pssr_8cpp_source.html

 // pssr.cpp - written and placed in the public domain by Wei Dai

 #include "pch.h"
 #include "pssr.h"
 #include "misc.h"

 #include <functional>

 NAMESPACE_BEGIN(CryptoPP)

 // more in dll.cpp
 template<> const byte EMSA2HashId<RIPEMD160>::id = 0x31;
 template<> const byte EMSA2HashId<RIPEMD128>::id = 0x32;
 template<> const byte EMSA2HashId<Whirlpool>::id = 0x37;

 #ifndef CRYPTOPP_IMPORTS

 size_t PSSR_MEM_Base::MinRepresentativeBitLength(size_t hashIdentifierLength, size_t digestLength) const
 {
         size_t saltLen = SaltLen(digestLength);
         size_t minPadLen = MinPadLen(digestLength);
         return 9 + 8*(minPadLen + saltLen + digestLength + hashIdentifierLength);
 }

 size_t PSSR_MEM_Base::MaxRecoverableLength(size_t representativeBitLength, size_t hashIdentifierLength, size_t digestLength) const
 {
         if (AllowRecovery())
                 return SaturatingSubtract(representativeBitLength, MinRepresentativeBitLength(hashIdentifierLength, digestLength)) / 8;
         return 0;
 }

 bool PSSR_MEM_Base::IsProbabilistic() const
 {
         return SaltLen(1) > 0;
 }

 bool PSSR_MEM_Base::AllowNonrecoverablePart() const
 {
         return true;
 }

 bool PSSR_MEM_Base::RecoverablePartFirst() const
 {
         return false;
 }

 void PSSR_MEM_Base::ComputeMessageRepresentative(RandomNumberGenerator &rng,
         const byte *recoverableMessage, size_t recoverableMessageLength,
         HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,
         byte *representative, size_t representativeBitLength) const
 {
         CRYPTOPP_UNUSED(rng), CRYPTOPP_UNUSED(recoverableMessage), CRYPTOPP_UNUSED(recoverableMessageLength);
         CRYPTOPP_UNUSED(messageEmpty), CRYPTOPP_UNUSED(hashIdentifier);
         CRYPTOPP_ASSERT(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));

         const size_t u = hashIdentifier.second + 1;
         const size_t representativeByteLength = BitsToBytes(representativeBitLength);
         const size_t digestSize = hash.DigestSize();
         const size_t saltSize = SaltLen(digestSize);
         byte *const h = representative + representativeByteLength - u - digestSize;

         SecByteBlock digest(digestSize), salt(saltSize);
         hash.Final(digest);
         rng.GenerateBlock(salt, saltSize);

         // compute H = hash of M'
         byte c[8];
         PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));
         PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));
         hash.Update(c, 8);
         hash.Update(recoverableMessage, recoverableMessageLength);
         hash.Update(digest, digestSize);
         hash.Update(salt, saltSize);
         hash.Final(h);

         // compute representative
         GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize, false);
         byte *xorStart = representative + representativeByteLength - u - digestSize - salt.size() - recoverableMessageLength - 1;
         xorStart[0] ^= 1;
         if (recoverableMessage && recoverableMessageLength)
                 xorbuf(xorStart + 1, recoverableMessage, recoverableMessageLength);
         xorbuf(xorStart + 1 + recoverableMessageLength, salt, salt.size());
         if (hashIdentifier.first && hashIdentifier.second)
         {
                 memcpy(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second);
                 representative[representativeByteLength - 1] = 0xcc;
         }
         else
         {
                 representative[representativeByteLength - 1] = 0xbc;
         }
         if (representativeBitLength % 8 != 0)
                 representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);
 }

 DecodingResult PSSR_MEM_Base::RecoverMessageFromRepresentative(
         HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty,
         byte *representative, size_t representativeBitLength,
         byte *recoverableMessage) const
 {
         CRYPTOPP_UNUSED(recoverableMessage), CRYPTOPP_UNUSED(messageEmpty), CRYPTOPP_UNUSED(hashIdentifier);
         CRYPTOPP_ASSERT(representativeBitLength >= MinRepresentativeBitLength(hashIdentifier.second, hash.DigestSize()));

         const size_t u = hashIdentifier.second + 1;
         const size_t representativeByteLength = BitsToBytes(representativeBitLength);
         const size_t digestSize = hash.DigestSize();
         const size_t saltSize = SaltLen(digestSize);
         const byte *const h = representative + representativeByteLength - u - digestSize;

         SecByteBlock digest(digestSize);
         hash.Final(digest);

         DecodingResult result(0);
         bool &valid = result.isValidCoding;
         size_t &recoverableMessageLength = result.messageLength;

         valid = (representative[representativeByteLength - 1] == (hashIdentifier.second ? 0xcc : 0xbc)) && valid;

         if (hashIdentifier.first && hashIdentifier.second)
                 valid = VerifyBufsEqual(representative + representativeByteLength - u, hashIdentifier.first, hashIdentifier.second) && valid;

         GetMGF().GenerateAndMask(hash, representative, representativeByteLength - u - digestSize, h, digestSize);
         if (representativeBitLength % 8 != 0)
                 representative[0] = (byte)Crop(representative[0], representativeBitLength % 8);

         // extract salt and recoverableMessage from DB = 00 ... || 01 || M || salt
         byte *salt = representative + representativeByteLength - u - digestSize - saltSize;
         byte *M = std::find_if(representative, salt-1, std::bind2nd(std::not_equal_to<byte>(), byte(0)));
         recoverableMessageLength = salt-M-1;
         if (*M == 0x01 &&
            (size_t)(M - representative - (representativeBitLength % 8 != 0)) >= MinPadLen(digestSize) &&
            recoverableMessageLength <= MaxRecoverableLength(representativeBitLength, hashIdentifier.second, digestSize))
         {
                 if (recoverableMessage)
                         memcpy(recoverableMessage, M+1, recoverableMessageLength);
         }
         else
         {
                 recoverableMessageLength = 0;
                 valid = false;
         }

         // verify H = hash of M'
         byte c[8];
         PutWord(false, BIG_ENDIAN_ORDER, c, (word32)SafeRightShift<29>(recoverableMessageLength));
         PutWord(false, BIG_ENDIAN_ORDER, c+4, word32(recoverableMessageLength << 3));
         hash.Update(c, 8);
         hash.Update(recoverableMessage, recoverableMessageLength);
         hash.Update(digest, digestSize);
         hash.Update(salt, saltSize);
         valid = hash.Verify(h) && valid;

         if (!AllowRecovery() && valid && recoverableMessageLength != 0)
                 {throw NotImplemented("PSSR_MEM: message recovery disabled");}

         return result;
 }

 #endif

 NAMESPACE_END
byte
uint8_t byte
Definition: Common.h:57

misc.h
Utility functions for the Crypto++ library.

RandomNumberGenerator::GenerateBlock
virtual void GenerateBlock(byte *output, size_t size)
Generate random array of bytes.
Definition: cryptlib.cpp:326

BitsToBytes
size_t BitsToBytes(size_t bitCount)
Returns the number of 8-bit bytes or octets required for the specified number of bits.
Definition: misc.h:749

PutWord
void PutWord(bool assumeAligned, ByteOrder order, byte *block, T value, const byte *xorBlock=NULL)
Access a block of memory.
Definition: misc.h:2123

NAMESPACE_BEGIN
#define NAMESPACE_BEGIN(x)
Definition: config.h:200

h
#define h(i)
Definition: sha.cpp:736

SecBlock< byte >

RIPEMD160
RIPEMD-160 message digest.
Definition: ripemd.h:17

SecBlock::size
size_type size() const
Provides the count of elements in the SecBlock.
Definition: secblock.h:524

c
#define c(i)

RandomNumberGenerator
Interface for random number generators.
Definition: cryptlib.h:1188

DecodingResult::messageLength
size_t messageLength
Recovered message length if isValidCoding is true, undefined otherwise.
Definition: cryptlib.h:261

PSSR_MEM_Base::AllowRecovery
virtual bool AllowRecovery() const =0

PSSR_MEM_Base::MinPadLen
virtual size_t MinPadLen(size_t hashLen) const =0

EMSA2HashId
Definition: emsa2.h:19

PSSR_MEM_Base::AllowNonrecoverablePart
bool AllowNonrecoverablePart() const
Definition: pssr.cpp:37

DecodingResult
Returns a decoding results.
Definition: cryptlib.h:238

PSSR_MEM_Base::IsProbabilistic
bool IsProbabilistic() const
Definition: pssr.cpp:32

MaskGeneratingFunction::GenerateAndMask
virtual void GenerateAndMask(HashTransformation &hash, byte *output, size_t outputLength, const byte *input, size_t inputLength, bool mask=true) const =0
Generate and apply mask.

NotImplemented
A method was called which was not implemented.
Definition: cryptlib.h:205

Whirlpool
Whirlpool
Definition: whrlpool.h:10

Crop
T Crop(T value, size_t bits)
Truncates the value to the specified number of bits.
Definition: misc.h:737

PSSR_MEM_Base::RecoverablePartFirst
bool RecoverablePartFirst() const
Definition: pssr.cpp:42

pch.h

SaturatingSubtract
T1 SaturatingSubtract(const T1 &a, const T2 &b)
Performs a saturating subtract clamped at 0.
Definition: misc.h:847

PSSR_MEM_Base::MinRepresentativeBitLength
size_t MinRepresentativeBitLength(size_t hashIdentifierLength, size_t digestLength) const
Definition: pssr.cpp:18

PSSR_MEM_Base::MaxRecoverableLength
size_t MaxRecoverableLength(size_t representativeBitLength, size_t hashIdentifierLength, size_t digestLength) const
Definition: pssr.cpp:25

BIG_ENDIAN_ORDER
byte order is big-endian
Definition: cryptlib.h:128

HashTransformation::Verify
virtual bool Verify(const byte *digest)
Verifies the hash of the current message.
Definition: cryptlib.h:1015

SafeRightShift
Safely right shift values when undefined behavior could occur.

CRYPTOPP_ASSERT
#define CRYPTOPP_ASSERT(exp)
Definition: trap.h:92

xorbuf
void xorbuf(byte *buf, const byte *mask, size_t count)
Performs an XOR of a buffer with a mask.
Definition: misc.cpp:28

PSSR_MEM_Base::SaltLen
virtual size_t SaltLen(size_t hashLen) const =0

PSSR_MEM_Base::ComputeMessageRepresentative
void ComputeMessageRepresentative(RandomNumberGenerator &rng, const byte *recoverableMessage, size_t recoverableMessageLength, HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty, byte *representative, size_t representativeBitLength) const
Definition: pssr.cpp:47

HashTransformation::DigestSize
virtual unsigned int DigestSize() const =0
Provides the digest size of the hash.

memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:17

CRYPTOPP_UNUSED
#define CRYPTOPP_UNUSED(x)
Definition: config.h:741

HashTransformation
Interface for hash functions and data processing part of MACs.
Definition: cryptlib.h:930

dev::evmjit::byte
uint8_t byte
Definition: Common.h:10

NAMESPACE_END
#define NAMESPACE_END
Definition: config.h:201

DecodingResult::isValidCoding
bool isValidCoding
Flag to indicate the decoding is valid.
Definition: cryptlib.h:259

PSSR_MEM_Base::GetMGF
virtual const MaskGeneratingFunction & GetMGF() const =0

PSSR_MEM_Base::RecoverMessageFromRepresentative
DecodingResult RecoverMessageFromRepresentative(HashTransformation &hash, HashIdentifier hashIdentifier, bool messageEmpty, byte *representative, size_t representativeBitLength, byte *recoverableMessage) const
Definition: pssr.cpp:96

CryptoPP

HashIdentifier
std::pair< const byte *, unsigned int > HashIdentifier
Definition: pubkey.h:314

word32
unsigned int word32
Definition: config.h:231

HashTransformation::Final
virtual void Final(byte *digest)
Computes the hash of the current message.
Definition: cryptlib.h:960

RIPEMD128
RIPEMD-128 message digest.
Definition: ripemd.h:42

pssr.h
Classes for probablistic signature schemes.

HashTransformation::Update
virtual void Update(const byte *input, size_t length)=0
Updates a hash with additional input.

VerifyBufsEqual
bool VerifyBufsEqual(const byte *buf, const byte *mask, size_t count)
Performs a near constant-time comparison of two equally sized buffers.
Definition: misc.cpp:96