8#include <botan/elgamal.h>
10#include <botan/internal/blinding.h>
11#include <botan/internal/dl_scheme.h>
12#include <botan/internal/keypair.h>
13#include <botan/internal/monty_exp.h>
14#include <botan/internal/pk_ops_impl.h>
18ElGamal_PublicKey::ElGamal_PublicKey(
const DL_Group& group,
const BigInt& y) {
19 m_public_key = std::make_shared<DL_PublicKey>(group, y);
22ElGamal_PublicKey::ElGamal_PublicKey(
const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
22ElGamal_PublicKey::ElGamal_PublicKey(
const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) {
…}
27 return m_public_key->estimated_strength();
31 return m_public_key->p_bits();
39 return m_public_key->public_key_as_bytes();
43 return m_public_key->DER_encode();
47 return m_public_key->get_int_field(
algo_name(), field);
51 return std::make_unique<ElGamal_PrivateKey>(rng, m_public_key->group());
55 return m_public_key->check_key(rng, strong);
59 m_private_key = std::make_shared<DL_PrivateKey>(group, rng);
60 m_public_key = m_private_key->public_key();
64 m_private_key = std::make_shared<DL_PrivateKey>(group, x);
65 m_public_key = m_private_key->public_key();
70 m_public_key = m_private_key->public_key();
78 return m_private_key->get_int_field(
algo_name(), field);
82 return m_private_key->DER_encode();
86 return m_private_key->raw_private_key_bits();
90 if(!m_private_key->check_key(rng, strong)) {
94#if defined(BOTAN_HAS_OAEP) && defined(BOTAN_HAS_SHA_256)
95 const std::string padding =
"OAEP(SHA-256)";
97 const std::string padding =
"Raw";
110 ElGamal_Encryption_Operation(
const std::shared_ptr<const DL_PublicKey>& key, std::string_view eme) :
111 PK_Ops::Encryption_with_EME(eme), m_key(key) {
112 const size_t powm_window = 4;
113 m_monty_y_p =
monty_precompute(m_key->group().monty_params_p(), m_key->public_key(), powm_window);
116 size_t ciphertext_length(
size_t )
const override {
return 2 * m_key->group().p_bytes(); }
118 size_t max_ptext_input_bits()
const override {
return m_key->group().p_bits() - 1; }
120 std::vector<uint8_t> raw_encrypt(std::span<const uint8_t> ptext, RandomNumberGenerator& rng)
override;
123 std::shared_ptr<const DL_PublicKey> m_key;
124 std::shared_ptr<const Montgomery_Exponentation_State> m_monty_y_p;
127std::vector<uint8_t> ElGamal_Encryption_Operation::raw_encrypt(std::span<const uint8_t> ptext,
128 RandomNumberGenerator& rng) {
131 const auto& group = m_key->group();
133 if(m >= group.get_p()) {
134 throw Invalid_Argument(
"ElGamal encryption: Input is too large");
145 const size_t k_bits = group.p_bits() - 1;
146 const BigInt k(rng, k_bits,
false);
148 const BigInt a = group.power_g_p(k, k_bits);
149 const BigInt
b = group.multiply_mod_p(m,
monty_execute(*m_monty_y_p, k, k_bits).value());
151 return unlock(BigInt::encode_fixed_length_int_pair(a, b, group.p_bytes()));
157class ElGamal_Decryption_Operation
final :
public PK_Ops::Decryption_with_EME {
159 ElGamal_Decryption_Operation(
const std::shared_ptr<const DL_PrivateKey>& key,
160 std::string_view eme,
161 RandomNumberGenerator& rng) :
162 PK_Ops::Decryption_with_EME(eme),
165 m_key->group()._reducer_mod_p(),
167 [](const BigInt& k) {
return k; },
168 [
this](
const BigInt& k) {
return powermod_x_p(k); }) {}
170 size_t plaintext_length(
size_t )
const override {
return m_key->group().p_bytes(); }
172 secure_vector<uint8_t> raw_decrypt(std::span<const uint8_t> ctext)
override;
175 BigInt powermod_x_p(
const BigInt& v)
const {
return m_key->group().power_b_p(v, m_key->private_key()); }
177 std::shared_ptr<const DL_PrivateKey> m_key;
182 const auto& group = m_key->group();
184 const size_t p_bytes = group.p_bytes();
186 if(ctext.size() != 2 * p_bytes) {
187 throw Invalid_Argument(
"ElGamal decryption: Invalid message");
190 BigInt a(ctext.first(p_bytes));
191 const BigInt
b(ctext.last(p_bytes));
193 if(a >= group.get_p() || b >= group.get_p()) {
194 throw Invalid_Argument(
"ElGamal decryption: Invalid message");
197 a = m_blinder.
blind(a);
199 const BigInt r = group.multiply_mod_p(group.inverse_mod_p(powermod_x_p(a)), b);
207 std::string_view params,
208 std::string_view provider)
const {
209 if(provider ==
"base" || provider.empty()) {
210 return std::make_unique<ElGamal_Encryption_Operation>(this->m_public_key, params);
216 std::string_view params,
217 std::string_view provider)
const {
218 if(provider ==
"base" || provider.empty()) {
219 return std::make_unique<ElGamal_Decryption_Operation>(this->m_private_key, params, rng);
virtual OID object_identifier() const
T serialize(size_t len) const
BigInt blind(const BigInt &x) const
BigInt unblind(const BigInt &x) const
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
secure_vector< uint8_t > private_key_bits() const override
const BigInt & get_int_field(std::string_view field) const override
std::unique_ptr< Public_Key > public_key() const override
secure_vector< uint8_t > raw_private_key_bits() const override
bool check_key(RandomNumberGenerator &rng, bool) const override
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
const BigInt & get_int_field(std::string_view field) const override
std::vector< uint8_t > public_key_bits() const override
friend class ElGamal_PrivateKey
size_t estimated_strength() const override
bool check_key(RandomNumberGenerator &rng, bool strong) const override
AlgorithmIdentifier algorithm_identifier() const override
std::vector< uint8_t > raw_public_key_bits() const override
size_t key_length() const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
std::string algo_name() const override
int(* final)(unsigned char *, CTX *)
bool encryption_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
std::vector< T > unlock(const secure_vector< T > &in)
Montgomery_Int monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
std::vector< T, secure_allocator< T > > secure_vector
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)