Botan  2.1.0
Crypto and TLS for C++11
eckcdsa.cpp
Go to the documentation of this file.
1 /*
2 * ECKCDSA (ISO/IEC 14888-3:2006/Cor.2:2009)
3 * (C) 2016 RenĂ© Korthaus, Sirrix AG
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/eckcdsa.h>
9 #include <botan/internal/pk_ops_impl.h>
10 #include <botan/keypair.h>
11 #include <botan/reducer.h>
12 #include <botan/emsa.h>
13 #include <botan/hash.h>
14 
15 namespace Botan {
16 
18  bool strong) const
19  {
20  if(!public_point().on_the_curve())
21  {
22  return false;
23  }
24 
25  if(!strong)
26  {
27  return true;
28  }
29 
30  return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-256)");
31  }
32 
33 namespace {
34 
35 /**
36 * ECKCDSA signature operation
37 */
38 class ECKCDSA_Signature_Operation : public PK_Ops::Signature_with_EMSA
39  {
40  public:
41 
42  ECKCDSA_Signature_Operation(const ECKCDSA_PrivateKey& eckcdsa,
43  const std::string& emsa) :
44  PK_Ops::Signature_with_EMSA(emsa),
45  m_order(eckcdsa.domain().get_order()),
46  m_base_point(eckcdsa.domain().get_base_point(), m_order),
47  m_x(eckcdsa.private_value()),
49  m_prefix()
50  {
51  const BigInt public_point_x = eckcdsa.public_point().get_affine_x();
52  const BigInt public_point_y = eckcdsa.public_point().get_affine_y();
53 
54  m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
55  public_point_x.binary_encode(m_prefix.data());
56  public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
57  m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
58  }
59 
60  secure_vector<uint8_t> raw_sign(const uint8_t msg[], size_t msg_len,
61  RandomNumberGenerator& rng) override;
62 
63  size_t max_input_bits() const override { return m_order.bits(); }
64 
65  bool has_prefix() override { return true; }
66  secure_vector<uint8_t> message_prefix() const override { return m_prefix; }
67 
68  private:
69  const BigInt& m_order;
70  Blinded_Point_Multiply m_base_point;
71  const BigInt& m_x;
72  Modular_Reducer m_mod_order;
73  secure_vector<uint8_t> m_prefix;
74  };
75 
76 secure_vector<uint8_t>
77 ECKCDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t,
78  RandomNumberGenerator& rng)
79  {
80  const BigInt k = BigInt::random_integer(rng, 1, m_order);
81  const PointGFp k_times_P = m_base_point.blinded_multiply(k, rng);
82  const BigInt k_times_P_x = k_times_P.get_affine_x();
83 
84  secure_vector<uint8_t> to_be_hashed(k_times_P_x.bytes());
85  k_times_P_x.binary_encode(to_be_hashed.data());
86 
87  std::unique_ptr<EMSA> emsa(m_emsa->clone());
88  emsa->update(to_be_hashed.data(), to_be_hashed.size());
89  secure_vector<uint8_t> c = emsa->raw_data();
90  c = emsa->encoding_of(c, max_input_bits(), rng);
91 
92  const BigInt r(c.data(), c.size());
93 
94  xor_buf(c, msg, c.size());
95  BigInt w(c.data(), c.size());
96  w = m_mod_order.reduce(w);
97 
98  const BigInt s = m_mod_order.multiply(m_x, k - w);
99  BOTAN_ASSERT(s != 0, "invalid s");
100 
101  secure_vector<uint8_t> output = BigInt::encode_1363(r, c.size());
102  output += BigInt::encode_1363(s, m_order.bytes());
103  return output;
104  }
105 
106 /**
107 * ECKCDSA verification operation
108 */
109 class ECKCDSA_Verification_Operation : public PK_Ops::Verification_with_EMSA
110  {
111  public:
112 
113  ECKCDSA_Verification_Operation(const ECKCDSA_PublicKey& eckcdsa,
114  const std::string& emsa) :
115  PK_Ops::Verification_with_EMSA(emsa),
116  m_base_point(eckcdsa.domain().get_base_point()),
117  m_public_point(eckcdsa.public_point()),
118  m_order(eckcdsa.domain().get_order()),
120  m_prefix()
121  {
122  const BigInt public_point_x = m_public_point.get_affine_x();
123  const BigInt public_point_y = m_public_point.get_affine_y();
124 
125  m_prefix.resize(public_point_x.bytes() + public_point_y.bytes());
126  public_point_x.binary_encode(&m_prefix[0]);
127  public_point_y.binary_encode(&m_prefix[public_point_x.bytes()]);
128  m_prefix.resize(HashFunction::create(hash_for_signature())->hash_block_size()); // use only the "hash input block size" leftmost bits
129  }
130 
131  bool has_prefix() override { return true; }
132  secure_vector<uint8_t> message_prefix() const override { return m_prefix; }
133 
134  size_t max_input_bits() const override { return m_order.bits(); }
135 
136  bool with_recovery() const override { return false; }
137 
138  bool verify(const uint8_t msg[], size_t msg_len,
139  const uint8_t sig[], size_t sig_len) override;
140  private:
141  const PointGFp& m_base_point;
142  const PointGFp& m_public_point;
143  const BigInt& m_order;
144  // FIXME: should be offered by curve
145  Modular_Reducer m_mod_order;
146  secure_vector<uint8_t> m_prefix;
147  };
148 
149 bool ECKCDSA_Verification_Operation::verify(const uint8_t msg[], size_t,
150  const uint8_t sig[], size_t sig_len)
151  {
152  const std::unique_ptr<HashFunction> hash = HashFunction::create(hash_for_signature());
153  //calculate size of r
154  size_t size_r = std::min(hash -> output_length(), m_order.bytes());
155  if(sig_len != size_r+m_order.bytes())
156  {
157  return false;
158  }
159 
160  secure_vector<uint8_t> r(sig, sig + size_r);
161 
162  // check that 0 < s < q
163  const BigInt s(sig + size_r, m_order.bytes());
164 
165  if(s <= 0 || s >= m_order)
166  {
167  return false;
168  }
169 
170  secure_vector<uint8_t> r_xor_e(r);
171  xor_buf(r_xor_e, msg, r.size());
172  BigInt w(r_xor_e.data(), r_xor_e.size());
173  w = m_mod_order.reduce(w);
174 
175  const PointGFp q = multi_exponentiate(m_base_point, w, m_public_point, s);
176  const BigInt q_x = q.get_affine_x();
177  secure_vector<uint8_t> c(q_x.bytes());
178  q_x.binary_encode(c.data());
179  std::unique_ptr<EMSA> emsa(m_emsa->clone());
180  emsa->update(c.data(), c.size());
181  secure_vector<uint8_t> v = emsa->raw_data();
182  Null_RNG rng;
183  v = emsa->encoding_of(v, max_input_bits(), rng);
184 
185  return (v == r);
186  }
187 
188 }
189 
190 std::unique_ptr<PK_Ops::Verification>
192  const std::string& provider) const
193  {
194  if(provider == "base" || provider.empty())
195  return std::unique_ptr<PK_Ops::Verification>(new ECKCDSA_Verification_Operation(*this, params));
196  throw Provider_Not_Found(algo_name(), provider);
197  }
198 
199 std::unique_ptr<PK_Ops::Signature>
201  const std::string& params,
202  const std::string& provider) const
203  {
204  if(provider == "base" || provider.empty())
205  return std::unique_ptr<PK_Ops::Signature>(new ECKCDSA_Signature_Operation(*this, params));
206  throw Provider_Not_Found(algo_name(), provider);
207  }
208 
209 }
void xor_buf(T out[], const T in[], size_t length)
Definition: mem_ops.h:115
Modular_Reducer m_mod_order
Definition: eckcdsa.cpp:72
void binary_encode(uint8_t buf[]) const
Definition: bigint.cpp:270
const BigInt & m_order
Definition: eckcdsa.cpp:69
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: eckcdsa.cpp:17
BigInt get_affine_y() const
Definition: point_gfp.cpp:402
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
const PointGFp & public_point() const
Definition: ecc_key.h:58
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
BigInt get_affine_x() const
Definition: point_gfp.cpp:390
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:200
Blinded_Point_Multiply m_base_point
Definition: eckcdsa.cpp:70
std::string m_emsa
Definition: dsa.cpp:100
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: eckcdsa.cpp:191
BigInt multiply(const BigInt &x, const BigInt &y) const
Definition: reducer.h:31
const PointGFp & m_public_point
Definition: eckcdsa.cpp:142
static std::unique_ptr< HashFunction > create(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:93
PointGFp blinded_multiply(const BigInt &scalar, RandomNumberGenerator &rng)
Definition: point_gfp.cpp:335
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:48
Definition: alg_id.cpp:13
const BigInt & m_x
Definition: eckcdsa.cpp:71
BigInt reduce(const BigInt &x) const
Definition: reducer.cpp:32
secure_vector< uint8_t > m_prefix
Definition: eckcdsa.cpp:73
T min(T a, T b)
Definition: ct_utils.h:180
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
MechanismType hash
PointGFp multi_exponentiate(const PointGFp &p1, const BigInt &z1, const PointGFp &p2, const BigInt &z2)
Definition: point_gfp.cpp:248
std::string algo_name() const override
Definition: eckcdsa.h:44
size_t bytes() const
Definition: bigint.cpp:176