mqv

Version: v0.1.0 (this package is not in the latest version of its module)
Published: Apr 30, 2019 | License: Apache-2.0 | Imports: 6 | Imported by: 0

README

mqv

Package mqv implements MQV ECC as described in "NIST Special Publication 800-56A Revision 3".

MQV is a key agreement protocol similar to Diffie-Hellman, but instead of using 2 ephemeral keys C(2e, 0s), MQV uses 2 ephemeral and 2 static keys C(2e, 2s) in the full variant. The static keys are previously distributed and will be used to authenticate the parties.

Another advantage of MQV is the "one-pass" mode C(1e, 2s), which allows senders and receivers to transmit data without a full round trip for the key agreement. In this case, the sender uses the static key of the other party twice (it's safe to pass a key twice, once as static key and once as ephemeral key), and the receiver uses his own static key twice to decode the message.

In addition to the basic MQV primitive, this package also implements a blinded version, BlindMQV, which blinds the keys before doing the computations in order to prevent side-channel attacks.

Please see SP 800-56A Rev. 3 for more details.

Installation

go get github.com/mgit-at/mqv

License

Copyright (c) 2017 mgIT GmbH. All rights reserved. Distributed under the Apache License. See LICENSE for details.

Documentation

Overview

Package mqv implements MQV ECC as described in "NIST Special Publication 800-56A Revision 3".

Please see https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final for more details.

Functions

func BlindKey

func BlindKey(priv []byte, params *elliptic.CurveParams, rand io.Reader) ([]byte, []byte, error)

BlindKey blinds the original private key (p) with a random blind key (b) and returns (p+b, -b) mod n.

func BlindMQV

func BlindMQV(ownStaticPriv, ownEphemeralPriv []byte, ownEphemeralX, otherStaticX, otherStaticY, otherEphemeralX, otherEphemeralY *big.Int, curve elliptic.Curve, rand io.Reader) (*big.Int, *big.Int, error)

BlindMQV implements the ECC MQV primitive with additional blinding to prevent side-channel attacks.

Usually Z is calculated with mqvSig(ownStaticPriv, ownEphemeralPriv) * mqvBase() (see mqvSimple), but this might leak information about the private keys on various side channels (e.g. timing or power consumption), since neither the elliptic curve implementation nor the big number implementation is constant time. Therefore we blind each key with a random number 0 <= r < n. Assuming r is completely random, (originalPrivKey + r) mod n also has full entropy, as does -r mod n. We do this for both private keys. The blinding process (simple addition / subtraction modulo n) is done in constant time and the random numbers are kept secret. Z is now calculated as mqvSig(ownStaticPriv + r1, ownEphemeralPriv + r2) * mqvBase() + mqvSig(-r1, -r2) * mqvBase(), which is basically two MQV primitives with random keys instead of one using the original key.

func GenerateKey

func GenerateKey(params *elliptic.CurveParams, rand io.Reader) ([]byte, error)

GenerateKey returns a public / private key pair. The private key is generated using the given reader, which must return random data.

func MQV

func MQV(ownStaticPriv, ownEphemeralPriv []byte, ownEphemeralX, otherStaticX, otherStaticY, otherEphemeralX, otherEphemeralY *big.Int, curve elliptic.Curve) (*big.Int, *big.Int, error)

MQV implements the ECC MQV primitive that calculates a shared secret based on the domain parameters, the party's own public and private keys and the other party's public keys. In the full form, each party has a static and an ephemeral key. In the one-pass form, the other party only has a static key, which is used twice with this primitive. h is the cofactor of the elliptic curve. See section 5.7.2.3 of SP 800-56A Rev. 3 for more details.
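The primitive described above, written out with the Go standard library so that both parties' computations can be compared. This is an added example, not the package's own code: the names key, newKey, avf and mqvZ and the choice of P-256 are assumptions made here, and the big.Int arithmetic is not constant time.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

type key struct{ d, x, y *big.Int } // constructed example type, not the mqv package's API
func (k key) pub() key { return key{x: k.x, y: k.y} } // public half only

func newKey(c elliptic.Curve) key {
	d, x, y, err := elliptic.GenerateKey(c, rand.Reader)
	if err != nil {
		panic(err)
	}
	return key{new(big.Int).SetBytes(d), x, y}
}

// avf is the SP 800-56A associate value function: (x mod 2^f) + 2^f, f = ceil(log2(n)/2).
func avf(x, n *big.Int) *big.Int {
	pow := new(big.Int).Lsh(big.NewInt(1), uint((n.BitLen()+1)/2))
	return new(big.Int).Add(new(big.Int).Mod(x, pow), pow)
}

// mqvZ returns x(s*(Qe' + avf(Qe')*Qs')), s = de + avf(Qe)*ds mod n; cofactor h = 1 on P-256.
func mqvZ(c elliptic.Curve, ownS, ownE, peerS, peerE key) (*big.Int, error) {
	n := c.Params().N
	if !c.IsOnCurve(peerS.x, peerS.y) || !c.IsOnCurve(peerE.x, peerE.y) {
		return nil, fmt.Errorf("peer public key is not on the curve")
	}
	s := new(big.Int).Mul(avf(ownE.x, n), ownS.d)
	s.Add(s, ownE.d).Mod(s, n)
	tx, ty := c.ScalarMult(peerS.x, peerS.y, avf(peerE.x, n).Bytes())
	bx, by := c.Add(peerE.x, peerE.y, tx, ty)
	zx, zy := c.ScalarMult(bx, by, s.Bytes())
	if zx.Sign() == 0 && zy.Sign() == 0 {
		return nil, fmt.Errorf("shared point is the point at infinity")
	}
	return zx, nil
}

func main() {
	c := elliptic.P256()
	aS, aE, bS, bE := newKey(c), newKey(c), newKey(c), newKey(c)
	zA, errA := mqvZ(c, aS, aE, bS.pub(), bE.pub())
	zB, errB := mqvZ(c, bS, bE, aS.pub(), aE.pub())
	fmt.Println("full C(2e, 2s) agree:", errA == nil && errB == nil && zA.Cmp(zB) == 0)
}
```

For the one-pass form, the sender passes the receiver's static public key as both peer arguments, and the receiver passes its own static key as both own arguments.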

func ScalarMultBlind

func ScalarMultBlind(x *big.Int, y *big.Int, priv []byte, curve elliptic.Curve, rand io.Reader) (*big.Int, *big.Int, error)

ScalarMultBlind is similar to the elliptic.ScalarMult function, but it does two scalar multiplications with the blinded keys instead and adds the results afterwards.
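The blinding identity behind BlindKey, BlindMQV and ScalarMultBlind, shown with the Go standard library: k*P equals (k+b)*P + (-b)*P for any blind b. This is an added example, not the package's own code; blindKey, scalarMultBlind and check are names chosen here, the sample scalar is constructed, and big.Int is used only to show the algebra (it is not constant time, whereas the page states the package's blinding step is).

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"io"
	"math/big"
)

// blindKey follows the documented BlindKey contract: (p+b, -b) mod n for random b in [0, n).
// big.Int arithmetic is not constant time; it is used here only to show the algebra.
func blindKey(p, n *big.Int, rnd io.Reader) (*big.Int, *big.Int, error) {
	b, err := rand.Int(rnd, n)
	if err != nil {
		return nil, nil, err
	}
	pb := new(big.Int).Add(p, b)
	nb := new(big.Int).Neg(b)
	return pb.Mod(pb, n), nb.Mod(nb, n), nil
}

// scalarMultBlind computes k*(x, y) as (k+b)*(x, y) + (-b)*(x, y); neither
// multiplication takes k itself as its scalar.
func scalarMultBlind(c elliptic.Curve, x, y, k *big.Int, rnd io.Reader) (*big.Int, *big.Int, error) {
	kb, nb, err := blindKey(k, c.Params().N, rnd)
	if err != nil {
		return nil, nil, err
	}
	x1, y1 := c.ScalarMult(x, y, kb.Bytes())
	x2, y2 := c.ScalarMult(x, y, nb.Bytes())
	rx, ry := c.Add(x1, y1, x2, y2)
	return rx, ry, nil
}

// check reports whether the blinded and the plain multiplication of the base point agree.
func check(c elliptic.Curve, k *big.Int) bool {
	gx, gy := c.Params().Gx, c.Params().Gy
	bx, by, err := scalarMultBlind(c, gx, gy, k, rand.Reader)
	px, py := c.ScalarMult(gx, gy, k.Bytes())
	return err == nil && bx.Cmp(px) == 0 && by.Cmp(py) == 0
}

func main() {
	k := new(big.Int).SetUint64(0xC0FFEE) // constructed sample scalar
	fmt.Println("blinded == plain:", check(elliptic.P256(), k))
}
```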

func SubtleIntSize

func SubtleIntSize(numBits int) int

SubtleIntSize returns the size of a SubtleInt that can store at least numBits of information.

func WipeBytes

func WipeBytes(b []byte)

WipeBytes overwrites the internal byte array with zeros.

func WipeInt

func WipeInt(x *big.Int)

WipeInt overwrites the internal array of a big.Int with zeros.

Types

type SubtleInt

type SubtleInt []uint

SubtleInt represents a non-negative big integer with a fixed size. All operations on this integer are performed in constant time.

func (SubtleInt) Add

func (z SubtleInt) Add(x, y SubtleInt) uint

Add sets z to the sum x+y and returns the carry.

func (SubtleInt) AddMod

func (z SubtleInt) AddMod(x, y, n SubtleInt)

AddMod sets z to x+y mod n. Both parameters x and y must be less than n.

func (SubtleInt) Big

func (z SubtleInt) Big() *big.Int

Big converts the integer z to a big.Int.

func (SubtleInt) Bytes

func (z SubtleInt) Bytes() []byte

Bytes returns the value of z as a big-endian byte slice.

func (SubtleInt) Less

func (z SubtleInt) Less(y SubtleInt) uint

Less returns 1 if z < y and 0 otherwise.

func (SubtleInt) Select

func (z SubtleInt) Select(p uint, x, y SubtleInt)

Select sets z to x if p = 1 and y if p = 0.

func (SubtleInt) SetBytes

func (z SubtleInt) SetBytes(buf []byte)

SetBytes interprets buf as a big-endian byte slice and sets z to this value.

func (SubtleInt) SetZero

func (z SubtleInt) SetZero()

SetZero sets z to zero.

func (SubtleInt) String

func (z SubtleInt) String() string

String returns the value of z.

func (SubtleInt) Sub

func (z SubtleInt) Sub(x, y SubtleInt) uint

Sub sets z to the difference x-y and returns the borrow.
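How the documented Add, Sub and Select contracts combine into a branch-free AddMod, as an added example that is not the package's own implementation. The limbs type, its little-endian limb order and the sample modulus are assumptions made here; math/bits.Add and math/bits.Sub are documented to run in time independent of their inputs.

```go
package main

import (
	"fmt"
	"math/bits"
)

// limbs is a fixed-size little-endian integer, a constructed stand-in for SubtleInt.
type limbs []uint

// add sets z = x + y and returns the carry out of the top limb.
func (z limbs) add(x, y limbs) (c uint) {
	for i := range z {
		z[i], c = bits.Add(x[i], y[i], c)
	}
	return c
}

// sub sets z = x - y and returns the borrow out of the top limb.
func (z limbs) sub(x, y limbs) (b uint) {
	for i := range z {
		z[i], b = bits.Sub(x[i], y[i], b)
	}
	return b
}

// sel sets z = x if p == 1 and z = y if p == 0, using a mask instead of a branch.
func (z limbs) sel(p uint, x, y limbs) {
	m := -p // all ones when p == 1, zero when p == 0
	for i := range z {
		z[i] = (x[i] & m) | (y[i] &^ m)
	}
}

// addMod sets z = x + y mod n for x, y < n; both candidates are always computed.
func (z limbs) addMod(x, y, n limbs) {
	sum, diff := make(limbs, len(z)), make(limbs, len(z))
	carry := sum.add(x, y)
	borrow := diff.sub(sum, n)
	z.sel(carry|(borrow^1), diff, sum) // x+y >= n iff carry set or no borrow
}

func main() {
	n := limbs{^uint(0) - 4, ^uint(0)} // constructed modulus 2^(2W) - 5
	x := limbs{^uint(0) - 5, ^uint(0)} // n - 1
	z := make(limbs, 2)
	z.addMod(x, x, n)
	fmt.Println("(n-1)+(n-1) mod n == n-2:", z[0] == ^uint(0)-6 && z[1] == ^uint(0))
}
```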
