mirror of
https://github.com/tlsnotary/circuits.git
synced 2026-01-07 22:13:53 -05:00
68 lines
2.2 KiB
Plaintext
68 lines
2.2 KiB
Plaintext
# TLS handshake circuit 5
|
|
# Compute ghash H, gctr block, encrypted counter block, verify_data - needed for Server Finished
|
|
|
|
16 3170
|
|
2 672 960
|
|
|
|
# notary inputs
|
|
# 256: outer hash state for p1
|
|
# 128: swk share
|
|
# 32 : swiv share
|
|
# 128: mask1 for H^1
|
|
# 128: mask2 for gctr block
|
|
|
|
# client inputs
|
|
# 256: inner hash state for p1
|
|
# 128: swk share
|
|
# 32: siv share
|
|
# 64: server_finished nonce
|
|
# 128: mask1 for H^1
|
|
# 128: mask2 for gctr block
|
|
# 128: mask3 for enc counter
|
|
# 96 : mask4 for verify_data
|
|
|
|
1 480
|
|
|
|
# all outputs go to the evaluator
|
|
# 128: H^1 masked twice (by mask1)
|
|
# 128: gctr block masked twice (by mask2)
|
|
# 128: enc counter masked by client
|
|
# 96 : server_verify masked by client
|
|
|
|
2 1 0 0 1632 XOR # 0
|
|
1 1 1632 1633 INV # 1
|
|
|
|
# pad outer hash digest as the last chunk of sha256
|
|
# total length of bits in outer sha256: L == 512+256 ==768 should be the last 64 bits
|
|
# 768 in binary is 0000 0011 0000 0000
|
|
# to be hashed: 256 bits inner hash digest + 1 + 191 bits of 0 + 48 bits of 0 + 0000 0011 0000 0000
|
|
# the 96 upperremost bits of the result is verify_data
|
|
768 256 [1632*8] 1633 1633 [1632*245] 1633 [672|>256] [0|>256] [1634|>256] sha256.txt
|
|
|
|
#unmask swk
|
|
256 128 [256|>128] [928|>128] [1890|>128] xor128bits.casm
|
|
|
|
#unmask siv
|
|
64 32 [384|>32] [1056|>32] [2018|>32] xor32bits.casm
|
|
|
|
# get encrypted zero - gcm H
|
|
256 128 [1890|>128] [1632*128] [2050|>128] aes-128-reverse.txt
|
|
|
|
# gctr block = server_write_IV + server_finished nonce + [0*31] + 1
|
|
256 128 [1890|>128] 1633 [1632*31] [1088|>64] [2018|>32] [2178|>128] aes-128-reverse.txt
|
|
|
|
# encrypt counter = server_write_IV + server_finished nonce + 2 (4 bytes)
|
|
256 128 [1890|>128] 1632 1633 [1632*30] [1088|>64] [2018|>32] [2306|>128] aes-128-reverse.txt
|
|
|
|
# apply notary's mask on outputs
|
|
256 128 [2050|>128] [416|>128] [2434|>128] xor128bits.casm
|
|
256 128 [2178|>128] [544|>128] [2562|>128] xor128bits.casm
|
|
|
|
# apply clients mask on outputs
|
|
256 128 [2434|>128] [1152|>128] [2690|>128] xor128bits.casm
|
|
256 128 [2562|>128] [1280|>128] [2818|>128] xor128bits.casm
|
|
|
|
256 128 [2306|>128] [1408|>128] [2946|>128] xor128bits.casm
|
|
64 32 [1794|>32] [1536|>32] [3074|>32] xor32bits.casm
|
|
64 32 [1826|>32] [1568|>32] [3106|>32] xor32bits.casm
|
|
64 32 [1858|>32] [1600|>32] [3138|>32] xor32bits.casm |