SM9-密钥交换

算法过程

代码实现

///************************************************************************ 
//  File name:    SM9_Key_ex.c 
//  Version:      SM9_Key_ex_V1.0 
//  Date:         Jan 1,2017 
//  Description:  implementation of SM9 Key Exchange Protocol 
//                all operations based on BN curve line function 
//  Function List: 
//        1.bytes128_to_ecn2        //convert char into ecn2 
//        2.zzn12_ElementPrint      //print all element of struct zzn12 
//        3.LinkCharZzn12           //link two different types(unsigned char and zzn12)to one(unsigned char) 
//        4.Test_Point              //test if the given point is on SM9 curve 
//        5.SM9_KeyEx_KDF           //calculate KDF(IDA||IDB||RA||RB||g1||g2||g3) 
//        6.SM9_KeyEx_Hash          //calculate Hash(hashid||g1||Hash(g2||g3||IDA||IDB||RA||RB)) 
//        7.SM9_H1                  //function H1 in SM9 standard 5.4.2.2 
//        8.SM9_Init                //initiate SM9 curve 
//        9.SM9_GenerateEncryptKey  //generate encrypted private and public key 
//        10.SM9_KeyEx_InitA_I      //calculate RA (Step A1-A4) 
//        11.SM9_KeyEx_ReB_I        //calculate RB ,a hash Value SB and a shared key SKB(Step B1-A7) 
//        12.SM9_KeyEx_InitA_II     //initiator A calculate the secret key SKA and a hash 
//SA which responder B might verifies(Step A5-A7) 
//        13.SM9_KeyEx_ReB_II       //Step B10 (optional) verifies the hash value SA received from initiator A 
//        14.SM9_SelfCheck()        //SM9 slef-check 

// 
// Notes: 
// This SM9 implementation source code can be used for academic, non-profit making or non-commercial use only. 
// This SM9 implementation is created on MIRACL. SM9 implementation source code provider does not provide MIRACL library, MIRACL license or any permission to use MIRACL library. Any commercial use of MIRACL requires a license which may be obtained from Shamus Software Ltd. 

//**************************************************************************/ 

#include "SM9_Key_ex.h" 

#include "kdf.h" 


/****************************************************************
Function:       bytes128_to_ecn2
Description:    convert 128 bytes into ecn2
Calls:          MIRACL functions
Called By:      SM9_Init,SM9_KeyEx_ReB_I, SM9_KeyEx_InitA_II
Input:          Ppubs[]
Output:         ecn2 *res
Return:         FALSE: execution error
TRUE: execute correctly
Others:
****************************************************************/
BOOL bytes128_to_ecn2(unsigned char Ppubs[], ecn2 *res)
{
	zzn2 x, y;
	big a, b;
	ecn2 r;
	r.x.a = mirvar(0); r.x.b = mirvar(0);
	r.y.a = mirvar(0); r.y.b = mirvar(0);
	r.z.a = mirvar(0); r.z.b = mirvar(0);
	r.marker = MR_EPOINT_INFINITY;

	x.a = mirvar(0); x.b = mirvar(0);
	y.a = mirvar(0); y.b = mirvar(0);
	a = mirvar(0); b = mirvar(0);

	bytes_to_big(BNLEN, Ppubs, b);
	bytes_to_big(BNLEN, Ppubs + BNLEN, a);
	zzn2_from_bigs(a, b, &x);
	bytes_to_big(BNLEN, Ppubs + BNLEN * 2, b);
	bytes_to_big(BNLEN, Ppubs + BNLEN * 3, a);
	zzn2_from_bigs(a, b, &y);

	return ecn2_set(&x, &y, res);
}
/****************************************************************
Function:       zzn12_ElementPrint
Description:    print all element of struct zzn12
Calls:          MIRACL functions
Called By:      SM9_KeyEx_ReB_I,SM9_KeyEx_InitA_II
Input:          zzn12 x
Output:         NULL
Return:         NULL
Others:
****************************************************************/
void zzn12_ElementPrint(zzn12 x)
{
	big tmp;
	tmp = mirvar(0);

	redc(x.c.b.b, tmp); cotnum(tmp, stdout);
	redc(x.c.b.a, tmp); cotnum(tmp, stdout);
	redc(x.c.a.b, tmp); cotnum(tmp, stdout);
	redc(x.c.a.a, tmp); cotnum(tmp, stdout);
	redc(x.b.b.b, tmp); cotnum(tmp, stdout);
	redc(x.b.b.a, tmp); cotnum(tmp, stdout);
	redc(x.b.a.b, tmp); cotnum(tmp, stdout);
	redc(x.b.a.a, tmp); cotnum(tmp, stdout);
	redc(x.a.b.b, tmp); cotnum(tmp, stdout);
	redc(x.a.b.a, tmp); cotnum(tmp, stdout);
	redc(x.a.a.b, tmp); cotnum(tmp, stdout);
	redc(x.a.a.a, tmp); cotnum(tmp, stdout);
}


/****************************************************************
Function:       LinkCharZzn12
Description:    link two different types(unsigned char and zzn12)to one(unsigned char)
Calls:          MIRACL functions
Called By:      SM9_KeyEx_KDF,SM9_KeyEx_Hash
Input:          message:
len:    length of message
w:      zzn12 element
Output:         Z:      the characters array stored message and w
Zlen:   length of Z
Return:         NULL
Others:
****************************************************************/
void LinkCharZzn12(unsigned char *message, int len, zzn12 w, unsigned char *Z, int Zlen)
{
	big tmp;

	tmp = mirvar(0);

	memcpy(Z, message, len);
	redc(w.c.b.b, tmp); big_to_bytes(BNLEN, tmp, Z + len, 1);
	redc(w.c.b.a, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN, 1);
	redc(w.c.a.b, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 2, 1);
	redc(w.c.a.a, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 3, 1);
	redc(w.b.b.b, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 4, 1);
	redc(w.b.b.a, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 5, 1);
	redc(w.b.a.b, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 6, 1);
	redc(w.b.a.a, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 7, 1);
	redc(w.a.b.b, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 8, 1);
	redc(w.a.b.a, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 9, 1);
	redc(w.a.a.b, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 10, 1);
	redc(w.a.a.a, tmp); big_to_bytes(BNLEN, tmp, Z + len + BNLEN * 11, 1);
}

/****************************************************************
Function:       Test_Point
Description:    test if the given point is on SM9 curve
Calls:          MIRACL functions
Called By:      SM9_KeyEx_ReB_I,SM9_KeyEx_InitA_II
Input:          point
Output:         null
Return:         0: success
1: not a valid point on curve

Others:
****************************************************************/
int Test_Point(epoint* point)
{
	big x, y, x_3, tmp;
	epoint *buf;

	x = mirvar(0); y = mirvar(0);
	x_3 = mirvar(0);
	tmp = mirvar(0);
	buf = epoint_init();

	//test if y^2=x^3+b 
	epoint_get(point, x, y);
	power(x, 3, para_q, x_3);     //x_3=x^3 mod p 
	multiply(x, para_a, x);
	divide(x, para_q, tmp);
	add(x_3, x, x);                  //x=x^3+ax+b 
	add(x, para_b, x);
	divide(x, para_q, tmp);          //x=x^3+ax+b mod p 
	power(y, 2, para_q, y);        //y=y^2 mod p 
	if (mr_compare(x, y) != 0)
		return 1;

	//test infinity 
	ecurve_mult(N, point, buf);
	if (point_at_infinity(buf) == FALSE)
		return 1;

	return 0;
}


/****************************************************************
Function:       SM9_KeyEx_KDF
Description:    calculate KDF(IDA||IDB||RA||RB||g1||g2||g3)
Calls:          MIRACL functions,LinkCharZzn12,SM3_KDF
Called By:      SM9_KeyEx_ReB_I,SM9_KeyEx_InitA_II
Input:          IDA,IDB:   //identification of user A and B
RA,RB      //element of group G1
g1,g2,g3   //R-ate pairing
klen       //bytelen of K
Output:         K          //shared secret key
Return:         0: success
1: asking for memory error
Others:
****************************************************************/
int SM9_KeyEx_KDF(unsigned char *IDA, unsigned char *IDB, epoint *RA, epoint *RB, zzn12 g1, zzn12 g2, zzn12 g3, int klen, unsigned char K[])
{
	unsigned char *Z = NULL;
	int Zlen;
	int IDALen = strlen(IDA), IDBLen = strlen(IDB);
	big x1, y1, x2, y2;

	x1 = mirvar(0); y1 = mirvar(0);
	x2 = mirvar(0); y2 = mirvar(0);
	epoint_get(RA, x1, y1);
	epoint_get(RB, x2, y2);

	Zlen = IDALen + IDBLen + BNLEN * 40;
	Z = (char *)malloc(sizeof(char)*(Zlen + 1));
	if (Z == NULL) return SM9_ASK_MEMORY_ERR;

	memcpy(Z, IDA, IDALen);
	memcpy(Z + IDALen, IDB, IDBLen);
	big_to_bytes(BNLEN, x1, Z + IDALen + IDBLen, 1);
	big_to_bytes(BNLEN, y1, Z + IDALen + IDBLen + BNLEN, 1);
	big_to_bytes(BNLEN, x2, Z + IDALen + IDBLen + BNLEN * 2, 1);
	big_to_bytes(BNLEN, y2, Z + IDALen + IDBLen + BNLEN * 3, 1);
	LinkCharZzn12(Z, 0, g1, Z + IDALen + IDBLen + BNLEN * 4, BNLEN * 12);
	LinkCharZzn12(Z, 0, g2, Z + IDALen + IDBLen + BNLEN * 16, BNLEN * 12);
	LinkCharZzn12(Z, 0, g3, Z + IDALen + IDBLen + BNLEN * 28, BNLEN * 12);

	SM3_KDF(Z, Zlen, klen, K);
	free(Z);
	return 0;
}


/****************************************************************
Function:       SM9_KeyEx_Hash
Description:    calculate Hash(hashid||g1||Hash(g2||g3||IDA||IDB||RA||RB))
Calls:          MIRACL functions,LinkCharZzn12,SM3_256
Called By:      SM9_KeyEx_ReB_I,SM9_KeyEx_InitA_II
Input:
hashid     //0x82,0x83
IDA,IDB:   //identification of user A and B
RA,RB      //element of group G1
g1,g2,g3   //R-ate pairing
Output:
hash       //hash=Hash(hashid||g1||Hash(g2||g3||IDA||IDB||RA||RB))
Return:         0: success
1: asking for memory error
Others:
****************************************************************/
int SM9_KeyEx_Hash(unsigned char hashid[], unsigned char *IDA, unsigned char *IDB, epoint *RA, epoint *RB, zzn12 g1, zzn12 g2, zzn12 g3, unsigned char hash[])
{
	int Zlen;
	int IDALen = strlen(IDA), IDBLen = strlen(IDB);
	unsigned char *Z = NULL;
	big x1, y1, x2, y2;

	x1 = mirvar(0); y1 = mirvar(0);
	x2 = mirvar(0); y2 = mirvar(0);
	epoint_get(RA, x1, y1); epoint_get(RB, x2, y2);

	Zlen = IDALen + IDBLen + BNLEN * 28;
	Z = (char *)malloc(sizeof(char)*(Zlen + 1));
	if (Z == NULL) return SM9_ASK_MEMORY_ERR;

	LinkCharZzn12(Z, 0, g2, Z, BNLEN * 12);
	LinkCharZzn12(Z, 0, g3, Z + BNLEN * 12, BNLEN * 12);
	memcpy(Z + BNLEN * 24, IDA, IDALen);
	memcpy(Z + BNLEN * 24 + IDALen, IDB, IDBLen);
	big_to_bytes(BNLEN, x1, Z + BNLEN * 24 + IDALen + IDBLen, 1);
	big_to_bytes(BNLEN, y1, Z + BNLEN * 25 + IDALen + IDBLen, 1);
	big_to_bytes(BNLEN, x2, Z + BNLEN * 26 + IDALen + IDBLen, 1);
	big_to_bytes(BNLEN, y2, Z + BNLEN * 27 + IDALen + IDBLen, 1);

	SM3_256(Z, Zlen, hash);

	Zlen = 1 + BNLEN * 12 + SM3_len / 8;
	memcpy(Z, hashid, 1);
	LinkCharZzn12(Z, 1, g1, Z, 1 + BNLEN * 12);
	memcpy(Z + 1 + BNLEN * 12, hash, SM3_len / 8);

	SM3_256(Z, Zlen, hash);
	free(Z);
	return 0;
}
/****************************************************************
Function:       SM9_H1
Description:    function H1 in SM9 standard 5.4.2.2
Calls:          MIRACL functions,SM3_KDF
Called By:      SM9_GenerateEncryptKey,SM9_KeyEx_InitA_I
Input:          Z:
Zlen:the length of Z
n:Frobniues constant X
Output:         h1=H1(Z,Zlen)
Return:         0: success;
1: asking for memory error
Others:
****************************************************************/
int SM9_H1(unsigned char Z[], int Zlen, big n, big h1)
{
	int hlen, i, ZHlen;
	big hh, i256, tmp, n1;
	unsigned char *ZH = NULL, *ha = NULL;

	hh = mirvar(0); i256 = mirvar(0);
	tmp = mirvar(0); n1 = mirvar(0);
	convert(1, i256);
	ZHlen = Zlen + 1;

	hlen = (int)ceil((5.0*logb2(n)) / 32.0);
	decr(n, 1, n1);
	ZH = (char *)malloc(sizeof(char)*(ZHlen + 1));
	if (ZH == NULL) return SM9_ASK_MEMORY_ERR;
	memcpy(ZH + 1, Z, Zlen);
	ZH[0] = 0x01;
	ha = (char *)malloc(sizeof(char)*(hlen + 1));
	if (ha == NULL) return SM9_ASK_MEMORY_ERR;
	SM3_KDF(ZH, ZHlen, hlen, ha);

	for (i = hlen - 1; i >= 0; i--)//key[从大到小] 
	{
		premult(i256, ha[i], tmp);
		add(hh, tmp, hh);
		premult(i256, 256, i256);
		divide(i256, n1, tmp);
		divide(hh, n1, tmp);
	}
	incr(hh, 1, h1);
	free(ZH); free(ha);
	return 0;
}



/****************************************************************
Function:       SM9_Init
Description:    Initiate SM9 curve
Calls:          MIRACL functions
Called By:      SM9_SelfCheck
Input:          null
Output:         null
Return:         0: success;
5: base point P1 error
6: base point P2 error
Others:
****************************************************************/
int ARS_SM9_Init()
{
	big P1_x, P1_y;

	para_q = mirvar(0); N = mirvar(0);
	P1_x = mirvar(0);  P1_y = mirvar(0);
	para_a = mirvar(0);
	para_b = mirvar(0); para_t = mirvar(0);
	X.a = mirvar(0);  X.b = mirvar(0);
	P2.x.a = mirvar(0); P2.x.b = mirvar(0);
	P2.y.a = mirvar(0); P2.y.b = mirvar(0);
	P2.z.a = mirvar(0); P2.z.b = mirvar(0);
	P2.marker = MR_EPOINT_INFINITY;

	P1 = epoint_init();
	bytes_to_big(BNLEN, SM9_q, para_q);
	bytes_to_big(BNLEN, SM9_P1x, P1_x);
	bytes_to_big(BNLEN, SM9_P1y, P1_y);
	bytes_to_big(BNLEN, SM9_a, para_a);
	bytes_to_big(BNLEN, SM9_b, para_b);
	bytes_to_big(BNLEN, SM9_N, N);
	bytes_to_big(BNLEN, SM9_t, para_t);

	mip->TWIST = MR_SEXTIC_M;
	ecurve_init(para_a, para_b, para_q, MR_PROJECTIVE);  //Initialises GF(q) elliptic curve 
														 //MR_PROJECTIVE specifying  projective coordinates 

	if (!epoint_set(P1_x, P1_y, 0, P1)) return SM9_G1BASEPOINT_SET_ERR;


	if (!(bytes128_to_ecn2(SM9_P2, &P2)))   return SM9_G2BASEPOINT_SET_ERR;
	set_frobenius_constant(&X);

	return 0;
}

/***************************************************************
Function:       SM9_GenerateEncryptKey
Description:    Generate encryption keys(public key and private key)
Calls:          MIRACL functions,SM9_H1,xgcd
Called By:      SM9_SelfCheck
Input:          hid:0x02
ID:identification
IDlen:the length of ID
ke:master private key used to generate encryption public key and private key
Output:         Ppubs:encryption public key
deB: encryption private key
Return:         0: success;
1: asking for memory error
Others:
****************************************************************/
int ARS_SM9_GenerateEncryptKey(unsigned char hid[], unsigned char *ID, int IDlen, big ke, unsigned char Ppubs[], unsigned char deB[])
{
	big h1, t1, t2, rem, xPpub, yPpub, tmp;
	unsigned char *Z = NULL;
	int Zlen = IDlen + 1, buf;
	ecn2 dEB;
	epoint *Ppub;

	h1 = mirvar(0); t1 = mirvar(0);
	t2 = mirvar(0); rem = mirvar(0); tmp = mirvar(0);
	xPpub = mirvar(0); yPpub = mirvar(0);
	Ppub = epoint_init();
	dEB.x.a = mirvar(0); dEB.x.b = mirvar(0); dEB.y.a = mirvar(0); dEB.y.b = mirvar(0);
	dEB.z.a = mirvar(0); dEB.z.b = mirvar(0); dEB.marker = MR_EPOINT_INFINITY;

	Z = (char *)malloc(sizeof(char)*(Zlen + 1));
	memcpy(Z, ID, IDlen);
	memcpy(Z + IDlen, hid, 1);

	buf = SM9_H1(Z, Zlen, N, h1);
	if (buf != 0)    return buf;
	add(h1, ke, t1);//t1=H1(IDA||hid,N)+ks 
	xgcd(t1, N, t1, t1, t1);//t1=t1(-1) 
	multiply(ke, t1, t2); divide(t2, N, rem);//t2=ks*t1(-1) 

											 //Ppub=[ke]P2 
	ecurve_mult(ke, P1, Ppub);

	//deB=[t2]P2 
	ecn2_copy(&P2, &dEB);
	ecn2_mul(t2, &dEB);

	epoint_get(Ppub, xPpub, yPpub);
	big_to_bytes(BNLEN, xPpub, Ppubs, 1);
	big_to_bytes(BNLEN, yPpub, Ppubs + BNLEN, 1);

	redc(dEB.x.b, tmp); big_to_bytes(BNLEN, tmp, deB, 1);
	redc(dEB.x.a, tmp); big_to_bytes(BNLEN, tmp, deB + BNLEN, 1);
	redc(dEB.y.b, tmp); big_to_bytes(BNLEN, tmp, deB + BNLEN * 2, 1);
	redc(dEB.y.a, tmp); big_to_bytes(BNLEN, tmp, deB + BNLEN * 3, 1);

	free(Z);
	return 0;
}


/****************************************************************
Function:       SM9_KeyEx_InitA_I
Description:    calculate RA (Step A1-A4)
Calls:          MIRACL functions,SM9_H1
Called By:      SM9_SelfCheck()
Input:
hid:0x02
IDB          //identification of userB
randA        //a random number K lies in [1,N-1]
Ppubs        //encryption public key
deA          //decryption private key of user A
Output:
RA           //RA=[rA]QB
Return:
0: success
1: asking for memory error
Others:
****************************************************************/
int ARS_SM9_KeyEx_InitA_I(unsigned char hid[], unsigned char *IDB, unsigned char randA[],unsigned char Ppub[], unsigned char deA[], epoint *RA)
{
	big h, x, y, rA;
	epoint *Ppube, *QB;
	unsigned char *Z = NULL;
	int Zlen, buf;

	//initiate 
	h = mirvar(0); rA = mirvar(0); x = mirvar(0); y = mirvar(0);
	QB = epoint_init(); Ppube = epoint_init();

	bytes_to_big(BNLEN, Ppub, x);
	bytes_to_big(BNLEN, Ppub + BNLEN, y);
	epoint_set(x, y, 0, Ppube);

	//----------A1:calculate QB=[H1(IDB||hid,N)]P1+Ppube---------- 
	Zlen = strlen(IDB) + 1;
	Z = (char *)malloc(sizeof(char)*(Zlen + 1));
	if (Z == NULL) return SM9_ASK_MEMORY_ERR;
	memcpy(Z, IDB, strlen(IDB));
	memcpy(Z + strlen(IDB), hid, 1);
	buf = SM9_H1(Z, Zlen, N, h);
	if (buf) return buf;
	ecurve_mult(h, P1, QB);
	ecurve_add(Ppube, QB);

	printf("*******************QB:=[H1(IDB||hid,N)]P1+Ppube*****************\n");
	epoint_get(QB, x, y);
	cotnum(x, stdout); cotnum(y, stdout);

	//--------------- Step A2:randnom ------------------- 
	bytes_to_big(BNLEN, randA, rA);
	printf("\n*********************随机数 rA:******************************\n");
	cotnum(rA, stdout);

	//----------------Step A3:RA=[r]QB 
	ecurve_mult(rA, QB, RA);

	free(Z);
	return 0;
}

/****************************************************************
Function:       SM9_KeyEx_ReB_I
Description:    calculate RB ,a hash Value SB and a shared key SKB(Step B1-A7)
Calls:          MIRACL functions,SM9_H1,Test_Point,ecap(),member(),
zzn12_pow,zzn12_ElementPrint(),SM9_KeyEx_Hash
Called By:      SM9_SelfCheck()
Input:
hid:0x02
IDA,IDB      //identification of userA and B
randB        //a random number K lies in [1,N-1]
Ppub         //encryption public key
deB          //decryption private key of user B
RA           //temporary value received from initiator A
Output:
RB           //RB=[rB]QA
SB           //(option) calculates a hash value SB that initiator A might verifies
g1,g2,g3     //R-ate pairings used to calculate S2 in function  SM9_KeyEx_ReB_II
Return:
0: success
1: asking for memory error
2: element is out of order q
3: R-ate calculation error
4: RA is not valid
Others:
****************************************************************/
int ARS_SM9_KeyEx_ReB_I(unsigned char hid[], unsigned char *IDA, unsigned char *IDB, unsigned char randB[], unsigned char Ppub[],
	unsigned char deB[], epoint *RA, epoint *RB, unsigned char SB[], zzn12 *g1, zzn12 *g2, zzn12 *g3)
{
	big h, x, y, rB;
	epoint *Ppube, *QA;
	unsigned char *Z = NULL, hashid[] = { 0x82 };
	unsigned char SKB[16];
	ecn2 dEB;
	int Zlen, buf, i;

	//initiate 
	h = mirvar(0); rB = mirvar(0); x = mirvar(0); y = mirvar(0);
	QA = epoint_init(); Ppube = epoint_init();
	dEB.x.a = mirvar(0); dEB.x.b = mirvar(0); dEB.y.a = mirvar(0); dEB.y.b = mirvar(0);
	dEB.z.a = mirvar(0); dEB.z.b = mirvar(0); dEB.marker = MR_EPOINT_INFINITY;

	bytes_to_big(BNLEN, Ppub, x); bytes_to_big(BNLEN, Ppub + BNLEN, y);
	bytes128_to_ecn2(deB, &dEB);
	epoint_set(x, y, 0, Ppube);

	//----------B1:calculate QA=[H1(IDA||hid,N)]P1+Ppube---------- 
	Zlen = strlen(IDA) + 1;
	Z = (char *)malloc(sizeof(char)*(Zlen + 1));
	if (Z == NULL) return SM9_ASK_MEMORY_ERR;
	memcpy(Z, IDA, strlen(IDA));
	memcpy(Z + strlen(IDA), hid, 1);

	buf = SM9_H1(Z, Zlen, N, h);
	if (buf) return buf;
	ecurve_mult(h, P1, QA);
	ecurve_add(Ppube, QA);
	printf("*****************QA:=[H1(IDA||hid,N)]P1+Ppube*****************\n");
	epoint_get(QA, x, y);
	cotnum(x, stdout); cotnum(y, stdout);

	//--------------- Step B2:randnom ------------------- 
	bytes_to_big(BNLEN, randB, rB);
	printf("\n*********************随机数 rB:********************************\n");
	cotnum(rB, stdout);

	//----------------Step B3:RB=[rB]QA------------------ 
	ecurve_mult(rB, QA, RB);
	printf("\n***********************:RB=[rB]QA*******************************\n");
	epoint_get(RB, x, y);
	cotnum(x, stdout); cotnum(y, stdout);

	//test if RA is on G1 
	if (Test_Point(RA)) return SM9_NOT_VALID_G1;

	//----------------Step B4:g1=e(deB,RA),g2=(e(P2,Ppube))^rB,g3=g1^rB 
	if (!ecap(dEB, RA, para_t, X, g1)) return SM9_MY_ECAP_12A_ERR;
	if (!ecap(P2, Ppube, para_t, X, g2)) return SM9_MY_ECAP_12A_ERR;
	//test if a ZZn12 element is of order q 
	if ((!member(*g1, para_t, X)) || (!member(*g2, para_t, X))) return SM9_MEMBER_ERR;

	*g2 = zzn12_pow(*g2, rB);
	*g3 = zzn12_pow(*g1, rB);

	printf("\n*********************g1=e(RA,deB):****************************\n");
	zzn12_ElementPrint(*g1);
	printf("\n*****************g2=(e(P2,Ppub3))^rB:*************************\n");
	zzn12_ElementPrint(*g2);
	printf("\n*********************g3=g1^rB:********************************\n");
	zzn12_ElementPrint(*g3);

	//---------------- B5:SKB=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen)---------- 
	buf = SM9_KeyEx_KDF(IDA, IDB, RA, RB, *g1, *g2, *g3, 16, SKB);
	if (buf) return buf;
	printf("\n*********SKB=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen):***********\n");
	for (i = 0; i<16; i++) printf("%02x", SKB[i]);

	//---------------- B6(optional):SB=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))---------- 
	buf = SM9_KeyEx_Hash(hashid, IDA, IDB, RA, RB, *g1, *g2, *g3, SB);
	if (buf) return buf;
	printf("\n\n****SB=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))********\n");
	for (i = 0; i<SM3_len / 8; i++) printf("%02x", SB[i]);

	free(Z);
	return 0;
}

/****************************************************************
Function:       SM9_KeyEx_InitA_II
Description:    initiator A calculate the secret key SKA and a hash
SA which responder B might verifies(Step A5-A7)
Calls:          MIRACL functions,SM9_H1,Test_Point,ecap(),member(),zzn12_init
zzn12_pow,zzn12_ElementPrint(),SM9_KeyEx_KDF,SM9_KeyEx_Hash
Called By:      SM9_SelfCheck()
Input:
IDA,IDB      //identification of userA and B
randA        //a random number K lies in [1,N-1]
Ppub         //encryption public key
deA          //decryption private key of initiator A
RA,RB        //temporary value received from initiator A and responder B
SB           //a hash value SB calculated by responder B,verified in this function
Output:
SA:          //(option) calculates a hash value SA that responder B might verifies
Return:
0: success
1: asking for memory error
2: element is out of order q
3: R-ate calculation error
4: RA is not valid
9: key exchange failed,form B to A,S1!=SB
Others:
****************************************************************/
int ARS_SM9_KeyEx_InitA_II(unsigned char *IDA, unsigned char *IDB, unsigned char randA[], unsigned char Ppub[],
	unsigned char deA[], epoint *RA, epoint *RB, unsigned char SB[], unsigned char SA[])
{
	big h, x, y, rA;
	epoint *Ppube;
	unsigned char hashid[] = { 0x82 };
	unsigned char S1[SM3_len / 8], SKA[16];
	zzn12 g1, g2, g3;
	ecn2 dEA;
	int buf, i;

	//initiate 
	h = mirvar(0); rA = mirvar(0); x = mirvar(0); y = mirvar(0);
	Ppube = epoint_init();
	dEA.x.a = mirvar(0); dEA.x.b = mirvar(0); dEA.y.a = mirvar(0); dEA.y.b = mirvar(0);
	dEA.z.a = mirvar(0); dEA.z.b = mirvar(0); dEA.marker = MR_EPOINT_INFINITY;
	zzn12_init(&g1); zzn12_init(&g2); zzn12_init(&g3);

	bytes_to_big(BNLEN, Ppub, x); bytes_to_big(BNLEN, Ppub + BNLEN, y);
	bytes_to_big(BNLEN, randA, rA);
	bytes128_to_ecn2(deA, &dEA);
	epoint_set(x, y, 0, Ppube);

	//test if RB is on G1 
	if (Test_Point(RB)) return SM9_NOT_VALID_G1;

	//----------------Step A5:g1=(e(P2,Ppube))^rA,g2=e(deA,RB),g3=g2^rA--------- 
	if (!ecap(P2, Ppube, para_t, X, &g1)) return SM9_MY_ECAP_12A_ERR;
	if (!ecap(dEA, RB, para_t, X, &g2)) return SM9_MY_ECAP_12A_ERR;
	//test if a ZZn12 element is of order q 
	if ((!member(g1, para_t, X)) || (!member(g2, para_t, X))) return SM9_MEMBER_ERR;

	g1 = zzn12_pow(g1, rA);
	g3 = zzn12_pow(g2, rA);
	printf("\n***********************g1=e(Ppub,P2):****************************\n");
	zzn12_ElementPrint(g1);
	printf("\n*******************g2=(e(RB,deA))^rB:*************************\n");
	zzn12_ElementPrint(g2);
	printf("\n***********************g3=g2^rB:********************************\n");
	zzn12_ElementPrint(g3);

	//------------------ A6:S1=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))---------- 
	buf = SM9_KeyEx_Hash(hashid, IDA, IDB, RA, RB, g1, g2, g3, S1);
	if (buf) return buf;
	printf("\n*********S1=Hash(0x82||g1||Hash(g2||g3||IDA||IDB||RA||RB))********\n");
	for (i = 0; i<SM3_len / 8; i++) printf("%02x", S1[i]);

	if (memcmp(S1, SB, SM3_len / 8)) return SM9_ERR_CMP_S1SB;

	//---------- A7: SKA=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen)---------- 
	buf = SM9_KeyEx_KDF(IDA, IDB, RA, RB, g1, g2, g3, 16, SKA);
	if (buf) return buf;
	printf("\n\n************SKA=KDF(IDA||IDB||RA||RB||g1||g2||g3,klen)************\n");
	for (i = 0; i<16; i++) printf("%02x", SKA[i]);

	//---------  A8(optional):SA=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))---------- 
	hashid[0] = (unsigned char)0x83;
	buf = SM9_KeyEx_Hash(hashid, IDA, IDB, RA, RB, g1, g2, g3, SA);
	if (buf) return buf;
	printf("\n\n*********SA=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))********\n");
	for (i = 0; i<SM3_len / 8; i++) printf("%02x", SA[i]);

	return 0;
}


/****************************************************************
Function:       SM9_KeyEx_ReB_II
Description:    Step B10 (optional) verifies the hash value SA received from initiator A
Calls:          SM9_KeyEx_Hash
Called By:      SM9_SelfCheck()
Input:
IDA,IDB      //identification of userA and B
g1,g2,g3     //R-ate pairings geted from function SM9_KeyEx_ReB_I,g1=e(RA,deB)g2=(e(P2,Ppub3))^rBg3=g1^rB
RA,RB        //temporary value received from initiator A and responder B
SA           //a hash value SA calculated by initiator A,verified in this function
Output:
NULL
Return:
0: success
1: asking for memory error
A: key exchange failed,form A to B,S2!=SA
Others:
****************************************************************/
int ARS_SM9_KeyEx_ReB_II(unsigned char *IDA, unsigned char *IDB, zzn12 g1, zzn12 g2, zzn12 g3, epoint *RA, epoint *RB, unsigned char SA[])
{
	unsigned char hashid[] = { 0x83 };
	unsigned char S2[SM3_len / 8];
	int buf, i;

	//---------------- B8(optional):S2=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))---------- 
	buf = SM9_KeyEx_Hash(hashid, IDA, IDB, RA, RB, g1, g2, g3, S2);
	if (buf) return buf;
	printf("\n*************** S2=Hash(0x83||g1||Hash(g2||g3||IDA||IDB||RA||RB))****************\n");
	for (i = 0; i<SM3_len / 8; i++) printf("%02x", S2[i]);

	if (memcmp(S2, SA, SM3_len / 8)) return SM9_ERR_CMP_S2SA;
	return 0;
}

/****************************************************************
Function:       SM9_SelfCheck
Description:    SM9 self check
Calls:          MIRACL functions,SM9_Init(),SM9_GenerateEncryptKey(),SM9_KeyEx_InitA_I,
SM9_KeyEx_InitA_II,SM9_KeyEx_ReB_I,SM9_KeyEx_ReB_II
Called By:
Input:
Output:
Return:         0: self-check success
1: asking for memory error
2: element is out of order q
3: R-ate calculation error
4: test if C1 is on G1
5: base point P1 error
6: base point P2 error
7: Encryption public key generated error
8: Encryption private key generated error
9: key exchange failed,form B to A,S1!=SB
A: key exchange failed,form A to B,S2!=SA
B: RA generated error
C: RB generated error
D: SA generated error
E: SB generated error
Others:
****************************************************************/
int ARS_SM9_SelfCheck()
{
	//the master private key 
	unsigned char KE[32] = { 0x00,0x02,0xE6,0x5B,0x07,0x62,0xD0,0x42,0xF5,0x1F,0x0D,0x23,0x54,0x2B,0x13,0xED,
		0x8C,0xFA,0x2E,0x9A,0x0E,0x72,0x06,0x36,0x1E,0x01,0x3A,0x28,0x39,0x05,0xE3,0x1F };

	unsigned char randA[32] = { 0x00,0x00,0x58,0x79,0xDD,0x1D,0x51,0xE1,0x75,0x94,0x6F,0x23,0xB1,0xB4,0x1E,0x93,
		0xBA,0x31,0xC5,0x84,0xAE,0x59,0xA4,0x26,0xEC,0x10,0x46,0xA4,0xD0,0x3B,0x06,0xC8 };
	unsigned char randB[32] = { 0x00,0x01,0x8B,0x98,0xC4,0x4B,0xEF,0x9F,0x85,0x37,0xFB,0x7D,0x07,0x1B,0x2C,0x92,
		0x8B,0x3B,0xC6,0x5B,0xD3,0xD6,0x9E,0x1E,0xEE,0x21,0x35,0x64,0x90,0x56,0x34,0xFE };
	//standard datas 
	unsigned char std_Ppub[64] = { 0x91,0x74,0x54,0x26,0x68,0xE8,0xF1,0x4A,0xB2,0x73,0xC0,0x94,0x5C,0x36,0x90,0xC6,
		0x6E,0x5D,0xD0,0x96,0x78,0xB8,0x6F,0x73,0x4C,0x43,0x50,0x56,0x7E,0xD0,0x62,0x83,
		0x54,0xE5,0x98,0xC6,0xBF,0x74,0x9A,0x3D,0xAC,0xC9,0xFF,0xFE,0xDD,0x9D,0xB6,0x86,
		0x6C,0x50,0x45,0x7C,0xFC,0x7A,0xA2,0xA4,0xAD,0x65,0xC3,0x16,0x8F,0xF7,0x42,0x10 };
	unsigned char std_deA[128] = { 0x0F,0xE8,0xEA,0xB3,0x95,0x19,0x9B,0x56,0xBF,0x1D,0x75,0xBD,0x2C,0xD6,0x10,0xB6,
		0x42,0x4F,0x08,0xD1,0x09,0x29,0x22,0xC5,0x88,0x2B,0x52,0xDC,0xD6,0xCA,0x83,0x2A,
		0x7D,0xA5,0x7B,0xC5,0x02,0x41,0xF9,0xE5,0xBF,0xDD,0xC0,0x75,0xDD,0x9D,0x32,0xC7,
		0x77,0x71,0x00,0xD7,0x36,0x91,0x6C,0xFC,0x16,0x5D,0x8D,0x36,0xE0,0x63,0x4C,0xD7,
		0x83,0xA4,0x57,0xDA,0xF5,0x2C,0xAD,0x46,0x4C,0x90,0x3B,0x26,0x06,0x2C,0xAF,0x93,
		0x7B,0xB4,0x0E,0x37,0xDA,0xDE,0xD9,0xED,0xA4,0x01,0x05,0x0E,0x49,0xC8,0xAD,0x0C,
		0x69,0x70,0x87,0x6B,0x9A,0xAD,0x1B,0x7A,0x50,0xBB,0x48,0x63,0xA1,0x1E,0x57,0x4A,
		0xF1,0xFE,0x3C,0x59,0x75,0x16,0x1D,0x73,0xDE,0x4C,0x3A,0xF6,0x21,0xFB,0x1E,0xFB };
	unsigned char std_deB[128] = { 0x74,0xCC,0xC3,0xAC,0x9C,0x38,0x3C,0x60,0xAF,0x08,0x39,0x72,0xB9,0x6D,0x05,0xC7,
		0x5F,0x12,0xC8,0x90,0x7D,0x12,0x8A,0x17,0xAD,0xAF,0xBA,0xB8,0xC5,0xA4,0xAC,0xF7,
		0x01,0x09,0x2F,0xF4,0xDE,0x89,0x36,0x26,0x70,0xC2,0x17,0x11,0xB6,0xDB,0xE5,0x2D,
		0xCD,0x5F,0x8E,0x40,0xC6,0x65,0x4B,0x3D,0xEC,0xE5,0x73,0xC2,0xAB,0x3D,0x29,0xB2,
		0x44,0xB0,0x29,0x4A,0xA0,0x42,0x90,0xE1,0x52,0x4F,0xF3,0xE3,0xDA,0x8C,0xFD,0x43,
		0x2B,0xB6,0x4D,0xE3,0xA8,0x04,0x0B,0x5B,0x88,0xD1,0xB5,0xFC,0x86,0xA4,0xEB,0xC1,
		0x8C,0xFC,0x48,0xFB,0x4F,0xF3,0x7F,0x1E,0x27,0x72,0x74,0x64,0xF3,0xC3,0x4E,0x21,
		0x53,0x86,0x1A,0xD0,0x8E,0x97,0x2D,0x16,0x25,0xFC,0x1A,0x7B,0xD1,0x8D,0x55,0x39 };
	unsigned char std_RA[64] = { 0x7C,0xBA,0x5B,0x19,0x06,0x9E,0xE6,0x6A,0xA7,0x9D,0x49,0x04,0x13,0xD1,0x18,0x46,
		0xB9,0xBA,0x76,0xDD,0x22,0x56,0x7F,0x80,0x9C,0xF2,0x3B,0x6D,0x96,0x4B,0xB2,0x65,
		0xA9,0x76,0x0C,0x99,0xCB,0x6F,0x70,0x63,0x43,0xFE,0xD0,0x56,0x37,0x08,0x58,0x64,
		0x95,0x8D,0x6C,0x90,0x90,0x2A,0xBA,0x7D,0x40,0x5F,0xBE,0xDF,0x7B,0x78,0x15,0x99 };
	unsigned char std_RB[64] = { 0x86,0x1E,0x91,0x48,0x5F,0xB7,0x62,0x3D,0x27,0x94,0xF4,0x95,0x03,0x1A,0x35,0x59,
		0x8B,0x49,0x3B,0xD4,0x5B,0xE3,0x78,0x13,0xAB,0xC7,0x10,0xFC,0xC1,0xF3,0x44,0x82,
		0x32,0xD9,0x06,0xA4,0x69,0xEB,0xC1,0x21,0x6A,0x80,0x2A,0x70,0x52,0xD5,0x61,0x7C,
		0xD4,0x30,0xFB,0x56,0xFB,0xA7,0x29,0xD4,0x1D,0x9B,0xD6,0x68,0xE9,0xEB,0x96,0x00 };
	unsigned char std_SA[32] = { 0x19,0x5D,0x1B,0x72,0x56,0xBA,0x7E,0x0E,0x67,0xC7,0x12,0x02,0xA2,0x5F,0x8C,0x94,
		0xFF,0x82,0x41,0x70,0x2C,0x2F,0x55,0xD6,0x13,0xAE,0x1C,0x6B,0x98,0x21,0x51,0x72 };
	unsigned char std_SB[32] = { 0x3B,0xB4,0xBC,0xEE,0x81,0x39,0xC9,0x60,0xB4,0xD6,0x56,0x6D,0xB1,0xE0,0xD5,0xF0,
		0xB2,0x76,0x76,0x80,0xE5,0xE1,0xBF,0x93,0x41,0x03,0xE6,0xC6,0x6E,0x40,0xFF,0xEE };

	unsigned char hid[] = { 0x02 }, *IDA = "Alice", *IDB = "Bob";
	unsigned char Ppub[64], deA[128], deB[128];
	unsigned char xy[64], SA[SM3_len / 8], SB[SM3_len / 8];
	epoint *RA, *RB;
	big ke, x, y;
	zzn12 g1, g2, g3;
	int tmp, i;

	mip = mirsys(1000, 16);
	mip->IOBASE = 16;

	x = mirvar(0); y = mirvar(0); ke = mirvar(0);
	bytes_to_big(32, KE, ke);
	RA = epoint_init(); RB = epoint_init();
	zzn12_init(&g1); zzn12_init(&g2); zzn12_init(&g3);

	tmp = ARS_SM9_Init();
	if (tmp != 0) return tmp;
	printf("\n用户A的ID号为:%s\n用户B的ID号为:%s\n",IDA,IDB);

	printf("\n*********************** SM9 密钥生成 ***************************");
	tmp = ARS_SM9_GenerateEncryptKey(hid, IDA, strlen(IDA), ke, Ppub, deA);
	if (tmp != 0)  return tmp;
	tmp = ARS_SM9_GenerateEncryptKey(hid, IDB, strlen(IDB), ke, Ppub, deB);
	if (tmp != 0)  return tmp;
	if (memcmp(Ppub, std_Ppub, 64) != 0)
		return SM9_GEPUB_ERR;
	if (memcmp(deA, std_deA, 128) != 0)
		return SM9_GEPRI_ERR;
	if (memcmp(deB, std_deB, 128) != 0)
		return SM9_GEPRI_ERR;

	printf("\n**********************公钥 Ppubs=[ke]P1:*************************\n");
	for (i = 0; i<64; i++) printf("%02x", Ppub[i]);
	printf("\n\n**************用户A私钥 deA = (xdeA, ydeA):*********************\n");
	for (i = 0; i<128; i++) printf("%02x", deA[i]);
	printf("\n\n**************用户B私钥 deB = (xdeB, ydeB):*********************\n");
	for (i = 0; i<128; i++) printf("%02x", deB[i]);

	printf("\n");
	printf("\n*********************** SM9 密钥交换 ***************************\n");
	printf("\n//////////////////// SM9 密钥交换 A1-A4://////////////////////////\n");
	tmp = ARS_SM9_KeyEx_InitA_I(hid, IDB, randA, Ppub, deA, RA);
	if (tmp != 0) return tmp;
	printf("\n//////////////////////////// RA=[r]QB //////////////////////////////\n");
	epoint_get(RA, x, y);
	cotnum(x, stdout); cotnum(y, stdout);
	big_to_bytes(BNLEN, x, xy, 1); big_to_bytes(BNLEN, y, xy + BNLEN, 1);
	if (memcmp(xy, std_RA, BNLEN * 2) != 0)
		return SM9_ERR_RA;


	printf("\n//////////////////////// SM9 密钥交换 B1-B7:///////////////////////\n");
	tmp = ARS_SM9_KeyEx_ReB_I(hid, IDA, IDB, randB, Ppub, deB, RA, RB, SB, &g1, &g2, &g3);
	if (tmp != 0) return tmp;
	epoint_get(RB, x, y);
	big_to_bytes(BNLEN, x, xy, 1); big_to_bytes(BNLEN, y, xy + BNLEN, 1);
	if (memcmp(xy, std_RB, BNLEN * 2) != 0)
		return SM9_ERR_RB;
	if (memcmp(SB, std_SB, SM3_len / 8) != 0)
		return SM9_ERR_SB;

	printf("\n");
	printf("\n//////////////////////// SM9 密钥交换 A5-A8:///////////////////////");
	tmp = ARS_SM9_KeyEx_InitA_II(IDA, IDB, randA, Ppub, deA, RA, RB, SB, SA);
	if (tmp != 0) return tmp;
	if (memcmp(SA, std_SA, SM3_len / 8) != 0)
		return SM9_ERR_SA;

	printf("\n");
	printf("\n//////////////////////// SM9 密钥交换 B8:///////////////////////");
	tmp = ARS_SM9_KeyEx_ReB_II(IDA, IDB, g1, g2, g3, RA, RB, SA);
	if (tmp != 0) return tmp;

	printf("\n");
	return 0;
}

完整代码见github

参考

1、国标—SM9-密钥交换

2、密码学-基础理论与应用(李子臣著)

3、商用密码检测中心-源码下载

posted @ 2021-05-20 16:13  PamShao  阅读(1310)  评论(8编辑  收藏  举报