<PackageReference Include="BouncyCastle.Cryptography" Version="2.4.0" />

JPakeUtilities

public abstract class JPakeUtilities
Primitives needed for a J-PAKE exchange. The recommended way to perform a J-PAKE exchange is by using two JPAKEParticipants. Internally, those participants call these primitive operations in JPakeUtilities. The primitives, however, can be used without a JPAKEParticipant if needed.
public static readonly BigInteger One

public static readonly BigInteger Zero

protected JPakeUtilities()

Calculate A as done in round 2.

Calculate ga as done in round 2.

Calculate g^x mod p as done in round 1.

Calculates the keying material, which can be done after round 2 has completed. A session key must be derived from this key material using a secure key derivation function (KDF). The KDF used to derive the key is handled externally (i.e. not by JPAKEParticipant).

KeyingMaterial = (B/g^{x2*x4*s})^x2

public static BigInteger CalculateMacTag(string participantId, string partnerParticipantId, BigInteger gx1, BigInteger gx2, BigInteger gx3, BigInteger gx4, BigInteger keyingMaterial, IDigest digest)

Calculates the MacTag (to be used for key confirmation), as defined by NIST SP 800-56A Revision 1, Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.

MacTag = HMAC(MacKey, MacLen, MacData)
MacKey = H(K || "JPAKE_KC")
MacData = "KC_1_U" || participantId || partnerParticipantId || gx1 || gx2 || gx3 || gx4

Note that both participants use "KC_1_U" because the sender of the round 3 message is always the initiator for key confirmation.

HMAC = HMac used with the given Digest
H = The given Digest
MacLen = length of MacTag

public static BigInteger CalculateS(char[] password)

Converts the given password to a BigInteger for use in arithmetic calculations.

public static BigInteger CalculateS(BigInteger q, byte[] password)

Converts the given password to a BigInteger mod q.

public static BigInteger CalculateS(BigInteger q, char[] password)

Converts the given password (UTF8 encoded) to a BigInteger mod q.

Calculate x2 * s as done in round 2.

public static BigInteger[] CalculateZeroKnowledgeProof(BigInteger p, BigInteger q, BigInteger g, BigInteger gx, BigInteger x, string participantId, IDigest digest, SecureRandom random)

Calculate a zero knowledge proof of x using Schnorr's signature. The returned array has two elements {g^v, r = v-x*h} for x.

public static BigInteger GenerateX1(BigInteger q, SecureRandom random)

Return a value that can be used as x1 or x3 during round 1. The returned value is a random value in the range [0, q-1].

public static BigInteger GenerateX2(BigInteger q, SecureRandom random)

Return a value that can be used as x2 or x4 during round 1. The returned value is a random value in the range [1, q-1].

public static void ValidateGa(BigInteger ga)

Validates that ga is not 1. As described by Feng Hao... Alice could simply check ga != 1 to ensure it is a generator. In fact, as we will explain in Section 3, (x1 + x3 + x4) is random over Zq even in the face of active attacks. Hence, the probability for ga = 1 is extremely small - on the order of 2^-160 for 160-bit q.

Throws CryptoException if ga is 1.

public static void ValidateGx4(BigInteger gx4)

Validates that g^x4 is not 1. Throws CryptoException if g^x4 is 1.

public static void ValidateMacTag(string participantId, string partnerParticipantId, BigInteger gx1, BigInteger gx2, BigInteger gx3, BigInteger gx4, BigInteger keyingMaterial, IDigest digest, BigInteger partnerMacTag)

Validates the MacTag received from the partner participant. Throws CryptoException if the participantId strings are equal.

public static void ValidateNotNull(object obj, string description)

Validates that the given object is not null. Throws NullReferenceException if the object is null.

public static void ValidateParticipantIdsDiffer(string participantId1, string participantId2)

Validates that the given participant ids are not equal. (For the J-PAKE exchange, each participant must use a unique id.) Throws CryptoException if the participantId strings are equal.

public static void ValidateParticipantIdsEqual(string expectedParticipantId, string actualParticipantId)

Validates that the given participant ids are equal. This is used to ensure that the payloads received from each round all come from the same participant.

public static void ValidateZeroKnowledgeProof(BigInteger p, BigInteger q, BigInteger g, BigInteger gx, BigInteger[] zeroKnowledgeProof, string participantId, IDigest digest)

Validates that the zero knowledge proof (generated by CalculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, string, IDigest, SecureRandom)) is correct. Throws CryptoException if the zero knowledge proof is not correct.
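The round 1 proof primitives described above (CalculateZeroKnowledgeProof, ValidateGx4, ValidateZeroKnowledgeProof) used directly, as an added example that is not part of the BouncyCastle documentation. It shows that a proof verifies only under the participant id it was generated for and fails once r is altered. The group JPakePrimeOrderGroups.NIST_3072, the Sha256Digest choice, the ids "alice" and "mallory", and the Rejected helper are assumptions not taken from this page.

```csharp
using System;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Agreement.JPake;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;

public static class JPakeRound1ProofDemo
{
    public static void Main()
    {
        // Assumption: a predefined prime order group shipped with the library.
        JPakePrimeOrderGroup group = JPakePrimeOrderGroups.NIST_3072;
        BigInteger p = group.P, q = group.Q, g = group.G;
        var random = new SecureRandom();

        // Alice, round 1: x2 is drawn from [1, q-1], so g^x2 is never 1.
        BigInteger x2 = JPakeUtilities.GenerateX2(q, random);
        BigInteger gx2 = g.ModPow(x2, p); // g^x mod p, computed directly here
        BigInteger[] proof = JPakeUtilities.CalculateZeroKnowledgeProof(
            p, q, g, gx2, x2, "alice", new Sha256Digest(), random);

        // Bob: Alice's g^x2 plays the role of "g^x4" from his point of view.
        JPakeUtilities.ValidateGx4(gx2);
        JPakeUtilities.ValidateZeroKnowledgeProof(
            p, q, g, gx2, proof, "alice", new Sha256Digest());
        Console.WriteLine("proof accepted for alice");

        // The participant id is hashed into the challenge h, so the same
        // proof presented under another identity must not verify.
        bool wrongId = Rejected(() => JPakeUtilities.ValidateZeroKnowledgeProof(
            p, q, g, gx2, proof, "mallory", new Sha256Digest()));
        Console.WriteLine("same proof under id mallory rejected: " + wrongId);

        // Changing r breaks the relation g^r * (g^x)^h == g^v.
        BigInteger[] tampered = { proof[0], proof[1].Add(BigInteger.One).Mod(q) };
        bool badR = Rejected(() => JPakeUtilities.ValidateZeroKnowledgeProof(
            p, q, g, gx2, tampered, "alice", new Sha256Digest()));
        Console.WriteLine("tampered r rejected: " + badR);
    }

    // Hypothetical helper: true when the check throws CryptoException.
    private static bool Rejected(Action check)
    {
        try { check(); return false; }
        catch (CryptoException) { return true; }
    }
}
```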