summaryrefslogtreecommitdiff
path: root/doc/cs/content/appendix/crypto_implementation.tex
diff options
context:
space:
mode:
Diffstat (limited to 'doc/cs/content/appendix/crypto_implementation.tex')
-rw-r--r--doc/cs/content/appendix/crypto_implementation.tex279
1 files changed, 279 insertions, 0 deletions
diff --git a/doc/cs/content/appendix/crypto_implementation.tex b/doc/cs/content/appendix/crypto_implementation.tex
new file mode 100644
index 000000000..9ae9b5865
--- /dev/null
+++ b/doc/cs/content/appendix/crypto_implementation.tex
@@ -0,0 +1,279 @@
+\begin{lstlisting}[style=bfh-c,language=C,, caption={Crypto Implementation API}, label={lst:cryptoapi}]
+ #include <sodium.h>
+
+ /**
+ * IMPLEMENTATION NOTICE:
+ *
+ * This is an implementation of the Schnorr, Blind Schnorr and
+ * Clause Blind Schnorr Signature Scheme using Curve25519.
+ * We use libsodium wherever possible.
+ *
+ * Blind Schnorr: The Blind Schnorr Signature Scheme is BROKEN!
+ * Use the Clause Blind Schnorr Signature Scheme instead.
+ *
+ * Clause Blind Schnorr Signature Scheme:
+ * This is a variation of the Blind Schnorr Signature Scheme where all operations
+ * before the signature creation are performed twice.
+ * The signer randomly chooses one of the two sessions and only creates the signature for this session.
+ * Note that the Clause part needs to be implemented by whoever uses this API.
+ * Further details about the Clause Blind Schnorr Signature Scheme can be found here:
+ * https://eprint.iacr.org/2019/877.pdf
+ */
+
+
+ /**
+ * Curve25519 Scalar
+ */
+ struct GNUNET_CRYPTO_Cs25519Scalar
+ {
+ /**
+ * 32 byte scalar
+ */
+ unsigned char d[crypto_core_ed25519_SCALARBYTES];
+ };
+
+
+ /**
+ * Curve25519 point
+ */
+ struct GNUNET_CRYPTO_Cs25519Point
+ {
+ /**
+ * This is a point on the Curve25519.
+ * The x coordinate can be restored using the y coordinate
+ */
+ unsigned char y[crypto_core_ed25519_BYTES];
+ };
+
+
+ /**
+ * The private information of an Schnorr key pair.
+ */
+ struct GNUNET_CRYPTO_CsPrivateKey
+ {
+ struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+ };
+
+
+ /**
+ * The public information of an Schnorr key pair.
+ */
+ struct GNUNET_CRYPTO_CsPublicKey
+ {
+ struct GNUNET_CRYPTO_Cs25519Point point;
+ };
+
+
+ /**
+ * Secret used for blinding (alpha and beta).
+ */
+ struct GNUNET_CRYPTO_CsBlindingSecret
+ {
+ struct GNUNET_CRYPTO_Cs25519Scalar alpha;
+ struct GNUNET_CRYPTO_Cs25519Scalar beta;
+ };
+
+
+ /**
+ * the private r used in the signature
+ */
+ struct GNUNET_CRYPTO_CsRSecret
+ {
+ struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+ };
+
+
+ /**
+ * the public R (derived from r) used in c
+ */
+ struct GNUNET_CRYPTO_CsRPublic
+ {
+ struct GNUNET_CRYPTO_Cs25519Point point;
+ };
+
+ /**
+ * Schnorr c to be signed
+ */
+ struct GNUNET_CRYPTO_CsC
+ {
+ struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+ };
+
+ /**
+ * s in the signature
+ */
+ struct GNUNET_CRYPTO_CsS
+ {
+ struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+ };
+
+ /**
+ * blinded s in the signature
+ */
+ struct GNUNET_CRYPTO_CsBlindS
+ {
+ struct GNUNET_CRYPTO_Cs25519Scalar scalar;
+ };
+
+ /**
+ * CS Signtature containing scalar s and point R
+ */
+ struct GNUNET_CRYPTO_CsSignature
+ {
+ /**
+ * Schnorr signatures are composed of a scalar s and a curve point
+ */
+ struct GNUNET_CRYPTO_CsS s_scalar;
+ struct GNUNET_CRYPTO_Cs25519Point r_point;
+ };
+
+ /**
+ * Nonce
+ */
+ struct GNUNET_CRYPTO_CsNonce
+ {
+ /*a nonce*/
+ unsigned char nonce[256 / 8];
+ };
+
+
+ /**
+ * Create a new random private key.
+ *
+ * @param[out] priv where to write the fresh private key
+ */
+ void
+ GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv);
+
+
+ /**
+ * Extract the public key of the given private key.
+ *
+ * @param priv the private key
+ * @param[out] pub where to write the public key
+ */
+ void
+ GNUNET_CRYPTO_cs_private_key_get_public (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+ struct GNUNET_CRYPTO_CsPublicKey *pub);
+
+
+ /**
+ * Derive a new secret r pair r0 and r1.
+ * In original papers r is generated randomly
+ * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce should be used when a new r needs to be derived.
+ * Uses HKDF internally.
+ * Comment: Can be done in one HKDF shot and split output.
+ *
+ * @param nonce is a random nonce
+ * @param lts is a long-term-secret in form of a private key
+ * @param[out] r array containing derived secrets r0 and r1
+ */
+ void
+ GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce,
+ const struct GNUNET_CRYPTO_CsPrivateKey *lts,
+ struct GNUNET_CRYPTO_CsRSecret r[2]);
+
+
+ /**
+ * Extract the public R of the given secret r.
+ *
+ * @param r_priv the private key
+ * @param[out] r_pub where to write the public key
+ */
+ void
+ GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv,
+ struct GNUNET_CRYPTO_CsRPublic *r_pub);
+
+
+ /**
+ * Derives new random blinding factors.
+ * In original papers blinding factors are generated randomly
+ * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE
+ * To ensure unpredictability a new nonce has to be used.
+ * Uses HKDF internally
+ *
+ * @param secret is secret to derive blinding factors
+ * @param secret_len secret length
+ * @param[out] bs array containing the two derivedGNUNET_CRYPTO_CsBlindingSecret
+ */
+ void
+ GNUNET_CRYPTO_cs_blinding_secrets_derive (const struct GNUNET_CRYPTO_CsNonce *blind_seed,
+ struct GNUNET_CRYPTO_CsBlindingSecret bs[2]);
+
+
+ /**
+ * Calculate two blinded c's
+ * Comment: One would be insecure due to Wagner's algorithm solving ROS
+ *
+ * @param bs array of the two blinding factor structs each containing alpha and beta
+ * @param r_pub array of the two signer's nonce R
+ * @param pub the public key of the signer
+ * @param msg the message to blind in preparation for signing
+ * @param msg_len length of message msg
+ * @param[out] blinded_c array of the two blinded c's
+ */
+ void
+ GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
+ const struct GNUNET_CRYPTO_CsRPublic r_pub[2],
+ const struct GNUNET_CRYPTO_CsPublicKey *pub,
+ const void *msg,
+ size_t msg_len,
+ struct GNUNET_CRYPTO_CsC blinded_c[2]);
+
+
+ /**
+ * Sign a blinded c
+ * This function derives b from a nonce and a longterm secret
+ * In original papers b is generated randomly
+ * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE.
+ * To ensure unpredictability a new nonce has to be used for every signature
+ * HKDF is used internally for derivation
+ * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive
+ *
+ * @param priv private key to use for the signing and as LTS in HKDF
+ * @param r array of the two secret nonce from the signer
+ * @param c array of the two blinded c to sign c_b
+ * @param nonce is a random nonce
+ * @param[out] blinded_signature_scalar where to write the signature
+ * @return 0 or 1 for b (see Clause Blind Signature Scheme)
+ */
+ int
+ GNUNET_CRYPTO_cs_sign_derive(const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+ const struct GNUNET_CRYPTO_CsRSecret r[2],
+ const struct GNUNET_CRYPTO_CsC c[2],
+ const struct GNUNET_CRYPTO_CsNonce *nonce,
+ struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar
+ );
+
+
+ /**
+ * Unblind a blind-signed signature using a c that was blinded
+ *
+ * @param blinded_signature_scalar the signature made on the blinded c
+ * @param bs the blinding factors used in the blinding
+ * @param[out] signature_scalar where to write the unblinded signature
+ */
+ void
+ GNUNET_CRYPTO_cs_unblind (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
+ const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
+ struct GNUNET_CRYPTO_CsS *signature_scalar);
+
+
+ /**
+ * Verify whether the given message corresponds to the given signature and the
+ * signature is valid with respect to the given public key.
+ *
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @param msg is the message that should be signed by @a sig (message is used to calculate c)
+ * @param msg_len is the message length
+ * @returns #GNUNET_YES on success, #GNUNET_SYSERR if key parameter(s) invalid #GNUNET_NO if signature invalid
+ */
+ enum GNUNET_GenericReturnValue
+ GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
+ const struct GNUNET_CRYPTO_CsPublicKey *pub,
+ const void *msg,
+ size_t msg_len);
+
+\end{lstlisting} \ No newline at end of file