jose 0.1.0 → 0.2.0

data/lib/jose/jwa/edwards_point.rb

@@ -0,0 +1,257 @@
+# A point on (twisted) Edwards curve.
+class JOSE::JWA::EdwardsPoint
+  include Comparable
+
+  attr_accessor :x, :y, :z
+
+  def initpoint(x, y)
+    @x = x
+    @y = y
+    @z = self.class::BASE_FIELD.make(1)
+  end
+
+  def decode_base(s, b)
+    # Check that point encoding is of correct length.
+    raise ArgumentError, "s must be #{(b/8)} bytes" if s.bytesize != (b / 8)
+    # Extract signbit.
+    s = s.dup
+    xs = s.getbyte((b-1)/8) >> ((b-1) & 7)
+    s.setbyte((b-1)/8, s.getbyte((b-1)/8) & ~(1 << 7))
+    # Decode y. If this fails, fail.
+    y = self.class::BASE_FIELD.from_bytes(s, b)
+    # Try to recover x. If it does not exist, or is zero and xs is
+    # wrong, fail.
+    x = solve_x2(y).sqrt
+    raise ArgumentError, "decode error" if x.nil? or (x.zero? and xs != x.sign)
+    # If sign of x isn't correct, flip it.
+    x = -x if x.sign != xs
+    # Return the constructed point.
+    return x, y
+  end
+
+  def encode_base(b)
+    xp, yp = @x / @z, @y / @z
+    # Encode y.
+    s = yp.to_bytes(b)
+    # Add sign bit of x to encoding.
+    if xp.sign != 0
+      s.setbyte((b-1)/8, s.getbyte((b-1)/8) | (1 << ((b-1) % 8)))
+    end
+    return s
+  end
+
+  def *(x)
+    r = zero_elem
+    s = self
+    while x > 0
+      if (x % 2) > 0
+        r = r + s
+      end
+      s = s.double
+      x = x / 2
+    end
+    return r
+  end
+
+  # Check two points are equal.
+  def <=>(y)
+    # Need to check x1/z1 == x2/z2 and similarly for y, so cross-
+    # multiply to eliminate divisions.
+    xn1 = @x * y.z
+    xn2 = y.x * @z
+    yn1 = @y * y.z
+    yn2 = y.y * @z
+    return yn1 <=> yn2 if xn1 == xn2
+    return xn1 <=> xn2
+  end
+end
+
+# A point on Edwards25519.
+class JOSE::JWA::Edwards25519Point < JOSE::JWA::EdwardsPoint
+  # Create a new point on curve.
+  BASE_FIELD = JOSE::JWA::FieldElement.new(1, (2**255)-19).freeze
+  D = (-BASE_FIELD.make(121665)/BASE_FIELD.make(121666)).freeze
+  F0 = BASE_FIELD.make(0).freeze
+  F1 = BASE_FIELD.make(1).freeze
+  XB = BASE_FIELD.make(15112221349535400772501151409588531511454012693041857206046113283949847762202).freeze
+  YB = BASE_FIELD.make(46316835694926478169428394003475163141307993866256225615783033603165251855960).freeze
+  # Order of basepoint.
+  L = 7237005577332262213973186563042994240857116359379907606001950938285454250989
+  # The logarithm of cofactor.
+  C = 3
+  # The highest set bit
+  N = 254
+  # The coding length
+  B = 256
+
+  attr_accessor :t
+
+  # The standard base point.
+  def self.stdbase
+    return new(XB, YB)
+  end
+
+  def initialize(x, y)
+    # Check the point is actually on the curve.
+    raise ArgumentError, "Invalid point" if y*y-x*x != F1+D*x*x*y*y
+    initpoint(x, y)
+    @t = x*y
+  end
+
+  # Decode a point representation.
+  def decode(s)
+    x, y = decode_base(s, B)
+    return nil if x.nil?
+    return JOSE::JWA::Edwards25519Point.new(x, y)
+  end
+
+  # Encode a point representation.
+  def encode
+    return encode_base(B)
+  end
+
+  def normalize
+    xp, yp, zp = @x / @z, @y / @z, @z / @z
+    tmp = zero_elem
+    tmp.x, tmp.y, tmp.z, tmp.t = xp, yp, zp, xp * yp
+    return tmp
+  end
+
+  # Construct neutral point on this curve.
+  def zero_elem
+    return JOSE::JWA::Edwards25519Point.new(F0, F1)
+  end
+
+  # Solve for x^2.
+  def solve_x2(y)
+    return ((y*y-F1)/(D*y*y+F1))
+  end
+
+  # Point addition.
+  def +(y)
+    # The formulas are from EFD.
+    tmp = zero_elem
+    zcp = @z * y.z
+    a = (@y - @x) * (y.y - y.x)
+    b = (@y + @x) * (y.y + y.x)
+    c = (D + D) * @t * y.t
+    d = zcp + zcp
+    e, h = b - a, b + a
+    f, g = d - c, d + c
+    tmp.x, tmp.y, tmp.z, tmp.t = e * f, g * h, f * g, e * h
+    return tmp
+  end
+
+  # Point doubling.
+  def double
+    # The formulas are from EFD.
+    tmp = zero_elem
+    x1s, y1s, z1s = @x * @x, @y * @y, @z * @z
+    xys = @x + @y
+    h = -(x1s + y1s)
+    e = xys * xys + h
+    g = y1s - x1s
+    f = g - (z1s + z1s)
+    tmp.x, tmp.y, tmp.z, tmp.t = e * f, g * h, f * g, e * h
+    return tmp
+  end
+
+  def inspect
+    "\n{#{@x.x},\n"\
+    " #{@y.x},\n"\
+    " #{@z.x},\n"\
+    " #{@t.x}}"
+  end
+
+end
+
+# A point on Edward448
+class JOSE::JWA::Edwards448Point < JOSE::JWA::EdwardsPoint
+  # Create a new point on curve.
+  BASE_FIELD = JOSE::JWA::FieldElement.new(1, (2**448)-(2**224)-1).freeze
+  D = BASE_FIELD.make(-39081).freeze
+  F0 = BASE_FIELD.make(0).freeze
+  F1 = BASE_FIELD.make(1).freeze
+  XB = BASE_FIELD.make(224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710).freeze
+  YB = BASE_FIELD.make(298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660).freeze
+  # Order of basepoint.
+  L = 181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779
+  # The logarithm of cofactor.
+  C = 2
+  # The highest set bit
+  N = 447
+  # The coding length
+  B = 456
+
+  # The standard base point.
+  def self.stdbase
+    return new(XB, YB)
+  end
+
+  def initialize(x, y)
+    # Check the point is actually on the curve.
+    raise ArgumentError, "Invalid point" if y*y+x*x != F1+D*x*x*y*y
+    initpoint(x, y)
+  end
+
+  # Decode a point representation.
+  def decode(s)
+    x, y = decode_base(s, B)
+    return nil if x.nil?
+    return JOSE::JWA::Edwards448Point.new(x, y)
+  end
+
+  # Encode a point representation.
+  def encode
+    return encode_base(B)
+  end
+
+  def normalize
+    xp, yp, zp = @x / @z, @y / @z, @z / @z
+    tmp = zero_elem
+    tmp.x, tmp.y, tmp.z = xp, yp, zp
+    return tmp
+  end
+
+  # Construct neutral point on this curve.
+  def zero_elem
+    return JOSE::JWA::Edwards448Point.new(F0, F1)
+  end
+
+  # Solve for x^2.
+  def solve_x2(y)
+    return ((y*y-F1)/(D*y*y-F1))
+  end
+
+  # Point addition.
+  def +(y)
+    # The formulas are from EFD.
+    tmp = zero_elem
+    xcp, ycp, zcp = @x * y.x, @y * y.y, @z * y.z
+    b = zcp * zcp
+    e = D * xcp * ycp
+    f, g = b - e, b + e
+    tmp.x = zcp * f * ((@x + @y) * (y.x + y.y) - xcp - ycp)
+    tmp.y, tmp.z = zcp * g * (ycp - xcp), f * g
+    return tmp
+  end
+
+  # Point doubling.
+  def double
+    # The formulas are from EFD.
+    tmp = zero_elem
+    x1s, y1s, z1s = @x * @x, @y * @y, @z * @z
+    xys = @x + @y
+    f = x1s + y1s
+    j = f - (z1s + z1s)
+    tmp.x, tmp.y, tmp.z = (xys * xys - x1s - y1s) * j, f * (x1s - y1s), f * j
+    return tmp
+  end
+
+  def inspect
+    "\n{#{@x.x},\n"\
+    " #{@y.x},\n"\
+    " #{@z.x}}"
+  end
+
+end

data/lib/jose/jwa/field_element.rb

@@ -0,0 +1,161 @@
+class JOSE::JWA::FieldElement
+  include Comparable
+
+  attr_reader :x, :p
+
+  def initialize(x, p)
+    @p = p.to_bn
+    @x = x.to_bn % @p
+    @x = (@x.to_i % @p).to_bn if @x < 0
+  end
+
+  def <=>(y)
+    return nil if not y.is_a?(JOSE::JWA::FieldElement)
+    return @p <=> y.p if @p != y.p
+    return value <=> y.value
+  end
+
+  def +(y)
+    check_field_element(y)
+    return make(@x+y.x)
+  end
+
+  def **(y)
+    check_field_element(y)
+    return make(@x**y.x)
+  end
+
+  def -(y)
+    check_field_element(y)
+    return make(@p+@x-y.x)
+  end
+
+  def -@
+    return make(@p-@x)
+  end
+
+  def *(y)
+    check_field_element(y)
+    return make(@x*y.x)
+  end
+
+  def /(y)
+    check_field_element(y)
+    return self*y.inv()
+  end
+
+  def &(y)
+    ival = y.x.to_i if y.is_a?(JOSE::JWA::FieldElement) and check_field_element(y)
+    ival ||= y
+    return make(@x.to_i & ival)
+  end
+
+  def |(y)
+    ival = y.x.to_i if y.is_a?(JOSE::JWA::FieldElement) and check_field_element(y)
+    ival ||= y
+    return make(@x.to_i | ival)
+  end
+
+  def ^(y)
+    ival = y.x.to_i if y.is_a?(JOSE::JWA::FieldElement) and check_field_element(y)
+    ival ||= y
+    return make(@x.to_i ^ ival)
+  end
+
+  def ~@
+    return make(~@x.to_i)
+  end
+
+  def <<(y)
+    ival = y.x.to_i if y.is_a?(JOSE::JWA::FieldElement) and check_field_element(y)
+    ival ||= y
+    return make(@x.to_i << ival)
+  end
+
+  def >>(y)
+    ival = y.x.to_i if y.is_a?(JOSE::JWA::FieldElement) and check_field_element(y)
+    ival ||= y
+    return make(@x.to_i >> ival)
+  end
+
+  def inv
+    return make(@x.mod_inverse(@p))
+  end
+
+  def sqr
+    return self*self
+  end
+
+  def sqrt
+    y = nil
+    # Compute candidate square root.
+    if (@p % 4) == 3
+      y = JOSE::JWA::FieldElement.sqrt4k3(@x,@p)
+    elsif (@p % 8) == 5
+      y = JOSE::JWA::FieldElement.sqrt8k5(@x,@p)
+    else
+      raise NotImplementedError, 'sqrt(_,8k+1)'
+    end
+    # Check square root candidate valid.
+    return y if y*y == self
+    return nil
+  end
+
+  def make(ival)
+    return JOSE::JWA::FieldElement.new(ival,@p)
+  end
+
+  def sign
+    return @x%2
+  end
+
+  def value
+    return (@p-@x)*(-1) if negative?
+    return @x
+  end
+
+  def from_bytes(x, b)
+    x = x.pack(JOSE::JWA::UCHAR_PACK) if x.is_a?(Array)
+    rv = OpenSSL::BN.new(x.reverse, 2)# % (2**(b-1))
+
+    raise ArgumentError, "x is larger than or equal to p (#{rv})" if rv >= @p
+    return make(rv)
+  end
+
+  def to_bytes(b)
+    return @x.to_s(2).rjust(b.to_i.div(8), JOSE::JWA::ZERO_PAD).reverse
+  end
+
+  def negative?
+    return !!(sign.zero? and not zero?)
+  end
+
+  def positive?
+    return !negative?
+  end
+
+  def zero?
+    return @x.zero?
+  end
+
+  def self.sqrt4k3(x, p)
+    return self.new(x.mod_exp(((p+1)/4)[0], p), p)
+  end
+
+  def self.sqrt8k5(x, p)
+    y = x.mod_exp(((p+3)/8)[0], p)
+    # If the square root exists, it is either y, or y*2^(p-1)/4.
+    if y.mod_sqr(p) == (x % p)
+      return self.new(y, p)
+    else
+      z = 2.to_bn.mod_exp(((p-1)/4)[0], p)
+      return self.new(y.mod_mul(z, p), p)
+    end
+  end
+
+private
+  def check_field_element(y)
+    raise ArgumentError, "fields don't match" if not y.is_a?(JOSE::JWA::FieldElement) or @p != y.p
+    return true
+  end
+end

data/lib/jose/jwa/sha3.rb

@@ -0,0 +1,150 @@
+module JOSE::JWA::SHA3
+
+  extend self
+
+  ROUNDS5   = (0...5).to_a.freeze
+  ROUNDS23  = (0...23).to_a.freeze
+  ROUNDS24  = (0...24).to_a.freeze
+  ROUNDS25  = (0...25).to_a.freeze
+  ROUNDSBY5 = [0, 5, 10, 15, 20].freeze
+
+  ROTATIONS = [
+    0,1,62,28,27,36,44,6,55,20,3,10,43,25,39,41,45,15,
+    21,8,18,2,61,56,14
+  ].freeze
+
+  PERMUTATION = [
+    1,6,9,22,14,20,2,12,13,19,23,15,4,24,21,8,16,5,3,
+    18,17,11,7,10
+  ].freeze
+
+  RC = [
+    0x0000000000000001,0x0000000000008082,0x800000000000808a,
+    0x8000000080008000,0x000000000000808b,0x0000000080000001,
+    0x8000000080008081,0x8000000000008009,0x000000000000008a,
+    0x0000000000000088,0x0000000080008009,0x000000008000000a,
+    0x000000008000808b,0x800000000000008b,0x8000000000008089,
+    0x8000000000008003,0x8000000000008002,0x8000000000000080,
+    0x000000000000800a,0x800000008000000a,0x8000000080008081,
+    0x8000000000008080,0x0000000080000001,0x8000000080008008
+  ].freeze
+
+  # Rotate a word x by b places to the left.
+  def rol(x, b)
+    return ((x << b) | (x >> (64 - b))) & (2**64-1)
+  end
+
+  # Do the SHA-3 state transform on state s.
+  def sha3_transform(s)
+    ROUNDS24.each do |rnd|
+      # AddColumnParity (Theta)
+      c = [0]*5
+      d = [0]*5
+      ROUNDS25.each do |i|
+        c[i % 5] ^= s[i]
+      end
+      ROUNDS5.each do |i|
+        d[i] = c[(i+4) % 5] ^ rol(c[(i+1) % 5], 1)
+      end
+      ROUNDS25.each do |i|
+        s[i] ^= d[i % 5]
+      end
+      # RotateWords (Rho).
+      ROUNDS25.each do |i|
+        s[i] = rol(s[i], ROTATIONS[i])
+      end
+      # PermuteWords (Pi)
+      t = s[PERMUTATION[0]]
+      ROUNDS23.each do |i|
+        s[PERMUTATION[i]] = s[PERMUTATION[i+1]]
+      end
+      s[PERMUTATION[-1]] = t
+      # NonlinearMixRows (Chi)
+      ROUNDSBY5.each do |i|
+        t = [s[i],s[i+1],s[i+2],s[i+3],s[i+4],s[i],s[i+1]]
+        ROUNDS5.each do |j|
+          s[i+j] = t[j]^((~t[j+1])&(t[j+2]))
+        end
+      end
+      # AddRoundConstant (Iota)
+      s[0] ^= RC[rnd]
+    end
+    return s
+  end
+
+  # Reinterpret octet array b to word array and XOR it to state s.
+  def reinterpret_to_words_and_xor(s, b)
+    (0...(b.length/8)).each do |j|
+      block = b[(8*j)..-1][0...8]
+      block = block.pack(JOSE::JWA::UCHAR_PACK) if block.is_a?(Array)
+      s[j] ^= OpenSSL::BN.new(block.reverse, 2).to_i
+    end
+    return s
+  end
+
+  # Reinterpret word array w to octet array and return it.
+  def reinterpret_to_octets(w)
+    mp = ''.force_encoding('BINARY')
+    (0...(w.length)).each do |j|
+      mp << OpenSSL::BN.new(w[j]).to_s(2).rjust(8, JOSE::JWA::ZERO_PAD).reverse
+    end
+    return mp
+  end
+
+  # (semi-)generic SHA-3 implementation
+  def sha3_raw(msg, r_w, o_p, e_b)
+    r_b = 8 * r_w
+    s = [0]*25
+    # Handle whole blocks.
+    idx = 0
+    blocks = msg.bytesize / r_b
+    (0...blocks).each do |i|
+      reinterpret_to_words_and_xor(s, msg[idx..-1][0...r_b])
+      idx += r_b
+      sha3_transform(s)
+    end
+    # Handle last block padding.
+    m = msg[idx..-1].unpack(JOSE::JWA::UCHAR_PACK)
+    m.push(o_p)
+    while m.length < r_b
+      m.push(0)
+    end
+    m[-1] |= 128
+    # Handle padded last block.
+    reinterpret_to_words_and_xor(s, m)
+    sha3_transform(s)
+    # Output.
+    out = ''.force_encoding('BINARY')
+    while out.length < e_b
+      out << reinterpret_to_octets(s[0...r_w])
+      sha3_transform(s)
+    end
+    return out[0...e_b]
+  end
+
+  # Implementations of actual SHA-3 functions.
+  def sha3_224(msg)
+    return sha3_raw(msg,18,6,28)
+  end
+
+  def sha3_256(msg)
+    return sha3_raw(msg,17,6,32)
+  end
+
+  def sha3_384(msg)
+    return sha3_raw(msg,13,6,48)
+  end
+
+  def sha3_512(msg)
+    return sha3_raw(msg,9,6,64)
+  end
+
+  def shake128(msg,olen)
+    return sha3_raw(msg,21,31,olen)
+  end
+
+  def shake256(msg,olen)
+    return sha3_raw(msg,17,31,olen)
+  end
+
+end