Cryptography Reference
In-Depth Information
Example 11.26 We generate an EC key pair for the domain parameters in Example
11.25. We need a random seed for the BBS generator and we supply the function
with an externally generated one which is the following:
> kgseed := "663434a0148ccea7ff7ef7cd8b53866c":
Next, we generate the key pair:
> eckey := ECKeyGen(dp256, kgseed);
["75902d710db8b5b08cf7e27326dc86ed779298a33081bf1a7171193f77af9266",
["c2ed2f06cd6e1648c2eff6e12208b4effcb791ccf51908ab226ad2e731af798d",
"fca203d638f4afeefbf260f25cb4c4e4b8c0d3b415d3ef5cfbfcf892dea65a58"]]
We check that the key is valid for the domain parameters:
> ECKeyTest(dp256, eckey);
Valid key
Next we give the ECDSA signing function. The required parameters are domain,
privatekey, message and seed, where the last serves to specify a random
seed to be used by the BBS generator to generate the “ephemeral key pair” (k, R)
required by the signing algorithm. This ephemeral key pair is generated by
calling the previous function ECKeyGen. The optional keyword parameters are
messagetype, used to specify whether the message is a hexadecimal string or an
ASCII-8 string (in which case, messagetype = text should be set), and H for
the name of the hash function used which, in our case, will be SHA256 by default.
The output is the signature [r, s], where r and s are hexadecimal byte strings.
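> ECDSASign := proc(domain::list, privatekey::{posint,string}, message::string,
    seed::{posint,string}, {messagetype::identical(hex,text):=hex, H::name:='SHA256'})
  local dom, d, p, a, b, G, n, E, r, s, sec, k, R, e;
  # Convert the domain parameters and the private key to integers
  dom := stringposint~(domain);
  d := stringposint(privatekey);
  p := dom[1]; a := dom[2]; b := dom[3]; G := dom[4]; n := dom[5];
  E := EllipticCurve(a, b, p);
  r := 0;
  while r = 0 or s = 0 do
    # Ephemeral key pair (k, R) from the BBS generator seeded with seed;
    # k must never repeat across signatures, so a fresh seed is needed each time
    sec := stringposint~(ECKeyGen(domain, seed));
    k := sec[1];
    R := sec[2];
    # r is the x-coordinate of R reduced modulo n
    r := R[1] mod n;
    # e is the message hash converted to an integer
    e := OS2IP(H(message, messagetype));
    s := ((e+d*r)/k) mod n
  end do;
  I2OSP ([r, s])
end proc: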
Remarks 11.2
1. If the default value SHA256 is used for the hash function, the length of the prime
p defining the field should not exceed 256 bits (for longer primes SHA-384 or
SHA-512 should be used). If, on the other hand, a prime n fewer than 256 bits
long is used together with SHA-256 then the function should be modified in
order to make the value of e equal to the leftmost len(n) bits of the output of
applying the hash function to the message. This procedure should be used, more
generally, whenever the length of n is less than the output length of the hash
function used.
 