/* * Create a giant, initialized with specified char[] data. */ giant giant_with_data(const unsigned char *d, int len) { int numDigits = BYTES_TO_GIANT_DIGITS(len); giant result; result = newGiant(numDigits); deserializeGiant(d, result, len); return result; }
/* * serialize, deserialize giants's n[] to/from byte stream. * First byte of byte stream is the MS byte of the resulting giant, * regardless of the size of giantDigit. * * No assumption is made about the alignment of cp. * * As of 7 Apr 1998, these routines are in compliance with IEEE P1363, * section 5.5.1, for the representation of a large integer as a byte * stream. */ void serializeGiant(giant g, unsigned char *cp, unsigned numBytes) { unsigned digitDex; unsigned numDigits = BYTES_TO_GIANT_DIGITS(numBytes); giantDigit digit; unsigned char *ptr; unsigned digitByte; int size = abs(g->sign); if(numBytes == 0) { return; } if(numBytes > (g->capacity * GIANT_BYTES_PER_DIGIT)) { CKRaise("serializeGiant: CAPACITY EXCEEDED!\n"); } /* * note we might be asked to write more than the valid number * if bytes in the giant in the case if truncated sign due to * zero M.S. digit(s).... */ /* * zero out unused digits so we can infer sign during deserialize */ for(digitDex=size; digitDex<numDigits; digitDex++) { g->n[digitDex] = 0; } /* * Emit bytes starting from l.s. byte. L.s. byte of the outgoing * data stream is *last*. L.s. digit of giant's digits is *first*. */ digitDex = 0; ptr = &cp[numBytes - 1]; do { /* one loop per giant digit */ digit = g->n[digitDex++]; for(digitByte=0; digitByte<GIANT_BYTES_PER_DIGIT; digitByte++) { /* one loop per byte in the digit */ *ptr-- = (unsigned char)digit; if(--numBytes == 0) { break; } digit >>= 8; } } while(numBytes != 0); }
int main(int argc, char **argv) { int arg; char *argp; giant *g1; giant *g2; // ditto unsigned char *buf; // random data unsigned numDigits; unsigned i; unsigned numBytes; unsigned mulgElapsed; unsigned sqrElapsed; int loops = LOOPS_DEF; int seedSpec = 0; unsigned seed = 0; unsigned maxSize = MAX_SIZE_DEF; unsigned minSize = MIN_SIZE_DEF; int useOld = 0; initCryptKit(); #if macintosh argc = ccommand(&argv); #endif for(arg=1; arg<argc; arg++) { argp = argv[arg]; switch(argp[0]) { case 'x': maxSize = atoi(&argp[2]); break; case 'n': minSize = atoi(&argp[2]); break; case 'l': loops = atoi(&argp[2]); break; case 'o': useOld = 1; break; case 's': seed = atoi(&argp[2]); seedSpec = 1; break; case 'h': default: usage(argv); } } buf = malloc(maxSize); if(!seedSpec) { unsigned long tim; time(&tim); seed = (unsigned)tim; } SRAND(seed); /* * Scratch giants, big enough for anything. Malloc here, init with * random data before each test * note these mallocs will be too big in the useOld case... */ g1 = malloc(sizeof(giant) * loops); g2 = malloc(sizeof(giant) * loops); if((g1 == NULL) || (g2 == NULL)) { printf("malloc error\n"); exit(1); } if(useOld) { numDigits = ((2 * maxSize) + 1) / 2; } else { numDigits = BYTES_TO_GIANT_DIGITS(2 * maxSize); } for(i=0; i<loops; i++) { g1[i] = newGiant(numDigits); g2[i] = newGiant(numDigits); if((g1[i] == NULL) || (g2[i] == NULL)) { printf("malloc error\n"); exit(1); } } printf("Starting giants test: seed %d\n", seed); for(numBytes=minSize; numBytes<=maxSize; numBytes*=2) { initRandGiants(numBytes, buf, loops, g1, g2); mulgElapsed = mulgTest(loops, g1, g2); initRandGiants(numBytes, buf, loops, g1, g2); sqrElapsed = squareTest(loops, g1, g2); printf(" bits : %4d mulg : %3d ns gsquare : %3d ns\n", numBytes * 8, mulgElapsed / loops, sqrElapsed / loops); } /* for numBytes */ return 0; }
feeReturn feeECDSAVerify(const unsigned char *sigData, size_t sigDataLen, const unsigned char *data, unsigned dataLen, feePubKey pubKey, feeSigFormat format) { /* giant integers per IEEE P1363 notation */ giant h; // s^(-1) giant h1; // f h giant h2; // c times h giant littleC; // newGiant from ECDSA_decode giant littleD; // ditto giant c; // borrowed, full size giant d; // ditto giant cPrime = NULL; // i mod r pointProj h1G = NULL; // h1 'o' G pointProj h2W = NULL; // h2 'o' W key W; // i.e., their public key unsigned version; feeReturn frtn; curveParams *cp = feePubKeyCurveParams(pubKey); unsigned groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8); int result; if(cp == NULL) { return FR_BadPubKey; } /* * First decode the byteRep string. */ frtn = ECDSA_decode( format, groupBytesLen, sigData, sigDataLen, &littleC, &littleD, &version); if(frtn) { return frtn; } /* * littleC and littleD have capacity = abs(sign), probably * not big enough.... */ c = borrowGiant(cp->maxDigits); d = borrowGiant(cp->maxDigits); gtog(littleC, c); gtog(littleD, d); freeGiant(littleC); freeGiant(littleD); sigDbg(("ECDSA verify:\n")); /* * Verify that c and d are within [1,group_order-1] */ if((gcompg(cp->cOrderPlus, c) != 1) || (gcompg(cp->cOrderPlus, d) != 1) || isZero(c) || isZero(d)) { returnGiant(c); returnGiant(d); return FR_InvalidSignature; } /* * W = signer's public key */ W = feePubKeyPlusCurve(pubKey); /* * 1) Compute h = d^(-1) (mod x1OrderPlus); */ SIGPROF_START; h = borrowGiant(cp->maxDigits); gtog(d, h); binvg_x1OrderPlus(cp, h); SIGPROF_END(vfyStep1); /* * 2) h1 = digest as giant (skips assigning to 'f' in P1363) */ if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) { h1 = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen)); } else { h1 = borrowGiant(cp->maxDigits); } deserializeGiant(data, h1, dataLen); /* * Certicom SEC1 states that if the digest is larger than the modulus, * use the left q bits of the digest. */ unsigned hashBits = dataLen * 8; if(hashBits > cp->q) { gshiftright(hashBits - cp->q, h1); } sigLogGiant(" Wx : ", W->x); sigLogGiant(" f : ", h1); sigLogGiant(" c : ", c); sigLogGiant(" d : ", d); sigLogGiant(" s^(-1) : ", h); /* * 3) Compute h1 = f * h mod x1OrderPlus; */ SIGPROF_START; mulg(h, h1); // h1 := f * h x1OrderPlusMod(h1, cp); SIGPROF_END(vfyStep3); /* * 4) Compute h2 = c * h (mod x1OrderPlus); */ SIGPROF_START; h2 = borrowGiant(cp->maxDigits); gtog(c, h2); mulg(h, h2); // h2 := c * h x1OrderPlusMod(h2, cp); SIGPROF_END(vfyStep4); /* * 5) Compute h2W = h2 'o' W (W = theirPub) */ CKASSERT((W->y != NULL) && !isZero(W->y)); h2W = newPointProj(cp->maxDigits); gtog(W->x, h2W->x); gtog(W->y, h2W->y); int_to_giant(1, h2W->z); ellMulProjSimple(h2W, h2, cp); /* * 6) Compute h1G = h1 'o' G (G = {x1Plus, y1Plus, 1} ) */ CKASSERT((cp->y1Plus != NULL) && !isZero(cp->y1Plus)); h1G = newPointProj(cp->maxDigits); gtog(cp->x1Plus, h1G->x); gtog(cp->y1Plus, h1G->y); int_to_giant(1, h1G->z); ellMulProjSimple(h1G, h1, cp); /* * 7) h1G := (h1 'o' G) + (h2 'o' W) */ ellAddProj(h1G, h2W, cp); /* * 8) If elliptic sum is point at infinity, signature is bad; stop. */ if(isZero(h1G->z)) { dbgLog(("feeECDSAVerify: h1 * G = point at infinity\n")); result = 1; goto vfyDone; } normalizeProj(h1G, cp); /* * 9) cPrime = x coordinate of elliptic sum, mod x1OrderPlus */ cPrime = borrowGiant(cp->maxDigits); gtog(h1G->x, cPrime); x1OrderPlusMod(cPrime, cp); /* * 10) Good sig iff cPrime == c */ result = gcompg(c, cPrime); vfyDone: if(result) { frtn = FR_InvalidSignature; #if LOG_BAD_SIG printf("***yup, bad sig***\n"); #endif // LOG_BAD_SIG } else { frtn = FR_Success; } returnGiant(c); returnGiant(d); returnGiant(h); returnGiant(h1); returnGiant(h2); if(h1G != NULL) { freePointProj(h1G); } if(h2W != NULL) { freePointProj(h2W); } if(cPrime != NULL) { returnGiant(cPrime); } return frtn; }
feeReturn feeECDSASign( feePubKey pubKey, feeSigFormat format, // Signature format DER 9.62 / RAW const unsigned char *data, // data to be signed unsigned dataLen, // in bytes feeRandFcn randFcn, // optional void *randRef, // optional unsigned char **sigData, // malloc'd and RETURNED unsigned *sigDataLen) // RETURNED { curveParams *cp; /* giant integers per IEEE P1363 notation */ giant c; // both 1363 'c' and 'i' // i.e., x-coord of u's pub key giant d; giant u; // random private key giant s; // private key as giant giant f; // data (message) as giant feeReturn frtn = FR_Success; feeRand frand; unsigned char *randBytes; unsigned randBytesLen; unsigned groupBytesLen; giant privGiant; #if ECDSA_SIGN_USE_PROJ pointProjStruct pt; // pt->x = c giant pty; // pt->y giant ptz; // pt->z #endif // ECDSA_SIGN_USE_PROJ if(pubKey == NULL) { return FR_BadPubKey; } cp = feePubKeyCurveParams(pubKey); if(cp == NULL) { return FR_BadPubKey; } if(cp->curveType != FCT_Weierstrass) { return FR_IllegalCurve; } CKASSERT(!isZero(cp->x1OrderPlus)); /* * Private key and message to be signed as giants */ privGiant = feePubKeyPrivData(pubKey); if(privGiant == NULL) { dbgLog(("Attempt to Sign without private data\n")); return FR_IllegalArg; } s = borrowGiant(cp->maxDigits); gtog(privGiant, s); if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) { f = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen)); } else { f = borrowGiant(cp->maxDigits); } deserializeGiant(data, f, dataLen); /* * Certicom SEC1 states that if the digest is larger than the modulus, * use the left q bits of the digest. */ unsigned hashBits = dataLen * 8; if(hashBits > cp->q) { gshiftright(hashBits - cp->q, f); } sigDbg(("ECDSA sign:\n")); sigLogGiant(" s : ", s); sigLogGiant(" f : ", f); c = borrowGiant(cp->maxDigits); d = borrowGiant(cp->maxDigits); u = borrowGiant(cp->maxDigits); if(randFcn == NULL) { frand = feeRandAlloc(); } else { frand = NULL; } /* * Random size is just larger than base prime */ groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8); randBytesLen = groupBytesLen+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits" randBytes = (unsigned char*) fmalloc(randBytesLen); #if ECDSA_SIGN_USE_PROJ /* quick temp pointProj */ pty = borrowGiant(cp->maxDigits); ptz = borrowGiant(cp->maxDigits); pt.x = c; pt.y = pty; pt.z = ptz; #endif // ECDSA_SIGN_USE_PROJ while(1) { /* Repeat this loop until we have a non-zero c and d */ /* * 1) Obtain random u in [2, x1OrderPlus-2] */ SIGPROF_START; if(randFcn) { randFcn(randRef, randBytes, randBytesLen); } else { feeRandBytes(frand, randBytes, randBytesLen); } deserializeGiant(randBytes, u, randBytesLen); sigLogGiant(" raw u : ", u); sigLogGiant(" order : ", cp->x1OrderPlus); x1OrderPlusJustify(u, cp); SIGPROF_END(signStep1); sigLogGiant(" in range u : ", u); /* * note 'o' indicates elliptic multiply, * is integer mult. * * 2) Compute x coordinate, call it c, of u 'o' G * 3) Reduce: c := c mod x1OrderPlus; * 4) If c == 0, goto (1); */ SIGPROF_START; gtog(cp->x1Plus, c); #if ECDSA_SIGN_USE_PROJ /* projective coordinates */ gtog(cp->y1Plus, pty); int_to_giant(1, ptz); ellMulProjSimple(&pt, u, cp); #else /* ECDSA_SIGN_USE_PROJ */ /* the FEE way */ elliptic_simple(c, u, cp); #endif /* ECDSA_SIGN_USE_PROJ */ SIGPROF_END(signStep2); SIGPROF_START; x1OrderPlusMod(c, cp); SIGPROF_END(signStep34); if(isZero(c)) { dbgLog(("feeECDSASign: zero modulo (1)\n")); continue; } /* * 5) Compute u^(-1) mod x1OrderPlus; */ SIGPROF_START; gtog(u, d); binvg_x1OrderPlus(cp, d); SIGPROF_END(signStep5); sigLogGiant(" u^(-1) : ", d); /* * 6) Compute signature d as: * d = [u^(-1) (f + s*c)] (mod x1OrderPlus) */ SIGPROF_START; mulg(c, s); // s *= c x1OrderPlusMod(s, cp); addg(f, s); // s := f + (s * c) x1OrderPlusMod(s, cp); mulg(s, d); // d := u^(-1) (f + (s * c)) x1OrderPlusMod(d, cp); SIGPROF_END(signStep67); /* * 7) If d = 0, goto (1); */ if(isZero(d)) { dbgLog(("feeECDSASign: zero modulo (2)\n")); continue; } sigLogGiant(" c : ", c); sigLogGiant(" d : ", d); break; // normal successful exit } /* * 8) signature is now the integer pair (c, d). */ /* * Cook up raw data representing the signature. */ SIGPROF_START; ECDSA_encode(format,groupBytesLen, c, d, sigData, sigDataLen); SIGPROF_END(signStep8); if(frand != NULL) { feeRandFree(frand); } ffree(randBytes); returnGiant(u); returnGiant(d); returnGiant(c); returnGiant(f); returnGiant(s); #if ECDSA_SIGN_USE_PROJ returnGiant(pty); returnGiant(ptz); #endif /* ECDSA_SIGN_USE_PROJ */ return frtn; }