// Verify verifies the signature in r, s of hash using the public key, pub. It
// returns true iff the signature is valid.
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
// FIPS 186-3, section 4.7
if r.Sign() < 1 || r.Cmp(pub.Q) >= 0 {
return false
}
if s.Sign() < 1 || s.Cmp(pub.Q) >= 0 {
return false
}
w := new(big.Int).ModInverse(s, pub.Q)
n := pub.Q.BitLen()
if n&7 != 0 {
return false
}
n >>= 3
if n > len(hash) {
n = len(hash)
}
z := new(big.Int).SetBytes(hash[:n])
u1 := new(big.Int).Mul(z, w)
u1.Mod(u1, pub.Q)
u2 := w.Mul(r, w)
u2.Mod(u2, pub.Q)
v := u1.Exp(pub.G, u1, pub.P)
u2.Exp(pub.Y, u2, pub.P)
v.Mul(v, u2)
v.Mod(v, pub.P)
v.Mod(v, pub.Q)
return v.Cmp(r) == 0
}
func (h *Hash) l3(m []byte, iter int) []byte {
i := 0
k1 := new(big.Int)
k2 := new(big.Int)
for need := iter + 1; need > 0; i++ {
t := h.kdf(224, 128*(i+1))[16*i : 16*(i+1)]
k1.SetBytes(t[:8])
k2.SetBytes(t[8:])
if k1.Cmp(p64) == -1 && k2.Cmp(p64) == -1 {
need--
}
}
mint := newInt(m)
m1 := new(big.Int).Div(mint, p64p32)
m2 := new(big.Int).Mod(mint, p64p32)
y := new(big.Int).Add(m1, k1)
y.Mul(y, new(big.Int).Add(m2, k2))
y.Mod(y, p64)
Y := make([]byte, 8)
copy(Y[8-len(y.Bytes()):], y.Bytes())
return Y
}
// Decrypt takes two integers, resulting from an ElGamal encryption, and
// returns the plaintext of the message. An error can result only if the
// ciphertext is invalid. Users should keep in mind that this is a padding
// oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
// be used to break the cryptosystem. See ``Chosen Ciphertext Attacks
// Against Protocols Based on the RSA Encryption Standard PKCS #1'', Daniel
// Bleichenbacher, Advances in Cryptology (Crypto '98),
func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
s := new(big.Int).Exp(c1, priv.X, priv.P)
s.ModInverse(s, priv.P)
s.Mul(s, c2)
s.Mod(s, priv.P)
em := s.Bytes()
firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2)
// The remainder of the plaintext must be a string of non-zero random
// octets, followed by a 0, followed by the message.
// lookingForIndex: 1 iff we are still looking for the zero.
// index: the offset of the first zero byte.
var lookingForIndex, index int
lookingForIndex = 1
for i := 1; i < len(em); i++ {
equals0 := subtle.ConstantTimeByteEq(em[i], 0)
index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
}
if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 {
return nil, errors.New("elgamal: decryption error")
}
return em[index+1:], nil
}
// doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
// returns its double, also in Jacobian form.
func (curve *Curve) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int, *big.Int) {
// See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
delta := new(big.Int).Mul(z, z)
delta.Mod(delta, curve.P)
gamma := new(big.Int).Mul(y, y)
gamma.Mod(gamma, curve.P)
alpha := new(big.Int).Sub(x, delta)
if alpha.Sign() == -1 {
alpha.Add(alpha, curve.P)
}
alpha2 := new(big.Int).Add(x, delta)
alpha.Mul(alpha, alpha2)
alpha2.Set(alpha)
alpha.Lsh(alpha, 1)
alpha.Add(alpha, alpha2)
beta := alpha2.Mul(x, gamma)
x3 := new(big.Int).Mul(alpha, alpha)
beta8 := new(big.Int).Lsh(beta, 3)
x3.Sub(x3, beta8)
for x3.Sign() == -1 {
x3.Add(x3, curve.P)
}
x3.Mod(x3, curve.P)
z3 := new(big.Int).Add(y, z)
z3.Mul(z3, z3)
z3.Sub(z3, gamma)
if z3.Sign() == -1 {
z3.Add(z3, curve.P)
}
z3.Sub(z3, delta)
if z3.Sign() == -1 {
z3.Add(z3, curve.P)
}
z3.Mod(z3, curve.P)
beta.Lsh(beta, 2)
beta.Sub(beta, x3)
if beta.Sign() == -1 {
beta.Add(beta, curve.P)
}
y3 := alpha.Mul(alpha, beta)
gamma.Mul(gamma, gamma)
gamma.Lsh(gamma, 3)
gamma.Mod(gamma, curve.P)
y3.Sub(y3, gamma)
if y3.Sign() == -1 {
y3.Add(y3, curve.P)
}
y3.Mod(y3, curve.P)
return x3, y3, z3
}
func (h *Hash) Sum() []byte {
hashed := h.vhash()
pad := h.pdf()
sum := make([]byte, h.size)
for i := 0; i < h.size/8; i++ {
lo := 8 * i
hi := 8 * (i + 1)
t := new(big.Int).Add(newInt(pad[lo:hi]), newInt(hashed[lo:hi]))
t.Mod(t, m64)
copy(sum[hi-len(t.Bytes()):hi], t.Bytes())
}
return sum
}
// IsOnBitCurve returns true if the given (x,y) lies on the BitCurve.
func (BitCurve *BitCurve) IsOnCurve(x, y *big.Int) bool {
// y² = x³ + b
y2 := new(big.Int).Mul(y, y) //y²
y2.Mod(y2, BitCurve.P) //y²%P
x3 := new(big.Int).Mul(x, x) //x²
x3.Mul(x3, x) //x³
x3.Add(x3, BitCurve.B) //x³+B
x3.Mod(x3, BitCurve.P) //(x³+B)%P
return x3.Cmp(y2) == 0
}
func (priv *PrivateKey) Validate() os.Error {
// Check that p, q and, maybe, r are prime. Note that this is just a
// sanity check. Since the random witnesses chosen by ProbablyPrime are
// deterministic, given the candidate number, it's easy for an attack
// to generate composites that pass this test.
if !big.ProbablyPrime(priv.P, 20) {
return os.ErrorString("P is composite")
}
if !big.ProbablyPrime(priv.Q, 20) {
return os.ErrorString("Q is composite")
}
if priv.R != nil && !big.ProbablyPrime(priv.R, 20) {
return os.ErrorString("R is composite")
}
// Check that p*q*r == n.
modulus := new(big.Int).Mul(priv.P, priv.Q)
if priv.R != nil {
modulus.Mul(modulus, priv.R)
}
if modulus.Cmp(priv.N) != 0 {
return os.ErrorString("invalid modulus")
}
// Check that e and totient(p, q, r) are coprime.
pminus1 := new(big.Int).Sub(priv.P, bigOne)
qminus1 := new(big.Int).Sub(priv.Q, bigOne)
totient := new(big.Int).Mul(pminus1, qminus1)
if priv.R != nil {
rminus1 := new(big.Int).Sub(priv.R, bigOne)
totient.Mul(totient, rminus1)
}
e := big.NewInt(int64(priv.E))
gcd := new(big.Int)
x := new(big.Int)
y := new(big.Int)
big.GcdInt(gcd, x, y, totient, e)
if gcd.Cmp(bigOne) != 0 {
return os.ErrorString("invalid public exponent E")
}
// Check that de ≡ 1 (mod totient(p, q, r))
de := new(big.Int).Mul(priv.D, e)
de.Mod(de, totient)
if de.Cmp(bigOne) != 0 {
return os.ErrorString("invalid private exponent D")
}
return nil
}
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
// random source is given, RSA blinding is used.
func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
// TODO(agl): can we get away with reusing blinds?
if c.Cmp(priv.N) > 0 {
err = DecryptionError{}
return
}
var ir *big.Int
if rand != nil {
// Blinding enabled. Blinding involves multiplying c by r^e.
// Then the decryption operation performs (m^e * r^e)^d mod n
// which equals mr mod n. The factor of r can then be removed
// by multipling by the multiplicative inverse of r.
var r *big.Int
for {
r, err = randomNumber(rand, priv.N)
if err != nil {
return
}
if r.Cmp(bigZero) == 0 {
r = bigOne
}
var ok bool
ir, ok = modInverse(r, priv.N)
if ok {
break
}
}
bigE := big.NewInt(int64(priv.E))
rpowe := new(big.Int).Exp(r, bigE, priv.N)
c.Mul(c, rpowe)
c.Mod(c, priv.N)
}
m = new(big.Int).Exp(c, priv.D, priv.N)
if ir != nil {
// Unblind.
m.Mul(m, ir)
m.Mod(m, priv.N)
}
return
}
func (curve *Curve) Add(p1, p2 *Point) *Point {
fmt.Printf("a")
if p1 == nil {
return p2
}
if p2 == nil {
return p1
}
lambda_numerator := new(big.Int)
lambda_denominator := new(big.Int)
lambda := new(big.Int)
lambda_numerator.Sub(p2.Y, p1.Y)
lambda_denominator.Sub(p2.X, p1.X)
if lambda_denominator.Cmp(BigZero) == -1 { //if Y is negative
lambda_denominator.Neg(lambda_denominator)
lambda_denominator.Sub(curve.P, lambda_denominator)
}
lambda_denominator, ok := modInverse(lambda_denominator, curve.P)
if !ok {
fmt.Printf("Add : Not ok\n")
return nil
}
lambda.Mul(lambda_numerator, lambda_denominator)
lambda = lambda.Mod(lambda, curve.P)
p3 := NewPoint()
p3.X.Exp(lambda, BigTwo, curve.P)
p3.X.Sub(p3.X, p1.X)
p3.X.Sub(p3.X, p2.X)
p3.X = p3.X.Mod(p3.X, curve.P)
p3.Y.Sub(p1.X, p3.X)
p3.Y.Mul(lambda, p3.Y)
p3.Y.Sub(p3.Y, p1.Y)
p3.Y = p3.Y.Mod(p3.Y, curve.P)
if p3.X.Cmp(BigZero) == -1 { //if X is negative
p3.X.Neg(p3.X)
p3.X.Sub(curve.P, p3.X)
}
if p3.Y.Cmp(BigZero) == -1 { //if Y is negative
p3.Y.Neg(p3.Y)
p3.Y.Sub(curve.P, p3.Y)
}
return p3
}
// IsOnCurve returns true if the given (x,y) lies on the curve.
func (curve *Curve) IsOnCurve(x, y *big.Int) bool {
// y² = x³ - 3x + b
y2 := new(big.Int).Mul(y, y)
y2.Mod(y2, curve.P)
x3 := new(big.Int).Mul(x, x)
x3.Mul(x3, x)
threeX := new(big.Int).Lsh(x, 1)
threeX.Add(threeX, x)
x3.Sub(x3, threeX)
x3.Add(x3, curve.B)
x3.Mod(x3, curve.P)
return x3.Cmp(y2) == 0
}
func (curve *Curve) double(p *Point) *Point {
fmt.Printf("d")
lambda_numerator := new(big.Int)
lambda_denominator := new(big.Int)
lambda := new(big.Int)
lambda_numerator.Exp(p.X, BigTwo, curve.P)
lambda_numerator.Mul(lambda_numerator, BigThree)
lambda_numerator.Add(lambda_numerator, curve.A)
lambda_denominator.Mul(BigTwo, p.Y)
lambda_denominator, ok := modInverse(lambda_denominator, curve.P)
if !ok {
fmt.Printf("Its not OKAY\n")
return nil
}
lambda.Mul(lambda_numerator, lambda_denominator)
lambda = lambda.Mod(lambda, curve.P)
p3 := NewPoint()
temp := new(big.Int)
temp2 := new(big.Int)
//temp3 := new(big.Int)
//temp4 := new(big.Int)
//temp5 := new(big.Int)
//temp6 := new(big.Int)
p3.X.Sub(temp.Exp(lambda, BigTwo, curve.P), temp2.Mul(BigTwo, p.X))
p3.X = p3.X.Mod(p3.X, curve.P)
p3.Y.Sub(p.X, p3.X)
p3.Y.Mul(p3.Y, lambda)
p3.Y = p3.Y.Sub(p3.Y, p.Y)
p3.Y = p3.Y.Mod(p3.Y, curve.P)
if p3.X.Cmp(BigZero) == -1 { //if X is negative
p3.X.Neg(p3.X)
p3.X.Sub(curve.P, p3.X)
}
if p3.Y.Cmp(BigZero) == -1 { //if Y is negative
p3.Y.Neg(p3.Y)
p3.Y.Sub(curve.P, p3.Y)
}
return p3
}
//encodes big.Int to base58 string
func Big2Base58(val *big.Int) Base58 {
answer := ""
valCopy := new(big.Int).Abs(val) //copies big.Int
if val.Cmp(big.NewInt(0)) <= 0 { //if it is less than 0, returns empty string
return Base58("")
}
tmpStr := ""
tmp := new(big.Int)
for valCopy.Cmp(big.NewInt(0)) > 0 { //converts the number into base58
tmp.Mod(valCopy, big.NewInt(58)) //takes modulo 58 value
valCopy.Div(valCopy, big.NewInt(58)) //divides the rest by 58
tmpStr += alphabet[tmp.Int64() : tmp.Int64()+1] //encodes
}
for i := (len(tmpStr) - 1); i > -1; i-- {
answer += tmpStr[i : i+1] //reverses the order
}
return Base58(answer) //returns
}
func (priv *PrivateKey) Validate() os.Error {
// Check that the prime factors are actually prime. Note that this is
// just a sanity check. Since the random witnesses chosen by
// ProbablyPrime are deterministic, given the candidate number, it's
// easy for an attack to generate composites that pass this test.
for _, prime := range priv.Primes {
if !big.ProbablyPrime(prime, 20) {
return os.ErrorString("Prime factor is composite")
}
}
// Check that Πprimes == n.
modulus := new(big.Int).Set(bigOne)
for _, prime := range priv.Primes {
modulus.Mul(modulus, prime)
}
if modulus.Cmp(priv.N) != 0 {
return os.ErrorString("invalid modulus")
}
// Check that e and totient(Πprimes) are coprime.
totient := new(big.Int).Set(bigOne)
for _, prime := range priv.Primes {
pminus1 := new(big.Int).Sub(prime, bigOne)
totient.Mul(totient, pminus1)
}
e := big.NewInt(int64(priv.E))
gcd := new(big.Int)
x := new(big.Int)
y := new(big.Int)
big.GcdInt(gcd, x, y, totient, e)
if gcd.Cmp(bigOne) != 0 {
return os.ErrorString("invalid public exponent E")
}
// Check that de ≡ 1 (mod totient(Πprimes))
de := new(big.Int).Mul(priv.D, e)
de.Mod(de, totient)
if de.Cmp(bigOne) != 0 {
return os.ErrorString("invalid private exponent D")
}
return nil
}
// doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
// returns its double, also in Jacobian form.
func (BitCurve *BitCurve) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int, *big.Int) {
// See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
a := new(big.Int).Mul(x, x) //X1²
b := new(big.Int).Mul(y, y) //Y1²
c := new(big.Int).Mul(b, b) //B²
d := new(big.Int).Add(x, b) //X1+B
d.Mul(d, d) //(X1+B)²
d.Sub(d, a) //(X1+B)²-A
d.Sub(d, c) //(X1+B)²-A-C
d.Mul(d, big.NewInt(2)) //2*((X1+B)²-A-C)
e := new(big.Int).Mul(big.NewInt(3), a) //3*A
f := new(big.Int).Mul(e, e) //E²
x3 := new(big.Int).Mul(big.NewInt(2), d) //2*D
x3.Sub(f, x3) //F-2*D
x3.Mod(x3, BitCurve.P)
y3 := new(big.Int).Sub(d, x3) //D-X3
y3.Mul(e, y3) //E*(D-X3)
y3.Sub(y3, new(big.Int).Mul(big.NewInt(8), c)) //E*(D-X3)-8*C
y3.Mod(y3, BitCurve.P)
z3 := new(big.Int).Mul(y, z) //Y1*Z1
z3.Mul(big.NewInt(2), z3) //3*Y1*Z1
z3.Mod(z3, BitCurve.P)
return x3, y3, z3
}
func (priv PrivateKey) Validate() os.Error {
/*
TODO(agl): Enable once big implements ProbablyPrime.
// Check that p and q are prime.
if !priv.P.ProbablyPrime(20) {
return os.ErrorString("P is composite");
}
if !priv.Q.ProbablyPrime(20) {
return os.ErrorString("Q is composite");
}
*/
// Check that p*q == n.
modulus := new(big.Int).Mul(priv.P, priv.Q)
if big.CmpInt(modulus, priv.N) != 0 {
return os.ErrorString("invalid modulus")
}
// Check that e and totient(p, q) are coprime.
pminus1 := new(big.Int).Sub(priv.P, bigOne)
qminus1 := new(big.Int).Sub(priv.Q, bigOne)
totient := new(big.Int).Mul(pminus1, qminus1)
e := big.NewInt(int64(priv.E))
gcd := new(big.Int)
x := new(big.Int)
y := new(big.Int)
big.GcdInt(gcd, x, y, totient, e)
if big.CmpInt(gcd, bigOne) != 0 {
return os.ErrorString("invalid public exponent E")
}
// Check that de ≡ 1 (mod totient(p, q))
de := new(big.Int).Mul(priv.D, e)
de.Mod(de, totient)
if big.CmpInt(de, bigOne) != 0 {
return os.ErrorString("invalid private exponent D")
}
return nil
}
func nh(k, m []byte) []byte {
t := len(m) / 8
y := big.NewInt(0)
for i := 0; i < t; i += 2 {
mi := newInt(m[i*8 : (i+1)*8])
ki := newInt(k[i*8 : (i+1)*8])
mj := newInt(m[(i+1)*8 : (i+2)*8])
kj := newInt(k[(i+1)*8 : (i+2)*8])
sumi := new(big.Int).Add(mi, ki)
sumi.Mod(sumi, m64)
sumj := new(big.Int).Add(mj, kj)
sumj.Mod(sumj, m64)
prod := new(big.Int).Mul(sumi, sumj)
prod.Mod(prod, m128)
y.Add(y, prod)
y.Mod(y, m128)
}
y.Mod(y, m126)
Y := make([]byte, 16)
copy(Y[16-len(y.Bytes()):], y.Bytes())
return Y
}
// GenerateParameters puts a random, valid set of DSA parameters into params.
// This function takes many seconds, even on fast machines.
func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes) (err os.Error) {
// This function doesn't follow FIPS 186-3 exactly in that it doesn't
// use a verification seed to generate the primes. The verification
// seed doesn't appear to be exported or used by other code and
// omitting it makes the code cleaner.
var L, N int
switch sizes {
case L1024N160:
L = 1024
N = 160
case L2048N224:
L = 2048
N = 224
case L2048N256:
L = 2048
N = 256
case L3072N256:
L = 3072
N = 256
default:
return os.ErrorString("crypto/dsa: invalid ParameterSizes")
}
qBytes := make([]byte, N/8)
pBytes := make([]byte, L/8)
q := new(big.Int)
p := new(big.Int)
rem := new(big.Int)
one := new(big.Int)
one.SetInt64(1)
GeneratePrimes:
for {
_, err = io.ReadFull(rand, qBytes)
if err != nil {
return
}
qBytes[len(qBytes)-1] |= 1
qBytes[0] |= 0x80
q.SetBytes(qBytes)
if !big.ProbablyPrime(q, numMRTests) {
continue
}
for i := 0; i < 4*L; i++ {
_, err = io.ReadFull(rand, pBytes)
if err != nil {
return
}
pBytes[len(pBytes)-1] |= 1
pBytes[0] |= 0x80
p.SetBytes(pBytes)
rem.Mod(p, q)
rem.Sub(rem, one)
p.Sub(p, rem)
if p.BitLen() < L {
continue
}
if !big.ProbablyPrime(p, numMRTests) {
continue
}
params.P = p
params.Q = q
break GeneratePrimes
}
}
h := new(big.Int)
h.SetInt64(2)
g := new(big.Int)
pm1 := new(big.Int).Sub(p, one)
e := new(big.Int).Div(pm1, q)
for {
g.Exp(h, e, p)
if g.Cmp(one) == 0 {
h.Add(h, one)
continue
}
params.G = g
return
}
panic("unreachable")
}
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
// random source is given, RSA blinding is used.
func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
// TODO(agl): can we get away with reusing blinds?
if c.Cmp(priv.N) > 0 {
err = DecryptionError{}
return
}
var ir *big.Int
if random != nil {
// Blinding enabled. Blinding involves multiplying c by r^e.
// Then the decryption operation performs (m^e * r^e)^d mod n
// which equals mr mod n. The factor of r can then be removed
// by multiplying by the multiplicative inverse of r.
var r *big.Int
for {
r, err = rand.Int(random, priv.N)
if err != nil {
return
}
if r.Cmp(bigZero) == 0 {
r = bigOne
}
var ok bool
ir, ok = modInverse(r, priv.N)
if ok {
break
}
}
bigE := big.NewInt(int64(priv.E))
rpowe := new(big.Int).Exp(r, bigE, priv.N)
cCopy := new(big.Int).Set(c)
cCopy.Mul(cCopy, rpowe)
cCopy.Mod(cCopy, priv.N)
c = cCopy
}
if priv.Precomputed.Dp == nil {
m = new(big.Int).Exp(c, priv.D, priv.N)
} else {
// We have the precalculated values needed for the CRT.
m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0])
m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1])
m.Sub(m, m2)
if m.Sign() < 0 {
m.Add(m, priv.Primes[0])
}
m.Mul(m, priv.Precomputed.Qinv)
m.Mod(m, priv.Primes[0])
m.Mul(m, priv.Primes[1])
m.Add(m, m2)
for i, values := range priv.Precomputed.CRTValues {
prime := priv.Primes[2+i]
m2.Exp(c, values.Exp, prime)
m2.Sub(m2, m)
m2.Mul(m2, values.Coeff)
m2.Mod(m2, prime)
if m2.Sign() < 0 {
m2.Add(m2, prime)
}
m2.Mul(m2, values.R)
m.Add(m, m2)
}
}
if ir != nil {
// Unblind.
m.Mul(m, ir)
m.Mod(m, priv.N)
}
return
}
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
// random source is given, RSA blinding is used.
func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
// TODO(agl): can we get away with reusing blinds?
if c.Cmp(priv.N) > 0 {
err = DecryptionError{}
return
}
var ir *big.Int
if rand != nil {
// Blinding enabled. Blinding involves multiplying c by r^e.
// Then the decryption operation performs (m^e * r^e)^d mod n
// which equals mr mod n. The factor of r can then be removed
// by multipling by the multiplicative inverse of r.
var r *big.Int
for {
r, err = randomNumber(rand, priv.N)
if err != nil {
return
}
if r.Cmp(bigZero) == 0 {
r = bigOne
}
var ok bool
ir, ok = modInverse(r, priv.N)
if ok {
break
}
}
bigE := big.NewInt(int64(priv.E))
rpowe := new(big.Int).Exp(r, bigE, priv.N)
c.Mul(c, rpowe)
c.Mod(c, priv.N)
}
priv.rwMutex.RLock()
if priv.dP == nil && priv.P != nil {
priv.rwMutex.RUnlock()
priv.rwMutex.Lock()
if priv.dP == nil && priv.P != nil {
priv.precompute()
}
priv.rwMutex.Unlock()
priv.rwMutex.RLock()
}
if priv.dP == nil {
m = new(big.Int).Exp(c, priv.D, priv.N)
} else {
// We have the precalculated values needed for the CRT.
m = new(big.Int).Exp(c, priv.dP, priv.P)
m2 := new(big.Int).Exp(c, priv.dQ, priv.Q)
m.Sub(m, m2)
if m.Sign() < 0 {
m.Add(m, priv.P)
}
m.Mul(m, priv.qInv)
m.Mod(m, priv.P)
m.Mul(m, priv.Q)
m.Add(m, m2)
if priv.dR != nil {
// 3-prime CRT.
m2.Exp(c, priv.dR, priv.R)
m2.Sub(m2, m)
m2.Mul(m2, priv.tr)
m2.Mod(m2, priv.R)
if m2.Sign() < 0 {
m2.Add(m2, priv.R)
}
m2.Mul(m2, priv.pq)
m.Add(m, m2)
}
}
priv.rwMutex.RUnlock()
if ir != nil {
// Unblind.
m.Mul(m, ir)
m.Mod(m, priv.N)
}
return
}
// addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
// (x2, y2, z2) and returns their sum, also in Jacobian form.
func (curve *Curve) addJacobian(x1, y1, z1, x2, y2, z2 *big.Int) (*big.Int, *big.Int, *big.Int) {
// See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl
z1z1 := new(big.Int).Mul(z1, z1)
z1z1.Mod(z1z1, curve.P)
z2z2 := new(big.Int).Mul(z2, z2)
z2z2.Mod(z2z2, curve.P)
u1 := new(big.Int).Mul(x1, z2z2)
u1.Mod(u1, curve.P)
u2 := new(big.Int).Mul(x2, z1z1)
u2.Mod(u2, curve.P)
h := new(big.Int).Sub(u2, u1)
if h.Sign() == -1 {
h.Add(h, curve.P)
}
i := new(big.Int).Lsh(h, 1)
i.Mul(i, i)
j := new(big.Int).Mul(h, i)
s1 := new(big.Int).Mul(y1, z2)
s1.Mul(s1, z2z2)
s1.Mod(s1, curve.P)
s2 := new(big.Int).Mul(y2, z1)
s2.Mul(s2, z1z1)
s2.Mod(s2, curve.P)
r := new(big.Int).Sub(s2, s1)
if r.Sign() == -1 {
r.Add(r, curve.P)
}
r.Lsh(r, 1)
v := new(big.Int).Mul(u1, i)
x3 := new(big.Int).Set(r)
x3.Mul(x3, x3)
x3.Sub(x3, j)
x3.Sub(x3, v)
x3.Sub(x3, v)
x3.Mod(x3, curve.P)
y3 := new(big.Int).Set(r)
v.Sub(v, x3)
y3.Mul(y3, v)
s1.Mul(s1, j)
s1.Lsh(s1, 1)
y3.Sub(y3, s1)
y3.Mod(y3, curve.P)
z3 := new(big.Int).Add(z1, z2)
z3.Mul(z3, z3)
z3.Sub(z3, z1z1)
if z3.Sign() == -1 {
z3.Add(z3, curve.P)
}
z3.Sub(z3, z2z2)
if z3.Sign() == -1 {
z3.Add(z3, curve.P)
}
z3.Mul(z3, h)
z3.Mod(z3, curve.P)
return x3, y3, z3
}
func main() {
flag.Parse() // parsovani parametru prikazove radky
rand.Seed(time.Nanoseconds()) // inicializace generatoru nahodnych cisel
if *generateKeys {
SaveKeys(GenerateKeys(*keyLength))
}
// rozdeleni souboru na vice mensich podle delky klice
if *splitFile != "" {
rights := 0600
n, _ := ReadPublicKey()
bytes := readFile(*splitFile)
nl := len(n.Bytes()) - 1
i := 0
for ; i < len(bytes)/nl; i++ {
writeToFile(partfile(i), bytes[i*nl:(i+1)*nl], rights)
}
if len(bytes[i*nl:]) > 0 { // pokud deleni nevychazi presne
writeToFile(partfile(i), bytes[i*nl:], rights)
i++
}
// informacni soubor
writeToFile(*prefix+".info", strings.Bytes(fmt.Sprintf("%d", i)), rights)
}
// zasifruje/rozsifruje vsechny soubory verejnym klicem
if *encrypFiles {
n, e := ReadPublicKey()
max := msgscount()
for i := 0; i < max; i++ {
file := readFile(partfile(i))
bs := crypt(e, n, file)
writeToFile(partfile(i), bs, 0600)
}
}
// rozsifruje/zasifruje vsechny soubory soukromym klicem
if *decrypFiles {
p, q, d := ReadPrivateKey()
pinv := new(big.Int).Mul(p, invMod(p, q)) // = p*(p^-1 mod q)
qinv := new(big.Int).Mul(q, invMod(q, p)) // = q*(q^-1 mod p)
n := new(big.Int).Mul(p, q)
max := msgscount()
for i := 0; i < max; i++ {
file := readFile(partfile(i))
// CINSKA VETA O ZBYTCICH
bp := new(big.Int).SetBytes(crypt(d, p, file)) // decrypt mod p
bq := new(big.Int).SetBytes(crypt(d, q, file)) // decrypt mod q
// bs = bp * qinv + bq * binv (mod n)
bs := new(big.Int).Mul(bp, qinv)
bs.Add(bs, new(big.Int).Mul(bq, pinv))
bs.Mod(bs, n)
writeToFile(partfile(i), bs.Bytes(), 0600)
}
}
// spojeni souboru do jednoho
if *joinFile != "" {
max := msgscount()
var bs []byte
for i := 0; i < max; i++ {
file := readFile(partfile(i))
bs = bytes.Add(bs, file)
}
writeToFile(*joinFile, bs, 0600)
}
}
