//go:build ignore
// +build ignore

package paillier

// envelope provide hybrid encryption for a user with a remote cryptographic server.
// The server has a KEK and the user wants to encrypt a file.
// 1. The user generate a random user key ukey
// 2. The user use ukey to encrypt the file
// 3. The user do the followings to encrypt the ukey with KEK without leaking ukey to the server:
// 3-0. The user generate a (temporary or long term) paillier key pair (sk, pk).
// 3-1. The user encrypt ukey with paillier encryption: ukeyCipher = PaiEnc(ukey, pk)
// 3-2. The server HOMOMORPHICLY encrypt ukey with KEK: ukeyEnvelopeCipher = PaiEnc(SM4Enc(ukey, KEK), pk)
// 3-3. The user decrypt ukeyEnvelopeCipher and get ukeyEnvelope = SM4Enc(ukey, KEK)
//
// The user do the following to decrypt the ukey and then to decrypt the file.
// Also without leaking ukey.
// 1. The user generate a (temporary or long term) paillier key pair (sk, pk).
// 2. User encrypt ukeyEnvelope: ukeyEnvelopeCipher = PaiEnc(ukeyEnvelope, pk)
// 3. The server HOMORPHICLY decrypt ukeyEnvelopeCipher: ukeyCipher = PaiEnc(ukey, pk)
// 4. The user decrypt ukeyCipher, with ukey.

import (
	"fmt"
	"math/big"

	"xdx.jelly/xgcl/grand"
	"xdx.jelly/xgcl/sm/sm4"
)

// xyzw => 0x0y0z0w
var tbl = []byte{0, 1, 4, 5, 16, 17, 20, 21, 64, 65, 68, 69, 80, 81, 84, 85}

type EnvelopeUser struct{}
type EnvelopeServer struct{}

// EncryptUserKey
func (EnvelopeUser) EncryptUserKey(ukey []byte, pk *PublicKey) (ukeyCipher *Cipher, err error) {
	if len(ukey)*8*2 > pk.Bits() {
		return nil, fmt.Errorf("input key too long, should less than %d bytes", pk.Bits()/8/2)
	}
	buf := make([]byte, 0, len(ukey)*2)
	for _, k := range ukey {
		buf = append(buf, tbl[k&0xf])
		buf = append(buf, tbl[k>>4])
	}
	return pk.Encrypt(new(big.Int).SetBytes(buf), grand.Reader)
}

func DecryptKey(c *Cipher, keyLength int, priKey *PrivateKey) ([]byte, error) {
	k, err := priKey.Decrypt(c)
	_ = err
	key2 := make([]byte, keyLength*2)
	k.FillBytes(key2)
	key := make([]byte, keyLength)
	for i := 0; i < len(key); i++ {
		x := key2[2*i]
		y := key2[2*i+1]
		n := byte(0)
		n |= (x >> 0) & 1
		n |= (x >> 1) & 2
		n |= (x >> 2) & 4
		n |= (x >> 3) & 8
		key[i] = n

		n = byte(0)
		n |= (y >> 0) & 1
		n |= (y >> 1) & 2
		n |= (y >> 2) & 4
		n |= (y >> 3) & 8
		key[i] |= (n << 4)
	}
	return key, nil
}

func GenEnvelope(c0 *Cipher, kek []byte, pubkey *PublicKey) ([]byte, *Cipher, error) {
	iv := grand.GetRandom(16)
	c1, err := sm4.EncryptECB(nil, kek, iv) // c1 = sm4.Enc(iv)
	c2, err := EncryptUserKey(c1, pubkey)   // c2 = PaiEnc(sm4.Enc(iv))
	c2.HomomorphicAdd(c2, c0, pubkey)       // c2 = PaiEnc(sm4.Enc(iv) ^ key)

	_ = err
	return iv, c2, nil
}

func DecryptEnvelope(c *Cipher, prikey *PrivateKey) ([]byte, error) {
	k, err := prikey.Decrypt(c)
	_ = err
	key2 := make([]byte, 32)
	k.FillBytes(key2)
	key := make([]byte, 16)
	for i := 0; i < 16; i++ {
		x := key2[2*i]
		y := key2[2*i+1]
		n := byte(0)
		n |= (x >> 0) & 1
		n |= (x >> 1) & 2
		n |= (x >> 2) & 4
		n |= (x >> 3) & 8
		key[i] = n

		n = byte(0)
		n |= (y >> 0) & 1
		n |= (y >> 1) & 2
		n |= (y >> 2) & 4
		n |= (y >> 3) & 8
		key[i] |= (n << 4)
	}
	return key, nil
}