| /*############################################################################ |
| # Copyright 2016-2017 Intel Corporation |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| ############################################################################*/ |
| |
| /*! |
| * \file |
| * \brief EpidDecompressPrivKey implementation. |
| */ |
| |
| #include "epid/member/api.h" |
| |
| #include "epid/common/errors.h" |
| #include "epid/common/math/ecgroup.h" |
| #include "epid/common/math/hash.h" |
| #include "epid/common/math/src/bignum-internal.h" |
| #include "epid/common/src/epid2params.h" |
| #include "epid/common/src/memory.h" |
| #include "epid/common/types.h" |
| |
| /// Handle Intel(R) EPID Error with Break |
| #define BREAK_ON_EPID_ERROR(ret) \ |
| if (kEpidNoErr != (ret)) { \ |
| break; \ |
| } |
| |
| /*! |
| * \brief |
| * Internal implementation of PrivKey |
| */ |
| typedef struct PrivKey_ { |
| GroupId gid; ///< group ID |
| EcPoint* A; ///< an element in G1 |
| FfElement* x; ///< an integer between [0, p-1] |
| FfElement* f; ///< an integer between [0, p-1] |
| } PrivKey_; |
| |
| /// Implements the derivation method used by private key decompression |
| /// Derives two integers x, f between [1, p-1] from the seed value |
| static EpidStatus DeriveXF(FpElemStr* x, FpElemStr* f, Seed const* seed, |
| FpElemStr const* p); |
| |
| EpidStatus EpidDecompressPrivKey(GroupPubKey const* pub_key, |
| CompressedPrivKey const* compressed_privkey, |
| PrivKey* priv_key) { |
| EpidStatus result = kEpidErr; |
| Epid2Params_* epid2_params = 0; |
| PrivKey_ priv_key_ = {{{0}}, 0, 0, 0}; |
| FfElement* Ax = 0; |
| EcPoint* t1 = 0; |
| EcPoint* t2 = 0; |
| FfElement* t3 = 0; |
| FfElement* t4 = 0; |
| BigNum* bn_pminus1 = 0; |
| BigNum* bn_one = 0; |
| EcPoint* h1 = 0; |
| EcPoint* w = 0; |
| |
| // check parameters |
| if (!pub_key || !compressed_privkey || !priv_key) { |
| return kEpidBadArgErr; |
| } |
| |
| // Internal representation of Epid2Params |
| result = CreateEpid2Params(&epid2_params); |
| if (kEpidNoErr != result) { |
| return result; |
| } |
| |
| do { |
| uint8_t bn_one_str = 1; |
| FpElemStr p_str = {0}; |
| bool is_valid = false; |
| // shortcuts |
| EcGroup* G1 = epid2_params->G1; |
| EcGroup* G2 = epid2_params->G2; |
| FiniteField* GT = epid2_params->GT; |
| EcPoint* g1 = epid2_params->g1; |
| EcPoint* g2 = epid2_params->g2; |
| PairingState* ps_ctx = epid2_params->pairing_state; |
| FiniteField* Fp = epid2_params->Fp; |
| FiniteField* Fq = epid2_params->Fq; |
| BigNum* p = epid2_params->p; |
| |
| // In the following process, temporary variables t1 (an element of |
| // G2), t2 (an element of G1), t3, t4 (elements of GT) are used. |
| // Let the compressed private key be (gid, A.x, seed). Let the |
| // Intel(R) EPID public key be (gid, h1, h2, w). |
| |
| // Create a new Priv Key |
| result = NewEcPoint(G1, &priv_key_.A); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewFfElement(Fp, &priv_key_.x); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewFfElement(Fp, &priv_key_.f); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = NewFfElement(Fq, &Ax); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewEcPoint(G2, &t1); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewEcPoint(G1, &t2); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewFfElement(GT, &t3); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewFfElement(GT, &t4); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewBigNum(sizeof(BigNumStr), &bn_pminus1); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewBigNum(sizeof(bn_one_str), &bn_one); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = NewEcPoint(G1, &h1); |
| BREAK_ON_EPID_ERROR(result); |
| result = ReadEcPoint(G1, &(pub_key->h1), sizeof(pub_key->h1), h1); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewEcPoint(G2, &w); |
| BREAK_ON_EPID_ERROR(result); |
| result = ReadEcPoint(G2, &(pub_key->w), sizeof(pub_key->w), w); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = WriteBigNum(p, sizeof(p_str), &p_str); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = ReadBigNum(&bn_one_str, sizeof(bn_one_str), bn_one); |
| BREAK_ON_EPID_ERROR(result); |
| |
| // 1. The member derives x and f from seed. The derivation |
| // function must be the same as the one used in the key |
| // generation above. This step is out of scope of this |
| // specification. |
| result = |
| DeriveXF(&priv_key->x, &priv_key->f, &compressed_privkey->seed, &p_str); |
| BREAK_ON_EPID_ERROR(result); |
| // 2. The member computes A = G1.makePoint(A.x). |
| result = ReadFfElement(Fq, &compressed_privkey->ax, |
| sizeof(compressed_privkey->ax), Ax); |
| BREAK_ON_EPID_ERROR(result); |
| result = EcMakePoint(G1, Ax, priv_key_.A); |
| BREAK_ON_EPID_ERROR(result); |
| // 3. The member tests whether (A, x, f) is a valid Intel(R) EPID |
| // private key as follows: |
| // a. It computes t1 = G2.sscmExp(g2, x). |
| result = EcSscmExp(G2, g2, (BigNumStr const*)&priv_key->x, t1); |
| BREAK_ON_EPID_ERROR(result); |
| // b. It computes t1 = G2.mul(t1, w). |
| result = EcMul(G2, t1, w, t1); |
| BREAK_ON_EPID_ERROR(result); |
| // c. It computes t3 = pairing(A, t1). |
| result = Pairing(ps_ctx, priv_key_.A, t1, t3); |
| BREAK_ON_EPID_ERROR(result); |
| // d. It computes t2 = G1.sscmExp(h1, f). |
| result = EcSscmExp(G1, h1, (BigNumStr const*)&priv_key->f, t2); |
| BREAK_ON_EPID_ERROR(result); |
| // e. It computes t2 = G1.mul(t2, g1). |
| result = EcMul(G1, t2, g1, t2); |
| BREAK_ON_EPID_ERROR(result); |
| // f. It computes t4 = pairing(t2, g2). |
| result = Pairing(ps_ctx, t2, g2, t4); |
| BREAK_ON_EPID_ERROR(result); |
| // g. If GT.isEqual(t3, t4) = false |
| result = FfIsEqual(GT, t3, t4, &is_valid); |
| BREAK_ON_EPID_ERROR(result); |
| if (!is_valid) { |
| // i. It computes t3 = GT.exp(t3, p-1). |
| result = BigNumSub(p, bn_one, bn_pminus1); |
| BREAK_ON_EPID_ERROR(result); |
| result = FfExp(GT, t3, bn_pminus1, t3); |
| BREAK_ON_EPID_ERROR(result); |
| // ii. If GT.isEqual(t3, t4) = false again, it reports bad |
| // Intel(R) EPID private key and exits. |
| result = FfIsEqual(GT, t3, t4, &is_valid); |
| BREAK_ON_EPID_ERROR(result); |
| if (!is_valid) { |
| result = kEpidBadArgErr; // Invalid Member key |
| break; |
| } |
| // iii. It sets A = G1.inverse(A). |
| result = EcInverse(G1, priv_key_.A, priv_key_.A); |
| BREAK_ON_EPID_ERROR(result); |
| // NOTE A is modified here in this step. |
| } |
| // 4. The decompressed Intel(R) EPID private key is (gid, A, x, f). |
| // x, f already filled in. |
| priv_key->gid = pub_key->gid; |
| result = WriteEcPoint(G1, priv_key_.A, &priv_key->A, sizeof(priv_key->A)); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = kEpidNoErr; |
| } while (0); |
| |
| DeleteEcPoint(&priv_key_.A); |
| DeleteFfElement(&priv_key_.x); |
| DeleteFfElement(&priv_key_.f); |
| DeleteFfElement(&Ax); |
| DeleteEcPoint(&t1); |
| DeleteEcPoint(&t2); |
| DeleteFfElement(&t3); |
| DeleteFfElement(&t4); |
| DeleteBigNum(&bn_pminus1); |
| DeleteBigNum(&bn_one); |
| DeleteEcPoint(&h1); |
| DeleteEcPoint(&w); |
| DeleteEpid2Params(&epid2_params); |
| |
| return result; |
| } |
| |
| /// Hash message buffer |
| typedef struct HashMsg { |
| /// Message to be hashed |
| char data[11]; |
| } HashMsg; |
| |
| static EpidStatus DeriveXF(FpElemStr* x, FpElemStr* f, Seed const* seed, |
| FpElemStr const* p) { |
| EpidStatus result = kEpidErr; |
| |
| BigNum* bn_x = 0; |
| BigNum* bn_f = 0; |
| BigNum* bn_p = 0; |
| |
| do { |
| HashMsg msgstr = {{ |
| 0x00, 0x45, 0x43, 0x43, 0x2d, 0x53, 0x61, 0x66, 0x65, 0x49, 0x44, |
| }}; |
| #pragma pack(1) |
| struct { |
| Seed seed; |
| HashMsg msg; |
| } hashbuf; |
| #pragma pack() |
| |
| Sha256Digest digest[2]; |
| Ipp8u str512[512 / 8]; |
| |
| result = NewBigNum(sizeof(*p), &bn_p); |
| BREAK_ON_EPID_ERROR(result); |
| result = ReadBigNum(p, sizeof(*p), bn_p); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = NewBigNum(sizeof(digest), &bn_x); |
| BREAK_ON_EPID_ERROR(result); |
| result = NewBigNum(sizeof(digest), &bn_f); |
| BREAK_ON_EPID_ERROR(result); |
| |
| // compute x |
| hashbuf.seed = *seed; |
| hashbuf.msg = msgstr; |
| hashbuf.msg.data[0] = 0x06; |
| result = Sha256MessageDigest(&hashbuf, sizeof(hashbuf), &digest[0]); |
| BREAK_ON_EPID_ERROR(result); |
| hashbuf.msg.data[0] = 0x07; |
| result = Sha256MessageDigest(&hashbuf, sizeof(hashbuf), &digest[1]); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = ReadBigNum(&digest, sizeof(digest), bn_x); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = BigNumMod(bn_x, bn_p, bn_x); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = WriteBigNum(bn_x, sizeof(str512), str512); |
| BREAK_ON_EPID_ERROR(result); |
| |
| *x = *(FpElemStr*)&str512[sizeof(str512) / 2]; |
| |
| // compute f |
| hashbuf.seed = *seed; |
| hashbuf.msg = msgstr; |
| hashbuf.msg.data[0] = 0x08; |
| result = Sha256MessageDigest(&hashbuf, sizeof(hashbuf), &digest[0]); |
| BREAK_ON_EPID_ERROR(result); |
| hashbuf.msg.data[0] = 0x09; |
| result = Sha256MessageDigest(&hashbuf, sizeof(hashbuf), &digest[1]); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = ReadBigNum(&digest, sizeof(digest), bn_f); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = BigNumMod(bn_f, bn_p, bn_f); |
| BREAK_ON_EPID_ERROR(result); |
| |
| result = WriteBigNum(bn_f, sizeof(str512), str512); |
| BREAK_ON_EPID_ERROR(result); |
| |
| *f = *(FpElemStr*)&str512[sizeof(str512) / 2]; |
| |
| result = kEpidNoErr; |
| } while (0); |
| |
| DeleteBigNum(&bn_x); |
| DeleteBigNum(&bn_f); |
| DeleteBigNum(&bn_p); |
| |
| return result; |
| } |
