| Age | Commit message (Collapse) | Author |
|---|
|
Add some documentation
Rename "derive" -> "blind"
Check for failure on randombytes().
|
|
|
|
Our integer-definition headers apparently suck in a definition for
select(2), which interferes with the select() in ge_scalarmult_base.c
|
|
This implementation allows somebody to add a blinding factor to a
secret key, and a corresponding blinding factor to the public key.
Robert Ransom came up with this idea, I believe. Nick Hopper proved a
scheme like this secure. The bugs are my own.
|
|
For proposal 228, we need to cross-certify our identity with our
curve25519 key, so that we can prove at descriptor-generation time
that we own that key. But how can we sign something with a key that
is only for doing Diffie-Hellman? By converting it to the
corresponding ed25519 point.
See the ALL-CAPS warning in the documentation. According to djb
(IIUC), it is safe to use these keys in the ways that ntor and prop228
are using them, but it might not be safe if we start providing crazy
oracle access.
(Unit tests included. What kind of a monster do you take me for?)
|
|
This will be needed/helpful for the key blinding of prop224, I
believe.
|
|
This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.
The unit tests still pass.
|
|
Unit tests still pass.
|
|
|
|
|
|
|
|
Apparently, ref10 likes implicit conversions from int64 to int32 more
than our warnings do.
|
|
We might use libsodium or ed25519-donna later on, but for now, let's
see whether this is fast enough. We should use it in all cases when
performance doesn't matter.
|
