http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/FP12.cs
----------------------------------------------------------------------
diff --git a/cs/FP12.cs b/cs/FP12.cs
deleted file mode 100644
index 2574aa8..0000000
--- a/cs/FP12.cs
+++ /dev/null
@@ -1,769 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* AMCL Fp^12 functions */ -/* FP12 elements are of the form a+i.b+i^2.c */ - -public sealed class FP12 -{ - private readonly FP4 a; - private readonly FP4 b; - private readonly FP4 c; -/* reduce all components of this mod Modulus */ - public void reduce() - { - a.reduce(); - b.reduce(); - c.reduce(); - } -/* normalise all components of this */ - public void norm() - { - a.norm(); - b.norm(); - c.norm(); - } -/* test x==0 ? */ - public bool iszilch() - { - reduce(); - return (a.iszilch() && b.iszilch() && c.iszilch()); - } -/* test x==1 ? 
*/ - public bool isunity() - { - FP4 one = new FP4(1); - return (a.Equals(one) && b.iszilch() && c.iszilch()); - } -/* return 1 if x==y, else 0 */ - public bool Equals(FP12 x) - { - return (a.Equals(x.a) && b.Equals(x.b) && c.Equals(x.c)); - } -/* extract a from this */ - public FP4 geta() - { - return a; - } -/* extract b */ - public FP4 getb() - { - return b; - } -/* extract c */ - public FP4 getc() - { - return c; - } -/* copy this=x */ - public void copy(FP12 x) - { - a.copy(x.a); - b.copy(x.b); - c.copy(x.c); - } -/* set this=1 */ - public void one() - { - a.one(); - b.zero(); - c.zero(); - } -/* this=conj(this) */ - public void conj() - { - a.conj(); - b.nconj(); - c.conj(); - } -/* Constructors */ - public FP12(FP4 d) - { - a = new FP4(d); - b = new FP4(0); - c = new FP4(0); - } - - public FP12(int d) - { - a = new FP4(d); - b = new FP4(0); - c = new FP4(0); - } - - public FP12(FP4 d, FP4 e, FP4 f) - { - a = new FP4(d); - b = new FP4(e); - c = new FP4(f); - } - - public FP12(FP12 x) - { - a = new FP4(x.a); - b = new FP4(x.b); - c = new FP4(x.c); - } - -/* Granger-Scott Unitary Squaring */ - public void usqr() - { - FP4 A = new FP4(a); - FP4 B = new FP4(c); - FP4 C = new FP4(b); - FP4 D = new FP4(0); - - a.sqr(); - D.copy(a); - D.add(a); - a.add(D); - -// a.norm(); - A.nconj(); - - A.add(A); - a.add(A); - B.sqr(); - B.times_i(); - - D.copy(B); - D.add(B); - B.add(D); -// B.norm(); - - C.sqr(); - D.copy(C); - D.add(C); - C.add(D); -// C.norm(); - - b.conj(); - b.add(b); - c.nconj(); - - c.add(c); - b.add(B); - c.add(C); - reduce(); - - } - -/* Chung-Hasan SQR2 method from http://cacr.uwaterloo.ca/techreports/2006/cacr2006-24.pdf */ - public void sqr() - { - FP4 A = new FP4(a); - FP4 B = new FP4(b); - FP4 C = new FP4(c); - FP4 D = new FP4(a); - - A.sqr(); - B.mul(c); - B.add(B); - C.sqr(); - D.mul(b); - D.add(D); - - c.add(a); - c.add(b); - c.sqr(); - - a.copy(A); - - A.add(B); -// A.norm(); - A.add(C); - A.add(D); -// A.norm(); - - A.neg(); - B.times_i(); - 
C.times_i(); - - a.add(B); - - b.copy(C); - b.add(D); - c.add(A); - norm(); - } - -/* FP12 full multiplication this=this*y */ - public void mul(FP12 y) - { - FP4 z0 = new FP4(a); - FP4 z1 = new FP4(0); - FP4 z2 = new FP4(b); - FP4 z3 = new FP4(0); - FP4 t0 = new FP4(a); - FP4 t1 = new FP4(y.a); - - z0.mul(y.a); - z2.mul(y.b); - - t0.add(b); - t1.add(y.b); - - z1.copy(t0); - z1.mul(t1); - t0.copy(b); - t0.add(c); - - t1.copy(y.b); - t1.add(y.c); - z3.copy(t0); - z3.mul(t1); - - t0.copy(z0); - t0.neg(); - t1.copy(z2); - t1.neg(); - - z1.add(t0); -// z1.norm(); - b.copy(z1); - b.add(t1); - - z3.add(t1); - z2.add(t0); - - t0.copy(a); - t0.add(c); - t1.copy(y.a); - t1.add(y.c); - t0.mul(t1); - z2.add(t0); - - t0.copy(c); - t0.mul(y.c); - t1.copy(t0); - t1.neg(); - -// z2.norm(); -// z3.norm(); -// b.norm(); - - c.copy(z2); - c.add(t1); - z3.add(t1); - t0.times_i(); - b.add(t0); - - z3.times_i(); - a.copy(z0); - a.add(z3); - norm(); - } - -/* Special case of multiplication arises from special form of ATE pairing line function */ - public void smul(FP12 y) - { - FP4 z0 = new FP4(a); - FP4 z2 = new FP4(b); - FP4 z3 = new FP4(b); - FP4 t0 = new FP4(0); - FP4 t1 = new FP4(y.a); - - z0.mul(y.a); - z2.pmul(y.b.real()); - b.add(a); - t1.real().add(y.b.real()); - - b.mul(t1); - z3.add(c); - z3.pmul(y.b.real()); - - t0.copy(z0); - t0.neg(); - t1.copy(z2); - t1.neg(); - - b.add(t0); -// b.norm(); - - b.add(t1); - z3.add(t1); - z2.add(t0); - - t0.copy(a); - t0.add(c); - t0.mul(y.a); - c.copy(z2); - c.add(t0); - - z3.times_i(); - a.copy(z0); - a.add(z3); - - norm(); - } - -/* this=1/this */ - public void inverse() - { - FP4 f0 = new FP4(a); - FP4 f1 = new FP4(b); - FP4 f2 = new FP4(a); - FP4 f3 = new FP4(0); - - norm(); - f0.sqr(); - f1.mul(c); - f1.times_i(); - f0.sub(f1); - - f1.copy(c); - f1.sqr(); - f1.times_i(); - f2.mul(b); - f1.sub(f2); - - f2.copy(b); - f2.sqr(); - f3.copy(a); - f3.mul(c); - f2.sub(f3); - - f3.copy(b); - f3.mul(f2); - f3.times_i(); - a.mul(f0); - f3.add(a); 
- c.mul(f1); - c.times_i(); - - f3.add(c); - f3.inverse(); - a.copy(f0); - a.mul(f3); - b.copy(f1); - b.mul(f3); - c.copy(f2); - c.mul(f3); - } - -/* this=this^p using Frobenius */ - public void frob(FP2 f) - { - FP2 f2 = new FP2(f); - FP2 f3 = new FP2(f); - - f2.sqr(); - f3.mul(f2); - - a.frob(f3); - b.frob(f3); - c.frob(f3); - - b.pmul(f); - c.pmul(f2); - } - -/* trace function */ - public FP4 trace() - { - FP4 t = new FP4(0); - t.copy(a); - t.imul(3); - t.reduce(); - return t; - } - -/* convert from byte array to FP12 */ - public static FP12 fromBytes(sbyte[] w) - { - BIG a, b; - FP2 c, d; - FP4 e, f, g; - sbyte[] t = new sbyte[ROM.MODBYTES]; - - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i]; - } - a = BIG.fromBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + ROM.MODBYTES]; - } - b = BIG.fromBytes(t); - c = new FP2(a,b); - - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 2 * ROM.MODBYTES]; - } - a = BIG.fromBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 3 * ROM.MODBYTES]; - } - b = BIG.fromBytes(t); - d = new FP2(a,b); - - e = new FP4(c,d); - - - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 4 * ROM.MODBYTES]; - } - a = BIG.fromBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 5 * ROM.MODBYTES]; - } - b = BIG.fromBytes(t); - c = new FP2(a,b); - - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 6 * ROM.MODBYTES]; - } - a = BIG.fromBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 7 * ROM.MODBYTES]; - } - b = BIG.fromBytes(t); - d = new FP2(a,b); - - f = new FP4(c,d); - - - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 8 * ROM.MODBYTES]; - } - a = BIG.fromBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 9 * ROM.MODBYTES]; - } - b = BIG.fromBytes(t); - c = new FP2(a,b); - - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = w[i + 10 * ROM.MODBYTES]; - } - a = BIG.fromBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - t[i] = 
w[i + 11 * ROM.MODBYTES]; - } - b = BIG.fromBytes(t); - d = new FP2(a,b); - - g = new FP4(c,d); - - return new FP12(e,f,g); - } - -/* convert this to byte array */ - public void toBytes(sbyte[] w) - { - sbyte[] t = new sbyte[ROM.MODBYTES]; - a.geta().A.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i] = t[i]; - } - a.geta().B.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + ROM.MODBYTES] = t[i]; - } - a.getb().A.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 2 * ROM.MODBYTES] = t[i]; - } - a.getb().B.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 3 * ROM.MODBYTES] = t[i]; - } - - b.geta().A.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 4 * ROM.MODBYTES] = t[i]; - } - b.geta().B.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 5 * ROM.MODBYTES] = t[i]; - } - b.getb().A.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 6 * ROM.MODBYTES] = t[i]; - } - b.getb().B.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 7 * ROM.MODBYTES] = t[i]; - } - - c.geta().A.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 8 * ROM.MODBYTES] = t[i]; - } - c.geta().B.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 9 * ROM.MODBYTES] = t[i]; - } - c.getb().A.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 10 * ROM.MODBYTES] = t[i]; - } - c.getb().B.toBytes(t); - for (int i = 0;i < ROM.MODBYTES;i++) - { - w[i + 11 * ROM.MODBYTES] = t[i]; - } - } - -/* convert to hex string */ - public override string ToString() - { - return ("[" + a.ToString() + "," + b.ToString() + "," + c.ToString() + "]"); - } - -/* this=this^e */ - public FP12 pow(BIG e) - { - norm(); - e.norm(); - FP12 w = new FP12(this); - BIG z = new BIG(e); - FP12 r = new FP12(1); - - while (true) - { - int bt = z.parity(); - z.fshr(1); - if (bt == 1) - { - r.mul(w); - } - if (z.iszilch()) - { - break; - } - w.usqr(); - } - r.reduce(); - return r; - } - -/* constant time 
powering by small integer of max length bts */ - public void pinpow(int e, int bts) - { - int i, b; - FP12[] R = new FP12[2]; - R[0] = new FP12(1); - R[1] = new FP12(this); - for (i = bts - 1;i >= 0;i--) - { - b = (e >> i) & 1; - R[1 - b].mul(R[b]); - R[b].usqr(); - } - this.copy(R[0]); - } - -/* p=q0^u0.q1^u1.q2^u2.q3^u3 */ -/* Timing attack secure, but not cache attack secure */ - - public static FP12 pow4(FP12[] q, BIG[] u) - { - int i, j, nb, m; - int[] a = new int[4]; - FP12[] g = new FP12[8]; - FP12[] s = new FP12[2]; - FP12 c = new FP12(1); - FP12 p = new FP12(0); - BIG[] t = new BIG[4]; - BIG mt = new BIG(0); - sbyte[] w = new sbyte[ROM.NLEN * ROM.BASEBITS + 1]; - - for (i = 0;i < 4;i++) - { - t[i] = new BIG(u[i]); - } - - s[0] = new FP12(0); - s[1] = new FP12(0); - - g[0] = new FP12(q[0]); - s[0].copy(q[1]); - s[0].conj(); - g[0].mul(s[0]); - g[1] = new FP12(g[0]); - g[2] = new FP12(g[0]); - g[3] = new FP12(g[0]); - g[4] = new FP12(q[0]); - g[4].mul(q[1]); - g[5] = new FP12(g[4]); - g[6] = new FP12(g[4]); - g[7] = new FP12(g[4]); - - s[1].copy(q[2]); - s[0].copy(q[3]); - s[0].conj(); - s[1].mul(s[0]); - s[0].copy(s[1]); - s[0].conj(); - g[1].mul(s[0]); - g[2].mul(s[1]); - g[5].mul(s[0]); - g[6].mul(s[1]); - s[1].copy(q[2]); - s[1].mul(q[3]); - s[0].copy(s[1]); - s[0].conj(); - g[0].mul(s[0]); - g[3].mul(s[1]); - g[4].mul(s[0]); - g[7].mul(s[1]); - -/* if power is even add 1 to power, and add q to correction */ - - for (i = 0;i < 4;i++) - { - if (t[i].parity() == 0) - { - t[i].inc(1); - t[i].norm(); - c.mul(q[i]); - } - mt.add(t[i]); - mt.norm(); - } - c.conj(); - nb = 1 + mt.nbits(); - -/* convert exponent to signed 1-bit window */ - for (j = 0;j < nb;j++) - { - for (i = 0;i < 4;i++) - { - a[i] = (t[i].lastbits(2) - 2); - t[i].dec(a[i]); - t[i].norm(); - t[i].fshr(1); - } - w[j] = (sbyte)(8 * a[0] + 4 * a[1] + 2 * a[2] + a[3]); - } - w[nb] = (sbyte)(8 * t[0].lastbits(2) + 4 * t[1].lastbits(2) + 2 * t[2].lastbits(2) + t[3].lastbits(2)); - p.copy(g[(w[nb] - 
1) / 2]); - - for (i = nb - 1;i >= 0;i--) - { - m = w[i] >> 7; - j = (w[i] ^ m) - m; // j=abs(w[i]) - j = (j - 1) / 2; - s[0].copy(g[j]); - s[1].copy(g[j]); - s[1].conj(); - p.usqr(); - p.mul(s[m & 1]); - } - p.mul(c); // apply correction - p.reduce(); - return p; - } - -/* - public static void main(String[] args) { - BIG p=new BIG(ROM.Modulus); - FP2 w0,w1; - BIG a=new BIG(0); - BIG b=new BIG(0); - - a.zero(); b.zero(); a.inc(1); b.inc(2); - w0=new FP2(a,b); - a.zero(); b.zero(); a.inc(3); b.inc(4); - w1=new FP2(a,b); - FP4 t0=new FP4(w0,w1); - - a.zero(); b.zero(); a.inc(5); b.inc(6); - w0=new FP2(a,b); - a.zero(); b.zero(); a.inc(7); b.inc(8); - w1=new FP2(a,b); - FP4 t1=new FP4(w0,w1); - - a.zero(); b.zero(); a.inc(9); b.inc(10); - w0=new FP2(a,b); - a.zero(); b.zero(); a.inc(11); b.inc(12); - w1=new FP2(a,b); - FP4 t2=new FP4(w0,w1); - - FP12 w=new FP12(t0,t1,t2); - FP12 t=new FP12(w); - - System.out.println("w= "+w.toString()); - - a=new BIG(ROM.CURVE_Fra); - b=new BIG(ROM.CURVE_Frb); - - FP2 f=new FP2(a,b); - - w.frob(f); - System.out.println("w= "+w.toString()); - - w=t.pow(p); - - System.out.println("w= "+w.toString()); - - w.inverse(); - - System.out.println("1/w= "+w.toString()); - - w.inverse(); - - System.out.println("w= "+w.toString()); - - t.copy(w); - w.conj(); - t.inverse(); - w.mul(t); - - System.out.println("w^(p^6-1)= "+w.toString()); - - t.copy(w); - w.frob(f); - w.frob(f); - w.mul(t); - - System.out.println("w^(p^6-1)(p^2+1)= "+w.toString()); - - t.copy(w); - - t.inverse(); - w.conj(); - - System.out.println("w= "+w.toString()); - System.out.println("t= "+t.toString()); - } */ -}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/FP2.cs
----------------------------------------------------------------------
diff --git a/cs/FP2.cs b/cs/FP2.cs
deleted file mode 100644
index f5c8d16..0000000
--- a/cs/FP2.cs
+++ /dev/null
@@ -1,428 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* Finite Field arithmetic Fp^2 functions */ - -/* FP2 elements are of the form a+ib, where i is sqrt(-1) */ - -public sealed class FP2 -{ - private readonly FP a; - private readonly FP b; - -/* reduce components mod Modulus */ - public void reduce() - { - a.reduce(); - b.reduce(); - } - -/* normalise components of w */ - public void norm() - { - a.norm(); - b.norm(); - } - -/* test this=0 ? */ - public bool iszilch() - { - reduce(); - return (a.iszilch() && b.iszilch()); - } - - public void cmove(FP2 g, int d) - { - a.cmove(g.a,d); - b.cmove(g.b,d); - } - -/* test this=1 ? 
*/ - public bool isunity() - { - FP one = new FP(1); - return (a.Equals(one) && b.iszilch()); - } - -/* test this=x */ - public bool Equals(FP2 x) - { - return (a.Equals(x.a) && b.Equals(x.b)); - } - -/* Constructors */ - public FP2(int c) - { - a = new FP(c); - b = new FP(0); - } - - public FP2(FP2 x) - { - a = new FP(x.a); - b = new FP(x.b); - } - - public FP2(FP c, FP d) - { - a = new FP(c); - b = new FP(d); - } - - public FP2(BIG c, BIG d) - { - a = new FP(c); - b = new FP(d); - } - - public FP2(FP c) - { - a = new FP(c); - b = new FP(0); - } - - public FP2(BIG c) - { - a = new FP(c); - b = new FP(0); - } - -/* extract a */ - public BIG A - { - get - { - return a.redc(); - } - } - -/* extract b */ - public BIG B - { - get - { - return b.redc(); - } - } - -/* copy this=x */ - public void copy(FP2 x) - { - a.copy(x.a); - b.copy(x.b); - } - -/* set this=0 */ - public void zero() - { - a.zero(); - b.zero(); - } - -/* set this=1 */ - public void one() - { - a.one(); - b.zero(); - } - -/* negate this mod Modulus */ - public void neg() - { - norm(); - FP m = new FP(a); - FP t = new FP(0); - - m.add(b); - m.neg(); - m.norm(); - t.copy(m); - t.add(b); - b.copy(m); - b.add(a); - a.copy(t); - } - -/* set to a-ib */ - public void conj() - { - b.neg(); - } - -/* this+=a */ - public void add(FP2 x) - { - a.add(x.a); - b.add(x.b); - } - -/* this-=a */ - public void sub(FP2 x) - { - FP2 m = new FP2(x); - m.neg(); - add(m); - } - -/* this*=s, where s is an FP */ - public void pmul(FP s) - { - a.mul(s); - b.mul(s); - } - -/* this*=i, where i is an int */ - public void imul(int c) - { - a.imul(c); - b.imul(c); - } - -/* this*=this */ - public void sqr() - { - norm(); - FP w1 = new FP(a); - FP w3 = new FP(a); - FP mb = new FP(b); - - w3.mul(b); - w1.add(b); - mb.neg(); - a.add(mb); - a.mul(w1); - b.copy(w3); - b.add(w3); -// reduce(); - norm(); - } - -/* this*=y */ - public void mul(FP2 y) - { - norm(); // This is needed here as {a,b} is not normed before additions - - FP w1 = new 
FP(a); - FP w2 = new FP(b); - FP w5 = new FP(a); - FP mw = new FP(0); - - w1.mul(y.a); // w1=a*y.a - this norms w1 and y.a, NOT a - w2.mul(y.b); // w2=b*y.b - this norms w2 and y.b, NOT b - w5.add(b); // w5=a+b - b.copy(y.a); - b.add(y.b); // b=y.a+y.b - - b.mul(w5); - mw.copy(w1); - mw.add(w2); - mw.neg(); - - b.add(mw); - mw.add(w1); - a.copy(w1); - a.add(mw); - -// reduce(); - norm(); - } - - -/* sqrt(a+ib) = sqrt(a+sqrt(a*a-n*b*b)/2)+ib/(2*sqrt(a+sqrt(a*a-n*b*b)/2)) */ -/* returns true if this is QR */ - public bool sqrt() - { - if (iszilch()) - { - return true; - } - FP w1 = new FP(b); - FP w2 = new FP(a); - w1.sqr(); - w2.sqr(); - w1.add(w2); - if (w1.jacobi() != 1) - { - zero(); - return false; - } - w1 = w1.sqrt(); - w2.copy(a); - w2.add(w1); - w2.div2(); - if (w2.jacobi() != 1) - { - w2.copy(a); - w2.sub(w1); - w2.div2(); - if (w2.jacobi() != 1) - { - zero(); - return false; - } - } - w2 = w2.sqrt(); - a.copy(w2); - w2.add(w2); - w2.inverse(); - b.mul(w2); - return true; - } - -/* output to hex string */ - public override string ToString() - { - return ("[" + a.ToString() + "," + b.ToString() + "]"); - } - - public string toRawString() - { - return ("[" + a.toRawString() + "," + b.toRawString() + "]"); - } - -/* this=1/this */ - public void inverse() - { - norm(); - FP w1 = new FP(a); - FP w2 = new FP(b); - - w1.sqr(); - w2.sqr(); - w1.add(w2); - w1.inverse(); - a.mul(w1); - w1.neg(); - b.mul(w1); - } - -/* this/=2 */ - public void div2() - { - a.div2(); - b.div2(); - } - -/* this*=sqrt(-1) */ - public void times_i() - { - // a.norm(); - FP z = new FP(a); - a.copy(b); - a.neg(); - b.copy(z); - } - -/* w*=(1+sqrt(-1)) */ -/* where X*2-(1+sqrt(-1)) is irreducible for FP4, assumes p=3 mod 8 */ - public void mul_ip() - { - norm(); - FP2 t = new FP2(this); - FP z = new FP(a); - a.copy(b); - a.neg(); - b.copy(z); - add(t); - norm(); - } - -/* w/=(1+sqrt(-1)) */ - public void div_ip() - { - FP2 t = new FP2(0); - norm(); - t.a.copy(a); - t.a.add(b); - t.b.copy(b); 
- t.b.sub(a);
- copy(t);
- div2();
- }
-/*
- public FP2 pow(BIG e)
- {
- int bt;
- FP2 r=new FP2(1);
- e.norm();
- norm();
- while (true)
- {
- bt=e.parity();
- e.fshr(1);
- if (bt==1) r.mul(this);
- if (e.iszilch()) break;
- sqr();
- }
-
- r.reduce();
- return r;
- }
-
- public static void main(String[] args) {
- BIG m=new BIG(ROM.Modulus);
- BIG x=new BIG(3);
- BIG e=new BIG(27);
- BIG pp1=new BIG(m);
- BIG pm1=new BIG(m);
- BIG a=new BIG(1);
- BIG b=new BIG(1);
- FP2 w=new FP2(a,b);
- FP2 z=new FP2(w);
-
- byte[] RAW=new byte[100];
-
- RAND rng=new RAND();
- for (int i=0;i<100;i++) RAW[i]=(byte)(i);
-
- rng.seed(100,RAW);
-
- // for (int i=0;i<100;i++)
- // {
- a.randomnum(rng);
- b.randomnum(rng);
-
- w=new FP2(a,b);
- System.out.println("w="+w.toString());
-
- z=new FP2(w);
- z.inverse();
- System.out.println("z="+z.toString());
-
- z.inverse();
- if (!z.equals(w)) System.out.println("Error");
- // }
-
-// System.out.println("m="+m.toString());
-// w.sqr();
-// w.mul(z);
-
- System.out.println("w="+w.toString());
-
-
- pp1.inc(1); pp1.norm();
- pm1.dec(1); pm1.norm();
- System.out.println("p+1="+pp1.toString());
- System.out.println("p-1="+pm1.toString());
- w=w.pow(pp1);
- w=w.pow(pm1);
- System.out.println("w="+w.toString());
- }
-*/
-}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/FP4.cs
----------------------------------------------------------------------
diff --git a/cs/FP4.cs b/cs/FP4.cs
deleted file mode 100644
index 317a07c..0000000
--- a/cs/FP4.cs
+++ /dev/null
@@ -1,633 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* Finite Field arithmetic Fp^4 functions */ - -/* FP4 elements are of the form a+ib, where i is sqrt(-1+sqrt(-1)) */ - -public sealed class FP4 -{ - private readonly FP2 a; - private readonly FP2 b; -/* reduce all components of this mod Modulus */ - public void reduce() - { - a.reduce(); - b.reduce(); - } -/* normalise all components of this mod Modulus */ - public void norm() - { - a.norm(); - b.norm(); - } -/* test this==0 ? */ - public bool iszilch() - { - reduce(); - return (a.iszilch() && b.iszilch()); - } -/* test this==1 ? */ - public bool isunity() - { - FP2 one = new FP2(1); - return (a.Equals(one) && b.iszilch()); - } - -/* test is w real? That is in a+ib test b is zero */ - public bool isreal() - { - return b.iszilch(); - } -/* extract real part a */ - public FP2 real() - { - return a; - } - - public FP2 geta() - { - return a; - } -/* extract imaginary part b */ - public FP2 getb() - { - return b; - } -/* test this=x? 
*/ - public bool Equals(FP4 x) - { - return (a.Equals(x.a) && b.Equals(x.b)); - } -/* constructors */ - public FP4(int c) - { - a = new FP2(c); - b = new FP2(0); - } - - public FP4(FP4 x) - { - a = new FP2(x.a); - b = new FP2(x.b); - } - - public FP4(FP2 c, FP2 d) - { - a = new FP2(c); - b = new FP2(d); - } - - public FP4(FP2 c) - { - a = new FP2(c); - b = new FP2(0); - } -/* copy this=x */ - public void copy(FP4 x) - { - a.copy(x.a); - b.copy(x.b); - } -/* set this=0 */ - public void zero() - { - a.zero(); - b.zero(); - } -/* set this=1 */ - public void one() - { - a.one(); - b.zero(); - } -/* set this=-this */ - public void neg() - { - FP2 m = new FP2(a); - FP2 t = new FP2(0); - m.add(b); - m.neg(); - m.norm(); - t.copy(m); - t.add(b); - b.copy(m); - b.add(a); - a.copy(t); - } -/* this=conjugate(this) */ - public void conj() - { - b.neg(); - b.norm(); - } -/* this=-conjugate(this) */ - public void nconj() - { - a.neg(); - a.norm(); - } -/* this+=x */ - public void add(FP4 x) - { - a.add(x.a); - b.add(x.b); - } -/* this-=x */ - public void sub(FP4 x) - { - FP4 m = new FP4(x); - m.neg(); - add(m); - } - -/* this*=s where s is FP2 */ - public void pmul(FP2 s) - { - a.mul(s); - b.mul(s); - } -/* this*=c where c is int */ - public void imul(int c) - { - a.imul(c); - b.imul(c); - } -/* this*=this */ - public void sqr() - { - norm(); - - FP2 t1 = new FP2(a); - FP2 t2 = new FP2(b); - FP2 t3 = new FP2(a); - - t3.mul(b); - t1.add(b); - t2.mul_ip(); - - t2.add(a); - a.copy(t1); - - a.mul(t2); - - t2.copy(t3); - t2.mul_ip(); - t2.add(t3); - t2.neg(); - a.add(t2); - - b.copy(t3); - b.add(t3); - - norm(); - } -/* this*=y */ - public void mul(FP4 y) - { - norm(); - - FP2 t1 = new FP2(a); - FP2 t2 = new FP2(b); - FP2 t3 = new FP2(0); - FP2 t4 = new FP2(b); - - t1.mul(y.a); - t2.mul(y.b); - t3.copy(y.b); - t3.add(y.a); - t4.add(a); - - t4.mul(t3); - t4.sub(t1); -// t4.norm(); - - b.copy(t4); - b.sub(t2); - t2.mul_ip(); - a.copy(t2); - a.add(t1); - - norm(); - } -/* convert this 
to hex string */ - public override string ToString() - { - return ("[" + a.ToString() + "," + b.ToString() + "]"); - } - - public string toRawString() - { - return ("[" + a.toRawString() + "," + b.toRawString() + "]"); - } - -/* this=1/this */ - public void inverse() - { - norm(); - - FP2 t1 = new FP2(a); - FP2 t2 = new FP2(b); - - t1.sqr(); - t2.sqr(); - t2.mul_ip(); - t1.sub(t2); - t1.inverse(); - a.mul(t1); - t1.neg(); - b.mul(t1); - } - - -/* this*=i where i = sqrt(-1+sqrt(-1)) */ - public void times_i() - { - norm(); - FP2 s = new FP2(b); - FP2 t = new FP2(b); - s.times_i(); - t.add(s); -// t.norm(); - b.copy(a); - a.copy(t); - } - -/* this=this^p using Frobenius */ - public void frob(FP2 f) - { - a.conj(); - b.conj(); - b.mul(f); - } - -/* this=this^e */ - public FP4 pow(BIG e) - { - norm(); - e.norm(); - FP4 w = new FP4(this); - BIG z = new BIG(e); - FP4 r = new FP4(1); - while (true) - { - int bt = z.parity(); - z.fshr(1); - if (bt == 1) - { - r.mul(w); - } - if (z.iszilch()) - { - break; - } - w.sqr(); - } - r.reduce(); - return r; - } -/* XTR xtr_a function */ - public void xtr_A(FP4 w, FP4 y, FP4 z) - { - FP4 r = new FP4(w); - FP4 t = new FP4(w); - r.sub(y); - r.pmul(a); - t.add(y); - t.pmul(b); - t.times_i(); - - copy(r); - add(t); - add(z); - - norm(); - } - -/* XTR xtr_d function */ - public void xtr_D() - { - FP4 w = new FP4(this); - sqr(); - w.conj(); - w.add(w); - sub(w); - reduce(); - } - -/* r=x^n using XTR method on traces of FP12s */ - public FP4 xtr_pow(BIG n) - { - FP4 a = new FP4(3); - FP4 b = new FP4(this); - FP4 c = new FP4(b); - c.xtr_D(); - FP4 t = new FP4(0); - FP4 r = new FP4(0); - - n.norm(); - int par = n.parity(); - BIG v = new BIG(n); - v.fshr(1); - if (par == 0) - { - v.dec(1); - v.norm(); - } - - int nb = v.nbits(); - for (int i = nb - 1;i >= 0;i--) - { - if (v.bit(i) != 1) - { - t.copy(b); - conj(); - c.conj(); - b.xtr_A(a,this,c); - conj(); - c.copy(t); - c.xtr_D(); - a.xtr_D(); - } - else - { - t.copy(a); - t.conj(); - 
a.copy(b); - a.xtr_D(); - b.xtr_A(c,this,t); - c.xtr_D(); - } - } - if (par == 0) - { - r.copy(c); - } - else - { - r.copy(b); - } - r.reduce(); - return r; - } - -/* r=ck^a.cl^n using XTR double exponentiation method on traces of FP12s. See Stam thesis. */ - public FP4 xtr_pow2(FP4 ck, FP4 ckml, FP4 ckm2l, BIG a, BIG b) - { - a.norm(); - b.norm(); - BIG e = new BIG(a); - BIG d = new BIG(b); - BIG w = new BIG(0); - - FP4 cu = new FP4(ck); // can probably be passed in w/o copying - FP4 cv = new FP4(this); - FP4 cumv = new FP4(ckml); - FP4 cum2v = new FP4(ckm2l); - FP4 r = new FP4(0); - FP4 t = new FP4(0); - - int f2 = 0; - while (d.parity() == 0 && e.parity() == 0) - { - d.fshr(1); - e.fshr(1); - f2++; - } - - while (BIG.comp(d,e) != 0) - { - if (BIG.comp(d,e) > 0) - { - w.copy(e); - w.imul(4); - w.norm(); - if (BIG.comp(d,w) <= 0) - { - w.copy(d); - d.copy(e); - e.rsub(w); - e.norm(); - - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cum2v.copy(cumv); - cum2v.conj(); - cumv.copy(cv); - cv.copy(cu); - cu.copy(t); - - } - else if (d.parity() == 0) - { - d.fshr(1); - r.copy(cum2v); - r.conj(); - t.copy(cumv); - t.xtr_A(cu,cv,r); - cum2v.copy(cumv); - cum2v.xtr_D(); - cumv.copy(t); - cu.xtr_D(); - } - else if (e.parity() == 1) - { - d.sub(e); - d.norm(); - d.fshr(1); - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cu.xtr_D(); - cum2v.copy(cv); - cum2v.xtr_D(); - cum2v.conj(); - cv.copy(t); - } - else - { - w.copy(d); - d.copy(e); - d.fshr(1); - e.copy(w); - t.copy(cumv); - t.xtr_D(); - cumv.copy(cum2v); - cumv.conj(); - cum2v.copy(t); - cum2v.conj(); - t.copy(cv); - t.xtr_D(); - cv.copy(cu); - cu.copy(t); - } - } - if (BIG.comp(d,e) < 0) - { - w.copy(d); - w.imul(4); - w.norm(); - if (BIG.comp(e,w) <= 0) - { - e.sub(d); - e.norm(); - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cum2v.copy(cumv); - cumv.copy(cu); - cu.copy(t); - } - else if (e.parity() == 0) - { - w.copy(d); - d.copy(e); - d.fshr(1); - e.copy(w); - t.copy(cumv); - t.xtr_D(); - cumv.copy(cum2v); - cumv.conj(); - 
cum2v.copy(t); - cum2v.conj(); - t.copy(cv); - t.xtr_D(); - cv.copy(cu); - cu.copy(t); - } - else if (d.parity() == 1) - { - w.copy(e); - e.copy(d); - w.sub(d); - w.norm(); - d.copy(w); - d.fshr(1); - t.copy(cv); - t.xtr_A(cu,cumv,cum2v); - cumv.conj(); - cum2v.copy(cu); - cum2v.xtr_D(); - cum2v.conj(); - cu.copy(cv); - cu.xtr_D(); - cv.copy(t); - } - else - { - d.fshr(1); - r.copy(cum2v); - r.conj(); - t.copy(cumv); - t.xtr_A(cu,cv,r); - cum2v.copy(cumv); - cum2v.xtr_D(); - cumv.copy(t); - cu.xtr_D(); - } - } - } - r.copy(cv); - r.xtr_A(cu,cumv,cum2v); - for (int i = 0;i < f2;i++) - { - r.xtr_D(); - } - r = r.xtr_pow(d); - return r; - } - -/* - - public static void main(String[] args) { - BIG m=new BIG(ROM.Modulus); - BIG e=new BIG(12); - BIG a=new BIG(0); - BIG b=new BIG(0); - - a.inc(27); b.inc(45); - - FP2 w0=new FP2(a,b); - - a.zero(); b.zero(); - a.inc(33); b.inc(54); - - FP2 w1=new FP2(a,b); - - - FP4 w=new FP4(w0,w1); - FP4 t=new FP4(w); - - a=new BIG(ROM.CURVE_Fra); - b=new BIG(ROM.CURVE_Frb); - - FP2 f=new FP2(a,b); - - System.out.println("w= "+w.toString()); - - w=w.pow(m); - - System.out.println("w^p= "+w.toString()); - - t.frob(f); - - - System.out.println("w^p= "+t.toString()); - - w=w.pow(m); - w=w.pow(m); - w=w.pow(m); - System.out.println("w^p4= "+w.toString()); - - - System.out.println("Test Inversion"); - - w=new FP4(w0,w1); - - w.inverse(); - - System.out.println("1/w mod p^4 = "+w.toString()); - - w.inverse(); - - System.out.println("1/(1/w) mod p^4 = "+w.toString()); - - FP4 ww=new FP4(w); - - w=w.xtr_pow(e); - System.out.println("w^e= "+w.toString()); - - - a.zero(); b.zero(); - a.inc(37); b.inc(17); - w0=new FP2(a,b); - a.zero(); b.zero(); - a.inc(49); b.inc(31); - w1=new FP2(a,b); - - FP4 c1=new FP4(w0,w1); - FP4 c2=new FP4(w0,w1); - FP4 c3=new FP4(w0,w1); - - BIG e1=new BIG(3331); - BIG e2=new BIG(3372); - - FP4 cr=w.xtr_pow2(c1,c2,c3,e1,e2); - - System.out.println("c^e= "+cr.toString()); - } */ -} 
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/GCM.cs
----------------------------------------------------------------------
diff --git a/cs/GCM.cs b/cs/GCM.cs
deleted file mode 100644
index 5ddd706..0000000
--- a/cs/GCM.cs
+++ /dev/null
@@ -1,500 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - - - -/* - * Implementation of the AES-GCM Encryption/Authentication - * - * Some restrictions.. - * 1. Only for use with AES - * 2. Returned tag is always 128-bits. Truncate at your own risk. - * 3. The order of function calls must follow some rules - * - * Typical sequence of calls.. - * 1. call GCM_init - * 2. call GCM_add_header any number of times, as long as length of header is multiple of 16 bytes (block size) - * 3. call GCM_add_header one last time with any length of header - * 4. call GCM_add_cipher any number of times, as long as length of cipher/plaintext is multiple of 16 bytes - * 5. call GCM_add_cipher one last time with any length of cipher/plaintext - * 6. call GCM_finish to extract the tag. 
- * - * See http://www.mindspring.com/~dmcgrew/gcm-nist-6.pdf - */ - -public class GCM -{ - public const int NB = 4; - public const int GCM_ACCEPTING_HEADER = 0; - public const int GCM_ACCEPTING_CIPHER = 1; - public const int GCM_NOT_ACCEPTING_MORE = 2; - public const int GCM_FINISHED = 3; - public const int GCM_ENCRYPTING = 0; - public const int GCM_DECRYPTING = 1; - -//JAVA TO C# CONVERTER NOTE: The following call to the 'RectangularArrays' helper class reproduces the rectangular array initialization that is automatic in Java: -//ORIGINAL LINE: private int[][] table = new int[128][4]; // 2k bytes - private int[][] table = RectangularArrays.ReturnRectangularIntArray(128, 4); // 2k bytes - private sbyte[] stateX = new sbyte[16]; - private sbyte[] Y_0 = new sbyte[16]; - private int counter; - private int[] lenA = new int[2]; - private int[] lenC = new int[2]; - private int status; - private AES a = new AES(); - - private static int pack(sbyte[] b) - { // pack bytes into a 32-bit Word - return ((((int)b[0]) & 0xff) << 24) | (((int)b[1] & 0xff) << 16) | (((int)b[2] & 0xff) << 8) | ((int)b[3] & 0xff); - } - - private static sbyte[] unpack(int a) - { // unpack bytes from a word - sbyte[] b = new sbyte[4]; - b[3] = (sbyte)(a); - b[2] = (sbyte)((int)((uint)a >> 8)); - b[1] = (sbyte)((int)((uint)a >> 16)); - b[0] = (sbyte)((int)((uint)a >> 24)); - return b; - } - - private void precompute(sbyte[] H) - { - int i, j, c; - sbyte[] b = new sbyte[4]; - - for (i = j = 0;i < NB;i++,j += 4) - { - b[0] = H[j]; - b[1] = H[j + 1]; - b[2] = H[j + 2]; - b[3] = H[j + 3]; - table[0][i] = pack(b); - } - for (i = 1;i < 128;i++) - { - c = 0; - for (j = 0;j < NB;j++) - { - table[i][j] = c | (int)((uint)(table[i - 1][j]) >> 1); - c = table[i - 1][j] << 31; - } - if (c != 0) - { - table[i][0] ^= unchecked((int)0xE1000000); // irreducible polynomial - } - } - } - - private void gf2mul() - { // gf2m mul - Z=H*X mod 2^128 - int i, j, m, k; - int[] P = new int[4]; - int c; - sbyte[] b; //=new 
byte[4]; - - P[0] = P[1] = P[2] = P[3] = 0; - j = 8; - m = 0; - for (i = 0;i < 128;i++) - { - c = ((int)((uint)stateX[m] >> (--j))) & 1; - if (c != 0) - { - for (k = 0;k < NB;k++) - { - P[k] ^= table[i][k]; - } - } - if (j == 0) - { - j = 8; - m++; - if (m == 16) - { - break; - } - } - } - for (i = j = 0;i < NB;i++,j += 4) - { - b = unpack(P[i]); - stateX[j] = b[0]; - stateX[j + 1] = b[1]; - stateX[j + 2] = b[2]; - stateX[j + 3] = b[3]; - } - } - - private void wrap() - { // Finish off GHASH - int i, j; - int[] F = new int[4]; - sbyte[] L = new sbyte[16]; - sbyte[] b; //=new byte[4]; - -/* convert lengths from bytes to bits */ - F[0] = (lenA[0] << 3) | (int)((uint)(lenA[1] & 0xE0000000)>>29); - F[1] = lenA[1] << 3; - F[2] = (lenC[0] << 3) | (int)((uint)(lenC[1] & 0xE0000000)>>29); - F[3] = lenC[1] << 3; - for (i = j = 0;i < NB;i++,j += 4) - { - b = unpack(F[i]); - L[j] = b[0]; - L[j + 1] = b[1]; - L[j + 2] = b[2]; - L[j + 3] = b[3]; - } - for (i = 0;i < 16;i++) - { - stateX[i] ^= L[i]; - } - gf2mul(); - } - -/* Initialize GCM mode */ - public virtual void init(sbyte[] key, int niv, sbyte[] iv) - { // iv size niv is usually 12 bytes (96 bits). 
AES key size nk can be 16,24 or 32 bytes - int i; - sbyte[] H = new sbyte[16]; - sbyte[] b; //=new byte[4]; - - for (i = 0;i < 16;i++) - { - H[i] = 0; - stateX[i] = 0; - } - - a.init(AES.ECB,key,iv); - a.ecb_encrypt(H); // E(K,0) - precompute(H); - - lenA[0] = lenC[0] = lenA[1] = lenC[1] = 0; - if (niv == 12) - { - for (i = 0;i < 12;i++) - { - a.f[i] = iv[i]; - } - b = unpack((int)1); - a.f[12] = b[0]; - a.f[13] = b[1]; - a.f[14] = b[2]; - a.f[15] = b[3]; // initialise IV - for (i = 0;i < 16;i++) - { - Y_0[i] = a.f[i]; - } - } - else - { - status = GCM_ACCEPTING_CIPHER; - ghash(iv,niv); // GHASH(H,0,IV) - wrap(); - for (i = 0;i < 16;i++) - { - a.f[i] = stateX[i]; - Y_0[i] = a.f[i]; - stateX[i] = 0; - } - lenA[0] = lenC[0] = lenA[1] = lenC[1] = 0; - } - status = GCM_ACCEPTING_HEADER; - } - -/* Add Header data - included but not encrypted */ - public virtual bool add_header(sbyte[] header, int len) - { // Add some header. Won't be encrypted, but will be authenticated. len is length of header - int i , j = 0; - if (status != GCM_ACCEPTING_HEADER) - { - return false; - } - - while (j < len) - { - for (i = 0;i < 16 && j < len;i++) - { - stateX[i] ^= header[j++]; - lenA[1]++; - if (lenA[1] == 0) - { - lenA[0]++; - } - } - gf2mul(); - } - if (len % 16 != 0) - { - status = GCM_ACCEPTING_CIPHER; - } - return true; - } - - private bool ghash(sbyte[] plain, int len) - { - int i , j = 0; - int counter; - // byte[] B=new byte[16]; - // byte[] b=new byte[4]; - - if (status == GCM_ACCEPTING_HEADER) - { - status = GCM_ACCEPTING_CIPHER; - } - if (status != GCM_ACCEPTING_CIPHER) - { - return false; - } - - while (j < len) - { - for (i = 0;i < 16 && j < len;i++) - { - stateX[i] ^= plain[j++]; - lenC[1]++; - if (lenC[1] == 0) - { - lenC[0]++; - } - } - gf2mul(); - } - if (len % 16 != 0) - { - status = GCM_NOT_ACCEPTING_MORE; - } - return true; - } - -/* Add Plaintext - included and encrypted */ - public virtual sbyte[] add_plain(sbyte[] plain, int len) - { - int i , j = 0; - int 
counter; - sbyte[] B = new sbyte[16]; - sbyte[] b = new sbyte[4]; - sbyte[] cipher = new sbyte[len]; - - if (status == GCM_ACCEPTING_HEADER) - { - status = GCM_ACCEPTING_CIPHER; - } - if (status != GCM_ACCEPTING_CIPHER) - { - return new sbyte[0]; - } - - while (j < len) - { - - b[0] = a.f[12]; - b[1] = a.f[13]; - b[2] = a.f[14]; - b[3] = a.f[15]; - counter = pack(b); - counter++; - b = unpack(counter); - a.f[12] = b[0]; - a.f[13] = b[1]; - a.f[14] = b[2]; - a.f[15] = b[3]; // increment counter - for (i = 0;i < 16;i++) - { - B[i] = a.f[i]; - } - a.ecb_encrypt(B); // encrypt it - - for (i = 0;i < 16 && j < len;i++) - { - cipher[j] = (sbyte)(plain[j] ^ B[i]); - stateX[i] ^= cipher[j++]; - lenC[1]++; - if (lenC[1] == 0) - { - lenC[0]++; - } - } - gf2mul(); - } - if (len % 16 != 0) - { - status = GCM_NOT_ACCEPTING_MORE; - } - return cipher; - } - -/* Add Ciphertext - decrypts to plaintext */ - public virtual sbyte[] add_cipher(sbyte[] cipher, int len) - { - int i , j = 0; - int counter; - sbyte[] B = new sbyte[16]; - sbyte[] b = new sbyte[4]; - sbyte[] plain = new sbyte[len]; - - if (status == GCM_ACCEPTING_HEADER) - { - status = GCM_ACCEPTING_CIPHER; - } - if (status != GCM_ACCEPTING_CIPHER) - { - return new sbyte[0]; - } - - while (j < len) - { - - b[0] = a.f[12]; - b[1] = a.f[13]; - b[2] = a.f[14]; - b[3] = a.f[15]; - counter = pack(b); - counter++; - b = unpack(counter); - a.f[12] = b[0]; - a.f[13] = b[1]; - a.f[14] = b[2]; - a.f[15] = b[3]; // increment counter - for (i = 0;i < 16;i++) - { - B[i] = a.f[i]; - } - a.ecb_encrypt(B); // encrypt it - for (i = 0;i < 16 && j < len;i++) - { - plain[j] = (sbyte)(cipher[j] ^ B[i]); - stateX[i] ^= cipher[j++]; - lenC[1]++; - if (lenC[1] == 0) - { - lenC[0]++; - } - } - gf2mul(); - } - if (len % 16 != 0) - { - status = GCM_NOT_ACCEPTING_MORE; - } - return plain; - } - -/* Finish and extract Tag */ - public virtual sbyte[] finish(bool extract) - { // Finish off GHASH and extract tag (MAC) - int i; - sbyte[] tag = new sbyte[16]; 
- - wrap(); -/* extract tag */ - if (extract) - { - a.ecb_encrypt(Y_0); // E(K,Y0) - for (i = 0;i < 16;i++) - { - Y_0[i] ^= stateX[i]; - } - for (i = 0;i < 16;i++) - { - tag[i] = Y_0[i]; - Y_0[i] = stateX[i] = 0; - } - } - status = GCM_FINISHED; - a.end(); - return tag; - } - - public static sbyte[] hex2bytes(string s) - { - int len = s.Length; - sbyte[] data = new sbyte[len / 2]; - for (int i = 0; i < len; i += 2) - { - data[i / 2] = (sbyte)((char.digit(s[i], 16) << 4) + char.digit(s[i + 1], 16)); - } - return data; - } - -/* - public static void main(String[] args) { - int i; - - String KT="feffe9928665731c6d6a8f9467308308"; - String MT="d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"; - String HT="feedfacedeadbeeffeedfacedeadbeefabaddad2"; -// char* NT="cafebabefacedbaddecaf888"; -// Tag should be 5bc94fbc3221a5db94fae95ae7121a47 - String NT="9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b"; -// Tag should be 619cc5aefffe0bfa462af43c1699d050 - - - byte[] T=new byte[16]; // Tag - byte[] K=new byte[16]; // AES Key - byte[] H=new byte[64]; // Header - to be included in Authentication, but not encrypted - byte[] N=new byte[100]; // IV - Initialisation vector - byte[] M=new byte[100]; // Plaintext to be encrypted/authenticated - byte[] C=new byte[100]; // Ciphertext - byte[] P=new byte[100]; // Recovered Plaintext - - GCM g=new GCM(); - - M=hex2bytes(MT); - H=hex2bytes(HT); - N=hex2bytes(NT); - K=hex2bytes(KT); - - int len=M.length; - int lenH=H.length; - int lenK=K.length; - int lenIV=N.length; - - System.out.format("Plaintext=\n"); - for (i=0;i<len;i++) System.out.format("%02x",M[i]); - System.out.format("\n"); - - g.init(K,lenIV,N); - g.add_header(H,lenH); - C=g.add_plain(M,len); - T=g.finish(true); - - System.out.format("Ciphertext=\n"); - for (i=0;i<len;i++) System.out.format("%02x",C[i]); - System.out.format("\n"); - 
- System.out.format("Tag=\n");
- for (i=0;i<16;i++) System.out.format("%02x",T[i]);
- System.out.format("\n");
-
- g.init(K,lenIV,N);
- g.add_header(H,lenH);
- P=g.add_cipher(C,len);
- T=g.finish(true);
-
- System.out.format("Plaintext=\n");
- for (i=0;i<len;i++) System.out.format("%02x",P[i]);
- System.out.format("\n");
-
- System.out.format("Tag=\n");
- for (i=0;i<16;i++) System.out.format("%02x",T[i]);
- System.out.format("\n");
- } */
-}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/HASH.cs
----------------------------------------------------------------------
diff --git a/cs/HASH.cs b/cs/HASH.cs
deleted file mode 100644
index 50d4427..0000000
--- a/cs/HASH.cs
+++ /dev/null
@@ -1,240 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* - * Implementation of the Secure Hashing Algorithm (SHA-256) - * - * Generates a 256 bit message digest. It should be impossible to come - * come up with two messages that hash to the same value ("collision free"). - * - * For use with byte-oriented messages only. 
- */ - -public class HASH -{ - private int[] length = new int[2]; - private int[] h = new int[8]; - private int[] w = new int[64]; - - public const int H0 = 0x6A09E667; - public const int H1 = unchecked((int)0xBB67AE85); - public const int H2 = 0x3C6EF372; - public const int H3 = unchecked((int)0xA54FF53A); - public const int H4 = 0x510E527F; - public const int H5 = unchecked((int)0x9B05688C); - public const int H6 = 0x1F83D9AB; - public const int H7 = 0x5BE0CD19; - - public const int len = 32; - - public static readonly int[] K = new int[] {0x428a2f98, 0x71374491, unchecked((int)0xb5c0fbcf), unchecked((int)0xe9b5dba5), 0x3956c25b, 0x59f111f1, unchecked((int)0x923f82a4), unchecked((int)0xab1c5ed5), unchecked((int)0xd807aa98), 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, unchecked((int)0x80deb1fe), unchecked((int)0x9bdc06a7), unchecked((int)0xc19bf174), unchecked((int)0xe49b69c1), unchecked((int)0xefbe4786), 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, unchecked((int)0x983e5152), unchecked((int)0xa831c66d), unchecked((int)0xb00327c8), unchecked((int)0xbf597fc7), unchecked((int)0xc6e00bf3), unchecked((int)0xd5a79147), 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, unchecked((int)0x81c2c92e), unchecked((int)0x92722c85), unchecked((int)0xa2bfe8a1), unchecked((int)0xa81a664b), unchecked((int)0xc24b8b70), unchecked((int)0xc76c51a3), unchecked((int)0xd192e819), unchecked((int)0xd6990624), unchecked((int)0 xf40e3585), 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, unchecked((int)0x84c87814), unchecked((int)0x8cc70208), unchecked((int)0x90befffa), unchecked((int)0xa4506ceb), unchecked((int)0xbef9a3f7), unchecked((int)0xc67178f2)}; - - -/* functions */ - private static int S(int n, int x) - { - return (((int)((uint)(x) >> n)) | ((x) << (32 - n))); - } - - private static int R(int n, int x) - { - return 
((int)((uint)(x) >> n)); - } - - private static int Ch(int x, int y, int z) - { - return ((x & y) ^ (~(x) & z)); - } - - private static int Maj(int x, int y, int z) - { - return ((x & y) ^ (x & z) ^ (y & z)); - } - - private static int Sig0(int x) - { - return (S(2,x) ^ S(13,x) ^ S(22,x)); - } - - private static int Sig1(int x) - { - return (S(6,x) ^ S(11,x) ^ S(25,x)); - } - - private static int theta0(int x) - { - return (S(7,x) ^ S(18,x) ^ R(3,x)); - } - - private static int theta1(int x) - { - return (S(17,x) ^ S(19,x) ^ R(10,x)); - } - - - private void transform() - { // basic transformation step - int a, b, c, d, e, f, g, hh, t1, t2; - int j; - for (j = 16;j < 64;j++) - { - w[j] = theta1(w[j - 2]) + w[j - 7] + theta0(w[j - 15]) + w[j - 16]; - } - a = h[0]; - b = h[1]; - c = h[2]; - d = h[3]; - e = h[4]; - f = h[5]; - g = h[6]; - hh = h[7]; - - for (j = 0;j < 64;j++) - { // 64 times - mush it up - t1 = hh + Sig1(e) + Ch(e,f,g) + K[j] + w[j]; - t2 = Sig0(a) + Maj(a,b,c); - hh = g; - g = f; - f = e; - e = d + t1; - d = c; - c = b; - b = a; - a = t1 + t2; - - } - h[0] += a; - h[1] += b; - h[2] += c; - h[3] += d; - h[4] += e; - h[5] += f; - h[6] += g; - h[7] += hh; - } - -/* Initialise Hash function */ - public virtual void init() - { // initialise - int i; - for (i = 0;i < 64;i++) - { - w[i] = 0; - } - length[0] = length[1] = 0; - h[0] = H0; - h[1] = H1; - h[2] = H2; - h[3] = H3; - h[4] = H4; - h[5] = H5; - h[6] = H6; - h[7] = H7; - } - -/* Constructor */ - public HASH() - { - init(); - } - -/* process a single byte */ - public virtual void process(int byt) - { // process the next message byte - int cnt; - cnt = (length[0] / 32) % 16; - - w[cnt] <<= 8; - w[cnt] |= (byt & 0xFF); - length[0] += 8; - if (length[0] == 0) - { - length[1]++; - length[0] = 0; - } - if ((length[0] % 512) == 0) - { - transform(); - } - } - -/* process an array of bytes */ - public virtual void process_array(sbyte[] b) - { - for (int i = 0;i < b.Length;i++) - { - process((int)b[i]); - } - 
} - -/* process a 32-bit integer */ - public virtual void process_num(int n) - { - process((n >> 24) & 0xff); - process((n >> 16) & 0xff); - process((n >> 8) & 0xff); - process(n & 0xff); - } - -/* Generate 32-byte Hash */ - public virtual sbyte[] hash() - { // pad message and finish - supply digest - int i; - sbyte[] digest = new sbyte[32]; - int len0, len1; - len0 = length[0]; - len1 = length[1]; - process(0x80); - while ((length[0] % 512) != 448) - { - process(0); - } - w[14] = len1; - w[15] = len0; - transform(); - for (i = 0;i < len;i++) - { // convert to bytes - digest[i] = unchecked((sbyte)((h[i / 4] >> (8 * (3 - i % 4))) & 0xff)); - } - init(); - return digest; - } - -/* test program: should produce digest */ - -//248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1 -/* - public static void main(String[] args) { - byte[] test="abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".getBytes(); - byte[] digest; - int i; - HASH sh=new HASH(); - - for (i=0;i<test.length;i++) - sh.process(test[i]); - - digest=sh.hash(); - for (i=0;i<32;i++) System.out.format("%02x",digest[i]); - - // for (i=0;i<32;i++) System.out.format("%d ",digest[i]); - - System.out.println(""); - } */ -} - http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/MPIN.cs ---------------------------------------------------------------------- diff --git a/cs/MPIN.cs b/cs/MPIN.cs deleted file mode 100644 index f8ae051..0000000 --- a/cs/MPIN.cs +++ /dev/null 
@@ -1,916 +0,0 @@ -using System; - -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* MPIN API Functions */ - -public class MPIN -{ - public static readonly int EFS = ROM.MODBYTES; - public static readonly int EGS = ROM.MODBYTES; - public const int PAS = 16; - public const int BAD_PARAMS = -11; - public const int INVALID_POINT = -14; - public const int WRONG_ORDER = -18; - public const int BAD_PIN = -19; - -/* Configure your PIN here */ - - public const int MAXPIN = 10000; // PIN less than this - public const int PBLEN = 14; // Number of bits in PIN - public const int TS = 10; // 10 for 4 digit PIN, 14 for 6-digit PIN - 2^TS/TS approx = sqrt(MAXPIN) - public const int TRAP = 200; // 200 for 4 digit PIN, 2000 for 6-digit PIN - approx 2*sqrt(MAXPIN) - -/* Hash number (optional) and string to point on curve */ - - public static sbyte[] hashit(int n, sbyte[] ID) - { - HASH H = new HASH(); - if (n != 0) - { - H.process_num(n); - } - H.process_array(ID); - sbyte[] h = H.hash(); - return h; - } - - public static ECP mapit(sbyte[] h) - { - BIG q = new BIG(ROM.Modulus); - BIG x = BIG.fromBytes(h); - x.mod(q); - ECP P; - while (true) - { - P = new ECP(x,0); - if (!P.is_infinity()) - { - break; - } - x.inc(1); - x.norm(); - } - return P; - } - -/* needed for 
SOK */ - public static ECP2 mapit2(sbyte[] h) - { - BIG q = new BIG(ROM.Modulus); - BIG x = BIG.fromBytes(h); - BIG one = new BIG(1); - FP2 X; - ECP2 Q, T, K; - x.mod(q); - while (true) - { - X = new FP2(one,x); - Q = new ECP2(X); - if (!Q.is_infinity()) - { - break; - } - x.inc(1); - x.norm(); - } -/* Fast Hashing to G2 - Fuentes-Castaneda, Knapp and Rodriguez-Henriquez */ - BIG Fra = new BIG(ROM.CURVE_Fra); - BIG Frb = new BIG(ROM.CURVE_Frb); - X = new FP2(Fra,Frb); - x = new BIG(ROM.CURVE_Bnx); - - T = new ECP2(); - T.copy(Q); - T.mul(x); - T.neg(); - K = new ECP2(); - K.copy(T); - K.dbl(); - K.add(T); - K.affine(); - - K.frob(X); - Q.frob(X); - Q.frob(X); - Q.frob(X); - Q.add(T); - Q.add(K); - T.frob(X); - T.frob(X); - Q.add(T); - Q.affine(); - return Q; - } - -/* return time in slots since epoch */ - public static int today() - { - TimeSpan t = DateTime.Now- new DateTime(1970,1,1); - return (int)(t.TotalSeconds / (60 * 1440)); - } - -/* these next two functions help to implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* maps a random u to a point on the curve */ - public static ECP map(BIG u, int cb) - { - ECP P; - BIG x = new BIG(u); - BIG p = new BIG(ROM.Modulus); - x.mod(p); - while (true) - { - P = new ECP(x,cb); - if (!P.is_infinity()) - { - break; - } - x.inc(1); - x.norm(); - } - return P; - } - -/* returns u derived from P. 
Random value in range 1 to return value should then be added to u */ - public static int unmap(BIG u, ECP P) - { - int s = P.S; - ECP R; - int r = 0; - BIG x = P.X; - u.copy(x); - while (true) - { - u.dec(1); - u.norm(); - r++; - R = new ECP(u,s); - if (!R.is_infinity()) - { - break; - } - } - return r; - } - - public static sbyte[] HASH_ID(sbyte[] ID) - { - return hashit(0,ID); - } - - -/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */ -/* Note that u and v are indistinguisible from random strings */ - public static int ENCODING(RAND rng, sbyte[] E) - { - int rn, m, su, sv; - sbyte[] T = new sbyte[EFS]; - - for (int i = 0;i < EFS;i++) - { - T[i] = E[i + 1]; - } - BIG u = BIG.fromBytes(T); - for (int i = 0;i < EFS;i++) - { - T[i] = E[i + EFS + 1]; - } - BIG v = BIG.fromBytes(T); - - ECP P = new ECP(u,v); - if (P.is_infinity()) - { - return INVALID_POINT; - } - - BIG p = new BIG(ROM.Modulus); - u = BIG.randomnum(p,rng); - - su = rng.Byte; //if (su<0) su=-su; - su %= 2; - - ECP W = map(u,su); - P.sub(W); - sv = P.S; - rn = unmap(v,P); - m = rng.Byte; //if (m<0) m=-m; - m %= rn; - v.inc(m + 1); - E[0] = (sbyte)(su + 2 * sv); - u.toBytes(T); - for (int i = 0;i < EFS;i++) - { - E[i + 1] = T[i]; - } - v.toBytes(T); - for (int i = 0;i < EFS;i++) - { - E[i + EFS + 1] = T[i]; - } - - return 0; - } - - public static int DECODING(sbyte[] D) - { - int su, sv; - sbyte[] T = new sbyte[EFS]; - - if ((D[0] & 0x04) != 0) - { - return INVALID_POINT; - } - - for (int i = 0;i < EFS;i++) - { - T[i] = D[i + 1]; - } - BIG u = BIG.fromBytes(T); - for (int i = 0;i < EFS;i++) - { - T[i] = D[i + EFS + 1]; - } - BIG v = BIG.fromBytes(T); - - su = D[0] & 1; - sv = (D[0] >> 1) & 1; - ECP W = map(u,su); - ECP P = map(v,sv); - P.add(W); - u = P.X; - v = P.Y; - D[0] = 0x04; - u.toBytes(T); - for (int i = 0;i < EFS;i++) - { - D[i + 1] = T[i]; - } - v.toBytes(T); - for (int i 
= 0;i < EFS;i++) - { - D[i + EFS + 1] = T[i]; - } - - return 0; - } - -/* R=R1+R2 in group G1 */ - public static int RECOMBINE_G1(sbyte[] R1, sbyte[] R2, sbyte[] R) - { - ECP P = ECP.fromBytes(R1); - ECP Q = ECP.fromBytes(R2); - - if (P.is_infinity() || Q.is_infinity()) - { - return INVALID_POINT; - } - - P.add(Q); - - P.toBytes(R); - return 0; - } - -/* W=W1+W2 in group G2 */ - public static int RECOMBINE_G2(sbyte[] W1, sbyte[] W2, sbyte[] W) - { - ECP2 P = ECP2.fromBytes(W1); - ECP2 Q = ECP2.fromBytes(W2); - - if (P.is_infinity() || Q.is_infinity()) - { - return INVALID_POINT; - } - - P.add(Q); - - P.toBytes(W); - return 0; - } - -/* create random secret S */ - public static int RANDOM_GENERATE(RAND rng, sbyte[] S) - { - BIG s; - BIG r = new BIG(ROM.CURVE_Order); - s = BIG.randomnum(r,rng); - - s.toBytes(S); - return 0; - } - -/* Extract PIN from TOKEN for identity CID */ - public static int EXTRACT_PIN(sbyte[] CID, int pin, sbyte[] TOKEN) - { - ECP P = ECP.fromBytes(TOKEN); - if (P.is_infinity()) - { - return INVALID_POINT; - } - sbyte[] h = hashit(0,CID); - ECP R = mapit(h); - - - pin %= MAXPIN; - - R = R.pinmul(pin,PBLEN); - P.sub(R); - - P.toBytes(TOKEN); - - return 0; - } - -/* Implement step 2 on client side of MPin protocol */ - public static int CLIENT_2(sbyte[] X, sbyte[] Y, sbyte[] SEC) - { - BIG r = new BIG(ROM.CURVE_Order); - ECP P = ECP.fromBytes(SEC); - if (P.is_infinity()) - { - return INVALID_POINT; - } - - BIG px = BIG.fromBytes(X); - BIG py = BIG.fromBytes(Y); - px.add(py); - px.mod(r); - px.rsub(r); - - PAIR.G1mul(P,px).toBytes(SEC); - return 0; - } - -/* Implement step 1 on client side of MPin protocol */ - public static int CLIENT_1(int date, sbyte[] CLIENT_ID, RAND rng, sbyte[] X, int pin, sbyte[] TOKEN, sbyte[] SEC, sbyte[] xID, sbyte[] xCID, sbyte[] PERMIT) - { - BIG r = new BIG(ROM.CURVE_Order); -// BIG q=new BIG(ROM.Modulus); - BIG x; -// BIG m=new BIG(0); - if (rng != null) - { - x = BIG.randomnum(r,rng); - x.toBytes(X); - } - else - { 
- x = BIG.fromBytes(X); - } - ECP P, T, W; - BIG px; -// byte[] t=new byte[EFS]; - - sbyte[] h = hashit(0,CLIENT_ID); - P = mapit(h); - - T = ECP.fromBytes(TOKEN); - if (T.is_infinity()) - { - return INVALID_POINT; - } - - pin %= MAXPIN; - W = P.pinmul(pin,PBLEN); - T.add(W); - if (date != 0) - { - W = ECP.fromBytes(PERMIT); - if (W.is_infinity()) - { - return INVALID_POINT; - } - T.add(W); - h = hashit(date,h); - W = mapit(h); - if (xID != null) - { - P = PAIR.G1mul(P,x); - P.toBytes(xID); - W = PAIR.G1mul(W,x); - P.add(W); - } - else - { - P.add(W); - P = PAIR.G1mul(P,x); - } - if (xCID != null) - { - P.toBytes(xCID); - } - } - else - { - if (xID != null) - { - P = PAIR.G1mul(P,x); - P.toBytes(xID); - } - } - - - T.toBytes(SEC); - return 0; - } - -/* Extract Server Secret SST=S*Q where Q is fixed generator in G2 and S is master secret */ - public static int GET_SERVER_SECRET(sbyte[] S, sbyte[] SST) - { - ECP2 Q = new ECP2(new FP2(new BIG(ROM.CURVE_Pxa),new BIG(ROM.CURVE_Pxb)),new FP2(new BIG(ROM.CURVE_Pya),new BIG(ROM.CURVE_Pyb))); - - BIG s = BIG.fromBytes(S); - Q = PAIR.G2mul(Q,s); - Q.toBytes(SST); - return 0; - } - -/* - W=x*H(G); - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve -*/ - public static int GET_G1_MULTIPLE(RAND rng, int type, sbyte[] X, sbyte[] G, sbyte[] W) - { - BIG x; - BIG r = new BIG(ROM.CURVE_Order); - if (rng != null) - { - x = BIG.randomnum(r,rng); - x.toBytes(X); - } - else - { - x = BIG.fromBytes(X); - } - ECP P; - if (type == 0) - { - P = ECP.fromBytes(G); - if (P.is_infinity()) - { - return INVALID_POINT; - } - } - else - { - P = mapit(G); - } - - PAIR.G1mul(P,x).toBytes(W); - return 0; - } - -/* Client secret CST=S*H(CID) where CID is client ID and S is master secret */ -/* CID is hashed externally */ - public static int GET_CLIENT_SECRET(sbyte[] S, sbyte[] CID, sbyte[] CST) - { - return 
GET_G1_MULTIPLE(null,1,S,CID,CST); - } - -/* Time Permit CTT=S*(date|H(CID)) where S is master secret */ - public static int GET_CLIENT_PERMIT(int date, sbyte[] S, sbyte[] CID, sbyte[] CTT) - { - sbyte[] h = hashit(date,CID); - ECP P = mapit(h); - - BIG s = BIG.fromBytes(S); - PAIR.G1mul(P,s).toBytes(CTT); - return 0; - } - -/* Outputs H(CID) and H(T|H(CID)) for time permits. If no time permits set HID=HTID */ - public static void SERVER_1(int date, sbyte[] CID, sbyte[] HID, sbyte[] HTID) - { - sbyte[] h = hashit(0,CID); - ECP R , P = mapit(h); - - if (date != 0) - { - if (HID != null) - { - P.toBytes(HID); - } - h = hashit(date,h); - R = mapit(h); - P.add(R); - P.toBytes(HTID); - } - else - { - P.toBytes(HID); - } - } - -/* Implement step 2 of MPin protocol on server side */ - public static int SERVER_2(int date, sbyte[] HID, sbyte[] HTID, sbyte[] Y, sbyte[] SST, sbyte[] xID, sbyte[] xCID, sbyte[] mSEC, sbyte[] E, sbyte[] F) - { - BIG q = new BIG(ROM.Modulus); - ECP2 Q = new ECP2(new FP2(new BIG(ROM.CURVE_Pxa),new BIG(ROM.CURVE_Pxb)),new FP2(new BIG(ROM.CURVE_Pya),new BIG(ROM.CURVE_Pyb))); - ECP2 sQ = ECP2.fromBytes(SST); - if (sQ.is_infinity()) - { - return INVALID_POINT; - } - - ECP R; - if (date != 0) - { - R = ECP.fromBytes(xCID); - } - else - { - if (xID == null) - { - return BAD_PARAMS; - } - R = ECP.fromBytes(xID); - } - if (R.is_infinity()) - { - return INVALID_POINT; - } - - BIG y = BIG.fromBytes(Y); - ECP P; - if (date != 0) - { - P = ECP.fromBytes(HTID); - } - else - { - if (HID == null) - { - return BAD_PARAMS; - } - P = ECP.fromBytes(HID); - } - - if (P.is_infinity()) - { - return INVALID_POINT; - } - - P = PAIR.G1mul(P,y); - P.add(R); - R = ECP.fromBytes(mSEC); - if (R.is_infinity()) - { - return INVALID_POINT; - } - - FP12 g; -// FP12 g1=new FP12(0); - - g = PAIR.ate2(Q,R,sQ,P); - g = PAIR.fexp(g); - - if (!g.isunity()) - { - if (HID != null && xID != null && E != null && F != null) - { - g.toBytes(E); - if (date != 0) - { - P = ECP.fromBytes(HID); 
- if (P.is_infinity()) - { - return INVALID_POINT; - } - R = ECP.fromBytes(xID); - if (R.is_infinity()) - { - return INVALID_POINT; - } - - P = PAIR.G1mul(P,y); - P.add(R); - } - g = PAIR.ate(Q,P); - g = PAIR.fexp(g); - g.toBytes(F); - } - return BAD_PIN; - } - - return 0; - } - -/* Pollards kangaroos used to return PIN error */ - public static int KANGAROO(sbyte[] E, sbyte[] F) - { - FP12 ge = FP12.fromBytes(E); - FP12 gf = FP12.fromBytes(F); - int[] distance = new int[TS]; - FP12 t = new FP12(gf); - FP12[] table = new FP12[TS]; - int i, j, m, s, dn, dm, res, steps; - - s = 1; - for (m = 0;m < TS;m++) - { - distance[m] = s; - table[m] = new FP12(t); - s *= 2; - t.usqr(); - } - t.one(); - dn = 0; - for (j = 0;j < TRAP;j++) - { - i = t.geta().geta().A.lastbits(8) % TS; - t.mul(table[i]); - dn += distance[i]; - } - gf.copy(t); - gf.conj(); - steps = 0; - dm = 0; - res = 0; - while (dm - dn < MAXPIN) - { - steps++; - if (steps > 4 * TRAP) - { - break; - } - i = ge.geta().geta().A.lastbits(8) % TS; - ge.mul(table[i]); - dm += distance[i]; - if (ge.Equals(t)) - { - res = dm - dn; - break; - } - if (ge.Equals(gf)) - { - res = dn - dm; - break; - } - - } - if (steps > 4 * TRAP || dm - dn >= MAXPIN) - { - res = 0; - } // Trap Failed - probable invalid token - return res; - } - -/* Functions to support M-Pin Full */ - - public static int PRECOMPUTE(sbyte[] TOKEN, sbyte[] CID, sbyte[] G1, sbyte[] G2) - { - ECP P, T; - FP12 g; - - T = ECP.fromBytes(TOKEN); - if (T.is_infinity()) - { - return INVALID_POINT; - } - - P = mapit(CID); - - ECP2 Q = new ECP2(new FP2(new BIG(ROM.CURVE_Pxa),new BIG(ROM.CURVE_Pxb)),new FP2(new BIG(ROM.CURVE_Pya),new BIG(ROM.CURVE_Pyb))); - - g = PAIR.ate(Q,T); - g = PAIR.fexp(g); - g.toBytes(G1); - - g = PAIR.ate(Q,P); - g = PAIR.fexp(g); - g.toBytes(G2); - - return 0; - } - -/* calculate common key on client side */ -/* wCID = w.(A+AT) */ - public static int CLIENT_KEY(sbyte[] G1, sbyte[] G2, int pin, sbyte[] R, sbyte[] X, sbyte[] wCID, sbyte[] CK) - 
{ - HASH H = new HASH(); - sbyte[] t = new sbyte[EFS]; - - FP12 g1 = FP12.fromBytes(G1); - FP12 g2 = FP12.fromBytes(G2); - BIG z = BIG.fromBytes(R); - BIG x = BIG.fromBytes(X); - - ECP W = ECP.fromBytes(wCID); - if (W.is_infinity()) - { - return INVALID_POINT; - } - - W = PAIR.G1mul(W,x); - - FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb)); - BIG r = new BIG(ROM.CURVE_Order); - BIG q = new BIG(ROM.Modulus); - - BIG m = new BIG(q); - m.mod(r); - - BIG a = new BIG(z); - a.mod(m); - - BIG b = new BIG(z); - b.div(m); - - g2.pinpow(pin,PBLEN); - g1.mul(g2); - - FP4 c = g1.trace(); - g2.copy(g1); - g2.frob(f); - FP4 cp = g2.trace(); - g1.conj(); - g2.mul(g1); - FP4 cpm1 = g2.trace(); - g2.mul(g1); - FP4 cpm2 = g2.trace(); - - c = c.xtr_pow2(cp,cpm1,cpm2,a,b); - - c.geta().A.toBytes(t); - H.process_array(t); - c.geta().B.toBytes(t); - H.process_array(t); - c.getb().A.toBytes(t); - H.process_array(t); - c.getb().B.toBytes(t); - H.process_array(t); - - W.X.toBytes(t); - H.process_array(t); - W.Y.toBytes(t); - H.process_array(t); - - t = H.hash(); - for (int i = 0;i < PAS;i++) - { - CK[i] = t[i]; - } - - return 0; - } - -/* calculate common key on server side */ -/* Z=r.A - no time permits involved */ - - public static int SERVER_KEY(sbyte[] Z, sbyte[] SST, sbyte[] W, sbyte[] xID, sbyte[] xCID, sbyte[] SK) - { - HASH H = new HASH(); - sbyte[] t = new sbyte[EFS]; - - ECP2 sQ = ECP2.fromBytes(SST); - if (sQ.is_infinity()) - { - return INVALID_POINT; - } - ECP R = ECP.fromBytes(Z); - if (R.is_infinity()) - { - return INVALID_POINT; - } - - ECP U; - if (xCID != null) - { - U = ECP.fromBytes(xCID); - } - else - { - U = ECP.fromBytes(xID); - } - if (U.is_infinity()) - { - return INVALID_POINT; - } - - BIG w = BIG.fromBytes(W); - U = PAIR.G1mul(U,w); - FP12 g = PAIR.ate(sQ,R); - g = PAIR.fexp(g); - - FP4 c = g.trace(); - c.geta().A.toBytes(t); - H.process_array(t); - c.geta().B.toBytes(t); - H.process_array(t); - c.getb().A.toBytes(t); - H.process_array(t); - 
c.getb().B.toBytes(t); - H.process_array(t); - - U.X.toBytes(t); - H.process_array(t); - U.Y.toBytes(t); - H.process_array(t); - - t = H.hash(); - for (int i = 0;i < PAS;i++) - { - SK[i] = t[i]; - } - - return 0; - } - -/* return time since epoch */ - public static int GET_TIME() - { - DateTime date = DateTime.Now; - return (int)(date.Ticks / 1000); - } - -/* Generate Y = H(epoch, xCID/xID) */ - public static void GET_Y(int TimeValue, sbyte[] xCID, sbyte[] Y) - { - sbyte[] h = hashit(TimeValue,xCID); - BIG y = BIG.fromBytes(h); - BIG q = new BIG(ROM.CURVE_Order); - y.mod(q); - y.toBytes(Y); - } - -/* One pass MPIN Client */ - public static int CLIENT(int date, sbyte[] CLIENT_ID, RAND RNG, sbyte[] X, int pin, sbyte[] TOKEN, sbyte[] SEC, sbyte[] xID, sbyte[] xCID, sbyte[] PERMIT, int TimeValue, sbyte[] Y) - { - int rtn = 0; - - sbyte[] pID; - if (date == 0) - { - pID = xID; - } - else - { - pID = xCID; - } - - rtn = CLIENT_1(date,CLIENT_ID,RNG,X,pin,TOKEN,SEC,xID,xCID,PERMIT); - if (rtn != 0) - { - return rtn; - } - - GET_Y(TimeValue,pID,Y); - - rtn = CLIENT_2(X,Y,SEC); - if (rtn != 0) - { - return rtn; - } - - return 0; - } - -/* One pass MPIN Server */ - public static int SERVER(int date, sbyte[] HID, sbyte[] HTID, sbyte[] Y, sbyte[] SST, sbyte[] xID, sbyte[] xCID, sbyte[] SEC, sbyte[] E, sbyte[] F, sbyte[] CID, int TimeValue) - { - int rtn = 0; - - sbyte[] pID; - if (date == 0) - { - pID = xID; - } - else - { - pID = xCID; - } - - SERVER_1(date,CID,HID,HTID); - - GET_Y(TimeValue,pID,Y); - - rtn = SERVER_2(date,HID,HTID,Y,SST,xID,xCID,SEC,E,F); - if (rtn != 0) - { - return rtn; - } - - return 0; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/PAIR.cs ---------------------------------------------------------------------- diff --git a/cs/PAIR.cs b/cs/PAIR.cs deleted file mode 100644 index 14bd6db..0000000 --- a/cs/PAIR.cs +++ /dev/null 
@@ -1,586 +0,0 @@
-using System;
-
-/*
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied. See the License for the
-specific language governing permissions and limitations
-under the License.
-*/
-
-/* AMCL BN Curve Pairing functions */
-
-public sealed class PAIR
-{
-
-/* Line function */
- public static FP12 line(ECP2 A, ECP2 B, FP Qx, FP Qy)
- {
- ECP2 P = new ECP2();
-
- FP4 a, b, c;
- P.copy(A);
- FP2 ZZ = new FP2(P.getz());
- ZZ.sqr();
- int D;
- if (A == B)
- {
- D = A.dbl(); // Check this return value in amcl_ec2.c
- }
- else
- {
- D = A.add(B);
- }
- if (D < 0)
- {
- return new FP12(1);
- }
- FP2 Z3 = new FP2(A.getz());
- c = new FP4(0);
- if (D == 0)
- { // Addition
- FP2 X = new FP2(B.getx());
- FP2 Y = new FP2(B.gety());
- FP2 T = new FP2(P.getz());
- T.mul(Y);
- ZZ.mul(T);
-
- FP2 NY = new FP2(P.gety());
- NY.neg();
- ZZ.add(NY);
- Z3.pmul(Qy);
- T.mul(P.getx());
- X.mul(NY);
- T.add(X);
- a = new FP4(Z3,T);
- ZZ.neg();
- ZZ.pmul(Qx);
- b = new FP4(ZZ);
- }
- else
- { // Doubling
- FP2 X = new FP2(P.getx());
- FP2 Y = new FP2(P.gety());
- FP2 T = new FP2(P.getx());
- T.sqr();
- T.imul(3);
-
- Y.sqr();
- Y.add(Y);
- Z3.mul(ZZ);
- Z3.pmul(Qy);
-
- X.mul(T);
- X.sub(Y);
- a = new FP4(Z3,X);
- T.neg();
- ZZ.mul(T);
- ZZ.pmul(Qx);
- b = new FP4(ZZ);
- }
- return new FP12(a,b,c);
- }
-
-/* Optimal R-ate pairing */
- public static FP12 ate(ECP2 P, ECP Q)
- {
- FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb));
- BIG x = new BIG(ROM.CURVE_Bnx);
- BIG n = new BIG(x);
- ECP2 K = new ECP2();
- FP12 lv;
- n.pmul(6);
- n.dec(2);
- n.norm();
- P.affine();
- Q.affine();
- FP Qx = new FP(Q.getx());
- FP Qy = new FP(Q.gety());
-
- ECP2 A = new ECP2();
- FP12 r = new FP12(1);
-
- A.copy(P);
- int nb = n.nbits();
-
- for (int i = nb - 2;i >= 1;i--)
- {
- lv = line(A,A,Qx,Qy);
- r.smul(lv);
-
- if (n.bit(i) == 1)
- {
- lv = line(A,P,Qx,Qy);
-
- r.smul(lv);
- }
- r.sqr();
- }
-
- lv = line(A,A,Qx,Qy);
- r.smul(lv);
-
-/* R-ate fixup */
-
- r.conj();
-
- K.copy(P);
- K.frob(f);
- A.neg();
- lv = line(A,K,Qx,Qy);
- r.smul(lv);
- K.frob(f);
- K.neg();
- lv = line(A,K,Qx,Qy);
- r.smul(lv);
-
- return r;
- }
-
-/* Optimal R-ate double pairing e(P,Q).e(R,S) */
- public static FP12 ate2(ECP2 P, ECP Q, ECP2 R, ECP S)
- {
- FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb));
- BIG x = new BIG(ROM.CURVE_Bnx);
- BIG n = new BIG(x);
- ECP2 K = new ECP2();
- FP12 lv;
- n.pmul(6);
- n.dec(2);
- n.norm();
- P.affine();
- Q.affine();
- R.affine();
- S.affine();
-
- FP Qx = new FP(Q.getx());
- FP Qy = new FP(Q.gety());
- FP Sx = new FP(S.getx());
- FP Sy = new FP(S.gety());
-
- ECP2 A = new ECP2();
- ECP2 B = new ECP2();
- FP12 r = new FP12(1);
-
- A.copy(P);
- B.copy(R);
- int nb = n.nbits();
-
- for (int i = nb - 2;i >= 1;i--)
- {
- lv = line(A,A,Qx,Qy);
- r.smul(lv);
- lv = line(B,B,Sx,Sy);
- r.smul(lv);
-
- if (n.bit(i) == 1)
- {
- lv = line(A,P,Qx,Qy);
- r.smul(lv);
- lv = line(B,R,Sx,Sy);
- r.smul(lv);
- }
- r.sqr();
- }
-
- lv = line(A,A,Qx,Qy);
- r.smul(lv);
-
- lv = line(B,B,Sx,Sy);
- r.smul(lv);
-
-/* R-ate fixup */
- r.conj();
-
- K.copy(P);
- K.frob(f);
- A.neg();
- lv = line(A,K,Qx,Qy);
- r.smul(lv);
- K.frob(f);
- K.neg();
- lv = line(A,K,Qx,Qy);
- r.smul(lv);
-
- K.copy(R);
- K.frob(f);
- B.neg();
- lv = line(B,K,Sx,Sy);
- r.smul(lv);
- K.frob(f);
- K.neg();
- lv = line(B,K,Sx,Sy);
- r.smul(lv);
-
- return r;
- }
-
-/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */
- public static FP12 fexp(FP12 m)
- {
- FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb));
- BIG x = new BIG(ROM.CURVE_Bnx);
- FP12 r = new FP12(m);
- FP12 x0, x1, x2, x3, x4, x5;
-
-/* Easy part of final exp */
- FP12 lv = new FP12(r);
- lv.inverse();
- r.conj();
-
- r.mul(lv);
- lv.copy(r);
- r.frob(f);
- r.frob(f);
- r.mul(lv);
-/* Hard part of final exp */
- lv.copy(r);
- lv.frob(f);
- x0 = new FP12(lv);
- x0.frob(f);
- lv.mul(r);
- x0.mul(lv);
- x0.frob(f);
- x1 = new FP12(r);
- x1.conj();
- x4 = r.pow(x);
-
- x3 = new FP12(x4);
- x3.frob(f);
-
- x2 = x4.pow(x);
-
- x5 = new FP12(x2);
- x5.conj();
- lv = x2.pow(x);
-
- x2.frob(f);
- r.copy(x2);
- r.conj();
-
- x4.mul(r);
- x2.frob(f);
-
- r.copy(lv);
- r.frob(f);
- lv.mul(r);
-
- lv.usqr();
- lv.mul(x4);
- lv.mul(x5);
- r.copy(x3);
- r.mul(x5);
- r.mul(lv);
- lv.mul(x2);
- r.usqr();
- r.mul(lv);
- r.usqr();
- lv.copy(r);
- lv.mul(x1);
- r.mul(x0);
- lv.usqr();
- r.mul(lv);
- r.reduce();
- return r;
- }
-
-/* GLV method */
- public static BIG[] glv(BIG e)
- {
- int i, j;
- BIG t = new BIG(0);
- BIG q = new BIG(ROM.CURVE_Order);
- BIG[] u = new BIG[2];
- BIG[] v = new BIG[2];
- for (i = 0;i < 2;i++)
- {
- t.copy(new BIG(ROM.CURVE_W[i])); // why not just t=new BIG(ROM.CURVE_W[i]);
- DBIG d = BIG.mul(t,e);
- v[i] = new BIG(d.div(q));
- u[i] = new BIG(0);
- }
- u[0].copy(e);
- for (i = 0;i < 2;i++)
- {
- for (j = 0;j < 2;j++)
- {
- t.copy(new BIG(ROM.CURVE_SB[j][i]));
- t.copy(BIG.modmul(v[j],t,q));
- u[i].add(q);
- u[i].sub(t);
- u[i].mod(q);
- }
- }
- return u;
- }
-
-/* Galbraith & Scott Method */
- public static BIG[] gs(BIG e)
- {
- int i, j;
- BIG t = new BIG(0);
- BIG q = new BIG(ROM.CURVE_Order);
- BIG[] u = new BIG[4];
- BIG[] v = new BIG[4];
- for (i = 0;i < 4;i++)
- {
- t.copy(new BIG(ROM.CURVE_WB[i]));
- DBIG d = BIG.mul(t,e);
- v[i] = new BIG(d.div(q));
- u[i] = new BIG(0);
- }
- u[0].copy(e);
- for (i = 0;i < 4;i++)
- {
- for (j = 0;j < 4;j++)
- {
- t.copy(new BIG(ROM.CURVE_BB[j][i]));
- t.copy(BIG.modmul(v[j],t,q));
- u[i].add(q);
- u[i].sub(t);
- u[i].mod(q);
- }
- }
- return u;
- }
-
-/* Multiply P by e in group G1 */
- public static ECP G1mul(ECP P, BIG e)
- {
- ECP R;
- if (ROM.USE_GLV)
- {
- P.affine();
- R = new ECP();
- R.copy(P);
- int i, np, nn;
- ECP Q = new ECP();
- Q.copy(P);
- BIG q = new BIG(ROM.CURVE_Order);
- FP cru = new FP(new BIG(ROM.CURVE_Cru));
- BIG t = new BIG(0);
- BIG[] u = glv(e);
- Q.getx().mul(cru);
-
- np = u[0].nbits();
- t.copy(BIG.modneg(u[0],q));
- nn = t.nbits();
- if (nn < np)
- {
- u[0].copy(t);
- R.neg();
- }
-
- np = u[1].nbits();
- t.copy(BIG.modneg(u[1],q));
- nn = t.nbits();
- if (nn < np)
- {
- u[1].copy(t);
- Q.neg();
- }
-
- R = R.mul2(u[0],Q,u[1]);
-
- }
- else
- {
- R = P.mul(e);
- }
- return R;
- }
-
-/* Multiply P by e in group G2 */
- public static ECP2 G2mul(ECP2 P, BIG e)
- {
- ECP2 R;
- if (ROM.USE_GS_G2)
- {
- ECP2[] Q = new ECP2[4];
- FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb));
- BIG q = new BIG(ROM.CURVE_Order);
- BIG[] u = gs(e);
-
- BIG t = new BIG(0);
- int i, np, nn;
- P.affine();
- Q[0] = new ECP2();
- Q[0].copy(P);
- for (i = 1;i < 4;i++)
- {
- Q[i] = new ECP2();
- Q[i].copy(Q[i - 1]);
- Q[i].frob(f);
- }
- for (i = 0;i < 4;i++)
- {
- np = u[i].nbits();
- t.copy(BIG.modneg(u[i],q));
- nn = t.nbits();
- if (nn < np)
- {
- u[i].copy(t);
- Q[i].neg();
- }
- }
- R = ECP2.mul4(Q,u);
-
- }
- else
- {
- R = P.mul(e);
- }
- return R;
- }
-
-/* f=f^e */
-/* Note that this method requires a lot of RAM! Better to use compressed XTR method, see FP4.java */
- public static FP12 GTpow(FP12 d, BIG e)
- {
- FP12 r;
- if (ROM.USE_GS_GT)
- {
- FP12[] g = new FP12[4];
- FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb));
- BIG q = new BIG(ROM.CURVE_Order);
- BIG t = new BIG(0);
- int i, np, nn;
- BIG[] u = gs(e);
-
- g[0] = new FP12(d);
- for (i = 1;i < 4;i++)
- {
- g[i] = new FP12(0);
- g[i].copy(g[i - 1]);
- g[i].frob(f);
- }
- for (i = 0;i < 4;i++)
- {
- np = u[i].nbits();
- t.copy(BIG.modneg(u[i],q));
- nn = t.nbits();
- if (nn < np)
- {
- u[i].copy(t);
- g[i].conj();
- }
- }
- r = FP12.pow4(g,u);
- }
- else
- {
- r = d.pow(e);
- }
- return r;
- }
-
-/* test group membership */
-/* with GT-Strong curve, now only check that m!=1, conj(m)*m==1, and m.m^{p^4}=m^{p^2} */
- public static bool GTmember(FP12 m)
- {
- if (m.isunity())
- {
- return false;
- }
- FP12 r = new FP12(m);
- r.conj();
- r.mul(m);
- if (!r.isunity())
- {
- return false;
- }
-
- FP2 f = new FP2(new BIG(ROM.CURVE_Fra),new BIG(ROM.CURVE_Frb));
-
- r.copy(m);
- r.frob(f);
- r.frob(f);
- FP12 w = new FP12(r);
- w.frob(f);
- w.frob(f);
- w.mul(m);
- if (!ROM.GT_STRONG)
- {
- if (!w.Equals(r))
- {
- return false;
- }
- BIG x = new BIG(ROM.CURVE_Bnx);
- r.copy(m);
- w = r.pow(x);
- w = w.pow(x);
- r.copy(w);
- r.sqr();
- r.mul(w);
- r.sqr();
- w.copy(m);
- w.frob(f);
- }
- return w.Equals(r);
- }
-}
-/*
- public static void Main(string[] args)
- {
- ECP Q = new ECP(new BIG(ROM.CURVE_Gx),new BIG(ROM.CURVE_Gy));
- ECP2 P = new ECP2(new FP2(new BIG(ROM.CURVE_Pxa),new BIG(ROM.CURVE_Pxb)),new FP2(new BIG(ROM.CURVE_Pya),new BIG(ROM.CURVE_Pyb)));
-
- BIG r = new BIG(ROM.CURVE_Order);
- BIG xa = new BIG(ROM.CURVE_Pxa);
-
- Console.WriteLine("P= " + P.ToString());
- Console.WriteLine("Q= " + Q.ToString());
-
- BIG m = new BIG(17);
-
- FP12 e = ate(P,Q);
- Console.WriteLine("\ne= " + e.ToString());
-
- e = fexp(e);
- // e=GTpow(e,m);
-
- Console.WriteLine("\ne= " + e.ToString());
-
- BIG[] GLV = glv(r);
-
- Console.WriteLine("GLV[0]= " + GLV[0].ToString());
- Console.WriteLine("GLV[0]= " + GLV[1].ToString());
-
- ECP G = new ECP();
- G.copy(Q);
- ECP2 R = new ECP2();
- R.copy(P);
-
-
- e = ate(R,Q);
- e = fexp(e);
-
- e = GTpow(e,xa);
- Console.WriteLine("\ne= " + e.ToString());
-
-
- R = G2mul(R,xa);
- e = ate(R,G);
- e = fexp(e);
-
- Console.WriteLine("\ne= " + e.ToString());
-
- G = G1mul(G,xa);
- e = ate(P,G);
- e = fexp(e);
- Console.WriteLine("\ne= " + e.ToString());
- }
-}
-
-*/
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/70e3a3a3/cs/RAND.cs
----------------------------------------------------------------------
diff --git a/cs/RAND.cs b/cs/RAND.cs
deleted file mode 100644
index 0c74885..0000000
--- a/cs/RAND.cs
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied. See the License for the
-specific language governing permissions and limitations
-under the License.
-*/
-
-/*
- * Cryptographic strong random number generator
- *
- * Unguessable seed -> SHA -> PRNG internal state -> SHA -> random numbers
- * Slow - but secure
- *
- * See ftp://ftp.rsasecurity.com/pub/pdfs/bull-1.pdf for a justification
- */
-
-/* Marsaglia & Zaman Random number generator constants */
-
-
-public class RAND
-{
-/* Cryptographically strong pseudo-random number generator */
-
- private const int NK = 21;
- private const int NJ = 6;
- private const int NV = 8;
- private int[] ira = new int[NK]; // random number...
- private int rndptr; // ...array & pointer
- private int borrow;
- private int pool_ptr;
- private sbyte[] pool = new sbyte[32]; // random pool
-
- public RAND()
- {
- clean();
- }
-
- private int sbrand()
- { // Marsaglia & Zaman random number generator
- int i, k;
- long pdiff, t;
-
- rndptr++;
- if (rndptr < NK)
- {
- return ira[rndptr];
- }
- rndptr = 0;
- for (i = 0,k = NK - NJ;i < NK;i++,k++)
- { // calculate next NK values
- if (k == NK)
- {
- k = 0;
- }
- t = ((long)ira[k]) & 0xffffffffL;
- pdiff = (t - (((long)ira[i]) & 0xffffffffL) - (long)borrow) & 0xffffffffL;
- if (pdiff < t)
- {
- borrow = 0;
- }
- if (pdiff > t)
- {
- borrow = 1;
- }
- ira[i] = unchecked((int)(pdiff & 0xffffffffL));
- }
-
- return ira[0];
- }
-
- public virtual void sirand(int seed)
- {
- int i, @in;
- int t , m = 1;
- borrow = 0;
- rndptr = 0;
- ira[0] ^= seed;
- for (i = 1;i < NK;i++)
- { // fill initialisation vector
- @in = (NV * i) % NK;
- ira[@in] ^= m; // note XOR
- t = m;
- m = seed - m;
- seed = t;
- }
- for (i = 0;i < 10000;i++)
- {
- sbrand(); // "warm-up" & stir the generator
- }
- }
-
- private void fill_pool()
- {
- HASH sh = new HASH();
- for (int i = 0;i < 128;i++)
- {
- sh.process(sbrand());
- }
- pool = sh.hash();
- pool_ptr = 0;
- }
-
- private static int pack(sbyte[] b)
- { // pack 4 bytes into a 32-bit Word
- return ((((int)b[3]) & 0xff) << 24) | (((int)b[2] & 0xff) << 16) | (((int)b[1] & 0xff) << 8) | ((int)b[0] & 0xff);
- }
-
-/* Initialize RNG with some real entropy from some external source */
- public virtual void seed(int rawlen, sbyte[] raw)
- { // initialise from at least 128 byte string of raw random entropy
- int i;
- sbyte[] digest;
- sbyte[] b = new sbyte[4];
- HASH sh = new HASH();
- pool_ptr = 0;
- for (i = 0;i < NK;i++)
- {
- ira[i] = 0;
- }
- if (rawlen > 0)
- {
- for (i = 0;i < rawlen;i++)
- {
- sh.process(raw[i]);
- }
- digest = sh.hash();
-
-/* initialise PRNG from distilled randomness */
-
- for (i = 0;i < 8;i++)
- {
- b[0] = digest[4 * i];
- b[1] = digest[4 * i + 1];
- b[2] = digest[4 * i + 2];
- b[3] = digest[4 * i + 3];
- sirand(pack(b));
- }
- }
- fill_pool();
- }
-
-/* Terminate and clean up */
- public virtual void clean()
- { // kill internal state
- int i;
- pool_ptr = rndptr = 0;
- for (i = 0;i < 32;i++)
- {
- pool[i] = 0;
- }
- for (i = 0;i < NK;i++)
- {
- ira[i] = 0;
- }
- borrow = 0;
- }
-
-/* get random byte */
- public virtual int Byte
- {
- get
- {
- int r;
- r = pool[pool_ptr++];
- if (pool_ptr >= 32)
- {
- fill_pool();
- }
- return (r & 0xff);
- }
- }
-
-/* test main program */
-/*
- public static void main(String[] args) {
- int i;
- byte[] raw=new byte[100];
- RAND rng=new RAND();
-
- rng.clean();
- for (i=0;i<100;i++) raw[i]=(byte)i;
-
- rng.seed(100,raw);
-
- for (i=0;i<1000;i++)
- System.out.format("%03d ",rng.getByte());
- } */
-}
