Global's BigA has a 256-bit q, and 2048-bit p and g. It was generated
using DSAGroupGenerator, which is an adapted version of FIPS-186-2, which
I produced after extensive consultation with Scott. The seed is included
so it can be regenerated.
On Mon, Sep 25, 2006 at 12:53:31PM +0100, toad wrote:
> On Sun, Sep 24, 2006 at 01:03:18AM +0000, nextgens at freenetproject.org
> wrote:
> > Author: nextgens
> > Date: 2006-09-24 01:02:49 +0000 (Sun, 24 Sep 2006)
> > New Revision: 10505
> >
> > Modified:
> > trunk/freenet/src/freenet/crypt/DSA.java
> > trunk/freenet/src/freenet/crypt/DSAGroup.java
> > Log:
> > Fix some crypto code:
> > 1) we were generating the "h" parameter of the group with only a few
> > bytes
>
> Eh? h is the number of bits of another parameter; it's supposed to be short!
> Hmmm, having said that, our Q length needs to be the same as our hash
> length, i.e. 256. Which code did we actually use for group generation?
> I'm reasonably sure I generated a group with 2048/256...
>
> Having to change group would be rather destructive, please could you
> give a detailed justification?
>
> > 2) we weren't verifying DSA signatures as we ought to
> >
> > TODO: what about following FIPS-186-3 instead of the first version?
>
> I don't think it was available at the time of implementation.
> >
> > Of course it needs to be carefully reviewed... and hasn't been tested ;p
> >
> > Modified: trunk/freenet/src/freenet/crypt/DSA.java
> > ===================================================================
> > --- trunk/freenet/src/freenet/crypt/DSA.java 2006-09-23 22:47:03 UTC
> > (rev 10504)
> > +++ trunk/freenet/src/freenet/crypt/DSA.java 2006-09-24 01:02:49 UTC
> > (rev 10505)
> > @@ -14,23 +14,20 @@
> > * Returns a DSA signature given a group, private key (x), a random
> > nonce
> > * (k), and the hash of the message (m).
> > */
> > - public static DSASignature sign(DSAGroup g,
> > - DSAPrivateKey x,
> > - BigInteger k,
> > - BigInteger m) {
> > + public static DSASignature sign(DSAGroup g,
> > + DSAPrivateKey x,
> > + BigInteger k,
> > + BigInteger m) {
> > BigInteger r=g.getG().modPow(k, g.getP()).mod(g.getQ());
> > -
> > +
> > BigInteger kInv=k.modInverse(g.getQ());
> > return sign(g, x, r, kInv, m);
> > - }
> > -
> > - public static DSASignature sign(DSAGroup g, DSAPrivateKey x,
> > BigInteger m,
> > - Random r) {
> > - BigInteger k;
> > - do {
> > - k=new NativeBigInteger(256, r);
> > - } while ((k.compareTo(g.getQ())>-1) ||
> > (k.compareTo(BigInteger.ZERO)==0));
> > - return sign(g, x, k, m);
> > + }
> > +
> > + public static DSASignature sign(DSAGroup g, DSAPrivateKey x, BigInteger
> > m,
> > + Random r) {
> > + BigInteger k = DSA.generateK(g, r);
> > + return sign(g, x, k, m);
> > }
> >
> > /**
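Review bot: The 4-arg `sign(g, x, m, r)` still takes a plain `java.util.Random`, yet the nonce it draws through `generateK` is the one value whose predictability or reuse exposes the private key x, so the Javadoc should carry the precondition: `@param r a cryptographically secure generator (SecureRandom); a nonce is never reused across signatures`. This overload also never retries when the 5-arg sign rejects r == 0 or s == 0 — the new code further down this file throws in that case instead of drawing a fresh k, which is exactly what its FIXME defers; since k is chosen here, the retry loop belongs in this overload rather than in the 5-arg one. The precompute loop in the next hunk draws k from the same `Random` and needs the same precondition note.
```java
public static DSASignature sign(DSAGroup g, DSAPrivateKey x, BigInteger m, Random r) {
    // FIPS 186: a k that yields r == 0 or s == 0 is discarded and a fresh k is drawn.
    BigInteger q = g.getQ();
    while (true) {
        BigInteger k = DSA.generateK(g, r);
        BigInteger rr = g.getG().modPow(k, g.getP()).mod(q);
        if (rr.signum() == 0) continue;
        BigInteger s = k.modInverse(q).multiply(m.add(x.getX().multiply(rr))).mod(q);
        if (s.signum() == 0) continue;
        return new DSASignature(rr, s);
    }
}
```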
> > @@ -41,10 +38,7 @@
> > BigInteger[][] result=new BigInteger[count][2];
> >
> > for (int i=0; i<count; i++) {
> > - BigInteger k;
> > - do {
> > - k=new NativeBigInteger(160, r);
> > - } while ((k.compareTo(g.getQ())>-1) ||
> > (k.compareTo(BigInteger.ZERO)==0));
> > + BigInteger k = DSA.generateK(g, r);
> >
> > result[i][0] = g.getG().modPow(k, g.getP()); // r
> > result[i][1] = k.modInverse(g.getQ()); // k^-1
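Review bot: `result[i][0]` stores g^k mod p without the `.mod(g.getQ())` that the `sign` overload in the previous hunk applies before using the value as r, so the two paths produce differently shaped r values for the same k. If these precomputed pairs are later handed straight to the 5-arg `sign(g, x, r, kInv, m)`, s would be computed over an r outside [1, q-1]; either reduce here, `result[i][0] = g.getG().modPow(k, g.getP()).mod(g.getQ()); // r`, or document that the consumer must reduce it. The enclosing method begins and ends outside the hunk, so the consumer of `result` is not visible from here.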
> > @@ -60,10 +54,20 @@
> > public static DSASignature sign(DSAGroup g, DSAPrivateKey x,
> > BigInteger r, BigInteger kInv,
> > BigInteger m) {
> > - BigInteger s1=m.add(x.getX().multiply(r)).mod(g.getQ());
> > - BigInteger s=kInv.multiply(s1).mod(g.getQ());
> > - return new DSASignature(r,s);
> > + BigInteger s1=m.add(x.getX().multiply(r)).mod(g.getQ());
> > + BigInteger s=kInv.multiply(s1).mod(g.getQ());
> > + // FIXME: the following case would involve recomputing the sig.
> > with a different k
> > + if((r.compareTo(BigInteger.ZERO) == 0) ||
> > (s.compareTo(BigInteger.ZERO) == 0)) throw new
> > NullPointerException("Something is wrong there!");
> > + return new DSASignature(r,s);
> > }
> > +
> > + private static BigInteger generateK(DSAGroup g, Random r){
> > + BigInteger k;
> > + do {
> > + k=new NativeBigInteger(DSAGroup.Q_BIT_LENGTH, r);
> > + } while ((g.getQ().compareTo(k) < 1) ||
> > (k.compareTo(BigInteger.ZERO) == 0));
> > + return k;
> > + }
> >
> > /**
> > * Verifies the message authenticity given a group, the public key
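Review bot: `generateK` sizes the candidate nonce by the fixed `DSAGroup.Q_BIT_LENGTH` (160) rather than by the group it is handed, so for a group whose q is wider — the mail above says the global group's q is 256 bits — every k is drawn from a tiny sub-range of [1, q-1], and a nonce biased that badly undermines the secrecy of x just as a reused one does; the draw should be `k=new NativeBigInteger(g.getQ().bitLength(), r);`, with the existing rejection of k == 0 and k >= q keeping it uniform in range. The same hard-coded width is introduced as the constant in the DSAGroup.java hunk at @@ -21 and consulted by the validity check at @@ -267, which would reject a 256-bit q outright, so those two hunks need the same rethink. Separately, the zero-r/zero-s branch in the 5-arg `sign` throws `NullPointerException`, which misdescribes the condition; `throw new IllegalStateException("DSA signature component is zero; sign again with a fresh k");` is the right type until the retry the FIXME asks for exists.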
> > @@ -73,7 +77,12 @@
> > DSASignature sig,
> > BigInteger m) {
> > try {
> > - BigInteger w=sig.getS().modInverse(kp.getQ());
> > + // 0<r<q has to be true
> > + if((sig.getR().compareTo(BigInteger.ZERO) < 1) ||
> > (kp.getQ().compareTo(sig.getR()) < 1)) return false;
> > + // 0<s<q has to be true as well
> > + if((sig.getS().compareTo(BigInteger.ZERO) < 1) ||
> > (kp.getQ().compareTo(sig.getS()) < 1)) return false;
> > +
> > + BigInteger w=sig.getS().modInverse(kp.getQ());
> > BigInteger u1=m.multiply(w).mod(kp.getQ());
> > BigInteger u2=sig.getR().multiply(w).mod(kp.getQ());
> > BigInteger v1=kp.getG().modPow(u1, kp.getP());
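Review bot: The two new range checks are correct but read awkwardly as `compareTo(BigInteger.ZERO) < 1` and `kp.getQ().compareTo(...) < 1`; `sig.getR().signum() <= 0 || sig.getR().compareTo(kp.getQ()) >= 0` states "r ≤ 0 or r ≥ q" directly, and likewise for s. Because the group validity check in DSAGroup.java tests `isPrime(q, 80)`, 0 < s < q also guarantees that `modInverse` succeeds, so the `ArithmeticException` catch that the FIXME in the next hunk asks about now only guards against a malformed group — worth saying in that comment. The method's signature and its catch block lie outside this hunk.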
> > @@ -81,7 +90,6 @@
> > BigInteger v=v1.multiply(v2).mod(kp.getP()).mod(kp.getQ());
> > return v.equals(sig.getR());
> >
> > -
> > //FIXME: is there a better way to handle this exception raised on
> > the 'w=' line above?
> > } catch (ArithmeticException e) { // catch error raised by invalid data
> > return false; // and report that that data is bad.
> >
> > Modified: trunk/freenet/src/freenet/crypt/DSAGroup.java
> > ===================================================================
> > --- trunk/freenet/src/freenet/crypt/DSAGroup.java 2006-09-23 22:47:03 UTC
> > (rev 10504)
> > +++ trunk/freenet/src/freenet/crypt/DSAGroup.java 2006-09-24 01:02:49 UTC
> > (rev 10505)
> > @@ -21,6 +21,8 @@
> > */
> > public class DSAGroup extends CryptoKey {
> > private static final long serialVersionUID = -1;
> > +
> > + public static final int Q_BIT_LENGTH = 160;
> >
> > private BigInteger p, q, g;
> >
> > @@ -171,7 +173,7 @@
> >
> > public void run() {
> > while (true) {
> > - qs.addElement(makePrime(160, 80, r));
> > + qs.addElement(makePrime(DSAGroup.Q_BIT_LENGTH, 80, r));
> > synchronized (this) {
> > notifyAll();
> > }
> > @@ -239,7 +241,7 @@
> > qg.notify();
> > }
> > } else
> > - q = makePrime(160, 80, r);
> > + q = makePrime(DSAGroup.Q_BIT_LENGTH, 80, r);
> >
> > BigInteger X = new BigInteger(bits, r).setBit(bits - 1);
> >
> > @@ -252,7 +254,7 @@
> > BigInteger h;
> > do {
> > if ((cc++) % 5 == 0) System.err.print("+");
> > - h = new NativeBigInteger(160, r);
> > + h = new NativeBigInteger(bits, r);
> > g = h.modPow(pmin1.divide(q), p);
> > } while ((h.compareTo(p.subtract(BigInteger.ONE)) != -1)
> > || (h.compareTo(BigInteger.ONE) < 1)
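Review bot: In the h loop the modular exponentiation is evaluated before the bounds on h are tested, so every rejected candidate still costs a full `modPow`; testing 1 < h < p-1 first and computing g only for an accepted h gives the same result and also lets `pmin1.divide(q)` be hoisted out of the loop. The `while` condition continues past the hunk, so any further test on g (such as g != 1) is not visible here and is left as a placeholder below.
```java
BigInteger h;
BigInteger exp = pmin1.divide(q); // loop-invariant
while (true) {
    if ((cc++) % 5 == 0) System.err.print("+");
    h = new NativeBigInteger(bits, r);
    if (h.compareTo(BigInteger.ONE) <= 0 || h.compareTo(pmin1) >= 0) continue;
    g = h.modPow(exp, p);
    // … unchanged: remaining test(s) on g from the original while-condition, then break …
}
```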
> > @@ -267,8 +269,9 @@
> > q = grp.getQ();
> > g = grp.getG();
> > BigInteger pmin1 = p.subtract(BigInteger.ONE);
> > + // TODO: that's FIPS-186-1, we should consider implementing 3
> > insteed!
> > boolean rv = !((p.bitLength() > 1024) || (p.bitLength() < 512))
> > - && ((p.bitLength() % 64) == 0) && (q.bitLength() == 160)
> > + && ((p.bitLength() % 64) == 0) && (q.bitLength() ==
> > DSAGroup.Q_BIT_LENGTH)
> > && (q.compareTo(p) == -1) && isPrime(p, 80) && isPrime(q,
> > 80)
> > && pmin1.mod(q).equals(BigInteger.ZERO)
> > && (g.compareTo(BigInteger.ONE) == 1)
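Review bot: The visible conjuncts bound g only from below (`g > 1`) and none of them checks that g actually has order q; if the rest of the expression, which continues past the hunk, does not include `&& (g.compareTo(p) < 0)` and `&& g.modPow(q, p).equals(BigInteger.ONE)`, both should be added, since with q prime those two lines are what make g a generator of the order-q subgroup that the verification equation relies on. The enclosing method's signature is outside the hunk.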
> >