http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/FF.js
----------------------------------------------------------------------
diff --git a/js/FF.js b/js/FF.js
deleted file mode 100755
index 5a1aba0..0000000
--- a/js/FF.js
+++ /dev/null
@@ -1,928 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* AMCL FF number class */ - -/* General purpose Constructor */ -var FF = function(n) { - this.v=new Array(n); - this.length=n; - for (var i=0;i<n;i++) - this.v[i]=new BIG(0); -}; - -FF.prototype={ -/* set to zero */ - - P_EXCESS: function() - { - return ((this.v[this.length-1].get(ROM.NLEN-1)&FF.P_OMASK)>>(FF.P_MB)); - }, - - zero: function() - { - for (var i=0;i<this.length;i++) this.v[i].zero(); - return this; - }, - - getlen: function() - { - return this.length; - }, - -/* set to integer */ - set: function(m) - { - this.zero(); - this.v[0].set(0,(m&ROM.MASK)); - this.v[0].set(1,(m>>ROM.BASEBITS)); - }, -/* copy from FF b */ - copy: function(b) - { - for (var i=0;i<this.length;i++) - { - this.v[i].copy(b.v[i]); - } - }, -/* copy from FF b */ - rcopy: function(b) - { - for (var i=0;i<this.length;i++) - { - this.v[i].rcopy(b[i]); - } - }, -/* x=y<<n */ - dsucopy: function(b) - { - for (var i=0;i<b.length;i++) - { - this.v[b.length+i].copy(b.v[i]); - this.v[i].zero(); - } - }, -/* x=y */ - dscopy: function(b) - { - for (var i=0;i<b.length;i++) - { - this.v[i].copy(b.v[i]); - this.v[b.length+i].zero(); - } - }, - -/* x=y>>n */ - sducopy: function(b) - { - for (var i=0;i<this.length;i++) 
- { - this.v[i].copy(b.v[this.length+i]); - } - }, - one: function() - { - this.v[0].one(); - for (var i=1;i<this.length;i++) - { - this.v[i].zero(); - } - }, -/* test equals 0 */ - iszilch: function() - { - for (var i=0;i<this.length;i++) - { - if (!this.v[i].iszilch()) return false; - } - return true; - }, -/* shift right by 256-bit words */ - shrw: function(n) - { - for (var i=0;i<n;i++) - { - this.v[i].copy(this.v[i+n]); - this.v[i+n].zero(); - } - }, - -/* shift left by 256-bit words */ - shlw: function(n) - { - for (var i=0;i<n;i++) - { - this.v[n+i].copy(this.v[i]); - this.v[i].zero(); - } - }, -/* extract last bit */ - parity: function() - { - return this.v[0].parity(); - }, - - lastbits: function(m) - { - return this.v[0].lastbits(m); - }, - - -/* recursive add */ - radd: function(vp,x,xp,y,yp,n) - { - for (var i=0;i<n;i++) - { - this.v[vp+i].copy(x.v[xp+i]); - this.v[vp+i].add(y.v[yp+i]); - } - }, - -/* recursive inc */ - rinc: function(vp,y,yp,n) - { - for (var i=0;i<n;i++) - { - this.v[vp+i].add(y.v[yp+i]); - } - }, - -/* recursive sub */ - rsub: function(vp,x,xp,y,yp,n) - { - for (var i=0;i<n;i++) - { - this.v[vp+i].copy(x.v[xp+i]); - this.v[vp+i].sub(y.v[yp+i]); - } - }, - -/* recursive dec */ - rdec: function(vp,y,yp,n) - { - for (var i=0;i<n;i++) - { - this.v[vp+i].sub(y.v[yp+i]); - } - }, - -/* simple add */ - add: function(b) - { - for (var i=0;i<this.length;i++) - this.v[i].add(b.v[i]); - }, - -/* simple sub */ - sub: function(b) - { - for (var i=0;i<this.length;i++) - this.v[i].sub(b.v[i]); - }, - -/* reverse sub */ - revsub: function(b) - { - for (var i=0;i<this.length;i++) - this.v[i].rsub(b.v[i]); - }, - -/* increment/decrement by a small integer */ - inc: function(m) - { - this.v[0].inc(m); - this.norm(); - }, - - dec: function(m) - { - this.v[0].dec(m); - this.norm(); - }, - - /* normalise - but hold any overflow in top part unless n<0 */ - rnorm: function(vp,n) - { - var trunc=false; - var i,carry; - if (n<0) - { /* -v n signals to do 
truncation */ - n=-n; - trunc=true; - } - for (i=0;i<n-1;i++) - { - carry=this.v[vp+i].norm(); - this.v[vp+i].xortop(carry<<FF.P_TBITS); - this.v[vp+i+1].inc(carry); - } - carry=this.v[vp+n-1].norm(); - if (trunc) - this.v[vp+n-1].xortop(carry<<FF.P_TBITS); - return this; - }, - norm: function() - { - this.rnorm(0,this.length); - }, - -/* shift left by one bit */ - shl: function() - { - var i,carry,delay_carry=0; - for (i=0;i<this.length-1;i++) - { - carry=this.v[i].fshl(1); - this.v[i].inc(delay_carry); - this.v[i].xortop(carry<<FF.P_TBITS); - delay_carry=carry; - } - this.v[this.length-1].fshl(1); - this.v[this.length-1].inc(delay_carry); - }, - -/* shift right by one bit */ - shr: function() - { - var i,carry; - for (i=this.length-1;i>0;i--) - { - carry=this.v[i].fshr(1); - this.v[i-1].ortop(carry<<FF.P_TBITS); - } - this.v[0].fshr(1); - }, - -/* Convert to Hex String */ - toString: function() - { - this.norm(); - var s=""; - - for (var i=this.length-1;i>=0;i--) - { - s+=this.v[i].toString(); - } - return s; - }, -/* Convert FFs to/from byte arrays */ - toBytes: function(b) - { - for (var i=0;i<this.length;i++) - { - this.v[i].tobytearray(b,(this.length-i-1)*ROM.MODBYTES); - } - }, - -/* z=x*y, t is workspace */ - karmul: function(vp,x,xp,y,yp,t,tp,n) - { - var nd2; - if (n==1) - { - var d=BIG.mul(x.v[xp],y.v[yp]); - this.v[vp+1]=d.split(8*ROM.MODBYTES); - this.v[vp].copy(d); - return; - } - nd2=n/2; - this.radd(vp,x,xp,x,xp+nd2,nd2); - this.radd(vp+nd2,y,yp,y,yp+nd2,nd2); - t.karmul(tp,this,vp,this,vp+nd2,t,tp+n,nd2); - this.karmul(vp,x,xp,y,yp,t,tp+n,nd2); - this.karmul(vp+n,x,xp+nd2,y,yp+nd2,t,tp+n,nd2); - t.rdec(tp,this,vp,n); - t.rdec(tp,this,vp+n,n); - this.rinc(vp+nd2,t,tp,n); - this.rnorm(vp,2*n); - }, - - karsqr: function(vp,x,xp,t,tp,n) - { - var nd2; - if (n==1) - { - var d=BIG.sqr(x.v[xp]); - this.v[vp+1].copy(d.split(8*ROM.MODBYTES)); - this.v[vp].copy(d); - return; - } - - nd2=n/2; - this.karsqr(vp,x,xp,t,tp+n,nd2); - 
this.karsqr(vp+n,x,xp+nd2,t,tp+n,nd2); - t.karmul(tp,x,xp,x,xp+nd2,t,tp+n,nd2); - this.rinc(vp+nd2,t,tp,n); - this.rinc(vp+nd2,t,tp,n); - this.rnorm(vp+nd2,n); - }, - - karmul_lower: function(vp,x,xp,y,yp,t,tp,n) - { /* Calculates Least Significant bottom half of x*y */ - var nd2; - if (n==1) - { /* only calculate bottom half of product */ - this.v[vp].copy(BIG.smul(x.v[xp],y.v[yp])); - return; - } - nd2=n/2; - - this.karmul(vp,x,xp,y,yp,t,tp+n,nd2); - t.karmul_lower(tp,x,xp+nd2,y,yp,t,tp+n,nd2); - this.rinc(vp+nd2,t,tp,nd2); - t.karmul_lower(tp,x,xp,y,yp+nd2,t,tp+n,nd2); - this.rinc(vp+nd2,t,tp,nd2); - this.rnorm(vp+nd2,-nd2); /* truncate it */ - }, - - karmul_upper: function(x,y,t,n) - { /* Calculates Most Significant upper half of x*y, given lower part */ - var nd2; - - nd2=n/2; - this.radd(n,x,0,x,nd2,nd2); - this.radd(n+nd2,y,0,y,nd2,nd2); - - t.karmul(0,this,n+nd2,this,n,t,n,nd2); /* t = (a0+a1)(b0+b1) */ - this.karmul(n,x,nd2,y,nd2,t,n,nd2); /* z[n]= a1*b1 */ - /* z[0-nd2]=l(a0b0) z[nd2-n]= h(a0b0)+l(t)-l(a0b0)-l(a1b1) */ - t.rdec(0,this,n,n); /* t=t-a1b1 */ - this.rinc(nd2,this,0,nd2); /* z[nd2-n]+=l(a0b0) = h(a0b0)+l(t)-l(a1b1) */ - this.rdec(nd2,t,0,nd2); /* z[nd2-n]=h(a0b0)+l(t)-l(a1b1)-l(t-a1b1)=h(a0b0) */ - this.rnorm(0,-n); /* a0b0 now in z - truncate it */ - t.rdec(0,this,0,n); /* (a0+a1)(b0+b1) - a0b0 */ - this.rinc(nd2,t,0,n); - - this.rnorm(nd2,n); - }, - -/* return low part of product this*y */ - lmul: function(y) - { - var n=this.length; - var t=new FF(2*n); - var x=new FF(n); x.copy(this); - this.karmul_lower(0,x,0,y,0,t,0,n); - }, - -/* Set b=b mod c */ - mod: function(c) - { - var k=0; - - this.norm(); - if (FF.comp(this,c)<0) - return; - do - { - c.shl(); - k++; - } while (FF.comp(this,c)>=0); - - while (k>0) - { - c.shr(); - if (FF.comp(this,c)>=0) - { - this.sub(c); - this.norm(); - } - k--; - } - }, - -/* return This mod modulus, N is modulus, ND is Montgomery Constant */ - reduce: function(N,ND) - { /* fast karatsuba Montgomery reduction 
*/ - var n=N.length; - var t=new FF(2*n); - var r=new FF(n); - var m=new FF(n); - - r.sducopy(this); - m.karmul_lower(0,this,0,ND,0,t,0,n); - this.karmul_upper(N,m,t,n); - m.sducopy(this); - - r.add(N); - r.sub(m); - r.norm(); - - return r; - - }, - -/* Set r=this mod b */ -/* this is of length - 2*n */ -/* r,b is of length - n */ - dmod: function(b) - { - var k,n=b.length; - var m=new FF(2*n); - var x=new FF(2*n); - var r=new FF(n); - - x.copy(this); - x.norm(); - m.dsucopy(b); k=256*n; - - while (k>0) - { - m.shr(); - - if (FF.comp(x,m)>=0) - { - x.sub(m); - x.norm(); - } - k--; - } - - r.copy(x); - r.mod(b); - return r; - }, - -/* Set return=1/this mod p. Binary method - a<p on entry */ - invmodp: function(p) - { - var n=p.length; - - var u=new FF(n); - var v=new FF(n); - var x1=new FF(n); - var x2=new FF(n); - var t=new FF(n); - var one=new FF(n); - - one.one(); - u.copy(this); - v.copy(p); - x1.copy(one); - x2.zero(); - - // reduce n in here as well! - while (FF.comp(u,one)!==0 && FF.comp(v,one)!==0) - { - while (u.parity()===0) - { - u.shr(); - if (x1.parity()!==0) - { - x1.add(p); - x1.norm(); - } - x1.shr(); - } - while (v.parity()===0) - { - v.shr(); - if (x2.parity()!==0) - { - x2.add(p); - x2.norm(); - } - x2.shr(); - } - if (FF.comp(u,v)>=0) - { - - u.sub(v); - u.norm(); - if (FF.comp(x1,x2)>=0) x1.sub(x2); - else - { - t.copy(p); - t.sub(x2); - x1.add(t); - } - x1.norm(); - } - else - { - v.sub(u); - v.norm(); - if (FF.comp(x2,x1)>=0) x2.sub(x1); - else - { - t.copy(p); - t.sub(x1); - x2.add(t); - } - x2.norm(); - } - } - if (FF.comp(u,one)===0) - this.copy(x1); - else - this.copy(x2); - }, - -/* nresidue mod m */ - nres: function(m) - { - var n=m.length; - var d=new FF(2*n); - d.dsucopy(this); - this.copy(d.dmod(m)); - }, - - redc: function(m,ND) - { - var n=m.length; - var d=new FF(2*n); - this.mod(m); - d.dscopy(this); - this.copy(d.reduce(m,ND)); - this.mod(m); - }, - - mod2m: function(m) - { - for (var i=m;i<this.length;i++) - this.v[i].zero(); - 
}, - - /* U=1/a mod 2^m - Arazi & Qi */ - invmod2m: function() - { - var i,n=this.length; - - var b=new FF(n); - var c=new FF(n); - var U=new FF(n); - - var t; - - U.zero(); - U.v[0].copy(this.v[0]); - U.v[0].invmod2m(); - - for (i=1;i<n;i<<=1) - { - b.copy(this); b.mod2m(i); - t=FF.mul(U,b); t.shrw(i); b.copy(t); - c.copy(this); c.shrw(i); c.mod2m(i); - c.lmul(U); c.mod2m(i); - - b.add(c); b.norm(); - b.lmul(U); b.mod2m(i); - - c.one(); c.shlw(i); b.revsub(c); b.norm(); - b.shlw(i); - U.add(b); - } - U.norm(); - return U; - }, - - random: function(rng) - { - var n=this.length; - for (var i=0;i<n;i++) - { - this.v[i].copy(BIG.random(rng)); - } - /* make sure top bit is 1 */ - while (this.v[n-1].nbits()<ROM.MODBYTES*8) this.v[n-1].copy(BIG.random(rng)); - - }, - - /* generate random x */ - randomnum: function(p,rng) - { - var n=this.length; - var d=new FF(2*n); - - for (var i=0;i<2*n;i++) - { - d.v[i].copy(BIG.random(rng)); - } - this.copy(d.dmod(p)); - }, - - /* this*=y mod p */ - modmul: function(y,p,nd) - { - var ex=this.P_EXCESS(); - var ey=y.P_EXCESS(); - if ((ex+1)*(ey+1)+1>=FF.P_FEXCESS) this.mod(p); - var d=FF.mul(this,y); - this.copy(d.reduce(p,nd)); - }, - - /* this*=y mod p */ - modsqr: function(p,nd) - { - var ex=this.P_EXCESS(); - if ((ex+1)*(ex+1)+1>=FF.P_FEXCESS) this.mod(p); - var d=FF.sqr(this); - this.copy(d.reduce(p,nd)); - }, - - /* this=this^e mod p using side-channel resistant Montgomery Ladder, for large e */ - skpow: function(e,p) - { - var i,b,n=p.length; - var R0=new FF(n); - var R1=new FF(n); - var ND=p.invmod2m(); - - this.mod(p); - R0.one(); - R1.copy(this); - R0.nres(p); - R1.nres(p); - - for (i=8*ROM.MODBYTES*n-1;i>=0;i--) - { - - b=e.v[Math.floor(i/256)].bit(i%256); - - this.copy(R0); - this.modmul(R1,p,ND); - - FF.cswap(R0,R1,b); - R0.modsqr(p,ND); - - R1.copy(this); - FF.cswap(R0,R1,b); - - } - - this.copy(R0); - this.redc(p,ND); - }, - - /* this =this^e mod p using side-channel resistant Montgomery Ladder, for short e */ - skspow: 
function(e,p) - { - var i,b,n=p.length; - var R0=new FF(n); - var R1=new FF(n); - var ND=p.invmod2m(); - - this.mod(p); - R0.one(); - R1.copy(this); - R0.nres(p); - R1.nres(p); - - for (i=8*ROM.MODBYTES-1;i>=0;i--) - { - b=e.bit(i); - this.copy(R0); - this.modmul(R1,p,ND); - - FF.cswap(R0,R1,b); - R0.modsqr(p,ND); - - R1.copy(this); - FF.cswap(R0,R1,b); - } - this.copy(R0); - this.redc(p,ND); - }, - - /* raise to an integer power - right-to-left method */ - power: function(e,p) - { - var n=p.length; - var f=true; - var w=new FF(n); - var ND=p.invmod2m(); - - w.copy(this); - w.nres(p); - - if (e==2) - { - this.copy(w); - this.modsqr(p,ND); - } - else for (; ; ) - { - if (e%2==1) - { - if (f) this.copy(w); - else this.modmul(w,p,ND); - f=false; - } - e>>=1; - if (e===0) break; - w.modsqr(p,ND); - } - this.redc(p,ND); - }, - - /* this=this^e mod p, faster but not side channel resistant */ - pow: function(e,p) - { - var i,b,n=p.length; - var w=new FF(n); - var ND=p.invmod2m(); - - w.copy(this); - this.one(); - this.nres(p); - w.nres(p); - for (i=8*ROM.MODBYTES*n-1;i>=0;i--) - { - this.modsqr(p,ND); - b=e.v[Math.floor(i/256)].bit(i%256); - if (b==1) this.modmul(w,p,ND); - } - this.redc(p,ND); - }, - - /* double exponentiation r=x^e.y^f mod p */ - pow2: function(e,y,f,p) - { - var i,eb,fb,n=p.length; - var xn=new FF(n); - var yn=new FF(n); - var xy=new FF(n); - var ND=p.invmod2m(); - - xn.copy(this); - yn.copy(y); - xn.nres(p); - yn.nres(p); - xy.copy(xn); xy.modmul(yn,p,ND); - this.one(); - this.nres(p); - - for (i=8*ROM.MODBYTES-1;i>=0;i--) - { - eb=e.bit(i); - fb=f.bit(i); - this.modsqr(p,ND); - if (eb==1) - { - if (fb==1) this.modmul(xy,p,ND); - else this.modmul(xn,p,ND); - } - else - { - if (fb==1) this.modmul(yn,p,ND); - } - } - this.redc(p,ND); - }, - - /* quick and dirty check for common factor with n */ - cfactor: function(s) - { - var r,n=this.length; - var g; - - var x=new FF(n); - var y=new FF(n); - y.set(s); - - x.copy(this); - x.norm(); - - do - { - 
x.sub(y); - x.norm(); - while (!x.iszilch() && x.parity()===0) x.shr(); - } - while (FF.comp(x,y)>0); - - g=x.v[0].get(0); - r=FF.igcd(s,g); - if (r>1) return true; - return false; - } - - -}; - -FF.P_MBITS=ROM.MODBYTES*8; -FF.P_MB=(FF.P_MBITS%ROM.BASEBITS); -FF.P_OMASK=((-1)<<(FF.P_MBITS%ROM.BASEBITS)); -FF.P_FEXCESS=(1<<(ROM.BASEBITS*ROM.NLEN-FF.P_MBITS)); -FF.P_TBITS=(FF.P_MBITS%ROM.BASEBITS); - - -/* compare x and y - must be normalised, and of same length */ -FF.comp=function(a,b) -{ - var i,j; - for (i=a.length-1;i>=0;i--) - { - j=BIG.comp(a.v[i],b.v[i]); - if (j!==0) return j; - } - return 0; -}; - -FF.fromBytes=function(x,b) -{ - for (var i=0;i<x.length;i++) - { - x.v[i]=BIG.frombytearray(b,(x.length-i-1)*ROM.MODBYTES); - } -}; - -/* in-place swapping using xor - side channel resistant - lengths must be the same */ -FF.cswap=function(a,b,d) -{ - for (var i=0;i<a.length;i++) - { - // BIG.cswap(a.v[i],b.v[i],d); - a.v[i].cswap(b.v[i],d); - } -}; - - /* z=x*y. Assumes x and y are of same length. */ -FF.mul=function(x,y) -{ - var n=x.length; - var z=new FF(2*n); - var t=new FF(2*n); - z.karmul(0,x,0,y,0,t,0,n); - return z; -}; - - /* z=x^2 */ -FF.sqr=function(x) -{ - var n=x.length; - var z=new FF(2*n); - var t=new FF(2*n); - z.karsqr(0,x,0,t,0,n); - return z; -}; - -FF.igcd=function(x,y) -{ /* integer GCD, returns GCD of x and y */ - var r; - if (y===0) return x; - while ((r=x%y)!==0) - {x=y;y=r;} - return y; -}; - -/* Miller-Rabin test for primality. Slow. */ -FF.prime=function(p,rng) -{ - var i,j,s=0,n=p.length; - var loop; - var d=new FF(n); - var x=new FF(n); - var unity=new FF(n); - var nm1=new FF(n); - - var sf=4849845; /* 3*5*.. 
*19 */ - p.norm(); - - if (p.cfactor(sf)) return false; - unity.one(); - nm1.copy(p); - nm1.sub(unity); - nm1.norm(); - d.copy(nm1); - - while (d.parity()===0) - { - d.shr(); - s++; - } - if (s===0) return false; - - for (i=0;i<10;i++) - { - x.randomnum(p,rng); - x.pow(d,p); - if (FF.comp(x,unity)===0 || FF.comp(x,nm1)===0) continue; - loop=false; - for (j=1;j<s;j++) - { - x.power(2,p); - if (FF.comp(x,unity)===0) return false; - if (FF.comp(x,nm1)===0) {loop=true; break;} - } - if (loop) continue; - return false; - } - return true; -};
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/FP.js
----------------------------------------------------------------------
diff --git a/js/FP.js b/js/FP.js
deleted file mode 100755
index 37aa5de..0000000
--- a/js/FP.js
+++ /dev/null
@@ -1,329 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* Finite Field arithmetic */ -/* AMCL mod p functions */ - -/* General purpose COnstructor */ -var FP = function(x) { - if (x instanceof FP) - { - this.f=new BIG(x.f); - } - else - { - this.f=new BIG(x); - this.nres(); - } -}; - -FP.prototype={ -/* set this=0 */ - zero: function() - { - return this.f.zero(); - }, - -/* copy from a BIG in ROM */ - rcopy: function(y) - { - this.f.rcopy(y); - this.nres(); - }, - -/* copy from another BIG */ - bcopy: function(y) - { - this.f.copy(y); - this.nres(); - }, - -/* copy from another FP */ - copy: function(y) - { - return this.f.copy(y.f); - }, - -/* conditional swap of a and b depending on d */ - cswap: function(b,d) - { - this.f.cswap(b.f,d); - }, - -/* conditional copy of b to a depending on d */ - cmove: function(b,d) - { - this.f.cmove(b.f,d); - }, - -/* convert to Montgomery n-residue form */ - nres: function() - { - if (ROM.MODTYPE!=ROM.PSEUDO_MERSENNE) - { - var p=new BIG(); - p.rcopy(ROM.Modulus); - var d=new DBIG(0); - d.hcopy(this.f); - d.norm(); - d.shl(ROM.NLEN*ROM.BASEBITS); - this.f.copy(d.mod(p)); - - } - return this; - }, - -/* convert back to regular form */ - redc: function() - { - var r=new BIG(0); - r.copy(this.f); - if 
(ROM.MODTYPE!=ROM.PSEUDO_MERSENNE) - { - var d=new DBIG(0); - d.hcopy(this.f); - r.copy(BIG.mod(d)); - } - - return r; - }, - -/* convert this to string */ - toString: function() - { - var s=this.redc().toString(); - return s; - }, - -/* test this=0 */ - iszilch: function() - { - this.reduce(); - return this.f.iszilch(); - }, - -/* reduce this mod Modulus */ - reduce: function() - { - var p=new BIG(0); - p.rcopy(ROM.Modulus); - return this.f.mod(p); - }, - -/* set this=1 */ - one: function() - { - this.f.one(); - return this.nres(); - }, - -/* normalise this */ - norm: function() - { - return this.f.norm(); - }, - -/* this*=b mod Modulus */ - mul: function(b) - { - var ea=BIG.EXCESS(this.f); - var eb=BIG.EXCESS(b.f); - if ((ea+1)*(eb+1)+1>=ROM.FEXCESS) this.reduce(); - var d=BIG.mul(this.f,b.f); - this.f.copy(BIG.mod(d)); - return this; - }, - -/* this*=c mod Modulus where c is an int */ - imul: function(c) - { - var s=false; - this.norm(); - if (c<0) - { - c=-c; - s=true; - } - - var afx=(BIG.EXCESS(this.f)+1)*(c+1)+1; - if (c<ROM.NEXCESS && afx<ROM.FEXCESS) - { - this.f.imul(c); - } - else - { - if (afx<ROM.FEXCESS) this.f.pmul(c); - else - { - var p=new BIG(0); - p.rcopy(ROM.Modulus); - var d=this.f.pxmul(c); - this.f.copy(d.mod(p)); - } - } - if (s) this.neg(); - return this.norm(); - }, - -/* this*=this mod Modulus */ - sqr: function() - { - var d; - var ea=BIG.EXCESS(this.f); - if ((ea+1)*(ea+1)+1>=ROM.FEXCESS) this.reduce(); - d=BIG.sqr(this.f); - var t=BIG.mod(d); - this.f.copy(t); - return this; - }, - -/* this+=b */ - add: function(b) - { - this.f.add(b.f); - if (BIG.EXCESS(this.f)+2>=ROM.FEXCESS) this.reduce(); - return this; - }, -/* this=-this mod Modulus */ - neg: function() - { - var sb,ov; - var m=new BIG(0); - m.rcopy(ROM.Modulus); - - this.norm(); - ov=BIG.EXCESS(this.f); - sb=1; while(ov!==0) {sb++;ov>>=1;} - - m.fshl(sb); - this.f.rsub(m); - if (BIG.EXCESS(this.f)>=ROM.FEXCESS) this.reduce(); - return this; - }, - -/* this-=b */ - sub: 
function(b)
- {
- var n=new FP(0);
- n.copy(b);
- n.neg();
- this.add(n);
- return this;
- },
-
-/* this/=2 mod Modulus */
- div2: function()
- {
- this.norm();
- if (this.f.parity()===0)
- this.f.fshr(1);
- else
- {
- var p=new BIG(0);
- p.rcopy(ROM.Modulus);
-
- this.f.add(p);
- this.f.norm();
- this.f.fshr(1);
- }
- return this;
- },
-
-/* this=1/this mod Modulus */
- inverse: function()
- {
- var p=new BIG(0);
- p.rcopy(ROM.Modulus);
- var r=this.redc();
- r.invmodp(p);
- this.f.copy(r);
- return this.nres();
- },
-
-/* return TRUE if this==a */
- equals: function(a)
- {
- a.reduce();
- this.reduce();
- if (BIG.comp(a.f,this.f)===0) return true;
- return false;
- },
-
-/* return this^e mod Modulus */
- pow: function(e)
- {
- var bt;
- var r=new FP(1);
- e.norm();
- this.norm();
- var m=new FP(0);
- m.copy(this);
- while (true)
- {
- bt=e.parity();
- e.fshr(1);
- if (bt==1) r.mul(m);
- if (e.iszilch()) break;
- m.sqr();
- }
-
- r.reduce();
- return r;
- },
-
-/* return jacobi symbol (this/Modulus) */
- jacobi: function()
- {
- var p=new BIG(0);
- p.rcopy(ROM.Modulus);
- var w=this.redc();
- return w.jacobi(p);
- },
-
-/* return sqrt(this) mod Modulus */
- sqrt: function()
- {
- this.reduce();
- var b=new BIG(0);
- b.rcopy(ROM.Modulus);
- if (ROM.MOD8==5)
- {
- b.dec(5); b.norm(); b.shr(3);
- var i=new FP(0);
- i.copy(this);
- i.f.shl(1);
- var v=i.pow(b);
- i.mul(v); i.mul(v);
- i.f.dec(1);
- var r=new FP(0);
- r.copy(this);
- r.mul(v); r.mul(i);
- r.reduce();
- return r;
- }
- else
- {
- b.inc(1); b.norm(); b.shr(2);
- return this.pow(b);
- }
- }
-
-};
-
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/FP12.js
----------------------------------------------------------------------
diff --git a/js/FP12.js b/js/FP12.js
deleted file mode 100755
index 938e727..0000000
--- a/js/FP12.js
+++ /dev/null
@@ -1,558 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* AMCL Fp^12 functions */ - -/* FP12 elements are of the form a+i.b+i^2.c */ - -/* general purpose constructor */ -var FP12= function(d,e,f) -{ - if (d instanceof FP12) - { - this.a=new FP4(d.a); - this.b=new FP4(d.b); - this.c=new FP4(d.c); - } - else - { - this.a=new FP4(d); - this.b=new FP4(e); - this.c=new FP4(f); - } -}; - -FP12.prototype={ -/* reduce all components of this mod Modulus */ - reduce: function() - { - this.a.reduce(); - this.b.reduce(); - this.c.reduce(); - }, -/* normalize all components of this mod Modulus */ - norm: function() - { - this.a.norm(); - this.b.norm(); - this.c.norm(); - }, -/* test x==0 ? */ - iszilch: function() - { - this.reduce(); - return (this.a.iszilch() && this.b.iszilch() && this.c.iszilch()); - }, -/* test x==1 ? 
*/ - isunity: function() - { - var one=new FP4(1); - return (this.a.equals(one) && this.b.iszilch() && this.b.iszilch()); - }, -/* extract a from this */ - geta: function() - { - return this.a; - }, -/* extract b */ - getb: function() - { - return this.b; - }, -/* extract c */ - getc: function() - { - return this.c; - }, -/* return 1 if x==y, else 0 */ - equals: function(x) - { - return (this.a.equals(x.a) && this.b.equals(x.b)&& this.c.equals(x.c)); - }, -/* copy this=x */ - copy: function(x) - { - this.a.copy(x.a); - this.b.copy(x.b); - this.c.copy(x.c); - }, -/* set this=1 */ - one: function() - { - this.a.one(); - this.b.zero(); - this.c.zero(); - }, -/* this=conj(this) */ - conj: function() - { - this.a.conj(); - this.b.nconj(); - this.c.conj(); - }, - -/* set this from 3 FP4s */ - set: function(d,e,f) - { - this.a.copy(d); - this.b.copy(e); - this.c.copy(f); - }, -/* set this from one FP4 */ - seta: function(d) - { - this.a.copy(d); - this.b.zero(); - this.c.zero(); - }, - -/* Granger-Scott Unitary Squaring */ - usqr: function() - { - var A=new FP4(this.a); //A.copy(this.a); - var B=new FP4(this.c); //B.copy(this.c); - var C=new FP4(this.b); //C.copy(this.b); - var D=new FP4(0); - - this.a.sqr(); - D.copy(this.a); D.add(this.a); - this.a.add(D); - - A.nconj(); - - A.add(A); - this.a.add(A); - B.sqr(); - B.times_i(); - - D.copy(B); D.add(B); - B.add(D); - - C.sqr(); - D.copy(C); D.add(C); - C.add(D); - - this.b.conj(); - this.b.add(this.b); - this.c.nconj(); - - this.c.add(this.c); - this.b.add(B); - this.c.add(C); - this.reduce(); - }, - -/* Chung-Hasan SQR2 method from http://cacr.uwaterloo.ca/techreports/2006/cacr2006-24.pdf */ - sqr: function() - { - var A=new FP4(this.a); //A.copy(this.a); - var B=new FP4(this.b); //B.copy(this.b); - var C=new FP4(this.c); //C.copy(this.c); - var D=new FP4(this.a); //D.copy(this.a); - - A.sqr(); - B.mul(this.c); - B.add(B); - C.sqr(); - D.mul(this.b); - D.add(D); - - this.c.add(this.a); - this.c.add(this.b); - 
this.c.sqr(); - - this.a.copy(A); - - A.add(B); - A.add(C); - A.add(D); - A.neg(); - B.times_i(); - C.times_i(); - - this.a.add(B); - this.b.copy(C); this.b.add(D); - this.c.add(A); - - this.norm(); - }, - -/* FP12 full multiplication this=this*y */ - mul: function(y) - { - var z0=new FP4(this.a); //z0.copy(this.a); - var z1=new FP4(0); - var z2=new FP4(this.b); //z2.copy(this.b); - var z3=new FP4(0); - var t0=new FP4(this.a); //t0.copy(this.a); - var t1=new FP4(y.a); //t1.copy(y.a); - - z0.mul(y.a); - z2.mul(y.b); - - t0.add(this.b); - t1.add(y.b); - - z1.copy(t0); z1.mul(t1); - t0.copy(this.b); t0.add(this.c); - - t1.copy(y.b); t1.add(y.c); - z3.copy(t0); z3.mul(t1); - - t0.copy(z0); t0.neg(); - t1.copy(z2); t1.neg(); - - z1.add(t0); - this.b.copy(z1); this.b.add(t1); - - z3.add(t1); - z2.add(t0); - - t0.copy(this.a); t0.add(this.c); - t1.copy(y.a); t1.add(y.c); - t0.mul(t1); - z2.add(t0); - - t0.copy(this.c); t0.mul(y.c); - t1.copy(t0); t1.neg(); - - this.c.copy(z2); this.c.add(t1); - z3.add(t1); - t0.times_i(); - this.b.add(t0); - - z3.times_i(); - this.a.copy(z0); this.a.add(z3); - - this.norm(); - }, - -/* Special case this*=y that arises from special form of ATE pairing line function */ - smul: function(y) - { - var z0=new FP4(this.a); //z0.copy(this.a); - var z2=new FP4(this.b); //z2.copy(this.b); - var z3=new FP4(this.b); //z3.copy(this.b); - var t0=new FP4(0); - var t1=new FP4(y.a); //t1.copy(y.a); - - z0.mul(y.a); - z2.pmul(y.b.real()); - this.b.add(this.a); - t1.real().add(y.b.real()); - - this.b.mul(t1); - z3.add(this.c); - z3.pmul(y.b.real()); - - t0.copy(z0); t0.neg(); - t1.copy(z2); t1.neg(); - - this.b.add(t0); - - this.b.add(t1); - z3.add(t1); - z2.add(t0); - - t0.copy(this.a); t0.add(this.c); - t0.mul(y.a); - this.c.copy(z2); this.c.add(t0); - - z3.times_i(); - this.a.copy(z0); this.a.add(z3); - - this.norm(); - }, - -/* this=1/this */ - inverse: function() - { - var f0=new FP4(this.a); //f0.copy(this.a); - var f1=new FP4(this.b); 
//f1.copy(this.b); - var f2=new FP4(this.a); //f2.copy(this.a); - var f3=new FP4(0); - - f0.sqr(); - f1.mul(this.c); - f1.times_i(); - f0.sub(f1); - - f1.copy(this.c); f1.sqr(); - f1.times_i(); - f2.mul(this.b); - f1.sub(f2); - - f2.copy(this.b); f2.sqr(); - f3.copy(this.a); f3.mul(this.c); - f2.sub(f3); - - f3.copy(this.b); f3.mul(f2); - f3.times_i(); - this.a.mul(f0); - f3.add(this.a); - this.c.mul(f1); - this.c.times_i(); - - f3.add(this.c); - f3.inverse(); - this.a.copy(f0); this.a.mul(f3); - this.b.copy(f1); this.b.mul(f3); - this.c.copy(f2); this.c.mul(f3); - }, - -/* this=this^p, where p=Modulus, using Frobenius */ - frob: function(f) - { - var f2=new FP2(f); - var f3=new FP2(f); - - f2.sqr(); - f3.mul(f2); - - this.a.frob(f3); - this.b.frob(f3); - this.c.frob(f3); - - this.b.pmul(f); - this.c.pmul(f2); - }, - -/* trace function */ - trace: function() - { - var t=new FP4(0); - t.copy(this.a); - t.imul(3); - t.reduce(); - return t; - }, -/* convert this to hex string */ - toString: function() - { - return ("["+this.a.toString()+","+this.b.toString()+","+this.c.toString()+"]"); - }, -/* convert this to byte array */ - toBytes: function(w) - { - var i; - var t=[]; - this.a.geta().getA().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i]=t[i]; - this.a.geta().getB().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+ROM.MODBYTES]=t[i]; - this.a.getb().getA().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+2*ROM.MODBYTES]=t[i]; - this.a.getb().getB().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+3*ROM.MODBYTES]=t[i]; - - this.b.geta().getA().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+4*ROM.MODBYTES]=t[i]; - this.b.geta().getB().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+5*ROM.MODBYTES]=t[i]; - this.b.getb().getA().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+6*ROM.MODBYTES]=t[i]; - this.b.getb().getB().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+7*ROM.MODBYTES]=t[i]; - - this.c.geta().getA().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) 
w[i+8*ROM.MODBYTES]=t[i]; - this.c.geta().getB().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+9*ROM.MODBYTES]=t[i]; - this.c.getb().getA().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+10*ROM.MODBYTES]=t[i]; - this.c.getb().getB().toBytes(t); - for (i=0;i<ROM.MODBYTES;i++) w[i+11*ROM.MODBYTES]=t[i]; - }, - -/* set this=this^e */ - pow: function(e) - { - this.norm(); - e.norm(); - var w=new FP12(this); //w.copy(this); - var z=new BIG(e); //z.copy(e); - var r=new FP12(1); - - while (true) - { - var bt=z.parity(); - z.fshr(1); - if (bt==1) r.mul(w); - if (z.iszilch()) break; - w.usqr(); - } - r.reduce(); - return r; - }, - -/* constant time powering by small integer of max length bts */ - pinpow: function(e,bts) - { - var i,b; - var R=[]; - R[0]=new FP12(1); - R[1]=new FP12(this); - for (i=bts-1;i>=0;i--) - { - b=(e>>i)&1; - R[1-b].mul(R[b]); - R[b].usqr(); - } - this.copy(R[0]); - } -}; - -/* convert from byte array to FP12 */ -FP12.fromBytes= function(w) -{ - var i,a,b,c,d,e,f,g; - var t=[]; - - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i]; - a=BIG.fromBytes(t); - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+ROM.MODBYTES]; - b=BIG.fromBytes(t); - c=new FP2(a,b); //c.bset(a,b); - - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+2*ROM.MODBYTES]; - a=BIG.fromBytes(t); - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+3*ROM.MODBYTES]; - b=BIG.fromBytes(t); - d=new FP2(a,b); //d.bset(a,b); - - e=new FP4(c,d); //e.set(c,d); - - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+4*ROM.MODBYTES]; - a=BIG.fromBytes(t); - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+5*ROM.MODBYTES]; - b=BIG.fromBytes(t); - c=new FP2(a,b); //c.bset(a,b); - - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+6*ROM.MODBYTES]; - a=BIG.fromBytes(t); - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+7*ROM.MODBYTES]; - b=BIG.fromBytes(t); - d=new FP2(a,b); - - f=new FP4(c,d); //f.set(c,d); - - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+8*ROM.MODBYTES]; - a=BIG.fromBytes(t); - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+9*ROM.MODBYTES]; - b=BIG.fromBytes(t); - c=new FP2(a,b); 
//c.bset(a,b); - - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+10*ROM.MODBYTES]; - a=BIG.fromBytes(t); - for (i=0;i<ROM.MODBYTES;i++) t[i]=w[i+11*ROM.MODBYTES]; - b=BIG.fromBytes(t); - d=new FP2(a,b); //d.bset(a,b); - - g=new FP4(c,d); //g.set(c,d); - - var r=new FP12(e,f,g); //r.set(e,f,g); - - return r; -}; - -/* p=q0^u0.q1^u1.q2^u2.q3^u3 */ -/* Timing attack secure, but not cache attack secure */ - -FP12.pow4= function(q,u) -{ - var i,j,nb,m; - var a=[]; - var g=[]; - var s=[]; - - var c=new FP12(1); - var p=new FP12(0); - var t=[]; - - var mt=new BIG(0); - var w=[]; - - for (i=0;i<4;i++) - t[i]=new BIG(u[i]); - - s[0]=new FP12(0); - s[1]=new FP12(0); - - g[0]=new FP12(q[0]); s[0].copy(q[1]); s[0].conj(); g[0].mul(s[0]); - g[1]=new FP12(g[0]); - g[2]=new FP12(g[0]); - g[3]=new FP12(g[0]); - g[4]=new FP12(q[0]); g[4].mul(q[1]); - g[5]=new FP12(g[4]); - g[6]=new FP12(g[4]); - g[7]=new FP12(g[4]); - - s[1].copy(q[2]); s[0].copy(q[3]); s[0].conj(); s[1].mul(s[0]); - s[0].copy(s[1]); s[0].conj(); g[1].mul(s[0]); - g[2].mul(s[1]); - g[5].mul(s[0]); - g[6].mul(s[1]); - s[1].copy(q[2]); s[1].mul(q[3]); - s[0].copy(s[1]); s[0].conj(); g[0].mul(s[0]); - g[3].mul(s[1]); - g[4].mul(s[0]); - g[7].mul(s[1]); - -/* if power is even add 1 to power, and add q to correction */ - - for (i=0;i<4;i++) - { - if (t[i].parity()==0) - { - t[i].inc(1); t[i].norm(); - c.mul(q[i]); - } - mt.add(t[i]); mt.norm(); - } - c.conj(); - nb=1+mt.nbits(); - -/* convert exponent to signed 1-bit window */ - for (j=0;j<nb;j++) - { - for (i=0;i<4;i++) - { - a[i]=(t[i].lastbits(2)-2); - t[i].dec(a[i]); t[i].norm(); - t[i].fshr(1); - } - w[j]=(8*a[0]+4*a[1]+2*a[2]+a[3]); - } - w[nb]=(8*t[0].lastbits(2)+4*t[1].lastbits(2)+2*t[2].lastbits(2)+t[3].lastbits(2)); - p.copy(g[Math.floor((w[nb]-1)/2)]); - - for (i=nb-1;i>=0;i--) - { - m=w[i]>>31; - j=(w[i]^m)-m; /* j=abs(w[i]) */ - j=(j-1)/2; - s[0].copy(g[j]); s[1].copy(g[j]); s[1].conj(); - p.usqr(); - p.mul(s[m&1]); - } - p.mul(c); /* apply correction */ - 
 p.reduce();
- return p;
-};
-
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/FP2.js
----------------------------------------------------------------------
diff --git a/js/FP2.js b/js/FP2.js
deleted file mode 100755
index b9b9942..0000000
--- a/js/FP2.js
+++ /dev/null
@@ -1,321 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* Finite Field arithmetic Fp^2 functions */ - -/* FP2 elements are of the form a+ib, where i is sqrt(-1) */ - -/* general purpose constructor */ -var FP2 =function(c,d) -{ - if (c instanceof FP2) - { - this.a=new FP(c.a); - this.b=new FP(c.b); - } - else - { - this.a=new FP(c); - this.b=new FP(d); - } -}; - -FP2.prototype={ -/* reduce components mod Modulus */ - reduce: function() - { - this.a.reduce(); - this.b.reduce(); - }, -/* normalise components of w */ - norm: function() - { - this.a.norm(); - this.b.norm(); - }, -/* test this=0 ? */ - iszilch: function() - { - this.reduce(); - return (this.a.iszilch() && this.b.iszilch()); - }, -/* test this=1 ? 
*/ - isunity: function() - { - var one=new FP(1); - return (this.a.equals(one) && this.b.iszilch()); - }, -/* conditional copy of g to this depending on d */ - cmove:function(g,d) - { - this.a.cmove(g.a,d); - this.b.cmove(g.b,d); - }, - -/* test this=x */ - equals: function(x) { - return (this.a.equals(x.a) && this.b.equals(x.b)); - }, -/* extract a */ - getA: function() - { - return this.a.redc(); - }, -/* extract b */ - getB: function() - { - return this.b.redc(); - }, - -/* set from pair of FPs */ - set: function(c,d) - { - this.a.copy(c); - this.b.copy(d); - }, -/* set a */ - seta: function(c) - { - this.a.copy(c); - this.b.zero(); - }, - -/* set from two BIGs */ - bset: function(c,d) - { - this.a.bcopy(c); - this.b.bcopy(d); - }, - -/* set from one BIG */ - bseta: function(c) - { - this.a.bcopy(c); - this.b.zero(); - }, -/* copy this=x */ - copy: function(x) - { - this.a.copy(x.a); - this.b.copy(x.b); - }, -/* set this=0 */ - zero: function() - { - this.a.zero(); - this.b.zero(); - }, -/* set this=1 */ - one: function() - { - this.a.one(); - this.b.zero(); - }, -/* negate this */ - neg: function() - { - this.norm(); - var m=new FP(this.a); - var t=new FP(0); - - m.add(this.b); - m.neg(); - m.norm(); - t.copy(m); t.add(this.b); - this.b.copy(m); - this.b.add(this.a); - this.a.copy(t); - //this.norm(); - }, -/* conjugate this */ - conj: function() - { - this.b.neg(); - }, -/* this+=a */ - add: function(x) - { - this.a.add(x.a); - this.b.add(x.b); - }, -/* this-=x */ - sub: function(x) - { - var m=new FP2(x); //var m=new FP2(0); m.copy(x); - m.neg(); - this.add(m); - }, -/* this*=s, where s is FP */ - pmul: function(s) - { - this.a.mul(s); - this.b.mul(s); - }, -/* this*=c, where s is int */ - imul: function(c) - { - this.a.imul(c); - this.b.imul(c); - }, -/* this*=this */ - sqr: function() - { - this.norm(); - - var w1=new FP(this.a); - var w3=new FP(this.a); - var mb=new FP(this.b); - - w3.mul(this.b); - w1.add(this.b); - mb.neg(); - this.a.add(mb); - 
this.a.mul(w1); - this.b.copy(w3); this.b.add(w3); - this.norm(); - }, -/* this*=y */ - mul: function(y) - { - this.norm(); // This is needed here as {a,b} is not normed before additions - - var w1=new FP(this.a); - var w2=new FP(this.b); - var w5=new FP(this.a); - var mw=new FP(0); - - w1.mul(y.a); // w1=a*y.a - this norms w1 and y.a, NOT a - w2.mul(y.b); // w2=b*y.b - this norms w2 and y.b, NOT b - w5.add(this.b); // w5=a+b - this.b.copy(y.a); this.b.add(y.b); // b=y.a+y.b - - this.b.mul(w5); - mw.copy(w1); mw.add(w2); mw.neg(); - - this.b.add(mw); mw.add(w1); - this.a.copy(w1); this.a.add(mw); - - this.norm(); - }, - -/* sqrt(a+ib) = sqrt(a+sqrt(a*a-n*b*b)/2)+ib/(2*sqrt(a+sqrt(a*a-n*b*b)/2)) */ -/* returns true if this is QR */ - sqrt: function() - { - if (this.iszilch()) return true; - var w1=new FP(this.b); - var w2=new FP(this.a); - - w1.sqr(); w2.sqr(); w1.add(w2); - if (w1.jacobi()!=1) { this.zero(); return false; } - w1=w1.sqrt(); - w2.copy(this.a); w2.add(w1); w2.div2(); - if (w2.jacobi()!=1) - { - w2.copy(this.a); w2.sub(w1); w2.div2(); - if (w2.jacobi()!=1) { this.zero(); return false; } - } - w2=w2.sqrt(); - this.a.copy(w2); - w2.add(w2); - w2.inverse(); - this.b.mul(w2); - return true; - }, - -/* convert this to hex string */ - toString: function() - { - return ("["+this.a.toString()+","+this.b.toString()+"]"); - }, -/* this=1/this */ - inverse: function() - { - this.norm(); - var w1=new FP(this.a); - var w2=new FP(this.b); - w1.sqr(); - w2.sqr(); - w1.add(w2); - w1.inverse(); - this.a.mul(w1); - w1.neg(); - this.b.mul(w1); - }, -/* this/=2 */ - div2: function() - { - this.a.div2(); - this.b.div2(); - }, -/* this*=sqrt(-1) */ - times_i: function() - { - var z=new FP(this.a); //z.copy(this.a); - this.a.copy(this.b); this.a.neg(); - this.b.copy(z); - }, - -/* w*=(1+sqrt(-1)) */ -/* where X*2-(1+sqrt(-1)) is irreducible for FP4, assumes p=3 mod 8 */ - mul_ip: function() - { - this.norm(); - var t=new FP2(this);// t.copy(this); - var z=new FP(this.a); 
//z.copy(this.a); - this.a.copy(this.b); - this.a.neg(); - this.b.copy(z); - this.add(t); - this.norm(); - }, - -/* w/=(1+sqrt(-1)) */ - div_ip: function() - { - var t=new FP2(0); - this.norm(); - t.a.copy(this.a); t.a.add(this.b); - t.b.copy(this.b); t.b.sub(this.a); - this.copy(t); - this.div2(); - }, -/* this=this^e */ - pow: function(e) - { - var bt; - var r=new FP2(1); - this.norm(); - var x=new FP2(this); //x.copy(this); - e.norm(); - while (true) - { - bt=e.parity(); - e.fshr(1); - if (bt==1) r.mul(x); - if (e.iszilch()) break; - x.sqr(); - } - - r.reduce(); - return r; - } - -}; - http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/FP4.js ---------------------------------------------------------------------- diff --git a/js/FP4.js b/js/FP4.js deleted file mode 100755 index 35dddfa..0000000 --- a/js/FP4.js +++ /dev/null 
@@ -1,501 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* Finite Field arithmetic Fp^4 functions */ - -/* FP4 elements are of the form a+ib, where i is sqrt(-1+sqrt(-1)) */ - -/* general purpose constructor */ -var FP4=function(c,d) -{ - if (c instanceof FP4) - { - this.a=new FP2(c.a); - this.b=new FP2(c.b); - } - else - { - this.a=new FP2(c); - this.b=new FP2(d); - } -}; - -FP4.prototype={ -/* reduce all components of this mod Modulus */ - reduce: function() - { - this.a.reduce(); - this.b.reduce(); - }, -/* normalise all components of this mod Modulus */ - norm: function() - { - this.a.norm(); - this.b.norm(); - }, -/* test this==0 ? */ - iszilch: function() - { - this.reduce(); - return (this.a.iszilch() && this.b.iszilch()); - }, -/* test this==1 ? */ - isunity: function() - { - var one=new FP2(1); - return (this.a.equals(one) && this.b.iszilch()); - }, -/* test is w real? That is in a+ib test b is zero */ - isreal: function() - { - return this.b.iszilch(); - }, -/* extract real part a */ - real: function() - { - return this.a; - }, - - geta: function() - { - return this.a; - }, -/* extract imaginary part b */ - getb: function() - { - return this.b; - }, -/* test this=x? 
*/ - equals: function(x) - { - return (this.a.equals(x.a) && this.b.equals(x.b)); - }, -/* copy this=x */ - copy: function(x) - { - this.a.copy(x.a); - this.b.copy(x.b); - }, -/* this=0 */ - zero: function() - { - this.a.zero(); - this.b.zero(); - }, -/* this=1 */ - one: function() - { - this.a.one(); - this.b.zero(); - }, - -/* set from two FP2s */ - set: function(c,d) - { - this.a.copy(c); - this.b.copy(d); - }, -/* set a */ - seta: function(c) - { - this.a.copy(c); - this.b.zero(); - }, -/* this=-this */ - neg: function() - { - var m=new FP2(this.a); //m.copy(this.a); - var t=new FP2(0); - m.add(this.b); - m.neg(); - m.norm(); - t.copy(m); t.add(this.b); - this.b.copy(m); - this.b.add(this.a); - this.a.copy(t); - }, -/* this=conjugate(this) */ - conj: function() - { - this.b.neg(); this.b.norm(); - }, -/* this=-conjugate(this) */ - nconj: function() - { - this.a.neg(); this.a.norm(); - }, -/* this+=x */ - add: function(x) - { - this.a.add(x.a); - this.b.add(x.b); - }, -/* this-=x */ - sub: function(x) - { - var m=new FP4(x); // m.copy(x); - m.neg(); - this.add(m); - }, -/* this*=s where s is FP2 */ - pmul: function(s) - { - this.a.mul(s); - this.b.mul(s); - }, -/* this*=c where s is int */ - imul: function(c) - { - this.a.imul(c); - this.b.imul(c); - }, -/* this*=this */ - sqr: function() - { - this.norm(); - - var t1=new FP2(this.a); //t1.copy(this.a); - var t2=new FP2(this.b); //t2.copy(this.b); - var t3=new FP2(this.a); //t3.copy(this.a); - - t3.mul(this.b); - t1.add(this.b); - t2.mul_ip(); - - t2.add(this.a); - this.a.copy(t1); - - this.a.mul(t2); - - t2.copy(t3); - t2.mul_ip(); - t2.add(t3); - - t2.neg(); - - this.a.add(t2); - - this.b.copy(t3); - this.b.add(t3); - - this.norm(); - }, -/* this*=y */ - mul: function(y) - { - this.norm(); - - var t1=new FP2(this.a); //t1.copy(this.a); - var t2=new FP2(this.b); //t2.copy(this.b); - var t3=new FP2(0); - var t4=new FP2(this.b); //t4.copy(this.b); - - t1.mul(y.a); - t2.mul(y.b); - t3.copy(y.b); - t3.add(y.a); - 
t4.add(this.a); - - t4.mul(t3); - t4.sub(t1); - - this.b.copy(t4); - this.b.sub(t2); - t2.mul_ip(); - this.a.copy(t2); - this.a.add(t1); - - this.norm(); - }, -/* convert to hex string */ - toString: function() - { - return ("["+this.a.toString()+","+this.b.toString()+"]"); - }, -/* this=1/this */ - inverse: function() - { - this.norm(); - - var t1=new FP2(this.a); //t1.copy(this.a); - var t2=new FP2(this.b);// t2.copy(this.b); - - t1.sqr(); - t2.sqr(); - t2.mul_ip(); - t1.sub(t2); - t1.inverse(); - this.a.mul(t1); - t1.neg(); - this.b.mul(t1); - }, - -/* this*=i where i = sqrt(-1+sqrt(-1)) */ - times_i: function() - { - var s=new FP2(this.b); //s.copy(this.b); - var t=new FP2(this.b); //t.copy(this.b); - s.times_i(); - t.add(s); - this.b.copy(this.a); - this.a.copy(t); - }, - -/* this=this^q using Frobenius, where q is Modulus */ - frob: function(f) - { - this.a.conj(); - this.b.conj(); - this.b.mul(f); - }, - -/* this=this^e */ - pow: function(e) - { - this.norm(); - e.norm(); - var w=new FP4(this); //w.copy(this); - var z=new BIG(e); //z.copy(e); - var r=new FP4(1); - while (true) - { - var bt=z.parity(); - z.fshr(1); - if (bt==1) r.mul(w); - if (z.iszilch()) break; - w.sqr(); - } - r.reduce(); - return r; - }, - -/* XTR xtr_a function */ - xtr_A: function(w,y,z) - { - var r=new FP4(w); //r.copy(w); - var t=new FP4(w); //t.copy(w); - r.sub(y); - r.pmul(this.a); - t.add(y); - t.pmul(this.b); - t.times_i(); - - this.copy(r); - this.add(t); - this.add(z); - - this.norm(); - }, -/* XTR xtr_d function */ - xtr_D: function() - { - var w=new FP4(this); //w.copy(this); - this.sqr(); w.conj(); - w.add(w); - this.sub(w); - this.reduce(); - }, -/* r=x^n using XTR method on traces of FP12s */ - xtr_pow: function(n) - { - var a=new FP4(3); - var b=new FP4(this); - var c=new FP4(b); - c.xtr_D(); - var t=new FP4(0); - var r=new FP4(0); - - n.norm(); - var par=n.parity(); - var v=new BIG(n); v.fshr(1); - if (par===0) {v.dec(1); v.norm();} - - var nb=v.nbits(); - for (var 
i=nb-1;i>=0;i--) - { - if (v.bit(i)!=1) - { - t.copy(b); - this.conj(); - c.conj(); - b.xtr_A(a,this,c); - this.conj(); - c.copy(t); - c.xtr_D(); - a.xtr_D(); - } - else - { - t.copy(a); t.conj(); - a.copy(b); - a.xtr_D(); - b.xtr_A(c,this,t); - c.xtr_D(); - } - } - if (par===0) r.copy(c); - else r.copy(b); - r.reduce(); - return r; - }, - -/* r=ck^a.cl^n using XTR double exponentiation method on traces of FP12s. See Stam thesis. */ - xtr_pow2: function(ck,ckml,ckm2l,a,b) - { - a.norm(); b.norm(); - var e=new BIG(a); //e.copy(a); - var d=new BIG(b); //d.copy(b); - var w=new BIG(0); - - var cu=new FP4(ck); //cu.copy(ck); // can probably be passed in w/o copying - var cv=new FP4(this); //cv.copy(this); - var cumv=new FP4(ckml); //cumv.copy(ckml); - var cum2v=new FP4(ckm2l); //cum2v.copy(ckm2l); - var r=new FP4(0); - var t=new FP4(0); - - var f2=0; - while (d.parity()===0 && e.parity()===0) - { - d.fshr(1); - e.fshr(1); - f2++; - } - - while (BIG.comp(d,e)!==0) - { - if (BIG.comp(d,e)>0) - { - w.copy(e); w.imul(4); w.norm(); - if (BIG.comp(d,w)<=0) - { - w.copy(d); d.copy(e); - e.rsub(w); e.norm(); - - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cum2v.copy(cumv); - cum2v.conj(); - cumv.copy(cv); - cv.copy(cu); - cu.copy(t); - - } - else if (d.parity()===0) - { - d.fshr(1); - r.copy(cum2v); r.conj(); - t.copy(cumv); - t.xtr_A(cu,cv,r); - cum2v.copy(cumv); - cum2v.xtr_D(); - cumv.copy(t); - cu.xtr_D(); - } - else if (e.parity()==1) - { - d.sub(e); d.norm(); - d.fshr(1); - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cu.xtr_D(); - cum2v.copy(cv); - cum2v.xtr_D(); - cum2v.conj(); - cv.copy(t); - } - else - { - w.copy(d); - d.copy(e); d.fshr(1); - e.copy(w); - t.copy(cumv); - t.xtr_D(); - cumv.copy(cum2v); cumv.conj(); - cum2v.copy(t); cum2v.conj(); - t.copy(cv); - t.xtr_D(); - cv.copy(cu); - cu.copy(t); - } - } - if (BIG.comp(d,e)<0) - { - w.copy(d); w.imul(4); w.norm(); - if (BIG.comp(e,w)<=0) - { - e.sub(d); e.norm(); - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cum2v.copy(cumv); - 
cumv.copy(cu); - cu.copy(t); - } - else if (e.parity()===0) - { - w.copy(d); - d.copy(e); d.fshr(1); - e.copy(w); - t.copy(cumv); - t.xtr_D(); - cumv.copy(cum2v); cumv.conj(); - cum2v.copy(t); cum2v.conj(); - t.copy(cv); - t.xtr_D(); - cv.copy(cu); - cu.copy(t); - } - else if (d.parity()==1) - { - w.copy(e); - e.copy(d); - w.sub(d); w.norm(); - d.copy(w); d.fshr(1); - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cumv.conj(); - cum2v.copy(cu); - cum2v.xtr_D(); - cum2v.conj(); - cu.copy(cv); - cu.xtr_D(); - cv.copy(t); - } - else - { - d.fshr(1); - r.copy(cum2v); r.conj(); - t.copy(cumv); - t.xtr_A(cu,cv,r); - cum2v.copy(cumv); - cum2v.xtr_D(); - cumv.copy(t); - cu.xtr_D(); - } - } - } - r.copy(cv); - r.xtr_A(cu,cumv,cum2v); - for (var i=0;i<f2;i++) - r.xtr_D(); - r=r.xtr_pow(d); - return r; - } - -}; http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/GCM.js ---------------------------------------------------------------------- diff --git a/js/GCM.js b/js/GCM.js deleted file mode 100755 index f0fdfc5..0000000 --- a/js/GCM.js +++ /dev/null 
@@ -1,304 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* - * Implementation of the AES-GCM Encryption/Authentication - * - * Some restrictions.. - * 1. Only for use with AES - * 2. Returned tag is always 128-bits. Truncate at your own risk. - * 3. The order of function calls must follow some rules - * - * Typical sequence of calls.. - * 1. call GCM_init - * 2. call GCM_add_header any number of times, as long as length of header is multiple of 16 bytes (block size) - * 3. call GCM_add_header one last time with any length of header - * 4. call GCM_add_cipher any number of times, as long as length of cipher/plaintext is multiple of 16 bytes - * 5. call GCM_add_cipher one last time with any length of cipher/plaintext - * 6. call GCM_finish to extract the tag. 
- * - * See http://www.mindspring.com/~dmcgrew/gcm-nist-6.pdf - */ - -var GCM = function() { - this.table=new Array(128); - for (var i=0;i<128;i++) - this.table[i]=new Array(4); /* 2k bytes */ - this.stateX=[]; - this.Y_0=[]; - this.counter=0; - this.lenA=[]; - this.lenC=[]; - this.status=0; - this.a=new AES(); -}; - -GCM.prototype={ - - precompute: function(H) - { - var i,j,c; - var b=[]; - - for (i=j=0;i<4;i++,j+=4) - { - b[0]=H[j]; b[1]=H[j+1]; b[2]=H[j+2]; b[3]=H[j+3]; - this.table[0][i]=GCM.pack(b); - } - for (i=1;i<128;i++) - { - c=0; - for (j=0;j<4;j++) - { - this.table[i][j]=c|(this.table[i-1][j])>>>1; - c=this.table[i-1][j]<<31; - } - if (c!==0) this.table[i][0]^=0xE1000000; /* irreducible polynomial */ - } - }, - - gf2mul: function() - { /* gf2m mul - Z=H*X mod 2^128 */ - var i,j,m,k; - var P=[]; - var c; - var b=[]; - - P[0]=P[1]=P[2]=P[3]=0; - j=8; m=0; - for (i=0;i<128;i++) - { - c=(this.stateX[m]>>>(--j))&1; - if (c!==0) for (k=0;k<4;k++) P[k]^=this.table[i][k]; - if (j===0) - { - j=8; m++; - if (m==16) break; - } - } - for (i=j=0;i<4;i++,j+=4) - { - b=GCM.unpack(P[i]); - this.stateX[j]=b[0]; this.stateX[j+1]=b[1]; this.stateX[j+2]=b[2]; this.stateX[j+3]=b[3]; - } - }, - - wrap: function() - { /* Finish off GHASH */ - var i,j; - var F=[]; - var L=[]; - var b=[]; - -/* convert lengths from bytes to bits */ - F[0]=(this.lenA[0]<<3)|(this.lenA[1]&0xE0000000)>>>29; - F[1]=this.lenA[1]<<3; - F[2]=(this.lenC[0]<<3)|(this.lenC[1]&0xE0000000)>>>29; - F[3]=this.lenC[1]<<3; - for (i=j=0;i<4;i++,j+=4) - { - b=GCM.unpack(F[i]); - L[j]=b[0]; L[j+1]=b[1]; L[j+2]=b[2]; L[j+3]=b[3]; - } - for (i=0;i<16;i++) this.stateX[i]^=L[i]; - this.gf2mul(); - }, - -/* Initialize GCM mode */ - init: function(key,niv,iv) - { /* iv size niv is usually 12 bytes (96 bits). 
AES key size nk can be 16,24 or 32 bytes */ - var i; - var H=[]; - var b=[]; - - for (i=0;i<16;i++) {H[i]=0; this.stateX[i]=0;} - - this.a.init(ROM.ECB,key,iv); - this.a.ecb_encrypt(H); /* E(K,0) */ - this.precompute(H); - - this.lenA[0]=this.lenC[0]=this.lenA[1]=this.lenC[1]=0; - if (niv==12) - { - for (i=0;i<12;i++) this.a.f[i]=iv[i]; - b=GCM.unpack(1); - this.a.f[12]=b[0]; this.a.f[13]=b[1]; this.a.f[14]=b[2]; this.a.f[15]=b[3]; /* initialise IV */ - for (i=0;i<16;i++) this.Y_0[i]=this.a.f[i]; - } - else - { - this.status=ROM.GCM_ACCEPTING_CIPHER; - this.ghash(iv,niv); /* GHASH(H,0,IV) */ - this.wrap(); - for (i=0;i<16;i++) {this.a.f[i]=this.stateX[i];this.Y_0[i]=this.a.f[i];this.stateX[i]=0;} - this.lenA[0]=this.lenC[0]=this.lenA[1]=this.lenC[1]=0; - } - this.status=ROM.GCM_ACCEPTING_HEADER; - }, - -/* Add Header data - included but not encrypted */ - add_header: function(header,len) - { /* Add some header. Won't be encrypted, but will be authenticated. len is length of header */ - var i,j=0; - if (this.status!=ROM.GCM_ACCEPTING_HEADER) return false; - - while (j<len) - { - for (i=0;i<16 && j<len;i++) - { - this.stateX[i]^=header[j++]; - this.lenA[1]++; this.lenA[1]|=0; if (this.lenA[1]===0) this.lenA[0]++; - } - this.gf2mul(); - } - if (len%16!==0) this.status=ROM.GCM_ACCEPTING_CIPHER; - return true; - }, - - ghash: function(plain,len) - { - var i,j=0; - - if (this.status==ROM.GCM_ACCEPTING_HEADER) this.status=ROM.GCM_ACCEPTING_CIPHER; - if (this.status!=ROM.GCM_ACCEPTING_CIPHER) return false; - - while (j<len) - { - for (i=0;i<16 && j<len;i++) - { - this.stateX[i]^=plain[j++]; - this.lenC[1]++; this.lenC[1]|=0; if (this.lenC[1]===0) this.lenC[0]++; - } - this.gf2mul(); - } - if (len%16!==0) this.status=ROM.GCM_NOT_ACCEPTING_MORE; - return true; - }, - -/* Add Plaintext - included and encrypted */ - add_plain: function(plain,len) - { - var i,j=0; - var B=[]; - var b=[]; - var cipher=[]; - - if (this.status==ROM.GCM_ACCEPTING_HEADER) 
this.status=ROM.GCM_ACCEPTING_CIPHER; - if (this.status!=ROM.GCM_ACCEPTING_CIPHER) return cipher; - - while (j<len) - { - - b[0]=this.a.f[12]; b[1]=this.a.f[13]; b[2]=this.a.f[14]; b[3]=this.a.f[15]; - this.counter=GCM.pack(b); - this.counter++; - b=GCM.unpack(this.counter); - this.a.f[12]=b[0]; this.a.f[13]=b[1]; this.a.f[14]=b[2]; this.a.f[15]=b[3]; /* increment counter */ - for (i=0;i<16;i++) B[i]=this.a.f[i]; - this.a.ecb_encrypt(B); /* encrypt it */ - - for (i=0;i<16 && j<len;i++) - { - cipher[j]=(plain[j]^B[i]); - this.stateX[i]^=cipher[j++]; - this.lenC[1]++; this.lenC[1]|=0; if (this.lenC[1]===0) this.lenC[0]++; - } - this.gf2mul(); - } - if (len%16!==0) this.status=ROM.GCM_NOT_ACCEPTING_MORE; - return cipher; - }, - -/* Add Ciphertext - decrypts to plaintext */ - add_cipher: function(cipher,len) - { - var i,j=0; - var B=[]; - var b=[]; - var plain=[]; - - if (this.status==ROM.GCM_ACCEPTING_HEADER) this.status=ROM.GCM_ACCEPTING_CIPHER; - if (this.status!=ROM.GCM_ACCEPTING_CIPHER) return plain; - - while (j<len) - { - b[0]=this.a.f[12]; b[1]=this.a.f[13]; b[2]=this.a.f[14]; b[3]=this.a.f[15]; - this.counter=GCM.pack(b); - this.counter++; - b=GCM.unpack(this.counter); - this.a.f[12]=b[0]; this.a.f[13]=b[1]; this.a.f[14]=b[2]; this.a.f[15]=b[3]; /* increment counter */ - for (i=0;i<16;i++) B[i]=this.a.f[i]; - this.a.ecb_encrypt(B); /* encrypt it */ - for (i=0;i<16 && j<len;i++) - { - plain[j]=(cipher[j]^B[i]); - this.stateX[i]^=cipher[j++]; - this.lenC[1]++; this.lenC[1]|=0; if (this.lenC[1]===0) this.lenC[0]++; - } - this.gf2mul(); - } - if (len%16!==0) this.status=ROM.GCM_NOT_ACCEPTING_MORE; - return plain; - }, - -/* Finish and extract Tag */ - finish: function(extract) - { /* Finish off GHASH and extract tag (MAC) */ - var i; - var tag=[]; - - this.wrap(); -/* extract tag */ - if (extract) - { - this.a.ecb_encrypt(this.Y_0); /* E(K,Y0) */ - for (i=0;i<16;i++) this.Y_0[i]^=this.stateX[i]; - for (i=0;i<16;i++) 
{tag[i]=this.Y_0[i];this.Y_0[i]=this.stateX[i]=0;} - } - this.status=ROM.GCM_FINISHED; - this.a.end(); - return tag; - } - -}; - -GCM.pack= function(b) -{ /* pack 4 bytes into a 32-bit Word */ - return (((b[0])&0xff)<<24)|((b[1]&0xff)<<16)|((b[2]&0xff)<<8)|(b[3]&0xff); -}; - -GCM.unpack=function(a) -{ /* unpack bytes from a word */ - var b=[]; - b[3]=(a&0xff); - b[2]=((a>>>8)&0xff); - b[1]=((a>>>16)&0xff); - b[0]=((a>>>24)&0xff); - return b; -}; - -GCM.hex2bytes=function(s) -{ - var len = s.length; - var data = []; - for (var i = 0; i < len; i += 2) - data[i / 2] = parseInt(s.substr(i,2),16); - - return data; -}; http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/HASH.js ---------------------------------------------------------------------- diff --git a/js/HASH.js b/js/HASH.js deleted file mode 100755 index a5a82f8..0000000 --- a/js/HASH.js +++ /dev/null 
@@ -1,174 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -var HASH = function() { - this.length=[]; - this.h=[]; - this.w=[]; - this.init(); -}; - -HASH.prototype={ - - len: 32, - /* functions */ - S: function(n,x) - { - return (((x)>>>n) | ((x)<<(32-n))); - }, - - R: function(n,x) - { - return ((x)>>>n); - }, - - Ch: function(x,y,z) - { - return ((x&y)^(~(x)&z)); - }, - - Maj: function(x,y,z) - { - return ((x&y)^(x&z)^(y&z)); - }, - - Sig0: function(x) - { - return (this.S(2,x)^this.S(13,x)^this.S(22,x)); - }, - - Sig1: function(x) - { - return (this.S(6,x)^this.S(11,x)^this.S(25,x)); - }, - - theta0: function(x) - { - return (this.S(7,x)^this.S(18,x)^this.R(3,x)); - }, - - theta1: function(x) - { - return (this.S(17,x)^this.S(19,x)^this.R(10,x)); - }, - - transform: function() - { /* basic transformation step */ - var a,b,c,d,e,f,g,hh,t1,t2; - var j; - for (j=16;j<64;j++) - this.w[j]=(this.theta1(this.w[j-2])+this.w[j-7]+this.theta0(this.w[j-15])+this.w[j-16])|0; - - a=this.h[0]; b=this.h[1]; c=this.h[2]; d=this.h[3]; - e=this.h[4]; f=this.h[5]; g=this.h[6]; hh=this.h[7]; - - for (j=0;j<64;j++) - { /* 64 times - mush it up */ - t1=(hh+this.Sig1(e)+this.Ch(e,f,g)+ROM.HK[j]+this.w[j])|0; - t2=(this.Sig0(a)+this.Maj(a,b,c))|0; - hh=g; g=f; 
f=e; - e=(d+t1)|0; // Need to knock these back down to prevent 52-bit overflow - d=c; - c=b; - b=a; - a=(t1+t2)|0; - - } - this.h[0]+=a; this.h[1]+=b; this.h[2]+=c; this.h[3]+=d; - this.h[4]+=e; this.h[5]+=f; this.h[6]+=g; this.h[7]+=hh; - - this.h[0]|=0; - this.h[1]|=0; - this.h[2]|=0; - this.h[3]|=0; - this.h[4]|=0; - this.h[5]|=0; - this.h[6]|=0; - this.h[7]|=0; - }, - -/* Initialise Hash function */ - init: function() - { /* initialise */ - var i; - for (i=0;i<64;i++) this.w[i]=0; - this.length[0]=this.length[1]=0; - this.h[0]=ROM.H0; - this.h[1]=ROM.H1; - this.h[2]=ROM.H2; - this.h[3]=ROM.H3; - this.h[4]=ROM.H4; - this.h[5]=ROM.H5; - this.h[6]=ROM.H6; - this.h[7]=ROM.H7; - }, - -/* process a single byte */ - process: function(byt) - { /* process the next message byte */ - var cnt; - - cnt=(this.length[0]>>>5)%16; - this.w[cnt]<<=8; - this.w[cnt]|=(byt&0xFF); - this.length[0]+=8; - if ((this.length[0]&0xffffffff)===0) { this.length[1]++; this.length[0]=0; } - if ((this.length[0]%512)===0) this.transform(); - }, - -/* process an array of bytes */ - process_array: function(b) - { - for (var i=0;i<b.length;i++) this.process(b[i]); - }, - -/* process a 32-bit integer */ - process_num: function(n) - { - this.process((n>>24)&0xff); - this.process((n>>16)&0xff); - this.process((n>>8)&0xff); - this.process(n&0xff); - }, - - hash: function() - { /* pad message and finish - supply digest */ - var i; - var digest=[]; - var len0,len1; - len0=this.length[0]; - len1=this.length[1]; - this.process(0x80); - while ((this.length[0]%512)!=448) this.process(0); - - this.w[14]=len1; - this.w[15]=len0; - this.transform(); - - for (i=0;i<32;i++) - { /* convert to bytes */ - digest[i]=((this.h[i>>>2]>>(8*(3-i%4))) & 0xff); - } - this.init(); - return digest; - } - -}; - - http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/js/MPIN.js ---------------------------------------------------------------------- 
diff --git a/js/MPIN.js b/js/MPIN.js
deleted file mode 100755
index 837b4fd..0000000
--- a/js/MPIN.js
+++ /dev/null
@@ -1,800 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* MPIN API Functions */ - -var MPIN = { - BAD_PARAMS:-11, - INVALID_POINT:-14, - WRONG_ORDER:-18, - BAD_PIN:-19, -/* configure PIN here */ - MAXPIN:10000, /* max PIN */ - PBLEN:14, /* MAXPIN length in bits */ - TS:10, /* 10 for 4 digit PIN, 14 for 6-digit PIN - 2^TS/TS approx = sqrt(MAXPIN) */ - TRAP:200, /* 200 for 4 digit PIN, 2000 for 6-digit PIN - approx 2*sqrt(MAXPIN) */ - EFS:ROM.MODBYTES, - EGS:ROM.MODBYTES, - PAS:16, - -/* return time in slots since epoch */ - today: function() { - var now=new Date(); - return Math.floor(now.getTime()/(60000*1440)); // for daily tokens - }, - - bytestostring: function(b) - { - var s=""; - var len=b.length; - var ch; - - for (var i=0;i<len;i++) - { - ch=b[i]; - s+=((ch>>>4)&15).toString(16); - s+=(ch&15).toString(16); - - } - return s; - }, - - stringtobytes: function(s) - { - var b=[]; - for (var i=0;i<s.length;i++) - b.push(s.charCodeAt(i)); - return b; - }, - - comparebytes: function(a,b) - { - if (a.length!=b.length) return false; - for (var i=0;i<a.length;i++) - { - if (a[i]!=b[i]) return false; - } - return true; - }, - - -/* Hash number (optional) and string to point on curve */ - - hashit: function(n,ID) - { - var H=new HASH(); - if 
(n!==0) H.process_num(n); - H.process_array(ID); - return H.hash(); - }, - - mapit: function(h) - { - var q=new BIG(0); q.rcopy(ROM.Modulus); - var x=BIG.fromBytes(h); - x.mod(q); - var P=new ECP(); - while (true) - { - P.setxi(x,0); - if (!P.is_infinity()) break; - x.inc(1); x.norm(); - } - return P; - }, - -/* needed for SOK */ - mapit2: function(h) - { - var q=new BIG(0); q.rcopy(ROM.Modulus); - var x=BIG.fromBytes(h); - var one=new BIG(1); - x.mod(q); - var Q,T,K,X; - while (true) - { - X=new FP2(one,x); - Q=new ECP2(); Q.setx(X); - if (!Q.is_infinity()) break; - x.inc(1); x.norm(); - } -/* Fast Hashing to G2 - Fuentes-Castaneda, Knapp and Rodriguez-Henriquez */ - - var Fa=new BIG(0); Fa.rcopy(ROM.CURVE_Fra); - var Fb=new BIG(0); Fb.rcopy(ROM.CURVE_Frb); - X=new FP2(Fa,Fb); - x=new BIG(0); x.rcopy(ROM.CURVE_Bnx); - - T=new ECP2(); T.copy(Q); - T.mul(x); T.neg(); - K=new ECP2(); K.copy(T); - K.dbl(); K.add(T); K.affine(); - - K.frob(X); - Q.frob(X); Q.frob(X); Q.frob(X); - Q.add(T); Q.add(K); - T.frob(X); T.frob(X); - Q.add(T); - Q.affine(); - return Q; - - }, - -/* these next two functions help to implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* maps a random u to a point on the curve */ - map: function(u,cb) - { - var P=new ECP(); - var x=new BIG(u); - var p=new BIG(0); p.rcopy(ROM.Modulus); - x.mod(p); - while (true) - { - P.setxi(x,cb); - if (!P.is_infinity()) break; - x.inc(1); x.norm(); - } - return P; - }, - -/* returns u derived from P. 
Random value in range 1 to return value should then be added to u */ - unmap: function(u,P) - { - var s=P.getS(); - var R=new ECP(); - var r=0; - var x=P.getX(); - u.copy(x); - while (true) - { - u.dec(1); u.norm(); - r++; - R.setxi(u,s); //=new ECP(u,s); - if (!R.is_infinity()) break; - } - return r; - }, - -/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */ -/* Note that u and v are indistinguisible from random strings */ - ENCODING: function(rng,E) - { - var i,rn,m,su,sv; - var T=[]; - - for (i=0;i<this.EFS;i++) T[i]=E[i+1]; - var u=BIG.fromBytes(T); - for (i=0;i<this.EFS;i++) T[i]=E[i+this.EFS+1]; - var v=BIG.fromBytes(T); - - var P=new ECP(0); P.setxy(u,v); - if (P.is_infinity()) return this.INVALID_POINT; - - var p=new BIG(0); p.rcopy(ROM.Modulus); - u=BIG.randomnum(p,rng); - - su=rng.getByte(); if (su<0) su=-su; su%=2; - - var W=this.map(u,su); - P.sub(W); - sv=P.getS(); - rn=this.unmap(v,P); - m=rng.getByte(); if (m<0) m=-m; m%=rn; - v.inc(m+1); - E[0]=(su+2*sv); - u.toBytes(T); - for (i=0;i<this.EFS;i++) E[i+1]=T[i]; - v.toBytes(T); - for (i=0;i<this.EFS;i++) E[i+this.EFS+1]=T[i]; - - return 0; - }, - - DECODING: function(D) - { - var i,su,sv; - var T=[]; - - if ((D[0]&0x04)!==0) return this.INVALID_POINT; - - for (i=0;i<this.EFS;i++) T[i]=D[i+1]; - var u=BIG.fromBytes(T); - for (i=0;i<this.EFS;i++) T[i]=D[i+this.EFS+1]; - var v=BIG.fromBytes(T); - - su=D[0]&1; - sv=(D[0]>>1)&1; - var W=this.map(u,su); - var P=this.map(v,sv); - P.add(W); - u=P.getX(); - v=P.getY(); - D[0]=0x04; - u.toBytes(T); - for (i=0;i<this.EFS;i++) D[i+1]=T[i]; - v.toBytes(T); - for (i=0;i<this.EFS;i++) D[i+this.EFS+1]=T[i]; - - return 0; - }, - -/* R=R1+R2 in group G1 */ - RECOMBINE_G1: function(R1,R2,R) - { - var P=ECP.fromBytes(R1); - var Q=ECP.fromBytes(R2); - - if (P.is_infinity() || Q.is_infinity()) return this.INVALID_POINT; - - P.add(Q); - - 
P.toBytes(R); - return 0; - }, - -/* W=W1+W2 in group G2 */ - RECOMBINE_G2: function(W1,W2,W) - { - var P=ECP2.fromBytes(W1); - var Q=ECP2.fromBytes(W2); - - if (P.is_infinity() || Q.is_infinity()) return this.INVALID_POINT; - - P.add(Q); - - P.toBytes(W); - return 0; - }, - - HASH_ID: function(ID) - { - return this.hashit(0,ID); - }, - -/* create random secret S */ - RANDOM_GENERATE: function(rng,S) - { - var r=new BIG(0); r.rcopy(ROM.CURVE_Order); - var s=BIG.randomnum(r,rng); - - s.toBytes(S); - return 0; - }, - -/* Extract PIN from TOKEN for identity CID */ - EXTRACT_PIN: function(CID,pin,TOKEN) - { - var P=ECP.fromBytes(TOKEN); - if (P.is_infinity()) return this.INVALID_POINT; - var h=this.hashit(0,CID); - var R=this.mapit(h); - - pin%=this.MAXPIN; - - R=R.pinmul(pin,this.PBLEN); - P.sub(R); - - P.toBytes(TOKEN); - - return 0; - }, - -/* Extract Server Secret SST=S*Q where Q is fixed generator in G2 and S is master secret */ - GET_SERVER_SECRET: function(S,SST) - { - - var A=new BIG(0); - var B=new BIG(0); - A.rcopy(ROM.CURVE_Pxa); B.rcopy(ROM.CURVE_Pxb); - var QX=new FP2(0); QX.bset(A,B); - A.rcopy(ROM.CURVE_Pya); B.rcopy(ROM.CURVE_Pyb); - var QY=new FP2(0); QY.bset(A,B); - - var Q=new ECP2(); - Q.setxy(QX,QY); - - var s=BIG.fromBytes(S); - Q=PAIR.G2mul(Q,s); - Q.toBytes(SST); - return 0; - }, - - -/* - W=x*H(G); - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve -*/ - GET_G1_MULTIPLE: function(rng,type,X,G,W) - { - var x; - var r=new BIG(0); r.rcopy(ROM.CURVE_Order); - - if (rng!=null) - { - x=BIG.randomnum(r,rng); - x.toBytes(X); - } - else - { - x=BIG.fromBytes(X); - } - var P; - if (type==0) - { - P=ECP.fromBytes(G); - if (P.is_infinity()) return INVALID_POINT; - } - else - P=this.mapit(G); - - PAIR.G1mul(P,x).toBytes(W); - return 0; - }, - - -/* Client secret CST=S*H(CID) where CID is client ID and S is master 
secret */ - GET_CLIENT_SECRET: function(S,CID,CST) - { - return this.GET_G1_MULTIPLE(null,1,S,CID,CST); - }, - -/* Time Permit CTT=S*(date|H(CID)) where S is master secret */ - GET_CLIENT_PERMIT: function(date,S,CID,CTT) - { - var h=this.hashit(date,CID); - var P=this.mapit(h); - - var s=BIG.fromBytes(S); - P=PAIR.G1mul(P,s); - P.toBytes(CTT); - return 0; - }, - -/* Implement step 1 on client side of MPin protocol */ - CLIENT_1: function(date,CLIENT_ID,rng,X,pin,TOKEN,SEC,xID,xCID,PERMIT) - { - var r=new BIG(0); r.rcopy(ROM.CURVE_Order); - // var q=new BIG(0); q.rcopy(ROM.Modulus); - var x; - if (rng!==null) - { - x=BIG.randomnum(r,rng); - x.toBytes(X); - } - else - { - x=BIG.fromBytes(X); - } - var P,T,W; - - var h=this.hashit(0,CLIENT_ID); - P=this.mapit(h); - T=ECP.fromBytes(TOKEN); - if (T.is_infinity()) return this.INVALID_POINT; - - pin%=this.MAXPIN; - W=P.pinmul(pin,this.PBLEN); - T.add(W); - - if (date!=0) - { - W=ECP.fromBytes(PERMIT); - if (W.is_infinity()) return this.INVALID_POINT; - T.add(W); - h=this.hashit(date,h); - W=this.mapit(h); - if (xID!=null) - { - P=PAIR.G1mul(P,x); - P.toBytes(xID); - W=PAIR.G1mul(W,x); - P.add(W); - } - else - { - P.add(W); - P=PAIR.G1mul(P,x); - } - if (xCID!=null) P.toBytes(xCID); - } - else - { - if (xID!=null) - { - P=PAIR.G1mul(P,x); - P.toBytes(xID); - } - } - - T.toBytes(SEC); - return 0; - }, - -/* Implement step 2 on client side of MPin protocol */ - CLIENT_2: function(X,Y,SEC) - { - var r=new BIG(0); r.rcopy(ROM.CURVE_Order); - var P=ECP.fromBytes(SEC); - if (P.is_infinity()) return this.INVALID_POINT; - - var px=BIG.fromBytes(X); - var py=BIG.fromBytes(Y); - px.add(py); - px.mod(r); - px.rsub(r); - - PAIR.G1mul(P,px).toBytes(SEC); - return 0; - }, - -/* Outputs H(CID) and H(T|H(CID)) for time permits. 
If no time permits set HID=HTID */ - SERVER_1: function(date,CID,HID,HTID) - { - var h=this.hashit(0,CID); - var R,P=this.mapit(h); - - if (date!==0) - { - if (HID!=null) P.toBytes(HID); - h=this.hashit(date,h); - R=this.mapit(h); - P.add(R); - P.toBytes(HTID); - } - else P.toBytes(HID); - }, - -/* Implement step 1 of MPin protocol on server side */ - SERVER_2: function(date,HID,HTID,Y,SST,xID,xCID,mSEC,E,F) - { - var A=new BIG(0); - var B=new BIG(0); - A.rcopy(ROM.CURVE_Pxa); B.rcopy(ROM.CURVE_Pxb); - var QX=new FP2(0); QX.bset(A,B); - A.rcopy(ROM.CURVE_Pya); B.rcopy(ROM.CURVE_Pyb); - var QY=new FP2(0); QY.bset(A,B); - - var Q=new ECP2(); - Q.setxy(QX,QY); - - var sQ=ECP2.fromBytes(SST); - if (sQ.is_infinity()) return this.INVALID_POINT; - - var R; - if (date!==0) - R=ECP.fromBytes(xCID); - else - { - if (xID==null) return this.BAD_PARAMS; - R=ECP.fromBytes(xID); - } - if (R.is_infinity()) return this.INVALID_POINT; - - var y=BIG.fromBytes(Y); - var P; - - if (date!=0) P=ECP.fromBytes(HTID); - else - { - if (HID==null) return this.BAD_PARAMS; - P=ECP.fromBytes(HID); - } - if (P.is_infinity()) return this.INVALID_POINT; - - P=PAIR.G1mul(P,y); - P.add(R); - R=ECP.fromBytes(mSEC); - if (R.is_infinity()) return this.INVALID_POINT; - - var g=PAIR.ate2(Q,R,sQ,P); - g=PAIR.fexp(g); - - if (!g.isunity()) - { - if (HID!=null && xID!=null && E!=null && F!=null) - { - g.toBytes(E); - if (date!==0) - { - P=ECP.fromBytes(HID); - if (P.is_infinity()) return this.INVALID_POINT; - R=ECP.fromBytes(xID); - if (R.is_infinity()) return this.INVALID_POINT; - - P=PAIR.G1mul(P,y); - P.add(R); - } - g=PAIR.ate(Q,P); - g=PAIR.fexp(g); - - g.toBytes(F); - } - return this.BAD_PIN; - } - return 0; - }, - -/* Pollards kangaroos used to return PIN error */ - KANGAROO: function(E,F) - { - var ge=FP12.fromBytes(E); - var gf=FP12.fromBytes(F); - var distance = []; - var t=new FP12(gf); - var table=[]; - var i,j,m,s,dn,dm,res,steps; - - s=1; - for (m=0;m<this.TS;m++) - { - distance[m]=s; - 
table[m]=new FP12(t); - s*=2; - t.usqr(); - } - t.one(); - dn=0; - for (j=0;j<this.TRAP;j++) - { - i=t.geta().geta().getA().lastbits(8)%this.TS; - t.mul(table[i]); - dn+=distance[i]; - } - gf.copy(t); gf.conj(); - steps=0; dm=0; - res=0; - while (dm-dn<this.MAXPIN) - { - steps++; - if (steps>4*this.TRAP) break; - i=ge.geta().geta().getA().lastbits(8)%this.TS; - ge.mul(table[i]); - dm+=distance[i]; - if (ge.equals(t)) - { - res=dm-dn; - break; - } - if (ge.equals(gf)) - { - res=dn-dm; - break; - } - - } - if (steps>4*this.TRAP || dm-dn>=this.MAXPIN) {res=0; } // Trap Failed - probable invalid token - return res; - }, - - /* return time since epoch */ - GET_TIME: function() { - var now=new Date(); - return Math.floor(now.getTime()/(1000)); - }, - - /* y = H(time,xCID) */ - GET_Y: function(TimeValue,xCID,Y) - { - var q=new BIG(0); - q.rcopy(ROM.CURVE_Order); - var h=this.hashit(TimeValue,xCID); - var y=BIG.fromBytes(h); - y.mod(q); - y.toBytes(Y); - return 0; - }, - - /* One pass MPIN Client */ - CLIENT: function(date,CLIENT_ID,rng,X,pin,TOKEN,SEC,xID,xCID,PERMIT,TimeValue,Y) - { - - var rtn=0; - var pID; - if (date == 0) { - pID = xID; - } else { - pID = xCID; - xID = null; - } - - rtn = this.CLIENT_1(date,CLIENT_ID,rng,X,pin,TOKEN,SEC,xID,xCID,PERMIT); - if (rtn != 0) - return rtn; - - this.GET_Y(TimeValue,pID,Y); - - rtn = this.CLIENT_2(X,Y,SEC); - if (rtn != 0) - return rtn; - - return 0; - }, - - /* One pass MPIN Server */ - SERVER: function(date,HID,HTID,Y,SST,xID,xCID,mSEC,E,F,CID,TimeValue) - { - var rtn=0; - var pID; - if (date == 0) { - pID = xID; - } else { - pID = xCID; - } - - this.SERVER_1(date,CID,HID,HTID); - - this.GET_Y(TimeValue,pID,Y); - - rtn = this.SERVER_2(date,HID,HTID,Y,SST,xID,xCID,mSEC,E,F); - if (rtn != 0) - return rtn; - - return 0; - }, - -/* Functions to support M-Pin Full */ - - PRECOMPUTE: function(TOKEN,CID,G1,G2) - { - var P,T; - var g; - - T=ECP.fromBytes(TOKEN); - if (T.is_infinity()) return INVALID_POINT; - - P=this.mapit(CID); - 
- var A=new BIG(0); - var B=new BIG(0); - A.rcopy(ROM.CURVE_Pxa); B.rcopy(ROM.CURVE_Pxb); - var QX=new FP2(0); QX.bset(A,B); - A.rcopy(ROM.CURVE_Pya); B.rcopy(ROM.CURVE_Pyb); - var QY=new FP2(0); QY.bset(A,B); - - var Q=new ECP2(); - Q.setxy(QX,QY); - - g=PAIR.ate(Q,T); - g=PAIR.fexp(g); - g.toBytes(G1); - - g=PAIR.ate(Q,P); - g=PAIR.fexp(g); - g.toBytes(G2); - - return 0; - }, - -/* calculate common key on client side */ -/* wCID = w.(A+AT) */ - CLIENT_KEY: function(G1,G2,pin,R,X,wCID,CK) - { - var H=new HASH(); - var t=[]; - - var g1=FP12.fromBytes(G1); - var g2=FP12.fromBytes(G2); - var z=BIG.fromBytes(R); - var x=BIG.fromBytes(X); - - var W=ECP.fromBytes(wCID); - if (W.is_infinity()) return INVALID_POINT; - - W=PAIR.G1mul(W,x); - - var fa=new BIG(0); fa.rcopy(ROM.CURVE_Fra); - var fb=new BIG(0); fb.rcopy(ROM.CURVE_Frb); - var f=new FP2(fa,fb); //f.bset(fa,fb); - - var r=new BIG(0); r.rcopy(ROM.CURVE_Order); - var q=new BIG(0); q.rcopy(ROM.Modulus); - - var m=new BIG(q); - m.mod(r); - - var a=new BIG(z); - a.mod(m); - - var b=new BIG(z); - b.div(m); - - g2.pinpow(pin,this.PBLEN); - g1.mul(g2); - - var c=g1.trace(); - g2.copy(g1); - g2.frob(f); - var cp=g2.trace(); - g1.conj(); - g2.mul(g1); - var cpm1=g2.trace(); - g2.mul(g1); - var cpm2=g2.trace(); - - c=c.xtr_pow2(cp,cpm1,cpm2,a,b); - - c.geta().getA().toBytes(t); - H.process_array(t); - c.geta().getB().toBytes(t); - H.process_array(t); - c.getb().getA().toBytes(t); - H.process_array(t); - c.getb().getB().toBytes(t); - H.process_array(t); - - W.getX().toBytes(t); - H.process_array(t); - W.getY().toBytes(t); - H.process_array(t); - - t=H.hash(); - for (var i=0;i<this.PAS;i++) CK[i]=t[i]; - - return 0; - }, - -/* calculate common key on server side */ -/* Z=r.A - no time permits involved */ - - SERVER_KEY: function(Z,SST,W,xID,xCID,SK) - { - var H=new HASH(); - var t=[]; - - var sQ=ECP2.fromBytes(SST); - if (sQ.is_infinity()) return INVALID_POINT; - var R=ECP.fromBytes(Z); - if (R.is_infinity()) return 
INVALID_POINT; - - var U; - if (xCID!=null) - U=ECP.fromBytes(xCID); - else - U=ECP.fromBytes(xID); - if (U.is_infinity()) return INVALID_POINT; - - var w=BIG.fromBytes(W); - U=PAIR.G1mul(U,w); - var g=PAIR.ate(sQ,R); - g=PAIR.fexp(g); - - var c=g.trace(); - c.geta().getA().toBytes(t); - H.process_array(t); - c.geta().getB().toBytes(t); - H.process_array(t); - c.getb().getA().toBytes(t); - H.process_array(t); - c.getb().getB().toBytes(t); - H.process_array(t); - - U.getX().toBytes(t); - H.process_array(t); - U.getY().toBytes(t); - H.process_array(t); - - t=H.hash(); - for (var i=0;i<this.PAS;i++) SK[i]=t[i]; - - return 0; - } -};
