; using sect233k1; define curve T = (m,f(x),a,b,G,n,h), where; m = 233 and f

1. ; using sect233k1
2. ; define curve T = (m,f(x),a,b,G,n,h), where
3. ; m = 233 and finite field F(2^233) is defined by:
4. ; f(x) = x^233 + x^74 + 1
5. ; = curve E: y^2 + xy = ax^2 + b defined by:
6. ; a = 0000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
7. ; b = 0000 00000000 00000000 00000000 00000000 00000000 00000000 00000001
8. ; G(comp) = 020172 32BA853A 7E731AF1 29F22FF4 149563A4 19C26BF5 0A4C9D6E EFAD6126
9. ; G(ucomp) = 04 017232BA 853A7E73 1AF129F2 2FF41495 63A419C2 6BF50A4C 9D6EEFAD 6126'01DB 537DECE8 19B7F70F 555A67C4 27A8CD9B F18AEB9B 56E0C110 56FAE6A3
10. ; n = 80 00000000 00000000 00000000 00069D5B B915BCD4 6EFB1AD5 F173ABDF
11. ; h = 01
12. ; ## KEYGEN ## generate key pair (d, Q)
13. ; d is secret. Assert d in range [1, n-1] (random).
14. ; Q = d*G
15. ; output (d, Q)
16. ; ## PUBKEY VALID ##
17. ; assert Q != infinity point
18. ; assert xQ, yQ are of degree <= m-1
19. ; assert nQ = infinity point
20. ; if h = 1, skip final assertion
21. ; ## SECRET COMPUTE ##
22. ; inputs:
23. ; private key d(alice) associated with T(alice)
24. ; public key Q(bob) associated with T(bob)
25. ; P = (x, y) = h * d(alice) * Q(bob)
26. ; if P = infinite point, invalid
27. ; output x as shared secret field
28. ; (optional, but recommended) pass x to a KDF to generate symmetric key
29.  
30. ecc_prv_key_size := 32
31. ecc_pub_key_size := ecc_prv_key_size * 2
32. curve_degree := 233
33.  
34. ;----------------------------------------------
35. ; structures
36. virtual at 0
37. point_x rb ecc_pub_key_size/2
38. point_y rb ecc_pub_key_size/2
39. end virtual
40.  
41.  
42. ecdh_keygen:
43. ; ecdh_pubkey(void *pubkey, void* prvkey);
44. ; expects prvkey of len 32 bytes
45. ; 1. check if prvkey less than n and greater than 0. Return error if false.
46. ; 2. zero privkey bits >233 (this may serve role of #1 too)
47. ; 3. treat prvkey as ec point (x, y)
48. ; 4. multiply (x, y) by (Gx, Gy) mod m => pubkey
49. ; 5. return pubkey, modded prvkey
50. save_interrupts
51. ld hl, 32
52. call ti.frameset
53. ; (ix + 3) = pubkey
54. ; (ix + 6) = prvkey
55. ld hl, (ix + 9)
56. ld de, curve_order
57. call _and_i32 ; return with any high bytes in prvkey greater than degree 0'd?
58. .skip_zero_bits:
59. ld hl, (ix + 6)
60. ld de, (ix - 3) ; stack frame allocation ??
61. ld bc, (ix + 9)
62. ldir ; copy to memory
63.  
64.  
65.  
66.  
67.  
68. _and_i32:
69. ; inputs: hl, bc = pointing to i32 operands
70. ; outputs: hl = output
71. ld b, 4
72. .loop:
73. ld a, (de)
74. and a, (hl)
75. ld (hl), a
76. djnz .loop
77. ret
78.  
79.  
80.  
81. _i256_mul:
82. ; integer-256-bit multiplication
83.  
84.  
85.  
86.  
87.  
88. curve_a
89. dd 0x00000000
90. dd 0x00000000
91. dd 0x00000000
92. dd 0x00000000
93. dd 0x00000000
94. dd 0x00000000
95. dd 0x00000000
96. dd 0x0000
97.  
98. curve_b:
99. dd 0x00000000
100. dd 0x00000000
101. dd 0x00000000
102. dd 0x00000000
103. dd 0x00000000
104. dd 0x00000000
105. dd 0x00000000
106. dd 0x0001
107.  
108. curve_G:
109. dd 0x00000004,
110. dd 0x017232BA,
111. dd 0x853A7E73,
112. dd 0x1AF129F2,
113. dd 0x2FF41495,
114. dd 0x63A419C2,
115. dd 0x6BF50A4C,
116. dd 0x9D6EEFAD,
117. dd 0x612601DB,
118. dd 0x537DECE8,
119. dd 0x19B7F70F,
120. 555A67C4 27A8CD9B F18AEB9B 56E0C110 56FAE6A3
121.  
122. curve_order: ; n
123. dd 0x00000080,
124. dd 0x00000000,
125. dd 0x00000000,
126. dd 0x00000000,
127. dd 0x00069D5B,
128. dd 0xB915BCD4,
129. dd 0x6EFB1AD5,
130. dd 0xF173ABDF
131.  
132. curve_cofactor: ; h
133. db 4
134.