00001 #ifndef CRYPTOPP_GFPCRYPT_H
00002 #define CRYPTOPP_GFPCRYPT_H
00003
00004
00005
00006
00007
00008 #include "pubkey.h"
00009 #include "modexppc.h"
00010 #include "sha.h"
00011 #include "algparam.h"
00012 #include "asn.h"
00013 #include "smartptr.h"
00014 #include "hmac.h"
00015
00016 #include <limits.h>
00017
00018 NAMESPACE_BEGIN(CryptoPP)
00019
00020 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>;
00021
00022
00023 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> >
00024 {
00025 typedef DL_GroupParameters_IntegerBased ThisClass;
00026
00027 public:
00028 void Initialize(const DL_GroupParameters_IntegerBased ¶ms)
00029 {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());}
00030 void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
00031 {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));}
00032 void Initialize(const Integer &p, const Integer &g)
00033 {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);}
00034 void Initialize(const Integer &p, const Integer &q, const Integer &g)
00035 {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);}
00036
00037
00038 void BERDecode(BufferedTransformation &bt);
00039 void DEREncode(BufferedTransformation &bt) const;
00040
00041
00042
00043 void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
00044 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
00045 void AssignFrom(const NameValuePairs &source);
00046
00047
00048 const Integer & GetSubgroupOrder() const {return m_q;}
00049 Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
00050 bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
00051 bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
00052 bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
00053 void EncodeElement(bool reversible, const Element &element, byte *encoded) const
00054 {element.Encode(encoded, GetModulus().ByteCount());}
00055 unsigned int GetEncodedElementSize(bool reversible) const {return GetModulus().ByteCount();}
00056 Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
00057 Integer ConvertElementToInteger(const Element &element) const
00058 {return element;}
00059 Integer GetMaxExponent() const;
00060 static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
00061
00062 OID GetAlgorithmID() const;
00063
00064 virtual const Integer & GetModulus() const =0;
00065 virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
00066
00067 void SetSubgroupOrder(const Integer &q)
00068 {m_q = q; ParametersChanged();}
00069
00070 protected:
00071 Integer ComputeGroupOrder(const Integer &modulus) const
00072 {return modulus-(GetFieldType() == 1 ? 1 : -1);}
00073
00074
00075 virtual int GetFieldType() const =0;
00076 virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const;
00077
00078 private:
00079 Integer m_q;
00080 };
00081
00082
00083 template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<CPP_TYPENAME GROUP_PRECOMP::Element> >
00084 class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased>
00085 {
00086 typedef DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> ThisClass;
00087
00088 public:
00089 typedef typename GROUP_PRECOMP::Element Element;
00090
00091
00092 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
00093 {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();}
00094
00095 void AssignFrom(const NameValuePairs &source)
00096 {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);}
00097
00098
00099 const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
00100 DL_FixedBasePrecomputation<Element> & AccessBasePrecomputation() {return this->m_gpc;}
00101
00102
00103 const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();}
00104 const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());}
00105
00106 void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g)
00107 {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();}
00108
00109
00110 bool operator==(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const
00111 {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();}
00112 bool operator!=(const DL_GroupParameters_IntegerBasedImpl<GROUP_PRECOMP, BASE_PRECOMP> &rhs) const
00113 {return !operator==(rhs);}
00114 };
00115
00116 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>;
00117
00118
00119 class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>
00120 {
00121 public:
00122
00123 bool IsIdentity(const Integer &element) const {return element == Integer::One();}
00124 void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
00125
00126
00127 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
00128 {
00129 return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();
00130 }
00131
00132
00133 Element MultiplyElements(const Element &a, const Element &b) const;
00134 Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
00135
00136 protected:
00137 int GetFieldType() const {return 1;}
00138 };
00139
00140
00141 class CRYPTOPP_DLL DL_GroupParameters_GFP_DefaultSafePrime : public DL_GroupParameters_GFP
00142 {
00143 public:
00144 typedef NoCofactorMultiplication DefaultCofactorOption;
00145
00146 protected:
00147 unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
00148 };
00149
00150
00151 template <class T>
00152 class DL_Algorithm_GDSA : public DL_ElgamalLikeSignatureAlgorithm<T>
00153 {
00154 public:
00155 static const char * CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";}
00156
00157 void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
00158 {
00159 const Integer &q = params.GetSubgroupOrder();
00160 r %= q;
00161 Integer kInv = k.InverseMod(q);
00162 s = (kInv * (x*r + e)) % q;
00163 assert(!!r && !!s);
00164 }
00165
00166 bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
00167 {
00168 const Integer &q = params.GetSubgroupOrder();
00169 if (r>=q || r<1 || s>=q || s<1)
00170 return false;
00171
00172 Integer w = s.InverseMod(q);
00173 Integer u1 = (e * w) % q;
00174 Integer u2 = (r * w) % q;
00175
00176 return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
00177 }
00178 };
00179
00180 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>;
00181
00182
00183 template <class T>
00184 class DL_Algorithm_NR : public DL_ElgamalLikeSignatureAlgorithm<T>
00185 {
00186 public:
00187 static const char * CRYPTOPP_API StaticAlgorithmName() {return "NR";}
00188
00189 void Sign(const DL_GroupParameters<T> ¶ms, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
00190 {
00191 const Integer &q = params.GetSubgroupOrder();
00192 r = (r + e) % q;
00193 s = (k - x*r) % q;
00194 assert(!!r);
00195 }
00196
00197 bool Verify(const DL_GroupParameters<T> ¶ms, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
00198 {
00199 const Integer &q = params.GetSubgroupOrder();
00200 if (r>=q || r<1 || s>=q)
00201 return false;
00202
00203
00204 return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q;
00205 }
00206 };
00207
00208
00209
00210 template <class GP>
00211 class DL_PublicKey_GFP : public DL_PublicKeyImpl<GP>
00212 {
00213 public:
00214 void Initialize(const DL_GroupParameters_IntegerBased ¶ms, const Integer &y)
00215 {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);}
00216 void Initialize(const Integer &p, const Integer &g, const Integer &y)
00217 {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);}
00218 void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
00219 {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);}
00220
00221
00222 void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
00223 {this->SetPublicElement(Integer(bt));}
00224 void DEREncodePublicKey(BufferedTransformation &bt) const
00225 {this->GetPublicElement().DEREncode(bt);}
00226 };
00227
00228
00229 template <class GP>
00230 class DL_PrivateKey_GFP : public DL_PrivateKeyImpl<GP>
00231 {
00232 public:
00233 void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
00234 {this->GenerateRandomWithKeySize(rng, modulusBits);}
00235 void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
00236 {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));}
00237 void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
00238 {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));}
00239 void Initialize(const DL_GroupParameters_IntegerBased ¶ms, const Integer &x)
00240 {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);}
00241 void Initialize(const Integer &p, const Integer &g, const Integer &x)
00242 {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);}
00243 void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
00244 {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);}
00245 };
00246
00247
00248 struct DL_SignatureKeys_GFP
00249 {
00250 typedef DL_GroupParameters_GFP GroupParameters;
00251 typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
00252 typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
00253 };
00254
00255
00256 struct DL_CryptoKeys_GFP
00257 {
00258 typedef DL_GroupParameters_GFP_DefaultSafePrime GroupParameters;
00259 typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
00260 typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
00261 };
00262
00263
00264 template <class BASE>
00265 class DL_PublicKey_GFP_OldFormat : public BASE
00266 {
00267 public:
00268 void BERDecode(BufferedTransformation &bt)
00269 {
00270 BERSequenceDecoder seq(bt);
00271 Integer v1(seq);
00272 Integer v2(seq);
00273 Integer v3(seq);
00274
00275 if (seq.EndReached())
00276 {
00277 this->AccessGroupParameters().Initialize(v1, v1/2, v2);
00278 this->SetPublicElement(v3);
00279 }
00280 else
00281 {
00282 Integer v4(seq);
00283 this->AccessGroupParameters().Initialize(v1, v2, v3);
00284 this->SetPublicElement(v4);
00285 }
00286
00287 seq.MessageEnd();
00288 }
00289
00290 void DEREncode(BufferedTransformation &bt) const
00291 {
00292 DERSequenceEncoder seq(bt);
00293 this->GetGroupParameters().GetModulus().DEREncode(seq);
00294 if (this->GetGroupParameters().GetCofactor() != 2)
00295 this->GetGroupParameters().GetSubgroupOrder().DEREncode(seq);
00296 this->GetGroupParameters().GetGenerator().DEREncode(seq);
00297 this->GetPublicElement().DEREncode(seq);
00298 seq.MessageEnd();
00299 }
00300 };
00301
00302
00303 template <class BASE>
00304 class DL_PrivateKey_GFP_OldFormat : public BASE
00305 {
00306 public:
00307 void BERDecode(BufferedTransformation &bt)
00308 {
00309 BERSequenceDecoder seq(bt);
00310 Integer v1(seq);
00311 Integer v2(seq);
00312 Integer v3(seq);
00313 Integer v4(seq);
00314
00315 if (seq.EndReached())
00316 {
00317 this->AccessGroupParameters().Initialize(v1, v1/2, v2);
00318 this->SetPrivateExponent(v4 % (v1/2));
00319 }
00320 else
00321 {
00322 Integer v5(seq);
00323 this->AccessGroupParameters().Initialize(v1, v2, v3);
00324 this->SetPrivateExponent(v5);
00325 }
00326
00327 seq.MessageEnd();
00328 }
00329
00330 void DEREncode(BufferedTransformation &bt) const
00331 {
00332 DERSequenceEncoder seq(bt);
00333 this->GetGroupParameters().GetModulus().DEREncode(seq);
00334 if (this->GetGroupParameters().GetCofactor() != 2)
00335 this->GetGroupParameters().GetSubgroupOrder().DEREncode(seq);
00336 this->GetGroupParameters().GetGenerator().DEREncode(seq);
00337 this->GetGroupParameters().ExponentiateBase(this->GetPrivateExponent()).DEREncode(seq);
00338 this->GetPrivateExponent().DEREncode(seq);
00339 seq.MessageEnd();
00340 }
00341 };
00342
00343
00344 template <class H>
00345 struct GDSA : public DL_SS<
00346 DL_SignatureKeys_GFP,
00347 DL_Algorithm_GDSA<Integer>,
00348 DL_SignatureMessageEncodingMethod_DSA,
00349 H>
00350 {
00351 };
00352
00353
00354 template <class H>
00355 struct NR : public DL_SS<
00356 DL_SignatureKeys_GFP,
00357 DL_Algorithm_NR<Integer>,
00358 DL_SignatureMessageEncodingMethod_NR,
00359 H>
00360 {
00361 };
00362
00363
00364 class CRYPTOPP_DLL DL_GroupParameters_DSA : public DL_GroupParameters_GFP
00365 {
00366 public:
00367
00368 bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
00369
00370
00371 void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
00372
00373 static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
00374 {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;}
00375
00376 enum {MIN_PRIME_LENGTH = 1024, MAX_PRIME_LENGTH = 3072, PRIME_LENGTH_MULTIPLE = 1024};
00377 };
00378
00379 template <class H>
00380 class DSA2;
00381
00382
00383 struct DL_Keys_DSA
00384 {
00385 typedef DL_PublicKey_GFP<DL_GroupParameters_DSA> PublicKey;
00386 typedef DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA> > PrivateKey;
00387 };
00388
00389
00390
00391 template <class H>
00392 class DSA2 : public DL_SS<
00393 DL_Keys_DSA,
00394 DL_Algorithm_GDSA<Integer>,
00395 DL_SignatureMessageEncodingMethod_DSA,
00396 H,
00397 DSA2<H> >
00398 {
00399 public:
00400 static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();}
00401 };
00402
00403
00404 typedef DSA2<SHA> DSA;
00405
00406 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>;
00407 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>;
00408 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_WithSignaturePairwiseConsistencyTest<DL_PrivateKey_GFP<DL_GroupParameters_DSA>, DSA2<SHA> >;
00409
00410
00411 template <class MAC, bool DHAES_MODE>
00412 class DL_EncryptionAlgorithm_Xor : public DL_SymmetricEncryptionAlgorithm
00413 {
00414 public:
00415 bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
00416 size_t GetSymmetricKeyLength(size_t plaintextLength) const
00417 {return plaintextLength + MAC::DEFAULT_KEYLENGTH;}
00418 size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
00419 {return plaintextLength + MAC::DIGESTSIZE;}
00420 size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
00421 {return (unsigned int)SaturatingSubtract(ciphertextLength, (unsigned int)MAC::DIGESTSIZE);}
00422 void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs ¶meters) const
00423 {
00424 const byte *cipherKey, *macKey;
00425 if (DHAES_MODE)
00426 {
00427 macKey = key;
00428 cipherKey = key + MAC::DEFAULT_KEYLENGTH;
00429 }
00430 else
00431 {
00432 cipherKey = key;
00433 macKey = key + plaintextLength;
00434 }
00435
00436 ConstByteArrayParameter encodingParameters;
00437 parameters.GetValue(Name::EncodingParameters(), encodingParameters);
00438
00439 xorbuf(ciphertext, plaintext, cipherKey, plaintextLength);
00440 MAC mac(macKey);
00441 mac.Update(ciphertext, plaintextLength);
00442 mac.Update(encodingParameters.begin(), encodingParameters.size());
00443 if (DHAES_MODE)
00444 {
00445 byte L[8] = {0,0,0,0};
00446 PutWord(false, BIG_ENDIAN_ORDER, L+4, word32(encodingParameters.size()));
00447 mac.Update(L, 8);
00448 }
00449 mac.Final(ciphertext + plaintextLength);
00450 }
00451 DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs ¶meters) const
00452 {
00453 size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength);
00454 const byte *cipherKey, *macKey;
00455 if (DHAES_MODE)
00456 {
00457 macKey = key;
00458 cipherKey = key + MAC::DEFAULT_KEYLENGTH;
00459 }
00460 else
00461 {
00462 cipherKey = key;
00463 macKey = key + plaintextLength;
00464 }
00465
00466 ConstByteArrayParameter encodingParameters;
00467 parameters.GetValue(Name::EncodingParameters(), encodingParameters);
00468
00469 MAC mac(macKey);
00470 mac.Update(ciphertext, plaintextLength);
00471 mac.Update(encodingParameters.begin(), encodingParameters.size());
00472 if (DHAES_MODE)
00473 {
00474 byte L[8] = {0,0,0,0};
00475 PutWord(false, BIG_ENDIAN_ORDER, L+4, word32(encodingParameters.size()));
00476 mac.Update(L, 8);
00477 }
00478 if (!mac.Verify(ciphertext + plaintextLength))
00479 return DecodingResult();
00480
00481 xorbuf(plaintext, ciphertext, cipherKey, plaintextLength);
00482 return DecodingResult(plaintextLength);
00483 }
00484 };
00485
00486
00487 template <class T, bool DHAES_MODE, class KDF>
00488 class DL_KeyDerivationAlgorithm_P1363 : public DL_KeyDerivationAlgorithm<T>
00489 {
00490 public:
00491 bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;}
00492 void Derive(const DL_GroupParameters<T> ¶ms, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs ¶meters) const
00493 {
00494 SecByteBlock agreedSecret;
00495 if (DHAES_MODE)
00496 {
00497 agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false));
00498 params.EncodeElement(true, ephemeralPublicKey, agreedSecret);
00499 params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true));
00500 }
00501 else
00502 {
00503 agreedSecret.New(params.GetEncodedElementSize(false));
00504 params.EncodeElement(false, agreedElement, agreedSecret);
00505 }
00506
00507 ConstByteArrayParameter derivationParameters;
00508 parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters);
00509 KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size());
00510 }
00511 };
00512
00513
00514 template <class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true>
00515 struct DLIES
00516 : public DL_ES<
00517 DL_CryptoKeys_GFP,
00518 DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
00519 DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<SHA1> >,
00520 DL_EncryptionAlgorithm_Xor<HMAC<SHA1>, DHAES_MODE>,
00521 DLIES<> >
00522 {
00523 static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";}
00524 };
00525
00526 NAMESPACE_END
00527
00528 #endif