9#include <botan/ecgdsa.h>
10#include <botan/internal/keypair.h>
11#include <botan/reducer.h>
12#include <botan/internal/pk_ops_impl.h>
13#include <botan/internal/point_mul.h>
44 const std::string& emsa) :
45 PK_Ops::Signature_with_EMSA(emsa),
46 m_group(ecgdsa.domain()),
47 m_x(ecgdsa.private_value())
51 secure_vector<uint8_t> raw_sign(
const uint8_t msg[],
size_t msg_len,
52 RandomNumberGenerator& rng)
override;
54 size_t signature_length()
const override {
return 2*m_group.get_order_bytes(); }
56 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
59 const EC_Group m_group;
61 std::vector<BigInt> m_ws;
65ECGDSA_Signature_Operation::raw_sign(
const uint8_t msg[],
size_t msg_len,
66 RandomNumberGenerator& rng)
70 const BigInt k = m_group.random_scalar(rng);
72 const BigInt r = m_group.mod_order(
73 m_group.blinded_base_point_multiply_x(k, rng, m_ws));
75 const BigInt kr = m_group.multiply_mod_order(k, r);
77 const BigInt s = m_group.multiply_mod_order(m_x, kr - m);
80 if(r.is_zero() || s.is_zero())
81 throw Internal_Error(
"During ECGDSA signature generated zero r/s");
89class ECGDSA_Verification_Operation
final :
public PK_Ops::Verification_with_EMSA
93 ECGDSA_Verification_Operation(
const ECGDSA_PublicKey& ecgdsa,
94 const std::string& emsa) :
95 PK_Ops::Verification_with_EMSA(emsa),
96 m_group(ecgdsa.domain()),
97 m_gy_mul(m_group.get_base_point(), ecgdsa.public_point())
101 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
103 bool with_recovery()
const override {
return false; }
105 bool verify(
const uint8_t msg[],
size_t msg_len,
106 const uint8_t sig[],
size_t sig_len)
override;
108 const EC_Group m_group;
109 const PointGFp_Multi_Point_Precompute m_gy_mul;
112bool ECGDSA_Verification_Operation::verify(
const uint8_t msg[],
size_t msg_len,
113 const uint8_t sig[],
size_t sig_len)
115 if(sig_len != m_group.get_order_bytes() * 2)
120 const BigInt r(sig, sig_len / 2);
121 const BigInt s(sig + sig_len / 2, sig_len / 2);
123 if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
126 const BigInt w = m_group.inverse_mod_order(r);
128 const BigInt u1 = m_group.multiply_mod_order(e, w);
129 const BigInt u2 = m_group.multiply_mod_order(s, w);
130 const PointGFp R = m_gy_mul.
multi_exp(u1, u2);
135 const BigInt
v = m_group.mod_order(R.get_affine_x());
141std::unique_ptr<PK_Ops::Verification>
143 const std::string& provider)
const
145 if(provider ==
"base" || provider.empty())
146 return std::make_unique<ECGDSA_Verification_Operation>(*
this, params);
150std::unique_ptr<PK_Ops::Signature>
152 const std::string& params,
153 const std::string& provider)
const
155 if(provider ==
"base" || provider.empty())
156 return std::make_unique<ECGDSA_Signature_Operation>(*
this, params);
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
static BigInt from_bytes_with_max_bits(const uint8_t buf[], size_t length, size_t max_bits)
std::unique_ptr< Public_Key > public_key() const override
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
bool check_key(RandomNumberGenerator &rng, bool) const override
std::string algo_name() const override
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string ¶ms, const std::string &provider) const override
const EC_Group & domain() const
const PointGFp & public_point() const
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
int(* final)(unsigned char *, CTX *)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
