public String decipher(List <Org.BouncyCastle.Math.BigInteger> cipher, MHPrivateKey key)
{
String decrypted = "";
Org.BouncyCastle.Math.BigInteger temp = Org.BouncyCastle.Math.BigInteger.ValueOf(0);
int tmp = 0;
Org.BouncyCastle.Math.BigInteger bits = Org.BouncyCastle.Math.BigInteger.ValueOf(0);
for (int i = 0; i < cipher.Count; i++)
{
temp = cipher.ElementAt(i);
int bitlen = temp.BitLength;
int ff = 0;
while (bitlen < (int)Math.Pow(2, ff))
{
ff++;
}
if (ff > bitlen)
{
bitlen = ff;
}
for (int j = 0; j < bitlen; j++)
{
if (temp.Mod(Org.BouncyCastle.Math.BigInteger.ValueOf(2)).CompareTo(Org.BouncyCastle.Math.BigInteger.ValueOf(1)) == 0)
{
bits = bits.Add(key.w1.Multiply(Org.BouncyCastle.Math.BigInteger.ValueOf((long)Math.Pow(2, j))));
}
temp = temp.ShiftRight(1);
}
bits = bits.Mod(key.n);
List <Org.BouncyCastle.Math.BigInteger> list = key.a;
Org.BouncyCastle.Math.BigInteger temper;
int k = key.a.Count - 1;
while (k >= 0)
{
temper = list.ElementAt(k);
if (bits.CompareTo(temper) > -1)
{
tmp += (int)Math.Pow(2, k);
bits = bits.Subtract(temper);
}
k--;
}
decrypted += (binaryToChar(Convert.ToString(tmp, 2))).ToString();
bits = Org.BouncyCastle.Math.BigInteger.ValueOf(0);
tmp = 0;
}
return(decrypted);
}
public MHKey()
{
generator gen = new generator(8);
Org.BouncyCastle.Math.BigInteger w = gen.w;
e = new List <Org.BouncyCastle.Math.BigInteger>();
for (int i = 0; i < gen.a.Count; i++)
{
e.Add((w.Multiply(gen.a.ElementAt(i))).Mod(gen.n)); // w*a Mod n ..
}
Org.BouncyCastle.Math.BigInteger w1 = Org.BouncyCastle.Math.BigInteger.ValueOf(1);
Org.BouncyCastle.Math.BigInteger one = Org.BouncyCastle.Math.BigInteger.ValueOf(2);
while (one.IntValue != 1)
{
w1 = w1.Add(Org.BouncyCastle.Math.BigInteger.ValueOf(1)).Mod(gen.n);
one = w.Multiply(w1).Mod(gen.n);
}
privateKey = new MHPrivateKey(gen.a, w.ModInverse(gen.n), gen.n);
}
public generator(int k)
{
a = new List <Org.BouncyCastle.Math.BigInteger>();
Random rnd = new Random();
BigInteger tmp;
BigInteger sum;
sum = BigInteger.ValueOf(0);
for (int i = 0; i < k; i++)
{
tmp = BigInteger.ValueOf((long)(Math.Pow(2, k + i)));
a.Add(tmp);
sum = sum.Add(tmp);
}
n = sum.Add(BigInteger.ValueOf(1));
w = BigInteger.ValueOf(467);
while (this.getGCD(n, w).CompareTo(BigInteger.ValueOf(1)) != 0)
{
w.Add(BigInteger.ValueOf(1));
}
}
/// <summary>
/// Generate a set of M-of-N parts for a specific private key.
/// If desiredPrivKey is null, then a random key will be selected.
/// </summary>
public void Generate(int PartsNeededToDecode, int PartsToGenerate, byte[] desiredPrivKey)
{
if (PartsNeededToDecode > PartsToGenerate) {
throw new ApplicationException("Number of parts needed exceeds number of parts to generate.");
}
if (PartsNeededToDecode > 8 || PartsToGenerate > 8) {
throw new ApplicationException("Maximum number of parts is 8");
}
if (PartsNeededToDecode < 1 || PartsToGenerate < 1) {
throw new ApplicationException("Minimum number of parts is 1");
}
if (desiredPrivKey != null && desiredPrivKey.Length != 32) {
throw new ApplicationException("Desired private key must be 32 bytes");
}
KeyParts.Clear();
decodedKeyParts.Clear();
SecureRandom sr = new SecureRandom();
// Get 8 random big integers into v[i].
byte[][] vvv = new byte[8][];
BigInteger[] v = new BigInteger[8];
for (int i = 0; i < 8; i++) {
byte[] b = new byte[32];
sr.NextBytes(b, 0, 32);
// For larger values of i, chop off some most-significant-bits to prevent overflows as they are
// multiplied with increasingly larger factors.
if (i >= 7) {
b[0] &= 0x7f;
}
v[i] = new BigInteger(1, b);
Debug.WriteLine(String.Format("v({0})={1}", i, v[i].ToString()));
}
// if a certain private key is desired, then specify it.
if (desiredPrivKey != null) {
// replace v[0] with xor(v[1...7]) xor desiredPrivKey
BigInteger newv0 = BigInteger.Zero;
for (int i=1; i<PartsNeededToDecode; i++) {
newv0 = newv0.Xor(v[i]);
}
v[0] = newv0.Xor(new BigInteger(1,desiredPrivKey));
}
// Generate the expected private key from all the parts
BigInteger privkey = new BigInteger("0");
for (int i = 0; i < PartsNeededToDecode; i++) {
privkey = privkey.Xor(v[i]);
}
// Get the bitcoin address
byte[] keybytes = privkey.ToByteArrayUnsigned();
// make sure we have 32 bytes, we'll need it
if (keybytes.Length < 32) {
byte[] array32 = new byte[32];
Array.Copy(keybytes, 0, array32, 32 - keybytes.Length, keybytes.Length);
keybytes = array32;
}
KeyPair = new KeyPair(keybytes);
byte[] checksum = Util.ComputeSha256(BitcoinAddress);
// Generate the parts
for (int i = 0; i < PartsToGenerate; i++) {
BigInteger total = new BigInteger("0");
for (int j = 0; j < PartsNeededToDecode; j++) {
int factor = 1;
for (int ii = 0; ii <= i; ii++) factor = factor * (j + 1);
BigInteger bfactor = new BigInteger(factor.ToString());
total = total.Add(v[j].Multiply(bfactor));
}
Debug.WriteLine(String.Format(" pc{0}={1}", i, total.ToString()));
byte[] parts = new byte[39];
parts[0] = 0x4f;
parts[1] = (byte)(0x93 + PartsNeededToDecode);
int parts23 = (((checksum[0] << 8) + checksum[1]) & 0x1ff);
Debug.WriteLine("checksum " + parts23.ToString());
parts23 += 0x6000;
parts23 += (i << 9);
byte[] btotal = total.ToByteArrayUnsigned();
for (int jj = 0; jj < btotal.Length; jj++) {
parts[jj + 4 + (35 - btotal.Length)] = btotal[jj];
}
parts[2] = (byte)((parts23 & 0xFF00) >> 8);
parts[3] = (byte)(parts23 & 0xFF);
KeyParts.Add(Util.ByteArrayToBase58Check(parts));
decodedKeyParts.Add(parts);
}
}
public BigInteger SolveRight(BigInteger[] pcs)
{
BigInteger accum = new BigInteger("0");
foreach (coefficient c in rightside) {
BigInteger scratch = new BigInteger(pcs[c.vindex].ToString());
scratch = scratch.Multiply(new BigInteger(c.multiplier.ToString()));
accum = accum.Add(scratch);
}
return accum.Subtract(subtractor).Divide(new BigInteger(divisor.ToString())); ;
}
/*
* Finds a pair of prime BigInteger's {p, q: p = 2q + 1}
*
* (see: Handbook of Applied Cryptography 4.86)
*/
internal static BigInteger[] GenerateSafePrimes(int size, int certainty, SecureRandom random)
{
BigInteger p, q;
int qLength = size - 1;
int minWeight = size >> 2;
if (size <= 32)
{
for (;;)
{
q = new BigInteger(qLength, 2, random);
p = q.ShiftLeft(1).Add(BigInteger.One);
if (!p.IsProbablePrime(certainty))
continue;
if (certainty > 2 && !q.IsProbablePrime(certainty - 2))
continue;
break;
}
}
else
{
// Note: Modified from Java version for speed
for (;;)
{
q = new BigInteger(qLength, 0, random);
retry:
for (int i = 0; i < primeLists.Length; ++i)
{
int test = q.Remainder(BigPrimeProducts[i]).IntValue;
if (i == 0)
{
int rem3 = test % 3;
if (rem3 != 2)
{
int diff = 2 * rem3 + 2;
q = q.Add(BigInteger.ValueOf(diff));
test = (test + diff) % primeProducts[i];
}
}
int[] primeList = primeLists[i];
for (int j = 0; j < primeList.Length; ++j)
{
int prime = primeList[j];
int qRem = test % prime;
if (qRem == 0 || qRem == (prime >> 1))
{
q = q.Add(Six);
goto retry;
}
}
}
if (q.BitLength != qLength)
continue;
if (!q.RabinMillerTest(2, random))
continue;
p = q.ShiftLeft(1).Add(BigInteger.One);
if (!p.RabinMillerTest(certainty, random))
continue;
if (certainty > 2 && !q.RabinMillerTest(certainty - 2, random))
continue;
/*
* Require a minimum weight of the NAF representation, since low-weight primes may be
* weak against a version of the number-field-sieve for the discrete-logarithm-problem.
*
* See "The number field sieve for integers of low weight", Oliver Schirokauer.
*/
if (WNafUtilities.GetNafWeight(p) < minWeight)
continue;
break;
}
}
return new BigInteger[] { p, q };
}
private void btnCombine_Click(object sender, EventArgs e)
{
// What is input #1?
string input1 = txtInput1.Text;
string input2 = txtInput2.Text;
PublicKey pub1 = null, pub2 = null;
KeyPair kp1 = null, kp2 = null;
if (KeyPair.IsValidPrivateKey(input1)) {
pub1 = kp1 = new KeyPair(input1);
} else if (PublicKey.IsValidPublicKey(input1)) {
pub1 = new PublicKey(input1);
} else {
MessageBox.Show("Input key #1 is not a valid Public Key or Private Key Hex", "Can't combine", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
if (KeyPair.IsValidPrivateKey(input2)) {
pub2 = kp2 = new KeyPair(input2);
} else if (PublicKey.IsValidPublicKey(input2)) {
pub2 = new PublicKey(input2);
} else {
MessageBox.Show("Input key #2 is not a valid Public Key or Private Key Hex", "Can't combine", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
if (kp1 == null && kp2 == null && rdoAdd.Checked == false) {
MessageBox.Show("Can't multiply two public keys. At least one of the keys must be a private key.",
"Can't combine", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
if (pub1.IsCompressedPoint != pub2.IsCompressedPoint) {
MessageBox.Show("Can't combine a compressed key with an uncompressed key.", "Can't combine", MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
if (pub1.AddressBase58 == pub2.AddressBase58) {
if (MessageBox.Show("Both of the key inputs have the same public key hash. You can continue, but " +
"the results are probably going to be wrong. You might have provided the wrong " +
"information, such as two parts from the same side of the transaction, instead " +
"of one part from each side. Continue anyway?", "Duplicate Key Warning", MessageBoxButtons.OKCancel, MessageBoxIcon.Warning) != DialogResult.OK) {
return;
}
}
var ps = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256k1");
// Combining two private keys?
if (kp1 != null && kp2 != null) {
BigInteger e1 = new BigInteger(1, kp1.PrivateKeyBytes);
BigInteger e2 = new BigInteger(1, kp2.PrivateKeyBytes);
BigInteger ecombined = (rdoAdd.Checked ? e1.Add(e2) : e1.Multiply(e2)).Mod(ps.N);
System.Diagnostics.Debug.WriteLine(kp1.PublicKeyHex);
System.Diagnostics.Debug.WriteLine(kp2.PublicKeyHex);
KeyPair kpcombined = new KeyPair(Util.Force32Bytes(ecombined.ToByteArrayUnsigned()), compressed: kp1.IsCompressedPoint);
txtOutputAddress.Text = kpcombined.AddressBase58;
txtOutputPubkey.Text = kpcombined.PublicKeyHex.Replace(" ", "");
txtOutputPriv.Text = kpcombined.PrivateKeyBase58;
} else if (kp1 != null || kp2 != null) {
// Combining one public and one private
KeyPair priv = (kp1 == null) ? kp2 : kp1;
PublicKey pub = (kp1 == null) ? pub1 : pub2;
ECPoint point = pub.GetECPoint();
ECPoint combined = rdoAdd.Checked ? point.Add(priv.GetECPoint()) : point.Multiply(new BigInteger(1, priv.PrivateKeyBytes));
ECPoint combinedc = ps.Curve.CreatePoint(combined.X.ToBigInteger(), combined.Y.ToBigInteger(), priv.IsCompressedPoint);
PublicKey pkcombined = new PublicKey(combinedc.GetEncoded());
txtOutputAddress.Text = pkcombined.AddressBase58;
txtOutputPubkey.Text = pkcombined.PublicKeyHex.Replace(" ", "");
txtOutputPriv.Text = "Only available when combining two private keys";
} else {
// Adding two public keys
ECPoint combined = pub1.GetECPoint().Add(pub2.GetECPoint());
ECPoint combinedc = ps.Curve.CreatePoint(combined.X.ToBigInteger(), combined.Y.ToBigInteger(), pub1.IsCompressedPoint);
PublicKey pkcombined = new PublicKey(combinedc.GetEncoded());
txtOutputAddress.Text = pkcombined.AddressBase58;
txtOutputPubkey.Text = pkcombined.PublicKeyHex.Replace(" ", "");
txtOutputPriv.Text = "Only available when combining two private keys";
}
}
/*
* Finds a pair of prime BigInteger's {p, q: p = 2q + 1}
*
* (see: Handbook of Applied Cryptography 4.86)
*/
internal static BigInteger[] GenerateSafePrimes(int size, int certainty, SecureRandom random)
{
BigInteger p, q;
int qLength = size - 1;
if (size <= 32)
{
for (;;)
{
q = new BigInteger(qLength, 2, random);
p = q.ShiftLeft(1).Add(BigInteger.One);
if (p.IsProbablePrime(certainty)
&& (certainty <= 2 || q.IsProbablePrime(certainty)))
break;
}
}
else
{
// Note: Modified from Java version for speed
for (;;)
{
q = new BigInteger(qLength, 0, random);
retry:
for (int i = 0; i < primeLists.Length; ++i)
{
int test = q.Remainder(BigPrimeProducts[i]).IntValue;
if (i == 0)
{
int rem3 = test % 3;
if (rem3 != 2)
{
int diff = 2 * rem3 + 2;
q = q.Add(BigInteger.ValueOf(diff));
test = (test + diff) % primeProducts[i];
}
}
int[] primeList = primeLists[i];
for (int j = 0; j < primeList.Length; ++j)
{
int prime = primeList[j];
int qRem = test % prime;
if (qRem == 0 || qRem == (prime >> 1))
{
q = q.Add(Six);
goto retry;
}
}
}
if (q.BitLength != qLength)
continue;
if (!q.RabinMillerTest(2, random))
continue;
p = q.ShiftLeft(1).Add(BigInteger.One);
if (p.RabinMillerTest(certainty, random)
&& (certainty <= 2 || q.RabinMillerTest(certainty - 2, random)))
break;
}
}
return new BigInteger[] { p, q };
}
private static BigInteger ReduceBarrett(BigInteger x, BigInteger m, BigInteger mr, BigInteger yu)
{
int xLen = x.BitLength, mLen = m.BitLength;
if (xLen < mLen)
return x;
if (xLen - mLen > 1)
{
int k = m.magnitude.Length;
BigInteger q1 = x.DivideWords(k - 1);
BigInteger q2 = q1.Multiply(yu); // TODO Only need partial multiplication here
BigInteger q3 = q2.DivideWords(k + 1);
BigInteger r1 = x.RemainderWords(k + 1);
BigInteger r2 = q3.Multiply(m); // TODO Only need partial multiplication here
BigInteger r3 = r2.RemainderWords(k + 1);
x = r1.Subtract(r3);
if (x.sign < 0)
{
x = x.Add(mr);
}
}
while (x.CompareTo(m) >= 0)
{
x = x.Subtract(m);
}
return x;
}
public void TestModPow()
{
try
{
two.ModPow(one, zero);
Assert.Fail("expected ArithmeticException");
}
catch (ArithmeticException) {}
Assert.AreEqual(zero, zero.ModPow(zero, one));
Assert.AreEqual(one, zero.ModPow(zero, two));
Assert.AreEqual(zero, two.ModPow(one, one));
Assert.AreEqual(one, two.ModPow(zero, two));
for (int i = 0; i < 10; ++i)
{
BigInteger m = BigInteger.ProbablePrime(10 + i * 3, random);
BigInteger x = new BigInteger(m.BitLength - 1, random);
Assert.AreEqual(x, x.ModPow(m, m));
if (x.SignValue != 0)
{
Assert.AreEqual(zero, zero.ModPow(x, m));
Assert.AreEqual(one, x.ModPow(m.Subtract(one), m));
}
BigInteger y = new BigInteger(m.BitLength - 1, random);
BigInteger n = new BigInteger(m.BitLength - 1, random);
BigInteger n3 = n.ModPow(three, m);
BigInteger resX = n.ModPow(x, m);
BigInteger resY = n.ModPow(y, m);
BigInteger res = resX.Multiply(resY).Mod(m);
BigInteger res3 = res.ModPow(three, m);
Assert.AreEqual(res3, n3.ModPow(x.Add(y), m));
BigInteger a = x.Add(one); // Make sure it's not zero
BigInteger b = y.Add(one); // Make sure it's not zero
Assert.AreEqual(a.ModPow(b, m).ModInverse(m), a.ModPow(b.Negate(), m));
}
}
// 5.4 pg 29
/**
* return true if the value r and s represent a DSA signature for
* the passed in message (for standard DSA the message should be
* a SHA-1 hash of the real message to be verified).
*/
public virtual bool VerifySignature(byte[] message, BigInteger r, BigInteger s)
{
BigInteger n = key.Parameters.N;
// r and s should both in the range [1,n-1]
if (r.SignValue < 1 || s.SignValue < 1
|| r.CompareTo(n) >= 0 || s.CompareTo(n) >= 0)
{
return false;
}
BigInteger e = CalculateE(n, message);
BigInteger c = s.ModInverse(n);
BigInteger u1 = e.Multiply(c).Mod(n);
BigInteger u2 = r.Multiply(c).Mod(n);
ECPoint G = key.Parameters.G;
ECPoint Q = ((ECPublicKeyParameters) key).Q;
ECPoint point = ECAlgorithms.SumOfTwoMultiplies(G, u1, Q, u2);
if (point.IsInfinity)
return false;
/*
* If possible, avoid normalizing the point (to save a modular inversion in the curve field).
*
* There are ~cofactor elements of the curve field that reduce (modulo the group order) to 'r'.
* If the cofactor is known and small, we generate those possible field values and project each
* of them to the same "denominator" (depending on the particular projective coordinates in use)
* as the calculated point.X. If any of the projected values matches point.X, then we have:
* (point.X / Denominator mod p) mod n == r
* as required, and verification succeeds.
*
* Based on an original idea by Gregory Maxwell (https://github.com/gmaxwell), as implemented in
* the libsecp256k1 project (https://github.com/bitcoin/secp256k1).
*/
ECCurve curve = point.Curve;
if (curve != null)
{
BigInteger cofactor = curve.Cofactor;
if (cofactor != null && cofactor.CompareTo(Eight) <= 0)
{
ECFieldElement D = GetDenominator(curve.CoordinateSystem, point);
if (D != null && !D.IsZero)
{
ECFieldElement X = point.XCoord;
while (curve.IsValidFieldElement(r))
{
ECFieldElement R = curve.FromBigInteger(r).Multiply(D);
if (R.Equals(X))
{
return true;
}
r = r.Add(n);
}
return false;
}
}
}
BigInteger v = point.Normalize().AffineXCoord.ToBigInteger().Mod(n);
return v.Equals(r);
}
public void Backdoor()
{
var random = new SecureRandom();
var curve = CustomNamedCurves.GetByName("secp521r1");
var gen = new ECKeyPairGenerator("ECDSA");
var G = curve.G;
var N = curve.N;
var paramz = new ECDomainParameters(curve.Curve, G, N);
gen.Init(new ECKeyGenerationParameters(paramz, random));
var kCalc = new RandomDsaKCalculator(); // kCalc generates random values [1, N-1]
kCalc.Init(N, random);
var attackersKeyPair = gen.GenerateKeyPair();
var v = ((ECPrivateKeyParameters)attackersKeyPair.Private).D; //attacker's private
var V = G.Multiply(v); //attackers public
var usersKeyPair = gen.GenerateKeyPair(); //user's keypair
var D = ((ECPrivateKeyParameters)usersKeyPair.Private).D; //user's private
var Q = ((ECPublicKeyParameters)usersKeyPair.Public).Q;//user's public
const string message1 = "First message to sign";
var m1 = new BigInteger(1, Hash(Encoding.UTF8.GetBytes(message1))); // hash of m1
//Generate signature 1
var k1 = kCalc.NextK(); // k1 is true random
var signaturePoint1 = G.Multiply(k1).Normalize();
//(r1, s1) - signature 1
var r1 = signaturePoint1.AffineXCoord.ToBigInteger().Mod(N);
var s1 = k1.ModInverse(N).Multiply(m1.Add(D.Multiply(r1)));
//verify signature 1
var w = s1.ModInverse(N);
var u1 = m1.Multiply(w).Mod(N);
var u2 = r1.Multiply(w).Mod(N);
var verifyPoint1 = ECAlgorithms.SumOfTwoMultiplies(G, u1, Q, u2).Normalize();
var valid1 = verifyPoint1.AffineXCoord.ToBigInteger().Mod(N).Equals(r1);
//Generate signature 2
const string message2 = "Second message to sign";
var m2 = new BigInteger(1, Hash(Encoding.UTF8.GetBytes(message2))); // hash of m2
//here we generate a,b,h,e < N using seed = hash(m2)
kCalc.Init(N, new SecureRandom(new SeededGenerator(Hash(Encoding.UTF8.GetBytes(message2)))));
var a = kCalc.NextK();
var b = kCalc.NextK();
var h = kCalc.NextK();
var e = kCalc.NextK();
//u,j - true random
var u = (random.Next() % 2) == 1 ? BigInteger.One : BigInteger.Zero;
var j = (random.Next() % 2) == 1 ? BigInteger.One : BigInteger.Zero;
//compute hidden field element
var Z = G.Multiply(k1).Multiply(a)
.Add(V.Multiply(k1).Multiply(b))
.Add(G.Multiply(h).Multiply(j))
.Add(V.Multiply(e).Multiply(u))
.Normalize();
var zX = Z.AffineXCoord.ToBigInteger().ToByteArray();
var hash = Hash(zX);
var k2 = new BigInteger(1, hash);
var signaturePoint2 = G.Multiply(k2).Normalize();
//(r2, s2) = signature 2
var r2 = signaturePoint2.AffineXCoord.ToBigInteger().Mod(N);
var s2 = k2.ModInverse(N).Multiply(m2.Add(D.Multiply(r2)));
//verify signature 2
w = s2.ModInverse(N);
u1 = m2.Multiply(w).Mod(N);
u2 = r2.Multiply(w).Mod(N);
var verifyPoint2 = ECAlgorithms.SumOfTwoMultiplies(G, u1, Q, u2).Normalize();
var valid2 = verifyPoint2.AffineXCoord.ToBigInteger().Mod(N).Equals(r2);
if (valid1 && valid2)
{
//compute user's private key
var d = ExtractUsersPrivateKey(G, N, message1, message2, r1, s1, r2, s2, v, V, Q);
Console.WriteLine("Ecdsa private key restored: {0}", d.Equals(D));
}
else
{
Console.WriteLine("Something's wrong");
}
}
public void GenerateSignature(byte[] data_to_sign_byte_array, ref byte[] r_byte_array, ref byte[] s_byte_array)
{
if (data_to_sign_byte_array == null || data_to_sign_byte_array.Length < 1)
throw new ArgumentException("GenerateSignature: The data byte array to sign cannot be null/empty");
if (_private_key_param == null)
throw new ArgumentException("GenerateSignature: The DSA private key cannot be null");
if (_secure_random == null)
_secure_random = new SecureRandom();
BigInteger _data_to_sign = null;
DsaParameters _parameters = null;
BigInteger _k;
BigInteger _r;
BigInteger _s;
int _q_bit_length;
bool _do_again = false;
int _failure_count = 0;
_parameters = _private_key_param.Parameters;
_data_to_sign = new BigInteger(1, data_to_sign_byte_array);
_q_bit_length = _parameters.Q.BitLength;
/* */
// if (IsValidPQLength(_parameters.P.BitLength, _parameters.Q.BitLength) == false)
//throw new InvalidDataException("GenerateSignature: The Length of the DSA key P parameter does not correspond to that of the Q parameter");
do
{
try
{
do
{
_k = new BigInteger(1, _secure_random);
}
while (_k.CompareTo(_parameters.Q) >= 0);
_r = _parameters.G.ModPow(_k, _parameters.P).Mod(_parameters.Q);
_k = _k.ModInverse(_parameters.Q).Multiply(_data_to_sign.Add((_private_key_param).X.Multiply(_r)));
_s = _k.Mod(_parameters.Q);
r_byte_array = _r.ToByteArray();
s_byte_array = _s.ToByteArray();
_do_again = false;
}
catch (Exception)
{
if (MAX_FAILURE_COUNT == _failure_count)
throw new InvalidDataException("GenerateSignature: Failed sign data after " + MAX_FAILURE_COUNT.ToString() + " tries.");
_do_again = true;
_failure_count++;
}
}
while (_do_again == true);
Utility.SetAsMinimalLengthBE(ref r_byte_array);
Utility.SetAsMinimalLengthBE(ref s_byte_array);
/*
Console.WriteLine("Q Length {0} \n", _parameters.Q.BitLength/8);
Console.WriteLine("R Length {0} \n", r_byte_array.Length);
Console.WriteLine("S Length {0} \n", s_byte_array.Length);//*/
}
/// <summary>
/// Finds a pair of prime BigInteger's {p, q: p = 2q + 1}
///
/// (see: Handbook of Applied Cryptography 4.86)
/// </summary>
/// <param name="size">The size.</param>
/// <param name="certainty">The certainty.</param>
/// <param name="random">The random.</param>
/// <returns></returns>
internal static IBigInteger[] GenerateSafePrimes(int size, int certainty, ISecureRandom random)
{
IBigInteger p, q;
var qLength = size - 1;
if (size <= 32)
{
for (; ; )
{
q = new BigInteger(qLength, 2, random);
p = q.ShiftLeft(1).Add(BigInteger.One);
if (p.IsProbablePrime(certainty)
&& (certainty <= 2 || q.IsProbablePrime(certainty)))
break;
}
}
else
{
// Note: Modified from Java version for speed
for (; ; )
{
q = new BigInteger(qLength, 0, random);
retry:
for (var i = 0; i < _primeLists.Length; ++i)
{
var test = q.Remainder(_primeProductsBigs[i]).IntValue;
if (i == 0)
{
var rem3 = test % 3;
if (rem3 != 2)
{
var diff = 2 * rem3 + 2;
q = q.Add(BigInteger.ValueOf(diff));
test = (test + diff) % _primeProductsInts[i];
}
}
var primeList = _primeLists[i];
foreach (var prime in primeList)
{
var qRem = test % prime;
if (qRem != 0 && qRem != (prime >> 1))
continue;
q = q.Add(_six);
goto retry;
}
}
if (q.BitLength != qLength)
continue;
if (!((BigInteger)q).RabinMillerTest(2, random))
continue;
p = q.ShiftLeft(1).Add(BigInteger.One);
if (((BigInteger)p).RabinMillerTest(certainty, random)
&& (certainty <= 2 || ((BigInteger)q).RabinMillerTest(certainty - 2, random)))
break;
}
}
return new[] { p, q };
}
/// <summary>
/// Increments the serial number in the serial file
/// </summary>
public void IncrementSerial()
{
String txt = File.ReadAllText(SerialFile);
var bi = new BigInteger(txt, SerialNumberRadix);
bi = bi.Add(BigInteger.One);
File.WriteAllText(SerialFile, bi.ToString(SerialNumberRadix));
}
//Following code from https://bitcointalk.org/index.php?topic=25141.0
public static byte[] Base58ToByteArray(string base58)
{
Org.BouncyCastle.Math.BigInteger bi2 = new Org.BouncyCastle.Math.BigInteger("0");
string b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
bool IgnoreChecksum = false;
foreach (char c in base58)
{
if (b58.IndexOf(c) != -1)
{
bi2 = bi2.Multiply(new Org.BouncyCastle.Math.BigInteger("58"));
bi2 = bi2.Add(new Org.BouncyCastle.Math.BigInteger(b58.IndexOf(c).ToString()));
}
else if (c == '?')
{
IgnoreChecksum = true;
}
else
{
return(null);
}
}
byte[] bb = bi2.ToByteArrayUnsigned();
// interpret leading '1's as leading zero bytes
foreach (char c in base58)
{
if (c != '1')
{
break;
}
byte[] bbb = new byte[bb.Length + 1];
Array.Copy(bb, 0, bbb, 1, bb.Length);
bb = bbb;
}
if (bb.Length < 4)
{
return(null);
}
if (IgnoreChecksum == false)
{
SHA256CryptoServiceProvider sha256 = new SHA256CryptoServiceProvider();
byte[] checksum = sha256.ComputeHash(bb, 0, bb.Length - 4);
checksum = sha256.ComputeHash(checksum);
for (int i = 0; i < 4; i++)
{
if (checksum[i] != bb[bb.Length - 4 + i])
{
return(null);
}
}
}
byte[] rv = new byte[bb.Length - 4];
Array.Copy(bb, 0, rv, 0, bb.Length - 4);
return(rv);
}
public void TestMultiply()
{
BigInteger one = BigInteger.One;
Assert.AreEqual(one, one.Negate().Multiply(one.Negate()));
for (int i = 0; i < 100; ++i)
{
int aLen = 64 + random.Next(64);
int bLen = 64 + random.Next(64);
BigInteger a = new BigInteger(aLen, random).SetBit(aLen);
BigInteger b = new BigInteger(bLen, random).SetBit(bLen);
BigInteger c = new BigInteger(32, random);
BigInteger ab = a.Multiply(b);
BigInteger bc = b.Multiply(c);
Assert.AreEqual(ab.Add(bc), a.Add(c).Multiply(b));
Assert.AreEqual(ab.Subtract(bc), a.Subtract(c).Multiply(b));
}
// Special tests for power of two since uses different code path internally
for (int i = 0; i < 100; ++i)
{
int shift = random.Next(64);
BigInteger a = one.ShiftLeft(shift);
BigInteger b = new BigInteger(64 + random.Next(64), random);
BigInteger bShift = b.ShiftLeft(shift);
Assert.AreEqual(bShift, a.Multiply(b));
Assert.AreEqual(bShift.Negate(), a.Multiply(b.Negate()));
Assert.AreEqual(bShift.Negate(), a.Negate().Multiply(b));
Assert.AreEqual(bShift, a.Negate().Multiply(b.Negate()));
Assert.AreEqual(bShift, b.Multiply(a));
Assert.AreEqual(bShift.Negate(), b.Multiply(a.Negate()));
Assert.AreEqual(bShift.Negate(), b.Negate().Multiply(a));
Assert.AreEqual(bShift, b.Negate().Multiply(a.Negate()));
}
}
public BigInteger And(
BigInteger value)
{
if (this.sign == 0 || value.sign == 0)
{
return Zero;
}
int[] aMag = this.sign > 0
? this.magnitude
: Add(One).magnitude;
int[] bMag = value.sign > 0
? value.magnitude
: value.Add(One).magnitude;
bool resultNeg = sign < 0 && value.sign < 0;
int resultLength = System.Math.Max(aMag.Length, bMag.Length);
int[] resultMag = new int[resultLength];
int aStart = resultMag.Length - aMag.Length;
int bStart = resultMag.Length - bMag.Length;
for (int i = 0; i < resultMag.Length; ++i)
{
int aWord = i >= aStart ? aMag[i - aStart] : 0;
int bWord = i >= bStart ? bMag[i - bStart] : 0;
if (this.sign < 0)
{
aWord = ~aWord;
}
if (value.sign < 0)
{
bWord = ~bWord;
}
resultMag[i] = aWord & bWord;
if (resultNeg)
{
resultMag[i] = ~resultMag[i];
}
}
BigInteger result = new BigInteger(1, resultMag, true);
// TODO Optimise this case
if (resultNeg)
{
result = result.Not();
}
return result;
}
public Key Derivate(byte[] cc, uint nChild, out byte[] ccChild)
{
byte[] l = null;
byte[] ll = new byte[32];
byte[] lr = new byte[32];
if((nChild >> 31) == 0)
{
var pubKey = PubKey.ToBytes();
l = Hashes.BIP32Hash(cc, nChild, pubKey[0], pubKey.Skip(1).ToArray());
}
else
{
l = Hashes.BIP32Hash(cc, nChild, 0, this.ToBytes());
}
Array.Copy(l, ll, 32);
Array.Copy(l, 32, lr, 0, 32);
ccChild = lr;
BigInteger parse256LL = new BigInteger(1, ll);
BigInteger kPar = new BigInteger(1, vch);
BigInteger N = ECKey.CURVE.N;
if(parse256LL.CompareTo(N) >= 0)
throw new InvalidOperationException("You won a prize ! this should happen very rarely. Take a screenshot, and roll the dice again.");
var key = parse256LL.Add(kPar).Mod(N);
if(key == BigInteger.Zero)
throw new InvalidOperationException("You won the big prize ! this would happen only 1 in 2^127. Take a screenshot, and roll the dice again.");
return new Key(key.ToByteArrayUnsigned());
}
