GNUnet  0.11.x
crypto_ecc_gnsrecord.c File Reference

Public key cryptography (ECC) for GNS records (LSD0001).

#include "platform.h"
#include <gcrypt.h>
#include <sodium.h>
#include "gnunet_crypto_lib.h"
#include "gnunet_strings_lib.h"

Macros

#define CURVE   "Ed25519"
 

Functions

void derive_h (const void *pub, size_t pubsize, const char *label, const char *context, struct GNUNET_HashCode *hc)
 Derive the 'h' value for key derivation, where 'h = H(l,P)'.
 
void GNUNET_CRYPTO_eddsa_sign_with_scalar (const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EddsaSignature *sig)
 This is a signature function for EdDSA which takes the secret scalar sk instead of the private seed which is usually the case for crypto APIs.
 
struct GNUNET_CRYPTO_EcdsaPrivateKey * GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, const char *label, const char *context)
 Derive a private key from a given private key and a label.
 
void GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, const char *label, const char *context, struct GNUNET_CRYPTO_EcdsaPublicKey *result)
 Derive a public key from a given public key and a label.
 
void GNUNET_CRYPTO_eddsa_private_key_derive (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const char *label, const char *context, struct GNUNET_CRYPTO_EddsaPrivateScalar *result)
 Derive a private scalar from a given private key and a label.
 
void GNUNET_CRYPTO_eddsa_public_key_derive (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, const char *label, const char *context, struct GNUNET_CRYPTO_EddsaPublicKey *result)
 Derive a public key from a given public key and a label.
 
void GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv, struct GNUNET_CRYPTO_EddsaPublicKey *pkey)
 Extract the public key of the given private scalar.
 

Detailed Description

public key cryptography (ECC) for GNS records (LSD0001)

Author
Christian Grothoff
Florian Dold
Martin Schanzenbach

Definition in file crypto_ecc_gnsrecord.c.

Macro Definition Documentation

◆ CURVE

#define CURVE   "Ed25519"

Function Documentation

◆ derive_h()

void derive_h ( const void *  pub,
size_t  pubsize,
const char *  label,
const char *  context,
struct GNUNET_HashCode *  hc 
)

Derive the 'h' value for key derivation, where 'h = H(l,P)'.

Parameters
pub: public key for derivation
pubsize: the size of the public key
label: label for derivation
context: additional context to use for HKDF of 'h'; typically the name of the subsystem/application
hc: where to write the result

Definition at line 48 of file crypto_ecc_gnsrecord.c.

References GNUNET_CRYPTO_kdf(), and salt.

Referenced by GNUNET_CRYPTO_ecdsa_private_key_derive(), GNUNET_CRYPTO_ecdsa_public_key_derive(), GNUNET_CRYPTO_eddsa_private_key_derive(), and GNUNET_CRYPTO_eddsa_public_key_derive().

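/**
 * Derive the 'h' value for key derivation, where 'h = H(l,P)'.
 *
 * The value is produced by GNUNET_CRYPTO_kdf() with the fixed salt
 * "key-derivation", the public key as key material, and the label and
 * context as additional input.
 *
 * @param pub public key for derivation
 * @param pubsize the size of the public key
 * @param label label for derivation; must be a non-NULL, NUL-terminated
 *        string because its length is taken with strlen()
 * @param context additional context to use for HKDF of 'h'; typically the
 *        name of the subsystem/application; must be a non-NULL,
 *        NUL-terminated string because its length is taken with strlen()
 * @param hc where to write the result
 */
void
derive_h (const void *pub,
          size_t pubsize,
          const char *label,
          const char *context,
          struct GNUNET_HashCode *hc)
{
  static const char *const salt = "key-derivation";

  /* NOTE(review): the rendered listing omits source line 56; the call
     target and its first argument are reconstructed from the page's
     "References GNUNET_CRYPTO_kdf()" entry and the prototype shown there. */
  /* GNUNET_CRYPTO_kdf() reports failure through its return value.  Every
     caller derives key material from *hc, so fail closed instead of
     continuing with an output buffer that was never filled. */
  GNUNET_assert (GNUNET_YES ==
                 GNUNET_CRYPTO_kdf (hc,
                                    sizeof(*hc),
                                    salt,
                                    strlen (salt),
                                    pub,
                                    pubsize,
                                    label,
                                    strlen (label),
                                    context,
                                    strlen (context),
                                    NULL,
                                    0));
}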
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_kdf(void *result, size_t out_len, const void *xts, size_t xts_len, const void *skm, size_t skm_len,...)
Derive key.
Definition: crypto_kdf.c:90

◆ GNUNET_CRYPTO_eddsa_sign_with_scalar()

void GNUNET_CRYPTO_eddsa_sign_with_scalar ( const struct GNUNET_CRYPTO_EddsaPrivateScalar *  priv,
const struct GNUNET_CRYPTO_EccSignaturePurpose *  purpose,
struct GNUNET_CRYPTO_EddsaSignature *  sig 
)

This is a signature function for EdDSA which takes the secret scalar sk instead of the private seed which is usually the case for crypto APIs.

We require this functionality in order to use derived private keys for signatures, because we cannot efficiently calculate the inverse of a sk to find the seed.

The resulting signature is a standard EdDSA signature which can be verified using the usual APIs.

Parameters
sk: the secret scalar (named priv in the signature above)
purp: the signature purpose (named purpose in the signature above)
sig: the resulting signature

Instead of expanding the private key here, we already have the secret scalar as input. Use it. Note that sk is not plain SHA512 (d). sk[0..31] contains the derived private scalar: sk[0..31] = h * SHA512 (d)[0..31], and sk[32..63] = SHA512 (d)[32..63].

Calculate the derived zone key zk' from the derived private scalar.

Calculate r: r = SHA512 (sk[32..63] | M) where M is our message (purpose). Note that sk[32..63] is the other half of the expansion from the original, non-derived private key "d".

Temporarily put zk into S

Reduce the scalar value r

Calculate R := r * G of the signature

Calculate hram := SHA512 (R | zk' | M)

Reduce the resulting scalar value

Calculate S := r + hram * s mod L

Definition at line 87 of file crypto_ecc_gnsrecord.c.

References GNUNET_CRYPTO_EddsaSignature::r, GNUNET_CRYPTO_EddsaSignature::s, and GNUNET_CRYPTO_EddsaPrivateScalar::s.

Referenced by block_create_eddsa().

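/**
 * EdDSA signature function that takes the secret scalar instead of the
 * private seed that crypto APIs usually expect.
 *
 * This is needed to sign with derived private keys, for which no seed is
 * available.  The result is a standard EdDSA signature that can be
 * verified with the usual APIs.
 *
 * @param priv the secret scalar (64 bytes are read from priv->s)
 * @param purpose the signature purpose; ntohl (purpose->size) bytes
 *        starting at @a purpose are hashed as the message
 * @param sig the resulting signature
 */
void
GNUNET_CRYPTO_eddsa_sign_with_scalar (
  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
  struct GNUNET_CRYPTO_EddsaSignature *sig)
{
  crypto_hash_sha512_state hs;
  unsigned char sk[64];
  unsigned char r[64];
  unsigned char hram[64];
  unsigned char R[32];
  unsigned char zk[32];
  unsigned char tmp[32];

  crypto_hash_sha512_init (&hs);

  /* Instead of expanding the private key here, we already have the secret
     scalar as input.  Note that sk is not plain SHA512 (d):
       sk[0..31]  = h * SHA512 (d)[0..31]   (the derived private scalar)
       sk[32..63] = SHA512 (d)[32..63] */
  memcpy (sk, priv->s, 64);

  /* Calculate the derived zone key zk' from the derived private scalar. */
  crypto_scalarmult_ed25519_base_noclamp (zk,
                                          sk);

  /* Calculate r := SHA512 (sk[32..63] | M), where M is our message
     (purpose).  sk[32..63] is the other half of the expansion of the
     original, non-derived private key "d". */
  /* NOTE(review): the length comes from purpose->size (network byte order)
     and is not bounded here; callers must ensure that many bytes are
     readable behind `purpose`. */
  crypto_hash_sha512_update (&hs, sk + 32, 32);
  crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
  crypto_hash_sha512_final (&hs, r);

  /* Temporarily put zk into S. */
  memcpy (sig->s, zk, 32);

  /* Reduce the scalar value r. */
  unsigned char r_mod[64];
  crypto_core_ed25519_scalar_reduce (r_mod, r);

  /* Calculate R := r * G of the signature. */
  crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
  memcpy (sig->r, R, sizeof (R));

  /* Calculate hram := SHA512 (R | zk' | M).  The first 64 bytes of *sig are
     hashed as "R | zk'"; this presumably relies on sig->r and sig->s being
     adjacent 32-byte members -- confirm against the struct definition. */
  crypto_hash_sha512_init (&hs);
  crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
  crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
                             ntohl (purpose->size));
  crypto_hash_sha512_final (&hs, hram);

  /* Reduce the resulting scalar value. */
  unsigned char hram_mod[64];
  crypto_core_ed25519_scalar_reduce (hram_mod, hram);

  /* Calculate S := r + hram * s mod L. */
  crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
  crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);

  /* Wipe every secret-dependent intermediate before returning.  tmp holds
     hram * s, a product of the secret scalar and a value hashed from
     public data, so it is as sensitive as sk and must not stay on the
     stack. */
  sodium_memzero (sk, sizeof (sk));
  sodium_memzero (r, sizeof (r));
  sodium_memzero (r_mod, sizeof (r_mod));
  sodium_memzero (tmp, sizeof (tmp));
}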
unsigned char r[256/8]
R value.
unsigned char s[256/8]
S value.
unsigned char s[512/8]
s is the expanded private 512-bit scalar of a private key.

◆ GNUNET_CRYPTO_eddsa_key_get_public_from_scalar()

void GNUNET_CRYPTO_eddsa_key_get_public_from_scalar ( const struct GNUNET_CRYPTO_EddsaPrivateScalar *  s,
struct GNUNET_CRYPTO_EddsaPublicKey *  pkey 
)

Extract the public key of the given private scalar.

Parameters
s: the private scalar
pkey: the resulting public key

Calculate the derived zone key zk' from the derived private scalar.

Definition at line 426 of file crypto_ecc_gnsrecord.c.

References GNUNET_CRYPTO_EddsaPublicKey::q_y, and GNUNET_CRYPTO_EddsaPrivateScalar::s.

Referenced by block_create_eddsa().

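/**
 * Extract the public key of the given private scalar.
 *
 * @param priv the private scalar; only the first 32 bytes of priv->s are
 *        used for the scalar multiplication
 * @param pkey the resulting public key, written to pkey->q_y
 */
void
GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (
  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
  struct GNUNET_CRYPTO_EddsaPublicKey *pkey)
{
  /* Calculate the derived zone key zk' from the derived private scalar.
     The scalar is read straight from priv->s: the previous version copied
     it into a local buffer that was never wiped, which left secret key
     material on the stack after the call returned. */
  crypto_scalarmult_ed25519_base_noclamp (pkey->q_y,
                                          priv->s);
}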
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.
unsigned char s[512/8]
s is the expanded private 512-bit scalar of a private key.