diff --git a/prototype.lisp b/prototype.lisp
index ee232c9..44020e7 100644
--- a/prototype.lisp
+++ b/prototype.lisp
@@ -71,49 +71,49 @@ (defparameter *Nsk* 32) (defparameter *suite_id* (|| (ASCII "KEM") (I2OSP #x0010 2))) (defparameter *bitmask* #xff) -(labels ((LabeledExtract (salt label ikm) - (HKDF-Extract salt (|| (ASCII "HPKE-v1") *suite_id* label ikm))) - (LabeledExpand (prk label info L) - (HKDF-Expand - prk (|| (I2OSP L 2) (ASCII "HPKE-v1") *suite_id* label info) - L)) - (ExtractAndExpand (dh kem_context) - (let* ((eae_prk (LabeledExtract (ASCII "") (ASCII "eae_prk") dh)) - (shared_secret - (LabeledExpand - eae_prk (ASCII "shared_secret") kem_context *Nsecret*))) - shared_secret)) - (GenerateKeyPair () - (let ((sk (EC-Random))) (values sk (EC-Scalar-Base-Mult sk)))) - (SerializePublicKey (pk) - (|| (I2OSP (getf (crypto:ec-destructure-point pk) :x) 32) - (I2OSP (getf (crypto:ec-destructure-point pk) :y) 32))) - (DeserializePublicKey (b) - (crypto:ec-make-point - *EC* :x (OS2IP (subseq b 0 32)) :y (OS2IP (subseq b 32))))) - (defun KEM-Derive-Key-Pair (ikm) ;; todo test vectors - (loop with dkp_prk = (LabeledExtract (ASCII "") (ASCII "dkp_prk") ikm) +(labels + ((labeled-extract (salt label ikm) + (HKDF-Extract salt (|| (ASCII "HPKE-v1") *suite_id* (ASCII label) ikm))) + (labeled-expand (prk label info L) + (HKDF-Expand prk (|| (I2OSP L 2) (ASCII "HPKE-v1") + *suite_id* (ASCII label) info) + L)) + (extract-and-expand (dh kem_context) + (let* ((eae_prk (labeled-extract (ASCII "") "eae_prk" dh)) + (shared_secret + (labeled-expand eae_prk "shared_secret" kem_context *Nsecret*))) + shared_secret)) + (generate-key-pair () + (let ((sk (EC-Random))) (values sk (EC-Scalar-Base-Mult sk)))) + (serialize-public-key (pk) + (|| (I2OSP (getf (crypto:ec-destructure-point pk) :x) 32) + (I2OSP (getf (crypto:ec-destructure-point pk) :y) 32))) + (deserialize-public-key (b) + (crypto:ec-make-point *EC* :x (OS2IP (subseq b 0 32)) + :y (OS2IP (subseq b 32))))) + (defun KEM-Derive-Key-Pair (ikm) + (loop with dkp_prk = (labeled-extract (ASCII "") "dkp_prk" ikm) for counter from 0 upto 254 - for 
bytes = (LabeledExpand dkp_prk (ASCII "candidate") - (I2OSP counter 1) *Nsk*) + for bytes + = (labeled-expand dkp_prk "candidate" (I2OSP counter 1) *Nsk*) for sk = (progn (setf (aref bytes 0) (logand (aref bytes 0) *bitmask*)) (OS2IP bytes)) when (not (= sk 0)) return (values sk (EC-Scalar-Base-Mult sk)))) (defun KEM-Encap (pkR) - (multiple-value-bind (skE pkE) (GenerateKeyPair) + (multiple-value-bind (skE pkE) (generate-key-pair) (let* ((dh (ECDH-Create-Shared-Secret skE pkR)) - (enc (SerializePublicKey pkE)) - (pkRm (SerializePublicKey pkR)) + (enc (serialize-public-key pkE)) + (pkRm (serialize-public-key pkR)) (kem_context (|| enc pkRm)) - (shared_secret (ExtractAndExpand dh kem_context))) + (shared_secret (extract-and-expand dh kem_context))) (values shared_secret enc)))) (defun KEM-Decap (enc skR) - (let* ((pkE (DeserializePublicKey enc)) + (let* ((pkE (deserialize-public-key enc)) (dh (ECDH-Create-Shared-Secret skR pkE)) - (pkRm (SerializePublicKey (EC-Scalar-Base-Mult skR))) + (pkRm (serialize-public-key (EC-Scalar-Base-Mult skR))) (kem_context (|| enc pkRm)) - (shared_secret (ExtractAndExpand dh kem_context))) + (shared_secret (extract-and-expand dh kem_context))) shared_secret))) (defun Authenticate (sk_device reader_data bf) @@ -129,12 +129,11 @@ (cond ((null path) (values bf salt)) ((typep (car path) 'number) (multiple-value-bind (bf-prime salt) (HDK salt (car path)) - (if (null bf) (fold salt (cdr path) bf-prime) - (fold salt (cdr path) - (BL-Combine-Blinding-Factors bf bf-prime))))) - (t (multiple-value-bind (sk pk) (KEM-Derive-Key-Pair salt) - (declare (ignore pk)) - (fold (KEM-Decap (car path) sk) (cdr path) bf))))) + (fold salt (cdr path) + (if (null bf) bf-prime + (BL-Combine-Blinding-Factors bf bf-prime))))) + (t (fold (KEM-Decap (car path) (KEM-Derive-Key-Pair salt)) (cdr path) + bf)))) (defclass document () ((pk :reader pk :initarg :pk))) (defun make-document (doc salt index)
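Review bot: KEM-Derive-Key-Pair still accepts any non-zero candidate scalar: the loop's `when (not (= sk 0))` is the only filter, but `*suite_id*` carries KEM id 0x0010 (DHKEM(P-256, HKDF-SHA256)) and the DeriveKeyPair procedure for the NIST-curve KEMs (RFC 9180 §7.1.3) also requires `sk < order` before a candidate is accepted, otherwise the returned private key is not the scalar that EC-Scalar-Base-Mult actually reduced and the pair disagrees with other implementations' test vectors. The test should become roughly `when (and (/= sk 0) (< sk <P-256 group order>)) return (values sk (EC-Scalar-Base-Mult sk))`, and the loop should signal an error when all 255 counters are exhausted instead of falling through to NIL. Separately, `deserialize-public-key` rebuilds a point from the caller-supplied `enc` without checking that it is exactly 64 bytes or that the point is on the curve and not the identity; unless `crypto:ec-make-point` validates this (worth confirming), KEM-Decap feeds an unvalidated point into ECDH-Create-Shared-Secret. Note also that the serialization here is bare X||Y rather than the 0x04-prefixed uncompressed SEC1 form RFC 9180 specifies, which matters as soon as `enc` is exchanged with another implementation.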
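Review bot: The new `(t (fold (KEM-Decap (car path) (KEM-Derive-Key-Pair salt)) ...))` branch relies on Common Lisp discarding the secondary value: KEM-Derive-Key-Pair returns `(values sk pk)` and only the primary value reaches KEM-Decap, which is correct but no longer visible now that the `multiple-value-bind … (declare (ignore pk))` is gone. A reader who does not know that function's multiple-value contract cannot tell which value is passed, so add a comment such as `;; KEM-Derive-Key-Pair returns (values sk pk); only the primary value sk is handed to KEM-Decap`. In this branch `(car path)` is any non-number path element and is passed to KEM-Decap as the encapsulated key without validation, so the decap-side checks belong there rather than here. The enclosing function `fold` begins before this hunk.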