Crypto++ 8.2
eccrypto.h
1// eccrypto.h - originally written and placed in the public domain by Wei Dai
2// deterministic signatures added by Douglas Roark
3
4/// \file eccrypto.h
5/// \brief Classes and functions for Elliptic Curves over prime and binary fields
6
7#ifndef CRYPTOPP_ECCRYPTO_H
8#define CRYPTOPP_ECCRYPTO_H
9
10#include "config.h"
11#include "cryptlib.h"
12#include "pubkey.h"
13#include "integer.h"
14#include "asn.h"
15#include "hmac.h"
16#include "sha.h"
17#include "gfpcrypt.h"
18#include "dh.h"
19#include "mqv.h"
20#include "hmqv.h"
21#include "fhmqv.h"
22#include "ecp.h"
23#include "ec2n.h"
24
25#if CRYPTOPP_MSC_VERSION
26# pragma warning(push)
27# pragma warning(disable: 4231 4275)
28#endif
29
30NAMESPACE_BEGIN(CryptoPP)
31
32/// \brief Elliptic Curve Parameters
33/// \tparam EC elliptic curve field
34/// \details This class corresponds to the ASN.1 sequence of the same name
35/// in ANSI X9.62 and SEC 1. EC is currently defined for ECP and EC2N.
36template <class EC>
37class DL_GroupParameters_EC : public DL_GroupParametersImpl<EcPrecomputation<EC> >
38{
40
41public:
42 typedef EC EllipticCurve;
43 typedef typename EllipticCurve::Point Point;
44 typedef Point Element;
46
47 virtual ~DL_GroupParameters_EC() {}
48
49 /// \brief Construct an EC GroupParameters
50 DL_GroupParameters_EC() : m_compress(false), m_encodeAsOID(true) {}
51
52 /// \brief Construct an EC GroupParameters
53 /// \param oid the OID of a curve
55 : m_compress(false), m_encodeAsOID(true) {Initialize(oid);}
56
57 /// \brief Construct an EC GroupParameters
58 /// \param ec the elliptic curve
59 /// \param G the base point
60 /// \param n the order of the base point
61 /// \param k the cofactor
62 DL_GroupParameters_EC(const EllipticCurve &ec, const Point &G, const Integer &n, const Integer &k = Integer::Zero())
63 : m_compress(false), m_encodeAsOID(true) {Initialize(ec, G, n, k);}
64
65 /// \brief Construct an EC GroupParameters
66 /// \param bt BufferedTransformation with group parameters
68 : m_compress(false), m_encodeAsOID(true) {BERDecode(bt);}
69
70 /// \brief Initialize an EC GroupParameters using {EC,G,n,k}
71 /// \param ec the elliptic curve
72 /// \param G the base point
73 /// \param n the order of the base point
74 /// \param k the cofactor
75 /// \details This Initialize() function overload initializes group parameters from existing parameters.
/// \note The arguments are stored as given. Nothing in this function checks that
///  <tt>G</tt> lies on <tt>ec</tt> or that <tt>n</tt> is the order of <tt>G</tt>, so
///  parameters taken from an untrusted source should be passed through ValidateGroup()
///  before they are used.
void Initialize(const EllipticCurve &ec, const Point &G, const Integer &n, const Integer &k = Integer::Zero())
{
    // The curve is installed first; the generator is then set on top of it.
    this->m_groupPrecomputation.SetCurve(ec);
    this->SetSubgroupGenerator(G);

    // Order and cofactor are copied as supplied; k defaults to Integer::Zero().
    this->m_n = n;
    this->m_k = k;
}
83
84 /// \brief Initialize a DL_GroupParameters_EC from a curve OID
85 /// \param oid the OID of a curve
86 /// \details This Initialize() function overload initializes group parameters from the curve identified by <tt>oid</tt>.
87 void Initialize(const OID &oid);
88
89 // NameValuePairs
90 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
91 void AssignFrom(const NameValuePairs &source);
92
93 // GeneratibleCryptoMaterial interface
94 /// this implementation doesn't actually generate a curve, it just initializes the parameters with existing values
95 /*! parameters: (Curve, SubgroupGenerator, SubgroupOrder, Cofactor (optional)), or (GroupOID) */
97
98 // DL_GroupParameters
99 const DL_FixedBasePrecomputation<Element> & GetBasePrecomputation() const {return this->m_gpc;}
101 const Integer & GetSubgroupOrder() const {return m_n;}
102 Integer GetCofactor() const;
103 bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
104 bool ValidateElement(unsigned int level, const Element &element, const DL_FixedBasePrecomputation<Element> *precomp) const;
105 bool FastSubgroupCheckAvailable() const {return false;}
/// \brief Encodes an element into a caller-supplied buffer
/// \param reversible true for the full point encoding, false for the x-coordinate only
/// \param element the point to encode
/// \param encoded destination buffer
/// \details No buffer length is passed in, so the caller is responsible for sizing
///  <tt>encoded</tt>; GetEncodedElementSize(reversible) is the matching size query.
///  The reversible form follows the point compression setting (<tt>m_compress</tt>).
void EncodeElement(bool reversible, const Element &element, byte *encoded) const
{
    if (!reversible)
    {
        // Non-reversible form: only the x-coordinate is written, padded to the field length.
        element.x.Encode(encoded, GetEncodedElementSize(false));
        return;
    }

    GetCurve().EncodePoint(encoded, element, m_compress);
}
/// \brief Retrieves the encoded element's size
/// \param reversible true for the full point encoding, false for the x-coordinate only
/// \return the curve's encoded point size for the current compression setting when
///  <tt>reversible</tt> is true, otherwise the field's maximum element byte length
virtual unsigned int GetEncodedElementSize(bool reversible) const
{
    return reversible
        ? GetCurve().EncodedPointSize(m_compress)
        : GetCurve().GetField().MaxElementByteLength();
}
/// \brief Decodes an element from a caller-supplied buffer
/// \param encoded buffer holding a reversible point encoding
/// \param checkForGroupMembership if true, the decoded point is also passed to ValidateElement()
/// \return the decoded point
/// \throws DL_BadElement if the encoding cannot be decoded, or if the membership
///  check was requested and fails
/// \details GetEncodedElementSize(true) bytes are read from <tt>encoded</tt>. No length is
///  passed in, so the caller must guarantee the buffer is at least that long.
/// \details With <tt>checkForGroupMembership=false</tt> only DecodePoint() stands between the
///  input and the returned point, so points received from a peer should be decoded with
///  the check enabled. The check runs ValidateElement() at level 1; that function is
///  defined outside this listing, so what level 1 covers should be confirmed there.
Element DecodeElement(const byte *encoded, bool checkForGroupMembership) const
{
    Point decoded;
    const bool parsed = GetCurve().DecodePoint(decoded, encoded, GetEncodedElementSize(true));
    if (!parsed)
        throw DL_BadElement();

    if (checkForGroupMembership)
    {
        if (!ValidateElement(1, decoded, NULLPTR))
            throw DL_BadElement();
    }

    return decoded;
}
129 Integer ConvertElementToInteger(const Element &element) const;
131 bool IsIdentity(const Element &element) const {return element.identity;}
132 void SimultaneousExponentiate(Element *results, const Element &base, const Integer *exponents, unsigned int exponentsCount) const;
133 static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "EC";}
134
135 // ASN1Key
136 OID GetAlgorithmID() const;
137
138 // used by MQV
139 Element MultiplyElements(const Element &a, const Element &b) const;
140 Element CascadeExponentiate(const Element &element1, const Integer &exponent1, const Element &element2, const Integer &exponent2) const;
141
142 // non-inherited
143
144 // enumerate OIDs for recommended parameters, use OID() to get first one
145 static OID CRYPTOPP_API GetNextRecommendedParametersOID(const OID &oid);
146
147 void BERDecode(BufferedTransformation &bt);
148 void DEREncode(BufferedTransformation &bt) const;
149
150 void SetPointCompression(bool compress) {m_compress = compress;}
151 bool GetPointCompression() const {return m_compress;}
152
153 void SetEncodeAsOID(bool encodeAsOID) {m_encodeAsOID = encodeAsOID;}
154 bool GetEncodeAsOID() const {return m_encodeAsOID;}
155
156 const EllipticCurve& GetCurve() const {return this->m_groupPrecomputation.GetCurve();}
157
/// \brief Compares two sets of group parameters
/// \param rhs the other group parameters
/// \return true if the curves are equal and the base points are equal
/// \details Only the curve and the base point take part in the comparison. The order
///  <tt>m_n</tt>, the cofactor <tt>m_k</tt>, <tt>m_oid</tt> and the presentation flags are
///  not compared, so equality here is not proof that every parameter matches.
bool operator==(const ThisClass &rhs) const
{
    if (!(this->m_groupPrecomputation.GetCurve() == rhs.m_groupPrecomputation.GetCurve()))
        return false;

    return this->m_gpc.GetBase(this->m_groupPrecomputation) == rhs.m_gpc.GetBase(rhs.m_groupPrecomputation);
}
160
161protected:
162 unsigned int FieldElementLength() const {return GetCurve().GetField().MaxElementByteLength();}
163 unsigned int ExponentLength() const {return m_n.ByteCount();}
164
165 OID m_oid; // set if parameters loaded from a recommended curve
166 Integer m_n; // order of base point
167 mutable Integer m_k; // cofactor
168 mutable bool m_compress, m_encodeAsOID; // presentation details
169};
170
171/// \brief Elliptic Curve Discrete Log (DL) public key
172/// \tparam EC elliptic curve field
template <class EC>
class DL_PublicKey_EC : public DL_PublicKeyImpl<DL_GroupParameters_EC<EC> >
{
public:
    typedef typename EC::Point Element;

    virtual ~DL_PublicKey_EC() {}

    /// \brief Initialize an EC Public Key using {GP,Q}
    /// \param params group parameters
    /// \param Q the public point
    /// \details This Initialize() function overload initializes a public key from existing parameters.
    /// \note No validation call is visible in this function: <tt>params</tt> is copied and
    ///  <tt>Q</tt> is handed to SetPublicElement() as supplied. A key assembled from
    ///  untrusted input should be validated (for example with Validate()) before use.
    void Initialize(const DL_GroupParameters_EC<EC> &params, const Element &Q)
    {
        this->AccessGroupParameters() = params;
        this->SetPublicElement(Q);
    }

    /// \brief Initialize an EC Public Key using {EC,G,n,Q}
    /// \param ec the elliptic curve
    /// \param G the base point
    /// \param n the order of the base point
    /// \param Q the public point
    /// \details This Initialize() function overload initializes a public key from existing parameters.
    /// \note The group parameters are initialized from {ec,G,n} only, so the cofactor
    ///  takes the default of the group parameters' Initialize(). No validation call is
    ///  visible in this function; validate keys built from untrusted input before use.
    void Initialize(const EC &ec, const Element &G, const Integer &n, const Element &Q)
    {
        this->AccessGroupParameters().Initialize(ec, G, n);
        this->SetPublicElement(Q);
    }

    // X509PublicKey
    void BERDecodePublicKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
    void DEREncodePublicKey(BufferedTransformation &bt) const;
};
201
202/// \brief Elliptic Curve Discrete Log (DL) private key
203/// \tparam EC elliptic curve field
204template <class EC>
205class DL_PrivateKey_EC : public DL_PrivateKeyImpl<DL_GroupParameters_EC<EC> >
206{
207public:
208 typedef typename EC::Point Element;
209
210 virtual ~DL_PrivateKey_EC();
211
212 /// \brief Initialize an EC Private Key using {GP,x}
213 /// \param params group parameters
214 /// \param x the private exponent
215 /// \details This Initialize() function overload initializes a private key from existing parameters.
/// \note No range check on <tt>x</tt> is visible in this function; the exponent is handed
///  to SetPrivateExponent() as supplied. Validate keys loaded from untrusted input
///  before signing or decrypting with them.
void Initialize(const DL_GroupParameters_EC<EC> &params, const Integer &x)
{
    this->AccessGroupParameters() = params;
    this->SetPrivateExponent(x);
}
218
219 /// \brief Initialize an EC Private Key using {EC,G,n,x}
220 /// \param ec the elliptic curve
221 /// \param G the base point
222 /// \param n the order of the base point
223 /// \param x the private exponent
224 /// \details This Initialize() function overload initializes a private key from existing parameters.
/// \note The group parameters are initialized from {ec,G,n} only, and no range check on
///  <tt>x</tt> is visible in this function. Validate keys loaded from untrusted input
///  before use.
void Initialize(const EC &ec, const Element &G, const Integer &n, const Integer &x)
{
    this->AccessGroupParameters().Initialize(ec, G, n);
    this->SetPrivateExponent(x);
}
227
228 /// \brief Create an EC private key
229 /// \param rng a RandomNumberGenerator derived class
230 /// \param params the EC group parameters
231 /// \details This function overload of Initialize() creates a new private key because it
232 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
233 /// then use one of the other Initialize() overloads.
235 {this->GenerateRandom(rng, params);}
236
237 /// \brief Create an EC private key
238 /// \param rng a RandomNumberGenerator derived class
239 /// \param ec the elliptic curve
240 /// \param G the base point
241 /// \param n the order of the base point
242 /// \details This function overload of Initialize() creates a new private key because it
243 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
244 /// then use one of the other Initialize() overloads.
/// \note The new key is produced by GenerateRandom() from <tt>rng</tt>, so the generator
///  passed in must be suitable for key generation.
void Initialize(RandomNumberGenerator &rng, const EC &ec, const Element &G, const Integer &n)
{
    // Group parameters are built from {ec,G,n}; the cofactor argument is left at its default.
    const DL_GroupParameters_EC<EC> params(ec, G, n);
    this->GenerateRandom(rng, params);
}
247
248 // PKCS8PrivateKey
249 void BERDecodePrivateKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
250 void DEREncodePrivateKey(BufferedTransformation &bt) const;
251};
252
253// Out-of-line dtor due to AIX and GCC, http://github.com/weidai11/cryptopp/issues/499
254template<class EC>
256
257/// \brief Elliptic Curve Diffie-Hellman
258/// \tparam EC elliptic curve field
259/// \tparam COFACTOR_OPTION cofactor multiplication option
260/// \sa CofactorMultiplicationOption, <a href="http://www.weidai.com/scan-mirror/ka.html#ECDH">Elliptic Curve Diffie-Hellman, AKA ECDH</a>
261/// \since Crypto++ 3.0
262template <class EC, class COFACTOR_OPTION = typename DL_GroupParameters_EC<EC>::DefaultCofactorOption>
263struct ECDH
264{
265 typedef DH_Domain<DL_GroupParameters_EC<EC>, COFACTOR_OPTION> Domain;
266};
267
268/// \brief Elliptic Curve Menezes-Qu-Vanstone
269/// \tparam EC elliptic curve field
270/// \tparam COFACTOR_OPTION cofactor multiplication option
271/// \sa CofactorMultiplicationOption, <a href="http://www.weidai.com/scan-mirror/ka.html#ECMQV">Elliptic Curve Menezes-Qu-Vanstone, AKA ECMQV</a>
272template <class EC, class COFACTOR_OPTION = typename DL_GroupParameters_EC<EC>::DefaultCofactorOption>
273struct ECMQV
274{
275 typedef MQV_Domain<DL_GroupParameters_EC<EC>, COFACTOR_OPTION> Domain;
276};
277
278/// \brief Hashed Elliptic Curve Menezes-Qu-Vanstone
279/// \tparam EC elliptic curve field
280/// \tparam COFACTOR_OPTION cofactor multiplication option
281/// \details This implementation follows Hugo Krawczyk's <a href="http://eprint.iacr.org/2005/176">HMQV: A High-Performance
282/// Secure Diffie-Hellman Protocol</a>. Note: this implements HMQV only. HMQV-C with Key Confirmation is not provided.
283/// \sa CofactorMultiplicationOption
284template <class EC, class COFACTOR_OPTION = typename DL_GroupParameters_EC<EC>::DefaultCofactorOption, class HASH = SHA256>
285struct ECHMQV
286{
287 typedef HMQV_Domain<DL_GroupParameters_EC<EC>, COFACTOR_OPTION, HASH> Domain;
288};
289
294
295/// \brief Fully Hashed Elliptic Curve Menezes-Qu-Vanstone
296/// \tparam EC elliptic curve field
297/// \tparam COFACTOR_OPTION cofactor multiplication option
298/// \details This implementation follows Augustin P. Sarr and Philippe Elbaz–Vincent, and Jean–Claude Bajard's
299/// <a href="http://eprint.iacr.org/2009/408">A Secure and Efficient Authenticated Diffie-Hellman Protocol</a>.
300/// Note: this is FHMQV, Protocol 5, from page 11; and not FHMQV-C.
301/// \sa CofactorMultiplicationOption
302template <class EC, class COFACTOR_OPTION = typename DL_GroupParameters_EC<EC>::DefaultCofactorOption, class HASH = SHA256>
304{
305 typedef FHMQV_Domain<DL_GroupParameters_EC<EC>, COFACTOR_OPTION, HASH> Domain;
306};
307
312
313/// \brief Elliptic Curve Discrete Log (DL) keys
314/// \tparam EC elliptic curve field
315template <class EC>
317{
320};
321
322// Forward declaration; documented below
323template <class EC, class H>
324struct ECDSA;
325
326/// \brief Elliptic Curve DSA keys
327/// \tparam EC elliptic curve field
328/// \since Crypto++ 3.2
329template <class EC>
331{
334};
335
336/// \brief Elliptic Curve DSA (ECDSA) signature algorithm
337/// \tparam EC elliptic curve field
338/// \since Crypto++ 3.2
339template <class EC>
340class DL_Algorithm_ECDSA : public DL_Algorithm_GDSA<typename EC::Point>
341{
342public:
343 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "ECDSA";}
344};
345
346/// \brief Elliptic Curve DSA (ECDSA) signature algorithm based on RFC 6979
347/// \tparam EC elliptic curve field
348/// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">RFC 6979, Deterministic Usage of the
349/// Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
350/// \since Crypto++ 6.0
351template <class EC, class H>
352class DL_Algorithm_ECDSA_RFC6979 : public DL_Algorithm_DSA_RFC6979<typename EC::Point, H>
353{
354public:
355 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "ECDSA-RFC6979";}
356};
357
358/// \brief Elliptic Curve NR (ECNR) signature algorithm
359/// \tparam EC elliptic curve field
360template <class EC>
361class DL_Algorithm_ECNR : public DL_Algorithm_NR<typename EC::Point>
362{
363public:
364 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "ECNR";}
365};
366
367/// \brief Elliptic Curve DSA (ECDSA) signature scheme
368/// \tparam EC elliptic curve field
369/// \tparam H HashTransformation derived class
370/// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#ECDSA">ECDSA</a>
371/// \since Crypto++ 3.2
372template <class EC, class H>
373struct ECDSA : public DL_SS<DL_Keys_ECDSA<EC>, DL_Algorithm_ECDSA<EC>, DL_SignatureMessageEncodingMethod_DSA, H>
374{
375};
376
377/// \brief Elliptic Curve DSA (ECDSA) deterministic signature scheme
378/// \tparam EC elliptic curve field
379/// \tparam H HashTransformation derived class
380/// \sa <a href="http://tools.ietf.org/rfc/rfc6979.txt">Deterministic Usage of the
381/// Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</a>
382/// \since Crypto++ 6.0
383template <class EC, class H>
384struct ECDSA_RFC6979 : public DL_SS<
385 DL_Keys_ECDSA<EC>,
386 DL_Algorithm_ECDSA_RFC6979<EC, H>,
387 DL_SignatureMessageEncodingMethod_DSA,
388 H,
389 ECDSA_RFC6979<EC,H> >
390{
391 static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("ECDSA-RFC6979/") + H::StaticAlgorithmName();}
392};
393
394/// \brief Elliptic Curve NR (ECNR) signature scheme
395/// \tparam EC elliptic curve field
396/// \tparam H HashTransformation derived class
397template <class EC, class H = SHA1>
398struct ECNR : public DL_SS<DL_Keys_EC<EC>, DL_Algorithm_ECNR<EC>, DL_SignatureMessageEncodingMethod_NR, H>
399{
400};
401
402// ******************************************
403
404template <class EC>
406template <class EC>
408
409/// \brief Elliptic Curve German DSA key for ISO/IEC 15946
410/// \tparam EC elliptic curve field
411/// \sa ECGDSA
412/// \since Crypto++ 6.0
413template <class EC>
414class DL_PrivateKey_ECGDSA : public DL_PrivateKeyImpl<DL_GroupParameters_EC<EC> >
415{
416public:
417 typedef typename EC::Point Element;
418
419 virtual ~DL_PrivateKey_ECGDSA() {}
420
421 /// \brief Initialize an EC Private Key using {GP,x}
422 /// \param params group parameters
423 /// \param x the private exponent
424 /// \details This Initialize() function overload initializes a private key from existing parameters.
/// \note The range check on <tt>x</tt> is a CRYPTOPP_ASSERT, which is a diagnostic defined
///  elsewhere in the library and placed after the exponent has already been stored.
///  Where the assert is compiled out, an out-of-range <tt>x</tt> is accepted silently,
///  so callers that take <tt>x</tt> from outside should enforce 1 <= x <= n-1 themselves.
void Initialize(const DL_GroupParameters_EC<EC> &params, const Integer &x)
{
    this->AccessGroupParameters() = params;
    this->SetPrivateExponent(x);

    // Diagnostic only: expects x in [1, n-1], with n the subgroup order of params.
    CRYPTOPP_ASSERT(x>=1 && x<=params.GetSubgroupOrder()-1);
}
431
432 /// \brief Initialize an EC Private Key using {EC,G,n,x}
433 /// \param ec the elliptic curve
434 /// \param G the base point
435 /// \param n the order of the base point
436 /// \param x the private exponent
437 /// \details This Initialize() function overload initializes a private key from existing parameters.
/// \note The range check on <tt>x</tt> is a CRYPTOPP_ASSERT, which is a diagnostic defined
///  elsewhere in the library and placed after the exponent has already been stored.
///  Where the assert is compiled out, an out-of-range <tt>x</tt> is accepted silently,
///  so callers that take <tt>x</tt> from outside should enforce 1 <= x <= n-1 themselves.
void Initialize(const EC &ec, const Element &G, const Integer &n, const Integer &x)
{
    this->AccessGroupParameters().Initialize(ec, G, n);
    this->SetPrivateExponent(x);

    // Diagnostic only: the bound is read back from the group parameters initialized above.
    CRYPTOPP_ASSERT(x>=1 && x<=this->AccessGroupParameters().GetSubgroupOrder()-1);
}
444
445 /// \brief Create an EC private key
446 /// \param rng a RandomNumberGenerator derived class
447 /// \param params the EC group parameters
448 /// \details This function overload of Initialize() creates a new private key because it
449 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
450 /// then use one of the other Initialize() overloads.
452 {this->GenerateRandom(rng, params);}
453
454 /// \brief Create an EC private key
455 /// \param rng a RandomNumberGenerator derived class
456 /// \param ec the elliptic curve
457 /// \param G the base point
458 /// \param n the order of the base point
459 /// \details This function overload of Initialize() creates a new private key because it
460 /// takes a RandomNumberGenerator() as a parameter. If you have an existing keypair,
461 /// then use one of the other Initialize() overloads.
/// \note The new key is produced by GenerateRandom() from <tt>rng</tt>, so the generator
///  passed in must be suitable for key generation.
void Initialize(RandomNumberGenerator &rng, const EC &ec, const Element &G, const Integer &n)
{
    // Group parameters are built from {ec,G,n}; the cofactor argument is left at its default.
    const DL_GroupParameters_EC<EC> params(ec, G, n);
    this->GenerateRandom(rng, params);
}
464
465 virtual void MakePublicKey(DL_PublicKey_ECGDSA<EC> &pub) const
466 {
468 pub.AccessAbstractGroupParameters().AssignFrom(params);
469 const Integer &xInv = this->GetPrivateExponent().InverseMod(params.GetSubgroupOrder());
470 pub.SetPublicElement(params.ExponentiateBase(xInv));
471 CRYPTOPP_ASSERT(xInv.NotZero());
472 }
473
474 virtual bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
475 {
476 return GetValueHelper<DL_PrivateKey_ECGDSA<EC>,
477 DL_PrivateKey_ECGDSA<EC> >(this, name, valueType, pValue).Assignable();
478 }
479
480 virtual void AssignFrom(const NameValuePairs &source)
481 {
482 AssignFromHelper<DL_PrivateKey_ECGDSA<EC>,
483 DL_PrivateKey_ECGDSA<EC> >(this, source);
484 }
485
486 // PKCS8PrivateKey
487 void BERDecodePrivateKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
488 void DEREncodePrivateKey(BufferedTransformation &bt) const;
489};
490
491/// \brief Elliptic Curve German DSA key for ISO/IEC 15946
492/// \tparam EC elliptic curve field
493/// \sa ECGDSA
494/// \since Crypto++ 6.0
495template <class EC>
496class DL_PublicKey_ECGDSA : public DL_PublicKeyImpl<DL_GroupParameters_EC<EC> >
497{
499
500public:
501 typedef typename EC::Point Element;
502
503 virtual ~DL_PublicKey_ECGDSA() {}
504
505 /// \brief Initialize an EC Public Key using {GP,Q}
506 /// \param params group parameters
507 /// \param Q the public point
508 /// \details This Initialize() function overload initializes a public key from existing parameters.
509 void Initialize(const DL_GroupParameters_EC<EC> &params, const Element &Q)
510 {this->AccessGroupParameters() = params; this->SetPublicElement(Q);}
511
512 /// \brief Initialize an EC Public Key using {EC,G,n,Q}
513 /// \param ec the elliptic curve
514 /// \param G the base point
515 /// \param n the order of the base point
516 /// \param Q the public point
517 /// \details This Initialize() function overload initializes a public key from existing parameters.
518 void Initialize(const EC &ec, const Element &G, const Integer &n, const Element &Q)
519 {this->AccessGroupParameters().Initialize(ec, G, n); this->SetPublicElement(Q);}
520
/// \brief Assign values to this object
/// \param source a NameValuePairs to assign from
/// \details If <tt>source</tt> yields a DL_PrivateKey_ECGDSA through GetThisPointer(), the
///  public key is derived from that private key with MakePublicKey(). Otherwise the
///  group parameters and the PublicElement entry are taken from <tt>source</tt>.
/// \note No validation call is visible on either path in this function; validate the
///  resulting key before relying on it when <tt>source</tt> is not trusted.
virtual void AssignFrom(const NameValuePairs &source)
{
    DL_PrivateKey_ECGDSA<EC> *pPrivateKey = NULLPTR;
    if (source.GetThisPointer(pPrivateKey))
    {
        // source exposes a private key: derive the matching public key from it.
        pPrivateKey->MakePublicKey(*this);
        return;
    }

    // Plain name/value source: copy the group parameters, then the public element.
    this->AccessAbstractGroupParameters().AssignFrom(source);
    AssignFromHelper(this, source)
        CRYPTOPP_SET_FUNCTION_ENTRY(PublicElement);
}
533
534 // DL_PublicKey<T>
535 virtual void SetPublicElement(const Element &y)
536 {this->AccessPublicPrecomputation().SetBase(this->GetAbstractGroupParameters().GetGroupPrecomputation(), y);}
537
538 // X509PublicKey
539 void BERDecodePublicKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
540 void DEREncodePublicKey(BufferedTransformation &bt) const;
541};
542
543/// \brief Elliptic Curve German DSA keys for ISO/IEC 15946
544/// \tparam EC elliptic curve field
545/// \sa ECGDSA
546/// \since Crypto++ 6.0
547template <class EC>
549{
552};
553
554/// \brief Elliptic Curve German DSA signature algorithm
555/// \tparam EC elliptic curve field
556/// \sa ECGDSA
557/// \since Crypto++ 6.0
558template <class EC>
559class DL_Algorithm_ECGDSA : public DL_Algorithm_GDSA_ISO15946<typename EC::Point>
560{
561public:
562 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "ECGDSA";}
563};
564
565/// \brief Elliptic Curve German Digital Signature Algorithm signature scheme
566/// \tparam EC elliptic curve field
567/// \tparam H HashTransformation derived class
568/// \sa Erwin Hess, Marcus Schafheutle, and Pascale Serf <A
569/// HREF="http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf">The Digital Signature Scheme
570/// ECGDSA (October 24, 2006)</A>
571/// \since Crypto++ 6.0
572template <class EC, class H>
573struct ECGDSA : public DL_SS<
574 DL_Keys_ECGDSA<EC>,
575 DL_Algorithm_ECGDSA<EC>,
576 DL_SignatureMessageEncodingMethod_DSA,
577 H>
578{
579 static std::string CRYPTOPP_API StaticAlgorithmName() {return std::string("ECGDSA-ISO15946/") + H::StaticAlgorithmName();}
580};
581
582// ******************************************
583
584/// \brief Elliptic Curve Integrated Encryption Scheme
585/// \tparam COFACTOR_OPTION cofactor multiplication option
586/// \tparam HASH HashTransformation derived class used for key derivation and MAC computation
587/// \tparam DHAES_MODE flag indicating if the MAC includes additional context parameters such as <em>u·V</em>, <em>v·U</em> and label
588/// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits
589/// \details ECIES is an Elliptic Curve based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation
590/// Method (KEM) with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is
591/// <A HREF="http://en.wikipedia.org/wiki/ciphertext_indistinguishability">IND-CCA2</A>, which is a strong notion of security.
592/// You should prefer an Integrated Encryption Scheme over homegrown schemes.
593/// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom
594/// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Encryption
595/// Schemes with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
596/// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the ECIES template class with
597/// <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=false</tt> and <tt>LABEL_OCTETS=true</tt>.
598/// \details If you desire an Integrated Encryption Scheme with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES
599/// template class with <tt>NoCofactorMultiplication</tt>, <tt>DHAES_MODE=true</tt> and <tt>LABEL_OCTETS=false</tt>.
600/// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of
601/// <tt>IncompatibleCofactorMultiplication</tt> and <tt>DHAES_MODE=true</tt> is recommended for best efficiency and security.
602/// SHA1 is used for compatibility reasons, but it can be changed if desired. SHA-256 or another hash will likely improve the
603/// security provided by the MAC. The hash is also used in the key derivation function as a PRF.
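604/// \details Below is an example of constructing an ECIES encryptor and decryptor, presented as Crypto++ 4.2 compatible. Note that its template arguments set <tt>DHAES_MODE=true</tt>, while the text above gives <tt>DHAES_MODE=false</tt> for Crypto++ 4.2 compatibility, so confirm the setting against the peer implementation. The 160-bit curve and SHA1 in the example are legacy choices; pick a larger curve and a stronger hash when compatibility does not constrain you.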
605/// <pre>
606/// AutoSeededRandomPool prng;
607/// DL_PrivateKey_EC<ECP> key;
608/// key.Initialize(prng, ASN1::secp160r1());
609///
610/// ECIES<ECP,SHA1,NoCofactorMultiplication,true,true>::Decryptor decryptor(key);
611/// ECIES<ECP,SHA1,NoCofactorMultiplication,true,true>::Encryptor encryptor(decryptor);
612/// </pre>
613/// \sa DLIES, <a href="http://www.weidai.com/scan-mirror/ca.html#ECIES">Elliptic Curve Integrated Encryption Scheme (ECIES)</a>,
614/// Martínez, Encinas, and Ávila's <A HREF="http://digital.csic.es/bitstream/10261/32671/1/V2-I2-P7-13.pdf">A Survey of the Elliptic
615/// Curve Integrated Encryption Schemes</A>
616/// \since Crypto++ 4.0, Crypto++ 5.7 for Bouncy Castle and Botan compatibility
617template <class EC, class HASH = SHA1, class COFACTOR_OPTION = NoCofactorMultiplication, bool DHAES_MODE = true, bool LABEL_OCTETS = false>
618struct ECIES
619 : public DL_ES<
620 DL_Keys_EC<EC>,
621 DL_KeyAgreementAlgorithm_DH<typename EC::Point, COFACTOR_OPTION>,
622 DL_KeyDerivationAlgorithm_P1363<typename EC::Point, DHAES_MODE, P1363_KDF2<HASH> >,
623 DL_EncryptionAlgorithm_Xor<HMAC<HASH>, DHAES_MODE, LABEL_OCTETS>,
624 ECIES<EC> >
625{
626 // TODO: fix this after name is standardized
627 CRYPTOPP_STATIC_CONSTEXPR const char* CRYPTOPP_API StaticAlgorithmName() {return "ECIES";}
628};
629
630NAMESPACE_END
631
632#ifdef CRYPTOPP_MANUALLY_INSTANTIATE_TEMPLATES
633#include "eccrypto.cpp"
634#endif
635
636NAMESPACE_BEGIN(CryptoPP)
637
638CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters_EC<ECP>;
639CRYPTOPP_DLL_TEMPLATE_CLASS DL_GroupParameters_EC<EC2N>;
640CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKeyImpl<DL_GroupParameters_EC<ECP> >;
641CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKeyImpl<DL_GroupParameters_EC<EC2N> >;
642CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_EC<ECP>;
643CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_EC<EC2N>;
644CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_ECGDSA<ECP>;
645CRYPTOPP_DLL_TEMPLATE_CLASS DL_PublicKey_ECGDSA<EC2N>;
646CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKeyImpl<DL_GroupParameters_EC<ECP> >;
647CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKeyImpl<DL_GroupParameters_EC<EC2N> >;
648CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_EC<ECP>;
649CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_EC<EC2N>;
650CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_ECGDSA<ECP>;
651CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_ECGDSA<EC2N>;
652CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<ECP::Point>;
653CRYPTOPP_DLL_TEMPLATE_CLASS DL_Algorithm_GDSA<EC2N::Point>;
656
657NAMESPACE_END
658
659#if CRYPTOPP_MSC_VERSION
660# pragma warning(pop)
661#endif
662
663#endif
Classes and functions for working with ASN.1 objects.
Interface for buffered transformations.
Definition: cryptlib.h:1599
Diffie-Hellman domain.
Definition: dh.h:26
DSA signature algorithm based on RFC 6979.
Definition: gfpcrypt.h:232
Elliptic Curve DSA (ECDSA) signature algorithm based on RFC 6979.
Definition: eccrypto.h:353
Elliptic Curve DSA (ECDSA) signature algorithm.
Definition: eccrypto.h:341
Elliptic Curve German DSA signature algorithm.
Definition: eccrypto.h:560
Elliptic Curve NR (ECNR) signature algorithm.
Definition: eccrypto.h:362
German Digital Signature Algorithm.
Definition: gfpcrypt.h:390
GDSA algorithm.
Definition: gfpcrypt.h:195
NR algorithm.
Definition: gfpcrypt.h:431
Exception thrown when an invalid group element is encountered.
Definition: pubkey.h:744
Discrete Log (DL) encryption scheme.
Definition: pubkey.h:2299
DL_FixedBasePrecomputation interface.
Definition: eprecomp.h:61
Elliptic Curve Parameters.
Definition: eccrypto.h:38
DL_GroupParameters_EC(const OID &oid)
Construct an EC GroupParameters.
Definition: eccrypto.h:54
Integer GetCofactor() const
Retrieves the cofactor.
Definition: eccrypto.cpp:592
void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg)
this implementation doesn't actually generate a curve, it just initializes the parameters with existi...
Definition: eccrypto.cpp:532
virtual unsigned int GetEncodedElementSize(bool reversible) const
Retrieves the encoded element's size.
Definition: eccrypto.h:113
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition: eccrypto.cpp:494
Element DecodeElement(const byte *encoded, bool checkForGroupMembership) const
Decodes the element.
Definition: eccrypto.h:120
const Integer & GetSubgroupOrder() const
Retrieves the subgroup order.
Definition: eccrypto.h:101
DL_FixedBasePrecomputation< Element > & AccessBasePrecomputation()
Retrieves the group precomputation.
Definition: eccrypto.h:100
void AssignFrom(const NameValuePairs &source)
Assign values to this object.
Definition: eccrypto.cpp:511
DL_GroupParameters_EC()
Construct an EC GroupParameters.
Definition: eccrypto.h:50
const DL_FixedBasePrecomputation< Element > & GetBasePrecomputation() const
Retrieves the group precomputation.
Definition: eccrypto.h:99
bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const
Check the group for errors.
Definition: eccrypto.cpp:611
Integer GetMaxExponent() const
Retrieves the maximum exponent for the group.
Definition: eccrypto.h:130
void Initialize(const EllipticCurve &ec, const Point &G, const Integer &n, const Integer &k=Integer::Zero())
Initialize an EC GroupParameters using {EC,G,n,k}.
Definition: eccrypto.h:76
DL_GroupParameters_EC(const EllipticCurve &ec, const Point &G, const Integer &n, const Integer &k=Integer::Zero())
Construct an EC GroupParameters.
Definition: eccrypto.h:62
DL_GroupParameters_EC(BufferedTransformation &bt)
Construct an EC GroupParameters.
Definition: eccrypto.h:67
Interface for Discrete Log (DL) group parameters.
Definition: pubkey.h:754
virtual void SetSubgroupGenerator(const Element &base)
Sets the subgroup generator.
Definition: pubkey.h:834
virtual const Integer & GetSubgroupOrder() const =0
Retrieves the subgroup order.
virtual Element ExponentiateBase(const Integer &exponent) const
Exponentiates the base.
Definition: pubkey.h:839
Base implementation of Discrete Log (DL) group parameters.
Definition: pubkey.h:984
Elliptic Curve German DSA key for ISO/IEC 15946.
Definition: eccrypto.h:415
void Initialize(RandomNumberGenerator &rng, const EC &ec, const Element &G, const Integer &n)
Create an EC private key.
Definition: eccrypto.h:462
void Initialize(const DL_GroupParameters_EC< EC > &params, const Integer &x)
Initialize an EC Private Key using {GP,x}.
Definition: eccrypto.h:425
void Initialize(RandomNumberGenerator &rng, const DL_GroupParameters_EC< EC > &params)
Create an EC private key.
Definition: eccrypto.h:451
void Initialize(const EC &ec, const Element &G, const Integer &n, const Integer &x)
Initialize an EC Private Key using {EC,G,n,x}.
Definition: eccrypto.h:438
Elliptic Curve Discrete Log (DL) private key.
Definition: eccrypto.h:206
void Initialize(RandomNumberGenerator &rng, const DL_GroupParameters_EC< EC > &params)
Create an EC private key.
Definition: eccrypto.h:234
void Initialize(const DL_GroupParameters_EC< EC > &params, const Integer &x)
Initialize an EC Private Key using {GP,x}.
Definition: eccrypto.h:216
void Initialize(const EC &ec, const Element &G, const Integer &n, const Integer &x)
Initialize an EC Private Key using {EC,G,n,x}.
Definition: eccrypto.h:225
void Initialize(RandomNumberGenerator &rng, const EC &ec, const Element &G, const Integer &n)
Create an EC private key.
Definition: eccrypto.h:245
Discrete Log (DL) private key base implementation.
Definition: pubkey.h:1209
const DL_GroupParameters< Element > & GetAbstractGroupParameters() const
Definition: pubkey.h:1259
const Integer & GetPrivateExponent() const
Definition: pubkey.h:1263
void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &params)
Definition: pubkey.h:1239
Elliptic Curve German DSA public key for ISO/IEC 15946.
Definition: eccrypto.h:497
void Initialize(const EC &ec, const Element &G, const Integer &n, const Element &Q)
Initialize an EC Public Key using {EC,G,n,Q}.
Definition: eccrypto.h:518
void Initialize(const DL_GroupParameters_EC< EC > &params, const Element &Q)
Initialize an EC Public Key using {GP,Q}.
Definition: eccrypto.h:509
Elliptic Curve Discrete Log (DL) public key.
Definition: eccrypto.h:175
void Initialize(const EC &ec, const Element &G, const Integer &n, const Element &Q)
Initialize an EC Public Key using {EC,G,n,Q}.
Definition: eccrypto.h:194
void Initialize(const DL_GroupParameters_EC< EC > &params, const Element &Q)
Initialize an EC Public Key using {GP,Q}.
Definition: eccrypto.h:185
virtual void SetPublicElement(const Element &y)
Sets the public element.
Definition: pubkey.h:1063
Discrete Log (DL) public key base implementation.
Definition: pubkey.h:1299
DL_FixedBasePrecomputation< Element > & AccessPublicPrecomputation()
Definition: pubkey.h:1349
const DL_GroupParameters< Element > & GetAbstractGroupParameters() const
Definition: pubkey.h:1344
DL_GroupParameters< Element > & AccessAbstractGroupParameters()
Retrieves abstract group parameters.
Definition: pubkey.h:1345
Discrete Log (DL) signature scheme.
Definition: pubkey.h:2279
Fully Hashed Menezes-Qu-Vanstone in GF(p)
Definition: fhmqv.h:25
Hashed Menezes-Qu-Vanstone in GF(p)
Definition: hmqv.h:24
Multiple precision integer with arithmetic operations.
Definition: integer.h:50
static const Integer & Zero()
Integer representing 0.
Definition: integer.cpp:4865
bool NotZero() const
Determines if the Integer is non-0.
Definition: integer.h:333
unsigned int ByteCount() const
Determines the number of bytes required to represent the Integer.
Definition: integer.cpp:3336
Integer InverseMod(const Integer &n) const
Calculate multiplicative inverse.
Definition: integer.cpp:4430
MQV domain for performing authenticated key agreement.
Definition: mqv.h:29
Interface for retrieving values given their names.
Definition: cryptlib.h:294
bool GetThisPointer(T *&ptr) const
Get a pointer to this object.
Definition: cryptlib.h:337
Object Identifier.
Definition: asn.h:167
Interface for random number generators.
Definition: cryptlib.h:1384
SHA-1 message digest.
Definition: sha.h:27
SHA-256 message digest.
Definition: sha.h:65
SHA-384 message digest.
Definition: sha.h:177
SHA-512 message digest.
Definition: sha.h:142
Library configuration file.
Abstract base classes that provide a uniform interface to this library.
Classes for Diffie-Hellman key exchange.
Classes for Elliptic Curves over binary fields.
Classes for Elliptic Curves over prime fields.
Classes for Fully Hashed Menezes-Qu-Vanstone key agreement in GF(p)
Classes and functions for schemes based on Discrete Logs (DL) over GF(p)
Classes for HMAC message authentication codes.
Classes for Hashed Menezes-Qu-Vanstone key agreement in GF(p)
Multiple precision integer with arithmetic operations.
Classes for Menezes–Qu–Vanstone (MQV) key agreement.
Crypto++ library namespace.
This file contains helper classes/functions for implementing public key algorithms.
Classes for SHA-1 and SHA-2 family of message digests.
Elliptic Curve DSA keys.
Definition: eccrypto.h:331
Elliptic Curve German DSA keys for ISO/IEC 15946.
Definition: eccrypto.h:549
Elliptic Curve Discrete Log (DL) keys.
Definition: eccrypto.h:317
Elliptic Curve Diffie-Hellman.
Definition: eccrypto.h:264
Elliptic Curve DSA (ECDSA) deterministic signature scheme.
Definition: eccrypto.h:390
Elliptic Curve DSA (ECDSA) signature scheme.
Definition: eccrypto.h:374
Fully Hashed Elliptic Curve Menezes-Qu-Vanstone.
Definition: eccrypto.h:304
Elliptic Curve German Digital Signature Algorithm signature scheme.
Definition: eccrypto.h:578
Hashed Elliptic Curve Menezes-Qu-Vanstone.
Definition: eccrypto.h:286
Elliptic Curve Integrated Encryption Scheme.
Definition: eccrypto.h:625
Elliptic Curve Menezes-Qu-Vanstone.
Definition: eccrypto.h:274
Elliptic Curve NR (ECNR) signature scheme.
Definition: eccrypto.h:399
Converts an enumeration to a type suitable for use as a template parameter.
Definition: cryptlib.h:136
#define CRYPTOPP_ASSERT(exp)
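Debugging and diagnostic assertion. It is compiled out unless the library is built with debugging enabled, so it does not replace runtime validation of untrusted input.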
Definition: trap.h:69