Here is some blurb and also some design information.
Here is the user manual and here is a challenge
If you can read zip files you can download all the sources for pegwit by pressing here.
The source containing main is pegwit.c. The other sources are ec_crypt.c, ec_curve.c, ec_field.c, ec_param.c, ec_vlong.c, square.c, sqcts.c, sha1.c and binasc.c. Included source files are ec_crypt.h, ec_curve.h, ec_field.h, ec_param.h, ec_vlong.h, sha1.h, square.h, sqcts.h, square.tab and binasc.h.
The source is intended to be completely portable; please let me know of any problems so I can fix them. The only special action needed is that either LITTLE_ENDIAN or BIG_ENDIAN may need to be defined externally. A compile-time error is reported if neither is defined and the endianness cannot be determined at compile time. A run-time error is reported if the wrong one is defined.
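The two checks described above, sketched as an added example (this is not pegwit's own code). It assumes the GCC/Clang predefined macro `__BYTE_ORDER__` for compile-time detection; the `EX_*` and `ex_*` names are hypothetical stand-ins for the LITTLE_ENDIAN / BIG_ENDIAN switches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical macro names. LITTLE_ENDIAN/BIG_ENDIAN themselves are avoided
   here because some C libraries define both as constants in <endian.h>. */
#if defined(EX_LITTLE_ENDIAN) && defined(EX_BIG_ENDIAN)
#error "define only one of EX_LITTLE_ENDIAN / EX_BIG_ENDIAN"
#elif !defined(EX_LITTLE_ENDIAN) && !defined(EX_BIG_ENDIAN)
#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define EX_LITTLE_ENDIAN
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define EX_BIG_ENDIAN
#else
#error "cannot determine endianness: define EX_LITTLE_ENDIAN or EX_BIG_ENDIAN"
#endif
#endif

enum ex_order { EX_ORDER_UNKNOWN = 0, EX_ORDER_LITTLE = 1, EX_ORDER_BIG = 2 };

/* Byte order the build was configured for (externally or by detection). */
enum ex_order ex_configured_order(void) {
#ifdef EX_LITTLE_ENDIAN
    return EX_ORDER_LITTLE;
#else
    return EX_ORDER_BIG;
#endif
}

/* Byte order actually observed in memory on the machine running the code. */
enum ex_order ex_runtime_order(void) {
    const uint32_t probe = 0x01020304u;
    unsigned char b[4];
    memcpy(b, &probe, sizeof b);
    if (b[0] == 4 && b[1] == 3 && b[2] == 2 && b[3] == 1) return EX_ORDER_LITTLE;
    if (b[0] == 1 && b[1] == 2 && b[2] == 3 && b[3] == 4) return EX_ORDER_BIG;
    return EX_ORDER_UNKNOWN; /* mixed-endian: neither macro is correct */
}

/* Run-time check: 0 if configured and observed orders agree, -1 otherwise. */
int ex_endian_selftest(void) { return ex_runtime_order() == ex_configured_order() ? 0 : -1; }

int main(void) {
    if (ex_endian_selftest() != 0) { fputs("wrong endianness macro defined\n", stderr); return 1; }
    return 0;
}
```

Building with `-DEX_BIG_ENDIAN` on a little-endian machine compiles cleanly and then fails the run-time check, which is the misconfiguration the second error exists to catch.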
pegwit.exe is a Windows 95 executable. pwkey.exe and pwjunk.exe are optional Win95 utilities for entering passwords and generating random junk. pwkey.c and pwjunk.c are (non-portable) sources for these utilities.
pegwit.exe is an MSDOS executable.
Test data
test.bat is a batch file for testing.
test.pub is the public key for test.pri
test.tx0 is test.txt encrypted with test.pub ( but note that -e is not deterministic )
test.sig is test.txt signed with test.pri (using -s)
test.tx1 is test.txt encrypted symmetrically (-E) with test.sig
test.tx2 is test.txt signed with test.pri (using -S)
test.tx3 is test.txt encrypted with test.pri (using -fe)
test.tx4 is test.txt encrypted with test.sig (using -fE)
Changes. Note that a change of first digit of the version number indicates that the new version is incompatible with earlier versions. However note that v8.7 is not encryption compatible with v8.1..v8.5.
8.0 has many changes - for one thing it is in C rather than C++ ( thanks to Paulo Barreto ). Secret values are now read from standard input, and a secret value is required for -e ( see user manual for details ). The generation of multipliers has been improved (v7 was not secure for > 2^64 signatures) and the MAC used is now 'double-barreled' SHA1 ( 240 bits = 160 bits + 80 bits ). Public keys are now partially validated : they must begin with "pegwit v8 public key ="
v8.1 : I messed up in v8.0 - prng_next was not hashing the correct data, and while not insecure, it was a mess. So v8.0 should not be used, only use v8.1 (which is not compatible). Hopefully no-one got a copy of 8.0.
v8.1 : Re-worked prng to cure endian problems. ( No version number change )
pwjunk v2.0 : printf format string in pwjunk was wrong. pwjunk revised to use kbhit and a timing loop which gives better resolution than using clock(). Also now generates a (rough) estimate of how much entropy has been gathered, and does not allow termination until estimate reaches 128 bits.
v8.1 : changed C++ style comments to C comments
v8.2 : changed -e to use single barrel hash of plain text. ( signature still uses double barrel for MAC )
v8.2 : deleted unused function cpMakePrivateKey from ec_crypt.c
v8.2 : put conditional compilation round functions which are not required for pegwit
The code is now known to run OK on a big-endian processor ( HP700 series Unix box). Thanks to Steve Gilham for this.
v8.3 : -S and -V commands added for signing text files. These make pegwit more convenient when signing email or news. Thanks to Mr. Tines for this.
v8.4 : -fX 'filter mode' commands added, also ascii 'armoring' of encrypted input/output. Again, thanks to Mr. Tines.
v8.4 : quite a few mainly cosmetic changes to ec_*.* modules ( by Paulo Barreto ). There is a new source file ec_param.c. Note that pegwit does not support different curves (yet) - these are provided for direct uses of ec_*.* in a non-pegwit context.
v8.5 : signature verification was totally bust in v8.4. There were actually two separate bugs : (1) -v was not printing any error message when signature failed. (2) -V was not doing anything at all (a boolean test was the wrong way round). THUS PEGWIT v8.4 SHOULD NEVER BE USED TO CHECK SIGNATURES! Many apologies for this major cock-up.
v8.6 : changed to using new version of square. Unfortunately I previously had not been doing the proper endian conversion, so v8.6 is not encryption compatible with earlier versions. Signatures and public/private keys functionality has not changed though. v8.6 uses cipher-text stealing to minimise expansion when encrypting. For -E encrypted files, provided the size is > 15 bytes and even, there is no change in size. Encryption and decryption is also faster in this version.
v8.7 : updated to neater cipher-text stealing : not encryption compatible with v8.6. Probably no-one got v8.6.
v8.71 : Public keys enclosed in braces {} can be split up, and need not be at the beginning of the file. New ec_*.* code, which can be compiled to use Colin Plumb's BNLIB rather than ec_vlong.c if desired (although there is no reason to do this for pegwit).
If you port pegwit to other systems, or have any suggestions or comments please let me know. Also let me know if you would like to be notified by email of any major developments, e.g. major bugs, major new versions, etc.
Send mail to George at george.barwood@dial.pipex.com
More crypto stuff (including more info on pegwit components)
My FAQ on elliptic curve cryptography HTML version