From 1e6dc842a4298a7e3be0d9d379399097e37d2623 Mon Sep 17 00:00:00 2001
From: Fang
Date: Fri, 13 Jul 2018 15:22:34 +0200
Subject: [PATCH] Add secp core with secp256k to zuse. Not yet fully jet-hinted.
---
 sys/zuse.hoon | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 175 insertions(+)
diff --git a/sys/zuse.hoon b/sys/zuse.hoon
index 589200f9c3..13a6e139fa 100644
--- a/sys/zuse.hoon
+++ b/sys/zuse.hoon
@@ -3322,6 +3322,181 @@
 :: prepend outer padding to result, hash again
 (haj (add out boq) (add (lsh 3 out kop) -))
 -- :: hmac
+ :: ::
+ :::: ++secp:crypto :: (2b9) secp family
+ :: ::::
+ ++ secp
+ ~% %secp ..is ~
+ |%
+ += jaco [x=@ y=@ z=@] :: jacobian point
+ += pont [x=@ y=@] :: curve point
+ ::
+ ++ secp256k1
+ %+ secp 32
+ :* p=0xffff.ffff.ffff.ffff.ffff.ffff.ffff.ffff. :: modulo
+ ffff.ffff.ffff.ffff.ffff.fffe.ffff.fc2f
+ a=0 :: y^2=x^3+ax+b
+ b=7
+ ^= g :: "prime" point
+ :* x=0x79be.667e.f9dc.bbac.55a0.6295.ce87.0b07.
+ 029b.fcdb.2dce.28d9.59f2.815b.16f8.1798
+ y=0x483a.da77.26a3.c465.5da4.fbfc.0e11.08a8.
+ fd17.b448.a685.5419.9c47.d08f.fb10.d4b8
+ ==
+ n=0xffff.ffff.ffff.ffff.ffff.ffff.ffff.fffe. :: prime order of g
+ baae.dce6.af48.a03b.bfd2.5e8c.d036.4141
+ ==
+ ::
+ ++ secp
+ |= [w=@ p=@ a=@ b=@ g=pont n=@]
+ =/ p ~(. fo p)
+ =/ n ~(. fo n)
+ |%
+ ++ compress-point
+ |= pont
+ ^- @
+ (can 3 ~[w^x 1^(add 0x2 (cut 0 [0 1] y))])
+ ::
+ ++ serialize-point
+ |= pont
+ ^- @
+ (can 3 ~[w^y w^x 1^0x4])
+ ::
+ ++ decompress-point
+ |= dat=@
+ ^- pont
+ =+ x=(end 3 w a)
+ =+ y=:(add (pow x 3) (mul a x) b)
+ =+ s=(rsh 3 32 dat)
+ :- x
+ ?: =(0x2 s) y
+ ?: =(0x3 s) y
+ ~| [`@ux`s `@ux`dat]
+ !!
+ ::
+ ++ priv-to-pub :: get pub from priv
+ |= prv=@
+ ^- pont
+ (jc-mul g prv)
+ ::
+ ++ make-k :: deterministic nonce
+ =, mimes:html
+ |= [has=@uvI prv=@]
+ ^- @
+ =* hmc hmac-sha256l:hmac
+ =/ v (fil 3 w 1)
+ =/ k 0
+ =. k (hmc k w [+ -]:(as-octs (can 3 [w has] [w prv] [1 0x0] [w v] ~)))
+ =. v (hmc k w v w)
+ =. k (hmc k w [+ -]:(as-octs (can 3 [w has] [w prv] [1 0x1] [w v] ~)))
+ =. v (hmc k w v w)
+ (hmc k w v w)
+ ::
+ ++ ecdsa-raw-sign :: generate signature
+ |= [has=@uvI prv=@]
+ ^- [v=@ r=@ s=@]
+ =/ z has
+ =/ k (make-k has prv)
+ =+ [r y]=(jc-mul g k)
+ =/ s (pro.n `@`(inv.n k) `@`(sum.n z (mul r prv)))
+ =/ big-s (gte (mul 2 s) ^n)
+ :* v=(add 27 (mix (end 0 1 y) ?:(big-s 1 0)))
+ r=r
+ s=?.(big-s s (sub ^n s))
+ ==
+ ::
+ ++ ecdsa-raw-recover :: get pubkey from sig
+ |= [has=@uvI sig=[v=@ r=@ s=@]]
+ ^- pont
+ ?> ?&((lte 27 v.sig) (lte v.sig 34))
+ =/ x r.sig
+ =/ ysq (sum.p b (exp.p 3 x)) :: omits A=0
+ =/ bet (exp.p (div +(^p) 4) ysq)
+ =/ y ?:(=(1 (end 0 1 (mix v.sig bet))) bet (dif.p 0 bet))
+ ?> =(0 (dif.p ysq (pro.p y y)))
+ ?< =(0 (sit.n r.sig))
+ ?< =(0 (sit.n s.sig))
+ =/ gz (mul:jc [x y 1]:g (dif.n 0 has))
+ =/ xy (mul:jc [x y 1] s.sig)
+ =/ qr (add:jc gz xy)
+ (from:jc (mul:jc qr (inv.n r.sig)))
+ ::
+ ++ jc-mul :: point x scalar
+ |= [a=pont n=@]
+ ^- pont
+ (from:jc (mul:jc (into:jc a) n))
+ ::
+ ++ jc-add :: add points
+ |= [a=pont b=pont]
+ ^- pont
+ (from:jc (add:jc (into:jc a) (into:jc b)))
+ ::
+ ++ jc :: jacobian core
+ |%
+ ++ add :: addition
+ |= [a=jaco b=jaco]
+ ^- jaco
+ ?: =(0 y.a) b
+ ?: =(0 y.b) a
+ =/ u1 :(pro.p x.a z.b z.b)
+ =/ u2 :(pro.p x.b z.a z.a)
+ =/ s1 :(pro.p y.a z.b z.b z.b)
+ =/ s2 :(pro.p y.b z.a z.a z.a)
+ ?: =(u1 u2)
+ ?. =(s1 s2)
+ [0 0 1]
+ (dub a)
+ =/ h (dif.p u2 u1)
+ =/ r (dif.p s2 s1)
+ =/ h2 (pro.p h h)
+ =/ h3 (pro.p h2 h)
+ =/ u1h2 (pro.p u1 h2)
+ =/ nx (dif.p (pro.p r r) :(sum.p h3 u1h2 u1h2))
+ =/ ny (dif.p (pro.p r (dif.p u1h2 nx)) (pro.p s1 h3))
+ =/ nz :(pro.p h z.a z.b)
+ [nx ny nz]
+ ::
+ ++ dub :: double
+ |= a=jaco
+ ^- jaco
+ ?: =(0 y.a)
+ [0 0 0]
+ =/ ysq (pro.p y.a y.a)
+ =/ s :(pro.p 4 x.a ysq)
+ =/ m :(pro.p 3 x.a x.a) :: omits A=0
+ =/ nx (dif.p (pro.p m m) (sum.p s s))
+ =/ ny (dif.p (pro.p m (dif.p s nx)) :(pro.p 8 ysq ysq))
+ =/ nz :(pro.p 2 y.a z.a)
+ [nx ny nz]
+ ::
+ ++ mul :: jaco x scalar
+ |= [a=jaco n=@]
+ ^- jaco
+ ?: =(0 y.a)
+ [0 0 1]
+ ?: =(0 n)
+ [0 0 1]
+ ?: =(1 n)
+ a
+ ?: (gte n ^^n)
+ $(n (mod n ^^n))
+ ?: =(0 (mod n 2))
+ (dub $(n (div n 2)))
+ (add a (dub $(n (div n 2))))
+ ::
+ ++ from :: jaco -> point
+ |= a=jaco
+ ^- pont
+ =/ z (inv.p z.a)
+ [:(pro.p x.a z z) :(pro.p y.a z z z)]
+ ::
+ ++ into :: point -> jaco
+ |= pont
+ ^- jaco
+ [x y z=1]
+ --
+ --
+ --
 -- ::crypto
 :: ::::
 :::: ++unity :: (2c) unit promotion
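Review bot: `decompress-point` does not actually recover a point from `dat`: `x` is read from the curve coefficient `a` via `(end 3 w a)` instead of from `dat`, `y` is the unreduced polynomial `:(add (pow x 3) (mul a x) b)` with no modular square root, the `0x2` and `0x3` branches both return that same `y` so the parity prefix is ignored, and `(rsh 3 32 dat)` hard-codes 32 where `compress-point` uses `w`. The rewrite below mirrors `ecdsa-raw-recover`, which already reduces mod p and takes the root with `(exp.p (div +(^p) 4) ysq)` (valid only when p = 3 mod 4, true for secp256k1 but not checked for other `secp` instances), and then selects the root whose low bit matches the prefix. Separately, `make-k` appears to take the HMAC message length from `as-octs`, which drops leading zero bytes of `v`, whereas RFC 6979 fixes that input at `1 + 3w` bytes, so `(add 1 (mul 3 w))` would be the safer length; it also never checks that the derived `k` lies in `[1, n-1]`. `ecdsa-raw-sign` returns `r=r` without reducing the x coordinate mod n and never rejects a zero `r` or `s`, checks that `ecdsa-raw-recover` does perform.
```hoon
++  decompress-point
  |=  dat=@
  ^-  pont
  =/  x  (end 3 w dat)
  =/  s  (rsh 3 w dat)
  ::  right-hand side of y^2 = x^3 + ax + b, reduced mod p
  =/  ysq  (sum.p (sum.p (exp.p 3 x) (pro.p a x)) b)
  ::  square root as in ecdsa-raw-recover; valid only when p = 3 mod 4
  =/  y  (exp.p (div +(^p) 4) ysq)
  ::  reject x values that are not on the curve
  ?>  =(0 (dif.p ysq (pro.p y y)))
  ?.  |(=(0x2 s) =(0x3 s))
    ~|  [`@ux`s `@ux`dat]
    !!
  ::  prefix 0x2 selects the even root, 0x3 the odd one
  :-  x
  ?:  =((sub s 0x2) (end 0 1 y))  y
  (dif.p 0 y)
```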