jmg
/
lora-irrigation
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25 Commits
4 Branches
18 MiB
 
 
 
 
 
 
Tree: df2aac27e6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'df2aac27e6'
${ noResults }
lora-irrigation/strobe/python/Strobe/Toy25519.py

192 lines
4.9 KiB
Raw Blame History 

  1. # Toy25519.py - Toy Ed25519 arithmetic library with Strobelite interface.

  2. # This version of the Ed25519 library has the Edwards arithmetic, but no

  3. # hashing implemented for the signatures -- the hashing is done by Strobe lite.

  4. #

  5. # Written in 2011? by Daniel J. Bernstein <djb@cr.yp.to>

  6. #            2013 by Donald Stufft <donald@stufft.io>

  7. #            2013 by Alex Gaynor <alex.gaynor@gmail.com>

  8. #            2013 by Greg Price <price@mit.edu>

  9. #            2015 by Mike Hamburg <mike@shiftleft.org>

  10. #

  11. # To the extent possible under law, the author(s) have dedicated all copyright

  12. # and related and neighboring rights to this software to the public domain

  13. # worldwide. This software is distributed without any warranty.

  14. #

  15. # You should have received a copy of the CC0 Public Domain Dedication along

  16. # with this software. If not, see

  17. # <http://creativecommons.org/publicdomain/zero/1.0/>.

  18. 

  19. """

  20. NB: This code is not safe for use with secret keys or secret data.

  21. The only safe use of this code is for verifying signatures on public messages.

  22. 

  23. Functions for computing the public key of a secret key and for signing

  24. a message are included, namely publickey_unsafe and signature_unsafe,

  25. for testing purposes only.

  26. 

  27. The root of the problem is that Python's long-integer arithmetic is

  28. not designed for use in cryptography.  Specifically, it may take more

  29. or less time to execute an operation depending on the values of the

  30. inputs, and its memory access patterns may also depend on the inputs.

  31. This opens it to timing and cache side-channel attacks which can

  32. disclose data to an attacker.  We rely on Python's long-integer

  33. arithmetic, so we cannot handle secrets without risking their disclosure.

  34. """

  35. 

  36. import hashlib

  37. import operator

  38. import sys

  39. import os

  40. 

  41. 

  42. __version__ = "1.0.dev0"

  43. 

  44. 

  45. # Useful for very coarse version differentiation.

  46. PY3 = sys.version_info[0] == 3

  47. 

  48. b = 256

  49. q = 2 ** 255 - 19

  50. l = 2 ** 252 + 27742317777372353535851937790883648493

  51. 

  52. def inv(z):

  53.     """$= z^{-1} \mod q$, for z != 0"""

  54.     return pow(z,q-2,q)

  55.     

  56. 

  57. d = -121665 * inv(121666) % q

  58. I = pow(2, (q - 1) // 4, q)

  59. 

  60. def xrecover(y):

  61.     xx = (y * y - 1) * inv(d * y * y + 1)

  62.     x = pow(xx, (q + 3) // 8, q)

  63. 

  64.     if (x * x - xx) % q != 0:

  65.         x = (x * I) % q

  66. 

  67.     if (x * x - xx) % q != 0:

  68.         # It ain't square!

  69.         return None

  70.         

  71.     if x % 2 != 0:

  72.         x = q-x

  73. 

  74.     return x

  75. 

  76. def decodeint(s):

  77.     s = bytearray(s)

  78.     return sum(b<<(8*i) for i,b in enumerate(s))

  79. 

  80. def encodeint(y,bytes=32):

  81.     if y >= 1<<(8*bytes): return None

  82.     return bytearray([

  83.         (y>>(8*i)) & 0xFF

  84.         for i in range(bytes)

  85.     ])

  86.     

  87. def decodepoint(s):

  88.     ss = bytearray(s)

  89.     xlo = ss[-1]>>7

  90.     ss[-1] &= 0x7F

  91.     

  92.     y = decodeint(ss)

  93.     if y >= q: return None

  94.     

  95.     x = xrecover(y)

  96.     if x is None: return None

  97.     

  98.     if x & 1 != xlo: x = q - x

  99.     

  100.     P = (x, y, 1, (x*y) % q)

  101.     return P

  102. 

  103. def encodepoint(P):

  104.     (x, y, z, t) = P

  105.     zi = inv(z)

  106.     x = (x * zi) % q

  107.     y = (y * zi) % q

  108.     ss = encodeint(y)

  109.     ss[-1] ^= 0x80 * (x&1)

  110.     return ss

  111. 

  112. B = decodepoint(encodeint((4*inv(5)) % q))

  113. ident = (0, 1, 1, 0)

  114. 

  115. def edwards_neg(point):

  116.     (x,y,z,t) = point

  117.     return (q-x)%q,y,z,(q-t)%q

  118.     

  119. def edwards_add(P, Q):

  120.     # This is formula sequence 'addition-add-2008-hwcd-3' from

  121.     # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html

  122.     (x1, y1, z1, t1) = P

  123.     (x2, y2, z2, t2) = Q

  124. 

  125.     a = (y1-x1)*(y2-x2) % q

  126.     b = (y1+x1)*(y2+x2) % q

  127.     c = t1*2*d*t2 % q

  128.     dd = z1*2*z2 % q

  129.     e = b - a

  130.     f = dd - c

  131.     g = dd + c

  132.     h = b + a

  133.     x3 = e*f

  134.     y3 = g*h

  135.     t3 = e*h

  136.     z3 = f*g

  137. 

  138.     return (x3 % q, y3 % q, z3 % q, t3 % q)

  139. 

  140. def edwards_double(P):

  141.     # MH: optimization not worth it.

  142.     return edwards_add(P,P)

  143. 

  144. def scalarmult(P, e):

  145.     if e == 0:

  146.         return ident

  147.     Q = scalarmult(P, e // 2)

  148.     Q = edwards_double(Q)

  149.     if e & 1:

  150.         Q = edwards_add(Q, P)

  151.     return Q

  152.     

  153. def scalarmult_B(e):

  154.     # MH: optimization not worth it

  155.     return scalarmult(B, e)

  156. 

  157. class Toy25519:

  158.     challenge_bytes = 32

  159. 

  160.     @staticmethod

  161.     def get_pubkey(sk):

  162.         return encodepoint(scalarmult_B(decodeint(sk)))

  163. 

  164.     @staticmethod

  165.     def keygen():

  166.         sk = bytearray(os.urandom((b+7)//8))

  167.         return Toy25519.get_pubkey(sk),sk

  168. 

  169.     @staticmethod

  170.     def ecdh(pk,sk):

  171.         P = decodepoint(pk)

  172.         if P is None: return None

  173.         return encodepoint(scalarmult(P,8*decodeint(sk)))

  174. 

  175.     @staticmethod

  176.     def sig_response(secret,esec,challenge):

  177.         sl = decodeint(secret)

  178.         el = decodeint(esec)

  179.         cl = decodeint(challenge)

  180.         response = (sl * cl + el) % l

  181.         return encodeint(response)

  182.     

  183.     @staticmethod

  184.     def sig_verify(pk,eph,challenge,response):

  185.         P = decodepoint(pk)

  186.         if P is None: return False

  187.         MPC = scalarmult(edwards_neg(P),decodeint(challenge))

  188.         BR = scalarmult_B(decodeint(response))

  189.         EE = edwards_add(MPC,BR)

  190.         return encodepoint(EE) == eph