authorNick Mathewson <nickm@torproject.org>2014-08-27 00:18:26 -0400
committerNick Mathewson <nickm@torproject.org>2014-09-25 15:08:31 -0400
commit4caa6fad4c71391ab41e92a32aa58b10b6febe7f (patch)
tree5a4a92ea93940837470b28c52cbecb780687fd27 /src/ext/ed25519/ref10
parented48b0fe56df2f719cd7cd274c664f7037f98b75 (diff)
Add curve25519->ed25519 key conversion per proposal 228
For proposal 228, we need to cross-certify our identity with our curve25519 key, so that we can prove at descriptor-generation time that we own that key. But how can we sign something with a key that is only for doing Diffie-Hellman? By converting it to the corresponding ed25519 point. See the ALL-CAPS warning in the documentation. According to djb (IIUC), it is safe to use these keys in the ways that ntor and prop228 are using them, but it might not be safe if we start providing crazy oracle access. (Unit tests included. What kind of a monster do you take me for?)
Diffstat (limited to 'src/ext/ed25519/ref10')
-rw-r--r--src/ext/ed25519/ref10/ed25519_ref10.h5
-rw-r--r--src/ext/ed25519/ref10/keyconv.c37
2 files changed, 42 insertions, 0 deletions
diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h
index cd0244f306..da8cea19f0 100644
--- a/src/ext/ed25519/ref10/ed25519_ref10.h
+++ b/src/ext/ed25519/ref10/ed25519_ref10.h
@@ -16,4 +16,9 @@ int ed25519_ref10_sign(
const unsigned char *m,uint64_t mlen,
const unsigned char *sk, const unsigned char *pk);
+/* Added in Tor */
+int ed25519_ref10_pubkey_from_curve25519_pubkey(unsigned char *out,
+ const unsigned char *inp,
+ int signbit);
+
#endif
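Review bot: The new prototype at the end of ed25519_ref10.h is documented only by `/* Added in Tor */`, so a caller reading the header learns neither the buffer sizes nor what `signbit` means. I would add a comment such as `/* Convert the 32-byte curve25519 public key inp into a 32-byte ed25519 public key in out; signbit gives the sign of the x coordinate. Always returns 0. */`. The commit message refers to a usage warning in documentation that is not part of this path-limited diff; a one-line pointer to it here would keep that restriction visible to anyone who calls the ref10 function directly.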
diff --git a/src/ext/ed25519/ref10/keyconv.c b/src/ext/ed25519/ref10/keyconv.c
new file mode 100644
index 0000000000..854b150d69
--- /dev/null
+++ b/src/ext/ed25519/ref10/keyconv.c
@@ -0,0 +1,37 @@
+/* Added to ref10 for Tor. We place this in the public domain. Alternatively,
+ * you may have it under the Creative Commons 0 "CC0" license. */
+#include "fe.h"
+#include "ed25519_ref10.h"
+
+int ed25519_ref10_pubkey_from_curve25519_pubkey(unsigned char *out,
+ const unsigned char *inp,
+ int signbit)
+{
+ fe u;
+ fe one;
+ fe y;
+ fe uplus1;
+ fe uminus1;
+ fe inv_uplus1;
+
+ /* From prop228:
+
+ Given a curve25519 x-coordinate (u), we can get the y coordinate
+ of the ed25519 key using
+
+ y = (u-1)/(u+1)
+ */
+ fe_frombytes(u, inp);
+ fe_1(one);
+ fe_sub(uminus1, u, one);
+ fe_add(uplus1, u, one);
+ fe_invert(inv_uplus1, uplus1);
+ fe_mul(y, uminus1, inv_uplus1);
+
+ fe_tobytes(out, y);
+
+ /* propagate sign. */
+ out[31] |= (!!signbit) << 7;
+
+ return 0;
+}
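Review bot: The conversion returns 0 for every input, including u = -1 (mod p), where `uplus1` is zero and y = (u-1)/(u+1) is undefined. ref10's fe_invert is an exponentiation, so it presumably yields 0 for a zero input, in which case the function writes y = 0 and reports success. A denominator check before the inversion, for example `if (!fe_isnonzero(uplus1)) return -1;`, would give callers a failure they can act on; `inp` is a public key, so the branch does not depend on secret data. A comment should also state that the output is not checked to be a valid curve point, so callers that convert keys received from peers need to validate the result before relying on it.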