http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp24.h.in ---------------------------------------------------------------------- diff --git a/include/fp24.h.in b/include/fp24.h.in new file mode 100644 index 0000000..122aad5 --- /dev/null +++ b/include/fp24.h.in @@ -0,0 +1,222 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +/** + * @file fp24_YYY.h + * @author Mike Scott + * @brief FP24 Header File + * + */ + +#ifndef FP24_YYY_H +#define FP24_YYY_H + +#include "fp8_YYY.h" + +/** + @brief FP24 Structure - towered over three FP8 +*/ + +typedef struct +{ + FP8_YYY a; /**< first part of FP12 */ + FP8_YYY b; /**< second part of FP12 */ + FP8_YYY c; /**< third part of FP12 */ +} FP24_YYY; + +extern const BIG_XXX Fra_YYY; /**< real part of BN curve Frobenius Constant */ +extern const BIG_XXX Frb_YYY; /**< imaginary part of BN curve Frobenius Constant */ + +/* FP24 prototypes */ +/** @brief Tests for FP24 equal to zero + * + @param x FP24 number to be tested + @return 1 if zero, else returns 0 + */ +extern int FP24_YYY_iszilch(FP24_YYY *x); +/** @brief Tests for FP24 equal to unity + * + @param x FP24 number to be tested + @return 1 if unity, else returns 0 + */ +extern int FP24_YYY_isunity(FP24_YYY *x); +/** @brief Copy FP24 to another FP24 + * + @param x FP24 instance, on exit = y + @param y FP24 instance to be copied + */ +extern void FP24_YYY_copy(FP24_YYY *x,FP24_YYY *y); +/** @brief Set FP24 to unity + * + @param x FP24 instance to be set to one + */ +extern void FP24_YYY_one(FP24_YYY *x); +/** @brief Tests for equality of two FP24s + * + @param x FP24 instance to be compared + @param y FP24 instance to be compared + @return 1 if x=y, else returns 0 + */ +extern int FP24_YYY_equals(FP24_YYY *x,FP24_YYY *y); +/** @brief Conjugation of FP24 + * + If y=(a,b,c) (where a,b,c are its three FP8 components) on exit x=(conj(a),-conj(b),conj(c)) + @param x FP24 instance, on exit = conj(y) + @param y FP24 instance + */ +extern void FP24_YYY_conj(FP24_YYY *x,FP24_YYY *y); +/** @brief Initialise FP24 from single FP8 + * + Sets first FP8 component of an FP24, other components set to zero + @param x FP24 instance to be initialised + @param a FP8 to form first part of FP8 + */ +extern void FP24_YYY_from_FP8(FP24_YYY *x,FP8_YYY *a); +/** @brief Initialise FP24 from three FP8s + * + @param x FP24 instance to be initialised + @param a FP8 to form first part of FP24 + @param b FP8 to form second part of FP24 + @param c FP8 to form third part of FP24 + */ +extern void FP24_YYY_from_FP8s(FP24_YYY *x,FP8_YYY *a,FP8_YYY* b,FP8_YYY *c); +/** @brief Fast Squaring of an FP24 in "unitary" form + * + @param x FP24 instance, on exit = y^2 + @param y FP8 instance, must be unitary + */ +extern void FP24_YYY_usqr(FP24_YYY *x,FP24_YYY *y); +/** @brief Squaring an FP24 + * + @param x FP24 instance, on exit = y^2 + @param y FP24 instance + */ +extern void FP24_YYY_sqr(FP24_YYY *x,FP24_YYY *y); +/** @brief Fast multiplication of an FP24 by an FP24 that arises from an ATE pairing line function + * + Here the multiplier has a special form that can be exploited + @param x FP24 instance, on exit = x*y + @param y FP24 instance, of special form + @param t D_TYPE or M_TYPE twist + */ +extern void FP24_YYY_smul(FP24_YYY *x,FP24_YYY *y,int t); +/** @brief Multiplication of two FP24s + * + @param x FP24 instance, on exit = x*y + @param y FP24 instance, the multiplier + */ +extern void FP24_YYY_mul(FP24_YYY *x,FP24_YYY *y); +/** @brief Inverting an FP24 + * + @param x FP24 instance, on exit = 1/y + @param y FP24 instance + */ +extern void FP24_YYY_inv(FP24_YYY *x,FP24_YYY *y); +/** @brief Raises an FP24 to the power of a BIG + * + @param r FP24 instance, on exit = y^b + @param x FP24 instance + @param b BIG number + */ +extern void FP24_YYY_pow(FP24_YYY *r,FP24_YYY *x,BIG_XXX b); + +//extern void FP24_ppow(FP24 *r,FP24 *x,BIG b); + +/** @brief Raises an FP24 instance x to a small integer power, side-channel resistant + * + @param x FP24 instance, on exit = x^i + @param i small integer exponent + @param b maximum number of bits in exponent + */ +extern void FP24_YYY_pinpow(FP24_YYY *x,int i,int b); + +/** @brief Raises an FP24 instance x to a BIG power, compressed to FP8 + * + @param c FP8 instance, on exit = x^(e mod r) as FP8 + @param x FP24 input + @param e BIG exponent + @param r BIG group order + */ +extern void FP24_YYY_compow(FP8_YYY *c,FP24_YYY *x,BIG_XXX e,BIG_XXX r); + +/** @brief Calculate Pi x[i]^b[i] for i=0 to 7, side-channel resistant + * + @param r FP24 instance, on exit = Pi x[i]^b[i] for i=0 to 7 + @param x FP24 array with 8 FP24s + @param b BIG array of 4 exponents + */ +extern void FP24_YYY_pow8(FP24_YYY *r,FP24_YYY *x,BIG_XXX *b); + + +/** @brief Raises an FP24 to the power of the internal modulus p, using the Frobenius + * + @param x FP24 instance, on exit = x^p^n + @param f FP2 precalculated Frobenius constant + @param n power of p + */ +extern void FP24_YYY_frob(FP24_YYY *x,FP2_YYY *f,int n); + +/** @brief Reduces all components of possibly unreduced FP24 mod Modulus + * + @param x FP24 instance, on exit reduced mod Modulus + */ +extern void FP24_YYY_reduce(FP24_YYY *x); +/** @brief Normalises the components of an FP24 + * + @param x FP24 instance to be normalised + */ +extern void FP24_YYY_norm(FP24_YYY *x); +/** @brief Formats and outputs an FP24 to the console + * + @param x FP24 instance to be printed + */ +extern void FP24_YYY_output(FP24_YYY *x); +/** @brief Formats and outputs an FP24 instance to an octet string + * + Serializes the components of an FP24 to big-endian base 256 form. + @param S output octet string + @param x FP24 instance to be converted to an octet string + */ +extern void FP24_YYY_toOctet(octet *S,FP24_YYY *x); +/** @brief Creates an FP24 instance from an octet string + * + De-serializes the components of an FP24 to create an FP24 from big-endian base 256 components. + @param x FP24 instance to be created from an octet string + @param S input octet string + + */ +extern void FP24_YYY_fromOctet(FP24_YYY *x,octet *S); +/** @brief Calculate the trace of an FP24 + * + @param t FP8 trace of x, on exit = tr(x) + @param x FP24 instance + + */ +extern void FP24_YYY_trace(FP8_YYY *t,FP24_YYY *x); + +/** @brief Conditional copy of FP24_YYY number + * + Conditionally copies second parameter to the first (without branching) + @param x FP24_YYY instance, set to y if s!=0 + @param y another FP24_YYY instance + @param s copy only takes place if not equal to 0 + */ +extern void FP24_YYY_cmove(FP24_YYY *x,FP24_YYY *y,int s); + +#endif
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp4.h.in ---------------------------------------------------------------------- diff --git a/include/fp4.h.in b/include/fp4.h.in new file mode 100644 index 0000000..731afd0 --- /dev/null +++ b/include/fp4.h.in @@ -0,0 +1,304 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +/** + * @file fp4_YYY.h + * @author Mike Scott + * @brief FP4 Header File + * + */ + +#ifndef FP4_YYY_H +#define FP4_YYY_H + +#include "fp2_YYY.h" +#include "config_curve_ZZZ.h" + +/** + @brief FP4 Structure - towered over two FP2 +*/ + +typedef struct +{ + FP2_YYY a; /**< real part of FP4 */ + FP2_YYY b; /**< imaginary part of FP4 */ +} FP4_YYY; + + +/* FP4 prototypes */ +/** @brief Tests for FP4 equal to zero + * + @param x FP4 number to be tested + @return 1 if zero, else returns 0 + */ +extern int FP4_YYY_iszilch(FP4_YYY *x); +/** @brief Tests for FP4 equal to unity + * + @param x FP4 number to be tested + @return 1 if unity, else returns 0 + */ +extern int FP4_YYY_isunity(FP4_YYY *x); +/** @brief Tests for equality of two FP4s + * + @param x FP4 instance to be compared + @param y FP4 instance to be compared + @return 1 if x=y, else returns 0 + */ +extern int FP4_YYY_equals(FP4_YYY *x,FP4_YYY *y); +/** @brief Tests for FP4 having only a real part and no imaginary part + * + @param x FP4 number to be tested + @return 1 if real, else returns 0 + */ +extern int FP4_YYY_isreal(FP4_YYY *x); +/** @brief Initialise FP4 from two FP2s + * + @param x FP4 instance to be initialised + @param a FP2 to form real part of FP4 + @param b FP2 to form imaginary part of FP4 + */ +extern void FP4_YYY_from_FP2s(FP4_YYY *x,FP2_YYY *a,FP2_YYY *b); +/** @brief Initialise FP4 from single FP2 + * + Imaginary part is set to zero + @param x FP4 instance to be initialised + @param a FP2 to form real part of FP4 + */ +extern void FP4_YYY_from_FP2(FP4_YYY *x,FP2_YYY *a); + +/** @brief Initialise FP4 from single FP2 + * + real part is set to zero + @param x FP4 instance to be initialised + @param a FP2 to form imaginary part of FP4 + */ +extern void FP4_YYY_from_FP2H(FP4_YYY *x,FP2_YYY *a); + + +/** @brief Copy FP4 to another FP4 + * + @param x FP4 instance, on exit = y + @param y FP4 instance to be copied + */ +extern void FP4_YYY_copy(FP4_YYY *x,FP4_YYY *y); +/** @brief Set FP4 to zero + * + @param x FP4 instance to be set to zero + */ +extern void FP4_YYY_zero(FP4_YYY *x); +/** @brief Set FP4 to unity + * + @param x FP4 instance to be set to one + */ +extern void FP4_YYY_one(FP4_YYY *x); +/** @brief Negation of FP4 + * + @param x FP4 instance, on exit = -y + @param y FP4 instance + */ +extern void FP4_YYY_neg(FP4_YYY *x,FP4_YYY *y); +/** @brief Conjugation of FP4 + * + If y=(a,b) on exit x=(a,-b) + @param x FP4 instance, on exit = conj(y) + @param y FP4 instance + */ +extern void FP4_YYY_conj(FP4_YYY *x,FP4_YYY *y); +/** @brief Negative conjugation of FP4 + * + If y=(a,b) on exit x=(-a,b) + @param x FP4 instance, on exit = -conj(y) + @param y FP4 instance + */ +extern void FP4_YYY_nconj(FP4_YYY *x,FP4_YYY *y); +/** @brief addition of two FP4s + * + @param x FP4 instance, on exit = y+z + @param y FP4 instance + @param z FP4 instance + */ +extern void FP4_YYY_add(FP4_YYY *x,FP4_YYY *y,FP4_YYY *z); +/** @brief subtraction of two FP4s + * + @param x FP4 instance, on exit = y-z + @param y FP4 instance + @param z FP4 instance + */ +extern void FP4_YYY_sub(FP4_YYY *x,FP4_YYY *y,FP4_YYY *z); +/** @brief Multiplication of an FP4 by an FP2 + * + @param x FP4 instance, on exit = y*a + @param y FP4 instance + @param a FP2 multiplier + */ +extern void FP4_YYY_pmul(FP4_YYY *x,FP4_YYY *y,FP2_YYY *a); + +/** @brief Multiplication of an FP4 by an FP + * + @param x FP4 instance, on exit = y*a + @param y FP4 instance + @param a FP multiplier + */ +extern void FP4_YYY_qmul(FP4_YYY *x,FP4_YYY *y,FP_YYY *a); + +/** @brief Multiplication of an FP4 by a small integer + * + @param x FP4 instance, on exit = y*i + @param y FP4 instance + @param i an integer + */ +extern void FP4_YYY_imul(FP4_YYY *x,FP4_YYY *y,int i); +/** @brief Squaring an FP4 + * + @param x FP4 instance, on exit = y^2 + @param y FP4 instance + */ +extern void FP4_YYY_sqr(FP4_YYY *x,FP4_YYY *y); +/** @brief Multiplication of two FP4s + * + @param x FP4 instance, on exit = y*z + @param y FP4 instance + @param z FP4 instance + */ +extern void FP4_YYY_mul(FP4_YYY *x,FP4_YYY *y,FP4_YYY *z); +/** @brief Inverting an FP4 + * + @param x FP4 instance, on exit = 1/y + @param y FP4 instance + */ +extern void FP4_YYY_inv(FP4_YYY *x,FP4_YYY *y); +/** @brief Formats and outputs an FP4 to the console + * + @param x FP4 instance to be printed + */ +extern void FP4_YYY_output(FP4_YYY *x); +/** @brief Formats and outputs an FP4 to the console in raw form (for debugging) + * + @param x FP4 instance to be printed + */ +extern void FP4_YYY_rawoutput(FP4_YYY *x); +/** @brief multiplies an FP4 instance by irreducible polynomial sqrt(1+sqrt(-1)) + * + @param x FP4 instance, on exit = sqrt(1+sqrt(-1)*x + */ +extern void FP4_YYY_times_i(FP4_YYY *x); +/** @brief Normalises the components of an FP4 + * + @param x FP4 instance to be normalised + */ +extern void FP4_YYY_norm(FP4_YYY *x); +/** @brief Reduces all components of possibly unreduced FP4 mod Modulus + * + @param x FP4 instance, on exit reduced mod Modulus + */ +extern void FP4_YYY_reduce(FP4_YYY *x); +/** @brief Raises an FP4 to the power of a BIG + * + @param x FP4 instance, on exit = y^b + @param y FP4 instance + @param b BIG number + */ +extern void FP4_YYY_pow(FP4_YYY *x,FP4_YYY *y,BIG_XXX b); +/** @brief Raises an FP4 to the power of the internal modulus p, using the Frobenius + * + @param x FP4 instance, on exit = x^p + @param f FP2 precalculated Frobenius constant + */ +extern void FP4_YYY_frob(FP4_YYY *x,FP2_YYY *f); +/** @brief Calculates the XTR addition function r=w*x-conj(x)*y+z + * + @param r FP4 instance, on exit = w*x-conj(x)*y+z + @param w FP4 instance + @param x FP4 instance + @param y FP4 instance + @param z FP4 instance + */ +extern void FP4_YYY_xtr_A(FP4_YYY *r,FP4_YYY *w,FP4_YYY *x,FP4_YYY *y,FP4_YYY *z); +/** @brief Calculates the XTR doubling function r=x^2-2*conj(x) + * + @param r FP4 instance, on exit = x^2-2*conj(x) + @param x FP4 instance + */ +extern void FP4_YYY_xtr_D(FP4_YYY *r,FP4_YYY *x); +/** @brief Calculates FP4 trace of an FP12 raised to the power of a BIG number + * + XTR single exponentiation + @param r FP4 instance, on exit = trace(w^b) + @param x FP4 instance, trace of an FP12 w + @param b BIG number + */ +extern void FP4_YYY_xtr_pow(FP4_YYY *r,FP4_YYY *x,BIG_XXX b); +/** @brief Calculates FP4 trace of c^a.d^b, where c and d are derived from FP4 traces of FP12s + * + XTR double exponentiation + Assumes c=tr(x^m), d=tr(x^n), e=tr(x^(m-n)), f=tr(x^(m-2n)) + @param r FP4 instance, on exit = trace(c^a.d^b) + @param c FP4 instance, trace of an FP12 + @param d FP4 instance, trace of an FP12 + @param e FP4 instance, trace of an FP12 + @param f FP4 instance, trace of an FP12 + @param a BIG number + @param b BIG number + */ +extern void FP4_YYY_xtr_pow2(FP4_YYY *r,FP4_YYY *c,FP4_YYY *d,FP4_YYY *e,FP4_YYY *f,BIG_XXX a,BIG_XXX b); + +/** @brief Conditional copy of FP4 number + * + Conditionally copies second parameter to the first (without branching) + @param x FP4 instance, set to y if s!=0 + @param y another FP4 instance + @param s copy only takes place if not equal to 0 + */ +extern void FP4_YYY_cmove(FP4_YYY *x,FP4_YYY *y,int s); + + +/** @brief Calculate square root of an FP4 + * + Square root + @param r FP4 instance, on exit = sqrt(x) + @param x FP4 instance + @return 1 x is a QR, otherwise 0 + */ +extern int FP4_YYY_sqrt(FP4_YYY *r,FP4_YYY *x); + + +/** @brief Divide FP4 number by QNR + * + Divide FP4 by the QNR + @param x FP4 instance + */ +extern void FP4_YYY_div_i(FP4_YYY *x); + +/** @brief Divide an FP4 by QNR/2 + * + Divide FP4 by the QNR/2 + @param x FP4 instance + */ +extern void FP4_YYY_div_2i(FP4_YYY *x); + + + +/** @brief Divide an FP4 by 2 + * + @param x FP4 instance, on exit = y/2 + @param y FP4 instance + */ +extern void FP4_YYY_div2(FP4_YYY *x,FP4_YYY *y); + +#endif http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp48.h.in ---------------------------------------------------------------------- diff --git a/include/fp48.h.in b/include/fp48.h.in new file mode 100644 index 0000000..8bd05ad --- /dev/null +++ b/include/fp48.h.in @@ -0,0 +1,222 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +/** + * @file fp48_YYY.h + * @author Mike Scott + * @brief FP48 Header File + * + */ + +#ifndef FP48_YYY_H +#define FP48_YYY_H + +#include "fp16_YYY.h" + +/** + @brief FP48 Structure - towered over three FP12 +*/ + +typedef struct +{ + FP16_YYY a; /**< first part of FP12 */ + FP16_YYY b; /**< second part of FP12 */ + FP16_YYY c; /**< third part of FP12 */ +} FP48_YYY; + +extern const BIG_XXX Fra_YYY; /**< real part of BN curve Frobenius Constant */ +extern const BIG_XXX Frb_YYY; /**< imaginary part of BN curve Frobenius Constant */ + +/* FP48 prototypes */ +/** @brief Tests for FP48 equal to zero + * + @param x FP48 number to be tested + @return 1 if zero, else returns 0 + */ +extern int FP48_YYY_iszilch(FP48_YYY *x); +/** @brief Tests for FP48 equal to unity + * + @param x FP48 number to be tested + @return 1 if unity, else returns 0 + */ +extern int FP48_YYY_isunity(FP48_YYY *x); +/** @brief Copy FP48 to another FP48 + * + @param x FP48 instance, on exit = y + @param y FP48 instance to be copied + */ +extern void FP48_YYY_copy(FP48_YYY *x,FP48_YYY *y); +/** @brief Set FP48 to unity + * + @param x FP48 instance to be set to one + */ +extern void FP48_YYY_one(FP48_YYY *x); +/** @brief Tests for equality of two FP48s + * + @param x FP48 instance to be compared + @param y FP48 instance to be compared + @return 1 if x=y, else returns 0 + */ +extern int FP48_YYY_equals(FP48_YYY *x,FP48_YYY *y); +/** @brief Conjugation of FP48 + * + If y=(a,b,c) (where a,b,c are its three FP16 components) on exit x=(conj(a),-conj(b),conj(c)) + @param x FP48 instance, on exit = conj(y) + @param y FP48 instance + */ +extern void FP48_YYY_conj(FP48_YYY *x,FP48_YYY *y); +/** @brief Initialise FP48 from single FP16 + * + Sets first FP16 component of an FP48, other components set to zero + @param x FP48 instance to be initialised + @param a FP16 to form first part of FP48 + */ +extern void FP48_YYY_from_FP16(FP48_YYY *x,FP16_YYY *a); +/** @brief Initialise FP48 from three FP16s + * + @param x FP48 instance to be initialised + @param a FP16 to form first part of FP48 + @param b FP16 to form second part of FP48 + @param c FP16 to form third part of FP48 + */ +extern void FP48_YYY_from_FP16s(FP48_YYY *x,FP16_YYY *a,FP16_YYY* b,FP16_YYY *c); +/** @brief Fast Squaring of an FP48 in "unitary" form + * + @param x FP48 instance, on exit = y^2 + @param y FP16 instance, must be unitary + */ +extern void FP48_YYY_usqr(FP48_YYY *x,FP48_YYY *y); +/** @brief Squaring an FP48 + * + @param x FP48 instance, on exit = y^2 + @param y FP48 instance + */ +extern void FP48_YYY_sqr(FP48_YYY *x,FP48_YYY *y); +/** @brief Fast multiplication of an FP48 by an FP48 that arises from an ATE pairing line function + * + Here the multiplier has a special form that can be exploited + @param x FP48 instance, on exit = x*y + @param y FP48 instance, of special form + @param t D_TYPE or M_TYPE twist + */ +extern void FP48_YYY_smul(FP48_YYY *x,FP48_YYY *y,int t); +/** @brief Multiplication of two FP48s + * + @param x FP48 instance, on exit = x*y + @param y FP48 instance, the multiplier + */ +extern void FP48_YYY_mul(FP48_YYY *x,FP48_YYY *y); +/** @brief Inverting an FP48 + * + @param x FP48 instance, on exit = 1/y + @param y FP48 instance + */ +extern void FP48_YYY_inv(FP48_YYY *x,FP48_YYY *y); +/** @brief Raises an FP48 to the power of a BIG + * + @param r FP48 instance, on exit = y^b + @param x FP48 instance + @param b BIG number + */ +extern void FP48_YYY_pow(FP48_YYY *r,FP48_YYY *x,BIG_XXX b); + +//extern void FP48_ppow(FP48 *r,FP48 *x,BIG b); + +/** @brief Raises an FP48 instance x to a small integer power, side-channel resistant + * + @param x FP48 instance, on exit = x^i + @param i small integer exponent + @param b maximum number of bits in exponent + */ +extern void FP48_YYY_pinpow(FP48_YYY *x,int i,int b); + +/** @brief Raises an FP48 instance x to a BIG_XXX power, compressed to FP16 + * + @param c FP16 instance, on exit = x^(e mod r) as FP16 + @param x FP48 input + @param e BIG exponent + @param r BIG group order + */ +extern void FP48_YYY_compow(FP16_YYY *c,FP48_YYY *x,BIG_XXX e,BIG_XXX r); + +/** @brief Calculate Pi x[i]^b[i] for i=0 to 15, side-channel resistant + * + @param r FP48 instance, on exit = Pi x[i]^b[i] for i=0 to 15 + @param x FP48 array with 16 FP48s + @param b BIG array of 16 exponents + */ +extern void FP48_YYY_pow16(FP48_YYY *r,FP48_YYY *x,BIG_XXX *b); + + +/** @brief Raises an FP48 to the power of the internal modulus p, using the Frobenius + * + @param x FP48 instance, on exit = x^p^n + @param f FP2 precalculated Frobenius constant + @param n power of p + */ +extern void FP48_YYY_frob(FP48_YYY *x,FP2_YYY *f,int n); + +/** @brief Reduces all components of possibly unreduced FP48 mod Modulus + * + @param x FP48 instance, on exit reduced mod Modulus + */ +extern void FP48_YYY_reduce(FP48_YYY *x); +/** @brief Normalises the components of an FP48 + * + @param x FP48 instance to be normalised + */ +extern void FP48_YYY_norm(FP48_YYY *x); +/** @brief Formats and outputs an FP48 to the console + * + @param x FP48 instance to be printed + */ +extern void FP48_YYY_output(FP48_YYY *x); +/** @brief Formats and outputs an FP48 instance to an octet string + * + Serializes the components of an FP48 to big-endian base 256 form. + @param S output octet string + @param x FP48 instance to be converted to an octet string + */ +extern void FP48_YYY_toOctet(octet *S,FP48_YYY *x); +/** @brief Creates an FP48 instance from an octet string + * + De-serializes the components of an FP48 to create an FP48 from big-endian base 256 components. + @param x FP48 instance to be created from an octet string + @param S input octet string + + */ +extern void FP48_YYY_fromOctet(FP48_YYY *x,octet *S); +/** @brief Calculate the trace of an FP48 + * + @param t FP16 trace of x, on exit = tr(x) + @param x FP48 instance + + */ +extern void FP48_YYY_trace(FP16_YYY *t,FP48_YYY *x); + +/** @brief Conditional copy of FP48 number + * + Conditionally copies second parameter to the first (without branching) + @param x FP48 instance, set to y if s!=0 + @param y another FP48 instance + @param s copy only takes place if not equal to 0 + */ +extern void FP48_YYY_cmove(FP48_YYY *x,FP48_YYY *y,int s); + +#endif http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/fp8.h.in ---------------------------------------------------------------------- diff --git a/include/fp8.h.in b/include/fp8.h.in new file mode 100644 index 0000000..012208f --- /dev/null +++ b/include/fp8.h.in @@ -0,0 +1,320 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +/** + * @file fp8_YYY.h + * @author Mike Scott + * @brief FP8 Header File + * + */ + +#ifndef FP8_YYY_H +#define FP8_YYY_H + +#include "fp4_YYY.h" +#include "config_curve_ZZZ.h" + + +/** + @brief FP8 Structure - towered over two FP4 +*/ + +typedef struct +{ + FP4_YYY a; /**< real part of FP8 */ + FP4_YYY b; /**< imaginary part of FP8 */ +} FP8_YYY; + + +/* FP8 prototypes */ +/** @brief Tests for FP8 equal to zero + * + @param x FP8 number to be tested + @return 1 if zero, else returns 0 + */ +extern int FP8_YYY_iszilch(FP8_YYY *x); +/** @brief Tests for FP8 equal to unity + * + @param x FP8 number to be tested + @return 1 if unity, else returns 0 + */ +extern int FP8_YYY_isunity(FP8_YYY *x); +/** @brief Tests for equality of two FP8s + * + @param x FP8 instance to be compared + @param y FP8 instance to be compared + @return 1 if x=y, else returns 0 + */ +extern int FP8_YYY_equals(FP8_YYY *x,FP8_YYY *y); +/** @brief Tests for FP8 having only a real part and no imaginary part + * + @param x FP8 number to be tested + @return 1 if real, else returns 0 + */ +extern int FP8_YYY_isreal(FP8_YYY *x); +/** @brief Initialise FP8 from two FP4s + * + @param x FP8 instance to be initialised + @param a FP4 to form real part of FP8 + @param b FP4 to form imaginary part of FP8 + */ +extern void FP8_YYY_from_FP4s(FP8_YYY *x,FP4_YYY *a,FP4_YYY *b); +/** @brief Initialise FP8 from single FP4 + * + Imaginary part is set to zero + @param x FP8 instance to be initialised + @param a FP4 to form real part of FP8 + */ +extern void FP8_YYY_from_FP4(FP8_YYY *x,FP4_YYY *a); + +/** @brief Initialise FP8 from single FP4 + * + real part is set to zero + @param x FP8 instance to be initialised + @param a FP4 to form imaginary part of FP8 + */ +extern void FP8_YYY_from_FP4H(FP8_YYY *x,FP4_YYY *a); + + +/** @brief Copy FP8 to another FP8 + * + @param x FP8 instance, on exit = y + @param y FP8 instance to be copied + */ +extern void FP8_YYY_copy(FP8_YYY *x,FP8_YYY *y); +/** @brief Set FP8 to zero + * + @param x FP8 instance to be set to zero + */ +extern void FP8_YYY_zero(FP8_YYY *x); +/** @brief Set FP8 to unity + * + @param x FP8 instance to be set to one + */ +extern void FP8_YYY_one(FP8_YYY *x); +/** @brief Negation of FP8 + * + @param x FP8 instance, on exit = -y + @param y FP8 instance + */ +extern void FP8_YYY_neg(FP8_YYY *x,FP8_YYY *y); +/** @brief Conjugation of FP8 + * + If y=(a,b) on exit x=(a,-b) + @param x FP8 instance, on exit = conj(y) + @param y FP8 instance + */ +extern void FP8_YYY_conj(FP8_YYY *x,FP8_YYY *y); +/** @brief Negative conjugation of FP8 + * + If y=(a,b) on exit x=(-a,b) + @param x FP8 instance, on exit = -conj(y) + @param y FP8 instance + */ +extern void FP8_YYY_nconj(FP8_YYY *x,FP8_YYY *y); +/** @brief addition of two FP8s + * + @param x FP8 instance, on exit = y+z + @param y FP8 instance + @param z FP8 instance + */ +extern void FP8_YYY_add(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); +/** @brief subtraction of two FP8s + * + @param x FP8 instance, on exit = y-z + @param y FP8 instance + @param z FP8 instance + */ +extern void FP8_YYY_sub(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); +/** @brief Multiplication of an FP8 by an FP4 + * + @param x FP8 instance, on exit = y*a + @param y FP8 instance + @param a FP4 multiplier + */ +extern void FP8_YYY_pmul(FP8_YYY *x,FP8_YYY *y,FP4_YYY *a); + +/** @brief Multiplication of an FP8 by an FP2 + * + @param x FP8 instance, on exit = y*a + @param y FP8 instance + @param a FP2 multiplier + */ +extern void FP8_YYY_qmul(FP8_YYY *x,FP8_YYY *y,FP2_YYY *a); + +/** @brief Multiplication of an FP8 by an FP + * + @param x FP8 instance, on exit = y*a + @param y FP8 instance + @param a FP multiplier + */ +extern void FP8_YYY_tmul(FP8_YYY *x,FP8_YYY *y,FP_YYY *a); + +/** @brief Multiplication of an FP8 by a small integer + * + @param x FP8 instance, on exit = y*i + @param y FP8 instance + @param i an integer + */ +extern void FP8_YYY_imul(FP8_YYY *x,FP8_YYY *y,int i); +/** @brief Squaring an FP8 + * + @param x FP8 instance, on exit = y^2 + @param y FP8 instance + */ +extern void FP8_YYY_sqr(FP8_YYY *x,FP8_YYY *y); +/** @brief Multiplication of two FP8s + * + @param x FP8 instance, on exit = y*z + @param y FP8 instance + @param z FP8 instance + */ +extern void FP8_YYY_mul(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); +/** @brief Inverting an FP8 + * + @param x FP8 instance, on exit = 1/y + @param y FP8 instance + */ +extern void FP8_YYY_inv(FP8_YYY *x,FP8_YYY *y); +/** @brief Formats and outputs an FP8 to the console + * + @param x FP8 instance to be printed + */ +extern void FP8_YYY_output(FP8_YYY *x); +/** @brief Formats and outputs an FP8 to the console in raw form (for debugging) + * + @param x FP8 instance to be printed + */ +extern void FP8_YYY_rawoutput(FP8_YYY *x); +/** @brief multiplies an FP8 instance by irreducible polynomial sqrt(1+sqrt(-1)) + * + @param x FP8 instance, on exit = sqrt(1+sqrt(-1)*x + */ +extern void FP8_YYY_times_i(FP8_YYY *x); +/** @brief multiplies an FP8 instance by irreducible polynomial (1+sqrt(-1)) + * + @param x FP8 instance, on exit = (1+sqrt(-1)*x + */ +extern void FP8_YYY_times_i2(FP8_YYY *x); + +/** @brief Normalises the components of an FP8 + * + @param x FP8 instance to be normalised + */ +extern void FP8_YYY_norm(FP8_YYY *x); +/** @brief Reduces all components of possibly unreduced FP8 mod Modulus + * + @param x FP8 instance, on exit reduced mod Modulus + */ +extern void FP8_YYY_reduce(FP8_YYY *x); +/** @brief Raises an FP8 to the power of a BIG + * + @param x FP8 instance, on exit = y^b + @param y FP8 instance + @param b BIG number + */ +extern void FP8_YYY_pow(FP8_YYY *x,FP8_YYY *y,BIG_XXX b); +/** @brief Raises an FP8 to the power of the internal modulus p, using the Frobenius + * + @param x FP8 instance, on exit = x^p + @param f FP2 precalculated Frobenius constant + */ +extern void FP8_YYY_frob(FP8_YYY *x,FP2_YYY *f); +/** @brief Calculates the XTR addition function r=w*x-conj(x)*y+z + * + @param r FP8 instance, on exit = w*x-conj(x)*y+z + @param w FP8 instance + @param x FP8 instance + @param y FP8 instance + @param z FP8 instance + */ +extern void FP8_YYY_xtr_A(FP8_YYY *r,FP8_YYY *w,FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); +/** @brief Calculates the XTR doubling function r=x^2-2*conj(x) + * + @param r FP8 instance, on exit = x^2-2*conj(x) + @param x FP8 instance + */ +extern void FP8_YYY_xtr_D(FP8_YYY *r,FP8_YYY *x); +/** @brief Calculates FP8 trace of an FP12 raised to the power of a BIG number + * + XTR single exponentiation + @param r FP8 instance, on exit = trace(w^b) + @param x FP8 instance, trace of an FP12 w + @param b BIG number + */ +extern void FP8_YYY_xtr_pow(FP8_YYY *r,FP8_YYY *x,BIG_XXX b); +/** @brief Calculates FP8 trace of c^a.d^b, where c and d are derived from FP8 traces of FP12s + * + XTR double exponentiation + Assumes c=tr(x^m), d=tr(x^n), e=tr(x^(m-n)), f=tr(x^(m-2n)) + @param r FP8 instance, on exit = trace(c^a.d^b) + @param c FP8 instance, trace of an FP12 + @param d FP8 instance, trace of an FP12 + @param e FP8 instance, trace of an FP12 + @param f FP8 instance, trace of an FP12 + @param a BIG number + @param b BIG number + */ +extern void FP8_YYY_xtr_pow2(FP8_YYY *r,FP8_YYY *c,FP8_YYY *d,FP8_YYY *e,FP8_YYY *f,BIG_XXX a,BIG_XXX b); + + +/** @brief Calculate square root of an FP8 + * + Square root + @param r FP8 instance, on exit = sqrt(x) + @param x FP8 instance + @return 1 x is a QR, otherwise 0 + */ +extern int FP8_YYY_sqrt(FP8_YYY *r,FP8_YYY *x); + + +/** @brief Conditional copy of FP8 number + * + Conditionally copies second parameter to the first (without branching) + @param x FP8 instance, set to y if s!=0 + @param y another FP8 instance + @param s copy only takes place if not equal to 0 + */ +extern void FP8_YYY_cmove(FP8_YYY *x,FP8_YYY *y,int s); + + +/** @brief Divide FP8 number by QNR + * + Divide FP8 by the QNR + @param x FP8 instance + */ +extern void FP8_YYY_div_i(FP8_YYY *x); + +/** @brief Divide FP8 number by QNR twice + * + Divide FP8 by the QNR twice + @param x FP8 instance + */ +extern void FP8_YYY_div_i2(FP8_YYY *x); + +/** @brief Divide FP8 number by QNR/2 + * + Divide FP8 by the QNR/2 + @param x FP8 instance + */ +extern void FP8_YYY_div_2i(FP8_YYY *x); + + +#endif + http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/mpin.h.in ---------------------------------------------------------------------- diff --git a/include/mpin.h.in b/include/mpin.h.in new file mode 100644 index 0000000..98ef7e6 --- /dev/null +++ b/include/mpin.h.in @@ -0,0 +1,357 @@ +/* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +*/ + +/** + * @file mpin_ZZZ.h + * @author Mike Scott + * @brief M-Pin Header file + * + * + */ + +#ifndef MPIN_ZZZ_H +#define MPIN_ZZZ_H + +#include "pair_ZZZ.h" +#include "pbc_support.h" + +/* Field size is assumed to be greater than or equal to group size */ + +#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */ +#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */ + +#define MPIN_OK 0 /**< Function completed without error */ +#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */ +#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */ + +#define MPIN_PAS 16 /**< MPIN Symmetric Key Size */ +#define MAXPIN @AMCL_MAXPIN@ /**< max PIN */ +#define PBLEN @AMCL_PBLEN@ /**< max length of PIN in bits */ + +#define MESSAGE_SIZE 256 /**< Signature message size */ +#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */ + +/* MPIN support functions */ + +/* MPIN primitives */ + + +/** @brief Generate Y=H(s,O), where s is epoch time, O is an octet, and H(.) is a hash function + * + @param h is the hash type + @param t is epoch time in seconds + @param O is an input octet + @param Y is the output octet +*/ +void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y); + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param factor is an input factor + @param facbits is the number of bits in the factor + @param CS is the client secret from which the factor is to be extracted + @return 0 or an error code + */ +int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param factor is an input factor + @param facbits is the number of bits in the factor + @param CS is the client secret to which the factor is to be added + @return 0 or an error code + */ +int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); + + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param pin is an input PIN number + @param CS is the client secret from which the PIN is to be extracted + @return 0 or an error code + */ +int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS); + + + +/** @brief Perform client side of the one-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input client identity + @param R is a pointer to a cryptographically secure random number generator + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param pin is the input PIN number + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit + @param U is output = x.H(ID) + @param UT is output = x.(H(ID)+H(d|H(ID))) + @param TP is the input time permit + @param MESSAGE is the message to be signed + @param t is input epoch time in seconds - a timestamp + @param y is output H(t|U) or H(t|UT) if Time Permits enabled + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y); + +/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input client identity + @param R is a pointer to a cryptographically secure random number generator + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param pin is the input PIN number + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit + @param U is output = x.H(ID) + @param UT is output = x.(H(ID)+H(d|H(ID))) + @param TP is the input time permit + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP); + +/** @brief Generate a random group element + * + @param R is a pointer to a cryptographically secure random number generator + @param S is the output random octet + @return 0 or an error code + */ +int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S); + +/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol + * + @param x an input, a locally generated random number + @param y an input random challenge from the server + @param V on output = -(x+y).V + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V); + +/** @brief Perform server side of the one-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param HID is output H(ID), a hash of the client ID + @param HTID is output H(ID)+H(d|H(ID)) + @param y is output H(t|U) or H(t|UT) if Time Permits enabled + @param SS is the input server secret + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param V is an input from the client + @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param ID is the input claimed client identity + @param MESSAGE is the message to be signed + @param t is input epoch time in seconds - a timestamp + @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa); + +/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol + * + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input claimed client identity + @param HID is output H(ID), a hash of the client ID + @param HTID is output H(ID)+H(d|H(ID)) + @return 0 or an error code + */ +void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID); + +/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param HID is input H(ID), a hash of the client ID + @param HTID is input H(ID)+H(d|H(ID)) + @param y is the input server's randomly generated challenge + @param SS is the input server secret + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param V is an input from the client + @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa); + +/** @brief Add two members from the group G1 + * + @param Q1 an input member of G1 + @param Q2 an input member of G1 + @param Q an output member of G1 = Q1+Q2 + @return 0 or an error code + */ +int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q); + +/** @brief Add two members from the group G2 + * + @param P1 an input member of G2 + @param P2 an input member of G2 + @param P an output member of G2 = P1+P2 + @return 0 or an error code + */ +int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P); + +/** @brief Use Kangaroos to find PIN error + * + @param E a member of the group GT + @param F a member of the group GT = E^e + @return 0 if Kangaroos failed, or the PIN error e + */ +int MPIN_ZZZ_KANGAROO(octet *E,octet *F); + +/** @brief Encoding of a Time Permit to make it indistinguishable from a random string + * + @param R is a pointer to a cryptographically secure random number generator + @param TP is the input time permit, obfuscated on output + @return 0 or an error code + */ +int MPIN_ZZZ_ENCODING(csprng *R,octet *TP); + +/** @brief Encoding of an obfuscated Time Permit + * + @param TP is the input obfuscated time permit, restored on output + @return 0 or an error code + */ +int MPIN_ZZZ_DECODING(octet *TP); + +/** @brief Find a random multiple of a point in G1 + * + @param R is a pointer to a cryptographically secure random number generator + @param type determines type of action to be taken + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param G if type=0 a point in G1, else an octet to be mapped to G1 + @param W the output =x.G or x.M(G), where M(.) is a mapping + @return 0 or an error code + */ +int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); + +/** @brief Find a random multiple of a point in G1 + * + @param R is a pointer to a cryptographically secure random number generator + @param type determines type of action to betaken + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param G a point in G2 + @param W the output =x.G or (1/x).G + @return 0 or an error code + */ +int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); + +/** @brief Create a client secret in G1 from a master secret and the client ID + * + @param S is an input master secret + @param ID is the input client identity + @param CS is the full client secret = s.H(ID) + @return 0 or an error code + */ +int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS); + +/** @brief Create a Time Permit in G1 from a master secret and the client ID + * + @param h is the hash type + @param d is input date, in days since the epoch. + @param S is an input master secret + @param ID is the input client identity + @param TP is a Time Permit for the given date = s.H(d|H(ID)) + @return 0 or an error code + */ +int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP); + +/** @brief Create a server secret in G2 from a master secret + * + @param S is an input master secret + @param SS is the server secret = s.Q where Q is a fixed generator of G2 + @return 0 or an error code + */ +int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS); + +/* For M-Pin Full */ +/** @brief Precompute values for use by the client side of M-Pin Full + * + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param ID is the input client identity + @param CP is Public Key (or NULL) + @param g1 precomputed output + @param g2 precomputed output + @return 0 or an error code + */ +int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2); + +/** @brief Calculate Key on Server side for M-Pin Full + * + Uses UT internally for the key calculation, unless not available in which case U is used + @param h is the hash type + @param Z is the input Client-side Diffie-Hellman component + @param SS is the input server secret + @param w is an input random number generated by the server + @param p is an input, hash of the protocol transcript + @param I is the hashed input client ID = H(ID) + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param K is the output calculated shared key + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K); + +/** @brief Calculate Key on Client side for M-Pin Full + * + @param h is the hash type + @param g1 precomputed input + @param g2 precomputed input + @param pin is the input PIN number + @param r is an input, a locally generated random number + @param x is an input, a locally generated random number + @param p is an input, hash of the protocol transcript + @param T is the input Server-side Diffie-Hellman component + @param K is the output calculated shared key + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K); + +/** @brief Generates a random public key for the client z.Q + * + @param R is a pointer to a cryptographically secure random number generator + @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input + @param Pa the output public key for the client + */ +int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa); + +#endif + http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/mpin192.h.in ---------------------------------------------------------------------- diff --git a/include/mpin192.h.in b/include/mpin192.h.in new file mode 100644 index 0000000..dbb980a --- /dev/null +++ b/include/mpin192.h.in @@ -0,0 +1,358 @@ +/* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +*/ + +/** + * @file mpin192_ZZZ.h + * @author Mike Scott and Kealan McCusker + * @date 2nd June 2015 + * @brief M-Pin 192 Header file + * + * Allows some user configuration + * defines structures + * declares functions + * + */ + +#ifndef MPIN_ZZZ_H +#define MPIN_ZZZ_H + +#include "pair192_ZZZ.h" +#include "pbc_support.h" + +/* Field size is assumed to be greater than or equal to group size */ + +#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */ +#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */ + +#define MPIN_OK 0 /**< Function completed without error */ +#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */ +#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */ + +#define MAXPIN @AMCL_MAXPIN@ /**< max PIN */ +#define PBLEN @AMCL_PBLEN@ /**< max length of PIN in bits */ + +#define MESSAGE_SIZE 256 /**< Signature message size */ +#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */ + + +/* MPIN support functions */ + +/* MPIN primitives */ + +/** @brief Generate Y=H(t,O), where t is epoch time, O is an octet, and H(.) is a hash function + * + @param h is the hash type + @param t is epoch time in seconds + @param O is an input octet + @param Y is the output octet +*/ +void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y); + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param factor is an input factor + @param facbits is the number of bits in the factor + @param CS is the client secret from which the factor is to be extracted + @return 0 or an error code + */ +int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param factor is an input factor + @param facbits is the number of bits in the factor + @param CS is the client secret to which the factor is to be added + @return 0 or an error code + */ +int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); + + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param pin is an input PIN number + @param CS is the client secret from which the PIN is to be extracted + @return 0 or an error code + */ +int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS); + +/** @brief Perform client side of the one-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input client identity + @param R is a pointer to a cryptographically secure random number generator + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param pin is the input PIN number + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit + @param U is output = x.H(ID) + @param UT is output = x.(H(ID)+H(d|H(ID))) + @param TP is the input time permit + @param MESSAGE is the message to be signed + @param t is input epoch time in seconds - a timestamp + @param y is output H(t|U) or H(t|UT) if Time Permits enabled + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y); + +/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input client identity + @param R is a pointer to a cryptographically secure random number generator + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param pin is the input PIN number + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit + @param U is output = x.H(ID) + @param UT is output = x.(H(ID)+H(d|H(ID))) + @param TP is the input time permit + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP); + +/** @brief Generate a random group element + * + @param R is a pointer to a cryptographically secure random number generator + @param S is the output random octet + @return 0 or an error code + */ +int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S); + +/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol + * + @param x an input, a locally generated random number + @param y an input random challenge from the server + @param V on output = -(x+y).V + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V); + +/** @brief Perform server side of the one-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param HID is output H(ID), a hash of the client ID + @param HTID is output H(ID)+H(d|H(ID)) + @param y is output H(t|U) or H(t|UT) if Time Permits enabled + @param SS is the input server secret + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param V is an input from the client + @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param ID is the input claimed client identity + @param MESSAGE is the message to be signed + @param t is input epoch time in seconds - a timestamp + @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa); + +/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol + * + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input claimed client identity + @param HID is output H(ID), a hash of the client ID + @param HTID is output H(ID)+H(d|H(ID)) + @return 0 or an error code + */ +void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID); + +/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param HID is input H(ID), a hash of the client ID + @param HTID is input H(ID)+H(d|H(ID)) + @param y is the input server's randomly generated challenge + @param SS is the input server secret + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param V is an input from the client + @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa); + +/** @brief Add two members from the group G1 + * + @param Q1 an input member of G1 + @param Q2 an input member of G1 + @param Q an output member of G1 = Q1+Q2 + @return 0 or an error code + */ +int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q); + +/** @brief Add two members from the group G2 + * + @param P1 an input member of G2 + @param P2 an input member of G2 + @param P an output member of G2 = P1+P2 + @return 0 or an error code + */ +int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P); + +/** @brief Use Kangaroos to find PIN error + * + @param E a member of the group GT + @param F a member of the group GT = E^e + @return 0 if Kangaroos failed, or the PIN error e + */ +int MPIN_ZZZ_KANGAROO(octet *E,octet *F); + +/** @brief Encoding of a Time Permit to make it indistinguishable from a random string + * + @param R is a pointer to a cryptographically secure random number generator + @param TP is the input time permit, obfuscated on output + @return 0 or an error code + */ +int MPIN_ZZZ_ENCODING(csprng *R,octet *TP); + +/** @brief Encoding of an obfuscated Time Permit + * + @param TP is the input obfuscated time permit, restored on output + @return 0 or an error code + */ +int MPIN_ZZZ_DECODING(octet *TP); + +/** @brief Find a random multiple of a point in G1 + * + @param R is a pointer to a cryptographically secure random number generator + @param type determines type of action to be taken + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param G if type=0 a point in G1, else an octet to be mapped to G1 + @param W the output =x.G or x.M(G), where M(.) is a mapping + @return 0 or an error code + */ +int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); + +/** @brief Find a random multiple of a point in G1 + * + @param R is a pointer to a cryptographically secure random number generator + @param type determines type of action to betaken + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param G a point in G2 + @param W the output =x.G or (1/x).G + @return 0 or an error code + */ +int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); + +/** @brief Create a client secret in G1 from a master secret and the client ID + * + @param S is an input master secret + @param ID is the input client identity + @param CS is the full client secret = s.H(ID) + @return 0 or an error code + */ +int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS); + +/** @brief Create a Time Permit in G1 from a master secret and the client ID + * + @param h is the hash type + @param d is input date, in days since the epoch. + @param S is an input master secret + @param ID is the input client identity + @param TP is a Time Permit for the given date = s.H(d|H(ID)) + @return 0 or an error code + */ +int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP); + +/** @brief Create a server secret in G2 from a master secret + * + @param S is an input master secret + @param SS is the server secret = s.Q where Q is a fixed generator of G2 + @return 0 or an error code + */ +int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS); + +/* For M-Pin Full */ +/** @brief Precompute values for use by the client side of M-Pin Full + * + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param ID is the input client identity + @param CP is Public Key (or NULL) + @param g1 precomputed output + @param g2 precomputed output + @return 0 or an error code + */ +int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2); + +/** @brief Calculate Key on Server side for M-Pin Full + * + Uses UT internally for the key calculation, unless not available in which case U is used + @param h is the hash type + @param Z is the input Client-side Diffie-Hellman component + @param SS is the input server secret + @param w is an input random number generated by the server + @param p is an input, hash of the protocol transcript + @param I is the hashed input client ID = H(ID) + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param K is the output calculated shared key + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K); + +/** @brief Calculate Key on Client side for M-Pin Full + * + @param h is the hash type + @param g1 precomputed input + @param g2 precomputed input + @param pin is the input PIN number + @param r is an input, a locally generated random number + @param x is an input, a locally generated random number + @param p is an input, hash of the protocol transcript + @param T is the input Server-side Diffie-Hellman component + @param K is the output calculated shared key + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K); + +/** @brief Generates a random public key for the client z.Q + * + @param R is a pointer to a cryptographically secure random number generator + @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input + @param Pa the output public key for the client + */ +int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa); + +#endif + http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/mpin256.h.in ---------------------------------------------------------------------- diff --git a/include/mpin256.h.in b/include/mpin256.h.in new file mode 100644 index 0000000..d66149a --- /dev/null +++ b/include/mpin256.h.in @@ -0,0 +1,358 @@ +/* +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +*/ + +/** + * @file mpin256_ZZZ.h + * @author Mike Scott and Kealan McCusker + * @date 2nd June 2015 + * @brief M-Pin 256 Header file + * + * Allows some user configuration + * defines structures + * declares functions + * + */ + +#ifndef MPIN_ZZZ_H +#define MPIN_ZZZ_H + +#include "pair256_ZZZ.h" +#include "pbc_support.h" + + +/* Field size is assumed to be greater than or equal to group size */ + +#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */ +#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */ + +#define MPIN_OK 0 /**< Function completed without error */ +#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */ +#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */ + +#define MAXPIN @AMCL_MAXPIN@ /**< max PIN */ +#define PBLEN @AMCL_PBLEN@ /**< max length of PIN in bits */ + +#define MESSAGE_SIZE 256 /**< Signature message size */ +#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */ + +/* MPIN support functions */ + +/* MPIN primitives */ + +/** @brief Generate Y=H(t,O), where t is epoch time, O is an octet, and H(.) is a hash function + * + @param h is the hash type + @param t is epoch time in seconds + @param O is an input octet + @param Y is the output octet +*/ +void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y); + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param factor is an input factor + @param facbits is the number of bits in the factor + @param CS is the client secret from which the factor is to be extracted + @return 0 or an error code + */ +int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param factor is an input factor + @param facbits is the number of bits in the factor + @param CS is the client secret to which the factor is to be added + @return 0 or an error code + */ +int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); + + +/** @brief Extract a PIN number from a client secret + * + @param h is the hash type + @param ID is the input client identity + @param pin is an input PIN number + @param CS is the client secret from which the PIN is to be extracted + @return 0 or an error code + */ +int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS); + +/** @brief Perform client side of the one-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input client identity + @param R is a pointer to a cryptographically secure random number generator + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param pin is the input PIN number + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit + @param U is output = x.H(ID) + @param UT is output = x.(H(ID)+H(d|H(ID))) + @param TP is the input time permit + @param MESSAGE is the message to be signed + @param t is input epoch time in seconds - a timestamp + @param y is output H(t|U) or H(t|UT) if Time Permits enabled + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y); + +/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input client identity + @param R is a pointer to a cryptographically secure random number generator + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param pin is the input PIN number + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit + @param U is output = x.H(ID) + @param UT is output = x.(H(ID)+H(d|H(ID))) + @param TP is the input time permit + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP); + +/** @brief Generate a random group element + * + @param R is a pointer to a cryptographically secure random number generator + @param S is the output random octet + @return 0 or an error code + */ +int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S); + +/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol + * + @param x an input, a locally generated random number + @param y an input random challenge from the server + @param V on output = -(x+y).V + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V); + +/** @brief Perform server side of the one-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param HID is output H(ID), a hash of the client ID + @param HTID is output H(ID)+H(d|H(ID)) + @param y is output H(t|U) or H(t|UT) if Time Permits enabled + @param SS is the input server secret + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param V is an input from the client + @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param ID is the input claimed client identity + @param MESSAGE is the message to be signed + @param t is input epoch time in seconds - a timestamp + @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa); + +/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol + * + @param h is the hash type + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param ID is the input claimed client identity + @param HID is output H(ID), a hash of the client ID + @param HTID is output H(ID)+H(d|H(ID)) + @return 0 or an error code + */ +void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID); + +/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol + * + If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. + If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. + @param d is input date, in days since the epoch. Set to 0 if Time permits disabled + @param HID is input H(ID), a hash of the client ID + @param HTID is input H(ID)+H(d|H(ID)) + @param y is the input server's randomly generated challenge + @param SS is the input server secret + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param V is an input from the client + @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required + @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa); + +/** @brief Add two members from the group G1 + * + @param Q1 an input member of G1 + @param Q2 an input member of G1 + @param Q an output member of G1 = Q1+Q2 + @return 0 or an error code + */ +int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q); + +/** @brief Add two members from the group G2 + * + @param P1 an input member of G2 + @param P2 an input member of G2 + @param P an output member of G2 = P1+P2 + @return 0 or an error code + */ +int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P); + +/** @brief Use Kangaroos to find PIN error + * + @param E a member of the group GT + @param F a member of the group GT = E^e + @return 0 if Kangaroos failed, or the PIN error e + */ +int MPIN_ZZZ_KANGAROO(octet *E,octet *F); + +/** @brief Encoding of a Time Permit to make it indistinguishable from a random string + * + @param R is a pointer to a cryptographically secure random number generator + @param TP is the input time permit, obfuscated on output + @return 0 or an error code + */ +int MPIN_ZZZ_ENCODING(csprng *R,octet *TP); + +/** @brief Encoding of an obfuscated Time Permit + * + @param TP is the input obfuscated time permit, restored on output + @return 0 or an error code + */ +int MPIN_ZZZ_DECODING(octet *TP); + +/** @brief Find a random multiple of a point in G1 + * + @param R is a pointer to a cryptographically secure random number generator + @param type determines type of action to be taken + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param G if type=0 a point in G1, else an octet to be mapped to G1 + @param W the output =x.G or x.M(G), where M(.) is a mapping + @return 0 or an error code + */ +int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); + +/** @brief Find a random multiple of a point in G1 + * + @param R is a pointer to a cryptographically secure random number generator + @param type determines type of action to betaken + @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input + @param G a point in G2 + @param W the output =x.G or (1/x).G + @return 0 or an error code + */ +int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); + +/** @brief Create a client secret in G1 from a master secret and the client ID + * + @param S is an input master secret + @param ID is the input client identity + @param CS is the full client secret = s.H(ID) + @return 0 or an error code + */ +int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS); + +/** @brief Create a Time Permit in G1 from a master secret and the client ID + * + @param h is the hash type + @param d is input date, in days since the epoch. + @param S is an input master secret + @param ID is the input client identity + @param TP is a Time Permit for the given date = s.H(d|H(ID)) + @return 0 or an error code + */ +int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP); + +/** @brief Create a server secret in G2 from a master secret + * + @param S is an input master secret + @param SS is the server secret = s.Q where Q is a fixed generator of G2 + @return 0 or an error code + */ +int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS); + +/* For M-Pin Full */ +/** @brief Precompute values for use by the client side of M-Pin Full + * + @param T is the input M-Pin token (the client secret with PIN portion removed) + @param ID is the input client identity + @param CP is Public Key (or NULL) + @param g1 precomputed output + @param g2 precomputed output + @return 0 or an error code + */ +int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2); + +/** @brief Calculate Key on Server side for M-Pin Full + * + Uses UT internally for the key calculation, unless not available in which case U is used + @param h is the hash type + @param Z is the input Client-side Diffie-Hellman component + @param SS is the input server secret + @param w is an input random number generated by the server + @param p is an input, hash of the protocol transcript + @param I is the hashed input client ID = H(ID) + @param U is input from the client = x.H(ID) + @param UT is input from the client= x.(H(ID)+H(d|H(ID))) + @param K is the output calculated shared key + @return 0 or an error code + */ +int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K); + +/** @brief Calculate Key on Client side for M-Pin Full + * + @param h is the hash type + @param g1 precomputed input + @param g2 precomputed input + @param pin is the input PIN number + @param r is an input, a locally generated random number + @param x is an input, a locally generated random number + @param p is an input, hash of the protocol transcript + @param T is the input Server-side Diffie-Hellman component + @param K is the output calculated shared key + @return 0 or an error code + */ +int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K); + +/** @brief Generates a random public key for the client z.Q + * + @param R is a pointer to a cryptographically secure random number generator + @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input + @param Pa the output public key for the client + */ +int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa); + +#endif + http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/pair.h.in ---------------------------------------------------------------------- diff --git a/include/pair.h.in b/include/pair.h.in new file mode 100644 index 0000000..ef065e5 --- /dev/null +++ b/include/pair.h.in @@ -0,0 +1,103 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +/** + * @file pair_ZZZ.h + * @author Mike Scott + * @brief PAIR Header File + * + */ + +#ifndef PAIR_ZZZ_H +#define PAIR_ZZZ_H + +#include "fp12_YYY.h" +#include "ecp2_ZZZ.h" +#include "ecp_ZZZ.h" + +/* Pairing constants */ + +extern const BIG_XXX CURVE_Bnx_ZZZ; /**< BN curve x parameter */ +extern const BIG_XXX CURVE_Cru_ZZZ; /**< BN curve Cube Root of Unity */ + +extern const BIG_XXX CURVE_W_ZZZ[2]; /**< BN curve constant for GLV decomposition */ +extern const BIG_XXX CURVE_SB_ZZZ[2][2]; /**< BN curve constant for GLV decomposition */ +extern const BIG_XXX CURVE_WB_ZZZ[4]; /**< BN curve constant for GS decomposition */ +extern const BIG_XXX CURVE_BB_ZZZ[4][4]; /**< BN curve constant for GS decomposition */ + +/* Pairing function prototypes */ +/** @brief Calculate Miller loop for Optimal ATE pairing e(P,Q) + * + @param r FP12 result of the pairing calculation e(P,Q) + @param P ECP2 instance, an element of G2 + @param Q ECP instance, an element of G1 + + */ +extern void PAIR_ZZZ_ate(FP12_YYY *r,ECP2_ZZZ *P,ECP_ZZZ *Q); +/** @brief Calculate Miller loop for Optimal ATE double-pairing e(P,Q).e(R,S) + * + Faster than calculating two separate pairings + @param r FP12 result of the pairing calculation e(P,Q).e(R,S), an element of GT + @param P ECP2 instance, an element of G2 + @param Q ECP instance, an element of G1 + @param R ECP2 instance, an element of G2 + @param S ECP instance, an element of G1 + */ +extern void PAIR_ZZZ_double_ate(FP12_YYY *r,ECP2_ZZZ *P,ECP_ZZZ *Q,ECP2_ZZZ *R,ECP_ZZZ *S); +/** @brief Final exponentiation of pairing, converts output of Miller loop to element in GT + * + Here p is the internal modulus, and r is the group order + @param x FP12, on exit = x^((p^12-1)/r) + */ +extern void PAIR_ZZZ_fexp(FP12_YYY *x); +/** @brief Fast point multiplication of a member of the group G1 by a BIG number + * + May exploit endomorphism for speed. + @param Q ECP member of G1. + @param b BIG multiplier + + */ +extern void PAIR_ZZZ_G1mul(ECP_ZZZ *Q,BIG_XXX b); +/** @brief Fast point multiplication of a member of the group G2 by a BIG number + * + May exploit endomorphism for speed. + @param P ECP2 member of G1. + @param b BIG multiplier + + */ +extern void PAIR_ZZZ_G2mul(ECP2_ZZZ *P,BIG_XXX b); +/** @brief Fast raising of a member of GT to a BIG power + * + May exploit endomorphism for speed. + @param x FP12 member of GT. + @param b BIG exponent + + */ +extern void PAIR_ZZZ_GTpow(FP12_YYY *x,BIG_XXX b); +/** @brief Tests FP12 for membership of GT + * + @param x FP12 instance + @return 1 if x is in GT, else return 0 + + */ +extern int PAIR_ZZZ_GTmember(FP12_YYY *x); + + + +#endif http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/pair192.h.in ---------------------------------------------------------------------- diff --git a/include/pair192.h.in b/include/pair192.h.in new file mode 100644 index 0000000..2e50d51 --- /dev/null +++ b/include/pair192.h.in @@ -0,0 +1,77 @@ +#ifndef PAIR192_ZZZ_H +#define PAIR192_ZZZ_H + +#include "fp24_YYY.h" +#include "ecp4_ZZZ.h" +#include "ecp_ZZZ.h" + + +/* Pairing constants */ + +extern const BIG_XXX CURVE_Bnx_ZZZ; /**< BN curve x parameter */ +extern const BIG_XXX CURVE_Cru_ZZZ; /**< BN curve Cube Root of Unity */ + +extern const BIG_XXX CURVE_W_ZZZ[2]; /**< BN curve constant for GLV decomposition */ +extern const BIG_XXX CURVE_SB_ZZZ[2][2]; /**< BN curve constant for GLV decomposition */ +extern const BIG_XXX CURVE_WB_ZZZ[4]; /**< BN curve constant for GS decomposition */ +extern const BIG_XXX CURVE_BB_ZZZ[4][4]; /**< BN curve constant for GS decomposition */ + +/* Pairing function prototypes */ +/** @brief Calculate Miller loop for Optimal ATE pairing e(P,Q) + * + @param r FP24 result of the pairing calculation e(P,Q) + @param P ECP4 instance, an element of G2 + @param Q ECP instance, an element of G1 + + */ +extern void PAIR_ZZZ_ate(FP24_YYY *r,ECP4_ZZZ *P,ECP_ZZZ *Q); +/** @brief Calculate Miller loop for Optimal ATE double-pairing e(P,Q).e(R,S) + * + Faster than calculating two separate pairings + @param r FP24 result of the pairing calculation e(P,Q).e(R,S), an element of GT + @param P ECP4 instance, an element of G2 + @param Q ECP instance, an element of G1 + @param R ECP4 instance, an element of G2 + @param S ECP instance, an element of G1 + */ +extern void PAIR_ZZZ_double_ate(FP24_YYY *r,ECP4_ZZZ *P,ECP_ZZZ *Q,ECP4_ZZZ *R,ECP_ZZZ *S); +/** @brief Final exponentiation of pairing, converts output of Miller loop to element in GT + * + Here p is the internal modulus, and r is the group order + @param x FP24, on exit = x^((p^12-1)/r) + */ +extern void PAIR_ZZZ_fexp(FP24_YYY *x); +/** @brief Fast point multiplication of a member of the group G1 by a BIG number + * + May exploit endomorphism for speed. + @param Q ECP member of G1. + @param b BIG multiplier + + */ +extern void PAIR_ZZZ_G1mul(ECP_ZZZ *Q,BIG_XXX b); +/** @brief Fast point multiplication of a member of the group G2 by a BIG number + * + May exploit endomorphism for speed. + @param P ECP4 member of G1. + @param b BIG multiplier + + */ +extern void PAIR_ZZZ_G2mul(ECP4_ZZZ *P,BIG_XXX b); +/** @brief Fast raising of a member of GT to a BIG power + * + May exploit endomorphism for speed. + @param x FP24 member of GT. + @param b BIG exponent + + */ +extern void PAIR_ZZZ_GTpow(FP24_YYY *x,BIG_XXX b); +/** @brief Tests FP24 for membership of GT + * + @param x FP24 instance + @return 1 if x is in GT, else return 0 + + */ +extern int PAIR_ZZZ_GTmember(FP24_YYY *x); + + +#endif http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto-c/blob/8d28d2c3/include/pair256.h.in ---------------------------------------------------------------------- diff --git a/include/pair256.h.in b/include/pair256.h.in new file mode 100644 index 0000000..d270f76 --- /dev/null +++ b/include/pair256.h.in @@ -0,0 +1,77 @@ +#ifndef PAIR256_ZZZ_H +#define PAIR256_ZZZ_H + +#include "fp48_YYY.h" +#include "ecp8_ZZZ.h" +#include "ecp_ZZZ.h" + + +/* Pairing constants */ + +extern const BIG_XXX CURVE_Bnx_ZZZ; /**< BN curve x parameter */ +extern const BIG_XXX CURVE_Cru_ZZZ; /**< BN curve Cube Root of Unity */ + +extern const BIG_XXX CURVE_W_ZZZ[2]; /**< BN curve constant for GLV decomposition */ +extern const BIG_XXX CURVE_SB_ZZZ[2][2]; /**< BN curve constant for GLV decomposition */ +extern const BIG_XXX CURVE_WB_ZZZ[4]; /**< BN curve constant for GS decomposition */ +extern const BIG_XXX CURVE_BB_ZZZ[4][4]; /**< BN curve constant for GS decomposition */ + +/* Pairing function prototypes */ +/** @brief Calculate Miller loop for Optimal ATE pairing e(P,Q) + * + @param r FP48 result of the pairing calculation e(P,Q) + @param P ECP8 instance, an element of G2 + @param Q ECP instance, an element of G1 + + */ +extern void PAIR_ZZZ_ate(FP48_YYY *r,ECP8_ZZZ *P,ECP_ZZZ *Q); +/** @brief Calculate Miller loop for Optimal ATE double-pairing e(P,Q).e(R,S) + * + Faster than calculating two separate pairings + @param r FP48 result of the pairing calculation e(P,Q).e(R,S), an element of GT + @param P ECP8 instance, an element of G2 + @param Q ECP instance, an element of G1 + @param R ECP8 instance, an element of G2 + @param S ECP instance, an element of G1 + */ +extern void PAIR_ZZZ_double_ate(FP48_YYY *r,ECP8_ZZZ *P,ECP_ZZZ *Q,ECP8_ZZZ *R,ECP_ZZZ *S); +/** @brief Final exponentiation of pairing, converts output of Miller loop to element in GT + * + Here p is the internal modulus, and r is the group order + @param x FP48, on exit = x^((p^12-1)/r) + */ +extern void PAIR_ZZZ_fexp(FP48_YYY *x); +/** @brief Fast point multiplication of a member of the group G1 by a BIG number + * + May exploit endomorphism for speed. + @param Q ECP member of G1. + @param b BIG multiplier + + */ +extern void PAIR_ZZZ_G1mul(ECP_ZZZ *Q,BIG_XXX b); +/** @brief Fast point multiplication of a member of the group G2 by a BIG number + * + May exploit endomorphism for speed. + @param P ECP8 member of G1. + @param b BIG multiplier + + */ +extern void PAIR_ZZZ_G2mul(ECP8_ZZZ *P,BIG_XXX b); +/** @brief Fast raising of a member of GT to a BIG power + * + May exploit endomorphism for speed. + @param x FP48 member of GT. + @param b BIG exponent + + */ +extern void PAIR_ZZZ_GTpow(FP48_YYY *x,BIG_XXX b); +/** @brief Tests FP48 for membership of GT + * + @param x FP48 instance + @return 1 if x is in GT, else return 0 + + */ +extern int PAIR_ZZZ_GTmember(FP48_YYY *x); + + +#endif
