[age restriction] progress 19/19 (final) - Use Edx25519 for crypto

We switch from EcDSA to Edx25519 for the underlying signature scheme. Edx25519 is implemented in gnunet, starting with (gnunet-)commit ce38d1f6c9bd7857a1c3bc2094a0ee9752b86c32.
2022-03-28 11:04:00 +02:00 · 2022-03-28 11:04:00 +02:00 · a2386abadb
commit a2386abadb
parent d61a19c275
2 changed files with 74 additions and 17 deletions
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@ -386,10 +386,17 @@ struct TALER_CoinSpendSignatureP
 */
 struct TALER_AgeCommitmentPrivateKeyP
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
  /**
   * Taler uses EcDSA for coins when signing age verification attestation.
   */
  struct GNUNET_CRYPTO_EcdsaPrivateKey priv;
+#else
+  /**
+   * Taler uses Edx25519 for coins when signing age verification attestation.
+   */
+  struct GNUNET_CRYPTO_Edx25519PrivateKey priv;
+#endif
 };


@ -398,10 +405,17 @@ struct TALER_AgeCommitmentPrivateKeyP
 */
 struct TALER_AgeCommitmentPublicKeyP
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
  /**
   * Taler uses EcDSA for coins when signing age verification attestation.
   */
  struct GNUNET_CRYPTO_EcdsaPublicKey pub;
+#else
+  /**
+   * Taler uses Edx25519 for coins when signing age verification attestation.
+   */
+  struct GNUNET_CRYPTO_Edx25519PublicKey pub;
+#endif
 };


@ -1174,7 +1188,11 @@ struct TALER_AgeCommitmentHash
 */
 struct TALER_AgeAttestation
 {
+#ifdef AGE_RESTRICTION_WITH_ECDSA
  struct GNUNET_CRYPTO_EcdsaSignature signature;
+#else
+  struct GNUNET_CRYPTO_Edx25519Signature signature;
+#endif
 };

 extern const struct TALER_AgeCommitmentHash TALER_ZeroAgeCommitmentHash;
--- a/src/util/age_restriction.c
+++ b/src/util/age_restriction.c
@ -47,8 +47,7 @@ TALER_age_commitment_hash (
  {
    GNUNET_CRYPTO_hash_context_read (hash_context,
                                     &commitment->keys[i],
-                                     sizeof(struct
-                                            GNUNET_CRYPTO_EcdsaPublicKey));
+                                     sizeof(commitment->keys[i]));
  }

  GNUNET_CRYPTO_hash_context_finish (hash_context,
@ -128,13 +127,23 @@ TALER_age_restriction_commit (
    if (i < num_priv)
      pkey = &new->proof.keys[i];

+#ifndef AGE_RESTRICTION_WITH_ECDSA
+    GNUNET_CRYPTO_edx25519_key_create_from_seed (&salti,
+                                                 sizeof(salti),
+                                                 &pkey->priv);
+    GNUNET_CRYPTO_edx25519_key_get_public (&pkey->priv,
+                                           &new->commitment.keys[i].pub);
+  }
+
+  return GNUNET_OK;
+#else
    if  (GNUNET_OK !=
         GNUNET_CRYPTO_kdf (pkey,
                            sizeof (*pkey),
                            &salti,
                            sizeof (salti),
                            "age commitment",
-                            strlen ("age derivation"),
+                            strlen ("age commitment"),
                            NULL, 0))
      goto FAIL;

@ -154,6 +163,7 @@ FAIL:
  if (NULL != new->proof.keys)
    GNUNET_free (new->proof.keys);
  return GNUNET_SYSERR;
+#endif
 }


@ -163,8 +173,6 @@ TALER_age_commitment_derive (
  const uint64_t salt,
  struct TALER_AgeCommitmentProof *new)
 {
-  char label[sizeof(uint64_t) + 1] = {0};
-
  GNUNET_assert (NULL != new);
  GNUNET_assert (orig->proof.num <=
                 orig->commitment.num);
@ -184,13 +192,34 @@ TALER_age_commitment_derive (
      new->proof.num,
      struct TALER_AgeCommitmentPrivateKeyP);

+#ifndef AGE_RESTRICTION_WITH_ECDSA
+  /* 1. Derive the public keys */
+  for (size_t i = 0; i < orig->commitment.num; i++)
  {
-    /* Because GNUNET_CRYPTO_ecdsa_public_key_derive expects char * (and calls
-     * strlen on it), we must avoid 0's in the label.  */
-    uint64_t nz_salt = salt | 0x8040201008040201;
-    memcpy (label, &nz_salt, sizeof(nz_salt));
+    GNUNET_CRYPTO_edx25519_public_key_derive (
+      &orig->commitment.keys[i].pub,
+      &salt,
+      sizeof(salt),
+      &new->commitment.keys[i].pub);
  }

+  /* 2. Derive the private keys */
+  for (size_t i = 0; i < orig->proof.num; i++)
+  {
+    GNUNET_CRYPTO_edx25519_private_key_derive (
+      &orig->proof.keys[i].priv,
+      &salt,
+      sizeof(salt),
+      &new->proof.keys[i].priv);
+  }
+#else
+  char label[sizeof(uint64_t) + 1] = {0};
+
+  /* Because GNUNET_CRYPTO_ecdsa_public_key_derive expects char * (and calls
+   * strlen on it), we must avoid 0's in the label.  */
+  uint64_t nz_salt = salt | 0x8040201008040201;
+  memcpy (label, &nz_salt, sizeof(nz_salt));
+
  /* 1. Derive the public keys */
  for (size_t i = 0; i < orig->commitment.num; i++)
  {
@ -212,6 +241,7 @@ TALER_age_commitment_derive (
    new->proof.keys[i].priv = *priv;
    GNUNET_free (priv);
  }
+#endif

  return GNUNET_OK;
 }
@ -276,9 +306,14 @@ TALER_age_commitment_attest (
      .age = age
    };

-    GNUNET_CRYPTO_ecdsa_sign (&cp->proof.keys[group - 1].priv,
-                              &at,
-                              &attest->signature);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+  #define sign(a,b,c)  GNUNET_CRYPTO_edx25519_sign (a,b,c)
+#else
+  #define sign(a,b,c)  GNUNET_CRYPTO_ecdsa_sign (a,b,c)
+#endif
+    sign (&cp->proof.keys[group - 1].priv,
+          &at,
+          &attest->signature);
  }

  return GNUNET_OK;
@ -316,11 +351,15 @@ TALER_age_commitment_verify (
      .age = age,
    };

-    return
-      GNUNET_CRYPTO_ecdsa_verify (TALER_SIGNATURE_WALLET_AGE_ATTESTATION,
-                                  &at,
-                                  &attest->signature,
-                                  &comm->keys[group - 1].pub);
+#ifndef AGE_RESTRICTION_WITH_ECDSA
+  #define verify(a,b,c,d)      GNUNET_CRYPTO_edx25519_verify (a,b,c,d)
+#else
+  #define verify(a,b,c,d)      GNUNET_CRYPTO_ecdsa_verify (a,b,c,d)
+#endif
+    return verify (TALER_SIGNATURE_WALLET_AGE_ATTESTATION,
+                   &at,
+                   &attest->signature,
+                   &comm->keys[group - 1].pub);
  }
 }