aboutsummaryrefslogtreecommitdiffstats
path: root/lib/pubkey/rw/rw.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'lib/pubkey/rw/rw.cpp')
-rw-r--r--lib/pubkey/rw/rw.cpp130
1 files changed, 130 insertions, 0 deletions
diff --git a/lib/pubkey/rw/rw.cpp b/lib/pubkey/rw/rw.cpp
new file mode 100644
index 000000000..63e7977d8
--- /dev/null
+++ b/lib/pubkey/rw/rw.cpp
@@ -0,0 +1,130 @@
+/*
+* Rabin-Williams
+* (C) 1999-2008 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/rw.h>
+#include <botan/numthry.h>
+#include <botan/keypair.h>
+#include <botan/parsing.h>
+#include <algorithm>
+#include <future>
+
+namespace Botan {
+
+/*
+* Create a Rabin-Williams private key
+*/
+RW_PrivateKey::RW_PrivateKey(RandomNumberGenerator& rng,
+ size_t bits, size_t exp)
+ {
+ if(bits < 1024)
+ throw Invalid_Argument(algo_name() + ": Can't make a key that is only " +
+ std::to_string(bits) + " bits long");
+ if(exp < 2 || exp % 2 == 1)
+ throw Invalid_Argument(algo_name() + ": Invalid encryption exponent");
+
+ e = exp;
+
+ do
+ {
+ p = random_prime(rng, (bits + 1) / 2, e / 2, 3, 4);
+ q = random_prime(rng, bits - p.bits(), e / 2, ((p % 8 == 3) ? 7 : 3), 8);
+ n = p * q;
+ } while(n.bits() != bits);
+
+ d = inverse_mod(e, lcm(p - 1, q - 1) >> 1);
+ d1 = d % (p - 1);
+ d2 = d % (q - 1);
+ c = inverse_mod(q, p);
+
+ gen_check(rng);
+ }
+
+/*
+* Check Private Rabin-Williams Parameters
+*/
+bool RW_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const
+ {
+ if(!IF_Scheme_PrivateKey::check_key(rng, strong))
+ return false;
+
+ if(!strong)
+ return true;
+
+ if((e * d) % (lcm(p - 1, q - 1) / 2) != 1)
+ return false;
+
+ return KeyPair::signature_consistency_check(rng, *this, "EMSA2(SHA-1)");
+ }
+
+RW_Signature_Operation::RW_Signature_Operation(const RW_PrivateKey& rw) :
+ n(rw.get_n()),
+ e(rw.get_e()),
+ q(rw.get_q()),
+ c(rw.get_c()),
+ powermod_d1_p(rw.get_d1(), rw.get_p()),
+ powermod_d2_q(rw.get_d2(), rw.get_q()),
+ mod_p(rw.get_p())
+ {
+ }
+
+secure_vector<byte>
+RW_Signature_Operation::sign(const byte msg[], size_t msg_len,
+ RandomNumberGenerator& rng)
+ {
+ rng.add_entropy(msg, msg_len);
+
+ if(!blinder.initialized())
+ {
+ BigInt k(rng, std::min<size_t>(160, n.bits() - 1));
+ blinder = Blinder(power_mod(k, e, n), inverse_mod(k, n), n);
+ }
+
+ BigInt i(msg, msg_len);
+
+ if(i >= n || i % 16 != 12)
+ throw Invalid_Argument("Rabin-Williams: invalid input");
+
+ if(jacobi(i, n) != 1)
+ i >>= 1;
+
+ i = blinder.blind(i);
+
+ auto future_j1 = std::async(std::launch::async, powermod_d1_p, i);
+ const BigInt j2 = powermod_d2_q(i);
+ BigInt j1 = future_j1.get();
+
+ j1 = mod_p.reduce(sub_mul(j1, j2, c));
+
+ const BigInt r = blinder.unblind(mul_add(j1, q, j2));
+
+ return BigInt::encode_1363(std::min(r, n - r), n.bytes());
+ }
+
+secure_vector<byte>
+RW_Verification_Operation::verify_mr(const byte msg[], size_t msg_len)
+ {
+ BigInt m(msg, msg_len);
+
+ if((m > (n >> 1)) || m.is_negative())
+ throw Invalid_Argument("RW signature verification: m > n / 2 || m < 0");
+
+ BigInt r = powermod_e_n(m);
+ if(r % 16 == 12)
+ return BigInt::encode_locked(r);
+ if(r % 8 == 6)
+ return BigInt::encode_locked(2*r);
+
+ r = n - r;
+ if(r % 16 == 12)
+ return BigInt::encode_locked(r);
+ if(r % 8 == 6)
+ return BigInt::encode_locked(2*r);
+
+ throw Invalid_Argument("RW signature verification: Invalid signature");
+ }
+
+}