1 FEE Portable Byte Representation of Public Key Strings and Signatures 2 Last Modified 15 March 2001 3 4This defines portable data formats shared by the C and Java implementation of FEE. This definition supercedes formats used prior to 20 Feb 2001. 5 6 7Primitive Data Types 8-------------------- 9 10 int, unsigned int: 11 4 bytes, M.S. byte first 12 13 short, feeUnichar, Java char: 14 2 bytes, M.S. byte first 15 16 giant, GiantInteger: 17 18 type contents comment 19 ------ -------- --------------------------------------- 20 int numBytes abs(numBytes) indicates size of n[] to 21 follow, in BYTES 22 sign of numBytes is sign bit of result 23 byte data n[0], MSB first for each element 24 25 26Curve Parameters (curveParams, Java CurveParams) 27------------------------------------------------ 28 29 CURVE_PARAM_VERSION = 1: 30 31 type contents 32 ------ -------- 33 int CURVE_PARAM_VERSION = 1 34 int minVersion of code to parse this struct = 1 35 unsigned q 36 int k 37 int spare 38 giant a 39 giant b 40 giant c 41 giant x1Plus 42 giant x1Minus 43 giant cOrderPlus 44 giant cOrderMinus 45 giant x1OrderPlus 46 giant x1OrderMinus 47 48 The last four fields are not always known; a value of (giant)0 49 indicates a "not known" condition. In this case, 4 bytes of 50 zero are written, indicating a giant with a length of zero. 51 52 CURVE_PARAM_VERSION = 2 (20 Jan 1998) 53 54 type contents 55 ------ -------- 56 int CURVE_PARAM_VERSION = 2 57 int minVersion of code to parse this struct = 2 58 byte primeType /* new for version 2 */ 59 unsigned q 60 int k 61 unsigned m /* new for version 2 */ 62 int spare 63 giant a 64 giant b 65 giant c 66 giant x1Plus 67 giant x1Minus 68 giant cOrderPlus 69 giant cOrderMinus 70 giant x1OrderPlus 71 giant x1OrderMinus 72 giant basePrime, if primeType == PT_GENERAL /* new */ 73 74 Note that as of version 2, the cOrder* and x1Order* fields are always 75 known. 76 77 CURVE_PARAM_VERSION = 3 (1 Sep 1998) 78 79 type contents 80 ------ -------- 81 int CURVE_PARAM_VERSION = 3 82 int minVersion of code to parse this struct = 3 83 byte primeType 84 byte curveType /* new for version 3 */ 85 unsigned q 86 int k 87 unsigned m 88 int spare 89 giant a 90 giant b 91 giant c 92 giant x1Plus 93 giant x1Minus 94 giant cOrderPlus 95 giant cOrderMinus 96 giant x1OrderPlus 97 giant x1OrderMinus 98 giant basePrime, if primeType == PT_GENERAL 99 100 101Public Key String 102----------------- 103 104 PUBLIC_KEY_STRING_VERSION = 3: 105 106 A public key string is always encoded via enc64(); the raw data before 107 enc64() is as follows. 108 109 type contents 110 ------ -------- 111 int PUBLIC_KEY_STRING_MAGIC (0xfeeddeef) 112 int PUBLIC_KEY_STRING_VERSION = 3 113 int minVersion of code to parse this key = 3 114 int spare 115 curveParams curve parameters 116 giant plusX (public key, plus curve) 117 giant minusX (public key, minus curve) 118 int usageName length in unichars 119 feeUnichar[] usageName as array of unichars 120 121 PUBLIC_KEY_BLOB_VERSION = 4 (23 Mar 1998) 122 123 New for version 4 - exported blobs for both public and private keys. 124 Public key strings are merely enc64() encoded versions of public 125 key blobs and are identical to PUBLIC_KEY_STRING_VERSION 3 public 126 key strings. 127 128 PUBLIC_KEY_BLOB_MAGIC : 0xfeeddeef - public 129 0xfeeddeed - private 130 minVersion : 3 for public, 4 for private 131 132 type contents 133 ------ -------- 134 int PUBLIC_KEY_BLOB_MAGIC 135 int PUBLIC_KEY_BLOB_VERSION = 4 136 int minVersion of code to parse this key = 3 or 4 137 int spare 138 curveParams curve parameters 139 140 public key blob: 141 giant plusX (public key, plus curve) 142 giant minusX (public key, minus curve) 143 private key blob: 144 int privDataLen 145 unsigned char privData[] 146 147 both private and public: 148 149 int usageName length in unichars 150 feeUnichar[] usageName as array of unichars 151 152 PUBLIC_KEY_BLOB_VERSION = 5 (2 Sep 1998) 153 154 Added plusY. 155 minVersion = 5. 156 157 type contents 158 ------ -------- 159 int PUBLIC_KEY_BLOB_MAGIC_{PRIV,PUB} 160 int PUBLIC_KEY_BLOB_VERSION = 5 161 int minVersion of code to parse this key = 5 162 int spare 163 curveParams curve parameters 164 165 public key blob: 166 giant plusX (public key, plus curve) 167 giant plusY (y-coord of public key, plus curve, may be zero) 168 giant minusX (public key, minus curve) 169 private key blob: 170 giant privGiant 171 172 both private and public: 173 174 int usageName length in unichars 175 feeUnichar[] usageName as array of unichars 176 177 PUBLIC_KEY_BLOB_VERSION = 6 (14 Mar 2001) 178 179 Deleted usageName. 180 181 type contents 182 ------ -------- 183 int PUBLIC_KEY_BLOB_MAGIC_{PRIV,PUB} 184 int PUBLIC_KEY_BLOB_VERSION = 5 185 int minVersion of code to parse this key = 5 186 int spare 187 curveParams curve parameters 188 189 public key blob: 190 giant plusX (public key, plus curve) 191 giant plusY (y-coord of public key, plus curve, may be zero) 192 giant minusX (public key, minus curve) 193 private key blob: 194 giant privGiant 195 196 197Digital Signature, ElGamal style 198-------------------------------- 199 200 type contents 201 ------ -------- 202 int FEE_SIG_MAGIC (0xfee00516) 203 int FEE_SIG_VERSION = 3 204 int minVersion of code to parse this signature = 3 205 int spare 206 int signer length in unichars (DELETED 2/20/01) 207 feeUnichar[] signer as array of unichars (DELETED 2/20/01) 208 giant u 209 giant Pm.x 210 211 FEE_SIG_VERSION = 4 (15 March 2001) 212 Deleted signer. 213 214 type contents 215 ------ -------- 216 int FEE_SIG_MAGIC (0xfee00516) 217 int FEE_SIG_VERSION = 4 218 int minVersion of code to parse this signature = 4 219 int spare 220 giant u 221 giant Pm.x 222 223Digital Signature, ECDSA style 224-------------------------------- 225 226 type contents 227 ------ -------- 228 int FEE_ECDSA_MAGIC (0xfee00517) 229 int FEE_ECDSA_VERSION = 1 230 int minVersion of code to parse this signature = 1 231 int spare 232 int signer length in unichars (DELETED 2/20/01) 233 feeUnichar[] signer as array of unichars (DELETED 2/20/01) 234 giant s 235 giant x0 236 237 FEE_ECDSA_VERSION = 2 (15 March 2001) 238 Deleted signer. 239 240 type contents 241 ------ -------- 242 int FEE_ECDSA_MAGIC (0xfee00517) 243 int FEE_ECDSA_VERSION = 2 244 int minVersion of code to parse this signature = 2 245 int spare 246 giant s 247 giant x0 248 249 250 251FEED (2:1) CipherText 252--------------------- 253 254This data type uses an optimized form of Giants in that the sign, and hence 255the number of 16-bit shorts (i.e., the size of n[]), is implied by the size 256of p used in encryption and decryption. For a given curve parameter q (as 257in p = 2**q - k), the number of shorts per giant transmitted is ((q/8 + 1)/2). 258As in normal giants, the n[] array is transmitted m.s. byte first. During 259encoding, unused elements in n[] - i.e., those appearing after 260n[abs(sign) - 1] - are zero. Upon decoding, the sign of an incoming n[] 261array can be inferred from the number of non-zero shorts. 262 263One block of ciphertext is formatted as follows. See "Fast Elliptic 264Encryption (FEE) Algorithms", by Richard E. Crandall, July 1996, for 265descriptions of Xm, Xc, and g. 266 267 type contents 268 --------------- ----------------- 269 optimized giant Xm 270 optimized giant Xc 271 byte g 272 273 274FEED (1:1) CipherText 275--------------------- 276 277The first cipherblock is a FEED(2:1) encrypted copy of the initial 278R and S arrays; this is basically a bunch of random bytes which are 279used to cook up the giants R and S at both encrypt and decrypt time. 280In 1:1 FEED ciphertext, this is encrypted with the recipient's public 281key; the result is padded out to one 1:1 FEED Cipherblock. 282 283Subsequent cipherblocks are: 284 285 type contents 286 --------------- ----------------- 287 optimized giant Xm 288 byte clueByte 289 290 clueByte contents: 291 bit 0 : 0 ==> minus 292 1 ==> plus 293 bit 1 : 's' arg to elliptic_add() 294