/* a tiny-ecdh implementation for the ez80 CPU ## CURVE SPEC ##using

1. /*
2.  
3. a tiny-ecdh implementation for the ez80 CPU
4.  
5. ## CURVE SPEC ##
6. using curve secp224k1
7. define curve T = (p, a, b, G, n, h), where
8. finite field Fp is defined by:
9. p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFE56D
10. f(x) = 2^224 − 2^32 − 2^12 − 2^11 − 2^9 − 2^7 − 2^4 − 2 − 1
11. curve E: y^2 = x^3 + ax + b over Fp is defined by:
12. a = 00000000 00000000 00000000 00000000 00000000 00000000 00000000
13. b = 00000000 00000000 00000000 00000000 00000000 00000000 00000005
14. G(x) = A1455B33 4DF099DF 30FC28A1 69A467E9 E47075A9 0F7E650E B6B7A45C
15. G(y) = 7E089FED 7FBA3442 82CAFBD6 F7E319F7 C0B0BD59 E2CA4BDB 556D61A5
16. n = 00000000 00000000 00000000 0001DCE8 D2EC6184 CAF0A971 769FB1F7
17. h = 01
18.  
19. ## KEYGEN ## generate key pair (d, Q)
20. d is secret. Assert d in range [1, n-1] (random).
21. Q = d*G
22. output (d, Q)
23.  
24. ## PUBKEY VALID ##
25. assert Q != infinity point
26. assert xQ, yQ are of degree <= m-1
27. assert nQ = infinity point
28. if h = 1, skip final assertion
29.  
30. ## SECRET COMPUTE ##
31. inputs:
32. private key d(alice) associated with T(alice)
33. public key Q(bob) associated with T(bob)
34. P = (x, y) = h * d(alice) * Q(bob)
35. if P = infinite point, invalid
36. output x as shared secret field
37. (optional, but recommended) pass x to a KDF to generate symmetric key
38. */
39.  
40. #define ECC_PRV_KEY_SIZE 28
41. #define ECC_PUB_KEY_SIZE (ECC_PRV_KEY_SIZE<<1)
42. #define CURVE_DEGREE 224
43.  
44. #define PTFM_WORD_SIZE sizeof(uint8_t)
45. #define ECC_GF_LEN (ECC_PRV_KEY_SIZE / PTFM_WORD_SIZE)
46.  
47. // main type definitions for variables
48. typedef uint32_t vec_t[ECC_GF_LEN]; // should be 24 bytes
49. struct Point {
50. vec_t x;
51. vec_t y;
52. };
53. struct Curve {
54. vec_t polynomial;
55. vec_t coeff_a;
56. vec_t coeff_b;
57. Point base;
58. vec_t b_order;
59. uint8_t cofactor;
60. };
61.  
62.  
63. Curve secp224k1 = {
64. {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFE56D}, // p
65. {0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000}, // a
66. {0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005}, // b
67. {
68. {0xA1455B33, 0x4DF099DF, 0x30FC28A1, 0x69A467E9, 0xE47075A9, 0x0F7E650E, 0xB6B7A45C},
69. {0x7E089FED, 0x7FBA3442, 0x82CAFBD6, 0xF7E319F7, 0xC0B0BD59, 0xE2CA4BDB, 0x556D61A5}
70. }, // G (x, y)
71. {0x00000000, 0x00000000, 0x00000000, 0x0001DCE8, 0xD2EC6184, 0xCAF0A971, 0x769FB1F7}, // n
72. 1
73. };
74.