doxygen/eckcdsa_8cpp_source.html

 /*
 * ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
 * (C) 2016 René Korthaus, Sirrix AG
 * (C) 2018 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */

 #include <botan/eckcdsa.h>
 #include <botan/internal/pk_ops_impl.h>
 #include <botan/internal/point_mul.h>
 #include <botan/keypair.h>
 #include <botan/reducer.h>
 #include <botan/emsa.h>
 #include <botan/hash.h>
 #include <botan/rng.h>

 namespace Botan {

 bool ECKCDSA_PrivateKey::check_key(RandomNumberGenerator& rng,
                                  bool strong) const
    {
    if(!public_point().on_the_curve())
       {
       return false;
       }

    if(!strong)
       {
       return true;
       }

    return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
    }

 namespace {

 /**
 * ECKCDSA signature operation
 */
 class ECKCDSA_Signature_Operation final : public PK_Ops::Signature_with_EMSA
    {
    public:

       ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa,
                                 const std::string& emsa) :
          PK_Ops::Signature_with_EMSA(emsa),
          m_group(eckcdsa.domain()),
          m_x(eckcdsa.private_value()),
          m_prefix()
          {
          const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
          const BigInt public_point_y = eckcdsa.public_point().get_affine_y();

          m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
          public_point_x.binary_encode(m_prefix.data());
          public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
          m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
          }

       secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
                                       RandomNumberGenerator& rng) override;

       size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
       size_t max_input_bits() const override { return m_group.get_order_bits(); }

       bool has_prefix() override { return true; }
       secure_vector<uint8_t> message_prefix() const override { return m_prefix; }

    private:
       const EC_Group m_group;
       const BigInt& m_x;
       secure_vector<uint8_t> m_prefix;
       std::vector<BigInt> m_ws;
    };

 secure_vector<uint8_t>
 ECKCDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t,
                                      RandomNumberGenerator& rng)
    {
    const BigInt k = m_group.random_scalar(rng);
    const BigInt k_times_P_x = m_group.blinded_base_point_multiply_x(k, rng, m_ws);

    secure_vector<uint8_t> to_be_hashed(k_times_P_x.bytes());
    k_times_P_x.binary_encode(to_be_hashed.data());

    std::unique_ptr<EMSA> emsa = this->clone_emsa();
    emsa->update(to_be_hashed.data(), to_be_hashed.size());
    secure_vector<uint8_t> c = emsa->raw_data();
    c = emsa->encoding_of(c, max_input_bits(), rng);

    const BigInt r(c.data(), c.size());

    xor_buf(c, msg, c.size());
    BigInt w(c.data(), c.size());
    w = m_group.mod_order(w);

    const BigInt s = m_group.multiply_mod_order(m_x, k - w);
    if(s.is_zero())
       throw Internal_Error("During ECKCDSA signature generation created zero s");

    secure_vector<uint8_t> output = BigInt::encode_1363(r, c.size());
    output += BigInt::encode_1363(s, m_group.get_order_bytes());
    return output;
    }

 /**
 * ECKCDSA verification operation
 */
 class ECKCDSA_Verification_Operation final : public PK_Ops::Verification_with_EMSA
    {
    public:

       ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa,
                                    const std::string& emsa) :
          PK_Ops::Verification_with_EMSA(emsa),
          m_group(eckcdsa.domain()),
          m_gy_mul(m_group.get_base_point(), eckcdsa.public_point()),
          m_prefix()
          {
          const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
          const BigInt public_point_y = eckcdsa.public_point().get_affine_y();

          m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
          public_point_x.binary_encode(&m_prefix[0]);
          public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
          m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
          }

       bool has_prefix() override { return true; }
       secure_vector<uint8_t> message_prefix() const override { return m_prefix; }

       size_t max_input_bits() const override { return m_group.get_order_bits(); }

       bool with_recovery() const override { return false; }

       bool verify(const uint8_t msg[], size_t msg_len,
                   const uint8_t sig[], size_t sig_len) override;
    private:
       const EC_Group m_group;
       const PointGFp_Multi_Point_Precompute m_gy_mul;
       secure_vector<uint8_t> m_prefix;
    };

 bool ECKCDSA_Verification_Operation::verify(const uint8_t msg[], size_t,
                                            const uint8_t sig[], size_t sig_len)
    {
    const std::unique_ptr<HashFunction> hash = HashFunction::create(hash_for_signature());
    //calculate size of r

    const size_t order_bytes = m_group.get_order_bytes();

    const size_t size_r = std::min(hash -> output_length(), order_bytes);
    if(sig_len != size_r + order_bytes)
       {
       return false;
       }

    secure_vector<uint8_t> r(sig, sig + size_r);

    // check that 0 < s < q
    const BigInt s(sig + size_r, order_bytes);

    if(s <= 0 || s >= m_group.get_order())
       {
       return false;
       }

    secure_vector<uint8_t> r_xor_e(r);
    xor_buf(r_xor_e, msg, r.size());
    BigInt w(r_xor_e.data(), r_xor_e.size());
    w = m_group.mod_order(w);

    const PointGFp q = m_gy_mul.multi_exp(w, s);
    const BigInt q_x = q.get_affine_x();
    secure_vector<uint8_t> c(q_x.bytes());
    q_x.binary_encode(c.data());
    std::unique_ptr<EMSA> emsa = this->clone_emsa();
    emsa->update(c.data(), c.size());
    secure_vector<uint8_t> v = emsa->raw_data();
    Null_RNG rng;
    v = emsa->encoding_of(v, max_input_bits(), rng);

    return (v == r);
    }

 }

 std::unique_ptr<PK_Ops::Verification>
 ECKCDSA_PublicKey::create_verification_op(const std::string& params,
                                          const std::string& provider) const
    {
    if(provider == "base" || provider.empty())
       return std::unique_ptr<PK_Ops::Verification>(new ECKCDSA_Verification_Operation(*this, params));
    throw Provider_Not_Found(algo_name(), provider);
    }

 std::unique_ptr<PK_Ops::Signature>
 ECKCDSA_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
                                         const std::string& params,
                                         const std::string& provider) const
    {
    if(provider == "base" || provider.empty())
       return std::unique_ptr<PK_Ops::Signature>(new ECKCDSA_Signature_Operation(*this, params));
    throw Provider_Not_Found(algo_name(), provider);
    }

 }
Botan::ECKCDSA_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: eckcdsa.cpp:20

Botan::PointGFp_Multi_Point_Precompute::multi_exp
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:381

Botan::BigInt
Definition: bigint.h:24

Botan::RandomNumberGenerator
Definition: rng.h:24

Botan::EC_PublicKey::public_point
const PointGFp & public_point() const
Definition: ecc_key.h:57

final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:29

Botan::BigInt::binary_encode
void binary_encode(uint8_t buf[]) const
Definition: bigint.cpp:400

Botan::PointGFp::get_affine_x
BigInt get_affine_x() const
Definition: point_gfp.cpp:499

Botan::PointGFp::get_affine_y
BigInt get_affine_y() const
Definition: point_gfp.cpp:518

Botan::ECKCDSA_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:199

Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49

Botan::xor_buf
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:233

Botan::ECKCDSA_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:190

Botan::HashFunction::create
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:106

Botan::PK_Ops::Signature_with_EMSA
Definition: pk_ops_impl.h:127

Botan
Definition: alg_id.cpp:13

Botan::BigInt::bytes
size_t bytes() const
Definition: bigint.cpp:282

Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111

Botan::OCSP::Response_Status_Code::Internal_Error

Botan::Provider_Not_Found
Definition: exceptn.h:278

hash
MechanismType hash
Definition: p11_mechanism.cpp:64

Botan::ECKCDSA_PrivateKey
Definition: eckcdsa.h:61

Botan::ECKCDSA_PublicKey::algo_name
std::string algo_name() const override
Definition: eckcdsa.h:44