You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
268 lines
12 KiB
268 lines
12 KiB
// mqv.h - originally written and placed in the public domain by Wei Dai |
|
|
|
/// \file mqv.h |
|
/// \brief Classes for Menezes–Qu–Vanstone (MQV) key agreement |
|
/// \since Crypto++ 3.0 |
|
|
|
#ifndef CRYPTOPP_MQV_H |
|
#define CRYPTOPP_MQV_H |
|
|
|
#include "cryptlib.h" |
|
#include "gfpcrypt.h" |
|
#include "modarith.h" |
|
#include "integer.h" |
|
#include "algebra.h" |
|
#include "misc.h" |
|
|
|
NAMESPACE_BEGIN(CryptoPP) |
|
|
|
/// \brief MQV domain for performing authenticated key agreement |
|
/// \tparam GROUP_PARAMETERS doamin parameters |
|
/// \tparam COFACTOR_OPTION cofactor option |
|
/// \details GROUP_PARAMETERS parameters include the curve coefcients and the base point. |
|
/// Binary curves use a polynomial to represent its characteristic, while prime curves |
|
/// use a prime number. |
|
/// \sa MQV, HMQV, FHMQV, and AuthenticatedKeyAgreementDomain |
|
/// \since Crypto++ 3.0 |
|
template <class GROUP_PARAMETERS, class COFACTOR_OPTION = typename GROUP_PARAMETERS::DefaultCofactorOption> |
|
class MQV_Domain : public AuthenticatedKeyAgreementDomain |
|
{ |
|
public: |
|
typedef GROUP_PARAMETERS GroupParameters; |
|
typedef typename GroupParameters::Element Element; |
|
typedef MQV_Domain<GROUP_PARAMETERS, COFACTOR_OPTION> Domain; |
|
|
|
/// \brief Construct a MQV domain |
|
MQV_Domain() {} |
|
|
|
/// \brief Construct a MQV domain |
|
/// \param params group parameters and options |
|
MQV_Domain(const GroupParameters ¶ms) |
|
: m_groupParameters(params) {} |
|
|
|
/// \brief Construct a MQV domain |
|
/// \param bt BufferedTransformation with group parameters and options |
|
MQV_Domain(BufferedTransformation &bt) |
|
{m_groupParameters.BERDecode(bt);} |
|
|
|
/// \brief Construct a MQV domain |
|
/// \tparam T1 template parameter used as a constructor parameter |
|
/// \tparam T2 template parameter used as a constructor parameter |
|
/// \param v1 first parameter |
|
/// \param v2 second parameter |
|
/// \details v1 and v2 are passed directly to the GROUP_PARAMETERS object. |
|
template <class T1, class T2> |
|
MQV_Domain(T1 v1, T2 v2) |
|
{m_groupParameters.Initialize(v1, v2);} |
|
|
|
/// \brief Construct a MQV domain |
|
/// \tparam T1 template parameter used as a constructor parameter |
|
/// \tparam T2 template parameter used as a constructor parameter |
|
/// \tparam T3 template parameter used as a constructor parameter |
|
/// \param v1 first parameter |
|
/// \param v2 second parameter |
|
/// \param v3 third parameter |
|
/// \details v1, v2 and v3 are passed directly to the GROUP_PARAMETERS object. |
|
template <class T1, class T2, class T3> |
|
MQV_Domain(T1 v1, T2 v2, T3 v3) |
|
{m_groupParameters.Initialize(v1, v2, v3);} |
|
|
|
/// \brief Construct a MQV domain |
|
/// \tparam T1 template parameter used as a constructor parameter |
|
/// \tparam T2 template parameter used as a constructor parameter |
|
/// \tparam T3 template parameter used as a constructor parameter |
|
/// \tparam T4 template parameter used as a constructor parameter |
|
/// \param v1 first parameter |
|
/// \param v2 second parameter |
|
/// \param v3 third parameter |
|
/// \param v4 third parameter |
|
/// \details v1, v2, v3 and v4 are passed directly to the GROUP_PARAMETERS object. |
|
template <class T1, class T2, class T3, class T4> |
|
MQV_Domain(T1 v1, T2 v2, T3 v3, T4 v4) |
|
{m_groupParameters.Initialize(v1, v2, v3, v4);} |
|
|
|
/// \brief Retrieves the group parameters for this domain |
|
/// \return the group parameters for this domain as a const reference |
|
const GroupParameters & GetGroupParameters() const {return m_groupParameters;} |
|
|
|
/// \brief Retrieves the group parameters for this domain |
|
/// \return the group parameters for this domain as a non-const reference |
|
GroupParameters & AccessGroupParameters() {return m_groupParameters;} |
|
|
|
/// \brief Retrieves the crypto parameters for this domain |
|
/// \return the crypto parameters for this domain as a non-const reference |
|
CryptoParameters & AccessCryptoParameters() {return AccessAbstractGroupParameters();} |
|
|
|
/// \brief Provides the size of the agreed value |
|
/// \return size of agreed value produced in this domain |
|
/// \details The length is calculated using <tt>GetEncodedElementSize(false)</tt>, |
|
/// which means the element is encoded in a non-reversible format. A |
|
/// non-reversible format means its a raw byte array, and it lacks presentation |
|
/// format like an ASN.1 BIT_STRING or OCTET_STRING. |
|
unsigned int AgreedValueLength() const {return GetAbstractGroupParameters().GetEncodedElementSize(false);} |
|
|
|
/// \brief Provides the size of the static private key |
|
/// \return size of static private keys in this domain |
|
/// \details The length is calculated using the byte count of the subgroup order. |
|
unsigned int StaticPrivateKeyLength() const {return GetAbstractGroupParameters().GetSubgroupOrder().ByteCount();} |
|
|
|
/// \brief Provides the size of the static public key |
|
/// \return size of static public keys in this domain |
|
/// \details The length is calculated using <tt>GetEncodedElementSize(true)</tt>, |
|
/// which means the element is encoded in a reversible format. A reversible |
|
/// format means it has a presentation format, and its an ANS.1 encoded element |
|
/// or point. |
|
unsigned int StaticPublicKeyLength() const {return GetAbstractGroupParameters().GetEncodedElementSize(true);} |
|
|
|
/// \brief Generate static private key in this domain |
|
/// \param rng a RandomNumberGenerator derived class |
|
/// \param privateKey a byte buffer for the generated private key in this domain |
|
/// \details The private key is a random scalar used as an exponent in the range |
|
/// <tt>[1,MaxExponent()]</tt>. |
|
/// \pre <tt>COUNTOF(privateKey) == PrivateStaticKeyLength()</tt> |
|
void GenerateStaticPrivateKey(RandomNumberGenerator &rng, byte *privateKey) const |
|
{ |
|
Integer x(rng, Integer::One(), GetAbstractGroupParameters().GetMaxExponent()); |
|
x.Encode(privateKey, StaticPrivateKeyLength()); |
|
} |
|
|
|
/// \brief Generate a static public key from a private key in this domain |
|
/// \param rng a RandomNumberGenerator derived class |
|
/// \param privateKey a byte buffer with the previously generated private key |
|
/// \param publicKey a byte buffer for the generated public key in this domain |
|
/// \details The public key is an element or point on the curve, and its stored |
|
/// in a revrsible format. A reversible format means it has a presentation |
|
/// format, and its an ANS.1 encoded element or point. |
|
/// \pre <tt>COUNTOF(publicKey) == PublicStaticKeyLength()</tt> |
|
void GenerateStaticPublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const |
|
{ |
|
CRYPTOPP_UNUSED(rng); |
|
const DL_GroupParameters<Element> ¶ms = GetAbstractGroupParameters(); |
|
Integer x(privateKey, StaticPrivateKeyLength()); |
|
Element y = params.ExponentiateBase(x); |
|
params.EncodeElement(true, y, publicKey); |
|
} |
|
|
|
/// \brief Provides the size of the ephemeral private key |
|
/// \return size of ephemeral private keys in this domain |
|
/// \details An ephemeral private key is a private key and public key. |
|
/// The serialized size is different than a static private key. |
|
unsigned int EphemeralPrivateKeyLength() const {return StaticPrivateKeyLength() + StaticPublicKeyLength();} |
|
|
|
/// \brief Provides the size of the ephemeral public key |
|
/// \return size of ephemeral public keys in this domain |
|
/// \details An ephemeral public key is a public key. |
|
/// The serialized size is the same as a static public key. |
|
unsigned int EphemeralPublicKeyLength() const {return StaticPublicKeyLength();} |
|
|
|
/// \brief Generate ephemeral private key in this domain |
|
/// \param rng a RandomNumberGenerator derived class |
|
/// \param privateKey a byte buffer for the generated private key in this domain |
|
/// \pre <tt>COUNTOF(privateKey) == EphemeralPrivateKeyLength()</tt> |
|
void GenerateEphemeralPrivateKey(RandomNumberGenerator &rng, byte *privateKey) const |
|
{ |
|
const DL_GroupParameters<Element> ¶ms = GetAbstractGroupParameters(); |
|
Integer x(rng, Integer::One(), params.GetMaxExponent()); |
|
x.Encode(privateKey, StaticPrivateKeyLength()); |
|
Element y = params.ExponentiateBase(x); |
|
params.EncodeElement(true, y, privateKey+StaticPrivateKeyLength()); |
|
} |
|
|
|
/// \brief Generate ephemeral public key from a private key in this domain |
|
/// \param rng a RandomNumberGenerator derived class |
|
/// \param privateKey a byte buffer with the previously generated private key |
|
/// \param publicKey a byte buffer for the generated public key in this domain |
|
/// \pre <tt>COUNTOF(publicKey) == EphemeralPublicKeyLength()</tt> |
|
void GenerateEphemeralPublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const |
|
{ |
|
CRYPTOPP_UNUSED(rng); |
|
memcpy(publicKey, privateKey+StaticPrivateKeyLength(), EphemeralPublicKeyLength()); |
|
} |
|
|
|
/// \brief Derive agreed value or shared secret |
|
/// \param agreedValue the shared secret |
|
/// \param staticPrivateKey your long term private key |
|
/// \param ephemeralPrivateKey your ephemeral private key |
|
/// \param staticOtherPublicKey couterparty's long term public key |
|
/// \param ephemeralOtherPublicKey couterparty's ephemeral public key |
|
/// \param validateStaticOtherPublicKey flag indicating validation |
|
/// \return true upon success, false in case of failure |
|
/// \details Agree() performs the authenticated key agreement. Agree() |
|
/// derives a shared secret from your private keys and couterparty's |
|
/// public keys. Each instance or run of the protocol should use a new |
|
/// ephemeral key pair. |
|
/// \details The other's ephemeral public key will always be validated at |
|
/// Level 1 to ensure it is a point on the curve. |
|
/// <tt>validateStaticOtherPublicKey</tt> determines how thoroughly other's |
|
/// static public key is validated. If you have previously validated the |
|
/// couterparty's static public key, then use |
|
/// <tt>validateStaticOtherPublicKey=false</tt> to save time. |
|
/// \pre <tt>COUNTOF(agreedValue) == AgreedValueLength()</tt> |
|
/// \pre <tt>COUNTOF(staticPrivateKey) == StaticPrivateKeyLength()</tt> |
|
/// \pre <tt>COUNTOF(ephemeralPrivateKey) == EphemeralPrivateKeyLength()</tt> |
|
/// \pre <tt>COUNTOF(staticOtherPublicKey) == StaticPublicKeyLength()</tt> |
|
/// \pre <tt>COUNTOF(ephemeralOtherPublicKey) == EphemeralPublicKeyLength()</tt> |
|
bool Agree(byte *agreedValue, |
|
const byte *staticPrivateKey, const byte *ephemeralPrivateKey, |
|
const byte *staticOtherPublicKey, const byte *ephemeralOtherPublicKey, |
|
bool validateStaticOtherPublicKey=true) const |
|
{ |
|
try |
|
{ |
|
const DL_GroupParameters<Element> ¶ms = GetAbstractGroupParameters(); |
|
Element WW = params.DecodeElement(staticOtherPublicKey, validateStaticOtherPublicKey); |
|
Element VV = params.DecodeElement(ephemeralOtherPublicKey, true); |
|
|
|
Integer s(staticPrivateKey, StaticPrivateKeyLength()); |
|
Integer u(ephemeralPrivateKey, StaticPrivateKeyLength()); |
|
Element V = params.DecodeElement(ephemeralPrivateKey+StaticPrivateKeyLength(), false); |
|
|
|
const Integer &r = params.GetSubgroupOrder(); |
|
Integer h2 = Integer::Power2((r.BitCount()+1)/2); |
|
Integer e = ((h2+params.ConvertElementToInteger(V)%h2)*s+u) % r; |
|
Integer tt = h2 + params.ConvertElementToInteger(VV) % h2; |
|
|
|
if (COFACTOR_OPTION::ToEnum() == NO_COFACTOR_MULTIPLICTION) |
|
{ |
|
Element P = params.ExponentiateElement(WW, tt); |
|
P = m_groupParameters.MultiplyElements(P, VV); |
|
Element R[2]; |
|
const Integer e2[2] = {r, e}; |
|
params.SimultaneousExponentiate(R, P, e2, 2); |
|
if (!params.IsIdentity(R[0]) || params.IsIdentity(R[1])) |
|
return false; |
|
params.EncodeElement(false, R[1], agreedValue); |
|
} |
|
else |
|
{ |
|
const Integer &k = params.GetCofactor(); |
|
if (COFACTOR_OPTION::ToEnum() == COMPATIBLE_COFACTOR_MULTIPLICTION) |
|
e = ModularArithmetic(r).Divide(e, k); |
|
Element P = m_groupParameters.CascadeExponentiate(VV, k*e, WW, k*(e*tt%r)); |
|
if (params.IsIdentity(P)) |
|
return false; |
|
params.EncodeElement(false, P, agreedValue); |
|
} |
|
} |
|
catch (DL_BadElement &) |
|
{ |
|
return false; |
|
} |
|
return true; |
|
} |
|
|
|
private: |
|
DL_GroupParameters<Element> & AccessAbstractGroupParameters() {return m_groupParameters;} |
|
const DL_GroupParameters<Element> & GetAbstractGroupParameters() const {return m_groupParameters;} |
|
|
|
GroupParameters m_groupParameters; |
|
}; |
|
|
|
/// Menezes-Qu-Vanstone in GF(p) with key validation, AKA <a href="http://www.weidai.com/scan-mirror/ka.html#MQV">MQV</a> |
|
/// \sa MQV, HMQV_Domain, FHMQV_Domain, AuthenticatedKeyAgreementDomain |
|
/// \since Crypto++ 3.0 |
|
typedef MQV_Domain<DL_GroupParameters_GFP_DefaultSafePrime> MQV; |
|
|
|
NAMESPACE_END |
|
|
|
#endif
|
|
|