_EccPoint *r)
Multiply the generator g of the elliptic curve by val to obtain the point on the curve representing v...
Definition crypto_ecc_dlog.c:219
GNUNET_CRYPTO_ecc_pmul_mpi
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecc_pmul_mpi(const struct GNUNET_CRYPTO_EccPoint *p, const struct GNUNET_CRYPTO_EccScalar *val, struct GNUNET_CRYPTO_EccPoint *r)
Multiply the point p on the elliptic curve by val.
Definition crypto_ecc_dlog.c:245
GNUNET_CRYPTO_ecc_dlog
int GNUNET_CRYPTO_ecc_dlog(struct GNUNET_CRYPTO_EccDlogContext *edc, const struct GNUNET_CRYPTO_EccPoint *input)
Calculate ECC discrete logarithm for small factors.
Definition crypto_ecc_dlog.c:108
GNUNET_CRYPTO_ecc_scalar_from_int
void GNUNET_CRYPTO_ecc_scalar_from_int(int64_t val, struct GNUNET_CRYPTO_EccScalar *r)
Create a scalar from int value.
Definition crypto_ecc_dlog.c:291
GNUNET_htonll
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition common_endian.c:37
GNUNET_CRYPTO_ecc_dexp
void GNUNET_CRYPTO_ecc_dexp(int val, struct GNUNET_CRYPTO_EccPoint *r)
Multiply the generator g of the elliptic curve by val to obtain the point on the curve representing v...
Definition crypto_ecc_dlog.c:206
GNUNET_CRYPTO_ecc_dlog_release
void GNUNET_CRYPTO_ecc_dlog_release(struct GNUNET_CRYPTO_EccDlogContext *edc)
Release precalculated values.
Definition crypto_ecc_dlog.c:198
GNUNET_CRYPTO_ecc_dlog_prepare
struct GNUNET_CRYPTO_EccDlogContext * GNUNET_CRYPTO_ecc_dlog_prepare(unsigned int max, unsigned int mem)
Do pre-calculation for ECC discrete logarithm for small factors.
Definition crypto_ecc_dlog.c:60
GNUNET_CRYPTO_ecc_rnd
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecc_rnd(struct GNUNET_CRYPTO_EccPoint *r, struct GNUNET_CRYPTO_EccPoint *r_inv)
Obtain a random point on the curve and its additive inverse.
Definition crypto_ecc_dlog.c:259
GNUNET_CRYPTO_ecc_random_mod_n
void GNUNET_CRYPTO_ecc_random_mod_n(struct GNUNET_CRYPTO_EccScalar *r)
Generate a random value mod n.
Definition crypto_ecc_dlog.c:191
GNUNET_GenericReturnValue
GNUNET_GenericReturnValue
Named constants for return values.
Definition gnunet_common.h:111
GNUNET_CRYPTO_ecc_add
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecc_add(const struct GNUNET_CRYPTO_EccPoint *a, const struct GNUNET_CRYPTO_EccPoint *b, struct GNUNET_CRYPTO_EccPoint *r)
Add two points on the elliptic curve.
Definition crypto_ecc_dlog.c:231
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114
GNUNET_NO
@ GNUNET_NO
Definition gnunet_common.h:113
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_i2s
const char * GNUNET_i2s(const struct GNUNET_PeerIdentity *pid)
Convert a peer identity to a string (for printing debug messages).
Definition common_logging.c:1373
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition gnunet_common.h:960
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition gnunet_common.h:424
GNUNET_new
#define GNUNET_new(type)
Allocate a struct or union of the given type.
Definition gnunet_common.h:1240
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition gnunet_common.h:1415
max
#define max(x, y)
Definition messenger_api_message.c:593
GNUNET_CONTAINER_MultiPeerMap
Internal representation of the hash map.
Definition container_multipeermap.c:106
GNUNET_CRYPTO_EccDlogContext
Internal structure used to cache pre-calculated values for DLOG calculation.
Definition crypto_ecc_dlog.c:37
GNUNET_CRYPTO_EccDlogContext::map
struct GNUNET_CONTAINER_MultiPeerMap * map
Map mapping points (here "interpreted" as EdDSA public keys) to a "void * = long" which corresponds t...
Definition crypto_ecc_dlog.c:54
GNUNET_CRYPTO_EccDlogContext::mem
unsigned int mem
How much memory should we use (relates to the number of entries in the map).
Definition crypto_ecc_dlog.c:46
GNUNET_CRYPTO_EccDlogContext::max
unsigned int max
Maximum absolute value the calculation supports.
Definition crypto_ecc_dlog.c:41
GNUNET_CRYPTO_EccPoint
Point on a curve (always for Curve25519) encoded in a format suitable for network transmission (ECDH)...
Definition gnunet_crypto_lib.h:2068
GNUNET_CRYPTO_EccPoint::v
unsigned char v[256/8]
Q consists of an x- and a y-value, each mod p (256 bits), given here in affine coordinates and Ed2551...
Definition gnunet_crypto_lib.h:2073
GNUNET_CRYPTO_EccScalar
A ECC scalar for use in point multiplications.
Definition gnunet_crypto_lib.h:2080
GNUNET_CRYPTO_EccScalar::v
unsigned char v[256/8]
Definition gnunet_crypto_lib.h:2081
GNUNET_PeerIdentity
The identity of the host (wraps the signing key of the peer).
Definition gnunet_crypto_lib.h:208