http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/mpin192.c ---------------------------------------------------------------------- diff --git a/version3/c/mpin192.c b/version3/c/mpin192.c deleted file mode 100644 index e1f3bce..0000000 --- a/version3/c/mpin192.c +++ /dev/null @@ -1,975 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* MPIN Functions */ - -/* Version 3.0 - supports Time Permits */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include "mpin192_ZZZ.h" - -#define ROUNDUP(a,b) ((a)-1)/(b)+1 - -/* Special mpin hashing */ -static void mpin_hash(int sha,FP8_YYY *f, ECP_ZZZ *P,octet *w) -{ - int i; - BIG_XXX x,y; - char h[64]; - hash256 sha256; - hash512 sha512; - char t[10*MODBYTES_XXX]; // to hold 10 BIGs - int hlen=sha; - - - FP_YYY_redc(x,&(f->a.a.a)); - BIG_XXX_toBytes(&t[0],x); - FP_YYY_redc(x,&(f->a.a.b)); - BIG_XXX_toBytes(&t[MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->a.b.a)); - BIG_XXX_toBytes(&t[2*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->a.b.b)); - BIG_XXX_toBytes(&t[3*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->b.a.a)); - BIG_XXX_toBytes(&t[4*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.a.b)); - BIG_XXX_toBytes(&t[5*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.b.a)); - BIG_XXX_toBytes(&t[6*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.b.b)); - BIG_XXX_toBytes(&t[7*MODBYTES_XXX],x); - - ECP_ZZZ_get(x,y,P); - BIG_XXX_toBytes(&t[8*MODBYTES_XXX],x); - BIG_XXX_toBytes(&t[9*MODBYTES_XXX],y); - - OCT_empty(w); - switch (sha) - { - case SHA256: - HASH256_init(&sha256); - for (i=0; i<10*MODBYTES_XXX; i++) HASH256_process(&sha256,t[i]); - HASH256_hash(&sha256,h); - break; - case SHA384: - HASH384_init(&sha512); - for (i=0; i<10*MODBYTES_XXX; i++) HASH384_process(&sha512,t[i]); - HASH384_hash(&sha512,h); - break; - case SHA512: - HASH512_init(&sha512); - for (i=0; i<10*MODBYTES_XXX; i++) HASH512_process(&sha512,t[i]); - HASH512_hash(&sha512,h); - break; - } - - OCT_jbytes(w,h,AESKEY_ZZZ); - for (i=0; i<hlen; i++) h[i]=0; -} - -/* these next two functions help to implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* maps a random u to a point on the curve */ -static void map(ECP_ZZZ *P,BIG_XXX u,int cb) -{ - BIG_XXX x,q; - - BIG_XXX_rcopy(q,Modulus_YYY); - BIG_XXX_copy(x,u); - BIG_XXX_mod(x,q); - - while (!ECP_ZZZ_setx(P,x,cb)) - { - BIG_XXX_inc(x,1); BIG_XXX_norm(x); - } -} - -/* returns u derived from P. Random value in range 1 to return value should then be added to u */ -static int unmap(BIG_XXX u,int *cb,ECP_ZZZ *P) -{ - int s,r=0; - BIG_XXX x; - - s=ECP_ZZZ_get(x,x,P); - BIG_XXX_copy(u,x); - do - { - BIG_XXX_dec(u,1); BIG_XXX_norm(u); - r++; - } - while (!ECP_ZZZ_setx(P,u,s)); - ECP_ZZZ_setx(P,x,s); - - *cb=s; - - return r; -} - -/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */ -/* Note that u and v are indistinguisible from random strings */ -int MPIN_ZZZ_ENCODING(csprng *RNG,octet *E) -{ - int rn,m,su,sv,res=0; - - BIG_XXX q,u,v; - ECP_ZZZ P,W; - - if (!ECP_ZZZ_fromOctet(&P,E)) res=MPIN_INVALID_POINT; - if (res==0) - { - BIG_XXX_rcopy(q,Modulus_YYY); - - BIG_XXX_randomnum(u,q,RNG); - - su=RAND_byte(RNG); - if (su<0) su=-su; - su%=2; - map(&W,u,su); - ECP_ZZZ_sub(&P,&W); //ECP_ZZZ_affine(&P); - - rn=unmap(v,&sv,&P); - m=RAND_byte(RNG); - if (m<0) m=-m; - m%=rn; - BIG_XXX_inc(v,m+1); - E->val[0]=su+2*sv; - BIG_XXX_toBytes(&(E->val[1]),u); - BIG_XXX_toBytes(&(E->val[PFS_ZZZ+1]),v); - } - return res; -} - -int MPIN_ZZZ_DECODING(octet *D) -{ - int su,sv; - BIG_XXX u,v; - ECP_ZZZ P,W; - int res=0; - - if ((D->val[0]&0x04)!=0) res=MPIN_INVALID_POINT; - if (res==0) - { - - BIG_XXX_fromBytes(u,&(D->val[1])); - BIG_XXX_fromBytes(v,&(D->val[PFS_ZZZ+1])); - - su=D->val[0]&1; - sv=(D->val[0]>>1)&1; - map(&W,u,su); - map(&P,v,sv); - ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P); - ECP_ZZZ_toOctet(D,&P,false); - } - - return res; -} - -/* R=R1+R2 in group G1 */ -int MPIN_ZZZ_RECOMBINE_G1(octet *R1,octet *R2,octet *R) -{ - ECP_ZZZ P,T; - int res=0; - if (res==0) - { - if (!ECP_ZZZ_fromOctet(&P,R1)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&T,R2)) res=MPIN_INVALID_POINT; - } - if (res==0) - { - ECP_ZZZ_add(&P,&T); //ECP_ZZZ_affine(&P); - ECP_ZZZ_toOctet(R,&P,false); - } - return res; -} - -/* W=W1+W2 in group G2 */ -int MPIN_ZZZ_RECOMBINE_G2(octet *W1,octet *W2,octet *W) -{ - ECP4_ZZZ Q,T; - int res=0; - if (!ECP4_ZZZ_fromOctet(&Q,W1)) res=MPIN_INVALID_POINT; - if (!ECP4_ZZZ_fromOctet(&T,W2)) res=MPIN_INVALID_POINT; - if (res==0) - { - ECP4_ZZZ_add(&Q,&T); //ECP4_ZZZ_affine(&Q); - ECP4_ZZZ_toOctet(W,&Q); - } - return res; -} - -/* create random secret S */ -int MPIN_ZZZ_RANDOM_GENERATE(csprng *RNG,octet* S) -{ - BIG_XXX r,s; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_randomnum(s,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(s,2*AES_S); -#endif - BIG_XXX_toBytes(S->val,s); - S->len=MODBYTES_XXX; - return 0; -} - -/* Extract PIN from TOKEN for identity CID */ -int MPIN_ZZZ_EXTRACT_PIN(int sha,octet *CID,int pin,octet *TOKEN) -{ - pin%=MAXPIN; - return MPIN_ZZZ_EXTRACT_FACTOR(sha,CID,pin,PBLEN,TOKEN); -} - -/* Extract a factor < 32 bits for identity CID */ -int MPIN_ZZZ_EXTRACT_FACTOR(int sha,octet *CID,int factor,int facbits,octet *TOKEN) -{ - ECP_ZZZ P,R; - int res=0; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - if (!ECP_ZZZ_fromOctet(&P,TOKEN)) res=MPIN_INVALID_POINT; - if (res==0) - { - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&R,&H); - - ECP_ZZZ_pinmul(&R,factor,facbits); - ECP_ZZZ_sub(&P,&R); //ECP_ZZZ_affine(&P); - - ECP_ZZZ_toOctet(TOKEN,&P,false); - } - return res; -} - -/* Extract a factor < 32 bits for identity CID */ -int MPIN_ZZZ_RESTORE_FACTOR(int sha,octet *CID,int factor,int facbits,octet *TOKEN) -{ - ECP_ZZZ P,R; - int res=0; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - if (!ECP_ZZZ_fromOctet(&P,TOKEN)) res=MPIN_INVALID_POINT; - if (res==0) - { - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&R,&H); - - ECP_ZZZ_pinmul(&R,factor,facbits); - ECP_ZZZ_add(&P,&R); //ECP_ZZZ_affine(&P); - - ECP_ZZZ_toOctet(TOKEN,&P,false); - } - return res; -} - -/* Implement step 2 on client side of MPin protocol - SEC=-(x+y)*SEC */ -int MPIN_ZZZ_CLIENT_2(octet *X,octet *Y,octet *SEC) -{ - BIG_XXX px,py,r; - ECP_ZZZ P; - int res=0; - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (!ECP_ZZZ_fromOctet(&P,SEC)) res=MPIN_INVALID_POINT; - if (res==0) - { - BIG_XXX_fromBytes(px,X->val); - BIG_XXX_fromBytes(py,Y->val); - BIG_XXX_add(px,px,py); - BIG_XXX_mod(px,r); - // BIG_XXX_sub(px,r,px); - PAIR_ZZZ_G1mul(&P,px); - ECP_ZZZ_neg(&P); - ECP_ZZZ_toOctet(SEC,&P,false); - } - return res; -} - -/* - W=x*H(G); - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve -*/ - -int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *RNG,int type,octet *X,octet *G,octet *W) -{ - ECP_ZZZ P; - BIG_XXX r,x; - int res=0; - if (RNG!=NULL) - { - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - BIG_XXX_fromBytes(x,X->val); - - if (type==0) - { - if (!ECP_ZZZ_fromOctet(&P,G)) res=MPIN_INVALID_POINT; - } - else - { - ECP_ZZZ_mapit(&P,G); - } - - if (res==0) - { - PAIR_ZZZ_G1mul(&P,x); - ECP_ZZZ_toOctet(W,&P,false); - } - return res; -} - -/* - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - W=x*G where G is point on the curve - if type==1 W=(x^-1)G -*/ - -int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *RNG,int type,octet *X,octet *G,octet *W) -{ - ECP4_ZZZ P; - BIG_XXX r,x; - int res=0; - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (RNG!=NULL) - { - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - { - BIG_XXX_fromBytes(x,X->val); - if (type==1) BIG_XXX_invmodp(x,x,r); - } - - if (!ECP4_ZZZ_fromOctet(&P,G)) res=MPIN_INVALID_POINT; - - if (res==0) - { - PAIR_ZZZ_G2mul(&P,x); - ECP4_ZZZ_toOctet(W,&P); - } - return res; -} - - - -/* Client secret CST=s*H(CID) where CID is client ID and s is master secret */ -/* CID is hashed externally */ -int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *CID,octet *CST) -{ - return MPIN_ZZZ_GET_G1_MULTIPLE(NULL,1,S,CID,CST); -} - -/* Implement step 1 on client side of MPin protocol */ -int MPIN_ZZZ_CLIENT_1(int sha,int date,octet *CLIENT_ID,csprng *RNG,octet *X,int pin,octet *TOKEN,octet *SEC,octet *xID,octet *xCID,octet *PERMIT) -{ - BIG_XXX r,x; - ECP_ZZZ P,T,W; - int res=0; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (RNG!=NULL) - { - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - BIG_XXX_fromBytes(x,X->val); - - mhashit(sha,-1,CLIENT_ID,&H); - - ECP_ZZZ_mapit(&P,&H); - - if (!ECP_ZZZ_fromOctet(&T,TOKEN)) res=MPIN_INVALID_POINT; - - if (res==0) - { - pin%=MAXPIN; - - ECP_ZZZ_copy(&W,&P); // W=H(ID) - ECP_ZZZ_pinmul(&W,pin,PBLEN); // W=alpha.H(ID) - ECP_ZZZ_add(&T,&W); // T=Token+alpha.H(ID) = s.H(ID) - - if (date) - { - if (PERMIT!=NULL) - { - if (!ECP_ZZZ_fromOctet(&W,PERMIT)) res=MPIN_INVALID_POINT; - ECP_ZZZ_add(&T,&W); // SEC=s.H(ID)+s.H(T|ID) - } - mhashit(sha,date,&H,&H); - - ECP_ZZZ_mapit(&W,&H); - if (xID!=NULL) - { - PAIR_ZZZ_G1mul(&P,x); // P=x.H(ID) - ECP_ZZZ_toOctet(xID,&P,false); // xID - PAIR_ZZZ_G1mul(&W,x); // W=x.H(T|ID) - ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P); - } - else - { - ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P); - PAIR_ZZZ_G1mul(&P,x); - } - if (xCID!=NULL) ECP_ZZZ_toOctet(xCID,&P,false); // U - } - else - { - if (xID!=NULL) - { - PAIR_ZZZ_G1mul(&P,x); // P=x.H(ID) - ECP_ZZZ_toOctet(xID,&P,false); // xID - } - } - } - - if (res==0) - { - //ECP_ZZZ_affine(&T); - ECP_ZZZ_toOctet(SEC,&T,false); // V - } - return res; -} - -/* Extract Server Secret SST=S*Q where Q is fixed generator in G2 and S is master secret */ -int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SST) -{ - BIG_XXX r,s; - ECP4_ZZZ Q; - int res=0; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - - ECP4_ZZZ_generator(&Q); - - if (res==0) - { - BIG_XXX_fromBytes(s,S->val); - PAIR_ZZZ_G2mul(&Q,s); - ECP4_ZZZ_toOctet(SST,&Q); - } - - return res; -} - - -/* Time Permit CTT=s*H(date|H(CID)) where s is master secret */ -int MPIN_ZZZ_GET_CLIENT_PERMIT(int sha,int date,octet *S,octet *CID,octet *CTT) -{ - BIG_XXX s; - ECP_ZZZ P; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - mhashit(sha,date,CID,&H); - - ECP_ZZZ_mapit(&P,&H); - -//printf("P= "); ECP_ZZZ_output(&P); printf("\n"); -//exit(0); - - BIG_XXX_fromBytes(s,S->val); - - - -//printf("s= "); BIG_XXX_output(s); printf("\n"); - PAIR_ZZZ_G1mul(&P,s); -//printf("OP= "); ECP_ZZZ_output(&P); printf("\n"); -// - ECP_ZZZ_toOctet(CTT,&P,false); - return 0; -} - -// if date=0 only use HID, set HCID=NULL -// if date and PE, use HID and HCID - -/* Outputs H(CID) and H(CID)+H(T|H(CID)) for time permits. If no time permits set HTID=NULL */ -void MPIN_ZZZ_SERVER_1(int sha,int date,octet *CID,octet *HID,octet *HTID) -{ - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - ECP_ZZZ P,R; - BIG_XXX x; - -#ifdef USE_ANONYMOUS - ECP_ZZZ_mapit(&P,CID); -#else - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&P,&H); -#endif - - ECP_ZZZ_toOctet(HID,&P,false); // new - - if (date) - { - // if (HID!=NULL) ECP_ZZZ_toOctet(HID,&P,false); -#ifdef USE_ANONYMOUS - mhashit(sha,date,CID,&H); -#else - mhashit(sha,date,&H,&H); -#endif - ECP_ZZZ_mapit(&R,&H); - ECP_ZZZ_add(&P,&R); //ECP_ZZZ_affine(&P); - ECP_ZZZ_toOctet(HTID,&P,false); - } - //else ECP_ZZZ_toOctet(HID,&P,false); - -} - -/* Implement M-Pin on server side */ -int MPIN_ZZZ_SERVER_2(int date,octet *HID,octet *HTID,octet *Y,octet *SST,octet *xID,octet *xCID,octet *mSEC,octet *E,octet *F,octet *Pa) -{ - BIG_XXX px,py,y; - FP24_YYY g; - ECP4_ZZZ Q,sQ; - ECP_ZZZ P,R; - int res=0; - - ECP4_ZZZ_generator(&Q); - - // key-escrow less scheme: use Pa instead of Q in pairing computation - // Q left for backward compatiblity - if (Pa!=NULL) - { - if (!ECP4_ZZZ_fromOctet(&Q, Pa)) res=MPIN_INVALID_POINT; - } - - - if (res==0) - { - if (!ECP4_ZZZ_fromOctet(&sQ,SST)) res=MPIN_INVALID_POINT; - } - - if (res==0) - { - if (date) - { - //BIG_XXX_fromBytes(px,&(xCID->val[1])); - //BIG_XXX_fromBytes(py,&(xCID->val[PFS_ZZZ+1])); - if (!ECP_ZZZ_fromOctet(&R,xCID)) res=MPIN_INVALID_POINT; - } - else - { - //BIG_XXX_fromBytes(px,&(xID->val[1])); - //BIG_XXX_fromBytes(py,&(xID->val[PFS_ZZZ+1])); - if (!ECP_ZZZ_fromOctet(&R,xID)) res=MPIN_INVALID_POINT; - } - //if (!ECP_ZZZ_set(&R,px,py)) res=MPIN_INVALID_POINT; // x(A+AT) - } - if (res==0) - { - BIG_XXX_fromBytes(y,Y->val); - if (date) - { - if (!ECP_ZZZ_fromOctet(&P,HTID)) res=MPIN_INVALID_POINT; - } - else - { - if (!ECP_ZZZ_fromOctet(&P,HID)) res=MPIN_INVALID_POINT; - } - } - if (res==0) - { - PAIR_ZZZ_G1mul(&P,y); // y(A+AT) - ECP_ZZZ_add(&P,&R); // x(A+AT)+y(A+T) - //ECP_ZZZ_affine(&P); - if (!ECP_ZZZ_fromOctet(&R,mSEC)) res=MPIN_INVALID_POINT; // V - } - if (res==0) - { - - PAIR_ZZZ_double_ate(&g,&Q,&R,&sQ,&P); - PAIR_ZZZ_fexp(&g); - - if (!FP24_YYY_isunity(&g)) - { - if (HID!=NULL && xID!=NULL && E!=NULL && F !=NULL) - { - /* xID is set to NULL if there is no way to calculate PIN error */ - FP24_YYY_toOctet(E,&g); - - /* Note error is in the PIN, not in the time permit! Hence the need to exclude Time Permit from this check */ - - if (date) - { - if (!ECP_ZZZ_fromOctet(&P,HID)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&R,xID)) res=MPIN_INVALID_POINT; // U - - if (res==0) - { - PAIR_ZZZ_G1mul(&P,y); // yA - ECP_ZZZ_add(&P,&R); // yA+xA - //ECP_ZZZ_affine(&P); - } - } - if (res==0) - { - PAIR_ZZZ_ate(&g,&Q,&P); - PAIR_ZZZ_fexp(&g); - FP24_YYY_toOctet(F,&g); - } - } - res=MPIN_BAD_PIN; - } - } - - return res; -} - -#if MAXPIN==10000 -#define MR_TS 10 /* 2^10/10 approx = sqrt(MAXPIN) */ -#define TRAP 200 /* 2*sqrt(MAXPIN) */ -#endif - -#if MAXPIN==1000000 -#define MR_TS 14 -#define TRAP 2000 -#endif - -/* Pollards kangaroos used to return PIN error */ -int MPIN_ZZZ_KANGAROO(octet *E,octet *F) -{ - int i,j,m,s,dn,dm,steps; - int distance[MR_TS]; - FP24_YYY ge,gf,t,table[MR_TS]; - int res=0; - // BIG_XXX w; - - FP24_YYY_fromOctet(&ge,E); - FP24_YYY_fromOctet(&gf,F); - - FP24_YYY_copy(&t,&gf); - - for (s=1,m=0; m<MR_TS; m++) - { - distance[m]=s; - FP24_YYY_copy(&table[m],&t); - s*=2; - FP24_YYY_usqr(&t,&t); - FP24_YYY_reduce(&t); - } - - FP24_YYY_one(&t); - - for (dn=0,j=0; j<TRAP; j++) - { - - //BIG_XXX_copy(w,t.a.a.a); - //FP_YYY_redc(w); - //i=BIG_XXX_lastbits(w,20)%MR_TS; - - i=t.a.a.a.a.g[0]%MR_TS; - - FP24_YYY_mul(&t,&table[i]); - FP24_YYY_reduce(&t); - dn+=distance[i]; - } - - FP24_YYY_conj(&gf,&t); - steps=0; - dm=0; - while (dm-dn<MAXPIN) - { - steps++; - if (steps>4*TRAP) break; - - //BIG_XXX_copy(w,ge.a.a.a); - //FP_YYY_redc(w); - //i=BIG_XXX_lastbits(w,20)%MR_TS; - - i=ge.a.a.a.a.g[0]%MR_TS; - - FP24_YYY_mul(&ge,&table[i]); - FP24_YYY_reduce(&ge); - dm+=distance[i]; - if (FP24_YYY_equals(&ge,&t)) - { - res=dm-dn; - break; - } - if (FP24_YYY_equals(&ge,&gf)) - { - res=dn-dm; - break; - } - } - if (steps>4*TRAP || dm-dn>=MAXPIN) - { - res=0; /* Trap Failed - probable invalid token */ - } - - return res; -} - -/* Functions to support M-Pin Full */ - -int MPIN_ZZZ_PRECOMPUTE(octet *TOKEN,octet *CID,octet *CP,octet *G1,octet *G2) -{ - ECP_ZZZ P,T; - ECP4_ZZZ Q; - FP24_YYY g; - BIG_XXX x; - int res=0; - - if (!ECP_ZZZ_fromOctet(&T,TOKEN)) res=MPIN_INVALID_POINT; - - if (res==0) - { - ECP_ZZZ_mapit(&P,CID); - if (CP!=NULL) - { - if (!ECP4_ZZZ_fromOctet(&Q,CP)) res=MPIN_INVALID_POINT; - } - else - { - ECP4_ZZZ_generator(&Q); - } - } - if (res==0) - { - PAIR_ZZZ_ate(&g,&Q,&T); - PAIR_ZZZ_fexp(&g); - - FP24_YYY_toOctet(G1,&g); - if (G2!=NULL) - { - PAIR_ZZZ_ate(&g,&Q,&P); - PAIR_ZZZ_fexp(&g); - FP24_YYY_toOctet(G2,&g); - } - } - return res; -} - -/* calculate common key on client side */ -/* wCID = w.(A+AT) */ -int MPIN_ZZZ_CLIENT_KEY(int sha,octet *G1,octet *G2,int pin,octet *R,octet *X,octet *H,octet *wCID,octet *CK) -{ - FP24_YYY g1,g2; - FP8_YYY c;//,cp,cpm1,cpm2; - - ECP_ZZZ W; - int res=0; - BIG_XXX r,z,x,h;//q,m,a,b; - - FP24_YYY_fromOctet(&g1,G1); - FP24_YYY_fromOctet(&g2,G2); - BIG_XXX_fromBytes(z,R->val); - BIG_XXX_fromBytes(x,X->val); - BIG_XXX_fromBytes(h,H->val); - - if (!ECP_ZZZ_fromOctet(&W,wCID)) res=MPIN_INVALID_POINT; - - if (res==0) - { - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_add(z,z,h); // new - BIG_XXX_mod(z,r); - - FP24_YYY_pinpow(&g2,pin,PBLEN); - FP24_YYY_mul(&g1,&g2); - - PAIR_ZZZ_G1mul(&W,x); - - FP24_YYY_compow(&c,&g1,z,r); - mpin_hash(sha,&c,&W,CK); - - } - return res; -} - -/* calculate common key on server side */ -/* Z=r.A - no time permits involved */ - -int MPIN_ZZZ_SERVER_KEY(int sha,octet *Z,octet *SST,octet *W,octet *H,octet *HID,octet *xID,octet *xCID,octet *SK) -{ - int res=0; - FP24_YYY g; - FP8_YYY c; - ECP_ZZZ R,U,A; - ECP4_ZZZ sQ; - BIG_XXX w,h; - - if (!ECP4_ZZZ_fromOctet(&sQ,SST)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&R,Z)) res=MPIN_INVALID_POINT; - - - if (!ECP_ZZZ_fromOctet(&A,HID)) res=MPIN_INVALID_POINT; - - // new - if (xCID!=NULL) - { - if (!ECP_ZZZ_fromOctet(&U,xCID)) res=MPIN_INVALID_POINT; - } - else - { - if (!ECP_ZZZ_fromOctet(&U,xID)) res=MPIN_INVALID_POINT; - } - BIG_XXX_fromBytes(w,W->val); - BIG_XXX_fromBytes(h,H->val); - - - PAIR_ZZZ_ate(&g,&sQ,&A); - PAIR_ZZZ_fexp(&g); - - if (res==0) - { - PAIR_ZZZ_G1mul(&A,h); - ECP_ZZZ_add(&R,&A); // new - //ECP_ZZZ_affine(&R); - PAIR_ZZZ_ate(&g,&sQ,&R); - PAIR_ZZZ_fexp(&g); - PAIR_ZZZ_G1mul(&U,w); - FP24_YYY_trace(&c,&g); - mpin_hash(sha,&c,&U,SK); - } - return res; -} - -/* Generate Y = H(TimeValue, xCID/xID) */ -void MPIN_ZZZ_GET_Y(int sha,int TimeValue,octet *xCID,octet *Y) -{ - BIG_XXX q,y; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - mhashit(sha,TimeValue,xCID,&H); - BIG_XXX_fromBytes(y,H.val); - BIG_XXX_rcopy(q,CURVE_Order_ZZZ); - BIG_XXX_mod(y,q); - BIG_XXX_toBytes(Y->val,y); - Y->len=PGS_ZZZ; -} - -/* One pass MPIN Client */ -int MPIN_ZZZ_CLIENT(int sha,int date,octet *ID,csprng *RNG,octet *X,int pin,octet *TOKEN,octet *V,octet *U,octet *UT,octet *TP,octet *MESSAGE,int TimeValue,octet *Y) -{ - int rtn=0; - char m[M_SIZE_ZZZ]; - octet M= {0,sizeof(m),m}; - - octet *pID; - if (date == 0) - pID = U; - else - pID = UT; - - rtn = MPIN_ZZZ_CLIENT_1(sha,date,ID,RNG,X,pin,TOKEN,V,U,UT,TP); - if (rtn != 0) - return rtn; - - OCT_joctet(&M,pID); - if (MESSAGE!=NULL) - { - OCT_joctet(&M,MESSAGE); - } - - MPIN_ZZZ_GET_Y(sha,TimeValue,&M,Y); - - rtn = MPIN_ZZZ_CLIENT_2(X,Y,V); - if (rtn != 0) - return rtn; - - return 0; -} - -/* One pass MPIN Server */ -int MPIN_ZZZ_SERVER(int sha,int date,octet *HID,octet *HTID,octet *Y,octet *sQ,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE,int TimeValue, octet *Pa) -{ - int rtn=0; - char m[M_SIZE_ZZZ]; - octet M= {0,sizeof(m),m}; - - octet *pU; - if (date == 0) - pU = U; - else - pU = UT; - - MPIN_ZZZ_SERVER_1(sha,date,ID,HID,HTID); - - OCT_joctet(&M,pU); - if (MESSAGE!=NULL) - { - OCT_joctet(&M,MESSAGE); - } - - MPIN_ZZZ_GET_Y(sha,TimeValue,&M,Y); - - rtn = MPIN_ZZZ_SERVER_2(date,HID,HTID,Y,sQ,U,UT,V,E,F,Pa); - if (rtn != 0) - return rtn; - - return 0; -} - -int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa) -{ - BIG_XXX z,r; - ECP4_ZZZ Q; - int res=0; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - - if (R!=NULL) - { - BIG_XXX_randomnum(z,r,R); - Z->len=MODBYTES_XXX; - BIG_XXX_toBytes(Z->val,z); - } - else - BIG_XXX_fromBytes(z,Z->val); - - BIG_XXX_invmodp(z,z,r); - - ECP4_ZZZ_generator(&Q); - - if (res==0) - { - PAIR_ZZZ_G2mul(&Q,z); - ECP4_ZZZ_toOctet(Pa,&Q); - } - - return res; -} \ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/mpin192.h ---------------------------------------------------------------------- diff --git a/version3/c/mpin192.h b/version3/c/mpin192.h deleted file mode 100644 index 79f562c..0000000 --- a/version3/c/mpin192.h +++ /dev/null @@ -1,339 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/** - * @file mpin.h - * @author Mike Scott and Kealan McCusker - * @date 2nd June 2015 - * @brief M-Pin Header file - * - * Allows some user configuration - * defines structures - * declares functions - * - */ - -#ifndef MPIN_ZZZ_H -#define MPIN_ZZZ_H - -#include "pair192_ZZZ.h" -#include "pbc_support.h" - -/* Field size is assumed to be greater than or equal to group size */ - -#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */ -#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */ - -#define MPIN_OK 0 /**< Function completed without error */ -#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */ -#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */ - -#define MAXPIN 10000 /**< max PIN */ -#define PBLEN 14 /**< max length of PIN in bits */ - -//#define PAS_ZZZ 24 /**< MPIN Symmetric Key Size 192 bits */ -//#define HASH_TYPE_MPIN_ZZZ SHA384 /**< Choose Hash function */ - -#define MESSAGE_SIZE 256 /**< Signature message size */ -#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */ - - -/* MPIN support functions */ - -/* MPIN primitives */ - - -void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y); -/** @brief Extract a PIN number from a client secret - * - @param h is the hash type - @param ID is the input client identity - @param factor is an input factor - @param facbits is the number of bits in the factor - @param CS is the client secret from which the factor is to be extracted - @return 0 or an error code - */ -int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); - -/** @brief Extract a PIN number from a client secret - * - @param h is the hash type - @param ID is the input client identity - @param factor is an input factor - @param facbits is the number of bits in the factor - @param CS is the client secret to which the factor is to be added - @return 0 or an error code - */ -int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); - - -/** @brief Extract a PIN number from a client secret - * - @param h is the hash type - @param ID is the input client identity - @param pin is an input PIN number - @param CS is the client secret from which the PIN is to be extracted - @return 0 or an error code - */ -int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS); - -/** @brief Perform client side of the one-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input client identity - @param R is a pointer to a cryptographically secure random number generator - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param pin is the input PIN number - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit - @param U is output = x.H(ID) - @param UT is output = x.(H(ID)+H(d|H(ID))) - @param TP is the input time permit - @param MESSAGE is the message to be signed - @param t is input epoch time in seconds - a timestamp - @param y is output H(t|U) or H(t|UT) if Time Permits enabled - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y); -/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input client identity - @param R is a pointer to a cryptographically secure random number generator - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param pin is the input PIN number - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit - @param U is output = x.H(ID) - @param UT is output = x.(H(ID)+H(d|H(ID))) - @param TP is the input time permit - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP); -/** @brief Generate a random group element - * - @param R is a pointer to a cryptographically secure random number generator - @param S is the output random octet - @return 0 or an error code - */ -int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S); -/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol - * - @param x an input, a locally generated random number - @param y an input random challenge from the server - @param V on output = -(x+y).V - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V); -/** @brief Perform server side of the one-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param HID is output H(ID), a hash of the client ID - @param HTID is output H(ID)+H(d|H(ID)) - @param y is output H(t|U) or H(t|UT) if Time Permits enabled - @param SS is the input server secret - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param V is an input from the client - @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param ID is the input claimed client identity - @param MESSAGE is the message to be signed - @param t is input epoch time in seconds - a timestamp - @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa); -/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol - * - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input claimed client identity - @param HID is output H(ID), a hash of the client ID - @param HTID is output H(ID)+H(d|H(ID)) - @return 0 or an error code - */ -void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID); -/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param HID is input H(ID), a hash of the client ID - @param HTID is input H(ID)+H(d|H(ID)) - @param y is the input server's randomly generated challenge - @param SS is the input server secret - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param V is an input from the client - @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa); -/** @brief Add two members from the group G1 - * - @param Q1 an input member of G1 - @param Q2 an input member of G1 - @param Q an output member of G1 = Q1+Q2 - @return 0 or an error code - */ -int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q); -/** @brief Add two members from the group G2 - * - @param P1 an input member of G2 - @param P2 an input member of G2 - @param P an output member of G2 = P1+P2 - @return 0 or an error code - */ -int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P); -/** @brief Use Kangaroos to find PIN error - * - @param E a member of the group GT - @param F a member of the group GT = E^e - @return 0 if Kangaroos failed, or the PIN error e - */ -int MPIN_ZZZ_KANGAROO(octet *E,octet *F); -/** @brief Encoding of a Time Permit to make it indistinguishable from a random string - * - @param R is a pointer to a cryptographically secure random number generator - @param TP is the input time permit, obfuscated on output - @return 0 or an error code - */ -int MPIN_ZZZ_ENCODING(csprng *R,octet *TP); -/** @brief Encoding of an obfuscated Time Permit - * - @param TP is the input obfuscated time permit, restored on output - @return 0 or an error code - */ -int MPIN_ZZZ_DECODING(octet *TP); - -/** @brief Find a random multiple of a point in G1 - * - @param R is a pointer to a cryptographically secure random number generator - @param type determines type of action to be taken - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param G if type=0 a point in G1, else an octet to be mapped to G1 - @param W the output =x.G or x.M(G), where M(.) is a mapping - @return 0 or an error code - */ -int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); -/** @brief Find a random multiple of a point in G1 - * - @param R is a pointer to a cryptographically secure random number generator - @param type determines type of action to betaken - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param G a point in G2 - @param W the output =x.G or (1/x).G - @return 0 or an error code - */ -int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); - -/** @brief Create a client secret in G1 from a master secret and the client ID - * - @param S is an input master secret - @param ID is the input client identity - @param CS is the full client secret = s.H(ID) - @return 0 or an error code - */ -int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS); -/** @brief Create a Time Permit in G1 from a master secret and the client ID - * - @param h is the hash type - @param d is input date, in days since the epoch. - @param S is an input master secret - @param ID is the input client identity - @param TP is a Time Permit for the given date = s.H(d|H(ID)) - @return 0 or an error code - */ -int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP); -/** @brief Create a server secret in G2 from a master secret - * - @param S is an input master secret - @param SS is the server secret = s.Q where Q is a fixed generator of G2 - @return 0 or an error code - */ -int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS); -/* int MPIN_TEST_PAIRING(octet *,octet *); */ - -/* For M-Pin Full */ -/** @brief Precompute values for use by the client side of M-Pin Full - * - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param ID is the input client identity - @param CP is Public Key (or NULL) - @param g1 precomputed output - @param g2 precomputed output - @return 0 or an error code - */ -int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2); -/** @brief Calculate Key on Server side for M-Pin Full - * - Uses UT internally for the key calculation, unless not available in which case U is used - @param h is the hash type - @param Z is the input Client-side Diffie-Hellman component - @param SS is the input server secret - @param w is an input random number generated by the server - @param p is an input, hash of the protocol transcript - @param I is the hashed input client ID = H(ID) - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param K is the output calculated shared key - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K); -/** @brief Calculate Key on Client side for M-Pin Full - * - @param h is the hash type - @param g1 precomputed input - @param g2 precomputed input - @param pin is the input PIN number - @param r is an input, a locally generated random number - @param x is an input, a locally generated random number - @param p is an input, hash of the protocol transcript - @param T is the input Server-side Diffie-Hellman component - @param K is the output calculated shared key - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K); - -/** @brief Generates a random public key for the client z.Q - * - @param R is a pointer to a cryptographically secure random number generator - @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input - @param Pa the output public key for the client - */ -int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa); - -#endif - http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/mpin256.c ---------------------------------------------------------------------- diff --git a/version3/c/mpin256.c b/version3/c/mpin256.c deleted file mode 100644 index 47c88d3..0000000 --- a/version3/c/mpin256.c +++ /dev/null @@ -1,998 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/* MPIN Functions */ - -/* Version 3.0 - supports Time Permits */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include "mpin256_ZZZ.h" - - -#define ROUNDUP(a,b) ((a)-1)/(b)+1 - - -/* Special mpin hashing */ -static void mpin_hash(int sha,FP16_YYY *f, ECP_ZZZ *P,octet *w) -{ - int i; - BIG_XXX x,y; - char h[64]; - hash256 sha256; - hash512 sha512; - char t[18*MODBYTES_XXX]; // to hold 10 BIGs - int hlen=sha; - - FP_YYY_redc(x,&(f->a.a.a.a)); - BIG_XXX_toBytes(&t[0],x); - FP_YYY_redc(x,&(f->a.a.a.b)); - BIG_XXX_toBytes(&t[MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->a.a.b.a)); - BIG_XXX_toBytes(&t[2*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->a.a.b.b)); - BIG_XXX_toBytes(&t[3*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->a.b.a.a)); - BIG_XXX_toBytes(&t[4*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->a.b.a.b)); - BIG_XXX_toBytes(&t[5*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->a.b.b.a)); - BIG_XXX_toBytes(&t[6*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->a.b.b.b)); - BIG_XXX_toBytes(&t[7*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->b.a.a.a)); - BIG_XXX_toBytes(&t[8*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.a.a.b)); - BIG_XXX_toBytes(&t[9*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->b.a.b.a)); - BIG_XXX_toBytes(&t[10*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.a.b.b)); - BIG_XXX_toBytes(&t[11*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->b.b.a.a)); - BIG_XXX_toBytes(&t[12*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.b.a.b)); - BIG_XXX_toBytes(&t[13*MODBYTES_XXX],x); - - FP_YYY_redc(x,&(f->b.b.b.a)); - BIG_XXX_toBytes(&t[14*MODBYTES_XXX],x); - FP_YYY_redc(x,&(f->b.b.b.b)); - BIG_XXX_toBytes(&t[15*MODBYTES_XXX],x); - - ECP_ZZZ_get(x,y,P); - BIG_XXX_toBytes(&t[16*MODBYTES_XXX],x); - BIG_XXX_toBytes(&t[17*MODBYTES_XXX],y); - - OCT_empty(w); - switch (sha) - { - case SHA256: - HASH256_init(&sha256); - for (i=0; i<18*MODBYTES_XXX; i++) HASH256_process(&sha256,t[i]); - HASH256_hash(&sha256,h); - break; - case SHA384: - HASH384_init(&sha512); - for (i=0; i<18*MODBYTES_XXX; i++) HASH384_process(&sha512,t[i]); - HASH384_hash(&sha512,h); - break; - case SHA512: - HASH512_init(&sha512); - for (i=0; i<18*MODBYTES_XXX; i++) HASH512_process(&sha512,t[i]); - HASH512_hash(&sha512,h); - break; - } - - OCT_jbytes(w,h,AESKEY_ZZZ); - for (i=0; i<hlen; i++) h[i]=0; -} - -/* these next two functions help to implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* maps a random u to a point on the curve */ -static void map(ECP_ZZZ *P,BIG_XXX u,int cb) -{ - BIG_XXX x,q; - - BIG_XXX_rcopy(q,Modulus_YYY); - BIG_XXX_copy(x,u); - BIG_XXX_mod(x,q); - - while (!ECP_ZZZ_setx(P,x,cb)) - { - BIG_XXX_inc(x,1); BIG_XXX_norm(x); - } -} - -/* returns u derived from P. Random value in range 1 to return value should then be added to u */ -static int unmap(BIG_XXX u,int *cb,ECP_ZZZ *P) -{ - int s,r=0; - BIG_XXX x; - - s=ECP_ZZZ_get(x,x,P); - BIG_XXX_copy(u,x); - do - { - BIG_XXX_dec(u,1); BIG_XXX_norm(u); - r++; - } - while (!ECP_ZZZ_setx(P,u,s)); - ECP_ZZZ_setx(P,x,s); - - *cb=s; - - return r; -} - -/* these next two functions implement elligator squared - http://eprint.iacr.org/2014/043 */ -/* Elliptic curve point E in format (0x04,x,y} is converted to form {0x0-,u,v} */ -/* Note that u and v are indistinguisible from random strings */ -int MPIN_ZZZ_ENCODING(csprng *RNG,octet *E) -{ - int rn,m,su,sv,res=0; - - BIG_XXX q,u,v; - ECP_ZZZ P,W; - - if (!ECP_ZZZ_fromOctet(&P,E)) res=MPIN_INVALID_POINT; - if (res==0) - { - BIG_XXX_rcopy(q,Modulus_YYY); - - BIG_XXX_randomnum(u,q,RNG); - - su=RAND_byte(RNG); - if (su<0) su=-su; - su%=2; - map(&W,u,su); - ECP_ZZZ_sub(&P,&W); //ECP_ZZZ_affine(&P); - - rn=unmap(v,&sv,&P); - m=RAND_byte(RNG); - if (m<0) m=-m; - m%=rn; - BIG_XXX_inc(v,m+1); - E->val[0]=su+2*sv; - BIG_XXX_toBytes(&(E->val[1]),u); - BIG_XXX_toBytes(&(E->val[PFS_ZZZ+1]),v); - } - return res; -} - -int MPIN_ZZZ_DECODING(octet *D) -{ - int su,sv; - BIG_XXX u,v; - ECP_ZZZ P,W; - int res=0; - - if ((D->val[0]&0x04)!=0) res=MPIN_INVALID_POINT; - if (res==0) - { - - BIG_XXX_fromBytes(u,&(D->val[1])); - BIG_XXX_fromBytes(v,&(D->val[PFS_ZZZ+1])); - - su=D->val[0]&1; - sv=(D->val[0]>>1)&1; - map(&W,u,su); - map(&P,v,sv); - ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P); - ECP_ZZZ_toOctet(D,&P,false); - } - - return res; -} - -/* R=R1+R2 in group G1 */ -int MPIN_ZZZ_RECOMBINE_G1(octet *R1,octet *R2,octet *R) -{ - ECP_ZZZ P,T; - int res=0; - if (res==0) - { - if (!ECP_ZZZ_fromOctet(&P,R1)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&T,R2)) res=MPIN_INVALID_POINT; - } - if (res==0) - { - ECP_ZZZ_add(&P,&T); //ECP_ZZZ_affine(&P); - ECP_ZZZ_toOctet(R,&P,false); - } - return res; -} - -/* W=W1+W2 in group G2 */ -int MPIN_ZZZ_RECOMBINE_G2(octet *W1,octet *W2,octet *W) -{ - ECP8_ZZZ Q,T; - int res=0; - if (!ECP8_ZZZ_fromOctet(&Q,W1)) res=MPIN_INVALID_POINT; - if (!ECP8_ZZZ_fromOctet(&T,W2)) res=MPIN_INVALID_POINT; - if (res==0) - { - ECP8_ZZZ_add(&Q,&T); //ECP8_ZZZ_affine(&Q); - ECP8_ZZZ_toOctet(W,&Q); - } - return res; -} - -/* create random secret S */ -int MPIN_ZZZ_RANDOM_GENERATE(csprng *RNG,octet* S) -{ - BIG_XXX r,s; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_randomnum(s,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(s,2*AES_S); -#endif - BIG_XXX_toBytes(S->val,s); - S->len=MODBYTES_XXX; - return 0; -} - -/* Extract PIN from TOKEN for identity CID */ -int MPIN_ZZZ_EXTRACT_PIN(int sha,octet *CID,int pin,octet *TOKEN) -{ - pin%=MAXPIN; - return MPIN_ZZZ_EXTRACT_FACTOR(sha,CID,pin,PBLEN,TOKEN); -} - -/* Extract a factor < 32 bits for identity CID */ -int MPIN_ZZZ_EXTRACT_FACTOR(int sha,octet *CID,int factor,int facbits,octet *TOKEN) -{ - ECP_ZZZ P,R; - int res=0; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - if (!ECP_ZZZ_fromOctet(&P,TOKEN)) res=MPIN_INVALID_POINT; - if (res==0) - { - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&R,&H); - - ECP_ZZZ_pinmul(&R,factor,facbits); - ECP_ZZZ_sub(&P,&R); //ECP_ZZZ_affine(&P); - - ECP_ZZZ_toOctet(TOKEN,&P,false); - } - return res; -} - -/* Extract a factor < 32 bits for identity CID */ -int MPIN_ZZZ_RESTORE_FACTOR(int sha,octet *CID,int factor,int facbits,octet *TOKEN) -{ - ECP_ZZZ P,R; - int res=0; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - if (!ECP_ZZZ_fromOctet(&P,TOKEN)) res=MPIN_INVALID_POINT; - if (res==0) - { - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&R,&H); - - ECP_ZZZ_pinmul(&R,factor,facbits); - ECP_ZZZ_add(&P,&R); //ECP_ZZZ_affine(&P); - - ECP_ZZZ_toOctet(TOKEN,&P,false); - } - return res; -} - -/* Implement step 2 on client side of MPin protocol - SEC=-(x+y)*SEC */ -int MPIN_ZZZ_CLIENT_2(octet *X,octet *Y,octet *SEC) -{ - BIG_XXX px,py,r; - ECP_ZZZ P; - int res=0; - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (!ECP_ZZZ_fromOctet(&P,SEC)) res=MPIN_INVALID_POINT; - if (res==0) - { - BIG_XXX_fromBytes(px,X->val); - BIG_XXX_fromBytes(py,Y->val); - BIG_XXX_add(px,px,py); - BIG_XXX_mod(px,r); - // BIG_XXX_sub(px,r,px); - PAIR_ZZZ_G1mul(&P,px); - ECP_ZZZ_neg(&P); - ECP_ZZZ_toOctet(SEC,&P,false); - } - return res; -} - -/* - W=x*H(G); - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - if type=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve -*/ - -int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *RNG,int type,octet *X,octet *G,octet *W) -{ - ECP_ZZZ P; - BIG_XXX r,x; - int res=0; - if (RNG!=NULL) - { - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - BIG_XXX_fromBytes(x,X->val); - - if (type==0) - { - if (!ECP_ZZZ_fromOctet(&P,G)) res=MPIN_INVALID_POINT; - } - else - { - ECP_ZZZ_mapit(&P,G); - } - - if (res==0) - { - PAIR_ZZZ_G1mul(&P,x); - ECP_ZZZ_toOctet(W,&P,false); - } - return res; -} - -/* - if RNG == NULL then X is passed in - if RNG != NULL the X is passed out - W=x*G where G is point on the curve - if type==1 W=(x^-1)G -*/ - -int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *RNG,int type,octet *X,octet *G,octet *W) -{ - ECP8_ZZZ P; - BIG_XXX r,x; - int res=0; - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (RNG!=NULL) - { - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - { - BIG_XXX_fromBytes(x,X->val); - if (type==1) BIG_XXX_invmodp(x,x,r); - } - - if (!ECP8_ZZZ_fromOctet(&P,G)) res=MPIN_INVALID_POINT; - - if (res==0) - { - PAIR_ZZZ_G2mul(&P,x); - ECP8_ZZZ_toOctet(W,&P); - } - return res; -} - - - -/* Client secret CST=s*H(CID) where CID is client ID and s is master secret */ -/* CID is hashed externally */ -int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *CID,octet *CST) -{ - return MPIN_ZZZ_GET_G1_MULTIPLE(NULL,1,S,CID,CST); -} - -/* Implement step 1 on client side of MPin protocol */ -int MPIN_ZZZ_CLIENT_1(int sha,int date,octet *CLIENT_ID,csprng *RNG,octet *X,int pin,octet *TOKEN,octet *SEC,octet *xID,octet *xCID,octet *PERMIT) -{ - BIG_XXX r,x; - ECP_ZZZ P,T,W; - int res=0; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - if (RNG!=NULL) - { - BIG_XXX_randomnum(x,r,RNG); -#ifdef AES_S - BIG_XXX_mod2m(x,2*AES_S); -#endif - X->len=MODBYTES_XXX; - BIG_XXX_toBytes(X->val,x); - } - else - BIG_XXX_fromBytes(x,X->val); - - mhashit(sha,-1,CLIENT_ID,&H); - - ECP_ZZZ_mapit(&P,&H); - - if (!ECP_ZZZ_fromOctet(&T,TOKEN)) res=MPIN_INVALID_POINT; - - if (res==0) - { - pin%=MAXPIN; - - ECP_ZZZ_copy(&W,&P); // W=H(ID) - ECP_ZZZ_pinmul(&W,pin,PBLEN); // W=alpha.H(ID) - ECP_ZZZ_add(&T,&W); // T=Token+alpha.H(ID) = s.H(ID) - - if (date) - { - if (PERMIT!=NULL) - { - if (!ECP_ZZZ_fromOctet(&W,PERMIT)) res=MPIN_INVALID_POINT; - ECP_ZZZ_add(&T,&W); // SEC=s.H(ID)+s.H(T|ID) - } - mhashit(sha,date,&H,&H); - - ECP_ZZZ_mapit(&W,&H); - if (xID!=NULL) - { - PAIR_ZZZ_G1mul(&P,x); // P=x.H(ID) - ECP_ZZZ_toOctet(xID,&P,false); // xID - PAIR_ZZZ_G1mul(&W,x); // W=x.H(T|ID) - ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P); - } - else - { - ECP_ZZZ_add(&P,&W); //ECP_ZZZ_affine(&P); - PAIR_ZZZ_G1mul(&P,x); - } - if (xCID!=NULL) ECP_ZZZ_toOctet(xCID,&P,false); // U - } - else - { - if (xID!=NULL) - { - PAIR_ZZZ_G1mul(&P,x); // P=x.H(ID) - ECP_ZZZ_toOctet(xID,&P,false); // xID - } - } - } - - if (res==0) - { - //ECP_ZZZ_affine(&T); - ECP_ZZZ_toOctet(SEC,&T,false); // V - } - return res; -} - -/* Extract Server Secret SST=S*Q where Q is fixed generator in G2 and S is master secret */ -int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SST) -{ - BIG_XXX r,s; - ECP8_ZZZ Q; - int res=0; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - - ECP8_ZZZ_generator(&Q); - - if (res==0) - { - BIG_XXX_fromBytes(s,S->val); - PAIR_ZZZ_G2mul(&Q,s); - ECP8_ZZZ_toOctet(SST,&Q); - } - - return res; -} - - -/* Time Permit CTT=s*H(date|H(CID)) where s is master secret */ -int MPIN_ZZZ_GET_CLIENT_PERMIT(int sha,int date,octet *S,octet *CID,octet *CTT) -{ - BIG_XXX s; - ECP_ZZZ P; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - mhashit(sha,date,CID,&H); - - ECP_ZZZ_mapit(&P,&H); - -//printf("P= "); ECP_ZZZ_output(&P); printf("\n"); -//exit(0); - - BIG_XXX_fromBytes(s,S->val); - - - -//printf("s= "); BIG_XXX_output(s); printf("\n"); - PAIR_ZZZ_G1mul(&P,s); -//printf("OP= "); ECP_ZZZ_output(&P); printf("\n"); -// - ECP_ZZZ_toOctet(CTT,&P,false); - return 0; -} - -// if date=0 only use HID, set HCID=NULL -// if date and PE, use HID and HCID - -/* Outputs H(CID) and H(CID)+H(T|H(CID)) for time permits. If no time permits set HTID=NULL */ -void MPIN_ZZZ_SERVER_1(int sha,int date,octet *CID,octet *HID,octet *HTID) -{ - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - ECP_ZZZ P,R; - BIG_XXX x; - -#ifdef USE_ANONYMOUS - ECP_ZZZ_mapit(&P,CID); -#else - mhashit(sha,-1,CID,&H); - ECP_ZZZ_mapit(&P,&H); -#endif - - ECP_ZZZ_toOctet(HID,&P,false); // new - - if (date) - { - // if (HID!=NULL) ECP_ZZZ_toOctet(HID,&P,false); -#ifdef USE_ANONYMOUS - mhashit(sha,date,CID,&H); -#else - mhashit(sha,date,&H,&H); -#endif - ECP_ZZZ_mapit(&R,&H); - ECP_ZZZ_add(&P,&R); //ECP_ZZZ_affine(&P); - ECP_ZZZ_toOctet(HTID,&P,false); - } - //else ECP_ZZZ_toOctet(HID,&P,false); - -} - -/* Implement M-Pin on server side */ -int MPIN_ZZZ_SERVER_2(int date,octet *HID,octet *HTID,octet *Y,octet *SST,octet *xID,octet *xCID,octet *mSEC,octet *E,octet *F,octet *Pa) -{ - BIG_XXX px,py,y; - FP48_YYY g; - ECP8_ZZZ Q,sQ; - ECP_ZZZ P,R; - int res=0; - - ECP8_ZZZ_generator(&Q); - - // key-escrow less scheme: use Pa instead of Q in pairing computation - // Q left for backward compatiblity - if (Pa!=NULL) - { - if (!ECP8_ZZZ_fromOctet(&Q, Pa)) res=MPIN_INVALID_POINT; - } - - - if (res==0) - { - if (!ECP8_ZZZ_fromOctet(&sQ,SST)) res=MPIN_INVALID_POINT; - } - - if (res==0) - { - if (date) - { - //BIG_XXX_fromBytes(px,&(xCID->val[1])); - //BIG_XXX_fromBytes(py,&(xCID->val[PFS_ZZZ+1])); - if (!ECP_ZZZ_fromOctet(&R,xCID)) res=MPIN_INVALID_POINT; - } - else - { - //BIG_XXX_fromBytes(px,&(xID->val[1])); - //BIG_XXX_fromBytes(py,&(xID->val[PFS_ZZZ+1])); - if (!ECP_ZZZ_fromOctet(&R,xID)) res=MPIN_INVALID_POINT; - } - //if (!ECP_ZZZ_set(&R,px,py)) res=MPIN_INVALID_POINT; // x(A+AT) - } - if (res==0) - { - BIG_XXX_fromBytes(y,Y->val); - if (date) - { - if (!ECP_ZZZ_fromOctet(&P,HTID)) res=MPIN_INVALID_POINT; - } - else - { - if (!ECP_ZZZ_fromOctet(&P,HID)) res=MPIN_INVALID_POINT; - } - } - if (res==0) - { - PAIR_ZZZ_G1mul(&P,y); // y(A+AT) - ECP_ZZZ_add(&P,&R); // x(A+AT)+y(A+T) - //ECP_ZZZ_affine(&P); - if (!ECP_ZZZ_fromOctet(&R,mSEC)) res=MPIN_INVALID_POINT; // V - } - if (res==0) - { - - PAIR_ZZZ_double_ate(&g,&Q,&R,&sQ,&P); - PAIR_ZZZ_fexp(&g); - - if (!FP48_YYY_isunity(&g)) - { - if (HID!=NULL && xID!=NULL && E!=NULL && F !=NULL) - { - /* xID is set to NULL if there is no way to calculate PIN error */ - FP48_YYY_toOctet(E,&g); - - /* Note error is in the PIN, not in the time permit! Hence the need to exclude Time Permit from this check */ - - if (date) - { - if (!ECP_ZZZ_fromOctet(&P,HID)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&R,xID)) res=MPIN_INVALID_POINT; // U - - if (res==0) - { - PAIR_ZZZ_G1mul(&P,y); // yA - ECP_ZZZ_add(&P,&R); // yA+xA - //ECP_ZZZ_affine(&P); - } - } - if (res==0) - { - PAIR_ZZZ_ate(&g,&Q,&P); - PAIR_ZZZ_fexp(&g); - FP48_YYY_toOctet(F,&g); - } - } - res=MPIN_BAD_PIN; - } - } - - return res; -} - -#if MAXPIN==10000 -#define MR_TS 10 /* 2^10/10 approx = sqrt(MAXPIN) */ -#define TRAP 200 /* 2*sqrt(MAXPIN) */ -#endif - -#if MAXPIN==1000000 -#define MR_TS 14 -#define TRAP 2000 -#endif - -/* Pollards kangaroos used to return PIN error */ -int MPIN_ZZZ_KANGAROO(octet *E,octet *F) -{ - int i,j,m,s,dn,dm,steps; - int distance[MR_TS]; - FP48_YYY ge,gf,t,table[MR_TS]; - int res=0; - // BIG_XXX w; - - FP48_YYY_fromOctet(&ge,E); - FP48_YYY_fromOctet(&gf,F); - - FP48_YYY_copy(&t,&gf); - - for (s=1,m=0; m<MR_TS; m++) - { - distance[m]=s; - FP48_YYY_copy(&table[m],&t); - s*=2; - FP48_YYY_usqr(&t,&t); - FP48_YYY_reduce(&t); - } - - FP48_YYY_one(&t); - - for (dn=0,j=0; j<TRAP; j++) - { - - //BIG_XXX_copy(w,t.a.a.a); - //FP_YYY_redc(w); - //i=BIG_XXX_lastbits(w,20)%MR_TS; - - i=t.a.a.a.a.a.g[0]%MR_TS; - - FP48_YYY_mul(&t,&table[i]); - FP48_YYY_reduce(&t); - dn+=distance[i]; - } - - FP48_YYY_conj(&gf,&t); - steps=0; - dm=0; - while (dm-dn<MAXPIN) - { - steps++; - if (steps>4*TRAP) break; - - //BIG_XXX_copy(w,ge.a.a.a); - //FP_YYY_redc(w); - //i=BIG_XXX_lastbits(w,20)%MR_TS; - - i=ge.a.a.a.a.a.g[0]%MR_TS; - - FP48_YYY_mul(&ge,&table[i]); - FP48_YYY_reduce(&ge); - dm+=distance[i]; - if (FP48_YYY_equals(&ge,&t)) - { - res=dm-dn; - break; - } - if (FP48_YYY_equals(&ge,&gf)) - { - res=dn-dm; - break; - } - } - if (steps>4*TRAP || dm-dn>=MAXPIN) - { - res=0; /* Trap Failed - probable invalid token */ - } - - return res; -} - -/* Functions to support M-Pin Full */ - -int MPIN_ZZZ_PRECOMPUTE(octet *TOKEN,octet *CID,octet *CP,octet *G1,octet *G2) -{ - ECP_ZZZ P,T; - ECP8_ZZZ Q; - FP48_YYY g; - BIG_XXX x; - int res=0; - - if (!ECP_ZZZ_fromOctet(&T,TOKEN)) res=MPIN_INVALID_POINT; - - if (res==0) - { - ECP_ZZZ_mapit(&P,CID); - if (CP!=NULL) - { - if (!ECP8_ZZZ_fromOctet(&Q,CP)) res=MPIN_INVALID_POINT; - } - else - { - ECP8_ZZZ_generator(&Q); - } - } - if (res==0) - { - PAIR_ZZZ_ate(&g,&Q,&T); - PAIR_ZZZ_fexp(&g); - - FP48_YYY_toOctet(G1,&g); - if (G2!=NULL) - { - PAIR_ZZZ_ate(&g,&Q,&P); - PAIR_ZZZ_fexp(&g); - FP48_YYY_toOctet(G2,&g); - } - } - return res; -} - -/* calculate common key on client side */ -/* wCID = w.(A+AT) */ -int MPIN_ZZZ_CLIENT_KEY(int sha,octet *G1,octet *G2,int pin,octet *R,octet *X,octet *H,octet *wCID,octet *CK) -{ - FP48_YYY g1,g2; - FP16_YYY c;//,cp,cpm1,cpm2; - - ECP_ZZZ W; - int res=0; - BIG_XXX r,z,x,h;//q,m,a,b; - - FP48_YYY_fromOctet(&g1,G1); - FP48_YYY_fromOctet(&g2,G2); - BIG_XXX_fromBytes(z,R->val); - BIG_XXX_fromBytes(x,X->val); - BIG_XXX_fromBytes(h,H->val); - - if (!ECP_ZZZ_fromOctet(&W,wCID)) res=MPIN_INVALID_POINT; - - if (res==0) - { - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - BIG_XXX_add(z,z,h); // new - BIG_XXX_mod(z,r); - - FP48_YYY_pinpow(&g2,pin,PBLEN); - FP48_YYY_mul(&g1,&g2); - - PAIR_ZZZ_G1mul(&W,x); - - FP48_YYY_compow(&c,&g1,z,r); - mpin_hash(sha,&c,&W,CK); - - } - return res; -} - -/* calculate common key on server side */ -/* Z=r.A - no time permits involved */ - -int MPIN_ZZZ_SERVER_KEY(int sha,octet *Z,octet *SST,octet *W,octet *H,octet *HID,octet *xID,octet *xCID,octet *SK) -{ - int res=0; - FP48_YYY g; - FP16_YYY c; - ECP_ZZZ R,U,A; - ECP8_ZZZ sQ; - BIG_XXX w,h; - - if (!ECP8_ZZZ_fromOctet(&sQ,SST)) res=MPIN_INVALID_POINT; - if (!ECP_ZZZ_fromOctet(&R,Z)) res=MPIN_INVALID_POINT; - - - if (!ECP_ZZZ_fromOctet(&A,HID)) res=MPIN_INVALID_POINT; - - // new - if (xCID!=NULL) - { - if (!ECP_ZZZ_fromOctet(&U,xCID)) res=MPIN_INVALID_POINT; - } - else - { - if (!ECP_ZZZ_fromOctet(&U,xID)) res=MPIN_INVALID_POINT; - } - BIG_XXX_fromBytes(w,W->val); - BIG_XXX_fromBytes(h,H->val); - - - PAIR_ZZZ_ate(&g,&sQ,&A); - PAIR_ZZZ_fexp(&g); - - if (res==0) - { - PAIR_ZZZ_G1mul(&A,h); - ECP_ZZZ_add(&R,&A); // new - //ECP_ZZZ_affine(&R); - PAIR_ZZZ_ate(&g,&sQ,&R); - PAIR_ZZZ_fexp(&g); - PAIR_ZZZ_G1mul(&U,w); - FP48_YYY_trace(&c,&g); - mpin_hash(sha,&c,&U,SK); - } - return res; -} - -/* Generate Y = H(TimeValue, xCID/xID) */ -void MPIN_ZZZ_GET_Y(int sha,int TimeValue,octet *xCID,octet *Y) -{ - BIG_XXX q,y; - char h[MODBYTES_XXX]; - octet H= {0,sizeof(h),h}; - - mhashit(sha,TimeValue,xCID,&H); - BIG_XXX_fromBytes(y,H.val); - BIG_XXX_rcopy(q,CURVE_Order_ZZZ); - BIG_XXX_mod(y,q); - BIG_XXX_toBytes(Y->val,y); - Y->len=PGS_ZZZ; -} - -/* One pass MPIN Client */ -int MPIN_ZZZ_CLIENT(int sha,int date,octet *ID,csprng *RNG,octet *X,int pin,octet *TOKEN,octet *V,octet *U,octet *UT,octet *TP,octet *MESSAGE,int TimeValue,octet *Y) -{ - int rtn=0; - char m[M_SIZE_ZZZ]; - octet M= {0,sizeof(m),m}; - - octet *pID; - if (date == 0) - pID = U; - else - pID = UT; - - rtn = MPIN_ZZZ_CLIENT_1(sha,date,ID,RNG,X,pin,TOKEN,V,U,UT,TP); - if (rtn != 0) - return rtn; - - OCT_joctet(&M,pID); - if (MESSAGE!=NULL) - { - OCT_joctet(&M,MESSAGE); - } - - MPIN_ZZZ_GET_Y(sha,TimeValue,&M,Y); - - rtn = MPIN_ZZZ_CLIENT_2(X,Y,V); - if (rtn != 0) - return rtn; - - return 0; -} - -/* One pass MPIN Server */ -int MPIN_ZZZ_SERVER(int sha,int date,octet *HID,octet *HTID,octet *Y,octet *sQ,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE,int TimeValue, octet *Pa) -{ - int rtn=0; - char m[M_SIZE_ZZZ]; - octet M= {0,sizeof(m),m}; - - octet *pU; - if (date == 0) - pU = U; - else - pU = UT; - - MPIN_ZZZ_SERVER_1(sha,date,ID,HID,HTID); - - OCT_joctet(&M,pU); - if (MESSAGE!=NULL) - { - OCT_joctet(&M,MESSAGE); - } - - MPIN_ZZZ_GET_Y(sha,TimeValue,&M,Y); - - rtn = MPIN_ZZZ_SERVER_2(date,HID,HTID,Y,sQ,U,UT,V,E,F,Pa); - if (rtn != 0) - return rtn; - - return 0; -} - -int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa) -{ - BIG_XXX z,r; - ECP8_ZZZ Q; - int res=0; - - BIG_XXX_rcopy(r,CURVE_Order_ZZZ); - - if (R!=NULL) - { - BIG_XXX_randomnum(z,r,R); - Z->len=MODBYTES_XXX; - BIG_XXX_toBytes(Z->val,z); - } - else - BIG_XXX_fromBytes(z,Z->val); - - BIG_XXX_invmodp(z,z,r); - - ECP8_ZZZ_generator(&Q); - - if (res==0) - { - PAIR_ZZZ_G2mul(&Q,z); - ECP8_ZZZ_toOctet(Pa,&Q); - } - - return res; -} http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/1add7560/version3/c/mpin256.h ---------------------------------------------------------------------- diff --git a/version3/c/mpin256.h b/version3/c/mpin256.h deleted file mode 100644 index 46ba21a..0000000 --- a/version3/c/mpin256.h +++ /dev/null @@ -1,339 +0,0 @@ -/* -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. -*/ - -/** - * @file mpin.h - * @author Mike Scott and Kealan McCusker - * @date 2nd June 2015 - * @brief M-Pin Header file - * - * Allows some user configuration - * defines structures - * declares functions - * - */ - -#ifndef MPIN_ZZZ_H -#define MPIN_ZZZ_H - -#include "pair256_ZZZ.h" -#include "pbc_support.h" - - -/* Field size is assumed to be greater than or equal to group size */ - -#define PGS_ZZZ MODBYTES_XXX /**< MPIN Group Size */ -#define PFS_ZZZ MODBYTES_XXX /**< MPIN Field Size */ - -#define MPIN_OK 0 /**< Function completed without error */ -#define MPIN_INVALID_POINT -14 /**< Point is NOT on the curve */ -#define MPIN_BAD_PIN -19 /**< Bad PIN number entered */ - -#define MAXPIN 10000 /**< max PIN */ -#define PBLEN 14 /**< max length of PIN in bits */ - -//#define PAS_ZZZ 24 /**< MPIN Symmetric Key Size 192 bits */ -//#define HASH_TYPE_MPIN_ZZZ SHA384 /**< Choose Hash function */ - -#define MESSAGE_SIZE 256 /**< Signature message size */ -#define M_SIZE_ZZZ (MESSAGE_SIZE+2*PFS_ZZZ+1) /**< Signature message size and G1 size */ - -/* MPIN support functions */ - -/* MPIN primitives */ - - -void MPIN_ZZZ_GET_Y(int h,int t,octet *O,octet *Y); -/** @brief Extract a PIN number from a client secret - * - @param h is the hash type - @param ID is the input client identity - @param factor is an input factor - @param facbits is the number of bits in the factor - @param CS is the client secret from which the factor is to be extracted - @return 0 or an error code - */ -int MPIN_ZZZ_EXTRACT_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); - -/** @brief Extract a PIN number from a client secret - * - @param h is the hash type - @param ID is the input client identity - @param factor is an input factor - @param facbits is the number of bits in the factor - @param CS is the client secret to which the factor is to be added - @return 0 or an error code - */ -int MPIN_ZZZ_RESTORE_FACTOR(int h,octet *ID,int factor,int facbits,octet *CS); - - -/** @brief Extract a PIN number from a client secret - * - @param h is the hash type - @param ID is the input client identity - @param pin is an input PIN number - @param CS is the client secret from which the PIN is to be extracted - @return 0 or an error code - */ -int MPIN_ZZZ_EXTRACT_PIN(int h,octet *ID,int pin,octet *CS); - -/** @brief Perform client side of the one-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input client identity - @param R is a pointer to a cryptographically secure random number generator - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param pin is the input PIN number - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param V is output = -(x+y)(CS+TP), where CS is the reconstructed client secret, and TP is the time permit - @param U is output = x.H(ID) - @param UT is output = x.(H(ID)+H(d|H(ID))) - @param TP is the input time permit - @param MESSAGE is the message to be signed - @param t is input epoch time in seconds - a timestamp - @param y is output H(t|U) or H(t|UT) if Time Permits enabled - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *V,octet *U,octet *UT,octet *TP, octet* MESSAGE, int t, octet *y); -/** @brief Perform first pass of the client side of the 3-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U is not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U and UT are both generated. - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input client identity - @param R is a pointer to a cryptographically secure random number generator - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param pin is the input PIN number - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param S is output = CS+TP, where CS=is the reconstructed client secret, and TP is the time permit - @param U is output = x.H(ID) - @param UT is output = x.(H(ID)+H(d|H(ID))) - @param TP is the input time permit - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT_1(int h,int d,octet *ID,csprng *R,octet *x,int pin,octet *T,octet *S,octet *U,octet *UT,octet *TP); -/** @brief Generate a random group element - * - @param R is a pointer to a cryptographically secure random number generator - @param S is the output random octet - @return 0 or an error code - */ -int MPIN_ZZZ_RANDOM_GENERATE(csprng *R,octet *S); -/** @brief Perform second pass of the client side of the 3-pass version of the M-Pin protocol - * - @param x an input, a locally generated random number - @param y an input random challenge from the server - @param V on output = -(x+y).V - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT_2(octet *x,octet *y,octet *V); -/** @brief Perform server side of the one-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT and HTID are not generated and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param HID is output H(ID), a hash of the client ID - @param HTID is output H(ID)+H(d|H(ID)) - @param y is output H(t|U) or H(t|UT) if Time Permits enabled - @param SS is the input server secret - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param V is an input from the client - @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param ID is the input claimed client identity - @param MESSAGE is the message to be signed - @param t is input epoch time in seconds - a timestamp - @param Pa is input from the client z.Q or NULL if the key-escrow less scheme is not used - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER(int h,int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *ID,octet *MESSAGE, int t, octet *Pa); -/** @brief Perform first pass of the server side of the 3-pass version of the M-Pin protocol - * - @param h is the hash type - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param ID is the input claimed client identity - @param HID is output H(ID), a hash of the client ID - @param HTID is output H(ID)+H(d|H(ID)) - @return 0 or an error code - */ -void MPIN_ZZZ_SERVER_1(int h,int d,octet *ID,octet *HID,octet *HTID); -/** @brief Perform third pass on the server side of the 3-pass version of the M-Pin protocol - * - If Time Permits are disabled, set d = 0, and UT and HTID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is OFF, U and HID are not needed and can be set to NULL. - If Time Permits are enabled, and PIN error detection is ON, U, UT, HID and HTID are all required. - @param d is input date, in days since the epoch. Set to 0 if Time permits disabled - @param HID is input H(ID), a hash of the client ID - @param HTID is input H(ID)+H(d|H(ID)) - @param y is the input server's randomly generated challenge - @param SS is the input server secret - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param V is an input from the client - @param E is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param F is an output to help the Kangaroos to find the PIN error, or NULL if not required - @param Pa is the input public key from the client, z.Q or NULL if the client uses regular mpin - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER_2(int d,octet *HID,octet *HTID,octet *y,octet *SS,octet *U,octet *UT,octet *V,octet *E,octet *F,octet *Pa); -/** @brief Add two members from the group G1 - * - @param Q1 an input member of G1 - @param Q2 an input member of G1 - @param Q an output member of G1 = Q1+Q2 - @return 0 or an error code - */ -int MPIN_ZZZ_RECOMBINE_G1(octet *Q1,octet *Q2,octet *Q); -/** @brief Add two members from the group G2 - * - @param P1 an input member of G2 - @param P2 an input member of G2 - @param P an output member of G2 = P1+P2 - @return 0 or an error code - */ -int MPIN_ZZZ_RECOMBINE_G2(octet *P1,octet *P2,octet *P); -/** @brief Use Kangaroos to find PIN error - * - @param E a member of the group GT - @param F a member of the group GT = E^e - @return 0 if Kangaroos failed, or the PIN error e - */ -int MPIN_ZZZ_KANGAROO(octet *E,octet *F); -/** @brief Encoding of a Time Permit to make it indistinguishable from a random string - * - @param R is a pointer to a cryptographically secure random number generator - @param TP is the input time permit, obfuscated on output - @return 0 or an error code - */ -int MPIN_ZZZ_ENCODING(csprng *R,octet *TP); -/** @brief Encoding of an obfuscated Time Permit - * - @param TP is the input obfuscated time permit, restored on output - @return 0 or an error code - */ -int MPIN_ZZZ_DECODING(octet *TP); - -/** @brief Find a random multiple of a point in G1 - * - @param R is a pointer to a cryptographically secure random number generator - @param type determines type of action to be taken - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param G if type=0 a point in G1, else an octet to be mapped to G1 - @param W the output =x.G or x.M(G), where M(.) is a mapping - @return 0 or an error code - */ -int MPIN_ZZZ_GET_G1_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); -/** @brief Find a random multiple of a point in G1 - * - @param R is a pointer to a cryptographically secure random number generator - @param type determines type of action to betaken - @param x an output internally randomly generated if R!=NULL, otherwise must be provided as an input - @param G a point in G2 - @param W the output =x.G or (1/x).G - @return 0 or an error code - */ -int MPIN_ZZZ_GET_G2_MULTIPLE(csprng *R,int type,octet *x,octet *G,octet *W); - -/** @brief Create a client secret in G1 from a master secret and the client ID - * - @param S is an input master secret - @param ID is the input client identity - @param CS is the full client secret = s.H(ID) - @return 0 or an error code - */ -int MPIN_ZZZ_GET_CLIENT_SECRET(octet *S,octet *ID,octet *CS); -/** @brief Create a Time Permit in G1 from a master secret and the client ID - * - @param h is the hash type - @param d is input date, in days since the epoch. - @param S is an input master secret - @param ID is the input client identity - @param TP is a Time Permit for the given date = s.H(d|H(ID)) - @return 0 or an error code - */ -int MPIN_ZZZ_GET_CLIENT_PERMIT(int h,int d,octet *S,octet *ID,octet *TP); -/** @brief Create a server secret in G2 from a master secret - * - @param S is an input master secret - @param SS is the server secret = s.Q where Q is a fixed generator of G2 - @return 0 or an error code - */ -int MPIN_ZZZ_GET_SERVER_SECRET(octet *S,octet *SS); -/* int MPIN_TEST_PAIRING(octet *,octet *); */ - -/* For M-Pin Full */ -/** @brief Precompute values for use by the client side of M-Pin Full - * - @param T is the input M-Pin token (the client secret with PIN portion removed) - @param ID is the input client identity - @param CP is Public Key (or NULL) - @param g1 precomputed output - @param g2 precomputed output - @return 0 or an error code - */ -int MPIN_ZZZ_PRECOMPUTE(octet *T,octet *ID,octet *CP,octet *g1,octet *g2); -/** @brief Calculate Key on Server side for M-Pin Full - * - Uses UT internally for the key calculation, unless not available in which case U is used - @param h is the hash type - @param Z is the input Client-side Diffie-Hellman component - @param SS is the input server secret - @param w is an input random number generated by the server - @param p is an input, hash of the protocol transcript - @param I is the hashed input client ID = H(ID) - @param U is input from the client = x.H(ID) - @param UT is input from the client= x.(H(ID)+H(d|H(ID))) - @param K is the output calculated shared key - @return 0 or an error code - */ -int MPIN_ZZZ_SERVER_KEY(int h,octet *Z,octet *SS,octet *w,octet *p,octet *I,octet *U,octet *UT,octet *K); -/** @brief Calculate Key on Client side for M-Pin Full - * - @param h is the hash type - @param g1 precomputed input - @param g2 precomputed input - @param pin is the input PIN number - @param r is an input, a locally generated random number - @param x is an input, a locally generated random number - @param p is an input, hash of the protocol transcript - @param T is the input Server-side Diffie-Hellman component - @param K is the output calculated shared key - @return 0 or an error code - */ -int MPIN_ZZZ_CLIENT_KEY(int h,octet *g1,octet *g2,int pin,octet *r,octet *x,octet *p,octet *T,octet *K); - -/** @brief Generates a random public key for the client z.Q - * - @param R is a pointer to a cryptographically secure random number generator - @param Z an output internally randomly generated if R!=NULL, otherwise it must be provided as an input - @param Pa the output public key for the client - */ -int MPIN_ZZZ_GET_DVS_KEYPAIR(csprng *R,octet *Z,octet *Pa); - -#endif -
