Crypto++  8.2
Free C&
gfpcrypt.h
Go to the documentation of this file.
1 // gfpcrypt.h - originally written and placed in the public domain by Wei Dai
2 // RFC6979 deterministic signatures added by Douglas Roark
3 // ECGDSA added by Jeffrey Walton
4 
5 /// \file gfpcrypt.h
6 /// \brief Classes and functions for schemes based on Discrete Logs (DL) over GF(p)
7 
8 #ifndef CRYPTOPP_GFPCRYPT_H
9 #define CRYPTOPP_GFPCRYPT_H
10 
11 #include "config.h"
12 
13 #if CRYPTOPP_MSC_VERSION
14 # pragma warning(push)
15 # pragma warning(disable: 4189 4231 4275)
16 #endif
17 
18 #include "cryptlib.h"
19 #include "pubkey.h"
20 #include "integer.h"
21 #include "modexppc.h"
22 #include "algparam.h"
23 #include "smartptr.h"
24 #include "sha.h"
25 #include "asn.h"
26 #include "hmac.h"
27 #include "misc.h"
28 
29 NAMESPACE_BEGIN(CryptoPP)
30 
31 CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters<Integer>;
32 
33 /// \brief Integer-based GroupParameters specialization
34 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBased : public ASN1CryptoMaterial<DL_GroupParameters<Integer> >
35 {
37 
38 public:
40 
41  /// \brief Initialize a group parameters over integers
42  /// \param params the group parameters
44  {Initialize(params.GetModulus(), params.GetSubgroupOrder(), params.GetSubgroupGenerator());}
45 
46  /// \brief Create a group parameters over integers
47  /// \param rng a RandomNumberGenerator derived class
48  /// \param pbits the size of p, in bits
49  /// \details This function overload of Initialize() creates a new private key because it
50  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
51  /// then use one of the other Initialize() overloads.
52  void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
53  {GenerateRandom(rng, MakeParameters("ModulusSize", (int)pbits));}
54 
55  /// \brief Initialize a group parameters over integers
56  /// \param p the modulus
57  /// \param g the generator
58  void Initialize(const Integer &p, const Integer &g)
59  {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(ComputeGroupOrder(p)/2);}
60 
61  /// \brief Initialize a group parameters over integers
62  /// \param p the modulus
63  /// \param q the subgroup order
64  /// \param g the generator
65  void Initialize(const Integer &p, const Integer &q, const Integer &g)
66  {SetModulusAndSubgroupGenerator(p, g); SetSubgroupOrder(q);}
67 
68  // ASN1Object interface
70  void DEREncode(BufferedTransformation &bt) const;
71 
72  // GeneratibleCryptoMaterial interface
73  /*! parameters: (ModulusSize, SubgroupOrderSize (optional)) */
74  void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
75  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
76  void AssignFrom(const NameValuePairs &source);
77 
78  // DL_GroupParameters
79  const Integer & GetSubgroupOrder() const {return m_q;}
80  Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
81  bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
82  bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
83  bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
84 
85  // Cygwin i386 crash at -O3; see http://github.com/weidai11/cryptopp/issues/40.
86  void EncodeElement(bool reversible, const Element &element, byte *encoded) const;
87  unsigned int GetEncodedElementSize(bool reversible) const;
88 
89  Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
90  Integer ConvertElementToInteger(const Element &element) const
91  {return element;}
92  Integer GetMaxExponent() const;
93  static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
94 
95  OID GetAlgorithmID() const;
96 
97  virtual const Integer & GetModulus() const =0;
98  virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
99 
100  void SetSubgroupOrder(const Integer &q)
101  {m_q = q; ParametersChanged();}
102 
103 protected:
104  Integer ComputeGroupOrder(const Integer &modulus) const
105  {return modulus-(GetFieldType() == 1 ? 1 : -1);}
106 
107  // GF(p) = 1, GF(p^2) = 2
108  virtual int GetFieldType() const =0;
109  virtual unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const;
110 
111 private:
112  Integer m_q;
113 };
114 
115 /// \brief Integer-based GroupParameters default implementation
116 /// \tparam GROUP_PRECOMP group parameters precomputation specialization
117 /// \tparam BASE_PRECOMP base class precomputation specialization
118 template <class GROUP_PRECOMP, class BASE_PRECOMP = DL_FixedBasePrecomputationImpl<typename GROUP_PRECOMP::Element> >
119 class CRYPTOPP_NO_VTABLE DL_GroupParameters_IntegerBasedImpl : public DL_GroupParametersImpl<GROUP_PRECOMP, BASE_PRECOMP, DL_GroupParameters_IntegerBased>
120 {
122 
123 public:
124  typedef typename GROUP_PRECOMP::Element Element;
125 
127 
128  // GeneratibleCryptoMaterial interface
129  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
130  {return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();}
131 
132  void AssignFrom(const NameValuePairs &source)
133  {AssignFromHelper<DL_GroupParameters_IntegerBased>(this, source);}
134 
135  // DL_GroupParameters
136  const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
138 
139  // IntegerGroupParameters
140  const Integer & GetModulus() const {return this->m_groupPrecomputation.GetModulus();}
141  const Integer & GetGenerator() const {return this->m_gpc.GetBase(this->GetGroupPrecomputation());}
142 
143  void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) // these have to be set together
144  {this->m_groupPrecomputation.SetModulus(p); this->m_gpc.SetBase(this->GetGroupPrecomputation(), g); this->ParametersChanged();}
145 
146  // non-inherited
148  {return GetModulus() == rhs.GetModulus() && GetGenerator() == rhs.GetGenerator() && this->GetSubgroupOrder() == rhs.GetSubgroupOrder();}
150  {return !operator==(rhs);}
151 };
152 
154 
155 /// \brief GF(p) group parameters
156 class CRYPTOPP_DLL DL_GroupParameters_GFP : public DL_GroupParameters_IntegerBasedImpl<ModExpPrecomputation>
157 {
158 public:
159  virtual ~DL_GroupParameters_GFP() {}
160 
161  // DL_GroupParameters
162  bool IsIdentity(const Integer &element) const {return element == Integer::One();}
163  void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
164 
165  // NameValuePairs interface
166  bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
167  {
168  return GetValueHelper<DL_GroupParameters_IntegerBased>(this, name, valueType, pValue).Assignable();
169  }
170 
171  // used by MQV
172  Element MultiplyElements(const Element &a, const Element &b) const;
173  Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
174 
175 protected:
176  int GetFieldType() const {return 1;}
177 };
178 
179 /// \brief GF(p) group parameters that default to safe primes
181 {
182 public:
184 
186 
187 protected:
188  unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
189 };
190 
191 /// ElGamal encryption due to due to ElGamal safe interop
192 /// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the
193 /// (in)security of ElGamal in OpenPGP</A>,
194 /// <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>,
195 /// <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A>
197 {
198 public:
200 
201  virtual ~DL_GroupParameters_ElGamal() {}
202 
204  {
205  return GetSubgroupOrder()-1;
206  }
207 };
208 
209 /// \brief GDSA algorithm
210 /// \tparam T FieldElement type or class
211 template <class T>
213 {
214 public:
215  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-1363";}
216 
217  virtual ~DL_Algorithm_GDSA() {}
218 
219  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
220  {
221  const Integer &q = params.GetSubgroupOrder();
222  r %= q;
223  Integer kInv = k.InverseMod(q);
224  s = (kInv * (x*r + e)) % q;
225  CRYPTOPP_ASSERT(!!r && !!s);
226  }
227 
228  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
229  {
230  const Integer &q = params.GetSubgroupOrder();
231  if (r>=q || r<1 || s>=q || s<1)
232  return false;
233 
234  Integer w = s.InverseMod(q);
235  Integer u1 = (e * w) % q;
236  Integer u2 = (r * w) % q;
237  // verify r == (g^u1 * y^u2 mod p) mod q
238  return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
239  }
240 };
241 
242 /// \brief DSA signature algorithm based on RFC 6979
243 /// \tparam T FieldElement type or class
244 /// \tparam H HashTransformation derived class
245 /// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the
246 /// Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
247 /// \since Crypto++ 6.0
248 template <class T, class H>
250 {
251 public:
252  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "DSA-RFC6979";}
253 
254  virtual ~DL_Algorithm_DSA_RFC6979() {}
255 
256  bool IsProbabilistic() const
257  {return false;}
258  bool IsDeterministic() const
259  {return true;}
260 
261  // Deterministic K
262  Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
263  {
264  static const byte zero = 0, one = 1;
265  const size_t qlen = q.BitCount();
266  const size_t rlen = BitsToBytes(qlen);
267 
268  // Step (a) - formatted E(m)
269  SecByteBlock BH(e.MinEncodedSize());
270  e.Encode(BH, BH.size());
271  BH = bits2octets(BH, q);
272 
273  // Step (a) - private key to byte array
274  SecByteBlock BX(STDMAX(rlen, x.MinEncodedSize()));
275  x.Encode(BX, BX.size());
276 
277  // Step (b)
278  SecByteBlock V(H::DIGESTSIZE);
279  std::fill(V.begin(), V.begin()+H::DIGESTSIZE, one);
280 
281  // Step (c)
282  SecByteBlock K(H::DIGESTSIZE);
283  std::fill(K.begin(), K.begin()+H::DIGESTSIZE, zero);
284 
285  // Step (d)
286  m_hmac.SetKey(K, K.size());
287  m_hmac.Update(V, V.size());
288  m_hmac.Update(&zero, 1);
289  m_hmac.Update(BX, BX.size());
290  m_hmac.Update(BH, BH.size());
291  m_hmac.TruncatedFinal(K, K.size());
292 
293  // Step (e)
294  m_hmac.SetKey(K, K.size());
295  m_hmac.Update(V, V.size());
296  m_hmac.TruncatedFinal(V, V.size());
297 
298  // Step (f)
299  m_hmac.SetKey(K, K.size());
300  m_hmac.Update(V, V.size());
301  m_hmac.Update(&one, 1);
302  m_hmac.Update(BX, BX.size());
303  m_hmac.Update(BH, BH.size());
304  m_hmac.TruncatedFinal(K, K.size());
305 
306  // Step (g)
307  m_hmac.SetKey(K, K.size());
308  m_hmac.Update(V, V.size());
309  m_hmac.TruncatedFinal(V, V.size());
310 
311  Integer k;
312  SecByteBlock temp(rlen);
313  for (;;)
314  {
315  // We want qlen bits, but we support only hash functions with an output length
316  // multiple of 8; hence, we will gather rlen bits, i.e., rolen octets.
317  size_t toff = 0;
318  while (toff < rlen)
319  {
320  m_hmac.Update(V, V.size());
321  m_hmac.TruncatedFinal(V, V.size());
322 
323  size_t cc = STDMIN(V.size(), temp.size() - toff);
324  memcpy_s(temp+toff, temp.size() - toff, V, cc);
325  toff += cc;
326  }
327 
328  k = bits2int(temp, qlen);
329  if (k > 0 && k < q)
330  break;
331 
332  // k is not in the proper range; update K and V, and loop.
333  m_hmac.Update(V, V.size());
334  m_hmac.Update(&zero, 1);
335  m_hmac.TruncatedFinal(K, K.size());
336 
337  m_hmac.SetKey(K, K.size());
338  m_hmac.Update(V, V.size());
339  m_hmac.TruncatedFinal(V, V.size());
340  }
341 
342  return k;
343  }
344 
345 protected:
346 
347  Integer bits2int(const SecByteBlock& bits, size_t qlen) const
348  {
349  Integer ret(bits, bits.size());
350  size_t blen = bits.size()*8;
351 
352  if (blen > qlen)
353  ret >>= blen - qlen;
354 
355  return ret;
356  }
357 
358  // RFC 6979 support function. Takes an integer and converts it into bytes that
359  // are the same length as an elliptic curve's order.
360  SecByteBlock int2octets(const Integer& val, size_t rlen) const
361  {
362  SecByteBlock block(val.MinEncodedSize());
363  val.Encode(block, val.MinEncodedSize());
364 
365  if (block.size() == rlen)
366  return block;
367 
368  // The least significant bytes are the ones we need to preserve.
369  SecByteBlock t(rlen);
370  if (block.size() > rlen)
371  {
372  size_t offset = block.size() - rlen;
373  std::memcpy(t, block + offset, rlen);
374  }
375  else // block.size() < rlen
376  {
377  size_t offset = rlen - block.size();
378  memset(t, '\x00', offset);
379  std::memcpy(t + offset, block, rlen - offset);
380  }
381 
382  return t;
383  }
384 
385  // Turn a stream of bits into a set of bytes with the same length as an elliptic
386  // curve's order.
387  SecByteBlock bits2octets(const SecByteBlock& in, const Integer& q) const
388  {
389  Integer b2 = bits2int(in, q.BitCount());
390  Integer b1 = b2 - q;
391  return int2octets(b1.IsNegative() ? b2 : b1, q.ByteCount());
392  }
393 
394 private:
395  mutable H m_hash;
396  mutable HMAC<H> m_hmac;
397 };
398 
399 /// \brief German Digital Signature Algorithm
400 /// \tparam T FieldElement type or class
401 /// \details The Digital Signature Scheme ECGDSA does not define the algorithm over integers. Rather, the
402 /// signature algorithm is only defined over elliptic curves. However, The library design is such that the
403 /// generic algorithm reside in <tt>gfpcrypt.h</tt>.
404 /// \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf">
405 /// The Digital Signature Scheme ECGDSA (October 24, 2006)</A>
406 template <class T>
408 {
409 public:
410  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "GDSA-ISO15946";}
411 
412  virtual ~DL_Algorithm_GDSA_ISO15946() {}
413 
414  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
415  {
416  const Integer &q = params.GetSubgroupOrder();
417  // r = x(k * G) mod q
418  r = params.ConvertElementToInteger(params.ExponentiateBase(k)) % q;
419  // s = (k * r - h(m)) * d_A mod q
420  s = (k * r - e) * x % q;
421  CRYPTOPP_ASSERT(!!r && !!s);
422  }
423 
424  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
425  {
426  const Integer &q = params.GetSubgroupOrder();
427  if (r>=q || r<1 || s>=q || s<1)
428  return false;
429 
430  const Integer& rInv = r.InverseMod(q);
431  const Integer u1 = (rInv * e) % q;
432  const Integer u2 = (rInv * s) % q;
433  // verify x(G^u1 + P_A^u2) mod q
434  return r == params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(u1, u2)) % q;
435  }
436 };
437 
438 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<Integer>;
439 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA1>;
440 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA224>;
441 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA256>;
442 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA384>;
443 CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_DSA_RFC6979<Integer, SHA512>;
444 
445 /// \brief NR algorithm
446 /// \tparam T FieldElement type or class
447 template <class T>
449 {
450 public:
451  CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "NR";}
452 
453  virtual ~DL_Algorithm_NR() {}
454 
455  void Sign(const DL_GroupParameters<T> &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
456  {
457  const Integer &q = params.GetSubgroupOrder();
458  r = (r + e) % q;
459  s = (k - x*r) % q;
460  CRYPTOPP_ASSERT(!!r);
461  }
462 
463  bool Verify(const DL_GroupParameters<T> &params, const DL_PublicKey<T> &publicKey, const Integer &e, const Integer &r, const Integer &s) const
464  {
465  const Integer &q = params.GetSubgroupOrder();
466  if (r>=q || r<1 || s>=q)
467  return false;
468 
469  // check r == (m_g^s * m_y^r + m) mod m_q
470  return r == (params.ConvertElementToInteger(publicKey.CascadeExponentiateBaseAndPublicElement(s, r)) + e) % q;
471  }
472 };
473 
474 /// \brief Discrete Log (DL) public key in GF(p) groups
475 /// \tparam GP GroupParameters derived class
476 /// \details DSA public key format is defined in 7.3.3 of RFC 2459. The private key format is defined in 12.9 of PKCS #11 v2.10.
477 template <class GP>
479 {
480 public:
481  virtual ~DL_PublicKey_GFP() {}
482 
483  /// \brief Initialize a public key over GF(p)
484  /// \param params the group parameters
485  /// \param y the public element
486  void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
487  {this->AccessGroupParameters().Initialize(params); this->SetPublicElement(y);}
488 
489  /// \brief Initialize a public key over GF(p)
490  /// \param p the modulus
491  /// \param g the generator
492  /// \param y the public element
493  void Initialize(const Integer &p, const Integer &g, const Integer &y)
494  {this->AccessGroupParameters().Initialize(p, g); this->SetPublicElement(y);}
495 
496  /// \brief Initialize a public key over GF(p)
497  /// \param p the modulus
498  /// \param q the subgroup order
499  /// \param g the generator
500  /// \param y the public element
501  void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
502  {this->AccessGroupParameters().Initialize(p, q, g); this->SetPublicElement(y);}
503 
504  // X509PublicKey
506  {this->SetPublicElement(Integer(bt));}
508  {this->GetPublicElement().DEREncode(bt);}
509 };
510 
511 /// \brief Discrete Log (DL) private key in GF(p) groups
512 /// \tparam GP GroupParameters derived class
513 template <class GP>
515 {
516 public:
517  virtual ~DL_PrivateKey_GFP();
518 
519  /// \brief Create a private key
520  /// \param rng a RandomNumberGenerator derived class
521  /// \param modulusBits the size of the modulus, in bits
522  /// \details This function overload of Initialize() creates a new private key because it
523  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
524  /// then use one of the other Initialize() overloads.
525  void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
526  {this->GenerateRandomWithKeySize(rng, modulusBits);}
527 
528  /// \brief Create a private key
529  /// \param rng a RandomNumberGenerator derived class
530  /// \param p the modulus
531  /// \param g the generator
532  /// \details This function overload of Initialize() creates a new private key because it
533  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
534  /// then use one of the other Initialize() overloads.
535  void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
536  {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupGenerator", g));}
537 
538  /// \brief Create a private key
539  /// \param rng a RandomNumberGenerator derived class
540  /// \param p the modulus
541  /// \param q the subgroup order
542  /// \param g the generator
543  /// \details This function overload of Initialize() creates a new private key because it
544  /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
545  /// then use one of the other Initialize() overloads.
546  void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
547  {this->GenerateRandom(rng, MakeParameters("Modulus", p)("SubgroupOrder", q)("SubgroupGenerator", g));}
548 
549  /// \brief Initialize a private key over GF(p)
550  /// \param params the group parameters
551  /// \param x the private exponent
552  void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
553  {this->AccessGroupParameters().Initialize(params); this->SetPrivateExponent(x);}
554 
555  /// \brief Initialize a private key over GF(p)
556  /// \param p the modulus
557  /// \param g the generator
558  /// \param x the private exponent
559  void Initialize(const Integer &p, const Integer &g, const Integer &x)
560  {this->AccessGroupParameters().Initialize(p, g); this->SetPrivateExponent(x);}
561 
562  /// \brief Initialize a private key over GF(p)
563  /// \param p the modulus
564  /// \param q the subgroup order
565  /// \param g the generator
566  /// \param x the private exponent
567  void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
568  {this->AccessGroupParameters().Initialize(p, q, g); this->SetPrivateExponent(x);}
569 };
570 
571 // Out-of-line dtor due to AIX and GCC, http://github.com/weidai11/cryptopp/issues/499
572 template <class GP>
574 
575 /// \brief Discrete Log (DL) signing/verification keys in GF(p) groups
577 {
581 };
582 
583 /// \brief Discrete Log (DL) encryption/decryption keys in GF(p) groups
585 {
589 };
590 
591 /// ElGamal encryption keys due to ElGamal safe interop
592 /// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the
593 /// (in)security of ElGamal in OpenPGP</A>,
594 /// <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>,
595 /// <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A>
597 {
601 };
602 
603 /// \brief DSA signature scheme
604 /// \tparam H HashTransformation derived class
605 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
606 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
607 template <class H>
608 struct GDSA : public DL_SS<
609  DL_SignatureKeys_GFP,
610  DL_Algorithm_GDSA<Integer>,
611  DL_SignatureMessageEncodingMethod_DSA,
612  H>
613 {
614 };
615 
616 /// \brief NR signature scheme
617 /// \tparam H HashTransformation derived class
618 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#NR">NR</a>
619 template <class H>
620 struct NR : public DL_SS<
621  DL_SignatureKeys_GFP,
622  DL_Algorithm_NR<Integer>,
623  DL_SignatureMessageEncodingMethod_NR,
624  H>
625 {
626 };
627 
628 /// \brief DSA group parameters
629 /// \details These are GF(p) group parameters that are allowed by the DSA standard
630 /// \sa DL_Keys_DSA
632 {
633 public:
634  virtual ~DL_GroupParameters_DSA() {}
635 
636  /*! also checks that the lengths of p and q are allowed by the DSA standard */
637  bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
638  /*! parameters: (ModulusSize), or (Modulus, SubgroupOrder, SubgroupGenerator) */
639  /*! ModulusSize must be between DSA::MIN_PRIME_LENGTH and DSA::MAX_PRIME_LENGTH, and divisible by DSA::PRIME_LENGTH_MULTIPLE */
640  void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
641 
642  static bool CRYPTOPP_API IsValidPrimeLength(unsigned int pbits)
643  {return pbits >= MIN_PRIME_LENGTH && pbits <= MAX_PRIME_LENGTH && pbits % PRIME_LENGTH_MULTIPLE == 0;}
644 
645  enum {MIN_PRIME_LENGTH = 1024, MAX_PRIME_LENGTH = 3072, PRIME_LENGTH_MULTIPLE = 1024};
646 };
647 
648 template <class H>
649 class DSA2;
650 
651 /// \brief DSA keys
652 /// \sa DL_GroupParameters_DSA
654 {
657 };
658 
659 /// \brief DSA signature scheme
660 /// \tparam H HashTransformation derived class
661 /// \details The class is named DSA2 instead of DSA for backwards compatibility because
662 /// DSA was a non-template class.
663 /// \details DSA default method GenerateRandom uses a 2048-bit modulus and a 224-bit subgoup by default.
664 /// The modulus can be changed using the following code:
665 /// <pre>
666 /// DSA::PrivateKey privateKey;
667 /// privateKey.GenerateRandomWithKeySize(prng, 2048);
668 /// </pre>
669 /// \details The subgroup order can be changed using the following code:
670 /// <pre>
671 /// AlgorithmParameters params = MakeParameters
672 /// (Name::ModulusSize(), 2048)
673 /// (Name::SubgroupOrderSize(), 256);
674 ///
675 /// DSA::PrivateKey privateKey;
676 /// privateKey.GenerateRandom(prng, params);
677 /// </pre>
678 /// \sa <a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA</a>, as specified in FIPS 186-3,
679 /// <a href="https://www.cryptopp.com/wiki/Digital_Signature_Algorithm">Digital Signature Algorithm</a> on the wiki, and
680 /// <a href="https://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</a> on the wiki.
681 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2, Crypto++ 6.1 for 2048-bit modulus.
682 template <class H>
683 class DSA2 : public DL_SS<
684  DL_Keys_DSA,
685  DL_Algorithm_GDSA<Integer>,
686  DL_SignatureMessageEncodingMethod_DSA,
687  H,
688  DSA2<H> >
689 {
690 public:
691  static std::string CRYPTOPP_API StaticAlgorithmName() {return "DSA/" + (std::string)H::StaticAlgorithmName();}
692 };
693 
694 /// \brief DSA deterministic signature scheme
695 /// \tparam H HashTransformation derived class
696 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>
697 /// \since Crypto++ 1.0 for DSA, Crypto++ 5.6.2 for DSA2
698 template <class H>
699 struct DSA_RFC6979 : public DL_SS<
700  DL_SignatureKeys_GFP,
701  DL_Algorithm_DSA_RFC6979<Integer, H>,
702  DL_SignatureMessageEncodingMethod_DSA,
703  H,
704  DSA_RFC6979<H> >
705 {
706  static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("DSA-RFC6979/") + H::StaticAlgorithmName();}
707 };
708 
709 /// DSA with SHA-1, typedef'd for backwards compatibility
710 typedef DSA2<SHA1> DSA;
711 
712 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_GFP<DL_GroupParameters_DSA>;
713 CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_GFP<DL_GroupParameters_DSA>;
715 
716 /// \brief P1363 based XOR Encryption Method
717 /// \tparam MAC MessageAuthenticationCode derived class used for MAC computation
718 /// \tparam DHAES_MODE flag indicating DHAES mode
719 /// \tparam LABEL_OCTETS flag indicating the label is octet count
720 /// \details DL_EncryptionAlgorithm_Xor is based on an early P1363 draft, which itself appears to be based on an
721 /// early Certicom SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used it in its Integrated
722 /// Ecryption Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
723 /// \details If you need this method for Crypto++ 4.2 compatibility, then use the ECIES template class with
724 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
725 /// \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with
726 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=ture</tt> and <tt>LABEL_OCTETS=false</tt>.
727 /// \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters.
728 /// \since Crypto++ 4.0
729 template <class MAC, bool DHAES_MODE, bool LABEL_OCTETS=false>
731 {
732 public:
733  virtual ~DL_EncryptionAlgorithm_Xor() {}
734 
735  bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
736  size_t GetSymmetricKeyLength(size_t plaintextLength) const
737  {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
738  size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
739  {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
740  size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
741  {return SaturatingSubtract(ciphertextLength, static_cast<size_t>(MAC::DIGESTSIZE));}
742  void SymmetricEncrypt(RandomNumberGenerator &rng, const byte *key, const byte *plaintext, size_t plaintextLength, byte *ciphertext, const NameValuePairs &parameters) const
743  {
744  CRYPTOPP_UNUSED(rng);
745  const byte *cipherKey = NULLPTR, *macKey = NULLPTR;
746  if (DHAES_MODE)
747  {
748  macKey = key;
749  cipherKey = key + MAC::DEFAULT_KEYLENGTH;
750  }
751  else
752  {
753  cipherKey = key;
754  macKey = key + plaintextLength;
755  }
756 
757  ConstByteArrayParameter encodingParameters;
758  parameters.GetValue(Name::EncodingParameters(), encodingParameters);
759 
760  if (plaintextLength) // Coverity finding
761  xorbuf(ciphertext, plaintext, cipherKey, plaintextLength);
762 
763  MAC mac(macKey);
764  mac.Update(ciphertext, plaintextLength);
765  mac.Update(encodingParameters.begin(), encodingParameters.size());
766  if (DHAES_MODE)
767  {
768  byte L[8];
769  PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
770  mac.Update(L, 8);
771  }
772  mac.Final(ciphertext + plaintextLength);
773  }
774  DecodingResult SymmetricDecrypt(const byte *key, const byte *ciphertext, size_t ciphertextLength, byte *plaintext, const NameValuePairs &parameters) const
775  {
776  size_t plaintextLength = GetMaxSymmetricPlaintextLength(ciphertextLength);
777  const byte *cipherKey, *macKey;
778  if (DHAES_MODE)
779  {
780  macKey = key;
781  cipherKey = key + MAC::DEFAULT_KEYLENGTH;
782  }
783  else
784  {
785  cipherKey = key;
786  macKey = key + plaintextLength;
787  }
788 
789  ConstByteArrayParameter encodingParameters;
790  parameters.GetValue(Name::EncodingParameters(), encodingParameters);
791 
792  MAC mac(macKey);
793  mac.Update(ciphertext, plaintextLength);
794  mac.Update(encodingParameters.begin(), encodingParameters.size());
795  if (DHAES_MODE)
796  {
797  byte L[8];
798  PutWord(false, BIG_ENDIAN_ORDER, L, (LABEL_OCTETS ? word64(encodingParameters.size()) : 8 * word64(encodingParameters.size())));
799  mac.Update(L, 8);
800  }
801  if (!mac.Verify(ciphertext + plaintextLength))
802  return DecodingResult();
803 
804  if (plaintextLength) // Coverity finding
805  xorbuf(plaintext, ciphertext, cipherKey, plaintextLength);
806 
807  return DecodingResult(plaintextLength);
808  }
809 };
810 
811 /// _
812 template <class T, bool DHAES_MODE, class KDF>
814 {
815 public:
816  virtual ~DL_KeyDerivationAlgorithm_P1363() {}
817 
818  bool ParameterSupported(const char *name) const {return strcmp(name, Name::KeyDerivationParameters()) == 0;}
819  void Derive(const DL_GroupParameters<T> &params, byte *derivedKey, size_t derivedLength, const T &agreedElement, const T &ephemeralPublicKey, const NameValuePairs &parameters) const
820  {
821  SecByteBlock agreedSecret;
822  if (DHAES_MODE)
823  {
824  agreedSecret.New(params.GetEncodedElementSize(true) + params.GetEncodedElementSize(false));
825  params.EncodeElement(true, ephemeralPublicKey, agreedSecret);
826  params.EncodeElement(false, agreedElement, agreedSecret + params.GetEncodedElementSize(true));
827  }
828  else
829  {
830  agreedSecret.New(params.GetEncodedElementSize(false));
831  params.EncodeElement(false, agreedElement, agreedSecret);
832  }
833 
834  ConstByteArrayParameter derivationParameters;
835  parameters.GetValue(Name::KeyDerivationParameters(), derivationParameters);
836  KDF::DeriveKey(derivedKey, derivedLength, agreedSecret, agreedSecret.size(), derivationParameters.begin(), derivationParameters.size());
837  }
838 };
839 
840 /// \brief Discrete Log Integrated Encryption Scheme
841 /// \tparam COFACTOR_OPTION cofactor multiplication option
842 /// \tparam HASH HashTransformation derived class used for key drivation and MAC computation
843 /// \tparam DHAES_MODE flag indicating if the MAC includes addition context parameters such as the label
844 /// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits
845 /// \details DLIES is an Integer based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation Method (KEM)
846 /// with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is
847 /// <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security.
848 /// You should prefer an Integrated Encryption Scheme over homegrown schemes.
849 /// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom
850 /// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption
851 /// Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
852 /// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the DLIES template class with
853 /// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
854 /// \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the DLIES
855 /// template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
856 /// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of
857 /// <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security.
858 /// SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the
859 /// security provided by the MAC. The hash is also used in the key derivation function as a PRF.
860 /// \details Below is an example of constructing a Crypto++ 4.2 compatible DLIES encryptor and decryptor.
861 /// <pre>
862 /// AutoSeededRandomPool prng;
863 /// DL_PrivateKey_GFP<DL_GroupParameters_GFP> key;
864 /// key.Initialize(prng, 2048);
865 ///
866 /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key);
867 /// DLIES<SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor);
868 /// </pre>
869 /// \sa ECIES, <a href="http://www.weidai.com/scan-mirror/ca.html#DLIES">Discrete Log Integrated Encryption Scheme (DLIES)</a>,
870 /// Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic
871 /// Curve Integrated Encryption Schemes</A>
872 /// \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility
873 template <class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS=false>
874 struct DLIES
875  : public DL_ES<
876  DL_CryptoKeys_GFP,
877  DL_KeyAgreementAlgorithm_DH<Integer, COFACTOR_OPTION>,
878  DL_KeyDerivationAlgorithm_P1363<Integer, DHAES_MODE, P1363_KDF2<HASH> >,
879  DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>,
880  DLIES<> >
881 {
882  static std::string CRYPTOPP_API StaticAlgorithmName() {return "DLIES";} // TODO: fix this after name is standardized
883 };
884 
885 NAMESPACE_END
886 
887 #if CRYPTOPP_MSC_VERSION
888 # pragma warning(pop)
889 #endif
890 
891 #endif
Classes for working with NameValuePairs.
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:502
Classes and functions for working with ANS.1 objects.
bool operator==(const OID &lhs, const OID &rhs)
Compare two OIDs for equality.
bool operator!=(const OID &lhs, const OID &rhs)
Compare two OIDs for inequality.
Encode and decode ASN.1 objects with additional information.
Definition: asn.h:381
virtual void DEREncode(BufferedTransformation &bt) const =0
Encode this object into a BufferedTransformation.
virtual void BERDecode(BufferedTransformation &bt)=0
Decode this object from a BufferedTransformation.
Interface for buffered transformations.
Definition: cryptlib.h:1599
Used to pass byte array input as part of a NameValuePairs object.
Definition: algparam.h:21
size_t size() const
Length of the memory block.
Definition: algparam.h:84
const byte * begin() const
Pointer to the first byte in the memory block.
Definition: algparam.h:80
DSA signature algorithm based on RFC 6979.
Definition: gfpcrypt.h:250
Integer GenerateRandom(const Integer &x, const Integer &q, const Integer &e) const
Generate k.
Definition: gfpcrypt.h:262
bool IsDeterministic() const
Signature scheme flag.
Definition: gfpcrypt.h:258
German Digital Signature Algorithm.
Definition: gfpcrypt.h:408
void Sign(const DL_GroupParameters< T > &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
Sign a message using a private key.
Definition: gfpcrypt.h:414
bool Verify(const DL_GroupParameters< T > &params, const DL_PublicKey< T > &publicKey, const Integer &e, const Integer &r, const Integer &s) const
Verify a message using a public key.
Definition: gfpcrypt.h:424
GDSA algorithm.
Definition: gfpcrypt.h:213
bool Verify(const DL_GroupParameters< T > &params, const DL_PublicKey< T > &publicKey, const Integer &e, const Integer &r, const Integer &s) const
Verify a message using a public key.
Definition: gfpcrypt.h:228
void Sign(const DL_GroupParameters< T > &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
Sign a message using a private key.
Definition: gfpcrypt.h:219
NR algorithm.
Definition: gfpcrypt.h:449
bool Verify(const DL_GroupParameters< T > &params, const DL_PublicKey< T > &publicKey, const Integer &e, const Integer &r, const Integer &s) const
Verify a message using a public key.
Definition: gfpcrypt.h:463
void Sign(const DL_GroupParameters< T > &params, const Integer &x, const Integer &k, const Integer &e, Integer &r, Integer &s) const
Sign a message using a private key.
Definition: gfpcrypt.h:455
Discrete Log (DL) encryption scheme.
Definition: pubkey.h:2306
Interface for Elgamal-like signature algorithms.
Definition: pubkey.h:1367
P1363 based XOR Encryption Method.
Definition: gfpcrypt.h:731
DSA group parameters.
Definition: gfpcrypt.h:632
ElGamal encryption due to due to ElGamal safe interop.
Definition: gfpcrypt.h:197
Integer GetMaxExponent() const
Retrieves the maximum exponent for the group.
Definition: gfpcrypt.h:203
GF(p) group parameters that default to safe primes.
Definition: gfpcrypt.h:181
GF(p) group parameters.
Definition: gfpcrypt.h:157
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: gfpcrypt.h:166
Integer-based GroupParameters specialization.
Definition: gfpcrypt.h:35
void Initialize(const Integer &p, const Integer &g)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:58
Integer GetGroupOrder() const
Retrieves the order of the group.
Definition: gfpcrypt.h:80
void Initialize(RandomNumberGenerator &rng, unsigned int pbits)
Create a group parameters over integers.
Definition: gfpcrypt.h:52
Integer ConvertElementToInteger(const Element &element) const
Converts an element to an Integer.
Definition: gfpcrypt.h:90
void Initialize(const DL_GroupParameters_IntegerBased &params)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:43
void Initialize(const Integer &p, const Integer &q, const Integer &g)
Initialize a group parameters over integers.
Definition: gfpcrypt.h:65
const Integer & GetSubgroupOrder() const
Retrieves the subgroup order.
Definition: gfpcrypt.h:79
Integer-based GroupParameters default implementation.
Definition: gfpcrypt.h:120
void AssignFrom(const NameValuePairs &source)
Assign values to this object.
Definition: gfpcrypt.h:132
const DL_FixedBasePrecomputation< Element > & GetBasePrecomputation() const
Retrieves the group precomputation.
Definition: gfpcrypt.h:136
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: gfpcrypt.h:129
DL_FixedBasePrecomputation< Element > & AccessBasePrecomputation()
Retrieves the group precomputation.
Definition: gfpcrypt.h:137
Interface for Discrete Log (DL) group parameters.
Definition: pubkey.h:754
virtual void EncodeElement(bool reversible, const Element &element, byte *encoded) const =0
Encodes the element.
virtual const Element & GetSubgroupGenerator() const
Retrieves the subgroup generator.
Definition: pubkey.h:829
virtual unsigned int GetEncodedElementSize(bool reversible) const =0
Retrieves the encoded element's size.
virtual Element ExponentiateBase(const Integer &exponent) const
Exponentiates the base.
Definition: pubkey.h:839
virtual const Integer & GetSubgroupOrder() const=0
Retrieves the subgroup order.
virtual Integer ConvertElementToInteger(const Element &element) const =0
Converts an element to an Integer.
Base implementation of Discrete Log (DL) group parameters.
Definition: pubkey.h:984
const DL_GroupPrecomputation< Element > & GetGroupPrecomputation() const
Retrieves the group precomputation.
Definition: pubkey.h:994
Interface for key derivation algorithms used in DL cryptosystems.
Definition: pubkey.h:1449
Discrete Log (DL) private key in GF(p) groups.
Definition: gfpcrypt.h:515
void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &q, const Integer &g)
Create a private key.
Definition: gfpcrypt.h:546
void Initialize(RandomNumberGenerator &rng, const Integer &p, const Integer &g)
Create a private key.
Definition: gfpcrypt.h:535
void Initialize(RandomNumberGenerator &rng, unsigned int modulusBits)
Create a private key.
Definition: gfpcrypt.h:525
void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:567
void Initialize(const Integer &p, const Integer &g, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:559
void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &x)
Initialize a private key over GF(p)
Definition: gfpcrypt.h:552
Discrete Log (DL) private key base implementation.
Definition: pubkey.h:1209
void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &params)
Generate a random key or crypto parameters.
Definition: pubkey.h:1239
void SetPrivateExponent(const Integer &x)
Sets the private exponent.
Definition: pubkey.h:1264
Discrete Log (DL) public key in GF(p) groups.
Definition: gfpcrypt.h:479
void Initialize(const DL_GroupParameters_IntegerBased &params, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:486
void Initialize(const Integer &p, const Integer &g, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:493
void DEREncodePublicKey(BufferedTransformation &bt) const
encode subjectPublicKey part of subjectPublicKeyInfo, without the BIT STRING header
Definition: gfpcrypt.h:507
void BERDecodePublicKey(BufferedTransformation &bt, bool, size_t)
decode subjectPublicKey part of subjectPublicKeyInfo, without the BIT STRING header
Definition: gfpcrypt.h:505
void Initialize(const Integer &p, const Integer &q, const Integer &g, const Integer &y)
Initialize a public key over GF(p)
Definition: gfpcrypt.h:501
Interface for Discrete Log (DL) public keys.
Definition: pubkey.h:1029
virtual void SetPublicElement(const Element &y)
Sets the public element.
Definition: pubkey.h:1063
virtual const Element & GetPublicElement() const
Retrieves the public element.
Definition: pubkey.h:1059
virtual Element CascadeExponentiateBaseAndPublicElement(const Integer &baseExp, const Integer &publicExp) const
Exponentiates an element.
Definition: pubkey.h:1080
Discrete Log (DL) public key base implementation.
Definition: pubkey.h:1299
Discrete Log (DL) signature scheme.
Definition: pubkey.h:2286
Interface for symmetric encryption algorithms used in DL cryptosystems.
Definition: pubkey.h:1460
DSA signature scheme.
Definition: gfpcrypt.h:689
Interface for deterministic signers.
Definition: pubkey.h:1420
void GenerateRandomWithKeySize(RandomNumberGenerator &rng, unsigned int keySize)
Generate a random key or crypto parameters.
Definition: cryptlib.cpp:811
Multiple precision integer with arithmetic operations.
Definition: integer.h:50
size_t MinEncodedSize(Signedness sign=UNSIGNED) const
Minimum number of bytes to encode this integer.
Definition: integer.cpp:3393
unsigned int BitCount() const
Determines the number of bits required to represent the Integer.
Definition: integer.cpp:3345
static const Integer & One()
Integer representing 1.
Definition: integer.cpp:4877
bool IsNegative() const
Determines if the Integer is negative.
Definition: integer.h:336
unsigned int ByteCount() const
Determines the number of bytes required to represent the Integer.
Definition: integer.cpp:3336
void Encode(byte *output, size_t outputLen, Signedness sign=UNSIGNED) const
Encode in big-endian format.
Definition: integer.cpp:3410
Integer InverseMod(const Integer &n) const
Calculate multiplicative inverse.
Definition: integer.cpp:4430
Interface for retrieving values given their names.
Definition: cryptlib.h:294
bool GetValue(const char *name, T &value) const
Get a named value.
Definition: cryptlib.h:350
Object Identifier.
Definition: asn.h:167
Interface for random number generators.
Definition: cryptlib.h:1384
iterator begin()
Provides an iterator pointing to the first element in the memory block.
Definition: secblock.h:772
void New(size_type newSize)
Change size without preserving contents.
Definition: secblock.h:965
size_type size() const
Provides the count of elements in the SecBlock.
Definition: secblock.h:797
SecBlock<byte> typedef.
Definition: secblock.h:1058
Library configuration file.
Abstract base classes that provide a uniform interface to this library.
@ BIG_ENDIAN_ORDER
byte order is big-endian
Definition: cryptlib.h:147
DSA2< SHA1 > DSA
DSA with SHA-1, typedef'd for backwards compatibility.
Definition: gfpcrypt.h:710
Classes for HMAC message authentication codes.
Multiple precision integer with arithmetic operations.
Utility functions for the Crypto++ library.
T1 SaturatingSubtract(const T1 &a, const T2 &b)
Performs a saturating subtract clamped at 0.
Definition: misc.h:1004
void memcpy_s(void *dest, size_t sizeInBytes, const void *src, size_t count)
Bounds checking replacement for memcpy()
Definition: misc.h:443
void xorbuf(byte *buf, const byte *mask, size_t count)
Performs an XOR of a buffer with a mask.
Definition: misc.cpp:32
size_t BitsToBytes(size_t bitCount)
Returns the number of 8-bit bytes or octets required for the specified number of bits.
Definition: misc.h:850
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition: misc.h:567
void PutWord(bool assumeAligned, ByteOrder order, byte *block, T value, const byte *xorBlock=NULL)
Access a block of memory.
Definition: misc.h:2428
const T & STDMAX(const T &a, const T &b)
Replacement function for std::max.
Definition: misc.h:578
Crypto++ library namespace.
const char * KeyDerivationParameters()
ConstByteArrayParameter.
Definition: argnames.h:67
const char * EncodingParameters()
ConstByteArrayParameter.
Definition: argnames.h:66
This file contains helper classes/functions for implementing public key algorithms.
Classes for SHA-1 and SHA-2 family of message digests.
Classes for automatic resource management.
ElGamal encryption keys due to ElGamal safe interop.
Definition: gfpcrypt.h:597
Discrete Log (DL) encryption/decryption keys in GF(p) groups.
Definition: gfpcrypt.h:585
DSA keys.
Definition: gfpcrypt.h:654
Discrete Log (DL) signing/verification keys in GF(p) groups.
Definition: gfpcrypt.h:577
Discrete Log Integrated Encryption Scheme.
Definition: gfpcrypt.h:881
DSA deterministic signature scheme.
Definition: gfpcrypt.h:705
Returns a decoding results.
Definition: cryptlib.h:256
Converts an enumeration to a type suitable for use as a template parameter.
Definition: cryptlib.h:136
DSA signature scheme.
Definition: gfpcrypt.h:613
NR signature scheme.
Definition: gfpcrypt.h:625
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:69