Set teh parameter settings of SAKKE

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMExtractor.java

@@ -19,21 +19,21 @@ public class SAKKEKEMExtractor
     private final BigInteger q;
     private final ECPoint P;
     private final ECPoint Z_S;
-    private final ECPoint K_bS; // Receiver's RSK
+    private final ECPoint K_bs;
     private final int n; // Security parameter
-    private final SAKKEPrivateKeyParameters privateKey;
+    private final BigInteger identifier;
 
     public SAKKEKEMExtractor(SAKKEPrivateKeyParameters privateKey)
     {
-        this.privateKey = privateKey;
         SAKKEPublicKeyParameters publicKey = privateKey.getPublicParams();
         this.curve = publicKey.getCurve();
         this.q = publicKey.getQ();
         this.P = publicKey.getP();
-        this.p = publicKey.getp();
+        this.p = publicKey.getPrime();
         this.Z_S = publicKey.getZ();
-        this.K_bS = privateKey.getPrivatePoint();
+        this.K_bs = privateKey.getRSK();
         this.n = publicKey.getN();
+        this.identifier = publicKey.getIdentifier();
     }
 
     @Override
@@ -46,16 +46,15 @@ public byte[] extractSecret(byte[] encapsulation)
             BigInteger H = new BigInteger(Arrays.copyOfRange(encapsulation, 257, 274));
 
             // Step 2: Compute w = <R_bS, K_bS> using pairing
-            BigInteger w = computePairing(R_bS, K_bS, p, q);
-            //System.out.println(new String(Hex.encode(w.toByteArray())));
-            //BigInteger w = tatePairing(R_bS.getXCoord().toBigInteger(), R_bS.getYCoord().toBigInteger(), K_bS.getXCoord().toBigInteger(), K_bS.getYCoord().toBigInteger(), q, p);
+            BigInteger w = computePairing(R_bS, K_bs, p, q);
+
             // Step 3: Compute SSV = H XOR HashToIntegerRange(w, 2^n)
             BigInteger twoToN = BigInteger.ONE.shiftLeft(n);
             BigInteger mask = SAKKEUtils.hashToIntegerRange(w.toByteArray(), twoToN);
             BigInteger ssv = H.xor(mask);
 
             // Step 4: Compute r = HashToIntegerRange(SSV || b)
-            BigInteger b = privateKey.getB();
+            BigInteger b = identifier;
             BigInteger r = SAKKEUtils.hashToIntegerRange(Arrays.concatenate(ssv.toByteArray(), b.toByteArray()), q);
 
             // Step 5: Validate R_bS

core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMSGenerator.java

@@ -3,56 +3,18 @@
 import org.bouncycastle.crypto.EncapsulatedSecretGenerator;
 import org.bouncycastle.crypto.SecretWithEncapsulation;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.SAKKEPublicKeyParameters;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.BigIntegers;
-import org.bouncycastle.util.encoders.Hex;
 
 import java.math.BigInteger;
 import java.security.SecureRandom;
 
 public class SAKKEKEMSGenerator
     implements EncapsulatedSecretGenerator
 {
-
-    private static final BigInteger p = new BigInteger(
-        "997ABB1F0A563FDA65C61198DAD0657A416C0CE19CB48261BE9AE358B3E01A2E" +
-            "F40AAB27E2FC0F1B228730D531A59CB0E791B39FF7C88A19356D27F4A666A6D0" +
-            "E26C6487326B4CD4512AC5CD65681CE1B6AFF4A831852A82A7CF3C521C3C09AA" +
-            "9F94D6AF56971F1FFCE3E82389857DB080C5DF10AC7ACE87666D807AFEA85FEB", 16
-    );
-
-    private static final BigInteger q = new BigInteger(
-        "265EAEC7C2958FF69971846636B4195E905B0338672D20986FA6B8D62CF8068B" +
-            "BD02AAC9F8BF03C6C8A1CC354C69672C39E46CE7FDF222864D5B49FD2999A9B4" +
-            "389B1921CC9AD335144AB173595A07386DABFD2A0C614AA0A9F3CF14870F026A" +
-            "A7E535ABD5A5C7C7FF38FA08E2615F6C203177C42B1EB3A1D99B601EBFAA17FB", 16
-    );
-
-    private static final BigInteger Px = new BigInteger(
-        "53FC09EE332C29AD0A7990053ED9B52A2B1A2FD60AEC69C698B2F204B6FF7CBF" +
-            "B5EDB6C0F6CE2308AB10DB9030B09E1043D5F22CDB9DFA55718BD9E7406CE890" +
-            "9760AF765DD5BCCB337C86548B72F2E1A702C3397A60DE74A7C1514DBA66910D" +
-            "D5CFB4CC80728D87EE9163A5B63F73EC80EC46C4967E0979880DC8ABEAE63895", 16
-    );
-
-    private static final BigInteger Py = new BigInteger(
-        "0A8249063F6009F1F9F1F0533634A135D3E82016029906963D778D821E141178" +
-            "F5EA69F4654EC2B9E7F7F5E5F0DE55F66B598CCF9A140B2E416CFF0CA9E032B9" +
-            "70DAE117AD547C6CCAD696B5B7652FE0AC6F1E80164AA989492D979FC5A4D5F2" +
-            "13515AD7E9CB99A980BDAD5AD5BB4636ADB9B5706A67DCDE75573FD71BEF16D7", 16
-    );
-
-    BigInteger g = new BigInteger(Hex.decode("66FC2A43 2B6EA392 148F1586 7D623068\n" +
-        "               C6A87BD1 FB94C41E 27FABE65 8E015A87\n" +
-        "               371E9474 4C96FEDA 449AE956 3F8BC446\n" +
-        "               CBFDA85D 5D00EF57 7072DA8F 541721BE\n" +
-        "               EE0FAED1 828EAB90 B99DFB01 38C78433\n" +
-        "               55DF0460 B4A9FD74 B4F1A32B CAFA1FFA\n" +
-        "               D682C033 A7942BCC E3720F20 B9B7B040\n" +
-        "               3C8CAE87 B7A0042A CDE0FAB3 6461EA46"));
-    private static final int n = 128;
     private final SecureRandom random;
 
     public SAKKEKEMSGenerator(SecureRandom random)
@@ -63,54 +25,34 @@ public SAKKEKEMSGenerator(SecureRandom random)
     @Override
     public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recipientKey)
     {
+        SAKKEPublicKeyParameters keyParameters = (SAKKEPublicKeyParameters)recipientKey;
+        ECPoint Z = keyParameters.getZ();
+        BigInteger b = keyParameters.getIdentifier();
+        BigInteger p = keyParameters.getPrime();
+        BigInteger q = keyParameters.getQ();
+        BigInteger g = keyParameters.getG();
+        int n = keyParameters.getN();
+        ECCurve curve = keyParameters.getCurve();
+        ECPoint P = keyParameters.getP();
+
         // 1. Generate random SSV in range [0, 2^n - 1]
         BigInteger ssv = new BigInteger(n, random);
 
+
         // 2. Compute r = HashToIntegerRange(SSV || b, q)
-        BigInteger b = new BigInteger("323031312D30320074656C3A2B34343737303039303031323300", 16); //getRecipientId((SAKKEPublicKey)recipientKey);
+
         BigInteger r = SAKKEUtils.hashToIntegerRange(Arrays.concatenate(ssv.toByteArray(), b.toByteArray()), q);
-        //System.out.println(new String(Hex.encode(r.toByteArray())));
-        ECCurve.Fp curve = new ECCurve.Fp(
-            p,                                   // Prime p
-            BigInteger.valueOf(-3).mod(p),             // a = -3
-            BigInteger.ZERO, // ,
-            g,                                  // Order of the subgroup (from RFC 6509)
-            BigInteger.ONE                      // Cofactor = 1
-        );
-        ECPoint P = curve.createPoint(Px, Py);
-
-        ECPoint Z = curve.createPoint(
-            new BigInteger("5958EF1B1679BF099B3A030DF255AA6A" +
-                "23C1D8F143D4D23F753E69BD27A832F3" +
-                "8CB4AD53DDEF4260B0FE8BB45C4C1FF5" +
-                "10EFFE300367A37B61F701D914AEF097" +
-                "24825FA0707D61A6DFF4FBD7273566CD" +
-                "DE352A0B04B7C16A78309BE640697DE7" +
-                "47613A5FC195E8B9F328852A579DB8F9" +
-                "9B1D0034479EA9C5595F47C4B2F54FF2", 16),  // Px
-            new BigInteger("1508D37514DCF7A8E143A6058C09A6BF" +
-                "2C9858CA37C258065AE6BF7532BC8B5B" +
-                "63383866E0753C5AC0E72709F8445F2E" +
-                "6178E065857E0EDA10F68206B63505ED" +
-                "87E534FB2831FF957FB7DC619DAE6130" +
-                "1EEACC2FDA3680EA4999258A833CEA8F" +
-                "C67C6D19487FB449059F26CC8AAB655A" +
-                "B58B7CC796E24E9A394095754F5F8BAE", 16)   // Py
-        );
+
 
         // 3. Compute R_(b,S) = [r]([b]P + Z_S)
         ECPoint bP = P.multiply(b).normalize();
         ECPoint R_bS = bP.add(Z).multiply(r).normalize();         // [r]([b]P + Z_S)
-//        System.out.println("R_Bs x:" + new String(Hex.encode(R_bS.getXCoord().toBigInteger().toByteArray())));
-//        System.out.println("R_Bs y:" + new String(Hex.encode(R_bS.getYCoord().toBigInteger().toByteArray())));
-
 
         // 4. Compute H = SSV XOR HashToIntegerRange( g^r, 2^n )
         BigInteger[] v = fp2Exponentiate(p, BigInteger.ONE, g, r, curve);
         BigInteger g_r = v[1].multiply(v[0].modInverse(p)).mod(p);
 
         BigInteger mask = SAKKEUtils.hashToIntegerRange(g_r.toByteArray(), BigInteger.ONE.shiftLeft(n)); // 2^n
-        //System.out.println(new String(Hex.encode(mask.toByteArray())));
 
         BigInteger H = ssv.xor(mask);
         //System.out.println(new String(Hex.encode(H.toByteArray())));
@@ -124,14 +66,12 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
     }
 
 
-    // Helper method for F_p² exponentiation
     public static BigInteger[] fp2Exponentiate(
         BigInteger p,
         BigInteger pointX,
         BigInteger pointY,
         BigInteger n,
-        ECCurve.Fp curve
-    )
+        ECCurve curve)
     {
         BigInteger[] result = new BigInteger[2];
 

core/src/main/java/org/bouncycastle/crypto/params/SAKKEPrivateKeyParameters.java

@@ -7,30 +7,31 @@
 public class SAKKEPrivateKeyParameters
     extends AsymmetricKeyParameter
 {
-    private final BigInteger b; // User's identity
-    private final ECPoint K;    // Private key K_a
     private final SAKKEPublicKeyParameters publicParams;
+    private final BigInteger z;  // KMS Public Key: Z = [z]P
+    private final ECPoint rsk;
 
-    public SAKKEPrivateKeyParameters(BigInteger b, ECPoint K, SAKKEPublicKeyParameters publicParams)
+    public SAKKEPrivateKeyParameters(BigInteger z, ECPoint rsk, SAKKEPublicKeyParameters publicParams)
     {
         super(true);
-        this.b = b;
-        this.K = K;
+        this.z = z;
+        this.rsk = rsk;
         this.publicParams = publicParams;
     }
 
-    public BigInteger getB()
+    public SAKKEPublicKeyParameters getPublicParams()
     {
-        return b;
+        return publicParams;
     }
 
-    public SAKKEPublicKeyParameters getPublicParams()
+
+    public BigInteger getMasterSecret()
     {
-        return publicParams;
+        return z;
     }
 
-    public ECPoint getPrivatePoint()
+    public ECPoint getRSK()
     {
-        return K;
+        return rsk;
     }
 }

core/src/main/java/org/bouncycastle/crypto/params/SAKKEPublicKeyParameters.java

@@ -2,6 +2,8 @@
 
 import java.math.BigInteger;
 
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.encoders.Hex;
@@ -17,6 +19,13 @@ public class SAKKEPublicKeyParameters
             "9F94D6AF56971F1FFCE3E82389857DB080C5DF10AC7ACE87666D807AFEA85FEB", 16
     );
 
+    private static final BigInteger q = new BigInteger(
+        "265EAEC7C2958FF69971846636B4195E905B0338672D20986FA6B8D62CF8068B" +
+            "BD02AAC9F8BF03C6C8A1CC354C69672C39E46CE7FDF222864D5B49FD2999A9B4" +
+            "389B1921CC9AD335144AB173595A07386DABFD2A0C614AA0A9F3CF14870F026A" +
+            "A7E535ABD5A5C7C7FF38FA08E2615F6C203177C42B1EB3A1D99B601EBFAA17FB", 16
+    );
+
     private static final BigInteger Px = new BigInteger(
         "53FC09EE332C29AD0A7990053ED9B52A2B1A2FD60AEC69C698B2F204B6FF7CBF" +
             "B5EDB6C0F6CE2308AB10DB9030B09E1043D5F22CDB9DFA55718BD9E7406CE890" +
@@ -31,7 +40,8 @@ public class SAKKEPublicKeyParameters
             "13515AD7E9CB99A980BDAD5AD5BB4636ADB9B5706A67DCDE75573FD71BEF16D7", 16
     );
 
-
+    // g = <P,P>
+    // < , > is Tate-Lichtenbaum Pairing
     private static final BigInteger g = new BigInteger(Hex.decode("66FC2A43 2B6EA392 148F1586 7D623068\n" +
         "               C6A87BD1 FB94C41E 27FABE65 8E015A87\n" +
         "               371E9474 4C96FEDA 449AE956 3F8BC446\n" +
@@ -41,13 +51,6 @@ public class SAKKEPublicKeyParameters
         "               D682C033 A7942BCC E3720F20 B9B7B040\n" +
         "               3C8CAE87 B7A0042A CDE0FAB3 6461EA46"));
 
-    private static final BigInteger q = new BigInteger(
-        "265EAEC7C2958FF69971846636B4195E905B0338672D20986FA6B8D62CF8068B" +
-            "BD02AAC9F8BF03C6C8A1CC354C69672C39E46CE7FDF222864D5B49FD2999A9B4" +
-            "389B1921CC9AD335144AB173595A07386DABFD2A0C614AA0A9F3CF14870F026A" +
-            "A7E535ABD5A5C7C7FF38FA08E2615F6C203177C42B1EB3A1D99B601EBFAA17FB", 16
-    );
-
     private static final ECCurve.Fp curve = new ECCurve.Fp(
         p,                                   // Prime p
         BigInteger.valueOf(-3).mod(p),             // a = -3
@@ -56,18 +59,34 @@ public class SAKKEPublicKeyParameters
         BigInteger.ONE                      // Cofactor = 1
     );
 
+
     private static final ECPoint P = curve.createPoint(Px, Py);
-    private final ECPoint Z;  // KMS Public Key: Z = [z]P
+    private final ECPoint Z;
+
+    private final BigInteger identifier; // User's identity
 
     private static final int n = 128;      // SSV bit length
 
-    public SAKKEPublicKeyParameters(ECPoint Z)
+    private final Digest digest = new SHA256Digest();
+
+    public SAKKEPublicKeyParameters(BigInteger identifier, ECPoint Z)
     {
         super(false);
+        this.identifier = identifier;
         this.Z = Z;
     }
 
     // Getters
+    public BigInteger getIdentifier()
+    {
+        return identifier;
+    }
+
+    public ECPoint getZ()
+    {
+        return Z;
+    }
+
     public ECCurve getCurve()
     {
         return curve;
@@ -78,12 +97,7 @@ public ECPoint getP()
         return P;
     }
 
-    public ECPoint getZ()
-    {
-        return Z;
-    }
-
-    public BigInteger getp()
+    public BigInteger getPrime()
     {
         return p;
     }
@@ -97,4 +111,14 @@ public int getN()
     {
         return n;
     }
+
+    public Digest getDigest()
+    {
+        return digest;
+    }
+
+    public BigInteger getG()
+    {
+        return g;
+    }
 }

core/src/test/java/org/bouncycastle/crypto/kems/test/SAKKEKEMSTest.java

@@ -38,6 +38,20 @@ public String getName()
     public void performTest()
         throws Exception
     {
+
+        final BigInteger Px = new BigInteger(
+            "53FC09EE332C29AD0A7990053ED9B52A2B1A2FD60AEC69C698B2F204B6FF7CBF" +
+                "B5EDB6C0F6CE2308AB10DB9030B09E1043D5F22CDB9DFA55718BD9E7406CE890" +
+                "9760AF765DD5BCCB337C86548B72F2E1A702C3397A60DE74A7C1514DBA66910D" +
+                "D5CFB4CC80728D87EE9163A5B63F73EC80EC46C4967E0979880DC8ABEAE63895", 16
+        );
+
+        final BigInteger Py = new BigInteger(
+            "0A8249063F6009F1F9F1F0533634A135D3E82016029906963D778D821E141178" +
+                "F5EA69F4654EC2B9E7F7F5E5F0DE55F66B598CCF9A140B2E416CFF0CA9E032B9" +
+                "70DAE117AD547C6CCAD696B5B7652FE0AC6F1E80164AA989492D979FC5A4D5F2" +
+                "13515AD7E9CB99A980BDAD5AD5BB4636ADB9B5706A67DCDE75573FD71BEF16D7", 16
+        );
         BigInteger g = new BigInteger(Hex.decode("66FC2A43 2B6EA392 148F1586 7D623068" +
             "               C6A87BD1 FB94C41E 27FABE65 8E015A87" +
             "               371E9474 4C96FEDA 449AE956 3F8BC446" +
@@ -127,14 +141,18 @@ public void performTest()
         SecureRandom random = new FixedSecureRandom(new FixedSecureRandom.Source[]{new FixedSecureRandom.Data(ssv),
             new FixedSecureRandom.Data(b)});
         SAKKEKEMSGenerator generator = new SAKKEKEMSGenerator(random);
-        SecretWithEncapsulation rlt = generator.generateEncapsulated(null);
+        SecretWithEncapsulation rlt = generator.generateEncapsulated(new SAKKEPublicKeyParameters(new BigInteger(b), curve.createPoint(Zx, Zy)));
 
+        ECPoint P = curve.createPoint(Px, Py);
+
+        BigInteger computed_g2 = SAKKEKEMExtractor.computePairing(P, P, p, q);
+        Assert.assertTrue(computed_g2.equals(g));
         ECPoint K_bS = curve.createPoint(kbx, kby);
 
-        SAKKEKEMExtractor extractor = new SAKKEKEMExtractor(new SAKKEPrivateKeyParameters(new BigInteger(b), K_bS,
-            new SAKKEPublicKeyParameters(curve.createPoint(Zx, Zy))));
+
+        SAKKEKEMExtractor extractor = new SAKKEKEMExtractor(new SAKKEPrivateKeyParameters(z, K_bS,
+            new SAKKEPublicKeyParameters(new BigInteger(b), curve.createPoint(Zx, Zy))));
         byte[] test = extractor.extractSecret(rlt.getEncapsulation());
         Assert.assertTrue(Arrays.areEqual(test, ssv));
-
     }
 }