You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
275 lines
8.2 KiB
275 lines
8.2 KiB
// dsa.cpp - written and placed in the public domain by Wei Dai |
|
|
|
#include "pch.h" |
|
|
|
#ifndef CRYPTOPP_IMPORTS |
|
|
|
#include "gfpcrypt.h" |
|
#include "asn.h" |
|
#include "oids.h" |
|
#include "nbtheory.h" |
|
|
|
NAMESPACE_BEGIN(CryptoPP) |
|
|
|
void TestInstantiations_gfpcrypt() |
|
{ |
|
GDSA<SHA>::Signer test; |
|
GDSA<SHA>::Verifier test1; |
|
DSA::Signer test5(NullRNG(), 100); |
|
DSA::Signer test2(test5); |
|
NR<SHA>::Signer test3; |
|
NR<SHA>::Verifier test4; |
|
DLIES<>::Encryptor test6; |
|
DLIES<>::Decryptor test7; |
|
} |
|
|
|
void DL_GroupParameters_DSA::GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg) |
|
{ |
|
Integer p, q, g; |
|
|
|
if (alg.GetValue("Modulus", p) && alg.GetValue("SubgroupGenerator", g)) |
|
{ |
|
q = alg.GetValueWithDefault("SubgroupOrder", ComputeGroupOrder(p)/2); |
|
} |
|
else |
|
{ |
|
int modulusSize = 1024; |
|
alg.GetIntValue("ModulusSize", modulusSize) || alg.GetIntValue("KeySize", modulusSize); |
|
|
|
if (!DSA::IsValidPrimeLength(modulusSize)) |
|
throw InvalidArgument("DSA: not a valid prime length"); |
|
|
|
SecByteBlock seed(SHA::DIGESTSIZE); |
|
Integer h; |
|
int c; |
|
|
|
do |
|
{ |
|
rng.GenerateBlock(seed, SHA::DIGESTSIZE); |
|
} while (!DSA::GeneratePrimes(seed, SHA::DIGESTSIZE*8, c, p, modulusSize, q)); |
|
|
|
do |
|
{ |
|
h.Randomize(rng, 2, p-2); |
|
g = a_exp_b_mod_c(h, (p-1)/q, p); |
|
} while (g <= 1); |
|
} |
|
|
|
Initialize(p, q, g); |
|
} |
|
|
|
bool DL_GroupParameters_DSA::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const |
|
{ |
|
bool pass = DL_GroupParameters_GFP::ValidateGroup(rng, level); |
|
pass = pass && DSA::IsValidPrimeLength(GetModulus().BitCount()); |
|
pass = pass && GetSubgroupOrder().BitCount() == 160; |
|
return pass; |
|
} |
|
|
|
void DL_SignatureMessageEncodingMethod_DSA::ComputeMessageRepresentative(RandomNumberGenerator &rng, |
|
const byte *recoverableMessage, size_t recoverableMessageLength, |
|
HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty, |
|
byte *representative, size_t representativeBitLength) const |
|
{ |
|
assert(recoverableMessageLength == 0); |
|
assert(hashIdentifier.second == 0); |
|
const size_t representativeByteLength = BitsToBytes(representativeBitLength); |
|
const size_t digestSize = hash.DigestSize(); |
|
const size_t paddingLength = SaturatingSubtract(representativeByteLength, digestSize); |
|
|
|
memset(representative, 0, paddingLength); |
|
hash.TruncatedFinal(representative+paddingLength, STDMIN(representativeByteLength, digestSize)); |
|
|
|
if (digestSize*8 > representativeBitLength) |
|
{ |
|
Integer h(representative, representativeByteLength); |
|
h >>= representativeByteLength*8 - representativeBitLength; |
|
h.Encode(representative, representativeByteLength); |
|
} |
|
} |
|
|
|
void DL_SignatureMessageEncodingMethod_NR::ComputeMessageRepresentative(RandomNumberGenerator &rng, |
|
const byte *recoverableMessage, size_t recoverableMessageLength, |
|
HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty, |
|
byte *representative, size_t representativeBitLength) const |
|
{ |
|
assert(recoverableMessageLength == 0); |
|
assert(hashIdentifier.second == 0); |
|
const size_t representativeByteLength = BitsToBytes(representativeBitLength); |
|
const size_t digestSize = hash.DigestSize(); |
|
const size_t paddingLength = SaturatingSubtract(representativeByteLength, digestSize); |
|
|
|
memset(representative, 0, paddingLength); |
|
hash.TruncatedFinal(representative+paddingLength, STDMIN(representativeByteLength, digestSize)); |
|
|
|
if (digestSize*8 >= representativeBitLength) |
|
{ |
|
Integer h(representative, representativeByteLength); |
|
h >>= representativeByteLength*8 - representativeBitLength + 1; |
|
h.Encode(representative, representativeByteLength); |
|
} |
|
} |
|
|
|
bool DL_GroupParameters_IntegerBased::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const |
|
{ |
|
const Integer &p = GetModulus(), &q = GetSubgroupOrder(); |
|
|
|
bool pass = true; |
|
pass = pass && p > Integer::One() && p.IsOdd(); |
|
pass = pass && q > Integer::One() && q.IsOdd(); |
|
|
|
if (level >= 1) |
|
pass = pass && GetCofactor() > Integer::One() && GetGroupOrder() % q == Integer::Zero(); |
|
if (level >= 2) |
|
pass = pass && VerifyPrime(rng, q, level-2) && VerifyPrime(rng, p, level-2); |
|
|
|
return pass; |
|
} |
|
|
|
bool DL_GroupParameters_IntegerBased::ValidateElement(unsigned int level, const Integer &g, const DL_FixedBasePrecomputation<Integer> *gpc) const |
|
{ |
|
const Integer &p = GetModulus(), &q = GetSubgroupOrder(); |
|
|
|
bool pass = true; |
|
pass = pass && GetFieldType() == 1 ? g.IsPositive() : g.NotNegative(); |
|
pass = pass && g < p && !IsIdentity(g); |
|
|
|
if (level >= 1) |
|
{ |
|
if (gpc) |
|
pass = pass && gpc->Exponentiate(GetGroupPrecomputation(), Integer::One()) == g; |
|
} |
|
if (level >= 2) |
|
{ |
|
if (GetFieldType() == 2) |
|
pass = pass && Jacobi(g*g-4, p)==-1; |
|
|
|
// verifying that Lucas((p+1)/2, w, p)==2 is omitted because it's too costly |
|
// and at most 1 bit is leaked if it's false |
|
bool fullValidate = (GetFieldType() == 2 && level >= 3) || !FastSubgroupCheckAvailable(); |
|
|
|
if (fullValidate && pass) |
|
{ |
|
Integer gp = gpc ? gpc->Exponentiate(GetGroupPrecomputation(), q) : ExponentiateElement(g, q); |
|
pass = pass && IsIdentity(gp); |
|
} |
|
else if (GetFieldType() == 1) |
|
pass = pass && Jacobi(g, p) == 1; |
|
} |
|
|
|
return pass; |
|
} |
|
|
|
void DL_GroupParameters_IntegerBased::GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg) |
|
{ |
|
Integer p, q, g; |
|
|
|
if (alg.GetValue("Modulus", p) && alg.GetValue("SubgroupGenerator", g)) |
|
{ |
|
q = alg.GetValueWithDefault("SubgroupOrder", ComputeGroupOrder(p)/2); |
|
} |
|
else |
|
{ |
|
int modulusSize, subgroupOrderSize; |
|
|
|
if (!alg.GetIntValue("ModulusSize", modulusSize)) |
|
modulusSize = alg.GetIntValueWithDefault("KeySize", 2048); |
|
|
|
if (!alg.GetIntValue("SubgroupOrderSize", subgroupOrderSize)) |
|
subgroupOrderSize = GetDefaultSubgroupOrderSize(modulusSize); |
|
|
|
PrimeAndGenerator pg; |
|
pg.Generate(GetFieldType() == 1 ? 1 : -1, rng, modulusSize, subgroupOrderSize); |
|
p = pg.Prime(); |
|
q = pg.SubPrime(); |
|
g = pg.Generator(); |
|
} |
|
|
|
Initialize(p, q, g); |
|
} |
|
|
|
Integer DL_GroupParameters_IntegerBased::DecodeElement(const byte *encoded, bool checkForGroupMembership) const |
|
{ |
|
Integer g(encoded, GetModulus().ByteCount()); |
|
if (!ValidateElement(1, g, NULL)) |
|
throw DL_BadElement(); |
|
return g; |
|
} |
|
|
|
void DL_GroupParameters_IntegerBased::BERDecode(BufferedTransformation &bt) |
|
{ |
|
BERSequenceDecoder parameters(bt); |
|
Integer p(parameters); |
|
Integer q(parameters); |
|
Integer g; |
|
if (parameters.EndReached()) |
|
{ |
|
g = q; |
|
q = ComputeGroupOrder(p) / 2; |
|
} |
|
else |
|
g.BERDecode(parameters); |
|
parameters.MessageEnd(); |
|
|
|
SetModulusAndSubgroupGenerator(p, g); |
|
SetSubgroupOrder(q); |
|
} |
|
|
|
void DL_GroupParameters_IntegerBased::DEREncode(BufferedTransformation &bt) const |
|
{ |
|
DERSequenceEncoder parameters(bt); |
|
GetModulus().DEREncode(parameters); |
|
m_q.DEREncode(parameters); |
|
GetSubgroupGenerator().DEREncode(parameters); |
|
parameters.MessageEnd(); |
|
} |
|
|
|
bool DL_GroupParameters_IntegerBased::GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const |
|
{ |
|
return GetValueHelper<DL_GroupParameters<Element> >(this, name, valueType, pValue) |
|
CRYPTOPP_GET_FUNCTION_ENTRY(Modulus); |
|
} |
|
|
|
void DL_GroupParameters_IntegerBased::AssignFrom(const NameValuePairs &source) |
|
{ |
|
AssignFromHelper(this, source) |
|
CRYPTOPP_SET_FUNCTION_ENTRY2(Modulus, SubgroupGenerator) |
|
CRYPTOPP_SET_FUNCTION_ENTRY(SubgroupOrder) |
|
; |
|
} |
|
|
|
OID DL_GroupParameters_IntegerBased::GetAlgorithmID() const |
|
{ |
|
return ASN1::id_dsa(); |
|
} |
|
|
|
void DL_GroupParameters_GFP::SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const |
|
{ |
|
ModularArithmetic ma(GetModulus()); |
|
ma.SimultaneousExponentiate(results, base, exponents, exponentsCount); |
|
} |
|
|
|
DL_GroupParameters_GFP::Element DL_GroupParameters_GFP::MultiplyElements(const Element &a, const Element &b) const |
|
{ |
|
return a_times_b_mod_c(a, b, GetModulus()); |
|
} |
|
|
|
DL_GroupParameters_GFP::Element DL_GroupParameters_GFP::CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const |
|
{ |
|
ModularArithmetic ma(GetModulus()); |
|
return ma.CascadeExponentiate(element1, exponent1, element2, exponent2); |
|
} |
|
|
|
Integer DL_GroupParameters_IntegerBased::GetMaxExponent() const |
|
{ |
|
return STDMIN(GetSubgroupOrder()-1, Integer::Power2(2*DiscreteLogWorkFactor(GetFieldType()*GetModulus().BitCount()))); |
|
} |
|
|
|
unsigned int DL_GroupParameters_IntegerBased::GetDefaultSubgroupOrderSize(unsigned int modulusSize) const |
|
{ |
|
return 2*DiscreteLogWorkFactor(GetFieldType()*modulusSize); |
|
} |
|
|
|
NAMESPACE_END |
|
|
|
#endif
|
|
|