我使用标准投影坐标得到了我的点乘法误差。我不知道我错过了什么,但是乘法点不在曲线上,有时它输出类似算术异常:整数不可逆。
public class ECPointArthimetic {
EllipticCurve ec;
private BigInteger x;
private BigInteger y;
private BigInteger z;
private BigInteger zinv;
private BigInteger one = BigInteger.ONE;
private BigInteger zero = BigInteger.ZERO;
private boolean infinity;
public ECPointArthimetic(EllipticCurve ec, BigInteger x, BigInteger y, BigInteger z) {
this.ec = ec;
this.x = x;
this.y = y;
// Projective coordinates: either zinv == null or z * zinv == 1
// z and zinv are just BigIntegers, not fieldElements
if (z == null) {
this.z = BigInteger.ONE;
} else {
this.z = z;
}
this.zinv = null;
infinity = false;
//TODO: compression flag
}
public BigInteger getX() {
if (this.zinv == null) {
this.zinv = this.z.modInverse(this.ec.getP());
}
return this.x.multiply(this.zinv).mod(this.ec.getP());
}
public BigInteger getY() {
if (this.zinv == null) {
this.zinv = this.z.modInverse(this.ec.getP());
}
return this.y.multiply(this.zinv).mod(this.ec.getP());
}
public boolean pointEquals(ECPointArthimetic other) {
if (other == this) {
return true;
}
if (this.isInfinity()) {
return other.isInfinity();
}
if (other.isInfinity()) {
return this.isInfinity();
}
BigInteger u, v;
// u = Y2 * Z1 - Y1 * Z2
u = other.y.multiply(this.z).subtract(this.y.multiply(other.z)).mod(this.ec.getP());
if (!u.equals(BigInteger.ZERO)) {
return false;
}
// v = X2 * Z1 - X1 * Z2
v = other.x.multiply(this.z).subtract(this.x.multiply(other.z)).mod(this.ec.getP());
return v.equals(BigInteger.ZERO);
}
public boolean isInfinity() {
if ((this.x == zero) && (this.y == zero)) {
return true;
}
return this.z.equals(BigInteger.ZERO) && !this.y.equals(BigInteger.ZERO);
}
public ECPointArthimetic negate() {
return new ECPointArthimetic(this.ec, this.x, this.y.negate(), this.z);
}
public ECPointArthimetic add(ECPointArthimetic b) {
if (this.isInfinity()) {
return b;
}
if (b.isInfinity()) {
return this;
}
ECPointArthimetic R = new ECPointArthimetic(this.ec, zero, zero, null);
// u = Y2 * Z1 - Y1 * Z2
BigInteger u = b.y.multiply(this.z).
subtract(this.y.multiply(b.z)).mod(this.ec.getP());
// v = X2 * Z1 - X1 * Z2
BigInteger v = b.x.multiply(this.z).
subtract(this.x.multiply(b.z)).mod(this.ec.getP());
if (BigInteger.ZERO.equals(v)) {
if (BigInteger.ZERO.equals(u)) {
return this.twice(); // this == b, so double
}
infinity = true; // this = -b, so infinity
return R;
}
BigInteger THREE = new BigInteger("3");
BigInteger x1 = this.x;
BigInteger y1 = this.y;
BigInteger x2 = b.x;
BigInteger y2 = b.y;
BigInteger v2 = v.pow(2);
BigInteger v3 = v2.multiply(v);
BigInteger x1v2 = x1.multiply(v2);
BigInteger zu2 = u.pow(2).multiply(this.z);
// x3 = v * (z2 * (z1 * u^2 - 2 * x1 * v^2) - v^3)
BigInteger x3 = zu2.subtract(x1v2.shiftLeft(1)).multiply(b.z).
subtract(v3).multiply(v).mod(this.ec.getP());
// y3 = z2 * (3 * x1 * u * v^2 - y1 * v^3 - z1 * u^3) + u * v^3
BigInteger y3 = x1v2.multiply(THREE).multiply(u).
subtract(y1.multiply(v3)).subtract(zu2.multiply(u)).
multiply(b.z).add(u.multiply(v3)).mod(this.ec.getP());
// z3 = v^3 * z1 * z2
BigInteger z3 = v3.multiply(this.z).multiply(b.z).mod(this.ec.getP());
return new ECPointArthimetic(this.ec, x3, y3, z3);
}
public ECPointArthimetic twice() {
if (this.isInfinity()) {
return this;
}
ECPointArthimetic R = new ECPointArthimetic(this.ec, zero, zero, null);
if (this.y.signum() == 0) {
infinity = true;
return R;
}
BigInteger THREE = new BigInteger("3");
BigInteger x1 = this.x;
BigInteger y1 = this.y;
BigInteger y1z1 = y1.multiply(this.z);
BigInteger y1sqz1 = y1z1.multiply(y1).mod(this.ec.getP());
BigInteger a = this.ec.getA();
// w = 3 * x1^2 + a * z1^2
BigInteger w = x1.pow(2).multiply(THREE);
if (!BigInteger.ZERO.equals(a)) {
w = w.add(this.z.pow(2).multiply(a));
}
w = w.mod(this.ec.getP());
// x3 = 2 * y1 * z1 * (w^2 - 8 * x1 * y1^2 * z1)
BigInteger x3 = w.pow(2).subtract(x1.shiftLeft(3).multiply(y1sqz1)).
shiftLeft(1).multiply(y1z1).mod(this.ec.getP());
// y3 = 4 * y1^2 * z1 * (3 * w * x1 - 2 * y1^2 * z1) - w^3
BigInteger y3 = (w.multiply(THREE).multiply(x1).subtract(y1sqz1.shiftLeft(1))).
shiftLeft(2).multiply(y1sqz1).subtract(w.pow(2).multiply(w)).mod(this.ec.getP());
// z3 = 8 * (y1 * z1)^3
BigInteger z3 = y1z1.pow(2).multiply(y1z1).shiftLeft(3).mod(this.ec.getP());
return new ECPointArthimetic(this.ec, x3, y3, z3);
}
public ECPointArthimetic multiply(BigInteger k) {
if (this.isInfinity()) {
return this;
}
ECPointArthimetic R = new ECPointArthimetic(this.ec, zero, zero, null);
if (k.signum() == 0) {
infinity = true;
return R;
}
BigInteger e = k;
BigInteger h = e.multiply(new BigInteger("3"));
ECPointArthimetic neg = this.negate();
R = this;
int i;
for (i = h.bitLength() - 2; i > 0; --i) {
R = R.twice();
boolean hBit = h.testBit(i);
boolean eBit = e.testBit(i);
if (hBit != eBit) {
R = R.add(hBit ? this : neg);
}
}
return R;
}
public ECPointArthimetic implShamirsTrick( BigInteger k,
ECPointArthimetic Q, BigInteger l){
int m = Math.max(k.bitLength(), l.bitLength());
ECPointArthimetic Z = this.add(Q);
ECPointArthimetic R = new ECPointArthimetic(ec,zero,zero,null);
for (int i = m - 1; i >= 0; --i){
R = R.twice();
if (k.testBit(i)){
if (l.testBit(i)){
R = R.add(Z);
}else{
R = R.add(this);
}
}else{
if (l.testBit(i)){
R = R.add(Q);
}
}
}
return R;
}
}
以下是我使用的曲线:
package NISTCurves;
import ecc.*;
import java.math.BigInteger;
public class P192 implements ECDomainParameters {
String p192X = "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012";
String p192Y = "07192b95ffc8da78631011ed6b24cdd573f977a11e794811";
String p192B = "64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1";
String p192P = "6277101735386680763835789423207666416083908700390324961279";
String p192Order = "6277101735386680763835789423176059013767194773182842284081";
String p192A = "-3";
BigInteger p = new BigInteger(p192P, 16);
EllipticCurve ec =
new EllipticCurve(p,
new BigInteger(p192A).mod(p),
new BigInteger(p192B, 16));
ECPointArthimetic G = new ECPointArthimetic(ec, new BigInteger(p192X,16),
new BigInteger(p192Y,16),null);
BigInteger order = new BigInteger(p192Order, 16);
@Override
public BigInteger getP() {
return p;
}
@Override
public EllipticCurve getECCurve() {
return ec;
}
@Override
public BigInteger getOrder() {
return order;
}
@Override
public ECPointArthimetic getGenerator() {
return G;
}
}
椭圆曲线域参数的规范
package NISTCurves;
import ecc.ECPointArthimetic;
import ecc.EllipticCurve;
import java.math.BigInteger;
public interface ECDomainParameters {
public BigInteger getP();
public ECPointArthimetic getGenerator();
public EllipticCurve getECCurve();
public BigInteger getOrder();
}
椭圆曲线数字签名算法实现在这里。 在这段代码中有main函数,所以用它来测试Exception。
package ecc;
import NISTCurves.ECDomainParameters;
import NISTCurves.P192;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
*
* @author Gere
*/
public class ECDSA {
private BigInteger r, s;
ECDomainParameters param;
private PrivateKey prvKey;
private PublicKey pubKey;
BigInteger zero = BigInteger.ZERO;
private BigInteger one = BigInteger.ONE;
private MessageDigest sha;
public ECDSA() {
try {
sha = MessageDigest.getInstance("SHA-512");
} catch (NoSuchAlgorithmException ex) {
ex.printStackTrace();
}
}
public void initSign(PrivateKey prvKey) {
this.prvKey = prvKey;
param = prvKey.getParam();
}
public void initVerify(PublicKey pubKey) {
this.pubKey = pubKey;
param = pubKey.getParam();
}
public void update(byte[] byteMsg) {
sha.update(byteMsg);
}
public byte[] sign() throws FileNotFoundException, IOException {
BigInteger c = new BigInteger(
param.getP().bitLength() + 64, Rand.sr);
BigInteger k = c.mod(param.getOrder().subtract(one)).add(one);
while (!(k.gcd(param.getOrder()).compareTo(one) == 0)) {
c = new BigInteger(param.getP().bitLength() + 64, Rand.sr);
k = c.mod(param.getOrder().subtract(one)).add(one);
}
BigInteger kinv = k.modInverse(param.getOrder());
ECPointArthimetic p = param.getGenerator().multiply(k);
if (p.getX().equals(zero)) {
return sign();
}
BigInteger hash = new BigInteger(sha.digest());
BigInteger r = p.getX().mod(param.getOrder());
BigInteger s = (kinv.multiply((hash.add((prvKey.getPrivateKey()
.multiply(r)))))).mod(param.getOrder());
if (s.compareTo(zero) == 0) {
return sign();
}
System.out.println("r at sign: " + r);
System.out.println("s at sign: " + s);
byte[] rArr = toUnsignedByteArray(r);
byte[] sArr = toUnsignedByteArray(s);
int nLength = (param.getOrder().bitLength() + 7) / 8;
byte[] res = new byte[2 * nLength];
System.arraycopy(rArr, 0, res, nLength - rArr.length, rArr.length);
System.arraycopy(sArr, 0, res, 2 * nLength - sArr.length,
sArr.length);
return res;
}
public boolean verify(byte[] res) {
int nLength = (param.getOrder().bitLength() + 7) / 8;
byte[] rArr = new byte[nLength];
System.arraycopy(res, 0, rArr, 0, nLength);
r = new BigInteger(rArr);
byte[] sArr = new byte[nLength];
System.arraycopy(res, nLength, sArr, 0, nLength);
s = new BigInteger(sArr);
System.out.println("r at verify: " + r);
System.out.println("s at verify: " + s);
BigInteger w, u1, u2, v;
// r in the range [1,n-1]
if (r.compareTo(one) < 0 || r.compareTo(param.getOrder()) >= 0) {
return false;
}
// s in the range [1,n-1]
if (s.compareTo(one) < 0 || s.compareTo(param.getOrder()) >= 0) {
return false;
}
w = s.modInverse(param.getOrder());
BigInteger hash = new BigInteger(sha.digest());
u1 = hash.multiply(w);
u2 = r.multiply(w);
ECPointArthimetic G = param.getGenerator();
ECPointArthimetic Q = pubKey.getPublicKey();
// u1G + u2Q
ECPointArthimetic temp = G.implShamirsTrick(u1, Q, u2);
v = temp.getX();
v = v.mod(param.getOrder());
return v.equals(r);
}
byte[] toUnsignedByteArray(BigInteger bi) {
byte[] ba = bi.toByteArray();
if (ba[0] != 0) {
return ba;
} else {
byte[] ba2 = new byte[ba.length - 1];
System.arraycopy(ba, 1, ba2, 0, ba.length - 1);
return ba2;
}
}
public static void main(String[] args) {
byte[] msg = "Hello".getBytes();
byte[] sig = null;
ECDomainParameters param = new P192();
PrivateKey prvObj = new PrivateKey(param);
PublicKey pubObj = new PublicKey(prvObj);
ECDSA ecdsa = new ECDSA();
ecdsa.initSign(prvObj);
ecdsa.update(msg);
try {
sig = ecdsa.sign();
} catch (FileNotFoundException ex) {
System.out.println(ex.getMessage());
} catch (IOException ex) {
System.out.println(ex.getMessage());
}
ecdsa.initVerify(pubObj);
ecdsa.update(msg);
if (ecdsa.verify(sig)) {
System.out.println("valid");
} else {
System.out.println("invalid");
}
}
}
这里是PrivateKey类
package ecc;
import NISTCurves.ECDomainParameters;
import java.math.BigInteger;
import java.security.SecureRandom;
/**
*
* @author Gere
*/
public class PrivateKey {
private BigInteger d;
private ECDomainParameters param;
private BigInteger one = BigInteger.ONE;
private BigInteger zero;
private PublicKey pubKey;
public PrivateKey(ECDomainParameters param) {
this.param = param;
BigInteger c = new BigInteger(param.getOrder().bitLength() + 64,
new SecureRandom());
BigInteger n1 = param.getOrder().subtract(one);
d = c.mod(n1).add(one);
pubKey = new PublicKey(this);
}
public BigInteger getPrivateKey() {
return d;
}
public ECDomainParameters getParam() {
return param;
}
}
PublicKey类
package ecc;
import NISTCurves.ECDomainParameters;
/**
*
* @author Gere
*/
public class PublicKey {
private ECDomainParameters param;
private ECPointArthimetic Q;
public PublicKey(PrivateKey privObj) {
param = privObj.getParam();
Q = param.getGenerator().multiply(privObj.getPrivateKey());
}
public ECDomainParameters getParam() {
return param;
}
public ECPointArthimetic getPublicKey() {
return Q;
}
}
椭圆曲线
package ecc;
import java.math.BigInteger;
/**
*
* @author Gere
*/
public class EllipticCurve {
private BigInteger a;
private BigInteger b;
private BigInteger p;
public EllipticCurve(BigInteger a, BigInteger b, BigInteger p) {
this.a = a;
this.b = b;
this.p = p;
}
public BigInteger getA() {
return a;
}
public BigInteger getB() {
return b;
}
public BigInteger getP() {
return p;
}
}
兰德班
package ecc;
import java.security.SecureRandom;
/**
*
* @author Gere
*/
public class Rand {
public static final SecureRandom sr = new SecureRandom();
}
椭圆曲线界面
package ecc;
import java.math.BigInteger;
public interface ECConstants{
public static final BigInteger zero = BigInteger.valueOf(0);
public static final BigInteger one = BigInteger.valueOf(1);
public static final BigInteger two = BigInteger.valueOf(2);
public static final BigInteger three = BigInteger.valueOf(3);
public static final BigInteger four= BigInteger.valueOf(4);
}
答案 0 :(得分:4)
最重要的错误在NISTCurves.P192:p中,顺序在base-10中,而不在base-16中。此外,在构造EllipticCurve对象时,以错误的顺序提供参数。您的方法需要(a, b, p)
,但是您可以使用(p, a, b)
调用它(因此我对p
不是素数的猜测是正确的。)
另一个问题出在您的验证方法中,当您打开r
和s
时。由于它们采用无符号格式,因此应使用new BigInteger(1, rArr)
而不是普通的构造函数。
通过这些更改,您的代码可以为我工作(我可以验证签名 - 我还没有验证实现的正确性。)
(旧答案如下:)
由于您没有向我们提供与堆栈跟踪匹配的代码,因此这只是猜测:
在添加椭圆曲线期间(在素数域上有曲线),您应该仅使用素数BigInteger.modInverse()
(素数场的阶数)作为模数调用p
。
如果p
实际上并不是一个素数,那么偶尔失败的“BigInteger不可逆”的最可能方法就是{<1}}。
你从哪里获得p
?尝试插入
if(!ec.getP().isProbablePrime(100)) throw new RuntimeException("P is not a prime");
的某个地方。
答案 1 :(得分:0)
来自BigInteger
的JDK java代码:
// Base and modulus are even, throw exception
if (isEven())
throw new ArithmeticException("BigInteger not invertible.");
对于modInverse()
方法,似乎BigInteger
可能不是偶数。