Botan 3.6.1
Crypto and TLS for C&
rfc6979.cpp
Go to the documentation of this file.
1/*
2* RFC 6979 Deterministic Nonce Generator
3* (C) 2014,2015,2024 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/rfc6979.h>
9
10#include <botan/hmac_drbg.h>
11#include <botan/mac.h>
12#include <botan/internal/fmt.h>
13
14namespace Botan {
15
16RFC6979_Nonce_Generator::~RFC6979_Nonce_Generator() = default;
17
18RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(std::string_view hash, size_t order_bits, const BigInt& x) :
19 m_qlen(order_bits), m_rlen((m_qlen + 7) / 8), m_rng_in(m_rlen * 2), m_rng_out(m_rlen) {
20 m_hmac_drbg = std::make_unique<HMAC_DRBG>(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash)));
21
22 x.serialize_to(std::span{m_rng_in}.first(m_rlen));
23}
24
25BigInt RFC6979_Nonce_Generator::nonce_for(const BigInt& order, const BigInt& m) {
26 BOTAN_DEBUG_ASSERT(order.bits() == m_qlen);
27
28 m.serialize_to(std::span{m_rng_in}.last(m_rlen));
29
30 m_hmac_drbg->initialize_with(m_rng_in);
31
32 const size_t shift = 8 * m_rlen - m_qlen;
33 BOTAN_ASSERT_NOMSG(shift < 8);
34
35 BigInt k;
36
37 do {
38 m_hmac_drbg->randomize(m_rng_out);
39 k._assign_from_bytes(m_rng_out);
40
41 if(shift > 0) {
42 k >>= shift;
43 }
44 } while(k == 0 || k >= order);
45
46 return k;
47}
48
49#if defined(BOTAN_HAS_ECC_GROUP)
50RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(std::string_view hash, size_t order_bits, const EC_Scalar& scalar) :
51 m_qlen(order_bits), m_rlen((m_qlen + 7) / 8), m_rng_in(m_rlen * 2), m_rng_out(m_rlen) {
52 m_hmac_drbg = std::make_unique<HMAC_DRBG>(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash)));
53
54 scalar.serialize_to(std::span{m_rng_in}.first(m_rlen));
55}
56
57EC_Scalar RFC6979_Nonce_Generator::nonce_for(const EC_Group& group, const EC_Scalar& m) {
58 m.serialize_to(std::span{m_rng_in}.last(m_rlen));
59
60 m_hmac_drbg->initialize_with(m_rng_in);
61
62 const size_t shift = 8 * m_rlen - m_qlen;
63 BOTAN_ASSERT_NOMSG(shift < 8);
64
65 for(;;) {
66 m_hmac_drbg->randomize(m_rng_out);
67
68 if(shift > 0) {
69 uint8_t carry = 0;
70 for(uint8_t& b : m_rng_out) {
71 const uint8_t w = b;
72 b = (w >> shift) | carry;
73 carry = w << (8 - shift);
74 }
75 }
76
77 if(auto k = EC_Scalar::deserialize(group, m_rng_out)) {
78 return *k;
79 }
80 }
81}
82#endif
83
84} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
Botan::BigInt::serialize_to
void serialize_to(std::span< uint8_t > out) const
Definition bigint.cpp:383
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:295
Botan::BigInt::_assign_from_bytes
void _assign_from_bytes(std::span< const uint8_t > bytes)
Definition bigint.h:947
Botan::EC_Scalar
Definition ec_scalar.h:28
Botan::EC_Scalar::deserialize
static std::optional< EC_Scalar > deserialize(const EC_Group &group, std::span< const uint8_t > bytes)
Definition ec_scalar.cpp:114
Botan::EC_Scalar::serialize_to
void serialize_to(std::span< uint8_t > bytes) const
Definition ec_scalar.cpp:84
Botan::MessageAuthenticationCode::create_or_throw
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
Botan::RFC6979_Nonce_Generator::RFC6979_Nonce_Generator
RFC6979_Nonce_Generator(std::string_view hash, size_t order_bits, const BigInt &x)
Definition rfc6979.cpp:18
Botan::RFC6979_Nonce_Generator::~RFC6979_Nonce_Generator
~RFC6979_Nonce_Generator()
Botan::RFC6979_Nonce_Generator::nonce_for
BigInt nonce_for(const BigInt &group_order, const BigInt &m)
Definition rfc6979.cpp:25
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:28
Botan::b
const SIMD_8x32 & b
Definition simd_avx2_gfni.h:63
Generated by doxygen 1.12.0