onb_integer.c

来自「ECC的C++源码」· C语言 代码 · 共 634 行 · 第 1/2 页

	elptic_mul( &signature->d, &public_curve->pnt, &Temp1, &public_curve->crv);
	elptic_mul( &signature->c, signer_point, &Temp2, &public_curve->crv);
	esum( &Temp1, &Temp2, &Verify, &public_curve->crv);
	
/*  convert x value of verify point to an integer and first signature value too  */

	field_to_int( &Verify.x, &x_value);
	field_to_int( &signature->c, &c_value);

/*  compute resultant message digest from original signature  */

	field_to_int( &public_curve->pnt_order, &point_order);
	int_sub( &c_value, &x_value, &temp);
	while( temp.hw[0] & 0x8000) 			/* ensure positive result */
		int_add( &point_order, &temp, &temp);
	int_div( &temp, &point_order, &quotient, &check_value);

/*  generate hash of message and compare to original signature  */

	hash_to_int( Message, length, &temp);
	int_div( &temp, &point_order, &quotient, &hash_value);
	
	int_null(&temp);
	int_sub( &hash_value, &check_value, &temp);
	while( temp.hw[0] & 0x8000) 		/*  ensure positive zero */
		int_add( &point_order, &temp, &temp);

/*  return error if result of subtraction is not zero  */

	INTLOOP(i) if (temp.hw[i]) return(0);  
	return(1);
}

/*  Elliptic Curve Secret Value Derivation Primative, Menezes-Qu-Vanstone version.
	Enter with "this sides" secret and public key, as well as ephemeral secret and
	ephemeral public key, the other sides publick and ephemeral keys, and the 
	elliptic curve parameters they are all based on including curve, point and 
	order of the point.
	
	Returns a shared secret value.  This version uses an integer package as well
	as elliptic curve mathematics.
*/

void onb_mqv( Base, my_first, my_second, 
				their_first, their_second,
				shared_secret)
EC_PARAMETER *Base;
EC_KEYPAIR	 *my_first, *my_second;
POINT        *their_first, *their_second;
FIELD2N      *shared_secret;
{
	BIGINT	my_x_value;
	BIGINT	my_secret, my_ephemeral;
	FIELD2N	my_half_x, their_half_x;
	BIGINT	temp1, quotient, temp2;
	BIGINT	cfactor, point_order;
	FIELD2N	e_value;
	POINT	Temp, Common;
	INDEX	i, limit, half_msb;
	ELEMENT	mask;
	
/*  convert x component of my ephemeral key to an integer modulo
	2^h where h is half the size of the order of the base point.
	Since we are using curves with order almost equal to the 
	field size, the value of h is about half NUMBITS.  
	Change limit to meet the specs for your application.
*/

	limit = NUMBITS / 2;
	half_msb = limit % WORDSIZE;
	mask = ~(~0 << half_msb);
	limit = limit/WORDSIZE + ( half_msb ? 1 : 0);
	copy( &my_second->pblc_key.x, &my_half_x);
	for( i=0; i<limit; i++) my_half_x.e[i] = 0;
	my_half_x.e[i] &= mask;
	my_half_x.e[i] |= 1L << half_msb;
	field_to_int( &my_half_x, &my_x_value);

/*  get half the other sides ephemeral key  */

	copy( &their_second->x, &their_half_x);
	for( i=0; i<limit; i++) their_half_x.e[i] = 0;
	their_half_x.e[i] &= mask;
	their_half_x.e[i] |= 1L << half_msb;
	
/*  compute multiplier from my secrets and x component  */

	field_to_int( &my_first->prvt_key, &my_secret);
	field_to_int( &my_second->prvt_key, &my_ephemeral);
	field_to_int( &Base->pnt_order, &point_order);
	int_mul( &my_x_value, &my_secret, &temp1);
	int_add( &temp1, &my_ephemeral, &temp1);
	int_div( &temp1, &point_order, &quotient, &temp2);
	
/*  convert integer to equivelent compressed value for 
	elliptic multiply. */
	
	int_to_field( &temp2, &e_value);

/*  use other sides public points to create their 
	portion of the secret.  */
	
	elptic_mul( &their_half_x, their_first, &Common, &Base->crv);
	esum( their_second, &Common, &Temp, &Base->crv);
	elptic_mul( &e_value, &Temp, &Common, &Base->crv);

/*  take output from common point  */

	copy( &Common.x, shared_secret);
}

/*  DSA version of Elliptic curve signature primitive of IEEE P1363.

	Enter with EC parameters, signers private key, pointer to message and
	it's length.
	
	Output is 2 values in SIGNITURE structure.
	value "c" = x component of random point modulo point order of
				public point  (random point = random key * public point)
	value "d" = (random key)^-1 * (message hash + signer's key * c)
*/

void onb_DSA_Signature( Message, length, public_curve, secret_key, signature)
char *Message;
unsigned long length;
EC_PARAMETER *public_curve;
FIELD2N *secret_key;
SIGNATURE *signature;
{
	BIGINT			hash_value;		/*  then to an integer  */
	EC_KEYPAIR		random_key;
	BIGINT			x_value, k_value, sig_value, c_value;
	BIGINT			temp, quotient;
	BIGINT			key_value, point_order, u_value;
	INDEX			i, count;

/*  compute hash of input message  */

	hash_to_int( Message, length, &hash_value);
	
/*  create random value and generate random point on public curve  */

	ECKGP( public_curve, &random_key);
		
/*  convert x component of random point to an integer modulo
	the order of the base point.  This is first part of 
	signature.
*/

	field_to_int( &public_curve->pnt_order, &point_order);
	field_to_int( &random_key.pblc_key.x, &x_value);
	int_div( &x_value, &point_order, &quotient, &c_value);
	int_to_field( &c_value, &signature->c);
	
/*	multiply that  by signers private key and add to message
	digest modulo the order of the base point. 
	hash value + private key * c value
*/

	field_to_int( secret_key, &key_value);
	int_mul( &key_value, &c_value, &temp);
	int_add( &temp, &hash_value, &temp);
	int_div( &temp, &point_order, &quotient, &k_value);
	
/*  final step is to multiply by inverse of random key value
		modulo order of base point.
*/

	field_to_int( &random_key.prvt_key, &temp);
	mod_inv( &temp, &point_order, &u_value);
	int_mul( &u_value, &k_value, &temp);
	int_div( &temp, &point_order, &quotient, &sig_value);
	int_to_field( &sig_value, &signature->d);
}

/*  verify a signature of a message using DSA scheme.

	Inputs:	Message to be verified of given length,
			elliptic curve parameters public_curve 
			signer's public key (as a point),
			signature block.
	
	Output: value 1 if signature verifies,
			value 0 if failure to verify.
*/

int onb_DSA_Verify( Message, length, public_curve, signer_point, signature)
char			*Message;
unsigned long 	length;
EC_PARAMETER	*public_curve;
POINT			*signer_point;
SIGNATURE		*signature;
{
	BIGINT			hash_value;
	POINT			Temp1, Temp2, Verify;
	BIGINT			c_value, d_value;
	BIGINT			temp, quotient, h1, h2;
	BIGINT			check_value, point_order;
	INDEX			i, count;
	FIELD2N			h1_field, h2_field;

/*  compute inverse of second signature value  */

	field_to_int( &public_curve->pnt_order, &point_order);
	field_to_int( &signature->d, &temp);
	mod_inv( &temp, &point_order, &d_value);
	
/*  generate hash of message  */

	hash_to_int( Message, length, &hash_value);

/*  compute elliptic curve multipliers:
	h1 = hash value * d_value, h2 = c * d_value
*/

	int_mul( &hash_value, &d_value, &temp);
	int_div( &temp, &point_order, &quotient, &h1);
	int_to_field( &h1, &h1_field);
	field_to_int( &signature->c, &c_value);
	int_mul( &d_value, &c_value, &temp);
	int_div( &temp, &point_order, &quotient, &h2);
	int_to_field( &h2, &h2_field);

/*  find hidden point from public data  */

	elptic_mul( &h1_field, &public_curve->pnt, &Temp1, &public_curve->crv);
	elptic_mul( &h2_field, signer_point, &Temp2, &public_curve->crv);
	esum( &Temp1, &Temp2, &Verify, &public_curve->crv);
	
/*  convert x value of verify point to an integer modulo point order */

	field_to_int( &Verify.x, &temp);
	int_div( &temp, &point_order, &quotient, &check_value);
	
/*  compare resultant message digest from original signature  */

	int_null(&temp);
	int_sub( &c_value, &check_value, &temp);
	while( temp.hw[0] & 0x8000) 		/*  ensure positive zero */
		int_add( &point_order, &temp, &temp);

/*  return error if result of subtraction is not zero  */

	INTLOOP(i) if (temp.hw[i]) return(0);  
	return(1);
}

main()
{
	EC_PARAMETER	Base;
	EC_KEYPAIR		Signer;
	SIGNATURE		signature;
	BIGINT			prime_order;
	POINT			temp;
	INDEX 			i, error;
	char			Message[1024];
	
	char string1[MAXSTRING] = "5192296858534827627896703833467507"; /*N 113  */
/*	char string1[MAXSTRING] = "680564733841876926932320129493409985129";*/ /*N~ 131 */
/*	char string1[MAXSTRING] = "5444517870735015415344659586094410599059";*/ /*N 134 (g^2 = g+1)	*/
/*	char string1[MAXSTRING] = "19822884620916109459140767798279811163792081";*/ /*N~ 148 GF(16) */
/*	char string1[MAXSTRING] = "91343852333181432387730573045979447452365303319";*/  /* N 158 */
	
	init_opt_math();
	
	random_seed = 0xFEEDFACE;

/*  compute curve order from Koblitz data  */

	ascii_to_bigint(&string1, &prime_order);
	int_to_field( &prime_order, &Base.pnt_order);
	null( &Base.cofactor);
	Base.cofactor.e[NUMWORD] = 2;

/*  create Koblitz curve  */

	Base.crv.form = 1;
	one(&Base.crv.a2);
	one(&Base.crv.a6);
	print_curve("Koblitz 113", &Base.crv);

/*  create base point of known order with no cofactor  */

	rand_point( &temp, &Base.crv);
	print_point("random point", &temp);
	edbl( &temp, &Base.pnt, &Base.crv);
	print_point(" Base point ",&Base.pnt);
	
/*  create a secret key for testing. Note that secret key must be less than order.
	The standard implies that the field size which can be used is one bit less than
	the length of the public base point order.
*/

	ECKGP( &Base, &Signer);
	print_field("Signer's secret key", &Signer.prvt_key);
	print_point("Signers public key", &Signer.pblc_key);
	
/*  create a message to be signed  */

	for (i=0; i<1024; i++) Message[i] = i;

/*  call Nyberg_Ruepple signature scheme  */

	NR_Signature( Message, 1024, &Base, &Signer.prvt_key, &signature);
	print_field("first component of signiture", &signature.c);
	print_field("second component of signiture", &signature.d);

/*  verify message has not been tampered.  Need public curve parameters, signers
	public key, message, length of message, and order of public curve parameters
	as well as the signature. If there is a null response, message is not same as
	the orignal signed version.
*/
	error = NR_Verify( Message, 1024, &Base, &Signer.pblc_key, &signature);
	if (error) printf("Message Verifies");
	else printf("Message fails!");
}