protected override BitString GetEphemeralDataFromKeyContribution(ISecretKeyingMaterial secretKeyingMaterial)
{
if (secretKeyingMaterial.EphemeralKeyPair != null)
{
var domainParam = (EccDomainParameters)secretKeyingMaterial.DomainParameters;
var exactLength = CurveAttributesHelper.GetCurveAttribute(domainParam.CurveE.CurveName).DegreeOfPolynomial;;
var ephemKey = (EccKeyPair)secretKeyingMaterial.EphemeralKeyPair;
if (ephemKey.PublicQ.X != 0)
{
return(BitString.ConcatenateBits(
SharedSecretZHelper.FormatEccSharedSecretZ(ephemKey.PublicQ.X, exactLength),
SharedSecretZHelper.FormatEccSharedSecretZ(ephemKey.PublicQ.Y, exactLength)
));
}
}
if (secretKeyingMaterial.EphemeralNonce != null && secretKeyingMaterial.EphemeralNonce?.BitLength != 0)
{
return(secretKeyingMaterial.EphemeralNonce);
}
return(secretKeyingMaterial.DkmNonce);
}
public SharedSecretResponse GenerateSharedSecretZ(
EccDomainParameters domainParameters,
EccKeyPair xPrivateKeyPartyA,
EccKeyPair yPublicKeyPartyB,
EccKeyPair rPrivateKeyPartyA,
EccKeyPair tPublicKeyPartyA,
EccKeyPair tPublicKeyPartyB)
{
var exactBitSize = domainParameters.CurveE.OrderN.ExactBitLength();
var associateValueQeA = AssociateValueFunction(exactBitSize, tPublicKeyPartyA);
var associateValueQeB = AssociateValueFunction(exactBitSize, tPublicKeyPartyB);
var implicitSigA =
(rPrivateKeyPartyA.PrivateD + associateValueQeA
* xPrivateKeyPartyA.PrivateD) % domainParameters.CurveE.OrderN;
var p = domainParameters.CurveE.Multiply(yPublicKeyPartyB.PublicQ, associateValueQeB);
p = domainParameters.CurveE.Add(p, tPublicKeyPartyB.PublicQ);
p = domainParameters.CurveE.Multiply(p, implicitSigA);
p = domainParameters.CurveE.Multiply(p, domainParameters.CurveE.CofactorH);
if (p.Infinity)
{
return(new SharedSecretResponse("Point is infinity"));
}
var pExactLength = domainParameters.CurveE.FieldSizeQ.ExactBitLength();
BitString z = SharedSecretZHelper.FormatEccSharedSecretZ(p.X, pExactLength);
return(new SharedSecretResponse(z));
}
/// <inheritdoc />
protected override BitString GetEphemeralKeyOrNonce(EccKeyPair ephemeralPublicKey, BitString ephemeralNonce, BitString dkmNonce)
{
if (ephemeralPublicKey?.PublicQ != null && ephemeralPublicKey.PublicQ?.X != 0)
{
var exactLength = CurveAttributesHelper.GetCurveAttribute(DomainParameters.CurveE.CurveName).DegreeOfPolynomial;
return(BitString.ConcatenateBits(
SharedSecretZHelper.FormatEccSharedSecretZ(ephemeralPublicKey.PublicQ.X, exactLength),
SharedSecretZHelper.FormatEccSharedSecretZ(ephemeralPublicKey.PublicQ.Y, exactLength)
));
}
if (ephemeralNonce != null && ephemeralNonce?.BitLength != 0)
{
return(ephemeralNonce);
}
return(dkmNonce);
}
public SharedSecretResponse GenerateSharedSecretZ(
EccDomainParameters domainParameters,
EccKeyPair dA,
EccKeyPair qB
)
{
var p = domainParameters.CurveE.Multiply(qB.PublicQ, dA.PrivateD);
p = domainParameters.CurveE.Multiply(p, domainParameters.CurveE.CofactorH);
if (p.Infinity)
{
return(new SharedSecretResponse("Point is infinity"));
}
var curveAttributes = CurveAttributesHelper.GetCurveAttribute(domainParameters.CurveE.CurveName);
BitString z = SharedSecretZHelper.FormatEccSharedSecretZ(p.X, curveAttributes.DegreeOfPolynomial);
return(new SharedSecretResponse(z));
}
public SharedSecretResponse GenerateSharedSecretZ(
FfcDomainParameters domainParameters,
FfcKeyPair xPrivateStaticKeyPartyA,
FfcKeyPair yPublicStaticKeyPartyB,
FfcKeyPair rPrivateKeyPartyA,
FfcKeyPair tPublicKeyPartyA,
FfcKeyPair tPublicKeyPartyB)
{
// 1. w = ceil (len(q) / 2)
var qBitString = new BitString(domainParameters.Q);
int lenQ = qBitString.BitLength;
int w = lenQ / 2 + ((lenQ % 2 != 0) ? 1 : 0);
// 2^w is equal to (1 << w)
var tw = BigInteger.One << w;
// 2. T_A = t_A mod 2^w + 2^w
var T_A = (tPublicKeyPartyA.PublicKeyY % tw) + tw;
// 3. S_A = (r_A + T_A x_A) mod q
var S_A = (rPrivateKeyPartyA.PrivateKeyX + (T_A * xPrivateStaticKeyPartyA.PrivateKeyX)) % domainParameters.Q;
// 4. T_B = (t_B mod 2^w) + 2^w
var T_B = (tPublicKeyPartyB.PublicKeyY % tw) + tw;
// 5. Z = ((t_B * (y_B^T_B))^S_A) mod p
// Two steps: 1. me1 = y_B ^ T_B mod p 2. z = (t_B * me1) ^ S_A mod p
var me1 = BigInteger.ModPow(yPublicStaticKeyPartyB.PublicKeyY, T_B, domainParameters.P);
var z = new BitString(BigInteger.ModPow((tPublicKeyPartyB.PublicKeyY * me1), S_A, domainParameters.P));
// 6 if z = 1, fail
if (z.ToPositiveBigInteger() == 1)
{
return(new SharedSecretResponse($"{nameof(z)} was 1, error."));
}
SharedSecretZHelper.FormatFfcSharedSecretZ(ref z);
return(new SharedSecretResponse(z));
}
public SharedSecretResponse GenerateSharedSecretZ(
FfcDomainParameters domainParameters,
FfcKeyPair xPrivateKeyPartyA,
FfcKeyPair yPublicKeyPartyB)
{
var z = new BitString(
BigInteger.ModPow(
yPublicKeyPartyB.PublicKeyY,
xPrivateKeyPartyA.PrivateKeyX,
domainParameters.P
)
);
if (z.ToPositiveBigInteger() == 1)
{
return(new SharedSecretResponse($"{nameof(z)} was 1, error."));
}
SharedSecretZHelper.FormatFfcSharedSecretZ(ref z);
return(new SharedSecretResponse(z));
}
