You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@milagro.apache.org by sa...@apache.org on 2016/09/01 07:25:36 UTC
[08/12] incubator-milagro-crypto git commit: MILAGRO-14.Updating
package name with apache git
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/PAIR.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/PAIR.go b/go/amcl-go/PAIR.go
new file mode 100644
index 0000000..8a7de9f
--- /dev/null
+++ b/go/amcl-go/PAIR.go
@@ -0,0 +1,541 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* AMCL BN Curve Pairing functions */
+
+package amcl
+
+//import "fmt"
+
+/* Line function */
+func line(A *ECP2, B *ECP2, Qx *FP, Qy *FP) *FP12 {
+ P := NewECP2()
+
+ P.copy(A)
+ ZZ := NewFP2copy(P.getz())
+ ZZ.sqr()
+ var D int
+ if A == B {
+ D = A.dbl()
+ } else {
+ D = A.add(B)
+ }
+
+ if D < 0 {
+ return NewFP12int(1)
+ }
+
+ Z3 := NewFP2copy(A.getz())
+
+ var a *FP4
+ var b *FP4
+ c := NewFP4int(0)
+
+ if D == 0 { /* Addition */
+ X := NewFP2copy(B.getx())
+ Y := NewFP2copy(B.gety())
+ T := NewFP2copy(P.getz())
+ T.mul(Y)
+ ZZ.mul(T)
+
+ NY := NewFP2copy(P.gety())
+ NY.neg()
+ ZZ.add(NY)
+ Z3.pmul(Qy)
+ T.mul(P.getx())
+ X.mul(NY)
+ T.add(X)
+ a = NewFP4fp2s(Z3, T)
+ ZZ.neg()
+ ZZ.pmul(Qx)
+ b = NewFP4fp2(ZZ)
+ } else { /* Doubling */
+ X := NewFP2copy(P.getx())
+ Y := NewFP2copy(P.gety())
+ T := NewFP2copy(P.getx())
+ T.sqr()
+ T.imul(3)
+
+ Y.sqr()
+ Y.add(Y)
+ Z3.mul(ZZ)
+ Z3.pmul(Qy)
+
+ X.mul(T)
+ X.sub(Y)
+ a = NewFP4fp2s(Z3, X)
+ T.neg()
+ ZZ.mul(T)
+ ZZ.pmul(Qx)
+ b = NewFP4fp2(ZZ)
+ }
+ return NewFP12fp4s(a, b, c)
+}
+
+/* Optimal R-ate pairing */
+func ate(P *ECP2, Q *ECP) *FP12 {
+ f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+ x := NewBIGints(CURVE_Bnx)
+ n := NewBIGcopy(x)
+ K := NewECP2()
+ var lv *FP12
+ n.pmul(6)
+ n.dec(2)
+ n.norm()
+ P.affine()
+ Q.affine()
+ Qx := NewFPcopy(Q.getx())
+ Qy := NewFPcopy(Q.gety())
+
+ A := NewECP2()
+ r := NewFP12int(1)
+
+ A.copy(P)
+ nb := n.nbits()
+
+ for i := nb - 2; i >= 1; i-- {
+ lv = line(A, A, Qx, Qy)
+ r.smul(lv)
+
+ if n.bit(i) == 1 {
+ lv = line(A, P, Qx, Qy)
+ r.smul(lv)
+ }
+ r.sqr()
+ }
+
+ lv = line(A, A, Qx, Qy)
+ r.smul(lv)
+
+ /* R-ate fixup */
+
+ r.conj()
+
+ K.copy(P)
+ K.frob(f)
+ A.neg()
+ lv = line(A, K, Qx, Qy)
+ r.smul(lv)
+ K.frob(f)
+ K.neg()
+ lv = line(A, K, Qx, Qy)
+ r.smul(lv)
+
+ return r
+}
+
+/* Optimal R-ate double pairing e(P,Q).e(R,S) */
+func ate2(P *ECP2, Q *ECP, R *ECP2, S *ECP) *FP12 {
+ f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+ x := NewBIGints(CURVE_Bnx)
+ n := NewBIGcopy(x)
+ K := NewECP2()
+ var lv *FP12
+ n.pmul(6)
+ n.dec(2)
+ n.norm()
+ P.affine()
+ Q.affine()
+ R.affine()
+ S.affine()
+
+ Qx := NewFPcopy(Q.getx())
+ Qy := NewFPcopy(Q.gety())
+ Sx := NewFPcopy(S.getx())
+ Sy := NewFPcopy(S.gety())
+
+ A := NewECP2()
+ B := NewECP2()
+ r := NewFP12int(1)
+
+ A.copy(P)
+ B.copy(R)
+ nb := n.nbits()
+
+ for i := nb - 2; i >= 1; i-- {
+ lv = line(A, A, Qx, Qy)
+ r.smul(lv)
+ lv = line(B, B, Sx, Sy)
+ r.smul(lv)
+
+ if n.bit(i) == 1 {
+ lv = line(A, P, Qx, Qy)
+ r.smul(lv)
+ lv = line(B, R, Sx, Sy)
+ r.smul(lv)
+ }
+ r.sqr()
+ }
+
+ lv = line(A, A, Qx, Qy)
+ r.smul(lv)
+
+ lv = line(B, B, Sx, Sy)
+ r.smul(lv)
+
+ /* R-ate fixup */
+ r.conj()
+
+ K.copy(P)
+ K.frob(f)
+ A.neg()
+ lv = line(A, K, Qx, Qy)
+ r.smul(lv)
+ K.frob(f)
+ K.neg()
+ lv = line(A, K, Qx, Qy)
+ r.smul(lv)
+
+ K.copy(R)
+ K.frob(f)
+ B.neg()
+ lv = line(B, K, Sx, Sy)
+ r.smul(lv)
+ K.frob(f)
+ K.neg()
+ lv = line(B, K, Sx, Sy)
+ r.smul(lv)
+
+ return r
+}
+
+/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */
+func fexp(m *FP12) *FP12 {
+ f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+ x := NewBIGints(CURVE_Bnx)
+ r := NewFP12copy(m)
+
+ /* Easy part of final exp */
+ lv := NewFP12copy(r)
+ lv.inverse()
+ r.conj()
+
+ r.mul(lv)
+ lv.copy(r)
+ r.frob(f)
+ r.frob(f)
+ r.mul(lv)
+ /* Hard part of final exp */
+ lv.copy(r)
+ lv.frob(f)
+ x0 := NewFP12copy(lv)
+ x0.frob(f)
+ lv.mul(r)
+ x0.mul(lv)
+ x0.frob(f)
+ x1 := NewFP12copy(r)
+ x1.conj()
+ x4 := r.pow(x)
+
+ x3 := NewFP12copy(x4)
+ x3.frob(f)
+
+ x2 := x4.pow(x)
+
+ x5 := NewFP12copy(x2)
+ x5.conj()
+ lv = x2.pow(x)
+
+ x2.frob(f)
+ r.copy(x2)
+ r.conj()
+
+ x4.mul(r)
+ x2.frob(f)
+
+ r.copy(lv)
+ r.frob(f)
+ lv.mul(r)
+
+ lv.usqr()
+ lv.mul(x4)
+ lv.mul(x5)
+ r.copy(x3)
+ r.mul(x5)
+ r.mul(lv)
+ lv.mul(x2)
+ r.usqr()
+ r.mul(lv)
+ r.usqr()
+ lv.copy(r)
+ lv.mul(x1)
+ r.mul(x0)
+ lv.usqr()
+ r.mul(lv)
+ r.reduce()
+ return r
+}
+
+/* GLV method */
+func glv(e *BIG) []*BIG {
+ t := NewBIGint(0)
+ q := NewBIGints(CURVE_Order)
+ var u []*BIG
+ var v []*BIG
+
+ for i := 0; i < 2; i++ {
+ t.copy(NewBIGints(CURVE_W[i])) // why not just t=new BIG(ROM.CURVE_W[i]);
+ d := mul(t, e)
+ v = append(v, NewBIGcopy(d.div(q)))
+ u = append(u, NewBIGint(0))
+ }
+ u[0].copy(e)
+ for i := 0; i < 2; i++ {
+ for j := 0; j < 2; j++ {
+ t.copy(NewBIGints(CURVE_SB[j][i]))
+ t.copy(modmul(v[j], t, q))
+ u[i].add(q)
+ u[i].sub(t)
+ u[i].mod(q)
+ }
+ }
+ return u
+}
+
+/* Galbraith & Scott Method */
+func gs(e *BIG) []*BIG {
+ t := NewBIGint(0)
+ q := NewBIGints(CURVE_Order)
+ var u []*BIG
+ var v []*BIG
+ for i := 0; i < 4; i++ {
+ t.copy(NewBIGints(CURVE_WB[i]))
+ d := mul(t, e)
+ v = append(v, NewBIGcopy(d.div(q)))
+ u = append(u, NewBIGint(0))
+ }
+ u[0].copy(e)
+ for i := 0; i < 4; i++ {
+ for j := 0; j < 4; j++ {
+ t.copy(NewBIGints(CURVE_BB[j][i]))
+ t.copy(modmul(v[j], t, q))
+ u[i].add(q)
+ u[i].sub(t)
+ u[i].mod(q)
+ }
+ }
+ return u
+}
+
+/* Multiply P by e in group G1 */
+func G1mul(P *ECP, e *BIG) *ECP {
+ var R *ECP
+ if USE_GLV {
+ P.affine()
+ R = NewECP()
+ R.copy(P)
+ Q := NewECP()
+ Q.copy(P)
+ q := NewBIGints(CURVE_Order)
+ cru := NewFPbig(NewBIGints(CURVE_Cru))
+ t := NewBIGint(0)
+ u := glv(e)
+ Q.getx().mul(cru)
+
+ np := u[0].nbits()
+ t.copy(modneg(u[0], q))
+ nn := t.nbits()
+ if nn < np {
+ u[0].copy(t)
+ R.neg()
+ }
+
+ np = u[1].nbits()
+ t.copy(modneg(u[1], q))
+ nn = t.nbits()
+ if nn < np {
+ u[1].copy(t)
+ Q.neg()
+ }
+
+ R = R.mul2(u[0], Q, u[1])
+
+ } else {
+ R = P.mul(e)
+ }
+ return R
+}
+
+/* Multiply P by e in group G2 */
+func G2mul(P *ECP2, e *BIG) *ECP2 {
+ var R *ECP2
+ if USE_GS_G2 {
+ var Q []*ECP2
+ f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+ q := NewBIGints(CURVE_Order)
+ u := gs(e)
+
+ t := NewBIGint(0)
+ P.affine()
+ Q = append(Q, NewECP2())
+ Q[0].copy(P)
+ for i := 1; i < 4; i++ {
+ Q = append(Q, NewECP2())
+ Q[i].copy(Q[i-1])
+ Q[i].frob(f)
+ }
+ for i := 0; i < 4; i++ {
+ np := u[i].nbits()
+ t.copy(modneg(u[i], q))
+ nn := t.nbits()
+ if nn < np {
+ u[i].copy(t)
+ Q[i].neg()
+ }
+ }
+ R = mul4(Q, u)
+
+ } else {
+ R = P.mul(e)
+ }
+ return R
+}
+
+/* f=f^e */
+/* Note that this method requires a lot of RAM! Better to use compressed XTR method, see FP4.java */
+func GTpow(d *FP12, e *BIG) *FP12 {
+ var r *FP12
+ if USE_GS_GT {
+ var g []*FP12
+ f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+ q := NewBIGints(CURVE_Order)
+ t := NewBIGint(0)
+
+ u := gs(e)
+
+ g = append(g, NewFP12copy(d))
+ for i := 1; i < 4; i++ {
+ g = append(g, NewFP12int(0))
+ g[i].copy(g[i-1])
+ g[i].frob(f)
+ }
+ for i := 0; i < 4; i++ {
+ np := u[i].nbits()
+ t.copy(modneg(u[i], q))
+ nn := t.nbits()
+ if nn < np {
+ u[i].copy(t)
+ g[i].conj()
+ }
+ }
+ r = pow4(g, u)
+ } else {
+ r = d.pow(e)
+ }
+ return r
+}
+
+/* test group membership */
+/* with GT-Strong curve, now only check that m!=1, conj(m)*m==1, and m.m^{p^4}=m^{p^2} */
+func GTmember(m *FP12) bool {
+ if m.isunity() {
+ return false
+ }
+ r := NewFP12copy(m)
+ r.conj()
+ r.mul(m)
+ if !r.isunity() {
+ return false
+ }
+
+ f := NewFP2bigs(NewBIGints(CURVE_Fra), NewBIGints(CURVE_Frb))
+
+ r.copy(m)
+ r.frob(f)
+ r.frob(f)
+ w := NewFP12copy(r)
+ w.frob(f)
+ w.frob(f)
+ w.mul(m)
+ if !GT_STRONG {
+ if !w.equals(r) {
+ return false
+ }
+ x := NewBIGints(CURVE_Bnx)
+ r.copy(m)
+ w = r.pow(x)
+ w = w.pow(x)
+ r.copy(w)
+ r.sqr()
+ r.mul(w)
+ r.sqr()
+ w.copy(m)
+ w.frob(f)
+ }
+ return w.equals(r)
+}
+
+/*
+func main() {
+
+ Q:=NewECPbigs(NewBIGints(CURVE_Gx),NewBIGints(CURVE_Gy))
+ P:=NewECP2fp2s(NewFP2bigs(NewBIGints(CURVE_Pxa),NewBIGints(CURVE_Pxb)),NewFP2bigs(NewBIGints(CURVE_Pya),NewBIGints(CURVE_Pyb)))
+
+ r:=NewBIGints(CURVE_Order)
+ xa:=NewBIGints(CURVE_Pxa)
+
+ fmt.Printf("P= "+P.toString())
+ fmt.Printf("\n");
+ fmt.Printf("Q= "+Q.toString());
+ fmt.Printf("\n");
+
+ //m:=NewBIGint(17)
+
+ e:=ate(P,Q)
+ fmt.Printf("\ne= "+e.toString())
+ fmt.Printf("\n")
+
+ e=fexp(e)
+ // e=GTpow(e,m);
+
+ fmt.Printf("\ne= "+e.toString())
+ fmt.Printf("\n");
+ GLV:=glv(r)
+
+ fmt.Printf("GLV[0]= "+GLV[0].toString())
+ fmt.Printf("\n")
+
+ fmt.Printf("GLV[0]= "+GLV[1].toString())
+ fmt.Printf("\n")
+
+ G:=NewECP(); G.copy(Q)
+ R:=NewECP2(); R.copy(P)
+
+
+ e=ate(R,Q)
+ e=fexp(e)
+
+ e=GTpow(e,xa)
+ fmt.Printf("\ne= "+e.toString());
+ fmt.Printf("\n")
+
+ R=G2mul(R,xa)
+ e=ate(R,G)
+ e=fexp(e)
+
+ fmt.Printf("\ne= "+e.toString())
+ fmt.Printf("\n")
+
+ G=G1mul(G,xa)
+ e=ate(P,G)
+ e=fexp(e)
+ fmt.Printf("\ne= "+e.toString())
+ fmt.Printf("\n")
+}
+*/
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/RAND.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/RAND.go b/go/amcl-go/RAND.go
new file mode 100644
index 0000000..eb92107
--- /dev/null
+++ b/go/amcl-go/RAND.go
@@ -0,0 +1,187 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/*
+ * Cryptographic strong random number generator
+ *
+ * Unguessable seed -> SHA -> PRNG internal state -> SHA -> random numbers
+ * Slow - but secure
+ *
+ * See ftp://ftp.rsasecurity.com/pub/pdfs/bull-1.pdf for a justification
+ */
+
+/* Marsaglia & Zaman Random number generator constants */
+
+package amcl
+
+import (
+ "sync"
+)
+
+//import "fmt"
+
+const rand_NK int = 21
+const rand_NJ int = 6
+const rand_NV int = 8
+
+type RAND struct {
+ sync.Mutex
+ ira [rand_NK]uint32 /* random number... */
+ rndptr int
+ borrow uint32
+ pool_ptr int
+ pool [32]byte
+}
+
+/* Terminate and clean up */
+func (R *RAND) Clean() { /* kill internal state */
+ R.pool_ptr = 0
+ R.rndptr = 0
+ for i := 0; i < 32; i++ {
+ R.pool[i] = 0
+ }
+ for i := 0; i < rand_NK; i++ {
+ R.ira[i] = 0
+ }
+ R.borrow = 0
+}
+
+func NewRAND() *RAND {
+ R := new(RAND)
+ R.Clean()
+ return R
+}
+
+func (R *RAND) sbrand() uint32 { /* Marsaglia & Zaman random number generator */
+ R.rndptr++
+ if R.rndptr < rand_NK {
+ return R.ira[R.rndptr]
+ }
+ R.rndptr = 0
+ k := rand_NK - rand_NJ
+ for i := 0; i < rand_NK; i++ { /* calculate next NK values */
+ if k == rand_NK {
+ k = 0
+ }
+ t := R.ira[k]
+ pdiff := t - R.ira[i] - R.borrow
+ if pdiff < t {
+ R.borrow = 0
+ }
+ if pdiff > t {
+ R.borrow = 1
+ }
+ R.ira[i] = pdiff
+ k++
+ }
+
+ return R.ira[0]
+}
+
+func (R *RAND) sirand(seed uint32) {
+ var m uint32 = 1
+ R.borrow = 0
+ R.rndptr = 0
+ R.ira[0] ^= seed
+ for i := 1; i < rand_NK; i++ { /* fill initialisation vector */
+ in := (rand_NV * i) % rand_NK
+ R.ira[in] ^= m /* note XOR */
+ t := m
+ m = seed - m
+ seed = t
+ }
+
+ for i := 0; i < 10000; i++ {
+ R.sbrand()
+ } /* "warm-up" & stir the generator */
+}
+
+func (R *RAND) fill_pool() {
+
+ sh := NewHASH()
+ for i := 0; i < 128; i++ {
+ sh.Process(byte(R.sbrand() & 0xff))
+ }
+ R.pool = sh.Hash()
+ R.pool_ptr = 0
+}
+
+func pack(b [4]byte) uint32 { /* pack 4 bytes into a 32-bit Word */
+ return (((uint32(b[3])) & 0xff) << 24) | ((uint32(b[2]) & 0xff) << 16) | ((uint32(b[1]) & 0xff) << 8) | (uint32(b[0]) & 0xff)
+}
+
+/* Initialize RNG with some real entropy from some external source */
+func (R *RAND) Seed(rawlen int, raw []byte) { /* initialise from at least 128 byte string of raw random entropy */
+ var b [4]byte
+ sh := NewHASH()
+ R.pool_ptr = 0
+
+ for i := 0; i < rand_NK; i++ {
+ R.ira[i] = 0
+ }
+
+ if rawlen > 0 {
+ for i := 0; i < rawlen; i++ {
+ sh.Process(raw[i])
+ }
+ digest := sh.Hash()
+
+ /* initialise PRNG from distilled randomness */
+
+ for i := 0; i < 8; i++ {
+ b[0] = digest[4*i]
+ b[1] = digest[4*i+1]
+ b[2] = digest[4*i+2]
+ b[3] = digest[4*i+3]
+ R.sirand(pack(b))
+ }
+ }
+ R.fill_pool()
+}
+
+/* get random byte */
+func (R *RAND) GetByte() byte {
+ R.Lock()
+ defer R.Unlock()
+
+ r := R.pool[R.pool_ptr]
+ R.pool_ptr++
+
+ if R.pool_ptr >= 32 {
+ R.fill_pool()
+ }
+ return byte(r & 0xff)
+}
+
+/* test main program */
+/*
+func main() {
+ var raw [100]byte
+ rng:=NewRAND()
+
+ rng.Clean()
+ for i:=0;i<100;i++ {raw[i]=byte(i)}
+
+ rng.Seed(100,raw[:])
+
+ for i:=0;i<1000;i++ {
+ fmt.Printf("%03d ",rng.GetByte())
+ }
+}
+*/
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/ROM.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/ROM.go b/go/amcl-go/ROM.go
new file mode 100644
index 0000000..0a4ceb9
--- /dev/null
+++ b/go/amcl-go/ROM.go
@@ -0,0 +1,353 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* Fixed Data in ROM - Field and Curve parameters */
+
+package amcl
+
+const NOT_SPECIAL int = 0
+const PSEUDO_MERSENNE int = 1
+const MONTGOMERY_FRIENDLY int = 2
+const WEIERSTRASS int = 0
+const EDWARDS int = 1
+const MONTGOMERY int = 2
+
+const NLEN int = 5
+const DNLEN int = 2 * NLEN
+const CHUNK int = 64
+const MODBYTES uint = 32
+
+/*** Enter Some Field details here ***/
+// Curve 25519
+//const MODBITS uint=255
+//const MOD8 uint=5
+// NIST256 or Brainpool
+//const MODBITS uint=256
+//const MOD8 uint=7
+// MF254
+//const MODBITS uint=254
+//const MOD8 uint=7
+// MS255
+//const MODBITS uint= 255
+//const MOD8 uint= 3
+// MF256
+//const MODBITS uint=256
+//const MOD8 uint=7
+// MS256
+//const MODBITS uint= 256
+//const MOD8 uint= 3
+// ANSSI
+//const MODBITS uint= 256
+//const MOD8 uint= 3
+// BN Curve
+const MODBITS uint = 254 /* Number of bits in Modulus */
+const MOD8 uint = 3 /* Modulus mod 8 */
+
+/* Don't Modify from here... */
+const MASK int64 = ((int64(1) << BASEBITS) - 1)
+const BASEBITS uint = 56
+const OMASK int64 = ((int64(-1)) << (MODBITS % BASEBITS))
+const HBITS uint = (BASEBITS / 2)
+const HMASK int64 = ((int64(1) << HBITS) - 1)
+const TBITS uint = MODBITS % BASEBITS // Number of active bits in top word
+const TMASK int64 = (int64(1) << TBITS) - 1
+const FF_BITS int = 2048 /* Finite Field Size in bits - must be 256.2^n */
+const FFLEN int = (FF_BITS / 256)
+const HFLEN int = (FFLEN / 2) /* Useful for half-size RSA private key operations */
+
+const NEXCESS int = (1 << (uint(CHUNK) - BASEBITS - 1))
+const FEXCESS int64 = (int64(1) << (BASEBITS*uint(NLEN) - MODBITS))
+
+// START SPECIFY FIELD DETAILS HERE
+//*********************************************************************************
+// Curve25519 Modulus
+//const MODTYPE int=PSEUDO_MERSENNE
+//var Modulus = [...]int64 {0xFFFFFFFFFFFFED,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0x7FFFFFFF}
+//const MConst int64=0x13
+// NIST-256 Curve
+//const MODTYPE int=NOT_SPECIAL
+//var Modulus = [...]int64 {0xFFFFFFFFFFFFFF,0xFFFFFFFFFF,0x0,0x1000000,0xFFFFFFFF}
+//const MConst int64=0x1
+// MF254 Modulus
+//const MODTYPE int=MONTGOMERY_FRIENDLY
+//var Modulus= [...]int64 {0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0x3F80FFFF}
+//const MConst int64=0x3F810000
+// MS255 Modulus
+//const MODTYPE int= 1
+//var Modulus= [...]int64 {0xFFFFFFFFFFFD03,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0x7FFFFFFF}
+//const MConst int64=0x2FD
+// MF256 Modulus
+//const MODTYPE int= 2
+//var Modulus= [...]int64 {0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFA7FFFF}
+//const MConst int64=0xFFA80000
+// MS256 Modulus
+//const MODTYPE int= 1
+//var Modulus= [...]int64 {0xFFFFFFFFFFFF43,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFF}
+//const MConst int64=0xBD
+// Brainpool
+//const MODTYPE int= NOT_SPECIAL
+//var Modulus= [...]int64 {0x13481D1F6E5377,0xF623D526202820,0x909D838D726E3B,0xA1EEA9BC3E660A,0xA9FB57DB}
+//const MConst int64 =0xA75590CEFD89B9
+// ANSSI
+//const MODTYPE int= 0
+//var Modulus= [...]int64{0xFCF353D86E9C03,0xADBCABC8CA6DE8,0xE8CE42435B3961,0xB3AD58F10126D,0xF1FD178C}
+//const MConst int64=0x97483A164E1155
+// BNCX Curve Modulus
+const MODTYPE int = NOT_SPECIAL
+
+var Modulus = [...]int64{0x6623EF5C1B55B3, 0xD6EE18093EE1BE, 0x647A6366D3243F, 0x8702A0DB0BDDF, 0x24000000}
+
+const MConst int64 = 0x4E205BF9789E85
+
+// BN Curve
+//const MODTYPE int=NOT_SPECIAL
+//var Modulus= [...]int64 {0x13,0x13A7,0x80000000086121,0x40000001BA344D,0x25236482}
+//const MConst int64=0x435E50D79435E5
+// BNT Curve
+//const MODTYPE int=NOT_SPECIAL
+//var Modulus= [...]int64 {0x9DBBFEEEB4A713,0x555614F464BABE,0x3696F8D5F06E8A,0x6517014EFA0BAB,0x240120DB}
+//const MConst int64=0xC5A872D914C4E5
+// BNT2 Curve
+//const MODTYPE int=NOT_SPECIAL
+//var Modulus= [...]int64 {0xB2DC2BB460A48B,0x93E428F0D651E8,0xF3B89D00081CF,0x410F5AADB74E20,0x24000482}
+//const MConst int64=0xFE6A47A6505CDD
+
+// START SPECIFY CURVE DETAILS HERE
+//*********************************************************************************
+
+// Ed25519 Curve
+//const CURVETYPE int=EDWARDS
+//const CURVE_A int = -1
+//var CURVE_B = [...]int64 {0xEB4DCA135978A3,0xA4D4141D8AB75,0x797779E8980070,0x2B6FFE738CC740,0x52036CEE}
+//var CURVE_Order = [...]int64 {0x12631A5CF5D3ED,0xF9DEA2F79CD658,0x14DE,0x0,0x10000000}
+//var CURVE_Gx = [...]int64 {0x562D608F25D51A,0xC7609525A7B2C9,0x31FDD6DC5C692C,0xCD6E53FEC0A4E2,0x216936D3}
+//var CURVE_Gy = [...]int64 {0x66666666666658,0x66666666666666,0x66666666666666,0x66666666666666,0x66666666}
+
+// NIST-256 Curve
+//const CURVETYPE int=WEIERSTRASS
+//const CURVE_A int = -3
+//var CURVE_B = [...]int64 {0xCE3C3E27D2604B,0x6B0CC53B0F63B,0x55769886BC651D,0xAA3A93E7B3EBBD,0x5AC635D8}
+//var CURVE_Order = [...]int64 {0xB9CAC2FC632551,0xFAADA7179E84F3,0xFFFFFFFFFFBCE6,0xFFFFFF,0xFFFFFFFF}
+//var CURVE_Gx =[...]int64 {0xA13945D898C296,0x7D812DEB33A0F4,0xE563A440F27703,0xE12C4247F8BCE6,0x6B17D1F2}
+//var CURVE_Gy =[...]int64 {0xB6406837BF51F5,0x33576B315ECECB,0x4A7C0F9E162BCE,0xFE1A7F9B8EE7EB,0x4FE342E2}
+
+// MF254 Modulus, Weierstrass Curve w-254-mont
+//const CURVETYPE int= 0
+//const CURVE_A int = -3
+//var CURVE_B = [...]int64 {0xFFFFFFFFFFD08D,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0x3F80FFFF}
+//var CURVE_Order=[...]int64 {0xA419C4AF8DF83F,0x8BEA0DA375C06F,0xFFFFFFFFFFEB81,0xFFFFFFFFFFFFFF,0x3F80FFFF}
+//var CURVE_Gx =[...]int64 {0x2,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x65DF37F90D4EBC,0x38E3F8511931AD,0x75BD778AEBDFB7,0x3B2E56014AE15A,0x140E3FD3}
+
+// MF254 Modulus, Edwards Curve ed-254-mont
+//const CURVETYPE int= 1
+//const CURVE_A int= -1
+//var CURVE_B = [...]int64 {0x367B,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64 {0xF3D3FEC46E98C7,0x306C8BD62FB0EA,0xFFFFFFFFFFEB95,0xFFFFFFFFFFFFFF,0xFE03FFF}
+//var CURVE_Gx =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x52D0FDAF2701E5,0x9A840E3212187C,0xD502363F4E3632,0xD6A4C335951D00,0x19F0E690}
+
+// MF254 Modulus, Montgomery Curve
+//const CURVETYPE int=MONTGOMERY
+//const CURVE_A int= -55790
+//var CURVE_B = [...]int64 {0x0,0x0,0x0,0x0,0x0} // not used
+//var CURVE_Order=[...]int64 {0xF3D3FEC46E98C7,0x306C8BD62FB0EA,0xFFFFFFFFFFEB95,0xFFFFFFFFFFFFFF,0xFE03FFF}
+//var CURVE_Gx =[...]int64 {0x3,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x0,0x0,0x0,0x0,0x0} // not used
+
+// MS255 Modulus, Weierstrass Curve
+//const CURVETYPE int= 0
+//const CURVE_A int= -3
+//var CURVE_B = [...]int64 {0xFFFFFFFFFFAB46,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFF,0x7FFFFFFF}
+//var CURVE_Order=[...]int64 {0x8FAC983C594AEB,0x38283AD2B3DFAB,0xFFFFFFFFFF864A,0xFFFFFFFFFFFFFF,0x7FFFFFFF}
+//var CURVE_Gx =[...]int64 {0x1,0x0,0x0,0x0,0x0};
+//var CURVE_Gy =[...]int64 {0x33FF6769CB44BA,0xC78CDDFDA60D17,0xF9B2FF7D177DB6,0xEDBA7833921EBF,0x6F7A6AC0}
+
+// MS255 Modulus, Edwards Curve
+//const CURVETYPE int= 1
+//const CURVE_A int= -1
+//var CURVE_B = [...]int64{0xEA97,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64{0x49D1ED0436EB75,0xA785EDA6832EAC,0xFFFFFFFFFFDCF1,0xFFFFFFFFFFFFFF,0x1FFFFFFF}
+//var CURVE_Gx =[...]int64{0x4,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64{0x2A255BD08736A0,0x4B8AED445A45BA,0xDD8E0C47E55291,0x4A7BB545EC254C,0x26CB7853}
+
+// MS255 Modulus, Montgomery Curve
+//const CURVETYPE int=MONTGOMERY
+//const CURVE_A int=-240222
+//var CURVE_B = [...]int64 {0x0,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64 {0x49D1ED0436EB75,0xA785EDA6832EAC,0xFFFFFFFFFFDCF1,0xFFFFFFFFFFFFFF,0x1FFFFFFF}
+//var CURVE_Gx =[...]int64 {0x4,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x0,0x0,0x0,0x0,0x0};
+
+// MF256 Modulus, Weierstrass Curve
+//const CURVETYPE int= 0
+//const CURVE_A int= -3
+//var CURVE_B = [...]int64 {0x14E6A,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64 {0x10C5E1A79857EB,0x7513E6E5074B9D,0xFFFFFFFFFFFC51,0xFFFFFFFFFFFFFF,0xFFA7FFFF}
+//var CURVE_Gx =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x7954C2B724D2A,0x47EB8D94DC6610,0x26123DAE289569,0xBE1808CE7BABBA,0x20887C87}
+
+// MF256, Edwards Curve
+//const CURVETYPE int= 1
+//const CURVE_A int= -1
+//var CURVE_B = [...]int64 {0x350A,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64 {0xD92EDED8EC7BAB,0xBBAFB86733C966,0xFFFFFFFFFFB154,0xFFFFFFFFFFFFFF,0x3FE9FFFF}
+//var CURVE_Gx =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0xEAA722F2F3C908,0x5E648DFEA68D7D,0xF3DB2C1AACA0C0,0xF8CC4D5AEAEBEE,0xDAD8D4F8}
+
+// MF256 Modulus, Montgomery Curve
+//const CURVETYPE int=MONTGOMERY
+//const CURVE_A int= -54314
+//var CURVE_B = [...]int64 {0x0,0x0,0x0,0x0,0x0} // not used
+//var CURVE_Order=[...]int64 {0xD92EDED8EC7BAB,0xBBAFB86733C966,0xFFFFFFFFFFB154,0xFFFFFFFFFFFFFF,0x3FE9FFFF}
+//var CURVE_Gx =[...]int64 {0x8,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x0,0x0,0x0,0x0,0x0} // not used
+
+// MS256, Weierstrass Curve
+//const CURVETYPE int= 0
+//const CURVE_A int= -3
+//var CURVE_B = [...]int64 {0x25581,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64 {0xAB20294751A825,0x8275EA265C6020,0xFFFFFFFFFFE43C,0xFFFFFFFFFFFFFF,0xFFFFFFFF}
+//var CURVE_Gx =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0xF46306C2B56C77,0x2F9375894EC10B,0x6CCEEEDD6BD02C,0xC1E466D7FC82C9,0x696F1853}
+
+// MS256, Edwards Curve
+//const CURVETYPE int= 1
+//const CURVE_A int= -1
+//var CURVE_B = [...]int64 {0x3BEE,0x0,0x0,0x0,0x0}
+//var CURVE_Order=[...]int64 {0xB84E6F1122B4AD,0xA55AD0A6BC64E5,0xFFFFFFFFFFBE6A,0xFFFFFFFFFFFFFF,0x3FFFFFFF}
+//var CURVE_Gx =[...]int64 {0xD,0x0,0x0,0x0,0x0}
+//var CURVE_Gy =[...]int64 {0x7F6FB5331CADBA,0x6D63824D303F70,0xB39FA046BFBE2A,0x2A1276DBA3D330,0x7D0AB41E}
+
+// MS256 Modulus, Montgomery Curve
+//const CURVETYPE int=MONTGOMERY
+//const CURVE_A int=-61370
+//var CURVE_B = [...]int64 {0x0,0x0,0x0,0x0,0x0} // not used
+//var CURVE_Order= [...]int64 {0xB84E6F1122B4AD,0xA55AD0A6BC64E5,0xFFFFFFFFFFBE6A,0xFFFFFFFFFFFFFF,0x3FFFFFFF}
+//var CURVE_Gx = [...]int64 {0xb,0x0,0x0,0x0,0x0}
+//var CURVE_Gy = [...]int64 {0x0,0x0,0x0,0x0,0x0} // not used
+
+// Brainpool
+//const CURVETYPE int= 0
+//const CURVE_A int= -3
+//var CURVE_B = [...]int64 {0xE58101FEE92B04,0xEBC4AF2F49256A,0x733D0B76B7BF93,0x30D84EA4FE66A7,0x662C61C4}
+//var CURVE_Order= [...]int64 {0x1E0E82974856A7,0x7AA3B561A6F790,0x909D838D718C39,0xA1EEA9BC3E660A,0xA9FB57DB}
+//var CURVE_Gx = [...]int64 {0xA191562E1305F4,0x42C47AAFBC2B79,0xB23A656149AFA1,0xC1CFE7B7732213,0xA3E8EB3C}
+//var CURVE_Gy = [...]int64 {0xABE8F35B25C9BE,0xB6DE39D027001D,0xE14644417E69BC,0x3439C56D7F7B22,0x2D996C82}
+
+// ANSSI
+//const CURVETYPE int= 0
+//const CURVE_A int= -3
+//var CURVE_B = [...]int64 {0x75ED967B7BB73F,0xC9AE4B1A18030,0x754A44C00FDFEC,0x5428A9300D4ABA,0xEE353FCA}
+//var CURVE_Order=[...]int64 {0xFDD459C6D655E1,0x67E140D2BF941F,0xE8CE42435B53DC,0xB3AD58F10126D,0xF1FD178C}
+//var CURVE_Gx =[...]int64 {0xC97A2DD98F5CFF,0xD2DCAF98B70164,0x4749D423958C27,0x56C139EB31183D,0xB6B3D4C3}
+//var CURVE_Gy =[...]int64 {0x115A1554062CFB,0xC307E8E4C9E183,0xF0F3ECEF8C2701,0xC8B204911F9271,0x6142E0F7}
+
+// BNCX Curve
+
+const CURVETYPE int = WEIERSTRASS
+const CURVE_A int = 0
+
+var CURVE_B = [...]int64{0x2, 0x0, 0x0, 0x0, 0x0}
+var CURVE_Order = [...]int64{0x11C0A636EB1F6D, 0xD6EE0CC906CEBE, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}
+var CURVE_Bnx = [...]int64{0x3C012B1, 0x40, 0x0, 0x0, 0x0}
+var CURVE_Cru = [...]int64{0xE0931794235C97, 0xDF6471EF875631, 0xCA83F1440BD, 0x480000, 0x0}
+var CURVE_Fra = [...]int64{0xD9083355C80EA3, 0x7326F173F8215B, 0x8AACA718986867, 0xA63A0164AFE18B, 0x1359082F}
+var CURVE_Frb = [...]int64{0x8D1BBC06534710, 0x63C7269546C062, 0xD9CDBC4E3ABBD8, 0x623628A900DC53, 0x10A6F7D0}
+var CURVE_Pxa = [...]int64{0x851CEEE4D2EC74, 0x85BFA03E2726C0, 0xF5C34BBB907C, 0x7053B256358B25, 0x19682D2C}
+var CURVE_Pxb = [...]int64{0xA58E8B2E29CFE1, 0x97B0C209C30F47, 0x37A8E99743F81B, 0x3E19F64AA011C9, 0x1466B9EC}
+var CURVE_Pya = [...]int64{0xFBFCEBCF0BE09F, 0xB33D847EC1B30C, 0x157DAEE2096361, 0x72332B8DD81E22, 0xA79EDD9}
+var CURVE_Pyb = [...]int64{0x904B228898EE9D, 0x4EA569D2EDEBED, 0x512D8D3461C286, 0xECC4C09035C6E4, 0x6160C39}
+var CURVE_Gx = [...]int64{0x6623EF5C1B55B2, 0xD6EE18093EE1BE, 0x647A6366D3243F, 0x8702A0DB0BDDF, 0x24000000}
+var CURVE_Gy = [...]int64{0x1, 0x0, 0x0, 0x0, 0x0}
+var CURVE_W = [2][5]int64{{0x546349162FEB83, 0xB40381200, 0x6000, 0x0, 0x0}, {0x7802561, 0x80, 0x0, 0x0, 0x0}}
+var CURVE_SB = [2][2][5]int64{{{0x5463491DB010E4, 0xB40381280, 0x6000, 0x0, 0x0}, {0x7802561, 0x80, 0x0, 0x0, 0x0}}, {{0x7802561, 0x80, 0x0, 0x0, 0x0}, {0xBD5D5D20BB33EA, 0xD6EE0188CEBCBD, 0x647A6366D2643F, 0x8702A0DB0BDDF, 0x24000000}}}
+var CURVE_WB = [4][5]int64{{0x1C2118567A84B0, 0x3C012B040, 0x2000, 0x0, 0x0}, {0xCDF995BE220475, 0x94EDA8CA7F9A36, 0x8702A0DC07E, 0x300000, 0x0}, {0x66FCCAE0F10B93, 0x4A76D4653FCD3B, 0x4381506E03F, 0x180000, 0x0}, {0x1C21185DFAAA11, 0x3C012B0C0, 0x2000, 0x0, 0x0}}
+var CURVE_BB = [4][4][5]int64{{{0x11C0A6332B0CBD, 0xD6EE0CC906CE7E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}, {0x11C0A6332B0CBC, 0xD6EE0CC906CE7E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}, {0x11C0A6332B0CBC, 0xD6EE0CC906CE7E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}, {0x7802562, 0x80, 0x0, 0x0, 0x0}}, {{0x7802561, 0x80, 0x0, 0x0, 0x0}, {0x11C0A6332B0CBC, 0xD6EE0CC906CE7E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}, {0x11C0A6332B0CBD, 0xD6EE0CC906CE7E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}, {0x11C0A6332B0CBC, 0xD6EE0CC906CE7E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}}, {{0x7802562, 0x80, 0x0, 0x0, 0x0}, {0x7802561, 0x80, 0x0, 0x0, 0x0}, {0x7802561, 0x80, 0x0, 0x0, 0x0}, {0x7802561, 0x80, 0x0, 0x0, 0x0}}, {{0x3C012B2, 0x40, 0x0, 0x0, 0x0}, {0xF004AC2, 0x100, 0x0, 0x0, 0x0}, {0x11C0A62F6AFA0A, 0xD6EE0CC906CE3E, 0x647A6366D2C43F, 0x8702A0DB0BDDF, 0x24000000}, {0x3C012B2, 0x40, 0x0, 0x0, 0x0}}}
+
+// BN Curve
+/*
+const CURVETYPE int=WEIERSTRASS
+const CURVE_A int= 0
+var CURVE_B = [...]int64 {0x2,0x0,0x0,0x0,0x0}
+var CURVE_Order=[...]int64 {0xD,0x800000000010A1,0x8000000007FF9F,0x40000001BA344D,0x25236482}
+var CURVE_Bnx=[...]int64 {0x80000000000001,0x40,0x0,0x0,0x0}
+var CURVE_Cru=[...]int64 {0x80000000000007,0x6CD,0x40000000024909,0x49B362,0x0}
+var CURVE_Fra=[...]int64 {0x7DE6C06F2A6DE9,0x74924D3F77C2E1,0x50A846953F8509,0x212E7C8CB6499B,0x1B377619}
+var CURVE_Frb=[...]int64 {0x82193F90D5922A,0x8B6DB2C08850C5,0x2F57B96AC8DC17,0x1ED1837503EAB2,0x9EBEE69}
+var CURVE_Pxa=[...]int64 {0xAB2C7935FD0CB4,0xE319E4FCC57C2B,0x24F6DF763B05A5,0xF55EA7EA335FB7,0x95B04D4}
+var CURVE_Pxb=[...]int64 {0xA07D0790962455,0x86BE3D27AA5E38,0x89E05747F39D6D,0xC08347B49D42BF,0x5D4D8A7}
+var CURVE_Pya=[...]int64 {0xADCE687A08A46C,0x2B30E98A4191F9,0x4C3784B1F16908,0x25E5313FA16D1C,0xABF2ABF}
+var CURVE_Pyb=[...]int64 {0xDF88D405F306EC,0x82076ADD13A0E6,0x1E47819D6A5C04,0xE679DABDB38627,0x18769A87}
+var CURVE_Gx =[...]int64 {0x12,0x13A7,0x80000000086121,0x40000001BA344D,0x25236482}
+var CURVE_Gy =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+var CURVE_W=[2][5]int64{{0x3,0x80000000000204,0x6181,0x0,0x0},{0x1,0x81,0x0,0x0,0x0}}
+var CURVE_SB=[2][2][5]int64 {{{0x4,0x80000000000285,0x6181,0x0,0x0},{0x1,0x81,0x0,0x0,0x0}},{{0x1,0x81,0x0,0x0,0x0},{0xA,0xE9D,0x80000000079E1E,0x40000001BA344D,0x25236482}}}
+var CURVE_WB=[4][5]int64 {{0x80000000000000,0x80000000000040,0x2080,0x0,0x0},{0x80000000000005,0x54A,0x8000000001C707,0x312241,0x0},{0x80000000000003,0x800000000002C5,0xC000000000E383,0x189120,0x0},{0x80000000000001,0x800000000000C1,0x2080,0x0,0x0}}
+var CURVE_BB=[4][4][5]int64 {{{0x8000000000000D,0x80000000001060,0x8000000007FF9F,0x40000001BA344D,0x25236482},{0x8000000000000C,0x80000000001060,0x8000000007FF9F,0x40000001BA344D,0x25236482},{0x8000000000000C,0x80000000001060,0x8000000007FF9F,0x40000001BA344D,0x25236482},{0x2,0x81,0x0,0x0,0x0}},{{0x1,0x81,0x0,0x0,0x0},{0x8000000000000C,0x80000000001060,0x8000000007FF9F,0x40000001BA344D,0x25236482},{0x8000000000000D,0x80000000001060,0x8000000007FF9F,0x40000001BA344D,0x25236482},{0x8000000000000C,0x80000000001060,0x8000000007FF9F,0x40000001BA344D,0x25236482}},{{0x2,0x81,0x0,0x0,0x0},{0x1,0x81,0x0,0x0,0x0},{0x1,0x81,0x0,0x0,0x0},{0x1,0x81,0x0,0x0,0x0}},{{0x80000000000002,0x40,0x0,0x0,0x0},{0x2,0x102,0x0,0x0,0x0},{0xA,0x80000000001020,0x8000000007FF9F,0x40000001BA344D,0x25236482},{0x80000000000002,0x40,0x0,0x0,0x0}}}
+*/
+
+// BNT Curve
+/*
+const CURVETYPE int=WEIERSTRASS
+const CURVE_A int= 0
+var CURVE_B = [...]int64 {0x2,0x0,0x0,0x0,0x0}
+var CURVE_Order=[...]int64 {0x75777E8D30210D,0xD43492B2CB363A,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB}
+var CURVE_Bnx=[...]int64 {0x806000004081,0x40,0x0,0x0,0x0}
+var CURVE_Cru=[...]int64 {0xEB53D5AB4FCD87,0x82A5F2BAB11FAD,0x47651504C9764C,0x4801B1,0x0}
+var CURVE_Fra=[...]int64 {0xF5D14EADC80022,0x4904D6FACCE359,0xF190A13211BE6C,0xC9BBC4394F6509,0x1328A292}
+var CURVE_Frb=[...]int64 {0xA7EAB040ECA6F1,0xC513DF997D764,0x450657A3DEB01E,0x9B5B3D15AAA6A1,0x10D87E48}
+var CURVE_Pxa=[...]int64 {0x8987E2288E65BB,0xAD1CAA6313BE,0x325041548B7CCC,0x4C1339EBCC055,0x14483FCD}
+var CURVE_Pxb=[...]int64 {0x67888808DBE2C0,0x7FE1F81E34853A,0xA631A51B57B95,0x384EC302DA3FC5,0x87F46B3}
+var CURVE_Pya=[...]int64 {0x202C47E020CA1D,0xB4167E8399F36C,0xC6E5439F72C94C,0x102B0BD74A2C69,0x14E8C29C}
+var CURVE_Pyb=[...]int64 {0xD8437C716628F2,0x27E167BCB7DC6B,0xA82C7572681D0A,0x62454BD1EDEC18,0x17AFE2A4}
+var CURVE_Gx =[...]int64 {0x9DBBFEEEB4A712,0x555614F464BABE,0x3696F8D5F06E8A,0x6517014EFA0BAB,0x240120DB}
+var CURVE_Gy =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+var CURVE_W=[2][5]int64{{0x26430061838403,0x81218241998384,0x6001,0x0,0x0},{0x100C000008101,0x80,0x0,0x0,0x0}}
+var CURVE_SB=[2][2][5]int64 {{{0x2743C061840504,0x81218241998404,0x6001,0x0,0x0},{0x100C000008101,0x80,0x0,0x0,0x0}},{{0x100C000008101,0x80,0x0,0x0,0x0},{0x4F347E2BAC9D0A,0x5313107131B2B6,0x3696F8D5EFAE87,0x6517014EFA0BAB,0x240120DB}}}
+var CURVE_WB=[4][5]int64 {{0x6140602080C080,0x806080C08880C1,0x2000,0x0,0x0},{0xB53904088C4A85,0xAD2FA352DC6C36,0xDA436358868EDE,0x300120,0x0},{0x5ADCB204464583,0x5697D1A96E363B,0x6D21B1AC43476F,0x180090,0x0},{0x62412020814181,0x806080C0888141,0x2000,0x0,0x0}}
+var CURVE_BB=[4][4][5]int64 {{{0x74F71E8D2FE08D,0xD43492B2CB35FA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB},{0x74F71E8D2FE08C,0xD43492B2CB35FA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB},{0x74F71E8D2FE08C,0xD43492B2CB35FA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB},{0x100C000008102,0x80,0x0,0x0,0x0}},{{0x100C000008101,0x80,0x0,0x0,0x0},{0x74F71E8D2FE08C,0xD43492B2CB35FA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB},{0x74F71E8D2FE08D,0xD43492B2CB35FA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB},{0x74F71E8D2FE08C,0xD43492B2CB35FA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB}},{{0x100C000008102,0x80,0x0,0x0,0x0},{0x100C000008101,0x80,0x0,0x0,0x0},{0x100C000008101,0x80,0x0,0x0,0x0},{0x100C000008101,0x80,0x0,0x0,0x0}},{{0x806000004082,0x40,0x0,0x0,0x0},{0x2018000010202,0x100,0x0,0x0,0x0},{0x7476BE8D2FA00A,0xD43492B2CB35BA,0x3696F8D5F00E88,0x6517014EFA0BAB,0x240120DB},{0x806000004082,0x40,0x0,0x0,0x0}}}
+*/
+
+// BNT2 Curve
+/*
+const CURVETYPE int=WEIERSTRASS
+const CURVE_A int= 0
+var CURVE_B = [...]int64 {0x2,0x0,0x0,0x0,0x0}
+var CURVE_Order=[...]int64 {0xFB71A511AA2BF5,0x8DE127B73833D7,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482}
+var CURVE_Bnx=[...]int64 {0x20100608205,0x40,0x0,0x0,0x0}
+var CURVE_Cru=[...]int64 {0x5027444866BD33,0x5B773016470EFB,0xC3617BECF23675,0x480006,0x0}
+var CURVE_Fra=[...]int64 {0xB268C973AEF062,0xC69B33C3BCE492,0xF67FA37F195BBC,0x29E8CAB6BD0A41,0x124E0B8D}
+var CURVE_Frb=[...]int64 {0x736240B1B429,0xCD48F52D196D56,0x18BBE650E72612,0x17268FF6FA43DE,0x11B1F8F5}
+var CURVE_Pxa=[...]int64 {0xCC92399F40A3C8,0xCDA4E96611784A,0x7B056961706B35,0x9693C6318279D7,0x16FC17CF}
+var CURVE_Pxb=[...]int64 {0x557A8AD8549540,0x6F7BE6F6510610,0x565907A95D17DB,0xBD5975909C8188,0x1EB5B500}
+var CURVE_Pya=[...]int64 {0x7BECC514220513,0x4A78860E737B14,0x51B83935F12684,0x761422AA9D4DFA,0x1E8EE498}
+var CURVE_Pyb=[...]int64 {0xB9328F577CE78E,0xB746E26FA5781F,0xA93DBC1FB8E27E,0xBAE33BDBA29D76,0x23CEF4CD}
+var CURVE_Gx =[...]int64 {0xB2DC2BB460A48A,0x93E428F0D651E8,0xF3B89D00081CF,0x410F5AADB74E20,0x24000482}
+var CURVE_Gy =[...]int64 {0x1,0x0,0x0,0x0,0x0}
+var CURVE_W=[2][5]int64 {{0xB76282A1347083,0x60301399E1D10,0x6000,0x0,0x0},{0x40200C10409,0x80,0x0,0x0,0x0}}
+var CURVE_SB=[2][2][5]int64 {{{0xB76684A1F5748C,0x60301399E1D90,0x6000,0x0,0x0},{0x40200C10409,0x80,0x0,0x0,0x0}},{{0x40200C10409,0x80,0x0,0x0,0x0},{0x440F227075BB72,0x87DE267D9A16C7,0xF3B89CFFFC1CF,0x410F5AADB74E20,0x24000482}}}
+var CURVE_WB=[4][5]int64 {{0x9272D48A70A224,0x20100688A0945,0x2000,0x0,0x0},{0x5A572CF030EF19,0x9651763543721D,0x8240FD48A1B9A3,0x300004,0x0},{0xAD2C96F848B88F,0xCB28BB1AA1B92E,0x41207EA450DCD1,0x180002,0x0},{0x9276D68B31A62D,0x20100688A09C5,0x2000,0x0,0x0}}
+var CURVE_BB=[4][4][5]int64 {{{0xFB6FA41149A9F1,0x8DE127B7383397,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482},{0xFB6FA41149A9F0,0x8DE127B7383397,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482},{0xFB6FA41149A9F0,0x8DE127B7383397,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482},{0x40200C1040A,0x80,0x0,0x0,0x0}},{{0x40200C10409,0x80,0x0,0x0,0x0},{0xFB6FA41149A9F0,0x8DE127B7383397,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482},{0xFB6FA41149A9F1,0x8DE127B7383397,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482},{0xFB6FA41149A9F0,0x8DE127B7383397,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482}},{{0x40200C1040A,0x80,0x0,0x0,0x0},{0x40200C10409,0x80,0x0,0x0,0x0},{0x40200C10409,0x80,0x0,0x0,0x0},{0x40200C10409,0x80,0x0,0x0,0x0}},{{0x20100608206,0x40,0x0,0x0,0x0},{0x80401820812,0x100,0x0,0x0,0x0},{0xFB6DA310E927EA,0x8DE127B7383357,0xF3B89D00021CF,0x410F5AADB74E20,0x24000482},{0x20100608206,0x40,0x0,0x0,0x0}}}
+*/
+
+const USE_GLV bool = true
+const USE_GS_G2 bool = true
+const USE_GS_GT bool = true
+const GT_STRONG bool = true
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/RSA.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/RSA.go b/go/amcl-go/RSA.go
new file mode 100644
index 0000000..5b1cf5b
--- /dev/null
+++ b/go/amcl-go/RSA.go
@@ -0,0 +1,373 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+/* RSA API high-level functions */
+
+package amcl
+
+import "fmt"
+
+const RSA_RFS int = int(MODBYTES) * FFLEN
+
+type rsa_private_key struct {
+ p, q, dp, dq, c *FF
+}
+
+func New_rsa_private_key(n int) *rsa_private_key {
+ SK := new(rsa_private_key)
+ SK.p = NewFFint(n)
+ SK.q = NewFFint(n)
+ SK.dp = NewFFint(n)
+ SK.dq = NewFFint(n)
+ SK.c = NewFFint(n)
+ return SK
+}
+
+type rsa_public_key struct {
+ e int
+ n *FF
+}
+
+func New_rsa_public_key(m int) *rsa_public_key {
+ PK := new(rsa_public_key)
+ PK.e = 0
+ PK.n = NewFFint(m)
+ return PK
+}
+
+func RSA_KEY_PAIR(rng *RAND, e int, PRIV *rsa_private_key, PUB *rsa_public_key) { /* IEEE1363 A16.11/A16.12 more or less */
+ n := PUB.n.getlen() / 2
+ t := NewFFint(n)
+ p1 := NewFFint(n)
+ q1 := NewFFint(n)
+
+ for true {
+ PRIV.p.random(rng)
+ for PRIV.p.lastbits(2) != 3 {
+ PRIV.p.inc(1)
+ }
+ for !prime(PRIV.p, rng) {
+ PRIV.p.inc(4)
+ }
+
+ p1.copy(PRIV.p)
+ p1.dec(1)
+
+ if p1.cfactor(e) {
+ continue
+ }
+ break
+ }
+
+ for true {
+ PRIV.q.random(rng)
+ for PRIV.q.lastbits(2) != 3 {
+ PRIV.q.inc(1)
+ }
+ for !prime(PRIV.q, rng) {
+ PRIV.q.inc(4)
+ }
+
+ q1.copy(PRIV.q)
+ q1.dec(1)
+
+ if q1.cfactor(e) {
+ continue
+ }
+
+ break
+ }
+
+ PUB.n = ff_mul(PRIV.p, PRIV.q)
+ PUB.e = e
+
+ t.copy(p1)
+ t.shr()
+ PRIV.dp.set(e)
+ PRIV.dp.invmodp(t)
+ if PRIV.dp.parity() == 0 {
+ PRIV.dp.add(t)
+ }
+ PRIV.dp.norm()
+
+ t.copy(q1)
+ t.shr()
+ PRIV.dq.set(e)
+ PRIV.dq.invmodp(t)
+ if PRIV.dq.parity() == 0 {
+ PRIV.dq.add(t)
+ }
+ PRIV.dq.norm()
+
+ PRIV.c.copy(PRIV.p)
+ PRIV.c.invmodp(PRIV.q)
+
+}
+
+/* Mask Generation Function */
+
+func RSA_MGF1(Z []byte, olen int, K []byte) {
+ H := NewHASH()
+ hlen := 32
+
+ var k int = 0
+ for i := 0; i < len(K); i++ {
+ K[i] = 0
+ }
+
+ cthreshold := olen / hlen
+ if olen%hlen != 0 {
+ cthreshold++
+ }
+ for counter := 0; counter < cthreshold; counter++ {
+ H.Process_array(Z)
+ H.Process_num(int32(counter))
+ B := H.Hash()
+
+ if k+hlen > olen {
+ for i := 0; i < olen%hlen; i++ {
+ K[k] = B[i]
+ k++
+ }
+ } else {
+ for i := 0; i < hlen; i++ {
+ K[k] = B[i]
+ k++
+ }
+ }
+ }
+}
+
+func RSA_printBinary(array []byte) {
+ for i := 0; i < len(array); i++ {
+ fmt.Printf("%02x", array[i])
+ }
+ fmt.Printf("\n")
+}
+
+/* OAEP Message Encoding for Encryption */
+func RSA_OAEP_ENCODE(m []byte, rng *RAND, p []byte) []byte {
+ olen := RSA_RFS - 1
+ mlen := len(m)
+ var f [RSA_RFS]byte
+
+ H := NewHASH()
+ hlen := 32
+ var SEED [32]byte
+ seedlen := hlen
+ if mlen > olen-hlen-seedlen-1 {
+ return nil
+ }
+
+ var DBMASK [RSA_RFS - 1 - 32]byte
+
+ if p != nil {
+ H.Process_array(p)
+ }
+ h := H.Hash()
+ for i := 0; i < hlen; i++ {
+ f[i] = h[i]
+ }
+
+ slen := olen - mlen - hlen - seedlen - 1
+
+ for i := 0; i < slen; i++ {
+ f[hlen+i] = 0
+ }
+ f[hlen+slen] = 1
+ for i := 0; i < mlen; i++ {
+ f[hlen+slen+1+i] = m[i]
+ }
+
+ for i := 0; i < seedlen; i++ {
+ SEED[i] = rng.GetByte()
+ }
+ RSA_MGF1(SEED[:], olen-seedlen, DBMASK[:])
+
+ for i := 0; i < olen-seedlen; i++ {
+ DBMASK[i] ^= f[i]
+ }
+ RSA_MGF1(DBMASK[:], seedlen, f[:])
+
+ for i := 0; i < seedlen; i++ {
+ f[i] ^= SEED[i]
+ }
+
+ for i := 0; i < olen-seedlen; i++ {
+ f[i+seedlen] = DBMASK[i]
+ }
+
+ /* pad to length RFS */
+ d := 1
+ for i := RSA_RFS - 1; i >= d; i-- {
+ f[i] = f[i-d]
+ }
+ for i := d - 1; i >= 0; i-- {
+ f[i] = 0
+ }
+ return f[:]
+}
+
+/* OAEP Message Decoding for Decryption */
+func RSA_OAEP_DECODE(p []byte, f []byte) []byte {
+ olen := RSA_RFS - 1
+
+ H := NewHASH()
+ hlen := 32
+ var SEED [32]byte
+ seedlen := hlen
+ var CHASH [32]byte
+
+ if olen < seedlen+hlen+1 {
+ return nil
+ }
+ var DBMASK [RSA_RFS - 1 - 32]byte
+ for i := 0; i < olen-seedlen; i++ {
+ DBMASK[i] = 0
+ }
+
+ if len(f) < RSA_RFS {
+ d := RSA_RFS - len(f)
+ for i := RSA_RFS - 1; i >= d; i-- {
+ f[i] = f[i-d]
+ }
+ for i := d - 1; i >= 0; i-- {
+ f[i] = 0
+ }
+ }
+
+ if p != nil {
+ H.Process_array(p)
+ }
+ h := H.Hash()
+ for i := 0; i < hlen; i++ {
+ CHASH[i] = h[i]
+ }
+
+ x := f[0]
+
+ for i := seedlen; i < olen; i++ {
+ DBMASK[i-seedlen] = f[i+1]
+ }
+
+ RSA_MGF1(DBMASK[:], seedlen, SEED[:])
+ for i := 0; i < seedlen; i++ {
+ SEED[i] ^= f[i+1]
+ }
+ RSA_MGF1(SEED[:], olen-seedlen, f)
+ for i := 0; i < olen-seedlen; i++ {
+ DBMASK[i] ^= f[i]
+ }
+
+ comp := true
+ for i := 0; i < hlen; i++ {
+ if CHASH[i] != DBMASK[i] {
+ comp = false
+ }
+ }
+
+ for i := 0; i < olen-seedlen-hlen; i++ {
+ DBMASK[i] = DBMASK[i+hlen]
+ }
+
+ for i := 0; i < hlen; i++ {
+ SEED[i] = 0
+ CHASH[i] = 0
+ }
+
+ var k int
+ for k = 0; ; k++ {
+ if k >= olen-seedlen-hlen {
+ return nil
+ }
+ if DBMASK[k] != 0 {
+ break
+ }
+ }
+
+ t := DBMASK[k]
+ if !comp || x != 0 || t != 0x01 {
+ for i := 0; i < olen-seedlen; i++ {
+ DBMASK[i] = 0
+ }
+ return nil
+ }
+
+ var r = make([]byte, olen-seedlen-hlen-k-1)
+
+ for i := 0; i < olen-seedlen-hlen-k-1; i++ {
+ r[i] = DBMASK[i+k+1]
+ }
+
+ for i := 0; i < olen-seedlen; i++ {
+ DBMASK[i] = 0
+ }
+
+ return r
+}
+
+/* destroy the Private Key structure */
+func RSA_PRIVATE_KEY_KILL(PRIV *rsa_private_key) {
+ PRIV.p.zero()
+ PRIV.q.zero()
+ PRIV.dp.zero()
+ PRIV.dq.zero()
+ PRIV.c.zero()
+}
+
+/* RSA encryption with the public key */
+func RSA_ENCRYPT(PUB *rsa_public_key, F []byte, G []byte) {
+ n := PUB.n.getlen()
+ f := NewFFint(n)
+
+ ff_fromBytes(f, F)
+ f.power(PUB.e, PUB.n)
+ f.toBytes(G)
+}
+
+/* RSA decryption with the private key */
+func RSA_DECRYPT(PRIV *rsa_private_key, G []byte, F []byte) {
+ n := PRIV.p.getlen()
+ g := NewFFint(2 * n)
+
+ ff_fromBytes(g, G)
+ jp := g.dmod(PRIV.p)
+ jq := g.dmod(PRIV.q)
+
+ jp.skpow(PRIV.dp, PRIV.p)
+ jq.skpow(PRIV.dq, PRIV.q)
+
+ g.zero()
+ g.dscopy(jp)
+ jp.mod(PRIV.q)
+ if ff_comp(jp, jq) > 0 {
+ jq.add(PRIV.q)
+ }
+ jq.sub(jp)
+ jq.norm()
+
+ t := ff_mul(PRIV.c, jq)
+ jq = t.dmod(PRIV.q)
+
+ t = ff_mul(jq, PRIV.p)
+ g.add(t)
+ g.norm()
+
+ g.toBytes(F)
+}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/UTILS.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/UTILS.go b/go/amcl-go/UTILS.go
new file mode 100644
index 0000000..b9b9ecb
--- /dev/null
+++ b/go/amcl-go/UTILS.go
@@ -0,0 +1,45 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+package amcl
+
+// Generate random six digit value
+func GENERATE_OTP(rng *RAND) int {
+ OTP := 0
+ mult := 1
+ for i := 0; i < 6; i++ {
+ val := int(rng.GetByte())
+ if val < 0 {
+ val = -val
+ }
+ val = val % 10
+ OTP = val*mult + OTP
+ mult = mult * 10
+ }
+ return OTP
+}
+
+// Generate a random byte array
+func GENERATE_RANDOM(rng *RAND, randomLen int) []byte {
+ random := make([]byte, randomLen)
+ for i := 0; i < randomLen; i++ {
+ random[i] = rng.GetByte()
+ }
+ return random
+}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/UTILS_test.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/UTILS_test.go b/go/amcl-go/UTILS_test.go
new file mode 100644
index 0000000..17058cc
--- /dev/null
+++ b/go/amcl-go/UTILS_test.go
@@ -0,0 +1,71 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+package amcl
+
+import (
+ "encoding/hex"
+ "fmt"
+ "testing"
+)
+
+func TestGENERATE_OTP(t *testing.T) {
+ cases := []int{751847, 625436, 628111, 611804, 148564, 202193, 794783, 631944, 544480, 384313}
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate the one time passwords
+ for _, want := range cases {
+ got := GENERATE_OTP(rng)
+ if got != want {
+ t.Errorf("One Time Passord %d != %d", got, want)
+ }
+ }
+}
+
+func TestGENERATE_RANDOM(t *testing.T) {
+ cases := []string{"57d662d39b1b245da469e89c", "155babf8de4204e68a656f42", "727e1980e01f996d977a0a34", "7b6c39221d89546895153f10", "32e40e9ad6f50dab3f5ec63f", "f6962a1fc5add13277900871", "93ae541acd6dc3264c19a12a", "faf196291d0820c611d3fcd4", "ba0602f0f6df1908dbcffe5b", "9e93cf35ccd5141e367cf2fd"}
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate the one time passwords
+ for _, want := range cases {
+ val := GENERATE_RANDOM(rng, 12)
+ got := hex.EncodeToString(val)
+ if got != want {
+ t.Errorf("One Time Passord %s != %s", got, want)
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/crypto.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/crypto.go b/go/amcl-go/crypto.go
new file mode 100644
index 0000000..e2b8bbb
--- /dev/null
+++ b/go/amcl-go/crypto.go
@@ -0,0 +1,222 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+package amcl
+
+const EAS int = 16
+const EGS int = int(MODBYTES)
+const EFS int = int(MODBYTES)
+const HASH_BYTES int = 32
+const IVS int = 12
+const G1S = 2*EFS + 1
+const G2S = 4 * EFS
+const GTS = 12 * EFS
+
+/* create random secret S. Use GO RNG */
+func MPIN_RANDOM_GENERATE_WRAP(RNG *RAND) (int, []byte) {
+ var S [EGS]byte
+ errorCode := MPIN_RANDOM_GENERATE(RNG, S[:])
+ return errorCode, S[:]
+}
+
+/* Extract Server Secret SS=S*Q where Q is fixed generator in G2 and S is master secret */
+func MPIN_GET_SERVER_SECRET_WRAP(S []byte) (int, []byte) {
+ var SS [G2S]byte
+ errorCode := MPIN_GET_SERVER_SECRET(S[:], SS[:])
+ return errorCode, SS[:]
+}
+
+/* R=R1+R2 in group G1 */
+func MPIN_RECOMBINE_G1_WRAP(R1 []byte, R2 []byte) (int, []byte) {
+ var R [G1S]byte
+ errorCode := MPIN_RECOMBINE_G1(R1[:], R2[:], R[:])
+ return errorCode, R[:]
+}
+
+/* W=W1+W2 in group G2 */
+func MPIN_RECOMBINE_G2_WRAP(W1 []byte, W2 []byte) (int, []byte) {
+ var W [G2S]byte
+ errorCode := MPIN_RECOMBINE_G2(W1[:], W2[:], W[:])
+ return errorCode, W[:]
+}
+
+/* Client secret CS=S*H(ID) where ID is client ID and S is master secret */
+/* CID is hashed externally */
+func MPIN_GET_CLIENT_SECRET_WRAP(S []byte, ID []byte) (int, []byte) {
+ var CS [G1S]byte
+ errorCode := MPIN_GET_CLIENT_SECRET(S[:], ID[:], CS[:])
+ return errorCode, CS[:]
+}
+
+/* Time Permit TP=S*(date|H(ID)) where S is master secret */
+func MPIN_GET_CLIENT_PERMIT_WRAP(date int, S []byte, ID []byte) (int, []byte) {
+ var TP [G1S]byte
+ errorCode := MPIN_GET_CLIENT_PERMIT(date, S[:], ID[:], TP[:])
+ return errorCode, TP[:]
+}
+
+/* Extract PIN from CS for identity CID to form TOKEN */
+func MPIN_EXTRACT_PIN_WRAP(ID []byte, PIN int, CS []byte) (int, []byte) {
+ CSIn := make([]byte, G1S)
+ copy(CSIn, CS)
+ errorCode := MPIN_EXTRACT_PIN(ID[:], PIN, CSIn[:])
+ return errorCode, CSIn[:]
+}
+
+/* One pass MPIN Client. Using GO RNG */
+func MPIN_CLIENT_WRAP(date, TimeValue, PIN int, RNG *RAND, ID, X, TOKEN, TP, MESSAGE []byte) (int, []byte, []byte, []byte, []byte, []byte) {
+ var Y [EGS]byte
+ var SEC [G1S]byte
+ var U [G1S]byte
+ var UT [G1S]byte
+ errorCode := MPIN_CLIENT(date, ID, RNG, X[:], PIN, TOKEN[:], SEC[:], U[:], UT[:], TP[:], MESSAGE, TimeValue, Y[:])
+ return errorCode, X[:], Y[:], SEC[:], U[:], UT[:]
+}
+
+// Precompute values for use by the client side of M-Pin Full
+func MPIN_PRECOMPUTE_WRAP(TOKEN []byte, ID []byte) (int, []byte, []byte) {
+ var GT1 [GTS]byte
+ var GT2 [GTS]byte
+ errorCode := MPIN_PRECOMPUTE(TOKEN[:], ID[:], GT1[:], GT2[:])
+ return errorCode, GT1[:], GT2[:]
+}
+
+/*
+ W=x*H(G);
+ if RNG == NULL then X is passed in
+ if RNG != NULL the X is passed out
+ if typ=0 W=x*G where G is point on the curve, else W=x*M(G), where M(G) is mapping of octet G to point on the curve
+ Use GO RNG
+*/
+func MPIN_GET_G1_MULTIPLE_WRAP(RNG *RAND, typ int, X, G []byte) (int, []byte, []byte) {
+ var Z [G1S]byte
+ errorCode := MPIN_GET_G1_MULTIPLE(RNG, typ, X[:], G[:], Z[:])
+ return errorCode, X[:], Z[:]
+}
+
+/* One pass MPIN Server */
+func MPIN_SERVER_WRAP(date int, TimeValue int, SS, U, UT, V, ID, MESSAGE []byte) (int, []byte, []byte, []byte, []byte, []byte) {
+ var HID [G1S]byte
+ var HTID [G1S]byte
+ var Y [EGS]byte
+ var E [GTS]byte
+ var F [GTS]byte
+
+ errorCode := MPIN_SERVER(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], V[:], E[:], F[:], ID[:], MESSAGE[:], TimeValue)
+
+ return errorCode, HID[:], HTID[:], Y[:], E[:], F[:]
+}
+
+/* calculate common key on server side */
+/* Z=r.A - no time permits involved */
+func MPIN_SERVER_KEY_WRAP(Z, SS, W, U, UT []byte) (int, []byte) {
+ var SK [EAS]byte
+ errorCode := MPIN_SERVER_KEY(Z[:], SS[:], W[:], U[:], UT[:], SK[:])
+ return errorCode, SK[:]
+}
+
+/* calculate common key on client side */
+/* wCID = w.(A+AT) */
+func MPIN_CLIENT_KEY_WRAP(PIN int, GT1, GT2, R, X, T []byte) (int, []byte) {
+ var CK [EAS]byte
+ errorCode := MPIN_CLIENT_KEY(GT1[:], GT2[:], PIN, R[:], X[:], T[:], CK[:])
+ return errorCode, CK[:]
+}
+
+/* Extract big type PIN.hash(ID) from CS to form TOKEN */
+func MPIN_EXTRACT_BIG_PIN_WRAP(ID, PIN, CS []byte) (int, []byte) {
+ TOKEN := make([]byte, G1S)
+ pin := fromBytes(PIN)
+ P := ECP_fromBytes(CS)
+ if P.is_infinity() {
+ return MPIN_INVALID_POINT, TOKEN[:]
+ }
+ h := Hashit(0, ID)
+ R := mapit(h)
+
+ R = R.mul(pin)
+ P.sub(R)
+
+ P.toBytes(TOKEN)
+
+ return 0, TOKEN[:]
+}
+
+/* Add big type PIN.hash(ID) to TOKEN for identity ID to form CS */
+func MPIN_ADD_BIG_PIN_WRAP(ID, PIN, TOKEN []byte) (int, []byte) {
+ CS := make([]byte, G1S)
+ pin := fromBytes(PIN)
+ P := ECP_fromBytes(TOKEN)
+ if P.is_infinity() {
+ return MPIN_INVALID_POINT, CS[:]
+ }
+ h := Hashit(0, ID)
+ R := mapit(h)
+
+ R = R.mul(pin)
+ P.add(R)
+
+ P.toBytes(CS)
+
+ return 0, CS[:]
+}
+
+/* dst = a ^ b ^ c */
+func XORBytes(a, b, c []byte) ([]byte, int) {
+ n := len(a)
+ dst := make([]byte, n)
+ if (len(b) != n) || (len(c) != n) {
+ return dst[:], 1
+ }
+ for i := 0; i < n; i++ {
+ dst[i] = a[i] ^ b[i] ^ c[i]
+ }
+ return dst[:], 0
+}
+
+/* Outputs H(CID) and H(T|H(CID)) for time permits. If no time permits set HID=HTID */
+func MPIN_SERVER_1_WRAP(date int, ID []byte) ([]byte, []byte) {
+ var HID [G1S]byte
+ var HTID [G1S]byte
+ MPIN_SERVER_1(date, ID, HID[:], HTID[:])
+ return HID[:], HTID[:]
+}
+
+/* Implement step 2 of MPin protocol on server side */
+func MPIN_SERVER_2_WRAP(date int, HID []byte, HTID []byte, Y []byte, SS []byte, U []byte, UT []byte, V []byte) (int, []byte, []byte) {
+ var E [12 * EFS]byte
+ var F [12 * EFS]byte
+ errorCode := MPIN_SERVER_2(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], V[:], E[:], F[:])
+ return errorCode, E[:], F[:]
+}
+
+/* Implement step 1 on client side of MPin protocol */
+func MPIN_CLIENT_1_WRAP(date int, ID []byte, rng *RAND, X []byte, PIN int, TOKEN []byte, TP []byte) (int, []byte, []byte, []byte, []byte) {
+ var SEC [G1S]byte
+ var U [G1S]byte
+ var UT [G1S]byte
+ errorCode := MPIN_CLIENT_1(date, ID[:], rng, X[:], PIN, TOKEN[:], SEC[:], U[:], UT[:], TP[:])
+ return errorCode, X[:], SEC[:], U[:], UT[:]
+}
+
+/* Implement step 2 on client side of MPin protocol */
+func MPIN_CLIENT_2_WRAP(X []byte, Y []byte, SEC []byte) (int, []byte) {
+ errorCode := MPIN_CLIENT_2(X[:], Y[:], SEC[:])
+ return errorCode, SEC[:]
+}
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/85fabaa6/go/amcl-go/crypto_test.go
----------------------------------------------------------------------
diff --git a/go/amcl-go/crypto_test.go b/go/amcl-go/crypto_test.go
new file mode 100644
index 0000000..710204e
--- /dev/null
+++ b/go/amcl-go/crypto_test.go
@@ -0,0 +1,1194 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/
+
+package amcl
+
+import (
+ "crypto/rand"
+ "encoding/hex"
+ "fmt"
+ mathrand "math/rand"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+const nIter int = 1000
+
+func TestCryptoGoodPIN(t *testing.T) {
+ want := 0
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Message to sign
+ var MESSAGE []byte
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoBadPIN(t *testing.T) {
+ want := -19
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1235
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Message to sign
+ var MESSAGE []byte
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ ////// Client //////
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ ////// Server //////
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoBadToken(t *testing.T) {
+ want := -19
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Message to sign
+ var MESSAGE []byte
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, _, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ // Send UT as V to model bad token
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], UT[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoRandom(t *testing.T) {
+ want := 0
+
+ for i := 0; i < nIter; i++ {
+
+ // Seed value for Random Number Generator (RNG)
+ seed := make([]byte, 16)
+ rand.Read(seed)
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Epoch time in days
+ date := MPIN_today()
+
+ // Epoch time in seconds
+ timeValue := MPIN_GET_TIME()
+
+ // PIN variable to create token
+ PIN1 := mathrand.Intn(10000)
+ // PIN variable to authenticate
+ PIN2 := PIN1
+
+ // Assign the End-User a random ID
+ ID := make([]byte, 16)
+ rand.Read(ID)
+
+ // Message to sign
+ var MESSAGE []byte
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+ }
+}
+
+func TestCryptoGoodSignature(t *testing.T) {
+ want := 0
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Message to sign
+ MESSAGE := []byte("test message to sign")
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ // Authenticate
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoSignatureExpired(t *testing.T) {
+ want := -19
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Message to sign
+ MESSAGE := []byte("test message to sign")
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ timeValue += 10
+ // Authenticate
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoBadSignature(t *testing.T) {
+ want := -19
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Message to sign
+ MESSAGE := []byte("test message to sign")
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ // Authenticate
+ MESSAGE[0] = 00
+ got, _, _, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoPINError(t *testing.T) {
+ want := 1
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1235
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Message to sign
+ var MESSAGE []byte
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, _, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ _, _, _, _, E, F := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+
+ got := MPIN_KANGAROO(E[:], F[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoMPINFull(t *testing.T) {
+ want := "0afc948b03b2733a0663571f86411a07"
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // Epoch time in seconds
+ timeValue := 1439465203
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Message to sign
+ var MESSAGE []byte
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Precomputation
+ _, G1, G2 := MPIN_PRECOMPUTE_WRAP(TOKEN[:], HCID)
+
+ // Send U, UT, V, timeValue and Message to server
+ var X [EGS]byte
+ _, XOut, _, V, U, UT := MPIN_CLIENT_WRAP(date, timeValue, PIN2, rng, ID[:], X[:], TOKEN[:], TP[:], MESSAGE[:])
+
+ // Send Z=r.ID to Server
+ var R [EGS]byte
+ _, ROut, Z := MPIN_GET_G1_MULTIPLE_WRAP(rng, 1, R[:], HCID[:])
+
+ // Authenticate
+ _, _, HTID, _, _, _ := MPIN_SERVER_WRAP(date, timeValue, SS[:], U[:], UT[:], V[:], ID[:], MESSAGE[:])
+
+ // send T=w.ID to client
+ var W [EGS]byte
+ _, WOut, T := MPIN_GET_G1_MULTIPLE_WRAP(rng, 0, W[:], HTID[:])
+
+ _, AES_KEY_SERVER := MPIN_SERVER_KEY_WRAP(Z[:], SS[:], WOut[:], U[:], UT[:])
+ got := hex.EncodeToString(AES_KEY_SERVER[:])
+ if got != want {
+ t.Errorf("%s != %s", want, got)
+ }
+
+ _, AES_KEY_CLIENT := MPIN_CLIENT_KEY_WRAP(PIN2, G1[:], G2[:], ROut[:], XOut[:], T[:])
+ got = hex.EncodeToString(AES_KEY_CLIENT[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+// Subtract a 256 bit PIN
+func TestCrypoSubBigPIN(t *testing.T) {
+ want := "042182235070802ebc33633e70e6628f48fd896e86dfc40c81227caa2792367a581d461dbba6efa30896c71f427df335885142cc6fb64ba082ff9573b9276475c0"
+
+ IDHex := "7465737455736572406365727469766f782e636f6d"
+ ID, err := hex.DecodeString(IDHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ TOKENHex := "0422a522b5c05d06cde3a65872656ab596e111c4ea7c0c349bac26f0bdaf7d5f0a1ea8a0cab99d06677cfbc3c8d667e7b0af33b9ed4df007b0ccc8c2b77353bbe6"
+ TOKEN, err := hex.DecodeString(TOKENHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ assert.Equal(t, nil, err, "Should be equal")
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate big PIN - 256 bits
+ errorCode, PIN := MPIN_RANDOM_GENERATE_WRAP(rng)
+ assert.Equal(t, 0, errorCode, "Should be equal")
+
+ // Extract big PIN
+ errorCode, TK := MPIN_EXTRACT_BIG_PIN_WRAP(ID[:], PIN[:], TOKEN[:])
+ assert.Equal(t, 0, errorCode, "Should be equal")
+ got := hex.EncodeToString(TK[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+// Add a 256 bit PIN
+func TestCrypoAddBigPIN(t *testing.T) {
+ want := "0422a522b5c05d06cde3a65872656ab596e111c4ea7c0c349bac26f0bdaf7d5f0a1ea8a0cab99d06677cfbc3c8d667e7b0af33b9ed4df007b0ccc8c2b77353bbe6"
+
+ IDHex := "7465737455736572406365727469766f782e636f6d"
+ ID, err := hex.DecodeString(IDHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ TOKENHex := "042182235070802ebc33633e70e6628f48fd896e86dfc40c81227caa2792367a581d461dbba6efa30896c71f427df335885142cc6fb64ba082ff9573b9276475c0"
+ TOKEN, err := hex.DecodeString(TOKENHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ PINHex := "1b18b8b882daf76a18bf2278fe4e15c62eed8131e708573375fd81a8415014b3"
+ PIN, err := hex.DecodeString(PINHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ // Extract big PIN
+ errorCode, TK := MPIN_ADD_BIG_PIN_WRAP(ID[:], PIN[:], TOKEN[:])
+ assert.Equal(t, 0, errorCode, "Should be equal")
+ got := hex.EncodeToString(TK[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+// Split key
+func TestCryptoSplitKey(t *testing.T) {
+ want := "64b36b7a0395e61350de8839adb019d5ae2134052b8533e7c4bbab3965e0af1b"
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ assert.Equal(t, nil, err, "Should be equal")
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate big PIN - 256 bits
+ errorCode, PIN := MPIN_RANDOM_GENERATE_WRAP(rng)
+ assert.Equal(t, 0, errorCode, "Should be equal")
+ PINHex := hex.EncodeToString(PIN[:])
+ PINGoldHex := "1b18b8b882daf76a18bf2278fe4e15c62eed8131e708573375fd81a8415014b3"
+ assert.Equal(t, PINGoldHex, PINHex, "Should be equal")
+
+ n := len(PIN)
+ // Split key by C = PIN ^ A ^ B
+ A := GENERATE_RANDOM(rng, n)
+
+ B := GENERATE_RANDOM(rng, n)
+
+ C, errorCode := XORBytes(PIN[:], A[:], B[:])
+ assert.Equal(t, 0, errorCode, "Should be equal")
+ got := hex.EncodeToString(C[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+// Combine key shares
+func TestCryptoCombineKey(t *testing.T) {
+ want := "1b18b8b882daf76a18bf2278fe4e15c62eed8131e708573375fd81a8415014b3"
+
+ CHex := "64b36b7a0395e61350de8839adb019d5ae2134052b8533e7c4bbab3965e0af1b"
+ C, err := hex.DecodeString(CHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ AHex := "c5add1327790087193ae541acd6dc3264c19a12afaf196291d0820c611d3fcd4"
+ A, err := hex.DecodeString(AHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ BHex := "ba0602f0f6df1908dbcffe5b9e93cf35ccd5141e367cf2fdac4e0a573563477c"
+ B, err := hex.DecodeString(BHex)
+ assert.Equal(t, nil, err, "Should be equal")
+
+ // Combine key shares PIN = A ^ B ^ C
+ PIN, errorCode := XORBytes(C[:], A[:], B[:])
+ assert.Equal(t, 0, errorCode, "Should be equal")
+ got := hex.EncodeToString(PIN[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoTwoPassGoodPIN(t *testing.T) {
+ want := 0
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Client Pass 1
+ var X [EGS]byte
+ _, _, SEC, U, UT := MPIN_CLIENT_1_WRAP(date, ID, rng, X[:], PIN2, TOKEN[:], TP[:])
+
+ // Server Pass 1
+ HID, HTID := MPIN_SERVER_1_WRAP(date, ID)
+ _, Y := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Client Pass 2
+ _, V := MPIN_CLIENT_2_WRAP(X[:], Y[:], SEC[:])
+
+ // Server Pass 2
+ got, _, _ := MPIN_SERVER_2_WRAP(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], V[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoTwoPassBadPIN(t *testing.T) {
+ want := -19
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1235
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Client Pass 1
+ var X [EGS]byte
+ _, _, SEC, U, UT := MPIN_CLIENT_1_WRAP(date, ID, rng, X[:], PIN2, TOKEN[:], TP[:])
+
+ // Server Pass 1
+ HID, HTID := MPIN_SERVER_1_WRAP(date, ID)
+ _, Y := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Client Pass 2
+ _, V := MPIN_CLIENT_2_WRAP(X[:], Y[:], SEC[:])
+
+ // Server Pass 2
+ got, _, _ := MPIN_SERVER_2_WRAP(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], V[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoTwoPassBadToken(t *testing.T) {
+ want := -19
+ // Assign the End-User an ID
+ IDstr := "testUser@miracl.com"
+ ID := []byte(IDstr)
+
+ // Epoch time in days
+ date := 16660
+
+ // PIN variable to create token
+ PIN1 := 1234
+ // PIN variable to authenticate
+ PIN2 := 1234
+
+ // Seed value for Random Number Generator (RNG)
+ seedHex := "9e8b4178790cd57a5761c4a6f164ba72"
+ seed, err := hex.DecodeString(seedHex)
+ if err != nil {
+ fmt.Println("Error decoding seed value")
+ return
+ }
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Client Pass 1
+ var X [EGS]byte
+ _, _, SEC, U, UT := MPIN_CLIENT_1_WRAP(date, ID, rng, X[:], PIN2, TOKEN[:], TP[:])
+
+ // Server Pass 1
+ HID, HTID := MPIN_SERVER_1_WRAP(date, ID)
+ _, Y := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Client Pass 2
+ _, _ = MPIN_CLIENT_2_WRAP(X[:], Y[:], SEC[:])
+
+ // Server Pass 2
+ // Send UT as V to model bad token
+ got, _, _ := MPIN_SERVER_2_WRAP(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], UT[:])
+ assert.Equal(t, want, got, "Should be equal")
+}
+
+func TestCryptoRandomTwoPass(t *testing.T) {
+ want := 0
+
+ for i := 0; i < nIter; i++ {
+
+ // Seed value for Random Number Generator (RNG)
+ seed := make([]byte, 16)
+ rand.Read(seed)
+ rng := NewRAND()
+ rng.Seed(len(seed), seed)
+
+ // Epoch time in days
+ date := MPIN_today()
+
+ // PIN variable to create token
+ PIN1 := mathrand.Intn(10000)
+ // PIN variable to authenticate
+ PIN2 := PIN1
+
+ // Assign the End-User a random ID
+ ID := make([]byte, 16)
+ rand.Read(ID)
+
+ // Generate Master Secret Share 1
+ _, MS1 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Generate Master Secret Share 2
+ _, MS2 := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Either Client or TA calculates Hash(ID)
+ HCID := MPIN_HASH_ID(ID)
+
+ // Generate server secret share 1
+ _, SS1 := MPIN_GET_SERVER_SECRET_WRAP(MS1[:])
+
+ // Generate server secret share 2
+ _, SS2 := MPIN_GET_SERVER_SECRET_WRAP(MS2[:])
+
+ // Combine server secret shares
+ _, SS := MPIN_RECOMBINE_G2_WRAP(SS1[:], SS2[:])
+
+ // Generate client secret share 1
+ _, CS1 := MPIN_GET_CLIENT_SECRET_WRAP(MS1[:], HCID)
+
+ // Generate client secret share 2
+ _, CS2 := MPIN_GET_CLIENT_SECRET_WRAP(MS2[:], HCID)
+
+ // Combine client secret shares
+ CS := make([]byte, G1S)
+ _, CS = MPIN_RECOMBINE_G1_WRAP(CS1[:], CS2[:])
+
+ // Generate time permit share 1
+ _, TP1 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS1[:], HCID)
+
+ // Generate time permit share 2
+ _, TP2 := MPIN_GET_CLIENT_PERMIT_WRAP(date, MS2[:], HCID)
+
+ // Combine time permit shares
+ _, TP := MPIN_RECOMBINE_G1_WRAP(TP1[:], TP2[:])
+
+ // Create token
+ _, TOKEN := MPIN_EXTRACT_PIN_WRAP(ID[:], PIN1, CS[:])
+
+ // Client Pass 1
+ var X [EGS]byte
+ _, _, SEC, U, UT := MPIN_CLIENT_1_WRAP(date, ID, rng, X[:], PIN2, TOKEN[:], TP[:])
+
+ // Server Pass 1
+ HID, HTID := MPIN_SERVER_1_WRAP(date, ID)
+ _, Y := MPIN_RANDOM_GENERATE_WRAP(rng)
+
+ // Client Pass 2
+ _, V := MPIN_CLIENT_2_WRAP(X[:], Y[:], SEC[:])
+
+ // Server Pass 2
+ got, _, _ := MPIN_SERVER_2_WRAP(date, HID[:], HTID[:], Y[:], SS[:], U[:], UT[:], V[:])
+ assert.Equal(t, want, got, "Should be equal")
+
+ }
+}