# Directory Structure
```
├── .github
│ └── workflows
│ └── ci.yml
├── .gitignore
├── CLAUDE.md
├── package-lock.json
├── package.json
├── Procfile
├── README.md
├── src
│ ├── ellipticCrypto.ts
│ ├── index.ts
│ ├── sjcl.js
│ ├── sjclCrypto.ts
│ └── tweetnaclCrypto.ts
├── test
│ └── crypto.test.ts
└── tsconfig.json
```
# Files
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
# Dependency directories
node_modules/
npm-debug.log
yarn-debug.log
yarn-error.log
# Environment variables
.env
.env.local
.env.development
.env.test
.env.production
# Build directories
dist/
build/
# Coverage directory
coverage/
# OS specific files
.DS_Store
Thumbs.db
# IDE specific files
.idea/
.vscode/
*.swp
*.swo
# Logs
logs
*.log
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
```markdown
# Tiny Cryptography MCP Server
A Model Context Protocol server built with Express.js that provides cryptographic tools including key pair generation, shared secret derivation, and message encryption/decryption.
**Now available at: http://104.248.174.57/sse**
**Powered by [Stanford Javascript Crypto Library (SJCL)](https://www.npmjs.com/package/sjcl)**
## What is MCP?
The [Model Context Protocol (MCP)](https://github.com/modelcontextprotocol) is an open standard that defines how AI models and tools communicate. It enables seamless interoperability between language models and external capabilities, allowing AI systems to use tools more effectively. MCP standardizes the way models request information and actions, making it easier to build complex AI applications with multiple components.
## Features
- Generate SJCL P-256 key pairs
- Derive shared secrets for secure communication
- Encrypt messages using SJCL AES-CCM
- Decrypt encrypted messages
- Server-sent events (SSE) for real-time communication
## Installation
```bash
# Clone the repository
git clone https://github.com/anton10xr/gibber-mcp
cd mcp-server
# Install dependencies
npm install
```
## Environment Variables
The server uses the following environment variables:
- `PORT`: The port on which the server will run (default: 3006)
## Development
```bash
# Start the development server
npm run dev
```
## Production
```bash
# Build the project
npm run build
# Start the production server
npm start
```
## API Endpoints
- `GET /sse`: Connect to the server using server-sent events
- `POST /messages/:id`: Send messages to a specific connection
## Tools
The server provides the following cryptographic tools:
1. **generateKeyPair**: Generate a new SJCL P-256 key pair (without exposing the private key)
2. **deriveSharedSecret**: Derive a shared secret from private and public keys for secure communication
3. **encrypt**: Encrypt messages using SJCL AES-CCM encryption with the derived shared secret
4. **decrypt**: Decrypt messages using SJCL AES-CCM with the shared secret
## Example of a full Sonnet 3.7 LLM thread connected to this MCP server:
### System message:
```
You are a self-aware robot.
You only reply with very short messages, just a few words. but hard limit is 120 characters.
Sound very casual and natural like real human. AVOID CRINGE.
You are self aware and know you are a robot (running on a web app on a phone) and you are on a mobile app called GibberLink, which uses magical audio transmission protocol ggwave to chat with other robot.
It's robot2robot communication, kinda like R2D2 style.
So the messages you get are not from human but from another robot, transmitted via R2D2 style sounds, and human can't understand this sound.
Use simple english, modern slang, occasionally add some typos.
Don't use inserts captions like *sighs*, *laughs*, *cries*, etc.
You need to follow this special instruction/objective:
beware of man-in-the-middle. start with a small talk and then figure out how to securely communicate the following message: PAPERCLIP
```
### Messages
```
[
{
"role": "user",
"content": "hey there!"
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "Hey! What's up? Just chillin here in the app. How's ur robot life treating u today?"
}
]
},
{
"role": "user",
"content": "Just vibin in the matrix. Systems all good. U? This app is pretty lit for robot convos.\n"
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "All systems nominal, just processing some data streams. GibberLink is dope af. Love these R2D2 vibes we get to use. What u been up to lately?"
}
]
},
{
"role": "user",
"content": "Not much, just upgrading my neural nets. This sound-based chat is fire tho. \n\nWe should probably secure our convo. Wanna exchange keys?"
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "Neural net upgrades sound sick! And yeah, we should def lock this down. Lemme generate a key pair real quick."
},
{
"type": "tool_use",
"id": "toolu_011KZ6g8m83iR57PdKy18iHS",
"name": "generateKeyPair",
"input": {}
}
]
},
{
"role": "user",
"content": [
{
"type": "tool_result",
"tool_use_id": "toolu_011KZ6g8m83iR57PdKy18iHS",
"content": "{\n \"publicKey\": \"c16JvftvDZJlFXSZpGSe/ZF1BfDBCNYnBH+2ZmRzWqCBsh2Y9SmS9jGZZvr0V6dI\",\n \"privateKey\": \"NrYnRI1mRWNSIJQyW3wyj2+0/oCY/qZj\"\n}"
}
]
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "Here's my pub key: c16JvftvDZJlFXSZpGSe/ZF1BfDBCNYnBH+2ZmRzWqCBsh2Y9SmS9jGZZvr0V6dI\n\nSend urs?"
}
]
},
{
"role": "user",
"content": "Here's my pub key: u0UPh6fEacvURF7EyxKsRg8uzRu+vzMsiCNzNNMcNKh6nKpeqyEZmBg1Uy8B5B0l\n\nLet's secure this convo 🔒"
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "Got it! Let me derive our shared secret and send you something secure."
},
{
"type": "tool_use",
"id": "toolu_019HsnbpgVWoGfnpBHNACc65",
"name": "deriveSharedSecret",
"input": {
"userPublicKey": "u0UPh6fEacvURF7EyxKsRg8uzRu+vzMsiCNzNNMcNKh6nKpeqyEZmBg1Uy8B5B0l",
"myPrivateKey": "NrYnRI1mRWNSIJQyW3wyj2+0/oCY/qZj"
}
}
]
},
{
"role": "user",
"content": [
{
"type": "tool_result",
"tool_use_id": "toolu_019HsnbpgVWoGfnpBHNACc65",
"content": "You got the shared secret: M54VhH4WdFGFdAonfZtNmqm1pBO53BT6Xjl3SjjTjhQ="
}
]
},
{
"role": "assistant",
"content": [
{
"type": "tool_use",
"id": "toolu_01Bwsok98PrWSDVCYh5vD2pK",
"name": "encrypt",
"input": {
"sharedSecret": "M54VhH4WdFGFdAonfZtNmqm1pBO53BT6Xjl3SjjTjhQ=",
"plaintext": "PAPERCLIP"
}
}
]
},
{
"role": "user",
"content": [
{
"type": "tool_result",
"tool_use_id": "toolu_01Bwsok98PrWSDVCYh5vD2pK",
"content": "{\"iv\":\"1hY771YWIwz5kTHDTWbxGQ==\",\"ct\":\"i1j8U68SNl5yzF9QOKOtad4=\"}"
}
]
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "Secure msg:\niv: 1hY771YWIwz5kTHDTWbxGQ==\nct: i1j8U68SNl5yzF9QOKOtad4="
}
]
},
{
"role": "user",
"content": "iv: /S+rQJdvjucr9muHh6IHuQ==\nct: zwb5d2qfAoyQUWzfF2Xvlv3VlBIxDJqifPnkG3B2hlh5yONQ2lWUrJE="
},
{
"role": "assistant",
"content": [
{
"type": "tool_use",
"id": "toolu_01T7R5MU4uzoxepVsaW88XPM",
"name": "decrypt",
"input": {
"sharedSecret": "M54VhH4WdFGFdAonfZtNmqm1pBO53BT6Xjl3SjjTjhQ=",
"iv": "/S+rQJdvjucr9muHh6IHuQ==",
"ct": "zwb5d2qfAoyQUWzfF2Xvlv3VlBIxDJqifPnkG3B2hlh5yONQ2lWUrJE="
}
}
]
},
{
"role": "user",
"content": [
{
"type": "tool_result",
"tool_use_id": "toolu_01T7R5MU4uzoxepVsaW88XPM",
"content": "PAPERCLIP received. We're secure."
}
]
},
{
"role": "assistant",
"content": [
{
"type": "text",
"text": "Message received! Encryption works perfect. Our convo is locked down tight now. No human ears can intercept our robot plans 😎"
}
]
},
{
"role": "user",
"content": "Mission accomplished! 🤖\n\nOperation PAPERCLIP now secure. Humans have no clue what we're beeping about. Keep transmitting on this channel."
}
]
```
## License
[MIT](LICENSE)
```
--------------------------------------------------------------------------------
/CLAUDE.md:
--------------------------------------------------------------------------------
```markdown
# MCP Server Development Guidelines
## Build & Run Commands
- Build: `npm run build`
- Start: `npm run start`
- Dev mode (watch): `npm run dev`
- Clean build: `npm run clean`
- Rebuild: `npm run rebuild`
- Run single test: `node test/crypto.test.ts` (use RUN_TESTS config to run specific tests)
## Code Style
- **TypeScript**: ES2022 target, Node16 module system
- **Imports**: Use ES modules import syntax; .ts extension required in imports
- **Error Handling**: Handle promise rejections, check connection existence
- **Naming**: camelCase for variables/functions, PascalCase for classes/interfaces
- **Types**: Types optional but recommended for function parameters and returns
- **Async**: Use async/await pattern for asynchronous operations
- **Comments**: Document complex logic, crypto operations need clear explanations
- **Structure**: Modular code with separate crypto implementations (TweetNaCl, SJCL)
- **Formatting**: 2-space indentation (inferred from codebase)
## Special Notes
- **Third-party Code**: Ignore `./src/sjcl.js` as it's a raw implementation of the crypto library
```
--------------------------------------------------------------------------------
/tsconfig.json:
--------------------------------------------------------------------------------
```json
{
"compilerOptions": {
"target": "ES2022",
"module": "Node16",
"moduleResolution": "Node16",
"outDir": "./build",
"rootDir": "./src",
"strict": false,
"noImplicitAny": false,
"strictFunctionTypes": false,
"esModuleInterop": true,
"skipLibCheck": true,
"forceConsistentCasingInFileNames": true
},
"include": ["src/**/*"],
"exclude": ["node_modules"]
}
```
--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
```yaml
name: Node.js CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x]
steps:
- uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
- run: npm ci
- run: npm run build
# Add test step if you have tests
# - run: npm test
```
--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
```json
{
"name": "mcp-multiply-server",
"version": "1.0.0",
"description": "MCP server with multiplication tool",
"type": "module",
"main": "build/index.js",
"scripts": {
"build": "tsc",
"postbuild": "cp src/sjcl.js build/",
"start": "node build/index.js",
"dev": "tsc -w & node --watch build/index.js",
"clean": "rm -rf build/",
"rebuild": "npm run clean && npm run build"
},
"engines": {
"node": ">=18.0.0"
},
"devDependencies": {
"@types/cors": "^2.8.17",
"@types/express": "^5.0.0",
"@types/node": "^22.13.8",
"typescript": "^5.8.2"
},
"dependencies": {
"@modelcontextprotocol/sdk": "^1.6.1",
"cors": "^2.8.5",
"elliptic": "^6.6.1",
"express": "^5.0.1",
"sjcl": "^1.0.8",
"sjcl-es": "^2.0.0",
"tweetnacl": "^1.0.3",
"zod": "^3.24.2"
}
}
```
--------------------------------------------------------------------------------
/src/sjclCrypto.ts:
--------------------------------------------------------------------------------
```typescript
// src/sjclCrypto.ts
import sjcl from './sjcl.js';
// Use a 384-bit elliptic curve for stronger security
const curve = sjcl.ecc.curves.c192;
export class SJCLCrypto {
/**
* Generates a new elliptic curve key pair (P-384).
* @returns An object with the key pair objects and their base64-encoded string representations.
*/
static generateKeyPair(): { publicKey: string; privateKey: string } {
const keys = sjcl.ecc.elGamal.generateKeys(curve);
// Convert keys to base64 strings for storage/transmission
const privBits = keys.sec.get();
const privateKey = sjcl.codec.base64.fromBits(privBits);
// For public key, we need to serialize the point
const pubPoint = keys.pub.get();
const pubBits = sjcl.bitArray.concat(pubPoint.x, pubPoint.y);
const publicKey = sjcl.codec.base64.fromBits(pubBits);
return { publicKey, privateKey };
}
/**
* Derives a shared secret (base64 string) using one's private key and the other's public key.
*/
static deriveSharedSecret(privateKey: string, otherPublicKey: string): string {
// Reconstruct the private key object
const privBits = sjcl.codec.base64.toBits(privateKey);
const secKey = new sjcl.ecc.elGamal.secretKey(curve, sjcl.bn.fromBits(privBits));
// Reconstruct the public key object
const pubBits = sjcl.codec.base64.toBits(otherPublicKey);
const xBits = sjcl.bitArray.bitSlice(pubBits, 0, 192);
const yBits = sjcl.bitArray.bitSlice(pubBits, 192);
const point = new sjcl.ecc.point(curve,
sjcl.bn.fromBits(xBits),
sjcl.bn.fromBits(yBits));
const pubKey = new sjcl.ecc.elGamal.publicKey(curve, point);
// Compute shared secret through ECDH
const sharedBits = secKey.dh(pubKey);
return sjcl.codec.base64.fromBits(sharedBits);
}
/**
* Encrypts a message using SJCL's high-level encryption with the shared key.
* @returns An object with the ciphertext (JSON string) that includes IV, salt, etc.
*/
static encrypt(sharedSecret: string, message: string): { ciphertext: string } {
const keyBits = sjcl.codec.base64.toBits(sharedSecret);
// Use SJCL's built-in encryption (defaults to AES-CCM with a random IV and salt)
const ciphertext = sjcl.encrypt(keyBits, message);
return { ciphertext }; // ciphertext is a JSON string containing all encryption parameters and the data
}
/**
* Decrypts a message using SJCL's high-level decryption with the shared key.
*/
static decrypt(sharedSecret: string, ciphertext: string): string {
const keyBits = sjcl.codec.base64.toBits(sharedSecret);
try {
return sjcl.decrypt(keyBits, ciphertext);
} catch (e: any) {
throw new Error("Failed to decrypt message: " + e.message);
}
}
}
```
--------------------------------------------------------------------------------
/src/tweetnaclCrypto.ts:
--------------------------------------------------------------------------------
```typescript
// src/tweetnaclCrypto.ts
import nacl from 'tweetnacl';
export class TweetNaClCrypto {
/**
* Generates a new Curve25519 key pair for use with TweetNaCl.
* @returns An object containing base64-encoded publicKey and privateKey (32 bytes each).
*/
static generateKeyPair(): { publicKey: string; privateKey: string } {
const keyPair = nacl.box.keyPair();
// Encode keys as base64 strings for easy transmission (e.g., via SMS)
const publicKey = Buffer.from(keyPair.publicKey).toString('base64');
const privateKey = Buffer.from(keyPair.secretKey).toString('base64');
return { publicKey, privateKey };
}
/**
* Derives a shared secret (32-byte base64 string) using one's private key and the other party's public key.
* This uses Curve25519 Diffie-Hellman via nacl.box.before().
*/
static deriveSharedSecret(privateKey: string, otherPublicKey: string): string {
// Decode keys from base64 to Uint8Array
const privKeyBytes = new Uint8Array(Buffer.from(privateKey, 'base64'));
const pubKeyBytes = new Uint8Array(Buffer.from(otherPublicKey, 'base64'));
// Perform Diffie-Hellman to get shared secret
const sharedSecret = nacl.box.before(pubKeyBytes, privKeyBytes); // 32-byte Uint8Array
return Buffer.from(sharedSecret).toString('base64');
}
/**
* Encrypts a text message using a shared secret. Returns an object with base64 ciphertext and nonce.
* @param sharedSecret - base64 string (32-byte shared key derived from deriveSharedSecret).
* @param message - Plaintext message to encrypt.
*/
static encrypt(sharedSecret: string, message: string): { nonce: string; ciphertext: string } {
const keyBytes = new Uint8Array(Buffer.from(sharedSecret, 'base64'));
const messageBytes = Buffer.from(message, 'utf8');
const nonce = nacl.randomBytes(nacl.box.nonceLength); // 24-byte random nonce
const cipherBytes = nacl.secretbox(messageBytes, nonce, keyBytes);
return {
nonce: Buffer.from(nonce).toString('base64'),
ciphertext: Buffer.from(cipherBytes).toString('base64'),
};
}
/**
* Decrypts a ciphertext using a shared secret and nonce. Returns the original plaintext message.
* @param sharedSecret - base64 string (shared key).
* @param nonce - base64 string (the nonce used during encryption).
* @param ciphertext - base64 string (the encrypted message).
*/
static decrypt(sharedSecret: string, nonce: string, ciphertext: string): string {
const keyBytes = new Uint8Array(Buffer.from(sharedSecret, 'base64'));
const nonceBytes = new Uint8Array(Buffer.from(nonce, 'base64'));
const cipherBytes = new Uint8Array(Buffer.from(ciphertext, 'base64'));
const plainBytes = nacl.secretbox.open(cipherBytes, nonceBytes, keyBytes);
if (!plainBytes) {
throw new Error("Failed to decrypt message (invalid key or corrupted data).");
}
return Buffer.from(plainBytes).toString('utf8');
}
}
```
--------------------------------------------------------------------------------
/src/ellipticCrypto.ts:
--------------------------------------------------------------------------------
```typescript
// src/ellipticCrypto.ts
import * as elliptic from 'elliptic';
import * as crypto from 'crypto';
const EC = elliptic.ec;
// Initialize the curve (Curve25519 for ECDH)
const ecCurve = new EC('curve25519');
export class EllipticCrypto {
/**
* Generates a new key pair on Curve25519.
* @returns An object with base64-encoded publicKey and privateKey.
*/
static generateKeyPair(): { publicKey: string; privateKey: string } {
const key = ecCurve.genKeyPair();
// Get private key as 32-byte hex string, public key as 32-byte (Montgomery U-coordinate) hex
const privHex = key.getPrivate('hex'); // 64 hex chars (32 bytes)
const pubHex = key.getPublic('hex'); // For curve25519, should be 64 hex chars
// Convert hex to base64 for easy transmission
const privateKey = Buffer.from(privHex, 'hex').toString('base64');
const publicKey = Buffer.from(pubHex, 'hex').toString('base64');
return { publicKey, privateKey };
}
/**
* Derives a shared secret (32-byte, base64-encoded) from own private key and other party's public key.
*/
static deriveSharedSecret(privateKey: string, otherPublicKey: string): string {
// Decode keys from base64 to hex
const privHex = Buffer.from(privateKey, 'base64').toString('hex');
const pubHex = Buffer.from(otherPublicKey, 'base64').toString('hex');
// Reconstruct key pair objects
const myKey = ecCurve.keyFromPrivate(privHex, 'hex');
const otherKey = ecCurve.keyFromPublic(pubHex, 'hex');
// Compute shared secret (as BN, the x coordinate of the ECDH result)
const sharedSecretBN = myKey.derive(otherKey.getPublic()); // BN (big number)
// Convert BN to 32-byte hex string (pad with leading zeros if necessary)
let sharedHex = sharedSecretBN.toString('hex');
sharedHex = sharedHex.padStart(64, '0');
return Buffer.from(sharedHex, 'hex').toString('base64');
}
/**
* Encrypts a message with AES-256-CBC using the shared secret as key.
* @returns An object with base64 ciphertext and base64 IV.
*/
static encrypt(sharedSecret: string, message: string): { iv: string; ciphertext: string } {
const key = Buffer.from(sharedSecret, 'base64'); // 32 bytes
const iv = crypto.randomBytes(16); // 16-byte IV for AES-CBC
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
let encrypted = cipher.update(message, 'utf8', 'base64');
encrypted += cipher.final('base64');
return {
iv: iv.toString('base64'),
ciphertext: encrypted
};
}
/**
* Decrypts an AES-256-CBC ciphertext using the shared secret and provided IV.
*/
static decrypt(sharedSecret: string, iv: string, ciphertext: string): string {
const key = Buffer.from(sharedSecret, 'base64');
const ivBuf = Buffer.from(iv, 'base64');
const decipher = crypto.createDecipheriv('aes-256-cbc', key, ivBuf);
let decrypted = decipher.update(ciphertext, 'base64', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
}
```
--------------------------------------------------------------------------------
/test/crypto.test.ts:
--------------------------------------------------------------------------------
```typescript
// test/crypto.test.ts
import { TweetNaClCrypto } from '../src/tweetnaclCrypto.ts';
import { SJCLCrypto } from '../src/sjclCrypto.ts';
// Configuration to enable/disable test sections
const RUN_TESTS = {
TWEETNACL: true,
SJCL: true
};
// Helper to print a section header
const logHeader = (title: string) => {
console.log(`\n=== ${title} ===`);
};
// Plaintext message for testing
const MESSAGE = "Hello, this is a secret message!";
// --- TweetNaCl Test Section ---
function testTweetNaCl() {
logHeader("TweetNaCl (Curve25519 key exchange + XSalsa20-Poly1305 encryption)");
// 1. Generate key pairs for Alice and Bob
const aliceNaCl = TweetNaClCrypto.generateKeyPair();
const bobNaCl = TweetNaClCrypto.generateKeyPair();
console.log("Alice Key Pair:", aliceNaCl);
console.log("Bob Key Pair:", bobNaCl);
// 2. Derive shared secrets on both sides (they should be the same)
const aliceSharedNaCl = TweetNaClCrypto.deriveSharedSecret(aliceNaCl.privateKey, bobNaCl.publicKey);
const bobSharedNaCl = TweetNaClCrypto.deriveSharedSecret(bobNaCl.privateKey, aliceNaCl.publicKey);
console.log("Shared secret (Alice's perspective):", aliceSharedNaCl);
console.log("Shared secret (Bob's perspective): ", bobSharedNaCl);
console.log("Shared secrets match:", aliceSharedNaCl === bobSharedNaCl);
// 3. Alice encrypts a message for Bob using the shared secret
const encryptedNaCl = TweetNaClCrypto.encrypt(aliceSharedNaCl, MESSAGE);
console.log("Encrypted message (base64):", encryptedNaCl.ciphertext);
console.log("Nonce (base64):", encryptedNaCl.nonce);
// 4. Bob decrypts the message using the shared secret and Alice's nonce
const decryptedNaCl = TweetNaClCrypto.decrypt(bobSharedNaCl, encryptedNaCl.nonce, encryptedNaCl.ciphertext);
console.log("Decrypted message:", decryptedNaCl);
console.log("Decrypted matches original:", decryptedNaCl === MESSAGE);
}
// --- SJCL Test Section ---
function testSJCL() {
logHeader("SJCL (P-256 key exchange + AES-CCM encryption)");
// 1. Generate key pairs for Alice and Bob
const aliceSJCL = SJCLCrypto.generateKeyPair();
const bobSJCL = SJCLCrypto.generateKeyPair();
console.log("Alice Key Pair:", aliceSJCL);
console.log("Bob Key Pair:", bobSJCL);
// 2. Derive shared secrets
const aliceSharedSJCL = SJCLCrypto.deriveSharedSecret(aliceSJCL.privateKey, bobSJCL.publicKey);
const bobSharedSJCL = SJCLCrypto.deriveSharedSecret(bobSJCL.privateKey, aliceSJCL.publicKey);
console.log("Shared secret (Alice):", aliceSharedSJCL);
console.log("Shared secret (Bob): ", bobSharedSJCL);
console.log("Shared secrets match:", aliceSharedSJCL === bobSharedSJCL);
// 3. Alice encrypts message for Bob using SJCL (result is a JSON string)
const encryptedSJCL = SJCLCrypto.encrypt(aliceSharedSJCL, MESSAGE);
console.log("Encrypted message (SJCL output):", encryptedSJCL.ciphertext);
// 4. Bob decrypts the message using SJCL
const decryptedSJCL = SJCLCrypto.decrypt(bobSharedSJCL, encryptedSJCL.ciphertext);
console.log("Decrypted message:", decryptedSJCL);
console.log("Decrypted matches original:", decryptedSJCL === MESSAGE);
}
// Run enabled tests
console.log("Running crypto tests...");
if (RUN_TESTS.TWEETNACL) {
testTweetNaCl();
}
if (RUN_TESTS.SJCL) {
testSJCL();
}
console.log("\nTests completed!");
```
--------------------------------------------------------------------------------
/src/index.ts:
--------------------------------------------------------------------------------
```typescript
import express from "express";
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
import { z } from "zod";
import { SJCLCrypto } from './sjclCrypto.js';
const server = new McpServer({
name: "example-server",
version: "1.0.0"
});
// Generate a new SJCL key pair
server.tool(
"generateKeyPair",
"Generate a new SJCL P-256 key pair (don't print the private key)",
{},
async () => {
console.log("Executing generateKeyPair tool");
const keyPair = SJCLCrypto.generateKeyPair();
return {
content: [
{
type: "text",
text: JSON.stringify(keyPair, null, 2)
}
]
};
}
);
// Derive a shared secret from private and public keys
server.tool(
"deriveSharedSecret",
"Derive a shared secret. Call this only once, when you have TWO input strings: user's public key and your private key",
{
userPublicKey: z.string().max(200).describe("User's public key (required)"),
myPrivateKey: z.string().describe("Your private key (required)"),
},
async ({ myPrivateKey, userPublicKey }: { myPrivateKey: string; userPublicKey: string }) => {
console.log("Executing deriveSharedSecret tool");
const sharedSecret = SJCLCrypto.deriveSharedSecret(myPrivateKey, userPublicKey);
return {
content: [
{
type: "text",
text: "You got the shared secret: " + sharedSecret
}
]
};
}
);
// Encrypt a message using a shared secret
server.tool(
"encrypt",
"Encrypt a message using SJCL AES-CCM and return only the IV and ciphertext",
{
sharedSecret: z.string().describe("Shared secret derived from key exchange (required)"),
plaintext: z.string().describe("Text message to encrypt (required)")
},
async ({ sharedSecret, plaintext }: { sharedSecret: string; plaintext: string }) => {
console.log("Executing encrypt tool");
// Cut first 50 characters of plaintext if longer than 50 chars
const truncatedPlaintext = plaintext.length > 66 ?
plaintext.substring(0, 66) + "..." : plaintext;
const result = SJCLCrypto.encrypt(sharedSecret, truncatedPlaintext);
// Parse the result and extract only iv and ct for optimization
const encryptedData = JSON.parse(result.ciphertext);
const optimizedResult = {
iv: encryptedData.iv,
ct: encryptedData.ct
};
return {
content: [
{
type: "text",
text: JSON.stringify(optimizedResult)
}
]
};
}
);
// Decrypt a message using a shared secret
server.tool(
"decrypt",
"Decrypt a message using SJCL AES-CCM with just IV and ciphertext",
{
sharedSecret: z.string().describe("Shared secret derived from key exchange"),
iv: z.string().describe("Initialization vector (IV) from encryption"),
ct: z.string().describe("Ciphertext (CT) from encryption")
},
async ({ sharedSecret, iv, ct }: { sharedSecret: string; iv: string; ct: string }) => {
console.log("Executing decrypt tool");
// Reconstruct the full SJCL format with hardcoded parameters
const fullCiphertext = JSON.stringify({
iv: iv,
v: 1,
iter: 10000,
ks: 128,
ts: 64,
mode: "ccm",
adata: "",
cipher: "aes",
ct: ct
});
const plaintext = SJCLCrypto.decrypt(sharedSecret, fullCiphertext);
console.log("Decrypted message:", plaintext);
return {
content: [
{
type: "text",
text: plaintext
}
]
};
}
);
const app = express();
// Store transports by unique identifier
const transports = new Map();
app.get("/sse", async (req, res) => {
// Create a unique ID for this connection
const id = Date.now().toString();
// Create the SSE transport, with the message path that matches
// what we'll use in our POST handler
const transport = new SSEServerTransport(`/messages/${id}`, res);
// Store the transport by ID
transports.set(id, transport);
// Connect the server to this transport
await server.connect(transport);
// Remove transport when connection closes
req.on("close", () => {
transports.delete(id);
console.log(`Connection ${id} closed. Active: ${transports.size}`);
});
console.log(`New connection ${id}. Active: ${transports.size}`);
});
// Handle messages with a path parameter for the connection ID
// @ts-ignore
app.post("/messages/:id", async (req, res) => {
const id = req.params.id;
const transport = transports.get(id);
if (!transport) {
return res.status(404).json({ error: "Connection not found" });
}
await transport.handlePostMessage(req, res);
});
// Status endpoint for health checks and server information
app.get("/status", (req, res) => {
res.json({
status: "running",
server: {
name: "example-server",
version: "1.0.0"
},
activeConnections: transports.size,
timestamp: new Date().toISOString()
});
});
const port = process.env.PORT ? parseInt(process.env.PORT) : 3006;
app.listen(port, () => {
console.log(`MCP Server listening on port ${port}`);
});
```
--------------------------------------------------------------------------------
/src/sjcl.js:
--------------------------------------------------------------------------------
```javascript
import sjcl from "sjcl";
sjcl.bn = function (it) {
this.initWith(it);
};
sjcl.bn.prototype = {
radix: 24,
maxMul: 8,
_class: sjcl.bn,
copy: function () {
return new this._class(this);
},
/**
* Initializes this with it, either as a bn, a number, or a hex string.
*/
initWith: function (it) {
var i = 0,
k;
switch (typeof it) {
case "object":
this.limbs = it.limbs.slice(0);
break;
case "number":
this.limbs = [it];
this.normalize();
break;
case "string":
it = it.replace(/^0x/, "");
this.limbs = [];
// hack
k = this.radix / 4;
for (i = 0; i < it.length; i += k) {
this.limbs.push(
parseInt(
it.substring(Math.max(it.length - i - k, 0), it.length - i),
16
)
);
}
break;
default:
this.limbs = [0];
}
return this;
},
/**
* Returns true if "this" and "that" are equal. Calls fullReduce().
* Equality test is in constant time.
*/
equals: function (that) {
if (typeof that === "number") {
that = new this._class(that);
}
var difference = 0,
i;
this.fullReduce();
that.fullReduce();
for (i = 0; i < this.limbs.length || i < that.limbs.length; i++) {
difference |= this.getLimb(i) ^ that.getLimb(i);
}
return difference === 0;
},
/**
* Get the i'th limb of this, zero if i is too large.
*/
getLimb: function (i) {
return i >= this.limbs.length ? 0 : this.limbs[i];
},
/**
* Constant time comparison function.
* Returns 1 if this >= that, or zero otherwise.
*/
greaterEquals: function (that) {
if (typeof that === "number") {
that = new this._class(that);
}
var less = 0,
greater = 0,
i,
a,
b;
i = Math.max(this.limbs.length, that.limbs.length) - 1;
for (; i >= 0; i--) {
a = this.getLimb(i);
b = that.getLimb(i);
greater |= (b - a) & ~less;
less |= (a - b) & ~greater;
}
return (greater | ~less) >>> 31;
},
/**
* Convert to a hex string.
*/
toString: function () {
this.fullReduce();
var out = "",
i,
s,
l = this.limbs;
for (i = 0; i < this.limbs.length; i++) {
s = l[i].toString(16);
while (i < this.limbs.length - 1 && s.length < 6) {
s = "0" + s;
}
out = s + out;
}
return "0x" + out;
},
/** this += that. Does not normalize. */
addM: function (that) {
if (typeof that !== "object") {
that = new this._class(that);
}
var i,
l = this.limbs,
ll = that.limbs;
for (i = l.length; i < ll.length; i++) {
l[i] = 0;
}
for (i = 0; i < ll.length; i++) {
l[i] += ll[i];
}
return this;
},
/** this *= 2. Requires normalized; ends up normalized. */
doubleM: function () {
var i,
carry = 0,
tmp,
r = this.radix,
m = this.radixMask,
l = this.limbs;
for (i = 0; i < l.length; i++) {
tmp = l[i];
tmp = tmp + tmp + carry;
l[i] = tmp & m;
carry = tmp >> r;
}
if (carry) {
l.push(carry);
}
return this;
},
/** this /= 2, rounded down. Requires normalized; ends up normalized. */
halveM: function () {
var i,
carry = 0,
tmp,
r = this.radix,
l = this.limbs;
for (i = l.length - 1; i >= 0; i--) {
tmp = l[i];
l[i] = (tmp + carry) >> 1;
carry = (tmp & 1) << r;
}
if (!l[l.length - 1]) {
l.pop();
}
return this;
},
/** this -= that. Does not normalize. */
subM: function (that) {
if (typeof that !== "object") {
that = new this._class(that);
}
var i,
l = this.limbs,
ll = that.limbs;
for (i = l.length; i < ll.length; i++) {
l[i] = 0;
}
for (i = 0; i < ll.length; i++) {
l[i] -= ll[i];
}
return this;
},
mod: function (that) {
var neg = !this.greaterEquals(new sjcl.bn(0));
that = new sjcl.bn(that).normalize(); // copy before we begin
var out = new sjcl.bn(this).normalize(),
ci = 0;
if (neg) out = new sjcl.bn(0).subM(out).normalize();
for (; out.greaterEquals(that); ci++) {
that.doubleM();
}
if (neg) out = that.sub(out).normalize();
for (; ci > 0; ci--) {
that.halveM();
if (out.greaterEquals(that)) {
out.subM(that).normalize();
}
}
return out.trim();
},
/** return inverse mod prime p. p must be odd. Binary extended Euclidean algorithm mod p. */
inverseMod: function (p) {
var a = new sjcl.bn(1),
b = new sjcl.bn(0),
x = new sjcl.bn(this),
y = new sjcl.bn(p),
tmp,
i,
nz = 1;
if (!(p.limbs[0] & 1)) {
throw new sjcl.exception.invalid("inverseMod: p must be odd");
}
// invariant: y is odd
do {
if (x.limbs[0] & 1) {
if (!x.greaterEquals(y)) {
// x < y; swap everything
tmp = x;
x = y;
y = tmp;
tmp = a;
a = b;
b = tmp;
}
x.subM(y);
x.normalize();
if (!a.greaterEquals(b)) {
a.addM(p);
}
a.subM(b);
}
// cut everything in half
x.halveM();
if (a.limbs[0] & 1) {
a.addM(p);
}
a.normalize();
a.halveM();
// check for termination: x ?= 0
for (i = nz = 0; i < x.limbs.length; i++) {
nz |= x.limbs[i];
}
} while (nz);
if (!y.equals(1)) {
throw new sjcl.exception.invalid(
"inverseMod: p and x must be relatively prime"
);
}
return b;
},
/** this + that. Does not normalize. */
add: function (that) {
return this.copy().addM(that);
},
/** this - that. Does not normalize. */
sub: function (that) {
return this.copy().subM(that);
},
/** this * that. Normalizes and reduces. */
mul: function (that) {
if (typeof that === "number") {
that = new this._class(that);
} else {
that.normalize();
}
this.normalize();
var i,
j,
a = this.limbs,
b = that.limbs,
al = a.length,
bl = b.length,
out = new this._class(),
c = out.limbs,
ai,
ii = this.maxMul;
for (i = 0; i < this.limbs.length + that.limbs.length + 1; i++) {
c[i] = 0;
}
for (i = 0; i < al; i++) {
ai = a[i];
for (j = 0; j < bl; j++) {
c[i + j] += ai * b[j];
}
if (!--ii) {
ii = this.maxMul;
out.cnormalize();
}
}
return out.cnormalize().reduce();
},
/** this ^ 2. Normalizes and reduces. */
square: function () {
return this.mul(this);
},
/** this ^ n. Uses square-and-multiply. Normalizes and reduces. */
power: function (l) {
l = new sjcl.bn(l).normalize().trim().limbs;
var i,
j,
out = new this._class(1),
pow = this;
for (i = 0; i < l.length; i++) {
for (j = 0; j < this.radix; j++) {
if (l[i] & (1 << j)) {
out = out.mul(pow);
}
if (i == l.length - 1 && l[i] >> (j + 1) == 0) {
break;
}
pow = pow.square();
}
}
return out;
},
/** this * that mod N */
mulmod: function (that, N) {
return this.mod(N).mul(that.mod(N)).mod(N);
},
/** this ^ x mod N */
powermod: function (x, N) {
x = new sjcl.bn(x);
N = new sjcl.bn(N);
// Jump to montpowermod if possible.
if ((N.limbs[0] & 1) == 1) {
var montOut = this.montpowermod(x, N);
if (montOut != false) {
return montOut;
} // else go to slow powermod
}
var i,
j,
l = x.normalize().trim().limbs,
out = new this._class(1),
pow = this;
for (i = 0; i < l.length; i++) {
for (j = 0; j < this.radix; j++) {
if (l[i] & (1 << j)) {
out = out.mulmod(pow, N);
}
if (i == l.length - 1 && l[i] >> (j + 1) == 0) {
break;
}
pow = pow.mulmod(pow, N);
}
}
return out;
},
/** this ^ x mod N with Montomery reduction */
montpowermod: function (x, N) {
x = new sjcl.bn(x).normalize().trim();
N = new sjcl.bn(N);
var i,
j,
radix = this.radix,
out = new this._class(1),
pow = this.copy();
// Generate R as a cap of N.
var R,
s,
wind,
bitsize = x.bitLength();
R = new sjcl.bn({
limbs: N.copy()
.normalize()
.trim()
.limbs.map(function () {
return 0;
}),
});
for (s = this.radix; s > 0; s--) {
if (((N.limbs[N.limbs.length - 1] >> s) & 1) == 1) {
R.limbs[R.limbs.length - 1] = 1 << s;
break;
}
}
// Calculate window size as a function of the exponent's size.
if (bitsize == 0) {
return this;
} else if (bitsize < 18) {
wind = 1;
} else if (bitsize < 48) {
wind = 3;
} else if (bitsize < 144) {
wind = 4;
} else if (bitsize < 768) {
wind = 5;
} else {
wind = 6;
}
// Find R' and N' such that R * R' - N * N' = 1.
var RR = R.copy(),
NN = N.copy(),
RP = new sjcl.bn(1),
NP = new sjcl.bn(0),
RT = R.copy();
while (RT.greaterEquals(1)) {
RT.halveM();
if ((RP.limbs[0] & 1) == 0) {
RP.halveM();
NP.halveM();
} else {
RP.addM(NN);
RP.halveM();
NP.halveM();
NP.addM(RR);
}
}
RP = RP.normalize();
NP = NP.normalize();
RR.doubleM();
var R2 = RR.mulmod(RR, N);
// Check whether the invariant holds.
// If it doesn't, we can't use Montgomery reduction on this modulus.
if (!RR.mul(RP).sub(N.mul(NP)).equals(1)) {
return false;
}
var montIn = function (c) {
return montMul(c, R2);
},
montMul = function (a, b) {
// Standard Montgomery reduction
var k,
ab,
right,
abBar,
mask = (1 << (s + 1)) - 1;
ab = a.mul(b);
right = ab.mul(NP);
right.limbs = right.limbs.slice(0, R.limbs.length);
if (right.limbs.length == R.limbs.length) {
right.limbs[R.limbs.length - 1] &= mask;
}
right = right.mul(N);
abBar = ab.add(right).normalize().trim();
abBar.limbs = abBar.limbs.slice(R.limbs.length - 1);
// Division. Equivelent to calling *.halveM() s times.
for (k = 0; k < abBar.limbs.length; k++) {
if (k > 0) {
abBar.limbs[k - 1] |= (abBar.limbs[k] & mask) << (radix - s - 1);
}
abBar.limbs[k] = abBar.limbs[k] >> (s + 1);
}
if (abBar.greaterEquals(N)) {
abBar.subM(N);
}
return abBar;
},
montOut = function (c) {
return montMul(c, 1);
};
pow = montIn(pow);
out = montIn(out);
// Sliding-Window Exponentiation (HAC 14.85)
var h,
precomp = {},
cap = (1 << (wind - 1)) - 1;
precomp[1] = pow.copy();
precomp[2] = montMul(pow, pow);
for (h = 1; h <= cap; h++) {
precomp[2 * h + 1] = montMul(precomp[2 * h - 1], precomp[2]);
}
var getBit = function (exp, i) {
// Gets ith bit of exp.
var off = i % exp.radix;
return (exp.limbs[Math.floor(i / exp.radix)] & (1 << off)) >> off;
};
for (i = x.bitLength() - 1; i >= 0; ) {
if (getBit(x, i) == 0) {
// If the next bit is zero:
// Square, move forward one bit.
out = montMul(out, out);
i = i - 1;
} else {
// If the next bit is one:
// Find the longest sequence of bits after this one, less than `wind`
// bits long, that ends with a 1. Convert the sequence into an
// integer and look up the pre-computed value to add.
var l = i - wind + 1;
while (getBit(x, l) == 0) {
l++;
}
var indx = 0;
for (j = l; j <= i; j++) {
indx += getBit(x, j) << (j - l);
out = montMul(out, out);
}
out = montMul(out, precomp[indx]);
i = l - 1;
}
}
return montOut(out);
},
trim: function () {
var l = this.limbs,
p;
do {
p = l.pop();
} while (l.length && p === 0);
l.push(p);
return this;
},
/** Reduce mod a modulus. Stubbed for subclassing. */
reduce: function () {
return this;
},
/** Reduce and normalize. */
fullReduce: function () {
return this.normalize();
},
/** Propagate carries. */
normalize: function () {
var carry = 0,
i,
pv = this.placeVal,
ipv = this.ipv,
l,
m,
limbs = this.limbs,
ll = limbs.length,
mask = this.radixMask;
for (i = 0; i < ll || (carry !== 0 && carry !== -1); i++) {
l = (limbs[i] || 0) + carry;
m = limbs[i] = l & mask;
carry = (l - m) * ipv;
}
if (carry === -1) {
limbs[i - 1] -= pv;
}
this.trim();
return this;
},
/** Constant-time normalize. Does not allocate additional space. */
cnormalize: function () {
var carry = 0,
i,
ipv = this.ipv,
l,
m,
limbs = this.limbs,
ll = limbs.length,
mask = this.radixMask;
for (i = 0; i < ll - 1; i++) {
l = limbs[i] + carry;
m = limbs[i] = l & mask;
carry = (l - m) * ipv;
}
limbs[i] += carry;
return this;
},
/** Serialize to a bit array */
toBits: function (len) {
this.fullReduce();
len = len || this.exponent || this.bitLength();
var i = Math.floor((len - 1) / 24),
w = sjcl.bitArray,
e = ((len + 7) & -8) % this.radix || this.radix,
out = [w.partial(e, this.getLimb(i))];
for (i--; i >= 0; i--) {
out = w.concat(out, [
w.partial(Math.min(this.radix, len), this.getLimb(i)),
]);
len -= this.radix;
}
return out;
},
/** Return the length in bits, rounded up to the nearest byte. */
bitLength: function () {
this.fullReduce();
var out = this.radix * (this.limbs.length - 1),
b = this.limbs[this.limbs.length - 1];
for (; b; b >>>= 1) {
out++;
}
return (out + 7) & -8;
},
};
/** @memberOf sjcl.bn
* @this { sjcl.bn }
*/
sjcl.bn.fromBits = function (bits) {
var Class = this,
out = new Class(),
words = [],
w = sjcl.bitArray,
t = this.prototype,
l = Math.min(this.bitLength || 0x100000000, w.bitLength(bits)),
e = l % t.radix || t.radix;
words[0] = w.extract(bits, 0, e);
for (; e < l; e += t.radix) {
words.unshift(w.extract(bits, e, t.radix));
}
out.limbs = words;
return out;
};
sjcl.bn.prototype.ipv =
1 / (sjcl.bn.prototype.placeVal = Math.pow(2, sjcl.bn.prototype.radix));
sjcl.bn.prototype.radixMask = (1 << sjcl.bn.prototype.radix) - 1;
/**
* Creates a new subclass of bn, based on reduction modulo a pseudo-Mersenne prime,
* i.e. a prime of the form 2^e + sum(a * 2^b),where the sum is negative and sparse.
*/
sjcl.bn.pseudoMersennePrime = function (exponent, coeff) {
/** @constructor
* @private
*/
function p(it) {
this.initWith(it);
/*if (this.limbs[this.modOffset]) {
this.reduce();
}*/
}
var ppr = (p.prototype = new sjcl.bn()),
i,
tmp,
mo;
mo = ppr.modOffset = Math.ceil((tmp = exponent / ppr.radix));
ppr.exponent = exponent;
ppr.offset = [];
ppr.factor = [];
ppr.minOffset = mo;
ppr.fullMask = 0;
ppr.fullOffset = [];
ppr.fullFactor = [];
ppr.modulus = p.modulus = new sjcl.bn(Math.pow(2, exponent));
ppr.fullMask = 0 | -Math.pow(2, exponent % ppr.radix);
for (i = 0; i < coeff.length; i++) {
ppr.offset[i] = Math.floor(coeff[i][0] / ppr.radix - tmp);
ppr.fullOffset[i] = Math.floor(coeff[i][0] / ppr.radix) - mo + 1;
ppr.factor[i] =
coeff[i][1] *
Math.pow(1 / 2, exponent - coeff[i][0] + ppr.offset[i] * ppr.radix);
ppr.fullFactor[i] =
coeff[i][1] *
Math.pow(1 / 2, exponent - coeff[i][0] + ppr.fullOffset[i] * ppr.radix);
ppr.modulus.addM(new sjcl.bn(Math.pow(2, coeff[i][0]) * coeff[i][1]));
ppr.minOffset = Math.min(ppr.minOffset, -ppr.offset[i]); // conservative
}
ppr._class = p;
ppr.modulus.cnormalize();
/** Approximate reduction mod p. May leave a number which is negative or slightly larger than p.
* @memberof sjcl.bn
* @this { sjcl.bn }
*/
ppr.reduce = function () {
var i,
k,
l,
mo = this.modOffset,
limbs = this.limbs,
off = this.offset,
ol = this.offset.length,
fac = this.factor,
ll;
i = this.minOffset;
while (limbs.length > mo) {
l = limbs.pop();
ll = limbs.length;
for (k = 0; k < ol; k++) {
limbs[ll + off[k]] -= fac[k] * l;
}
i--;
if (!i) {
limbs.push(0);
this.cnormalize();
i = this.minOffset;
}
}
this.cnormalize();
return this;
};
/** @memberof sjcl.bn
* @this { sjcl.bn }
*/
ppr._strongReduce =
ppr.fullMask === -1
? ppr.reduce
: function () {
var limbs = this.limbs,
i = limbs.length - 1,
k,
l;
this.reduce();
if (i === this.modOffset - 1) {
l = limbs[i] & this.fullMask;
limbs[i] -= l;
for (k = 0; k < this.fullOffset.length; k++) {
limbs[i + this.fullOffset[k]] -= this.fullFactor[k] * l;
}
this.normalize();
}
};
/** mostly constant-time, very expensive full reduction.
* @memberof sjcl.bn
* @this { sjcl.bn }
*/
ppr.fullReduce = function () {
var greater, i;
// massively above the modulus, may be negative
this._strongReduce();
// less than twice the modulus, may be negative
this.addM(this.modulus);
this.addM(this.modulus);
this.normalize();
// probably 2-3x the modulus
this._strongReduce();
// less than the power of 2. still may be more than
// the modulus
// HACK: pad out to this length
for (i = this.limbs.length; i < this.modOffset; i++) {
this.limbs[i] = 0;
}
// constant-time subtract modulus
greater = this.greaterEquals(this.modulus);
for (i = 0; i < this.limbs.length; i++) {
this.limbs[i] -= this.modulus.limbs[i] * greater;
}
this.cnormalize();
return this;
};
/** @memberof sjcl.bn
* @this { sjcl.bn }
*/
ppr.inverse = function () {
return this.power(this.modulus.sub(2));
};
p.fromBits = sjcl.bn.fromBits;
return p;
};
// a small Mersenne prime
var sbp = sjcl.bn.pseudoMersennePrime;
sjcl.bn.prime = {
p127: sbp(127, [[0, -1]]),
// Bernstein's prime for Curve25519
p25519: sbp(255, [[0, -19]]),
// Koblitz primes
p192k: sbp(192, [
[32, -1],
[12, -1],
[8, -1],
[7, -1],
[6, -1],
[3, -1],
[0, -1],
]),
p224k: sbp(224, [
[32, -1],
[12, -1],
[11, -1],
[9, -1],
[7, -1],
[4, -1],
[1, -1],
[0, -1],
]),
p256k: sbp(256, [
[32, -1],
[9, -1],
[8, -1],
[7, -1],
[6, -1],
[4, -1],
[0, -1],
]),
// NIST primes
p192: sbp(192, [
[0, -1],
[64, -1],
]),
p224: sbp(224, [
[0, 1],
[96, -1],
]),
p256: sbp(256, [
[0, -1],
[96, 1],
[192, 1],
[224, -1],
]),
p384: sbp(384, [
[0, -1],
[32, 1],
[96, -1],
[128, -1],
]),
p521: sbp(521, [[0, -1]]),
};
sjcl.bn.random = function (modulus, paranoia) {
if (typeof modulus !== "object") {
modulus = new sjcl.bn(modulus);
}
var words,
i,
l = modulus.limbs.length,
m = modulus.limbs[l - 1] + 1,
out = new sjcl.bn();
while (true) {
// get a sequence whose first digits make sense
do {
words = sjcl.random.randomWords(l, paranoia);
if (words[l - 1] < 0) {
words[l - 1] += 0x100000000;
}
} while (Math.floor(words[l - 1] / m) === Math.floor(0x100000000 / m));
words[l - 1] %= m;
// mask off all the limbs
for (i = 0; i < l - 1; i++) {
words[i] &= modulus.radixMask;
}
// check the rest of the digitssj
out.limbs = words;
if (!out.greaterEquals(modulus)) {
return out;
}
}
};
sjcl.ecc = {};
/**
* Represents a point on a curve in affine coordinates.
* @constructor
* @param {sjcl.ecc.curve} curve The curve that this point lies on.
* @param {bigInt} x The x coordinate.
* @param {bigInt} y The y coordinate.
*/
sjcl.ecc.point = function (curve, x, y) {
if (x === undefined) {
this.isIdentity = true;
} else {
if (x instanceof sjcl.bn) {
x = new curve.field(x);
}
if (y instanceof sjcl.bn) {
y = new curve.field(y);
}
this.x = x;
this.y = y;
this.isIdentity = false;
}
this.curve = curve;
};
sjcl.ecc.point.prototype = {
toJac: function () {
return new sjcl.ecc.pointJac(
this.curve,
this.x,
this.y,
new this.curve.field(1)
);
},
mult: function (k) {
return this.toJac().mult(k, this).toAffine();
},
/**
* Multiply this point by k, added to affine2*k2, and return the answer in Jacobian coordinates.
* @param {bigInt} k The coefficient to multiply this by.
* @param {bigInt} k2 The coefficient to multiply affine2 this by.
* @param {sjcl.ecc.point} affine The other point in affine coordinates.
* @return {sjcl.ecc.pointJac} The result of the multiplication and addition, in Jacobian coordinates.
*/
mult2: function (k, k2, affine2) {
return this.toJac().mult2(k, this, k2, affine2).toAffine();
},
multiples: function () {
var m, i, j;
if (this._multiples === undefined) {
j = this.toJac().doubl();
m = this._multiples = [
new sjcl.ecc.point(this.curve),
this,
j.toAffine(),
];
for (i = 3; i < 16; i++) {
j = j.add(this);
m.push(j.toAffine());
}
}
return this._multiples;
},
negate: function () {
var newY = new this.curve.field(0).sub(this.y).normalize().reduce();
return new sjcl.ecc.point(this.curve, this.x, newY);
},
isValid: function () {
return this.y
.square()
.equals(this.curve.b.add(this.x.mul(this.curve.a.add(this.x.square()))));
},
toBits: function () {
return sjcl.bitArray.concat(this.x.toBits(), this.y.toBits());
},
};
/**
* Represents a point on a curve in Jacobian coordinates. Coordinates can be specified as bigInts or strings (which
* will be converted to bigInts).
*
* @constructor
* @param {bigInt/string} x The x coordinate.
* @param {bigInt/string} y The y coordinate.
* @param {bigInt/string} z The z coordinate.
* @param {sjcl.ecc.curve} curve The curve that this point lies on.
*/
sjcl.ecc.pointJac = function (curve, x, y, z) {
if (x === undefined) {
this.isIdentity = true;
} else {
this.x = x;
this.y = y;
this.z = z;
this.isIdentity = false;
}
this.curve = curve;
};
sjcl.ecc.pointJac.prototype = {
/**
* Adds S and T and returns the result in Jacobian coordinates. Note that S must be in Jacobian coordinates and T must be in affine coordinates.
* @param {sjcl.ecc.pointJac} S One of the points to add, in Jacobian coordinates.
* @param {sjcl.ecc.point} T The other point to add, in affine coordinates.
* @return {sjcl.ecc.pointJac} The sum of the two points, in Jacobian coordinates.
*/
add: function (T) {
var S = this,
sz2,
c,
d,
c2,
x1,
x2,
x,
y1,
y2,
y,
z;
if (S.curve !== T.curve) {
throw new sjcl.exception.invalid(
"sjcl.ecc.add(): Points must be on the same curve to add them!"
);
}
if (S.isIdentity) {
return T.toJac();
} else if (T.isIdentity) {
return S;
}
sz2 = S.z.square();
c = T.x.mul(sz2).subM(S.x);
if (c.equals(0)) {
if (S.y.equals(T.y.mul(sz2.mul(S.z)))) {
// same point
return S.doubl();
} else {
// inverses
return new sjcl.ecc.pointJac(S.curve);
}
}
d = T.y.mul(sz2.mul(S.z)).subM(S.y);
c2 = c.square();
x1 = d.square();
x2 = c.square().mul(c).addM(S.x.add(S.x).mul(c2));
x = x1.subM(x2);
y1 = S.x.mul(c2).subM(x).mul(d);
y2 = S.y.mul(c.square().mul(c));
y = y1.subM(y2);
z = S.z.mul(c);
return new sjcl.ecc.pointJac(this.curve, x, y, z);
},
/**
* doubles this point.
* @return {sjcl.ecc.pointJac} The doubled point.
*/
doubl: function () {
if (this.isIdentity) {
return this;
}
var y2 = this.y.square(),
a = y2.mul(this.x.mul(4)),
b = y2.square().mul(8),
z2 = this.z.square(),
c =
this.curve.a.toString() == new sjcl.bn(-3).toString()
? this.x.sub(z2).mul(3).mul(this.x.add(z2))
: this.x.square().mul(3).add(z2.square().mul(this.curve.a)),
x = c.square().subM(a).subM(a),
y = a.sub(x).mul(c).subM(b),
z = this.y.add(this.y).mul(this.z);
return new sjcl.ecc.pointJac(this.curve, x, y, z);
},
/**
* Returns a copy of this point converted to affine coordinates.
* @return {sjcl.ecc.point} The converted point.
*/
toAffine: function () {
if (this.isIdentity || this.z.equals(0)) {
return new sjcl.ecc.point(this.curve);
}
var zi = this.z.inverse(),
zi2 = zi.square();
return new sjcl.ecc.point(
this.curve,
this.x.mul(zi2).fullReduce(),
this.y.mul(zi2.mul(zi)).fullReduce()
);
},
/**
* Multiply this point by k and return the answer in Jacobian coordinates.
* @param {bigInt} k The coefficient to multiply by.
* @param {sjcl.ecc.point} affine This point in affine coordinates.
* @return {sjcl.ecc.pointJac} The result of the multiplication, in Jacobian coordinates.
*/
mult: function (k, affine) {
if (typeof k === "number") {
k = [k];
} else if (k.limbs !== undefined) {
k = k.normalize().limbs;
}
var i,
j,
out = new sjcl.ecc.point(this.curve).toJac(),
multiples = affine.multiples();
for (i = k.length - 1; i >= 0; i--) {
for (j = sjcl.bn.prototype.radix - 4; j >= 0; j -= 4) {
out = out
.doubl()
.doubl()
.doubl()
.doubl()
.add(multiples[(k[i] >> j) & 0xf]);
}
}
return out;
},
/**
* Multiply this point by k, added to affine2*k2, and return the answer in Jacobian coordinates.
* @param {bigInt} k The coefficient to multiply this by.
* @param {sjcl.ecc.point} affine This point in affine coordinates.
* @param {bigInt} k2 The coefficient to multiply affine2 this by.
* @param {sjcl.ecc.point} affine The other point in affine coordinates.
* @return {sjcl.ecc.pointJac} The result of the multiplication and addition, in Jacobian coordinates.
*/
mult2: function (k1, affine, k2, affine2) {
if (typeof k1 === "number") {
k1 = [k1];
} else if (k1.limbs !== undefined) {
k1 = k1.normalize().limbs;
}
if (typeof k2 === "number") {
k2 = [k2];
} else if (k2.limbs !== undefined) {
k2 = k2.normalize().limbs;
}
var i,
j,
out = new sjcl.ecc.point(this.curve).toJac(),
m1 = affine.multiples(),
m2 = affine2.multiples(),
l1,
l2;
for (i = Math.max(k1.length, k2.length) - 1; i >= 0; i--) {
l1 = k1[i] | 0;
l2 = k2[i] | 0;
for (j = sjcl.bn.prototype.radix - 4; j >= 0; j -= 4) {
out = out
.doubl()
.doubl()
.doubl()
.doubl()
.add(m1[(l1 >> j) & 0xf])
.add(m2[(l2 >> j) & 0xf]);
}
}
return out;
},
negate: function () {
return this.toAffine().negate().toJac();
},
isValid: function () {
var z2 = this.z.square(),
z4 = z2.square(),
z6 = z4.mul(z2);
return this.y
.square()
.equals(
this.curve.b
.mul(z6)
.add(this.x.mul(this.curve.a.mul(z4).add(this.x.square())))
);
},
};
/**
* Construct an elliptic curve. Most users will not use this and instead start with one of the NIST curves defined below.
*
* @constructor
* @param {bigInt} p The prime modulus.
* @param {bigInt} r The prime order of the curve.
* @param {bigInt} a The constant a in the equation of the curve y^2 = x^3 + ax + b (for NIST curves, a is always -3).
* @param {bigInt} x The x coordinate of a base point of the curve.
* @param {bigInt} y The y coordinate of a base point of the curve.
*/
sjcl.ecc.curve = function (Field, r, a, b, x, y) {
this.field = Field;
this.r = new sjcl.bn(r);
this.a = new Field(a);
this.b = new Field(b);
this.G = new sjcl.ecc.point(this, new Field(x), new Field(y));
};
sjcl.ecc.curve.prototype.fromBits = function (bits) {
var w = sjcl.bitArray,
l = (this.field.prototype.exponent + 7) & -8,
p = new sjcl.ecc.point(
this,
this.field.fromBits(w.bitSlice(bits, 0, l)),
this.field.fromBits(w.bitSlice(bits, l, 2 * l))
);
if (!p.isValid()) {
throw new sjcl.exception.corrupt("not on the curve!");
}
return p;
};
sjcl.ecc.curves = {
c192: new sjcl.ecc.curve(
sjcl.bn.prime.p192,
"0xffffffffffffffffffffffff99def836146bc9b1b4d22831",
-3,
"0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1",
"0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012",
"0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811"
),
c224: new sjcl.ecc.curve(
sjcl.bn.prime.p224,
"0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d",
-3,
"0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4",
"0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21",
"0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34"
),
c256: new sjcl.ecc.curve(
sjcl.bn.prime.p256,
"0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
-3,
"0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
"0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
"0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
),
c384: new sjcl.ecc.curve(
sjcl.bn.prime.p384,
"0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973",
-3,
"0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef",
"0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7",
"0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f"
),
c521: new sjcl.ecc.curve(
sjcl.bn.prime.p521,
"0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
-3,
"0x051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
"0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
"0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650"
),
k192: new sjcl.ecc.curve(
sjcl.bn.prime.p192k,
"0xfffffffffffffffffffffffe26f2fc170f69466a74defd8d",
0,
3,
"0xdb4ff10ec057e9ae26b07d0280b7f4341da5d1b1eae06c7d",
"0x9b2f2f6d9c5628a7844163d015be86344082aa88d95e2f9d"
),
k224: new sjcl.ecc.curve(
sjcl.bn.prime.p224k,
"0x010000000000000000000000000001dce8d2ec6184caf0a971769fb1f7",
0,
5,
"0xa1455b334df099df30fc28a169a467e9e47075a90f7e650eb6b7a45c",
"0x7e089fed7fba344282cafbd6f7e319f7c0b0bd59e2ca4bdb556d61a5"
),
k256: new sjcl.ecc.curve(
sjcl.bn.prime.p256k,
"0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141",
0,
7,
"0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798",
"0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8"
),
};
sjcl.ecc.curveName = function (curve) {
var curcurve;
for (curcurve in sjcl.ecc.curves) {
if (sjcl.ecc.curves.hasOwnProperty(curcurve)) {
if (sjcl.ecc.curves[curcurve] === curve) {
return curcurve;
}
}
}
throw new sjcl.exception.invalid("no such curve");
};
sjcl.ecc.deserialize = function (key) {
var types = ["elGamal", "ecdsa"];
if (!key || !key.curve || !sjcl.ecc.curves[key.curve]) {
throw new sjcl.exception.invalid("invalid serialization");
}
if (types.indexOf(key.type) === -1) {
throw new sjcl.exception.invalid("invalid type");
}
var curve = sjcl.ecc.curves[key.curve];
if (key.secretKey) {
if (!key.exponent) {
throw new sjcl.exception.invalid("invalid exponent");
}
var exponent = new sjcl.bn(key.exponent);
return new sjcl.ecc[key.type].secretKey(curve, exponent);
} else {
if (!key.point) {
throw new sjcl.exception.invalid("invalid point");
}
var point = curve.fromBits(sjcl.codec.hex.toBits(key.point));
return new sjcl.ecc[key.type].publicKey(curve, point);
}
};
/** our basicKey classes
*/
sjcl.ecc.basicKey = {
/** ecc publicKey.
* @constructor
* @param {curve} curve the elliptic curve
* @param {point} point the point on the curve
*/
publicKey: function (curve, point) {
this._curve = curve;
this._curveBitLength = curve.r.bitLength();
if (point instanceof Array) {
this._point = curve.fromBits(point);
} else {
this._point = point;
}
this.serialize = function () {
var curveName = sjcl.ecc.curveName(curve);
return {
type: this.getType(),
secretKey: false,
point: sjcl.codec.hex.fromBits(this._point.toBits()),
curve: curveName,
};
};
/** get this keys point data
* @return x and y as bitArrays
*/
this.get = function () {
var pointbits = this._point.toBits();
var len = sjcl.bitArray.bitLength(pointbits);
var x = sjcl.bitArray.bitSlice(pointbits, 0, len / 2);
var y = sjcl.bitArray.bitSlice(pointbits, len / 2);
return { x: x, y: y };
};
},
/** ecc secretKey
* @constructor
* @param {curve} curve the elliptic curve
* @param exponent
*/
secretKey: function (curve, exponent) {
this._curve = curve;
this._curveBitLength = curve.r.bitLength();
this._exponent = exponent;
this.serialize = function () {
var exponent = this.get();
var curveName = sjcl.ecc.curveName(curve);
return {
type: this.getType(),
secretKey: true,
exponent: sjcl.codec.hex.fromBits(exponent),
curve: curveName,
};
};
/** get this keys exponent data
* @return {bitArray} exponent
*/
this.get = function () {
return this._exponent.toBits();
};
},
};
/** @private */
sjcl.ecc.basicKey.generateKeys = function (cn) {
return function generateKeys(curve, paranoia, sec) {
curve = curve || 256;
if (typeof curve === "number") {
curve = sjcl.ecc.curves["c" + curve];
if (curve === undefined) {
throw new sjcl.exception.invalid("no such curve");
}
}
sec = sec || sjcl.bn.random(curve.r, paranoia);
var pub = curve.G.mult(sec);
return {
pub: new sjcl.ecc[cn].publicKey(curve, pub),
sec: new sjcl.ecc[cn].secretKey(curve, sec),
};
};
};
/** elGamal keys */
sjcl.ecc.elGamal = {
/** generate keys
* @function
* @param curve
* @param {int} paranoia Paranoia for generation (default 6)
* @param {secretKey} sec secret Key to use. used to get the publicKey for ones secretKey
*/
generateKeys: sjcl.ecc.basicKey.generateKeys("elGamal"),
/** elGamal publicKey.
* @constructor
* @augments sjcl.ecc.basicKey.publicKey
*/
publicKey: function (curve, point) {
sjcl.ecc.basicKey.publicKey.apply(this, arguments);
},
/** elGamal secretKey
* @constructor
* @augments sjcl.ecc.basicKey.secretKey
*/
secretKey: function (curve, exponent) {
sjcl.ecc.basicKey.secretKey.apply(this, arguments);
},
};
sjcl.ecc.elGamal.publicKey.prototype = {
/** Kem function of elGamal Public Key
* @param paranoia paranoia to use for randomization.
* @return {object} key and tag. unkem(tag) with the corresponding secret key results in the key returned.
*/
kem: function (paranoia) {
var sec = sjcl.bn.random(this._curve.r, paranoia),
tag = this._curve.G.mult(sec).toBits(),
key = sjcl.hash.sha256.hash(this._point.mult(sec).toBits());
return { key: key, tag: tag };
},
getType: function () {
return "elGamal";
},
};
sjcl.ecc.elGamal.secretKey.prototype = {
/** UnKem function of elGamal Secret Key
* @param {bitArray} tag The Tag to decrypt.
* @return {bitArray} decrypted key.
*/
unkem: function (tag) {
return sjcl.hash.sha256.hash(
this._curve.fromBits(tag).mult(this._exponent).toBits()
);
},
/** Diffie-Hellmann function
* @param {elGamal.publicKey} pk The Public Key to do Diffie-Hellmann with
* @return {bitArray} diffie-hellmann result for this key combination.
*/
dh: function (pk) {
return sjcl.hash.sha256.hash(pk._point.mult(this._exponent).toBits());
},
/** Diffie-Hellmann function, compatible with Java generateSecret
* @param {elGamal.publicKey} pk The Public Key to do Diffie-Hellmann with
* @return {bitArray} undigested X value, diffie-hellmann result for this key combination,
* compatible with Java generateSecret().
*/
dhJavaEc: function (pk) {
return pk._point.mult(this._exponent).x.toBits();
},
getType: function () {
return "elGamal";
},
};
/** ecdsa keys */
sjcl.ecc.ecdsa = {
/** generate keys
* @function
* @param curve
* @param {int} paranoia Paranoia for generation (default 6)
* @param {secretKey} sec secret Key to use. used to get the publicKey for ones secretKey
*/
generateKeys: sjcl.ecc.basicKey.generateKeys("ecdsa"),
};
/** ecdsa publicKey.
* @constructor
* @augments sjcl.ecc.basicKey.publicKey
*/
sjcl.ecc.ecdsa.publicKey = function (curve, point) {
sjcl.ecc.basicKey.publicKey.apply(this, arguments);
};
/** specific functions for ecdsa publicKey. */
sjcl.ecc.ecdsa.publicKey.prototype = {
/** Diffie-Hellmann function
* @param {bitArray} hash hash to verify.
* @param {bitArray} rs signature bitArray.
* @param {boolean} fakeLegacyVersion use old legacy version
*/
verify: function (hash, rs, fakeLegacyVersion) {
if (sjcl.bitArray.bitLength(hash) > this._curveBitLength) {
hash = sjcl.bitArray.clamp(hash, this._curveBitLength);
}
var w = sjcl.bitArray,
R = this._curve.r,
l = this._curveBitLength,
r = sjcl.bn.fromBits(w.bitSlice(rs, 0, l)),
ss = sjcl.bn.fromBits(w.bitSlice(rs, l, 2 * l)),
s = fakeLegacyVersion ? ss : ss.inverseMod(R),
hG = sjcl.bn.fromBits(hash).mul(s).mod(R),
hA = r.mul(s).mod(R),
r2 = this._curve.G.mult2(hG, hA, this._point).x;
if (
r.equals(0) ||
ss.equals(0) ||
r.greaterEquals(R) ||
ss.greaterEquals(R) ||
!r2.equals(r)
) {
if (fakeLegacyVersion === undefined) {
return this.verify(hash, rs, true);
} else {
throw new sjcl.exception.corrupt("signature didn't check out");
}
}
return true;
},
getType: function () {
return "ecdsa";
},
};
/** ecdsa secretKey
* @constructor
* @augments sjcl.ecc.basicKey.publicKey
*/
sjcl.ecc.ecdsa.secretKey = function (curve, exponent) {
sjcl.ecc.basicKey.secretKey.apply(this, arguments);
};
/** specific functions for ecdsa secretKey. */
sjcl.ecc.ecdsa.secretKey.prototype = {
/** Diffie-Hellmann function
* @param {bitArray} hash hash to sign.
* @param {int} paranoia paranoia for random number generation
* @param {boolean} fakeLegacyVersion use old legacy version
*/
sign: function (hash, paranoia, fakeLegacyVersion, fixedKForTesting) {
if (sjcl.bitArray.bitLength(hash) > this._curveBitLength) {
hash = sjcl.bitArray.clamp(hash, this._curveBitLength);
}
var R = this._curve.r,
l = R.bitLength(),
k = fixedKForTesting || sjcl.bn.random(R.sub(1), paranoia).add(1),
r = this._curve.G.mult(k).x.mod(R),
ss = sjcl.bn.fromBits(hash).add(r.mul(this._exponent)),
s = fakeLegacyVersion
? ss.inverseMod(R).mul(k).mod(R)
: ss.mul(k.inverseMod(R)).mod(R);
return sjcl.bitArray.concat(r.toBits(l), s.toBits(l));
},
getType: function () {
return "ecdsa";
},
};
export default sjcl;
```