Owl Augmented Pake Protocol Implementation, including tests and example

core/src/main/java/org/bouncycastle/crypto/agreement/owl/ECSchnorrZKP.java

@@ -0,0 +1,55 @@
+package org.example;
+
+import java.math.BigInteger;
+
+import org.bouncycastle.math.ec.ECPoint;
+
+/**
+ * Package protected class containing zero knowledge proof, for an Owl key exchange.
+ * <p>
+ * This class encapsulates the values involved in the Schnorr
+ * zero-knowledge proof used in the Owl protocol.
+ */
+public class ECSchnorrZKP
+{
+
+    /**
+     * The value of V = G x [v].
+     */
+    private final ECPoint V;
+
+    /**
+     * The value of r = v - d * c mod n
+     */
+    private final BigInteger r;
+
+    /**
+     * Constructor for ECSchnorrZKP
+     * 
+     * @param V Prover's commitment V = G x [v]
+     * @param r Prover's response r to a challenge c, r = v - d * c mod n
+     */
+    public ECSchnorrZKP(ECPoint V, BigInteger r)
+    {
+        this.V = V;
+        this.r = r;
+    }
+
+    /**
+     * Get the prover's commitment V = G x [v] where G is a base point on the elliptic curve and v is an ephemeral secret
+     * @return The prover's commitment
+     */
+    public ECPoint getV()
+    {
+        return V;
+    }
+
+    /**
+     * Get the prover's response r to the challenge c, r = v - d * c mod n where d is the prover's private key
+     * @return The prover's response 
+     */
+    public BigInteger getr()
+    {
+        return r;
+    }
+}

core/src/main/java/org/bouncycastle/crypto/agreement/owl/Owl_AuthenticationFinish.java

@@ -0,0 +1,103 @@
+package org.example;
+
+import java.math.BigInteger;
+
+import org.bouncycastle.math.ec.ECPoint;
+
+/**
+ * The payload sent by the client during the third pass of an Owl exchange.
+ * <p>
+ * Each {@link Owl_Client} creates and sends an instance
+ * of this payload to the {@link Owl_Server} after validating the previous payload
+ * {@link Owl_AuthenticationServerResponse}.
+ * The payload to send should be created via
+ * {@link Owl_Client#authenticationFinish(Owl_AuthenticationServerResponse)}.
+ * <p>
+ * Each {@link Owl_Client} must also validate the payload
+ * received from the {@link Owl_Server}, which is done by the same function
+ * {@link Owl_Client#authenticationFinish(Owl_AuthenticationServerResponse)}.
+ */
+public class Owl_AuthenticationFinish
+{
+    /**
+     *  Client's unique Id
+     */
+    private final String clientId;
+    /**
+     * The value alpha = (x2 x pi) * [X1 + X3 + X4].
+     */
+    private final ECPoint alpha;
+
+    /**
+     * The zero Knowledge proof for alpha.
+     * <p>
+     * This is a class {@link ECSchnorrZKP} with two fields, containing {v * [G], r} for x2pi.
+     * </p>
+     */
+    private final ECSchnorrZKP knowledgeProofForAlpha;
+
+    /**
+     * The value of r = x1 - t.h mod n
+     */
+    private final BigInteger r;
+
+    /**
+     * Constructor of Owl_AuthenticationFinish
+     * @param clientId Client's identity
+     * @param alpha The public key alpha sent by the client in the third pass
+     * @param knowledgeProofForAlpha The zero-knowledge proof for the knowledge of the private key for alpha
+     * @param r The response r for proving the knowledge of t=H(usrname||password) mod n. 
+     */
+    public Owl_AuthenticationFinish(
+        String clientId,
+        ECPoint alpha,
+        ECSchnorrZKP knowledgeProofForAlpha,
+        BigInteger r)
+    {
+        Owl_Util.validateNotNull(clientId, "clientId");
+        Owl_Util.validateNotNull(alpha, "alpha");
+        Owl_Util.validateNotNull(r, "r");
+        Owl_Util.validateNotNull(knowledgeProofForAlpha, "knowledgeProofForAlpha");
+
+        this.clientId = clientId;
+        this.knowledgeProofForAlpha = knowledgeProofForAlpha;
+        this.alpha = alpha;
+        this.r = r;
+    }
+
+    /**
+     * Get the client's identity (also known as username)
+     * @return The client's identity
+     */
+    public String getClientId()
+    {
+        return clientId;
+    }
+
+    /**
+     * Get the public key alpha = (x2 x pi) * [X1 + X3 + X4]. sent by the client in the third pass
+     * @return The public key alpha 
+     */
+    public ECPoint getAlpha()
+    {
+        return alpha;
+    }
+
+    /**
+     * Get the response r as part of the zero-knowledge proof for proving the knowledge of t, r = x1 - t.h mod n where x1 is the ephemeral private key for the public key X1 sent in the first pass of Owl
+     * @return The response r sent by the client in the third pass
+     */
+    public BigInteger getR()
+    {
+        return r;
+    }
+
+    /**
+     * Get the Schnorr zero-knowledge proof for the knowledge of the private key (x2 x pi) for the public key alpha 
+     * @return {@link ECSchnorrZKP}
+     */
+    public ECSchnorrZKP getKnowledgeProofForAlpha()
+    {
+        return knowledgeProofForAlpha;
+    }
+}

core/src/main/java/org/bouncycastle/crypto/agreement/owl/Owl_AuthenticationInitiate.java

@@ -0,0 +1,123 @@
+package org.example;
+
+import org.bouncycastle.math.ec.ECPoint;
+
+/**
+ * The payload sent by the client in the first pass of an Owl exchange.
+ * <p>
+ * Each {@link Owl_Client} creates and sends an instance
+ * of this payload to the {@link Owl_Server}.
+ * The payload to send should be created via
+ * {@link Owl_Client#authenticationInitiate()}.
+ */
+public class Owl_AuthenticationInitiate
+{
+
+    /**
+     * Unique identifier for the client (this is the username)
+     * <p>
+     * ClientId must not be the same as the server unique identifier,
+     * </p>
+     */
+    private final String clientId;
+
+    /**
+     * The value of g^x1
+     */
+    private final ECPoint gx1;
+
+    /**
+     * The value of g^x2
+     */
+    private final ECPoint gx2;
+
+    /**
+     * The zero knowledge proof for x1.
+     * <p>
+     * This is a class {@link ECSchnorrZKP} with two fields, containing {g^v, r} for x1.
+     * </p>
+     */
+    private final ECSchnorrZKP knowledgeProofForX1;
+
+    /**
+     * The zero knowledge proof for x2.
+     * <p>
+     * This is a class {@link ECSchnorrZKP} with two fields, containing {g^v, r} for x2.
+     * </p>
+     */
+    private final ECSchnorrZKP knowledgeProofForX2;
+
+    /**
+     * Constructor of Owl_AuthenticationInitiate
+     * @param clientId the client's identity (or username)
+     * @param gx1 The public key X1 = x1 * [G]
+     * @param gx2 The public key X2 = x2 * [G]
+     * @param knowledgeProofForX1 The zero-knowledge proof for proving the knowledge of x1
+     * @param knowledgeProofForX2 The zero-knowledge proof for proving the knowledge of x2
+     */
+    public Owl_AuthenticationInitiate(
+        String clientId,
+        ECPoint gx1,
+        ECPoint gx2,
+        ECSchnorrZKP knowledgeProofForX1,
+        ECSchnorrZKP knowledgeProofForX2)
+    {
+        Owl_Util.validateNotNull(clientId, "clientId");
+        Owl_Util.validateNotNull(gx1, "gx1");
+        Owl_Util.validateNotNull(gx2, "gx2");
+        Owl_Util.validateNotNull(knowledgeProofForX1, "knowledgeProofForX1");
+        Owl_Util.validateNotNull(knowledgeProofForX2, "knowledgeProofForX2");
+
+        this.clientId = clientId;
+        this.gx1 = gx1;
+        this.gx2 = gx2;
+        this.knowledgeProofForX1 = knowledgeProofForX1;
+        this.knowledgeProofForX2 = knowledgeProofForX2;
+    }
+
+    /**
+     * Get the client's identity (or username)
+     * @return The client's identity
+     */
+    public String getClientId()
+    {
+        return clientId;
+    }
+
+    /**
+     * Get the client's public key X1 = x1 * [G] in the first pass of Owl
+     * @return The client's public key X1 
+     */
+    public ECPoint getGx1()
+    {
+        return gx1;
+    }
+
+    /**
+     * Get the client's public key X2 = x2 * [G] in the first pass of Owl
+     * @return The client's public key X2 
+     */
+    public ECPoint getGx2()
+    {
+        return gx2;
+    }
+
+    /**
+     * Get the zero-knowledge proof for the knowledge of x1
+     * @return {@link ECSchnorrZKP}
+     */
+    public ECSchnorrZKP getKnowledgeProofForX1()
+    {
+        return knowledgeProofForX1;
+    }
+
+    /**
+     * Get the zero-knowledge proof for the knowledge of x2
+     * @return {@link ECSchnorrZKP}
+     */
+    public ECSchnorrZKP getKnowledgeProofForX2()
+    {
+        return knowledgeProofForX2;
+    }
+
+}