Crypto++  8.2
Free C++ class library of cryptographic schemes
gfpcrypt.h
Go to the documentation of this file.
1 // gfpcrypt.h - originally written and placed in the public domain by Wei Dai
2 // RFC6979 deterministic signatures added by Douglas Roark
3 // ECGDSA added by Jeffrey Walton
4 
5 /// \file gfpcrypt.h
6 /// \brief Classes and functions for schemes based on Discrete Logs (DL) over GF(p)
7 
8 #ifndef CRYPTOPP_GFPCRYPT_H
9 #define CRYPTOPP_GFPCRYPT_H
10 
11 #include "config.h"
12 
13 #if CRYPTOPP_MSC_VERSION
14 # pragma warning(push)
15 # pragma warning(disable: 4189 4231 4275)
16 #endif
17 
18 #include "cryptlib.h"
19 #include "pubkey.h"
20 #include "integer.h"
21 #include "modexppc.h"
22 #include "algparam.h"
23 #include "smartptr.h"
24 #include "sha.h"
25 #include "asn.h"
26 #include "hmac.h"
27 #include "misc.h"
28 
29 NAMESPACE_BEGIN(CryptoPP)
30 
31 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>;
32 
33 /// \brief Integer-based GroupParameters specialization
34 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> >
35 {
37 
38 public:
40 
41  /// \brief Initialize a group parameters over integers
42  /// \param params the group parameters
44  {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());}
45 
46  /// \brief Create a group parameters over integers
47  /// \param rng a RandomNumberGenerator derived class
48  /// \param pbits the size of p, in bits
49  /// \details This function overload of Initialize() creates a new private key because it
50  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
51  /// then use one of the other Initialize() overloads.
52  void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
53  {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));}
54 
55  /// \brief Initialize a group parameters over integers
56  /// \param p the modulus
57  /// \param g the generator
58  void Initialize(const Integer &p, const Integer &g)
59  {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);}
60 
61  /// \brief Initialize a group parameters over integers
62  /// \param p the modulus
63  /// \param q the subgroup order
64  /// \param g the generator
65  void Initialize(const Integer &p, const Integer &q, const Integer &g)
66  {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);}
67 
68  // ASN1Object interface
70  void DEREncode(BufferedTransformation &bt) const;
71 
72  /// \brief Generate a random key
73  /// \param rng a RandomNumberGenerator to produce keying material
74  /// \param alg additional initialization parameters
75  /// \details Recognised NameValuePairs are ModulusSize and
76  /// SubgroupOrderSize (optional)
77  /// \throws KeyingErr if a key can't be generated or algorithm parameters
78  /// are invalid
79  void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
80 
81  /// \brief Get a named value
82  /// \param name the name of the object or value to retrieve
83  /// \param valueType reference to a variable that receives the value
84  /// \param pValue void pointer to a variable that receives the value
85  /// \returns true if the value was retrieved, false otherwise
86  /// \details GetVoidValue() retrieves the value of name if it exists.
87  /// \note GetVoidValue() is an internal function and should be implemented
88  /// by derived classes. Users should use one of the other functions instead.
89  /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(),
90  /// GetRequiredParameter() and GetRequiredIntParameter()
91  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
92 
93  /// \brief Initialize or reinitialize this key
94  /// \param source NameValuePairs to assign
95  void AssignFrom(const NameValuePairs &source);
96 
97  // DL_GroupParameters
98  const Integer & GetSubgroupOrder() const {return m_q;}
99  Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
100  bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
101  bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
102 
103  /// \brief Determine if subgroup membership check is fast
104  /// \returns true or false
105  bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
106 
107  /// \brief Encodes the element
108  /// \param reversible flag indicating the encoding format
109  /// \param element reference to the element to encode
110  /// \param encoded destination byte array for the encoded element
111  /// \details EncodeElement() must be implemented in a derived class.
112  /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
113  /// \sa GetEncodedElementSize(), DecodeElement(), <A
114  /// HREF="http://github.com/weidai11/cryptopp/issues/40">Cygwin
115  /// i386 crash at -O3</A>
116  void EncodeElement(bool reversible, const Element &element, byte *encoded) const;
117 
118  /// \brief Retrieve the encoded element's size
119  /// \param reversible flag indicating the encoding format
120  /// \returns encoded element's size, in bytes
121  /// \details The format of the encoded element varies by the underlying
122  /// type of the element and the reversible flag.
123  /// \sa EncodeElement(), DecodeElement()
124  unsigned int GetEncodedElementSize(bool reversible) const;
125 
126  /// \brief Decodes the element
127  /// \param encoded byte array with the encoded element
128  /// \param checkForGroupMembership flag indicating if the element should be validated
129  /// \returns Element after decoding
130  /// \details DecodeElement() must be implemented in a derived class.
131  /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
132  /// \sa GetEncodedElementSize(), EncodeElement()
133  Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
134 
135  /// \brief Converts an element to an Integer
136  /// \param element the element to convert to an Integer
137  /// \returns Element after converting to an Integer
138  /// \details ConvertElementToInteger() must be implemented in a derived class.
139  Integer ConvertElementToInteger(const Element &element) const
140  {return element;}
141 
142  /// \brief Retrieve the maximum exponent for the group
143  /// \returns the maximum exponent for the group
144  Integer GetMaxExponent() const;
145 
146  /// \brief Retrieve the OID of the algorithm
147  /// \returns OID of the algorithm
148  OID GetAlgorithmID() const;
149 
150  /// \brief Retrieve the modulus for the group
151  /// \returns the modulus for the group
152  virtual const Integer & GetModulus() const =0;
153 
154  /// \brief Set group parameters
155  /// \param p the prime modulus
156  /// \param g the group generator
157  virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
158 
159  /// \brief Set subgroup order
160  /// \param q the subgroup order
161  void SetSubgroupOrder(const Integer &q)
162  {m_q = q; ParametersChanged();}
163 
164  static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
165 
166 protected:
167  Integer ComputeGroupOrder(const Integer &modulus) const
168  {return modulus-(GetFieldType() == 1 ? 1 : -1);}
169 
170  // GF(p) = 1, GF(p^2) = 2
171  virtual int GetFieldType() const =0;
172  virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const;
173 
174 private:
175  Integer m_q;
176 };
177 
178 /// \brief Integer-based GroupParameters default implementation
179 /// \tparam GROUP_PRECOMP group parameters precomputation specialization
180 /// \tparam BASE_PRECOMP base class precomputation specialization
181 template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<typename GROUP_PRECOMP::Element> >
182 class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased>
183 {
185 
186 public:
187  typedef typename GROUP_PRECOMP::Element Element;
188 
190 
191  // GeneratibleCryptoMaterial interface
192  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
193  {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();}
194 
195  void AssignFrom(const NameValuePairs &source)
196  {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);}
197 
198  // DL_GroupParameters
199  const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
201 
202  // IntegerGroupParameters
203  /// \brief Retrieve the modulus for the group
204  /// \returns the modulus for the group
205  const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();}
206 
207  /// \brief Retrieves a reference to the group generator
208  /// \returns const reference to the group generator
209  const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());}
210 
211  void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) // these have to be set together
212  {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();}
213 
214  // non-inherited
216  {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();}
218  {return !operator==(rhs);}
219 };
220 
222 
223 /// \brief GF(p) group parameters
224 class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>
225 {
226 public:
227  virtual ~DL_GroupParameters_GFP() {}
228 
229  /// \brief Determines if an element is an identity
230  /// \param element element to check
231  /// \returns true if the element is an identity, false otherwise
232  /// \details The identity element or or neutral element is a special element
233  /// in a group that leaves other elements unchanged when combined with it.
234  /// \details IsIdentity() must be implemented in a derived class.
235  bool IsIdentity(const Integer &element) const {return element == Integer::One();}
236 
237  /// \brief Exponentiates a base to multiple exponents
238  /// \param results an array of Elements
239  /// \param base the base to raise to the exponents
240  /// \param exponents an array of exponents
241  /// \param exponentsCount the number of exponents in the array
242  /// \details SimultaneousExponentiate() raises the base to each exponent in
243  /// the exponents array and stores the result at the respective position in
244  /// the results array.
245  /// \details SimultaneousExponentiate() must be implemented in a derived class.
246  /// \pre <tt>COUNTOF(results) == exponentsCount</tt>
247  /// \pre <tt>COUNTOF(exponents) == exponentsCount</tt>
248  void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
249 
250  /// \brief Get a named value
251  /// \param name the name of the object or value to retrieve
252  /// \param valueType reference to a variable that receives the value
253  /// \param pValue void pointer to a variable that receives the value
254  /// \returns true if the value was retrieved, false otherwise
255  /// \details GetVoidValue() retrieves the value of name if it exists.
256  /// \note GetVoidValue() is an internal function and should be implemented
257  /// by derived classes. Users should use one of the other functions instead.
258  /// \sa GetValue(), GetValueWithDefault(), GetIntValue(), GetIntValueWithDefault(),
259  /// GetRequiredParameter() and GetRequiredIntParameter()
260  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
261  {
262  return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();
263  }
264 
265  // used by MQV
266  Element MultiplyElements(const Element &a, const Element &b) const;
267  Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
268 
269 protected:
270  int GetFieldType() const {return 1;}
271 };
272 
273 /// \brief GF(p) group parameters that default to safe primes
275 {
276 public:
278 
280 
281 protected:
282  unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
283 };
284 
285 /// \brief GDSA algorithm
286 /// \tparam T FieldElement type or class
287 template <class T>
289 {
290 public:
291  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";}
292 
293  virtual ~DL_Algorithm_GDSA() {}
294 
295  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
296  {
297  const Integer &q = params.GetSubgroupOrder();
298  r %= q;
299  Integer kInv = k.InverseMod(q);
300  s = (kInv * (x*r + e)) % q;
301  CRYPTOPP_ASSERT(!!r && !!s);
302  }
303 
304  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
305  {
306  const Integer &q = params.GetSubgroupOrder();
307  if (r>=q || r<1 || s>=q || s<1)
308  return false;
309 
310  Integer w = s.InverseMod(q);
311  Integer u1 = (e * w) % q;
312  Integer u2 = (r * w) % q;
313  // verify r == (g^u1 * y^u2 mod p) mod q
314  return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
315  }
316 };
317 
318 /// \brief DSA signature algorithm based on RFC 6979
319 /// \tparam T FieldElement type or class
320 /// \tparam H HashTransformation derived class
321 /// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the
322 /// Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
323 /// \since Crypto++ 6.0
324 template <class T, class H>
326 {
327 public:
328  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-RFC6979";}
329 
330  virtual ~DL_Algorithm_DSA_RFC6979() {}
331 
332  bool IsProbabilistic() const
333  {return false;}
334  bool IsDeterministic() const
335  {return true;}
336 
337  // Deterministic K
338  Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
339  {
340  static const byte zero = 0, one = 1;
341  const size_t qlen = q.BitCount();
342  const size_t rlen = BitsToBytes(qlen);
343 
344  // Step (a) - formatted E(m)
346  e.Encode(BH, BH.size());
347  BH = bits2octets(BH, q);
348 
349  // Step (a) - private key to byte array
350  SecByteBlock BX(STDMAX(rlen, x.MinEncodedSize()));
351  x.Encode(BX, BX.size());
352 
353  // Step (b)
354  SecByteBlock V(H::DIGESTSIZE);
355  std::fill(V.begin(), V.begin()+H::DIGESTSIZE, one);
356 
357  // Step (c)
358  SecByteBlock K(H::DIGESTSIZE);
359  std::fill(K.begin(), K.begin()+H::DIGESTSIZE, zero);
360 
361  // Step (d)
362  m_hmac.SetKey(K, K.size());
363  m_hmac.Update(V, V.size());
364  m_hmac.Update(&zero, 1);
365  m_hmac.Update(BX, BX.size());
366  m_hmac.Update(BH, BH.size());
367  m_hmac.TruncatedFinal(K, K.size());
368 
369  // Step (e)
370  m_hmac.SetKey(K, K.size());
371  m_hmac.Update(V, V.size());
372  m_hmac.TruncatedFinal(V, V.size());
373 
374  // Step (f)
375  m_hmac.SetKey(K, K.size());
376  m_hmac.Update(V, V.size());
377  m_hmac.Update(&one, 1);
378  m_hmac.Update(BX, BX.size());
379  m_hmac.Update(BH, BH.size());
380  m_hmac.TruncatedFinal(K, K.size());
381 
382  // Step (g)
383  m_hmac.SetKey(K, K.size());
384  m_hmac.Update(V, V.size());
385  m_hmac.TruncatedFinal(V, V.size());
386 
387  Integer k;
388  SecByteBlock temp(rlen);
389  for (;;)
390  {
391  // We want qlen bits, but we support only hash functions with an output length
392  // multiple of 8; hence, we will gather rlen bits, i.e., rolen octets.
393  size_t toff = 0;
394  while (toff < rlen)
395  {
396  m_hmac.Update(V, V.size());
397  m_hmac.TruncatedFinal(V, V.size());
398 
399  size_t cc = STDMIN(V.size(), temp.size() - toff);
400  memcpy_s(temp+toff, temp.size() - toff, V, cc);
401  toff += cc;
402  }
403 
404  k = bits2int(temp, qlen);
405  if (k > 0 && k < q)
406  break;
407 
408  // k is not in the proper range; update K and V, and loop.
409  m_hmac.Update(V, V.size());
410  m_hmac.Update(&zero, 1);
411  m_hmac.TruncatedFinal(K, K.size());
412 
413  m_hmac.SetKey(K, K.size());
414  m_hmac.Update(V, V.size());
415  m_hmac.TruncatedFinal(V, V.size());
416  }
417 
418  return k;
419  }
420 
421 protected:
422 
423  Integer bits2int(const SecByteBlock& bits, size_t qlen) const
424  {
425  Integer ret(bits, bits.size());
426  size_t blen = bits.size()*8;
427 
428  if (blen > qlen)
429  ret >>= blen - qlen;
430 
431  return ret;
432  }
433 
434  // RFC 6979 support function. Takes an integer and converts it into bytes that
435  // are the same length as an elliptic curve's order.
436  SecByteBlock int2octets(const Integer& val, size_t rlen) const
437  {
438  SecByteBlock block(val.MinEncodedSize());
439  val.Encode(block, val.MinEncodedSize());
440 
441  if (block.size() == rlen)
442  return block;
443 
444  // The least significant bytes are the ones we need to preserve.
445  SecByteBlock t(rlen);
446  if (block.size() > rlen)
447  {
448  size_t offset = block.size() - rlen;
449  std::memcpy(t, block + offset, rlen);
450  }
451  else // block.size() < rlen
452  {
453  size_t offset = rlen - block.size();
454  memset(t, '\x00', offset);
455  std::memcpy(t + offset, block, rlen - offset);
456  }
457 
458  return t;
459  }
460 
461  // Turn a stream of bits into a set of bytes with the same length as an elliptic
462  // curve's order.
463  SecByteBlock bits2octets(const SecByteBlock& in, const Integer& q) const
464  {
465  Integer b2 = bits2int(in, q.BitCount());
466  Integer b1 = b2 - q;
467  return int2octets(b1.IsNegative() ? b2 : b1, q.ByteCount());
468  }
469 
470 private:
471  mutable H m_hash;
472  mutable HMAC<H> m_hmac;
473 };
474 
475 /// \brief German Digital Signature Algorithm
476 /// \tparam T FieldElement type or class
477 /// \details The Digital Signature Scheme ECGDSA does not define the algorithm over integers. Rather, the
478 /// signature algorithm is only defined over elliptic curves. However, The library design is such that the
479 /// generic algorithm reside in <tt>gfpcrypt.h</tt>.
480 /// \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf">
481 /// The Digital Signature Scheme ECGDSA (October 24, 2006)</A>
482 template <class T>
484 {
485 public:
486  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "GDSA-ISO15946";}
487 
488  virtual ~DL_Algorithm_GDSA_ISO15946() {}
489 
490  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
491  {
492  const Integer &q = params.GetSubgroupOrder();
493  // r = x(k * G) mod q
494  r = params.ConvertElementToInteger(params.ExponentiateBase(k)) % q;
495  // s = (k * r - h(m)) * d_A mod q
496  s = (k * r - e) * x % q;
497  CRYPTOPP_ASSERT(!!r && !!s);
498  }
499 
500  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
501  {
502  const Integer &q = params.GetSubgroupOrder();
503  if (r>=q || r<1 || s>=q || s<1)
504  return false;
505 
506  const Integer& rInv = r.InverseMod(q);
507  const Integer u1 = (rInv * e) % q;
508  const Integer u2 = (rInv * s) % q;
509  // verify x(G^u1 + P_A^u2) mod q
510  return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
511  }
512 };
513 
514 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>;
515 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA1>;
516 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA224>;
517 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA256>;
518 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA384>;
519 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA512>;
520 
521 /// \brief NR algorithm
522 /// \tparam T FieldElement type or class
523 template <class T>
525 {
526 public:
527  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "NR";}
528 
529  virtual ~DL_Algorithm_NR() {}
530 
531  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
532  {
533  const Integer &q = params.GetSubgroupOrder();
534  r = (r + e) % q;
535  s = (k - x*r) % q;
536  CRYPTOPP_ASSERT(!!r);
537  }
538 
539  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
540  {
541  const Integer &q = params.GetSubgroupOrder();
542  if (r>=q || r<1 || s>=q)
543  return false;
544 
545  // check r == (m_g^s * m_y^r + m) mod m_q
546  return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q;
547  }
548 };
549 
550 /// \brief Discrete Log (DL) public key in GF(p) groups
551 /// \tparam GP GroupParameters derived class
552 /// \details DSA public key format is defined in 7.3.3 of RFC 2459. The private key format is defined in 12.9 of PKCS #11 v2.10.
553 template <class GP>
555 {
556 public:
557  virtual ~DL_PublicKey_GFP() {}
558 
559  /// \brief Initialize a public key over GF(p)
560  /// \param params the group parameters
561  /// \param y the public element
562  void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
563  {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);}
564 
565  /// \brief Initialize a public key over GF(p)
566  /// \param p the modulus
567  /// \param g the generator
568  /// \param y the public element
569  void Initialize(const Integer &p, const Integer &g, const Integer &y)
570  {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);}
571 
572  /// \brief Initialize a public key over GF(p)
573  /// \param p the modulus
574  /// \param q the subgroup order
575  /// \param g the generator
576  /// \param y the public element
577  void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
578  {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);}
579 
580  // X509PublicKey
582  {this->SetPublicElement(Integer(bt));}
584  {this->GetPublicElement().DEREncode(bt);}
585 };
586 
587 /// \brief Discrete Log (DL) private key in GF(p) groups
588 /// \tparam GP GroupParameters derived class
589 template <class GP>
591 {
592 public:
593  virtual ~DL_PrivateKey_GFP();
594 
595  /// \brief Create a private key
596  /// \param rng a RandomNumberGenerator derived class
597  /// \param modulusBits the size of the modulus, in bits
598  /// \details This function overload of Initialize() creates a new private key because it
599  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
600  /// then use one of the other Initialize() overloads.
601  void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
602  {this->GenerateRandomWithKeySize(rng, modulusBits);}
603 
604  /// \brief Create a private key
605  /// \param rng a RandomNumberGenerator derived class
606  /// \param p the modulus
607  /// \param g the generator
608  /// \details This function overload of Initialize() creates a new private key because it
609  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
610  /// then use one of the other Initialize() overloads.
611  void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
612  {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));}
613 
614  /// \brief Create a private key
615  /// \param rng a RandomNumberGenerator derived class
616  /// \param p the modulus
617  /// \param q the subgroup order
618  /// \param g the generator
619  /// \details This function overload of Initialize() creates a new private key because it
620  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
621  /// then use one of the other Initialize() overloads.
622  void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
623  {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));}
624 
625  /// \brief Initialize a private key over GF(p)
626  /// \param params the group parameters
627  /// \param x the private exponent
628  void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
629  {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);}
630 
631  /// \brief Initialize a private key over GF(p)
632  /// \param p the modulus
633  /// \param g the generator
634  /// \param x the private exponent
635  void Initialize(const Integer &p, const Integer &g, const Integer &x)
636  {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);}
637 
638  /// \brief Initialize a private key over GF(p)
639  /// \param p the modulus
640  /// \param q the subgroup order
641  /// \param g the generator
642  /// \param x the private exponent
643  void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
644  {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);}
645 };
646 
647 // Out-of-line dtor due to AIX and GCC, http://github.com/weidai11/cryptopp/issues/499
648 template <class GP>
650 
651 /// \brief Discrete Log (DL) signing/verification keys in GF(p) groups
653 {
657 };
658 
659 /// \brief Discrete Log (DL) encryption/decryption keys in GF(p) groups
661 {
665 };
666 
667 /// \brief DSA signature scheme
668 /// \tparam H HashTransformation derived class
669 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
670 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
671 template <class H>
672 struct GDSA : public DL_SS<
673  DL_SignatureKeys_GFP,
674  DL_Algorithm_GDSA<Integer>,
675  DL_SignatureMessageEncodingMethod_DSA,
676  H>
677 {
678 };
679 
680 /// \brief NR signature scheme
681 /// \tparam H HashTransformation derived class
682 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#NR">NR</a>
683 template <class H>
684 struct NR : public DL_SS<
685  DL_SignatureKeys_GFP,
686  DL_Algorithm_NR<Integer>,
687  DL_SignatureMessageEncodingMethod_NR,
688  H>
689 {
690 };
691 
692 /// \brief DSA group parameters
693 /// \details These are GF(p) group parameters that are allowed by the DSA standard
694 /// \sa DL_Keys_DSA
695 /// \since Crypto++ 1.0
697 {
698 public:
699  virtual ~DL_GroupParameters_DSA() {}
700 
701  /// \brief Check the group for errors
702  /// \param rng RandomNumberGenerator for objects which use randomized testing
703  /// \param level level of thoroughness
704  /// \returns true if the tests succeed, false otherwise
705  /// \details ValidateGroup() also checks that the lengths of p and q are allowed
706  /// by the DSA standard.
707  /// \details There are four levels of thoroughness:
708  /// <ul>
709  /// <li>0 - using this object won't cause a crash or exception
710  /// <li>1 - this object will probably function, and encrypt, sign, other operations correctly
711  /// <li>2 - ensure this object will function correctly, and perform reasonable security checks
712  /// <li>3 - perform reasonable security checks, and do checks that may take a long time
713  /// </ul>
714  /// \details Level 0 does not require a RandomNumberGenerator. A NullRNG() can be used for level 0.
715  /// Level 1 may not check for weak keys and such. Levels 2 and 3 are recommended.
716  bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
717 
718  /// \brief Generate a random key or crypto parameters
719  /// \param rng a RandomNumberGenerator to produce keying material
720  /// \param alg additional initialization parameters
721  /// \details NameValuePairs can be ModulusSize alone; or Modulus, SubgroupOrder, and
722  /// SubgroupGenerator. ModulusSize must be between <tt>DSA::MIN_PRIME_LENGTH</tt> and
723  /// <tt>DSA::MAX_PRIME_LENGTH</tt>, and divisible by <tt>DSA::PRIME_LENGTH_MULTIPLE</tt>.
724  /// \details An example of changing the modulus size using NameValuePairs is shown below.
725  /// <pre>
726  /// AlgorithmParameters params = MakeParameters
727  /// (Name::ModulusSize(), 2048);
728  ///
729  /// DL_GroupParameters_DSA groupParams;
730  /// groupParams.GenerateRandom(prng, params);
731  /// </pre>
732  /// \throws KeyingErr if a key can't be generated or algorithm parameters are invalid.
733  void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
734 
735  /// \brief Check the prime length for errors
736  /// \param pbits number of bits in the prime number
737  /// \returns true if the tests succeed, false otherwise
738  static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
739  {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;}
740 
741  /// \brief DSA prime length
742  enum {
743  /// \brief Minimum prime length
744  MIN_PRIME_LENGTH = 1024,
745  /// \brief Maximum prime length
746  MAX_PRIME_LENGTH = 3072,
747  /// \brief Prime length multiple
748  PRIME_LENGTH_MULTIPLE = 1024
749  };
750 };
751 
752 template <class H>
753 class DSA2;
754 
755 /// \brief DSA keys
756 /// \sa DL_GroupParameters_DSA
757 /// \since Crypto++ 1.0
759 {
762 };
763 
764 /// \brief DSA signature scheme
765 /// \tparam H HashTransformation derived class
766 /// \details The class is named DSA2 instead of DSA for backwards compatibility because
767 /// DSA was a non-template class.
768 /// \details DSA default method GenerateRandom uses a 2048-bit modulus and a 224-bit subgoup by default.
769 /// The modulus can be changed using the following code:
770 /// <pre>
771 /// DSA::PrivateKey privateKey;
772 /// privateKey.GenerateRandomWithKeySize(prng, 2048);
773 /// </pre>
774 /// \details The subgroup order can be changed using the following code:
775 /// <pre>
776 /// AlgorithmParameters params = MakeParameters
777 /// (Name::ModulusSize(), 2048)
778 /// (Name::SubgroupOrderSize(), 256);
779 ///
780 /// DSA::PrivateKey privateKey;
781 /// privateKey.GenerateRandom(prng, params);
782 /// </pre>
783 /// \sa <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, as specified in FIPS 186-3,
784 /// <a href="https://www.cryptopp.com/wiki/Digital_Signature_Algorithm">Digital Signature Algorithm</a> on the wiki, and
785 /// <a href="https://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</a> on the wiki.
786 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2, Crypto++ 6.1 for 2048-bit modulus.
787 template <class H>
788 class DSA2 : public DL_SS<
789  DL_Keys_DSA,
790  DL_Algorithm_GDSA<Integer>,
791  DL_SignatureMessageEncodingMethod_DSA,
792  H,
793  DSA2<H> >
794 {
795 public:
796  static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();}
797 };
798 
799 /// \brief DSA deterministic signature scheme
800 /// \tparam H HashTransformation derived class
801 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
802 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
803 template <class H>
804 struct DSA_RFC6979 : public DL_SS<
805  DL_SignatureKeys_GFP,
806  DL_Algorithm_DSA_RFC6979<Integer, H>,
807  DL_SignatureMessageEncodingMethod_DSA,
808  H,
809  DSA_RFC6979<H> >
810 {
811  static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("DSA-RFC6979/") + H::StaticAlgorithmName();}
812 };
813 
814 /// DSA with SHA-1, typedef'd for backwards compatibility
815 typedef DSA2<SHA1> DSA;
816 
817 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>;
818 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>;
820 
821 /// \brief P1363 based XOR Encryption Method
822 /// \tparam MAC MessageAuthenticationCode derived class used for MAC computation
823 /// \tparam DHAES_MODE flag indicating DHAES mode
824 /// \tparam LABEL_OCTETS flag indicating the label is octet count
825 /// \details DL_EncryptionAlgorithm_Xor is based on an early P1363 draft, which itself appears to be based on an
826 /// early Certicom SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used it in its Integrated
827 /// Ecryption Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
828 /// \details If you need this method for Crypto++ 4.2 compatibility, then use the ECIES template class with
829 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
830 /// \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with
831 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=ture</tt> and <tt>LABEL_OCTETS=false</tt>.
832 /// \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters.
833 /// \since Crypto++ 4.0
834 template <class MAC, bool DHAES_MODE, bool LABEL_OCTETS=false>
836 {
837 public:
838  virtual ~DL_EncryptionAlgorithm_Xor() {}
839 
840  bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
841  size_t GetSymmetricKeyLength(size_t plaintextLength) const
842  {return plaintextLength + static_cast<size_t>(MAC::DEFAULT_KEYLENGTH);}
843  size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
844  {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
845  size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
846  {return SaturatingSubtract(ciphertextLength, static_cast<size_t>(MAC::DIGESTSIZE));}
847  void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs &parameters) const
848  {
849  CRYPTOPP_UNUSED(rng);
850  const byte *cipherKey = NULLPTR, *macKey = NULLPTR;
851  if (DHAES_MODE)
852  {
853  macKey = key;
854  cipherKey = key + MAC::DEFAULT_KEYLENGTH;
855  }
856  else
857  {
858  cipherKey = key;
859  macKey = key + plaintextLength;
860  }
861 
862  ConstByteArrayParameter encodingParameters;
863  parameters.GetValue(Name::EncodingParameters(), encodingParameters);
864 
865  if (plaintextLength) // Coverity finding
866  xorbuf(ciphertext, plaintext, cipherKey, plaintextLength);
867 
868  MAC mac(macKey);
869  mac.Update(ciphertext, plaintextLength);
870  mac.Update(encodingParameters.begin(), encodingParameters.size());
871  if (DHAES_MODE)
872  {
873  byte L[8];
874  PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
875  mac.Update(L, 8);
876  }
877  mac.Final(ciphertext + plaintextLength);
878  }
879  DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs &parameters) const
880  {
881  size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength);
882  const byte *cipherKey, *macKey;
883  if (DHAES_MODE)
884  {
885  macKey = key;
886  cipherKey = key + MAC::DEFAULT_KEYLENGTH;
887  }
888  else
889  {
890  cipherKey = key;
891  macKey = key + plaintextLength;
892  }
893 
894  ConstByteArrayParameter encodingParameters;
895  parameters.GetValue(Name::EncodingParameters(), encodingParameters);
896 
897  MAC mac(macKey);
898  mac.Update(ciphertext, plaintextLength);
899  mac.Update(encodingParameters.begin(), encodingParameters.size());
900  if (DHAES_MODE)
901  {
902  byte L[8];
903  PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
904  mac.Update(L, 8);
905  }
906  if (!mac.Verify(ciphertext + plaintextLength))
907  return DecodingResult();
908 
909  if (plaintextLength) // Coverity finding
910  xorbuf(plaintext, ciphertext, cipherKey, plaintextLength);
911 
912  return DecodingResult(plaintextLength);
913  }
914 };
915 
916 /// _
917 template <class T, bool DHAES_MODE, class KDF>
919 {
920 public:
921  virtual ~DL_KeyDerivationAlgorithm_P1363() {}
922 
923  bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;}
924  void Derive(const DL_GroupParameters<T> &params, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs &parameters) const
925  {
926  SecByteBlock agreedSecret;
927  if (DHAES_MODE)
928  {
929  agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false));
930  params.EncodeElement(true, ephemeralPublicKey, agreedSecret);
931  params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true));
932  }
933  else
934  {
935  agreedSecret.New(params.GetEncodedElementSize(false));
936  params.EncodeElement(false, agreedElement, agreedSecret);
937  }
938 
939  ConstByteArrayParameter derivationParameters;
940  parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters);
941  KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size());
942  }
943 };
944 
945 /// \brief Discrete Log Integrated Encryption Scheme
946 /// \tparam COFACTOR_OPTION cofactor multiplication option
947 /// \tparam HASH HashTransformation derived class used for key drivation and MAC computation
948 /// \tparam DHAES_MODE flag indicating if the MAC includes addition context parameters such as the label
949 /// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits
950 /// \details DLIES is an Integer based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation Method (KEM)
951 /// with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is
952 /// <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security.
953 /// You should prefer an Integrated Encryption Scheme over homegrown schemes.
954 /// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom
955 /// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption
956 /// Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
957 /// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the DLIES template class with
958 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
959 /// \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the DLIES
960 /// template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
961 /// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of
962 /// <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security.
963 /// SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the
964 /// security provided by the MAC. The hash is also used in the key derivation function as a PRF.
965 /// \details Below is an example of constructing a Crypto++ 4.2 compatible DLIES encryptor and decryptor.
966 /// <pre>
967 /// AutoSeededRandomPool prng;
968 /// DL_PrivateKey_GFP<DL_GroupParameters_GFP> key;
969 /// key.Initialize(prng, 2048);
970 ///
971 /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key);
972 /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor);
973 /// </pre>
974 /// \sa ECIES, <a href="http://www.weidai.com/scan-mirror/ca.html#DLIES">Discrete Log Integrated Encryption Scheme (DLIES)</a>,
975 /// Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic
976 /// Curve Integrated Encryption Schemes</A>
977 /// \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility
978 template <class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS=false>
979 struct DLIES
980  : public DL_ES<
981  DL_CryptoKeys_GFP,
982  DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
983  DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<HASH> >,
984  DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>,
985  DLIES<> >
986 {
987  static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";} // TODO: fix this after name is standardized
988 };
989 
990 NAMESPACE_END
991 
992 #if CRYPTOPP_MSC_VERSION
993 # pragma warning(pop)
994 #endif
995 
996 #endif
Used to pass byte array input as part of a NameValuePairs object.
Definition: algparam.h:20
void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
Create a private key.
Definition: gfpcrypt.h:622
Discrete Log Integrated Encryption Scheme.
Definition: gfpcrypt.h:979
virtual void DEREncode(BufferedTransformation &bt) const =0
Encode this object into a BufferedTransformation.
Classes for working with NameValuePairs.
Utility functions for the Crypto++ library.
const Integer & GetModulus() const
Retrieve the modulus for the group.
Definition: gfpcrypt.h:205
void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g)
Set group parameters.
Definition: gfpcrypt.h:211
static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
Check the prime length for errors.
Definition: gfpcrypt.h:738
GF(p) group parameters.
Definition: gfpcrypt.h:224
void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:562
Integer GetGroupOrder() const
Retrieves the order of the group.
Definition: gfpcrypt.h:99
size_t size() const
Length of the memory block.
Definition: algparam.h:84
size_t BitsToBytes(size_t bitCount)
Returns the number of 8-bit bytes or octets required for the specified number of bits.
Definition: misc.h:913
This file contains helper classes/functions for implementing public key algorithms.
Interface for deterministic signers.
Definition: pubkey.h:1458
void Sign(const DL_GroupParameters< T > &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
Sign a message using a private key.
Definition: gfpcrypt.h:295
void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
Create a private key.
Definition: gfpcrypt.h:601
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: gfpcrypt.h:260
void PutWord(bool assumeAligned, ByteOrder order, byte *block, T value, const byte *xorBlock=NULL)
Access a block of memory.
Definition: misc.h:2483
void Initialize(const Integer &p, const Integer &g)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:58
P1363 based XOR Encryption Method.
Definition: gfpcrypt.h:835
Converts an enumeration to a type suitable for use as a template parameter.
Definition: cryptlib.h:135
Abstract base classes that provide a uniform interface to this library.
void memcpy_s(void *dest, size_t sizeInBytes, const void *src, size_t count)
Bounds checking replacement for memcpy()
Definition: misc.h:506
const Integer & GetGenerator() const
Retrieves a reference to the group generator.
Definition: gfpcrypt.h:209
virtual Integer ConvertElementToInteger(const Element &element) const =0
Converts an element to an Integer.
GF(p) group parameters that default to safe primes.
Definition: gfpcrypt.h:274
void SetSubgroupOrder(const Integer &q)
Set subgroup order.
Definition: gfpcrypt.h:161
Interface for key derivation algorithms used in DL cryptosystems.
Definition: pubkey.h:1487
Classes for automatic resource management.
Library configuration file.
DSA keys.
Definition: gfpcrypt.h:758
Interface for random number generators.
Definition: cryptlib.h:1414
void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
Create a group parameters over integers.
Definition: gfpcrypt.h:52
void New(size_type newSize)
Change size without preserving contents.
Definition: secblock.h:997
Integer InverseMod(const Integer &n) const
Calculate multiplicative inverse.
Definition: integer.cpp:4421
Discrete Log (DL) encryption scheme.
Definition: pubkey.h:2344
SecBlock<byte> typedef.
Definition: secblock.h:1090
Interface for buffered transformations.
Definition: cryptlib.h:1631
DSA signature scheme.
Definition: gfpcrypt.h:672
virtual Element ExponentiateBase(const Integer &exponent) const
Exponentiates the base.
Definition: pubkey.h:869
static const Integer &CRYPTOPP_API One()
Integer representing 1.
Definition: integer.cpp:4868
bool operator==(const OID &lhs, const OID &rhs)
Compare two OIDs for equality.
Interface for Discrete Log (DL) public keys.
Definition: pubkey.h:1058
bool FastSubgroupCheckAvailable() const
Determine if subgroup membership check is fast.
Definition: gfpcrypt.h:105
void DEREncodePublicKey(BufferedTransformation &bt) const
Encode subjectPublicKey part of subjectPublicKeyInfo.
Definition: gfpcrypt.h:583
void Initialize(const Integer &p, const Integer &q, const Integer &g)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:65
Discrete Log (DL) signature scheme.
Definition: pubkey.h:2321
void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
Create a private key.
Definition: gfpcrypt.h:611
unsigned int ByteCount() const
Determines the number of bytes required to represent the Integer.
Definition: integer.cpp:3339
bool operator!=(const OID &lhs, const OID &rhs)
Compare two OIDs for inequality.
void Sign(const DL_GroupParameters< T > &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
Sign a message using a private key.
Definition: gfpcrypt.h:490
size_t MinEncodedSize(Signedness sign=UNSIGNED) const
Minimum number of bytes to encode this integer.
Definition: integer.cpp:3396
DL_FixedBasePrecomputation< Element > & AccessBasePrecomputation()
Retrieves the group precomputation.
Definition: gfpcrypt.h:200
Returns a decoding results.
Definition: cryptlib.h:277
Discrete Log (DL) private key base implementation.
Definition: pubkey.h:1238
DSA2< SHA1 > DSA
DSA with SHA-1, typedef&#39;d for backwards compatibility.
Definition: gfpcrypt.h:815
Classes for HMAC message authentication codes.
DSA signature scheme.
Definition: gfpcrypt.h:753
const byte * begin() const
Pointer to the first byte in the memory block.
Definition: algparam.h:80
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:504
Integer ConvertElementToInteger(const Element &element) const
Converts an element to an Integer.
Definition: gfpcrypt.h:139
Interface for Elgamal-like signature algorithms.
Definition: pubkey.h:1405
virtual void BERDecode(BufferedTransformation &bt)=0
Decode this object from a BufferedTransformation.
void Initialize(const Integer &p, const Integer &g, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:569
const char * EncodingParameters()
ConstByteArrayParameter.
Definition: argnames.h:66
Discrete Log (DL) signing/verification keys in GF(p) groups.
Definition: gfpcrypt.h:652
DSA deterministic signature scheme.
Definition: gfpcrypt.h:804
virtual const Element & GetSubgroupGenerator() const
Retrieves the subgroup generator.
Definition: pubkey.h:859
Discrete Log (DL) encryption/decryption keys in GF(p) groups.
Definition: gfpcrypt.h:660
Multiple precision integer with arithmetic operations.
Definition: integer.h:49
NR signature scheme.
Definition: gfpcrypt.h:684
T1 SaturatingSubtract(const T1 &a, const T2 &b)
Performs a saturating subtract clamped at 0.
Definition: misc.h:1068
Integer-based GroupParameters default implementation.
Definition: gfpcrypt.h:182
const DL_FixedBasePrecomputation< Element > & GetBasePrecomputation() const
Retrieves the group precomputation.
Definition: gfpcrypt.h:199
bool IsIdentity(const Integer &element) const
Determines if an element is an identity.
Definition: gfpcrypt.h:235
byte order is big-endian
Definition: cryptlib.h:147
bool IsDeterministic() const
Signature scheme flag.
Definition: gfpcrypt.h:334
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition: misc.h:630
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:69
DSA group parameters.
Definition: gfpcrypt.h:696
Classes and functions for working with ANS.1 objects.
Classes for SHA-1 and SHA-2 family of message digests.
void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:643
void Initialize(const DL_GroupParameters_IntegerBased &params)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:43
Discrete Log (DL) public key in GF(p) groups.
Definition: gfpcrypt.h:554
iterator begin()
Provides an iterator pointing to the first element in the memory block.
Definition: secblock.h:803
unsigned int BitCount() const
Determines the number of bits required to represent the Integer.
Definition: integer.cpp:3348
virtual Element CascadeExponentiateBaseAndPublicElement(const Integer &baseExp, const Integer &publicExp) const
Exponentiates an element.
Definition: pubkey.h:1110
DSA signature algorithm based on RFC 6979.
Definition: gfpcrypt.h:325
void Encode(byte *output, size_t outputLen, Signedness sign=UNSIGNED) const
Encode in big-endian format.
Definition: integer.cpp:3411
bool Verify(const DL_GroupParameters< T > &params, const DL_PublicKey< T > &publicKey, const Integer &e, const Integer &r, const Integer &s) const
Verify a message using a public key.
Definition: gfpcrypt.h:539
bool Verify(const DL_GroupParameters< T > &params, const DL_PublicKey< T > &publicKey, const Integer &e, const Integer &r, const Integer &s) const
Verify a message using a public key.
Definition: gfpcrypt.h:304
Discrete Log (DL) private key in GF(p) groups.
Definition: gfpcrypt.h:590
GDSA algorithm.
Definition: gfpcrypt.h:288
void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:628
Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
Generate k.
Definition: gfpcrypt.h:338
virtual void EncodeElement(bool reversible, const Element &element, byte *encoded) const =0
Encodes the element.
virtual unsigned int GetEncodedElementSize(bool reversible) const =0
Retrieves the encoded element&#39;s size.
CRYPTOPP_DLL void CRYPTOPP_API xorbuf(byte *buf, const byte *mask, size_t count)
Performs an XOR of a buffer with a mask.
Definition: misc.cpp:46
NR algorithm.
Definition: gfpcrypt.h:524
Discrete Log (DL) public key base implementation.
Definition: pubkey.h:1335
void AssignFrom(const NameValuePairs &source)
Initialize or reinitialize this key.
Definition: gfpcrypt.h:195
Multiple precision integer with arithmetic operations.
const Integer & GetSubgroupOrder() const
Retrieves the subgroup order.
Definition: gfpcrypt.h:98
const T & STDMAX(const T &a, const T &b)
Replacement function for std::max.
Definition: misc.h:641
const char * KeyDerivationParameters()
ConstByteArrayParameter.
Definition: argnames.h:67
Crypto++ library namespace.
bool GetValue(const char *name, T &value) const
Get a named value.
Definition: cryptlib.h:379
Interface for symmetric encryption algorithms used in DL cryptosystems.
Definition: pubkey.h:1498
Base implementation of Discrete Log (DL) group parameters.
Definition: pubkey.h:1013
void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
Decode subjectPublicKey part of subjectPublicKeyInfo.
Definition: gfpcrypt.h:581
virtual const Integer & GetModulus() const =0
Retrieve the modulus for the group.
void Sign(const DL_GroupParameters< T > &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
Sign a message using a private key.
Definition: gfpcrypt.h:531
German Digital Signature Algorithm.
Definition: gfpcrypt.h:483
void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:577
Integer-based GroupParameters specialization.
Definition: gfpcrypt.h:34
Encode and decode ASN.1 objects with additional information.
Definition: asn.h:683
void Initialize(const Integer &p, const Integer &g, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:635
Object Identifier.
Definition: asn.h:264
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: gfpcrypt.h:192
size_type size() const
Provides the count of elements in the SecBlock.
Definition: secblock.h:828
bool Verify(const DL_GroupParameters< T > &params, const DL_PublicKey< T > &publicKey, const Integer &e, const Integer &r, const Integer &s) const
Verify a message using a public key.
Definition: gfpcrypt.h:500
Interface for retrieving values given their names.
Definition: cryptlib.h:321
virtual const Integer & GetSubgroupOrder() const =0
Retrieves the subgroup order.