Botan
1.11.15
|
00001 /* 00002 * Nyberg-Rueppel 00003 * (C) 1999-2010 Jack Lloyd 00004 * 00005 * Botan is released under the Simplified BSD License (see license.txt) 00006 */ 00007 00008 #include <botan/internal/pk_utils.h> 00009 #include <botan/nr.h> 00010 #include <botan/keypair.h> 00011 #include <botan/reducer.h> 00012 #include <future> 00013 00014 namespace Botan { 00015 00016 NR_PublicKey::NR_PublicKey(const AlgorithmIdentifier& alg_id, 00017 const secure_vector<byte>& key_bits) : 00018 DL_Scheme_PublicKey(alg_id, key_bits, DL_Group::ANSI_X9_57) 00019 { 00020 } 00021 00022 /* 00023 * NR_PublicKey Constructor 00024 */ 00025 NR_PublicKey::NR_PublicKey(const DL_Group& grp, const BigInt& y1) 00026 { 00027 group = grp; 00028 y = y1; 00029 } 00030 00031 /* 00032 * Create a NR private key 00033 */ 00034 NR_PrivateKey::NR_PrivateKey(RandomNumberGenerator& rng, 00035 const DL_Group& grp, 00036 const BigInt& x_arg) 00037 { 00038 group = grp; 00039 x = x_arg; 00040 00041 if(x == 0) 00042 x = BigInt::random_integer(rng, 2, group_q() - 1); 00043 00044 y = power_mod(group_g(), x, group_p()); 00045 00046 if(x_arg == 0) 00047 gen_check(rng); 00048 else 00049 load_check(rng); 00050 } 00051 00052 NR_PrivateKey::NR_PrivateKey(const AlgorithmIdentifier& alg_id, 00053 const secure_vector<byte>& key_bits, 00054 RandomNumberGenerator& rng) : 00055 DL_Scheme_PrivateKey(alg_id, key_bits, DL_Group::ANSI_X9_57) 00056 { 00057 y = power_mod(group_g(), x, group_p()); 00058 00059 load_check(rng); 00060 } 00061 00062 /* 00063 * Check Private Nyberg-Rueppel Parameters 00064 */ 00065 bool NR_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const 00066 { 00067 if(!DL_Scheme_PrivateKey::check_key(rng, strong) || x >= group_q()) 00068 return false; 00069 00070 if(!strong) 00071 return true; 00072 00073 return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)"); 00074 } 00075 00076 namespace { 00077 00078 /** 00079 * Nyberg-Rueppel signature operation 00080 */ 00081 class NR_Signature_Operation : public PK_Ops::Signature 00082 { 00083 public: 00084 typedef NR_PrivateKey Key_Type; 00085 NR_Signature_Operation(const NR_PrivateKey& nr, const std::string&) : 00086 q(nr.group_q()), 00087 x(nr.get_x()), 00088 powermod_g_p(nr.group_g(), nr.group_p()), 00089 mod_q(nr.group_q()) 00090 { 00091 } 00092 00093 size_t message_parts() const { return 2; } 00094 size_t message_part_size() const { return q.bytes(); } 00095 size_t max_input_bits() const { return (q.bits() - 1); } 00096 00097 secure_vector<byte> sign(const byte msg[], size_t msg_len, 00098 RandomNumberGenerator& rng); 00099 private: 00100 const BigInt& q; 00101 const BigInt& x; 00102 Fixed_Base_Power_Mod powermod_g_p; 00103 Modular_Reducer mod_q; 00104 }; 00105 00106 secure_vector<byte> 00107 NR_Signature_Operation::sign(const byte msg[], size_t msg_len, 00108 RandomNumberGenerator& rng) 00109 { 00110 rng.add_entropy(msg, msg_len); 00111 00112 BigInt f(msg, msg_len); 00113 00114 if(f >= q) 00115 throw Invalid_Argument("NR_Signature_Operation: Input is out of range"); 00116 00117 BigInt c, d; 00118 00119 while(c == 0) 00120 { 00121 BigInt k; 00122 do 00123 k.randomize(rng, q.bits()); 00124 while(k >= q); 00125 00126 c = mod_q.reduce(powermod_g_p(k) + f); 00127 d = mod_q.reduce(k - x * c); 00128 } 00129 00130 secure_vector<byte> output(2*q.bytes()); 00131 c.binary_encode(&output[output.size() / 2 - c.bytes()]); 00132 d.binary_encode(&output[output.size() - d.bytes()]); 00133 return output; 00134 } 00135 00136 00137 /** 00138 * Nyberg-Rueppel verification operation 00139 */ 00140 class NR_Verification_Operation : public PK_Ops::Verification 00141 { 00142 public: 00143 typedef NR_PublicKey Key_Type; 00144 NR_Verification_Operation(const NR_PublicKey& nr, const std::string&) : 00145 q(nr.group_q()), y(nr.get_y()) 00146 { 00147 powermod_g_p = Fixed_Base_Power_Mod(nr.group_g(), nr.group_p()); 00148 powermod_y_p = Fixed_Base_Power_Mod(y, nr.group_p()); 00149 mod_p = Modular_Reducer(nr.group_p()); 00150 mod_q = Modular_Reducer(nr.group_q()); 00151 } 00152 00153 size_t message_parts() const { return 2; } 00154 size_t message_part_size() const { return q.bytes(); } 00155 size_t max_input_bits() const { return (q.bits() - 1); } 00156 00157 bool with_recovery() const { return true; } 00158 00159 secure_vector<byte> verify_mr(const byte msg[], size_t msg_len); 00160 private: 00161 const BigInt& q; 00162 const BigInt& y; 00163 00164 Fixed_Base_Power_Mod powermod_g_p, powermod_y_p; 00165 Modular_Reducer mod_p, mod_q; 00166 }; 00167 00168 secure_vector<byte> 00169 NR_Verification_Operation::verify_mr(const byte msg[], size_t msg_len) 00170 { 00171 const BigInt& q = mod_q.get_modulus(); 00172 00173 if(msg_len != 2*q.bytes()) 00174 throw Invalid_Argument("NR verification: Invalid signature"); 00175 00176 BigInt c(msg, q.bytes()); 00177 BigInt d(msg + q.bytes(), q.bytes()); 00178 00179 if(c.is_zero() || c >= q || d >= q) 00180 throw Invalid_Argument("NR verification: Invalid signature"); 00181 00182 auto future_y_c = std::async(std::launch::async, powermod_y_p, c); 00183 BigInt g_d = powermod_g_p(d); 00184 00185 BigInt i = mod_p.multiply(g_d, future_y_c.get()); 00186 return BigInt::encode_locked(mod_q.reduce(c - i)); 00187 } 00188 } 00189 00190 BOTAN_REGISTER_PK_SIGNATURE_OP("NR", NR_Signature_Operation); 00191 BOTAN_REGISTER_PK_VERIFY_OP("NR", NR_Verification_Operation); 00192 00193 }