/** * Generate a signature for the given message using the key we were * initialised with. For conventional DSA the message should be a SHA-1 * hash of the message of interest. * * @param message the message that will be verified later. */ public virtual BigInteger[] GenerateSignature(byte[] message) { DsaParameters parameters = key.Parameters; BigInteger q = parameters.Q; BigInteger m = CalculateE(q, message); BigInteger x = ((DsaPrivateKeyParameters)key).X; if (kCalculator.IsDeterministic) { kCalculator.Init(q, x, message); } else { kCalculator.Init(q, random); } BigInteger k = kCalculator.NextK(); BigInteger r = parameters.G.ModPow(k, parameters.P).Mod(q); k = BigIntegers.ModOddInverse(q, k).Multiply(m.Add(x.Multiply(r))); BigInteger s = k.Mod(q); return(new BigInteger[] { r, s }); }
public RsaSecretBcpgKey( BigInteger d, BigInteger p, BigInteger q) { // PGP requires (p < q) int cmp = p.CompareTo(q); if (cmp >= 0) { if (cmp == 0) { throw new ArgumentException("p and q cannot be equal"); } BigInteger tmp = p; p = q; q = tmp; } this.d = new MPInteger(d); this.p = new MPInteger(p); this.q = new MPInteger(q); this.u = new MPInteger(BigIntegers.ModOddInverse(q, p)); this.expP = d.Remainder(p.Subtract(BigInteger.One)); this.expQ = d.Remainder(q.Subtract(BigInteger.One)); this.crt = BigIntegers.ModOddInverse(p, q); }
/* * Unblind the message blinded with the blind factor. */ private BigInteger UnblindMessage( BigInteger blindedMsg) { BigInteger m = key.Modulus; BigInteger msg = blindedMsg; BigInteger blindFactorInverse = BigIntegers.ModOddInverse(m, blindingFactor); msg = msg.Multiply(blindFactorInverse); msg = msg.Mod(m); return(msg); }
public RsaSecretBcpgKey( BcpgInputStream bcpgIn) { this.d = new MPInteger(bcpgIn); this.p = new MPInteger(bcpgIn); this.q = new MPInteger(bcpgIn); this.u = new MPInteger(bcpgIn); this.expP = d.Value.Remainder(p.Value.Subtract(BigInteger.One)); this.expQ = d.Value.Remainder(q.Value.Subtract(BigInteger.One)); this.crt = BigIntegers.ModOddInverse(p.Value, q.Value); }
/** * Process a single block using the basic RSA algorithm. * * @param inBuf the input array. * @param inOff the offset into the input buffer where the data starts. * @param inLen the length of the data to be processed. * @return the result of the RSA process. * @exception DataLengthException the input block is too large. */ public virtual byte[] ProcessBlock( byte[] inBuf, int inOff, int inLen) { if (key == null) { throw new InvalidOperationException("RSA engine not initialised"); } BigInteger input = core.ConvertInput(inBuf, inOff, inLen); BigInteger result; if (key is RsaPrivateCrtKeyParameters) { RsaPrivateCrtKeyParameters k = (RsaPrivateCrtKeyParameters)key; BigInteger e = k.PublicExponent; if (e != null) // can't do blinding without a public exponent { BigInteger m = k.Modulus; BigInteger r = BigIntegers.CreateRandomInRange( BigInteger.One, m.Subtract(BigInteger.One), random); BigInteger blindedInput = r.ModPow(e, m).Multiply(input).Mod(m); BigInteger blindedResult = core.ProcessBlock(blindedInput); BigInteger rInv = BigIntegers.ModOddInverse(m, r); result = blindedResult.Multiply(rInv).Mod(m); // defence against Arjen Lenstra’s CRT attack if (!input.Equals(result.ModPow(e, m))) { throw new InvalidOperationException("RSA engine faulty decryption/signing detected"); } } else { result = core.ProcessBlock(input); } } else { result = core.ProcessBlock(input); } return(core.ConvertOutput(result)); }
public virtual byte[] GenerateSignature() { byte[] eHash = DigestUtilities.DoFinal(digest); BigInteger n = ecParams.N; BigInteger e = CalculateE(n, eHash); BigInteger d = ((ECPrivateKeyParameters)ecKey).D; BigInteger r, s; ECMultiplier basePointMultiplier = CreateBasePointMultiplier(); // 5.2.1 Draft RFC: SM2 Public Key Algorithms do // generate s { BigInteger k; do // generate r { // A3 k = kCalculator.NextK(); // A4 ECPoint p = basePointMultiplier.Multiply(ecParams.G, k).Normalize(); // A5 r = e.Add(p.AffineXCoord.ToBigInteger()).Mod(n); }while (r.SignValue == 0 || r.Add(k).Equals(n)); // A6 BigInteger dPlus1ModN = BigIntegers.ModOddInverse(n, d.Add(BigIntegers.One)); s = k.Subtract(r.Multiply(d)).Mod(n); s = dPlus1ModN.Multiply(s).Mod(n); }while (s.SignValue == 0); // A7 try { return(encoding.Encode(ecParams.N, r, s)); } catch (Exception ex) { throw new CryptoException("unable to encode signature: " + ex.Message, ex); } }
// 5.3 pg 28 /** * Generate a signature for the given message using the key we were * initialised with. For conventional DSA the message should be a SHA-1 * hash of the message of interest. * * @param message the message that will be verified later. */ public virtual BigInteger[] GenerateSignature(byte[] message) { ECDomainParameters ec = key.Parameters; BigInteger n = ec.N; BigInteger e = CalculateE(n, message); BigInteger d = ((ECPrivateKeyParameters)key).D; if (kCalculator.IsDeterministic) { kCalculator.Init(n, d, message); } else { kCalculator.Init(n, random); } BigInteger r, s; ECMultiplier basePointMultiplier = CreateBasePointMultiplier(); // 5.3.2 do // Generate s { BigInteger k; do // Generate r { k = kCalculator.NextK(); ECPoint p = basePointMultiplier.Multiply(ec.G, k).Normalize(); // 5.3.3 r = p.AffineXCoord.ToBigInteger().Mod(n); }while (r.SignValue == 0); s = BigIntegers.ModOddInverse(n, k).Multiply(e.Add(d.Multiply(r))).Mod(n); }while (s.SignValue == 0); return(new BigInteger[] { r, s }); }
protected virtual BigInteger ModInverse(BigInteger x) { return(BigIntegers.ModOddInverse(q, x)); }
public virtual AsymmetricCipherKeyPair GenerateKeyPair() { for (;;) { // // p and q values should have a length of half the strength in bits // int strength = parameters.Strength; int pBitlength = (strength + 1) / 2; int qBitlength = strength - pBitlength; int mindiffbits = strength / 3; int minWeight = strength >> 2; BigInteger e = parameters.PublicExponent; // TODO Consider generating safe primes for p, q (see DHParametersHelper.generateSafePrimes) // (then p-1 and q-1 will not consist of only small factors - see "Pollard's algorithm") BigInteger p = ChooseRandomPrime(pBitlength, e); BigInteger q, n; // // generate a modulus of the required length // for (;;) { q = ChooseRandomPrime(qBitlength, e); // p and q should not be too close together (or equal!) BigInteger diff = q.Subtract(p).Abs(); if (diff.BitLength < mindiffbits) { continue; } // // calculate the modulus // n = p.Multiply(q); if (n.BitLength != strength) { // // if we get here our primes aren't big enough, make the largest // of the two p and try again // p = p.Max(q); continue; } /* * Require a minimum weight of the NAF representation, since low-weight composites may * be weak against a version of the number-field-sieve for factoring. * * See "The number field sieve for integers of low weight", Oliver Schirokauer. */ if (WNafUtilities.GetNafWeight(n) < minWeight) { p = ChooseRandomPrime(pBitlength, e); continue; } break; } if (p.CompareTo(q) < 0) { BigInteger tmp = p; p = q; q = tmp; } BigInteger pSub1 = p.Subtract(One); BigInteger qSub1 = q.Subtract(One); //BigInteger phi = pSub1.Multiply(qSub1); BigInteger gcd = pSub1.Gcd(qSub1); BigInteger lcm = pSub1.Divide(gcd).Multiply(qSub1); // // calculate the private exponent // BigInteger d = e.ModInverse(lcm); if (d.BitLength <= qBitlength) { continue; } // // calculate the CRT factors // BigInteger dP = d.Remainder(pSub1); BigInteger dQ = d.Remainder(qSub1); BigInteger qInv = BigIntegers.ModOddInverse(p, q); return(new AsymmetricCipherKeyPair( new RsaKeyParameters(false, n, e), new RsaPrivateCrtKeyParameters(n, e, d, p, q, dP, dQ, qInv))); } }