Botan  2.7.0
Crypto and TLS for C++11
ecgdsa.cpp
Go to the documentation of this file.
1 /*
2 * ECGDSA (BSI-TR-03111, version 2.0)
3 * (C) 2016 RenĂ© Korthaus
4 * (C) 2018 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/ecgdsa.h>
10 #include <botan/keypair.h>
11 #include <botan/reducer.h>
12 #include <botan/internal/pk_ops_impl.h>
13 #include <botan/internal/point_mul.h>
14 
15 namespace Botan {
16 
18  bool strong) const
19  {
20  if(!public_point().on_the_curve())
21  return false;
22 
23  if(!strong)
24  return true;
25 
26  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
27  }
28 
29 namespace {
30 
31 /**
32 * ECGDSA signature operation
33 */
34 class ECGDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
35  {
36  public:
37 
38  ECGDSA_Signature_Operation(const ECGDSA_PrivateKey& ecgdsa,
39  const std::string& emsa) :
40  PK_Ops::Signature_with_EMSA(emsa),
41  m_group(ecgdsa.domain()),
42  m_x(ecgdsa.private_value())
43  {
44  }
45 
46  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
47  RandomNumberGenerator& rng) override;
48 
49  size_t max_input_bits() const override { return m_group.get_order_bits(); }
50 
51  private:
52  const EC_Group m_group;
53  const BigInt& m_x;
54  std::vector<BigInt> m_ws;
55  };
56 
57 secure_vector<uint8_t>
58 ECGDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
59  RandomNumberGenerator& rng)
60  {
61  const BigInt m(msg, msg_len, m_group.get_order_bits());
62 
63  const BigInt k = m_group.random_scalar(rng);
64 
65  const BigInt r = m_group.mod_order(
66  m_group.blinded_base_point_multiply_x(k, rng, m_ws));
67 
68  const BigInt kr = m_group.multiply_mod_order(k, r);
69 
70  const BigInt s = m_group.multiply_mod_order(m_x, kr - m);
71 
72  // With overwhelming probability, a bug rather than actual zero r/s
73  if(r.is_zero() || s.is_zero())
74  throw Internal_Error("During ECGDSA signature generated zero r/s");
75 
76  return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
77  }
78 
79 /**
80 * ECGDSA verification operation
81 */
82 class ECGDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
83  {
84  public:
85 
86  ECGDSA_Verification_Operation(const ECGDSA_PublicKey& ecgdsa,
87  const std::string& emsa) :
88  PK_Ops::Verification_with_EMSA(emsa),
89  m_group(ecgdsa.domain()),
90  m_gy_mul(m_group.get_base_point(), ecgdsa.public_point())
91  {
92  }
93 
94  size_t max_input_bits() const override { return m_group.get_order_bits(); }
95 
96  bool with_recovery() const override { return false; }
97 
98  bool verify(const uint8_t msg[], size_t msg_len,
99  const uint8_t sig[], size_t sig_len) override;
100  private:
101  const EC_Group m_group;
102  const PointGFp_Multi_Point_Precompute m_gy_mul;
103  };
104 
105 bool ECGDSA_Verification_Operation::verify(const uint8_t msg[], size_t msg_len,
106  const uint8_t sig[], size_t sig_len)
107  {
108  if(sig_len != m_group.get_order_bytes() * 2)
109  return false;
110 
111  const BigInt e(msg, msg_len, m_group.get_order_bits());
112 
113  const BigInt r(sig, sig_len / 2);
114  const BigInt s(sig + sig_len / 2, sig_len / 2);
115 
116  if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
117  return false;
118 
119  const BigInt w = m_group.inverse_mod_order(r);
120 
121  const BigInt u1 = m_group.multiply_mod_order(e, w);
122  const BigInt u2 = m_group.multiply_mod_order(s, w);
123  const PointGFp R = m_gy_mul.multi_exp(u1, u2);
124 
125  if(R.is_zero())
126  return false;
127 
128  const BigInt v = m_group.mod_order(R.get_affine_x());
129  return (v == r);
130  }
131 
132 }
133 
134 std::unique_ptr<PK_Ops::Verification>
136  const std::string& provider) const
137  {
138  if(provider == "base" || provider.empty())
139  return std::unique_ptr<PK_Ops::Verification>(new ECGDSA_Verification_Operation(*this, params));
140  throw Provider_Not_Found(algo_name(), provider);
141  }
142 
143 std::unique_ptr<PK_Ops::Signature>
145  const std::string& params,
146  const std::string& provider) const
147  {
148  if(provider == "base" || provider.empty())
149  return std::unique_ptr<PK_Ops::Signature>(new ECGDSA_Signature_Operation(*this, params));
150  throw Provider_Not_Found(algo_name(), provider);
151  }
152 
153 }
std::string algo_name() const override
Definition: ecgdsa.h:44
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:341
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: ecgdsa.cpp:144
const PointGFp & public_point() const
Definition: ecc_key.h:57
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: ecgdsa.cpp:135
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
Definition: alg_id.cpp:13
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: ecgdsa.cpp:17
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:103