authorlloyd <[email protected]>2015-03-12 11:48:27 +0000
committerlloyd <[email protected]>2015-03-12 11:48:27 +0000
commitff26efb1c4b8530024dc9b42d75e39536ece6e11 (patch)
tree8f76ffab672673222b1c2bd8121c40fa2d765e62 /src/lib/pubkey/rfc6979
parenta06d7288968e205ca5f4df7cb3fcb3914353fb5f (diff)
Externalize the state of a RFC 6979 nonce computation.
This lets you amortize quite a few memory allocations (RNG, various BigInts, etc) over many nonce generations. Change generate_rfc6979_nonce to just instantiate one of these states, call the function once, and return. This doesn't have any additional overhead versus the previous implementation of this function. Fix HMAC_DRBG to correctly reset its state to its starting position when you call clear() on it.
Diffstat (limited to 'src/lib/pubkey/rfc6979')
-rw-r--r--src/lib/pubkey/rfc6979/rfc6979.cpp53
-rw-r--r--src/lib/pubkey/rfc6979/rfc6979.h24
2 files changed, 55 insertions, 22 deletions
diff --git a/src/lib/pubkey/rfc6979/rfc6979.cpp b/src/lib/pubkey/rfc6979/rfc6979.cpp
index 3bd723d6d..58cdbaa1b 100644
--- a/src/lib/pubkey/rfc6979/rfc6979.cpp
+++ b/src/lib/pubkey/rfc6979/rfc6979.cpp
@@ -1,6 +1,6 @@
/*
* RFC 6979 Deterministic Nonce Generator
-* (C) 2014 Jack Lloyd
+* (C) 2014,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -25,32 +25,43 @@ std::string hash_for_deterministic_signature(const std::string& emsa)
return "SHA-512"; // safe default if nothing we understand
}
-BigInt generate_rfc6979_nonce(const BigInt& x,
- const BigInt& q,
- const BigInt& h,
- const std::string& hash)
+RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(const std::string& hash,
+ const BigInt& order,
+ const BigInt& x) :
+ m_order(order),
+ m_qlen(m_order.bits()),
+ m_rlen(m_qlen / 8 + (m_qlen % 8 ? 1 : 0)),
+ m_hmac_drbg(new HMAC_DRBG(make_message_auth("HMAC(" + hash + ")").release())),
+ m_rng_in(m_rlen * 2),
+ m_rng_out(m_rlen)
{
- HMAC_DRBG rng(make_message_auth("HMAC(" + hash + ")").release(), nullptr);
-
- const size_t qlen = q.bits();
- const size_t rlen = qlen / 8 + (qlen % 8 ? 1 : 0);
-
- secure_vector<byte> input = BigInt::encode_1363(x, rlen);
-
- input += BigInt::encode_1363(h, rlen);
-
- rng.add_entropy(&input[0], input.size());
-
- BigInt k;
+ BigInt::encode_1363(&m_rng_in[0], m_rlen, x);
+ }
- secure_vector<byte> kbits(rlen);
+const BigInt& RFC6979_Nonce_Generator::nonce_for(const BigInt& m)
+ {
+ BigInt::encode_1363(&m_rng_in[m_rlen], m_rlen, m);
+ m_hmac_drbg->clear();
+ m_hmac_drbg->add_entropy(&m_rng_in[0], m_rng_in.size());
- while(k == 0 || k >= q)
+ do
{
- rng.randomize(&kbits[0], kbits.size());
- k = BigInt::decode(kbits) >> (8*rlen - qlen);
+ m_hmac_drbg->randomize(&m_rng_out[0], m_rng_out.size());
+ m_k.binary_decode(&m_rng_out[0], m_rng_out.size());
+ m_k >>= (8*m_rlen - m_qlen);
}
+ while(m_k == 0 || m_k >= m_order);
+ return m_k;
+ }
+
+BigInt generate_rfc6979_nonce(const BigInt& x,
+ const BigInt& q,
+ const BigInt& h,
+ const std::string& hash)
+ {
+ RFC6979_Nonce_Generator gen(hash, q, x);
+ BigInt k = gen.nonce_for(h);
return k;
}
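Review bot: `nonce_for` hands back a reference to the member `m_k`, so the value a caller holds is silently replaced by the next `nonce_for` call and dangles once the generator is destroyed, and neither the definition here nor the declaration in rfc6979.h says so; add `// Returned reference is to internal state: valid only until the next nonce_for() call or the generator's destruction; copy it to retain (generate_rfc6979_nonce does).` above the definition and mirror it on the declaration. The constructor also writes through `&m_rng_in[0]` without checking that `m_rlen` is nonzero, so an `order` of zero leaves `m_rng_in` empty and the indexing undefined; a guard such as `if(m_rlen == 0) throw Invalid_Argument("RFC6979_Nonce_Generator: order must be nonzero");` before the encode would reject it up front (the removed code had the same gap via `&input[0]`). It is also worth a comment that the encoded private key `x` now lives in `m_rng_in` for the generator's whole lifetime, which is acceptable only because it is a `secure_vector` that wipes on destruction; whether `m_k` (a `BigInt` holding the last nonce) gets the same zeroization is not visible in this hunk and should be confirmed.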
diff --git a/src/lib/pubkey/rfc6979/rfc6979.h b/src/lib/pubkey/rfc6979/rfc6979.h
index 8e2940578..5b3dee8ef 100644
--- a/src/lib/pubkey/rfc6979/rfc6979.h
+++ b/src/lib/pubkey/rfc6979/rfc6979.h
@@ -1,6 +1,6 @@
/*
* RFC 6979 Deterministic Nonce Generator
-* (C) 2014 Jack Lloyd
+* (C) 2014,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -10,9 +10,31 @@
#include <botan/bigint.h>
#include <string>
+#include <memory>
namespace Botan {
+class RandomNumberGenerator;
+
+class BOTAN_DLL RFC6979_Nonce_Generator
+ {
+ public:
+ /**
+ * Note: keeps persistent reference to order
+ */
+ RFC6979_Nonce_Generator(const std::string& hash,
+ const BigInt& order,
+ const BigInt& x);
+
+ const BigInt& nonce_for(const BigInt& m);
+ private:
+ const BigInt& m_order;
+ BigInt m_k;
+ size_t m_qlen, m_rlen;
+ std::unique_ptr<RandomNumberGenerator> m_hmac_drbg;
+ secure_vector<byte> m_rng_in, m_rng_out;
+ };
+
/**
* @param x the secret (EC)DSA key
* @param q the group order