Botan  2.10.0
Crypto and TLS for C++11
eckcdsa.cpp
Go to the documentation of this file.
1 /*
2 * ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
3 * (C) 2016 RenĂ© Korthaus, Sirrix AG
4 * (C) 2018 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/eckcdsa.h>
10 #include <botan/internal/pk_ops_impl.h>
11 #include <botan/internal/point_mul.h>
12 #include <botan/keypair.h>
13 #include <botan/reducer.h>
14 #include <botan/emsa.h>
15 #include <botan/hash.h>
16 #include <botan/rng.h>
17 
18 namespace Botan {
19 
21  bool strong) const
22  {
23  if(!public_point().on_the_curve())
24  {
25  return false;
26  }
27 
28  if(!strong)
29  {
30  return true;
31  }
32 
33  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
34  }
35 
36 namespace {
37 
38 /**
39 * ECKCDSA signature operation
40 */
41 class ECKCDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
42  {
43  public:
44 
45  ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa,
46  const std::string& emsa) :
48  m_group(eckcdsa.domain()),
49  m_x(eckcdsa.private_value()),
50  m_prefix()
51  {
52  const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
53  const BigInt public_point_y = eckcdsa.public_point().get_affine_y();
54 
55  m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
56  public_point_x.binary_encode(m_prefix.data());
57  public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
58  m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
59  }
60 
61  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
62  RandomNumberGenerator& rng) override;
63 
64  size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
65  size_t max_input_bits() const override { return m_group.get_order_bits(); }
66 
67  bool has_prefix() override { return true; }
68  secure_vector<uint8_t> message_prefix() const override { return m_prefix; }
69 
70  private:
71  const EC_Group m_group;
72  const BigInt& m_x;
73  secure_vector<uint8_t> m_prefix;
74  std::vector<BigInt> m_ws;
75  };
76 
78 ECKCDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t,
80  {
81  const BigInt k = m_group.random_scalar(rng);
82  const BigInt k_times_P_x = m_group.blinded_base_point_multiply_x(k, rng, m_ws);
83 
84  secure_vector<uint8_t> to_be_hashed(k_times_P_x.bytes());
85  k_times_P_x.binary_encode(to_be_hashed.data());
86 
87  std::unique_ptr<EMSA> emsa = this->clone_emsa();
88  emsa->update(to_be_hashed.data(), to_be_hashed.size());
89  secure_vector<uint8_t> c = emsa->raw_data();
90  c = emsa->encoding_of(c, max_input_bits(), rng);
91 
92  const BigInt r(c.data(), c.size());
93 
94  xor_buf(c, msg, c.size());
95  BigInt w(c.data(), c.size());
96  w = m_group.mod_order(w);
97 
98  const BigInt s = m_group.multiply_mod_order(m_x, k - w);
99  if(s.is_zero())
100  throw Internal_Error("During ECKCDSA signature generation created zero s");
101 
102  secure_vector<uint8_t> output = BigInt::encode_1363(r, c.size());
103  output += BigInt::encode_1363(s, m_group.get_order_bytes());
104  return output;
105  }
106 
107 /**
108 * ECKCDSA verification operation
109 */
110 class ECKCDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
111  {
112  public:
113 
114  ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa,
115  const std::string& emsa) :
117  m_group(eckcdsa.domain()),
118  m_gy_mul(m_group.get_base_point(), eckcdsa.public_point()),
119  m_prefix()
120  {
121  const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
122  const BigInt public_point_y = eckcdsa.public_point().get_affine_y();
123 
124  m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
125  public_point_x.binary_encode(&m_prefix[0]);
126  public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
127  m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
128  }
129 
130  bool has_prefix() override { return true; }
131  secure_vector<uint8_t> message_prefix() const override { return m_prefix; }
132 
133  size_t max_input_bits() const override { return m_group.get_order_bits(); }
134 
135  bool with_recovery() const override { return false; }
136 
137  bool verify(const uint8_t msg[], size_t msg_len,
138  const uint8_t sig[], size_t sig_len) override;
139  private:
140  const EC_Group m_group;
141  const PointGFp_Multi_Point_Precompute m_gy_mul;
142  secure_vector<uint8_t> m_prefix;
143  };
144 
145 bool ECKCDSA_Verification_Operation::verify(const uint8_t msg[], size_t,
146  const uint8_t sig[], size_t sig_len)
147  {
148  const std::unique_ptr<HashFunction> hash = HashFunction::create(hash_for_signature());
149  //calculate size of r
150 
151  const size_t order_bytes = m_group.get_order_bytes();
152 
153  const size_t size_r = std::min(hash -> output_length(), order_bytes);
154  if(sig_len != size_r + order_bytes)
155  {
156  return false;
157  }
158 
159  secure_vector<uint8_t> r(sig, sig + size_r);
160 
161  // check that 0 < s < q
162  const BigInt s(sig + size_r, order_bytes);
163 
164  if(s <= 0 || s >= m_group.get_order())
165  {
166  return false;
167  }
168 
169  secure_vector<uint8_t> r_xor_e(r);
170  xor_buf(r_xor_e, msg, r.size());
171  BigInt w(r_xor_e.data(), r_xor_e.size());
172  w = m_group.mod_order(w);
173 
174  const PointGFp q = m_gy_mul.multi_exp(w, s);
175  const BigInt q_x = q.get_affine_x();
176  secure_vector<uint8_t> c(q_x.bytes());
177  q_x.binary_encode(c.data());
178  std::unique_ptr<EMSA> emsa = this->clone_emsa();
179  emsa->update(c.data(), c.size());
180  secure_vector<uint8_t> v = emsa->raw_data();
181  Null_RNG rng;
182  v = emsa->encoding_of(v, max_input_bits(), rng);
183 
184  return (v == r);
185  }
186 
187 }
188 
189 std::unique_ptr<PK_Ops::Verification>
191  const std::string& provider) const
192  {
193  if(provider == "base" || provider.empty())
194  return std::unique_ptr<PK_Ops::Verification>(new ECKCDSA_Verification_Operation(*this, params));
195  throw Provider_Not_Found(algo_name(), provider);
196  }
197 
198 std::unique_ptr<PK_Ops::Signature>
200  const std::string& params,
201  const std::string& provider) const
202  {
203  if(provider == "base" || provider.empty())
204  return std::unique_ptr<PK_Ops::Signature>(new ECKCDSA_Signature_Operation(*this, params));
205  throw Provider_Not_Found(algo_name(), provider);
206  }
207 
208 }
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: eckcdsa.cpp:20
const BigInt & private_value() const
Definition: ecc_key.cpp:99
const PointGFp & public_point() const
Definition: ecc_key.h:57
bool is_zero() const
Definition: bigint.h:420
void binary_encode(uint8_t buf[]) const
Definition: bigint.cpp:384
BigInt get_affine_x() const
Definition: point_gfp.cpp:499
BigInt get_affine_y() const
Definition: point_gfp.cpp:518
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:199
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:202
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:190
const EC_Group & domain() const
Definition: ecc_key.h:72
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:110
Definition: alg_id.cpp:13
size_t bytes() const
Definition: bigint.cpp:266
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
MechanismType hash
std::string algo_name() const override
Definition: eckcdsa.h:44