public static byte[] SignRaw(ECPrivateKey sk, IDigest rfc6979Hash, byte[] hash, int hashOff, int hashLen) { ECCurve curve = sk.Curve; byte[] q = curve.SubgroupOrder; RFC6979 rf = new RFC6979(rfc6979Hash, q, sk.X, hash, hashOff, hashLen, rfc6979Hash != null); ModInt mh = rf.GetHashMod(); ModInt mx = mh.Dup(); mx.Decode(sk.X); /* * Compute DSA signature. We use a loop to enumerate * candidates for k until a proper one is found (it * is VERY improbable that we may have to loop). */ ModInt mr = mh.Dup(); ModInt ms = mh.Dup(); ModInt mk = mh.Dup(); byte[] k = new byte[q.Length]; for (;;) { rf.NextK(k); MutableECPoint G = curve.MakeGenerator(); if (G.MulSpecCT(k) == 0) { /* * We may get an error here only if the * curve is invalid (generator does not * produce the expected subgroup). */ throw new CryptoException( "Invalid EC private key / curve"); } mr.DecodeReduce(G.X); if (mr.IsZero) { continue; } ms.Set(mx); ms.ToMonty(); ms.MontyMul(mr); ms.Add(mh); mk.Decode(k); mk.Invert(); ms.ToMonty(); ms.MontyMul(mk); byte[] sig = new byte[q.Length << 1]; mr.Encode(sig, 0, q.Length); ms.Encode(sig, q.Length, q.Length); return(sig); } }
/* * Multiply the provided (encoded) point G by a scalar x. Scalar * encoding is big-endian. The scalar value shall be non-zero and * lower than the subgroup order (exception: some curves allow * larger ranges). * * The result is written in the provided D[] array, using either * compressed or uncompressed format (for some curves, output is * always compressed). The array shall have the appropriate length. * Returned value is -1 on success, 0 on error. If 0 is returned * then the array contents are indeterminate. * * G and D need not be distinct arrays. */ public uint Mul(byte[] G, byte[] x, byte[] D, bool compressed) { MutableECPoint P = MakeZero(); uint good = P.DecodeCT(G); good &= ~P.IsInfinityCT; good &= P.MulSpecCT(x); good &= P.Encode(D, compressed); return(good); }
/* * CheckValid() runs the validity tests on the curve, and * verifies that provided point is part of a subgroup with * the advertised subgroup order. */ public void CheckValid() { curve.CheckValid(); MutableECPoint P = iPub.Dup(); if (P.MulSpecCT(curve.SubgroupOrder) == 0 || !P.IsInfinity) { throw new CryptoException( "Public key point not on the defined subgroup"); } }
/* * Given points A and B, and scalar x and y, return x*A+y*B. This * is used for ECDSA. Scalars use big-endian encoding and must be * non-zero and lower than the subgroup order. * * The result is written in the provided D[] array, using either * compressed or uncompressed format (for some curves, output is * always compressed). The array shall have the appropriate length. * Returned value is -1 on success, 0 on error. If 0 is returned * then the array contents are indeterminate. * * Not all curves support this operation; if the curve does not, * then an exception is thrown. * * A, B and D need not be distinct arrays. */ public uint MulAdd(byte[] A, byte[] x, byte[] B, byte[] y, byte[] D, bool compressed) { MutableECPoint P = MakeZero(); MutableECPoint Q = MakeZero(); /* * Decode both points. */ uint good = P.DecodeCT(A); good &= Q.DecodeCT(B); good &= ~P.IsInfinityCT & ~Q.IsInfinityCT; /* * Perform both point multiplications. */ good &= P.MulSpecCT(x); good &= Q.MulSpecCT(y); good &= ~P.IsInfinityCT & ~Q.IsInfinityCT; /* * Perform addition. The AddCT() function may fail if * P = Q, in which case we must compute 2Q and use that * value instead. */ uint z = P.AddCT(Q); Q.DoubleCT(); P.Set(Q, ~z); /* * Encode the result. The Encode() function will report * an error if the addition result is infinity. */ good &= P.Encode(D, compressed); return(good); }
public static bool VerifyRaw(ECPublicKey pk, byte[] hash, int hashOff, int hashLen, byte[] sig, int sigOff, int sigLen) { try { /* * Get the curve. */ ECCurve curve = pk.Curve; /* * Get r and s from signature. This also verifies * that they do not exceed the subgroup order. */ if (sigLen == 0 || (sigLen & 1) != 0) { return(false); } int tlen = sigLen >> 1; ModInt oneQ = new ModInt(curve.SubgroupOrder); oneQ.Set(1); ModInt r = oneQ.Dup(); ModInt s = oneQ.Dup(); r.Decode(sig, sigOff, tlen); s.Decode(sig, sigOff + tlen, tlen); /* * If either r or s was too large, it got set to * zero. We also don't want real zeros. */ if (r.IsZero || s.IsZero) { return(false); } /* * Convert the hash value to an integer modulo q. * As per FIPS 186-4, if the hash value is larger * than q, then we keep the qlen leftmost bits of * the hash value. */ int qBitLength = oneQ.ModBitLength; int hBitLength = hashLen << 3; byte[] hv; if (hBitLength <= qBitLength) { hv = new byte[hashLen]; Array.Copy(hash, hashOff, hv, 0, hashLen); } else { int qlen = (qBitLength + 7) >> 3; hv = new byte[qlen]; Array.Copy(hash, hashOff, hv, 0, qlen); int rs = (8 - (qBitLength & 7)) & 7; BigInt.RShift(hv, rs); } ModInt z = oneQ.Dup(); z.DecodeReduce(hv); /* * Apply the verification algorithm: * w = 1/s mod q * u = z*w mod q * v = r*w mod q * T = u*G + v*Pub * test whether T.x mod q == r. */ /* * w = 1/s mod q */ ModInt w = s.Dup(); w.Invert(); /* * u = z*w mod q */ w.ToMonty(); ModInt u = w.Dup(); u.MontyMul(z); /* * v = r*w mod q */ ModInt v = w.Dup(); v.MontyMul(r); /* * Compute u*G */ MutableECPoint T = curve.MakeGenerator(); uint good = T.MulSpecCT(u.Encode()); /* * Compute v*iPub */ MutableECPoint M = pk.iPub.Dup(); good &= M.MulSpecCT(v.Encode()); /* * Compute T = u*G+v*iPub */ uint nd = T.AddCT(M); M.DoubleCT(); T.Set(M, ~nd); good &= ~T.IsInfinityCT; /* * Get T.x, reduced modulo q. * Signature is valid if and only if we get * the same value as r (and we did not encounter * an error previously). */ s.DecodeReduce(T.X); return((good & r.EqCT(s)) != 0); } catch (CryptoException) { /* * Exceptions may occur if the key or signature * have invalid values (non invertible, out of * range...). Any such occurrence means that the * signature is not valid. */ return(false); } }