/* IEEE1363 ECDSA Signature Verification. Signature C and D on F is verified using public key W */
public static int ECPVP_DSA(sbyte[] W, sbyte[] F, sbyte[] C, sbyte[] D)
{
BIG r, gx, gy, f, c, d, h2;
int res = 0;
ECP G, WP, P;
HASH H = new HASH();
H.process_array(F);
sbyte[] B = H.hash();
gx = new BIG(ROM.CURVE_Gx);
gy = new BIG(ROM.CURVE_Gy);
G = new ECP(gx, gy);
r = new BIG(ROM.CURVE_Order);
c = BIG.fromBytes(C);
d = BIG.fromBytes(D);
f = BIG.fromBytes(B);
if (c.iszilch() || BIG.comp(c, r) >= 0 || d.iszilch() || BIG.comp(d, r) >= 0)
{
res = INVALID;
}
if (res == 0)
{
d.invmodp(r);
f.copy(BIG.modmul(f, d, r));
h2 = BIG.modmul(c, d, r);
WP = ECP.fromBytes(W);
if (WP.is_infinity())
{
res = ERROR;
}
else
{
P = new ECP();
P.copy(WP);
P = P.mul2(h2, G, f);
if (P.is_infinity())
{
res = INVALID;
}
else
{
d = P.X;
d.mod(r);
if (BIG.comp(d, c) != 0)
{
res = INVALID;
}
}
}
}
return(res);
}
/* Initialize RNG with some real entropy from some external source */
public virtual void seed(int rawlen, sbyte[] raw)
{ // initialise from at least 128 byte string of raw random entropy
int i;
sbyte[] digest;
sbyte[] b = new sbyte[4];
HASH sh = new HASH();
pool_ptr = 0;
for (i = 0; i < NK; i++)
{
ira[i] = 0;
}
if (rawlen > 0)
{
for (i = 0; i < rawlen; i++)
{
sh.process(raw[i]);
}
digest = sh.hash();
/* initialise PRNG from distilled randomness */
for (i = 0; i < 8; i++)
{
b[0] = digest[4 * i];
b[1] = digest[4 * i + 1];
b[2] = digest[4 * i + 2];
b[3] = digest[4 * i + 3];
sirand(pack(b));
}
}
fill_pool();
}
/* IEEE ECDSA Signature, C and D are signature on F using private key S */
public static int ECPSP_DSA(RAND RNG, sbyte[] S, sbyte[] F, sbyte[] C, sbyte[] D)
{
sbyte[] T = new sbyte[EFS];
BIG gx, gy, r, s, f, c, d, u, vx;
ECP G, V;
HASH H = new HASH();
H.process_array(F);
sbyte[] B = H.hash();
gx = new BIG(ROM.CURVE_Gx);
gy = new BIG(ROM.CURVE_Gy);
G = new ECP(gx, gy);
r = new BIG(ROM.CURVE_Order);
s = BIG.fromBytes(S);
f = BIG.fromBytes(B);
c = new BIG(0);
d = new BIG(0);
V = new ECP();
do
{
u = BIG.randomnum(r, RNG);
V.copy(G);
V = V.mul(u);
vx = V.X;
c.copy(vx);
c.mod(r);
if (c.iszilch())
{
continue;
}
u.invmodp(r);
d.copy(BIG.modmul(s, c, r));
d.add(f);
d.copy(BIG.modmul(u, d, r));
} while (d.iszilch());
c.toBytes(T);
for (int i = 0; i < EFS; i++)
{
C[i] = T[i];
}
d.toBytes(T);
for (int i = 0; i < EFS; i++)
{
D[i] = T[i];
}
return(0);
}
private void fill_pool()
{
HASH sh = new HASH();
for (int i = 0; i < 128; i++)
{
sh.process(sbrand());
}
pool = sh.hash();
pool_ptr = 0;
}
public const int TRAP = 200; // 200 for 4 digit PIN, 2000 for 6-digit PIN - approx 2*sqrt(MAXPIN)
/* Hash number (optional) and string to point on curve */
public static sbyte[] hashit(int n, sbyte[] ID)
{
HASH H = new HASH();
if (n != 0)
{
H.process_num(n);
}
H.process_array(ID);
sbyte[] h = H.hash();
return(h);
}
/* Key Derivation Functions */
/* Input octet Z */
/* Output key of length olen */
public static sbyte[] KDF1(sbyte[] Z, int olen)
{
/* NOTE: the parameter olen is the length of the output K in bytes */
HASH H = new HASH();
int hlen = HASH.len;
sbyte[] K = new sbyte[olen];
sbyte[] B;
int counter, cthreshold, k = 0;
for (int i = 0; i < K.Length; i++)
{
K[i] = 0;
}
cthreshold = olen / hlen;
if (olen % hlen != 0)
{
cthreshold++;
}
for (counter = 0; counter < cthreshold; counter++)
{
H.process_array(Z);
if (counter > 0)
{
H.process_num(counter);
}
B = H.hash();
if (k + hlen > olen)
{
for (int i = 0; i < olen % hlen; i++)
{
K[k++] = B[i];
}
}
else
{
for (int i = 0; i < hlen; i++)
{
K[k++] = B[i];
}
}
}
return(K);
}
/* Mask Generation Function */
public static void MGF1(sbyte[] Z, int olen, sbyte[] K)
{
HASH H = new HASH();
int hlen = HASH.len;
sbyte[] B = new sbyte[hlen];
int counter, cthreshold, k = 0;
for (int i = 0; i < K.Length; i++)
{
K[i] = 0;
}
cthreshold = olen / hlen;
if (olen % hlen != 0)
{
cthreshold++;
}
for (counter = 0; counter < cthreshold; counter++)
{
H.process_array(Z);
H.process_num(counter);
B = H.hash();
if (k + hlen > olen)
{
for (int i = 0; i < olen % hlen; i++)
{
K[k++] = B[i];
}
}
else
{
for (int i = 0; i < hlen; i++)
{
K[k++] = B[i];
}
}
}
}
/* Calculate HMAC of m using key k. HMAC is tag of length olen */
public static int HMAC(sbyte[] M, sbyte[] K, sbyte[] tag)
{
/* Input is from an octet m *
* olen is requested output length in bytes. k is the key *
* The output is the calculated tag */
int b;
sbyte[] B;
sbyte[] K0 = new sbyte[64];
int olen = tag.Length;
b = K0.Length;
if (olen < 4 || olen > HASH.len)
{
return(0);
}
for (int i = 0; i < b; i++)
{
K0[i] = 0;
}
HASH H = new HASH();
if (K.Length > b)
{
H.process_array(K);
B = H.hash();
for (int i = 0; i < 32; i++)
{
K0[i] = B[i];
}
}
else
{
for (int i = 0; i < K.Length; i++)
{
K0[i] = K[i];
}
}
for (int i = 0; i < b; i++)
{
K0[i] ^= 0x36;
}
H.process_array(K0);
H.process_array(M);
B = H.hash();
for (int i = 0; i < b; i++)
{
K0[i] ^= 0x6a;
}
H.process_array(K0);
H.process_array(B);
B = H.hash();
for (int i = 0; i < olen; i++)
{
tag[i] = B[i];
}
return(1);
}
/* OAEP Message Decoding for Decryption */
public static sbyte[] OAEP_DECODE(sbyte[] p, sbyte[] f)
{
int x, t;
bool comp;
int i, k, olen = RFS - 1;
int hlen, seedlen;
HASH H = new HASH();
hlen = HASH.len;
sbyte[] SEED = new sbyte[hlen];
seedlen = hlen;
sbyte[] CHASH = new sbyte[hlen];
if (olen < seedlen + hlen + 1)
{
return(new sbyte[0]);
}
sbyte[] DBMASK = new sbyte[olen - seedlen];
for (i = 0; i < olen - seedlen; i++)
{
DBMASK[i] = 0;
}
if (f.Length < RFS)
{
int d = RFS - f.Length;
for (i = RFS - 1; i >= d; i--)
{
f[i] = f[i - d];
}
for (i = d - 1; i >= 0; i--)
{
f[i] = 0;
}
}
if (p != null)
{
H.process_array(p);
}
sbyte[] h = H.hash();
for (i = 0; i < hlen; i++)
{
CHASH[i] = h[i];
}
x = f[0];
for (i = seedlen; i < olen; i++)
{
DBMASK[i - seedlen] = f[i + 1];
}
MGF1(DBMASK, seedlen, SEED);
for (i = 0; i < seedlen; i++)
{
SEED[i] ^= f[i + 1];
}
MGF1(SEED, olen - seedlen, f);
for (i = 0; i < olen - seedlen; i++)
{
DBMASK[i] ^= f[i];
}
comp = true;
for (i = 0; i < hlen; i++)
{
if (CHASH[i] != DBMASK[i])
{
comp = false;
}
}
for (i = 0; i < olen - seedlen - hlen; i++)
{
DBMASK[i] = DBMASK[i + hlen];
}
for (i = 0; i < hlen; i++)
{
SEED[i] = CHASH[i] = 0;
}
for (k = 0;; k++)
{
if (k >= olen - seedlen - hlen)
{
return(new sbyte[0]);
}
if (DBMASK[k] != 0)
{
break;
}
}
t = DBMASK[k];
if (!comp || x != 0 || t != 0x01)
{
for (i = 0; i < olen - seedlen; i++)
{
DBMASK[i] = 0;
}
return(new sbyte[0]);
}
sbyte[] r = new sbyte[olen - seedlen - hlen - k - 1];
for (i = 0; i < olen - seedlen - hlen - k - 1; i++)
{
r[i] = DBMASK[i + k + 1];
}
for (i = 0; i < olen - seedlen; i++)
{
DBMASK[i] = 0;
}
return(r);
}
/* OAEP Message Encoding for Encryption */
public static sbyte[] OAEP_ENCODE(sbyte[] m, RAND rng, sbyte[] p)
{
int i, slen, olen = RFS - 1;
int mlen = m.Length;
int hlen, seedlen;
sbyte[] f = new sbyte[RFS];
HASH H = new HASH();
hlen = HASH.len;
sbyte[] SEED = new sbyte[hlen];
seedlen = hlen;
if (mlen > olen - hlen - seedlen - 1)
{
return(new sbyte[0]);
}
sbyte[] DBMASK = new sbyte[olen - seedlen];
if (p != null)
{
H.process_array(p);
}
sbyte[] h = H.hash();
for (i = 0; i < hlen; i++)
{
f[i] = h[i];
}
slen = olen - mlen - hlen - seedlen - 1;
for (i = 0; i < slen; i++)
{
f[hlen + i] = 0;
}
f[hlen + slen] = 1;
for (i = 0; i < mlen; i++)
{
f[hlen + slen + 1 + i] = m[i];
}
for (i = 0; i < seedlen; i++)
{
SEED[i] = (sbyte)rng.Byte;
}
MGF1(SEED, olen - seedlen, DBMASK);
for (i = 0; i < olen - seedlen; i++)
{
DBMASK[i] ^= f[i];
}
MGF1(DBMASK, seedlen, f);
for (i = 0; i < seedlen; i++)
{
f[i] ^= SEED[i];
}
for (i = 0; i < olen - seedlen; i++)
{
f[i + seedlen] = DBMASK[i];
}
/* pad to length RFS */
int d = 1;
for (i = RFS - 1; i >= d; i--)
{
f[i] = f[i - d];
}
for (i = d - 1; i >= 0; i--)
{
f[i] = 0;
}
return(f);
}
/* calculate common key on server side */
/* Z=r.A - no time permits involved */
public static int SERVER_KEY(sbyte[] Z, sbyte[] SST, sbyte[] W, sbyte[] xID, sbyte[] xCID, sbyte[] SK)
{
HASH H = new HASH();
sbyte[] t = new sbyte[EFS];
ECP2 sQ = ECP2.fromBytes(SST);
if (sQ.is_infinity())
{
return(INVALID_POINT);
}
ECP R = ECP.fromBytes(Z);
if (R.is_infinity())
{
return(INVALID_POINT);
}
ECP U;
if (xCID != null)
{
U = ECP.fromBytes(xCID);
}
else
{
U = ECP.fromBytes(xID);
}
if (U.is_infinity())
{
return(INVALID_POINT);
}
BIG w = BIG.fromBytes(W);
U = PAIR.G1mul(U, w);
FP12 g = PAIR.ate(sQ, R);
g = PAIR.fexp(g);
FP4 c = g.trace();
c.geta().A.toBytes(t);
H.process_array(t);
c.geta().B.toBytes(t);
H.process_array(t);
c.getb().A.toBytes(t);
H.process_array(t);
c.getb().B.toBytes(t);
H.process_array(t);
U.X.toBytes(t);
H.process_array(t);
U.Y.toBytes(t);
H.process_array(t);
t = H.hash();
for (int i = 0; i < PAS; i++)
{
SK[i] = t[i];
}
return(0);
}
/* calculate common key on client side */
/* wCID = w.(A+AT) */
public static int CLIENT_KEY(sbyte[] G1, sbyte[] G2, int pin, sbyte[] R, sbyte[] X, sbyte[] wCID, sbyte[] CK)
{
HASH H = new HASH();
sbyte[] t = new sbyte[EFS];
FP12 g1 = FP12.fromBytes(G1);
FP12 g2 = FP12.fromBytes(G2);
BIG z = BIG.fromBytes(R);
BIG x = BIG.fromBytes(X);
ECP W = ECP.fromBytes(wCID);
if (W.is_infinity())
{
return(INVALID_POINT);
}
W = PAIR.G1mul(W, x);
FP2 f = new FP2(new BIG(ROM.CURVE_Fra), new BIG(ROM.CURVE_Frb));
BIG r = new BIG(ROM.CURVE_Order);
BIG q = new BIG(ROM.Modulus);
BIG m = new BIG(q);
m.mod(r);
BIG a = new BIG(z);
a.mod(m);
BIG b = new BIG(z);
b.div(m);
g2.pinpow(pin, PBLEN);
g1.mul(g2);
FP4 c = g1.trace();
g2.copy(g1);
g2.frob(f);
FP4 cp = g2.trace();
g1.conj();
g2.mul(g1);
FP4 cpm1 = g2.trace();
g2.mul(g1);
FP4 cpm2 = g2.trace();
c = c.xtr_pow2(cp, cpm1, cpm2, a, b);
c.geta().A.toBytes(t);
H.process_array(t);
c.geta().B.toBytes(t);
H.process_array(t);
c.getb().A.toBytes(t);
H.process_array(t);
c.getb().B.toBytes(t);
H.process_array(t);
W.X.toBytes(t);
H.process_array(t);
W.Y.toBytes(t);
H.process_array(t);
t = H.hash();
for (int i = 0; i < PAS; i++)
{
CK[i] = t[i];
}
return(0);
}
