1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
/*
* ECDSA implemenation
* (C) 2007 Manuel Hartl, FlexSecure GmbH
* 2007 Falko Strenzke, FlexSecure GmbH
* 2008-2010 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
#include <botan/ecdsa.h>
namespace Botan {
ECDSA_Signature_Operation::ECDSA_Signature_Operation(const ECDSA_PrivateKey& ecdsa) :
base_point(ecdsa.domain().get_base_point()),
order(ecdsa.domain().get_order()),
x(ecdsa.private_value())
{
}
SecureVector<byte> ECDSA_Signature_Operation::sign(const byte msg[],
u32bit msg_len,
RandomNumberGenerator& rng)
{
rng.add_entropy(msg, msg_len);
BigInt k;
k.randomize(rng, order.bits());
while(k >= order)
k.randomize(rng, order.bits() - 1);
BigInt e(msg, msg_len);
PointGFp k_times_P = base_point * k;
BigInt r = k_times_P.get_affine_x() % order;
if(r == 0)
throw Internal_Error("ECDSA_Signature_Operation: r was zero");
BigInt k_inv = inverse_mod(k, order);
BigInt s = (((r * x) + e) * k_inv) % order;
SecureVector<byte> output(2*order.bytes());
r.binary_encode(output + (output.size() / 2 - r.bytes()));
s.binary_encode(output + (output.size() - s.bytes()));
return output;
}
ECDSA_Verification_Operation::ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa) :
base_point(ecdsa.domain().get_base_point()),
public_point(ecdsa.public_point()),
order(ecdsa.domain().get_order())
{
}
bool ECDSA_Verification_Operation::verify(const byte msg[], u32bit msg_len,
const byte sig[], u32bit sig_len)
{
if(sig_len != order.bytes()*2)
return false;
BigInt e(msg, msg_len);
BigInt r(sig, sig_len / 2);
BigInt s(sig + sig_len / 2, sig_len / 2);
if(r < 0 || r >= order || s < 0 || s >= order)
return false;
BigInt w = inverse_mod(s, order);
PointGFp R = w * (e * base_point + r * public_point);
if(R.is_zero())
return false;
return (R.get_affine_x() % order == r);
}
}
|