36 lines
948 B
Plaintext
36 lines
948 B
Plaintext
#
|
|
# this implements a variant of SPAKE2 Elligator edition described in:
|
|
# https://www.mail-archive.com/curves@moderncrypto.org/msg00412.html
|
|
#
|
|
|
|
# derive points PM or PN from a (password) hash
|
|
spake2ee_h2P(p,a,d, h, PX,PY,PZ,PT){
|
|
# find a small non-square for elligator
|
|
n = 2;
|
|
while(legendresymbol(n, p) != -1)
|
|
n = n + 1;
|
|
PX,PY,PZ,PT = elligator2(p,a,d, n, h%p);
|
|
}
|
|
|
|
# Ya = xa*G+PM, Yb = xb*G+PN
|
|
spake2ee_1(p,a,d, x, GX,GY, PX,PY,PZ,PT, y){
|
|
mod(p) X,Y,Z,T = edwards_scale(p,a,d, x, GX,GY,1,GX*GY);
|
|
X,Y,Z,T = edwards_add(p,a,d, X,Y,Z,T, PX,PY,PZ,PT);
|
|
y = decaf_encode(p,a,d, X,Y,Z,T);
|
|
}
|
|
|
|
# Z = xa*(Yb-PN)
|
|
# = xa*(xb*G+PN-PN)
|
|
# = xa*xb*G
|
|
# = xb*xa*G
|
|
# = xb*(xa*G+PM-PM)
|
|
# = xb*(Ya-PM)
|
|
spake2ee_2(p,a,d, PX,PY,PZ,PT, x, y, ok, z){
|
|
ok, X,Y,Z,T = decaf_decode(p,a,d, y);
|
|
if(ok != 0){
|
|
mod(p) X,Y,Z,T = edwards_add(p,a,d, X,Y,Z,T, -PX,PY,PZ,-PT);
|
|
X,Y,Z,T = edwards_scale(p,a,d, x, X,Y,Z,T);
|
|
z = decaf_encode(p,a,d, X,Y,Z,T);
|
|
}
|
|
}
|