1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security.hpke;
import com.yahoo.security.KeyUtils;
import java.security.KeyPair;
import java.security.interfaces.XECPrivateKey;
import java.security.interfaces.XECPublicKey;
import java.util.function.Supplier;
import static com.yahoo.security.ArrayUtils.concat;
import static com.yahoo.security.hpke.Constants.EAE_PRK_LABEL;
import static com.yahoo.security.hpke.Constants.EMPTY_LABEL;
import static com.yahoo.security.hpke.Constants.SHARED_SECRET_LABEL;
import static com.yahoo.security.hpke.LabeledKdfUtils.labeledExpandForSuite;
import static com.yahoo.security.hpke.LabeledKdfUtils.labeledExtractForSuite;
/**
* KEM implementation using Diffie-Hellman over X25519 curves as the shared
* secret deriver and HKDF-SHA256 as its key derivation function.
*
* HPKE KEM spec: DHKEM(X25519, HKDF-SHA256)
*
* @author vekterli
*/
final class DHKemX25519HkdfSha256 implements Kem {
private static final HkdfSha256 HKDF = HkdfSha256.getInstance();
private final Supplier<KeyPair> keyPairGen;
DHKemX25519HkdfSha256(Supplier<KeyPair> keyPairGen) {
this.keyPairGen = keyPairGen;
}
// Section 4.1 DH-Based KEM (DHKEM):
// "The implicit suite_id value used within LabeledExtract and LabeledExpand
// is defined as follows, where kem_id is defined in Section 7.1:"
//
// suite_id = concat("KEM", I2OSP(kem_id, 2))"
//
// The ID of our KEM suite, DHKEM(X25519, HKDF-SHA256), is 0x0020, so just hard code this.
private static final byte[] DHKEM_SUITE_ID_LABEL = new byte[] { 'K','E','M', 0x00, 0x20 };
@Override public short nSecret() { return 32; }
@Override public short nEnc() { return 32; }
@Override public short nPk() { return 32; }
@Override public short nSk() { return 32; }
@Override public short kemId() { return 0x0020; }
private static byte[] serializePublicKey(XECPublicKey publicKey) {
return KeyUtils.toRawX25519PublicKeyBytes(publicKey);
}
private static XECPublicKey deserializePublicKey(byte[] enc) {
return KeyUtils.fromRawX25519PublicKey(enc);
}
/**
* Section 4.1 DH-Based KEM (DHKEM):
*
* <pre>
* def ExtractAndExpand(dh, kem_context):
* eae_prk = LabeledExtract("", "eae_prk", dh)
* shared_secret = LabeledExpand(eae_prk, "shared_secret",
* kem_context, Nsecret)
* return shared_secret
* </pre>
*/
private byte[] extractAndExpand(byte[] dh, byte[] kemContext) {
byte[] eaePrk = labeledExtractForSuite(HKDF, DHKEM_SUITE_ID_LABEL, EMPTY_LABEL, EAE_PRK_LABEL, dh);
return labeledExpandForSuite(HKDF, eaePrk, DHKEM_SUITE_ID_LABEL, SHARED_SECRET_LABEL, kemContext, nSecret());
}
/**
* Section 4.1 DH-Based KEM (DHKEM):
*
* <pre>
* def Encap(pkR):
* skE, pkE = GenerateKeyPair()
* dh = DH(skE, pkR)
* enc = SerializePublicKey(pkE)
*
* pkRm = SerializePublicKey(pkR)
* kem_context = concat(enc, pkRm)
*
* shared_secret = ExtractAndExpand(dh, kem_context)
* return shared_secret, enc
* </pre>
*/
@Override
public EncapResult encap(XECPublicKey pkR) {
var kpE = keyPairGen.get();
var skE = (XECPrivateKey)kpE.getPrivate();
var pkE = (XECPublicKey)kpE.getPublic();
byte[] dh = KeyUtils.ecdh(skE, pkR);
byte[] enc = serializePublicKey(pkE);
byte[] pkRm = serializePublicKey(pkR);
byte[] kemContext = concat(enc, pkRm);
byte[] sharedSecret = extractAndExpand(dh, kemContext);
return new EncapResult(sharedSecret, enc);
}
/**
* Section 4.1 DH-Based KEM (DHKEM):
*
* <pre>
* def AuthEncap(pkR, skS):
* skE, pkE = GenerateKeyPair()
* dh = concat(DH(skE, pkR), DH(skS, pkR))
* enc = SerializePublicKey(pkE)
*
* pkRm = SerializePublicKey(pkR)
* pkSm = SerializePublicKey(pk(skS))
* kem_context = concat(enc, pkRm, pkSm)
*
* shared_secret = ExtractAndExpand(dh, kem_context)
* return shared_secret, enc
* </pre>
*/
@Override
public EncapResult authEncap(XECPublicKey pkR, XECPrivateKey skS) {
var kpE = keyPairGen.get();
var skE = (XECPrivateKey)kpE.getPrivate();
var pkE = (XECPublicKey)kpE.getPublic();
byte[] dh = concat(KeyUtils.ecdh(skE, pkR), KeyUtils.ecdh(skS, pkR));
byte[] enc = serializePublicKey(pkE);
byte[] pkRm = serializePublicKey(pkR);
byte[] pkSm = serializePublicKey(KeyUtils.extractX25519PublicKey(skS));
byte[] kemContext = concat(enc, pkRm, pkSm);
byte[] sharedSecret = extractAndExpand(dh, kemContext);
return new EncapResult(sharedSecret, enc);
}
/**
* Section 4.1 DH-Based KEM (DHKEM):
*
* <pre>
* def Decap(enc, skR):
* pkE = DeserializePublicKey(enc)
* dh = DH(skR, pkE)
*
* pkRm = SerializePublicKey(pk(skR))
* kem_context = concat(enc, pkRm)
*
* shared_secret = ExtractAndExpand(dh, kem_context)
* return shared_secret
* </pre>
*/
@Override
public byte[] decap(byte[] enc, XECPrivateKey skR) {
var pkE = deserializePublicKey(enc);
byte[] dh = KeyUtils.ecdh(skR, pkE);
byte[] pkRm = serializePublicKey(KeyUtils.extractX25519PublicKey(skR));
byte[] kemContext = concat(enc, pkRm);
return extractAndExpand(dh, kemContext);
}
/**
* Section 4.1 DH-Based KEM (DHKEM):
*
* <pre>
* def AuthDecap(enc, skR, pkS):
* pkE = DeserializePublicKey(enc)
* dh = concat(DH(skR, pkE), DH(skR, pkS))
*
* pkRm = SerializePublicKey(pk(skR))
* pkSm = SerializePublicKey(pkS)
* kem_context = concat(enc, pkRm, pkSm)
*
* shared_secret = ExtractAndExpand(dh, kem_context)
* return shared_secret
* </pre>
*/
public byte[] authDecap(byte[] enc, XECPrivateKey skR, XECPublicKey pkS) {
var pkE = deserializePublicKey(enc);
byte[] dh = concat(KeyUtils.ecdh(skR, pkE), KeyUtils.ecdh(skR, pkS));
byte[] pkRm = serializePublicKey(KeyUtils.extractX25519PublicKey(skR));
byte[] pkSm = serializePublicKey(pkS);
byte[] kemContext = concat(enc, pkRm, pkSm);
return extractAndExpand(dh, kemContext);
}
}
|
