http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/fp8.h
----------------------------------------------------------------------
diff --git a/version3/c/fp8.h b/version3/c/fp8.h
deleted file mode 100644
index 82b543d..0000000
--- a/version3/c/fp8.h
+++ /dev/null
@@ -1,294 +0,0 @@ -#ifndef FP8_YYY_H -#define FP8_YYY_H - -#include "fp4_YYY.h" -#include "config_curve_ZZZ.h" - - -/** - @brief FP8 Structure - towered over two FP4 -*/ - -typedef struct -{ - FP4_YYY a; /**< real part of FP8 */ - FP4_YYY b; /**< imaginary part of FP8 */ -} FP8_YYY; - - -/* FP8 prototypes */ -/** @brief Tests for FP8 equal to zero - * - @param x FP8 number to be tested - @return 1 if zero, else returns 0 - */ -extern int FP8_YYY_iszilch(FP8_YYY *x); -/** @brief Tests for FP8 equal to unity - * - @param x FP8 number to be tested - @return 1 if unity, else returns 0 - */ -extern int FP8_YYY_isunity(FP8_YYY *x); -/** @brief Tests for equality of two FP8s - * - @param x FP8 instance to be compared - @param y FP8 instance to be compared - @return 1 if x=y, else returns 0 - */ -extern int FP8_YYY_equals(FP8_YYY *x,FP8_YYY *y); -/** @brief Tests for FP8 having only a real part and no imaginary part - * - @param x FP8 number to be tested - @return 1 if real, else returns 0 - */ -extern int FP8_YYY_isreal(FP8_YYY *x); -/** @brief Initialise FP8 from two FP4s - * - @param x FP8 instance to be initialised - @param a FP4 to form real part of FP8 - @param b FP4 to form imaginary part of FP8 - */ -extern void FP8_YYY_from_FP4s(FP8_YYY *x,FP4_YYY *a,FP4_YYY *b); -/** @brief Initialise FP8 from single FP4 - * - Imaginary part is set to zero - @param x FP8 instance to be initialised - @param a FP4 to form real part of FP8 - */ -extern void FP8_YYY_from_FP4(FP8_YYY *x,FP4_YYY *a); - -/** @brief Initialise FP8 from single FP4 - * - real part is set to zero - @param x FP8 instance to be initialised - @param a FP4 to form imaginary part of FP8 - */ -extern void FP8_YYY_from_FP4H(FP8_YYY *x,FP4_YYY *a); - - -/** @brief Copy FP8 to another FP8 - * - @param x FP8 instance, on exit = y - @param y FP8 instance to be copied - */ -extern void FP8_YYY_copy(FP8_YYY *x,FP8_YYY *y); -/** @brief Set FP8 to zero - * - @param x FP8 instance to be set to zero - */ -extern void 
FP8_YYY_zero(FP8_YYY *x); -/** @brief Set FP8 to unity - * - @param x FP8 instance to be set to one - */ -extern void FP8_YYY_one(FP8_YYY *x); -/** @brief Negation of FP8 - * - @param x FP8 instance, on exit = -y - @param y FP8 instance - */ -extern void FP8_YYY_neg(FP8_YYY *x,FP8_YYY *y); -/** @brief Conjugation of FP8 - * - If y=(a,b) on exit x=(a,-b) - @param x FP8 instance, on exit = conj(y) - @param y FP8 instance - */ -extern void FP8_YYY_conj(FP8_YYY *x,FP8_YYY *y); -/** @brief Negative conjugation of FP8 - * - If y=(a,b) on exit x=(-a,b) - @param x FP8 instance, on exit = -conj(y) - @param y FP8 instance - */ -extern void FP8_YYY_nconj(FP8_YYY *x,FP8_YYY *y); -/** @brief addition of two FP8s - * - @param x FP8 instance, on exit = y+z - @param y FP8 instance - @param z FP8 instance - */ -extern void FP8_YYY_add(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); -/** @brief subtraction of two FP8s - * - @param x FP8 instance, on exit = y-z - @param y FP8 instance - @param z FP8 instance - */ -extern void FP8_YYY_sub(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); -/** @brief Multiplication of an FP8 by an FP4 - * - @param x FP8 instance, on exit = y*a - @param y FP8 instance - @param a FP4 multiplier - */ -extern void FP8_YYY_pmul(FP8_YYY *x,FP8_YYY *y,FP4_YYY *a); - -/** @brief Multiplication of an FP8 by an FP2 - * - @param x FP8 instance, on exit = y*a - @param y FP8 instance - @param a FP2 multiplier - */ -extern void FP8_YYY_qmul(FP8_YYY *x,FP8_YYY *y,FP2_YYY *a); - -/** @brief Multiplication of an FP8 by an FP - * - @param x FP8 instance, on exit = y*a - @param y FP8 instance - @param a FP multiplier - */ -extern void FP8_YYY_tmul(FP8_YYY *x,FP8_YYY *y,FP_YYY *a); - -/** @brief Multiplication of an FP8 by a small integer - * - @param x FP8 instance, on exit = y*i - @param y FP8 instance - @param i an integer - */ -extern void FP8_YYY_imul(FP8_YYY *x,FP8_YYY *y,int i); -/** @brief Squaring an FP8 - * - @param x FP8 instance, on exit = y^2 - @param y FP8 instance - */ -extern void 
FP8_YYY_sqr(FP8_YYY *x,FP8_YYY *y); -/** @brief Multiplication of two FP8s - * - @param x FP8 instance, on exit = y*z - @param y FP8 instance - @param z FP8 instance - */ -extern void FP8_YYY_mul(FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); -/** @brief Inverting an FP8 - * - @param x FP8 instance, on exit = 1/y - @param y FP8 instance - */ -extern void FP8_YYY_inv(FP8_YYY *x,FP8_YYY *y); -/** @brief Formats and outputs an FP8 to the console - * - @param x FP8 instance to be printed - */ -extern void FP8_YYY_output(FP8_YYY *x); -/** @brief Formats and outputs an FP8 to the console in raw form (for debugging) - * - @param x FP8 instance to be printed - */ -extern void FP8_YYY_rawoutput(FP8_YYY *x); -/** @brief multiplies an FP8 instance by irreducible polynomial sqrt(1+sqrt(-1)) - * - @param x FP8 instance, on exit = sqrt(1+sqrt(-1)*x - */ -extern void FP8_YYY_times_i(FP8_YYY *x); -/** @brief multiplies an FP8 instance by irreducible polynomial (1+sqrt(-1)) - * - @param x FP8 instance, on exit = (1+sqrt(-1)*x - */ -extern void FP8_YYY_times_i2(FP8_YYY *x); - -/** @brief Normalises the components of an FP8 - * - @param x FP8 instance to be normalised - */ -extern void FP8_YYY_norm(FP8_YYY *x); -/** @brief Reduces all components of possibly unreduced FP8 mod Modulus - * - @param x FP8 instance, on exit reduced mod Modulus - */ -extern void FP8_YYY_reduce(FP8_YYY *x); -/** @brief Raises an FP8 to the power of a BIG - * - @param x FP8 instance, on exit = y^b - @param y FP8 instance - @param b BIG number - */ -extern void FP8_YYY_pow(FP8_YYY *x,FP8_YYY *y,BIG_XXX b); -/** @brief Raises an FP8 to the power of the internal modulus p, using the Frobenius - * - @param x FP8 instance, on exit = x^p - @param f FP2 precalculated Frobenius constant - */ -extern void FP8_YYY_frob(FP8_YYY *x,FP2_YYY *f); -/** @brief Calculates the XTR addition function r=w*x-conj(x)*y+z - * - @param r FP8 instance, on exit = w*x-conj(x)*y+z - @param w FP8 instance - @param x FP8 instance - @param y FP8 
instance - @param z FP8 instance - */ -extern void FP8_YYY_xtr_A(FP8_YYY *r,FP8_YYY *w,FP8_YYY *x,FP8_YYY *y,FP8_YYY *z); -/** @brief Calculates the XTR doubling function r=x^2-2*conj(x) - * - @param r FP8 instance, on exit = x^2-2*conj(x) - @param x FP8 instance - */ -extern void FP8_YYY_xtr_D(FP8_YYY *r,FP8_YYY *x); -/** @brief Calculates FP8 trace of an FP12 raised to the power of a BIG number - * - XTR single exponentiation - @param r FP8 instance, on exit = trace(w^b) - @param x FP8 instance, trace of an FP12 w - @param b BIG number - */ -extern void FP8_YYY_xtr_pow(FP8_YYY *r,FP8_YYY *x,BIG_XXX b); -/** @brief Calculates FP8 trace of c^a.d^b, where c and d are derived from FP8 traces of FP12s - * - XTR double exponentiation - Assumes c=tr(x^m), d=tr(x^n), e=tr(x^(m-n)), f=tr(x^(m-2n)) - @param r FP8 instance, on exit = trace(c^a.d^b) - @param c FP8 instance, trace of an FP12 - @param d FP8 instance, trace of an FP12 - @param e FP8 instance, trace of an FP12 - @param f FP8 instance, trace of an FP12 - @param a BIG number - @param b BIG number - */ -extern void FP8_YYY_xtr_pow2(FP8_YYY *r,FP8_YYY *c,FP8_YYY *d,FP8_YYY *e,FP8_YYY *f,BIG_XXX a,BIG_XXX b); - - -/** @brief Calculate square root of an FP8 - * - Square root - @param r FP8 instance, on exit = sqrt(x) - @param x FP8 instance - @return 1 x is a QR, otherwise 0 - */ -extern int FP8_YYY_sqrt(FP8_YYY *r,FP8_YYY *x); - - -/** @brief Conditional copy of FP8 number - * - Conditionally copies second parameter to the first (without branching) - @param x FP8 instance, set to y if s!=0 - @param y another FP8 instance - @param s copy only takes place if not equal to 0 - */ -extern void FP8_YYY_cmove(FP8_YYY *x,FP8_YYY *y,int s); - - -/** @brief Divide FP8 number by QNR - * - Divide FP8 by the QNR - @param x FP8 instance - */ -extern void FP8_YYY_div_i(FP8_YYY *x); - -/** @brief Divide FP8 number by QNR twice - * - Divide FP8 by the QNR twice - @param x FP8 instance - */ -extern void FP8_YYY_div_i2(FP8_YYY *x); - 
-/** @brief Divide FP8 number by QNR/2 - * - Divide FP8 by the QNR/2 - @param x FP8 instance - */ -extern void FP8_YYY_div_2i(FP8_YYY *x); - - -#endif -
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/gcm.c
----------------------------------------------------------------------
diff --git a/version3/c/gcm.c b/version3/c/gcm.c
deleted file mode 100644
index 3bd9b8d..0000000
--- a/version3/c/gcm.c
+++ /dev/null
@@ -1,411 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* - * Implementation of the AES-GCM Encryption/Authentication - * - * Some restrictions.. - * 1. Only for use with AES - * 2. Returned tag is always 128-bits. Truncate at your own risk. - * 3. The order of function calls must follow some rules - * - * Typical sequence of calls.. - * 1. call GCM_init - * 2. call GCM_add_header any number of times, as long as length of header is multiple of 16 bytes (block size) - * 3. call GCM_add_header one last time with any length of header - * 4. call GCM_add_cipher any number of times, as long as length of cipher/plaintext is multiple of 16 bytes - * 5. call GCM_add_cipher one last time with any length of cipher/plaintext - * 6. call GCM_finish to extract the tag. 
- * - * See http://www.mindspring.com/~dmcgrew/gcm-nist-6.pdf - */ -/* SU=m, m is Stack Usage */ - -#include <stdlib.h> -#include <string.h> -#include "arch.h" -#include "amcl.h" - -#define NB 4 -#define MR_TOBYTE(x) ((uchar)((x))) - -static unsign32 pack(const uchar *b) -{ - /* pack bytes into a 32-bit Word */ - return ((unsign32)b[0]<<24)|((unsign32)b[1]<<16)|((unsign32)b[2]<<8)|(unsign32)b[3]; -} - -static void unpack(unsign32 a,uchar *b) -{ - /* unpack bytes from a word */ - b[3]=MR_TOBYTE(a); - b[2]=MR_TOBYTE(a>>8); - b[1]=MR_TOBYTE(a>>16); - b[0]=MR_TOBYTE(a>>24); -} - -static void precompute(gcm *g,uchar *H) -{ - /* precompute small 2k bytes gf2m table of x^n.H */ - int i,j; - unsign32 *last,*next,b; - - for (i=j=0; i<NB; i++,j+=4) g->table[0][i]=pack((uchar *)&H[j]); - - for (i=1; i<128; i++) - { - next=g->table[i]; - last=g->table[i-1]; - b=0; - for (j=0; j<NB; j++) - { - next[j]=b|(last[j])>>1; - b=last[j]<<31; - } - if (b) next[0]^=0xE1000000; /* irreducible polynomial */ - } -} - -/* SU= 32 */ -static void gf2mul(gcm *g) -{ - /* gf2m mul - Z=H*X mod 2^128 */ - int i,j,m,k; - unsign32 P[4]; - unsign32 b; - - P[0]=P[1]=P[2]=P[3]=0; - j=8; - m=0; - for (i=0; i<128; i++) - { - b=(unsign32)(g->stateX[m]>>(--j))&1; - b=~b+1; - for (k=0; k<NB; k++) P[k]^=(g->table[i][k]&b); - if (j==0) - { - j=8; - m++; - if (m==16) break; - } - } - for (i=j=0; i<NB; i++,j+=4) unpack(P[i],(uchar *)&g->stateX[j]); -} - -/* SU= 32 */ -static void GCM_wrap(gcm *g) -{ - /* Finish off GHASH */ - int i,j; - unsign32 F[4]; - uchar L[16]; - - /* convert lengths from bytes to bits */ - F[0]=(g->lenA[0]<<3)|(g->lenA[1]&0xE0000000)>>29; - F[1]=g->lenA[1]<<3; - F[2]=(g->lenC[0]<<3)|(g->lenC[1]&0xE0000000)>>29; - F[3]=g->lenC[1]<<3; - for (i=j=0; i<NB; i++,j+=4) unpack(F[i],(uchar *)&L[j]); - - for (i=0; i<16; i++) g->stateX[i]^=L[i]; - gf2mul(g); -} - -static int GCM_ghash(gcm *g,char *plain,int len) -{ - int i,j=0; - if (g->status==GCM_ACCEPTING_HEADER) g->status=GCM_ACCEPTING_CIPHER; - 
if (g->status!=GCM_ACCEPTING_CIPHER) return 0; - - while (j<len) - { - for (i=0; i<16 && j<len; i++) - { - g->stateX[i]^=plain[j++]; - g->lenC[1]++; - if (g->lenC[1]==0) g->lenC[0]++; - } - gf2mul(g); - } - if (len%16!=0) g->status=GCM_NOT_ACCEPTING_MORE; - return 1; -} - -/* SU= 48 */ -/* Initialize GCM mode */ -void GCM_init(gcm* g,int nk,char *key,int niv,char *iv) -{ - /* iv size niv is usually 12 bytes (96 bits). AES key size nk can be 16,24 or 32 bytes */ - int i; - uchar H[16]; - for (i=0; i<16; i++) - { - H[i]=0; - g->stateX[i]=0; - } - - AES_init(&(g->a),ECB,nk,key,iv); - AES_ecb_encrypt(&(g->a),H); /* E(K,0) */ - precompute(g,H); - - g->lenA[0]=g->lenC[0]=g->lenA[1]=g->lenC[1]=0; - if (niv==12) - { - for (i=0; i<12; i++) g->a.f[i]=iv[i]; - unpack((unsign32)1,(uchar *)&(g->a.f[12])); /* initialise IV */ - for (i=0; i<16; i++) g->Y_0[i]=g->a.f[i]; - } - else - { - g->status=GCM_ACCEPTING_CIPHER; - GCM_ghash(g,iv,niv); /* GHASH(H,0,IV) */ - GCM_wrap(g); - for (i=0; i<16; i++) - { - g->a.f[i]=g->stateX[i]; - g->Y_0[i]=g->a.f[i]; - g->stateX[i]=0; - } - g->lenA[0]=g->lenC[0]=g->lenA[1]=g->lenC[1]=0; - } - g->status=GCM_ACCEPTING_HEADER; -} - -/* SU= 24 */ -/* Add Header data - included but not encrypted */ -int GCM_add_header(gcm* g,char *header,int len) -{ - /* Add some header. Won't be encrypted, but will be authenticated. len is length of header */ - int i,j=0; - if (g->status!=GCM_ACCEPTING_HEADER) return 0; - - while (j<len) - { - for (i=0; i<16 && j<len; i++) - { - g->stateX[i]^=header[j++]; - g->lenA[1]++; - if (g->lenA[1]==0) g->lenA[0]++; - } - gf2mul(g); - } - if (len%16!=0) g->status=GCM_ACCEPTING_CIPHER; - return 1; -} - -/* SU= 48 */ -/* Add Plaintext - included and encrypted */ -int GCM_add_plain(gcm *g,char *cipher,char *plain,int len) -{ - /* Add plaintext to extract ciphertext, len is length of plaintext. 
*/ - int i,j=0; - unsign32 counter; - uchar B[16]; - if (g->status==GCM_ACCEPTING_HEADER) g->status=GCM_ACCEPTING_CIPHER; - if (g->status!=GCM_ACCEPTING_CIPHER) return 0; - - while (j<len) - { - counter=pack((uchar *)&(g->a.f[12])); - counter++; - unpack(counter,(uchar *)&(g->a.f[12])); /* increment counter */ - for (i=0; i<16; i++) B[i]=g->a.f[i]; - AES_ecb_encrypt(&(g->a),B); /* encrypt it */ - - for (i=0; i<16 && j<len; i++) - { - cipher[j]=plain[j]^B[i]; - g->stateX[i]^=cipher[j++]; - g->lenC[1]++; - if (g->lenC[1]==0) g->lenC[0]++; - } - gf2mul(g); - } - if (len%16!=0) g->status=GCM_NOT_ACCEPTING_MORE; - return 1; -} - -/* SU= 48 */ -/* Add Ciphertext - decrypts to plaintext */ -int GCM_add_cipher(gcm *g,char *plain,char *cipher,int len) -{ - /* Add ciphertext to extract plaintext, len is length of ciphertext. */ - int i,j=0; - unsign32 counter; - char oc; - uchar B[16]; - if (g->status==GCM_ACCEPTING_HEADER) g->status=GCM_ACCEPTING_CIPHER; - if (g->status!=GCM_ACCEPTING_CIPHER) return 0; - - while (j<len) - { - counter=pack((uchar *)&(g->a.f[12])); - counter++; - unpack(counter,(uchar *)&(g->a.f[12])); /* increment counter */ - for (i=0; i<16; i++) B[i]=g->a.f[i]; - AES_ecb_encrypt(&(g->a),B); /* encrypt it */ - for (i=0; i<16 && j<len; i++) - { - oc=cipher[j]; - plain[j]=cipher[j]^B[i]; - g->stateX[i]^=oc; - j++; - g->lenC[1]++; - if (g->lenC[1]==0) g->lenC[0]++; - } - gf2mul(g); - } - if (len%16!=0) g->status=GCM_NOT_ACCEPTING_MORE; - return 1; -} - -/* SU= 16 */ -/* Finish and extract Tag */ -void GCM_finish(gcm *g,char *tag) -{ - /* Finish off GHASH and extract tag (MAC) */ - int i; - - GCM_wrap(g); - - /* extract tag */ - if (tag!=NULL) - { - AES_ecb_encrypt(&(g->a),g->Y_0); /* E(K,Y0) */ - for (i=0; i<16; i++) g->Y_0[i]^=g->stateX[i]; - for (i=0; i<16; i++) - { - tag[i]=g->Y_0[i]; - g->Y_0[i]=g->stateX[i]=0; - } - } - g->status=GCM_FINISHED; - AES_end(&(g->a)); -} - - -// Compile with -// gcc -O2 gcm.c aes.c -o gcm.exe -/* SU= 16 -*/ - -/* static void 
hex2bytes(char *hex,char *bin) */ -/* { */ -/* int i; */ -/* char v; */ -/* int len=strlen(hex); */ -/* for (i = 0; i < len/2; i++) { */ -/* char c = hex[2*i]; */ -/* if (c >= '0' && c <= '9') { */ -/* v = c - '0'; */ -/* } else if (c >= 'A' && c <= 'F') { */ -/* v = c - 'A' + 10; */ -/* } else if (c >= 'a' && c <= 'f') { */ -/* v = c - 'a' + 10; */ -/* } else { */ -/* v = 0; */ -/* } */ -/* v <<= 4; */ -/* c = hex[2*i + 1]; */ -/* if (c >= '0' && c <= '9') { */ -/* v += c - '0'; */ -/* } else if (c >= 'A' && c <= 'F') { */ -/* v += c - 'A' + 10; */ -/* } else if (c >= 'a' && c <= 'f') { */ -/* v += c - 'a' + 10; */ -/* } else { */ -/* v = 0; */ -/* } */ -/* bin[i] = v; */ -/* } */ -/* } */ - -/* -int main() -{ - int i; - -// char* KT="feffe9928665731c6d6a8f9467308308"; -// char* MT="d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"; -// char* HT="feedfacedeadbeeffeedfacedeadbeefabaddad2"; -// char* NT="cafebabefacedbaddecaf888"; -// Tag should be 5bc94fbc3221a5db94fae95ae7121a47 -// char* NT="9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b"; -// Tag should be 619cc5aefffe0bfa462af43c1699d050 - - char* KT="6dfb5dc68af6ae2f3242e9184f100918"; - char* MT="47809d16c2c6ec685962c90e53fe1bba"; - char* HT="dd0fa6e494031139d71ee45f00d56fa4"; - char* NT="37d36f5c54d53479d4745dd1"; - - - int len=strlen(MT)/2; - int lenH=strlen(HT)/2; - int lenK=strlen(KT)/2; - int lenIV=strlen(NT)/2; - - char T[16]; // Tag - char K[16]; // AES Key - char H[64]; // Header - to be included in Authentication, but not encrypted - char N[100]; // IV - Initialisation vector - char M[100]; // Plaintext to be encrypted/authenticated - char C[100]; // Ciphertext - char P[100]; // Recovered Plaintext - - gcm g; - - hex2bytes(MT, M); - hex2bytes(HT, H); - hex2bytes(NT, N); - hex2bytes(KT, K); - - printf("lenK= %d\n",lenK); - - printf("Plaintext=\n"); - for 
(i=0;i<len;i++) printf("%02x",(unsigned char)M[i]); - printf("\n"); - - GCM_init(&g,16,K,lenIV,N); - GCM_add_header(&g,H,lenH); - GCM_add_plain(&g,C,M,len); - GCM_finish(&g,T); - - printf("Ciphertext=\n"); - for (i=0;i<len;i++) printf("%02x",(unsigned char)C[i]); - printf("\n"); - - printf("Tag=\n"); - for (i=0;i<16;i++) printf("%02x",(unsigned char)T[i]); - printf("\n"); - - GCM_init(&g,16,K,lenIV,N); - GCM_add_header(&g,H,lenH); - GCM_add_cipher(&g,P,C,len); - GCM_finish(&g,T); - - printf("Plaintext=\n"); - for (i=0;i<len;i++) printf("%02x",(unsigned char)P[i]); - printf("\n"); - - printf("Tag=\n"); - for (i=0;i<16;i++) printf("%02x",(unsigned char)T[i]); - printf("\n"); -} - -*/ http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/hash.c ---------------------------------------------------------------------- diff --git a/version3/c/hash.c b/version3/c/hash.c deleted file mode 100644 index b56123e..0000000 --- a/version3/c/hash.c +++ /dev/null 
@@ -1,607 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* - * Implementation of the Secure Hashing Algorithm (SHA-256/384/512 and SHA3) - * - * Generates a message digest. It should be impossible to come - * come up with two messages that hash to the same value ("collision free"). - * - * For use with byte-oriented messages only. Could/Should be speeded - * up by unwinding loops in HASH_transform(), and assembly patches. 
- */ - -#include "arch.h" -#include "amcl.h" - - -#define H0_256 0x6A09E667L -#define H1_256 0xBB67AE85L -#define H2_256 0x3C6EF372L -#define H3_256 0xA54FF53AL -#define H4_256 0x510E527FL -#define H5_256 0x9B05688CL -#define H6_256 0x1F83D9ABL -#define H7_256 0x5BE0CD19L - -static const unsign32 K_256[64]= -{ - 0x428a2f98L,0x71374491L,0xb5c0fbcfL,0xe9b5dba5L,0x3956c25bL,0x59f111f1L,0x923f82a4L,0xab1c5ed5L, - 0xd807aa98L,0x12835b01L,0x243185beL,0x550c7dc3L,0x72be5d74L,0x80deb1feL,0x9bdc06a7L,0xc19bf174L, - 0xe49b69c1L,0xefbe4786L,0x0fc19dc6L,0x240ca1ccL,0x2de92c6fL,0x4a7484aaL,0x5cb0a9dcL,0x76f988daL, - 0x983e5152L,0xa831c66dL,0xb00327c8L,0xbf597fc7L,0xc6e00bf3L,0xd5a79147L,0x06ca6351L,0x14292967L, - 0x27b70a85L,0x2e1b2138L,0x4d2c6dfcL,0x53380d13L,0x650a7354L,0x766a0abbL,0x81c2c92eL,0x92722c85L, - 0xa2bfe8a1L,0xa81a664bL,0xc24b8b70L,0xc76c51a3L,0xd192e819L,0xd6990624L,0xf40e3585L,0x106aa070L, - 0x19a4c116L,0x1e376c08L,0x2748774cL,0x34b0bcb5L,0x391c0cb3L,0x4ed8aa4aL,0x5b9cca4fL,0x682e6ff3L, - 0x748f82eeL,0x78a5636fL,0x84c87814L,0x8cc70208L,0x90befffaL,0xa4506cebL,0xbef9a3f7L,0xc67178f2L -}; - -#define PAD 0x80 -#define ZERO 0 - -/* functions */ - -#define S(m,n,x) (((x)>>n) | ((x)<<(m-n))) -#define R(n,x) ((x)>>n) - -#define Ch(x,y,z) ((x&y)^(~(x)&z)) -#define Maj(x,y,z) ((x&y)^(x&z)^(y&z)) -#define Sig0_256(x) (S(32,2,x)^S(32,13,x)^S(32,22,x)) -#define Sig1_256(x) (S(32,6,x)^S(32,11,x)^S(32,25,x)) -#define theta0_256(x) (S(32,7,x)^S(32,18,x)^R(3,x)) -#define theta1_256(x) (S(32,17,x)^S(32,19,x)^R(10,x)) - -#define Sig0_512(x) (S(64,28,x)^S(64,34,x)^S(64,39,x)) -#define Sig1_512(x) (S(64,14,x)^S(64,18,x)^S(64,41,x)) -#define theta0_512(x) (S(64,1,x)^S(64,8,x)^R(7,x)) -#define theta1_512(x) (S(64,19,x)^S(64,61,x)^R(6,x)) - - -/* SU= 72 */ -static void HASH256_transform(hash256 *sh) -{ - /* basic transformation step */ - unsign32 a,b,c,d,e,f,g,h,t1,t2; - int j; - for (j=16; j<64; j++) - sh->w[j]=theta1_256(sh->w[j-2])+sh->w[j-7]+theta0_256(sh->w[j-15])+sh->w[j-16]; - 
- a=sh->h[0]; - b=sh->h[1]; - c=sh->h[2]; - d=sh->h[3]; - e=sh->h[4]; - f=sh->h[5]; - g=sh->h[6]; - h=sh->h[7]; - - for (j=0; j<64; j++) - { - /* 64 times - mush it up */ - t1=h+Sig1_256(e)+Ch(e,f,g)+K_256[j]+sh->w[j]; - t2=Sig0_256(a)+Maj(a,b,c); - h=g; - g=f; - f=e; - e=d+t1; - d=c; - c=b; - b=a; - a=t1+t2; - } - - sh->h[0]+=a; - sh->h[1]+=b; - sh->h[2]+=c; - sh->h[3]+=d; - sh->h[4]+=e; - sh->h[5]+=f; - sh->h[6]+=g; - sh->h[7]+=h; -} - -/* Initialise Hash function */ -void HASH256_init(hash256 *sh) -{ - /* re-initialise */ - int i; - for (i=0; i<64; i++) sh->w[i]=0L; - sh->length[0]=sh->length[1]=0L; - sh->h[0]=H0_256; - sh->h[1]=H1_256; - sh->h[2]=H2_256; - sh->h[3]=H3_256; - sh->h[4]=H4_256; - sh->h[5]=H5_256; - sh->h[6]=H6_256; - sh->h[7]=H7_256; - - sh->hlen=32; -} - -/* process a single byte */ -void HASH256_process(hash256 *sh,int byt) -{ - /* process the next message byte */ - int cnt; -//printf("byte= %x\n",byt); - cnt=(int)((sh->length[0]/32)%16); - - sh->w[cnt]<<=8; - sh->w[cnt]|=(unsign32)(byt&0xFF); - - sh->length[0]+=8; - if (sh->length[0]==0L) - { - sh->length[1]++; - sh->length[0]=0L; - } - if ((sh->length[0]%512)==0) HASH256_transform(sh); -} - -/* SU= 24 */ -/* Generate 32-byte Hash */ -void HASH256_hash(hash256 *sh,char *digest) -{ - /* pad message and finish - supply digest */ - int i; - unsign32 len0,len1; - len0=sh->length[0]; - len1=sh->length[1]; - HASH256_process(sh,PAD); - while ((sh->length[0]%512)!=448) HASH256_process(sh,ZERO); - sh->w[14]=len1; - sh->w[15]=len0; - HASH256_transform(sh); - for (i=0; i<sh->hlen; i++) - { - /* convert to bytes */ - digest[i]=(char)((sh->h[i/4]>>(8*(3-i%4))) & 0xffL); - } - HASH256_init(sh); -} - - -#define H0_512 0x6a09e667f3bcc908 -#define H1_512 0xbb67ae8584caa73b -#define H2_512 0x3c6ef372fe94f82b -#define H3_512 0xa54ff53a5f1d36f1 -#define H4_512 0x510e527fade682d1 -#define H5_512 0x9b05688c2b3e6c1f -#define H6_512 0x1f83d9abfb41bd6b -#define H7_512 0x5be0cd19137e2179 - -#define H8_512 
0xcbbb9d5dc1059ed8 -#define H9_512 0x629a292a367cd507 -#define HA_512 0x9159015a3070dd17 -#define HB_512 0x152fecd8f70e5939 -#define HC_512 0x67332667ffc00b31 -#define HD_512 0x8eb44a8768581511 -#define HE_512 0xdb0c2e0d64f98fa7 -#define HF_512 0x47b5481dbefa4fa4 - -/* */ - -static const unsign64 K_512[80]= -{ - 0x428a2f98d728ae22,0x7137449123ef65cd,0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc, - 0x3956c25bf348b538,0x59f111f1b605d019,0x923f82a4af194f9b,0xab1c5ed5da6d8118, - 0xd807aa98a3030242,0x12835b0145706fbe,0x243185be4ee4b28c,0x550c7dc3d5ffb4e2, - 0x72be5d74f27b896f,0x80deb1fe3b1696b1,0x9bdc06a725c71235,0xc19bf174cf692694, - 0xe49b69c19ef14ad2,0xefbe4786384f25e3,0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65, - 0x2de92c6f592b0275,0x4a7484aa6ea6e483,0x5cb0a9dcbd41fbd4,0x76f988da831153b5, - 0x983e5152ee66dfab,0xa831c66d2db43210,0xb00327c898fb213f,0xbf597fc7beef0ee4, - 0xc6e00bf33da88fc2,0xd5a79147930aa725,0x06ca6351e003826f,0x142929670a0e6e70, - 0x27b70a8546d22ffc,0x2e1b21385c26c926,0x4d2c6dfc5ac42aed,0x53380d139d95b3df, - 0x650a73548baf63de,0x766a0abb3c77b2a8,0x81c2c92e47edaee6,0x92722c851482353b, - 0xa2bfe8a14cf10364,0xa81a664bbc423001,0xc24b8b70d0f89791,0xc76c51a30654be30, - 0xd192e819d6ef5218,0xd69906245565a910,0xf40e35855771202a,0x106aa07032bbd1b8, - 0x19a4c116b8d2d0c8,0x1e376c085141ab53,0x2748774cdf8eeb99,0x34b0bcb5e19b48a8, - 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb,0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3, - 0x748f82ee5defb2fc,0x78a5636f43172f60,0x84c87814a1f0ab72,0x8cc702081a6439ec, - 0x90befffa23631e28,0xa4506cebde82bde9,0xbef9a3f7b2c67915,0xc67178f2e372532b, - 0xca273eceea26619c,0xd186b8c721c0c207,0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178, - 0x06f067aa72176fba,0x0a637dc5a2c898a6,0x113f9804bef90dae,0x1b710b35131c471b, - 0x28db77f523047d84,0x32caab7b40c72493,0x3c9ebe0a15c9bebc,0x431d67c49c100d4c, - 0x4cc5d4becb3e42b6,0x597f299cfc657e2a,0x5fcb6fab3ad6faec,0x6c44198c4a475817 -}; - - -static void HASH512_transform(hash512 *sh) -{ - /* basic transformation step */ - unsign64 
a,b,c,d,e,f,g,h,t1,t2; - int j; - for (j=16; j<80; j++) - sh->w[j]=theta1_512(sh->w[j-2])+sh->w[j-7]+theta0_512(sh->w[j-15])+sh->w[j-16]; - - a=sh->h[0]; - b=sh->h[1]; - c=sh->h[2]; - d=sh->h[3]; - e=sh->h[4]; - f=sh->h[5]; - g=sh->h[6]; - h=sh->h[7]; - - for (j=0; j<80; j++) - { - /* 80 times - mush it up */ - t1=h+Sig1_512(e)+Ch(e,f,g)+K_512[j]+sh->w[j]; - t2=Sig0_512(a)+Maj(a,b,c); - h=g; - g=f; - f=e; - e=d+t1; - d=c; - c=b; - b=a; - a=t1+t2; - } - sh->h[0]+=a; - sh->h[1]+=b; - sh->h[2]+=c; - sh->h[3]+=d; - sh->h[4]+=e; - sh->h[5]+=f; - sh->h[6]+=g; - sh->h[7]+=h; -} - -void HASH384_init(hash384 *sh) -{ - /* re-initialise */ - int i; - for (i=0; i<80; i++) sh->w[i]=0; - sh->length[0]=sh->length[1]=0; - sh->h[0]=H8_512; - sh->h[1]=H9_512; - sh->h[2]=HA_512; - sh->h[3]=HB_512; - sh->h[4]=HC_512; - sh->h[5]=HD_512; - sh->h[6]=HE_512; - sh->h[7]=HF_512; - - sh->hlen=48; - -} - -void HASH384_process(hash384 *sh,int byt) -{ - /* process the next message byte */ - HASH512_process(sh,byt); -} - -void HASH384_hash(hash384 *sh,char *hash) -{ - /* pad message and finish - supply digest */ - HASH512_hash(sh,hash); -} - -void HASH512_init(hash512 *sh) -{ - /* re-initialise */ - int i; - - for (i=0; i<80; i++) sh->w[i]=0; - sh->length[0]=sh->length[1]=0; - sh->h[0]=H0_512; - sh->h[1]=H1_512; - sh->h[2]=H2_512; - sh->h[3]=H3_512; - sh->h[4]=H4_512; - sh->h[5]=H5_512; - sh->h[6]=H6_512; - sh->h[7]=H7_512; - - sh->hlen=64; -} - -void HASH512_process(hash512 *sh,int byt) -{ - /* process the next message byte */ - int cnt; - - cnt=(int)((sh->length[0]/64)%16); - - sh->w[cnt]<<=8; - sh->w[cnt]|=(unsign64)(byt&0xFF); - - sh->length[0]+=8; - if (sh->length[0]==0L) - { - sh->length[1]++; - sh->length[0]=0L; - } - if ((sh->length[0]%1024)==0) HASH512_transform(sh); -} - -void HASH512_hash(hash512 *sh,char *hash) -{ - /* pad message and finish - supply digest */ - int i; - unsign64 len0,len1; - len0=sh->length[0]; - len1=sh->length[1]; - HASH512_process(sh,PAD); - while 
((sh->length[0]%1024)!=896) HASH512_process(sh,ZERO); - sh->w[14]=len1; - sh->w[15]=len0; - HASH512_transform(sh); - for (i=0; i<sh->hlen; i++) - { - /* convert to bytes */ - hash[i]=(char)((sh->h[i/8]>>(8*(7-i%8))) & 0xffL); - } - HASH512_init(sh); -} - - - -/* SHA3 */ - -#define SHA3_ROUNDS 24 -#define rotl(x,n) (((x)<<n) | ((x)>>(64-n))) - -/* round constants */ - -static const unsign64 RC[24]= -{ - 0x0000000000000001UL,0x0000000000008082UL,0x800000000000808AUL,0x8000000080008000UL, - 0x000000000000808BUL,0x0000000080000001UL,0x8000000080008081UL,0x8000000000008009UL, - 0x000000000000008AUL,0x0000000000000088UL,0x0000000080008009UL,0x000000008000000AUL, - 0x000000008000808BUL,0x800000000000008BUL,0x8000000000008089UL,0x8000000000008003UL, - 0x8000000000008002UL,0x8000000000000080UL,0x000000000000800AUL,0x800000008000000AUL, - 0x8000000080008081UL,0x8000000000008080UL,0x0000000080000001UL,0x8000000080008008UL -}; - -/* permutation */ - -static void SHA3_transform(sha3 *sh) -{ - int i,j,k; - unsign64 C[5],D[5],B[5][5]; - - for (k=0; k<SHA3_ROUNDS; k++) - { - C[0]=sh->S[0][0]^sh->S[0][1]^sh->S[0][2]^sh->S[0][3]^sh->S[0][4]; - C[1]=sh->S[1][0]^sh->S[1][1]^sh->S[1][2]^sh->S[1][3]^sh->S[1][4]; - C[2]=sh->S[2][0]^sh->S[2][1]^sh->S[2][2]^sh->S[2][3]^sh->S[2][4]; - C[3]=sh->S[3][0]^sh->S[3][1]^sh->S[3][2]^sh->S[3][3]^sh->S[3][4]; - C[4]=sh->S[4][0]^sh->S[4][1]^sh->S[4][2]^sh->S[4][3]^sh->S[4][4]; - - D[0]=C[4]^rotl(C[1],1); - D[1]=C[0]^rotl(C[2],1); - D[2]=C[1]^rotl(C[3],1); - D[3]=C[2]^rotl(C[4],1); - D[4]=C[3]^rotl(C[0],1); - - for (i=0; i<5; i++) - for (j=0; j<5; j++) - sh->S[i][j]^=D[i]; /* let the compiler unroll it! 
*/ - - B[0][0]=sh->S[0][0]; - B[1][3]=rotl(sh->S[0][1],36); - B[2][1]=rotl(sh->S[0][2],3); - B[3][4]=rotl(sh->S[0][3],41); - B[4][2]=rotl(sh->S[0][4],18); - - B[0][2]=rotl(sh->S[1][0],1); - B[1][0]=rotl(sh->S[1][1],44); - B[2][3]=rotl(sh->S[1][2],10); - B[3][1]=rotl(sh->S[1][3],45); - B[4][4]=rotl(sh->S[1][4],2); - - B[0][4]=rotl(sh->S[2][0],62); - B[1][2]=rotl(sh->S[2][1],6); - B[2][0]=rotl(sh->S[2][2],43); - B[3][3]=rotl(sh->S[2][3],15); - B[4][1]=rotl(sh->S[2][4],61); - - B[0][1]=rotl(sh->S[3][0],28); - B[1][4]=rotl(sh->S[3][1],55); - B[2][2]=rotl(sh->S[3][2],25); - B[3][0]=rotl(sh->S[3][3],21); - B[4][3]=rotl(sh->S[3][4],56); - - B[0][3]=rotl(sh->S[4][0],27); - B[1][1]=rotl(sh->S[4][1],20); - B[2][4]=rotl(sh->S[4][2],39); - B[3][2]=rotl(sh->S[4][3],8); - B[4][0]=rotl(sh->S[4][4],14); - - for (i=0; i<5; i++) - for (j=0; j<5; j++) - sh->S[i][j]=B[i][j]^(~B[(i+1)%5][j]&B[(i+2)%5][j]); - - sh->S[0][0]^=RC[k]; - } -} - -/* Re-Initialize. olen is output length in bytes - - should be 28, 32, 48 or 64 (224, 256, 384, 512 bits resp.) */ - -void SHA3_init(sha3 *sh,int olen) -{ - int i,j; - for (i=0; i<5; i++) - for (j=0; j<5; j++) - sh->S[i][j]=0; /* 5x5x8 bytes = 200 bytes of state */ - sh->length=0; - sh->len=olen; - sh->rate=200-2*olen; /* number of bytes consumed in one gulp. Note that some bytes in the - state ("capacity") are not touched. Gulps are smaller for larger digests. - Important that olen<rate */ -} - -/* process a single byte */ -void SHA3_process(sha3 *sh,int byt) -{ - int cnt=(int)(sh->length%sh->rate); - int i,j,b=cnt%8; - cnt/=8; - i=cnt%5; - j=cnt/5; /* process by columns! 
*/ - sh->S[i][j]^=((unsign64)byt<<(8*b)); - sh->length++; - if (sh->length%sh->rate==0) SHA3_transform(sh); -} - -/* squeeze the sponge */ -void SHA3_squeeze(sha3 *sh,char *buff,int len) -{ - int done,i,j,k,m=0; - unsign64 el; - /* extract by columns */ - done=0; - for (;;) - { - for (j=0; j<5; j++) - { - for (i=0; i<5; i++) - { - el=sh->S[i][j]; - for (k=0; k<8; k++) - { - buff[m++]=(el&0xff); - if (m>=len || m%sh->rate==0) - { - done=1; - break; - } - el>>=8; - } - if (done) break; - } - if (done) break; - } - if (m>=len) break; - done=0; - SHA3_transform(sh); - } -} - -void SHA3_hash(sha3 *sh,char *hash) -{ - /* generate a SHA3 hash of appropriate size */ - int q=sh->rate-(sh->length%sh->rate); - if (q==1) SHA3_process(sh,0x86); - else - { - SHA3_process(sh,0x06); /* 0x06 for SHA-3 */ - while ((int)sh->length%sh->rate!=sh->rate-1) SHA3_process(sh,0x00); - SHA3_process(sh,0x80); /* this will force a final transform */ - } - SHA3_squeeze(sh,hash,sh->len); -} - -void SHA3_shake(sha3 *sh,char *buff,int len) -{ - /* SHAKE out a buffer of variable length len */ - int q=sh->rate-(sh->length%sh->rate); - if (q==1) SHA3_process(sh,0x9f); - else - { - SHA3_process(sh,0x1f); // 0x06 for SHA-3 !!!! 
- while ((int) sh->length%sh->rate!=sh->rate-1) SHA3_process(sh,0x00); - SHA3_process(sh,0x80); /* this will force a final transform */ - } - SHA3_squeeze(sh,buff,len); -} - - -/* test program: should produce digest - -160 bit - -84983e44 1c3bd26e baae4aa1 f95129e5 e54670f1 - -256 bit - -248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1 - -512 bit - -8e959b75dae313da 8cf4f72814fc143f 8f7779c6eb9f7fa1 7299aeadb6889018 -501d289e4900f7e4 331b99dec4b5433a c7d329eeb6dd2654 5e96e55b874be909 - -384 bit - -09330c33f71147e8 3d192fc782cd1b47 53111b173b3b05d2 2fa08086e3b0f712 -fcc7c71a557e2db9 66c3e9fa91746039 -*/ -/* -#include <stdio.h> - -char test160[]="abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; -char test256[]="abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; -char test512[]="abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"; - -int main() -{ - char digest[100]; - int i; - - hash256 sh256; - hash384 sh384; - hash512 sh512; - sha3 SHA3; - - HASH256_init(&sh256); - for (i=0;test256[i]!=0;i++) HASH256_process(&sh256,test256[i]); - HASH256_hash(&sh256,digest); - for (i=0;i<32;i++) printf("%02x",(unsigned char)digest[i]); - printf("\n"); - - HASH384_init(&sh384); - for (i=0;test512[i]!=0;i++) HASH384_process(&sh384,test512[i]); - HASH384_hash(&sh384,digest); - for (i=0;i<48;i++) printf("%02x",(unsigned char)digest[i]); - printf("\n"); - - HASH512_init(&sh512); - for (i=0;test512[i]!=0;i++) HASH512_process(&sh512,test512[i]); - HASH512_hash(&sh512,digest); - for (i=0;i<64;i++) printf("%02x",(unsigned char)digest[i]); - printf("\n"); - - SHA3_init(&SHA3,SHA3_HASH256); - for (i=0;test512[i]!=0;i++) SHA3_process(&SHA3,test512[i]); - SHA3_hash(&sh512,digest); - for (i=0;i<32;i++) printf("%02x",(unsigned char)digest[i]); - printf("\n"); - - SHA3_init(&SHA3,SHA3_HASH512); - for (i=0;test512[i]!=0;i++) SHA3_process(&SHA3,test512[i]); - SHA3_hash(&sh512,digest); - for 
(i=0;i<64;i++) printf("%02x",(unsigned char)digest[i]); - printf("\n"); - - SHA3_init(&SHA3,SHAKE256); - for (i=0;test512[i]!=0;i++) SHA3_process(&SHA3,test512[i]); - SHA3_shake(&sh512,digest,72); - for (i=0;i<72;i++) printf("%02x",(unsigned char)digest[i]); - printf("\n"); - - - return 0; -} - -*/ http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/mpin.c ---------------------------------------------------------------------- diff --git a/version3/c/mpin.c b/version3/c/mpin.c deleted file mode 100644 index cb6c04f..0000000 --- a/version3/c/mpin.c +++ /dev/null 
@@ -1,995 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* MPIN Functions */ - -/* Version 3.0 - supports Time Permits */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include "mpin_ZZZ.h" - -#define ROUNDUP(a,b) ((a)-1)/(b)+1 - -/* Special mpin hashing */ -static void mpin_hash(int sha,FP4_YYY *f, ECP_ZZZ *P,octet *w) -{ - int i; - BIG_XXX x,y; - char h[64]; - hash256 sha256; - hash512 sha512; - char t[6*MODBYTES_XXX]; // to hold 6 BIGs - int hlen=sha; - - - FP_YYY_redc(x,&(f->a.a)); - BIG_XXX_toBytes(&t[0],x); - FP_YYY_redc(x,&(f->a.b)); - BIG_XXX_toBytes(&t[MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.a)); - BIG_XXX_toBytes(&t[2*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.b)); - BIG_XXX_toBytes(&t[3*MODBYTES_XXX],x); - ECP_ZZZ_get(x,y,P); - BIG_XXX_toBytes(&t[4*MODBYTES_XXX],x); - BIG_XXX_toBytes(&t[5*MODBYTES_XXX],y); - - OCT_empty(w); - switch (sha) - { - case SHA256: - HASH256_init(&sha256); - for (i=0; i<6*MODBYTES_XXX; i++) HASH256_process(&sha256,t[i]); - HASH256_hash(&sha256,h); - break; - case SHA384: - HASH384_init(&sha512); - for (i=0; i<6*MODBYTES_XXX; i++) HASH384_process(&sha512,t[i]); - HASH384_hash(&sha512,h); - break; - case SHA512: - HASH512_init(&sha512); - for (i=0; i<6*MODBYTES_XXX; 
i++) HASH512_process(&sha512,t[i]); - HASH512_hash(&sha512,h); - break; - } - - OCT_jbytes(w,h,AESKEY_ZZZ); - for (i=0; i<hlen; i++) h[i]=0; -} - -/* these next two functions help to implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* maps a random u to a point on the curve */ -static void map(ECP_ZZZ *P,BIG_XXX u,int cb) -{ - BIG_XXX x,q; - - BIG_XXX_rcopy(q,Modulus_YYY); - BIG_XXX_copy(x,u); - BIG_XXX_mod(x,q); - - while (!ECP_ZZZ_setx(P,x,cb)) - { - BIG_XXX_inc(x,1); - BIG_XXX_norm(x); - } -} - -/* returns u derived from P. Random value in range 1 to return value should then be added to u */ -static int unmap(BIG_XXX u,int *cb,ECP_ZZZ *P) -{ - int s,r=0; - BIG_XXX x; - - s=ECP_ZZZ_get(x,x,P); - BIG_XXX_copy(u,x); - do - { - BIG_XXX_dec(u,1); - BIG_XXX_norm(u); - r++; - } - while (!ECP_ZZZ_setx(P,u,s)); - ECP_ZZZ_setx(P,x,s); - - *cb=s; - - return r; -} - -/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */ -/* Note that u and v are indistinguisible from random strings */ -int MPIN_ZZZ_ENCODING(csprng *RNG,octet *E) -{ - int rn,m,su,sv,res=0; - - BIG_XXX q,u,v; - ECP_ZZZ P,W; - - if (!ECP_ZZZ_fromOctet(&P,E)) res=MPIN_INVALID_POINT; - if (res==0) - { - BIG_XXX_rcopy(q,Modulus_YYY); - - BIG_XXX_randomnum(u,q,RNG); - - su=RAND_byte(RNG); - if (su<0) su=-su; - su%=2; - map(&W,u,su); - ECP_ZZZ_sub(&P,&W); //ECP_ZZZ_affine(&P); - - rn=unmap(v,&sv,&P); - m=RAND_byte(RNG); - if (m<0) m=-m; - m%=rn; - BIG_XXX_inc(v,m+1); - E->val[0]=su+2*sv; - BIG_XXX_toBytes(&(E->val[1]),u); - BIG_XXX_toBytes(&(E->val[PFS_ZZZ+1]),v); - } - return res; -} - -int MPIN_ZZZ_DECODING(octet *D) -{ - int su,sv; - BIG_XXX u,v; - ECP_ZZZ P,W; - int res=0; - - if ((D->val[0]&0x04)!=0) res=MPIN_INVALID_POINT; - if (res==0) - { - - BIG_XXX_fromBytes(u,&(D->val[1])); - BIG_XXX_fromBytes(v,&(D->val[PFS_ZZZ+1])); - - su=D->val[0]&1; - sv=(D->val[0]>>1)&1; - 
map(&W,u,su);
- map(&P,v,sv);
- ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P);
- ECP_ZZZ_toOctet(D,&P,false);
- }
-
- return res;
-}
-
-/* R=R1+R2 in group G1 */
-int MPIN_ZZZ_RECOMBINE_G1(octet *R1,octet *R2,octet *R)
-{
- ECP_ZZZ P,T;
- int res=0;
- if (res==0)
- {
- if (!ECP_ZZZ_fromOctet(&P,R1)) res=MPIN_INVALID_POINT;
- if (!ECP_ZZZ_fromOctet(&T,R2)) res=MPIN_INVALID_POINT;
- }
- if (res==0)
- {
- ECP_ZZZ_add(&P,&T); //ECP_ZZZ_affine(&P);
- ECP_ZZZ_toOctet(R,&P,false);
- }
- return res;
-}
-
-/* W=W1+W2 in group G2 */
-int MPIN_ZZZ_RECOMBINE_G2(octet *W1,octet *W2,octet *W)
-{
- ECP2_ZZZ Q,T;
- int res=0;
- if (!ECP2_ZZZ_fromOctet(&Q,W1)) res=MPIN_INVALID_POINT;
- if (!ECP2_ZZZ_fromOctet(&T,W2)) res=MPIN_INVALID_POINT;
- if (res==0)
- {
- ECP2_ZZZ_add(&Q,&T); //ECP2_ZZZ_affine(&Q);
- ECP2_ZZZ_toOctet(W,&Q);
- }
- return res;
-}
-
-/* create random secret S */
-int MPIN_ZZZ_RANDOM_GENERATE(csprng *RNG,octet* S)
-{
- BIG_XXX r,s;
-
- BIG_XXX_rcopy(r,CURVE_Order_ZZZ);
- BIG_XXX_randomnum(s,r,RNG);
-#ifdef AES_S
- BIG_XXX_mod2m(s,2*AES_S);
-#endif
- BIG_XXX_toBytes(S->val,s);
- S->len=MODBYTES_XXX;
- return 0;
-}
-
-/* Extract PIN from TOKEN for identity CID */
-int MPIN_ZZZ_EXTRACT_PIN(int sha,octet *CID,int pin,octet *TOKEN)
-{
- pin%=MAXPIN;
- return MPIN_ZZZ_EXTRACT_FACTOR(sha,CID,pin,PBLEN,TOKEN);
-}
-
-/* Extract a factor < 32 bits for identity CID */
-int MPIN_ZZZ_EXTRACT_FACTOR(int sha,octet *CID,int factor,int facbits,octet *TOKEN)
-{
- ECP_ZZZ P,R;
- int res=0;
- char h[MODBYTES_XXX];
- octet H= {0,sizeof(h),h};
-
- if (!ECP_ZZZ_fromOctet(&P,TOKEN)) res=MPIN_INVALID_POINT;
- if (res==0)
- {
- mhashit(sha,-1,CID,&H);
- ECP_ZZZ_mapit(&R,&H);
-
- ECP_ZZZ_pinmul(&R,factor,facbits);
- ECP_ZZZ_sub(&P,&R); //ECP_ZZZ_affine(&P);
-
- ECP_ZZZ_toOctet(TOKEN,&P,false);
- }
- return res;
-}
-
-/* Extract a factor < 32 bits for identity CID */
-int MPIN_ZZZ_RESTORE_FACTOR(int sha,octet *CID,int factor,int facbits,octet *TOKEN)
-{
- ECP_ZZZ P,R;
- int res=0;
- char
h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - if (!ECP_ZZZ_fromOctet(&P,TOKEN)) res=MPIN_INVALID_POINT; - if (res==0) - { - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&R,&H); - - ECP_ZZZ_pinmul(&R,factor,facbits); - ECP_ZZZ_add(&P,&R); //ECP_ZZZ_affine(&P); - - ECP_ZZZ_toOctet(TOKEN,&P,false); - } - return res; -} - -/* Implement step 2 on client side of MPin protocol - SEC=-(x+y)*SEC */ -int MPIN_ZZZ_CLIENT_2(octet *X,octet *Y,octet *SEC) -{ - BIG_XXX px,py,r; - ECP_ZZZ P; - int res=0; - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (!ECP_ZZZ_fromOctet(&P,SEC)) res=MPIN_INVALID_POINT; - if (res==0) - { - BIG_XXX_fromBytes(px,X->val); - BIG_XXX_fromBytes(py,Y->val); - BIG_XXX_add(px,px,py); - BIG_XXX_mod(px,r); - // BIG_XXX_sub(px,r,px); - PAIR_ZZZ_G1mul(&P,px); - ECP_ZZZ_neg(&P); - ECP_ZZZ_toOctet(SEC,&P,false); - } - return res; -} - -/* - W=x*H(G); - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve -*/ - -int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *RNG,int type,octet *X,octet *G,octet *W) -{ - ECP_ZZZ P; - BIG_XXX r,x; - int res=0; - if (RNG!=NULL) - { - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - BIG_XXX_fromBytes(x,X->val); - - if (type==0) - { - if (!ECP_ZZZ_fromOctet(&P,G)) res=MPIN_INVALID_POINT; - } - else - { - ECP_ZZZ_mapit(&P,G); - } - - if (res==0) - { - PAIR_ZZZ_G1mul(&P,x); - ECP_ZZZ_toOctet(W,&P,false); - } - return res; -} - -/* - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - W=x*G where G is point on the curve - if type==1 W=(x^-1)G -*/ - -int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *RNG,int type,octet *X,octet *G,octet *W) -{ - ECP2_ZZZ P; - BIG_XXX r,x; - int res=0; - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (RNG!=NULL) - { - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - 
BIG_XXX_mod2m(x,2*AES_S);
-#endif
- X->len=MODBYTES_XXX;
- BIG_XXX_toBytes(X->val,x);
- }
- else
- {
- BIG_XXX_fromBytes(x,X->val);
- if (type==1) BIG_XXX_invmodp(x,x,r);
- }
-
- if (!ECP2_ZZZ_fromOctet(&P,G)) res=MPIN_INVALID_POINT;
-
- if (res==0)
- {
- PAIR_ZZZ_G2mul(&P,x);
- ECP2_ZZZ_toOctet(W,&P);
- }
- return res;
-}
-
-
-
-/* Client secret CST=s*H(CID) where CID is client ID and s is master secret */
-/* CID is hashed externally */
-int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *CID,octet *CST)
-{
- return MPIN_ZZZ_GET_G1_MULTIPLE(NULL,1,S,CID,CST);
-}
-
-/* Implement step 1 on client side of MPin protocol */
-int MPIN_ZZZ_CLIENT_1(int sha,int date,octet *CLIENT_ID,csprng *RNG,octet *X,int pin,octet *TOKEN,octet *SEC,octet *xID,octet *xCID,octet *PERMIT)
-{
- BIG_XXX r,x;
- ECP_ZZZ P,T,W;
- int res=0;
- char h[MODBYTES_XXX];
- octet H= {0,sizeof(h),h};
-
- BIG_XXX_rcopy(r,CURVE_Order_ZZZ);
- if (RNG!=NULL)
- {
- BIG_XXX_randomnum(x,r,RNG);
-#ifdef AES_S
- BIG_XXX_mod2m(x,2*AES_S);
-#endif
- X->len=MODBYTES_XXX;
- BIG_XXX_toBytes(X->val,x);
- }
- else
- BIG_XXX_fromBytes(x,X->val);
-
- mhashit(sha,-1,CLIENT_ID,&H);
-
- ECP_ZZZ_mapit(&P,&H);
-
- if (!ECP_ZZZ_fromOctet(&T,TOKEN)) res=MPIN_INVALID_POINT;
-
- if (res==0)
- {
- pin%=MAXPIN;
-
- ECP_ZZZ_copy(&W,&P); // W=H(ID)
- ECP_ZZZ_pinmul(&W,pin,PBLEN); // W=alpha.H(ID)
- ECP_ZZZ_add(&T,&W); // T=Token+alpha.H(ID) = s.H(ID)
-
- if (date)
- {
- if (PERMIT!=NULL)
- {
- if (!ECP_ZZZ_fromOctet(&W,PERMIT)) res=MPIN_INVALID_POINT;
- ECP_ZZZ_add(&T,&W); // SEC=s.H(ID)+s.H(T|ID)
- }
- mhashit(sha,date,&H,&H);
-
- ECP_ZZZ_mapit(&W,&H);
- if (xID!=NULL)
- {
- PAIR_ZZZ_G1mul(&P,x); // P=x.H(ID)
- ECP_ZZZ_toOctet(xID,&P,false); // xID
- PAIR_ZZZ_G1mul(&W,x); // W=x.H(T|ID)
- ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P);
- }
- else
- {
- ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P);
- PAIR_ZZZ_G1mul(&P,x);
- }
- if (xCID!=NULL) ECP_ZZZ_toOctet(xCID,&P,false); // U
- }
- else
- {
- if (xID!=NULL)
- {
- PAIR_ZZZ_G1mul(&P,x); //
P=x.H(ID)
- ECP_ZZZ_toOctet(xID,&P,false); // xID
- }
- }
- }
-
- if (res==0)
- {
- //ECP_ZZZ_affine(&T);
- ECP_ZZZ_toOctet(SEC,&T,false); // V
- }
- return res;
-}
-
-/* Extract Server Secret SST=S*Q where Q is fixed generator in G2 and S is master secret */
-int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SST)
-{
- BIG_XXX r,s;
- ECP2_ZZZ Q;
- int res=0;
-
- BIG_XXX_rcopy(r,CURVE_Order_ZZZ);
-
- ECP2_ZZZ_generator(&Q);
-
- if (res==0)
- {
-
- BIG_XXX_fromBytes(s,S->val);
- PAIR_ZZZ_G2mul(&Q,s);
- ECP2_ZZZ_toOctet(SST,&Q);
- }
-
- return res;
-}
-
-
-/* Time Permit CTT=s*H(date|H(CID)) where s is master secret */
-int MPIN_ZZZ_GET_CLIENT_PERMIT(int sha,int date,octet *S,octet *CID,octet *CTT)
-{
- BIG_XXX s;
- ECP_ZZZ P;
- char h[MODBYTES_XXX];
- octet H= {0,sizeof(h),h};
-
- mhashit(sha,date,CID,&H);
-
- ECP_ZZZ_mapit(&P,&H);
-
-//printf("P= "); ECP_ZZZ_output(&P); printf("\n");
-//exit(0);
-
- BIG_XXX_fromBytes(s,S->val);
-
-
-
-//printf("s= "); BIG_XXX_output(s); printf("\n");
- PAIR_ZZZ_G1mul(&P,s);
-//printf("OP= "); ECP_ZZZ_output(&P); printf("\n");
-//
- ECP_ZZZ_toOctet(CTT,&P,false);
- return 0;
-}
-
-// if date=0 only use HID, set HCID=NULL
-// if date and PE, use HID and HCID
-
-/* Outputs H(CID) and H(CID)+H(T|H(CID)) for time permits.
If no time permits set HTID=NULL */
-void MPIN_ZZZ_SERVER_1(int sha,int date,octet *CID,octet *HID,octet *HTID)
-{
- char h[MODBYTES_XXX];
- octet H= {0,sizeof(h),h};
- ECP_ZZZ P,R;
-
-#ifdef USE_ANONYMOUS
- ECP_ZZZ_mapit(&P,CID);
-#else
- mhashit(sha,-1,CID,&H);
- ECP_ZZZ_mapit(&P,&H);
-#endif
-
- ECP_ZZZ_toOctet(HID,&P,false); // new
-
- if (date)
- {
- // if (HID!=NULL) ECP_ZZZ_toOctet(HID,&P,false);
-#ifdef USE_ANONYMOUS
- mhashit(sha,date,CID,&H);
-#else
- mhashit(sha,date,&H,&H);
-#endif
- ECP_ZZZ_mapit(&R,&H);
- ECP_ZZZ_add(&P,&R); //ECP_ZZZ_affine(&P);
- ECP_ZZZ_toOctet(HTID,&P,false);
- }
- //else ECP_ZZZ_toOctet(HID,&P,false);
-
-}
-
-/* Implement M-Pin on server side */
-int MPIN_ZZZ_SERVER_2(int date,octet *HID,octet *HTID,octet *Y,octet *SST,octet *xID,octet *xCID,octet *mSEC,octet *E,octet *F,octet *Pa)
-{
- BIG_XXX px,py,y;
- FP12_YYY g;
- ECP2_ZZZ Q,sQ;
- ECP_ZZZ P,R;
- int res=0;
-
- ECP2_ZZZ_generator(&Q);
-
- // key-escrow less scheme: use Pa instead of Q in pairing computation
- // Q left for backward compatiblity
- if (Pa!=NULL)
- {
- if (!ECP2_ZZZ_fromOctet(&Q, Pa)) res=MPIN_INVALID_POINT;
- }
-
- if (res==0)
- {
- if (!ECP2_ZZZ_fromOctet(&sQ,SST)) res=MPIN_INVALID_POINT;
- }
-
- if (res==0)
- {
- if (date)
- {
- //BIG_XXX_fromBytes(px,&(xCID->val[1]));
- //BIG_XXX_fromBytes(py,&(xCID->val[PFS_ZZZ+1]));
- if (!ECP_ZZZ_fromOctet(&R,xCID)) res=MPIN_INVALID_POINT;
- }
- else
- {
- //BIG_XXX_fromBytes(px,&(xID->val[1]));
- //BIG_XXX_fromBytes(py,&(xID->val[PFS_ZZZ+1]));
- if (!ECP_ZZZ_fromOctet(&R,xID)) res=MPIN_INVALID_POINT;
- }
- //if (!ECP_ZZZ_set(&R,px,py)) res=MPIN_INVALID_POINT; // x(A+AT)
- }
- if (res==0)
- {
- BIG_XXX_fromBytes(y,Y->val);
- if (date)
- {
- if (!ECP_ZZZ_fromOctet(&P,HTID)) res=MPIN_INVALID_POINT;
- }
- else
- {
- if (!ECP_ZZZ_fromOctet(&P,HID)) res=MPIN_INVALID_POINT;
- }
- }
- if (res==0)
- {
- PAIR_ZZZ_G1mul(&P,y); // y(A+AT)
- ECP_ZZZ_add(&P,&R); // x(A+AT)+y(A+T)
- //ECP_ZZZ_affine(&P);
- if
(!ECP_ZZZ_fromOctet(&R,mSEC)) res=MPIN_INVALID_POINT; // V
- }
- if (res==0)
- {
-
- PAIR_ZZZ_double_ate(&g,&Q,&R,&sQ,&P);
- PAIR_ZZZ_fexp(&g);
-
- if (!FP12_YYY_isunity(&g))
- {
- if (HID!=NULL && xID!=NULL && E!=NULL && F !=NULL)
- {
- /* xID is set to NULL if there is no way to calculate PIN error */
- FP12_YYY_toOctet(E,&g);
-
- /* Note error is in the PIN, not in the time permit! Hence the need to exclude Time Permit from this check */
-
- if (date)
- {
- if (!ECP_ZZZ_fromOctet(&P,HID)) res=MPIN_INVALID_POINT;
- if (!ECP_ZZZ_fromOctet(&R,xID)) res=MPIN_INVALID_POINT; // U
-
- if (res==0)
- {
- PAIR_ZZZ_G1mul(&P,y); // yA
- ECP_ZZZ_add(&P,&R); // yA+xA
- //ECP_ZZZ_affine(&P);
- }
- }
- if (res==0)
- {
- PAIR_ZZZ_ate(&g,&Q,&P);
- PAIR_ZZZ_fexp(&g);
- FP12_YYY_toOctet(F,&g);
- }
- }
- res=MPIN_BAD_PIN;
- }
- }
-
- return res;
-}
-
-#if MAXPIN==10000
-#define MR_TS 10 /* 2^10/10 approx = sqrt(MAXPIN) */
-#define TRAP 200 /* 2*sqrt(MAXPIN) */
-#endif
-
-#if MAXPIN==1000000
-#define MR_TS 14
-#define TRAP 2000
-#endif
-
-/* Pollards kangaroos used to return PIN error */
-int MPIN_ZZZ_KANGAROO(octet *E,octet *F)
-{
- int i,j,m,s,dn,dm,steps;
- int distance[MR_TS];
- FP12_YYY ge,gf,t,table[MR_TS];
- int res=0;
- // BIG_XXX w;
-
- FP12_YYY_fromOctet(&ge,E);
- FP12_YYY_fromOctet(&gf,F);
-
- FP12_YYY_copy(&t,&gf);
-
- for (s=1,m=0; m<MR_TS; m++)
- {
- distance[m]=s;
- FP12_YYY_copy(&table[m],&t);
- s*=2;
- FP12_YYY_usqr(&t,&t);
- FP12_YYY_reduce(&t);
- }
-
- FP12_YYY_one(&t);
-
- for (dn=0,j=0; j<TRAP; j++)
- {
-
- //BIG_XXX_copy(w,t.a.a.a);
- //FP_YYY_redc(w);
- //i=BIG_XXX_lastbits(w,20)%MR_TS;
-
- i=t.a.a.a.g[0]%MR_TS;
-
- FP12_YYY_mul(&t,&table[i]);
- FP12_YYY_reduce(&t);
- dn+=distance[i];
- }
-
- FP12_YYY_conj(&gf,&t);
- steps=0;
- dm=0;
- while (dm-dn<MAXPIN)
- {
- steps++;
- if (steps>4*TRAP) break;
-
- //BIG_XXX_copy(w,ge.a.a.a);
- //FP_YYY_redc(w);
- //i=BIG_XXX_lastbits(w,20)%MR_TS;
-
- i=ge.a.a.a.g[0]%MR_TS;
-
- FP12_YYY_mul(&ge,&table[i]);
-
FP12_YYY_reduce(&ge); - dm+=distance[i]; - if (FP12_YYY_equals(&ge,&t)) - { - res=dm-dn; - break; - } - if (FP12_YYY_equals(&ge,&gf)) - { - res=dn-dm; - break; - } - } - if (steps>4*TRAP || dm-dn>=MAXPIN) - { - res=0; /* Trap Failed - probable invalid token */ - } - - return res; -} - -/* Functions to support M-Pin Full */ - -int MPIN_ZZZ_PRECOMPUTE(octet *TOKEN,octet *CID,octet *CP,octet *G1,octet *G2) -{ - ECP_ZZZ P,T; - ECP2_ZZZ Q; - FP12_YYY g; - int res=0; - - if (!ECP_ZZZ_fromOctet(&T,TOKEN)) res=MPIN_INVALID_POINT; - - if (res==0) - { - ECP_ZZZ_mapit(&P,CID); - if (CP!=NULL) - { - if (!ECP2_ZZZ_fromOctet(&Q,CP)) res=MPIN_INVALID_POINT; - } - else - { - ECP2_ZZZ_generator(&Q); - } - } - if (res==0) - { - PAIR_ZZZ_ate(&g,&Q,&T); - PAIR_ZZZ_fexp(&g); - - FP12_YYY_toOctet(G1,&g); - if (G2!=NULL) - { - PAIR_ZZZ_ate(&g,&Q,&P); - PAIR_ZZZ_fexp(&g); - FP12_YYY_toOctet(G2,&g); - } - } - return res; -} - -/* calculate common key on client side */ -/* wCID = w.(A+AT) */ -int MPIN_ZZZ_CLIENT_KEY(int sha,octet *G1,octet *G2,int pin,octet *R,octet *X,octet *H,octet *wCID,octet *CK) -{ - FP12_YYY g1,g2; - FP4_YYY c;//,cp,cpm1,cpm2; -// FP2_YYY f; - ECP_ZZZ W; - int res=0; - BIG_XXX r,z,x,h;//q,m,a,b; - - FP12_YYY_fromOctet(&g1,G1); - FP12_YYY_fromOctet(&g2,G2); - BIG_XXX_fromBytes(z,R->val); - BIG_XXX_fromBytes(x,X->val); - BIG_XXX_fromBytes(h,H->val); - - if (!ECP_ZZZ_fromOctet(&W,wCID)) res=MPIN_INVALID_POINT; - - if (res==0) - { - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_add(z,z,h); // new - BIG_XXX_mod(z,r); - - FP12_YYY_pinpow(&g2,pin,PBLEN); - FP12_YYY_mul(&g1,&g2); - - PAIR_ZZZ_G1mul(&W,x); - - FP12_YYY_compow(&c,&g1,z,r); - - /* BIG_XXX_rcopy(a,Fra_YYY); - BIG_XXX_rcopy(b,Frb_YYY); - FP2_YYY_from_BIGs(&f,a,b); - - BIG_XXX_rcopy(q,Modulus_YYY); - BIG_XXX_copy(m,q); - BIG_XXX_mod(m,r); - - BIG_XXX_copy(a,z); - BIG_XXX_mod(a,m); - - BIG_XXX_copy(b,z); - BIG_XXX_sdiv(b,m); - - - FP12_YYY_trace(&c,&g1); - - FP12_YYY_copy(&g2,&g1); - FP12_YYY_frob(&g2,&f); - 
FP12_YYY_trace(&cp,&g2); - - FP12_YYY_conj(&g1,&g1); - FP12_YYY_mul(&g2,&g1); - FP12_YYY_trace(&cpm1,&g2); - FP12_YYY_mul(&g2,&g1); - FP12_YYY_trace(&cpm2,&g2); - - FP4_YYY_xtr_pow2(&c,&cp,&c,&cpm1,&cpm2,a,b); - */ - mpin_hash(sha,&c,&W,CK); - - } - return res; -} - -/* calculate common key on server side */ -/* Z=r.A - no time permits involved */ - -int MPIN_ZZZ_SERVER_KEY(int sha,octet *Z,octet *SST,octet *W,octet *H,octet *HID,octet *xID,octet *xCID,octet *SK) -{ - int res=0; - FP12_YYY g; - FP4_YYY c; - ECP_ZZZ R,U,A; - ECP2_ZZZ sQ; - BIG_XXX w,h; - - if (!ECP2_ZZZ_fromOctet(&sQ,SST)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&R,Z)) res=MPIN_INVALID_POINT; - - - if (!ECP_ZZZ_fromOctet(&A,HID)) res=MPIN_INVALID_POINT; - - // new - if (xCID!=NULL) - { - if (!ECP_ZZZ_fromOctet(&U,xCID)) res=MPIN_INVALID_POINT; - } - else - { - if (!ECP_ZZZ_fromOctet(&U,xID)) res=MPIN_INVALID_POINT; - } - BIG_XXX_fromBytes(w,W->val); - BIG_XXX_fromBytes(h,H->val); - - - PAIR_ZZZ_ate(&g,&sQ,&A); - PAIR_ZZZ_fexp(&g); - - if (res==0) - { - PAIR_ZZZ_G1mul(&A,h); - ECP_ZZZ_add(&R,&A); // new - //ECP_ZZZ_affine(&R); - PAIR_ZZZ_ate(&g,&sQ,&R); - PAIR_ZZZ_fexp(&g); - PAIR_ZZZ_G1mul(&U,w); - FP12_YYY_trace(&c,&g); - mpin_hash(sha,&c,&U,SK); - } - return res; -} - -/* Generate Y = H(TimeValue, xCID/xID) */ -void MPIN_ZZZ_GET_Y(int sha,int TimeValue,octet *xCID,octet *Y) -{ - BIG_XXX q,y; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - mhashit(sha,TimeValue,xCID,&H); - BIG_XXX_fromBytes(y,H.val); - BIG_XXX_rcopy(q,CURVE_Order_ZZZ); - BIG_XXX_mod(y,q); - BIG_XXX_toBytes(Y->val,y); - Y->len=PGS_ZZZ; -} - -/* One pass MPIN Client */ -int MPIN_ZZZ_CLIENT(int sha,int date,octet *ID,csprng *RNG,octet *X,int pin,octet *TOKEN,octet *V,octet *U,octet *UT,octet *TP,octet *MESSAGE,int TimeValue,octet *Y) -{ - int rtn=0; - char m[M_SIZE_ZZZ]; - octet M= {0,sizeof(m),m}; - - octet *pID; - if (date == 0) - pID = U; - else - pID = UT; - - rtn = 
MPIN_ZZZ_CLIENT_1(sha,date,ID,RNG,X,pin,TOKEN,V,U,UT,TP);
- if (rtn != 0)
- return rtn;
-
- OCT_joctet(&M,pID);
- if (MESSAGE!=NULL)
- {
- OCT_joctet(&M,MESSAGE);
- }
-
- MPIN_ZZZ_GET_Y(sha,TimeValue,&M,Y);
-
- rtn = MPIN_ZZZ_CLIENT_2(X,Y,V);
- if (rtn != 0)
- return rtn;
-
- return 0;
-}
-
-/* One pass MPIN Server */
-int MPIN_ZZZ_SERVER(int sha,int date,octet *HID,octet *HTID,octet *Y,octet *sQ,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE,int TimeValue, octet *Pa)
-{
- int rtn=0;
- char m[M_SIZE_ZZZ];
- octet M= {0,sizeof(m),m};
-
- octet *pU;
- if (date == 0)
- pU = U;
- else
- pU = UT;
-
- MPIN_ZZZ_SERVER_1(sha,date,ID,HID,HTID);
-
- OCT_joctet(&M,pU);
- if (MESSAGE!=NULL)
- {
- OCT_joctet(&M,MESSAGE);
- }
-
- MPIN_ZZZ_GET_Y(sha,TimeValue,&M,Y);
-
- rtn = MPIN_ZZZ_SERVER_2(date,HID,HTID,Y,sQ,U,UT,V,E,F,Pa);
- if (rtn != 0)
- return rtn;
-
- return 0;
-}
-
-int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa)
-{
- BIG_XXX z,r;
- ECP2_ZZZ Q;
- int res=0;
-
- BIG_XXX_rcopy(r,CURVE_Order_ZZZ);
-
- if (R!=NULL)
- {
- BIG_XXX_randomnum(z,r,R);
- Z->len=MODBYTES_XXX;
- BIG_XXX_toBytes(Z->val,z);
- }
- else
- BIG_XXX_fromBytes(z,Z->val);
-
- BIG_XXX_invmodp(z,z,r);
-
- ECP2_ZZZ_generator(&Q);
-
- if (res==0)
- {
- PAIR_ZZZ_G2mul(&Q,z);
- ECP2_ZZZ_toOctet(Pa,&Q);
- }
-
- return res;
-}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/mpin.h
----------------------------------------------------------------------
diff --git a/version3/c/mpin.h b/version3/c/mpin.h
deleted file mode 100644
index 98c853c..0000000
--- a/version3/c/mpin.h
+++ /dev/null
@@ -1,345 +0,0 @@
-/*
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied. See the License for the
-specific language governing permissions and limitations
-under the License.
-*/
-
-/**
- * @file mpin.h
- * @author Mike Scott
- * @brief M-Pin Header file
- *
- *
- */
-
-#ifndef MPIN_ZZZ_H
-#define MPIN_ZZZ_H
-
-#include "pair_ZZZ.h"
-#include "pbc_support.h"
-
-/* Field size is assumed to be greater than or equal to group size */
-
-#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */
-#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */
-//#define PAS_ZZZ 16 /**< MPIN Symmetric Key Size */
-
-#define MPIN_OK 0 /**< Function completed without error */
-#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */
-#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */
-
-#define MPIN_PAS 16 /**< MPIN Symmetric Key Size */
-#define MAXPIN 10000 /**< max PIN */
-#define PBLEN 14 /**< max length of PIN in bits */
-
-//#define HASH_TYPE_MPIN_ZZZ SHA256 /**< Choose Hash function */
-
-#define MESSAGE_SIZE 256 /**< Signature message size */
-#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */
-
-/* MPIN support functions */
-
-/* MPIN primitives */
-
-
-/** @brief Generate Y=H(s,O), where s is epoch time, O is an octet, and H(.)
is a hash function
- *
- @param h is the hash type
- @param t is epoch time in seconds
- @param O is an input octet
- @param Y is the output octet
-*/
-void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y);
-
-/** @brief Extract a PIN number from a client secret
- *
- @param h is the hash type
- @param ID is the input client identity
- @param factor is an input factor
- @param facbits is the number of bits in the factor
- @param CS is the client secret from which the factor is to be extracted
- @return 0 or an error code
- */
-int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
-
-/** @brief Extract a PIN number from a client secret
- *
- @param h is the hash type
- @param ID is the input client identity
- @param factor is an input factor
- @param facbits is the number of bits in the factor
- @param CS is the client secret to which the factor is to be added
- @return 0 or an error code
- */
-int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS);
-
-
-/** @brief Extract a PIN number from a client secret
- *
- @param h is the hash type
- @param ID is the input client identity
- @param pin is an input PIN number
- @param CS is the client secret from which the PIN is to be extracted
- @return 0 or an error code
- */
-int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS);
-
-
-
-/** @brief Perform client side of the one-pass version of the M-Pin protocol
- *
- If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL.
- If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL.
- If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated.
- @param h is the hash type
- @param d is input date, in days since the epoch.
Set to 0 if Time permits disabled - @param ID is the input client identity - @param R is a pointer to a cryptographically secure random number generator - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param pin is the input PIN number - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit - @param U is output = x.H(ID) - @param UT is output = x.(H(ID)+H(d|H(ID))) - @param TP is the input time permit - @param MESSAGE is the message to be signed - @param t is input epoch time in seconds - a timestamp - @param y is output H(t|U) or H(t|UT) if Time Permits enabled - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y); -/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. - @param h is the hash type - @param d is input date, in days since the epoch. 
Set to 0 if Time permits disabled
- @param ID is the input client identity
- @param R is a pointer to a cryptographically secure random number generator
- @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
- @param pin is the input PIN number
- @param T is the input M-Pin token (the client secret with PIN portion removed)
- @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit
- @param U is output = x.H(ID)
- @param UT is output = x.(H(ID)+H(d|H(ID)))
- @param TP is the input time permit
- @return 0 or an error code
- */
-int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP);
-/** @brief Generate a random group element
- *
- @param R is a pointer to a cryptographically secure random number generator
- @param S is the output random octet
- @return 0 or an error code
- */
-int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S);
-/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol
- *
- @param x an input, a locally generated random number
- @param y an input random challenge from the server
- @param V on output = -(x+y).V
- @return 0 or an error code
- */
-int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V);
-/** @brief Perform server side of the one-pass version of the M-Pin protocol
- *
- If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL.
- If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL.
- If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required.
- @param h is the hash type
- @param d is input date, in days since the epoch.
Set to 0 if Time permits disabled - @param HID is output H(ID), a hash of the client ID - @param HTID is output H(ID)+H(d|H(ID)) - @param y is output H(t|U) or H(t|UT) if Time Permits enabled - @param SS is the input server secret - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param V is an input from the client - @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param ID is the input claimed client identity - @param MESSAGE is the message to be signed - @param t is input epoch time in seconds - a timestamp - @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa); -/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol - * - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input claimed client identity - @param HID is output H(ID), a hash of the client ID - @param HTID is output H(ID)+H(d|H(ID)) - @return 0 or an error code - */ -void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID); -/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. - @param d is input date, in days since the epoch. 
Set to 0 if Time permits disabled
- @param HID is input H(ID), a hash of the client ID
- @param HTID is input H(ID)+H(d|H(ID))
- @param y is the input server's randomly generated challenge
- @param SS is the input server secret
- @param U is input from the client = x.H(ID)
- @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
- @param V is an input from the client
- @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required
- @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required
- @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin
- @return 0 or an error code
- */
-int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa);
-/** @brief Add two members from the group G1
- *
- @param Q1 an input member of G1
- @param Q2 an input member of G1
- @param Q an output member of G1 = Q1+Q2
- @return 0 or an error code
- */
-int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q);
-/** @brief Add two members from the group G2
- *
- @param P1 an input member of G2
- @param P2 an input member of G2
- @param P an output member of G2 = P1+P2
- @return 0 or an error code
- */
-int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P);
-/** @brief Use Kangaroos to find PIN error
- *
- @param E a member of the group GT
- @param F a member of the group GT = E^e
- @return 0 if Kangaroos failed, or the PIN error e
- */
-int MPIN_ZZZ_KANGAROO(octet *E,octet *F);
-/** @brief Encoding of a Time Permit to make it indistinguishable from a random string
- *
- @param R is a pointer to a cryptographically secure random number generator
- @param TP is the input time permit, obfuscated on output
- @return 0 or an error code
- */
-int MPIN_ZZZ_ENCODING(csprng *R,octet *TP);
-/** @brief Encoding of an obfuscated Time Permit
- *
- @param TP is the input obfuscated time permit, restored on output
- @return 0 or an
error code
- */
-int MPIN_ZZZ_DECODING(octet *TP);
-
-/** @brief Find a random multiple of a point in G1
- *
- @param R is a pointer to a cryptographically secure random number generator
- @param type determines type of action to be taken
- @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
- @param G if type=0 a point in G1, else an octet to be mapped to G1
- @param W the output =x.G or x.M(G), where M(.) is a mapping
- @return 0 or an error code
- */
-int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
-/** @brief Find a random multiple of a point in G1
- *
- @param R is a pointer to a cryptographically secure random number generator
- @param type determines type of action to betaken
- @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input
- @param G a point in G2
- @param W the output =x.G or (1/x).G
- @return 0 or an error code
- */
-int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W);
-
-/** @brief Create a client secret in G1 from a master secret and the client ID
- *
- @param S is an input master secret
- @param ID is the input client identity
- @param CS is the full client secret = s.H(ID)
- @return 0 or an error code
- */
-int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS);
-/** @brief Create a Time Permit in G1 from a master secret and the client ID
- *
- @param h is the hash type
- @param d is input date, in days since the epoch.
- @param S is an input master secret
- @param ID is the input client identity
- @param TP is a Time Permit for the given date = s.H(d|H(ID))
- @return 0 or an error code
- */
-int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP);
-/** @brief Create a server secret in G2 from a master secret
- *
- @param S is an input master secret
- @param SS is the server secret = s.Q where Q is a fixed generator of G2
- @return 0 or an error code
- */
-int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS);
-/* int MPIN_TEST_PAIRING(octet *,octet *); */
-
-/* For M-Pin Full */
-/** @brief Precompute values for use by the client side of M-Pin Full
- *
- @param T is the input M-Pin token (the client secret with PIN portion removed)
- @param ID is the input client identity
- @param CP is Public Key (or NULL)
- @param g1 precomputed output
- @param g2 precomputed output
- @return 0 or an error code
- */
-int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2);
-/** @brief Calculate Key on Server side for M-Pin Full
- *
- Uses UT internally for the key calculation, unless not available in which case U is used
- @param h is the hash type
- @param Z is the input Client-side Diffie-Hellman component
- @param SS is the input server secret
- @param w is an input random number generated by the server
- @param p is an input, hash of the protocol transcript
- @param I is the hashed input client ID = H(ID)
- @param U is input from the client = x.H(ID)
- @param UT is input from the client= x.(H(ID)+H(d|H(ID)))
- @param K is the output calculated shared key
- @return 0 or an error code
- */
-int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K);
-/** @brief Calculate Key on Client side for M-Pin Full
- *
- @param h is the hash type
- @param g1 precomputed input
- @param g2 precomputed input
- @param pin is the input PIN number
- @param r is an input, a locally generated random number
- @param x is an input, a 
locally generated random number
- @param p is an input, hash of the protocol transcript
- @param T is the input Server-side Diffie-Hellman component
- @param K is the output calculated shared key
- @return 0 or an error code
- */
-int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K);
-
-/** @brief Generates a random public key for the client z.Q
- *
- @param R is a pointer to a cryptographically secure random number generator
- @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input
- @param Pa the output public key for the client
- */
-int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa);
-
-#endif
-
