1 /** 2 * Format Preserving Encryption (FE1 scheme) 3 * 4 * Copyright: 5 * (C) 2009 Jack Lloyd 6 * (C) 2014-2015 Etienne Cimon 7 * 8 * License: 9 * Botan is released under the Simplified BSD License (see LICENSE.md) 10 */ 11 module botan.constructs.fpe_fe1; 12 13 import botan.constants; 14 static if (BOTAN_HAS_FPE_FE1): 15 16 import botan.math.bigint.bigint; 17 import botan.algo_base.symkey; 18 import botan.math.numbertheory.numthry; 19 import botan.mac.hmac; 20 import botan.hash.sha2_32; 21 import botan.mac.mac; 22 import botan.utils.exceptn; 23 import botan.utils.types; 24 import botan.utils.mem_ops; 25 import std.exception; 26 import std.algorithm : swap; 27 28 struct FPE { 29 30 /** 31 * Format Preserving Encryption using the scheme FE1 from the paper 32 * "Format-Preserving Encryption" by Bellare, Rogaway, et al 33 * (http://eprint.iacr.org/2009/251) 34 * 35 * Encrypt X from and onto the group Z_n using key and tweak 36 * 37 * Params: 38 * n = the modulus 39 * X = the plaintext as a BigInt 40 * key = a random key 41 * tweak = will modify the ciphertext (think of as an IV) 42 */ 43 static BigInt fe1Encrypt(const(BigInt)* n0, const(BigInt)* X0, 44 in SymmetricKey key, 45 const ref Vector!ubyte tweak) 46 { 47 Unique!FPEEncryptor F = new FPEEncryptor(key, n0, tweak); 48 49 BigInt a, b; 50 factor(n0.dup, &a, &b); 51 52 const size_t r = rounds(&a, &b); 53 54 BigInt X = X0.dup; 55 56 foreach (size_t i; 0 .. r) 57 { 58 BigInt L = X / b; 59 BigInt R = X % b; 60 auto W_0 = F(i, &R); 61 BigInt W = (L + W_0) % a; 62 X = (a * R) + W; 63 } 64 65 return X; 66 } 67 68 69 /** 70 * Decrypt X from and onto the group Z_n using key and tweak 71 * Params: 72 * n = the modulus 73 * X = the ciphertext as a BigInt 74 * key = is the key used for encryption 75 * tweak = the same tweak used for encryption 76 */ 77 static BigInt fe1Decrypt(const(BigInt)* n0, const(BigInt)* X0, in SymmetricKey key, const ref Vector!ubyte tweak) 78 { 79 auto F = scoped!FPEEncryptor(key, n0, tweak); 80 81 BigInt a, b; 82 factor(n0.dup, &a, &b); 83 84 const size_t r = rounds(&a, &b); 85 86 BigInt X = X0.dup; 87 88 foreach (size_t i; 0 .. r) 89 { 90 BigInt W = X % a; 91 BigInt R = X / a; 92 auto L_0 = F(r-i-1, &R); 93 BigInt L = (W - L_0) % a; 94 X = (b * L) + R; 95 } 96 97 return X; 98 } 99 100 101 } 102 103 private: 104 105 // Normally FPE is for SSNs, CC#s, etc, nothing too big 106 __gshared immutable size_t MAX_N_BYTES = 128/8; 107 108 /* 109 * Factor n into a and b which are as close together as possible. 110 * Assumes n is composed mostly of small factors which is the case for 111 * typical uses of FPE (typically, n is a power of 10) 112 * 113 * Want a >= b since the safe number of rounds is 2+log_a(b); if a >= b 114 * then this is always 3 115 */ 116 void factor(BigInt n, BigInt* a, BigInt* b) 117 { 118 *a = 1; 119 *b = 1; 120 121 size_t n_low_zero = lowZeroBits(&n); 122 123 *a <<= (n_low_zero / 2); 124 *b <<= n_low_zero - (n_low_zero / 2); 125 n >>= n_low_zero; 126 127 foreach (size_t i; 0 .. PRIME_TABLE_SIZE) 128 { 129 while (n % PRIMES[i] == 0) 130 { 131 *a *= PRIMES[i]; 132 if (*a > b) 133 swap(a, b); 134 n /= PRIMES[i]; 135 } 136 } 137 138 if (*a > b) 139 swap(a, b); 140 *a *= n; 141 if (*a < b) 142 swap(a, b); 143 144 if (*a <= 1 || *b <= 1) 145 throw new Exception("Could not factor n for use in FPE"); 146 } 147 148 /* 149 * According to a paper by Rogaway, Bellare, etc, the min safe number 150 * of rounds to use for FPE is 2+log_a(b). If a >= b then log_a(b) <= 1 151 * so 3 rounds is safe. The FPE factorization routine should always 152 * return a >= b, so just confirm that and return 3. 153 */ 154 size_t rounds(const(BigInt)* a, const(BigInt)* b) 155 { 156 if (a < b) 157 throw new LogicError("FPE rounds: a < b"); 158 return 3; 159 } 160 161 /* 162 * A simple round function based on HMAC(SHA-256) 163 */ 164 final class FPEEncryptor 165 { 166 public: 167 this()(in SymmetricKey key, const(BigInt)* n, const ref Vector!ubyte tweak) 168 { 169 170 m_mac = new HMAC(new SHA256); 171 m_mac.setKey(key); 172 173 Vector!ubyte n_bin = BigInt.encode(n); 174 175 if (n_bin.length > MAX_N_BYTES) 176 throw new Exception("N is too large for FPE encryption"); 177 178 m_mac.updateBigEndian(cast(uint)(n_bin.length)); 179 m_mac.update(n_bin.ptr, n_bin.length); 180 181 m_mac.updateBigEndian(cast(uint)(tweak.length)); 182 m_mac.update(tweak.ptr, tweak.length); 183 184 m_mac_n_t = unlock(m_mac.finished()); 185 } 186 187 188 BigInt opCall(size_t round_no, const(BigInt)* R) 189 { 190 SecureVector!ubyte r_bin = BigInt.encodeLocked(R); 191 192 m_mac.update(m_mac_n_t); 193 m_mac.updateBigEndian(cast(uint)(round_no)); 194 195 m_mac.updateBigEndian(cast(uint)(r_bin.length)); 196 m_mac.update(r_bin.ptr, r_bin.length); 197 198 SecureVector!ubyte X = m_mac.finished(); 199 return BigInt(X.ptr, X.length); 200 } 201 202 private: 203 Unique!MessageAuthenticationCode m_mac; 204 Vector!ubyte m_mac_n_t; 205 }