authorcinap_lenrek <cinap_lenrek@felloff.net>2016-01-06 03:09:00 +0100
committercinap_lenrek <cinap_lenrek@felloff.net>2016-01-06 03:09:00 +0100
commit2dae1ed53a73d81bfb86778793a6bda265d5140d (patch)
treee037c4a663fc9d17906cc2045c488232ac223ece /sys/src/libauthsrv/spake2ee.mp
parente064752dd476b7a2f76567f8cc15f9c2645e5d3d (diff)
auth: release dp9ik implementation and reentrant factotum
Diffstat (limited to 'sys/src/libauthsrv/spake2ee.mp')
-rw-r--r--sys/src/libauthsrv/spake2ee.mp35
1 files changed, 35 insertions, 0 deletions
diff --git a/sys/src/libauthsrv/spake2ee.mp b/sys/src/libauthsrv/spake2ee.mp
new file mode 100644
index 000000000..dd8786988
--- /dev/null
+++ b/sys/src/libauthsrv/spake2ee.mp
@@ -0,0 +1,35 @@
+#
+# this implements a variant of SPAKE2 Elligator edition described in:
+# https://www.mail-archive.com/curves@moderncrypto.org/msg00412.html
+#
+
+# derive points PM or PN from a (password) hash
+spake2ee_h2P(p,a,d, h, PX,PY,PZ,PT){
+ # find a small non-square for elligator
+ n = 2;
+ while(legendresymbol(n, p) != -1)
+ n = n + 1;
+ PX,PY,PZ,PT = elligator2(p,a,d, n, h%p);
+}
+
+# Ya = xa*G+PM, Yb = xb*G+PN
+spake2ee_1(p,a,d, x, GX,GY, PX,PY,PZ,PT, y){
+ mod(p) X,Y,Z,T = edwards_scale(p,a,d, x, GX,GY,1,GX*GY);
+ X,Y,Z,T = edwards_add(p,a,d, X,Y,Z,T, PX,PY,PZ,PT);
+ y = decaf_encode(p,a,d, X,Y,Z,T);
+}
+
+# Z = xa*(Yb-PN)
+# = xa*(xb*G+PN-PN)
+# = xa*xb*G
+# = xb*xa*G
+# = xb*(xa*G+PM-PM)
+# = xb*(Ya-PM)
+spake2ee_2(p,a,d, PX,PY,PZ,PT, x, y, ok, z){
+ ok, X,Y,Z,T = decaf_decode(p,a,d, y);
+ if(ok != 0){
+ mod(p) X,Y,Z,T = edwards_add(p,a,d, X,Y,Z,T, -PX,PY,PZ,-PT);
+ X,Y,Z,T = edwards_scale(p,a,d, x, X,Y,Z,T);
+ z = decaf_encode(p,a,d, X,Y,Z,T);
+ }
+}
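Review bot: In spake2ee_2 the output z is assigned only inside `if(ok != 0)`, so when decaf_decode rejects the peer's y the function returns with z untouched, and nothing in the file says the caller must test ok first. Because y is peer-supplied input, I would document that contract above the function, for example `# ok == 0: y is not a valid encoding and z is not set; callers must check ok before using z`. The operand `-PX,PY,PZ,-PT` on the edwards_add line also deserves a one-line comment such as `# subtract P: negate X and T of the extended coordinates`, since the derivation comment above depends on that step. Whether the callers already check ok is not visible in this file.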