Add format preserving encryption, design is FE1/FD1 from the paper

Format-Preserving Encryption (http://eprint.iacr.org/2009/251). This doesn't implement the rank functions which are necessary for the actual format-preserving part, though that would be nice to add to the example.
author: lloyd <[email protected]> 2009-11-05 07:52:35 +0000
committer: lloyd <[email protected]> 2009-11-05 07:52:35 +0000
commit: a6177d3af54437375c752b8046230b7fb98c8563 (patch)
tree: 2e0199f9fb93725c1a2f0cfea03458c03bbbbba9 /src
parent: 56c3c044215f36fe00c9a8a2e06a84f969996cb7 (diff)
3 files changed, 205 insertions, 0 deletions
diff --git a/src/fpe/fpe.cpp b/src/fpe/fpe.cpp
new file mode 100644
index 000000000..b2dbf7eb1
--- /dev/null
+++ b/src/fpe/fpe.cpp
@@ -0,0 +1,166 @@
+/*
+* Format Preserving Encryption
+* (C) 2009 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/fpe.h>
+#include <botan/numthry.h>
+#include <botan/hmac.h>
+#include <botan/sha2_32.h>
+#include <botan/loadstor.h>
+#include <stdexcept>
+
+#include <iostream>
+
+namespace Botan {
+
+namespace {
+
+// Normally FPE is for SSNs, CC#s, etc, nothing too big
+const u32bit MAX_N_BYTES = 128/8;
+
+void factor(BigInt n, BigInt& a, BigInt& b)
+   {
+   a = 1;
+   b = 1;
+
+   for(u32bit i = 0; i != PRIME_TABLE_SIZE; ++i)
+      {
+      while(n % PRIMES[i] == 0)
+         {
+         a *= PRIMES[i];
+         std::swap(a, b);
+         n /= PRIMES[i];
+         }
+      }
+
+   a *= n;
+
+   if(a <= 1 || b <= 1)
+      throw std::runtime_error("Could not factor n for use in FPE");
+   }
+
+u32bit rounds(const BigInt& a, const BigInt& b)
+   {
+   return 8;
+   }
+
+class FPE_Encryptor
+   {
+   public:
+      FPE_Encryptor(const SymmetricKey& key,
+                    const BigInt& n,
+                    const MemoryRegion<byte>& tweak);
+
+      ~FPE_Encryptor() { delete mac; }
+
+      BigInt operator()(u32bit i, const BigInt& R);
+
+   private:
+      MessageAuthenticationCode* mac;
+      SecureVector<byte> mac_n_t;
+   };
+
+FPE_Encryptor::FPE_Encryptor(const SymmetricKey& key,
+                             const BigInt& n,
+                             const MemoryRegion<byte>& tweak)
+   {
+   mac = new HMAC(new SHA_256);
+   mac->set_key(key);
+
+   SecureVector<byte> n_bin = BigInt::encode(n);
+
+   if(n_bin.size() > MAX_N_BYTES)
+      throw std::runtime_error("N is too large for FPE encryption");
+
+   for(u32bit i = 0; i != 4; ++i)
+      mac->update(get_byte(i, n_bin.size()));
+   mac->update(&n_bin[0], n_bin.size());
+
+   for(u32bit i = 0; i != 4; ++i)
+      mac->update(get_byte(i, tweak.size()));
+   mac->update(&tweak[0], tweak.size());
+
+   mac_n_t = mac->final();
+   }
+
+BigInt FPE_Encryptor::operator()(u32bit round_no, const BigInt& R)
+   {
+   mac->update(mac_n_t);
+
+   for(u32bit i = 0; i != 4; ++i)
+      mac->update(get_byte(i, round_no));
+
+   SecureVector<byte> r_bin = BigInt::encode(R);
+
+   for(u32bit i = 0; i != 4; ++i)
+      mac->update(get_byte(i, r_bin.size()));
+   mac->update(&r_bin[0], r_bin.size());
+
+   SecureVector<byte> X = mac->final();
+   return BigInt(&X[0], X.size());
+   }
+
+}
+
+/**
+* Generic Z_n FPE encryption, FE1 scheme
+* See http://eprint.iacr.org/2009/251
+*/
+BigInt fpe_encrypt(const BigInt& n, const BigInt& X0,
+                   const SymmetricKey& key,
+                   const MemoryRegion<byte>& tweak)
+   {
+   FPE_Encryptor F(key, n, tweak);
+
+   BigInt a, b;
+   factor(n, a, b);
+
+   const u32bit r = rounds(a, b);
+
+   BigInt X = X0;
+
+   for(u32bit i = 0; i != r; ++i)
+      {
+      BigInt L = X / b;
+      BigInt R = X % b;
+
+      BigInt W = (L + F(i, R)) % a;
+      X = a * R + W;
+      }
+
+   return X;
+   }
+
+/**
+* Generic Z_n FPE decryption, FD1 scheme
+* See http://eprint.iacr.org/2009/251
+*/
+BigInt fpe_decrypt(const BigInt& n, const BigInt& X0,
+                   const SymmetricKey& key,
+                   const MemoryRegion<byte>& tweak)
+   {
+   FPE_Encryptor F(key, n, tweak);
+
+   BigInt a, b;
+   factor(n, a, b);
+
+   const u32bit r = rounds(a, b);
+
+   BigInt X = X0;
+
+   for(u32bit i = 0; i != r; ++i)
+      {
+      BigInt W = X % a;
+      BigInt R = X / a;
+
+      BigInt L = (W - F(r-i, R)) % a;
+      X = b*L + R;
+      }
+
+   return X;
+   }
+
+}
diff --git a/src/fpe/fpe.h b/src/fpe/fpe.h
new file mode 100644
index 000000000..677304b1d
--- /dev/null
+++ b/src/fpe/fpe.h
@@ -0,0 +1,26 @@
+/*
+* Format Preserving Encryption
+* (C) 2009 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_FORMAT_PRESERVING_ENCRYPTION_H__
+#define BOTAN_FORMAT_PRESERVING_ENCRYPTION_H__
+
+#include <botan/bigint.h>
+#include <botan/symkey.h>
+
+namespace Botan {
+
+BigInt fpe_encrypt(const BigInt& n, const BigInt& X,
+                   const SymmetricKey& key,
+                   const MemoryRegion<byte>& tweak);
+
+BigInt fpe_decrypt(const BigInt& n, const BigInt& X,
+                   const SymmetricKey& key,
+                   const MemoryRegion<byte>& tweak);
+
+}
+
+#endif
diff --git a/src/fpe/info.txt b/src/fpe/info.txt
new file mode 100644
index 000000000..f7a8c4ae4
--- /dev/null
+++ b/src/fpe/info.txt
@@ -0,0 +1,13 @@
+define FORMAT_PRESERVING_ENCRYPTION
+
+load_on auto
+
+<add>
+fpe.cpp
+fpe.h
+</add>
+
+<requires>
+cbc_mac
+bigint
+</requires>
author	lloyd <[email protected]>	2009-11-05 07:52:35 +0000
committer	lloyd <[email protected]>	2009-11-05 07:52:35 +0000
commit	a6177d3af54437375c752b8046230b7fb98c8563 (patch)
tree	2e0199f9fb93725c1a2f0cfea03458c03bbbbba9 /src
parent	56c3c044215f36fe00c9a8a2e06a84f969996cb7 (diff)