9#include <botan/ecies.h>
10#include <botan/numthry.h>
11#include <botan/cipher_mode.h>
13#include <botan/internal/pk_ops_impl.h>
26class ECIES_PrivateKey
final :
public EC_PrivateKey,
public PK_Key_Agreement_Key
29 explicit ECIES_PrivateKey(
const ECDH_PrivateKey& private_key) :
30 EC_PublicKey(private_key),
31 EC_PrivateKey(private_key),
32 PK_Key_Agreement_Key(),
37 std::vector<uint8_t> public_value()
const override
39 return m_key.public_value();
42 std::string algo_name()
const override
47 std::unique_ptr<Public_Key> public_key()
const override
49 return m_key.public_key();
57 std::unique_ptr<PK_Ops::Key_Agreement>
58 create_key_agreement_op(RandomNumberGenerator& rng,
59 std::string_view params,
60 std::string_view provider)
const override;
63 ECDH_PrivateKey m_key;
71class ECIES_ECDH_KA_Operation
final :
public PK_Ops::Key_Agreement_with_KDF
74 ECIES_ECDH_KA_Operation(
const ECIES_PrivateKey& private_key, RandomNumberGenerator& rng) :
75 PK_Ops::Key_Agreement_with_KDF(
"Raw"),
81 size_t agreed_value_size()
const override {
return m_key.domain().get_p_bytes(); }
83 secure_vector<uint8_t> raw_agree(
const uint8_t w[],
size_t w_len)
override
85 const EC_Group& group = m_key.domain();
87 EC_Point input_point = group.OS2ECP(w, w_len);
88 input_point.randomize_repr(m_rng);
90 const EC_Point S = group.blinded_var_point_multiply(
91 input_point, m_key.private_value(), m_rng, m_ws);
93 if(S.on_the_curve() ==
false)
99 ECIES_PrivateKey m_key;
100 RandomNumberGenerator& m_rng;
101 std::vector<BigInt> m_ws;
104std::unique_ptr<PK_Ops::Key_Agreement>
105ECIES_PrivateKey::create_key_agreement_op(RandomNumberGenerator& rng,
107 std::string_view )
const
109 return std::make_unique<ECIES_ECDH_KA_Operation>(*
this, rng);
121PK_Key_Agreement create_key_agreement(
const PK_Key_Agreement_Key& private_key,
122 const ECIES_KA_Params& ecies_params,
124 RandomNumberGenerator& rng)
126 const ECDH_PrivateKey* ecdh_key =
dynamic_cast<const ECDH_PrivateKey*
>(&private_key);
128 if(ecdh_key ==
nullptr && (ecies_params.cofactor_mode() || ecies_params.old_cofactor_mode()
129 || ecies_params.check_mode()))
135 throw Invalid_Argument(
"ECIES: cofactor, old cofactor and check mode are only supported for ECDH_PrivateKey");
138 if(ecdh_key && (for_encryption || !ecies_params.cofactor_mode()))
141 return PK_Key_Agreement(ECIES_PrivateKey(*ecdh_key), rng,
"Raw");
144 return PK_Key_Agreement(private_key, rng,
"Raw");
152 m_ka(create_key_agreement(private_key, ecies_params, for_encryption, rng)),
153 m_params(ecies_params)
161 const EC_Point& other_public_key_point)
const
163 if(other_public_key_point.
is_zero())
170 EC_Point other_point = other_public_key_point;
183 derivation_input += eph_public_key_bin;
191 derivation_input.insert(derivation_input.end(), peh.
begin(), peh.
end());
199 std::string_view kdf_spec,
204 m_kdf_spec(kdf_spec),
206 m_compression_mode(compression_type),
212 std::string_view kdf_spec,
213 std::string_view dem_algo_spec,
215 std::string_view mac_spec,
219 ECIES_KA_Params(domain, kdf_spec, dem_key_len + mac_key_len, compression_type, flags),
220 m_dem_spec(dem_algo_spec),
221 m_dem_keylen(dem_key_len),
222 m_mac_spec(mac_spec),
223 m_mac_keylen(mac_key_len)
228 throw Invalid_Argument(
"ECIES: only one of cofactor_mode, old_cofactor_mode and check_mode can be set");
233 std::string_view kdf_spec,
234 std::string_view dem_algo_spec,
236 std::string_view mac_spec,
237 size_t mac_key_len) :
260 m_ka(private_key, ecies_params, true, rng),
261 m_params(ecies_params),
262 m_eph_public_key_bin(private_key.public_value()),
285size_t ECIES_Encryptor::maximum_input_size()
const
294size_t ECIES_Encryptor::ciphertext_length(
size_t ptext_len)
const
296 return m_eph_public_key_bin.size() +
297 m_mac->output_length() +
298 m_cipher->output_length(ptext_len);
304std::vector<uint8_t> ECIES_Encryptor::enc(
const uint8_t data[],
size_t length, RandomNumberGenerator& )
const
308 throw Invalid_State(
"ECIES: the other key is zero");
316 if(m_iv.
empty() && !m_cipher->valid_nonce_length(m_iv.
size()))
317 throw Invalid_Argument(
"ECIES with " + m_cipher->name() +
" requires an IV be set");
319 m_cipher->start(m_iv.
bits_of());
321 secure_vector<uint8_t> encrypted_data(data, data + length);
322 m_cipher->finish(encrypted_data);
326 std::vector<uint8_t> out(m_eph_public_key_bin.size() + encrypted_data.size() + m_mac->output_length());
328 buffer_insert(out, m_eph_public_key_bin.size(), encrypted_data);
332 m_mac->update(encrypted_data);
335 m_mac->update(m_label);
337 m_mac->final(out.data() + m_eph_public_key_bin.size() + encrypted_data.size());
346 m_ka(key, ecies_params, false, rng),
347 m_params(ecies_params),
357 throw Invalid_Argument(
"ECIES: gcd of cofactor and order must be 1 if check_mode is 0");
365size_t ECIES_Decryptor::plaintext_length(
size_t ctext_len)
const
368 const size_t overhead = point_size + m_mac->output_length();
370 if(ctext_len < overhead)
373 return m_cipher->output_length(ctext_len - overhead);
379secure_vector<uint8_t> ECIES_Decryptor::do_decrypt(uint8_t& valid_mask,
const uint8_t in[],
size_t in_len)
const
383 if(in_len < point_size + m_mac->output_length())
385 throw Decoding_Error(
"ECIES decryption: ciphertext is too short");
389 const std::vector<uint8_t> other_public_key_bin(in, in + point_size);
390 const std::vector<uint8_t> encrypted_data(in + point_size, in + in_len - m_mac->output_length());
391 const std::vector<uint8_t> mac_data(in + in_len - m_mac->output_length(), in + in_len);
394 EC_Point other_public_key = m_params.
domain().
OS2ECP(other_public_key_bin);
397 if(m_params.
check_mode() && !other_public_key.on_the_curve())
399 throw Decoding_Error(
"ECIES decryption: received public key is not on the curve");
408 m_mac->update(encrypted_data);
411 m_mac->update(m_label);
413 const secure_vector<uint8_t> calculated_mac = m_mac->final();
414 valid_mask =
ct_compare_u8(mac_data.data(), calculated_mac.data(), mac_data.size());
421 if(m_iv.
empty() && !m_cipher->valid_nonce_length(m_iv.
size()))
422 throw Invalid_Argument(
"ECIES with " + m_cipher->name() +
" requires an IV be set");
423 m_cipher->start(m_iv.
bits_of());
429 secure_vector<uint8_t> decrypted_data(encrypted_data.begin(), encrypted_data.end());
430 m_cipher->finish(decrypted_data);
431 return decrypted_data;
438 return secure_vector<uint8_t>();
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
static std::unique_ptr< Cipher_Mode > create_or_throw(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
ECIES_Decryptor(const PK_Key_Agreement_Key &private_key, const ECIES_System_Params &ecies_params, RandomNumberGenerator &rng)
ECIES_Encryptor(const PK_Key_Agreement_Key &private_key, const ECIES_System_Params &ecies_params, RandomNumberGenerator &rng)
SymmetricKey derive_secret(const std::vector< uint8_t > &eph_public_key_bin, const EC_Point &other_public_key_point) const
ECIES_KA_Operation(const PK_Key_Agreement_Key &private_key, const ECIES_KA_Params &ecies_params, bool for_encryption, RandomNumberGenerator &rng)
ECIES_KA_Params(const EC_Group &domain, std::string_view kdf_spec, size_t length, EC_Point_Format compression_type, ECIES_Flags flags)
size_t secret_length() const
bool old_cofactor_mode() const
const std::string kdf_spec() const
EC_Point_Format compression_type() const
bool cofactor_mode() const
bool single_hash_mode() const
const EC_Group & domain() const
size_t dem_keylen() const
returns the length of the key used by the data encryption method
ECIES_System_Params(const EC_Group &domain, std::string_view kdf_spec, std::string_view dem_algo_spec, size_t dem_key_len, std::string_view mac_spec, size_t mac_key_len)
size_t mac_keylen() const
returns the length of the key used by the message authentication code
std::unique_ptr< Cipher_Mode > create_cipher(Cipher_Dir direction) const
creates an instance of the data encryption method
std::unique_ptr< MessageAuthenticationCode > create_mac() const
creates an instance of the message authentication code
const BigInt & get_cofactor() const
const BigInt & get_order() const
size_t point_size(EC_Point_Format format) const
EC_Point OS2ECP(const uint8_t bits[], size_t len) const
std::vector< uint8_t > encode(EC_Point_Format format) const
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
secure_vector< uint8_t > bits_of() const
const uint8_t * end() const
const uint8_t * begin() const
SymmetricKey derive_key(size_t key_len, const uint8_t in[], size_t in_len, const uint8_t params[], size_t params_len) const
int(* final)(unsigned char *, CTX *)
#define BOTAN_DIAGNOSTIC_POP
#define BOTAN_DIAGNOSTIC_PUSH
#define BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
uint8_t ct_compare_u8(const uint8_t x[], const uint8_t y[], size_t len)
BigInt gcd(const BigInt &a, const BigInt &b)
std::vector< T, secure_allocator< T > > secure_vector