[gnunet] branch master updated: -more comments on EDKEY signature
From: |
gnunet |
Subject: |
[gnunet] branch master updated: -more comments on EDKEY signature |
Date: |
Mon, 03 May 2021 08:52:54 +0200 |
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository gnunet.
The following commit(s) were added to refs/heads/master by this push:
new cddd56b6c -more comments on EDKEY signature
cddd56b6c is described below
commit cddd56b6c733d996e872783e7c54acf17135d11d
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Mon May 3 08:50:40 2021 +0200
-more comments on EDKEY signature
---
src/util/crypto_ecc_gnsrecord.c | 94 +++++++++++++++++++++++++++++------------
1 file changed, 68 insertions(+), 26 deletions(-)
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
index 6689a21f1..bab0ce44a 100644
--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -94,52 +94,94 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar (
{
crypto_hash_sha512_state hs;
- unsigned char az[64];
- unsigned char nonce[64];
+ unsigned char sk[64];
+ unsigned char r[64];
unsigned char hram[64];
unsigned char R[32];
- unsigned char pk[32];
+ unsigned char zk[32];
+ unsigned char tmp[32];
crypto_hash_sha512_init (&hs);
- // crypto_hash_sha512 (az, sk, 32); DO NOT EXPAND, WE HAVE A KEY
- memcpy (az, priv->s, 64);
- crypto_scalarmult_ed25519_base_noclamp (pk,
+ /**
+ * Instead of expanding the private here, we already
+ * have the secret scalar as input. Use it.
+ * Note that sk is not plain SHA512 (d).
+ * sk[0..31] contains the derived private scalar
+ * sk[0..31] = h * SHA512 (d)[0..31]
+ * sk[32..63] = SHA512 (d)[32..63]
+ */
+ memcpy (sk, priv->s, 64);
+
+ /**
+ * Calculate the derived zone key zk' from the
+ * derived private scalar.
+ */
+ crypto_scalarmult_ed25519_base_noclamp (zk,
priv->s);
- crypto_hash_sha512_update (&hs, az + 32, 32);
+ /**
+ * Calculate r:
+ * r = SHA512 (sk[32..63] | M)
+ * where M is our message (purpose).
+ * Note that sk[32..63] is the other half of the
+ * expansion from the original, non-derived private key
+ * "d".
+ */
+ crypto_hash_sha512_update (&hs, sk + 32, 32);
crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
- crypto_hash_sha512_final (&hs, nonce);
-
- // This effectively creates R || A in sig
- memcpy (sig->s, pk, 32);
-
- unsigned char nonce_mod[64];
- crypto_core_ed25519_scalar_reduce (nonce_mod, nonce);
- // nonce == r; r * G == R
- crypto_scalarmult_ed25519_base_noclamp (R, nonce_mod);
+ crypto_hash_sha512_final (&hs, r);
+
+ /**
+ * Temporarily put zk into S
+ */
+ memcpy (sig->s, zk, 32);
+
+ /**
+ * Reduce the scalar value r
+ */
+ unsigned char r_mod[64];
+ crypto_core_ed25519_scalar_reduce (r_mod, r);
+
+ /**
+ * Calculate R := r * G of the signature
+ */
+ crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
memcpy (sig->r, R, sizeof (R));
- // SHA512 (R | A | M) == k
+ /**
+ * Calculate
+ * hram := SHA512 (R | zk' | M)
+ */
crypto_hash_sha512_init (&hs);
crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
ntohl (purpose->size));
crypto_hash_sha512_final (&hs, hram);
+ /**
+ * Reduce the resulting scalar value
+ */
unsigned char hram_mod[64];
crypto_core_ed25519_scalar_reduce (hram_mod, hram);
- az[0] &= 248;
- az[31] &= 127;
- az[31] |= 64;
- unsigned char tmp[32];
- // r + k * s mod L == S
- crypto_core_ed25519_scalar_mul (tmp, hram_mod, az);
- crypto_core_ed25519_scalar_add (sig->s, tmp, nonce_mod);
+ /**
+ * Clamp the private scalar
+ */
+ sk[0] &= 248;
+ sk[31] &= 127;
+ sk[31] |= 64;
+
+ /**
+ * Calculate
+ * S := r + hram * s mod L
+ */
+ crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
+ crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
- sodium_memzero (az, sizeof az);
- sodium_memzero (nonce, sizeof nonce);
+ sodium_memzero (sk, sizeof (sk));
+ sodium_memzero (r, sizeof (r));
+ sodium_memzero (r_mod, sizeof (r_mod));
}
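Review bot: `tmp` holds `hram_mod * sk`, and because hram_mod is recoverable from the signature and the message, that product reveals the private scalar; it is left on the stack after return, unlike sk, r and r_mod, so the cleanup block at the end should also include `sodium_memzero (tmp, sizeof (tmp));`. A second point concerns the clamping step: the new comment documents sk[0..31] as the derived scalar h * SHA512(d)[0..31], while zk is computed from the unclamped priv->s, so forcing bits with `sk[0] &= 248; sk[31] &= 127; sk[31] |= 64;` leaves S consistent with zk only if the derivation already guarantees that bit pattern — worth confirming, or the comment should state why the clamp cannot change the value here. The function's signature lies above the hunk.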
--