1 /* elgamal.c - ElGamal Public Key encryption
2 * Copyright (C) 1998, 2000, 2001 Free Software Foundation, Inc.
4 * For a description of the algorithm, see:
5 * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996.
6 * ISBN 0-471-11709-9. Pages 476 ff.
8 * This file is part of Libgcrypt.
10 * Libgcrypt is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * Libgcrypt is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
36 MPI g; /* group generator */
37 MPI y; /* g^x mod p */
43 MPI g; /* group generator */
44 MPI y; /* g^x mod p */
45 MPI x; /* secret exponent */
49 static void test_keys( ELG_secret_key *sk, unsigned nbits );
50 static MPI gen_k( MPI p );
51 static void generate( ELG_secret_key *sk, unsigned nbits, MPI **factors );
52 static int check_secret_key( ELG_secret_key *sk );
53 static void do_encrypt(MPI a, MPI b, MPI input, ELG_public_key *pkey );
54 static void decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey );
55 static void sign(MPI a, MPI b, MPI input, ELG_secret_key *skey);
56 static int verify(MPI a, MPI b, MPI input, ELG_public_key *pkey);
59 static void (*progress_cb) ( void *, int );
60 static void *progress_cb_data;
63 _gcry_register_pk_elg_progress ( void (*cb)( void *, int), void *cb_data )
66 progress_cb_data = cb_data;
74 progress_cb ( progress_cb_data, c );
81 * Michael Wiener's table on subgroup sizes to match field sizes
82 * (floating around somewhere - Fixme: need a reference)
85 wiener_map( unsigned int n )
87 static struct { unsigned int p_n, q_n; } t[] =
88 { /* p q attack cost */
89 { 512, 119 }, /* 9 x 10^17 */
90 { 768, 145 }, /* 6 x 10^21 */
91 { 1024, 165 }, /* 7 x 10^24 */
92 { 1280, 183 }, /* 3 x 10^27 */
93 { 1536, 198 }, /* 7 x 10^29 */
94 { 1792, 212 }, /* 9 x 10^31 */
95 { 2048, 225 }, /* 8 x 10^33 */
96 { 2304, 237 }, /* 5 x 10^35 */
97 { 2560, 249 }, /* 3 x 10^37 */
98 { 2816, 259 }, /* 1 x 10^39 */
99 { 3072, 269 }, /* 3 x 10^40 */
100 { 3328, 279 }, /* 8 x 10^41 */
101 { 3584, 288 }, /* 2 x 10^43 */
102 { 3840, 296 }, /* 4 x 10^44 */
103 { 4096, 305 }, /* 7 x 10^45 */
104 { 4352, 313 }, /* 1 x 10^47 */
105 { 4608, 320 }, /* 2 x 10^48 */
106 { 4864, 328 }, /* 2 x 10^49 */
107 { 5120, 335 }, /* 3 x 10^50 */
112 for(i=0; t[i].p_n; i++ ) {
116 /* not in table - use some arbitrary high number ;-) */
121 test_keys( ELG_secret_key *sk, unsigned nbits )
124 MPI test = gcry_mpi_new ( 0 );
125 MPI out1_a = gcry_mpi_new ( nbits );
126 MPI out1_b = gcry_mpi_new ( nbits );
127 MPI out2 = gcry_mpi_new ( nbits );
133 gcry_mpi_randomize( test, nbits, GCRY_WEAK_RANDOM );
135 do_encrypt( out1_a, out1_b, test, &pk );
136 decrypt( out2, out1_a, out1_b, sk );
137 if( mpi_cmp( test, out2 ) )
138 log_fatal("ElGamal operation: encrypt, decrypt failed\n");
140 sign( out1_a, out1_b, test, sk );
141 if( !verify( out1_a, out1_b, test, &pk ) )
142 log_fatal("ElGamal operation: sign, verify failed\n");
144 gcry_mpi_release ( test );
145 gcry_mpi_release ( out1_a );
146 gcry_mpi_release ( out1_b );
147 gcry_mpi_release ( out2 );
152 * generate a random secret exponent k from prime p, so
153 * that k is relatively prime to p-1
158 MPI k = mpi_alloc_secure( 0 );
159 MPI temp = mpi_alloc( mpi_get_nlimbs(p) );
160 MPI p_1 = mpi_copy(p);
161 unsigned int orig_nbits = mpi_get_nbits(p);
162 unsigned int nbits, nbytes;
165 /* IMO using a k much lesser than p is sufficient and it greatly
166 * improves the encryption performance. We use Wiener's table
167 * and add a large safety margin.
169 nbits = wiener_map( orig_nbits ) * 3 / 2;
170 if( nbits >= orig_nbits )
173 nbytes = (nbits+7)/8;
175 log_debug("choosing a random k ");
176 mpi_sub_ui( p_1, p, 1);
178 if( !rndbuf || nbits < 32 ) {
180 rndbuf = gcry_random_bytes_secure( nbytes, GCRY_STRONG_RANDOM );
182 else { /* change only some of the higher bits */
183 /* we could improve this by directly requesting more memory
184 * at the first call to get_random_bytes() and use this the here
185 * maybe it is easier to do this directly in random.c
186 * Anyway, it is highly inlikely that we will ever reach this code
188 char *pp = gcry_random_bytes_secure( 4, GCRY_STRONG_RANDOM );
189 memcpy( rndbuf, pp, 4 );
191 log_debug("gen_k: tsss, never expected to reach this\n");
193 _gcry_mpi_set_buffer( k, rndbuf, nbytes, 0 );
196 /* Hmm, actually we don't need this step here
197 * because we use k much smaller than p - we do it anyway
198 * just in case the keep on adding a one to k ;) */
199 if( !(mpi_cmp( k, p_1 ) < 0) ) { /* check: k < (p-1) */
204 if( !(mpi_cmp_ui( k, 0 ) > 0) ) { /* check: k > 0 */
209 if( gcry_mpi_gcd( temp, k, p_1 ) )
210 goto found; /* okay, k is relatively prime to (p-1) */
211 mpi_add_ui( k, k, 1 );
227 * Generate a key pair with a key of size NBITS
228 * Returns: 2 structures filles with all needed values
229 * and an array with n-1 factors of (p-1)
232 generate( ELG_secret_key *sk, unsigned int nbits, MPI **ret_factors )
234 MPI p; /* the prime */
237 MPI x; /* the secret exponent */
244 p_min1 = gcry_mpi_new ( nbits );
245 temp = gcry_mpi_new( nbits );
246 qbits = wiener_map( nbits );
247 if( qbits & 1 ) /* better have a even one */
250 p = _gcry_generate_elg_prime( 0, nbits, qbits, g, ret_factors );
251 mpi_sub_ui(p_min1, p, 1);
254 /* select a random number which has these properties:
256 * This must be a very good random number because this is the
257 * secret part. The prime is public and may be shared anyway,
258 * so a random generator level of 1 is used for the prime.
260 * I don't see a reason to have a x of about the same size
261 * as the p. It should be sufficient to have one about the size
262 * of q or the later used k plus a large safety margin. Decryption
263 * will be much faster with such an x.
265 xbits = qbits * 3 / 2;
268 x = gcry_mpi_snew ( xbits );
270 log_debug("choosing a random x of size %u", xbits );
275 if( rndbuf ) { /* change only some of the higher bits */
276 if( xbits < 16 ) {/* should never happen ... */
278 rndbuf = gcry_random_bytes_secure( (xbits+7)/8,
279 GCRY_VERY_STRONG_RANDOM );
282 char *r = gcry_random_bytes_secure( 2,
283 GCRY_VERY_STRONG_RANDOM );
284 memcpy(rndbuf, r, 2 );
289 rndbuf = gcry_random_bytes_secure( (xbits+7)/8,
290 GCRY_VERY_STRONG_RANDOM );
292 _gcry_mpi_set_buffer( x, rndbuf, (xbits+7)/8, 0 );
293 mpi_clear_highbit( x, xbits+1 );
294 } while( !( mpi_cmp_ui( x, 0 )>0 && mpi_cmp( x, p_min1 )<0 ) );
297 y = gcry_mpi_new (nbits);
298 gcry_mpi_powm( y, g, x, p );
302 log_mpidump("elg p= ", p );
303 log_mpidump("elg g= ", g );
304 log_mpidump("elg y= ", y );
305 log_mpidump("elg x= ", x );
308 /* copy the stuff to the key structures */
314 /* now we can test our keys (this should never fail!) */
315 test_keys( sk, nbits - 64 );
317 gcry_mpi_release ( p_min1 );
318 gcry_mpi_release ( temp );
323 * Test whether the secret key is valid.
324 * Returns: if this is a valid key.
327 check_secret_key( ELG_secret_key *sk )
330 MPI y = mpi_alloc( mpi_get_nlimbs(sk->y) );
332 gcry_mpi_powm( y, sk->g, sk->x, sk->p );
333 rc = !mpi_cmp( y, sk->y );
340 do_encrypt(MPI a, MPI b, MPI input, ELG_public_key *pkey )
344 /* Note: maybe we should change the interface, so that it
345 * is possible to check that input is < p and return an
349 k = gen_k( pkey->p );
350 gcry_mpi_powm( a, pkey->g, k, pkey->p );
351 /* b = (y^k * input) mod p
352 * = ((y^k mod p) * (input mod p)) mod p
353 * and because input is < p
354 * = ((y^k mod p) * input) mod p
356 gcry_mpi_powm( b, pkey->y, k, pkey->p );
357 gcry_mpi_mulm( b, b, input, pkey->p );
360 log_mpidump("elg encrypted y= ", pkey->y);
361 log_mpidump("elg encrypted p= ", pkey->p);
362 log_mpidump("elg encrypted k= ", k);
363 log_mpidump("elg encrypted M= ", input);
364 log_mpidump("elg encrypted a= ", a);
365 log_mpidump("elg encrypted b= ", b);
375 decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey )
377 MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
379 /* output = b/(a^x) mod p */
380 gcry_mpi_powm( t1, a, skey->x, skey->p );
381 mpi_invm( t1, t1, skey->p );
382 mpi_mulm( output, b, t1, skey->p );
385 log_mpidump("elg decrypted x= ", skey->x);
386 log_mpidump("elg decrypted p= ", skey->p);
387 log_mpidump("elg decrypted a= ", a);
388 log_mpidump("elg decrypted b= ", b);
389 log_mpidump("elg decrypted M= ", output);
397 * Make an Elgamal signature out of INPUT
401 sign(MPI a, MPI b, MPI input, ELG_secret_key *skey )
404 MPI t = mpi_alloc( mpi_get_nlimbs(a) );
405 MPI inv = mpi_alloc( mpi_get_nlimbs(a) );
406 MPI p_1 = mpi_copy(skey->p);
409 * b = (t * inv) mod (p-1)
410 * b = (t * inv(k,(p-1),(p-1)) mod (p-1)
411 * b = (((M-x*a) mod (p-1)) * inv(k,(p-1),(p-1))) mod (p-1)
414 mpi_sub_ui(p_1, p_1, 1);
415 k = gen_k( skey->p );
416 gcry_mpi_powm( a, skey->g, k, skey->p );
417 mpi_mul(t, skey->x, a );
418 mpi_subm(t, input, t, p_1 );
419 mpi_invm(inv, k, p_1 );
420 mpi_mulm(b, t, inv, p_1 );
424 log_mpidump("elg sign p= ", skey->p);
425 log_mpidump("elg sign g= ", skey->g);
426 log_mpidump("elg sign y= ", skey->y);
427 log_mpidump("elg sign x= ", skey->x);
428 log_mpidump("elg sign k= ", k);
429 log_mpidump("elg sign M= ", input);
430 log_mpidump("elg sign a= ", a);
431 log_mpidump("elg sign b= ", b);
442 * Returns true if the signature composed of A and B is valid.
445 verify(MPI a, MPI b, MPI input, ELG_public_key *pkey )
453 if( !(mpi_cmp_ui( a, 0 ) > 0 && mpi_cmp( a, pkey->p ) < 0) )
454 return 0; /* assertion 0 < a < p failed */
456 t1 = mpi_alloc( mpi_get_nlimbs(a) );
457 t2 = mpi_alloc( mpi_get_nlimbs(a) );
460 /* t1 = (y^a mod p) * (a^b mod p) mod p */
461 gcry_mpi_powm( t1, pkey->y, a, pkey->p );
462 gcry_mpi_powm( t2, a, b, pkey->p );
463 mpi_mulm( t1, t1, t2, pkey->p );
465 /* t2 = g ^ input mod p */
466 gcry_mpi_powm( t2, pkey->g, input, pkey->p );
468 rc = !mpi_cmp( t1, t2 );
470 /* t1 = (y^a mod p) * (a^b mod p) mod p */
471 base[0] = pkey->y; exp[0] = a;
472 base[1] = a; exp[1] = b;
473 base[2] = NULL; exp[2] = NULL;
474 mpi_mulpowm( t1, base, exp, pkey->p );
476 /* t2 = g ^ input mod p */
477 gcry_mpi_powm( t2, pkey->g, input, pkey->p );
479 rc = !mpi_cmp( t1, t2 );
481 /* t1 = g ^ - input * y ^ a * a ^ b mod p */
482 mpi_invm(t2, pkey->g, pkey->p );
483 base[0] = t2 ; exp[0] = input;
484 base[1] = pkey->y; exp[1] = a;
485 base[2] = a; exp[2] = b;
486 base[3] = NULL; exp[3] = NULL;
487 mpi_mulpowm( t1, base, exp, pkey->p );
488 rc = !mpi_cmp_ui( t1, 1 );
497 /*********************************************
498 ************** interface ******************
499 *********************************************/
502 _gcry_elg_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors )
506 if( !is_ELGAMAL(algo) )
507 return GCRYERR_INV_PK_ALGO;
509 generate( &sk, nbits, retfactors );
519 _gcry_elg_check_secret_key( int algo, MPI *skey )
523 if( !is_ELGAMAL(algo) )
524 return GCRYERR_INV_PK_ALGO;
525 if( !skey[0] || !skey[1] || !skey[2] || !skey[3] )
526 return GCRYERR_BAD_MPI;
532 if( !check_secret_key( &sk ) )
533 return GCRYERR_BAD_SECRET_KEY;
541 _gcry_elg_encrypt( int algo, MPI *resarr, MPI data, MPI *pkey )
545 if( !is_ELGAMAL(algo) )
546 return GCRYERR_INV_PK_ALGO;
547 if( !data || !pkey[0] || !pkey[1] || !pkey[2] )
548 return GCRYERR_BAD_MPI;
553 resarr[0] = mpi_alloc( mpi_get_nlimbs( pk.p ) );
554 resarr[1] = mpi_alloc( mpi_get_nlimbs( pk.p ) );
555 do_encrypt( resarr[0], resarr[1], data, &pk );
560 _gcry_elg_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
564 if( !is_ELGAMAL(algo) )
565 return GCRYERR_INV_PK_ALGO;
566 if( !data[0] || !data[1]
567 || !skey[0] || !skey[1] || !skey[2] || !skey[3] )
568 return GCRYERR_BAD_MPI;
574 *result = mpi_alloc_secure( mpi_get_nlimbs( sk.p ) );
575 decrypt( *result, data[0], data[1], &sk );
580 _gcry_elg_sign( int algo, MPI *resarr, MPI data, MPI *skey )
584 if( !is_ELGAMAL(algo) )
585 return GCRYERR_INV_PK_ALGO;
586 if( !data || !skey[0] || !skey[1] || !skey[2] || !skey[3] )
587 return GCRYERR_BAD_MPI;
593 resarr[0] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
594 resarr[1] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
595 sign( resarr[0], resarr[1], data, &sk );
600 _gcry_elg_verify( int algo, MPI hash, MPI *data, MPI *pkey,
601 int (*cmp)(void *, MPI), void *opaquev )
605 if( !is_ELGAMAL(algo) )
606 return GCRYERR_INV_PK_ALGO;
607 if( !data[0] || !data[1] || !hash
608 || !pkey[0] || !pkey[1] || !pkey[2] )
609 return GCRYERR_BAD_MPI;
614 if( !verify( data[0], data[1], hash, &pk ) )
615 return GCRYERR_BAD_SIGNATURE;
622 _gcry_elg_get_nbits( int algo, MPI *pkey )
624 if( !is_ELGAMAL(algo) )
626 return mpi_get_nbits( pkey[0] );
631 * Return some information about the algorithm. We need algo here to
632 * distinguish different flavors of the algorithm.
633 * Returns: A pointer to string describing the algorithm or NULL if
634 * the ALGO is invalid.
635 * Usage: Bit 0 set : allows signing
636 * 1 set : allows encryption
637 * NOTE: This function allows signing also for ELG-E, which is not
638 * okay but a bad hack to allow to work with old gpg keys. The real check
639 * is done in the gnupg ocde depending on the packet version.
642 _gcry_elg_get_info( int algo, int *npkey, int *nskey, int *nenc, int *nsig,
652 *use = GCRY_PK_USAGE_SIGN|GCRY_PK_USAGE_ENCR;
655 *use = GCRY_PK_USAGE_SIGN|GCRY_PK_USAGE_ENCR;
657 default: *use = 0; return NULL;
projects / libgcrypt.git / blob