From a2386abadba4c211a00879f54ff030a86e491418 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96zg=C3=BCr=20Kesim?=
Date: Mon, 28 Mar 2022 11:04:00 +0200
Subject: [PATCH] [age restriction] progress 19/19 (final) - Use Edx25519 for crypto We switch from EcDSA to Edx25519 for the underlying signature scheme. Edx25519 is implemented in gnunet, starting with (gnunet-)commit ce38d1f6c9bd7857a1c3bc2094a0ee9752b86c32.
---
 src/include/taler_crypto_lib.h | 18 +++++++++
 src/util/age_restriction.c | 73 ++++++++++++++++++++++++++--------
 2 files changed, 74 insertions(+), 17 deletions(-)
diff --git a/src/include/taler_crypto_lib.h b/src/include/taler_crypto_lib.h
index 7117c67fe..ef5096405 100644
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@@ -386,10 +386,17 @@ struct TALER_CoinSpendSignatureP
 */
 struct TALER_AgeCommitmentPrivateKeyP
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
 /**
 * Taler uses EcDSA for coins when signing age verification attestation.
 */
 struct GNUNET_CRYPTO_EcdsaPrivateKey priv;
+#else
+ /**
+ * Taler uses Edx25519 for coins when signing age verification attestation.
+ */
+ struct GNUNET_CRYPTO_Edx25519PrivateKey priv;
+#endif
 };
@@ -398,10 +405,17 @@ struct TALER_AgeCommitmentPrivateKeyP
 */
 struct TALER_AgeCommitmentPublicKeyP
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
 /**
 * Taler uses EcDSA for coins when signing age verification attestation.
 */
 struct GNUNET_CRYPTO_EcdsaPublicKey pub;
+#else
+ /**
+ * Taler uses Edx25519 for coins when signing age verification attestation.
+ */
+ struct GNUNET_CRYPTO_Edx25519PublicKey pub;
+#endif
 };
@@ -1174,7 +1188,11 @@ struct TALER_AgeCommitmentHash
 */
 struct TALER_AgeAttestation
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
 struct GNUNET_CRYPTO_EcdsaSignature signature;
+#else
+ struct GNUNET_CRYPTO_Edx25519Signature signature;
+#endif
 };
 extern const struct TALER_AgeCommitmentHash TALER_ZeroAgeCommitmentHash;
diff --git a/src/util/age_restriction.c b/src/util/age_restriction.c
index a9e066c85..3f382ab79 100644
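Review bot: The `#ifdef AGE_RESTRICTION_WITH_ECDSA` switch inside `struct TALER_AgeCommitmentPrivateKeyP` (repeated in `TALER_AgeCommitmentPublicKeyP` and `TALER_AgeAttestation` in the two following hunks) makes the member types of public crypto structs depend on a macro that the visible parts of this header neither define nor document. A consumer that includes taler_crypto_lib.h with a different setting than the library was built with would compile cleanly yet disagree on the key and signature types (and on struct size wherever the two schemes differ). I would add a comment above the first `#ifdef`, e.g. `/* AGE_RESTRICTION_WITH_ECDSA must be set identically for the library and every includer; leaving it undefined selects Edx25519. */`, or take the macro from a generated config header that this file includes.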
--- a/src/util/age_restriction.c
+++ b/src/util/age_restriction.c
@@ -47,8 +47,7 @@ TALER_age_commitment_hash (
 {
 GNUNET_CRYPTO_hash_context_read (hash_context,
 &commitment->keys[i],
- sizeof(struct
- GNUNET_CRYPTO_EcdsaPublicKey));
+ sizeof(commitment->keys[i]));
 }
 GNUNET_CRYPTO_hash_context_finish (hash_context,
@@ -128,13 +127,23 @@ TALER_age_restriction_commit (
 if (i < num_priv)
 pkey = &new->proof.keys[i];
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+ GNUNET_CRYPTO_edx25519_key_create_from_seed (&salti,
+ sizeof(salti),
+ &pkey->priv);
+ GNUNET_CRYPTO_edx25519_key_get_public (&pkey->priv,
+ &new->commitment.keys[i].pub);
+ }
+
+ return GNUNET_OK;
+#else
 if (GNUNET_OK !=
 GNUNET_CRYPTO_kdf (pkey,
 sizeof (*pkey),
 &salti,
 sizeof (salti),
 "age commitment",
- strlen ("age derivation"),
+ strlen ("age commitment"),
 NULL, 0))
 goto FAIL;
@@ -154,6 +163,7 @@ FAIL:
 if (NULL != new->proof.keys)
 GNUNET_free (new->proof.keys);
 return GNUNET_SYSERR;
+#endif
 }
@@ -163,8 +173,6 @@ TALER_age_commitment_derive (
 const uint64_t salt,
 struct TALER_AgeCommitmentProof *new)
 {
- char label[sizeof(uint64_t) + 1] = {0};
-
 GNUNET_assert (NULL != new);
 GNUNET_assert (orig->proof.num <= orig->commitment.num);
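Review bot: In the new `#ifndef AGE_RESTRICTION_WITH_ECDSA` branch of TALER_age_restriction_commit (hunk at -128/+127) the private key is created straight from `salti` via `GNUNET_CRYPTO_edx25519_key_create_from_seed (&salti, sizeof(salti), &pkey->priv)`, so it carries no more entropy than `salti` and, unlike the `GNUNET_CRYPTO_kdf` call in the ECDSA branch, no context label. `salti` is declared outside the hunk; if it is a 64-bit per-index value built from the caller's salt, as the name suggests, that bound should be stated at the call or the seed widened. A comment such as `/* key strength is bounded by sizeof(salti); salti must come from a high-entropy, secret salt */` would make the assumption explicit. The branch also closes the loop with its own `}` and returns inside the conditional, which leaves the brace pairing split across `#ifndef`/`#else`; the function body starts and ends outside this hunk.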
@@ -184,13 +192,34 @@ TALER_age_commitment_derive (
 new->proof.num,
 struct TALER_AgeCommitmentPrivateKeyP);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+ /* 1. Derive the public keys */
+ for (size_t i = 0; i < orig->commitment.num; i++)
 {
- /* Because GNUNET_CRYPTO_ecdsa_public_key_derive expects char * (and calls
- * strlen on it), we must avoid 0's in the label. */
- uint64_t nz_salt = salt | 0x8040201008040201;
- memcpy (label, &nz_salt, sizeof(nz_salt));
+ GNUNET_CRYPTO_edx25519_public_key_derive (
+ &orig->commitment.keys[i].pub,
+ &salt,
+ sizeof(salt),
+ &new->commitment.keys[i].pub);
 }
+ /* 2. Derive the private keys */
+ for (size_t i = 0; i < orig->proof.num; i++)
+ {
+ GNUNET_CRYPTO_edx25519_private_key_derive (
+ &orig->proof.keys[i].priv,
+ &salt,
+ sizeof(salt),
+ &new->proof.keys[i].priv);
+ }
+#else
+ char label[sizeof(uint64_t) + 1] = {0};
+
+ /* Because GNUNET_CRYPTO_ecdsa_public_key_derive expects char * (and calls
+ * strlen on it), we must avoid 0's in the label. */
+ uint64_t nz_salt = salt | 0x8040201008040201;
+ memcpy (label, &nz_salt, sizeof(nz_salt));
+
 /* 1. Derive the public keys */
 for (size_t i = 0; i < orig->commitment.num; i++)
 {
@@ -212,6 +241,7 @@ TALER_age_commitment_derive (
 new->proof.keys[i].priv = *priv;
 GNUNET_free (priv);
 }
+#endif
 return GNUNET_OK;
 }
@@ -276,9 +306,14 @@ TALER_age_commitment_attest (
 .age = age
 };
- GNUNET_CRYPTO_ecdsa_sign (&cp->proof.keys[group - 1].priv,
- &at,
- &attest->signature);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+ #define sign(a,b,c) GNUNET_CRYPTO_edx25519_sign (a,b,c)
+#else
+ #define sign(a,b,c) GNUNET_CRYPTO_ecdsa_sign (a,b,c)
+#endif
+ sign (&cp->proof.keys[group - 1].priv,
+ &at,
+ &attest->signature);
 }
 return GNUNET_OK;
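Review bot: Both new loops in TALER_age_commitment_derive (hunk at -184/+192) pass `&salt, sizeof(salt)` to the Edx25519 derive functions, i.e. the raw in-memory bytes of a `uint64_t`, so the derived keys depend on the host's byte order. If a commitment is derived on one machine and re-derived or checked on another with different endianness, the public keys would not match. Converting once before the loops, `uint64_t salt_be = GNUNET_htonll (salt);`, and passing `&salt_be, sizeof(salt_be)` in both calls pins the seed encoding. The function's start and end lie outside this hunk.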
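Review bot: `#define sign(a,b,c)` is introduced inside the body of TALER_age_commitment_attest (hunk at -276/+306) under a short lower-case name and is not `#undef`ed in the visible lines, so it stays active for the rest of age_restriction.c and would silently rewrite any later call spelled `sign (...)`; the `#define verify(a,b,c,d)` in the TALER_age_commitment_verify hunk has the same problem. I would define both once at file scope under distinctive names, e.g. `#define AGE_SIGN(priv,purpose,sig) GNUNET_CRYPTO_edx25519_sign (priv,purpose,sig)`, or at least add `#undef sign` and `#undef verify` directly after the respective call. The function body continues outside the hunk.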
@@ -316,11 +351,15 @@ TALER_age_commitment_verify (
 .age = age,
 };
- return
- GNUNET_CRYPTO_ecdsa_verify (TALER_SIGNATURE_WALLET_AGE_ATTESTATION,
- &at,
- &attest->signature,
- &comm->keys[group - 1].pub);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+ #define verify(a,b,c,d) GNUNET_CRYPTO_edx25519_verify (a,b,c,d)
+#else
+ #define verify(a,b,c,d) GNUNET_CRYPTO_ecdsa_verify (a,b,c,d)
+#endif
+ return verify (TALER_SIGNATURE_WALLET_AGE_ATTESTATION,
+ &at,
+ &attest->signature,
+ &comm->keys[group - 1].pub);
 }
 }