2 files changed, 74 insertions, 17 deletions
diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h
index 7117c67fe..ef5096405 100644
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@@ -386,10 +386,17 @@ struct TALER_CoinSpendSignatureP
  */
 struct TALER_AgeCommitmentPrivateKeyP
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
   /**
    * Taler uses EcDSA for coins when signing age verification attestation.
    */
   struct GNUNET_CRYPTO_EcdsaPrivateKey priv;
+#else
+  /**
+   * Taler uses Edx25519 for coins when signing age verification attestation.
+   */
+  struct GNUNET_CRYPTO_Edx25519PrivateKey priv;
+#endif
 };
 
 
@@ -398,10 +405,17 @@ struct TALER_AgeCommitmentPrivateKeyP
  */
 struct TALER_AgeCommitmentPublicKeyP
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
   /**
    * Taler uses EcDSA for coins when signing age verification attestation.
    */
   struct GNUNET_CRYPTO_EcdsaPublicKey pub;
+#else
+  /**
+   * Taler uses Edx25519 for coins when signing age verification attestation.
+   */
+  struct GNUNET_CRYPTO_Edx25519PublicKey pub;
+#endif
 };
 
 
@@ -1174,7 +1188,11 @@ struct TALER_AgeCommitmentHash
  */
 struct TALER_AgeAttestation
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
   struct GNUNET_CRYPTO_EcdsaSignature signature;
+#else
+  struct GNUNET_CRYPTO_Edx25519Signature signature;
+#endif
 };
 
 extern const struct TALER_AgeCommitmentHash TALER_ZeroAgeCommitmentHash;
diff --git a/src/util/age_restriction.c b/src/util/age_restriction.c
index a9e066c85..3f382ab79 100644
--- a/src/util/age_restriction.c
+++ b/src/util/age_restriction.c
@@ -47,8 +47,7 @@ TALER_age_commitment_hash (
   {
     GNUNET_CRYPTO_hash_context_read (hash_context,
                                      &commitment->keys[i],
-                                     sizeof(struct
-                                            GNUNET_CRYPTO_EcdsaPublicKey));
+                                     sizeof(commitment->keys[i]));
   }
 
   GNUNET_CRYPTO_hash_context_finish (hash_context,
@@ -128,13 +127,23 @@ TALER_age_restriction_commit (
     if (i < num_priv)
       pkey = &new->proof.keys[i];
 
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+    GNUNET_CRYPTO_edx25519_key_create_from_seed (&salti,
+                                                 sizeof(salti),
+                                                 &pkey->priv);
+    GNUNET_CRYPTO_edx25519_key_get_public (&pkey->priv,
+                                           &new->commitment.keys[i].pub);
+  }
+
+  return GNUNET_OK;
+#else
     if  (GNUNET_OK !=
          GNUNET_CRYPTO_kdf (pkey,
                             sizeof (*pkey),
                             &salti,
                             sizeof (salti),
                             "age commitment",
-                            strlen ("age derivation"),
+                            strlen ("age commitment"),
                             NULL, 0))
       goto FAIL;
 
@@ -154,6 +163,7 @@ FAIL:
   if (NULL != new->proof.keys)
     GNUNET_free (new->proof.keys);
   return GNUNET_SYSERR;
+#endif
 }
 
 
@@ -163,8 +173,6 @@ TALER_age_commitment_derive (
   const uint64_t salt,
   struct TALER_AgeCommitmentProof *new)
 {
-  char label[sizeof(uint64_t) + 1] = {0};
-
   GNUNET_assert (NULL != new);
   GNUNET_assert (orig->proof.num <=
                  orig->commitment.num);
@@ -184,13 +192,34 @@ TALER_age_commitment_derive (
       new->proof.num,
       struct TALER_AgeCommitmentPrivateKeyP);
 
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+  /* 1. Derive the public keys */
+  for (size_t i = 0; i < orig->commitment.num; i++)
   {
-    /* Because GNUNET_CRYPTO_ecdsa_public_key_derive expects char * (and calls
-     * strlen on it), we must avoid 0's in the label.  */
-    uint64_t nz_salt = salt | 0x8040201008040201;
-    memcpy (label, &nz_salt, sizeof(nz_salt));
+    GNUNET_CRYPTO_edx25519_public_key_derive (
+      &orig->commitment.keys[i].pub,
+      &salt,
+      sizeof(salt),
+      &new->commitment.keys[i].pub);
   }
 
+  /* 2. Derive the private keys */
+  for (size_t i = 0; i < orig->proof.num; i++)
+  {
+    GNUNET_CRYPTO_edx25519_private_key_derive (
+      &orig->proof.keys[i].priv,
+      &salt,
+      sizeof(salt),
+      &new->proof.keys[i].priv);
+  }
+#else
+  char label[sizeof(uint64_t) + 1] = {0};
+
+  /* Because GNUNET_CRYPTO_ecdsa_public_key_derive expects char * (and calls
+   * strlen on it), we must avoid 0's in the label.  */
+  uint64_t nz_salt = salt | 0x8040201008040201;
+  memcpy (label, &nz_salt, sizeof(nz_salt));
+
   /* 1. Derive the public keys */
   for (size_t i = 0; i < orig->commitment.num; i++)
   {
@@ -212,6 +241,7 @@ TALER_age_commitment_derive (
     new->proof.keys[i].priv = *priv;
     GNUNET_free (priv);
   }
+#endif
 
   return GNUNET_OK;
 }
@@ -276,9 +306,14 @@ TALER_age_commitment_attest (
       .age = age
     };
 
-    GNUNET_CRYPTO_ecdsa_sign (&cp->proof.keys[group - 1].priv,
-                              &at,
-                              &attest->signature);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+  #define sign(a,b,c)  GNUNET_CRYPTO_edx25519_sign (a,b,c)
+#else
+  #define sign(a,b,c)  GNUNET_CRYPTO_ecdsa_sign (a,b,c)
+#endif
+    sign (&cp->proof.keys[group - 1].priv,
+          &at,
+          &attest->signature);
   }
 
   return GNUNET_OK;
@@ -316,11 +351,15 @@ TALER_age_commitment_verify (
       .age = age,
     };
 
-    return
-      GNUNET_CRYPTO_ecdsa_verify (TALER_SIGNATURE_WALLET_AGE_ATTESTATION,
-                                  &at,
-                                  &attest->signature,
-                                  &comm->keys[group - 1].pub);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+  #define verify(a,b,c,d)      GNUNET_CRYPTO_edx25519_verify (a,b,c,d)
+#else
+  #define verify(a,b,c,d)      GNUNET_CRYPTO_ecdsa_verify (a,b,c,d)
+#endif
+    return verify (TALER_SIGNATURE_WALLET_AGE_ATTESTATION,
+                   &at,
+                   &attest->signature,
+                   &comm->keys[group - 1].pub);
   }
 }