Multi-purpose cross-platform hybrid cryptography tool for symmetric and asymmetric encryption, cipher-based message authentication code (CMAC|PMAC|GMAC|VMAC), recursive hash digest, hash-based message authentication code (HMAC), HMAC-based key derivation function (HKDF), password-based key derivation function (PBKDF2|Argon2|Lyra2|Scrypt), password-hashing scheme (Bcrypt|Argon2|Lyra2|Makwa), shared key agreement (ECDH|VKO|X25519|X448|ML-KEM), digital signature (RSA|ECDSA|EdDSA|GOST|SLH-DSA|ML-DSA), X.509 CSRs, CRLs and Certificates, and TCP instant server with TLS 1.3 and TLCP encryption layers for small or embedded systems.
Fully OpenSSL/LibreSSL/GmSSL/RHash/Mcrypt compliant
Implements
- Anubis Involutional SPN 128-bit block cipher (Barreto, ESAT/COSIC)
- BSI TR-03111 Elliptic Curve Cryptography (ECC) Technical Guideline
- CHASKEY Message Authentication Code (Nicky Mouha, ESAT/COSIC)
- CubeHash and SipHash64/128 (Daniel J. Bernstein & JP Aumasson)
- DSTU 7564:2014 A New Standard of Ukraine: The Kupyna Hash Function
- DSTU 7624:2014 A Encryption Standard of Ukraine: Kalyna Block Cipher
- GB/T 32907-2016 - SM4 128-bit Block Cipher
- GB/T 32918.4-2016 SM2 Elliptic Curve Asymmetric Encryption
- GB/T 38636-2020 - Transport Layer Cryptography Protocol (TLCP)
- GM/T 0001-2012 ZUC Zu Chongzhi Stream cipher 128/256-bit key
- GM/T 0002-2012 SM4 Block cipher with 128-bit key
- GM/T 0003-2012 SM2 Public key algorithm 256-bit
- GM/T 0004-2012 SM3 Message digest algorithm 256-bit hash value
- GM/T 0044-2016 SM9 Public key algorithm 256-bit
- GM/T 0086-2020 Specification of key management system based on SM9
- GOST 28147-89 64-bit block cipher (RFC 5830)
- GOST R 34.10-2012 VKO key agreement function (RFC 7836)
- GOST R 34.10-2012 public key signature function (RFC 7091)
- GOST R 34.11-2012 Streebog hash function (RFC 6986)
- GOST R 34.11-94 CryptoPro hash function (RFC 5831)
- GOST R 34.12-2015 128-bit block cipher Kuznechik (RFC 7801)
- GOST R 34.12-2015 64-bit block cipher Magma (RFC 8891)
- GOST R 50.1.114-2016 GOST R 34.10-2012 and GOST R 34.11-2012
- HC-128 Stream Cipher simplified version of HC-256 (Wu, ESAT/COSIC)
- IGE (Infinite Garble Extension) Mode of Operation for Block ciphers
- ISO/IEC 10118-3:2003 RIPEMD128/160/256 and Whirlpool (ESAT/COSIC)
- ISO/IEC 18033-3:2010 HIGHT, SEED, Camellia and MISTY1 Block ciphers
- ISO/IEC 18033-4:2011 KCipher-2 stream cipher (RFC 7008)
- ISO/IEC 29192-3:2012 Trivium Stream cipher with 80-bit key
- ISO/IEC 18033-5:2015 IBE - Identity-based Encryption Mechanisms
- ISO/IEC 18033-5:2015/Amd.1:2021(E) SM9 Mechanism
- ISO/IEC 14888-3:2018 EC-SDSA Schnorr-based Signature Scheme
- ISO/IEC 29192-2:2019 PRESENT, CLEFIA and LEA block ciphers
- ISO/IEC 18636-5:2022 Barreto-Naehrig and Barreto-Lynn-Scott Curves
- KS X 1213-1 ARIA 128-bit block cipher with 128/192/256-bit keys
- KS X 3246 LEA - Lightweight Encryption Algorithm (TTAK.KO-12.0223)
- KS X 3262 LSH - A New Fast Secure Hash Function Family (in Korean)
- NIST SP800-186 X25519 Diffie-Hellman (OpenSSL compliant)
- NIST SP800-38D GCM AEAD mode for 128-bit block ciphers (RFC 5288)
- RFC 1423: Privacy Enhancement for Internet Electronic Mail
- RFC 2104: HMAC - Keyed-Hashing for Message Authentication
- RFC 2144: CAST-128 64-bit Block cipher with 128-bit key
- RFC 2612: The CAST-256 Encryption Algorithm
- RFC 3610: Counter with CBC-MAC Mode of Operation (CCM Mode)
- RFC 4009: The SEED Encryption Algorithm (KISA)
- RFC 4253: Serpent 128-bit Block cipher with 128/192/256-bit keys
- RFC 4493: Cipher-based Message Authentication Code (CMAC)
- RFC 4503: Rabbit Stream Cipher Algorithm with 128-bit key
- RFC 4543: Galois Message Authentication Code (GMAC)
- RFC 4764: EAX Authenticated-Encryption Mode of Operation
- RFC 4648: Base16, Base32, and Base64 Data Encodings
- RFC 5246: Transport Layer Security (TLS) Protocol Version 1.2
- RFC 5280: Internet X.509 PKI Certificate Revocation List (CRL)
- RFC 5297: Synthetic Initialization Vector (SIV Mode)
- RFC 5639: Elliptic Curve Cryptography (ECC) Brainpool Standard Curves
- RFC 5869: HMAC-based Key Derivation Function (HKDF)
- RFC 6114: The 128-Bit Blockcipher CLEFIA (Sony)
- RFC 7008: KCipher-2 Encryption Algorithm (KDDI R&D Laboratories)
- RFC 7253: OCB (and PMAC) Authenticated-Encryption Algorithm
- RFC 7292: PKCS #12 Personal Information Exchange Syntax v1.1
- RFC 7539: ChaCha20-Poly1305 AEAD Stream cipher
- RFC 7693: The BLAKE2 Cryptographic Hash and MAC (JP Aumasson)
- RFC 7748: Curve25519 and Curve448: Elliptic Curves for Security
- RFC 7914: The Scrypt Password-Based Key Derivation Function
- RFC 8032: Ed25519 Signature a.k.a. EdDSA (Daniel J. Bernstein)
- RFC 8446: Transport Layer Security (TLS) Protocol Version 1.3
- RFC 9058: MGM AEAD mode for 64 and 128 bit ciphers (E. Griboedova)
- RFC 9367: GOST Cipher Suites for Transport Layer Security (TLS 1.3)
- SBRC 2007: Curupira 96-bit block cipher with 96/144/192-bit keys
- STB 34.101.31-2011 Belorussian standard (Bel-T) block cipher
- STB 34.101.45-2013 Belorussian BignV1 public key algorithhm
- STB 34.101.77-2020 Belorussian standard BASH hash function
- TTAS.KO-12.0004/R1 128-bit Block Cipher SEED (ISO/IEC 18033-3:2010)
- TTAS.KO-12.0040/R1 64-bit Block Cipher HIGHT (ISO/IEC 18033-3:2010)
- TTAS.KO-12.0011/R2 HAS-160 Korean-standardized hash algorithm
- TTAK.KO-12.0015/R3 EC-KCDSA Korean Digital Signature Algorithm
- TTAK.KO-12.0223 LEA 128-bit block cipher (ISO/IEC 29192-2:2019)
- TTAK.KO-12.0276 LSH Message digest algorithm (KS X 3262)
- US FIPS 197 Advanced Encryption Standard (AES)
- US FIPS 180-2 Secure Hash Standard (SHS) SHA1 and SHA2 Algorithms
- US FIPS 202 SHA-3 Permutation-Based Hash (instance of the Keccak)
- US FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)
- US FIPS 204 Module-Lattice-Based Digital Signature Standard (ML-DSA)
- US FIPS 205 Stateless Hash-Based Digital Signature Standard (SLH-DSA)
-
Public key algorithms:
Algorithm 256 512 ECDH Signature Encryption PKI ECDSA O O O O O O EC-GDSA O O O EC-KCDSA O O O EC-SDSA O O O O ANSSI O O O O Koblitz O O O O BignV1 O O O O BIP0340 O O O O BLS12-381 O O O O O BN256 O O O O O Curve25519 O O O O Curve448 O O GOST2012 O O O O O RSA O O O SM2 O O O O O SM9 O O O O NUMS O O O O O ElGamal O O EC-ElGamal O O ML-DSA/KEM O O O SLH-DSA O O O -
Subjacent Elliptic Curves:
Curve ECDSA EC-S/GDSA EC-KCDSA ECKA-EG P-224 (secp224r1) O O O P-256 (secp256r1) O O O O P-384 (secp384r1) O O O P-521 (secp521r1) O O O B-283 (sect283r1) O B-409 (sect409r1) O B-571 (sect571r1) O K-283 (sect283k1) O K-409 (sect409k1) O K-571 (sect571k1) O Brainpool (P256r1) O Brainpool (P384r1) O Brainpool (P512r1) O Brainpool (P256t1) O Brainpool (P384t1) O Brainpool (P512t1) O BLS12-381 O Ed25519 O Pallas O ANSSI (frp256v1) O O Koblitz (secp256k1) O O O SM2 (sm2p256v1) O -
Supported ParamSets:
Algorithm A B C D GOST R 34.10-2012 256-bit O O O O GOST R 34.10-2012 512-bit O O O
-
Stream ciphers:
Cipher Key Size IV Modes Ascon 1.2 128 128 AEAD Stream Cipher Chacha20Poly1305 256 96/192 AEAD Stream Cipher Grain128a 128 40-96 AEAD Stream Cipher HC-128 128 128 XOR Stream HC-256 256 256 XOR Stream KCipher-2 128 128 XOR Stream Rabbit 128 64 XOR Stream RC4 [Obsolete] 40/128 - XOR Stream Salsa20 256 64/192 XOR Stream Skein512 Any Any MAC XOR Stream Spritz Any Any XOR Stream Trivium 80 80 XOR Stream ZUC-128 Zu Chongzhi 128 128 MAC XOR Stream ZUC-256 Zu Chongzhi 256 184 MAC XOR Stream -
Permutation ciphers:
Cipher Key IV Mode Xoodyak 128 128 Lightweight AEAD Permutation Cipher -
256-bit> block ciphers:
Cipher Block Size Key Size Modes Kalyna256 256 256/512 EAX, SIV, CTR, OFB, IGE Kalyna512 512 512 EAX, SIV, CTR, OFB, IGE SHACAL-2 256 128 to 512 EAX, SIV, CTR, OFB, IGE Threefish256 256 256 EAX, SIV, CTR, OFB, IGE Threefish512 512 512 EAX, SIV, CTR, OFB, IGE Threefish1024 1024 1024 EAX, SIV, CTR, OFB, IGE -
128-bit block ciphers:
Cipher Block Size Key Size Modes AES (Rijndael) 128 128/192/256 All modes supported Anubis 128 128 to 320 All modes supported ARIA 128 128/192/256 All modes supported Bel-T 128 128/192/256 All modes supported Camellia 128 128/192/256 All modes supported CAST256 128 128/192/256 All modes supported CLEFIA 128 128/192/256 All modes supported CRYPTON 128 128/192/256 All modes supported E2 128 128/192/256 All modes supported Kalyna128 128 128/256 All modes supported Kuznechik 128 256 All modes supported LEA 128 128/192/256 All modes supported LOKI97 128 128/192/256 All modes supported MAGENTA 128 128/192/256 All modes supported MARS 128 128 to 448 All modes supported NOEKEON 128 128 All modes supported RC6 128 128/192/256 All modes supported SEED 128 128 All modes supported Serpent 128 128/192/256 All modes supported SM4 128 128 All modes supported Twofish 128 128/192/256 All modes supported -
96-bit block ciphers:
Cipher Block Size Key Size Modes Curupira 96 96/144/192 EAX, LETTERSOUP, CTR, IGE -
64-bit block ciphers:
Cipher Block Size Key Size Modes DES [Obsolete] 64 64 EAX, CFB-8, CTR, OFB 3DES [Obsolete] 64 192 EAX, CFB-8, CTR, OFB Blowfish 64 128 EAX, CFB-8, CTR, OFB CAST5 64 128 EAX, CFB-8, CTR, OFB GOST89 (TC26) 64 256 EAX, MGM, CFB-8, CTR HIGHT 64 128 EAX, CFB-8, CTR, OFB IDEA [Obsolete] 64 128 EAX, CFB-8, CTR, OFB Khazad 64 128 EAX, MGM, CFB-8, CTR Magma 64 256 EAX, CFB-8, CTR, OFB MISTY1 64 128 EAX, CFB-8, CTR, OFB PRESENT 64 80/128 EAX, MGM, CFB-8, CTR RC2 [Obsolete] 64 128 EAX, CFB-8, CTR, OFB RC5 [Obsolete] 64 128 EAX, CFB-8, CTR, OFB SAFER 64 64/128 EAX, CFB-8, CTR, OFB TWINE 64 80/128 EAX, MGM, CFB-8, CTR -
Modes of Operation:
Mode Blocks Keys EAX Encrypt-Authenticate-Translate All Any GCM Galois/Counter Mode (AEAD) 128 128/192/256 OCB1 Offset Codebook v1 (AEAD) 128 128/192/256 OCB3 Offset Codebook v3 (AEAD) 128 128/192/256 MGM Multilinear Galois Mode (AEAD) 64/128 Any CCM Counter with CBC-MAC (AEAD) 128 128/192/256 SIV Synthetic IV Mode (AEAD) All Any CBC Cipher-Block Chaining All Any CFB Cipher Feedback Mode All Any CFB-8 Cipher Feedback Mode 8-bit All Any CTR Counter Mode (default) All Any ECB Eletronic Codebook Mode All Any IGE Infinite Garble Extension All Any OFB Output Feedback Mode All Any -
Message Digest Algorithms:
Algorithm 128 160 192 256 512 MAC BASH O O Bel-T O BLAKE-2B O O O BLAKE-2S O O O BLAKE-3 O O BMW O O Chaskey O O CubeHash O O ECHO O O ESCH O Fugue O O GOST94 CryptoPro O GrΓΈstl O O Hamsi O O Haraka v2 O HAS-160 O JH O O Kupyna O O O Legacy Keccak O O LSH O O Luffa O O MD4 [Obsolete] O MD5 [Obsolete] O MD6 O O Poly1305 O O Radio-Gatun O RIPEMD O O O SHA1 [Obsolete] O SHA2 (default) O O SHA3 O O SHAKE O O SHAvite-3 O O SIMD O O SipHash O O Skein O O O SM3 O Streebog O O Tiger O Whirlpool O Xoodyak O O ZUC-256 Zu Chongzhi O O - MAC refers to keyed hash function, like HMAC.
Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data. Provides both authenticated encryption (confidentiality and authentication) and the ability to check the integrity and authentication of additional authenticated data (AAD) that is sent in the clear.
AEAD OpenSSL-PHP compliance
<?php
function encrypt($plaintext, $key, $aad = '') {
$nonceSize = 12; // Chacha20-Poly1305 standard nonce size
$nonce = random_bytes($nonceSize);
$ciphertext = openssl_encrypt(
$plaintext,
'chacha20-poly1305',
$key,
OPENSSL_RAW_DATA,
$nonce,
$tag,
$aad
);
return $nonce . $ciphertext . $tag;
}
function decrypt($ciphertext, $key, $aad = '') {
$nonceSize = 12; // Chacha20-Poly1305 standard nonce size
$tagSize = 16; // Assuming a 16-byte tag
$nonce = substr($ciphertext, 0, $nonceSize);
$tag = substr($ciphertext, -$tagSize);
$ciphertext = substr($ciphertext, $nonceSize, -$tagSize);
return openssl_decrypt(
$ciphertext,
'chacha20-poly1305',
$key,
OPENSSL_RAW_DATA,
$nonce,
$tag,
$aad
);
}
// Example usage:
$keyHex = ''; // Provide your key in hexadecimal format
$key = hex2bin($keyHex);
$plaintext = "Hello, Chacha20-Poly1305!";
// Encrypt
$ciphertext = encrypt($plaintext, $key);
echo "Encrypted: " . bin2hex($ciphertext) . PHP_EOL;
// Decrypt
$decrypted = decrypt($ciphertext, $key);
echo "Decrypted: " . $decrypted . PHP_EOL;
?>
Parameters for the ANSSI FRP256v1 Elliptic curve, Agence nationale de la sécurité des systèmes d'information. "Publication d'un paramétrage de courbe elliptique visant des applications de passeport électronique et de l'administration électronique française." 21 November 2011.
The Bign algorithm is a Schnorr-type signature scheme adopted as the standard in Belarus (STB 34.101.45). Below are the equations and descriptions associated with the signing and verification phases of Bign.
BignV1 Theory
Parameters
-
$l \in {128, 192, 256}$ β Security level. -
$q$ β A$2l$ -bit prime number. -
$G$ β A generator of an Abelian group$\langle G \rangle$ of order$q$ . -
$H$ β An external hash function:$H: {0, 1}^* \to {0, 1}^{2l}$ . -
$OID(H)$ β An identifier uniquely identifying the hash function$H$ (an ASN.1 object identifier). -
$h$ β An internal hash function:$h: {0, 1}^* \to {0, 1}^l$ .
Private Key
-
$d$ β A secret random/pseudorandom element from${1, 2, \dots, q-1}$ .
Public Key
-
$Q = dG$ β The public key associated with the private key$d$ .
Message to be signed
-
$X \in {0, 1}^*$ .
Signing
The signature
-
Choose
$k$ :
Select a random (or pseudorandom) value$k$ from${1, 2, \dots, q-1}$ . -
Calculate
$R$ :
$R = kG$ β The point$R$ is calculated by multiplying the random value$k$ by the generator$G$ . -
Calculate
$s_0$ :
$s_0 = h(OID(H) | R | H(X))$ β Here,$s_0$ is computed by the internal hash function$h$ , which involves the identifier of$H$ ,$R$ , and the hash of the message$H(X)$ . -
Calculate
$s_1$ :
$s_1 = (k - H(X) - (s_0 2^l) d) \mod q$ β The value$s_1$ is computed using$k$ ,$H(X)$ ,$s_0$ , and the private key$d$ , with a modular operation based on the prime$q$ . -
Final signature:
$s = s_0 | s_1$ β The final signature$s$ is the concatenation of$s_0$ and$s_1$ . -
Return the signature:
The signature$s$ is returned.
Verification
To verify the signature
-
Verify the length of
$s$ :
If$|s| \neq 3l$ , return 0 (invalid signature). -
Extract
$s_0$ and$s_1$ :
Split$s = s_0 | s_1$ , where$|s_0| = l$ and$|s_1| = 2l$ . -
Verify
$s_1$ :
If$s_1 \geq q$ , return 0 (invalid signature). -
Calculate
$R$ :
Compute$R = (s_1 H(X))G (s_0 2^l)Q$ . -
Verify
$R$ :
If$R = O$ (the identity element of the group), return 0 (invalid signature). -
Verify the hash:
If$h(OID(H) | R | H(X)) \neq s_0$ , return 0 (invalid signature). -
Valid signature:
If all checks pass, return 1 (valid signature).
Design Rationale
-
Short signatures:
The algorithm uses Schnorr's compression and reduces the length of$s_0$ from$2l$ to$l$ bits, resulting in shorter signatures and faster verification (1.5 exponentiations instead of 2). -
Pre-hashing:
Instead of directly using$h(R | X)$ , the algorithm uses pre-hashing:$s_0 = h(OID(H) | R | H(X))$ . This protects against multiple-target preimage attacks and facilitates integration with existing APIs and data formats. -
"Whitening" the signature:
The second part of the signature ($s_1$ ) is "whitened" by using$Y = H(X)$ . This makes finding collisions more difficult, providing security with strength$2^l$ . -
Use of
$Q$ during verification:
While hashing$Q$ during signature generation could help protect against certain attacks, this approach is rejected, as key distribution should already provide protection, and hashing$Q$ would duplicate the proof of possession during key distribution. -
Deterministic signature:
The generation of the ephemeral public key$k$ can be made deterministic using a special key generation algorithm$genk$ . This involves hashing and symmetric encryption of data such as$OID(H)$ ,$d$ , and$H(X)$ to produce a unique$k$ .
The BN256 (ISO/IEC 18636-5:2022) is an elliptic curve used in cryptography, particularly for pairing-based cryptographic protocols like identity-based encryption and short signatures. It was introduced by Paulo S. L. M. Barreto and Michael Naehrig as part of their work on constructing efficient elliptic curves for pairings.
BN256 Theory
Key Generation
- Private Key (sk): Randomly selected from
$r \in \mathbb{Z}_n$ , where$n$ is the curve order. It must remain secret. - Public Key (pk):
$pk = sk * G2$ , where$G2$ is the generator point of the curve.
Signing
- Choose
$k \in \mathbb{Z}_n$ , keep it secret, and ensure it's never reused. - Compute
$\sigma = k \cdot H(M)$ , where$H(M)$ is the hash of the message$M$ . - The final signature is
$\sigma = sk \cdot H(M)$ , where$sk$ is the private key and$H(M)$ is the hash of the message.
Verification
- Verify the signature:
$e(Ο, G2) = e(H(M), pk)$ , where$e$ is the bilinear pairing. - If the pairing holds, the signature is valid; otherwise, itβs invalid.
Verification Equation:
Curupira is a 96-bit block cipher, with keys of 96, 144 or 192 bits, and variable number of rounds, an algorithm described at SBRC 2007 by Paulo S. L. M. Barreto and Marcos A. SimplΓcio Jr., from Escola PolitΓ©cnica da Universidade de SΓ£o Paulo (USP), SΓ£o Paulo, Brazil.
Here are the main differences between ECDSA, ECGDSA, and ECKCDSA:
-
$H(m)$ represents the hash value of the message. -
$k^{-1}$ denotes the modular multiplicative inverse of$k$ modulo$(p-1)$ . -
$\equiv$ indicates congruence. -
$\oplus$ represents the XOR operation.
The ElGamal algorithm is a public-key cryptography system that enables secure communication between two parties, involving asymmetric keypair generation and cryptographic operations. Initially, a large prime number
ElGamal Theory
Key Generation
- Generate a large prime number
$p$ . - Select a generator
$g \in [2, p-2]$ . - Generate a private key
$x$ randomly. - Compute the public key
$Y = g^x \mod p$ .
Digital Signature
- Select a random value
$k$ such that$1 < k < p-1$ ,$\text{gcd}(k, p-1) = 1$ . - Compute the first signature component:
$r = g^k \mod p$ . - Compute the second signature component:
$s \equiv (H(m) - x \cdot r) \cdot k^{-1} \mod (p-1)$ .
Digital Signature Verification
- Receive the message
$m$ and the signature components$(r, s)$ . - Compute
$w \equiv s^{-1} \mod (p-1)$ . - Compute
$u_1 \equiv H(m) \cdot w \mod (p-1)$ . - Compute
$u_2 \equiv r \cdot w \mod (p-1)$ . - Compute
$v \equiv g^{u_1} \cdot Y^{u_2} \mod p$ . - The signature is valid if
$v \equiv r \mod p$ .
Key Agreement
- Bob generates his key pair
$(x_B, Y_B)$ . - Bob shares his public key
$Y_B$ with Alice. - Alice generates a random symmetric key
$K_{\text{sym}}$ . - Alice encrypts
$K_{\text{sym}}$ using Bob's public key:$a = g^{k_A} \mod p, \ b = Y_B^{k_A} \cdot K_{\text{sym}} \mod p$ . - Alice sends the ciphertext
$(a, b)$ to Bob. - Bob decrypts the received ciphertext using his private key to obtain:
$K_{\text{sym}} = (b \cdot a^{-x_B}) \mod p$ . - Now, both Alice and Bob have the shared symmetric key
$K_{\text{sym}}$ for further communication.
The EC-ElGamal algorithm is a cryptographic scheme based on elliptic curves that enables the encryption of messages between two parties using a shared public key. Is a cryptographic scheme that allows secure message transmission over an insecure channel. The algorithm relies on the mathematical properties of elliptic curves to ensure the confidentiality of messages.
EC-ElGamal encryption using elliptic curves allows secure message transmission by having Alice generate a private key
First, Alice generates a private key
where
To decrypt, Alice takes her private key
This works because:
Initially, each party generates its private key as a random number
EC-ElGamal with Schnorr Proof
We initially create a private key as a random number
With standard ElGamal encryption, we generate a random value
We then create a symmetric key from this elliptic curve point:
and where
Next, we compute the ciphertext values of:
and where
We then generate a nonce value (
The ciphertext then has values of
Here is an overview of the method:
To generate the proof, we generate a random value (
Next, we create the challenge bytes with:
We take this value and hash it (
We then create two Schnorr proof values:
To verify the proof, we reconstruct
We reconstruct
This works because:
We then reconstruct the challenge with:
We take this value and hash it (
This value is then checked against the challenge in the proof, and if they are the same, the proof is verified.
GOST refers to a set of technical standards maintained by the Euro-Asian Council for Standardization, Metrology and Certification (EASC), a regional standards organization operating under the auspices of the Commonwealth of Independent States (CIS).
-
Bit-length Equivalence
Symmetric Key Size RSA and EG Key Size ECC Key Size 80 1024 160 112 2048 224 128 3072 256 192 7680 384 256 15360 512
Identity-Based Encryption (IBE) is a cryptographic scheme that enables users to encrypt and decrypt messages using easily memorable and publicly known information, such as an email address or user identity, as the public key. In IBE, the sender encrypts a message with the recipient's identity, and the recipient, possessing a private key generated by a trusted authority known as Key Generation Authority (KGA), can decrypt the message. Unlike traditional public-key cryptography, IBE eliminates the need for a centralized public key directory, as the user's identity itself serves as the public key. This convenience in key management makes IBE particularly suitable for secure communication in decentralized or large-scale systems, where distributing and managing individual public keys may be impractical.
IBE Key Management System (KMS)
Figure 1
--------------------------------------------------------------- | IBE Key Management System | | --------------------------- ------------------- | | | Private Key Generation |--| | | | | Center (PKG) | | | | | --------------------------- | | | | | Revoke/Update | | | | | | | | | --------------------------- | Public | | | | Registration | | Parameter | | | | Service (RA) | | Service | | | --------------------------- | (PPS) | | | | Registration | | | | | Application | | | | --------------------------- | | | | | Terminal | | | | | | Entity (User/Client) |--| | | | --------------------------- ------------------- | ---------------------------------------------------------------
The IBE's Key Management System (KMS) consists of the Private Key Generator (PKG), Registration Agency (RA), Public Parameter Server (PPS), and User Terminal Entity (User/Client). The system architecture is illustrated in Figure 1. The functions of each entity are described below.
- Function: Uses the system master key and related parameters to generate private keys for users. Provides related management and query services.
- Functions:
- Undertakes tasks related to user key application registration, authentication, management, and business communication with PKG.
- Provides symmetric, asymmetric, and hash cryptographic services.
- Receives key data returned by PKG and writes it into the key carrier of the terminal entity.
- Function: A user-oriented information service system, providing publicly accessible addresses for secure query and distribution of public parameters and policies. Public parameters include password parameters and user ID status directories that can be shared publicly.
- Functions:
- Terminal application system of the user information service system.
- Applies for keys directly from PKG or through a local agent.
- Realizes the storage and use of its own private keys.
IBE Key Management System Architecture:
- Secure Channels: The generation and distribution of user keys mainly involve entities such as PKG, RA, and User/Client. This is achieved by establishing secure channels between PKG and RA, and between RA and User/Client, ensuring secure transfer and download of keys.
Summary: The architecture of the IBE Key Management System ensures secure generation of private keys by PKG, tasks of key registration and application are carried out by RA, public parameters are provided by PPS, and users interact with the system through the User/Client terminal. Secure channels facilitate the transfer and download of keys between these entities, ensuring the overall security of the key management system.
Keying material is in general to include things like shared Diffie-Hellman secrets (which are not suitable as symmetric keys), which have more structure than normal keys.
MAC (Message Authentication Code) is a cryptographic function used to ensure the integrity and authenticity of a message. It takes a message and a secret key as inputs and produces a fixed-size authentication tag, which is appended to the message. The receiver can then verify the authenticity of the message by recomputing the MAC using the shared secret key and comparing it to the received tag. If they match, the message is deemed authentic and unaltered.
Module-lattice-based algorithms, such as KEM (Key Encapsulation Mechanism) and DSA (Digital Signature Algorithm), are promising solutions in post-quantum cryptography that provide security against attacks from quantum computers. KEM facilitates secure key exchange by encapsulating a secret key in an object, leveraging complex mathematical problems like the Shortest Vector Problem (SVP) or Learning With Errors (LWE) to ensure security and efficiency. Meanwhile, DSA generates and verifies digital signatures, ensuring the authenticity and integrity of messages while also using lattice structures for protection against quantum algorithms. Together, these approaches represent a significant advancement for information security in the future.
Microsoft Nothing Up My Sleeve Elliptic curves
NUMS (Nothing Up My Sleeve) curves, which are supported in the MSRElliptic Curve Cryptography Library (a.k.a. MSR ECCLib).
These curves are elliptic curves over a prime field, just like the NIST or Brainpool curves. However, the domain-parameters are choosen using a VERY TIGHT DESIGN SPACE to ensure, that the introduction of a backdoor is infeasable. For a desired size of
PBKDF2 (Password-Based Key Derivation Function 2) is a widely used cryptographic function designed to derive secure cryptographic keys from weak passwords or passphrases. It applies a pseudorandom function, such as HMAC-SHA1, HMAC-SHA256, or HMAC-SHA512, multiple times in a loop, with a salt and a user-defined number of iterations, effectively increasing the computational cost of key generation. This technique enhances the resilience against brute-force attacks, making it more difficult and time-consuming for attackers to obtain the original password from the derived key.
Quantum computing is in an early stage of development and faces significant challenges, including the control and correction of quantum errors. Predictions vary, but many experts agree that we are still several years, or even decades, away from having the ability to build a quantum computer large enough to threaten public key cryptography algorithms currently considered secure. Scalable, sufficiently powerful quantum computers have not yet been constructed. Therefore, post-quantum cryptography is more of a precautionary measure, as classical algorithms remain secure for most everyday applications. Understand which algorithms have been compromised with the advent of quantum algorithms like Shor and Grover:
-
Security Level
Name Function pre-quantum post-quantum AES-128 block cipher 128 64 (Grover) AES-256 block cipher 256 128 (Grover) Salsa20 stream cipher 256 128 (Grover) GMAC MAC 128 128 Poly1305 MAC 128 128 SHA-256 hash function 256 128 (Grover) SHA-3 hash function 256 128 (Grover) RSA-3072 encryption 128 broken (Shor) RSA-3072 signature 128 broken (Shor) 256-bit ECDH key exchange 128 broken (Shor) 256-bit ECDSA signature 128 broken (Shor)
SM2 is a public key cryptographic algorithm based on elliptic curves, used for e.g. generation and verification of digital signatures; SM3, a hashing algorithm comparable to SHA-256; and SM4, a block cipher algorithm for symmetric cryptography comparable to AES-128. These standards are becoming widely used in Chinese commercial applications such as banking and telecommunications and are sometimes made mandatory for products procured by Chinese government agencies. SM4 is part of the ARMv8.4-A expansion to the ARM architecture.
Parameters for the sm9p256v1 Elliptic curve
SM9 is a Chinese National Identity Based Cryptography Standard and was originally published using a 256-bit Barreto-Naehrig Curve as its primary example. The new paper suggests that because attacks against some Barreto-Naehrig curves have improved that the SM9 standard should adopt a 384-bit Barreto-Naehrig Curve. The authors go on to suggest that this curve offers roughly 118 bits of security.
XOR (Exclusive OR) is a logical operator that works on bits. Letβs denote it by ^. If the two bits it takes as input are the same, the result is 0, otherwise it is 1. This implements an exclusive or operation, i.e. exactly one argument has to be 1 for the final result to be 1. We can show this using a truth table:
-
exclusive or
x y x^y 0 0 0 0 1 1 1 0 1 1 1 0
The ZUC-256 cipher is a symmetric key encryption algorithm widely used in 5G communication technologies, providing robust and efficient security. The ZUC-256 algorithm is based on the original ZUC cipher, developed by the Chinese Academy of Sciences and adopted by the 3rd Generation Partnership Project (3GPP) standard to ensure data integrity and confidentiality in fifth-generation mobile networks. Its name pays tribute to Zu Chongzhi, a 5th-century Chinese mathematician and astronomer, renowned for his contributions to mathematics, astronomy, and hydraulic engineering. His remarkable approximation of the value of Ο (pi) enabled more precise calculations in various scientific fields.
-
Cryptographic Functions:
- Asymmetric Encryption
- Symmetric Encryption AEAD Modes
- Digital Signature
- Recursive Hash Digest Check
- ECDH (Shared Key Agreement)
- CMAC (Cipher-based message authentication code)
- HMAC (Hash-based message authentication code)
- HKDF (HMAC-based key derivation function)
- PBKDF2 (Password-based key derivation function)
- PHS (Password-hashing scheme)
- TLS (Transport Layer Security v1.2 and 1.3)
- TLCP (Transport Layer Cryptography Protocol v1.1)
- PKCS12 (Personal Information Exchange Syntax v1.1)
- X.509 CSRs, CRLs and Certificates
-
Non-cryptographic Functions:
- Hex string encoder/dump/decoder (xxd-like)
- Base32 encoder/decoder
- Base64 encoder/decoder
- Base85 encoder/decoder
- Privacy-Enhanced Mail (PEM format)
- RandomArt (OpenSSH-like)
Usage of ./edgetk: -algorithm string Public key algorithm: EC, Ed25519, GOST2012, SM2. (default "RSA") -base32 string Encode binary string to Base32 format and vice-versa. [enc|dec] -base64 string Encode binary string to Base64 format and vice-versa. [enc|dec] -base85 string Encode binary string to Base85 format and vice-versa. [enc|dec] -bits int Key length. (for keypair generation and symmetric encryption) -cacert string CA Certificate path. (for TLCP Protocol) -cakey string CA Private key. (for TLCP Protocol) -cert string Certificate path. -check Check hashsum file. ('-' for STDIN) -cipher string Symmetric algorithm: aes, blowfish, magma or sm4. (default "aes") -crl string Certificate Revocation List path. -crypt string Bulk Encryption with Stream and Block ciphers. [enc|dec|help] -curve string Subjacent curve (ECDSA, BLS12381G1 and G2.) (default "ecdsa") -days int Defines the validity of the certificate from the date of creation. -digest Target file/wildcard to generate hashsum list. ('-' for STDIN) -factorp string Makwa private Factor P. (for Makwa Password-hashing Scheme) -factorq string Makwa private Factor Q. (for Makwa Password-hashing Scheme) -hex string Encode binary string to hex format and vice-versa. [enc|dump|dec] -hid uint Hierarchy Identifier. (for SM9 User Private Key) (default 1) -id string User Identifier. (for SM9 User Private Key operations) -info string Additional info. (for HKDF command and AEAD bulk encryption) -ipport string Local Port/remote's side Public IP:Port. -iter int Iter. (for Password-based key derivation function) (default 1) -iv string Initialization Vector. (for symmetric encryption) -kdf string Key derivation function. [pbkdf2|hkdf|scrypt|argon2|lyra2re2] -key string Asymmetric key, symmetric key or HMAC key, depending on operation. -mac string Compute Hash/Cipher-based message authentication code. -master string Master key path. (for sm9 setup) (default "Master.pem") -md string Hash algorithm: sha256, sha3-256 or whirlpool. (default "sha256") -mode string Mode of operation: GCM, MGM, CBC, CFB8, OCB, OFB. (default "CTR") -modulus string Makwa modulus. (Makwa hash Public Parameter) -nopad No padding. (for Base64 and Base32 encoding) -params string ElGamal Public Parameters path. -paramset string Elliptic curve ParamSet: A, B, C, D. (for GOST2012) (default "A") -pass string Password/Passphrase. (for Private key PEM encryption) -passout string User Password. (for SM9 User Private Key PEM encryption) -peerid string Remote's side User Identifier. (for SM9 Key Exchange) -pkey string Subcommands: keygen|certgen, sign|verify|derive, text|modulus. -prv string Private key path. (for keypair generation) (default "Private.pem") -pub string Public key path. (for keypair generation) (default "Public.pem") -rand int Generate random cryptographic key with given bit length. -recover Recover Passphrase from Makwa hash with Private Parameters. -recursive Process directories recursively. (for DIGEST command only) -root string Root CA Certificate path. -salt string Salt. (for HKDF and PBKDF2 commands) -signature string Input signature. (for VERIFY command and MAC verification) -subj string Subject: Identity for which a digital certificate. -tcp string Encrypted TCP/IP Transfer Protocol. [server|ip|client] -tweak string Additional 128-bit parameter input. (for THREEFISH encryption) -version Print version info. -wrap int Wrap lines after N columns. (for Base64/32 encoding) (default 64)
edgetk -pkey keygen -algorithm [ml-dsa|slh-dsa] -prv Private.pem -pub Public.pem
edgetk -pkey sign -key Private.pem -pass "pass" -signature sign.txt FILE
edgetk -pkey verify -key Public.pem -signature sign.txt FILE
edgetk -pkey keygen -algorithm ml-kem -prv Private.pem -pub Public.pem
edgetk -pkey wrapkey -key Public.pem -cipher cipher.txt
edgetk -pkey unwrapkey -key Private.pem -pass "pass" -cipher cipher.txt
PQC Public Key Infrastructure (PKI)
Key Generation:
edgetk -pkey keygen -algorithm [ml-dsa|slh-dsa] -prv CAPrivate.pem -pub CAPublic.pem
Self-Signed Certificate Generation:
edgetk -pkey certgen -key CAPrivate.pem -pub CAPublic.pem -cert CACert.crt
Check Certificate Authenticity:
edgetk -pkey check -cert CACert.crt -key CAPublic.pem
echo $?
Certificate Signing Request (CSR):
edgetk -pkey req -key Private.pem -pub Public.pem -cert Cert.csr
Display CSR Information:
edgetk -pkey text -cert Cert.csr
X.509 Certificate Signing:
edgetk -pkey x509 -key CAPrivate.pem -root CACert.crt -cert Cert.csr Cert.crt
Display Certificate Information:
edgetk -pkey text -cert Cert.crt
echo $?
Check Certificate Authenticity:
edgetk -pkey check -cert Cert.crt -key CAPublic.pem
echo $?
Generate Certificate Revocation List (CRL):
edgetk -pkey crl -key CAPrivate.pem pub CAPublic.pem -cert CACert.crt serials.txt NewCRL.pem
Display CRL Information:
edgetk -pkey text -crl NewCRL.pem
Check CRL Authenticity:
edgetk -pkey check -crl NewCRL.pem -cert CACert.crt
echo $?
Validate Certificate Against CRL:
edgetk -pkey validate -cert Cert.crt -crl NewCRL.pem
echo $?
For non-interactive scripts, you must use the flags -pass, -days and -subj:
-pass "passphrase"
-days 365
-subj "/CN=Test/OU=/O=/ST=/L=/C=/[email protected]"
./edgetk -pkey setup -algorithm elgamal [-bits 4096] > ElGamalParams.pem
./edgetk -pkey keygen -algorithm elgamal -params ElGamalParams.pem [-pass "passphrase"] [-prv Private.pem] [-pub Public.pem]
./edgetk -pkey sign -algorithm elgamal -key Private.pem [-pass "passphrase"] < file.ext > sign.txt
sign=$(cat sign.txt|awk '{print $2}')
./edgetk -pkey verify -algorithm elgamal -key Public.pem -signature $sign < file.ext
echo $?
./edgetk -pkey wrapkey -algorithm elgamal -key Public.pem > cipher.txt
ciphertext=$(cat cipher.txt|grep "Cipher"|awk '{print $2}')
./edgetk -pkey unwrapkey -algorithm elgamal -key Private.pem [-pass "passphrase"] -cipher $ciphertext
./edgetk -pkey keygen -bits 4096 [-pass "passphrase"] [-prv Private.pem] [-pub Public.pem]
./edgetk -pkey [text|modulus] [-pass "passphrase"] -key Private.pem
./edgetk -pkey [text|modulus|randomart|fingerprint] -key Public.pem
./edgetk -pkey sign -key Private.pem [-pass "passphrase"] < file.ext > sign.txt
sign=$(cat sign.txt|awk '{print $2}')
./edgetk -pkey verify -key Public.pem -signature $sign < file.ext
echo $?
./edgetk -pkey encrypt -key Public.pem < plaintext.ext > ciphertext.ext
./edgetk -pkey decrypt -key Private.pem < ciphertext.ext > plaintext.ext
./edgetk -pkey keygen -bits 256 -algorithm EC [-pass "passphrase"] [-prv Private.pem] [-pub Public.pem]
./edgetk -pkey derive -algorithm EC -key Private.pem -pub Peerkey.pem
./edgetk -pkey certgen -key Private.pem [-pass "passphrase"] [-cert "output.crt"]
./edgetk -pkey req -key Private.pem [-pass "passphrase"] [-cert Certificate.csr]
./edgetk -pkey x509 -key Private.pem -root CACert.pem -cert Certificate.csr > Certificate.crt
./edgetk -pkey [text|modulus] -cert Certificate.pem
./edgetk -pkey crl -cert CACert.pem -key Private.pem -crl old.crl serials.txt > NewCRL.crl
./edgetk -tcp ip > MyExternalIP.txt
./edgetk -tcp server -cert Certificate.pem -key Private.pem [-ipport "8081"]
./edgetk -tcp client -cert Certificate.pem -key Private.pem [-ipport "127.0.0.1:8081"]
./edgetk -rand 256
./edgetk -crypt enc -key $256bitkey < plaintext.ext > ciphertext.ext
./edgetk -crypt dec -key $256bitkey < ciphertext.ext > plaintext.ext
./edgetk -digest [-recursive] "*.*" > hash.txt
./edgetk -check hash.txt
echo $?
or
./edgetk -check hash.txt|grep FAILED^|Not found!
./edgetk -digest -md bcrypt -key "yourkey" [-iter 10] > key.bcrypt
./edgetk -check -md bcrypt -key "yourkey" < key.bcrypt
echo $?
./edgetk -mac hmac -key "secret" < file.ext
./edgetk -mac hmac -key "secret" -signature $256bitmac < file.ext
echo $?
./edgetk -kdf hkdf -bits 128 -key "IKM" [-salt "salt"] [-info "AD"]
- Generate a master key
./edgetk -pkey setup -algorithm <sm9encrypt|sm9sign> [-master "Master.pem"] [-pub "Public.pem"]
- Generate a private key and a UID (User ID) and an HID (Hierarchy ID).
./edgetk -pkey keygen -algorithm <sm9encrypt|sm9sign> [-master "Master.pem"] [-prv "Private.pem"] [-id "uid"] [-hid 1]
- To encrypt a message:
- Use the master public key.
- Include the UID and HID associated with the private key.
- Perform the encryption process.
./edgetk -pkey encrypt -algorithm sm9encrypt [-key "Public.pem"] [-id "uid"] [-hid 1] < FILE
- To decrypt a message:
- Use the associated private key.
- Use the corresponding UID.
- Perform the decryption process.
./edgetk -pkey decrypt -algorithm sm9encrypt [-key "Private.pem"] [-id "uid"] < FILE
- To sign a message:
- Use the private key (UID and HID are associated).
- Perform the signature process.
./edgetk -pkey sign -algorithm sm9sign [-key "Private.pem"] < FILE
- To verify the signature of a message:
- Use the master public key.
- Use the UID and HID associated with the private key that performed the signature.
- Perform the signature verification process.
./edgetk -pkey verify -algorithm sm9sign [-key "Public.pem"] [-id "uid"] [-hid 1] [signature "sign"] < FILE
./edgetk -hex enc < file.ext > file.hex
./edgetk -hex dec < file.hex > file.ext
./edgetk -hex dump < file.ext
./edgetk -base32 enc [-wrap 0] [-nopad] < file.ext > file.b32
./edgetk -base32 dec [-nopad] < file.b32 > file.ext
./edgetk -crypt help // Describes bulk encryption usage and arguments
./edgetk -kdf help // Describes key derivation function usage
./edgetk -mac help // Describes message authentication code usage
./edgetk -pkey help // Describes public key cryptography usage
./edgetk -tcp help // Describes TLS 1.3 Protocol parameters and usage
./edgetk -help,-h // Full list of the flags and their defaults
./edgetk -version // Print version info
- Sergey Matveev (GoGOST Library Author)
- RyuaNerin (go-krypto Library Author)
- Sun Yimin (GMSM Library Author)
- Damian Gryski (Anubis, SipHash, Misty1 Libraries Author)
- Dana Booth (Main Contributor)
- Deatil (go-cryptobin, go-hash Libraries Author)
Use issues for everything
- You can help and get help by:
- Reporting doubts and questions
- You can contribute by:
- Reporting issues
- Suggesting new features or enhancements
- Improve/fix documentation
This project is licensed under the ISC License.