-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathc3.casm
59 lines (47 loc) · 2.04 KB
/
c3.casm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# TLS stage 3.
# Compute expanded p1 which consists of client_write_key + server_write_key
# Compute expanded p2 which consists of client_IV + server_IV
12 2562
2 576 832
# notary inputs
# 256: outer hash state
# 128: output mask1 (for swk)
# 128: output mask2 (for cwk)
# 32: output mask3 (for siv)
# 32: output mask4 (for civ)
# client inputs
# 256: inner hash state for p1_expanded_keys
# 256: inner hash state for p2_expanded_keys
# 128: output mask1 (for swk)
# 128: output mask2 (for cwk)
# 32: output mask3 (for siv)
# 32: output mask4 (for civ)
1 320
# all outputs go to the evaluator
# 128: server_write_key xor-masked twice (by mask1)
# 128: client_write_key xor-masked twice (by mask2)
# 32 : server IV xor-masked twice (by mask3)
# 32 : client IV xor-masked twice (by mask4)
2 1 0 0 1408 XOR # 0
1 1 1408 1409 INV # 1
# pad outer hash digest as the last chunk of sha256
# total length of bits in outer sha256: L == 512+256 ==768 should be the last 64 bits
# 768 in binary is 0000 0011 0000 0000
# to be hashed: 256 bits inner hash digest + 1 + 191 bits of 0 + 48 bits of 0 + 0000 0011 0000 0000
# the result is p1:
# 8 zeroes 1 1 245 zeroes 1 C input 1 N input 1
768 256 [1408*8] 1409 1409 [1408*245] 1409 [576|>256] [0|>256] [1410|>256] sha256.txt
# the result is p2 (client IV is the top-most 32 bits):
# 8 zeroes 1 1 245 zeroes 1 C input 2 N input 1
768 256 [1408*8] 1409 1409 [1408*245] 1409 [832|>256] [0|>256] [1666|>256] sha256.txt
#prepare all outputs
# xor swk/cwk/siv/civ with notary's masks
256 128 [1410|>128] [256|>128] [1922|>128] xor128bits.casm
256 128 [1538|>128] [384|>128] [2050|>128] xor128bits.casm
64 32 [1858|>32] [512|>32] [2178|>32] xor32bits.casm
64 32 [1890|>32] [544|>32] [2210|>32] xor32bits.casm
# xor the result with client's masks
256 128 [1922|>128] [1088|>128] [2242|>128] xor128bits.casm
256 128 [2050|>128] [1216|>128] [2370|>128] xor128bits.casm
64 32 [2178|>32] [1344|>32] [2498|>32] xor32bits.casm
64 32 [2210|>32] [1376|>32] [2530|>32] xor32bits.casm