TODO: try to get the correct q

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMSGenerator.java

@@ -0,0 +1,150 @@
+package org.bouncycastle.crypto.kems;
+
+import org.bouncycastle.crypto.EncapsulatedSecretGenerator;
+import org.bouncycastle.crypto.SecretWithEncapsulation;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.SAKKEPublicKey;
+import org.bouncycastle.math.ec.ECCurve;
+import org.bouncycastle.math.ec.ECFieldElement;
+import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.BigIntegers;
+
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.SecureRandom;
+
+public class SAKKEKEMSGenerator
+    implements EncapsulatedSecretGenerator
+{
+    private final SAKKEPublicKey publicParams;
+    private final SecureRandom random;
+
+    public SAKKEKEMSGenerator(SAKKEPublicKey params, SecureRandom random)
+    {
+        this.publicParams = params;
+        this.random = random;
+    }
+
+    @Override
+    public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recipientKey)
+    {
+        // 1. Generate random SSV in range [0, 2^n - 1]
+        BigInteger ssv = new BigInteger(publicParams.getN(), random);
+
+        // 2. Compute r = HashToIntegerRange(SSV || b, q)
+        BigInteger b = getRecipientId((SAKKEPublicKey)recipientKey);
+        BigInteger r = SAKKEUtils.hashToIntegerRange(Arrays.concatenate(ssv.toByteArray(), b.toByteArray()), publicParams.getQ());
+
+        // 3. Compute R_(b,S) = [r]([b]P + Z_S)
+        ECPoint bP = publicParams.getP().multiply(b);   // [b]P
+        ECPoint Z_S = publicParams.getZ();              // Z_S
+        ECPoint R_bS = bP.add(Z_S).multiply(r);         // [r]([b]P + Z_S)
+
+        // 4. Compute H = SSV XOR HashToIntegerRange( g^r, 2^n )
+        BigInteger g_r = pairing(R_bS, publicParams.getP(), publicParams.getQ(), publicParams.getP().getCurve().getField().getCharacteristic());
+        BigInteger mask = SAKKEUtils.hashToIntegerRange(g_r.toByteArray(), BigInteger.ONE.shiftLeft(publicParams.getN())); // 2^n
+
+        BigInteger H = ssv.xor(mask);
+
+        // 5. Encode encapsulated data (R_bS, H)
+        byte[] encapsulated = encodeData(R_bS, H);
+
+        return new SecretWithEncapsulationImpl(
+            BigIntegers.asUnsignedByteArray(publicParams.getN() / 8, ssv), // Output SSV as key material
+            encapsulated
+        );
+    }
+
+    private BigInteger getRecipientId(SAKKEPublicKey pubKey)
+    {
+        byte[] hashedId = SAKKEUtils.hash(pubKey.getZ().getEncoded(false));  // Hash Z_S
+        return new BigInteger(1, hashedId).mod(pubKey.getQ().subtract(BigInteger.ONE)).add(BigIntegers.TWO);
+    }
+
+    /**
+     * Computes the Tate-Lichtenbaum pairing ⟨P, Q⟩ as per RFC 6508.
+     * <p>
+     * //* @param P First point (on E(F_p)).
+     *
+     * @param Q Second point (on E(F_p)).
+     * @return Result of the pairing in the field F_p^2.
+     */
+    public static BigInteger pairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger q)
+    {
+        ECCurve curve = R.getCurve();
+        ECFieldElement i = curve.fromBigInteger(BigInteger.ONE.negate()); // i = -1 in F_p^2
+
+        ECPoint C = R;
+        BigInteger c = p.add(BigInteger.ONE).divide(q);
+        ECFieldElement v = curve.fromBigInteger(BigInteger.ONE); // v = 1 in F_p
+
+        String qBits = q.subtract(BigInteger.ONE).toString(2); // Binary representation of q-1
+
+        for (int j = 1; j < qBits.length(); j++)
+        { // Skip MSB
+            // l = (3 * (C_x^2 - 1)) / (2 * C_y)
+            ECFieldElement Cx = C.getAffineXCoord();
+            ECFieldElement Cy = C.getAffineYCoord();
+            ECFieldElement l = Cx.square().multiply(curve.fromBigInteger(ECFieldElement.THREE)).subtract(curve.fromBigInteger(BigInteger.ONE))
+                .divide(Cy.multiply(curve.fromBigInteger(BigIntegers.TWO)));
+
+            // v = v^2 * (l * (Q_x + C_x) + (i * Q_y - C_y))
+            ECFieldElement Qx = Q.getAffineXCoord();
+            ECFieldElement Qy = Q.getAffineYCoord();
+            v = v.square().multiply(l.multiply(Qx.add(Cx)).add(i.multiply(Qy).subtract(Cy)));
+
+            // Double the point
+            C = C.twice();
+
+            // If the bit is 1, perform additional step
+            if (qBits.charAt(j) == '1')
+            {
+                // l = (C_y - R_y) / (C_x - R_x)
+                ECFieldElement Rx = R.getAffineXCoord();
+                ECFieldElement Ry = R.getAffineYCoord();
+                l = Cy.subtract(Ry).divide(Cx.subtract(Rx));
+
+                // v = v * (l * (Q_x + C_x) + (i * Q_y - C_y))
+                v = v.multiply(l.multiply(Qx.add(Cx)).add(i.multiply(Qy).subtract(Cy)));
+
+                // C = C + R
+                C = C.add(R);
+            }
+        }
+
+        // Compute v^c
+        v = curve.fromBigInteger(v.toBigInteger().pow(c.intValue()));
+
+        // Convert to F_p representative
+        return computeFpRepresentative(v, curve);
+    }
+
+    private static BigInteger computeFpRepresentative(ECFieldElement t, ECCurve curve)
+    {
+        // Characteristic of F_p
+        BigInteger p = ((ECCurve.Fp) curve).getQ();
+
+        // Assume t = a + i * b in F_p² → extract a, b
+        ECFieldElement a = t; // In F_p², a is the real part
+        ECFieldElement b = t.multiply(curve.fromBigInteger(BigInteger.ONE.negate())); // Imaginary part
+
+        // Compute b/a mod p
+        return b.toBigInteger().multiply(a.toBigInteger().modInverse(p)).mod(p);
+    }
+
+    public static byte[] encodeData(ECPoint R_bS, BigInteger H) {
+        // 1. Serialize EC Point (use compressed format for efficiency)
+        byte[] R_bS_bytes = R_bS.getEncoded(true);
+
+        // 2. Serialize H (convert to a fixed-length byte array)
+        byte[] H_bytes = H.toByteArray();
+
+        // 3. Combine both into a single byte array
+        ByteBuffer buffer = ByteBuffer.allocate(R_bS_bytes.length + H_bytes.length);
+        buffer.put(R_bS_bytes);
+        buffer.put(H_bytes);
+
+        return buffer.array();
+    }
+}

core/src/main/java/org/bouncycastle/crypto/kems/SAKKEUtils.java

@@ -0,0 +1,66 @@
+package org.bouncycastle.crypto.kems;
+
+import java.math.BigInteger;
+
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.util.Strings;
+import org.bouncycastle.util.encoders.Hex;
+
+public class SAKKEUtils
+{
+    public static BigInteger hashToIntegerRange(byte[] input, BigInteger q)
+    {
+        // RFC 6508 Section 5.1: Hashing to an Integer Range
+        SHA256Digest digest = new SHA256Digest();
+        byte[] hash = new byte[digest.getDigestSize()];
+
+        // Step 1: Compute A = hashfn(s)
+        digest.update(input, 0, input.length);
+        digest.doFinal(hash, 0);
+        byte[] A = hash.clone();
+
+        // Step 2: Initialize h_0 to all-zero bytes of hashlen size
+        byte[] h = new byte[digest.getDigestSize()];
+
+        // Step 3: Compute l = Ceiling(lg(n)/hashlen)
+        int l = q.bitLength() >> 8;
+
+        BigInteger v = BigInteger.ZERO;
+
+        // Step 4: Compute h_i and v_i
+        for (int i = 1; i <= l; i++)
+        {
+            // h_i = hashfn(h_{i-1})
+            digest.update(h, 0, h.length);
+            digest.doFinal(h, 0);
+            System.out.println("h_"+i+":" +new String(Hex.encode(h)));
+            // v_i = hashfn(h_i || A)
+            digest.update(h, 0, h.length);
+            digest.update(A, 0, A.length);
+            byte[] v_i = new byte[digest.getDigestSize()];
+            digest.doFinal(v_i, 0);
+            System.out.println("v_"+i+":" +new String(Hex.encode(v_i)));
+            // Append v_i to v'
+            v = v.shiftLeft(v_i.length * 8).add(new BigInteger(1, v_i));
+        }
+        System.out.println("v:" +new String(Hex.encode(v.toByteArray())));
+        // Step 6: v = v' mod n
+        return v.mod(q);
+    }
+
+    public static byte[] hash(byte[] data)
+    {
+        Digest digest = new SHA256Digest();
+        byte[] rlt = new byte[digest.getDigestSize()];
+        digest.update(data, 0, data.length);
+        digest.doFinal(rlt, 0);
+        return rlt;
+    }
+
+    public static byte[] hash(ECPoint point)
+    {
+        return hash(point.getEncoded(false)); // Use uncompressed encoding
+    }
+}

core/src/main/java/org/bouncycastle/crypto/params/SAKKEPrivateKey.java

@@ -0,0 +1,37 @@
+package org.bouncycastle.crypto.params;
+
+import java.math.BigInteger;
+
+import org.bouncycastle.math.ec.ECPoint;
+
+public class SAKKEPrivateKey
+    extends AsymmetricKeyParameter
+{
+    private final BigInteger b; // User's identity
+    private final ECPoint K;    // Private key K_a
+    private final SAKKEPublicKey publicParams;
+
+    public SAKKEPrivateKey(BigInteger b, ECPoint K, SAKKEPublicKey publicParams)
+    {
+        super(true);
+        this.b = b;
+        this.K = K;
+        this.publicParams = publicParams;
+    }
+
+    // Getters
+    public ECPoint getK()
+    {
+        return K;
+    }
+
+    public BigInteger getB()
+    {
+        return b;
+    }
+
+    public SAKKEPublicKey getPublicParams()
+    {
+        return publicParams;
+    }
+}

core/src/main/java/org/bouncycastle/crypto/params/SAKKEPublicKey.java

@@ -0,0 +1,52 @@
+package org.bouncycastle.crypto.params;
+
+import java.math.BigInteger;
+
+import org.bouncycastle.math.ec.ECCurve;
+import org.bouncycastle.math.ec.ECPoint;
+
+public class SAKKEPublicKey
+    extends AsymmetricKeyParameter
+{
+    private final ECCurve curve;
+    private final ECPoint P;  // Base point
+    private final ECPoint Z;  // KMS Public Key: Z = [z]P
+    private final BigInteger q; // Subgroup order
+    private final int n;      // SSV bit length
+
+    public SAKKEPublicKey(ECCurve curve, ECPoint P, ECPoint Z, BigInteger q, int n)
+    {
+        super(false);
+        this.curve = curve;
+        this.P = P;
+        this.Z = Z;
+        this.q = q;
+        this.n = n;
+    }
+
+    // Getters
+    public ECCurve getCurve()
+    {
+        return curve;
+    }
+
+    public ECPoint getP()
+    {
+        return P;
+    }
+
+    public ECPoint getZ()
+    {
+        return Z;
+    }
+
+    public BigInteger getQ()
+    {
+        return q;
+    }
+
+    public int getN()
+    {
+        return n;
+    }
+}

core/src/test/java/org/bouncycastle/crypto/kems/test/SAKKEKEMSTest.java

@@ -0,0 +1,81 @@
+package org.bouncycastle.crypto.kems.test;
+
+import java.math.BigInteger;
+
+
+import org.bouncycastle.crypto.kems.SAKKEKEMSGenerator;
+import org.bouncycastle.crypto.kems.SAKKEUtils;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.Strings;
+import org.bouncycastle.util.encoders.Hex;
+import org.bouncycastle.util.test.SimpleTest;
+import org.junit.Assert;
+
+public class SAKKEKEMSTest
+    extends SimpleTest
+{
+    public static void main(String[] args)
+        throws Exception
+    {
+        SAKKEKEMSTest test = new SAKKEKEMSTest();
+        test.performTest();
+        // Expected Rb values
+//        BigInteger expectedRbx = new BigInteger("44E8AD44AB8592A6A5A3DDCA5CF896C718043606A01D650DEF37A01F37C228C332FC317354E2C274D4DAF8AD001054C7...
+//            BigInteger expectedRby = new BigInteger("557E134AD85BB1D4B9CE4F8BE4B08A12BABF55B1D6F1D7A638019EA28E15AB1C9F76375FDD1210D4F4351B9A009486B7...
+//
+//            // Instantiate SAKKE KEM Generator
+//            SAKKEKEMSGenerator kem = new SAKKEKEMSGenerator();
+//        EncapsulatedData encapsulatedData = kem.encapsulate(SSV);
+//
+//        // Validate results
+//        boolean testPassed = expectedRbx.equals(encapsulatedData.getRbx()) && expectedRby.equals(encapsulatedData.getRby());
+
+        //System.out.println("SAKKE KEM Test " + (testPassed ? "PASSED" : "FAILED"));
+    }
+
+    private static byte[] hexStringToByteArray(String s)
+    {
+        int len = s.length();
+        byte[] data = new byte[len / 2];
+        for (int i = 0; i < len; i += 2)
+        {
+            data[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4)
+                + Character.digit(s.charAt(i + 1), 16));
+        }
+        return data;
+    }
+
+    @Override
+    public String getName()
+    {
+        return null;
+    }
+
+    @Override
+    public void performTest()
+        throws Exception
+    {
+//        BigInteger z = new BigInteger("AFF429D35F84B110D094803B3595A6E2998BC99F");
+//        BigInteger Zx = new BigInteger("5958EF1B1679BF099B3A030DF255AA6A23C1D8F143D4D23F753E69BD27A832F38CB4AD53DDEF"
+//            + "4260B0FE8BB45C4C1FF510EFFE300367A37B61F701D914AEF09724825FA0707D61A6DFF4FBD7273566CDDE352A0B04B7C16A78309BE"
+//            + "640697DE747613A5FC195E8B9F328852A579DB8F99B1D0034479EA9C5595F47C4B2F54FF2");
+//        BigInteger Zy = new BigInteger("1508D37514DCF7A8E143A6058C09A6BF2C9858CA37C258065AE6BF7532BC8B5B63383866E075"
+//            + "3C5AC0E72709F8445F2E6178E065857E0EDA10F68206B63505ED87E534FB2831FF957FB7DC619DAE61301EEACC2FDA3680EA499925" +
+//            "8A833CEA8FC67C6D19487FB449059F26CC8AAB655AB58B7CC796E24E9A394095754F5F8BAE");
+//
+        byte[] b = Hex.decode("323031312D30320074656C3A2B34343737303039303031323300");
+
+        byte[] SSV = Hex.decode("123456789ABCDEF0123456789ABCDEF0");
+        byte[] expectedR = Hex.decode("13EE3E1B8DAC5DB168B1CEB32F0566A4C273693F78BAFFA2A2EE6A686E6BD90F8206CCAB84E7F"
+            + "42ED39BD4FB131012ECCA2ECD2119414560C17CAB46B956A80F58A3302EB3E2C9A228FBA7ED34D8ACA2392DA1FFB0B17B2320AE09AAEDF"
+            + "D0235F6FE0EB65337A63F9CC97728B8E5AD0460FADE144369AA5B2166213247712096");
+
+        BigInteger r = SAKKEUtils.hashToIntegerRange(Arrays.concatenate(SSV, b), BigInteger.valueOf(1024));
+
+        System.out.println("r:" +new String(Hex.encode(r.toByteArray())));
+
+        System.out.println("r:" +new String(Hex.encode(expectedR)));
+
+        Assert.assertTrue(Arrays.areEqual(r.toByteArray(), expectedR));
+    }
+}