add pairing cryptos

crypto/bfibe/bfibe_asn1.c

@@ -0,0 +1,100 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <openssl/ec.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ec_type1.h>
+#include <openssl/ec_hash.h>
+#include <openssl/bfibe.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+#include <openssl/bn_hash.h>
+#include <openssl/bn_gfp2.h>
+#include <openssl/kdf.h>
+#include "bfibe_lcl.h"
+
+ASN1_SEQUENCE(BFPublicParameters) = {
+	ASN1_SIMPLE(BFPublicParameters, version, LONG),
+	ASN1_SIMPLE(BFPublicParameters, curve, ASN1_OBJECT),
+	ASN1_SIMPLE(BFPublicParameters, p, BIGNUM),
+	ASN1_SIMPLE(BFPublicParameters, q, BIGNUM),
+	ASN1_SIMPLE(BFPublicParameters, pointP, FpPoint),
+	ASN1_SIMPLE(BFPublicParameters, pointPpub, FpPoint),
+	ASN1_SIMPLE(BFPublicParameters, hashfcn, ASN1_OBJECT)
+} ASN1_SEQUENCE_END(BFPublicParameters)
+IMPLEMENT_ASN1_FUNCTIONS(BFPublicParameters)
+IMPLEMENT_ASN1_DUP_FUNCTION(BFPublicParameters)
+
+ASN1_SEQUENCE(BFMasterSecret) = {
+	ASN1_SIMPLE(BFMasterSecret, version, LONG),
+	ASN1_SIMPLE(BFMasterSecret, masterSecret, BIGNUM)
+} ASN1_SEQUENCE_END(BFMasterSecret)
+IMPLEMENT_ASN1_FUNCTIONS(BFMasterSecret)
+IMPLEMENT_ASN1_DUP_FUNCTION(BFMasterSecret)
+
+ASN1_SEQUENCE(BFPrivateKeyBlock) = {
+	ASN1_SIMPLE(BFPrivateKeyBlock, version, LONG),
+	ASN1_SIMPLE(BFPrivateKeyBlock, privateKey, FpPoint)
+} ASN1_SEQUENCE_END(BFPrivateKeyBlock)
+IMPLEMENT_ASN1_FUNCTIONS(BFPrivateKeyBlock)
+IMPLEMENT_ASN1_DUP_FUNCTION(BFPrivateKeyBlock)
+
+ASN1_SEQUENCE(BFCiphertextBlock) = {
+	ASN1_SIMPLE(BFCiphertextBlock, version, LONG),
+	ASN1_SIMPLE(BFCiphertextBlock, u, FpPoint),
+	ASN1_SIMPLE(BFCiphertextBlock, v, ASN1_OCTET_STRING),
+	ASN1_SIMPLE(BFCiphertextBlock, w, ASN1_OCTET_STRING),
+} ASN1_SEQUENCE_END(BFCiphertextBlock)
+IMPLEMENT_ASN1_FUNCTIONS(BFCiphertextBlock)
+IMPLEMENT_ASN1_DUP_FUNCTION(BFCiphertextBlock)
+

crypto/bfibe/bfibe_err.c

@@ -0,0 +1,66 @@
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/bfibe.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_BFIBE,func,0)
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_BFIBE,0,reason)
+
+static ERR_STRING_DATA BFIBE_str_functs[] = {
+    {ERR_FUNC(BFIBE_F_BFIBE_DECRYPT), "BFIBE_decrypt"},
+    {ERR_FUNC(BFIBE_F_BFIBE_DO_DECRYPT), "BFIBE_do_decrypt"},
+    {ERR_FUNC(BFIBE_F_BFIBE_DO_ENCRYPT), "BFIBE_do_encrypt"},
+    {ERR_FUNC(BFIBE_F_BFIBE_ENCRYPT), "BFIBE_encrypt"},
+    {ERR_FUNC(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY),
+     "BFIBE_extract_private_key"},
+    {ERR_FUNC(BFIBE_F_BFIBE_SETUP), "BFIBE_setup"},
+    {0, NULL}
+};
+
+static ERR_STRING_DATA BFIBE_str_reasons[] = {
+    {ERR_REASON(BFIBE_R_BFIBE_CIPHERTEXT_FAILURE),
+     "bfibe ciphertext failure"},
+    {ERR_REASON(BFIBE_R_BUFFER_TOO_SMALL), "buffer too small"},
+    {ERR_REASON(BFIBE_R_COMPUTE_OUTLEN_FAILURE), "compute outlen failure"},
+    {ERR_REASON(BFIBE_R_D2I_FAILURE), "d2i failure"},
+    {ERR_REASON(BFIBE_R_DECRYPT_FAILURE), "decrypt failure"},
+    {ERR_REASON(BFIBE_R_ENCRYPT_FAILURE), "encrypt failure"},
+    {ERR_REASON(BFIBE_R_HASH_BYTES_FAILURE), "hash bytes failure"},
+    {ERR_REASON(BFIBE_R_I2D_FAILURE), "i2d failure"},
+    {ERR_REASON(BFIBE_R_INVALID_BFIBE_HASHFUNC), "invalid bfibe hashfunc"},
+    {ERR_REASON(BFIBE_R_INVALID_CIPHERTEXT), "invalid ciphertext"},
+    {ERR_REASON(BFIBE_R_INVALID_TYPE1CURVE), "invalid type1curve"},
+    {ERR_REASON(BFIBE_R_KDF_FAILURE), "kdf failure"},
+    {ERR_REASON(BFIBE_R_NOT_NAMED_CURVE), "not named curve"},
+    {ERR_REASON(BFIBE_R_PARSE_CURVE_FAILURE), "parse curve failure"},
+    {ERR_REASON(BFIBE_R_PARSE_MPK_FAILURE), "parse mpk failure"},
+    {ERR_REASON(BFIBE_R_PARSE_PAIRING), "parse pairing"},
+    {ERR_REASON(BFIBE_R_RAND_FAILURE), "rand failure"},
+    {0, NULL}
+};
+
+#endif
+
+int ERR_load_BFIBE_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+
+    if (ERR_func_error_string(BFIBE_str_functs[0].error) == NULL) {
+        ERR_load_strings(0, BFIBE_str_functs);
+        ERR_load_strings(0, BFIBE_str_reasons);
+    }
+#endif
+    return 1;
+}

crypto/bfibe/bfibe_lcl.h

@@ -0,0 +1,102 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <openssl/ec.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ec_type1.h>
+#include <openssl/ec_hash.h>
+#include <openssl/bfibe.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+#include <openssl/bn_hash.h>
+#include <openssl/bn_gfp2.h>
+#include <openssl/kdf.h>
+
+/*
+ * the `curve` attribute of BFPublicParameters is the OID present the
+ * `type1curve` which is E: y^2 = x^3 + 1 over prime field. It is not an
+ * elliptic curve domain parameters composed of (p, a, b, G, n, h).
+ * For type-1 curve, a = 0, b = 1.
+ * q (i.e. the n in ec params) is the order of generator G, is a prime.
+ * When q is a solinas prime, the scalar mulitiplication computation can
+ * be reduced.
+ * zeta (i.e. h in ec params) = (p + 1)/q. In normall ecc, h is very small
+ * such as 1 or 4. But in pairing, the zeta (or h) is very large.
+ */
+struct BFPublicParameters_st {
+	long version;
+	ASN1_OBJECT *curve;
+	BIGNUM *p;
+	BIGNUM *q;
+	FpPoint *pointP;
+	FpPoint *pointPpub;
+	ASN1_OBJECT *hashfcn;
+};
+
+struct BFMasterSecret_st {
+	long version;
+	BIGNUM *masterSecret;
+};
+
+struct BFPrivateKeyBlock_st {
+	long version;
+	FpPoint *privateKey;
+};
+
+struct BFCiphertextBlock_st {
+	long version;
+	FpPoint *u;
+	ASN1_OCTET_STRING *v;
+	ASN1_OCTET_STRING *w;
+};
+

crypto/bfibe/bfibe_lib.c

@@ -0,0 +1,710 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <openssl/err.h>
+#include <openssl/ec.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ec_type1.h>
+#include <openssl/ec_hash.h>
+#include <openssl/bfibe.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+#include <openssl/bn_hash.h>
+#include <openssl/bn_gfp2.h>
+#include <openssl/kdf.h>
+#include <openssl/kdf2.h>
+#include "bfibe_lcl.h"
+
+
+int BFIBE_setup(const EC_GROUP *group, const EVP_MD *md,
+	BFPublicParameters **pmpk, BFMasterSecret **pmsk)
+{
+	int ret = 0;
+	BFPublicParameters *mpk = NULL;
+	BFMasterSecret *msk = NULL;
+	BN_CTX *bn_ctx = NULL;
+	EC_POINT *point = NULL;
+	BIGNUM *a;
+	BIGNUM *b;
+
+	if (!group || !pmpk || !pmsk) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+	if (!(bn_ctx = BN_CTX_new())) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	BN_CTX_start(bn_ctx);
+	a = BN_CTX_get(bn_ctx);
+	b = BN_CTX_get(bn_ctx);
+	if (!b) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	mpk = BFPublicParameters_new();
+	msk = BFMasterSecret_new();
+	point = EC_POINT_new(group);
+
+	if (!mpk || !msk || !point) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	/*
+	 * set mpk->version
+	 * set mpk->curve
+	 */
+
+	mpk->version = BFIBE_VERSION;
+
+	OPENSSL_assert(mpk->curve);
+	ASN1_OBJECT_free(mpk->curve);
+	if (!(mpk->curve = OBJ_nid2obj(NID_type1curve))) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, BFIBE_R_NOT_NAMED_CURVE);
+		goto end;
+	}
+
+	/* mpk->p = group->p */
+	if (!EC_GROUP_get_curve_GFp(group, mpk->p, a, b, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!BN_is_zero(a) || !BN_is_one(b)) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, BFIBE_R_INVALID_TYPE1CURVE);
+		goto end;
+	}
+
+	/* mpk->q = group->order */
+	if (!EC_GROUP_get_order(group, mpk->q, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, BFIBE_R_INVALID_TYPE1CURVE);
+		goto end;
+	}
+
+	/* mpk->pointP = group->generator */
+	if (!EC_POINT_get_affine_coordinates_GFp(group, EC_GROUP_get0_generator(group),
+		mpk->pointP->x, mpk->pointP->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	/* set mpk->hashfcn from F_p^2 element bits */
+	OPENSSL_assert(mpk->hashfcn);
+	ASN1_OBJECT_free(mpk->hashfcn);
+	if (!(mpk->hashfcn = OBJ_nid2obj(EVP_MD_type(md)))) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, BFIBE_R_PARSE_PAIRING);
+		goto end;
+	}
+
+	/*
+	 * set msk->version
+	 * random msk->masterSecret in [2, q - 1]
+	 */
+
+	msk->version = BFIBE_VERSION;
+
+	do {
+		if (!BN_rand_range(msk->masterSecret, mpk->q)) {
+			BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_BN_LIB);
+			goto end;
+		}
+	} while (BN_is_zero(msk->masterSecret) || BN_is_one(msk->masterSecret));
+
+	/* mpk->pointPpub = msk->masterSecret * mpk->pointP */
+
+	if (!EC_POINT_mul(group, point, msk->masterSecret, NULL, NULL, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EC_POINT_get_affine_coordinates_GFp(group, point,
+		mpk->pointPpub->x, mpk->pointPpub->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_SETUP, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	/* set return value */
+	*pmpk = mpk;
+	*pmsk = msk;
+	ret = 1;
+
+end:
+	if (!ret) {
+		BFPublicParameters_free(mpk);
+		BFMasterSecret_free(msk);
+		*pmpk = NULL;
+		*pmsk = NULL;
+	}
+	if (bn_ctx) {
+		BN_CTX_end(bn_ctx);
+	}
+	BN_CTX_free(bn_ctx);
+	EC_POINT_free(point);
+	return ret;
+}
+
+BFPrivateKeyBlock *BFIBE_extract_private_key(BFPublicParameters *mpk,
+	BFMasterSecret *msk, const char *id, size_t idlen)
+{
+	int e = 1;
+	BFPrivateKeyBlock *ret = NULL;
+	EC_GROUP *group = NULL;
+	EC_POINT *point = NULL;
+	BN_CTX *bn_ctx = NULL;
+	const EVP_MD *md;
+
+	if (!mpk || !msk || !id || idlen <= 0) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+	}
+
+	if (!(bn_ctx = BN_CTX_new())) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY,
+			ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	/*
+	 * get EC_GROUP from mpk->{p, q, pointP}
+	 * get EVP_MD from mpk->hashfcn
+	 */
+	if (!(group = EC_GROUP_new_type1curve(mpk->p, mpk->pointP->x,
+		mpk->pointP->y, mpk->q, bn_ctx))) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, BFIBE_R_PARSE_CURVE_FAILURE);
+		goto end;
+	}
+
+	if (!(md = EVP_get_digestbyobj(mpk->hashfcn))) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY,
+			BFIBE_R_INVALID_BFIBE_HASHFUNC);
+		goto end;
+	}
+
+	/* prepare tmp variables */
+	point = EC_POINT_new(group);
+	if (!point) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	/*
+	 * set ret->version
+	 * set ret->privateKey = msk->masterSecret * HashToPoint(ID)
+	 */
+
+	if (!(ret = BFPrivateKeyBlock_new())) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	ret->version = BFIBE_VERSION;
+
+	if (!EC_POINT_hash2point(group, md, id, idlen, point, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	if (!EC_POINT_mul(group, point, NULL, point, msk->masterSecret, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	if (!EC_POINT_get_affine_coordinates_GFp(group, point,
+		ret->privateKey->x, ret->privateKey->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_EXTRACT_PRIVATE_KEY, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	e = 0;
+end:
+	if (e && ret) {
+		BFPrivateKeyBlock_free(ret);
+		ret = NULL;
+	}
+	EC_GROUP_free(group);
+	EC_POINT_free(point);
+	BN_CTX_free(bn_ctx);
+	return ret;
+}
+
+/*
+ * r = rand(), |r| = hashlen
+ * k = HashToRange(r||Hash(m), q), k in [0, q-1]
+ * U = [k]P in E/F_p
+ * Q = HashToPoint(ID) in E/F_p
+ * v = Hash(e(Ppub, Q)^k) xor r, |v| == hashlen
+ * w = HashBytes(r) xor m
+ */
+BFCiphertextBlock *BFIBE_do_encrypt(BFPublicParameters *mpk,
+	const unsigned char *in, size_t inlen,
+	const char *id, size_t idlen)
+{
+	int e = 1;
+	BFCiphertextBlock *ret = NULL;
+	BN_CTX *bn_ctx = NULL;
+	EC_GROUP *group = NULL;
+	EC_POINT *Ppub = NULL;
+	EC_POINT *point = NULL;
+	BN_GFP2 *theta = NULL;
+	BIGNUM *k;
+	const EVP_MD *md;
+	KDF_FUNC hash_bytes;
+	unsigned char rho[EVP_MAX_MD_SIZE * 2];
+	unsigned char buf[EVP_MAX_MD_SIZE];
+	unsigned int len;
+	size_t size;
+	int i;
+
+	if (!mpk || !in || inlen <= 0 || !id || idlen <= 0) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+	}
+
+	/* BN_CTX */
+	if (!(bn_ctx = BN_CTX_new())) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+	BN_CTX_start(bn_ctx);
+
+	/* EC_GROUP */
+	if (!(group = EC_GROUP_new_type1curve(mpk->p, mpk->pointP->x,
+		mpk->pointP->y, mpk->q, bn_ctx))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, BFIBE_R_PARSE_MPK_FAILURE);
+		goto end;
+	}
+
+	ret = BFCiphertextBlock_new();
+	Ppub = EC_POINT_new(group);
+	point = EC_POINT_new(group);
+	theta = BN_GFP2_new();
+	k = BN_CTX_get(bn_ctx);
+
+	if (!ret || !point || !Ppub || !k || !theta) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+
+	/* get kdf from mpk->hashfcn */
+	if (!(md = EVP_get_digestbyobj(mpk->hashfcn))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, BFIBE_R_INVALID_BFIBE_HASHFUNC);
+		goto end;
+	}
+
+	if (!(hash_bytes = KDF_get_ibcs(md))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT,
+			BFIBE_R_INVALID_BFIBE_HASHFUNC);
+		goto end;
+	}
+
+	/* ret->version */
+	ret->version = BFIBE_VERSION;
+
+	/* rho = Rand(hashlen) */
+	if (!RAND_bytes(rho, EVP_MD_size(md))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, BFIBE_R_RAND_FAILURE);
+		goto end;
+	}
+
+	/* k = HashToRange(rho||Hash(in), q) in [0, q - 1] */
+	len = EVP_MD_size(md);
+	if (!EVP_Digest(in, inlen, rho + EVP_MD_size(md), &len, md, NULL)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EVP_LIB);
+		goto end;
+	}
+	if (!BN_hash_to_range(md, &k, rho, EVP_MD_size(md) * 2, mpk->q, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_BN_LIB);
+		goto end;
+	}
+
+	/* ret->u = mpk->pointP * k in E/F_p, mpk->pointP is the generator */
+	if (!EC_POINT_mul(group, point, k, NULL, NULL, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EC_POINT_get_affine_coordinates_GFp(group, point,
+		ret->u->x, ret->u->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	/* theta = e(mpk->pointPpub, HashToPoint(ID)) */
+	if (!EC_POINT_set_affine_coordinates_GFp(group, Ppub,
+		mpk->pointPpub->x, mpk->pointPpub->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EC_POINT_hash2point(group, md, id, idlen, point, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EC_type1curve_tate(group, theta, Ppub, point, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	/* theta = theta^k */
+	if (!BN_GFP2_exp(theta, theta, k, mpk->p, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	/* ret->v = Hash(theta) xor rho */
+	size = sizeof(buf);
+	if (!BN_GFP2_canonical(theta, buf, &size, 0, mpk->p, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_BN_LIB);
+		goto end;
+	}
+	len = sizeof(buf);
+	if (!EVP_Digest(buf, size, buf, &len, md, NULL)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_EVP_LIB);
+		goto end;
+	}
+	for (i = 0; i < EVP_MD_size(md); i++) {
+		buf[i] ^= rho[i];
+	}
+	if (!ASN1_OCTET_STRING_set(ret->v, buf, EVP_MD_size(md))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_ASN1_LIB);
+		goto end;
+	}
+
+	/*  ret->w = HashBytes(rho) xor m */
+	if (!ASN1_OCTET_STRING_set(ret->w, NULL, inlen)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+	size = inlen;
+	if (!hash_bytes(rho, EVP_MD_size(md), ret->w->data, &size)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_ENCRYPT,
+			BFIBE_R_HASH_BYTES_FAILURE);
+		goto end;
+	}
+	for (i = 0; i < inlen; i++) {
+		ret->w->data[i] ^= in[i];
+	}
+
+	e = 0;
+
+end:
+	if (e && ret) {
+		BFCiphertextBlock_free(ret);
+		ret = NULL;
+	}
+	if (bn_ctx) {
+		BN_CTX_end(bn_ctx);
+	}
+	BN_CTX_free(bn_ctx);
+	EC_GROUP_free(group);
+	EC_POINT_free(Ppub);
+	EC_POINT_free(point);
+	BN_GFP2_free(theta);
+	return ret;
+}
+
+int BFIBE_do_decrypt(BFPublicParameters *mpk,
+	const BFCiphertextBlock *in, unsigned char *out, size_t *outlen,
+	BFPrivateKeyBlock *sk)
+{
+	int ret = 0;
+	BN_CTX *bn_ctx = NULL;
+	EC_GROUP *group = NULL;
+	EC_POINT *point = NULL;
+	EC_POINT *point1 = NULL;
+	BN_GFP2 *theta = NULL;
+	BIGNUM *k;
+	const EVP_MD *md;
+	KDF_FUNC hash_bytes;
+	unsigned char rho[EVP_MAX_MD_SIZE * 2];
+	unsigned int size;
+	int i;
+
+	if (!mpk || !in || !outlen || !sk) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+	if (!out) {
+		*outlen = in->w->length;
+		return 1;
+	}
+	if (*outlen < in->w->length) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT,
+			BFIBE_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	/* BN_CTX */
+	if (!(bn_ctx = BN_CTX_new())) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+	BN_CTX_start(bn_ctx);
+
+	/* EC_GROUP */
+	if (!(group = EC_GROUP_new_type1curve(mpk->p, mpk->pointP->x,
+		mpk->pointP->y, mpk->q, bn_ctx))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT,
+			BFIBE_R_INVALID_TYPE1CURVE);
+		goto end;
+	}
+
+	point = EC_POINT_new(group);
+	point1 = EC_POINT_new(group);
+	theta = BN_GFP2_new();
+	k = BN_CTX_get(bn_ctx);
+
+	if (!point || !point1 || !theta || !k) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+
+	/* theta = e(ciphertext->u, sk->privateKey) */
+	if (!EC_POINT_set_affine_coordinates_GFp(group, point,
+		in->u->x, in->u->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EC_POINT_set_affine_coordinates_GFp(group, point1,
+		sk->privateKey->x, sk->privateKey->y, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EC_type1curve_tate(group, theta, point, point1, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+
+	/* md = mpk->hashfcn */
+	if (!(md = EVP_get_digestbyobj(mpk->hashfcn))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, BFIBE_R_INVALID_BFIBE_HASHFUNC);
+		goto end;
+	}
+
+	/* rho = Hash(Canoncial(theta)) xor ciphertext->v */
+	size = sizeof(rho);
+	if (!BN_GFP2_canonical(theta, rho, &size, 0, mpk->p, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (!EVP_Digest(rho, size, rho, &size, md, NULL)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EVP_LIB);
+		goto end;
+	}
+	for (i = 0; i < EVP_MD_size(md); i++) {
+		rho[i] ^= in->v->data[i];
+	}
+
+	/* function hash_bytes() = kdf(md) */
+	if (!(hash_bytes = KDF_get_ibcs(md))) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT,
+			BFIBE_R_INVALID_BFIBE_HASHFUNC);
+		goto end;
+	}
+
+	/* out = HashBytes(rho) xor ciphertext->w */
+	size = in->w->length;
+	if (!hash_bytes(rho, EVP_MD_size(md), out, &size)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT,
+			BFIBE_R_KDF_FAILURE);
+		goto end;
+	}
+	for (i = 0; i < in->w->length; i++) {
+		out[i] ^= in->w->data[i];
+	}
+
+	/* k = HashToRange(rho || Hash(out)) in [0, mpk->q) */
+	size = EVP_MD_size(md);
+	if (!EVP_Digest(out, in->w->length, rho + EVP_MD_size(md), &size, md, NULL)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EVP_LIB);
+		goto end;
+	}
+	if (!BN_hash_to_range(md, &k, rho, EVP_MD_size(md) * 2, mpk->q, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_BN_LIB);
+		goto end;
+	}
+
+	/* Verify that in->u == mpk->pointP * k */
+	if (!EC_POINT_mul(group, point, k, NULL, NULL, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, ERR_R_EC_LIB);
+		goto end;
+	}
+	if (1 != EC_POINT_cmp_fppoint(group, point, in->u, bn_ctx)) {
+		BFIBEerr(BFIBE_F_BFIBE_DO_DECRYPT, BFIBE_R_BFIBE_CIPHERTEXT_FAILURE);
+		goto end;
+	}
+
+	*outlen = in->w->length;
+	ret = 1;
+
+end:
+	if (bn_ctx) {
+		BN_CTX_end(bn_ctx);
+	}
+	BN_CTX_free(bn_ctx);
+	EC_GROUP_free(group);
+	EC_POINT_free(point);
+	EC_POINT_free(point1);
+	BN_GFP2_free(theta);
+	return ret;
+}
+
+/* estimation of the max length of DER encoded ciphertext */
+static int BFCiphertextBlock_size(BFPublicParameters *mpk,
+	size_t inlen, size_t *outlen)
+{
+	size_t len = 0;
+	len += (OPENSSL_ECC_MAX_FIELD_BITS/8) * 2;
+	len += inlen;
+	len += EVP_MAX_MD_SIZE;
+	len += 128; /* caused by version and DER encoding */
+	*outlen = len;
+	return 1;
+}
+
+int BFIBE_encrypt(BFPublicParameters *mpk,
+	const unsigned char *in, size_t inlen,
+	unsigned char *out, size_t *outlen,
+	const char *id, size_t idlen)
+{
+	int ret = 0;
+	BFCiphertextBlock *c = NULL;
+	unsigned char *p;
+	size_t len;
+
+	if (!mpk || !in || inlen <= 0 || !outlen || !id || idlen <= 0) {
+		BFIBEerr(BFIBE_F_BFIBE_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+	if (!BFCiphertextBlock_size(mpk, inlen, &len)) {
+		BFIBEerr(BFIBE_F_BFIBE_ENCRYPT, BFIBE_R_COMPUTE_OUTLEN_FAILURE);
+		return 0;
+	}
+	if (!out) {
+		*outlen = len;
+		return 1;
+	}
+	if (*outlen < len) {
+		BFIBEerr(BFIBE_F_BFIBE_ENCRYPT, BFIBE_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	if (!(c = BFIBE_do_encrypt(mpk, in, inlen, id, idlen))) {
+		BFIBEerr(BFIBE_F_BFIBE_ENCRYPT, BFIBE_R_ENCRYPT_FAILURE);
+		goto end;
+	}
+
+	p = out;
+	if (!i2d_BFCiphertextBlock(c, &p)) {
+		BFIBEerr(BFIBE_F_BFIBE_ENCRYPT, BFIBE_R_I2D_FAILURE);
+		goto end;
+	}
+	len = p - out;
+
+	*outlen = len;
+	ret = 1;
+
+end:
+	BFCiphertextBlock_free(c);
+	return ret;
+}
+
+int BFIBE_decrypt(BFPublicParameters *mpk,
+	const unsigned char *in, size_t inlen,
+	unsigned char *out, size_t *outlen,
+	BFPrivateKeyBlock *sk)
+{
+	int ret = 0;
+	BFCiphertextBlock *c = NULL;
+	const unsigned char *p;
+
+	if (!mpk || !in || inlen <= 0 || !outlen || !sk) {
+		BFIBEerr(BFIBE_F_BFIBE_DECRYPT, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+	if (!out) {
+		*outlen = inlen;
+		return 1;
+	}
+	if (*outlen < inlen) {
+		BFIBEerr(BFIBE_F_BFIBE_DECRYPT, BFIBE_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	p = in;
+	if (!(c = d2i_BFCiphertextBlock(NULL, &p, inlen))) {
+		BFIBEerr(BFIBE_F_BFIBE_DECRYPT, BFIBE_R_D2I_FAILURE);
+		goto end;
+	}
+
+	/* check no remaining ciphertext */
+	if (p - in != inlen) {
+		BFIBEerr(BFIBE_F_BFIBE_DECRYPT, BFIBE_R_INVALID_CIPHERTEXT);
+		goto end;
+	}
+
+	if (!BFIBE_do_decrypt(mpk, c, out, outlen, sk)) {
+		BFIBEerr(BFIBE_F_BFIBE_DECRYPT, BFIBE_R_DECRYPT_FAILURE);
+		goto end;
+	}
+
+	ret = 1;
+end:
+	BFCiphertextBlock_free(c);
+	return ret;
+}
+

crypto/bfibe/build.info

@@ -0,0 +1,2 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=bfibe_err.c bfibe_asn1.c bfibe_lib.c