Botan  2.4.0
Crypto and TLS for C++11
eckcdsa.cpp
Go to the documentation of this file.
1 /*
2 * ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
3 * (C) 2016 RenĂ© Korthaus, Sirrix AG
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/eckcdsa.h>
9 #include <botan/internal/pk_ops_impl.h>
10 #include <botan/keypair.h>
11 #include <botan/reducer.h>
12 #include <botan/emsa.h>
13 #include <botan/hash.h>
14 #include <botan/rng.h>
15 
16 namespace Botan {
17 
19  bool strong) const
20  {
21  if(!public_point().on_the_curve())
22  {
23  return false;
24  }
25 
26  if(!strong)
27  {
28  return true;
29  }
30 
31  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
32  }
33 
34 namespace {
35 
36 /**
37 * ECKCDSA signature operation
38 */
39 class ECKCDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
40  {
41  public:
42 
43  ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa,
44  const std::string& emsa) :
46  m_order(eckcdsa.domain().get_order()),
47  m_base_point(eckcdsa.domain().get_base_point(), m_order),
48  m_x(eckcdsa.private_value()),
49  m_mod_order(m_order),
50  m_prefix()
51  {
52  const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
53  const BigInt public_point_y = eckcdsa.public_point().get_affine_y();
54 
55  m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
56  public_point_x.binary_encode(m_prefix.data());
57  public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
58  m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
59  }
60 
61  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
62  RandomNumberGenerator& rng) override;
63 
64  size_t max_input_bits() const override { return m_order.bits(); }
65 
66  bool has_prefix() override { return true; }
67  secure_vector<uint8_t> message_prefix() const override { return m_prefix; }
68 
69  private:
70  const BigInt& m_order;
71  Blinded_Point_Multiply m_base_point;
72  const BigInt& m_x;
73  Modular_Reducer m_mod_order;
74  secure_vector<uint8_t> m_prefix;
75  };
76 
78 ECKCDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t,
80  {
81  const BigInt k = BigInt::random_integer(rng, 1, m_order);
82  const PointGFp k_times_P = m_base_point.blinded_multiply(k, rng);
83  const BigInt k_times_P_x = k_times_P.get_affine_x();
84 
85  secure_vector<uint8_t> to_be_hashed(k_times_P_x.bytes());
86  k_times_P_x.binary_encode(to_be_hashed.data());
87 
88  std::unique_ptr<EMSA> emsa = this->clone_emsa();
89  emsa->update(to_be_hashed.data(), to_be_hashed.size());
90  secure_vector<uint8_t> c = emsa->raw_data();
91  c = emsa->encoding_of(c, max_input_bits(), rng);
92 
93  const BigInt r(c.data(), c.size());
94 
95  xor_buf(c, msg, c.size());
96  BigInt w(c.data(), c.size());
97  w = m_mod_order.reduce(w);
98 
99  const BigInt s = m_mod_order.multiply(m_x, k - w);
100  BOTAN_ASSERT(s != 0, "invalid s");
101 
102  secure_vector<uint8_t> output = BigInt::encode_1363(r, c.size());
103  output += BigInt::encode_1363(s, m_order.bytes());
104  return output;
105  }
106 
107 /**
108 * ECKCDSA verification operation
109 */
110 class ECKCDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
111  {
112  public:
113 
114  ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa,
115  const std::string& emsa) :
117  m_base_point(eckcdsa.domain().get_base_point()),
118  m_public_point(eckcdsa.public_point()),
119  m_order(eckcdsa.domain().get_order()),
120  m_mod_order(m_order),
121  m_prefix()
122  {
123  const BigInt public_point_x = m_public_point.get_affine_x();
124  const BigInt public_point_y = m_public_point.get_affine_y();
125 
126  m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
127  public_point_x.binary_encode(&m_prefix[0]);
128  public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
129  m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
130  }
131 
132  bool has_prefix() override { return true; }
133  secure_vector<uint8_t> message_prefix() const override { return m_prefix; }
134 
135  size_t max_input_bits() const override { return m_order.bits(); }
136 
137  bool with_recovery() const override { return false; }
138 
139  bool verify(const uint8_t msg[], size_t msg_len,
140  const uint8_t sig[], size_t sig_len) override;
141  private:
142  const PointGFp& m_base_point;
143  const PointGFp& m_public_point;
144  const BigInt& m_order;
145  // FIXME: should be offered by curve
146  Modular_Reducer m_mod_order;
147  secure_vector<uint8_t> m_prefix;
148  };
149 
150 bool ECKCDSA_Verification_Operation::verify(const uint8_t msg[], size_t,
151  const uint8_t sig[], size_t sig_len)
152  {
153  const std::unique_ptr<HashFunction> hash = HashFunction::create(hash_for_signature());
154  //calculate size of r
155  size_t size_r = std::min(hash -> output_length(), m_order.bytes());
156  if(sig_len != size_r+m_order.bytes())
157  {
158  return false;
159  }
160 
161  secure_vector<uint8_t> r(sig, sig + size_r);
162 
163  // check that 0 < s < q
164  const BigInt s(sig + size_r, m_order.bytes());
165 
166  if(s <= 0 || s >= m_order)
167  {
168  return false;
169  }
170 
171  secure_vector<uint8_t> r_xor_e(r);
172  xor_buf(r_xor_e, msg, r.size());
173  BigInt w(r_xor_e.data(), r_xor_e.size());
174  w = m_mod_order.reduce(w);
175 
176  const PointGFp q = multi_exponentiate(m_base_point, w, m_public_point, s);
177  const BigInt q_x = q.get_affine_x();
178  secure_vector<uint8_t> c(q_x.bytes());
179  q_x.binary_encode(c.data());
180  std::unique_ptr<EMSA> emsa = this->clone_emsa();
181  emsa->update(c.data(), c.size());
182  secure_vector<uint8_t> v = emsa->raw_data();
183  Null_RNG rng;
184  v = emsa->encoding_of(v, max_input_bits(), rng);
185 
186  return (v == r);
187  }
188 
189 }
190 
191 std::unique_ptr<PK_Ops::Verification>
193  const std::string& provider) const
194  {
195  if(provider == "base" || provider.empty())
196  return std::unique_ptr<PK_Ops::Verification>(new ECKCDSA_Verification_Operation(*this, params));
197  throw Provider_Not_Found(algo_name(), provider);
198  }
199 
200 std::unique_ptr<PK_Ops::Signature>
202  const std::string& params,
203  const std::string& provider) const
204  {
205  if(provider == "base" || provider.empty())
206  return std::unique_ptr<PK_Ops::Signature>(new ECKCDSA_Signature_Operation(*this, params));
207  throw Provider_Not_Found(algo_name(), provider);
208  }
209 
210 }
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: eckcdsa.cpp:18
const BigInt & private_value() const
Definition: ecc_key.cpp:112
const PointGFp & get_base_point() const
Definition: ec_group.h:96
const PointGFp & public_point() const
Definition: ecc_key.h:57
void binary_encode(uint8_t buf[]) const
Definition: bigint.cpp:269
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
BigInt get_affine_x() const
Definition: point_gfp.cpp:389
BigInt get_affine_y() const
Definition: point_gfp.cpp:401
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:29
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:201
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:163
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:192
const EC_Group & domain() const
Definition: ecc_key.h:72
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:106
Definition: alg_id.cpp:13
size_t bytes() const
Definition: bigint.cpp:175
const BigInt & get_order() const
Definition: ec_group.h:102
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
MechanismType hash
PointGFp multi_exponentiate(const PointGFp &p1, const BigInt &z1, const PointGFp &p2, const BigInt &z2)
Definition: point_gfp.cpp:247
std::string algo_name() const override
Definition: eckcdsa.h:44