FEE Portable Byte Representation of Public Key Strings and Signatures
Last Modified 15 March 2001
This defines portable data formats shared by the C and Java implementation of FEE. This definition supercedes formats used prior to 20 Feb 2001.
Primitive Data Types
--------------------
int, unsigned int:
4 bytes, M.S. byte first
short, feeUnichar, Java char:
2 bytes, M.S. byte first
giant, GiantInteger:
type contents comment
------ -------- ---------------------------------------
int numBytes abs(numBytes) indicates size of n[] to
follow, in BYTES
sign of numBytes is sign bit of result
byte data n[0], MSB first for each element
Curve Parameters (curveParams, Java CurveParams)
------------------------------------------------
CURVE_PARAM_VERSION = 1:
type contents
------ --------
int CURVE_PARAM_VERSION = 1
int minVersion of code to parse this struct = 1
unsigned q
int k
int spare
giant a
giant b
giant c
giant x1Plus
giant x1Minus
giant cOrderPlus
giant cOrderMinus
giant x1OrderPlus
giant x1OrderMinus
The last four fields are not always known; a value of (giant)0
indicates a "not known" condition. In this case, 4 bytes of
zero are written, indicating a giant with a length of zero.
CURVE_PARAM_VERSION = 2 (20 Jan 1998)
type contents
------ --------
int CURVE_PARAM_VERSION = 2
int minVersion of code to parse this struct = 2
byte primeType /* new for version 2 */
unsigned q
int k
unsigned m /* new for version 2 */
int spare
giant a
giant b
giant c
giant x1Plus
giant x1Minus
giant cOrderPlus
giant cOrderMinus
giant x1OrderPlus
giant x1OrderMinus
giant basePrime, if primeType == PT_GENERAL /* new */
Note that as of version 2, the cOrder* and x1Order* fields are always
known.
CURVE_PARAM_VERSION = 3 (1 Sep 1998)
type contents
------ --------
int CURVE_PARAM_VERSION = 3
int minVersion of code to parse this struct = 3
byte primeType
byte curveType /* new for version 3 */
unsigned q
int k
unsigned m
int spare
giant a
giant b
giant c
giant x1Plus
giant x1Minus
giant cOrderPlus
giant cOrderMinus
giant x1OrderPlus
giant x1OrderMinus
giant basePrime, if primeType == PT_GENERAL
Public Key String
-----------------
PUBLIC_KEY_STRING_VERSION = 3:
A public key string is always encoded via enc64(); the raw data before
enc64() is as follows.
type contents
------ --------
int PUBLIC_KEY_STRING_MAGIC (0xfeeddeef)
int PUBLIC_KEY_STRING_VERSION = 3
int minVersion of code to parse this key = 3
int spare
curveParams curve parameters
giant plusX (public key, plus curve)
giant minusX (public key, minus curve)
int usageName length in unichars
feeUnichar[] usageName as array of unichars
PUBLIC_KEY_BLOB_VERSION = 4 (23 Mar 1998)
New for version 4 - exported blobs for both public and private keys.
Public key strings are merely enc64() encoded versions of public
key blobs and are identical to PUBLIC_KEY_STRING_VERSION 3 public
key strings.
PUBLIC_KEY_BLOB_MAGIC : 0xfeeddeef - public
0xfeeddeed - private
minVersion : 3 for public, 4 for private
type contents
------ --------
int PUBLIC_KEY_BLOB_MAGIC
int PUBLIC_KEY_BLOB_VERSION = 4
int minVersion of code to parse this key = 3 or 4
int spare
curveParams curve parameters
public key blob:
giant plusX (public key, plus curve)
giant minusX (public key, minus curve)
private key blob:
int privDataLen
unsigned char privData[]
both private and public:
int usageName length in unichars
feeUnichar[] usageName as array of unichars
PUBLIC_KEY_BLOB_VERSION = 5 (2 Sep 1998)
Added plusY.
minVersion = 5.
type contents
------ --------
int PUBLIC_KEY_BLOB_MAGIC_{PRIV,PUB}
int PUBLIC_KEY_BLOB_VERSION = 5
int minVersion of code to parse this key = 5
int spare
curveParams curve parameters
public key blob:
giant plusX (public key, plus curve)
giant plusY (y-coord of public key, plus curve, may be zero)
giant minusX (public key, minus curve)
private key blob:
giant privGiant
both private and public:
int usageName length in unichars
feeUnichar[] usageName as array of unichars
PUBLIC_KEY_BLOB_VERSION = 6 (14 Mar 2001)
Deleted usageName.
type contents
------ --------
int PUBLIC_KEY_BLOB_MAGIC_{PRIV,PUB}
int PUBLIC_KEY_BLOB_VERSION = 5
int minVersion of code to parse this key = 5
int spare
curveParams curve parameters
public key blob:
giant plusX (public key, plus curve)
giant plusY (y-coord of public key, plus curve, may be zero)
giant minusX (public key, minus curve)
private key blob:
giant privGiant
Digital Signature, ElGamal style
--------------------------------
type contents
------ --------
int FEE_SIG_MAGIC (0xfee00516)
int FEE_SIG_VERSION = 3
int minVersion of code to parse this signature = 3
int spare
int signer length in unichars (DELETED 2/20/01)
feeUnichar[] signer as array of unichars (DELETED 2/20/01)
giant u
giant Pm.x
FEE_SIG_VERSION = 4 (15 March 2001)
Deleted signer.
type contents
------ --------
int FEE_SIG_MAGIC (0xfee00516)
int FEE_SIG_VERSION = 4
int minVersion of code to parse this signature = 4
int spare
giant u
giant Pm.x
Digital Signature, ECDSA style
--------------------------------
type contents
------ --------
int FEE_ECDSA_MAGIC (0xfee00517)
int FEE_ECDSA_VERSION = 1
int minVersion of code to parse this signature = 1
int spare
int signer length in unichars (DELETED 2/20/01)
feeUnichar[] signer as array of unichars (DELETED 2/20/01)
giant s
giant x0
FEE_ECDSA_VERSION = 2 (15 March 2001)
Deleted signer.
type contents
------ --------
int FEE_ECDSA_MAGIC (0xfee00517)
int FEE_ECDSA_VERSION = 2
int minVersion of code to parse this signature = 2
int spare
giant s
giant x0
FEED (2:1) CipherText
---------------------
This data type uses an optimized form of Giants in that the sign, and hence
the number of 16-bit shorts (i.e., the size of n[]), is implied by the size
of p used in encryption and decryption. For a given curve parameter q (as
in p = 2**q - k), the number of shorts per giant transmitted is ((q/8 + 1)/2).
As in normal giants, the n[] array is transmitted m.s. byte first. During
encoding, unused elements in n[] - i.e., those appearing after
n[abs(sign) - 1] - are zero. Upon decoding, the sign of an incoming n[]
array can be inferred from the number of non-zero shorts.
One block of ciphertext is formatted as follows. See "Fast Elliptic
Encryption (FEE) Algorithms", by Richard E. Crandall, July 1996, for
descriptions of Xm, Xc, and g.
type contents
--------------- -----------------
optimized giant Xm
optimized giant Xc
byte g
FEED (1:1) CipherText
---------------------
The first cipherblock is a FEED(2:1) encrypted copy of the initial
R and S arrays; this is basically a bunch of random bytes which are
used to cook up the giants R and S at both encrypt and decrypt time.
In 1:1 FEED ciphertext, this is encrypted with the recipient's public
key; the result is padded out to one 1:1 FEED Cipherblock.
Subsequent cipherblocks are:
type contents
--------------- -----------------
optimized giant Xm
byte clueByte
clueByte contents:
bit 0 : 0 ==> minus
1 ==> plus
bit 1 : 's' arg to elliptic_add()