Botan 3.8.1
Crypto and TLS for C&
rfc6979.cpp
Go to the documentation of this file.
1/*
2* RFC 6979 Deterministic Nonce Generator
3* (C) 2014,2015,2024 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/rfc6979.h>
9
10#include <botan/assert.h>
11#include <botan/hmac_drbg.h>
12#include <botan/mac.h>
13#include <botan/internal/fmt.h>
14
15namespace Botan {
16
18
19RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(std::string_view hash, size_t order_bits, const BigInt& x) :
20 m_qlen(order_bits), m_rlen((m_qlen + 7) / 8), m_rng_in(m_rlen * 2), m_rng_out(m_rlen) {
21 m_hmac_drbg = std::make_unique<HMAC_DRBG>(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash)));
22
23 x.serialize_to(std::span{m_rng_in}.first(m_rlen));
24}
25
27 BOTAN_DEBUG_ASSERT(order.bits() == m_qlen);
28
29 m.serialize_to(std::span{m_rng_in}.last(m_rlen));
30
31 m_hmac_drbg->initialize_with(m_rng_in);
32
33 const size_t shift = 8 * m_rlen - m_qlen;
34 BOTAN_ASSERT_NOMSG(shift < 8);
35
36 BigInt k;
37
38 do {
39 m_hmac_drbg->randomize(m_rng_out);
40 k._assign_from_bytes(m_rng_out);
41
42 if(shift > 0) {
43 k >>= shift;
44 }
45 } while(k == 0 || k >= order);
46
47 return k;
48}
49
50#if defined(BOTAN_HAS_ECC_GROUP)
51RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(std::string_view hash, size_t order_bits, const EC_Scalar& scalar) :
52 m_qlen(order_bits), m_rlen((m_qlen + 7) / 8), m_rng_in(m_rlen * 2), m_rng_out(m_rlen) {
53 m_hmac_drbg = std::make_unique<HMAC_DRBG>(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash)));
54
55 scalar.serialize_to(std::span{m_rng_in}.first(m_rlen));
56}
57
59 m.serialize_to(std::span{m_rng_in}.last(m_rlen));
60
61 m_hmac_drbg->initialize_with(m_rng_in);
62
63 const size_t shift = 8 * m_rlen - m_qlen;
64 BOTAN_ASSERT_NOMSG(shift < 8);
65
66 for(;;) {
67 m_hmac_drbg->randomize(m_rng_out);
68
69 if(shift > 0) {
70 uint8_t carry = 0;
71 for(uint8_t& b : m_rng_out) {
72 const uint8_t w = b;
73 b = (w >> shift) | carry;
74 carry = w << (8 - shift);
75 }
76 }
77
78 if(auto k = EC_Scalar::deserialize(group, m_rng_out)) {
79 return *k;
80 }
81 }
82}
83#endif
84
85} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:61
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:100
void serialize_to(std::span< uint8_t > out) const
Definition bigint.cpp:398
size_t bits() const
Definition bigint.cpp:310
void _assign_from_bytes(std::span< const uint8_t > bytes)
Definition bigint.h:947
static std::optional< EC_Scalar > deserialize(const EC_Group &group, std::span< const uint8_t > bytes)
void serialize_to(std::span< uint8_t > bytes) const
Definition ec_scalar.cpp:84
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
RFC6979_Nonce_Generator(std::string_view hash, size_t order_bits, const BigInt &x)
Definition rfc6979.cpp:19
BigInt nonce_for(const BigInt &group_order, const BigInt &m)
Definition rfc6979.cpp:26
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
void carry(int64_t &h0, int64_t &h1)