1 // gfpcrypt.h - originally written and placed in the public domain by Wei Dai
2 // RFC6979 deterministic signatures added by Douglas Roark
3 // ECGDSA added by Jeffrey Walton
4
5 /// \file gfpcrypt.h
6 /// \brief Classes and functions for schemes based on Discrete Logs (DL) over GF(p)
7
8 #ifndef CRYPTOPP_GFPCRYPT_H
9 #define CRYPTOPP_GFPCRYPT_H
10
11 #include "config.h"
12
13 #if CRYPTOPP_MSC_VERSION
14 # pragma warning(push)
15 # pragma warning(disable: 4189 4231 4275)
16 #endif
17
18 #include "cryptlib.h"
19 #include "pubkey.h"
20 #include "integer.h"
21 #include "modexppc.h"
22 #include "algparam.h"
23 #include "smartptr.h"
24 #include "sha.h"
25 #include "asn.h"
26 #include "hmac.h"
27 #include "misc.h"
28
29 NAMESPACE_BEGIN(CryptoPP)
30
31 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>;
32
33 /// \brief Integer-based GroupParameters specialization
34 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> >
35 {
36 typedef DL_GroupParameters_IntegerBased ThisClass;
37
38 public:
~DL_GroupParameters_IntegerBased()39 virtual ~DL_GroupParameters_IntegerBased() {}
40
41 /// \brief Initialize a group parameters over integers
42 /// \param params the group parameters
Initialize(const DL_GroupParameters_IntegerBased & params)43 void Initialize(const DL_GroupParameters_IntegerBased ¶ms)
44 {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());}
45
46 /// \brief Create a group parameters over integers
47 /// \param rng a RandomNumberGenerator derived class
48 /// \param pbits the size of p, in bits
49 /// \details This function overload of Initialize() creates a new private key because it
50 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
51 /// then use one of the other Initialize() overloads.
Initialize(RandomNumberGenerator & rng,unsigned int pbits)52 void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
53 {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));}
54
55 /// \brief Initialize a group parameters over integers
56 /// \param p the modulus
57 /// \param g the generator
Initialize(const Integer & p,const Integer & g)58 void Initialize(const Integer &p, const Integer &g)
59 {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);}
60
61 /// \brief Initialize a group parameters over integers
62 /// \param p the modulus
63 /// \param q the subgroup order
64 /// \param g the generator
Initialize(const Integer & p,const Integer & q,const Integer & g)65 void Initialize(const Integer &p, const Integer &q, const Integer &g)
66 {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);}
67
68 // ASN1Object interface
69 void BERDecode(BufferedTransformation &bt);
70 void DEREncode(BufferedTransformation &bt) const;
71
72 /// \brief Generate a random key
73 /// \param rng a RandomNumberGenerator to produce keying material
74 /// \param alg additional initialization parameters
75 /// \details Recognised NameValuePairs are ModulusSize and
76 /// SubgroupOrderSize (optional)
77 /// \throw KeyingErr if a key can't be generated or algorithm parameters
78 /// are invalid
79 void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
80
81 /// \brief Get a named value
82 /// \param name the name of the object or value to retrieve
83 /// \param valueType reference to a variable that receives the value
84 /// \param pValue void pointer to a variable that receives the value
85 /// \return true if the value was retrieved, false otherwise
86 /// \details GetVoidValue() retrieves the value of name if it exists.
87 /// \note GetVoidValue() is an internal function and should be implemented
88 /// by derived classes. Users should use one of the other functions instead.
89 /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(),
90 /// GetRequiredParameter() and GetRequiredIntParameter()
91 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
92
93 /// \brief Initialize or reinitialize this key
94 /// \param source NameValuePairs to assign
95 void AssignFrom(const NameValuePairs &source);
96
97 // DL_GroupParameters
GetSubgroupOrder()98 const Integer & GetSubgroupOrder() const {return m_q;}
GetGroupOrder()99 Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
100 bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
101 bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
102
103 /// \brief Determine if subgroup membership check is fast
104 /// \return true or false
FastSubgroupCheckAvailable()105 bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
106
107 /// \brief Encodes the element
108 /// \param reversible flag indicating the encoding format
109 /// \param element reference to the element to encode
110 /// \param encoded destination byte array for the encoded element
111 /// \details EncodeElement() must be implemented in a derived class.
112 /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
113 /// \sa GetEncodedElementSize(), DecodeElement(), <A
114 /// HREF="http://github.com/weidai11/cryptopp/issues/40">Cygwin
115 /// i386 crash at -O3</A>
116 void EncodeElement(bool reversible, const Element &element, byte *encoded) const;
117
118 /// \brief Retrieve the encoded element's size
119 /// \param reversible flag indicating the encoding format
120 /// \return encoded element's size, in bytes
121 /// \details The format of the encoded element varies by the underlying
122 /// type of the element and the reversible flag.
123 /// \sa EncodeElement(), DecodeElement()
124 unsigned int GetEncodedElementSize(bool reversible) const;
125
126 /// \brief Decodes the element
127 /// \param encoded byte array with the encoded element
128 /// \param checkForGroupMembership flag indicating if the element should be validated
129 /// \return Element after decoding
130 /// \details DecodeElement() must be implemented in a derived class.
131 /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
132 /// \sa GetEncodedElementSize(), EncodeElement()
133 Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
134
135 /// \brief Converts an element to an Integer
136 /// \param element the element to convert to an Integer
137 /// \return Element after converting to an Integer
138 /// \details ConvertElementToInteger() must be implemented in a derived class.
ConvertElementToInteger(const Element & element)139 Integer ConvertElementToInteger(const Element &element) const
140 {return element;}
141
142 /// \brief Retrieve the maximum exponent for the group
143 /// \return the maximum exponent for the group
144 Integer GetMaxExponent() const;
145
146 /// \brief Retrieve the OID of the algorithm
147 /// \return OID of the algorithm
148 OID GetAlgorithmID() const;
149
150 /// \brief Retrieve the modulus for the group
151 /// \return the modulus for the group
152 virtual const Integer & GetModulus() const =0;
153
154 /// \brief Set group parameters
155 /// \param p the prime modulus
156 /// \param g the group generator
157 virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
158
159 /// \brief Set subgroup order
160 /// \param q the subgroup order
SetSubgroupOrder(const Integer & q)161 void SetSubgroupOrder(const Integer &q)
162 {m_q = q; ParametersChanged();}
163
StaticAlgorithmNamePrefix()164 static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
165
166 protected:
ComputeGroupOrder(const Integer & modulus)167 Integer ComputeGroupOrder(const Integer &modulus) const
168 {return modulus-(GetFieldType() == 1 ? 1 : -1);}
169
170 // GF(p) = 1, GF(p^2) = 2
171 virtual int GetFieldType() const =0;
172 virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const;
173
174 private:
175 Integer m_q;
176 };
177
178 /// \brief Integer-based GroupParameters default implementation
179 /// \tparam GROUP_PRECOMP group parameters precomputation specialization
180 /// \tparam BASE_PRECOMP base class precomputation specialization
181 template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<typename GROUP_PRECOMP::Element> >
182 class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased>
183 {
184 typedef DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> ThisClass;
185
186 public:
187 typedef typename GROUP_PRECOMP::Element Element;
188
~DL_GroupParameters_IntegerBasedImpl()189 virtual ~DL_GroupParameters_IntegerBasedImpl() {}
190
191 // GeneratibleCryptoMaterial interface
GetVoidValue(const char * name,const std::type_info & valueType,void * pValue)192 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
193 {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();}
194
AssignFrom(const NameValuePairs & source)195 void AssignFrom(const NameValuePairs &source)
196 {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);}
197
198 // DL_GroupParameters
GetBasePrecomputation()199 const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
AccessBasePrecomputation()200 DL_FixedBasePrecomputation<Element> & AccessBasePrecomputation() {return this->m_gpc;}
201
202 // IntegerGroupParameters
203 /// \brief Retrieve the modulus for the group
204 /// \return the modulus for the group
GetModulus()205 const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();}
206
207 /// \brief Retrieves a reference to the group generator
208 /// \return const reference to the group generator
GetGenerator()209 const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());}
210
SetModulusAndSubgroupGenerator(const Integer & p,const Integer & g)211 void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) // these have to be set together
212 {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();}
213
214 // non-inherited
215 bool operator==(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const
216 {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();}
217 bool operator!=(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const
218 {return !operator==(rhs);}
219 };
220
221 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>;
222
223 /// \brief GF(p) group parameters
224 class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>
225 {
226 public:
~DL_GroupParameters_GFP()227 virtual ~DL_GroupParameters_GFP() {}
228
229 /// \brief Determines if an element is an identity
230 /// \param element element to check
231 /// \return true if the element is an identity, false otherwise
232 /// \details The identity element or or neutral element is a special element
233 /// in a group that leaves other elements unchanged when combined with it.
234 /// \details IsIdentity() must be implemented in a derived class.
IsIdentity(const Integer & element)235 bool IsIdentity(const Integer &element) const {return element == Integer::One();}
236
237 /// \brief Exponentiates a base to multiple exponents
238 /// \param results an array of Elements
239 /// \param base the base to raise to the exponents
240 /// \param exponents an array of exponents
241 /// \param exponentsCount the number of exponents in the array
242 /// \details SimultaneousExponentiate() raises the base to each exponent in
243 /// the exponents array and stores the result at the respective position in
244 /// the results array.
245 /// \details SimultaneousExponentiate() must be implemented in a derived class.
246 /// \pre <tt>COUNTOF(results) == exponentsCount</tt>
247 /// \pre <tt>COUNTOF(exponents) == exponentsCount</tt>
248 void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
249
250 /// \brief Get a named value
251 /// \param name the name of the object or value to retrieve
252 /// \param valueType reference to a variable that receives the value
253 /// \param pValue void pointer to a variable that receives the value
254 /// \return true if the value was retrieved, false otherwise
255 /// \details GetVoidValue() retrieves the value of name if it exists.
256 /// \note GetVoidValue() is an internal function and should be implemented
257 /// by derived classes. Users should use one of the other functions instead.
258 /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(),
259 /// GetRequiredParameter() and GetRequiredIntParameter()
GetVoidValue(const char * name,const std::type_info & valueType,void * pValue)260 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
261 {
262 return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();
263 }
264
265 // used by MQV
266 Element MultiplyElements(const Element &a, const Element &b) const;
267 Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
268
269 protected:
GetFieldType()270 int GetFieldType() const {return 1;}
271 };
272
273 /// \brief GF(p) group parameters that default to safe primes
274 class CRYPTOPP_DLL DL_GroupParameters_GFP_DefaultSafePrime : public DL_GroupParameters_GFP
275 {
276 public:
277 typedef NoCofactorMultiplication DefaultCofactorOption;
278
~DL_GroupParameters_GFP_DefaultSafePrime()279 virtual ~DL_GroupParameters_GFP_DefaultSafePrime() {}
280
281 protected:
GetDefaultSubgroupOrderSize(unsigned int modulusSize)282 unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
283 };
284
285 /// \brief GDSA algorithm
286 /// \tparam T FieldElement type or class
287 template <class T>
288 class DL_Algorithm_GDSA : public DL_ElgamalLikeSignatureAlgorithm<T>
289 {
290 public:
StaticAlgorithmName()291 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";}
292
~DL_Algorithm_GDSA()293 virtual ~DL_Algorithm_GDSA() {}
294
Sign(const DL_GroupParameters<T> & params,const Integer & x,const Integer & k,const Integer & e,Integer & r,Integer & s)295 void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
296 {
297 const Integer &q = params.GetSubgroupOrder();
298 r %= q;
299 Integer kInv = k.InverseMod(q);
300 s = (kInv * (x*r + e)) % q;
301 CRYPTOPP_ASSERT(!!r && !!s);
302 }
303
Verify(const DL_GroupParameters<T> & params,const DL_PublicKey<T> & publicKey,const Integer & e,const Integer & r,const Integer & s)304 bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
305 {
306 const Integer &q = params.GetSubgroupOrder();
307 if (r>=q || r<1 || s>=q || s<1)
308 return false;
309
310 Integer w = s.InverseMod(q);
311 Integer u1 = (e * w) % q;
312 Integer u2 = (r * w) % q;
313 // verify r == (g^u1 * y^u2 mod p) mod q
314 return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
315 }
316 };
317
318 /// \brief DSA signature algorithm based on RFC 6979
319 /// \tparam T FieldElement type or class
320 /// \tparam H HashTransformation derived class
321 /// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the
322 /// Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
323 /// \since Crypto++ 6.0
324 template <class T, class H>
325 class DL_Algorithm_DSA_RFC6979 : public DL_Algorithm_GDSA<T>, public DeterministicSignatureAlgorithm
326 {
327 public:
StaticAlgorithmName()328 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-RFC6979";}
329
~DL_Algorithm_DSA_RFC6979()330 virtual ~DL_Algorithm_DSA_RFC6979() {}
331
IsProbabilistic()332 bool IsProbabilistic() const
333 {return false;}
IsDeterministic()334 bool IsDeterministic() const
335 {return true;}
336
337 // Deterministic K
GenerateRandom(const Integer & x,const Integer & q,const Integer & e)338 Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
339 {
340 static const byte zero = 0, one = 1;
341 const size_t qlen = q.BitCount();
342 const size_t rlen = BitsToBytes(qlen);
343
344 // Step (a) - formatted E(m)
345 SecByteBlock BH(e.MinEncodedSize());
346 e.Encode(BH, BH.size());
347 BH = bits2octets(BH, q);
348
349 // Step (a) - private key to byte array
350 SecByteBlock BX(STDMAX(rlen, x.MinEncodedSize()));
351 x.Encode(BX, BX.size());
352
353 // Step (b)
354 SecByteBlock V(H::DIGESTSIZE);
355 std::fill(V.begin(), V.begin()+H::DIGESTSIZE, one);
356
357 // Step (c)
358 SecByteBlock K(H::DIGESTSIZE);
359 std::fill(K.begin(), K.begin()+H::DIGESTSIZE, zero);
360
361 // Step (d)
362 m_hmac.SetKey(K, K.size());
363 m_hmac.Update(V, V.size());
364 m_hmac.Update(&zero, 1);
365 m_hmac.Update(BX, BX.size());
366 m_hmac.Update(BH, BH.size());
367 m_hmac.TruncatedFinal(K, K.size());
368
369 // Step (e)
370 m_hmac.SetKey(K, K.size());
371 m_hmac.Update(V, V.size());
372 m_hmac.TruncatedFinal(V, V.size());
373
374 // Step (f)
375 m_hmac.SetKey(K, K.size());
376 m_hmac.Update(V, V.size());
377 m_hmac.Update(&one, 1);
378 m_hmac.Update(BX, BX.size());
379 m_hmac.Update(BH, BH.size());
380 m_hmac.TruncatedFinal(K, K.size());
381
382 // Step (g)
383 m_hmac.SetKey(K, K.size());
384 m_hmac.Update(V, V.size());
385 m_hmac.TruncatedFinal(V, V.size());
386
387 Integer k;
388 SecByteBlock temp(rlen);
389 for (;;)
390 {
391 // We want qlen bits, but we support only hash functions with an output length
392 // multiple of 8; hence, we will gather rlen bits, i.e., rolen octets.
393 size_t toff = 0;
394 while (toff < rlen)
395 {
396 m_hmac.Update(V, V.size());
397 m_hmac.TruncatedFinal(V, V.size());
398
399 size_t cc = STDMIN(V.size(), temp.size() - toff);
400 memcpy_s(temp+toff, temp.size() - toff, V, cc);
401 toff += cc;
402 }
403
404 k = bits2int(temp, qlen);
405 if (k > 0 && k < q)
406 break;
407
408 // k is not in the proper range; update K and V, and loop.
409 m_hmac.Update(V, V.size());
410 m_hmac.Update(&zero, 1);
411 m_hmac.TruncatedFinal(K, K.size());
412
413 m_hmac.SetKey(K, K.size());
414 m_hmac.Update(V, V.size());
415 m_hmac.TruncatedFinal(V, V.size());
416 }
417
418 return k;
419 }
420
421 protected:
422
bits2int(const SecByteBlock & bits,size_t qlen)423 Integer bits2int(const SecByteBlock& bits, size_t qlen) const
424 {
425 Integer ret(bits, bits.size());
426 size_t blen = bits.size()*8;
427
428 if (blen > qlen)
429 ret >>= blen - qlen;
430
431 return ret;
432 }
433
434 // RFC 6979 support function. Takes an integer and converts it into bytes that
435 // are the same length as an elliptic curve's order.
int2octets(const Integer & val,size_t rlen)436 SecByteBlock int2octets(const Integer& val, size_t rlen) const
437 {
438 SecByteBlock block(val.MinEncodedSize());
439 val.Encode(block, val.MinEncodedSize());
440
441 if (block.size() == rlen)
442 return block;
443
444 // The least significant bytes are the ones we need to preserve.
445 SecByteBlock t(rlen);
446 if (block.size() > rlen)
447 {
448 size_t offset = block.size() - rlen;
449 std::memcpy(t, block + offset, rlen);
450 }
451 else // block.size() < rlen
452 {
453 size_t offset = rlen - block.size();
454 memset(t, '\x00', offset);
455 std::memcpy(t + offset, block, rlen - offset);
456 }
457
458 return t;
459 }
460
461 // Turn a stream of bits into a set of bytes with the same length as an elliptic
462 // curve's order.
bits2octets(const SecByteBlock & in,const Integer & q)463 SecByteBlock bits2octets(const SecByteBlock& in, const Integer& q) const
464 {
465 Integer b2 = bits2int(in, q.BitCount());
466 Integer b1 = b2 - q;
467 return int2octets(b1.IsNegative() ? b2 : b1, q.ByteCount());
468 }
469
470 private:
471 mutable H m_hash;
472 mutable HMAC<H> m_hmac;
473 };
474
475 /// \brief German Digital Signature Algorithm
476 /// \tparam T FieldElement type or class
477 /// \details The Digital Signature Scheme ECGDSA does not define the algorithm over integers. Rather, the
478 /// signature algorithm is only defined over elliptic curves. However, The library design is such that the
479 /// generic algorithm reside in <tt>gfpcrypt.h</tt>.
480 /// \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf">
481 /// The Digital Signature Scheme ECGDSA (October 24, 2006)</A>
482 template <class T>
483 class DL_Algorithm_GDSA_ISO15946 : public DL_ElgamalLikeSignatureAlgorithm<T>
484 {
485 public:
StaticAlgorithmName()486 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "GDSA-ISO15946";}
487
~DL_Algorithm_GDSA_ISO15946()488 virtual ~DL_Algorithm_GDSA_ISO15946() {}
489
Sign(const DL_GroupParameters<T> & params,const Integer & x,const Integer & k,const Integer & e,Integer & r,Integer & s)490 void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
491 {
492 const Integer &q = params.GetSubgroupOrder();
493 // r = x(k * G) mod q
494 r = params.ConvertElementToInteger(params.ExponentiateBase(k)) % q;
495 // s = (k * r - h(m)) * d_A mod q
496 s = (k * r - e) * x % q;
497 CRYPTOPP_ASSERT(!!r && !!s);
498 }
499
Verify(const DL_GroupParameters<T> & params,const DL_PublicKey<T> & publicKey,const Integer & e,const Integer & r,const Integer & s)500 bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
501 {
502 const Integer &q = params.GetSubgroupOrder();
503 if (r>=q || r<1 || s>=q || s<1)
504 return false;
505
506 const Integer& rInv = r.InverseMod(q);
507 const Integer u1 = (rInv * e) % q;
508 const Integer u2 = (rInv * s) % q;
509 // verify x(G^u1 + P_A^u2) mod q
510 return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
511 }
512 };
513
514 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>;
515 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA1>;
516 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA224>;
517 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA256>;
518 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA384>;
519 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA512>;
520
521 /// \brief NR algorithm
522 /// \tparam T FieldElement type or class
523 template <class T>
524 class DL_Algorithm_NR : public DL_ElgamalLikeSignatureAlgorithm<T>
525 {
526 public:
StaticAlgorithmName()527 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "NR";}
528
~DL_Algorithm_NR()529 virtual ~DL_Algorithm_NR() {}
530
Sign(const DL_GroupParameters<T> & params,const Integer & x,const Integer & k,const Integer & e,Integer & r,Integer & s)531 void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
532 {
533 const Integer &q = params.GetSubgroupOrder();
534 r = (r + e) % q;
535 s = (k - x*r) % q;
536 CRYPTOPP_ASSERT(!!r);
537 }
538
Verify(const DL_GroupParameters<T> & params,const DL_PublicKey<T> & publicKey,const Integer & e,const Integer & r,const Integer & s)539 bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
540 {
541 const Integer &q = params.GetSubgroupOrder();
542 if (r>=q || r<1 || s>=q)
543 return false;
544
545 // check r == (m_g^s * m_y^r + m) mod m_q
546 return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q;
547 }
548 };
549
550 /// \brief Discrete Log (DL) public key in GF(p) groups
551 /// \tparam GP GroupParameters derived class
552 /// \details DSA public key format is defined in 7.3.3 of RFC 2459. The private key format is defined in 12.9 of PKCS #11 v2.10.
553 template <class GP>
554 class DL_PublicKey_GFP : public DL_PublicKeyImpl<GP>
555 {
556 public:
~DL_PublicKey_GFP()557 virtual ~DL_PublicKey_GFP() {}
558
559 /// \brief Initialize a public key over GF(p)
560 /// \param params the group parameters
561 /// \param y the public element
Initialize(const DL_GroupParameters_IntegerBased & params,const Integer & y)562 void Initialize(const DL_GroupParameters_IntegerBased ¶ms, const Integer &y)
563 {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);}
564
565 /// \brief Initialize a public key over GF(p)
566 /// \param p the modulus
567 /// \param g the generator
568 /// \param y the public element
Initialize(const Integer & p,const Integer & g,const Integer & y)569 void Initialize(const Integer &p, const Integer &g, const Integer &y)
570 {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);}
571
572 /// \brief Initialize a public key over GF(p)
573 /// \param p the modulus
574 /// \param q the subgroup order
575 /// \param g the generator
576 /// \param y the public element
Initialize(const Integer & p,const Integer & q,const Integer & g,const Integer & y)577 void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
578 {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);}
579
580 // X509PublicKey
BERDecodePublicKey(BufferedTransformation & bt,bool,size_t)581 void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
582 {this->SetPublicElement(Integer(bt));}
DEREncodePublicKey(BufferedTransformation & bt)583 void DEREncodePublicKey(BufferedTransformation &bt) const
584 {this->GetPublicElement().DEREncode(bt);}
585 };
586
587 /// \brief Discrete Log (DL) private key in GF(p) groups
588 /// \tparam GP GroupParameters derived class
589 template <class GP>
590 class DL_PrivateKey_GFP : public DL_PrivateKeyImpl<GP>
591 {
592 public:
593 virtual ~DL_PrivateKey_GFP();
594
595 /// \brief Create a private key
596 /// \param rng a RandomNumberGenerator derived class
597 /// \param modulusBits the size of the modulus, in bits
598 /// \details This function overload of Initialize() creates a new private key because it
599 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
600 /// then use one of the other Initialize() overloads.
Initialize(RandomNumberGenerator & rng,unsigned int modulusBits)601 void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
602 {this->GenerateRandomWithKeySize(rng, modulusBits);}
603
604 /// \brief Create a private key
605 /// \param rng a RandomNumberGenerator derived class
606 /// \param p the modulus
607 /// \param g the generator
608 /// \details This function overload of Initialize() creates a new private key because it
609 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
610 /// then use one of the other Initialize() overloads.
Initialize(RandomNumberGenerator & rng,const Integer & p,const Integer & g)611 void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
612 {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));}
613
614 /// \brief Create a private key
615 /// \param rng a RandomNumberGenerator derived class
616 /// \param p the modulus
617 /// \param q the subgroup order
618 /// \param g the generator
619 /// \details This function overload of Initialize() creates a new private key because it
620 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
621 /// then use one of the other Initialize() overloads.
Initialize(RandomNumberGenerator & rng,const Integer & p,const Integer & q,const Integer & g)622 void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
623 {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));}
624
625 /// \brief Initialize a private key over GF(p)
626 /// \param params the group parameters
627 /// \param x the private exponent
Initialize(const DL_GroupParameters_IntegerBased & params,const Integer & x)628 void Initialize(const DL_GroupParameters_IntegerBased ¶ms, const Integer &x)
629 {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);}
630
631 /// \brief Initialize a private key over GF(p)
632 /// \param p the modulus
633 /// \param g the generator
634 /// \param x the private exponent
Initialize(const Integer & p,const Integer & g,const Integer & x)635 void Initialize(const Integer &p, const Integer &g, const Integer &x)
636 {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);}
637
638 /// \brief Initialize a private key over GF(p)
639 /// \param p the modulus
640 /// \param q the subgroup order
641 /// \param g the generator
642 /// \param x the private exponent
Initialize(const Integer & p,const Integer & q,const Integer & g,const Integer & x)643 void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
644 {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);}
645 };
646
647 // Out-of-line dtor due to AIX and GCC, http://github.com/weidai11/cryptopp/issues/499
648 template <class GP>
~DL_PrivateKey_GFP()649 DL_PrivateKey_GFP<GP>::~DL_PrivateKey_GFP() {}
650
651 /// \brief Discrete Log (DL) signing/verification keys in GF(p) groups
652 struct DL_SignatureKeys_GFP
653 {
654 typedef DL_GroupParameters_GFP GroupParameters;
655 typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
656 typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
657 };
658
659 /// \brief Discrete Log (DL) encryption/decryption keys in GF(p) groups
660 struct DL_CryptoKeys_GFP
661 {
662 typedef DL_GroupParameters_GFP_DefaultSafePrime GroupParameters;
663 typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
664 typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
665 };
666
667 /// \brief DSA signature scheme
668 /// \tparam H HashTransformation derived class
669 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
670 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
671 template <class H>
672 struct GDSA : public DL_SS<
673 DL_SignatureKeys_GFP,
674 DL_Algorithm_GDSA<Integer>,
675 DL_SignatureMessageEncodingMethod_DSA,
676 H>
677 {
678 };
679
680 /// \brief NR signature scheme
681 /// \tparam H HashTransformation derived class
682 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#NR">NR</a>
683 template <class H>
684 struct NR : public DL_SS<
685 DL_SignatureKeys_GFP,
686 DL_Algorithm_NR<Integer>,
687 DL_SignatureMessageEncodingMethod_NR,
688 H>
689 {
690 };
691
692 /// \brief DSA group parameters
693 /// \details These are GF(p) group parameters that are allowed by the DSA standard
694 /// \sa DL_Keys_DSA
695 /// \since Crypto++ 1.0
696 class CRYPTOPP_DLL DL_GroupParameters_DSA : public DL_GroupParameters_GFP
697 {
698 public:
~DL_GroupParameters_DSA()699 virtual ~DL_GroupParameters_DSA() {}
700
701 /// \brief Check the group for errors
702 /// \param rng RandomNumberGenerator for objects which use randomized testing
703 /// \param level level of thoroughness
704 /// \return true if the tests succeed, false otherwise
705 /// \details ValidateGroup() also checks that the lengths of p and q are allowed
706 /// by the DSA standard.
707 /// \details There are four levels of thoroughness:
708 /// <ul>
709 /// <li>0 - using this object won't cause a crash or exception
710 /// <li>1 - this object will probably function, and encrypt, sign, other operations correctly
711 /// <li>2 - ensure this object will function correctly, and perform reasonable security checks
712 /// <li>3 - perform reasonable security checks, and do checks that may take a long time
713 /// </ul>
714 /// \details Level 0 does not require a RandomNumberGenerator. A NullRNG() can be used for level 0.
715 /// Level 1 may not check for weak keys and such. Levels 2 and 3 are recommended.
716 bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
717
718 /// \brief Generate a random key or crypto parameters
719 /// \param rng a RandomNumberGenerator to produce keying material
720 /// \param alg additional initialization parameters
721 /// \details NameValuePairs can be ModulusSize alone; or Modulus, SubgroupOrder, and
722 /// SubgroupGenerator. ModulusSize must be between <tt>DSA::MIN_PRIME_LENGTH</tt> and
723 /// <tt>DSA::MAX_PRIME_LENGTH</tt>, and divisible by <tt>DSA::PRIME_LENGTH_MULTIPLE</tt>.
724 /// \details An example of changing the modulus size using NameValuePairs is shown below.
725 /// <pre>
726 /// AlgorithmParameters params = MakeParameters
727 /// (Name::ModulusSize(), 2048);
728 ///
729 /// DL_GroupParameters_DSA groupParams;
730 /// groupParams.GenerateRandom(prng, params);
731 /// </pre>
732 /// \throw KeyingErr if a key can't be generated or algorithm parameters are invalid.
733 void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
734
735 /// \brief Check the prime length for errors
736 /// \param pbits number of bits in the prime number
737 /// \return true if the tests succeed, false otherwise
IsValidPrimeLength(unsigned int pbits)738 static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
739 {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;}
740
741 /// \brief DSA prime length
742 enum {
743 /// \brief Minimum prime length
744 MIN_PRIME_LENGTH = 1024,
745 /// \brief Maximum prime length
746 MAX_PRIME_LENGTH = 3072,
747 /// \brief Prime length multiple
748 PRIME_LENGTH_MULTIPLE = 1024
749 };
750 };
751
752 template <class H>
753 class DSA2;
754
755 /// \brief DSA keys
756 /// \sa DL_GroupParameters_DSA
757 /// \since Crypto++ 1.0
758 struct DL_Keys_DSA
759 {
760 typedef DL_PublicKey_GFP<DL_GroupParameters_DSA> PublicKey;
761 typedef DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA1> > PrivateKey;
762 };
763
764 /// \brief DSA signature scheme
765 /// \tparam H HashTransformation derived class
766 /// \details The class is named DSA2 instead of DSA for backwards compatibility because
767 /// DSA was a non-template class.
768 /// \details DSA default method GenerateRandom uses a 2048-bit modulus and a 224-bit subgoup by default.
769 /// The modulus can be changed using the following code:
770 /// <pre>
771 /// DSA::PrivateKey privateKey;
772 /// privateKey.GenerateRandomWithKeySize(prng, 2048);
773 /// </pre>
774 /// \details The subgroup order can be changed using the following code:
775 /// <pre>
776 /// AlgorithmParameters params = MakeParameters
777 /// (Name::ModulusSize(), 2048)
778 /// (Name::SubgroupOrderSize(), 256);
779 ///
780 /// DSA::PrivateKey privateKey;
781 /// privateKey.GenerateRandom(prng, params);
782 /// </pre>
783 /// \sa <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, as specified in FIPS 186-3,
784 /// <a href="https://www.cryptopp.com/wiki/Digital_Signature_Algorithm">Digital Signature Algorithm</a> on the wiki, and
785 /// <a href="https://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</a> on the wiki.
786 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2, Crypto++ 6.1 for 2048-bit modulus.
787 template <class H>
788 class DSA2 : public DL_SS<
789 DL_Keys_DSA,
790 DL_Algorithm_GDSA<Integer>,
791 DL_SignatureMessageEncodingMethod_DSA,
792 H,
793 DSA2<H> >
794 {
795 public:
StaticAlgorithmName()796 static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();}
797 };
798
799 /// \brief DSA deterministic signature scheme
800 /// \tparam H HashTransformation derived class
801 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
802 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
803 template <class H>
804 struct DSA_RFC6979 : public DL_SS<
805 DL_SignatureKeys_GFP,
806 DL_Algorithm_DSA_RFC6979<Integer, H>,
807 DL_SignatureMessageEncodingMethod_DSA,
808 H,
809 DSA_RFC6979<H> >
810 {
StaticAlgorithmNameDSA_RFC6979811 static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("DSA-RFC6979/") + H::StaticAlgorithmName();}
812 };
813
814 /// DSA with SHA-1, typedef'd for backwards compatibility
815 typedef DSA2<SHA1> DSA;
816
817 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>;
818 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>;
819 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA1> >;
820
821 /// \brief P1363 based XOR Encryption Method
822 /// \tparam MAC MessageAuthenticationCode derived class used for MAC computation
823 /// \tparam DHAES_MODE flag indicating DHAES mode
824 /// \tparam LABEL_OCTETS flag indicating the label is octet count
825 /// \details DL_EncryptionAlgorithm_Xor is based on an early P1363 draft, which itself appears to be based on an
826 /// early Certicom SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used it in its Integrated
827 /// Ecryption Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
828 /// \details If you need this method for Crypto++ 4.2 compatibility, then use the ECIES template class with
829 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
830 /// \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with
831 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=ture</tt> and <tt>LABEL_OCTETS=false</tt>.
832 /// \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters.
833 /// \since Crypto++ 4.0
834 template <class MAC, bool DHAES_MODE, bool LABEL_OCTETS=false>
835 class DL_EncryptionAlgorithm_Xor : public DL_SymmetricEncryptionAlgorithm
836 {
837 public:
~DL_EncryptionAlgorithm_Xor()838 virtual ~DL_EncryptionAlgorithm_Xor() {}
839
ParameterSupported(const char * name)840 bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
GetSymmetricKeyLength(size_t plaintextLength)841 size_t GetSymmetricKeyLength(size_t plaintextLength) const
842 {return plaintextLength + static_cast<size_t>(MAC::DEFAULT_KEYLENGTH);}
GetSymmetricCiphertextLength(size_t plaintextLength)843 size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
844 {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
GetMaxSymmetricPlaintextLength(size_t ciphertextLength)845 size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
846 {return SaturatingSubtract(ciphertextLength, static_cast<size_t>(MAC::DIGESTSIZE));}
SymmetricEncrypt(RandomNumberGenerator & rng,const byte * key,const byte * plaintext,size_t plaintextLength,byte * ciphertext,const NameValuePairs & parameters)847 void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs ¶meters) const
848 {
849 CRYPTOPP_UNUSED(rng);
850 const byte *cipherKey = NULLPTR, *macKey = NULLPTR;
851 if (DHAES_MODE)
852 {
853 macKey = key;
854 cipherKey = key + MAC::DEFAULT_KEYLENGTH;
855 }
856 else
857 {
858 cipherKey = key;
859 macKey = key + plaintextLength;
860 }
861
862 ConstByteArrayParameter encodingParameters;
863 parameters.GetValue(Name::EncodingParameters(), encodingParameters);
864
865 if (plaintextLength) // Coverity finding
866 xorbuf(ciphertext, plaintext, cipherKey, plaintextLength);
867
868 MAC mac(macKey);
869 mac.Update(ciphertext, plaintextLength);
870 mac.Update(encodingParameters.begin(), encodingParameters.size());
871 if (DHAES_MODE)
872 {
873 byte L[8];
874 PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
875 mac.Update(L, 8);
876 }
877 mac.Final(ciphertext + plaintextLength);
878 }
SymmetricDecrypt(const byte * key,const byte * ciphertext,size_t ciphertextLength,byte * plaintext,const NameValuePairs & parameters)879 DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs ¶meters) const
880 {
881 size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength);
882 const byte *cipherKey, *macKey;
883 if (DHAES_MODE)
884 {
885 macKey = key;
886 cipherKey = key + MAC::DEFAULT_KEYLENGTH;
887 }
888 else
889 {
890 cipherKey = key;
891 macKey = key + plaintextLength;
892 }
893
894 ConstByteArrayParameter encodingParameters;
895 parameters.GetValue(Name::EncodingParameters(), encodingParameters);
896
897 MAC mac(macKey);
898 mac.Update(ciphertext, plaintextLength);
899 mac.Update(encodingParameters.begin(), encodingParameters.size());
900 if (DHAES_MODE)
901 {
902 byte L[8];
903 PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
904 mac.Update(L, 8);
905 }
906 if (!mac.Verify(ciphertext + plaintextLength))
907 return DecodingResult();
908
909 if (plaintextLength) // Coverity finding
910 xorbuf(plaintext, ciphertext, cipherKey, plaintextLength);
911
912 return DecodingResult(plaintextLength);
913 }
914 };
915
916 /// _
917 template <class T, bool DHAES_MODE, class KDF>
918 class DL_KeyDerivationAlgorithm_P1363 : public DL_KeyDerivationAlgorithm<T>
919 {
920 public:
~DL_KeyDerivationAlgorithm_P1363()921 virtual ~DL_KeyDerivationAlgorithm_P1363() {}
922
ParameterSupported(const char * name)923 bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;}
Derive(const DL_GroupParameters<T> & params,byte * derivedKey,size_t derivedLength,const T & agreedElement,const T & ephemeralPublicKey,const NameValuePairs & parameters)924 void Derive(const DL_GroupParameters<T> ¶ms, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs ¶meters) const
925 {
926 SecByteBlock agreedSecret;
927 if (DHAES_MODE)
928 {
929 agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false));
930 params.EncodeElement(true, ephemeralPublicKey, agreedSecret);
931 params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true));
932 }
933 else
934 {
935 agreedSecret.New(params.GetEncodedElementSize(false));
936 params.EncodeElement(false, agreedElement, agreedSecret);
937 }
938
939 ConstByteArrayParameter derivationParameters;
940 parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters);
941 KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size());
942 }
943 };
944
945 /// \brief Discrete Log Integrated Encryption Scheme
946 /// \tparam COFACTOR_OPTION cofactor multiplication option
947 /// \tparam HASH HashTransformation derived class used for key drivation and MAC computation
948 /// \tparam DHAES_MODE flag indicating if the MAC includes addition context parameters such as the label
949 /// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits
950 /// \details DLIES is an Integer based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation Method (KEM)
951 /// with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is
952 /// <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security.
953 /// You should prefer an Integrated Encryption Scheme over homegrown schemes.
954 /// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom
955 /// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption
956 /// Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
957 /// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the DLIES template class with
958 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
959 /// \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the DLIES
960 /// template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
961 /// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of
962 /// <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security.
963 /// SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the
964 /// security provided by the MAC. The hash is also used in the key derivation function as a PRF.
965 /// \details Below is an example of constructing a Crypto++ 4.2 compatible DLIES encryptor and decryptor.
966 /// <pre>
967 /// AutoSeededRandomPool prng;
968 /// DL_PrivateKey_GFP<DL_GroupParameters_GFP> key;
969 /// key.Initialize(prng, 2048);
970 ///
971 /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key);
972 /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor);
973 /// </pre>
974 /// \sa ECIES, <a href="http://www.weidai.com/scan-mirror/ca.html#DLIES">Discrete Log Integrated Encryption Scheme (DLIES)</a>,
975 /// Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic
976 /// Curve Integrated Encryption Schemes</A>
977 /// \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility
978 template <class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS=false>
979 struct DLIES
980 : public DL_ES<
981 DL_CryptoKeys_GFP,
982 DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
983 DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<HASH> >,
984 DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>,
985 DLIES<> >
986 {
StaticAlgorithmNameDLIES987 static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";} // TODO: fix this after name is standardized
988 };
989
990 NAMESPACE_END
991
992 #if CRYPTOPP_MSC_VERSION
993 # pragma warning(pop)
994 #endif
995
996 #endif
997