[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnunet] 05/06: more work on new blind signing API
|
From: |
gnunet |
|
Subject: |
[gnunet] 05/06: more work on new blind signing API |
|
Date: |
Fri, 27 Oct 2023 20:08:44 +0200 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository gnunet.
commit 32af9c7dbb76672a86520b1b3aa8f7e6c48c58e4
Author: Christian Grothoff <grothoff@gnunet.org>
AuthorDate: Wed Oct 25 22:55:05 2023 +0200
more work on new blind signing API
---
src/include/gnunet_crypto_lib.h | 63 ++++++++++++++++++++++++++++++----------
src/lib/util/crypto_blind_sign.c | 54 +++++++++++++++++++++++++++++++---
src/lib/util/crypto_cs.c | 57 ++++++++++++++++++++++++------------
src/lib/util/test_crypto_blind.c | 23 +++++----------
src/lib/util/test_crypto_cs.c | 45 ++++++++++++++--------------
5 files changed, 165 insertions(+), 77 deletions(-)
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 31472f7a1..44db5f466 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -3158,9 +3158,19 @@ struct GNUNET_CRYPTO_CsBlindedMessage
struct GNUNET_CRYPTO_CsC c[2];
/**
- * Public nonce used to generate the R-values.
+ * Nonce used in initial request.
*/
struct GNUNET_CRYPTO_CsSessionNonce nonce;
+
+};
+
+
+/**
+ * Pair of Public R values for Cs denominations
+ */
+struct GNUNET_CRYPTO_CSPublicRPairP
+{
+ struct GNUNET_CRYPTO_CsRPublic r_pub[2];
};
@@ -3174,9 +3184,8 @@ struct GNUNET_CRYPTO_CsBlindedMessage
* @param msg the message to blind in preparation for signing
* @param msg_len length of message msg
* @param[out] blinded_c array of the two blinded c's
- * @param[out] blinded_r_pub array of the two blinded R
+ * @param[out] r_pub_blind array of the two blinded R
*/
-// FIXME: function signature can probably be improved...
void
GNUNET_CRYPTO_cs_calc_blinded_c (
const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
@@ -3185,7 +3194,7 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
const void *msg,
size_t msg_len,
struct GNUNET_CRYPTO_CsC blinded_c[2],
- struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2]);
+ struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind);
/**
@@ -3470,15 +3479,6 @@ struct GNUNET_CRYPTO_BlindedMessage
};
-/**
- * Pair of Public R values for Cs denominations
- */
-struct GNUNET_CRYPTO_CSPublicRPairP
-{
- struct GNUNET_CRYPTO_CsRPublic r_pub[2];
-};
-
-
/**
* Secret r for Cs denominations
*/
@@ -3519,6 +3519,35 @@ struct GNUNET_CRYPTO_BlindingInputValues
};
+/**
+ * Nonce used to deterministiacally derive input values
+ * used in multi-round blind signature protocols.
+ */
+union GNUNET_CRYPTO_BlindSessionNonce
+{
+ /**
+ * Nonce used when signing with CS.
+ */
+ struct GNUNET_CRYPTO_CsSessionNonce cs_nonce;
+};
+
+
+/**
+ * Compute blinding input values for a given @a nonce and
+ * @a salt.
+ *
+ * @param bsign_priv private key to compute input values for
+ * @param nonce session nonce to derive input values from
+ * @param salt salt to include in derivation logic
+ * @return blinding input values
+ */
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+ const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+ const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+ const char *salt);
+
+
/**
* Decrement reference counter of a @a bsign_pub, and free it if it reaches
zero.
*
@@ -3585,8 +3614,6 @@ GNUNET_CRYPTO_blinded_message_incref (
*/
struct GNUNET_CRYPTO_BlindSignPublicKey *
GNUNET_CRYPTO_bsign_pub_incref (struct GNUNET_CRYPTO_BlindSignPublicKey
*bsign_pub);
-
-
/**
* Increment reference counter of the given @a bsign_priv.
*
@@ -3733,6 +3760,8 @@ union GNUNET_CRYPTO_BlindingSecretP
*
* @param bsign_pub public key to blind for
* @param bks blinding secret to use
+ * @param nonce nonce used to obtain @a alg_values
+ * can be NULL if input values are not used for the cipher
* @param message message to sign
* @param message_size number of bytes in @a message
* @param alg_values algorithm specific values to blind the @a message
@@ -3742,6 +3771,7 @@ struct GNUNET_CRYPTO_BlindedMessage *
GNUNET_CRYPTO_message_blind_to_sign (
const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
const union GNUNET_CRYPTO_BlindingSecretP *bks,
+ const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
const void *message,
size_t message_size,
const struct GNUNET_CRYPTO_BlindingInputValues *alg_values);
@@ -3751,7 +3781,8 @@ GNUNET_CRYPTO_message_blind_to_sign (
* Create blind signature.
*
* @param bsign_priv private key to use for signing
- * @param salt salt value to use for the HKDF
+ * @param salt salt value to use for the HKDF,
+ * can be NULL if input values are not used for the cipher
* @param blinded_message the already blinded message to sign
* @return blind signature with RC=1, NULL on failure
*/
diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c
index bf6fbc119..469f6f5b8 100644
--- a/src/lib/util/crypto_blind_sign.c
+++ b/src/lib/util/crypto_blind_sign.c
@@ -388,10 +388,51 @@ GNUNET_CRYPTO_blind_sign_keys_create_va (
}
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+ const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+ const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+ const char *salt)
+{
+ struct GNUNET_CRYPTO_BlindingInputValues *biv;
+
+ biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
+ biv->cipher = bsign_priv->cipher;
+ biv->rc = 1;
+ switch (bsign_priv->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ GNUNET_free (biv);
+ return NULL;
+ case GNUNET_CRYPTO_BSA_RSA:
+ return biv;
+ case GNUNET_CRYPTO_BSA_CS:
+ {
+ struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+
+ GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
+ salt,
+ &bsign_priv->details.cs_private_key,
+ cspriv);
+ GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
+ &biv->details.cs_values.r_pub[0]);
+ GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
+ &biv->details.cs_values.r_pub[1]);
+ return biv;
+ }
+ }
+ GNUNET_break (0);
+ GNUNET_free (biv);
+ return NULL;
+}
+
+
struct GNUNET_CRYPTO_BlindedMessage *
GNUNET_CRYPTO_message_blind_to_sign (
const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
const union GNUNET_CRYPTO_BlindingSecretP *bks,
+ const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
const void *message,
size_t message_size,
const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
@@ -426,6 +467,12 @@ GNUNET_CRYPTO_message_blind_to_sign (
struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+ if (NULL == nonce)
+ {
+ GNUNET_break_op (0);
+ GNUNET_free (bm);
+ return NULL;
+ }
GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
bs);
GNUNET_CRYPTO_cs_calc_blinded_c (
@@ -435,10 +482,9 @@ GNUNET_CRYPTO_message_blind_to_sign (
message,
message_size,
bm->details.cs_blinded_message.c,
- blinded_r_pub.r_pub);
+ &blinded_r_pub);
+ bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
(void) blinded_r_pub;
- // FIXME: bs->details.cs_blinded_message.nonce
- // is NOT initialized here. Not elegant!
return bm;
}
}
@@ -562,7 +608,7 @@ GNUNET_CRYPTO_blind_sig_unblind (
message,
message_size,
c,
- r_pub_blind.r_pub);
+ &r_pub_blind);
b = blinded_sig->details.blinded_cs_answer.b;
ub_sig->details.cs_signature.r_point
= r_pub_blind.r_pub[b];
diff --git a/src/lib/util/crypto_cs.c b/src/lib/util/crypto_cs.c
index 2ff7c70ce..049f63062 100644
--- a/src/lib/util/crypto_cs.c
+++ b/src/lib/util/crypto_cs.c
@@ -158,8 +158,12 @@ cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic
*r_dash,
// SHA-512 hash of R' and message
size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
char r_m_concat[r_m_concat_len];
- memcpy (r_m_concat, r_dash, sizeof(struct GNUNET_CRYPTO_CsRPublic));
- memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic), msg, msg_len);
+ memcpy (r_m_concat,
+ r_dash,
+ sizeof(struct GNUNET_CRYPTO_CsRPublic));
+ memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
+ msg,
+ msg_len);
struct GNUNET_HashCode prehash;
GNUNET_CRYPTO_hash (r_m_concat,
@@ -215,18 +219,21 @@ calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret
*bs,
alpha_mul_base.y,
bs->alpha.d));
struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
- GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (beta_mul_pub.y,
- bs->beta.d,
- pub->point.y));
+ GNUNET_assert (0 ==
+ crypto_scalarmult_ed25519_noclamp (
+ beta_mul_pub.y,
+ bs->beta.d,
+ pub->point.y));
struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
GNUNET_assert (0 == crypto_core_ed25519_add (
alpha_mul_base_plus_beta_mul_pub.y,
alpha_mul_base.y,
beta_mul_pub.y));
- GNUNET_assert (0 == crypto_core_ed25519_add (blinded_r_pub->point.y,
- r_pub->point.y,
-
alpha_mul_base_plus_beta_mul_pub.
- y));
+ GNUNET_assert (0 ==
+ crypto_core_ed25519_add (
+ blinded_r_pub->point.y,
+ r_pub->point.y,
+ alpha_mul_base_plus_beta_mul_pub.y));
}
@@ -238,19 +245,33 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
const void *msg,
size_t msg_len,
struct GNUNET_CRYPTO_CsC blinded_c[2],
- struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+ struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
{
- // for i 0/1: R'i = Ri + alpha i*G + beta i*pub
- calc_r_dash (&bs[0], &r_pub[0], pub, &blinded_r_pub[0]);
- calc_r_dash (&bs[1], &r_pub[1], pub, &blinded_r_pub[1]);
-
- // for i 0/1: c'i = H(R'i, msg)
+ /* for i 0/1: R'i = Ri + alpha i*G + beta i*pub */
+ calc_r_dash (&bs[0],
+ &r_pub[0],
+ pub,
+ &r_pub_blind->r_pub[0]);
+ calc_r_dash (&bs[1],
+ &r_pub[1],
+ pub,
+ &r_pub_blind->r_pub[1]);
+
+ /* for i 0/1: c'i = H(R'i, msg) */
struct GNUNET_CRYPTO_CsC c_dash_0;
struct GNUNET_CRYPTO_CsC c_dash_1;
- cs_full_domain_hash (&blinded_r_pub[0], msg, msg_len, pub, &c_dash_0);
- cs_full_domain_hash (&blinded_r_pub[1], msg, msg_len, pub, &c_dash_1);
+ cs_full_domain_hash (&r_pub_blind->r_pub[0],
+ msg,
+ msg_len,
+ pub,
+ &c_dash_0);
+ cs_full_domain_hash (&r_pub_blind->r_pub[1],
+ msg,
+ msg_len,
+ pub,
+ &c_dash_1);
- // for i 0/1: ci = c'i + beta i mod p
+ /* for i 0/1: ci = c'i + beta i mod p */
crypto_core_ed25519_scalar_add (blinded_c[0].scalar.d,
c_dash_0.scalar.d,
bs[0].beta.d);
diff --git a/src/lib/util/test_crypto_blind.c b/src/lib/util/test_crypto_blind.c
index 726516bc2..d7efd79ea 100644
--- a/src/lib/util/test_crypto_blind.c
+++ b/src/lib/util/test_crypto_blind.c
@@ -34,13 +34,12 @@ main (int argc,
{
struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
- struct GNUNET_CRYPTO_BlindingInputValues biv;
+ struct GNUNET_CRYPTO_BlindingInputValues *biv;
struct GNUNET_CRYPTO_BlindedMessage *bm;
struct GNUNET_CRYPTO_BlindedSignature *bsig;
struct GNUNET_CRYPTO_UnblindedSignature *sig;
union GNUNET_CRYPTO_BlindingSecretP bsec;
- struct GNUNET_CRYPTO_CsSessionNonce nonce;
- struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+ union GNUNET_CRYPTO_BlindSessionNonce nonce;
GNUNET_log_setup ("test-crypto-blind",
"WARNING",
@@ -55,21 +54,15 @@ main (int argc,
GNUNET_CRYPTO_blind_sign_keys_create (&priv,
&pub,
GNUNET_CRYPTO_BSA_CS));
- biv.cipher = GNUNET_CRYPTO_BSA_CS;
- GNUNET_CRYPTO_cs_r_derive (&nonce,
- "salt",
- &priv->details.cs_private_key,
- cspriv);
- GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
- &biv.details.cs_values.r_pub[0]);
- GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
- &biv.details.cs_values.r_pub[1]);
+ biv = GNUNET_CRYPTO_get_blinding_input_values (priv,
+ &nonce,
+ "salt");
bm = GNUNET_CRYPTO_message_blind_to_sign (pub,
&bsec,
+ &nonce,
"hello",
5,
- &biv);
- bm->details.cs_blinded_message.nonce = nonce; // FIXME: ugly!
+ biv);
bsig = GNUNET_CRYPTO_blind_sign (priv,
"salt",
bm);
@@ -77,7 +70,7 @@ main (int argc,
&bsec,
"hello",
5,
- &biv,
+ biv,
pub);
GNUNET_assert (GNUNET_OK ==
GNUNET_CRYPTO_blind_sig_verify (pub,
diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c
index 5b3aac778..ee68db72f 100644
--- a/src/lib/util/test_crypto_cs.c
+++ b/src/lib/util/test_crypto_cs.c
@@ -216,7 +216,7 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
const void *msg,
size_t msg_len,
struct GNUNET_CRYPTO_CsC blinded_cs[2],
- struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+ struct GNUNET_CRYPTO_CSPublicRPairP *blinded_r_pub)
{
/* TEST 1
* Check that the blinded c's and blinded r's
@@ -227,10 +227,8 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
&blinded_cs[0],
sizeof(struct GNUNET_CRYPTO_CsC) * 2);
- struct GNUNET_CRYPTO_CsRPublic other_blinded_r_pub[2];
- memcpy (&other_blinded_r_pub[0],
- &blinded_r_pub[0],
- sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
+ struct GNUNET_CRYPTO_CSPublicRPairP other_blinded_pub;
+ other_blinded_pub = *blinded_r_pub;
GNUNET_CRYPTO_cs_calc_blinded_c (bs,
r_pub,
@@ -243,9 +241,9 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
GNUNET_assert (0 != memcmp (&other_blinded_c[0],
&blinded_cs[0],
sizeof(struct GNUNET_CRYPTO_CsC) * 2));
- GNUNET_assert (0 != memcmp (&other_blinded_r_pub[0],
- &blinded_r_pub[0],
- sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+ GNUNET_assert (0 !=
+ GNUNET_memcmp (&other_blinded_pub,
+ blinded_r_pub));
/* TEST 2
* Check if R' - aG -bX = R for b = 0
@@ -270,7 +268,7 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
GNUNET_assert (0 ==
crypto_core_ed25519_sub (
r_min_aG.y,
- blinded_r_pub[b].point.y,
+ blinded_r_pub->r_pub[b].point.y,
aG.y));
GNUNET_assert (0 == crypto_core_ed25519_sub (
res.point.y,
@@ -289,10 +287,10 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
*/
GNUNET_assert (1 ==
crypto_core_ed25519_is_valid_point (
- blinded_r_pub[0].point.y));
+ blinded_r_pub->r_pub[0].point.y));
GNUNET_assert (1 ==
crypto_core_ed25519_is_valid_point (
- blinded_r_pub[1].point.y));
+ blinded_r_pub->r_pub[1].point.y));
/* TEST 4
* Check if function gives the same result for the same input.
@@ -300,9 +298,7 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
memcpy (&other_blinded_c[0],
&blinded_cs[0],
sizeof(struct GNUNET_CRYPTO_CsC) * 2);
- memcpy (&other_blinded_r_pub[0],
- &blinded_r_pub[0],
- sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
+ other_blinded_pub = *blinded_r_pub;
for (unsigned int i = 0; i<ITER; i++)
{
@@ -313,12 +309,13 @@ test_calc_blindedc (const struct
GNUNET_CRYPTO_CsBlindingSecret bs[2],
msg_len,
blinded_cs,
blinded_r_pub);
- GNUNET_assert (0 == memcmp (&other_blinded_c[0],
- &blinded_cs[0],
- sizeof(struct GNUNET_CRYPTO_CsC) * 2));
- GNUNET_assert (0 == memcmp (&other_blinded_r_pub[0],
- &blinded_r_pub[0],
- sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+ GNUNET_assert (0 ==
+ memcmp (&other_blinded_c[0],
+ &blinded_cs[0],
+ sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+ GNUNET_assert (0 ==
+ GNUNET_memcmp (&other_blinded_pub,
+ blinded_r_pub));
}
}
@@ -563,12 +560,12 @@ main (int argc,
// calculate blinded c's
struct GNUNET_CRYPTO_CsBlindedMessage bm;
struct GNUNET_CRYPTO_CsC blinded_cs[2];
- struct GNUNET_CRYPTO_CsRPublic blinded_r_pubs[2];
+ struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pubs;
memset (blinded_cs,
42,
sizeof (blinded_cs));
- memset (blinded_r_pubs,
+ memset (&blinded_r_pubs,
42,
sizeof (blinded_r_pubs));
test_calc_blindedc (blindingsecrets,
@@ -577,7 +574,7 @@ main (int argc,
message,
message_len,
blinded_cs,
- blinded_r_pubs);
+ &blinded_r_pubs);
// ---------- actions performed by signer
// sign blinded c's and get b and s in return
@@ -614,7 +611,7 @@ main (int argc,
// verify unblinded signature
struct GNUNET_CRYPTO_CsSignature signature;
- signature.r_point = blinded_r_pubs[blinded_s.b];
+ signature.r_point = blinded_r_pubs.r_pub[blinded_s.b];
signature.s_scalar = sig_scalar;
test_verify (&signature,
&pub,
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
- [gnunet] branch master updated (23853f2d7 -> db1ea2c6e), gnunet, 2023/10/27
- [gnunet] 03/06: distinguish blinding and session nonces, gnunet, 2023/10/27
- [gnunet] 04/06: more work on new blind signature API and implementation, gnunet, 2023/10/27
- [gnunet] 01/06: NEWS: major revision of blind signature API, gnunet, 2023/10/27
- [gnunet] 06/06: -fix memory leak, gnunet, 2023/10/27
- [gnunet] 02/06: new blind signing logic, gnunet, 2023/10/27
- [gnunet] 05/06: more work on new blind signing API,
gnunet <=