Botan 3.9.0
Crypto and TLS for C&
ecdh.cpp
Go to the documentation of this file.
1/*
2* ECDH implemenation
3* (C) 2007 Manuel Hartl, FlexSecure GmbH
4* 2007 Falko Strenzke, FlexSecure GmbH
5* 2008-2010 Jack Lloyd
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/ecdh.h>
11
12#include <botan/bigint.h>
13#include <botan/internal/pk_ops_impl.h>
14
15namespace Botan {
16
17std::unique_ptr<Public_Key> ECDH_PrivateKey::public_key() const {
18 return std::make_unique<ECDH_PublicKey>(domain(), _public_ec_point());
19}
20
21namespace {
22
23/**
24* ECDH operation
25*/
26class ECDH_KA_Operation final : public PK_Ops::Key_Agreement_with_KDF {
27 public:
28 ECDH_KA_Operation(const ECDH_PrivateKey& key, std::string_view kdf, RandomNumberGenerator& rng) :
29 PK_Ops::Key_Agreement_with_KDF(kdf),
30 m_group(key.domain()),
31 m_l_times_priv(mul_cofactor_inv(m_group, key._private_key())),
32 m_rng(rng) {}
33
34 size_t agreed_value_size() const override { return m_group.get_p_bytes(); }
35
36 secure_vector<uint8_t> raw_agree(const uint8_t w[], size_t w_len) override {
37 const auto input_point = [&] {
38 if(m_group.has_cofactor()) {
39#if defined(BOTAN_HAS_LEGACY_EC_POINT)
40 return EC_AffinePoint(m_group, m_group.get_cofactor() * m_group.OS2ECP(w, w_len));
41#else
42 throw Not_Implemented(
43 "Support for DH with cofactor adjustment not available in this build configuration");
44#endif
45 } else {
46 if(auto point = EC_AffinePoint::deserialize(m_group, {w, w_len})) {
47 return *point;
48 } else {
49 throw Decoding_Error("ECDH - Invalid elliptic curve point: not on curve");
50 }
51 }
52 }();
53
54 // Typical specs (such as BSI's TR-03111 Section 4.3.1) require that
55 // we check the resulting point of the multiplication to not be the
56 // point at infinity. However, since we ensure that our ECC private
57 // scalar can never be zero, checking the peer's input point is
58 // equivalent.
59 if(input_point.is_identity()) {
60 throw Decoding_Error("ECDH - Invalid elliptic curve point: identity");
61 }
62
63 return input_point.mul_x_only(m_l_times_priv, m_rng);
64 }
65
66 private:
67 static EC_Scalar mul_cofactor_inv(const EC_Group& group, const EC_Scalar& x) {
68 // We implement BSI TR-03111 ECKAEG which only matters in the (rare/deprecated)
69 // case of a curve with cofactor.
70
71 if(group.has_cofactor()) {
72 // We could precompute this but cofactors are rare
73 return x * EC_Scalar::from_bigint(group, group.get_cofactor()).invert_vartime();
74 } else {
75 return x;
76 }
77 }
78
79 const EC_Group m_group;
80 const EC_Scalar m_l_times_priv;
81 RandomNumberGenerator& m_rng;
82};
83
84} // namespace
85
86std::unique_ptr<Private_Key> ECDH_PublicKey::generate_another(RandomNumberGenerator& rng) const {
87 return std::make_unique<ECDH_PrivateKey>(rng, domain());
88}
89
90std::vector<uint8_t> ECDH_PublicKey::public_value(EC_Point_Format format) const {
91 return _public_ec_point().serialize(format);
92}
93
94std::unique_ptr<PK_Ops::Key_Agreement> ECDH_PrivateKey::create_key_agreement_op(RandomNumberGenerator& rng,
95 std::string_view params,
96 std::string_view provider) const {
97 if(provider == "base" || provider.empty()) {
98 return std::make_unique<ECDH_KA_Operation>(*this, params, rng);
99 }
100
101 throw Provider_Not_Found(algo_name(), provider);
102}
103
104} // namespace Botan
std::unique_ptr< Public_Key > public_key() const override
Definition ecdh.cpp:17
std::unique_ptr< PK_Ops::Key_Agreement > create_key_agreement_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition ecdh.cpp:94
std::vector< uint8_t > public_value() const
Definition ecdh.h:55
std::string algo_name() const override
Definition ecdh.h:50
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition ecdh.cpp:86
static std::optional< EC_AffinePoint > deserialize(const EC_Group &group, std::span< const uint8_t > bytes)
std::vector< uint8_t > serialize(EC_Point_Format format) const
Return an encoding depending on the requested format.
const EC_Group & domain() const
Definition ecc_key.cpp:64
const EC_AffinePoint & _public_ec_point() const
Definition ecc_key.cpp:76
static EC_Scalar from_bigint(const EC_Group &group, const BigInt &bn)
Definition ec_scalar.cpp:69
EC_Scalar invert_vartime() const
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69