
[GNUnet-SVN] r37215 - gnunet/src/util


From: gnunet
Subject: [GNUnet-SVN] r37215 - gnunet/src/util
Date: Mon, 30 May 2016 18:08:03 +0200

Author: burdges
Date: 2016-05-30 18:08:03 +0200 (Mon, 30 May 2016)
New Revision: 37215

Added:
   gnunet/src/util/test_crypto_kdf.c
Modified:
   gnunet/src/util/Makefile.am
   gnunet/src/util/crypto_rsa.c
Log:
Testcases for KDF mod n

Currently just that the result is smaller than n, maybe should do more.



Modified: gnunet/src/util/Makefile.am
===================================================================
--- gnunet/src/util/Makefile.am 2016-05-30 15:54:56 UTC (rev 37214)
+++ gnunet/src/util/Makefile.am 2016-05-30 16:08:03 UTC (rev 37215)
@@ -283,6 +283,7 @@
  test_crypto_hash \
  test_crypto_hash_context \
  test_crypto_hkdf \
+ test_crypto_kdf \
  test_crypto_paillier \
  test_crypto_random \
  test_crypto_rsa \
@@ -468,6 +469,11 @@
 test_crypto_hkdf_LDADD = \
  libgnunetutil.la
 
+test_crypto_kdf_SOURCES = \
+ test_crypto_kdf.c
+test_crypto_kdf_LDADD = \
+ libgnunetutil.la -lgcrypt
+
 test_crypto_paillier_SOURCES = \
  test_crypto_paillier.c
 test_crypto_paillier_LDADD = \
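Review bot: the new `test_crypto_kdf_LDADD = \ libgnunetutil.la -lgcrypt` hard-codes `-lgcrypt` while the neighbouring `test_crypto_hkdf_LDADD` links only `libgnunetutil.la`; the direct dependency is real, since the test calls gcry_mpi_scan, gcry_mpi_cmp and gcry_mpi_release itself, but a bare `-lgcrypt` bypasses whatever library path and flags configure detected for libgcrypt, so use the configure-provided libgcrypt variable that the rest of this Makefile.am already uses for libgcrypt (typically `$(LIBGCRYPT_LIBS)`) in place of the literal `-lgcrypt`.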

Modified: gnunet/src/util/crypto_rsa.c
===================================================================
--- gnunet/src/util/crypto_rsa.c        2016-05-30 15:54:56 UTC (rev 37214)
+++ gnunet/src/util/crypto_rsa.c        2016-05-30 16:08:03 UTC (rev 37215)
@@ -422,6 +422,49 @@
 }
 
 
+/* 
+We originally added GNUNET_CRYPTO_kdf_mod_mpi for the benifit of the
+previous routine.
+
+There was previously a call to GNUNET_CRYPTO_kdf in 
+  bkey = rsa_blinding_key_derive (len, bks);
+that gives exactly len bits where 
+  len = GNUNET_CRYPTO_rsa_public_key_len (pkey);
+
+Now r = 2^(len-1)/pkey.n is the probability that a set high bit being
+okay, meaning bkey < pkey.n.  It follows that (1-r)/2 of the time bkey >
+pkey.n making the effective bkey be 
+  bkey mod pkey.n = bkey - pkey.n
+so the effective bkey has its high bit set with probability r/2.
+
+We expect r to be close to 1/2 if the exchange is honest, but the
+exchange can choose r otherwise.
+
+In blind signing, the exchange sees  
+  B = bkey * S mod pkey.n
+On deposit, the exchange sees S so they can compute bkey' = B/S mod
+pkey.n for all B they recorded to see if bkey' has it's high bit set.
+Also, note the exchange can compute 1/S efficiently since they know the
+factors of pkey.n.
+
+I suppose that happens with probability r/(1+r) if its the wrong B, not
+completely sure.  If otoh we've the right B, then we've the probability
+r/2 of a set high bit in the effective bkey.
+
+Interestingly, r^2-r has a maximum at the default r=1/2 anyways, giving
+the wrong and right probabilities 1/3 and 1/4, respectively.
+
+I feared this gives the exchange a meaningful fraction of a bit of
+information per coin involved in the transaction.  It sounds damaging if
+numerous coins were involved.  And it could run across transactions in
+some scenarios. 
+
+We fixed this by using a more uniform deterministic pseudo-random number
+generator for blinding factors.  I do not believe this to be a problem
+for the rsa_full_domain_hash routine, but better safe than sorry.
+*/
+
+
 /**
  * Compare the values of two signatures.
  *
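Review bot: the comment refers to "the previous routine" without naming it, so it silently becomes wrong the moment functions in crypto_rsa.c are reordered; name the function explicitly (rsa_blinding_key_derive, per the `bkey = rsa_blinding_key_derive (len, bks);` line the comment itself quotes), and since the text says "We fixed this" while this revision changes no code in crypto_rsa.c, cite the revision that introduced GNUNET_CRYPTO_kdf_mod_mpi so a reader can locate the actual fix. The probability argument is explicitly hedged ("I suppose ... not completely sure"); a hedged security bound in a permanent code comment should either be verified or carry a TODO marker so it is not later read as proven. Also fix the typos: "benifit" -> "benefit", "has it's high bit set" -> "has its high bit set", "if its the wrong B" -> "if it's the wrong B", and "the probability that a set high bit being okay" -> "the probability that a set high bit is okay".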

Added: gnunet/src/util/test_crypto_kdf.c
===================================================================
--- gnunet/src/util/test_crypto_kdf.c                           (rev 0)
+++ gnunet/src/util/test_crypto_kdf.c   2016-05-30 16:08:03 UTC (rev 37215)
@@ -0,0 +1,70 @@
+/*
+    Copyright (c) 2010 Jeffrey Burdges
+
+    Permission is hereby granted, free of charge, to any person obtaining a 
copy
+    of this software and associated documentation files (the "Software"), to 
deal
+    in the Software without restriction, including without limitation the 
rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in
+    all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+    THE SOFTWARE.
+*/
+
+/**
+ * @file src/util/test_crypt_kdf.c
+ * @brief Testcases for KDF mod n
+ * @author Jeffrey Burdges <address@hidden>
+ */
+
+#include <gcrypt.h>
+
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+
+
+int
+main ()
+{
+#define RND_BLK_SIZE 4096
+  unsigned char rnd_blk[RND_BLK_SIZE];
+  int i;
+  gcry_mpi_t r,n;
+
+  GNUNET_log_setup ("test-crypto-kdf", "WARNING", NULL);
+
+  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                              rnd_blk,
+                              RND_BLK_SIZE);
+
+  /* test full domain hash size */
+  for (i=0; i<100; i++) {
+    gcry_mpi_scan (&n,
+                   GCRYMPI_FMT_USG,
+                   rnd_blk, RND_BLK_SIZE,
+                   NULL);
+    GNUNET_CRYPTO_kdf_mod_mpi (&r, n,
+                               "", 0,
+                               "", 0,
+                               "");
+    GNUNET_assert( 0 > gcry_mpi_cmp(r,n) );
+
+    /* Is it worth checking that it's not too small? */
+    /* GNUNET_assert (gcry_mpi_get_nbits(r) > 3*RND_BLK_SIZE/4); */
+    /* This test necessarily randomly fails with probability 2^(3 - 
RND_BLK_SIZE/4) */
+
+    gcry_mpi_release(n);
+    gcry_mpi_release(r);
+  }
+
+  return 0;
+}
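Review bot: the loop `for (i=0; i<100; i++)` re-scans the same rnd_blk into n on every iteration and calls GNUNET_CRYPTO_kdf_mod_mpi with identical empty inputs (`"", 0, "", 0, ""`), so all 100 iterations derive the same r against the same n and the test exercises a single case 100 times; move the GNUNET_CRYPTO_random_block call inside the loop so each iteration gets a fresh modulus, and vary the keyed inputs per iteration (for example passing `&i, sizeof (i)` as one of the input buffers) so that distinct derivations are checked. gcry_mpi_scan's return value is not checked, so a scan failure would leave n unset and the assertion would operate on garbage; assert on its return. If the commented-out "not too small" check is revived, note that gcry_mpi_get_nbits returns a bit count while `3*RND_BLK_SIZE/4` is three-quarters of a byte count, so the bound and the failure probability quoted in the comment do not describe the same quantity. Minor: `@file src/util/test_crypt_kdf.c` should read test_crypto_kdf.c, `main ()` should be `main (void)` or take argc/argv as the other util tests do, and the copyright year 2010 does not match this 2016 addition.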



