10 #include <botan/gost_3410.h> 11 #include <botan/internal/pk_ops_impl.h> 12 #include <botan/internal/point_mul.h> 13 #include <botan/reducer.h> 14 #include <botan/der_enc.h> 15 #include <botan/ber_dec.h> 24 size_t part_size = std::max(x.
bytes(), y.
bytes());
26 std::vector<uint8_t> bits(2*part_size);
32 for(
size_t i = 0; i != part_size / 2; ++i)
34 std::swap(bits[i], bits[part_size-1-i]);
35 std::swap(bits[part_size+i], bits[2*part_size-1-i]);
38 std::vector<uint8_t> output;
47 if(p_bits == 256 || p_bits == 512)
50 throw Encoding_Error(
"GOST-34.10-2012 is not defined for parameters of this size");
55 std::vector<uint8_t> params;
66 const std::vector<uint8_t>& key_bits)
76 if(p_bits != 256 && p_bits != 512)
77 throw Decoding_Error(
"GOST-34.10-2012 is not defined for parameters of size " +
83 const size_t part_size = bits.size() / 2;
86 for(
size_t i = 0; i != part_size / 2; ++i)
88 std::swap(bits[i], bits[part_size-1-i]);
89 std::swap(bits[part_size+i], bits[2*part_size-1-i]);
92 BigInt x(bits.data(), part_size);
93 BigInt y(&bits[part_size], part_size);
98 "Loaded GOST 34.10 public key is on the curve");
107 if(p_bits != 256 && p_bits != 512)
108 throw Decoding_Error(
"GOST-34.10-2012 is not defined for parameters of size " +
114 BigInt decode_le(
const uint8_t msg[],
size_t msg_len)
118 for(
size_t i = 0; i != msg_le.size() / 2; ++i)
119 std::swap(msg_le[i], msg_le[msg_le.size()-1-i]);
121 return BigInt(msg_le.data(), msg_le.size());
127 class GOST_3410_Signature_Operation
final :
public PK_Ops::Signature_with_EMSA
130 GOST_3410_Signature_Operation(
const GOST_3410_PrivateKey& gost_3410,
131 const std::string& emsa) :
132 PK_Ops::Signature_with_EMSA(emsa),
133 m_group(gost_3410.domain()),
134 m_x(gost_3410.private_value())
137 size_t signature_length()
const override {
return 2*m_group.get_order_bytes(); }
139 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
141 secure_vector<uint8_t> raw_sign(
const uint8_t msg[],
size_t msg_len,
142 RandomNumberGenerator& rng)
override;
145 const EC_Group m_group;
147 std::vector<BigInt> m_ws;
150 secure_vector<uint8_t>
151 GOST_3410_Signature_Operation::raw_sign(
const uint8_t msg[],
size_t msg_len,
152 RandomNumberGenerator& rng)
154 const BigInt k = m_group.random_scalar(rng);
156 BigInt e = decode_le(msg, msg_len);
158 e = m_group.mod_order(e);
162 const BigInt r = m_group.mod_order(
163 m_group.blinded_base_point_multiply_x(k, rng, m_ws));
165 const BigInt s = m_group.mod_order(
166 m_group.multiply_mod_order(r, m_x) +
167 m_group.multiply_mod_order(k, e));
170 throw Internal_Error(
"GOST 34.10 signature generation failed, r/s equal to zero");
178 class GOST_3410_Verification_Operation
final :
public PK_Ops::Verification_with_EMSA
182 GOST_3410_Verification_Operation(
const GOST_3410_PublicKey& gost,
183 const std::string& emsa) :
184 PK_Ops::Verification_with_EMSA(emsa),
185 m_group(gost.domain()),
186 m_gy_mul(m_group.get_base_point(), gost.public_point())
189 size_t max_input_bits()
const override {
return m_group.get_order_bits(); }
191 bool with_recovery()
const override {
return false; }
193 bool verify(
const uint8_t msg[],
size_t msg_len,
194 const uint8_t sig[],
size_t sig_len)
override;
196 const EC_Group m_group;
197 const PointGFp_Multi_Point_Precompute m_gy_mul;
200 bool GOST_3410_Verification_Operation::verify(
const uint8_t msg[],
size_t msg_len,
201 const uint8_t sig[],
size_t sig_len)
203 if(sig_len != m_group.get_order_bytes() * 2)
206 const BigInt s(sig, sig_len / 2);
207 const BigInt r(sig + sig_len / 2, sig_len / 2);
209 const BigInt& order = m_group.get_order();
211 if(r <= 0 || r >= order || s <= 0 || s >= order)
214 BigInt e = decode_le(msg, msg_len);
215 e = m_group.mod_order(e);
219 const BigInt v = m_group.inverse_mod_order(e);
221 const BigInt z1 = m_group.multiply_mod_order(s, v);
222 const BigInt z2 = m_group.multiply_mod_order(-r, v);
224 const PointGFp R = m_gy_mul.
multi_exp(z1, z2);
229 return (R.get_affine_x() == r);
234 std::unique_ptr<PK_Ops::Verification>
236 const std::string& provider)
const 238 if(provider ==
"base" || provider.empty())
239 return std::unique_ptr<PK_Ops::Verification>(
new GOST_3410_Verification_Operation(*
this, params));
243 std::unique_ptr<PK_Ops::Signature>
245 const std::string& params,
246 const std::string& provider)
const 248 if(provider ==
"base" || provider.empty())
249 return std::unique_ptr<PK_Ops::Signature>(
new GOST_3410_Signature_Operation(*
this, params));
const OID & get_curve_oid() const
PointGFp point(const BigInt &x, const BigInt &y) const
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
size_t get_p_bits() const
const PointGFp & public_point() const
int(* final)(unsigned char *, CTX *)
std::string to_string(const BER_Object &obj)
void binary_encode(uint8_t buf[]) const
BER_Decoder & decode(bool &out)
BigInt get_affine_x() const
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
BigInt get_affine_y() const
#define BOTAN_ASSERT(expr, assertion_made)
std::vector< uint8_t > public_key_bits() const override
DER_Encoder & encode(bool b)
virtual OID get_oid() const
const EC_Group & domain() const
GOST_3410_PublicKey()=default
const std::vector< uint8_t > & get_parameters() const
bool on_the_curve() const
std::string algo_name() const override
AlgorithmIdentifier algorithm_identifier() const override
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string ¶ms, const std::string &provider) const override
std::vector< T, secure_allocator< T > > secure_vector
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
GOST_3410_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)