|
71 | 71 | (defparameter *Nsk* 32) |
72 | 72 | (defparameter *suite_id* (|| (ASCII "KEM") (I2OSP #x0010 2))) |
73 | 73 | (defparameter *bitmask* #xff) |
74 | | -(labels ((LabeledExtract (salt label ikm) |
75 | | - (HKDF-Extract salt (|| (ASCII "HPKE-v1") *suite_id* label ikm))) |
76 | | - (LabeledExpand (prk label info L) |
77 | | - (HKDF-Expand |
78 | | - prk (|| (I2OSP L 2) (ASCII "HPKE-v1") *suite_id* label info) |
79 | | - L)) |
80 | | - (ExtractAndExpand (dh kem_context) |
81 | | - (let* ((eae_prk (LabeledExtract (ASCII "") (ASCII "eae_prk") dh)) |
82 | | - (shared_secret |
83 | | - (LabeledExpand |
84 | | - eae_prk (ASCII "shared_secret") kem_context *Nsecret*))) |
85 | | - shared_secret)) |
86 | | - (GenerateKeyPair () |
87 | | - (let ((sk (EC-Random))) (values sk (EC-Scalar-Base-Mult sk)))) |
88 | | - (SerializePublicKey (pk) |
89 | | - (|| (I2OSP (getf (crypto:ec-destructure-point pk) :x) 32) |
90 | | - (I2OSP (getf (crypto:ec-destructure-point pk) :y) 32))) |
91 | | - (DeserializePublicKey (b) |
92 | | - (crypto:ec-make-point |
93 | | - *EC* :x (OS2IP (subseq b 0 32)) :y (OS2IP (subseq b 32))))) |
94 | | - (defun KEM-Derive-Key-Pair (ikm) ;; todo test vectors |
95 | | - (loop with dkp_prk = (LabeledExtract (ASCII "") (ASCII "dkp_prk") ikm) |
| 74 | +(labels |
| 75 | + ((labeled-extract (salt label ikm) |
| 76 | + (HKDF-Extract salt (|| (ASCII "HPKE-v1") *suite_id* (ASCII label) ikm))) |
| 77 | + (labeled-expand (prk label info L) |
| 78 | + (HKDF-Expand prk (|| (I2OSP L 2) (ASCII "HPKE-v1") |
| 79 | + *suite_id* (ASCII label) info) |
| 80 | + L)) |
| 81 | + (extract-and-expand (dh kem_context) |
| 82 | + (let* ((eae_prk (labeled-extract (ASCII "") "eae_prk" dh)) |
| 83 | + (shared_secret |
| 84 | + (labeled-expand eae_prk "shared_secret" kem_context *Nsecret*))) |
| 85 | + shared_secret)) |
| 86 | + (generate-key-pair () |
| 87 | + (let ((sk (EC-Random))) (values sk (EC-Scalar-Base-Mult sk)))) |
| 88 | + (serialize-public-key (pk) |
| 89 | + (|| (I2OSP (getf (crypto:ec-destructure-point pk) :x) 32) |
| 90 | + (I2OSP (getf (crypto:ec-destructure-point pk) :y) 32))) |
| 91 | + (deserialize-public-key (b) |
| 92 | + (crypto:ec-make-point *EC* :x (OS2IP (subseq b 0 32)) |
| 93 | + :y (OS2IP (subseq b 32))))) |
| 94 | + (defun KEM-Derive-Key-Pair (ikm) |
| 95 | + (loop with dkp_prk = (labeled-extract (ASCII "") "dkp_prk" ikm) |
96 | 96 | for counter from 0 upto 254 |
97 | | - for bytes = (LabeledExpand dkp_prk (ASCII "candidate") |
98 | | - (I2OSP counter 1) *Nsk*) |
| 97 | + for bytes |
| 98 | + = (labeled-expand dkp_prk "candidate" (I2OSP counter 1) *Nsk*) |
99 | 99 | for sk = (progn |
100 | 100 | (setf (aref bytes 0) (logand (aref bytes 0) *bitmask*)) |
101 | 101 | (OS2IP bytes)) |
102 | 102 | when (not (= sk 0)) return (values sk (EC-Scalar-Base-Mult sk)))) |
103 | 103 | (defun KEM-Encap (pkR) |
104 | | - (multiple-value-bind (skE pkE) (GenerateKeyPair) |
| 104 | + (multiple-value-bind (skE pkE) (generate-key-pair) |
105 | 105 | (let* ((dh (ECDH-Create-Shared-Secret skE pkR)) |
106 | | - (enc (SerializePublicKey pkE)) |
107 | | - (pkRm (SerializePublicKey pkR)) |
| 106 | + (enc (serialize-public-key pkE)) |
| 107 | + (pkRm (serialize-public-key pkR)) |
108 | 108 | (kem_context (|| enc pkRm)) |
109 | | - (shared_secret (ExtractAndExpand dh kem_context))) |
| 109 | + (shared_secret (extract-and-expand dh kem_context))) |
110 | 110 | (values shared_secret enc)))) |
111 | 111 | (defun KEM-Decap (enc skR) |
112 | | - (let* ((pkE (DeserializePublicKey enc)) |
| 112 | + (let* ((pkE (deserialize-public-key enc)) |
113 | 113 | (dh (ECDH-Create-Shared-Secret skR pkE)) |
114 | | - (pkRm (SerializePublicKey (EC-Scalar-Base-Mult skR))) |
| 114 | + (pkRm (serialize-public-key (EC-Scalar-Base-Mult skR))) |
115 | 115 | (kem_context (|| enc pkRm)) |
116 | | - (shared_secret (ExtractAndExpand dh kem_context))) |
| 116 | + (shared_secret (extract-and-expand dh kem_context))) |
117 | 117 | shared_secret))) |
118 | 118 |
|
119 | 119 | (defun Authenticate (sk_device reader_data bf) |
|
129 | 129 | (cond ((null path) (values bf salt)) |
130 | 130 | ((typep (car path) 'number) |
131 | 131 | (multiple-value-bind (bf-prime salt) (HDK salt (car path)) |
132 | | - (if (null bf) (fold salt (cdr path) bf-prime) |
133 | | - (fold salt (cdr path) |
134 | | - (BL-Combine-Blinding-Factors bf bf-prime))))) |
135 | | - (t (multiple-value-bind (sk pk) (KEM-Derive-Key-Pair salt) |
136 | | - (declare (ignore pk)) |
137 | | - (fold (KEM-Decap (car path) sk) (cdr path) bf))))) |
| 132 | + (fold salt (cdr path) |
| 133 | + (if (null bf) bf-prime |
| 134 | + (BL-Combine-Blinding-Factors bf bf-prime))))) |
| 135 | + (t (fold (KEM-Decap (car path) (KEM-Derive-Key-Pair salt)) (cdr path) |
| 136 | + bf)))) |
138 | 137 |
|
139 | 138 | (defclass document () ((pk :reader pk :initarg :pk))) |
140 | 139 | (defun make-document (doc salt index) |
|
0 commit comments