1 /*############################################################################
2 # Copyright 2017 Intel Corporation
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7 #
8 #     http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15 ############################################################################*/
16 /// Precomputed signature computation.
17 /*! \file */
18 
19 #include "epid/member/tiny/src/presig_compute.h"
20 
21 #include "epid/member/tiny/math/efq.h"
22 #include "epid/member/tiny/math/fp.h"
23 #include "epid/member/tiny/math/fq12.h"
24 #include "epid/member/tiny/math/serialize.h"
25 #include "epid/member/tiny/math/vli.h"
26 #include "epid/member/tiny/src/context.h"
27 
// Affine point (x = 1, y = 2), limbs least-significant first. The name
// indicates the G1 generator of the Intel(R) EPID 2.0 curve. In this file it
// is public, non-sensitive data used to overwrite Jacobian temporaries when
// scrubbing the stack at the end of EpidMemberComputePreSig().
static const EccPointFq epid20_g1 = {
    {{0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000}},
    {{0x00000002, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
      0x00000000, 0x00000000}}};
// The Fp modulus p of Intel(R) EPID 2.0 (the exponent field), limbs
// least-significant first. Subtracting a nonzero element r < p from it gives
// p - r, i.e. the negation of r mod p; used in place of FpNeg() below.
static const FpElem epid20_p = {{0xD10B500D, 0xF62D536C, 0x1299921A, 0x0CDC65FB,
                                 0xEE71A49E, 0x46E5F25E, 0xFFFCF0CD,
                                 0xFFFFFFFF}};
36 
EpidStatus EpidMemberComputePreSig(MemberCtx const* ctx,
                                   PreComputedSignatureData* presig) {
  /* Computes the randomized, message-independent part of a signature.
   *
   * On success presig holds: random nonzero exponents a, rx, rf, ra, rb;
   * T = A * h2^a; b = a * x (x taken from ctx->credential); and
   * R2 = ea2^(-rx) * e12^rf * e22^(rb - a*rx) * e2w^ra, computed from the
   * pairing values in ctx->precomp.
   *
   * B and K are deliberately not computed by this precomputation, which
   * differs from the Intel(R) EPID 2.0 spec. On IoT and especially on
   * accelerated platforms the extra latency at signing time is likely
   * cheaper than the space and possibly redundant computation needed to
   * compute and store those values.
   *
   * Returns kEpidNoErr on success; kEpidMathErr if the RNG fails or T has
   * no affine representation. On failure presig may already hold some of
   * the secret random exponents, so its contents must not be used.
   */
  EpidStatus sts = kEpidMathErr;
  EccPointFq scratch;         // affine point; .x/.y also reused as Fp scratch
  EccPointJacobiFq jac_term;  // Jacobian form of the point being added in
  EccPointJacobiFq jac_acc;   // Jacobian accumulator for T

  if (!FpRandNonzero(&presig->a, ctx->rnd_func, ctx->rnd_param)) {
    goto cleanup;
  }

  // T = A * h2^a : scalar-multiply h2 by a, then add A.
  EFqDeserialize(&scratch, &ctx->pub_key.h2);
  EFqFromAffine(&jac_term, &scratch);
  EFqMulSSCM(&jac_acc, &jac_term, &presig->a);
  EFqDeserialize(&scratch, &ctx->credential.A);
  EFqFromAffine(&jac_term, &scratch);
  EFqAdd(&jac_acc, &jac_acc, &jac_term);
  if (EFqToAffine(&presig->T, &jac_acc) != 1) {
    goto cleanup;
  }

  // b = a * x. scratch.x is borrowed as Fp storage for the exponent x.
  FpDeserialize((FpElem*)&scratch.x, &ctx->credential.x);
  FpMul(&presig->b, &presig->a, (FpElem*)&scratch.x);

  // Fresh nonzero randomness for the commitment exponents; the first RNG
  // failure aborts (short-circuit keeps the original draw order).
  if (!FpRandNonzero(&presig->rx, ctx->rnd_func, ctx->rnd_param) ||
      !FpRandNonzero(&presig->rf, ctx->rnd_func, ctx->rnd_param) ||
      !FpRandNonzero(&presig->ra, ctx->rnd_func, ctx->rnd_param) ||
      !FpRandNonzero(&presig->rb, ctx->rnd_func, ctx->rnd_param)) {
    goto cleanup;
  }

  // scratch.x = p - rx, i.e. -rx mod p (equivalent to FpNeg, but faster).
  VliSub(&scratch.x.limbs, &epid20_p.limbs, &presig->rx.limbs);
  // scratch.y = rb - a * rx
  FpMul((FpElem*)&scratch.y, &presig->a, &presig->rx);
  FpSub((FpElem*)&scratch.y, &presig->rb, (FpElem*)&scratch.y);

  // R2 = ea2^(-rx) * e12^rf * e22^(rb - a*rx) * e2w^ra
  Fq12MultiExp(&presig->R2, &ctx->precomp.ea2, &scratch.x.limbs,
               &ctx->precomp.e12, &presig->rf.limbs, &ctx->precomp.e22,
               &scratch.y.limbs, &ctx->precomp.e2w, &presig->ra.limbs);
  sts = kEpidNoErr;

cleanup:
  // Scrub secrets from the stack on every path. The Fp scratch values are
  // cleared explicitly; the Jacobian temporaries are overwritten with the
  // public generator through a real computation (presumably so the stores
  // are not dropped as dead by the optimizer, as a plain memset might be).
  FpClear((FpElem*)&scratch.x);
  FpClear((FpElem*)&scratch.y);
  EFqFromAffine(&jac_term, &epid20_g1);
  EFqFromAffine(&jac_acc, &epid20_g1);
  return sts;
}