Botan 3.0.0-alpha0
Crypto and TLS for C&
ecdsa.cpp
Go to the documentation of this file.
1/*
2* ECDSA implemenation
3* (C) 2007 Manuel Hartl, FlexSecure GmbH
4* 2007 Falko Strenzke, FlexSecure GmbH
5* 2008-2010,2015,2016,2018 Jack Lloyd
6* 2016 René Korthaus
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/ecdsa.h>
12#include <botan/internal/pk_ops_impl.h>
13#include <botan/internal/point_mul.h>
14#include <botan/internal/keypair.h>
15#include <botan/reducer.h>
16#include <botan/internal/emsa.h>
17
18#if defined(BOTAN_HAS_RFC6979_GENERATOR)
19 #include <botan/internal/rfc6979.h>
20#endif
21
22namespace Botan {
23
24namespace {
25
26PointGFp recover_ecdsa_public_key(const EC_Group& group,
27 const std::vector<uint8_t>& msg,
28 const BigInt& r,
29 const BigInt& s,
30 uint8_t v)
31 {
32 if(group.get_cofactor() != 1)
33 throw Invalid_Argument("ECDSA public key recovery only supported for prime order groups");
34
35 if(v >= 4)
36 throw Invalid_Argument("Unexpected v param for ECDSA public key recovery");
37
38 const BigInt& group_order = group.get_order();
39
40 if(r <= 0 || r >= group_order || s <= 0 || s >= group_order)
41 {
42 throw Invalid_Argument("Out of range r/s cannot recover ECDSA public key");
43 }
44
45 const uint8_t y_odd = v % 2;
46 const uint8_t add_order = v >> 1;
47 const size_t p_bytes = group.get_p_bytes();
48
49 try
50 {
51 const BigInt e = BigInt::from_bytes_with_max_bits(msg.data(), msg.size(), group.get_order_bits());
52 const BigInt r_inv = group.inverse_mod_order(r);
53
54 BigInt x = r + add_order*group_order;
55
56 std::vector<uint8_t> X(p_bytes + 1);
57
58 X[0] = 0x02 | y_odd;
59 BigInt::encode_1363(&X[1], p_bytes, x);
60
61 const PointGFp R = group.OS2ECP(X);
62
63 if((R*group_order).is_zero() == false)
64 throw Decoding_Error("Unable to recover ECDSA public key");
65
66 // Compute r_inv * (s*R - eG)
67 PointGFp_Multi_Point_Precompute RG_mul(R, group.get_base_point());
68 const BigInt ne = group.mod_order(group_order - e);
69 return r_inv * RG_mul.multi_exp(s, ne);
70 }
71 catch(...)
72 {
73 // continue on and throw
74 }
75
76 throw Decoding_Error("Failed to recover ECDSA public key from signature/msg pair");
77 }
78
79}
80
82 const std::vector<uint8_t>& msg,
83 const BigInt& r,
84 const BigInt& s,
85 uint8_t v) :
86 EC_PublicKey(group, recover_ecdsa_public_key(group, msg, r, s, v)) {}
87
88
89uint8_t ECDSA_PublicKey::recovery_param(const std::vector<uint8_t>& msg,
90 const BigInt& r,
91 const BigInt& s) const
92 {
93 for(uint8_t v = 0; v != 4; ++v)
94 {
95 try
96 {
97 PointGFp R = recover_ecdsa_public_key(this->domain(), msg, r, s, v);
98
99 if(R == this->public_point())
100 {
101 return v;
102 }
103 }
104 catch(Decoding_Error&)
105 {
106 // try the next v
107 }
108 }
109
110 throw Internal_Error("Could not determine ECDSA recovery parameter");
111 }
112
113std::unique_ptr<Public_Key> ECDSA_PrivateKey::public_key() const
114 {
115 return std::make_unique<ECDSA_PublicKey>(domain(), public_point());
116 }
117
119 bool strong) const
120 {
121 if(!public_point().on_the_curve())
122 return false;
123
124 if(!strong)
125 return true;
126
127 return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
128 }
129
130namespace {
131
132/**
133* ECDSA signature operation
134*/
135class ECDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
136 {
137 public:
138
139 ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa,
140 const std::string& emsa,
142 PK_Ops::Signature_with_EMSA(emsa),
143 m_group(ecdsa.domain()),
144 m_x(ecdsa.private_value())
145 {
146#if defined(BOTAN_HAS_RFC6979_GENERATOR)
147 m_rfc6979.reset(new RFC6979_Nonce_Generator(this->hash_for_signature(), m_group.get_order(), m_x));
148#endif
149
150 m_b = m_group.random_scalar(rng);
151 m_b_inv = m_group.inverse_mod_order(m_b);
152 }
153
154 size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
155
156 size_t max_input_bits() const override { return m_group.get_order_bits(); }
157
158 secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
159 RandomNumberGenerator& rng) override;
160
161 private:
162 const EC_Group m_group;
163 const BigInt& m_x;
164
165#if defined(BOTAN_HAS_RFC6979_GENERATOR)
166 std::unique_ptr<RFC6979_Nonce_Generator> m_rfc6979;
167#endif
168
169 std::vector<BigInt> m_ws;
170
171 BigInt m_b, m_b_inv;
172 };
173
174secure_vector<uint8_t>
175ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
176 RandomNumberGenerator& rng)
177 {
178 BigInt m = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits());
179
180#if defined(BOTAN_HAS_RFC6979_GENERATOR)
181 const BigInt k = m_rfc6979->nonce_for(m);
182#else
183 const BigInt k = m_group.random_scalar(rng);
184#endif
185
186 const BigInt r = m_group.mod_order(
187 m_group.blinded_base_point_multiply_x(k, rng, m_ws));
188
189 const BigInt k_inv = m_group.inverse_mod_order(k);
190
191 /*
192 * Blind the input message and compute x*r+m as (x*r*b + m*b)/b
193 */
194 m_b = m_group.square_mod_order(m_b);
195 m_b_inv = m_group.square_mod_order(m_b_inv);
196
197 m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
198 const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
199
200 const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
201
202 // With overwhelming probability, a bug rather than actual zero r/s
203 if(r.is_zero() || s.is_zero())
204 throw Internal_Error("During ECDSA signature generated zero r/s");
205
206 return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
207 }
208
209/**
210* ECDSA verification operation
211*/
212class ECDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
213 {
214 public:
215 ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa,
216 const std::string& emsa) :
217 PK_Ops::Verification_with_EMSA(emsa),
218 m_group(ecdsa.domain()),
219 m_gy_mul(m_group.get_base_point(), ecdsa.public_point())
220 {
221 }
222
223 size_t max_input_bits() const override { return m_group.get_order_bits(); }
224
225 bool with_recovery() const override { return false; }
226
227 bool verify(const uint8_t msg[], size_t msg_len,
228 const uint8_t sig[], size_t sig_len) override;
229 private:
230 const EC_Group m_group;
231 const PointGFp_Multi_Point_Precompute m_gy_mul;
232 };
233
234bool ECDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
235 const uint8_t sig[], size_t sig_len)
236 {
237 if(sig_len != m_group.get_order_bytes() * 2)
238 return false;
239
240 const BigInt e = BigInt::from_bytes_with_max_bits(msg, msg_len, m_group.get_order_bits());
241
242 const BigInt r(sig, sig_len / 2);
243 const BigInt s(sig + sig_len / 2, sig_len / 2);
244
245 // Cannot be negative here since we just decoded from binary
246 if(r.is_zero() || s.is_zero())
247 return false;
248
249 if(r >= m_group.get_order() || s >= m_group.get_order())
250 return false;
251
252 const BigInt w = m_group.inverse_mod_order(s);
253
254 const BigInt u1 = m_group.multiply_mod_order(m_group.mod_order(e), w);
255 const BigInt u2 = m_group.multiply_mod_order(r, w);
256 const PointGFp R = m_gy_mul.multi_exp(u1, u2);
257
258 if(R.is_zero())
259 return false;
260
261 const BigInt v = m_group.mod_order(R.get_affine_x());
262 return (v == r);
263 }
264
265}
266
267std::unique_ptr<PK_Ops::Verification>
269 const std::string& provider) const
270 {
271 if(provider == "base" || provider.empty())
272 return std::make_unique<ECDSA_Verification_Operation>(*this, params);
273
274 throw Provider_Not_Found(algo_name(), provider);
275 }
276
277std::unique_ptr<PK_Ops::Signature>
279 const std::string& params,
280 const std::string& provider) const
281 {
282 if(provider == "base" || provider.empty())
283 return std::make_unique<ECDSA_Signature_Operation>(*this, params, rng);
284
285 throw Provider_Not_Found(algo_name(), provider);
286 }
287
288}
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:128
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:106
static BigInt from_bytes_with_max_bits(const uint8_t buf[], size_t length, size_t max_bits)
Definition: bigint.cpp:110
std::unique_ptr< Public_Key > public_key() const override
Definition: ecdsa.cpp:113
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: ecdsa.cpp:278
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: ecdsa.cpp:118
std::string algo_name() const override
Definition: ecdsa.h:61
uint8_t recovery_param(const std::vector< uint8_t > &msg, const BigInt &r, const BigInt &s) const
Definition: ecdsa.cpp:89
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: ecdsa.cpp:268
const EC_Group & domain() const
Definition: ecc_key.h:56
const PointGFp & public_point() const
Definition: ecc_key.h:41
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:377
int(* final)(unsigned char *, CTX *)
fe X
Definition: ge.cpp:26
Polynomial v
Definition: kyber.cpp:822
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:47
Definition: alg_id.cpp:13