Botan 3.9.0
Crypto and TLS for C&
ec_group.cpp
Go to the documentation of this file.
1/*
2* ECC Domain Parameters
3*
4* (C) 2007 Falko Strenzke, FlexSecure GmbH
5* (C) 2008,2018,2024 Jack Lloyd
6* (C) 2018 Tobias Niemann
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/ec_group.h>
12
13#include <botan/ber_dec.h>
14#include <botan/der_enc.h>
15#include <botan/mutex.h>
16#include <botan/numthry.h>
17#include <botan/pem.h>
18#include <botan/rng.h>
19#include <botan/internal/barrett.h>
20#include <botan/internal/ec_inner_data.h>
21#include <botan/internal/fmt.h>
22#include <botan/internal/primality.h>
23#include <vector>
24
25namespace Botan {
26
27class EC_Group_Data_Map final {
28 public:
29 EC_Group_Data_Map() = default;
30
31 size_t clear() {
32 lock_guard_type<mutex_type> lock(m_mutex);
33 size_t count = m_registered_curves.size();
34 m_registered_curves.clear();
35 return count;
36 }
37
38 std::shared_ptr<EC_Group_Data> lookup(const OID& oid) {
39 lock_guard_type<mutex_type> lock(m_mutex);
40
41 for(auto i : m_registered_curves) {
42 if(i->oid() == oid) {
43 return i;
44 }
45 }
46
47 // Not found, check hardcoded data
48 std::shared_ptr<EC_Group_Data> data = EC_Group::EC_group_info(oid);
49
50 if(data) {
51 m_registered_curves.push_back(data);
52 return data;
53 }
54
55 // Nope, unknown curve
56 return std::shared_ptr<EC_Group_Data>();
57 }
58
59 std::shared_ptr<EC_Group_Data> lookup_or_create(const BigInt& p,
60 const BigInt& a,
61 const BigInt& b,
62 const BigInt& g_x,
63 const BigInt& g_y,
64 const BigInt& order,
65 const BigInt& cofactor,
66 const OID& oid,
67 EC_Group_Source source) {
68 BOTAN_ASSERT_NOMSG(oid.has_value());
69
70 lock_guard_type<mutex_type> lock(m_mutex);
71
72 for(auto i : m_registered_curves) {
73 if(i->oid() == oid) {
74 /*
75 * If both OID and params are the same then we are done, just return
76 * the already registered curve obj.
77 *
78 * First verify that the params match, to catch an application
79 * that is attempting to register a EC_Group under the same OID as
80 * another group currently in use
81 */
82 if(!i->params_match(p, a, b, g_x, g_y, order, cofactor)) {
83 throw Invalid_Argument("Attempting to register a curve using OID " + oid.to_string() +
84 " but a distinct curve is already registered using that OID");
85 }
86
87 return i;
88 }
89
90 /*
91 * If the same curve was previously created without an OID but is now
92 * being registered again using an OID, save that OID.
93 *
94 * TODO(Botan4) remove this block; this situation won't be possible since
95 * we will require all groups to have an OID
96 */
97 if(i->oid().empty() && i->params_match(p, a, b, g_x, g_y, order, cofactor)) {
98 i->set_oid(oid);
99 return i;
100 }
101 }
102
103 /*
104 * Not found in current list, so we need to create a new entry
105 */
106 auto new_group = [&] {
107 if(auto g = EC_Group::EC_group_info(oid); g != nullptr) {
108 /*
109 * This turned out to be the OID of one of the builtin groups. Verify
110 * that all of the provided parameters match that builtin group.
111 */
112 BOTAN_ARG_CHECK(g->params_match(p, a, b, g_x, g_y, order, cofactor),
113 "Attempting to register an EC group under OID of hardcoded group");
114
115 return g;
116 } else {
117 /*
118 * This path is taken for an application registering a new EC_Group with an OID specified
119 */
120 return EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, oid, source);
121 }
122 }();
123
124 m_registered_curves.push_back(new_group);
125 return new_group;
126 }
127
128 std::shared_ptr<EC_Group_Data> lookup_or_create_without_oid(const BigInt& p,
129 const BigInt& a,
130 const BigInt& b,
131 const BigInt& g_x,
132 const BigInt& g_y,
133 const BigInt& order,
134 const BigInt& cofactor,
135 EC_Group_Source source) {
136 lock_guard_type<mutex_type> lock(m_mutex);
137
138 for(auto i : m_registered_curves) {
139 if(i->params_match(p, a, b, g_x, g_y, order, cofactor)) {
140 return i;
141 }
142 }
143
144 // Try to use the order as a hint to look up the group id
145 const OID oid_from_order = EC_Group::EC_group_identity_from_order(order);
146 if(oid_from_order.has_value()) {
147 auto new_group = EC_Group::EC_group_info(oid_from_order);
148
149 // Have to check all params in the (unlikely/malicious) event of an order collision
150 if(new_group && new_group->params_match(p, a, b, g_x, g_y, order, cofactor)) {
151 m_registered_curves.push_back(new_group);
152 return new_group;
153 }
154 }
155
156 /*
157 * At this point we have failed to identify the group; it is not any of
158 * the builtin values, nor is it a group that the user had previously
159 * registered explicitly. We create the group data without an OID.
160 *
161 * TODO(Botan4) remove this; throw an exception instead
162 */
163 auto new_group = EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, OID(), source);
164 m_registered_curves.push_back(new_group);
165 return new_group;
166 }
167
168 private:
169 mutex_type m_mutex;
170 // TODO(Botan4): Once OID is required we could make this into a map
171 std::vector<std::shared_ptr<EC_Group_Data>> m_registered_curves;
172};
173
174//static
175EC_Group_Data_Map& EC_Group::ec_group_data() {
176 /*
177 * This exists purely to ensure the allocator is constructed before g_ec_data,
178 * which ensures that its destructor runs after ~g_ec_data is complete.
179 */
180
181 static Allocator_Initializer g_init_allocator;
182 static EC_Group_Data_Map g_ec_data;
183 return g_ec_data;
184}
185
186//static
187size_t EC_Group::clear_registered_curve_data() {
188 return ec_group_data().clear();
189}
190
191//static
192std::shared_ptr<EC_Group_Data> EC_Group::load_EC_group_info(const char* p_str,
193 const char* a_str,
194 const char* b_str,
195 const char* g_x_str,
196 const char* g_y_str,
197 const char* order_str,
198 const OID& oid) {
199 BOTAN_ARG_CHECK(oid.has_value(), "EC_Group::load_EC_group_info OID must be set");
200
201 const BigInt p(p_str);
202 const BigInt a(a_str);
203 const BigInt b(b_str);
204 const BigInt g_x(g_x_str);
205 const BigInt g_y(g_y_str);
206 const BigInt order(order_str);
207 const BigInt cofactor(1); // implicit
208
209 return EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, oid, EC_Group_Source::Builtin);
210}
211
212//static
213std::pair<std::shared_ptr<EC_Group_Data>, bool> EC_Group::BER_decode_EC_group(std::span<const uint8_t> bits,
214 EC_Group_Source source) {
215 BER_Decoder ber(bits);
216
217 auto next_obj_type = ber.peek_next_object().type_tag();
218
219 if(next_obj_type == ASN1_Type::ObjectId) {
220 OID oid;
221 ber.decode(oid);
222
223 auto data = ec_group_data().lookup(oid);
224 if(!data) {
225 throw Decoding_Error(fmt("Unknown namedCurve OID '{}'", oid.to_string()));
226 }
227
228 return std::make_pair(data, false);
229 } else if(next_obj_type == ASN1_Type::Sequence) {
230 BigInt p;
231 BigInt a;
232 BigInt b;
233 BigInt order;
234 BigInt cofactor;
235 std::vector<uint8_t> base_pt;
236 std::vector<uint8_t> seed;
237
238 ber.start_sequence()
239 .decode_and_check<size_t>(1, "Unknown ECC param version code")
240 .start_sequence()
241 .decode_and_check(OID({1, 2, 840, 10045, 1, 1}), "Only prime ECC fields supported")
242 .decode(p)
243 .end_cons()
244 .start_sequence()
245 .decode_octet_string_bigint(a)
246 .decode_octet_string_bigint(b)
247 .decode_optional_string(seed, ASN1_Type::BitString, ASN1_Type::BitString)
248 .end_cons()
249 .decode(base_pt, ASN1_Type::OctetString)
250 .decode(order)
251 .decode(cofactor)
252 .end_cons()
253 .verify_end();
254
255 if(p.bits() < 112 || p.bits() > 521 || p.is_negative()) {
256 throw Decoding_Error("ECC p parameter is invalid size");
257 }
258
259 // TODO(Botan4) we can remove this check since we'll only accept pre-registered groups
260 auto mod_p = Barrett_Reduction::for_public_modulus(p);
261 if(!is_bailie_psw_probable_prime(p, mod_p)) {
262 throw Decoding_Error("ECC p parameter is not a prime");
263 }
264
265 if(a.is_negative() || a >= p) {
266 throw Decoding_Error("Invalid ECC a parameter");
267 }
268
269 if(b <= 0 || b >= p) {
270 throw Decoding_Error("Invalid ECC b parameter");
271 }
272
273 if(order.is_negative() || order.is_zero() || order >= 2 * p) {
274 throw Decoding_Error("Invalid ECC group order");
275 }
276
277 // TODO(Botan4) we can remove this check since we'll only accept pre-registered groups
278 auto mod_order = Barrett_Reduction::for_public_modulus(order);
279 if(!is_bailie_psw_probable_prime(order, mod_order)) {
280 throw Decoding_Error("Invalid ECC order parameter");
281 }
282
283 // TODO(Botan4) Require cofactor == 1
284 if(cofactor <= 0 || cofactor >= 16) {
285 throw Decoding_Error("Invalid ECC cofactor parameter");
286 }
287
288 const size_t p_bytes = p.bytes();
289 if(base_pt.size() != 1 + p_bytes && base_pt.size() != 1 + 2 * p_bytes) {
290 throw Decoding_Error("Invalid ECC base point encoding");
291 }
292
293 auto [g_x, g_y] = [&]() {
294 const uint8_t hdr = base_pt[0];
295
296 if(hdr == 0x04 && base_pt.size() == 1 + 2 * p_bytes) {
297 BigInt x = BigInt::decode(&base_pt[1], p_bytes);
298 BigInt y = BigInt::decode(&base_pt[p_bytes + 1], p_bytes);
299
300 if(x < p && y < p) {
301 return std::make_pair(x, y);
302 }
303 } else if((hdr == 0x02 || hdr == 0x03) && base_pt.size() == 1 + p_bytes) {
304 // TODO(Botan4) remove this branch; we won't support compressed points
305 BigInt x = BigInt::decode(&base_pt[1], p_bytes);
306 BigInt y = sqrt_modulo_prime(((x * x + a) * x + b) % p, p);
307
308 if(x < p && y >= 0) {
309 const bool y_mod_2 = (hdr & 0x01) == 1;
310 if(y.get_bit(0) != y_mod_2) {
311 y = p - y;
312 }
313
314 return std::make_pair(x, y);
315 }
316 }
317
318 throw Decoding_Error("Invalid ECC base point encoding");
319 }();
320
321 // TODO(Botan4) we can remove this check since we'll only accept pre-registered groups
322 auto y2 = mod_p.square(g_y);
323 auto x3_ax_b = mod_p.reduce(mod_p.cube(g_x) + mod_p.multiply(a, g_x) + b);
324 if(y2 != x3_ax_b) {
325 throw Decoding_Error("Invalid ECC base point");
326 }
327
328 auto data = ec_group_data().lookup_or_create_without_oid(p, a, b, g_x, g_y, order, cofactor, source);
329 return std::make_pair(data, true);
330 } else if(next_obj_type == ASN1_Type::Null) {
331 throw Decoding_Error("Decoding ImplicitCA ECC parameters is not supported");
332 } else {
333 throw Decoding_Error(
334 fmt("Unexpected tag {} while decoding ECC domain params", asn1_tag_to_string(next_obj_type)));
335 }
336}
337
338EC_Group::EC_Group() = default;
339
340EC_Group::~EC_Group() = default;
341
342EC_Group::EC_Group(const EC_Group&) = default;
343
344EC_Group& EC_Group::operator=(const EC_Group&) = default;
345
346// Internal constructor
347EC_Group::EC_Group(std::shared_ptr<EC_Group_Data>&& data) : m_data(std::move(data)) {}
348
349//static
350bool EC_Group::supports_named_group(std::string_view name) {
351 return EC_Group::known_named_groups().contains(std::string(name));
352}
353
354//static
355bool EC_Group::supports_application_specific_group() {
356#if defined(BOTAN_HAS_LEGACY_EC_POINT) || defined(BOTAN_HAS_PCURVES_GENERIC)
357 return true;
358#else
359 return false;
360#endif
361}
362
363//static
364bool EC_Group::supports_application_specific_group_with_cofactor() {
365#if defined(BOTAN_HAS_LEGACY_EC_POINT)
366 return true;
367#else
368 return false;
369#endif
370}
371
372//static
373EC_Group EC_Group::from_OID(const OID& oid) {
374 auto data = ec_group_data().lookup(oid);
375
376 if(!data) {
377 throw Invalid_Argument(fmt("No EC_Group associated with OID '{}'", oid.to_string()));
378 }
379
380 return EC_Group(std::move(data));
381}
382
383//static
384EC_Group EC_Group::from_name(std::string_view name) {
385 std::shared_ptr<EC_Group_Data> data;
386
387 if(auto oid = OID::from_name(name)) {
388 data = ec_group_data().lookup(oid.value());
389 }
390
391 if(!data) {
392 throw Invalid_Argument(fmt("Unknown EC_Group '{}'", name));
393 }
394
395 return EC_Group(std::move(data));
396}
397
398EC_Group::EC_Group(std::string_view str) {
399 if(str.empty()) {
400 return; // no initialization / uninitialized
401 }
402
403 try {
404 const OID oid = OID::from_string(str);
405 if(oid.has_value()) {
406 m_data = ec_group_data().lookup(oid);
407 }
408 } catch(...) {}
409
410 if(m_data == nullptr) {
411 if(str.size() > 30 && str.starts_with("-----BEGIN EC PARAMETERS-----")) {
412 // OK try it as PEM ...
413 const auto ber = PEM_Code::decode_check_label(str, "EC PARAMETERS");
414
415 auto data = BER_decode_EC_group(ber, EC_Group_Source::ExternalSource);
416 this->m_data = data.first;
417 this->m_explicit_encoding = data.second;
418 }
419 }
420
421 if(m_data == nullptr) {
422 throw Invalid_Argument(fmt("Unknown ECC group '{}'", str));
423 }
424}
425
426//static
427EC_Group EC_Group::from_PEM(std::string_view pem) {
428 const auto ber = PEM_Code::decode_check_label(pem, "EC PARAMETERS");
429 return EC_Group(ber);
430}
431
432EC_Group::EC_Group(const BigInt& p,
433 const BigInt& a,
434 const BigInt& b,
435 const BigInt& base_x,
436 const BigInt& base_y,
437 const BigInt& order,
438 const BigInt& cofactor,
439 const OID& oid) {
440 if(oid.has_value()) {
441 m_data = ec_group_data().lookup_or_create(
442 p, a, b, base_x, base_y, order, cofactor, oid, EC_Group_Source::ExternalSource);
443 } else {
444 m_data = ec_group_data().lookup_or_create_without_oid(
445 p, a, b, base_x, base_y, order, cofactor, EC_Group_Source::ExternalSource);
446 }
447}
448
449EC_Group::EC_Group(const OID& oid,
450 const BigInt& p,
451 const BigInt& a,
452 const BigInt& b,
453 const BigInt& base_x,
454 const BigInt& base_y,
455 const BigInt& order) {
456 BOTAN_ARG_CHECK(oid.has_value(), "An OID is required for creating an EC_Group");
457
458 // TODO(Botan4) remove this and require 192 bits minimum
459#if defined(BOTAN_DISABLE_DEPRECATED_FEATURES)
460 constexpr size_t p_bits_lower_bound = 192;
461#else
462 constexpr size_t p_bits_lower_bound = 128;
463#endif
464
465 BOTAN_ARG_CHECK(p.bits() >= p_bits_lower_bound, "EC_Group p too small");
466 BOTAN_ARG_CHECK(p.bits() <= 521, "EC_Group p too large");
467
468 if(p.bits() == 521) {
469 const auto p521 = BigInt::power_of_2(521) - 1;
470 BOTAN_ARG_CHECK(p == p521, "EC_Group with p of 521 bits must be 2**521-1");
471 } else if(p.bits() == 239) {
472 const auto x962_p239 = []() {
473 BigInt p239;
474 for(size_t i = 0; i != 239; ++i) {
475 if(i < 47 || ((i >= 94) && (i != 143))) {
476 p239.set_bit(i);
477 }
478 }
479 return p239;
480 }();
481
482 BOTAN_ARG_CHECK(p == x962_p239, "EC_Group with p of 239 bits must be the X9.62 prime");
483 } else {
484 BOTAN_ARG_CHECK(p.bits() % 32 == 0, "EC_Group p must be a multiple of 32 bits");
485 }
486
487 BOTAN_ARG_CHECK(p % 4 == 3, "EC_Group p must be congruent to 3 modulo 4");
488
489 BOTAN_ARG_CHECK(a >= 0 && a < p, "EC_Group a is invalid");
490 BOTAN_ARG_CHECK(b > 0 && b < p, "EC_Group b is invalid");
491 BOTAN_ARG_CHECK(base_x >= 0 && base_x < p, "EC_Group base_x is invalid");
492 BOTAN_ARG_CHECK(base_y >= 0 && base_y < p, "EC_Group base_y is invalid");
493 BOTAN_ARG_CHECK(p.bits() == order.bits(), "EC_Group p and order must have the same number of bits");
494
495 auto mod_p = Barrett_Reduction::for_public_modulus(p);
496 BOTAN_ARG_CHECK(is_bailie_psw_probable_prime(p, mod_p), "EC_Group p is not prime");
497
498 auto mod_order = Barrett_Reduction::for_public_modulus(order);
499 BOTAN_ARG_CHECK(is_bailie_psw_probable_prime(order, mod_order), "EC_Group order is not prime");
500
501 // This catches someone "ignoring" a cofactor and just trying to
502 // provide the subgroup order
503 BOTAN_ARG_CHECK((p - order).abs().bits() <= (p.bits() / 2) + 1, "Hasse bound invalid");
504
505 // Check that 4*a^3 + 27*b^2 != 0
506 const auto discriminant = mod_p.reduce(mod_p.multiply(BigInt::from_s32(4), mod_p.cube(a)) +
507 mod_p.multiply(BigInt::from_s32(27), mod_p.square(b)));
508 BOTAN_ARG_CHECK(discriminant != 0, "EC_Group discriminant is invalid");
509
510 // Check that the generator (base_x,base_y) is on the curve; y^2 = x^3 + a*x + b
511 auto y2 = mod_p.square(base_y);
512 auto x3_ax_b = mod_p.reduce(mod_p.cube(base_x) + mod_p.multiply(a, base_x) + b);
513 BOTAN_ARG_CHECK(y2 == x3_ax_b, "EC_Group generator is not on the curve");
514
515 BigInt cofactor(1);
516
517 m_data =
518 ec_group_data().lookup_or_create(p, a, b, base_x, base_y, order, cofactor, oid, EC_Group_Source::ExternalSource);
519}
520
521EC_Group::EC_Group(std::span<const uint8_t> ber) {
522 auto data = BER_decode_EC_group(ber, EC_Group_Source::ExternalSource);
523 m_data = data.first;
524 m_explicit_encoding = data.second;
525}
526
527const EC_Group_Data& EC_Group::data() const {
528 if(m_data == nullptr) {
529 throw Invalid_State("EC_Group uninitialized");
530 }
531 return *m_data;
532}
533
534size_t EC_Group::get_p_bits() const {
535 return data().p_bits();
536}
537
538size_t EC_Group::get_p_bytes() const {
539 return data().p_bytes();
540}
541
542size_t EC_Group::get_order_bits() const {
543 return data().order_bits();
544}
545
546size_t EC_Group::get_order_bytes() const {
547 return data().order_bytes();
548}
549
550const BigInt& EC_Group::get_p() const {
551 return data().p();
552}
553
554const BigInt& EC_Group::get_a() const {
555 return data().a();
556}
557
558const BigInt& EC_Group::get_b() const {
559 return data().b();
560}
561
562#if defined(BOTAN_HAS_LEGACY_EC_POINT)
563const EC_Point& EC_Group::get_base_point() const {
564 return data().base_point();
565}
566
567const EC_Point& EC_Group::generator() const {
568 return data().base_point();
569}
570
571bool EC_Group::verify_public_element(const EC_Point& point) const {
572 //check that public point is not at infinity
573 if(point.is_zero()) {
574 return false;
575 }
576
577 //check that public point is on the curve
578 if(point.on_the_curve() == false) {
579 return false;
580 }
581
582 //check that public point has order q
583 if((point * get_order()).is_zero() == false) {
584 return false;
585 }
586
587 if(has_cofactor()) {
588 if((point * get_cofactor()).is_zero()) {
589 return false;
590 }
591 }
592
593 return true;
594}
595
596#endif
597
598const BigInt& EC_Group::get_order() const {
599 return data().order();
600}
601
602const BigInt& EC_Group::get_g_x() const {
603 return data().g_x();
604}
605
606const BigInt& EC_Group::get_g_y() const {
607 return data().g_y();
608}
609
610const BigInt& EC_Group::get_cofactor() const {
611 return data().cofactor();
612}
613
614bool EC_Group::has_cofactor() const {
615 return data().has_cofactor();
616}
617
618const OID& EC_Group::get_curve_oid() const {
619 return data().oid();
620}
621
622EC_Group_Source EC_Group::source() const {
623 return data().source();
624}
625
626EC_Group_Engine EC_Group::engine() const {
627 return data().engine();
628}
629
630std::vector<uint8_t> EC_Group::DER_encode() const {
631 const auto& der_named_curve = data().der_named_curve();
632 // TODO(Botan4) this can be removed because an OID will always be defined
633 if(der_named_curve.empty()) {
634 throw Encoding_Error("Cannot encode EC_Group as OID because OID not set");
635 }
636
637 return der_named_curve;
638}
639
640std::vector<uint8_t> EC_Group::DER_encode(EC_Group_Encoding form) const {
641 if(form == EC_Group_Encoding::Explicit) {
642 std::vector<uint8_t> output;
643 DER_Encoder der(output);
644 const size_t ecpVers1 = 1;
645 const OID curve_type("1.2.840.10045.1.1"); // prime field
646
647 const size_t p_bytes = get_p_bytes();
648
649 const auto generator = EC_AffinePoint::generator(*this).serialize_uncompressed();
650
651 der.start_sequence()
652 .encode(ecpVers1)
653 .start_sequence()
654 .encode(curve_type)
655 .encode(get_p())
656 .end_cons()
657 .start_sequence()
658 .encode(get_a().serialize(p_bytes), ASN1_Type::OctetString)
659 .encode(get_b().serialize(p_bytes), ASN1_Type::OctetString)
660 .end_cons()
661 .encode(generator, ASN1_Type::OctetString)
662 .encode(get_order())
663 .encode(get_cofactor())
664 .end_cons();
665 return output;
666 } else if(form == EC_Group_Encoding::NamedCurve) {
667 return this->DER_encode();
668 } else if(form == EC_Group_Encoding::ImplicitCA) {
669 return {0x00, 0x05};
670 } else {
671 throw Internal_Error("EC_Group::DER_encode: Unknown encoding");
672 }
673}
674
675std::string EC_Group::PEM_encode(EC_Group_Encoding form) const {
676 const std::vector<uint8_t> der = DER_encode(form);
677 return PEM_Code::encode(der, "EC PARAMETERS");
678}
679
680bool EC_Group::operator==(const EC_Group& other) const {
681 if(m_data == other.m_data) {
682 return true; // same shared rep
683 }
684
685 return (get_p() == other.get_p() && get_a() == other.get_a() && get_b() == other.get_b() &&
686 get_g_x() == other.get_g_x() && get_g_y() == other.get_g_y() && get_order() == other.get_order() &&
687 get_cofactor() == other.get_cofactor());
688}
689
690bool EC_Group::verify_group(RandomNumberGenerator& rng, bool strong) const {
691 const bool is_builtin = source() == EC_Group_Source::Builtin;
692
693 if(is_builtin && !strong) {
694 return true;
695 }
696
697 // TODO(Botan4) this can probably all be removed once the deprecated EC_Group
698 // constructor is removed, since at that point it no longer becomes possible
699 // to create an EC_Group which fails to satisfy these conditions
700
701 const BigInt& p = get_p();
702 const BigInt& a = get_a();
703 const BigInt& b = get_b();
704 const BigInt& order = get_order();
705
706 if(p <= 3 || order <= 0) {
707 return false;
708 }
709 if(a < 0 || a >= p) {
710 return false;
711 }
712 if(b <= 0 || b >= p) {
713 return false;
714 }
715
716 const size_t test_prob = 128;
717 const bool is_randomly_generated = is_builtin;
718
719 //check if field modulus is prime
720 if(!is_prime(p, rng, test_prob, is_randomly_generated)) {
721 return false;
722 }
723
724 //check if order is prime
725 if(!is_prime(order, rng, test_prob, is_randomly_generated)) {
726 return false;
727 }
728
729 //compute the discriminant: 4*a^3 + 27*b^2 which must be nonzero
730 auto mod_p = Barrett_Reduction::for_public_modulus(p);
731
732 const BigInt discriminant = mod_p.reduce(mod_p.multiply(BigInt::from_s32(4), mod_p.cube(a)) +
733 mod_p.multiply(BigInt::from_s32(27), mod_p.square(b)));
734
735 if(discriminant == 0) {
736 return false;
737 }
738
739 //check for valid cofactor
740 if(get_cofactor() < 1) {
741 return false;
742 }
743
744#if defined(BOTAN_HAS_LEGACY_EC_POINT)
745 const EC_Point& base_point = get_base_point();
746 //check if the base point is on the curve
747 if(!base_point.on_the_curve()) {
748 return false;
749 }
750 if((base_point * get_cofactor()).is_zero()) {
751 return false;
752 }
753 //check if order of the base point is correct
754 if(!(base_point * order).is_zero()) {
755 return false;
756 }
757#endif
758
759 // check the Hasse bound (roughly)
760 if((p - get_cofactor() * order).abs().bits() > (p.bits() / 2) + 1) {
761 return false;
762 }
763
764 return true;
765}
766
767EC_Group::Mul2Table::Mul2Table(EC_Group::Mul2Table&& other) noexcept = default;
768
769EC_Group::Mul2Table& EC_Group::Mul2Table::operator=(EC_Group::Mul2Table&& other) noexcept = default;
770
771EC_Group::Mul2Table::Mul2Table(const EC_AffinePoint& h) : m_tbl(h._group()->make_mul2_table(h._inner())) {}
772
773EC_Group::Mul2Table::~Mul2Table() = default;
774
775std::optional<EC_AffinePoint> EC_Group::Mul2Table::mul2_vartime(const EC_Scalar& x, const EC_Scalar& y) const {
776 auto pt = m_tbl->mul2_vartime(x._inner(), y._inner());
777 if(pt) {
778 return EC_AffinePoint::_from_inner(std::move(pt));
779 } else {
780 return {};
781 }
782}
783
784bool EC_Group::Mul2Table::mul2_vartime_x_mod_order_eq(const EC_Scalar& v,
785 const EC_Scalar& x,
786 const EC_Scalar& y) const {
787 return m_tbl->mul2_vartime_x_mod_order_eq(v._inner(), x._inner(), y._inner());
788}
789
790bool EC_Group::Mul2Table::mul2_vartime_x_mod_order_eq(const EC_Scalar& v,
791 const EC_Scalar& c,
792 const EC_Scalar& x,
793 const EC_Scalar& y) const {
794 return this->mul2_vartime_x_mod_order_eq(v, c * x, c * y);
795}
796
797} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::Barrett_Reduction::for_public_modulus
static Barrett_Reduction for_public_modulus(const BigInt &m)
Definition barrett.cpp:33
Botan::BigInt::decode
static BigInt decode(const uint8_t buf[], size_t length)
Definition bigint.h:857
Botan::BigInt::set_bit
void set_bit(size_t n)
Definition bigint.h:463
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:311
Botan::BigInt::power_of_2
static BigInt power_of_2(size_t n)
Definition bigint.h:820
Botan::BigInt::from_s32
static BigInt from_s32(int32_t n)
Definition bigint.cpp:41
Botan::DER_Encoder
Definition der_enc.h:23
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:65
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:173
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:252
Botan::EC_AffinePoint
Definition ec_apoint.h:36
Botan::EC_AffinePoint::serialize_uncompressed
T serialize_uncompressed() const
Definition ec_apoint.h:203
Botan::EC_AffinePoint::_from_inner
static EC_AffinePoint _from_inner(std::unique_ptr< EC_AffinePoint_Data > inner)
Definition ec_apoint.cpp:234
Botan::EC_AffinePoint::generator
static EC_AffinePoint generator(const EC_Group &group)
Return the standard group generator.
Definition ec_apoint.cpp:84
Botan::EC_Group::Mul2Table
Table for computing g*x + h*y.
Definition ec_group.h:334
Botan::EC_Group::Mul2Table::operator=
Mul2Table & operator=(const Mul2Table &other)=delete
Botan::EC_Group::Mul2Table::mul2_vartime
std::optional< EC_AffinePoint > mul2_vartime(const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:775
Botan::EC_Group::Mul2Table::~Mul2Table
~Mul2Table()
Botan::EC_Group::Mul2Table::Mul2Table
BOTAN_FUTURE_EXPLICIT Mul2Table(const EC_AffinePoint &h)
Definition ec_group.cpp:771
Botan::EC_Group::Mul2Table::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar &v, const EC_Scalar &x, const EC_Scalar &y) const
Definition ec_group.cpp:784
Botan::EC_Group_Data
Definition ec_inner_data.h:127
Botan::EC_Group_Data::create
static std::shared_ptr< EC_Group_Data > create(const BigInt &p, const BigInt &a, const BigInt &b, const BigInt &g_x, const BigInt &g_y, const BigInt &order, const BigInt &cofactor, const OID &oid, EC_Group_Source source)
Definition ec_inner_data.cpp:103
Botan::EC_Group
Definition ec_group.h:87
Botan::EC_Group::~EC_Group
~EC_Group()
Botan::EC_Group::from_name
static EC_Group from_name(std::string_view name)
Definition ec_group.cpp:384
Botan::EC_Group::from_PEM
static EC_Group from_PEM(std::string_view pem)
Definition ec_group.cpp:427
Botan::EC_Group::get_b
const BigInt & get_b() const
Definition ec_group.cpp:558
Botan::EC_Group::get_a
const BigInt & get_a() const
Definition ec_group.cpp:554
Botan::EC_Group::get_g_y
const BigInt & get_g_y() const
Definition ec_group.cpp:606
Botan::EC_Group::get_cofactor
const BigInt & get_cofactor() const
Definition ec_group.cpp:610
Botan::EC_Group::mod_order
BigInt mod_order(const BigInt &x) const
Definition ec_group.h:664
Botan::EC_Group::operator==
bool operator==(const EC_Group &other) const
Definition ec_group.cpp:680
Botan::EC_Group::supports_application_specific_group_with_cofactor
static bool supports_application_specific_group_with_cofactor()
Definition ec_group.cpp:364
Botan::EC_Group::engine
EC_Group_Engine engine() const
Definition ec_group.cpp:626
Botan::EC_Group::source
EC_Group_Source source() const
Definition ec_group.cpp:622
Botan::EC_Group::get_p
const BigInt & get_p() const
Definition ec_group.cpp:550
Botan::EC_Group::verify_group
bool verify_group(RandomNumberGenerator &rng, bool strong=false) const
Definition ec_group.cpp:690
Botan::EC_Group::get_order
const BigInt & get_order() const
Definition ec_group.cpp:598
Botan::EC_Group::get_p_bits
size_t get_p_bits() const
Definition ec_group.cpp:534
Botan::EC_Group::from_OID
static EC_Group from_OID(const OID &oid)
Definition ec_group.cpp:373
Botan::EC_Group::EC_group_info
static std::shared_ptr< EC_Group_Data > EC_group_info(const OID &oid)
Definition ec_named.cpp:15
Botan::EC_Group::DER_encode
std::vector< uint8_t > DER_encode() const
Definition ec_group.cpp:630
Botan::EC_Group::get_g_x
const BigInt & get_g_x() const
Definition ec_group.cpp:602
Botan::EC_Group::EC_Group
EC_Group(const BigInt &p, const BigInt &a, const BigInt &b, const BigInt &base_x, const BigInt &base_y, const BigInt &order, const BigInt &cofactor, const OID &oid=OID())
Definition ec_group.cpp:432
Botan::EC_Group::get_curve_oid
const OID & get_curve_oid() const
Definition ec_group.cpp:618
Botan::EC_Group::supports_application_specific_group
static bool supports_application_specific_group()
Definition ec_group.cpp:355
Botan::EC_Group::known_named_groups
static const std::set< std::string > & known_named_groups()
Definition ec_named.cpp:476
Botan::EC_Group::has_cofactor
bool has_cofactor() const
Definition ec_group.cpp:614
Botan::EC_Group::EC_Group
EC_Group()
Botan::EC_Group::clear_registered_curve_data
static size_t clear_registered_curve_data()
Definition ec_group.cpp:187
Botan::EC_Group::supports_named_group
static bool supports_named_group(std::string_view name)
Definition ec_group.cpp:350
Botan::EC_Group::operator=
EC_Group & operator=(const EC_Group &)
Botan::EC_Group::get_p_bytes
size_t get_p_bytes() const
Definition ec_group.cpp:538
Botan::EC_Group::EC_group_identity_from_order
static OID EC_group_identity_from_order(const BigInt &order)
Definition ec_named.cpp:356
Botan::EC_Group::PEM_encode
std::string PEM_encode(EC_Group_Encoding form=EC_Group_Encoding::Explicit) const
Definition ec_group.cpp:675
Botan::EC_Group::get_order_bits
size_t get_order_bits() const
Definition ec_group.cpp:542
Botan::EC_Group::get_order_bytes
size_t get_order_bytes() const
Definition ec_group.cpp:546
Botan::EC_Point
Definition ec_point.h:33
Botan::EC_Point::on_the_curve
bool on_the_curve() const
Definition ec_point.cpp:675
Botan::EC_Scalar
Definition ec_scalar.h:28
Botan::EC_Scalar::_inner
const EC_Scalar_Data & _inner() const
Definition ec_scalar.h:244
Botan::Encoding_Error
Definition exceptn.h:181
Botan::Internal_Error
Definition exceptn.h:321
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Invalid_State
Definition exceptn.h:206
Botan::OID::from_name
static std::optional< OID > from_name(std::string_view name)
Definition asn1_oid.cpp:72
Botan::OID::has_value
bool has_value() const
Definition asn1_obj.h:271
Botan::OID::to_string
std::string to_string() const
Definition asn1_oid.cpp:125
Botan::OID::from_string
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
Botan::PEM_Code::encode
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39
Botan::PEM_Code::decode_check_label
secure_vector< uint8_t > decode_check_label(DataSource &source, std::string_view label_want)
Definition pem.cpp:49
Botan::PEM_Code::decode
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition pem.cpp:62
Botan::mutex_type
noop_mutex mutex_type
Definition mutex.h:37
Botan::asn1_tag_to_string
std::string asn1_tag_to_string(ASN1_Type type)
Definition asn1_obj.cpp:93
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::abs
BigInt abs(const BigInt &n)
Definition numthry.h:24
Botan::lock
secure_vector< T > lock(const std::vector< T > &in)
Definition secmem.h:81
Botan::is_bailie_psw_probable_prime
bool is_bailie_psw_probable_prime(const BigInt &n, const Barrett_Reduction &mod_n)
Definition primality.cpp:98
Botan::is_prime
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:354
Botan::EC_Group_Engine
EC_Group_Engine
Definition ec_group.h:66
Botan::lock_guard_type
lock_guard< T > lock_guard_type
Definition mutex.h:55
Botan::sqrt_modulo_prime
BigInt sqrt_modulo_prime(const BigInt &a, const BigInt &p)
Definition numthry.cpp:26
Botan::EC_Group_Source
EC_Group_Source
Definition ec_group.h:56
Botan::EC_Group_Encoding
EC_Group_Encoding
Definition ec_group.h:36
Generated by doxygen 1.14.0