Crypto++  5.6.5
Free C++ class library of cryptographic schemes
gfpcrypt.h
Go to the documentation of this file.
1 // gfpcrypt.h - originally written and placed in the public domain by Wei Dai
2 // RFC6979 deterministic signatures (DL_Algorithm_DSA_RFC6979) added by by Douglas Roark
3 // ECGDSA (DL_Algorithm_GDSA_ISO15946) added by Jeffrey Walton
4 
5 //! \file gfpcrypt.h
6 //! \brief Classes and functions for schemes based on Discrete Logs (DL) over GF(p)
7 
8 #ifndef CRYPTOPP_GFPCRYPT_H
9 #define CRYPTOPP_GFPCRYPT_H
10 
11 #include "config.h"
12 
13 #if CRYPTOPP_MSC_VERSION
14 # pragma warning(push)
15 # pragma warning(disable: 4189)
16 #endif
17 
18 #include "cryptlib.h"
19 #include "pubkey.h"
20 #include "integer.h"
21 #include "modexppc.h"
22 #include "algparam.h"
23 #include "smartptr.h"
24 #include "sha.h"
25 #include "asn.h"
26 #include "hmac.h"
27 #include "misc.h"
28 
29 NAMESPACE_BEGIN(CryptoPP)
30 
31 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>;
32 
33 //! \class DL_GroupParameters_IntegerBased
34 //! \brief Integer-based GroupParameters specialization
35 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> >
36 {
38 
39 public:
41 
42  //! \brief Initialize a group parameters over integers
43  //! \param params the group parameters
45  {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());}
46 
47  //! \brief Create a group parameters over integers
48  //! \param rng a RandomNumberGenerator derived class
49  //! \param pbits the size of p, in bits
50  //! \details This function overload of Initialize() creates a new private key because it
51  //! takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
52  //! then use one of the other Initialize() overloads.
53  void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
54  {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));}
55 
56  //! \brief Initialize a group parameters over integers
57  //! \param p the modulus
58  //! \param g the generator
59  void Initialize(const Integer &p, const Integer &g)
60  {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);}
61 
62  //! \brief Initialize a group parameters over integers
63  //! \param p the modulus
64  //! \param q the subgroup order
65  //! \param g the generator
66  void Initialize(const Integer &p, const Integer &q, const Integer &g)
67  {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);}
68 
69  // ASN1Object interface
71  void DEREncode(BufferedTransformation &bt) const;
72 
73  // GeneratibleCryptoMaterial interface
74  /*! parameters: (ModulusSize, SubgroupOrderSize (optional)) */
75  void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
76  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
77  void AssignFrom(const NameValuePairs &source);
78 
79  // DL_GroupParameters
80  const Integer & GetSubgroupOrder() const {return m_q;}
81  Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
82  bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
83  bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
84  bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
85 
86  // Cygwin i386 crash at -O3; see http://github.com/weidai11/cryptopp/issues/40.
87  void EncodeElement(bool reversible, const Element &element, byte *encoded) const;
88  unsigned int GetEncodedElementSize(bool reversible) const;
89 
90  Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
91  Integer ConvertElementToInteger(const Element &element) const
92  {return element;}
93  Integer GetMaxExponent() const;
94  static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
95 
96  OID GetAlgorithmID() const;
97 
98  virtual const Integer & GetModulus() const =0;
99  virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
100 
101  void SetSubgroupOrder(const Integer &q)
102  {m_q = q; ParametersChanged();}
103 
104 protected:
105  Integer ComputeGroupOrder(const Integer &modulus) const
106  {return modulus-(GetFieldType() == 1 ? 1 : -1);}
107 
108  // GF(p) = 1, GF(p^2) = 2
109  virtual int GetFieldType() const =0;
110  virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const;
111 
112 private:
113  Integer m_q;
114 };
115 
116 //! \class DL_GroupParameters_IntegerBasedImpl
117 //! \brief Integer-based GroupParameters default implementation
118 //! \tparam GROUP_PRECOMP group parameters precomputation specialization
119 //! \tparam BASE_PRECOMP base class precomputation specialization
120 template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<typename GROUP_PRECOMP::Element> >
121 class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased>
122 {
124 
125 public:
126  typedef typename GROUP_PRECOMP::Element Element;
127 
129 
130  // GeneratibleCryptoMaterial interface
131  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
132  {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();}
133 
134  void AssignFrom(const NameValuePairs &source)
135  {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);}
136 
137  // DL_GroupParameters
138  const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
140 
141  // IntegerGroupParameters
142  const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();}
143  const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());}
144 
145  void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) // these have to be set together
146  {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();}
147 
148  // non-inherited
150  {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();}
152  {return !operator==(rhs);}
153 };
154 
156 
157 //! \class DL_GroupParameters_GFP
158 //! \brief GF(p) group parameters
159 class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>
160 {
161 public:
162  virtual ~DL_GroupParameters_GFP() {}
163 
164  // DL_GroupParameters
165  bool IsIdentity(const Integer &element) const {return element == Integer::One();}
166  void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
167 
168  // NameValuePairs interface
169  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
170  {
171  return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();
172  }
173 
174  // used by MQV
175  Element MultiplyElements(const Element &a, const Element &b) const;
176  Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
177 
178 protected:
179  int GetFieldType() const {return 1;}
180 };
181 
182 //! \class DL_GroupParameters_GFP
183 //! \brief GF(p) group parameters that default to safe primes
185 {
186 public:
188 
190 
191 protected:
192  unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
193 };
194 
195 //! \class DL_Algorithm_GDSA
196 //! \brief GDSA algorithm
197 //! \tparam T FieldElement type or class
198 template <class T>
200 {
201 public:
202  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";}
203 
204  virtual ~DL_Algorithm_GDSA() {}
205 
206  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
207  {
208  const Integer &q = params.GetSubgroupOrder();
209  r %= q;
210  Integer kInv = k.InverseMod(q);
211  s = (kInv * (x*r + e)) % q;
212  CRYPTOPP_ASSERT(!!r && !!s);
213  }
214 
215  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
216  {
217  const Integer &q = params.GetSubgroupOrder();
218  if (r>=q || r<1 || s>=q || s<1)
219  return false;
220 
221  Integer w = s.InverseMod(q);
222  Integer u1 = (e * w) % q;
223  Integer u2 = (r * w) % q;
224  // verify r == (g^u1 * y^u2 mod p) mod q
225  return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
226  }
227 };
228 
229 //! \class DL_Algorithm_DSA_RFC6979
230 //! \brief DSA signature algorithm based on RFC 6979
231 //! \tparam T FieldElement type or class
232 //! \tparam H HashTransformation derived class
233 //! \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the
234 //! Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
235 //! \since Crypto++ 6.0
236 template <class T, class H>
238 {
239 public:
240  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-RFC6979";}
241 
242  virtual ~DL_Algorithm_DSA_RFC6979() {}
243 
244  bool IsProbabilistic() const
245  {return false;}
246  bool IsDeterministic() const
247  {return true;}
248 
249  // Deterministic K
250  Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
251  {
252  static const byte zero = 0, one = 1;
253  const size_t qlen = q.BitCount();
254  const size_t rlen = BitsToBytes(qlen);
255 
256  // Step (a) - formatted E(m)
258  e.Encode(BH, BH.size());
259  BH = bits2octets(BH, q);
260 
261  // Step (a) - private key to byte array
262  SecByteBlock BX(STDMAX(rlen, x.MinEncodedSize()));
263  x.Encode(BX, BX.size());
264 
265  // Step (b)
266  SecByteBlock V(H::DIGESTSIZE);
267  std::fill(V.begin(), V.begin()+H::DIGESTSIZE, one);
268 
269  // Step (c)
270  SecByteBlock K(H::DIGESTSIZE);
271  std::fill(K.begin(), K.begin()+H::DIGESTSIZE, zero);
272 
273  // Step (d)
274  m_hmac.SetKey(K, K.size());
275  m_hmac.Update(V, V.size());
276  m_hmac.Update(&zero, 1);
277  m_hmac.Update(BX, BX.size());
278  m_hmac.Update(BH, BH.size());
279  m_hmac.TruncatedFinal(K, K.size());
280 
281  // Step (e)
282  m_hmac.SetKey(K, K.size());
283  m_hmac.Update(V, V.size());
284  m_hmac.TruncatedFinal(V, V.size());
285 
286  // Step (f)
287  m_hmac.SetKey(K, K.size());
288  m_hmac.Update(V, V.size());
289  m_hmac.Update(&one, 1);
290  m_hmac.Update(BX, BX.size());
291  m_hmac.Update(BH, BH.size());
292  m_hmac.TruncatedFinal(K, K.size());
293 
294  // Step (g)
295  m_hmac.SetKey(K, K.size());
296  m_hmac.Update(V, V.size());
297  m_hmac.TruncatedFinal(V, V.size());
298 
299  Integer k;
300  SecByteBlock temp(rlen);
301  for (;;)
302  {
303  // We want qlen bits, but we support only hash functions with an output length
304  // multiple of 8; hence, we will gather rlen bits, i.e., rolen octets.
305  size_t toff = 0;
306  while (toff < rlen)
307  {
308  m_hmac.Update(V, V.size());
309  m_hmac.TruncatedFinal(V, V.size());
310 
311  size_t cc = STDMIN(V.size(), temp.size() - toff);
312  memcpy_s(temp+toff, temp.size() - toff, V, cc);
313  toff += cc;
314  }
315 
316  k = bits2int(temp, qlen);
317  if (k > 0 && k < q)
318  break;
319 
320  // k is not in the proper range; update K and V, and loop.
321  m_hmac.Update(V, V.size());
322  m_hmac.Update(&zero, 1);
323  m_hmac.TruncatedFinal(K, K.size());
324 
325  m_hmac.SetKey(K, K.size());
326  m_hmac.Update(V, V.size());
327  m_hmac.TruncatedFinal(V, V.size());
328  }
329 
330  return k;
331  }
332 
333 protected:
334 
335 #if 0
336  // Determine bits without converting to an Integer
337  inline unsigned int BitCount(const byte* buffer, size_t size) const
338  {
339  unsigned int idx = 0;
340  while (idx < size && buffer[idx] == 0) { idx++; }
341  return (size-idx)*8 - (8-BitPrecision(buffer[idx]));
342  }
343 #endif
344 
345  Integer bits2int(const SecByteBlock& bits, size_t qlen) const
346  {
347  Integer ret(bits, bits.size());
348  size_t blen = bits.size()*8;
349 
350  if (blen > qlen)
351  ret >>= blen - qlen;
352 
353  return ret;
354  }
355 
356  // RFC 6979 support function. Takes an integer and converts it into bytes that
357  // are the same length as an elliptic curve's order.
358  SecByteBlock int2octets(const Integer& val, size_t rlen) const
359  {
360  SecByteBlock block(val.MinEncodedSize());
361  val.Encode(block, val.MinEncodedSize());
362 
363  if (block.size() == rlen)
364  return block;
365 
366  // The least significant bytes are the ones we need to preserve.
367  SecByteBlock t(rlen);
368  if (block.size() > rlen)
369  {
370  size_t offset = block.size() - rlen;
371  memcpy(t, block + offset, rlen);
372  }
373  else // block.size() < rlen
374  {
375  size_t offset = rlen - block.size();
376  memset(t, '\x00', offset);
377  memcpy(t + offset, block, rlen - offset);
378  }
379 
380  return t;
381  }
382 
383  // Turn a stream of bits into a set of bytes with the same length as an elliptic
384  // curve's order.
385  SecByteBlock bits2octets(const SecByteBlock& in, const Integer& q) const
386  {
387  Integer b2 = bits2int(in, in.size()*8);
388  Integer b1 = b2 - q;
389  return int2octets(b1.IsNegative() ? b2 : b1, q.ByteCount());
390  }
391 
392 private:
393  mutable H m_hash;
394  mutable HMAC<H> m_hmac;
395 };
396 
397 //! \class DL_Algorithm_GDSA_ISO15946
398 //! \brief German Digital Signature Algorithm
399 //! \tparam T FieldElement type or class
400 //! \details The Digital Signature Scheme ECGDSA does not define the algorithm over integers. Rather, the
401 //! signature algorithm is only defined over elliptic curves. However, The library design is such that the
402 //! generic algorithm reside in <tt>gfpcrypt.h</tt>.
403 //! \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf">
404 //! The Digital Signature Scheme ECGDSA (October 24, 2006)</A>
405 template <class T>
407 {
408 public:
409  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "GDSA-ISO15946";}
410 
411  virtual ~DL_Algorithm_GDSA_ISO15946() {}
412 
413  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
414  {
415  const Integer &q = params.GetSubgroupOrder();
416  // r = x(k * G) mod q
417  r = params.ConvertElementToInteger(params.ExponentiateBase(k)) % q;
418  // s = (k * r - h(m)) * d_A mod q
419  s = (k * r - e) * x % q;
420  CRYPTOPP_ASSERT(!!r && !!s);
421  }
422 
423  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
424  {
425  const Integer &q = params.GetSubgroupOrder();
426  if (r>=q || r<1 || s>=q || s<1)
427  return false;
428 
429  const Integer& rInv = r.InverseMod(q);
430  const Integer u1 = (rInv * e) % q;
431  const Integer u2 = (rInv * s) % q;
432  // verify x(G^u1 + P_A^u2) mod q
433  return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
434  }
435 };
436 
437 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>;
438 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA1>;
439 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA224>;
440 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA256>;
441 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA384>;
442 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA512>;
443 
444 //! \class DL_Algorithm_NR
445 //! \brief NR algorithm
446 //! \tparam T FieldElement type or class
447 template <class T>
449 {
450 public:
451  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "NR";}
452 
453  virtual ~DL_Algorithm_NR() {}
454 
455  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
456  {
457  const Integer &q = params.GetSubgroupOrder();
458  r = (r + e) % q;
459  s = (k - x*r) % q;
460  CRYPTOPP_ASSERT(!!r);
461  }
462 
463  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
464  {
465  const Integer &q = params.GetSubgroupOrder();
466  if (r>=q || r<1 || s>=q)
467  return false;
468 
469  // check r == (m_g^s * m_y^r + m) mod m_q
470  return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q;
471  }
472 };
473 
474 //! \class DL_PublicKey_GFP
475 //! \brief Discrete Log (DL) public key in GF(p) groups
476 //! \tparam GP GroupParameters derived class
477 //! \details DSA public key format is defined in 7.3.3 of RFC 2459. The private key format is defined in 12.9 of PKCS #11 v2.10.
478 template <class GP>
480 {
481 public:
482  virtual ~DL_PublicKey_GFP() {}
483 
484  //! \brief Initialize a public key over GF(p)
485  //! \param params the group parameters
486  //! \param y the public element
487  void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
488  {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);}
489 
490  //! \brief Initialize a public key over GF(p)
491  //! \param p the modulus
492  //! \param g the generator
493  //! \param y the public element
494  void Initialize(const Integer &p, const Integer &g, const Integer &y)
495  {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);}
496 
497  //! \brief Initialize a public key over GF(p)
498  //! \param p the modulus
499  //! \param q the subgroup order
500  //! \param g the generator
501  //! \param y the public element
502  void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
503  {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);}
504 
505  // X509PublicKey
507  {this->SetPublicElement(Integer(bt));}
509  {this->GetPublicElement().DEREncode(bt);}
510 };
511 
512 //! \class DL_PrivateKey_GFP
513 //! \brief Discrete Log (DL) private key in GF(p) groups
514 //! \tparam GP GroupParameters derived class
515 template <class GP>
517 {
518 public:
519  virtual ~DL_PrivateKey_GFP() {}
520 
521  //! \brief Create a private key
522  //! \param rng a RandomNumberGenerator derived class
523  //! \param modulusBits the size of the modulus, in bits
524  //! \details This function overload of Initialize() creates a new private key because it
525  //! takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
526  //! then use one of the other Initialize() overloads.
527  void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
528  {this->GenerateRandomWithKeySize(rng, modulusBits);}
529 
530  //! \brief Create a private key
531  //! \param rng a RandomNumberGenerator derived class
532  //! \param p the modulus
533  //! \param g the generator
534  //! \details This function overload of Initialize() creates a new private key because it
535  //! takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
536  //! then use one of the other Initialize() overloads.
537  void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
538  {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));}
539 
540  //! \brief Create a private key
541  //! \param rng a RandomNumberGenerator derived class
542  //! \param p the modulus
543  //! \param q the subgroup order
544  //! \param g the generator
545  //! \details This function overload of Initialize() creates a new private key because it
546  //! takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
547  //! then use one of the other Initialize() overloads.
548  void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
549  {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));}
550 
551  //! \brief Initialize a private key over GF(p)
552  //! \param params the group parameters
553  //! \param x the private exponent
554  void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
555  {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);}
556 
557  //! \brief Initialize a private key over GF(p)
558  //! \param p the modulus
559  //! \param g the generator
560  //! \param x the private exponent
561  void Initialize(const Integer &p, const Integer &g, const Integer &x)
562  {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);}
563 
564  //! \brief Initialize a private key over GF(p)
565  //! \param p the modulus
566  //! \param q the subgroup order
567  //! \param g the generator
568  //! \param x the private exponent
569  void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
570  {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);}
571 };
572 
573 //! \class DL_SignatureKeys_GFP
574 //! \brief Discrete Log (DL) signing/verification keys in GF(p) groups
576 {
580 };
581 
582 //! \class DL_CryptoKeys_GFP
583 //! \brief Discrete Log (DL) encryption/decryption keys in GF(p) groups
585 {
589 };
590 
591 //! \class DL_PublicKey_GFP_OldFormat
592 //! \brief Discrete Log (DL) public key in GF(p) groups
593 //! \tparam BASE GroupParameters derived class
594 //! \deprecated This implementation uses a non-standard Crypto++ key format. New implementations
595 //! should use DL_PublicKey_GFP and DL_PrivateKey_GFP
596 template <class BASE>
597 class DL_PublicKey_GFP_OldFormat : public BASE
598 {
599 public:
600  virtual ~DL_PublicKey_GFP_OldFormat() {}
601 
602  void BERDecode(BufferedTransformation &bt)
603  {
604  BERSequenceDecoder seq(bt);
605  Integer v1(seq);
606  Integer v2(seq);
607  Integer v3(seq);
608 
609  if (seq.EndReached())
610  {
611  this->AccessGroupParameters().Initialize(v1, v1/2, v2);
612  this->SetPublicElement(v3);
613  }
614  else
615  {
616  Integer v4(seq);
617  this->AccessGroupParameters().Initialize(v1, v2, v3);
618  this->SetPublicElement(v4);
619  }
620 
621  seq.MessageEnd();
622  }
623 
624  void DEREncode(BufferedTransformation &bt) const
625  {
626  DERSequenceEncoder seq(bt);
627  this->GetGroupParameters().GetModulus().DEREncode(seq);
628  if (this->GetGroupParameters().GetCofactor() != 2)
629  this->GetGroupParameters().GetSubgroupOrder().DEREncode(seq);
630  this->GetGroupParameters().GetGenerator().DEREncode(seq);
631  this->GetPublicElement().DEREncode(seq);
632  seq.MessageEnd();
633  }
634 };
635 
636 //! \class DL_PrivateKey_GFP_OldFormat
637 //! \brief Discrete Log (DL) private key in GF(p) groups
638 //! \tparam BASE GroupParameters derived class
639 //! \deprecated This implementation uses a non-standard Crypto++ key format. New implementations
640 //! should use DL_PublicKey_GFP and DL_PrivateKey_GFP
641 template <class BASE>
642 class DL_PrivateKey_GFP_OldFormat : public BASE
643 {
644 public:
645  virtual ~DL_PrivateKey_GFP_OldFormat() {}
646 
647  void BERDecode(BufferedTransformation &bt)
648  {
649  BERSequenceDecoder seq(bt);
650  Integer v1(seq);
651  Integer v2(seq);
652  Integer v3(seq);
653  Integer v4(seq);
654 
655  if (seq.EndReached())
656  {
657  this->AccessGroupParameters().Initialize(v1, v1/2, v2);
658  this->SetPrivateExponent(v4 % (v1/2)); // some old keys may have x >= q
659  }
660  else
661  {
662  Integer v5(seq);
663  this->AccessGroupParameters().Initialize(v1, v2, v3);
664  this->SetPrivateExponent(v5);
665  }
666 
667  seq.MessageEnd();
668  }
669 
670  void DEREncode(BufferedTransformation &bt) const
671  {
672  DERSequenceEncoder seq(bt);
673  this->GetGroupParameters().GetModulus().DEREncode(seq);
674  if (this->GetGroupParameters().GetCofactor() != 2)
675  this->GetGroupParameters().GetSubgroupOrder().DEREncode(seq);
676  this->GetGroupParameters().GetGenerator().DEREncode(seq);
677  this->GetGroupParameters().ExponentiateBase(this->GetPrivateExponent()).DEREncode(seq);
678  this->GetPrivateExponent().DEREncode(seq);
679  seq.MessageEnd();
680  }
681 };
682 
683 //! \class GDSA
684 //! \brief DSA signature scheme
685 //! \tparam H HashTransformation derived class
686 //! \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
687 //! \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
688 template <class H>
689 struct GDSA : public DL_SS<
690  DL_SignatureKeys_GFP,
691  DL_Algorithm_GDSA<Integer>,
692  DL_SignatureMessageEncodingMethod_DSA,
693  H>
694 {
695 };
696 
697 //! \class NR
698 //! \brief NR signature scheme
699 //! \tparam H HashTransformation derived class
700 //! \sa <a href="http://www.weidai.com/scan-mirror/sig.html#NR">NR</a>
701 template <class H>
702 struct NR : public DL_SS<
703  DL_SignatureKeys_GFP,
704  DL_Algorithm_NR<Integer>,
705  DL_SignatureMessageEncodingMethod_NR,
706  H>
707 {
708 };
709 
710 //! \class DL_GroupParameters_DSA
711 //! \brief DSA group parameters
712 //! \details These are GF(p) group parameters that are allowed by the DSA standard
713 //! \sa DL_Keys_DSA
715 {
716 public:
717  virtual ~DL_GroupParameters_DSA() {}
718 
719  /*! also checks that the lengths of p and q are allowed by the DSA standard */
720  bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
721  /*! parameters: (ModulusSize), or (Modulus, SubgroupOrder, SubgroupGenerator) */
722  /*! ModulusSize must be between DSA::MIN_PRIME_LENGTH and DSA::MAX_PRIME_LENGTH, and divisible by DSA::PRIME_LENGTH_MULTIPLE */
723  void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
724 
725  static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
726  {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;}
727 
728  enum {MIN_PRIME_LENGTH = 1024, MAX_PRIME_LENGTH = 3072, PRIME_LENGTH_MULTIPLE = 1024};
729 };
730 
731 template <class H>
732 class DSA2;
733 
734 //! \class DL_Keys_DSA
735 //! \brief DSA keys
736 //! \sa DL_GroupParameters_DSA
738 {
741 };
742 
743 //! \class DSA2
744 //! \brief DSA signature scheme
745 //! \tparam H HashTransformation derived class
746 //! \details The class is named DSA2 instead of DSA for backwards compatibility because DSA was a non-template class.
747 //! \sa <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, as specified in FIPS 186-3
748 //! \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
749 template <class H>
750 class DSA2 : public DL_SS<
751  DL_Keys_DSA,
752  DL_Algorithm_GDSA<Integer>,
753  DL_SignatureMessageEncodingMethod_DSA,
754  H,
755  DSA2<H> >
756 {
757 public:
758  static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();}
759 };
760 
761 //! \class DSA_RFC6979
762 //! \brief DSA deterministic signature scheme
763 //! \tparam H HashTransformation derived class
764 //! \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
765 //! \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
766 template <class H>
767 struct DSA_RFC6979 : public DL_SS<
768  DL_SignatureKeys_GFP,
769  DL_Algorithm_DSA_RFC6979<Integer, H>,
770  DL_SignatureMessageEncodingMethod_DSA,
771  H,
772  DSA_RFC6979<H> >
773 {
774  static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("DSA-RFC6979/") + H::StaticAlgorithmName();}
775 };
776 
777 //! DSA with SHA-1, typedef'd for backwards compatibility
778 typedef DSA2<SHA1> DSA;
779 
780 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>;
781 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>;
783 
784 //! \class DL_EncryptionAlgorithm_Xor
785 //! \brief P1363 based XOR Encryption Method
786 //! \tparam MAC MessageAuthenticationCode derived class used for MAC computation
787 //! \tparam DHAES_MODE flag indicating DHAES mode
788 //! \tparam LABEL_OCTETS flag indicating the label is octet count
789 //! \details DL_EncryptionAlgorithm_Xor is based on an early P1363 draft, which itself appears to be based on an
790 //! early Certicom SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used it in its Integrated
791 //! Ecryption Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
792 //! \details If you need this method for Crypto++ 4.2 compatibility, then use the ECIES template class with
793 //! <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
794 //! \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with
795 //! <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=ture</tt> and <tt>LABEL_OCTETS=false</tt>.
796 //! \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters.
797 //! \since Crypto++ 4.0
798 template <class MAC, bool DHAES_MODE, bool LABEL_OCTETS=false>
800 {
801 public:
802  virtual ~DL_EncryptionAlgorithm_Xor() {}
803 
804  bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
805  size_t GetSymmetricKeyLength(size_t plaintextLength) const
806  {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
807  size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
808  {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
809  size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
810  {return SaturatingSubtract(ciphertextLength, static_cast<size_t>(MAC::DIGESTSIZE));}
811  void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs &parameters) const
812  {
813  CRYPTOPP_UNUSED(rng);
814  const byte *cipherKey = NULLPTR, *macKey = NULLPTR;
815  if (DHAES_MODE)
816  {
817  macKey = key;
818  cipherKey = key + MAC::DEFAULT_KEYLENGTH;
819  }
820  else
821  {
822  cipherKey = key;
823  macKey = key + plaintextLength;
824  }
825 
826  ConstByteArrayParameter encodingParameters;
827  parameters.GetValue(Name::EncodingParameters(), encodingParameters);
828 
829  if (plaintextLength) // Coverity finding
830  xorbuf(ciphertext, plaintext, cipherKey, plaintextLength);
831 
832  MAC mac(macKey);
833  mac.Update(ciphertext, plaintextLength);
834  mac.Update(encodingParameters.begin(), encodingParameters.size());
835  if (DHAES_MODE)
836  {
837  byte L[8];
838  PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
839  mac.Update(L, 8);
840  }
841  mac.Final(ciphertext + plaintextLength);
842  }
843  DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs &parameters) const
844  {
845  size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength);
846  const byte *cipherKey, *macKey;
847  if (DHAES_MODE)
848  {
849  macKey = key;
850  cipherKey = key + MAC::DEFAULT_KEYLENGTH;
851  }
852  else
853  {
854  cipherKey = key;
855  macKey = key + plaintextLength;
856  }
857 
858  ConstByteArrayParameter encodingParameters;
859  parameters.GetValue(Name::EncodingParameters(), encodingParameters);
860 
861  MAC mac(macKey);
862  mac.Update(ciphertext, plaintextLength);
863  mac.Update(encodingParameters.begin(), encodingParameters.size());
864  if (DHAES_MODE)
865  {
866  byte L[8];
867  PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
868  mac.Update(L, 8);
869  }
870  if (!mac.Verify(ciphertext + plaintextLength))
871  return DecodingResult();
872 
873  if (plaintextLength) // Coverity finding
874  xorbuf(plaintext, ciphertext, cipherKey, plaintextLength);
875 
876  return DecodingResult(plaintextLength);
877  }
878 };
879 
880 //! _
881 template <class T, bool DHAES_MODE, class KDF>
883 {
884 public:
885  virtual ~DL_KeyDerivationAlgorithm_P1363() {}
886 
887  bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;}
888  void Derive(const DL_GroupParameters<T> &params, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs &parameters) const
889  {
890  SecByteBlock agreedSecret;
891  if (DHAES_MODE)
892  {
893  agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false));
894  params.EncodeElement(true, ephemeralPublicKey, agreedSecret);
895  params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true));
896  }
897  else
898  {
899  agreedSecret.New(params.GetEncodedElementSize(false));
900  params.EncodeElement(false, agreedElement, agreedSecret);
901  }
902 
903  ConstByteArrayParameter derivationParameters;
904  parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters);
905  KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size());
906  }
907 };
908 
909 //! \class DLIES
910 //! \brief Discrete Log Integrated Encryption Scheme
911 //! \tparam COFACTOR_OPTION \ref CofactorMultiplicationOption "cofactor multiplication option"
912 //! \tparam HASH HashTransformation derived class used for key drivation and MAC computation
913 //! \tparam DHAES_MODE flag indicating if the MAC includes addition context parameters such as the label
914 //! \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits
915 //! \details DLIES is an Integer based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation Method (KEM)
916 //! with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is
917 //! <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security.
918 //! You should prefer an Integrated Encryption Scheme over homegrown schemes.
919 //! \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom
920 //! SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption
921 //! Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
922 //! \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the DLIES template class with
923 //! <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
924 //! \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the DLIES
925 //! template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
926 //! \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of
927 //! <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security.
928 //! SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the
929 //! security provided by the MAC. The hash is also used in the key derivation function as a PRF.
930 //! \details Below is an example of constructing a Crypto++ 4.2 compatible DLIES encryptor and decryptor.
931 //! <pre>
932 //! AutoSeededRandomPool prng;
933 //! DL_PrivateKey_GFP<DL_GroupParameters_GFP> key;
934 //! key.Initialize(prng, 2048);
935 //!
936 //! DLIES<SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key);
937 //! DLIES<SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor);
938 //! </pre>
939 //! \sa ECIES, <a href="http://www.weidai.com/scan-mirror/ca.html#DLIES">Discrete Log Integrated Encryption Scheme (DLIES)</a>,
940 //! Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic
941 //! Curve Integrated Encryption Schemes</A>
942 //! \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility
943 template <class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS=false>
944 struct DLIES
945  : public DL_ES<
946  DL_CryptoKeys_GFP,
947  DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
948  DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<HASH> >,
949  DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>,
950  DLIES<> >
951 {
952  static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";} // TODO: fix this after name is standardized
953 };
954 
955 NAMESPACE_END
956 
957 #if CRYPTOPP_MSC_VERSION
958 # pragma warning(pop)
959 #endif
960 
961 #endif
Used to pass byte array input as part of a NameValuePairs object.
Definition: algparam.h:29
void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
Create a private key.
Definition: gfpcrypt.h:548
Discrete Log Integrated Encryption Scheme.
Definition: gfpcrypt.h:944
virtual void DEREncode(BufferedTransformation &bt) const =0
Encode this object into a BufferedTransformation.
Classes for working with NameValuePairs.
Utility functions for the Crypto++ library.
GF(p) group parameters.
Definition: gfpcrypt.h:159
void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:487
Integer GetGroupOrder() const
Retrieves the order of the group.
Definition: gfpcrypt.h:81
size_t size() const
Length of the memory block.
Definition: algparam.h:93
size_t BitsToBytes(size_t bitCount)
Returns the number of 8-bit bytes or octets required for the specified number of bits.
Definition: misc.h:796
This file contains helper classes/functions for implementing public key algorithms.
Interface for deterministic signers.
Definition: pubkey.h:1281
void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
Create a private key.
Definition: gfpcrypt.h:527
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: gfpcrypt.h:169
void PutWord(bool assumeAligned, ByteOrder order, byte *block, T value, const byte *xorBlock=NULL)
Access a block of memory.
Definition: misc.h:2235
void Initialize(const Integer &p, const Integer &g)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:59
P1363 based XOR Encryption Method.
Definition: gfpcrypt.h:799
Converts an enumeration to a type suitable for use as a template parameter.
Definition: cryptlib.h:126
Abstract base classes that provide a uniform interface to this library.
void memcpy_s(void *dest, size_t sizeInBytes, const void *src, size_t count)
Bounds checking replacement for memcpy()
Definition: misc.h:401
virtual Integer ConvertElementToInteger(const Element &element) const =0
Converts an element to an Integer.
Interface for key derivation algorithms used in DL cryptosystems.
Definition: pubkey.h:1304
Classes for automatic resource management.
Library configuration file.
DSA keys.
Definition: gfpcrypt.h:737
Interface for random number generators.
Definition: cryptlib.h:1190
void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
Create a group parameters over integers.
Definition: gfpcrypt.h:53
void New(size_type newSize)
Change size without preserving contents.
Definition: secblock.h:717
Integer InverseMod(const Integer &n) const
calculate multiplicative inverse of *this mod n
Definition: integer.cpp:4440
Discrete Log (DL) encryption scheme.
Definition: pubkey.h:2155
SecBlock<byte> typedef.
Definition: secblock.h:810
BER Sequence Decoder.
Definition: asn.h:303
Interface for buffered transformations.
Definition: cryptlib.h:1345
DSA signature scheme.
Definition: gfpcrypt.h:689
virtual Element ExponentiateBase(const Integer &exponent) const
Retrieves the subgroup generator.
Definition: pubkey.h:803
static const Integer & One()
Integer representing 1.
Definition: integer.cpp:3096
bool operator==(const OID &lhs, const OID &rhs)
Compare two OIDs for equality.
Interface for Discrete Log (DL) public keys.
Definition: pubkey.h:992
void DEREncodePublicKey(BufferedTransformation &bt) const
encode subjectPublicKey part of subjectPublicKeyInfo, without the BIT STRING header ...
Definition: gfpcrypt.h:508
void Initialize(const Integer &p, const Integer &q, const Integer &g)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:66
Discrete Log (DL) signature scheme.
Definition: pubkey.h:2132
void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
Create a private key.
Definition: gfpcrypt.h:537
unsigned int ByteCount() const
Determines the number of bytes required to represent the Integer.
Definition: integer.cpp:3362
bool operator!=(const OID &lhs, const OID &rhs)
Compare two OIDs for inequality.
size_t MinEncodedSize(Signedness sign=UNSIGNED) const
Minimum number of bytes to encode this integer.
Definition: integer.cpp:3419
DL_FixedBasePrecomputation< Element > & AccessBasePrecomputation()
Retrieves the group precomputation.
Definition: gfpcrypt.h:139
Returns a decoding results.
Definition: cryptlib.h:248
DSA2< SHA1 > DSA
DSA with SHA-1, typedef&#39;d for backwards compatibility.
Definition: gfpcrypt.h:778
Classes for HMAC message authentication codes.
DSA signature scheme.
Definition: gfpcrypt.h:732
const byte * begin() const
Pointer to the first byte in the memory block.
Definition: algparam.h:89
Discrete Log (DL) public key in GF(p) groups.
Definition: gfpcrypt.h:597
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:502
Integer ConvertElementToInteger(const Element &element) const
Converts an element to an Integer.
Definition: gfpcrypt.h:91
Interface for Elgamal-like signature algorithms.
Definition: pubkey.h:1257
virtual void BERDecode(BufferedTransformation &bt)=0
Decode this object from a BufferedTransformation.
void Initialize(const Integer &p, const Integer &g, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:494
const char * EncodingParameters()
ConstByteArrayParameter.
Definition: argnames.h:66
Discrete Log (DL) signing/verification keys in GF(p) groups.
Definition: gfpcrypt.h:575
DSA deterministic signature scheme.
Definition: gfpcrypt.h:767
virtual const Element & GetSubgroupGenerator() const
Retrieves the subgroup generator.
Definition: pubkey.h:793
Discrete Log (DL) encryption/decryption keys in GF(p) groups.
Definition: gfpcrypt.h:584
Multiple precision integer with arithmetic operations.
Definition: integer.h:49
NR signature scheme.
Definition: gfpcrypt.h:702
T1 SaturatingSubtract(const T1 &a, const T2 &b)
Performs a saturating subtract clamped at 0.
Definition: misc.h:896
Integer-based GroupParameters default implementation.
Definition: gfpcrypt.h:121
const DL_FixedBasePrecomputation< Element > & GetBasePrecomputation() const
Retrieves the group precomputation.
Definition: gfpcrypt.h:138
bool IsIdentity(const Integer &element) const
Determines if an element is an identity.
Definition: gfpcrypt.h:165
byte order is big-endian
Definition: cryptlib.h:138
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition: misc.h:514
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:61
DSA group parameters.
Definition: gfpcrypt.h:714
Classes and functions for working with ANS.1 objects.
Classes for SHA-1 and SHA-2 family of message digests.
void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:569
void Initialize(const DL_GroupParameters_IntegerBased &params)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:44
Discrete Log (DL) public key in GF(p) groups.
Definition: gfpcrypt.h:479
iterator begin()
Provides an iterator pointing to the first element in the memory block.
Definition: secblock.h:545
unsigned int BitCount() const
Determines the number of bits required to represent the Integer.
Definition: integer.cpp:3371
DSA signature algorithm based on RFC 6979.
Definition: gfpcrypt.h:237
DER Sequence Encoder.
Definition: asn.h:313
void Encode(byte *output, size_t outputLen, Signedness sign=UNSIGNED) const
Encode in big-endian format.
Definition: integer.cpp:3435
Discrete Log (DL) private key in GF(p) groups.
Definition: gfpcrypt.h:642
Discrete Log (DL) private key in GF(p) groups.
Definition: gfpcrypt.h:516
GDSA algorithm.
Definition: gfpcrypt.h:199
void xorbuf(byte *buf, const byte *mask, size_t count)
Performs an XOR of a buffer with a mask.
Definition: misc.cpp:28
void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:554
virtual void EncodeElement(bool reversible, const Element &element, byte *encoded) const =0
Encodes the element.
virtual unsigned int GetEncodedElementSize(bool reversible) const =0
Retrieves the encoded element&#39;s size.
NR algorithm.
Definition: gfpcrypt.h:448
void AssignFrom(const NameValuePairs &source)
Assign values to this object.
Definition: gfpcrypt.h:134
Multiple precision integer with arithmetic operations.
const Integer & GetSubgroupOrder() const
Retrieves the subgroup order.
Definition: gfpcrypt.h:80
const T & STDMAX(const T &a, const T &b)
Replacement function for std::max.
Definition: misc.h:525
const char * KeyDerivationParameters()
ConstByteArrayParameter.
Definition: argnames.h:67
Crypto++ library namespace.
bool GetValue(const char *name, T &value) const
Get a named value.
Definition: cryptlib.h:343
Interface for symmetric encryption algorithms used in DL cryptosystems.
Definition: pubkey.h:1315
Base implementation of Discrete Log (DL) group parameters.
Definition: pubkey.h:947
void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
decode subjectPublicKey part of subjectPublicKeyInfo, without the BIT STRING header ...
Definition: gfpcrypt.h:506
German Digital Signature Algorithm.
Definition: gfpcrypt.h:406
void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:502
Integer-based GroupParameters specialization.
Definition: gfpcrypt.h:35
Encode and decode ASN.1 objects with additional information.
Definition: asn.h:374
void Initialize(const Integer &p, const Integer &g, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:561
Object Identifier.
Definition: asn.h:166
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: gfpcrypt.h:131
unsigned int BitPrecision(const T &value)
Returns the number of bits required for a value.
Definition: misc.h:700
size_type size() const
Provides the count of elements in the SecBlock.
Definition: secblock.h:570
Interface for retrieving values given their names.
Definition: cryptlib.h:285
virtual const Integer & GetSubgroupOrder() const =0
Retrieves the subgroup order.