Botan  1.11.15
src/lib/pubkey/nr/nr.cpp
Go to the documentation of this file.
00001 /*
00002 * Nyberg-Rueppel
00003 * (C) 1999-2010 Jack Lloyd
00004 *
00005 * Botan is released under the Simplified BSD License (see license.txt)
00006 */
00007 
00008 #include <botan/internal/pk_utils.h>
00009 #include <botan/nr.h>
00010 #include <botan/keypair.h>
00011 #include <botan/reducer.h>
00012 #include <future>
00013 
00014 namespace Botan {
00015 
00016 NR_PublicKey::NR_PublicKey(const AlgorithmIdentifier& alg_id,
00017                            const secure_vector<byte>& key_bits) :
00018    DL_Scheme_PublicKey(alg_id, key_bits, DL_Group::ANSI_X9_57)
00019    {
00020    }
00021 
00022 /*
00023 * NR_PublicKey Constructor
00024 */
00025 NR_PublicKey::NR_PublicKey(const DL_Group& grp, const BigInt& y1)
00026    {
00027    group = grp;
00028    y = y1;
00029    }
00030 
00031 /*
00032 * Create a NR private key
00033 */
00034 NR_PrivateKey::NR_PrivateKey(RandomNumberGenerator& rng,
00035                              const DL_Group& grp,
00036                              const BigInt& x_arg)
00037    {
00038    group = grp;
00039    x = x_arg;
00040 
00041    if(x == 0)
00042       x = BigInt::random_integer(rng, 2, group_q() - 1);
00043 
00044    y = power_mod(group_g(), x, group_p());
00045 
00046    if(x_arg == 0)
00047       gen_check(rng);
00048    else
00049       load_check(rng);
00050    }
00051 
00052 NR_PrivateKey::NR_PrivateKey(const AlgorithmIdentifier& alg_id,
00053                              const secure_vector<byte>& key_bits,
00054                              RandomNumberGenerator& rng) :
00055    DL_Scheme_PrivateKey(alg_id, key_bits, DL_Group::ANSI_X9_57)
00056    {
00057    y = power_mod(group_g(), x, group_p());
00058 
00059    load_check(rng);
00060    }
00061 
00062 /*
00063 * Check Private Nyberg-Rueppel Parameters
00064 */
00065 bool NR_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const
00066    {
00067    if(!DL_Scheme_PrivateKey::check_key(rng, strong) || x >= group_q())
00068       return false;
00069 
00070    if(!strong)
00071       return true;
00072 
00073    return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)");
00074    }
00075 
00076 namespace {
00077 
00078 /**
00079 * Nyberg-Rueppel signature operation
00080 */
00081 class NR_Signature_Operation : public PK_Ops::Signature
00082    {
00083    public:
00084       typedef NR_PrivateKey Key_Type;
00085       NR_Signature_Operation(const NR_PrivateKey& nr, const std::string&) :
00086          q(nr.group_q()),
00087          x(nr.get_x()),
00088          powermod_g_p(nr.group_g(), nr.group_p()),
00089          mod_q(nr.group_q())
00090          {
00091          }
00092 
00093       size_t message_parts() const { return 2; }
00094       size_t message_part_size() const { return q.bytes(); }
00095       size_t max_input_bits() const { return (q.bits() - 1); }
00096 
00097       secure_vector<byte> sign(const byte msg[], size_t msg_len,
00098                               RandomNumberGenerator& rng);
00099    private:
00100       const BigInt& q;
00101       const BigInt& x;
00102       Fixed_Base_Power_Mod powermod_g_p;
00103       Modular_Reducer mod_q;
00104    };
00105 
00106 secure_vector<byte>
00107 NR_Signature_Operation::sign(const byte msg[], size_t msg_len,
00108                              RandomNumberGenerator& rng)
00109    {
00110    rng.add_entropy(msg, msg_len);
00111 
00112    BigInt f(msg, msg_len);
00113 
00114    if(f >= q)
00115       throw Invalid_Argument("NR_Signature_Operation: Input is out of range");
00116 
00117    BigInt c, d;
00118 
00119    while(c == 0)
00120       {
00121       BigInt k;
00122       do
00123          k.randomize(rng, q.bits());
00124       while(k >= q);
00125 
00126       c = mod_q.reduce(powermod_g_p(k) + f);
00127       d = mod_q.reduce(k - x * c);
00128       }
00129 
00130    secure_vector<byte> output(2*q.bytes());
00131    c.binary_encode(&output[output.size() / 2 - c.bytes()]);
00132    d.binary_encode(&output[output.size() - d.bytes()]);
00133    return output;
00134    }
00135 
00136 
00137 /**
00138 * Nyberg-Rueppel verification operation
00139 */
00140 class NR_Verification_Operation : public PK_Ops::Verification
00141    {
00142    public:
00143       typedef NR_PublicKey Key_Type;
00144       NR_Verification_Operation(const NR_PublicKey& nr, const std::string&) :
00145          q(nr.group_q()), y(nr.get_y())
00146          {
00147          powermod_g_p = Fixed_Base_Power_Mod(nr.group_g(), nr.group_p());
00148          powermod_y_p = Fixed_Base_Power_Mod(y, nr.group_p());
00149          mod_p = Modular_Reducer(nr.group_p());
00150          mod_q = Modular_Reducer(nr.group_q());
00151          }
00152 
00153       size_t message_parts() const { return 2; }
00154       size_t message_part_size() const { return q.bytes(); }
00155       size_t max_input_bits() const { return (q.bits() - 1); }
00156 
00157       bool with_recovery() const { return true; }
00158 
00159       secure_vector<byte> verify_mr(const byte msg[], size_t msg_len);
00160    private:
00161       const BigInt& q;
00162       const BigInt& y;
00163 
00164       Fixed_Base_Power_Mod powermod_g_p, powermod_y_p;
00165       Modular_Reducer mod_p, mod_q;
00166    };
00167 
00168 secure_vector<byte>
00169 NR_Verification_Operation::verify_mr(const byte msg[], size_t msg_len)
00170    {
00171    const BigInt& q = mod_q.get_modulus();
00172 
00173    if(msg_len != 2*q.bytes())
00174       throw Invalid_Argument("NR verification: Invalid signature");
00175 
00176    BigInt c(msg, q.bytes());
00177    BigInt d(msg + q.bytes(), q.bytes());
00178 
00179    if(c.is_zero() || c >= q || d >= q)
00180       throw Invalid_Argument("NR verification: Invalid signature");
00181 
00182    auto future_y_c = std::async(std::launch::async, powermod_y_p, c);
00183    BigInt g_d = powermod_g_p(d);
00184 
00185    BigInt i = mod_p.multiply(g_d, future_y_c.get());
00186    return BigInt::encode_locked(mod_q.reduce(c - i));
00187    }
00188 }
00189 
00190 BOTAN_REGISTER_PK_SIGNATURE_OP("NR", NR_Signature_Operation);
00191 BOTAN_REGISTER_PK_VERIFY_OP("NR", NR_Verification_Operation);
00192 
00193 }